/src/PcapPlusPlus/Pcap++/header/PcapFileDevice.h
Line | Count | Source |
1 | | #pragma once |
2 | | |
3 | | #include "Device.h" |
4 | | #include "PcapDevice.h" |
5 | | #include "RawPacket.h" |
6 | | #include <fstream> |
7 | | |
8 | | /// @file |
9 | | |
10 | | /// @namespace pcpp |
11 | | /// @brief The main namespace for the PcapPlusPlus lib |
12 | | namespace pcpp |
13 | | { |
14 | | namespace internal |
15 | | { |
16 | | /// @struct LightPcapNgHandle |
17 | | /// An opaque struct representing a handle for pcapng files. |
18 | | struct LightPcapNgHandle; |
19 | | } // namespace internal |
20 | | |
21 | | /// @enum FileTimestampPrecision |
22 | | /// An enumeration representing the precision of timestamps in a pcap file. |
23 | | /// The precision can be Unknown, Micro, or Nano. |
24 | | enum class FileTimestampPrecision : int8_t |
25 | | { |
26 | | /// Precision is unknown or not set/determined |
27 | | Unknown = -1, |
28 | | /// Precision is in microseconds. |
29 | | Microseconds = 0, |
30 | | /// Precision is in nanoseconds. |
31 | | Nanoseconds = 1 |
32 | | }; |
33 | | |
34 | | /// @class IFileDevice |
35 | | /// An abstract class (cannot be instantiated, has a private c'tor) which is the parent class for all file devices |
36 | | class IFileDevice : public IFilterableDevice, public IPcapStatisticsProvider |
37 | | { |
38 | | protected: |
39 | | std::string m_FileName; |
40 | | BpfFilterWrapper m_BpfWrapper; |
41 | | |
42 | | explicit IFileDevice(const std::string& fileName); |
43 | | |
44 | | bool doUpdateFilter(std::string const* filterAsString) override; |
45 | | |
46 | | public: |
47 | | /// @return The name of the file |
48 | | std::string getFileName() const; |
49 | | |
50 | | // override methods |
51 | | |
52 | | /// @brief Get the statistics for this device. |
53 | | /// |
54 | | /// The PcapStats structure will hold the following: |
55 | | /// - packetsRecv: Number of packets processed (read or written, depending on the device type) |
56 | | /// - packetsDrop: Number of packets dropped (not read or not written, depending on the device type) |
57 | | /// - packetsDropByInterface: Not supported for file devices, will always be 0 |
58 | | /// |
59 | | /// @param[out] stats The stats object to fill in. |
60 | | void getStatistics(PcapStats& stats) const override; |
61 | | |
62 | | protected: |
63 | | /// @brief Report that packets were processed (read or written, depending on the device type). |
64 | | /// @param numPackets The number of packets processed. Default is 1. |
65 | | void reportPacketProcessed(uint64_t numPackets = 1) |
66 | 0 | { |
67 | 0 | m_NumOfPacketsProcessed += numPackets; |
68 | 0 | } |
69 | | |
70 | | /// @brief Report that packets were dropped (not read or not written, depending on the device type). |
71 | | /// @param numPackets The number of packets dropped. Default is 1. |
72 | | void reportPacketDropped(uint64_t numPackets = 1) |
73 | 0 | { |
74 | 0 | m_NumOfPacketsDropped += numPackets; |
75 | 0 | } |
76 | | |
77 | | /// @brief Reset the internal statistic counters to zero. |
78 | | void resetStatisticCounters(); |
79 | | |
80 | | private: |
81 | | uint64_t m_NumOfPacketsProcessed = 0; |
82 | | uint64_t m_NumOfPacketsDropped = 0; |
83 | | }; |
84 | | |
85 | | /// @class IFileReaderDevice |
86 | | /// An abstract class (cannot be instantiated, has a private c'tor) which is the parent class for file reader |
87 | | /// devices |
88 | | class IFileReaderDevice : public IFileDevice |
89 | | { |
90 | | protected: |
91 | | /// A constructor for this class that gets the pcap full path file name to open. Notice that after calling this |
92 | | /// constructor the file isn't opened yet, so reading packets will fail. For opening the file call open() |
93 | | /// @param[in] fileName The full path of the file to read |
94 | | IFileReaderDevice(const std::string& fileName); |
95 | | |
96 | | public: |
97 | | /// A destructor for this class |
98 | | ~IFileReaderDevice() override = default; |
99 | | |
100 | | /// @return The file size in bytes |
101 | | uint64_t getFileSize() const; |
102 | | |
103 | | virtual bool getNextPacket(RawPacket& rawPacket) = 0; |
104 | | |
105 | | /// Read the next N packets into a raw packet vector |
106 | | /// @param[out] packetVec The raw packet vector to read packets into |
107 | | /// @param[in] numOfPacketsToRead Number of packets to read. If value <0 all remaining packets in the file will |
108 | | /// be read into the raw packet vector (this is the default value) |
109 | | /// @return The number of packets actually read |
110 | | int getNextPackets(RawPacketVector& packetVec, int numOfPacketsToRead = -1); |
111 | | |
112 | | /// A static method that creates an instance of the reader best fit to read the file. It decides by the file |
113 | | /// extension: for .pcapng files it returns an instance of PcapNgFileReaderDevice and for all other extensions |
114 | | /// it returns an instance of PcapFileReaderDevice |
115 | | /// @param[in] fileName The file name to open |
116 | | /// @return An instance of the reader to read the file. Notice you should free this instance when done using it |
117 | | /// @deprecated Prefer `createReader` or `tryCreateReader` due to selection of reader based on file content |
118 | | /// instead of extension. |
119 | | PCPP_DEPRECATED("Prefer `tryCreateReader` due to selection of reader based on file content.") |
120 | | static IFileReaderDevice* getReader(const std::string& fileName); |
121 | | |
122 | | /// @brief Creates an instance of the reader best fit to read the file. |
123 | | /// |
124 | | /// The factory function uses heuristics based on the file content to decide the reader. |
125 | | /// If the file type is known at compile time, it is better to construct a concrete reader instance directly. |
126 | | /// |
127 | | /// @param[in] fileName The path to the file to open. |
128 | | /// @return A unique pointer to a reader instance |
129 | | /// @throws std::runtime_error If the file could not be opened or is of unsupported format. |
130 | | /// @remarks The device is not opened automatically. Call `open()` on the returned device before using it. |
131 | | static std::unique_ptr<IFileReaderDevice> createReader(const std::string& fileName); |
132 | | |
133 | | /// @brief Tries to create an instance of the reader best fit to read the file. |
134 | | /// |
135 | | /// The factory function uses heuristics based on the file content to decide the reader. |
136 | | /// If the file type is known at compile time, it is better to construct a concrete reader instance directly. |
137 | | /// |
138 | | /// @param fileName The path to the file to open. |
139 | | /// @return A unique pointer to a reader instance, or nullptr if the file could not be opened or is of |
140 | | /// unsupported format. |
141 | | /// @remarks The device is not opened automatically. Call `open()` on the returned device before using it. |
142 | | static std::unique_ptr<IFileReaderDevice> tryCreateReader(const std::string& fileName); |
143 | | }; |
144 | | |
145 | | /// @class IFileWriterDevice |
146 | | /// An abstract class (cannot be instantiated, has a private c'tor) which is the parent class for file writer |
147 | | /// devices |
148 | | class IFileWriterDevice : public IFileDevice |
149 | | { |
150 | | protected: |
151 | | IFileWriterDevice(const std::string& fileName); |
152 | | |
153 | | public: |
154 | | /// A destructor for this class |
155 | | ~IFileWriterDevice() override = default; |
156 | | |
157 | | virtual bool writePacket(RawPacket const& packet) = 0; |
158 | | |
159 | | virtual bool writePackets(const RawPacketVector& packets) = 0; |
160 | | |
161 | | using IFileDevice::open; |
162 | | virtual bool open(bool appendMode) = 0; |
163 | | }; |
164 | | |
165 | | /// @class PcapFileReaderDevice |
166 | | /// A class for opening a pcap file in read-only mode. This class enable to open the file and read all packets, |
167 | | /// packet-by-packet |
168 | | class PcapFileReaderDevice : public IFileReaderDevice |
169 | | { |
170 | | public: |
171 | | /// A constructor for this class that gets the pcap full path file name to open. Notice that after calling this |
172 | | /// constructor the file isn't opened yet, so reading packets will fail. For opening the file call open() |
173 | | /// @param[in] fileName The full path of the file to read |
174 | 0 | explicit PcapFileReaderDevice(const std::string& fileName) : IFileReaderDevice(fileName) |
175 | 0 | {} |
176 | | |
177 | | /// A destructor for this class |
178 | 0 | ~PcapFileReaderDevice() override = default; |
179 | | |
180 | | PcapFileReaderDevice(const PcapFileReaderDevice& other) = delete; |
181 | | PcapFileReaderDevice& operator=(const PcapFileReaderDevice& other) = delete; |
182 | | |
183 | | /// @return The link layer type of this file |
184 | | LinkLayerType getLinkLayerType() const |
185 | 0 | { |
186 | 0 | return m_PcapLinkLayerType; |
187 | 0 | } |
188 | | |
189 | | /// @return The precision of the timestamps in the file |
190 | | FileTimestampPrecision getTimestampPrecision() const |
191 | 0 | { |
192 | 0 | return m_Precision; |
193 | 0 | } |
194 | | |
195 | | /// @return The file's snapshot length (snaplen) |
196 | | uint32_t getSnapshotLength() const |
197 | 0 | { |
198 | 0 | return m_SnapshotLength; |
199 | 0 | } |
200 | | |
201 | | /// A static method that checks if nano-second precision is supported in the current platform and environment |
202 | | /// @return True if nano-second precision is supported, false otherwise |
203 | | /// @deprecated Nanosecond precision is now natively supported by the internal parser and always returns true |
204 | | PCPP_DEPRECATED("Nanosecond precision is now natively supported by the internal parser and always returns true") |
205 | | static bool isNanoSecondPrecisionSupported() |
206 | 0 | { |
207 | 0 | return true; |
208 | 0 | } |
209 | | |
210 | | // overridden methods |
211 | | |
212 | | /// @return True if the file is opened, false otherwise |
213 | | bool isOpened() const override |
214 | 0 | { |
215 | 0 | return m_PcapFile.is_open(); |
216 | 0 | } |
217 | | |
218 | | /// Read the next packet from the file. Before using this method please verify the file is opened using open() |
219 | | /// @param[out] rawPacket A reference for an empty RawPacket where the packet will be written |
220 | | /// @return True if a packet was read successfully. False will be returned if the file isn't opened (also, an |
221 | | /// error log will be printed) or if reached end-of-file |
222 | | bool getNextPacket(RawPacket& rawPacket) override; |
223 | | |
224 | | /// Open the file name which path was specified in the constructor in a read-only mode |
225 | | /// @return True if file was opened successfully or if file is already opened. False if opening the file failed |
226 | | /// for some reason (for example: file path does not exist) |
227 | | bool open() override; |
228 | | |
229 | | /// Close the pacp file |
230 | | void close() override; |
231 | | |
232 | | private: |
233 | | FileTimestampPrecision m_Precision = FileTimestampPrecision::Unknown; |
234 | | LinkLayerType m_PcapLinkLayerType = LINKTYPE_ETHERNET; |
235 | | std::ifstream m_PcapFile; |
236 | | bool m_NeedsSwap = false; |
237 | | uint32_t m_SnapshotLength = 0; |
238 | | std::vector<uint8_t> m_ReadBuffer; |
239 | | |
240 | | bool readNextPacket(timespec& packetTimestamp, uint8_t* packetData, uint32_t packetDataLen, |
241 | | uint32_t& capturedLength, uint32_t& frameLength); |
242 | | }; |
243 | | |
244 | | /// @class PcapFileWriterDevice |
245 | | /// A class for opening a pcap file for writing or creating a new pcap file and writing packets to it. |
246 | | /// It supports opening a pcap file in append mode where packets are written at the end of the file |
247 | | /// instead of overwriting it. This implementation writes the pcap stream directly using C++ I/O |
248 | | /// facilities (std::fstream) and does not require libpcap/WinPcap at runtime. |
249 | | class PcapFileWriterDevice : public IFileWriterDevice |
250 | | { |
251 | | public: |
252 | | /// A constructor for this class that gets the pcap full path file name to open for writing or create. Notice |
253 | | /// that after calling this constructor the file isn't opened yet, so writing packets will fail. For opening the |
254 | | /// file call open() |
255 | | /// @param[in] fileName The full path of the file |
256 | | /// @param[in] linkLayerType The link layer type all packet in this file will be based on. The default is |
257 | | /// Ethernet |
258 | | /// @param[in] nanosecondsPrecision A boolean indicating whether to write timestamps in nano-precision. If set |
259 | | /// to false, timestamps will be written in micro-precision |
260 | | /// @throws std::runtime_error if nanosecondsPrecision is set to `true` but the current platform and environment |
261 | | /// doesn't support it. |
262 | | PcapFileWriterDevice(const std::string& fileName, LinkLayerType linkLayerType = LINKTYPE_ETHERNET, |
263 | | bool nanosecondsPrecision = false); |
264 | | |
265 | | PcapFileWriterDevice(const PcapFileWriterDevice& other) = delete; |
266 | | PcapFileWriterDevice& operator=(const PcapFileWriterDevice& other) = delete; |
267 | | |
268 | | /// Write a RawPacket to the file. Before using this method please verify the file is opened using open(). This |
269 | | /// method won't change the written packet |
270 | | /// @param[in] packet A reference for an existing RawPcket to write to the file |
271 | | /// @return True if a packet was written successfully. False will be returned if the file isn't opened |
272 | | /// or if the packet link layer type is different than the one defined for the file |
273 | | /// (in all cases, an error will be printed to log) |
274 | | bool writePacket(RawPacket const& packet) override; |
275 | | |
276 | | /// Write multiple RawPacket to the file. Before using this method please verify the file is opened using |
277 | | /// open(). This method won't change the written packets or the RawPacketVector instance |
278 | | /// @param[in] packets A reference for an existing RawPcketVector, all of its packets will be written to the |
279 | | /// file |
280 | | /// @return True if all packets were written successfully to the file. False will be returned if the file isn't |
281 | | /// opened (also, an error log will be printed) or if at least one of the packets wasn't written successfully to |
282 | | /// the file |
283 | | bool writePackets(const RawPacketVector& packets) override; |
284 | | |
285 | | /// @return The precision of the timestamps in the file. |
286 | | FileTimestampPrecision getTimestampPrecision() const |
287 | 0 | { |
288 | 0 | return m_Precision; |
289 | 0 | } |
290 | | |
291 | | /// A static method that checks if nano-second precision is supported in the current platform and environment |
292 | | /// @return True if nano-second precision is supported, false otherwise |
293 | | /// @deprecated Nanosecond precision is now natively supported by the internal parser and always returns true |
294 | | PCPP_DEPRECATED("Nanosecond precision is now natively supported by the internal parser and always returns true") |
295 | | static bool isNanoSecondPrecisionSupported() |
296 | 0 | { |
297 | 0 | return true; |
298 | 0 | } |
299 | | |
300 | | LinkLayerType getLinkLayerType() const |
301 | 0 | { |
302 | 0 | return m_PcapLinkLayerType; |
303 | 0 | } |
304 | | |
305 | | /// Open the file in a write mode. If file doesn't exist, it will be created. If it does exist it will be |
306 | | /// overwritten, meaning all its current content will be deleted |
307 | | /// @return True if file was opened/created successfully or if file is already opened. False if opening the file |
308 | | /// failed for some reason (an error will be printed to log) |
309 | | bool open() override; |
310 | | |
311 | | /// Same as open(), but enables to open the file in append mode in which packets will be appended to the file |
312 | | /// instead of overwrite its current content. In append mode file must exist, otherwise opening will fail |
313 | | /// @param[in] appendMode A boolean indicating whether to open the file in append mode or not. If set to false |
314 | | /// this method will act exactly like open(). If set to true, file will be opened in append mode |
315 | | /// @return True of managed to open the file successfully. In case appendMode is set to true, false will be |
316 | | /// returned if file wasn't found or couldn't be read, if file type is not pcap, or if link type specified in |
317 | | /// c'tor is different from current file link type. In case appendMode is set to false, please refer to open() |
318 | | /// for return values |
319 | | bool open(bool appendMode) override; |
320 | | |
321 | | /// @return True if the file is opened, false otherwise |
322 | | bool isOpened() const override |
323 | 0 | { |
324 | 0 | return m_PcapFile.is_open(); |
325 | 0 | } |
326 | | |
327 | | /// Flush and close the pacp file |
328 | | void close() override; |
329 | | |
330 | | /// Flush packets to disk. |
331 | | void flush(); |
332 | | |
333 | | private: |
334 | | static bool writeHeader(std::ostream& outStream, FileTimestampPrecision precision, uint32_t snaplen, |
335 | | LinkLayerType linkType); |
336 | | |
337 | | LinkLayerType m_PcapLinkLayerType = LINKTYPE_ETHERNET; |
338 | | bool m_NeedsSwap = false; |
339 | | FileTimestampPrecision m_Precision = FileTimestampPrecision::Unknown; |
340 | | std::fstream m_PcapFile; |
341 | | }; |
342 | | |
343 | | /// @class PcapNgFileReaderDevice |
344 | | /// A class for opening a pcap-ng file in read-only mode. This class enable to open the file and read all packets, |
345 | | /// packet-by-packet |
346 | | class PcapNgFileReaderDevice : public IFileReaderDevice |
347 | | { |
348 | | private: |
349 | | internal::LightPcapNgHandle* m_LightPcapNg; |
350 | | |
351 | | public: |
352 | | /// @brief A static method that checks if the device was built with zstd compression support |
353 | | /// @return True if zstd compression is supported, false otherwise. |
354 | | static bool isZstdSupported(); |
355 | | |
356 | | /// A constructor for this class that gets the pcap-ng full path file name to open. Notice that after calling |
357 | | /// this constructor the file isn't opened yet, so reading packets will fail. For opening the file call open() |
358 | | /// @param[in] fileName The full path of the file to read |
359 | | PcapNgFileReaderDevice(const std::string& fileName); |
360 | | |
361 | | /// A destructor for this class |
362 | | ~PcapNgFileReaderDevice() override |
363 | 0 | { |
364 | 0 | PcapNgFileReaderDevice::close(); |
365 | 0 | } |
366 | | |
367 | | PcapNgFileReaderDevice(const PcapNgFileReaderDevice& other) = delete; |
368 | | PcapNgFileReaderDevice& operator=(const PcapNgFileReaderDevice& other) = delete; |
369 | | |
370 | | /// The pcap-ng format allows storing metadata at the header of the file. Part of this metadata is a string |
371 | | /// specifying the operating system that was used for capturing the packets. This method reads this string from |
372 | | /// the metadata (if exists) and returns it |
373 | | /// @return The operating system string if exists, or an empty string otherwise |
374 | | std::string getOS() const; |
375 | | |
376 | | /// The pcap-ng format allows storing metadata at the header of the file. Part of this metadata is a string |
377 | | /// specifying the hardware that was used for capturing the packets. This method reads this string from the |
378 | | /// metadata (if exists) and returns it |
379 | | /// @return The hardware string if exists, or an empty string otherwise |
380 | | std::string getHardware() const; |
381 | | |
382 | | /// The pcap-ng format allows storing metadata at the header of the file. Part of this metadata is a string |
383 | | /// specifying the capture application that was used for capturing the packets. This method reads this string |
384 | | /// from the metadata (if exists) and returns it |
385 | | /// @return The capture application string if exists, or an empty string otherwise |
386 | | std::string getCaptureApplication() const; |
387 | | |
388 | | /// The pcap-ng format allows storing metadata at the header of the file. Part of this metadata is a string |
389 | | /// containing a user-defined comment (can be any string). This method reads this string from the metadata (if |
390 | | /// exists) and returns it |
391 | | /// @return The comment written inside the file if exists, or an empty string otherwise |
392 | | std::string getCaptureFileComment() const; |
393 | | |
394 | | /// The pcap-ng format allows storing a user-defined comment for every packet (besides the comment per-file). |
395 | | /// This method reads the next packet and the comment attached to it (if such comment exists), and returns them |
396 | | /// both |
397 | | /// @param[out] rawPacket A reference for an empty RawPacket where the packet will be written |
398 | | /// @param[out] packetComment The comment attached to the packet or an empty string if no comment exists |
399 | | /// @return True if a packet was read successfully. False will be returned if the file isn't opened (also, an |
400 | | /// error log will be printed) or if reached end-of-file |
401 | | bool getNextPacket(RawPacket& rawPacket, std::string& packetComment); |
402 | | |
403 | | // overridden methods |
404 | | |
405 | | /// Read the next packet from the file. Before using this method please verify the file is opened using open() |
406 | | /// @param[out] rawPacket A reference for an empty RawPacket where the packet will be written |
407 | | /// @return True if a packet was read successfully. False will be returned if the file isn't opened (also, an |
408 | | /// error log will be printed) or if reached end-of-file |
409 | | bool getNextPacket(RawPacket& rawPacket) override; |
410 | | |
411 | | /// Open the file name which path was specified in the constructor in a read-only mode |
412 | | /// @return True if file was opened successfully or if file is already opened. False if opening the file failed |
413 | | /// for some reason (for example: file path does not exist) |
414 | | bool open() override; |
415 | | |
416 | | /// @return True if the file is opened, false otherwise |
417 | | bool isOpened() const override |
418 | 0 | { |
419 | 0 | return m_LightPcapNg != nullptr; |
420 | 0 | } |
421 | | |
422 | | /// Close the pacp-ng file |
423 | | void close() override; |
424 | | |
425 | | private: |
426 | | bool getNextPacketInternal(RawPacket& rawPacket, std::string* packetComment); |
427 | | }; |
428 | | |
429 | | /// @class PcapNgFileWriterDevice |
430 | | /// A class for opening a pcap-ng file for writing or creating a new pcap-ng file and write packets to it. This |
431 | | /// class adds unique capabilities such as writing metadata attributes into the file header, adding comments per |
432 | | /// packet and opening the file in append mode where packets are added to a file instead of overriding it. This |
433 | | /// capabilities are part of the pcap-ng standard but aren't supported in most tools and libraries |
434 | | class PcapNgFileWriterDevice : public IFileWriterDevice |
435 | | { |
436 | | private: |
437 | | internal::LightPcapNgHandle* m_LightPcapNg; |
438 | | int m_CompressionLevel; |
439 | | |
440 | | public: |
441 | | /// @brief A static method that checks if the device was built with zstd compression support |
442 | | /// @return True if zstd compression is supported, false otherwise. |
443 | | static bool isZstdSupported(); |
444 | | |
445 | | /// A constructor for this class that gets the pcap-ng full path file name to open for writing or create. Notice |
446 | | /// that after calling this constructor the file isn't opened yet, so writing packets will fail. For opening the |
447 | | /// file call open() |
448 | | /// @param[in] fileName The full path of the file |
449 | | /// @param[in] compressionLevel The compression level to use when writing the file, use 0 to disable compression |
450 | | /// or 10 for max compression. Default is 0 |
451 | | PcapNgFileWriterDevice(const std::string& fileName, int compressionLevel = 0); |
452 | | |
453 | | /// A destructor for this class |
454 | | ~PcapNgFileWriterDevice() override |
455 | 0 | { |
456 | 0 | PcapNgFileWriterDevice::close(); |
457 | 0 | } |
458 | | |
459 | | PcapNgFileWriterDevice(const PcapFileWriterDevice& other) = delete; |
460 | | PcapNgFileWriterDevice& operator=(const PcapNgFileWriterDevice& other) = delete; |
461 | | |
462 | | /// The pcap-ng format allows adding a user-defined comment for each stored packet. This method writes a |
463 | | /// RawPacket to the file and adds a comment to it. Before using this method please verify the file is opened |
464 | | /// using open(). This method won't change the written packet or the input comment |
465 | | /// @param[in] packet A reference for an existing RawPcket to write to the file |
466 | | /// @param[in] comment The comment to be written for the packet. If this string is empty or null it will be |
467 | | /// ignored |
468 | | /// @return True if a packet was written successfully. False will be returned if the file isn't opened (an error |
469 | | /// will be printed to log) |
470 | | bool writePacket(RawPacket const& packet, const std::string& comment); |
471 | | |
472 | | // overridden methods |
473 | | |
474 | | /// Write a RawPacket to the file. Before using this method please verify the file is opened using open(). This |
475 | | /// method won't change the written packet |
476 | | /// @param[in] packet A reference for an existing RawPcket to write to the file |
477 | | /// @return True if a packet was written successfully. False will be returned if the file isn't opened (an error |
478 | | /// will be printed to log) |
479 | | bool writePacket(RawPacket const& packet) override; |
480 | | |
481 | | /// Write multiple RawPacket to the file. Before using this method please verify the file is opened using |
482 | | /// open(). This method won't change the written packets or the RawPacketVector instance |
483 | | /// @param[in] packets A reference for an existing RawPcketVector, all of its packets will be written to the |
484 | | /// file |
485 | | /// @return True if all packets were written successfully to the file. False will be returned if the file isn't |
486 | | /// opened (also, an error log will be printed) or if at least one of the packets wasn't written successfully to |
487 | | /// the file |
488 | | bool writePackets(const RawPacketVector& packets) override; |
489 | | |
490 | | /// Open the file in a write mode. If file doesn't exist, it will be created. If it does exist it will be |
491 | | /// overwritten, meaning all its current content will be deleted |
492 | | /// @return True if file was opened/created successfully or if file is already opened. False if opening the file |
493 | | /// failed for some reason (an error will be printed to log) |
494 | | bool open() override; |
495 | | |
496 | | /// Same as open(), but enables to open the file in append mode in which packets will be appended to the file |
497 | | /// instead of overwrite its current content. In append mode file must exist, otherwise opening will fail |
498 | | /// @param[in] appendMode A boolean indicating whether to open the file in append mode or not. If set to false |
499 | | /// this method will act exactly like open(). If set to true, file will be opened in append mode |
500 | | /// @return True of managed to open the file successfully. In case appendMode is set to true, false will be |
501 | | /// returned if file wasn't found or couldn't be read, if file type is not pcap-ng. In case appendMode is set to |
502 | | /// false, please refer to open() for return values |
503 | | bool open(bool appendMode) override; |
504 | | |
505 | | /// Open the file in a write mode. If file doesn't exist, it will be created. If it does exist it will be |
506 | | /// overwritten, meaning all its current content will be deleted. As opposed to open(), this method also allows |
507 | | /// writing several metadata attributes that will be stored in the header of the file |
508 | | /// @param[in] os A string describing the operating system that was used to capture the packets. If this string |
509 | | /// is empty or null it will be ignored |
510 | | /// @param[in] hardware A string describing the hardware that was used to capture the packets. If this string is |
511 | | /// empty or null it will be ignored |
512 | | /// @param[in] captureApp A string describing the application that was used to capture the packets. If this |
513 | | /// string is empty or null it will be ignored |
514 | | /// @param[in] fileComment A string containing a user-defined comment that will be part of the metadata of the |
515 | | /// file. If this string is empty or null it will be ignored |
516 | | /// @return True if file was opened/created successfully or if file is already opened. False if opening the file |
517 | | /// failed for some reason (an error will be printed to log) |
518 | | bool open(const std::string& os, const std::string& hardware, const std::string& captureApp, |
519 | | const std::string& fileComment); |
520 | | |
521 | | /// @return True if the file is opened, false otherwise |
522 | | bool isOpened() const override |
523 | 0 | { |
524 | 0 | return m_LightPcapNg != nullptr; |
525 | 0 | } |
526 | | |
527 | | /// Flush packets to the pcap-ng file |
528 | | void flush(); |
529 | | |
530 | | /// Flush and close the pcap-ng file |
531 | | void close() override; |
532 | | |
533 | | private: |
534 | | /// @struct PcapNgMetadata |
535 | | /// @brief A struct for holding the metadata of a pcap-ng file. The metadata includes the operating system, |
536 | | /// hardware, capture application and file comment. |
537 | | struct PcapNgMetadata |
538 | | { |
539 | | /// The operating system that was used for capturing the packets |
540 | | std::string os; |
541 | | /// The hardware that was used for capturing the packets |
542 | | std::string hardware; |
543 | | /// The capture application that was used for capturing the packets |
544 | | std::string captureApplication; |
545 | | /// The comment that was written inside the file |
546 | | std::string comment; |
547 | | }; |
548 | | |
549 | | bool openWrite(PcapNgMetadata const* metadata = nullptr); |
550 | | bool openAppend(); |
551 | | }; |
552 | | |
553 | | /// @class SnoopFileReaderDevice |
554 | | /// A class for opening a snoop file in read-only mode. This class enable to open the file and read all packets, |
555 | | /// packet-by-packet |
556 | | class SnoopFileReaderDevice : public IFileReaderDevice |
557 | | { |
558 | | private: |
559 | | #pragma pack(1) |
560 | | /// File format header. |
561 | | typedef struct |
562 | | { |
563 | | uint64_t identification_pattern; |
564 | | uint32_t version_number; |
565 | | uint32_t datalink_type; |
566 | | } snoop_file_header_t; |
567 | | |
568 | | /// Packet record header. |
569 | | typedef struct |
570 | | { |
571 | | uint32_t original_length; ///< original packet length |
572 | | uint32_t included_length; ///< saved packet length |
573 | | uint32_t packet_record_length; ///< total record length |
574 | | uint32_t ndrops_cumulative; ///< cumulative drops |
575 | | uint32_t time_sec; ///< timestamp |
576 | | uint32_t time_usec; ///< microsecond timestamp |
577 | | } snoop_packet_header_t; |
578 | | #pragma pack() |
579 | | |
580 | | LinkLayerType m_PcapLinkLayerType; |
581 | | std::ifstream m_SnoopFile; |
582 | | std::vector<uint8_t> m_ReadBuffer; |
583 | | |
584 | | bool readNextPacket(timespec& packetTimestamp, uint8_t* packetData, uint32_t packetDataLen, |
585 | | uint32_t& capturedLength, uint32_t& frameLength); |
586 | | |
587 | | public: |
588 | | /// A constructor for this class that gets the snoop full path file name to open. Notice that after calling this |
589 | | /// constructor the file isn't opened yet, so reading packets will fail. For opening the file call open() |
590 | | /// @param[in] fileName The full path of the file to read |
591 | | SnoopFileReaderDevice(const std::string& fileName) |
592 | 0 | : IFileReaderDevice(fileName), m_PcapLinkLayerType(LINKTYPE_ETHERNET) |
593 | 0 | {} |
594 | | |
595 | | /// A destructor for this class |
596 | | ~SnoopFileReaderDevice() override; |
597 | | |
598 | | SnoopFileReaderDevice(const PcapFileReaderDevice& other) = delete; |
599 | | SnoopFileReaderDevice& operator=(const PcapFileReaderDevice& other) = delete; |
600 | | |
601 | | /// @return The link layer type of this file |
602 | | LinkLayerType getLinkLayerType() const |
603 | 0 | { |
604 | 0 | return m_PcapLinkLayerType; |
605 | 0 | } |
606 | | |
607 | | // overridden methods |
608 | | |
609 | | /// Read the next packet from the file. Before using this method please verify the file is opened using open() |
610 | | /// @param[out] rawPacket A reference for an empty RawPacket where the packet will be written |
611 | | /// @return True if a packet was read successfully. False will be returned if the file isn't opened (also, an |
612 | | /// error log will be printed) or if reached end-of-file |
613 | | bool getNextPacket(RawPacket& rawPacket) override; |
614 | | |
615 | | /// Open the file name which path was specified in the constructor in a read-only mode |
616 | | /// @return True if file was opened successfully or if file is already opened. False if opening the file failed |
617 | | /// for some reason (for example: file path does not exist) |
618 | | bool open() override; |
619 | | |
620 | | /// @return True if the file is opened, false otherwise |
621 | | bool isOpened() const override |
622 | 0 | { |
623 | 0 | return m_SnoopFile.is_open(); |
624 | 0 | } |
625 | | |
626 | | /// Close the snoop file |
627 | | void close() override; |
628 | | }; |
629 | | } // namespace pcpp |