1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * sf-pcapng.c - pcapng-file-format-specific code from savefile.c
22 */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include <pcap/pcap-inttypes.h>
29
30 #include <errno.h>
31 #include <memory.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35
36 #include "pcap-int.h"
37
38 #include "pcap-common.h"
39
40 #ifdef HAVE_OS_PROTO_H
41 #include "os-proto.h"
42 #endif
43
44 #include "sf-pcapng.h"
45
46 /*
47 * Block types.
48 */
49
50 /*
51 * Common part at the beginning of all blocks.
52 */
53 struct block_header {
54 bpf_u_int32 block_type;
55 bpf_u_int32 total_length;
56 };
57
58 /*
59 * Common trailer at the end of all blocks.
60 */
61 struct block_trailer {
62 bpf_u_int32 total_length;
63 };
64
65 /*
66 * Common options.
67 */
68 #define OPT_ENDOFOPT 0 /* end of options */
69 #define OPT_COMMENT 1 /* comment string */
70
71 /*
72 * Option header.
73 */
74 struct option_header {
75 u_short option_code;
76 u_short option_length;
77 };
78
79 /*
80 * Structures for the part of each block type following the common
81 * part.
82 */
83
84 /*
85 * Section Header Block.
86 */
87 #define BT_SHB 0x0A0D0D0A
88 #define BT_SHB_INSANE_MAX 1024U*1024U*1U /* 1MB should be enough */
89 struct section_header_block {
90 bpf_u_int32 byte_order_magic;
91 u_short major_version;
92 u_short minor_version;
93 uint64_t section_length;
94 /* followed by options and trailer */
95 };
96
97 /*
98 * Byte-order magic value.
99 */
100 #define BYTE_ORDER_MAGIC 0x1A2B3C4D
101
102 /*
103 * Current version number. If major_version isn't PCAP_NG_VERSION_MAJOR,
104 * or if minor_version isn't PCAP_NG_VERSION_MINOR or 2, that means that
105 * this code can't read the file.
106 */
107 #define PCAP_NG_VERSION_MAJOR 1
108 #define PCAP_NG_VERSION_MINOR 0
109
110 /*
111 * Interface Description Block.
112 */
113 #define BT_IDB 0x00000001
114
115 struct interface_description_block {
116 u_short linktype;
117 u_short reserved;
118 bpf_u_int32 snaplen;
119 /* followed by options and trailer */
120 };
121
122 /*
123 * Options in the IDB.
124 */
125 #define IF_NAME 2 /* interface name string */
126 #define IF_DESCRIPTION 3 /* interface description string */
127 #define IF_IPV4ADDR 4 /* interface's IPv4 address and netmask */
128 #define IF_IPV6ADDR 5 /* interface's IPv6 address and prefix length */
129 #define IF_MACADDR 6 /* interface's MAC address */
130 #define IF_EUIADDR 7 /* interface's EUI address */
131 #define IF_SPEED 8 /* interface's speed, in bits/s */
132 #define IF_TSRESOL 9 /* interface's time stamp resolution */
133 #define IF_TZONE 10 /* interface's time zone */
134 #define IF_FILTER 11 /* filter used when capturing on interface */
135 #define IF_OS 12 /* string OS on which capture on this interface was done */
136 #define IF_FCSLEN 13 /* FCS length for this interface */
137 #define IF_TSOFFSET 14 /* time stamp offset for this interface */
138
139 /*
140 * Enhanced Packet Block.
141 */
142 #define BT_EPB 0x00000006
143
144 struct enhanced_packet_block {
145 bpf_u_int32 interface_id;
146 bpf_u_int32 timestamp_high;
147 bpf_u_int32 timestamp_low;
148 bpf_u_int32 caplen;
149 bpf_u_int32 len;
150 /* followed by packet data, options, and trailer */
151 };
152
153 /*
154 * Simple Packet Block.
155 */
156 #define BT_SPB 0x00000003
157
158 struct simple_packet_block {
159 bpf_u_int32 len;
160 /* followed by packet data and trailer */
161 };
162
163 /*
164 * Packet Block.
165 */
166 #define BT_PB 0x00000002
167
168 struct packet_block {
169 u_short interface_id;
170 u_short drops_count;
171 bpf_u_int32 timestamp_high;
172 bpf_u_int32 timestamp_low;
173 bpf_u_int32 caplen;
174 bpf_u_int32 len;
175 /* followed by packet data, options, and trailer */
176 };
177
178 /*
179 * Block cursor - used when processing the contents of a block.
180 * Contains a pointer into the data being processed and a count
181 * of bytes remaining in the block.
182 */
183 struct block_cursor {
184 u_char *data;
185 size_t data_remaining;
186 bpf_u_int32 block_type;
187 };
188
189 typedef enum {
190 PASS_THROUGH,
191 SCALE_UP_DEC,
192 SCALE_DOWN_DEC,
193 SCALE_UP_BIN,
194 SCALE_DOWN_BIN
195 } tstamp_scale_type_t;
196
197 /*
198 * Per-interface information.
199 */
200 struct pcap_ng_if {
201 uint32_t snaplen; /* snapshot length */
202 uint64_t tsresol; /* time stamp resolution */
203 tstamp_scale_type_t scale_type; /* how to scale */
204 uint64_t scale_factor; /* time stamp scale factor for power-of-10 tsresol */
205 uint64_t tsoffset; /* time stamp offset */
206 };
207
208 /*
209 * Per-pcap_t private data.
210 *
211 * max_blocksize is the maximum size of a block that we'll accept. We
212 * reject blocks bigger than this, so we don't consume too much memory
213 * with a truly huge block. It can change as we see IDBs with different
214 * link-layer header types. (Currently, we don't support IDBs with
215 * different link-layer header types, but we will support it in the
216 * future, when we offer file-reading APIs that support it.)
217 *
218 * XXX - that's an issue on ILP32 platforms, where the maximum block
219 * size of 2^31-1 would eat all but one byte of the entire address space.
220 * It's less of an issue on ILP64/LLP64 platforms, but the actual size
221 * of the address space may be limited by 1) the number of *significant*
222 * address bits (currently, x86-64 only supports 48 bits of address), 2)
223 * any limitations imposed by the operating system; 3) any limitations
224 * imposed by the amount of available backing store for anonymous pages,
225 * so we impose a limit regardless of the size of a pointer.
226 */
227 struct pcap_ng_sf {
228 uint64_t user_tsresol; /* time stamp resolution requested by the user */
229 u_int max_blocksize; /* don't grow buffer size past this */
230 bpf_u_int32 ifcount; /* number of interfaces seen in this capture */
231 bpf_u_int32 ifaces_size; /* size of array below */
232 struct pcap_ng_if *ifaces; /* array of interface information */
233 };
234
235 /*
236 * The maximum block size we start with; we use an arbitrary value of
237 * 16 MiB.
238 */
239 #define INITIAL_MAX_BLOCKSIZE (16*1024*1024)
240
241 /*
242 * Maximum block size for a given maximum snapshot length; we define it
243 * as the size of an EPB with a max_snaplen-sized packet and 128KB of
244 * options.
245 */
246 #define MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen) \
247 (sizeof (struct block_header) + \
248 sizeof (struct enhanced_packet_block) + \
249 (max_snaplen) + 131072 + \
250 sizeof (struct block_trailer))
251
252 static void pcap_ng_cleanup(pcap_t *p);
253 static int pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr,
254 u_char **data);
255
256 static int
read_bytes(FILE * fp,void * buf,size_t bytes_to_read,int fail_on_eof,char * errbuf)257 read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
258 char *errbuf)
259 {
260 size_t amt_read;
261
262 amt_read = fread(buf, 1, bytes_to_read, fp);
263 if (amt_read != bytes_to_read) {
264 if (ferror(fp)) {
265 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
266 errno, "error reading dump file");
267 } else {
268 if (amt_read == 0 && !fail_on_eof)
269 return (0); /* EOF */
270 snprintf(errbuf, PCAP_ERRBUF_SIZE,
271 "truncated pcapng dump file; tried to read %zu bytes, only got %zu",
272 bytes_to_read, amt_read);
273 }
274 return (-1);
275 }
276 return (1);
277 }
278
279 static int
read_block(FILE * fp,pcap_t * p,struct block_cursor * cursor,char * errbuf)280 read_block(FILE *fp, pcap_t *p, struct block_cursor *cursor, char *errbuf)
281 {
282 struct pcap_ng_sf *ps;
283 int status;
284 struct block_header bhdr;
285 struct block_trailer *btrlr;
286 u_char *bdata;
287 size_t data_remaining;
288
289 ps = p->priv;
290
291 status = read_bytes(fp, &bhdr, sizeof(bhdr), 0, errbuf);
292 if (status <= 0)
293 return (status); /* error or EOF */
294
295 if (p->swapped) {
296 bhdr.block_type = SWAPLONG(bhdr.block_type);
297 bhdr.total_length = SWAPLONG(bhdr.total_length);
298 }
299
300 /*
301 * Is this block "too small" - i.e., is it shorter than a block
302 * header plus a block trailer?
303 */
304 if (bhdr.total_length < sizeof(struct block_header) +
305 sizeof(struct block_trailer)) {
306 snprintf(errbuf, PCAP_ERRBUF_SIZE,
307 "block in pcapng dump file has a length of %u < %zu",
308 bhdr.total_length,
309 sizeof(struct block_header) + sizeof(struct block_trailer));
310 return (-1);
311 }
312
313 /*
314 * Is the block total length a multiple of 4?
315 */
316 if ((bhdr.total_length % 4) != 0) {
317 /*
318 * No. Report that as an error.
319 */
320 snprintf(errbuf, PCAP_ERRBUF_SIZE,
321 "block in pcapng dump file has a length of %u that is not a multiple of 4",
322 bhdr.total_length);
323 return (-1);
324 }
325
326 /*
327 * Is the buffer big enough?
328 */
329 if (p->bufsize < bhdr.total_length) {
330 /*
331 * No - make it big enough, unless it's too big, in
332 * which case we fail.
333 */
334 void *bigger_buffer;
335
336 if (bhdr.total_length > ps->max_blocksize) {
337 snprintf(errbuf, PCAP_ERRBUF_SIZE, "pcapng block size %u > maximum %u", bhdr.total_length,
338 ps->max_blocksize);
339 return (-1);
340 }
341 bigger_buffer = realloc(p->buffer, bhdr.total_length);
342 if (bigger_buffer == NULL) {
343 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
344 return (-1);
345 }
346 p->buffer = bigger_buffer;
347 }
348
349 /*
350 * Copy the stuff we've read to the buffer, and read the rest
351 * of the block.
352 */
353 memcpy(p->buffer, &bhdr, sizeof(bhdr));
354 bdata = (u_char *)p->buffer + sizeof(bhdr);
355 data_remaining = bhdr.total_length - sizeof(bhdr);
356 if (read_bytes(fp, bdata, data_remaining, 1, errbuf) == -1)
357 return (-1);
358
359 /*
360 * Get the block size from the trailer.
361 */
362 btrlr = (struct block_trailer *)(bdata + data_remaining - sizeof (struct block_trailer));
363 if (p->swapped)
364 btrlr->total_length = SWAPLONG(btrlr->total_length);
365
366 /*
367 * Is the total length from the trailer the same as the total
368 * length from the header?
369 */
370 if (bhdr.total_length != btrlr->total_length) {
371 /*
372 * No.
373 */
374 snprintf(errbuf, PCAP_ERRBUF_SIZE,
375 "block total length in header and trailer don't match");
376 return (-1);
377 }
378
379 /*
380 * Initialize the cursor.
381 */
382 cursor->data = bdata;
383 cursor->data_remaining = data_remaining - sizeof(struct block_trailer);
384 cursor->block_type = bhdr.block_type;
385 return (1);
386 }
387
388 static void *
get_from_block_data(struct block_cursor * cursor,size_t chunk_size,char * errbuf)389 get_from_block_data(struct block_cursor *cursor, size_t chunk_size,
390 char *errbuf)
391 {
392 void *data;
393
394 /*
395 * Make sure we have the specified amount of data remaining in
396 * the block data.
397 */
398 if (cursor->data_remaining < chunk_size) {
399 snprintf(errbuf, PCAP_ERRBUF_SIZE,
400 "block of type %u in pcapng dump file is too short",
401 cursor->block_type);
402 return (NULL);
403 }
404
405 /*
406 * Return the current pointer, and skip past the chunk.
407 */
408 data = cursor->data;
409 cursor->data += chunk_size;
410 cursor->data_remaining -= chunk_size;
411 return (data);
412 }
413
414 static struct option_header *
get_opthdr_from_block_data(pcap_t * p,struct block_cursor * cursor,char * errbuf)415 get_opthdr_from_block_data(pcap_t *p, struct block_cursor *cursor, char *errbuf)
416 {
417 struct option_header *opthdr;
418
419 opthdr = get_from_block_data(cursor, sizeof(*opthdr), errbuf);
420 if (opthdr == NULL) {
421 /*
422 * Option header is cut short.
423 */
424 return (NULL);
425 }
426
427 /*
428 * Byte-swap it if necessary.
429 */
430 if (p->swapped) {
431 opthdr->option_code = SWAPSHORT(opthdr->option_code);
432 opthdr->option_length = SWAPSHORT(opthdr->option_length);
433 }
434
435 return (opthdr);
436 }
437
438 static void *
get_optvalue_from_block_data(struct block_cursor * cursor,struct option_header * opthdr,char * errbuf)439 get_optvalue_from_block_data(struct block_cursor *cursor,
440 struct option_header *opthdr, char *errbuf)
441 {
442 size_t padded_option_len;
443 void *optvalue;
444
445 /* Pad option length to 4-byte boundary */
446 padded_option_len = opthdr->option_length;
447 padded_option_len = ((padded_option_len + 3)/4)*4;
448
449 optvalue = get_from_block_data(cursor, padded_option_len, errbuf);
450 if (optvalue == NULL) {
451 /*
452 * Option value is cut short.
453 */
454 return (NULL);
455 }
456
457 return (optvalue);
458 }
459
460 static int
process_idb_options(pcap_t * p,struct block_cursor * cursor,uint64_t * tsresol,uint64_t * tsoffset,int * is_binary,char * errbuf)461 process_idb_options(pcap_t *p, struct block_cursor *cursor, uint64_t *tsresol,
462 uint64_t *tsoffset, int *is_binary, char *errbuf)
463 {
464 struct option_header *opthdr;
465 void *optvalue;
466 int saw_tsresol, saw_tsoffset;
467 uint8_t tsresol_opt;
468 u_int i;
469
470 saw_tsresol = 0;
471 saw_tsoffset = 0;
472 while (cursor->data_remaining != 0) {
473 /*
474 * Get the option header.
475 */
476 opthdr = get_opthdr_from_block_data(p, cursor, errbuf);
477 if (opthdr == NULL) {
478 /*
479 * Option header is cut short.
480 */
481 return (-1);
482 }
483
484 /*
485 * Get option value.
486 */
487 optvalue = get_optvalue_from_block_data(cursor, opthdr,
488 errbuf);
489 if (optvalue == NULL) {
490 /*
491 * Option value is cut short.
492 */
493 return (-1);
494 }
495
496 switch (opthdr->option_code) {
497
498 case OPT_ENDOFOPT:
499 if (opthdr->option_length != 0) {
500 snprintf(errbuf, PCAP_ERRBUF_SIZE,
501 "Interface Description Block has opt_endofopt option with length %u != 0",
502 opthdr->option_length);
503 return (-1);
504 }
505 goto done;
506
507 case IF_TSRESOL:
508 if (opthdr->option_length != 1) {
509 snprintf(errbuf, PCAP_ERRBUF_SIZE,
510 "Interface Description Block has if_tsresol option with length %u != 1",
511 opthdr->option_length);
512 return (-1);
513 }
514 if (saw_tsresol) {
515 snprintf(errbuf, PCAP_ERRBUF_SIZE,
516 "Interface Description Block has more than one if_tsresol option");
517 return (-1);
518 }
519 saw_tsresol = 1;
520 memcpy(&tsresol_opt, optvalue, sizeof(tsresol_opt));
521 if (tsresol_opt & 0x80) {
522 /*
523 * Resolution is negative power of 2.
524 */
525 uint8_t tsresol_shift = (tsresol_opt & 0x7F);
526
527 if (tsresol_shift > 63) {
528 /*
529 * Resolution is too high; 2^-{res}
530 * won't fit in a 64-bit value.
531 */
532 snprintf(errbuf, PCAP_ERRBUF_SIZE,
533 "Interface Description Block if_tsresol option resolution 2^-%u is too high",
534 tsresol_shift);
535 return (-1);
536 }
537 *is_binary = 1;
538 *tsresol = ((uint64_t)1) << tsresol_shift;
539 } else {
540 /*
541 * Resolution is negative power of 10.
542 */
543 if (tsresol_opt > 19) {
544 /*
545 * Resolution is too high; 2^-{res}
546 * won't fit in a 64-bit value (the
547 * largest power of 10 that fits
548 * in a 64-bit value is 10^19, as
549 * the largest 64-bit unsigned
550 * value is ~1.8*10^19).
551 */
552 snprintf(errbuf, PCAP_ERRBUF_SIZE,
553 "Interface Description Block if_tsresol option resolution 10^-%u is too high",
554 tsresol_opt);
555 return (-1);
556 }
557 *is_binary = 0;
558 *tsresol = 1;
559 for (i = 0; i < tsresol_opt; i++)
560 *tsresol *= 10;
561 }
562 break;
563
564 case IF_TSOFFSET:
565 if (opthdr->option_length != 8) {
566 snprintf(errbuf, PCAP_ERRBUF_SIZE,
567 "Interface Description Block has if_tsoffset option with length %u != 8",
568 opthdr->option_length);
569 return (-1);
570 }
571 if (saw_tsoffset) {
572 snprintf(errbuf, PCAP_ERRBUF_SIZE,
573 "Interface Description Block has more than one if_tsoffset option");
574 return (-1);
575 }
576 saw_tsoffset = 1;
577 memcpy(tsoffset, optvalue, sizeof(*tsoffset));
578 if (p->swapped)
579 *tsoffset = SWAPLL(*tsoffset);
580 break;
581
582 default:
583 break;
584 }
585 }
586
587 done:
588 return (0);
589 }
590
591 static int
add_interface(pcap_t * p,struct interface_description_block * idbp,struct block_cursor * cursor,char * errbuf)592 add_interface(pcap_t *p, struct interface_description_block *idbp,
593 struct block_cursor *cursor, char *errbuf)
594 {
595 struct pcap_ng_sf *ps;
596 uint64_t tsresol;
597 uint64_t tsoffset;
598 int is_binary;
599
600 ps = p->priv;
601
602 /*
603 * Count this interface.
604 */
605 ps->ifcount++;
606
607 /*
608 * Grow the array of per-interface information as necessary.
609 */
610 if (ps->ifcount > ps->ifaces_size) {
611 /*
612 * We need to grow the array.
613 */
614 bpf_u_int32 new_ifaces_size;
615 struct pcap_ng_if *new_ifaces;
616
617 if (ps->ifaces_size == 0) {
618 /*
619 * It's currently empty.
620 *
621 * (The Clang static analyzer doesn't do enough,
622 * err, umm, dataflow *analysis* to realize that
623 * ps->ifaces_size == 0 if ps->ifaces == NULL,
624 * and so complains about a possible zero argument
625 * to realloc(), so we check for the former
626 * condition to shut it up.
627 *
628 * However, it doesn't complain that one of the
629 * multiplications below could overflow, which is
630 * a real, albeit extremely unlikely, problem (you'd
631 * need a pcapng file with tens of millions of
632 * interfaces).)
633 */
634 new_ifaces_size = 1;
635 new_ifaces = malloc(sizeof (struct pcap_ng_if));
636 } else {
637 /*
638 * It's not currently empty; double its size.
639 * (Perhaps overkill once we have a lot of interfaces.)
640 *
641 * Check for overflow if we double it.
642 */
643 if (ps->ifaces_size * 2 < ps->ifaces_size) {
644 /*
645 * The maximum number of interfaces before
646 * ps->ifaces_size overflows is the largest
647 * possible 32-bit power of 2, as we do
648 * size doubling.
649 */
650 snprintf(errbuf, PCAP_ERRBUF_SIZE,
651 "more than %u interfaces in the file",
652 0x80000000U);
653 return (0);
654 }
655
656 /*
657 * ps->ifaces_size * 2 doesn't overflow, so it's
658 * safe to multiply.
659 */
660 new_ifaces_size = ps->ifaces_size * 2;
661
662 /*
663 * Now make sure that's not so big that it overflows
664 * if we multiply by sizeof (struct pcap_ng_if).
665 *
666 * That can happen on 32-bit platforms, with a 32-bit
667 * size_t; it shouldn't happen on 64-bit platforms,
668 * with a 64-bit size_t, as new_ifaces_size is
669 * 32 bits.
670 */
671 if (new_ifaces_size * sizeof (struct pcap_ng_if) < new_ifaces_size) {
672 /*
673 * As this fails only with 32-bit size_t,
674 * the multiplication was 32x32->32, and
675 * the largest 32-bit value that can safely
676 * be multiplied by sizeof (struct pcap_ng_if)
677 * without overflow is the largest 32-bit
678 * (unsigned) value divided by
679 * sizeof (struct pcap_ng_if).
680 */
681 snprintf(errbuf, PCAP_ERRBUF_SIZE,
682 "more than %u interfaces in the file",
683 0xFFFFFFFFU / ((u_int)sizeof (struct pcap_ng_if)));
684 return (0);
685 }
686 new_ifaces = realloc(ps->ifaces, new_ifaces_size * sizeof (struct pcap_ng_if));
687 }
688 if (new_ifaces == NULL) {
689 /*
690 * We ran out of memory.
691 * Give up.
692 */
693 snprintf(errbuf, PCAP_ERRBUF_SIZE,
694 "out of memory for per-interface information (%u interfaces)",
695 ps->ifcount);
696 return (0);
697 }
698 ps->ifaces_size = new_ifaces_size;
699 ps->ifaces = new_ifaces;
700 }
701
702 ps->ifaces[ps->ifcount - 1].snaplen = idbp->snaplen;
703
704 /*
705 * Set the default time stamp resolution and offset.
706 */
707 tsresol = 1000000; /* microsecond resolution */
708 is_binary = 0; /* which is a power of 10 */
709 tsoffset = 0; /* absolute timestamps */
710
711 /*
712 * Now look for various time stamp options, so we know
713 * how to interpret the time stamps for this interface.
714 */
715 if (process_idb_options(p, cursor, &tsresol, &tsoffset, &is_binary,
716 errbuf) == -1)
717 return (0);
718
719 ps->ifaces[ps->ifcount - 1].tsresol = tsresol;
720 ps->ifaces[ps->ifcount - 1].tsoffset = tsoffset;
721
722 /*
723 * Determine whether we're scaling up or down or not
724 * at all for this interface.
725 */
726 if (tsresol == ps->user_tsresol) {
727 /*
728 * The resolution is the resolution the user wants,
729 * so we don't have to do scaling.
730 */
731 ps->ifaces[ps->ifcount - 1].scale_type = PASS_THROUGH;
732 } else if (tsresol > ps->user_tsresol) {
733 /*
734 * The resolution is greater than what the user wants,
735 * so we have to scale the timestamps down.
736 */
737 if (is_binary)
738 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_BIN;
739 else {
740 /*
741 * Calculate the scale factor.
742 */
743 ps->ifaces[ps->ifcount - 1].scale_factor = tsresol/ps->user_tsresol;
744 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_DOWN_DEC;
745 }
746 } else {
747 /*
748 * The resolution is less than what the user wants,
749 * so we have to scale the timestamps up.
750 */
751 if (is_binary)
752 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_BIN;
753 else {
754 /*
755 * Calculate the scale factor.
756 */
757 ps->ifaces[ps->ifcount - 1].scale_factor = ps->user_tsresol/tsresol;
758 ps->ifaces[ps->ifcount - 1].scale_type = SCALE_UP_DEC;
759 }
760 }
761 return (1);
762 }
763
764 /*
765 * Check whether this is a pcapng savefile and, if it is, extract the
766 * relevant information from the header.
767 */
768 pcap_t *
pcap_ng_check_header(const uint8_t * magic,FILE * fp,u_int precision,char * errbuf,int * err)769 pcap_ng_check_header(const uint8_t *magic, FILE *fp, u_int precision,
770 char *errbuf, int *err)
771 {
772 bpf_u_int32 magic_int;
773 size_t amt_read;
774 bpf_u_int32 total_length;
775 bpf_u_int32 byte_order_magic;
776 struct block_header *bhdrp;
777 struct section_header_block *shbp;
778 pcap_t *p;
779 int swapped = 0;
780 struct pcap_ng_sf *ps;
781 int status;
782 struct block_cursor cursor;
783 struct interface_description_block *idbp;
784
785 /*
786 * Assume no read errors.
787 */
788 *err = 0;
789
790 /*
791 * Check whether the first 4 bytes of the file are the block
792 * type for a pcapng savefile.
793 */
794 memcpy(&magic_int, magic, sizeof(magic_int));
795 if (magic_int != BT_SHB) {
796 /*
797 * XXX - check whether this looks like what the block
798 * type would be after being munged by mapping between
799 * UN*X and DOS/Windows text file format and, if it
800 * does, look for the byte-order magic number in
801 * the appropriate place and, if we find it, report
802 * this as possibly being a pcapng file transferred
803 * between UN*X and Windows in text file format?
804 */
805 return (NULL); /* nope */
806 }
807
808 /*
809 * OK, they are. However, that's just \n\r\r\n, so it could,
810 * conceivably, be an ordinary text file.
811 *
812 * It could not, however, conceivably be any other type of
813 * capture file, so we can read the rest of the putative
814 * Section Header Block; put the block type in the common
815 * header, read the rest of the common header and the
816 * fixed-length portion of the SHB, and look for the byte-order
817 * magic value.
818 */
819 amt_read = fread(&total_length, 1, sizeof(total_length), fp);
820 if (amt_read < sizeof(total_length)) {
821 if (ferror(fp)) {
822 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
823 errno, "error reading dump file");
824 *err = 1;
825 return (NULL); /* fail */
826 }
827
828 /*
829 * Possibly a weird short text file, so just say
830 * "not pcapng".
831 */
832 return (NULL);
833 }
834 amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
835 if (amt_read < sizeof(byte_order_magic)) {
836 if (ferror(fp)) {
837 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
838 errno, "error reading dump file");
839 *err = 1;
840 return (NULL); /* fail */
841 }
842
843 /*
844 * Possibly a weird short text file, so just say
845 * "not pcapng".
846 */
847 return (NULL);
848 }
849 if (byte_order_magic != BYTE_ORDER_MAGIC) {
850 byte_order_magic = SWAPLONG(byte_order_magic);
851 if (byte_order_magic != BYTE_ORDER_MAGIC) {
852 /*
853 * Not a pcapng file.
854 */
855 return (NULL);
856 }
857 swapped = 1;
858 total_length = SWAPLONG(total_length);
859 }
860
861 /*
862 * Check the sanity of the total length.
863 */
864 if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer) ||
865 (total_length > BT_SHB_INSANE_MAX)) {
866 snprintf(errbuf, PCAP_ERRBUF_SIZE,
867 "Section Header Block in pcapng dump file has invalid length %zu < _%u_ < %u (BT_SHB_INSANE_MAX)",
868 sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer),
869 total_length,
870 BT_SHB_INSANE_MAX);
871
872 *err = 1;
873 return (NULL);
874 }
875
876 /*
877 * OK, this is a good pcapng file.
878 * Allocate a pcap_t for it.
879 */
880 p = PCAP_OPEN_OFFLINE_COMMON(errbuf, struct pcap_ng_sf);
881 if (p == NULL) {
882 /* Allocation failed. */
883 *err = 1;
884 return (NULL);
885 }
886 p->swapped = swapped;
887 ps = p->priv;
888
889 /*
890 * What precision does the user want?
891 */
892 switch (precision) {
893
894 case PCAP_TSTAMP_PRECISION_MICRO:
895 ps->user_tsresol = 1000000;
896 break;
897
898 case PCAP_TSTAMP_PRECISION_NANO:
899 ps->user_tsresol = 1000000000;
900 break;
901
902 default:
903 snprintf(errbuf, PCAP_ERRBUF_SIZE,
904 "unknown time stamp resolution %u", precision);
905 free(p);
906 *err = 1;
907 return (NULL);
908 }
909
910 p->opt.tstamp_precision = precision;
911
912 /*
913 * Allocate a buffer into which to read blocks. We default to
914 * the maximum of:
915 *
916 * the total length of the SHB for which we read the header;
917 *
918 * 2K, which should be more than large enough for an Enhanced
919 * Packet Block containing a full-size Ethernet frame, and
920 * leaving room for some options.
921 *
922 * If we find a bigger block, we reallocate the buffer, up to
923 * the maximum size. We start out with a maximum size of
924 * INITIAL_MAX_BLOCKSIZE; if we see any link-layer header types
925 * with a maximum snapshot that results in a larger maximum
926 * block length, we boost the maximum.
927 */
928 p->bufsize = 2048;
929 if (p->bufsize < total_length)
930 p->bufsize = total_length;
931 p->buffer = malloc(p->bufsize);
932 if (p->buffer == NULL) {
933 snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
934 free(p);
935 *err = 1;
936 return (NULL);
937 }
938 ps->max_blocksize = INITIAL_MAX_BLOCKSIZE;
939
940 /*
941 * Copy the stuff we've read to the buffer, and read the rest
942 * of the SHB.
943 */
944 bhdrp = (struct block_header *)p->buffer;
945 shbp = (struct section_header_block *)((u_char *)p->buffer + sizeof(struct block_header));
946 bhdrp->block_type = magic_int;
947 bhdrp->total_length = total_length;
948 shbp->byte_order_magic = byte_order_magic;
949 if (read_bytes(fp,
950 (u_char *)p->buffer + (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
951 total_length - (sizeof(magic_int) + sizeof(total_length) + sizeof(byte_order_magic)),
952 1, errbuf) == -1)
953 goto fail;
954
955 if (p->swapped) {
956 /*
957 * Byte-swap the fields we've read.
958 */
959 shbp->major_version = SWAPSHORT(shbp->major_version);
960 shbp->minor_version = SWAPSHORT(shbp->minor_version);
961
962 /*
963 * XXX - we don't care about the section length.
964 */
965 }
966 /* Currently only SHB versions 1.0 and 1.2 are supported;
967 version 1.2 is treated as being the same as version 1.0.
968 See the current version of the pcapng specification.
969
970 Version 1.2 is written by some programs that write additional
971 block types (which can be read by any code that handles them,
972 regardless of whether the minor version if 0 or 2, so that's
973 not a reason to change the minor version number).
974
975 XXX - the pcapng specification says that readers should
976 just ignore sections with an unsupported version number;
977 presumably they can also report an error if they skip
978 all the way to the end of the file without finding
979 any versions that they support. */
980 if (! (shbp->major_version == PCAP_NG_VERSION_MAJOR &&
981 (shbp->minor_version == PCAP_NG_VERSION_MINOR ||
982 shbp->minor_version == 2))) {
983 snprintf(errbuf, PCAP_ERRBUF_SIZE,
984 "unsupported pcapng savefile version %u.%u",
985 shbp->major_version, shbp->minor_version);
986 goto fail;
987 }
988 p->version_major = shbp->major_version;
989 p->version_minor = shbp->minor_version;
990
991 /*
992 * Save the time stamp resolution the user requested.
993 */
994 p->opt.tstamp_precision = precision;
995
996 /*
997 * Now start looking for an Interface Description Block.
998 */
999 for (;;) {
1000 /*
1001 * Read the next block.
1002 */
1003 status = read_block(fp, p, &cursor, errbuf);
1004 if (status == 0) {
1005 /* EOF - no IDB in this file */
1006 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1007 "the capture file has no Interface Description Blocks");
1008 goto fail;
1009 }
1010 if (status == -1)
1011 goto fail; /* error */
1012 switch (cursor.block_type) {
1013
1014 case BT_IDB:
1015 /*
1016 * Get a pointer to the fixed-length portion of the
1017 * IDB.
1018 */
1019 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1020 errbuf);
1021 if (idbp == NULL)
1022 goto fail; /* error */
1023
1024 /*
1025 * Byte-swap it if necessary.
1026 */
1027 if (p->swapped) {
1028 idbp->linktype = SWAPSHORT(idbp->linktype);
1029 idbp->snaplen = SWAPLONG(idbp->snaplen);
1030 }
1031
1032 /*
1033 * Try to add this interface.
1034 */
1035 if (!add_interface(p, idbp, &cursor, errbuf))
1036 goto fail;
1037
1038 goto done;
1039
1040 case BT_EPB:
1041 case BT_SPB:
1042 case BT_PB:
1043 /*
1044 * Saw a packet before we saw any IDBs. That's
1045 * not valid, as we don't know what link-layer
1046 * encapsulation the packet has.
1047 */
1048 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1049 "the capture file has a packet block before any Interface Description Blocks");
1050 goto fail;
1051
1052 default:
1053 /*
1054 * Just ignore it.
1055 */
1056 break;
1057 }
1058 }
1059
1060 done:
1061 p->linktype = linktype_to_dlt(idbp->linktype);
1062 p->snapshot = pcap_adjust_snapshot(p->linktype, idbp->snaplen);
1063 p->linktype_ext = 0;
1064
1065 /*
1066 * If the maximum block size for a packet with the maximum
1067 * snapshot length for this DLT_ is bigger than the current
1068 * maximum block size, increase the maximum.
1069 */
1070 if (MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype)) > ps->max_blocksize)
1071 ps->max_blocksize = MAX_BLOCKSIZE_FOR_SNAPLEN(max_snaplen_for_dlt(p->linktype));
1072
1073 p->next_packet_op = pcap_ng_next_packet;
1074 p->cleanup_op = pcap_ng_cleanup;
1075
1076 return (p);
1077
1078 fail:
1079 free(ps->ifaces);
1080 free(p->buffer);
1081 free(p);
1082 *err = 1;
1083 return (NULL);
1084 }
1085
1086 static void
pcap_ng_cleanup(pcap_t * p)1087 pcap_ng_cleanup(pcap_t *p)
1088 {
1089 struct pcap_ng_sf *ps = p->priv;
1090
1091 free(ps->ifaces);
1092 sf_cleanup(p);
1093 }
1094
1095 /*
1096 * Read and return the next packet from the savefile. Return the header
1097 * in hdr and a pointer to the contents in data. Return 0 on success, 1
1098 * if there were no more packets, and -1 on an error.
1099 */
1100 static int
pcap_ng_next_packet(pcap_t * p,struct pcap_pkthdr * hdr,u_char ** data)1101 pcap_ng_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
1102 {
1103 struct pcap_ng_sf *ps = p->priv;
1104 struct block_cursor cursor;
1105 int status;
1106 struct enhanced_packet_block *epbp;
1107 struct simple_packet_block *spbp;
1108 struct packet_block *pbp;
1109 bpf_u_int32 interface_id = 0xFFFFFFFF;
1110 struct interface_description_block *idbp;
1111 struct section_header_block *shbp;
1112 FILE *fp = p->rfile;
1113 uint64_t t, sec, frac;
1114
1115 /*
1116 * Look for an Enhanced Packet Block, a Simple Packet Block,
1117 * or a Packet Block.
1118 */
1119 for (;;) {
1120 /*
1121 * Read the block type and length; those are common
1122 * to all blocks.
1123 */
1124 status = read_block(fp, p, &cursor, p->errbuf);
1125 if (status == 0)
1126 return (1); /* EOF */
1127 if (status == -1)
1128 return (-1); /* error */
1129 switch (cursor.block_type) {
1130
1131 case BT_EPB:
1132 /*
1133 * Get a pointer to the fixed-length portion of the
1134 * EPB.
1135 */
1136 epbp = get_from_block_data(&cursor, sizeof(*epbp),
1137 p->errbuf);
1138 if (epbp == NULL)
1139 return (-1); /* error */
1140
1141 /*
1142 * Byte-swap it if necessary.
1143 */
1144 if (p->swapped) {
1145 /* these were written in opposite byte order */
1146 interface_id = SWAPLONG(epbp->interface_id);
1147 hdr->caplen = SWAPLONG(epbp->caplen);
1148 hdr->len = SWAPLONG(epbp->len);
1149 t = ((uint64_t)SWAPLONG(epbp->timestamp_high)) << 32 |
1150 SWAPLONG(epbp->timestamp_low);
1151 } else {
1152 interface_id = epbp->interface_id;
1153 hdr->caplen = epbp->caplen;
1154 hdr->len = epbp->len;
1155 t = ((uint64_t)epbp->timestamp_high) << 32 |
1156 epbp->timestamp_low;
1157 }
1158 goto found;
1159
1160 case BT_SPB:
1161 /*
1162 * Get a pointer to the fixed-length portion of the
1163 * SPB.
1164 */
1165 spbp = get_from_block_data(&cursor, sizeof(*spbp),
1166 p->errbuf);
1167 if (spbp == NULL)
1168 return (-1); /* error */
1169
1170 /*
1171 * SPB packets are assumed to have arrived on
1172 * the first interface.
1173 */
1174 interface_id = 0;
1175
1176 /*
1177 * Byte-swap it if necessary.
1178 */
1179 if (p->swapped) {
1180 /* these were written in opposite byte order */
1181 hdr->len = SWAPLONG(spbp->len);
1182 } else
1183 hdr->len = spbp->len;
1184
1185 /*
1186 * The SPB doesn't give the captured length;
1187 * it's the minimum of the snapshot length
1188 * and the packet length.
1189 */
1190 hdr->caplen = hdr->len;
1191 if (hdr->caplen > (bpf_u_int32)p->snapshot)
1192 hdr->caplen = p->snapshot;
1193 t = 0; /* no time stamps */
1194 goto found;
1195
1196 case BT_PB:
1197 /*
1198 * Get a pointer to the fixed-length portion of the
1199 * PB.
1200 */
1201 pbp = get_from_block_data(&cursor, sizeof(*pbp),
1202 p->errbuf);
1203 if (pbp == NULL)
1204 return (-1); /* error */
1205
1206 /*
1207 * Byte-swap it if necessary.
1208 */
1209 if (p->swapped) {
1210 /* these were written in opposite byte order */
1211 interface_id = SWAPSHORT(pbp->interface_id);
1212 hdr->caplen = SWAPLONG(pbp->caplen);
1213 hdr->len = SWAPLONG(pbp->len);
1214 t = ((uint64_t)SWAPLONG(pbp->timestamp_high)) << 32 |
1215 SWAPLONG(pbp->timestamp_low);
1216 } else {
1217 interface_id = pbp->interface_id;
1218 hdr->caplen = pbp->caplen;
1219 hdr->len = pbp->len;
1220 t = ((uint64_t)pbp->timestamp_high) << 32 |
1221 pbp->timestamp_low;
1222 }
1223 goto found;
1224
1225 case BT_IDB:
1226 /*
1227 * Interface Description Block. Get a pointer
1228 * to its fixed-length portion.
1229 */
1230 idbp = get_from_block_data(&cursor, sizeof(*idbp),
1231 p->errbuf);
1232 if (idbp == NULL)
1233 return (-1); /* error */
1234
1235 /*
1236 * Byte-swap it if necessary.
1237 */
1238 if (p->swapped) {
1239 idbp->linktype = SWAPSHORT(idbp->linktype);
1240 idbp->snaplen = SWAPLONG(idbp->snaplen);
1241 }
1242
1243 /*
1244 * If the link-layer type or snapshot length
1245 * differ from the ones for the first IDB we
1246 * saw, quit.
1247 *
1248 * XXX - just discard packets from those
1249 * interfaces?
1250 */
1251 if (p->linktype != idbp->linktype) {
1252 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1253 "an interface has a type %u different from the type of the first interface",
1254 idbp->linktype);
1255 return (-1);
1256 }
1257
1258 /*
1259 * Check against the *adjusted* value of this IDB's
1260 * snapshot length.
1261 */
1262 if ((bpf_u_int32)p->snapshot !=
1263 pcap_adjust_snapshot(p->linktype, idbp->snaplen)) {
1264 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1265 "an interface has a snapshot length %u different from the snapshot length of the first interface",
1266 idbp->snaplen);
1267 return (-1);
1268 }
1269
1270 /*
1271 * Try to add this interface.
1272 */
1273 if (!add_interface(p, idbp, &cursor, p->errbuf))
1274 return (-1);
1275 break;
1276
1277 case BT_SHB:
1278 /*
1279 * Section Header Block. Get a pointer
1280 * to its fixed-length portion.
1281 */
1282 shbp = get_from_block_data(&cursor, sizeof(*shbp),
1283 p->errbuf);
1284 if (shbp == NULL)
1285 return (-1); /* error */
1286
1287 /*
1288 * Assume the byte order of this section is
1289 * the same as that of the previous section.
1290 * We'll check for that later.
1291 */
1292 if (p->swapped) {
1293 shbp->byte_order_magic =
1294 SWAPLONG(shbp->byte_order_magic);
1295 shbp->major_version =
1296 SWAPSHORT(shbp->major_version);
1297 }
1298
1299 /*
1300 * Make sure the byte order doesn't change;
1301 * pcap_is_swapped() shouldn't change its
1302 * return value in the middle of reading a capture.
1303 */
1304 switch (shbp->byte_order_magic) {
1305
1306 case BYTE_ORDER_MAGIC:
1307 /*
1308 * OK.
1309 */
1310 break;
1311
1312 case SWAPLONG(BYTE_ORDER_MAGIC):
1313 /*
1314 * Byte order changes.
1315 */
1316 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1317 "the file has sections with different byte orders");
1318 return (-1);
1319
1320 default:
1321 /*
1322 * Not a valid SHB.
1323 */
1324 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1325 "the file has a section with a bad byte order magic field");
1326 return (-1);
1327 }
1328
1329 /*
1330 * Make sure the major version is the version
1331 * we handle.
1332 */
1333 if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
1334 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1335 "unknown pcapng savefile major version number %u",
1336 shbp->major_version);
1337 return (-1);
1338 }
1339
1340 /*
1341 * Reset the interface count; this section should
1342 * have its own set of IDBs. If any of them
1343 * don't have the same interface type, snapshot
1344 * length, or resolution as the first interface
1345 * we saw, we'll fail. (And if we don't see
1346 * any IDBs, we'll fail when we see a packet
1347 * block.)
1348 */
1349 ps->ifcount = 0;
1350 break;
1351
1352 default:
1353 /*
1354 * Not a packet block, IDB, or SHB; ignore it.
1355 */
1356 break;
1357 }
1358 }
1359
1360 found:
1361 /*
1362 * Is the interface ID an interface we know?
1363 */
1364 if (interface_id >= ps->ifcount) {
1365 /*
1366 * Yes. Fail.
1367 */
1368 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1369 "a packet arrived on interface %u, but there's no Interface Description Block for that interface",
1370 interface_id);
1371 return (-1);
1372 }
1373
1374 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
1375 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1376 "invalid packet capture length %u, bigger than "
1377 "snaplen of %d", hdr->caplen, p->snapshot);
1378 return (-1);
1379 }
1380
1381 /*
1382 * Convert the time stamp to seconds and fractions of a second,
1383 * with the fractions being in units of the file-supplied resolution.
1384 */
1385 sec = t / ps->ifaces[interface_id].tsresol + ps->ifaces[interface_id].tsoffset;
1386 frac = t % ps->ifaces[interface_id].tsresol;
1387
1388 /*
1389 * Convert the fractions from units of the file-supplied resolution
1390 * to units of the user-requested resolution.
1391 */
1392 switch (ps->ifaces[interface_id].scale_type) {
1393
1394 case PASS_THROUGH:
1395 /*
1396 * The interface resolution is what the user wants,
1397 * so we're done.
1398 */
1399 break;
1400
1401 case SCALE_UP_DEC:
1402 /*
1403 * The interface resolution is less than what the user
1404 * wants; scale the fractional part up to the units of
1405 * the resolution the user requested by multiplying by
1406 * the quotient of the user-requested resolution and the
1407 * file-supplied resolution.
1408 *
1409 * Those resolutions are both powers of 10, and the user-
1410 * requested resolution is greater than the file-supplied
1411 * resolution, so the quotient in question is an integer.
1412 * We've calculated that quotient already, so we just
1413 * multiply by it.
1414 */
1415 frac *= ps->ifaces[interface_id].scale_factor;
1416 break;
1417
1418 case SCALE_UP_BIN:
1419 /*
1420 * The interface resolution is less than what the user
1421 * wants; scale the fractional part up to the units of
1422 * the resolution the user requested by multiplying by
1423 * the quotient of the user-requested resolution and the
1424 * file-supplied resolution.
1425 *
1426 * The file-supplied resolution is a power of 2, so the
1427 * quotient is not an integer, so, in order to do this
1428 * entirely with integer arithmetic, we multiply by the
1429 * user-requested resolution and divide by the file-
1430 * supplied resolution.
1431 *
1432 * XXX - Is there something clever we could do here,
1433 * given that we know that the file-supplied resolution
1434 * is a power of 2? Doing a multiplication followed by
1435 * a division runs the risk of overflowing, and involves
1436 * two non-simple arithmetic operations.
1437 */
1438 frac *= ps->user_tsresol;
1439 frac /= ps->ifaces[interface_id].tsresol;
1440 break;
1441
1442 case SCALE_DOWN_DEC:
1443 /*
1444 * The interface resolution is greater than what the user
1445 * wants; scale the fractional part up to the units of
1446 * the resolution the user requested by multiplying by
1447 * the quotient of the user-requested resolution and the
1448 * file-supplied resolution.
1449 *
1450 * Those resolutions are both powers of 10, and the user-
1451 * requested resolution is less than the file-supplied
1452 * resolution, so the quotient in question isn't an
1453 * integer, but its reciprocal is, and we can just divide
1454 * by the reciprocal of the quotient. We've calculated
1455 * the reciprocal of that quotient already, so we must
1456 * divide by it.
1457 */
1458 frac /= ps->ifaces[interface_id].scale_factor;
1459 break;
1460
1461
1462 case SCALE_DOWN_BIN:
1463 /*
1464 * The interface resolution is greater than what the user
1465 * wants; convert the fractional part to units of the
1466 * resolution the user requested by multiplying by the
1467 * quotient of the user-requested resolution and the
1468 * file-supplied resolution. We do that by multiplying
1469 * by the user-requested resolution and dividing by the
1470 * file-supplied resolution, as the quotient might not
1471 * fit in an integer.
1472 *
1473 * The file-supplied resolution is a power of 2, so the
1474 * quotient is not an integer, and neither is its
1475 * reciprocal, so, in order to do this entirely with
1476 * integer arithmetic, we multiply by the user-requested
1477 * resolution and divide by the file-supplied resolution.
1478 *
1479 * XXX - Is there something clever we could do here,
1480 * given that we know that the file-supplied resolution
1481 * is a power of 2? Doing a multiplication followed by
1482 * a division runs the risk of overflowing, and involves
1483 * two non-simple arithmetic operations.
1484 */
1485 frac *= ps->user_tsresol;
1486 frac /= ps->ifaces[interface_id].tsresol;
1487 break;
1488 }
1489 #ifdef _WIN32
1490 /*
1491 * tv_sec and tv_used in the Windows struct timeval are both
1492 * longs.
1493 */
1494 hdr->ts.tv_sec = (long)sec;
1495 hdr->ts.tv_usec = (long)frac;
1496 #else
1497 /*
1498 * tv_sec in the UN*X struct timeval is a time_t; tv_usec is
1499 * suseconds_t in UN*Xes that work the way the current Single
1500 * UNIX Standard specify - but not all older UN*Xes necessarily
1501 * support that type, so just cast to int.
1502 */
1503 hdr->ts.tv_sec = (time_t)sec;
1504 hdr->ts.tv_usec = (int)frac;
1505 #endif
1506
1507 /*
1508 * Get a pointer to the packet data.
1509 */
1510 *data = get_from_block_data(&cursor, hdr->caplen, p->errbuf);
1511 if (*data == NULL)
1512 return (-1);
1513
1514 if (p->swapped)
1515 swap_pseudo_headers(p->linktype, hdr, *data);
1516
1517 return (0);
1518 }
1519