]> The Tcpdump Group git mirrors - libpcap/blob - sf-pcapng.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix a couple of issues.
[libpcap] / sf-pcapng.c
1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include <pcap/pcap-inttypes.h>
29
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35
36 #include "pcap-int.h"
37
38 #include "pcap-common.h"
39
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43
44 #include "sf-pcapng.h"
45
46 /*
47 * Block types.
48 */
49
50 /*
51 * Common part at the beginning of all blocks.
52 */
53 struct block_header {
54 bpf_u_int32 block_type;
55 bpf_u_int32 total_length;
56 };
57
58 /*
59 * Common trailer at the end of all blocks.
60 */
61 struct block_trailer {
62 bpf_u_int32 total_length;
63 };
64
65 /*
66 * Common options.
67 */
68 #define OPT_ENDOFOPT 0 /* end of options */
69 #define OPT_COMMENT 1 /* comment string */
70
71 /*
72 * Option header.
73 */
74 struct option_header {
75 u_short option_code;
76 u_short option_length;
77 };
78
79 /*
80 * Structures for the part of each block type following the common
81 * part.
82 */
83
84 /*
85 * Section Header Block.
86 */
87 #define BT_SHB 0x0A0D0D0A
88
89 struct section_header_block {
90 bpf_u_int32 byte_order_magic;
91 u_short major_version;
92 u_short minor_version;
93 uint64_t section_length;
94 /* followed by options and trailer */
95 };
96
97 /*
98 * Byte-order magic value.
99 */
100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
101
102 /*
103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
104 * that means that this code can't read the file.
105 */
106 #define PCAP_NG_VERSION_MAJOR 1
107 #define PCAP_NG_VERSION_MINOR 0
108
109 /*
110 * Interface Description Block.
111 */
112 #define BT_IDB 0x00000001
113
114 struct interface_description_block {
115 u_short linktype;
116 u_short reserved;
117 bpf_u_int32 snaplen;
118 /* followed by options and trailer */
119 };
120
121 /*
122 * Options in the IDB.
123 */
124 #define IF_NAME 2 /* interface name string */
125 #define IF_DESCRIPTION 3 /* interface description string */
126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
128 #define IF_MACADDR 6 /* interface's MAC address */
129 #define IF_EUIADDR 7 /* interface's EUI address */
130 #define IF_SPEED 8 /* interface's speed, in bits/s */
131 #define IF_TSRESOL 9 /* interface's time stamp resolution */
132 #define IF_TZONE 10 /* interface's time zone */
133 #define IF_FILTER 11 /* filter used when capturing on interface */
134 #define IF_OS 12 /* string OS on which capture on this interface was done */
135 #define IF_FCSLEN 13 /* FCS length for this interface */
136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
137
138 /*
139 * Enhanced Packet Block.
140 */
141 #define BT_EPB 0x00000006
142
143 struct enhanced_packet_block {
144 bpf_u_int32 interface_id;
145 bpf_u_int32 timestamp_high;
146 bpf_u_int32 timestamp_low;
147 bpf_u_int32 caplen;
148 bpf_u_int32 len;
149 /* followed by packet data, options, and trailer */
150 };
151
152 /*
153 * Simple Packet Block.
154 */
155 #define BT_SPB 0x00000003
156
157 struct simple_packet_block {
158 bpf_u_int32 len;
159 /* followed by packet data and trailer */
160 };
161
162 /*
163 * Packet Block.
164 */
165 #define BT_PB 0x00000002
166
167 struct packet_block {
168 u_short interface_id;
169 u_short drops_count;
170 bpf_u_int32 timestamp_high;
171 bpf_u_int32 timestamp_low;
172 bpf_u_int32 caplen;
173 bpf_u_int32 len;
174 /* followed by packet data, options, and trailer */
175 };
176
177 /*
178 * Block cursor - used when processing the contents of a block.
179 * Contains a pointer into the data being processed and a count
180 * of bytes remaining in the block.
181 */
182 struct block_cursor {
183 u_char *data;
184 size_t data_remaining;
185 bpf_u_int32 block_type;
186 };
187
188 typedef enum {
189 PASS_THROUGH,
190 SCALE_UP_DEC,
191 SCALE_DOWN_DEC,
192 SCALE_UP_BIN,
193 SCALE_DOWN_BIN
194 } tstamp_scale_type_t;
195
196 /*
197 * Per-interface information.
198 */
199 struct pcap_ng_if {
200 uint64_t tsresol; /* time stamp resolution */
201 tstamp_scale_type_t scale_type; /* how to scale */
202 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
203 uint64_t tsoffset; /* time stamp offset */
204 };
205
206 /*
207 * Per-pcap_t private data.
208 *
209 * max_blocksize is the maximum size of a block that we'll accept. We
210 * reject blocks bigger than this, so we don't consume too much memory
211 * with a truly huge block. It can change as we see IDBs with different
212 * link-layer header types. (Currently, we don't support IDBs with
213 * different link-layer header types, but we will support it in the
214 * future, when we offer file-reading APIs that support it.)
215 *
216 * XXX - that's an issue on ILP32 platforms, where the maximum block
217 * size of 2^31-1 would eat all but one byte of the entire address space.
218 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
219 * of the address space may be limited by 1) the number of *significant*
220 * address bits (currently, x86-64 only supports 48 bits of address), 2)
221 * any limitations imposed by the operating system; 3) any limitations
222 * imposed by the amount of available backing store for anonymous pages,
223 * so we impose a limit regardless of the size of a pointer.
224 */
225 struct pcap_ng_sf {
226 uint64_t user_tsresol; /* time stamp resolution requested by the user */
227 u_int max_blocksize; /* don't grow buffer size past this */
228 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
229 bpf_u_int32 ifaces_size; /* size of array below */
230 struct pcap_ng_if *ifaces; /* array of interface information */
231 };
232
233 /*
234 * The maximum block size we start with; we use an arbitrary value of
235 * 16 MiB.
236 */
237 #define INITIAL_MAX_BLOCKSIZE (16*1024*1024)
238
239 /*
240 * Maximum block size for a given maximum snapshot length; we define it
241 * as the size of an EPB with a max_snaplen-sized packet and 128KB of
242 * options.
243 */
244 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
245 (sizeof (struct block_header) + \
246 sizeof (struct enhanced_packet_block) + \
247 (max_snaplen) + 131072 + \
248 sizeof (struct block_trailer))
249
250 static void pcap_ng_cleanup(pcap_t *p);
251 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
252 u_char **data);
253
254 static int
255 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
256 char *errbuf)
257 {
258 size_t amt_read;
259
260 amt_read = fread(buf, 1, bytes_to_read, fp);
261 if (amt_read != bytes_to_read) {
262 if (ferror(fp)) {
263 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
264 errno, "error reading dump file");
265 } else {
266 if (amt_read == 0 && !fail_on_eof)
267 return (0); /* EOF */
268 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
269 "truncated dump file; tried to read %" PRIsize " bytes, only got %" PRIsize,
270 bytes_to_read, amt_read);
271 }
272 return (-1);
273 }
274 return (1);
275 }
276
277 static int
278 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
279 {
280 struct pcap_ng_sf *ps;
281 int status;
282 struct block_header bhdr;
283 struct block_trailer *btrlr;
284 u_char *bdata;
285 size_t data_remaining;
286
287 ps = p->priv;
288
289 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
290 if (status <= 0)
291 return (status); /* error or EOF */
292
293 if (p->swapped) {
294 bhdr.block_type = SWAPLONG(bhdr.block_type);
295 bhdr.total_length = SWAPLONG(bhdr.total_length);
296 }
297
298 /*
299 * Is this block "too small" - i.e., is it shorter than a block
300 * header plus a block trailer?
301 */
302 if (bhdr.total_length < sizeof(struct block_header) +
303 sizeof(struct block_trailer)) {
304 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
305 "block in pcapng dump file has a length of %u < %" PRIsize,
306 bhdr.total_length,
307 sizeof(struct block_header) + sizeof(struct block_trailer));
308 return (-1);
309 }
310
311 /*
312 * Is the block total length a multiple of 4?
313 */
314 if ((bhdr.total_length % 4) != 0) {
315 /*
316 * No.
317 *
318 * According to Wireshark's code to read pcapng files,
319 * "the "block total length" of some example files
320 * don't contain the packet data padding bytes!",
321 * so we just round up rather than treating this as an
322 * error.
323 */
324 if (bhdr.total_length > 0xFFFFFFFCU) {
325 /*
326 * Not a multiple of 4, *and* can't be rounded
327 * up to a multiple of 4 and still fit in 32 bits.
328 */
329 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
330 "block in pcapng dump file has a length of %u that is not a multiple of 4 and can't be rounded up to a multiple of 4" PRIsize,
331 bhdr.total_length);
332 return (-1);
333 }
334
335 /*
336 * OK, round it up.
337 */
338 bhdr.total_length = bhdr.total_length + 4 - (bhdr.total_length % 4);
339 }
340
341 /*
342 * Is the buffer big enough?
343 */
344 if (p->bufsize < bhdr.total_length) {
345 /*
346 * No - make it big enough, unless it's too big, in
347 * which case we fail.
348 */
349 void *bigger_buffer;
350
351 if (bhdr.total_length > ps->max_blocksize) {
352 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
353 ps->max_blocksize);
354 return (-1);
355 }
356 bigger_buffer = realloc(p->buffer, bhdr.total_length);
357 if (bigger_buffer == NULL) {
358 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
359 return (-1);
360 }
361 p->buffer = bigger_buffer;
362 }
363
364 /*
365 * Copy the stuff we've read to the buffer, and read the rest
366 * of the block.
367 */
368 memcpy(p->buffer, &bhdr, sizeof(bhdr));
369 bdata = (u_char *)p->buffer + sizeof(bhdr);
370 data_remaining = bhdr.total_length - sizeof(bhdr);
371 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
372 return (-1);
373
374 /*
375 * Get the block size from the trailer.
376 */
377 btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
378 if (p->swapped)
379 btrlr->total_length = SWAPLONG(btrlr->total_length);
380
381 /*
382 * Is the total length from the trailer a multiple of 4?
383 */
384 if ((btrlr->total_length % 4) != 0) {
385 /*
386 * No.
387 *
388 * According to Wireshark's code to read pcapng files,
389 * "the "block total length" of some example files
390 * don't contain the packet data padding bytes!",
391 * so we just round up rather than treating this as an
392 * error.
393 */
394 if (btrlr->total_length > 0xFFFFFFFCU) {
395 /*
396 * Not a multiple of 4, *and* can't be rounded
397 * up to a multiple of 4 and still fit in 32 bits.
398 */
399 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
400 "trailer of block in pcapng dump file has a block total length of %u that is not a multiple of 4 and can't be rounded up to a multiple of 4" PRIsize,
401 btrlr->total_length);
402 return (-1);
403 }
404
405 /*
406 * OK, round it up.
407 */
408 btrlr->total_length = btrlr->total_length + 4 - (btrlr->total_length % 4);
409 }
410
411 /*
412 * Is it the same as the total length from the header?
413 */
414 if (bhdr.total_length != btrlr->total_length) {
415 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
416 "block total length in header and trailer don't match");
417 return (-1);
418 }
419
420 /*
421 * Initialize the cursor.
422 */
423 cursor->data = bdata;
424 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
425 cursor->block_type = bhdr.block_type;
426 return (1);
427 }
428
429 static void *
430 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
431 char *errbuf)
432 {
433 void *data;
434
435 /*
436 * Make sure we have the specified amount of data remaining in
437 * the block data.
438 */
439 if (cursor->data_remaining < chunk_size) {
440 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
441 "block of type %u in pcapng dump file is too short",
442 cursor->block_type);
443 return (NULL);
444 }
445
446 /*
447 * Return the current pointer, and skip past the chunk.
448 */
449 data = cursor->data;
450 cursor->data += chunk_size;
451 cursor->data_remaining -= chunk_size;
452 return (data);
453 }
454
455 static struct option_header *
456 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
457 {
458 struct option_header *opthdr;
459
460 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
461 if (opthdr == NULL) {
462 /*
463 * Option header is cut short.
464 */
465 return (NULL);
466 }
467
468 /*
469 * Byte-swap it if necessary.
470 */
471 if (p->swapped) {
472 opthdr->option_code = SWAPSHORT(opthdr->option_code);
473 opthdr->option_length = SWAPSHORT(opthdr->option_length);
474 }
475
476 return (opthdr);
477 }
478
479 static void *
480 get_optvalue_from_block_data(struct block_cursor *cursor,
481 struct option_header *opthdr, char *errbuf)
482 {
483 size_t padded_option_len;
484 void *optvalue;
485
486 /* Pad option length to 4-byte boundary */
487 padded_option_len = opthdr->option_length;
488 padded_option_len = ((padded_option_len + 3)/4)*4;
489
490 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
491 if (optvalue == NULL) {
492 /*
493 * Option value is cut short.
494 */
495 return (NULL);
496 }
497
498 return (optvalue);
499 }
500
501 static int
502 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
503 uint64_t *tsoffset, int *is_binary, char *errbuf)
504 {
505 struct option_header *opthdr;
506 void *optvalue;
507 int saw_tsresol, saw_tsoffset;
508 uint8_t tsresol_opt;
509 u_int i;
510
511 saw_tsresol = 0;
512 saw_tsoffset = 0;
513 while (cursor->data_remaining != 0) {
514 /*
515 * Get the option header.
516 */
517 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
518 if (opthdr == NULL) {
519 /*
520 * Option header is cut short.
521 */
522 return (-1);
523 }
524
525 /*
526 * Get option value.
527 */
528 optvalue = get_optvalue_from_block_data(cursor, opthdr,
529 errbuf);
530 if (optvalue == NULL) {
531 /*
532 * Option value is cut short.
533 */
534 return (-1);
535 }
536
537 switch (opthdr->option_code) {
538
539 case OPT_ENDOFOPT:
540 if (opthdr->option_length != 0) {
541 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
542 "Interface Description Block has opt_endofopt option with length %u != 0",
543 opthdr->option_length);
544 return (-1);
545 }
546 goto done;
547
548 case IF_TSRESOL:
549 if (opthdr->option_length != 1) {
550 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
551 "Interface Description Block has if_tsresol option with length %u != 1",
552 opthdr->option_length);
553 return (-1);
554 }
555 if (saw_tsresol) {
556 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
557 "Interface Description Block has more than one if_tsresol option");
558 return (-1);
559 }
560 saw_tsresol = 1;
561 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
562 if (tsresol_opt & 0x80) {
563 /*
564 * Resolution is negative power of 2.
565 */
566 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
567
568 if (tsresol_shift > 63) {
569 /*
570 * Resolution is too high; 2^-{res}
571 * won't fit in a 64-bit value.
572 */
573 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
574 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
575 tsresol_shift);
576 return (-1);
577 }
578 *is_binary = 1;
579 *tsresol = ((uint64_t)1) << tsresol_shift;
580 } else {
581 /*
582 * Resolution is negative power of 10.
583 */
584 if (tsresol_opt > 19) {
585 /*
586 * Resolution is too high; 2^-{res}
587 * won't fit in a 64-bit value (the
588 * largest power of 10 that fits
589 * in a 64-bit value is 10^19, as
590 * the largest 64-bit unsigned
591 * value is ~1.8*10^19).
592 */
593 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
594 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
595 tsresol_opt);
596 return (-1);
597 }
598 *is_binary = 0;
599 *tsresol = 1;
600 for (i = 0; i < tsresol_opt; i++)
601 *tsresol *= 10;
602 }
603 break;
604
605 case IF_TSOFFSET:
606 if (opthdr->option_length != 8) {
607 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
608 "Interface Description Block has if_tsoffset option with length %u != 8",
609 opthdr->option_length);
610 return (-1);
611 }
612 if (saw_tsoffset) {
613 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
614 "Interface Description Block has more than one if_tsoffset option");
615 return (-1);
616 }
617 saw_tsoffset = 1;
618 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
619 if (p->swapped)
620 *tsoffset = SWAPLL(*tsoffset);
621 break;
622
623 default:
624 break;
625 }
626 }
627
628 done:
629 return (0);
630 }
631
632 static int
633 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
634 {
635 struct pcap_ng_sf *ps;
636 uint64_t tsresol;
637 uint64_t tsoffset;
638 int is_binary;
639
640 ps = p->priv;
641
642 /*
643 * Count this interface.
644 */
645 ps->ifcount++;
646
647 /*
648 * Grow the array of per-interface information as necessary.
649 */
650 if (ps->ifcount > ps->ifaces_size) {
651 /*
652 * We need to grow the array.
653 */
654 bpf_u_int32 new_ifaces_size;
655 struct pcap_ng_if *new_ifaces;
656
657 if (ps->ifaces_size == 0) {
658 /*
659 * It's currently empty.
660 *
661 * (The Clang static analyzer doesn't do enough,
662 * err, umm, dataflow *analysis* to realize that
663 * ps->ifaces_size == 0 if ps->ifaces == NULL,
664 * and so complains about a possible zero argument
665 * to realloc(), so we check for the former
666 * condition to shut it up.
667 *
668 * However, it doesn't complain that one of the
669 * multiplications below could overflow, which is
670 * a real, albeit extremely unlikely, problem (you'd
671 * need a pcapng file with tens of millions of
672 * interfaces).)
673 */
674 new_ifaces_size = 1;
675 new_ifaces = malloc(sizeof (struct pcap_ng_if));
676 } else {
677 /*
678 * It's not currently empty; double its size.
679 * (Perhaps overkill once we have a lot of interfaces.)
680 *
681 * Check for overflow if we double it.
682 */
683 if (ps->ifaces_size * 2 < ps->ifaces_size) {
684 /*
685 * The maximum number of interfaces before
686 * ps->ifaces_size overflows is the largest
687 * possible 32-bit power of 2, as we do
688 * size doubling.
689 */
690 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
691 "more than %u interfaces in the file",
692 0x80000000U);
693 return (0);
694 }
695
696 /*
697 * ps->ifaces_size * 2 doesn't overflow, so it's
698 * safe to multiply.
699 */
700 new_ifaces_size = ps->ifaces_size * 2;
701
702 /*
703 * Now make sure that's not so big that it overflows
704 * if we multiply by sizeof (struct pcap_ng_if).
705 *
706 * That can happen on 32-bit platforms, with a 32-bit
707 * size_t; it shouldn't happen on 64-bit platforms,
708 * with a 64-bit size_t, as new_ifaces_size is
709 * 32 bits.
710 */
711 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
712 /*
713 * As this fails only with 32-bit size_t,
714 * the multiplication was 32x32->32, and
715 * the largest 32-bit value that can safely
716 * be multiplied by sizeof (struct pcap_ng_if)
717 * without overflow is the largest 32-bit
718 * (unsigned) value divided by
719 * sizeof (struct pcap_ng_if).
720 */
721 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
722 "more than %u interfaces in the file",
723 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
724 return (0);
725 }
726 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
727 }
728 if (new_ifaces == NULL) {
729 /*
730 * We ran out of memory.
731 * Give up.
732 */
733 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
734 "out of memory for per-interface information (%u interfaces)",
735 ps->ifcount);
736 return (0);
737 }
738 ps->ifaces_size = new_ifaces_size;
739 ps->ifaces = new_ifaces;
740 }
741
742 /*
743 * Set the default time stamp resolution and offset.
744 */
745 tsresol = 1000000; /* microsecond resolution */
746 is_binary = 0; /* which is a power of 10 */
747 tsoffset = 0; /* absolute timestamps */
748
749 /*
750 * Now look for various time stamp options, so we know
751 * how to interpret the time stamps for this interface.
752 */
753 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
754 errbuf) == -1)
755 return (0);
756
757 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
758 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
759
760 /*
761 * Determine whether we're scaling up or down or not
762 * at all for this interface.
763 */
764 if (tsresol == ps->user_tsresol) {
765 /*
766 * The resolution is the resolution the user wants,
767 * so we don't have to do scaling.
768 */
769 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
770 } else if (tsresol > ps->user_tsresol) {
771 /*
772 * The resolution is greater than what the user wants,
773 * so we have to scale the timestamps down.
774 */
775 if (is_binary)
776 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
777 else {
778 /*
779 * Calculate the scale factor.
780 */
781 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
782 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
783 }
784 } else {
785 /*
786 * The resolution is less than what the user wants,
787 * so we have to scale the timestamps up.
788 */
789 if (is_binary)
790 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
791 else {
792 /*
793 * Calculate the scale factor.
794 */
795 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
796 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
797 }
798 }
799 return (1);
800 }
801
802 /*
803 * Check whether this is a pcapng savefile and, if it is, extract the
804 * relevant information from the header.
805 */
806 pcap_t *
807 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
808 int *err)
809 {
810 size_t amt_read;
811 bpf_u_int32 total_length;
812 bpf_u_int32 byte_order_magic;
813 struct block_header *bhdrp;
814 struct section_header_block *shbp;
815 pcap_t *p;
816 int swapped = 0;
817 struct pcap_ng_sf *ps;
818 int status;
819 struct block_cursor cursor;
820 struct interface_description_block *idbp;
821
822 /*
823 * Assume no read errors.
824 */
825 *err = 0;
826
827 /*
828 * Check whether the first 4 bytes of the file are the block
829 * type for a pcapng savefile.
830 */
831 if (magic != BT_SHB) {
832 /*
833 * XXX - check whether this looks like what the block
834 * type would be after being munged by mapping between
835 * UN*X and DOS/Windows text file format and, if it
836 * does, look for the byte-order magic number in
837 * the appropriate place and, if we find it, report
838 * this as possibly being a pcapng file transferred
839 * between UN*X and Windows in text file format?
840 */
841 return (NULL); /* nope */
842 }
843
844 /*
845 * OK, they are. However, that's just \n\r\r\n, so it could,
846 * conceivably, be an ordinary text file.
847 *
848 * It could not, however, conceivably be any other type of
849 * capture file, so we can read the rest of the putative
850 * Section Header Block; put the block type in the common
851 * header, read the rest of the common header and the
852 * fixed-length portion of the SHB, and look for the byte-order
853 * magic value.
854 */
855 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
856 if (amt_read < sizeof(total_length)) {
857 if (ferror(fp)) {
858 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
859 errno, "error reading dump file");
860 *err = 1;
861 return (NULL); /* fail */
862 }
863
864 /*
865 * Possibly a weird short text file, so just say
866 * "not pcapng".
867 */
868 return (NULL);
869 }
870 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
871 if (amt_read < sizeof(byte_order_magic)) {
872 if (ferror(fp)) {
873 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
874 errno, "error reading dump file");
875 *err = 1;
876 return (NULL); /* fail */
877 }
878
879 /*
880 * Possibly a weird short text file, so just say
881 * "not pcapng".
882 */
883 return (NULL);
884 }
885 if (byte_order_magic != BYTE_ORDER_MAGIC) {
886 byte_order_magic = SWAPLONG(byte_order_magic);
887 if (byte_order_magic != BYTE_ORDER_MAGIC) {
888 /*
889 * Not a pcapng file.
890 */
891 return (NULL);
892 }
893 swapped = 1;
894 total_length = SWAPLONG(total_length);
895 }
896
897 /*
898 * Check the sanity of the total length.
899 */
900 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
901 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
902 "Section Header Block in pcapng dump file has a length of %u < %" PRIsize,
903 total_length,
904 sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer));
905 *err = 1;
906 return (NULL);
907 }
908
909 /*
910 * Make sure it's not too big.
911 */
912 if (total_length > INITIAL_MAX_BLOCKSIZE) {
913 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
914 "pcapng block size %u > maximum %u",
915 total_length, INITIAL_MAX_BLOCKSIZE);
916 *err = 1;
917 return (NULL);
918 }
919
920 /*
921 * OK, this is a good pcapng file.
922 * Allocate a pcap_t for it.
923 */
924 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
925 if (p == NULL) {
926 /* Allocation failed. */
927 *err = 1;
928 return (NULL);
929 }
930 p->swapped = swapped;
931 ps = p->priv;
932
933 /*
934 * What precision does the user want?
935 */
936 switch (precision) {
937
938 case PCAP_TSTAMP_PRECISION_MICRO:
939 ps->user_tsresol = 1000000;
940 break;
941
942 case PCAP_TSTAMP_PRECISION_NANO:
943 ps->user_tsresol = 1000000000;
944 break;
945
946 default:
947 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
948 "unknown time stamp resolution %u", precision);
949 free(p);
950 *err = 1;
951 return (NULL);
952 }
953
954 p->opt.tstamp_precision = precision;
955
956 /*
957 * Allocate a buffer into which to read blocks. We default to
958 * the maximum of:
959 *
960 * the total length of the SHB for which we read the header;
961 *
962 * 2K, which should be more than large enough for an Enhanced
963 * Packet Block containing a full-size Ethernet frame, and
964 * leaving room for some options.
965 *
966 * If we find a bigger block, we reallocate the buffer, up to
967 * the maximum size. We start out with a maximum size of
968 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
969 * with a maximum snapshot that results in a larger maximum
970 * block length, we boost the maximum.
971 */
972 p->bufsize = 2048;
973 if (p->bufsize < total_length)
974 p->bufsize = total_length;
975 p->buffer = malloc(p->bufsize);
976 if (p->buffer == NULL) {
977 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
978 free(p);
979 *err = 1;
980 return (NULL);
981 }
982 ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
983
984 /*
985 * Copy the stuff we've read to the buffer, and read the rest
986 * of the SHB.
987 */
988 bhdrp = (struct block_header *)p->buffer;
989 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
990 bhdrp->block_type = magic;
991 bhdrp->total_length = total_length;
992 shbp->byte_order_magic = byte_order_magic;
993 if (read_bytes(fp,
994 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
995 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
996 1, errbuf) == -1)
997 goto fail;
998
999 if (p->swapped) {
1000 /*
1001 * Byte-swap the fields we've read.
1002 */
1003 shbp->major_version = SWAPSHORT(shbp->major_version);
1004 shbp->minor_version = SWAPSHORT(shbp->minor_version);
1005
1006 /*
1007 * XXX - we don't care about the section length.
1008 */
1009 }
1010 /* currently only SHB version 1.0 is supported */
1011 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
1012 shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
1013 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
1014 "unsupported pcapng savefile version %u.%u",
1015 shbp->major_version, shbp->minor_version);
1016 goto fail;
1017 }
1018 p->version_major = shbp->major_version;
1019 p->version_minor = shbp->minor_version;
1020
1021 /*
1022 * Save the time stamp resolution the user requested.
1023 */
1024 p->opt.tstamp_precision = precision;
1025
1026 /*
1027 * Now start looking for an Interface Description Block.
1028 */
1029 for (;;) {
1030 /*
1031 * Read the next block.
1032 */
1033 status = read_block(fp, p, &cursor, errbuf);
1034 if (status == 0) {
1035 /* EOF - no IDB in this file */
1036 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
1037 "the capture file has no Interface Description Blocks");
1038 goto fail;
1039 }
1040 if (status == -1)
1041 goto fail; /* error */
1042 switch (cursor.block_type) {
1043
1044 case BT_IDB:
1045 /*
1046 * Get a pointer to the fixed-length portion of the
1047 * IDB.
1048 */
1049 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1050 errbuf);
1051 if (idbp == NULL)
1052 goto fail; /* error */
1053
1054 /*
1055 * Byte-swap it if necessary.
1056 */
1057 if (p->swapped) {
1058 idbp->linktype = SWAPSHORT(idbp->linktype);
1059 idbp->snaplen = SWAPLONG(idbp->snaplen);
1060 }
1061
1062 /*
1063 * Try to add this interface.
1064 */
1065 if (!add_interface(p, &cursor, errbuf))
1066 goto fail;
1067
1068 goto done;
1069
1070 case BT_EPB:
1071 case BT_SPB:
1072 case BT_PB:
1073 /*
1074 * Saw a packet before we saw any IDBs. That's
1075 * not valid, as we don't know what link-layer
1076 * encapsulation the packet has.
1077 */
1078 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
1079 "the capture file has a packet block before any Interface Description Blocks");
1080 goto fail;
1081
1082 default:
1083 /*
1084 * Just ignore it.
1085 */
1086 break;
1087 }
1088 }
1089
1090 done:
1091 p->snapshot = idbp->snaplen;
1092 if (p->snapshot <= 0) {
1093 /*
1094 * Bogus snapshot length; use the maximum for this
1095 * link-layer type as a fallback.
1096 *
1097 * XXX - the only reason why snapshot is signed is
1098 * that pcap_snapshot() returns an int, not an
1099 * unsigned int.
1100 */
1101 p->snapshot = max_snaplen_for_dlt(idbp->linktype);
1102 }
1103 p->linktype = linktype_to_dlt(idbp->linktype);
1104 p->linktype_ext = 0;
1105
1106 /*
1107 * If the maximum block size for a packet with the maximum
1108 * snapshot length for this DLT_ is bigger than the current
1109 * maximum block size, increase the maximum.
1110 */
1111 if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1112 ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
1113
1114 p->next_packet_op = pcap_ng_next_packet;
1115 p->cleanup_op = pcap_ng_cleanup;
1116
1117 return (p);
1118
1119 fail:
1120 free(ps->ifaces);
1121 free(p->buffer);
1122 free(p);
1123 *err = 1;
1124 return (NULL);
1125 }
1126
1127 static void
1128 pcap_ng_cleanup(pcap_t *p)
1129 {
1130 struct pcap_ng_sf *ps = p->priv;
1131
1132 free(ps->ifaces);
1133 sf_cleanup(p);
1134 }
1135
1136 /*
1137 * Read and return the next packet from the savefile. Return the header
1138 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1139 * if there were no more packets, and -1 on an error.
1140 */
1141 static int
1142 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1143 {
1144 struct pcap_ng_sf *ps = p->priv;
1145 struct block_cursor cursor;
1146 int status;
1147 struct enhanced_packet_block *epbp;
1148 struct simple_packet_block *spbp;
1149 struct packet_block *pbp;
1150 bpf_u_int32 interface_id = 0xFFFFFFFF;
1151 struct interface_description_block *idbp;
1152 struct section_header_block *shbp;
1153 FILE *fp = p->rfile;
1154 uint64_t t, sec, frac;
1155
1156 /*
1157 * Look for an Enhanced Packet Block, a Simple Packet Block,
1158 * or a Packet Block.
1159 */
1160 for (;;) {
1161 /*
1162 * Read the block type and length; those are common
1163 * to all blocks.
1164 */
1165 status = read_block(fp, p, &cursor, p->errbuf);
1166 if (status == 0)
1167 return (1); /* EOF */
1168 if (status == -1)
1169 return (-1); /* error */
1170 switch (cursor.block_type) {
1171
1172 case BT_EPB:
1173 /*
1174 * Get a pointer to the fixed-length portion of the
1175 * EPB.
1176 */
1177 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1178 p->errbuf);
1179 if (epbp == NULL)
1180 return (-1); /* error */
1181
1182 /*
1183 * Byte-swap it if necessary.
1184 */
1185 if (p->swapped) {
1186 /* these were written in opposite byte order */
1187 interface_id = SWAPLONG(epbp->interface_id);
1188 hdr->caplen = SWAPLONG(epbp->caplen);
1189 hdr->len = SWAPLONG(epbp->len);
1190 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1191 SWAPLONG(epbp->timestamp_low);
1192 } else {
1193 interface_id = epbp->interface_id;
1194 hdr->caplen = epbp->caplen;
1195 hdr->len = epbp->len;
1196 t = ((uint64_t)epbp->timestamp_high) << 32 |
1197 epbp->timestamp_low;
1198 }
1199 goto found;
1200
1201 case BT_SPB:
1202 /*
1203 * Get a pointer to the fixed-length portion of the
1204 * SPB.
1205 */
1206 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1207 p->errbuf);
1208 if (spbp == NULL)
1209 return (-1); /* error */
1210
1211 /*
1212 * SPB packets are assumed to have arrived on
1213 * the first interface.
1214 */
1215 interface_id = 0;
1216
1217 /*
1218 * Byte-swap it if necessary.
1219 */
1220 if (p->swapped) {
1221 /* these were written in opposite byte order */
1222 hdr->len = SWAPLONG(spbp->len);
1223 } else
1224 hdr->len = spbp->len;
1225
1226 /*
1227 * The SPB doesn't give the captured length;
1228 * it's the minimum of the snapshot length
1229 * and the packet length.
1230 */
1231 hdr->caplen = hdr->len;
1232 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1233 hdr->caplen = p->snapshot;
1234 t = 0; /* no time stamps */
1235 goto found;
1236
1237 case BT_PB:
1238 /*
1239 * Get a pointer to the fixed-length portion of the
1240 * PB.
1241 */
1242 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1243 p->errbuf);
1244 if (pbp == NULL)
1245 return (-1); /* error */
1246
1247 /*
1248 * Byte-swap it if necessary.
1249 */
1250 if (p->swapped) {
1251 /* these were written in opposite byte order */
1252 interface_id = SWAPSHORT(pbp->interface_id);
1253 hdr->caplen = SWAPLONG(pbp->caplen);
1254 hdr->len = SWAPLONG(pbp->len);
1255 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1256 SWAPLONG(pbp->timestamp_low);
1257 } else {
1258 interface_id = pbp->interface_id;
1259 hdr->caplen = pbp->caplen;
1260 hdr->len = pbp->len;
1261 t = ((uint64_t)pbp->timestamp_high) << 32 |
1262 pbp->timestamp_low;
1263 }
1264 goto found;
1265
1266 case BT_IDB:
1267 /*
1268 * Interface Description Block. Get a pointer
1269 * to its fixed-length portion.
1270 */
1271 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1272 p->errbuf);
1273 if (idbp == NULL)
1274 return (-1); /* error */
1275
1276 /*
1277 * Byte-swap it if necessary.
1278 */
1279 if (p->swapped) {
1280 idbp->linktype = SWAPSHORT(idbp->linktype);
1281 idbp->snaplen = SWAPLONG(idbp->snaplen);
1282 }
1283
1284 /*
1285 * If the link-layer type or snapshot length
1286 * differ from the ones for the first IDB we
1287 * saw, quit.
1288 *
1289 * XXX - just discard packets from those
1290 * interfaces?
1291 */
1292 if (p->linktype != idbp->linktype) {
1293 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1294 "an interface has a type %u different from the type of the first interface",
1295 idbp->linktype);
1296 return (-1);
1297 }
1298 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1299 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1300 "an interface has a snapshot length %u different from the type of the first interface",
1301 idbp->snaplen);
1302 return (-1);
1303 }
1304
1305 /*
1306 * Try to add this interface.
1307 */
1308 if (!add_interface(p, &cursor, p->errbuf))
1309 return (-1);
1310 break;
1311
1312 case BT_SHB:
1313 /*
1314 * Section Header Block. Get a pointer
1315 * to its fixed-length portion.
1316 */
1317 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1318 p->errbuf);
1319 if (shbp == NULL)
1320 return (-1); /* error */
1321
1322 /*
1323 * Assume the byte order of this section is
1324 * the same as that of the previous section.
1325 * We'll check for that later.
1326 */
1327 if (p->swapped) {
1328 shbp->byte_order_magic =
1329 SWAPLONG(shbp->byte_order_magic);
1330 shbp->major_version =
1331 SWAPSHORT(shbp->major_version);
1332 }
1333
1334 /*
1335 * Make sure the byte order doesn't change;
1336 * pcap_is_swapped() shouldn't change its
1337 * return value in the middle of reading a capture.
1338 */
1339 switch (shbp->byte_order_magic) {
1340
1341 case BYTE_ORDER_MAGIC:
1342 /*
1343 * OK.
1344 */
1345 break;
1346
1347 case SWAPLONG(BYTE_ORDER_MAGIC):
1348 /*
1349 * Byte order changes.
1350 */
1351 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1352 "the file has sections with different byte orders");
1353 return (-1);
1354
1355 default:
1356 /*
1357 * Not a valid SHB.
1358 */
1359 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1360 "the file has a section with a bad byte order magic field");
1361 return (-1);
1362 }
1363
1364 /*
1365 * Make sure the major version is the version
1366 * we handle.
1367 */
1368 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1369 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1370 "unknown pcapng savefile major version number %u",
1371 shbp->major_version);
1372 return (-1);
1373 }
1374
1375 /*
1376 * Reset the interface count; this section should
1377 * have its own set of IDBs. If any of them
1378 * don't have the same interface type, snapshot
1379 * length, or resolution as the first interface
1380 * we saw, we'll fail. (And if we don't see
1381 * any IDBs, we'll fail when we see a packet
1382 * block.)
1383 */
1384 ps->ifcount = 0;
1385 break;
1386
1387 default:
1388 /*
1389 * Not a packet block, IDB, or SHB; ignore it.
1390 */
1391 break;
1392 }
1393 }
1394
1395 found:
1396 /*
1397 * Is the interface ID an interface we know?
1398 */
1399 if (interface_id >= ps->ifcount) {
1400 /*
1401 * Yes. Fail.
1402 */
1403 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1404 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1405 interface_id);
1406 return (-1);
1407 }
1408
1409 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1410 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1411 "invalid packet capture length %u, bigger than "
1412 "snaplen of %d", hdr->caplen, p->snapshot);
1413 return (-1);
1414 }
1415
1416 /*
1417 * Convert the time stamp to seconds and fractions of a second,
1418 * with the fractions being in units of the file-supplied resolution.
1419 */
1420 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1421 frac = t % ps->ifaces[interface_id].tsresol;
1422
1423 /*
1424 * Convert the fractions from units of the file-supplied resolution
1425 * to units of the user-requested resolution.
1426 */
1427 switch (ps->ifaces[interface_id].scale_type) {
1428
1429 case PASS_THROUGH:
1430 /*
1431 * The interface resolution is what the user wants,
1432 * so we're done.
1433 */
1434 break;
1435
1436 case SCALE_UP_DEC:
1437 /*
1438 * The interface resolution is less than what the user
1439 * wants; scale the fractional part up to the units of
1440 * the resolution the user requested by multiplying by
1441 * the quotient of the user-requested resolution and the
1442 * file-supplied resolution.
1443 *
1444 * Those resolutions are both powers of 10, and the user-
1445 * requested resolution is greater than the file-supplied
1446 * resolution, so the quotient in question is an integer.
1447 * We've calculated that quotient already, so we just
1448 * multiply by it.
1449 */
1450 frac *= ps->ifaces[interface_id].scale_factor;
1451 break;
1452
1453 case SCALE_UP_BIN:
1454 /*
1455 * The interface resolution is less than what the user
1456 * wants; scale the fractional part up to the units of
1457 * the resolution the user requested by multiplying by
1458 * the quotient of the user-requested resolution and the
1459 * file-supplied resolution.
1460 *
1461 * The file-supplied resolution is a power of 2, so the
1462 * quotient is not an integer, so, in order to do this
1463 * entirely with integer arithmetic, we multiply by the
1464 * user-requested resolution and divide by the file-
1465 * supplied resolution.
1466 *
1467 * XXX - Is there something clever we could do here,
1468 * given that we know that the file-supplied resolution
1469 * is a power of 2? Doing a multiplication followed by
1470 * a division runs the risk of overflowing, and involves
1471 * two non-simple arithmetic operations.
1472 */
1473 frac *= ps->user_tsresol;
1474 frac /= ps->ifaces[interface_id].tsresol;
1475 break;
1476
1477 case SCALE_DOWN_DEC:
1478 /*
1479 * The interface resolution is greater than what the user
1480 * wants; scale the fractional part up to the units of
1481 * the resolution the user requested by multiplying by
1482 * the quotient of the user-requested resolution and the
1483 * file-supplied resolution.
1484 *
1485 * Those resolutions are both powers of 10, and the user-
1486 * requested resolution is less than the file-supplied
1487 * resolution, so the quotient in question isn't an
1488 * integer, but its reciprocal is, and we can just divide
1489 * by the reciprocal of the quotient. We've calculated
1490 * the reciprocal of that quotient already, so we must
1491 * divide by it.
1492 */
1493 frac /= ps->ifaces[interface_id].scale_factor;
1494 break;
1495
1496
1497 case SCALE_DOWN_BIN:
1498 /*
1499 * The interface resolution is greater than what the user
1500 * wants; convert the fractional part to units of the
1501 * resolution the user requested by multiplying by the
1502 * quotient of the user-requested resolution and the
1503 * file-supplied resolution. We do that by multiplying
1504 * by the user-requested resolution and dividing by the
1505 * file-supplied resolution, as the quotient might not
1506 * fit in an integer.
1507 *
1508 * The file-supplied resolution is a power of 2, so the
1509 * quotient is not an integer, and neither is its
1510 * reciprocal, so, in order to do this entirely with
1511 * integer arithmetic, we multiply by the user-requested
1512 * resolution and divide by the file-supplied resolution.
1513 *
1514 * XXX - Is there something clever we could do here,
1515 * given that we know that the file-supplied resolution
1516 * is a power of 2? Doing a multiplication followed by
1517 * a division runs the risk of overflowing, and involves
1518 * two non-simple arithmetic operations.
1519 */
1520 frac *= ps->user_tsresol;
1521 frac /= ps->ifaces[interface_id].tsresol;
1522 break;
1523 }
1524 #ifdef _WIN32
1525 /*
1526 * tv_sec and tv_used in the Windows struct timeval are both
1527 * longs.
1528 */
1529 hdr->ts.tv_sec = (long)sec;
1530 hdr->ts.tv_usec = (long)frac;
1531 #else
1532 /*
1533 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1534 * suseconds_t in UN*Xes that work the way the current Single
1535 * UNIX Standard specify - but not all older UN*Xes necessarily
1536 * support that type, so just cast to int.
1537 */
1538 hdr->ts.tv_sec = (time_t)sec;
1539 hdr->ts.tv_usec = (int)frac;
1540 #endif
1541
1542 /*
1543 * Get a pointer to the packet data.
1544 */
1545 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1546 if (*data == NULL)
1547 return (-1);
1548
1549 if (p->swapped)
1550 swap_pseudo_headers(p->linktype, hdr, *data);
1551
1552 return (0);
1553 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism