1/* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * sf-pcap.c - libpcap-file-format-specific code from savefile.c 22 * Extraction/creation by Jeffrey Mogul, DECWRL 23 * Modified by Steve McCanne, LBL. 24 * 25 * Used to save the received packet headers, after filtering, to 26 * a file, and then read them later. 27 * The first record in the file contains saved values for the machine 28 * dependent values so we can print the dump file on any architecture. 29 */ 30 31#ifndef lint 32static const char rcsid[] _U_ = 33 "@(#) $Header$ (LBL)"; 34#endif 35 36#ifdef HAVE_CONFIG_H 37#include "config.h" 38#endif 39 40#ifdef WIN32 41#include <pcap-stdinc.h> 42#else /* WIN32 */ 43#if HAVE_INTTYPES_H 44#include <inttypes.h> 45#elif HAVE_STDINT_H 46#include <stdint.h> 47#endif 48#ifdef HAVE_SYS_BITYPES_H 49#include <sys/bitypes.h> 50#endif 51#include <sys/types.h> 52#endif /* WIN32 */ 53 54#include <errno.h> 55#include <memory.h> 56#include <stdio.h> 57#include <stdlib.h> 58#include <string.h> 59 60#include "pcap-int.h" 61 62#include "pcap-common.h" 63 64#ifdef HAVE_OS_PROTO_H 65#include "os-proto.h" 66#endif 67 68#include "sf-pcap.h" 69 70/* 71 * Setting O_BINARY on DOS/Windows is a bit tricky 72 */ 73#if defined(WIN32) 74 #define SET_BINMODE(f) _setmode(_fileno(f), _O_BINARY) 75#elif defined(MSDOS) 76 #if defined(__HIGHC__) 77 #define SET_BINMODE(f) setmode(f, O_BINARY) 78 #else 79 #define SET_BINMODE(f) setmode(fileno(f), O_BINARY) 80 #endif 81#endif 82 83/* 84 * Standard libpcap format. 85 */ 86#define TCPDUMP_MAGIC 0xa1b2c3d4 87 88/* 89 * Alexey Kuznetzov's modified libpcap format. 90 */ 91#define KUZNETZOV_TCPDUMP_MAGIC 0xa1b2cd34 92 93/* 94 * Reserved for Francisco Mesquita <francisco.mesquita@radiomovel.pt> 95 * for another modified format. 96 */ 97#define FMESQUITA_TCPDUMP_MAGIC 0xa1b234cd 98 99/* 100 * Navtel Communcations' format, with nanosecond timestamps, 101 * as per a request from Dumas Hwang <dumas.hwang@navtelcom.com>. 102 */ 103#define NAVTEL_TCPDUMP_MAGIC 0xa12b3c4d 104 105/* 106 * Normal libpcap format, except for seconds/nanoseconds timestamps, 107 * as per a request by Ulf Lamping <ulf.lamping@web.de> 108 */ 109#define NSEC_TCPDUMP_MAGIC 0xa1b23c4d 110 111/* 112 * Mechanism for storing information about a capture in the upper 113 * 6 bits of a linktype value in a capture file. 114 * 115 * LT_LINKTYPE_EXT(x) extracts the additional information. 116 * 117 * The rest of the bits are for a value describing the link-layer 118 * value. LT_LINKTYPE(x) extracts that value. 119 */ 120#define LT_LINKTYPE(x) ((x) & 0x03FFFFFF) 121#define LT_LINKTYPE_EXT(x) ((x) & 0xFC000000) 122 123static int pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **datap); 124 125/* 126 * Check whether this is a pcap savefile and, if it is, extract the 127 * relevant information from the header. 128 */ 129int 130pcap_check_header(pcap_t *p, bpf_u_int32 magic, FILE *fp, char *errbuf, int isng) 131{ 132 struct pcap_file_header hdr; 133 size_t amt_read; 134 135 /* 136 * Check whether the first 4 bytes of the file are the magic 137 * number for a pcap savefile, or for a byte-swapped pcap 138 * savefile. 139 */ 140 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) { 141 magic = SWAPLONG(magic); 142 if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) 143 return (0); /* nope */ 144 p->sf.swapped = 1; 145 } 146 147 /* 148 * They are. Put the magic number in the header, and read 149 * the rest of the header. 150 */ 151 hdr.magic = magic; 152 amt_read = fread(((char *)&hdr) + sizeof hdr.magic, 1, 153 sizeof(hdr) - sizeof(hdr.magic), fp); 154 if (amt_read != sizeof(hdr) - sizeof(hdr.magic)) { 155 if (ferror(fp)) { 156 snprintf(errbuf, PCAP_ERRBUF_SIZE, 157 "error reading dump file: %s", 158 pcap_strerror(errno)); 159 } else { 160 snprintf(errbuf, PCAP_ERRBUF_SIZE, 161 "truncated dump file; tried to read %lu file header bytes, only got %lu", 162 (unsigned long)sizeof(hdr), 163 (unsigned long)amt_read); 164 } 165 return (-1); 166 } 167 168 /* 169 * If it's a byte-swapped capture file, byte-swap the header. 170 */ 171 if (p->sf.swapped) { 172 hdr.version_major = SWAPSHORT(hdr.version_major); 173 hdr.version_minor = SWAPSHORT(hdr.version_minor); 174 hdr.thiszone = SWAPLONG(hdr.thiszone); 175 hdr.sigfigs = SWAPLONG(hdr.sigfigs); 176 hdr.snaplen = SWAPLONG(hdr.snaplen); 177 hdr.linktype = SWAPLONG(hdr.linktype); 178 } 179 180 if (hdr.version_major < PCAP_VERSION_MAJOR) { 181 snprintf(errbuf, PCAP_ERRBUF_SIZE, 182 "archaic pcap savefile format"); 183 return (-1); 184 } 185 p->sf.version_major = hdr.version_major; 186 p->sf.version_minor = hdr.version_minor; 187 p->tzoff = hdr.thiszone; 188 p->snapshot = hdr.snaplen; 189 p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype)); 190 p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype); 191 192 p->sf.next_packet_op = pcap_next_packet; 193 194 /* 195 * We interchanged the caplen and len fields at version 2.3, 196 * in order to match the bpf header layout. But unfortunately 197 * some files were written with version 2.3 in their headers 198 * but without the interchanged fields. 199 * 200 * In addition, DG/UX tcpdump writes out files with a version 201 * number of 543.0, and with the caplen and len fields in the 202 * pre-2.3 order. 203 */ 204 switch (hdr.version_major) { 205 206 case 2: 207 if (hdr.version_minor < 3) 208 p->sf.lengths_swapped = SWAPPED; 209 else if (hdr.version_minor == 3) 210 p->sf.lengths_swapped = MAYBE_SWAPPED; 211 else 212 p->sf.lengths_swapped = NOT_SWAPPED; 213 break; 214 215 case 543: 216 p->sf.lengths_swapped = SWAPPED; 217 break; 218 219 default: 220 p->sf.lengths_swapped = NOT_SWAPPED; 221 break; 222 } 223 224 if (magic == KUZNETZOV_TCPDUMP_MAGIC) { 225 /* 226 * XXX - the patch that's in some versions of libpcap 227 * changes the packet header but not the magic number, 228 * and some other versions with this magic number have 229 * some extra debugging information in the packet header; 230 * we'd have to use some hacks^H^H^H^H^Hheuristics to 231 * detect those variants. 232 * 233 * Ethereal does that, but it does so by trying to read 234 * the first two packets of the file with each of the 235 * record header formats. That currently means it seeks 236 * backwards and retries the reads, which doesn't work 237 * on pipes. We want to be able to read from a pipe, so 238 * that strategy won't work; we'd have to buffer some 239 * data ourselves and read from that buffer in order to 240 * make that work. 241 */ 242 p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr); 243 244 if (p->linktype == DLT_EN10MB) { 245 /* 246 * This capture might have been done in raw mode 247 * or cooked mode. 248 * 249 * If it was done in cooked mode, p->snapshot was 250 * passed to recvfrom() as the buffer size, meaning 251 * that the most packet data that would be copied 252 * would be p->snapshot. However, a faked Ethernet 253 * header would then have been added to it, so the 254 * most data that would be in a packet in the file 255 * would be p->snapshot + 14. 256 * 257 * We can't easily tell whether the capture was done 258 * in raw mode or cooked mode, so we'll assume it was 259 * cooked mode, and add 14 to the snapshot length. 260 * That means that, for a raw capture, the snapshot 261 * length will be misleading if you use it to figure 262 * out why a capture doesn't have all the packet data, 263 * but there's not much we can do to avoid that. 264 */ 265 p->snapshot += 14; 266 } 267 } else 268 p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr); 269 270 /* 271 * Allocate a buffer for the packet data. 272 */ 273 p->bufsize = p->snapshot; 274 if (p->bufsize <= 0) { 275 /* 276 * Bogus snapshot length; use 64KiB as a fallback. 277 */ 278 p->bufsize = 65536; 279 } 280 p->buffer = malloc(p->bufsize); 281 if (p->buffer == NULL) { 282 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory"); 283 return (-1); 284 } 285 286 return (1); 287} 288 289/* 290 * Read and return the next packet from the savefile. Return the header 291 * in hdr and a pointer to the contents in data. Return 0 on success, 1 292 * if there were no more packets, and -1 on an error. 293 */ 294static int 295pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data) 296{ 297 struct pcap_sf_patched_pkthdr sf_hdr; 298 FILE *fp = p->sf.rfile; 299 size_t amt_read; 300 bpf_u_int32 t; 301 302 /* 303 * Read the packet header; the structure we use as a buffer 304 * is the longer structure for files generated by the patched 305 * libpcap, but if the file has the magic number for an 306 * unpatched libpcap we only read as many bytes as the regular 307 * header has. 308 */ 309 amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp); 310 if (amt_read != p->sf.hdrsize) { 311 if (ferror(fp)) { 312 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 313 "error reading dump file: %s", 314 pcap_strerror(errno)); 315 return (-1); 316 } else { 317 if (amt_read != 0) { 318 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 319 "truncated dump file; tried to read %lu header bytes, only got %lu", 320 (unsigned long)p->sf.hdrsize, 321 (unsigned long)amt_read); 322 return (-1); 323 } 324 /* EOF */ 325 return (1); 326 } 327 } 328#ifdef __APPLE__ 329 memset(hdr->comment, 0, sizeof(hdr->comment)); 330#endif 331 332 if (p->sf.swapped) { 333 /* these were written in opposite byte order */ 334 hdr->caplen = SWAPLONG(sf_hdr.caplen); 335 hdr->len = SWAPLONG(sf_hdr.len); 336 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec); 337 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec); 338 } else { 339 hdr->caplen = sf_hdr.caplen; 340 hdr->len = sf_hdr.len; 341 hdr->ts.tv_sec = sf_hdr.ts.tv_sec; 342 hdr->ts.tv_usec = sf_hdr.ts.tv_usec; 343 } 344 /* Swap the caplen and len fields, if necessary. */ 345 switch (p->sf.lengths_swapped) { 346 347 case NOT_SWAPPED: 348 break; 349 350 case MAYBE_SWAPPED: 351 if (hdr->caplen <= hdr->len) { 352 /* 353 * The captured length is <= the actual length, 354 * so presumably they weren't swapped. 355 */ 356 break; 357 } 358 /* FALLTHROUGH */ 359 360 case SWAPPED: 361 t = hdr->caplen; 362 hdr->caplen = hdr->len; 363 hdr->len = t; 364 break; 365 } 366 367 if (hdr->caplen > p->bufsize) { 368 /* 369 * This can happen due to Solaris 2.3 systems tripping 370 * over the BUFMOD problem and not setting the snapshot 371 * correctly in the savefile header. If the caplen isn't 372 * grossly wrong, try to salvage. 373 */ 374 static u_char *tp = NULL; 375 static size_t tsize = 0; 376 377 if (hdr->caplen > 65535) { 378 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 379 "bogus savefile header"); 380 return (-1); 381 } 382 383 if (tsize < hdr->caplen) { 384 tsize = ((hdr->caplen + 1023) / 1024) * 1024; 385 if (tp != NULL) 386 free((u_char *)tp); 387 tp = (u_char *)malloc(tsize); 388 if (tp == NULL) { 389 tsize = 0; 390 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 391 "BUFMOD hack malloc"); 392 return (-1); 393 } 394 } 395 amt_read = fread((char *)tp, 1, hdr->caplen, fp); 396 if (amt_read != hdr->caplen) { 397 if (ferror(fp)) { 398 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 399 "error reading dump file: %s", 400 pcap_strerror(errno)); 401 } else { 402 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 403 "truncated dump file; tried to read %u captured bytes, only got %lu", 404 hdr->caplen, (unsigned long)amt_read); 405 } 406 return (-1); 407 } 408 /* 409 * We can only keep up to p->bufsize bytes. Since 410 * caplen > p->bufsize is exactly how we got here, 411 * we know we can only keep the first p->bufsize bytes 412 * and must drop the remainder. Adjust caplen accordingly, 413 * so we don't get confused later as to how many bytes we 414 * have to play with. 415 */ 416 hdr->caplen = p->bufsize; 417 memcpy(p->buffer, (char *)tp, p->bufsize); 418 } else { 419 /* read the packet itself */ 420 amt_read = fread(p->buffer, 1, hdr->caplen, fp); 421 if (amt_read != hdr->caplen) { 422 if (ferror(fp)) { 423 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 424 "error reading dump file: %s", 425 pcap_strerror(errno)); 426 } else { 427 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 428 "truncated dump file; tried to read %u captured bytes, only got %lu", 429 hdr->caplen, (unsigned long)amt_read); 430 } 431 return (-1); 432 } 433 } 434 *data = p->buffer; 435 436 if (p->sf.swapped) { 437 /* 438 * Convert pseudo-headers from the byte order of 439 * the host on which the file was saved to our 440 * byte order, as necessary. 441 */ 442 switch (p->linktype) { 443 444 case DLT_USB_LINUX: 445 swap_linux_usb_header(hdr, *data, 0); 446 break; 447 448 case DLT_USB_LINUX_MMAPPED: 449 swap_linux_usb_header(hdr, *data, 1); 450 break; 451 } 452 } 453 454 return (0); 455} 456 457static int 458sf_write_header(FILE *fp, int linktype, int thiszone, int snaplen) 459{ 460 struct pcap_file_header hdr; 461 462 hdr.magic = TCPDUMP_MAGIC; 463 hdr.version_major = PCAP_VERSION_MAJOR; 464 hdr.version_minor = PCAP_VERSION_MINOR; 465 466 hdr.thiszone = thiszone; 467 hdr.snaplen = snaplen; 468 hdr.sigfigs = 0; 469 hdr.linktype = linktype; 470 471 if (fwrite((char *)&hdr, sizeof(hdr), 1, fp) != 1) 472 return (-1); 473 474 return (0); 475} 476 477/* 478 * Output a packet to the initialized dump file. 479 */ 480void 481pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 482{ 483 register FILE *f; 484 struct pcap_sf_pkthdr sf_hdr; 485 486 f = (FILE *)user; 487 sf_hdr.ts.tv_sec = h->ts.tv_sec; 488 sf_hdr.ts.tv_usec = h->ts.tv_usec; 489 sf_hdr.caplen = h->caplen; 490 sf_hdr.len = h->len; 491 /* XXX we should check the return status */ 492 (void)fwrite(&sf_hdr, sizeof(sf_hdr), 1, f); 493 (void)fwrite(sp, h->caplen, 1, f); 494} 495 496static pcap_dumper_t * 497pcap_setup_dump(pcap_t *p, int linktype, FILE *f, const char *fname) 498{ 499 500#if defined(WIN32) || defined(MSDOS) 501 /* 502 * If we're writing to the standard output, put it in binary 503 * mode, as savefiles are binary files. 504 * 505 * Otherwise, we turn off buffering. 506 * XXX - why? And why not on the standard output? 507 */ 508 if (f == stdout) 509 SET_BINMODE(f); 510 else 511 setbuf(f, NULL); 512#endif 513 if (sf_write_header(f, linktype, p->tzoff, p->snapshot) == -1) { 514 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Can't write to %s: %s", 515 fname, pcap_strerror(errno)); 516 if (f != stdout) 517 (void)fclose(f); 518 return (NULL); 519 } 520 return ((pcap_dumper_t *)f); 521} 522 523/* 524 * Initialize so that sf_write() will output to the file named 'fname'. 525 */ 526pcap_dumper_t * 527pcap_dump_open(pcap_t *p, const char *fname) 528{ 529 FILE *f; 530 int linktype; 531 532 /* 533 * If this pcap_t hasn't been activated, it doesn't have a 534 * link-layer type, so we can't use it. 535 */ 536 if (!p->activated) { 537 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 538 "%s: not-yet-activated pcap_t passed to pcap_dump_open", 539 fname); 540 return (NULL); 541 } 542 linktype = dlt_to_linktype(p->linktype); 543 if (linktype == -1) { 544 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 545 "%s: link-layer type %d isn't supported in savefiles", 546 fname, p->linktype); 547 return (NULL); 548 } 549 linktype |= p->linktype_ext; 550 551 if (fname[0] == '-' && fname[1] == '\0') { 552 f = stdout; 553 fname = "standard output"; 554 } else { 555#if !defined(WIN32) && !defined(MSDOS) 556 f = fopen(fname, "w"); 557#else 558 f = fopen(fname, "wb"); 559#endif 560 if (f == NULL) { 561 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", 562 fname, pcap_strerror(errno)); 563 return (NULL); 564 } 565 } 566 return (pcap_setup_dump(p, linktype, f, fname)); 567} 568 569/* 570 * Initialize so that sf_write() will output to the given stream. 571 */ 572pcap_dumper_t * 573pcap_dump_fopen(pcap_t *p, FILE *f) 574{ 575 int linktype; 576 577 linktype = dlt_to_linktype(p->linktype); 578 if (linktype == -1) { 579 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 580 "stream: link-layer type %d isn't supported in savefiles", 581 p->linktype); 582 return (NULL); 583 } 584 linktype |= p->linktype_ext; 585 586 return (pcap_setup_dump(p, linktype, f, "stream")); 587} 588 589FILE * 590pcap_dump_file(pcap_dumper_t *p) 591{ 592 return ((FILE *)p); 593} 594 595long 596pcap_dump_ftell(pcap_dumper_t *p) 597{ 598 return (ftell((FILE *)p)); 599} 600 601int 602pcap_dump_flush(pcap_dumper_t *p) 603{ 604 605 if (fflush((FILE *)p) == EOF) 606 return (-1); 607 else 608 return (0); 609} 610 611void 612pcap_dump_close(pcap_dumper_t *p) 613{ 614 615#ifdef notyet 616 if (ferror((FILE *)p)) 617 return-an-error; 618 /* XXX should check return from fclose() too */ 619#endif 620 (void)fclose((FILE *)p); 621} 622