diff options
Diffstat (limited to 'contrib/libpcap/pcap-common.c')
| -rw-r--r-- | contrib/libpcap/pcap-common.c | 229 |
1 files changed, 213 insertions, 16 deletions
diff --git a/contrib/libpcap/pcap-common.c b/contrib/libpcap/pcap-common.c index bd18c64..a68e032 100644 --- a/contrib/libpcap/pcap-common.c +++ b/contrib/libpcap/pcap-common.c @@ -41,6 +41,7 @@ #include "pcap-int.h" #include "pcap/usb.h" +#include "pcap/nflog.h" #include "pcap-common.h" @@ -897,7 +898,103 @@ */ #define LINKTYPE_SCTP 248 -#define LINKTYPE_MATCHING_MAX 248 /* highest value in the "matching" range */ +/* + * USB packets, beginning with a USBPcap header. + * + * Requested by Tomasz Mon <desowin@gmail.com> + */ +#define LINKTYPE_USBPCAP 249 + +/* + * Schweitzer Engineering Laboratories "RTAC" product serial-line + * packets. + * + * Requested by Chris Bontje <chris_bontje@selinc.com>. + */ +#define DLT_RTAC_SERIAL 250 + +/* + * Bluetooth Low Energy air interface link-layer packets. + * + * Requested by Mike Kershaw <dragorn@kismetwireless.net>. + */ +#define LINKTYPE_BLUETOOTH_LE_LL 251 + +/* + * Link-layer header type for upper-protocol layer PDU saves from wireshark. + * + * the actual contents are determined by two TAGs stored with each + * packet: + * EXP_PDU_TAG_LINKTYPE the link type (LINKTYPE_ value) of the + * original packet. + * + * EXP_PDU_TAG_PROTO_NAME the name of the wireshark dissector + * that can make sense of the data stored. + */ +#define LINKTYPE_WIRESHARK_UPPER_PDU 252 + +/* + * Link-layer header type for the netlink protocol (nlmon devices). + */ +#define LINKTYPE_NETLINK 253 + +/* + * Bluetooth Linux Monitor headers for the BlueZ stack. + */ +#define LINKTYPE_BLUETOOTH_LINUX_MONITOR 254 + +/* + * Bluetooth Basic Rate/Enhanced Data Rate baseband packets, as + * captured by Ubertooth. + */ +#define LINKTYPE_BLUETOOTH_BREDR_BB 255 + +/* + * Bluetooth Low Energy link layer packets, as captured by Ubertooth. + */ +#define LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR 256 + +/* + * PROFIBUS data link layer. + */ +#define LINKTYPE_PROFIBUS_DL 257 + + +/* + * Apple's DLT_PKTAP headers. + * + * Sadly, the folks at Apple either had no clue that the DLT_USERn values + * are for internal use within an organization and partners only, and + * didn't know that the right way to get a link-layer header type is to + * ask tcpdump.org for one, or knew and didn't care, so they just + * used DLT_USER2, which causes problems for everything except for + * their version of tcpdump. + * + * So I'll just give them one; hopefully this will show up in a + * libpcap release in time for them to get this into 10.10 Big Sur + * or whatever Mavericks' successor is called. LINKTYPE_PKTAP + * will be 258 *even on OS X*; that is *intentional*, so that + * PKTAP files look the same on *all* OSes (different OSes can have + * different numerical values for a given DLT_, but *MUST NOT* have + * different values for what goes in a file, as files can be moved + * between OSes!). + */ +#define LINKTYPE_PKTAP 258 + +/* + * Ethernet packets preceded by a header giving the last 6 octets + * of the preamble specified by 802.3-2012 Clause 65, section + * 65.1.3.2 "Transmit". + */ +#define LINKTYPE_EPON 259 + +/* + * IPMI trace packets, as specified by Table 3-20 "Trace Data Block Format" + * in the PICMG HPM.2 specification. + */ +#define LINKTYPE_IPMI_HPM_2 260 + +#define LINKTYPE_MATCHING_MAX 260 /* highest value in the "matching" range */ static struct linktype_map { int dlt; @@ -970,13 +1067,20 @@ dlt_to_linktype(int dlt) int i; /* - * Map DLT_PFSYNC, whatever it might be, to LINKTYPE_PFSYNC. + * DLTs that, on some platforms, have values in the matching range + * but that *don't* have the same value as the corresponding + * LINKTYPE because, for some reason, not all OSes have the + * same value for that DLT (note that the DLT's value might be + * outside the matching range on some of those OSes). */ if (dlt == DLT_PFSYNC) return (LINKTYPE_PFSYNC); + if (dlt == DLT_PKTAP) + return (LINKTYPE_PKTAP); /* - * Map the values in the matching range. + * For all other values in the matching range, the DLT + * value is the same as the LINKTYPE value. */ if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX) return (dlt); @@ -990,9 +1094,9 @@ dlt_to_linktype(int dlt) } /* - * If we don't have a mapping for this DLT_ code, return an + * If we don't have a mapping for this DLT, return an * error; that means that this is a value with no corresponding - * LINKTYPE_ code, and we need to assign one. + * LINKTYPE, and we need to assign one. */ return (-1); } @@ -1003,16 +1107,19 @@ linktype_to_dlt(int linktype) int i; /* - * Map LINKTYPE_PFSYNC to DLT_PFSYNC, whatever it might be. - * LINKTYPE_PFSYNC is in the matching range, to make sure - * it's as safe from reuse as we can arrange, so we do - * this test first. + * LINKTYPEs in the matching range that *don't* + * have the same value as the corresponding DLTs + * because, for some reason, not all OSes have the + * same value for that DLT. */ if (linktype == LINKTYPE_PFSYNC) return (DLT_PFSYNC); + if (linktype == LINKTYPE_PKTAP) + return (DLT_PKTAP); /* - * Map the values in the matching range. + * For all other values in the matching range, the LINKTYPE + * value is the same as the DLT value. */ if (linktype >= LINKTYPE_MATCHING_MIN && linktype <= LINKTYPE_MATCHING_MAX) @@ -1027,9 +1134,9 @@ linktype_to_dlt(int linktype) } /* - * If we don't have an entry for this link type, return - * the link type value; it may be a DLT_ value from an - * older version of libpcap. + * If we don't have an entry for this LINKTYPE, return + * the link type value; it may be a DLT from an older + * version of libpcap. */ return linktype; } @@ -1040,10 +1147,10 @@ linktype_to_dlt(int linktype) * memory-mapped buffer shared by the kernel). * * When reading a DLT_USB_LINUX or DLT_USB_LINUX_MMAPPED capture file, - * we need to convert it from the capturing host's byte order to - * the reading host's byte order. + * we need to convert it from the byte order of the host that wrote + * the file to this host's byte order. */ -void +static void swap_linux_usb_header(const struct pcap_pkthdr *hdr, u_char *buf, int header_len_64_bytes) { @@ -1170,3 +1277,93 @@ swap_linux_usb_header(const struct pcap_pkthdr *hdr, u_char *buf, } } } + +/* + * The DLT_NFLOG "packets" have a mixture of big-endian and host-byte-order + * data. They begin with a fixed-length header with big-endian fields, + * followed by a set of TLVs, where the type and length are in host + * byte order but the values are either big-endian or are a raw byte + * sequence that's the same regardless of the host's byte order. + * + * When reading a DLT_NFLOG capture file, we need to convert the type + * and length values from the byte order of the host that wrote the + * file to the byte order of this host. + */ +static void +swap_nflog_header(const struct pcap_pkthdr *hdr, u_char *buf) +{ + u_char *p = buf; + nflog_hdr_t *nfhdr = (nflog_hdr_t *)buf; + nflog_tlv_t *tlv; + u_int caplen = hdr->caplen; + u_int length = hdr->len; + u_int16_t size; + + if (caplen < (int) sizeof(nflog_hdr_t) || length < (int) sizeof(nflog_hdr_t)) { + /* Not enough data to have any TLVs. */ + return; + } + + if (!(nfhdr->nflog_version) == 0) { + /* Unknown NFLOG version */ + return; + } + + length -= sizeof(nflog_hdr_t); + caplen -= sizeof(nflog_hdr_t); + p += sizeof(nflog_hdr_t); + + while (caplen >= sizeof(nflog_tlv_t)) { + tlv = (nflog_tlv_t *) p; + + /* Swap the type and length. */ + tlv->tlv_type = SWAPSHORT(tlv->tlv_type); + tlv->tlv_length = SWAPSHORT(tlv->tlv_length); + + /* Get the length of the TLV. */ + size = tlv->tlv_length; + if (size % 4 != 0) + size += 4 - size % 4; + + /* Is the TLV's length less than the minimum? */ + if (size < sizeof(nflog_tlv_t)) { + /* Yes. Give up now. */ + return; + } + + /* Do we have enough data for the full TLV? */ + if (caplen < size || length < size) { + /* No. */ + return; + } + + /* Skip over the TLV. */ + length -= size; + caplen -= size; + p += size; + } +} + +void +swap_pseudo_headers(int linktype, struct pcap_pkthdr *hdr, u_char *data) +{ + /* + * Convert pseudo-headers from the byte order of + * the host on which the file was saved to our + * byte order, as necessary. + */ + switch (linktype) { + + case DLT_USB_LINUX: + swap_linux_usb_header(hdr, data, 0); + break; + + case DLT_USB_LINUX_MMAPPED: + swap_linux_usb_header(hdr, data, 1); + break; + + case DLT_NFLOG: + swap_nflog_header(hdr, data); + break; + } +} |
