1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1997
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 #ifdef HAVE_CONFIG_H
23 #include <config.h>
24 #endif
25
26 #include <sys/param.h>
27 #include <sys/file.h>
28 #include <sys/ioctl.h>
29 #include <sys/socket.h>
30 #include <sys/time.h>
31
32 #include <net/raw.h>
33 #include <net/if.h>
34
35 #include <netinet/in.h>
36 #include <netinet/in_systm.h>
37 #include <netinet/ip.h>
38 #include <netinet/if_ether.h>
39 #include <netinet/ip_var.h>
40 #include <netinet/udp.h>
41 #include <netinet/udp_var.h>
42 #include <netinet/tcp.h>
43 #include <netinet/tcpip.h>
44
45 #include <errno.h>
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <unistd.h>
50
51 #include "pcap-int.h"
52
53 #ifdef HAVE_OS_PROTO_H
54 #include "os-proto.h"
55 #endif
56
57 /*
58 * Private data for capturing on snoop devices.
59 */
60 struct pcap_snoop {
61 struct pcap_stat stat;
62 };
63
64 static int
pcap_read_snoop(pcap_t * p,int cnt,pcap_handler callback,u_char * user)65 pcap_read_snoop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
66 {
67 struct pcap_snoop *psn = p->priv;
68 int cc;
69 register struct snoopheader *sh;
70 register u_int datalen;
71 register u_int caplen;
72 register u_char *cp;
73
74 again:
75 /*
76 * Has "pcap_breakloop()" been called?
77 */
78 if (p->break_loop) {
79 /*
80 * Yes - clear the flag that indicates that it
81 * has, and return -2 to indicate that we were
82 * told to break out of the loop.
83 */
84 p->break_loop = 0;
85 return (-2);
86 }
87 cc = read(p->fd, (char *)p->buffer, p->bufsize);
88 if (cc < 0) {
89 /* Don't choke when we get ptraced */
90 switch (errno) {
91
92 case EINTR:
93 goto again;
94
95 case EWOULDBLOCK:
96 return (0); /* XXX */
97 }
98 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
99 errno, "read");
100 return (-1);
101 }
102 sh = (struct snoopheader *)p->buffer;
103 datalen = sh->snoop_packetlen;
104
105 /*
106 * XXX - Sigh, snoop_packetlen is a 16 bit quantity. If we
107 * got a short length, but read a full sized snoop pakcet,
108 * assume we overflowed and add back the 64K...
109 */
110 if (cc == (p->snapshot + sizeof(struct snoopheader)) &&
111 (datalen < p->snapshot))
112 datalen += (64 * 1024);
113
114 caplen = (datalen < p->snapshot) ? datalen : p->snapshot;
115 cp = (u_char *)(sh + 1) + p->offset; /* XXX */
116
117 /*
118 * XXX unfortunately snoop loopback isn't exactly like
119 * BSD's. The address family is encoded in the first 2
120 * bytes rather than the first 4 bytes! Luckily the last
121 * two snoop loopback bytes are zeroed.
122 */
123 if (p->linktype == DLT_NULL && *((short *)(cp + 2)) == 0) {
124 u_int *uip = (u_int *)cp;
125 *uip >>= 16;
126 }
127
128 if (p->fcode.bf_insns == NULL ||
129 bpf_filter(p->fcode.bf_insns, cp, datalen, caplen)) {
130 struct pcap_pkthdr h;
131 ++psn->stat.ps_recv;
132 h.ts.tv_sec = sh->snoop_timestamp.tv_sec;
133 h.ts.tv_usec = sh->snoop_timestamp.tv_usec;
134 h.len = datalen;
135 h.caplen = caplen;
136 (*callback)(user, &h, cp);
137 return (1);
138 }
139 return (0);
140 }
141
142 static int
pcap_inject_snoop(pcap_t * p,const void * buf,size_t size)143 pcap_inject_snoop(pcap_t *p, const void *buf, size_t size)
144 {
145 int ret;
146
147 /*
148 * XXX - libnet overwrites the source address with what I
149 * presume is the interface's address; is that required?
150 */
151 ret = write(p->fd, buf, size);
152 if (ret == -1) {
153 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
154 errno, "send");
155 return (-1);
156 }
157 return (ret);
158 }
159
160 static int
pcap_stats_snoop(pcap_t * p,struct pcap_stat * ps)161 pcap_stats_snoop(pcap_t *p, struct pcap_stat *ps)
162 {
163 struct pcap_snoop *psn = p->priv;
164 register struct rawstats *rs;
165 struct rawstats rawstats;
166
167 rs = &rawstats;
168 memset(rs, 0, sizeof(*rs));
169 if (ioctl(p->fd, SIOCRAWSTATS, (char *)rs) < 0) {
170 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
171 errno, "SIOCRAWSTATS");
172 return (-1);
173 }
174
175 /*
176 * "ifdrops" are those dropped by the network interface
177 * due to resource shortages or hardware errors.
178 *
179 * "sbdrops" are those dropped due to socket buffer limits.
180 *
181 * As filter is done in userland, "sbdrops" counts packets
182 * regardless of whether they would've passed the filter.
183 *
184 * XXX - does this count *all* Snoop or Drain sockets,
185 * rather than just this socket? If not, why does it have
186 * both Snoop and Drain statistics?
187 */
188 psn->stat.ps_drop =
189 rs->rs_snoop.ss_ifdrops + rs->rs_snoop.ss_sbdrops +
190 rs->rs_drain.ds_ifdrops + rs->rs_drain.ds_sbdrops;
191
192 /*
193 * "ps_recv" counts only packets that passed the filter.
194 * As filtering is done in userland, this does not include
195 * packets dropped because we ran out of buffer space.
196 */
197 *ps = psn->stat;
198 return (0);
199 }
200
201 /* XXX can't disable promiscuous */
202 static int
pcap_activate_snoop(pcap_t * p)203 pcap_activate_snoop(pcap_t *p)
204 {
205 int fd;
206 struct sockaddr_raw sr;
207 struct snoopfilter sf;
208 u_int v;
209 int ll_hdrlen;
210 int snooplen;
211 struct ifreq ifr;
212
213 fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP);
214 if (fd < 0) {
215 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
216 errno, "snoop socket");
217 goto bad;
218 }
219 p->fd = fd;
220 memset(&sr, 0, sizeof(sr));
221 sr.sr_family = AF_RAW;
222 (void)strncpy(sr.sr_ifname, p->opt.device, sizeof(sr.sr_ifname));
223 if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) {
224 /*
225 * XXX - there's probably a particular bind error that
226 * means "there's no such device" and a particular bind
227 * error that means "that device doesn't support snoop";
228 * they might be the same error, if they both end up
229 * meaning "snoop doesn't know about that device".
230 */
231 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
232 errno, "snoop bind");
233 goto bad;
234 }
235 memset(&sf, 0, sizeof(sf));
236 if (ioctl(fd, SIOCADDSNOOP, &sf) < 0) {
237 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
238 errno, "SIOCADDSNOOP");
239 goto bad;
240 }
241 if (p->opt.buffer_size != 0)
242 v = p->opt.buffer_size;
243 else
244 v = 64 * 1024; /* default to 64K buffer size */
245 (void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (char *)&v, sizeof(v));
246 /*
247 * XXX hack - map device name to link layer type
248 */
249 if (strncmp("et", p->opt.device, 2) == 0 || /* Challenge 10 Mbit */
250 strncmp("ec", p->opt.device, 2) == 0 || /* Indigo/Indy 10 Mbit,
251 O2 10/100 */
252 strncmp("ef", p->opt.device, 2) == 0 || /* O200/2000 10/100 Mbit */
253 strncmp("eg", p->opt.device, 2) == 0 || /* Octane/O2xxx/O3xxx Gigabit */
254 strncmp("gfe", p->opt.device, 3) == 0 || /* GIO 100 Mbit */
255 strncmp("fxp", p->opt.device, 3) == 0 || /* Challenge VME Enet */
256 strncmp("ep", p->opt.device, 2) == 0 || /* Challenge 8x10 Mbit EPLEX */
257 strncmp("vfe", p->opt.device, 3) == 0 || /* Challenge VME 100Mbit */
258 strncmp("fa", p->opt.device, 2) == 0 ||
259 strncmp("qaa", p->opt.device, 3) == 0 ||
260 strncmp("cip", p->opt.device, 3) == 0 ||
261 strncmp("el", p->opt.device, 2) == 0) {
262 p->linktype = DLT_EN10MB;
263 p->offset = RAW_HDRPAD(sizeof(struct ether_header));
264 ll_hdrlen = sizeof(struct ether_header);
265 /*
266 * This is (presumably) a real Ethernet capture; give it a
267 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
268 * that an application can let you choose it, in case you're
269 * capturing DOCSIS traffic that a Cisco Cable Modem
270 * Termination System is putting out onto an Ethernet (it
271 * doesn't put an Ethernet header onto the wire, it puts raw
272 * DOCSIS frames out on the wire inside the low-level
273 * Ethernet framing).
274 *
275 * XXX - are there any sorts of "fake Ethernet" that have
276 * Ethernet link-layer headers but that *shouldn't offer
277 * DLT_DOCSIS as a Cisco CMTS won't put traffic onto it
278 * or get traffic bridged onto it? "el" is for ATM LANE
279 * Ethernet devices, so that might be the case for them;
280 * the same applies for "qaa" classical IP devices. If
281 * "fa" devices are for FORE SPANS, that'd apply to them
282 * as well; what are "cip" devices - some other ATM
283 * Classical IP devices?
284 */
285 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
286 /*
287 * If that fails, just leave the list empty.
288 */
289 if (p->dlt_list != NULL) {
290 p->dlt_list[0] = DLT_EN10MB;
291 p->dlt_list[1] = DLT_DOCSIS;
292 p->dlt_count = 2;
293 }
294 } else if (strncmp("ipg", p->opt.device, 3) == 0 ||
295 strncmp("rns", p->opt.device, 3) == 0 || /* O2/200/2000 FDDI */
296 strncmp("xpi", p->opt.device, 3) == 0) {
297 p->linktype = DLT_FDDI;
298 p->offset = 3; /* XXX yeah? */
299 ll_hdrlen = 13;
300 } else if (strncmp("ppp", p->opt.device, 3) == 0) {
301 p->linktype = DLT_RAW;
302 ll_hdrlen = 0; /* DLT_RAW meaning "no PPP header, just the IP packet"? */
303 } else if (strncmp("qfa", p->opt.device, 3) == 0) {
304 p->linktype = DLT_IP_OVER_FC;
305 ll_hdrlen = 24;
306 } else if (strncmp("pl", p->opt.device, 2) == 0) {
307 p->linktype = DLT_RAW;
308 ll_hdrlen = 0; /* Cray UNICOS/mp pseudo link */
309 } else if (strncmp("lo", p->opt.device, 2) == 0) {
310 p->linktype = DLT_NULL;
311 ll_hdrlen = 4;
312 } else {
313 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
314 "snoop: unknown physical layer type");
315 goto bad;
316 }
317
318 if (p->opt.rfmon) {
319 /*
320 * No monitor mode on Irix (no Wi-Fi devices on
321 * hardware supported by Irix).
322 */
323 return (PCAP_ERROR_RFMON_NOTSUP);
324 }
325
326 /*
327 * Turn a negative snapshot value (invalid), a snapshot value of
328 * 0 (unspecified), or a value bigger than the normal maximum
329 * value, into the maximum allowed value.
330 *
331 * If some application really *needs* a bigger snapshot
332 * length, we should just increase MAXIMUM_SNAPLEN.
333 */
334 if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
335 p->snapshot = MAXIMUM_SNAPLEN;
336
337 #ifdef SIOCGIFMTU
338 /*
339 * XXX - IRIX appears to give you an error if you try to set the
340 * capture length to be greater than the MTU, so let's try to get
341 * the MTU first and, if that succeeds, trim the snap length
342 * to be no greater than the MTU.
343 */
344 (void)strncpy(ifr.ifr_name, p->opt.device, sizeof(ifr.ifr_name));
345 if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) {
346 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
347 errno, "SIOCGIFMTU");
348 goto bad;
349 }
350 /*
351 * OK, we got it.
352 *
353 * XXX - some versions of IRIX 6.5 define "ifr_mtu" and have an
354 * "ifru_metric" member of the "ifr_ifru" union in an "ifreq"
355 * structure, others don't.
356 *
357 * I've no idea what's going on, so, if "ifr_mtu" isn't defined,
358 * we define it as "ifr_metric", as using that field appears to
359 * work on the versions that lack "ifr_mtu" (and, on those that
360 * don't lack it, "ifru_metric" and "ifru_mtu" are both "int"
361 * members of the "ifr_ifru" union, which suggests that they
362 * may be interchangeable in this case).
363 */
364 #ifndef ifr_mtu
365 #define ifr_mtu ifr_metric
366 #endif
367 if (p->snapshot > ifr.ifr_mtu + ll_hdrlen)
368 p->snapshot = ifr.ifr_mtu + ll_hdrlen;
369 #endif
370
371 /*
372 * The argument to SIOCSNOOPLEN is the number of link-layer
373 * payload bytes to capture - it doesn't count link-layer
374 * header bytes.
375 */
376 snooplen = p->snapshot - ll_hdrlen;
377 if (snooplen < 0)
378 snooplen = 0;
379 if (ioctl(fd, SIOCSNOOPLEN, &snooplen) < 0) {
380 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
381 errno, "SIOCSNOOPLEN");
382 goto bad;
383 }
384 v = 1;
385 if (ioctl(fd, SIOCSNOOPING, &v) < 0) {
386 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
387 errno, "SIOCSNOOPING");
388 goto bad;
389 }
390
391 p->bufsize = 4096; /* XXX */
392 p->buffer = malloc(p->bufsize);
393 if (p->buffer == NULL) {
394 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
395 errno, "malloc");
396 goto bad;
397 }
398
399 /*
400 * "p->fd" is a socket, so "select()" should work on it.
401 */
402 p->selectable_fd = p->fd;
403
404 p->read_op = pcap_read_snoop;
405 p->inject_op = pcap_inject_snoop;
406 p->setfilter_op = install_bpf_program; /* no kernel filtering */
407 p->setdirection_op = NULL; /* Not implemented. */
408 p->set_datalink_op = NULL; /* can't change data link type */
409 p->getnonblock_op = pcap_getnonblock_fd;
410 p->setnonblock_op = pcap_setnonblock_fd;
411 p->stats_op = pcap_stats_snoop;
412
413 return (0);
414 bad:
415 pcap_cleanup_live_common(p);
416 return (PCAP_ERROR);
417 }
418
419 pcap_t *
pcap_create_interface(const char * device _U_,char * ebuf)420 pcap_create_interface(const char *device _U_, char *ebuf)
421 {
422 pcap_t *p;
423
424 p = pcap_create_common(ebuf, sizeof (struct pcap_snoop));
425 if (p == NULL)
426 return (NULL);
427
428 p->activate_op = pcap_activate_snoop;
429 return (p);
430 }
431
432 /*
433 * XXX - there's probably a particular bind error that means "that device
434 * doesn't support snoop"; if so, we should try a bind and use that.
435 */
436 static int
can_be_bound(const char * name _U_)437 can_be_bound(const char *name _U_)
438 {
439 return (1);
440 }
441
442 static int
get_if_flags(const char * name _U_,bpf_u_int32 * flags _U_,char * errbuf _U_)443 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
444 {
445 /*
446 * Nothing we can do.
447 * XXX - is there a way to find out whether an adapter has
448 * something plugged into it?
449 */
450 return (0);
451 }
452
453 int
pcap_platform_finddevs(pcap_if_list_t * devlistp,char * errbuf)454 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
455 {
456 return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound,
457 get_if_flags));
458 }
459
460 /*
461 * Libpcap version string.
462 */
463 const char *
pcap_lib_version(void)464 pcap_lib_version(void)
465 {
466 return (PCAP_VERSION_STRING);
467 }
468