"Fossies" - the Fresh Open Source Software Archive

Member "libpcap-1.10.1/./sf-pcapng.c" (7 Jun 2021, 40506 Bytes) of package /linux/misc/libpcap-1.10.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "sf-pcapng.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 1.10.0_vs_1.10.1.

    1 /*
    2  * Copyright (c) 1993, 1994, 1995, 1996, 1997
    3  *  The Regents of the University of California.  All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that: (1) source code distributions
    7  * retain the above copyright notice and this paragraph in its entirety, (2)
    8  * distributions including binary code include the above copyright notice and
    9  * this paragraph in its entirety in the documentation or other materials
   10  * provided with the distribution, and (3) all advertising materials mentioning
   11  * features or use of this software display the following acknowledgement:
   12  * ``This product includes software developed by the University of California,
   13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
   14  * the University nor the names of its contributors may be used to endorse
   15  * or promote products derived from this software without specific prior
   16  * written permission.
   17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
   18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
   19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
   20  *
   21  * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
   22  */
   23 
   24 #ifdef HAVE_CONFIG_H
   25 #include <config.h>
   26 #endif
   27 
   28 #include <pcap/pcap-inttypes.h>
   29 
   30 #include <errno.h>
   31 #include <memory.h>
   32 #include <stdio.h>
   33 #include <stdlib.h>
   34 #include <string.h>
   35 
   36 #include "pcap-int.h"
   37 
   38 #include "pcap-common.h"
   39 
   40 #ifdef HAVE_OS_PROTO_H
   41 #include "os-proto.h"
   42 #endif
   43 
   44 #include "sf-pcapng.h"
   45 
   46 /*
   47  * Block types.
   48  */
   49 
   50 /*
   51  * Common part at the beginning of all blocks.
   52  */
   53 struct block_header {
   54     bpf_u_int32 block_type;
   55     bpf_u_int32 total_length;
   56 };
   57 
   58 /*
   59  * Common trailer at the end of all blocks.
   60  */
   61 struct block_trailer {
   62     bpf_u_int32 total_length;
   63 };
   64 
   65 /*
   66  * Common options.
   67  */
   68 #define OPT_ENDOFOPT    0   /* end of options */
   69 #define OPT_COMMENT 1   /* comment string */
   70 
   71 /*
   72  * Option header.
   73  */
   74 struct option_header {
   75     u_short     option_code;
   76     u_short     option_length;
   77 };
   78 
   79 /*
   80  * Structures for the part of each block type following the common
   81  * part.
   82  */
   83 
   84 /*
   85  * Section Header Block.
   86  */
   87 #define BT_SHB          0x0A0D0D0A
   88 #define BT_SHB_INSANE_MAX       1024U*1024U*1U  /* 1MB should be enough */
   89 struct section_header_block {
   90     bpf_u_int32 byte_order_magic;
   91     u_short     major_version;
   92     u_short     minor_version;
   93     uint64_t    section_length;
   94     /* followed by options and trailer */
   95 };
   96 
   97 /*
   98  * Byte-order magic value.
   99  */
  100 #define BYTE_ORDER_MAGIC    0x1A2B3C4D
  101 
  102 /*
  103  * Current version number.  If major_version isn't PCAP_NG_VERSION_MAJOR,
  104  * or if minor_version isn't PCAP_NG_VERSION_MINOR or 2, that means that
  105  * this code can't read the file.
  106  */
  107 #define PCAP_NG_VERSION_MAJOR   1
  108 #define PCAP_NG_VERSION_MINOR   0
  109 
  110 /*
  111  * Interface Description Block.
  112  */
  113 #define BT_IDB          0x00000001
  114 
  115 struct interface_description_block {
  116     u_short     linktype;
  117     u_short     reserved;
  118     bpf_u_int32 snaplen;
  119     /* followed by options and trailer */
  120 };
  121 
  122 /*
  123  * Options in the IDB.
  124  */
  125 #define IF_NAME     2   /* interface name string */
  126 #define IF_DESCRIPTION  3   /* interface description string */
  127 #define IF_IPV4ADDR 4   /* interface's IPv4 address and netmask */
  128 #define IF_IPV6ADDR 5   /* interface's IPv6 address and prefix length */
  129 #define IF_MACADDR  6   /* interface's MAC address */
  130 #define IF_EUIADDR  7   /* interface's EUI address */
  131 #define IF_SPEED    8   /* interface's speed, in bits/s */
  132 #define IF_TSRESOL  9   /* interface's time stamp resolution */
  133 #define IF_TZONE    10  /* interface's time zone */
  134 #define IF_FILTER   11  /* filter used when capturing on interface */
  135 #define IF_OS       12  /* string OS on which capture on this interface was done */
  136 #define IF_FCSLEN   13  /* FCS length for this interface */
  137 #define IF_TSOFFSET 14  /* time stamp offset for this interface */
  138 
  139 /*
  140  * Enhanced Packet Block.
  141  */
  142 #define BT_EPB          0x00000006
  143 
  144 struct enhanced_packet_block {
  145     bpf_u_int32 interface_id;
  146     bpf_u_int32 timestamp_high;
  147     bpf_u_int32 timestamp_low;
  148     bpf_u_int32 caplen;
  149     bpf_u_int32 len;
  150     /* followed by packet data, options, and trailer */
  151 };
  152 
  153 /*
  154  * Simple Packet Block.
  155  */
  156 #define BT_SPB          0x00000003
  157 
  158 struct simple_packet_block {
  159     bpf_u_int32 len;
  160     /* followed by packet data and trailer */
  161 };
  162 
  163 /*
  164  * Packet Block.
  165  */
  166 #define BT_PB           0x00000002
  167 
  168 struct packet_block {
  169     u_short     interface_id;
  170     u_short     drops_count;
  171     bpf_u_int32 timestamp_high;
  172     bpf_u_int32 timestamp_low;
  173     bpf_u_int32 caplen;
  174     bpf_u_int32 len;
  175     /* followed by packet data, options, and trailer */
  176 };
  177 
  178 /*
  179  * Block cursor - used when processing the contents of a block.
  180  * Contains a pointer into the data being processed and a count
  181  * of bytes remaining in the block.
  182  */
  183 struct block_cursor {
  184     u_char      *data;
  185     size_t      data_remaining;
  186     bpf_u_int32 block_type;
  187 };
  188 
  189 typedef enum {
  190     PASS_THROUGH,
  191     SCALE_UP_DEC,
  192     SCALE_DOWN_DEC,
  193     SCALE_UP_BIN,
  194     SCALE_DOWN_BIN
  195 } tstamp_scale_type_t;
  196 
  197 /*
  198  * Per-interface information.
  199  */
  200 struct pcap_ng_if {
  201     uint32_t snaplen;       /* snapshot length */
  202     uint64_t tsresol;       /* time stamp resolution */
  203     tstamp_scale_type_t scale_type; /* how to scale */
  204     uint64_t scale_factor;      /* time stamp scale factor for power-of-10 tsresol */
  205     uint64_t tsoffset;      /* time stamp offset */
  206 };
  207 
  208 /*
  209  * Per-pcap_t private data.
  210  *
  211  * max_blocksize is the maximum size of a block that we'll accept.  We
  212  * reject blocks bigger than this, so we don't consume too much memory
  213  * with a truly huge block.  It can change as we see IDBs with different
  214  * link-layer header types.  (Currently, we don't support IDBs with
  215  * different link-layer header types, but we will support it in the
  216  * future, when we offer file-reading APIs that support it.)
  217  *
  218  * XXX - that's an issue on ILP32 platforms, where the maximum block
  219  * size of 2^31-1 would eat all but one byte of the entire address space.
  220  * It's less of an issue on ILP64/LLP64 platforms, but the actual size
  221  * of the address space may be limited by 1) the number of *significant*
  222  * address bits (currently, x86-64 only supports 48 bits of address), 2)
  223  * any limitations imposed by the operating system; 3) any limitations
  224  * imposed by the amount of available backing store for anonymous pages,
  225  * so we impose a limit regardless of the size of a pointer.
  226  */
  227 struct pcap_ng_sf {
  228     uint64_t user_tsresol;      /* time stamp resolution requested by the user */
  229     u_int max_blocksize;        /* don't grow buffer size past this */
  230     bpf_u_int32 ifcount;        /* number of interfaces seen in this capture */
  231     bpf_u_int32 ifaces_size;    /* size of array below */
  232     struct pcap_ng_if *ifaces;  /* array of interface information */
  233 };
  234 
  235 /*
  236  * The maximum block size we start with; we use an arbitrary value of
  237  * 16 MiB.
  238  */
  239 #define INITIAL_MAX_BLOCKSIZE   (16*1024*1024)
  240 
  241 /*
  242  * Maximum block size for a given maximum snapshot length; we define it
  243  * as the size of an EPB with a max_snaplen-sized packet and 128KB of
  244  * options.
  245  */
  246 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
  247     (sizeof (struct block_header) + \
  248      sizeof (struct enhanced_packet_block) + \
  249      (max_snaplen) + 131072 + \
  250      sizeof (struct block_trailer))
  251 
  252 static void pcap_ng_cleanup(pcap_t *p);
  253 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
  254     u_char **data);
  255 
  256 static int
  257 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
  258     char *errbuf)
  259 {
  260     size_t amt_read;
  261 
  262     amt_read = fread(buf, 1, bytes_to_read, fp);
  263     if (amt_read != bytes_to_read) {
  264         if (ferror(fp)) {
  265             pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  266                 errno, "error reading dump file");
  267         } else {
  268             if (amt_read == 0 && !fail_on_eof)
  269                 return (0); /* EOF */
  270             snprintf(errbuf, PCAP_ERRBUF_SIZE,
  271                 "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
  272                 bytes_to_read, amt_read);
  273         }
  274         return (-1);
  275     }
  276     return (1);
  277 }
  278 
  279 static int
  280 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
  281 {
  282     struct pcap_ng_sf *ps;
  283     int status;
  284     struct block_header bhdr;
  285     struct block_trailer *btrlr;
  286     u_char *bdata;
  287     size_t data_remaining;
  288 
  289     ps = p->priv;
  290 
  291     status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
  292     if (status <= 0)
  293         return (status);    /* error or EOF */
  294 
  295     if (p->swapped) {
  296         bhdr.block_type = SWAPLONG(bhdr.block_type);
  297         bhdr.total_length = SWAPLONG(bhdr.total_length);
  298     }
  299 
  300     /*
  301      * Is this block "too small" - i.e., is it shorter than a block
  302      * header plus a block trailer?
  303      */
  304     if (bhdr.total_length < sizeof(struct block_header) +
  305         sizeof(struct block_trailer)) {
  306         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  307             "block in pcapng dump file has a length of %u < %zu",
  308             bhdr.total_length,
  309             sizeof(struct block_header) + sizeof(struct block_trailer));
  310         return (-1);
  311     }
  312 
  313     /*
  314      * Is the block total length a multiple of 4?
  315      */
  316     if ((bhdr.total_length % 4) != 0) {
  317         /*
  318          * No.  Report that as an error.
  319          */
  320         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  321             "block in pcapng dump file has a length of %u that is not a multiple of 4",
  322             bhdr.total_length);
  323         return (-1);
  324     }
  325 
  326     /*
  327      * Is the buffer big enough?
  328      */
  329     if (p->bufsize < bhdr.total_length) {
  330         /*
  331          * No - make it big enough, unless it's too big, in
  332          * which case we fail.
  333          */
  334         void *bigger_buffer;
  335 
  336         if (bhdr.total_length > ps->max_blocksize) {
  337             snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
  338                 ps->max_blocksize);
  339             return (-1);
  340         }
  341         bigger_buffer = realloc(p->buffer, bhdr.total_length);
  342         if (bigger_buffer == NULL) {
  343             snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
  344             return (-1);
  345         }
  346         p->buffer = bigger_buffer;
  347     }
  348 
  349     /*
  350      * Copy the stuff we've read to the buffer, and read the rest
  351      * of the block.
  352      */
  353     memcpy(p->buffer, &bhdr, sizeof(bhdr));
  354     bdata = (u_char *)p->buffer + sizeof(bhdr);
  355     data_remaining = bhdr.total_length - sizeof(bhdr);
  356     if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
  357         return (-1);
  358 
  359     /*
  360      * Get the block size from the trailer.
  361      */
  362     btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
  363     if (p->swapped)
  364         btrlr->total_length = SWAPLONG(btrlr->total_length);
  365 
  366     /*
  367      * Is the total length from the trailer the same as the total
  368      * length from the header?
  369      */
  370     if (bhdr.total_length != btrlr->total_length) {
  371         /*
  372          * No.
  373          */
  374         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  375             "block total length in header and trailer don't match");
  376         return (-1);
  377     }
  378 
  379     /*
  380      * Initialize the cursor.
  381      */
  382     cursor->data = bdata;
  383     cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
  384     cursor->block_type = bhdr.block_type;
  385     return (1);
  386 }
  387 
  388 static void *
  389 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
  390     char *errbuf)
  391 {
  392     void *data;
  393 
  394     /*
  395      * Make sure we have the specified amount of data remaining in
  396      * the block data.
  397      */
  398     if (cursor->data_remaining < chunk_size) {
  399         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  400             "block of type %u in pcapng dump file is too short",
  401             cursor->block_type);
  402         return (NULL);
  403     }
  404 
  405     /*
  406      * Return the current pointer, and skip past the chunk.
  407      */
  408     data = cursor->data;
  409     cursor->data += chunk_size;
  410     cursor->data_remaining -= chunk_size;
  411     return (data);
  412 }
  413 
  414 static struct option_header *
  415 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
  416 {
  417     struct option_header *opthdr;
  418 
  419     opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
  420     if (opthdr == NULL) {
  421         /*
  422          * Option header is cut short.
  423          */
  424         return (NULL);
  425     }
  426 
  427     /*
  428      * Byte-swap it if necessary.
  429      */
  430     if (p->swapped) {
  431         opthdr->option_code = SWAPSHORT(opthdr->option_code);
  432         opthdr->option_length = SWAPSHORT(opthdr->option_length);
  433     }
  434 
  435     return (opthdr);
  436 }
  437 
  438 static void *
  439 get_optvalue_from_block_data(struct block_cursor *cursor,
  440     struct option_header *opthdr, char *errbuf)
  441 {
  442     size_t padded_option_len;
  443     void *optvalue;
  444 
  445     /* Pad option length to 4-byte boundary */
  446     padded_option_len = opthdr->option_length;
  447     padded_option_len = ((padded_option_len + 3)/4)*4;
  448 
  449     optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
  450     if (optvalue == NULL) {
  451         /*
  452          * Option value is cut short.
  453          */
  454         return (NULL);
  455     }
  456 
  457     return (optvalue);
  458 }
  459 
  460 static int
  461 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
  462     uint64_t *tsoffset, int *is_binary, char *errbuf)
  463 {
  464     struct option_header *opthdr;
  465     void *optvalue;
  466     int saw_tsresol, saw_tsoffset;
  467     uint8_t tsresol_opt;
  468     u_int i;
  469 
  470     saw_tsresol = 0;
  471     saw_tsoffset = 0;
  472     while (cursor->data_remaining != 0) {
  473         /*
  474          * Get the option header.
  475          */
  476         opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
  477         if (opthdr == NULL) {
  478             /*
  479              * Option header is cut short.
  480              */
  481             return (-1);
  482         }
  483 
  484         /*
  485          * Get option value.
  486          */
  487         optvalue = get_optvalue_from_block_data(cursor, opthdr,
  488             errbuf);
  489         if (optvalue == NULL) {
  490             /*
  491              * Option value is cut short.
  492              */
  493             return (-1);
  494         }
  495 
  496         switch (opthdr->option_code) {
  497 
  498         case OPT_ENDOFOPT:
  499             if (opthdr->option_length != 0) {
  500                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  501                     "Interface Description Block has opt_endofopt option with length %u != 0",
  502                     opthdr->option_length);
  503                 return (-1);
  504             }
  505             goto done;
  506 
  507         case IF_TSRESOL:
  508             if (opthdr->option_length != 1) {
  509                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  510                     "Interface Description Block has if_tsresol option with length %u != 1",
  511                     opthdr->option_length);
  512                 return (-1);
  513             }
  514             if (saw_tsresol) {
  515                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  516                     "Interface Description Block has more than one if_tsresol option");
  517                 return (-1);
  518             }
  519             saw_tsresol = 1;
  520             memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
  521             if (tsresol_opt & 0x80) {
  522                 /*
  523                  * Resolution is negative power of 2.
  524                  */
  525                 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
  526 
  527                 if (tsresol_shift > 63) {
  528                     /*
  529                      * Resolution is too high; 2^-{res}
  530                      * won't fit in a 64-bit value.
  531                      */
  532                     snprintf(errbuf, PCAP_ERRBUF_SIZE,
  533                         "Interface Description Block if_tsresol option resolution 2^-%u is too high",
  534                         tsresol_shift);
  535                     return (-1);
  536                 }
  537                 *is_binary = 1;
  538                 *tsresol = ((uint64_t)1) << tsresol_shift;
  539             } else {
  540                 /*
  541                  * Resolution is negative power of 10.
  542                  */
  543                 if (tsresol_opt > 19) {
  544                     /*
  545                      * Resolution is too high; 2^-{res}
  546                      * won't fit in a 64-bit value (the
  547                      * largest power of 10 that fits
  548                      * in a 64-bit value is 10^19, as
  549                      * the largest 64-bit unsigned
  550                      * value is ~1.8*10^19).
  551                      */
  552                     snprintf(errbuf, PCAP_ERRBUF_SIZE,
  553                         "Interface Description Block if_tsresol option resolution 10^-%u is too high",
  554                         tsresol_opt);
  555                     return (-1);
  556                 }
  557                 *is_binary = 0;
  558                 *tsresol = 1;
  559                 for (i = 0; i < tsresol_opt; i++)
  560                     *tsresol *= 10;
  561             }
  562             break;
  563 
  564         case IF_TSOFFSET:
  565             if (opthdr->option_length != 8) {
  566                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  567                     "Interface Description Block has if_tsoffset option with length %u != 8",
  568                     opthdr->option_length);
  569                 return (-1);
  570             }
  571             if (saw_tsoffset) {
  572                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  573                     "Interface Description Block has more than one if_tsoffset option");
  574                 return (-1);
  575             }
  576             saw_tsoffset = 1;
  577             memcpy(tsoffset, optvalue, sizeof(*tsoffset));
  578             if (p->swapped)
  579                 *tsoffset = SWAPLL(*tsoffset);
  580             break;
  581 
  582         default:
  583             break;
  584         }
  585     }
  586 
  587 done:
  588     return (0);
  589 }
  590 
  591 static int
  592 add_interface(pcap_t *p, struct interface_description_block *idbp,
  593     struct block_cursor *cursor, char *errbuf)
  594 {
  595     struct pcap_ng_sf *ps;
  596     uint64_t tsresol;
  597     uint64_t tsoffset;
  598     int is_binary;
  599 
  600     ps = p->priv;
  601 
  602     /*
  603      * Count this interface.
  604      */
  605     ps->ifcount++;
  606 
  607     /*
  608      * Grow the array of per-interface information as necessary.
  609      */
  610     if (ps->ifcount > ps->ifaces_size) {
  611         /*
  612          * We need to grow the array.
  613          */
  614         bpf_u_int32 new_ifaces_size;
  615         struct pcap_ng_if *new_ifaces;
  616 
  617         if (ps->ifaces_size == 0) {
  618             /*
  619              * It's currently empty.
  620              *
  621              * (The Clang static analyzer doesn't do enough,
  622              * err, umm, dataflow *analysis* to realize that
  623              * ps->ifaces_size == 0 if ps->ifaces == NULL,
  624              * and so complains about a possible zero argument
  625              * to realloc(), so we check for the former
  626              * condition to shut it up.
  627              *
  628              * However, it doesn't complain that one of the
  629              * multiplications below could overflow, which is
  630              * a real, albeit extremely unlikely, problem (you'd
  631              * need a pcapng file with tens of millions of
  632              * interfaces).)
  633              */
  634             new_ifaces_size = 1;
  635             new_ifaces = malloc(sizeof (struct pcap_ng_if));
  636         } else {
  637             /*
  638              * It's not currently empty; double its size.
  639              * (Perhaps overkill once we have a lot of interfaces.)
  640              *
  641              * Check for overflow if we double it.
  642              */
  643             if (ps->ifaces_size * 2 < ps->ifaces_size) {
  644                 /*
  645                  * The maximum number of interfaces before
  646                  * ps->ifaces_size overflows is the largest
  647                  * possible 32-bit power of 2, as we do
  648                  * size doubling.
  649                  */
  650                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  651                     "more than %u interfaces in the file",
  652                     0x80000000U);
  653                 return (0);
  654             }
  655 
  656             /*
  657              * ps->ifaces_size * 2 doesn't overflow, so it's
  658              * safe to multiply.
  659              */
  660             new_ifaces_size = ps->ifaces_size * 2;
  661 
  662             /*
  663              * Now make sure that's not so big that it overflows
  664              * if we multiply by sizeof (struct pcap_ng_if).
  665              *
  666              * That can happen on 32-bit platforms, with a 32-bit
  667              * size_t; it shouldn't happen on 64-bit platforms,
  668              * with a 64-bit size_t, as new_ifaces_size is
  669              * 32 bits.
  670              */
  671             if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
  672                 /*
  673                  * As this fails only with 32-bit size_t,
  674                  * the multiplication was 32x32->32, and
  675                  * the largest 32-bit value that can safely
  676                  * be multiplied by sizeof (struct pcap_ng_if)
  677                  * without overflow is the largest 32-bit
  678                  * (unsigned) value divided by
  679                  * sizeof (struct pcap_ng_if).
  680                  */
  681                 snprintf(errbuf, PCAP_ERRBUF_SIZE,
  682                     "more than %u interfaces in the file",
  683                     0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
  684                 return (0);
  685             }
  686             new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
  687         }
  688         if (new_ifaces == NULL) {
  689             /*
  690              * We ran out of memory.
  691              * Give up.
  692              */
  693             snprintf(errbuf, PCAP_ERRBUF_SIZE,
  694                 "out of memory for per-interface information (%u interfaces)",
  695                 ps->ifcount);
  696             return (0);
  697         }
  698         ps->ifaces_size = new_ifaces_size;
  699         ps->ifaces = new_ifaces;
  700     }
  701 
  702     ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
  703 
  704     /*
  705      * Set the default time stamp resolution and offset.
  706      */
  707     tsresol = 1000000;  /* microsecond resolution */
  708     is_binary = 0;      /* which is a power of 10 */
  709     tsoffset = 0;       /* absolute timestamps */
  710 
  711     /*
  712      * Now look for various time stamp options, so we know
  713      * how to interpret the time stamps for this interface.
  714      */
  715     if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
  716         errbuf) == -1)
  717         return (0);
  718 
  719     ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
  720     ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
  721 
  722     /*
  723      * Determine whether we're scaling up or down or not
  724      * at all for this interface.
  725      */
  726     if (tsresol == ps->user_tsresol) {
  727         /*
  728          * The resolution is the resolution the user wants,
  729          * so we don't have to do scaling.
  730          */
  731         ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
  732     } else if (tsresol > ps->user_tsresol) {
  733         /*
  734          * The resolution is greater than what the user wants,
  735          * so we have to scale the timestamps down.
  736          */
  737         if (is_binary)
  738             ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
  739         else {
  740             /*
  741              * Calculate the scale factor.
  742              */
  743             ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
  744             ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
  745         }
  746     } else {
  747         /*
  748          * The resolution is less than what the user wants,
  749          * so we have to scale the timestamps up.
  750          */
  751         if (is_binary)
  752             ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
  753         else {
  754             /*
  755              * Calculate the scale factor.
  756              */
  757             ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
  758             ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
  759         }
  760     }
  761     return (1);
  762 }
  763 
  764 /*
  765  * Check whether this is a pcapng savefile and, if it is, extract the
  766  * relevant information from the header.
  767  */
  768 pcap_t *
  769 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
  770     char *errbuf, int *err)
  771 {
  772     bpf_u_int32 magic_int;
  773     size_t amt_read;
  774     bpf_u_int32 total_length;
  775     bpf_u_int32 byte_order_magic;
  776     struct block_header *bhdrp;
  777     struct section_header_block *shbp;
  778     pcap_t *p;
  779     int swapped = 0;
  780     struct pcap_ng_sf *ps;
  781     int status;
  782     struct block_cursor cursor;
  783     struct interface_description_block *idbp;
  784 
  785     /*
  786      * Assume no read errors.
  787      */
  788     *err = 0;
  789 
  790     /*
  791      * Check whether the first 4 bytes of the file are the block
  792      * type for a pcapng savefile.
  793      */
  794     memcpy(&magic_int, magic, sizeof(magic_int));
  795     if (magic_int != BT_SHB) {
  796         /*
  797          * XXX - check whether this looks like what the block
  798          * type would be after being munged by mapping between
  799          * UN*X and DOS/Windows text file format and, if it
  800          * does, look for the byte-order magic number in
  801          * the appropriate place and, if we find it, report
  802          * this as possibly being a pcapng file transferred
  803          * between UN*X and Windows in text file format?
  804          */
  805         return (NULL);  /* nope */
  806     }
  807 
  808     /*
  809      * OK, they are.  However, that's just \n\r\r\n, so it could,
  810      * conceivably, be an ordinary text file.
  811      *
  812      * It could not, however, conceivably be any other type of
  813      * capture file, so we can read the rest of the putative
  814      * Section Header Block; put the block type in the common
  815      * header, read the rest of the common header and the
  816      * fixed-length portion of the SHB, and look for the byte-order
  817      * magic value.
  818      */
  819     amt_read = fread(&total_length, 1, sizeof(total_length), fp);
  820     if (amt_read < sizeof(total_length)) {
  821         if (ferror(fp)) {
  822             pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  823                 errno, "error reading dump file");
  824             *err = 1;
  825             return (NULL);  /* fail */
  826         }
  827 
  828         /*
  829          * Possibly a weird short text file, so just say
  830          * "not pcapng".
  831          */
  832         return (NULL);
  833     }
  834     amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
  835     if (amt_read < sizeof(byte_order_magic)) {
  836         if (ferror(fp)) {
  837             pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
  838                 errno, "error reading dump file");
  839             *err = 1;
  840             return (NULL);  /* fail */
  841         }
  842 
  843         /*
  844          * Possibly a weird short text file, so just say
  845          * "not pcapng".
  846          */
  847         return (NULL);
  848     }
  849     if (byte_order_magic != BYTE_ORDER_MAGIC) {
  850         byte_order_magic = SWAPLONG(byte_order_magic);
  851         if (byte_order_magic != BYTE_ORDER_MAGIC) {
  852             /*
  853              * Not a pcapng file.
  854              */
  855             return (NULL);
  856         }
  857         swapped = 1;
  858         total_length = SWAPLONG(total_length);
  859     }
  860 
  861     /*
  862      * Check the sanity of the total length.
  863      */
  864     if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
  865             (total_length > BT_SHB_INSANE_MAX)) {
  866         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  867             "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
  868             sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
  869             total_length,
  870             BT_SHB_INSANE_MAX);
  871 
  872         *err = 1;
  873         return (NULL);
  874     }
  875 
  876     /*
  877      * OK, this is a good pcapng file.
  878      * Allocate a pcap_t for it.
  879      */
  880     p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
  881     if (p == NULL) {
  882         /* Allocation failed. */
  883         *err = 1;
  884         return (NULL);
  885     }
  886     p->swapped = swapped;
  887     ps = p->priv;
  888 
  889     /*
  890      * What precision does the user want?
  891      */
  892     switch (precision) {
  893 
  894     case PCAP_TSTAMP_PRECISION_MICRO:
  895         ps->user_tsresol = 1000000;
  896         break;
  897 
  898     case PCAP_TSTAMP_PRECISION_NANO:
  899         ps->user_tsresol = 1000000000;
  900         break;
  901 
  902     default:
  903         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  904             "unknown time stamp resolution %u", precision);
  905         free(p);
  906         *err = 1;
  907         return (NULL);
  908     }
  909 
  910     p->opt.tstamp_precision = precision;
  911 
  912     /*
  913      * Allocate a buffer into which to read blocks.  We default to
  914      * the maximum of:
  915      *
  916      *  the total length of the SHB for which we read the header;
  917      *
  918      *  2K, which should be more than large enough for an Enhanced
  919      *  Packet Block containing a full-size Ethernet frame, and
  920      *  leaving room for some options.
  921      *
  922      * If we find a bigger block, we reallocate the buffer, up to
  923      * the maximum size.  We start out with a maximum size of
  924      * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
  925      * with a maximum snapshot that results in a larger maximum
  926      * block length, we boost the maximum.
  927      */
  928     p->bufsize = 2048;
  929     if (p->bufsize < total_length)
  930         p->bufsize = total_length;
  931     p->buffer = malloc(p->bufsize);
  932     if (p->buffer == NULL) {
  933         snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
  934         free(p);
  935         *err = 1;
  936         return (NULL);
  937     }
  938     ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
  939 
  940     /*
  941      * Copy the stuff we've read to the buffer, and read the rest
  942      * of the SHB.
  943      */
  944     bhdrp = (struct block_header *)p->buffer;
  945     shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
  946     bhdrp->block_type = magic_int;
  947     bhdrp->total_length = total_length;
  948     shbp->byte_order_magic = byte_order_magic;
  949     if (read_bytes(fp,
  950         (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
  951         total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
  952         1, errbuf) == -1)
  953         goto fail;
  954 
  955     if (p->swapped) {
  956         /*
  957          * Byte-swap the fields we've read.
  958          */
  959         shbp->major_version = SWAPSHORT(shbp->major_version);
  960         shbp->minor_version = SWAPSHORT(shbp->minor_version);
  961 
  962         /*
  963          * XXX - we don't care about the section length.
  964          */
  965     }
  966     /* Currently only SHB versions 1.0 and 1.2 are supported;
  967        version 1.2 is treated as being the same as version 1.0.
  968        See the current version of the pcapng specification.
  969 
  970        Version 1.2 is written by some programs that write additional
  971        block types (which can be read by any code that handles them,
  972        regardless of whether the minor version if 0 or 2, so that's
  973        not a reason to change the minor version number).
  974 
  975        XXX - the pcapng specification says that readers should
  976        just ignore sections with an unsupported version number;
  977        presumably they can also report an error if they skip
  978        all the way to the end of the file without finding
  979        any versions that they support. */
  980     if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
  981            (shbp->minor_version == PCAP_NG_VERSION_MINOR ||
  982             shbp->minor_version == 2))) {
  983         snprintf(errbuf, PCAP_ERRBUF_SIZE,
  984             "unsupported pcapng savefile version %u.%u",
  985             shbp->major_version, shbp->minor_version);
  986         goto fail;
  987     }
  988     p->version_major = shbp->major_version;
  989     p->version_minor = shbp->minor_version;
  990 
  991     /*
  992      * Save the time stamp resolution the user requested.
  993      */
  994     p->opt.tstamp_precision = precision;
  995 
  996     /*
  997      * Now start looking for an Interface Description Block.
  998      */
  999     for (;;) {
 1000         /*
 1001          * Read the next block.
 1002          */
 1003         status = read_block(fp, p, &cursor, errbuf);
 1004         if (status == 0) {
 1005             /* EOF - no IDB in this file */
 1006             snprintf(errbuf, PCAP_ERRBUF_SIZE,
 1007                 "the capture file has no Interface Description Blocks");
 1008             goto fail;
 1009         }
 1010         if (status == -1)
 1011             goto fail;  /* error */
 1012         switch (cursor.block_type) {
 1013 
 1014         case BT_IDB:
 1015             /*
 1016              * Get a pointer to the fixed-length portion of the
 1017              * IDB.
 1018              */
 1019             idbp = get_from_block_data(&cursor, sizeof(*idbp),
 1020                 errbuf);
 1021             if (idbp == NULL)
 1022                 goto fail;  /* error */
 1023 
 1024             /*
 1025              * Byte-swap it if necessary.
 1026              */
 1027             if (p->swapped) {
 1028                 idbp->linktype = SWAPSHORT(idbp->linktype);
 1029                 idbp->snaplen = SWAPLONG(idbp->snaplen);
 1030             }
 1031 
 1032             /*
 1033              * Try to add this interface.
 1034              */
 1035             if (!add_interface(p, idbp, &cursor, errbuf))
 1036                 goto fail;
 1037 
 1038             goto done;
 1039 
 1040         case BT_EPB:
 1041         case BT_SPB:
 1042         case BT_PB:
 1043             /*
 1044              * Saw a packet before we saw any IDBs.  That's
 1045              * not valid, as we don't know what link-layer
 1046              * encapsulation the packet has.
 1047              */
 1048             snprintf(errbuf, PCAP_ERRBUF_SIZE,
 1049                 "the capture file has a packet block before any Interface Description Blocks");
 1050             goto fail;
 1051 
 1052         default:
 1053             /*
 1054              * Just ignore it.
 1055              */
 1056             break;
 1057         }
 1058     }
 1059 
 1060 done:
 1061     p->linktype = linktype_to_dlt(idbp->linktype);
 1062     p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen);
 1063     p->linktype_ext = 0;
 1064 
 1065     /*
 1066      * If the maximum block size for a packet with the maximum
 1067      * snapshot length for this DLT_ is bigger than the current
 1068      * maximum block size, increase the maximum.
 1069      */
 1070     if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
 1071         ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
 1072 
 1073     p->next_packet_op = pcap_ng_next_packet;
 1074     p->cleanup_op = pcap_ng_cleanup;
 1075 
 1076     return (p);
 1077 
 1078 fail:
 1079     free(ps->ifaces);
 1080     free(p->buffer);
 1081     free(p);
 1082     *err = 1;
 1083     return (NULL);
 1084 }
 1085 
 1086 static void
 1087 pcap_ng_cleanup(pcap_t *p)
 1088 {
 1089     struct pcap_ng_sf *ps = p->priv;
 1090 
 1091     free(ps->ifaces);
 1092     sf_cleanup(p);
 1093 }
 1094 
 1095 /*
 1096  * Read and return the next packet from the savefile.  Return the header
 1097  * in hdr and a pointer to the contents in data.  Return 0 on success, 1
 1098  * if there were no more packets, and -1 on an error.
 1099  */
 1100 static int
 1101 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
 1102 {
 1103     struct pcap_ng_sf *ps = p->priv;
 1104     struct block_cursor cursor;
 1105     int status;
 1106     struct enhanced_packet_block *epbp;
 1107     struct simple_packet_block *spbp;
 1108     struct packet_block *pbp;
 1109     bpf_u_int32 interface_id = 0xFFFFFFFF;
 1110     struct interface_description_block *idbp;
 1111     struct section_header_block *shbp;
 1112     FILE *fp = p->rfile;
 1113     uint64_t t, sec, frac;
 1114 
 1115     /*
 1116      * Look for an Enhanced Packet Block, a Simple Packet Block,
 1117      * or a Packet Block.
 1118      */
 1119     for (;;) {
 1120         /*
 1121          * Read the block type and length; those are common
 1122          * to all blocks.
 1123          */
 1124         status = read_block(fp, p, &cursor, p->errbuf);
 1125         if (status == 0)
 1126             return (1); /* EOF */
 1127         if (status == -1)
 1128             return (-1);    /* error */
 1129         switch (cursor.block_type) {
 1130 
 1131         case BT_EPB:
 1132             /*
 1133              * Get a pointer to the fixed-length portion of the
 1134              * EPB.
 1135              */
 1136             epbp = get_from_block_data(&cursor, sizeof(*epbp),
 1137                 p->errbuf);
 1138             if (epbp == NULL)
 1139                 return (-1);    /* error */
 1140 
 1141             /*
 1142              * Byte-swap it if necessary.
 1143              */
 1144             if (p->swapped) {
 1145                 /* these were written in opposite byte order */
 1146                 interface_id = SWAPLONG(epbp->interface_id);
 1147                 hdr->caplen = SWAPLONG(epbp->caplen);
 1148                 hdr->len = SWAPLONG(epbp->len);
 1149                 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
 1150                     SWAPLONG(epbp->timestamp_low);
 1151             } else {
 1152                 interface_id = epbp->interface_id;
 1153                 hdr->caplen = epbp->caplen;
 1154                 hdr->len = epbp->len;
 1155                 t = ((uint64_t)epbp->timestamp_high) << 32 |
 1156                     epbp->timestamp_low;
 1157             }
 1158             goto found;
 1159 
 1160         case BT_SPB:
 1161             /*
 1162              * Get a pointer to the fixed-length portion of the
 1163              * SPB.
 1164              */
 1165             spbp = get_from_block_data(&cursor, sizeof(*spbp),
 1166                 p->errbuf);
 1167             if (spbp == NULL)
 1168                 return (-1);    /* error */
 1169 
 1170             /*
 1171              * SPB packets are assumed to have arrived on
 1172              * the first interface.
 1173              */
 1174             interface_id = 0;
 1175 
 1176             /*
 1177              * Byte-swap it if necessary.
 1178              */
 1179             if (p->swapped) {
 1180                 /* these were written in opposite byte order */
 1181                 hdr->len = SWAPLONG(spbp->len);
 1182             } else
 1183                 hdr->len = spbp->len;
 1184 
 1185             /*
 1186              * The SPB doesn't give the captured length;
 1187              * it's the minimum of the snapshot length
 1188              * and the packet length.
 1189              */
 1190             hdr->caplen = hdr->len;
 1191             if (hdr->caplen > (bpf_u_int32)p->snapshot)
 1192                 hdr->caplen = p->snapshot;
 1193             t = 0;  /* no time stamps */
 1194             goto found;
 1195 
 1196         case BT_PB:
 1197             /*
 1198              * Get a pointer to the fixed-length portion of the
 1199              * PB.
 1200              */
 1201             pbp = get_from_block_data(&cursor, sizeof(*pbp),
 1202                 p->errbuf);
 1203             if (pbp == NULL)
 1204                 return (-1);    /* error */
 1205 
 1206             /*
 1207              * Byte-swap it if necessary.
 1208              */
 1209             if (p->swapped) {
 1210                 /* these were written in opposite byte order */
 1211                 interface_id = SWAPSHORT(pbp->interface_id);
 1212                 hdr->caplen = SWAPLONG(pbp->caplen);
 1213                 hdr->len = SWAPLONG(pbp->len);
 1214                 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
 1215                     SWAPLONG(pbp->timestamp_low);
 1216             } else {
 1217                 interface_id = pbp->interface_id;
 1218                 hdr->caplen = pbp->caplen;
 1219                 hdr->len = pbp->len;
 1220                 t = ((uint64_t)pbp->timestamp_high) << 32 |
 1221                     pbp->timestamp_low;
 1222             }
 1223             goto found;
 1224 
 1225         case BT_IDB:
 1226             /*
 1227              * Interface Description Block.  Get a pointer
 1228              * to its fixed-length portion.
 1229              */
 1230             idbp = get_from_block_data(&cursor, sizeof(*idbp),
 1231                 p->errbuf);
 1232             if (idbp == NULL)
 1233                 return (-1);    /* error */
 1234 
 1235             /*
 1236              * Byte-swap it if necessary.
 1237              */
 1238             if (p->swapped) {
 1239                 idbp->linktype = SWAPSHORT(idbp->linktype);
 1240                 idbp->snaplen = SWAPLONG(idbp->snaplen);
 1241             }
 1242 
 1243             /*
 1244              * If the link-layer type or snapshot length
 1245              * differ from the ones for the first IDB we
 1246              * saw, quit.
 1247              *
 1248              * XXX - just discard packets from those
 1249              * interfaces?
 1250              */
 1251             if (p->linktype != idbp->linktype) {
 1252                 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1253                     "an interface has a type %u different from the type of the first interface",
 1254                     idbp->linktype);
 1255                 return (-1);
 1256             }
 1257 
 1258             /*
 1259              * Check against the *adjusted* value of this IDB's
 1260              * snapshot length.
 1261              */
 1262             if ((bpf_u_int32)p->snapshot !=
 1263                 pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
 1264                 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1265                     "an interface has a snapshot length %u different from the snapshot length of the first interface",
 1266                     idbp->snaplen);
 1267                 return (-1);
 1268             }
 1269 
 1270             /*
 1271              * Try to add this interface.
 1272              */
 1273             if (!add_interface(p, idbp, &cursor, p->errbuf))
 1274                 return (-1);
 1275             break;
 1276 
 1277         case BT_SHB:
 1278             /*
 1279              * Section Header Block.  Get a pointer
 1280              * to its fixed-length portion.
 1281              */
 1282             shbp = get_from_block_data(&cursor, sizeof(*shbp),
 1283                 p->errbuf);
 1284             if (shbp == NULL)
 1285                 return (-1);    /* error */
 1286 
 1287             /*
 1288              * Assume the byte order of this section is
 1289              * the same as that of the previous section.
 1290              * We'll check for that later.
 1291              */
 1292             if (p->swapped) {
 1293                 shbp->byte_order_magic =
 1294                     SWAPLONG(shbp->byte_order_magic);
 1295                 shbp->major_version =
 1296                     SWAPSHORT(shbp->major_version);
 1297             }
 1298 
 1299             /*
 1300              * Make sure the byte order doesn't change;
 1301              * pcap_is_swapped() shouldn't change its
 1302              * return value in the middle of reading a capture.
 1303              */
 1304             switch (shbp->byte_order_magic) {
 1305 
 1306             case BYTE_ORDER_MAGIC:
 1307                 /*
 1308                  * OK.
 1309                  */
 1310                 break;
 1311 
 1312             case SWAPLONG(BYTE_ORDER_MAGIC):
 1313                 /*
 1314                  * Byte order changes.
 1315                  */
 1316                 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1317                     "the file has sections with different byte orders");
 1318                 return (-1);
 1319 
 1320             default:
 1321                 /*
 1322                  * Not a valid SHB.
 1323                  */
 1324                 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1325                     "the file has a section with a bad byte order magic field");
 1326                 return (-1);
 1327             }
 1328 
 1329             /*
 1330              * Make sure the major version is the version
 1331              * we handle.
 1332              */
 1333             if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
 1334                 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1335                     "unknown pcapng savefile major version number %u",
 1336                     shbp->major_version);
 1337                 return (-1);
 1338             }
 1339 
 1340             /*
 1341              * Reset the interface count; this section should
 1342              * have its own set of IDBs.  If any of them
 1343              * don't have the same interface type, snapshot
 1344              * length, or resolution as the first interface
 1345              * we saw, we'll fail.  (And if we don't see
 1346              * any IDBs, we'll fail when we see a packet
 1347              * block.)
 1348              */
 1349             ps->ifcount = 0;
 1350             break;
 1351 
 1352         default:
 1353             /*
 1354              * Not a packet block, IDB, or SHB; ignore it.
 1355              */
 1356             break;
 1357         }
 1358     }
 1359 
 1360 found:
 1361     /*
 1362      * Is the interface ID an interface we know?
 1363      */
 1364     if (interface_id >= ps->ifcount) {
 1365         /*
 1366          * Yes.  Fail.
 1367          */
 1368         snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1369             "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
 1370             interface_id);
 1371         return (-1);
 1372     }
 1373 
 1374     if (hdr->caplen > (bpf_u_int32)p->snapshot) {
 1375         snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
 1376             "invalid packet capture length %u, bigger than "
 1377             "snaplen of %d", hdr->caplen, p->snapshot);
 1378         return (-1);
 1379     }
 1380 
 1381     /*
 1382      * Convert the time stamp to seconds and fractions of a second,
 1383      * with the fractions being in units of the file-supplied resolution.
 1384      */
 1385     sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
 1386     frac = t % ps->ifaces[interface_id].tsresol;
 1387 
 1388     /*
 1389      * Convert the fractions from units of the file-supplied resolution
 1390      * to units of the user-requested resolution.
 1391      */
 1392     switch (ps->ifaces[interface_id].scale_type) {
 1393 
 1394     case PASS_THROUGH:
 1395         /*
 1396          * The interface resolution is what the user wants,
 1397          * so we're done.
 1398          */
 1399         break;
 1400 
 1401     case SCALE_UP_DEC:
 1402         /*
 1403          * The interface resolution is less than what the user
 1404          * wants; scale the fractional part up to the units of
 1405          * the resolution the user requested by multiplying by
 1406          * the quotient of the user-requested resolution and the
 1407          * file-supplied resolution.
 1408          *
 1409          * Those resolutions are both powers of 10, and the user-
 1410          * requested resolution is greater than the file-supplied
 1411          * resolution, so the quotient in question is an integer.
 1412          * We've calculated that quotient already, so we just
 1413          * multiply by it.
 1414          */
 1415         frac *= ps->ifaces[interface_id].scale_factor;
 1416         break;
 1417 
 1418     case SCALE_UP_BIN:
 1419         /*
 1420          * The interface resolution is less than what the user
 1421          * wants; scale the fractional part up to the units of
 1422          * the resolution the user requested by multiplying by
 1423          * the quotient of the user-requested resolution and the
 1424          * file-supplied resolution.
 1425          *
 1426          * The file-supplied resolution is a power of 2, so the
 1427          * quotient is not an integer, so, in order to do this
 1428          * entirely with integer arithmetic, we multiply by the
 1429          * user-requested resolution and divide by the file-
 1430          * supplied resolution.
 1431          *
 1432          * XXX - Is there something clever we could do here,
 1433          * given that we know that the file-supplied resolution
 1434          * is a power of 2?  Doing a multiplication followed by
 1435          * a division runs the risk of overflowing, and involves
 1436          * two non-simple arithmetic operations.
 1437          */
 1438         frac *= ps->user_tsresol;
 1439         frac /= ps->ifaces[interface_id].tsresol;
 1440         break;
 1441 
 1442     case SCALE_DOWN_DEC:
 1443         /*
 1444          * The interface resolution is greater than what the user
 1445          * wants; scale the fractional part up to the units of
 1446          * the resolution the user requested by multiplying by
 1447          * the quotient of the user-requested resolution and the
 1448          * file-supplied resolution.
 1449          *
 1450          * Those resolutions are both powers of 10, and the user-
 1451          * requested resolution is less than the file-supplied
 1452          * resolution, so the quotient in question isn't an
 1453          * integer, but its reciprocal is, and we can just divide
 1454          * by the reciprocal of the quotient.  We've calculated
 1455          * the reciprocal of that quotient already, so we must
 1456          * divide by it.
 1457          */
 1458         frac /= ps->ifaces[interface_id].scale_factor;
 1459         break;
 1460 
 1461 
 1462     case SCALE_DOWN_BIN:
 1463         /*
 1464          * The interface resolution is greater than what the user
 1465          * wants; convert the fractional part to units of the
 1466          * resolution the user requested by multiplying by the
 1467          * quotient of the user-requested resolution and the
 1468          * file-supplied resolution.  We do that by multiplying
 1469          * by the user-requested resolution and dividing by the
 1470          * file-supplied resolution, as the quotient might not
 1471          * fit in an integer.
 1472          *
 1473          * The file-supplied resolution is a power of 2, so the
 1474          * quotient is not an integer, and neither is its
 1475          * reciprocal, so, in order to do this entirely with
 1476          * integer arithmetic, we multiply by the user-requested
 1477          * resolution and divide by the file-supplied resolution.
 1478          *
 1479          * XXX - Is there something clever we could do here,
 1480          * given that we know that the file-supplied resolution
 1481          * is a power of 2?  Doing a multiplication followed by
 1482          * a division runs the risk of overflowing, and involves
 1483          * two non-simple arithmetic operations.
 1484          */
 1485         frac *= ps->user_tsresol;
 1486         frac /= ps->ifaces[interface_id].tsresol;
 1487         break;
 1488     }
 1489 #ifdef _WIN32
 1490     /*
 1491      * tv_sec and tv_used in the Windows struct timeval are both
 1492      * longs.
 1493      */
 1494     hdr->ts.tv_sec = (long)sec;
 1495     hdr->ts.tv_usec = (long)frac;
 1496 #else
 1497     /*
 1498      * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
 1499      * suseconds_t in UN*Xes that work the way the current Single
 1500      * UNIX Standard specify - but not all older UN*Xes necessarily
 1501      * support that type, so just cast to int.
 1502      */
 1503     hdr->ts.tv_sec = (time_t)sec;
 1504     hdr->ts.tv_usec = (int)frac;
 1505 #endif
 1506 
 1507     /*
 1508      * Get a pointer to the packet data.
 1509      */
 1510     *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
 1511     if (*data == NULL)
 1512         return (-1);
 1513 
 1514     if (p->swapped)
 1515         swap_pseudo_headers(p->linktype, hdr, *data);
 1516 
 1517     return (0);
 1518 }