1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include <pcap/pcap-inttypes.h>
29
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35
36 #include "pcap-int.h"
37
38 #include "pcap-common.h"
39
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43
44 #include "sf-pcapng.h"
45
46 /*
47 * Block types.
48 */
49
/*
 * Common part at the beginning of all blocks.
 *
 * read_block() fills this in directly from the file and byte-swaps both
 * fields when the section was written in the opposite byte order.
 * total_length is therefore file-controlled and has to be range-checked
 * before it is used to size a buffer or a read.
 */
struct block_header {
	bpf_u_int32	block_type;
	bpf_u_int32	total_length;
};

/*
 * Common trailer at the end of all blocks.
 *
 * Its size is included in the minimum block length that read_block()
 * accepts, and it is excluded from the byte count handed to the block
 * cursor.
 */
struct block_trailer {
	bpf_u_int32	total_length;
};
64
/*
 * Common options.
 */
#define OPT_ENDOFOPT	0	/* end of options */
#define OPT_COMMENT	1	/* comment string */

/*
 * Option header.
 *
 * option_length is the length of the option value as stored in the file;
 * get_optvalue_from_block_data() rounds it up to a multiple of 4 bytes
 * when stepping over the value.  Both fields are byte-swapped in place by
 * get_opthdr_from_block_data() when the section is in the opposite byte
 * order.
 */
struct option_header {
	u_short		option_code;
	u_short		option_length;
};
78
79 /*
80 * Structures for the part of each block type following the common
81 * part.
82 */
83
/*
 * Section Header Block.
 *
 * The block type is the byte sequence 0A 0D 0D 0A, which reads the same
 * in either byte order, so it can be compared before the byte order of
 * the section is known.
 */
#define BT_SHB			0x0A0D0D0A

struct section_header_block {
	bpf_u_int32	byte_order_magic;
	u_short		major_version;
	u_short		minor_version;
	uint64_t	section_length;
	/* followed by options and trailer */
};

/*
 * Byte-order magic value.
 *
 * pcap_ng_check_header() compares the value as read and then byte-swapped;
 * a match only after swapping marks the section as "swapped".
 */
#define BYTE_ORDER_MAGIC	0x1A2B3C4D

/*
 * Current version number.  If major_version isn't PCAP_NG_VERSION_MAJOR,
 * that means that this code can't read the file.
 */
#define PCAP_NG_VERSION_MAJOR	1
#define PCAP_NG_VERSION_MINOR	0
108
/*
 * Interface Description Block.
 */
#define BT_IDB			0x00000001

/*
 * Fixed-length part of the IDB.  linktype and snaplen come from the file
 * and are byte-swapped in place by the readers when necessary.
 */
struct interface_description_block {
	u_short		linktype;
	u_short		reserved;
	bpf_u_int32	snaplen;
	/* followed by options and trailer */
};

/*
 * Options in the IDB.
 *
 * process_idb_options() interprets only IF_TSRESOL and IF_TSOFFSET;
 * every other option code is skipped without being examined.
 */
#define IF_NAME		2	/* interface name string */
#define IF_DESCRIPTION	3	/* interface description string */
#define IF_IPV4ADDR	4	/* interface's IPv4 address and netmask */
#define IF_IPV6ADDR	5	/* interface's IPv6 address and prefix length */
#define IF_MACADDR	6	/* interface's MAC address */
#define IF_EUIADDR	7	/* interface's EUI address */
#define IF_SPEED	8	/* interface's speed, in bits/s */
#define IF_TSRESOL	9	/* interface's time stamp resolution */
#define IF_TZONE	10	/* interface's time zone */
#define IF_FILTER	11	/* filter used when capturing on interface */
#define IF_OS		12	/* string OS on which capture on this interface was done */
#define IF_FCSLEN	13	/* FCS length for this interface */
#define IF_TSOFFSET	14	/* time stamp offset for this interface */
137
/*
 * Enhanced Packet Block.
 */
#define BT_EPB			0x00000006

/*
 * Fixed-length part of the EPB.  interface_id, caplen and len are taken
 * from the file as-is by pcap_ng_next_packet(); they are untrusted until
 * checked against the interface count and the data left in the block.
 */
struct enhanced_packet_block {
	bpf_u_int32	interface_id;
	bpf_u_int32	timestamp_high;
	bpf_u_int32	timestamp_low;
	bpf_u_int32	caplen;
	bpf_u_int32	len;
	/* followed by packet data, options, and trailer */
};

/*
 * Simple Packet Block.
 */
#define BT_SPB			0x00000003

/*
 * Fixed-length part of the SPB.  It carries no captured length, no
 * interface ID and no time stamp; pcap_ng_next_packet() derives the
 * captured length from len and the snapshot length.
 */
struct simple_packet_block {
	bpf_u_int32	len;
	/* followed by packet data and trailer */
};

/*
 * Packet Block.
 */
#define BT_PB			0x00000002

/*
 * Fixed-length part of the PB.  Unlike the EPB, the interface ID is only
 * 16 bits wide here.
 */
struct packet_block {
	u_short		interface_id;
	u_short		drops_count;
	bpf_u_int32	timestamp_high;
	bpf_u_int32	timestamp_low;
	bpf_u_int32	caplen;
	bpf_u_int32	len;
	/* followed by packet data, options, and trailer */
};
176
/*
 * Block cursor - used when processing the contents of a block.
 * Contains a pointer into the data being processed and a count
 * of bytes remaining in the block.
 *
 * data points into the pcap_t's read buffer, so a cursor is only valid
 * until the next block is read.  All consumers are expected to go through
 * get_from_block_data(), which checks data_remaining before advancing.
 */
struct block_cursor {
	u_char		*data;
	size_t		data_remaining;
	bpf_u_int32	block_type;
};

/*
 * How time stamps from an interface have to be converted to the
 * resolution the user asked for; chosen per interface by add_interface().
 */
typedef enum {
	PASS_THROUGH,
	SCALE_UP_DEC,
	SCALE_DOWN_DEC,
	SCALE_UP_BIN,
	SCALE_DOWN_BIN
} tstamp_scale_type_t;

/*
 * Per-interface information.
 *
 * scale_factor is only assigned by add_interface() for the two *_DEC
 * scale types.
 */
struct pcap_ng_if {
	uint64_t tsresol;		/* time stamp resolution */
	tstamp_scale_type_t scale_type;	/* how to scale */
	uint64_t scale_factor;		/* time stamp scale factor for power-of-10 tsresol */
	uint64_t tsoffset;		/* time stamp offset */
};
205
/*
 * Per-pcap_t private data.
 *
 * max_blocksize is the maximum size of a block that we'll accept.  We
 * reject blocks bigger than this, so we don't consume too much memory
 * with a truly huge block.  It can change as we see IDBs with different
 * link-layer header types.  (Currently, we don't support IDBs with
 * different link-layer header types, but we will support it in the
 * future, when we offer file-reading APIs that support it.)
 *
 * XXX - that's an issue on ILP32 platforms, where the maximum block
 * size of 2^31-1 would eat all but one byte of the entire address space.
 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
 * of the address space may be limited by 1) the number of *significant*
 * address bits (currently, x86-64 only supports 48 bits of address), 2)
 * any limitations imposed by the operating system; 3) any limitations
 * imposed by the amount of available backing store for anonymous pages,
 * so we impose a limit regardless of the size of a pointer.
 *
 * ifcount is the number of valid entries in ifaces and ifaces_size is the
 * number of entries allocated; interface IDs read from packet blocks must
 * be checked against ifcount before they are used as an index.
 */
struct pcap_ng_sf {
	uint64_t user_tsresol;		/* time stamp resolution requested by the user */
	u_int max_blocksize;		/* don't grow buffer size past this */
	bpf_u_int32 ifcount;		/* number of interfaces seen in this capture */
	bpf_u_int32 ifaces_size;	/* size of array below */
	struct pcap_ng_if *ifaces;	/* array of interface information */
};
232
/*
 * The maximum block size we start with; we use an arbitrary value of
 * 16 MiB.
 *
 * This is the cap applied to the file-supplied block length before any
 * buffer is allocated for it.
 */
#define INITIAL_MAX_BLOCKSIZE	(16*1024*1024)

/*
 * Maximum block size for a given maximum snapshot length; we define it
 * as the size of an EPB with a max_snaplen-sized packet and 128KB of
 * options.
 *
 * The expression has type size_t because of the sizeof operands; the
 * argument is evaluated once.
 */
#define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
	(sizeof (struct block_header) + \
	 sizeof (struct enhanced_packet_block) + \
	 (max_snaplen) + 131072 + \
	 sizeof (struct block_trailer))

/* Forward declarations of the operations installed by pcap_ng_check_header(). */
static void pcap_ng_cleanup(pcap_t *p);
static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
    u_char **data);
253
/*
 * Read exactly bytes_to_read bytes from fp into buf.
 *
 * Returns 1 when the full amount was read, 0 when nothing at all could be
 * read because of EOF and fail_on_eof is zero, and -1 otherwise (I/O error
 * or a short read), with a message left in errbuf.
 */
static int
read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
    char *errbuf)
{
	size_t got = fread(buf, 1, bytes_to_read, fp);

	/* The common case: everything that was asked for arrived. */
	if (got == bytes_to_read)
		return (1);

	if (ferror(fp)) {
		pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
		    errno, "error reading dump file");
		return (-1);
	}

	/* A clean EOF on a block boundary is not an error if allowed. */
	if (got == 0 && !fail_on_eof)
		return (0);

	pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
	    "truncated dump file; tried to read %" PRIsize " bytes, only got %" PRIsize,
	    bytes_to_read, got);
	return (-1);
}
276
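/*
 * Read the next block from fp into p->buffer and point *cursor at the
 * block body (the bytes between the common header and the trailer).
 *
 * The block length comes from the file, so it is checked three ways
 * before the body is trusted: it must cover at least a header and a
 * trailer, it must not exceed ps->max_blocksize when the buffer has to
 * grow, and the length repeated in the trailer must agree with the one in
 * the header.
 *
 * Returns 1 on success, 0 on EOF at a block boundary, and -1 on error
 * with a message in errbuf.
 */
static int
read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct pcap_ng_sf *ps;
	int status;
	struct block_header bhdr;
	struct block_trailer btrlr;
	u_char *bdata;
	size_t data_remaining;

	ps = p->priv;

	status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
	if (status <= 0)
		return (status);	/* error or EOF */

	if (p->swapped) {
		bhdr.block_type = SWAPLONG(bhdr.block_type);
		bhdr.total_length = SWAPLONG(bhdr.total_length);
	}

	/*
	 * Is this block "too small" - i.e., is it shorter than a block
	 * header plus a block trailer?  This also guarantees that the
	 * subtractions below cannot wrap.
	 */
	if (bhdr.total_length < sizeof(struct block_header) +
	    sizeof(struct block_trailer)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block in pcapng dump file has a length of %u < %" PRIsize,
		    bhdr.total_length,
		    sizeof(struct block_header) + sizeof(struct block_trailer));
		return (-1);
	}

	/*
	 * Is the buffer big enough?
	 */
	if (p->bufsize < bhdr.total_length) {
		/*
		 * No - make it big enough, unless it's too big, in
		 * which case we fail.
		 */
		void *bigger_buffer;

		if (bhdr.total_length > ps->max_blocksize) {
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
			    ps->max_blocksize);
			return (-1);
		}
		bigger_buffer = realloc(p->buffer, bhdr.total_length);
		if (bigger_buffer == NULL) {
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
			return (-1);
		}
		p->buffer = bigger_buffer;

		/*
		 * Record the new size, so that the recorded size always
		 * matches the allocation and a later, smaller block does
		 * not trigger a pointless reallocation.
		 */
		p->bufsize = bhdr.total_length;
	}

	/*
	 * Copy the stuff we've read to the buffer, and read the rest
	 * of the block.
	 */
	memcpy(p->buffer, &bhdr, sizeof(bhdr));
	bdata = (u_char *)p->buffer + sizeof(bhdr);
	data_remaining = bhdr.total_length - sizeof(bhdr);
	if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
		return (-1);

	/*
	 * The trailer repeats the total length.  A block whose two
	 * lengths disagree is malformed, so reject it rather than parse
	 * a body whose extent is in doubt.  memcpy() is used because the
	 * trailer need not be suitably aligned within the buffer.
	 */
	memcpy(&btrlr, bdata + data_remaining - sizeof(btrlr), sizeof(btrlr));
	if (p->swapped)
		btrlr.total_length = SWAPLONG(btrlr.total_length);
	if (btrlr.total_length != bhdr.total_length) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block total length in header (%u) and trailer (%u) don't match",
		    bhdr.total_length, btrlr.total_length);
		return (-1);
	}

	/*
	 * Initialize the cursor; the trailer is not part of the body.
	 */
	cursor->data = bdata;
	cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
	cursor->block_type = bhdr.block_type;
	return (1);
}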
351
/*
 * Hand out the next chunk_size bytes of the current block and advance the
 * cursor past them.
 *
 * This is the bounds check for every structure parsed out of a block:
 * if fewer than chunk_size bytes remain, NULL is returned with a message
 * in errbuf and the cursor is left untouched.
 */
static void *
get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
    char *errbuf)
{
	u_char *chunk_start;

	if (chunk_size > cursor->data_remaining) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block of type %u in pcapng dump file is too short",
		    cursor->block_type);
		return (NULL);
	}

	/* Remember where the chunk begins, then step over it. */
	chunk_start = cursor->data;
	cursor->data = chunk_start + chunk_size;
	cursor->data_remaining -= chunk_size;
	return (chunk_start);
}
377
/*
 * Fetch the next option header from the block and convert it to host
 * byte order in place.
 *
 * Returns NULL, with errbuf set by get_from_block_data(), if the block
 * ends before a complete option header.
 */
static struct option_header *
get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct option_header *hdr;

	hdr = get_from_block_data(cursor, sizeof(*hdr), errbuf);

	/* Only a header that was actually obtained can be byte-swapped. */
	if (hdr != NULL && p->swapped) {
		hdr->option_code = SWAPSHORT(hdr->option_code);
		hdr->option_length = SWAPSHORT(hdr->option_length);
	}

	return (hdr);
}
401
/*
 * Fetch the value belonging to opthdr from the block.
 *
 * The length consumed is option_length rounded up to a 4-byte boundary;
 * the arithmetic is done in size_t, so the rounding cannot wrap for a
 * 16-bit option length.  Returns NULL, with errbuf set, if the padded
 * value runs past the end of the block.
 */
static void *
get_optvalue_from_block_data(struct block_cursor *cursor,
    struct option_header *opthdr, char *errbuf)
{
	size_t value_len = opthdr->option_length;

	/* Round up to the next multiple of 4. */
	value_len = (value_len + 3) & ~(size_t)3;

	return (get_from_block_data(cursor, value_len, errbuf));
}
423
/*
 * Walk the options of an Interface Description Block and pick out the
 * time stamp resolution (if_tsresol) and offset (if_tsoffset).
 *
 * *tsresol, *tsoffset and *is_binary are only written when the matching
 * option is present, so the caller must preload its defaults.  Each of
 * the two options may appear at most once and must have exactly the
 * expected length; all other options are skipped.
 *
 * Returns 0 on success and -1, with a message in errbuf, on a malformed
 * option list.
 */
static int
process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
    uint64_t *tsoffset, int *is_binary, char *errbuf)
{
	int have_tsresol = 0;
	int have_tsoffset = 0;

	while (cursor->data_remaining != 0) {
		struct option_header *oh;
		void *value;
		uint8_t resol_byte;

		/*
		 * Header first, then the (padded) value; either can be
		 * cut short by the end of the block.
		 */
		oh = get_opthdr_from_block_data(p, cursor, errbuf);
		if (oh == NULL)
			return (-1);

		value = get_optvalue_from_block_data(cursor, oh, errbuf);
		if (value == NULL)
			return (-1);

		switch (oh->option_code) {

		case OPT_ENDOFOPT:
			if (oh->option_length != 0) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has opt_endofopt option with length %u != 0",
				    oh->option_length);
				return (-1);
			}
			/* Explicit end of the option list. */
			return (0);

		case IF_TSRESOL:
			if (oh->option_length != 1) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has if_tsresol option with length %u != 1",
				    oh->option_length);
				return (-1);
			}
			if (have_tsresol) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has more than one if_tsresol option");
				return (-1);
			}
			have_tsresol = 1;
			resol_byte = *(const uint8_t *)value;

			if (resol_byte & 0x80) {
				/*
				 * High bit set: the low 7 bits are a
				 * negative power of 2.
				 */
				uint8_t shift = (resol_byte & 0x7F);

				if (shift > 63) {
					/*
					 * 2^shift would not fit in a
					 * 64-bit value, and shifting by
					 * 64 or more is undefined.
					 */
					pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
					    "Interface Description Block if_tsresol option resolution 2^-%u is too high",
					    shift);
					return (-1);
				}
				*is_binary = 1;
				*tsresol = ((uint64_t)1) << shift;
			} else {
				/*
				 * High bit clear: the value is a negative
				 * power of 10.
				 */
				uint64_t pow10 = 1;
				uint8_t k;

				if (resol_byte > 19) {
					/*
					 * 10^19 is the largest power of
					 * 10 that fits in 64 bits (the
					 * largest unsigned 64-bit value
					 * is ~1.8*10^19).
					 */
					pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
					    "Interface Description Block if_tsresol option resolution 10^-%u is too high",
					    resol_byte);
					return (-1);
				}
				for (k = resol_byte; k != 0; k--)
					pow10 *= 10;
				*is_binary = 0;
				*tsresol = pow10;
			}
			break;

		case IF_TSOFFSET:
			if (oh->option_length != 8) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has if_tsoffset option with length %u != 8",
				    oh->option_length);
				return (-1);
			}
			if (have_tsoffset) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has more than one if_tsoffset option");
				return (-1);
			}
			have_tsoffset = 1;

			/* Copy out; the value need not be 8-byte aligned. */
			memcpy(tsoffset, value, sizeof(*tsoffset));
			if (p->swapped)
				*tsoffset = SWAPLL(*tsoffset);
			break;

		default:
			/* Not an option this reader interprets. */
			break;
		}
	}

	/* Ran out of block data without an explicit opt_endofopt. */
	return (0);
}
554
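/*
 * Record a newly seen interface: grow the per-interface array if needed,
 * parse the IDB's time stamp options from cursor, and work out how the
 * interface's time stamps have to be scaled to the user's resolution.
 *
 * ps->ifcount is only advanced once the new entry is completely filled
 * in.  On any failure the count is unchanged, so it never covers an
 * entry that was not allocated or not initialized; code that validates
 * an interface ID against ifcount can then safely index ps->ifaces.
 *
 * Returns 1 on success and 0 on failure, with a message in errbuf.
 */
static int
add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct pcap_ng_sf *ps;
	struct pcap_ng_if *iface;
	bpf_u_int32 new_ifcount;
	uint64_t tsresol;
	uint64_t tsoffset;
	int is_binary;

	ps = p->priv;

	/*
	 * The count this interface will bring us to, if all goes well.
	 * ifcount never exceeds ifaces_size, which the doubling check
	 * below keeps at or under 2^31, so this cannot wrap.
	 */
	new_ifcount = ps->ifcount + 1;

	/*
	 * Grow the array of per-interface information as necessary.
	 */
	if (new_ifcount > ps->ifaces_size) {
		bpf_u_int32 new_ifaces_size;
		struct pcap_ng_if *new_ifaces;

		if (ps->ifaces_size == 0) {
			/*
			 * It's currently empty.  Testing the size rather
			 * than the pointer keeps static analyzers from
			 * warning about a possible zero-size realloc().
			 */
			new_ifaces_size = 1;
			new_ifaces = malloc(sizeof (struct pcap_ng_if));
		} else {
			/*
			 * It's not currently empty; double its size.
			 * (Perhaps overkill once we have a lot of interfaces.)
			 *
			 * Check for overflow if we double it.
			 */
			if (ps->ifaces_size * 2 < ps->ifaces_size) {
				/*
				 * The maximum number of interfaces before
				 * ps->ifaces_size overflows is the largest
				 * possible 32-bit power of 2, as we do
				 * size doubling.
				 */
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "more than %u interfaces in the file",
				    0x80000000U);
				return (0);
			}

			/*
			 * ps->ifaces_size * 2 doesn't overflow, so it's
			 * safe to multiply.
			 */
			new_ifaces_size = ps->ifaces_size * 2;

			/*
			 * Now make sure the byte count fits in a size_t.
			 * Compare against the quotient rather than testing
			 * whether the product came out smaller than the
			 * operand: a wrapped product is not guaranteed to
			 * be smaller when the element size is not a power
			 * of 2.  This can only fail with a 32-bit size_t.
			 */
			if (new_ifaces_size > ((size_t)-1) / sizeof (struct pcap_ng_if)) {
				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "more than %u interfaces in the file",
				    0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
				return (0);
			}
			new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
		}
		if (new_ifaces == NULL) {
			/*
			 * We ran out of memory.
			 * Give up.
			 */
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "out of memory for per-interface information (%u interfaces)",
			    new_ifcount);
			return (0);
		}
		ps->ifaces_size = new_ifaces_size;
		ps->ifaces = new_ifaces;
	}

	/*
	 * Set the default time stamp resolution and offset.
	 */
	tsresol = 1000000;	/* microsecond resolution */
	is_binary = 0;		/* which is a power of 10 */
	tsoffset = 0;		/* absolute timestamps */

	/*
	 * Now look for various time stamp options, so we know
	 * how to interpret the time stamps for this interface.
	 */
	if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
	    errbuf) == -1)
		return (0);

	iface = &ps->ifaces[new_ifcount - 1];
	iface->tsresol = tsresol;
	iface->tsoffset = tsoffset;

	/*
	 * Determine whether we're scaling up or down or not
	 * at all for this interface.
	 */
	if (tsresol == ps->user_tsresol) {
		/*
		 * The resolution is the resolution the user wants,
		 * so we don't have to do scaling.
		 */
		iface->scale_type = PASS_THROUGH;
	} else if (tsresol > ps->user_tsresol) {
		/*
		 * The resolution is greater than what the user wants,
		 * so we have to scale the timestamps down.
		 */
		if (is_binary)
			iface->scale_type = SCALE_DOWN_BIN;
		else {
			/*
			 * Calculate the scale factor.
			 */
			iface->scale_factor = tsresol/ps->user_tsresol;
			iface->scale_type = SCALE_DOWN_DEC;
		}
	} else {
		/*
		 * The resolution is less than what the user wants,
		 * so we have to scale the timestamps up.
		 */
		if (is_binary)
			iface->scale_type = SCALE_UP_BIN;
		else {
			/*
			 * Calculate the scale factor.
			 */
			iface->scale_factor = ps->user_tsresol/tsresol;
			iface->scale_type = SCALE_UP_DEC;
		}
	}

	/*
	 * The entry is complete; only now does it count.
	 */
	ps->ifcount = new_ifcount;
	return (1);
}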
724
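/*
 * Check whether this is a pcapng savefile and, if it is, extract the
 * relevant information from the header.
 *
 * magic is the first 4 bytes of the file, already read by the caller;
 * the rest of the Section Header Block and everything up to and
 * including the first Interface Description Block is read from fp.
 *
 * Returns a new pcap_t on success.  Returns NULL with *err set to 0 if
 * the file is not a pcapng file (the caller may try other formats), and
 * NULL with *err set to 1 and a message in errbuf if it is a pcapng file
 * that cannot be read or if an I/O or allocation error occurred.
 *
 * Every length taken from the file is range-checked before it sizes an
 * allocation or a read.
 */
pcap_t *
pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
    int *err)
{
	size_t amt_read;
	bpf_u_int32 total_length;
	bpf_u_int32 byte_order_magic;
	struct block_header *bhdrp;
	struct section_header_block *shbp;
	pcap_t *p;
	int swapped = 0;
	struct pcap_ng_sf *ps;
	int status;
	struct block_cursor cursor;
	struct interface_description_block *idbp;

	/*
	 * Assume no read errors.
	 */
	*err = 0;

	/*
	 * Check whether the first 4 bytes of the file are the block
	 * type for a pcapng savefile.
	 */
	if (magic != BT_SHB) {
		/*
		 * XXX - check whether this looks like what the block
		 * type would be after being munged by mapping between
		 * UN*X and DOS/Windows text file format and, if it
		 * does, look for the byte-order magic number in
		 * the appropriate place and, if we find it, report
		 * this as possibly being a pcapng file transferred
		 * between UN*X and Windows in text file format?
		 */
		return (NULL);	/* nope */
	}

	/*
	 * OK, they are.  However, that's just \n\r\r\n, so it could,
	 * conceivably, be an ordinary text file.
	 *
	 * It could not, however, conceivably be any other type of
	 * capture file, so we can read the rest of the putative
	 * Section Header Block; put the block type in the common
	 * header, read the rest of the common header and the
	 * fixed-length portion of the SHB, and look for the byte-order
	 * magic value.
	 */
	amt_read = fread(&total_length, 1, sizeof(total_length), fp);
	if (amt_read < sizeof(total_length)) {
		if (ferror(fp)) {
			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
			    errno, "error reading dump file");
			*err = 1;
			return (NULL);	/* fail */
		}

		/*
		 * Possibly a weird short text file, so just say
		 * "not pcapng".
		 */
		return (NULL);
	}
	amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
	if (amt_read < sizeof(byte_order_magic)) {
		if (ferror(fp)) {
			pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
			    errno, "error reading dump file");
			*err = 1;
			return (NULL);	/* fail */
		}

		/*
		 * Possibly a weird short text file, so just say
		 * "not pcapng".
		 */
		return (NULL);
	}
	if (byte_order_magic != BYTE_ORDER_MAGIC) {
		byte_order_magic = SWAPLONG(byte_order_magic);
		if (byte_order_magic != BYTE_ORDER_MAGIC) {
			/*
			 * Not a pcapng file.
			 */
			return (NULL);
		}
		swapped = 1;
		total_length = SWAPLONG(total_length);
	}

	/*
	 * Check the sanity of the total length.  The lower bound also
	 * guarantees that the subtraction in the read below cannot wrap.
	 */
	if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "Section Header Block in pcapng dump file has a length of %u < %" PRIsize,
		    total_length,
		    sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer));
		*err = 1;
		return (NULL);
	}

	/*
	 * Make sure it's not too big; this bounds the allocation below.
	 */
	if (total_length > INITIAL_MAX_BLOCKSIZE) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "pcapng block size %u > maximum %u",
		    total_length, INITIAL_MAX_BLOCKSIZE);
		*err = 1;
		return (NULL);
	}

	/*
	 * OK, this is a good pcapng file.
	 * Allocate a pcap_t for it.
	 */
	p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
	if (p == NULL) {
		/* Allocation failed. */
		*err = 1;
		return (NULL);
	}
	p->swapped = swapped;
	ps = p->priv;

	/*
	 * What precision does the user want?
	 */
	switch (precision) {

	case PCAP_TSTAMP_PRECISION_MICRO:
		ps->user_tsresol = 1000000;
		break;

	case PCAP_TSTAMP_PRECISION_NANO:
		ps->user_tsresol = 1000000000;
		break;

	default:
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "unknown time stamp resolution %u", precision);
		free(p);
		*err = 1;
		return (NULL);
	}

	/*
	 * Save the time stamp resolution the user requested.
	 */
	p->opt.tstamp_precision = precision;

	/*
	 * Allocate a buffer into which to read blocks.  We default to
	 * the maximum of:
	 *
	 *	the total length of the SHB for which we read the header;
	 *
	 *	2K, which should be more than large enough for an Enhanced
	 *	Packet Block containing a full-size Ethernet frame, and
	 *	leaving room for some options.
	 *
	 * If we find a bigger block, we reallocate the buffer, up to
	 * the maximum size.  We start out with a maximum size of
	 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
	 * with a maximum snapshot that results in a larger maximum
	 * block length, we boost the maximum.
	 */
	p->bufsize = 2048;
	if (p->bufsize < total_length)
		p->bufsize = total_length;
	p->buffer = malloc(p->bufsize);
	if (p->buffer == NULL) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
		free(p);
		*err = 1;
		return (NULL);
	}
	ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;

	/*
	 * Copy the stuff we've read to the buffer, and read the rest
	 * of the SHB.
	 */
	bhdrp = (struct block_header *)p->buffer;
	shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
	bhdrp->block_type = magic;
	bhdrp->total_length = total_length;
	shbp->byte_order_magic = byte_order_magic;
	if (read_bytes(fp,
	    (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
	    total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
	    1, errbuf) == -1)
		goto fail;

	if (p->swapped) {
		/*
		 * Byte-swap the fields we've read.
		 */
		shbp->major_version = SWAPSHORT(shbp->major_version);
		shbp->minor_version = SWAPSHORT(shbp->minor_version);

		/*
		 * XXX - we don't care about the section length.
		 */
	}
	/* currently only SHB version 1.0 is supported */
	if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
	       shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "unsupported pcapng savefile version %u.%u",
		    shbp->major_version, shbp->minor_version);
		goto fail;
	}
	p->version_major = shbp->major_version;
	p->version_minor = shbp->minor_version;

	/*
	 * Now start looking for an Interface Description Block.
	 */
	for (;;) {
		/*
		 * Read the next block.
		 */
		status = read_block(fp, p, &cursor, errbuf);
		if (status == 0) {
			/* EOF - no IDB in this file */
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "the capture file has no Interface Description Blocks");
			goto fail;
		}
		if (status == -1)
			goto fail;	/* error */
		switch (cursor.block_type) {

		case BT_IDB:
			/*
			 * Get a pointer to the fixed-length portion of the
			 * IDB.
			 */
			idbp = get_from_block_data(&cursor, sizeof(*idbp),
			    errbuf);
			if (idbp == NULL)
				goto fail;	/* error */

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				idbp->linktype = SWAPSHORT(idbp->linktype);
				idbp->snaplen = SWAPLONG(idbp->snaplen);
			}

			/*
			 * Try to add this interface.
			 */
			if (!add_interface(p, &cursor, errbuf))
				goto fail;

			goto done;

		case BT_EPB:
		case BT_SPB:
		case BT_PB:
			/*
			 * Saw a packet before we saw any IDBs.  That's
			 * not valid, as we don't know what link-layer
			 * encapsulation the packet has.
			 */
			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "the capture file has a packet block before any Interface Description Blocks");
			goto fail;

		default:
			/*
			 * Just ignore it.
			 */
			break;
		}
	}

done:
	/*
	 * Map the file's LINKTYPE_ value to a DLT_ value first, so that
	 * every later lookup keyed by DLT_ gets the mapped value.
	 * idbp still points into p->buffer, which has not been touched
	 * since the IDB was read.
	 */
	p->linktype = linktype_to_dlt(idbp->linktype);
	p->linktype_ext = 0;

	p->snapshot = idbp->snaplen;
	if (p->snapshot <= 0) {
		/*
		 * Bogus snapshot length; use the maximum for this
		 * link-layer type as a fallback.  The helper is named
		 * for, and is called below with, a DLT_ value, so pass
		 * the mapped type rather than the raw LINKTYPE_ value.
		 *
		 * XXX - the only reason why snapshot is signed is
		 * that pcap_snapshot() returns an int, not an
		 * unsigned int.
		 */
		p->snapshot = max_snaplen_for_dlt(p->linktype);
	}

	/*
	 * If the maximum block size for a packet with the maximum
	 * snapshot length for this DLT_ is bigger than the current
	 * maximum block size, increase the maximum.
	 */
	if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
		ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));

	p->next_packet_op = pcap_ng_next_packet;
	p->cleanup_op = pcap_ng_cleanup;

	return (p);

fail:
	free(ps->ifaces);
	free(p->buffer);
	free(p);
	*err = 1;
	return (NULL);
}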
1049
/*
 * Cleanup operation for a pcapng pcap_t: release the per-interface array
 * held in the private data, then let sf_cleanup() do the rest.
 */
static void
pcap_ng_cleanup(pcap_t *p)
{
	struct pcap_ng_sf *priv;

	priv = p->priv;
	free(priv->ifaces);	/* free(NULL) is harmless if no IDB was added */

	sf_cleanup(p);
}
1058
1059 /*
1060 * Read and return the next packet from the savefile. Return the header
1061 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1062 * if there were no more packets, and -1 on an error.
1063 */
1064 static int
1065 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1066 {
1067 struct pcap_ng_sf *ps = p->priv;
1068 struct block_cursor cursor;
1069 int status;
1070 struct enhanced_packet_block *epbp;
1071 struct simple_packet_block *spbp;
1072 struct packet_block *pbp;
1073 bpf_u_int32 interface_id = 0xFFFFFFFF;
1074 struct interface_description_block *idbp;
1075 struct section_header_block *shbp;
1076 FILE *fp = p->rfile;
1077 uint64_t t, sec, frac;
1078
1079 /*
1080 * Look for an Enhanced Packet Block, a Simple Packet Block,
1081 * or a Packet Block.
1082 */
1083 for (;;) {
1084 /*
1085 * Read the block type and length; those are common
1086 * to all blocks.
1087 */
1088 status = read_block(fp, p, &cursor, p->errbuf);
1089 if (status == 0)
1090 return (1); /* EOF */
1091 if (status == -1)
1092 return (-1); /* error */
1093 switch (cursor.block_type) {
1094
1095 case BT_EPB:
1096 /*
1097 * Get a pointer to the fixed-length portion of the
1098 * EPB.
1099 */
1100 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1101 p->errbuf);
1102 if (epbp == NULL)
1103 return (-1); /* error */
1104
1105 /*
1106 * Byte-swap it if necessary.
1107 */
1108 if (p->swapped) {
1109 /* these were written in opposite byte order */
1110 interface_id = SWAPLONG(epbp->interface_id);
1111 hdr->caplen = SWAPLONG(epbp->caplen);
1112 hdr->len = SWAPLONG(epbp->len);
1113 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1114 SWAPLONG(epbp->timestamp_low);
1115 } else {
1116 interface_id = epbp->interface_id;
1117 hdr->caplen = epbp->caplen;
1118 hdr->len = epbp->len;
1119 t = ((uint64_t)epbp->timestamp_high) << 32 |
1120 epbp->timestamp_low;
1121 }
1122 goto found;
1123
1124 case BT_SPB:
1125 /*
1126 * Get a pointer to the fixed-length portion of the
1127 * SPB.
1128 */
1129 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1130 p->errbuf);
1131 if (spbp == NULL)
1132 return (-1); /* error */
1133
1134 /*
1135 * SPB packets are assumed to have arrived on
1136 * the first interface.
1137 */
1138 interface_id = 0;
1139
1140 /*
1141 * Byte-swap it if necessary.
1142 */
1143 if (p->swapped) {
1144 /* these were written in opposite byte order */
1145 hdr->len = SWAPLONG(spbp->len);
1146 } else
1147 hdr->len = spbp->len;
1148
1149 /*
1150 * The SPB doesn't give the captured length;
1151 * it's the minimum of the snapshot length
1152 * and the packet length.
1153 */
1154 hdr->caplen = hdr->len;
1155 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1156 hdr->caplen = p->snapshot;
1157 t = 0; /* no time stamps */
1158 goto found;
1159
1160 case BT_PB:
1161 /*
1162 * Get a pointer to the fixed-length portion of the
1163 * PB.
1164 */
1165 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1166 p->errbuf);
1167 if (pbp == NULL)
1168 return (-1); /* error */
1169
1170 /*
1171 * Byte-swap it if necessary.
1172 */
1173 if (p->swapped) {
1174 /* these were written in opposite byte order */
1175 interface_id = SWAPSHORT(pbp->interface_id);
1176 hdr->caplen = SWAPLONG(pbp->caplen);
1177 hdr->len = SWAPLONG(pbp->len);
1178 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1179 SWAPLONG(pbp->timestamp_low);
1180 } else {
1181 interface_id = pbp->interface_id;
1182 hdr->caplen = pbp->caplen;
1183 hdr->len = pbp->len;
1184 t = ((uint64_t)pbp->timestamp_high) << 32 |
1185 pbp->timestamp_low;
1186 }
1187 goto found;
1188
1189 case BT_IDB:
1190 /*
1191 * Interface Description Block. Get a pointer
1192 * to its fixed-length portion.
1193 */
1194 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1195 p->errbuf);
1196 if (idbp == NULL)
1197 return (-1); /* error */
1198
1199 /*
1200 * Byte-swap it if necessary.
1201 */
1202 if (p->swapped) {
1203 idbp->linktype = SWAPSHORT(idbp->linktype);
1204 idbp->snaplen = SWAPLONG(idbp->snaplen);
1205 }
1206
1207 /*
1208 * If the link-layer type or snapshot length
1209 * differ from the ones for the first IDB we
1210 * saw, quit.
1211 *
1212 * XXX - just discard packets from those
1213 * interfaces?
1214 */
1215 if (p->linktype != idbp->linktype) {
1216 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1217 "an interface has a type %u different from the type of the first interface",
1218 idbp->linktype);
1219 return (-1);
1220 }
1221 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1222 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1223 "an interface has a snapshot length %u different from the type of the first interface",
1224 idbp->snaplen);
1225 return (-1);
1226 }
1227
1228 /*
1229 * Try to add this interface.
1230 */
1231 if (!add_interface(p, &cursor, p->errbuf))
1232 return (-1);
1233 break;
1234
1235 case BT_SHB:
1236 /*
1237 * Section Header Block. Get a pointer
1238 * to its fixed-length portion.
1239 */
1240 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1241 p->errbuf);
1242 if (shbp == NULL)
1243 return (-1); /* error */
1244
1245 /*
1246 * Assume the byte order of this section is
1247 * the same as that of the previous section.
1248 * We'll check for that later.
1249 */
1250 if (p->swapped) {
1251 shbp->byte_order_magic =
1252 SWAPLONG(shbp->byte_order_magic);
1253 shbp->major_version =
1254 SWAPSHORT(shbp->major_version);
1255 }
1256
1257 /*
1258 * Make sure the byte order doesn't change;
1259 * pcap_is_swapped() shouldn't change its
1260 * return value in the middle of reading a capture.
1261 */
1262 switch (shbp->byte_order_magic) {
1263
1264 case BYTE_ORDER_MAGIC:
1265 /*
1266 * OK.
1267 */
1268 break;
1269
1270 case SWAPLONG(BYTE_ORDER_MAGIC):
1271 /*
1272 * Byte order changes.
1273 */
1274 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1275 "the file has sections with different byte orders");
1276 return (-1);
1277
1278 default:
1279 /*
1280 * Not a valid SHB.
1281 */
1282 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1283 "the file has a section with a bad byte order magic field");
1284 return (-1);
1285 }
1286
1287 /*
1288 * Make sure the major version is the version
1289 * we handle.
1290 */
1291 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1292 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1293 "unknown pcapng savefile major version number %u",
1294 shbp->major_version);
1295 return (-1);
1296 }
1297
1298 /*
1299 * Reset the interface count; this section should
1300 * have its own set of IDBs. If any of them
1301 * don't have the same interface type, snapshot
1302 * length, or resolution as the first interface
1303 * we saw, we'll fail. (And if we don't see
1304 * any IDBs, we'll fail when we see a packet
1305 * block.)
1306 */
1307 ps->ifcount = 0;
1308 break;
1309
1310 default:
1311 /*
1312 * Not a packet block, IDB, or SHB; ignore it.
1313 */
1314 break;
1315 }
1316 }
1317
1318 found:
1319 /*
1320 * Is the interface ID an interface we know?
1321 */
1322 if (interface_id >= ps->ifcount) {
1323 /*
1324 * No. Fail, rather than index ps->ifaces with it below.
1325 */
1326 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1327 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1328 interface_id);
1329 return (-1);
1330 }
1331
1332 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1333 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1334 "invalid packet capture length %u, bigger than "
1335 "snaplen of %d", hdr->caplen, p->snapshot);
1336 return (-1);
1337 }
1338
1339 /*
1340 * Convert the time stamp to seconds and fractions of a second,
1341 * with the fractions being in units of the file-supplied resolution.
1342 */
1343 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1344 frac = t % ps->ifaces[interface_id].tsresol;
1345
1346 /*
1347 * Convert the fractions from units of the file-supplied resolution
1348 * to units of the user-requested resolution.
1349 */
1350 switch (ps->ifaces[interface_id].scale_type) {
1351
1352 case PASS_THROUGH:
1353 /*
1354 * The interface resolution is what the user wants,
1355 * so we're done.
1356 */
1357 break;
1358
1359 case SCALE_UP_DEC:
1360 /*
1361 * The interface resolution is less than what the user
1362 * wants; scale the fractional part up to the units of
1363 * the resolution the user requested by multiplying by
1364 * the quotient of the user-requested resolution and the
1365 * file-supplied resolution.
1366 *
1367 * Those resolutions are both powers of 10, and the user-
1368 * requested resolution is greater than the file-supplied
1369 * resolution, so the quotient in question is an integer.
1370 * We've calculated that quotient already, so we just
1371 * multiply by it.
1372 */
1373 frac *= ps->ifaces[interface_id].scale_factor;
1374 break;
1375
1376 case SCALE_UP_BIN:
1377 /*
1378 * The interface resolution is less than what the user
1379 * wants; scale the fractional part up to the units of
1380 * the resolution the user requested by multiplying by
1381 * the quotient of the user-requested resolution and the
1382 * file-supplied resolution.
1383 *
1384 * The file-supplied resolution is a power of 2, so the
1385 * quotient is not an integer, so, in order to do this
1386 * entirely with integer arithmetic, we multiply by the
1387 * user-requested resolution and divide by the file-
1388 * supplied resolution.
1389 *
1390 * XXX - Is there something clever we could do here,
1391 * given that we know that the file-supplied resolution
1392 * is a power of 2? Doing a multiplication followed by
1393 * a division runs the risk of overflowing, and involves
1394 * two non-simple arithmetic operations.
1395 */
1396 frac *= ps->user_tsresol;
1397 frac /= ps->ifaces[interface_id].tsresol;
1398 break;
1399
1400 case SCALE_DOWN_DEC:
1401 /*
1402 * The interface resolution is greater than what the user
1403 * wants; scale the fractional part down to the units of
1404 * the resolution the user requested by multiplying by
1405 * the quotient of the user-requested resolution and the
1406 * file-supplied resolution.
1407 *
1408 * Those resolutions are both powers of 10, and the user-
1409 * requested resolution is less than the file-supplied
1410 * resolution, so the quotient in question isn't an
1411 * integer, but its reciprocal is, and we can just divide
1412 * by the reciprocal of the quotient. We've calculated
1413 * the reciprocal of that quotient already, so we must
1414 * divide by it.
1415 */
1416 frac /= ps->ifaces[interface_id].scale_factor;
1417 break;
1418
1419
1420 case SCALE_DOWN_BIN:
1421 /*
1422 * The interface resolution is greater than what the user
1423 * wants; convert the fractional part to units of the
1424 * resolution the user requested by multiplying by the
1425 * quotient of the user-requested resolution and the
1426 * file-supplied resolution. We do that by multiplying
1427 * by the user-requested resolution and dividing by the
1428 * file-supplied resolution, as the quotient might not
1429 * fit in an integer.
1430 *
1431 * The file-supplied resolution is a power of 2, so the
1432 * quotient is not an integer, and neither is its
1433 * reciprocal, so, in order to do this entirely with
1434 * integer arithmetic, we multiply by the user-requested
1435 * resolution and divide by the file-supplied resolution.
1436 *
1437 * XXX - Is there something clever we could do here,
1438 * given that we know that the file-supplied resolution
1439 * is a power of 2? Doing a multiplication followed by
1440 * a division runs the risk of overflowing, and involves
1441 * two non-simple arithmetic operations.
1442 */
1443 frac *= ps->user_tsresol;
1444 frac /= ps->ifaces[interface_id].tsresol;
1445 break;
1446 }
1447 #ifdef _WIN32
1448 /*
1449 * tv_sec and tv_usec in the Windows struct timeval are both
1450 * longs.
1451 */
1452 hdr->ts.tv_sec = (long)sec;
1453 hdr->ts.tv_usec = (long)frac;
1454 #else
1455 /*
1456 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1457 * suseconds_t in UN*Xes that work the way the current Single
1458 * UNIX Standard specify - but not all older UN*Xes necessarily
1459 * support that type, so just cast to int.
1460 */
1461 hdr->ts.tv_sec = (time_t)sec;
1462 hdr->ts.tv_usec = (int)frac;
1463 #endif
1464
1465 /*
1466 * Get a pointer to the packet data.
1467 */
1468 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1469 if (*data == NULL)
1470 return (-1);
1471
1472 if (p->swapped)
1473 swap_pseudo_headers(p->linktype, hdr, *data);
1474
1475 return (0);
1476 }