2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * savefile.c - supports offline use of tcpdump
22 * Extraction/creation by Jeffrey Mogul, DECWRL
23 * Modified by Steve McCanne, LBL.
25 * Used to save the received packet headers, after filtering, to
26 * a file, and then read them later.
27 * The first record in the file contains saved values for the machine
28 * dependent values so we can print the dump file on any architecture.
32 static const char rcsid[] =
33 "@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.55 2001/11/28 07:16:53 guy Exp $ (LBL)";
40 #include <sys/types.h>
52 #ifdef HAVE_OS_PROTO_H
56 #define TCPDUMP_MAGIC 0xa1b2c3d4
57 #define PATCHED_TCPDUMP_MAGIC 0xa1b2cd34
60 * We use the "receiver-makes-right" approach to byte order,
61 * because time is at a premium when we are writing the file.
62 * In other words, the pcap_file_header and pcap_pkthdr,
63 * records are written in host byte order.
64 * Note that the packets are always written in network byte order.
66 * ntoh[ls] aren't sufficient because we might need to swap on a big-endian
67 * machine (if the file was written in little-end order).
70 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
71 #define SWAPSHORT(y) \
72 ( (((y)&0xff)<<8) | ((u_short)((y)&0xff00)>>8) )
75 #define SFERR_BADVERSION 2
77 #define SFERR_EOF 4 /* not really an error, just a status */
80 * We don't write DLT_* values to the capture file header, because
81 * they're not the same on all platforms.
83 * Unfortunately, the various flavors of BSD have not always used the same
84 * numerical values for the same data types, and various patches to
85 * libpcap for non-BSD OSes have added their own DLT_* codes for link
86 * layer encapsulation types seen on those OSes, and those codes have had,
87 * in some cases, values that were also used, on other platforms, for other
88 * link layer encapsulation types.
90 * This means that capture files of a type whose numerical DLT_* code
91 * means different things on different BSDs, or with different versions
92 * of libpcap, can't always be read on systems other than those like
93 * the one running on the machine on which the capture was made.
95 * Instead, we define here a set of LINKTYPE_* codes, and map DLT_* codes
96 * to LINKTYPE_* codes when writing a savefile header, and map LINKTYPE_*
97 * codes to DLT_* codes when reading a savefile header.
99 * For those DLT_* codes that have, as far as we know, the same values on
100 * all platforms (DLT_NULL through DLT_FDDI), we define LINKTYPE_xxx as
101 * DLT_xxx; that way, captures of those types can still be read by
102 * versions of libpcap that map LINKTYPE_* values to DLT_* values, and
103 * captures of those types written by versions of libpcap that map DLT_
104 * values to LINKTYPE_ values can still be read by older versions
107 * The other LINKTYPE_* codes are given values starting at 100, in the
108 * hopes that no DLT_* code will be given one of those values.
110 * In order to ensure that a given LINKTYPE_* code's value will refer to
111 * the same encapsulation type on all platforms, you should not allocate
112 * a new LINKTYPE_* value without consulting "tcpdump-workers@tcpdump.org".
113 * The tcpdump developers will allocate a value for you, and will not
114 * subsequently allocate it to anybody else; that value will be added to
115 * the "pcap.h" in the tcpdump.org CVS repository, so that a future
116 * libpcap release will include it.
118 * You should, if possible, also contribute patches to libpcap and tcpdump
119 * to handle the new encapsulation type, so that they can also be checked
120 * into the tcpdump.org CVS repository and so that they will appear in
121 * future libpcap and tcpdump releases.
123 #define LINKTYPE_NULL DLT_NULL
124 #define LINKTYPE_ETHERNET DLT_EN10MB /* also for 100Mb and up */
125 #define LINKTYPE_EXP_ETHERNET DLT_EN3MB /* 3Mb experimental Ethernet */
126 #define LINKTYPE_AX25 DLT_AX25
127 #define LINKTYPE_PRONET DLT_PRONET
128 #define LINKTYPE_CHAOS DLT_CHAOS
129 #define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */
130 #define LINKTYPE_ARCNET DLT_ARCNET
131 #define LINKTYPE_SLIP DLT_SLIP
132 #define LINKTYPE_PPP DLT_PPP
133 #define LINKTYPE_FDDI DLT_FDDI
136 * LINKTYPE_PPP is for use when there might, or might not, be an RFC 1662
137 * PPP in HDLC-like framing header (with 0xff 0x03 before the PPP protocol
138 * field) at the beginning of the packet.
140 * This is for use when there is always such a header; the address field
141 * might be 0xff, for regular PPP, or it might be an address field for Cisco
142 * point-to-point with HDLC framing as per section 4.3.1 of RFC 1547 ("Cisco
143 * HDLC"). This is, for example, what you get with NetBSD's DLT_PPP_SERIAL.
145 * We give it the same value as NetBSD's DLT_PPP_SERIAL, in the hopes that
146 * nobody else will choose a DLT_ value of 50, and so that DLT_PPP_SERIAL
147 * captures will be written out with a link type that NetBSD's tcpdump
150 #define LINKTYPE_PPP_HDLC 50 /* PPP in HDLC-like framing */
152 #define LINKTYPE_PPP_ETHER 51 /* NetBSD PPP-over-Ethernet */
154 #define LINKTYPE_ATM_RFC1483 100 /* LLC/SNAP-encapsulated ATM */
155 #define LINKTYPE_RAW 101 /* raw IP */
156 #define LINKTYPE_SLIP_BSDOS 102 /* BSD/OS SLIP BPF header */
157 #define LINKTYPE_PPP_BSDOS 103 /* BSD/OS PPP BPF header */
158 #define LINKTYPE_C_HDLC 104 /* Cisco HDLC */
159 #define LINKTYPE_IEEE802_11 105 /* IEEE 802.11 (wireless) */
160 #define LINKTYPE_ATM_CLIP 106 /* Linux Classical IP over ATM */
161 #define LINKTYPE_LOOP 108 /* OpenBSD loopback */
163 #define LINKTYPE_LINUX_SLL 113 /* Linux cooked socket capture */
164 #define LINKTYPE_LTALK 114 /* Apple LocalTalk hardware */
165 #define LINKTYPE_ECONET 115 /* Acorn Econet */
167 #define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */
168 #define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */
169 #define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */
172 * These types are reserved for future use.
174 #define LINKTYPE_FR 107 /* BSD/OS Frame Relay */
175 #define LINKTYPE_ENC 109 /* OpenBSD IPSEC enc */
176 #define LINKTYPE_LANE8023 110 /* ATM LANE + 802.3 */
177 #define LINKTYPE_HIPPI 111 /* NetBSD HIPPI */
178 #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */
179 #define LINKTYPE_IPFILTER 116 /* IP Filter capture files */
180 #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */
182 static struct linktype_map {
187 * These DLT_* codes have LINKTYPE_* codes with values identical
188 * to the values of the corresponding DLT_* code.
190 { DLT_NULL, LINKTYPE_NULL },
191 { DLT_EN10MB, LINKTYPE_ETHERNET },
192 { DLT_EN3MB, LINKTYPE_EXP_ETHERNET },
193 { DLT_AX25, LINKTYPE_AX25 },
194 { DLT_PRONET, LINKTYPE_PRONET },
195 { DLT_CHAOS, LINKTYPE_CHAOS },
196 { DLT_IEEE802, LINKTYPE_TOKEN_RING },
197 { DLT_ARCNET, LINKTYPE_ARCNET },
198 { DLT_SLIP, LINKTYPE_SLIP },
199 { DLT_PPP, LINKTYPE_PPP },
200 { DLT_FDDI, LINKTYPE_FDDI },
203 * These DLT_* codes have different values on different
204 * platforms; we map them to LINKTYPE_* codes that
205 * have values that should never be equal to any DLT_*
208 { DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 },
209 { DLT_RAW, LINKTYPE_RAW },
210 { DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS },
211 { DLT_PPP_BSDOS, LINKTYPE_PPP_BSDOS },
213 /* BSD/OS Cisco HDLC */
214 { DLT_C_HDLC, LINKTYPE_C_HDLC },
217 * These DLT_* codes are not on all platforms, but, so far,
218 * there don't appear to be any platforms that define
219 * other codes with those values; we map them to
220 * different LINKTYPE_* values anyway, just in case.
223 /* Linux ATM Classical IP */
224 { DLT_ATM_CLIP, LINKTYPE_ATM_CLIP },
226 /* NetBSD sync/async serial PPP (or Cisco HDLC) */
227 { DLT_PPP_SERIAL, LINKTYPE_PPP_HDLC },
229 /* NetBSD PPP over Ethernet */
230 { DLT_PPP_ETHER, LINKTYPE_PPP_ETHER },
232 /* IEEE 802.11 wireless */
233 { DLT_IEEE802_11, LINKTYPE_IEEE802_11 },
235 /* OpenBSD loopback */
236 { DLT_LOOP, LINKTYPE_LOOP },
238 /* Linux cooked socket capture */
239 { DLT_LINUX_SLL, LINKTYPE_LINUX_SLL },
241 /* Apple LocalTalk hardware */
242 { DLT_LTALK, LINKTYPE_LTALK },
245 { DLT_ECONET, LINKTYPE_ECONET },
247 /* For Cisco-internal use */
248 { DLT_CISCO_IOS, LINKTYPE_CISCO_IOS },
250 /* Prism II monitor-mode header plus 802.11 header */
251 { DLT_PRISM_HEADER, LINKTYPE_PRISM_HEADER },
253 /* FreeBSD Aironet driver stuff */
254 { DLT_AIRONET_HEADER, LINKTYPE_AIRONET_HEADER },
257 * Any platform that defines additional DLT_* codes should:
259 * request a LINKTYPE_* code and value from tcpdump.org,
262 * add, in their version of libpcap, an entry to map
263 * those DLT_* codes to the corresponding LINKTYPE_*
266 * redefine, in their "net/bpf.h", any DLT_* values
267 * that collide with the values used by their additional
268 * DLT_* codes, to remove those collisions (but without
269 * making them collide with any of the LINKTYPE_*
270 * values equal to 50 or above; they should also avoid
271 * defining DLT_* values that collide with those
272 * LINKTYPE_* values, either).
278 dlt_to_linktype(int dlt)
282 for (i = 0; map[i].dlt != -1; i++) {
283 if (map[i].dlt == dlt)
284 return (map[i].linktype);
288 * If we don't have a mapping for this DLT_ code, return an
289 * error; that means that the table above needs to have an
296 linktype_to_dlt(int linktype)
300 for (i = 0; map[i].linktype != -1; i++) {
301 if (map[i].linktype == linktype)
306 * If we don't have an entry for this link type, return
307 * the link type value; it may be a DLT_ value from an
308 * older version of libpcap.
314 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen)
316 struct pcap_file_header hdr;
318 hdr.magic = TCPDUMP_MAGIC;
319 hdr.version_major = PCAP_VERSION_MAJOR;
320 hdr.version_minor = PCAP_VERSION_MINOR;
322 hdr.thiszone = thiszone;
323 hdr.snaplen = snaplen;
325 hdr.linktype = linktype;
327 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1)
334 swap_hdr(struct pcap_file_header *hp)
336 hp->version_major = SWAPSHORT(hp->version_major);
337 hp->version_minor = SWAPSHORT(hp->version_minor);
338 hp->thiszone = SWAPLONG(hp->thiszone);
339 hp->sigfigs = SWAPLONG(hp->sigfigs);
340 hp->snaplen = SWAPLONG(hp->snaplen);
341 hp->linktype = SWAPLONG(hp->linktype);
345 pcap_open_offline(const char *fname, char *errbuf)
349 struct pcap_file_header hdr;
353 p = (pcap_t *)malloc(sizeof(*p));
355 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
359 memset((char *)p, 0, sizeof(*p));
361 * Set this field so we don't close stdin in pcap_close!
365 if (fname[0] == '-' && fname[1] == '\0')
368 fp = fopen(fname, "r");
370 snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname,
371 pcap_strerror(errno));
375 if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
376 snprintf(errbuf, PCAP_ERRBUF_SIZE, "fread: %s",
377 pcap_strerror(errno));
381 if (magic != TCPDUMP_MAGIC && magic != PATCHED_TCPDUMP_MAGIC) {
382 magic = SWAPLONG(magic);
383 if (magic != TCPDUMP_MAGIC && magic != PATCHED_TCPDUMP_MAGIC) {
384 snprintf(errbuf, PCAP_ERRBUF_SIZE,
385 "bad dump file format");
391 if (magic == PATCHED_TCPDUMP_MAGIC) {
393 * XXX - the patch that's in some versions of libpcap
394 * changes the packet header but not the magic number;
395 * we'd have to use some hacks^H^H^H^H^Hheuristics to
398 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr);
400 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr);
401 if (hdr.version_major < PCAP_VERSION_MAJOR) {
402 snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format");
405 p->tzoff = hdr.thiszone;
406 p->snapshot = hdr.snaplen;
407 p->linktype = linktype_to_dlt(hdr.linktype);
409 p->bufsize = hdr.snaplen;
411 /* Align link header as required for proper data alignment */
412 /* XXX should handle all types */
413 switch (p->linktype) {
420 linklen = 13 + 8; /* fddi_header + llc */
430 p->bufsize = BPF_MAXBUFSIZE;
431 p->sf.base = (u_char *)malloc(p->bufsize + BPF_ALIGNMENT);
432 if (p->sf.base == NULL) {
433 strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
436 p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT);
437 p->sf.version_major = hdr.version_major;
438 p->sf.version_minor = hdr.version_minor;
440 /* XXX padding only needed for kernel fcode */
451 * Read sf_readfile and return the next packet. Return the header in hdr
452 * and the contents in buf. Return 0 on success, SFERR_EOF if there were
453 * no more packets, and SFERR_TRUNC if a partial packet was encountered.
456 sf_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char *buf, int buflen)
458 struct pcap_sf_patched_pkthdr sf_hdr;
459 FILE *fp = p->sf.rfile;
462 * Read the packet header; the structure we use as a buffer
463 * is the longer structure for files generated by the patched
464 * libpcap, but if the file has the magic number for an
465 * unpatched libpcap we only read as many bytes as the regular
468 if (fread(&sf_hdr, p->sf.hdrsize, 1, fp) != 1) {
469 /* probably an EOF, though could be a truncated packet */
474 /* these were written in opposite byte order */
475 hdr->caplen = SWAPLONG(sf_hdr.caplen);
476 hdr->len = SWAPLONG(sf_hdr.len);
477 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec);
478 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec);
480 hdr->caplen = sf_hdr.caplen;
481 hdr->len = sf_hdr.len;
482 hdr->ts.tv_sec = sf_hdr.ts.tv_sec;
483 hdr->ts.tv_usec = sf_hdr.ts.tv_usec;
486 * We interchanged the caplen and len fields at version 2.3,
487 * in order to match the bpf header layout. But unfortunately
488 * some files were written with version 2.3 in their headers
489 * but without the interchanged fields.
491 if (p->sf.version_minor < 3 ||
492 (p->sf.version_minor == 3 && hdr->caplen > hdr->len)) {
494 hdr->caplen = hdr->len;
498 if (hdr->caplen > buflen) {
500 * This can happen due to Solaris 2.3 systems tripping
501 * over the BUFMOD problem and not setting the snapshot
502 * correctly in the savefile header. If the caplen isn't
503 * grossly wrong, try to salvage.
505 static u_char *tp = NULL;
506 static int tsize = 0;
508 if (hdr->caplen > 65535) {
509 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
510 "bogus savefile header");
514 if (tsize < hdr->caplen) {
515 tsize = ((hdr->caplen + 1023) / 1024) * 1024;
518 tp = (u_char *)malloc(tsize);
521 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
522 "BUFMOD hack malloc");
526 if (fread((char *)tp, hdr->caplen, 1, fp) != 1) {
527 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
528 "truncated dump file");
532 * We can only keep up to buflen bytes. Since caplen > buflen
533 * is exactly how we got here, we know we can only keep the
534 * first buflen bytes and must drop the remainder. Adjust
535 * caplen accordingly, so we don't get confused later as
536 * to how many bytes we have to play with.
538 hdr->caplen = buflen;
539 memcpy((char *)buf, (char *)tp, buflen);
542 /* read the packet itself */
544 if (fread((char *)buf, hdr->caplen, 1, fp) != 1) {
545 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
546 "truncated dump file");
554 * Print out packets stored in the file initialized by sf_read_init().
555 * If cnt > 0, return after 'cnt' packets, otherwise continue until eof.
558 pcap_offline_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
560 struct bpf_insn *fcode = p->fcode.bf_insns;
564 while (status == 0) {
565 struct pcap_pkthdr h;
567 status = sf_next_packet(p, &h, p->buffer, p->bufsize);
575 bpf_filter(fcode, p->buffer, h.len, h.caplen)) {
576 (*callback)(user, &h, p->buffer);
577 if (++n >= cnt && cnt > 0)
581 /*XXX this breaks semantics tcpslice expects */
586 * Output a packet to the initialized dump file.
589 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
592 struct pcap_sf_pkthdr sf_hdr;
595 sf_hdr.ts.tv_sec = h->ts.tv_sec;
596 sf_hdr.ts.tv_usec = h->ts.tv_usec;
597 sf_hdr.caplen = h->caplen;
599 /* XXX we should check the return status */
600 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f);
601 (void)fwrite((char *)sp, h->caplen, 1, f);
605 * Initialize so that sf_write() will output to the file named 'fname'.
608 pcap_dump_open(pcap_t *p, const char *fname)
613 linktype = dlt_to_linktype(p->linktype);
614 if (linktype == -1) {
615 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
616 "%s: link-layer type %d isn't supported in savefiles",
621 if (fname[0] == '-' && fname[1] == '\0')
624 f = fopen(fname, "w");
626 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s",
627 fname, pcap_strerror(errno));
631 (void)sf_write_header(f, linktype, p->tzoff, p->snapshot);
632 return ((pcap_dumper_t *)f);
636 pcap_dump_close(pcap_dumper_t *p)
640 if (ferror((FILE *)p))
642 /* XXX should check return from fclose() too */
644 (void)fclose((FILE *)p);