]> The Tcpdump Group git mirrors - libpcap/blob - pcap-pf.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add more interface flags to pcap_findalldevs().
[libpcap] / pcap-pf.c
1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 *
21 * packet filter subroutines for tcpdump
22 * Extraction/creation by Jeffrey Mogul, DECWRL
23 */
24
25 #ifdef HAVE_CONFIG_H
26 #include <config.h>
27 #endif
28
29 #include <sys/types.h>
30 #include <sys/time.h>
31 #include <sys/timeb.h>
32 #include <sys/socket.h>
33 #include <sys/file.h>
34 #include <sys/ioctl.h>
35 #include <net/pfilt.h>
36
37 struct mbuf;
38 struct rtentry;
39 #include <net/if.h>
40
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43 #include <netinet/ip.h>
44 #include <netinet/if_ether.h>
45 #include <netinet/ip_var.h>
46 #include <netinet/udp.h>
47 #include <netinet/udp_var.h>
48 #include <netinet/tcp.h>
49 #include <netinet/tcpip.h>
50
51 #include <ctype.h>
52 #include <errno.h>
53 #include <netdb.h>
54 #include <stdio.h>
55 #include <stdlib.h>
56 #include <string.h>
57 #include <unistd.h>
58
59 /*
60 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
61 * native OS version, as we need various BPF ioctls from it.
62 */
63 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
64 #include <net/bpf.h>
65
66 #include "pcap-int.h"
67
68 #ifdef HAVE_OS_PROTO_H
69 #include "os-proto.h"
70 #endif
71
72 /*
73 * FDDI packets are padded to make everything line up on a nice boundary.
74 */
75 #define PCAP_FDDIPAD 3
76
77 /*
78 * Private data for capturing on Ultrix and DEC OSF/1^WDigital UNIX^W^W
79 * Tru64 UNIX packetfilter devices.
80 */
81 struct pcap_pf {
82 int filtering_in_kernel; /* using kernel filter */
83 u_long TotPkts; /* can't oflow for 79 hrs on ether */
84 u_long TotAccepted; /* count accepted by filter */
85 u_long TotDrops; /* count of dropped packets */
86 long TotMissed; /* missed by i/f during this run */
87 long OrigMissed; /* missed by i/f before this run */
88 };
89
90 static int pcap_setfilter_pf(pcap_t *, struct bpf_program *);
91
92 /*
93 * BUFSPACE is the size in bytes of the packet read buffer. Most tcpdump
94 * applications aren't going to need more than 200 bytes of packet header
95 * and the read shouldn't return more packets than packetfilter's internal
96 * queue limit (bounded at 256).
97 */
98 #define BUFSPACE (200 * 256)
99
100 static int
101 pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
102 {
103 struct pcap_pf *pf = pc->priv;
104 register u_char *p, *bp;
105 register int cc, n, buflen, inc;
106 register struct enstamp *sp;
107 #ifdef LBL_ALIGN
108 struct enstamp stamp;
109 #endif
110 register u_int pad;
111
112 again:
113 cc = pc->cc;
114 if (cc == 0) {
115 cc = read(pc->fd, (char *)pc->buffer + pc->offset, pc->bufsize);
116 if (cc < 0) {
117 if (errno == EWOULDBLOCK)
118 return (0);
119 if (errno == EINVAL &&
120 lseek(pc->fd, 0L, SEEK_CUR) + pc->bufsize < 0) {
121 /*
122 * Due to a kernel bug, after 2^31 bytes,
123 * the kernel file offset overflows and
124 * read fails with EINVAL. The lseek()
125 * to 0 will fix things.
126 */
127 (void)lseek(pc->fd, 0L, SEEK_SET);
128 goto again;
129 }
130 pcap_fmt_errmsg_for_errno(pc->errbuf,
131 sizeof(pc->errbuf), errno, "pf read");
132 return (-1);
133 }
134 bp = (u_char *)pc->buffer + pc->offset;
135 } else
136 bp = pc->bp;
137 /*
138 * Loop through each packet.
139 */
140 n = 0;
141 pad = pc->fddipad;
142 while (cc > 0) {
143 /*
144 * Has "pcap_breakloop()" been called?
145 * If so, return immediately - if we haven't read any
146 * packets, clear the flag and return -2 to indicate
147 * that we were told to break out of the loop, otherwise
148 * leave the flag set, so that the *next* call will break
149 * out of the loop without having read any packets, and
150 * return the number of packets we've processed so far.
151 */
152 if (pc->break_loop) {
153 if (n == 0) {
154 pc->break_loop = 0;
155 return (-2);
156 } else {
157 pc->cc = cc;
158 pc->bp = bp;
159 return (n);
160 }
161 }
162 if (cc < sizeof(*sp)) {
163 pcap_snprintf(pc->errbuf, sizeof(pc->errbuf),
164 "pf short read (%d)", cc);
165 return (-1);
166 }
167 #ifdef LBL_ALIGN
168 if ((long)bp & 3) {
169 sp = &stamp;
170 memcpy((char *)sp, (char *)bp, sizeof(*sp));
171 } else
172 #endif
173 sp = (struct enstamp *)bp;
174 if (sp->ens_stamplen != sizeof(*sp)) {
175 pcap_snprintf(pc->errbuf, sizeof(pc->errbuf),
176 "pf short stamplen (%d)",
177 sp->ens_stamplen);
178 return (-1);
179 }
180
181 p = bp + sp->ens_stamplen;
182 buflen = sp->ens_count;
183 if (buflen > pc->snapshot)
184 buflen = pc->snapshot;
185
186 /* Calculate inc before possible pad update */
187 inc = ENALIGN(buflen + sp->ens_stamplen);
188 cc -= inc;
189 bp += inc;
190 pf->TotPkts++;
191 pf->TotDrops += sp->ens_dropped;
192 pf->TotMissed = sp->ens_ifoverflows;
193 if (pf->OrigMissed < 0)
194 pf->OrigMissed = pf->TotMissed;
195
196 /*
197 * Short-circuit evaluation: if using BPF filter
198 * in kernel, no need to do it now - we already know
199 * the packet passed the filter.
200 *
201 * Note: the filter code was generated assuming
202 * that pc->fddipad was the amount of padding
203 * before the header, as that's what's required
204 * in the kernel, so we run the filter before
205 * skipping that padding.
206 */
207 if (pf->filtering_in_kernel ||
208 bpf_filter(pc->fcode.bf_insns, p, sp->ens_count, buflen)) {
209 struct pcap_pkthdr h;
210 pf->TotAccepted++;
211 h.ts = sp->ens_tstamp;
212 h.len = sp->ens_count - pad;
213 p += pad;
214 buflen -= pad;
215 h.caplen = buflen;
216 (*callback)(user, &h, p);
217 if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) {
218 pc->cc = cc;
219 pc->bp = bp;
220 return (n);
221 }
222 }
223 }
224 pc->cc = 0;
225 return (n);
226 }
227
228 static int
229 pcap_inject_pf(pcap_t *p, const void *buf, size_t size)
230 {
231 int ret;
232
233 ret = write(p->fd, buf, size);
234 if (ret == -1) {
235 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
236 errno, "send");
237 return (-1);
238 }
239 return (ret);
240 }
241
242 static int
243 pcap_stats_pf(pcap_t *p, struct pcap_stat *ps)
244 {
245 struct pcap_pf *pf = p->priv;
246
247 /*
248 * If packet filtering is being done in the kernel:
249 *
250 * "ps_recv" counts only packets that passed the filter.
251 * This does not include packets dropped because we
252 * ran out of buffer space. (XXX - perhaps it should,
253 * by adding "ps_drop" to "ps_recv", for compatibility
254 * with some other platforms. On the other hand, on
255 * some platforms "ps_recv" counts only packets that
256 * passed the filter, and on others it counts packets
257 * that didn't pass the filter....)
258 *
259 * "ps_drop" counts packets that passed the kernel filter
260 * (if any) but were dropped because the input queue was
261 * full.
262 *
263 * "ps_ifdrop" counts packets dropped by the network
264 * inteface (regardless of whether they would have passed
265 * the input filter, of course).
266 *
267 * If packet filtering is not being done in the kernel:
268 *
269 * "ps_recv" counts only packets that passed the filter.
270 *
271 * "ps_drop" counts packets that were dropped because the
272 * input queue was full, regardless of whether they passed
273 * the userland filter.
274 *
275 * "ps_ifdrop" counts packets dropped by the network
276 * inteface (regardless of whether they would have passed
277 * the input filter, of course).
278 *
279 * These statistics don't include packets not yet read from
280 * the kernel by libpcap, but they may include packets not
281 * yet read from libpcap by the application.
282 */
283 ps->ps_recv = pf->TotAccepted;
284 ps->ps_drop = pf->TotDrops;
285 ps->ps_ifdrop = pf->TotMissed - pf->OrigMissed;
286 return (0);
287 }
288
289 /*
290 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
291 * don't get DLT_DOCSIS defined.
292 */
293 #ifndef DLT_DOCSIS
294 #define DLT_DOCSIS 143
295 #endif
296
297 static int
298 pcap_activate_pf(pcap_t *p)
299 {
300 struct pcap_pf *pf = p->priv;
301 short enmode;
302 int backlog = -1; /* request the most */
303 struct enfilter Filter;
304 struct endevp devparams;
305 int err;
306
307 /*
308 * Initially try a read/write open (to allow the inject
309 * method to work). If that fails due to permission
310 * issues, fall back to read-only. This allows a
311 * non-root user to be granted specific access to pcap
312 * capabilities via file permissions.
313 *
314 * XXX - we should have an API that has a flag that
315 * controls whether to open read-only or read-write,
316 * so that denial of permission to send (or inability
317 * to send, if sending packets isn't supported on
318 * the device in question) can be indicated at open
319 * time.
320 *
321 * XXX - we assume here that "pfopen()" does not, in fact, modify
322 * its argument, even though it takes a "char *" rather than a
323 * "const char *" as its first argument. That appears to be
324 * the case, at least on Digital UNIX 4.0.
325 *
326 * XXX - is there an error that means "no such device"? Is
327 * there one that means "that device doesn't support pf"?
328 */
329 p->fd = pfopen(p->opt.device, O_RDWR);
330 if (p->fd == -1 && errno == EACCES)
331 p->fd = pfopen(p->opt.device, O_RDONLY);
332 if (p->fd < 0) {
333 if (errno == EACCES) {
334 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
335 "pf open: %s: Permission denied\n"
336 "your system may not be properly configured; see the packetfilter(4) man page",
337 p->opt.device);
338 err = PCAP_ERROR_PERM_DENIED;
339 } else {
340 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
341 errno, "pf open: %s", p->opt.device);
342 err = PCAP_ERROR;
343 }
344 goto bad;
345 }
346
347 /*
348 * Turn a negative snapshot value (invalid), a snapshot value of
349 * 0 (unspecified), or a value bigger than the normal maximum
350 * value, into the maximum allowed value.
351 *
352 * If some application really *needs* a bigger snapshot
353 * length, we should just increase MAXIMUM_SNAPLEN.
354 */
355 if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
356 p->snapshot = MAXIMUM_SNAPLEN;
357
358 pf->OrigMissed = -1;
359 enmode = ENTSTAMP|ENNONEXCL;
360 if (!p->opt.immediate)
361 enmode |= ENBATCH;
362 if (p->opt.promisc)
363 enmode |= ENPROMISC;
364 if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
365 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
366 errno, "EIOCMBIS");
367 err = PCAP_ERROR;
368 goto bad;
369 }
370 #ifdef ENCOPYALL
371 /* Try to set COPYALL mode so that we see packets to ourself */
372 enmode = ENCOPYALL;
373 (void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */
374 #endif
375 /* set the backlog */
376 if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
377 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
378 errno, "EIOCSETW");
379 err = PCAP_ERROR;
380 goto bad;
381 }
382 /* discover interface type */
383 if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
384 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
385 errno, "EIOCDEVP");
386 err = PCAP_ERROR;
387 goto bad;
388 }
389 /* HACK: to compile prior to Ultrix 4.2 */
390 #ifndef ENDT_FDDI
391 #define ENDT_FDDI 4
392 #endif
393 switch (devparams.end_dev_type) {
394
395 case ENDT_10MB:
396 p->linktype = DLT_EN10MB;
397 p->offset = 2;
398 /*
399 * This is (presumably) a real Ethernet capture; give it a
400 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
401 * that an application can let you choose it, in case you're
402 * capturing DOCSIS traffic that a Cisco Cable Modem
403 * Termination System is putting out onto an Ethernet (it
404 * doesn't put an Ethernet header onto the wire, it puts raw
405 * DOCSIS frames out on the wire inside the low-level
406 * Ethernet framing).
407 */
408 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
409 /*
410 * If that fails, just leave the list empty.
411 */
412 if (p->dlt_list != NULL) {
413 p->dlt_list[0] = DLT_EN10MB;
414 p->dlt_list[1] = DLT_DOCSIS;
415 p->dlt_count = 2;
416 }
417 break;
418
419 case ENDT_FDDI:
420 p->linktype = DLT_FDDI;
421 break;
422
423 #ifdef ENDT_SLIP
424 case ENDT_SLIP:
425 p->linktype = DLT_SLIP;
426 break;
427 #endif
428
429 #ifdef ENDT_PPP
430 case ENDT_PPP:
431 p->linktype = DLT_PPP;
432 break;
433 #endif
434
435 #ifdef ENDT_LOOPBACK
436 case ENDT_LOOPBACK:
437 /*
438 * It appears to use Ethernet framing, at least on
439 * Digital UNIX 4.0.
440 */
441 p->linktype = DLT_EN10MB;
442 p->offset = 2;
443 break;
444 #endif
445
446 #ifdef ENDT_TRN
447 case ENDT_TRN:
448 p->linktype = DLT_IEEE802;
449 break;
450 #endif
451
452 default:
453 /*
454 * XXX - what about ENDT_IEEE802? The pfilt.h header
455 * file calls this "IEEE 802 networks (non-Ethernet)",
456 * but that doesn't specify a specific link layer type;
457 * it could be 802.4, or 802.5 (except that 802.5 is
458 * ENDT_TRN), or 802.6, or 802.11, or.... That's why
459 * DLT_IEEE802 was hijacked to mean Token Ring in various
460 * BSDs, and why we went along with that hijacking.
461 *
462 * XXX - what about ENDT_HDLC and ENDT_NULL?
463 * Presumably, as ENDT_OTHER is just "Miscellaneous
464 * framing", there's not much we can do, as that
465 * doesn't specify a particular type of header.
466 */
467 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
468 "unknown data-link type %u", devparams.end_dev_type);
469 err = PCAP_ERROR;
470 goto bad;
471 }
472 /* set truncation */
473 if (p->linktype == DLT_FDDI) {
474 p->fddipad = PCAP_FDDIPAD;
475
476 /* packetfilter includes the padding in the snapshot */
477 p->snapshot += PCAP_FDDIPAD;
478 } else
479 p->fddipad = 0;
480 if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&p->snapshot) < 0) {
481 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
482 errno, "EIOCTRUNCATE");
483 err = PCAP_ERROR;
484 goto bad;
485 }
486 /* accept all packets */
487 memset(&Filter, 0, sizeof(Filter));
488 Filter.enf_Priority = 37; /* anything > 2 */
489 Filter.enf_FilterLen = 0; /* means "always true" */
490 if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
491 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
492 errno, "EIOCSETF");
493 err = PCAP_ERROR;
494 goto bad;
495 }
496
497 if (p->opt.timeout != 0) {
498 struct timeval timeout;
499 timeout.tv_sec = p->opt.timeout / 1000;
500 timeout.tv_usec = (p->opt.timeout * 1000) % 1000000;
501 if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
502 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
503 errno, "EIOCSRTIMEOUT");
504 err = PCAP_ERROR;
505 goto bad;
506 }
507 }
508
509 p->bufsize = BUFSPACE;
510 p->buffer = malloc(p->bufsize + p->offset);
511 if (p->buffer == NULL) {
512 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
513 errno, "malloc");
514 err = PCAP_ERROR;
515 goto bad;
516 }
517
518 /*
519 * "select()" and "poll()" work on packetfilter devices.
520 */
521 p->selectable_fd = p->fd;
522
523 p->read_op = pcap_read_pf;
524 p->inject_op = pcap_inject_pf;
525 p->setfilter_op = pcap_setfilter_pf;
526 p->setdirection_op = NULL; /* Not implemented. */
527 p->set_datalink_op = NULL; /* can't change data link type */
528 p->getnonblock_op = pcap_getnonblock_fd;
529 p->setnonblock_op = pcap_setnonblock_fd;
530 p->stats_op = pcap_stats_pf;
531
532 return (0);
533 bad:
534 pcap_cleanup_live_common(p);
535 return (err);
536 }
537
538 pcap_t *
539 pcap_create_interface(const char *device _U_, char *ebuf)
540 {
541 pcap_t *p;
542
543 p = pcap_create_common(ebuf, sizeof (struct pcap_pf));
544 if (p == NULL)
545 return (NULL);
546
547 p->activate_op = pcap_activate_pf;
548 return (p);
549 }
550
551 /*
552 * XXX - is there an error from pfopen() that means "no such device"?
553 * Is there one that means "that device doesn't support pf"?
554 */
555 static int
556 can_be_bound(const char *name _U_)
557 {
558 return (1);
559 }
560
561 int
562 get_if_flags(const char *name _U_, bpf_u_int32 flags _U_, char *errbuf _U_)
563 {
564 /*
565 * Nothing we can do.
566 * XXX - is there a way to find out whether an adapter has
567 * something plugged into it?
568 */
569 return (0);
570 }
571
572 int
573 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
574 {
575 return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound));
576 }
577
578 static int
579 pcap_setfilter_pf(pcap_t *p, struct bpf_program *fp)
580 {
581 struct pcap_pf *pf = p->priv;
582 struct bpf_version bv;
583
584 /*
585 * See if BIOCVERSION works. If not, we assume the kernel doesn't
586 * support BPF-style filters (it's not documented in the bpf(7)
587 * or packetfiler(7) man pages, but the code used to fail if
588 * BIOCSETF worked but BIOCVERSION didn't, and I've seen it do
589 * kernel filtering in DU 4.0, so presumably BIOCVERSION works
590 * there, at least).
591 */
592 if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) >= 0) {
593 /*
594 * OK, we have the version of the BPF interpreter;
595 * is it the same major version as us, and the same
596 * or better minor version?
597 */
598 if (bv.bv_major == BPF_MAJOR_VERSION &&
599 bv.bv_minor >= BPF_MINOR_VERSION) {
600 /*
601 * Yes. Try to install the filter.
602 */
603 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
604 pcap_fmt_errmsg_for_errno(p->errbuf,
605 sizeof(p->errbuf), errno, "BIOCSETF");
606 return (-1);
607 }
608
609 /*
610 * OK, that succeeded. We're doing filtering in
611 * the kernel. (We assume we don't have a
612 * userland filter installed - that'd require
613 * a previous version check to have failed but
614 * this one to succeed.)
615 *
616 * XXX - this message should be supplied to the
617 * application as a warning of some sort,
618 * except that if it's a GUI application, it's
619 * not clear that it should be displayed in
620 * a window to annoy the user.
621 */
622 fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
623 pf->filtering_in_kernel = 1;
624
625 /*
626 * Discard any previously-received packets,
627 * as they might have passed whatever filter
628 * was formerly in effect, but might not pass
629 * this filter (BIOCSETF discards packets buffered
630 * in the kernel, so you can lose packets in any
631 * case).
632 */
633 p->cc = 0;
634 return (0);
635 }
636
637 /*
638 * We can't use the kernel's BPF interpreter; don't give
639 * up, just log a message and be inefficient.
640 *
641 * XXX - this should really be supplied to the application
642 * as a warning of some sort.
643 */
644 fprintf(stderr,
645 "tcpdump: Requires BPF language %d.%d or higher; kernel is %d.%d\n",
646 BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
647 bv.bv_major, bv.bv_minor);
648 }
649
650 /*
651 * We couldn't do filtering in the kernel; do it in userland.
652 */
653 if (install_bpf_program(p, fp) < 0)
654 return (-1);
655
656 /*
657 * XXX - this message should be supplied by the application as
658 * a warning of some sort.
659 */
660 fprintf(stderr, "tcpdump: Filtering in user process\n");
661 pf->filtering_in_kernel = 0;
662 return (0);
663 }
664
665 /*
666 * Libpcap version string.
667 */
668 const char *
669 pcap_lib_version(void)
670 {
671 return (PCAP_VERSION_STRING);
672 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism