Lines Matching +full:magic +full:- +full:packet
21 * sf-pcap.c - libpcap-file-format-specific code from savefile.c
25 * Used to save the received packet headers, after filtering, to
33 #include <pcap-types.h>
46 #include "pcap-int.h"
47 #include "pcap-util.h"
49 #include "pcap-common.h"
52 #include "os-proto.h"
55 #include "sf-pcap.h"
75 * byte-swap some host-byte-order metadata.
105 * `struct timeval'; `struct timeval' has 32-bit tv_sec values on some
106 * platforms and 64-bit tv_sec values on other platforms, and writing
112 * says they are. (That gives pcap a 68-year Y2.038K reprieve, although
132 * send mail to "tcpdump-workers@lists.tcpdump.org", requesting
133 * a new magic number for your new capture file format, and, when
134 * you get the new magic number, put it in "savefile.c";
136 * use that magic number for save files with the changed record
141 * (using the magic number to determine the header format).
145 * https://github.com/the-tcpdump-group/libpcap/tree/master
155 bpf_u_int32 len; /* length of this packet (off wire) */
171 bpf_u_int32 len; /* length of this packet (off wire) */
219 pcap_check_header(const uint8_t *magic, FILE *fp, u_int precision, char *errbuf,
235 * Check whether the first 4 bytes of the file are the magic
236 * number for a pcap savefile, or for a byte-swapped pcap
239 memcpy(&magic_int, magic, sizeof(magic_int));
252 * They are. Put the magic number in the header, and read
255 hdr.magic = magic_int;
256 amt_read = fread(((char *)&hdr) + sizeof hdr.magic, 1,
257 sizeof(hdr) - sizeof(hdr.magic), fp);
258 if (amt_read != sizeof(hdr) - sizeof(hdr.magic)) {
272 * If it's a byte-swapped capture file, byte-swap the header.
291 * currently only versions 2.[0-4] are supported with
326 p->swapped = swapped;
327 p->version_major = hdr.version_major;
328 p->version_minor = hdr.version_minor;
329 p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype));
330 p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype);
331 p->snapshot = pcapint_adjust_snapshot(p->linktype, hdr.snaplen);
333 p->next_packet_op = pcap_next_packet;
335 ps = p->priv;
337 p->opt.tstamp_precision = precision;
352 ps->scale_type = SCALE_DOWN;
358 ps->scale_type = PASS_THROUGH;
368 ps->scale_type = PASS_THROUGH;
375 ps->scale_type = SCALE_UP;
395 * pre-2.3 order.
401 ps->lengths_swapped = SWAPPED;
403 ps->lengths_swapped = MAYBE_SWAPPED;
405 ps->lengths_swapped = NOT_SWAPPED;
409 ps->lengths_swapped = SWAPPED;
413 ps->lengths_swapped = NOT_SWAPPED;
419 * XXX - the patch that's in some versions of libpcap
420 * changes the packet header but not the magic number,
421 * and some other versions with this magic number have
422 * some extra debugging information in the packet header;
435 ps->hdrsize = sizeof(struct pcap_sf_patched_pkthdr);
437 if (p->linktype == DLT_EN10MB) {
442 * If it was done in cooked mode, p->snapshot was
444 * that the most packet data that would be copied
445 * would be p->snapshot. However, a faked Ethernet
447 * most data that would be in a packet in the file
448 * would be p->snapshot + 14.
455 * out why a capture doesn't have all the packet data,
461 if (p->snapshot <= INT_MAX - 14)
462 p->snapshot += 14;
464 p->snapshot = INT_MAX;
467 ps->hdrsize = sizeof(struct pcap_sf_pkthdr);
470 * Allocate a buffer for the packet data.
472 * that should be enough for most network packets - we'll grow it
476 * packet.
478 p->bufsize = p->snapshot;
479 if (p->bufsize > 2048)
480 p->bufsize = 2048;
481 p->buffer = malloc(p->bufsize);
482 if (p->buffer == NULL) {
489 p->cleanup_op = pcapint_sf_cleanup;
495 * Grow the packet buffer to the specified size.
502 bigger_buffer = realloc(p->buffer, bufsize);
504 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "out of memory");
507 p->buffer = bigger_buffer;
508 p->bufsize = bufsize;
513 * Read and return the next packet from the savefile. Return the header
515 * if there were no more packets, and -1 on an error.
520 struct pcap_sf *ps = p->priv;
522 FILE *fp = p->rfile;
527 * Read the packet header; the structure we use as a buffer
529 * libpcap, but if the file has the magic number for an
533 amt_read = fread(&sf_hdr, 1, ps->hdrsize, fp);
534 if (amt_read != ps->hdrsize) {
536 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
538 return (-1);
541 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
543 ps->hdrsize, amt_read);
544 return (-1);
551 if (p->swapped) {
553 hdr->caplen = SWAPLONG(sf_hdr.caplen);
554 hdr->len = SWAPLONG(sf_hdr.len);
555 hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec);
556 hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec);
558 hdr->caplen = sf_hdr.caplen;
559 hdr->len = sf_hdr.len;
560 hdr->ts.tv_sec = sf_hdr.ts.tv_sec;
561 hdr->ts.tv_usec = sf_hdr.ts.tv_usec;
564 switch (ps->scale_type) {
577 hdr->ts.tv_usec = hdr->ts.tv_usec * 1000;
585 hdr->ts.tv_usec = hdr->ts.tv_usec / 1000;
590 switch (ps->lengths_swapped) {
596 if (hdr->caplen <= hdr->len) {
606 t = hdr->caplen;
607 hdr->caplen = hdr->len;
608 hdr->len = t;
613 * Is the packet bigger than we consider sane?
615 if (hdr->caplen > max_snaplen_for_dlt(p->linktype)) {
624 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
625 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
626 "invalid packet capture length %u, bigger than "
627 "snaplen of %d", hdr->caplen, p->snapshot);
629 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
630 "invalid packet capture length %u, bigger than "
631 "maximum of %u", hdr->caplen,
632 max_snaplen_for_dlt(p->linktype));
634 return (-1);
637 if (hdr->caplen > (bpf_u_int32)p->snapshot) {
639 * The packet is bigger than the snapshot length
650 * packet if a snapshot length is specified); they should
652 * per-packet callback, to the snapshot length if it's
654 * libpcap should see the packet cut off at the snapshot
655 * length, even though the full packet is copied up to
660 * or the per-packet header, or perhaps this is a
665 * packet, and report the snapshot length as the captured
666 * length; we don't want to hand our caller a packet
668 * be assuming they'll never be handed such a packet,
669 * and might copy the packet into a snapshot-length-
676 if (hdr->caplen > p->bufsize) {
680 if (!grow_buffer(p, p->snapshot))
681 return (-1);
685 * Read the first p->snapshot bytes into the buffer.
687 amt_read = fread(p->buffer, 1, p->snapshot, fp);
688 if (amt_read != (bpf_u_int32)p->snapshot) {
690 pcapint_fmt_errmsg_for_errno(p->errbuf,
695 * Yes, this uses hdr->caplen; technically,
701 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
703 p->snapshot, amt_read);
705 return (-1);
711 bytes_to_discard = hdr->caplen - p->snapshot;
721 pcapint_fmt_errmsg_for_errno(p->errbuf,
725 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
727 hdr->caplen, bytes_read);
729 return (-1);
731 bytes_to_discard -= amt_read;
738 hdr->caplen = p->snapshot;
741 * The packet is within the snapshot length for this file.
743 if (hdr->caplen > p->bufsize) {
750 new_bufsize = hdr->caplen;
754 new_bufsize--;
762 if (new_bufsize > (u_int)p->snapshot)
763 new_bufsize = p->snapshot;
766 return (-1);
769 /* read the packet itself */
770 amt_read = fread(p->buffer, 1, hdr->caplen, fp);
771 if (amt_read != hdr->caplen) {
773 pcapint_fmt_errmsg_for_errno(p->errbuf,
777 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
779 hdr->caplen, amt_read);
781 return (-1);
784 *data = p->buffer;
786 pcapint_post_process(p->linktype, p->swapped, hdr, *data);
796 hdr.magic = p->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO ? NSEC_TCPDUMP_MAGIC : TCPDUMP_MAGIC;
801 * https://www.tcpdump.org/manpages/pcap-savefile.5.txt states:
802 * thiszone (Reserved1): 4-byte not used - SHOULD be filled with 0
803 * sigfigs (Reserved2): 4-byte not used - SHOULD be filled with 0
811 return (-1);
817 * Output a packet to the initialized dump file.
846 * 2106-02-07 06:28:15 UTC; switch to pcapng.
848 * that predate 1970-01-01 00:00:00 UTC; that's not supported.
851 * stamps, but you may also have to get a link-layer type for
855 sf_hdr.ts.tv_sec = (bpf_u_int32)h->ts.tv_sec;
856 sf_hdr.ts.tv_usec = (bpf_u_int32)h->ts.tv_usec;
857 sf_hdr.caplen = h->caplen;
858 sf_hdr.len = h->len;
860 * We only write the packet if we can write the header properly.
868 (void)fwrite(sp, h->caplen, 1, f);
882 * XXX - why? And why not on the standard output?
889 if (sf_write_header(p, f, linktype, p->snapshot) == -1) {
890 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
910 * link-layer type, so we can't use it.
912 if (!p->activated) {
913 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
914 "%s: not-yet-activated pcap_t passed to pcap_dump_open",
918 linktype = dlt_to_linktype(p->linktype);
919 if (linktype == -1) {
920 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
921 "%s: link-layer type %d isn't supported in savefiles",
922 fname, p->linktype);
925 linktype |= p->linktype_ext;
928 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
932 if (fname[0] == '-' && fname[1] == '\0') {
944 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
965 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
972 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
993 linktype = dlt_to_linktype(p->linktype);
994 if (linktype == -1) {
995 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
996 "stream: link-layer type %d isn't supported in savefiles",
997 p->linktype);
1000 linktype |= p->linktype_ext;
1013 linktype = dlt_to_linktype(p->linktype);
1014 if (linktype == -1) {
1015 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1016 "%s: link-layer type %d isn't supported in savefiles",
1022 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1026 if (fname[0] == '-' && fname[1] == '\0')
1044 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1053 * beginning immediately after we've opened it - we seek to
1054 * the beginning. ISO C says it's implementation-defined
1056 * or the end of the file after an append-mode open, and
1058 * or the Microsoft documentation how that works on SUS-
1061 if (fseek(f, 0, SEEK_SET) == -1) {
1062 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1070 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1075 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1085 * XXX - why? And why not on the standard output?
1096 * the link-layer header types don't match;
1107 switch (ph.magic) {
1110 if (p->opt.tstamp_precision != PCAP_TSTAMP_PRECISION_MICRO) {
1111 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1119 if (p->opt.tstamp_precision != PCAP_TSTAMP_PRECISION_NANO) {
1120 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1129 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1138 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1144 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1155 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1162 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1167 if ((bpf_u_int32)p->snapshot != ph.snaplen) {
1168 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1177 if (sf_write_header(p, f, linktype, p->snapshot) == -1) {
1178 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1188 * XXX - this shouldn't be necessary, given that we're opening
1192 if (fseek(f, 0, SEEK_END) == -1) {
1193 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1216 * If we have large file support (files larger than 2^31-1 bytes),
1239 * or this is probably an older 32-bit UN*X without large file
1241 * write files > 2^31-1, so it won't matter anyway.
1243 * XXX - what about MinGW?
1257 return (-1);
1268 return-an-error;