2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
28 #include <pcap/pcap-inttypes.h>
37 #include "pcap-util.h"
39 #include "pcap-common.h"
41 #ifdef HAVE_OS_PROTO_H
45 #include "sf-pcapng.h"
52 * Common part at the beginning of all blocks.
55 bpf_u_int32 block_type;
56 bpf_u_int32 total_length;
60 * Common trailer at the end of all blocks.
62 struct block_trailer {
63 bpf_u_int32 total_length;
69 #define OPT_ENDOFOPT 0 /* end of options */
70 #define OPT_COMMENT 1 /* comment string */
75 struct option_header {
77 u_short option_length;
81 * Structures for the part of each block type following the common
86 * Section Header Block.
88 #define BT_SHB 0x0A0D0D0A
89 #define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
90 struct section_header_block {
91 bpf_u_int32 byte_order_magic;
92 u_short major_version;
93 u_short minor_version;
94 uint64_t section_length;
95 /* followed by options and trailer */
99 * Byte-order magic value.
101 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
104 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
105 * or if minor_version isn't PCAP_NG_VERSION_MINOR or 2, that means that
106 * this code can't read the file.
108 #define PCAP_NG_VERSION_MAJOR 1
109 #define PCAP_NG_VERSION_MINOR 0
112 * Interface Description Block.
114 #define BT_IDB 0x00000001
116 struct interface_description_block {
120 /* followed by options and trailer */
124 * Options in the IDB.
126 #define IF_NAME 2 /* interface name string */
127 #define IF_DESCRIPTION 3 /* interface description string */
128 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
129 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
130 #define IF_MACADDR 6 /* interface's MAC address */
131 #define IF_EUIADDR 7 /* interface's EUI address */
132 #define IF_SPEED 8 /* interface's speed, in bits/s */
133 #define IF_TSRESOL 9 /* interface's time stamp resolution */
134 #define IF_TZONE 10 /* interface's time zone */
135 #define IF_FILTER 11 /* filter used when capturing on interface */
136 #define IF_OS 12 /* string OS on which capture on this interface was done */
137 #define IF_FCSLEN 13 /* FCS length for this interface */
138 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
141 * Enhanced Packet Block.
143 #define BT_EPB 0x00000006
145 struct enhanced_packet_block {
146 bpf_u_int32 interface_id;
147 bpf_u_int32 timestamp_high;
148 bpf_u_int32 timestamp_low;
151 /* followed by packet data, options, and trailer */
155 * Simple Packet Block.
157 #define BT_SPB 0x00000003
159 struct simple_packet_block {
161 /* followed by packet data and trailer */
167 #define BT_PB 0x00000002
169 struct packet_block {
170 u_short interface_id;
172 bpf_u_int32 timestamp_high;
173 bpf_u_int32 timestamp_low;
176 /* followed by packet data, options, and trailer */
180 * Block cursor - used when processing the contents of a block.
181 * Contains a pointer into the data being processed and a count
182 * of bytes remaining in the block.
184 struct block_cursor {
186 size_t data_remaining;
187 bpf_u_int32 block_type;
196 } tstamp_scale_type_t;
199 * Per-interface information.
202 uint32_t snaplen; /* snapshot length */
203 uint64_t tsresol; /* time stamp resolution */
204 tstamp_scale_type_t scale_type; /* how to scale */
205 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
206 uint64_t tsoffset; /* time stamp offset */
210 * Per-pcap_t private data.
212 * max_blocksize is the maximum size of a block that we'll accept. We
213 * reject blocks bigger than this, so we don't consume too much memory
214 * with a truly huge block. It can change as we see IDBs with different
215 * link-layer header types. (Currently, we don't support IDBs with
216 * different link-layer header types, but we will support it in the
217 * future, when we offer file-reading APIs that support it.)
219 * XXX - that's an issue on ILP32 platforms, where the maximum block
220 * size of 2^31-1 would eat all but one byte of the entire address space.
221 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
222 * of the address space may be limited by 1) the number of *significant*
223 * address bits (currently, x86-64 only supports 48 bits of address), 2)
224 * any limitations imposed by the operating system; 3) any limitations
225 * imposed by the amount of available backing store for anonymous pages,
226 * so we impose a limit regardless of the size of a pointer.
229 uint64_t user_tsresol; /* time stamp resolution requested by the user */
230 u_int max_blocksize; /* don't grow buffer size past this */
231 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
232 bpf_u_int32 ifaces_size; /* size of array below */
233 struct pcap_ng_if *ifaces; /* array of interface information */
237 * The maximum block size we start with; we use an arbitrary value of
240 #define INITIAL_MAX_BLOCKSIZE (16*1024*1024)
243 * Maximum block size for a given maximum snapshot length; we define it
244 * as the size of an EPB with a max_snaplen-sized packet and 128KB of
247 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
248 (sizeof (struct block_header) + \
249 sizeof (struct enhanced_packet_block) + \
250 (max_snaplen) + 131072 + \
251 sizeof (struct block_trailer))
253 static void pcap_ng_cleanup(pcap_t *p);
254 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
258 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
263 amt_read = fread(buf, 1, bytes_to_read, fp);
264 if (amt_read != bytes_to_read) {
266 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
267 errno, "error reading dump file");
269 if (amt_read == 0 && !fail_on_eof)
270 return (0); /* EOF */
271 snprintf(errbuf, PCAP_ERRBUF_SIZE,
272 "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
273 bytes_to_read, amt_read);
281 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
283 struct pcap_ng_sf *ps;
285 struct block_header bhdr;
286 struct block_trailer *btrlr;
288 size_t data_remaining;
292 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
294 return (status); /* error or EOF */
297 bhdr.block_type = SWAPLONG(bhdr.block_type);
298 bhdr.total_length = SWAPLONG(bhdr.total_length);
302 * Is this block "too small" - i.e., is it shorter than a block
303 * header plus a block trailer?
305 if (bhdr.total_length < sizeof(struct block_header) +
306 sizeof(struct block_trailer)) {
307 snprintf(errbuf, PCAP_ERRBUF_SIZE,
308 "block in pcapng dump file has a length of %u < %zu",
310 sizeof(struct block_header) + sizeof(struct block_trailer));
315 * Is the block total length a multiple of 4?
317 if ((bhdr.total_length % 4) != 0) {
319 * No. Report that as an error.
321 snprintf(errbuf, PCAP_ERRBUF_SIZE,
322 "block in pcapng dump file has a length of %u that is not a multiple of 4",
328 * Is the buffer big enough?
330 if (p->bufsize < bhdr.total_length) {
332 * No - make it big enough, unless it's too big, in
333 * which case we fail.
337 if (bhdr.total_length > ps->max_blocksize) {
338 snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
342 bigger_buffer = realloc(p->buffer, bhdr.total_length);
343 if (bigger_buffer == NULL) {
344 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
347 p->buffer = bigger_buffer;
351 * Copy the stuff we've read to the buffer, and read the rest
354 memcpy(p->buffer, &bhdr, sizeof(bhdr));
355 bdata = (u_char *)p->buffer + sizeof(bhdr);
356 data_remaining = bhdr.total_length - sizeof(bhdr);
357 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
361 * Get the block size from the trailer.
363 btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
365 btrlr->total_length = SWAPLONG(btrlr->total_length);
368 * Is the total length from the trailer the same as the total
369 * length from the header?
371 if (bhdr.total_length != btrlr->total_length) {
375 snprintf(errbuf, PCAP_ERRBUF_SIZE,
376 "block total length in header and trailer don't match");
381 * Initialize the cursor.
383 cursor->data = bdata;
384 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
385 cursor->block_type = bhdr.block_type;
390 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
396 * Make sure we have the specified amount of data remaining in
399 if (cursor->data_remaining < chunk_size) {
400 snprintf(errbuf, PCAP_ERRBUF_SIZE,
401 "block of type %u in pcapng dump file is too short",
407 * Return the current pointer, and skip past the chunk.
410 cursor->data += chunk_size;
411 cursor->data_remaining -= chunk_size;
415 static struct option_header *
416 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
418 struct option_header *opthdr;
420 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
421 if (opthdr == NULL) {
423 * Option header is cut short.
429 * Byte-swap it if necessary.
432 opthdr->option_code = SWAPSHORT(opthdr->option_code);
433 opthdr->option_length = SWAPSHORT(opthdr->option_length);
440 get_optvalue_from_block_data(struct block_cursor *cursor,
441 struct option_header *opthdr, char *errbuf)
443 size_t padded_option_len;
446 /* Pad option length to 4-byte boundary */
447 padded_option_len = opthdr->option_length;
448 padded_option_len = ((padded_option_len + 3)/4)*4;
450 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
451 if (optvalue == NULL) {
453 * Option value is cut short.
462 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
463 uint64_t *tsoffset, int *is_binary, char *errbuf)
465 struct option_header *opthdr;
467 int saw_tsresol, saw_tsoffset;
473 while (cursor->data_remaining != 0) {
475 * Get the option header.
477 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
478 if (opthdr == NULL) {
480 * Option header is cut short.
488 optvalue = get_optvalue_from_block_data(cursor, opthdr,
490 if (optvalue == NULL) {
492 * Option value is cut short.
497 switch (opthdr->option_code) {
500 if (opthdr->option_length != 0) {
501 snprintf(errbuf, PCAP_ERRBUF_SIZE,
502 "Interface Description Block has opt_endofopt option with length %u != 0",
503 opthdr->option_length);
509 if (opthdr->option_length != 1) {
510 snprintf(errbuf, PCAP_ERRBUF_SIZE,
511 "Interface Description Block has if_tsresol option with length %u != 1",
512 opthdr->option_length);
516 snprintf(errbuf, PCAP_ERRBUF_SIZE,
517 "Interface Description Block has more than one if_tsresol option");
521 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
522 if (tsresol_opt & 0x80) {
524 * Resolution is negative power of 2.
526 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
528 if (tsresol_shift > 63) {
530 * Resolution is too high; 2^-{res}
531 * won't fit in a 64-bit value.
533 snprintf(errbuf, PCAP_ERRBUF_SIZE,
534 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
539 *tsresol = ((uint64_t)1) << tsresol_shift;
542 * Resolution is negative power of 10.
544 if (tsresol_opt > 19) {
546 * Resolution is too high; 2^-{res}
547 * won't fit in a 64-bit value (the
548 * largest power of 10 that fits
549 * in a 64-bit value is 10^19, as
550 * the largest 64-bit unsigned
551 * value is ~1.8*10^19).
553 snprintf(errbuf, PCAP_ERRBUF_SIZE,
554 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
560 for (i = 0; i < tsresol_opt; i++)
566 if (opthdr->option_length != 8) {
567 snprintf(errbuf, PCAP_ERRBUF_SIZE,
568 "Interface Description Block has if_tsoffset option with length %u != 8",
569 opthdr->option_length);
573 snprintf(errbuf, PCAP_ERRBUF_SIZE,
574 "Interface Description Block has more than one if_tsoffset option");
578 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
580 *tsoffset = SWAPLL(*tsoffset);
593 add_interface(pcap_t *p, struct interface_description_block *idbp,
594 struct block_cursor *cursor, char *errbuf)
596 struct pcap_ng_sf *ps;
604 * Count this interface.
609 * Grow the array of per-interface information as necessary.
611 if (ps->ifcount > ps->ifaces_size) {
613 * We need to grow the array.
615 bpf_u_int32 new_ifaces_size;
616 struct pcap_ng_if *new_ifaces;
618 if (ps->ifaces_size == 0) {
620 * It's currently empty.
622 * (The Clang static analyzer doesn't do enough,
623 * err, umm, dataflow *analysis* to realize that
624 * ps->ifaces_size == 0 if ps->ifaces == NULL,
625 * and so complains about a possible zero argument
626 * to realloc(), so we check for the former
627 * condition to shut it up.
629 * However, it doesn't complain that one of the
630 * multiplications below could overflow, which is
631 * a real, albeit extremely unlikely, problem (you'd
632 * need a pcapng file with tens of millions of
636 new_ifaces = malloc(sizeof (struct pcap_ng_if));
639 * It's not currently empty; double its size.
640 * (Perhaps overkill once we have a lot of interfaces.)
642 * Check for overflow if we double it.
644 if (ps->ifaces_size * 2 < ps->ifaces_size) {
646 * The maximum number of interfaces before
647 * ps->ifaces_size overflows is the largest
648 * possible 32-bit power of 2, as we do
651 snprintf(errbuf, PCAP_ERRBUF_SIZE,
652 "more than %u interfaces in the file",
658 * ps->ifaces_size * 2 doesn't overflow, so it's
661 new_ifaces_size = ps->ifaces_size * 2;
664 * Now make sure that's not so big that it overflows
665 * if we multiply by sizeof (struct pcap_ng_if).
667 * That can happen on 32-bit platforms, with a 32-bit
668 * size_t; it shouldn't happen on 64-bit platforms,
669 * with a 64-bit size_t, as new_ifaces_size is
672 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
674 * As this fails only with 32-bit size_t,
675 * the multiplication was 32x32->32, and
676 * the largest 32-bit value that can safely
677 * be multiplied by sizeof (struct pcap_ng_if)
678 * without overflow is the largest 32-bit
679 * (unsigned) value divided by
680 * sizeof (struct pcap_ng_if).
682 snprintf(errbuf, PCAP_ERRBUF_SIZE,
683 "more than %u interfaces in the file",
684 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
687 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
689 if (new_ifaces == NULL) {
691 * We ran out of memory.
694 snprintf(errbuf, PCAP_ERRBUF_SIZE,
695 "out of memory for per-interface information (%u interfaces)",
699 ps->ifaces_size = new_ifaces_size;
700 ps->ifaces = new_ifaces;
703 ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
706 * Set the default time stamp resolution and offset.
708 tsresol = 1000000; /* microsecond resolution */
709 is_binary = 0; /* which is a power of 10 */
710 tsoffset = 0; /* absolute timestamps */
713 * Now look for various time stamp options, so we know
714 * how to interpret the time stamps for this interface.
716 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
720 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
721 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
724 * Determine whether we're scaling up or down or not
725 * at all for this interface.
727 if (tsresol == ps->user_tsresol) {
729 * The resolution is the resolution the user wants,
730 * so we don't have to do scaling.
732 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
733 } else if (tsresol > ps->user_tsresol) {
735 * The resolution is greater than what the user wants,
736 * so we have to scale the timestamps down.
739 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
742 * Calculate the scale factor.
744 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
745 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
749 * The resolution is less than what the user wants,
750 * so we have to scale the timestamps up.
753 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
756 * Calculate the scale factor.
758 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
759 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
766 * Check whether this is a pcapng savefile and, if it is, extract the
767 * relevant information from the header.
770 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
771 char *errbuf, int *err)
773 bpf_u_int32 magic_int;
775 bpf_u_int32 total_length;
776 bpf_u_int32 byte_order_magic;
777 struct block_header *bhdrp;
778 struct section_header_block *shbp;
781 struct pcap_ng_sf *ps;
783 struct block_cursor cursor;
784 struct interface_description_block *idbp;
787 * Assume no read errors.
792 * Check whether the first 4 bytes of the file are the block
793 * type for a pcapng savefile.
795 memcpy(&magic_int, magic, sizeof(magic_int));
796 if (magic_int != BT_SHB) {
798 * XXX - check whether this looks like what the block
799 * type would be after being munged by mapping between
800 * UN*X and DOS/Windows text file format and, if it
801 * does, look for the byte-order magic number in
802 * the appropriate place and, if we find it, report
803 * this as possibly being a pcapng file transferred
804 * between UN*X and Windows in text file format?
806 return (NULL); /* nope */
810 * OK, they are. However, that's just \n\r\r\n, so it could,
811 * conceivably, be an ordinary text file.
813 * It could not, however, conceivably be any other type of
814 * capture file, so we can read the rest of the putative
815 * Section Header Block; put the block type in the common
816 * header, read the rest of the common header and the
817 * fixed-length portion of the SHB, and look for the byte-order
820 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
821 if (amt_read < sizeof(total_length)) {
823 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
824 errno, "error reading dump file");
826 return (NULL); /* fail */
830 * Possibly a weird short text file, so just say
835 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
836 if (amt_read < sizeof(byte_order_magic)) {
838 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
839 errno, "error reading dump file");
841 return (NULL); /* fail */
845 * Possibly a weird short text file, so just say
850 if (byte_order_magic != BYTE_ORDER_MAGIC) {
851 byte_order_magic = SWAPLONG(byte_order_magic);
852 if (byte_order_magic != BYTE_ORDER_MAGIC) {
859 total_length = SWAPLONG(total_length);
863 * Check the sanity of the total length.
865 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
866 (total_length > BT_SHB_INSANE_MAX)) {
867 snprintf(errbuf, PCAP_ERRBUF_SIZE,
868 "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
869 sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
878 * OK, this is a good pcapng file.
879 * Allocate a pcap_t for it.
881 p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
883 /* Allocation failed. */
887 p->swapped = swapped;
891 * What precision does the user want?
895 case PCAP_TSTAMP_PRECISION_MICRO:
896 ps->user_tsresol = 1000000;
899 case PCAP_TSTAMP_PRECISION_NANO:
900 ps->user_tsresol = 1000000000;
904 snprintf(errbuf, PCAP_ERRBUF_SIZE,
905 "unknown time stamp resolution %u", precision);
911 p->opt.tstamp_precision = precision;
914 * Allocate a buffer into which to read blocks. We default to
917 * the total length of the SHB for which we read the header;
919 * 2K, which should be more than large enough for an Enhanced
920 * Packet Block containing a full-size Ethernet frame, and
921 * leaving room for some options.
923 * If we find a bigger block, we reallocate the buffer, up to
924 * the maximum size. We start out with a maximum size of
925 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
926 * with a maximum snapshot that results in a larger maximum
927 * block length, we boost the maximum.
930 if (p->bufsize < total_length)
931 p->bufsize = total_length;
932 p->buffer = malloc(p->bufsize);
933 if (p->buffer == NULL) {
934 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
939 ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
942 * Copy the stuff we've read to the buffer, and read the rest
945 bhdrp = (struct block_header *)p->buffer;
946 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
947 bhdrp->block_type = magic_int;
948 bhdrp->total_length = total_length;
949 shbp->byte_order_magic = byte_order_magic;
951 (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
952 total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
958 * Byte-swap the fields we've read.
960 shbp->major_version = SWAPSHORT(shbp->major_version);
961 shbp->minor_version = SWAPSHORT(shbp->minor_version);
964 * XXX - we don't care about the section length.
967 /* Currently only SHB versions 1.0 and 1.2 are supported;
968 version 1.2 is treated as being the same as version 1.0.
969 See the current version of the pcapng specification.
971 Version 1.2 is written by some programs that write additional
972 block types (which can be read by any code that handles them,
973 regardless of whether the minor version if 0 or 2, so that's
974 not a reason to change the minor version number).
976 XXX - the pcapng specification says that readers should
977 just ignore sections with an unsupported version number;
978 presumably they can also report an error if they skip
979 all the way to the end of the file without finding
980 any versions that they support. */
981 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
982 (shbp->minor_version == PCAP_NG_VERSION_MINOR ||
983 shbp->minor_version == 2))) {
984 snprintf(errbuf, PCAP_ERRBUF_SIZE,
985 "unsupported pcapng savefile version %u.%u",
986 shbp->major_version, shbp->minor_version);
989 p->version_major = shbp->major_version;
990 p->version_minor = shbp->minor_version;
993 * Save the time stamp resolution the user requested.
995 p->opt.tstamp_precision = precision;
998 * Now start looking for an Interface Description Block.
1002 * Read the next block.
1004 status = read_block(fp, p, &cursor, errbuf);
1006 /* EOF - no IDB in this file */
1007 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1008 "the capture file has no Interface Description Blocks");
1012 goto fail; /* error */
1013 switch (cursor.block_type) {
1017 * Get a pointer to the fixed-length portion of the
1020 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1023 goto fail; /* error */
1026 * Byte-swap it if necessary.
1029 idbp->linktype = SWAPSHORT(idbp->linktype);
1030 idbp->snaplen = SWAPLONG(idbp->snaplen);
1034 * Try to add this interface.
1036 if (!add_interface(p, idbp, &cursor, errbuf))
1045 * Saw a packet before we saw any IDBs. That's
1046 * not valid, as we don't know what link-layer
1047 * encapsulation the packet has.
1049 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1050 "the capture file has a packet block before any Interface Description Blocks");
1062 p->linktype = linktype_to_dlt(idbp->linktype);
1063 p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen);
1064 p->linktype_ext = 0;
1067 * If the maximum block size for a packet with the maximum
1068 * snapshot length for this DLT_ is bigger than the current
1069 * maximum block size, increase the maximum.
1071 if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1072 ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
1074 p->next_packet_op = pcap_ng_next_packet;
1075 p->cleanup_op = pcap_ng_cleanup;
1088 pcap_ng_cleanup(pcap_t *p)
1090 struct pcap_ng_sf *ps = p->priv;
1097 * Read and return the next packet from the savefile. Return the header
1098 * in hdr and a pointer to the contents in data. Return 1 on success, 0
1099 * if there were no more packets, and -1 on an error.
1102 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1104 struct pcap_ng_sf *ps = p->priv;
1105 struct block_cursor cursor;
1107 struct enhanced_packet_block *epbp;
1108 struct simple_packet_block *spbp;
1109 struct packet_block *pbp;
1110 bpf_u_int32 interface_id = 0xFFFFFFFF;
1111 struct interface_description_block *idbp;
1112 struct section_header_block *shbp;
1113 FILE *fp = p->rfile;
1114 uint64_t t, sec, frac;
1117 * Look for an Enhanced Packet Block, a Simple Packet Block,
1118 * or a Packet Block.
1122 * Read the block type and length; those are common
1125 status = read_block(fp, p, &cursor, p->errbuf);
1127 return (0); /* EOF */
1129 return (-1); /* error */
1130 switch (cursor.block_type) {
1134 * Get a pointer to the fixed-length portion of the
1137 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1140 return (-1); /* error */
1143 * Byte-swap it if necessary.
1146 /* these were written in opposite byte order */
1147 interface_id = SWAPLONG(epbp->interface_id);
1148 hdr->caplen = SWAPLONG(epbp->caplen);
1149 hdr->len = SWAPLONG(epbp->len);
1150 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1151 SWAPLONG(epbp->timestamp_low);
1153 interface_id = epbp->interface_id;
1154 hdr->caplen = epbp->caplen;
1155 hdr->len = epbp->len;
1156 t = ((uint64_t)epbp->timestamp_high) << 32 |
1157 epbp->timestamp_low;
1163 * Get a pointer to the fixed-length portion of the
1166 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1169 return (-1); /* error */
1172 * SPB packets are assumed to have arrived on
1173 * the first interface.
1178 * Byte-swap it if necessary.
1181 /* these were written in opposite byte order */
1182 hdr->len = SWAPLONG(spbp->len);
1184 hdr->len = spbp->len;
1187 * The SPB doesn't give the captured length;
1188 * it's the minimum of the snapshot length
1189 * and the packet length.
1191 hdr->caplen = hdr->len;
1192 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1193 hdr->caplen = p->snapshot;
1194 t = 0; /* no time stamps */
1199 * Get a pointer to the fixed-length portion of the
1202 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1205 return (-1); /* error */
1208 * Byte-swap it if necessary.
1211 /* these were written in opposite byte order */
1212 interface_id = SWAPSHORT(pbp->interface_id);
1213 hdr->caplen = SWAPLONG(pbp->caplen);
1214 hdr->len = SWAPLONG(pbp->len);
1215 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1216 SWAPLONG(pbp->timestamp_low);
1218 interface_id = pbp->interface_id;
1219 hdr->caplen = pbp->caplen;
1220 hdr->len = pbp->len;
1221 t = ((uint64_t)pbp->timestamp_high) << 32 |
1228 * Interface Description Block. Get a pointer
1229 * to its fixed-length portion.
1231 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1234 return (-1); /* error */
1237 * Byte-swap it if necessary.
1240 idbp->linktype = SWAPSHORT(idbp->linktype);
1241 idbp->snaplen = SWAPLONG(idbp->snaplen);
1245 * If the link-layer type or snapshot length
1246 * differ from the ones for the first IDB we
1249 * XXX - just discard packets from those
1252 if (p->linktype != idbp->linktype) {
1253 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1254 "an interface has a type %u different from the type of the first interface",
1260 * Check against the *adjusted* value of this IDB's
1263 if ((bpf_u_int32)p->snapshot !=
1264 pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
1265 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1266 "an interface has a snapshot length %u different from the snapshot length of the first interface",
1272 * Try to add this interface.
1274 if (!add_interface(p, idbp, &cursor, p->errbuf))
1280 * Section Header Block. Get a pointer
1281 * to its fixed-length portion.
1283 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1286 return (-1); /* error */
1289 * Assume the byte order of this section is
1290 * the same as that of the previous section.
1291 * We'll check for that later.
1294 shbp->byte_order_magic =
1295 SWAPLONG(shbp->byte_order_magic);
1296 shbp->major_version =
1297 SWAPSHORT(shbp->major_version);
1301 * Make sure the byte order doesn't change;
1302 * pcap_is_swapped() shouldn't change its
1303 * return value in the middle of reading a capture.
1305 switch (shbp->byte_order_magic) {
1307 case BYTE_ORDER_MAGIC:
1313 case SWAPLONG(BYTE_ORDER_MAGIC):
1315 * Byte order changes.
1317 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1318 "the file has sections with different byte orders");
1325 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1326 "the file has a section with a bad byte order magic field");
1331 * Make sure the major version is the version
1334 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1335 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1336 "unknown pcapng savefile major version number %u",
1337 shbp->major_version);
1342 * Reset the interface count; this section should
1343 * have its own set of IDBs. If any of them
1344 * don't have the same interface type, snapshot
1345 * length, or resolution as the first interface
1346 * we saw, we'll fail. (And if we don't see
1347 * any IDBs, we'll fail when we see a packet
1355 * Not a packet block, IDB, or SHB; ignore it.
1363 * Is the interface ID an interface we know?
1365 if (interface_id >= ps->ifcount) {
1369 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1370 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1375 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1376 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1377 "invalid packet capture length %u, bigger than "
1378 "snaplen of %d", hdr->caplen, p->snapshot);
1383 * Convert the time stamp to seconds and fractions of a second,
1384 * with the fractions being in units of the file-supplied resolution.
1386 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1387 frac = t % ps->ifaces[interface_id].tsresol;
1390 * Convert the fractions from units of the file-supplied resolution
1391 * to units of the user-requested resolution.
1393 switch (ps->ifaces[interface_id].scale_type) {
1397 * The interface resolution is what the user wants,
1404 * The interface resolution is less than what the user
1405 * wants; scale the fractional part up to the units of
1406 * the resolution the user requested by multiplying by
1407 * the quotient of the user-requested resolution and the
1408 * file-supplied resolution.
1410 * Those resolutions are both powers of 10, and the user-
1411 * requested resolution is greater than the file-supplied
1412 * resolution, so the quotient in question is an integer.
1413 * We've calculated that quotient already, so we just
1416 frac *= ps->ifaces[interface_id].scale_factor;
1421 * The interface resolution is less than what the user
1422 * wants; scale the fractional part up to the units of
1423 * the resolution the user requested by multiplying by
1424 * the quotient of the user-requested resolution and the
1425 * file-supplied resolution.
1427 * The file-supplied resolution is a power of 2, so the
1428 * quotient is not an integer, so, in order to do this
1429 * entirely with integer arithmetic, we multiply by the
1430 * user-requested resolution and divide by the file-
1431 * supplied resolution.
1433 * XXX - Is there something clever we could do here,
1434 * given that we know that the file-supplied resolution
1435 * is a power of 2? Doing a multiplication followed by
1436 * a division runs the risk of overflowing, and involves
1437 * two non-simple arithmetic operations.
1439 frac *= ps->user_tsresol;
1440 frac /= ps->ifaces[interface_id].tsresol;
1443 case SCALE_DOWN_DEC:
1445 * The interface resolution is greater than what the user
1446 * wants; scale the fractional part up to the units of
1447 * the resolution the user requested by multiplying by
1448 * the quotient of the user-requested resolution and the
1449 * file-supplied resolution.
1451 * Those resolutions are both powers of 10, and the user-
1452 * requested resolution is less than the file-supplied
1453 * resolution, so the quotient in question isn't an
1454 * integer, but its reciprocal is, and we can just divide
1455 * by the reciprocal of the quotient. We've calculated
1456 * the reciprocal of that quotient already, so we must
1459 frac /= ps->ifaces[interface_id].scale_factor;
1463 case SCALE_DOWN_BIN:
1465 * The interface resolution is greater than what the user
1466 * wants; convert the fractional part to units of the
1467 * resolution the user requested by multiplying by the
1468 * quotient of the user-requested resolution and the
1469 * file-supplied resolution. We do that by multiplying
1470 * by the user-requested resolution and dividing by the
1471 * file-supplied resolution, as the quotient might not
1472 * fit in an integer.
1474 * The file-supplied resolution is a power of 2, so the
1475 * quotient is not an integer, and neither is its
1476 * reciprocal, so, in order to do this entirely with
1477 * integer arithmetic, we multiply by the user-requested
1478 * resolution and divide by the file-supplied resolution.
1480 * XXX - Is there something clever we could do here,
1481 * given that we know that the file-supplied resolution
1482 * is a power of 2? Doing a multiplication followed by
1483 * a division runs the risk of overflowing, and involves
1484 * two non-simple arithmetic operations.
1486 frac *= ps->user_tsresol;
1487 frac /= ps->ifaces[interface_id].tsresol;
1492 * tv_sec and tv_used in the Windows struct timeval are both
1495 hdr->ts.tv_sec = (long)sec;
1496 hdr->ts.tv_usec = (long)frac;
1499 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1500 * suseconds_t in UN*Xes that work the way the current Single
1501 * UNIX Standard specify - but not all older UN*Xes necessarily
1502 * support that type, so just cast to int.
1504 hdr->ts.tv_sec = (time_t)sec;
1505 hdr->ts.tv_usec = (int)frac;
1509 * Get a pointer to the packet data.
1511 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1515 pcap_post_process(p->linktype, p->swapped, hdr, *data);
projects / FreeBSD / FreeBSD.git / blob