1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include <pcap/pcap-inttypes.h>
29
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35
36 #include "pcap-int.h"
37
38 #include "pcap-common.h"
39
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43
44 #include "sf-pcap-ng.h"
45
46 /*
47 * Block types.
48 */
49
/*
 * Common part at the beginning of all blocks.
 *
 * Both fields are read straight from the file.  read_block() byte-swaps
 * them when p->swapped is set and range-checks total_length before it
 * is used as a buffer size.
 */
struct block_header {
	bpf_u_int32	block_type;	/* BT_* value identifying the block */
	bpf_u_int32	total_length;	/* length of the whole block; read_block() rejects values smaller than header + trailer */
};
57
/*
 * Common trailer at the end of all blocks.
 *
 * NOTE(review): in the code visible here read_block() only subtracts
 * sizeof(struct block_trailer) from the cursor; the trailer's value is
 * not compared with the header's total_length - confirm whether that
 * check is wanted.
 */
struct block_trailer {
	bpf_u_int32	total_length;
};
64
/*
 * Common options.
 */
#define OPT_ENDOFOPT	0	/* end of options */
#define OPT_COMMENT	1	/* comment string */

/*
 * Option header.
 *
 * get_opthdr_from_block_data() byte-swaps both fields in place when
 * p->swapped is set.  option_length is the unpadded value length;
 * get_optvalue_from_block_data() rounds it up to a multiple of 4 before
 * consuming the value from the block.
 */
struct option_header {
	u_short		option_code;
	u_short		option_length;
};
78
79 /*
80 * Structures for the part of each block type following the common
81 * part.
82 */
83
/*
 * Section Header Block.
 *
 * The block type is the byte sequence \n\r\r\n, so a text file could
 * begin with it; pcap_ng_check_header() therefore also requires the
 * byte-order magic before treating the file as pcap-ng.
 */
#define BT_SHB			0x0A0D0D0A

struct section_header_block {
	bpf_u_int32	byte_order_magic;	/* BYTE_ORDER_MAGIC, possibly byte-swapped */
	u_short		major_version;
	u_short		minor_version;
	uint64_t	section_length;		/* not used by pcap_ng_check_header() */
	/* followed by options and trailer */
};

/*
 * Byte-order magic value.  If it only matches after SWAPLONG(), the
 * section was written in the opposite byte order and every multi-byte
 * field has to be swapped on read.
 */
#define BYTE_ORDER_MAGIC	0x1A2B3C4D

/*
 * Current version number.  If major_version isn't PCAP_NG_VERSION_MAJOR,
 * that means that this code can't read the file.
 */
#define PCAP_NG_VERSION_MAJOR	1
#define PCAP_NG_VERSION_MINOR	0
108
/*
 * Interface Description Block.
 */
#define BT_IDB			0x00000001

struct interface_description_block {
	u_short		linktype;	/* byte-swapped in place by the reader when p->swapped */
	u_short		reserved;
	bpf_u_int32	snaplen;	/* byte-swapped in place by the reader when p->swapped */
	/* followed by options and trailer */
};

/*
 * Options in the IDB.
 *
 * process_idb_options() interprets only IF_TSRESOL and IF_TSOFFSET;
 * every other option code is skipped over.
 */
#define IF_NAME		2	/* interface name string */
#define IF_DESCRIPTION	3	/* interface description string */
#define IF_IPV4ADDR	4	/* interface's IPv4 address and netmask */
#define IF_IPV6ADDR	5	/* interface's IPv6 address and prefix length */
#define IF_MACADDR	6	/* interface's MAC address */
#define IF_EUIADDR	7	/* interface's EUI address */
#define IF_SPEED	8	/* interface's speed, in bits/s */
#define IF_TSRESOL	9	/* interface's time stamp resolution */
#define IF_TZONE	10	/* interface's time zone */
#define IF_FILTER	11	/* filter used when capturing on interface */
#define IF_OS		12	/* string OS on which capture on this interface was done */
#define IF_FCSLEN	13	/* FCS length for this interface */
#define IF_TSOFFSET	14	/* time stamp offset for this interface */
137
/*
 * Enhanced Packet Block.
 *
 * All fields come from the file in the section's byte order;
 * pcap_ng_next_packet() swaps them into locals when p->swapped is set.
 * The two timestamp words are combined as (high << 32) | low.
 */
#define BT_EPB			0x00000006

struct enhanced_packet_block {
	bpf_u_int32	interface_id;
	bpf_u_int32	timestamp_high;
	bpf_u_int32	timestamp_low;
	bpf_u_int32	caplen;
	bpf_u_int32	len;
	/* followed by packet data, options, and trailer */
};

/*
 * Simple Packet Block.
 *
 * Carries no interface ID, time stamp or captured length;
 * pcap_ng_next_packet() attributes the packet to interface 0, uses a
 * zero time stamp and derives caplen as min(len, p->snapshot).
 */
#define BT_SPB			0x00000003

struct simple_packet_block {
	bpf_u_int32	len;
	/* followed by packet data and trailer */
};

/*
 * Packet Block.
 *
 * Same layout idea as the EPB, but with a 16-bit interface ID and a
 * drops counter.
 */
#define BT_PB			0x00000002

struct packet_block {
	u_short		interface_id;
	u_short		drops_count;
	bpf_u_int32	timestamp_high;
	bpf_u_int32	timestamp_low;
	bpf_u_int32	caplen;
	bpf_u_int32	len;
	/* followed by packet data, options, and trailer */
};
176
/*
 * Block cursor - used when processing the contents of a block.
 * Contains a pointer into the data being processed and a count
 * of bytes remaining in the block.
 *
 * read_block() points data just past the block header in p->buffer and
 * sets data_remaining to exclude the trailer; get_from_block_data() is
 * the bounds-checked way to advance it.
 */
struct block_cursor {
	u_char		*data;
	size_t		data_remaining;
	bpf_u_int32	block_type;	/* used in "too short" error messages */
};

/*
 * How time stamps of an interface are converted to the resolution the
 * user asked for; chosen per interface in add_interface().
 */
typedef enum {
	PASS_THROUGH,		/* file resolution == requested resolution */
	SCALE_UP_DEC,		/* file resolution lower, power of 10 */
	SCALE_DOWN_DEC,		/* file resolution higher, power of 10 */
	SCALE_UP_BIN,		/* file resolution lower, power of 2 */
	SCALE_DOWN_BIN		/* file resolution higher, power of 2 */
} tstamp_scale_type_t;

/*
 * Per-interface information.
 *
 * scale_factor is assigned by add_interface() only for the SCALE_*_DEC
 * cases; it is left unset for PASS_THROUGH and the SCALE_*_BIN cases.
 */
struct pcap_ng_if {
	u_int tsresol;			/* time stamp resolution */
	tstamp_scale_type_t scale_type;	/* how to scale */
	u_int scale_factor;		/* time stamp scale factor for power-of-10 tsresol */
	uint64_t tsoffset;		/* time stamp offset */
};
205
/*
 * Per-pcap_t private data.
 *
 * max_blocksize is the maximum size of a block that we'll accept.  We
 * reject blocks bigger than this, so we don't consume too much memory
 * with a truly huge block.  It can change as we see IDBs with different
 * link-layer header types.  (Currently, we don't support IDBs with
 * different link-layer header types, but we will support it in the
 * future, when we offer file-reading APIs that support it.)
 *
 * XXX - that's an issue on ILP32 platforms, where the maximum block
 * size of 2^31-1 would eat all but one byte of the entire address space.
 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
 * of the address space may be limited by 1) the number of *significant*
 * address bits (currently, x86-64 only supports 48 bits of address), 2)
 * any limitations imposed by the operating system; 3) any limitations
 * imposed by the amount of available backing store for anonymous pages,
 * so we impose a limit regardless of the size of a pointer.
 */
struct pcap_ng_sf {
	u_int user_tsresol;		/* time stamp resolution requested by the user */
	u_int max_blocksize;		/* don't grow buffer size past this */
	bpf_u_int32 ifcount;		/* number of interfaces seen in this capture */
	bpf_u_int32 ifaces_size;	/* size of array below */
	struct pcap_ng_if *ifaces;	/* array of interface information */
};

/*
 * Maximum block size for a given maximum snapshot length.
 *
 * We define it as the size of an EPB with a max_snaplen-sized
 * packet and 128KB of options.
 *
 * The result has type size_t (it is built from sizeof expressions), so
 * callers storing it in a u_int rely on max_snaplen being small enough
 * for the sum to fit.
 */
#define MAX_BLOCKSIZE(max_snaplen)	(sizeof (struct block_header) + \
					 sizeof (struct enhanced_packet_block) + \
					 (max_snaplen) + 131072 + \
					 sizeof (struct block_trailer))
244
245 static void pcap_ng_cleanup(pcap_t *p);
246 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
247 u_char **data);
248
/*
 * Read exactly bytes_to_read bytes from fp into buf.
 *
 * Returns 1 when the full amount was read, 0 on a clean EOF (nothing
 * read and fail_on_eof is zero), and -1 with a message in errbuf on an
 * I/O error or a short read.
 */
static int
read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
    char *errbuf)
{
	size_t got = fread(buf, 1, bytes_to_read, fp);

	/* Common case first: everything that was asked for arrived. */
	if (got == bytes_to_read)
		return (1);

	if (ferror(fp)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "error reading dump file: %s",
		    pcap_strerror(errno));
		return (-1);
	}

	/*
	 * No stream error, so we hit end-of-file.  Reading nothing at
	 * all is only acceptable when the caller allows EOF here.
	 */
	if (got == 0 && !fail_on_eof)
		return (0);	/* EOF */

	pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
	    "truncated dump file; tried to read %lu bytes, only got %lu",
	    (unsigned long)bytes_to_read,
	    (unsigned long)got);
	return (-1);
}
273
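/*
 * Read the next block from fp into p->buffer, growing the buffer if
 * needed, and set up *cursor to walk the block body (the bytes between
 * the block header and the block trailer).
 *
 * Returns 1 on success, 0 on EOF at a block boundary, and -1 with a
 * message in errbuf on a read error or a malformed block.
 *
 * The block length comes from the file and is untrusted: it is
 * byte-swapped if necessary and then bounded from above and below
 * before it is used as an allocation or read size.
 */
static int
read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct pcap_ng_sf *ps;
	int status;
	struct block_header bhdr;
	u_char *bdata;
	size_t data_remaining;

	ps = p->priv;

	status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
	if (status <= 0)
		return (status);	/* error or EOF */

	if (p->swapped) {
		bhdr.block_type = SWAPLONG(bhdr.block_type);
		bhdr.total_length = SWAPLONG(bhdr.total_length);
	}

	/*
	 * Is this block "too big"?
	 *
	 * We choose 16MB as "too big", for now, so that we handle
	 * "reasonably" large buffers but don't chew up all the
	 * memory if we read a malformed file.
	 */
	if (bhdr.total_length > 16*1024*1024) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "pcap-ng block size %u > maximum %u",
		    bhdr.total_length, 16*1024*1024);
		return (-1);
	}

	/*
	 * Is this block "too small" - i.e., is it shorter than a block
	 * header plus a block trailer?  This also guarantees that the
	 * two subtractions below cannot wrap.
	 */
	if (bhdr.total_length < sizeof(struct block_header) +
	    sizeof(struct block_trailer)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block in pcap-ng dump file has a length of %u < %lu",
		    bhdr.total_length,
		    (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
		return (-1);
	}

	/*
	 * Is the buffer big enough?
	 */
	if (p->bufsize < bhdr.total_length) {
		/*
		 * No - make it big enough, unless it's too big.
		 */
		void *bigger_buffer;

		if (bhdr.total_length > ps->max_blocksize) {
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "block is larger than maximum block size %u",
			    ps->max_blocksize);
			return (-1);
		}
		bigger_buffer = realloc(p->buffer, bhdr.total_length);
		if (bigger_buffer == NULL) {
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
			return (-1);
		}
		p->buffer = bigger_buffer;

		/*
		 * Keep the recorded size in step with the allocation.
		 * Without this, p->bufsize keeps its initial value and
		 * every later block larger than that re-enters this
		 * branch and reallocates, even if the buffer is already
		 * big enough.
		 */
		p->bufsize = bhdr.total_length;
	}

	/*
	 * Copy the stuff we've read to the buffer, and read the rest
	 * of the block.
	 */
	memcpy(p->buffer, &bhdr, sizeof(bhdr));
	bdata = (u_char *)p->buffer + sizeof(bhdr);
	data_remaining = bhdr.total_length - sizeof(bhdr);
	if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
		return (-1);

	/*
	 * NOTE(review): the trailer's total_length is not compared with
	 * the header's, and total_length is not required to be a
	 * multiple of 4; both are left as they were here, but a stricter
	 * reader would reject blocks that fail either check.
	 */

	/*
	 * Initialize the cursor.  The trailer is excluded so that
	 * get_from_block_data() never hands it out as block content.
	 */
	cursor->data = bdata;
	cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
	cursor->block_type = bhdr.block_type;
	return (1);
}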
361
/*
 * Consume chunk_size bytes from the block the cursor is walking.
 *
 * Returns a pointer to the start of the chunk and advances the cursor
 * past it, or returns NULL with a message in errbuf if fewer than
 * chunk_size bytes are left in the block.  This is the single bounds
 * check that keeps block parsing inside the data read_block() loaded.
 */
static void *
get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
    char *errbuf)
{
	u_char *chunk_start;

	/* Refuse to hand out more than the block still holds. */
	if (chunk_size > cursor->data_remaining) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block of type %u in pcap-ng dump file is too short",
		    cursor->block_type);
		return (NULL);
	}

	/* Remember where the chunk begins, then step over it. */
	chunk_start = cursor->data;
	cursor->data = chunk_start + chunk_size;
	cursor->data_remaining -= chunk_size;
	return (chunk_start);
}
387
/*
 * Fetch the next option header from the block and convert it to host
 * byte order in place.
 *
 * Returns NULL (errbuf filled in by get_from_block_data()) if the
 * block ends before a complete option header.
 */
static struct option_header *
get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct option_header *hdr;

	hdr = get_from_block_data(cursor, sizeof(*hdr), errbuf);

	/* Only a header we actually got can be byte-swapped. */
	if (hdr != NULL && p->swapped) {
		hdr->option_code = SWAPSHORT(hdr->option_code);
		hdr->option_length = SWAPSHORT(hdr->option_length);
	}

	return (hdr);
}
411
/*
 * Fetch the value that follows an option header.
 *
 * The value occupies option_length bytes rounded up to a multiple of 4
 * in the block; the padded amount is what gets consumed.  Returns NULL
 * (errbuf filled in by get_from_block_data()) if the block is too short
 * to hold the padded value.
 */
static void *
get_optvalue_from_block_data(struct block_cursor *cursor,
    struct option_header *opthdr, char *errbuf)
{
	/* Round the 16-bit length up to the next 4-byte boundary. */
	size_t padded_len = ((size_t)opthdr->option_length + 3) & ~(size_t)3;

	return (get_from_block_data(cursor, padded_len, errbuf));
}
433
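/*
 * Walk the options of an Interface Description Block and extract the
 * time stamp resolution (if_tsresol) and offset (if_tsoffset).
 *
 * *tsresol, *tsoffset and *is_binary are only written when the
 * corresponding option is present, so the caller must preset its
 * defaults.  Returns 0 on success and -1 with a message in errbuf if an
 * option is truncated, has the wrong length, appears twice, or asks for
 * a resolution that does not fit in a u_int.
 *
 * The exponent in if_tsresol is file-controlled (0..127).  It is
 * range-checked before use: shifting by the width of the type or more
 * is undefined behavior, and a power of 10 that wraps around would be
 * accepted as a bogus non-zero resolution.
 */
static int
process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
    uint64_t *tsoffset, int *is_binary, char *errbuf)
{
	struct option_header *opthdr;
	void *optvalue;
	int saw_tsresol, saw_tsoffset;
	int too_high;
	u_char tsresol_opt;
	u_int exponent;
	u_int i;

	saw_tsresol = 0;
	saw_tsoffset = 0;
	while (cursor->data_remaining != 0) {
		/*
		 * Get the option header.
		 */
		opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
		if (opthdr == NULL) {
			/*
			 * Option header is cut short.
			 */
			return (-1);
		}

		/*
		 * Get option value.
		 */
		optvalue = get_optvalue_from_block_data(cursor, opthdr,
		    errbuf);
		if (optvalue == NULL) {
			/*
			 * Option value is cut short.
			 */
			return (-1);
		}

		switch (opthdr->option_code) {

		case OPT_ENDOFOPT:
			if (opthdr->option_length != 0) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has opt_endofopt option with length %u != 0",
				    opthdr->option_length);
				return (-1);
			}
			goto done;

		case IF_TSRESOL:
			if (opthdr->option_length != 1) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has if_tsresol option with length %u != 1",
				    opthdr->option_length);
				return (-1);
			}
			if (saw_tsresol) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has more than one if_tsresol option");
				return (-1);
			}
			saw_tsresol = 1;
			memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
			too_high = 0;
			if (tsresol_opt & 0x80) {
				/*
				 * Resolution is negative power of 2.
				 * Reject exponents the shift cannot
				 * represent instead of relying on the
				 * result of an out-of-range shift.
				 */
				exponent = tsresol_opt & 0x7F;
				*is_binary = 1;
				if (exponent >= sizeof(*tsresol) * 8)
					too_high = 1;
				else
					*tsresol = 1U << exponent;
			} else {
				/*
				 * Resolution is negative power of 10.
				 * Stop before a multiplication that
				 * would wrap around.
				 */
				exponent = tsresol_opt;
				*is_binary = 0;
				*tsresol = 1;
				for (i = 0; i < exponent; i++) {
					if (*tsresol > ((u_int)-1) / 10) {
						too_high = 1;
						break;
					}
					*tsresol *= 10;
				}
			}
			if (too_high) {
				/*
				 * Resolution is too high.
				 */
				if (tsresol_opt & 0x80) {
					pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
					    "Interface Description Block if_tsresol option resolution 2^-%u is too high",
					    exponent);
				} else {
					pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
					    "Interface Description Block if_tsresol option resolution 10^-%u is too high",
					    exponent);
				}
				return (-1);
			}
			break;

		case IF_TSOFFSET:
			if (opthdr->option_length != 8) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has if_tsoffset option with length %u != 8",
				    opthdr->option_length);
				return (-1);
			}
			if (saw_tsoffset) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has more than one if_tsoffset option");
				return (-1);
			}
			saw_tsoffset = 1;
			/* memcpy: the value may not be 8-byte aligned in the buffer */
			memcpy(tsoffset, optvalue, sizeof(*tsoffset));
			if (p->swapped)
				*tsoffset = SWAPLL(*tsoffset);
			break;

		default:
			/* Options we don't interpret are skipped. */
			break;
		}
	}

done:
	return (0);
}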
553
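/*
 * Record a newly seen interface (the IDB the cursor is positioned in)
 * in the per-interface table, growing the table if necessary, and work
 * out how its time stamps must be scaled to the resolution the user
 * requested.
 *
 * Returns 1 on success and 0 on failure, with a message in errbuf.
 *
 * ps->ifcount is advanced only once the new entry has been completely
 * filled in, so a failed call never leaves the count covering a slot
 * that was not allocated or not initialized.
 */
static int
add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct pcap_ng_sf *ps;
	struct pcap_ng_if *iface;
	bpf_u_int32 new_ifcount;
	u_int tsresol;
	uint64_t tsoffset;
	int is_binary;

	ps = p->priv;

	/*
	 * The count this interface will bring us to, if all goes well.
	 */
	new_ifcount = ps->ifcount + 1;

	/*
	 * Grow the array of per-interface information as necessary.
	 */
	if (new_ifcount > ps->ifaces_size) {
		/*
		 * We need to grow the array.
		 */
		bpf_u_int32 new_ifaces_size;
		struct pcap_ng_if *new_ifaces;

		if (ps->ifaces_size == 0) {
			/*
			 * It's currently empty.  Checking the size
			 * rather than the pointer also keeps static
			 * analyzers from complaining about a possible
			 * zero-sized realloc().
			 */
			new_ifaces_size = 1;
			new_ifaces = malloc(sizeof (struct pcap_ng_if));
		} else {
			/*
			 * It's not currently empty; double its size.
			 * (Perhaps overkill once we have a lot of interfaces.)
			 *
			 * Check for overflow if we double it.
			 */
			if (ps->ifaces_size * 2 < ps->ifaces_size) {
				/*
				 * The maximum number of interfaces before
				 * ps->ifaces_size overflows is the largest
				 * possible 32-bit power of 2, as we do
				 * size doubling.
				 */
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "more than %u interfaces in the file",
				    0x80000000U);
				return (0);
			}

			/*
			 * ps->ifaces_size * 2 doesn't overflow, so it's
			 * safe to multiply.
			 */
			new_ifaces_size = ps->ifaces_size * 2;

			/*
			 * Now make sure the byte count passed to
			 * realloc() doesn't overflow size_t.
			 *
			 * Comparing the product with one of its factors
			 * does not detect every wrap-around (the wrapped
			 * product can still be the larger of the two),
			 * so divide instead.  This can only trigger
			 * with a 32-bit size_t.
			 */
			if (new_ifaces_size > ((size_t)-1) / sizeof (struct pcap_ng_if)) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "more than %u interfaces in the file",
				    0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
				return (0);
			}
			new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
		}
		if (new_ifaces == NULL) {
			/*
			 * We ran out of memory.
			 * Give up.
			 */
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "out of memory for per-interface information (%u interfaces)",
			    new_ifcount);
			return (0);
		}
		ps->ifaces_size = new_ifaces_size;
		ps->ifaces = new_ifaces;
	}

	/*
	 * Set the default time stamp resolution and offset.
	 */
	tsresol = 1000000;	/* microsecond resolution */
	is_binary = 0;		/* which is a power of 10 */
	tsoffset = 0;		/* absolute timestamps */

	/*
	 * Now look for various time stamp options, so we know
	 * how to interpret the time stamps for this interface.
	 */
	if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
	    errbuf) == -1)
		return (0);

	iface = &ps->ifaces[new_ifcount - 1];
	iface->tsresol = tsresol;
	iface->tsoffset = tsoffset;

	/*
	 * Determine whether we're scaling up or down or not
	 * at all for this interface.
	 */
	if (tsresol == ps->user_tsresol) {
		/*
		 * The resolution is the resolution the user wants,
		 * so we don't have to do scaling.
		 */
		iface->scale_type = PASS_THROUGH;
	} else if (tsresol > ps->user_tsresol) {
		/*
		 * The resolution is greater than what the user wants,
		 * so we have to scale the timestamps down.
		 */
		if (is_binary)
			iface->scale_type = SCALE_DOWN_BIN;
		else {
			/*
			 * Calculate the scale factor.
			 */
			iface->scale_factor = tsresol/ps->user_tsresol;
			iface->scale_type = SCALE_DOWN_DEC;
		}
	} else {
		/*
		 * The resolution is less than what the user wants,
		 * so we have to scale the timestamps up.
		 */
		if (is_binary)
			iface->scale_type = SCALE_UP_BIN;
		else {
			/*
			 * Calculate the scale factor.
			 */
			iface->scale_factor = ps->user_tsresol/tsresol;
			iface->scale_type = SCALE_UP_DEC;
		}
	}

	/*
	 * The entry is complete; count this interface.
	 */
	ps->ifcount = new_ifcount;
	return (1);
}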
723
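/*
 * Check whether this is a pcap-ng savefile and, if it is, extract the
 * relevant information from the header.
 *
 * magic is the first 4 bytes of the file, already read by the caller;
 * precision is the PCAP_TSTAMP_PRECISION_ value the user asked for.
 *
 * Returns a new pcap_t on success.  Returns NULL with *err == 0 if the
 * file is not a pcap-ng file, and NULL with *err == 1 and a message in
 * errbuf if it is one but cannot be read.
 *
 * The Section Header Block length comes from the file and sizes the
 * initial buffer, so it is bounded from below and from above before
 * anything is allocated.
 */
pcap_t *
pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
    int *err)
{
	size_t amt_read;
	bpf_u_int32 total_length;
	bpf_u_int32 byte_order_magic;
	struct block_header *bhdrp;
	struct section_header_block *shbp;
	pcap_t *p;
	int swapped = 0;
	struct pcap_ng_sf *ps;
	int status;
	struct block_cursor cursor;
	struct interface_description_block *idbp;

	/*
	 * Assume no read errors.
	 */
	*err = 0;

	/*
	 * Check whether the first 4 bytes of the file are the block
	 * type for a pcap-ng savefile.
	 */
	if (magic != BT_SHB) {
		/*
		 * XXX - check whether this looks like what the block
		 * type would be after being munged by mapping between
		 * UN*X and DOS/Windows text file format and, if it
		 * does, look for the byte-order magic number in
		 * the appropriate place and, if we find it, report
		 * this as possibly being a pcap-ng file transferred
		 * between UN*X and Windows in text file format?
		 */
		return (NULL);	/* nope */
	}

	/*
	 * OK, they are.  However, that's just \n\r\r\n, so it could,
	 * conceivably, be an ordinary text file.
	 *
	 * It could not, however, conceivably be any other type of
	 * capture file, so we can read the rest of the putative
	 * Section Header Block; put the block type in the common
	 * header, read the rest of the common header and the
	 * fixed-length portion of the SHB, and look for the byte-order
	 * magic value.
	 */
	amt_read = fread(&total_length, 1, sizeof(total_length), fp);
	if (amt_read < sizeof(total_length)) {
		if (ferror(fp)) {
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "error reading dump file: %s",
			    pcap_strerror(errno));
			*err = 1;
			return (NULL);	/* fail */
		}

		/*
		 * Possibly a weird short text file, so just say
		 * "not pcap-ng".
		 */
		return (NULL);
	}
	amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
	if (amt_read < sizeof(byte_order_magic)) {
		if (ferror(fp)) {
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "error reading dump file: %s",
			    pcap_strerror(errno));
			*err = 1;
			return (NULL);	/* fail */
		}

		/*
		 * Possibly a weird short text file, so just say
		 * "not pcap-ng".
		 */
		return (NULL);
	}
	if (byte_order_magic != BYTE_ORDER_MAGIC) {
		byte_order_magic = SWAPLONG(byte_order_magic);
		if (byte_order_magic != BYTE_ORDER_MAGIC) {
			/*
			 * Not a pcap-ng file.
			 */
			return (NULL);
		}
		swapped = 1;
		total_length = SWAPLONG(total_length);
	}

	/*
	 * Check the sanity of the total length.
	 */
	if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "Section Header Block in pcap-ng dump file has a length of %u < %lu",
		    total_length,
		    (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
		*err = 1;
		return (NULL);
	}

	/*
	 * The length also sizes the buffer allocated below, so don't
	 * let a bogus value from the file request an allocation of up
	 * to 4GB.  Apply the same initial limit that read_block() will
	 * enforce on every later block.
	 */
	if (total_length > MAX_BLOCKSIZE(MAXIMUM_SNAPLEN)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "Section Header Block in pcap-ng dump file has a length of %u > maximum %u",
		    total_length, (u_int)MAX_BLOCKSIZE(MAXIMUM_SNAPLEN));
		*err = 1;
		return (NULL);
	}

	/*
	 * OK, this is a good pcap-ng file.
	 * Allocate a pcap_t for it.
	 */
	p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
	if (p == NULL) {
		/* Allocation failed. */
		*err = 1;
		return (NULL);
	}
	p->swapped = swapped;
	ps = p->priv;

	/*
	 * What precision does the user want?
	 */
	switch (precision) {

	case PCAP_TSTAMP_PRECISION_MICRO:
		ps->user_tsresol = 1000000;
		break;

	case PCAP_TSTAMP_PRECISION_NANO:
		ps->user_tsresol = 1000000000;
		break;

	default:
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "unknown time stamp resolution %u", precision);
		free(p);
		*err = 1;
		return (NULL);
	}

	/*
	 * Save the time stamp resolution the user requested.
	 */
	p->opt.tstamp_precision = precision;

	/*
	 * Allocate a buffer into which to read blocks.  We default to
	 * the maximum of:
	 *
	 *	the total length of the SHB for which we read the header;
	 *
	 *	2K, which should be more than large enough for an Enhanced
	 *	Packet Block containing a full-size Ethernet frame, and
	 *	leaving room for some options.
	 *
	 * If we find a bigger block, we reallocate the buffer, up to
	 * the maximum size.  We start out with a maximum size based
	 * on a maximum snapshot length of MAXIMUM_SNAPLEN; if we see
	 * any link-layer header types with a larger maximum snapshot
	 * length, we boost the maximum.
	 */
	p->bufsize = 2048;
	if (p->bufsize < total_length)
		p->bufsize = total_length;
	p->buffer = malloc(p->bufsize);
	if (p->buffer == NULL) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
		free(p);
		*err = 1;
		return (NULL);
	}
	ps->max_blocksize = MAX_BLOCKSIZE(MAXIMUM_SNAPLEN);

	/*
	 * Copy the stuff we've read to the buffer, and read the rest
	 * of the SHB.  The minimum-length check above guarantees that
	 * the subtraction in the read size cannot wrap.
	 */
	bhdrp = (struct block_header *)p->buffer;
	shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
	bhdrp->block_type = magic;
	bhdrp->total_length = total_length;
	shbp->byte_order_magic = byte_order_magic;
	if (read_bytes(fp,
	    (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
	    total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
	    1, errbuf) == -1)
		goto fail;

	if (p->swapped) {
		/*
		 * Byte-swap the fields we've read.
		 */
		shbp->major_version = SWAPSHORT(shbp->major_version);
		shbp->minor_version = SWAPSHORT(shbp->minor_version);

		/*
		 * XXX - we don't care about the section length.
		 */
	}
	/* currently only SHB version 1.0 is supported */
	if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
	       shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "unsupported pcap-ng savefile version %u.%u",
		    shbp->major_version, shbp->minor_version);
		goto fail;
	}
	p->version_major = shbp->major_version;
	p->version_minor = shbp->minor_version;

	/*
	 * Now start looking for an Interface Description Block.
	 */
	for (;;) {
		/*
		 * Read the next block.
		 */
		status = read_block(fp, p, &cursor, errbuf);
		if (status == 0) {
			/* EOF - no IDB in this file */
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "the capture file has no Interface Description Blocks");
			goto fail;
		}
		if (status == -1)
			goto fail;	/* error */
		switch (cursor.block_type) {

		case BT_IDB:
			/*
			 * Get a pointer to the fixed-length portion of the
			 * IDB.
			 */
			idbp = get_from_block_data(&cursor, sizeof(*idbp),
			    errbuf);
			if (idbp == NULL)
				goto fail;	/* error */

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				idbp->linktype = SWAPSHORT(idbp->linktype);
				idbp->snaplen = SWAPLONG(idbp->snaplen);
			}

			/*
			 * Try to add this interface.
			 */
			if (!add_interface(p, &cursor, errbuf))
				goto fail;

			goto done;

		case BT_EPB:
		case BT_SPB:
		case BT_PB:
			/*
			 * Saw a packet before we saw any IDBs.  That's
			 * not valid, as we don't know what link-layer
			 * encapsulation the packet has.
			 */
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "the capture file has a packet block before any Interface Description Blocks");
			goto fail;

		default:
			/*
			 * Just ignore it.
			 */
			break;
		}
	}

done:
	/*
	 * idbp still points into p->buffer here; nothing between the
	 * BT_IDB case and this point reads another block.
	 */
	p->tzoff = 0;	/* XXX - not used in pcap */
	p->snapshot = idbp->snaplen;
	if (p->snapshot <= 0) {
		/*
		 * Bogus snapshot length; use the maximum for this
		 * link-layer type as a fallback.
		 *
		 * XXX - the only reason why snapshot is signed is
		 * that pcap_snapshot() returns an int, not an
		 * unsigned int.
		 */
		p->snapshot = max_snaplen_for_dlt(idbp->linktype);
	}
	p->linktype = linktype_to_dlt(idbp->linktype);
	p->linktype_ext = 0;

	/*
	 * If the maximum block size for a packet with the maximum
	 * snapshot length for this DLT_ is bigger than the current
	 * maximum block size, increase the maximum.
	 */
	if (MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
		ps->max_blocksize = MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype));

	p->next_packet_op = pcap_ng_next_packet;
	p->cleanup_op = pcap_ng_cleanup;

	return (p);

fail:
	/* Release everything allocated since pcap_open_offline_common(). */
	free(ps->ifaces);
	free(p->buffer);
	free(p);
	*err = 1;
	return (NULL);
}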
1040
/*
 * Cleanup routine installed as p->cleanup_op for pcap-ng savefiles:
 * frees the per-interface table, then hands off to the common savefile
 * cleanup.
 */
static void
pcap_ng_cleanup(pcap_t *p)
{
	struct pcap_ng_sf *priv;

	priv = p->priv;

	/* The interface table is ours; everything else belongs to sf_cleanup(). */
	free(priv->ifaces);
	sf_cleanup(p);
}
1049
1050 /*
1051 * Read and return the next packet from the savefile. Return the header
1052 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1053 * if there were no more packets, and -1 on an error.
1054 */
1055 static int
1056 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1057 {
1058 struct pcap_ng_sf *ps = p->priv;
1059 struct block_cursor cursor;
1060 int status;
1061 struct enhanced_packet_block *epbp;
1062 struct simple_packet_block *spbp;
1063 struct packet_block *pbp;
1064 bpf_u_int32 interface_id = 0xFFFFFFFF;
1065 struct interface_description_block *idbp;
1066 struct section_header_block *shbp;
1067 FILE *fp = p->rfile;
1068 uint64_t t, sec, frac;
1069
1070 /*
1071 * Look for an Enhanced Packet Block, a Simple Packet Block,
1072 * or a Packet Block.
1073 */
1074 for (;;) {
1075 /*
1076 * Read the block type and length; those are common
1077 * to all blocks.
1078 */
1079 status = read_block(fp, p, &cursor, p->errbuf);
1080 if (status == 0)
1081 return (1); /* EOF */
1082 if (status == -1)
1083 return (-1); /* error */
1084 switch (cursor.block_type) {
1085
1086 case BT_EPB:
1087 /*
1088 * Get a pointer to the fixed-length portion of the
1089 * EPB.
1090 */
1091 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1092 p->errbuf);
1093 if (epbp == NULL)
1094 return (-1); /* error */
1095
1096 /*
1097 * Byte-swap it if necessary.
1098 */
1099 if (p->swapped) {
1100 /* these were written in opposite byte order */
1101 interface_id = SWAPLONG(epbp->interface_id);
1102 hdr->caplen = SWAPLONG(epbp->caplen);
1103 hdr->len = SWAPLONG(epbp->len);
1104 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1105 SWAPLONG(epbp->timestamp_low);
1106 } else {
1107 interface_id = epbp->interface_id;
1108 hdr->caplen = epbp->caplen;
1109 hdr->len = epbp->len;
1110 t = ((uint64_t)epbp->timestamp_high) << 32 |
1111 epbp->timestamp_low;
1112 }
1113 goto found;
1114
1115 case BT_SPB:
1116 /*
1117 * Get a pointer to the fixed-length portion of the
1118 * SPB.
1119 */
1120 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1121 p->errbuf);
1122 if (spbp == NULL)
1123 return (-1); /* error */
1124
1125 /*
1126 * SPB packets are assumed to have arrived on
1127 * the first interface.
1128 */
1129 interface_id = 0;
1130
1131 /*
1132 * Byte-swap it if necessary.
1133 */
1134 if (p->swapped) {
1135 /* these were written in opposite byte order */
1136 hdr->len = SWAPLONG(spbp->len);
1137 } else
1138 hdr->len = spbp->len;
1139
1140 /*
1141 * The SPB doesn't give the captured length;
1142 * it's the minimum of the snapshot length
1143 * and the packet length.
1144 */
1145 hdr->caplen = hdr->len;
1146 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1147 hdr->caplen = p->snapshot;
1148 t = 0; /* no time stamps */
1149 goto found;
1150
1151 case BT_PB:
1152 /*
1153 * Get a pointer to the fixed-length portion of the
1154 * PB.
1155 */
1156 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1157 p->errbuf);
1158 if (pbp == NULL)
1159 return (-1); /* error */
1160
1161 /*
1162 * Byte-swap it if necessary.
1163 */
1164 if (p->swapped) {
1165 /* these were written in opposite byte order */
1166 interface_id = SWAPSHORT(pbp->interface_id);
1167 hdr->caplen = SWAPLONG(pbp->caplen);
1168 hdr->len = SWAPLONG(pbp->len);
1169 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1170 SWAPLONG(pbp->timestamp_low);
1171 } else {
1172 interface_id = pbp->interface_id;
1173 hdr->caplen = pbp->caplen;
1174 hdr->len = pbp->len;
1175 t = ((uint64_t)pbp->timestamp_high) << 32 |
1176 pbp->timestamp_low;
1177 }
1178 goto found;
1179
1180 case BT_IDB:
1181 /*
1182 * Interface Description Block. Get a pointer
1183 * to its fixed-length portion.
1184 */
1185 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1186 p->errbuf);
1187 if (idbp == NULL)
1188 return (-1); /* error */
1189
1190 /*
1191 * Byte-swap it if necessary.
1192 */
1193 if (p->swapped) {
1194 idbp->linktype = SWAPSHORT(idbp->linktype);
1195 idbp->snaplen = SWAPLONG(idbp->snaplen);
1196 }
1197
1198 /*
1199 * If the link-layer type or snapshot length
1200 * differ from the ones for the first IDB we
1201 * saw, quit.
1202 *
1203 * XXX - just discard packets from those
1204 * interfaces?
1205 */
1206 if (p->linktype != idbp->linktype) {
1207 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1208 "an interface has a type %u different from the type of the first interface",
1209 idbp->linktype);
1210 return (-1);
1211 }
1212 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1213 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1214 "an interface has a snapshot length %u different from the type of the first interface",
1215 idbp->snaplen);
1216 return (-1);
1217 }
1218
1219 /*
1220 * Try to add this interface.
1221 */
1222 if (!add_interface(p, &cursor, p->errbuf))
1223 return (-1);
1224 break;
1225
1226 case BT_SHB:
1227 /*
1228 * Section Header Block. Get a pointer
1229 * to its fixed-length portion.
1230 */
1231 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1232 p->errbuf);
1233 if (shbp == NULL)
1234 return (-1); /* error */
1235
1236 /*
1237 * Assume the byte order of this section is
1238 * the same as that of the previous section.
1239 * We'll check for that later.
1240 */
1241 if (p->swapped) {
1242 shbp->byte_order_magic =
1243 SWAPLONG(shbp->byte_order_magic);
1244 shbp->major_version =
1245 SWAPSHORT(shbp->major_version);
1246 }
1247
1248 /*
1249 * Make sure the byte order doesn't change;
1250 * pcap_is_swapped() shouldn't change its
1251 * return value in the middle of reading a capture.
1252 */
1253 switch (shbp->byte_order_magic) {
1254
1255 case BYTE_ORDER_MAGIC:
1256 /*
1257 * OK.
1258 */
1259 break;
1260
1261 case SWAPLONG(BYTE_ORDER_MAGIC):
1262 /*
1263 * Byte order changes.
1264 */
1265 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1266 "the file has sections with different byte orders");
1267 return (-1);
1268
1269 default:
1270 /*
1271 * Not a valid SHB.
1272 */
1273 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1274 "the file has a section with a bad byte order magic field");
1275 return (-1);
1276 }
1277
1278 /*
1279 * Make sure the major version is the version
1280 * we handle.
1281 */
1282 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1283 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1284 "unknown pcap-ng savefile major version number %u",
1285 shbp->major_version);
1286 return (-1);
1287 }
1288
1289 /*
1290 * Reset the interface count; this section should
1291 * have its own set of IDBs. If any of them
1292 * don't have the same interface type, snapshot
1293 * length, or resolution as the first interface
1294 * we saw, we'll fail. (And if we don't see
1295 * any IDBs, we'll fail when we see a packet
1296 * block.)
1297 */
1298 ps->ifcount = 0;
1299 break;
1300
1301 default:
1302 /*
1303 * Not a packet block, IDB, or SHB; ignore it.
1304 */
1305 break;
1306 }
1307 }
1308
1309 found:
1310 /*
1311 * Is the interface ID an interface we know?
1312 */
1313 if (interface_id >= ps->ifcount) {
1314 /*
1315 * No. Fail before it is used to index ps->ifaces.
1316 */
1317 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1318 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1319 interface_id);
1320 return (-1);
1321 }
1322
1323 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1324 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1325 "invalid packet capture length %u, bigger than "
1326 "snaplen of %d", hdr->caplen, p->snapshot);
1327 return (-1);
1328 }
1329
1330 /*
1331 * Convert the time stamp to seconds and fractions of a second,
1332 * with the fractions being in units of the file-supplied resolution.
1333 */
1334 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1335 frac = t % ps->ifaces[interface_id].tsresol;
1336
1337 /*
1338 * Convert the fractions from units of the file-supplied resolution
1339 * to units of the user-requested resolution.
1340 */
1341 switch (ps->ifaces[interface_id].scale_type) {
1342
1343 case PASS_THROUGH:
1344 /*
1345 * The interface resolution is what the user wants,
1346 * so we're done.
1347 */
1348 break;
1349
1350 case SCALE_UP_DEC:
1351 /*
1352 * The interface resolution is less than what the user
1353 * wants; scale the fractional part up to the units of
1354 * the resolution the user requested by multiplying by
1355 * the quotient of the user-requested resolution and the
1356 * file-supplied resolution.
1357 *
1358 * Those resolutions are both powers of 10, and the user-
1359 * requested resolution is greater than the file-supplied
1360 * resolution, so the quotient in question is an integer.
1361 * We've calculated that quotient already, so we just
1362 * multiply by it.
1363 */
1364 frac *= ps->ifaces[interface_id].scale_factor;
1365 break;
1366
1367 case SCALE_UP_BIN:
1368 /*
1369 * The interface resolution is less than what the user
1370 * wants; scale the fractional part up to the units of
1371 * the resolution the user requested by multiplying by
1372 * the quotient of the user-requested resolution and the
1373 * file-supplied resolution.
1374 *
1375 * The file-supplied resolution is a power of 2, so the
1376 * quotient is not an integer, so, in order to do this
1377 * entirely with integer arithmetic, we multiply by the
1378 * user-requested resolution and divide by the file-
1379 * supplied resolution.
1380 *
1381 * XXX - Is there something clever we could do here,
1382 * given that we know that the file-supplied resolution
1383 * is a power of 2? Doing a multiplication followed by
1384 * a division runs the risk of overflowing, and involves
1385 * two non-simple arithmetic operations.
1386 */
1387 frac *= ps->user_tsresol;
1388 frac /= ps->ifaces[interface_id].tsresol;
1389 break;
1390
1391 case SCALE_DOWN_DEC:
1392 /*
1393 * The interface resolution is greater than what the user
1394 * wants; scale the fractional part down to the units of
1395 * the resolution the user requested by multiplying by
1396 * the quotient of the user-requested resolution and the
1397 * file-supplied resolution.
1398 *
1399 * Those resolutions are both powers of 10, and the user-
1400 * requested resolution is less than the file-supplied
1401 * resolution, so the quotient in question isn't an
1402 * integer, but its reciprocal is, and we can just divide
1403 * by the reciprocal of the quotient. We've calculated
1404 * the reciprocal of that quotient already, so we must
1405 * divide by it.
1406 */
1407 frac /= ps->ifaces[interface_id].scale_factor;
1408 break;
1409
1410
1411 case SCALE_DOWN_BIN:
1412 /*
1413 * The interface resolution is greater than what the user
1414 * wants; convert the fractional part to units of the
1415 * resolution the user requested by multiplying by the
1416 * quotient of the user-requested resolution and the
1417 * file-supplied resolution. We do that by multiplying
1418 * by the user-requested resolution and dividing by the
1419 * file-supplied resolution, as the quotient might not
1420 * fit in an integer.
1421 *
1422 * The file-supplied resolution is a power of 2, so the
1423 * quotient is not an integer, and neither is its
1424 * reciprocal, so, in order to do this entirely with
1425 * integer arithmetic, we multiply by the user-requested
1426 * resolution and divide by the file-supplied resolution.
1427 *
1428 * XXX - Is there something clever we could do here,
1429 * given that we know that the file-supplied resolution
1430 * is a power of 2? Doing a multiplication followed by
1431 * a division runs the risk of overflowing, and involves
1432 * two non-simple arithmetic operations.
1433 */
1434 frac *= ps->user_tsresol;
1435 frac /= ps->ifaces[interface_id].tsresol;
1436 break;
1437 }
1438 #ifdef _WIN32
1439 /*
1440 * tv_sec and tv_usec in the Windows struct timeval are both
1441 * longs.
1442 */
1443 hdr->ts.tv_sec = (long)sec;
1444 hdr->ts.tv_usec = (long)frac;
1445 #else
1446 /*
1447 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1448 * suseconds_t in UN*Xes that work the way the current Single
1449 * UNIX Standard specifies - but not all older UN*Xes necessarily
1450 * support that type, so just cast to int.
1451 */
1452 hdr->ts.tv_sec = (time_t)sec;
1453 hdr->ts.tv_usec = (int)frac;
1454 #endif
1455
1456 /*
1457 * Get a pointer to the packet data.
1458 */
1459 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1460 if (*data == NULL)
1461 return (-1);
1462
1463 if (p->swapped)
1464 swap_pseudo_headers(p->linktype, hdr, *data);
1465
1466 return (0);
1467 }