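/*
 * Copyright (c) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
 *               2002, 2003, 2004
 *      Ohio University.
 *
 * ---
 *
 * Starting with the release of tcptrace version 6 in 2001, tcptrace
 * is licensed under the GNU General Public License (GPL).  We believe
 * that, among the available licenses, the GPL will do the best job of
 * allowing tcptrace to continue to be a valuable, freely-available
 * and well-maintained tool for the networking community.
 *
 * Previous versions of tcptrace were released under a license that
 * was much less restrictive with respect to how tcptrace could be
 * used in commercial products.  Because of this, I am willing to
 * consider alternate license arrangements as allowed in Section 10 of
 * the GNU GPL.  Before I would consider licensing tcptrace under an
 * alternate agreement with a particular individual or company,
 * however, I would have to be convinced that such an alternative
 * would be to the greater benefit of the networking community.
 *
 * ---
 *
 * This file is part of Tcptrace.
 *
 * Tcptrace was originally written and continues to be maintained by
 * Shawn Ostermann with the help of a group of devoted students and
 * users (see the file 'THANKS').  The work on tcptrace has been made
 * possible over the years through the generous support of NASA GRC,
 * the National Science Foundation, and Sun Microsystems.
 *
 * Tcptrace is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Tcptrace is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with Tcptrace (in the file 'COPYING'); if not, write to the
 * Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
 * MA 02111-1307 USA
 *
 * Author:      Shawn Ostermann
 *              School of Electrical Engineering and Computer Science
 *              Ohio University
 *              Athens, OH
 *              ostermann@cs.ohiou.edu
 *              http://www.tcptrace.org/
 */

/* Added FDDI support 9/96 Jeffrey Semke, Pittsburgh Supercomputing Center */

static char const GCC_UNUSED rcsid_tcpdump[] =
    "@(#)$Header: /usr/local/cvs/tcptrace/tcpdump.h,v 5.11 2003/11/19 14:38:08 sdo Exp $";


/*
 * Byte-order swaps for 32-bit and 16-bit values.
 *
 * SWAPLONG converts its argument to unsigned int before shifting: with a
 * signed int argument (thiszone below is one), shifting a low byte >= 0x80
 * left by 24 overflows a signed int, which is undefined behavior.  The
 * value produced for unsigned arguments is unchanged.
 */
#define SWAPLONG(y) \
((((unsigned int)(y)&0xff)<<24) | (((unsigned int)(y)&0xff00)<<8) | (((unsigned int)(y)&0xff0000)>>8) | (((unsigned int)(y)>>24)&0xff))
#define SWAPSHORT(y) \
        ( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )


/* (from bpf.h)
 * Data-link level type codes.
 */

/* Note - Tue Feb 13, 2001
   We're having trouble with the standard DLT_type because some OS versions
   insist on renumbering these to different values.  To avoid the problem,
   we're hijacking the types a little and adding the PCAP_ prefix.  The
   constants all correspond to the "true" pcap numbers, so this should
   fix the problem */

/* currently supported */
#define PCAP_DLT_NULL           0       /* no link-layer encapsulation */
#define PCAP_DLT_EN10MB         1       /* Ethernet (10Mb) */
#define PCAP_DLT_IEEE802        6       /* IEEE 802 Networks */
#define PCAP_DLT_SLIP           8       /* Serial Line IP */
#define PCAP_DLT_PPP            9       /* Point-to-Point Protocol */
#define PCAP_DLT_FDDI           10      /* FDDI */
#define PCAP_DLT_ATM_RFC1483    11      /* LLC/SNAP encapsulated atm */
#define PCAP_DLT_RAW            12      /* raw IP */
#define PCAP_DLT_C_HDLC         104     /* Cisco HDLC */
#define PCAP_DLT_IEEE802_11     105     /* IEEE 802.11 wireless */
#define PCAP_DLT_LINUX_SLL      113     /* Linux cooked socket */
#define PCAP_DLT_PRISM2         119     /* Prism2 raw capture header */
#define PCAP_DLT_IEEE802_11_RADIO 127   /* 802.11 plus WLAN header */

/* NOT currently supported */
/* (mostly because I don't have an example file, send me one...) */
#define PCAP_DLT_EN3MB          2       /* Experimental Ethernet (3Mb) */
#define PCAP_DLT_AX25           3       /* Amateur Radio AX.25 */
#define PCAP_DLT_PRONET         4       /* Proteon ProNET Token Ring */
#define PCAP_DLT_CHAOS          5       /* Chaos */
#define PCAP_DLT_ARCNET         7       /* ARCNET */
#define PCAP_DLT_SLIP_BSDOS     13      /* BSD/OS Serial Line IP */
#define PCAP_DLT_PPP_BSDOS      14      /* BSD/OS Point-to-point Protocol */


/* tcpdump file header */
#define TCPDUMP_MAGIC 0xa1b2c3d4

struct dump_file_header {
    u_int   magic;
    u_short version_major;
    u_short version_minor;
    int     thiszone;   /* gmt to local correction */
    u_int   sigfigs;    /* accuracy of timestamps */
    u_int   snaplen;    /* max length saved portion of each pkt */
    u_int   linktype;   /* data link type (PCAP_DLT_*) */
};


/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 *
 * NOTE(review): every field here is read from the capture file, so caplen
 * and len are untrusted.  Nothing in this header bounds caplen against
 * snaplen or the size of the read buffer; confirm the reader does so
 * before handing a packet to the find_ip_* helpers below.
 */
struct packet_header {
    u_int   ts_secs;    /* time stamp -- seconds */
    u_int   ts_usecs;   /* time stamp -- useconds */
    u_int   caplen;     /* length of portion present */
    u_int   len;        /* length of this packet (off wire) */
};


#ifdef BY_HAND
/*
 * Byte-swap the fields of a dump file header in place.
 * The magic field is not touched here.
 */
static void
swap_hdr(struct dump_file_header *pdfh)
{
    pdfh->version_major = SWAPSHORT(pdfh->version_major);
    pdfh->version_minor = SWAPSHORT(pdfh->version_minor);
    pdfh->thiszone      = SWAPLONG(pdfh->thiszone);
    pdfh->sigfigs       = SWAPLONG(pdfh->sigfigs);
    pdfh->snaplen       = SWAPLONG(pdfh->snaplen);
    pdfh->linktype      = SWAPLONG(pdfh->linktype);
}

/* Byte-swap all four fields of a per-packet header in place. */
static void
swap_phdr(struct packet_header *pph)
{
    pph->caplen   = SWAPLONG(pph->caplen);
    pph->len      = SWAPLONG(pph->len);
    pph->ts_secs  = SWAPLONG(pph->ts_secs);
    pph->ts_usecs = SWAPLONG(pph->ts_usecs);
}
#endif /* BY_HAND */


/* (Courtesy Jeffrey Semke, Pittsburgh Supercomputing Center) */
/* locate ip within FDDI according to RFC 1188 */
/*
 * Scans the first iplen bytes of buf for the 7-byte sequence
 * AA 03 00 00 00 08 00 and returns the offset of the byte that follows it,
 * or -1 when the sequence is not found.  A NULL buf or a non-positive iplen
 * also yields -1: a negative iplen would otherwise be converted to a huge
 * size_t in the memchr() call and read far past the buffer.
 */
static int
find_ip_fddi(
    char* buf,
    int iplen)
{
    char* ptr, *ptr2;
    int i;
    u_char pattern[] = {0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00};
#define FDDIPATTERNLEN 7

    if (!buf || iplen <= 0)
        return (-1);

    ptr = ptr2 = buf;

    for (i=0; i < FDDIPATTERNLEN; i++) {
        /* search only the bytes that remain between ptr and buf+iplen */
        ptr2 = memchr(ptr,pattern[i],(iplen - (int)(ptr - buf)));
        if (!ptr2)
            return (-1);
        if (i && (ptr2 != ptr)) {
            /* pattern[i] was found, but not directly after the previous
               byte: rewind so matching restarts with pattern[0] at
               (found - i) */
            ptr2 = ptr2 - i - 1;
            i = -1;
        }
        ptr = ptr2 + 1;
    }
    return (ptr2 - buf + 1);
}


/* This function determine the offset for the IP packet in an Ethernet frame */
/* We handle three cases : straight Ethernet, PPPoE, or .1q VLAN encapsulation */
/* Written by Yann Samama (ysamama@nortelnetworks.com) on july 18th, 2003 */
/*
 * Returns the offset of the IP header within buf, or -1 when the frame is
 * not recognised as carrying IP.
 *
 * No length is passed in: the function reads 2 bytes at buf+12 and, for a
 * PPPoE session frame, 2 more at buf+20, so the caller must guarantee that
 * at least 22 bytes were captured.  On a truncated packet these reads run
 * past the captured data.
 *
 * The VLAN case returns its offset without looking at the encapsulated
 * protocol type, so the payload at that offset is not checked to be IP.
 */
static int
find_ip_eth(
    char* buf)
{
    unsigned short ppp_proto_type; /* the protocol type field of the PPP header */
    unsigned short eth_proto_type; /* the protocol type field of the Ethernet header */
    int offset = -1;               /* the calculated offset that this function will return */

    memcpy(&eth_proto_type, buf+12, 2);
    eth_proto_type = ntohs(eth_proto_type);
    switch (eth_proto_type)
    {
        case ETHERTYPE_IPV6: /* it's pure IPv6 over ethernet */
            /* FALLTHROUGH */
        case ETHERTYPE_IP:   /* it's pure IPv4 over ethernet */
            offset = sizeof(struct ether_header);
            break;
        case ETHERTYPE_PPPOE_SESSION: /* it's a PPPoE session */
            memcpy(&ppp_proto_type, buf+20, 2);
            ppp_proto_type = ntohs(ppp_proto_type);
            if (ppp_proto_type == 0x0021) /* it's IP over PPPoE */
                offset = PPPOE_SIZE;
            break;
        case ETHERTYPE_VLAN:
            offset = sizeof(struct ether_header) + ETHER_VLAN_ENCAP_LEN;
            break;
        default: /* well, this is not an IP packet */
            offset = -1;
            break;
    }
    return offset;
}


/* This function determine the offset for the IP packet in a PPP or HDLC PPP frame */
/* Written by Yann Samama (ysamama@nortelnetworks.com) on june 19th, 2003 */
/*
 * Returns the offset of the IP header within buf (1, 2 or 4), or -1 when
 * the frame is not recognised as carrying IP.
 *
 * No length is passed in: the function reads buf[0] and, depending on its
 * value, bytes up to buf[3], so the caller must guarantee that at least
 * 4 bytes were captured.
 */
static int
find_ip_ppp(
    char* buf)
{
    unsigned char ppp_byte0;       /* the first byte of the PPP frame */
    unsigned short ppp_proto_type; /* the protocol type field of the PPP header */
    int offset = -1;               /* the calculated offset that this function will return */

    memcpy(&ppp_byte0, buf, 1);
    switch (ppp_byte0)
    {
        case 0xff: /* It is HDLC PPP encapsulation (2 bytes for HDLC and 2 bytes for PPP) */
            memcpy(&ppp_proto_type, buf+2, 2);
            ppp_proto_type = ntohs(ppp_proto_type);
            if (ppp_proto_type == 0x21) /* That means HDLC PPP is encapsulating IP */
                offset = 4;
            else /* That means PPP is *NOT* encapsulating IP */
                offset = -1;
            break;

        case 0x21: /* It is raw PPP encapsulation of IP with compressed (1 byte) protocol field */
            offset = 1;
            break;

        case 0x00: /* It is raw PPP encapsulation */
            memcpy(&ppp_proto_type, buf, 2);
            ppp_proto_type = ntohs(ppp_proto_type);
            if (ppp_proto_type == 0x21) /* It is raw PPP encapsulation of IP with uncompressed (2 bytes) protocol field */
                offset = 2;
            else /* That means PPP is *NOT* encapsulating IP */
                offset = -1;
            break;

        default: /* There is certainly not an IP packet there ...*/
            offset = -1;
            break;
    }
    return offset;
}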