]> The Tcpdump Group git mirrors - libpcap/blob - pcap-linux.c
projects / libpcap / blob


4bb2496319ac2e71783a0e7fd516da828e199a84
[libpcap] / pcap-linux.c
1 /*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
21 * written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27 #ifndef lint
28 static const char rcsid[] =
29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.29 2000-09-20 07:52:04 guy Exp $ (LBL)";
30 #endif
31
32 /*
33 * Known bugs:
34 * - setting promiscuous on loopback gives every packet twice
35 */
36
37
38 #ifdef HAVE_CONFIG_H
39 #include "config.h"
40 #endif
41
42 #include "pcap-int.h"
43
44 #include <errno.h>
45 #include <stdlib.h>
46 #include <unistd.h>
47 #include <fcntl.h>
48 #include <string.h>
49 #include <sys/socket.h>
50 #include <sys/ioctl.h>
51 #include <net/if.h>
52 #include <netinet/in.h>
53 #include <linux/if_ether.h>
54 #include <netinet/if_ether.h>
55
56 #ifdef HAVE_NETPACKET_PACKET_H
57 #include <netpacket/packet.h>
58 #endif
59 #ifdef SO_ATTACH_FILTER
60 #include <linux/types.h>
61 #include <linux/filter.h>
62 #endif
63
64 #ifndef __GLIBC__
65 typedef int socklen_t;
66 #endif
67
68 #ifndef MSG_TRUNC
69 #define MSG_TRUNC 0
70 #endif
71
72 #define MAX_LINKHEADER_SIZE 256
73
74 /*
75 * Prototypes for internal functions
76 */
77 static int map_arphrd_to_dlt(int arptype );
78 static int live_open_old(pcap_t *, char *, int, int, char *);
79 static int live_open_new(pcap_t *, char *, int, int, char *);
80 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
81
82 /*
83 * Wrap some ioctl calls
84 */
85 static int iface_get_id(int fd, const char *device, char *ebuf);
86 static int iface_get_mtu(int fd, const char *device, char *ebuf);
87 static int iface_get_arptype(int fd, const char *device, char *ebuf);
88 static int iface_bind(int fd, int ifindex, char *ebuf);
89 static int iface_bind_old(int fd, const char *device, char *ebuf);
90
91 /*
92 * Get a handle for a live capture from the given device. You can
93 * pass NULL as device to get all packages (without link level
94 * information of course). If you pass 1 as promisc the interface
95 * will be set to promiscous mode (XXX: I think this usage should
96 * be deprecated and functions be added to select that later allow
97 * modification of that values -- Torsten).
98 *
99 * See also pcap(3).
100 */
101 pcap_t *
102 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
103 {
104 /* Allocate a handle for this session. */
105
106 pcap_t *handle = malloc(sizeof(*handle));
107 if (handle == NULL) {
108 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
109 pcap_strerror(errno));
110 return NULL;
111 }
112
113 /* Initialize some components of the pcap structure. */
114
115 memset(handle, 0, sizeof(*handle));
116 handle->snapshot = snaplen;
117 handle->md.timeout = to_ms;
118 handle->md.promisc = promisc;
119 handle->md.device = strdup(device);
120 if (handle->md.device == NULL) {
121 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
122 pcap_strerror(errno) );
123 free(handle);
124 return NULL;
125 }
126
127 /*
128 * Current Linux kernels use the protocol family PF_PACKET to
129 * allow direct access to all packets on the network while
130 * older kernels had a special socket type SOCK_PACKET to
131 * implement this feature.
132 * While this old implementation is kind of obsolete we need
133 * to be compatible with older kernels for a while so we are
134 * trying both methods with the newer method preferred.
135 */
136
137 if (! (live_open_new(handle, device, promisc, to_ms, ebuf) ||
138 live_open_old(handle, device, promisc, to_ms, ebuf)) )
139 {
140 /*
141 * Both methods to open the packet socket failed. Tidy
142 * up and report our failure (ebuf is expected to be
143 * set by the functions above).
144 */
145
146 free(handle->md.device);
147 free(handle);
148 return NULL;
149 }
150
151 /*
152 * Okay, now we have a packet stream open. Maybe we need to handle
153 * a timeout? In that case we set the filehandle to nonblocking
154 * so pcap_read can try reading the fd and call select if no data
155 * is available at first.
156 */
157
158 if (to_ms > 0) {
159 int flags = fcntl(handle->fd, F_GETFL);
160 if (flags != -1) {
161 flags |= O_NONBLOCK;
162 flags = fcntl(handle->fd, F_SETFL, flags);
163 }
164 if (flags == -1) {
165 snprintf(ebuf, PCAP_ERRBUF_SIZE, "fcntl: %s",
166 pcap_strerror(errno));
167 pcap_close(handle);
168 return NULL;
169 }
170 }
171
172 return handle;
173 }
174
175 /*
176 * Read at most max_packets from the capture stream and call the callback
177 * for each of them. Returns the number of packets handled or -1 if an
178 * error occured.
179 *
180 * XXX: Can I rely on the Linux-specified behaviour of select (returning
181 * the time left in the timeval structure)? I really don't want to query
182 * the system time before each select call...
183 *
184 * pcap_read currently gets not only a packet from the kernel but also
185 * the sockaddr_ll returned as source of the packet. This way we can at
186 * some time extend tcpdump and libpcap to sniff on all devices at a time
187 * and find the right printing routine by using the information in the
188 * sockaddr_ll structure.
189 */
190 int
191 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
192 {
193 int status, packets;
194 fd_set read_fds;
195 struct timeval tv;
196
197 /*
198 * Fill in a timeval structure for select if we need to obeye a
199 * timeout.
200 */
201 if (handle->md.timeout > 0) {
202 tv.tv_usec = (handle->md.timeout % 1000) * 1000;
203 tv.tv_sec = (handle->md.timeout / 1000);
204 }
205
206 /*
207 * Read packets until the packet limit has been reached or
208 * an error occured while reading. Call the user function
209 * for each received packet.
210 */
211 for (packets = 0; max_packets == -1 || packets < max_packets;)
212 {
213 status = pcap_read_packet(handle, callback, user);
214
215 if (status > 0) {
216 packets += status;
217 continue;
218 } else if (status == -1)
219 return -1;
220
221 /*
222 * If no packet is available we go to sleep. FIXME: This
223 * might be better implemented using poll(?)
224 */
225 FD_ZERO(&read_fds);
226 FD_SET(handle->fd, &read_fds);
227 status = select(handle->fd + 1,
228 &read_fds, NULL, NULL, &tv);
229 if (status == -1) {
230 snprintf(handle->errbuf, sizeof(handle->errbuf),
231 "select: %s", pcap_strerror(errno));
232 return -1;
233 } else if (status == 0 ||
234 (tv.tv_usec == 0 && tv.tv_sec == 0))
235 return packets;
236 }
237
238 return packets;
239 }
240
241 /*
242 * Read a packet from the socket calling the handler provided by
243 * the user. Returns the number of packets received or -1 if an
244 * error occured.
245 */
246 static int
247 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
248 {
249 struct sockaddr from;
250 socklen_t fromlen;
251 int packet_len, caplen;
252 struct pcap_pkthdr pcap_header;
253
254 /*
255 * We don't currently use the from return value of recvfrom but
256 * this will probably be implemented in the future.
257 */
258
259 /* Receive a single packet from the kernel */
260
261 do {
262 fromlen = sizeof(from);
263 packet_len = recvfrom(
264 handle->fd, handle->buffer + handle->offset,
265 handle->snapshot, MSG_TRUNC,
266 (struct sockaddr *) &from, &fromlen);
267 } while (packet_len == -1 && errno == EINTR);
268
269 /* Check if an error occured */
270
271 if (packet_len == -1) {
272 if (errno == EAGAIN)
273 return 0; /* no packet there */
274 else {
275 snprintf(handle->errbuf, sizeof(handle->errbuf),
276 "recvfrom: %s", pcap_strerror(errno));
277 return -1;
278 }
279 }
280
281 /*
282 * XXX: According to the kernel source we should get the real
283 * packet len if calling recvfrom with MSG_TRUNC set. It does
284 * not seem to work here :(, but it is supported by this code
285 * anyway.
286 * To be honest the code RELIES on that feature so this is really
287 * broken with 2.2.x kernels.
288 * I spend a day to figure out what's going on and I found out
289 * that the following is happening:
290 *
291 * The packet comes from a random interface and the packet_rcv
292 * hook is called with a clone of the packet. That code inserts
293 * the packet into the receive queue of the packet socket.
294 * If a filter is attached to that socket that filter is run
295 * first - and there lies the problem. The default filter always
296 * cuts the packet at the snaplen:
297 *
298 * # tcpdump -d
299 * (000) ret #68
300 *
301 * So the packet filter cuts down the packet. The recvfrom call
302 * says "hey, it's only 68 bytes, it fits into the buffer" with
303 * the result that we don't get the real packet length. This
304 * is valid at least until kernel 2.2.17pre6.
305 *
306 * tcpdump is currently fixed by changing the BPF code generator
307 * to not truncate the received packet.
308 */
309
310 caplen = packet_len;
311 if (caplen > handle->snapshot)
312 caplen = handle->snapshot;
313
314 /* Run the packet filter if not using kernel filter */
315 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
316 if (bpf_filter(handle->fcode.bf_insns, handle->buffer,
317 packet_len, caplen) == 0)
318 {
319 /* rejected by filter */
320 return 0;
321 }
322 }
323
324 /* Fill in our own header data */
325
326 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
327 snprintf(handle->errbuf, sizeof(handle->errbuf),
328 "ioctl: %s", pcap_strerror(errno));
329 return -1;
330 }
331 pcap_header.caplen = caplen;
332 pcap_header.len = packet_len;
333
334 /* Call the user supplied callback function */
335 handle->md.stat.ps_recv++;
336 callback(userdata, &pcap_header, handle->buffer + handle->offset);
337
338 return 1;
339 }
340
341 /*
342 * Get the statistics for the given packet capture handle.
343 * FIXME: Currently does not report the number of dropped packets.
344 */
345 int
346 pcap_stats(pcap_t *handle, struct pcap_stat *stats)
347 {
348 *stats = handle->md.stat;
349 return 0;
350 }
351
352 /*
353 * Attach the given BPF code to the packet capture device.
354 */
355 int
356 pcap_setfilter(pcap_t *handle, struct bpf_program *filter)
357 {
358 #ifdef SO_ATTACH_FILTER
359 struct sock_fprog fcode;
360 #endif
361
362 if (!handle)
363 return -1;
364 if (!filter) {
365 strncpy(handle->errbuf, "setfilter: No filter specified",
366 sizeof(handle->errbuf));
367 return -1;
368 }
369
370 /* Free old filter code if existing */
371
372 handle->fcode.bf_len = 0;
373 if (handle->fcode.bf_insns) {
374 free(handle->fcode.bf_insns);
375 handle->fcode.bf_insns = NULL;
376 }
377
378
379 /* Make our private copy of the filter */
380
381 handle->fcode.bf_len = filter->bf_len;
382 handle->fcode.bf_insns =
383 malloc(filter->bf_len * sizeof(*filter->bf_insns));
384 if (handle->fcode.bf_insns == NULL) {
385 snprintf(handle->errbuf, sizeof(handle->errbuf),
386 "malloc: %s", pcap_strerror(errno));
387 return -1;
388 }
389 memcpy(handle->fcode.bf_insns, filter->bf_insns,
390 filter->bf_len * sizeof(*filter->bf_insns));
391
392 /*
393 * Run user level packet filter by default. Will be overriden if
394 * installing a kernel filter succeeds.
395 */
396 handle->md.use_bpf = 0;
397
398 /* Install kernel level filter if possible */
399
400 #ifdef SO_ATTACH_FILTER
401 /*
402 * Oh joy, the Linux kernel uses struct sock_fprog instead of
403 * struct bpf_program and of course the length field is of
404 * different size. Pointed out by Sebastian
405 */
406
407 fcode.filter = (struct sock_filter *) handle->fcode.bf_insns;
408 fcode.len = filter->bf_len;
409 #ifdef USHRT_MAX
410 if (filter->bf_len > USHRT_MAX) {
411 /*
412 * fcode.len is an unsigned short for current kernel.
413 * I have yet to see BPF-Code with that much instructions
414 * but still it is possible. So for the sake of
415 * correctness I added this check.
416 */
417 fprintf(stderr, "Warning: Filter to complex for kernel\n");
418 }
419 else
420 #endif
421 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
422 &fcode, sizeof(fcode)) == 0)
423 {
424 /* Installation succeded - using kernel filter. */
425 handle->md.use_bpf = 1;
426 }
427 else
428 {
429 /*
430 * Print a warning if kernel filter available but a problem
431 * occured using it.
432 */
433 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
434 fprintf(stderr, "Warning: Kernel filter failed: %s\n",
435 pcap_strerror(errno));
436 }
437 }
438 #endif
439
440 return 0;
441 }
442
443 /*
444 * Linux uses the ARP hardware type to identify the type of an
445 * interface. pcap uses the PCAP_ENCAP_xxx constants for this. This
446 * function maps the ARPHRD_xxx constant to an appropriate
447 * PCAP_ENCAP__xxx constant.
448 *
449 * Returns -1 if unable to map the type.
450 */
451 static int map_arphrd_to_dlt(int arptype)
452 {
453 switch (arptype) {
454 case ARPHRD_ETHER:
455 case ARPHRD_METRICOM:
456 case ARPHRD_LOOPBACK:
457 return PCAP_ENCAP_ETHERNET;
458
459 case ARPHRD_EETHER:
460 return PCAP_ENCAP_EXP_ETHERNET;
461
462 case ARPHRD_AX25:
463 return PCAP_ENCAP_AX25;
464
465 case ARPHRD_PRONET:
466 return PCAP_ENCAP_PRONET;
467
468 case ARPHRD_CHAOS:
469 return PCAP_ENCAP_CHAOS;
470
471 case ARPHRD_IEEE802:
472 return PCAP_ENCAP_TOKEN_RING;
473
474 case ARPHRD_ARCNET:
475 return PCAP_ENCAP_ARCNET;
476
477 case ARPHRD_FDDI:
478 return PCAP_ENCAP_FDDI;
479
480 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
481 #define ARPHRD_ATM 19
482 #endif
483 case ARPHRD_ATM:
484 return PCAP_ENCAP_ATM_CLIP;
485
486 case ARPHRD_PPP:
487 case ARPHRD_CSLIP:
488 case ARPHRD_SLIP6:
489 case ARPHRD_CSLIP6:
490 case ARPHRD_SLIP:
491 return PCAP_ENCAP_RAW;
492 }
493
494 return -1;
495 }
496
497 /* ===== Functions to interface to the newer kernels ================== */
498
499 /*
500 * Try to open a packet socket using the new kernel interface.
501 * Returns 0 on failure.
502 * FIXME: 0 uses to mean success (Sebastian)
503 */
504 static int
505 live_open_new(pcap_t *handle, char *device, int promisc,
506 int to_ms, char *ebuf)
507 {
508 #ifdef HAVE_NETPACKET_PACKET_H
509 int sock_fd = -1, device_id, mtu, arptype;
510 struct packet_mreq mr;
511
512 /* One shot loop used for error handling - bail out with break */
513
514 do {
515 /* Open a socket with protocol family packet. */
516 sock_fd = socket( PF_PACKET, SOCK_RAW, htons(ETH_P_ALL) );
517 if (sock_fd == -1) {
518 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
519 pcap_strerror(errno) );
520 break;
521 }
522
523 /* It seems the kernel supports the new interface. */
524 handle->md.sock_packet = 0;
525
526 /*
527 * Currently we only support monitoring a single interface.
528 * While the kernel can do more I want to reimplement the
529 * old features first before adding new.
530 */
531
532 if (!device) {
533 snprintf(ebuf, PCAP_ERRBUF_SIZE,
534 "pcap_open_live: No device given");
535 break;
536 }
537
538 /*
539 * What kind of frames do we have to deal with? Fall back
540 * to cooked mode if we have an unknown interface type.
541 */
542
543 arptype = iface_get_arptype(sock_fd, device, ebuf);
544 if (arptype == -1)
545 break;
546 handle->linktype = map_arphrd_to_dlt(arptype);
547 if (handle->linktype == -1) {
548 /* Unknown interface type - reopen in cooked mode */
549
550 if (close(sock_fd) == -1) {
551 snprintf(ebuf, PCAP_ERRBUF_SIZE,
552 "close: %s", pcap_strerror(errno));
553 break;
554 }
555 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
556 htons(ETH_P_ALL));
557 if (sock_fd == -1) {
558 snprintf(ebuf, PCAP_ERRBUF_SIZE,
559 "socket: %s", pcap_strerror(errno));
560 break;
561 }
562
563 fprintf(stderr,
564 "Warning: Falling back to cooked socket\n");
565 handle->linktype = PCAP_ENCAP_RAW;
566 }
567
568
569 device_id = iface_get_id(sock_fd, device, ebuf);
570 if (device_id == -1)
571 break;
572
573 if (iface_bind(sock_fd, device_id, ebuf) == -1)
574 break;
575
576 /* Select promiscous mode on/off */
577
578 #ifdef SOL_PACKET
579 /*
580 * XXX: We got reports that this does not work in 2.3.99.
581 * Need to investigate. Using ioctl to switch the promisc
582 * mode at device level costs us most of the benefits of
583 * using the new kernel interface.
584 * UPDATE: I found the bug. The kernel checks mr_alen
585 * even if it is of zero interest for the request. A
586 * random value there made the kernel return EINVAL.
587 * Probably the right solution is to memset the whole
588 * struct at first.
589 */
590
591 memset(&mr, 0, sizeof(mr));
592 mr.mr_ifindex = device_id;
593 mr.mr_type = promisc ?
594 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
595 if (setsockopt(sock_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
596 &mr, sizeof(mr)) == -1)
597 {
598 snprintf(ebuf, PCAP_ERRBUF_SIZE,
599 "setsockopt: %s", pcap_strerror(errno));
600 break;
601 }
602 #endif
603
604 /* Compute the buffersize */
605
606 mtu = iface_get_mtu(sock_fd, device, ebuf);
607 if( mtu == -1 )
608 break;
609 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
610
611 /* Fill in the pcap structure */
612
613 handle->fd = sock_fd;
614 handle->offset = 0;
615
616 handle->buffer = malloc(handle->bufsize);
617 if (!handle->buffer) {
618 snprintf(ebuf, PCAP_ERRBUF_SIZE,
619 "malloc: %s", pcap_strerror(errno));
620 break;
621 }
622
623 return 1;
624
625 } while(0);
626
627 if (sock_fd != -1)
628 close(sock_fd);
629 return 0;
630 #else
631 strncpy(ebuf,
632 "New packet capturing interface not supported by build "
633 "environment", PCAP_ERRBUF_SIZE);
634 return 0;
635 #endif
636 }
637
638 #ifdef HAVE_NETPACKET_PACKET_H
639 /*
640 * Return the index of the given device name. Fill ebuf and return
641 * -1 on failure.
642 */
643 static int
644 iface_get_id(int fd, const char *device, char *ebuf)
645 {
646 struct ifreq ifr;
647
648 memset(&ifr, 0, sizeof(ifr));
649 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
650
651 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
652 snprintf(ebuf, PCAP_ERRBUF_SIZE,
653 "ioctl: %s", pcap_strerror(errno));
654 return -1;
655 }
656
657 return ifr.ifr_ifindex;
658 }
659
660 /*
661 * Bind the socket associated with FD to the given device.
662 */
663 static int
664 iface_bind(int fd, int ifindex, char *ebuf)
665 {
666 struct sockaddr_ll sll;
667
668 memset(&sll, 0, sizeof(sll));
669 sll.sll_family = AF_PACKET;
670 sll.sll_ifindex = ifindex;
671 sll.sll_protocol = htons(ETH_P_ALL);
672
673 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
674 snprintf(ebuf, PCAP_ERRBUF_SIZE,
675 "bind: %s", pcap_strerror(errno));
676 return -1;
677 }
678
679 return 0;
680 }
681
682 #endif
683
684
685 /* ===== Functions to interface to the older kernels ================== */
686
687 /*
688 * With older kernels promiscuous mode is kind of interesting because we
689 * have to reset the interface before exiting. The problem can't really
690 * be solved without some daemon taking care of managing usage counts.
691 * We save the promiscuous state of the device when opening the capture
692 * stream and arrange for it to be reset on process exit.
693 *
694 * XXX: This solution is still not correct even for this case. The
695 * devices stay in promiscuous mode until the process exits. I need to
696 * modify pcap_close to solve this.
697 */
698
699 /*
700 * The device name and the interface flags to be restored at exit
701 */
702 struct ifreq restore_ifr;
703
704 static void restore_interface( void )
705 {
706 int status = socket(PF_INET, SOCK_PACKET, 0);
707
708 if (status != -1)
709 status = ioctl(status, SIOCSIFFLAGS, &restore_ifr);
710
711 if (status == -1) {
712 fprintf(stderr,
713 "Can't restore interface flags. Please adjust manually. \n"
714 "Hint: This can't happen with Linux >= 2.2.0.\n");
715 }
716 }
717
718 /*
719 * Try to open a packet socket using the old kernel interface.
720 * Returns 0 on failure.
721 * FIXME: 0 uses to mean success (Sebastian)
722 */
723 static int
724 live_open_old(pcap_t *handle, char *device, int promisc,
725 int to_ms, char *ebuf)
726 {
727 int sock_fd = -1, mtu, arptype;
728 struct ifreq ifr;
729
730 do {
731 /* Open the socket */
732
733 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
734 if (sock_fd == -1) {
735 snprintf(ebuf, PCAP_ERRBUF_SIZE,
736 "socket: %s", pcap_strerror(errno));
737 break;
738 }
739
740 /* It worked - we are using the old interface */
741 handle->md.sock_packet = 1;
742
743 /* Bind to the given device */
744
745 if (!device) {
746 strncpy(ebuf, "pcap_open_live: No interface given",
747 PCAP_ERRBUF_SIZE);
748 break;
749 }
750 if (iface_bind_old(sock_fd, device, ebuf) == -1)
751 break;
752
753 /* Go to promisc mode */
754 if (promisc) {
755 memset(&ifr, 0, sizeof(ifr));
756 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
757 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) {
758 snprintf(ebuf, PCAP_ERRBUF_SIZE,
759 "ioctl: %s", pcap_strerror(errno));
760 break;
761 }
762 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
763 restore_ifr = ifr;
764 ifr.ifr_flags |= IFF_PROMISC;
765 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) {
766 snprintf(ebuf, PCAP_ERRBUF_SIZE,
767 "ioctl: %s",
768 pcap_strerror(errno));
769 break;
770 }
771 if (atexit(restore_interface) == -1) {
772 restore_interface();
773 strncpy(ebuf, "atexit failed",
774 PCAP_ERRBUF_SIZE);
775 break;
776 }
777 }
778 }
779
780
781 /* Compute the buffersize */
782
783 mtu = iface_get_mtu(sock_fd, device, ebuf);
784 if (mtu == -1)
785 break;
786 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
787
788 /* All done - fill in the pcap handle */
789
790 arptype = iface_get_arptype(sock_fd, device, ebuf);
791 if (arptype == -1)
792 break;
793
794 handle->fd = sock_fd;
795 handle->offset = 0;
796 handle->linktype = map_arphrd_to_dlt(arptype);
797 if(handle->linktype == -1) {
798 snprintf(ebuf, PCAP_ERRBUF_SIZE,
799 "interface type of %s not supported", device);
800 break;
801 }
802 handle->buffer = malloc(handle->bufsize);
803 if (!handle->buffer) {
804 snprintf(ebuf, PCAP_ERRBUF_SIZE,
805 "malloc: %s", pcap_strerror(errno));
806 break;
807 }
808
809 return 1;
810
811 } while (0);
812
813 if(sock_fd != -1)
814 close(sock_fd);
815 return 0;
816 }
817
818 /*
819 * Bind the socket associated with FD to the given device using the
820 * interface of the old kernels.
821 */
822 static int
823 iface_bind_old(int fd, const char *device, char *ebuf)
824 {
825 struct sockaddr saddr;
826
827 memset(&saddr, 0, sizeof(saddr));
828 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
829 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
830 snprintf(ebuf, PCAP_ERRBUF_SIZE,
831 "bind: %s", pcap_strerror(errno));
832 return -1;
833 }
834
835 return 0;
836 }
837
838
839 /* ===== System calls available on all supported kernels ============== */
840
841 /*
842 * Query the kernel for the MTU of the given interface.
843 */
844 static int
845 iface_get_mtu(int fd, const char *device, char *ebuf)
846 {
847 struct ifreq ifr;
848
849 memset(&ifr, 0, sizeof(ifr));
850 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
851
852 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
853 snprintf(ebuf, PCAP_ERRBUF_SIZE,
854 "ioctl: %s", pcap_strerror(errno));
855 return -1;
856 }
857
858 return ifr.ifr_mtu;
859 }
860
861 /*
862 * Get the hardware type of the given interface as ARPHRD_xxx constant.
863 */
864 static int
865 iface_get_arptype(int fd, const char *device, char *ebuf)
866 {
867 struct ifreq ifr;
868
869 memset(&ifr, 0, sizeof(ifr));
870 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
871
872 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
873 snprintf(ebuf, PCAP_ERRBUF_SIZE,
874 "ioctl: %s", pcap_strerror(errno));
875 return -1;
876 }
877
878 return ifr.ifr_hwaddr.sa_family;
879 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism