aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

pcap: fix linktype raw issues

Browse Source 
On OpenBSD 6.0 and 6.1 the following pcap gets a datalink type of
101 instead of our defined DLT_RAW.

    File type:           Wireshark/tcpdump/... - pcap
    File encapsulation:  Raw IP
    File timestamp precision:  microseconds (6)
    Packet size limit:   file hdr: 262144 bytes
    Number of packets:   23
    File size:           11 kB
    Data size:           11 kB
    Capture duration:    7,424945 seconds
    First packet time:   2017-05-25 21:59:31,957953
    Last packet time:    2017-05-25 21:59:39,382898
    Data byte rate:      1536 bytes/s
    Data bit rate:       12 kbps
    Average packet size: 496,00 bytes
    Average packet rate: 3 packets/s
    SHA1:                120cff9878b93ac74b68fb9216027bef3b3c018f
    RIPEMD160:           35fa287bf30d8be8b8654abfe26e8d3883262e8e
    MD5:                 13fe4bc50fe09bdd38f07739bd1ff0f0
    Strict time order:   True
    Number of interfaces in file: 1
    Interface #0 info:
                         Encapsulation = Raw IP (7/101 - rawip)
                         Capture length = 262144
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Number of stat entries = 0
                         Number of packets = 23

On Linux it is 12.

On the tcpdump/libpcap site the DLT_RAW is defined as 101:
http://www.tcpdump.org/linktypes.html

Strangely, on OpenBSD the DLT_RAW macro is defined as 14 as expected.
So for some reason, libpcap on OpenBSD uses 101 which seems to match
the tcpdump/libpcap documentation.

So this patch adds support for datalink 101 as RAW.
pull/2825/head
Victor Julien 8 years ago
parent 24fe3c99f1
commit 9d3a99bf0b
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File

3
src/decode.h
Unescape Escape View File

@ -1070,6 +1070,9 @@ int DecoderParseDataFromFileSerie(char *fileprefix, DecoderFunc Decoder);
#define LINKTYPE_LINUX_SLL 113
#define LINKTYPE_PPP 9
#define LINKTYPE_RAW DLT_RAW
/* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.
* Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */
#define LINKTYPE_RAW2 101
#define PPP_OVER_GRE 11
#define VLAN_OVER_GRE 13

1
src/source-pcap-file.c
Unescape Escape View File

@ -327,6 +327,7 @@ TmEcode ReceivePcapFileThreadInit(ThreadVars *tv, void *initdata, void **data)
pcap_g.Decoder = DecodePPP;
break;
case LINKTYPE_RAW:
case LINKTYPE_RAW2:
pcap_g.Decoder = DecodeRaw;
break;
case LINKTYPE_NULL:

Write Preview
Loading…
Cancel
Save