2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
25 static const char rcsid[] _U_ =
26 "@(#) $Header$ (LBL)";
34 #include <pcap-stdinc.h>
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
44 #include <sys/types.h>
55 #include "pcap-common.h"
57 #ifdef HAVE_OS_PROTO_H
61 #include "sf-pcap-ng.h"
68 * Common part at the beginning of all blocks.
71 bpf_u_int32 block_type;
72 bpf_u_int32 total_length;
76 * Common trailer at the end of all blocks.
78 struct block_trailer {
79 bpf_u_int32 total_length;
85 #define OPT_ENDOFOPT 0 /* end of options */
86 #define OPT_COMMENT 1 /* comment string */
91 struct option_header {
93 u_short option_length;
97 * Structures for the part of each block type following the common
102 * Section Header Block.
104 #define BT_SHB 0x0A0D0D0A
106 struct section_header_block {
107 bpf_u_int32 byte_order_magic;
108 u_short major_version;
109 u_short minor_version;
110 u_int64_t section_length;
111 /* followed by options and trailer */
115 * Byte-order magic value.
117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
121 * that means that this code can't read the file.
123 #define PCAP_NG_VERSION_MAJOR 1
124 #define PCAP_NG_VERSION_MINOR 0
127 * Interface Description Block.
129 #define BT_IDB 0x00000001
131 struct interface_description_block {
135 /* followed by options and trailer */
139 * Options in the IDB.
141 #define IF_NAME 2 /* interface name string */
142 #define IF_DESCRIPTION 3 /* interface description string */
143 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
144 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
145 #define IF_MACADDR 6 /* interface's MAC address */
146 #define IF_EUIADDR 7 /* interface's EUI address */
147 #define IF_SPEED 8 /* interface's speed, in bits/s */
148 #define IF_TSRESOL 9 /* interface's time stamp resolution */
149 #define IF_TZONE 10 /* interface's time zone */
150 #define IF_FILTER 11 /* filter used when capturing on interface */
151 #define IF_OS 12 /* string OS on which capture on this interface was done */
152 #define IF_FCSLEN 13 /* FCS length for this interface */
153 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
156 * Enhanced Packet Block.
158 #define BT_EPB 0x00000006
160 struct enhanced_packet_block {
161 bpf_u_int32 interface_id;
162 bpf_u_int32 timestamp_high;
163 bpf_u_int32 timestamp_low;
166 /* followed by packet data, options, and trailer */
170 * Simple Packet Block.
172 #define BT_SPB 0x00000003
174 struct simple_packet_block {
176 /* followed by packet data and trailer */
182 #define BT_PB 0x00000002
184 struct packet_block {
185 u_short interface_id;
187 bpf_u_int32 timestamp_high;
188 bpf_u_int32 timestamp_low;
191 /* followed by packet data, options, and trailer */
195 * Block cursor - used when processing the contents of a block.
196 * Contains a pointer into the data being processed and a count
197 * of bytes remaining in the block.
199 struct block_cursor {
201 size_t data_remaining;
202 bpf_u_int32 block_type;
211 } tstamp_scale_type_t;
214 * Per-interface information.
217 u_int tsresol; /* time stamp resolution */
218 tstamp_scale_type_t scale_type; /* how to scale */
219 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */
220 u_int64_t tsoffset; /* time stamp offset */
224 u_int user_tsresol; /* time stamp resolution requested by the user */
225 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
226 bpf_u_int32 ifaces_size; /* size of array below */
227 struct pcap_ng_if *ifaces; /* array of interface information */
230 static void pcap_ng_cleanup(pcap_t *p);
231 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
235 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
240 amt_read = fread(buf, 1, bytes_to_read, fp);
241 if (amt_read != bytes_to_read) {
243 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
244 "error reading dump file: %s",
245 pcap_strerror(errno));
247 if (amt_read == 0 && !fail_on_eof)
248 return (0); /* EOF */
249 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
250 "truncated dump file; tried to read %lu bytes, only got %lu",
251 (unsigned long)bytes_to_read,
252 (unsigned long)amt_read);
260 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
263 struct block_header bhdr;
265 size_t data_remaining;
267 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
269 return (status); /* error or EOF */
272 bhdr.block_type = SWAPLONG(bhdr.block_type);
273 bhdr.total_length = SWAPLONG(bhdr.total_length);
277 * Is this block "too big"?
279 * We choose 16MB as "too big", for now, so that we handle
280 * "reasonably" large buffers but don't chew up all the
281 * memory if we read a malformed file.
283 if (bhdr.total_length > 16*1024*1024) {
284 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
285 "pcap-ng block size %u > maximum %u",
286 bhdr.total_length, 16*1024*1024);
291 * Is this block "too small" - i.e., is it shorter than a block
292 * header plus a block trailer?
294 if (bhdr.total_length < sizeof(struct block_header) +
295 sizeof(struct block_trailer)) {
296 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
297 "block in pcap-ng dump file has a length of %u < %lu",
299 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
304 * Is the buffer big enough?
306 if (p->bufsize < bhdr.total_length) {
308 * No - make it big enough.
312 bigger_buffer = realloc(p->buffer, bhdr.total_length);
313 if (bigger_buffer == NULL) {
314 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
317 p->buffer = bigger_buffer;
321 * Copy the stuff we've read to the buffer, and read the rest
324 memcpy(p->buffer, &bhdr, sizeof(bhdr));
325 bdata = (u_char *)p->buffer + sizeof(bhdr);
326 data_remaining = bhdr.total_length - sizeof(bhdr);
327 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
331 * Initialize the cursor.
333 cursor->data = bdata;
334 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
335 cursor->block_type = bhdr.block_type;
340 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
346 * Make sure we have the specified amount of data remaining in
349 if (cursor->data_remaining < chunk_size) {
350 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
351 "block of type %u in pcap-ng dump file is too short",
357 * Return the current pointer, and skip past the chunk.
360 cursor->data += chunk_size;
361 cursor->data_remaining -= chunk_size;
365 static struct option_header *
366 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
368 struct option_header *opthdr;
370 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
371 if (opthdr == NULL) {
373 * Option header is cut short.
379 * Byte-swap it if necessary.
382 opthdr->option_code = SWAPSHORT(opthdr->option_code);
383 opthdr->option_length = SWAPSHORT(opthdr->option_length);
390 get_optvalue_from_block_data(struct block_cursor *cursor,
391 struct option_header *opthdr, char *errbuf)
393 size_t padded_option_len;
396 /* Pad option length to 4-byte boundary */
397 padded_option_len = opthdr->option_length;
398 padded_option_len = ((padded_option_len + 3)/4)*4;
400 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
401 if (optvalue == NULL) {
403 * Option value is cut short.
412 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
413 u_int64_t *tsoffset, int *is_binary, char *errbuf)
415 struct option_header *opthdr;
417 int saw_tsresol, saw_tsoffset;
423 while (cursor->data_remaining != 0) {
425 * Get the option header.
427 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
428 if (opthdr == NULL) {
430 * Option header is cut short.
438 optvalue = get_optvalue_from_block_data(cursor, opthdr,
440 if (optvalue == NULL) {
442 * Option value is cut short.
447 switch (opthdr->option_code) {
450 if (opthdr->option_length != 0) {
451 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
452 "Interface Description Block has opt_endofopt option with length %u != 0",
453 opthdr->option_length);
459 if (opthdr->option_length != 1) {
460 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
461 "Interface Description Block has if_tsresol option with length %u != 1",
462 opthdr->option_length);
466 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
467 "Interface Description Block has more than one if_tsresol option");
471 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
472 if (tsresol_opt & 0x80) {
474 * Resolution is negative power of 2.
477 *tsresol = 1 << (tsresol_opt & 0x7F);
480 * Resolution is negative power of 10.
484 for (i = 0; i < tsresol_opt; i++)
489 * Resolution is too high.
491 if (tsresol_opt & 0x80) {
492 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
493 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
496 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
497 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
505 if (opthdr->option_length != 8) {
506 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
507 "Interface Description Block has if_tsoffset option with length %u != 8",
508 opthdr->option_length);
512 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
513 "Interface Description Block has more than one if_tsoffset option");
517 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
519 *tsoffset = SWAPLL(*tsoffset);
532 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
534 struct pcap_ng_sf *ps;
542 * Count this interface.
547 * Grow the array of per-interface information as necessary.
549 if (ps->ifcount > ps->ifaces_size) {
551 * We need to grow the array.
553 bpf_u_int32 new_ifaces_size;
554 struct pcap_ng_if *new_ifaces;
556 if (ps->ifaces_size == 0) {
558 * It's currently empty.
560 * (The Clang static analyzer doesn't do enough,
561 * err, umm, dataflow *analysis* to realize that
562 * ps->ifaces_size == 0 if ps->ifaces == NULL,
563 * and so complains about a possible zero argument
564 * to realloc(), so we check for the former
565 * condition to shut it up.
567 * However, it doesn't complain that one of the
568 * multiplications below could overflow, which is
569 * a real, albeit extremely unlikely, problem (you'd
570 * need a pcap-ng file with tens of millions of
574 new_ifaces = malloc(sizeof (struct pcap_ng_if));
577 * It's not currently empty; double its size.
578 * (Perhaps overkill once we have a lot of interfaces.)
580 * Check for overflow if we double it.
582 if (ps->ifaces_size * 2 < ps->ifaces_size) {
584 * The maximum number of interfaces before
585 * ps->ifaces_size overflows is the largest
586 * possible 32-bit power of 2, as we do
589 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
590 "more than %u interfaces in the file",
596 * ps->ifaces_size * 2 doesn't overflow, so it's
599 new_ifaces_size = ps->ifaces_size * 2;
602 * Now make sure that's not so big that it overflows
603 * if we multiply by sizeof (struct pcap_ng_if).
605 * That can happen on 32-bit platforms, with a 32-bit
606 * size_t; it shouldn't happen on 64-bit platforms,
607 * with a 64-bit size_t, as new_ifaces_size is
610 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
612 * As this fails only with 32-bit size_t,
613 * the multiplication was 32x32->32, and
614 * the largest 32-bit value that can safely
615 * be multiplied by sizeof (struct pcap_ng_if)
616 * without overflow is the largest 32-bit
617 * (unsigned) value divided by
618 * sizeof (struct pcap_ng_if).
620 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
621 "more than %u interfaces in the file",
622 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
625 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
627 if (new_ifaces == NULL) {
629 * We ran out of memory.
632 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
633 "out of memory for per-interface information (%u interfaces)",
637 ps->ifaces_size = new_ifaces_size;
638 ps->ifaces = new_ifaces;
642 * Set the default time stamp resolution and offset.
644 tsresol = 1000000; /* microsecond resolution */
645 is_binary = 0; /* which is a power of 10 */
646 tsoffset = 0; /* absolute timestamps */
649 * Now look for various time stamp options, so we know
650 * how to interpret the time stamps for this interface.
652 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
656 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
657 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
660 * Determine whether we're scaling up or down or not
661 * at all for this interface.
663 if (tsresol == ps->user_tsresol) {
665 * The resolution is the resolution the user wants,
666 * so we don't have to do scaling.
668 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
669 } else if (tsresol > ps->user_tsresol) {
671 * The resolution is greater than what the user wants,
672 * so we have to scale the timestamps down.
675 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
678 * Calculate the scale factor.
680 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
681 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
685 * The resolution is less than what the user wants,
686 * so we have to scale the timestamps up.
689 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
692 * Calculate the scale factor.
694 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
695 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
702 * Check whether this is a pcap-ng savefile and, if it is, extract the
703 * relevant information from the header.
706 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
710 bpf_u_int32 total_length;
711 bpf_u_int32 byte_order_magic;
712 struct block_header *bhdrp;
713 struct section_header_block *shbp;
716 struct pcap_ng_sf *ps;
718 struct block_cursor cursor;
719 struct interface_description_block *idbp;
722 * Assume no read errors.
727 * Check whether the first 4 bytes of the file are the block
728 * type for a pcap-ng savefile.
730 if (magic != BT_SHB) {
732 * XXX - check whether this looks like what the block
733 * type would be after being munged by mapping between
734 * UN*X and DOS/Windows text file format and, if it
735 * does, look for the byte-order magic number in
736 * the appropriate place and, if we find it, report
737 * this as possibly being a pcap-ng file transferred
738 * between UN*X and Windows in text file format?
740 return (NULL); /* nope */
744 * OK, they are. However, that's just \n\r\r\n, so it could,
745 * conceivably, be an ordinary text file.
747 * It could not, however, conceivably be any other type of
748 * capture file, so we can read the rest of the putative
749 * Section Header Block; put the block type in the common
750 * header, read the rest of the common header and the
751 * fixed-length portion of the SHB, and look for the byte-order
754 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
755 if (amt_read < sizeof(total_length)) {
757 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
758 "error reading dump file: %s",
759 pcap_strerror(errno));
761 return (NULL); /* fail */
765 * Possibly a weird short text file, so just say
770 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
771 if (amt_read < sizeof(byte_order_magic)) {
773 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
774 "error reading dump file: %s",
775 pcap_strerror(errno));
777 return (NULL); /* fail */
781 * Possibly a weird short text file, so just say
786 if (byte_order_magic != BYTE_ORDER_MAGIC) {
787 byte_order_magic = SWAPLONG(byte_order_magic);
788 if (byte_order_magic != BYTE_ORDER_MAGIC) {
790 * Not a pcap-ng file.
795 total_length = SWAPLONG(total_length);
799 * Check the sanity of the total length.
801 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
802 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
803 "Section Header Block in pcap-ng dump file has a length of %u < %lu",
805 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
811 * OK, this is a good pcap-ng file.
812 * Allocate a pcap_t for it.
814 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
816 /* Allocation failed. */
820 p->swapped = swapped;
824 * What precision does the user want?
828 case PCAP_TSTAMP_PRECISION_MICRO:
829 ps->user_tsresol = 1000000;
832 case PCAP_TSTAMP_PRECISION_NANO:
833 ps->user_tsresol = 1000000000;
837 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
838 "unknown time stamp resolution %u", precision);
844 p->opt.tstamp_precision = precision;
847 * Allocate a buffer into which to read blocks. We default to
850 * the total length of the SHB for which we read the header;
852 * 2K, which should be more than large enough for an Enhanced
853 * Packet Block containing a full-size Ethernet frame, and
854 * leaving room for some options.
856 * If we find a bigger block, we reallocate the buffer.
859 if (p->bufsize < total_length)
860 p->bufsize = total_length;
861 p->buffer = malloc(p->bufsize);
862 if (p->buffer == NULL) {
863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
870 * Copy the stuff we've read to the buffer, and read the rest
873 bhdrp = (struct block_header *)p->buffer;
874 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
875 bhdrp->block_type = magic;
876 bhdrp->total_length = total_length;
877 shbp->byte_order_magic = byte_order_magic;
879 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
880 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
886 * Byte-swap the fields we've read.
888 shbp->major_version = SWAPSHORT(shbp->major_version);
889 shbp->minor_version = SWAPSHORT(shbp->minor_version);
892 * XXX - we don't care about the section length.
895 /* currently only SHB version 1.0 is supported */
896 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
897 shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
898 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
899 "unsupported pcap-ng savefile version %u.%u",
900 shbp->major_version, shbp->minor_version);
903 p->version_major = shbp->major_version;
904 p->version_minor = shbp->minor_version;
907 * Save the time stamp resolution the user requested.
909 p->opt.tstamp_precision = precision;
912 * Now start looking for an Interface Description Block.
916 * Read the next block.
918 status = read_block(fp, p, &cursor, errbuf);
920 /* EOF - no IDB in this file */
921 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
922 "the capture file has no Interface Description Blocks");
926 goto fail; /* error */
927 switch (cursor.block_type) {
931 * Get a pointer to the fixed-length portion of the
934 idbp = get_from_block_data(&cursor, sizeof(*idbp),
937 goto fail; /* error */
940 * Byte-swap it if necessary.
943 idbp->linktype = SWAPSHORT(idbp->linktype);
944 idbp->snaplen = SWAPLONG(idbp->snaplen);
948 * Interface capture length sanity check
950 if (idbp->snaplen > MAXIMUM_SNAPLEN) {
951 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
952 "invalid interface capture length %u, "
953 "bigger than maximum of %u",
954 idbp->snaplen, MAXIMUM_SNAPLEN);
959 * Try to add this interface.
961 if (!add_interface(p, &cursor, errbuf))
970 * Saw a packet before we saw any IDBs. That's
971 * not valid, as we don't know what link-layer
972 * encapsulation the packet has.
974 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
975 "the capture file has a packet block before any Interface Description Blocks");
987 p->tzoff = 0; /* XXX - not used in pcap */
988 p->snapshot = idbp->snaplen;
989 p->linktype = linktype_to_dlt(idbp->linktype);
992 p->next_packet_op = pcap_ng_next_packet;
993 p->cleanup_op = pcap_ng_cleanup;
1006 pcap_ng_cleanup(pcap_t *p)
1008 struct pcap_ng_sf *ps = p->priv;
1015 * Read and return the next packet from the savefile. Return the header
1016 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1017 * if there were no more packets, and -1 on an error.
1020 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1022 struct pcap_ng_sf *ps = p->priv;
1023 struct block_cursor cursor;
1025 struct enhanced_packet_block *epbp;
1026 struct simple_packet_block *spbp;
1027 struct packet_block *pbp;
1028 bpf_u_int32 interface_id = 0xFFFFFFFF;
1029 struct interface_description_block *idbp;
1030 struct section_header_block *shbp;
1031 FILE *fp = p->rfile;
1032 u_int64_t t, sec, frac;
1035 * Look for an Enhanced Packet Block, a Simple Packet Block,
1036 * or a Packet Block.
1040 * Read the block type and length; those are common
1043 status = read_block(fp, p, &cursor, p->errbuf);
1045 return (1); /* EOF */
1047 return (-1); /* error */
1048 switch (cursor.block_type) {
1052 * Get a pointer to the fixed-length portion of the
1055 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1058 return (-1); /* error */
1061 * Byte-swap it if necessary.
1064 /* these were written in opposite byte order */
1065 interface_id = SWAPLONG(epbp->interface_id);
1066 hdr->caplen = SWAPLONG(epbp->caplen);
1067 hdr->len = SWAPLONG(epbp->len);
1068 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1069 SWAPLONG(epbp->timestamp_low);
1071 interface_id = epbp->interface_id;
1072 hdr->caplen = epbp->caplen;
1073 hdr->len = epbp->len;
1074 t = ((u_int64_t)epbp->timestamp_high) << 32 |
1075 epbp->timestamp_low;
1081 * Get a pointer to the fixed-length portion of the
1084 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1087 return (-1); /* error */
1090 * SPB packets are assumed to have arrived on
1091 * the first interface.
1096 * Byte-swap it if necessary.
1099 /* these were written in opposite byte order */
1100 hdr->len = SWAPLONG(spbp->len);
1102 hdr->len = spbp->len;
1105 * The SPB doesn't give the captured length;
1106 * it's the minimum of the snapshot length
1107 * and the packet length.
1109 hdr->caplen = hdr->len;
1110 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1111 hdr->caplen = p->snapshot;
1112 t = 0; /* no time stamps */
1117 * Get a pointer to the fixed-length portion of the
1120 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1123 return (-1); /* error */
1126 * Byte-swap it if necessary.
1129 /* these were written in opposite byte order */
1130 interface_id = SWAPSHORT(pbp->interface_id);
1131 hdr->caplen = SWAPLONG(pbp->caplen);
1132 hdr->len = SWAPLONG(pbp->len);
1133 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1134 SWAPLONG(pbp->timestamp_low);
1136 interface_id = pbp->interface_id;
1137 hdr->caplen = pbp->caplen;
1138 hdr->len = pbp->len;
1139 t = ((u_int64_t)pbp->timestamp_high) << 32 |
1146 * Interface Description Block. Get a pointer
1147 * to its fixed-length portion.
1149 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1152 return (-1); /* error */
1155 * Byte-swap it if necessary.
1158 idbp->linktype = SWAPSHORT(idbp->linktype);
1159 idbp->snaplen = SWAPLONG(idbp->snaplen);
1163 * If the link-layer type or snapshot length
1164 * differ from the ones for the first IDB we
1167 * XXX - just discard packets from those
1170 if (p->linktype != idbp->linktype) {
1171 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1172 "an interface has a type %u different from the type of the first interface",
1176 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1177 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1178 "an interface has a snapshot length %u different from the type of the first interface",
1184 * Try to add this interface.
1186 if (!add_interface(p, &cursor, p->errbuf))
1192 * Section Header Block. Get a pointer
1193 * to its fixed-length portion.
1195 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1198 return (-1); /* error */
1201 * Assume the byte order of this section is
1202 * the same as that of the previous section.
1203 * We'll check for that later.
1206 shbp->byte_order_magic =
1207 SWAPLONG(shbp->byte_order_magic);
1208 shbp->major_version =
1209 SWAPSHORT(shbp->major_version);
1213 * Make sure the byte order doesn't change;
1214 * pcap_is_swapped() shouldn't change its
1215 * return value in the middle of reading a capture.
1217 switch (shbp->byte_order_magic) {
1219 case BYTE_ORDER_MAGIC:
1225 case SWAPLONG(BYTE_ORDER_MAGIC):
1227 * Byte order changes.
1229 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1230 "the file has sections with different byte orders");
1237 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1238 "the file has a section with a bad byte order magic field");
1243 * Make sure the major version is the version
1246 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1247 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1248 "unknown pcap-ng savefile major version number %u",
1249 shbp->major_version);
1254 * Reset the interface count; this section should
1255 * have its own set of IDBs. If any of them
1256 * don't have the same interface type, snapshot
1257 * length, or resolution as the first interface
1258 * we saw, we'll fail. (And if we don't see
1259 * any IDBs, we'll fail when we see a packet
1267 * Not a packet block, IDB, or SHB; ignore it.
1275 * Is the interface ID an interface we know?
1277 if (interface_id >= ps->ifcount) {
1281 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1282 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1288 * Convert the time stamp to seconds and fractions of a second,
1289 * with the fractions being in units of the file-supplied resolution.
1291 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1292 frac = t % ps->ifaces[interface_id].tsresol;
1295 * Convert the fractions from units of the file-supplied resolution
1296 * to units of the user-requested resolution.
1298 switch (ps->ifaces[interface_id].scale_type) {
1302 * The interface resolution is what the user wants,
1309 * The interface resolution is less than what the user
1310 * wants; scale the fractional part up to the units of
1311 * the resolution the user requested by multiplying by
1312 * the quotient of the user-requested resolution and the
1313 * file-supplied resolution.
1315 * Those resolutions are both powers of 10, and the user-
1316 * requested resolution is greater than the file-supplied
1317 * resolution, so the quotient in question is an integer.
1318 * We've calculated that quotient already, so we just
1321 frac *= ps->ifaces[interface_id].scale_factor;
1326 * The interface resolution is less than what the user
1327 * wants; scale the fractional part up to the units of
1328 * the resolution the user requested by multiplying by
1329 * the quotient of the user-requested resolution and the
1330 * file-supplied resolution.
1332 * The file-supplied resolution is a power of 2, so the
1333 * quotient is not an integer, so, in order to do this
1334 * entirely with integer arithmetic, we multiply by the
1335 * user-requested resolution and divide by the file-
1336 * supplied resolution.
1338 * XXX - Is there something clever we could do here,
1339 * given that we know that the file-supplied resolution
1340 * is a power of 2? Doing a multiplication followed by
1341 * a division runs the risk of overflowing, and involves
1342 * two non-simple arithmetic operations.
1344 frac *= ps->user_tsresol;
1345 frac /= ps->ifaces[interface_id].tsresol;
1348 case SCALE_DOWN_DEC:
1350 * The interface resolution is greater than what the user
1351 * wants; scale the fractional part up to the units of
1352 * the resolution the user requested by multiplying by
1353 * the quotient of the user-requested resolution and the
1354 * file-supplied resolution.
1356 * Those resolutions are both powers of 10, and the user-
1357 * requested resolution is less than the file-supplied
1358 * resolution, so the quotient in question isn't an
1359 * integer, but its reciprocal is, and we can just divide
1360 * by the reciprocal of the quotient. We've calculated
1361 * the reciprocal of that quotient already, so we must
1364 frac /= ps->ifaces[interface_id].scale_factor;
1368 case SCALE_DOWN_BIN:
1370 * The interface resolution is greater than what the user
1371 * wants; convert the fractional part to units of the
1372 * resolution the user requested by multiplying by the
1373 * quotient of the user-requested resolution and the
1374 * file-supplied resolution. We do that by multiplying
1375 * by the user-requested resolution and dividing by the
1376 * file-supplied resolution, as the quotient might not
1377 * fit in an integer.
1379 * The file-supplied resolution is a power of 2, so the
1380 * quotient is not an integer, and neither is its
1381 * reciprocal, so, in order to do this entirely with
1382 * integer arithmetic, we multiply by the user-requested
1383 * resolution and divide by the file-supplied resolution.
1385 * XXX - Is there something clever we could do here,
1386 * given that we know that the file-supplied resolution
1387 * is a power of 2? Doing a multiplication followed by
1388 * a division runs the risk of overflowing, and involves
1389 * two non-simple arithmetic operations.
1391 frac *= ps->user_tsresol;
1392 frac /= ps->ifaces[interface_id].tsresol;
1397 * tv_sec and tv_used in the Windows struct timeval are both
1400 hdr->ts.tv_sec = (long)sec;
1401 hdr->ts.tv_usec = (long)frac;
1404 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1405 * suseconds_t in UN*Xes that work the way the current Single
1406 * UNIX Standard specify - but not all older UN*Xes necessarily
1407 * support that type, so just cast to int.
1409 hdr->ts.tv_sec = (time_t)sec;
1410 hdr->ts.tv_usec = (int)frac;
1414 * Get a pointer to the packet data.
1416 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1421 swap_pseudo_headers(p->linktype, hdr, *data);
projects / FreeBSD / FreeBSD.git / blob