1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include <pcap/pcap-inttypes.h>
29
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35
36 #include "pcap-int.h"
37
38 #include "pcap-common.h"
39
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43
44 #include "sf-pcapng.h"
45
46 /*
47 * Block types.
48 */
49
50 /*
51 * Common part at the beginning of all blocks.
52 */
53 struct block_header {
54 bpf_u_int32 block_type;
55 bpf_u_int32 total_length;
56 };
57
58 /*
59 * Common trailer at the end of all blocks.
60 */
61 struct block_trailer {
62 bpf_u_int32 total_length;
63 };
64
65 /*
66 * Common options.
67 */
68 #define OPT_ENDOFOPT 0 /* end of options */
69 #define OPT_COMMENT 1 /* comment string */
70
71 /*
72 * Option header.
73 */
74 struct option_header {
75 u_short option_code;
76 u_short option_length;
77 };
78
79 /*
80 * Structures for the part of each block type following the common
81 * part.
82 */
83
84 /*
85 * Section Header Block.
86 */
87 #define BT_SHB 0x0A0D0D0A
88 #define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
89 struct section_header_block {
90 bpf_u_int32 byte_order_magic;
91 u_short major_version;
92 u_short minor_version;
93 uint64_t section_length;
94 /* followed by options and trailer */
95 };
96
97 /*
98 * Byte-order magic value.
99 */
100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
101
102 /*
103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
104 * that means that this code can't read the file.
105 */
106 #define PCAP_NG_VERSION_MAJOR 1
107 #define PCAP_NG_VERSION_MINOR 0
108
109 /*
110 * Interface Description Block.
111 */
112 #define BT_IDB 0x00000001
113
114 struct interface_description_block {
115 u_short linktype;
116 u_short reserved;
117 bpf_u_int32 snaplen;
118 /* followed by options and trailer */
119 };
120
121 /*
122 * Options in the IDB.
123 */
124 #define IF_NAME 2 /* interface name string */
125 #define IF_DESCRIPTION 3 /* interface description string */
126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
128 #define IF_MACADDR 6 /* interface's MAC address */
129 #define IF_EUIADDR 7 /* interface's EUI address */
130 #define IF_SPEED 8 /* interface's speed, in bits/s */
131 #define IF_TSRESOL 9 /* interface's time stamp resolution */
132 #define IF_TZONE 10 /* interface's time zone */
133 #define IF_FILTER 11 /* filter used when capturing on interface */
134 #define IF_OS 12 /* string OS on which capture on this interface was done */
135 #define IF_FCSLEN 13 /* FCS length for this interface */
136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
137
138 /*
139 * Enhanced Packet Block.
140 */
141 #define BT_EPB 0x00000006
142
143 struct enhanced_packet_block {
144 bpf_u_int32 interface_id;
145 bpf_u_int32 timestamp_high;
146 bpf_u_int32 timestamp_low;
147 bpf_u_int32 caplen;
148 bpf_u_int32 len;
149 /* followed by packet data, options, and trailer */
150 };
151
152 /*
153 * Simple Packet Block.
154 */
155 #define BT_SPB 0x00000003
156
157 struct simple_packet_block {
158 bpf_u_int32 len;
159 /* followed by packet data and trailer */
160 };
161
162 /*
163 * Packet Block.
164 */
165 #define BT_PB 0x00000002
166
167 struct packet_block {
168 u_short interface_id;
169 u_short drops_count;
170 bpf_u_int32 timestamp_high;
171 bpf_u_int32 timestamp_low;
172 bpf_u_int32 caplen;
173 bpf_u_int32 len;
174 /* followed by packet data, options, and trailer */
175 };
176
177 /*
178 * Block cursor - used when processing the contents of a block.
179 * Contains a pointer into the data being processed and a count
180 * of bytes remaining in the block.
181 */
182 struct block_cursor {
183 u_char *data;
184 size_t data_remaining;
185 bpf_u_int32 block_type;
186 };
187
188 typedef enum {
189 PASS_THROUGH,
190 SCALE_UP_DEC,
191 SCALE_DOWN_DEC,
192 SCALE_UP_BIN,
193 SCALE_DOWN_BIN
194 } tstamp_scale_type_t;
195
196 /*
197 * Per-interface information.
198 */
199 struct pcap_ng_if {
200 uint32_t snaplen; /* snapshot length */
201 uint64_t tsresol; /* time stamp resolution */
202 tstamp_scale_type_t scale_type; /* how to scale */
203 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
204 uint64_t tsoffset; /* time stamp offset */
205 };
206
207 /*
208 * Per-pcap_t private data.
209 *
210 * max_blocksize is the maximum size of a block that we'll accept. We
211 * reject blocks bigger than this, so we don't consume too much memory
212 * with a truly huge block. It can change as we see IDBs with different
213 * link-layer header types. (Currently, we don't support IDBs with
214 * different link-layer header types, but we will support it in the
215 * future, when we offer file-reading APIs that support it.)
216 *
217 * XXX - that's an issue on ILP32 platforms, where the maximum block
218 * size of 2^31-1 would eat all but one byte of the entire address space.
219 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
220 * of the address space may be limited by 1) the number of *significant*
221 * address bits (currently, x86-64 only supports 48 bits of address), 2)
222 * any limitations imposed by the operating system; 3) any limitations
223 * imposed by the amount of available backing store for anonymous pages,
224 * so we impose a limit regardless of the size of a pointer.
225 */
226 struct pcap_ng_sf {
227 uint64_t user_tsresol; /* time stamp resolution requested by the user */
228 u_int max_blocksize; /* don't grow buffer size past this */
229 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
230 bpf_u_int32 ifaces_size; /* size of array below */
231 struct pcap_ng_if *ifaces; /* array of interface information */
232 };
233
234 /*
235 * The maximum block size we start with; we use an arbitrary value of
236 * 16 MiB.
237 */
238 #define INITIAL_MAX_BLOCKSIZE (16*1024*1024)
239
240 /*
241 * Maximum block size for a given maximum snapshot length; we define it
242 * as the size of an EPB with a max_snaplen-sized packet and 128KB of
243 * options.
244 */
245 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
246 (sizeof (struct block_header) + \
247 sizeof (struct enhanced_packet_block) + \
248 (max_snaplen) + 131072 + \
249 sizeof (struct block_trailer))
250
251 static void pcap_ng_cleanup(pcap_t *p);
252 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
253 u_char **data);
254
255 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)256 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
257 char *errbuf)
258 {
259 size_t amt_read;
260
261 amt_read = fread(buf, 1, bytes_to_read, fp);
262 if (amt_read != bytes_to_read) {
263 if (ferror(fp)) {
264 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
265 errno, "error reading dump file");
266 } else {
267 if (amt_read == 0 && !fail_on_eof)
268 return (0); /* EOF */
269 snprintf(errbuf, PCAP_ERRBUF_SIZE,
270 "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
271 bytes_to_read, amt_read);
272 }
273 return (-1);
274 }
275 return (1);
276 }
277
278 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)279 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
280 {
281 struct pcap_ng_sf *ps;
282 int status;
283 struct block_header bhdr;
284 struct block_trailer *btrlr;
285 u_char *bdata;
286 size_t data_remaining;
287
288 ps = p->priv;
289
290 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
291 if (status <= 0)
292 return (status); /* error or EOF */
293
294 if (p->swapped) {
295 bhdr.block_type = SWAPLONG(bhdr.block_type);
296 bhdr.total_length = SWAPLONG(bhdr.total_length);
297 }
298
299 /*
300 * Is this block "too small" - i.e., is it shorter than a block
301 * header plus a block trailer?
302 */
303 if (bhdr.total_length < sizeof(struct block_header) +
304 sizeof(struct block_trailer)) {
305 snprintf(errbuf, PCAP_ERRBUF_SIZE,
306 "block in pcapng dump file has a length of %u < %zu",
307 bhdr.total_length,
308 sizeof(struct block_header) + sizeof(struct block_trailer));
309 return (-1);
310 }
311
312 /*
313 * Is the block total length a multiple of 4?
314 */
315 if ((bhdr.total_length % 4) != 0) {
316 /*
317 * No. Report that as an error.
318 */
319 snprintf(errbuf, PCAP_ERRBUF_SIZE,
320 "block in pcapng dump file has a length of %u that is not a multiple of 4",
321 bhdr.total_length);
322 return (-1);
323 }
324
325 /*
326 * Is the buffer big enough?
327 */
328 if (p->bufsize < bhdr.total_length) {
329 /*
330 * No - make it big enough, unless it's too big, in
331 * which case we fail.
332 */
333 void *bigger_buffer;
334
335 if (bhdr.total_length > ps->max_blocksize) {
336 snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
337 ps->max_blocksize);
338 return (-1);
339 }
340 bigger_buffer = realloc(p->buffer, bhdr.total_length);
341 if (bigger_buffer == NULL) {
342 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
343 return (-1);
344 }
345 p->buffer = bigger_buffer;
346 }
347
348 /*
349 * Copy the stuff we've read to the buffer, and read the rest
350 * of the block.
351 */
352 memcpy(p->buffer, &bhdr, sizeof(bhdr));
353 bdata = (u_char *)p->buffer + sizeof(bhdr);
354 data_remaining = bhdr.total_length - sizeof(bhdr);
355 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
356 return (-1);
357
358 /*
359 * Get the block size from the trailer.
360 */
361 btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
362 if (p->swapped)
363 btrlr->total_length = SWAPLONG(btrlr->total_length);
364
365 /*
366 * Is the total length from the trailer the same as the total
367 * length from the header?
368 */
369 if (bhdr.total_length != btrlr->total_length) {
370 /*
371 * No.
372 */
373 snprintf(errbuf, PCAP_ERRBUF_SIZE,
374 "block total length in header and trailer don't match");
375 return (-1);
376 }
377
378 /*
379 * Initialize the cursor.
380 */
381 cursor->data = bdata;
382 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
383 cursor->block_type = bhdr.block_type;
384 return (1);
385 }
386
387 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)388 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
389 char *errbuf)
390 {
391 void *data;
392
393 /*
394 * Make sure we have the specified amount of data remaining in
395 * the block data.
396 */
397 if (cursor->data_remaining < chunk_size) {
398 snprintf(errbuf, PCAP_ERRBUF_SIZE,
399 "block of type %u in pcapng dump file is too short",
400 cursor->block_type);
401 return (NULL);
402 }
403
404 /*
405 * Return the current pointer, and skip past the chunk.
406 */
407 data = cursor->data;
408 cursor->data += chunk_size;
409 cursor->data_remaining -= chunk_size;
410 return (data);
411 }
412
413 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)414 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
415 {
416 struct option_header *opthdr;
417
418 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
419 if (opthdr == NULL) {
420 /*
421 * Option header is cut short.
422 */
423 return (NULL);
424 }
425
426 /*
427 * Byte-swap it if necessary.
428 */
429 if (p->swapped) {
430 opthdr->option_code = SWAPSHORT(opthdr->option_code);
431 opthdr->option_length = SWAPSHORT(opthdr->option_length);
432 }
433
434 return (opthdr);
435 }
436
437 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)438 get_optvalue_from_block_data(struct block_cursor *cursor,
439 struct option_header *opthdr, char *errbuf)
440 {
441 size_t padded_option_len;
442 void *optvalue;
443
444 /* Pad option length to 4-byte boundary */
445 padded_option_len = opthdr->option_length;
446 padded_option_len = ((padded_option_len + 3)/4)*4;
447
448 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
449 if (optvalue == NULL) {
450 /*
451 * Option value is cut short.
452 */
453 return (NULL);
454 }
455
456 return (optvalue);
457 }
458
459 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,uint64_t * tsresol,uint64_t * tsoffset,int * is_binary,char * errbuf)460 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
461 uint64_t *tsoffset, int *is_binary, char *errbuf)
462 {
463 struct option_header *opthdr;
464 void *optvalue;
465 int saw_tsresol, saw_tsoffset;
466 uint8_t tsresol_opt;
467 u_int i;
468
469 saw_tsresol = 0;
470 saw_tsoffset = 0;
471 while (cursor->data_remaining != 0) {
472 /*
473 * Get the option header.
474 */
475 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
476 if (opthdr == NULL) {
477 /*
478 * Option header is cut short.
479 */
480 return (-1);
481 }
482
483 /*
484 * Get option value.
485 */
486 optvalue = get_optvalue_from_block_data(cursor, opthdr,
487 errbuf);
488 if (optvalue == NULL) {
489 /*
490 * Option value is cut short.
491 */
492 return (-1);
493 }
494
495 switch (opthdr->option_code) {
496
497 case OPT_ENDOFOPT:
498 if (opthdr->option_length != 0) {
499 snprintf(errbuf, PCAP_ERRBUF_SIZE,
500 "Interface Description Block has opt_endofopt option with length %u != 0",
501 opthdr->option_length);
502 return (-1);
503 }
504 goto done;
505
506 case IF_TSRESOL:
507 if (opthdr->option_length != 1) {
508 snprintf(errbuf, PCAP_ERRBUF_SIZE,
509 "Interface Description Block has if_tsresol option with length %u != 1",
510 opthdr->option_length);
511 return (-1);
512 }
513 if (saw_tsresol) {
514 snprintf(errbuf, PCAP_ERRBUF_SIZE,
515 "Interface Description Block has more than one if_tsresol option");
516 return (-1);
517 }
518 saw_tsresol = 1;
519 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
520 if (tsresol_opt & 0x80) {
521 /*
522 * Resolution is negative power of 2.
523 */
524 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
525
526 if (tsresol_shift > 63) {
527 /*
528 * Resolution is too high; 2^-{res}
529 * won't fit in a 64-bit value.
530 */
531 snprintf(errbuf, PCAP_ERRBUF_SIZE,
532 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
533 tsresol_shift);
534 return (-1);
535 }
536 *is_binary = 1;
537 *tsresol = ((uint64_t)1) << tsresol_shift;
538 } else {
539 /*
540 * Resolution is negative power of 10.
541 */
542 if (tsresol_opt > 19) {
543 /*
544 * Resolution is too high; 2^-{res}
545 * won't fit in a 64-bit value (the
546 * largest power of 10 that fits
547 * in a 64-bit value is 10^19, as
548 * the largest 64-bit unsigned
549 * value is ~1.8*10^19).
550 */
551 snprintf(errbuf, PCAP_ERRBUF_SIZE,
552 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
553 tsresol_opt);
554 return (-1);
555 }
556 *is_binary = 0;
557 *tsresol = 1;
558 for (i = 0; i < tsresol_opt; i++)
559 *tsresol *= 10;
560 }
561 break;
562
563 case IF_TSOFFSET:
564 if (opthdr->option_length != 8) {
565 snprintf(errbuf, PCAP_ERRBUF_SIZE,
566 "Interface Description Block has if_tsoffset option with length %u != 8",
567 opthdr->option_length);
568 return (-1);
569 }
570 if (saw_tsoffset) {
571 snprintf(errbuf, PCAP_ERRBUF_SIZE,
572 "Interface Description Block has more than one if_tsoffset option");
573 return (-1);
574 }
575 saw_tsoffset = 1;
576 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
577 if (p->swapped)
578 *tsoffset = SWAPLL(*tsoffset);
579 break;
580
581 default:
582 break;
583 }
584 }
585
586 done:
587 return (0);
588 }
589
590 static int
add_interface(pcap_t * p,struct interface_description_block * idbp,struct block_cursor * cursor,char * errbuf)591 add_interface(pcap_t *p, struct interface_description_block *idbp,
592 struct block_cursor *cursor, char *errbuf)
593 {
594 struct pcap_ng_sf *ps;
595 uint64_t tsresol;
596 uint64_t tsoffset;
597 int is_binary;
598
599 ps = p->priv;
600
601 /*
602 * Count this interface.
603 */
604 ps->ifcount++;
605
606 /*
607 * Grow the array of per-interface information as necessary.
608 */
609 if (ps->ifcount > ps->ifaces_size) {
610 /*
611 * We need to grow the array.
612 */
613 bpf_u_int32 new_ifaces_size;
614 struct pcap_ng_if *new_ifaces;
615
616 if (ps->ifaces_size == 0) {
617 /*
618 * It's currently empty.
619 *
620 * (The Clang static analyzer doesn't do enough,
621 * err, umm, dataflow *analysis* to realize that
622 * ps->ifaces_size == 0 if ps->ifaces == NULL,
623 * and so complains about a possible zero argument
624 * to realloc(), so we check for the former
625 * condition to shut it up.
626 *
627 * However, it doesn't complain that one of the
628 * multiplications below could overflow, which is
629 * a real, albeit extremely unlikely, problem (you'd
630 * need a pcapng file with tens of millions of
631 * interfaces).)
632 */
633 new_ifaces_size = 1;
634 new_ifaces = malloc(sizeof (struct pcap_ng_if));
635 } else {
636 /*
637 * It's not currently empty; double its size.
638 * (Perhaps overkill once we have a lot of interfaces.)
639 *
640 * Check for overflow if we double it.
641 */
642 if (ps->ifaces_size * 2 < ps->ifaces_size) {
643 /*
644 * The maximum number of interfaces before
645 * ps->ifaces_size overflows is the largest
646 * possible 32-bit power of 2, as we do
647 * size doubling.
648 */
649 snprintf(errbuf, PCAP_ERRBUF_SIZE,
650 "more than %u interfaces in the file",
651 0x80000000U);
652 return (0);
653 }
654
655 /*
656 * ps->ifaces_size * 2 doesn't overflow, so it's
657 * safe to multiply.
658 */
659 new_ifaces_size = ps->ifaces_size * 2;
660
661 /*
662 * Now make sure that's not so big that it overflows
663 * if we multiply by sizeof (struct pcap_ng_if).
664 *
665 * That can happen on 32-bit platforms, with a 32-bit
666 * size_t; it shouldn't happen on 64-bit platforms,
667 * with a 64-bit size_t, as new_ifaces_size is
668 * 32 bits.
669 */
670 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
671 /*
672 * As this fails only with 32-bit size_t,
673 * the multiplication was 32x32->32, and
674 * the largest 32-bit value that can safely
675 * be multiplied by sizeof (struct pcap_ng_if)
676 * without overflow is the largest 32-bit
677 * (unsigned) value divided by
678 * sizeof (struct pcap_ng_if).
679 */
680 snprintf(errbuf, PCAP_ERRBUF_SIZE,
681 "more than %u interfaces in the file",
682 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
683 return (0);
684 }
685 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
686 }
687 if (new_ifaces == NULL) {
688 /*
689 * We ran out of memory.
690 * Give up.
691 */
692 snprintf(errbuf, PCAP_ERRBUF_SIZE,
693 "out of memory for per-interface information (%u interfaces)",
694 ps->ifcount);
695 return (0);
696 }
697 ps->ifaces_size = new_ifaces_size;
698 ps->ifaces = new_ifaces;
699 }
700
701 ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
702
703 /*
704 * Set the default time stamp resolution and offset.
705 */
706 tsresol = 1000000; /* microsecond resolution */
707 is_binary = 0; /* which is a power of 10 */
708 tsoffset = 0; /* absolute timestamps */
709
710 /*
711 * Now look for various time stamp options, so we know
712 * how to interpret the time stamps for this interface.
713 */
714 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
715 errbuf) == -1)
716 return (0);
717
718 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
719 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
720
721 /*
722 * Determine whether we're scaling up or down or not
723 * at all for this interface.
724 */
725 if (tsresol == ps->user_tsresol) {
726 /*
727 * The resolution is the resolution the user wants,
728 * so we don't have to do scaling.
729 */
730 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
731 } else if (tsresol > ps->user_tsresol) {
732 /*
733 * The resolution is greater than what the user wants,
734 * so we have to scale the timestamps down.
735 */
736 if (is_binary)
737 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
738 else {
739 /*
740 * Calculate the scale factor.
741 */
742 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
743 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
744 }
745 } else {
746 /*
747 * The resolution is less than what the user wants,
748 * so we have to scale the timestamps up.
749 */
750 if (is_binary)
751 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
752 else {
753 /*
754 * Calculate the scale factor.
755 */
756 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
757 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
758 }
759 }
760 return (1);
761 }
762
763 /*
764 * Check whether this is a pcapng savefile and, if it is, extract the
765 * relevant information from the header.
766 */
767 pcap_t *
pcap_ng_check_header(const uint8_t * magic,FILE * fp,u_int precision,char * errbuf,int * err)768 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
769 char *errbuf, int *err)
770 {
771 bpf_u_int32 magic_int;
772 size_t amt_read;
773 bpf_u_int32 total_length;
774 bpf_u_int32 byte_order_magic;
775 struct block_header *bhdrp;
776 struct section_header_block *shbp;
777 pcap_t *p;
778 int swapped = 0;
779 struct pcap_ng_sf *ps;
780 int status;
781 struct block_cursor cursor;
782 struct interface_description_block *idbp;
783
784 /*
785 * Assume no read errors.
786 */
787 *err = 0;
788
789 /*
790 * Check whether the first 4 bytes of the file are the block
791 * type for a pcapng savefile.
792 */
793 memcpy(&magic_int, magic, sizeof(magic_int));
794 if (magic_int != BT_SHB) {
795 /*
796 * XXX - check whether this looks like what the block
797 * type would be after being munged by mapping between
798 * UN*X and DOS/Windows text file format and, if it
799 * does, look for the byte-order magic number in
800 * the appropriate place and, if we find it, report
801 * this as possibly being a pcapng file transferred
802 * between UN*X and Windows in text file format?
803 */
804 return (NULL); /* nope */
805 }
806
807 /*
808 * OK, they are. However, that's just \n\r\r\n, so it could,
809 * conceivably, be an ordinary text file.
810 *
811 * It could not, however, conceivably be any other type of
812 * capture file, so we can read the rest of the putative
813 * Section Header Block; put the block type in the common
814 * header, read the rest of the common header and the
815 * fixed-length portion of the SHB, and look for the byte-order
816 * magic value.
817 */
818 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
819 if (amt_read < sizeof(total_length)) {
820 if (ferror(fp)) {
821 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
822 errno, "error reading dump file");
823 *err = 1;
824 return (NULL); /* fail */
825 }
826
827 /*
828 * Possibly a weird short text file, so just say
829 * "not pcapng".
830 */
831 return (NULL);
832 }
833 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
834 if (amt_read < sizeof(byte_order_magic)) {
835 if (ferror(fp)) {
836 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
837 errno, "error reading dump file");
838 *err = 1;
839 return (NULL); /* fail */
840 }
841
842 /*
843 * Possibly a weird short text file, so just say
844 * "not pcapng".
845 */
846 return (NULL);
847 }
848 if (byte_order_magic != BYTE_ORDER_MAGIC) {
849 byte_order_magic = SWAPLONG(byte_order_magic);
850 if (byte_order_magic != BYTE_ORDER_MAGIC) {
851 /*
852 * Not a pcapng file.
853 */
854 return (NULL);
855 }
856 swapped = 1;
857 total_length = SWAPLONG(total_length);
858 }
859
860 /*
861 * Check the sanity of the total length.
862 */
863 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
864 (total_length > BT_SHB_INSANE_MAX)) {
865 snprintf(errbuf, PCAP_ERRBUF_SIZE,
866 "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
867 sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
868 total_length,
869 BT_SHB_INSANE_MAX);
870
871 *err = 1;
872 return (NULL);
873 }
874
875 /*
876 * OK, this is a good pcapng file.
877 * Allocate a pcap_t for it.
878 */
879 p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
880 if (p == NULL) {
881 /* Allocation failed. */
882 *err = 1;
883 return (NULL);
884 }
885 p->swapped = swapped;
886 ps = p->priv;
887
888 /*
889 * What precision does the user want?
890 */
891 switch (precision) {
892
893 case PCAP_TSTAMP_PRECISION_MICRO:
894 ps->user_tsresol = 1000000;
895 break;
896
897 case PCAP_TSTAMP_PRECISION_NANO:
898 ps->user_tsresol = 1000000000;
899 break;
900
901 default:
902 snprintf(errbuf, PCAP_ERRBUF_SIZE,
903 "unknown time stamp resolution %u", precision);
904 free(p);
905 *err = 1;
906 return (NULL);
907 }
908
909 p->opt.tstamp_precision = precision;
910
911 /*
912 * Allocate a buffer into which to read blocks. We default to
913 * the maximum of:
914 *
915 * the total length of the SHB for which we read the header;
916 *
917 * 2K, which should be more than large enough for an Enhanced
918 * Packet Block containing a full-size Ethernet frame, and
919 * leaving room for some options.
920 *
921 * If we find a bigger block, we reallocate the buffer, up to
922 * the maximum size. We start out with a maximum size of
923 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
924 * with a maximum snapshot that results in a larger maximum
925 * block length, we boost the maximum.
926 */
927 p->bufsize = 2048;
928 if (p->bufsize < total_length)
929 p->bufsize = total_length;
930 p->buffer = malloc(p->bufsize);
931 if (p->buffer == NULL) {
932 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
933 free(p);
934 *err = 1;
935 return (NULL);
936 }
937 ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
938
939 /*
940 * Copy the stuff we've read to the buffer, and read the rest
941 * of the SHB.
942 */
943 bhdrp = (struct block_header *)p->buffer;
944 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
945 bhdrp->block_type = magic_int;
946 bhdrp->total_length = total_length;
947 shbp->byte_order_magic = byte_order_magic;
948 if (read_bytes(fp,
949 (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
950 total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
951 1, errbuf) == -1)
952 goto fail;
953
954 if (p->swapped) {
955 /*
956 * Byte-swap the fields we've read.
957 */
958 shbp->major_version = SWAPSHORT(shbp->major_version);
959 shbp->minor_version = SWAPSHORT(shbp->minor_version);
960
961 /*
962 * XXX - we don't care about the section length.
963 */
964 }
965 /* currently only SHB version 1.0 is supported */
966 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
967 shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
968 snprintf(errbuf, PCAP_ERRBUF_SIZE,
969 "unsupported pcapng savefile version %u.%u",
970 shbp->major_version, shbp->minor_version);
971 goto fail;
972 }
973 p->version_major = shbp->major_version;
974 p->version_minor = shbp->minor_version;
975
976 /*
977 * Save the time stamp resolution the user requested.
978 */
979 p->opt.tstamp_precision = precision;
980
981 /*
982 * Now start looking for an Interface Description Block.
983 */
984 for (;;) {
985 /*
986 * Read the next block.
987 */
988 status = read_block(fp, p, &cursor, errbuf);
989 if (status == 0) {
990 /* EOF - no IDB in this file */
991 snprintf(errbuf, PCAP_ERRBUF_SIZE,
992 "the capture file has no Interface Description Blocks");
993 goto fail;
994 }
995 if (status == -1)
996 goto fail; /* error */
997 switch (cursor.block_type) {
998
999 case BT_IDB:
1000 /*
1001 * Get a pointer to the fixed-length portion of the
1002 * IDB.
1003 */
1004 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1005 errbuf);
1006 if (idbp == NULL)
1007 goto fail; /* error */
1008
1009 /*
1010 * Byte-swap it if necessary.
1011 */
1012 if (p->swapped) {
1013 idbp->linktype = SWAPSHORT(idbp->linktype);
1014 idbp->snaplen = SWAPLONG(idbp->snaplen);
1015 }
1016
1017 /*
1018 * Try to add this interface.
1019 */
1020 if (!add_interface(p, idbp, &cursor, errbuf))
1021 goto fail;
1022
1023 goto done;
1024
1025 case BT_EPB:
1026 case BT_SPB:
1027 case BT_PB:
1028 /*
1029 * Saw a packet before we saw any IDBs. That's
1030 * not valid, as we don't know what link-layer
1031 * encapsulation the packet has.
1032 */
1033 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1034 "the capture file has a packet block before any Interface Description Blocks");
1035 goto fail;
1036
1037 default:
1038 /*
1039 * Just ignore it.
1040 */
1041 break;
1042 }
1043 }
1044
1045 done:
1046 p->linktype = linktype_to_dlt(idbp->linktype);
1047 p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen);
1048 p->linktype_ext = 0;
1049
1050 /*
1051 * If the maximum block size for a packet with the maximum
1052 * snapshot length for this DLT_ is bigger than the current
1053 * maximum block size, increase the maximum.
1054 */
1055 if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1056 ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
1057
1058 p->next_packet_op = pcap_ng_next_packet;
1059 p->cleanup_op = pcap_ng_cleanup;
1060
1061 return (p);
1062
1063 fail:
1064 free(ps->ifaces);
1065 free(p->buffer);
1066 free(p);
1067 *err = 1;
1068 return (NULL);
1069 }
1070
1071 static void
pcap_ng_cleanup(pcap_t * p)1072 pcap_ng_cleanup(pcap_t *p)
1073 {
1074 struct pcap_ng_sf *ps = p->priv;
1075
1076 free(ps->ifaces);
1077 sf_cleanup(p);
1078 }
1079
1080 /*
1081 * Read and return the next packet from the savefile. Return the header
1082 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1083 * if there were no more packets, and -1 on an error.
1084 */
1085 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1086 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1087 {
1088 struct pcap_ng_sf *ps = p->priv;
1089 struct block_cursor cursor;
1090 int status;
1091 struct enhanced_packet_block *epbp;
1092 struct simple_packet_block *spbp;
1093 struct packet_block *pbp;
1094 bpf_u_int32 interface_id = 0xFFFFFFFF;
1095 struct interface_description_block *idbp;
1096 struct section_header_block *shbp;
1097 FILE *fp = p->rfile;
1098 uint64_t t, sec, frac;
1099
1100 /*
1101 * Look for an Enhanced Packet Block, a Simple Packet Block,
1102 * or a Packet Block.
1103 */
1104 for (;;) {
1105 /*
1106 * Read the block type and length; those are common
1107 * to all blocks.
1108 */
1109 status = read_block(fp, p, &cursor, p->errbuf);
1110 if (status == 0)
1111 return (1); /* EOF */
1112 if (status == -1)
1113 return (-1); /* error */
1114 switch (cursor.block_type) {
1115
1116 case BT_EPB:
1117 /*
1118 * Get a pointer to the fixed-length portion of the
1119 * EPB.
1120 */
1121 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1122 p->errbuf);
1123 if (epbp == NULL)
1124 return (-1); /* error */
1125
1126 /*
1127 * Byte-swap it if necessary.
1128 */
1129 if (p->swapped) {
1130 /* these were written in opposite byte order */
1131 interface_id = SWAPLONG(epbp->interface_id);
1132 hdr->caplen = SWAPLONG(epbp->caplen);
1133 hdr->len = SWAPLONG(epbp->len);
1134 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1135 SWAPLONG(epbp->timestamp_low);
1136 } else {
1137 interface_id = epbp->interface_id;
1138 hdr->caplen = epbp->caplen;
1139 hdr->len = epbp->len;
1140 t = ((uint64_t)epbp->timestamp_high) << 32 |
1141 epbp->timestamp_low;
1142 }
1143 goto found;
1144
1145 case BT_SPB:
1146 /*
1147 * Get a pointer to the fixed-length portion of the
1148 * SPB.
1149 */
1150 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1151 p->errbuf);
1152 if (spbp == NULL)
1153 return (-1); /* error */
1154
1155 /*
1156 * SPB packets are assumed to have arrived on
1157 * the first interface.
1158 */
1159 interface_id = 0;
1160
1161 /*
1162 * Byte-swap it if necessary.
1163 */
1164 if (p->swapped) {
1165 /* these were written in opposite byte order */
1166 hdr->len = SWAPLONG(spbp->len);
1167 } else
1168 hdr->len = spbp->len;
1169
1170 /*
1171 * The SPB doesn't give the captured length;
1172 * it's the minimum of the snapshot length
1173 * and the packet length.
1174 */
1175 hdr->caplen = hdr->len;
1176 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1177 hdr->caplen = p->snapshot;
1178 t = 0; /* no time stamps */
1179 goto found;
1180
1181 case BT_PB:
1182 /*
1183 * Get a pointer to the fixed-length portion of the
1184 * PB.
1185 */
1186 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1187 p->errbuf);
1188 if (pbp == NULL)
1189 return (-1); /* error */
1190
1191 /*
1192 * Byte-swap it if necessary.
1193 */
1194 if (p->swapped) {
1195 /* these were written in opposite byte order */
1196 interface_id = SWAPSHORT(pbp->interface_id);
1197 hdr->caplen = SWAPLONG(pbp->caplen);
1198 hdr->len = SWAPLONG(pbp->len);
1199 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1200 SWAPLONG(pbp->timestamp_low);
1201 } else {
1202 interface_id = pbp->interface_id;
1203 hdr->caplen = pbp->caplen;
1204 hdr->len = pbp->len;
1205 t = ((uint64_t)pbp->timestamp_high) << 32 |
1206 pbp->timestamp_low;
1207 }
1208 goto found;
1209
1210 case BT_IDB:
1211 /*
1212 * Interface Description Block. Get a pointer
1213 * to its fixed-length portion.
1214 */
1215 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1216 p->errbuf);
1217 if (idbp == NULL)
1218 return (-1); /* error */
1219
1220 /*
1221 * Byte-swap it if necessary.
1222 */
1223 if (p->swapped) {
1224 idbp->linktype = SWAPSHORT(idbp->linktype);
1225 idbp->snaplen = SWAPLONG(idbp->snaplen);
1226 }
1227
1228 /*
1229 * If the link-layer type or snapshot length
1230 * differ from the ones for the first IDB we
1231 * saw, quit.
1232 *
1233 * XXX - just discard packets from those
1234 * interfaces?
1235 */
1236 if (p->linktype != idbp->linktype) {
1237 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1238 "an interface has a type %u different from the type of the first interface",
1239 idbp->linktype);
1240 return (-1);
1241 }
1242
1243 /*
1244 * Check against the *adjusted* value of this IDB's
1245 * snapshot length.
1246 */
1247 if ((bpf_u_int32)p->snapshot !=
1248 pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
1249 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1250 "an interface has a snapshot length %u different from the snapshot length of the first interface",
1251 idbp->snaplen);
1252 return (-1);
1253 }
1254
1255 /*
1256 * Try to add this interface.
1257 */
1258 if (!add_interface(p, idbp, &cursor, p->errbuf))
1259 return (-1);
1260 break;
1261
1262 case BT_SHB:
1263 /*
1264 * Section Header Block. Get a pointer
1265 * to its fixed-length portion.
1266 */
1267 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1268 p->errbuf);
1269 if (shbp == NULL)
1270 return (-1); /* error */
1271
1272 /*
1273 * Assume the byte order of this section is
1274 * the same as that of the previous section.
1275 * We'll check for that later.
1276 */
1277 if (p->swapped) {
1278 shbp->byte_order_magic =
1279 SWAPLONG(shbp->byte_order_magic);
1280 shbp->major_version =
1281 SWAPSHORT(shbp->major_version);
1282 }
1283
1284 /*
1285 * Make sure the byte order doesn't change;
1286 * pcap_is_swapped() shouldn't change its
1287 * return value in the middle of reading a capture.
1288 */
1289 switch (shbp->byte_order_magic) {
1290
1291 case BYTE_ORDER_MAGIC:
1292 /*
1293 * OK.
1294 */
1295 break;
1296
1297 case SWAPLONG(BYTE_ORDER_MAGIC):
1298 /*
1299 * Byte order changes.
1300 */
1301 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1302 "the file has sections with different byte orders");
1303 return (-1);
1304
1305 default:
1306 /*
1307 * Not a valid SHB.
1308 */
1309 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1310 "the file has a section with a bad byte order magic field");
1311 return (-1);
1312 }
1313
1314 /*
1315 * Make sure the major version is the version
1316 * we handle.
1317 */
1318 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1319 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1320 "unknown pcapng savefile major version number %u",
1321 shbp->major_version);
1322 return (-1);
1323 }
1324
1325 /*
1326 * Reset the interface count; this section should
1327 * have its own set of IDBs. If any of them
1328 * don't have the same interface type, snapshot
1329 * length, or resolution as the first interface
1330 * we saw, we'll fail. (And if we don't see
1331 * any IDBs, we'll fail when we see a packet
1332 * block.)
1333 */
1334 ps->ifcount = 0;
1335 break;
1336
1337 default:
1338 /*
1339 * Not a packet block, IDB, or SHB; ignore it.
1340 */
1341 break;
1342 }
1343 }
1344
1345 found:
1346 /*
1347 * Is the interface ID an interface we know?
1348 */
1349 if (interface_id >= ps->ifcount) {
1350 /*
1351 * Yes. Fail.
1352 */
1353 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1354 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1355 interface_id);
1356 return (-1);
1357 }
1358
1359 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1360 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1361 "invalid packet capture length %u, bigger than "
1362 "snaplen of %d", hdr->caplen, p->snapshot);
1363 return (-1);
1364 }
1365
1366 /*
1367 * Convert the time stamp to seconds and fractions of a second,
1368 * with the fractions being in units of the file-supplied resolution.
1369 */
1370 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1371 frac = t % ps->ifaces[interface_id].tsresol;
1372
1373 /*
1374 * Convert the fractions from units of the file-supplied resolution
1375 * to units of the user-requested resolution.
1376 */
1377 switch (ps->ifaces[interface_id].scale_type) {
1378
1379 case PASS_THROUGH:
1380 /*
1381 * The interface resolution is what the user wants,
1382 * so we're done.
1383 */
1384 break;
1385
1386 case SCALE_UP_DEC:
1387 /*
1388 * The interface resolution is less than what the user
1389 * wants; scale the fractional part up to the units of
1390 * the resolution the user requested by multiplying by
1391 * the quotient of the user-requested resolution and the
1392 * file-supplied resolution.
1393 *
1394 * Those resolutions are both powers of 10, and the user-
1395 * requested resolution is greater than the file-supplied
1396 * resolution, so the quotient in question is an integer.
1397 * We've calculated that quotient already, so we just
1398 * multiply by it.
1399 */
1400 frac *= ps->ifaces[interface_id].scale_factor;
1401 break;
1402
1403 case SCALE_UP_BIN:
1404 /*
1405 * The interface resolution is less than what the user
1406 * wants; scale the fractional part up to the units of
1407 * the resolution the user requested by multiplying by
1408 * the quotient of the user-requested resolution and the
1409 * file-supplied resolution.
1410 *
1411 * The file-supplied resolution is a power of 2, so the
1412 * quotient is not an integer, so, in order to do this
1413 * entirely with integer arithmetic, we multiply by the
1414 * user-requested resolution and divide by the file-
1415 * supplied resolution.
1416 *
1417 * XXX - Is there something clever we could do here,
1418 * given that we know that the file-supplied resolution
1419 * is a power of 2? Doing a multiplication followed by
1420 * a division runs the risk of overflowing, and involves
1421 * two non-simple arithmetic operations.
1422 */
1423 frac *= ps->user_tsresol;
1424 frac /= ps->ifaces[interface_id].tsresol;
1425 break;
1426
1427 case SCALE_DOWN_DEC:
1428 /*
1429 * The interface resolution is greater than what the user
1430 * wants; scale the fractional part up to the units of
1431 * the resolution the user requested by multiplying by
1432 * the quotient of the user-requested resolution and the
1433 * file-supplied resolution.
1434 *
1435 * Those resolutions are both powers of 10, and the user-
1436 * requested resolution is less than the file-supplied
1437 * resolution, so the quotient in question isn't an
1438 * integer, but its reciprocal is, and we can just divide
1439 * by the reciprocal of the quotient. We've calculated
1440 * the reciprocal of that quotient already, so we must
1441 * divide by it.
1442 */
1443 frac /= ps->ifaces[interface_id].scale_factor;
1444 break;
1445
1446
1447 case SCALE_DOWN_BIN:
1448 /*
1449 * The interface resolution is greater than what the user
1450 * wants; convert the fractional part to units of the
1451 * resolution the user requested by multiplying by the
1452 * quotient of the user-requested resolution and the
1453 * file-supplied resolution. We do that by multiplying
1454 * by the user-requested resolution and dividing by the
1455 * file-supplied resolution, as the quotient might not
1456 * fit in an integer.
1457 *
1458 * The file-supplied resolution is a power of 2, so the
1459 * quotient is not an integer, and neither is its
1460 * reciprocal, so, in order to do this entirely with
1461 * integer arithmetic, we multiply by the user-requested
1462 * resolution and divide by the file-supplied resolution.
1463 *
1464 * XXX - Is there something clever we could do here,
1465 * given that we know that the file-supplied resolution
1466 * is a power of 2? Doing a multiplication followed by
1467 * a division runs the risk of overflowing, and involves
1468 * two non-simple arithmetic operations.
1469 */
1470 frac *= ps->user_tsresol;
1471 frac /= ps->ifaces[interface_id].tsresol;
1472 break;
1473 }
1474 #ifdef _WIN32
1475 /*
1476 * tv_sec and tv_used in the Windows struct timeval are both
1477 * longs.
1478 */
1479 hdr->ts.tv_sec = (long)sec;
1480 hdr->ts.tv_usec = (long)frac;
1481 #else
1482 /*
1483 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1484 * suseconds_t in UN*Xes that work the way the current Single
1485 * UNIX Standard specify - but not all older UN*Xes necessarily
1486 * support that type, so just cast to int.
1487 */
1488 hdr->ts.tv_sec = (time_t)sec;
1489 hdr->ts.tv_usec = (int)frac;
1490 #endif
1491
1492 /*
1493 * Get a pointer to the packet data.
1494 */
1495 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1496 if (*data == NULL)
1497 return (-1);
1498
1499 if (p->swapped)
1500 swap_pseudo_headers(p->linktype, hdr, *data);
1501
1502 return (0);
1503 }
1504