/*
* Read and return the next packet from the savefile. Return the header
* in hdr and a pointer to the contents in data. Return 0 on success, 1
* if there were no more packets, and -1 on an error.
*/
static int
pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
{
struct pcap_ng_sf *ps = p->priv;
struct block_cursor cursor;
int status;
struct enhanced_packet_block *epbp;
struct simple_packet_block *spbp;
struct packet_block *pbp;
bpf_u_int32 interface_id = 0xFFFFFFFF;
struct interface_description_block *idbp;
struct section_header_block *shbp;
FILE *fp = p->rfile;
u_int64_t t, sec, frac;
/*
* Look for an Enhanced Packet Block, a Simple Packet Block,
* or a Packet Block.
*/
for (;;) {
/*
* Read the block type and length; those are common
* to all blocks.
*/
status = read_block(fp, p, &cursor, p->errbuf);
if (status == 0)
return (1); /* EOF */
if (status == -1)
return (-1); /* error */
switch (cursor.block_type) {
case BT_EPB:
/*
* Get a pointer to the fixed-length portion of the
* EPB.
*/
epbp = get_from_block_data(&cursor, sizeof(*epbp),
p->errbuf);
if (epbp == NULL)
return (-1); /* error */
/*
* Byte-swap it if necessary.
*/
if (p->swapped) {
/* these were written in opposite byte order */
interface_id = SWAPLONG(epbp->interface_id);
hdr->caplen = SWAPLONG(epbp->caplen);
hdr->len = SWAPLONG(epbp->len);
t = ((u_int64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
SWAPLONG(epbp->timestamp_low);
} else {
interface_id = epbp->interface_id;
hdr->caplen = epbp->caplen;
hdr->len = epbp->len;
t = ((u_int64_t)epbp->timestamp_high) << 32 |
epbp->timestamp_low;
}
goto found;
case BT_SPB:
/*
* Get a pointer to the fixed-length portion of the
* SPB.
*/
spbp = get_from_block_data(&cursor, sizeof(*spbp),
p->errbuf);
if (spbp == NULL)
return (-1); /* error */
/*
* SPB packets are assumed to have arrived on
* the first interface.
*/
interface_id = 0;
/*
* Byte-swap it if necessary.
*/
if (p->swapped) {
/* these were written in opposite byte order */
hdr->len = SWAPLONG(spbp->len);
} else
hdr->len = spbp->len;
/*
* The SPB doesn't give the captured length;
* it's the minimum of the snapshot length
* and the packet length.
*/
hdr->caplen = hdr->len;
if ((int)hdr->caplen > p->snapshot)
hdr->caplen = p->snapshot;
t = 0; /* no time stamps */
goto found;
case BT_PB:
/*
* Get a pointer to the fixed-length portion of the
* PB.
*/
pbp = get_from_block_data(&cursor, sizeof(*pbp),
p->errbuf);
if (pbp == NULL)
return (-1); /* error */
/*
* Byte-swap it if necessary.
*/
if (p->swapped) {
/* these were written in opposite byte order */
interface_id = SWAPSHORT((uint32_t)pbp->interface_id);
hdr->caplen = SWAPLONG(pbp->caplen);
hdr->len = SWAPLONG(pbp->len);
t = ((u_int64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
SWAPLONG(pbp->timestamp_low);
} else {
interface_id = pbp->interface_id;
hdr->caplen = pbp->caplen;
hdr->len = pbp->len;
t = ((u_int64_t)pbp->timestamp_high) << 32 |
pbp->timestamp_low;
}
goto found;
case BT_IDB:
/*
* Interface Description Block. Get a pointer
* to its fixed-length portion.
*/
idbp = get_from_block_data(&cursor, sizeof(*idbp),
p->errbuf);
if (idbp == NULL)
return (-1); /* error */
/*
* Byte-swap it if necessary.
*/
if (p->swapped) {
idbp->linktype = SWAPSHORT((uint32_t)idbp->linktype);
idbp->snaplen = SWAPLONG(idbp->snaplen);
}
/*
* If the link-layer type or snapshot length
* differ from the ones for the first IDB we
* saw, quit.
*
* XXX - just discard packets from those
* interfaces?
*/
if (p->linktype != idbp->linktype) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"an interface has a type %u different from the type of the first interface",
idbp->linktype);
return (-1);
}
if (p->snapshot != (int)idbp->snaplen) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"an interface has a snapshot length %u different from the type of the first interface",
idbp->snaplen);
return (-1);
}
/*
* Try to add this interface.
*/
if (!add_interface(p, &cursor, p->errbuf))
return (-1);
break;
case BT_SHB:
/*
* Section Header Block. Get a pointer
* to its fixed-length portion.
*/
shbp = get_from_block_data(&cursor, sizeof(*shbp),
p->errbuf);
if (shbp == NULL)
return (-1); /* error */
/*
* Assume the byte order of this section is
* the same as that of the previous section.
* We'll check for that later.
*/
if (p->swapped) {
shbp->byte_order_magic =
SWAPLONG(shbp->byte_order_magic);
shbp->major_version =
SWAPSHORT((uint32_t)shbp->major_version);
}
/*
* Make sure the byte order doesn't change;
* pcap_is_swapped() shouldn't change its
* return value in the middle of reading a capture.
*/
switch (shbp->byte_order_magic) {
case BYTE_ORDER_MAGIC:
/*
* OK.
*/
break;
case SWAPLONG(BYTE_ORDER_MAGIC):
/*
* Byte order changes.
*/
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"the file has sections with different byte orders");
return (-1);
default:
/*
* Not a valid SHB.
*/
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"the file has a section with a bad byte order magic field");
return (-1);
}
/*
* Make sure the major version is the version
* we handle.
*/
if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"unknown pcap-ng savefile major version number %u",
shbp->major_version);
return (-1);
}
/*
* Reset the interface count; this section should
* have its own set of IDBs. If any of them
* don't have the same interface type, snapshot
* length, or resolution as the first interface
* we saw, we'll fail. (And if we don't see
* any IDBs, we'll fail when we see a packet
* block.)
*/
ps->ifcount = 0;
break;
default:
/*
* Not a packet block, IDB, or SHB; ignore it.
*/
break;
}
}
found:
/*
* Is the interface ID an interface we know?
*/
if (interface_id >= ps->ifcount) {
/*
* Yes. Fail.
*/
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"a packet arrived on interface %u, but there's no Interface Description Block for that interface",
interface_id);
return (-1);
}
/*
* Convert the time stamp to seconds and fractions of a second,
* with the fractions being in units of the file-supplied resolution.
*/
sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
frac = t % ps->ifaces[interface_id].tsresol;
/*
* Convert the fractions from units of the file-supplied resolution
* to units of the user-requested resolution.
*/
switch (ps->ifaces[interface_id].scale_type) {
case PASS_THROUGH:
/*
* The interface resolution is what the user wants,
* so we're done.
*/
break;
case SCALE_UP:
case SCALE_DOWN:
/*
* The interface resolution is different from what the
* user wants; convert the fractions to units of the
* resolution the user requested by multiplying by the
* quotient of the user-requested resolution and the
* file-supplied resolution. We do that by multiplying
* by the user-requested resolution and dividing by the
* file-supplied resolution, as the quotient might not
* fit in an integer.
*
* XXX - if ps->ifaces[interface_id].tsresol is a power
* of 10, we could just multiply by the quotient of
* ps->user_tsresol and ps->ifaces[interface_id].tsresol
* in the scale-up case, and divide by the quotient of
* ps->ifaces[interface_id].tsresol and ps->user_tsresol
* in the scale-down case, as we know those will be integers.
* That would involve fewer arithmetic operations, and
* would run less risk of overflow.
*
* Is there something clever we could do if
* ps->ifaces[interface_id].tsresol is a power of 2?
*/
frac *= ps->user_tsresol;
frac /= ps->ifaces[interface_id].tsresol;
break;
}
hdr->ts.tv_sec = sec;
hdr->ts.tv_usec = (suseconds_t)frac;
/*
* Get a pointer to the packet data.
*/
*data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
if (*data == NULL)
return (-1);
if (p->swapped)
swap_pseudo_headers(p->linktype, hdr, *data);
return (0);
}
/*
* Read and return the next packet from the savefile. Return the header
* in hdr and a pointer to the contents in data. Return 0 on success, 1
* if there were no more packets, and -1 on an error.
*/
static int
pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
{
struct pcap_sf *ps = p->priv;
struct pcap_sf_patched_pkthdr sf_hdr;
FILE *fp = p->rfile;
size_t amt_read;
bpf_u_int32 t;
/*
* Read the packet header; the structure we use as a buffer
* is the longer structure for files generated by the patched
* libpcap, but if the file has the magic number for an
* unpatched libpcap we only read as many bytes as the regular
* header has.
*/
amt_read = fread(&sf_hdr, 1, ps->hdrsize, fp);
if (amt_read != ps->hdrsize) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
return (-1);
} else {
if (amt_read != 0) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %lu header bytes, only got %lu",
(unsigned long)ps->hdrsize,
(unsigned long)amt_read);
return (-1);
}
/* EOF */
return (1);
}
}
if (p->swapped) {
/* these were written in opposite byte order */
hdr->caplen = SWAPLONG(sf_hdr.caplen);
hdr->len = SWAPLONG(sf_hdr.len);
hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec);
hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec);
} else {
hdr->caplen = sf_hdr.caplen;
hdr->len = sf_hdr.len;
hdr->ts.tv_sec = sf_hdr.ts.tv_sec;
hdr->ts.tv_usec = sf_hdr.ts.tv_usec;
}
switch (ps->scale_type) {
case PASS_THROUGH:
/*
* Just pass the time stamp through.
*/
break;
case SCALE_UP:
/*
* File has microseconds, user wants nanoseconds; convert
* it.
*/
hdr->ts.tv_usec = hdr->ts.tv_usec * 1000;
break;
case SCALE_DOWN:
/*
* File has nanoseconds, user wants microseconds; convert
* it.
*/
hdr->ts.tv_usec = hdr->ts.tv_usec / 1000;
break;
}
/* Swap the caplen and len fields, if necessary. */
switch (ps->lengths_swapped) {
case NOT_SWAPPED:
break;
case MAYBE_SWAPPED:
if (hdr->caplen <= hdr->len) {
/*
* The captured length is <= the actual length,
* so presumably they weren't swapped.
*/
break;
}
/* FALLTHROUGH */
case SWAPPED:
t = hdr->caplen;
hdr->caplen = hdr->len;
hdr->len = t;
break;
}
if (hdr->caplen > p->bufsize) {
/*
* This can happen due to Solaris 2.3 systems tripping
* over the BUFMOD problem and not setting the snapshot
* correctly in the savefile header. If the caplen isn't
* grossly wrong, try to salvage.
*/
bpf_u_int32 bytes_to_discard;
size_t bytes_to_read, bytes_read;
char discard_buf[4096];
if (hdr->caplen > MAXIMUM_SNAPLEN) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"bogus savefile header");
return (-1);
}
/*
* XXX - we don't grow the buffer here because some
* program might assume that it will never get packets
* bigger than the snapshot length; for example, it might
* copy data from our buffer to a buffer of its own,
* allocated based on the return value of pcap_snapshot().
*
* Read the first p->bufsize bytes into the buffer.
*/
amt_read = fread(p->buffer, 1, p->bufsize, fp);
if (amt_read != p->bufsize) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
/*
* Yes, this uses hdr->caplen; technically,
* it's true, because we would try to read
* and discard the rest of those bytes, and
* that would fail because we got EOF before
* the read finished.
*/
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %u captured bytes, only got %lu",
hdr->caplen, (unsigned long)amt_read);
}
return (-1);
}
/*
* Now read and discard what's left.
*/
bytes_to_discard = hdr->caplen - p->bufsize;
bytes_read = amt_read;
while (bytes_to_discard != 0) {
bytes_to_read = bytes_to_discard;
if (bytes_to_read > sizeof (discard_buf))
bytes_to_read = sizeof (discard_buf);
amt_read = fread(discard_buf, 1, bytes_to_read, fp);
bytes_read += amt_read;
if (amt_read != bytes_to_read) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %u captured bytes, only got %lu",
hdr->caplen, (unsigned long)bytes_read);
}
return (-1);
}
bytes_to_discard -= amt_read;
}
/*
* Adjust caplen accordingly, so we don't get confused later
* as to how many bytes we have to play with.
*/
hdr->caplen = p->bufsize;
} else {
/* read the packet itself */
amt_read = fread(p->buffer, 1, hdr->caplen, fp);
if (amt_read != hdr->caplen) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %u captured bytes, only got %lu",
hdr->caplen, (unsigned long)amt_read);
}
return (-1);
}
}
*data = p->buffer;
if (p->swapped)
swap_pseudo_headers(p->linktype, hdr, *data);
return (0);
}
