diff options
| author | Guy Harris <guy@alum.mit.edu> | 2019-03-03 15:45:59 -0800 |
|---|---|---|
| committer | Guy Harris <guy@alum.mit.edu> | 2019-03-03 23:46:37 +0000 |
| commit | c84f69f7482fea6eb1b86f08811cc2b4547fe05f (patch) | |
| tree | 8fa81d1dc07cf5b4c699fe7fc6b5dffb9841aa68 /wiretap | |
| parent | 4e07033c38aae8750f19a3ee49362d9d5525ca42 (diff) | |
Discard the upper bits of the "network" field in the file header.
Libpcap's done that for a while; we should do so as well.
(Ideally, we should use those bits, but there's an issue with pcapng,
where the FCS length in the IDB is described as being in units of bits,
but where we're treating it as being in units of bytes, that I'd like to
resolve first.)
Change-Id: Ibcb82f1dcaa8baae5bba55636cea8852a6af814e
Reviewed-on: https://code.wireshark.org/review/32303
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Diffstat (limited to 'wiretap')
| -rw-r--r-- | wiretap/libpcap.c | 45 |
1 files changed, 44 insertions, 1 deletions
diff --git a/wiretap/libpcap.c b/wiretap/libpcap.c index acf07d02b5..ff3f6056ae 100644 --- a/wiretap/libpcap.c +++ b/wiretap/libpcap.c @@ -182,6 +182,37 @@ wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info) } /* + * Link-layer header types are assigned for both pcap and + * pcapng, and the same value must work with both. In pcapng, + * the link-layer header type field in an Interface Description + * Block is 16 bits, so only the bottommost 16 bits of the + * link-layer header type in a pcap file can be used for the + * header type value. + * + * In libpcap, the upper 16 bits are divided into: + * + * A "class" field, to support non-standard link-layer + * header types; class 0 is for standard header types, + * class 0x224 was reserved for a NetBSD feature, and + * all other class values are reserved. That is in the + * lower 10 bits of the upper 16 bits. + * + * An "FCS length" field, to allow the FCS length to + * be specified, just as it can be specified in the + * if_fcslen field of the pcapng IDB. That is in the + * topmost 4 bits of the upper 16 bits. The field is + * in units of 16 bits, i.e. 1 means 16 bits of FCS, + * 2 means 32 bits of FCS, etc.. + * + * An "FCS length present" flag; if 0, the "FCS length" + * field should be ignored, and if 1, the "FCS length" + * field should be used. That is in the bit just above + * the "class" field. + * + * The one remaining bit is reserved. + */ + + /* * AIX's non-standard tcpdump uses a minor version number of 2. * Unfortunately, older versions of libpcap might have used * that as well. @@ -218,6 +249,11 @@ wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info) */ aix = FALSE; /* assume it's not AIX */ if (hdr.version_major == 2 && hdr.version_minor == 2) { + /* + * AIX pcap files didn't use the upper 16 bits, + * so we don't need to ignore them here - they'll + * be 0. + */ switch (hdr.network) { case 6: @@ -242,7 +278,14 @@ wtap_open_return_val libpcap_open(wtap *wth, int *err, gchar **err_info) } } - file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network); + /* + * Map the "network" field from the header to a Wiretap + * encapsulation. We ignore the FCS information and reserved + * bit; we include the "class" field, in case there's ever + * a need to implement it - currently, any link-layer header + * type with a non-zero class value will fail. + */ + file_encap = wtap_pcap_encap_to_wtap_encap(hdr.network & 0x03FFFFFF); if (file_encap == WTAP_ENCAP_UNKNOWN) { *err = WTAP_ERR_UNSUPPORTED; *err_info = g_strdup_printf("pcap: network type %u unknown or unsupported", |