1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c 22 */ 23 24 #ifdef HAVE_CONFIG_H 25 #include <config.h> 26 #endif 27 28 #include <pcap/pcap-inttypes.h> 29 30 #include <errno.h> 31 #include <memory.h> 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 36 #include "pcap-int.h" 37 38 #include "pcap-common.h" 39 40 #ifdef HAVE_OS_PROTO_H 41 #include "os-proto.h" 42 #endif 43 44 #include "sf-pcapng.h" 45 46 /* 47 * Block types. 48 */ 49 50 /* 51 * Common part at the beginning of all blocks. 52 */ 53 struct block_header { 54 bpf_u_int32 block_type; 55 bpf_u_int32 total_length; 56 }; 57 58 /* 59 * Common trailer at the end of all blocks. 60 */ 61 struct block_trailer { 62 bpf_u_int32 total_length; 63 }; 64 65 /* 66 * Common options. 67 */ 68 #define OPT_ENDOFOPT 0 /* end of options */ 69 #define OPT_COMMENT 1 /* comment string */ 70 71 /* 72 * Option header. 73 */ 74 struct option_header { 75 u_short option_code; 76 u_short option_length; 77 }; 78 79 /* 80 * Structures for the part of each block type following the common 81 * part. 82 */ 83 84 /* 85 * Section Header Block. 86 */ 87 #define BT_SHB 0x0A0D0D0A 88 89 struct section_header_block { 90 bpf_u_int32 byte_order_magic; 91 u_short major_version; 92 u_short minor_version; 93 uint64_t section_length; 94 /* followed by options and trailer */ 95 }; 96 97 /* 98 * Byte-order magic value. 99 */ 100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D 101 102 /* 103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR, 104 * that means that this code can't read the file. 105 */ 106 #define PCAP_NG_VERSION_MAJOR 1 107 #define PCAP_NG_VERSION_MINOR 0 108 109 /* 110 * Interface Description Block. 111 */ 112 #define BT_IDB 0x00000001 113 114 struct interface_description_block { 115 u_short linktype; 116 u_short reserved; 117 bpf_u_int32 snaplen; 118 /* followed by options and trailer */ 119 }; 120 121 /* 122 * Options in the IDB. 123 */ 124 #define IF_NAME 2 /* interface name string */ 125 #define IF_DESCRIPTION 3 /* interface description string */ 126 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */ 127 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */ 128 #define IF_MACADDR 6 /* interface's MAC address */ 129 #define IF_EUIADDR 7 /* interface's EUI address */ 130 #define IF_SPEED 8 /* interface's speed, in bits/s */ 131 #define IF_TSRESOL 9 /* interface's time stamp resolution */ 132 #define IF_TZONE 10 /* interface's time zone */ 133 #define IF_FILTER 11 /* filter used when capturing on interface */ 134 #define IF_OS 12 /* string OS on which capture on this interface was done */ 135 #define IF_FCSLEN 13 /* FCS length for this interface */ 136 #define IF_TSOFFSET 14 /* time stamp offset for this interface */ 137 138 /* 139 * Enhanced Packet Block. 140 */ 141 #define BT_EPB 0x00000006 142 143 struct enhanced_packet_block { 144 bpf_u_int32 interface_id; 145 bpf_u_int32 timestamp_high; 146 bpf_u_int32 timestamp_low; 147 bpf_u_int32 caplen; 148 bpf_u_int32 len; 149 /* followed by packet data, options, and trailer */ 150 }; 151 152 /* 153 * Simple Packet Block. 154 */ 155 #define BT_SPB 0x00000003 156 157 struct simple_packet_block { 158 bpf_u_int32 len; 159 /* followed by packet data and trailer */ 160 }; 161 162 /* 163 * Packet Block. 164 */ 165 #define BT_PB 0x00000002 166 167 struct packet_block { 168 u_short interface_id; 169 u_short drops_count; 170 bpf_u_int32 timestamp_high; 171 bpf_u_int32 timestamp_low; 172 bpf_u_int32 caplen; 173 bpf_u_int32 len; 174 /* followed by packet data, options, and trailer */ 175 }; 176 177 /* 178 * Block cursor - used when processing the contents of a block. 179 * Contains a pointer into the data being processed and a count 180 * of bytes remaining in the block. 181 */ 182 struct block_cursor { 183 u_char *data; 184 size_t data_remaining; 185 bpf_u_int32 block_type; 186 }; 187 188 typedef enum { 189 PASS_THROUGH, 190 SCALE_UP_DEC, 191 SCALE_DOWN_DEC, 192 SCALE_UP_BIN, 193 SCALE_DOWN_BIN 194 } tstamp_scale_type_t; 195 196 /* 197 * Per-interface information. 198 */ 199 struct pcap_ng_if { 200 uint64_t tsresol; /* time stamp resolution */ 201 tstamp_scale_type_t scale_type; /* how to scale */ 202 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */ 203 uint64_t tsoffset; /* time stamp offset */ 204 }; 205 206 /* 207 * Per-pcap_t private data. 208 * 209 * max_blocksize is the maximum size of a block that we'll accept. We 210 * reject blocks bigger than this, so we don't consume too much memory 211 * with a truly huge block. It can change as we see IDBs with different 212 * link-layer header types. (Currently, we don't support IDBs with 213 * different link-layer header types, but we will support it in the 214 * future, when we offer file-reading APIs that support it.) 215 * 216 * XXX - that's an issue on ILP32 platforms, where the maximum block 217 * size of 2^31-1 would eat all but one byte of the entire address space. 218 * It's less of an issue on ILP64/LLP64 platforms, but the actual size 219 * of the address space may be limited by 1) the number of *significant* 220 * address bits (currently, x86-64 only supports 48 bits of address), 2) 221 * any limitations imposed by the operating system; 3) any limitations 222 * imposed by the amount of available backing store for anonymous pages, 223 * so we impose a limit regardless of the size of a pointer. 224 */ 225 struct pcap_ng_sf { 226 uint64_t user_tsresol; /* time stamp resolution requested by the user */ 227 u_int max_blocksize; /* don't grow buffer size past this */ 228 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */ 229 bpf_u_int32 ifaces_size; /* size of array below */ 230 struct pcap_ng_if *ifaces; /* array of interface information */ 231 }; 232 233 /* 234 * Maximum block size for a given maximum snapshot length; we calculate 235 * this based 236 * 237 * We define it as the size of an EPB with a max_snaplen-sized 238 * packet and 128KB of options. 239 */ 240 #define MAX_BLOCKSIZE(max_snaplen) (sizeof (struct block_header) + \ 241 sizeof (struct enhanced_packet_block) + \ 242 (max_snaplen) + 131072 + \ 243 sizeof (struct block_trailer)) 244 245 static void pcap_ng_cleanup(pcap_t *p); 246 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, 247 u_char **data); 248 249 static int read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)250 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof, 251 char *errbuf) 252 { 253 size_t amt_read; 254 255 amt_read = fread(buf, 1, bytes_to_read, fp); 256 if (amt_read != bytes_to_read) { 257 if (ferror(fp)) { 258 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 259 errno, "error reading dump file"); 260 } else { 261 if (amt_read == 0 && !fail_on_eof) 262 return (0); /* EOF */ 263 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 264 "truncated dump file; tried to read %lu bytes, only got %lu", 265 (unsigned long)bytes_to_read, 266 (unsigned long)amt_read); 267 } 268 return (-1); 269 } 270 return (1); 271 } 272 273 static int read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)274 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf) 275 { 276 struct pcap_ng_sf *ps; 277 int status; 278 struct block_header bhdr; 279 u_char *bdata; 280 size_t data_remaining; 281 282 ps = p->priv; 283 284 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf); 285 if (status <= 0) 286 return (status); /* error or EOF */ 287 288 if (p->swapped) { 289 bhdr.block_type = SWAPLONG(bhdr.block_type); 290 bhdr.total_length = SWAPLONG(bhdr.total_length); 291 } 292 293 /* 294 * Is this block "too big"? 295 * 296 * We choose 16MB as "too big", for now, so that we handle 297 * "reasonably" large buffers but don't chew up all the 298 * memory if we read a malformed file. 299 */ 300 if (bhdr.total_length > 16*1024*1024) { 301 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 302 "pcapng block size %u > maximum %u", 303 bhdr.total_length, 16*1024*1024); 304 return (-1); 305 } 306 307 /* 308 * Is this block "too small" - i.e., is it shorter than a block 309 * header plus a block trailer? 310 */ 311 if (bhdr.total_length < sizeof(struct block_header) + 312 sizeof(struct block_trailer)) { 313 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 314 "block in pcapng dump file has a length of %u < %lu", 315 bhdr.total_length, 316 (unsigned long)(sizeof(struct block_header) + sizeof(struct block_trailer))); 317 return (-1); 318 } 319 320 /* 321 * Is the buffer big enough? 322 */ 323 if (p->bufsize < bhdr.total_length) { 324 /* 325 * No - make it big enough, unless it's too big. 326 */ 327 void *bigger_buffer; 328 329 if (bhdr.total_length > ps->max_blocksize) { 330 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "block is larger than maximum block size %u", 331 ps->max_blocksize); 332 return (-1); 333 } 334 bigger_buffer = realloc(p->buffer, bhdr.total_length); 335 if (bigger_buffer == NULL) { 336 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 337 return (-1); 338 } 339 p->buffer = bigger_buffer; 340 } 341 342 /* 343 * Copy the stuff we've read to the buffer, and read the rest 344 * of the block. 345 */ 346 memcpy(p->buffer, &bhdr, sizeof(bhdr)); 347 bdata = (u_char *)p->buffer + sizeof(bhdr); 348 data_remaining = bhdr.total_length - sizeof(bhdr); 349 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1) 350 return (-1); 351 352 /* 353 * Initialize the cursor. 354 */ 355 cursor->data = bdata; 356 cursor->data_remaining = data_remaining - sizeof(struct block_trailer); 357 cursor->block_type = bhdr.block_type; 358 return (1); 359 } 360 361 static void * get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)362 get_from_block_data(struct block_cursor *cursor, size_t chunk_size, 363 char *errbuf) 364 { 365 void *data; 366 367 /* 368 * Make sure we have the specified amount of data remaining in 369 * the block data. 370 */ 371 if (cursor->data_remaining < chunk_size) { 372 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 373 "block of type %u in pcapng dump file is too short", 374 cursor->block_type); 375 return (NULL); 376 } 377 378 /* 379 * Return the current pointer, and skip past the chunk. 380 */ 381 data = cursor->data; 382 cursor->data += chunk_size; 383 cursor->data_remaining -= chunk_size; 384 return (data); 385 } 386 387 static struct option_header * get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)388 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf) 389 { 390 struct option_header *opthdr; 391 392 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf); 393 if (opthdr == NULL) { 394 /* 395 * Option header is cut short. 396 */ 397 return (NULL); 398 } 399 400 /* 401 * Byte-swap it if necessary. 402 */ 403 if (p->swapped) { 404 opthdr->option_code = SWAPSHORT(opthdr->option_code); 405 opthdr->option_length = SWAPSHORT(opthdr->option_length); 406 } 407 408 return (opthdr); 409 } 410 411 static void * get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)412 get_optvalue_from_block_data(struct block_cursor *cursor, 413 struct option_header *opthdr, char *errbuf) 414 { 415 size_t padded_option_len; 416 void *optvalue; 417 418 /* Pad option length to 4-byte boundary */ 419 padded_option_len = opthdr->option_length; 420 padded_option_len = ((padded_option_len + 3)/4)*4; 421 422 optvalue = get_from_block_data(cursor, padded_option_len, errbuf); 423 if (optvalue == NULL) { 424 /* 425 * Option value is cut short. 426 */ 427 return (NULL); 428 } 429 430 return (optvalue); 431 } 432 433 static int process_idb_options(pcap_t * p,struct block_cursor * cursor,uint64_t * tsresol,uint64_t * tsoffset,int * is_binary,char * errbuf)434 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol, 435 uint64_t *tsoffset, int *is_binary, char *errbuf) 436 { 437 struct option_header *opthdr; 438 void *optvalue; 439 int saw_tsresol, saw_tsoffset; 440 uint8_t tsresol_opt; 441 u_int i; 442 443 saw_tsresol = 0; 444 saw_tsoffset = 0; 445 while (cursor->data_remaining != 0) { 446 /* 447 * Get the option header. 448 */ 449 opthdr = get_opthdr_from_block_data(p, cursor, errbuf); 450 if (opthdr == NULL) { 451 /* 452 * Option header is cut short. 453 */ 454 return (-1); 455 } 456 457 /* 458 * Get option value. 459 */ 460 optvalue = get_optvalue_from_block_data(cursor, opthdr, 461 errbuf); 462 if (optvalue == NULL) { 463 /* 464 * Option value is cut short. 465 */ 466 return (-1); 467 } 468 469 switch (opthdr->option_code) { 470 471 case OPT_ENDOFOPT: 472 if (opthdr->option_length != 0) { 473 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 474 "Interface Description Block has opt_endofopt option with length %u != 0", 475 opthdr->option_length); 476 return (-1); 477 } 478 goto done; 479 480 case IF_TSRESOL: 481 if (opthdr->option_length != 1) { 482 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 483 "Interface Description Block has if_tsresol option with length %u != 1", 484 opthdr->option_length); 485 return (-1); 486 } 487 if (saw_tsresol) { 488 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 489 "Interface Description Block has more than one if_tsresol option"); 490 return (-1); 491 } 492 saw_tsresol = 1; 493 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt)); 494 if (tsresol_opt & 0x80) { 495 /* 496 * Resolution is negative power of 2. 497 */ 498 uint8_t tsresol_shift = (tsresol_opt & 0x7F); 499 500 if (tsresol_shift > 63) { 501 /* 502 * Resolution is too high; 2^-{res} 503 * won't fit in a 64-bit value. 504 */ 505 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 506 "Interface Description Block if_tsresol option resolution 2^-%u is too high", 507 tsresol_shift); 508 return (-1); 509 } 510 *is_binary = 1; 511 *tsresol = ((uint64_t)1) << tsresol_shift; 512 } else { 513 /* 514 * Resolution is negative power of 10. 515 */ 516 if (tsresol_opt > 19) { 517 /* 518 * Resolution is too high; 2^-{res} 519 * won't fit in a 64-bit value (the 520 * largest power of 10 that fits 521 * in a 64-bit value is 10^19, as 522 * the largest 64-bit unsigned 523 * value is ~1.8*10^19). 524 */ 525 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 526 "Interface Description Block if_tsresol option resolution 10^-%u is too high", 527 tsresol_opt); 528 return (-1); 529 } 530 *is_binary = 0; 531 *tsresol = 1; 532 for (i = 0; i < tsresol_opt; i++) 533 *tsresol *= 10; 534 } 535 break; 536 537 case IF_TSOFFSET: 538 if (opthdr->option_length != 8) { 539 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 540 "Interface Description Block has if_tsoffset option with length %u != 8", 541 opthdr->option_length); 542 return (-1); 543 } 544 if (saw_tsoffset) { 545 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 546 "Interface Description Block has more than one if_tsoffset option"); 547 return (-1); 548 } 549 saw_tsoffset = 1; 550 memcpy(tsoffset, optvalue, sizeof(*tsoffset)); 551 if (p->swapped) 552 *tsoffset = SWAPLL(*tsoffset); 553 break; 554 555 default: 556 break; 557 } 558 } 559 560 done: 561 return (0); 562 } 563 564 static int add_interface(pcap_t * p,struct block_cursor * cursor,char * errbuf)565 add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf) 566 { 567 struct pcap_ng_sf *ps; 568 uint64_t tsresol; 569 uint64_t tsoffset; 570 int is_binary; 571 572 ps = p->priv; 573 574 /* 575 * Count this interface. 576 */ 577 ps->ifcount++; 578 579 /* 580 * Grow the array of per-interface information as necessary. 581 */ 582 if (ps->ifcount > ps->ifaces_size) { 583 /* 584 * We need to grow the array. 585 */ 586 bpf_u_int32 new_ifaces_size; 587 struct pcap_ng_if *new_ifaces; 588 589 if (ps->ifaces_size == 0) { 590 /* 591 * It's currently empty. 592 * 593 * (The Clang static analyzer doesn't do enough, 594 * err, umm, dataflow *analysis* to realize that 595 * ps->ifaces_size == 0 if ps->ifaces == NULL, 596 * and so complains about a possible zero argument 597 * to realloc(), so we check for the former 598 * condition to shut it up. 599 * 600 * However, it doesn't complain that one of the 601 * multiplications below could overflow, which is 602 * a real, albeit extremely unlikely, problem (you'd 603 * need a pcapng file with tens of millions of 604 * interfaces).) 605 */ 606 new_ifaces_size = 1; 607 new_ifaces = malloc(sizeof (struct pcap_ng_if)); 608 } else { 609 /* 610 * It's not currently empty; double its size. 611 * (Perhaps overkill once we have a lot of interfaces.) 612 * 613 * Check for overflow if we double it. 614 */ 615 if (ps->ifaces_size * 2 < ps->ifaces_size) { 616 /* 617 * The maximum number of interfaces before 618 * ps->ifaces_size overflows is the largest 619 * possible 32-bit power of 2, as we do 620 * size doubling. 621 */ 622 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 623 "more than %u interfaces in the file", 624 0x80000000U); 625 return (0); 626 } 627 628 /* 629 * ps->ifaces_size * 2 doesn't overflow, so it's 630 * safe to multiply. 631 */ 632 new_ifaces_size = ps->ifaces_size * 2; 633 634 /* 635 * Now make sure that's not so big that it overflows 636 * if we multiply by sizeof (struct pcap_ng_if). 637 * 638 * That can happen on 32-bit platforms, with a 32-bit 639 * size_t; it shouldn't happen on 64-bit platforms, 640 * with a 64-bit size_t, as new_ifaces_size is 641 * 32 bits. 642 */ 643 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) { 644 /* 645 * As this fails only with 32-bit size_t, 646 * the multiplication was 32x32->32, and 647 * the largest 32-bit value that can safely 648 * be multiplied by sizeof (struct pcap_ng_if) 649 * without overflow is the largest 32-bit 650 * (unsigned) value divided by 651 * sizeof (struct pcap_ng_if). 652 */ 653 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 654 "more than %u interfaces in the file", 655 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if))); 656 return (0); 657 } 658 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if)); 659 } 660 if (new_ifaces == NULL) { 661 /* 662 * We ran out of memory. 663 * Give up. 664 */ 665 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 666 "out of memory for per-interface information (%u interfaces)", 667 ps->ifcount); 668 return (0); 669 } 670 ps->ifaces_size = new_ifaces_size; 671 ps->ifaces = new_ifaces; 672 } 673 674 /* 675 * Set the default time stamp resolution and offset. 676 */ 677 tsresol = 1000000; /* microsecond resolution */ 678 is_binary = 0; /* which is a power of 10 */ 679 tsoffset = 0; /* absolute timestamps */ 680 681 /* 682 * Now look for various time stamp options, so we know 683 * how to interpret the time stamps for this interface. 684 */ 685 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary, 686 errbuf) == -1) 687 return (0); 688 689 ps->ifaces[ps->ifcount - 1].tsresol = tsresol; 690 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset; 691 692 /* 693 * Determine whether we're scaling up or down or not 694 * at all for this interface. 695 */ 696 if (tsresol == ps->user_tsresol) { 697 /* 698 * The resolution is the resolution the user wants, 699 * so we don't have to do scaling. 700 */ 701 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH; 702 } else if (tsresol > ps->user_tsresol) { 703 /* 704 * The resolution is greater than what the user wants, 705 * so we have to scale the timestamps down. 706 */ 707 if (is_binary) 708 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN; 709 else { 710 /* 711 * Calculate the scale factor. 712 */ 713 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol; 714 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC; 715 } 716 } else { 717 /* 718 * The resolution is less than what the user wants, 719 * so we have to scale the timestamps up. 720 */ 721 if (is_binary) 722 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN; 723 else { 724 /* 725 * Calculate the scale factor. 726 */ 727 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol; 728 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC; 729 } 730 } 731 return (1); 732 } 733 734 /* 735 * Check whether this is a pcapng savefile and, if it is, extract the 736 * relevant information from the header. 737 */ 738 pcap_t * pcap_ng_check_header(bpf_u_int32 magic,FILE * fp,u_int precision,char * errbuf,int * err)739 pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf, 740 int *err) 741 { 742 size_t amt_read; 743 bpf_u_int32 total_length; 744 bpf_u_int32 byte_order_magic; 745 struct block_header *bhdrp; 746 struct section_header_block *shbp; 747 pcap_t *p; 748 int swapped = 0; 749 struct pcap_ng_sf *ps; 750 int status; 751 struct block_cursor cursor; 752 struct interface_description_block *idbp; 753 754 /* 755 * Assume no read errors. 756 */ 757 *err = 0; 758 759 /* 760 * Check whether the first 4 bytes of the file are the block 761 * type for a pcapng savefile. 762 */ 763 if (magic != BT_SHB) { 764 /* 765 * XXX - check whether this looks like what the block 766 * type would be after being munged by mapping between 767 * UN*X and DOS/Windows text file format and, if it 768 * does, look for the byte-order magic number in 769 * the appropriate place and, if we find it, report 770 * this as possibly being a pcapng file transferred 771 * between UN*X and Windows in text file format? 772 */ 773 return (NULL); /* nope */ 774 } 775 776 /* 777 * OK, they are. However, that's just \n\r\r\n, so it could, 778 * conceivably, be an ordinary text file. 779 * 780 * It could not, however, conceivably be any other type of 781 * capture file, so we can read the rest of the putative 782 * Section Header Block; put the block type in the common 783 * header, read the rest of the common header and the 784 * fixed-length portion of the SHB, and look for the byte-order 785 * magic value. 786 */ 787 amt_read = fread(&total_length, 1, sizeof(total_length), fp); 788 if (amt_read < sizeof(total_length)) { 789 if (ferror(fp)) { 790 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 791 errno, "error reading dump file"); 792 *err = 1; 793 return (NULL); /* fail */ 794 } 795 796 /* 797 * Possibly a weird short text file, so just say 798 * "not pcapng". 799 */ 800 return (NULL); 801 } 802 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp); 803 if (amt_read < sizeof(byte_order_magic)) { 804 if (ferror(fp)) { 805 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 806 errno, "error reading dump file"); 807 *err = 1; 808 return (NULL); /* fail */ 809 } 810 811 /* 812 * Possibly a weird short text file, so just say 813 * "not pcapng". 814 */ 815 return (NULL); 816 } 817 if (byte_order_magic != BYTE_ORDER_MAGIC) { 818 byte_order_magic = SWAPLONG(byte_order_magic); 819 if (byte_order_magic != BYTE_ORDER_MAGIC) { 820 /* 821 * Not a pcapng file. 822 */ 823 return (NULL); 824 } 825 swapped = 1; 826 total_length = SWAPLONG(total_length); 827 } 828 829 /* 830 * Check the sanity of the total length. 831 */ 832 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) { 833 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 834 "Section Header Block in pcapng dump file has a length of %u < %lu", 835 total_length, 836 (unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer))); 837 *err = 1; 838 return (NULL); 839 } 840 841 /* 842 * OK, this is a good pcapng file. 843 * Allocate a pcap_t for it. 844 */ 845 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf)); 846 if (p == NULL) { 847 /* Allocation failed. */ 848 *err = 1; 849 return (NULL); 850 } 851 p->swapped = swapped; 852 ps = p->priv; 853 854 /* 855 * What precision does the user want? 856 */ 857 switch (precision) { 858 859 case PCAP_TSTAMP_PRECISION_MICRO: 860 ps->user_tsresol = 1000000; 861 break; 862 863 case PCAP_TSTAMP_PRECISION_NANO: 864 ps->user_tsresol = 1000000000; 865 break; 866 867 default: 868 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 869 "unknown time stamp resolution %u", precision); 870 free(p); 871 *err = 1; 872 return (NULL); 873 } 874 875 p->opt.tstamp_precision = precision; 876 877 /* 878 * Allocate a buffer into which to read blocks. We default to 879 * the maximum of: 880 * 881 * the total length of the SHB for which we read the header; 882 * 883 * 2K, which should be more than large enough for an Enhanced 884 * Packet Block containing a full-size Ethernet frame, and 885 * leaving room for some options. 886 * 887 * If we find a bigger block, we reallocate the buffer, up to 888 * the maximum size. We start out with a maximum size based 889 * on a maximum snapshot length of MAXIMUM_SNAPLEN; if we see 890 * any link-layer header types with a larger maximum snapshot 891 * length, we boost the maximum. 892 */ 893 p->bufsize = 2048; 894 if (p->bufsize < total_length) 895 p->bufsize = total_length; 896 p->buffer = malloc(p->bufsize); 897 if (p->buffer == NULL) { 898 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 899 free(p); 900 *err = 1; 901 return (NULL); 902 } 903 ps->max_blocksize = MAX_BLOCKSIZE(MAXIMUM_SNAPLEN); 904 905 /* 906 * Copy the stuff we've read to the buffer, and read the rest 907 * of the SHB. 908 */ 909 bhdrp = (struct block_header *)p->buffer; 910 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header)); 911 bhdrp->block_type = magic; 912 bhdrp->total_length = total_length; 913 shbp->byte_order_magic = byte_order_magic; 914 if (read_bytes(fp, 915 (u_char *)p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)), 916 total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)), 917 1, errbuf) == -1) 918 goto fail; 919 920 if (p->swapped) { 921 /* 922 * Byte-swap the fields we've read. 923 */ 924 shbp->major_version = SWAPSHORT(shbp->major_version); 925 shbp->minor_version = SWAPSHORT(shbp->minor_version); 926 927 /* 928 * XXX - we don't care about the section length. 929 */ 930 } 931 /* currently only SHB version 1.0 is supported */ 932 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR && 933 shbp->minor_version == PCAP_NG_VERSION_MINOR)) { 934 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 935 "unsupported pcapng savefile version %u.%u", 936 shbp->major_version, shbp->minor_version); 937 goto fail; 938 } 939 p->version_major = shbp->major_version; 940 p->version_minor = shbp->minor_version; 941 942 /* 943 * Save the time stamp resolution the user requested. 944 */ 945 p->opt.tstamp_precision = precision; 946 947 /* 948 * Now start looking for an Interface Description Block. 949 */ 950 for (;;) { 951 /* 952 * Read the next block. 953 */ 954 status = read_block(fp, p, &cursor, errbuf); 955 if (status == 0) { 956 /* EOF - no IDB in this file */ 957 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 958 "the capture file has no Interface Description Blocks"); 959 goto fail; 960 } 961 if (status == -1) 962 goto fail; /* error */ 963 switch (cursor.block_type) { 964 965 case BT_IDB: 966 /* 967 * Get a pointer to the fixed-length portion of the 968 * IDB. 969 */ 970 idbp = get_from_block_data(&cursor, sizeof(*idbp), 971 errbuf); 972 if (idbp == NULL) 973 goto fail; /* error */ 974 975 /* 976 * Byte-swap it if necessary. 977 */ 978 if (p->swapped) { 979 idbp->linktype = SWAPSHORT(idbp->linktype); 980 idbp->snaplen = SWAPLONG(idbp->snaplen); 981 } 982 983 /* 984 * Try to add this interface. 985 */ 986 if (!add_interface(p, &cursor, errbuf)) 987 goto fail; 988 989 goto done; 990 991 case BT_EPB: 992 case BT_SPB: 993 case BT_PB: 994 /* 995 * Saw a packet before we saw any IDBs. That's 996 * not valid, as we don't know what link-layer 997 * encapsulation the packet has. 998 */ 999 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 1000 "the capture file has a packet block before any Interface Description Blocks"); 1001 goto fail; 1002 1003 default: 1004 /* 1005 * Just ignore it. 1006 */ 1007 break; 1008 } 1009 } 1010 1011 done: 1012 p->tzoff = 0; /* XXX - not used in pcap */ 1013 p->snapshot = idbp->snaplen; 1014 if (p->snapshot <= 0) { 1015 /* 1016 * Bogus snapshot length; use the maximum for this 1017 * link-layer type as a fallback. 1018 * 1019 * XXX - the only reason why snapshot is signed is 1020 * that pcap_snapshot() returns an int, not an 1021 * unsigned int. 1022 */ 1023 p->snapshot = max_snaplen_for_dlt(idbp->linktype); 1024 } 1025 p->linktype = linktype_to_dlt(idbp->linktype); 1026 p->linktype_ext = 0; 1027 1028 /* 1029 * If the maximum block size for a packet with the maximum 1030 * snapshot length for this DLT_ is bigger than the current 1031 * maximum block size, increase the maximum. 1032 */ 1033 if (MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize) 1034 ps->max_blocksize = MAX_BLOCKSIZE(max_snaplen_for_dlt(p->linktype)); 1035 1036 p->next_packet_op = pcap_ng_next_packet; 1037 p->cleanup_op = pcap_ng_cleanup; 1038 1039 return (p); 1040 1041 fail: 1042 free(ps->ifaces); 1043 free(p->buffer); 1044 free(p); 1045 *err = 1; 1046 return (NULL); 1047 } 1048 1049 static void pcap_ng_cleanup(pcap_t * p)1050 pcap_ng_cleanup(pcap_t *p) 1051 { 1052 struct pcap_ng_sf *ps = p->priv; 1053 1054 free(ps->ifaces); 1055 sf_cleanup(p); 1056 } 1057 1058 /* 1059 * Read and return the next packet from the savefile. Return the header 1060 * in hdr and a pointer to the contents in data. Return 0 on success, 1 1061 * if there were no more packets, and -1 on an error. 1062 */ 1063 static int pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1064 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data) 1065 { 1066 struct pcap_ng_sf *ps = p->priv; 1067 struct block_cursor cursor; 1068 int status; 1069 struct enhanced_packet_block *epbp; 1070 struct simple_packet_block *spbp; 1071 struct packet_block *pbp; 1072 bpf_u_int32 interface_id = 0xFFFFFFFF; 1073 struct interface_description_block *idbp; 1074 struct section_header_block *shbp; 1075 FILE *fp = p->rfile; 1076 uint64_t t, sec, frac; 1077 1078 /* 1079 * Look for an Enhanced Packet Block, a Simple Packet Block, 1080 * or a Packet Block. 1081 */ 1082 for (;;) { 1083 /* 1084 * Read the block type and length; those are common 1085 * to all blocks. 1086 */ 1087 status = read_block(fp, p, &cursor, p->errbuf); 1088 if (status == 0) 1089 return (1); /* EOF */ 1090 if (status == -1) 1091 return (-1); /* error */ 1092 switch (cursor.block_type) { 1093 1094 case BT_EPB: 1095 /* 1096 * Get a pointer to the fixed-length portion of the 1097 * EPB. 1098 */ 1099 epbp = get_from_block_data(&cursor, sizeof(*epbp), 1100 p->errbuf); 1101 if (epbp == NULL) 1102 return (-1); /* error */ 1103 1104 /* 1105 * Byte-swap it if necessary. 1106 */ 1107 if (p->swapped) { 1108 /* these were written in opposite byte order */ 1109 interface_id = SWAPLONG(epbp->interface_id); 1110 hdr->caplen = SWAPLONG(epbp->caplen); 1111 hdr->len = SWAPLONG(epbp->len); 1112 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 | 1113 SWAPLONG(epbp->timestamp_low); 1114 } else { 1115 interface_id = epbp->interface_id; 1116 hdr->caplen = epbp->caplen; 1117 hdr->len = epbp->len; 1118 t = ((uint64_t)epbp->timestamp_high) << 32 | 1119 epbp->timestamp_low; 1120 } 1121 goto found; 1122 1123 case BT_SPB: 1124 /* 1125 * Get a pointer to the fixed-length portion of the 1126 * SPB. 1127 */ 1128 spbp = get_from_block_data(&cursor, sizeof(*spbp), 1129 p->errbuf); 1130 if (spbp == NULL) 1131 return (-1); /* error */ 1132 1133 /* 1134 * SPB packets are assumed to have arrived on 1135 * the first interface. 1136 */ 1137 interface_id = 0; 1138 1139 /* 1140 * Byte-swap it if necessary. 1141 */ 1142 if (p->swapped) { 1143 /* these were written in opposite byte order */ 1144 hdr->len = SWAPLONG(spbp->len); 1145 } else 1146 hdr->len = spbp->len; 1147 1148 /* 1149 * The SPB doesn't give the captured length; 1150 * it's the minimum of the snapshot length 1151 * and the packet length. 1152 */ 1153 hdr->caplen = hdr->len; 1154 if (hdr->caplen > (bpf_u_int32)p->snapshot) 1155 hdr->caplen = p->snapshot; 1156 t = 0; /* no time stamps */ 1157 goto found; 1158 1159 case BT_PB: 1160 /* 1161 * Get a pointer to the fixed-length portion of the 1162 * PB. 1163 */ 1164 pbp = get_from_block_data(&cursor, sizeof(*pbp), 1165 p->errbuf); 1166 if (pbp == NULL) 1167 return (-1); /* error */ 1168 1169 /* 1170 * Byte-swap it if necessary. 1171 */ 1172 if (p->swapped) { 1173 /* these were written in opposite byte order */ 1174 interface_id = SWAPSHORT(pbp->interface_id); 1175 hdr->caplen = SWAPLONG(pbp->caplen); 1176 hdr->len = SWAPLONG(pbp->len); 1177 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 | 1178 SWAPLONG(pbp->timestamp_low); 1179 } else { 1180 interface_id = pbp->interface_id; 1181 hdr->caplen = pbp->caplen; 1182 hdr->len = pbp->len; 1183 t = ((uint64_t)pbp->timestamp_high) << 32 | 1184 pbp->timestamp_low; 1185 } 1186 goto found; 1187 1188 case BT_IDB: 1189 /* 1190 * Interface Description Block. Get a pointer 1191 * to its fixed-length portion. 1192 */ 1193 idbp = get_from_block_data(&cursor, sizeof(*idbp), 1194 p->errbuf); 1195 if (idbp == NULL) 1196 return (-1); /* error */ 1197 1198 /* 1199 * Byte-swap it if necessary. 1200 */ 1201 if (p->swapped) { 1202 idbp->linktype = SWAPSHORT(idbp->linktype); 1203 idbp->snaplen = SWAPLONG(idbp->snaplen); 1204 } 1205 1206 /* 1207 * If the link-layer type or snapshot length 1208 * differ from the ones for the first IDB we 1209 * saw, quit. 1210 * 1211 * XXX - just discard packets from those 1212 * interfaces? 1213 */ 1214 if (p->linktype != idbp->linktype) { 1215 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1216 "an interface has a type %u different from the type of the first interface", 1217 idbp->linktype); 1218 return (-1); 1219 } 1220 if ((bpf_u_int32)p->snapshot != idbp->snaplen) { 1221 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1222 "an interface has a snapshot length %u different from the type of the first interface", 1223 idbp->snaplen); 1224 return (-1); 1225 } 1226 1227 /* 1228 * Try to add this interface. 1229 */ 1230 if (!add_interface(p, &cursor, p->errbuf)) 1231 return (-1); 1232 break; 1233 1234 case BT_SHB: 1235 /* 1236 * Section Header Block. Get a pointer 1237 * to its fixed-length portion. 1238 */ 1239 shbp = get_from_block_data(&cursor, sizeof(*shbp), 1240 p->errbuf); 1241 if (shbp == NULL) 1242 return (-1); /* error */ 1243 1244 /* 1245 * Assume the byte order of this section is 1246 * the same as that of the previous section. 1247 * We'll check for that later. 1248 */ 1249 if (p->swapped) { 1250 shbp->byte_order_magic = 1251 SWAPLONG(shbp->byte_order_magic); 1252 shbp->major_version = 1253 SWAPSHORT(shbp->major_version); 1254 } 1255 1256 /* 1257 * Make sure the byte order doesn't change; 1258 * pcap_is_swapped() shouldn't change its 1259 * return value in the middle of reading a capture. 1260 */ 1261 switch (shbp->byte_order_magic) { 1262 1263 case BYTE_ORDER_MAGIC: 1264 /* 1265 * OK. 1266 */ 1267 break; 1268 1269 case SWAPLONG(BYTE_ORDER_MAGIC): 1270 /* 1271 * Byte order changes. 1272 */ 1273 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1274 "the file has sections with different byte orders"); 1275 return (-1); 1276 1277 default: 1278 /* 1279 * Not a valid SHB. 1280 */ 1281 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1282 "the file has a section with a bad byte order magic field"); 1283 return (-1); 1284 } 1285 1286 /* 1287 * Make sure the major version is the version 1288 * we handle. 1289 */ 1290 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) { 1291 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1292 "unknown pcapng savefile major version number %u", 1293 shbp->major_version); 1294 return (-1); 1295 } 1296 1297 /* 1298 * Reset the interface count; this section should 1299 * have its own set of IDBs. If any of them 1300 * don't have the same interface type, snapshot 1301 * length, or resolution as the first interface 1302 * we saw, we'll fail. (And if we don't see 1303 * any IDBs, we'll fail when we see a packet 1304 * block.) 1305 */ 1306 ps->ifcount = 0; 1307 break; 1308 1309 default: 1310 /* 1311 * Not a packet block, IDB, or SHB; ignore it. 1312 */ 1313 break; 1314 } 1315 } 1316 1317 found: 1318 /* 1319 * Is the interface ID an interface we know? 1320 */ 1321 if (interface_id >= ps->ifcount) { 1322 /* 1323 * Yes. Fail. 1324 */ 1325 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1326 "a packet arrived on interface %u, but there's no Interface Description Block for that interface", 1327 interface_id); 1328 return (-1); 1329 } 1330 1331 if (hdr->caplen > (bpf_u_int32)p->snapshot) { 1332 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1333 "invalid packet capture length %u, bigger than " 1334 "snaplen of %d", hdr->caplen, p->snapshot); 1335 return (-1); 1336 } 1337 1338 /* 1339 * Convert the time stamp to seconds and fractions of a second, 1340 * with the fractions being in units of the file-supplied resolution. 1341 */ 1342 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset; 1343 frac = t % ps->ifaces[interface_id].tsresol; 1344 1345 /* 1346 * Convert the fractions from units of the file-supplied resolution 1347 * to units of the user-requested resolution. 1348 */ 1349 switch (ps->ifaces[interface_id].scale_type) { 1350 1351 case PASS_THROUGH: 1352 /* 1353 * The interface resolution is what the user wants, 1354 * so we're done. 1355 */ 1356 break; 1357 1358 case SCALE_UP_DEC: 1359 /* 1360 * The interface resolution is less than what the user 1361 * wants; scale the fractional part up to the units of 1362 * the resolution the user requested by multiplying by 1363 * the quotient of the user-requested resolution and the 1364 * file-supplied resolution. 1365 * 1366 * Those resolutions are both powers of 10, and the user- 1367 * requested resolution is greater than the file-supplied 1368 * resolution, so the quotient in question is an integer. 1369 * We've calculated that quotient already, so we just 1370 * multiply by it. 1371 */ 1372 frac *= ps->ifaces[interface_id].scale_factor; 1373 break; 1374 1375 case SCALE_UP_BIN: 1376 /* 1377 * The interface resolution is less than what the user 1378 * wants; scale the fractional part up to the units of 1379 * the resolution the user requested by multiplying by 1380 * the quotient of the user-requested resolution and the 1381 * file-supplied resolution. 1382 * 1383 * The file-supplied resolution is a power of 2, so the 1384 * quotient is not an integer, so, in order to do this 1385 * entirely with integer arithmetic, we multiply by the 1386 * user-requested resolution and divide by the file- 1387 * supplied resolution. 1388 * 1389 * XXX - Is there something clever we could do here, 1390 * given that we know that the file-supplied resolution 1391 * is a power of 2? Doing a multiplication followed by 1392 * a division runs the risk of overflowing, and involves 1393 * two non-simple arithmetic operations. 1394 */ 1395 frac *= ps->user_tsresol; 1396 frac /= ps->ifaces[interface_id].tsresol; 1397 break; 1398 1399 case SCALE_DOWN_DEC: 1400 /* 1401 * The interface resolution is greater than what the user 1402 * wants; scale the fractional part up to the units of 1403 * the resolution the user requested by multiplying by 1404 * the quotient of the user-requested resolution and the 1405 * file-supplied resolution. 1406 * 1407 * Those resolutions are both powers of 10, and the user- 1408 * requested resolution is less than the file-supplied 1409 * resolution, so the quotient in question isn't an 1410 * integer, but its reciprocal is, and we can just divide 1411 * by the reciprocal of the quotient. We've calculated 1412 * the reciprocal of that quotient already, so we must 1413 * divide by it. 1414 */ 1415 frac /= ps->ifaces[interface_id].scale_factor; 1416 break; 1417 1418 1419 case SCALE_DOWN_BIN: 1420 /* 1421 * The interface resolution is greater than what the user 1422 * wants; convert the fractional part to units of the 1423 * resolution the user requested by multiplying by the 1424 * quotient of the user-requested resolution and the 1425 * file-supplied resolution. We do that by multiplying 1426 * by the user-requested resolution and dividing by the 1427 * file-supplied resolution, as the quotient might not 1428 * fit in an integer. 1429 * 1430 * The file-supplied resolution is a power of 2, so the 1431 * quotient is not an integer, and neither is its 1432 * reciprocal, so, in order to do this entirely with 1433 * integer arithmetic, we multiply by the user-requested 1434 * resolution and divide by the file-supplied resolution. 1435 * 1436 * XXX - Is there something clever we could do here, 1437 * given that we know that the file-supplied resolution 1438 * is a power of 2? Doing a multiplication followed by 1439 * a division runs the risk of overflowing, and involves 1440 * two non-simple arithmetic operations. 1441 */ 1442 frac *= ps->user_tsresol; 1443 frac /= ps->ifaces[interface_id].tsresol; 1444 break; 1445 } 1446 #ifdef _WIN32 1447 /* 1448 * tv_sec and tv_used in the Windows struct timeval are both 1449 * longs. 1450 */ 1451 hdr->ts.tv_sec = (long)sec; 1452 hdr->ts.tv_usec = (long)frac; 1453 #else 1454 /* 1455 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is 1456 * suseconds_t in UN*Xes that work the way the current Single 1457 * UNIX Standard specify - but not all older UN*Xes necessarily 1458 * support that type, so just cast to int. 1459 */ 1460 hdr->ts.tv_sec = (time_t)sec; 1461 hdr->ts.tv_usec = (int)frac; 1462 #endif 1463 1464 /* 1465 * Get a pointer to the packet data. 1466 */ 1467 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf); 1468 if (*data == NULL) 1469 return (-1); 1470 1471 if (p->swapped) 1472 swap_pseudo_headers(p->linktype, hdr, *data); 1473 1474 return (0); 1475 } 1476