Read and write pcap files without libpcap (#2034)

Author: seladb

.github/workflows/build_and_test.yml

@@ -156,7 +156,7 @@ jobs:
       - name: Create Cobertura Report
         run: |
           . .venv/bin/activate
-          python3 -m pip install gcovr
+          python3 -m pip install gcovr==8.2
           gcovr -v -r . ${{ matrix.additional-gcov-flags }} $GCOVR_FLAGS -o coverage.xml
 
       - name: Upload Coverage Results
@@ -226,7 +226,7 @@ jobs:
       - name: Create Cobertura Report
         run: |
           . .venv/bin/activate
-          python3 -m pip install gcovr
+          python3 -m pip install gcovr==8.2
           gcovr -v -r . $GCOVR_FLAGS -o coverage.xml
 
       - name: Upload Coverage Results
@@ -471,7 +471,7 @@ jobs:
       - name: Create Cobertura Report
         if: ${{ matrix.host-arch == matrix.arch }}
         run: |
-          python3 -m pip install gcovr
+          python3 -m pip install gcovr==8.2
           gcovr -v -r . $GCOVR_FLAGS -o coverage.xml
 
       - name: Upload Coverage Results
@@ -592,7 +592,7 @@ jobs:
           python -m pytest --root-path=../../Dist/examples_bin
 
       - name: Install Coverage Requirements
-        run: python3 -m pip install gcovr
+        run: python3 -m pip install gcovr==8.2
 
       - name: Process Coverage Files
         shell: msys2 {0}
@@ -906,7 +906,7 @@ jobs:
 
       - name: Create Cobertura Report
         run: |
-          python -m pip install gcovr
+          python -m pip install gcovr==8.2
           gcovr -v -r . $GCOVR_FLAGS -o coverage.xml
 
       - name: Upload Coverage Results

Pcap++/header/PcapFileDevice.h

@@ -152,77 +152,84 @@ namespace pcpp
 	/// packet-by-packet
 	class PcapFileReaderDevice : public IFileReaderDevice
 	{
-	private:
-		FileTimestampPrecision m_Precision;
-		LinkLayerType m_PcapLinkLayerType;
-
-		// private copy c'tor
-		PcapFileReaderDevice(const PcapFileReaderDevice& other);
-		PcapFileReaderDevice& operator=(const PcapFileReaderDevice& other);
-
 	public:
 		/// A constructor for this class that gets the pcap full path file name to open. Notice that after calling this
 		/// constructor the file isn't opened yet, so reading packets will fail. For opening the file call open()
 		/// @param[in] fileName The full path of the file to read
-		PcapFileReaderDevice(const std::string& fileName)
-		    : IFileReaderDevice(fileName), m_Precision(FileTimestampPrecision::Unknown),
-		      m_PcapLinkLayerType(LINKTYPE_ETHERNET)
+		explicit PcapFileReaderDevice(const std::string& fileName) : IFileReaderDevice(fileName)
 		{}
 
 		/// A destructor for this class
-		virtual ~PcapFileReaderDevice() = default;
+		~PcapFileReaderDevice() override = default;
+
+		PcapFileReaderDevice(const PcapFileReaderDevice& other) = delete;
+		PcapFileReaderDevice& operator=(const PcapFileReaderDevice& other) = delete;
 
 		/// @return The link layer type of this file
 		LinkLayerType getLinkLayerType() const
 		{
 			return m_PcapLinkLayerType;
 		}
 
-		/// @return The precision of the timestamps in the file. If the platform supports nanosecond precision, this
-		/// method will return nanoseconds even if the file has microseconds since libpcap scales timestamps before
-		/// supply. Otherwise, it will return microseconds.
+		/// @return The precision of the timestamps in the file
 		FileTimestampPrecision getTimestampPrecision() const
 		{
 			return m_Precision;
 		}
 
+		/// @return The file's snapshot length (snaplen)
+		uint32_t getSnapshotLength() const
+		{
+			return m_SnapshotLength;
+		}
+
 		/// A static method that checks if nano-second precision is supported in the current platform and environment
 		/// @return True if nano-second precision is supported, false otherwise
-		static bool isNanoSecondPrecisionSupported();
+		/// @deprecated Nanosecond precision is now natively supported by the internal parser and always returns true
+		PCPP_DEPRECATED("Nanosecond precision is now natively supported by the internal parser and always returns true")
+		static bool isNanoSecondPrecisionSupported()
+		{
+			return true;
+		}
 
 		// overridden methods
 
 		/// Read the next packet from the file. Before using this method please verify the file is opened using open()
 		/// @param[out] rawPacket A reference for an empty RawPacket where the packet will be written
 		/// @return True if a packet was read successfully. False will be returned if the file isn't opened (also, an
 		/// error log will be printed) or if reached end-of-file
-		bool getNextPacket(RawPacket& rawPacket);
+		bool getNextPacket(RawPacket& rawPacket) override;
 
 		/// Open the file name which path was specified in the constructor in a read-only mode
 		/// @return True if file was opened successfully or if file is already opened. False if opening the file failed
 		/// for some reason (for example: file path does not exist)
-		bool open();
+		bool open() override;
+
+		/// Close the pacp file
+		void close() override;
+
+	protected:
+		bool doUpdateFilter(std::string const* filterAsString) override;
+
+	private:
+		FileTimestampPrecision m_Precision = FileTimestampPrecision::Unknown;
+		LinkLayerType m_PcapLinkLayerType = LINKTYPE_ETHERNET;
+		std::ifstream m_PcapFile;
+		bool m_NeedsSwap = false;
+		uint32_t m_SnapshotLength = 0;
+		BpfFilterWrapper m_BpfWrapper;
+
+		bool readNextPacket(timespec& packetTimestamp, uint8_t* packetData, uint32_t packetDataLen,
+		                    uint32_t& capturedLength, uint32_t& frameLength);
 	};
 
 	/// @class PcapFileWriterDevice
-	/// A class for opening a pcap file for writing or create a new pcap file and write packets to it. This class adds
-	/// a unique capability that isn't supported in WinPcap and in older libpcap versions which is to open a pcap file
-	/// in append mode where packets are written at the end of the pcap file instead of running it over
+	/// A class for opening a pcap file for writing or creating a new pcap file and writing packets to it.
+	/// It supports opening a pcap file in append mode where packets are written at the end of the file
+	/// instead of overwriting it. This implementation writes the pcap stream directly using C++ I/O
+	/// facilities (std::fstream) and does not require libpcap/WinPcap at runtime.
 	class PcapFileWriterDevice : public IFileWriterDevice
 	{
-	private:
-		pcap_dumper_t* m_PcapDumpHandler;
-		LinkLayerType m_PcapLinkLayerType;
-		bool m_AppendMode;
-		FileTimestampPrecision m_Precision;
-		FILE* m_File;
-
-		// private copy c'tor
-		PcapFileWriterDevice(const PcapFileWriterDevice& other);
-		PcapFileWriterDevice& operator=(const PcapFileWriterDevice& other);
-
-		void closeFile();
-
 	public:
 		/// A constructor for this class that gets the pcap full path file name to open for writing or create. Notice
 		/// that after calling this constructor the file isn't opened yet, so writing packets will fail. For opening the
@@ -237,11 +244,8 @@ namespace pcpp
 		PcapFileWriterDevice(const std::string& fileName, LinkLayerType linkLayerType = LINKTYPE_ETHERNET,
 		                     bool nanosecondsPrecision = false);
 
-		/// A destructor for this class
-		~PcapFileWriterDevice()
-		{
-			PcapFileWriterDevice::close();
-		}
+		PcapFileWriterDevice(const PcapFileWriterDevice& other) = delete;
+		PcapFileWriterDevice& operator=(const PcapFileWriterDevice& other) = delete;
 
 		/// Write a RawPacket to the file. Before using this method please verify the file is opened using open(). This
 		/// method won't change the written packet
@@ -268,9 +272,17 @@ namespace pcpp
 
 		/// A static method that checks if nano-second precision is supported in the current platform and environment
 		/// @return True if nano-second precision is supported, false otherwise
-		static bool isNanoSecondPrecisionSupported();
+		/// @deprecated Nanosecond precision is now natively supported by the internal parser and always returns true
+		PCPP_DEPRECATED("Nanosecond precision is now natively supported by the internal parser and always returns true")
+		static bool isNanoSecondPrecisionSupported()
+		{
+			return true;
+		}
 
-		// override methods
+		LinkLayerType getLinkLayerType() const
+		{
+			return m_PcapLinkLayerType;
+		}
 
 		/// Open the file in a write mode. If file doesn't exist, it will be created. If it does exist it will be
 		/// overwritten, meaning all its current content will be deleted
@@ -294,9 +306,49 @@ namespace pcpp
 		/// Flush packets to disk.
 		void flush();
 
+	protected:
+		bool doUpdateFilter(std::string const* filterAsString) override;
+
 	private:
-		bool openWrite();
-		bool openAppend();
+		LinkLayerType m_PcapLinkLayerType = LINKTYPE_ETHERNET;
+		bool m_NeedsSwap = false;
+		FileTimestampPrecision m_Precision = FileTimestampPrecision::Unknown;
+		std::fstream m_PcapFile;
+		BpfFilterWrapper m_BpfWrapper;
+
+		struct CheckHeaderResult
+		{
+			enum class Result
+			{
+				HeaderOk,
+				HeaderError,
+				HeaderNeeded
+			};
+
+			Result result;
+			std::string error;
+			bool needsSwap = false;
+
+			static CheckHeaderResult fromOk(bool needsSwap)
+			{
+				return { Result::HeaderOk, "", needsSwap };
+			}
+
+			static CheckHeaderResult fromError(const std::string& error)
+			{
+				return { Result::HeaderError, error };
+			}
+
+			static CheckHeaderResult fromHeaderNeeded()
+			{
+				return { Result::HeaderNeeded };
+			}
+		};
+
+		static bool writeHeader(std::fstream& pcapFile, FileTimestampPrecision precision, uint32_t snaplen,
+		                        LinkLayerType linkType);
+		static CheckHeaderResult checkHeader(std::fstream& pcapFile, FileTimestampPrecision requestedPrecision,
+		                                     LinkLayerType requestedLinkType);
 	};
 
 	/// @class PcapNgFileReaderDevice