]> The Tcpdump Group git mirrors - libpcap/blob - pcap-linux.c
projects / libpcap / blob


32fb31b3339e3362f6fc79daec2304d696e3aa8b
[libpcap] / pcap-linux.c
1 /*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
21 * written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27 #ifndef lint
28 static const char rcsid[] =
29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.36 2000-10-25 05:59:04 guy Exp $ (LBL)";
30 #endif
31
32 /*
33 * Known bugs:
34 * - setting promiscuous on loopback gives every packet twice
35 */
36
37
38 #ifdef HAVE_CONFIG_H
39 #include "config.h"
40 #endif
41
42 #include "pcap-int.h"
43
44 #include <errno.h>
45 #include <stdlib.h>
46 #include <unistd.h>
47 #include <fcntl.h>
48 #include <string.h>
49 #include <sys/socket.h>
50 #include <sys/ioctl.h>
51 #include <net/if.h>
52 #include <netinet/in.h>
53 #include <linux/if_ether.h>
54 #include <netinet/if_ether.h>
55
56 #ifdef HAVE_NETPACKET_PACKET_H
57 #include <netpacket/packet.h>
58 #endif
59 #ifdef SO_ATTACH_FILTER
60 #include <linux/types.h>
61 #include <linux/filter.h>
62 #endif
63
64 #ifndef __GLIBC__
65 typedef int socklen_t;
66 #endif
67
68 #ifndef MSG_TRUNC
69 #define MSG_TRUNC 0
70 #endif
71
72 #define MAX_LINKHEADER_SIZE 256
73
74 /*
75 * When capturing on all interfaces we use this as the buffer size.
76 * Should be bigger then all MTUs that occur in real life.
77 * 64kB should be enough for now.
78 */
79 #define BIGGER_THAN_ALL_MTUS (64*1024)
80
81 /*
82 * Prototypes for internal functions
83 */
84 static int map_arphrd_to_dlt(int arptype );
85 static int live_open_old(pcap_t *, char *, int, int, char *);
86 static int live_open_new(pcap_t *, char *, int, int, char *);
87 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
88
89 /*
90 * Wrap some ioctl calls
91 */
92 #ifdef HAVE_NETPACKET_PACKET_H
93 static int iface_get_id(int fd, const char *device, char *ebuf);
94 #endif
95 static int iface_get_mtu(int fd, const char *device, char *ebuf);
96 static int iface_get_arptype(int fd, const char *device, char *ebuf);
97 #ifdef HAVE_NETPACKET_PACKET_H
98 static int iface_bind(int fd, int ifindex, char *ebuf);
99 #endif
100 static int iface_bind_old(int fd, const char *device, char *ebuf);
101
102 /*
103 * Get a handle for a live capture from the given device. You can
104 * pass NULL as device to get all packages (without link level
105 * information of course). If you pass 1 as promisc the interface
106 * will be set to promiscous mode (XXX: I think this usage should
107 * be deprecated and functions be added to select that later allow
108 * modification of that values -- Torsten).
109 *
110 * See also pcap(3).
111 */
112 pcap_t *
113 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
114 {
115 /* Allocate a handle for this session. */
116
117 pcap_t *handle = malloc(sizeof(*handle));
118 if (handle == NULL) {
119 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
120 pcap_strerror(errno));
121 return NULL;
122 }
123
124 /* Initialize some components of the pcap structure. */
125
126 memset(handle, 0, sizeof(*handle));
127 handle->snapshot = snaplen;
128 handle->md.timeout = to_ms;
129 handle->md.promisc = promisc;
130
131 /*
132 * NULL and "any" are special devices which give us the hint to
133 * monitor all devices.
134 */
135 if (!device || strcmp(device, "any") == 0) {
136 device = NULL;
137 handle->md.device = strdup("any");
138 } else
139 handle->md.device = strdup(device);
140
141 if (handle->md.device == NULL) {
142 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
143 pcap_strerror(errno) );
144 free(handle);
145 return NULL;
146 }
147
148 /*
149 * Current Linux kernels use the protocol family PF_PACKET to
150 * allow direct access to all packets on the network while
151 * older kernels had a special socket type SOCK_PACKET to
152 * implement this feature.
153 * While this old implementation is kind of obsolete we need
154 * to be compatible with older kernels for a while so we are
155 * trying both methods with the newer method preferred.
156 */
157
158 if (! (live_open_new(handle, device, promisc, to_ms, ebuf) ||
159 live_open_old(handle, device, promisc, to_ms, ebuf)) )
160 {
161 /*
162 * Both methods to open the packet socket failed. Tidy
163 * up and report our failure (ebuf is expected to be
164 * set by the functions above).
165 */
166
167 free(handle->md.device);
168 free(handle);
169 return NULL;
170 }
171
172 /*
173 * Okay, now we have a packet stream open. Maybe we need to handle
174 * a timeout? In that case we set the filehandle to nonblocking
175 * so pcap_read can try reading the fd and call select if no data
176 * is available at first.
177 */
178
179 if (to_ms > 0) {
180 int flags = fcntl(handle->fd, F_GETFL);
181 if (flags != -1) {
182 flags |= O_NONBLOCK;
183 flags = fcntl(handle->fd, F_SETFL, flags);
184 }
185 if (flags == -1) {
186 snprintf(ebuf, PCAP_ERRBUF_SIZE, "fcntl: %s",
187 pcap_strerror(errno));
188 pcap_close(handle);
189 return NULL;
190 }
191 }
192
193 return handle;
194 }
195
196 /*
197 * Read at most max_packets from the capture stream and call the callback
198 * for each of them. Returns the number of packets handled or -1 if an
199 * error occured.
200 *
201 * XXX: Can I rely on the Linux-specified behaviour of select (returning
202 * the time left in the timeval structure)? I really don't want to query
203 * the system time before each select call...
204 *
205 * pcap_read currently gets not only a packet from the kernel but also
206 * the sockaddr_ll returned as source of the packet. This way we can at
207 * some time extend tcpdump and libpcap to sniff on all devices at a time
208 * and find the right printing routine by using the information in the
209 * sockaddr_ll structure.
210 */
211 int
212 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
213 {
214 int status, packets;
215 fd_set read_fds;
216 struct timeval tv;
217
218 /*
219 * Fill in a timeval structure for select if we need to obeye a
220 * timeout.
221 */
222 if (handle->md.timeout > 0) {
223 tv.tv_usec = (handle->md.timeout % 1000) * 1000;
224 tv.tv_sec = (handle->md.timeout / 1000);
225 }
226
227 /*
228 * Read packets until the packet limit has been reached or
229 * an error occured while reading. Call the user function
230 * for each received packet.
231 */
232 for (packets = 0; max_packets == -1 || packets < max_packets;)
233 {
234 status = pcap_read_packet(handle, callback, user);
235
236 if (status > 0) {
237 packets += status;
238 continue;
239 } else if (status == -1)
240 return -1;
241
242 /*
243 * If no packet is available we go to sleep. FIXME: This
244 * might be better implemented using poll(?)
245 */
246 FD_ZERO(&read_fds);
247 FD_SET(handle->fd, &read_fds);
248 status = select(handle->fd + 1,
249 &read_fds, NULL, NULL, &tv);
250
251 if (status == -1) {
252 if (errno == EINTR)
253 return packets;
254 snprintf(handle->errbuf, sizeof(handle->errbuf),
255 "select: %s", pcap_strerror(errno));
256 return -1;
257 }
258 else if (status == 0 ||
259 (tv.tv_usec == 0 && tv.tv_sec == 0))
260 return packets;
261 }
262
263 return packets;
264 }
265
266 /*
267 * Read a packet from the socket calling the handler provided by
268 * the user. Returns the number of packets received or -1 if an
269 * error occured.
270 */
271 static int
272 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
273 {
274 struct sockaddr from;
275 socklen_t fromlen;
276 int packet_len, caplen;
277 struct pcap_pkthdr pcap_header;
278
279 /*
280 * We don't currently use the from return value of recvfrom but
281 * this will probably be implemented in the future.
282 */
283
284 /* Receive a single packet from the kernel */
285
286 do {
287 fromlen = sizeof(from);
288 packet_len = recvfrom(
289 handle->fd, handle->buffer + handle->offset,
290 handle->snapshot, MSG_TRUNC,
291 (struct sockaddr *) &from, &fromlen);
292 } while (packet_len == -1 && errno == EINTR);
293
294 /* Check if an error occured */
295
296 if (packet_len == -1) {
297 if (errno == EAGAIN)
298 return 0; /* no packet there */
299 else {
300 snprintf(handle->errbuf, sizeof(handle->errbuf),
301 "recvfrom: %s", pcap_strerror(errno));
302 return -1;
303 }
304 }
305
306 /*
307 * XXX: According to the kernel source we should get the real
308 * packet len if calling recvfrom with MSG_TRUNC set. It does
309 * not seem to work here :(, but it is supported by this code
310 * anyway.
311 * To be honest the code RELIES on that feature so this is really
312 * broken with 2.2.x kernels.
313 * I spend a day to figure out what's going on and I found out
314 * that the following is happening:
315 *
316 * The packet comes from a random interface and the packet_rcv
317 * hook is called with a clone of the packet. That code inserts
318 * the packet into the receive queue of the packet socket.
319 * If a filter is attached to that socket that filter is run
320 * first - and there lies the problem. The default filter always
321 * cuts the packet at the snaplen:
322 *
323 * # tcpdump -d
324 * (000) ret #68
325 *
326 * So the packet filter cuts down the packet. The recvfrom call
327 * says "hey, it's only 68 bytes, it fits into the buffer" with
328 * the result that we don't get the real packet length. This
329 * is valid at least until kernel 2.2.17pre6.
330 *
331 * tcpdump is currently fixed by changing the BPF code generator
332 * to not truncate the received packet.
333 */
334
335 caplen = packet_len;
336 if (caplen > handle->snapshot)
337 caplen = handle->snapshot;
338
339 /* Run the packet filter if not using kernel filter */
340 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
341 if (bpf_filter(handle->fcode.bf_insns, handle->buffer,
342 packet_len, caplen) == 0)
343 {
344 /* rejected by filter */
345 return 0;
346 }
347 }
348
349 /* Fill in our own header data */
350
351 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
352 snprintf(handle->errbuf, sizeof(handle->errbuf),
353 "ioctl: %s", pcap_strerror(errno));
354 return -1;
355 }
356 pcap_header.caplen = caplen;
357 pcap_header.len = packet_len;
358
359 /* Call the user supplied callback function */
360 handle->md.stat.ps_recv++;
361 callback(userdata, &pcap_header, handle->buffer + handle->offset);
362
363 return 1;
364 }
365
366 /*
367 * Get the statistics for the given packet capture handle.
368 * FIXME: Currently does not report the number of dropped packets.
369 */
370 int
371 pcap_stats(pcap_t *handle, struct pcap_stat *stats)
372 {
373 *stats = handle->md.stat;
374 return 0;
375 }
376
377 /*
378 * Attach the given BPF code to the packet capture device.
379 */
380 int
381 pcap_setfilter(pcap_t *handle, struct bpf_program *filter)
382 {
383 #ifdef SO_ATTACH_FILTER
384 struct sock_fprog fcode;
385 #endif
386
387 if (!handle)
388 return -1;
389 if (!filter) {
390 strncpy(handle->errbuf, "setfilter: No filter specified",
391 sizeof(handle->errbuf));
392 return -1;
393 }
394
395 /* Free old filter code if existing */
396
397 handle->fcode.bf_len = 0;
398 if (handle->fcode.bf_insns) {
399 free(handle->fcode.bf_insns);
400 handle->fcode.bf_insns = NULL;
401 }
402
403
404 /* Make our private copy of the filter */
405
406 handle->fcode.bf_len = filter->bf_len;
407 handle->fcode.bf_insns =
408 malloc(filter->bf_len * sizeof(*filter->bf_insns));
409 if (handle->fcode.bf_insns == NULL) {
410 snprintf(handle->errbuf, sizeof(handle->errbuf),
411 "malloc: %s", pcap_strerror(errno));
412 return -1;
413 }
414 memcpy(handle->fcode.bf_insns, filter->bf_insns,
415 filter->bf_len * sizeof(*filter->bf_insns));
416
417 /*
418 * Run user level packet filter by default. Will be overriden if
419 * installing a kernel filter succeeds.
420 */
421 handle->md.use_bpf = 0;
422
423 /*
424 * If we're reading from a savefile, don't try to install
425 * a kernel filter.
426 */
427 if (handle->sf.rfile != NULL)
428 return 0;
429
430 /* Install kernel level filter if possible */
431
432 #ifdef SO_ATTACH_FILTER
433 /*
434 * Oh joy, the Linux kernel uses struct sock_fprog instead of
435 * struct bpf_program and of course the length field is of
436 * different size. Pointed out by Sebastian
437 */
438
439 fcode.filter = (struct sock_filter *) handle->fcode.bf_insns;
440 fcode.len = filter->bf_len;
441 #ifdef USHRT_MAX
442 if (filter->bf_len > USHRT_MAX) {
443 /*
444 * fcode.len is an unsigned short for current kernel.
445 * I have yet to see BPF-Code with that much instructions
446 * but still it is possible. So for the sake of
447 * correctness I added this check.
448 */
449 fprintf(stderr, "Warning: Filter to complex for kernel\n");
450 }
451 else
452 #endif
453 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
454 &fcode, sizeof(fcode)) == 0)
455 {
456 /* Installation succeded - using kernel filter. */
457 handle->md.use_bpf = 1;
458 }
459 else
460 {
461 /*
462 * Print a warning if kernel filter available but a problem
463 * occured using it.
464 */
465 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
466 fprintf(stderr, "Warning: Kernel filter failed: %s\n",
467 pcap_strerror(errno));
468 }
469 }
470 #endif
471
472 return 0;
473 }
474
475 /*
476 * Linux uses the ARP hardware type to identify the type of an
477 * interface. pcap uses the DLT_xxx constants for this. This
478 * function maps the ARPHRD_xxx constant to an appropriate
479 * DLT_xxx constant.
480 *
481 * Returns -1 if unable to map the type.
482 */
483 static int map_arphrd_to_dlt(int arptype)
484 {
485 switch (arptype) {
486 case ARPHRD_ETHER:
487 case ARPHRD_METRICOM:
488 case ARPHRD_LOOPBACK: return DLT_EN10MB;
489 case ARPHRD_EETHER: return DLT_EN3MB;
490 case ARPHRD_AX25: return DLT_AX25;
491 case ARPHRD_PRONET: return DLT_PRONET;
492 case ARPHRD_CHAOS: return DLT_CHAOS;
493 case ARPHRD_IEEE802: return DLT_IEEE802;
494 case ARPHRD_ARCNET: return DLT_ARCNET;
495 case ARPHRD_FDDI: return DLT_FDDI;
496
497 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
498 #define ARPHRD_ATM 19
499 #endif
500 case ARPHRD_ATM: return DLT_ATM_CLIP;
501
502 case ARPHRD_PPP:
503 case ARPHRD_CSLIP:
504 case ARPHRD_SLIP6:
505 case ARPHRD_CSLIP6:
506 case ARPHRD_SLIP: return DLT_RAW;
507 }
508
509 return -1;
510 }
511
512 /* ===== Functions to interface to the newer kernels ================== */
513
514 /*
515 * Try to open a packet socket using the new kernel interface.
516 * Returns 0 on failure.
517 * FIXME: 0 uses to mean success (Sebastian)
518 */
519 static int
520 live_open_new(pcap_t *handle, char *device, int promisc,
521 int to_ms, char *ebuf)
522 {
523 #ifdef HAVE_NETPACKET_PACKET_H
524 int sock_fd = -1, device_id, mtu, arptype;
525 struct packet_mreq mr;
526
527 /* One shot loop used for error handling - bail out with break */
528
529 do {
530 /*
531 * Open a socket with protocol family packet. If a device is
532 * given we try to open it in raw mode otherwise we use
533 * the cooked interface.
534 */
535 sock_fd = device ?
536 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
537 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
538
539 if (sock_fd == -1) {
540 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
541 pcap_strerror(errno) );
542 break;
543 }
544
545 /* It seems the kernel supports the new interface. */
546 handle->md.sock_packet = 0;
547
548 /*
549 * What kind of frames do we have to deal with? Fall back
550 * to cooked mode if we have an unknown interface type.
551 */
552
553 if (device) {
554 arptype = iface_get_arptype(sock_fd, device, ebuf);
555 if (arptype == -1)
556 break;
557 handle->linktype = map_arphrd_to_dlt(arptype);
558 } else
559 handle->linktype = DLT_RAW;
560
561 if (handle->linktype == -1) {
562 /* Unknown interface type - reopen in cooked mode */
563
564 if (close(sock_fd) == -1) {
565 snprintf(ebuf, PCAP_ERRBUF_SIZE,
566 "close: %s", pcap_strerror(errno));
567 break;
568 }
569 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
570 htons(ETH_P_ALL));
571 if (sock_fd == -1) {
572 snprintf(ebuf, PCAP_ERRBUF_SIZE,
573 "socket: %s", pcap_strerror(errno));
574 break;
575 }
576
577 fprintf(stderr,
578 "Warning: Falling back to cooked socket\n");
579 handle->linktype = DLT_RAW;
580 }
581
582
583 if (device) {
584 device_id = iface_get_id(sock_fd, device, ebuf);
585 if (device_id == -1)
586 break;
587
588 if (iface_bind(sock_fd, device_id, ebuf) == -1)
589 break;
590 }
591
592 /* Select promiscuous mode on/off */
593
594 #ifdef SOL_PACKET
595 /*
596 * Hmm, how can we set promiscuous mode on all interfaces?
597 * I am not sure if that is possible at all.
598 */
599
600 if (device) {
601 memset(&mr, 0, sizeof(mr));
602 mr.mr_ifindex = device_id;
603 mr.mr_type = promisc ?
604 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
605 if (setsockopt(sock_fd, SOL_PACKET,
606 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1)
607 {
608 snprintf(ebuf, PCAP_ERRBUF_SIZE,
609 "setsockopt: %s", pcap_strerror(errno));
610 break;
611 }
612 }
613 #endif
614
615 /* Compute the buffersize */
616
617 mtu = iface_get_mtu(sock_fd, device, ebuf);
618 if (mtu == -1)
619 break;
620 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
621
622 /* Fill in the pcap structure */
623
624 handle->fd = sock_fd;
625 handle->offset = 0;
626
627 handle->buffer = malloc(handle->bufsize);
628 if (!handle->buffer) {
629 snprintf(ebuf, PCAP_ERRBUF_SIZE,
630 "malloc: %s", pcap_strerror(errno));
631 break;
632 }
633
634 return 1;
635
636 } while(0);
637
638 if (sock_fd != -1)
639 close(sock_fd);
640 return 0;
641 #else
642 strncpy(ebuf,
643 "New packet capturing interface not supported by build "
644 "environment", PCAP_ERRBUF_SIZE);
645 return 0;
646 #endif
647 }
648
649 #ifdef HAVE_NETPACKET_PACKET_H
650 /*
651 * Return the index of the given device name. Fill ebuf and return
652 * -1 on failure.
653 */
654 static int
655 iface_get_id(int fd, const char *device, char *ebuf)
656 {
657 struct ifreq ifr;
658
659 memset(&ifr, 0, sizeof(ifr));
660 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
661
662 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
663 snprintf(ebuf, PCAP_ERRBUF_SIZE,
664 "ioctl: %s", pcap_strerror(errno));
665 return -1;
666 }
667
668 return ifr.ifr_ifindex;
669 }
670
671 /*
672 * Bind the socket associated with FD to the given device.
673 */
674 static int
675 iface_bind(int fd, int ifindex, char *ebuf)
676 {
677 struct sockaddr_ll sll;
678
679 memset(&sll, 0, sizeof(sll));
680 sll.sll_family = AF_PACKET;
681 sll.sll_ifindex = ifindex;
682 sll.sll_protocol = htons(ETH_P_ALL);
683
684 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
685 snprintf(ebuf, PCAP_ERRBUF_SIZE,
686 "bind: %s", pcap_strerror(errno));
687 return -1;
688 }
689
690 return 0;
691 }
692
693 #endif
694
695
696 /* ===== Functions to interface to the older kernels ================== */
697
698 /*
699 * With older kernels promiscuous mode is kind of interesting because we
700 * have to reset the interface before exiting. The problem can't really
701 * be solved without some daemon taking care of managing usage counts.
702 * We save the promiscuous state of the device when opening the capture
703 * stream and arrange for it to be reset on process exit.
704 *
705 * XXX: This solution is still not correct even for this case. The
706 * devices stay in promiscuous mode until the process exits. I need to
707 * modify pcap_close to solve this.
708 */
709
710 /*
711 * The device name and the interface flags to be restored at exit
712 */
713 struct ifreq restore_ifr;
714
715 static void restore_interface( void )
716 {
717 int status = socket(PF_INET, SOCK_PACKET, 0);
718
719 if (status != -1)
720 status = ioctl(status, SIOCSIFFLAGS, &restore_ifr);
721
722 if (status == -1) {
723 fprintf(stderr,
724 "Can't restore interface flags. Please adjust manually. \n"
725 "Hint: This can't happen with Linux >= 2.2.0.\n");
726 }
727 }
728
729 /*
730 * Try to open a packet socket using the old kernel interface.
731 * Returns 0 on failure.
732 * FIXME: 0 uses to mean success (Sebastian)
733 */
734 static int
735 live_open_old(pcap_t *handle, char *device, int promisc,
736 int to_ms, char *ebuf)
737 {
738 int sock_fd = -1, mtu, arptype;
739 struct ifreq ifr;
740
741 do {
742 /* Open the socket */
743
744 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
745 if (sock_fd == -1) {
746 snprintf(ebuf, PCAP_ERRBUF_SIZE,
747 "socket: %s", pcap_strerror(errno));
748 break;
749 }
750
751 /* It worked - we are using the old interface */
752 handle->md.sock_packet = 1;
753
754 /* Bind to the given device */
755
756 if (!device) {
757 strncpy(ebuf, "pcap_open_live: No interface given",
758 PCAP_ERRBUF_SIZE);
759 break;
760 }
761 if (iface_bind_old(sock_fd, device, ebuf) == -1)
762 break;
763
764 /* Go to promisc mode */
765 if (promisc) {
766 memset(&ifr, 0, sizeof(ifr));
767 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
768 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) {
769 snprintf(ebuf, PCAP_ERRBUF_SIZE,
770 "ioctl: %s", pcap_strerror(errno));
771 break;
772 }
773 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
774 restore_ifr = ifr;
775 ifr.ifr_flags |= IFF_PROMISC;
776 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) {
777 snprintf(ebuf, PCAP_ERRBUF_SIZE,
778 "ioctl: %s",
779 pcap_strerror(errno));
780 break;
781 }
782 if (atexit(restore_interface) == -1) {
783 restore_interface();
784 strncpy(ebuf, "atexit failed",
785 PCAP_ERRBUF_SIZE);
786 break;
787 }
788 }
789 }
790
791
792 /* Compute the buffersize */
793
794 mtu = iface_get_mtu(sock_fd, device, ebuf);
795 if (mtu == -1)
796 break;
797 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
798 if (handle->bufsize < handle->snapshot)
799 handle->bufsize = handle->snapshot;
800
801 /* All done - fill in the pcap handle */
802
803 arptype = iface_get_arptype(sock_fd, device, ebuf);
804 if (arptype == -1)
805 break;
806
807 handle->fd = sock_fd;
808 handle->offset = 0;
809 handle->linktype = map_arphrd_to_dlt(arptype);
810 if (handle->linktype == -1) {
811 snprintf(ebuf, PCAP_ERRBUF_SIZE,
812 "interface type of %s not supported", device);
813 break;
814 }
815 handle->buffer = malloc(handle->bufsize);
816 if (!handle->buffer) {
817 snprintf(ebuf, PCAP_ERRBUF_SIZE,
818 "malloc: %s", pcap_strerror(errno));
819 break;
820 }
821
822 return 1;
823
824 } while (0);
825
826 if (sock_fd != -1)
827 close(sock_fd);
828 return 0;
829 }
830
831 /*
832 * Bind the socket associated with FD to the given device using the
833 * interface of the old kernels.
834 */
835 static int
836 iface_bind_old(int fd, const char *device, char *ebuf)
837 {
838 struct sockaddr saddr;
839
840 memset(&saddr, 0, sizeof(saddr));
841 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
842 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
843 snprintf(ebuf, PCAP_ERRBUF_SIZE,
844 "bind: %s", pcap_strerror(errno));
845 return -1;
846 }
847
848 return 0;
849 }
850
851
852 /* ===== System calls available on all supported kernels ============== */
853
854 /*
855 * Query the kernel for the MTU of the given interface.
856 */
857 static int
858 iface_get_mtu(int fd, const char *device, char *ebuf)
859 {
860 struct ifreq ifr;
861
862 if (!device)
863 return BIGGER_THAN_ALL_MTUS;
864
865 memset(&ifr, 0, sizeof(ifr));
866 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
867
868 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
869 snprintf(ebuf, PCAP_ERRBUF_SIZE,
870 "ioctl: %s", pcap_strerror(errno));
871 return -1;
872 }
873
874 return ifr.ifr_mtu;
875 }
876
877 /*
878 * Get the hardware type of the given interface as ARPHRD_xxx constant.
879 */
880 static int
881 iface_get_arptype(int fd, const char *device, char *ebuf)
882 {
883 struct ifreq ifr;
884
885 memset(&ifr, 0, sizeof(ifr));
886 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
887
888 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
889 snprintf(ebuf, PCAP_ERRBUF_SIZE,
890 "ioctl: %s", pcap_strerror(errno));
891 return -1;
892 }
893
894 return ifr.ifr_hwaddr.sa_family;
895 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism