dect/libpcap

packaging/pcap.spec is generated from packaging/pcap.spec.in; don't check in the generated version, and don't put it into the distribution.

Fix a bunch of references to tcpdump-workers@tcpdump.org to refer to the
new address, tcpdump-workers@lists.tcpdump.org.

Fix a reference to the pcap man page from the pcap-filter(4) man page.

Note that patches should be submitted on the SourceForge site, not sent
to the spam-trap patches@tcpdump.org list.
This commit is contained in:
guy 2008-05-30 01:36:06 +00:00
parent 2b31a188b5
commit 839343cdce
12 changed files with 610 additions and 52 deletions


@ -17,7 +17,7 @@
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.108.2.16 2008-05-28 02:15:05 guy Exp $ (LBL)
# @(#) $Header: /tcpdump/master/libpcap/Makefile.in,v 1.108.2.17 2008-05-30 01:36:06 guy Exp $ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
@ -241,7 +241,6 @@ EXTRA_DIST = \
msdos/readme.dos \
net/bpf_filter.c \
org.tcpdump.chmod_bpf.plist \
packaging/pcap.spec \
packaging/pcap.spec.in \
pcap-bpf.c \
pcap-bpf.h \
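Review bot: dropping packaging/pcap.spec from EXTRA_DIST covers only the "don't put it into the distribution" half of the commit message. None of the 12 files in this commit is a removal of packaging/pcap.spec itself, so if the generated file was ever checked in on this branch it still needs a separate removal, and an ignore entry would keep it from being re-added by accident.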

82
README

@ -1,10 +1,25 @@
@(#) $Header: /tcpdump/master/libpcap/README,v 1.18.1.1 1999-10-07 23:46:40 mcr Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/README,v 1.30.4.1 2008-05-30 01:36:06 guy Exp $ (LBL)
LIBPCAP 0.4
Lawrence Berkeley National Laboratory
Network Research Group
libpcap@ee.lbl.gov
ftp://ftp.ee.lbl.gov/libpcap.tar.Z
LIBPCAP 0.9
Now maintained by "The Tcpdump Group"
See www.tcpdump.org
Please send inquiries/comments/reports to:
tcpdump-workers@lists.tcpdump.org
Anonymous CVS is available via:
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master login
(password "anoncvs")
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master checkout libpcap
Version 0.9 of LIBPCAP can be retrieved with the CVS tag "libpcap_0_9rel1":
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master checkout -r libpcap_0_9rel1 libpcap
Please send patches against the master copy to patches@tcpdump.org.
formerly from Lawrence Berkeley National Laboratory
Network Research Group <libpcap@ee.lbl.gov>
ftp://ftp.ee.lbl.gov/libpcap.tar.Z (0.4)
This directory contains source code for libpcap, a system-independent
interface for user-level packet capture. libpcap provides a portable
@ -18,12 +33,30 @@ system-dependent packet capture modules in each application.
Note well: this interface is new and is likely to change.
For some platforms there are README.{system} files that discuss issues
with the OS's interface for packet capture on those platforms, such as
how to enable support for that interface in the OS, if it's not built in
by default.
The libpcap interface supports a filtering mechanism based on the
architecture in the BSD packet filter. BPF is described in the 1993
Winter Usenix paper ``The BSD Packet Filter: A New Architecture for
User-level Packet Capture''. A compressed postscript version is in:
User-level Packet Capture''. A compressed PostScript version can be
found at
ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z.
ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z
or
http://www.tcpdump.org/papers/bpf-usenix93.ps.Z
and a gzipped version can be found at
http://www.tcpdump.org/papers/bpf-usenix93.ps.gz
A PDF version can be found at
http://www.tcpdump.org/papers/bpf-usenix93.pdf
Although most packet capture interfaces support in-kernel filtering,
libpcap utilizes in-kernel filtering only for the BPF interface.
@ -33,17 +66,30 @@ added overhead (especially, for selective filters). Ideally, libpcap
would translate BPF filters into a filter program that is compatible
with the underlying kernel subsystem, but this is not yet implemented.
BPF is standard in 4.4BSD, BSD/386, NetBSD, and FreeBSD. DEC OSF/1
uses the packetfilter interface but has been extended to accept BPF
filters (which libpcap utilizes). Also, you can add BPF filter support
to Ultrix using the kernel source and/or object patches available in:
BPF is standard in 4.4BSD, BSD/OS, NetBSD, FreeBSD, and OpenBSD. DEC
OSF/1/Digital UNIX/Tru64 UNIX uses the packetfilter interface but has
been extended to accept BPF filters (which libpcap utilizes). Also, you
can add BPF filter support to Ultrix using the kernel source and/or
object patches available in:
ftp://gatekeeper.dec.com/pub/DEC/net/bpfext42.tar.Z.
Problems, bugs, questions, desirable enhancements, source code
contributions, etc., should be sent to the email address
"libpcap@ee.lbl.gov".
Linux, in the 2.2 kernel and later kernels, has a "Socket Filter"
mechanism that accepts BPF filters; see the README.linux file for
information on configuring that option.
- Steve McCanne
Craig Leres
Van Jacobson
Problems, bugs, questions, desirable enhancements, etc. should be sent
to the address "tcpdump-workers@lists.tcpdump.org". Bugs, support
requests, and feature requests may also be submitted on the SourceForge
site for libpcap at
http://sourceforge.net/projects/libpcap/
Source code contributions, etc. should be sent to the email address
"patches@tcpdump.org", or submitted as patches on the SourceForge site
for libpcap.
Current versions can be found at www.tcpdump.org, or the SourceForge
site for libpcap.
- The TCPdump team
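Review bot: the rewritten contact paragraph still says source code contributions "should be sent to the email address "patches@tcpdump.org"", and the new header block at the top of this file says "Please send patches against the master copy to patches@tcpdump.org", while the commit message calls that list a spam trap and says patches belong on the SourceForge site. Suggest dropping the address from both places and pointing only at http://sourceforge.net/projects/libpcap/, as the pcap/pcap.h comment in this commit does. Minor: the sign-off reads "The TCPdump team" but the header uses "The Tcpdump Group"; pick one spelling.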

78
README.aix Normal file

@ -0,0 +1,78 @@
Using BPF:
(1) AIX 4.x's version of BPF is undocumented and somewhat unstandard; the
current BPF support code includes changes that should work around
that; it appears to compile and work on at least one AIX 4.3.3
machine.
Note that the BPF driver and the "/dev/bpf" devices might not exist
on your machine; AIX's tcpdump loads the driver and creates the
devices if they don't already exist. Our libpcap should do the
same, and the configure script should detect that it's on an AIX
system and choose BPF even if the devices aren't there.
(2) If libpcap doesn't compile on your machine when configured to use
BPF, or if the workarounds fail to make it work correctly, you
should send to tcpdump-workers@lists.tcpdump.org a detailed bug
report (if the compile fails, send us the compile error messages;
if it compiles but fails to work correctly, send us as detailed as
possible a description of the symptoms, including indications of the
network link-layer type being wrong or time stamps being wrong).
If you fix the problems yourself, please send to patches@tcpdump.org
a patch, so we can incorporate them into the next release.
If you don't fix the problems yourself, you can, as a workaround,
make libpcap use DLPI instead of BPF.
This can be done by specifying the flag:
--with-pcap=dlpi
to the "configure" script for libpcap.
If you use DLPI:
(1) It is a good idea to have the latest version of the DLPI driver on
your system, since certain versions may be buggy and cause your AIX
system to crash. DLPI is included in the fileset bos.rte.tty. I
found that the DLPI driver that came with AIX 4.3.2 was buggy, and
had to upgrade to bos.rte.tty 4.3.2.4:
lslpp -l bos.rte.tty
bos.rte.tty 4.3.2.4 COMMITTED Base TTY Support and Commands
Updates for AIX filesets can be obtained from:
ftp://service.software.ibm.com/aix/fixes/
These updates can be installed with the smit program.
(2) After compiling libpcap, you need to make sure that the DLPI driver
is loaded. Type:
strload -q -d dlpi
If the result is:
dlpi: yes
then the DLPI driver is loaded correctly.
If it is:
dlpi: no
Then you need to type:
strload -f /etc/dlpi.conf
Check again with strload -q -d dlpi that the dlpi driver is loaded.
Alternatively, you can uncomment the lines for DLPI in
/etc/pse.conf and reboot the machine; this way DLPI will always
be loaded when you boot your system.
(3) There appears to be a problem in the DLPI code in some versions of
AIX, causing a warning about DL_PROMISC_MULTI failing; this might
be responsible for DLPI not being able to capture outgoing packets.
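Review bot: item (2) under "Using BPF" asks for fixes to be sent "to patches@tcpdump.org", which is the address the commit message says not to use. Since this file is new in this commit, it should point at the SourceForge site for patches from the start, and keep tcpdump-workers@lists.tcpdump.org for the bug reports only.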


@ -15,7 +15,7 @@ URL: http://www.tcpdump.org
Packet-capture library LIBPCAP @VERSION@
Now maintained by "The Tcpdump Group"
See http://www.tcpdump.org
Please send inquiries/comments/reports to tcpdump-workers@tcpdump.org
Please send inquiries/comments/reports to tcpdump-workers@lists.tcpdump.org
%prep
%setup


@ -1,4 +1,4 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap-filter.4,v 1.1.2.1 2008-01-06 21:14:56 guy Exp $ (LBL)
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap-filter.4,v 1.1.2.2 2008-05-30 01:36:06 guy Exp $ (LBL)
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
@ -904,7 +904,7 @@ icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
.fi
.RE
.SH "SEE ALSO"
pcap(3)
pcap(3PCAP)
.SH AUTHORS
The original authors are:
.LP
@ -930,7 +930,7 @@ The original distribution is available via anonymous ftp:
Please send problems, bugs, questions, desirable enhancements, etc. to:
.LP
.RS
tcpdump-workers@tcpdump.org
tcpdump-workers@lists.tcpdump.org
.RE
.LP
Filter expressions on fields other than those in Token Ring headers will


@ -30,7 +30,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: /tcpdump/master/libpcap/pcap-int.h,v 1.85.2.5 2008-04-14 20:41:52 guy Exp $ (LBL)
* @(#) $Header: /tcpdump/master/libpcap/pcap-int.h,v 1.85.2.6 2008-05-30 01:36:06 guy Exp $ (LBL)
*/
#ifndef pcap_int_h
@ -309,8 +309,8 @@ struct pcap_timeval {
*
* introduce a new structure for the new format;
*
* send mail to "tcpdump-workers@tcpdump.org", requesting a new
* magic number for your new capture file format, and, when
* send mail to "tcpdump-workers@lists.tcpdump.org", requesting
* a new magic number for your new capture file format, and, when
* you get the new magic number, put it in "savefile.c";
*
* use that magic number for save files with the changed record


@ -1,4 +1,4 @@
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3pcap,v 1.1.2.5 2008-04-10 01:56:38 guy Exp $
.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap.3pcap,v 1.1.2.6 2008-05-30 01:36:06 guy Exp $
.\"
.\" Copyright (c) 1994, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
@ -382,5 +382,5 @@ The current version is available from "The Tcpdump Group"'s Web site at
Please send problems, bugs, questions, desirable enhancements, etc. to:
.LP
.RS
tcpdump-workers@tcpdump.org
tcpdump-workers@lists.tcpdump.org
.RE


@ -37,7 +37,7 @@
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
* @(#) $Header: /tcpdump/master/libpcap/pcap/bpf.h,v 1.19.2.6 2008-04-06 18:10:08 guy Exp $ (LBL)
* @(#) $Header: /tcpdump/master/libpcap/pcap/bpf.h,v 1.19.2.7 2008-05-30 01:36:06 guy Exp $ (LBL)
*/
/*
@ -113,12 +113,12 @@ struct bpf_version {
* Data-link level type codes.
*
* Do *NOT* add new values to this list without asking
* "tcpdump-workers@tcpdump.org" for a value. Otherwise, you run the
* risk of using a value that's already being used for some other purpose,
* and of having tools that read libpcap-format captures not being able
* to handle captures with your new DLT_ value, with no hope that they
* will ever be changed to do so (as that would destroy their ability
* to read captures using that value for that other purpose).
* "tcpdump-workers@lists.tcpdump.org" for a value. Otherwise, you run
* the risk of using a value that's already being used for some other
* purpose, and of having tools that read libpcap-format captures not
* being able to handle captures with your new DLT_ value, with no hope
* that they will ever be changed to do so (as that would destroy their
* ability to read captures using that value for that other purpose).
*/
/*
@ -482,7 +482,7 @@ struct bpf_version {
* for *their* private type and tools using them for *your* private type
* would have to read them.
*
* Instead, ask "tcpdump-workers@tcpdump.org" for a new DLT_ value,
* Instead, ask "tcpdump-workers@lists.tcpdump.org" for a new DLT_ value,
* as per the comment above, and use the type you're given.
*/
#define DLT_USER0 147


@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: /tcpdump/master/libpcap/pcap/pcap.h,v 1.4.2.8 2008-05-26 19:58:59 guy Exp $ (LBL)
* @(#) $Header: /tcpdump/master/libpcap/pcap/pcap.h,v 1.4.2.9 2008-05-30 01:36:06 guy Exp $ (LBL)
*/
#ifndef lib_pcap_pcap_h
@ -95,8 +95,8 @@ typedef struct pcap_addr pcap_addr_t;
* introduce a new structure for the new format, if the layout
* of the structure changed;
*
* send mail to "tcpdump-workers@tcpdump.org", requesting a new
* magic number for your new capture file format, and, when
* send mail to "tcpdump-workers@lists.tcpdump.org", requesting
* a new magic number for your new capture file format, and, when
* you get the new magic number, put it in "savefile.c";
*
* use that magic number for save files with the changed file
@ -106,9 +106,12 @@ typedef struct pcap_addr pcap_addr_t;
* the old file header as well as files with the new file header
* (using the magic number to determine the header format).
*
* Then supply the changes to "patches@tcpdump.org", so that future
* versions of libpcap and programs that use it (such as tcpdump) will
* be able to read your new capture file format.
* Then supply the changes as a patch at
*
* http://sourceforge.net/projects/libpcap/
*
* so that future versions of libpcap and programs that use it (such as
* tcpdump) will be able to read your new capture file format.
*/
struct pcap_file_header {
bpf_u_int32 magic;

129
pcap/sll.h Normal file
View File

@ -0,0 +1,129 @@
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* This code is derived from the Stanford/CMU enet packet filter,
* (net/enet.c) distributed as part of 4.3BSD, and code contributed
* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
* Berkeley Laboratory.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: /tcpdump/master/libpcap/pcap/sll.h,v 1.2.2.1 2008-05-30 01:36:06 guy Exp $ (LBL)
*/
/*
* For captures on Linux cooked sockets, we construct a fake header
* that includes:
*
* a 2-byte "packet type" which is one of:
*
* LINUX_SLL_HOST packet was sent to us
* LINUX_SLL_BROADCAST packet was broadcast
* LINUX_SLL_MULTICAST packet was multicast
* LINUX_SLL_OTHERHOST packet was sent to somebody else
* LINUX_SLL_OUTGOING packet was sent *by* us;
*
* a 2-byte Ethernet protocol field;
*
* a 2-byte link-layer type;
*
* a 2-byte link-layer address length;
*
* an 8-byte source link-layer address, whose actual length is
* specified by the previous value.
*
* All fields except for the link-layer address are in network byte order.
*
* DO NOT change the layout of this structure, or change any of the
* LINUX_SLL_ values below. If you must change the link-layer header
* for a "cooked" Linux capture, introduce a new DLT_ type (ask
* "tcpdump-workers@lists.tcpdump.org" for one, so that you don't give it
* a value that collides with a value already being used), and use the
* new header in captures of that type, so that programs that can
* handle DLT_LINUX_SLL captures will continue to handle them correctly
* without any change, and so that capture files with different headers
* can be told apart and programs that read them can dissect the
* packets in them.
*/
#ifndef lib_pcap_sll_h
#define lib_pcap_sll_h
/*
* A DLT_LINUX_SLL fake link-layer header.
*/
#define SLL_HDR_LEN 16 /* total header length */
#define SLL_ADDRLEN 8 /* length of address field */
struct sll_header {
u_int16_t sll_pkttype; /* packet type */
u_int16_t sll_hatype; /* link-layer address type */
u_int16_t sll_halen; /* link-layer address length */
u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
u_int16_t sll_protocol; /* protocol */
};
/*
* The LINUX_SLL_ values for "sll_pkttype"; these correspond to the
* PACKET_ values on Linux, but are defined here so that they're
* available even on systems other than Linux, and so that they
* don't change even if the PACKET_ values change.
*/
#define LINUX_SLL_HOST 0
#define LINUX_SLL_BROADCAST 1
#define LINUX_SLL_MULTICAST 2
#define LINUX_SLL_OTHERHOST 3
#define LINUX_SLL_OUTGOING 4
/*
* The LINUX_SLL_ values for "sll_protocol"; these correspond to the
* ETH_P_ values on Linux, but are defined here so that they're
* available even on systems other than Linux. We assume, for now,
* that the ETH_P_ values won't change in Linux; if they do, then:
*
* if we don't translate them in "pcap-linux.c", capture files
* won't necessarily be readable if captured on a system that
* defines ETH_P_ values that don't match these values;
*
* if we do translate them in "pcap-linux.c", that makes life
* unpleasant for the BPF code generator, as the values you test
* for in the kernel aren't the values that you test for when
* reading a capture file, so the fixup code run on BPF programs
* handed to the kernel ends up having to do more work.
*
* Add other values here as necessary, for handling packet types that
* might show up on non-Ethernet, non-802.x networks. (Not all the ones
* in the Linux "if_ether.h" will, I suspect, actually show up in
* captures.)
*/
#define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
#define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
#endif
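Review bot: the field list in the block comment does not match struct sll_header. The comment puts "a 2-byte Ethernet protocol field" second, directly after the packet type, but the struct declares sll_protocol last, after sll_addr. Because the same comment forbids changing the layout, it should list the fields in struct order (sll_pkttype, sll_hatype, sll_halen, sll_addr, sll_protocol) so that nobody writes a reader from the prose. It would also help to say that sll_halen is read from the capture file and must be capped at SLL_ADDRLEN before it is used to index sll_addr, since the field is 16 bits wide and the array is 8 bytes.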

302
pcap1.h Normal file

@ -0,0 +1,302 @@
/* -*- Mode: c; tab-width: 8; indent-tabs-mode: 1; c-basic-offset: 8; -*- */
/*
* Copyright (c) 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the Computer Systems
* Engineering Group at Lawrence Berkeley Laboratory.
* 4. Neither the name of the University nor of the Laboratory may be used
* to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: /tcpdump/master/libpcap/pcap1.h,v 1.3.2.1 2008-05-30 01:36:06 guy Exp $ (LBL)
*/
#ifndef lib_pcap_h
#define lib_pcap_h
#ifdef WIN32
#include <pcap-stdinc.h>
#else /* WIN32 */
#include <sys/types.h>
#include <sys/time.h>
#endif /* WIN32 */
#ifndef PCAP_DONT_INCLUDE_PCAP_BPF_H
#include <pcap/bpf.h>
#endif
#include <stdio.h>
#ifdef __cplusplus
extern "C" {
#endif
#define PCAP_VERSION_MAJOR 3
#define PCAP_VERSION_MINOR 0
#define PCAP_ERRBUF_SIZE 256
/*
* Compatibility for systems that have a bpf.h that
* predates the bpf typedefs for 64-bit support.
*/
#if BPF_RELEASE - 0 < 199406
typedef int bpf_int32;
typedef u_int bpf_u_int32;
#endif
typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;
typedef struct pcap_if pcap_if_t;
typedef struct pcap_addr pcap_addr_t;
/*
* The first record in the file contains saved values for some
* of the flags used in the printout phases of tcpdump.
* Many fields here are 32 bit ints so compilers won't insert unwanted
* padding; these files need to be interchangeable across architectures.
*
* Do not change the layout of this structure, in any way (this includes
* changes that only affect the length of fields in this structure).
*
* Also, do not change the interpretation of any of the members of this
* structure, in any way (this includes using values other than
* LINKTYPE_ values, as defined in "savefile.c", in the "linktype"
* field).
*
* Instead:
*
* introduce a new structure for the new format, if the layout
* of the structure changed;
*
* send mail to "tcpdump-workers@lists.tcpdump.org", requesting
* a new magic number for your new capture file format, and, when
* you get the new magic number, put it in "savefile.c";
*
* use that magic number for save files with the changed file
* header;
*
* make the code in "savefile.c" capable of reading files with
* the old file header as well as files with the new file header
* (using the magic number to determine the header format).
*
* Then supply the changes to "patches@tcpdump.org", so that future
* versions of libpcap and programs that use it (such as tcpdump) will
* be able to read your new capture file format.
*/
enum pcap1_info_types {
PCAP_DATACAPTURE,
PCAP_TIMESTAMP,
PCAP_WALLTIME,
PCAP_TIMESKEW,
PCAP_PROBEPLACE, /* aka direction */
PCAP_COMMENT, /* comment */
};
struct pcap1_info_container {
bpf_u_int32 info_len; /* in bytes */
bpf_u_int32 info_type; /* enum pcap1_info_types */
unsigned char info_data[0];
};
struct pcap1_info_timestamp {
struct pcap1_info_container pic;
bpf_u_int32 nanoseconds; /* 10^-9 of seconds */
bpf_u_int32 seconds; /* seconds since Unix epoch - GMT */
bpf_u_int16 macroseconds; /* 16 bits more of MSB of time */
bpf_u_int16 sigfigs; /* accuracy of timestamps - LSB bits */
};
struct pcap1_info_packet {
struct pcap1_info_container pic;
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */
bpf_u_int32 ifIndex; /* abstracted interface index */
unsigned char packet_data[0];
};
enum pcap1_probe {
INBOUND =1,
OUTBOUND =2,
FORWARD =3,
PREENCAP =4,
POSTDECAP=5,
};
struct pcap1_info_probe {
struct pcap1_info_container pic;
bpf_u_int32 probeloc; /* enum pcap1_probe */
unsigned char probe_desc[0];
};
struct pcap1_info_comment {
struct pcap1_info_container pic;
unsigned char comment[0];
};
struct pcap1_packet_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_u_int32 block_len;
struct pcap1_info_container pics[0];
};
/*
* Each packet in the dump file is prepended with this generic header.
* This gets around the problem of different headers for different
* packet interfaces.
*/
/*
* As returned by the pcap_stats()
*/
struct pcap_stat {
u_int ps_recv; /* number of packets received */
u_int ps_drop; /* number of packets dropped */
u_int ps_ifdrop; /* drops by interface XXX not yet supported */
#ifdef WIN32
u_int bs_capt; /* number of packets that reach the application */
#endif /* WIN32 */
};
/*
* Item in a list of interfaces.
*/
struct pcap_if {
struct pcap_if *next;
char *name; /* name to hand to "pcap_open_live()" */
char *description; /* textual description of interface, or NULL */
struct pcap_addr *addresses;
bpf_u_int32 flags; /* PCAP_IF_ interface flags */
};
#define PCAP_IF_LOOPBACK 0x00000001 /* interface is loopback */
/*
* Representation of an interface address.
*/
struct pcap_addr {
struct pcap_addr *next;
struct sockaddr *addr; /* address */
struct sockaddr *netmask; /* netmask for that address */
struct sockaddr *broadaddr; /* broadcast address for that address */
struct sockaddr *dstaddr; /* P2P destination address for that address */
};
typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
const u_char *);
char *pcap_lookupdev(char *);
int pcap_lookupnet(const char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t *pcap_open_live(const char *, int, int, int, char *);
pcap_t *pcap_open_dead(int, int);
pcap_t *pcap_open_offline(const char *, char *);
void pcap_close(pcap_t *);
int pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
pcap_next(pcap_t *, struct pcap_pkthdr *);
int pcap_next_ex(pcap_t *, struct pcap_pkthdr **, const u_char **);
void pcap_breakloop(pcap_t *);
int pcap_stats(pcap_t *, struct pcap_stat *);
int pcap_setfilter(pcap_t *, struct bpf_program *);
int pcap_getnonblock(pcap_t *, char *);
int pcap_setnonblock(pcap_t *, int, char *);
void pcap_perror(pcap_t *, char *);
char *pcap_strerror(int);
char *pcap_geterr(pcap_t *);
int pcap_compile(pcap_t *, struct bpf_program *, char *, int,
bpf_u_int32);
int pcap_compile_nopcap(int, int, struct bpf_program *,
char *, int, bpf_u_int32);
void pcap_freecode(struct bpf_program *);
int pcap_datalink(pcap_t *);
int pcap_list_datalinks(pcap_t *, int **);
int pcap_set_datalink(pcap_t *, int);
int pcap_datalink_name_to_val(const char *);
const char *pcap_datalink_val_to_name(int);
const char *pcap_datalink_val_to_description(int);
int pcap_snapshot(pcap_t *);
int pcap_is_swapped(pcap_t *);
int pcap_major_version(pcap_t *);
int pcap_minor_version(pcap_t *);
/* XXX */
FILE *pcap_file(pcap_t *);
int pcap_fileno(pcap_t *);
pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
int pcap_dump_flush(pcap_dumper_t *);
void pcap_dump_close(pcap_dumper_t *);
void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
FILE *pcap_dump_file(pcap_dumper_t *);
int pcap_findalldevs(pcap_if_t **, char *);
void pcap_freealldevs(pcap_if_t *);
const char *pcap_lib_version(void);
/* XXX this guy lives in the bpf tree */
u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
int bpf_validate(struct bpf_insn *f, int len);
char *bpf_image(struct bpf_insn *, int);
void bpf_dump(struct bpf_program *, int);
#ifdef WIN32
/*
* Win32 definitions
*/
int pcap_setbuff(pcap_t *p, int dim);
int pcap_setmode(pcap_t *p, int mode);
int pcap_sendpacket(pcap_t *p, u_char *buf, int size);
int pcap_setmintocopy(pcap_t *p, int size);
#ifdef WPCAP
/* Include file with the wpcap-specific extensions */
#include <Win32-Extensions.h>
#endif
#define MODE_CAPT 0
#define MODE_STAT 1
#else
/*
* UN*X definitions
*/
int pcap_get_selectable_fd(pcap_t *);
#endif /* WIN32 */
#ifdef __cplusplus
}
#endif
#endif
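Review bot: struct pcap_pkthdr is used in the pcap_handler typedef and in pcap_next(), pcap_next_ex() and pcap_dump(), but this header never defines it; the comment "Each packet in the dump file is prepended with this generic header" is followed directly by the pcap_stats() comment with no struct in between. Likewise struct pcap1_info_timestamp uses bpf_u_int16, while the only compatibility typedefs in this file are bpf_int32 and bpf_u_int32. Either define both, or state in a comment at the top that this header is a format sketch and is not meant to be included. The copied file-format comment also still says to supply changes to "patches@tcpdump.org", which the pcap/pcap.h hunk in this same commit replaces with the SourceForge URL.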


@ -30,7 +30,7 @@
#ifndef lint
static const char rcsid[] _U_ =
"@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.7 2008-04-14 20:41:52 guy Exp $ (LBL)";
"@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.8 2008-05-30 01:36:06 guy Exp $ (LBL)";
#endif
#ifdef HAVE_CONFIG_H
@ -147,11 +147,12 @@ static const char rcsid[] _U_ =
*
* In order to ensure that a given LINKTYPE_* code's value will refer to
* the same encapsulation type on all platforms, you should not allocate
* a new LINKTYPE_* value without consulting "tcpdump-workers@tcpdump.org".
* The tcpdump developers will allocate a value for you, and will not
* subsequently allocate it to anybody else; that value will be added to
* the "pcap.h" in the tcpdump.org CVS repository, so that a future
* libpcap release will include it.
* a new LINKTYPE_* value without consulting
* "tcpdump-workers@lists.tcpdump.org". The tcpdump developers will
* allocate a value for you, and will not subsequently allocate it to
* anybody else; that value will be added to the "pcap.h" in the
* tcpdump.org CVS repository, so that a future libpcap release will
* include it.
*
* You should, if possible, also contribute patches to libpcap and tcpdump
* to handle the new encapsulation type, so that they can also be checked
@ -313,9 +314,9 @@ static const char rcsid[] _U_ =
* for *their* private type and tools using them for *your* private type
* would have to read them.
*
* Instead, in those cases, ask "tcpdump-workers@tcpdump.org" for a new DLT_
* and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use the type
* you're given.
* Instead, in those cases, ask "tcpdump-workers@lists.tcpdump.org" for a
* new DLT_ and LINKTYPE_ value, as per the comment in pcap/bpf.h, and use
* the type you're given.
*/
#define LINKTYPE_USER0 147
#define LINKTYPE_USER1 148