1 /* 2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy) 3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California) 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies 16 * nor the names of its contributors may be used to endorse or promote 17 * products derived from this software without specific prior written 18 * permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 * 32 */ 33 34 #ifndef __PCAP_RPCAP_H__ 35 #define __PCAP_RPCAP_H__ 36 37 38 #include "pcap.h" 39 #include "sockutils.h" /* Needed for some structures (like SOCKET, sockaddr_in) which are used here */ 40 41 42 /* 43 * \file pcap-pcap.h 44 * 45 * This file keeps all the new definitions and typedefs that are exported to the user and 46 * that are needed for the RPCAP protocol. 47 * 48 * \warning All the RPCAP functions that are allowed to return a buffer containing 49 * the error description can return max PCAP_ERRBUF_SIZE characters. 50 * However there is no guarantees that the string will be zero-terminated. 51 * Best practice is to define the errbuf variable as a char of size 'PCAP_ERRBUF_SIZE+1' 52 * and to insert manually the termination char at the end of the buffer. This will 53 * guarantee that no buffer overflows occur even if we use the printf() to show 54 * the error on the screen. 55 * 56 * \warning This file declares some typedefs that MUST be of a specific size. 57 * These definitions (i.e. typedefs) could need to be changed on other platforms than 58 * Intel IA32. 59 * 60 * \warning This file defines some structures that are used to transfer data on the network. 61 * Be careful that you compiler MUST not insert padding into these structures 62 * for better alignment. 63 * These structures have been created in order to be correctly aligned to a 32 bits 64 * boundary, but be careful in any case. 65 */ 66 67 68 69 70 71 72 73 74 /********************************************************* 75 * * 76 * General definitions / typedefs for the RPCAP protocol * 77 * * 78 *********************************************************/ 79 80 /* All the following structures and typedef belongs to the Private Documentation */ 81 /* 82 * \addtogroup remote_pri_struct 83 * \{ 84 */ 85 86 #define RPCAP_DEFAULT_NETPORT "2002" /* Default port on which the RPCAP daemon is waiting for connections. */ 87 /* Default port on which the client workstation is waiting for connections in case of active mode. */ 88 #define RPCAP_DEFAULT_NETPORT_ACTIVE "2003" 89 #define RPCAP_DEFAULT_NETADDR "" /* Default network address on which the RPCAP daemon binds to. */ 90 #define RPCAP_VERSION 0 /* Present version of the RPCAP protocol (0 = Experimental). */ 91 #define RPCAP_TIMEOUT_INIT 90 /* Initial timeout for RPCAP connections (default: 90 sec) */ 92 #define RPCAP_TIMEOUT_RUNTIME 180 /* Run-time timeout for RPCAP connections (default: 3 min) */ 93 #define RPCAP_ACTIVE_WAIT 30 /* Waiting time between two attempts to open a connection, in active mode (default: 30 sec) */ 94 #define RPCAP_SUSPEND_WRONGAUTH 1 /* If the authentication is wrong, stops 1 sec before accepting a new auth message */ 95 96 /* 97 * \brief Buffer used by socket functions to send-receive packets. 98 * In case you plan to have messages larger than this value, you have to increase it. 99 */ 100 #define RPCAP_NETBUF_SIZE 64000 101 102 103 /* 104 * \brief Separators used for the host list. 105 * 106 * It is used: 107 * - by the rpcapd daemon, when you types a list of allowed connecting hosts 108 * - by the rpcap in active mode, when the client waits for incoming connections from other hosts 109 */ 110 #define RPCAP_HOSTLIST_SEP " ,;\n\r" 111 112 113 114 115 /* WARNING: These could need to be changed on other platforms */ 116 typedef unsigned char uint8; /* Provides an 8-bits unsigned integer */ 117 typedef unsigned short uint16; /* Provides a 16-bits unsigned integer */ 118 typedef unsigned int uint32; /* Provides a 32-bits unsigned integer */ 119 typedef int int32; /* Provides a 32-bits integer */ 120 121 122 123 124 /* 125 * \brief Keeps a list of all the opened connections in the active mode. 126 * 127 * This structure defines a linked list of items that are needed to keep the info required to 128 * manage the active mode. 129 * In other words, when a new connection in active mode starts, this structure is updated so that 130 * it reflects the list of active mode connections currently opened. 131 * This structure is required by findalldevs() and open_remote() to see if they have to open a new 132 * control connection toward the host, or they already have a control connection in place. 133 */ 134 struct activehosts 135 { 136 struct sockaddr_storage host; 137 SOCKET sockctrl; 138 struct activehosts *next; 139 }; 140 141 142 /********************************************************* 143 * * 144 * Protocol messages formats * 145 * * 146 *********************************************************/ 147 /* WARNING Take care you compiler does not insert padding for better alignments into these structs */ 148 149 150 /* Common header for all the RPCAP messages */ 151 struct rpcap_header 152 { 153 uint8 ver; /* RPCAP version number */ 154 uint8 type; /* RPCAP message type (error, findalldevs, ...) */ 155 uint16 value; /* Message-dependent value (not always used) */ 156 uint32 plen; /* Length of the payload of this RPCAP message */ 157 }; 158 159 160 /* Format of the message for the interface description (findalldevs command) */ 161 struct rpcap_findalldevs_if 162 { 163 uint16 namelen; /* Length of the interface name */ 164 uint16 desclen; /* Length of the interface description */ 165 uint32 flags; /* Interface flags */ 166 uint16 naddr; /* Number of addresses */ 167 uint16 dummy; /* Must be zero */ 168 }; 169 170 171 /* Format of the message for the address listing (findalldevs command) */ 172 struct rpcap_findalldevs_ifaddr 173 { 174 struct sockaddr_storage addr; /* Network address */ 175 struct sockaddr_storage netmask; /* Netmask for that address */ 176 struct sockaddr_storage broadaddr; /* Broadcast address for that address */ 177 struct sockaddr_storage dstaddr; /* P2P destination address for that address */ 178 }; 179 180 181 182 /* 183 * \brief Format of the message of the connection opening reply (open command). 184 * 185 * This structure transfers over the network some of the values useful on the client side. 186 */ 187 struct rpcap_openreply 188 { 189 int32 linktype; /* Link type */ 190 int32 tzoff; /* Timezone offset */ 191 }; 192 193 194 195 /* Format of the message that starts a remote capture (startcap command) */ 196 struct rpcap_startcapreq 197 { 198 uint32 snaplen; /* Length of the snapshot (number of bytes to capture for each packet) */ 199 uint32 read_timeout; /* Read timeout in milliseconds */ 200 uint16 flags; /* Flags (see RPCAP_STARTCAPREQ_FLAG_xxx) */ 201 uint16 portdata; /* Network port on which the client is waiting at (if 'serveropen') */ 202 }; 203 204 205 /* Format of the reply message that devoted to start a remote capture (startcap reply command) */ 206 struct rpcap_startcapreply 207 { 208 int32 bufsize; /* Size of the user buffer allocated by WinPcap; it can be different from the one we chose */ 209 uint16 portdata; /* Network port on which the server is waiting at (passive mode only) */ 210 uint16 dummy; /* Must be zero */ 211 }; 212 213 214 /* 215 * \brief Format of the header which encapsulates captured packets when transmitted on the network. 216 * 217 * This message requires the general header as well, since we want to be able to exchange 218 * more information across the network in the future (for example statistics, and kind like that). 219 */ 220 struct rpcap_pkthdr 221 { 222 uint32 timestamp_sec; /* 'struct timeval' compatible, it represents the 'tv_sec' field */ 223 uint32 timestamp_usec; /* 'struct timeval' compatible, it represents the 'tv_usec' field */ 224 uint32 caplen; /* Length of portion present in the capture */ 225 uint32 len; /* Real length this packet (off wire) */ 226 uint32 npkt; /* Ordinal number of the packet (i.e. the first one captured has '1', the second one '2', etc) */ 227 }; 228 229 230 /* General header used for the pcap_setfilter() command; keeps just the number of BPF instructions */ 231 struct rpcap_filter 232 { 233 uint16 filtertype; /* type of the filter transferred (BPF instructions, ...) */ 234 uint16 dummy; /* Must be zero */ 235 uint32 nitems; /* Number of items contained into the filter (e.g. BPF instructions for BPF filters) */ 236 }; 237 238 239 /* Structure that keeps a single BPF instuction; it is repeated 'ninsn' times according to the 'rpcap_filterbpf' header */ 240 struct rpcap_filterbpf_insn 241 { 242 uint16 code; /* opcode of the instruction */ 243 uint8 jt; /* relative offset to jump to in case of 'true' */ 244 uint8 jf; /* relative offset to jump to in case of 'false' */ 245 int32 k; /* instruction-dependent value */ 246 }; 247 248 249 /* Structure that keeps the data required for the authentication on the remote host */ 250 struct rpcap_auth 251 { 252 uint16 type; /* Authentication type */ 253 uint16 dummy; /* Must be zero */ 254 uint16 slen1; /* Length of the first authentication item (e.g. username) */ 255 uint16 slen2; /* Length of the second authentication item (e.g. password) */ 256 }; 257 258 259 /* Structure that keeps the statistics about the number of packets captured, dropped, etc. */ 260 struct rpcap_stats 261 { 262 uint32 ifrecv; /* Packets received by the kernel filter (i.e. pcap_stats.ps_recv) */ 263 uint32 ifdrop; /* Packets dropped by the network interface (e.g. not enough buffers) (i.e. pcap_stats.ps_ifdrop) */ 264 uint32 krnldrop; /* Packets dropped by the kernel filter (i.e. pcap_stats.ps_drop) */ 265 uint32 svrcapt; /* Packets captured by the RPCAP daemon and sent on the network */ 266 }; 267 268 269 /* Structure that is needed to set sampling parameters */ 270 struct rpcap_sampling 271 { 272 uint8 method; /* Sampling method */ 273 uint8 dummy1; /* Must be zero */ 274 uint16 dummy2; /* Must be zero */ 275 uint32 value; /* Parameter related to the sampling method */ 276 }; 277 278 279 /* 280 * Private data for doing a live capture. 281 */ 282 struct pcap_md { 283 struct pcap_stat stat; 284 /* XXX */ 285 int use_bpf; /* using kernel filter */ 286 u_long TotPkts; /* can't overflow for 79 hrs on ether */ 287 u_long TotAccepted; /* count accepted by filter */ 288 u_long TotDrops; /* count of dropped packets */ 289 long TotMissed; /* missed by i/f during this run */ 290 long OrigMissed; /* missed by i/f before this run */ 291 char *device; /* device name */ 292 int timeout; /* timeout for buffering */ 293 int must_clear; /* stuff we must clear when we close */ 294 struct pcap *next; /* list of open pcaps that need stuff cleared on close */ 295 #ifdef linux 296 int sock_packet; /* using Linux 2.0 compatible interface */ 297 int cooked; /* using SOCK_DGRAM rather than SOCK_RAW */ 298 int ifindex; /* interface index of device we're bound to */ 299 int lo_ifindex; /* interface index of the loopback device */ 300 u_int packets_read; /* count of packets read with recvfrom() */ 301 bpf_u_int32 oldmode; /* mode to restore when turning monitor mode off */ 302 u_int tp_version; /* version of tpacket_hdr for mmaped ring */ 303 u_int tp_hdrlen; /* hdrlen of tpacket_hdr for mmaped ring */ 304 #endif /* linux */ 305 306 #ifdef HAVE_DAG_API 307 #ifdef HAVE_DAG_STREAMS_API 308 u_char *dag_mem_bottom;/* DAG card current memory bottom pointer */ 309 u_char *dag_mem_top; /* DAG card current memory top pointer */ 310 #else /* HAVE_DAG_STREAMS_API */ 311 void *dag_mem_base; /* DAG card memory base address */ 312 u_int dag_mem_bottom; /* DAG card current memory bottom offset */ 313 u_int dag_mem_top; /* DAG card current memory top offset */ 314 #endif /* HAVE_DAG_STREAMS_API */ 315 int dag_fcs_bits; /* Number of checksum bits from link layer */ 316 int dag_offset_flags; /* Flags to pass to dag_offset(). */ 317 int dag_stream; /* DAG stream number */ 318 int dag_timeout; /* timeout specified to pcap_open_live. 319 * Same as in linux above, introduce 320 * generally? 321 */ 322 #endif /* HAVE_DAG_API */ 323 #ifdef HAVE_ZEROCOPY_BPF 324 /* 325 * Zero-copy read buffer -- for zero-copy BPF. 'buffer' above will 326 * alternative between these two actual mmap'd buffers as required. 327 * As there is a header on the front size of the mmap'd buffer, only 328 * some of the buffer is exposed to libpcap as a whole via bufsize; 329 * zbufsize is the true size. zbuffer tracks the current zbuf 330 * associated with buffer so that it can be used to decide which the 331 * next buffer to read will be. 332 */ 333 u_char *zbuf1, *zbuf2, *zbuffer; 334 u_int zbufsize; 335 u_int zerocopy; 336 u_int interrupted; 337 struct timespec firstsel; 338 /* 339 * If there's currently a buffer being actively processed, then it is 340 * referenced here; 'buffer' is also pointed at it, but offset by the 341 * size of the header. 342 */ 343 struct bpf_zbuf_header *bzh; 344 #endif /* HAVE_ZEROCOPY_BPF */ 345 346 347 348 #ifdef HAVE_REMOTE 349 /* 350 * There is really a mess with previous variables, and it seems to me that they are not used 351 * (they are used in pcap_pf.c only). I think we have to start using them. 352 * The meaning is the following: 353 * 354 * - TotPkts: the amount of packets received by the bpf filter, *before* applying the filter 355 * - TotAccepted: the amount of packets that satisfies the filter 356 * - TotDrops: the amount of packet that were dropped into the kernel buffer because of lack of space 357 * - TotMissed: the amount of packets that were dropped by the physical interface; it is basically 358 * the value of the hardware counter into the card. This number is never put to zero, so this number 359 * takes into account the *total* number of interface drops starting from the interface power-on. 360 * - OrigMissed: the amount of packets that were dropped by the interface *when the capture begins*. 361 * This value is used to detect the number of packets dropped by the interface *during the present 362 * capture*, so that (ps_ifdrops= TotMissed - OrigMissed). 363 */ 364 unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */ 365 /* 366 * \brief It keeps the number of packets that have been received by the application. 367 * 368 * Packets dropped by the kernel buffer are not counted in this variable. The variable is always 369 * equal to (TotAccepted - TotDrops), except for the case of remote capture, in which we have also 370 * packets in flight, i.e. that have been transmitted by the remote host, but that have not been 371 * received (yet) from the client. In this case, (TotAccepted - TotDrops - TotNetDrops) gives a 372 * wrong result, since this number does not corresponds always to the number of packet received by 373 * the application. For this reason, in the remote capture we need another variable that takes 374 * into account of the number of packets actually received by the application. 375 */ 376 unsigned int TotCapt; 377 378 /*! \brief '1' if we're the network client; needed by several functions (like pcap_setfilter() ) to know if 379 they have to use the socket or they have to open the local adapter. */ 380 int rmt_clientside; 381 382 SOCKET rmt_sockctrl; //!< socket ID of the socket used for the control connection 383 SOCKET rmt_sockdata; //!< socket ID of the socket used for the data connection 384 int rmt_flags; //!< we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() 385 int rmt_capstarted; //!< 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() 386 struct pcap_samp rmt_samp; //!< Keeps the parameters related to the sampling process. 387 char *currentfilter; //!< Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. 388 #endif /* HAVE_REMOTE */ 389 390 }; 391 392 393 /* Messages field coding */ 394 #define RPCAP_MSG_ERROR 1 /* Message that keeps an error notification */ 395 #define RPCAP_MSG_FINDALLIF_REQ 2 /* Request to list all the remote interfaces */ 396 #define RPCAP_MSG_OPEN_REQ 3 /* Request to open a remote device */ 397 #define RPCAP_MSG_STARTCAP_REQ 4 /* Request to start a capture on a remote device */ 398 #define RPCAP_MSG_UPDATEFILTER_REQ 5 /* Send a compiled filter into the remote device */ 399 #define RPCAP_MSG_CLOSE 6 /* Close the connection with the remote peer */ 400 #define RPCAP_MSG_PACKET 7 /* This is a 'data' message, which carries a network packet */ 401 #define RPCAP_MSG_AUTH_REQ 8 /* Message that keeps the authentication parameters */ 402 #define RPCAP_MSG_STATS_REQ 9 /* It requires to have network statistics */ 403 #define RPCAP_MSG_ENDCAP_REQ 10 /* Stops the current capture, keeping the device open */ 404 #define RPCAP_MSG_SETSAMPLING_REQ 11 /* Set sampling parameters */ 405 406 #define RPCAP_MSG_FINDALLIF_REPLY (128+RPCAP_MSG_FINDALLIF_REQ) /* Keeps the list of all the remote interfaces */ 407 #define RPCAP_MSG_OPEN_REPLY (128+RPCAP_MSG_OPEN_REQ) /* The remote device has been opened correctly */ 408 #define RPCAP_MSG_STARTCAP_REPLY (128+RPCAP_MSG_STARTCAP_REQ) /* The capture is starting correctly */ 409 #define RPCAP_MSG_UPDATEFILTER_REPLY (128+RPCAP_MSG_UPDATEFILTER_REQ) /* The filter has been applied correctly on the remote device */ 410 #define RPCAP_MSG_AUTH_REPLY (128+RPCAP_MSG_AUTH_REQ) /* Sends a message that says 'ok, authorization successful' */ 411 #define RPCAP_MSG_STATS_REPLY (128+RPCAP_MSG_STATS_REQ) /* Message that keeps the network statistics */ 412 #define RPCAP_MSG_ENDCAP_REPLY (128+RPCAP_MSG_ENDCAP_REQ) /* Confirms that the capture stopped successfully */ 413 #define RPCAP_MSG_SETSAMPLING_REPLY (128+RPCAP_MSG_SETSAMPLING_REQ) /* Confirms that the capture stopped successfully */ 414 415 #define RPCAP_STARTCAPREQ_FLAG_PROMISC 1 /* Enables promiscuous mode (default: disabled) */ 416 #define RPCAP_STARTCAPREQ_FLAG_DGRAM 2 /* Use a datagram (i.e. UDP) connection for the data stream (default: use TCP)*/ 417 #define RPCAP_STARTCAPREQ_FLAG_SERVEROPEN 4 /* The server has to open the data connection toward the client */ 418 #define RPCAP_STARTCAPREQ_FLAG_INBOUND 8 /* Capture only inbound packets (take care: the flag has no effects with promiscuous enabled) */ 419 #define RPCAP_STARTCAPREQ_FLAG_OUTBOUND 16 /* Capture only outbound packets (take care: the flag has no effects with promiscuous enabled) */ 420 421 #define RPCAP_UPDATEFILTER_BPF 1 /* This code tells us that the filter is encoded with the BPF/NPF syntax */ 422 423 424 /* Network error codes */ 425 #define PCAP_ERR_NETW 1 /* Network error */ 426 #define PCAP_ERR_INITTIMEOUT 2 /* The RPCAP initial timeout has expired */ 427 #define PCAP_ERR_AUTH 3 /* Generic authentication error */ 428 #define PCAP_ERR_FINDALLIF 4 /* Generic findalldevs error */ 429 #define PCAP_ERR_NOREMOTEIF 5 /* The findalldevs was ok, but the remote end had no interfaces to list */ 430 #define PCAP_ERR_OPEN 6 /* Generic pcap_open error */ 431 #define PCAP_ERR_UPDATEFILTER 7 /* Generic updatefilter error */ 432 #define PCAP_ERR_GETSTATS 8 /* Generic pcap_stats error */ 433 #define PCAP_ERR_READEX 9 /* Generic pcap_next_ex error */ 434 #define PCAP_ERR_HOSTNOAUTH 10 /* The host is not authorized to connect to this server */ 435 #define PCAP_ERR_REMOTEACCEPT 11 /* Generic pcap_remoteaccept error */ 436 #define PCAP_ERR_STARTCAPTURE 12 /* Generic pcap_startcapture error */ 437 #define PCAP_ERR_ENDCAPTURE 13 /* Generic pcap_endcapture error */ 438 #define PCAP_ERR_RUNTIMETIMEOUT 14 /* The RPCAP run-time timeout has expired */ 439 #define PCAP_ERR_SETSAMPLING 15 /* Error during the settings of sampling parameters */ 440 #define PCAP_ERR_WRONGMSG 16 /* The other end endpoint sent a message which has not been recognized */ 441 #define PCAP_ERR_WRONGVER 17 /* The other end endpoint has a version number that is not compatible with our */ 442 /* 443 * \} 444 * // end of private documentation 445 */ 446 447 448 /********************************************************* 449 * * 450 * Exported function prototypes * 451 * * 452 *********************************************************/ 453 int pcap_opensource_remote(pcap_t *p, struct pcap_rmtauth *auth); 454 int pcap_startcapture_remote(pcap_t *fp); 455 456 void rpcap_createhdr(struct rpcap_header *header, uint8 type, uint16 value, uint32 length); 457 int rpcap_deseraddr(struct sockaddr_storage *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf); 458 int rpcap_checkmsg(char *errbuf, SOCKET sock, struct rpcap_header *header, uint8 first, ...); 459 int rpcap_senderror(SOCKET sock, char *error, unsigned short errcode, char *errbuf); 460 int rpcap_sendauth(SOCKET sock, struct pcap_rmtauth *auth, char *errbuf); 461 462 SOCKET rpcap_remoteact_getsock(const char *host, int *isactive, char *errbuf); 463 464 #endif 465 466