1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include <pcap/pcap-inttypes.h>
29
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35
36 #include "pcap-int.h"
37
38 #include "pcap-common.h"
39
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43
44 #include "sf-pcapng.h"
45
46 /*
47 * Block types.
48 */
49
50 /*
51 * Common part at the beginning of all blocks.
52 */
53 struct block_header {
54 bpf_u_int32 block_type;
55 bpf_u_int32 total_length;
56 };
57
58 /*
59 * Common trailer at the end of all blocks.
60 */
61 struct block_trailer {
62 bpf_u_int32 total_length;
63 };
64
65 /*
66 * Common options.
67 */
68 #define OPT_ENDOFOPT 0 /* end of options */
69 #define OPT_COMMENT 1 /* comment string */
70
71 /*
72 * Option header.
73 */
74 struct option_header {
75 u_short option_code;
76 u_short option_length;
77 };
78
79 /*
80 * Structures for the part of each block type following the common
81 * part.
82 */
83
84 /*
85 * Section Header Block.
86 */
87 #define BT_SHB 0x0A0D0D0A
88
89 struct section_header_block {
90 bpf_u_int32 byte_order_magic;
91 u_short major_version;
92 u_short minor_version;
93 uint64_t section_length;
94 /* followed by options and trailer */
95 };
96
97 /*
98 * Byte-order magic value.
99 */
100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
101
102 /*
103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
104 * that means that this code can't read the file.
105 */
106 #define PCAP_NG_VERSION_MAJOR 1
107 #define PCAP_NG_VERSION_MINOR 0
108
109 /*
110 * Interface Description Block.
111 */
112 #define BT_IDB 0x00000001
113
114 struct interface_description_block {
115 u_short linktype;
116 u_short reserved;
117 bpf_u_int32 snaplen;
118 /* followed by options and trailer */
119 };
120
121 /*
122 * Options in the IDB.
123 */
124 #define IF_NAME 2 /* interface name string */
125 #define IF_DESCRIPTION 3 /* interface description string */
126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
128 #define IF_MACADDR 6 /* interface's MAC address */
129 #define IF_EUIADDR 7 /* interface's EUI address */
130 #define IF_SPEED 8 /* interface's speed, in bits/s */
131 #define IF_TSRESOL 9 /* interface's time stamp resolution */
132 #define IF_TZONE 10 /* interface's time zone */
133 #define IF_FILTER 11 /* filter used when capturing on interface */
134 #define IF_OS 12 /* string OS on which capture on this interface was done */
135 #define IF_FCSLEN 13 /* FCS length for this interface */
136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
137
138 /*
139 * Enhanced Packet Block.
140 */
141 #define BT_EPB 0x00000006
142
143 struct enhanced_packet_block {
144 bpf_u_int32 interface_id;
145 bpf_u_int32 timestamp_high;
146 bpf_u_int32 timestamp_low;
147 bpf_u_int32 caplen;
148 bpf_u_int32 len;
149 /* followed by packet data, options, and trailer */
150 };
151
152 /*
153 * Simple Packet Block.
154 */
155 #define BT_SPB 0x00000003
156
157 struct simple_packet_block {
158 bpf_u_int32 len;
159 /* followed by packet data and trailer */
160 };
161
162 /*
163 * Packet Block.
164 */
165 #define BT_PB 0x00000002
166
167 struct packet_block {
168 u_short interface_id;
169 u_short drops_count;
170 bpf_u_int32 timestamp_high;
171 bpf_u_int32 timestamp_low;
172 bpf_u_int32 caplen;
173 bpf_u_int32 len;
174 /* followed by packet data, options, and trailer */
175 };
176
177 /*
178 * Block cursor - used when processing the contents of a block.
179 * Contains a pointer into the data being processed and a count
180 * of bytes remaining in the block.
181 */
182 struct block_cursor {
183 u_char *data;
184 size_t data_remaining;
185 bpf_u_int32 block_type;
186 };
187
188 typedef enum {
189 PASS_THROUGH,
190 SCALE_UP_DEC,
191 SCALE_DOWN_DEC,
192 SCALE_UP_BIN,
193 SCALE_DOWN_BIN
194 } tstamp_scale_type_t;
195
196 /*
197 * Per-interface information.
198 */
199 struct pcap_ng_if {
200 uint64_t tsresol; /* time stamp resolution */
201 tstamp_scale_type_t scale_type; /* how to scale */
202 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
203 uint64_t tsoffset; /* time stamp offset */
204 };
205
206 /*
207 * Per-pcap_t private data.
208 *
209 * max_blocksize is the maximum size of a block that we'll accept. We
210 * reject blocks bigger than this, so we don't consume too much memory
211 * with a truly huge block. It can change as we see IDBs with different
212 * link-layer header types. (Currently, we don't support IDBs with
213 * different link-layer header types, but we will support it in the
214 * future, when we offer file-reading APIs that support it.)
215 *
216 * XXX - that's an issue on ILP32 platforms, where the maximum block
217 * size of 2^31-1 would eat all but one byte of the entire address space.
218 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
219 * of the address space may be limited by 1) the number of *significant*
220 * address bits (currently, x86-64 only supports 48 bits of address), 2)
221 * any limitations imposed by the operating system; 3) any limitations
222 * imposed by the amount of available backing store for anonymous pages,
223 * so we impose a limit regardless of the size of a pointer.
224 */
225 struct pcap_ng_sf {
226 uint64_t user_tsresol; /* time stamp resolution requested by the user */
227 u_int max_blocksize; /* don't grow buffer size past this */
228 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
229 bpf_u_int32 ifaces_size; /* size of array below */
230 struct pcap_ng_if *ifaces; /* array of interface information */
231 };
232
233 /*
234 * Maximum block size for a given maximum snapshot length; we calculate
235 * this based
236 *
237 * We define it as the size of an EPB with a max_snaplen-sized
238 * packet and 128KB of options.
239 */
240 #define MAX_BLOCKSIZE(max_snaplen) (sizeof (struct block_header) + \
241 sizeof (struct enhanced_packet_block) + \
242 (max_snaplen) + 131072 + \
243 sizeof (struct block_trailer))
244
245 static void pcap_ng_cleanup(pcap_t *p);
246 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
247 u_char **data);
248
249 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)250 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
251 char *errbuf)
252 {
253 size_t amt_read;
254
255 amt_read = fread(buf, 1, bytes_to_read, fp);
256 if (amt_read != bytes_to_read) {
257 if (ferror(fp)) {
258 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
259 errno, "error reading dump file");
260 } else {
261 if (amt_read == 0 && !fail_on_eof)
262 return (0); /* EOF */
263 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
264 "truncated dump file; tried to read %lu bytes, only got %lu",
265 (unsigned long)bytes_to_read,
266 (unsigned long)amt_read);
267 }
268 return (-1);
269 }
270 return (1);
271 }
272
273 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)274 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
275 {
276 struct pcap_ng_sf *ps;
277 int status;
278 struct block_header bhdr;
279 u_char *bdata;
280 size_t data_remaining;
281
282 ps = p->priv;
283
284 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
285 if (status <= 0)
286 return (status); /* error or EOF */
287
288 if (p->swapped) {
289 bhdr.block_type = SWAPLONG(bhdr.block_type);
290 bhdr.total_length = SWAPLONG(bhdr.total_length);
291 }
292
293 /*
294 * Is this block "too big"?
295 *
296 * We choose 16MB as "too big", for now, so that we handle
297 * "reasonably" large buffers but don't chew up all the
298 * memory if we read a malformed file.
299 */
300 if (bhdr.total_length > 16*1024*1024) {
301 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
302 "pcapng block size %u > maximum %u",
303 bhdr.total_length, 16*1024*1024);
304 return (-1);
305 }
306
307 /*
308 * Is this block "too small" - i.e., is it shorter than a block
309 * header plus a block trailer?
310 */
311 if (bhdr.total_length < sizeof(struct block_header) +
312 sizeof(struct block_trailer)) {
313 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
314 "block in pcapng dump file has a length of %u < %lu",
315 bhdr.total_length,
316 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
317 return (-1);
318 }
319
320 /*
321 * Is the buffer big enough?
322 */
323 if (p->bufsize < bhdr.total_length) {
324 /*
325 * No - make it big enough, unless it's too big.
326 */
327 void *bigger_buffer;
328
329 if (bhdr.total_length > ps->max_blocksize) {
330 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "block is larger than maximum block size %u",
331 ps->max_blocksize);
332 return (-1);
333 }
334 bigger_buffer = realloc(p->buffer, bhdr.total_length);
335 if (bigger_buffer == NULL) {
336 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
337 return (-1);
338 }
339 p->buffer = bigger_buffer;
340 }
341
342 /*
343 * Copy the stuff we've read to the buffer, and read the rest
344 * of the block.
345 */
346 memcpy(p->buffer, &bhdr, sizeof(bhdr));
347 bdata = (u_char *)p->buffer + sizeof(bhdr);
348 data_remaining = bhdr.total_length - sizeof(bhdr);
349 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
350 return (-1);
351
352 /*
353 * Initialize the cursor.
354 */
355 cursor->data = bdata;
356 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
357 cursor->block_type = bhdr.block_type;
358 return (1);
359 }
360
361 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)362 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
363 char *errbuf)
364 {
365 void *data;
366
367 /*
368 * Make sure we have the specified amount of data remaining in
369 * the block data.
370 */
371 if (cursor->data_remaining < chunk_size) {
372 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
373 "block of type %u in pcapng dump file is too short",
374 cursor->block_type);
375 return (NULL);
376 }
377
378 /*
379 * Return the current pointer, and skip past the chunk.
380 */
381 data = cursor->data;
382 cursor->data += chunk_size;
383 cursor->data_remaining -= chunk_size;
384 return (data);
385 }
386
387 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)388 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
389 {
390 struct option_header *opthdr;
391
392 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
393 if (opthdr == NULL) {
394 /*
395 * Option header is cut short.
396 */
397 return (NULL);
398 }
399
400 /*
401 * Byte-swap it if necessary.
402 */
403 if (p->swapped) {
404 opthdr->option_code = SWAPSHORT(opthdr->option_code);
405 opthdr->option_length = SWAPSHORT(opthdr->option_length);
406 }
407
408 return (opthdr);
409 }
410
411 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)412 get_optvalue_from_block_data(struct block_cursor *cursor,
413 struct option_header *opthdr, char *errbuf)
414 {
415 size_t padded_option_len;
416 void *optvalue;
417
418 /* Pad option length to 4-byte boundary */
419 padded_option_len = opthdr->option_length;
420 padded_option_len = ((padded_option_len + 3)/4)*4;
421
422 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
423 if (optvalue == NULL) {
424 /*
425 * Option value is cut short.
426 */
427 return (NULL);
428 }
429
430 return (optvalue);
431 }
432
433 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,uint64_t * tsresol,uint64_t * tsoffset,int * is_binary,char * errbuf)434 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
435 uint64_t *tsoffset, int *is_binary, char *errbuf)
436 {
437 struct option_header *opthdr;
438 void *optvalue;
439 int saw_tsresol, saw_tsoffset;
440 uint8_t tsresol_opt;
441 u_int i;
442
443 saw_tsresol = 0;
444 saw_tsoffset = 0;
445 while (cursor->data_remaining != 0) {
446 /*
447 * Get the option header.
448 */
449 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
450 if (opthdr == NULL) {
451 /*
452 * Option header is cut short.
453 */
454 return (-1);
455 }
456
457 /*
458 * Get option value.
459 */
460 optvalue = get_optvalue_from_block_data(cursor, opthdr,
461 errbuf);
462 if (optvalue == NULL) {
463 /*
464 * Option value is cut short.
465 */
466 return (-1);
467 }
468
469 switch (opthdr->option_code) {
470
471 case OPT_ENDOFOPT:
472 if (opthdr->option_length != 0) {
473 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
474 "Interface Description Block has opt_endofopt option with length %u != 0",
475 opthdr->option_length);
476 return (-1);
477 }
478 goto done;
479
480 case IF_TSRESOL:
481 if (opthdr->option_length != 1) {
482 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
483 "Interface Description Block has if_tsresol option with length %u != 1",
484 opthdr->option_length);
485 return (-1);
486 }
487 if (saw_tsresol) {
488 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
489 "Interface Description Block has more than one if_tsresol option");
490 return (-1);
491 }
492 saw_tsresol = 1;
493 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
494 if (tsresol_opt & 0x80) {
495 /*
496 * Resolution is negative power of 2.
497 */
498 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
499
500 if (tsresol_shift > 63) {
501 /*
502 * Resolution is too high; 2^-{res}
503 * won't fit in a 64-bit value.
504 */
505 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
506 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
507 tsresol_shift);
508 return (-1);
509 }
510 *is_binary = 1;
511 *tsresol = ((uint64_t)1) << tsresol_shift;
512 } else {
513 /*
514 * Resolution is negative power of 10.
515 */
516 if (tsresol_opt > 19) {
517 /*
518 * Resolution is too high; 2^-{res}
519 * won't fit in a 64-bit value (the
520 * largest power of 10 that fits
521 * in a 64-bit value is 10^19, as
522 * the largest 64-bit unsigned
523 * value is ~1.8*10^19).
524 */
525 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
526 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
527 tsresol_opt);
528 return (-1);
529 }
530 *is_binary = 0;
531 *tsresol = 1;
532 for (i = 0; i < tsresol_opt; i++)
533 *tsresol *= 10;
534 }
535 break;
536
537 case IF_TSOFFSET:
538 if (opthdr->option_length != 8) {
539 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
540 "Interface Description Block has if_tsoffset option with length %u != 8",
541 opthdr->option_length);
542 return (-1);
543 }
544 if (saw_tsoffset) {
545 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
546 "Interface Description Block has more than one if_tsoffset option");
547 return (-1);
548 }
549 saw_tsoffset = 1;
550 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
551 if (p->swapped)
552 *tsoffset = SWAPLL(*tsoffset);
553 break;
554
555 default:
556 break;
557 }
558 }
559
560 done:
561 return (0);
562 }
563
564 static int
add_interface(pcap_t * p,struct block_cursor * cursor,char * errbuf)565 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
566 {
567 struct pcap_ng_sf *ps;
568 uint64_t tsresol;
569 uint64_t tsoffset;
570 int is_binary;
571
572 ps = p->priv;
573
574 /*
575 * Count this interface.
576 */
577 ps->ifcount++;
578
579 /*
580 * Grow the array of per-interface information as necessary.
581 */
582 if (ps->ifcount > ps->ifaces_size) {
583 /*
584 * We need to grow the array.
585 */
586 bpf_u_int32 new_ifaces_size;
587 struct pcap_ng_if *new_ifaces;
588
589 if (ps->ifaces_size == 0) {
590 /*
591 * It's currently empty.
592 *
593 * (The Clang static analyzer doesn't do enough,
594 * err, umm, dataflow *analysis* to realize that
595 * ps->ifaces_size == 0 if ps->ifaces == NULL,
596 * and so complains about a possible zero argument
597 * to realloc(), so we check for the former
598 * condition to shut it up.
599 *
600 * However, it doesn't complain that one of the
601 * multiplications below could overflow, which is
602 * a real, albeit extremely unlikely, problem (you'd
603 * need a pcapng file with tens of millions of
604 * interfaces).)
605 */
606 new_ifaces_size = 1;
607 new_ifaces = malloc(sizeof (struct pcap_ng_if));
608 } else {
609 /*
610 * It's not currently empty; double its size.
611 * (Perhaps overkill once we have a lot of interfaces.)
612 *
613 * Check for overflow if we double it.
614 */
615 if (ps->ifaces_size * 2 < ps->ifaces_size) {
616 /*
617 * The maximum number of interfaces before
618 * ps->ifaces_size overflows is the largest
619 * possible 32-bit power of 2, as we do
620 * size doubling.
621 */
622 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
623 "more than %u interfaces in the file",
624 0x80000000U);
625 return (0);
626 }
627
628 /*
629 * ps->ifaces_size * 2 doesn't overflow, so it's
630 * safe to multiply.
631 */
632 new_ifaces_size = ps->ifaces_size * 2;
633
634 /*
635 * Now make sure that's not so big that it overflows
636 * if we multiply by sizeof (struct pcap_ng_if).
637 *
638 * That can happen on 32-bit platforms, with a 32-bit
639 * size_t; it shouldn't happen on 64-bit platforms,
640 * with a 64-bit size_t, as new_ifaces_size is
641 * 32 bits.
642 */
643 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
644 /*
645 * As this fails only with 32-bit size_t,
646 * the multiplication was 32x32->32, and
647 * the largest 32-bit value that can safely
648 * be multiplied by sizeof (struct pcap_ng_if)
649 * without overflow is the largest 32-bit
650 * (unsigned) value divided by
651 * sizeof (struct pcap_ng_if).
652 */
653 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
654 "more than %u interfaces in the file",
655 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
656 return (0);
657 }
658 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
659 }
660 if (new_ifaces == NULL) {
661 /*
662 * We ran out of memory.
663 * Give up.
664 */
665 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
666 "out of memory for per-interface information (%u interfaces)",
667 ps->ifcount);
668 return (0);
669 }
670 ps->ifaces_size = new_ifaces_size;
671 ps->ifaces = new_ifaces;
672 }
673
674 /*
675 * Set the default time stamp resolution and offset.
676 */
677 tsresol = 1000000; /* microsecond resolution */
678 is_binary = 0; /* which is a power of 10 */
679 tsoffset = 0; /* absolute timestamps */
680
681 /*
682 * Now look for various time stamp options, so we know
683 * how to interpret the time stamps for this interface.
684 */
685 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
686 errbuf) == -1)
687 return (0);
688
689 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
690 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
691
692 /*
693 * Determine whether we're scaling up or down or not
694 * at all for this interface.
695 */
696 if (tsresol == ps->user_tsresol) {
697 /*
698 * The resolution is the resolution the user wants,
699 * so we don't have to do scaling.
700 */
701 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
702 } else if (tsresol > ps->user_tsresol) {
703 /*
704 * The resolution is greater than what the user wants,
705 * so we have to scale the timestamps down.
706 */
707 if (is_binary)
708 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
709 else {
710 /*
711 * Calculate the scale factor.
712 */
713 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
714 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
715 }
716 } else {
717 /*
718 * The resolution is less than what the user wants,
719 * so we have to scale the timestamps up.
720 */
721 if (is_binary)
722 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
723 else {
724 /*
725 * Calculate the scale factor.
726 */
727 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
728 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
729 }
730 }
731 return (1);
732 }
733
734 /*
735 * Check whether this is a pcapng savefile and, if it is, extract the
736 * relevant information from the header.
737 */
738 pcap_t *
pcap_ng_check_header(bpf_u_int32 magic,FILE * fp,u_int precision,char * errbuf,int * err)739 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
740 int *err)
741 {
742 size_t amt_read;
743 bpf_u_int32 total_length;
744 bpf_u_int32 byte_order_magic;
745 struct block_header *bhdrp;
746 struct section_header_block *shbp;
747 pcap_t *p;
748 int swapped = 0;
749 struct pcap_ng_sf *ps;
750 int status;
751 struct block_cursor cursor;
752 struct interface_description_block *idbp;
753
754 /*
755 * Assume no read errors.
756 */
757 *err = 0;
758
759 /*
760 * Check whether the first 4 bytes of the file are the block
761 * type for a pcapng savefile.
762 */
763 if (magic != BT_SHB) {
764 /*
765 * XXX - check whether this looks like what the block
766 * type would be after being munged by mapping between
767 * UN*X and DOS/Windows text file format and, if it
768 * does, look for the byte-order magic number in
769 * the appropriate place and, if we find it, report
770 * this as possibly being a pcapng file transferred
771 * between UN*X and Windows in text file format?
772 */
773 return (NULL); /* nope */
774 }
775
776 /*
777 * OK, they are. However, that's just \n\r\r\n, so it could,
778 * conceivably, be an ordinary text file.
779 *
780 * It could not, however, conceivably be any other type of
781 * capture file, so we can read the rest of the putative
782 * Section Header Block; put the block type in the common
783 * header, read the rest of the common header and the
784 * fixed-length portion of the SHB, and look for the byte-order
785 * magic value.
786 */
787 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
788 if (amt_read < sizeof(total_length)) {
789 if (ferror(fp)) {
790 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
791 errno, "error reading dump file");
792 *err = 1;
793 return (NULL); /* fail */
794 }
795
796 /*
797 * Possibly a weird short text file, so just say
798 * "not pcapng".
799 */
800 return (NULL);
801 }
802 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
803 if (amt_read < sizeof(byte_order_magic)) {
804 if (ferror(fp)) {
805 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
806 errno, "error reading dump file");
807 *err = 1;
808 return (NULL); /* fail */
809 }
810
811 /*
812 * Possibly a weird short text file, so just say
813 * "not pcapng".
814 */
815 return (NULL);
816 }
817 if (byte_order_magic != BYTE_ORDER_MAGIC) {
818 byte_order_magic = SWAPLONG(byte_order_magic);
819 if (byte_order_magic != BYTE_ORDER_MAGIC) {
820 /*
821 * Not a pcapng file.
822 */
823 return (NULL);
824 }
825 swapped = 1;
826 total_length = SWAPLONG(total_length);
827 }
828
829 /*
830 * Check the sanity of the total length.
831 */
832 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
833 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
834 "Section Header Block in pcapng dump file has a length of %u < %lu",
835 total_length,
836 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
837 *err = 1;
838 return (NULL);
839 }
840
841 /*
842 * OK, this is a good pcapng file.
843 * Allocate a pcap_t for it.
844 */
845 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
846 if (p == NULL) {
847 /* Allocation failed. */
848 *err = 1;
849 return (NULL);
850 }
851 p->swapped = swapped;
852 ps = p->priv;
853
854 /*
855 * What precision does the user want?
856 */
857 switch (precision) {
858
859 case PCAP_TSTAMP_PRECISION_MICRO:
860 ps->user_tsresol = 1000000;
861 break;
862
863 case PCAP_TSTAMP_PRECISION_NANO:
864 ps->user_tsresol = 1000000000;
865 break;
866
867 default:
868 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
869 "unknown time stamp resolution %u", precision);
870 free(p);
871 *err = 1;
872 return (NULL);
873 }
874
875 p->opt.tstamp_precision = precision;
876
877 /*
878 * Allocate a buffer into which to read blocks. We default to
879 * the maximum of:
880 *
881 * the total length of the SHB for which we read the header;
882 *
883 * 2K, which should be more than large enough for an Enhanced
884 * Packet Block containing a full-size Ethernet frame, and
885 * leaving room for some options.
886 *
887 * If we find a bigger block, we reallocate the buffer, up to
888 * the maximum size. We start out with a maximum size based
889 * on a maximum snapshot length of MAXIMUM_SNAPLEN; if we see
890 * any link-layer header types with a larger maximum snapshot
891 * length, we boost the maximum.
892 */
893 p->bufsize = 2048;
894 if (p->bufsize < total_length)
895 p->bufsize = total_length;
896 p->buffer = malloc(p->bufsize);
897 if (p->buffer == NULL) {
898 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
899 free(p);
900 *err = 1;
901 return (NULL);
902 }
903 ps->max_blocksize = MAX_BLOCKSIZE(MAXIMUM_SNAPLEN);
904
905 /*
906 * Copy the stuff we've read to the buffer, and read the rest
907 * of the SHB.
908 */
909 bhdrp = (struct block_header *)p->buffer;
910 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
911 bhdrp->block_type = magic;
912 bhdrp->total_length = total_length;
913 shbp->byte_order_magic = byte_order_magic;
914 if (read_bytes(fp,
915 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
916 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
917 1, errbuf) == -1)
918 goto fail;
919
920 if (p->swapped) {
921 /*
922 * Byte-swap the fields we've read.
923 */
924 shbp->major_version = SWAPSHORT(shbp->major_version);
925 shbp->minor_version = SWAPSHORT(shbp->minor_version);
926
927 /*
928 * XXX - we don't care about the section length.
929 */
930 }
931 /* currently only SHB version 1.0 is supported */
932 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
933 shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
934 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
935 "unsupported pcapng savefile version %u.%u",
936 shbp->major_version, shbp->minor_version);
937 goto fail;
938 }
939 p->version_major = shbp->major_version;
940 p->version_minor = shbp->minor_version;
941
942 /*
943 * Save the time stamp resolution the user requested.
944 */
945 p->opt.tstamp_precision = precision;
946
947 /*
948 * Now start looking for an Interface Description Block.
949 */
950 for (;;) {
951 /*
952 * Read the next block.
953 */
954 status = read_block(fp, p, &cursor, errbuf);
955 if (status == 0) {
956 /* EOF - no IDB in this file */
957 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
958 "the capture file has no Interface Description Blocks");
959 goto fail;
960 }
961 if (status == -1)
962 goto fail; /* error */
963 switch (cursor.block_type) {
964
965 case BT_IDB:
966 /*
967 * Get a pointer to the fixed-length portion of the
968 * IDB.
969 */
970 idbp = get_from_block_data(&cursor, sizeof(*idbp),
971 errbuf);
972 if (idbp == NULL)
973 goto fail; /* error */
974
975 /*
976 * Byte-swap it if necessary.
977 */
978 if (p->swapped) {
979 idbp->linktype = SWAPSHORT(idbp->linktype);
980 idbp->snaplen = SWAPLONG(idbp->snaplen);
981 }
982
983 /*
984 * Try to add this interface.
985 */
986 if (!add_interface(p, &cursor, errbuf))
987 goto fail;
988
989 goto done;
990
991 case BT_EPB:
992 case BT_SPB:
993 case BT_PB:
994 /*
995 * Saw a packet before we saw any IDBs. That's
996 * not valid, as we don't know what link-layer
997 * encapsulation the packet has.
998 */
999 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
1000 "the capture file has a packet block before any Interface Description Blocks");
1001 goto fail;
1002
1003 default:
1004 /*
1005 * Just ignore it.
1006 */
1007 break;
1008 }
1009 }
1010
1011 done:
1012 p->tzoff = 0; /* XXX - not used in pcap */
1013 p->snapshot = idbp->snaplen;
1014 if (p->snapshot <= 0) {
1015 /*
1016 * Bogus snapshot length; use the maximum for this
1017 * link-layer type as a fallback.
1018 *
1019 * XXX - the only reason why snapshot is signed is
1020 * that pcap_snapshot() returns an int, not an
1021 * unsigned int.
1022 */
1023 p->snapshot = max_snaplen_for_dlt(idbp->linktype);
1024 }
1025 p->linktype = linktype_to_dlt(idbp->linktype);
1026 p->linktype_ext = 0;
1027
1028 /*
1029 * If the maximum block size for a packet with the maximum
1030 * snapshot length for this DLT_ is bigger than the current
1031 * maximum block size, increase the maximum.
1032 */
1033 if (MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1034 ps->max_blocksize = MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype));
1035
1036 p->next_packet_op = pcap_ng_next_packet;
1037 p->cleanup_op = pcap_ng_cleanup;
1038
1039 return (p);
1040
1041 fail:
1042 free(ps->ifaces);
1043 free(p->buffer);
1044 free(p);
1045 *err = 1;
1046 return (NULL);
1047 }
1048
1049 static void
pcap_ng_cleanup(pcap_t * p)1050 pcap_ng_cleanup(pcap_t *p)
1051 {
1052 struct pcap_ng_sf *ps = p->priv;
1053
1054 free(ps->ifaces);
1055 sf_cleanup(p);
1056 }
1057
1058 /*
1059 * Read and return the next packet from the savefile. Return the header
1060 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1061 * if there were no more packets, and -1 on an error.
1062 */
1063 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1064 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1065 {
1066 struct pcap_ng_sf *ps = p->priv;
1067 struct block_cursor cursor;
1068 int status;
1069 struct enhanced_packet_block *epbp;
1070 struct simple_packet_block *spbp;
1071 struct packet_block *pbp;
1072 bpf_u_int32 interface_id = 0xFFFFFFFF;
1073 struct interface_description_block *idbp;
1074 struct section_header_block *shbp;
1075 FILE *fp = p->rfile;
1076 uint64_t t, sec, frac;
1077
1078 /*
1079 * Look for an Enhanced Packet Block, a Simple Packet Block,
1080 * or a Packet Block.
1081 */
1082 for (;;) {
1083 /*
1084 * Read the block type and length; those are common
1085 * to all blocks.
1086 */
1087 status = read_block(fp, p, &cursor, p->errbuf);
1088 if (status == 0)
1089 return (1); /* EOF */
1090 if (status == -1)
1091 return (-1); /* error */
1092 switch (cursor.block_type) {
1093
1094 case BT_EPB:
1095 /*
1096 * Get a pointer to the fixed-length portion of the
1097 * EPB.
1098 */
1099 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1100 p->errbuf);
1101 if (epbp == NULL)
1102 return (-1); /* error */
1103
1104 /*
1105 * Byte-swap it if necessary.
1106 */
1107 if (p->swapped) {
1108 /* these were written in opposite byte order */
1109 interface_id = SWAPLONG(epbp->interface_id);
1110 hdr->caplen = SWAPLONG(epbp->caplen);
1111 hdr->len = SWAPLONG(epbp->len);
1112 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1113 SWAPLONG(epbp->timestamp_low);
1114 } else {
1115 interface_id = epbp->interface_id;
1116 hdr->caplen = epbp->caplen;
1117 hdr->len = epbp->len;
1118 t = ((uint64_t)epbp->timestamp_high) << 32 |
1119 epbp->timestamp_low;
1120 }
1121 goto found;
1122
1123 case BT_SPB:
1124 /*
1125 * Get a pointer to the fixed-length portion of the
1126 * SPB.
1127 */
1128 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1129 p->errbuf);
1130 if (spbp == NULL)
1131 return (-1); /* error */
1132
1133 /*
1134 * SPB packets are assumed to have arrived on
1135 * the first interface.
1136 */
1137 interface_id = 0;
1138
1139 /*
1140 * Byte-swap it if necessary.
1141 */
1142 if (p->swapped) {
1143 /* these were written in opposite byte order */
1144 hdr->len = SWAPLONG(spbp->len);
1145 } else
1146 hdr->len = spbp->len;
1147
1148 /*
1149 * The SPB doesn't give the captured length;
1150 * it's the minimum of the snapshot length
1151 * and the packet length.
1152 */
1153 hdr->caplen = hdr->len;
1154 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1155 hdr->caplen = p->snapshot;
1156 t = 0; /* no time stamps */
1157 goto found;
1158
1159 case BT_PB:
1160 /*
1161 * Get a pointer to the fixed-length portion of the
1162 * PB.
1163 */
1164 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1165 p->errbuf);
1166 if (pbp == NULL)
1167 return (-1); /* error */
1168
1169 /*
1170 * Byte-swap it if necessary.
1171 */
1172 if (p->swapped) {
1173 /* these were written in opposite byte order */
1174 interface_id = SWAPSHORT(pbp->interface_id);
1175 hdr->caplen = SWAPLONG(pbp->caplen);
1176 hdr->len = SWAPLONG(pbp->len);
1177 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1178 SWAPLONG(pbp->timestamp_low);
1179 } else {
1180 interface_id = pbp->interface_id;
1181 hdr->caplen = pbp->caplen;
1182 hdr->len = pbp->len;
1183 t = ((uint64_t)pbp->timestamp_high) << 32 |
1184 pbp->timestamp_low;
1185 }
1186 goto found;
1187
1188 case BT_IDB:
1189 /*
1190 * Interface Description Block. Get a pointer
1191 * to its fixed-length portion.
1192 */
1193 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1194 p->errbuf);
1195 if (idbp == NULL)
1196 return (-1); /* error */
1197
1198 /*
1199 * Byte-swap it if necessary.
1200 */
1201 if (p->swapped) {
1202 idbp->linktype = SWAPSHORT(idbp->linktype);
1203 idbp->snaplen = SWAPLONG(idbp->snaplen);
1204 }
1205
1206 /*
1207 * If the link-layer type or snapshot length
1208 * differ from the ones for the first IDB we
1209 * saw, quit.
1210 *
1211 * XXX - just discard packets from those
1212 * interfaces?
1213 */
1214 if (p->linktype != idbp->linktype) {
1215 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1216 "an interface has a type %u different from the type of the first interface",
1217 idbp->linktype);
1218 return (-1);
1219 }
1220 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1221 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1222 "an interface has a snapshot length %u different from the type of the first interface",
1223 idbp->snaplen);
1224 return (-1);
1225 }
1226
1227 /*
1228 * Try to add this interface.
1229 */
1230 if (!add_interface(p, &cursor, p->errbuf))
1231 return (-1);
1232 break;
1233
1234 case BT_SHB:
1235 /*
1236 * Section Header Block. Get a pointer
1237 * to its fixed-length portion.
1238 */
1239 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1240 p->errbuf);
1241 if (shbp == NULL)
1242 return (-1); /* error */
1243
1244 /*
1245 * Assume the byte order of this section is
1246 * the same as that of the previous section.
1247 * We'll check for that later.
1248 */
1249 if (p->swapped) {
1250 shbp->byte_order_magic =
1251 SWAPLONG(shbp->byte_order_magic);
1252 shbp->major_version =
1253 SWAPSHORT(shbp->major_version);
1254 }
1255
1256 /*
1257 * Make sure the byte order doesn't change;
1258 * pcap_is_swapped() shouldn't change its
1259 * return value in the middle of reading a capture.
1260 */
1261 switch (shbp->byte_order_magic) {
1262
1263 case BYTE_ORDER_MAGIC:
1264 /*
1265 * OK.
1266 */
1267 break;
1268
1269 case SWAPLONG(BYTE_ORDER_MAGIC):
1270 /*
1271 * Byte order changes.
1272 */
1273 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1274 "the file has sections with different byte orders");
1275 return (-1);
1276
1277 default:
1278 /*
1279 * Not a valid SHB.
1280 */
1281 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1282 "the file has a section with a bad byte order magic field");
1283 return (-1);
1284 }
1285
1286 /*
1287 * Make sure the major version is the version
1288 * we handle.
1289 */
1290 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1291 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1292 "unknown pcapng savefile major version number %u",
1293 shbp->major_version);
1294 return (-1);
1295 }
1296
1297 /*
1298 * Reset the interface count; this section should
1299 * have its own set of IDBs. If any of them
1300 * don't have the same interface type, snapshot
1301 * length, or resolution as the first interface
1302 * we saw, we'll fail. (And if we don't see
1303 * any IDBs, we'll fail when we see a packet
1304 * block.)
1305 */
1306 ps->ifcount = 0;
1307 break;
1308
1309 default:
1310 /*
1311 * Not a packet block, IDB, or SHB; ignore it.
1312 */
1313 break;
1314 }
1315 }
1316
1317 found:
1318 /*
1319 * Is the interface ID an interface we know?
1320 */
1321 if (interface_id >= ps->ifcount) {
1322 /*
1323 * Yes. Fail.
1324 */
1325 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1326 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1327 interface_id);
1328 return (-1);
1329 }
1330
1331 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1332 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1333 "invalid packet capture length %u, bigger than "
1334 "snaplen of %d", hdr->caplen, p->snapshot);
1335 return (-1);
1336 }
1337
1338 /*
1339 * Convert the time stamp to seconds and fractions of a second,
1340 * with the fractions being in units of the file-supplied resolution.
1341 */
1342 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1343 frac = t % ps->ifaces[interface_id].tsresol;
1344
1345 /*
1346 * Convert the fractions from units of the file-supplied resolution
1347 * to units of the user-requested resolution.
1348 */
1349 switch (ps->ifaces[interface_id].scale_type) {
1350
1351 case PASS_THROUGH:
1352 /*
1353 * The interface resolution is what the user wants,
1354 * so we're done.
1355 */
1356 break;
1357
1358 case SCALE_UP_DEC:
1359 /*
1360 * The interface resolution is less than what the user
1361 * wants; scale the fractional part up to the units of
1362 * the resolution the user requested by multiplying by
1363 * the quotient of the user-requested resolution and the
1364 * file-supplied resolution.
1365 *
1366 * Those resolutions are both powers of 10, and the user-
1367 * requested resolution is greater than the file-supplied
1368 * resolution, so the quotient in question is an integer.
1369 * We've calculated that quotient already, so we just
1370 * multiply by it.
1371 */
1372 frac *= ps->ifaces[interface_id].scale_factor;
1373 break;
1374
1375 case SCALE_UP_BIN:
1376 /*
1377 * The interface resolution is less than what the user
1378 * wants; scale the fractional part up to the units of
1379 * the resolution the user requested by multiplying by
1380 * the quotient of the user-requested resolution and the
1381 * file-supplied resolution.
1382 *
1383 * The file-supplied resolution is a power of 2, so the
1384 * quotient is not an integer, so, in order to do this
1385 * entirely with integer arithmetic, we multiply by the
1386 * user-requested resolution and divide by the file-
1387 * supplied resolution.
1388 *
1389 * XXX - Is there something clever we could do here,
1390 * given that we know that the file-supplied resolution
1391 * is a power of 2? Doing a multiplication followed by
1392 * a division runs the risk of overflowing, and involves
1393 * two non-simple arithmetic operations.
1394 */
1395 frac *= ps->user_tsresol;
1396 frac /= ps->ifaces[interface_id].tsresol;
1397 break;
1398
1399 case SCALE_DOWN_DEC:
1400 /*
1401 * The interface resolution is greater than what the user
1402 * wants; scale the fractional part up to the units of
1403 * the resolution the user requested by multiplying by
1404 * the quotient of the user-requested resolution and the
1405 * file-supplied resolution.
1406 *
1407 * Those resolutions are both powers of 10, and the user-
1408 * requested resolution is less than the file-supplied
1409 * resolution, so the quotient in question isn't an
1410 * integer, but its reciprocal is, and we can just divide
1411 * by the reciprocal of the quotient. We've calculated
1412 * the reciprocal of that quotient already, so we must
1413 * divide by it.
1414 */
1415 frac /= ps->ifaces[interface_id].scale_factor;
1416 break;
1417
1418
1419 case SCALE_DOWN_BIN:
1420 /*
1421 * The interface resolution is greater than what the user
1422 * wants; convert the fractional part to units of the
1423 * resolution the user requested by multiplying by the
1424 * quotient of the user-requested resolution and the
1425 * file-supplied resolution. We do that by multiplying
1426 * by the user-requested resolution and dividing by the
1427 * file-supplied resolution, as the quotient might not
1428 * fit in an integer.
1429 *
1430 * The file-supplied resolution is a power of 2, so the
1431 * quotient is not an integer, and neither is its
1432 * reciprocal, so, in order to do this entirely with
1433 * integer arithmetic, we multiply by the user-requested
1434 * resolution and divide by the file-supplied resolution.
1435 *
1436 * XXX - Is there something clever we could do here,
1437 * given that we know that the file-supplied resolution
1438 * is a power of 2? Doing a multiplication followed by
1439 * a division runs the risk of overflowing, and involves
1440 * two non-simple arithmetic operations.
1441 */
1442 frac *= ps->user_tsresol;
1443 frac /= ps->ifaces[interface_id].tsresol;
1444 break;
1445 }
1446 #ifdef _WIN32
1447 /*
1448 * tv_sec and tv_used in the Windows struct timeval are both
1449 * longs.
1450 */
1451 hdr->ts.tv_sec = (long)sec;
1452 hdr->ts.tv_usec = (long)frac;
1453 #else
1454 /*
1455 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1456 * suseconds_t in UN*Xes that work the way the current Single
1457 * UNIX Standard specify - but not all older UN*Xes necessarily
1458 * support that type, so just cast to int.
1459 */
1460 hdr->ts.tv_sec = (time_t)sec;
1461 hdr->ts.tv_usec = (int)frac;
1462 #endif
1463
1464 /*
1465 * Get a pointer to the packet data.
1466 */
1467 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1468 if (*data == NULL)
1469 return (-1);
1470
1471 if (p->swapped)
1472 swap_pseudo_headers(p->linktype, hdr, *data);
1473
1474 return (0);
1475 }
1476