2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
28 #include <pcap/pcap-inttypes.h>
38 #include "pcap-common.h"
40 #ifdef HAVE_OS_PROTO_H
44 #include "sf-pcapng.h"
51 * Common part at the beginning of all blocks.
54 bpf_u_int32 block_type;
55 bpf_u_int32 total_length;
59 * Common trailer at the end of all blocks.
61 struct block_trailer {
62 bpf_u_int32 total_length;
68 #define OPT_ENDOFOPT 0 /* end of options */
69 #define OPT_COMMENT 1 /* comment string */
74 struct option_header {
76 u_short option_length;
80 * Structures for the part of each block type following the common
85 * Section Header Block.
87 #define BT_SHB 0x0A0D0D0A
89 struct section_header_block {
90 bpf_u_int32 byte_order_magic;
91 u_short major_version;
92 u_short minor_version;
93 uint64_t section_length;
94 /* followed by options and trailer */
98 * Byte-order magic value.
100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
104 * that means that this code can't read the file.
106 #define PCAP_NG_VERSION_MAJOR 1
107 #define PCAP_NG_VERSION_MINOR 0
110 * Interface Description Block.
112 #define BT_IDB 0x00000001
114 struct interface_description_block {
118 /* followed by options and trailer */
122 * Options in the IDB.
124 #define IF_NAME 2 /* interface name string */
125 #define IF_DESCRIPTION 3 /* interface description string */
126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
128 #define IF_MACADDR 6 /* interface's MAC address */
129 #define IF_EUIADDR 7 /* interface's EUI address */
130 #define IF_SPEED 8 /* interface's speed, in bits/s */
131 #define IF_TSRESOL 9 /* interface's time stamp resolution */
132 #define IF_TZONE 10 /* interface's time zone */
133 #define IF_FILTER 11 /* filter used when capturing on interface */
134 #define IF_OS 12 /* string OS on which capture on this interface was done */
135 #define IF_FCSLEN 13 /* FCS length for this interface */
136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
139 * Enhanced Packet Block.
141 #define BT_EPB 0x00000006
143 struct enhanced_packet_block {
144 bpf_u_int32 interface_id;
145 bpf_u_int32 timestamp_high;
146 bpf_u_int32 timestamp_low;
149 /* followed by packet data, options, and trailer */
153 * Simple Packet Block.
155 #define BT_SPB 0x00000003
157 struct simple_packet_block {
159 /* followed by packet data and trailer */
165 #define BT_PB 0x00000002
167 struct packet_block {
168 u_short interface_id;
170 bpf_u_int32 timestamp_high;
171 bpf_u_int32 timestamp_low;
174 /* followed by packet data, options, and trailer */
178 * Block cursor - used when processing the contents of a block.
179 * Contains a pointer into the data being processed and a count
180 * of bytes remaining in the block.
182 struct block_cursor {
184 size_t data_remaining;
185 bpf_u_int32 block_type;
194 } tstamp_scale_type_t;
197 * Per-interface information.
200 u_int tsresol; /* time stamp resolution */
201 tstamp_scale_type_t scale_type; /* how to scale */
202 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */
203 uint64_t tsoffset; /* time stamp offset */
207 * Per-pcap_t private data.
209 * max_blocksize is the maximum size of a block that we'll accept. We
210 * reject blocks bigger than this, so we don't consume too much memory
211 * with a truly huge block. It can change as we see IDBs with different
212 * link-layer header types. (Currently, we don't support IDBs with
213 * different link-layer header types, but we will support it in the
214 * future, when we offer file-reading APIs that support it.)
216 * XXX - that's an issue on ILP32 platforms, where the maximum block
217 * size of 2^31-1 would eat all but one byte of the entire address space.
218 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
219 * of the address space may be limited by 1) the number of *significant*
220 * address bits (currently, x86-64 only supports 48 bits of address), 2)
221 * any limitations imposed by the operating system; 3) any limitations
222 * imposed by the amount of available backing store for anonymous pages,
223 * so we impose a limit regardless of the size of a pointer.
226 u_int user_tsresol; /* time stamp resolution requested by the user */
227 u_int max_blocksize; /* don't grow buffer size past this */
228 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
229 bpf_u_int32 ifaces_size; /* size of array below */
230 struct pcap_ng_if *ifaces; /* array of interface information */
234 * Maximum block size for a given maximum snapshot length; we calculate
237 * We define it as the size of an EPB with a max_snaplen-sized
238 * packet and 128KB of options.
240 #define MAX_BLOCKSIZE(max_snaplen) (sizeof (struct block_header) + \
241 sizeof (struct enhanced_packet_block) + \
242 (max_snaplen) + 131072 + \
243 sizeof (struct block_trailer))
245 static void pcap_ng_cleanup(pcap_t *p);
246 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
250 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
255 amt_read = fread(buf, 1, bytes_to_read, fp);
256 if (amt_read != bytes_to_read) {
258 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
259 errno, "error reading dump file");
261 if (amt_read == 0 && !fail_on_eof)
262 return (0); /* EOF */
263 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
264 "truncated dump file; tried to read %lu bytes, only got %lu",
265 (unsigned long)bytes_to_read,
266 (unsigned long)amt_read);
274 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
276 struct pcap_ng_sf *ps;
278 struct block_header bhdr;
280 size_t data_remaining;
284 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
286 return (status); /* error or EOF */
289 bhdr.block_type = SWAPLONG(bhdr.block_type);
290 bhdr.total_length = SWAPLONG(bhdr.total_length);
294 * Is this block "too big"?
296 * We choose 16MB as "too big", for now, so that we handle
297 * "reasonably" large buffers but don't chew up all the
298 * memory if we read a malformed file.
300 if (bhdr.total_length > 16*1024*1024) {
301 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
302 "pcapng block size %u > maximum %u",
303 bhdr.total_length, 16*1024*1024);
308 * Is this block "too small" - i.e., is it shorter than a block
309 * header plus a block trailer?
311 if (bhdr.total_length < sizeof(struct block_header) +
312 sizeof(struct block_trailer)) {
313 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
314 "block in pcapng dump file has a length of %u < %lu",
316 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
321 * Is the buffer big enough?
323 if (p->bufsize < bhdr.total_length) {
325 * No - make it big enough, unless it's too big.
329 if (bhdr.total_length > ps->max_blocksize) {
330 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "block is larger than maximum block size %u",
334 bigger_buffer = realloc(p->buffer, bhdr.total_length);
335 if (bigger_buffer == NULL) {
336 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
339 p->buffer = bigger_buffer;
343 * Copy the stuff we've read to the buffer, and read the rest
346 memcpy(p->buffer, &bhdr, sizeof(bhdr));
347 bdata = (u_char *)p->buffer + sizeof(bhdr);
348 data_remaining = bhdr.total_length - sizeof(bhdr);
349 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
353 * Initialize the cursor.
355 cursor->data = bdata;
356 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
357 cursor->block_type = bhdr.block_type;
362 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
368 * Make sure we have the specified amount of data remaining in
371 if (cursor->data_remaining < chunk_size) {
372 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
373 "block of type %u in pcapng dump file is too short",
379 * Return the current pointer, and skip past the chunk.
382 cursor->data += chunk_size;
383 cursor->data_remaining -= chunk_size;
387 static struct option_header *
388 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
390 struct option_header *opthdr;
392 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
393 if (opthdr == NULL) {
395 * Option header is cut short.
401 * Byte-swap it if necessary.
404 opthdr->option_code = SWAPSHORT(opthdr->option_code);
405 opthdr->option_length = SWAPSHORT(opthdr->option_length);
412 get_optvalue_from_block_data(struct block_cursor *cursor,
413 struct option_header *opthdr, char *errbuf)
415 size_t padded_option_len;
418 /* Pad option length to 4-byte boundary */
419 padded_option_len = opthdr->option_length;
420 padded_option_len = ((padded_option_len + 3)/4)*4;
422 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
423 if (optvalue == NULL) {
425 * Option value is cut short.
434 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
435 uint64_t *tsoffset, int *is_binary, char *errbuf)
437 struct option_header *opthdr;
439 int saw_tsresol, saw_tsoffset;
445 while (cursor->data_remaining != 0) {
447 * Get the option header.
449 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
450 if (opthdr == NULL) {
452 * Option header is cut short.
460 optvalue = get_optvalue_from_block_data(cursor, opthdr,
462 if (optvalue == NULL) {
464 * Option value is cut short.
469 switch (opthdr->option_code) {
472 if (opthdr->option_length != 0) {
473 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
474 "Interface Description Block has opt_endofopt option with length %u != 0",
475 opthdr->option_length);
481 if (opthdr->option_length != 1) {
482 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
483 "Interface Description Block has if_tsresol option with length %u != 1",
484 opthdr->option_length);
488 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
489 "Interface Description Block has more than one if_tsresol option");
493 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
494 if (tsresol_opt & 0x80) {
496 * Resolution is negative power of 2.
499 *tsresol = 1 << (tsresol_opt & 0x7F);
502 * Resolution is negative power of 10.
506 for (i = 0; i < tsresol_opt; i++)
511 * Resolution is too high.
513 if (tsresol_opt & 0x80) {
514 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
515 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
518 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
519 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
527 if (opthdr->option_length != 8) {
528 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
529 "Interface Description Block has if_tsoffset option with length %u != 8",
530 opthdr->option_length);
534 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
535 "Interface Description Block has more than one if_tsoffset option");
539 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
541 *tsoffset = SWAPLL(*tsoffset);
554 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
556 struct pcap_ng_sf *ps;
564 * Count this interface.
569 * Grow the array of per-interface information as necessary.
571 if (ps->ifcount > ps->ifaces_size) {
573 * We need to grow the array.
575 bpf_u_int32 new_ifaces_size;
576 struct pcap_ng_if *new_ifaces;
578 if (ps->ifaces_size == 0) {
580 * It's currently empty.
582 * (The Clang static analyzer doesn't do enough,
583 * err, umm, dataflow *analysis* to realize that
584 * ps->ifaces_size == 0 if ps->ifaces == NULL,
585 * and so complains about a possible zero argument
586 * to realloc(), so we check for the former
587 * condition to shut it up.
589 * However, it doesn't complain that one of the
590 * multiplications below could overflow, which is
591 * a real, albeit extremely unlikely, problem (you'd
592 * need a pcapng file with tens of millions of
596 new_ifaces = malloc(sizeof (struct pcap_ng_if));
599 * It's not currently empty; double its size.
600 * (Perhaps overkill once we have a lot of interfaces.)
602 * Check for overflow if we double it.
604 if (ps->ifaces_size * 2 < ps->ifaces_size) {
606 * The maximum number of interfaces before
607 * ps->ifaces_size overflows is the largest
608 * possible 32-bit power of 2, as we do
611 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
612 "more than %u interfaces in the file",
618 * ps->ifaces_size * 2 doesn't overflow, so it's
621 new_ifaces_size = ps->ifaces_size * 2;
624 * Now make sure that's not so big that it overflows
625 * if we multiply by sizeof (struct pcap_ng_if).
627 * That can happen on 32-bit platforms, with a 32-bit
628 * size_t; it shouldn't happen on 64-bit platforms,
629 * with a 64-bit size_t, as new_ifaces_size is
632 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
634 * As this fails only with 32-bit size_t,
635 * the multiplication was 32x32->32, and
636 * the largest 32-bit value that can safely
637 * be multiplied by sizeof (struct pcap_ng_if)
638 * without overflow is the largest 32-bit
639 * (unsigned) value divided by
640 * sizeof (struct pcap_ng_if).
642 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
643 "more than %u interfaces in the file",
644 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
647 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
649 if (new_ifaces == NULL) {
651 * We ran out of memory.
654 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
655 "out of memory for per-interface information (%u interfaces)",
659 ps->ifaces_size = new_ifaces_size;
660 ps->ifaces = new_ifaces;
664 * Set the default time stamp resolution and offset.
666 tsresol = 1000000; /* microsecond resolution */
667 is_binary = 0; /* which is a power of 10 */
668 tsoffset = 0; /* absolute timestamps */
671 * Now look for various time stamp options, so we know
672 * how to interpret the time stamps for this interface.
674 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
678 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
679 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
682 * Determine whether we're scaling up or down or not
683 * at all for this interface.
685 if (tsresol == ps->user_tsresol) {
687 * The resolution is the resolution the user wants,
688 * so we don't have to do scaling.
690 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
691 } else if (tsresol > ps->user_tsresol) {
693 * The resolution is greater than what the user wants,
694 * so we have to scale the timestamps down.
697 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
700 * Calculate the scale factor.
702 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
703 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
707 * The resolution is less than what the user wants,
708 * so we have to scale the timestamps up.
711 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
714 * Calculate the scale factor.
716 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
717 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
724 * Check whether this is a pcapng savefile and, if it is, extract the
725 * relevant information from the header.
728 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
732 bpf_u_int32 total_length;
733 bpf_u_int32 byte_order_magic;
734 struct block_header *bhdrp;
735 struct section_header_block *shbp;
738 struct pcap_ng_sf *ps;
740 struct block_cursor cursor;
741 struct interface_description_block *idbp;
744 * Assume no read errors.
749 * Check whether the first 4 bytes of the file are the block
750 * type for a pcapng savefile.
752 if (magic != BT_SHB) {
754 * XXX - check whether this looks like what the block
755 * type would be after being munged by mapping between
756 * UN*X and DOS/Windows text file format and, if it
757 * does, look for the byte-order magic number in
758 * the appropriate place and, if we find it, report
759 * this as possibly being a pcapng file transferred
760 * between UN*X and Windows in text file format?
762 return (NULL); /* nope */
766 * OK, they are. However, that's just \n\r\r\n, so it could,
767 * conceivably, be an ordinary text file.
769 * It could not, however, conceivably be any other type of
770 * capture file, so we can read the rest of the putative
771 * Section Header Block; put the block type in the common
772 * header, read the rest of the common header and the
773 * fixed-length portion of the SHB, and look for the byte-order
776 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
777 if (amt_read < sizeof(total_length)) {
779 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
780 errno, "error reading dump file");
782 return (NULL); /* fail */
786 * Possibly a weird short text file, so just say
791 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
792 if (amt_read < sizeof(byte_order_magic)) {
794 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
795 errno, "error reading dump file");
797 return (NULL); /* fail */
801 * Possibly a weird short text file, so just say
806 if (byte_order_magic != BYTE_ORDER_MAGIC) {
807 byte_order_magic = SWAPLONG(byte_order_magic);
808 if (byte_order_magic != BYTE_ORDER_MAGIC) {
815 total_length = SWAPLONG(total_length);
819 * Check the sanity of the total length.
821 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
822 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
823 "Section Header Block in pcapng dump file has a length of %u < %lu",
825 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
831 * OK, this is a good pcapng file.
832 * Allocate a pcap_t for it.
834 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
836 /* Allocation failed. */
840 p->swapped = swapped;
844 * What precision does the user want?
848 case PCAP_TSTAMP_PRECISION_MICRO:
849 ps->user_tsresol = 1000000;
852 case PCAP_TSTAMP_PRECISION_NANO:
853 ps->user_tsresol = 1000000000;
857 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
858 "unknown time stamp resolution %u", precision);
864 p->opt.tstamp_precision = precision;
867 * Allocate a buffer into which to read blocks. We default to
870 * the total length of the SHB for which we read the header;
872 * 2K, which should be more than large enough for an Enhanced
873 * Packet Block containing a full-size Ethernet frame, and
874 * leaving room for some options.
876 * If we find a bigger block, we reallocate the buffer, up to
877 * the maximum size. We start out with a maximum size based
878 * on a maximum snapshot length of MAXIMUM_SNAPLEN; if we see
879 * any link-layer header types with a larger maximum snapshot
880 * length, we boost the maximum.
883 if (p->bufsize < total_length)
884 p->bufsize = total_length;
885 p->buffer = malloc(p->bufsize);
886 if (p->buffer == NULL) {
887 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
892 ps->max_blocksize = MAX_BLOCKSIZE(MAXIMUM_SNAPLEN);
895 * Copy the stuff we've read to the buffer, and read the rest
898 bhdrp = (struct block_header *)p->buffer;
899 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
900 bhdrp->block_type = magic;
901 bhdrp->total_length = total_length;
902 shbp->byte_order_magic = byte_order_magic;
904 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
905 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
911 * Byte-swap the fields we've read.
913 shbp->major_version = SWAPSHORT(shbp->major_version);
914 shbp->minor_version = SWAPSHORT(shbp->minor_version);
917 * XXX - we don't care about the section length.
920 /* currently only SHB version 1.0 is supported */
921 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
922 shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
923 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
924 "unsupported pcapng savefile version %u.%u",
925 shbp->major_version, shbp->minor_version);
928 p->version_major = shbp->major_version;
929 p->version_minor = shbp->minor_version;
932 * Save the time stamp resolution the user requested.
934 p->opt.tstamp_precision = precision;
937 * Now start looking for an Interface Description Block.
941 * Read the next block.
943 status = read_block(fp, p, &cursor, errbuf);
945 /* EOF - no IDB in this file */
946 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
947 "the capture file has no Interface Description Blocks");
951 goto fail; /* error */
952 switch (cursor.block_type) {
956 * Get a pointer to the fixed-length portion of the
959 idbp = get_from_block_data(&cursor, sizeof(*idbp),
962 goto fail; /* error */
965 * Byte-swap it if necessary.
968 idbp->linktype = SWAPSHORT(idbp->linktype);
969 idbp->snaplen = SWAPLONG(idbp->snaplen);
973 * Try to add this interface.
975 if (!add_interface(p, &cursor, errbuf))
984 * Saw a packet before we saw any IDBs. That's
985 * not valid, as we don't know what link-layer
986 * encapsulation the packet has.
988 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
989 "the capture file has a packet block before any Interface Description Blocks");
1001 p->tzoff = 0; /* XXX - not used in pcap */
1002 p->snapshot = idbp->snaplen;
1003 if (p->snapshot <= 0) {
1005 * Bogus snapshot length; use the maximum for this
1006 * link-layer type as a fallback.
1008 * XXX - the only reason why snapshot is signed is
1009 * that pcap_snapshot() returns an int, not an
1012 p->snapshot = max_snaplen_for_dlt(idbp->linktype);
1014 p->linktype = linktype_to_dlt(idbp->linktype);
1015 p->linktype_ext = 0;
1018 * If the maximum block size for a packet with the maximum
1019 * snapshot length for this DLT_ is bigger than the current
1020 * maximum block size, increase the maximum.
1022 if (MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1023 ps->max_blocksize = MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype));
1025 p->next_packet_op = pcap_ng_next_packet;
1026 p->cleanup_op = pcap_ng_cleanup;
1039 pcap_ng_cleanup(pcap_t *p)
1041 struct pcap_ng_sf *ps = p->priv;
1048 * Read and return the next packet from the savefile. Return the header
1049 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1050 * if there were no more packets, and -1 on an error.
1053 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1055 struct pcap_ng_sf *ps = p->priv;
1056 struct block_cursor cursor;
1058 struct enhanced_packet_block *epbp;
1059 struct simple_packet_block *spbp;
1060 struct packet_block *pbp;
1061 bpf_u_int32 interface_id = 0xFFFFFFFF;
1062 struct interface_description_block *idbp;
1063 struct section_header_block *shbp;
1064 FILE *fp = p->rfile;
1065 uint64_t t, sec, frac;
1068 * Look for an Enhanced Packet Block, a Simple Packet Block,
1069 * or a Packet Block.
1073 * Read the block type and length; those are common
1076 status = read_block(fp, p, &cursor, p->errbuf);
1078 return (1); /* EOF */
1080 return (-1); /* error */
1081 switch (cursor.block_type) {
1085 * Get a pointer to the fixed-length portion of the
1088 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1091 return (-1); /* error */
1094 * Byte-swap it if necessary.
1097 /* these were written in opposite byte order */
1098 interface_id = SWAPLONG(epbp->interface_id);
1099 hdr->caplen = SWAPLONG(epbp->caplen);
1100 hdr->len = SWAPLONG(epbp->len);
1101 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1102 SWAPLONG(epbp->timestamp_low);
1104 interface_id = epbp->interface_id;
1105 hdr->caplen = epbp->caplen;
1106 hdr->len = epbp->len;
1107 t = ((uint64_t)epbp->timestamp_high) << 32 |
1108 epbp->timestamp_low;
1114 * Get a pointer to the fixed-length portion of the
1117 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1120 return (-1); /* error */
1123 * SPB packets are assumed to have arrived on
1124 * the first interface.
1129 * Byte-swap it if necessary.
1132 /* these were written in opposite byte order */
1133 hdr->len = SWAPLONG(spbp->len);
1135 hdr->len = spbp->len;
1138 * The SPB doesn't give the captured length;
1139 * it's the minimum of the snapshot length
1140 * and the packet length.
1142 hdr->caplen = hdr->len;
1143 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1144 hdr->caplen = p->snapshot;
1145 t = 0; /* no time stamps */
1150 * Get a pointer to the fixed-length portion of the
1153 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1156 return (-1); /* error */
1159 * Byte-swap it if necessary.
1162 /* these were written in opposite byte order */
1163 interface_id = SWAPSHORT(pbp->interface_id);
1164 hdr->caplen = SWAPLONG(pbp->caplen);
1165 hdr->len = SWAPLONG(pbp->len);
1166 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1167 SWAPLONG(pbp->timestamp_low);
1169 interface_id = pbp->interface_id;
1170 hdr->caplen = pbp->caplen;
1171 hdr->len = pbp->len;
1172 t = ((uint64_t)pbp->timestamp_high) << 32 |
1179 * Interface Description Block. Get a pointer
1180 * to its fixed-length portion.
1182 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1185 return (-1); /* error */
1188 * Byte-swap it if necessary.
1191 idbp->linktype = SWAPSHORT(idbp->linktype);
1192 idbp->snaplen = SWAPLONG(idbp->snaplen);
1196 * If the link-layer type or snapshot length
1197 * differ from the ones for the first IDB we
1200 * XXX - just discard packets from those
1203 if (p->linktype != idbp->linktype) {
1204 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1205 "an interface has a type %u different from the type of the first interface",
1209 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1210 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1211 "an interface has a snapshot length %u different from the type of the first interface",
1217 * Try to add this interface.
1219 if (!add_interface(p, &cursor, p->errbuf))
1225 * Section Header Block. Get a pointer
1226 * to its fixed-length portion.
1228 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1231 return (-1); /* error */
1234 * Assume the byte order of this section is
1235 * the same as that of the previous section.
1236 * We'll check for that later.
1239 shbp->byte_order_magic =
1240 SWAPLONG(shbp->byte_order_magic);
1241 shbp->major_version =
1242 SWAPSHORT(shbp->major_version);
1246 * Make sure the byte order doesn't change;
1247 * pcap_is_swapped() shouldn't change its
1248 * return value in the middle of reading a capture.
1250 switch (shbp->byte_order_magic) {
1252 case BYTE_ORDER_MAGIC:
1258 case SWAPLONG(BYTE_ORDER_MAGIC):
1260 * Byte order changes.
1262 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1263 "the file has sections with different byte orders");
1270 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1271 "the file has a section with a bad byte order magic field");
1276 * Make sure the major version is the version
1279 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1280 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1281 "unknown pcapng savefile major version number %u",
1282 shbp->major_version);
1287 * Reset the interface count; this section should
1288 * have its own set of IDBs. If any of them
1289 * don't have the same interface type, snapshot
1290 * length, or resolution as the first interface
1291 * we saw, we'll fail. (And if we don't see
1292 * any IDBs, we'll fail when we see a packet
1300 * Not a packet block, IDB, or SHB; ignore it.
1308 * Is the interface ID an interface we know?
1310 if (interface_id >= ps->ifcount) {
1314 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1315 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1320 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1321 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1322 "invalid packet capture length %u, bigger than "
1323 "snaplen of %d", hdr->caplen, p->snapshot);
1328 * Convert the time stamp to seconds and fractions of a second,
1329 * with the fractions being in units of the file-supplied resolution.
1331 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1332 frac = t % ps->ifaces[interface_id].tsresol;
1335 * Convert the fractions from units of the file-supplied resolution
1336 * to units of the user-requested resolution.
1338 switch (ps->ifaces[interface_id].scale_type) {
1342 * The interface resolution is what the user wants,
1349 * The interface resolution is less than what the user
1350 * wants; scale the fractional part up to the units of
1351 * the resolution the user requested by multiplying by
1352 * the quotient of the user-requested resolution and the
1353 * file-supplied resolution.
1355 * Those resolutions are both powers of 10, and the user-
1356 * requested resolution is greater than the file-supplied
1357 * resolution, so the quotient in question is an integer.
1358 * We've calculated that quotient already, so we just
1361 frac *= ps->ifaces[interface_id].scale_factor;
1366 * The interface resolution is less than what the user
1367 * wants; scale the fractional part up to the units of
1368 * the resolution the user requested by multiplying by
1369 * the quotient of the user-requested resolution and the
1370 * file-supplied resolution.
1372 * The file-supplied resolution is a power of 2, so the
1373 * quotient is not an integer, so, in order to do this
1374 * entirely with integer arithmetic, we multiply by the
1375 * user-requested resolution and divide by the file-
1376 * supplied resolution.
1378 * XXX - Is there something clever we could do here,
1379 * given that we know that the file-supplied resolution
1380 * is a power of 2? Doing a multiplication followed by
1381 * a division runs the risk of overflowing, and involves
1382 * two non-simple arithmetic operations.
1384 frac *= ps->user_tsresol;
1385 frac /= ps->ifaces[interface_id].tsresol;
1388 case SCALE_DOWN_DEC:
1390 * The interface resolution is greater than what the user
1391 * wants; scale the fractional part up to the units of
1392 * the resolution the user requested by multiplying by
1393 * the quotient of the user-requested resolution and the
1394 * file-supplied resolution.
1396 * Those resolutions are both powers of 10, and the user-
1397 * requested resolution is less than the file-supplied
1398 * resolution, so the quotient in question isn't an
1399 * integer, but its reciprocal is, and we can just divide
1400 * by the reciprocal of the quotient. We've calculated
1401 * the reciprocal of that quotient already, so we must
1404 frac /= ps->ifaces[interface_id].scale_factor;
1408 case SCALE_DOWN_BIN:
1410 * The interface resolution is greater than what the user
1411 * wants; convert the fractional part to units of the
1412 * resolution the user requested by multiplying by the
1413 * quotient of the user-requested resolution and the
1414 * file-supplied resolution. We do that by multiplying
1415 * by the user-requested resolution and dividing by the
1416 * file-supplied resolution, as the quotient might not
1417 * fit in an integer.
1419 * The file-supplied resolution is a power of 2, so the
1420 * quotient is not an integer, and neither is its
1421 * reciprocal, so, in order to do this entirely with
1422 * integer arithmetic, we multiply by the user-requested
1423 * resolution and divide by the file-supplied resolution.
1425 * XXX - Is there something clever we could do here,
1426 * given that we know that the file-supplied resolution
1427 * is a power of 2? Doing a multiplication followed by
1428 * a division runs the risk of overflowing, and involves
1429 * two non-simple arithmetic operations.
1431 frac *= ps->user_tsresol;
1432 frac /= ps->ifaces[interface_id].tsresol;
1437 * tv_sec and tv_used in the Windows struct timeval are both
1440 hdr->ts.tv_sec = (long)sec;
1441 hdr->ts.tv_usec = (long)frac;
1444 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1445 * suseconds_t in UN*Xes that work the way the current Single
1446 * UNIX Standard specify - but not all older UN*Xes necessarily
1447 * support that type, so just cast to int.
1449 hdr->ts.tv_sec = (time_t)sec;
1450 hdr->ts.tv_usec = (int)frac;
1454 * Get a pointer to the packet data.
1456 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1461 swap_pseudo_headers(p->linktype, hdr, *data);