Lines Matching +full:print +full:- +full:flags +full:. +full:pcap
2 * pcap-linux.c: Packet capture interface to the Linux kernel
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
21 * written permission.
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
30 …"@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.110.2.14 2006/10/12 17:26:58 guy Exp $ (LB…
34 * Known problems with 2.0[.x] kernels:
36 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
39 * "recvfrom()", but, on 2.0[.x] kernels, we have to use
42 * us do that.
44 * - We have to set the interface's IFF_PROMISC flag ourselves, if
49 * listening promiscuously. We catch "pcap_close()" and, for
51 * promiscuous mode - which isn't necessarily the right thing to
54 * the socket.
56 * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()"
61 * value tells us how long the packet was on the wire.
67 * from the kernel that our caller won't see.
71 * about "truncated-ip", as the packet will appear to have been
72 * shorter, on the wire, than the IP header said it should have been.
76 #include <stdlib.h>
78 #include "config.h"
81 #include "pcap-int.h"
82 #include "sll.h"
85 #include "pcap-dag.h"
89 #include "pcap-septel.h"
92 #include <errno.h>
93 #include <unistd.h>
94 #include <fcntl.h>
95 #include <string.h>
96 #include <sys/socket.h>
97 #include <sys/ioctl.h>
98 #include <sys/utsname.h>
99 #include <net/if.h>
100 #include <netinet/in.h>
101 #include <linux/if_ether.h>
102 #include <net/if_arp.h>
106 * sockets rather than SOCK_PACKET sockets.
108 * To use them, we include <linux/if_packet.h> rather than
109 * <netpacket/packet.h>; we do so because
111 * some Linux distributions (e.g., Slackware 4.0) have 2.2 or
112 * later kernels and libc5, and don't provide a <netpacket/packet.h>
115 * not all versions of glibc2 have a <netpacket/packet.h> file
116 * that defines stuff needed for some of the 2.4-or-later-kernel
118 * still can't use those features.
120 * We're already including a number of other <linux/XXX.h> headers, and
121 * this code is Linux-specific (no other OS has PF_PACKET sockets as
123 * useful portability by using <netpacket/packet.h>
125 * XXX - should we just include <linux/if_packet.h> even if PF_PACKET
126 * isn't defined? It only defines one data structure in 2.0.x, so
127 * it shouldn't cause any problems.
130 # include <linux/if_packet.h>
134 * there's no <netpacket/packet.h> file, but PF_PACKET is defined if
135 * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define
137 * the PACKET_xxx stuff.
140 * PF_PACKET sockets only if it is defined.
148 #include <linux/types.h>
149 #include <linux/filter.h>
160 * those kernels, when we pass it in the flags argument to "recvfrom()"
162 * we want. (We don't get that behavior on 2.0[.x] kernels, because
163 * they didn't support MSG_TRUNC.)
173 * 2.0-kernel crappy way.
181 * When capturing on all interfaces we use this as the buffer size.
182 * Should be bigger than all MTUs that occur in real life.
183 * 64kB should be enough for now.
227 * Get a handle for a live capture from the given device. You can
229 * information of course). If you pass 1 as promisc the interface
232 * modification of that values -- Torsten).
234 * See also pcap(3).
258 /* Allocate a handle for this session. */ in pcap_open_live()
267 /* Initialize some components of the pcap structure. */ in pcap_open_live()
270 handle->snapshot = snaplen; in pcap_open_live()
271 handle->md.timeout = to_ms; in pcap_open_live()
275 * monitor all devices. in pcap_open_live()
279 handle->md.device = strdup("any"); in pcap_open_live()
282 /* Just a warning. */ in pcap_open_live()
288 handle->md.device = strdup(device); in pcap_open_live()
290 if (handle->md.device == NULL) { in pcap_open_live()
301 * implement this feature. in pcap_open_live()
304 * trying both methods with the newer method preferred. in pcap_open_live()
310 /* Non-fatal error; try old way */ in pcap_open_live()
316 * Both methods to open the packet socket failed. Tidy in pcap_open_live()
318 * set by the functions above). in pcap_open_live()
321 if (handle->md.device != NULL) in pcap_open_live()
322 free(handle->md.device); in pcap_open_live()
328 * Compute the buffer size. in pcap_open_live()
330 * If we're using SOCK_PACKET, this might be a 2.0[.x] kernel, in pcap_open_live()
331 * and might require special handling - check. in pcap_open_live()
333 if (handle->md.sock_packet && (uname(&utsname) < 0 || in pcap_open_live()
334 strncmp(utsname.release, "2.0", 3) == 0)) { in pcap_open_live()
338 * or it's a 2.0[.x] kernel. in pcap_open_live()
340 * In the 2.0[.x] kernel, a "recvfrom()" on in pcap_open_live()
346 * of the packet. in pcap_open_live()
351 * complain about "truncated-ip". in pcap_open_live()
356 * versions of libpcap for Linux did. in pcap_open_live()
360 * device. Unfortunately, we can't get the MRU in pcap_open_live()
361 * of the network; we can only get the MTU. The in pcap_open_live()
364 * won't get the actual packet size. in pcap_open_live()
371 * to the MTU-based size. in pcap_open_live()
374 * capture on 2.0[.x] kernels; you really want a in pcap_open_live()
375 * 2.2[.x] or later kernel if you want packet capture in pcap_open_live()
376 * to work well. in pcap_open_live()
378 mtu = iface_get_mtu(handle->fd, device, ebuf); in pcap_open_live()
379 if (mtu == -1) { in pcap_open_live()
384 handle->bufsize = MAX_LINKHEADER_SIZE + mtu; in pcap_open_live()
385 if (handle->bufsize < handle->snapshot) in pcap_open_live()
386 handle->bufsize = handle->snapshot; in pcap_open_live()
389 * This is a 2.2[.x] or later kernel (we know that in pcap_open_live()
391 * socket - PF_PACKET is supported only in 2.2 in pcap_open_live()
392 * and later kernels - or because we checked the in pcap_open_live()
393 * kernel version). in pcap_open_live()
396 * based on the snapshot length. in pcap_open_live()
401 * count of 0 to "recvfrom()"). in pcap_open_live()
403 if (handle->md.cooked) { in pcap_open_live()
404 if (handle->snapshot < SLL_HDR_LEN + 1) in pcap_open_live()
405 handle->snapshot = SLL_HDR_LEN + 1; in pcap_open_live()
407 handle->bufsize = handle->snapshot; in pcap_open_live()
412 handle->buffer = malloc(handle->bufsize + handle->offset); in pcap_open_live()
413 if (!handle->buffer) { in pcap_open_live()
422 * "handle->fd" is a socket, so "select()" and "poll()" in pcap_open_live()
423 * should work on it. in pcap_open_live()
425 handle->selectable_fd = handle->fd; in pcap_open_live()
427 handle->read_op = pcap_read_linux; in pcap_open_live()
428 handle->inject_op = pcap_inject_linux; in pcap_open_live()
429 handle->setfilter_op = pcap_setfilter_linux; in pcap_open_live()
430 handle->setdirection_op = pcap_setdirection_linux; in pcap_open_live()
431 handle->set_datalink_op = NULL; /* can't change data link type */ in pcap_open_live()
432 handle->getnonblock_op = pcap_getnonblock_fd; in pcap_open_live()
433 handle->setnonblock_op = pcap_setnonblock_fd; in pcap_open_live()
434 handle->stats_op = pcap_stats_linux; in pcap_open_live()
435 handle->close_op = pcap_close_linux; in pcap_open_live()
442 * for each of them. Returns the number of packets handled or -1 if an
443 * error occurred.
450 * so we don't loop. in pcap_read_linux()
457 * the user. Returns the number of packets received or -1 if an
458 * error occurred.
478 * fake packet header. in pcap_read_packet()
480 if (handle->md.cooked) in pcap_read_packet()
487 * support cooked devices. in pcap_read_packet()
494 bp = handle->buffer + handle->offset; in pcap_read_packet()
499 if (handle->break_loop) { in pcap_read_packet()
501 * Yes - clear the flag that indicates that it in pcap_read_packet()
502 * has, and return -2 as an indication that we in pcap_read_packet()
503 * were told to break out of the loop. in pcap_read_packet()
505 handle->break_loop = 0; in pcap_read_packet()
506 return -2; in pcap_read_packet()
510 handle->fd, bp + offset, in pcap_read_packet()
511 handle->bufsize - offset, MSG_TRUNC, in pcap_read_packet()
513 } while (packet_len == -1 && errno == EINTR); in pcap_read_packet()
517 if (packet_len == -1) { in pcap_read_packet()
521 snprintf(handle->errbuf, sizeof(handle->errbuf), in pcap_read_packet()
523 return -1; in pcap_read_packet()
528 if (!handle->md.sock_packet) { in pcap_read_packet()
532 * interface. If we're bound to a particular interface, in pcap_read_packet()
533 * discard packets not from that interface. in pcap_read_packet()
538 * filter support, and it's a bit more complicated. in pcap_read_packet()
539 * It would save some instructions per packet, however.) in pcap_read_packet()
541 if (handle->md.ifindex != -1 && in pcap_read_packet()
542 from.sll_ifindex != handle->md.ifindex) in pcap_read_packet()
546 * Do checks based on packet direction. in pcap_read_packet()
549 * which lacks the relevant packet type information. in pcap_read_packet()
551 if (from.sll_pkttype == PACKET_OUTGOING) { in pcap_read_packet()
553 * Outgoing packet. in pcap_read_packet()
556 * and we don't want to see it twice. in pcap_read_packet()
558 if (from.sll_ifindex == handle->md.lo_ifindex) in pcap_read_packet()
562 * If the user only wants incoming packets, reject it. in pcap_read_packet()
564 if (handle->direction == PCAP_D_IN) in pcap_read_packet()
568 * Incoming packet. in pcap_read_packet()
569 * If the user only wants outgoing packets, reject it. in pcap_read_packet()
571 if (handle->direction == PCAP_D_OUT) in pcap_read_packet()
579 * If this is a cooked device, fill in the fake packet header. in pcap_read_packet()
581 if (handle->md.cooked) { in pcap_read_packet()
584 * of packet data we read. in pcap_read_packet()
593 * the link-layer header even if the numerical values in pcap_read_packet()
596 * able to handle DLT_LINUX_SLL captures. in pcap_read_packet()
598 switch (from.sll_pkttype) { in pcap_read_packet()
601 hdrp->sll_pkttype = htons(LINUX_SLL_HOST); in pcap_read_packet()
605 hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST); in pcap_read_packet()
609 hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST); in pcap_read_packet()
613 hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST); in pcap_read_packet()
617 hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING); in pcap_read_packet()
621 hdrp->sll_pkttype = -1; in pcap_read_packet()
625 hdrp->sll_hatype = htons(from.sll_hatype); in pcap_read_packet()
626 hdrp->sll_halen = htons(from.sll_halen); in pcap_read_packet()
627 memcpy(hdrp->sll_addr, from.sll_addr, in pcap_read_packet()
628 (from.sll_halen > SLL_ADDRLEN) ? in pcap_read_packet()
630 from.sll_halen); in pcap_read_packet()
631 hdrp->sll_protocol = from.sll_protocol; in pcap_read_packet()
637 * packet len if calling recvfrom with MSG_TRUNC set. It does in pcap_read_packet()
639 * anyway. in pcap_read_packet()
641 * broken with 2.2.x kernels. in pcap_read_packet()
646 * hook is called with a clone of the packet. That code inserts in pcap_read_packet()
647 * the packet into the receive queue of the packet socket. in pcap_read_packet()
649 * first - and there lies the problem. The default filter always in pcap_read_packet()
652 * # tcpdump -d in pcap_read_packet()
655 * So the packet filter cuts down the packet. The recvfrom call in pcap_read_packet()
657 * the result that we don't get the real packet length. This in pcap_read_packet()
658 * is valid at least until kernel 2.2.17pre6. in pcap_read_packet()
661 * program, fixing all "ret" instructions with non-zero in pcap_read_packet()
664 * filter to the kernel. in pcap_read_packet()
668 if (caplen > handle->snapshot) in pcap_read_packet()
669 caplen = handle->snapshot; in pcap_read_packet()
672 if (!handle->md.use_bpf && handle->fcode.bf_insns) { in pcap_read_packet()
673 if (bpf_filter(handle->fcode.bf_insns, bp, in pcap_read_packet()
683 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { in pcap_read_packet()
684 snprintf(handle->errbuf, sizeof(handle->errbuf), in pcap_read_packet()
686 return -1; in pcap_read_packet()
688 pcap_header.caplen = caplen; in pcap_read_packet()
689 pcap_header.len = packet_len; in pcap_read_packet()
692 * Count the packet. in pcap_read_packet()
700 * be the same on all Linux systems. in pcap_read_packet()
702 * XXX - it's not the same on all systems in any case; in pcap_read_packet()
707 * information is available. in pcap_read_packet()
715 * might be running on a 2.2[.x] kernel without Alexey in pcap_read_packet()
717 * might not be able to supply those statistics). We in pcap_read_packet()
722 * in memory. in pcap_read_packet()
724 * We keep the count in "md.packets_read", and use that for in pcap_read_packet()
725 * "ps_recv" if we can't get the statistics from the kernel. in pcap_read_packet()
727 * the kernel, we use "md.stat.ps_recv" and "md.stat.ps_drop" in pcap_read_packet()
730 * increment "md.stat.ps_recv" here, that means it will in pcap_read_packet()
732 * statistics - once here, and once in pcap_stats_linux(). in pcap_read_packet()
734 handle->md.packets_read++; in pcap_read_packet()
748 if (!handle->md.sock_packet) { in pcap_inject_linux()
750 if (handle->md.ifindex == -1) { in pcap_inject_linux()
752 * We don't support sending on the "any" device. in pcap_inject_linux()
754 strlcpy(handle->errbuf, in pcap_inject_linux()
757 return (-1); in pcap_inject_linux()
760 if (handle->md.cooked) { in pcap_inject_linux()
762 * We don't support sending on the "any" device. in pcap_inject_linux()
764 * XXX - how do you send on a bound cooked-mode in pcap_inject_linux()
768 strlcpy(handle->errbuf, in pcap_inject_linux()
771 return (-1); in pcap_inject_linux()
776 ret = send(handle->fd, buf, size, 0); in pcap_inject_linux()
777 if (ret == -1) { in pcap_inject_linux()
778 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s", in pcap_inject_linux()
780 return (-1); in pcap_inject_linux()
786 * Get the statistics for the given packet capture handle.
789 * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket
791 * and report 0 as the count of dropped packets.
803 * Try to get the packet counts from the kernel. in pcap_stats_linux()
805 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, in pcap_stats_linux()
806 &kstats, &len) > -1) { in pcap_stats_linux()
812 * filter, not packets that didn't pass the filter. in pcap_stats_linux()
814 * ran out of buffer space. in pcap_stats_linux()
817 * out of buffer space. It doesn't count packets in pcap_stats_linux()
818 * dropped by the interface driver. It counts only in pcap_stats_linux()
819 * packets that passed the filter. in pcap_stats_linux()
823 * the application. in pcap_stats_linux()
825 * In "linux/net/packet/af_packet.c", at least in the in pcap_stats_linux()
826 * 2.4.9 kernel, "tp_packets" is incremented for every in pcap_stats_linux()
830 * not enough free space in the socket buffer. in pcap_stats_linux()
836 * there wasn't room on the socket buffer - but not in pcap_stats_linux()
837 * including packets that didn't pass the filter. in pcap_stats_linux()
841 * of whether it passed the filter. in pcap_stats_linux()
846 * as the count of drops. in pcap_stats_linux()
849 * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, .... in pcap_stats_linux()
850 * resets the counters to zero. in pcap_stats_linux()
852 handle->md.stat.ps_recv += kstats.tp_packets; in pcap_stats_linux()
853 handle->md.stat.ps_drop += kstats.tp_drops; in pcap_stats_linux()
854 *stats = handle->md.stat; in pcap_stats_linux()
864 * is built on a system without "struct tpacket_stats". in pcap_stats_linux()
867 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, in pcap_stats_linux()
869 return -1; in pcap_stats_linux()
878 * not packets that didn't pass the filter. It does not in pcap_stats_linux()
880 * space. in pcap_stats_linux()
882 * "ps_drop" is not supported. in pcap_stats_linux()
885 * the kernel by libpcap. in pcap_stats_linux()
888 * "md.packets_read", for reasons described in the comment in pcap_stats_linux()
889 * at the end of pcap_read_packet(). We have no idea how many in pcap_stats_linux()
890 * packets were dropped. in pcap_stats_linux()
892 stats->ps_recv = handle->md.packets_read; in pcap_stats_linux()
893 stats->ps_drop = 0; in pcap_stats_linux()
898 * Description string for the "any" device.
900 static const char any_descr[] = "Pseudo-device that captures on all interfaces";
906 return (-1); in pcap_platform_finddevs()
910 return (-1); in pcap_platform_finddevs()
915 return (-1); in pcap_platform_finddevs()
922 * Attach the given BPF code to the packet capture device.
934 return -1; in pcap_setfilter_linux()
936 strncpy(handle->errbuf, "setfilter: No filter specified", in pcap_setfilter_linux()
937 sizeof(handle->errbuf)); in pcap_setfilter_linux()
938 return -1; in pcap_setfilter_linux()
945 return -1; in pcap_setfilter_linux()
948 * Run user level packet filter by default. Will be overridden if in pcap_setfilter_linux()
949 * installing a kernel filter succeeds. in pcap_setfilter_linux()
951 handle->md.use_bpf = 0; in pcap_setfilter_linux()
957 if (handle->fcode.bf_len > USHRT_MAX) { in pcap_setfilter_linux()
959 * fcode.len is an unsigned short for current kernel. in pcap_setfilter_linux()
960 * I have yet to see BPF-Code with that many in pcap_setfilter_linux()
961 * instructions but still it is possible. So for the in pcap_setfilter_linux()
962 * sake of correctness I added this check. in pcap_setfilter_linux()
965 fcode.len = 0; in pcap_setfilter_linux()
966 fcode.filter = NULL; in pcap_setfilter_linux()
974 * of different size. Pointed out by Sebastian in pcap_setfilter_linux()
977 * instructions with non-zero operands have 65535 as the in pcap_setfilter_linux()
979 * memory-reference instructions use special magic offsets in pcap_setfilter_linux()
980 * in references to the link-layer header and assume that in pcap_setfilter_linux()
981 * the link-layer payload begins at 0; "fix_program()" in pcap_setfilter_linux()
982 * will do that. in pcap_setfilter_linux()
986 case -1: in pcap_setfilter_linux()
989 * Fatal error; just quit. in pcap_setfilter_linux()
991 * return -1 for that reason.) in pcap_setfilter_linux()
993 return -1; in pcap_setfilter_linux()
998 * work in the kernel. in pcap_setfilter_linux()
1005 * We have a filter that'll work in the kernel. in pcap_setfilter_linux()
1015 /* Installation succeeded - using kernel filter. */ in pcap_setfilter_linux()
1016 handle->md.use_bpf = 1; in pcap_setfilter_linux()
1018 else if (err == -1) /* Non-fatal error */ in pcap_setfilter_linux()
1021 * Print a warning if we weren't able to install in pcap_setfilter_linux()
1023 * isn't configured to support socket filters. in pcap_setfilter_linux()
1035 * filter that might've been there before, e.g. because the in pcap_setfilter_linux()
1038 * calling "pcap_setfilter()". Otherwise, the kernel filter may in pcap_setfilter_linux()
1039 * filter out packets that would pass the new userland filter. in pcap_setfilter_linux()
1041 if (!handle->md.use_bpf) in pcap_setfilter_linux()
1045 * Free up the copy of the filter that was made by "fix_program()". in pcap_setfilter_linux()
1047 if (fcode.filter != NULL) in pcap_setfilter_linux()
1048 free(fcode.filter); in pcap_setfilter_linux()
1050 if (err == -2) in pcap_setfilter_linux()
1052 return -1; in pcap_setfilter_linux()
1066 if (!handle->md.sock_packet) { in pcap_setdirection_linux()
1067 handle->direction = d; in pcap_setdirection_linux()
1073 * the direction of the packet. in pcap_setdirection_linux()
1075 snprintf(handle->errbuf, sizeof(handle->errbuf), in pcap_setdirection_linux()
1077 return -1; in pcap_setdirection_linux()
1082 * interface. pcap uses the DLT_xxx constants for this. This
1084 * constant, as arguments, and sets "handle->linktype" to the
1085 * appropriate DLT_XXX constant and sets "handle->offset" to
1086 * the appropriate value (to make "handle->offset" plus link-layer
1087 * header length be a multiple of 4, so that the link-layer payload
1088 * will be aligned on a 4-byte boundary when capturing packets).
1090 * for cases where it shouldn't be 0.)
1092 * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture
1094 * to pick some type that works in raw mode, or fail.
1096 * Sets the link type to -1 if unable to map the type.
1105 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so in map_arphrd_to_dlt()
1110 * DOCSIS frames out on the wire inside the low-level in map_arphrd_to_dlt()
1111 * Ethernet framing). in map_arphrd_to_dlt()
1113 * XXX - are there any sorts of "fake Ethernet" that have in map_arphrd_to_dlt()
1120 handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); in map_arphrd_to_dlt()
1122 * If that fails, just leave the list empty. in map_arphrd_to_dlt()
1124 if (handle->dlt_list != NULL) { in map_arphrd_to_dlt()
1125 handle->dlt_list[0] = DLT_EN10MB; in map_arphrd_to_dlt()
1126 handle->dlt_list[1] = DLT_DOCSIS; in map_arphrd_to_dlt()
1127 handle->dlt_count = 2; in map_arphrd_to_dlt()
1133 handle->linktype = DLT_EN10MB; in map_arphrd_to_dlt()
1134 handle->offset = 2; in map_arphrd_to_dlt()
1138 handle->linktype = DLT_EN3MB; in map_arphrd_to_dlt()
1142 handle->linktype = DLT_AX25; in map_arphrd_to_dlt()
1146 handle->linktype = DLT_PRONET; in map_arphrd_to_dlt()
1150 handle->linktype = DLT_CHAOS; in map_arphrd_to_dlt()
1158 handle->linktype = DLT_IEEE802; in map_arphrd_to_dlt()
1159 handle->offset = 2; in map_arphrd_to_dlt()
1163 handle->linktype = DLT_ARCNET_LINUX; in map_arphrd_to_dlt()
1166 #ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ in map_arphrd_to_dlt()
1170 handle->linktype = DLT_FDDI; in map_arphrd_to_dlt()
1171 handle->offset = 3; in map_arphrd_to_dlt()
1185 * layer protocols, and no header is prepended to packets. in map_arphrd_to_dlt()
1191 * type, there's no ioctl to *get* the encapsulation type. in map_arphrd_to_dlt()
1198 * the frame as LLC-encapsulated or as raw IP (I in map_arphrd_to_dlt()
1206 * the right thing. in map_arphrd_to_dlt()
1208 * Both of those are a nuisance - and, at least on systems in map_arphrd_to_dlt()
1211 * in cooked mode. That's what we'll do, if we can. in map_arphrd_to_dlt()
1212 * Otherwise, we'll just fail. in map_arphrd_to_dlt()
1215 handle->linktype = DLT_LINUX_SLL; in map_arphrd_to_dlt()
1217 handle->linktype = -1; in map_arphrd_to_dlt()
1220 #ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ in map_arphrd_to_dlt()
1224 handle->linktype = DLT_IEEE802_11; in map_arphrd_to_dlt()
1227 #ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ in map_arphrd_to_dlt()
1231 handle->linktype = DLT_PRISM_HEADER; in map_arphrd_to_dlt()
1238 handle->linktype = DLT_IEEE802_11_RADIO; in map_arphrd_to_dlt()
1243 * Some PPP code in the kernel supplies no link-layer in map_arphrd_to_dlt()
1245 * code supplies PPP link-layer headers ("syncppp.c"); in map_arphrd_to_dlt()
1246 * some PPP code might supply random link-layer in map_arphrd_to_dlt()
1247 * headers (PPP over ISDN - there's code in Ethereal, in map_arphrd_to_dlt()
1248 * for example, to cope with PPP-over-ISDN captures in map_arphrd_to_dlt()
1251 * oddball link-layer headers particular packets have). in map_arphrd_to_dlt()
1255 * it as DLT_RAW, for now - if somebody needs to capture, in map_arphrd_to_dlt()
1256 * on a 2.0[.x] kernel, on PPP devices that supply a in map_arphrd_to_dlt()
1257 * link-layer header, they'll have to add code here to in map_arphrd_to_dlt()
1259 * new DLT_ type, if necessary). in map_arphrd_to_dlt()
1262 handle->linktype = DLT_LINUX_SLL; in map_arphrd_to_dlt()
1265 * XXX - handle ISDN types here? We can't fall in map_arphrd_to_dlt()
1268 * link-layer encapsulation it's using, and map in map_arphrd_to_dlt()
1271 * supply raw IP packets with no link-layer in map_arphrd_to_dlt()
1274 * a link-layer header. in map_arphrd_to_dlt()
1277 * in the link-layer header when capturing on in map_arphrd_to_dlt()
1278 * ISDN devices.... in map_arphrd_to_dlt()
1280 handle->linktype = DLT_RAW; in map_arphrd_to_dlt()
1288 handle->linktype = DLT_C_HDLC; in map_arphrd_to_dlt()
1295 #define ARPHRD_SIT 776 /* From Linux 2.2.13 */ in map_arphrd_to_dlt()
1312 * XXX - should some of those be mapped to DLT_LINUX_SLL in map_arphrd_to_dlt()
1315 handle->linktype = DLT_RAW; in map_arphrd_to_dlt()
1322 handle->linktype = DLT_FRELAY; in map_arphrd_to_dlt()
1326 handle->linktype = DLT_LTALK; in map_arphrd_to_dlt()
1346 * We assume that those all mean RFC 2625 IP-over- in map_arphrd_to_dlt()
1348 * the beginning of the packet. in map_arphrd_to_dlt()
1350 handle->linktype = DLT_IP_OVER_FC; in map_arphrd_to_dlt()
1357 /* Don't expect IP packets out of this interface... */ in map_arphrd_to_dlt()
1358 handle->linktype = DLT_LINUX_IRDA; in map_arphrd_to_dlt()
1360 * so let's use "Linux-cooked" mode. Jean II */ in map_arphrd_to_dlt()
1361 //handle->md.cooked = 1; in map_arphrd_to_dlt()
1365 * is needed, please report it to <daniele@orlandi.com> */ in map_arphrd_to_dlt()
1370 /* Don't expect IP packets out of this interface... */ in map_arphrd_to_dlt()
1371 handle->linktype = DLT_LINUX_LAPD; in map_arphrd_to_dlt()
1375 handle->linktype = -1; in map_arphrd_to_dlt()
1383 * Try to open a packet socket using the new kernel interface.
1384 * Returns 0 on failure.
1392 int sock_fd = -1, arptype; in live_open_new()
1397 /* One shot loop used for error handling - bail out with break */ in live_open_new()
1401 * Open a socket with protocol family packet. If a device is in live_open_new()
1403 * the cooked interface. in live_open_new()
1409 if (sock_fd == -1) { in live_open_new()
1415 /* It seems the kernel supports the new interface. */ in live_open_new()
1416 handle->md.sock_packet = 0; in live_open_new()
1419 * Get the interface index of the loopback device. in live_open_new()
1421 * "md.lo_ifindex" to -1. in live_open_new()
1423 * XXX - can there be more than one device that loops in live_open_new()
1424 * packets back, i.e. devices other than "lo"? If so, in live_open_new()
1427 * "pcap_read_packet()". in live_open_new()
1429 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf); in live_open_new()
1432 * Default value for offset to align link-layer payload in live_open_new()
1433 * on a 4-byte boundary. in live_open_new()
1435 handle->offset = 0; in live_open_new()
1439 * to cooked mode if we have an unknown interface type. in live_open_new()
1443 /* Assume for now we don't need cooked mode. */ in live_open_new()
1444 handle->md.cooked = 0; in live_open_new()
1447 if (arptype == -1) { in live_open_new()
1452 if (handle->linktype == -1 || in live_open_new()
1453 handle->linktype == DLT_LINUX_SLL || in live_open_new()
1454 handle->linktype == DLT_LINUX_IRDA || in live_open_new()
1455 handle->linktype == DLT_LINUX_LAPD || in live_open_new()
1456 (handle->linktype == DLT_EN10MB && in live_open_new()
1460 * Unknown interface type (-1), or a in live_open_new()
1462 * in cooked mode (e.g., PPP devices), in live_open_new()
1463 * or an ISDN device (whose link-layer in live_open_new()
1466 * kernels) - reopen in cooked mode. in live_open_new()
1468 if (close(sock_fd) == -1) { in live_open_new()
1475 if (sock_fd == -1) { in live_open_new()
1480 handle->md.cooked = 1; in live_open_new()
1483 * Get rid of any link-layer type list in live_open_new()
1484 * we allocated - this only supports cooked in live_open_new()
1485 * capture. in live_open_new()
1487 if (handle->dlt_list != NULL) { in live_open_new()
1488 free(handle->dlt_list); in live_open_new()
1489 handle->dlt_list = NULL; in live_open_new()
1490 handle->dlt_count = 0; in live_open_new()
1493 if (handle->linktype == -1) { in live_open_new()
1498 * to handle the new type. in live_open_new()
1502 "supported by libpcap - " in live_open_new()
1508 * it's IrLAP frames, not IP packets. */ in live_open_new()
1509 if (handle->linktype != DLT_LINUX_IRDA && in live_open_new()
1510 handle->linktype != DLT_LINUX_LAPD) in live_open_new()
1511 handle->linktype = DLT_LINUX_SLL; in live_open_new()
1514 handle->md.ifindex = iface_get_id(sock_fd, device, ebuf); in live_open_new()
1515 if (handle->md.ifindex == -1) in live_open_new()
1518 if ((err = iface_bind(sock_fd, handle->md.ifindex, in live_open_new()
1520 if (err == -2) in live_open_new()
1526 * This is cooked mode. in live_open_new()
1528 handle->md.cooked = 1; in live_open_new()
1529 handle->linktype = DLT_LINUX_SLL; in live_open_new()
1532 * We're not bound to a device. in live_open_new()
1533 * XXX - true? Or true only if we're using in live_open_new()
1538 * mode. in live_open_new()
1540 handle->md.ifindex = -1; in live_open_new()
1544 * Select promiscuous mode on if "promisc" is set. in live_open_new()
1547 * promiscuous mode - on some devices (e.g., Orinoco in live_open_new()
1552 * other platform I know of does starting a non- in live_open_new()
1554 * are received by the interface. in live_open_new()
1559 * I am not sure if that is possible at all. in live_open_new()
1564 mr.mr_ifindex = handle->md.ifindex; in live_open_new()
1565 mr.mr_type = PACKET_MR_PROMISC; in live_open_new()
1567 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1) in live_open_new()
1575 /* Save the socket FD in the pcap structure */ in live_open_new()
1577 handle->fd = sock_fd; in live_open_new()
1583 if (sock_fd != -1) in live_open_new()
1588 * Get rid of any link-layer type list we allocated. in live_open_new()
1590 if (handle->dlt_list != NULL) in live_open_new()
1591 free(handle->dlt_list); in live_open_new()
1592 return -2; in live_open_new()
1605 * Return the index of the given device name. Fill ebuf and return
1606 * -1 on failure.
1614 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); in iface_get_id()
1616 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { in iface_get_id()
1619 return -1; in iface_get_id()
1622 return ifr.ifr_ifindex; in iface_get_id()
1626 * Bind the socket associated with FD to the given device.
1636 sll.sll_family = AF_PACKET; in iface_bind()
1637 sll.sll_ifindex = ifindex; in iface_bind()
1638 sll.sll_protocol = htons(ETH_P_ALL); in iface_bind()
1640 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { in iface_bind()
1643 return -1; in iface_bind()
1646 /* Any pending errors, e.g., network is down? */ in iface_bind()
1648 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { in iface_bind()
1651 return -2; in iface_bind()
1657 return -2; in iface_bind()
1670 * have to reset the interface before exiting. The problem can't really
1671 * be solved without some daemon taking care of managing usage counts.
1675 * of promiscuous mode.
1679 * List of pcaps for which we turned promiscuous mode on by hand.
1682 * off.
1684 static struct pcap *pcaps_to_close;
1688 * be called on exit.
1694 struct pcap *handle; in pcap_close_all()
1702 struct pcap *p, *prevp; in pcap_close_linux()
1705 if (handle->md.clear_promisc) { in pcap_close_linux()
1708 * it out of promiscuous mode. in pcap_close_linux()
1710 * XXX - if somebody else wants it in promiscuous mode, in pcap_close_linux()
1712 * of promiscuous mode. That's not fixable in 2.0[.x] in pcap_close_linux()
1713 * kernels. in pcap_close_linux()
1716 strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)); in pcap_close_linux()
1717 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { in pcap_close_linux()
1719 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" in pcap_close_linux()
1720 "Please adjust manually.\n" in pcap_close_linux()
1721 "Hint: This can't happen with Linux >= 2.2.0.\n", in pcap_close_linux()
1724 if (ifr.ifr_flags & IFF_PROMISC) { in pcap_close_linux()
1727 * off. in pcap_close_linux()
1729 ifr.ifr_flags &= ~IFF_PROMISC; in pcap_close_linux()
1730 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { in pcap_close_linux()
1732 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" in pcap_close_linux()
1733 "Please adjust manually.\n" in pcap_close_linux()
1734 "Hint: This can't happen with Linux >= 2.2.0.\n", in pcap_close_linux()
1741 * Take this pcap out of the list of pcaps for which we in pcap_close_linux()
1742 * have to take the interface out of promiscuous mode. in pcap_close_linux()
1745 prevp = p, p = p->md.next) { in pcap_close_linux()
1748 * Found it. Remove it from the list. in pcap_close_linux()
1752 * It was at the head of the list. in pcap_close_linux()
1754 pcaps_to_close = p->md.next; in pcap_close_linux()
1757 * It was in the middle of the list. in pcap_close_linux()
1759 prevp->md.next = p->md.next; in pcap_close_linux()
1766 if (handle->md.device != NULL) in pcap_close_linux()
1767 free(handle->md.device); in pcap_close_linux()
1768 handle->md.device = NULL; in pcap_close_linux()
1773 * Try to open a packet socket using the old kernel interface.
1774 * Returns 0 on failure.
1787 handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); in live_open_old()
1788 if (handle->fd == -1) { in live_open_old()
1794 /* It worked - we are using the old interface */ in live_open_old()
1795 handle->md.sock_packet = 1; in live_open_old()
1797 /* ...which means we get the link-layer header. */ in live_open_old()
1798 handle->md.cooked = 0; in live_open_old()
1803 … strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems", in live_open_old()
1807 if (iface_bind_old(handle->fd, device, ebuf) == -1) in live_open_old()
1811 * Try to get the link-layer type. in live_open_old()
1813 arptype = iface_get_arptype(handle->fd, device, ebuf); in live_open_old()
1814 if (arptype == -1) in live_open_old()
1819 * link-layer type. in live_open_old()
1822 if (handle->linktype == -1) { in live_open_old()
1832 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); in live_open_old()
1833 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { in live_open_old()
1838 if ((ifr.ifr_flags & IFF_PROMISC) == 0) { in live_open_old()
1843 * pcap_t is closed. in live_open_old()
1849 * we exit. in live_open_old()
1852 if (atexit(pcap_close_all) == -1) { in live_open_old()
1857 * give up. in live_open_old()
1866 ifr.ifr_flags |= IFF_PROMISC; in live_open_old()
1867 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { in live_open_old()
1873 handle->md.clear_promisc = 1; in live_open_old()
1877 * to close when we exit. in live_open_old()
1879 handle->md.next = pcaps_to_close; in live_open_old()
1885 * Default value for offset to align link-layer payload in live_open_old()
1886 * on a 4-byte boundary. in live_open_old()
1888 handle->offset = 0; in live_open_old()
1900 * interface of the old kernels.
1910 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); in iface_bind_old()
1911 if (bind(fd, &saddr, sizeof(saddr)) == -1) { in iface_bind_old()
1914 return -1; in iface_bind_old()
1917 /* Any pending errors, e.g., network is down? */ in iface_bind_old()
1919 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { in iface_bind_old()
1922 return -1; in iface_bind_old()
1928 return -1; in iface_bind_old()
1938 * Query the kernel for the MTU of the given interface.
1949 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); in iface_get_mtu()
1951 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { in iface_get_mtu()
1954 return -1; in iface_get_mtu()
1957 return ifr.ifr_mtu; in iface_get_mtu()
1961 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1969 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); in iface_get_arptype()
1971 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { in iface_get_arptype()
1974 return -1; in iface_get_arptype()
1977 return ifr.ifr_hwaddr.sa_family; in iface_get_arptype()
1992 * necessary. in fix_program()
1994 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; in fix_program()
1995 len = handle->fcode.bf_len; in fix_program()
1998 snprintf(handle->errbuf, sizeof(handle->errbuf), in fix_program()
2000 return -1; in fix_program()
2002 memcpy(f, handle->fcode.bf_insns, prog_size); in fix_program()
2003 fcode->len = len; in fix_program()
2004 fcode->filter = (struct sock_filter *) f; in fix_program()
2011 switch (BPF_CLASS(p->code)) { in fix_program()
2019 if (BPF_MODE(p->code) == BPF_K) { in fix_program()
2021 * Yes - if the value to be returned, in fix_program()
2022 * i.e. the snapshot length, is anything in fix_program()
2025 * not by the filter. in fix_program()
2027 * XXX - there's nothing we can easily do in fix_program()
2030 * code to force non-zero values to be in fix_program()
2031 * 65535. in fix_program()
2033 if (p->k != 0) in fix_program()
2034 p->k = 65535; in fix_program()
2044 switch (BPF_MODE(p->code)) { in fix_program()
2052 if (handle->md.cooked) { in fix_program()
2055 * instruction. in fix_program()
2059 * We failed to do so. in fix_program()
2061 * knows to punt to userland. in fix_program()
2080 if (p->k >= SLL_HDR_LEN) { in fix_offset()
2082 * It's within the link-layer payload; that starts at an in fix_offset()
2084 * concerned, so subtract the length of the link-layer in fix_offset()
2085 * header. in fix_offset()
2087 p->k -= SLL_HDR_LEN; in fix_offset()
2088 } else if (p->k == 14) { in fix_offset()
2091 * kernel offset for that field. in fix_offset()
2093 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; in fix_offset()
2098 * to userland. in fix_offset()
2100 return -1; in fix_offset()
2118 * packets haven't yet been read. in set_kernel_filter()
2122 * be packets that wouldn't have passed the filter. in set_kernel_filter()
2125 * when setting a kernel filter. (This isn't an issue for in set_kernel_filter()
2127 * packets are queued up.) in set_kernel_filter()
2129 * To flush those packets, we put the socket in read-only mode, in set_kernel_filter()
2131 * read. in set_kernel_filter()
2133 * In order to keep that from being an infinite loop - i.e., in set_kernel_filter()
2135 * the queue - we put the "total filter", which is a filter in set_kernel_filter()
2137 * the queue. in set_kernel_filter()
2142 * done in the kernel. in set_kernel_filter()
2144 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, in set_kernel_filter()
2149 * Note that we've put the total filter onto the socket. in set_kernel_filter()
2155 * non-blocking mode; we drain it by reading packets in set_kernel_filter()
2157 * "nothing more to be read" error). in set_kernel_filter()
2159 save_mode = fcntl(handle->fd, F_GETFL, 0); in set_kernel_filter()
2160 if (save_mode != -1 && in set_kernel_filter()
2161 fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) { in set_kernel_filter()
2162 while (recv(handle->fd, &drain, sizeof drain, in set_kernel_filter()
2166 fcntl(handle->fd, F_SETFL, save_mode); in set_kernel_filter()
2170 snprintf(handle->errbuf, sizeof(handle->errbuf), in set_kernel_filter()
2172 return -2; in set_kernel_filter()
2178 * Now attach the new filter. in set_kernel_filter()
2180 ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, in set_kernel_filter()
2182 if (ret == -1 && total_filter_on) { in set_kernel_filter()
2185 * but we could set the total filter on the socket. in set_kernel_filter()
2191 * total filter so we see packets. in set_kernel_filter()
2196 * XXX - if this fails, we're really screwed; in set_kernel_filter()
2198 * and it won't come off. What do we do then? in set_kernel_filter()
2211 * setsockopt() barfs unless it gets a dummy parameter. in reset_kernel_filter()
2214 * parameter. in reset_kernel_filter()
2218 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, in reset_kernel_filter()