Use uid from the PCAPdroid trailer if available

When loading a PCAP file, if there is a PCAPdroid trailer available,
use its uid to associate the connections to the originating app.
Currently this assumes that the uid mapping has not changed, e.g. the
app for a specific uid has not been uninstalled.

app/src/main/jni/core/capture_libpcap.c

@@ -352,6 +352,19 @@ static bool handle_packet(pcapdroid_t *pd, pcapd_hdr_t *hdr, const char *buffer,
         return false;
     }
 
+    if(pd->pcap_file_capture && (hdr->uid == UID_UNKNOWN)) {
+        // retrieve the UID from the PCAPdroid trailer, if available
+        int non_ip_overhead = (int)hdr->len - (int)pkt.len;
+
+        if(non_ip_overhead >= sizeof(pcapdroid_trailer_t)) {
+            const struct pcapdroid_trailer* trailer =
+                    (const struct pcapdroid_trailer*) (buffer + hdr->len - sizeof(pcapdroid_trailer_t));
+
+            if(ntohl(trailer->magic) == PCAPDROID_TRAILER_MAGIC)
+                hdr->uid = ntohl(trailer->uid);
+        }
+    }
+
     if((pkt.flags & ZDTUN_PKT_IS_FRAGMENT) &&
             (pkt.tuple.src_port == 0) && (pkt.tuple.dst_port == 0)) {
         // This fragment cannot be mapped to the original src/dst ports. This may happen if the first

app/src/main/jni/core/pcap_dump.c

@@ -26,7 +26,6 @@
 #define LINKTYPE_ETHERNET 1
 #define LINKTYPE_RAW      101
 
-#define PCAPDROID_TRAILER_MAGIC 0x01072021
 #define MAX_PCAP_DUMP_DELAY_MS 1000
 #define PCAP_BUFFER_SIZE             (512*1024)         // 512K
 #define PCAP_BUFFER_ALMOST_FULL_SIZE (450*1024)         // 450K

app/src/main/jni/core/pcap_dump.h

@@ -104,6 +104,8 @@ typedef enum {
     PCAPNG_DUMP,              // PcapNg file
 } pcap_dump_mode_t;
 
+#define PCAPDROID_TRAILER_MAGIC 0x01072021
+
 /* A trailer to the packet which contains PCAPdroid-specific information.
  * When pcapdroid_trailer is set, the raw packet will be prepended with a bogus ethernet header,
  * whose size spans the raw packet data. The pcapdroid_trailer_t will be appended after the L3 data