]> The Tcpdump Group git mirrors - libpcap/blob - pcap-pf.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add support for sending packets; includes contributions from Mark
[libpcap] / pcap-pf.c
1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * packet filter subroutines for tcpdump
22 * Extraction/creation by Jeffrey Mogul, DECWRL
23 */
24
25 #ifndef lint
26 static const char rcsid[] _U_ =
27 "@(#) $Header: /tcpdump/master/libpcap/pcap-pf.c,v 1.87 2004-03-23 19:18:06 guy Exp $ (LBL)";
28 #endif
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33
34 #include <sys/types.h>
35 #include <sys/time.h>
36 #include <sys/timeb.h>
37 #include <sys/socket.h>
38 #include <sys/file.h>
39 #include <sys/ioctl.h>
40 #include <net/pfilt.h>
41
42 struct mbuf;
43 struct rtentry;
44 #include <net/if.h>
45
46 #include <netinet/in.h>
47 #include <netinet/in_systm.h>
48 #include <netinet/ip.h>
49 #include <netinet/if_ether.h>
50 #include <netinet/ip_var.h>
51 #include <netinet/udp.h>
52 #include <netinet/udp_var.h>
53 #include <netinet/tcp.h>
54 #include <netinet/tcpip.h>
55
56 #include <ctype.h>
57 #include <errno.h>
58 #include <netdb.h>
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 #include <unistd.h>
63
64 /*
65 * Make "pcap.h" not include "pcap-bpf.h"; we are going to include the
66 * native OS version, as we need various BPF ioctls from it.
67 */
68 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
69 #include <net/bpf.h>
70
71 #include "pcap-int.h"
72
73 #ifdef HAVE_OS_PROTO_H
74 #include "os-proto.h"
75 #endif
76
77 static int pcap_setfilter_pf(pcap_t *, struct bpf_program *);
78
79 /*
80 * BUFSPACE is the size in bytes of the packet read buffer. Most tcpdump
81 * applications aren't going to need more than 200 bytes of packet header
82 * and the read shouldn't return more packets than packetfilter's internal
83 * queue limit (bounded at 256).
84 */
85 #define BUFSPACE (200 * 256)
86
87 static int
88 pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
89 {
90 register u_char *p, *bp;
91 struct bpf_insn *fcode;
92 register int cc, n, buflen, inc;
93 register struct enstamp *sp;
94 #ifdef LBL_ALIGN
95 struct enstamp stamp;
96 #endif
97 #ifdef PCAP_FDDIPAD
98 register int pad;
99 #endif
100
101 fcode = pc->md.use_bpf ? NULL : pc->fcode.bf_insns;
102 again:
103 cc = pc->cc;
104 if (cc == 0) {
105 cc = read(pc->fd, (char *)pc->buffer + pc->offset, pc->bufsize);
106 if (cc < 0) {
107 if (errno == EWOULDBLOCK)
108 return (0);
109 if (errno == EINVAL &&
110 lseek(pc->fd, 0L, SEEK_CUR) + pc->bufsize < 0) {
111 /*
112 * Due to a kernel bug, after 2^31 bytes,
113 * the kernel file offset overflows and
114 * read fails with EINVAL. The lseek()
115 * to 0 will fix things.
116 */
117 (void)lseek(pc->fd, 0L, SEEK_SET);
118 goto again;
119 }
120 snprintf(pc->errbuf, sizeof(pc->errbuf), "pf read: %s",
121 pcap_strerror(errno));
122 return (-1);
123 }
124 bp = pc->buffer + pc->offset;
125 } else
126 bp = pc->bp;
127 /*
128 * Loop through each packet.
129 */
130 n = 0;
131 #ifdef PCAP_FDDIPAD
132 if (pc->linktype == DLT_FDDI)
133 pad = pcap_fddipad;
134 else
135 pad = 0;
136 #endif
137 while (cc > 0) {
138 /*
139 * Has "pcap_breakloop()" been called?
140 * If so, return immediately - if we haven't read any
141 * packets, clear the flag and return -2 to indicate
142 * that we were told to break out of the loop, otherwise
143 * leave the flag set, so that the *next* call will break
144 * out of the loop without having read any packets, and
145 * return the number of packets we've processed so far.
146 */
147 if (pc->break_loop) {
148 if (n == 0) {
149 pc->break_loop = 0;
150 return (-2);
151 } else {
152 pc->cc = cc;
153 pc->bp = bp;
154 return (n);
155 }
156 }
157 if (cc < sizeof(*sp)) {
158 snprintf(pc->errbuf, sizeof(pc->errbuf),
159 "pf short read (%d)", cc);
160 return (-1);
161 }
162 #ifdef LBL_ALIGN
163 if ((long)bp & 3) {
164 sp = &stamp;
165 memcpy((char *)sp, (char *)bp, sizeof(*sp));
166 } else
167 #endif
168 sp = (struct enstamp *)bp;
169 if (sp->ens_stamplen != sizeof(*sp)) {
170 snprintf(pc->errbuf, sizeof(pc->errbuf),
171 "pf short stamplen (%d)",
172 sp->ens_stamplen);
173 return (-1);
174 }
175
176 p = bp + sp->ens_stamplen;
177 buflen = sp->ens_count;
178 if (buflen > pc->snapshot)
179 buflen = pc->snapshot;
180
181 /* Calculate inc before possible pad update */
182 inc = ENALIGN(buflen + sp->ens_stamplen);
183 cc -= inc;
184 bp += inc;
185 #ifdef PCAP_FDDIPAD
186 p += pad;
187 buflen -= pad;
188 #endif
189 pc->md.TotPkts++;
190 pc->md.TotDrops += sp->ens_dropped;
191 pc->md.TotMissed = sp->ens_ifoverflows;
192 if (pc->md.OrigMissed < 0)
193 pc->md.OrigMissed = pc->md.TotMissed;
194
195 /*
196 * Short-circuit evaluation: if using BPF filter
197 * in kernel, no need to do it now.
198 */
199 if (fcode == NULL ||
200 bpf_filter(fcode, p, sp->ens_count, buflen)) {
201 struct pcap_pkthdr h;
202 pc->md.TotAccepted++;
203 h.ts = sp->ens_tstamp;
204 #ifdef PCAP_FDDIPAD
205 h.len = sp->ens_count - pad;
206 #else
207 h.len = sp->ens_count;
208 #endif
209 h.caplen = buflen;
210 (*callback)(user, &h, p);
211 if (++n >= cnt && cnt > 0) {
212 pc->cc = cc;
213 pc->bp = bp;
214 return (n);
215 }
216 }
217 }
218 pc->cc = 0;
219 return (n);
220 }
221
222 static int
223 pcap_inject_pf(pcap_t *p, const void *buf, size_t size)
224 {
225 int ret;
226
227 ret = write(p->fd, buf, size);
228 if (ret == -1) {
229 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
230 pcap_strerror(errno));
231 return (-1);
232 }
233 return (ret);
234 }
235
236 static int
237 pcap_stats_pf(pcap_t *p, struct pcap_stat *ps)
238 {
239
240 /*
241 * If packet filtering is being done in the kernel:
242 *
243 * "ps_recv" counts only packets that passed the filter.
244 * This does not include packets dropped because we
245 * ran out of buffer space. (XXX - perhaps it should,
246 * by adding "ps_drop" to "ps_recv", for compatibility
247 * with some other platforms. On the other hand, on
248 * some platforms "ps_recv" counts only packets that
249 * passed the filter, and on others it counts packets
250 * that didn't pass the filter....)
251 *
252 * "ps_drop" counts packets that passed the kernel filter
253 * (if any) but were dropped because the input queue was
254 * full.
255 *
256 * "ps_ifdrop" counts packets dropped by the network
257 * inteface (regardless of whether they would have passed
258 * the input filter, of course).
259 *
260 * If packet filtering is not being done in the kernel:
261 *
262 * "ps_recv" counts only packets that passed the filter.
263 *
264 * "ps_drop" counts packets that were dropped because the
265 * input queue was full, regardless of whether they passed
266 * the userland filter.
267 *
268 * "ps_ifdrop" counts packets dropped by the network
269 * inteface (regardless of whether they would have passed
270 * the input filter, of course).
271 *
272 * These statistics don't include packets not yet read from
273 * the kernel by libpcap, but they may include packets not
274 * yet read from libpcap by the application.
275 */
276 ps->ps_recv = p->md.TotAccepted;
277 ps->ps_drop = p->md.TotDrops;
278 ps->ps_ifdrop = p->md.TotMissed - p->md.OrigMissed;
279 return (0);
280 }
281
282 static void
283 pcap_close_pf(pcap_t *p)
284 {
285 if (p->buffer != NULL)
286 free(p->buffer);
287 if (p->fd >= 0)
288 close(p->fd);
289 }
290
291 /*
292 * We include the OS's <net/bpf.h>, not our "pcap-bpf.h", so we probably
293 * don't get DLT_DOCSIS defined.
294 */
295 #ifndef DLT_DOCSIS
296 #define DLT_DOCSIS 143
297 #endif
298
299 pcap_t *
300 pcap_open_live(const char *device, int snaplen, int promisc, int to_ms,
301 char *ebuf)
302 {
303 pcap_t *p;
304 short enmode;
305 int backlog = -1; /* request the most */
306 struct enfilter Filter;
307 struct endevp devparams;
308
309 p = (pcap_t *)malloc(sizeof(*p));
310 if (p == NULL) {
311 snprintf(ebuf, PCAP_ERRBUF_SIZE,
312 "pcap_open_live: %s", pcap_strerror(errno));
313 return (0);
314 }
315 memset(p, 0, sizeof(*p));
316 /*
317 * Initially try a read/write open (to allow the inject
318 * method to work). If that fails due to permission
319 * issues, fall back to read-only. This allows a
320 * non-root user to be granted specific access to pcap
321 * capabilities via file permissions.
322 *
323 * XXX - we should have an API that has a flag that
324 * controls whether to open read-only or read-write,
325 * so that denial of permission to send (or inability
326 * to send, if sending packets isn't supported on
327 * the device in question) can be indicated at open
328 * time.
329 *
330 * XXX - we assume here that "pfopen()" does not, in fact, modify
331 * its argument, even though it takes a "char *" rather than a
332 * "const char *" as its first argument. That appears to be
333 * the case, at least on Digital UNIX 4.0.
334 */
335 p->fd = pfopen(device, O_RDWR);
336 if (p->fd == -1 && errno == EACCES)
337 p->fd = pfopen(device, O_RDONLY);
338 if (p->fd < 0) {
339 snprintf(ebuf, PCAP_ERRBUF_SIZE, "pf open: %s: %s\n\
340 your system may not be properly configured; see the packetfilter(4) man page\n",
341 device, pcap_strerror(errno));
342 goto bad;
343 }
344 p->md.OrigMissed = -1;
345 enmode = ENTSTAMP|ENBATCH|ENNONEXCL;
346 if (promisc)
347 enmode |= ENPROMISC;
348 if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
349 snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCMBIS: %s",
350 pcap_strerror(errno));
351 goto bad;
352 }
353 #ifdef ENCOPYALL
354 /* Try to set COPYALL mode so that we see packets to ourself */
355 enmode = ENCOPYALL;
356 (void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */
357 #endif
358 /* set the backlog */
359 if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
360 snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCSETW: %s",
361 pcap_strerror(errno));
362 goto bad;
363 }
364 /* discover interface type */
365 if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
366 snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCDEVP: %s",
367 pcap_strerror(errno));
368 goto bad;
369 }
370 /* HACK: to compile prior to Ultrix 4.2 */
371 #ifndef ENDT_FDDI
372 #define ENDT_FDDI 4
373 #endif
374 switch (devparams.end_dev_type) {
375
376 case ENDT_10MB:
377 p->linktype = DLT_EN10MB;
378 p->offset = 2;
379 /*
380 * This is (presumably) a real Ethernet capture; give it a
381 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
382 * that an application can let you choose it, in case you're
383 * capturing DOCSIS traffic that a Cisco Cable Modem
384 * Termination System is putting out onto an Ethernet (it
385 * doesn't put an Ethernet header onto the wire, it puts raw
386 * DOCSIS frames out on the wire inside the low-level
387 * Ethernet framing).
388 */
389 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
390 /*
391 * If that fails, just leave the list empty.
392 */
393 if (p->dlt_list != NULL) {
394 p->dlt_list[0] = DLT_EN10MB;
395 p->dlt_list[1] = DLT_DOCSIS;
396 p->dlt_count = 2;
397 }
398 break;
399
400 case ENDT_FDDI:
401 p->linktype = DLT_FDDI;
402 break;
403
404 #ifdef ENDT_SLIP
405 case ENDT_SLIP:
406 p->linktype = DLT_SLIP;
407 break;
408 #endif
409
410 #ifdef ENDT_PPP
411 case ENDT_PPP:
412 p->linktype = DLT_PPP;
413 break;
414 #endif
415
416 #ifdef ENDT_LOOPBACK
417 case ENDT_LOOPBACK:
418 /*
419 * It appears to use Ethernet framing, at least on
420 * Digital UNIX 4.0.
421 */
422 p->linktype = DLT_EN10MB;
423 p->offset = 2;
424 break;
425 #endif
426
427 #ifdef ENDT_TRN
428 case ENDT_TRN:
429 p->linktype = DLT_IEEE802;
430 break;
431 #endif
432
433 default:
434 /*
435 * XXX - what about ENDT_IEEE802? The pfilt.h header
436 * file calls this "IEEE 802 networks (non-Ethernet)",
437 * but that doesn't specify a specific link layer type;
438 * it could be 802.4, or 802.5 (except that 802.5 is
439 * ENDT_TRN), or 802.6, or 802.11, or.... That's why
440 * DLT_IEEE802 was hijacked to mean Token Ring in various
441 * BSDs, and why we went along with that hijacking.
442 *
443 * XXX - what about ENDT_HDLC and ENDT_NULL?
444 * Presumably, as ENDT_OTHER is just "Miscellaneous
445 * framing", there's not much we can do, as that
446 * doesn't specify a particular type of header.
447 */
448 snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown data-link type %u",
449 devparams.end_dev_type);
450 goto bad;
451 }
452 /* set truncation */
453 #ifdef PCAP_FDDIPAD
454 if (p->linktype == DLT_FDDI)
455 /* packetfilter includes the padding in the snapshot */
456 snaplen += pcap_fddipad;
457 #endif
458 if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&snaplen) < 0) {
459 snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCTRUNCATE: %s",
460 pcap_strerror(errno));
461 goto bad;
462 }
463 p->snapshot = snaplen;
464 /* accept all packets */
465 memset(&Filter, 0, sizeof(Filter));
466 Filter.enf_Priority = 37; /* anything > 2 */
467 Filter.enf_FilterLen = 0; /* means "always true" */
468 if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
469 snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCSETF: %s",
470 pcap_strerror(errno));
471 goto bad;
472 }
473
474 if (to_ms != 0) {
475 struct timeval timeout;
476 timeout.tv_sec = to_ms / 1000;
477 timeout.tv_usec = (to_ms * 1000) % 1000000;
478 if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
479 snprintf(ebuf, PCAP_ERRBUF_SIZE, "EIOCSRTIMEOUT: %s",
480 pcap_strerror(errno));
481 goto bad;
482 }
483 }
484
485 p->bufsize = BUFSPACE;
486 p->buffer = (u_char*)malloc(p->bufsize + p->offset);
487 if (p->buffer == NULL) {
488 strlcpy(ebuf, pcap_strerror(errno), PCAP_ERRBUF_SIZE);
489 goto bad;
490 }
491
492 /*
493 * "select()" and "poll()" work on packetfilter devices.
494 */
495 p->selectable_fd = p->fd;
496
497 p->read_op = pcap_read_pf;
498 p->inject_op = pcap_inject_pf;
499 p->setfilter_op = pcap_setfilter_pf;
500 p->set_datalink_op = NULL; /* can't change data link type */
501 p->getnonblock_op = pcap_getnonblock_fd;
502 p->setnonblock_op = pcap_setnonblock_fd;
503 p->stats_op = pcap_stats_pf;
504 p->close_op = pcap_close_pf;
505
506 return (p);
507 bad:
508 if (p->fd >= 0)
509 close(p->fd);
510 /*
511 * Get rid of any link-layer type list we allocated.
512 */
513 if (p->dlt_list != NULL)
514 free(p->dlt_list);
515 free(p);
516 return (NULL);
517 }
518
519 int
520 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
521 {
522 return (0);
523 }
524
525 static int
526 pcap_setfilter_pf(pcap_t *p, struct bpf_program *fp)
527 {
528 struct bpf_version bv;
529
530 /*
531 * See if BIOCVERSION works. If not, we assume the kernel doesn't
532 * support BPF-style filters (it's not documented in the bpf(7)
533 * or packetfiler(7) man pages, but the code used to fail if
534 * BIOCSETF worked but BIOCVERSION didn't, and I've seen it do
535 * kernel filtering in DU 4.0, so presumably BIOCVERSION works
536 * there, at least).
537 */
538 if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) >= 0) {
539 /*
540 * OK, we have the version of the BPF interpreter;
541 * is it the same major version as us, and the same
542 * or better minor version?
543 */
544 if (bv.bv_major == BPF_MAJOR_VERSION &&
545 bv.bv_minor >= BPF_MINOR_VERSION) {
546 /*
547 * Yes. Try to install the filter.
548 */
549 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
550 snprintf(p->errbuf, sizeof(p->errbuf),
551 "BIOCSETF: %s", pcap_strerror(errno));
552 return (-1);
553 }
554
555 /*
556 * OK, that succeeded. We're doing filtering in
557 * the kernel. (We assume we don't have a
558 * userland filter installed - that'd require
559 * a previous version check to have failed but
560 * this one to succeed.)
561 *
562 * XXX - this message should be supplied to the
563 * application as a warning of some sort,
564 * except that if it's a GUI application, it's
565 * not clear that it should be displayed in
566 * a window to annoy the user.
567 */
568 fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
569 p->md.use_bpf = 1;
570 return (0);
571 }
572
573 /*
574 * We can't use the kernel's BPF interpreter; don't give
575 * up, just log a message and be inefficient.
576 *
577 * XXX - this should really be supplied to the application
578 * as a warning of some sort.
579 */
580 fprintf(stderr,
581 "tcpdump: Requires BPF language %d.%d or higher; kernel is %d.%d\n",
582 BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
583 bv.bv_major, bv.bv_minor);
584 }
585
586 /*
587 * We couldn't do filtering in the kernel; do it in userland.
588 */
589 if (install_bpf_program(p, fp) < 0)
590 return (-1);
591
592 /*
593 * XXX - this message should be supplied by the application as
594 * a warning of some sort.
595 */
596 fprintf(stderr, "tcpdump: Filtering in user process\n");
597 p->md.use_bpf = 0;
598 return (0);
599 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism