1 /*
2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16 * nor the names of its contributors may be used to endorse or promote
17 * products derived from this software without specific prior written
18 * permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 *
32 */
33
34 #ifdef HAVE_CONFIG_H
35 #include <config.h>
36 #endif
37
38 #include "ftmacros.h"
39
40 #include <string.h> /* for strlen(), ... */
41 #include <stdlib.h> /* for malloc(), free(), ... */
42 #include <stdarg.h> /* for functions with variable number of arguments */
43 #include <errno.h> /* for the errno variable */
44 #include "sockutils.h"
45 #include "pcap-int.h"
46 #include "rpcap-protocol.h"
47 #include "pcap-rpcap.h"
48
49 /*
50 * This file contains the pcap module for capturing from a remote machine's
51 * interfaces using the RPCAP protocol.
52 *
53 * WARNING: All the RPCAP functions that are allowed to return a buffer
54 * containing the error description can return max PCAP_ERRBUF_SIZE characters.
55 * However there is no guarantees that the string will be zero-terminated.
56 * Best practice is to define the errbuf variable as a char of size
57 * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
58 * of the buffer. This will guarantee that no buffer overflows occur even
59 * if we use the printf() to show the error on the screen.
60 *
61 * XXX - actually, null-terminating the error string is part of the
62 * contract for the pcap API; if there's any place in the pcap code
63 * that doesn't guarantee null-termination, even at the expense of
64 * cutting the message short, that's a bug and needs to be fixed.
65 */
66
67 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
68 #ifdef _WIN32
69 #define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
70 #endif
71
72 /*
73 * \brief Keeps a list of all the opened connections in the active mode.
74 *
75 * This structure defines a linked list of items that are needed to keep the info required to
76 * manage the active mode.
77 * In other words, when a new connection in active mode starts, this structure is updated so that
78 * it reflects the list of active mode connections currently opened.
79 * This structure is required by findalldevs() and open_remote() to see if they have to open a new
80 * control connection toward the host, or they already have a control connection in place.
81 */
82 struct activehosts
83 {
84 struct sockaddr_storage host;
85 SOCKET sockctrl;
86 uint8 protocol_version;
87 struct activehosts *next;
88 };
89
90 /* Keeps a list of all the opened connections in the active mode. */
91 static struct activehosts *activeHosts;
92
93 /*
94 * Keeps the main socket identifier when we want to accept a new remote
95 * connection (active mode only).
96 * See the documentation of pcap_remoteact_accept() and
97 * pcap_remoteact_cleanup() for more details.
98 */
99 static SOCKET sockmain;
100
101 /*
102 * Private data for capturing remotely using the rpcap protocol.
103 */
104 struct pcap_rpcap {
105 /*
106 * This is '1' if we're the network client; it is needed by several
107 * functions (such as pcap_setfilter()) to know whether they have
108 * to use the socket or have to open the local adapter.
109 */
110 int rmt_clientside;
111
112 SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */
113 SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */
114 int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
115 int rmt_capstarted; /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */
116 char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
117
118 uint8 protocol_version; /* negotiated protocol version */
119
120 unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */
121
122 /*
123 * This keeps the number of packets that have been received by the
124 * application.
125 *
126 * Packets dropped by the kernel buffer are not counted in this
127 * variable. It is always equal to (TotAccepted - TotDrops),
128 * except for the case of remote capture, in which we have also
129 * packets in flight, i.e. that have been transmitted by the remote
130 * host, but that have not been received (yet) from the client.
131 * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
132 * wrong result, since this number does not corresponds always to
133 * the number of packet received by the application. For this reason,
134 * in the remote capture we need another variable that takes into
135 * account of the number of packets actually received by the
136 * application.
137 */
138 unsigned int TotCapt;
139
140 struct pcap_stat stat;
141 /* XXX */
142 struct pcap *next; /* list of open pcaps that need stuff cleared on close */
143 };
144
145 /****************************************************
146 * *
147 * Locally defined functions *
148 * *
149 ****************************************************/
150 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
151 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
152 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
153 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
154 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
155 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
156 static int pcap_setsampling_remote(pcap_t *fp);
157 static int pcap_startcapture_remote(pcap_t *fp);
158 static int rpcap_sendauth(SOCKET sock, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf);
159 static int rpcap_recv_msg_header(SOCKET sock, struct rpcap_header *header, char *errbuf);
160 static int rpcap_check_msg_ver(SOCKET sock, uint8 expected_ver, struct rpcap_header *header, char *errbuf);
161 static int rpcap_check_msg_type(SOCKET sock, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf);
162 static int rpcap_process_msg_header(SOCKET sock, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf);
163 static int rpcap_recv(SOCKET sock, void *buffer, size_t toread, uint32 *plen, char *errbuf);
164 static void rpcap_msg_err(SOCKET sockctrl, uint32 plen, char *remote_errbuf);
165 static int rpcap_discard(SOCKET sock, uint32 len, char *errbuf);
166 static int rpcap_read_packet_msg(SOCKET sock, pcap_t *p, size_t size);
167
168 /****************************************************
169 * *
170 * Function bodies *
171 * *
172 ****************************************************/
173
174 /*
175 * This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
176 * structure from the network byte order to a 'sockaddr_in" or
177 * 'sockaddr_in6' structure in the host byte order.
178 *
179 * It accepts an 'rpcap_sockaddr' structure as it is received from the
180 * network, and checks the address family field against various values
181 * to see whether it looks like an IPv4 address, an IPv6 address, or
182 * neither of those. It checks for multiple values in order to try
183 * to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
184 * or 'sockaddr_in6' structures over the wire with some members
185 * byte-swapped, and to handle the fact that AF_INET6 has different
186 * values on different OSes.
187 *
188 * For IPv4 addresses, it converts the address family to host byte
189 * order from network byte order and puts it into the structure,
190 * sets the length if a sockaddr structure has a length, converts the
191 * port number to host byte order from network byte order and puts
192 * it into the structure, copies over the IPv4 address, and zeroes
193 * out the zero padding.
194 *
195 * For IPv6 addresses, it converts the address family to host byte
196 * order from network byte order and puts it into the structure,
197 * sets the length if a sockaddr structure has a length, converts the
198 * port number and flow information to host byte order from network
199 * byte order and puts them into the structure, copies over the IPv6
200 * address, and converts the scope ID to host byte order from network
201 * byte order and puts it into the structure.
202 *
203 * The function will allocate the 'sockaddrout' variable according to the
204 * address family in use. In case the address does not belong to the
205 * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
206 * NULL pointer is returned. This usually happens because that address
207 * does not exist on the other host, or is of an address family other
208 * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
209 * structure containing all 'zero' values.
210 *
211 * Older RPCAPDs sent the addresses over the wire in the OS's native
212 * structure format. For most OSes, this looks like the over-the-wire
213 * format, but might have a different value for AF_INET6 than the value
214 * on the machine receiving the reply. For OSes with the newer BSD-style
215 * sockaddr structures, this has, instead of a 2-byte address family,
216 * a 1-byte structure length followed by a 1-byte address family. The
217 * RPCAPD code would put the address family in network byte order before
218 * sending it; that would set it to 0 on a little-endian machine, as
219 * htons() of any value between 1 and 255 would result in a value > 255,
220 * with its lower 8 bits zero, so putting that back into a 1-byte field
221 * would set it to 0.
222 *
223 * Therefore, for older RPCAPDs running on an OS with newer BSD-style
224 * sockaddr structures, the family field, if treated as a big-endian
225 * (network byte order) 16-bit field, would be:
226 *
227 * (length << 8) | family if sent by a big-endian machine
228 * (length << 8) if sent by a little-endian machine
229 *
230 * For current RPCAPDs, and for older RPCAPDs running on an OS with
231 * older BSD-style sockaddr structures, the family field, if treated
232 * as a big-endian 16-bit field, would just contain the family.
233 *
234 * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
235 * to be de-serialized.
236 *
237 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
238 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
239 * This variable will be allocated automatically inside this function.
240 *
241 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
242 * that will contain the error message (in case there is one).
243 *
244 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
245 * can be only the fact that the malloc() failed to allocate memory.
246 * The error message is returned in the 'errbuf' variable, while the deserialized address
247 * is returned into the 'sockaddrout' variable.
248 *
249 * \warning This function supports only AF_INET and AF_INET6 address families.
250 *
251 * \warning The sockaddrout (if not NULL) must be deallocated by the user.
252 */
253
254 /*
255 * Possible IPv4 family values other than the designated over-the-wire value,
256 * which is 2 (because everybody uses 2 for AF_INET4).
257 */
258 #define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */
259 #define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */
260 #define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2)
261 #define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8)
262
263 /*
264 * Possible IPv6 family values other than the designated over-the-wire value,
265 * which is 23 (because that's what Windows uses, and most RPCAP servers
266 * out there are probably running Windows, as WinPcap includes the server
267 * but few if any UN*Xes build and ship it).
268 *
269 * The new BSD sockaddr structure format was in place before 4.4-Lite, so
270 * all the free-software BSDs use it.
271 */
272 #define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */
273 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */
274 #define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */
275 #define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8)
276 #define LINUX_AF_INET6 10
277 #define HPUX_AF_INET6 22
278 #define AIX_AF_INET6 24
279 #define SOLARIS_AF_INET6 26
280
281 static int
rpcap_deseraddr(struct rpcap_sockaddr * sockaddrin,struct sockaddr_storage ** sockaddrout,char * errbuf)282 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
283 {
284 /* Warning: we support only AF_INET and AF_INET6 */
285 switch (ntohs(sockaddrin->family))
286 {
287 case RPCAP_AF_INET:
288 case NEW_BSD_AF_INET_BE:
289 case NEW_BSD_AF_INET_LE:
290 {
291 struct rpcap_sockaddr_in *sockaddrin_ipv4;
292 struct sockaddr_in *sockaddrout_ipv4;
293
294 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in));
295 if ((*sockaddrout) == NULL)
296 {
297 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
298 errno, "malloc() failed");
299 return -1;
300 }
301 sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
302 sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
303 sockaddrout_ipv4->sin_family = AF_INET;
304 sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
305 memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
306 memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
307 break;
308 }
309
310 #ifdef AF_INET6
311 case RPCAP_AF_INET6:
312 case NEW_BSD_AF_INET6_BSD_BE:
313 case NEW_BSD_AF_INET6_FREEBSD_BE:
314 case NEW_BSD_AF_INET6_DARWIN_BE:
315 case NEW_BSD_AF_INET6_LE:
316 case LINUX_AF_INET6:
317 case HPUX_AF_INET6:
318 case AIX_AF_INET6:
319 case SOLARIS_AF_INET6:
320 {
321 struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
322 struct sockaddr_in6 *sockaddrout_ipv6;
323
324 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6));
325 if ((*sockaddrout) == NULL)
326 {
327 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
328 errno, "malloc() failed");
329 return -1;
330 }
331 sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
332 sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
333 sockaddrout_ipv6->sin6_family = AF_INET6;
334 sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
335 sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
336 memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
337 sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
338 break;
339 }
340 #endif
341
342 default:
343 /*
344 * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
345 * support AF_INET6, it's not AF_INET).
346 */
347 *sockaddrout = NULL;
348 break;
349 }
350 return 0;
351 }
352
353 /*
354 * This function reads a packet from the network socket. It does not
355 * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
356 * the "nocb" string into its name).
357 *
358 * This function is called by pcap_read_rpcap().
359 *
360 * WARNING: By choice, this function does not make use of semaphores. A smarter
361 * implementation should put a semaphore into the data thread, and a signal will
362 * be raised as soon as there is data into the socket buffer.
363 * However this is complicated and it does not bring any advantages when reading
364 * from the network, in which network delays can be much more important than
365 * these optimizations. Therefore, we chose the following approach:
366 * - the 'timeout' chosen by the user is split in two (half on the server side,
367 * with the usual meaning, and half on the client side)
368 * - this function checks for packets; if there are no packets, it waits for
369 * timeout/2 and then it checks again. If packets are still missing, it returns,
370 * otherwise it reads packets.
371 */
pcap_read_nocb_remote(pcap_t * p,struct pcap_pkthdr * pkt_header,u_char ** pkt_data)372 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
373 {
374 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
375 struct rpcap_header *header; /* general header according to the RPCAP format */
376 struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */
377 u_char *net_pkt_data; /* packet data from the message */
378 uint32 plen;
379 int retval; /* generic return value */
380 int msglen;
381
382 /* Structures needed for the select() call */
383 struct timeval tv; /* maximum time the select() can block waiting for data */
384 fd_set rfds; /* set of socket descriptors we have to check */
385
386 /*
387 * Define the packet buffer timeout, to be used in the select()
388 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
389 */
390 tv.tv_sec = p->opt.timeout / 1000;
391 tv.tv_usec = (p->opt.timeout - tv.tv_sec * 1000) * 1000;
392
393 /* Watch out sockdata to see if it has input */
394 FD_ZERO(&rfds);
395
396 /*
397 * 'fp->rmt_sockdata' has always to be set before calling the select(),
398 * since it is cleared by the select()
399 */
400 FD_SET(pr->rmt_sockdata, &rfds);
401
402 retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
403 if (retval == -1)
404 {
405 #ifndef _WIN32
406 if (errno == EINTR)
407 {
408 /* Interrupted. */
409 return 0;
410 }
411 #endif
412 sock_geterror("select(): ", p->errbuf, PCAP_ERRBUF_SIZE);
413 return -1;
414 }
415
416 /* There is no data waiting, so return '0' */
417 if (retval == 0)
418 return 0;
419
420 /*
421 * We have to define 'header' as a pointer to a larger buffer,
422 * because in case of UDP we have to read all the message within a single call
423 */
424 header = (struct rpcap_header *) p->buffer;
425 net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
426 net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
427
428 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
429 {
430 /* Read the entire message from the network */
431 msglen = sock_recv_dgram(pr->rmt_sockdata, p->buffer,
432 p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE);
433 if (msglen == -1)
434 {
435 /* Network error. */
436 return -1;
437 }
438 if (msglen == -3)
439 {
440 /* Interrupted receive. */
441 return 0;
442 }
443 if ((size_t)msglen < sizeof(struct rpcap_header))
444 {
445 /*
446 * Message is shorter than an rpcap header.
447 */
448 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
449 "UDP packet message is shorter than an rpcap header");
450 return -1;
451 }
452 plen = ntohl(header->plen);
453 if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
454 {
455 /*
456 * Message is shorter than the header claims it
457 * is.
458 */
459 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
460 "UDP packet message is shorter than its rpcap header claims");
461 return -1;
462 }
463 }
464 else
465 {
466 int status;
467
468 if ((size_t)p->cc < sizeof(struct rpcap_header))
469 {
470 /*
471 * We haven't read any of the packet header yet.
472 * The size we should get is the size of the
473 * packet header.
474 */
475 status = rpcap_read_packet_msg(pr->rmt_sockdata, p,
476 sizeof(struct rpcap_header));
477 if (status == -1)
478 {
479 /* Network error. */
480 return -1;
481 }
482 if (status == -3)
483 {
484 /* Interrupted receive. */
485 return 0;
486 }
487 }
488
489 /*
490 * We have the header, so we know how long the
491 * message payload is. The size we should get
492 * is the size of the packet header plus the
493 * size of the payload.
494 */
495 plen = ntohl(header->plen);
496 if (plen > p->bufsize - sizeof(struct rpcap_header))
497 {
498 /*
499 * This is bigger than the largest
500 * record we'd expect. (We do it by
501 * subtracting in order to avoid an
502 * overflow.)
503 */
504 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
505 "Server sent us a message larger than the largest expected packet message");
506 return -1;
507 }
508 status = rpcap_read_packet_msg(pr->rmt_sockdata, p,
509 sizeof(struct rpcap_header) + plen);
510 if (status == -1)
511 {
512 /* Network error. */
513 return -1;
514 }
515 if (status == -3)
516 {
517 /* Interrupted receive. */
518 return 0;
519 }
520
521 /*
522 * We have the entire message; reset the buffer pointer
523 * and count, as the next read should start a new
524 * message.
525 */
526 p->bp = p->buffer;
527 p->cc = 0;
528 }
529
530 /*
531 * We have the entire message.
532 */
533 header->plen = plen;
534
535 /*
536 * Did the server specify the version we negotiated?
537 */
538 if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->protocol_version,
539 header, p->errbuf) == -1)
540 {
541 return 0; /* Return 'no packets received' */
542 }
543
544 /*
545 * Is this a RPCAP_MSG_PACKET message?
546 */
547 if (header->type != RPCAP_MSG_PACKET)
548 {
549 return 0; /* Return 'no packets received' */
550 }
551
552 if (ntohl(net_pkt_header->caplen) > plen)
553 {
554 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
555 "Packet's captured data goes past the end of the received packet message.");
556 return -1;
557 }
558
559 /* Fill in packet header */
560 pkt_header->caplen = ntohl(net_pkt_header->caplen);
561 pkt_header->len = ntohl(net_pkt_header->len);
562 pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
563 pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
564
565 /* Supply a pointer to the beginning of the packet data */
566 *pkt_data = net_pkt_data;
567
568 /*
569 * I don't update the counter of the packets dropped by the network since we're using TCP,
570 * therefore no packets are dropped. Just update the number of packets received correctly
571 */
572 pr->TotCapt++;
573
574 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
575 {
576 unsigned int npkt;
577
578 /* We're using UDP, so we need to update the counter of the packets dropped by the network */
579 npkt = ntohl(net_pkt_header->npkt);
580
581 if (pr->TotCapt != npkt)
582 {
583 pr->TotNetDrops += (npkt - pr->TotCapt);
584 pr->TotCapt = npkt;
585 }
586 }
587
588 /* Packet read successfully */
589 return 1;
590 }
591
592 /*
593 * This function reads a packet from the network socket.
594 *
595 * This function relies on the pcap_read_nocb_remote to deliver packets. The
596 * difference, here, is that as soon as a packet is read, it is delivered
597 * to the application by means of a callback function.
598 */
pcap_read_rpcap(pcap_t * p,int cnt,pcap_handler callback,u_char * user)599 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
600 {
601 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
602 struct pcap_pkthdr pkt_header;
603 u_char *pkt_data;
604 int n = 0;
605 int ret;
606
607 /*
608 * If this is client-side, and we haven't already started
609 * the capture, start it now.
610 */
611 if (pr->rmt_clientside)
612 {
613 /* We are on an remote capture */
614 if (!pr->rmt_capstarted)
615 {
616 /*
617 * The capture isn't started yet, so try to
618 * start it.
619 */
620 if (pcap_startcapture_remote(p))
621 return -1;
622 }
623 }
624
625 while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
626 {
627 /*
628 * Has "pcap_breakloop()" been called?
629 */
630 if (p->break_loop) {
631 /*
632 * Yes - clear the flag that indicates that it
633 * has, and return PCAP_ERROR_BREAK to indicate
634 * that we were told to break out of the loop.
635 */
636 p->break_loop = 0;
637 return (PCAP_ERROR_BREAK);
638 }
639
640 /*
641 * Read some packets.
642 */
643 ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
644 if (ret == 1)
645 {
646 /*
647 * We got a packet. Hand it to the callback
648 * and count it so we can return the count.
649 */
650 (*callback)(user, &pkt_header, pkt_data);
651 n++;
652 }
653 else if (ret == -1)
654 {
655 /* Error. */
656 return ret;
657 }
658 else
659 {
660 /*
661 * No packet; this could mean that we timed
662 * out, or that we got interrupted, or that
663 * we got a bad packet.
664 *
665 * Were we told to break out of the loop?
666 */
667 if (p->break_loop) {
668 /*
669 * Yes.
670 */
671 p->break_loop = 0;
672 return (PCAP_ERROR_BREAK);
673 }
674 /* No - return the number of packets we've processed. */
675 return n;
676 }
677 }
678 return n;
679 }
680
681 /*
682 * This function sends a CLOSE command to the capture server.
683 *
684 * It is called when the user calls pcap_close(). It sends a command
685 * to our peer that says 'ok, let's stop capturing'.
686 *
687 * WARNING: Since we're closing the connection, we do not check for errors.
688 */
pcap_cleanup_rpcap(pcap_t * fp)689 static void pcap_cleanup_rpcap(pcap_t *fp)
690 {
691 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
692 struct rpcap_header header; /* header of the RPCAP packet */
693 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
694 int active = 0; /* active mode or not? */
695
696 /* detect if we're in active mode */
697 temp = activeHosts;
698 while (temp)
699 {
700 if (temp->sockctrl == pr->rmt_sockctrl)
701 {
702 active = 1;
703 break;
704 }
705 temp = temp->next;
706 }
707
708 if (!active)
709 {
710 rpcap_createhdr(&header, pr->protocol_version,
711 RPCAP_MSG_CLOSE, 0, 0);
712
713 /*
714 * Send the close request; don't report any errors, as
715 * we're closing this pcap_t, and have no place to report
716 * the error. No reply is sent to this message.
717 */
718 (void)sock_send(pr->rmt_sockctrl, (char *)&header,
719 sizeof(struct rpcap_header), NULL, 0);
720 }
721 else
722 {
723 rpcap_createhdr(&header, pr->protocol_version,
724 RPCAP_MSG_ENDCAP_REQ, 0, 0);
725
726 /*
727 * Send the end capture request; don't report any errors,
728 * as we're closing this pcap_t, and have no place to
729 * report the error.
730 */
731 if (sock_send(pr->rmt_sockctrl, (char *)&header,
732 sizeof(struct rpcap_header), NULL, 0) == 0)
733 {
734 /*
735 * Wait for the answer; don't report any errors,
736 * as we're closing this pcap_t, and have no
737 * place to report the error.
738 */
739 if (rpcap_process_msg_header(pr->rmt_sockctrl,
740 pr->protocol_version, RPCAP_MSG_ENDCAP_REQ,
741 &header, NULL) == 0)
742 {
743 (void)rpcap_discard(pr->rmt_sockctrl,
744 header.plen, NULL);
745 }
746 }
747 }
748
749 if (pr->rmt_sockdata)
750 {
751 sock_close(pr->rmt_sockdata, NULL, 0);
752 pr->rmt_sockdata = 0;
753 }
754
755 if ((!active) && (pr->rmt_sockctrl))
756 sock_close(pr->rmt_sockctrl, NULL, 0);
757
758 pr->rmt_sockctrl = 0;
759
760 if (pr->currentfilter)
761 {
762 free(pr->currentfilter);
763 pr->currentfilter = NULL;
764 }
765
766 /* To avoid inconsistencies in the number of sock_init() */
767 sock_cleanup();
768 }
769
770 /*
771 * This function retrieves network statistics from our peer;
772 * it provides only the standard statistics.
773 */
pcap_stats_rpcap(pcap_t * p,struct pcap_stat * ps)774 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
775 {
776 struct pcap_stat *retval;
777
778 retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
779
780 if (retval)
781 return 0;
782 else
783 return -1;
784 }
785
786 #ifdef _WIN32
787 /*
788 * This function retrieves network statistics from our peer;
789 * it provides the additional statistics supported by pcap_stats_ex().
790 */
pcap_stats_ex_rpcap(pcap_t * p,int * pcap_stat_size)791 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
792 {
793 *pcap_stat_size = sizeof (p->stat);
794
795 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
796 return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
797 }
798 #endif
799
800 /*
801 * This function retrieves network statistics from our peer. It
802 * is used by the two previous functions.
803 *
804 * It can be called in two modes:
805 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
806 * for pcap_stats())
807 * - PCAP_STATS_EX: if we want extended statistics (i.e., for
808 * pcap_stats_ex())
809 *
810 * This 'mode' parameter is needed because in pcap_stats() the variable that
811 * keeps the statistics is allocated by the user. On Windows, this structure
812 * has been extended in order to keep new stats. However, if the user has a
813 * smaller structure and it passes it to pcap_stats(), this function will
814 * try to fill in more data than the size of the structure, so that memory
815 * after the structure will be overwritten.
816 *
817 * So, we need to know it we have to copy just the standard fields, or the
818 * extended fields as well.
819 *
820 * In case we want to copy the extended fields as well, the problem of
821 * memory overflow no longer exists because the structure that's filled
822 * in is part of the pcap_t, so that it can be guaranteed to be large
823 * enough for the additional statistics.
824 *
825 * \param p: the pcap_t structure related to the current instance.
826 *
827 * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
828 * with pcap_stat(), where the structure is allocated by the user. In case
829 * of pcap_stats_ex(), this structure and the function return value point
830 * to the same variable.
831 *
832 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
833 *
834 * \return The structure that keeps the statistics, or NULL in case of error.
835 * The error string is placed in the pcap_t structure.
836 */
rpcap_stats_rpcap(pcap_t * p,struct pcap_stat * ps,int mode)837 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
838 {
839 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
840 struct rpcap_header header; /* header of the RPCAP packet */
841 struct rpcap_stats netstats; /* statistics sent on the network */
842 uint32 plen; /* data remaining in the message */
843
844 #ifdef _WIN32
845 if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
846 #else
847 if (mode != PCAP_STATS_STANDARD)
848 #endif
849 {
850 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
851 "Invalid stats mode %d", mode);
852 return NULL;
853 }
854
855 /*
856 * If the capture has not yet started, we cannot request statistics
857 * for the capture from our peer, so we return 0 for all statistics,
858 * as nothing's been seen yet.
859 */
860 if (!pr->rmt_capstarted)
861 {
862 ps->ps_drop = 0;
863 ps->ps_ifdrop = 0;
864 ps->ps_recv = 0;
865 #ifdef _WIN32
866 if (mode == PCAP_STATS_EX)
867 {
868 ps->ps_capt = 0;
869 ps->ps_sent = 0;
870 ps->ps_netdrop = 0;
871 }
872 #endif /* _WIN32 */
873
874 return ps;
875 }
876
877 rpcap_createhdr(&header, pr->protocol_version,
878 RPCAP_MSG_STATS_REQ, 0, 0);
879
880 /* Send the PCAP_STATS command */
881 if (sock_send(pr->rmt_sockctrl, (char *)&header,
882 sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
883 return NULL; /* Unrecoverable network error */
884
885 /* Receive and process the reply message header. */
886 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
887 RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
888 return NULL; /* Error */
889
890 plen = header.plen;
891
892 /* Read the reply body */
893 if (rpcap_recv(pr->rmt_sockctrl, (char *)&netstats,
894 sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
895 goto error;
896
897 ps->ps_drop = ntohl(netstats.krnldrop);
898 ps->ps_ifdrop = ntohl(netstats.ifdrop);
899 ps->ps_recv = ntohl(netstats.ifrecv);
900 #ifdef _WIN32
901 if (mode == PCAP_STATS_EX)
902 {
903 ps->ps_capt = pr->TotCapt;
904 ps->ps_netdrop = pr->TotNetDrops;
905 ps->ps_sent = ntohl(netstats.svrcapt);
906 }
907 #endif /* _WIN32 */
908
909 /* Discard the rest of the message. */
910 if (rpcap_discard(pr->rmt_sockctrl, plen, p->errbuf) == -1)
911 goto error_nodiscard;
912
913 return ps;
914
915 error:
916 /*
917 * Discard the rest of the message.
918 * We already reported an error; if this gets an error, just
919 * drive on.
920 */
921 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL);
922
923 error_nodiscard:
924 return NULL;
925 }
926
927 /*
928 * This function returns the entry in the list of active hosts for this
929 * active connection (active mode only), or NULL if there is no
930 * active connection or an error occurred. It is just for internal
931 * use.
932 *
933 * \param host: a string that keeps the host name of the host for which we
934 * want to get the socket ID for that active connection.
935 *
936 * \param error: a pointer to an int that is set to 1 if an error occurred
937 * and 0 otherwise.
938 *
939 * \param errbuf: a pointer to a user-allocated buffer (of size
940 * PCAP_ERRBUF_SIZE) that will contain the error message (in case
941 * there is one).
942 *
943 * \return the entry for this host in the list of active connections
944 * if found, NULL if it's not found or there's an error.
945 */
946 static struct activehosts *
rpcap_remoteact_getsock(const char * host,int * error,char * errbuf)947 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
948 {
949 struct activehosts *temp; /* temp var needed to scan the host list chain */
950 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
951 int retval;
952
953 /* retrieve the network address corresponding to 'host' */
954 addrinfo = NULL;
955 memset(&hints, 0, sizeof(struct addrinfo));
956 hints.ai_family = PF_UNSPEC;
957 hints.ai_socktype = SOCK_STREAM;
958
959 retval = getaddrinfo(host, "0", &hints, &addrinfo);
960 if (retval != 0)
961 {
962 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s",
963 gai_strerror(retval));
964 *error = 1;
965 return NULL;
966 }
967
968 temp = activeHosts;
969
970 while (temp)
971 {
972 ai_next = addrinfo;
973 while (ai_next)
974 {
975 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
976 {
977 *error = 0;
978 freeaddrinfo(addrinfo);
979 return temp;
980 }
981
982 ai_next = ai_next->ai_next;
983 }
984 temp = temp->next;
985 }
986
987 if (addrinfo)
988 freeaddrinfo(addrinfo);
989
990 /*
991 * The host for which you want to get the socket ID does not have an
992 * active connection.
993 */
994 *error = 0;
995 return NULL;
996 }
997
998 /*
999 * This function starts a remote capture.
1000 *
1001 * This function is required since the RPCAP protocol decouples the 'open'
1002 * from the 'start capture' functions.
1003 * This function takes all the parameters needed (which have been stored
1004 * into the pcap_t structure) and sends them to the server.
1005 *
1006 * \param fp: the pcap_t descriptor of the device currently open.
1007 *
1008 * \return '0' if everything is fine, '-1' otherwise. The error message
1009 * (if one) is returned into the 'errbuf' field of the pcap_t structure.
1010 */
pcap_startcapture_remote(pcap_t * fp)1011 static int pcap_startcapture_remote(pcap_t *fp)
1012 {
1013 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1014 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1015 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1016 char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the data connection */
1017 uint32 plen;
1018 int active = 0; /* '1' if we're in active mode */
1019 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
1020 char host[INET6_ADDRSTRLEN + 1]; /* numeric name of the other host */
1021
1022 /* socket-related variables*/
1023 struct addrinfo hints; /* temp, needed to open a socket connection */
1024 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */
1025 SOCKET sockdata = 0; /* socket descriptor of the data connection */
1026 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1027 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1028 int ai_family; /* temp, keeps the address family used by the control connection */
1029
1030 /* RPCAP-related variables*/
1031 struct rpcap_header header; /* header of the RPCAP packet */
1032 struct rpcap_startcapreq *startcapreq; /* start capture request message */
1033 struct rpcap_startcapreply startcapreply; /* start capture reply message */
1034
1035 /* Variables related to the buffer setting */
1036 int res;
1037 socklen_t itemp;
1038 int sockbufsize = 0;
1039 uint32 server_sockbufsize;
1040
1041 /*
1042 * Let's check if sampling has been required.
1043 * If so, let's set it first
1044 */
1045 if (pcap_setsampling_remote(fp) != 0)
1046 return -1;
1047
1048 /* detect if we're in active mode */
1049 temp = activeHosts;
1050 while (temp)
1051 {
1052 if (temp->sockctrl == pr->rmt_sockctrl)
1053 {
1054 active = 1;
1055 break;
1056 }
1057 temp = temp->next;
1058 }
1059
1060 addrinfo = NULL;
1061
1062 /*
1063 * Gets the complete sockaddr structure used in the ctrl connection
1064 * This is needed to get the address family of the control socket
1065 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
1066 * since the ctrl socket can already be open in case of active mode;
1067 * so I would have to call getpeername() anyway
1068 */
1069 saddrlen = sizeof(struct sockaddr_storage);
1070 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1071 {
1072 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1073 goto error_nodiscard;
1074 }
1075 ai_family = ((struct sockaddr_storage *) &saddr)->ss_family;
1076
1077 /* Get the numeric address of the remote host we are connected to */
1078 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host,
1079 sizeof(host), NULL, 0, NI_NUMERICHOST))
1080 {
1081 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1082 goto error_nodiscard;
1083 }
1084
1085 /*
1086 * Data connection is opened by the server toward the client if:
1087 * - we're using TCP, and the user wants us to be in active mode
1088 * - we're using UDP
1089 */
1090 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1091 {
1092 /*
1093 * We have to create a new socket to receive packets
1094 * We have to do that immediately, since we have to tell the other
1095 * end which network port we picked up
1096 */
1097 memset(&hints, 0, sizeof(struct addrinfo));
1098 /* TEMP addrinfo is NULL in case of active */
1099 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1100 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1101 hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
1102
1103 /* Let's the server pick up a free network port for us */
1104 if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1105 goto error_nodiscard;
1106
1107 if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
1108 1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1109 goto error_nodiscard;
1110
1111 /* addrinfo is no longer used */
1112 freeaddrinfo(addrinfo);
1113 addrinfo = NULL;
1114
1115 /* get the complete sockaddr structure used in the data connection */
1116 saddrlen = sizeof(struct sockaddr_storage);
1117 if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1118 {
1119 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1120 goto error_nodiscard;
1121 }
1122
1123 /* Get the local port the system picked up */
1124 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
1125 0, portdata, sizeof(portdata), NI_NUMERICSERV))
1126 {
1127 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1128 goto error_nodiscard;
1129 }
1130 }
1131
1132 /*
1133 * Now it's time to start playing with the RPCAP protocol
1134 * RPCAP start capture command: create the request message
1135 */
1136 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1137 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1138 goto error_nodiscard;
1139
1140 rpcap_createhdr((struct rpcap_header *) sendbuf,
1141 pr->protocol_version, RPCAP_MSG_STARTCAP_REQ, 0,
1142 sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
1143
1144 /* Fill the structure needed to open an adapter remotely */
1145 startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx];
1146
1147 if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL,
1148 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1149 goto error_nodiscard;
1150
1151 memset(startcapreq, 0, sizeof(struct rpcap_startcapreq));
1152
1153 /* By default, apply half the timeout on one side, half of the other */
1154 fp->opt.timeout = fp->opt.timeout / 2;
1155 startcapreq->read_timeout = htonl(fp->opt.timeout);
1156
1157 /* portdata on the openreq is meaningful only if we're in active mode */
1158 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1159 {
1160 sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */
1161 startcapreq->portdata = htons(startcapreq->portdata);
1162 }
1163
1164 startcapreq->snaplen = htonl(fp->snapshot);
1165 startcapreq->flags = 0;
1166
1167 if (pr->rmt_flags & PCAP_OPENFLAG_PROMISCUOUS)
1168 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC;
1169 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
1170 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM;
1171 if (active)
1172 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN;
1173
1174 startcapreq->flags = htons(startcapreq->flags);
1175
1176 /* Pack the capture filter */
1177 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode))
1178 goto error_nodiscard;
1179
1180 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf,
1181 PCAP_ERRBUF_SIZE) < 0)
1182 goto error_nodiscard;
1183
1184 /* Receive and process the reply message header. */
1185 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
1186 RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1)
1187 goto error_nodiscard;
1188
1189 plen = header.plen;
1190
1191 if (rpcap_recv(pr->rmt_sockctrl, (char *)&startcapreply,
1192 sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1)
1193 goto error;
1194
1195 /*
1196 * In case of UDP data stream, the connection is always opened by the daemon
1197 * So, this case is already covered by the code above.
1198 * Now, we have still to handle TCP connections, because:
1199 * - if we're in active mode, we have to wait for a remote connection
1200 * - if we're in passive more, we have to start a connection
1201 *
1202 * We have to do he job in two steps because in case we're opening a TCP connection, we have
1203 * to tell the port we're using to the remote side; in case we're accepting a TCP
1204 * connection, we have to wait this info from the remote side.
1205 */
1206 if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1207 {
1208 if (!active)
1209 {
1210 memset(&hints, 0, sizeof(struct addrinfo));
1211 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1212 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1213 pcap_snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
1214
1215 /* Let's the server pick up a free network port for us */
1216 if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1217 goto error;
1218
1219 if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1220 goto error;
1221
1222 /* addrinfo is no longer used */
1223 freeaddrinfo(addrinfo);
1224 addrinfo = NULL;
1225 }
1226 else
1227 {
1228 SOCKET socktemp; /* We need another socket, since we're going to accept() a connection */
1229
1230 /* Connection creation */
1231 saddrlen = sizeof(struct sockaddr_storage);
1232
1233 socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen);
1234
1235 if (socktemp == INVALID_SOCKET)
1236 {
1237 sock_geterror("accept(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1238 goto error;
1239 }
1240
1241 /* Now that I accepted the connection, the server socket is no longer needed */
1242 sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1243 sockdata = socktemp;
1244 }
1245 }
1246
1247 /* Let's save the socket of the data connection */
1248 pr->rmt_sockdata = sockdata;
1249
1250 /*
1251 * Set the size of the socket buffer for the data socket.
1252 * It has the same size as the local capture buffer used
1253 * on the other side of the connection.
1254 */
1255 server_sockbufsize = ntohl(startcapreply.bufsize);
1256
1257 /* Let's get the actual size of the socket buffer */
1258 itemp = sizeof(sockbufsize);
1259
1260 res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp);
1261 if (res == -1)
1262 {
1263 sock_geterror("pcap_startcapture_remote()", fp->errbuf, PCAP_ERRBUF_SIZE);
1264 SOCK_DEBUG_MESSAGE(fp->errbuf);
1265 }
1266
1267 /*
1268 * Warning: on some kernels (e.g. Linux), the size of the user
1269 * buffer does not take into account the pcap_header and such,
1270 * and it is set equal to the snaplen.
1271 *
1272 * In my view, this is wrong (the meaning of the bufsize became
1273 * a bit strange). So, here bufsize is the whole size of the
1274 * user buffer. In case the bufsize returned is too small,
1275 * let's adjust it accordingly.
1276 */
1277 if (server_sockbufsize <= (u_int) fp->snapshot)
1278 server_sockbufsize += sizeof(struct pcap_pkthdr);
1279
1280 /* if the current socket buffer is smaller than the desired one */
1281 if ((u_int) sockbufsize < server_sockbufsize)
1282 {
1283 /*
1284 * Loop until the buffer size is OK or the original
1285 * socket buffer size is larger than this one.
1286 */
1287 for (;;)
1288 {
1289 res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF,
1290 (char *)&(server_sockbufsize),
1291 sizeof(server_sockbufsize));
1292
1293 if (res == 0)
1294 break;
1295
1296 /*
1297 * If something goes wrong, halve the buffer size
1298 * (checking that it does not become smaller than
1299 * the current one).
1300 */
1301 server_sockbufsize /= 2;
1302
1303 if ((u_int) sockbufsize >= server_sockbufsize)
1304 {
1305 server_sockbufsize = sockbufsize;
1306 break;
1307 }
1308 }
1309 }
1310
1311 /*
1312 * Let's allocate the packet; this is required in order to put
1313 * the packet somewhere when extracting data from the socket.
1314 * Since buffering has already been done in the socket buffer,
1315 * here we need just a buffer whose size is equal to the
1316 * largest possible packet message for the snapshot size,
1317 * namely the length of the message header plus the length
1318 * of the packet header plus the snapshot length.
1319 */
1320 fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot;
1321
1322 fp->buffer = (u_char *)malloc(fp->bufsize);
1323 if (fp->buffer == NULL)
1324 {
1325 pcap_fmt_errmsg_for_errno(fp->errbuf, PCAP_ERRBUF_SIZE,
1326 errno, "malloc");
1327 goto error;
1328 }
1329
1330 /*
1331 * The buffer is currently empty.
1332 */
1333 fp->bp = fp->buffer;
1334 fp->cc = 0;
1335
1336 /* Discard the rest of the message. */
1337 if (rpcap_discard(pr->rmt_sockctrl, plen, fp->errbuf) == -1)
1338 goto error_nodiscard;
1339
1340 /*
1341 * In case the user does not want to capture RPCAP packets, let's update the filter
1342 * We have to update it here (instead of sending it into the 'StartCapture' message
1343 * because when we generate the 'start capture' we do not know (yet) all the ports
1344 * we're currently using.
1345 */
1346 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1347 {
1348 struct bpf_program fcode;
1349
1350 if (pcap_createfilter_norpcappkt(fp, &fcode) == -1)
1351 goto error;
1352
1353 /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */
1354 /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */
1355 if (pcap_updatefilter_remote(fp, &fcode) == -1)
1356 goto error;
1357
1358 pcap_freecode(&fcode);
1359 }
1360
1361 pr->rmt_capstarted = 1;
1362 return 0;
1363
1364 error:
1365 /*
1366 * When the connection has been established, we have to close it. So, at the
1367 * beginning of this function, if an error occur we return immediately with
1368 * a return NULL; when the connection is established, we have to come here
1369 * ('goto error;') in order to close everything properly.
1370 */
1371
1372 /*
1373 * Discard the rest of the message.
1374 * We already reported an error; if this gets an error, just
1375 * drive on.
1376 */
1377 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL);
1378
1379 error_nodiscard:
1380 if ((sockdata) && (sockdata != -1)) /* we can be here because sockdata said 'error' */
1381 sock_close(sockdata, NULL, 0);
1382
1383 if (!active)
1384 sock_close(pr->rmt_sockctrl, NULL, 0);
1385
1386 if (addrinfo != NULL)
1387 freeaddrinfo(addrinfo);
1388
1389 /*
1390 * We do not have to call pcap_close() here, because this function is always called
1391 * by the user in case something bad happens
1392 */
1393 #if 0
1394 if (fp)
1395 {
1396 pcap_close(fp);
1397 fp= NULL;
1398 }
1399 #endif
1400
1401 return -1;
1402 }
1403
1404 /*
1405 * This function takes a bpf program and sends it to the other host.
1406 *
1407 * This function can be called in two cases:
1408 * - pcap_startcapture_remote() is called (we have to send the filter
1409 * along with the 'start capture' command)
1410 * - we want to udpate the filter during a capture (i.e. pcap_setfilter()
1411 * after the capture has been started)
1412 *
1413 * This function serializes the filter into the sending buffer ('sendbuf',
1414 * passed as a parameter) and return back. It does not send anything on
1415 * the network.
1416 *
1417 * \param fp: the pcap_t descriptor of the device currently opened.
1418 *
1419 * \param sendbuf: the buffer on which the serialized data has to copied.
1420 *
1421 * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
1422 *
1423 * \param prog: the bpf program we have to copy.
1424 *
1425 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1426 * is returned into the 'errbuf' field of the pcap_t structure.
1427 */
pcap_pack_bpffilter(pcap_t * fp,char * sendbuf,int * sendbufidx,struct bpf_program * prog)1428 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
1429 {
1430 struct rpcap_filter *filter;
1431 struct rpcap_filterbpf_insn *insn;
1432 struct bpf_insn *bf_insn;
1433 struct bpf_program fake_prog; /* To be used just in case the user forgot to set a filter */
1434 unsigned int i;
1435
1436 if (prog->bf_len == 0) /* No filters have been specified; so, let's apply a "fake" filter */
1437 {
1438 if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1)
1439 return -1;
1440
1441 prog = &fake_prog;
1442 }
1443
1444 filter = (struct rpcap_filter *) sendbuf;
1445
1446 if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx,
1447 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1448 return -1;
1449
1450 filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF);
1451 filter->nitems = htonl((int32)prog->bf_len);
1452
1453 if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn),
1454 NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1455 return -1;
1456
1457 insn = (struct rpcap_filterbpf_insn *) (filter + 1);
1458 bf_insn = prog->bf_insns;
1459
1460 for (i = 0; i < prog->bf_len; i++)
1461 {
1462 insn->code = htons(bf_insn->code);
1463 insn->jf = bf_insn->jf;
1464 insn->jt = bf_insn->jt;
1465 insn->k = htonl(bf_insn->k);
1466
1467 insn++;
1468 bf_insn++;
1469 }
1470
1471 return 0;
1472 }
1473
1474 /*
1475 * This function updates a filter on a remote host.
1476 *
1477 * It is called when the user wants to update a filter.
1478 * In case we're capturing from the network, it sends the filter to our
1479 * peer.
1480 * This function is *not* called automatically when the user calls
1481 * pcap_setfilter().
1482 * There will be two cases:
1483 * - the capture has been started: in this case, pcap_setfilter_rpcap()
1484 * calls pcap_updatefilter_remote()
1485 * - the capture has not started yet: in this case, pcap_setfilter_rpcap()
1486 * stores the filter into the pcap_t structure, and then the filter is
1487 * sent with pcap_startcap().
1488 *
1489 * WARNING This function *does not* clear the packet currently into the
1490 * buffers. Therefore, the user has to expect to receive some packets
1491 * that are related to the previous filter. If you want to discard all
1492 * the packets before applying a new filter, you have to close the
1493 * current capture session and start a new one.
1494 *
1495 * XXX - we really should have pcap_setfilter() always discard packets
1496 * received with the old filter, and have a separate pcap_setfilter_noflush()
1497 * function that doesn't discard any packets.
1498 */
pcap_updatefilter_remote(pcap_t * fp,struct bpf_program * prog)1499 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
1500 {
1501 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1502 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1503 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1504 struct rpcap_header header; /* To keep the reply message */
1505
1506 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx,
1507 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1508 return -1;
1509
1510 rpcap_createhdr((struct rpcap_header *) sendbuf,
1511 pr->protocol_version, RPCAP_MSG_UPDATEFILTER_REQ, 0,
1512 sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn));
1513
1514 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog))
1515 return -1;
1516
1517 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf,
1518 PCAP_ERRBUF_SIZE) < 0)
1519 return -1;
1520
1521 /* Receive and process the reply message header. */
1522 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
1523 RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1)
1524 return -1;
1525
1526 /*
1527 * It shouldn't have any contents; discard it if it does.
1528 */
1529 if (rpcap_discard(pr->rmt_sockctrl, header.plen, fp->errbuf) == -1)
1530 return -1;
1531
1532 return 0;
1533 }
1534
1535 static void
pcap_save_current_filter_rpcap(pcap_t * fp,const char * filter)1536 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
1537 {
1538 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1539
1540 /*
1541 * Check if:
1542 * - We are on an remote capture
1543 * - we do not want to capture RPCAP traffic
1544 *
1545 * If so, we have to save the current filter, because we have to
1546 * add some piece of stuff later
1547 */
1548 if (pr->rmt_clientside &&
1549 (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP))
1550 {
1551 if (pr->currentfilter)
1552 free(pr->currentfilter);
1553
1554 if (filter == NULL)
1555 filter = "";
1556
1557 pr->currentfilter = strdup(filter);
1558 }
1559 }
1560
1561 /*
1562 * This function sends a filter to a remote host.
1563 *
1564 * This function is called when the user wants to set a filter.
1565 * It sends the filter to our peer.
1566 * This function is called automatically when the user calls pcap_setfilter().
1567 *
1568 * Parameters and return values are exactly the same of pcap_setfilter().
1569 */
pcap_setfilter_rpcap(pcap_t * fp,struct bpf_program * prog)1570 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
1571 {
1572 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1573
1574 if (!pr->rmt_capstarted)
1575 {
1576 /* copy filter into the pcap_t structure */
1577 if (install_bpf_program(fp, prog) == -1)
1578 return -1;
1579 return 0;
1580 }
1581
1582 /* we have to update a filter during run-time */
1583 if (pcap_updatefilter_remote(fp, prog))
1584 return -1;
1585
1586 return 0;
1587 }
1588
1589 /*
1590 * This function updates the current filter in order not to capture rpcap
1591 * packets.
1592 *
1593 * This function is called *only* when the user wants exclude RPCAP packets
1594 * related to the current session from the captured packets.
1595 *
1596 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1597 * is returned into the 'errbuf' field of the pcap_t structure.
1598 */
pcap_createfilter_norpcappkt(pcap_t * fp,struct bpf_program * prog)1599 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
1600 {
1601 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1602 int RetVal = 0;
1603
1604 /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1605 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1606 {
1607 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1608 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1609 char myaddress[128];
1610 char myctrlport[128];
1611 char mydataport[128];
1612 char peeraddress[128];
1613 char peerctrlport[128];
1614 char *newfilter;
1615 const int newstringsize = 1024;
1616 size_t currentfiltersize;
1617
1618 /* Get the name/port of our peer */
1619 saddrlen = sizeof(struct sockaddr_storage);
1620 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1621 {
1622 sock_geterror("getpeername(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1623 return -1;
1624 }
1625
1626 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress,
1627 sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1628 {
1629 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1630 return -1;
1631 }
1632
1633 /* We cannot check the data port, because this is available only in case of TCP sockets */
1634 /* Get the name/port of the current host */
1635 if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1636 {
1637 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1638 return -1;
1639 }
1640
1641 /* Get the local port the system picked up */
1642 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress,
1643 sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1644 {
1645 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1646 return -1;
1647 }
1648
1649 /* Let's now check the data port */
1650 if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1651 {
1652 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1653 return -1;
1654 }
1655
1656 /* Get the local port the system picked up */
1657 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
1658 {
1659 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE);
1660 return -1;
1661 }
1662
1663 currentfiltersize = pr->currentfilter ? strlen(pr->currentfilter) : 0;
1664
1665 newfilter = (char *)malloc(currentfiltersize + newstringsize + 1);
1666
1667 if (currentfiltersize)
1668 {
1669 pcap_snprintf(newfilter, currentfiltersize + newstringsize,
1670 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1671 pr->currentfilter, myaddress, peeraddress, myctrlport, peerctrlport, myaddress, peeraddress, mydataport);
1672 }
1673 else
1674 {
1675 pcap_snprintf(newfilter, currentfiltersize + newstringsize,
1676 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1677 myaddress, peeraddress, myctrlport, peerctrlport, myaddress, peeraddress, mydataport);
1678 }
1679
1680 newfilter[currentfiltersize + newstringsize] = 0;
1681
1682 /*
1683 * This is only an hack to prevent the save_current_filter
1684 * routine, which will be called when we call pcap_compile(),
1685 * from saving the modified filter.
1686 */
1687 pr->rmt_clientside = 0;
1688
1689 if (pcap_compile(fp, prog, newfilter, 1, 0) == -1)
1690 RetVal = -1;
1691
1692 /* Undo the hack. */
1693 pr->rmt_clientside = 1;
1694
1695 free(newfilter);
1696 }
1697
1698 return RetVal;
1699 }
1700
1701 /*
1702 * This function sets sampling parameters in the remote host.
1703 *
1704 * It is called when the user wants to set activate sampling on the
1705 * remote host.
1706 *
1707 * Sampling parameters are defined into the 'pcap_t' structure.
1708 *
1709 * \param p: the pcap_t descriptor of the device currently opened.
1710 *
1711 * \return '0' if everything is OK, '-1' is something goes wrong. The
1712 * error message is returned in the 'errbuf' member of the pcap_t structure.
1713 */
pcap_setsampling_remote(pcap_t * fp)1714 static int pcap_setsampling_remote(pcap_t *fp)
1715 {
1716 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1717 char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */
1718 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1719 struct rpcap_header header; /* To keep the reply message */
1720 struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */
1721
1722 /* If no samping is requested, return 'ok' */
1723 if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP)
1724 return 0;
1725
1726 /*
1727 * Check for sampling parameters that don't fit in a message.
1728 * We'll let the server complain about invalid parameters
1729 * that do fit into the message.
1730 */
1731 if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) {
1732 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1733 "Invalid sampling method %d", fp->rmt_samp.method);
1734 return -1;
1735 }
1736 if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) {
1737 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1738 "Invalid sampling value %d", fp->rmt_samp.value);
1739 return -1;
1740 }
1741
1742 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1743 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1744 return -1;
1745
1746 rpcap_createhdr((struct rpcap_header *) sendbuf,
1747 pr->protocol_version, RPCAP_MSG_SETSAMPLING_REQ, 0,
1748 sizeof(struct rpcap_sampling));
1749
1750 /* Fill the structure needed to open an adapter remotely */
1751 sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx];
1752
1753 if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL,
1754 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1755 return -1;
1756
1757 memset(sampling_pars, 0, sizeof(struct rpcap_sampling));
1758
1759 sampling_pars->method = (uint8)fp->rmt_samp.method;
1760 sampling_pars->value = (uint16)htonl(fp->rmt_samp.value);
1761
1762 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf,
1763 PCAP_ERRBUF_SIZE) < 0)
1764 return -1;
1765
1766 /* Receive and process the reply message header. */
1767 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
1768 RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1)
1769 return -1;
1770
1771 /*
1772 * It shouldn't have any contents; discard it if it does.
1773 */
1774 if (rpcap_discard(pr->rmt_sockctrl, header.plen, fp->errbuf) == -1)
1775 return -1;
1776
1777 return 0;
1778 }
1779
1780 /*********************************************************
1781 * *
1782 * Miscellaneous functions *
1783 * *
1784 *********************************************************/
1785
1786 /*
1787 * This function performs authentication and protocol version
1788 * negotiation. It first tries to authenticate with the maximum
1789 * version we support and, if that fails with an "I don't support
1790 * that version" error from the server, and the version number in
1791 * the reply from the server is one we support, tries again with
1792 * that version.
1793 *
1794 * \param sock: the socket we are currently using.
1795 *
1796 * \param ver: pointer to variable holding protocol version number to send
1797 * and to set to the protocol version number in the reply.
1798 *
1799 * \param auth: authentication parameters that have to be sent.
1800 *
1801 * \param errbuf: a pointer to a user-allocated buffer (of size
1802 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
1803 * is one). It could be a network problem or the fact that the authorization
1804 * failed.
1805 *
1806 * \return '0' if everything is fine, '-1' for an error. For errors,
1807 * an error message string is returned in the 'errbuf' variable.
1808 */
rpcap_doauth(SOCKET sockctrl,uint8 * ver,struct pcap_rmtauth * auth,char * errbuf)1809 static int rpcap_doauth(SOCKET sockctrl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
1810 {
1811 int status;
1812
1813 /*
1814 * Send authentication to the remote machine.
1815 *
1816 * First try with the maximum version number we support.
1817 */
1818 *ver = RPCAP_MAX_VERSION;
1819 status = rpcap_sendauth(sockctrl, ver, auth, errbuf);
1820 if (status == 0)
1821 {
1822 //
1823 // Success.
1824 //
1825 return 0;
1826 }
1827 if (status == -1)
1828 {
1829 /* Unrecoverable error. */
1830 return -1;
1831 }
1832
1833 /*
1834 * The server doesn't support the version we used in the initial
1835 * message, and it sent us back a reply either with the maximum
1836 * version they do support, or with the version we sent, and we
1837 * support that version. *ver has been set to that version; try
1838 * authenticating again with that version.
1839 */
1840 status = rpcap_sendauth(sockctrl, ver, auth, errbuf);
1841 if (status == 0)
1842 {
1843 //
1844 // Success.
1845 //
1846 return 0;
1847 }
1848 if (status == -1)
1849 {
1850 /* Unrecoverable error. */
1851 return -1;
1852 }
1853 if (status == -2)
1854 {
1855 /*
1856 * The server doesn't support that version, which
1857 * means there is no version we both support, so
1858 * this is a fatal error.
1859 */
1860 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The server doesn't support any protocol version that we support");
1861 return -1;
1862 }
1863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "rpcap_sendauth() returned %d", status);
1864 return -1;
1865 }
1866
1867 /*
1868 * This function sends the authentication message.
1869 *
1870 * It sends the authentication parameters on the control socket.
1871 * It is required in order to open the connection with the other end party.
1872 *
1873 * \param sock: the socket we are currently using.
1874 *
1875 * \param ver: pointer to variable holding protocol version number to send
1876 * and to set to the protocol version number in the reply.
1877 *
1878 * \param auth: authentication parameters that have to be sent.
1879 *
1880 * \param errbuf: a pointer to a user-allocated buffer (of size
1881 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
1882 * is one). It could be a network problem or the fact that the authorization
1883 * failed.
1884 *
1885 * \return '0' if everything is fine, '-2' if the server didn't reply with
1886 * the protocol version we requested but replied with a version we do
1887 * support, or '-1' for other errors. For errors, an error message string
1888 * is returned in the 'errbuf' variable.
1889 */
rpcap_sendauth(SOCKET sock,uint8 * ver,struct pcap_rmtauth * auth,char * errbuf)1890 static int rpcap_sendauth(SOCKET sock, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
1891 {
1892 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */
1893 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1894 uint16 length; /* length of the payload of this message */
1895 uint16 errcode;
1896 struct rpcap_auth *rpauth;
1897 uint16 auth_type;
1898 struct rpcap_header header;
1899 size_t str_length;
1900
1901 if (auth)
1902 {
1903 switch (auth->type)
1904 {
1905 case RPCAP_RMTAUTH_NULL:
1906 length = sizeof(struct rpcap_auth);
1907 break;
1908
1909 case RPCAP_RMTAUTH_PWD:
1910 length = sizeof(struct rpcap_auth);
1911 if (auth->username)
1912 {
1913 str_length = strlen(auth->username);
1914 if (str_length > 65535)
1915 {
1916 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)");
1917 return -1;
1918 }
1919 length += (uint16)str_length;
1920 }
1921 if (auth->password)
1922 {
1923 str_length = strlen(auth->password);
1924 if (str_length > 65535)
1925 {
1926 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)");
1927 return -1;
1928 }
1929 length += (uint16)str_length;
1930 }
1931 break;
1932
1933 default:
1934 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
1935 return -1;
1936 }
1937
1938 auth_type = (uint16)auth->type;
1939 }
1940 else
1941 {
1942 auth_type = RPCAP_RMTAUTH_NULL;
1943 length = sizeof(struct rpcap_auth);
1944 }
1945
1946
1947 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1948 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1949 return -1;
1950
1951 rpcap_createhdr((struct rpcap_header *) sendbuf, *ver,
1952 RPCAP_MSG_AUTH_REQ, 0, length);
1953
1954 rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx];
1955
1956 if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL,
1957 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1958 return -1;
1959
1960 memset(rpauth, 0, sizeof(struct rpcap_auth));
1961
1962 rpauth->type = htons(auth_type);
1963
1964 if (auth_type == RPCAP_RMTAUTH_PWD)
1965 {
1966 if (auth->username)
1967 rpauth->slen1 = (uint16)strlen(auth->username);
1968 else
1969 rpauth->slen1 = 0;
1970
1971 if (sock_bufferize(auth->username, rpauth->slen1, sendbuf,
1972 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
1973 return -1;
1974
1975 if (auth->password)
1976 rpauth->slen2 = (uint16)strlen(auth->password);
1977 else
1978 rpauth->slen2 = 0;
1979
1980 if (sock_bufferize(auth->password, rpauth->slen2, sendbuf,
1981 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
1982 return -1;
1983
1984 rpauth->slen1 = htons(rpauth->slen1);
1985 rpauth->slen2 = htons(rpauth->slen2);
1986 }
1987
1988 if (sock_send(sock, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) < 0)
1989 return -1;
1990
1991 /* Receive the reply */
1992 if (rpcap_recv_msg_header(sock, &header, errbuf) == -1)
1993 return -1;
1994
1995 if (rpcap_check_msg_type(sock, RPCAP_MSG_AUTH_REQ, &header,
1996 &errcode, errbuf) == -1)
1997 {
1998 /* Error message - or something else, which is a protocol error. */
1999 if (header.type == RPCAP_MSG_ERROR &&
2000 errcode == PCAP_ERR_WRONGVER)
2001 {
2002 /*
2003 * The server didn't support the version we sent,
2004 * and replied with the maximum version it supports
2005 * if our version was too big or with the version
2006 * we sent if out version was too small.
2007 *
2008 * Do we also support it?
2009 */
2010 if (!RPCAP_VERSION_IS_SUPPORTED(header.ver))
2011 {
2012 /*
2013 * No, so there's no version we both support.
2014 * This is an unrecoverable error.
2015 */
2016 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The server doesn't support any protocol version that we support");
2017 return -1;
2018 }
2019
2020 /*
2021 * OK, use that version, and tell our caller to
2022 * try again.
2023 */
2024 *ver = header.ver;
2025 return -2;
2026 }
2027
2028 /*
2029 * Other error - unrecoverable.
2030 */
2031 return -1;
2032 }
2033
2034 /*
2035 * OK, it's an authentication reply, so they're OK with the
2036 * protocol version we sent.
2037 *
2038 * Discard the rest of it.
2039 */
2040 if (rpcap_discard(sock, header.plen, errbuf) == -1)
2041 return -1;
2042
2043 return 0;
2044 }
2045
2046 /* We don't currently support non-blocking mode. */
2047 static int
pcap_getnonblock_rpcap(pcap_t * p)2048 pcap_getnonblock_rpcap(pcap_t *p)
2049 {
2050 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2051 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2052 return (-1);
2053 }
2054
2055 static int
pcap_setnonblock_rpcap(pcap_t * p,int nonblock _U_)2056 pcap_setnonblock_rpcap(pcap_t *p, int nonblock _U_)
2057 {
2058 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2059 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2060 return (-1);
2061 }
2062
2063 /*
2064 * This function opens a remote adapter by opening an RPCAP connection and
2065 * so on.
2066 *
2067 * It does the job of pcap_open_live() for a remote interface; it's called
2068 * by pcap_open() for remote interfaces.
2069 *
2070 * We do not start the capture until pcap_startcapture_remote() is called.
2071 *
2072 * This is because, when doing a remote capture, we cannot start capturing
2073 * data as soon as the 'open adapter' command is sent. Suppose the remote
2074 * adapter is already overloaded; if we start a capture (which, by default,
2075 * has a NULL filter) the new traffic can saturate the network.
2076 *
2077 * Instead, we want to "open" the adapter, then send a "start capture"
2078 * command only when we're ready to start the capture.
2079 * This function does this job: it sends an "open adapter" command
2080 * (according to the RPCAP protocol), but it does not start the capture.
2081 *
2082 * Since the other libpcap functions do not share this way of life, we
2083 * have to do some dirty things in order to make everything work.
2084 *
2085 * \param source: see pcap_open().
2086 * \param snaplen: see pcap_open().
2087 * \param flags: see pcap_open().
2088 * \param read_timeout: see pcap_open().
2089 * \param auth: see pcap_open().
2090 * \param errbuf: see pcap_open().
2091 *
2092 * \return a pcap_t pointer in case of success, NULL otherwise. In case of
2093 * success, the pcap_t pointer can be used as a parameter to the following
2094 * calls (pcap_compile() and so on). In case of problems, errbuf contains
2095 * a text explanation of error.
2096 *
2097 * WARNING: In case we call pcap_compile() and the capture has not yet
2098 * been started, the filter will be saved into the pcap_t structure,
2099 * and it will be sent to the other host later (when
2100 * pcap_startcapture_remote() is called).
2101 */
pcap_open_rpcap(const char * source,int snaplen,int flags,int read_timeout,struct pcap_rmtauth * auth,char * errbuf)2102 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
2103 {
2104 pcap_t *fp;
2105 char *source_str;
2106 struct pcap_rpcap *pr; /* structure used when doing a remote live capture */
2107 char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE];
2108 struct activehosts *activeconn; /* active connection, if there is one */
2109 int error; /* '1' if rpcap_remoteact_getsock returned an error */
2110 SOCKET sockctrl;
2111 uint8 protocol_version; /* negotiated protocol version */
2112 int active;
2113 uint32 plen;
2114 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
2115 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
2116 int retval; /* store the return value of the functions */
2117
2118 /* RPCAP-related variables */
2119 struct rpcap_header header; /* header of the RPCAP packet */
2120 struct rpcap_openreply openreply; /* open reply message */
2121
2122 fp = pcap_create_common(errbuf, sizeof (struct pcap_rpcap));
2123 if (fp == NULL)
2124 {
2125 return NULL;
2126 }
2127 source_str = strdup(source);
2128 if (source_str == NULL) {
2129 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2130 errno, "malloc");
2131 return NULL;
2132 }
2133
2134 /*
2135 * Turn a negative snapshot value (invalid), a snapshot value of
2136 * 0 (unspecified), or a value bigger than the normal maximum
2137 * value, into the maximum allowed value.
2138 *
2139 * If some application really *needs* a bigger snapshot
2140 * length, we should just increase MAXIMUM_SNAPLEN.
2141 *
2142 * XXX - should we leave this up to the remote server to
2143 * do?
2144 */
2145 if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN)
2146 snaplen = MAXIMUM_SNAPLEN;
2147
2148 fp->opt.device = source_str;
2149 fp->snapshot = snaplen;
2150 fp->opt.timeout = read_timeout;
2151 pr = fp->priv;
2152 pr->rmt_flags = flags;
2153
2154 /*
2155 * determine the type of the source (NULL, file, local, remote)
2156 * You must have a valid source string even if we're in active mode, because otherwise
2157 * the call to the following function will fail.
2158 */
2159 if (pcap_parsesrcstr(fp->opt.device, &retval, host, ctrlport, iface, errbuf) == -1)
2160 {
2161 pcap_close(fp);
2162 return NULL;
2163 }
2164
2165 if (retval != PCAP_SRC_IFREMOTE)
2166 {
2167 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "This function is able to open only remote interfaces");
2168 pcap_close(fp);
2169 return NULL;
2170 }
2171
2172 /*
2173 * Warning: this call can be the first one called by the user.
2174 * For this reason, we have to initialize the WinSock support.
2175 */
2176 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2177 {
2178 pcap_close(fp);
2179 return NULL;
2180 }
2181
2182 /* Check for active mode */
2183 activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
2184 if (activeconn != NULL)
2185 {
2186 sockctrl = activeconn->sockctrl;
2187 protocol_version = activeconn->protocol_version;
2188 active = 1;
2189 }
2190 else
2191 {
2192 struct addrinfo hints; /* temp, needed to open a socket connection */
2193 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */
2194
2195 if (error)
2196 {
2197 /*
2198 * Call failed.
2199 */
2200 pcap_close(fp);
2201 return NULL;
2202 }
2203
2204 /*
2205 * We're not in active mode; let's try to open a new
2206 * control connection.
2207 */
2208 memset(&hints, 0, sizeof(struct addrinfo));
2209 hints.ai_family = PF_UNSPEC;
2210 hints.ai_socktype = SOCK_STREAM;
2211
2212 if (ctrlport[0] == 0)
2213 {
2214 /* the user chose not to specify the port */
2215 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2216 {
2217 pcap_close(fp);
2218 return NULL;
2219 }
2220 }
2221 else
2222 {
2223 if (sock_initaddress(host, ctrlport, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2224 {
2225 pcap_close(fp);
2226 return NULL;
2227 }
2228 }
2229
2230 if ((sockctrl = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2231 {
2232 freeaddrinfo(addrinfo);
2233 pcap_close(fp);
2234 return NULL;
2235 }
2236
2237 /* addrinfo is no longer used */
2238 freeaddrinfo(addrinfo);
2239
2240 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1)
2241 {
2242 sock_close(sockctrl, NULL, 0);
2243 pcap_close(fp);
2244 return NULL;
2245 }
2246 active = 0;
2247 }
2248
2249 /*
2250 * Now it's time to start playing with the RPCAP protocol
2251 * RPCAP open command: create the request message
2252 */
2253 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
2254 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2255 goto error_nodiscard;
2256
2257 rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version,
2258 RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface));
2259
2260 if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx,
2261 RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2262 goto error_nodiscard;
2263
2264 if (sock_send(sockctrl, sendbuf, sendbufidx, errbuf,
2265 PCAP_ERRBUF_SIZE) < 0)
2266 goto error_nodiscard;
2267
2268 /* Receive and process the reply message header. */
2269 if (rpcap_process_msg_header(sockctrl, protocol_version,
2270 RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1)
2271 goto error_nodiscard;
2272 plen = header.plen;
2273
2274 /* Read the reply body */
2275 if (rpcap_recv(sockctrl, (char *)&openreply,
2276 sizeof(struct rpcap_openreply), &plen, errbuf) == -1)
2277 goto error;
2278
2279 /* Discard the rest of the message, if there is any. */
2280 if (rpcap_discard(pr->rmt_sockctrl, plen, errbuf) == -1)
2281 goto error_nodiscard;
2282
2283 /* Set proper fields into the pcap_t struct */
2284 fp->linktype = ntohl(openreply.linktype);
2285 fp->tzoff = ntohl(openreply.tzoff);
2286 pr->rmt_sockctrl = sockctrl;
2287 pr->protocol_version = protocol_version;
2288 pr->rmt_clientside = 1;
2289
2290 /* This code is duplicated from the end of this function */
2291 fp->read_op = pcap_read_rpcap;
2292 fp->save_current_filter_op = pcap_save_current_filter_rpcap;
2293 fp->setfilter_op = pcap_setfilter_rpcap;
2294 fp->getnonblock_op = pcap_getnonblock_rpcap;
2295 fp->setnonblock_op = pcap_setnonblock_rpcap;
2296 fp->stats_op = pcap_stats_rpcap;
2297 #ifdef _WIN32
2298 fp->stats_ex_op = pcap_stats_ex_rpcap;
2299 #endif
2300 fp->cleanup_op = pcap_cleanup_rpcap;
2301
2302 fp->activated = 1;
2303 return fp;
2304
2305 error:
2306 /*
2307 * When the connection has been established, we have to close it. So, at the
2308 * beginning of this function, if an error occur we return immediately with
2309 * a return NULL; when the connection is established, we have to come here
2310 * ('goto error;') in order to close everything properly.
2311 */
2312
2313 /*
2314 * Discard the rest of the message.
2315 * We already reported an error; if this gets an error, just
2316 * drive on.
2317 */
2318 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL);
2319
2320 error_nodiscard:
2321 if (!active)
2322 sock_close(sockctrl, NULL, 0);
2323
2324 pcap_close(fp);
2325 return NULL;
2326 }
2327
2328 /* String identifier to be used in the pcap_findalldevs_ex() */
2329 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter"
2330 /* String identifier to be used in the pcap_findalldevs_ex() */
2331 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node"
2332
2333 static void
freeaddr(struct pcap_addr * addr)2334 freeaddr(struct pcap_addr *addr)
2335 {
2336 free(addr->addr);
2337 free(addr->netmask);
2338 free(addr->broadaddr);
2339 free(addr->dstaddr);
2340 free(addr);
2341 }
2342
2343 int
pcap_findalldevs_ex_remote(char * source,struct pcap_rmtauth * auth,pcap_if_t ** alldevs,char * errbuf)2344 pcap_findalldevs_ex_remote(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
2345 {
2346 struct activehosts *activeconn; /* active connection, if there is one */
2347 int error; /* '1' if rpcap_remoteact_getsock returned an error */
2348 uint8 protocol_version; /* protocol version */
2349 SOCKET sockctrl; /* socket descriptor of the control connection */
2350 uint32 plen;
2351 struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */
2352 int i, j; /* temp variables */
2353 int nif; /* Number of interfaces listed */
2354 int active; /* 'true' if we the other end-party is in active mode */
2355 int type;
2356 char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE];
2357 char tmpstring[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2358 pcap_if_t *lastdev; /* Last device in the pcap_if_t list */
2359 pcap_if_t *dev; /* Device we're adding to the pcap_if_t list */
2360
2361 /* List starts out empty. */
2362 (*alldevs) = NULL;
2363 lastdev = NULL;
2364
2365 /* Retrieve the needed data for getting adapter list */
2366 if (pcap_parsesrcstr(source, &type, host, port, NULL, errbuf) == -1)
2367 return -1;
2368
2369 /* Warning: this call can be the first one called by the user. */
2370 /* For this reason, we have to initialize the WinSock support. */
2371 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2372 return -1;
2373
2374 /* Check for active mode */
2375 activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
2376 if (activeconn != NULL)
2377 {
2378 sockctrl = activeconn->sockctrl;
2379 protocol_version = activeconn->protocol_version;
2380 active = 1;
2381 }
2382 else
2383 {
2384 struct addrinfo hints; /* temp variable needed to resolve hostnames into to socket representation */
2385 struct addrinfo *addrinfo; /* temp variable needed to resolve hostnames into to socket representation */
2386
2387 if (error)
2388 {
2389 /*
2390 * Call failed.
2391 */
2392 return -1;
2393 }
2394
2395 /*
2396 * We're not in active mode; let's try to open a new
2397 * control connection.
2398 */
2399 memset(&hints, 0, sizeof(struct addrinfo));
2400 hints.ai_family = PF_UNSPEC;
2401 hints.ai_socktype = SOCK_STREAM;
2402
2403 if (port[0] == 0)
2404 {
2405 /* the user chose not to specify the port */
2406 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2407 return -1;
2408 }
2409 else
2410 {
2411 if (sock_initaddress(host, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2412 return -1;
2413 }
2414
2415 if ((sockctrl = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2416 {
2417 freeaddrinfo(addrinfo);
2418 return -1;
2419 }
2420
2421 /* addrinfo is no longer used */
2422 freeaddrinfo(addrinfo);
2423 addrinfo = NULL;
2424
2425 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1)
2426 {
2427 sock_close(sockctrl, NULL, 0);
2428 return -1;
2429 }
2430 active = 0;
2431 }
2432
2433 /* RPCAP findalldevs command */
2434 rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ,
2435 0, 0);
2436
2437 if (sock_send(sockctrl, (char *)&header, sizeof(struct rpcap_header),
2438 errbuf, PCAP_ERRBUF_SIZE) < 0)
2439 goto error_nodiscard;
2440
2441 /* Receive and process the reply message header. */
2442 if (rpcap_process_msg_header(sockctrl, protocol_version,
2443 RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1)
2444 goto error_nodiscard;
2445
2446 plen = header.plen;
2447
2448 /* read the number of interfaces */
2449 nif = ntohs(header.value);
2450
2451 /* loop until all interfaces have been received */
2452 for (i = 0; i < nif; i++)
2453 {
2454 struct rpcap_findalldevs_if findalldevs_if;
2455 char tmpstring2[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2456 size_t stringlen;
2457 struct pcap_addr *addr, *prevaddr;
2458
2459 tmpstring2[PCAP_BUF_SIZE] = 0;
2460
2461 /* receive the findalldevs structure from remote host */
2462 if (rpcap_recv(sockctrl, (char *)&findalldevs_if,
2463 sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1)
2464 goto error;
2465
2466 findalldevs_if.namelen = ntohs(findalldevs_if.namelen);
2467 findalldevs_if.desclen = ntohs(findalldevs_if.desclen);
2468 findalldevs_if.naddr = ntohs(findalldevs_if.naddr);
2469
2470 /* allocate the main structure */
2471 dev = (pcap_if_t *)malloc(sizeof(pcap_if_t));
2472 if (dev == NULL)
2473 {
2474 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2475 errno, "malloc() failed");
2476 goto error;
2477 }
2478
2479 /* Initialize the structure to 'zero' */
2480 memset(dev, 0, sizeof(pcap_if_t));
2481
2482 /* Append it to the list. */
2483 if (lastdev == NULL)
2484 {
2485 /*
2486 * List is empty, so it's also the first device.
2487 */
2488 *alldevs = dev;
2489 }
2490 else
2491 {
2492 /*
2493 * Append after the last device.
2494 */
2495 lastdev->next = dev;
2496 }
2497 /* It's now the last device. */
2498 lastdev = dev;
2499
2500 /* allocate mem for name and description */
2501 if (findalldevs_if.namelen)
2502 {
2503
2504 if (findalldevs_if.namelen >= sizeof(tmpstring))
2505 {
2506 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long");
2507 goto error;
2508 }
2509
2510 /* Retrieve adapter name */
2511 if (rpcap_recv(sockctrl, tmpstring,
2512 findalldevs_if.namelen, &plen, errbuf) == -1)
2513 goto error;
2514
2515 tmpstring[findalldevs_if.namelen] = 0;
2516
2517 /* Create the new device identifier */
2518 if (pcap_createsrcstr(tmpstring2, PCAP_SRC_IFREMOTE, host, port, tmpstring, errbuf) == -1)
2519 return -1;
2520
2521 stringlen = strlen(tmpstring2);
2522
2523 dev->name = (char *)malloc(stringlen + 1);
2524 if (dev->name == NULL)
2525 {
2526 pcap_fmt_errmsg_for_errno(errbuf,
2527 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2528 goto error;
2529 }
2530
2531 /* Copy the new device name into the correct memory location */
2532 strlcpy(dev->name, tmpstring2, stringlen + 1);
2533 }
2534
2535 if (findalldevs_if.desclen)
2536 {
2537 if (findalldevs_if.desclen >= sizeof(tmpstring))
2538 {
2539 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long");
2540 goto error;
2541 }
2542
2543 /* Retrieve adapter description */
2544 if (rpcap_recv(sockctrl, tmpstring,
2545 findalldevs_if.desclen, &plen, errbuf) == -1)
2546 goto error;
2547
2548 tmpstring[findalldevs_if.desclen] = 0;
2549
2550 pcap_snprintf(tmpstring2, sizeof(tmpstring2) - 1, "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER,
2551 tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host);
2552
2553 stringlen = strlen(tmpstring2);
2554
2555 dev->description = (char *)malloc(stringlen + 1);
2556
2557 if (dev->description == NULL)
2558 {
2559 pcap_fmt_errmsg_for_errno(errbuf,
2560 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2561 goto error;
2562 }
2563
2564 /* Copy the new device description into the correct memory location */
2565 strlcpy(dev->description, tmpstring2, stringlen + 1);
2566 }
2567
2568 dev->flags = ntohl(findalldevs_if.flags);
2569
2570 prevaddr = NULL;
2571 /* loop until all addresses have been received */
2572 for (j = 0; j < findalldevs_if.naddr; j++)
2573 {
2574 struct rpcap_findalldevs_ifaddr ifaddr;
2575
2576 /* Retrieve the interface addresses */
2577 if (rpcap_recv(sockctrl, (char *)&ifaddr,
2578 sizeof(struct rpcap_findalldevs_ifaddr),
2579 &plen, errbuf) == -1)
2580 goto error;
2581
2582 /*
2583 * Deserialize all the address components.
2584 */
2585 addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr));
2586 if (addr == NULL)
2587 {
2588 pcap_fmt_errmsg_for_errno(errbuf,
2589 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2590 goto error;
2591 }
2592 addr->next = NULL;
2593 addr->addr = NULL;
2594 addr->netmask = NULL;
2595 addr->broadaddr = NULL;
2596 addr->dstaddr = NULL;
2597
2598 if (rpcap_deseraddr(&ifaddr.addr,
2599 (struct sockaddr_storage **) &addr->addr, errbuf) == -1)
2600 {
2601 freeaddr(addr);
2602 goto error;
2603 }
2604 if (rpcap_deseraddr(&ifaddr.netmask,
2605 (struct sockaddr_storage **) &addr->netmask, errbuf) == -1)
2606 {
2607 freeaddr(addr);
2608 goto error;
2609 }
2610 if (rpcap_deseraddr(&ifaddr.broadaddr,
2611 (struct sockaddr_storage **) &addr->broadaddr, errbuf) == -1)
2612 {
2613 freeaddr(addr);
2614 goto error;
2615 }
2616 if (rpcap_deseraddr(&ifaddr.dstaddr,
2617 (struct sockaddr_storage **) &addr->dstaddr, errbuf) == -1)
2618 {
2619 freeaddr(addr);
2620 goto error;
2621 }
2622
2623 if ((addr->addr == NULL) && (addr->netmask == NULL) &&
2624 (addr->broadaddr == NULL) && (addr->dstaddr == NULL))
2625 {
2626 /*
2627 * None of the addresses are IPv4 or IPv6
2628 * addresses, so throw this entry away.
2629 */
2630 free(addr);
2631 }
2632 else
2633 {
2634 /*
2635 * Add this entry to the list.
2636 */
2637 if (prevaddr == NULL)
2638 {
2639 dev->addresses = addr;
2640 }
2641 else
2642 {
2643 prevaddr->next = addr;
2644 }
2645 prevaddr = addr;
2646 }
2647 }
2648 }
2649
2650 /* Discard the rest of the message. */
2651 if (rpcap_discard(sockctrl, plen, errbuf) == 1)
2652 goto error_nodiscard;
2653
2654 /* Control connection has to be closed only in case the remote machine is in passive mode */
2655 if (!active)
2656 {
2657 /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */
2658 if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE))
2659 return -1;
2660 }
2661
2662 /* To avoid inconsistencies in the number of sock_init() */
2663 sock_cleanup();
2664
2665 return 0;
2666
2667 error:
2668 /*
2669 * In case there has been an error, I don't want to overwrite it with a new one
2670 * if the following call fails. I want to return always the original error.
2671 *
2672 * Take care: this connection can already be closed when we try to close it.
2673 * This happens because a previous error in the rpcapd, which requested to
2674 * closed the connection. In that case, we already recognized that into the
2675 * rpspck_isheaderok() and we already acknowledged the closing.
2676 * In that sense, this call is useless here (however it is needed in case
2677 * the client generates the error).
2678 *
2679 * Checks if all the data has been read; if not, discard the data in excess
2680 */
2681 (void) rpcap_discard(sockctrl, plen, NULL);
2682
2683 error_nodiscard:
2684 /* Control connection has to be closed only in case the remote machine is in passive mode */
2685 if (!active)
2686 sock_close(sockctrl, NULL, 0);
2687
2688 /* To avoid inconsistencies in the number of sock_init() */
2689 sock_cleanup();
2690
2691 /* Free whatever interfaces we've allocated. */
2692 pcap_freealldevs(*alldevs);
2693
2694 return -1;
2695 }
2696
2697 /*
2698 * Active mode routines.
2699 *
2700 * The old libpcap API is somewhat ugly, and makes active mode difficult
2701 * to implement; we provide some APIs for it that work only with rpcap.
2702 */
2703
pcap_remoteact_accept(const char * address,const char * port,const char * hostlist,char * connectinghost,struct pcap_rmtauth * auth,char * errbuf)2704 SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
2705 {
2706 /* socket-related variables */
2707 struct addrinfo hints; /* temporary struct to keep settings needed to open the new socket */
2708 struct addrinfo *addrinfo; /* keeps the addrinfo chain; required to open a new socket */
2709 struct sockaddr_storage from; /* generic sockaddr_storage variable */
2710 socklen_t fromlen; /* keeps the length of the sockaddr_storage variable */
2711 SOCKET sockctrl; /* keeps the main socket identifier */
2712 uint8 protocol_version; /* negotiated protocol version */
2713 struct activehosts *temp, *prev; /* temp var needed to scan he host list chain */
2714
2715 *connectinghost = 0; /* just in case */
2716
2717 /* Prepare to open a new server socket */
2718 memset(&hints, 0, sizeof(struct addrinfo));
2719 /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6 */
2720 hints.ai_family = AF_INET; /* PF_UNSPEC to have both IPv4 and IPv6 server */
2721 hints.ai_flags = AI_PASSIVE; /* Ready to a bind() socket */
2722 hints.ai_socktype = SOCK_STREAM;
2723
2724 /* Warning: this call can be the first one called by the user. */
2725 /* For this reason, we have to initialize the WinSock support. */
2726 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2727 return (SOCKET)-1;
2728
2729 /* Do the work */
2730 if ((port == NULL) || (port[0] == 0))
2731 {
2732 if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2733 {
2734 SOCK_DEBUG_MESSAGE(errbuf);
2735 return (SOCKET)-2;
2736 }
2737 }
2738 else
2739 {
2740 if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2741 {
2742 SOCK_DEBUG_MESSAGE(errbuf);
2743 return (SOCKET)-2;
2744 }
2745 }
2746
2747
2748 if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2749 {
2750 SOCK_DEBUG_MESSAGE(errbuf);
2751 freeaddrinfo(addrinfo);
2752 return (SOCKET)-2;
2753 }
2754 freeaddrinfo(addrinfo);
2755
2756 /* Connection creation */
2757 fromlen = sizeof(struct sockaddr_storage);
2758
2759 sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen);
2760
2761 /* We're not using sock_close, since we do not want to send a shutdown */
2762 /* (which is not allowed on a non-connected socket) */
2763 closesocket(sockmain);
2764 sockmain = 0;
2765
2766 if (sockctrl == INVALID_SOCKET)
2767 {
2768 sock_geterror("accept(): ", errbuf, PCAP_ERRBUF_SIZE);
2769 return (SOCKET)-2;
2770 }
2771
2772 /* Get the numeric for of the name of the connecting host */
2773 if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST))
2774 {
2775 sock_geterror("getnameinfo(): ", errbuf, PCAP_ERRBUF_SIZE);
2776 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2777 sock_close(sockctrl, NULL, 0);
2778 return (SOCKET)-1;
2779 }
2780
2781 /* checks if the connecting host is among the ones allowed */
2782 if (sock_check_hostlist((char *)hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0)
2783 {
2784 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2785 sock_close(sockctrl, NULL, 0);
2786 return (SOCKET)-1;
2787 }
2788
2789 /*
2790 * Send authentication to the remote machine.
2791 */
2792 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1)
2793 {
2794 /* Unrecoverable error. */
2795 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2796 sock_close(sockctrl, NULL, 0);
2797 return (SOCKET)-3;
2798 }
2799
2800 /* Checks that this host does not already have a cntrl connection in place */
2801
2802 /* Initialize pointers */
2803 temp = activeHosts;
2804 prev = NULL;
2805
2806 while (temp)
2807 {
2808 /* This host already has an active connection in place, so I don't have to update the host list */
2809 if (sock_cmpaddr(&temp->host, &from) == 0)
2810 return sockctrl;
2811
2812 prev = temp;
2813 temp = temp->next;
2814 }
2815
2816 /* The host does not exist in the list; so I have to update the list */
2817 if (prev)
2818 {
2819 prev->next = (struct activehosts *) malloc(sizeof(struct activehosts));
2820 temp = prev->next;
2821 }
2822 else
2823 {
2824 activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts));
2825 temp = activeHosts;
2826 }
2827
2828 if (temp == NULL)
2829 {
2830 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2831 errno, "malloc() failed");
2832 rpcap_senderror(sockctrl, protocol_version, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2833 sock_close(sockctrl, NULL, 0);
2834 return (SOCKET)-1;
2835 }
2836
2837 memcpy(&temp->host, &from, fromlen);
2838 temp->sockctrl = sockctrl;
2839 temp->protocol_version = protocol_version;
2840 temp->next = NULL;
2841
2842 return sockctrl;
2843 }
2844
pcap_remoteact_close(const char * host,char * errbuf)2845 int pcap_remoteact_close(const char *host, char *errbuf)
2846 {
2847 struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */
2848 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
2849 int retval;
2850
2851 temp = activeHosts;
2852 prev = NULL;
2853
2854 /* retrieve the network address corresponding to 'host' */
2855 addrinfo = NULL;
2856 memset(&hints, 0, sizeof(struct addrinfo));
2857 hints.ai_family = PF_UNSPEC;
2858 hints.ai_socktype = SOCK_STREAM;
2859
2860 retval = getaddrinfo(host, "0", &hints, &addrinfo);
2861 if (retval != 0)
2862 {
2863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s", gai_strerror(retval));
2864 return -1;
2865 }
2866
2867 while (temp)
2868 {
2869 ai_next = addrinfo;
2870 while (ai_next)
2871 {
2872 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
2873 {
2874 struct rpcap_header header;
2875 int status = 0;
2876
2877 /* Close this connection */
2878 rpcap_createhdr(&header, temp->protocol_version,
2879 RPCAP_MSG_CLOSE, 0, 0);
2880
2881 /*
2882 * Don't check for errors, since we're
2883 * just cleaning up.
2884 */
2885 if (sock_send(temp->sockctrl,
2886 (char *)&header,
2887 sizeof(struct rpcap_header), errbuf,
2888 PCAP_ERRBUF_SIZE) < 0)
2889 {
2890 /*
2891 * Let that error be the one we
2892 * report.
2893 */
2894 (void)sock_close(temp->sockctrl, NULL,
2895 0);
2896 status = -1;
2897 }
2898 else
2899 {
2900 if (sock_close(temp->sockctrl, errbuf,
2901 PCAP_ERRBUF_SIZE) == -1)
2902 status = -1;
2903 }
2904
2905 /*
2906 * Remove the host from the list of active
2907 * hosts.
2908 */
2909 if (prev)
2910 prev->next = temp->next;
2911 else
2912 activeHosts = temp->next;
2913
2914 freeaddrinfo(addrinfo);
2915
2916 free(temp);
2917
2918 /* To avoid inconsistencies in the number of sock_init() */
2919 sock_cleanup();
2920
2921 return status;
2922 }
2923
2924 ai_next = ai_next->ai_next;
2925 }
2926 prev = temp;
2927 temp = temp->next;
2928 }
2929
2930 if (addrinfo)
2931 freeaddrinfo(addrinfo);
2932
2933 /* To avoid inconsistencies in the number of sock_init() */
2934 sock_cleanup();
2935
2936 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known");
2937 return -1;
2938 }
2939
pcap_remoteact_cleanup(void)2940 void pcap_remoteact_cleanup(void)
2941 {
2942 /* Very dirty, but it works */
2943 if (sockmain)
2944 {
2945 closesocket(sockmain);
2946
2947 /* To avoid inconsistencies in the number of sock_init() */
2948 sock_cleanup();
2949 }
2950
2951 }
2952
pcap_remoteact_list(char * hostlist,char sep,int size,char * errbuf)2953 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
2954 {
2955 struct activehosts *temp; /* temp var needed to scan the host list chain */
2956 size_t len;
2957 char hoststr[RPCAP_HOSTLIST_SIZE + 1];
2958
2959 temp = activeHosts;
2960
2961 len = 0;
2962 *hostlist = 0;
2963
2964 while (temp)
2965 {
2966 /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */
2967
2968 /* Get the numeric form of the name of the connecting host */
2969 if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr,
2970 RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1)
2971 /* if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */
2972 /* RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */
2973 {
2974 /* sock_geterror("getnameinfo(): ", errbuf, PCAP_ERRBUF_SIZE); */
2975 return -1;
2976 }
2977
2978 len = len + strlen(hoststr) + 1 /* the separator */;
2979
2980 if ((size < 0) || (len >= (size_t)size))
2981 {
2982 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep "
2983 "the hostnames for all the active connections");
2984 return -1;
2985 }
2986
2987 strlcat(hostlist, hoststr, PCAP_ERRBUF_SIZE);
2988 hostlist[len - 1] = sep;
2989 hostlist[len] = 0;
2990
2991 temp = temp->next;
2992 }
2993
2994 return 0;
2995 }
2996
2997 /*
2998 * Receive the header of a message.
2999 */
rpcap_recv_msg_header(SOCKET sock,struct rpcap_header * header,char * errbuf)3000 static int rpcap_recv_msg_header(SOCKET sock, struct rpcap_header *header, char *errbuf)
3001 {
3002 int nrecv;
3003
3004 nrecv = sock_recv(sock, (char *) header, sizeof(struct rpcap_header),
3005 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3006 PCAP_ERRBUF_SIZE);
3007 if (nrecv == -1)
3008 {
3009 /* Network error. */
3010 return -1;
3011 }
3012 header->plen = ntohl(header->plen);
3013 return 0;
3014 }
3015
3016 /*
3017 * Make sure the protocol version of a received message is what we were
3018 * expecting.
3019 */
rpcap_check_msg_ver(SOCKET sock,uint8 expected_ver,struct rpcap_header * header,char * errbuf)3020 static int rpcap_check_msg_ver(SOCKET sock, uint8 expected_ver, struct rpcap_header *header, char *errbuf)
3021 {
3022 /*
3023 * Did the server specify the version we negotiated?
3024 */
3025 if (header->ver != expected_ver)
3026 {
3027 /*
3028 * Discard the rest of the message.
3029 */
3030 if (rpcap_discard(sock, header->plen, errbuf) == -1)
3031 return -1;
3032
3033 /*
3034 * Tell our caller that it's not the negotiated version.
3035 */
3036 if (errbuf != NULL)
3037 {
3038 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3039 "Server sent us a message with version %u when we were expecting %u",
3040 header->ver, expected_ver);
3041 }
3042 return -1;
3043 }
3044 return 0;
3045 }
3046
3047 /*
3048 * Check the message type of a received message, which should either be
3049 * the expected message type or RPCAP_MSG_ERROR.
3050 */
rpcap_check_msg_type(SOCKET sock,uint8 request_type,struct rpcap_header * header,uint16 * errcode,char * errbuf)3051 static int rpcap_check_msg_type(SOCKET sock, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf)
3052 {
3053 const char *request_type_string;
3054 const char *msg_type_string;
3055
3056 /*
3057 * What type of message is it?
3058 */
3059 if (header->type == RPCAP_MSG_ERROR)
3060 {
3061 /*
3062 * The server reported an error.
3063 * Hand that error back to our caller.
3064 */
3065 *errcode = ntohs(header->value);
3066 rpcap_msg_err(sock, header->plen, errbuf);
3067 return -1;
3068 }
3069
3070 *errcode = 0;
3071
3072 /*
3073 * For a given request type value, the expected reply type value
3074 * is the request type value with ORed with RPCAP_MSG_IS_REPLY.
3075 */
3076 if (header->type != (request_type | RPCAP_MSG_IS_REPLY))
3077 {
3078 /*
3079 * This isn't a reply to the request we sent.
3080 */
3081
3082 /*
3083 * Discard the rest of the message.
3084 */
3085 if (rpcap_discard(sock, header->plen, errbuf) == -1)
3086 return -1;
3087
3088 /*
3089 * Tell our caller about it.
3090 */
3091 request_type_string = rpcap_msg_type_string(request_type);
3092 msg_type_string = rpcap_msg_type_string(header->type);
3093 if (errbuf != NULL)
3094 {
3095 if (request_type_string == NULL)
3096 {
3097 /* This should not happen. */
3098 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3099 "rpcap_check_msg_type called for request message with type %u",
3100 request_type);
3101 return -1;
3102 }
3103 if (msg_type_string != NULL)
3104 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3105 "%s message received in response to a %s message",
3106 msg_type_string, request_type_string);
3107 else
3108 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3109 "Message of unknown type %u message received in response to a %s request",
3110 header->type, request_type_string);
3111 }
3112 return -1;
3113 }
3114
3115 return 0;
3116 }
3117
3118 /*
3119 * Receive and process the header of a message.
3120 */
rpcap_process_msg_header(SOCKET sock,uint8 expected_ver,uint8 request_type,struct rpcap_header * header,char * errbuf)3121 static int rpcap_process_msg_header(SOCKET sock, uint8 expected_ver, uint8 request_type, struct rpcap_header *header, char *errbuf)
3122 {
3123 uint16 errcode;
3124
3125 if (rpcap_recv_msg_header(sock, header, errbuf) == -1)
3126 {
3127 /* Network error. */
3128 return -1;
3129 }
3130
3131 /*
3132 * Did the server specify the version we negotiated?
3133 */
3134 if (rpcap_check_msg_ver(sock, expected_ver, header, errbuf) == -1)
3135 return -1;
3136
3137 /*
3138 * Check the message type.
3139 */
3140 return rpcap_check_msg_type(sock, request_type, header,
3141 &errcode, errbuf);
3142 }
3143
3144 /*
3145 * Read data from a message.
3146 * If we're trying to read more data that remains, puts an error
3147 * message into errmsgbuf and returns -2. Otherwise, tries to read
3148 * the data and, if that succeeds, subtracts the amount read from
3149 * the number of bytes of data that remains.
3150 * Returns 0 on success, logs a message and returns -1 on a network
3151 * error.
3152 */
rpcap_recv(SOCKET sock,void * buffer,size_t toread,uint32 * plen,char * errbuf)3153 static int rpcap_recv(SOCKET sock, void *buffer, size_t toread, uint32 *plen, char *errbuf)
3154 {
3155 int nread;
3156
3157 if (toread > *plen)
3158 {
3159 /* The server sent us a bad message */
3160 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short");
3161 return -1;
3162 }
3163 nread = sock_recv(sock, buffer, toread,
3164 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE);
3165 if (nread == -1)
3166 {
3167 return -1;
3168 }
3169 *plen -= nread;
3170 return 0;
3171 }
3172
3173 /*
3174 * This handles the RPCAP_MSG_ERROR message.
3175 */
rpcap_msg_err(SOCKET sockctrl,uint32 plen,char * remote_errbuf)3176 static void rpcap_msg_err(SOCKET sockctrl, uint32 plen, char *remote_errbuf)
3177 {
3178 char errbuf[PCAP_ERRBUF_SIZE];
3179
3180 if (plen >= PCAP_ERRBUF_SIZE)
3181 {
3182 /*
3183 * Message is too long; just read as much of it as we
3184 * can into the buffer provided, and discard the rest.
3185 */
3186 if (sock_recv(sockctrl, remote_errbuf, PCAP_ERRBUF_SIZE - 1,
3187 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3188 PCAP_ERRBUF_SIZE) == -1)
3189 {
3190 // Network error.
3191 pcap_snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3192 return;
3193 }
3194
3195 /*
3196 * Null-terminate it.
3197 */
3198 remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0';
3199
3200 /*
3201 * Throw away the rest.
3202 */
3203 (void)rpcap_discard(sockctrl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf);
3204 }
3205 else if (plen == 0)
3206 {
3207 /* Empty error string. */
3208 remote_errbuf[0] = '\0';
3209 }
3210 else
3211 {
3212 if (sock_recv(sockctrl, remote_errbuf, plen,
3213 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3214 PCAP_ERRBUF_SIZE) == -1)
3215 {
3216 // Network error.
3217 pcap_snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3218 return;
3219 }
3220
3221 /*
3222 * Null-terminate it.
3223 */
3224 remote_errbuf[plen] = '\0';
3225 }
3226 }
3227
3228 /*
3229 * Discard data from a connection.
3230 * Mostly used to discard wrong-sized messages.
3231 * Returns 0 on success, logs a message and returns -1 on a network
3232 * error.
3233 */
rpcap_discard(SOCKET sock,uint32 len,char * errbuf)3234 static int rpcap_discard(SOCKET sock, uint32 len, char *errbuf)
3235 {
3236 if (len != 0)
3237 {
3238 if (sock_discard(sock, len, errbuf, PCAP_ERRBUF_SIZE) == -1)
3239 {
3240 // Network error.
3241 return -1;
3242 }
3243 }
3244 return 0;
3245 }
3246
3247 /*
3248 * Read bytes into the pcap_t's buffer until we have the specified
3249 * number of bytes read or we get an error or interrupt indication.
3250 */
rpcap_read_packet_msg(SOCKET sock,pcap_t * p,size_t size)3251 static int rpcap_read_packet_msg(SOCKET sock, pcap_t *p, size_t size)
3252 {
3253 u_char *bp;
3254 int cc;
3255 int bytes_read;
3256
3257 bp = p->bp;
3258 cc = p->cc;
3259
3260 /*
3261 * Loop until we have the amount of data requested or we get
3262 * an error or interrupt.
3263 */
3264 while ((size_t)cc < size)
3265 {
3266 /*
3267 * We haven't read all of the packet header yet.
3268 * Read what remains, which could be all of it.
3269 */
3270 bytes_read = sock_recv(sock, bp, size - cc,
3271 SOCK_RECEIVEALL_NO|SOCK_EOF_IS_ERROR, p->errbuf,
3272 PCAP_ERRBUF_SIZE);
3273 if (bytes_read == -1)
3274 {
3275 /*
3276 * Network error. Update the read pointer and
3277 * byte count, and return an error indication.
3278 */
3279 p->bp = bp;
3280 p->cc = cc;
3281 return -1;
3282 }
3283 if (bytes_read == -3)
3284 {
3285 /*
3286 * Interrupted receive. Update the read
3287 * pointer and byte count, and return
3288 * an interrupted indication.
3289 */
3290 p->bp = bp;
3291 p->cc = cc;
3292 return -3;
3293 }
3294 if (bytes_read == 0)
3295 {
3296 /*
3297 * EOF - server terminated the connection.
3298 * Update the read pointer and byte count, and
3299 * return an error indication.
3300 */
3301 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
3302 "The server terminated the connection.");
3303 return -1;
3304 }
3305 bp += bytes_read;
3306 cc += bytes_read;
3307 }
3308 p->bp = bp;
3309 p->cc = cc;
3310 return 0;
3311 }
3312