Home page logo
/

tcpdump mailing list archives

[libpcap][patch] appending to a capture
From: Mark Johnston <markjdb () gmail com>
Date: Mon, 30 May 2011 16:58:26 -0400

Hello all,

I submitted a patch to the sourceforge tracker a while ago and didn't
receive any response. It adds a dump append function which verifies that
we only append if the link-layer type is the same as that in the capture
to append to. I submitted this based on a (rather old) thread:

http://permalink.gmane.org/gmane.network.tcpdump.devel/1469

My original submission is here:

http://sourceforge.net/tracker/?func=detail&aid=3086711&group_id=53067&atid=469579

I regenerated the patch against 1.1.1 and pasted it inline. I was hoping
that someone would be interested in reviewing it and giving some feedback,
and letting me know if there's any interest in having it committed.

Thanks!
-Mark


diff --git a/pcap/pcap.h b/pcap/pcap.h
index 05ba31f..abf5d5b 100644
--- a/pcap/pcap.h
+++ b/pcap/pcap.h
@@ -337,6 +337,7 @@ int pcap_fileno(pcap_t *);
 
 pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
 pcap_dumper_t *pcap_dump_fopen(pcap_t *, FILE *fp);
+pcap_dumper_t *pcap_dump_append(pcap_t *, const char *);
 FILE   *pcap_dump_file(pcap_dumper_t *);
 long   pcap_dump_ftell(pcap_dumper_t *);
 int    pcap_dump_flush(pcap_dumper_t *);
diff --git a/sf-pcap.c b/sf-pcap.c
index 9d55dae..a3b0757 100644
--- a/sf-pcap.c
+++ b/sf-pcap.c
@@ -56,6 +56,7 @@ static const char rcsid[] _U_ =
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include "pcap-int.h"
 
@@ -579,6 +580,65 @@ pcap_dump_fopen(pcap_t *p, FILE *f)
        return (pcap_setup_dump(p, linktype, f, "stream"));
 }
 
+pcap_dumper_t *
+pcap_dump_append(pcap_t *p, const char *fname)
+{
+
+       FILE *f;
+       int linktype;
+       int exists = 0, amt_read;
+       struct pcap_file_header ph;
+
+       linktype = dlt_to_linktype(p->linktype);
+       if (linktype == -1) {
+               snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+                   "%s: link-layer type %d isn't supported in savefiles",
+                   fname, linktype);
+               return (NULL);
+       }
+       if (fname[0] == '-' && fname[1] == '\0') {
+               sf_write_header(stdout, linktype, p->tzoff, p->snapshot);
+               return ((pcap_dumper_t *)stdout);
+       }
+
+       exists = !access(fname, R_OK);
+       f = fopen(fname, "r+");
+       if (f == NULL) {
+               snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s",
+                   fname, pcap_strerror(errno));
+               return (NULL);
+       }
+
+       /* Read the header and make sure it's of the same linktype. */
+       amt_read = fread(&ph, 1, sizeof (ph), f);
+       if (amt_read != sizeof (ph)) {
+               if (ferror(f)) {
+                       snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s",
+                           fname, pcap_strerror(errno));
+                       return (NULL);
+               } else if (feof(f) && amt_read > 0) {
+                       snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+                           "%s: truncated pcap file header", fname);
+                       return (NULL);
+               }
+       }
+
+       /*
+        * If a header is already present and doesn't match the linktype,
+        * return an error.
+        */
+       if (amt_read > 0 && linktype != ph.linktype) {
+               snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+                   "%s: invalid linktype, cannot append to file", fname);
+               return (NULL);
+       }
+
+       fseek(f, 0, SEEK_END);
+       if (!exists)
+               (void)sf_write_header(f, linktype, p->tzoff, p->snapshot);
+       return ((pcap_dumper_t *)f);
+}
+
 FILE *
 pcap_dump_file(pcap_dumper_t *p)
 {
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault