• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
22  */
23 
24 #ifndef lint
25 static const char rcsid[] _U_ =
26     "@(#) $Header$ (LBL)";
27 #endif
28 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #ifdef _WIN32
34 #include <pcap-stdinc.h>
35 #else /* _WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #endif /* _WIN32 */
46 
47 #include <errno.h>
48 #include <memory.h>
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52 
53 #include "pcap-int.h"
54 
55 #include "pcap-common.h"
56 
57 #ifdef HAVE_OS_PROTO_H
58 #include "os-proto.h"
59 #endif
60 
61 #include "sf-pcap-ng.h"
62 
63 /*
64  * Block types.
65  */
66 
67 /*
68  * Common part at the beginning of all blocks.
69  */
70 struct block_header {
71 	bpf_u_int32	block_type;
72 	bpf_u_int32	total_length;
73 };
74 
75 /*
76  * Common trailer at the end of all blocks.
77  */
78 struct block_trailer {
79 	bpf_u_int32	total_length;
80 };
81 
82 /*
83  * Common options.
84  */
85 #define OPT_ENDOFOPT	0	/* end of options */
86 #define OPT_COMMENT	1	/* comment string */
87 
88 /*
89  * Option header.
90  */
91 struct option_header {
92 	u_short		option_code;
93 	u_short		option_length;
94 };
95 
96 /*
97  * Structures for the part of each block type following the common
98  * part.
99  */
100 
101 /*
102  * Section Header Block.
103  */
104 #define BT_SHB			0x0A0D0D0A
105 
106 struct section_header_block {
107 	bpf_u_int32	byte_order_magic;
108 	u_short		major_version;
109 	u_short		minor_version;
110 	u_int64_t	section_length;
111 	/* followed by options and trailer */
112 };
113 
114 /*
115  * Byte-order magic value.
116  */
117 #define BYTE_ORDER_MAGIC	0x1A2B3C4D
118 
119 /*
120  * Current version number.  If major_version isn't PCAP_NG_VERSION_MAJOR,
121  * that means that this code can't read the file.
122  */
123 #define PCAP_NG_VERSION_MAJOR	1
124 #define PCAP_NG_VERSION_MINOR	0
125 
126 /*
127  * Interface Description Block.
128  */
129 #define BT_IDB			0x00000001
130 
131 struct interface_description_block {
132 	u_short		linktype;
133 	u_short		reserved;
134 	bpf_u_int32	snaplen;
135 	/* followed by options and trailer */
136 };
137 
138 /*
139  * Options in the IDB.
140  */
141 #define IF_NAME		2	/* interface name string */
142 #define IF_DESCRIPTION	3	/* interface description string */
143 #define IF_IPV4ADDR	4	/* interface's IPv4 address and netmask */
144 #define IF_IPV6ADDR	5	/* interface's IPv6 address and prefix length */
145 #define IF_MACADDR	6	/* interface's MAC address */
146 #define IF_EUIADDR	7	/* interface's EUI address */
147 #define IF_SPEED	8	/* interface's speed, in bits/s */
148 #define IF_TSRESOL	9	/* interface's time stamp resolution */
149 #define IF_TZONE	10	/* interface's time zone */
150 #define IF_FILTER	11	/* filter used when capturing on interface */
151 #define IF_OS		12	/* string OS on which capture on this interface was done */
152 #define IF_FCSLEN	13	/* FCS length for this interface */
153 #define IF_TSOFFSET	14	/* time stamp offset for this interface */
154 
155 /*
156  * Enhanced Packet Block.
157  */
158 #define BT_EPB			0x00000006
159 
160 struct enhanced_packet_block {
161 	bpf_u_int32	interface_id;
162 	bpf_u_int32	timestamp_high;
163 	bpf_u_int32	timestamp_low;
164 	bpf_u_int32	caplen;
165 	bpf_u_int32	len;
166 	/* followed by packet data, options, and trailer */
167 };
168 
169 /*
170  * Simple Packet Block.
171  */
172 #define BT_SPB			0x00000003
173 
174 struct simple_packet_block {
175 	bpf_u_int32	len;
176 	/* followed by packet data and trailer */
177 };
178 
179 /*
180  * Packet Block.
181  */
182 #define BT_PB			0x00000002
183 
184 struct packet_block {
185 	u_short		interface_id;
186 	u_short		drops_count;
187 	bpf_u_int32	timestamp_high;
188 	bpf_u_int32	timestamp_low;
189 	bpf_u_int32	caplen;
190 	bpf_u_int32	len;
191 	/* followed by packet data, options, and trailer */
192 };
193 
194 /*
195  * Block cursor - used when processing the contents of a block.
196  * Contains a pointer into the data being processed and a count
197  * of bytes remaining in the block.
198  */
199 struct block_cursor {
200 	u_char		*data;
201 	size_t		data_remaining;
202 	bpf_u_int32	block_type;
203 };
204 
205 typedef enum {
206 	PASS_THROUGH,
207 	SCALE_UP_DEC,
208 	SCALE_DOWN_DEC,
209 	SCALE_UP_BIN,
210 	SCALE_DOWN_BIN
211 } tstamp_scale_type_t;
212 
213 /*
214  * Per-interface information.
215  */
216 struct pcap_ng_if {
217 	u_int tsresol;			/* time stamp resolution */
218 	tstamp_scale_type_t scale_type;	/* how to scale */
219 	u_int scale_factor;		/* time stamp scale factor for power-of-10 tsresol */
220 	u_int64_t tsoffset;		/* time stamp offset */
221 };
222 
223 struct pcap_ng_sf {
224 	u_int user_tsresol;		/* time stamp resolution requested by the user */
225 	bpf_u_int32 ifcount;		/* number of interfaces seen in this capture */
226 	bpf_u_int32 ifaces_size;	/* size of array below */
227 	struct pcap_ng_if *ifaces;	/* array of interface information */
228 };
229 
230 static void pcap_ng_cleanup(pcap_t *p);
231 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
232     u_char **data);
233 
234 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)235 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
236     char *errbuf)
237 {
238 	size_t amt_read;
239 
240 	amt_read = fread(buf, 1, bytes_to_read, fp);
241 	if (amt_read != bytes_to_read) {
242 		if (ferror(fp)) {
243 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
244 			    "error reading dump file: %s",
245 			    pcap_strerror(errno));
246 		} else {
247 			if (amt_read == 0 && !fail_on_eof)
248 				return (0);	/* EOF */
249 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
250 			    "truncated dump file; tried to read %lu bytes, only got %lu",
251 			    (unsigned long)bytes_to_read,
252 			    (unsigned long)amt_read);
253 		}
254 		return (-1);
255 	}
256 	return (1);
257 }
258 
259 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)260 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
261 {
262 	int status;
263 	struct block_header bhdr;
264 	u_char *bdata;
265 	size_t data_remaining;
266 
267 	status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
268 	if (status <= 0)
269 		return (status);	/* error or EOF */
270 
271 	if (p->swapped) {
272 		bhdr.block_type = SWAPLONG(bhdr.block_type);
273 		bhdr.total_length = SWAPLONG(bhdr.total_length);
274 	}
275 
276 	/*
277 	 * Is this block "too big"?
278 	 *
279 	 * We choose 16MB as "too big", for now, so that we handle
280 	 * "reasonably" large buffers but don't chew up all the
281 	 * memory if we read a malformed file.
282 	 */
283 	if (bhdr.total_length > 16*1024*1024) {
284 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
285 		    "pcap-ng block size %u > maximum %u",
286 		    bhdr.total_length, 16*1024*1024);
287 		    return (-1);
288 	}
289 
290 	/*
291 	 * Is this block "too small" - i.e., is it shorter than a block
292 	 * header plus a block trailer?
293 	 */
294 	if (bhdr.total_length < sizeof(struct block_header) +
295 	    sizeof(struct block_trailer)) {
296 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
297 		    "block in pcap-ng dump file has a length of %u < %lu",
298 		    bhdr.total_length,
299 		    (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
300 		return (-1);
301 	}
302 
303 	/*
304 	 * Is the buffer big enough?
305 	 */
306 	if (p->bufsize < bhdr.total_length) {
307 		/*
308 		 * No - make it big enough.
309 		 */
310 		void *bigger_buffer;
311 
312 		bigger_buffer = realloc(p->buffer, bhdr.total_length);
313 		if (bigger_buffer == NULL) {
314 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
315 			return (-1);
316 		}
317 		p->buffer = bigger_buffer;
318 	}
319 
320 	/*
321 	 * Copy the stuff we've read to the buffer, and read the rest
322 	 * of the block.
323 	 */
324 	memcpy(p->buffer, &bhdr, sizeof(bhdr));
325 	bdata = (u_char *)p->buffer + sizeof(bhdr);
326 	data_remaining = bhdr.total_length - sizeof(bhdr);
327 	if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
328 		return (-1);
329 
330 	/*
331 	 * Initialize the cursor.
332 	 */
333 	cursor->data = bdata;
334 	cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
335 	cursor->block_type = bhdr.block_type;
336 	return (1);
337 }
338 
339 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)340 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
341     char *errbuf)
342 {
343 	void *data;
344 
345 	/*
346 	 * Make sure we have the specified amount of data remaining in
347 	 * the block data.
348 	 */
349 	if (cursor->data_remaining < chunk_size) {
350 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
351 		    "block of type %u in pcap-ng dump file is too short",
352 		    cursor->block_type);
353 		return (NULL);
354 	}
355 
356 	/*
357 	 * Return the current pointer, and skip past the chunk.
358 	 */
359 	data = cursor->data;
360 	cursor->data += chunk_size;
361 	cursor->data_remaining -= chunk_size;
362 	return (data);
363 }
364 
365 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)366 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
367 {
368 	struct option_header *opthdr;
369 
370 	opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
371 	if (opthdr == NULL) {
372 		/*
373 		 * Option header is cut short.
374 		 */
375 		return (NULL);
376 	}
377 
378 	/*
379 	 * Byte-swap it if necessary.
380 	 */
381 	if (p->swapped) {
382 		opthdr->option_code = SWAPSHORT(opthdr->option_code);
383 		opthdr->option_length = SWAPSHORT(opthdr->option_length);
384 	}
385 
386 	return (opthdr);
387 }
388 
389 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)390 get_optvalue_from_block_data(struct block_cursor *cursor,
391     struct option_header *opthdr, char *errbuf)
392 {
393 	size_t padded_option_len;
394 	void *optvalue;
395 
396 	/* Pad option length to 4-byte boundary */
397 	padded_option_len = opthdr->option_length;
398 	padded_option_len = ((padded_option_len + 3)/4)*4;
399 
400 	optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
401 	if (optvalue == NULL) {
402 		/*
403 		 * Option value is cut short.
404 		 */
405 		return (NULL);
406 	}
407 
408 	return (optvalue);
409 }
410 
411 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,u_int * tsresol,u_int64_t * tsoffset,int * is_binary,char * errbuf)412 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
413     u_int64_t *tsoffset, int *is_binary, char *errbuf)
414 {
415 	struct option_header *opthdr;
416 	void *optvalue;
417 	int saw_tsresol, saw_tsoffset;
418 	u_char tsresol_opt;
419 	u_int i;
420 
421 	saw_tsresol = 0;
422 	saw_tsoffset = 0;
423 	while (cursor->data_remaining != 0) {
424 		/*
425 		 * Get the option header.
426 		 */
427 		opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
428 		if (opthdr == NULL) {
429 			/*
430 			 * Option header is cut short.
431 			 */
432 			return (-1);
433 		}
434 
435 		/*
436 		 * Get option value.
437 		 */
438 		optvalue = get_optvalue_from_block_data(cursor, opthdr,
439 		    errbuf);
440 		if (optvalue == NULL) {
441 			/*
442 			 * Option value is cut short.
443 			 */
444 			return (-1);
445 		}
446 
447 		switch (opthdr->option_code) {
448 
449 		case OPT_ENDOFOPT:
450 			if (opthdr->option_length != 0) {
451 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
452 				    "Interface Description Block has opt_endofopt option with length %u != 0",
453 				    opthdr->option_length);
454 				return (-1);
455 			}
456 			goto done;
457 
458 		case IF_TSRESOL:
459 			if (opthdr->option_length != 1) {
460 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
461 				    "Interface Description Block has if_tsresol option with length %u != 1",
462 				    opthdr->option_length);
463 				return (-1);
464 			}
465 			if (saw_tsresol) {
466 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
467 				    "Interface Description Block has more than one if_tsresol option");
468 				return (-1);
469 			}
470 			saw_tsresol = 1;
471 			memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
472 			if (tsresol_opt & 0x80) {
473 				/*
474 				 * Resolution is negative power of 2.
475 				 */
476 				*is_binary = 1;
477 				*tsresol = 1 << (tsresol_opt & 0x7F);
478 			} else {
479 				/*
480 				 * Resolution is negative power of 10.
481 				 */
482 				*is_binary = 0;
483 				*tsresol = 1;
484 				for (i = 0; i < tsresol_opt; i++)
485 					*tsresol *= 10;
486 			}
487 			if (*tsresol == 0) {
488 				/*
489 				 * Resolution is too high.
490 				 */
491 				if (tsresol_opt & 0x80) {
492 					pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
493 					    "Interface Description Block if_tsresol option resolution 2^-%u is too high",
494 					    tsresol_opt & 0x7F);
495 				} else {
496 					pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
497 					    "Interface Description Block if_tsresol option resolution 10^-%u is too high",
498 					    tsresol_opt);
499 				}
500 				return (-1);
501 			}
502 			break;
503 
504 		case IF_TSOFFSET:
505 			if (opthdr->option_length != 8) {
506 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
507 				    "Interface Description Block has if_tsoffset option with length %u != 8",
508 				    opthdr->option_length);
509 				return (-1);
510 			}
511 			if (saw_tsoffset) {
512 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
513 				    "Interface Description Block has more than one if_tsoffset option");
514 				return (-1);
515 			}
516 			saw_tsoffset = 1;
517 			memcpy(tsoffset, optvalue, sizeof(*tsoffset));
518 			if (p->swapped)
519 				*tsoffset = SWAPLL(*tsoffset);
520 			break;
521 
522 		default:
523 			break;
524 		}
525 	}
526 
527 done:
528 	return (0);
529 }
530 
531 static int
add_interface(pcap_t * p,struct block_cursor * cursor,char * errbuf)532 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
533 {
534 	struct pcap_ng_sf *ps;
535 	u_int tsresol;
536 	u_int64_t tsoffset;
537 	int is_binary;
538 
539 	ps = p->priv;
540 
541 	/*
542 	 * Count this interface.
543 	 */
544 	ps->ifcount++;
545 
546 	/*
547 	 * Grow the array of per-interface information as necessary.
548 	 */
549 	if (ps->ifcount > ps->ifaces_size) {
550 		/*
551 		 * We need to grow the array.
552 		 */
553 		bpf_u_int32 new_ifaces_size;
554 		struct pcap_ng_if *new_ifaces;
555 
556 		if (ps->ifaces_size == 0) {
557 			/*
558 			 * It's currently empty.
559 			 *
560 			 * (The Clang static analyzer doesn't do enough,
561 			 * err, umm, dataflow *analysis* to realize that
562 			 * ps->ifaces_size == 0 if ps->ifaces == NULL,
563 			 * and so complains about a possible zero argument
564 			 * to realloc(), so we check for the former
565 			 * condition to shut it up.
566 			 *
567 			 * However, it doesn't complain that one of the
568 			 * multiplications below could overflow, which is
569 			 * a real, albeit extremely unlikely, problem (you'd
570 			 * need a pcap-ng file with tens of millions of
571 			 * interfaces).)
572 			 */
573 			new_ifaces_size = 1;
574 			new_ifaces = malloc(sizeof (struct pcap_ng_if));
575 		} else {
576 			/*
577 			 * It's not currently empty; double its size.
578 			 * (Perhaps overkill once we have a lot of interfaces.)
579 			 *
580 			 * Check for overflow if we double it.
581 			 */
582 			if (ps->ifaces_size * 2 < ps->ifaces_size) {
583 				/*
584 				 * The maximum number of interfaces before
585 				 * ps->ifaces_size overflows is the largest
586 				 * possible 32-bit power of 2, as we do
587 				 * size doubling.
588 				 */
589 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
590 				    "more than %u interfaces in the file",
591 				    0x80000000U);
592 				return (0);
593 			}
594 
595 			/*
596 			 * ps->ifaces_size * 2 doesn't overflow, so it's
597 			 * safe to multiply.
598 			 */
599 			new_ifaces_size = ps->ifaces_size * 2;
600 
601 			/*
602 			 * Now make sure that's not so big that it overflows
603 			 * if we multiply by sizeof (struct pcap_ng_if).
604 			 *
605 			 * That can happen on 32-bit platforms, with a 32-bit
606 			 * size_t; it shouldn't happen on 64-bit platforms,
607 			 * with a 64-bit size_t, as new_ifaces_size is
608 			 * 32 bits.
609 			 */
610 			if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
611 				/*
612 				 * As this fails only with 32-bit size_t,
613 				 * the multiplication was 32x32->32, and
614 				 * the largest 32-bit value that can safely
615 				 * be multiplied by sizeof (struct pcap_ng_if)
616 				 * without overflow is the largest 32-bit
617 				 * (unsigned) value divided by
618 				 * sizeof (struct pcap_ng_if).
619 				 */
620 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
621 				    "more than %u interfaces in the file",
622 				    0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
623 				return (0);
624 			}
625 			new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
626 		}
627 		if (new_ifaces == NULL) {
628 			/*
629 			 * We ran out of memory.
630 			 * Give up.
631 			 */
632 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
633 			    "out of memory for per-interface information (%u interfaces)",
634 			    ps->ifcount);
635 			return (0);
636 		}
637 		ps->ifaces_size = new_ifaces_size;
638 		ps->ifaces = new_ifaces;
639 	}
640 
641 	/*
642 	 * Set the default time stamp resolution and offset.
643 	 */
644 	tsresol = 1000000;	/* microsecond resolution */
645 	is_binary = 0;		/* which is a power of 10 */
646 	tsoffset = 0;		/* absolute timestamps */
647 
648 	/*
649 	 * Now look for various time stamp options, so we know
650 	 * how to interpret the time stamps for this interface.
651 	 */
652 	if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
653 	    errbuf) == -1)
654 		return (0);
655 
656 	ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
657 	ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
658 
659 	/*
660 	 * Determine whether we're scaling up or down or not
661 	 * at all for this interface.
662 	 */
663 	if (tsresol == ps->user_tsresol) {
664 		/*
665 		 * The resolution is the resolution the user wants,
666 		 * so we don't have to do scaling.
667 		 */
668 		ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
669 	} else if (tsresol > ps->user_tsresol) {
670 		/*
671 		 * The resolution is greater than what the user wants,
672 		 * so we have to scale the timestamps down.
673 		 */
674 		if (is_binary)
675 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
676 		else {
677 			/*
678 			 * Calculate the scale factor.
679 			 */
680 			ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
681 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
682 		}
683 	} else {
684 		/*
685 		 * The resolution is less than what the user wants,
686 		 * so we have to scale the timestamps up.
687 		 */
688 		if (is_binary)
689 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
690 		else {
691 			/*
692 			 * Calculate the scale factor.
693 			 */
694 			ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
695 			ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
696 		}
697 	}
698 	return (1);
699 }
700 
701 /*
702  * Check whether this is a pcap-ng savefile and, if it is, extract the
703  * relevant information from the header.
704  */
705 pcap_t *
pcap_ng_check_header(bpf_u_int32 magic,FILE * fp,u_int precision,char * errbuf,int * err)706 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
707     int *err)
708 {
709 	size_t amt_read;
710 	bpf_u_int32 total_length;
711 	bpf_u_int32 byte_order_magic;
712 	struct block_header *bhdrp;
713 	struct section_header_block *shbp;
714 	pcap_t *p;
715 	int swapped = 0;
716 	struct pcap_ng_sf *ps;
717 	int status;
718 	struct block_cursor cursor;
719 	struct interface_description_block *idbp;
720 
721 	/*
722 	 * Assume no read errors.
723 	 */
724 	*err = 0;
725 
726 	/*
727 	 * Check whether the first 4 bytes of the file are the block
728 	 * type for a pcap-ng savefile.
729 	 */
730 	if (magic != BT_SHB) {
731 		/*
732 		 * XXX - check whether this looks like what the block
733 		 * type would be after being munged by mapping between
734 		 * UN*X and DOS/Windows text file format and, if it
735 		 * does, look for the byte-order magic number in
736 		 * the appropriate place and, if we find it, report
737 		 * this as possibly being a pcap-ng file transferred
738 		 * between UN*X and Windows in text file format?
739 		 */
740 		return (NULL);	/* nope */
741 	}
742 
743 	/*
744 	 * OK, they are.  However, that's just \n\r\r\n, so it could,
745 	 * conceivably, be an ordinary text file.
746 	 *
747 	 * It could not, however, conceivably be any other type of
748 	 * capture file, so we can read the rest of the putative
749 	 * Section Header Block; put the block type in the common
750 	 * header, read the rest of the common header and the
751 	 * fixed-length portion of the SHB, and look for the byte-order
752 	 * magic value.
753 	 */
754 	amt_read = fread(&total_length, 1, sizeof(total_length), fp);
755 	if (amt_read < sizeof(total_length)) {
756 		if (ferror(fp)) {
757 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
758 			    "error reading dump file: %s",
759 			    pcap_strerror(errno));
760 			*err = 1;
761 			return (NULL);	/* fail */
762 		}
763 
764 		/*
765 		 * Possibly a weird short text file, so just say
766 		 * "not pcap-ng".
767 		 */
768 		return (NULL);
769 	}
770 	amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
771 	if (amt_read < sizeof(byte_order_magic)) {
772 		if (ferror(fp)) {
773 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
774 			    "error reading dump file: %s",
775 			    pcap_strerror(errno));
776 			*err = 1;
777 			return (NULL);	/* fail */
778 		}
779 
780 		/*
781 		 * Possibly a weird short text file, so just say
782 		 * "not pcap-ng".
783 		 */
784 		return (NULL);
785 	}
786 	if (byte_order_magic != BYTE_ORDER_MAGIC) {
787 		byte_order_magic = SWAPLONG(byte_order_magic);
788 		if (byte_order_magic != BYTE_ORDER_MAGIC) {
789 			/*
790 			 * Not a pcap-ng file.
791 			 */
792 			return (NULL);
793 		}
794 		swapped = 1;
795 		total_length = SWAPLONG(total_length);
796 	}
797 
798 	/*
799 	 * Check the sanity of the total length.
800 	 */
801 	if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
802 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
803 		    "Section Header Block in pcap-ng dump file has a length of %u < %lu",
804 		    total_length,
805 		    (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
806 		*err = 1;
807 		return (NULL);
808 	}
809 
810 	/*
811 	 * OK, this is a good pcap-ng file.
812 	 * Allocate a pcap_t for it.
813 	 */
814 	p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
815 	if (p == NULL) {
816 		/* Allocation failed. */
817 		*err = 1;
818 		return (NULL);
819 	}
820 	p->swapped = swapped;
821 	ps = p->priv;
822 
823 	/*
824 	 * What precision does the user want?
825 	 */
826 	switch (precision) {
827 
828 	case PCAP_TSTAMP_PRECISION_MICRO:
829 		ps->user_tsresol = 1000000;
830 		break;
831 
832 	case PCAP_TSTAMP_PRECISION_NANO:
833 		ps->user_tsresol = 1000000000;
834 		break;
835 
836 	default:
837 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
838 		    "unknown time stamp resolution %u", precision);
839 		free(p);
840 		*err = 1;
841 		return (NULL);
842 	}
843 
844 	p->opt.tstamp_precision = precision;
845 
846 	/*
847 	 * Allocate a buffer into which to read blocks.  We default to
848 	 * the maximum of:
849 	 *
850 	 *	the total length of the SHB for which we read the header;
851 	 *
852 	 *	2K, which should be more than large enough for an Enhanced
853 	 *	Packet Block containing a full-size Ethernet frame, and
854 	 *	leaving room for some options.
855 	 *
856 	 * If we find a bigger block, we reallocate the buffer.
857 	 */
858 	p->bufsize = 2048;
859 	if (p->bufsize < total_length)
860 		p->bufsize = total_length;
861 	p->buffer = malloc(p->bufsize);
862 	if (p->buffer == NULL) {
863 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
864 		free(p);
865 		*err = 1;
866 		return (NULL);
867 	}
868 
869 	/*
870 	 * Copy the stuff we've read to the buffer, and read the rest
871 	 * of the SHB.
872 	 */
873 	bhdrp = (struct block_header *)p->buffer;
874 	shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
875 	bhdrp->block_type = magic;
876 	bhdrp->total_length = total_length;
877 	shbp->byte_order_magic = byte_order_magic;
878 	if (read_bytes(fp,
879 	    (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
880 	    total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
881 	    1, errbuf) == -1)
882 		goto fail;
883 
884 	if (p->swapped) {
885 		/*
886 		 * Byte-swap the fields we've read.
887 		 */
888 		shbp->major_version = SWAPSHORT(shbp->major_version);
889 		shbp->minor_version = SWAPSHORT(shbp->minor_version);
890 
891 		/*
892 		 * XXX - we don't care about the section length.
893 		 */
894 	}
895 	/* currently only SHB version 1.0 is supported */
896 	if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
897 	       shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
898 		pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
899 		    "unsupported pcap-ng savefile version %u.%u",
900 		    shbp->major_version, shbp->minor_version);
901 		goto fail;
902 	}
903 	p->version_major = shbp->major_version;
904 	p->version_minor = shbp->minor_version;
905 
906 	/*
907 	 * Save the time stamp resolution the user requested.
908 	 */
909 	p->opt.tstamp_precision = precision;
910 
911 	/*
912 	 * Now start looking for an Interface Description Block.
913 	 */
914 	for (;;) {
915 		/*
916 		 * Read the next block.
917 		 */
918 		status = read_block(fp, p, &cursor, errbuf);
919 		if (status == 0) {
920 			/* EOF - no IDB in this file */
921 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
922 			    "the capture file has no Interface Description Blocks");
923 			goto fail;
924 		}
925 		if (status == -1)
926 			goto fail;	/* error */
927 		switch (cursor.block_type) {
928 
929 		case BT_IDB:
930 			/*
931 			 * Get a pointer to the fixed-length portion of the
932 			 * IDB.
933 			 */
934 			idbp = get_from_block_data(&cursor, sizeof(*idbp),
935 			    errbuf);
936 			if (idbp == NULL)
937 				goto fail;	/* error */
938 
939 			/*
940 			 * Byte-swap it if necessary.
941 			 */
942 			if (p->swapped) {
943 				idbp->linktype = SWAPSHORT(idbp->linktype);
944 				idbp->snaplen = SWAPLONG(idbp->snaplen);
945 			}
946 
947 			/*
948 			 * Interface capture length sanity check
949 			 */
950 			if (idbp->snaplen > MAXIMUM_SNAPLEN) {
951 				pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
952 				    "invalid interface capture length %u, "
953 				    "bigger than maximum of %u",
954 				    idbp->snaplen, MAXIMUM_SNAPLEN);
955 				goto fail;
956 			}
957 
958 			/*
959 			 * Try to add this interface.
960 			 */
961 			if (!add_interface(p, &cursor, errbuf))
962 				goto fail;
963 
964 			goto done;
965 
966 		case BT_EPB:
967 		case BT_SPB:
968 		case BT_PB:
969 			/*
970 			 * Saw a packet before we saw any IDBs.  That's
971 			 * not valid, as we don't know what link-layer
972 			 * encapsulation the packet has.
973 			 */
974 			pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
975 			    "the capture file has a packet block before any Interface Description Blocks");
976 			goto fail;
977 
978 		default:
979 			/*
980 			 * Just ignore it.
981 			 */
982 			break;
983 		}
984 	}
985 
986 done:
987 	p->tzoff = 0;	/* XXX - not used in pcap */
988 	p->snapshot = idbp->snaplen;
989 	p->linktype = linktype_to_dlt(idbp->linktype);
990 	p->linktype_ext = 0;
991 
992 	p->next_packet_op = pcap_ng_next_packet;
993 	p->cleanup_op = pcap_ng_cleanup;
994 
995 	return (p);
996 
997 fail:
998 	free(ps->ifaces);
999 	free(p->buffer);
1000 	free(p);
1001 	*err = 1;
1002 	return (NULL);
1003 }
1004 
1005 static void
pcap_ng_cleanup(pcap_t * p)1006 pcap_ng_cleanup(pcap_t *p)
1007 {
1008 	struct pcap_ng_sf *ps = p->priv;
1009 
1010 	free(ps->ifaces);
1011 	sf_cleanup(p);
1012 }
1013 
1014 /*
1015  * Read and return the next packet from the savefile.  Return the header
1016  * in hdr and a pointer to the contents in data.  Return 0 on success, 1
1017  * if there were no more packets, and -1 on an error.
1018  */
1019 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1020 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1021 {
1022 	struct pcap_ng_sf *ps = p->priv;
1023 	struct block_cursor cursor;
1024 	int status;
1025 	struct enhanced_packet_block *epbp;
1026 	struct simple_packet_block *spbp;
1027 	struct packet_block *pbp;
1028 	bpf_u_int32 interface_id = 0xFFFFFFFF;
1029 	struct interface_description_block *idbp;
1030 	struct section_header_block *shbp;
1031 	FILE *fp = p->rfile;
1032 	u_int64_t t, sec, frac;
1033 
1034 	/*
1035 	 * Look for an Enhanced Packet Block, a Simple Packet Block,
1036 	 * or a Packet Block.
1037 	 */
1038 	for (;;) {
1039 		/*
1040 		 * Read the block type and length; those are common
1041 		 * to all blocks.
1042 		 */
1043 		status = read_block(fp, p, &cursor, p->errbuf);
1044 		if (status == 0)
1045 			return (1);	/* EOF */
1046 		if (status == -1)
1047 			return (-1);	/* error */
1048 		switch (cursor.block_type) {
1049 
1050 		case BT_EPB:
1051 			/*
1052 			 * Get a pointer to the fixed-length portion of the
1053 			 * EPB.
1054 			 */
1055 			epbp = get_from_block_data(&cursor, sizeof(*epbp),
1056 			    p->errbuf);
1057 			if (epbp == NULL)
1058 				return (-1);	/* error */
1059 
1060 			/*
1061 			 * Byte-swap it if necessary.
1062 			 */
1063 			if (p->swapped) {
1064 				/* these were written in opposite byte order */
1065 				interface_id = SWAPLONG(epbp->interface_id);
1066 				hdr->caplen = SWAPLONG(epbp->caplen);
1067 				hdr->len = SWAPLONG(epbp->len);
1068 				t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1069 				    SWAPLONG(epbp->timestamp_low);
1070 			} else {
1071 				interface_id = epbp->interface_id;
1072 				hdr->caplen = epbp->caplen;
1073 				hdr->len = epbp->len;
1074 				t = ((u_int64_t)epbp->timestamp_high) << 32 |
1075 				    epbp->timestamp_low;
1076 			}
1077 			goto found;
1078 
1079 		case BT_SPB:
1080 			/*
1081 			 * Get a pointer to the fixed-length portion of the
1082 			 * SPB.
1083 			 */
1084 			spbp = get_from_block_data(&cursor, sizeof(*spbp),
1085 			    p->errbuf);
1086 			if (spbp == NULL)
1087 				return (-1);	/* error */
1088 
1089 			/*
1090 			 * SPB packets are assumed to have arrived on
1091 			 * the first interface.
1092 			 */
1093 			interface_id = 0;
1094 
1095 			/*
1096 			 * Byte-swap it if necessary.
1097 			 */
1098 			if (p->swapped) {
1099 				/* these were written in opposite byte order */
1100 				hdr->len = SWAPLONG(spbp->len);
1101 			} else
1102 				hdr->len = spbp->len;
1103 
1104 			/*
1105 			 * The SPB doesn't give the captured length;
1106 			 * it's the minimum of the snapshot length
1107 			 * and the packet length.
1108 			 */
1109 			hdr->caplen = hdr->len;
1110 			if (hdr->caplen > (bpf_u_int32)p->snapshot)
1111 				hdr->caplen = p->snapshot;
1112 			t = 0;	/* no time stamps */
1113 			goto found;
1114 
1115 		case BT_PB:
1116 			/*
1117 			 * Get a pointer to the fixed-length portion of the
1118 			 * PB.
1119 			 */
1120 			pbp = get_from_block_data(&cursor, sizeof(*pbp),
1121 			    p->errbuf);
1122 			if (pbp == NULL)
1123 				return (-1);	/* error */
1124 
1125 			/*
1126 			 * Byte-swap it if necessary.
1127 			 */
1128 			if (p->swapped) {
1129 				/* these were written in opposite byte order */
1130 				interface_id = SWAPSHORT(pbp->interface_id);
1131 				hdr->caplen = SWAPLONG(pbp->caplen);
1132 				hdr->len = SWAPLONG(pbp->len);
1133 				t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1134 				    SWAPLONG(pbp->timestamp_low);
1135 			} else {
1136 				interface_id = pbp->interface_id;
1137 				hdr->caplen = pbp->caplen;
1138 				hdr->len = pbp->len;
1139 				t = ((u_int64_t)pbp->timestamp_high) << 32 |
1140 				    pbp->timestamp_low;
1141 			}
1142 			goto found;
1143 
1144 		case BT_IDB:
1145 			/*
1146 			 * Interface Description Block.  Get a pointer
1147 			 * to its fixed-length portion.
1148 			 */
1149 			idbp = get_from_block_data(&cursor, sizeof(*idbp),
1150 			    p->errbuf);
1151 			if (idbp == NULL)
1152 				return (-1);	/* error */
1153 
1154 			/*
1155 			 * Byte-swap it if necessary.
1156 			 */
1157 			if (p->swapped) {
1158 				idbp->linktype = SWAPSHORT(idbp->linktype);
1159 				idbp->snaplen = SWAPLONG(idbp->snaplen);
1160 			}
1161 
1162 			/*
1163 			 * If the link-layer type or snapshot length
1164 			 * differ from the ones for the first IDB we
1165 			 * saw, quit.
1166 			 *
1167 			 * XXX - just discard packets from those
1168 			 * interfaces?
1169 			 */
1170 			if (p->linktype != idbp->linktype) {
1171 				pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1172 				    "an interface has a type %u different from the type of the first interface",
1173 				    idbp->linktype);
1174 				return (-1);
1175 			}
1176 			if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1177 				pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1178 				    "an interface has a snapshot length %u different from the type of the first interface",
1179 				    idbp->snaplen);
1180 				return (-1);
1181 			}
1182 
1183 			/*
1184 			 * Try to add this interface.
1185 			 */
1186 			if (!add_interface(p, &cursor, p->errbuf))
1187 				return (-1);
1188 			break;
1189 
1190 		case BT_SHB:
1191 			/*
1192 			 * Section Header Block.  Get a pointer
1193 			 * to its fixed-length portion.
1194 			 */
1195 			shbp = get_from_block_data(&cursor, sizeof(*shbp),
1196 			    p->errbuf);
1197 			if (shbp == NULL)
1198 				return (-1);	/* error */
1199 
1200 			/*
1201 			 * Assume the byte order of this section is
1202 			 * the same as that of the previous section.
1203 			 * We'll check for that later.
1204 			 */
1205 			if (p->swapped) {
1206 				shbp->byte_order_magic =
1207 				    SWAPLONG(shbp->byte_order_magic);
1208 				shbp->major_version =
1209 				    SWAPSHORT(shbp->major_version);
1210 			}
1211 
1212 			/*
1213 			 * Make sure the byte order doesn't change;
1214 			 * pcap_is_swapped() shouldn't change its
1215 			 * return value in the middle of reading a capture.
1216 			 */
1217 			switch (shbp->byte_order_magic) {
1218 
1219 			case BYTE_ORDER_MAGIC:
1220 				/*
1221 				 * OK.
1222 				 */
1223 				break;
1224 
1225 			case SWAPLONG(BYTE_ORDER_MAGIC):
1226 				/*
1227 				 * Byte order changes.
1228 				 */
1229 				pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1230 				    "the file has sections with different byte orders");
1231 				return (-1);
1232 
1233 			default:
1234 				/*
1235 				 * Not a valid SHB.
1236 				 */
1237 				pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1238 				    "the file has a section with a bad byte order magic field");
1239 				return (-1);
1240 			}
1241 
1242 			/*
1243 			 * Make sure the major version is the version
1244 			 * we handle.
1245 			 */
1246 			if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1247 				pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1248 				    "unknown pcap-ng savefile major version number %u",
1249 				    shbp->major_version);
1250 				return (-1);
1251 			}
1252 
1253 			/*
1254 			 * Reset the interface count; this section should
1255 			 * have its own set of IDBs.  If any of them
1256 			 * don't have the same interface type, snapshot
1257 			 * length, or resolution as the first interface
1258 			 * we saw, we'll fail.  (And if we don't see
1259 			 * any IDBs, we'll fail when we see a packet
1260 			 * block.)
1261 			 */
1262 			ps->ifcount = 0;
1263 			break;
1264 
1265 		default:
1266 			/*
1267 			 * Not a packet block, IDB, or SHB; ignore it.
1268 			 */
1269 			break;
1270 		}
1271 	}
1272 
1273 found:
1274 	/*
1275 	 * Is the interface ID an interface we know?
1276 	 */
1277 	if (interface_id >= ps->ifcount) {
1278 		/*
1279 		 * Yes.  Fail.
1280 		 */
1281 		pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1282 		    "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1283 		    interface_id);
1284 		return (-1);
1285 	}
1286 
1287 	/*
1288 	 * Convert the time stamp to seconds and fractions of a second,
1289 	 * with the fractions being in units of the file-supplied resolution.
1290 	 */
1291 	sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1292 	frac = t % ps->ifaces[interface_id].tsresol;
1293 
1294 	/*
1295 	 * Convert the fractions from units of the file-supplied resolution
1296 	 * to units of the user-requested resolution.
1297 	 */
1298 	switch (ps->ifaces[interface_id].scale_type) {
1299 
1300 	case PASS_THROUGH:
1301 		/*
1302 		 * The interface resolution is what the user wants,
1303 		 * so we're done.
1304 		 */
1305 		break;
1306 
1307 	case SCALE_UP_DEC:
1308 		/*
1309 		 * The interface resolution is less than what the user
1310 		 * wants; scale the fractional part up to the units of
1311 		 * the resolution the user requested by multiplying by
1312 		 * the quotient of the user-requested resolution and the
1313 		 * file-supplied resolution.
1314 		 *
1315 		 * Those resolutions are both powers of 10, and the user-
1316 		 * requested resolution is greater than the file-supplied
1317 		 * resolution, so the quotient in question is an integer.
1318 		 * We've calculated that quotient already, so we just
1319 		 * multiply by it.
1320 		 */
1321 		frac *= ps->ifaces[interface_id].scale_factor;
1322 		break;
1323 
1324 	case SCALE_UP_BIN:
1325 		/*
1326 		 * The interface resolution is less than what the user
1327 		 * wants; scale the fractional part up to the units of
1328 		 * the resolution the user requested by multiplying by
1329 		 * the quotient of the user-requested resolution and the
1330 		 * file-supplied resolution.
1331 		 *
1332 		 * The file-supplied resolution is a power of 2, so the
1333 		 * quotient is not an integer, so, in order to do this
1334 		 * entirely with integer arithmetic, we multiply by the
1335 		 * user-requested resolution and divide by the file-
1336 		 * supplied resolution.
1337 		 *
1338 		 * XXX - Is there something clever we could do here,
1339 		 * given that we know that the file-supplied resolution
1340 		 * is a power of 2?  Doing a multiplication followed by
1341 		 * a division runs the risk of overflowing, and involves
1342 		 * two non-simple arithmetic operations.
1343 		 */
1344 		frac *= ps->user_tsresol;
1345 		frac /= ps->ifaces[interface_id].tsresol;
1346 		break;
1347 
1348 	case SCALE_DOWN_DEC:
1349 		/*
1350 		 * The interface resolution is greater than what the user
1351 		 * wants; scale the fractional part up to the units of
1352 		 * the resolution the user requested by multiplying by
1353 		 * the quotient of the user-requested resolution and the
1354 		 * file-supplied resolution.
1355 		 *
1356 		 * Those resolutions are both powers of 10, and the user-
1357 		 * requested resolution is less than the file-supplied
1358 		 * resolution, so the quotient in question isn't an
1359 		 * integer, but its reciprocal is, and we can just divide
1360 		 * by the reciprocal of the quotient.  We've calculated
1361 		 * the reciprocal of that quotient already, so we must
1362 		 * divide by it.
1363 		 */
1364 		frac /= ps->ifaces[interface_id].scale_factor;
1365 		break;
1366 
1367 
1368 	case SCALE_DOWN_BIN:
1369 		/*
1370 		 * The interface resolution is greater than what the user
1371 		 * wants; convert the fractional part to units of the
1372 		 * resolution the user requested by multiplying by the
1373 		 * quotient of the user-requested resolution and the
1374 		 * file-supplied resolution.  We do that by multiplying
1375 		 * by the user-requested resolution and dividing by the
1376 		 * file-supplied resolution, as the quotient might not
1377 		 * fit in an integer.
1378 		 *
1379 		 * The file-supplied resolution is a power of 2, so the
1380 		 * quotient is not an integer, and neither is its
1381 		 * reciprocal, so, in order to do this entirely with
1382 		 * integer arithmetic, we multiply by the user-requested
1383 		 * resolution and divide by the file-supplied resolution.
1384 		 *
1385 		 * XXX - Is there something clever we could do here,
1386 		 * given that we know that the file-supplied resolution
1387 		 * is a power of 2?  Doing a multiplication followed by
1388 		 * a division runs the risk of overflowing, and involves
1389 		 * two non-simple arithmetic operations.
1390 		 */
1391 		frac *= ps->user_tsresol;
1392 		frac /= ps->ifaces[interface_id].tsresol;
1393 		break;
1394 	}
1395 #ifdef _WIN32
1396 	/*
1397 	 * tv_sec and tv_used in the Windows struct timeval are both
1398 	 * longs.
1399 	 */
1400 	hdr->ts.tv_sec = (long)sec;
1401 	hdr->ts.tv_usec = (long)frac;
1402 #else
1403 	/*
1404 	 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1405 	 * suseconds_t in UN*Xes that work the way the current Single
1406 	 * UNIX Standard specify - but not all older UN*Xes necessarily
1407 	 * support that type, so just cast to int.
1408 	 */
1409 	hdr->ts.tv_sec = (time_t)sec;
1410 	hdr->ts.tv_usec = (int)frac;
1411 #endif
1412 
1413 	/*
1414 	 * Get a pointer to the packet data.
1415 	 */
1416 	*data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1417 	if (*data == NULL)
1418 		return (-1);
1419 
1420 	if (p->swapped)
1421 		swap_pseudo_headers(p->linktype, hdr, *data);
1422 
1423 	return (0);
1424 }
1425