2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
25 static const char rcsid[] _U_ =
26 "@(#) $Header$ (LBL)";
34 #include <pcap-stdinc.h>
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
44 #include <sys/types.h>
55 #include "pcap-common.h"
57 #ifdef HAVE_OS_PROTO_H
61 #include "sf-pcap-ng.h"
68 * Common part at the beginning of all blocks.
71 bpf_u_int32 block_type;
72 bpf_u_int32 total_length;
76 * Common trailer at the end of all blocks.
78 struct block_trailer {
79 bpf_u_int32 total_length;
85 #define OPT_ENDOFOPT 0 /* end of options */
86 #define OPT_COMMENT 1 /* comment string */
91 struct option_header {
93 u_short option_length;
97 * Structures for the part of each block type following the common
102 * Section Header Block.
104 #define BT_SHB 0x0A0D0D0A
106 struct section_header_block {
107 bpf_u_int32 byte_order_magic;
108 u_short major_version;
109 u_short minor_version;
110 u_int64_t section_length;
111 /* followed by options and trailer */
115 * Byte-order magic value.
117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
121 * that means that this code can't read the file.
123 #define PCAP_NG_VERSION_MAJOR 1
126 * Interface Description Block.
128 #define BT_IDB 0x00000001
130 struct interface_description_block {
134 /* followed by options and trailer */
138 * Options in the IDB.
140 #define IF_NAME 2 /* interface name string */
141 #define IF_DESCRIPTION 3 /* interface description string */
142 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
143 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
144 #define IF_MACADDR 6 /* interface's MAC address */
145 #define IF_EUIADDR 7 /* interface's EUI address */
146 #define IF_SPEED 8 /* interface's speed, in bits/s */
147 #define IF_TSRESOL 9 /* interface's time stamp resolution */
148 #define IF_TZONE 10 /* interface's time zone */
149 #define IF_FILTER 11 /* filter used when capturing on interface */
150 #define IF_OS 12 /* string OS on which capture on this interface was done */
151 #define IF_FCSLEN 13 /* FCS length for this interface */
152 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
155 * Enhanced Packet Block.
157 #define BT_EPB 0x00000006
159 struct enhanced_packet_block {
160 bpf_u_int32 interface_id;
161 bpf_u_int32 timestamp_high;
162 bpf_u_int32 timestamp_low;
165 /* followed by packet data, options, and trailer */
169 * Simple Packet Block.
171 #define BT_SPB 0x00000003
173 struct simple_packet_block {
175 /* followed by packet data and trailer */
181 #define BT_PB 0x00000002
183 struct packet_block {
184 u_short interface_id;
186 bpf_u_int32 timestamp_high;
187 bpf_u_int32 timestamp_low;
190 /* followed by packet data, options, and trailer */
194 * Block cursor - used when processing the contents of a block.
195 * Contains a pointer into the data being processed and a count
196 * of bytes remaining in the block.
198 struct block_cursor {
200 size_t data_remaining;
201 bpf_u_int32 block_type;
208 } tstamp_scale_type_t;
211 * Per-interface information.
214 u_int tsresol; /* time stamp resolution */
215 u_int64_t tsoffset; /* time stamp offset */
216 tstamp_scale_type_t scale_type; /* how to scale */
220 u_int user_tsresol; /* time stamp resolution requested by the user */
221 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
222 bpf_u_int32 ifaces_size; /* size of arrary below */
223 struct pcap_ng_if *ifaces; /* array of interface information */
226 static void pcap_ng_cleanup(pcap_t *p);
227 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
231 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
236 amt_read = fread(buf, 1, bytes_to_read, fp);
237 if (amt_read != bytes_to_read) {
239 snprintf(errbuf, PCAP_ERRBUF_SIZE,
240 "error reading dump file: %s",
241 pcap_strerror(errno));
243 if (amt_read == 0 && !fail_on_eof)
244 return (0); /* EOF */
245 snprintf(errbuf, PCAP_ERRBUF_SIZE,
246 "truncated dump file; tried to read %lu bytes, only got %lu",
247 (unsigned long)bytes_to_read,
248 (unsigned long)amt_read);
256 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
259 struct block_header bhdr;
261 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
263 return (status); /* error or EOF */
266 bhdr.block_type = SWAPLONG(bhdr.block_type);
267 bhdr.total_length = SWAPLONG(bhdr.total_length);
271 * Is this block "too big"?
273 * We choose 16MB as "too big", for now, so that we handle
274 * "reasonably" large buffers but don't chew up all the
275 * memory if we read a malformed file.
277 if (bhdr.total_length > 16*1024*1024) {
278 snprintf(errbuf, PCAP_ERRBUF_SIZE,
279 "pcap-ng block size %u > maximum %u",
280 bhdr.total_length, 16*1024*1024);
285 * Is this block "too small" - i.e., is it shorter than a block
286 * header plus a block trailer?
288 if (bhdr.total_length < sizeof(struct block_header) +
289 sizeof(struct block_trailer)) {
290 snprintf(errbuf, PCAP_ERRBUF_SIZE,
291 "block in pcap-ng dump file has a length of %u < %lu",
293 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
298 * Is the buffer big enough?
300 if (p->bufsize < bhdr.total_length) {
302 * No - make it big enough.
304 p->buffer = realloc(p->buffer, bhdr.total_length);
305 if (p->buffer == NULL) {
306 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
312 * Copy the stuff we've read to the buffer, and read the rest
315 memcpy(p->buffer, &bhdr, sizeof(bhdr));
316 if (read_bytes(fp, p->buffer + sizeof(bhdr),
317 bhdr.total_length - sizeof(bhdr), 1, errbuf) == -1)
321 * Initialize the cursor.
323 cursor->data = p->buffer + sizeof(bhdr);
324 cursor->data_remaining = bhdr.total_length - sizeof(bhdr) -
325 sizeof(struct block_trailer);
326 cursor->block_type = bhdr.block_type;
331 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
337 * Make sure we have the specified amount of data remaining in
340 if (cursor->data_remaining < chunk_size) {
341 snprintf(errbuf, PCAP_ERRBUF_SIZE,
342 "block of type %u in pcap-ng dump file is too short",
348 * Return the current pointer, and skip past the chunk.
351 cursor->data += chunk_size;
352 cursor->data_remaining -= chunk_size;
356 static struct option_header *
357 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
359 struct option_header *opthdr;
361 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
362 if (opthdr == NULL) {
364 * Option header is cut short.
370 * Byte-swap it if necessary.
373 opthdr->option_code = SWAPSHORT(opthdr->option_code);
374 opthdr->option_length = SWAPSHORT(opthdr->option_length);
381 get_optvalue_from_block_data(struct block_cursor *cursor,
382 struct option_header *opthdr, char *errbuf)
384 size_t padded_option_len;
387 /* Pad option length to 4-byte boundary */
388 padded_option_len = opthdr->option_length;
389 padded_option_len = ((padded_option_len + 3)/4)*4;
391 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
392 if (optvalue == NULL) {
394 * Option value is cut short.
403 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
404 u_int64_t *tsoffset, char *errbuf)
406 struct option_header *opthdr;
408 int saw_tsresol, saw_tsoffset;
414 while (cursor->data_remaining != 0) {
416 * Get the option header.
418 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
419 if (opthdr == NULL) {
421 * Option header is cut short.
429 optvalue = get_optvalue_from_block_data(cursor, opthdr,
431 if (optvalue == NULL) {
433 * Option value is cut short.
438 switch (opthdr->option_code) {
441 if (opthdr->option_length != 0) {
442 snprintf(errbuf, PCAP_ERRBUF_SIZE,
443 "Interface Description Block has opt_endofopt option with length %u != 0",
444 opthdr->option_length);
450 if (opthdr->option_length != 1) {
451 snprintf(errbuf, PCAP_ERRBUF_SIZE,
452 "Interface Description Block has if_tsresol option with length %u != 1",
453 opthdr->option_length);
457 snprintf(errbuf, PCAP_ERRBUF_SIZE,
458 "Interface Description Block has more than one if_tsresol option");
462 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
463 if (tsresol_opt & 0x80) {
465 * Resolution is negative power of 2.
467 *tsresol = 1 << (tsresol_opt & 0x7F);
470 * Resolution is negative power of 10.
473 for (i = 0; i < tsresol_opt; i++)
478 * Resolution is too high.
480 if (tsresol_opt & 0x80) {
481 snprintf(errbuf, PCAP_ERRBUF_SIZE,
482 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
485 snprintf(errbuf, PCAP_ERRBUF_SIZE,
486 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
494 if (opthdr->option_length != 8) {
495 snprintf(errbuf, PCAP_ERRBUF_SIZE,
496 "Interface Description Block has if_tsoffset option with length %u != 8",
497 opthdr->option_length);
501 snprintf(errbuf, PCAP_ERRBUF_SIZE,
502 "Interface Description Block has more than one if_tsoffset option");
506 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
508 *tsoffset = SWAPLL(*tsoffset);
521 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
523 struct pcap_ng_sf *ps;
530 * Count this interface.
535 * Grow the array of per-interface information as necessary.
537 if (ps->ifcount > ps->ifaces_size) {
539 * We need to grow the array.
541 if (ps->ifaces == NULL) {
543 * It's currently empty.
546 ps->ifaces = malloc(sizeof (struct pcap_ng_if));
549 * It's not currently empty; double its size.
550 * (Perhaps overkill once we have a lot of interfaces.)
552 ps->ifaces_size *= 2;
553 ps->ifaces = realloc(ps->ifaces, ps->ifaces_size * sizeof (struct pcap_ng_if));
555 if (ps->ifaces == NULL) {
557 * We ran out of memory.
560 snprintf(errbuf, PCAP_ERRBUF_SIZE,
561 "out of memory for per-interface information (%u interfaces)",
568 * Set the default time stamp resolution and offset.
570 tsresol = 1000000; /* microsecond resolution */
571 tsoffset = 0; /* absolute timestamps */
574 * Now look for various time stamp options, so we know
575 * how to interpret the time stamps for this interface.
577 if (process_idb_options(p, cursor, &tsresol, &tsoffset, errbuf) == -1)
580 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
581 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
584 * Determine whether we're scaling up or down or not
585 * at all for this interface.
587 switch (p->opt.tstamp_precision) {
589 case PCAP_TSTAMP_PRECISION_MICRO:
590 if (tsresol == 1000000) {
592 * The resolution is 1 microsecond,
593 * so we don't have to do scaling.
595 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
596 } else if (tsresol > 1000000) {
598 * The resolution is greater than
599 * 1 microsecond, so we have to
600 * scale the timestamps down.
602 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN;
605 * The resolution is less than 1
606 * microsecond, so we have to scale
609 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP;
613 case PCAP_TSTAMP_PRECISION_NANO:
614 if (tsresol == 1000000000) {
616 * The resolution is 1 nanosecond,
617 * so we don't have to do scaling.
619 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
620 } else if (tsresol > 1000000000) {
622 * The resolution is greater than
623 * 1 nanosecond, so we have to
624 * scale the timestamps down.
626 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN;
629 * The resolution is less than 1
630 * nanosecond, so we have to scale
633 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP;
641 * Check whether this is a pcap-ng savefile and, if it is, extract the
642 * relevant information from the header.
645 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
649 bpf_u_int32 total_length;
650 bpf_u_int32 byte_order_magic;
651 struct block_header *bhdrp;
652 struct section_header_block *shbp;
655 struct pcap_ng_sf *ps;
657 struct block_cursor cursor;
658 struct interface_description_block *idbp;
661 * Assume no read errors.
666 * Check whether the first 4 bytes of the file are the block
667 * type for a pcap-ng savefile.
669 if (magic != BT_SHB) {
671 * XXX - check whether this looks like what the block
672 * type would be after being munged by mapping between
673 * UN*X and DOS/Windows text file format and, if it
674 * does, look for the byte-order magic number in
675 * the appropriate place and, if we find it, report
676 * this as possibly being a pcap-ng file transferred
677 * between UN*X and Windows in text file format?
679 return (NULL); /* nope */
683 * OK, they are. However, that's just \n\r\r\n, so it could,
684 * conceivably, be an ordinary text file.
686 * It could not, however, conceivably be any other type of
687 * capture file, so we can read the rest of the putative
688 * Section Header Block; put the block type in the common
689 * header, read the rest of the common header and the
690 * fixed-length portion of the SHB, and look for the byte-order
693 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
694 if (amt_read < sizeof(total_length)) {
696 snprintf(errbuf, PCAP_ERRBUF_SIZE,
697 "error reading dump file: %s",
698 pcap_strerror(errno));
700 return (NULL); /* fail */
704 * Possibly a weird short text file, so just say
709 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
710 if (amt_read < sizeof(byte_order_magic)) {
712 snprintf(errbuf, PCAP_ERRBUF_SIZE,
713 "error reading dump file: %s",
714 pcap_strerror(errno));
716 return (NULL); /* fail */
720 * Possibly a weird short text file, so just say
725 if (byte_order_magic != BYTE_ORDER_MAGIC) {
726 byte_order_magic = SWAPLONG(byte_order_magic);
727 if (byte_order_magic != BYTE_ORDER_MAGIC) {
729 * Not a pcap-ng file.
734 total_length = SWAPLONG(total_length);
738 * Check the sanity of the total length.
740 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
741 snprintf(errbuf, PCAP_ERRBUF_SIZE,
742 "Section Header Block in pcap-ng dump file has a length of %u < %lu",
744 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
750 * OK, this is a good pcap-ng file.
751 * Allocate a pcap_t for it.
753 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
755 /* Allocation failed. */
759 p->swapped = swapped;
763 * What precision does the user want?
767 case PCAP_TSTAMP_PRECISION_MICRO:
768 ps->user_tsresol = 1000000;
771 case PCAP_TSTAMP_PRECISION_NANO:
772 ps->user_tsresol = 1000000000;
776 snprintf(errbuf, PCAP_ERRBUF_SIZE,
777 "unknown time stamp resolution %u", precision);
783 p->opt.tstamp_precision = precision;
786 * Allocate a buffer into which to read blocks. We default to
789 * the total length of the SHB for which we read the header;
791 * 2K, which should be more than large enough for an Enhanced
792 * Packet Block containing a full-size Ethernet frame, and
793 * leaving room for some options.
795 * If we find a bigger block, we reallocate the buffer.
798 if (p->bufsize < total_length)
799 p->bufsize = total_length;
800 p->buffer = malloc(p->bufsize);
801 if (p->buffer == NULL) {
802 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
809 * Copy the stuff we've read to the buffer, and read the rest
812 bhdrp = (struct block_header *)p->buffer;
813 shbp = (struct section_header_block *)(p->buffer + sizeof(struct block_header));
814 bhdrp->block_type = magic;
815 bhdrp->total_length = total_length;
816 shbp->byte_order_magic = byte_order_magic;
818 p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
819 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
825 * Byte-swap the fields we've read.
827 shbp->major_version = SWAPSHORT(shbp->major_version);
828 shbp->minor_version = SWAPSHORT(shbp->minor_version);
831 * XXX - we don't care about the section length.
834 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
835 snprintf(errbuf, PCAP_ERRBUF_SIZE,
836 "unknown pcap-ng savefile major version number %u",
837 shbp->major_version);
840 p->version_major = shbp->major_version;
841 p->version_minor = shbp->minor_version;
844 * Save the time stamp resolution the user requested.
846 p->opt.tstamp_precision = precision;
849 * Now start looking for an Interface Description Block.
853 * Read the next block.
855 status = read_block(fp, p, &cursor, errbuf);
857 /* EOF - no IDB in this file */
858 snprintf(errbuf, PCAP_ERRBUF_SIZE,
859 "the capture file has no Interface Description Blocks");
863 goto fail; /* error */
864 switch (cursor.block_type) {
868 * Get a pointer to the fixed-length portion of the
871 idbp = get_from_block_data(&cursor, sizeof(*idbp),
874 goto fail; /* error */
877 * Byte-swap it if necessary.
880 idbp->linktype = SWAPSHORT(idbp->linktype);
881 idbp->snaplen = SWAPLONG(idbp->snaplen);
885 * Try to add this interface.
887 if (!add_interface(p, &cursor, errbuf))
895 * Saw a packet before we saw any IDBs. That's
896 * not valid, as we don't know what link-layer
897 * encapsulation the packet has.
899 snprintf(errbuf, PCAP_ERRBUF_SIZE,
900 "the capture file has a packet block before any Interface Description Blocks");
912 p->tzoff = 0; /* XXX - not used in pcap */
913 p->snapshot = idbp->snaplen;
914 p->linktype = linktype_to_dlt(idbp->linktype);
917 p->next_packet_op = pcap_ng_next_packet;
918 p->cleanup_op = pcap_ng_cleanup;
931 pcap_ng_cleanup(pcap_t *p)
933 struct pcap_ng_sf *ps = p->priv;
940 * Read and return the next packet from the savefile. Return the header
941 * in hdr and a pointer to the contents in data. Return 0 on success, 1
942 * if there were no more packets, and -1 on an error.
945 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
947 struct pcap_ng_sf *ps = p->priv;
948 struct block_cursor cursor;
950 struct enhanced_packet_block *epbp;
951 struct simple_packet_block *spbp;
952 struct packet_block *pbp;
953 bpf_u_int32 interface_id = 0xFFFFFFFF;
954 struct interface_description_block *idbp;
955 struct section_header_block *shbp;
957 u_int64_t t, sec, frac;
960 * Look for an Enhanced Packet Block, a Simple Packet Block,
965 * Read the block type and length; those are common
968 status = read_block(fp, p, &cursor, p->errbuf);
970 return (1); /* EOF */
972 return (-1); /* error */
973 switch (cursor.block_type) {
977 * Get a pointer to the fixed-length portion of the
980 epbp = get_from_block_data(&cursor, sizeof(*epbp),
983 return (-1); /* error */
986 * Byte-swap it if necessary.
989 /* these were written in opposite byte order */
990 interface_id = SWAPLONG(epbp->interface_id);
991 hdr->caplen = SWAPLONG(epbp->caplen);
992 hdr->len = SWAPLONG(epbp->len);
993 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
994 SWAPLONG(epbp->timestamp_low);
996 interface_id = epbp->interface_id;
997 hdr->caplen = epbp->caplen;
998 hdr->len = epbp->len;
999 t = ((u_int64_t)epbp->timestamp_high) << 32 |
1000 epbp->timestamp_low;
1006 * Get a pointer to the fixed-length portion of the
1009 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1012 return (-1); /* error */
1015 * SPB packets are assumed to have arrived on
1016 * the first interface.
1021 * Byte-swap it if necessary.
1024 /* these were written in opposite byte order */
1025 hdr->len = SWAPLONG(spbp->len);
1027 hdr->len = spbp->len;
1030 * The SPB doesn't give the captured length;
1031 * it's the minimum of the snapshot length
1032 * and the packet length.
1034 hdr->caplen = hdr->len;
1035 if (hdr->caplen > p->snapshot)
1036 hdr->caplen = p->snapshot;
1037 t = 0; /* no time stamps */
1042 * Get a pointer to the fixed-length portion of the
1045 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1048 return (-1); /* error */
1051 * Byte-swap it if necessary.
1054 /* these were written in opposite byte order */
1055 interface_id = SWAPSHORT(pbp->interface_id);
1056 hdr->caplen = SWAPLONG(pbp->caplen);
1057 hdr->len = SWAPLONG(pbp->len);
1058 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1059 SWAPLONG(pbp->timestamp_low);
1061 interface_id = pbp->interface_id;
1062 hdr->caplen = pbp->caplen;
1063 hdr->len = pbp->len;
1064 t = ((u_int64_t)pbp->timestamp_high) << 32 |
1071 * Interface Description Block. Get a pointer
1072 * to its fixed-length portion.
1074 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1077 return (-1); /* error */
1080 * Byte-swap it if necessary.
1083 idbp->linktype = SWAPSHORT(idbp->linktype);
1084 idbp->snaplen = SWAPLONG(idbp->snaplen);
1088 * If the link-layer type or snapshot length
1089 * differ from the ones for the first IDB we
1092 * XXX - just discard packets from those
1095 if (p->linktype != idbp->linktype) {
1096 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1097 "an interface has a type %u different from the type of the first interface",
1101 if (p->snapshot != idbp->snaplen) {
1102 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1103 "an interface has a snapshot length %u different from the type of the first interface",
1109 * Try to add this interface.
1111 if (!add_interface(p, &cursor, p->errbuf))
1117 * Section Header Block. Get a pointer
1118 * to its fixed-length portion.
1120 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1123 return (-1); /* error */
1126 * Assume the byte order of this section is
1127 * the same as that of the previous section.
1128 * We'll check for that later.
1131 shbp->byte_order_magic =
1132 SWAPLONG(shbp->byte_order_magic);
1133 shbp->major_version =
1134 SWAPSHORT(shbp->major_version);
1138 * Make sure the byte order doesn't change;
1139 * pcap_is_swapped() shouldn't change its
1140 * return value in the middle of reading a capture.
1142 switch (shbp->byte_order_magic) {
1144 case BYTE_ORDER_MAGIC:
1150 case SWAPLONG(BYTE_ORDER_MAGIC):
1152 * Byte order changes.
1154 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1155 "the file has sections with different byte orders");
1162 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1163 "the file has a section with a bad byte order magic field");
1168 * Make sure the major version is the version
1171 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1172 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1173 "unknown pcap-ng savefile major version number %u",
1174 shbp->major_version);
1179 * Reset the interface count; this section should
1180 * have its own set of IDBs. If any of them
1181 * don't have the same interface type, snapshot
1182 * length, or resolution as the first interface
1183 * we saw, we'll fail. (And if we don't see
1184 * any IDBs, we'll fail when we see a packet
1192 * Not a packet block, IDB, or SHB; ignore it.
1200 * Is the interface ID an interface we know?
1202 if (interface_id >= ps->ifcount) {
1206 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1207 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1213 * Convert the time stamp to a struct timeval.
1215 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1216 frac = t % ps->ifaces[interface_id].tsresol;
1217 switch (ps->ifaces[interface_id].scale_type) {
1221 * The interface resolution is what the user wants,
1229 * The interface resolution is different from what the
1230 * user wants; scale up or down to that resolution.
1232 * XXX - if ps->ifaces[interface_id].tsresol is a power
1233 * of 10, we could just multiply by the quotient of
1234 * ps->ifaces[interface_id].tsresol and ps->user_tsresol
1235 * in the scale-up case, and divide by the quotient of
1236 * ps->user_tsresol and ps->ifaces[interface_id].tsresol
1237 * in the scale-down case, as we know those are integers,
1238 * which would involve fewer arithmetic operations.
1240 * Is there something clever we could do if
1241 * ps->ifaces[interface_id].tsresol is a power of 2?
1243 frac *= ps->ifaces[interface_id].tsresol;
1244 frac /= ps->user_tsresol;
1247 hdr->ts.tv_sec = sec;
1248 hdr->ts.tv_usec = frac;
1251 * Get a pointer to the packet data.
1253 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1258 swap_pseudo_headers(p->linktype, hdr, *data);
projects / FreeBSD / FreeBSD.git / blob