1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * sf-pcap.c - libpcap-file-format-specific code from savefile.c 22 * Extraction/creation by Jeffrey Mogul, DECWRL 23 * Modified by Steve McCanne, LBL. 24 * 25 * Used to save the received packet headers, after filtering, to 26 * a file, and then read them later. 27 * The first record in the file contains saved values for the machine 28 * dependent values so we can print the dump file on any architecture. 29 */ 30 31 #ifndef lint 32 static const char rcsid[] _U_ = 33 "@(#) $Header$ (LBL)"; 34 #endif 35 36 #ifdef HAVE_CONFIG_H 37 #include "config.h" 38 #endif 39 40 #ifdef WIN32 41 #include <pcap-stdinc.h> 42 #else /* WIN32 */ 43 #if HAVE_INTTYPES_H 44 #include <inttypes.h> 45 #elif HAVE_STDINT_H 46 #include <stdint.h> 47 #endif 48 #ifdef HAVE_SYS_BITYPES_H 49 #include <sys/bitypes.h> 50 #endif 51 #include <sys/types.h> 52 #endif /* WIN32 */ 53 54 #include <errno.h> 55 #include <memory.h> 56 #include <stdio.h> 57 #include <stdlib.h> 58 #include <string.h> 59 60 #include "pcap-int.h" 61 62 #include "pcap-common.h" 63 64 #ifdef HAVE_OS_PROTO_H 65 #include "os-proto.h" 66 #endif 67 68 #include "sf-pcap.h" 69 70 /* 71 * Setting O_BINARY on DOS/Windows is a bit tricky 72 */ 73 #if defined(WIN32) 74 #define SET_BINMODE(f) _setmode(_fileno(f), _O_BINARY) 75 #elif defined(MSDOS) 76 #if defined(__HIGHC__) 77 #define SET_BINMODE(f) setmode(f, O_BINARY) 78 #else 79 #define SET_BINMODE(f) setmode(fileno(f), O_BINARY) 80 #endif 81 #endif 82 83 /* 84 * Standard libpcap format. 85 */ 86 #define TCPDUMP_MAGIC 0xa1b2c3d4 87 88 /* 89 * Alexey Kuznetzov's modified libpcap format. 90 */ 91 #define KUZNETZOV_TCPDUMP_MAGIC 0xa1b2cd34 92 93 /* 94 * Reserved for Francisco Mesquita <francisco.mesquita@radiomovel.pt> 95 * for another modified format. 96 */ 97 #define FMESQUITA_TCPDUMP_MAGIC 0xa1b234cd 98 99 /* 100 * Navtel Communcations' format, with nanosecond timestamps, 101 * as per a request from Dumas Hwang <dumas.hwang@navtelcom.com>. 102 */ 103 #define NAVTEL_TCPDUMP_MAGIC 0xa12b3c4d 104 105 /* 106 * Normal libpcap format, except for seconds/nanoseconds timestamps, 107 * as per a request by Ulf Lamping <ulf.lamping@web.de> 108 */ 109 #define NSEC_TCPDUMP_MAGIC 0xa1b23c4d 110 111 /* 112 * Mechanism for storing information about a capture in the upper 113 * 6 bits of a linktype value in a capture file. 114 * 115 * LT_LINKTYPE_EXT(x) extracts the additional information. 116 * 117 * The rest of the bits are for a value describing the link-layer 118 * value. LT_LINKTYPE(x) extracts that value. 119 */ 120 #define LT_LINKTYPE(x) ((x) & 0x03FFFFFF) 121 #define LT_LINKTYPE_EXT(x) ((x) & 0xFC000000) 122 123 static int pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **datap); 124 125 /* 126 * Check whether this is a pcap savefile and, if it is, extract the 127 * relevant information from the header. 128 */ 129 int 130 pcap_check_header(pcap_t *p, bpf_u_int32 magic, FILE *fp, char *errbuf) 131 { 132 struct pcap_file_header hdr; 133 size_t amt_read; 134 135 /* 136 * Check whether the first 4 bytes of the file are the magic 137 * number for a pcap savefile, or for a byte-swapped pcap 138 * savefile. 139 */ 140 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 141 magic = SWAPLONG(magic); 142 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) 143 return (0); /* nope */ 144 p->sf.swapped = 1; 145 } 146 147 /* 148 * They are. Put the magic number in the header, and read 149 * the rest of the header. 150 */ 151 hdr.magic = magic; 152 amt_read = fread(((char *)&hdr) + sizeof hdr.magic, 1, 153 sizeof(hdr) - sizeof(hdr.magic), fp); 154 if (amt_read != sizeof(hdr) - sizeof(hdr.magic)) { 155 if (ferror(fp)) { 156 snprintf(errbuf, PCAP_ERRBUF_SIZE, 157 "error reading dump file: %s", 158 pcap_strerror(errno)); 159 } else { 160 snprintf(errbuf, PCAP_ERRBUF_SIZE, 161 "truncated dump file; tried to read %lu file header bytes, only got %lu", 162 (unsigned long)sizeof(hdr), 163 (unsigned long)amt_read); 164 } 165 return (-1); 166 } 167 168 /* 169 * If it's a byte-swapped capture file, byte-swap the header. 170 */ 171 if (p->sf.swapped) { 172 hdr.version_major = SWAPSHORT(hdr.version_major); 173 hdr.version_minor = SWAPSHORT(hdr.version_minor); 174 hdr.thiszone = SWAPLONG(hdr.thiszone); 175 hdr.sigfigs = SWAPLONG(hdr.sigfigs); 176 hdr.snaplen = SWAPLONG(hdr.snaplen); 177 hdr.linktype = SWAPLONG(hdr.linktype); 178 } 179 180 if (hdr.version_major < PCAP_VERSION_MAJOR) { 181 snprintf(errbuf, PCAP_ERRBUF_SIZE, 182 "archaic pcap savefile format"); 183 return (-1); 184 } 185 p->sf.version_major = hdr.version_major; 186 p->sf.version_minor = hdr.version_minor; 187 p->tzoff = hdr.thiszone; 188 p->snapshot = hdr.snaplen; 189 p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype)); 190 p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype); 191 192 p->sf.next_packet_op = pcap_next_packet; 193 194 /* 195 * We interchanged the caplen and len fields at version 2.3, 196 * in order to match the bpf header layout. But unfortunately 197 * some files were written with version 2.3 in their headers 198 * but without the interchanged fields. 199 * 200 * In addition, DG/UX tcpdump writes out files with a version 201 * number of 543.0, and with the caplen and len fields in the 202 * pre-2.3 order. 203 */ 204 switch (hdr.version_major) { 205 206 case 2: 207 if (hdr.version_minor < 3) 208 p->sf.lengths_swapped = SWAPPED; 209 else if (hdr.version_minor == 3) 210 p->sf.lengths_swapped = MAYBE_SWAPPED; 211 else 212 p->sf.lengths_swapped = NOT_SWAPPED; 213 break; 214 215 case 543: 216 p->sf.lengths_swapped = SWAPPED; 217 break; 218 219 default: 220 p->sf.lengths_swapped = NOT_SWAPPED; 221 break; 222 } 223 224 if (magic == KUZNETZOV_TCPDUMP_MAGIC) { 225 /* 226 * XXX - the patch that's in some versions of libpcap 227 * changes the packet header but not the magic number, 228 * and some other versions with this magic number have 229 * some extra debugging information in the packet header; 230 * we'd have to use some hacks^H^H^H^H^Hheuristics to 231 * detect those variants. 232 * 233 * Ethereal does that, but it does so by trying to read 234 * the first two packets of the file with each of the 235 * record header formats. That currently means it seeks 236 * backwards and retries the reads, which doesn't work 237 * on pipes. We want to be able to read from a pipe, so 238 * that strategy won't work; we'd have to buffer some 239 * data ourselves and read from that buffer in order to 240 * make that work. 241 */ 242 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr); 243 244 if (p->linktype == DLT_EN10MB) { 245 /* 246 * This capture might have been done in raw mode 247 * or cooked mode. 248 * 249 * If it was done in cooked mode, p->snapshot was 250 * passed to recvfrom() as the buffer size, meaning 251 * that the most packet data that would be copied 252 * would be p->snapshot. However, a faked Ethernet 253 * header would then have been added to it, so the 254 * most data that would be in a packet in the file 255 * would be p->snapshot + 14. 256 * 257 * We can't easily tell whether the capture was done 258 * in raw mode or cooked mode, so we'll assume it was 259 * cooked mode, and add 14 to the snapshot length. 260 * That means that, for a raw capture, the snapshot 261 * length will be misleading if you use it to figure 262 * out why a capture doesn't have all the packet data, 263 * but there's not much we can do to avoid that. 264 */ 265 p->snapshot += 14; 266 } 267 } else 268 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr); 269 270 /* 271 * Allocate a buffer for the packet data. 272 */ 273 p->bufsize = p->snapshot; 274 if (p->bufsize <= 0) 275 p->bufsize = BPF_MAXBUFSIZE; 276 p->buffer = malloc(p->bufsize); 277 if (p->buffer == NULL) { 278 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 279 return (-1); 280 } 281 282 return (1); 283 } 284 285 /* 286 * Read and return the next packet from the savefile. Return the header 287 * in hdr and a pointer to the contents in data. Return 0 on success, 1 288 * if there were no more packets, and -1 on an error. 289 */ 290 static int 291 pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data) 292 { 293 struct pcap_sf_patched_pkthdr sf_hdr; 294 FILE *fp = p->sf.rfile; 295 size_t amt_read; 296 bpf_u_int32 t; 297 298 /* 299 * Read the packet header; the structure we use as a buffer 300 * is the longer structure for files generated by the patched 301 * libpcap, but if the file has the magic number for an 302 * unpatched libpcap we only read as many bytes as the regular 303 * header has. 304 */ 305 amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp); 306 if (amt_read != p->sf.hdrsize) { 307 if (ferror(fp)) { 308 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 309 "error reading dump file: %s", 310 pcap_strerror(errno)); 311 return (-1); 312 } else { 313 if (amt_read != 0) { 314 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 315 "truncated dump file; tried to read %lu header bytes, only got %lu", 316 (unsigned long)p->sf.hdrsize, 317 (unsigned long)amt_read); 318 return (-1); 319 } 320 /* EOF */ 321 return (1); 322 } 323 } 324 325 if (p->sf.swapped) { 326 /* these were written in opposite byte order */ 327 hdr->caplen = SWAPLONG(sf_hdr.caplen); 328 hdr->len = SWAPLONG(sf_hdr.len); 329 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); 330 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); 331 } else { 332 hdr->caplen = sf_hdr.caplen; 333 hdr->len = sf_hdr.len; 334 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; 335 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; 336 } 337 /* Swap the caplen and len fields, if necessary. */ 338 switch (p->sf.lengths_swapped) { 339 340 case NOT_SWAPPED: 341 break; 342 343 case MAYBE_SWAPPED: 344 if (hdr->caplen <= hdr->len) { 345 /* 346 * The captured length is <= the actual length, 347 * so presumably they weren't swapped. 348 */ 349 break; 350 } 351 /* FALLTHROUGH */ 352 353 case SWAPPED: 354 t = hdr->caplen; 355 hdr->caplen = hdr->len; 356 hdr->len = t; 357 break; 358 } 359 360 if (hdr->caplen > p->bufsize) { 361 /* 362 * This can happen due to Solaris 2.3 systems tripping 363 * over the BUFMOD problem and not setting the snapshot 364 * correctly in the savefile header. If the caplen isn't 365 * grossly wrong, try to salvage. 366 */ 367 static u_char *tp = NULL; 368 static size_t tsize = 0; 369 370 if (hdr->caplen > 65535) { 371 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 372 "bogus savefile header"); 373 return (-1); 374 } 375 376 if (tsize < hdr->caplen) { 377 tsize = ((hdr->caplen + 1023) / 1024) * 1024; 378 if (tp != NULL) 379 free((u_char *)tp); 380 tp = (u_char *)malloc(tsize); 381 if (tp == NULL) { 382 tsize = 0; 383 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 384 "BUFMOD hack malloc"); 385 return (-1); 386 } 387 } 388 amt_read = fread((char *)tp, 1, hdr->caplen, fp); 389 if (amt_read != hdr->caplen) { 390 if (ferror(fp)) { 391 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 392 "error reading dump file: %s", 393 pcap_strerror(errno)); 394 } else { 395 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 396 "truncated dump file; tried to read %u captured bytes, only got %lu", 397 hdr->caplen, (unsigned long)amt_read); 398 } 399 return (-1); 400 } 401 /* 402 * We can only keep up to p->bufsize bytes. Since 403 * caplen > p->bufsize is exactly how we got here, 404 * we know we can only keep the first p->bufsize bytes 405 * and must drop the remainder. Adjust caplen accordingly, 406 * so we don't get confused later as to how many bytes we 407 * have to play with. 408 */ 409 hdr->caplen = p->bufsize; 410 memcpy(p->buffer, (char *)tp, p->bufsize); 411 } else { 412 /* read the packet itself */ 413 amt_read = fread(p->buffer, 1, hdr->caplen, fp); 414 if (amt_read != hdr->caplen) { 415 if (ferror(fp)) { 416 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 417 "error reading dump file: %s", 418 pcap_strerror(errno)); 419 } else { 420 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 421 "truncated dump file; tried to read %u captured bytes, only got %lu", 422 hdr->caplen, (unsigned long)amt_read); 423 } 424 return (-1); 425 } 426 } 427 *data = p->buffer; 428 429 if (p->sf.swapped) { 430 /* 431 * Convert pseudo-headers from the byte order of 432 * the host on which the file was saved to our 433 * byte order, as necessary. 434 */ 435 switch (p->linktype) { 436 437 case DLT_USB_LINUX: 438 swap_linux_usb_header(hdr, *data, 0); 439 break; 440 441 case DLT_USB_LINUX_MMAPPED: 442 swap_linux_usb_header(hdr, *data, 1); 443 break; 444 } 445 } 446 447 return (0); 448 } 449 450 static int 451 sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) 452 { 453 struct pcap_file_header hdr; 454 455 hdr.magic = TCPDUMP_MAGIC; 456 hdr.version_major = PCAP_VERSION_MAJOR; 457 hdr.version_minor = PCAP_VERSION_MINOR; 458 459 hdr.thiszone = thiszone; 460 hdr.snaplen = snaplen; 461 hdr.sigfigs = 0; 462 hdr.linktype = linktype; 463 464 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) 465 return (-1); 466 467 return (0); 468 } 469 470 /* 471 * Output a packet to the initialized dump file. 472 */ 473 void 474 pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 475 { 476 register FILE *f; 477 struct pcap_sf_pkthdr sf_hdr; 478 479 f = (FILE *)user; 480 sf_hdr.ts.tv_sec = h->ts.tv_sec; 481 sf_hdr.ts.tv_usec = h->ts.tv_usec; 482 sf_hdr.caplen = h->caplen; 483 sf_hdr.len = h->len; 484 /* XXX we should check the return status */ 485 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f); 486 (void)fwrite(sp, h->caplen, 1, f); 487 } 488 489 static pcap_dumper_t * 490 pcap_setup_dump(pcap_t *p, int linktype, FILE *f, const char *fname) 491 { 492 493 #if defined(WIN32) || defined(MSDOS) 494 /* 495 * If we're writing to the standard output, put it in binary 496 * mode, as savefiles are binary files. 497 * 498 * Otherwise, we turn off buffering. 499 * XXX - why? And why not on the standard output? 500 */ 501 if (f == stdout) 502 SET_BINMODE(f); 503 else 504 setbuf(f, NULL); 505 #endif 506 if (sf_write_header(f, linktype, p->tzoff, p->snapshot) == -1) { 507 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Can't write to %s: %s", 508 fname, pcap_strerror(errno)); 509 if (f != stdout) 510 (void)fclose(f); 511 return (NULL); 512 } 513 return ((pcap_dumper_t *)f); 514 } 515 516 /* 517 * Initialize so that sf_write() will output to the file named 'fname'. 518 */ 519 pcap_dumper_t * 520 pcap_dump_open(pcap_t *p, const char *fname) 521 { 522 FILE *f; 523 int linktype; 524 525 /* 526 * If this pcap_t hasn't been activated, it doesn't have a 527 * link-layer type, so we can't use it. 528 */ 529 if (!p->activated) { 530 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 531 "%s: not-yet-activated pcap_t passed to pcap_dump_open", 532 fname); 533 return (NULL); 534 } 535 linktype = dlt_to_linktype(p->linktype); 536 if (linktype == -1) { 537 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 538 "%s: link-layer type %d isn't supported in savefiles", 539 fname, p->linktype); 540 return (NULL); 541 } 542 linktype |= p->linktype_ext; 543 544 if (fname[0] == '-' && fname[1] == '\0') { 545 f = stdout; 546 fname = "standard output"; 547 } else { 548 #if !defined(WIN32) && !defined(MSDOS) 549 f = fopen(fname, "w"); 550 #else 551 f = fopen(fname, "wb"); 552 #endif 553 if (f == NULL) { 554 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", 555 fname, pcap_strerror(errno)); 556 return (NULL); 557 } 558 } 559 return (pcap_setup_dump(p, linktype, f, fname)); 560 } 561 562 /* 563 * Initialize so that sf_write() will output to the given stream. 564 */ 565 pcap_dumper_t * 566 pcap_dump_fopen(pcap_t *p, FILE *f) 567 { 568 int linktype; 569 570 linktype = dlt_to_linktype(p->linktype); 571 if (linktype == -1) { 572 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 573 "stream: link-layer type %d isn't supported in savefiles", 574 p->linktype); 575 return (NULL); 576 } 577 linktype |= p->linktype_ext; 578 579 return (pcap_setup_dump(p, linktype, f, "stream")); 580 } 581 582 FILE * 583 pcap_dump_file(pcap_dumper_t *p) 584 { 585 return ((FILE *)p); 586 } 587 588 long 589 pcap_dump_ftell(pcap_dumper_t *p) 590 { 591 return (ftell((FILE *)p)); 592 } 593 594 int 595 pcap_dump_flush(pcap_dumper_t *p) 596 { 597 598 if (fflush((FILE *)p) == EOF) 599 return (-1); 600 else 601 return (0); 602 } 603 604 void 605 pcap_dump_close(pcap_dumper_t *p) 606 { 607 608 #ifdef notyet 609 if (ferror((FILE *)p)) 610 return-an-error; 611 /* XXX should check return from fclose() too */ 612 #endif 613 (void)fclose((FILE *)p); 614 } 615