1/* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c 22 */ 23 24#ifdef HAVE_CONFIG_H 25#include <config.h> 26#endif 27 28#include <pcap/pcap-inttypes.h> 29 30#include <errno.h> 31#include <memory.h> 32#include <stdio.h> 33#include <stdlib.h> 34#include <string.h> 35 36#include "pcap-int.h" 37 38#include "pcap-common.h" 39 40#ifdef HAVE_OS_PROTO_H 41#include "os-proto.h" 42#endif 43 44#include "sf-pcapng.h" 45 46/* 47 * Block types. 48 */ 49 50/* 51 * Common part at the beginning of all blocks. 52 */ 53struct block_header { 54 bpf_u_int32 block_type; 55 bpf_u_int32 total_length; 56}; 57 58/* 59 * Common trailer at the end of all blocks. 60 */ 61struct block_trailer { 62 bpf_u_int32 total_length; 63}; 64 65/* 66 * Common options. 67 */ 68#define OPT_ENDOFOPT 0 /* end of options */ 69#define OPT_COMMENT 1 /* comment string */ 70 71/* 72 * Option header. 73 */ 74struct option_header { 75 u_short option_code; 76 u_short option_length; 77}; 78 79/* 80 * Structures for the part of each block type following the common 81 * part. 82 */ 83 84/* 85 * Section Header Block. 86 */ 87#define BT_SHB 0x0A0D0D0A 88#define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */ 89struct section_header_block { 90 bpf_u_int32 byte_order_magic; 91 u_short major_version; 92 u_short minor_version; 93 uint64_t section_length; 94 /* followed by options and trailer */ 95}; 96 97/* 98 * Byte-order magic value. 99 */ 100#define BYTE_ORDER_MAGIC 0x1A2B3C4D 101 102/* 103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR, 104 * that means that this code can't read the file. 105 */ 106#define PCAP_NG_VERSION_MAJOR 1 107#define PCAP_NG_VERSION_MINOR 0 108 109/* 110 * Interface Description Block. 111 */ 112#define BT_IDB 0x00000001 113 114struct interface_description_block { 115 u_short linktype; 116 u_short reserved; 117 bpf_u_int32 snaplen; 118 /* followed by options and trailer */ 119}; 120 121/* 122 * Options in the IDB. 123 */ 124#define IF_NAME 2 /* interface name string */ 125#define IF_DESCRIPTION 3 /* interface description string */ 126#define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */ 127#define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */ 128#define IF_MACADDR 6 /* interface's MAC address */ 129#define IF_EUIADDR 7 /* interface's EUI address */ 130#define IF_SPEED 8 /* interface's speed, in bits/s */ 131#define IF_TSRESOL 9 /* interface's time stamp resolution */ 132#define IF_TZONE 10 /* interface's time zone */ 133#define IF_FILTER 11 /* filter used when capturing on interface */ 134#define IF_OS 12 /* string OS on which capture on this interface was done */ 135#define IF_FCSLEN 13 /* FCS length for this interface */ 136#define IF_TSOFFSET 14 /* time stamp offset for this interface */ 137 138/* 139 * Enhanced Packet Block. 140 */ 141#define BT_EPB 0x00000006 142 143struct enhanced_packet_block { 144 bpf_u_int32 interface_id; 145 bpf_u_int32 timestamp_high; 146 bpf_u_int32 timestamp_low; 147 bpf_u_int32 caplen; 148 bpf_u_int32 len; 149 /* followed by packet data, options, and trailer */ 150}; 151 152/* 153 * Simple Packet Block. 154 */ 155#define BT_SPB 0x00000003 156 157struct simple_packet_block { 158 bpf_u_int32 len; 159 /* followed by packet data and trailer */ 160}; 161 162/* 163 * Packet Block. 164 */ 165#define BT_PB 0x00000002 166 167struct packet_block { 168 u_short interface_id; 169 u_short drops_count; 170 bpf_u_int32 timestamp_high; 171 bpf_u_int32 timestamp_low; 172 bpf_u_int32 caplen; 173 bpf_u_int32 len; 174 /* followed by packet data, options, and trailer */ 175}; 176 177/* 178 * Block cursor - used when processing the contents of a block. 179 * Contains a pointer into the data being processed and a count 180 * of bytes remaining in the block. 181 */ 182struct block_cursor { 183 u_char *data; 184 size_t data_remaining; 185 bpf_u_int32 block_type; 186}; 187 188typedef enum { 189 PASS_THROUGH, 190 SCALE_UP_DEC, 191 SCALE_DOWN_DEC, 192 SCALE_UP_BIN, 193 SCALE_DOWN_BIN 194} tstamp_scale_type_t; 195 196/* 197 * Per-interface information. 198 */ 199struct pcap_ng_if { 200 uint64_t tsresol; /* time stamp resolution */ 201 tstamp_scale_type_t scale_type; /* how to scale */ 202 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */ 203 uint64_t tsoffset; /* time stamp offset */ 204}; 205 206/* 207 * Per-pcap_t private data. 208 * 209 * max_blocksize is the maximum size of a block that we'll accept. We 210 * reject blocks bigger than this, so we don't consume too much memory 211 * with a truly huge block. It can change as we see IDBs with different 212 * link-layer header types. (Currently, we don't support IDBs with 213 * different link-layer header types, but we will support it in the 214 * future, when we offer file-reading APIs that support it.) 215 * 216 * XXX - that's an issue on ILP32 platforms, where the maximum block 217 * size of 2^31-1 would eat all but one byte of the entire address space. 218 * It's less of an issue on ILP64/LLP64 platforms, but the actual size 219 * of the address space may be limited by 1) the number of *significant* 220 * address bits (currently, x86-64 only supports 48 bits of address), 2) 221 * any limitations imposed by the operating system; 3) any limitations 222 * imposed by the amount of available backing store for anonymous pages, 223 * so we impose a limit regardless of the size of a pointer. 224 */ 225struct pcap_ng_sf { 226 uint64_t user_tsresol; /* time stamp resolution requested by the user */ 227 u_int max_blocksize; /* don't grow buffer size past this */ 228 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */ 229 bpf_u_int32 ifaces_size; /* size of array below */ 230 struct pcap_ng_if *ifaces; /* array of interface information */ 231}; 232 233/* 234 * The maximum block size we start with; we use an arbitrary value of 235 * 16 MiB. 236 */ 237#define INITIAL_MAX_BLOCKSIZE (16*1024*1024) 238 239/* 240 * Maximum block size for a given maximum snapshot length; we define it 241 * as the size of an EPB with a max_snaplen-sized packet and 128KB of 242 * options. 243 */ 244#define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \ 245 (sizeof (struct block_header) + \ 246 sizeof (struct enhanced_packet_block) + \ 247 (max_snaplen) + 131072 + \ 248 sizeof (struct block_trailer)) 249 250static void pcap_ng_cleanup(pcap_t *p); 251static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, 252 u_char **data); 253 254static int 255read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof, 256 char *errbuf) 257{ 258 size_t amt_read; 259 260 amt_read = fread(buf, 1, bytes_to_read, fp); 261 if (amt_read != bytes_to_read) { 262 if (ferror(fp)) { 263 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 264 errno, "error reading dump file"); 265 } else { 266 if (amt_read == 0 && !fail_on_eof) 267 return (0); /* EOF */ 268 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 269 "truncated pcapng dump file; tried to read %" PRIsize " bytes, only got %" PRIsize, 270 bytes_to_read, amt_read); 271 } 272 return (-1); 273 } 274 return (1); 275} 276 277static int 278read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf) 279{ 280 struct pcap_ng_sf *ps; 281 int status; 282 struct block_header bhdr; 283 struct block_trailer *btrlr; 284 u_char *bdata; 285 size_t data_remaining; 286 287 ps = p->priv; 288 289 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf); 290 if (status <= 0) 291 return (status); /* error or EOF */ 292 293 if (p->swapped) { 294 bhdr.block_type = SWAPLONG(bhdr.block_type); 295 bhdr.total_length = SWAPLONG(bhdr.total_length); 296 } 297 298 /* 299 * Is this block "too small" - i.e., is it shorter than a block 300 * header plus a block trailer? 301 */ 302 if (bhdr.total_length < sizeof(struct block_header) + 303 sizeof(struct block_trailer)) { 304 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 305 "block in pcapng dump file has a length of %u < %" PRIsize, 306 bhdr.total_length, 307 sizeof(struct block_header) + sizeof(struct block_trailer)); 308 return (-1); 309 } 310 311 /* 312 * Is the block total length a multiple of 4? 313 */ 314 if ((bhdr.total_length % 4) != 0) { 315 /* 316 * No. Report that as an error. 317 */ 318 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 319 "block in pcapng dump file has a length of %u that is not a multiple of 4" PRIsize, 320 bhdr.total_length); 321 return (-1); 322 } 323 324 /* 325 * Is the buffer big enough? 326 */ 327 if (p->bufsize < bhdr.total_length) { 328 /* 329 * No - make it big enough, unless it's too big, in 330 * which case we fail. 331 */ 332 void *bigger_buffer; 333 334 if (bhdr.total_length > ps->max_blocksize) { 335 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length, 336 ps->max_blocksize); 337 return (-1); 338 } 339 bigger_buffer = realloc(p->buffer, bhdr.total_length); 340 if (bigger_buffer == NULL) { 341 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 342 return (-1); 343 } 344 p->buffer = bigger_buffer; 345 } 346 347 /* 348 * Copy the stuff we've read to the buffer, and read the rest 349 * of the block. 350 */ 351 memcpy(p->buffer, &bhdr, sizeof(bhdr)); 352 bdata = (u_char *)p->buffer + sizeof(bhdr); 353 data_remaining = bhdr.total_length - sizeof(bhdr); 354 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1) 355 return (-1); 356 357 /* 358 * Get the block size from the trailer. 359 */ 360 btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer)); 361 if (p->swapped) 362 btrlr->total_length = SWAPLONG(btrlr->total_length); 363 364 /* 365 * Is the total length from the trailer the same as the total 366 * length from the header? 367 */ 368 if (bhdr.total_length != btrlr->total_length) { 369 /* 370 * No. 371 */ 372 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 373 "block total length in header and trailer don't match"); 374 return (-1); 375 } 376 377 /* 378 * Initialize the cursor. 379 */ 380 cursor->data = bdata; 381 cursor->data_remaining = data_remaining - sizeof(struct block_trailer); 382 cursor->block_type = bhdr.block_type; 383 return (1); 384} 385 386static void * 387get_from_block_data(struct block_cursor *cursor, size_t chunk_size, 388 char *errbuf) 389{ 390 void *data; 391 392 /* 393 * Make sure we have the specified amount of data remaining in 394 * the block data. 395 */ 396 if (cursor->data_remaining < chunk_size) { 397 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 398 "block of type %u in pcapng dump file is too short", 399 cursor->block_type); 400 return (NULL); 401 } 402 403 /* 404 * Return the current pointer, and skip past the chunk. 405 */ 406 data = cursor->data; 407 cursor->data += chunk_size; 408 cursor->data_remaining -= chunk_size; 409 return (data); 410} 411 412static struct option_header * 413get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf) 414{ 415 struct option_header *opthdr; 416 417 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf); 418 if (opthdr == NULL) { 419 /* 420 * Option header is cut short. 421 */ 422 return (NULL); 423 } 424 425 /* 426 * Byte-swap it if necessary. 427 */ 428 if (p->swapped) { 429 opthdr->option_code = SWAPSHORT(opthdr->option_code); 430 opthdr->option_length = SWAPSHORT(opthdr->option_length); 431 } 432 433 return (opthdr); 434} 435 436static void * 437get_optvalue_from_block_data(struct block_cursor *cursor, 438 struct option_header *opthdr, char *errbuf) 439{ 440 size_t padded_option_len; 441 void *optvalue; 442 443 /* Pad option length to 4-byte boundary */ 444 padded_option_len = opthdr->option_length; 445 padded_option_len = ((padded_option_len + 3)/4)*4; 446 447 optvalue = get_from_block_data(cursor, padded_option_len, errbuf); 448 if (optvalue == NULL) { 449 /* 450 * Option value is cut short. 451 */ 452 return (NULL); 453 } 454 455 return (optvalue); 456} 457 458static int 459process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol, 460 uint64_t *tsoffset, int *is_binary, char *errbuf) 461{ 462 struct option_header *opthdr; 463 void *optvalue; 464 int saw_tsresol, saw_tsoffset; 465 uint8_t tsresol_opt; 466 u_int i; 467 468 saw_tsresol = 0; 469 saw_tsoffset = 0; 470 while (cursor->data_remaining != 0) { 471 /* 472 * Get the option header. 473 */ 474 opthdr = get_opthdr_from_block_data(p, cursor, errbuf); 475 if (opthdr == NULL) { 476 /* 477 * Option header is cut short. 478 */ 479 return (-1); 480 } 481 482 /* 483 * Get option value. 484 */ 485 optvalue = get_optvalue_from_block_data(cursor, opthdr, 486 errbuf); 487 if (optvalue == NULL) { 488 /* 489 * Option value is cut short. 490 */ 491 return (-1); 492 } 493 494 switch (opthdr->option_code) { 495 496 case OPT_ENDOFOPT: 497 if (opthdr->option_length != 0) { 498 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 499 "Interface Description Block has opt_endofopt option with length %u != 0", 500 opthdr->option_length); 501 return (-1); 502 } 503 goto done; 504 505 case IF_TSRESOL: 506 if (opthdr->option_length != 1) { 507 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 508 "Interface Description Block has if_tsresol option with length %u != 1", 509 opthdr->option_length); 510 return (-1); 511 } 512 if (saw_tsresol) { 513 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 514 "Interface Description Block has more than one if_tsresol option"); 515 return (-1); 516 } 517 saw_tsresol = 1; 518 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt)); 519 if (tsresol_opt & 0x80) { 520 /* 521 * Resolution is negative power of 2. 522 */ 523 uint8_t tsresol_shift = (tsresol_opt & 0x7F); 524 525 if (tsresol_shift > 63) { 526 /* 527 * Resolution is too high; 2^-{res} 528 * won't fit in a 64-bit value. 529 */ 530 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 531 "Interface Description Block if_tsresol option resolution 2^-%u is too high", 532 tsresol_shift); 533 return (-1); 534 } 535 *is_binary = 1; 536 *tsresol = ((uint64_t)1) << tsresol_shift; 537 } else { 538 /* 539 * Resolution is negative power of 10. 540 */ 541 if (tsresol_opt > 19) { 542 /* 543 * Resolution is too high; 2^-{res} 544 * won't fit in a 64-bit value (the 545 * largest power of 10 that fits 546 * in a 64-bit value is 10^19, as 547 * the largest 64-bit unsigned 548 * value is ~1.8*10^19). 549 */ 550 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 551 "Interface Description Block if_tsresol option resolution 10^-%u is too high", 552 tsresol_opt); 553 return (-1); 554 } 555 *is_binary = 0; 556 *tsresol = 1; 557 for (i = 0; i < tsresol_opt; i++) 558 *tsresol *= 10; 559 } 560 break; 561 562 case IF_TSOFFSET: 563 if (opthdr->option_length != 8) { 564 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 565 "Interface Description Block has if_tsoffset option with length %u != 8", 566 opthdr->option_length); 567 return (-1); 568 } 569 if (saw_tsoffset) { 570 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 571 "Interface Description Block has more than one if_tsoffset option"); 572 return (-1); 573 } 574 saw_tsoffset = 1; 575 memcpy(tsoffset, optvalue, sizeof(*tsoffset)); 576 if (p->swapped) 577 *tsoffset = SWAPLL(*tsoffset); 578 break; 579 580 default: 581 break; 582 } 583 } 584 585done: 586 return (0); 587} 588 589static int 590add_interface(pcap_t *p, struct block_cursor *cursor, char *errbuf) 591{ 592 struct pcap_ng_sf *ps; 593 uint64_t tsresol; 594 uint64_t tsoffset; 595 int is_binary; 596 597 ps = p->priv; 598 599 /* 600 * Count this interface. 601 */ 602 ps->ifcount++; 603 604 /* 605 * Grow the array of per-interface information as necessary. 606 */ 607 if (ps->ifcount > ps->ifaces_size) { 608 /* 609 * We need to grow the array. 610 */ 611 bpf_u_int32 new_ifaces_size; 612 struct pcap_ng_if *new_ifaces; 613 614 if (ps->ifaces_size == 0) { 615 /* 616 * It's currently empty. 617 * 618 * (The Clang static analyzer doesn't do enough, 619 * err, umm, dataflow *analysis* to realize that 620 * ps->ifaces_size == 0 if ps->ifaces == NULL, 621 * and so complains about a possible zero argument 622 * to realloc(), so we check for the former 623 * condition to shut it up. 624 * 625 * However, it doesn't complain that one of the 626 * multiplications below could overflow, which is 627 * a real, albeit extremely unlikely, problem (you'd 628 * need a pcapng file with tens of millions of 629 * interfaces).) 630 */ 631 new_ifaces_size = 1; 632 new_ifaces = malloc(sizeof (struct pcap_ng_if)); 633 } else { 634 /* 635 * It's not currently empty; double its size. 636 * (Perhaps overkill once we have a lot of interfaces.) 637 * 638 * Check for overflow if we double it. 639 */ 640 if (ps->ifaces_size * 2 < ps->ifaces_size) { 641 /* 642 * The maximum number of interfaces before 643 * ps->ifaces_size overflows is the largest 644 * possible 32-bit power of 2, as we do 645 * size doubling. 646 */ 647 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 648 "more than %u interfaces in the file", 649 0x80000000U); 650 return (0); 651 } 652 653 /* 654 * ps->ifaces_size * 2 doesn't overflow, so it's 655 * safe to multiply. 656 */ 657 new_ifaces_size = ps->ifaces_size * 2; 658 659 /* 660 * Now make sure that's not so big that it overflows 661 * if we multiply by sizeof (struct pcap_ng_if). 662 * 663 * That can happen on 32-bit platforms, with a 32-bit 664 * size_t; it shouldn't happen on 64-bit platforms, 665 * with a 64-bit size_t, as new_ifaces_size is 666 * 32 bits. 667 */ 668 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) { 669 /* 670 * As this fails only with 32-bit size_t, 671 * the multiplication was 32x32->32, and 672 * the largest 32-bit value that can safely 673 * be multiplied by sizeof (struct pcap_ng_if) 674 * without overflow is the largest 32-bit 675 * (unsigned) value divided by 676 * sizeof (struct pcap_ng_if). 677 */ 678 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 679 "more than %u interfaces in the file", 680 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if))); 681 return (0); 682 } 683 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if)); 684 } 685 if (new_ifaces == NULL) { 686 /* 687 * We ran out of memory. 688 * Give up. 689 */ 690 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 691 "out of memory for per-interface information (%u interfaces)", 692 ps->ifcount); 693 return (0); 694 } 695 ps->ifaces_size = new_ifaces_size; 696 ps->ifaces = new_ifaces; 697 } 698 699 /* 700 * Set the default time stamp resolution and offset. 701 */ 702 tsresol = 1000000; /* microsecond resolution */ 703 is_binary = 0; /* which is a power of 10 */ 704 tsoffset = 0; /* absolute timestamps */ 705 706 /* 707 * Now look for various time stamp options, so we know 708 * how to interpret the time stamps for this interface. 709 */ 710 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary, 711 errbuf) == -1) 712 return (0); 713 714 ps->ifaces[ps->ifcount - 1].tsresol = tsresol; 715 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset; 716 717 /* 718 * Determine whether we're scaling up or down or not 719 * at all for this interface. 720 */ 721 if (tsresol == ps->user_tsresol) { 722 /* 723 * The resolution is the resolution the user wants, 724 * so we don't have to do scaling. 725 */ 726 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH; 727 } else if (tsresol > ps->user_tsresol) { 728 /* 729 * The resolution is greater than what the user wants, 730 * so we have to scale the timestamps down. 731 */ 732 if (is_binary) 733 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN; 734 else { 735 /* 736 * Calculate the scale factor. 737 */ 738 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol; 739 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC; 740 } 741 } else { 742 /* 743 * The resolution is less than what the user wants, 744 * so we have to scale the timestamps up. 745 */ 746 if (is_binary) 747 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN; 748 else { 749 /* 750 * Calculate the scale factor. 751 */ 752 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol; 753 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC; 754 } 755 } 756 return (1); 757} 758 759/* 760 * Check whether this is a pcapng savefile and, if it is, extract the 761 * relevant information from the header. 762 */ 763pcap_t * 764pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision, 765 char *errbuf, int *err) 766{ 767 bpf_u_int32 magic_int; 768 size_t amt_read; 769 bpf_u_int32 total_length; 770 bpf_u_int32 byte_order_magic; 771 struct block_header *bhdrp; 772 struct section_header_block *shbp; 773 pcap_t *p; 774 int swapped = 0; 775 struct pcap_ng_sf *ps; 776 int status; 777 struct block_cursor cursor; 778 struct interface_description_block *idbp; 779 780 /* 781 * Assume no read errors. 782 */ 783 *err = 0; 784 785 /* 786 * Check whether the first 4 bytes of the file are the block 787 * type for a pcapng savefile. 788 */ 789 memcpy(&magic_int, magic, sizeof(magic_int)); 790 if (magic_int != BT_SHB) { 791 /* 792 * XXX - check whether this looks like what the block 793 * type would be after being munged by mapping between 794 * UN*X and DOS/Windows text file format and, if it 795 * does, look for the byte-order magic number in 796 * the appropriate place and, if we find it, report 797 * this as possibly being a pcapng file transferred 798 * between UN*X and Windows in text file format? 799 */ 800 return (NULL); /* nope */ 801 } 802 803 /* 804 * OK, they are. However, that's just \n\r\r\n, so it could, 805 * conceivably, be an ordinary text file. 806 * 807 * It could not, however, conceivably be any other type of 808 * capture file, so we can read the rest of the putative 809 * Section Header Block; put the block type in the common 810 * header, read the rest of the common header and the 811 * fixed-length portion of the SHB, and look for the byte-order 812 * magic value. 813 */ 814 amt_read = fread(&total_length, 1, sizeof(total_length), fp); 815 if (amt_read < sizeof(total_length)) { 816 if (ferror(fp)) { 817 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 818 errno, "error reading dump file"); 819 *err = 1; 820 return (NULL); /* fail */ 821 } 822 823 /* 824 * Possibly a weird short text file, so just say 825 * "not pcapng". 826 */ 827 return (NULL); 828 } 829 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp); 830 if (amt_read < sizeof(byte_order_magic)) { 831 if (ferror(fp)) { 832 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 833 errno, "error reading dump file"); 834 *err = 1; 835 return (NULL); /* fail */ 836 } 837 838 /* 839 * Possibly a weird short text file, so just say 840 * "not pcapng". 841 */ 842 return (NULL); 843 } 844 if (byte_order_magic != BYTE_ORDER_MAGIC) { 845 byte_order_magic = SWAPLONG(byte_order_magic); 846 if (byte_order_magic != BYTE_ORDER_MAGIC) { 847 /* 848 * Not a pcapng file. 849 */ 850 return (NULL); 851 } 852 swapped = 1; 853 total_length = SWAPLONG(total_length); 854 } 855 856 /* 857 * Check the sanity of the total length. 858 */ 859 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) || 860 (total_length > BT_SHB_INSANE_MAX)) { 861 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 862 "Section Header Block in pcapng dump file has invalid length %" PRIsize " < _%u_ < %u (BT_SHB_INSANE_MAX)", 863 sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer), 864 total_length, 865 BT_SHB_INSANE_MAX); 866 867 *err = 1; 868 return (NULL); 869 } 870 871 /* 872 * OK, this is a good pcapng file. 873 * Allocate a pcap_t for it. 874 */ 875 p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf)); 876 if (p == NULL) { 877 /* Allocation failed. */ 878 *err = 1; 879 return (NULL); 880 } 881 p->swapped = swapped; 882 ps = p->priv; 883 884 /* 885 * What precision does the user want? 886 */ 887 switch (precision) { 888 889 case PCAP_TSTAMP_PRECISION_MICRO: 890 ps->user_tsresol = 1000000; 891 break; 892 893 case PCAP_TSTAMP_PRECISION_NANO: 894 ps->user_tsresol = 1000000000; 895 break; 896 897 default: 898 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 899 "unknown time stamp resolution %u", precision); 900 free(p); 901 *err = 1; 902 return (NULL); 903 } 904 905 p->opt.tstamp_precision = precision; 906 907 /* 908 * Allocate a buffer into which to read blocks. We default to 909 * the maximum of: 910 * 911 * the total length of the SHB for which we read the header; 912 * 913 * 2K, which should be more than large enough for an Enhanced 914 * Packet Block containing a full-size Ethernet frame, and 915 * leaving room for some options. 916 * 917 * If we find a bigger block, we reallocate the buffer, up to 918 * the maximum size. We start out with a maximum size of 919 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types 920 * with a maximum snapshot that results in a larger maximum 921 * block length, we boost the maximum. 922 */ 923 p->bufsize = 2048; 924 if (p->bufsize < total_length) 925 p->bufsize = total_length; 926 p->buffer = malloc(p->bufsize); 927 if (p->buffer == NULL) { 928 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 929 free(p); 930 *err = 1; 931 return (NULL); 932 } 933 ps->max_blocksize = INITIAL_MAX_BLOCKSIZE; 934 935 /* 936 * Copy the stuff we've read to the buffer, and read the rest 937 * of the SHB. 938 */ 939 bhdrp = (struct block_header *)p->buffer; 940 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header)); 941 bhdrp->block_type = magic_int; 942 bhdrp->total_length = total_length; 943 shbp->byte_order_magic = byte_order_magic; 944 if (read_bytes(fp, 945 (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)), 946 total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)), 947 1, errbuf) == -1) 948 goto fail; 949 950 if (p->swapped) { 951 /* 952 * Byte-swap the fields we've read. 953 */ 954 shbp->major_version = SWAPSHORT(shbp->major_version); 955 shbp->minor_version = SWAPSHORT(shbp->minor_version); 956 957 /* 958 * XXX - we don't care about the section length. 959 */ 960 } 961 /* currently only SHB version 1.0 is supported */ 962 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR && 963 shbp->minor_version == PCAP_NG_VERSION_MINOR)) { 964 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 965 "unsupported pcapng savefile version %u.%u", 966 shbp->major_version, shbp->minor_version); 967 goto fail; 968 } 969 p->version_major = shbp->major_version; 970 p->version_minor = shbp->minor_version; 971 972 /* 973 * Save the time stamp resolution the user requested. 974 */ 975 p->opt.tstamp_precision = precision; 976 977 /* 978 * Now start looking for an Interface Description Block. 979 */ 980 for (;;) { 981 /* 982 * Read the next block. 983 */ 984 status = read_block(fp, p, &cursor, errbuf); 985 if (status == 0) { 986 /* EOF - no IDB in this file */ 987 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 988 "the capture file has no Interface Description Blocks"); 989 goto fail; 990 } 991 if (status == -1) 992 goto fail; /* error */ 993 switch (cursor.block_type) { 994 995 case BT_IDB: 996 /* 997 * Get a pointer to the fixed-length portion of the 998 * IDB. 999 */ 1000 idbp = get_from_block_data(&cursor, sizeof(*idbp), 1001 errbuf); 1002 if (idbp == NULL) 1003 goto fail; /* error */ 1004 1005 /* 1006 * Byte-swap it if necessary. 1007 */ 1008 if (p->swapped) { 1009 idbp->linktype = SWAPSHORT(idbp->linktype); 1010 idbp->snaplen = SWAPLONG(idbp->snaplen); 1011 } 1012 1013 /* 1014 * Try to add this interface. 1015 */ 1016 if (!add_interface(p, &cursor, errbuf)) 1017 goto fail; 1018 1019 goto done; 1020 1021 case BT_EPB: 1022 case BT_SPB: 1023 case BT_PB: 1024 /* 1025 * Saw a packet before we saw any IDBs. That's 1026 * not valid, as we don't know what link-layer 1027 * encapsulation the packet has. 1028 */ 1029 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 1030 "the capture file has a packet block before any Interface Description Blocks"); 1031 goto fail; 1032 1033 default: 1034 /* 1035 * Just ignore it. 1036 */ 1037 break; 1038 } 1039 } 1040 1041done: 1042 p->tzoff = 0; /* XXX - not used in pcap */ 1043 p->linktype = linktype_to_dlt(idbp->linktype); 1044 p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen); 1045 p->linktype_ext = 0; 1046 1047 /* 1048 * If the maximum block size for a packet with the maximum 1049 * snapshot length for this DLT_ is bigger than the current 1050 * maximum block size, increase the maximum. 1051 */ 1052 if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize) 1053 ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)); 1054 1055 p->next_packet_op = pcap_ng_next_packet; 1056 p->cleanup_op = pcap_ng_cleanup; 1057 1058 return (p); 1059 1060fail: 1061 free(ps->ifaces); 1062 free(p->buffer); 1063 free(p); 1064 *err = 1; 1065 return (NULL); 1066} 1067 1068static void 1069pcap_ng_cleanup(pcap_t *p) 1070{ 1071 struct pcap_ng_sf *ps = p->priv; 1072 1073 free(ps->ifaces); 1074 sf_cleanup(p); 1075} 1076 1077/* 1078 * Read and return the next packet from the savefile. Return the header 1079 * in hdr and a pointer to the contents in data. Return 0 on success, 1 1080 * if there were no more packets, and -1 on an error. 1081 */ 1082static int 1083pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data) 1084{ 1085 struct pcap_ng_sf *ps = p->priv; 1086 struct block_cursor cursor; 1087 int status; 1088 struct enhanced_packet_block *epbp; 1089 struct simple_packet_block *spbp; 1090 struct packet_block *pbp; 1091 bpf_u_int32 interface_id = 0xFFFFFFFF; 1092 struct interface_description_block *idbp; 1093 struct section_header_block *shbp; 1094 FILE *fp = p->rfile; 1095 uint64_t t, sec, frac; 1096 1097 /* 1098 * Look for an Enhanced Packet Block, a Simple Packet Block, 1099 * or a Packet Block. 1100 */ 1101 for (;;) { 1102 /* 1103 * Read the block type and length; those are common 1104 * to all blocks. 1105 */ 1106 status = read_block(fp, p, &cursor, p->errbuf); 1107 if (status == 0) 1108 return (1); /* EOF */ 1109 if (status == -1) 1110 return (-1); /* error */ 1111 switch (cursor.block_type) { 1112 1113 case BT_EPB: 1114 /* 1115 * Get a pointer to the fixed-length portion of the 1116 * EPB. 1117 */ 1118 epbp = get_from_block_data(&cursor, sizeof(*epbp), 1119 p->errbuf); 1120 if (epbp == NULL) 1121 return (-1); /* error */ 1122 1123 /* 1124 * Byte-swap it if necessary. 1125 */ 1126 if (p->swapped) { 1127 /* these were written in opposite byte order */ 1128 interface_id = SWAPLONG(epbp->interface_id); 1129 hdr->caplen = SWAPLONG(epbp->caplen); 1130 hdr->len = SWAPLONG(epbp->len); 1131 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 | 1132 SWAPLONG(epbp->timestamp_low); 1133 } else { 1134 interface_id = epbp->interface_id; 1135 hdr->caplen = epbp->caplen; 1136 hdr->len = epbp->len; 1137 t = ((uint64_t)epbp->timestamp_high) << 32 | 1138 epbp->timestamp_low; 1139 } 1140 goto found; 1141 1142 case BT_SPB: 1143 /* 1144 * Get a pointer to the fixed-length portion of the 1145 * SPB. 1146 */ 1147 spbp = get_from_block_data(&cursor, sizeof(*spbp), 1148 p->errbuf); 1149 if (spbp == NULL) 1150 return (-1); /* error */ 1151 1152 /* 1153 * SPB packets are assumed to have arrived on 1154 * the first interface. 1155 */ 1156 interface_id = 0; 1157 1158 /* 1159 * Byte-swap it if necessary. 1160 */ 1161 if (p->swapped) { 1162 /* these were written in opposite byte order */ 1163 hdr->len = SWAPLONG(spbp->len); 1164 } else 1165 hdr->len = spbp->len; 1166 1167 /* 1168 * The SPB doesn't give the captured length; 1169 * it's the minimum of the snapshot length 1170 * and the packet length. 1171 */ 1172 hdr->caplen = hdr->len; 1173 if (hdr->caplen > (bpf_u_int32)p->snapshot) 1174 hdr->caplen = p->snapshot; 1175 t = 0; /* no time stamps */ 1176 goto found; 1177 1178 case BT_PB: 1179 /* 1180 * Get a pointer to the fixed-length portion of the 1181 * PB. 1182 */ 1183 pbp = get_from_block_data(&cursor, sizeof(*pbp), 1184 p->errbuf); 1185 if (pbp == NULL) 1186 return (-1); /* error */ 1187 1188 /* 1189 * Byte-swap it if necessary. 1190 */ 1191 if (p->swapped) { 1192 /* these were written in opposite byte order */ 1193 interface_id = SWAPSHORT(pbp->interface_id); 1194 hdr->caplen = SWAPLONG(pbp->caplen); 1195 hdr->len = SWAPLONG(pbp->len); 1196 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 | 1197 SWAPLONG(pbp->timestamp_low); 1198 } else { 1199 interface_id = pbp->interface_id; 1200 hdr->caplen = pbp->caplen; 1201 hdr->len = pbp->len; 1202 t = ((uint64_t)pbp->timestamp_high) << 32 | 1203 pbp->timestamp_low; 1204 } 1205 goto found; 1206 1207 case BT_IDB: 1208 /* 1209 * Interface Description Block. Get a pointer 1210 * to its fixed-length portion. 1211 */ 1212 idbp = get_from_block_data(&cursor, sizeof(*idbp), 1213 p->errbuf); 1214 if (idbp == NULL) 1215 return (-1); /* error */ 1216 1217 /* 1218 * Byte-swap it if necessary. 1219 */ 1220 if (p->swapped) { 1221 idbp->linktype = SWAPSHORT(idbp->linktype); 1222 idbp->snaplen = SWAPLONG(idbp->snaplen); 1223 } 1224 1225 /* 1226 * If the link-layer type or snapshot length 1227 * differ from the ones for the first IDB we 1228 * saw, quit. 1229 * 1230 * XXX - just discard packets from those 1231 * interfaces? 1232 */ 1233 if (p->linktype != idbp->linktype) { 1234 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1235 "an interface has a type %u different from the type of the first interface", 1236 idbp->linktype); 1237 return (-1); 1238 } 1239 1240 /* 1241 * Check against the *adjusted* value of this IDB's 1242 * snapshot length. 1243 */ 1244 if ((bpf_u_int32)p->snapshot != 1245 pcap_adjust_snapshot(p->linktype, idbp->snaplen)) { 1246 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1247 "an interface has a snapshot length %u different from the type of the first interface", 1248 idbp->snaplen); 1249 return (-1); 1250 } 1251 1252 /* 1253 * Try to add this interface. 1254 */ 1255 if (!add_interface(p, &cursor, p->errbuf)) 1256 return (-1); 1257 break; 1258 1259 case BT_SHB: 1260 /* 1261 * Section Header Block. Get a pointer 1262 * to its fixed-length portion. 1263 */ 1264 shbp = get_from_block_data(&cursor, sizeof(*shbp), 1265 p->errbuf); 1266 if (shbp == NULL) 1267 return (-1); /* error */ 1268 1269 /* 1270 * Assume the byte order of this section is 1271 * the same as that of the previous section. 1272 * We'll check for that later. 1273 */ 1274 if (p->swapped) { 1275 shbp->byte_order_magic = 1276 SWAPLONG(shbp->byte_order_magic); 1277 shbp->major_version = 1278 SWAPSHORT(shbp->major_version); 1279 } 1280 1281 /* 1282 * Make sure the byte order doesn't change; 1283 * pcap_is_swapped() shouldn't change its 1284 * return value in the middle of reading a capture. 1285 */ 1286 switch (shbp->byte_order_magic) { 1287 1288 case BYTE_ORDER_MAGIC: 1289 /* 1290 * OK. 1291 */ 1292 break; 1293 1294 case SWAPLONG(BYTE_ORDER_MAGIC): 1295 /* 1296 * Byte order changes. 1297 */ 1298 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1299 "the file has sections with different byte orders"); 1300 return (-1); 1301 1302 default: 1303 /* 1304 * Not a valid SHB. 1305 */ 1306 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1307 "the file has a section with a bad byte order magic field"); 1308 return (-1); 1309 } 1310 1311 /* 1312 * Make sure the major version is the version 1313 * we handle. 1314 */ 1315 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) { 1316 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1317 "unknown pcapng savefile major version number %u", 1318 shbp->major_version); 1319 return (-1); 1320 } 1321 1322 /* 1323 * Reset the interface count; this section should 1324 * have its own set of IDBs. If any of them 1325 * don't have the same interface type, snapshot 1326 * length, or resolution as the first interface 1327 * we saw, we'll fail. (And if we don't see 1328 * any IDBs, we'll fail when we see a packet 1329 * block.) 1330 */ 1331 ps->ifcount = 0; 1332 break; 1333 1334 default: 1335 /* 1336 * Not a packet block, IDB, or SHB; ignore it. 1337 */ 1338 break; 1339 } 1340 } 1341 1342found: 1343 /* 1344 * Is the interface ID an interface we know? 1345 */ 1346 if (interface_id >= ps->ifcount) { 1347 /* 1348 * Yes. Fail. 1349 */ 1350 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1351 "a packet arrived on interface %u, but there's no Interface Description Block for that interface", 1352 interface_id); 1353 return (-1); 1354 } 1355 1356 if (hdr->caplen > (bpf_u_int32)p->snapshot) { 1357 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1358 "invalid packet capture length %u, bigger than " 1359 "snaplen of %d", hdr->caplen, p->snapshot); 1360 return (-1); 1361 } 1362 1363 /* 1364 * Convert the time stamp to seconds and fractions of a second, 1365 * with the fractions being in units of the file-supplied resolution. 1366 */ 1367 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset; 1368 frac = t % ps->ifaces[interface_id].tsresol; 1369 1370 /* 1371 * Convert the fractions from units of the file-supplied resolution 1372 * to units of the user-requested resolution. 1373 */ 1374 switch (ps->ifaces[interface_id].scale_type) { 1375 1376 case PASS_THROUGH: 1377 /* 1378 * The interface resolution is what the user wants, 1379 * so we're done. 1380 */ 1381 break; 1382 1383 case SCALE_UP_DEC: 1384 /* 1385 * The interface resolution is less than what the user 1386 * wants; scale the fractional part up to the units of 1387 * the resolution the user requested by multiplying by 1388 * the quotient of the user-requested resolution and the 1389 * file-supplied resolution. 1390 * 1391 * Those resolutions are both powers of 10, and the user- 1392 * requested resolution is greater than the file-supplied 1393 * resolution, so the quotient in question is an integer. 1394 * We've calculated that quotient already, so we just 1395 * multiply by it. 1396 */ 1397 frac *= ps->ifaces[interface_id].scale_factor; 1398 break; 1399 1400 case SCALE_UP_BIN: 1401 /* 1402 * The interface resolution is less than what the user 1403 * wants; scale the fractional part up to the units of 1404 * the resolution the user requested by multiplying by 1405 * the quotient of the user-requested resolution and the 1406 * file-supplied resolution. 1407 * 1408 * The file-supplied resolution is a power of 2, so the 1409 * quotient is not an integer, so, in order to do this 1410 * entirely with integer arithmetic, we multiply by the 1411 * user-requested resolution and divide by the file- 1412 * supplied resolution. 1413 * 1414 * XXX - Is there something clever we could do here, 1415 * given that we know that the file-supplied resolution 1416 * is a power of 2? Doing a multiplication followed by 1417 * a division runs the risk of overflowing, and involves 1418 * two non-simple arithmetic operations. 1419 */ 1420 frac *= ps->user_tsresol; 1421 frac /= ps->ifaces[interface_id].tsresol; 1422 break; 1423 1424 case SCALE_DOWN_DEC: 1425 /* 1426 * The interface resolution is greater than what the user 1427 * wants; scale the fractional part up to the units of 1428 * the resolution the user requested by multiplying by 1429 * the quotient of the user-requested resolution and the 1430 * file-supplied resolution. 1431 * 1432 * Those resolutions are both powers of 10, and the user- 1433 * requested resolution is less than the file-supplied 1434 * resolution, so the quotient in question isn't an 1435 * integer, but its reciprocal is, and we can just divide 1436 * by the reciprocal of the quotient. We've calculated 1437 * the reciprocal of that quotient already, so we must 1438 * divide by it. 1439 */ 1440 frac /= ps->ifaces[interface_id].scale_factor; 1441 break; 1442 1443 1444 case SCALE_DOWN_BIN: 1445 /* 1446 * The interface resolution is greater than what the user 1447 * wants; convert the fractional part to units of the 1448 * resolution the user requested by multiplying by the 1449 * quotient of the user-requested resolution and the 1450 * file-supplied resolution. We do that by multiplying 1451 * by the user-requested resolution and dividing by the 1452 * file-supplied resolution, as the quotient might not 1453 * fit in an integer. 1454 * 1455 * The file-supplied resolution is a power of 2, so the 1456 * quotient is not an integer, and neither is its 1457 * reciprocal, so, in order to do this entirely with 1458 * integer arithmetic, we multiply by the user-requested 1459 * resolution and divide by the file-supplied resolution. 1460 * 1461 * XXX - Is there something clever we could do here, 1462 * given that we know that the file-supplied resolution 1463 * is a power of 2? Doing a multiplication followed by 1464 * a division runs the risk of overflowing, and involves 1465 * two non-simple arithmetic operations. 1466 */ 1467 frac *= ps->user_tsresol; 1468 frac /= ps->ifaces[interface_id].tsresol; 1469 break; 1470 } 1471#ifdef _WIN32 1472 /* 1473 * tv_sec and tv_used in the Windows struct timeval are both 1474 * longs. 1475 */ 1476 hdr->ts.tv_sec = (long)sec; 1477 hdr->ts.tv_usec = (long)frac; 1478#else 1479 /* 1480 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is 1481 * suseconds_t in UN*Xes that work the way the current Single 1482 * UNIX Standard specify - but not all older UN*Xes necessarily 1483 * support that type, so just cast to int. 1484 */ 1485 hdr->ts.tv_sec = (time_t)sec; 1486 hdr->ts.tv_usec = (int)frac; 1487#endif 1488 1489 /* 1490 * Get a pointer to the packet data. 1491 */ 1492 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf); 1493 if (*data == NULL) 1494 return (-1); 1495 1496 if (p->swapped) 1497 swap_pseudo_headers(p->linktype, hdr, *data); 1498 1499 return (0); 1500} 1501