]> The Tcpdump Group git mirrors - libpcap/blob - sf-pcap-ng.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Make the buffer member of a pcap_t a void *.
[libpcap] / sf-pcap-ng.c
1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
22 */
23
24 #ifndef lint
25 static const char rcsid[] _U_ =
26 "@(#) $Header$ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #ifdef WIN32
34 #include <pcap-stdinc.h>
35 #else /* WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #endif /* WIN32 */
46
47 #include <errno.h>
48 #include <memory.h>
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52
53 #include "pcap-int.h"
54
55 #include "pcap-common.h"
56
57 #ifdef HAVE_OS_PROTO_H
58 #include "os-proto.h"
59 #endif
60
61 #include "sf-pcap-ng.h"
62
63 /*
64 * Block types.
65 */
66
67 /*
68 * Common part at the beginning of all blocks.
69 */
70 struct block_header {
71 bpf_u_int32 block_type;
72 bpf_u_int32 total_length;
73 };
74
75 /*
76 * Common trailer at the end of all blocks.
77 */
78 struct block_trailer {
79 bpf_u_int32 total_length;
80 };
81
82 /*
83 * Common options.
84 */
85 #define OPT_ENDOFOPT 0 /* end of options */
86 #define OPT_COMMENT 1 /* comment string */
87
88 /*
89 * Option header.
90 */
91 struct option_header {
92 u_short option_code;
93 u_short option_length;
94 };
95
96 /*
97 * Structures for the part of each block type following the common
98 * part.
99 */
100
101 /*
102 * Section Header Block.
103 */
104 #define BT_SHB 0x0A0D0D0A
105
106 struct section_header_block {
107 bpf_u_int32 byte_order_magic;
108 u_short major_version;
109 u_short minor_version;
110 u_int64_t section_length;
111 /* followed by options and trailer */
112 };
113
114 /*
115 * Byte-order magic value.
116 */
117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
118
119 /*
120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
121 * that means that this code can't read the file.
122 */
123 #define PCAP_NG_VERSION_MAJOR 1
124
125 /*
126 * Interface Description Block.
127 */
128 #define BT_IDB 0x00000001
129
130 struct interface_description_block {
131 u_short linktype;
132 u_short reserved;
133 bpf_u_int32 snaplen;
134 /* followed by options and trailer */
135 };
136
137 /*
138 * Options in the IDB.
139 */
140 #define IF_NAME 2 /* interface name string */
141 #define IF_DESCRIPTION 3 /* interface description string */
142 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
143 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
144 #define IF_MACADDR 6 /* interface's MAC address */
145 #define IF_EUIADDR 7 /* interface's EUI address */
146 #define IF_SPEED 8 /* interface's speed, in bits/s */
147 #define IF_TSRESOL 9 /* interface's time stamp resolution */
148 #define IF_TZONE 10 /* interface's time zone */
149 #define IF_FILTER 11 /* filter used when capturing on interface */
150 #define IF_OS 12 /* string OS on which capture on this interface was done */
151 #define IF_FCSLEN 13 /* FCS length for this interface */
152 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
153
154 /*
155 * Enhanced Packet Block.
156 */
157 #define BT_EPB 0x00000006
158
159 struct enhanced_packet_block {
160 bpf_u_int32 interface_id;
161 bpf_u_int32 timestamp_high;
162 bpf_u_int32 timestamp_low;
163 bpf_u_int32 caplen;
164 bpf_u_int32 len;
165 /* followed by packet data, options, and trailer */
166 };
167
168 /*
169 * Simple Packet Block.
170 */
171 #define BT_SPB 0x00000003
172
173 struct simple_packet_block {
174 bpf_u_int32 len;
175 /* followed by packet data and trailer */
176 };
177
178 /*
179 * Packet Block.
180 */
181 #define BT_PB 0x00000002
182
183 struct packet_block {
184 u_short interface_id;
185 u_short drops_count;
186 bpf_u_int32 timestamp_high;
187 bpf_u_int32 timestamp_low;
188 bpf_u_int32 caplen;
189 bpf_u_int32 len;
190 /* followed by packet data, options, and trailer */
191 };
192
193 /*
194 * Block cursor - used when processing the contents of a block.
195 * Contains a pointer into the data being processed and a count
196 * of bytes remaining in the block.
197 */
198 struct block_cursor {
199 u_char *data;
200 size_t data_remaining;
201 bpf_u_int32 block_type;
202 };
203
204 typedef enum {
205 PASS_THROUGH,
206 SCALE_UP_DEC,
207 SCALE_DOWN_DEC,
208 SCALE_UP_BIN,
209 SCALE_DOWN_BIN
210 } tstamp_scale_type_t;
211
212 /*
213 * Per-interface information.
214 */
215 struct pcap_ng_if {
216 u_int tsresol; /* time stamp resolution */
217 tstamp_scale_type_t scale_type; /* how to scale */
218 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */
219 u_int64_t tsoffset; /* time stamp offset */
220 };
221
222 struct pcap_ng_sf {
223 u_int user_tsresol; /* time stamp resolution requested by the user */
224 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
225 bpf_u_int32 ifaces_size; /* size of arrary below */
226 struct pcap_ng_if *ifaces; /* array of interface information */
227 };
228
229 static void pcap_ng_cleanup(pcap_t *p);
230 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
231 u_char **data);
232
233 static int
234 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
235 char *errbuf)
236 {
237 size_t amt_read;
238
239 amt_read = fread(buf, 1, bytes_to_read, fp);
240 if (amt_read != bytes_to_read) {
241 if (ferror(fp)) {
242 snprintf(errbuf, PCAP_ERRBUF_SIZE,
243 "error reading dump file: %s",
244 pcap_strerror(errno));
245 } else {
246 if (amt_read == 0 && !fail_on_eof)
247 return (0); /* EOF */
248 snprintf(errbuf, PCAP_ERRBUF_SIZE,
249 "truncated dump file; tried to read %lu bytes, only got %lu",
250 (unsigned long)bytes_to_read,
251 (unsigned long)amt_read);
252 }
253 return (-1);
254 }
255 return (1);
256 }
257
258 static int
259 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
260 {
261 int status;
262 struct block_header bhdr;
263 u_char *bdata;
264 size_t data_remaining;
265
266 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
267 if (status <= 0)
268 return (status); /* error or EOF */
269
270 if (p->swapped) {
271 bhdr.block_type = SWAPLONG(bhdr.block_type);
272 bhdr.total_length = SWAPLONG(bhdr.total_length);
273 }
274
275 /*
276 * Is this block "too big"?
277 *
278 * We choose 16MB as "too big", for now, so that we handle
279 * "reasonably" large buffers but don't chew up all the
280 * memory if we read a malformed file.
281 */
282 if (bhdr.total_length > 16*1024*1024) {
283 snprintf(errbuf, PCAP_ERRBUF_SIZE,
284 "pcap-ng block size %u > maximum %u",
285 bhdr.total_length, 16*1024*1024);
286 return (-1);
287 }
288
289 /*
290 * Is this block "too small" - i.e., is it shorter than a block
291 * header plus a block trailer?
292 */
293 if (bhdr.total_length < sizeof(struct block_header) +
294 sizeof(struct block_trailer)) {
295 snprintf(errbuf, PCAP_ERRBUF_SIZE,
296 "block in pcap-ng dump file has a length of %u < %lu",
297 bhdr.total_length,
298 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
299 return (-1);
300 }
301
302 /*
303 * Is the buffer big enough?
304 */
305 if (p->bufsize < bhdr.total_length) {
306 /*
307 * No - make it big enough.
308 */
309 p->buffer = realloc(p->buffer, bhdr.total_length);
310 if (p->buffer == NULL) {
311 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
312 return (-1);
313 }
314 }
315
316 /*
317 * Copy the stuff we've read to the buffer, and read the rest
318 * of the block.
319 */
320 memcpy(p->buffer, &bhdr, sizeof(bhdr));
321 bdata = (u_char *)p->buffer + sizeof(bhdr);
322 data_remaining = bhdr.total_length - sizeof(bhdr);
323 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
324 return (-1);
325
326 /*
327 * Initialize the cursor.
328 */
329 cursor->data = bdata;
330 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
331 cursor->block_type = bhdr.block_type;
332 return (1);
333 }
334
335 static void *
336 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
337 char *errbuf)
338 {
339 void *data;
340
341 /*
342 * Make sure we have the specified amount of data remaining in
343 * the block data.
344 */
345 if (cursor->data_remaining < chunk_size) {
346 snprintf(errbuf, PCAP_ERRBUF_SIZE,
347 "block of type %u in pcap-ng dump file is too short",
348 cursor->block_type);
349 return (NULL);
350 }
351
352 /*
353 * Return the current pointer, and skip past the chunk.
354 */
355 data = cursor->data;
356 cursor->data += chunk_size;
357 cursor->data_remaining -= chunk_size;
358 return (data);
359 }
360
361 static struct option_header *
362 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
363 {
364 struct option_header *opthdr;
365
366 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
367 if (opthdr == NULL) {
368 /*
369 * Option header is cut short.
370 */
371 return (NULL);
372 }
373
374 /*
375 * Byte-swap it if necessary.
376 */
377 if (p->swapped) {
378 opthdr->option_code = SWAPSHORT(opthdr->option_code);
379 opthdr->option_length = SWAPSHORT(opthdr->option_length);
380 }
381
382 return (opthdr);
383 }
384
385 static void *
386 get_optvalue_from_block_data(struct block_cursor *cursor,
387 struct option_header *opthdr, char *errbuf)
388 {
389 size_t padded_option_len;
390 void *optvalue;
391
392 /* Pad option length to 4-byte boundary */
393 padded_option_len = opthdr->option_length;
394 padded_option_len = ((padded_option_len + 3)/4)*4;
395
396 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
397 if (optvalue == NULL) {
398 /*
399 * Option value is cut short.
400 */
401 return (NULL);
402 }
403
404 return (optvalue);
405 }
406
407 static int
408 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
409 u_int64_t *tsoffset, int *is_binary, char *errbuf)
410 {
411 struct option_header *opthdr;
412 void *optvalue;
413 int saw_tsresol, saw_tsoffset;
414 u_char tsresol_opt;
415 u_int i;
416
417 saw_tsresol = 0;
418 saw_tsoffset = 0;
419 while (cursor->data_remaining != 0) {
420 /*
421 * Get the option header.
422 */
423 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
424 if (opthdr == NULL) {
425 /*
426 * Option header is cut short.
427 */
428 return (-1);
429 }
430
431 /*
432 * Get option value.
433 */
434 optvalue = get_optvalue_from_block_data(cursor, opthdr,
435 errbuf);
436 if (optvalue == NULL) {
437 /*
438 * Option value is cut short.
439 */
440 return (-1);
441 }
442
443 switch (opthdr->option_code) {
444
445 case OPT_ENDOFOPT:
446 if (opthdr->option_length != 0) {
447 snprintf(errbuf, PCAP_ERRBUF_SIZE,
448 "Interface Description Block has opt_endofopt option with length %u != 0",
449 opthdr->option_length);
450 return (-1);
451 }
452 goto done;
453
454 case IF_TSRESOL:
455 if (opthdr->option_length != 1) {
456 snprintf(errbuf, PCAP_ERRBUF_SIZE,
457 "Interface Description Block has if_tsresol option with length %u != 1",
458 opthdr->option_length);
459 return (-1);
460 }
461 if (saw_tsresol) {
462 snprintf(errbuf, PCAP_ERRBUF_SIZE,
463 "Interface Description Block has more than one if_tsresol option");
464 return (-1);
465 }
466 saw_tsresol = 1;
467 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
468 if (tsresol_opt & 0x80) {
469 /*
470 * Resolution is negative power of 2.
471 */
472 *is_binary = 1;
473 *tsresol = 1 << (tsresol_opt & 0x7F);
474 } else {
475 /*
476 * Resolution is negative power of 10.
477 */
478 *is_binary = 0;
479 *tsresol = 1;
480 for (i = 0; i < tsresol_opt; i++)
481 *tsresol *= 10;
482 }
483 if (*tsresol == 0) {
484 /*
485 * Resolution is too high.
486 */
487 if (tsresol_opt & 0x80) {
488 snprintf(errbuf, PCAP_ERRBUF_SIZE,
489 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
490 tsresol_opt & 0x7F);
491 } else {
492 snprintf(errbuf, PCAP_ERRBUF_SIZE,
493 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
494 tsresol_opt);
495 }
496 return (-1);
497 }
498 break;
499
500 case IF_TSOFFSET:
501 if (opthdr->option_length != 8) {
502 snprintf(errbuf, PCAP_ERRBUF_SIZE,
503 "Interface Description Block has if_tsoffset option with length %u != 8",
504 opthdr->option_length);
505 return (-1);
506 }
507 if (saw_tsoffset) {
508 snprintf(errbuf, PCAP_ERRBUF_SIZE,
509 "Interface Description Block has more than one if_tsoffset option");
510 return (-1);
511 }
512 saw_tsoffset = 1;
513 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
514 if (p->swapped)
515 *tsoffset = SWAPLL(*tsoffset);
516 break;
517
518 default:
519 break;
520 }
521 }
522
523 done:
524 return (0);
525 }
526
527 static int
528 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
529 {
530 struct pcap_ng_sf *ps;
531 u_int tsresol;
532 u_int64_t tsoffset;
533 int is_binary;
534
535 ps = p->priv;
536
537 /*
538 * Count this interface.
539 */
540 ps->ifcount++;
541
542 /*
543 * Grow the array of per-interface information as necessary.
544 */
545 if (ps->ifcount > ps->ifaces_size) {
546 /*
547 * We need to grow the array.
548 */
549 if (ps->ifaces == NULL) {
550 /*
551 * It's currently empty.
552 */
553 ps->ifaces_size = 1;
554 ps->ifaces = malloc(sizeof (struct pcap_ng_if));
555 } else {
556 /*
557 * It's not currently empty; double its size.
558 * (Perhaps overkill once we have a lot of interfaces.)
559 */
560 ps->ifaces_size *= 2;
561 ps->ifaces = realloc(ps->ifaces, ps->ifaces_size * sizeof (struct pcap_ng_if));
562 }
563 if (ps->ifaces == NULL) {
564 /*
565 * We ran out of memory.
566 * Give up.
567 */
568 snprintf(errbuf, PCAP_ERRBUF_SIZE,
569 "out of memory for per-interface information (%u interfaces)",
570 ps->ifcount);
571 return (0);
572 }
573 }
574
575 /*
576 * Set the default time stamp resolution and offset.
577 */
578 tsresol = 1000000; /* microsecond resolution */
579 is_binary = 0; /* which is a power of 10 */
580 tsoffset = 0; /* absolute timestamps */
581
582 /*
583 * Now look for various time stamp options, so we know
584 * how to interpret the time stamps for this interface.
585 */
586 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
587 errbuf) == -1)
588 return (0);
589
590 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
591 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
592
593 /*
594 * Determine whether we're scaling up or down or not
595 * at all for this interface.
596 */
597 if (tsresol == ps->user_tsresol) {
598 /*
599 * The resolution is the resolution the user wants,
600 * so we don't have to do scaling.
601 */
602 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
603 } else if (tsresol > ps->user_tsresol) {
604 /*
605 * The resolution is greater than what the user wants,
606 * so we have to scale the timestamps down.
607 */
608 if (is_binary)
609 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
610 else {
611 /*
612 * Calculate the scale factor.
613 */
614 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
615 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
616 }
617 } else {
618 /*
619 * The resolution is less than what the user wants,
620 * so we have to scale the timestamps up.
621 */
622 if (is_binary)
623 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
624 else {
625 /*
626 * Calculate the scale factor.
627 */
628 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
629 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
630 }
631 }
632 return (1);
633 }
634
635 /*
636 * Check whether this is a pcap-ng savefile and, if it is, extract the
637 * relevant information from the header.
638 */
639 pcap_t *
640 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
641 int *err)
642 {
643 size_t amt_read;
644 bpf_u_int32 total_length;
645 bpf_u_int32 byte_order_magic;
646 struct block_header *bhdrp;
647 struct section_header_block *shbp;
648 pcap_t *p;
649 int swapped = 0;
650 struct pcap_ng_sf *ps;
651 int status;
652 struct block_cursor cursor;
653 struct interface_description_block *idbp;
654
655 /*
656 * Assume no read errors.
657 */
658 *err = 0;
659
660 /*
661 * Check whether the first 4 bytes of the file are the block
662 * type for a pcap-ng savefile.
663 */
664 if (magic != BT_SHB) {
665 /*
666 * XXX - check whether this looks like what the block
667 * type would be after being munged by mapping between
668 * UN*X and DOS/Windows text file format and, if it
669 * does, look for the byte-order magic number in
670 * the appropriate place and, if we find it, report
671 * this as possibly being a pcap-ng file transferred
672 * between UN*X and Windows in text file format?
673 */
674 return (NULL); /* nope */
675 }
676
677 /*
678 * OK, they are. However, that's just \n\r\r\n, so it could,
679 * conceivably, be an ordinary text file.
680 *
681 * It could not, however, conceivably be any other type of
682 * capture file, so we can read the rest of the putative
683 * Section Header Block; put the block type in the common
684 * header, read the rest of the common header and the
685 * fixed-length portion of the SHB, and look for the byte-order
686 * magic value.
687 */
688 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
689 if (amt_read < sizeof(total_length)) {
690 if (ferror(fp)) {
691 snprintf(errbuf, PCAP_ERRBUF_SIZE,
692 "error reading dump file: %s",
693 pcap_strerror(errno));
694 *err = 1;
695 return (NULL); /* fail */
696 }
697
698 /*
699 * Possibly a weird short text file, so just say
700 * "not pcap-ng".
701 */
702 return (NULL);
703 }
704 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
705 if (amt_read < sizeof(byte_order_magic)) {
706 if (ferror(fp)) {
707 snprintf(errbuf, PCAP_ERRBUF_SIZE,
708 "error reading dump file: %s",
709 pcap_strerror(errno));
710 *err = 1;
711 return (NULL); /* fail */
712 }
713
714 /*
715 * Possibly a weird short text file, so just say
716 * "not pcap-ng".
717 */
718 return (NULL);
719 }
720 if (byte_order_magic != BYTE_ORDER_MAGIC) {
721 byte_order_magic = SWAPLONG(byte_order_magic);
722 if (byte_order_magic != BYTE_ORDER_MAGIC) {
723 /*
724 * Not a pcap-ng file.
725 */
726 return (NULL);
727 }
728 swapped = 1;
729 total_length = SWAPLONG(total_length);
730 }
731
732 /*
733 * Check the sanity of the total length.
734 */
735 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
736 snprintf(errbuf, PCAP_ERRBUF_SIZE,
737 "Section Header Block in pcap-ng dump file has a length of %u < %lu",
738 total_length,
739 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
740 *err = 1;
741 return (NULL);
742 }
743
744 /*
745 * OK, this is a good pcap-ng file.
746 * Allocate a pcap_t for it.
747 */
748 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
749 if (p == NULL) {
750 /* Allocation failed. */
751 *err = 1;
752 return (NULL);
753 }
754 p->swapped = swapped;
755 ps = p->priv;
756
757 /*
758 * What precision does the user want?
759 */
760 switch (precision) {
761
762 case PCAP_TSTAMP_PRECISION_MICRO:
763 ps->user_tsresol = 1000000;
764 break;
765
766 case PCAP_TSTAMP_PRECISION_NANO:
767 ps->user_tsresol = 1000000000;
768 break;
769
770 default:
771 snprintf(errbuf, PCAP_ERRBUF_SIZE,
772 "unknown time stamp resolution %u", precision);
773 free(p);
774 *err = 1;
775 return (NULL);
776 }
777
778 p->opt.tstamp_precision = precision;
779
780 /*
781 * Allocate a buffer into which to read blocks. We default to
782 * the maximum of:
783 *
784 * the total length of the SHB for which we read the header;
785 *
786 * 2K, which should be more than large enough for an Enhanced
787 * Packet Block containing a full-size Ethernet frame, and
788 * leaving room for some options.
789 *
790 * If we find a bigger block, we reallocate the buffer.
791 */
792 p->bufsize = 2048;
793 if (p->bufsize < total_length)
794 p->bufsize = total_length;
795 p->buffer = malloc(p->bufsize);
796 if (p->buffer == NULL) {
797 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
798 free(p);
799 *err = 1;
800 return (NULL);
801 }
802
803 /*
804 * Copy the stuff we've read to the buffer, and read the rest
805 * of the SHB.
806 */
807 bhdrp = (struct block_header *)p->buffer;
808 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
809 bhdrp->block_type = magic;
810 bhdrp->total_length = total_length;
811 shbp->byte_order_magic = byte_order_magic;
812 if (read_bytes(fp,
813 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
814 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
815 1, errbuf) == -1)
816 goto fail;
817
818 if (p->swapped) {
819 /*
820 * Byte-swap the fields we've read.
821 */
822 shbp->major_version = SWAPSHORT(shbp->major_version);
823 shbp->minor_version = SWAPSHORT(shbp->minor_version);
824
825 /*
826 * XXX - we don't care about the section length.
827 */
828 }
829 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
830 snprintf(errbuf, PCAP_ERRBUF_SIZE,
831 "unknown pcap-ng savefile major version number %u",
832 shbp->major_version);
833 goto fail;
834 }
835 p->version_major = shbp->major_version;
836 p->version_minor = shbp->minor_version;
837
838 /*
839 * Save the time stamp resolution the user requested.
840 */
841 p->opt.tstamp_precision = precision;
842
843 /*
844 * Now start looking for an Interface Description Block.
845 */
846 for (;;) {
847 /*
848 * Read the next block.
849 */
850 status = read_block(fp, p, &cursor, errbuf);
851 if (status == 0) {
852 /* EOF - no IDB in this file */
853 snprintf(errbuf, PCAP_ERRBUF_SIZE,
854 "the capture file has no Interface Description Blocks");
855 goto fail;
856 }
857 if (status == -1)
858 goto fail; /* error */
859 switch (cursor.block_type) {
860
861 case BT_IDB:
862 /*
863 * Get a pointer to the fixed-length portion of the
864 * IDB.
865 */
866 idbp = get_from_block_data(&cursor, sizeof(*idbp),
867 errbuf);
868 if (idbp == NULL)
869 goto fail; /* error */
870
871 /*
872 * Byte-swap it if necessary.
873 */
874 if (p->swapped) {
875 idbp->linktype = SWAPSHORT(idbp->linktype);
876 idbp->snaplen = SWAPLONG(idbp->snaplen);
877 }
878
879 /*
880 * Try to add this interface.
881 */
882 if (!add_interface(p, &cursor, errbuf))
883 goto fail;
884 goto done;
885
886 case BT_EPB:
887 case BT_SPB:
888 case BT_PB:
889 /*
890 * Saw a packet before we saw any IDBs. That's
891 * not valid, as we don't know what link-layer
892 * encapsulation the packet has.
893 */
894 snprintf(errbuf, PCAP_ERRBUF_SIZE,
895 "the capture file has a packet block before any Interface Description Blocks");
896 goto fail;
897
898 default:
899 /*
900 * Just ignore it.
901 */
902 break;
903 }
904 }
905
906 done:
907 p->tzoff = 0; /* XXX - not used in pcap */
908 p->snapshot = idbp->snaplen;
909 p->linktype = linktype_to_dlt(idbp->linktype);
910 p->linktype_ext = 0;
911
912 p->next_packet_op = pcap_ng_next_packet;
913 p->cleanup_op = pcap_ng_cleanup;
914
915 return (p);
916
917 fail:
918 free(ps->ifaces);
919 free(p->buffer);
920 free(p);
921 *err = 1;
922 return (NULL);
923 }
924
925 static void
926 pcap_ng_cleanup(pcap_t *p)
927 {
928 struct pcap_ng_sf *ps = p->priv;
929
930 free(ps->ifaces);
931 sf_cleanup(p);
932 }
933
934 /*
935 * Read and return the next packet from the savefile. Return the header
936 * in hdr and a pointer to the contents in data. Return 0 on success, 1
937 * if there were no more packets, and -1 on an error.
938 */
939 static int
940 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
941 {
942 struct pcap_ng_sf *ps = p->priv;
943 struct block_cursor cursor;
944 int status;
945 struct enhanced_packet_block *epbp;
946 struct simple_packet_block *spbp;
947 struct packet_block *pbp;
948 bpf_u_int32 interface_id = 0xFFFFFFFF;
949 struct interface_description_block *idbp;
950 struct section_header_block *shbp;
951 FILE *fp = p->rfile;
952 u_int64_t t, sec, frac;
953
954 /*
955 * Look for an Enhanced Packet Block, a Simple Packet Block,
956 * or a Packet Block.
957 */
958 for (;;) {
959 /*
960 * Read the block type and length; those are common
961 * to all blocks.
962 */
963 status = read_block(fp, p, &cursor, p->errbuf);
964 if (status == 0)
965 return (1); /* EOF */
966 if (status == -1)
967 return (-1); /* error */
968 switch (cursor.block_type) {
969
970 case BT_EPB:
971 /*
972 * Get a pointer to the fixed-length portion of the
973 * EPB.
974 */
975 epbp = get_from_block_data(&cursor, sizeof(*epbp),
976 p->errbuf);
977 if (epbp == NULL)
978 return (-1); /* error */
979
980 /*
981 * Byte-swap it if necessary.
982 */
983 if (p->swapped) {
984 /* these were written in opposite byte order */
985 interface_id = SWAPLONG(epbp->interface_id);
986 hdr->caplen = SWAPLONG(epbp->caplen);
987 hdr->len = SWAPLONG(epbp->len);
988 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
989 SWAPLONG(epbp->timestamp_low);
990 } else {
991 interface_id = epbp->interface_id;
992 hdr->caplen = epbp->caplen;
993 hdr->len = epbp->len;
994 t = ((u_int64_t)epbp->timestamp_high) << 32 |
995 epbp->timestamp_low;
996 }
997 goto found;
998
999 case BT_SPB:
1000 /*
1001 * Get a pointer to the fixed-length portion of the
1002 * SPB.
1003 */
1004 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1005 p->errbuf);
1006 if (spbp == NULL)
1007 return (-1); /* error */
1008
1009 /*
1010 * SPB packets are assumed to have arrived on
1011 * the first interface.
1012 */
1013 interface_id = 0;
1014
1015 /*
1016 * Byte-swap it if necessary.
1017 */
1018 if (p->swapped) {
1019 /* these were written in opposite byte order */
1020 hdr->len = SWAPLONG(spbp->len);
1021 } else
1022 hdr->len = spbp->len;
1023
1024 /*
1025 * The SPB doesn't give the captured length;
1026 * it's the minimum of the snapshot length
1027 * and the packet length.
1028 */
1029 hdr->caplen = hdr->len;
1030 if (hdr->caplen > p->snapshot)
1031 hdr->caplen = p->snapshot;
1032 t = 0; /* no time stamps */
1033 goto found;
1034
1035 case BT_PB:
1036 /*
1037 * Get a pointer to the fixed-length portion of the
1038 * PB.
1039 */
1040 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1041 p->errbuf);
1042 if (pbp == NULL)
1043 return (-1); /* error */
1044
1045 /*
1046 * Byte-swap it if necessary.
1047 */
1048 if (p->swapped) {
1049 /* these were written in opposite byte order */
1050 interface_id = SWAPSHORT(pbp->interface_id);
1051 hdr->caplen = SWAPLONG(pbp->caplen);
1052 hdr->len = SWAPLONG(pbp->len);
1053 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1054 SWAPLONG(pbp->timestamp_low);
1055 } else {
1056 interface_id = pbp->interface_id;
1057 hdr->caplen = pbp->caplen;
1058 hdr->len = pbp->len;
1059 t = ((u_int64_t)pbp->timestamp_high) << 32 |
1060 pbp->timestamp_low;
1061 }
1062 goto found;
1063
1064 case BT_IDB:
1065 /*
1066 * Interface Description Block. Get a pointer
1067 * to its fixed-length portion.
1068 */
1069 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1070 p->errbuf);
1071 if (idbp == NULL)
1072 return (-1); /* error */
1073
1074 /*
1075 * Byte-swap it if necessary.
1076 */
1077 if (p->swapped) {
1078 idbp->linktype = SWAPSHORT(idbp->linktype);
1079 idbp->snaplen = SWAPLONG(idbp->snaplen);
1080 }
1081
1082 /*
1083 * If the link-layer type or snapshot length
1084 * differ from the ones for the first IDB we
1085 * saw, quit.
1086 *
1087 * XXX - just discard packets from those
1088 * interfaces?
1089 */
1090 if (p->linktype != idbp->linktype) {
1091 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1092 "an interface has a type %u different from the type of the first interface",
1093 idbp->linktype);
1094 return (-1);
1095 }
1096 if (p->snapshot != idbp->snaplen) {
1097 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1098 "an interface has a snapshot length %u different from the type of the first interface",
1099 idbp->snaplen);
1100 return (-1);
1101 }
1102
1103 /*
1104 * Try to add this interface.
1105 */
1106 if (!add_interface(p, &cursor, p->errbuf))
1107 return (-1);
1108 break;
1109
1110 case BT_SHB:
1111 /*
1112 * Section Header Block. Get a pointer
1113 * to its fixed-length portion.
1114 */
1115 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1116 p->errbuf);
1117 if (shbp == NULL)
1118 return (-1); /* error */
1119
1120 /*
1121 * Assume the byte order of this section is
1122 * the same as that of the previous section.
1123 * We'll check for that later.
1124 */
1125 if (p->swapped) {
1126 shbp->byte_order_magic =
1127 SWAPLONG(shbp->byte_order_magic);
1128 shbp->major_version =
1129 SWAPSHORT(shbp->major_version);
1130 }
1131
1132 /*
1133 * Make sure the byte order doesn't change;
1134 * pcap_is_swapped() shouldn't change its
1135 * return value in the middle of reading a capture.
1136 */
1137 switch (shbp->byte_order_magic) {
1138
1139 case BYTE_ORDER_MAGIC:
1140 /*
1141 * OK.
1142 */
1143 break;
1144
1145 case SWAPLONG(BYTE_ORDER_MAGIC):
1146 /*
1147 * Byte order changes.
1148 */
1149 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1150 "the file has sections with different byte orders");
1151 return (-1);
1152
1153 default:
1154 /*
1155 * Not a valid SHB.
1156 */
1157 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1158 "the file has a section with a bad byte order magic field");
1159 return (-1);
1160 }
1161
1162 /*
1163 * Make sure the major version is the version
1164 * we handle.
1165 */
1166 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1167 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1168 "unknown pcap-ng savefile major version number %u",
1169 shbp->major_version);
1170 return (-1);
1171 }
1172
1173 /*
1174 * Reset the interface count; this section should
1175 * have its own set of IDBs. If any of them
1176 * don't have the same interface type, snapshot
1177 * length, or resolution as the first interface
1178 * we saw, we'll fail. (And if we don't see
1179 * any IDBs, we'll fail when we see a packet
1180 * block.)
1181 */
1182 ps->ifcount = 0;
1183 break;
1184
1185 default:
1186 /*
1187 * Not a packet block, IDB, or SHB; ignore it.
1188 */
1189 break;
1190 }
1191 }
1192
1193 found:
1194 /*
1195 * Is the interface ID an interface we know?
1196 */
1197 if (interface_id >= ps->ifcount) {
1198 /*
1199 * Yes. Fail.
1200 */
1201 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1202 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1203 interface_id);
1204 return (-1);
1205 }
1206
1207 /*
1208 * Convert the time stamp to seconds and fractions of a second,
1209 * with the fractions being in units of the file-supplied resolution.
1210 */
1211 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1212 frac = t % ps->ifaces[interface_id].tsresol;
1213
1214 /*
1215 * Convert the fractions from units of the file-supplied resolution
1216 * to units of the user-requested resolution.
1217 */
1218 switch (ps->ifaces[interface_id].scale_type) {
1219
1220 case PASS_THROUGH:
1221 /*
1222 * The interface resolution is what the user wants,
1223 * so we're done.
1224 */
1225 break;
1226
1227 case SCALE_UP_DEC:
1228 /*
1229 * The interface resolution is less than what the user
1230 * wants; scale the fractional part up to the units of
1231 * the resolution the user requested by multiplying by
1232 * the quotient of the user-requested resolution and the
1233 * file-supplied resolution.
1234 *
1235 * Those resolutions are both powers of 10, and the user-
1236 * requested resolution is greater than the file-supplied
1237 * resolution, so the quotient in question is an integer.
1238 * We've calculated that quotient already, so we just
1239 * multiply by it.
1240 */
1241 frac *= ps->ifaces[interface_id].scale_factor;
1242 break;
1243
1244 case SCALE_UP_BIN:
1245 /*
1246 * The interface resolution is less than what the user
1247 * wants; scale the fractional part up to the units of
1248 * the resolution the user requested by multiplying by
1249 * the quotient of the user-requested resolution and the
1250 * file-supplied resolution.
1251 *
1252 * The file-supplied resolution is a power of 2, so the
1253 * quotient is not an integer, so, in order to do this
1254 * entirely with integer arithmetic, we multiply by the
1255 * user-requested resolution and divide by the file-
1256 * supplied resolution.
1257 *
1258 * XXX - Is there something clever we could do here,
1259 * given that we know that the file-supplied resolution
1260 * is a power of 2? Doing a multiplication followed by
1261 * a division runs the risk of overflowing, and involves
1262 * two non-simple arithmetic operations.
1263 */
1264 frac *= ps->user_tsresol;
1265 frac /= ps->ifaces[interface_id].tsresol;
1266 break;
1267
1268 case SCALE_DOWN_DEC:
1269 /*
1270 * The interface resolution is greater than what the user
1271 * wants; scale the fractional part up to the units of
1272 * the resolution the user requested by multiplying by
1273 * the quotient of the user-requested resolution and the
1274 * file-supplied resolution.
1275 *
1276 * Those resolutions are both powers of 10, and the user-
1277 * requested resolution is less than the file-supplied
1278 * resolution, so the quotient in question isn't an
1279 * integer, but its reciprocal is, and we can just divide
1280 * by the reciprocal of the quotient. We've calculated
1281 * the reciprocal of that quotient already, so we must
1282 * divide by it.
1283 */
1284 frac /= ps->ifaces[interface_id].scale_factor;
1285 break;
1286
1287
1288 case SCALE_DOWN_BIN:
1289 /*
1290 * The interface resolution is greater than what the user
1291 * wants; convert the fractional part to units of the
1292 * resolution the user requested by multiplying by the
1293 * quotient of the user-requested resolution and the
1294 * file-supplied resolution. We do that by multiplying
1295 * by the user-requested resolution and dividing by the
1296 * file-supplied resolution, as the quotient might not
1297 * fit in an integer.
1298 *
1299 * The file-supplied resolution is a power of 2, so the
1300 * quotient is not an integer, and neither is its
1301 * reciprocal, so, in order to do this entirely with
1302 * integer arithmetic, we multiply by the user-requested
1303 * resolution and divide by the file-supplied resolution.
1304 *
1305 * XXX - Is there something clever we could do here,
1306 * given that we know that the file-supplied resolution
1307 * is a power of 2? Doing a multiplication followed by
1308 * a division runs the risk of overflowing, and involves
1309 * two non-simple arithmetic operations.
1310 */
1311 frac *= ps->user_tsresol;
1312 frac /= ps->ifaces[interface_id].tsresol;
1313 break;
1314 }
1315 hdr->ts.tv_sec = sec;
1316 hdr->ts.tv_usec = frac;
1317
1318 /*
1319 * Get a pointer to the packet data.
1320 */
1321 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1322 if (*data == NULL)
1323 return (-1);
1324
1325 if (p->swapped)
1326 swap_pseudo_headers(p->linktype, hdr, *data);
1327
1328 return (0);
1329 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism