diff options
Diffstat (limited to 'src/file_pcap.c')
| -rw-r--r-- | src/file_pcap.c | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/src/file_pcap.c b/src/file_pcap.c new file mode 100644 index 00000000..759dc999 --- /dev/null +++ b/src/file_pcap.c @@ -0,0 +1,64 @@ +/* + + File: file_pcap.c + + Copyright (C) 2008 Christophe GRENIER <[email protected]> + + This software is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write the Free Software Foundation, Inc., 51 + Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif +#ifdef HAVE_STRING_H +#include <string.h> +#endif +#include <stdio.h> +#include "types.h" +#include "filegen.h" +#include "memmem.h" + +static void register_header_check_pcap(file_stat_t *file_stat); +static int header_check_pcap(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new); + +const file_hint_t file_hint_pcap= { + .extension="pcap", + .description="tcpdump capture file", + .min_header_distance=0, + .max_filesize=PHOTOREC_MAX_FILE_SIZE, + .recover=1, + .enable_by_default=1, + .register_header_check=®ister_header_check_pcap +}; + +static const unsigned char pcap_header[4] = {0xd4, 0xc3, 0xb2, 0xa1}; +/* pcap low-endian header */ + +static void register_header_check_pcap(file_stat_t *file_stat) +{ + register_header_check(0, pcap_header, sizeof(pcap_header), &header_check_pcap, file_stat); +} + +static int header_check_pcap(const unsigned char *buffer, const unsigned int buffer_size, const unsigned int safe_header_only, const file_recovery_t *file_recovery, file_recovery_t *file_recovery_new) +{ + if(memcmp(buffer, pcap_header, sizeof(pcap_header))==0) + { + reset_file_recovery(file_recovery_new); + file_recovery_new->extension=file_hint_pcap.extension; + return 1; + } + return 0; +} |