1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
/* pcapng.h
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef __W_PCAPNG_H__
#define __W_PCAPNG_H__
#include <glib.h>
#include "wtap.h"
#include "ws_symbol_export.h"
/* Option codes: 16-bit field */
#define OPT_EOFOPT 0x0000
#define OPT_COMMENT 0x0001 /**< NULL if not available */
/* Section Header block (SHB) */
#define OPT_SHB_HARDWARE 0x0002 /**< NULL if not available
* UTF-8 string containing the description of the
* hardware used to create this section.
*/
#define OPT_SHB_OS 0x0003 /**< NULL if not available, UTF-8 string containing the
* name of the operating system used to create this section.
*/
#define OPT_SHB_USERAPPL 0x0004 /**< NULL if not available, UTF-8 string containing the
* name of the application used to create this section.
*/
/* Interface Description block (IDB) */
#define OPT_IDB_NAME 0x0002 /**< NULL if not available, A UTF-8 string containing the name
* of the device used to capture data.
* "eth0" / "\Device\NPF_{AD1CE675-96D0-47C5-ADD0-2504B9126B68}"
*/
#define OPT_IDB_DESCR 0x0003 /**< NULL if not available, A UTF-8 string containing the description
* of the device used to capture data.
* "Broadcom NetXtreme" / "First Ethernet Interface"
*/
#define OPT_IDB_IP4ADDR 0x0004 /**< XXX: if_IPv4addr Interface network address and netmask.
* This option can be repeated multiple times within the same Interface Description Block
* when multiple IPv4 addresses are assigned to the interface.
* 192 168 1 1 255 255 255 0
*/
#define OPT_IDB_IP6ADDR 0x0005 /* XXX: if_IPv6addr Interface network address and prefix length (stored in the last byte).
* This option can be repeated multiple times within the same Interface
* Description Block when multiple IPv6 addresses are assigned to the interface.
* 2001:0db8:85a3:08d3:1319:8a2e:0370:7344/64 is written (in hex) as
* "20 01 0d b8 85 a3 08 d3 13 19 8a 2e 03 70 73 44 40"*/
#define OPT_IDB_MACADDR 0x0006 /* XXX: if_MACaddr Interface Hardware MAC address (48 bits). */
#define OPT_IDB_EUIADDR 0x0007 /* XXX: if_EUIaddr Interface Hardware EUI address (64 bits) */
#define OPT_IDB_SPEED 0x0008 /**< 0xFFFFFFFF if unknown
* Interface speed (in bps). 100000000 for 100Mbps
*/
#define OPT_IDB_TSRESOL 0x0009 /**< Resolution of timestamps. If the Most Significant Bit is equal to zero,
* the remaining bits indicates the resolution of the timestamp as as a
* negative power of 10 (e.g. 6 means microsecond resolution, timestamps
* are the number of microseconds since 1/1/1970). If the Most Significant Bit
* is equal to one, the remaining bits indicates the resolution has a
* negative power of 2 (e.g. 10 means 1/1024 of second).
* If this option is not present, a resolution of 10^-6 is assumed
* (i.e. timestamps have the same resolution of the standard 'libpcap' timestamps).
*/
#define OPT_IDB_TZONE 0x000A /* XXX: if_tzone Time zone for GMT support (TODO: specify better). */
#define OPT_IDB_FILTER 0x000B /**< The filter (e.g. "capture only TCP traffic") used to capture traffic.
* The first byte of the Option Data keeps a code of the filter used
* (e.g. if this is a libpcap string, or BPF bytecode, and more).
* More details about this format will be presented in Appendix XXX (TODO).
* (TODO: better use different options for different fields?
* e.g. if_filter_pcap, if_filter_bpf, ...) 00 "tcp port 23 and host 10.0.0.5"
*/
#define OPT_IDB_OS 0x000C /**< NULL if not available, A UTF-8 string containing the name of the operating system of the
* machine in which this interface is installed.
* This can be different from the same information that can be
* contained by the Section Header Block
* (Section 3.1 (Section Header Block (mandatory))) because
* the capture can have been done on a remote machine.
* "Windows XP SP2" / "openSUSE 10.2"
*/
#define OPT_IDB_FCSLEN 0x000D /**< An integer value that specified the length of the
* Frame Check Sequence (in bits) for this interface.
* For link layers whose FCS length can change during time,
* the Packet Block Flags Word can be used (see Appendix A (Packet Block Flags Word))
*/
#define OPT_IDB_TSOFFSET 0x000E /**< XXX: A 64 bits integer value that specifies an offset (in seconds)
* that must be added to the timestamp of each packet to obtain
* the absolute timestamp of a packet. If the option is missing,
* the timestamps stored in the packet must be considered absolute
* timestamps. The time zone of the offset can be specified with the
* option if_tzone. TODO: won't a if_tsoffset_low for fractional
* second offsets be useful for highly syncronized capture systems?
*/
#define OPT_ISB_STARTTIME 0x0002
#define OPT_ISB_ENDTIME 0x0003
#define OPT_ISB_IFRECV 0x0004
#define OPT_ISB_IFDROP 0x0005
#define OPT_ISB_FILTERACCEPT 0x0006
#define OPT_ISB_OSDROP 0x0007
#define OPT_ISB_USRDELIV 0x0008
/* pcapng: common block header file encoding for every block type */
typedef struct pcapng_block_header_s {
guint32 block_type;
guint32 block_total_length;
/* x bytes block_body */
/* guint32 block_total_length */
} pcapng_block_header_t;
/* pcapng: section header block file encoding */
typedef struct pcapng_section_header_block_s {
/* pcapng_block_header_t */
guint32 magic;
guint16 version_major;
guint16 version_minor;
guint64 section_length; /* might be -1 for unknown */
/* ... Options ... */
} pcapng_section_header_block_t;
/* pcapng: interface description block file encoding */
typedef struct pcapng_interface_description_block_s {
guint16 linktype;
guint16 reserved;
guint32 snaplen;
/* ... Options ... */
} pcapng_interface_description_block_t;
/* pcapng: interface statistics block file encoding */
typedef struct pcapng_interface_statistics_block_s {
guint32 interface_id;
guint32 timestamp_high;
guint32 timestamp_low;
/* ... Options ... */
} pcapng_interface_statistics_block_t;
struct pcapng_option_header {
guint16 type;
guint16 value_length;
};
/*
* Minimum IDB size = minimum block size + size of fixed length portion of IDB.
*/
#define MIN_IDB_SIZE ((guint32)(MIN_BLOCK_SIZE + sizeof(pcapng_interface_description_block_t)))
wtap_open_return_val pcapng_open(wtap *wth, int *err, gchar **err_info);
gboolean pcapng_dump_open(wtap_dumper *wdh, int *err);
int pcapng_dump_can_write_encap(int encap);
#endif
|
