2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
25 static const char rcsid[] _U_ =
26 "@(#) $Header$ (LBL)";
34 #include <pcap-stdinc.h>
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
44 #include <sys/types.h>
55 #include "pcap-common.h"
57 #ifdef HAVE_OS_PROTO_H
61 #include "sf-pcap-ng.h"
68 * Common part at the beginning of all blocks.
71 bpf_u_int32 block_type;
72 bpf_u_int32 total_length;
76 * Common trailer at the end of all blocks.
78 struct block_trailer {
79 bpf_u_int32 total_length;
85 #define OPT_ENDOFOPT 0 /* end of options */
86 #define OPT_COMMENT 1 /* comment string */
91 struct option_header {
93 u_short option_length;
97 * Structures for the part of each block type following the common
102 * Section Header Block.
104 #define BT_SHB 0x0A0D0D0A
106 struct section_header_block {
107 bpf_u_int32 byte_order_magic;
108 u_short major_version;
109 u_short minor_version;
110 u_int64_t section_length;
111 /* followed by options and trailer */
115 * Byte-order magic value.
117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
121 * that means that this code can't read the file.
123 #define PCAP_NG_VERSION_MAJOR 1
126 * Interface Description Block.
128 #define BT_IDB 0x00000001
130 struct interface_description_block {
134 /* followed by options and trailer */
138 * Options in the IDB.
140 #define IF_NAME 2 /* interface name string */
141 #define IF_DESCRIPTION 3 /* interface description string */
142 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
143 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
144 #define IF_MACADDR 6 /* interface's MAC address */
145 #define IF_EUIADDR 7 /* interface's EUI address */
146 #define IF_SPEED 8 /* interface's speed, in bits/s */
147 #define IF_TSRESOL 9 /* interface's time stamp resolution */
148 #define IF_TZONE 10 /* interface's time zone */
149 #define IF_FILTER 11 /* filter used when capturing on interface */
150 #define IF_OS 12 /* string OS on which capture on this interface was done */
151 #define IF_FCSLEN 13 /* FCS length for this interface */
152 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
155 * Enhanced Packet Block.
157 #define BT_EPB 0x00000006
159 struct enhanced_packet_block {
160 bpf_u_int32 interface_id;
161 bpf_u_int32 timestamp_high;
162 bpf_u_int32 timestamp_low;
165 /* followed by packet data, options, and trailer */
169 * Simple Packet Block.
171 #define BT_SPB 0x00000003
173 struct simple_packet_block {
175 /* followed by packet data and trailer */
181 #define BT_PB 0x00000002
183 struct packet_block {
184 u_short interface_id;
186 bpf_u_int32 timestamp_high;
187 bpf_u_int32 timestamp_low;
190 /* followed by packet data, options, and trailer */
194 * Block cursor - used when processing the contents of a block.
195 * Contains a pointer into the data being processed and a count
196 * of bytes remaining in the block.
198 struct block_cursor {
200 size_t data_remaining;
201 bpf_u_int32 block_type;
204 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
208 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
213 amt_read = fread(buf, 1, bytes_to_read, fp);
214 if (amt_read != bytes_to_read) {
216 snprintf(errbuf, PCAP_ERRBUF_SIZE,
217 "error reading dump file: %s",
218 pcap_strerror(errno));
220 if (amt_read == 0 && !fail_on_eof)
221 return (0); /* EOF */
222 snprintf(errbuf, PCAP_ERRBUF_SIZE,
223 "truncated dump file; tried to read %lu bytes, only got %lu",
224 (unsigned long)bytes_to_read,
225 (unsigned long)amt_read);
233 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
236 struct block_header bhdr;
238 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
240 return (status); /* error or EOF */
243 bhdr.block_type = SWAPLONG(bhdr.block_type);
244 bhdr.total_length = SWAPLONG(bhdr.total_length);
248 * Is this block "too big"?
250 * We choose 16MB as "too big", for now, so that we handle
251 * "reasonably" large buffers but don't chew up all the
252 * memory if we read a malformed file.
254 if (bhdr.total_length > 16*1024*1024) {
255 snprintf(errbuf, PCAP_ERRBUF_SIZE,
256 "pcap-ng block size %u > maximum %u",
257 bhdr.total_length, 16*1024*1024);
262 * Is this block "too small" - i.e., is it shorter than a block
263 * header plus a block trailer?
265 if (bhdr.total_length < sizeof(struct block_header) +
266 sizeof(struct block_trailer)) {
267 snprintf(errbuf, PCAP_ERRBUF_SIZE,
268 "block in pcap-ng dump file has a length of %u < %lu",
270 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
275 * Is the buffer big enough?
277 if (p->bufsize < bhdr.total_length) {
279 * No - make it big enough.
281 p->buffer = realloc(p->buffer, bhdr.total_length);
282 if (p->buffer == NULL) {
283 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
289 * Copy the stuff we've read to the buffer, and read the rest
292 memcpy(p->buffer, &bhdr, sizeof(bhdr));
293 if (read_bytes(fp, p->buffer + sizeof(bhdr),
294 bhdr.total_length - sizeof(bhdr), 1, errbuf) == -1)
298 * Initialize the cursor.
300 cursor->data = p->buffer + sizeof(bhdr);
301 cursor->data_remaining = bhdr.total_length - sizeof(bhdr) -
302 sizeof(struct block_trailer);
303 cursor->block_type = bhdr.block_type;
308 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
314 * Make sure we have the specified amount of data remaining in
317 if (cursor->data_remaining < chunk_size) {
318 snprintf(errbuf, PCAP_ERRBUF_SIZE,
319 "block of type %u in pcap-ng dump file is too short",
325 * Return the current pointer, and skip past the chunk.
328 cursor->data += chunk_size;
329 cursor->data_remaining -= chunk_size;
333 static struct option_header *
334 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
336 struct option_header *opthdr;
338 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
339 if (opthdr == NULL) {
341 * Option header is cut short.
347 * Byte-swap it if necessary.
350 opthdr->option_code = SWAPSHORT(opthdr->option_code);
351 opthdr->option_length = SWAPSHORT(opthdr->option_length);
358 get_optvalue_from_block_data(struct block_cursor *cursor,
359 struct option_header *opthdr, char *errbuf)
361 size_t padded_option_len;
364 /* Pad option length to 4-byte boundary */
365 padded_option_len = opthdr->option_length;
366 padded_option_len = ((padded_option_len + 3)/4)*4;
368 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
369 if (optvalue == NULL) {
371 * Option value is cut short.
380 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
381 u_int64_t *tsoffset, char *errbuf)
383 struct option_header *opthdr;
385 int saw_tsresol, saw_tsoffset;
391 while (cursor->data_remaining != 0) {
393 * Get the option header.
395 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
396 if (opthdr == NULL) {
398 * Option header is cut short.
406 optvalue = get_optvalue_from_block_data(cursor, opthdr,
408 if (optvalue == NULL) {
410 * Option value is cut short.
415 switch (opthdr->option_code) {
418 if (opthdr->option_length != 0) {
419 snprintf(errbuf, PCAP_ERRBUF_SIZE,
420 "Interface Description Block has opt_endofopt option with length %u != 0",
421 opthdr->option_length);
427 if (opthdr->option_length != 1) {
428 snprintf(errbuf, PCAP_ERRBUF_SIZE,
429 "Interface Description Block has if_tsresol option with length %u != 1",
430 opthdr->option_length);
434 snprintf(errbuf, PCAP_ERRBUF_SIZE,
435 "Interface Description Block has more than one if_tsresol option");
439 tsresol_opt = *(u_int *)optvalue;
440 if (tsresol_opt & 0x80) {
442 * Resolution is negative power of 2.
444 *tsresol = 1 << (tsresol_opt & 0x7F);
447 * Resolution is negative power of 10.
450 for (i = 0; i < tsresol_opt; i++)
455 * Resolution is too high.
457 if (tsresol_opt & 0x80) {
458 snprintf(errbuf, PCAP_ERRBUF_SIZE,
459 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
462 snprintf(errbuf, PCAP_ERRBUF_SIZE,
463 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
471 if (opthdr->option_length != 8) {
472 snprintf(errbuf, PCAP_ERRBUF_SIZE,
473 "Interface Description Block has if_tsoffset option with length %u != 8",
474 opthdr->option_length);
478 snprintf(errbuf, PCAP_ERRBUF_SIZE,
479 "Interface Description Block has more than one if_tsoffset option");
483 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
485 *tsoffset = SWAPLL(*tsoffset);
498 * Check whether this is a pcap-ng savefile and, if it is, extract the
499 * relevant information from the header.
502 pcap_ng_check_header(pcap_t *p, bpf_u_int32 magic, FILE *fp, char *errbuf)
505 bpf_u_int32 total_length;
506 bpf_u_int32 byte_order_magic;
507 struct block_header *bhdrp;
508 struct section_header_block *shbp;
510 struct block_cursor cursor;
511 struct interface_description_block *idbp;
514 * Check whether the first 4 bytes of the file are the block
515 * type for a pcap-ng savefile.
517 if (magic != BT_SHB) {
519 * XXX - check whether this looks like what the block
520 * type would be after being munged by mapping between
521 * UN*X and DOS/Windows text file format and, if it
522 * does, look for the byte-order magic number in
523 * the appropriate place and, if we find it, report
524 * this as possibly being a pcap-ng file transferred
525 * between UN*X and Windows in text file format?
527 return (0); /* nope */
531 * OK, they are. However, that's just \n\r\r\n, so it could,
532 * conceivably, be an ordinary text file.
534 * It could not, however, conceivably be any other type of
535 * capture file, so we can read the rest of the putative
536 * Section Header Block; put the block type in the common
537 * header, read the rest of the common header and the
538 * fixed-length portion of the SHB, and look for the byte-order
541 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
542 if (amt_read < sizeof(total_length)) {
544 snprintf(errbuf, PCAP_ERRBUF_SIZE,
545 "error reading dump file: %s",
546 pcap_strerror(errno));
547 return (-1); /* fail */
551 * Possibly a weird short text file, so just say
556 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
557 if (amt_read < sizeof(byte_order_magic)) {
559 snprintf(errbuf, PCAP_ERRBUF_SIZE,
560 "error reading dump file: %s",
561 pcap_strerror(errno));
562 return (-1); /* fail */
566 * Possibly a weird short text file, so just say
571 if (byte_order_magic != BYTE_ORDER_MAGIC) {
572 byte_order_magic = SWAPLONG(byte_order_magic);
573 if (byte_order_magic != BYTE_ORDER_MAGIC) {
575 * Not a pcap-ng file.
580 total_length = SWAPLONG(total_length);
584 * Check the sanity of the total length.
586 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
587 snprintf(errbuf, PCAP_ERRBUF_SIZE,
588 "Section Header Block in pcap-ng dump file has a length of %u < %lu",
590 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
595 * Allocate a buffer into which to read blocks. We default to
598 * the total length of the SHB for which we read the header;
600 * 2K, which should be more than large enough for an Enhanced
601 * Packet Block containing a full-size Ethernet frame, and
602 * leaving room for some options.
604 * If we find a bigger block, we reallocate the buffer.
607 if (p->bufsize < total_length)
608 p->bufsize = total_length;
609 p->buffer = malloc(p->bufsize);
610 if (p->buffer == NULL) {
611 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
616 * Copy the stuff we've read to the buffer, and read the rest
619 bhdrp = (struct block_header *)p->buffer;
620 shbp = (struct section_header_block *)(p->buffer + sizeof(struct block_header));
621 bhdrp->block_type = magic;
622 bhdrp->total_length = total_length;
623 shbp->byte_order_magic = byte_order_magic;
625 p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
626 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
632 * Byte-swap the fields we've read.
634 shbp->major_version = SWAPSHORT(shbp->major_version);
635 shbp->minor_version = SWAPSHORT(shbp->minor_version);
638 * XXX - we don't care about the section length.
641 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
642 snprintf(errbuf, PCAP_ERRBUF_SIZE,
643 "unknown pcap-ng savefile major version number %u",
644 shbp->major_version);
647 p->sf.version_major = shbp->major_version;
648 p->sf.version_minor = shbp->minor_version;
651 * Set the default time stamp resolution and offset.
653 p->sf.tsresol = 1000000; /* microsecond resolution */
654 p->sf.tsscale = 1; /* multiply by 1 to scale to microseconds */
655 p->sf.tsoffset = 0; /* absolute timestamps */
658 * Now start looking for an Interface Description Block.
662 * Read the next block.
664 status = read_block(fp, p, &cursor, errbuf);
666 /* EOF - no IDB in this file */
667 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
668 "the capture file has no Interface Description Blocks");
672 goto fail; /* error */
673 switch (cursor.block_type) {
677 * Get a pointer to the fixed-length portion of the
680 idbp = get_from_block_data(&cursor, sizeof(*idbp),
683 goto fail; /* error */
686 * Byte-swap it if necessary.
689 idbp->linktype = SWAPSHORT(idbp->linktype);
690 idbp->snaplen = SWAPLONG(idbp->snaplen);
694 * Count this interface.
699 * Now look for various time stamp options, so
700 * we know how to interpret the time stamps.
702 if (process_idb_options(p, &cursor, &p->sf.tsresol,
703 &p->sf.tsoffset, errbuf) == -1)
707 * Compute the scaling factor to convert the
708 * sub-second part of the time stamp to
711 if (p->sf.tsresol > 1000000) {
713 * Higher than microsecond resolution;
714 * scale down to microseconds.
716 p->sf.tsscale = (p->sf.tsresol / 1000000);
719 * Lower than microsecond resolution;
720 * scale up to microseconds.
722 p->sf.tsscale = (1000000 / p->sf.tsresol);
730 * Saw a packet before we saw any IDBs. That's
731 * not valid, as we don't know what link-layer
732 * encapsulation the packet has.
734 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
735 "the capture file has a packet block before any Interface Description Blocks");
747 p->tzoff = 0; /* XXX - not used in pcap */
748 p->snapshot = idbp->snaplen;
749 p->linktype = idbp->linktype;
752 p->sf.next_packet_op = pcap_ng_next_packet;
762 * Read and return the next packet from the savefile. Return the header
763 * in hdr and a pointer to the contents in data. Return 0 on success, 1
764 * if there were no more packets, and -1 on an error.
767 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
769 struct block_cursor cursor;
771 struct enhanced_packet_block *epbp;
772 struct simple_packet_block *spbp;
773 struct packet_block *pbp;
774 bpf_u_int32 interface_id = 0xFFFFFFFF;
776 struct interface_description_block *idbp;
777 struct section_header_block *shbp;
778 FILE *fp = p->sf.rfile;
781 u_int64_t t, sec, frac;
784 * Look for an Enhanced Packet Block, a Simple Packet Block,
789 * Read the block type and length; those are common
792 status = read_block(fp, p, &cursor, p->errbuf);
794 return (1); /* EOF */
796 return (-1); /* error */
797 switch (cursor.block_type) {
801 * Get a pointer to the fixed-length portion of the
804 epbp = get_from_block_data(&cursor, sizeof(*epbp),
807 return (-1); /* error */
810 * Byte-swap it if necessary.
813 /* these were written in opposite byte order */
814 interface_id = SWAPLONG(epbp->interface_id);
815 hdr->caplen = SWAPLONG(epbp->caplen);
816 hdr->len = SWAPLONG(epbp->len);
817 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
818 SWAPLONG(epbp->timestamp_low);
820 interface_id = epbp->interface_id;
821 hdr->caplen = epbp->caplen;
822 hdr->len = epbp->len;
823 t = ((u_int64_t)epbp->timestamp_high) << 32 |
826 pblock_len = sizeof(*epbp);
831 * Get a pointer to the fixed-length portion of the
834 spbp = get_from_block_data(&cursor, sizeof(*spbp),
837 return (-1); /* error */
840 * SPB packets are assumed to have arrived on
841 * the first interface.
846 * Byte-swap it if necessary.
849 /* these were written in opposite byte order */
850 hdr->len = SWAPLONG(spbp->len);
852 hdr->len = spbp->len;
855 * The SPB doesn't give the captured length;
856 * it's the minimum of the snapshot length
857 * and the packet length.
859 hdr->caplen = hdr->len;
860 if (hdr->caplen > p->snapshot)
861 hdr->caplen = p->snapshot;
862 t = 0; /* no time stamps */
863 pblock_len = sizeof(*spbp);
868 * Get a pointer to the fixed-length portion of the
871 pbp = get_from_block_data(&cursor, sizeof(*pbp),
874 return (-1); /* error */
877 * Byte-swap it if necessary.
880 /* these were written in opposite byte order */
881 interface_id = SWAPSHORT(pbp->interface_id);
882 hdr->caplen = SWAPLONG(pbp->caplen);
883 hdr->len = SWAPLONG(pbp->len);
884 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
885 SWAPLONG(pbp->timestamp_low);
887 interface_id = pbp->interface_id;
888 hdr->caplen = pbp->caplen;
890 t = ((u_int64_t)pbp->timestamp_high) << 32 |
893 pblock_len = sizeof(*pbp);
898 * Interface Description Block. Get a pointer
899 * to its fixed-length portion.
901 idbp = get_from_block_data(&cursor, sizeof(*idbp),
904 return (-1); /* error */
907 * Byte-swap it if necessary.
910 idbp->linktype = SWAPSHORT(idbp->linktype);
911 idbp->snaplen = SWAPLONG(idbp->snaplen);
915 * If the link-layer type or snapshot length
916 * differ from the ones for the first IDB we
919 * XXX - just discard packets from those
922 if (p->linktype != idbp->linktype) {
923 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
924 "an interface has a type %u different from the type of the first interface",
928 if (p->snapshot != idbp->snaplen) {
929 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
930 "an interface has a snapshot length %u different from the type of the first interface",
936 * Count this interface.
941 * Set the default time stamp resolution and offset.
943 tsresol = 1000000; /* microsecond resolution */
944 tsoffset = 0; /* absolute timestamps */
947 * Now look for various time stamp options, to
948 * make sure they're the same.
950 * XXX - we could, in theory, handle multiple
951 * different resolutions and offsets, but we
952 * don't do so for now.
954 if (process_idb_options(p, &cursor, &tsresol, &tsoffset,
957 if (tsresol != p->sf.tsresol) {
958 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
959 "an interface has a time stamp resolution different from the time stamp resolution of the first interface");
962 if (tsoffset != p->sf.tsoffset) {
963 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
964 "an interface has a time stamp offset different from the time stamp offset of the first interface");
971 * Section Header Block. Get a pointer
972 * to its fixed-length portion.
974 shbp = get_from_block_data(&cursor, sizeof(*shbp),
977 return (-1); /* error */
980 * Assume the byte order of this section is
981 * the same as that of the previous section.
982 * We'll check for that later.
985 shbp->byte_order_magic =
986 SWAPLONG(shbp->byte_order_magic);
987 shbp->major_version =
988 SWAPSHORT(shbp->major_version);
992 * Make sure the byte order doesn't change;
993 * pcap_is_swapped() shouldn't change its
994 * return value in the middle of reading a capture.
996 switch (shbp->byte_order_magic) {
998 case BYTE_ORDER_MAGIC:
1004 case SWAPLONG(BYTE_ORDER_MAGIC):
1006 * Byte order changes.
1008 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1009 "the file has sections with different byte orders");
1016 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1017 "the file has a section with a bad byte order magic field");
1022 * Make sure the major version is the version
1025 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1026 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1027 "unknown pcap-ng savefile major version number %u",
1028 shbp->major_version);
1033 * Reset the interface count; this section should
1034 * have its own set of IDBs. If any of them
1035 * don't have the same interface type, snapshot
1036 * length, or resolution as the first interface
1037 * we saw, we'll fail. (And if we don't see
1038 * any IDBs, we'll fail when we see a packet
1046 * Not a packet block, IDB, or SHB; ignore it.
1054 * Is the interface ID an interface we know?
1056 if (interface_id > p->sf.ifcount) {
1060 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1061 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1067 * Convert the time stamp to a struct timeval.
1069 sec = t / p->sf.tsresol + p->sf.tsoffset;
1070 frac = t % p->sf.tsresol;
1071 if (p->sf.tsresol > 1000000) {
1073 * Higher than microsecond resolution; scale down to
1076 frac /= p->sf.tsscale;
1079 * Lower than microsecond resolution; scale up to
1082 frac *= p->sf.tsscale;
1084 hdr->ts.tv_sec = sec;
1085 hdr->ts.tv_usec = frac;
1088 * Get a pointer to the packet data.
1090 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1094 if (p->sf.swapped) {
1096 * Convert pseudo-headers from the byte order of
1097 * the host on which the file was saved to our
1098 * byte order, as necessary.
1100 switch (p->linktype) {
1103 swap_linux_usb_header(hdr, *data, 0);
1106 case DLT_USB_LINUX_MMAPPED:
1107 swap_linux_usb_header(hdr, *data, 1);
projects / FreeBSD / releng / 9.0.git / blob