use I2n::tmpfstream to write pcap dump files

[pingcheck] / src / tools / pcap.h

/*
 The software in this package is distributed under the GNU General
 Public License version 2 (with a special exception described below).

 A copy of GNU General Public License (GPL) is included in this distribution,
 in the file COPYING.GPL.

 As a special exception, if other files instantiate templates or use macros
 or inline functions from this file, or you compile this file and link it
 with other works to produce a work based on this file, this file
 does not by itself cause the resulting work to be covered
 by the GNU General Public License.

 However the source code for this file must still be made available
 in accordance with section (3) of the GNU General Public License.

 This exception does not invalidate any other reasons why a work based
 on this file might be covered by the GNU General Public License.

 Christian Herdtweck, Intra2net AG 2015
 */

#ifndef PCAP_H
#define PCAP_H

#include <stdint.h>
#include <iostream>
#include <ctime>

#pragma pack(push, 1) // exact fit -- no padding of data in structs

// pcap header for dumping of packet data
// (http://wiki.wireshark.org/Development/LibpcapFileFormat)
typedef struct pcapfile_hdr_s {
        uint32_t magic_number;   /* magic number */
        uint16_t version_major;  /* major version number */
        uint16_t version_minor;  /* minor version number */
        int32_t  thiszone;       /* GMT to local correction */
        uint32_t sigfigs;        /* accuracy of timestamps */
        uint32_t snaplen;        /* max length of captured packets, in octets */
        uint32_t network;        /* data link type */
} pcapfile_hdr_t;

typedef struct pcaprec_hdr_s {
        uint32_t ts_sec;         /* timestamp seconds */
        uint32_t ts_usec;        /* timestamp microseconds */
        uint32_t incl_len;       /* number of octets of packet saved in file */
        uint32_t orig_len;       /* actual length of packet */
} pcaprec_hdr_t;

// not used here but in feed_packet_data and want to keep things together
// this structure is contained in packet data if pcapfile_hdr_t.network is 1
// adapted from http://www.tcpdump.org/pcap.html
typedef struct pcapeth_hdr_s {
        uint8_t source_mac_address[6];
        uint8_t destination_mac_address[6];
        uint16_t ether_type;
} pcapeth_hdr_t;

// pcap file header is 5 x uint32 + 2 x uint16 --> 24 bytes
const std::streamsize pcap_file_header_size = sizeof(pcapfile_hdr_t);

// pcap file header is 4 x uint32 --> 16 bytes
const std::streamsize pcap_packet_header_size = sizeof(pcaprec_hdr_t);

// pcap ethernet header is 2 x 6 byte + 2 byte --> 14 bytes
const std::streamsize pcap_ethernet_header_size = sizeof(pcapeth_hdr_t);

void write_pcap_packet_data(const std::string &data,
                            std::ostream &os,
                            const time_t &capture_time);

bool check_for_pcap_header(std::istream &input_stream);
uint32_t consume_pcap_file_header(std::istream &input_stream);
void consume_pcap_packet_header(std::istream &input_stream);
void consume_pcap_ethernet_header(std::istream &input_stream);
//void consume_pcap_padding_zeros(std::istream &input_stream);
//  --> see feed_packet_data.cpp

// returns true if is is pcap, false otherwise
bool consume_single_packet_pcap(std::istream &input_stream);

#pragma pack(pop) // restore old value

#endif