21 * sf-pcap.c - libpcap-file-format-specific code from savefile.c
33 #include <pcap-types.h>
46 #include "pcap-int.h"
47 #include "pcap-util.h"
49 #include "pcap-common.h"
52 #include "os-proto.h"
55 #include "sf-pcap.h"
75 * byte-swap some host-byte-order metadata.
105 * `struct timeval'; `struct timeval' has 32-bit tv_sec values on some
106 * platforms and 64-bit tv_sec values on other platforms, and writing
112 * says they are. (That gives pcap a 68-year Y2.038K reprieve, although
125 * Do not change the format of this structure, in any way (this includes
127 * and do not make the time stamp anything other than seconds and
132 * send mail to "tcpdump-workers@lists.tcpdump.org", requesting
145 * https://github.com/the-tcpdump-group/libpcap/tree/master
163 * Do not change the format of this structure, in any way (this includes
198 SWAPPED, enumerator
226 int swapped = 0; in pcap_check_header() local
236 * number for a pcap savefile, or for a byte-swapped pcap in pcap_check_header()
248 swapped = 1; in pcap_check_header()
257 sizeof(hdr) - sizeof(hdr.magic), fp); in pcap_check_header()
258 if (amt_read != sizeof(hdr) - sizeof(hdr.magic)) { in pcap_check_header()
272 * If it's a byte-swapped capture file, byte-swap the header. in pcap_check_header()
274 if (swapped) { in pcap_check_header()
291 * currently only versions 2.[0-4] are supported with in pcap_check_header()
310 "savefile linktype reserved field not zero (0x%08x)", in pcap_check_header()
326 p->swapped = swapped; in pcap_check_header()
327 p->version_major = hdr.version_major; in pcap_check_header()
328 p->version_minor = hdr.version_minor; in pcap_check_header()
329 p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype)); in pcap_check_header()
330 p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype); in pcap_check_header()
331 p->snapshot = pcapint_adjust_snapshot(p->linktype, hdr.snaplen); in pcap_check_header()
333 p->next_packet_op = pcap_next_packet; in pcap_check_header()
335 ps = p->priv; in pcap_check_header()
337 p->opt.tstamp_precision = precision; in pcap_check_header()
352 ps->scale_type = SCALE_DOWN; in pcap_check_header()
358 ps->scale_type = PASS_THROUGH; in pcap_check_header()
368 ps->scale_type = PASS_THROUGH; in pcap_check_header()
375 ps->scale_type = SCALE_UP; in pcap_check_header()
395 * pre-2.3 order. in pcap_check_header()
401 ps->lengths_swapped = SWAPPED; in pcap_check_header()
403 ps->lengths_swapped = MAYBE_SWAPPED; in pcap_check_header()
405 ps->lengths_swapped = NOT_SWAPPED; in pcap_check_header()
409 ps->lengths_swapped = SWAPPED; in pcap_check_header()
413 ps->lengths_swapped = NOT_SWAPPED; in pcap_check_header()
419 * XXX - the patch that's in some versions of libpcap in pcap_check_header()
420 * changes the packet header but not the magic number, in pcap_check_header()
435 ps->hdrsize = sizeof(struct pcap_sf_patched_pkthdr); in pcap_check_header()
437 if (p->linktype == DLT_EN10MB) { in pcap_check_header()
442 * If it was done in cooked mode, p->snapshot was in pcap_check_header()
445 * would be p->snapshot. However, a faked Ethernet in pcap_check_header()
448 * would be p->snapshot + 14. in pcap_check_header()
456 * but there's not much we can do to avoid that. in pcap_check_header()
461 if (p->snapshot <= INT_MAX - 14) in pcap_check_header()
462 p->snapshot += 14; in pcap_check_header()
464 p->snapshot = INT_MAX; in pcap_check_header()
467 ps->hdrsize = sizeof(struct pcap_sf_pkthdr); in pcap_check_header()
472 * that should be enough for most network packets - we'll grow it in pcap_check_header()
478 p->bufsize = p->snapshot; in pcap_check_header()
479 if (p->bufsize > 2048) in pcap_check_header()
480 p->bufsize = 2048; in pcap_check_header()
481 p->buffer = malloc(p->bufsize); in pcap_check_header()
482 if (p->buffer == NULL) { in pcap_check_header()
489 p->cleanup_op = pcapint_sf_cleanup; in pcap_check_header()
502 bigger_buffer = realloc(p->buffer, bufsize); in grow_buffer()
504 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "out of memory"); in grow_buffer()
507 p->buffer = bigger_buffer; in grow_buffer()
508 p->bufsize = bufsize; in grow_buffer()
515 * if there were no more packets, and -1 on an error.
520 struct pcap_sf *ps = p->priv; in pcap_next_packet()
522 FILE *fp = p->rfile; in pcap_next_packet()
533 amt_read = fread(&sf_hdr, 1, ps->hdrsize, fp); in pcap_next_packet()
534 if (amt_read != ps->hdrsize) { in pcap_next_packet()
536 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
538 return (-1); in pcap_next_packet()
541 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
543 ps->hdrsize, amt_read); in pcap_next_packet()
544 return (-1); in pcap_next_packet()
551 if (p->swapped) { in pcap_next_packet()
553 hdr->caplen = SWAPLONG(sf_hdr.caplen); in pcap_next_packet()
554 hdr->len = SWAPLONG(sf_hdr.len); in pcap_next_packet()
555 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); in pcap_next_packet()
556 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); in pcap_next_packet()
558 hdr->caplen = sf_hdr.caplen; in pcap_next_packet()
559 hdr->len = sf_hdr.len; in pcap_next_packet()
560 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; in pcap_next_packet()
561 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; in pcap_next_packet()
564 switch (ps->scale_type) { in pcap_next_packet()
577 hdr->ts.tv_usec = hdr->ts.tv_usec * 1000; in pcap_next_packet()
585 hdr->ts.tv_usec = hdr->ts.tv_usec / 1000; in pcap_next_packet()
590 switch (ps->lengths_swapped) { in pcap_next_packet()
596 if (hdr->caplen <= hdr->len) { in pcap_next_packet()
599 * so presumably they weren't swapped. in pcap_next_packet()
605 case SWAPPED: in pcap_next_packet()
606 t = hdr->caplen; in pcap_next_packet()
607 hdr->caplen = hdr->len; in pcap_next_packet()
608 hdr->len = t; in pcap_next_packet()
615 if (hdr->caplen > max_snaplen_for_dlt(p->linktype)) { in pcap_next_packet()
620 * (We don't treat that as an error if it's not in pcap_next_packet()
624 if (hdr->caplen > (bpf_u_int32)p->snapshot) { in pcap_next_packet()
625 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
627 "snaplen of %d", hdr->caplen, p->snapshot); in pcap_next_packet()
629 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
631 "maximum of %u", hdr->caplen, in pcap_next_packet()
632 max_snaplen_for_dlt(p->linktype)); in pcap_next_packet()
634 return (-1); in pcap_next_packet()
637 if (hdr->caplen > (bpf_u_int32)p->snapshot) { in pcap_next_packet()
643 * over the BUFMOD problem and not setting the snapshot in pcap_next_packet()
652 * per-packet callback, to the snapshot length if it's in pcap_next_packet()
660 * or the per-packet header, or perhaps this is a in pcap_next_packet()
669 * and might copy the packet into a snapshot-length- in pcap_next_packet()
676 if (hdr->caplen > p->bufsize) { in pcap_next_packet()
680 if (!grow_buffer(p, p->snapshot)) in pcap_next_packet()
681 return (-1); in pcap_next_packet()
685 * Read the first p->snapshot bytes into the buffer. in pcap_next_packet()
687 amt_read = fread(p->buffer, 1, p->snapshot, fp); in pcap_next_packet()
688 if (amt_read != (bpf_u_int32)p->snapshot) { in pcap_next_packet()
690 pcapint_fmt_errmsg_for_errno(p->errbuf, in pcap_next_packet()
695 * Yes, this uses hdr->caplen; technically, in pcap_next_packet()
701 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
703 p->snapshot, amt_read); in pcap_next_packet()
705 return (-1); in pcap_next_packet()
711 bytes_to_discard = hdr->caplen - p->snapshot; in pcap_next_packet()
721 pcapint_fmt_errmsg_for_errno(p->errbuf, in pcap_next_packet()
725 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
727 hdr->caplen, bytes_read); in pcap_next_packet()
729 return (-1); in pcap_next_packet()
731 bytes_to_discard -= amt_read; in pcap_next_packet()
738 hdr->caplen = p->snapshot; in pcap_next_packet()
743 if (hdr->caplen > p->bufsize) { in pcap_next_packet()
750 new_bufsize = hdr->caplen; in pcap_next_packet()
754 new_bufsize--; in pcap_next_packet()
762 if (new_bufsize > (u_int)p->snapshot) in pcap_next_packet()
763 new_bufsize = p->snapshot; in pcap_next_packet()
766 return (-1); in pcap_next_packet()
770 amt_read = fread(p->buffer, 1, hdr->caplen, fp); in pcap_next_packet()
771 if (amt_read != hdr->caplen) { in pcap_next_packet()
773 pcapint_fmt_errmsg_for_errno(p->errbuf, in pcap_next_packet()
777 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_next_packet()
779 hdr->caplen, amt_read); in pcap_next_packet()
781 return (-1); in pcap_next_packet()
784 *data = p->buffer; in pcap_next_packet()
786 pcapint_post_process(p->linktype, p->swapped, hdr, *data); in pcap_next_packet()
796 …hdr.magic = p->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO ? NSEC_TCPDUMP_MAGIC : TCPDUMP_M… in sf_write_header()
801 * https://www.tcpdump.org/manpages/pcap-savefile.5.txt states: in sf_write_header()
802 * thiszone (Reserved1): 4-byte not used - SHOULD be filled with 0 in sf_write_header()
803 * sigfigs (Reserved2): 4-byte not used - SHOULD be filled with 0 in sf_write_header()
811 return (-1); in sf_write_header()
838 * so we really have no insurance that things are not fubared. in pcap_dump()
845 * Better not try writing pcap files after in pcap_dump()
846 * 2106-02-07 06:28:15 UTC; switch to pcapng. in pcap_dump()
847 * (And better not try writing pcap files with time stamps in pcap_dump()
848 * that predate 1970-01-01 00:00:00 UTC; that's not supported. in pcap_dump()
851 * stamps, but you may also have to get a link-layer type for in pcap_dump()
855 sf_hdr.ts.tv_sec = (bpf_u_int32)h->ts.tv_sec; in pcap_dump()
856 sf_hdr.ts.tv_usec = (bpf_u_int32)h->ts.tv_usec; in pcap_dump()
857 sf_hdr.caplen = h->caplen; in pcap_dump()
858 sf_hdr.len = h->len; in pcap_dump()
868 (void)fwrite(sp, h->caplen, 1, f); in pcap_dump()
882 * XXX - why? And why not on the standard output? in pcap_setup_dump()
889 if (sf_write_header(p, f, linktype, p->snapshot) == -1) { in pcap_setup_dump()
890 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_setup_dump()
910 * link-layer type, so we can't use it. in pcap_dump_open()
912 if (!p->activated) { in pcap_dump_open()
913 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open()
914 "%s: not-yet-activated pcap_t passed to pcap_dump_open", in pcap_dump_open()
918 linktype = dlt_to_linktype(p->linktype); in pcap_dump_open()
919 if (linktype == -1) { in pcap_dump_open()
920 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open()
921 "%s: link-layer type %d isn't supported in savefiles", in pcap_dump_open()
922 fname, p->linktype); in pcap_dump_open()
925 linktype |= p->linktype_ext; in pcap_dump_open()
928 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open()
932 if (fname[0] == '-' && fname[1] == '\0') { in pcap_dump_open()
944 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open()
965 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_hopen()
972 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_hopen()
993 linktype = dlt_to_linktype(p->linktype); in pcap_dump_fopen()
994 if (linktype == -1) { in pcap_dump_fopen()
995 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_fopen()
996 "stream: link-layer type %d isn't supported in savefiles", in pcap_dump_fopen()
997 p->linktype); in pcap_dump_fopen()
1000 linktype |= p->linktype_ext; in pcap_dump_fopen()
1013 linktype = dlt_to_linktype(p->linktype); in pcap_dump_open_append()
1014 if (linktype == -1) { in pcap_dump_open_append()
1015 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1016 "%s: link-layer type %d isn't supported in savefiles", in pcap_dump_open_append()
1022 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1026 if (fname[0] == '-' && fname[1] == '\0') in pcap_dump_open_append()
1030 * "a" will cause the file *not* to be truncated if it exists in pcap_dump_open_append()
1044 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1052 * We do not assume that the file will be positioned at the in pcap_dump_open_append()
1053 * beginning immediately after we've opened it - we seek to in pcap_dump_open_append()
1054 * the beginning. ISO C says it's implementation-defined in pcap_dump_open_append()
1056 * or the end of the file after an append-mode open, and in pcap_dump_open_append()
1058 * or the Microsoft documentation how that works on SUS- in pcap_dump_open_append()
1061 if (fseek(f, 0, SEEK_SET) == -1) { in pcap_dump_open_append()
1062 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1070 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1075 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1085 * XXX - why? And why not on the standard output? in pcap_dump_open_append()
1093 * it's not for a pcap file of the appropriate resolution in pcap_dump_open_append()
1096 * the link-layer header types don't match; in pcap_dump_open_append()
1110 if (p->opt.tstamp_precision != PCAP_TSTAMP_PRECISION_MICRO) { in pcap_dump_open_append()
1111 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1119 if (p->opt.tstamp_precision != PCAP_TSTAMP_PRECISION_NANO) { in pcap_dump_open_append()
1120 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1129 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1138 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1139 "%s: not a pcap file to which we can append", fname); in pcap_dump_open_append()
1144 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1145 "%s: not a pcap file", fname); in pcap_dump_open_append()
1155 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1162 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1167 if ((bpf_u_int32)p->snapshot != ph.snaplen) { in pcap_dump_open_append()
1168 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1177 if (sf_write_header(p, f, linktype, p->snapshot) == -1) { in pcap_dump_open_append()
1178 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1188 * XXX - this shouldn't be necessary, given that we're opening in pcap_dump_open_append()
1192 if (fseek(f, 0, SEEK_END) == -1) { in pcap_dump_open_append()
1193 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, in pcap_dump_open_append()
1216 * If we have large file support (files larger than 2^31-1 bytes),
1239 * or this is probably an older 32-bit UN*X without large file
1241 * write files > 2^31-1, so it won't matter anyway.
1243 * XXX - what about MinGW?
1257 return (-1); in pcap_dump_flush()
1268 return-an-error; in pcap_dump_close()