]> The Tcpdump Group git mirrors - libpcap/blob - sf-pcap-ng.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Don't use our own getaddrinfo() on Windows.
[libpcap] / sf-pcap-ng.c
1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
22 */
23
24 #ifndef lint
25 static const char rcsid[] _U_ =
26 "@(#) $Header$ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #ifdef _WIN32
34 #include <pcap-stdinc.h>
35 #else /* _WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #endif /* _WIN32 */
46
47 #include <errno.h>
48 #include <memory.h>
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52
53 #include "pcap-int.h"
54
55 #include "pcap-common.h"
56
57 #ifdef HAVE_OS_PROTO_H
58 #include "os-proto.h"
59 #endif
60
61 #include "sf-pcap-ng.h"
62
63 /*
64 * Block types.
65 */
66
67 /*
68 * Common part at the beginning of all blocks.
69 */
70 struct block_header {
71 bpf_u_int32 block_type;
72 bpf_u_int32 total_length;
73 };
74
75 /*
76 * Common trailer at the end of all blocks.
77 */
78 struct block_trailer {
79 bpf_u_int32 total_length;
80 };
81
82 /*
83 * Common options.
84 */
85 #define OPT_ENDOFOPT 0 /* end of options */
86 #define OPT_COMMENT 1 /* comment string */
87
88 /*
89 * Option header.
90 */
91 struct option_header {
92 u_short option_code;
93 u_short option_length;
94 };
95
96 /*
97 * Structures for the part of each block type following the common
98 * part.
99 */
100
101 /*
102 * Section Header Block.
103 */
104 #define BT_SHB 0x0A0D0D0A
105
106 struct section_header_block {
107 bpf_u_int32 byte_order_magic;
108 u_short major_version;
109 u_short minor_version;
110 u_int64_t section_length;
111 /* followed by options and trailer */
112 };
113
114 /*
115 * Byte-order magic value.
116 */
117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
118
119 /*
120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
121 * that means that this code can't read the file.
122 */
123 #define PCAP_NG_VERSION_MAJOR 1
124
125 /*
126 * Interface Description Block.
127 */
128 #define BT_IDB 0x00000001
129
130 struct interface_description_block {
131 u_short linktype;
132 u_short reserved;
133 bpf_u_int32 snaplen;
134 /* followed by options and trailer */
135 };
136
137 /*
138 * Options in the IDB.
139 */
140 #define IF_NAME 2 /* interface name string */
141 #define IF_DESCRIPTION 3 /* interface description string */
142 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
143 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
144 #define IF_MACADDR 6 /* interface's MAC address */
145 #define IF_EUIADDR 7 /* interface's EUI address */
146 #define IF_SPEED 8 /* interface's speed, in bits/s */
147 #define IF_TSRESOL 9 /* interface's time stamp resolution */
148 #define IF_TZONE 10 /* interface's time zone */
149 #define IF_FILTER 11 /* filter used when capturing on interface */
150 #define IF_OS 12 /* string OS on which capture on this interface was done */
151 #define IF_FCSLEN 13 /* FCS length for this interface */
152 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
153
154 /*
155 * Enhanced Packet Block.
156 */
157 #define BT_EPB 0x00000006
158
159 struct enhanced_packet_block {
160 bpf_u_int32 interface_id;
161 bpf_u_int32 timestamp_high;
162 bpf_u_int32 timestamp_low;
163 bpf_u_int32 caplen;
164 bpf_u_int32 len;
165 /* followed by packet data, options, and trailer */
166 };
167
168 /*
169 * Simple Packet Block.
170 */
171 #define BT_SPB 0x00000003
172
173 struct simple_packet_block {
174 bpf_u_int32 len;
175 /* followed by packet data and trailer */
176 };
177
178 /*
179 * Packet Block.
180 */
181 #define BT_PB 0x00000002
182
183 struct packet_block {
184 u_short interface_id;
185 u_short drops_count;
186 bpf_u_int32 timestamp_high;
187 bpf_u_int32 timestamp_low;
188 bpf_u_int32 caplen;
189 bpf_u_int32 len;
190 /* followed by packet data, options, and trailer */
191 };
192
193 /*
194 * Block cursor - used when processing the contents of a block.
195 * Contains a pointer into the data being processed and a count
196 * of bytes remaining in the block.
197 */
198 struct block_cursor {
199 u_char *data;
200 size_t data_remaining;
201 bpf_u_int32 block_type;
202 };
203
204 typedef enum {
205 PASS_THROUGH,
206 SCALE_UP_DEC,
207 SCALE_DOWN_DEC,
208 SCALE_UP_BIN,
209 SCALE_DOWN_BIN
210 } tstamp_scale_type_t;
211
212 /*
213 * Per-interface information.
214 */
215 struct pcap_ng_if {
216 u_int tsresol; /* time stamp resolution */
217 tstamp_scale_type_t scale_type; /* how to scale */
218 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */
219 u_int64_t tsoffset; /* time stamp offset */
220 };
221
222 struct pcap_ng_sf {
223 u_int user_tsresol; /* time stamp resolution requested by the user */
224 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
225 bpf_u_int32 ifaces_size; /* size of array below */
226 struct pcap_ng_if *ifaces; /* array of interface information */
227 };
228
229 static void pcap_ng_cleanup(pcap_t *p);
230 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
231 u_char **data);
232
233 static int
234 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
235 char *errbuf)
236 {
237 size_t amt_read;
238
239 amt_read = fread(buf, 1, bytes_to_read, fp);
240 if (amt_read != bytes_to_read) {
241 if (ferror(fp)) {
242 snprintf(errbuf, PCAP_ERRBUF_SIZE,
243 "error reading dump file: %s",
244 pcap_strerror(errno));
245 } else {
246 if (amt_read == 0 && !fail_on_eof)
247 return (0); /* EOF */
248 snprintf(errbuf, PCAP_ERRBUF_SIZE,
249 "truncated dump file; tried to read %lu bytes, only got %lu",
250 (unsigned long)bytes_to_read,
251 (unsigned long)amt_read);
252 }
253 return (-1);
254 }
255 return (1);
256 }
257
258 static int
259 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
260 {
261 int status;
262 struct block_header bhdr;
263 u_char *bdata;
264 size_t data_remaining;
265
266 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
267 if (status <= 0)
268 return (status); /* error or EOF */
269
270 if (p->swapped) {
271 bhdr.block_type = SWAPLONG(bhdr.block_type);
272 bhdr.total_length = SWAPLONG(bhdr.total_length);
273 }
274
275 /*
276 * Is this block "too big"?
277 *
278 * We choose 16MB as "too big", for now, so that we handle
279 * "reasonably" large buffers but don't chew up all the
280 * memory if we read a malformed file.
281 */
282 if (bhdr.total_length > 16*1024*1024) {
283 snprintf(errbuf, PCAP_ERRBUF_SIZE,
284 "pcap-ng block size %u > maximum %u",
285 bhdr.total_length, 16*1024*1024);
286 return (-1);
287 }
288
289 /*
290 * Is this block "too small" - i.e., is it shorter than a block
291 * header plus a block trailer?
292 */
293 if (bhdr.total_length < sizeof(struct block_header) +
294 sizeof(struct block_trailer)) {
295 snprintf(errbuf, PCAP_ERRBUF_SIZE,
296 "block in pcap-ng dump file has a length of %u < %lu",
297 bhdr.total_length,
298 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
299 return (-1);
300 }
301
302 /*
303 * Is the buffer big enough?
304 */
305 if (p->bufsize < bhdr.total_length) {
306 /*
307 * No - make it big enough.
308 */
309 void *bigger_buffer;
310
311 bigger_buffer = realloc(p->buffer, bhdr.total_length);
312 if (bigger_buffer == NULL) {
313 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
314 return (-1);
315 }
316 p->buffer = bigger_buffer;
317 }
318
319 /*
320 * Copy the stuff we've read to the buffer, and read the rest
321 * of the block.
322 */
323 memcpy(p->buffer, &bhdr, sizeof(bhdr));
324 bdata = (u_char *)p->buffer + sizeof(bhdr);
325 data_remaining = bhdr.total_length - sizeof(bhdr);
326 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
327 return (-1);
328
329 /*
330 * Initialize the cursor.
331 */
332 cursor->data = bdata;
333 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
334 cursor->block_type = bhdr.block_type;
335 return (1);
336 }
337
338 static void *
339 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
340 char *errbuf)
341 {
342 void *data;
343
344 /*
345 * Make sure we have the specified amount of data remaining in
346 * the block data.
347 */
348 if (cursor->data_remaining < chunk_size) {
349 snprintf(errbuf, PCAP_ERRBUF_SIZE,
350 "block of type %u in pcap-ng dump file is too short",
351 cursor->block_type);
352 return (NULL);
353 }
354
355 /*
356 * Return the current pointer, and skip past the chunk.
357 */
358 data = cursor->data;
359 cursor->data += chunk_size;
360 cursor->data_remaining -= chunk_size;
361 return (data);
362 }
363
364 static struct option_header *
365 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
366 {
367 struct option_header *opthdr;
368
369 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
370 if (opthdr == NULL) {
371 /*
372 * Option header is cut short.
373 */
374 return (NULL);
375 }
376
377 /*
378 * Byte-swap it if necessary.
379 */
380 if (p->swapped) {
381 opthdr->option_code = SWAPSHORT(opthdr->option_code);
382 opthdr->option_length = SWAPSHORT(opthdr->option_length);
383 }
384
385 return (opthdr);
386 }
387
388 static void *
389 get_optvalue_from_block_data(struct block_cursor *cursor,
390 struct option_header *opthdr, char *errbuf)
391 {
392 size_t padded_option_len;
393 void *optvalue;
394
395 /* Pad option length to 4-byte boundary */
396 padded_option_len = opthdr->option_length;
397 padded_option_len = ((padded_option_len + 3)/4)*4;
398
399 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
400 if (optvalue == NULL) {
401 /*
402 * Option value is cut short.
403 */
404 return (NULL);
405 }
406
407 return (optvalue);
408 }
409
410 static int
411 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
412 u_int64_t *tsoffset, int *is_binary, char *errbuf)
413 {
414 struct option_header *opthdr;
415 void *optvalue;
416 int saw_tsresol, saw_tsoffset;
417 u_char tsresol_opt;
418 u_int i;
419
420 saw_tsresol = 0;
421 saw_tsoffset = 0;
422 while (cursor->data_remaining != 0) {
423 /*
424 * Get the option header.
425 */
426 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
427 if (opthdr == NULL) {
428 /*
429 * Option header is cut short.
430 */
431 return (-1);
432 }
433
434 /*
435 * Get option value.
436 */
437 optvalue = get_optvalue_from_block_data(cursor, opthdr,
438 errbuf);
439 if (optvalue == NULL) {
440 /*
441 * Option value is cut short.
442 */
443 return (-1);
444 }
445
446 switch (opthdr->option_code) {
447
448 case OPT_ENDOFOPT:
449 if (opthdr->option_length != 0) {
450 snprintf(errbuf, PCAP_ERRBUF_SIZE,
451 "Interface Description Block has opt_endofopt option with length %u != 0",
452 opthdr->option_length);
453 return (-1);
454 }
455 goto done;
456
457 case IF_TSRESOL:
458 if (opthdr->option_length != 1) {
459 snprintf(errbuf, PCAP_ERRBUF_SIZE,
460 "Interface Description Block has if_tsresol option with length %u != 1",
461 opthdr->option_length);
462 return (-1);
463 }
464 if (saw_tsresol) {
465 snprintf(errbuf, PCAP_ERRBUF_SIZE,
466 "Interface Description Block has more than one if_tsresol option");
467 return (-1);
468 }
469 saw_tsresol = 1;
470 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
471 if (tsresol_opt & 0x80) {
472 /*
473 * Resolution is negative power of 2.
474 */
475 *is_binary = 1;
476 *tsresol = 1 << (tsresol_opt & 0x7F);
477 } else {
478 /*
479 * Resolution is negative power of 10.
480 */
481 *is_binary = 0;
482 *tsresol = 1;
483 for (i = 0; i < tsresol_opt; i++)
484 *tsresol *= 10;
485 }
486 if (*tsresol == 0) {
487 /*
488 * Resolution is too high.
489 */
490 if (tsresol_opt & 0x80) {
491 snprintf(errbuf, PCAP_ERRBUF_SIZE,
492 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
493 tsresol_opt & 0x7F);
494 } else {
495 snprintf(errbuf, PCAP_ERRBUF_SIZE,
496 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
497 tsresol_opt);
498 }
499 return (-1);
500 }
501 break;
502
503 case IF_TSOFFSET:
504 if (opthdr->option_length != 8) {
505 snprintf(errbuf, PCAP_ERRBUF_SIZE,
506 "Interface Description Block has if_tsoffset option with length %u != 8",
507 opthdr->option_length);
508 return (-1);
509 }
510 if (saw_tsoffset) {
511 snprintf(errbuf, PCAP_ERRBUF_SIZE,
512 "Interface Description Block has more than one if_tsoffset option");
513 return (-1);
514 }
515 saw_tsoffset = 1;
516 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
517 if (p->swapped)
518 *tsoffset = SWAPLL(*tsoffset);
519 break;
520
521 default:
522 break;
523 }
524 }
525
526 done:
527 return (0);
528 }
529
530 static int
531 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
532 {
533 struct pcap_ng_sf *ps;
534 u_int tsresol;
535 u_int64_t tsoffset;
536 int is_binary;
537
538 ps = p->priv;
539
540 /*
541 * Count this interface.
542 */
543 ps->ifcount++;
544
545 /*
546 * Grow the array of per-interface information as necessary.
547 */
548 if (ps->ifcount > ps->ifaces_size) {
549 /*
550 * We need to grow the array.
551 */
552 bpf_u_int32 new_ifaces_size;
553 struct pcap_ng_if *new_ifaces;
554
555 if (ps->ifaces_size == 0) {
556 /*
557 * It's currently empty.
558 *
559 * (The Clang static analyzer doesn't do enough,
560 * err, umm, dataflow *analysis* to realize that
561 * ps->ifaces_size == 0 if ps->ifaces == NULL,
562 * and so complains about a possible zero argument
563 * to realloc(), so we check for the former
564 * condition to shut it up.
565 *
566 * However, it doesn't complain that one of the
567 * multiplications below could overflow, which is
568 * a real, albeit extremely unlikely, problem (you'd
569 * need a pcap-ng file with tens of millions of
570 * interfaces).)
571 */
572 new_ifaces_size = 1;
573 new_ifaces = malloc(sizeof (struct pcap_ng_if));
574 } else {
575 /*
576 * It's not currently empty; double its size.
577 * (Perhaps overkill once we have a lot of interfaces.)
578 *
579 * Check for overflow if we double it.
580 */
581 if (ps->ifaces_size * 2 < ps->ifaces_size) {
582 /*
583 * The maximum number of interfaces before
584 * ps->ifaces_size overflows is the largest
585 * possible 32-bit power of 2, as we do
586 * size doubling.
587 */
588 snprintf(errbuf, PCAP_ERRBUF_SIZE,
589 "more than %u interfaces in the file",
590 0x80000000U);
591 return (0);
592 }
593
594 /*
595 * ps->ifaces_size * 2 doesn't overflow, so it's
596 * safe to multiply.
597 */
598 new_ifaces_size = ps->ifaces_size * 2;
599
600 /*
601 * Now make sure that's not so big that it overflows
602 * if we multiply by sizeof (struct pcap_ng_if).
603 *
604 * That can happen on 32-bit platforms, with a 32-bit
605 * size_t; it shouldn't happen on 64-bit platforms,
606 * with a 64-bit size_t, as new_ifaces_size is
607 * 32 bits.
608 */
609 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
610 /*
611 * As this fails only with 32-bit size_t,
612 * the multiplication was 32x32->32, and
613 * the largest 32-bit value that can safely
614 * be multiplied by sizeof (struct pcap_ng_if)
615 * without overflow is the largest 32-bit
616 * (unsigned) value divided by
617 * sizeof (struct pcap_ng_if).
618 */
619 snprintf(errbuf, PCAP_ERRBUF_SIZE,
620 "more than %u interfaces in the file",
621 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
622 return (0);
623 }
624 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
625 }
626 if (new_ifaces == NULL) {
627 /*
628 * We ran out of memory.
629 * Give up.
630 */
631 snprintf(errbuf, PCAP_ERRBUF_SIZE,
632 "out of memory for per-interface information (%u interfaces)",
633 ps->ifcount);
634 return (0);
635 }
636 ps->ifaces_size = new_ifaces_size;
637 ps->ifaces = new_ifaces;
638 }
639
640 /*
641 * Set the default time stamp resolution and offset.
642 */
643 tsresol = 1000000; /* microsecond resolution */
644 is_binary = 0; /* which is a power of 10 */
645 tsoffset = 0; /* absolute timestamps */
646
647 /*
648 * Now look for various time stamp options, so we know
649 * how to interpret the time stamps for this interface.
650 */
651 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
652 errbuf) == -1)
653 return (0);
654
655 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
656 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
657
658 /*
659 * Determine whether we're scaling up or down or not
660 * at all for this interface.
661 */
662 if (tsresol == ps->user_tsresol) {
663 /*
664 * The resolution is the resolution the user wants,
665 * so we don't have to do scaling.
666 */
667 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
668 } else if (tsresol > ps->user_tsresol) {
669 /*
670 * The resolution is greater than what the user wants,
671 * so we have to scale the timestamps down.
672 */
673 if (is_binary)
674 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
675 else {
676 /*
677 * Calculate the scale factor.
678 */
679 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
680 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
681 }
682 } else {
683 /*
684 * The resolution is less than what the user wants,
685 * so we have to scale the timestamps up.
686 */
687 if (is_binary)
688 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
689 else {
690 /*
691 * Calculate the scale factor.
692 */
693 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
694 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
695 }
696 }
697 return (1);
698 }
699
700 /*
701 * Check whether this is a pcap-ng savefile and, if it is, extract the
702 * relevant information from the header.
703 */
704 pcap_t *
705 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
706 int *err)
707 {
708 size_t amt_read;
709 bpf_u_int32 total_length;
710 bpf_u_int32 byte_order_magic;
711 struct block_header *bhdrp;
712 struct section_header_block *shbp;
713 pcap_t *p;
714 int swapped = 0;
715 struct pcap_ng_sf *ps;
716 int status;
717 struct block_cursor cursor;
718 struct interface_description_block *idbp;
719
720 /*
721 * Assume no read errors.
722 */
723 *err = 0;
724
725 /*
726 * Check whether the first 4 bytes of the file are the block
727 * type for a pcap-ng savefile.
728 */
729 if (magic != BT_SHB) {
730 /*
731 * XXX - check whether this looks like what the block
732 * type would be after being munged by mapping between
733 * UN*X and DOS/Windows text file format and, if it
734 * does, look for the byte-order magic number in
735 * the appropriate place and, if we find it, report
736 * this as possibly being a pcap-ng file transferred
737 * between UN*X and Windows in text file format?
738 */
739 return (NULL); /* nope */
740 }
741
742 /*
743 * OK, they are. However, that's just \n\r\r\n, so it could,
744 * conceivably, be an ordinary text file.
745 *
746 * It could not, however, conceivably be any other type of
747 * capture file, so we can read the rest of the putative
748 * Section Header Block; put the block type in the common
749 * header, read the rest of the common header and the
750 * fixed-length portion of the SHB, and look for the byte-order
751 * magic value.
752 */
753 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
754 if (amt_read < sizeof(total_length)) {
755 if (ferror(fp)) {
756 snprintf(errbuf, PCAP_ERRBUF_SIZE,
757 "error reading dump file: %s",
758 pcap_strerror(errno));
759 *err = 1;
760 return (NULL); /* fail */
761 }
762
763 /*
764 * Possibly a weird short text file, so just say
765 * "not pcap-ng".
766 */
767 return (NULL);
768 }
769 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
770 if (amt_read < sizeof(byte_order_magic)) {
771 if (ferror(fp)) {
772 snprintf(errbuf, PCAP_ERRBUF_SIZE,
773 "error reading dump file: %s",
774 pcap_strerror(errno));
775 *err = 1;
776 return (NULL); /* fail */
777 }
778
779 /*
780 * Possibly a weird short text file, so just say
781 * "not pcap-ng".
782 */
783 return (NULL);
784 }
785 if (byte_order_magic != BYTE_ORDER_MAGIC) {
786 byte_order_magic = SWAPLONG(byte_order_magic);
787 if (byte_order_magic != BYTE_ORDER_MAGIC) {
788 /*
789 * Not a pcap-ng file.
790 */
791 return (NULL);
792 }
793 swapped = 1;
794 total_length = SWAPLONG(total_length);
795 }
796
797 /*
798 * Check the sanity of the total length.
799 */
800 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
801 snprintf(errbuf, PCAP_ERRBUF_SIZE,
802 "Section Header Block in pcap-ng dump file has a length of %u < %lu",
803 total_length,
804 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
805 *err = 1;
806 return (NULL);
807 }
808
809 /*
810 * OK, this is a good pcap-ng file.
811 * Allocate a pcap_t for it.
812 */
813 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
814 if (p == NULL) {
815 /* Allocation failed. */
816 *err = 1;
817 return (NULL);
818 }
819 p->swapped = swapped;
820 ps = p->priv;
821
822 /*
823 * What precision does the user want?
824 */
825 switch (precision) {
826
827 case PCAP_TSTAMP_PRECISION_MICRO:
828 ps->user_tsresol = 1000000;
829 break;
830
831 case PCAP_TSTAMP_PRECISION_NANO:
832 ps->user_tsresol = 1000000000;
833 break;
834
835 default:
836 snprintf(errbuf, PCAP_ERRBUF_SIZE,
837 "unknown time stamp resolution %u", precision);
838 free(p);
839 *err = 1;
840 return (NULL);
841 }
842
843 p->opt.tstamp_precision = precision;
844
845 /*
846 * Allocate a buffer into which to read blocks. We default to
847 * the maximum of:
848 *
849 * the total length of the SHB for which we read the header;
850 *
851 * 2K, which should be more than large enough for an Enhanced
852 * Packet Block containing a full-size Ethernet frame, and
853 * leaving room for some options.
854 *
855 * If we find a bigger block, we reallocate the buffer.
856 */
857 p->bufsize = 2048;
858 if (p->bufsize < total_length)
859 p->bufsize = total_length;
860 p->buffer = malloc(p->bufsize);
861 if (p->buffer == NULL) {
862 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
863 free(p);
864 *err = 1;
865 return (NULL);
866 }
867
868 /*
869 * Copy the stuff we've read to the buffer, and read the rest
870 * of the SHB.
871 */
872 bhdrp = (struct block_header *)p->buffer;
873 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
874 bhdrp->block_type = magic;
875 bhdrp->total_length = total_length;
876 shbp->byte_order_magic = byte_order_magic;
877 if (read_bytes(fp,
878 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
879 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
880 1, errbuf) == -1)
881 goto fail;
882
883 if (p->swapped) {
884 /*
885 * Byte-swap the fields we've read.
886 */
887 shbp->major_version = SWAPSHORT(shbp->major_version);
888 shbp->minor_version = SWAPSHORT(shbp->minor_version);
889
890 /*
891 * XXX - we don't care about the section length.
892 */
893 }
894 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
895 snprintf(errbuf, PCAP_ERRBUF_SIZE,
896 "unknown pcap-ng savefile major version number %u",
897 shbp->major_version);
898 goto fail;
899 }
900 p->version_major = shbp->major_version;
901 p->version_minor = shbp->minor_version;
902
903 /*
904 * Save the time stamp resolution the user requested.
905 */
906 p->opt.tstamp_precision = precision;
907
908 /*
909 * Now start looking for an Interface Description Block.
910 */
911 for (;;) {
912 /*
913 * Read the next block.
914 */
915 status = read_block(fp, p, &cursor, errbuf);
916 if (status == 0) {
917 /* EOF - no IDB in this file */
918 snprintf(errbuf, PCAP_ERRBUF_SIZE,
919 "the capture file has no Interface Description Blocks");
920 goto fail;
921 }
922 if (status == -1)
923 goto fail; /* error */
924 switch (cursor.block_type) {
925
926 case BT_IDB:
927 /*
928 * Get a pointer to the fixed-length portion of the
929 * IDB.
930 */
931 idbp = get_from_block_data(&cursor, sizeof(*idbp),
932 errbuf);
933 if (idbp == NULL)
934 goto fail; /* error */
935
936 /*
937 * Byte-swap it if necessary.
938 */
939 if (p->swapped) {
940 idbp->linktype = SWAPSHORT(idbp->linktype);
941 idbp->snaplen = SWAPLONG(idbp->snaplen);
942 }
943
944 /*
945 * Try to add this interface.
946 */
947 if (!add_interface(p, &cursor, errbuf))
948 goto fail;
949 goto done;
950
951 case BT_EPB:
952 case BT_SPB:
953 case BT_PB:
954 /*
955 * Saw a packet before we saw any IDBs. That's
956 * not valid, as we don't know what link-layer
957 * encapsulation the packet has.
958 */
959 snprintf(errbuf, PCAP_ERRBUF_SIZE,
960 "the capture file has a packet block before any Interface Description Blocks");
961 goto fail;
962
963 default:
964 /*
965 * Just ignore it.
966 */
967 break;
968 }
969 }
970
971 done:
972 p->tzoff = 0; /* XXX - not used in pcap */
973 p->snapshot = idbp->snaplen;
974 p->linktype = linktype_to_dlt(idbp->linktype);
975 p->linktype_ext = 0;
976
977 p->next_packet_op = pcap_ng_next_packet;
978 p->cleanup_op = pcap_ng_cleanup;
979
980 return (p);
981
982 fail:
983 free(ps->ifaces);
984 free(p->buffer);
985 free(p);
986 *err = 1;
987 return (NULL);
988 }
989
990 static void
991 pcap_ng_cleanup(pcap_t *p)
992 {
993 struct pcap_ng_sf *ps = p->priv;
994
995 free(ps->ifaces);
996 sf_cleanup(p);
997 }
998
999 /*
1000 * Read and return the next packet from the savefile. Return the header
1001 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1002 * if there were no more packets, and -1 on an error.
1003 */
1004 static int
1005 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1006 {
1007 struct pcap_ng_sf *ps = p->priv;
1008 struct block_cursor cursor;
1009 int status;
1010 struct enhanced_packet_block *epbp;
1011 struct simple_packet_block *spbp;
1012 struct packet_block *pbp;
1013 bpf_u_int32 interface_id = 0xFFFFFFFF;
1014 struct interface_description_block *idbp;
1015 struct section_header_block *shbp;
1016 FILE *fp = p->rfile;
1017 u_int64_t t, sec, frac;
1018
1019 /*
1020 * Look for an Enhanced Packet Block, a Simple Packet Block,
1021 * or a Packet Block.
1022 */
1023 for (;;) {
1024 /*
1025 * Read the block type and length; those are common
1026 * to all blocks.
1027 */
1028 status = read_block(fp, p, &cursor, p->errbuf);
1029 if (status == 0)
1030 return (1); /* EOF */
1031 if (status == -1)
1032 return (-1); /* error */
1033 switch (cursor.block_type) {
1034
1035 case BT_EPB:
1036 /*
1037 * Get a pointer to the fixed-length portion of the
1038 * EPB.
1039 */
1040 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1041 p->errbuf);
1042 if (epbp == NULL)
1043 return (-1); /* error */
1044
1045 /*
1046 * Byte-swap it if necessary.
1047 */
1048 if (p->swapped) {
1049 /* these were written in opposite byte order */
1050 interface_id = SWAPLONG(epbp->interface_id);
1051 hdr->caplen = SWAPLONG(epbp->caplen);
1052 hdr->len = SWAPLONG(epbp->len);
1053 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1054 SWAPLONG(epbp->timestamp_low);
1055 } else {
1056 interface_id = epbp->interface_id;
1057 hdr->caplen = epbp->caplen;
1058 hdr->len = epbp->len;
1059 t = ((u_int64_t)epbp->timestamp_high) << 32 |
1060 epbp->timestamp_low;
1061 }
1062 goto found;
1063
1064 case BT_SPB:
1065 /*
1066 * Get a pointer to the fixed-length portion of the
1067 * SPB.
1068 */
1069 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1070 p->errbuf);
1071 if (spbp == NULL)
1072 return (-1); /* error */
1073
1074 /*
1075 * SPB packets are assumed to have arrived on
1076 * the first interface.
1077 */
1078 interface_id = 0;
1079
1080 /*
1081 * Byte-swap it if necessary.
1082 */
1083 if (p->swapped) {
1084 /* these were written in opposite byte order */
1085 hdr->len = SWAPLONG(spbp->len);
1086 } else
1087 hdr->len = spbp->len;
1088
1089 /*
1090 * The SPB doesn't give the captured length;
1091 * it's the minimum of the snapshot length
1092 * and the packet length.
1093 */
1094 hdr->caplen = hdr->len;
1095 if (hdr->caplen > p->snapshot)
1096 hdr->caplen = p->snapshot;
1097 t = 0; /* no time stamps */
1098 goto found;
1099
1100 case BT_PB:
1101 /*
1102 * Get a pointer to the fixed-length portion of the
1103 * PB.
1104 */
1105 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1106 p->errbuf);
1107 if (pbp == NULL)
1108 return (-1); /* error */
1109
1110 /*
1111 * Byte-swap it if necessary.
1112 */
1113 if (p->swapped) {
1114 /* these were written in opposite byte order */
1115 interface_id = SWAPSHORT(pbp->interface_id);
1116 hdr->caplen = SWAPLONG(pbp->caplen);
1117 hdr->len = SWAPLONG(pbp->len);
1118 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1119 SWAPLONG(pbp->timestamp_low);
1120 } else {
1121 interface_id = pbp->interface_id;
1122 hdr->caplen = pbp->caplen;
1123 hdr->len = pbp->len;
1124 t = ((u_int64_t)pbp->timestamp_high) << 32 |
1125 pbp->timestamp_low;
1126 }
1127 goto found;
1128
1129 case BT_IDB:
1130 /*
1131 * Interface Description Block. Get a pointer
1132 * to its fixed-length portion.
1133 */
1134 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1135 p->errbuf);
1136 if (idbp == NULL)
1137 return (-1); /* error */
1138
1139 /*
1140 * Byte-swap it if necessary.
1141 */
1142 if (p->swapped) {
1143 idbp->linktype = SWAPSHORT(idbp->linktype);
1144 idbp->snaplen = SWAPLONG(idbp->snaplen);
1145 }
1146
1147 /*
1148 * If the link-layer type or snapshot length
1149 * differ from the ones for the first IDB we
1150 * saw, quit.
1151 *
1152 * XXX - just discard packets from those
1153 * interfaces?
1154 */
1155 if (p->linktype != idbp->linktype) {
1156 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1157 "an interface has a type %u different from the type of the first interface",
1158 idbp->linktype);
1159 return (-1);
1160 }
1161 if (p->snapshot != idbp->snaplen) {
1162 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1163 "an interface has a snapshot length %u different from the type of the first interface",
1164 idbp->snaplen);
1165 return (-1);
1166 }
1167
1168 /*
1169 * Try to add this interface.
1170 */
1171 if (!add_interface(p, &cursor, p->errbuf))
1172 return (-1);
1173 break;
1174
1175 case BT_SHB:
1176 /*
1177 * Section Header Block. Get a pointer
1178 * to its fixed-length portion.
1179 */
1180 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1181 p->errbuf);
1182 if (shbp == NULL)
1183 return (-1); /* error */
1184
1185 /*
1186 * Assume the byte order of this section is
1187 * the same as that of the previous section.
1188 * We'll check for that later.
1189 */
1190 if (p->swapped) {
1191 shbp->byte_order_magic =
1192 SWAPLONG(shbp->byte_order_magic);
1193 shbp->major_version =
1194 SWAPSHORT(shbp->major_version);
1195 }
1196
1197 /*
1198 * Make sure the byte order doesn't change;
1199 * pcap_is_swapped() shouldn't change its
1200 * return value in the middle of reading a capture.
1201 */
1202 switch (shbp->byte_order_magic) {
1203
1204 case BYTE_ORDER_MAGIC:
1205 /*
1206 * OK.
1207 */
1208 break;
1209
1210 case SWAPLONG(BYTE_ORDER_MAGIC):
1211 /*
1212 * Byte order changes.
1213 */
1214 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1215 "the file has sections with different byte orders");
1216 return (-1);
1217
1218 default:
1219 /*
1220 * Not a valid SHB.
1221 */
1222 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1223 "the file has a section with a bad byte order magic field");
1224 return (-1);
1225 }
1226
1227 /*
1228 * Make sure the major version is the version
1229 * we handle.
1230 */
1231 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1232 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1233 "unknown pcap-ng savefile major version number %u",
1234 shbp->major_version);
1235 return (-1);
1236 }
1237
1238 /*
1239 * Reset the interface count; this section should
1240 * have its own set of IDBs. If any of them
1241 * don't have the same interface type, snapshot
1242 * length, or resolution as the first interface
1243 * we saw, we'll fail. (And if we don't see
1244 * any IDBs, we'll fail when we see a packet
1245 * block.)
1246 */
1247 ps->ifcount = 0;
1248 break;
1249
1250 default:
1251 /*
1252 * Not a packet block, IDB, or SHB; ignore it.
1253 */
1254 break;
1255 }
1256 }
1257
1258 found:
1259 /*
1260 * Is the interface ID an interface we know?
1261 */
1262 if (interface_id >= ps->ifcount) {
1263 /*
1264 * Yes. Fail.
1265 */
1266 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1267 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1268 interface_id);
1269 return (-1);
1270 }
1271
1272 /*
1273 * Convert the time stamp to seconds and fractions of a second,
1274 * with the fractions being in units of the file-supplied resolution.
1275 */
1276 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1277 frac = t % ps->ifaces[interface_id].tsresol;
1278
1279 /*
1280 * Convert the fractions from units of the file-supplied resolution
1281 * to units of the user-requested resolution.
1282 */
1283 switch (ps->ifaces[interface_id].scale_type) {
1284
1285 case PASS_THROUGH:
1286 /*
1287 * The interface resolution is what the user wants,
1288 * so we're done.
1289 */
1290 break;
1291
1292 case SCALE_UP_DEC:
1293 /*
1294 * The interface resolution is less than what the user
1295 * wants; scale the fractional part up to the units of
1296 * the resolution the user requested by multiplying by
1297 * the quotient of the user-requested resolution and the
1298 * file-supplied resolution.
1299 *
1300 * Those resolutions are both powers of 10, and the user-
1301 * requested resolution is greater than the file-supplied
1302 * resolution, so the quotient in question is an integer.
1303 * We've calculated that quotient already, so we just
1304 * multiply by it.
1305 */
1306 frac *= ps->ifaces[interface_id].scale_factor;
1307 break;
1308
1309 case SCALE_UP_BIN:
1310 /*
1311 * The interface resolution is less than what the user
1312 * wants; scale the fractional part up to the units of
1313 * the resolution the user requested by multiplying by
1314 * the quotient of the user-requested resolution and the
1315 * file-supplied resolution.
1316 *
1317 * The file-supplied resolution is a power of 2, so the
1318 * quotient is not an integer, so, in order to do this
1319 * entirely with integer arithmetic, we multiply by the
1320 * user-requested resolution and divide by the file-
1321 * supplied resolution.
1322 *
1323 * XXX - Is there something clever we could do here,
1324 * given that we know that the file-supplied resolution
1325 * is a power of 2? Doing a multiplication followed by
1326 * a division runs the risk of overflowing, and involves
1327 * two non-simple arithmetic operations.
1328 */
1329 frac *= ps->user_tsresol;
1330 frac /= ps->ifaces[interface_id].tsresol;
1331 break;
1332
1333 case SCALE_DOWN_DEC:
1334 /*
1335 * The interface resolution is greater than what the user
1336 * wants; scale the fractional part up to the units of
1337 * the resolution the user requested by multiplying by
1338 * the quotient of the user-requested resolution and the
1339 * file-supplied resolution.
1340 *
1341 * Those resolutions are both powers of 10, and the user-
1342 * requested resolution is less than the file-supplied
1343 * resolution, so the quotient in question isn't an
1344 * integer, but its reciprocal is, and we can just divide
1345 * by the reciprocal of the quotient. We've calculated
1346 * the reciprocal of that quotient already, so we must
1347 * divide by it.
1348 */
1349 frac /= ps->ifaces[interface_id].scale_factor;
1350 break;
1351
1352
1353 case SCALE_DOWN_BIN:
1354 /*
1355 * The interface resolution is greater than what the user
1356 * wants; convert the fractional part to units of the
1357 * resolution the user requested by multiplying by the
1358 * quotient of the user-requested resolution and the
1359 * file-supplied resolution. We do that by multiplying
1360 * by the user-requested resolution and dividing by the
1361 * file-supplied resolution, as the quotient might not
1362 * fit in an integer.
1363 *
1364 * The file-supplied resolution is a power of 2, so the
1365 * quotient is not an integer, and neither is its
1366 * reciprocal, so, in order to do this entirely with
1367 * integer arithmetic, we multiply by the user-requested
1368 * resolution and divide by the file-supplied resolution.
1369 *
1370 * XXX - Is there something clever we could do here,
1371 * given that we know that the file-supplied resolution
1372 * is a power of 2? Doing a multiplication followed by
1373 * a division runs the risk of overflowing, and involves
1374 * two non-simple arithmetic operations.
1375 */
1376 frac *= ps->user_tsresol;
1377 frac /= ps->ifaces[interface_id].tsresol;
1378 break;
1379 }
1380 hdr->ts.tv_sec = sec;
1381 hdr->ts.tv_usec = frac;
1382
1383 /*
1384 * Get a pointer to the packet data.
1385 */
1386 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1387 if (*data == NULL)
1388 return (-1);
1389
1390 if (p->swapped)
1391 swap_pseudo_headers(p->linktype, hdr, *data);
1392
1393 return (0);
1394 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism