1998-11-15 05:29:17 +00:00
|
|
|
/* libpcap.c
|
|
|
|
*
|
|
|
|
* Wiretap Library
|
2001-11-13 23:55:44 +00:00
|
|
|
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
|
2002-08-28 20:30:45 +00:00
|
|
|
*
|
2018-02-07 11:26:45 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
1998-11-15 05:29:17 +00:00
|
|
|
*/
|
2002-02-27 08:57:25 +00:00
|
|
|
|
1999-07-13 02:53:26 +00:00
|
|
|
#include "config.h"
|
2002-07-29 06:09:59 +00:00
|
|
|
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
#include <stdlib.h>
|
2003-12-18 19:07:14 +00:00
|
|
|
#include <string.h>
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
#include <errno.h>
|
2000-05-19 23:07:04 +00:00
|
|
|
#include "wtap-int.h"
|
2000-01-13 07:09:20 +00:00
|
|
|
#include "file_wrappers.h"
|
2021-02-23 09:18:31 +00:00
|
|
|
#include "required_file_handlers.h"
|
2009-04-27 09:28:28 +00:00
|
|
|
#include "pcap-common.h"
|
2010-02-23 03:50:42 +00:00
|
|
|
#include "pcap-encap.h"
|
1998-11-15 05:29:17 +00:00
|
|
|
#include "libpcap.h"
|
2020-05-02 04:02:00 +00:00
|
|
|
#include "erf-common.h"
|
2021-05-23 23:46:43 +00:00
|
|
|
#include <wsutil/ws_assert.h>
|
1998-11-15 05:29:17 +00:00
|
|
|
|
|
|
|
/* See source to the "libpcap" library for information on the "libpcap"
|
|
|
|
file format. */
|
|
|
|
|
2010-02-24 07:21:17 +00:00
|
|
|
/*
|
|
|
|
* Private per-wtap_t data needed to read a file.
|
|
|
|
*/
|
|
|
|
typedef enum {
|
|
|
|
NOT_SWAPPED,
|
|
|
|
SWAPPED,
|
|
|
|
MAYBE_SWAPPED
|
|
|
|
} swapped_type_t;
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
/*
|
|
|
|
* Variants of pcap, some distinguished by the magic number and some,
|
|
|
|
* alas, not.
|
|
|
|
*
|
|
|
|
* (Don't do that. Srsly.)
|
|
|
|
*/
|
|
|
|
typedef enum {
|
|
|
|
PCAP, /* OG pcap */
|
|
|
|
PCAP_NSEC, /* PCAP with nanosecond resolution */
|
|
|
|
PCAP_AIX, /* AIX pcap */
|
|
|
|
PCAP_SS990417, /* Modified, from 1999-04-17 patch */
|
|
|
|
PCAP_SS990915, /* Modified, from 1999-09-15 patch */
|
|
|
|
PCAP_SS991029, /* Modified, from 1999-10-29 patch */
|
|
|
|
PCAP_NOKIA, /* Nokia pcap */
|
|
|
|
PCAP_UNKNOWN /* Unknown as yet */
|
|
|
|
} pcap_variant_t;
|
|
|
|
|
2010-02-24 07:21:17 +00:00
|
|
|
typedef struct {
|
|
|
|
gboolean byte_swapped;
|
|
|
|
swapped_type_t lengths_swapped;
|
|
|
|
guint16 version_major;
|
|
|
|
guint16 version_minor;
|
2021-02-23 09:18:31 +00:00
|
|
|
pcap_variant_t variant;
|
2022-03-05 00:23:02 +00:00
|
|
|
int fcs_len;
|
2016-04-05 02:21:36 +00:00
|
|
|
void *encap_priv;
|
2010-02-24 07:21:17 +00:00
|
|
|
} libpcap_t;
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
/* Try to read the first few records of the capture file. */
|
2022-01-16 09:48:14 +00:00
|
|
|
static gboolean libpcap_try_variants(wtap *wth, const pcap_variant_t *variants,
|
|
|
|
size_t n_variants, int *err, gchar **err_info);
|
2014-09-20 17:45:28 +00:00
|
|
|
static int libpcap_try(wtap *wth, int *err, gchar **err_info);
|
2022-01-16 09:48:14 +00:00
|
|
|
static int libpcap_try_record(wtap *wth, int *err, gchar **err_info);
|
2000-09-15 07:52:43 +00:00
|
|
|
|
2019-04-05 01:56:27 +00:00
|
|
|
static gboolean libpcap_read(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
int *err, gchar **err_info, gint64 *data_offset);
|
2014-05-23 10:50:02 +00:00
|
|
|
static gboolean libpcap_seek_read(wtap *wth, gint64 seek_off,
|
2018-02-09 00:19:12 +00:00
|
|
|
wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
|
2014-05-09 05:18:49 +00:00
|
|
|
static gboolean libpcap_read_packet(wtap *wth, FILE_T fh,
|
2018-02-09 00:19:12 +00:00
|
|
|
wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
|
2014-08-24 08:06:35 +00:00
|
|
|
static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
|
|
|
|
struct pcaprec_ss990915_hdr *hdr);
|
2016-04-05 02:21:36 +00:00
|
|
|
static void libpcap_close(wtap *wth);
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
static gboolean libpcap_dump_pcap(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info);
|
|
|
|
static gboolean libpcap_dump_pcap_nsec(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info);
|
|
|
|
static gboolean libpcap_dump_pcap_ss990417(wtap_dumper *wdh,
|
|
|
|
const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
|
|
|
|
static gboolean libpcap_dump_pcap_ss990915(wtap_dumper *wdh,
|
|
|
|
const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
|
|
|
|
static gboolean libpcap_dump_pcap_ss991029(wtap_dumper *wdh,
|
|
|
|
const wtap_rec *rec, const guint8 *pd, int *err, gchar **err_info);
|
|
|
|
static gboolean libpcap_dump_pcap_nokia(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info);
|
|
|
|
|
2022-03-05 00:23:02 +00:00
|
|
|
/*
|
|
|
|
* Subfields of the field containing the link-layer header type.
|
|
|
|
*
|
|
|
|
* Link-layer header types are assigned for both pcap and
|
|
|
|
* pcapng, and the same value must work with both. In pcapng,
|
|
|
|
* the link-layer header type field in an Interface Description
|
|
|
|
* Block is 16 bits, so only the bottommost 16 bits of the
|
|
|
|
* link-layer header type in a pcap file can be used for the
|
|
|
|
* header type value.
|
|
|
|
*
|
|
|
|
* In libpcap, the upper 16 bits, from the top down, are divided into:
|
|
|
|
*
|
|
|
|
* A 4-bit "FCS length" field, to allow the FCS length to
|
|
|
|
* be specified, just as it can be specified in the if_fcslen
|
|
|
|
* field of the pcapng IDB. The field is in units of 16 bits,
|
|
|
|
* i.e. 1 means 16 bits of FCS, 2 means 32 bits of FCS, etc..
|
|
|
|
*
|
|
|
|
* A reserved bit, which must be zero.
|
|
|
|
*
|
|
|
|
* An "FCS length present" flag; if 0, the "FCS length" field
|
|
|
|
* should be ignored, and if 1, the "FCS length" field should
|
|
|
|
* be used.
|
|
|
|
*
|
|
|
|
* 10 reserved bits, which must be zero. They were originally
|
|
|
|
* intended to be used as a "class" field, allowing additional
|
|
|
|
* classes of link-layer types to be defined, with a class value
|
|
|
|
* of 0 indicating that the link-layer type is a LINKTYPE_ value.
|
|
|
|
* A value of 0x224 was, at one point, used by NetBSD to define
|
|
|
|
* "raw" packet types, with the lower 16 bits containing a
|
|
|
|
* NetBSD AF_ value; see
|
|
|
|
*
|
|
|
|
* https://marc.info/?l=tcpdump-workers&m=98296750229149&w=2
|
|
|
|
*
|
|
|
|
* It's unknown whether those were ever used in capture files,
|
|
|
|
* or if the intent was just to use it as a link-layer type
|
|
|
|
* for BPF programs; NetBSD's libpcap used to support them in
|
|
|
|
* the BPF code generator, but it no longer does so. If it
|
|
|
|
* was ever used in capture files, or if classes other than
|
|
|
|
* "LINKTYPE_ value" are ever useful in capture files, we could
|
|
|
|
* re-enable this, and use the reserved 16 bits following the
|
|
|
|
* link-layer type in pcapng files to hold the class information
|
|
|
|
* there. (Note, BTW, that LINKTYPE_RAW/DLT_RAW is now being
|
|
|
|
* interpreted by libpcap, tcpdump, and Wireshark as "raw IP",
|
|
|
|
* including both IPv4 and IPv6, with the version number in the
|
|
|
|
* header being checked to see which it is, not just "raw IPv4";
|
|
|
|
* there are LINKTYPE_IPV4/DLT_IPV4 and LINKTYPE_IPV6/DLT_IPV6
|
|
|
|
* values if "these are IPv{4,6} and only IPv{4,6} packets"
|
|
|
|
* types are needed.)
|
2022-03-05 01:49:15 +00:00
|
|
|
*
|
|
|
|
* Or we might be able to use it for other purposes.
|
2022-03-05 00:23:02 +00:00
|
|
|
*/
|
|
|
|
#define LT_LINKTYPE(x) ((x) & 0x0000FFFF)
|
2022-03-05 01:49:15 +00:00
|
|
|
#define LT_RESERVED1(x) ((x) & 0x03FF0000)
|
2022-03-05 00:23:02 +00:00
|
|
|
#define LT_FCS_LENGTH_PRESENT(x) ((x) & 0x04000000)
|
|
|
|
#define LT_FCS_LENGTH(x) (((x) & 0xF0000000) >> 28)
|
|
|
|
#define LT_FCS_DATALINK_EXT(x) (((x) & 0xF) << 28) | 0x04000000)
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
/*
|
|
|
|
* Private file type/subtype values; pcap and nanosecond-resolution
|
|
|
|
* pcap are imported from wiretap/file_access.c.
|
|
|
|
*/
|
|
|
|
static int pcap_aix_file_type_subtype = -1;
|
|
|
|
static int pcap_ss990417_file_type_subtype = -1;
|
|
|
|
static int pcap_ss990915_file_type_subtype = -1;
|
|
|
|
static int pcap_ss991029_file_type_subtype = -1;
|
|
|
|
static int pcap_nokia_file_type_subtype = -1;
|
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
/*
|
|
|
|
* pcap variants that use the standard magic number.
|
|
|
|
*/
|
|
|
|
static const pcap_variant_t variants_standard[] = {
|
|
|
|
PCAP,
|
|
|
|
PCAP_SS990417,
|
|
|
|
PCAP_NOKIA
|
|
|
|
};
|
|
|
|
#define N_VARIANTS_STANDARD G_N_ELEMENTS(variants_standard)
|
|
|
|
|
|
|
|
/*
|
|
|
|
* pcap variants that use the modified magic number.
|
|
|
|
*/
|
|
|
|
static const pcap_variant_t variants_modified[] = {
|
|
|
|
PCAP_SS991029,
|
|
|
|
PCAP_SS990915
|
|
|
|
};
|
|
|
|
#define N_VARIANTS_MODIFIED G_N_ELEMENTS(variants_modified)
|
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info)
|
1998-11-15 05:29:17 +00:00
|
|
|
{
|
|
|
|
guint32 magic;
|
|
|
|
struct pcap_hdr hdr;
|
1999-11-06 10:31:47 +00:00
|
|
|
gboolean byte_swapped;
|
2022-01-16 09:48:14 +00:00
|
|
|
pcap_variant_t variant;
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap_t *libpcap;
|
2017-09-19 11:30:56 +00:00
|
|
|
int skip_size = 0;
|
|
|
|
int sizebytes;
|
1998-11-15 05:29:17 +00:00
|
|
|
|
|
|
|
/* Read in the number that should be at the start of a "libpcap" file */
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(wth->fh, &magic, sizeof magic, err, err_info)) {
|
|
|
|
if (*err != WTAP_ERR_SHORT_READ)
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
return WTAP_OPEN_NOT_MINE;
|
1998-11-15 05:29:17 +00:00
|
|
|
}
|
|
|
|
|
1999-11-06 08:42:01 +00:00
|
|
|
switch (magic) {
|
|
|
|
|
|
|
|
case PCAP_MAGIC:
|
2000-07-26 06:04:34 +00:00
|
|
|
/* Host that wrote it has our byte order, and was running
|
2022-01-16 09:48:14 +00:00
|
|
|
a program using either standard or ss990417 libpcap,
|
|
|
|
or maybe it was written by AIX. That means we don't
|
|
|
|
yet know the variant. */
|
1999-11-06 08:42:01 +00:00
|
|
|
byte_swapped = FALSE;
|
2022-01-16 09:48:14 +00:00
|
|
|
variant = PCAP_UNKNOWN;
|
1999-11-06 08:42:01 +00:00
|
|
|
break;
|
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
case PCAP_SWAPPED_MAGIC:
|
|
|
|
/* Host that wrote it has a byte order opposite to ours,
|
|
|
|
and was running a program using either standard or
|
|
|
|
ss990417 libpcap, or maybe it was written by AIX.
|
|
|
|
That means we don't yet know the variant. */
|
|
|
|
byte_swapped = TRUE;
|
|
|
|
variant = PCAP_UNKNOWN;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_IXIAHW_MAGIC:
|
|
|
|
case PCAP_IXIASW_MAGIC:
|
|
|
|
/* Weird Ixia variant that has extra crud, written in our
|
|
|
|
byte order. It's otherwise like standard pcap. */
|
|
|
|
skip_size = 1;
|
1999-11-06 08:42:01 +00:00
|
|
|
byte_swapped = FALSE;
|
2022-01-16 09:48:14 +00:00
|
|
|
variant = PCAP;
|
1999-11-06 08:42:01 +00:00
|
|
|
break;
|
|
|
|
|
2017-09-19 11:30:56 +00:00
|
|
|
case PCAP_SWAPPED_IXIAHW_MAGIC:
|
|
|
|
case PCAP_SWAPPED_IXIASW_MAGIC:
|
2022-01-16 09:48:14 +00:00
|
|
|
/* Weird Ixia variant that has extra crud, written in a
|
|
|
|
byte order opposite to ours. It's otherwise like
|
|
|
|
standard pcap. */
|
2017-09-19 11:30:56 +00:00
|
|
|
skip_size = 1;
|
1999-11-06 08:42:01 +00:00
|
|
|
byte_swapped = TRUE;
|
2022-01-16 09:48:14 +00:00
|
|
|
variant = PCAP;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_MODIFIED_MAGIC:
|
|
|
|
/* Host that wrote it has our byte order, and was running
|
|
|
|
a program using either ss990915 or ss991029 libpcap.
|
|
|
|
That means we don't yet know the variant; there's
|
|
|
|
no obvious default, so default to "unknown". */
|
|
|
|
byte_swapped = FALSE;
|
|
|
|
variant = PCAP_UNKNOWN;
|
1999-11-06 08:42:01 +00:00
|
|
|
break;
|
|
|
|
|
1999-11-06 10:31:47 +00:00
|
|
|
case PCAP_SWAPPED_MODIFIED_MAGIC:
|
1999-11-06 08:42:01 +00:00
|
|
|
/* Host that wrote it out has a byte order opposite to
|
2000-07-26 06:04:34 +00:00
|
|
|
ours, and was running a program using either ss990915
|
2022-01-16 09:48:14 +00:00
|
|
|
or ss991029 libpcap. That means we don't yet know
|
|
|
|
the variant; there's no obvious default, so default
|
|
|
|
to "unknown". */
|
1999-11-06 08:42:01 +00:00
|
|
|
byte_swapped = TRUE;
|
2022-01-16 09:48:14 +00:00
|
|
|
variant = PCAP_UNKNOWN;
|
1999-11-06 08:42:01 +00:00
|
|
|
break;
|
|
|
|
|
2005-08-30 09:43:47 +00:00
|
|
|
case PCAP_NSEC_MAGIC:
|
2010-01-27 00:35:32 +00:00
|
|
|
/* Host that wrote it has our byte order, and was writing
|
|
|
|
the file in a format similar to standard libpcap
|
|
|
|
except that the time stamps have nanosecond resolution. */
|
2005-08-30 09:43:47 +00:00
|
|
|
byte_swapped = FALSE;
|
2022-01-16 09:48:14 +00:00
|
|
|
variant = PCAP_NSEC;
|
2005-08-30 09:43:47 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_SWAPPED_NSEC_MAGIC:
|
|
|
|
/* Host that wrote it out has a byte order opposite to
|
2010-01-27 00:35:32 +00:00
|
|
|
ours, and was writing the file in a format similar to
|
|
|
|
standard libpcap except that the time stamps have
|
|
|
|
nanosecond resolution. */
|
2005-08-30 09:43:47 +00:00
|
|
|
byte_swapped = TRUE;
|
2022-01-16 09:48:14 +00:00
|
|
|
variant = PCAP_NSEC;
|
2005-08-30 09:43:47 +00:00
|
|
|
break;
|
|
|
|
|
1999-11-06 08:42:01 +00:00
|
|
|
default:
|
|
|
|
/* Not a "libpcap" type we know about. */
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_NOT_MINE;
|
1998-11-15 05:29:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Read the rest of the header. */
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes(wth->fh, &hdr, sizeof hdr, err, err_info))
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2017-09-19 11:30:56 +00:00
|
|
|
if (skip_size==1 && !wtap_read_bytes(wth->fh, &sizebytes, sizeof sizebytes, err, err_info))
|
|
|
|
return WTAP_OPEN_ERROR;
|
1998-11-15 05:29:17 +00:00
|
|
|
|
|
|
|
if (byte_swapped) {
|
|
|
|
/* Byte-swap the header fields about which we care. */
|
2022-01-16 09:48:14 +00:00
|
|
|
magic = GUINT32_SWAP_LE_BE(magic);
|
2013-11-29 19:21:20 +00:00
|
|
|
hdr.version_major = GUINT16_SWAP_LE_BE(hdr.version_major);
|
|
|
|
hdr.version_minor = GUINT16_SWAP_LE_BE(hdr.version_minor);
|
|
|
|
hdr.snaplen = GUINT32_SWAP_LE_BE(hdr.snaplen);
|
|
|
|
hdr.network = GUINT32_SWAP_LE_BE(hdr.network);
|
1998-11-15 05:29:17 +00:00
|
|
|
}
|
|
|
|
if (hdr.version_major < 2) {
|
|
|
|
/* We only support version 2.0 and later. */
|
Have the per-capture-file-type open routines "wtap_open_offline()" calls
return 1 on success, -1 if they got an error, and 0 if the file isn't of
the type that file is checking for, and supply an error code if they
return -1; have "wtap_open_offline()" use that error code. Also, have
the per-capture-file-type open routines treat errors accessing the file
as errors, and return -1, rather than just returning 0 so that we try
another file type.
Have the per-capture-file-type read routines "wtap_loop()" calls return
-1 and supply an error code on error (and not, as they did in some
cases, call "g_error()" and abort), and have "wtap_loop()", if the read
routine returned an error, return FALSE (and pass an error-code-pointer
argument onto the read routines, so they fill it in), and return TRUE on
success.
Add some new error codes for them to return.
Now that "wtap_loop()" can return a success/failure indication and an
error code, in "read_cap_file()" put up a message box if we get an error
reading the file, and return the error code.
Handle the additional errors we can get when opening a capture file.
If the attempt to open a capture file succeeds, but the attempt to read
it fails, don't treat that as a complete failure - we may have managed
to read some of the capture file, and we should display what we managed
to read.
svn path=/trunk/; revision=516
1999-08-19 05:31:38 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("pcap: major version %u unsupported",
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
hdr.version_major);
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
1998-11-15 05:29:17 +00:00
|
|
|
}
|
Add in some heuristics to try to detect AIX libpcap format. (This works
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
2001-11-06 01:55:14 +00:00
|
|
|
|
1998-11-15 05:29:17 +00:00
|
|
|
/* This is a libpcap file */
|
2022-01-16 19:25:48 +00:00
|
|
|
wth->subtype_read = libpcap_read;
|
|
|
|
wth->subtype_seek_read = libpcap_seek_read;
|
|
|
|
wth->subtype_close = libpcap_close;
|
|
|
|
wth->snapshot_length = hdr.snaplen;
|
|
|
|
libpcap = g_new0(libpcap_t, 1);
|
|
|
|
wth->priv = (void *)libpcap;
|
2022-01-16 09:48:14 +00:00
|
|
|
/*
|
|
|
|
* Fill in the information we already know or can determine
|
|
|
|
* at this point, so the private data is usable by the code
|
|
|
|
* that tries reading packets as a heuristic to guess the
|
|
|
|
* variant.
|
|
|
|
*/
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap->byte_swapped = byte_swapped;
|
2003-10-24 23:55:34 +00:00
|
|
|
/* In file format version 2.3, the order of the "incl_len" and
|
|
|
|
"orig_len" fields in the per-packet header was reversed,
|
|
|
|
in order to match the BPF header layout.
|
|
|
|
|
|
|
|
Therefore, in files with versions prior to that, we must swap
|
|
|
|
those two fields.
|
|
|
|
|
|
|
|
Unfortunately, some files were, according to a comment in the
|
|
|
|
"libpcap" source, written with version 2.3 in their headers
|
|
|
|
but without the interchanged fields, so if "incl_len" is
|
|
|
|
greater than "orig_len" - which would make no sense - we
|
|
|
|
assume that we need to swap them in version 2.3 files
|
|
|
|
as well.
|
|
|
|
|
|
|
|
In addition, DG/UX's tcpdump uses version 543.0, and writes
|
|
|
|
the two fields in the pre-2.3 order. */
|
|
|
|
switch (hdr.version_major) {
|
|
|
|
|
|
|
|
case 2:
|
|
|
|
if (hdr.version_minor < 3)
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap->lengths_swapped = SWAPPED;
|
2003-10-24 23:55:34 +00:00
|
|
|
else if (hdr.version_minor == 3)
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap->lengths_swapped = MAYBE_SWAPPED;
|
2003-10-24 23:55:34 +00:00
|
|
|
else
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap->lengths_swapped = NOT_SWAPPED;
|
2003-10-24 23:55:34 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 543:
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap->lengths_swapped = SWAPPED;
|
2003-10-24 23:55:34 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2010-02-24 07:21:17 +00:00
|
|
|
libpcap->lengths_swapped = NOT_SWAPPED;
|
2003-10-24 23:55:34 +00:00
|
|
|
break;
|
|
|
|
}
|
2022-01-16 09:48:14 +00:00
|
|
|
libpcap->version_major = hdr.version_major;
|
|
|
|
libpcap->version_minor = hdr.version_minor;
|
1999-11-06 10:31:47 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* Check whether this is an AIX pcap before we convert the
|
|
|
|
* link-layer type in the header file to an encapsulation,
|
|
|
|
* because AIX pcaps use RFC 1573 ifType values in the header.
|
|
|
|
*
|
|
|
|
* AIX pcap files use the standard magic number, and have a
|
|
|
|
* major and minor version of 2.
|
|
|
|
*
|
|
|
|
* Unfortunately, that's also true of older versions of libpcap,
|
|
|
|
* so we need to do some heuristics to try to identify AIX pcap
|
|
|
|
* files.
|
Add in some heuristics to try to detect AIX libpcap format. (This works
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
2001-11-06 01:55:14 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
if (magic == PCAP_MAGIC && hdr.version_major == 2 &&
|
|
|
|
hdr.version_minor == 2) {
|
Add in some heuristics to try to detect AIX libpcap format. (This works
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
2001-11-06 01:55:14 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* The AIX libpcap uses RFC 1573 ifType values rather
|
|
|
|
* than LINKTYPE_/DLT_ values in the header; the ifType
|
|
|
|
* values for LAN devices are:
|
|
|
|
*
|
|
|
|
* Ethernet 6
|
|
|
|
* Token Ring 9
|
|
|
|
* FDDI 15
|
|
|
|
*
|
|
|
|
* which correspond to LINKTYPE_IEEE802_5/DLT_IEEE802 (used
|
|
|
|
* for Token Ring), LINKTYPE_PPP/DLT_PPP, and
|
|
|
|
* LINKTYPE_SLIP_BSDOS/DLT_SLIP_BSDOS, respectively, and
|
|
|
|
* the ifType value for a loopback interface is 24, which
|
|
|
|
* currently isn't used by any version of libpcap I know
|
|
|
|
* about (and, as tcpdump.org are assigning LINKTYPE_/DLT_
|
|
|
|
* values above 100, and NetBSD started assigning values
|
|
|
|
* starting at 50, and the values chosen by other libpcaps
|
|
|
|
* appear to stop at 19, it's probably not going to be used
|
|
|
|
* by any libpcap in the future).
|
|
|
|
*
|
|
|
|
* So we shall assume that if the network type is 6, 9, 15,
|
|
|
|
* or 24 it's AIX libpcap.
|
|
|
|
*
|
|
|
|
* We also assume those older versions of libpcap didn't use
|
|
|
|
* LINKTYPE_IEEE802_5/DLT_IEEE802 for Token Ring, and didn't
|
|
|
|
* use LINKTYPE_SLIP_BSDOS/DLT_SLIP_BSDOS as that came later.
|
|
|
|
* It may have used LINKTYPE_PPP/DLT_PPP, however, in which
|
|
|
|
* case we're out of luck; we assume it's Token Ring in AIX
|
|
|
|
* libpcap rather than PPP in standard libpcap, as you're
|
|
|
|
* probably more likely to be handing an AIX libpcap token-
|
|
|
|
*ring capture than an old (pre-libpcap 0.4) PPP capture to
|
|
|
|
* Wireshark.
|
|
|
|
*
|
|
|
|
* AIX pcap files didn't use the upper 16 bits, so we don't
|
|
|
|
* need to ignore them here - they'll be 0.
|
Add in some heuristics to try to detect AIX libpcap format. (This works
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
2001-11-06 01:55:14 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
switch (hdr.network) {
|
2020-07-29 08:30:54 +00:00
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
case 6:
|
|
|
|
hdr.network = 1; /* LINKTYPE_EN10MB, Ethernet */
|
|
|
|
variant = PCAP_AIX;
|
|
|
|
break;
|
2020-07-29 08:30:54 +00:00
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
case 9:
|
|
|
|
hdr.network = 6; /* LINKTYPE_IEEE802_5, Token Ring */
|
|
|
|
variant = PCAP_AIX;
|
|
|
|
break;
|
Add in some heuristics to try to detect AIX libpcap format. (This works
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
2001-11-06 01:55:14 +00:00
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
case 15:
|
|
|
|
hdr.network = 10; /* LINKTYPE_FDDI, FDDI */
|
|
|
|
variant = PCAP_AIX;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 24:
|
|
|
|
hdr.network = 0; /* LINKTYPE_NULL, loopback */
|
|
|
|
variant = PCAP_AIX;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2022-03-05 00:23:02 +00:00
|
|
|
|
Add in some heuristics to try to detect AIX libpcap format. (This works
with one capture I've seen, but perhaps that was done with an old
version of AIX, and newer versions use a minor version number, in the
file, of 4.
However, libpcap hasn't used a minor version of 2 for ages, so perhaps
AIX hasn't updated their libpcap in ages, and aren't about to do so
soon. If they do, let's hope they change the magic number. The capture
file in question *does* have the capture length and real length in the
old, pre-2.3, order, so it really looks as if it's an old version,
rather than IBM trying to be "helpful" by using a different minor
version number so that you can distinguish between normal libpcap and
AIX libpcap formats.)
svn path=/trunk/; revision=4164
2001-11-06 01:55:14 +00:00
|
|
|
/*
|
2022-03-05 01:49:15 +00:00
|
|
|
* Check the main reserved field.
|
1999-11-06 10:31:47 +00:00
|
|
|
*/
|
2022-03-05 01:49:15 +00:00
|
|
|
if (LT_RESERVED1(hdr.network) != 0) {
|
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
|
|
|
*err_info = ws_strdup_printf("pcap: network type reserved field not zero (0x%08x)",
|
|
|
|
LT_RESERVED1(hdr.network));
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
2022-03-05 00:23:02 +00:00
|
|
|
|
2022-03-05 01:49:15 +00:00
|
|
|
/*
|
|
|
|
* Map the link-layer type from the "network" field in
|
|
|
|
* the header to a Wiretap encapsulation.
|
|
|
|
*/
|
|
|
|
wth->file_encap = wtap_pcap_encap_to_wtap_encap(LT_LINKTYPE(hdr.network));
|
|
|
|
if (wth->file_encap == WTAP_ENCAP_UNKNOWN) {
|
2022-01-16 09:48:14 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
2022-03-05 01:49:15 +00:00
|
|
|
*err_info = ws_strdup_printf("pcap: network type %u unknown or unsupported",
|
|
|
|
hdr.network);
|
2022-01-16 09:48:14 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2014-08-24 08:06:35 +00:00
|
|
|
}
|
2022-03-05 00:23:02 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Extract the FCS information, if present.
|
|
|
|
*/
|
|
|
|
libpcap->fcs_len = -1;
|
|
|
|
if (LT_FCS_LENGTH_PRESENT(hdr.network)) {
|
|
|
|
/*
|
|
|
|
* We have an FCS length.
|
|
|
|
*/
|
|
|
|
libpcap->fcs_len = LT_FCS_LENGTH(hdr.network) * 16;
|
|
|
|
}
|
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
libpcap->encap_priv = NULL;
|
2000-07-26 06:04:34 +00:00
|
|
|
|
2014-08-24 08:06:35 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* If this file has the standard magic number, it could be
|
|
|
|
* one of a number of variants, including regular pcap, the
|
|
|
|
* AIX variant, the ss990417 variant, and a Nokia variant.
|
|
|
|
* The ss990417 variant is used in, for example, Red Hat 6.1,
|
|
|
|
* so some versions of AIX, RH 6.1, and some Nokia devices
|
|
|
|
* write files that can't be read by any software that expects
|
|
|
|
* standard libpcap packet record headers if the magic number
|
|
|
|
* is the standard magic number (e.g., any program such as
|
|
|
|
* tcpdump that uses libpcap, when using the standard libpcap,
|
|
|
|
* and Wireshark if we don't do the heuristics below).
|
|
|
|
*
|
|
|
|
* If this file has the patched magic number, used by the
|
|
|
|
* ss990915 and ss991029 variants, then it could be either
|
|
|
|
* of those. The ss991029 variant uses the same packet
|
|
|
|
* record header as the ss990417 variant, but the ss990915
|
|
|
|
* variant uses a packet record header with some additional
|
|
|
|
* fields and it is used in, for example, SuSE 6.3, so SuSE
|
|
|
|
* 6.3 writes files that can't be read by any software that
|
|
|
|
* expects ss990417 packet record headers if the magic number
|
|
|
|
* is the modified magic number.
|
|
|
|
*
|
|
|
|
* So, for the standard and modified magic number:
|
|
|
|
*
|
|
|
|
* For the standard magic number, we first do some heuristic
|
|
|
|
* checks of data from the file header to see if it looks like
|
|
|
|
* an AIX libpcap file. If so, we choose PCAP_AIX as the variant,
|
|
|
|
* and we don't have to do any more guessing.
|
|
|
|
*
|
|
|
|
* Otherwise, we determine the variant by, for each variant,
|
|
|
|
* trying to read the first few packets as if that file were
|
|
|
|
* in that variant's format, and seeing whether the packet
|
|
|
|
* record headers make sense.
|
|
|
|
*
|
|
|
|
* But don't do the latter if the input is a pipe; that would mean
|
|
|
|
* the open won't complete until two packets have been written to
|
|
|
|
* the pipe, unless the pipe is closed after one packet has been
|
|
|
|
* written, so a program reading from the file won't see the
|
|
|
|
* first packet until the second packet has been written.
|
2014-08-24 08:06:35 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
switch (magic) {
|
|
|
|
|
|
|
|
case PCAP_MAGIC:
|
2018-01-19 07:06:24 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* Original libpcap magic.
|
|
|
|
*
|
|
|
|
* If we still don't know the variant, look at the first
|
|
|
|
* few packets to see what type of per-packet header they
|
|
|
|
* have.
|
|
|
|
*
|
|
|
|
* Default to PCAP, as that's probably what this is;
|
|
|
|
* libpcap_try_variants() will just give up if we're
|
|
|
|
* reading from a pipe.
|
2018-01-19 07:06:24 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
if (variant == PCAP_UNKNOWN) {
|
|
|
|
if (wth->ispipe) {
|
2018-01-19 07:06:24 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* We can't do the heuristics.
|
|
|
|
* Just go with standard libpcap.
|
2018-01-19 07:06:24 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
libpcap->variant = PCAP;
|
|
|
|
} else {
|
2018-01-19 07:06:24 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* Try the variants that use the standard
|
|
|
|
* pcap magic number.
|
2018-01-19 07:06:24 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
if (!libpcap_try_variants(wth, variants_standard,
|
|
|
|
N_VARIANTS_STANDARD, err, err_info)) {
|
|
|
|
/*
|
|
|
|
* File read error.
|
|
|
|
*/
|
2018-01-19 07:06:24 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
}
|
|
|
|
}
|
2022-01-16 09:48:14 +00:00
|
|
|
} else {
|
2000-09-15 07:52:43 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* Use the variant we found.
|
2000-09-15 07:52:43 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
libpcap->variant = variant;
|
2002-03-04 00:25:35 +00:00
|
|
|
}
|
2022-01-16 09:48:14 +00:00
|
|
|
break;
|
1999-11-06 10:31:47 +00:00
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
case PCAP_MODIFIED_MAGIC:
|
1999-11-06 10:31:47 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* Modified libpcap magic, from Alexey's later two
|
|
|
|
* patches.
|
|
|
|
*
|
|
|
|
* This might be one of two different flavors of
|
|
|
|
* pcap file, with different modified per-packet
|
|
|
|
* headers.
|
|
|
|
*
|
|
|
|
* If we're reading from a pipe, we don't have an
|
|
|
|
* obvious choice to use as a default.
|
1999-11-06 10:31:47 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
if (wth->ispipe) {
|
2014-08-24 08:06:35 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* We can't do the heuristics.
|
|
|
|
* There's no obvious choice to use as a
|
|
|
|
* default, so just report an error.
|
2014-08-24 08:06:35 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
*err = WTAP_ERR_UNSUPPORTED;
|
|
|
|
*err_info = g_strdup("pcap: that type of pcap file can't be read from a pipe");
|
|
|
|
return WTAP_OPEN_ERROR;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Try the variants that use the modified
|
|
|
|
* pcap magic number.
|
|
|
|
*/
|
|
|
|
if (!libpcap_try_variants(wth, variants_modified,
|
|
|
|
N_VARIANTS_MODIFIED, err, err_info)) {
|
2018-01-19 07:06:24 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* File read error.
|
2018-01-19 07:06:24 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
return WTAP_OPEN_ERROR;
|
2018-01-19 07:06:24 +00:00
|
|
|
}
|
2002-03-04 00:25:35 +00:00
|
|
|
}
|
2022-01-16 09:48:14 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
/*
|
|
|
|
* None of these require heuristics to guess the
|
|
|
|
* variant; just use the variant we found.
|
|
|
|
*/
|
|
|
|
libpcap->variant = variant;
|
|
|
|
break;
|
2000-07-26 06:04:34 +00:00
|
|
|
}
|
1999-11-06 10:31:47 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
/*
|
2022-01-16 09:48:14 +00:00
|
|
|
* Set the file type and subtype, and handle some variants
|
|
|
|
* specially.
|
2021-02-23 09:18:31 +00:00
|
|
|
*/
|
|
|
|
switch (libpcap->variant) {
|
|
|
|
|
|
|
|
case PCAP:
|
|
|
|
wth->file_type_subtype = pcap_file_type_subtype;
|
2022-01-16 09:48:14 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_USEC;
|
2021-02-23 09:18:31 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_NSEC:
|
|
|
|
wth->file_type_subtype = pcap_nsec_file_type_subtype;
|
2022-01-16 09:48:14 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_NSEC;
|
2021-02-23 09:18:31 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_SS990417:
|
|
|
|
wth->file_type_subtype = pcap_ss990417_file_type_subtype;
|
2022-01-16 09:48:14 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_USEC;
|
2021-02-23 09:18:31 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_SS990915:
|
|
|
|
wth->file_type_subtype = pcap_ss990915_file_type_subtype;
|
2022-01-16 09:48:14 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_USEC;
|
2021-02-23 09:18:31 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_SS991029:
|
|
|
|
wth->file_type_subtype = pcap_ss991029_file_type_subtype;
|
2022-01-16 09:48:14 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_USEC;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_AIX:
|
|
|
|
wth->file_type_subtype = pcap_aix_file_type_subtype;
|
|
|
|
wth->file_tsprec = WTAP_TSPREC_NSEC;
|
2021-02-23 09:18:31 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PCAP_NOKIA:
|
|
|
|
wth->file_type_subtype = pcap_nokia_file_type_subtype;
|
2022-01-16 09:48:14 +00:00
|
|
|
wth->file_tsprec = WTAP_TSPREC_USEC;
|
|
|
|
/*
|
|
|
|
* We treat a DLT_ value of 13 specially - it appears
|
|
|
|
* that in Nokia libpcap format, it's some form of ATM
|
|
|
|
* with what I suspect is a pseudo-header (even though
|
|
|
|
* Nokia's IPSO is based on FreeBSD, which #defines
|
|
|
|
* DLT_SLIP_BSDOS as 13).
|
|
|
|
*
|
|
|
|
* Treat 13 as WTAP_ENCAP_ATM_PDUS, rather than as what
|
|
|
|
* we normally treat it.
|
|
|
|
*/
|
|
|
|
if (hdr.network == 13)
|
|
|
|
wth->file_encap = WTAP_ENCAP_ATM_PDUS;
|
2021-02-23 09:18:31 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2021-05-23 23:46:43 +00:00
|
|
|
ws_assert_not_reached();
|
2021-02-23 09:18:31 +00:00
|
|
|
}
|
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
if (wth->file_encap == WTAP_ENCAP_ERF) {
|
2022-01-16 09:48:14 +00:00
|
|
|
/* Reset the ERF interface lookup table */
|
2016-04-05 02:21:36 +00:00
|
|
|
libpcap->encap_priv = erf_priv_create();
|
2021-06-18 22:34:49 +00:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Add an IDB; we don't know how many interfaces were
|
|
|
|
* involved, so we just say one interface, about which
|
|
|
|
* we only know the link-layer type, snapshot length,
|
|
|
|
* and time stamp resolution.
|
|
|
|
*/
|
|
|
|
wtap_add_generated_idb(wth);
|
2012-05-28 00:43:13 +00:00
|
|
|
}
|
2020-05-02 04:55:46 +00:00
|
|
|
|
2014-10-09 23:44:15 +00:00
|
|
|
return WTAP_OPEN_MINE;
|
2000-09-15 07:52:43 +00:00
|
|
|
}
|
2000-07-26 06:04:34 +00:00
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
static gboolean libpcap_try_variants(wtap *wth, const pcap_variant_t *variants,
|
|
|
|
size_t n_variants, int *err, gchar **err_info)
|
|
|
|
{
|
|
|
|
libpcap_t *libpcap = (libpcap_t *)wth->priv;
|
|
|
|
#define MAX_FIGURES_OF_MERIT \
|
|
|
|
MAX(N_VARIANTS_MODIFIED, N_VARIANTS_STANDARD)
|
|
|
|
int figures_of_merit[MAX_FIGURES_OF_MERIT];
|
|
|
|
int best_variant;
|
|
|
|
gint64 first_packet_offset;
|
|
|
|
|
|
|
|
first_packet_offset = file_tell(wth->fh);
|
|
|
|
for (size_t i = 0; i < n_variants; i++) {
|
|
|
|
libpcap->variant = variants[i];
|
|
|
|
figures_of_merit[i] = libpcap_try(wth, err, err_info);
|
|
|
|
if (figures_of_merit[i] == -1) {
|
|
|
|
/*
|
|
|
|
* Well, we couldn't even read it. Give up.
|
|
|
|
*/
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
if (figures_of_merit[i] == 0) {
|
|
|
|
/*
|
|
|
|
* This format doesn't have any issues.
|
|
|
|
* Put the seek pointer back, and finish,
|
|
|
|
* using that format as the subtype.
|
|
|
|
*/
|
|
|
|
if (file_seek(wth->fh, first_packet_offset, SEEK_SET,
|
|
|
|
err) == -1) {
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* OK, we've recorded the figure of merit for this
|
|
|
|
* one; go back to the first packet and try the
|
|
|
|
* next one.
|
|
|
|
*/
|
|
|
|
if (file_seek(wth->fh, first_packet_offset, SEEK_SET,
|
|
|
|
err) == -1) {
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* OK, none are perfect; let's see which one is least bad.
|
|
|
|
*/
|
|
|
|
best_variant = INT_MAX;
|
|
|
|
for (size_t i = 0; i < n_variants; i++) {
|
|
|
|
/*
|
|
|
|
* Is this subtype better than the last one we saw?
|
|
|
|
*/
|
|
|
|
if (figures_of_merit[i] < best_variant) {
|
|
|
|
/*
|
|
|
|
* Yes. Choose it until we find a better one.
|
|
|
|
*/
|
|
|
|
libpcap->variant = variants[i];
|
|
|
|
best_variant = figures_of_merit[i];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2018-04-24 08:32:22 +00:00
|
|
|
/*
|
|
|
|
* Maximum number of records to try to read. Must be >= 2.
|
|
|
|
*/
|
|
|
|
#define MAX_RECORDS_TO_TRY 3
|
|
|
|
|
|
|
|
/* Try to read the first MAX_RECORDS_TO_TRY records of the capture file. */
|
2014-09-20 17:45:28 +00:00
|
|
|
static int libpcap_try(wtap *wth, int *err, gchar **err_info)
|
2000-09-15 07:52:43 +00:00
|
|
|
{
|
2014-08-24 08:06:35 +00:00
|
|
|
int ret;
|
2018-04-24 08:32:22 +00:00
|
|
|
int i;
|
2014-08-24 08:06:35 +00:00
|
|
|
|
2000-07-26 06:04:34 +00:00
|
|
|
/*
|
2018-04-24 21:19:47 +00:00
|
|
|
* Attempt to read the first record.
|
2000-09-15 07:52:43 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
ret = libpcap_try_record(wth, err, err_info);
|
2014-08-24 08:06:35 +00:00
|
|
|
if (ret != 0) {
|
1999-11-06 10:31:47 +00:00
|
|
|
/*
|
2018-04-24 21:19:47 +00:00
|
|
|
* Error or mismatch; return the error indication or
|
|
|
|
* the figure of merit (demerit?).
|
1999-11-06 10:31:47 +00:00
|
|
|
*/
|
2014-08-24 08:06:35 +00:00
|
|
|
return ret;
|
1999-11-06 10:31:47 +00:00
|
|
|
}
|
|
|
|
|
2018-04-24 08:32:22 +00:00
|
|
|
/*
|
|
|
|
* Now attempt to read the next MAX_RECORDS_TO_TRY-1 records.
|
|
|
|
* Get the maximum figure of (de?)merit, as that represents the
|
|
|
|
* figure of merit for the record that had the most problems.
|
|
|
|
*/
|
|
|
|
for (i = 1; i < MAX_RECORDS_TO_TRY; i++) {
|
|
|
|
/*
|
2018-04-24 21:19:47 +00:00
|
|
|
* Attempt to read this record.
|
2018-04-24 08:32:22 +00:00
|
|
|
*/
|
2022-01-16 09:48:14 +00:00
|
|
|
ret = libpcap_try_record(wth, err, err_info);
|
2018-04-24 08:32:22 +00:00
|
|
|
if (ret != 0) {
|
|
|
|
/*
|
2018-04-24 21:19:47 +00:00
|
|
|
* Error or mismatch; return the error indication or
|
|
|
|
* the figure of merit (demerit?).
|
2018-04-24 08:32:22 +00:00
|
|
|
*/
|
|
|
|
return ret;
|
|
|
|
}
|
2014-08-24 08:06:35 +00:00
|
|
|
}
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
/* They all succeeded. */
|
2018-04-24 08:32:22 +00:00
|
|
|
return 0;
|
2014-08-24 08:06:35 +00:00
|
|
|
}
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
/* Read the header of the next packet and, if that succeeds, read the
|
|
|
|
data of the next packet.
|
2014-08-24 08:06:35 +00:00
|
|
|
|
|
|
|
Return -1 on an I/O error, 0 on success, or a positive number if the
|
|
|
|
header looks corrupt. The higher the positive number, the more things
|
|
|
|
are wrong with the header; this is used by the heuristics that try to
|
|
|
|
guess what type of file it is, with the type with the fewest problems
|
|
|
|
being chosen. */
|
2022-01-16 09:48:14 +00:00
|
|
|
static int libpcap_try_record(wtap *wth, int *err, gchar **err_info)
|
2014-08-24 08:06:35 +00:00
|
|
|
{
|
2018-04-24 21:19:47 +00:00
|
|
|
/*
|
|
|
|
* pcaprec_ss990915_hdr is the largest header type.
|
|
|
|
*/
|
|
|
|
struct pcaprec_ss990915_hdr rec_hdr;
|
2014-08-24 08:06:35 +00:00
|
|
|
int ret;
|
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
if (!libpcap_read_header(wth, wth->fh, err, err_info, &rec_hdr)) {
|
2018-04-24 21:19:47 +00:00
|
|
|
if (*err == 0) {
|
|
|
|
/*
|
|
|
|
* EOF - assume the file is in this format.
|
|
|
|
* This means it doesn't have all the
|
|
|
|
* records we're trying to read.
|
|
|
|
*/
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (*err == WTAP_ERR_SHORT_READ) {
|
|
|
|
/*
|
|
|
|
* Short read; this might be a corrupt
|
|
|
|
* file in this format or might not be
|
|
|
|
* in this format. Return a figure of
|
|
|
|
* merit of 1.
|
|
|
|
*/
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
/* Hard error. */
|
2014-08-24 08:06:35 +00:00
|
|
|
return -1;
|
2018-04-24 21:19:47 +00:00
|
|
|
}
|
2014-08-24 08:06:35 +00:00
|
|
|
|
|
|
|
ret = 0; /* start out presuming everything's OK */
|
2000-09-15 07:52:43 +00:00
|
|
|
|
2022-01-16 09:48:14 +00:00
|
|
|
/*
|
|
|
|
* The only file types for which we have to do variant
|
|
|
|
* determination by looking at packets have microsecond
|
|
|
|
* resolution; treat fractions-of-a-second values >= 1 000 000
|
|
|
|
* as an indication that the header format might not be
|
|
|
|
* what we think it is.
|
|
|
|
*/
|
|
|
|
if (rec_hdr.hdr.ts_usec >= 1000000)
|
|
|
|
ret++;
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
if (rec_hdr.hdr.incl_len > wtap_max_snaplen_for_encap(wth->file_encap)) {
|
2014-08-24 08:06:35 +00:00
|
|
|
/*
|
|
|
|
* Probably either a corrupt capture file or a file
|
|
|
|
* of a type different from the one we're trying.
|
|
|
|
*/
|
|
|
|
ret++;
|
2000-07-26 06:04:34 +00:00
|
|
|
}
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
if (rec_hdr.hdr.orig_len > 128*1024*1024) {
|
2015-01-02 00:45:22 +00:00
|
|
|
/*
|
|
|
|
* In theory I guess the on-the-wire packet size can be
|
|
|
|
* arbitrarily large, and it can certainly be larger than the
|
|
|
|
* maximum snapshot length which bounds the snapshot size,
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
* but any file claiming 128MB in a single packet is *probably*
|
2015-01-02 00:45:22 +00:00
|
|
|
* corrupt, and treating them as such makes the heuristics
|
|
|
|
* much more reliable. See, for example,
|
|
|
|
*
|
2020-10-03 14:54:12 +00:00
|
|
|
* https://gitlab.com/wireshark/wireshark/-/issues/9634
|
2015-01-02 00:45:22 +00:00
|
|
|
*
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
* (128MB is an arbitrary size at this point, chosen to be
|
|
|
|
* large enough for the largest D-Bus packet).
|
2015-01-02 00:45:22 +00:00
|
|
|
*/
|
|
|
|
ret++;
|
|
|
|
}
|
2014-08-24 08:06:35 +00:00
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
if (rec_hdr.hdr.incl_len > wth->snapshot_length) {
|
2014-08-24 08:06:35 +00:00
|
|
|
/*
|
|
|
|
* This is not a fatal error, and packets that have one
|
|
|
|
* such packet probably have thousands. For discussion,
|
|
|
|
* see
|
|
|
|
* https://www.wireshark.org/lists/wireshark-dev/201307/msg00076.html
|
|
|
|
* and related messages.
|
|
|
|
*
|
|
|
|
* The packet contents will be copied to a Buffer, which
|
|
|
|
* expands as necessary to hold the contents; we don't have
|
|
|
|
* to worry about fixed-length buffers allocated based on
|
|
|
|
* the original snapshot length.
|
|
|
|
*
|
|
|
|
* We just treat this as an indication that we might be
|
|
|
|
* trying the wrong file type here.
|
|
|
|
*/
|
|
|
|
ret++;
|
|
|
|
}
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
if (rec_hdr.hdr.incl_len > rec_hdr.hdr.orig_len) {
|
2014-08-24 08:06:35 +00:00
|
|
|
/*
|
|
|
|
* Another hint that this might be the wrong file type.
|
|
|
|
*/
|
|
|
|
ret++;
|
|
|
|
}
|
|
|
|
|
2018-04-24 21:19:47 +00:00
|
|
|
if (ret != 0) {
|
|
|
|
/*
|
|
|
|
* Might be the wrong file type; stop trying, and give
|
|
|
|
* this as the figure of merit for this file type.
|
|
|
|
*/
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now skip over the record's data, under the assumption that
|
|
|
|
* the header is sane.
|
|
|
|
*/
|
|
|
|
if (!wtap_read_bytes(wth->fh, NULL, rec_hdr.hdr.incl_len, err,
|
|
|
|
err_info)) {
|
|
|
|
if (*err == WTAP_ERR_SHORT_READ) {
|
|
|
|
/*
|
|
|
|
* Short read - treat that as a suggestion that
|
|
|
|
* the header isn't sane, and return a figure of
|
|
|
|
* merit value of 1.
|
|
|
|
*/
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
/* Hard error. */
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Success. */
|
|
|
|
return 0;
|
1998-11-15 05:29:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Read the next packet */
|
2019-04-05 01:56:27 +00:00
|
|
|
static gboolean libpcap_read(wtap *wth, wtap_rec *rec, Buffer *buf,
|
|
|
|
int *err, gchar **err_info, gint64 *data_offset)
|
2013-05-18 02:36:00 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
*data_offset = file_tell(wth->fh);
|
2013-05-18 02:36:00 +00:00
|
|
|
|
2019-04-05 01:56:27 +00:00
|
|
|
return libpcap_read_packet(wth, wth->fh, rec, buf, err, err_info);
|
2013-05-18 02:36:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static gboolean
|
2018-02-09 00:19:12 +00:00
|
|
|
libpcap_seek_read(wtap *wth, gint64 seek_off, wtap_rec *rec,
|
2014-01-02 20:47:21 +00:00
|
|
|
Buffer *buf, int *err, gchar **err_info)
|
2013-05-18 02:36:00 +00:00
|
|
|
{
|
2014-05-09 05:18:49 +00:00
|
|
|
if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2013-05-18 02:36:00 +00:00
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
if (!libpcap_read_packet(wth, wth->random_fh, rec, buf, err,
|
2013-06-17 21:18:47 +00:00
|
|
|
err_info)) {
|
|
|
|
if (*err == 0)
|
|
|
|
*err = WTAP_ERR_SHORT_READ;
|
2014-05-23 10:50:02 +00:00
|
|
|
return FALSE;
|
2013-06-17 21:18:47 +00:00
|
|
|
}
|
2014-05-23 10:50:02 +00:00
|
|
|
return TRUE;
|
2013-05-18 02:36:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static gboolean
|
2018-02-09 00:19:12 +00:00
|
|
|
libpcap_read_packet(wtap *wth, FILE_T fh, wtap_rec *rec,
|
2013-06-17 21:18:47 +00:00
|
|
|
Buffer *buf, int *err, gchar **err_info)
|
1998-11-15 05:29:17 +00:00
|
|
|
{
|
2000-07-26 06:04:34 +00:00
|
|
|
struct pcaprec_ss990915_hdr hdr;
|
2000-09-15 07:52:43 +00:00
|
|
|
guint packet_size;
|
2009-04-27 19:39:06 +00:00
|
|
|
guint orig_size;
|
|
|
|
int phdr_len;
|
2021-02-23 09:18:31 +00:00
|
|
|
libpcap_t *libpcap = (libpcap_t *)wth->priv;
|
|
|
|
gboolean is_nokia;
|
2016-04-05 02:21:36 +00:00
|
|
|
|
2014-08-24 08:06:35 +00:00
|
|
|
if (!libpcap_read_header(wth, fh, err, err_info, &hdr))
|
|
|
|
return FALSE;
|
|
|
|
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
if (hdr.hdr.incl_len > wtap_max_snaplen_for_encap(wth->file_encap)) {
|
2000-09-15 07:52:43 +00:00
|
|
|
/*
|
2014-08-24 08:06:35 +00:00
|
|
|
* Probably a corrupt capture file; return an error,
|
|
|
|
* so that our caller doesn't blow up trying to allocate
|
|
|
|
* space for an immensely-large packet.
|
2000-09-15 07:52:43 +00:00
|
|
|
*/
|
2014-08-24 08:06:35 +00:00
|
|
|
*err = WTAP_ERR_BAD_FILE;
|
|
|
|
if (err_info != NULL) {
|
2021-12-18 18:48:20 +00:00
|
|
|
*err_info = ws_strdup_printf("pcap: File has %u-byte packet, bigger than maximum of %u",
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
hdr.hdr.incl_len,
|
|
|
|
wtap_max_snaplen_for_encap(wth->file_encap));
|
2014-08-24 08:06:35 +00:00
|
|
|
}
|
2000-09-15 07:52:43 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
packet_size = hdr.hdr.incl_len;
|
2002-06-06 09:18:28 +00:00
|
|
|
orig_size = hdr.hdr.orig_len;
|
2000-09-15 07:52:43 +00:00
|
|
|
|
2002-11-16 20:20:30 +00:00
|
|
|
/*
|
|
|
|
* AIX appears to put 3 bytes of padding in front of FDDI
|
|
|
|
* frames; strip that crap off.
|
|
|
|
*/
|
2021-02-23 09:18:31 +00:00
|
|
|
if (libpcap->variant == PCAP_AIX &&
|
2014-05-09 05:18:49 +00:00
|
|
|
(wth->file_encap == WTAP_ENCAP_FDDI ||
|
|
|
|
wth->file_encap == WTAP_ENCAP_FDDI_BITSWAPPED)) {
|
2002-11-16 20:20:30 +00:00
|
|
|
/*
|
|
|
|
* The packet size is really a record size and includes
|
|
|
|
* the padding.
|
|
|
|
*/
|
|
|
|
packet_size -= 3;
|
|
|
|
orig_size -= 3;
|
|
|
|
|
|
|
|
/*
|
2013-06-16 00:20:00 +00:00
|
|
|
* Skip the padding.
|
2002-11-16 20:20:30 +00:00
|
|
|
*/
|
2016-09-28 23:45:23 +00:00
|
|
|
if (!wtap_read_bytes(fh, NULL, 3, err, err_info))
|
2013-06-16 00:20:00 +00:00
|
|
|
return FALSE;
|
2002-11-16 20:20:30 +00:00
|
|
|
}
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
is_nokia = (libpcap->variant == PCAP_NOKIA);
|
|
|
|
phdr_len = pcap_process_pseudo_header(fh, is_nokia,
|
2018-09-25 23:20:00 +00:00
|
|
|
wth->file_encap, packet_size, rec, err, err_info);
|
2009-04-27 19:39:06 +00:00
|
|
|
if (phdr_len < 0)
|
|
|
|
return FALSE; /* error */
|
|
|
|
|
2002-06-06 09:18:28 +00:00
|
|
|
/*
|
2009-04-27 19:39:06 +00:00
|
|
|
* Don't count any pseudo-header as part of the packet.
|
2002-06-06 09:18:28 +00:00
|
|
|
*/
|
2009-04-27 19:39:06 +00:00
|
|
|
orig_size -= phdr_len;
|
|
|
|
packet_size -= phdr_len;
|
2002-06-06 09:18:28 +00:00
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_type = REC_TYPE_PACKET;
|
2021-08-30 02:12:13 +00:00
|
|
|
rec->block = wtap_block_create(WTAP_BLOCK_PACKET);
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN;
|
2012-02-25 23:24:34 +00:00
|
|
|
|
2013-05-18 02:36:00 +00:00
|
|
|
/* Update the timestamp, if not already done */
|
2014-05-09 05:18:49 +00:00
|
|
|
if (wth->file_encap != WTAP_ENCAP_ERF) {
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->ts.secs = hdr.hdr.ts_sec;
|
2022-01-16 09:48:14 +00:00
|
|
|
if (libpcap->variant == PCAP_NSEC ||
|
|
|
|
libpcap->variant == PCAP_AIX)
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->ts.nsecs = hdr.hdr.ts_usec;
|
2013-05-18 02:36:00 +00:00
|
|
|
else
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->ts.nsecs = hdr.hdr.ts_usec * 1000;
|
2012-05-24 09:24:05 +00:00
|
|
|
} else {
|
2016-04-05 02:21:36 +00:00
|
|
|
int interface_id;
|
2013-05-18 03:15:06 +00:00
|
|
|
/* Set interface ID for ERF format */
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->presence_flags |= WTAP_HAS_INTERFACE_ID;
|
2021-06-18 23:22:54 +00:00
|
|
|
if ((interface_id = erf_populate_interface_from_header((erf_t*) libpcap->encap_priv, wth, &rec->rec_header.packet_header.pseudo_header, err, err_info)) < 0)
|
2016-04-05 02:21:36 +00:00
|
|
|
return FALSE;
|
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.interface_id = (guint) interface_id;
|
2005-08-30 09:43:47 +00:00
|
|
|
}
|
2018-02-09 00:19:12 +00:00
|
|
|
rec->rec_header.packet_header.caplen = packet_size;
|
|
|
|
rec->rec_header.packet_header.len = orig_size;
|
2002-06-06 09:18:28 +00:00
|
|
|
|
2013-06-17 21:18:47 +00:00
|
|
|
/*
|
|
|
|
* Read the packet data.
|
|
|
|
*/
|
|
|
|
if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
|
|
|
|
return FALSE; /* failed */
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
pcap_read_post_process(is_nokia, wth->file_encap, rec,
|
2022-03-05 00:23:02 +00:00
|
|
|
ws_buffer_start_ptr(buf), libpcap->byte_swapped, libpcap->fcs_len);
|
2002-08-07 06:59:49 +00:00
|
|
|
return TRUE;
|
2002-06-06 09:18:28 +00:00
|
|
|
}
|
|
|
|
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
/* Read the header of the next packet.
|
2000-09-15 07:52:43 +00:00
|
|
|
|
2014-08-24 08:06:35 +00:00
|
|
|
Return FALSE on an error, TRUE on success. */
|
2014-05-09 05:18:49 +00:00
|
|
|
static int libpcap_read_header(wtap *wth, FILE_T fh, int *err, gchar **err_info,
|
Have the Wiretap open, read, and seek-and-read routines return, in
addition to an error code, an error info string, for
WTAP_ERR_UNSUPPORTED, WTAP_ERR_UNSUPPORTED_ENCAP, and
WTAP_ERR_BAD_RECORD errors. Replace the error messages logged with
"g_message()" for those errors with g_strdup()ed or g_strdup_printf()ed
strings returned as the error info string, and change the callers of
those routines to, for those errors, put the info string into the
printed message or alert box for the error.
Add messages for cases where those errors were returned without printing
an additional message.
Nobody uses the error code from "cf_read()" - "cf_read()" puts up the
alert box itself for failures; get rid of the error code, so it just
returns a success/failure indication.
Rename "file_read_error_message()" to "cf_read_error_message()", as it
handles read errors from Wiretap, and have it take an error info string
as an argument. (That handles a lot of the work of putting the info
string into the error message.)
Make some variables in "ascend-grammar.y" static.
Check the return value of "erf_read_header()" in "erf_seek_read()".
Get rid of an unused #define in "i4btrace.c".
svn path=/trunk/; revision=9852
2004-01-25 21:55:17 +00:00
|
|
|
struct pcaprec_ss990915_hdr *hdr)
|
2000-09-15 07:52:43 +00:00
|
|
|
{
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
int bytes_to_read;
|
2014-08-24 08:06:35 +00:00
|
|
|
guint32 temp;
|
2021-02-23 09:18:31 +00:00
|
|
|
libpcap_t *libpcap = (libpcap_t *)wth->priv;
|
1998-11-15 05:29:17 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
switch (libpcap->variant) {
|
2000-07-26 06:04:34 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
case PCAP:
|
|
|
|
case PCAP_AIX:
|
|
|
|
case PCAP_NSEC:
|
2000-07-26 06:04:34 +00:00
|
|
|
bytes_to_read = sizeof (struct pcaprec_hdr);
|
|
|
|
break;
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
case PCAP_SS990417:
|
|
|
|
case PCAP_SS991029:
|
2000-07-26 06:04:34 +00:00
|
|
|
bytes_to_read = sizeof (struct pcaprec_modified_hdr);
|
|
|
|
break;
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
case PCAP_SS990915:
|
2000-07-26 06:04:34 +00:00
|
|
|
bytes_to_read = sizeof (struct pcaprec_ss990915_hdr);
|
|
|
|
break;
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
case PCAP_NOKIA:
|
2000-09-15 07:52:43 +00:00
|
|
|
bytes_to_read = sizeof (struct pcaprec_nokia_hdr);
|
|
|
|
break;
|
|
|
|
|
2000-07-26 06:04:34 +00:00
|
|
|
default:
|
|
|
|
bytes_to_read = 0;
|
2022-01-18 17:01:08 +00:00
|
|
|
ws_assert_not_reached();
|
2000-07-26 06:04:34 +00:00
|
|
|
}
|
Add some higher-level file-read APIs and use them.
Add wtap_read_bytes(), which takes a FILE_T, a pointer, a byte count, an
error number pointer, and an error string pointer as arguments, and that
treats a short read of any sort, including a read that returns 0 bytes,
as a WTAP_ERR_SHORT_READ error, and that returns the error number and
string through its last two arguments.
Add wtap_read_bytes_or_eof(), which is similar, but that treats a read
that returns 0 bytes as an EOF, supplying an error number of 0 as an EOF
indication.
Use those in file readers; that simplifies the code and makes it less
likely that somebody will fail to supply the error number and error
string on a file read error.
Change-Id: Ia5dba2a6f81151e87b614461349d611cffc16210
Reviewed-on: https://code.wireshark.org/review/4512
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2014-10-07 01:00:57 +00:00
|
|
|
if (!wtap_read_bytes_or_eof(fh, hdr, bytes_to_read, err, err_info))
|
2014-08-24 08:06:35 +00:00
|
|
|
return FALSE;
|
2003-10-24 23:55:34 +00:00
|
|
|
|
2010-02-24 07:21:17 +00:00
|
|
|
if (libpcap->byte_swapped) {
|
1999-11-06 10:31:47 +00:00
|
|
|
/* Byte-swap the record header fields. */
|
2014-08-24 08:06:35 +00:00
|
|
|
hdr->hdr.ts_sec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_sec);
|
|
|
|
hdr->hdr.ts_usec = GUINT32_SWAP_LE_BE(hdr->hdr.ts_usec);
|
|
|
|
hdr->hdr.incl_len = GUINT32_SWAP_LE_BE(hdr->hdr.incl_len);
|
|
|
|
hdr->hdr.orig_len = GUINT32_SWAP_LE_BE(hdr->hdr.orig_len);
|
1999-11-06 10:31:47 +00:00
|
|
|
}
|
|
|
|
|
2003-10-24 23:55:34 +00:00
|
|
|
/* Swap the "incl_len" and "orig_len" fields, if necessary. */
|
2010-02-24 07:21:17 +00:00
|
|
|
switch (libpcap->lengths_swapped) {
|
1999-11-06 10:31:47 +00:00
|
|
|
|
2003-10-24 23:55:34 +00:00
|
|
|
case NOT_SWAPPED:
|
|
|
|
break;
|
1999-11-06 10:31:47 +00:00
|
|
|
|
2003-10-24 23:55:34 +00:00
|
|
|
case MAYBE_SWAPPED:
|
2014-08-24 08:06:35 +00:00
|
|
|
if (hdr->hdr.incl_len <= hdr->hdr.orig_len) {
|
2003-10-24 23:55:34 +00:00
|
|
|
/*
|
|
|
|
* The captured length is <= the actual length,
|
|
|
|
* so presumably they weren't swapped.
|
|
|
|
*/
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
/* FALLTHROUGH */
|
2003-10-24 10:52:04 +00:00
|
|
|
|
2003-10-24 23:55:34 +00:00
|
|
|
case SWAPPED:
|
2014-08-24 08:06:35 +00:00
|
|
|
temp = hdr->hdr.orig_len;
|
|
|
|
hdr->hdr.orig_len = hdr->hdr.incl_len;
|
|
|
|
hdr->hdr.incl_len = temp;
|
2003-10-24 23:55:34 +00:00
|
|
|
break;
|
1999-11-06 10:31:47 +00:00
|
|
|
}
|
2014-08-24 08:06:35 +00:00
|
|
|
|
|
|
|
return TRUE;
|
1999-11-06 10:31:47 +00:00
|
|
|
}
|
|
|
|
|
1999-12-04 08:32:14 +00:00
|
|
|
/* Returns 0 if we could write the specified encapsulation type,
|
|
|
|
an error indication otherwise. */
|
2021-04-16 18:24:52 +00:00
|
|
|
static int libpcap_dump_can_write_encap(int encap)
|
1999-12-04 08:32:14 +00:00
|
|
|
{
|
|
|
|
/* Per-packet encapsulations aren't supported. */
|
|
|
|
if (encap == WTAP_ENCAP_PER_PACKET)
|
|
|
|
return WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
|
|
|
|
|
2000-08-25 06:25:21 +00:00
|
|
|
if (wtap_wtap_encap_to_pcap_encap(encap) == -1)
|
2014-12-17 06:40:45 +00:00
|
|
|
return WTAP_ERR_UNWRITABLE_ENCAP;
|
1999-12-04 08:32:14 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
static gboolean libpcap_dump_write_file_header(wtap_dumper *wdh, guint32 magic,
|
|
|
|
int *err)
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
{
|
|
|
|
struct pcap_hdr file_hdr;
|
|
|
|
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, &magic, sizeof magic, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
2001-12-04 07:32:05 +00:00
|
|
|
wdh->bytes_dumped += sizeof magic;
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
|
|
|
|
/* current "libpcap" format is 2.4 */
|
|
|
|
file_hdr.version_major = 2;
|
|
|
|
file_hdr.version_minor = 4;
|
|
|
|
file_hdr.thiszone = 0; /* XXX - current offset? */
|
|
|
|
file_hdr.sigfigs = 0; /* unknown, but also apparently unused */
|
2002-03-09 23:07:26 +00:00
|
|
|
/*
|
|
|
|
* Tcpdump cannot handle capture files with a snapshot length of 0,
|
|
|
|
* as BPF filters return either 0 if they fail or the snapshot length
|
|
|
|
* if they succeed, and a snapshot length of 0 means success is
|
|
|
|
* indistinguishable from failure and the filter expression would
|
|
|
|
* reject all packets.
|
|
|
|
*
|
|
|
|
* A snapshot length of 0, inside Wiretap, means "snapshot length
|
|
|
|
* unknown"; if the snapshot length supplied to us is 0, we make
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
* the snapshot length in the header file the maximum for the
|
|
|
|
* link-layer type we'll be writing.
|
2002-03-09 23:07:26 +00:00
|
|
|
*/
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
file_hdr.snaplen = (wdh->snaplen != 0) ? (guint)wdh->snaplen :
|
|
|
|
wtap_max_snaplen_for_encap(wdh->encap);
|
2000-08-25 06:25:21 +00:00
|
|
|
file_hdr.network = wtap_wtap_encap_to_pcap_encap(wdh->encap);
|
2014-05-09 05:18:49 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, &file_hdr, sizeof file_hdr, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
2001-12-04 07:32:05 +00:00
|
|
|
wdh->bytes_dumped += sizeof file_hdr;
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
|
1999-12-04 05:14:39 +00:00
|
|
|
return TRUE;
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
}
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
/* Good old fashioned pcap.
|
|
|
|
Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_open_pcap(wtap_dumper *wdh, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
/* This is a libpcap file */
|
|
|
|
wdh->subtype_write = libpcap_dump_pcap;
|
|
|
|
|
|
|
|
/* Write the file header. */
|
|
|
|
return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Like classic pcap, but with nanosecond resolution.
|
|
|
|
Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_open_pcap_nsec(wtap_dumper *wdh, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
/* This is a nanosecond-resolution libpcap file */
|
|
|
|
wdh->subtype_write = libpcap_dump_pcap_nsec;
|
|
|
|
|
|
|
|
/* Write the file header. */
|
|
|
|
return libpcap_dump_write_file_header(wdh, PCAP_NSEC_MAGIC, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Modified, but with the old magic, sigh.
|
|
|
|
Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_open_pcap_ss990417(wtap_dumper *wdh, int *err,
|
|
|
|
gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
/* This is a modified-by-patch-SS990417 libpcap file */
|
|
|
|
wdh->subtype_write = libpcap_dump_pcap_ss990417;
|
|
|
|
|
|
|
|
/* Write the file header. */
|
|
|
|
return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* New magic, extra crap.
|
|
|
|
Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_open_pcap_ss990915(wtap_dumper *wdh, int *err,
|
|
|
|
gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
/* This is a modified-by-patch-SS990915 libpcap file */
|
|
|
|
wdh->subtype_write = libpcap_dump_pcap_ss990915;
|
|
|
|
|
|
|
|
/* Write the file header. */
|
|
|
|
return libpcap_dump_write_file_header(wdh, PCAP_MODIFIED_MAGIC, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Same magic as SS990915, *different* extra crap, sigh.
|
|
|
|
Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_open_pcap_ss991029(wtap_dumper *wdh, int *err,
|
|
|
|
gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
/* This is a modified-by-patch-SS991029 libpcap file */
|
|
|
|
wdh->subtype_write = libpcap_dump_pcap_ss991029;
|
|
|
|
|
|
|
|
/* Write the file header. */
|
|
|
|
return libpcap_dump_write_file_header(wdh, PCAP_MODIFIED_MAGIC, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void libpcap_close(wtap *wth)
|
|
|
|
{
|
|
|
|
libpcap_t *libpcap = (libpcap_t *)wth->priv;
|
|
|
|
|
|
|
|
if (libpcap->encap_priv) {
|
|
|
|
switch (wth->file_encap) {
|
|
|
|
|
|
|
|
case WTAP_ENCAP_ERF:
|
|
|
|
erf_priv_free((erf_t*) libpcap->encap_priv);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_free(libpcap->encap_priv);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Nokia libpcap of some sort.
|
|
|
|
Returns TRUE on success, FALSE on failure; sets "*err" to an error code on
|
|
|
|
failure */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_open_pcap_nokia(wtap_dumper *wdh, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
/* This is a Nokia libpcap file */
|
|
|
|
wdh->subtype_write = libpcap_dump_pcap_nokia;
|
|
|
|
|
|
|
|
/* Write the file header. */
|
|
|
|
return libpcap_dump_write_file_header(wdh, PCAP_MAGIC, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_write_packet(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
struct pcaprec_hdr *hdr, size_t hdr_size, const guint8 *pd, int *err)
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
{
|
2018-02-09 00:19:12 +00:00
|
|
|
const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
|
2009-04-27 19:39:06 +00:00
|
|
|
int phdrsize;
|
2008-08-12 04:44:35 +00:00
|
|
|
|
2009-04-27 19:39:06 +00:00
|
|
|
phdrsize = pcap_get_phdr_size(wdh->encap, pseudo_header);
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
|
2014-05-24 18:28:30 +00:00
|
|
|
/* We can only write packet records. */
|
2018-02-09 00:19:12 +00:00
|
|
|
if (rec->rec_type != REC_TYPE_PACKET) {
|
2014-12-18 00:31:49 +00:00
|
|
|
*err = WTAP_ERR_UNWRITABLE_REC_TYPE;
|
2014-05-24 18:28:30 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
Catch attempts to write multiple encapsulation types if unsupported.
If, in the process of opening the input file, we determine that it has
packets of more than one link-layer type, we can catch attempts to write
that file to a file of a format that doesn't support more than one
link-layer type at the time we try to open the output file.
If, however, we don't discover that the file has more than one
link-layer type until we've already created the output file - for
example, if we have a pcapng file with a new IDB, with a different
link-layer type from previous IDBs, after packet blocks for the earlier
interfces - we can't catch that until we try to write the packet.
Currently, that causes the packet's data to be written out as is, so the
output file claims it's of the file's link-layer type, causing programs
reading the file to misdissect the packet.
Report WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED on the write attempt
instead, and have a nicer error message for
WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED on a write.
Change-Id: Ic41f2e4367cfe5667eb30c88cc6d3bfe422462f6
Reviewed-on: https://code.wireshark.org/review/30617
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2018-11-14 03:38:12 +00:00
|
|
|
/*
|
|
|
|
* Make sure this packet doesn't have a link-layer type that
|
|
|
|
* differs from the one for the file.
|
|
|
|
*/
|
|
|
|
if (wdh->encap != rec->rec_header.packet_header.pkt_encap) {
|
|
|
|
*err = WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-05 01:58:40 +00:00
|
|
|
/*
|
|
|
|
* Don't write anything we're not willing to read.
|
|
|
|
* (The cast is to prevent an overflow.)
|
|
|
|
*/
|
2018-02-09 00:19:12 +00:00
|
|
|
if ((guint64)rec->rec_header.packet_header.caplen + phdrsize > wtap_max_snaplen_for_encap(wdh->encap)) {
|
2014-01-22 00:26:36 +00:00
|
|
|
*err = WTAP_ERR_PACKET_TOO_LARGE;
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
hdr->incl_len = rec->rec_header.packet_header.caplen + phdrsize;
|
|
|
|
hdr->orig_len = rec->rec_header.packet_header.len + phdrsize;
|
Provide different file types for "modified" and Red Hat 6.1 "libpcap"
files (the former have a different per-packet header, and a different
magic number, from the standard "libpcap"; the latter have the same
per-packet header as "modified" "libpcap" files, but the same magic
number as standard "libpcap" files, sigh).
Support writing "libpcap" captures in all three formats (so that, for
example, people running Ethereal on RH 6.1 can write out captures that
the "tcpdump" that comes with RH 6.1 can read, although that's not the
default format we save in - there's no way to tell whether you're
running on RH 6.1, as far as I know; "uname()" just tells you, on Linux
systems, that the kernel is Linux 2.x, and what "x" is, it doesn't say
what the *rest* of the system is).
Fix the table in "file.c" to use Olivier's code for writing Sniffer
files.
svn path=/trunk/; revision=1288
1999-12-11 00:40:40 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, hdr, hdr_size, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
2001-12-04 07:32:05 +00:00
|
|
|
wdh->bytes_dumped += hdr_size;
|
2002-06-06 09:18:28 +00:00
|
|
|
|
2009-06-27 12:41:06 +00:00
|
|
|
if (!pcap_write_phdr(wdh, wdh->encap, pseudo_header, err))
|
2009-04-27 19:39:06 +00:00
|
|
|
return FALSE;
|
2002-06-06 09:18:28 +00:00
|
|
|
|
2018-02-09 00:19:12 +00:00
|
|
|
if (!wtap_dump_file_write(wdh, pd, rec->rec_header.packet_header.caplen, err))
|
1999-12-04 05:14:39 +00:00
|
|
|
return FALSE;
|
2018-02-09 00:19:12 +00:00
|
|
|
wdh->bytes_dumped += rec->rec_header.packet_header.caplen;
|
1999-12-04 05:14:39 +00:00
|
|
|
return TRUE;
|
Add to Wiretap the ability to write capture files; for now, it can only
write them in "libpcap" format, but the mechanism can have other formats
added.
When creating the temporary file for a capture, use "create_tempfile()",
to close a security hole opened by the fact that "tempnam()" creates a
temporary file, but doesn't open it, and we open the file with the name
it gives us - somebody could remove the file and plant a link to some
file, and, if as may well be the case when Ethereal is capturing
packets, it's running as "root", that means we write a capture on top of
that file.... (The aforementioned changes to Wiretap let you open a
capture file for writing given an file descriptor, "fdopen()"-style,
which this change requires.)
svn path=/trunk/; revision=509
1999-08-18 04:17:38 +00:00
|
|
|
}
|
2015-01-02 00:45:22 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
/* Good old fashioned pcap.
|
|
|
|
Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_pcap(wtap_dumper *wdh, const wtap_rec *rec, const guint8 *pd,
|
|
|
|
int *err, gchar **err_info _U_)
|
2016-04-05 02:21:36 +00:00
|
|
|
{
|
2021-02-23 09:18:31 +00:00
|
|
|
struct pcaprec_hdr rec_hdr;
|
2016-04-05 02:21:36 +00:00
|
|
|
|
2022-08-16 23:38:03 +00:00
|
|
|
/*
|
|
|
|
* Some code that reads libpcap files may handle time
|
|
|
|
* stamps as unsigned, but most of it probably handles
|
|
|
|
* them as signed.
|
|
|
|
*/
|
|
|
|
if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
|
|
|
|
*err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
2021-02-23 09:18:31 +00:00
|
|
|
rec_hdr.ts_sec = (guint32) rec->ts.secs;
|
|
|
|
rec_hdr.ts_usec = rec->ts.nsecs / 1000;
|
|
|
|
return libpcap_dump_write_packet(wdh, rec, &rec_hdr, sizeof rec_hdr,
|
|
|
|
pd, err);
|
|
|
|
}
|
2016-04-05 02:21:36 +00:00
|
|
|
|
2021-02-23 09:18:31 +00:00
|
|
|
/* Like classic pcap, but with nanosecond resolution.
|
|
|
|
Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_pcap_nsec(wtap_dumper *wdh, const wtap_rec *rec, const guint8 *pd,
|
|
|
|
int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
struct pcaprec_hdr rec_hdr;
|
2016-04-05 02:21:36 +00:00
|
|
|
|
2022-08-16 23:38:03 +00:00
|
|
|
/*
|
|
|
|
* Some code that reads libpcap files may handle time
|
|
|
|
* stamps as unsigned, but most of it probably handles
|
|
|
|
* them as signed.
|
|
|
|
*/
|
|
|
|
if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
|
|
|
|
*err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
2021-02-23 09:18:31 +00:00
|
|
|
rec_hdr.ts_sec = (guint32) rec->ts.secs;
|
|
|
|
rec_hdr.ts_usec = rec->ts.nsecs;
|
|
|
|
return libpcap_dump_write_packet(wdh, rec, &rec_hdr, sizeof rec_hdr,
|
|
|
|
pd, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Modified, but with the old magic, sigh.
|
|
|
|
Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_pcap_ss990417(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
struct pcaprec_modified_hdr rec_hdr;
|
|
|
|
|
2022-08-16 23:38:03 +00:00
|
|
|
/*
|
|
|
|
* Some code that reads libpcap files may handle time
|
|
|
|
* stamps as unsigned, but most of it probably handles
|
|
|
|
* them as signed.
|
|
|
|
*/
|
|
|
|
if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
|
|
|
|
*err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
2021-02-23 09:18:31 +00:00
|
|
|
rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
|
|
|
|
rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
|
|
|
|
/* XXX - what should we supply here?
|
|
|
|
|
|
|
|
Alexey's "libpcap" looks up the interface in the system's
|
|
|
|
interface list if "ifindex" is non-zero, and prints
|
|
|
|
the interface name. It ignores "protocol", and uses
|
|
|
|
"pkt_type" to tag the packet as "host", "broadcast",
|
|
|
|
"multicast", "other host", "outgoing", or "none of the
|
|
|
|
above", but that's it.
|
|
|
|
|
|
|
|
If the capture we're writing isn't a modified or
|
|
|
|
RH 6.1 capture, we'd have to do some work to
|
|
|
|
generate the packet type and interface index - and
|
|
|
|
we can't generate the interface index unless we
|
|
|
|
just did the capture ourselves in any case.
|
|
|
|
|
|
|
|
I'm inclined to continue to punt; systems other than
|
|
|
|
those with the older patch can read standard "libpcap"
|
|
|
|
files, and systems with the older patch, e.g. RH 6.1,
|
|
|
|
will just have to live with this. */
|
|
|
|
rec_hdr.ifindex = 0;
|
|
|
|
rec_hdr.protocol = 0;
|
|
|
|
rec_hdr.pkt_type = 0;
|
|
|
|
return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
|
|
|
|
pd, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* New magic, extra crap.
|
|
|
|
Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_pcap_ss990915(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
struct pcaprec_ss990915_hdr rec_hdr;
|
|
|
|
|
2022-08-16 23:38:03 +00:00
|
|
|
/*
|
|
|
|
* Some code that reads libpcap files may handle time
|
|
|
|
* stamps as unsigned, but most of it probably handles
|
|
|
|
* them as signed.
|
|
|
|
*/
|
|
|
|
if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
|
|
|
|
*err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
2021-02-23 09:18:31 +00:00
|
|
|
rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
|
|
|
|
rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
|
|
|
|
rec_hdr.ifindex = 0;
|
|
|
|
rec_hdr.protocol = 0;
|
|
|
|
rec_hdr.pkt_type = 0;
|
|
|
|
rec_hdr.cpu1 = 0;
|
|
|
|
rec_hdr.cpu2 = 0;
|
|
|
|
return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
|
|
|
|
pd, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Same magic as SS990915, *different* extra crap, sigh.
|
|
|
|
Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_pcap_ss991029(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
struct pcaprec_modified_hdr rec_hdr;
|
|
|
|
|
2022-08-16 23:38:03 +00:00
|
|
|
/*
|
|
|
|
* Some code that reads libpcap files may handle time
|
|
|
|
* stamps as unsigned, but most of it probably handles
|
|
|
|
* them as signed.
|
|
|
|
*/
|
|
|
|
if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
|
|
|
|
*err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
2021-02-23 09:18:31 +00:00
|
|
|
rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
|
|
|
|
rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
|
|
|
|
/* XXX - what should we supply here?
|
|
|
|
|
|
|
|
Alexey's "libpcap" looks up the interface in the system's
|
|
|
|
interface list if "ifindex" is non-zero, and prints
|
|
|
|
the interface name. It ignores "protocol", and uses
|
|
|
|
"pkt_type" to tag the packet as "host", "broadcast",
|
|
|
|
"multicast", "other host", "outgoing", or "none of the
|
|
|
|
above", but that's it.
|
|
|
|
|
|
|
|
If the capture we're writing isn't a modified or
|
|
|
|
RH 6.1 capture, we'd have to do some work to
|
|
|
|
generate the packet type and interface index - and
|
|
|
|
we can't generate the interface index unless we
|
|
|
|
just did the capture ourselves in any case.
|
|
|
|
|
|
|
|
I'm inclined to continue to punt; systems other than
|
|
|
|
those with the older patch can read standard "libpcap"
|
|
|
|
files, and systems with the older patch, e.g. RH 6.1,
|
|
|
|
will just have to live with this. */
|
|
|
|
rec_hdr.ifindex = 0;
|
|
|
|
rec_hdr.protocol = 0;
|
|
|
|
rec_hdr.pkt_type = 0;
|
|
|
|
return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
|
|
|
|
pd, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Nokia libpcap of some sort.
|
|
|
|
Write a record for a packet to a dump file.
|
|
|
|
Returns TRUE on success, FALSE on failure. */
|
|
|
|
static gboolean
|
|
|
|
libpcap_dump_pcap_nokia(wtap_dumper *wdh, const wtap_rec *rec,
|
|
|
|
const guint8 *pd, int *err, gchar **err_info _U_)
|
|
|
|
{
|
|
|
|
struct pcaprec_nokia_hdr rec_hdr;
|
|
|
|
const union wtap_pseudo_header *pseudo_header = &rec->rec_header.packet_header.pseudo_header;
|
|
|
|
|
2022-08-16 23:38:03 +00:00
|
|
|
/*
|
|
|
|
* Some code that reads libpcap files may handle time
|
|
|
|
* stamps as unsigned, but most of it probably handles
|
|
|
|
* them as signed.
|
|
|
|
*/
|
|
|
|
if (rec->ts.secs < 0 || rec->ts.secs > G_MAXINT32) {
|
|
|
|
*err = WTAP_ERR_TIME_STAMP_NOT_SUPPORTED;
|
|
|
|
return FALSE;
|
|
|
|
}
|
2021-02-23 09:18:31 +00:00
|
|
|
rec_hdr.hdr.ts_sec = (guint32) rec->ts.secs;
|
|
|
|
rec_hdr.hdr.ts_usec = rec->ts.nsecs / 1000;
|
|
|
|
/* restore the "mysterious stuff" that came with the packet */
|
|
|
|
memcpy(rec_hdr.stuff, pseudo_header->nokia.stuff, 4);
|
|
|
|
return libpcap_dump_write_packet(wdh, rec, &rec_hdr.hdr, sizeof rec_hdr,
|
|
|
|
pd, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct supported_block_type pcap_blocks_supported[] = {
|
|
|
|
/*
|
|
|
|
* We support packet blocks, with no comments or other options.
|
|
|
|
*/
|
|
|
|
{ WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, NO_OPTIONS_SUPPORTED }
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_info = {
|
|
|
|
/* Gianluca Varenni suggests that we add "deprecated" to the description. */
|
|
|
|
"Wireshark/tcpdump/... - pcap", "pcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
libpcap_dump_can_write_encap, libpcap_dump_open_pcap, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_nsec_info = {
|
|
|
|
"Wireshark/tcpdump/... - nanosecond pcap", "nsecpcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
libpcap_dump_can_write_encap, libpcap_dump_open_pcap_nsec, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_aix_info = {
|
|
|
|
"AIX tcpdump - pcap", "aixpcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
NULL, NULL, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_ss990417_info = {
|
|
|
|
"RedHat 6.1 tcpdump - pcap", "rh6_1pcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss990417, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_ss990915_info = {
|
|
|
|
"SuSE 6.3 tcpdump - pcap", "suse6_3pcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss990915, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_ss991029_info = {
|
|
|
|
"Modified tcpdump - pcap", "modpcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
libpcap_dump_can_write_encap, libpcap_dump_open_pcap_ss991029, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct file_type_subtype_info pcap_nokia_info = {
|
|
|
|
"Nokia tcpdump - pcap", "nokiapcap", "pcap", "cap;dmp",
|
|
|
|
FALSE, BLOCKS_SUPPORTED(pcap_blocks_supported),
|
|
|
|
libpcap_dump_can_write_encap, libpcap_dump_open_pcap_nokia, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
void register_pcap(void)
|
|
|
|
{
|
2021-02-24 03:10:35 +00:00
|
|
|
pcap_file_type_subtype = wtap_register_file_type_subtype(&pcap_info);
|
|
|
|
pcap_nsec_file_type_subtype = wtap_register_file_type_subtype(&pcap_nsec_info);
|
|
|
|
pcap_aix_file_type_subtype = wtap_register_file_type_subtype(&pcap_aix_info);
|
|
|
|
pcap_ss990417_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss990417_info);
|
|
|
|
pcap_ss990915_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss990915_info);
|
|
|
|
pcap_ss991029_file_type_subtype = wtap_register_file_type_subtype(&pcap_ss991029_info);
|
|
|
|
pcap_nokia_file_type_subtype = wtap_register_file_type_subtype(&pcap_nokia_info);
|
2021-02-23 09:18:31 +00:00
|
|
|
|
|
|
|
/*
|
2021-03-11 21:56:40 +00:00
|
|
|
* We now call the libpcap file format just pcap, but we allow
|
|
|
|
* the various variants of it to be specified using names
|
|
|
|
* containing "libpcap" as well as "pcap", for backwards
|
|
|
|
* compatibility.
|
|
|
|
*
|
|
|
|
* Register names for that purpose.
|
|
|
|
*/
|
|
|
|
wtap_register_compatibility_file_subtype_name("libpcap", "pcap");
|
|
|
|
wtap_register_compatibility_file_subtype_name("nseclibpcap", "nsecpcap");
|
|
|
|
wtap_register_compatibility_file_subtype_name("aixlibpcap", "aixpcap");
|
|
|
|
wtap_register_compatibility_file_subtype_name("modlibpcap", "modpcap");
|
|
|
|
wtap_register_compatibility_file_subtype_name("nokialibpcap", "nokiapcap");
|
|
|
|
wtap_register_compatibility_file_subtype_name("rh6_1libpcap", "rh6_1pcap");
|
|
|
|
wtap_register_compatibility_file_subtype_name("suse6_3libpcap", "suse6_3pcap");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Register names for backwards compatibility with the
|
2021-02-23 09:18:31 +00:00
|
|
|
* wtap_filetypes table in Lua.
|
|
|
|
*/
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP",
|
|
|
|
pcap_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP_NSEC",
|
|
|
|
pcap_nsec_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP_AIX",
|
|
|
|
pcap_aix_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP_SS990417",
|
|
|
|
pcap_ss990417_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP_SS990915",
|
|
|
|
pcap_ss990915_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP_SS991029",
|
|
|
|
pcap_ss991029_file_type_subtype);
|
|
|
|
wtap_register_backwards_compatibility_lua_name("PCAP_NOKIA",
|
|
|
|
pcap_nokia_file_type_subtype);
|
2016-04-05 02:21:36 +00:00
|
|
|
}
|
|
|
|
|
2015-01-02 00:45:22 +00:00
|
|
|
/*
|
2019-07-26 18:43:17 +00:00
|
|
|
* Editor modelines - https://www.wireshark.org/tools/modelines.html
|
2015-01-02 00:45:22 +00:00
|
|
|
*
|
|
|
|
* Local variables:
|
|
|
|
* c-basic-offset: 8
|
|
|
|
* tab-width: 8
|
|
|
|
* indent-tabs-mode: t
|
|
|
|
* End:
|
|
|
|
*
|
|
|
|
* vi: set shiftwidth=8 tabstop=8 noexpandtab:
|
|
|
|
* :indentSize=8:tabSize=8:noTabs=false:
|
|
|
|
*/
|