1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22 */
23
24 #include <config.h>
25
26 #include <pcap/pcap-inttypes.h>
27
28 #include <errno.h>
29 #include <memory.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <string.h>
33
34 #include "pcap-int.h"
35 #include "pcap-util.h"
36
37 #include "pcap-common.h"
38
39 #ifdef HAVE_OS_PROTO_H
40 #include "os-proto.h"
41 #endif
42
43 #include "sf-pcapng.h"
44
45 /*
46 * Block types.
47 */
48
49 /*
50 * Common part at the beginning of all blocks.
51 */
52 struct block_header {
53 bpf_u_int32 block_type;
54 bpf_u_int32 total_length;
55 };
56
57 /*
58 * Common trailer at the end of all blocks.
59 */
60 struct block_trailer {
61 bpf_u_int32 total_length;
62 };
63
64 /*
65 * Common options.
66 */
67 #define OPT_ENDOFOPT 0 /* end of options */
68 #define OPT_COMMENT 1 /* comment string */
69
70 /*
71 * Option header.
72 */
73 struct option_header {
74 u_short option_code;
75 u_short option_length;
76 };
77
78 /*
79 * Structures for the part of each block type following the common
80 * part.
81 */
82
83 /*
84 * Section Header Block.
85 */
86 #define BT_SHB 0x0A0D0D0A
87 #define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
88 struct section_header_block {
89 bpf_u_int32 byte_order_magic;
90 u_short major_version;
91 u_short minor_version;
92 uint64_t section_length;
93 /* followed by options and trailer */
94 };
95
96 /*
97 * Byte-order magic value.
98 */
99 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
100
101 /*
102 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
103 * or if minor_version isn't PCAP_NG_VERSION_MINOR or 2, that means that
104 * this code can't read the file.
105 */
106 #define PCAP_NG_VERSION_MAJOR 1
107 #define PCAP_NG_VERSION_MINOR 0
108
109 /*
110 * Interface Description Block.
111 */
112 #define BT_IDB 0x00000001
113
114 struct interface_description_block {
115 u_short linktype;
116 u_short reserved;
117 bpf_u_int32 snaplen;
118 /* followed by options and trailer */
119 };
120
121 /*
122 * Options in the IDB.
123 */
124 #define IF_NAME 2 /* interface name string */
125 #define IF_DESCRIPTION 3 /* interface description string */
126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
128 #define IF_MACADDR 6 /* interface's MAC address */
129 #define IF_EUIADDR 7 /* interface's EUI address */
130 #define IF_SPEED 8 /* interface's speed, in bits/s */
131 #define IF_TSRESOL 9 /* interface's time stamp resolution */
132 #define IF_TZONE 10 /* interface's time zone */
133 #define IF_FILTER 11 /* filter used when capturing on interface */
134 #define IF_OS 12 /* string OS on which capture on this interface was done */
135 #define IF_FCSLEN 13 /* FCS length for this interface */
136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
137
138 /*
139 * Enhanced Packet Block.
140 */
141 #define BT_EPB 0x00000006
142
143 struct enhanced_packet_block {
144 bpf_u_int32 interface_id;
145 bpf_u_int32 timestamp_high;
146 bpf_u_int32 timestamp_low;
147 bpf_u_int32 caplen;
148 bpf_u_int32 len;
149 /* followed by packet data, options, and trailer */
150 };
151
152 /*
153 * Simple Packet Block.
154 */
155 #define BT_SPB 0x00000003
156
157 struct simple_packet_block {
158 bpf_u_int32 len;
159 /* followed by packet data and trailer */
160 };
161
162 /*
163 * Packet Block.
164 */
165 #define BT_PB 0x00000002
166
167 struct packet_block {
168 u_short interface_id;
169 u_short drops_count;
170 bpf_u_int32 timestamp_high;
171 bpf_u_int32 timestamp_low;
172 bpf_u_int32 caplen;
173 bpf_u_int32 len;
174 /* followed by packet data, options, and trailer */
175 };
176
177 /*
178 * Block cursor - used when processing the contents of a block.
179 * Contains a pointer into the data being processed and a count
180 * of bytes remaining in the block.
181 */
182 struct block_cursor {
183 u_char *data;
184 size_t data_remaining;
185 bpf_u_int32 block_type;
186 };
187
188 typedef enum {
189 PASS_THROUGH,
190 SCALE_UP_DEC,
191 SCALE_DOWN_DEC,
192 SCALE_UP_BIN,
193 SCALE_DOWN_BIN
194 } tstamp_scale_type_t;
195
196 /*
197 * Per-interface information.
198 */
199 struct pcap_ng_if {
200 uint32_t snaplen; /* snapshot length */
201 uint64_t tsresol; /* time stamp resolution */
202 tstamp_scale_type_t scale_type; /* how to scale */
203 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
204 int64_t tsoffset; /* time stamp offset */
205 };
206
207 /*
208 * Per-pcap_t private data.
209 *
210 * max_blocksize is the maximum size of a block that we'll accept. We
211 * reject blocks bigger than this, so we don't consume too much memory
212 * with a truly huge block. It can change as we see IDBs with different
213 * link-layer header types. (Currently, we don't support IDBs with
214 * different link-layer header types, but we will support it in the
215 * future, when we offer file-reading APIs that support it.)
216 *
217 * XXX - that's an issue on ILP32 platforms, where the maximum block
218 * size of 2^31-1 would eat all but one byte of the entire address space.
219 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
220 * of the address space may be limited by 1) the number of *significant*
221 * address bits (currently, x86-64 only supports 48 bits of address), 2)
222 * any limitations imposed by the operating system; 3) any limitations
223 * imposed by the amount of available backing store for anonymous pages,
224 * so we impose a limit regardless of the size of a pointer.
225 */
226 struct pcap_ng_sf {
227 uint64_t user_tsresol; /* time stamp resolution requested by the user */
228 u_int max_blocksize; /* don't grow buffer size past this */
229 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
230 bpf_u_int32 ifaces_size; /* size of array below */
231 struct pcap_ng_if *ifaces; /* array of interface information */
232 };
233
234 /*
235 * The maximum block size we start with; we use an arbitrary value of
236 * 16 MiB.
237 */
238 #define INITIAL_MAX_BLOCKSIZE (16*1024*1024)
239
240 /*
241 * Maximum block size for a given maximum snapshot length; we define it
242 * as the size of an EPB with a max_snaplen-sized packet and 128KB of
243 * options.
244 */
245 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
246 (sizeof (struct block_header) + \
247 sizeof (struct enhanced_packet_block) + \
248 (max_snaplen) + 131072 + \
249 sizeof (struct block_trailer))
250
251 static void pcap_ng_cleanup(pcap_t *p);
252 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
253 u_char **data);
254
255 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)256 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
257 char *errbuf)
258 {
259 size_t amt_read;
260
261 amt_read = fread(buf, 1, bytes_to_read, fp);
262 if (amt_read != bytes_to_read) {
263 if (ferror(fp)) {
264 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
265 errno, "error reading dump file");
266 } else {
267 if (amt_read == 0 && !fail_on_eof)
268 return (0); /* EOF */
269 snprintf(errbuf, PCAP_ERRBUF_SIZE,
270 "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
271 bytes_to_read, amt_read);
272 }
273 return (-1);
274 }
275 return (1);
276 }
277
278 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)279 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
280 {
281 struct pcap_ng_sf *ps;
282 int status;
283 struct block_header bhdr;
284 struct block_trailer *btrlr;
285 u_char *bdata;
286 size_t data_remaining;
287
288 ps = p->priv;
289
290 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
291 if (status <= 0)
292 return (status); /* error or EOF */
293
294 if (p->swapped) {
295 bhdr.block_type = SWAPLONG(bhdr.block_type);
296 bhdr.total_length = SWAPLONG(bhdr.total_length);
297 }
298
299 /*
300 * Is this block "too small" - i.e., is it shorter than a block
301 * header plus a block trailer?
302 */
303 if (bhdr.total_length < sizeof(struct block_header) +
304 sizeof(struct block_trailer)) {
305 snprintf(errbuf, PCAP_ERRBUF_SIZE,
306 "block in pcapng dump file has a length of %u < %zu",
307 bhdr.total_length,
308 sizeof(struct block_header) + sizeof(struct block_trailer));
309 return (-1);
310 }
311
312 /*
313 * Is the block total length a multiple of 4?
314 */
315 if ((bhdr.total_length % 4) != 0) {
316 /*
317 * No. Report that as an error.
318 */
319 snprintf(errbuf, PCAP_ERRBUF_SIZE,
320 "block in pcapng dump file has a length of %u that is not a multiple of 4",
321 bhdr.total_length);
322 return (-1);
323 }
324
325 /*
326 * Is the buffer big enough?
327 */
328 if (p->bufsize < bhdr.total_length) {
329 /*
330 * No - make it big enough, unless it's too big, in
331 * which case we fail.
332 */
333 void *bigger_buffer;
334
335 if (bhdr.total_length > ps->max_blocksize) {
336 snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
337 ps->max_blocksize);
338 return (-1);
339 }
340 bigger_buffer = realloc(p->buffer, bhdr.total_length);
341 if (bigger_buffer == NULL) {
342 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
343 return (-1);
344 }
345 p->buffer = bigger_buffer;
346 }
347
348 /*
349 * Copy the stuff we've read to the buffer, and read the rest
350 * of the block.
351 */
352 memcpy(p->buffer, &bhdr, sizeof(bhdr));
353 bdata = (u_char *)p->buffer + sizeof(bhdr);
354 data_remaining = bhdr.total_length - sizeof(bhdr);
355 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
356 return (-1);
357
358 /*
359 * Get the block size from the trailer.
360 */
361 btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
362 if (p->swapped)
363 btrlr->total_length = SWAPLONG(btrlr->total_length);
364
365 /*
366 * Is the total length from the trailer the same as the total
367 * length from the header?
368 */
369 if (bhdr.total_length != btrlr->total_length) {
370 /*
371 * No.
372 */
373 snprintf(errbuf, PCAP_ERRBUF_SIZE,
374 "block total length in header and trailer don't match");
375 return (-1);
376 }
377
378 /*
379 * Initialize the cursor.
380 */
381 cursor->data = bdata;
382 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
383 cursor->block_type = bhdr.block_type;
384 return (1);
385 }
386
387 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)388 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
389 char *errbuf)
390 {
391 void *data;
392
393 /*
394 * Make sure we have the specified amount of data remaining in
395 * the block data.
396 */
397 if (cursor->data_remaining < chunk_size) {
398 snprintf(errbuf, PCAP_ERRBUF_SIZE,
399 "block of type %u in pcapng dump file is too short",
400 cursor->block_type);
401 return (NULL);
402 }
403
404 /*
405 * Return the current pointer, and skip past the chunk.
406 */
407 data = cursor->data;
408 cursor->data += chunk_size;
409 cursor->data_remaining -= chunk_size;
410 return (data);
411 }
412
413 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)414 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
415 {
416 struct option_header *opthdr;
417
418 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
419 if (opthdr == NULL) {
420 /*
421 * Option header is cut short.
422 */
423 return (NULL);
424 }
425
426 /*
427 * Byte-swap it if necessary.
428 */
429 if (p->swapped) {
430 opthdr->option_code = SWAPSHORT(opthdr->option_code);
431 opthdr->option_length = SWAPSHORT(opthdr->option_length);
432 }
433
434 return (opthdr);
435 }
436
437 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)438 get_optvalue_from_block_data(struct block_cursor *cursor,
439 struct option_header *opthdr, char *errbuf)
440 {
441 size_t padded_option_len;
442 void *optvalue;
443
444 /* Pad option length to 4-byte boundary */
445 padded_option_len = opthdr->option_length;
446 padded_option_len = ((padded_option_len + 3)/4)*4;
447
448 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
449 if (optvalue == NULL) {
450 /*
451 * Option value is cut short.
452 */
453 return (NULL);
454 }
455
456 return (optvalue);
457 }
458
459 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,uint64_t * tsresol,int64_t * tsoffset,int * is_binary,char * errbuf)460 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
461 int64_t *tsoffset, int *is_binary, char *errbuf)
462 {
463 struct option_header *opthdr;
464 void *optvalue;
465 int saw_tsresol, saw_tsoffset;
466 uint8_t tsresol_opt;
467 u_int i;
468
469 saw_tsresol = 0;
470 saw_tsoffset = 0;
471 while (cursor->data_remaining != 0) {
472 /*
473 * Get the option header.
474 */
475 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
476 if (opthdr == NULL) {
477 /*
478 * Option header is cut short.
479 */
480 return (-1);
481 }
482
483 /*
484 * Get option value.
485 */
486 optvalue = get_optvalue_from_block_data(cursor, opthdr,
487 errbuf);
488 if (optvalue == NULL) {
489 /*
490 * Option value is cut short.
491 */
492 return (-1);
493 }
494
495 switch (opthdr->option_code) {
496
497 case OPT_ENDOFOPT:
498 if (opthdr->option_length != 0) {
499 snprintf(errbuf, PCAP_ERRBUF_SIZE,
500 "Interface Description Block has opt_endofopt option with length %u != 0",
501 opthdr->option_length);
502 return (-1);
503 }
504 goto done;
505
506 case IF_TSRESOL:
507 if (opthdr->option_length != 1) {
508 snprintf(errbuf, PCAP_ERRBUF_SIZE,
509 "Interface Description Block has if_tsresol option with length %u != 1",
510 opthdr->option_length);
511 return (-1);
512 }
513 if (saw_tsresol) {
514 snprintf(errbuf, PCAP_ERRBUF_SIZE,
515 "Interface Description Block has more than one if_tsresol option");
516 return (-1);
517 }
518 saw_tsresol = 1;
519 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
520 if (tsresol_opt & 0x80) {
521 /*
522 * Resolution is negative power of 2.
523 */
524 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
525
526 if (tsresol_shift > 63) {
527 /*
528 * Resolution is too high; 2^-{res}
529 * won't fit in a 64-bit value.
530 */
531 snprintf(errbuf, PCAP_ERRBUF_SIZE,
532 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
533 tsresol_shift);
534 return (-1);
535 }
536 *is_binary = 1;
537 *tsresol = ((uint64_t)1) << tsresol_shift;
538 } else {
539 /*
540 * Resolution is negative power of 10.
541 */
542 if (tsresol_opt > 19) {
543 /*
544 * Resolution is too high; 2^-{res}
545 * won't fit in a 64-bit value (the
546 * largest power of 10 that fits
547 * in a 64-bit value is 10^19, as
548 * the largest 64-bit unsigned
549 * value is ~1.8*10^19).
550 */
551 snprintf(errbuf, PCAP_ERRBUF_SIZE,
552 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
553 tsresol_opt);
554 return (-1);
555 }
556 *is_binary = 0;
557 *tsresol = 1;
558 for (i = 0; i < tsresol_opt; i++)
559 *tsresol *= 10;
560 }
561 break;
562
563 case IF_TSOFFSET:
564 if (opthdr->option_length != 8) {
565 snprintf(errbuf, PCAP_ERRBUF_SIZE,
566 "Interface Description Block has if_tsoffset option with length %u != 8",
567 opthdr->option_length);
568 return (-1);
569 }
570 if (saw_tsoffset) {
571 snprintf(errbuf, PCAP_ERRBUF_SIZE,
572 "Interface Description Block has more than one if_tsoffset option");
573 return (-1);
574 }
575 saw_tsoffset = 1;
576 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
577 if (p->swapped)
578 *tsoffset = SWAPLL(*tsoffset);
579 break;
580
581 default:
582 break;
583 }
584 }
585
586 done:
587 return (0);
588 }
589
590 static int
add_interface(pcap_t * p,struct interface_description_block * idbp,struct block_cursor * cursor,char * errbuf)591 add_interface(pcap_t *p, struct interface_description_block *idbp,
592 struct block_cursor *cursor, char *errbuf)
593 {
594 struct pcap_ng_sf *ps;
595 uint64_t tsresol;
596 int64_t tsoffset;
597 int is_binary;
598
599 ps = p->priv;
600
601 /*
602 * Count this interface.
603 */
604 ps->ifcount++;
605
606 /*
607 * Grow the array of per-interface information as necessary.
608 */
609 if (ps->ifcount > ps->ifaces_size) {
610 /*
611 * We need to grow the array.
612 */
613 bpf_u_int32 new_ifaces_size;
614 struct pcap_ng_if *new_ifaces;
615
616 if (ps->ifaces_size == 0) {
617 /*
618 * It's currently empty.
619 *
620 * (The Clang static analyzer doesn't do enough,
621 * err, umm, dataflow *analysis* to realize that
622 * ps->ifaces_size == 0 if ps->ifaces == NULL,
623 * and so complains about a possible zero argument
624 * to realloc(), so we check for the former
625 * condition to shut it up.
626 *
627 * However, it doesn't complain that one of the
628 * multiplications below could overflow, which is
629 * a real, albeit extremely unlikely, problem (you'd
630 * need a pcapng file with tens of millions of
631 * interfaces).)
632 */
633 new_ifaces_size = 1;
634 new_ifaces = malloc(sizeof (struct pcap_ng_if));
635 } else {
636 /*
637 * It's not currently empty; double its size.
638 * (Perhaps overkill once we have a lot of interfaces.)
639 *
640 * Check for overflow if we double it.
641 */
642 if (ps->ifaces_size * 2 < ps->ifaces_size) {
643 /*
644 * The maximum number of interfaces before
645 * ps->ifaces_size overflows is the largest
646 * possible 32-bit power of 2, as we do
647 * size doubling.
648 */
649 snprintf(errbuf, PCAP_ERRBUF_SIZE,
650 "more than %u interfaces in the file",
651 0x80000000U);
652 return (0);
653 }
654
655 /*
656 * ps->ifaces_size * 2 doesn't overflow, so it's
657 * safe to multiply.
658 */
659 new_ifaces_size = ps->ifaces_size * 2;
660
661 /*
662 * Now make sure that's not so big that it overflows
663 * if we multiply by sizeof (struct pcap_ng_if).
664 *
665 * That can happen on 32-bit platforms, with a 32-bit
666 * size_t; it shouldn't happen on 64-bit platforms,
667 * with a 64-bit size_t, as new_ifaces_size is
668 * 32 bits.
669 */
670 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
671 /*
672 * As this fails only with 32-bit size_t,
673 * the multiplication was 32x32->32, and
674 * the largest 32-bit value that can safely
675 * be multiplied by sizeof (struct pcap_ng_if)
676 * without overflow is the largest 32-bit
677 * (unsigned) value divided by
678 * sizeof (struct pcap_ng_if).
679 */
680 snprintf(errbuf, PCAP_ERRBUF_SIZE,
681 "more than %u interfaces in the file",
682 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
683 return (0);
684 }
685 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
686 }
687 if (new_ifaces == NULL) {
688 /*
689 * We ran out of memory.
690 * Give up.
691 */
692 snprintf(errbuf, PCAP_ERRBUF_SIZE,
693 "out of memory for per-interface information (%u interfaces)",
694 ps->ifcount);
695 return (0);
696 }
697 ps->ifaces_size = new_ifaces_size;
698 ps->ifaces = new_ifaces;
699 }
700
701 ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
702
703 /*
704 * Set the default time stamp resolution and offset.
705 */
706 tsresol = 1000000; /* microsecond resolution */
707 is_binary = 0; /* which is a power of 10 */
708 tsoffset = 0; /* absolute timestamps */
709
710 /*
711 * Now look for various time stamp options, so we know
712 * how to interpret the time stamps for this interface.
713 */
714 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
715 errbuf) == -1)
716 return (0);
717
718 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
719 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
720
721 /*
722 * Determine whether we're scaling up or down or not
723 * at all for this interface.
724 */
725 if (tsresol == ps->user_tsresol) {
726 /*
727 * The resolution is the resolution the user wants,
728 * so we don't have to do scaling.
729 */
730 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
731 } else if (tsresol > ps->user_tsresol) {
732 /*
733 * The resolution is greater than what the user wants,
734 * so we have to scale the timestamps down.
735 */
736 if (is_binary)
737 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
738 else {
739 /*
740 * Calculate the scale factor.
741 */
742 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
743 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
744 }
745 } else {
746 /*
747 * The resolution is less than what the user wants,
748 * so we have to scale the timestamps up.
749 */
750 if (is_binary)
751 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
752 else {
753 /*
754 * Calculate the scale factor.
755 */
756 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
757 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
758 }
759 }
760 return (1);
761 }
762
763 /*
764 * Check whether this is a pcapng savefile and, if it is, extract the
765 * relevant information from the header.
766 */
767 pcap_t *
pcap_ng_check_header(const uint8_t * magic,FILE * fp,u_int precision,char * errbuf,int * err)768 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
769 char *errbuf, int *err)
770 {
771 bpf_u_int32 magic_int;
772 size_t amt_read;
773 bpf_u_int32 total_length;
774 bpf_u_int32 byte_order_magic;
775 struct block_header *bhdrp;
776 struct section_header_block *shbp;
777 pcap_t *p;
778 int swapped = 0;
779 struct pcap_ng_sf *ps;
780 int status;
781 struct block_cursor cursor;
782 struct interface_description_block *idbp;
783
784 /*
785 * Assume no read errors.
786 */
787 *err = 0;
788
789 /*
790 * Check whether the first 4 bytes of the file are the block
791 * type for a pcapng savefile.
792 */
793 memcpy(&magic_int, magic, sizeof(magic_int));
794 if (magic_int != BT_SHB) {
795 /*
796 * XXX - check whether this looks like what the block
797 * type would be after being munged by mapping between
798 * UN*X and DOS/Windows text file format and, if it
799 * does, look for the byte-order magic number in
800 * the appropriate place and, if we find it, report
801 * this as possibly being a pcapng file transferred
802 * between UN*X and Windows in text file format?
803 */
804 return (NULL); /* nope */
805 }
806
807 /*
808 * OK, they are. However, that's just \n\r\r\n, so it could,
809 * conceivably, be an ordinary text file.
810 *
811 * It could not, however, conceivably be any other type of
812 * capture file, so we can read the rest of the putative
813 * Section Header Block; put the block type in the common
814 * header, read the rest of the common header and the
815 * fixed-length portion of the SHB, and look for the byte-order
816 * magic value.
817 */
818 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
819 if (amt_read < sizeof(total_length)) {
820 if (ferror(fp)) {
821 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
822 errno, "error reading dump file");
823 *err = 1;
824 return (NULL); /* fail */
825 }
826
827 /*
828 * Possibly a weird short text file, so just say
829 * "not pcapng".
830 */
831 return (NULL);
832 }
833 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
834 if (amt_read < sizeof(byte_order_magic)) {
835 if (ferror(fp)) {
836 pcapint_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
837 errno, "error reading dump file");
838 *err = 1;
839 return (NULL); /* fail */
840 }
841
842 /*
843 * Possibly a weird short text file, so just say
844 * "not pcapng".
845 */
846 return (NULL);
847 }
848 if (byte_order_magic != BYTE_ORDER_MAGIC) {
849 byte_order_magic = SWAPLONG(byte_order_magic);
850 if (byte_order_magic != BYTE_ORDER_MAGIC) {
851 /*
852 * Not a pcapng file.
853 */
854 return (NULL);
855 }
856 swapped = 1;
857 total_length = SWAPLONG(total_length);
858 }
859
860 /*
861 * Check the sanity of the total length.
862 */
863 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
864 (total_length > BT_SHB_INSANE_MAX)) {
865 snprintf(errbuf, PCAP_ERRBUF_SIZE,
866 "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
867 sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
868 total_length,
869 BT_SHB_INSANE_MAX);
870
871 *err = 1;
872 return (NULL);
873 }
874
875 /*
876 * OK, this is a good pcapng file.
877 * Allocate a pcap_t for it.
878 */
879 p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
880 if (p == NULL) {
881 /* Allocation failed. */
882 *err = 1;
883 return (NULL);
884 }
885 p->swapped = swapped;
886 ps = p->priv;
887
888 /*
889 * What precision does the user want?
890 */
891 switch (precision) {
892
893 case PCAP_TSTAMP_PRECISION_MICRO:
894 ps->user_tsresol = 1000000;
895 break;
896
897 case PCAP_TSTAMP_PRECISION_NANO:
898 ps->user_tsresol = 1000000000;
899 break;
900
901 default:
902 snprintf(errbuf, PCAP_ERRBUF_SIZE,
903 "unknown time stamp resolution %u", precision);
904 free(p);
905 *err = 1;
906 return (NULL);
907 }
908
909 p->opt.tstamp_precision = precision;
910
911 /*
912 * Allocate a buffer into which to read blocks. We default to
913 * the maximum of:
914 *
915 * the total length of the SHB for which we read the header;
916 *
917 * 2K, which should be more than large enough for an Enhanced
918 * Packet Block containing a full-size Ethernet frame, and
919 * leaving room for some options.
920 *
921 * If we find a bigger block, we reallocate the buffer, up to
922 * the maximum size. We start out with a maximum size of
923 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
924 * with a maximum snapshot that results in a larger maximum
925 * block length, we boost the maximum.
926 */
927 p->bufsize = 2048;
928 if (p->bufsize < total_length)
929 p->bufsize = total_length;
930 p->buffer = malloc(p->bufsize);
931 if (p->buffer == NULL) {
932 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
933 free(p);
934 *err = 1;
935 return (NULL);
936 }
937 ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
938
939 /*
940 * Copy the stuff we've read to the buffer, and read the rest
941 * of the SHB.
942 */
943 bhdrp = (struct block_header *)p->buffer;
944 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
945 bhdrp->block_type = magic_int;
946 bhdrp->total_length = total_length;
947 shbp->byte_order_magic = byte_order_magic;
948 if (read_bytes(fp,
949 (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
950 total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
951 1, errbuf) == -1)
952 goto fail;
953
954 if (p->swapped) {
955 /*
956 * Byte-swap the fields we've read.
957 */
958 shbp->major_version = SWAPSHORT(shbp->major_version);
959 shbp->minor_version = SWAPSHORT(shbp->minor_version);
960
961 /*
962 * XXX - we don't care about the section length.
963 */
964 }
965 /* Currently only SHB versions 1.0 and 1.2 are supported;
966 version 1.2 is treated as being the same as version 1.0.
967 See the current version of the pcapng specification.
968
969 Version 1.2 is written by some programs that write additional
970 block types (which can be read by any code that handles them,
971 regardless of whether the minor version if 0 or 2, so that's
972 not a reason to change the minor version number).
973
974 XXX - the pcapng specification says that readers should
975 just ignore sections with an unsupported version number;
976 presumably they can also report an error if they skip
977 all the way to the end of the file without finding
978 any versions that they support. */
979 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
980 (shbp->minor_version == PCAP_NG_VERSION_MINOR ||
981 shbp->minor_version == 2))) {
982 snprintf(errbuf, PCAP_ERRBUF_SIZE,
983 "unsupported pcapng savefile version %u.%u",
984 shbp->major_version, shbp->minor_version);
985 goto fail;
986 }
987 p->version_major = shbp->major_version;
988 p->version_minor = shbp->minor_version;
989
990 /*
991 * Save the time stamp resolution the user requested.
992 */
993 p->opt.tstamp_precision = precision;
994
995 /*
996 * Now start looking for an Interface Description Block.
997 */
998 for (;;) {
999 /*
1000 * Read the next block.
1001 */
1002 status = read_block(fp, p, &cursor, errbuf);
1003 if (status == 0) {
1004 /* EOF - no IDB in this file */
1005 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1006 "the capture file has no Interface Description Blocks");
1007 goto fail;
1008 }
1009 if (status == -1)
1010 goto fail; /* error */
1011 switch (cursor.block_type) {
1012
1013 case BT_IDB:
1014 /*
1015 * Get a pointer to the fixed-length portion of the
1016 * IDB.
1017 */
1018 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1019 errbuf);
1020 if (idbp == NULL)
1021 goto fail; /* error */
1022
1023 /*
1024 * Byte-swap it if necessary.
1025 */
1026 if (p->swapped) {
1027 idbp->linktype = SWAPSHORT(idbp->linktype);
1028 idbp->snaplen = SWAPLONG(idbp->snaplen);
1029 }
1030
1031 /*
1032 * Try to add this interface.
1033 */
1034 if (!add_interface(p, idbp, &cursor, errbuf))
1035 goto fail;
1036
1037 goto done;
1038
1039 case BT_EPB:
1040 case BT_SPB:
1041 case BT_PB:
1042 /*
1043 * Saw a packet before we saw any IDBs. That's
1044 * not valid, as we don't know what link-layer
1045 * encapsulation the packet has.
1046 */
1047 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1048 "the capture file has a packet block before any Interface Description Blocks");
1049 goto fail;
1050
1051 default:
1052 /*
1053 * Just ignore it.
1054 */
1055 break;
1056 }
1057 }
1058
1059 done:
1060 p->linktype = linktype_to_dlt(idbp->linktype);
1061 p->snapshot = pcapint_adjust_snapshot(p->linktype, idbp->snaplen);
1062 p->linktype_ext = 0;
1063
1064 /*
1065 * If the maximum block size for a packet with the maximum
1066 * snapshot length for this DLT_ is bigger than the current
1067 * maximum block size, increase the maximum.
1068 */
1069 if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1070 ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
1071
1072 p->next_packet_op = pcap_ng_next_packet;
1073 p->cleanup_op = pcap_ng_cleanup;
1074
1075 return (p);
1076
1077 fail:
1078 free(ps->ifaces);
1079 free(p->buffer);
1080 free(p);
1081 *err = 1;
1082 return (NULL);
1083 }
1084
1085 static void
pcap_ng_cleanup(pcap_t * p)1086 pcap_ng_cleanup(pcap_t *p)
1087 {
1088 struct pcap_ng_sf *ps = p->priv;
1089
1090 free(ps->ifaces);
1091 pcapint_sf_cleanup(p);
1092 }
1093
1094 /*
1095 * Read and return the next packet from the savefile. Return the header
1096 * in hdr and a pointer to the contents in data. Return 1 on success, 0
1097 * if there were no more packets, and -1 on an error.
1098 */
1099 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1100 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1101 {
1102 struct pcap_ng_sf *ps = p->priv;
1103 struct block_cursor cursor;
1104 int status;
1105 struct enhanced_packet_block *epbp;
1106 struct simple_packet_block *spbp;
1107 struct packet_block *pbp;
1108 bpf_u_int32 interface_id = 0xFFFFFFFF;
1109 struct interface_description_block *idbp;
1110 struct section_header_block *shbp;
1111 FILE *fp = p->rfile;
1112 uint64_t t, sec, frac;
1113
1114 /*
1115 * Look for an Enhanced Packet Block, a Simple Packet Block,
1116 * or a Packet Block.
1117 */
1118 for (;;) {
1119 /*
1120 * Read the block type and length; those are common
1121 * to all blocks.
1122 */
1123 status = read_block(fp, p, &cursor, p->errbuf);
1124 if (status == 0)
1125 return (0); /* EOF */
1126 if (status == -1)
1127 return (-1); /* error */
1128 switch (cursor.block_type) {
1129
1130 case BT_EPB:
1131 /*
1132 * Get a pointer to the fixed-length portion of the
1133 * EPB.
1134 */
1135 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1136 p->errbuf);
1137 if (epbp == NULL)
1138 return (-1); /* error */
1139
1140 /*
1141 * Byte-swap it if necessary.
1142 */
1143 if (p->swapped) {
1144 /* these were written in opposite byte order */
1145 interface_id = SWAPLONG(epbp->interface_id);
1146 hdr->caplen = SWAPLONG(epbp->caplen);
1147 hdr->len = SWAPLONG(epbp->len);
1148 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1149 SWAPLONG(epbp->timestamp_low);
1150 } else {
1151 interface_id = epbp->interface_id;
1152 hdr->caplen = epbp->caplen;
1153 hdr->len = epbp->len;
1154 t = ((uint64_t)epbp->timestamp_high) << 32 |
1155 epbp->timestamp_low;
1156 }
1157 goto found;
1158
1159 case BT_SPB:
1160 /*
1161 * Get a pointer to the fixed-length portion of the
1162 * SPB.
1163 */
1164 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1165 p->errbuf);
1166 if (spbp == NULL)
1167 return (-1); /* error */
1168
1169 /*
1170 * SPB packets are assumed to have arrived on
1171 * the first interface.
1172 */
1173 interface_id = 0;
1174
1175 /*
1176 * Byte-swap it if necessary.
1177 */
1178 if (p->swapped) {
1179 /* these were written in opposite byte order */
1180 hdr->len = SWAPLONG(spbp->len);
1181 } else
1182 hdr->len = spbp->len;
1183
1184 /*
1185 * The SPB doesn't give the captured length;
1186 * it's the minimum of the snapshot length
1187 * and the packet length.
1188 */
1189 hdr->caplen = hdr->len;
1190 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1191 hdr->caplen = p->snapshot;
1192 t = 0; /* no time stamps */
1193 goto found;
1194
1195 case BT_PB:
1196 /*
1197 * Get a pointer to the fixed-length portion of the
1198 * PB.
1199 */
1200 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1201 p->errbuf);
1202 if (pbp == NULL)
1203 return (-1); /* error */
1204
1205 /*
1206 * Byte-swap it if necessary.
1207 */
1208 if (p->swapped) {
1209 /* these were written in opposite byte order */
1210 interface_id = SWAPSHORT(pbp->interface_id);
1211 hdr->caplen = SWAPLONG(pbp->caplen);
1212 hdr->len = SWAPLONG(pbp->len);
1213 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1214 SWAPLONG(pbp->timestamp_low);
1215 } else {
1216 interface_id = pbp->interface_id;
1217 hdr->caplen = pbp->caplen;
1218 hdr->len = pbp->len;
1219 t = ((uint64_t)pbp->timestamp_high) << 32 |
1220 pbp->timestamp_low;
1221 }
1222 goto found;
1223
1224 case BT_IDB:
1225 /*
1226 * Interface Description Block. Get a pointer
1227 * to its fixed-length portion.
1228 */
1229 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1230 p->errbuf);
1231 if (idbp == NULL)
1232 return (-1); /* error */
1233
1234 /*
1235 * Byte-swap it if necessary.
1236 */
1237 if (p->swapped) {
1238 idbp->linktype = SWAPSHORT(idbp->linktype);
1239 idbp->snaplen = SWAPLONG(idbp->snaplen);
1240 }
1241
1242 /*
1243 * If the link-layer type or snapshot length
1244 * differ from the ones for the first IDB we
1245 * saw, quit.
1246 *
1247 * XXX - just discard packets from those
1248 * interfaces?
1249 */
1250 if (p->linktype != idbp->linktype) {
1251 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1252 "an interface has a type %u different from the type of the first interface",
1253 idbp->linktype);
1254 return (-1);
1255 }
1256
1257 /*
1258 * Check against the *adjusted* value of this IDB's
1259 * snapshot length.
1260 */
1261 if ((bpf_u_int32)p->snapshot !=
1262 pcapint_adjust_snapshot(p->linktype, idbp->snaplen)) {
1263 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1264 "an interface has a snapshot length %u different from the snapshot length of the first interface",
1265 idbp->snaplen);
1266 return (-1);
1267 }
1268
1269 /*
1270 * Try to add this interface.
1271 */
1272 if (!add_interface(p, idbp, &cursor, p->errbuf))
1273 return (-1);
1274 break;
1275
1276 case BT_SHB:
1277 /*
1278 * Section Header Block. Get a pointer
1279 * to its fixed-length portion.
1280 */
1281 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1282 p->errbuf);
1283 if (shbp == NULL)
1284 return (-1); /* error */
1285
1286 /*
1287 * Assume the byte order of this section is
1288 * the same as that of the previous section.
1289 * We'll check for that later.
1290 */
1291 if (p->swapped) {
1292 shbp->byte_order_magic =
1293 SWAPLONG(shbp->byte_order_magic);
1294 shbp->major_version =
1295 SWAPSHORT(shbp->major_version);
1296 }
1297
1298 /*
1299 * Make sure the byte order doesn't change;
1300 * pcap_is_swapped() shouldn't change its
1301 * return value in the middle of reading a capture.
1302 */
1303 switch (shbp->byte_order_magic) {
1304
1305 case BYTE_ORDER_MAGIC:
1306 /*
1307 * OK.
1308 */
1309 break;
1310
1311 case SWAPLONG(BYTE_ORDER_MAGIC):
1312 /*
1313 * Byte order changes.
1314 */
1315 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1316 "the file has sections with different byte orders");
1317 return (-1);
1318
1319 default:
1320 /*
1321 * Not a valid SHB.
1322 */
1323 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1324 "the file has a section with a bad byte order magic field");
1325 return (-1);
1326 }
1327
1328 /*
1329 * Make sure the major version is the version
1330 * we handle.
1331 */
1332 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1333 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1334 "unknown pcapng savefile major version number %u",
1335 shbp->major_version);
1336 return (-1);
1337 }
1338
1339 /*
1340 * Reset the interface count; this section should
1341 * have its own set of IDBs. If any of them
1342 * don't have the same interface type, snapshot
1343 * length, or resolution as the first interface
1344 * we saw, we'll fail. (And if we don't see
1345 * any IDBs, we'll fail when we see a packet
1346 * block.)
1347 */
1348 ps->ifcount = 0;
1349 break;
1350
1351 default:
1352 /*
1353 * Not a packet block, IDB, or SHB; ignore it.
1354 */
1355 break;
1356 }
1357 }
1358
1359 found:
1360 /*
1361 * Is the interface ID an interface we know?
1362 */
1363 if (interface_id >= ps->ifcount) {
1364 /*
1365 * Yes. Fail.
1366 */
1367 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1368 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1369 interface_id);
1370 return (-1);
1371 }
1372
1373 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1374 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1375 "invalid packet capture length %u, bigger than "
1376 "snaplen of %d", hdr->caplen, p->snapshot);
1377 return (-1);
1378 }
1379
1380 /*
1381 * Convert the time stamp to seconds and fractions of a second,
1382 * with the fractions being in units of the file-supplied resolution.
1383 */
1384 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1385 frac = t % ps->ifaces[interface_id].tsresol;
1386
1387 /*
1388 * Convert the fractions from units of the file-supplied resolution
1389 * to units of the user-requested resolution.
1390 */
1391 switch (ps->ifaces[interface_id].scale_type) {
1392
1393 case PASS_THROUGH:
1394 /*
1395 * The interface resolution is what the user wants,
1396 * so we're done.
1397 */
1398 break;
1399
1400 case SCALE_UP_DEC:
1401 /*
1402 * The interface resolution is less than what the user
1403 * wants; scale the fractional part up to the units of
1404 * the resolution the user requested by multiplying by
1405 * the quotient of the user-requested resolution and the
1406 * file-supplied resolution.
1407 *
1408 * Those resolutions are both powers of 10, and the user-
1409 * requested resolution is greater than the file-supplied
1410 * resolution, so the quotient in question is an integer.
1411 * We've calculated that quotient already, so we just
1412 * multiply by it.
1413 */
1414 frac *= ps->ifaces[interface_id].scale_factor;
1415 break;
1416
1417 case SCALE_UP_BIN:
1418 /*
1419 * The interface resolution is less than what the user
1420 * wants; scale the fractional part up to the units of
1421 * the resolution the user requested by multiplying by
1422 * the quotient of the user-requested resolution and the
1423 * file-supplied resolution.
1424 *
1425 * The file-supplied resolution is a power of 2, so the
1426 * quotient is not an integer, so, in order to do this
1427 * entirely with integer arithmetic, we multiply by the
1428 * user-requested resolution and divide by the file-
1429 * supplied resolution.
1430 *
1431 * XXX - Is there something clever we could do here,
1432 * given that we know that the file-supplied resolution
1433 * is a power of 2? Doing a multiplication followed by
1434 * a division runs the risk of overflowing, and involves
1435 * two non-simple arithmetic operations.
1436 */
1437 frac *= ps->user_tsresol;
1438 frac /= ps->ifaces[interface_id].tsresol;
1439 break;
1440
1441 case SCALE_DOWN_DEC:
1442 /*
1443 * The interface resolution is greater than what the user
1444 * wants; scale the fractional part up to the units of
1445 * the resolution the user requested by multiplying by
1446 * the quotient of the user-requested resolution and the
1447 * file-supplied resolution.
1448 *
1449 * Those resolutions are both powers of 10, and the user-
1450 * requested resolution is less than the file-supplied
1451 * resolution, so the quotient in question isn't an
1452 * integer, but its reciprocal is, and we can just divide
1453 * by the reciprocal of the quotient. We've calculated
1454 * the reciprocal of that quotient already, so we must
1455 * divide by it.
1456 */
1457 frac /= ps->ifaces[interface_id].scale_factor;
1458 break;
1459
1460
1461 case SCALE_DOWN_BIN:
1462 /*
1463 * The interface resolution is greater than what the user
1464 * wants; convert the fractional part to units of the
1465 * resolution the user requested by multiplying by the
1466 * quotient of the user-requested resolution and the
1467 * file-supplied resolution. We do that by multiplying
1468 * by the user-requested resolution and dividing by the
1469 * file-supplied resolution, as the quotient might not
1470 * fit in an integer.
1471 *
1472 * The file-supplied resolution is a power of 2, so the
1473 * quotient is not an integer, and neither is its
1474 * reciprocal, so, in order to do this entirely with
1475 * integer arithmetic, we multiply by the user-requested
1476 * resolution and divide by the file-supplied resolution.
1477 *
1478 * XXX - Is there something clever we could do here,
1479 * given that we know that the file-supplied resolution
1480 * is a power of 2? Doing a multiplication followed by
1481 * a division runs the risk of overflowing, and involves
1482 * two non-simple arithmetic operations.
1483 */
1484 frac *= ps->user_tsresol;
1485 frac /= ps->ifaces[interface_id].tsresol;
1486 break;
1487 }
1488 #ifdef _WIN32
1489 /*
1490 * tv_sec and tv_usec in the Windows struct timeval are both
1491 * longs.
1492 */
1493 hdr->ts.tv_sec = (long)sec;
1494 hdr->ts.tv_usec = (long)frac;
1495 #else
1496 /*
1497 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1498 * suseconds_t in UN*Xes that work the way the current Single
1499 * UNIX Standard specify - but not all older UN*Xes necessarily
1500 * support that type, so just cast to int.
1501 */
1502 hdr->ts.tv_sec = (time_t)sec;
1503 hdr->ts.tv_usec = (int)frac;
1504 #endif
1505
1506 /*
1507 * Get a pointer to the packet data.
1508 */
1509 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1510 if (*data == NULL)
1511 return (-1);
1512
1513 pcapint_post_process(p->linktype, p->swapped, hdr, *data);
1514
1515 return (1);
1516 }
1517