1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c 22 */ 23 24 #ifdef HAVE_CONFIG_H 25 #include <config.h> 26 #endif 27 28 #include <pcap/pcap-inttypes.h> 29 30 #include <errno.h> 31 #include <memory.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 36 #include "pcap-int.h" 37 38 #include "pcap-common.h" 39 40 #ifdef HAVE_OS_PROTO_H 41 #include "os-proto.h" 42 #endif 43 44 #include "sf-pcapng.h" 45 46 /* 47 * Block types. 48 */ 49 50 /* 51 * Common part at the beginning of all blocks. 52 */ 53 struct block_header { 54 bpf_u_int32 block_type; 55 bpf_u_int32 total_length; 56 }; 57 58 /* 59 * Common trailer at the end of all blocks. 60 */ 61 struct block_trailer { 62 bpf_u_int32 total_length; 63 }; 64 65 /* 66 * Common options. 67 */ 68 #define OPT_ENDOFOPT 0 /* end of options */ 69 #define OPT_COMMENT 1 /* comment string */ 70 71 /* 72 * Option header. 73 */ 74 struct option_header { 75 u_short option_code; 76 u_short option_length; 77 }; 78 79 /* 80 * Structures for the part of each block type following the common 81 * part. 82 */ 83 84 /* 85 * Section Header Block. 86 */ 87 #define BT_SHB 0x0A0D0D0A 88 89 struct section_header_block { 90 bpf_u_int32 byte_order_magic; 91 u_short major_version; 92 u_short minor_version; 93 uint64_t section_length; 94 /* followed by options and trailer */ 95 }; 96 97 /* 98 * Byte-order magic value. 99 */ 100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D 101 102 /* 103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR, 104 * that means that this code can't read the file. 105 */ 106 #define PCAP_NG_VERSION_MAJOR 1 107 #define PCAP_NG_VERSION_MINOR 0 108 109 /* 110 * Interface Description Block. 111 */ 112 #define BT_IDB 0x00000001 113 114 struct interface_description_block { 115 u_short linktype; 116 u_short reserved; 117 bpf_u_int32 snaplen; 118 /* followed by options and trailer */ 119 }; 120 121 /* 122 * Options in the IDB. 123 */ 124 #define IF_NAME 2 /* interface name string */ 125 #define IF_DESCRIPTION 3 /* interface description string */ 126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */ 127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */ 128 #define IF_MACADDR 6 /* interface's MAC address */ 129 #define IF_EUIADDR 7 /* interface's EUI address */ 130 #define IF_SPEED 8 /* interface's speed, in bits/s */ 131 #define IF_TSRESOL 9 /* interface's time stamp resolution */ 132 #define IF_TZONE 10 /* interface's time zone */ 133 #define IF_FILTER 11 /* filter used when capturing on interface */ 134 #define IF_OS 12 /* string OS on which capture on this interface was done */ 135 #define IF_FCSLEN 13 /* FCS length for this interface */ 136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */ 137 138 /* 139 * Enhanced Packet Block. 140 */ 141 #define BT_EPB 0x00000006 142 143 struct enhanced_packet_block { 144 bpf_u_int32 interface_id; 145 bpf_u_int32 timestamp_high; 146 bpf_u_int32 timestamp_low; 147 bpf_u_int32 caplen; 148 bpf_u_int32 len; 149 /* followed by packet data, options, and trailer */ 150 }; 151 152 /* 153 * Simple Packet Block. 154 */ 155 #define BT_SPB 0x00000003 156 157 struct simple_packet_block { 158 bpf_u_int32 len; 159 /* followed by packet data and trailer */ 160 }; 161 162 /* 163 * Packet Block. 164 */ 165 #define BT_PB 0x00000002 166 167 struct packet_block { 168 u_short interface_id; 169 u_short drops_count; 170 bpf_u_int32 timestamp_high; 171 bpf_u_int32 timestamp_low; 172 bpf_u_int32 caplen; 173 bpf_u_int32 len; 174 /* followed by packet data, options, and trailer */ 175 }; 176 177 /* 178 * Block cursor - used when processing the contents of a block. 179 * Contains a pointer into the data being processed and a count 180 * of bytes remaining in the block. 181 */ 182 struct block_cursor { 183 u_char *data; 184 size_t data_remaining; 185 bpf_u_int32 block_type; 186 }; 187 188 typedef enum { 189 PASS_THROUGH, 190 SCALE_UP_DEC, 191 SCALE_DOWN_DEC, 192 SCALE_UP_BIN, 193 SCALE_DOWN_BIN 194 } tstamp_scale_type_t; 195 196 /* 197 * Per-interface information. 198 */ 199 struct pcap_ng_if { 200 u_int tsresol; /* time stamp resolution */ 201 tstamp_scale_type_t scale_type; /* how to scale */ 202 u_int scale_factor; /* time stamp scale factor for power-of-10 tsresol */ 203 uint64_t tsoffset; /* time stamp offset */ 204 }; 205 206 /* 207 * Per-pcap_t private data. 208 * 209 * max_blocksize is the maximum size of a block that we'll accept. We 210 * reject blocks bigger than this, so we don't consume too much memory 211 * with a truly huge block. It can change as we see IDBs with different 212 * link-layer header types. (Currently, we don't support IDBs with 213 * different link-layer header types, but we will support it in the 214 * future, when we offer file-reading APIs that support it.) 215 * 216 * XXX - that's an issue on ILP32 platforms, where the maximum block 217 * size of 2^31-1 would eat all but one byte of the entire address space. 218 * It's less of an issue on ILP64/LLP64 platforms, but the actual size 219 * of the address space may be limited by 1) the number of *significant* 220 * address bits (currently, x86-64 only supports 48 bits of address), 2) 221 * any limitations imposed by the operating system; 3) any limitations 222 * imposed by the amount of available backing store for anonymous pages, 223 * so we impose a limit regardless of the size of a pointer. 224 */ 225 struct pcap_ng_sf { 226 u_int user_tsresol; /* time stamp resolution requested by the user */ 227 u_int max_blocksize; /* don't grow buffer size past this */ 228 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */ 229 bpf_u_int32 ifaces_size; /* size of array below */ 230 struct pcap_ng_if *ifaces; /* array of interface information */ 231 }; 232 233 /* 234 * Maximum block size for a given maximum snapshot length; we calculate 235 * this based 236 * 237 * We define it as the size of an EPB with a max_snaplen-sized 238 * packet and 128KB of options. 239 */ 240 #define MAX_BLOCKSIZE(max_snaplen) (sizeof (struct block_header) + \ 241 sizeof (struct enhanced_packet_block) + \ 242 (max_snaplen) + 131072 + \ 243 sizeof (struct block_trailer)) 244 245 static void pcap_ng_cleanup(pcap_t *p); 246 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, 247 u_char **data); 248 249 static int 250 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof, 251 char *errbuf) 252 { 253 size_t amt_read; 254 255 amt_read = fread(buf, 1, bytes_to_read, fp); 256 if (amt_read != bytes_to_read) { 257 if (ferror(fp)) { 258 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 259 errno, "error reading dump file"); 260 } else { 261 if (amt_read == 0 && !fail_on_eof) 262 return (0); /* EOF */ 263 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 264 "truncated dump file; tried to read %lu bytes, only got %lu", 265 (unsigned long)bytes_to_read, 266 (unsigned long)amt_read); 267 } 268 return (-1); 269 } 270 return (1); 271 } 272 273 static int 274 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf) 275 { 276 struct pcap_ng_sf *ps; 277 int status; 278 struct block_header bhdr; 279 u_char *bdata; 280 size_t data_remaining; 281 282 ps = p->priv; 283 284 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf); 285 if (status <= 0) 286 return (status); /* error or EOF */ 287 288 if (p->swapped) { 289 bhdr.block_type = SWAPLONG(bhdr.block_type); 290 bhdr.total_length = SWAPLONG(bhdr.total_length); 291 } 292 293 /* 294 * Is this block "too big"? 295 * 296 * We choose 16MB as "too big", for now, so that we handle 297 * "reasonably" large buffers but don't chew up all the 298 * memory if we read a malformed file. 299 */ 300 if (bhdr.total_length > 16*1024*1024) { 301 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 302 "pcapng block size %u > maximum %u", 303 bhdr.total_length, 16*1024*1024); 304 return (-1); 305 } 306 307 /* 308 * Is this block "too small" - i.e., is it shorter than a block 309 * header plus a block trailer? 310 */ 311 if (bhdr.total_length < sizeof(struct block_header) + 312 sizeof(struct block_trailer)) { 313 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 314 "block in pcapng dump file has a length of %u < %lu", 315 bhdr.total_length, 316 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer))); 317 return (-1); 318 } 319 320 /* 321 * Is the buffer big enough? 322 */ 323 if (p->bufsize < bhdr.total_length) { 324 /* 325 * No - make it big enough, unless it's too big. 326 */ 327 void *bigger_buffer; 328 329 if (bhdr.total_length > ps->max_blocksize) { 330 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "block is larger than maximum block size %u", 331 ps->max_blocksize); 332 return (-1); 333 } 334 bigger_buffer = realloc(p->buffer, bhdr.total_length); 335 if (bigger_buffer == NULL) { 336 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 337 return (-1); 338 } 339 p->buffer = bigger_buffer; 340 } 341 342 /* 343 * Copy the stuff we've read to the buffer, and read the rest 344 * of the block. 345 */ 346 memcpy(p->buffer, &bhdr, sizeof(bhdr)); 347 bdata = (u_char *)p->buffer + sizeof(bhdr); 348 data_remaining = bhdr.total_length - sizeof(bhdr); 349 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1) 350 return (-1); 351 352 /* 353 * Initialize the cursor. 354 */ 355 cursor->data = bdata; 356 cursor->data_remaining = data_remaining - sizeof(struct block_trailer); 357 cursor->block_type = bhdr.block_type; 358 return (1); 359 } 360 361 static void * 362 get_from_block_data(struct block_cursor *cursor, size_t chunk_size, 363 char *errbuf) 364 { 365 void *data; 366 367 /* 368 * Make sure we have the specified amount of data remaining in 369 * the block data. 370 */ 371 if (cursor->data_remaining < chunk_size) { 372 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 373 "block of type %u in pcapng dump file is too short", 374 cursor->block_type); 375 return (NULL); 376 } 377 378 /* 379 * Return the current pointer, and skip past the chunk. 380 */ 381 data = cursor->data; 382 cursor->data += chunk_size; 383 cursor->data_remaining -= chunk_size; 384 return (data); 385 } 386 387 static struct option_header * 388 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf) 389 { 390 struct option_header *opthdr; 391 392 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf); 393 if (opthdr == NULL) { 394 /* 395 * Option header is cut short. 396 */ 397 return (NULL); 398 } 399 400 /* 401 * Byte-swap it if necessary. 402 */ 403 if (p->swapped) { 404 opthdr->option_code = SWAPSHORT(opthdr->option_code); 405 opthdr->option_length = SWAPSHORT(opthdr->option_length); 406 } 407 408 return (opthdr); 409 } 410 411 static void * 412 get_optvalue_from_block_data(struct block_cursor *cursor, 413 struct option_header *opthdr, char *errbuf) 414 { 415 size_t padded_option_len; 416 void *optvalue; 417 418 /* Pad option length to 4-byte boundary */ 419 padded_option_len = opthdr->option_length; 420 padded_option_len = ((padded_option_len + 3)/4)*4; 421 422 optvalue = get_from_block_data(cursor, padded_option_len, errbuf); 423 if (optvalue == NULL) { 424 /* 425 * Option value is cut short. 426 */ 427 return (NULL); 428 } 429 430 return (optvalue); 431 } 432 433 static int 434 process_idb_options(pcap_t *p, struct block_cursor *cursor, u_int *tsresol, 435 uint64_t *tsoffset, int *is_binary, char *errbuf) 436 { 437 struct option_header *opthdr; 438 void *optvalue; 439 int saw_tsresol, saw_tsoffset; 440 u_char tsresol_opt; 441 u_int i; 442 443 saw_tsresol = 0; 444 saw_tsoffset = 0; 445 while (cursor->data_remaining != 0) { 446 /* 447 * Get the option header. 448 */ 449 opthdr = get_opthdr_from_block_data(p, cursor, errbuf); 450 if (opthdr == NULL) { 451 /* 452 * Option header is cut short. 453 */ 454 return (-1); 455 } 456 457 /* 458 * Get option value. 459 */ 460 optvalue = get_optvalue_from_block_data(cursor, opthdr, 461 errbuf); 462 if (optvalue == NULL) { 463 /* 464 * Option value is cut short. 465 */ 466 return (-1); 467 } 468 469 switch (opthdr->option_code) { 470 471 case OPT_ENDOFOPT: 472 if (opthdr->option_length != 0) { 473 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 474 "Interface Description Block has opt_endofopt option with length %u != 0", 475 opthdr->option_length); 476 return (-1); 477 } 478 goto done; 479 480 case IF_TSRESOL: 481 if (opthdr->option_length != 1) { 482 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 483 "Interface Description Block has if_tsresol option with length %u != 1", 484 opthdr->option_length); 485 return (-1); 486 } 487 if (saw_tsresol) { 488 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 489 "Interface Description Block has more than one if_tsresol option"); 490 return (-1); 491 } 492 saw_tsresol = 1; 493 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt)); 494 if (tsresol_opt & 0x80) { 495 /* 496 * Resolution is negative power of 2. 497 */ 498 *is_binary = 1; 499 *tsresol = 1 << (tsresol_opt & 0x7F); 500 } else { 501 /* 502 * Resolution is negative power of 10. 503 */ 504 *is_binary = 0; 505 *tsresol = 1; 506 for (i = 0; i < tsresol_opt; i++) 507 *tsresol *= 10; 508 } 509 if (*tsresol == 0) { 510 /* 511 * Resolution is too high. 512 */ 513 if (tsresol_opt & 0x80) { 514 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 515 "Interface Description Block if_tsresol option resolution 2^-%u is too high", 516 tsresol_opt & 0x7F); 517 } else { 518 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 519 "Interface Description Block if_tsresol option resolution 10^-%u is too high", 520 tsresol_opt); 521 } 522 return (-1); 523 } 524 break; 525 526 case IF_TSOFFSET: 527 if (opthdr->option_length != 8) { 528 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 529 "Interface Description Block has if_tsoffset option with length %u != 8", 530 opthdr->option_length); 531 return (-1); 532 } 533 if (saw_tsoffset) { 534 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 535 "Interface Description Block has more than one if_tsoffset option"); 536 return (-1); 537 } 538 saw_tsoffset = 1; 539 memcpy(tsoffset, optvalue, sizeof(*tsoffset)); 540 if (p->swapped) 541 *tsoffset = SWAPLL(*tsoffset); 542 break; 543 544 default: 545 break; 546 } 547 } 548 549 done: 550 return (0); 551 } 552 553 static int 554 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf) 555 { 556 struct pcap_ng_sf *ps; 557 u_int tsresol; 558 uint64_t tsoffset; 559 int is_binary; 560 561 ps = p->priv; 562 563 /* 564 * Count this interface. 565 */ 566 ps->ifcount++; 567 568 /* 569 * Grow the array of per-interface information as necessary. 570 */ 571 if (ps->ifcount > ps->ifaces_size) { 572 /* 573 * We need to grow the array. 574 */ 575 bpf_u_int32 new_ifaces_size; 576 struct pcap_ng_if *new_ifaces; 577 578 if (ps->ifaces_size == 0) { 579 /* 580 * It's currently empty. 581 * 582 * (The Clang static analyzer doesn't do enough, 583 * err, umm, dataflow *analysis* to realize that 584 * ps->ifaces_size == 0 if ps->ifaces == NULL, 585 * and so complains about a possible zero argument 586 * to realloc(), so we check for the former 587 * condition to shut it up. 588 * 589 * However, it doesn't complain that one of the 590 * multiplications below could overflow, which is 591 * a real, albeit extremely unlikely, problem (you'd 592 * need a pcapng file with tens of millions of 593 * interfaces).) 594 */ 595 new_ifaces_size = 1; 596 new_ifaces = malloc(sizeof (struct pcap_ng_if)); 597 } else { 598 /* 599 * It's not currently empty; double its size. 600 * (Perhaps overkill once we have a lot of interfaces.) 601 * 602 * Check for overflow if we double it. 603 */ 604 if (ps->ifaces_size * 2 < ps->ifaces_size) { 605 /* 606 * The maximum number of interfaces before 607 * ps->ifaces_size overflows is the largest 608 * possible 32-bit power of 2, as we do 609 * size doubling. 610 */ 611 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 612 "more than %u interfaces in the file", 613 0x80000000U); 614 return (0); 615 } 616 617 /* 618 * ps->ifaces_size * 2 doesn't overflow, so it's 619 * safe to multiply. 620 */ 621 new_ifaces_size = ps->ifaces_size * 2; 622 623 /* 624 * Now make sure that's not so big that it overflows 625 * if we multiply by sizeof (struct pcap_ng_if). 626 * 627 * That can happen on 32-bit platforms, with a 32-bit 628 * size_t; it shouldn't happen on 64-bit platforms, 629 * with a 64-bit size_t, as new_ifaces_size is 630 * 32 bits. 631 */ 632 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) { 633 /* 634 * As this fails only with 32-bit size_t, 635 * the multiplication was 32x32->32, and 636 * the largest 32-bit value that can safely 637 * be multiplied by sizeof (struct pcap_ng_if) 638 * without overflow is the largest 32-bit 639 * (unsigned) value divided by 640 * sizeof (struct pcap_ng_if). 641 */ 642 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 643 "more than %u interfaces in the file", 644 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if))); 645 return (0); 646 } 647 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if)); 648 } 649 if (new_ifaces == NULL) { 650 /* 651 * We ran out of memory. 652 * Give up. 653 */ 654 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 655 "out of memory for per-interface information (%u interfaces)", 656 ps->ifcount); 657 return (0); 658 } 659 ps->ifaces_size = new_ifaces_size; 660 ps->ifaces = new_ifaces; 661 } 662 663 /* 664 * Set the default time stamp resolution and offset. 665 */ 666 tsresol = 1000000; /* microsecond resolution */ 667 is_binary = 0; /* which is a power of 10 */ 668 tsoffset = 0; /* absolute timestamps */ 669 670 /* 671 * Now look for various time stamp options, so we know 672 * how to interpret the time stamps for this interface. 673 */ 674 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary, 675 errbuf) == -1) 676 return (0); 677 678 ps->ifaces[ps->ifcount - 1].tsresol = tsresol; 679 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset; 680 681 /* 682 * Determine whether we're scaling up or down or not 683 * at all for this interface. 684 */ 685 if (tsresol == ps->user_tsresol) { 686 /* 687 * The resolution is the resolution the user wants, 688 * so we don't have to do scaling. 689 */ 690 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH; 691 } else if (tsresol > ps->user_tsresol) { 692 /* 693 * The resolution is greater than what the user wants, 694 * so we have to scale the timestamps down. 695 */ 696 if (is_binary) 697 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN; 698 else { 699 /* 700 * Calculate the scale factor. 701 */ 702 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol; 703 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC; 704 } 705 } else { 706 /* 707 * The resolution is less than what the user wants, 708 * so we have to scale the timestamps up. 709 */ 710 if (is_binary) 711 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN; 712 else { 713 /* 714 * Calculate the scale factor. 715 */ 716 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol; 717 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC; 718 } 719 } 720 return (1); 721 } 722 723 /* 724 * Check whether this is a pcapng savefile and, if it is, extract the 725 * relevant information from the header. 726 */ 727 pcap_t * 728 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf, 729 int *err) 730 { 731 size_t amt_read; 732 bpf_u_int32 total_length; 733 bpf_u_int32 byte_order_magic; 734 struct block_header *bhdrp; 735 struct section_header_block *shbp; 736 pcap_t *p; 737 int swapped = 0; 738 struct pcap_ng_sf *ps; 739 int status; 740 struct block_cursor cursor; 741 struct interface_description_block *idbp; 742 743 /* 744 * Assume no read errors. 745 */ 746 *err = 0; 747 748 /* 749 * Check whether the first 4 bytes of the file are the block 750 * type for a pcapng savefile. 751 */ 752 if (magic != BT_SHB) { 753 /* 754 * XXX - check whether this looks like what the block 755 * type would be after being munged by mapping between 756 * UN*X and DOS/Windows text file format and, if it 757 * does, look for the byte-order magic number in 758 * the appropriate place and, if we find it, report 759 * this as possibly being a pcapng file transferred 760 * between UN*X and Windows in text file format? 761 */ 762 return (NULL); /* nope */ 763 } 764 765 /* 766 * OK, they are. However, that's just \n\r\r\n, so it could, 767 * conceivably, be an ordinary text file. 768 * 769 * It could not, however, conceivably be any other type of 770 * capture file, so we can read the rest of the putative 771 * Section Header Block; put the block type in the common 772 * header, read the rest of the common header and the 773 * fixed-length portion of the SHB, and look for the byte-order 774 * magic value. 775 */ 776 amt_read = fread(&total_length, 1, sizeof(total_length), fp); 777 if (amt_read < sizeof(total_length)) { 778 if (ferror(fp)) { 779 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 780 errno, "error reading dump file"); 781 *err = 1; 782 return (NULL); /* fail */ 783 } 784 785 /* 786 * Possibly a weird short text file, so just say 787 * "not pcapng". 788 */ 789 return (NULL); 790 } 791 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp); 792 if (amt_read < sizeof(byte_order_magic)) { 793 if (ferror(fp)) { 794 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 795 errno, "error reading dump file"); 796 *err = 1; 797 return (NULL); /* fail */ 798 } 799 800 /* 801 * Possibly a weird short text file, so just say 802 * "not pcapng". 803 */ 804 return (NULL); 805 } 806 if (byte_order_magic != BYTE_ORDER_MAGIC) { 807 byte_order_magic = SWAPLONG(byte_order_magic); 808 if (byte_order_magic != BYTE_ORDER_MAGIC) { 809 /* 810 * Not a pcapng file. 811 */ 812 return (NULL); 813 } 814 swapped = 1; 815 total_length = SWAPLONG(total_length); 816 } 817 818 /* 819 * Check the sanity of the total length. 820 */ 821 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) { 822 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 823 "Section Header Block in pcapng dump file has a length of %u < %lu", 824 total_length, 825 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer))); 826 *err = 1; 827 return (NULL); 828 } 829 830 /* 831 * OK, this is a good pcapng file. 832 * Allocate a pcap_t for it. 833 */ 834 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf)); 835 if (p == NULL) { 836 /* Allocation failed. */ 837 *err = 1; 838 return (NULL); 839 } 840 p->swapped = swapped; 841 ps = p->priv; 842 843 /* 844 * What precision does the user want? 845 */ 846 switch (precision) { 847 848 case PCAP_TSTAMP_PRECISION_MICRO: 849 ps->user_tsresol = 1000000; 850 break; 851 852 case PCAP_TSTAMP_PRECISION_NANO: 853 ps->user_tsresol = 1000000000; 854 break; 855 856 default: 857 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 858 "unknown time stamp resolution %u", precision); 859 free(p); 860 *err = 1; 861 return (NULL); 862 } 863 864 p->opt.tstamp_precision = precision; 865 866 /* 867 * Allocate a buffer into which to read blocks. We default to 868 * the maximum of: 869 * 870 * the total length of the SHB for which we read the header; 871 * 872 * 2K, which should be more than large enough for an Enhanced 873 * Packet Block containing a full-size Ethernet frame, and 874 * leaving room for some options. 875 * 876 * If we find a bigger block, we reallocate the buffer, up to 877 * the maximum size. We start out with a maximum size based 878 * on a maximum snapshot length of MAXIMUM_SNAPLEN; if we see 879 * any link-layer header types with a larger maximum snapshot 880 * length, we boost the maximum. 881 */ 882 p->bufsize = 2048; 883 if (p->bufsize < total_length) 884 p->bufsize = total_length; 885 p->buffer = malloc(p->bufsize); 886 if (p->buffer == NULL) { 887 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 888 free(p); 889 *err = 1; 890 return (NULL); 891 } 892 ps->max_blocksize = MAX_BLOCKSIZE(MAXIMUM_SNAPLEN); 893 894 /* 895 * Copy the stuff we've read to the buffer, and read the rest 896 * of the SHB. 897 */ 898 bhdrp = (struct block_header *)p->buffer; 899 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header)); 900 bhdrp->block_type = magic; 901 bhdrp->total_length = total_length; 902 shbp->byte_order_magic = byte_order_magic; 903 if (read_bytes(fp, 904 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)), 905 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)), 906 1, errbuf) == -1) 907 goto fail; 908 909 if (p->swapped) { 910 /* 911 * Byte-swap the fields we've read. 912 */ 913 shbp->major_version = SWAPSHORT(shbp->major_version); 914 shbp->minor_version = SWAPSHORT(shbp->minor_version); 915 916 /* 917 * XXX - we don't care about the section length. 918 */ 919 } 920 /* currently only SHB version 1.0 is supported */ 921 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR && 922 shbp->minor_version == PCAP_NG_VERSION_MINOR)) { 923 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 924 "unsupported pcapng savefile version %u.%u", 925 shbp->major_version, shbp->minor_version); 926 goto fail; 927 } 928 p->version_major = shbp->major_version; 929 p->version_minor = shbp->minor_version; 930 931 /* 932 * Save the time stamp resolution the user requested. 933 */ 934 p->opt.tstamp_precision = precision; 935 936 /* 937 * Now start looking for an Interface Description Block. 938 */ 939 for (;;) { 940 /* 941 * Read the next block. 942 */ 943 status = read_block(fp, p, &cursor, errbuf); 944 if (status == 0) { 945 /* EOF - no IDB in this file */ 946 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 947 "the capture file has no Interface Description Blocks"); 948 goto fail; 949 } 950 if (status == -1) 951 goto fail; /* error */ 952 switch (cursor.block_type) { 953 954 case BT_IDB: 955 /* 956 * Get a pointer to the fixed-length portion of the 957 * IDB. 958 */ 959 idbp = get_from_block_data(&cursor, sizeof(*idbp), 960 errbuf); 961 if (idbp == NULL) 962 goto fail; /* error */ 963 964 /* 965 * Byte-swap it if necessary. 966 */ 967 if (p->swapped) { 968 idbp->linktype = SWAPSHORT(idbp->linktype); 969 idbp->snaplen = SWAPLONG(idbp->snaplen); 970 } 971 972 /* 973 * Try to add this interface. 974 */ 975 if (!add_interface(p, &cursor, errbuf)) 976 goto fail; 977 978 goto done; 979 980 case BT_EPB: 981 case BT_SPB: 982 case BT_PB: 983 /* 984 * Saw a packet before we saw any IDBs. That's 985 * not valid, as we don't know what link-layer 986 * encapsulation the packet has. 987 */ 988 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 989 "the capture file has a packet block before any Interface Description Blocks"); 990 goto fail; 991 992 default: 993 /* 994 * Just ignore it. 995 */ 996 break; 997 } 998 } 999 1000 done: 1001 p->tzoff = 0; /* XXX - not used in pcap */ 1002 p->snapshot = idbp->snaplen; 1003 if (p->snapshot <= 0) { 1004 /* 1005 * Bogus snapshot length; use the maximum for this 1006 * link-layer type as a fallback. 1007 * 1008 * XXX - the only reason why snapshot is signed is 1009 * that pcap_snapshot() returns an int, not an 1010 * unsigned int. 1011 */ 1012 p->snapshot = max_snaplen_for_dlt(idbp->linktype); 1013 } 1014 p->linktype = linktype_to_dlt(idbp->linktype); 1015 p->linktype_ext = 0; 1016 1017 /* 1018 * If the maximum block size for a packet with the maximum 1019 * snapshot length for this DLT_ is bigger than the current 1020 * maximum block size, increase the maximum. 1021 */ 1022 if (MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize) 1023 ps->max_blocksize = MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)); 1024 1025 p->next_packet_op = pcap_ng_next_packet; 1026 p->cleanup_op = pcap_ng_cleanup; 1027 1028 return (p); 1029 1030 fail: 1031 free(ps->ifaces); 1032 free(p->buffer); 1033 free(p); 1034 *err = 1; 1035 return (NULL); 1036 } 1037 1038 static void 1039 pcap_ng_cleanup(pcap_t *p) 1040 { 1041 struct pcap_ng_sf *ps = p->priv; 1042 1043 free(ps->ifaces); 1044 sf_cleanup(p); 1045 } 1046 1047 /* 1048 * Read and return the next packet from the savefile. Return the header 1049 * in hdr and a pointer to the contents in data. Return 0 on success, 1 1050 * if there were no more packets, and -1 on an error. 1051 */ 1052 static int 1053 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data) 1054 { 1055 struct pcap_ng_sf *ps = p->priv; 1056 struct block_cursor cursor; 1057 int status; 1058 struct enhanced_packet_block *epbp; 1059 struct simple_packet_block *spbp; 1060 struct packet_block *pbp; 1061 bpf_u_int32 interface_id = 0xFFFFFFFF; 1062 struct interface_description_block *idbp; 1063 struct section_header_block *shbp; 1064 FILE *fp = p->rfile; 1065 uint64_t t, sec, frac; 1066 1067 /* 1068 * Look for an Enhanced Packet Block, a Simple Packet Block, 1069 * or a Packet Block. 1070 */ 1071 for (;;) { 1072 /* 1073 * Read the block type and length; those are common 1074 * to all blocks. 1075 */ 1076 status = read_block(fp, p, &cursor, p->errbuf); 1077 if (status == 0) 1078 return (1); /* EOF */ 1079 if (status == -1) 1080 return (-1); /* error */ 1081 switch (cursor.block_type) { 1082 1083 case BT_EPB: 1084 /* 1085 * Get a pointer to the fixed-length portion of the 1086 * EPB. 1087 */ 1088 epbp = get_from_block_data(&cursor, sizeof(*epbp), 1089 p->errbuf); 1090 if (epbp == NULL) 1091 return (-1); /* error */ 1092 1093 /* 1094 * Byte-swap it if necessary. 1095 */ 1096 if (p->swapped) { 1097 /* these were written in opposite byte order */ 1098 interface_id = SWAPLONG(epbp->interface_id); 1099 hdr->caplen = SWAPLONG(epbp->caplen); 1100 hdr->len = SWAPLONG(epbp->len); 1101 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 | 1102 SWAPLONG(epbp->timestamp_low); 1103 } else { 1104 interface_id = epbp->interface_id; 1105 hdr->caplen = epbp->caplen; 1106 hdr->len = epbp->len; 1107 t = ((uint64_t)epbp->timestamp_high) << 32 | 1108 epbp->timestamp_low; 1109 } 1110 goto found; 1111 1112 case BT_SPB: 1113 /* 1114 * Get a pointer to the fixed-length portion of the 1115 * SPB. 1116 */ 1117 spbp = get_from_block_data(&cursor, sizeof(*spbp), 1118 p->errbuf); 1119 if (spbp == NULL) 1120 return (-1); /* error */ 1121 1122 /* 1123 * SPB packets are assumed to have arrived on 1124 * the first interface. 1125 */ 1126 interface_id = 0; 1127 1128 /* 1129 * Byte-swap it if necessary. 1130 */ 1131 if (p->swapped) { 1132 /* these were written in opposite byte order */ 1133 hdr->len = SWAPLONG(spbp->len); 1134 } else 1135 hdr->len = spbp->len; 1136 1137 /* 1138 * The SPB doesn't give the captured length; 1139 * it's the minimum of the snapshot length 1140 * and the packet length. 1141 */ 1142 hdr->caplen = hdr->len; 1143 if (hdr->caplen > (bpf_u_int32)p->snapshot) 1144 hdr->caplen = p->snapshot; 1145 t = 0; /* no time stamps */ 1146 goto found; 1147 1148 case BT_PB: 1149 /* 1150 * Get a pointer to the fixed-length portion of the 1151 * PB. 1152 */ 1153 pbp = get_from_block_data(&cursor, sizeof(*pbp), 1154 p->errbuf); 1155 if (pbp == NULL) 1156 return (-1); /* error */ 1157 1158 /* 1159 * Byte-swap it if necessary. 1160 */ 1161 if (p->swapped) { 1162 /* these were written in opposite byte order */ 1163 interface_id = SWAPSHORT(pbp->interface_id); 1164 hdr->caplen = SWAPLONG(pbp->caplen); 1165 hdr->len = SWAPLONG(pbp->len); 1166 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 | 1167 SWAPLONG(pbp->timestamp_low); 1168 } else { 1169 interface_id = pbp->interface_id; 1170 hdr->caplen = pbp->caplen; 1171 hdr->len = pbp->len; 1172 t = ((uint64_t)pbp->timestamp_high) << 32 | 1173 pbp->timestamp_low; 1174 } 1175 goto found; 1176 1177 case BT_IDB: 1178 /* 1179 * Interface Description Block. Get a pointer 1180 * to its fixed-length portion. 1181 */ 1182 idbp = get_from_block_data(&cursor, sizeof(*idbp), 1183 p->errbuf); 1184 if (idbp == NULL) 1185 return (-1); /* error */ 1186 1187 /* 1188 * Byte-swap it if necessary. 1189 */ 1190 if (p->swapped) { 1191 idbp->linktype = SWAPSHORT(idbp->linktype); 1192 idbp->snaplen = SWAPLONG(idbp->snaplen); 1193 } 1194 1195 /* 1196 * If the link-layer type or snapshot length 1197 * differ from the ones for the first IDB we 1198 * saw, quit. 1199 * 1200 * XXX - just discard packets from those 1201 * interfaces? 1202 */ 1203 if (p->linktype != idbp->linktype) { 1204 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1205 "an interface has a type %u different from the type of the first interface", 1206 idbp->linktype); 1207 return (-1); 1208 } 1209 if ((bpf_u_int32)p->snapshot != idbp->snaplen) { 1210 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1211 "an interface has a snapshot length %u different from the type of the first interface", 1212 idbp->snaplen); 1213 return (-1); 1214 } 1215 1216 /* 1217 * Try to add this interface. 1218 */ 1219 if (!add_interface(p, &cursor, p->errbuf)) 1220 return (-1); 1221 break; 1222 1223 case BT_SHB: 1224 /* 1225 * Section Header Block. Get a pointer 1226 * to its fixed-length portion. 1227 */ 1228 shbp = get_from_block_data(&cursor, sizeof(*shbp), 1229 p->errbuf); 1230 if (shbp == NULL) 1231 return (-1); /* error */ 1232 1233 /* 1234 * Assume the byte order of this section is 1235 * the same as that of the previous section. 1236 * We'll check for that later. 1237 */ 1238 if (p->swapped) { 1239 shbp->byte_order_magic = 1240 SWAPLONG(shbp->byte_order_magic); 1241 shbp->major_version = 1242 SWAPSHORT(shbp->major_version); 1243 } 1244 1245 /* 1246 * Make sure the byte order doesn't change; 1247 * pcap_is_swapped() shouldn't change its 1248 * return value in the middle of reading a capture. 1249 */ 1250 switch (shbp->byte_order_magic) { 1251 1252 case BYTE_ORDER_MAGIC: 1253 /* 1254 * OK. 1255 */ 1256 break; 1257 1258 case SWAPLONG(BYTE_ORDER_MAGIC): 1259 /* 1260 * Byte order changes. 1261 */ 1262 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1263 "the file has sections with different byte orders"); 1264 return (-1); 1265 1266 default: 1267 /* 1268 * Not a valid SHB. 1269 */ 1270 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1271 "the file has a section with a bad byte order magic field"); 1272 return (-1); 1273 } 1274 1275 /* 1276 * Make sure the major version is the version 1277 * we handle. 1278 */ 1279 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) { 1280 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1281 "unknown pcapng savefile major version number %u", 1282 shbp->major_version); 1283 return (-1); 1284 } 1285 1286 /* 1287 * Reset the interface count; this section should 1288 * have its own set of IDBs. If any of them 1289 * don't have the same interface type, snapshot 1290 * length, or resolution as the first interface 1291 * we saw, we'll fail. (And if we don't see 1292 * any IDBs, we'll fail when we see a packet 1293 * block.) 1294 */ 1295 ps->ifcount = 0; 1296 break; 1297 1298 default: 1299 /* 1300 * Not a packet block, IDB, or SHB; ignore it. 1301 */ 1302 break; 1303 } 1304 } 1305 1306 found: 1307 /* 1308 * Is the interface ID an interface we know? 1309 */ 1310 if (interface_id >= ps->ifcount) { 1311 /* 1312 * Yes. Fail. 1313 */ 1314 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1315 "a packet arrived on interface %u, but there's no Interface Description Block for that interface", 1316 interface_id); 1317 return (-1); 1318 } 1319 1320 if (hdr->caplen > (bpf_u_int32)p->snapshot) { 1321 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1322 "invalid packet capture length %u, bigger than " 1323 "snaplen of %d", hdr->caplen, p->snapshot); 1324 return (-1); 1325 } 1326 1327 /* 1328 * Convert the time stamp to seconds and fractions of a second, 1329 * with the fractions being in units of the file-supplied resolution. 1330 */ 1331 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset; 1332 frac = t % ps->ifaces[interface_id].tsresol; 1333 1334 /* 1335 * Convert the fractions from units of the file-supplied resolution 1336 * to units of the user-requested resolution. 1337 */ 1338 switch (ps->ifaces[interface_id].scale_type) { 1339 1340 case PASS_THROUGH: 1341 /* 1342 * The interface resolution is what the user wants, 1343 * so we're done. 1344 */ 1345 break; 1346 1347 case SCALE_UP_DEC: 1348 /* 1349 * The interface resolution is less than what the user 1350 * wants; scale the fractional part up to the units of 1351 * the resolution the user requested by multiplying by 1352 * the quotient of the user-requested resolution and the 1353 * file-supplied resolution. 1354 * 1355 * Those resolutions are both powers of 10, and the user- 1356 * requested resolution is greater than the file-supplied 1357 * resolution, so the quotient in question is an integer. 1358 * We've calculated that quotient already, so we just 1359 * multiply by it. 1360 */ 1361 frac *= ps->ifaces[interface_id].scale_factor; 1362 break; 1363 1364 case SCALE_UP_BIN: 1365 /* 1366 * The interface resolution is less than what the user 1367 * wants; scale the fractional part up to the units of 1368 * the resolution the user requested by multiplying by 1369 * the quotient of the user-requested resolution and the 1370 * file-supplied resolution. 1371 * 1372 * The file-supplied resolution is a power of 2, so the 1373 * quotient is not an integer, so, in order to do this 1374 * entirely with integer arithmetic, we multiply by the 1375 * user-requested resolution and divide by the file- 1376 * supplied resolution. 1377 * 1378 * XXX - Is there something clever we could do here, 1379 * given that we know that the file-supplied resolution 1380 * is a power of 2? Doing a multiplication followed by 1381 * a division runs the risk of overflowing, and involves 1382 * two non-simple arithmetic operations. 1383 */ 1384 frac *= ps->user_tsresol; 1385 frac /= ps->ifaces[interface_id].tsresol; 1386 break; 1387 1388 case SCALE_DOWN_DEC: 1389 /* 1390 * The interface resolution is greater than what the user 1391 * wants; scale the fractional part up to the units of 1392 * the resolution the user requested by multiplying by 1393 * the quotient of the user-requested resolution and the 1394 * file-supplied resolution. 1395 * 1396 * Those resolutions are both powers of 10, and the user- 1397 * requested resolution is less than the file-supplied 1398 * resolution, so the quotient in question isn't an 1399 * integer, but its reciprocal is, and we can just divide 1400 * by the reciprocal of the quotient. We've calculated 1401 * the reciprocal of that quotient already, so we must 1402 * divide by it. 1403 */ 1404 frac /= ps->ifaces[interface_id].scale_factor; 1405 break; 1406 1407 1408 case SCALE_DOWN_BIN: 1409 /* 1410 * The interface resolution is greater than what the user 1411 * wants; convert the fractional part to units of the 1412 * resolution the user requested by multiplying by the 1413 * quotient of the user-requested resolution and the 1414 * file-supplied resolution. We do that by multiplying 1415 * by the user-requested resolution and dividing by the 1416 * file-supplied resolution, as the quotient might not 1417 * fit in an integer. 1418 * 1419 * The file-supplied resolution is a power of 2, so the 1420 * quotient is not an integer, and neither is its 1421 * reciprocal, so, in order to do this entirely with 1422 * integer arithmetic, we multiply by the user-requested 1423 * resolution and divide by the file-supplied resolution. 1424 * 1425 * XXX - Is there something clever we could do here, 1426 * given that we know that the file-supplied resolution 1427 * is a power of 2? Doing a multiplication followed by 1428 * a division runs the risk of overflowing, and involves 1429 * two non-simple arithmetic operations. 1430 */ 1431 frac *= ps->user_tsresol; 1432 frac /= ps->ifaces[interface_id].tsresol; 1433 break; 1434 } 1435 #ifdef _WIN32 1436 /* 1437 * tv_sec and tv_used in the Windows struct timeval are both 1438 * longs. 1439 */ 1440 hdr->ts.tv_sec = (long)sec; 1441 hdr->ts.tv_usec = (long)frac; 1442 #else 1443 /* 1444 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is 1445 * suseconds_t in UN*Xes that work the way the current Single 1446 * UNIX Standard specify - but not all older UN*Xes necessarily 1447 * support that type, so just cast to int. 1448 */ 1449 hdr->ts.tv_sec = (time_t)sec; 1450 hdr->ts.tv_usec = (int)frac; 1451 #endif 1452 1453 /* 1454 * Get a pointer to the packet data. 1455 */ 1456 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf); 1457 if (*data == NULL) 1458 return (-1); 1459 1460 if (p->swapped) 1461 swap_pseudo_headers(p->linktype, hdr, *data); 1462 1463 return (0); 1464 } 1465