1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
22 */
23
#ifndef lint
/* Revision-control identification string; left out when "lint" is defined. */
static const char rcsid[] _U_ =
    "@(#) $Header$ (LBL)";
#endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #ifdef WIN32
34 #include <pcap-stdinc.h>
35 #else /* WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #endif /* WIN32 */
46
47 #include <errno.h>
48 #include <memory.h>
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52
53 #include "pcap-int.h"
54
55 #include "pcap-common.h"
56
57 #ifdef HAVE_OS_PROTO_H
58 #include "os-proto.h"
59 #endif
60
61 #include "sf-pcap-ng.h"
62
63 /*
64 * Block types.
65 */
66
/*
 * Common part at the beginning of all blocks.
 *
 * read_block() reads this straight from the file, so both fields are
 * in the file's byte order until they are swapped (p->swapped).
 * total_length is attacker-controlled input: it covers the whole block,
 * header and trailer included, and is range-checked in read_block()
 * before it is used as an allocation or read size.
 */
struct block_header {
	bpf_u_int32 block_type;
	bpf_u_int32 total_length;
};

/*
 * Common trailer at the end of all blocks.
 *
 * NOTE(review): nothing in this file compares this copy of the length
 * with block_header.total_length; the trailer is only skipped over.
 */
struct block_trailer {
	bpf_u_int32 total_length;
};
81
/*
 * Common options.
 */
#define OPT_ENDOFOPT 0 /* end of options */
#define OPT_COMMENT 1 /* comment string */

/*
 * Option header.
 *
 * Both fields come from the file and are byte-swapped in place by
 * get_opthdr_from_block_data() when p->swapped is set.  option_length
 * is the unpadded length of the value; the value itself occupies
 * option_length rounded up to a multiple of 4 bytes (see
 * get_optvalue_from_block_data()).
 */
struct option_header {
	u_short option_code;
	u_short option_length;
};
95
96 /*
97 * Structures for the part of each block type following the common
98 * part.
99 */
100
/*
 * Section Header Block.
 *
 * The block type value reads the same in either byte order, so the
 * byte order of a section is determined from byte_order_magic instead.
 */
#define BT_SHB 0x0A0D0D0A

struct section_header_block {
	bpf_u_int32 byte_order_magic;
	u_short major_version;
	u_short minor_version;
	u_int64_t section_length;	/* not used by this reader */
	/* followed by options and trailer */
};

/*
 * Byte-order magic value.  If the field does not match as read but
 * matches after SWAPLONG(), the section was written in the opposite
 * byte order and every multi-byte field must be swapped.
 */
#define BYTE_ORDER_MAGIC 0x1A2B3C4D

/*
 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
 * that means that this code can't read the file.
 */
#define PCAP_NG_VERSION_MAJOR 1
124
/*
 * Interface Description Block.
 */
#define BT_IDB 0x00000001

struct interface_description_block {
	u_short linktype;	/* byte-swapped in place when p->swapped */
	u_short reserved;
	bpf_u_int32 snaplen;	/* byte-swapped in place when p->swapped */
	/* followed by options and trailer */
};

/*
 * Options in the IDB.
 *
 * Only IF_TSRESOL and IF_TSOFFSET are interpreted by
 * process_idb_options(); every other option code is skipped.
 */
#define IF_NAME 2 /* interface name string */
#define IF_DESCRIPTION 3 /* interface description string */
#define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
#define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
#define IF_MACADDR 6 /* interface's MAC address */
#define IF_EUIADDR 7 /* interface's EUI address */
#define IF_SPEED 8 /* interface's speed, in bits/s */
#define IF_TSRESOL 9 /* interface's time stamp resolution */
#define IF_TZONE 10 /* interface's time zone */
#define IF_FILTER 11 /* filter used when capturing on interface */
#define IF_OS 12 /* string OS on which capture on this interface was done */
#define IF_FCSLEN 13 /* FCS length for this interface */
#define IF_TSOFFSET 14 /* time stamp offset for this interface */
153
/*
 * Enhanced Packet Block.
 *
 * All fields are file-supplied.  interface_id is checked against the
 * number of IDBs seen, and caplen against the bytes left in the block,
 * in pcap_ng_next_packet() before either is used.
 */
#define BT_EPB 0x00000006

struct enhanced_packet_block {
	bpf_u_int32 interface_id;
	bpf_u_int32 timestamp_high;	/* upper 32 bits of the time stamp */
	bpf_u_int32 timestamp_low;	/* lower 32 bits of the time stamp */
	bpf_u_int32 caplen;
	bpf_u_int32 len;
	/* followed by packet data, options, and trailer */
};

/*
 * Simple Packet Block.
 *
 * Carries no interface ID, captured length or time stamp; the reader
 * uses interface 0, min(len, snapshot length) and a time stamp of 0.
 */
#define BT_SPB 0x00000003

struct simple_packet_block {
	bpf_u_int32 len;
	/* followed by packet data and trailer */
};

/*
 * Packet Block.
 *
 * Same handling as the Enhanced Packet Block, except that the
 * interface ID is 16 bits wide.
 */
#define BT_PB 0x00000002

struct packet_block {
	u_short interface_id;
	u_short drops_count;	/* not used by this reader */
	bpf_u_int32 timestamp_high;
	bpf_u_int32 timestamp_low;
	bpf_u_int32 caplen;
	bpf_u_int32 len;
	/* followed by packet data, options, and trailer */
};
192
/*
 * Block cursor - used when processing the contents of a block.
 * Contains a pointer into the data being processed and a count
 * of bytes remaining in the block.
 *
 * read_block() sets data_remaining to the block length minus the
 * common header and trailer; get_from_block_data() is the only place
 * that advances the cursor, and it refuses to go past that count.
 */
struct block_cursor {
	u_char *data;
	size_t data_remaining;
	bpf_u_int32 block_type;
};

/*
 * How the fractional part of a time stamp is converted from the
 * interface's resolution to the resolution the user asked for.
 */
typedef enum {
	PASS_THROUGH,	/* resolutions are equal */
	SCALE_UP,	/* interface resolution is lower than requested */
	SCALE_DOWN	/* interface resolution is higher than requested */
} tstamp_scale_type_t;

/*
 * Per-interface information.
 */
struct pcap_ng_if {
	u_int tsresol; /* time stamp resolution, in ticks per second */
	u_int64_t tsoffset; /* time stamp offset, added to the seconds */
	tstamp_scale_type_t scale_type; /* how to scale */
};

/*
 * Reader state kept in p->priv for a pcap-ng savefile.
 */
struct pcap_ng_sf {
	u_int user_tsresol; /* time stamp resolution requested by the user */
	bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
	bpf_u_int32 ifaces_size; /* size of array below */
	struct pcap_ng_if *ifaces; /* array of interface information */
};

static void pcap_ng_cleanup(pcap_t *p);
static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
    u_char **data);
229
/*
 * Read exactly bytes_to_read bytes from fp into buf.
 *
 * Returns 1 when the full amount was read.  Returns 0 when nothing at
 * all could be read, the stream reports no error, and fail_on_eof is
 * zero (a clean end of file).  Returns -1, with a message in errbuf,
 * on a read error or on any other short read.
 */
static int
read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
    char *errbuf)
{
	size_t got = fread(buf, 1, bytes_to_read, fp);

	if (got == bytes_to_read)
		return (1);

	if (ferror(fp)) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "error reading dump file: %s",
		    pcap_strerror(errno));
		return (-1);
	}

	/*
	 * No I/O error, so the file simply ended early.  That is only
	 * acceptable if we got nothing and the caller allows EOF here.
	 */
	if (got == 0 && !fail_on_eof)
		return (0);	/* EOF */

	snprintf(errbuf, PCAP_ERRBUF_SIZE,
	    "truncated dump file; tried to read %lu bytes, only got %lu",
	    (unsigned long)bytes_to_read,
	    (unsigned long)got);
	return (-1);
}
254
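/*
 * Read the next block from fp into p->buffer and point cursor at the
 * block body (the bytes between the common header and the trailer).
 *
 * The block length comes from the file and is untrusted: it is
 * rejected if it exceeds 16MB or is smaller than a header plus a
 * trailer, and only then used to size the buffer and the read.
 *
 * Returns 1 on success, 0 on a clean EOF before the block header, and
 * -1 on error with a message in errbuf.
 *
 * NOTE(review): the trailer's copy of the length is not compared with
 * the header's, and the length is not required to be a multiple of 4.
 */
static int
read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	const bpf_u_int32 max_block_size = 16*1024*1024;
	int status;
	struct block_header bhdr;
	void *bigger_buffer;

	status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
	if (status <= 0)
		return (status);	/* error or EOF */

	if (p->swapped) {
		bhdr.block_type = SWAPLONG(bhdr.block_type);
		bhdr.total_length = SWAPLONG(bhdr.total_length);
	}

	/*
	 * Is this block "too big"?
	 *
	 * We choose 16MB as "too big", for now, so that we handle
	 * "reasonably" large buffers but don't chew up all the
	 * memory if we read a malformed file.
	 */
	if (bhdr.total_length > max_block_size) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "pcap-ng block size %u > maximum %u",
		    bhdr.total_length, max_block_size);
		return (-1);
	}

	/*
	 * Is this block "too small" - i.e., is it shorter than a block
	 * header plus a block trailer?  Without this check the
	 * subtractions below would wrap around.
	 */
	if (bhdr.total_length < sizeof(struct block_header) +
	    sizeof(struct block_trailer)) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block in pcap-ng dump file has a length of %u < %lu",
		    bhdr.total_length,
		    (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
		return (-1);
	}

	/*
	 * Is the buffer big enough?
	 */
	if (p->bufsize < bhdr.total_length) {
		/*
		 * No - make it big enough.  Go through a temporary so
		 * that a failed realloc() neither leaks the old buffer
		 * nor leaves p->buffer NULL while p->bufsize still says
		 * there is room, and record the new size.
		 */
		bigger_buffer = realloc(p->buffer, bhdr.total_length);
		if (bigger_buffer == NULL) {
			snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
			return (-1);
		}
		p->buffer = bigger_buffer;
		p->bufsize = bhdr.total_length;
	}

	/*
	 * Copy the stuff we've read to the buffer, and read the rest
	 * of the block.
	 */
	memcpy(p->buffer, &bhdr, sizeof(bhdr));
	if (read_bytes(fp, p->buffer + sizeof(bhdr),
	    bhdr.total_length - sizeof(bhdr), 1, errbuf) == -1)
		return (-1);

	/*
	 * Initialize the cursor.  data_remaining excludes the trailer,
	 * so nothing handed out through the cursor can overlap it.
	 */
	cursor->data = p->buffer + sizeof(bhdr);
	cursor->data_remaining = bhdr.total_length - sizeof(bhdr) -
	    sizeof(struct block_trailer);
	cursor->block_type = bhdr.block_type;
	return (1);
}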
329
/*
 * Hand out the next chunk_size bytes of the block the cursor is on.
 *
 * This is the single bounds check for everything parsed out of a
 * block: if fewer than chunk_size bytes remain, a message is put in
 * errbuf and NULL is returned without moving the cursor.  Otherwise
 * the cursor is advanced past the chunk and a pointer to its start is
 * returned.
 */
static void *
get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
    char *errbuf)
{
	u_char *chunk_start;

	if (chunk_size > cursor->data_remaining) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "block of type %u in pcap-ng dump file is too short",
		    cursor->block_type);
		return (NULL);
	}

	chunk_start = cursor->data;
	cursor->data = chunk_start + chunk_size;
	cursor->data_remaining -= chunk_size;
	return (chunk_start);
}
355
/*
 * Fetch the next option header from the block and convert it to host
 * byte order in place.  Returns NULL, with errbuf set by
 * get_from_block_data(), if the header is cut short.
 */
static struct option_header *
get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct option_header *hdr;

	hdr = get_from_block_data(cursor, sizeof(struct option_header), errbuf);
	if (hdr != NULL && p->swapped) {
		/* The file was written in the opposite byte order. */
		hdr->option_code = SWAPSHORT(hdr->option_code);
		hdr->option_length = SWAPSHORT(hdr->option_length);
	}
	return (hdr);
}
379
/*
 * Fetch the value of the option described by opthdr.  Values are
 * padded to a 4-byte boundary in the file, so the padded length is
 * what gets consumed from the block.  Returns NULL, with errbuf set by
 * get_from_block_data(), if the value is cut short.
 */
static void *
get_optvalue_from_block_data(struct block_cursor *cursor,
    struct option_header *opthdr, char *errbuf)
{
	/* Round the declared length up to the next multiple of 4. */
	size_t padded_len = ((size_t)opthdr->option_length + 3) & ~(size_t)3;

	return (get_from_block_data(cursor, padded_len, errbuf));
}
401
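/*
 * Walk the options of an Interface Description Block and pick out the
 * time stamp resolution (if_tsresol) and offset (if_tsoffset).
 *
 * *tsresol and *tsoffset are only written when the corresponding
 * option is present, so the caller supplies the defaults.  All other
 * option codes are skipped.
 *
 * Returns 0 on success and -1, with a message in errbuf, if an option
 * is truncated, has the wrong length, appears twice, or asks for a
 * resolution that does not fit in *tsresol.
 */
static int
process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
    u_int64_t *tsoffset, char *errbuf)
{
	struct option_header *opthdr;
	void *optvalue;
	int saw_tsresol, saw_tsoffset;
	u_char tsresol_opt;
	u_int i;

	saw_tsresol = 0;
	saw_tsoffset = 0;
	while (cursor->data_remaining != 0) {
		/*
		 * Get the option header.
		 */
		opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
		if (opthdr == NULL) {
			/*
			 * Option header is cut short.
			 */
			return (-1);
		}

		/*
		 * Get option value.
		 */
		optvalue = get_optvalue_from_block_data(cursor, opthdr,
		    errbuf);
		if (optvalue == NULL) {
			/*
			 * Option value is cut short.
			 */
			return (-1);
		}

		switch (opthdr->option_code) {

		case OPT_ENDOFOPT:
			if (opthdr->option_length != 0) {
				snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has opt_endofopt option with length %u != 0",
				    opthdr->option_length);
				return (-1);
			}
			goto done;

		case IF_TSRESOL:
			if (opthdr->option_length != 1) {
				snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has if_tsresol option with length %u != 1",
				    opthdr->option_length);
				return (-1);
			}
			if (saw_tsresol) {
				snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has more than one if_tsresol option");
				return (-1);
			}
			saw_tsresol = 1;

			/*
			 * The value is a single byte.  Copy just that
			 * byte: reading it through a u_int pointer
			 * picks up the padding instead of the value on
			 * big-endian hosts.
			 */
			memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
			if (tsresol_opt & 0x80) {
				/*
				 * Resolution is negative power of 2.
				 *
				 * The exponent is file-supplied and can
				 * be as large as 127; shifting by the
				 * width of the type or more is undefined
				 * behavior, so reject it up front rather
				 * than testing the result for 0.
				 * (Assumes u_int has 32 value bits.)
				 */
				if ((tsresol_opt & 0x7F) > 31) {
					snprintf(errbuf, PCAP_ERRBUF_SIZE,
					    "Interface Description Block if_tsresol option resolution 2^-%u is too high",
					    tsresol_opt & 0x7F);
					return (-1);
				}
				*tsresol = 1U << (tsresol_opt & 0x7F);
			} else {
				/*
				 * Resolution is negative power of 10.
				 *
				 * 10^9 is the largest power of 10 that
				 * fits in 32 bits; anything larger would
				 * wrap to a meaningless non-zero value.
				 */
				if (tsresol_opt > 9) {
					snprintf(errbuf, PCAP_ERRBUF_SIZE,
					    "Interface Description Block if_tsresol option resolution 10^-%u is too high",
					    tsresol_opt);
					return (-1);
				}
				*tsresol = 1;
				for (i = 0; i < tsresol_opt; i++)
					*tsresol *= 10;
			}
			break;

		case IF_TSOFFSET:
			if (opthdr->option_length != 8) {
				snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has if_tsoffset option with length %u != 8",
				    opthdr->option_length);
				return (-1);
			}
			if (saw_tsoffset) {
				snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "Interface Description Block has more than one if_tsoffset option");
				return (-1);
			}
			saw_tsoffset = 1;
			memcpy(tsoffset, optvalue, sizeof(*tsoffset));
			if (p->swapped)
				*tsoffset = SWAPLL(*tsoffset);
			break;

		default:
			break;
		}
	}

done:
	return (0);
}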
519
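/*
 * Record a new interface for the Interface Description Block whose
 * options the cursor is positioned on.
 *
 * The per-interface array is grown as needed, the IDB options are
 * parsed for the time stamp resolution and offset, and the scaling
 * mode for the user's requested precision is chosen.  ps->ifcount is
 * only incremented once the new entry is completely filled in, so a
 * failure never leaves a counted but uninitialized interface behind.
 *
 * Returns 1 on success and 0 on failure, with a message in errbuf.
 */
static int
add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
{
	struct pcap_ng_sf *ps;
	struct pcap_ng_if *new_ifaces;
	struct pcap_ng_if *iface;
	bpf_u_int32 new_size;
	u_int tsresol;
	u_int64_t tsoffset;

	ps = p->priv;

	/*
	 * Grow the array of per-interface information as necessary.
	 */
	if (ps->ifcount >= ps->ifaces_size) {
		/*
		 * We need to grow the array.
		 */
		if (ps->ifaces == NULL) {
			/*
			 * It's currently empty.
			 */
			new_size = 1;
		} else {
			/*
			 * It's not currently empty; double its size.
			 * (Perhaps overkill once we have a lot of interfaces.)
			 *
			 * The number of IDBs is controlled by the file,
			 * so make sure neither the doubled count nor the
			 * byte size passed to realloc() can wrap around.
			 */
			if (ps->ifaces_size > 0xFFFFFFFFU / 2 ||
			    ps->ifaces_size >
			    ((size_t)-1) / sizeof(*new_ifaces) / 2) {
				snprintf(errbuf, PCAP_ERRBUF_SIZE,
				    "out of memory for per-interface information (%u interfaces)",
				    ps->ifcount + 1);
				return (0);
			}
			new_size = ps->ifaces_size * 2;
		}

		/*
		 * realloc(NULL, ...) behaves like malloc().  Keep the
		 * old pointer until we know the call succeeded, so the
		 * existing array is neither leaked nor lost.
		 */
		new_ifaces = realloc(ps->ifaces,
		    new_size * sizeof(*new_ifaces));
		if (new_ifaces == NULL) {
			/*
			 * We ran out of memory.
			 * Give up.
			 */
			snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "out of memory for per-interface information (%u interfaces)",
			    ps->ifcount + 1);
			return (0);
		}
		ps->ifaces = new_ifaces;
		ps->ifaces_size = new_size;
	}

	/*
	 * Set the default time stamp resolution and offset.
	 */
	tsresol = 1000000;	/* microsecond resolution */
	tsoffset = 0;		/* absolute timestamps */

	/*
	 * Now look for various time stamp options, so we know
	 * how to interpret the time stamps for this interface.
	 */
	if (process_idb_options(p, cursor, &tsresol, &tsoffset, errbuf) == -1)
		return (0);

	iface = &ps->ifaces[ps->ifcount];
	iface->tsresol = tsresol;
	iface->tsoffset = tsoffset;

	/*
	 * Determine whether we're scaling up or down or not
	 * at all for this interface.
	 */
	switch (p->opt.tstamp_precision) {

	case PCAP_TSTAMP_PRECISION_MICRO:
		if (tsresol == 1000000) {
			/*
			 * The resolution is 1 microsecond,
			 * so we don't have to do scaling.
			 */
			iface->scale_type = PASS_THROUGH;
		} else if (tsresol > 1000000) {
			/*
			 * The resolution is greater than
			 * 1 microsecond, so we have to
			 * scale the timestamps down.
			 */
			iface->scale_type = SCALE_DOWN;
		} else {
			/*
			 * The resolution is less than 1
			 * microsecond, so we have to scale
			 * the timestamps up.
			 */
			iface->scale_type = SCALE_UP;
		}
		break;

	case PCAP_TSTAMP_PRECISION_NANO:
		if (tsresol == 1000000000) {
			/*
			 * The resolution is 1 nanosecond,
			 * so we don't have to do scaling.
			 */
			iface->scale_type = PASS_THROUGH;
		} else if (tsresol > 1000000000) {
			/*
			 * The resolution is greater than
			 * 1 nanosecond, so we have to
			 * scale the timestamps down.
			 */
			iface->scale_type = SCALE_DOWN;
		} else {
			/*
			 * The resolution is less than 1
			 * nanosecond, so we have to scale
			 * the timestamps up.
			 */
			iface->scale_type = SCALE_UP;
		}
		break;

	default:
		/*
		 * pcap_ng_check_header() rejects any other precision,
		 * so this should not happen; still, don't leave the
		 * field indeterminate.
		 */
		iface->scale_type = PASS_THROUGH;
		break;
	}

	/*
	 * The entry is complete; count this interface.
	 */
	ps->ifcount++;
	return (1);
}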
639
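/*
 * Check whether this is a pcap-ng savefile and, if it is, extract the
 * relevant information from the header.
 *
 * magic is the first 4 bytes of the file, which the caller has already
 * read; fp is positioned just after them.  precision is the time stamp
 * precision the user asked for.
 *
 * Returns a pcap_t set up for reading the file on success.  Returns
 * NULL with *err set to 0 if the file does not look like pcap-ng, and
 * NULL with *err set to 1 if it does but cannot be read (errbuf then
 * holds the reason).
 *
 * Everything read here is untrusted.  In particular the Section Header
 * Block length is bounded on both sides before it is used to size the
 * read buffer, with the same 16MB ceiling read_block() applies to
 * every later block.
 */
pcap_t *
pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
    int *err)
{
	const bpf_u_int32 max_block_size = 16*1024*1024;
	size_t amt_read;
	bpf_u_int32 total_length;
	bpf_u_int32 byte_order_magic;
	struct block_header *bhdrp;
	struct section_header_block *shbp;
	pcap_t *p;
	int swapped = 0;
	struct pcap_ng_sf *ps;
	int status;
	struct block_cursor cursor;
	struct interface_description_block *idbp;

	/*
	 * Assume no read errors.
	 */
	*err = 0;

	/*
	 * Check whether the first 4 bytes of the file are the block
	 * type for a pcap-ng savefile.
	 */
	if (magic != BT_SHB) {
		/*
		 * XXX - check whether this looks like what the block
		 * type would be after being munged by mapping between
		 * UN*X and DOS/Windows text file format and, if it
		 * does, look for the byte-order magic number in
		 * the appropriate place and, if we find it, report
		 * this as possibly being a pcap-ng file transferred
		 * between UN*X and Windows in text file format?
		 */
		return (NULL);	/* nope */
	}

	/*
	 * OK, they are.  However, that's just \n\r\r\n, so it could,
	 * conceivably, be an ordinary text file.
	 *
	 * It could not, however, conceivably be any other type of
	 * capture file, so we can read the rest of the putative
	 * Section Header Block; put the block type in the common
	 * header, read the rest of the common header and the
	 * fixed-length portion of the SHB, and look for the byte-order
	 * magic value.
	 */
	amt_read = fread(&total_length, 1, sizeof(total_length), fp);
	if (amt_read < sizeof(total_length)) {
		if (ferror(fp)) {
			snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "error reading dump file: %s",
			    pcap_strerror(errno));
			*err = 1;
			return (NULL);	/* fail */
		}

		/*
		 * Possibly a weird short text file, so just say
		 * "not pcap-ng".
		 */
		return (NULL);
	}
	amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
	if (amt_read < sizeof(byte_order_magic)) {
		if (ferror(fp)) {
			snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "error reading dump file: %s",
			    pcap_strerror(errno));
			*err = 1;
			return (NULL);	/* fail */
		}

		/*
		 * Possibly a weird short text file, so just say
		 * "not pcap-ng".
		 */
		return (NULL);
	}
	if (byte_order_magic != BYTE_ORDER_MAGIC) {
		byte_order_magic = SWAPLONG(byte_order_magic);
		if (byte_order_magic != BYTE_ORDER_MAGIC) {
			/*
			 * Not a pcap-ng file.
			 */
			return (NULL);
		}
		swapped = 1;
		total_length = SWAPLONG(total_length);
	}

	/*
	 * Check the sanity of the total length.  It must be big enough
	 * to hold the fixed part of an SHB...
	 */
	if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "Section Header Block in pcap-ng dump file has a length of %u < %lu",
		    total_length,
		    (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
		*err = 1;
		return (NULL);
	}

	/*
	 * ...and not so big that a malformed or hostile file makes us
	 * allocate up to 4GB for the buffer below.
	 */
	if (total_length > max_block_size) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "pcap-ng block size %u > maximum %u",
		    total_length, max_block_size);
		*err = 1;
		return (NULL);
	}

	/*
	 * OK, this is a good pcap-ng file.
	 * Allocate a pcap_t for it.
	 */
	p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
	if (p == NULL) {
		/* Allocation failed. */
		*err = 1;
		return (NULL);
	}
	p->swapped = swapped;
	ps = p->priv;

	/*
	 * What precision does the user want?
	 */
	switch (precision) {

	case PCAP_TSTAMP_PRECISION_MICRO:
		ps->user_tsresol = 1000000;
		break;

	case PCAP_TSTAMP_PRECISION_NANO:
		ps->user_tsresol = 1000000000;
		break;

	default:
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "unknown time stamp resolution %u", precision);
		free(p);
		*err = 1;
		return (NULL);
	}

	/*
	 * Save the time stamp resolution the user requested.
	 */
	p->opt.tstamp_precision = precision;

	/*
	 * Allocate a buffer into which to read blocks.  We default to
	 * the maximum of:
	 *
	 *	the total length of the SHB for which we read the header;
	 *
	 *	2K, which should be more than large enough for an Enhanced
	 *	Packet Block containing a full-size Ethernet frame, and
	 *	leaving room for some options.
	 *
	 * If we find a bigger block, we reallocate the buffer.
	 */
	p->bufsize = 2048;
	if (p->bufsize < total_length)
		p->bufsize = total_length;
	p->buffer = malloc(p->bufsize);
	if (p->buffer == NULL) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
		free(p);
		*err = 1;
		return (NULL);
	}

	/*
	 * Copy the stuff we've read to the buffer, and read the rest
	 * of the SHB.
	 */
	bhdrp = (struct block_header *)p->buffer;
	shbp = (struct section_header_block *)(p->buffer + sizeof(struct block_header));
	bhdrp->block_type = magic;
	bhdrp->total_length = total_length;
	shbp->byte_order_magic = byte_order_magic;
	if (read_bytes(fp,
	    p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
	    total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
	    1, errbuf) == -1)
		goto fail;

	if (p->swapped) {
		/*
		 * Byte-swap the fields we've read.
		 */
		shbp->major_version = SWAPSHORT(shbp->major_version);
		shbp->minor_version = SWAPSHORT(shbp->minor_version);

		/*
		 * XXX - we don't care about the section length.
		 */
	}
	if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
		snprintf(errbuf, PCAP_ERRBUF_SIZE,
		    "unknown pcap-ng savefile major version number %u",
		    shbp->major_version);
		goto fail;
	}
	p->version_major = shbp->major_version;
	p->version_minor = shbp->minor_version;

	/*
	 * Now start looking for an Interface Description Block.
	 */
	for (;;) {
		/*
		 * Read the next block.
		 */
		status = read_block(fp, p, &cursor, errbuf);
		if (status == 0) {
			/* EOF - no IDB in this file */
			snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "the capture file has no Interface Description Blocks");
			goto fail;
		}
		if (status == -1)
			goto fail;	/* error */
		switch (cursor.block_type) {

		case BT_IDB:
			/*
			 * Get a pointer to the fixed-length portion of the
			 * IDB.
			 */
			idbp = get_from_block_data(&cursor, sizeof(*idbp),
			    errbuf);
			if (idbp == NULL)
				goto fail;	/* error */

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				idbp->linktype = SWAPSHORT(idbp->linktype);
				idbp->snaplen = SWAPLONG(idbp->snaplen);
			}

			/*
			 * Try to add this interface.
			 */
			if (!add_interface(p, &cursor, errbuf))
				goto fail;
			goto done;

		case BT_EPB:
		case BT_SPB:
		case BT_PB:
			/*
			 * Saw a packet before we saw any IDBs.  That's
			 * not valid, as we don't know what link-layer
			 * encapsulation the packet has.
			 */
			snprintf(errbuf, PCAP_ERRBUF_SIZE,
			    "the capture file has a packet block before any Interface Description Blocks");
			goto fail;

		default:
			/*
			 * Just ignore it.
			 */
			break;
		}
	}

done:
	/*
	 * idbp still points into p->buffer here; nothing between the
	 * BT_IDB case and this point reads another block.
	 */
	p->tzoff = 0;	/* XXX - not used in pcap */
	p->snapshot = idbp->snaplen;
	p->linktype = linktype_to_dlt(idbp->linktype);
	p->linktype_ext = 0;

	p->next_packet_op = pcap_ng_next_packet;
	p->cleanup_op = pcap_ng_cleanup;

	return (p);

fail:
	free(ps->ifaces);
	free(p->buffer);
	free(p);
	*err = 1;
	return (NULL);
}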
929
/*
 * Cleanup hook for a pcap-ng savefile: release the per-interface array
 * kept in the private state, then run the common savefile cleanup.
 */
static void
pcap_ng_cleanup(pcap_t *p)
{
	struct pcap_ng_sf *state;

	state = p->priv;
	free(state->ifaces);

	sf_cleanup(p);
}
938
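/*
 * Read and return the next packet from the savefile.  Return the header
 * in hdr and a pointer to the contents in data.  Return 0 on success, 1
 * if there were no more packets, and -1 on an error (with a message in
 * p->errbuf).
 *
 * Blocks that are not packet blocks are handled on the way: an IDB adds
 * an interface, an SHB starts a new section, anything else is skipped.
 *
 * All lengths and indices in the blocks are untrusted.  The interface
 * ID is checked against the number of IDBs seen before it indexes
 * ps->ifaces, and the captured length is checked against the bytes
 * left in the block by get_from_block_data() before *data is returned.
 * *data points into p->buffer and is only valid until the next read.
 */
static int
pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
{
	struct pcap_ng_sf *ps = p->priv;
	struct block_cursor cursor;
	int status;
	struct enhanced_packet_block *epbp;
	struct simple_packet_block *spbp;
	struct packet_block *pbp;
	bpf_u_int32 interface_id = 0xFFFFFFFF;
	struct interface_description_block *idbp;
	struct section_header_block *shbp;
	FILE *fp = p->rfile;
	u_int64_t t, sec, frac;

	/*
	 * Look for an Enhanced Packet Block, a Simple Packet Block,
	 * or a Packet Block.
	 */
	for (;;) {
		/*
		 * Read the block type and length; those are common
		 * to all blocks.
		 */
		status = read_block(fp, p, &cursor, p->errbuf);
		if (status == 0)
			return (1);	/* EOF */
		if (status == -1)
			return (-1);	/* error */
		switch (cursor.block_type) {

		case BT_EPB:
			/*
			 * Get a pointer to the fixed-length portion of the
			 * EPB.
			 */
			epbp = get_from_block_data(&cursor, sizeof(*epbp),
			    p->errbuf);
			if (epbp == NULL)
				return (-1);	/* error */

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				/* these were written in opposite byte order */
				interface_id = SWAPLONG(epbp->interface_id);
				hdr->caplen = SWAPLONG(epbp->caplen);
				hdr->len = SWAPLONG(epbp->len);
				t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
				    SWAPLONG(epbp->timestamp_low);
			} else {
				interface_id = epbp->interface_id;
				hdr->caplen = epbp->caplen;
				hdr->len = epbp->len;
				t = ((u_int64_t)epbp->timestamp_high) << 32 |
				    epbp->timestamp_low;
			}
			goto found;

		case BT_SPB:
			/*
			 * Get a pointer to the fixed-length portion of the
			 * SPB.
			 */
			spbp = get_from_block_data(&cursor, sizeof(*spbp),
			    p->errbuf);
			if (spbp == NULL)
				return (-1);	/* error */

			/*
			 * SPB packets are assumed to have arrived on
			 * the first interface.
			 */
			interface_id = 0;

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				/* these were written in opposite byte order */
				hdr->len = SWAPLONG(spbp->len);
			} else
				hdr->len = spbp->len;

			/*
			 * The SPB doesn't give the captured length;
			 * it's the minimum of the snapshot length
			 * and the packet length.
			 */
			hdr->caplen = hdr->len;
			if (hdr->caplen > p->snapshot)
				hdr->caplen = p->snapshot;
			t = 0;	/* no time stamps */
			goto found;

		case BT_PB:
			/*
			 * Get a pointer to the fixed-length portion of the
			 * PB.
			 */
			pbp = get_from_block_data(&cursor, sizeof(*pbp),
			    p->errbuf);
			if (pbp == NULL)
				return (-1);	/* error */

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				/* these were written in opposite byte order */
				interface_id = SWAPSHORT(pbp->interface_id);
				hdr->caplen = SWAPLONG(pbp->caplen);
				hdr->len = SWAPLONG(pbp->len);
				t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
				    SWAPLONG(pbp->timestamp_low);
			} else {
				interface_id = pbp->interface_id;
				hdr->caplen = pbp->caplen;
				hdr->len = pbp->len;
				t = ((u_int64_t)pbp->timestamp_high) << 32 |
				    pbp->timestamp_low;
			}
			goto found;

		case BT_IDB:
			/*
			 * Interface Description Block.  Get a pointer
			 * to its fixed-length portion.
			 */
			idbp = get_from_block_data(&cursor, sizeof(*idbp),
			    p->errbuf);
			if (idbp == NULL)
				return (-1);	/* error */

			/*
			 * Byte-swap it if necessary.
			 */
			if (p->swapped) {
				idbp->linktype = SWAPSHORT(idbp->linktype);
				idbp->snaplen = SWAPLONG(idbp->snaplen);
			}

			/*
			 * If the link-layer type or snapshot length
			 * differ from the ones for the first IDB we
			 * saw, quit.
			 *
			 * XXX - just discard packets from those
			 * interfaces?
			 *
			 * NOTE(review): p->linktype was stored through
			 * linktype_to_dlt() but is compared here with
			 * the raw file value - confirm that is intended.
			 */
			if (p->linktype != idbp->linktype) {
				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
				    "an interface has a type %u different from the type of the first interface",
				    idbp->linktype);
				return (-1);
			}
			if (p->snapshot != idbp->snaplen) {
				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
				    "an interface has a snapshot length %u different from the snapshot length of the first interface",
				    idbp->snaplen);
				return (-1);
			}

			/*
			 * Try to add this interface.
			 */
			if (!add_interface(p, &cursor, p->errbuf))
				return (-1);
			break;

		case BT_SHB:
			/*
			 * Section Header Block.  Get a pointer
			 * to its fixed-length portion.
			 */
			shbp = get_from_block_data(&cursor, sizeof(*shbp),
			    p->errbuf);
			if (shbp == NULL)
				return (-1);	/* error */

			/*
			 * Assume the byte order of this section is
			 * the same as that of the previous section.
			 * We'll check for that later.
			 */
			if (p->swapped) {
				shbp->byte_order_magic =
				    SWAPLONG(shbp->byte_order_magic);
				shbp->major_version =
				    SWAPSHORT(shbp->major_version);
			}

			/*
			 * Make sure the byte order doesn't change;
			 * pcap_is_swapped() shouldn't change its
			 * return value in the middle of reading a capture.
			 */
			switch (shbp->byte_order_magic) {

			case BYTE_ORDER_MAGIC:
				/*
				 * OK.
				 */
				break;

			case SWAPLONG(BYTE_ORDER_MAGIC):
				/*
				 * Byte order changes.
				 */
				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
				    "the file has sections with different byte orders");
				return (-1);

			default:
				/*
				 * Not a valid SHB.
				 */
				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
				    "the file has a section with a bad byte order magic field");
				return (-1);
			}

			/*
			 * Make sure the major version is the version
			 * we handle.
			 */
			if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
				snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
				    "unknown pcap-ng savefile major version number %u",
				    shbp->major_version);
				return (-1);
			}

			/*
			 * Reset the interface count; this section should
			 * have its own set of IDBs.  If any of them
			 * don't have the same interface type, snapshot
			 * length, or resolution as the first interface
			 * we saw, we'll fail.  (And if we don't see
			 * any IDBs, we'll fail when we see a packet
			 * block.)
			 */
			ps->ifcount = 0;
			break;

		default:
			/*
			 * Not a packet block, IDB, or SHB; ignore it.
			 */
			break;
		}
	}

found:
	/*
	 * Is the interface ID an interface we know?
	 */
	if (interface_id >= ps->ifcount) {
		/*
		 * No.  Fail, rather than index past the interfaces
		 * that have been described so far.
		 */
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
		    "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
		    interface_id);
		return (-1);
	}

	/*
	 * Convert the time stamp to a struct timeval.
	 *
	 * t counts ticks of 1/tsresol seconds, so frac below is a
	 * number of such ticks and is always less than tsresol.
	 */
	sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
	frac = t % ps->ifaces[interface_id].tsresol;
	switch (ps->ifaces[interface_id].scale_type) {

	case PASS_THROUGH:
		/*
		 * The interface resolution is what the user wants,
		 * so we're done.
		 */
		break;

	case SCALE_UP:
		/*
		 * The interface resolution is less than what the user
		 * wants; scale up to that resolution.
		 *
		 * Converting ticks of 1/tsresol to ticks of
		 * 1/user_tsresol means multiplying by user_tsresol and
		 * dividing by tsresol; doing it the other way round
		 * yields 0 for any coarser-than-requested interface.
		 * frac < tsresol fits in 32 bits and user_tsresol is
		 * at most 10^9, so the product fits in 64 bits.
		 *
		 * XXX - if ps->ifaces[interface_id].tsresol is a power
		 * of 10, we could just multiply by the quotient of
		 * ps->user_tsresol and ps->ifaces[interface_id].tsresol,
		 * as we know that's an integer.  That runs less risk of
		 * overflow.
		 *
		 * Is there something clever we could do if
		 * ps->ifaces[interface_id].tsresol is a power of 2?
		 */
		frac *= ps->user_tsresol;
		frac /= ps->ifaces[interface_id].tsresol;
		break;

	case SCALE_DOWN:
		/*
		 * The interface resolution is greater than what the user
		 * wants; scale down to that resolution.
		 *
		 * XXX - if ps->ifaces[interface_id].tsresol is a power
		 * of 10, we could just divide by the quotient of
		 * ps->ifaces[interface_id].tsresol and ps->user_tsresol,
		 * as we know that's an integer.  That runs less risk of
		 * overflow.
		 *
		 * Is there something clever we could do if
		 * ps->ifaces[interface_id].tsresol is a power of 2?
		 */
		frac *= ps->user_tsresol;
		frac /= ps->ifaces[interface_id].tsresol;
		break;
	}
	hdr->ts.tv_sec = sec;
	hdr->ts.tv_usec = frac;

	/*
	 * Get a pointer to the packet data.  hdr->caplen came from the
	 * file; this call fails if it is larger than what is left in
	 * the block, so *data never extends past the block body.
	 */
	*data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
	if (*data == NULL)
		return (-1);

	if (p->swapped)
		swap_pseudo_headers(p->linktype, hdr, *data);

	return (0);
}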
1277