1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c
22 */
23
24 #ifndef lint
25 static const char rcsid[] _U_ =
26 "@(#) $Header$ (LBL)";
27 #endif
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32
33 #ifdef _WIN32
34 #include <pcap-stdinc.h>
35 #else /* _WIN32 */
36 #if HAVE_INTTYPES_H
37 #include <inttypes.h>
38 #elif HAVE_STDINT_H
39 #include <stdint.h>
40 #endif
41 #ifdef HAVE_SYS_BITYPES_H
42 #include <sys/bitypes.h>
43 #endif
44 #include <sys/types.h>
45 #endif /* _WIN32 */
46
47 #include <errno.h>
48 #include <memory.h>
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52
53 #include "pcap-int.h"
54
55 #include "pcap-common.h"
56
57 #ifdef HAVE_OS_PROTO_H
58 #include "os-proto.h"
59 #endif
60
61 #include "sf-pcap-ng.h"
62
63 /*
64 * Block types.
65 */
66
67 /*
68 * Common part at the beginning of all blocks.
69 */
70 struct block_header {
71 bpf_u_int32 block_type;
72 bpf_u_int32 total_length;
73 };
74
75 /*
76 * Common trailer at the end of all blocks.
77 */
78 struct block_trailer {
79 bpf_u_int32 total_length;
80 };
81
82 /*
83 * Common options.
84 */
85 #define OPT_ENDOFOPT 0 /* end of options */
86 #define OPT_COMMENT 1 /* comment string */
87
88 /*
89 * Option header.
90 */
91 struct option_header {
92 u_short option_code;
93 u_short option_length;
94 };
95
96 /*
97 * Structures for the part of each block type following the common
98 * part.
99 */
100
101 /*
102 * Section Header Block.
103 */
104 #define BT_SHB 0x0A0D0D0A
105
106 struct section_header_block {
107 bpf_u_int32 byte_order_magic;
108 u_short major_version;
109 u_short minor_version;
110 u_int64_t section_length;
111 /* followed by options and trailer */
112 };
113
114 /*
115 * Byte-order magic value.
116 */
117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
118
119 /*
120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
121 * that means that this code can't read the file.
122 */
123 #define PCAP_NG_VERSION_MAJOR 1
124 #define PCAP_NG_VERSION_MINOR 0
125
126 /*
127 * Interface Description Block.
128 */
129 #define BT_IDB 0x00000001
130
131 struct interface_description_block {
132 u_short linktype;
133 u_short reserved;
134 bpf_u_int32 snaplen;
135 /* followed by options and trailer */
136 };
137
138 /*
139 * Options in the IDB.
140 */
141 #define IF_NAME 2 /* interface name string */
142 #define IF_DESCRIPTION 3 /* interface description string */
143 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
144 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
145 #define IF_MACADDR 6 /* interface's MAC address */
146 #define IF_EUIADDR 7 /* interface's EUI address */
147 #define IF_SPEED 8 /* interface's speed, in bits/s */
148 #define IF_TSRESOL 9 /* interface's time stamp resolution */
149 #define IF_TZONE 10 /* interface's time zone */
150 #define IF_FILTER 11 /* filter used when capturing on interface */
151 #define IF_OS 12 /* string OS on which capture on this interface was done */
152 #define IF_FCSLEN 13 /* FCS length for this interface */
153 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
154
155 /*
156 * Enhanced Packet Block.
157 */
158 #define BT_EPB 0x00000006
159
160 struct enhanced_packet_block {
161 bpf_u_int32 interface_id;
162 bpf_u_int32 timestamp_high;
163 bpf_u_int32 timestamp_low;
164 bpf_u_int32 caplen;
165 bpf_u_int32 len;
166 /* followed by packet data, options, and trailer */
167 };
168
169 /*
170 * Simple Packet Block.
171 */
172 #define BT_SPB 0x00000003
173
174 struct simple_packet_block {
175 bpf_u_int32 len;
176 /* followed by packet data and trailer */
177 };
178
179 /*
180 * Packet Block.
181 */
182 #define BT_PB 0x00000002
183
184 struct packet_block {
185 u_short interface_id;
186 u_short drops_count;
187 bpf_u_int32 timestamp_high;
188 bpf_u_int32 timestamp_low;
189 bpf_u_int32 caplen;
190 bpf_u_int32 len;
191 /* followed by packet data, options, and trailer */
192 };
193
194 /*
195 * Block cursor - used when processing the contents of a block.
196 * Contains a pointer into the data being processed and a count
197 * of bytes remaining in the block.
198 */
199 struct block_cursor {
200 u_char *data;
201 size_t data_remaining;
202 bpf_u_int32 block_type;
203 };
204
205 typedef enum {
206 PASS_THROUGH,
207 SCALE_UP_DEC,
208 SCALE_DOWN_DEC,
209 SCALE_UP_BIN,
210 SCALE_DOWN_BIN
211 } tstamp_scale_type_t;
212
213 /*
214 * Per-interface information.
215 */
216 struct pcap_ng_if {
217 u_int tsresol; /* time stamp resolution */
218 tstamp_scale_type_t scale_type; /* how to scale */
219 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */
220 u_int64_t tsoffset; /* time stamp offset */
221 };
222
223 struct pcap_ng_sf {
224 u_int user_tsresol; /* time stamp resolution requested by the user */
225 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
226 bpf_u_int32 ifaces_size; /* size of array below */
227 struct pcap_ng_if *ifaces; /* array of interface information */
228 };
229
230 static void pcap_ng_cleanup(pcap_t *p);
231 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
232 u_char **data);
233
234 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)235 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
236 char *errbuf)
237 {
238 size_t amt_read;
239
240 amt_read = fread(buf, 1, bytes_to_read, fp);
241 if (amt_read != bytes_to_read) {
242 if (ferror(fp)) {
243 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
244 "error reading dump file: %s",
245 pcap_strerror(errno));
246 } else {
247 if (amt_read == 0 && !fail_on_eof)
248 return (0); /* EOF */
249 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
250 "truncated dump file; tried to read %lu bytes, only got %lu",
251 (unsigned long)bytes_to_read,
252 (unsigned long)amt_read);
253 }
254 return (-1);
255 }
256 return (1);
257 }
258
259 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)260 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
261 {
262 int status;
263 struct block_header bhdr;
264 u_char *bdata;
265 size_t data_remaining;
266
267 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
268 if (status <= 0)
269 return (status); /* error or EOF */
270
271 if (p->swapped) {
272 bhdr.block_type = SWAPLONG(bhdr.block_type);
273 bhdr.total_length = SWAPLONG(bhdr.total_length);
274 }
275
276 /*
277 * Is this block "too big"?
278 *
279 * We choose 16MB as "too big", for now, so that we handle
280 * "reasonably" large buffers but don't chew up all the
281 * memory if we read a malformed file.
282 */
283 if (bhdr.total_length > 16*1024*1024) {
284 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
285 "pcap-ng block size %u > maximum %u",
286 bhdr.total_length, 16*1024*1024);
287 return (-1);
288 }
289
290 /*
291 * Is this block "too small" - i.e., is it shorter than a block
292 * header plus a block trailer?
293 */
294 if (bhdr.total_length < sizeof(struct block_header) +
295 sizeof(struct block_trailer)) {
296 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
297 "block in pcap-ng dump file has a length of %u < %lu",
298 bhdr.total_length,
299 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer)));
300 return (-1);
301 }
302
303 /*
304 * Is the buffer big enough?
305 */
306 if (p->bufsize < bhdr.total_length) {
307 /*
308 * No - make it big enough.
309 */
310 void *bigger_buffer;
311
312 bigger_buffer = realloc(p->buffer, bhdr.total_length);
313 if (bigger_buffer == NULL) {
314 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
315 return (-1);
316 }
317 p->buffer = bigger_buffer;
318 }
319
320 /*
321 * Copy the stuff we've read to the buffer, and read the rest
322 * of the block.
323 */
324 memcpy(p->buffer, &bhdr, sizeof(bhdr));
325 bdata = (u_char *)p->buffer + sizeof(bhdr);
326 data_remaining = bhdr.total_length - sizeof(bhdr);
327 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
328 return (-1);
329
330 /*
331 * Initialize the cursor.
332 */
333 cursor->data = bdata;
334 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
335 cursor->block_type = bhdr.block_type;
336 return (1);
337 }
338
339 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)340 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
341 char *errbuf)
342 {
343 void *data;
344
345 /*
346 * Make sure we have the specified amount of data remaining in
347 * the block data.
348 */
349 if (cursor->data_remaining < chunk_size) {
350 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
351 "block of type %u in pcap-ng dump file is too short",
352 cursor->block_type);
353 return (NULL);
354 }
355
356 /*
357 * Return the current pointer, and skip past the chunk.
358 */
359 data = cursor->data;
360 cursor->data += chunk_size;
361 cursor->data_remaining -= chunk_size;
362 return (data);
363 }
364
365 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)366 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
367 {
368 struct option_header *opthdr;
369
370 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
371 if (opthdr == NULL) {
372 /*
373 * Option header is cut short.
374 */
375 return (NULL);
376 }
377
378 /*
379 * Byte-swap it if necessary.
380 */
381 if (p->swapped) {
382 opthdr->option_code = SWAPSHORT(opthdr->option_code);
383 opthdr->option_length = SWAPSHORT(opthdr->option_length);
384 }
385
386 return (opthdr);
387 }
388
389 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)390 get_optvalue_from_block_data(struct block_cursor *cursor,
391 struct option_header *opthdr, char *errbuf)
392 {
393 size_t padded_option_len;
394 void *optvalue;
395
396 /* Pad option length to 4-byte boundary */
397 padded_option_len = opthdr->option_length;
398 padded_option_len = ((padded_option_len + 3)/4)*4;
399
400 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
401 if (optvalue == NULL) {
402 /*
403 * Option value is cut short.
404 */
405 return (NULL);
406 }
407
408 return (optvalue);
409 }
410
411 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,u_int * tsresol,u_int64_t * tsoffset,int * is_binary,char * errbuf)412 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol,
413 u_int64_t *tsoffset, int *is_binary, char *errbuf)
414 {
415 struct option_header *opthdr;
416 void *optvalue;
417 int saw_tsresol, saw_tsoffset;
418 u_char tsresol_opt;
419 u_int i;
420
421 saw_tsresol = 0;
422 saw_tsoffset = 0;
423 while (cursor->data_remaining != 0) {
424 /*
425 * Get the option header.
426 */
427 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
428 if (opthdr == NULL) {
429 /*
430 * Option header is cut short.
431 */
432 return (-1);
433 }
434
435 /*
436 * Get option value.
437 */
438 optvalue = get_optvalue_from_block_data(cursor, opthdr,
439 errbuf);
440 if (optvalue == NULL) {
441 /*
442 * Option value is cut short.
443 */
444 return (-1);
445 }
446
447 switch (opthdr->option_code) {
448
449 case OPT_ENDOFOPT:
450 if (opthdr->option_length != 0) {
451 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
452 "Interface Description Block has opt_endofopt option with length %u != 0",
453 opthdr->option_length);
454 return (-1);
455 }
456 goto done;
457
458 case IF_TSRESOL:
459 if (opthdr->option_length != 1) {
460 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
461 "Interface Description Block has if_tsresol option with length %u != 1",
462 opthdr->option_length);
463 return (-1);
464 }
465 if (saw_tsresol) {
466 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
467 "Interface Description Block has more than one if_tsresol option");
468 return (-1);
469 }
470 saw_tsresol = 1;
471 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
472 if (tsresol_opt & 0x80) {
473 /*
474 * Resolution is negative power of 2.
475 */
476 *is_binary = 1;
477 *tsresol = 1 << (tsresol_opt & 0x7F);
478 } else {
479 /*
480 * Resolution is negative power of 10.
481 */
482 *is_binary = 0;
483 *tsresol = 1;
484 for (i = 0; i < tsresol_opt; i++)
485 *tsresol *= 10;
486 }
487 if (*tsresol == 0) {
488 /*
489 * Resolution is too high.
490 */
491 if (tsresol_opt & 0x80) {
492 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
493 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
494 tsresol_opt & 0x7F);
495 } else {
496 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
497 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
498 tsresol_opt);
499 }
500 return (-1);
501 }
502 break;
503
504 case IF_TSOFFSET:
505 if (opthdr->option_length != 8) {
506 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
507 "Interface Description Block has if_tsoffset option with length %u != 8",
508 opthdr->option_length);
509 return (-1);
510 }
511 if (saw_tsoffset) {
512 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
513 "Interface Description Block has more than one if_tsoffset option");
514 return (-1);
515 }
516 saw_tsoffset = 1;
517 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
518 if (p->swapped)
519 *tsoffset = SWAPLL(*tsoffset);
520 break;
521
522 default:
523 break;
524 }
525 }
526
527 done:
528 return (0);
529 }
530
531 static int
add_interface(pcap_t * p,struct block_cursor * cursor,char * errbuf)532 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf)
533 {
534 struct pcap_ng_sf *ps;
535 u_int tsresol;
536 u_int64_t tsoffset;
537 int is_binary;
538
539 ps = p->priv;
540
541 /*
542 * Count this interface.
543 */
544 ps->ifcount++;
545
546 /*
547 * Grow the array of per-interface information as necessary.
548 */
549 if (ps->ifcount > ps->ifaces_size) {
550 /*
551 * We need to grow the array.
552 */
553 bpf_u_int32 new_ifaces_size;
554 struct pcap_ng_if *new_ifaces;
555
556 if (ps->ifaces_size == 0) {
557 /*
558 * It's currently empty.
559 *
560 * (The Clang static analyzer doesn't do enough,
561 * err, umm, dataflow *analysis* to realize that
562 * ps->ifaces_size == 0 if ps->ifaces == NULL,
563 * and so complains about a possible zero argument
564 * to realloc(), so we check for the former
565 * condition to shut it up.
566 *
567 * However, it doesn't complain that one of the
568 * multiplications below could overflow, which is
569 * a real, albeit extremely unlikely, problem (you'd
570 * need a pcap-ng file with tens of millions of
571 * interfaces).)
572 */
573 new_ifaces_size = 1;
574 new_ifaces = malloc(sizeof (struct pcap_ng_if));
575 } else {
576 /*
577 * It's not currently empty; double its size.
578 * (Perhaps overkill once we have a lot of interfaces.)
579 *
580 * Check for overflow if we double it.
581 */
582 if (ps->ifaces_size * 2 < ps->ifaces_size) {
583 /*
584 * The maximum number of interfaces before
585 * ps->ifaces_size overflows is the largest
586 * possible 32-bit power of 2, as we do
587 * size doubling.
588 */
589 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
590 "more than %u interfaces in the file",
591 0x80000000U);
592 return (0);
593 }
594
595 /*
596 * ps->ifaces_size * 2 doesn't overflow, so it's
597 * safe to multiply.
598 */
599 new_ifaces_size = ps->ifaces_size * 2;
600
601 /*
602 * Now make sure that's not so big that it overflows
603 * if we multiply by sizeof (struct pcap_ng_if).
604 *
605 * That can happen on 32-bit platforms, with a 32-bit
606 * size_t; it shouldn't happen on 64-bit platforms,
607 * with a 64-bit size_t, as new_ifaces_size is
608 * 32 bits.
609 */
610 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
611 /*
612 * As this fails only with 32-bit size_t,
613 * the multiplication was 32x32->32, and
614 * the largest 32-bit value that can safely
615 * be multiplied by sizeof (struct pcap_ng_if)
616 * without overflow is the largest 32-bit
617 * (unsigned) value divided by
618 * sizeof (struct pcap_ng_if).
619 */
620 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
621 "more than %u interfaces in the file",
622 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
623 return (0);
624 }
625 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
626 }
627 if (new_ifaces == NULL) {
628 /*
629 * We ran out of memory.
630 * Give up.
631 */
632 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
633 "out of memory for per-interface information (%u interfaces)",
634 ps->ifcount);
635 return (0);
636 }
637 ps->ifaces_size = new_ifaces_size;
638 ps->ifaces = new_ifaces;
639 }
640
641 /*
642 * Set the default time stamp resolution and offset.
643 */
644 tsresol = 1000000; /* microsecond resolution */
645 is_binary = 0; /* which is a power of 10 */
646 tsoffset = 0; /* absolute timestamps */
647
648 /*
649 * Now look for various time stamp options, so we know
650 * how to interpret the time stamps for this interface.
651 */
652 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
653 errbuf) == -1)
654 return (0);
655
656 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
657 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
658
659 /*
660 * Determine whether we're scaling up or down or not
661 * at all for this interface.
662 */
663 if (tsresol == ps->user_tsresol) {
664 /*
665 * The resolution is the resolution the user wants,
666 * so we don't have to do scaling.
667 */
668 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
669 } else if (tsresol > ps->user_tsresol) {
670 /*
671 * The resolution is greater than what the user wants,
672 * so we have to scale the timestamps down.
673 */
674 if (is_binary)
675 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
676 else {
677 /*
678 * Calculate the scale factor.
679 */
680 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
681 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
682 }
683 } else {
684 /*
685 * The resolution is less than what the user wants,
686 * so we have to scale the timestamps up.
687 */
688 if (is_binary)
689 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
690 else {
691 /*
692 * Calculate the scale factor.
693 */
694 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
695 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
696 }
697 }
698 return (1);
699 }
700
701 /*
702 * Check whether this is a pcap-ng savefile and, if it is, extract the
703 * relevant information from the header.
704 */
705 pcap_t *
pcap_ng_check_header(bpf_u_int32 magic,FILE * fp,u_int precision,char * errbuf,int * err)706 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
707 int *err)
708 {
709 size_t amt_read;
710 bpf_u_int32 total_length;
711 bpf_u_int32 byte_order_magic;
712 struct block_header *bhdrp;
713 struct section_header_block *shbp;
714 pcap_t *p;
715 int swapped = 0;
716 struct pcap_ng_sf *ps;
717 int status;
718 struct block_cursor cursor;
719 struct interface_description_block *idbp;
720
721 /*
722 * Assume no read errors.
723 */
724 *err = 0;
725
726 /*
727 * Check whether the first 4 bytes of the file are the block
728 * type for a pcap-ng savefile.
729 */
730 if (magic != BT_SHB) {
731 /*
732 * XXX - check whether this looks like what the block
733 * type would be after being munged by mapping between
734 * UN*X and DOS/Windows text file format and, if it
735 * does, look for the byte-order magic number in
736 * the appropriate place and, if we find it, report
737 * this as possibly being a pcap-ng file transferred
738 * between UN*X and Windows in text file format?
739 */
740 return (NULL); /* nope */
741 }
742
743 /*
744 * OK, they are. However, that's just \n\r\r\n, so it could,
745 * conceivably, be an ordinary text file.
746 *
747 * It could not, however, conceivably be any other type of
748 * capture file, so we can read the rest of the putative
749 * Section Header Block; put the block type in the common
750 * header, read the rest of the common header and the
751 * fixed-length portion of the SHB, and look for the byte-order
752 * magic value.
753 */
754 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
755 if (amt_read < sizeof(total_length)) {
756 if (ferror(fp)) {
757 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
758 "error reading dump file: %s",
759 pcap_strerror(errno));
760 *err = 1;
761 return (NULL); /* fail */
762 }
763
764 /*
765 * Possibly a weird short text file, so just say
766 * "not pcap-ng".
767 */
768 return (NULL);
769 }
770 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
771 if (amt_read < sizeof(byte_order_magic)) {
772 if (ferror(fp)) {
773 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
774 "error reading dump file: %s",
775 pcap_strerror(errno));
776 *err = 1;
777 return (NULL); /* fail */
778 }
779
780 /*
781 * Possibly a weird short text file, so just say
782 * "not pcap-ng".
783 */
784 return (NULL);
785 }
786 if (byte_order_magic != BYTE_ORDER_MAGIC) {
787 byte_order_magic = SWAPLONG(byte_order_magic);
788 if (byte_order_magic != BYTE_ORDER_MAGIC) {
789 /*
790 * Not a pcap-ng file.
791 */
792 return (NULL);
793 }
794 swapped = 1;
795 total_length = SWAPLONG(total_length);
796 }
797
798 /*
799 * Check the sanity of the total length.
800 */
801 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
802 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
803 "Section Header Block in pcap-ng dump file has a length of %u < %lu",
804 total_length,
805 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
806 *err = 1;
807 return (NULL);
808 }
809
810 /*
811 * OK, this is a good pcap-ng file.
812 * Allocate a pcap_t for it.
813 */
814 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
815 if (p == NULL) {
816 /* Allocation failed. */
817 *err = 1;
818 return (NULL);
819 }
820 p->swapped = swapped;
821 ps = p->priv;
822
823 /*
824 * What precision does the user want?
825 */
826 switch (precision) {
827
828 case PCAP_TSTAMP_PRECISION_MICRO:
829 ps->user_tsresol = 1000000;
830 break;
831
832 case PCAP_TSTAMP_PRECISION_NANO:
833 ps->user_tsresol = 1000000000;
834 break;
835
836 default:
837 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
838 "unknown time stamp resolution %u", precision);
839 free(p);
840 *err = 1;
841 return (NULL);
842 }
843
844 p->opt.tstamp_precision = precision;
845
846 /*
847 * Allocate a buffer into which to read blocks. We default to
848 * the maximum of:
849 *
850 * the total length of the SHB for which we read the header;
851 *
852 * 2K, which should be more than large enough for an Enhanced
853 * Packet Block containing a full-size Ethernet frame, and
854 * leaving room for some options.
855 *
856 * If we find a bigger block, we reallocate the buffer.
857 */
858 p->bufsize = 2048;
859 if (p->bufsize < total_length)
860 p->bufsize = total_length;
861 p->buffer = malloc(p->bufsize);
862 if (p->buffer == NULL) {
863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
864 free(p);
865 *err = 1;
866 return (NULL);
867 }
868
869 /*
870 * Copy the stuff we've read to the buffer, and read the rest
871 * of the SHB.
872 */
873 bhdrp = (struct block_header *)p->buffer;
874 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
875 bhdrp->block_type = magic;
876 bhdrp->total_length = total_length;
877 shbp->byte_order_magic = byte_order_magic;
878 if (read_bytes(fp,
879 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
880 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
881 1, errbuf) == -1)
882 goto fail;
883
884 if (p->swapped) {
885 /*
886 * Byte-swap the fields we've read.
887 */
888 shbp->major_version = SWAPSHORT(shbp->major_version);
889 shbp->minor_version = SWAPSHORT(shbp->minor_version);
890
891 /*
892 * XXX - we don't care about the section length.
893 */
894 }
895 /* currently only SHB version 1.0 is supported */
896 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
897 shbp->minor_version == PCAP_NG_VERSION_MINOR)) {
898 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
899 "unsupported pcap-ng savefile version %u.%u",
900 shbp->major_version, shbp->minor_version);
901 goto fail;
902 }
903 p->version_major = shbp->major_version;
904 p->version_minor = shbp->minor_version;
905
906 /*
907 * Save the time stamp resolution the user requested.
908 */
909 p->opt.tstamp_precision = precision;
910
911 /*
912 * Now start looking for an Interface Description Block.
913 */
914 for (;;) {
915 /*
916 * Read the next block.
917 */
918 status = read_block(fp, p, &cursor, errbuf);
919 if (status == 0) {
920 /* EOF - no IDB in this file */
921 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
922 "the capture file has no Interface Description Blocks");
923 goto fail;
924 }
925 if (status == -1)
926 goto fail; /* error */
927 switch (cursor.block_type) {
928
929 case BT_IDB:
930 /*
931 * Get a pointer to the fixed-length portion of the
932 * IDB.
933 */
934 idbp = get_from_block_data(&cursor, sizeof(*idbp),
935 errbuf);
936 if (idbp == NULL)
937 goto fail; /* error */
938
939 /*
940 * Byte-swap it if necessary.
941 */
942 if (p->swapped) {
943 idbp->linktype = SWAPSHORT(idbp->linktype);
944 idbp->snaplen = SWAPLONG(idbp->snaplen);
945 }
946
947 /*
948 * Interface capture length sanity check
949 */
950 if (idbp->snaplen > MAXIMUM_SNAPLEN) {
951 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
952 "invalid interface capture length %u, "
953 "bigger than maximum of %u",
954 idbp->snaplen, MAXIMUM_SNAPLEN);
955 goto fail;
956 }
957
958 /*
959 * Try to add this interface.
960 */
961 if (!add_interface(p, &cursor, errbuf))
962 goto fail;
963
964 goto done;
965
966 case BT_EPB:
967 case BT_SPB:
968 case BT_PB:
969 /*
970 * Saw a packet before we saw any IDBs. That's
971 * not valid, as we don't know what link-layer
972 * encapsulation the packet has.
973 */
974 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
975 "the capture file has a packet block before any Interface Description Blocks");
976 goto fail;
977
978 default:
979 /*
980 * Just ignore it.
981 */
982 break;
983 }
984 }
985
986 done:
987 p->tzoff = 0; /* XXX - not used in pcap */
988 p->snapshot = idbp->snaplen;
989 p->linktype = linktype_to_dlt(idbp->linktype);
990 p->linktype_ext = 0;
991
992 p->next_packet_op = pcap_ng_next_packet;
993 p->cleanup_op = pcap_ng_cleanup;
994
995 return (p);
996
997 fail:
998 free(ps->ifaces);
999 free(p->buffer);
1000 free(p);
1001 *err = 1;
1002 return (NULL);
1003 }
1004
1005 static void
pcap_ng_cleanup(pcap_t * p)1006 pcap_ng_cleanup(pcap_t *p)
1007 {
1008 struct pcap_ng_sf *ps = p->priv;
1009
1010 free(ps->ifaces);
1011 sf_cleanup(p);
1012 }
1013
1014 /*
1015 * Read and return the next packet from the savefile. Return the header
1016 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1017 * if there were no more packets, and -1 on an error.
1018 */
1019 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1020 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1021 {
1022 struct pcap_ng_sf *ps = p->priv;
1023 struct block_cursor cursor;
1024 int status;
1025 struct enhanced_packet_block *epbp;
1026 struct simple_packet_block *spbp;
1027 struct packet_block *pbp;
1028 bpf_u_int32 interface_id = 0xFFFFFFFF;
1029 struct interface_description_block *idbp;
1030 struct section_header_block *shbp;
1031 FILE *fp = p->rfile;
1032 u_int64_t t, sec, frac;
1033
1034 /*
1035 * Look for an Enhanced Packet Block, a Simple Packet Block,
1036 * or a Packet Block.
1037 */
1038 for (;;) {
1039 /*
1040 * Read the block type and length; those are common
1041 * to all blocks.
1042 */
1043 status = read_block(fp, p, &cursor, p->errbuf);
1044 if (status == 0)
1045 return (1); /* EOF */
1046 if (status == -1)
1047 return (-1); /* error */
1048 switch (cursor.block_type) {
1049
1050 case BT_EPB:
1051 /*
1052 * Get a pointer to the fixed-length portion of the
1053 * EPB.
1054 */
1055 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1056 p->errbuf);
1057 if (epbp == NULL)
1058 return (-1); /* error */
1059
1060 /*
1061 * Byte-swap it if necessary.
1062 */
1063 if (p->swapped) {
1064 /* these were written in opposite byte order */
1065 interface_id = SWAPLONG(epbp->interface_id);
1066 hdr->caplen = SWAPLONG(epbp->caplen);
1067 hdr->len = SWAPLONG(epbp->len);
1068 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1069 SWAPLONG(epbp->timestamp_low);
1070 } else {
1071 interface_id = epbp->interface_id;
1072 hdr->caplen = epbp->caplen;
1073 hdr->len = epbp->len;
1074 t = ((u_int64_t)epbp->timestamp_high) << 32 |
1075 epbp->timestamp_low;
1076 }
1077 goto found;
1078
1079 case BT_SPB:
1080 /*
1081 * Get a pointer to the fixed-length portion of the
1082 * SPB.
1083 */
1084 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1085 p->errbuf);
1086 if (spbp == NULL)
1087 return (-1); /* error */
1088
1089 /*
1090 * SPB packets are assumed to have arrived on
1091 * the first interface.
1092 */
1093 interface_id = 0;
1094
1095 /*
1096 * Byte-swap it if necessary.
1097 */
1098 if (p->swapped) {
1099 /* these were written in opposite byte order */
1100 hdr->len = SWAPLONG(spbp->len);
1101 } else
1102 hdr->len = spbp->len;
1103
1104 /*
1105 * The SPB doesn't give the captured length;
1106 * it's the minimum of the snapshot length
1107 * and the packet length.
1108 */
1109 hdr->caplen = hdr->len;
1110 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1111 hdr->caplen = p->snapshot;
1112 t = 0; /* no time stamps */
1113 goto found;
1114
1115 case BT_PB:
1116 /*
1117 * Get a pointer to the fixed-length portion of the
1118 * PB.
1119 */
1120 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1121 p->errbuf);
1122 if (pbp == NULL)
1123 return (-1); /* error */
1124
1125 /*
1126 * Byte-swap it if necessary.
1127 */
1128 if (p->swapped) {
1129 /* these were written in opposite byte order */
1130 interface_id = SWAPSHORT(pbp->interface_id);
1131 hdr->caplen = SWAPLONG(pbp->caplen);
1132 hdr->len = SWAPLONG(pbp->len);
1133 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1134 SWAPLONG(pbp->timestamp_low);
1135 } else {
1136 interface_id = pbp->interface_id;
1137 hdr->caplen = pbp->caplen;
1138 hdr->len = pbp->len;
1139 t = ((u_int64_t)pbp->timestamp_high) << 32 |
1140 pbp->timestamp_low;
1141 }
1142 goto found;
1143
1144 case BT_IDB:
1145 /*
1146 * Interface Description Block. Get a pointer
1147 * to its fixed-length portion.
1148 */
1149 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1150 p->errbuf);
1151 if (idbp == NULL)
1152 return (-1); /* error */
1153
1154 /*
1155 * Byte-swap it if necessary.
1156 */
1157 if (p->swapped) {
1158 idbp->linktype = SWAPSHORT(idbp->linktype);
1159 idbp->snaplen = SWAPLONG(idbp->snaplen);
1160 }
1161
1162 /*
1163 * If the link-layer type or snapshot length
1164 * differ from the ones for the first IDB we
1165 * saw, quit.
1166 *
1167 * XXX - just discard packets from those
1168 * interfaces?
1169 */
1170 if (p->linktype != idbp->linktype) {
1171 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1172 "an interface has a type %u different from the type of the first interface",
1173 idbp->linktype);
1174 return (-1);
1175 }
1176 if ((bpf_u_int32)p->snapshot != idbp->snaplen) {
1177 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1178 "an interface has a snapshot length %u different from the type of the first interface",
1179 idbp->snaplen);
1180 return (-1);
1181 }
1182
1183 /*
1184 * Try to add this interface.
1185 */
1186 if (!add_interface(p, &cursor, p->errbuf))
1187 return (-1);
1188 break;
1189
1190 case BT_SHB:
1191 /*
1192 * Section Header Block. Get a pointer
1193 * to its fixed-length portion.
1194 */
1195 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1196 p->errbuf);
1197 if (shbp == NULL)
1198 return (-1); /* error */
1199
1200 /*
1201 * Assume the byte order of this section is
1202 * the same as that of the previous section.
1203 * We'll check for that later.
1204 */
1205 if (p->swapped) {
1206 shbp->byte_order_magic =
1207 SWAPLONG(shbp->byte_order_magic);
1208 shbp->major_version =
1209 SWAPSHORT(shbp->major_version);
1210 }
1211
1212 /*
1213 * Make sure the byte order doesn't change;
1214 * pcap_is_swapped() shouldn't change its
1215 * return value in the middle of reading a capture.
1216 */
1217 switch (shbp->byte_order_magic) {
1218
1219 case BYTE_ORDER_MAGIC:
1220 /*
1221 * OK.
1222 */
1223 break;
1224
1225 case SWAPLONG(BYTE_ORDER_MAGIC):
1226 /*
1227 * Byte order changes.
1228 */
1229 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1230 "the file has sections with different byte orders");
1231 return (-1);
1232
1233 default:
1234 /*
1235 * Not a valid SHB.
1236 */
1237 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1238 "the file has a section with a bad byte order magic field");
1239 return (-1);
1240 }
1241
1242 /*
1243 * Make sure the major version is the version
1244 * we handle.
1245 */
1246 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1247 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1248 "unknown pcap-ng savefile major version number %u",
1249 shbp->major_version);
1250 return (-1);
1251 }
1252
1253 /*
1254 * Reset the interface count; this section should
1255 * have its own set of IDBs. If any of them
1256 * don't have the same interface type, snapshot
1257 * length, or resolution as the first interface
1258 * we saw, we'll fail. (And if we don't see
1259 * any IDBs, we'll fail when we see a packet
1260 * block.)
1261 */
1262 ps->ifcount = 0;
1263 break;
1264
1265 default:
1266 /*
1267 * Not a packet block, IDB, or SHB; ignore it.
1268 */
1269 break;
1270 }
1271 }
1272
1273 found:
1274 /*
1275 * Is the interface ID an interface we know?
1276 */
1277 if (interface_id >= ps->ifcount) {
1278 /*
1279 * Yes. Fail.
1280 */
1281 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1282 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1283 interface_id);
1284 return (-1);
1285 }
1286
1287 /*
1288 * Convert the time stamp to seconds and fractions of a second,
1289 * with the fractions being in units of the file-supplied resolution.
1290 */
1291 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1292 frac = t % ps->ifaces[interface_id].tsresol;
1293
1294 /*
1295 * Convert the fractions from units of the file-supplied resolution
1296 * to units of the user-requested resolution.
1297 */
1298 switch (ps->ifaces[interface_id].scale_type) {
1299
1300 case PASS_THROUGH:
1301 /*
1302 * The interface resolution is what the user wants,
1303 * so we're done.
1304 */
1305 break;
1306
1307 case SCALE_UP_DEC:
1308 /*
1309 * The interface resolution is less than what the user
1310 * wants; scale the fractional part up to the units of
1311 * the resolution the user requested by multiplying by
1312 * the quotient of the user-requested resolution and the
1313 * file-supplied resolution.
1314 *
1315 * Those resolutions are both powers of 10, and the user-
1316 * requested resolution is greater than the file-supplied
1317 * resolution, so the quotient in question is an integer.
1318 * We've calculated that quotient already, so we just
1319 * multiply by it.
1320 */
1321 frac *= ps->ifaces[interface_id].scale_factor;
1322 break;
1323
1324 case SCALE_UP_BIN:
1325 /*
1326 * The interface resolution is less than what the user
1327 * wants; scale the fractional part up to the units of
1328 * the resolution the user requested by multiplying by
1329 * the quotient of the user-requested resolution and the
1330 * file-supplied resolution.
1331 *
1332 * The file-supplied resolution is a power of 2, so the
1333 * quotient is not an integer, so, in order to do this
1334 * entirely with integer arithmetic, we multiply by the
1335 * user-requested resolution and divide by the file-
1336 * supplied resolution.
1337 *
1338 * XXX - Is there something clever we could do here,
1339 * given that we know that the file-supplied resolution
1340 * is a power of 2? Doing a multiplication followed by
1341 * a division runs the risk of overflowing, and involves
1342 * two non-simple arithmetic operations.
1343 */
1344 frac *= ps->user_tsresol;
1345 frac /= ps->ifaces[interface_id].tsresol;
1346 break;
1347
1348 case SCALE_DOWN_DEC:
1349 /*
1350 * The interface resolution is greater than what the user
1351 * wants; scale the fractional part up to the units of
1352 * the resolution the user requested by multiplying by
1353 * the quotient of the user-requested resolution and the
1354 * file-supplied resolution.
1355 *
1356 * Those resolutions are both powers of 10, and the user-
1357 * requested resolution is less than the file-supplied
1358 * resolution, so the quotient in question isn't an
1359 * integer, but its reciprocal is, and we can just divide
1360 * by the reciprocal of the quotient. We've calculated
1361 * the reciprocal of that quotient already, so we must
1362 * divide by it.
1363 */
1364 frac /= ps->ifaces[interface_id].scale_factor;
1365 break;
1366
1367
1368 case SCALE_DOWN_BIN:
1369 /*
1370 * The interface resolution is greater than what the user
1371 * wants; convert the fractional part to units of the
1372 * resolution the user requested by multiplying by the
1373 * quotient of the user-requested resolution and the
1374 * file-supplied resolution. We do that by multiplying
1375 * by the user-requested resolution and dividing by the
1376 * file-supplied resolution, as the quotient might not
1377 * fit in an integer.
1378 *
1379 * The file-supplied resolution is a power of 2, so the
1380 * quotient is not an integer, and neither is its
1381 * reciprocal, so, in order to do this entirely with
1382 * integer arithmetic, we multiply by the user-requested
1383 * resolution and divide by the file-supplied resolution.
1384 *
1385 * XXX - Is there something clever we could do here,
1386 * given that we know that the file-supplied resolution
1387 * is a power of 2? Doing a multiplication followed by
1388 * a division runs the risk of overflowing, and involves
1389 * two non-simple arithmetic operations.
1390 */
1391 frac *= ps->user_tsresol;
1392 frac /= ps->ifaces[interface_id].tsresol;
1393 break;
1394 }
1395 #ifdef _WIN32
1396 /*
1397 * tv_sec and tv_used in the Windows struct timeval are both
1398 * longs.
1399 */
1400 hdr->ts.tv_sec = (long)sec;
1401 hdr->ts.tv_usec = (long)frac;
1402 #else
1403 /*
1404 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1405 * suseconds_t in UN*Xes that work the way the current Single
1406 * UNIX Standard specify - but not all older UN*Xes necessarily
1407 * support that type, so just cast to int.
1408 */
1409 hdr->ts.tv_sec = (time_t)sec;
1410 hdr->ts.tv_usec = (int)frac;
1411 #endif
1412
1413 /*
1414 * Get a pointer to the packet data.
1415 */
1416 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1417 if (*data == NULL)
1418 return (-1);
1419
1420 if (p->swapped)
1421 swap_pseudo_headers(p->linktype, hdr, *data);
1422
1423 return (0);
1424 }
1425