libpcap  1.10.1
About: libpcap is a packet filter library used by tools like tcpdump.
  Fossies Dox: libpcap-1.10.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

sf-pcapng.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1997
3  * The Regents of the University of California. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27 
28 #include <pcap/pcap-inttypes.h>
29 
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 
36 #include "pcap-int.h"
37 
38 #include "pcap-common.h"
39 
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43 
44 #include "sf-pcapng.h"
45 
46 /*
47  * Block types.
48  */
49 
50 /*
51  * Common part at the beginning of all blocks.
52  */
53 struct block_header {
56 };
57 
58 /*
59  * Common trailer at the end of all blocks.
60  */
61 struct block_trailer {
63 };
64 
65 /*
66  * Common options.
67  */
68 #define OPT_ENDOFOPT 0 /* end of options */
69 #define OPT_COMMENT 1 /* comment string */
70 
71 /*
72  * Option header.
73  */
74 struct option_header {
75  u_short option_code;
76  u_short option_length;
77 };
78 
79 /*
80  * Structures for the part of each block type following the common
81  * part.
82  */
83 
84 /*
85  * Section Header Block.
86  */
87 #define BT_SHB 0x0A0D0D0A
88 #define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
91  u_short major_version;
92  u_short minor_version;
93  uint64_t section_length;
94  /* followed by options and trailer */
95 };
96 
97 /*
98  * Byte-order magic value.
99  */
100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
101 
102 /*
103  * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
104  * or if minor_version isn't PCAP_NG_VERSION_MINOR or 2, that means that
105  * this code can't read the file.
106  */
107 #define PCAP_NG_VERSION_MAJOR 1
108 #define PCAP_NG_VERSION_MINOR 0
109 
110 /*
111  * Interface Description Block.
112  */
113 #define BT_IDB 0x00000001
114 
116  u_short linktype;
117  u_short reserved;
119  /* followed by options and trailer */
120 };
121 
122 /*
123  * Options in the IDB.
124  */
125 #define IF_NAME 2 /* interface name string */
126 #define IF_DESCRIPTION 3 /* interface description string */
127 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
128 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
129 #define IF_MACADDR 6 /* interface's MAC address */
130 #define IF_EUIADDR 7 /* interface's EUI address */
131 #define IF_SPEED 8 /* interface's speed, in bits/s */
132 #define IF_TSRESOL 9 /* interface's time stamp resolution */
133 #define IF_TZONE 10 /* interface's time zone */
134 #define IF_FILTER 11 /* filter used when capturing on interface */
135 #define IF_OS 12 /* string OS on which capture on this interface was done */
136 #define IF_FCSLEN 13 /* FCS length for this interface */
137 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
138 
139 /*
140  * Enhanced Packet Block.
141  */
142 #define BT_EPB 0x00000006
143 
150  /* followed by packet data, options, and trailer */
151 };
152 
153 /*
154  * Simple Packet Block.
155  */
156 #define BT_SPB 0x00000003
157 
160  /* followed by packet data and trailer */
161 };
162 
163 /*
164  * Packet Block.
165  */
166 #define BT_PB 0x00000002
167 
168 struct packet_block {
169  u_short interface_id;
170  u_short drops_count;
175  /* followed by packet data, options, and trailer */
176 };
177 
178 /*
179  * Block cursor - used when processing the contents of a block.
180  * Contains a pointer into the data being processed and a count
181  * of bytes remaining in the block.
182  */
183 struct block_cursor {
184  u_char *data;
187 };
188 
189 typedef enum {
196 
197 /*
198  * Per-interface information.
199  */
200 struct pcap_ng_if {
201  uint32_t snaplen; /* snapshot length */
202  uint64_t tsresol; /* time stamp resolution */
203  tstamp_scale_type_t scale_type; /* how to scale */
204  uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
205  uint64_t tsoffset; /* time stamp offset */
206 };
207 
208 /*
209  * Per-pcap_t private data.
210  *
211  * max_blocksize is the maximum size of a block that we'll accept. We
212  * reject blocks bigger than this, so we don't consume too much memory
213  * with a truly huge block. It can change as we see IDBs with different
214  * link-layer header types. (Currently, we don't support IDBs with
215  * different link-layer header types, but we will support it in the
216  * future, when we offer file-reading APIs that support it.)
217  *
218  * XXX - that's an issue on ILP32 platforms, where the maximum block
219  * size of 2^31-1 would eat all but one byte of the entire address space.
220  * It's less of an issue on ILP64/LLP64 platforms, but the actual size
221  * of the address space may be limited by 1) the number of *significant*
222  * address bits (currently, x86-64 only supports 48 bits of address), 2)
223  * any limitations imposed by the operating system; 3) any limitations
224  * imposed by the amount of available backing store for anonymous pages,
225  * so we impose a limit regardless of the size of a pointer.
226  */
227 struct pcap_ng_sf {
228  uint64_t user_tsresol; /* time stamp resolution requested by the user */
229  u_int max_blocksize; /* don't grow buffer size past this */
230  bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
231  bpf_u_int32 ifaces_size; /* size of array below */
232  struct pcap_ng_if *ifaces; /* array of interface information */
233 };
234 
235 /*
236  * The maximum block size we start with; we use an arbitrary value of
237  * 16 MiB.
238  */
239 #define INITIAL_MAX_BLOCKSIZE (16*1024*1024)
240 
241 /*
242  * Maximum block size for a given maximum snapshot length; we define it
243  * as the size of an EPB with a max_snaplen-sized packet and 128KB of
244  * options.
245  */
246 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
247  (sizeof (struct block_header) + \
248  sizeof (struct enhanced_packet_block) + \
249  (max_snaplen) + 131072 + \
250  sizeof (struct block_trailer))
251 
252 static void pcap_ng_cleanup(pcap_t *p);
253 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
254  u_char **data);
255 
256 static int
257 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
258  char *errbuf)
259 {
260  size_t amt_read;
261 
262  amt_read = fread(buf, 1, bytes_to_read, fp);
263  if (amt_read != bytes_to_read) {
264  if (ferror(fp)) {
266  errno, "error reading dump file");
267  } else {
268  if (amt_read == 0 && !fail_on_eof)
269  return (0); /* EOF */
270  snprintf(errbuf, PCAP_ERRBUF_SIZE,
271  "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
272  bytes_to_read, amt_read);
273  }
274  return (-1);
275  }
276  return (1);
277 }
278 
279 static int
280 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
281 {
282  struct pcap_ng_sf *ps;
283  int status;
284  struct block_header bhdr;
285  struct block_trailer *btrlr;
286  u_char *bdata;
287  size_t data_remaining;
288 
289  ps = p->priv;
290 
291  status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
292  if (status <= 0)
293  return (status); /* error or EOF */
294 
295  if (p->swapped) {
296  bhdr.block_type = SWAPLONG(bhdr.block_type);
297  bhdr.total_length = SWAPLONG(bhdr.total_length);
298  }
299 
300  /*
301  * Is this block "too small" - i.e., is it shorter than a block
302  * header plus a block trailer?
303  */
304  if (bhdr.total_length < sizeof(struct block_header) +
305  sizeof(struct block_trailer)) {
306  snprintf(errbuf, PCAP_ERRBUF_SIZE,
307  "block in pcapng dump file has a length of %u < %zu",
308  bhdr.total_length,
309  sizeof(struct block_header) + sizeof(struct block_trailer));
310  return (-1);
311  }
312 
313  /*
314  * Is the block total length a multiple of 4?
315  */
316  if ((bhdr.total_length % 4) != 0) {
317  /*
318  * No. Report that as an error.
319  */
320  snprintf(errbuf, PCAP_ERRBUF_SIZE,
321  "block in pcapng dump file has a length of %u that is not a multiple of 4",
322  bhdr.total_length);
323  return (-1);
324  }
325 
326  /*
327  * Is the buffer big enough?
328  */
329  if (p->bufsize < bhdr.total_length) {
330  /*
331  * No - make it big enough, unless it's too big, in
332  * which case we fail.
333  */
334  void *bigger_buffer;
335 
336  if (bhdr.total_length > ps->max_blocksize) {
337  snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
338  ps->max_blocksize);
339  return (-1);
340  }
341  bigger_buffer = realloc(p->buffer, bhdr.total_length);
342  if (bigger_buffer == NULL) {
343  snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
344  return (-1);
345  }
346  p->buffer = bigger_buffer;
347  }
348 
349  /*
350  * Copy the stuff we've read to the buffer, and read the rest
351  * of the block.
352  */
353  memcpy(p->buffer, &bhdr, sizeof(bhdr));
354  bdata = (u_char *)p->buffer + sizeof(bhdr);
355  data_remaining = bhdr.total_length - sizeof(bhdr);
356  if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
357  return (-1);
358 
359  /*
360  * Get the block size from the trailer.
361  */
362  btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
363  if (p->swapped)
364  btrlr->total_length = SWAPLONG(btrlr->total_length);
365 
366  /*
367  * Is the total length from the trailer the same as the total
368  * length from the header?
369  */
370  if (bhdr.total_length != btrlr->total_length) {
371  /*
372  * No.
373  */
374  snprintf(errbuf, PCAP_ERRBUF_SIZE,
375  "block total length in header and trailer don't match");
376  return (-1);
377  }
378 
379  /*
380  * Initialize the cursor.
381  */
382  cursor->data = bdata;
383  cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
384  cursor->block_type = bhdr.block_type;
385  return (1);
386 }
387 
388 static void *
389 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
390  char *errbuf)
391 {
392  void *data;
393 
394  /*
395  * Make sure we have the specified amount of data remaining in
396  * the block data.
397  */
398  if (cursor->data_remaining < chunk_size) {
399  snprintf(errbuf, PCAP_ERRBUF_SIZE,
400  "block of type %u in pcapng dump file is too short",
401  cursor->block_type);
402  return (NULL);
403  }
404 
405  /*
406  * Return the current pointer, and skip past the chunk.
407  */
408  data = cursor->data;
409  cursor->data += chunk_size;
410  cursor->data_remaining -= chunk_size;
411  return (data);
412 }
413 
414 static struct option_header *
415 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
416 {
417  struct option_header *opthdr;
418 
419  opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
420  if (opthdr == NULL) {
421  /*
422  * Option header is cut short.
423  */
424  return (NULL);
425  }
426 
427  /*
428  * Byte-swap it if necessary.
429  */
430  if (p->swapped) {
431  opthdr->option_code = SWAPSHORT(opthdr->option_code);
432  opthdr->option_length = SWAPSHORT(opthdr->option_length);
433  }
434 
435  return (opthdr);
436 }
437 
438 static void *
440  struct option_header *opthdr, char *errbuf)
441 {
442  size_t padded_option_len;
443  void *optvalue;
444 
445  /* Pad option length to 4-byte boundary */
446  padded_option_len = opthdr->option_length;
447  padded_option_len = ((padded_option_len + 3)/4)*4;
448 
449  optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
450  if (optvalue == NULL) {
451  /*
452  * Option value is cut short.
453  */
454  return (NULL);
455  }
456 
457  return (optvalue);
458 }
459 
460 static int
461 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
462  uint64_t *tsoffset, int *is_binary, char *errbuf)
463 {
464  struct option_header *opthdr;
465  void *optvalue;
466  int saw_tsresol, saw_tsoffset;
467  uint8_t tsresol_opt;
468  u_int i;
469 
470  saw_tsresol = 0;
471  saw_tsoffset = 0;
472  while (cursor->data_remaining != 0) {
473  /*
474  * Get the option header.
475  */
476  opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
477  if (opthdr == NULL) {
478  /*
479  * Option header is cut short.
480  */
481  return (-1);
482  }
483 
484  /*
485  * Get option value.
486  */
487  optvalue = get_optvalue_from_block_data(cursor, opthdr,
488  errbuf);
489  if (optvalue == NULL) {
490  /*
491  * Option value is cut short.
492  */
493  return (-1);
494  }
495 
496  switch (opthdr->option_code) {
497 
498  case OPT_ENDOFOPT:
499  if (opthdr->option_length != 0) {
500  snprintf(errbuf, PCAP_ERRBUF_SIZE,
501  "Interface Description Block has opt_endofopt option with length %u != 0",
502  opthdr->option_length);
503  return (-1);
504  }
505  goto done;
506 
507  case IF_TSRESOL:
508  if (opthdr->option_length != 1) {
509  snprintf(errbuf, PCAP_ERRBUF_SIZE,
510  "Interface Description Block has if_tsresol option with length %u != 1",
511  opthdr->option_length);
512  return (-1);
513  }
514  if (saw_tsresol) {
515  snprintf(errbuf, PCAP_ERRBUF_SIZE,
516  "Interface Description Block has more than one if_tsresol option");
517  return (-1);
518  }
519  saw_tsresol = 1;
520  memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
521  if (tsresol_opt & 0x80) {
522  /*
523  * Resolution is negative power of 2.
524  */
525  uint8_t tsresol_shift = (tsresol_opt & 0x7F);
526 
527  if (tsresol_shift > 63) {
528  /*
529  * Resolution is too high; 2^-{res}
530  * won't fit in a 64-bit value.
531  */
532  snprintf(errbuf, PCAP_ERRBUF_SIZE,
533  "Interface Description Block if_tsresol option resolution 2^-%u is too high",
534  tsresol_shift);
535  return (-1);
536  }
537  *is_binary = 1;
538  *tsresol = ((uint64_t)1) << tsresol_shift;
539  } else {
540  /*
541  * Resolution is negative power of 10.
542  */
543  if (tsresol_opt > 19) {
544  /*
545  * Resolution is too high; 2^-{res}
546  * won't fit in a 64-bit value (the
547  * largest power of 10 that fits
548  * in a 64-bit value is 10^19, as
549  * the largest 64-bit unsigned
550  * value is ~1.8*10^19).
551  */
552  snprintf(errbuf, PCAP_ERRBUF_SIZE,
553  "Interface Description Block if_tsresol option resolution 10^-%u is too high",
554  tsresol_opt);
555  return (-1);
556  }
557  *is_binary = 0;
558  *tsresol = 1;
559  for (i = 0; i < tsresol_opt; i++)
560  *tsresol *= 10;
561  }
562  break;
563 
564  case IF_TSOFFSET:
565  if (opthdr->option_length != 8) {
566  snprintf(errbuf, PCAP_ERRBUF_SIZE,
567  "Interface Description Block has if_tsoffset option with length %u != 8",
568  opthdr->option_length);
569  return (-1);
570  }
571  if (saw_tsoffset) {
572  snprintf(errbuf, PCAP_ERRBUF_SIZE,
573  "Interface Description Block has more than one if_tsoffset option");
574  return (-1);
575  }
576  saw_tsoffset = 1;
577  memcpy(tsoffset, optvalue, sizeof(*tsoffset));
578  if (p->swapped)
579  *tsoffset = SWAPLL(*tsoffset);
580  break;
581 
582  default:
583  break;
584  }
585  }
586 
587 done:
588  return (0);
589 }
590 
591 static int
593  struct block_cursor *cursor, char *errbuf)
594 {
595  struct pcap_ng_sf *ps;
596  uint64_t tsresol;
597  uint64_t tsoffset;
598  int is_binary;
599 
600  ps = p->priv;
601 
602  /*
603  * Count this interface.
604  */
605  ps->ifcount++;
606 
607  /*
608  * Grow the array of per-interface information as necessary.
609  */
610  if (ps->ifcount > ps->ifaces_size) {
611  /*
612  * We need to grow the array.
613  */
614  bpf_u_int32 new_ifaces_size;
615  struct pcap_ng_if *new_ifaces;
616 
617  if (ps->ifaces_size == 0) {
618  /*
619  * It's currently empty.
620  *
621  * (The Clang static analyzer doesn't do enough,
622  * err, umm, dataflow *analysis* to realize that
623  * ps->ifaces_size == 0 if ps->ifaces == NULL,
624  * and so complains about a possible zero argument
625  * to realloc(), so we check for the former
626  * condition to shut it up.
627  *
628  * However, it doesn't complain that one of the
629  * multiplications below could overflow, which is
630  * a real, albeit extremely unlikely, problem (you'd
631  * need a pcapng file with tens of millions of
632  * interfaces).)
633  */
634  new_ifaces_size = 1;
635  new_ifaces = malloc(sizeof (struct pcap_ng_if));
636  } else {
637  /*
638  * It's not currently empty; double its size.
639  * (Perhaps overkill once we have a lot of interfaces.)
640  *
641  * Check for overflow if we double it.
642  */
643  if (ps->ifaces_size * 2 < ps->ifaces_size) {
644  /*
645  * The maximum number of interfaces before
646  * ps->ifaces_size overflows is the largest
647  * possible 32-bit power of 2, as we do
648  * size doubling.
649  */
650  snprintf(errbuf, PCAP_ERRBUF_SIZE,
651  "more than %u interfaces in the file",
652  0x80000000U);
653  return (0);
654  }
655 
656  /*
657  * ps->ifaces_size * 2 doesn't overflow, so it's
658  * safe to multiply.
659  */
660  new_ifaces_size = ps->ifaces_size * 2;
661 
662  /*
663  * Now make sure that's not so big that it overflows
664  * if we multiply by sizeof (struct pcap_ng_if).
665  *
666  * That can happen on 32-bit platforms, with a 32-bit
667  * size_t; it shouldn't happen on 64-bit platforms,
668  * with a 64-bit size_t, as new_ifaces_size is
669  * 32 bits.
670  */
671  if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
672  /*
673  * As this fails only with 32-bit size_t,
674  * the multiplication was 32x32->32, and
675  * the largest 32-bit value that can safely
676  * be multiplied by sizeof (struct pcap_ng_if)
677  * without overflow is the largest 32-bit
678  * (unsigned) value divided by
679  * sizeof (struct pcap_ng_if).
680  */
681  snprintf(errbuf, PCAP_ERRBUF_SIZE,
682  "more than %u interfaces in the file",
683  0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
684  return (0);
685  }
686  new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
687  }
688  if (new_ifaces == NULL) {
689  /*
690  * We ran out of memory.
691  * Give up.
692  */
693  snprintf(errbuf, PCAP_ERRBUF_SIZE,
694  "out of memory for per-interface information (%u interfaces)",
695  ps->ifcount);
696  return (0);
697  }
698  ps->ifaces_size = new_ifaces_size;
699  ps->ifaces = new_ifaces;
700  }
701 
702  ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
703 
704  /*
705  * Set the default time stamp resolution and offset.
706  */
707  tsresol = 1000000; /* microsecond resolution */
708  is_binary = 0; /* which is a power of 10 */
709  tsoffset = 0; /* absolute timestamps */
710 
711  /*
712  * Now look for various time stamp options, so we know
713  * how to interpret the time stamps for this interface.
714  */
715  if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
716  errbuf) == -1)
717  return (0);
718 
719  ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
720  ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
721 
722  /*
723  * Determine whether we're scaling up or down or not
724  * at all for this interface.
725  */
726  if (tsresol == ps->user_tsresol) {
727  /*
728  * The resolution is the resolution the user wants,
729  * so we don't have to do scaling.
730  */
731  ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
732  } else if (tsresol > ps->user_tsresol) {
733  /*
734  * The resolution is greater than what the user wants,
735  * so we have to scale the timestamps down.
736  */
737  if (is_binary)
738  ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
739  else {
740  /*
741  * Calculate the scale factor.
742  */
743  ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
744  ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
745  }
746  } else {
747  /*
748  * The resolution is less than what the user wants,
749  * so we have to scale the timestamps up.
750  */
751  if (is_binary)
752  ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
753  else {
754  /*
755  * Calculate the scale factor.
756  */
757  ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
758  ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
759  }
760  }
761  return (1);
762 }
763 
764 /*
765  * Check whether this is a pcapng savefile and, if it is, extract the
766  * relevant information from the header.
767  */
768 pcap_t *
769 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
770  char *errbuf, int *err)
771 {
772  bpf_u_int32 magic_int;
773  size_t amt_read;
774  bpf_u_int32 total_length;
775  bpf_u_int32 byte_order_magic;
776  struct block_header *bhdrp;
777  struct section_header_block *shbp;
778  pcap_t *p;
779  int swapped = 0;
780  struct pcap_ng_sf *ps;
781  int status;
782  struct block_cursor cursor;
783  struct interface_description_block *idbp;
784 
785  /*
786  * Assume no read errors.
787  */
788  *err = 0;
789 
790  /*
791  * Check whether the first 4 bytes of the file are the block
792  * type for a pcapng savefile.
793  */
794  memcpy(&magic_int, magic, sizeof(magic_int));
795  if (magic_int != BT_SHB) {
796  /*
797  * XXX - check whether this looks like what the block
798  * type would be after being munged by mapping between
799  * UN*X and DOS/Windows text file format and, if it
800  * does, look for the byte-order magic number in
801  * the appropriate place and, if we find it, report
802  * this as possibly being a pcapng file transferred
803  * between UN*X and Windows in text file format?
804  */
805  return (NULL); /* nope */
806  }
807 
808  /*
809  * OK, they are. However, that's just \n\r\r\n, so it could,
810  * conceivably, be an ordinary text file.
811  *
812  * It could not, however, conceivably be any other type of
813  * capture file, so we can read the rest of the putative
814  * Section Header Block; put the block type in the common
815  * header, read the rest of the common header and the
816  * fixed-length portion of the SHB, and look for the byte-order
817  * magic value.
818  */
819  amt_read = fread(&total_length, 1, sizeof(total_length), fp);
820  if (amt_read < sizeof(total_length)) {
821  if (ferror(fp)) {
823  errno, "error reading dump file");
824  *err = 1;
825  return (NULL); /* fail */
826  }
827 
828  /*
829  * Possibly a weird short text file, so just say
830  * "not pcapng".
831  */
832  return (NULL);
833  }
834  amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
835  if (amt_read < sizeof(byte_order_magic)) {
836  if (ferror(fp)) {
838  errno, "error reading dump file");
839  *err = 1;
840  return (NULL); /* fail */
841  }
842 
843  /*
844  * Possibly a weird short text file, so just say
845  * "not pcapng".
846  */
847  return (NULL);
848  }
849  if (byte_order_magic != BYTE_ORDER_MAGIC) {
850  byte_order_magic = SWAPLONG(byte_order_magic);
851  if (byte_order_magic != BYTE_ORDER_MAGIC) {
852  /*
853  * Not a pcapng file.
854  */
855  return (NULL);
856  }
857  swapped = 1;
858  total_length = SWAPLONG(total_length);
859  }
860 
861  /*
862  * Check the sanity of the total length.
863  */
864  if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
865  (total_length > BT_SHB_INSANE_MAX)) {
866  snprintf(errbuf, PCAP_ERRBUF_SIZE,
867  "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
868  sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
869  total_length,
871 
872  *err = 1;
873  return (NULL);
874  }
875 
876  /*
877  * OK, this is a good pcapng file.
878  * Allocate a pcap_t for it.
879  */
880  p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
881  if (p == NULL) {
882  /* Allocation failed. */
883  *err = 1;
884  return (NULL);
885  }
886  p->swapped = swapped;
887  ps = p->priv;
888 
889  /*
890  * What precision does the user want?
891  */
892  switch (precision) {
893 
895  ps->user_tsresol = 1000000;
896  break;
897 
899  ps->user_tsresol = 1000000000;
900  break;
901 
902  default:
903  snprintf(errbuf, PCAP_ERRBUF_SIZE,
904  "unknown time stamp resolution %u", precision);
905  free(p);
906  *err = 1;
907  return (NULL);
908  }
909 
910  p->opt.tstamp_precision = precision;
911 
912  /*
913  * Allocate a buffer into which to read blocks. We default to
914  * the maximum of:
915  *
916  * the total length of the SHB for which we read the header;
917  *
918  * 2K, which should be more than large enough for an Enhanced
919  * Packet Block containing a full-size Ethernet frame, and
920  * leaving room for some options.
921  *
922  * If we find a bigger block, we reallocate the buffer, up to
923  * the maximum size. We start out with a maximum size of
924  * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
925  * with a maximum snapshot that results in a larger maximum
926  * block length, we boost the maximum.
927  */
928  p->bufsize = 2048;
929  if (p->bufsize < total_length)
930  p->bufsize = total_length;
931  p->buffer = malloc(p->bufsize);
932  if (p->buffer == NULL) {
933  snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
934  free(p);
935  *err = 1;
936  return (NULL);
937  }
939 
940  /*
941  * Copy the stuff we've read to the buffer, and read the rest
942  * of the SHB.
943  */
944  bhdrp = (struct block_header *)p->buffer;
945  shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
946  bhdrp->block_type = magic_int;
947  bhdrp->total_length = total_length;
948  shbp->byte_order_magic = byte_order_magic;
949  if (read_bytes(fp,
950  (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
951  total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
952  1, errbuf) == -1)
953  goto fail;
954 
955  if (p->swapped) {
956  /*
957  * Byte-swap the fields we've read.
958  */
959  shbp->major_version = SWAPSHORT(shbp->major_version);
960  shbp->minor_version = SWAPSHORT(shbp->minor_version);
961 
962  /*
963  * XXX - we don't care about the section length.
964  */
965  }
966  /* Currently only SHB versions 1.0 and 1.2 are supported;
967  version 1.2 is treated as being the same as version 1.0.
968  See the current version of the pcapng specification.
969 
970  Version 1.2 is written by some programs that write additional
971  block types (which can be read by any code that handles them,
972  regardless of whether the minor version if 0 or 2, so that's
973  not a reason to change the minor version number).
974 
975  XXX - the pcapng specification says that readers should
976  just ignore sections with an unsupported version number;
977  presumably they can also report an error if they skip
978  all the way to the end of the file without finding
979  any versions that they support. */
980  if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
982  shbp->minor_version == 2))) {
983  snprintf(errbuf, PCAP_ERRBUF_SIZE,
984  "unsupported pcapng savefile version %u.%u",
985  shbp->major_version, shbp->minor_version);
986  goto fail;
987  }
988  p->version_major = shbp->major_version;
989  p->version_minor = shbp->minor_version;
990 
991  /*
992  * Save the time stamp resolution the user requested.
993  */
994  p->opt.tstamp_precision = precision;
995 
996  /*
997  * Now start looking for an Interface Description Block.
998  */
999  for (;;) {
1000  /*
1001  * Read the next block.
1002  */
1003  status = read_block(fp, p, &cursor, errbuf);
1004  if (status == 0) {
1005  /* EOF - no IDB in this file */
1006  snprintf(errbuf, PCAP_ERRBUF_SIZE,
1007  "the capture file has no Interface Description Blocks");
1008  goto fail;
1009  }
1010  if (status == -1)
1011  goto fail; /* error */
1012  switch (cursor.block_type) {
1013 
1014  case BT_IDB:
1015  /*
1016  * Get a pointer to the fixed-length portion of the
1017  * IDB.
1018  */
1019  idbp = get_from_block_data(&cursor, sizeof(*idbp),
1020  errbuf);
1021  if (idbp == NULL)
1022  goto fail; /* error */
1023 
1024  /*
1025  * Byte-swap it if necessary.
1026  */
1027  if (p->swapped) {
1028  idbp->linktype = SWAPSHORT(idbp->linktype);
1029  idbp->snaplen = SWAPLONG(idbp->snaplen);
1030  }
1031 
1032  /*
1033  * Try to add this interface.
1034  */
1035  if (!add_interface(p, idbp, &cursor, errbuf))
1036  goto fail;
1037 
1038  goto done;
1039 
1040  case BT_EPB:
1041  case BT_SPB:
1042  case BT_PB:
1043  /*
1044  * Saw a packet before we saw any IDBs. That's
1045  * not valid, as we don't know what link-layer
1046  * encapsulation the packet has.
1047  */
1048  snprintf(errbuf, PCAP_ERRBUF_SIZE,
1049  "the capture file has a packet block before any Interface Description Blocks");
1050  goto fail;
1051 
1052  default:
1053  /*
1054  * Just ignore it.
1055  */
1056  break;
1057  }
1058  }
1059 
1060 done:
1061  p->linktype = linktype_to_dlt(idbp->linktype);
1063  p->linktype_ext = 0;
1064 
1065  /*
1066  * If the maximum block size for a packet with the maximum
1067  * snapshot length for this DLT_ is bigger than the current
1068  * maximum block size, increase the maximum.
1069  */
1072 
1075 
1076  return (p);
1077 
1078 fail:
1079  free(ps->ifaces);
1080  free(p->buffer);
1081  free(p);
1082  *err = 1;
1083  return (NULL);
1084 }
1085 
1086 static void
1088 {
1089  struct pcap_ng_sf *ps = p->priv;
1090 
1091  free(ps->ifaces);
1092  sf_cleanup(p);
1093 }
1094 
1095 /*
1096  * Read and return the next packet from the savefile. Return the header
1097  * in hdr and a pointer to the contents in data. Return 0 on success, 1
1098  * if there were no more packets, and -1 on an error.
1099  */
1100 static int
1101 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1102 {
1103  struct pcap_ng_sf *ps = p->priv;
1104  struct block_cursor cursor;
1105  int status;
1106  struct enhanced_packet_block *epbp;
1107  struct simple_packet_block *spbp;
1108  struct packet_block *pbp;
1109  bpf_u_int32 interface_id = 0xFFFFFFFF;
1110  struct interface_description_block *idbp;
1111  struct section_header_block *shbp;
1112  FILE *fp = p->rfile;
1113  uint64_t t, sec, frac;
1114 
1115  /*
1116  * Look for an Enhanced Packet Block, a Simple Packet Block,
1117  * or a Packet Block.
1118  */
1119  for (;;) {
1120  /*
1121  * Read the block type and length; those are common
1122  * to all blocks.
1123  */
1124  status = read_block(fp, p, &cursor, p->errbuf);
1125  if (status == 0)
1126  return (1); /* EOF */
1127  if (status == -1)
1128  return (-1); /* error */
1129  switch (cursor.block_type) {
1130 
1131  case BT_EPB:
1132  /*
1133  * Get a pointer to the fixed-length portion of the
1134  * EPB.
1135  */
1136  epbp = get_from_block_data(&cursor, sizeof(*epbp),
1137  p->errbuf);
1138  if (epbp == NULL)
1139  return (-1); /* error */
1140 
1141  /*
1142  * Byte-swap it if necessary.
1143  */
1144  if (p->swapped) {
1145  /* these were written in opposite byte order */
1146  interface_id = SWAPLONG(epbp->interface_id);
1147  hdr->caplen = SWAPLONG(epbp->caplen);
1148  hdr->len = SWAPLONG(epbp->len);
1149  t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1150  SWAPLONG(epbp->timestamp_low);
1151  } else {
1152  interface_id = epbp->interface_id;
1153  hdr->caplen = epbp->caplen;
1154  hdr->len = epbp->len;
1155  t = ((uint64_t)epbp->timestamp_high) << 32 |
1156  epbp->timestamp_low;
1157  }
1158  goto found;
1159 
1160  case BT_SPB:
1161  /*
1162  * Get a pointer to the fixed-length portion of the
1163  * SPB.
1164  */
1165  spbp = get_from_block_data(&cursor, sizeof(*spbp),
1166  p->errbuf);
1167  if (spbp == NULL)
1168  return (-1); /* error */
1169 
1170  /*
1171  * SPB packets are assumed to have arrived on
1172  * the first interface.
1173  */
1174  interface_id = 0;
1175 
1176  /*
1177  * Byte-swap it if necessary.
1178  */
1179  if (p->swapped) {
1180  /* these were written in opposite byte order */
1181  hdr->len = SWAPLONG(spbp->len);
1182  } else
1183  hdr->len = spbp->len;
1184 
1185  /*
1186  * The SPB doesn't give the captured length;
1187  * it's the minimum of the snapshot length
1188  * and the packet length.
1189  */
1190  hdr->caplen = hdr->len;
1191  if (hdr->caplen > (bpf_u_int32)p->snapshot)
1192  hdr->caplen = p->snapshot;
1193  t = 0; /* no time stamps */
1194  goto found;
1195 
1196  case BT_PB:
1197  /*
1198  * Get a pointer to the fixed-length portion of the
1199  * PB.
1200  */
1201  pbp = get_from_block_data(&cursor, sizeof(*pbp),
1202  p->errbuf);
1203  if (pbp == NULL)
1204  return (-1); /* error */
1205 
1206  /*
1207  * Byte-swap it if necessary.
1208  */
1209  if (p->swapped) {
1210  /* these were written in opposite byte order */
1211  interface_id = SWAPSHORT(pbp->interface_id);
1212  hdr->caplen = SWAPLONG(pbp->caplen);
1213  hdr->len = SWAPLONG(pbp->len);
1214  t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1215  SWAPLONG(pbp->timestamp_low);
1216  } else {
1217  interface_id = pbp->interface_id;
1218  hdr->caplen = pbp->caplen;
1219  hdr->len = pbp->len;
1220  t = ((uint64_t)pbp->timestamp_high) << 32 |
1221  pbp->timestamp_low;
1222  }
1223  goto found;
1224 
1225  case BT_IDB:
1226  /*
1227  * Interface Description Block. Get a pointer
1228  * to its fixed-length portion.
1229  */
1230  idbp = get_from_block_data(&cursor, sizeof(*idbp),
1231  p->errbuf);
1232  if (idbp == NULL)
1233  return (-1); /* error */
1234 
1235  /*
1236  * Byte-swap it if necessary.
1237  */
1238  if (p->swapped) {
1239  idbp->linktype = SWAPSHORT(idbp->linktype);
1240  idbp->snaplen = SWAPLONG(idbp->snaplen);
1241  }
1242 
1243  /*
1244  * If the link-layer type or snapshot length
1245  * differ from the ones for the first IDB we
1246  * saw, quit.
1247  *
1248  * XXX - just discard packets from those
1249  * interfaces?
1250  */
1251  if (p->linktype != idbp->linktype) {
1253  "an interface has a type %u different from the type of the first interface",
1254  idbp->linktype);
1255  return (-1);
1256  }
1257 
1258  /*
1259  * Check against the *adjusted* value of this IDB's
1260  * snapshot length.
1261  */
1262  if ((bpf_u_int32)p->snapshot !=
1263  pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
1265  "an interface has a snapshot length %u different from the snapshot length of the first interface",
1266  idbp->snaplen);
1267  return (-1);
1268  }
1269 
1270  /*
1271  * Try to add this interface.
1272  */
1273  if (!add_interface(p, idbp, &cursor, p->errbuf))
1274  return (-1);
1275  break;
1276 
1277  case BT_SHB:
1278  /*
1279  * Section Header Block. Get a pointer
1280  * to its fixed-length portion.
1281  */
1282  shbp = get_from_block_data(&cursor, sizeof(*shbp),
1283  p->errbuf);
1284  if (shbp == NULL)
1285  return (-1); /* error */
1286 
1287  /*
1288  * Assume the byte order of this section is
1289  * the same as that of the previous section.
1290  * We'll check for that later.
1291  */
1292  if (p->swapped) {
1293  shbp->byte_order_magic =
1294  SWAPLONG(shbp->byte_order_magic);
1295  shbp->major_version =
1296  SWAPSHORT(shbp->major_version);
1297  }
1298 
1299  /*
1300  * Make sure the byte order doesn't change;
1301  * pcap_is_swapped() shouldn't change its
1302  * return value in the middle of reading a capture.
1303  */
1304  switch (shbp->byte_order_magic) {
1305 
1306  case BYTE_ORDER_MAGIC:
1307  /*
1308  * OK.
1309  */
1310  break;
1311 
1312  case SWAPLONG(BYTE_ORDER_MAGIC):
1313  /*
1314  * Byte order changes.
1315  */
1317  "the file has sections with different byte orders");
1318  return (-1);
1319 
1320  default:
1321  /*
1322  * Not a valid SHB.
1323  */
1325  "the file has a section with a bad byte order magic field");
1326  return (-1);
1327  }
1328 
1329  /*
1330  * Make sure the major version is the version
1331  * we handle.
1332  */
1333  if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1335  "unknown pcapng savefile major version number %u",
1336  shbp->major_version);
1337  return (-1);
1338  }
1339 
1340  /*
1341  * Reset the interface count; this section should
1342  * have its own set of IDBs. If any of them
1343  * don't have the same interface type, snapshot
1344  * length, or resolution as the first interface
1345  * we saw, we'll fail. (And if we don't see
1346  * any IDBs, we'll fail when we see a packet
1347  * block.)
1348  */
1349  ps->ifcount = 0;
1350  break;
1351 
1352  default:
1353  /*
1354  * Not a packet block, IDB, or SHB; ignore it.
1355  */
1356  break;
1357  }
1358  }
1359 
1360 found:
1361  /*
1362  * Is the interface ID an interface we know?
1363  */
1364  if (interface_id >= ps->ifcount) {
1365  /*
1366  * Yes. Fail.
1367  */
1369  "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1370  interface_id);
1371  return (-1);
1372  }
1373 
1374  if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1376  "invalid packet capture length %u, bigger than "
1377  "snaplen of %d", hdr->caplen, p->snapshot);
1378  return (-1);
1379  }
1380 
1381  /*
1382  * Convert the time stamp to seconds and fractions of a second,
1383  * with the fractions being in units of the file-supplied resolution.
1384  */
1385  sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1386  frac = t % ps->ifaces[interface_id].tsresol;
1387 
1388  /*
1389  * Convert the fractions from units of the file-supplied resolution
1390  * to units of the user-requested resolution.
1391  */
1392  switch (ps->ifaces[interface_id].scale_type) {
1393 
1394  case PASS_THROUGH:
1395  /*
1396  * The interface resolution is what the user wants,
1397  * so we're done.
1398  */
1399  break;
1400 
1401  case SCALE_UP_DEC:
1402  /*
1403  * The interface resolution is less than what the user
1404  * wants; scale the fractional part up to the units of
1405  * the resolution the user requested by multiplying by
1406  * the quotient of the user-requested resolution and the
1407  * file-supplied resolution.
1408  *
1409  * Those resolutions are both powers of 10, and the user-
1410  * requested resolution is greater than the file-supplied
1411  * resolution, so the quotient in question is an integer.
1412  * We've calculated that quotient already, so we just
1413  * multiply by it.
1414  */
1415  frac *= ps->ifaces[interface_id].scale_factor;
1416  break;
1417 
1418  case SCALE_UP_BIN:
1419  /*
1420  * The interface resolution is less than what the user
1421  * wants; scale the fractional part up to the units of
1422  * the resolution the user requested by multiplying by
1423  * the quotient of the user-requested resolution and the
1424  * file-supplied resolution.
1425  *
1426  * The file-supplied resolution is a power of 2, so the
1427  * quotient is not an integer, so, in order to do this
1428  * entirely with integer arithmetic, we multiply by the
1429  * user-requested resolution and divide by the file-
1430  * supplied resolution.
1431  *
1432  * XXX - Is there something clever we could do here,
1433  * given that we know that the file-supplied resolution
1434  * is a power of 2? Doing a multiplication followed by
1435  * a division runs the risk of overflowing, and involves
1436  * two non-simple arithmetic operations.
1437  */
1438  frac *= ps->user_tsresol;
1439  frac /= ps->ifaces[interface_id].tsresol;
1440  break;
1441 
1442  case SCALE_DOWN_DEC:
1443  /*
1444  * The interface resolution is greater than what the user
1445  * wants; scale the fractional part up to the units of
1446  * the resolution the user requested by multiplying by
1447  * the quotient of the user-requested resolution and the
1448  * file-supplied resolution.
1449  *
1450  * Those resolutions are both powers of 10, and the user-
1451  * requested resolution is less than the file-supplied
1452  * resolution, so the quotient in question isn't an
1453  * integer, but its reciprocal is, and we can just divide
1454  * by the reciprocal of the quotient. We've calculated
1455  * the reciprocal of that quotient already, so we must
1456  * divide by it.
1457  */
1458  frac /= ps->ifaces[interface_id].scale_factor;
1459  break;
1460 
1461 
1462  case SCALE_DOWN_BIN:
1463  /*
1464  * The interface resolution is greater than what the user
1465  * wants; convert the fractional part to units of the
1466  * resolution the user requested by multiplying by the
1467  * quotient of the user-requested resolution and the
1468  * file-supplied resolution. We do that by multiplying
1469  * by the user-requested resolution and dividing by the
1470  * file-supplied resolution, as the quotient might not
1471  * fit in an integer.
1472  *
1473  * The file-supplied resolution is a power of 2, so the
1474  * quotient is not an integer, and neither is its
1475  * reciprocal, so, in order to do this entirely with
1476  * integer arithmetic, we multiply by the user-requested
1477  * resolution and divide by the file-supplied resolution.
1478  *
1479  * XXX - Is there something clever we could do here,
1480  * given that we know that the file-supplied resolution
1481  * is a power of 2? Doing a multiplication followed by
1482  * a division runs the risk of overflowing, and involves
1483  * two non-simple arithmetic operations.
1484  */
1485  frac *= ps->user_tsresol;
1486  frac /= ps->ifaces[interface_id].tsresol;
1487  break;
1488  }
1489 #ifdef _WIN32
1490  /*
1491  * tv_sec and tv_used in the Windows struct timeval are both
1492  * longs.
1493  */
1494  hdr->ts.tv_sec = (long)sec;
1495  hdr->ts.tv_usec = (long)frac;
1496 #else
1497  /*
1498  * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1499  * suseconds_t in UN*Xes that work the way the current Single
1500  * UNIX Standard specify - but not all older UN*Xes necessarily
1501  * support that type, so just cast to int.
1502  */
1503  hdr->ts.tv_sec = (time_t)sec;
1504  hdr->ts.tv_usec = (int)frac;
1505 #endif
1506 
1507  /*
1508  * Get a pointer to the packet data.
1509  */
1510  *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1511  if (*data == NULL)
1512  return (-1);
1513 
1514  if (p->swapped)
1515  swap_pseudo_headers(p->linktype, hdr, *data);
1516 
1517  return (0);
1518 }
u_int bpf_u_int32
Definition: bpf.h:98
void pcap_fmt_errmsg_for_errno(char *errbuf, size_t errbuflen, int errnum, const char *fmt,...)
Definition: fmtutils.c:269
#define SWAPLONG(y)
Definition: gencode.c:1955
int snprintf(char *, size_t, const char *,...)
int linktype_to_dlt(int linktype)
Definition: pcap-common.c:1311
u_int max_snaplen_for_dlt(int dlt)
Definition: pcap-common.c:1377
void swap_pseudo_headers(int linktype, struct pcap_pkthdr *hdr, u_char *data)
Definition: pcap-common.c:1651
#define SWAPSHORT(y)
Definition: pcap-common.h:42
int errno
void sf_cleanup(pcap_t *p)
Definition: savefile.c:241
bpf_u_int32 pcap_adjust_snapshot(bpf_u_int32 linktype, bpf_u_int32 snaplen)
Definition: savefile.c:444
#define SWAPLL(ull)
Definition: pcap-int.h:96
#define PCAP_OPEN_OFFLINE_COMMON(ebuf, type)
Definition: pcap-int.h:558
#define PCAP_TSTAMP_PRECISION_NANO
Definition: pcap.h:512
#define PCAP_TSTAMP_PRECISION_MICRO
Definition: pcap.h:511
#define PCAP_ERRBUF_SIZE
Definition: pcap.h:152
tstamp_scale_type_t
Definition: sf-pcap.c:136
#define BT_PB
Definition: sf-pcapng.c:166
static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
Definition: sf-pcapng.c:1101
#define IF_TSOFFSET
Definition: sf-pcapng.c:137
static void pcap_ng_cleanup(pcap_t *p)
Definition: sf-pcapng.c:1087
#define IF_TSRESOL
Definition: sf-pcapng.c:132
#define INITIAL_MAX_BLOCKSIZE
Definition: sf-pcapng.c:239
#define BT_SHB_INSANE_MAX
Definition: sf-pcapng.c:88
static void * get_optvalue_from_block_data(struct block_cursor *cursor, struct option_header *opthdr, char *errbuf)
Definition: sf-pcapng.c:439
#define PCAP_NG_VERSION_MAJOR
Definition: sf-pcapng.c:107
#define BT_IDB
Definition: sf-pcapng.c:113
static int process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol, uint64_t *tsoffset, int *is_binary, char *errbuf)
Definition: sf-pcapng.c:461
static int add_interface(pcap_t *p, struct interface_description_block *idbp, struct block_cursor *cursor, char *errbuf)
Definition: sf-pcapng.c:592
#define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen)
Definition: sf-pcapng.c:246
pcap_t * pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision, char *errbuf, int *err)
Definition: sf-pcapng.c:769
#define BT_EPB
Definition: sf-pcapng.c:142
#define OPT_ENDOFOPT
Definition: sf-pcapng.c:68
#define BT_SHB
Definition: sf-pcapng.c:87
#define BYTE_ORDER_MAGIC
Definition: sf-pcapng.c:100
static void * get_from_block_data(struct block_cursor *cursor, size_t chunk_size, char *errbuf)
Definition: sf-pcapng.c:389
static int read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
Definition: sf-pcapng.c:280
static struct option_header * get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
Definition: sf-pcapng.c:415
static int read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof, char *errbuf)
Definition: sf-pcapng.c:257
#define BT_SPB
Definition: sf-pcapng.c:156
#define PCAP_NG_VERSION_MINOR
Definition: sf-pcapng.c:108
tstamp_scale_type_t
Definition: sf-pcapng.c:189
@ SCALE_DOWN_BIN
Definition: sf-pcapng.c:194
@ SCALE_UP_DEC
Definition: sf-pcapng.c:191
@ SCALE_DOWN_DEC
Definition: sf-pcapng.c:192
@ SCALE_UP_BIN
Definition: sf-pcapng.c:193
@ PASS_THROUGH
Definition: sf-pcapng.c:190
u_char * data
Definition: sf-pcapng.c:184
size_t data_remaining
Definition: sf-pcapng.c:185
bpf_u_int32 block_type
Definition: sf-pcapng.c:186
bpf_u_int32 block_type
Definition: sf-pcapng.c:54
bpf_u_int32 total_length
Definition: sf-pcapng.c:55
bpf_u_int32 total_length
Definition: sf-pcapng.c:62
bpf_u_int32 timestamp_high
Definition: sf-pcapng.c:146
bpf_u_int32 interface_id
Definition: sf-pcapng.c:145
bpf_u_int32 caplen
Definition: sf-pcapng.c:148
bpf_u_int32 timestamp_low
Definition: sf-pcapng.c:147
u_short option_length
Definition: sf-pcapng.c:76
u_short option_code
Definition: sf-pcapng.c:75
u_short drops_count
Definition: sf-pcapng.c:170
bpf_u_int32 timestamp_high
Definition: sf-pcapng.c:171
bpf_u_int32 caplen
Definition: sf-pcapng.c:173
bpf_u_int32 timestamp_low
Definition: sf-pcapng.c:172
bpf_u_int32 len
Definition: sf-pcapng.c:174
u_short interface_id
Definition: sf-pcapng.c:169
uint64_t tsoffset
Definition: sf-pcapng.c:205
uint64_t scale_factor
Definition: sf-pcapng.c:204
uint32_t snaplen
Definition: sf-pcapng.c:201
uint64_t tsresol
Definition: sf-pcapng.c:202
tstamp_scale_type_t scale_type
Definition: sf-pcapng.c:203
u_int max_blocksize
Definition: sf-pcapng.c:229
uint64_t user_tsresol
Definition: sf-pcapng.c:228
bpf_u_int32 ifaces_size
Definition: sf-pcapng.c:231
struct pcap_ng_if * ifaces
Definition: sf-pcapng.c:232
bpf_u_int32 ifcount
Definition: sf-pcapng.c:230
int tstamp_precision
Definition: pcap-int.h:154
bpf_u_int32 caplen
Definition: pcap.h:247
struct timeval ts
Definition: pcap.h:246
bpf_u_int32 len
Definition: pcap.h:248
Definition: pcap-int.h:200
int version_major
Definition: pcap-int.h:244
int swapped
Definition: pcap-int.h:233
int linktype_ext
Definition: pcap-int.h:249
u_int bufsize
Definition: pcap-int.h:220
void * priv
Definition: pcap-int.h:227
void * buffer
Definition: pcap-int.h:221
next_packet_op_t next_packet_op
Definition: pcap-int.h:209
int snapshot
Definition: pcap-int.h:247
cleanup_op_t cleanup_op
Definition: pcap-int.h:346
int version_minor
Definition: pcap-int.h:245
char errbuf[256+1]
Definition: pcap-int.h:295
int linktype
Definition: pcap-int.h:248
struct pcap_opt opt
Definition: pcap-int.h:254
FILE * rfile
Definition: pcap-int.h:234
u_short major_version
Definition: sf-pcapng.c:91
bpf_u_int32 byte_order_magic
Definition: sf-pcapng.c:90
uint64_t section_length
Definition: sf-pcapng.c:93
u_short minor_version
Definition: sf-pcapng.c:92
bpf_u_int32 len
Definition: sf-pcapng.c:159