1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * sf-pcap-ng.c - pcap-ng-file-format-specific code from savefile.c 22 */ 23 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header$ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef _WIN32 34 #include <pcap-stdinc.h> 35 #else /* _WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #endif /* _WIN32 */ 46 47 #include <errno.h> 48 #include <memory.h> 49 #include <stdio.h> 50 #include <stdlib.h> 51 #include <string.h> 52 53 #include "pcap-int.h" 54 55 #include "pcap-common.h" 56 57 #ifdef HAVE_OS_PROTO_H 58 #include "os-proto.h" 59 #endif 60 61 #include "sf-pcap-ng.h" 62 63 /* 64 * Block types. 65 */ 66 67 /* 68 * Common part at the beginning of all blocks. 69 */ 70 struct block_header { 71 bpf_u_int32 block_type; 72 bpf_u_int32 total_length; 73 }; 74 75 /* 76 * Common trailer at the end of all blocks. 77 */ 78 struct block_trailer { 79 bpf_u_int32 total_length; 80 }; 81 82 /* 83 * Common options. 84 */ 85 #define OPT_ENDOFOPT 0 /* end of options */ 86 #define OPT_COMMENT 1 /* comment string */ 87 88 /* 89 * Option header. 90 */ 91 struct option_header { 92 u_short option_code; 93 u_short option_length; 94 }; 95 96 /* 97 * Structures for the part of each block type following the common 98 * part. 99 */ 100 101 /* 102 * Section Header Block. 103 */ 104 #define BT_SHB 0x0A0D0D0A 105 106 struct section_header_block { 107 bpf_u_int32 byte_order_magic; 108 u_short major_version; 109 u_short minor_version; 110 u_int64_t section_length; 111 /* followed by options and trailer */ 112 }; 113 114 /* 115 * Byte-order magic value. 116 */ 117 #define BYTE_ORDER_MAGIC 0x1A2B3C4D 118 119 /* 120 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR, 121 * that means that this code can't read the file. 122 */ 123 #define PCAP_NG_VERSION_MAJOR 1 124 #define PCAP_NG_VERSION_MINOR 0 125 126 /* 127 * Interface Description Block. 128 */ 129 #define BT_IDB 0x00000001 130 131 struct interface_description_block { 132 u_short linktype; 133 u_short reserved; 134 bpf_u_int32 snaplen; 135 /* followed by options and trailer */ 136 }; 137 138 /* 139 * Options in the IDB. 140 */ 141 #define IF_NAME 2 /* interface name string */ 142 #define IF_DESCRIPTION 3 /* interface description string */ 143 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */ 144 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */ 145 #define IF_MACADDR 6 /* interface's MAC address */ 146 #define IF_EUIADDR 7 /* interface's EUI address */ 147 #define IF_SPEED 8 /* interface's speed, in bits/s */ 148 #define IF_TSRESOL 9 /* interface's time stamp resolution */ 149 #define IF_TZONE 10 /* interface's time zone */ 150 #define IF_FILTER 11 /* filter used when capturing on interface */ 151 #define IF_OS 12 /* string OS on which capture on this interface was done */ 152 #define IF_FCSLEN 13 /* FCS length for this interface */ 153 #define IF_TSOFFSET 14 /* time stamp offset for this interface */ 154 155 /* 156 * Enhanced Packet Block. 157 */ 158 #define BT_EPB 0x00000006 159 160 struct enhanced_packet_block { 161 bpf_u_int32 interface_id; 162 bpf_u_int32 timestamp_high; 163 bpf_u_int32 timestamp_low; 164 bpf_u_int32 caplen; 165 bpf_u_int32 len; 166 /* followed by packet data, options, and trailer */ 167 }; 168 169 /* 170 * Simple Packet Block. 171 */ 172 #define BT_SPB 0x00000003 173 174 struct simple_packet_block { 175 bpf_u_int32 len; 176 /* followed by packet data and trailer */ 177 }; 178 179 /* 180 * Packet Block. 181 */ 182 #define BT_PB 0x00000002 183 184 struct packet_block { 185 u_short interface_id; 186 u_short drops_count; 187 bpf_u_int32 timestamp_high; 188 bpf_u_int32 timestamp_low; 189 bpf_u_int32 caplen; 190 bpf_u_int32 len; 191 /* followed by packet data, options, and trailer */ 192 }; 193 194 /* 195 * Block cursor - used when processing the contents of a block. 196 * Contains a pointer into the data being processed and a count 197 * of bytes remaining in the block. 198 */ 199 struct block_cursor { 200 u_char *data; 201 size_t data_remaining; 202 bpf_u_int32 block_type; 203 }; 204 205 typedef enum { 206 PASS_THROUGH, 207 SCALE_UP_DEC, 208 SCALE_DOWN_DEC, 209 SCALE_UP_BIN, 210 SCALE_DOWN_BIN 211 } tstamp_scale_type_t; 212 213 /* 214 * Per-interface information. 215 */ 216 struct pcap_ng_if { 217 u_int tsresol; /* time stamp resolution */ 218 tstamp_scale_type_t scale_type; /* how to scale */ 219 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */ 220 u_int64_t tsoffset; /* time stamp offset */ 221 }; 222 223 struct pcap_ng_sf { 224 u_int user_tsresol; /* time stamp resolution requested by the user */ 225 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */ 226 bpf_u_int32 ifaces_size; /* size of array below */ 227 struct pcap_ng_if *ifaces; /* array of interface information */ 228 }; 229 230 static void pcap_ng_cleanup(pcap_t *p); 231 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, 232 u_char **data); 233 234 static int 235 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof, 236 char *errbuf) 237 { 238 size_t amt_read; 239 240 amt_read = fread(buf, 1, bytes_to_read, fp); 241 if (amt_read != bytes_to_read) { 242 if (ferror(fp)) { 243 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 244 "error reading dump file: %s", 245 pcap_strerror(errno)); 246 } else { 247 if (amt_read == 0 && !fail_on_eof) 248 return (0); /* EOF */ 249 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 250 "truncated dump file; tried to read %lu bytes, only got %lu", 251 (unsigned long)bytes_to_read, 252 (unsigned long)amt_read); 253 } 254 return (-1); 255 } 256 return (1); 257 } 258 259 static int 260 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf) 261 { 262 int status; 263 struct block_header bhdr; 264 u_char *bdata; 265 size_t data_remaining; 266 267 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf); 268 if (status <= 0) 269 return (status); /* error or EOF */ 270 271 if (p->swapped) { 272 bhdr.block_type = SWAPLONG(bhdr.block_type); 273 bhdr.total_length = SWAPLONG(bhdr.total_length); 274 } 275 276 /* 277 * Is this block "too big"? 278 * 279 * We choose 16MB as "too big", for now, so that we handle 280 * "reasonably" large buffers but don't chew up all the 281 * memory if we read a malformed file. 282 */ 283 if (bhdr.total_length > 16*1024*1024) { 284 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 285 "pcap-ng block size %u > maximum %u", 286 bhdr.total_length, 16*1024*1024); 287 return (-1); 288 } 289 290 /* 291 * Is this block "too small" - i.e., is it shorter than a block 292 * header plus a block trailer? 293 */ 294 if (bhdr.total_length < sizeof(struct block_header) + 295 sizeof(struct block_trailer)) { 296 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 297 "block in pcap-ng dump file has a length of %u < %lu", 298 bhdr.total_length, 299 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer))); 300 return (-1); 301 } 302 303 /* 304 * Is the buffer big enough? 305 */ 306 if (p->bufsize < bhdr.total_length) { 307 /* 308 * No - make it big enough. 309 */ 310 void *bigger_buffer; 311 312 bigger_buffer = realloc(p->buffer, bhdr.total_length); 313 if (bigger_buffer == NULL) { 314 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 315 return (-1); 316 } 317 p->buffer = bigger_buffer; 318 } 319 320 /* 321 * Copy the stuff we've read to the buffer, and read the rest 322 * of the block. 323 */ 324 memcpy(p->buffer, &bhdr, sizeof(bhdr)); 325 bdata = (u_char *)p->buffer + sizeof(bhdr); 326 data_remaining = bhdr.total_length - sizeof(bhdr); 327 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1) 328 return (-1); 329 330 /* 331 * Initialize the cursor. 332 */ 333 cursor->data = bdata; 334 cursor->data_remaining = data_remaining - sizeof(struct block_trailer); 335 cursor->block_type = bhdr.block_type; 336 return (1); 337 } 338 339 static void * 340 get_from_block_data(struct block_cursor *cursor, size_t chunk_size, 341 char *errbuf) 342 { 343 void *data; 344 345 /* 346 * Make sure we have the specified amount of data remaining in 347 * the block data. 348 */ 349 if (cursor->data_remaining < chunk_size) { 350 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 351 "block of type %u in pcap-ng dump file is too short", 352 cursor->block_type); 353 return (NULL); 354 } 355 356 /* 357 * Return the current pointer, and skip past the chunk. 358 */ 359 data = cursor->data; 360 cursor->data += chunk_size; 361 cursor->data_remaining -= chunk_size; 362 return (data); 363 } 364 365 static struct option_header * 366 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf) 367 { 368 struct option_header *opthdr; 369 370 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf); 371 if (opthdr == NULL) { 372 /* 373 * Option header is cut short. 374 */ 375 return (NULL); 376 } 377 378 /* 379 * Byte-swap it if necessary. 380 */ 381 if (p->swapped) { 382 opthdr->option_code = SWAPSHORT(opthdr->option_code); 383 opthdr->option_length = SWAPSHORT(opthdr->option_length); 384 } 385 386 return (opthdr); 387 } 388 389 static void * 390 get_optvalue_from_block_data(struct block_cursor *cursor, 391 struct option_header *opthdr, char *errbuf) 392 { 393 size_t padded_option_len; 394 void *optvalue; 395 396 /* Pad option length to 4-byte boundary */ 397 padded_option_len = opthdr->option_length; 398 padded_option_len = ((padded_option_len + 3)/4)*4; 399 400 optvalue = get_from_block_data(cursor, padded_option_len, errbuf); 401 if (optvalue == NULL) { 402 /* 403 * Option value is cut short. 404 */ 405 return (NULL); 406 } 407 408 return (optvalue); 409 } 410 411 static int 412 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol, 413 u_int64_t *tsoffset, int *is_binary, char *errbuf) 414 { 415 struct option_header *opthdr; 416 void *optvalue; 417 int saw_tsresol, saw_tsoffset; 418 u_char tsresol_opt; 419 u_int i; 420 421 saw_tsresol = 0; 422 saw_tsoffset = 0; 423 while (cursor->data_remaining != 0) { 424 /* 425 * Get the option header. 426 */ 427 opthdr = get_opthdr_from_block_data(p, cursor, errbuf); 428 if (opthdr == NULL) { 429 /* 430 * Option header is cut short. 431 */ 432 return (-1); 433 } 434 435 /* 436 * Get option value. 437 */ 438 optvalue = get_optvalue_from_block_data(cursor, opthdr, 439 errbuf); 440 if (optvalue == NULL) { 441 /* 442 * Option value is cut short. 443 */ 444 return (-1); 445 } 446 447 switch (opthdr->option_code) { 448 449 case OPT_ENDOFOPT: 450 if (opthdr->option_length != 0) { 451 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 452 "Interface Description Block has opt_endofopt option with length %u != 0", 453 opthdr->option_length); 454 return (-1); 455 } 456 goto done; 457 458 case IF_TSRESOL: 459 if (opthdr->option_length != 1) { 460 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 461 "Interface Description Block has if_tsresol option with length %u != 1", 462 opthdr->option_length); 463 return (-1); 464 } 465 if (saw_tsresol) { 466 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 467 "Interface Description Block has more than one if_tsresol option"); 468 return (-1); 469 } 470 saw_tsresol = 1; 471 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt)); 472 if (tsresol_opt & 0x80) { 473 /* 474 * Resolution is negative power of 2. 475 */ 476 *is_binary = 1; 477 *tsresol = 1 << (tsresol_opt & 0x7F); 478 } else { 479 /* 480 * Resolution is negative power of 10. 481 */ 482 *is_binary = 0; 483 *tsresol = 1; 484 for (i = 0; i < tsresol_opt; i++) 485 *tsresol *= 10; 486 } 487 if (*tsresol == 0) { 488 /* 489 * Resolution is too high. 490 */ 491 if (tsresol_opt & 0x80) { 492 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 493 "Interface Description Block if_tsresol option resolution 2^-%u is too high", 494 tsresol_opt & 0x7F); 495 } else { 496 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 497 "Interface Description Block if_tsresol option resolution 10^-%u is too high", 498 tsresol_opt); 499 } 500 return (-1); 501 } 502 break; 503 504 case IF_TSOFFSET: 505 if (opthdr->option_length != 8) { 506 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 507 "Interface Description Block has if_tsoffset option with length %u != 8", 508 opthdr->option_length); 509 return (-1); 510 } 511 if (saw_tsoffset) { 512 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 513 "Interface Description Block has more than one if_tsoffset option"); 514 return (-1); 515 } 516 saw_tsoffset = 1; 517 memcpy(tsoffset, optvalue, sizeof(*tsoffset)); 518 if (p->swapped) 519 *tsoffset = SWAPLL(*tsoffset); 520 break; 521 522 default: 523 break; 524 } 525 } 526 527 done: 528 return (0); 529 } 530 531 static int 532 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf) 533 { 534 struct pcap_ng_sf *ps; 535 u_int tsresol; 536 u_int64_t tsoffset; 537 int is_binary; 538 539 ps = p->priv; 540 541 /* 542 * Count this interface. 543 */ 544 ps->ifcount++; 545 546 /* 547 * Grow the array of per-interface information as necessary. 548 */ 549 if (ps->ifcount > ps->ifaces_size) { 550 /* 551 * We need to grow the array. 552 */ 553 bpf_u_int32 new_ifaces_size; 554 struct pcap_ng_if *new_ifaces; 555 556 if (ps->ifaces_size == 0) { 557 /* 558 * It's currently empty. 559 * 560 * (The Clang static analyzer doesn't do enough, 561 * err, umm, dataflow *analysis* to realize that 562 * ps->ifaces_size == 0 if ps->ifaces == NULL, 563 * and so complains about a possible zero argument 564 * to realloc(), so we check for the former 565 * condition to shut it up. 566 * 567 * However, it doesn't complain that one of the 568 * multiplications below could overflow, which is 569 * a real, albeit extremely unlikely, problem (you'd 570 * need a pcap-ng file with tens of millions of 571 * interfaces).) 572 */ 573 new_ifaces_size = 1; 574 new_ifaces = malloc(sizeof (struct pcap_ng_if)); 575 } else { 576 /* 577 * It's not currently empty; double its size. 578 * (Perhaps overkill once we have a lot of interfaces.) 579 * 580 * Check for overflow if we double it. 581 */ 582 if (ps->ifaces_size * 2 < ps->ifaces_size) { 583 /* 584 * The maximum number of interfaces before 585 * ps->ifaces_size overflows is the largest 586 * possible 32-bit power of 2, as we do 587 * size doubling. 588 */ 589 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 590 "more than %u interfaces in the file", 591 0x80000000U); 592 return (0); 593 } 594 595 /* 596 * ps->ifaces_size * 2 doesn't overflow, so it's 597 * safe to multiply. 598 */ 599 new_ifaces_size = ps->ifaces_size * 2; 600 601 /* 602 * Now make sure that's not so big that it overflows 603 * if we multiply by sizeof (struct pcap_ng_if). 604 * 605 * That can happen on 32-bit platforms, with a 32-bit 606 * size_t; it shouldn't happen on 64-bit platforms, 607 * with a 64-bit size_t, as new_ifaces_size is 608 * 32 bits. 609 */ 610 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) { 611 /* 612 * As this fails only with 32-bit size_t, 613 * the multiplication was 32x32->32, and 614 * the largest 32-bit value that can safely 615 * be multiplied by sizeof (struct pcap_ng_if) 616 * without overflow is the largest 32-bit 617 * (unsigned) value divided by 618 * sizeof (struct pcap_ng_if). 619 */ 620 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 621 "more than %u interfaces in the file", 622 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if))); 623 return (0); 624 } 625 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if)); 626 } 627 if (new_ifaces == NULL) { 628 /* 629 * We ran out of memory. 630 * Give up. 631 */ 632 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 633 "out of memory for per-interface information (%u interfaces)", 634 ps->ifcount); 635 return (0); 636 } 637 ps->ifaces_size = new_ifaces_size; 638 ps->ifaces = new_ifaces; 639 } 640 641 /* 642 * Set the default time stamp resolution and offset. 643 */ 644 tsresol = 1000000; /* microsecond resolution */ 645 is_binary = 0; /* which is a power of 10 */ 646 tsoffset = 0; /* absolute timestamps */ 647 648 /* 649 * Now look for various time stamp options, so we know 650 * how to interpret the time stamps for this interface. 651 */ 652 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary, 653 errbuf) == -1) 654 return (0); 655 656 ps->ifaces[ps->ifcount - 1].tsresol = tsresol; 657 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset; 658 659 /* 660 * Determine whether we're scaling up or down or not 661 * at all for this interface. 662 */ 663 if (tsresol == ps->user_tsresol) { 664 /* 665 * The resolution is the resolution the user wants, 666 * so we don't have to do scaling. 667 */ 668 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH; 669 } else if (tsresol > ps->user_tsresol) { 670 /* 671 * The resolution is greater than what the user wants, 672 * so we have to scale the timestamps down. 673 */ 674 if (is_binary) 675 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN; 676 else { 677 /* 678 * Calculate the scale factor. 679 */ 680 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol; 681 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC; 682 } 683 } else { 684 /* 685 * The resolution is less than what the user wants, 686 * so we have to scale the timestamps up. 687 */ 688 if (is_binary) 689 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN; 690 else { 691 /* 692 * Calculate the scale factor. 693 */ 694 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol; 695 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC; 696 } 697 } 698 return (1); 699 } 700 701 /* 702 * Check whether this is a pcap-ng savefile and, if it is, extract the 703 * relevant information from the header. 704 */ 705 pcap_t * 706 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf, 707 int *err) 708 { 709 size_t amt_read; 710 bpf_u_int32 total_length; 711 bpf_u_int32 byte_order_magic; 712 struct block_header *bhdrp; 713 struct section_header_block *shbp; 714 pcap_t *p; 715 int swapped = 0; 716 struct pcap_ng_sf *ps; 717 int status; 718 struct block_cursor cursor; 719 struct interface_description_block *idbp; 720 721 /* 722 * Assume no read errors. 723 */ 724 *err = 0; 725 726 /* 727 * Check whether the first 4 bytes of the file are the block 728 * type for a pcap-ng savefile. 729 */ 730 if (magic != BT_SHB) { 731 /* 732 * XXX - check whether this looks like what the block 733 * type would be after being munged by mapping between 734 * UN*X and DOS/Windows text file format and, if it 735 * does, look for the byte-order magic number in 736 * the appropriate place and, if we find it, report 737 * this as possibly being a pcap-ng file transferred 738 * between UN*X and Windows in text file format? 739 */ 740 return (NULL); /* nope */ 741 } 742 743 /* 744 * OK, they are. However, that's just \n\r\r\n, so it could, 745 * conceivably, be an ordinary text file. 746 * 747 * It could not, however, conceivably be any other type of 748 * capture file, so we can read the rest of the putative 749 * Section Header Block; put the block type in the common 750 * header, read the rest of the common header and the 751 * fixed-length portion of the SHB, and look for the byte-order 752 * magic value. 753 */ 754 amt_read = fread(&total_length, 1, sizeof(total_length), fp); 755 if (amt_read < sizeof(total_length)) { 756 if (ferror(fp)) { 757 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 758 "error reading dump file: %s", 759 pcap_strerror(errno)); 760 *err = 1; 761 return (NULL); /* fail */ 762 } 763 764 /* 765 * Possibly a weird short text file, so just say 766 * "not pcap-ng". 767 */ 768 return (NULL); 769 } 770 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp); 771 if (amt_read < sizeof(byte_order_magic)) { 772 if (ferror(fp)) { 773 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 774 "error reading dump file: %s", 775 pcap_strerror(errno)); 776 *err = 1; 777 return (NULL); /* fail */ 778 } 779 780 /* 781 * Possibly a weird short text file, so just say 782 * "not pcap-ng". 783 */ 784 return (NULL); 785 } 786 if (byte_order_magic != BYTE_ORDER_MAGIC) { 787 byte_order_magic = SWAPLONG(byte_order_magic); 788 if (byte_order_magic != BYTE_ORDER_MAGIC) { 789 /* 790 * Not a pcap-ng file. 791 */ 792 return (NULL); 793 } 794 swapped = 1; 795 total_length = SWAPLONG(total_length); 796 } 797 798 /* 799 * Check the sanity of the total length. 800 */ 801 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) { 802 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 803 "Section Header Block in pcap-ng dump file has a length of %u < %lu", 804 total_length, 805 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer))); 806 *err = 1; 807 return (NULL); 808 } 809 810 /* 811 * OK, this is a good pcap-ng file. 812 * Allocate a pcap_t for it. 813 */ 814 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf)); 815 if (p == NULL) { 816 /* Allocation failed. */ 817 *err = 1; 818 return (NULL); 819 } 820 p->swapped = swapped; 821 ps = p->priv; 822 823 /* 824 * What precision does the user want? 825 */ 826 switch (precision) { 827 828 case PCAP_TSTAMP_PRECISION_MICRO: 829 ps->user_tsresol = 1000000; 830 break; 831 832 case PCAP_TSTAMP_PRECISION_NANO: 833 ps->user_tsresol = 1000000000; 834 break; 835 836 default: 837 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 838 "unknown time stamp resolution %u", precision); 839 free(p); 840 *err = 1; 841 return (NULL); 842 } 843 844 p->opt.tstamp_precision = precision; 845 846 /* 847 * Allocate a buffer into which to read blocks. We default to 848 * the maximum of: 849 * 850 * the total length of the SHB for which we read the header; 851 * 852 * 2K, which should be more than large enough for an Enhanced 853 * Packet Block containing a full-size Ethernet frame, and 854 * leaving room for some options. 855 * 856 * If we find a bigger block, we reallocate the buffer. 857 */ 858 p->bufsize = 2048; 859 if (p->bufsize < total_length) 860 p->bufsize = total_length; 861 p->buffer = malloc(p->bufsize); 862 if (p->buffer == NULL) { 863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 864 free(p); 865 *err = 1; 866 return (NULL); 867 } 868 869 /* 870 * Copy the stuff we've read to the buffer, and read the rest 871 * of the SHB. 872 */ 873 bhdrp = (struct block_header *)p->buffer; 874 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header)); 875 bhdrp->block_type = magic; 876 bhdrp->total_length = total_length; 877 shbp->byte_order_magic = byte_order_magic; 878 if (read_bytes(fp, 879 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)), 880 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)), 881 1, errbuf) == -1) 882 goto fail; 883 884 if (p->swapped) { 885 /* 886 * Byte-swap the fields we've read. 887 */ 888 shbp->major_version = SWAPSHORT(shbp->major_version); 889 shbp->minor_version = SWAPSHORT(shbp->minor_version); 890 891 /* 892 * XXX - we don't care about the section length. 893 */ 894 } 895 /* currently only SHB version 1.0 is supported */ 896 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR && 897 shbp->minor_version == PCAP_NG_VERSION_MINOR)) { 898 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 899 "unsupported pcap-ng savefile version %u.%u", 900 shbp->major_version, shbp->minor_version); 901 goto fail; 902 } 903 p->version_major = shbp->major_version; 904 p->version_minor = shbp->minor_version; 905 906 /* 907 * Save the time stamp resolution the user requested. 908 */ 909 p->opt.tstamp_precision = precision; 910 911 /* 912 * Now start looking for an Interface Description Block. 913 */ 914 for (;;) { 915 /* 916 * Read the next block. 917 */ 918 status = read_block(fp, p, &cursor, errbuf); 919 if (status == 0) { 920 /* EOF - no IDB in this file */ 921 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 922 "the capture file has no Interface Description Blocks"); 923 goto fail; 924 } 925 if (status == -1) 926 goto fail; /* error */ 927 switch (cursor.block_type) { 928 929 case BT_IDB: 930 /* 931 * Get a pointer to the fixed-length portion of the 932 * IDB. 933 */ 934 idbp = get_from_block_data(&cursor, sizeof(*idbp), 935 errbuf); 936 if (idbp == NULL) 937 goto fail; /* error */ 938 939 /* 940 * Byte-swap it if necessary. 941 */ 942 if (p->swapped) { 943 idbp->linktype = SWAPSHORT(idbp->linktype); 944 idbp->snaplen = SWAPLONG(idbp->snaplen); 945 } 946 947 /* 948 * Interface capture length sanity check 949 */ 950 if (idbp->snaplen > MAXIMUM_SNAPLEN) { 951 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 952 "invalid interface capture length %u, " 953 "bigger than maximum of %u", 954 idbp->snaplen, MAXIMUM_SNAPLEN); 955 goto fail; 956 } 957 958 /* 959 * Try to add this interface. 960 */ 961 if (!add_interface(p, &cursor, errbuf)) 962 goto fail; 963 964 goto done; 965 966 case BT_EPB: 967 case BT_SPB: 968 case BT_PB: 969 /* 970 * Saw a packet before we saw any IDBs. That's 971 * not valid, as we don't know what link-layer 972 * encapsulation the packet has. 973 */ 974 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 975 "the capture file has a packet block before any Interface Description Blocks"); 976 goto fail; 977 978 default: 979 /* 980 * Just ignore it. 981 */ 982 break; 983 } 984 } 985 986 done: 987 p->tzoff = 0; /* XXX - not used in pcap */ 988 p->snapshot = idbp->snaplen; 989 p->linktype = linktype_to_dlt(idbp->linktype); 990 p->linktype_ext = 0; 991 992 p->next_packet_op = pcap_ng_next_packet; 993 p->cleanup_op = pcap_ng_cleanup; 994 995 return (p); 996 997 fail: 998 free(ps->ifaces); 999 free(p->buffer); 1000 free(p); 1001 *err = 1; 1002 return (NULL); 1003 } 1004 1005 static void 1006 pcap_ng_cleanup(pcap_t *p) 1007 { 1008 struct pcap_ng_sf *ps = p->priv; 1009 1010 free(ps->ifaces); 1011 sf_cleanup(p); 1012 } 1013 1014 /* 1015 * Read and return the next packet from the savefile. Return the header 1016 * in hdr and a pointer to the contents in data. Return 0 on success, 1 1017 * if there were no more packets, and -1 on an error. 1018 */ 1019 static int 1020 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data) 1021 { 1022 struct pcap_ng_sf *ps = p->priv; 1023 struct block_cursor cursor; 1024 int status; 1025 struct enhanced_packet_block *epbp; 1026 struct simple_packet_block *spbp; 1027 struct packet_block *pbp; 1028 bpf_u_int32 interface_id = 0xFFFFFFFF; 1029 struct interface_description_block *idbp; 1030 struct section_header_block *shbp; 1031 FILE *fp = p->rfile; 1032 u_int64_t t, sec, frac; 1033 1034 /* 1035 * Look for an Enhanced Packet Block, a Simple Packet Block, 1036 * or a Packet Block. 1037 */ 1038 for (;;) { 1039 /* 1040 * Read the block type and length; those are common 1041 * to all blocks. 1042 */ 1043 status = read_block(fp, p, &cursor, p->errbuf); 1044 if (status == 0) 1045 return (1); /* EOF */ 1046 if (status == -1) 1047 return (-1); /* error */ 1048 switch (cursor.block_type) { 1049 1050 case BT_EPB: 1051 /* 1052 * Get a pointer to the fixed-length portion of the 1053 * EPB. 1054 */ 1055 epbp = get_from_block_data(&cursor, sizeof(*epbp), 1056 p->errbuf); 1057 if (epbp == NULL) 1058 return (-1); /* error */ 1059 1060 /* 1061 * Byte-swap it if necessary. 1062 */ 1063 if (p->swapped) { 1064 /* these were written in opposite byte order */ 1065 interface_id = SWAPLONG(epbp->interface_id); 1066 hdr->caplen = SWAPLONG(epbp->caplen); 1067 hdr->len = SWAPLONG(epbp->len); 1068 t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 | 1069 SWAPLONG(epbp->timestamp_low); 1070 } else { 1071 interface_id = epbp->interface_id; 1072 hdr->caplen = epbp->caplen; 1073 hdr->len = epbp->len; 1074 t = ((u_int64_t)epbp->timestamp_high) << 32 | 1075 epbp->timestamp_low; 1076 } 1077 goto found; 1078 1079 case BT_SPB: 1080 /* 1081 * Get a pointer to the fixed-length portion of the 1082 * SPB. 1083 */ 1084 spbp = get_from_block_data(&cursor, sizeof(*spbp), 1085 p->errbuf); 1086 if (spbp == NULL) 1087 return (-1); /* error */ 1088 1089 /* 1090 * SPB packets are assumed to have arrived on 1091 * the first interface. 1092 */ 1093 interface_id = 0; 1094 1095 /* 1096 * Byte-swap it if necessary. 1097 */ 1098 if (p->swapped) { 1099 /* these were written in opposite byte order */ 1100 hdr->len = SWAPLONG(spbp->len); 1101 } else 1102 hdr->len = spbp->len; 1103 1104 /* 1105 * The SPB doesn't give the captured length; 1106 * it's the minimum of the snapshot length 1107 * and the packet length. 1108 */ 1109 hdr->caplen = hdr->len; 1110 if (hdr->caplen > (bpf_u_int32)p->snapshot) 1111 hdr->caplen = p->snapshot; 1112 t = 0; /* no time stamps */ 1113 goto found; 1114 1115 case BT_PB: 1116 /* 1117 * Get a pointer to the fixed-length portion of the 1118 * PB. 1119 */ 1120 pbp = get_from_block_data(&cursor, sizeof(*pbp), 1121 p->errbuf); 1122 if (pbp == NULL) 1123 return (-1); /* error */ 1124 1125 /* 1126 * Byte-swap it if necessary. 1127 */ 1128 if (p->swapped) { 1129 /* these were written in opposite byte order */ 1130 interface_id = SWAPSHORT(pbp->interface_id); 1131 hdr->caplen = SWAPLONG(pbp->caplen); 1132 hdr->len = SWAPLONG(pbp->len); 1133 t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 | 1134 SWAPLONG(pbp->timestamp_low); 1135 } else { 1136 interface_id = pbp->interface_id; 1137 hdr->caplen = pbp->caplen; 1138 hdr->len = pbp->len; 1139 t = ((u_int64_t)pbp->timestamp_high) << 32 | 1140 pbp->timestamp_low; 1141 } 1142 goto found; 1143 1144 case BT_IDB: 1145 /* 1146 * Interface Description Block. Get a pointer 1147 * to its fixed-length portion. 1148 */ 1149 idbp = get_from_block_data(&cursor, sizeof(*idbp), 1150 p->errbuf); 1151 if (idbp == NULL) 1152 return (-1); /* error */ 1153 1154 /* 1155 * Byte-swap it if necessary. 1156 */ 1157 if (p->swapped) { 1158 idbp->linktype = SWAPSHORT(idbp->linktype); 1159 idbp->snaplen = SWAPLONG(idbp->snaplen); 1160 } 1161 1162 /* 1163 * If the link-layer type or snapshot length 1164 * differ from the ones for the first IDB we 1165 * saw, quit. 1166 * 1167 * XXX - just discard packets from those 1168 * interfaces? 1169 */ 1170 if (p->linktype != idbp->linktype) { 1171 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1172 "an interface has a type %u different from the type of the first interface", 1173 idbp->linktype); 1174 return (-1); 1175 } 1176 if ((bpf_u_int32)p->snapshot != idbp->snaplen) { 1177 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1178 "an interface has a snapshot length %u different from the type of the first interface", 1179 idbp->snaplen); 1180 return (-1); 1181 } 1182 1183 /* 1184 * Try to add this interface. 1185 */ 1186 if (!add_interface(p, &cursor, p->errbuf)) 1187 return (-1); 1188 break; 1189 1190 case BT_SHB: 1191 /* 1192 * Section Header Block. Get a pointer 1193 * to its fixed-length portion. 1194 */ 1195 shbp = get_from_block_data(&cursor, sizeof(*shbp), 1196 p->errbuf); 1197 if (shbp == NULL) 1198 return (-1); /* error */ 1199 1200 /* 1201 * Assume the byte order of this section is 1202 * the same as that of the previous section. 1203 * We'll check for that later. 1204 */ 1205 if (p->swapped) { 1206 shbp->byte_order_magic = 1207 SWAPLONG(shbp->byte_order_magic); 1208 shbp->major_version = 1209 SWAPSHORT(shbp->major_version); 1210 } 1211 1212 /* 1213 * Make sure the byte order doesn't change; 1214 * pcap_is_swapped() shouldn't change its 1215 * return value in the middle of reading a capture. 1216 */ 1217 switch (shbp->byte_order_magic) { 1218 1219 case BYTE_ORDER_MAGIC: 1220 /* 1221 * OK. 1222 */ 1223 break; 1224 1225 case SWAPLONG(BYTE_ORDER_MAGIC): 1226 /* 1227 * Byte order changes. 1228 */ 1229 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1230 "the file has sections with different byte orders"); 1231 return (-1); 1232 1233 default: 1234 /* 1235 * Not a valid SHB. 1236 */ 1237 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1238 "the file has a section with a bad byte order magic field"); 1239 return (-1); 1240 } 1241 1242 /* 1243 * Make sure the major version is the version 1244 * we handle. 1245 */ 1246 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) { 1247 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1248 "unknown pcap-ng savefile major version number %u", 1249 shbp->major_version); 1250 return (-1); 1251 } 1252 1253 /* 1254 * Reset the interface count; this section should 1255 * have its own set of IDBs. If any of them 1256 * don't have the same interface type, snapshot 1257 * length, or resolution as the first interface 1258 * we saw, we'll fail. (And if we don't see 1259 * any IDBs, we'll fail when we see a packet 1260 * block.) 1261 */ 1262 ps->ifcount = 0; 1263 break; 1264 1265 default: 1266 /* 1267 * Not a packet block, IDB, or SHB; ignore it. 1268 */ 1269 break; 1270 } 1271 } 1272 1273 found: 1274 /* 1275 * Is the interface ID an interface we know? 1276 */ 1277 if (interface_id >= ps->ifcount) { 1278 /* 1279 * Yes. Fail. 1280 */ 1281 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1282 "a packet arrived on interface %u, but there's no Interface Description Block for that interface", 1283 interface_id); 1284 return (-1); 1285 } 1286 1287 /* 1288 * Convert the time stamp to seconds and fractions of a second, 1289 * with the fractions being in units of the file-supplied resolution. 1290 */ 1291 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset; 1292 frac = t % ps->ifaces[interface_id].tsresol; 1293 1294 /* 1295 * Convert the fractions from units of the file-supplied resolution 1296 * to units of the user-requested resolution. 1297 */ 1298 switch (ps->ifaces[interface_id].scale_type) { 1299 1300 case PASS_THROUGH: 1301 /* 1302 * The interface resolution is what the user wants, 1303 * so we're done. 1304 */ 1305 break; 1306 1307 case SCALE_UP_DEC: 1308 /* 1309 * The interface resolution is less than what the user 1310 * wants; scale the fractional part up to the units of 1311 * the resolution the user requested by multiplying by 1312 * the quotient of the user-requested resolution and the 1313 * file-supplied resolution. 1314 * 1315 * Those resolutions are both powers of 10, and the user- 1316 * requested resolution is greater than the file-supplied 1317 * resolution, so the quotient in question is an integer. 1318 * We've calculated that quotient already, so we just 1319 * multiply by it. 1320 */ 1321 frac *= ps->ifaces[interface_id].scale_factor; 1322 break; 1323 1324 case SCALE_UP_BIN: 1325 /* 1326 * The interface resolution is less than what the user 1327 * wants; scale the fractional part up to the units of 1328 * the resolution the user requested by multiplying by 1329 * the quotient of the user-requested resolution and the 1330 * file-supplied resolution. 1331 * 1332 * The file-supplied resolution is a power of 2, so the 1333 * quotient is not an integer, so, in order to do this 1334 * entirely with integer arithmetic, we multiply by the 1335 * user-requested resolution and divide by the file- 1336 * supplied resolution. 1337 * 1338 * XXX - Is there something clever we could do here, 1339 * given that we know that the file-supplied resolution 1340 * is a power of 2? Doing a multiplication followed by 1341 * a division runs the risk of overflowing, and involves 1342 * two non-simple arithmetic operations. 1343 */ 1344 frac *= ps->user_tsresol; 1345 frac /= ps->ifaces[interface_id].tsresol; 1346 break; 1347 1348 case SCALE_DOWN_DEC: 1349 /* 1350 * The interface resolution is greater than what the user 1351 * wants; scale the fractional part up to the units of 1352 * the resolution the user requested by multiplying by 1353 * the quotient of the user-requested resolution and the 1354 * file-supplied resolution. 1355 * 1356 * Those resolutions are both powers of 10, and the user- 1357 * requested resolution is less than the file-supplied 1358 * resolution, so the quotient in question isn't an 1359 * integer, but its reciprocal is, and we can just divide 1360 * by the reciprocal of the quotient. We've calculated 1361 * the reciprocal of that quotient already, so we must 1362 * divide by it. 1363 */ 1364 frac /= ps->ifaces[interface_id].scale_factor; 1365 break; 1366 1367 1368 case SCALE_DOWN_BIN: 1369 /* 1370 * The interface resolution is greater than what the user 1371 * wants; convert the fractional part to units of the 1372 * resolution the user requested by multiplying by the 1373 * quotient of the user-requested resolution and the 1374 * file-supplied resolution. We do that by multiplying 1375 * by the user-requested resolution and dividing by the 1376 * file-supplied resolution, as the quotient might not 1377 * fit in an integer. 1378 * 1379 * The file-supplied resolution is a power of 2, so the 1380 * quotient is not an integer, and neither is its 1381 * reciprocal, so, in order to do this entirely with 1382 * integer arithmetic, we multiply by the user-requested 1383 * resolution and divide by the file-supplied resolution. 1384 * 1385 * XXX - Is there something clever we could do here, 1386 * given that we know that the file-supplied resolution 1387 * is a power of 2? Doing a multiplication followed by 1388 * a division runs the risk of overflowing, and involves 1389 * two non-simple arithmetic operations. 1390 */ 1391 frac *= ps->user_tsresol; 1392 frac /= ps->ifaces[interface_id].tsresol; 1393 break; 1394 } 1395 #ifdef _WIN32 1396 /* 1397 * tv_sec and tv_used in the Windows struct timeval are both 1398 * longs. 1399 */ 1400 hdr->ts.tv_sec = (long)sec; 1401 hdr->ts.tv_usec = (long)frac; 1402 #else 1403 /* 1404 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is 1405 * suseconds_t in UN*Xes that work the way the current Single 1406 * UNIX Standard specify - but not all older UN*Xes necessarily 1407 * support that type, so just cast to int. 1408 */ 1409 hdr->ts.tv_sec = (time_t)sec; 1410 hdr->ts.tv_usec = (int)frac; 1411 #endif 1412 1413 /* 1414 * Get a pointer to the packet data. 1415 */ 1416 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf); 1417 if (*data == NULL) 1418 return (-1); 1419 1420 if (p->swapped) 1421 swap_pseudo_headers(p->linktype, hdr, *data); 1422 1423 return (0); 1424 } 1425
