]> The Tcpdump Group git mirrors - libpcap/blob - pcap-bpf.c
projects / libpcap / blob


60caac6e66c61b36aae3d7a428eec7f9c4c03ea3
[libpcap] / pcap-bpf.c
1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1998
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21 #ifndef lint
22 static const char rcsid[] =
23 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.53 2002-10-08 07:18:08 guy Exp $ (LBL)";
24 #endif
25
26 #ifdef HAVE_CONFIG_H
27 #include "config.h"
28 #endif
29
30 #include <sys/param.h> /* optionally get BSD define */
31 #include <sys/time.h>
32 #include <sys/timeb.h>
33 #include <sys/socket.h>
34 #include <sys/file.h>
35 #include <sys/ioctl.h>
36
37 #include <net/if.h>
38 #ifdef _AIX
39 #include <net/if_types.h> /* for IFT_ values */
40 #endif
41
42 #include <ctype.h>
43 #include <errno.h>
44 #include <netdb.h>
45 #include <stdio.h>
46 #include <stdlib.h>
47 #include <string.h>
48 #include <unistd.h>
49
50 #include "pcap-int.h"
51
52 #ifdef HAVE_OS_PROTO_H
53 #include "os-proto.h"
54 #endif
55
56 #include "gencode.h"
57
58 int
59 pcap_stats(pcap_t *p, struct pcap_stat *ps)
60 {
61 struct bpf_stat s;
62
63 /*
64 * "ps_recv" counts packets handed to the filter, not packets
65 * that passed the filter. This includes packets later dropped
66 * because we ran out of buffer space.
67 *
68 * "ps_drop" counts packets dropped inside the BPF device
69 * because we ran out of buffer space. It doesn't count
70 * packets dropped by the interface driver. It counts
71 * only packets that passed the filter.
72 *
73 * Both statistics include packets not yet read from the kernel
74 * by libpcap, and thus not yet seen by the application.
75 */
76 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
77 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
78 pcap_strerror(errno));
79 return (-1);
80 }
81
82 ps->ps_recv = s.bs_recv;
83 ps->ps_drop = s.bs_drop;
84 return (0);
85 }
86
87 int
88 pcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
89 {
90 int cc;
91 int n = 0;
92 register u_char *bp, *ep;
93
94 again:
95 cc = p->cc;
96 if (p->cc == 0) {
97 cc = read(p->fd, (char *)p->buffer, p->bufsize);
98 if (cc < 0) {
99 /* Don't choke when we get ptraced */
100 switch (errno) {
101
102 case EINTR:
103 goto again;
104
105 #ifdef _AIX
106 case EFAULT:
107 /*
108 * Sigh. More AIX wonderfulness.
109 *
110 * It appears, according to Don
111 * Ebright, that a read from a BPF
112 * device returns -1 with "errno"
113 * set to EFAULT as an indication
114 * that packets have been dropped
115 * since the last successful read.
116 *
117 * This means that we shouldn't treat
118 * EFAULT as a fatal error; as we
119 * don't have an API for returning
120 * a "some packets were dropped since
121 * the last packet you saw" indication,
122 * we just ignore EFAULT and keep reading.
123 */
124 goto again;
125 #endif
126
127 case EWOULDBLOCK:
128 return (0);
129 #if defined(sun) && !defined(BSD)
130 /*
131 * Due to a SunOS bug, after 2^31 bytes, the kernel
132 * file offset overflows and read fails with EINVAL.
133 * The lseek() to 0 will fix things.
134 */
135 case EINVAL:
136 if (lseek(p->fd, 0L, SEEK_CUR) +
137 p->bufsize < 0) {
138 (void)lseek(p->fd, 0L, SEEK_SET);
139 goto again;
140 }
141 /* fall through */
142 #endif
143 }
144 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s",
145 pcap_strerror(errno));
146 return (-1);
147 }
148 bp = p->buffer;
149 } else
150 bp = p->bp;
151
152 /*
153 * Loop through each packet.
154 */
155 #define bhp ((struct bpf_hdr *)bp)
156 ep = bp + cc;
157 while (bp < ep) {
158 register int caplen, hdrlen;
159 caplen = bhp->bh_caplen;
160 hdrlen = bhp->bh_hdrlen;
161 /*
162 * XXX A bpf_hdr matches a pcap_pkthdr.
163 */
164 #ifdef _AIX
165 /*
166 * AIX's BPF returns seconds/nanoseconds time stamps, not
167 * seconds/microseconds time stamps.
168 *
169 * XXX - I'm guessing here that it's a "struct timestamp";
170 * if not, this code won't compile, but, if not, you
171 * want to send us a bug report and fall back on using
172 * DLPI. It's not as if BPF used to work right on
173 * AIX before this change; this change attempts to fix
174 * the fact that it didn't....
175 */
176 bhp->bh_tstamp.tv_usec = bhp->bh_tstamp.tv_usec/1000;
177 #endif
178 (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen);
179 bp += BPF_WORDALIGN(caplen + hdrlen);
180 if (++n >= cnt && cnt > 0) {
181 p->bp = bp;
182 p->cc = ep - bp;
183 return (n);
184 }
185 }
186 #undef bhp
187 p->cc = 0;
188 return (n);
189 }
190
191 static inline int
192 bpf_open(pcap_t *p, char *errbuf)
193 {
194 int fd;
195 int n = 0;
196 char device[sizeof "/dev/bpf0000000000"];
197
198 /*
199 * Go through all the minors and find one that isn't in use.
200 */
201 do {
202 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
203 fd = open(device, O_RDONLY);
204 } while (fd < 0 && errno == EBUSY);
205
206 /*
207 * XXX better message for all minors used
208 */
209 if (fd < 0)
210 snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s",
211 device, pcap_strerror(errno));
212
213 return (fd);
214 }
215
216 /*
217 * XXX - on AIX, IBM's tcpdump (and perhaps the incompatible-with-everybody-
218 * else's libpcap in AIX 5.1) appears to forcibly load the BPF driver
219 * if it's not already loaded, and to create the BPF devices if they
220 * don't exist.
221 *
222 * It'd be nice if we could do the same, although the code to do so
223 * might be version-dependent, alas (the way to do it isn't necessarily
224 * documented).
225 */
226 pcap_t *
227 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
228 {
229 int fd;
230 struct ifreq ifr;
231 struct bpf_version bv;
232 u_int v;
233 pcap_t *p;
234
235 p = (pcap_t *)malloc(sizeof(*p));
236 if (p == NULL) {
237 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
238 pcap_strerror(errno));
239 return (NULL);
240 }
241 memset(p, 0, sizeof(*p));
242 fd = bpf_open(p, ebuf);
243 if (fd < 0)
244 goto bad;
245
246 p->fd = fd;
247 p->snapshot = snaplen;
248
249 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
250 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
251 pcap_strerror(errno));
252 goto bad;
253 }
254 if (bv.bv_major != BPF_MAJOR_VERSION ||
255 bv.bv_minor < BPF_MINOR_VERSION) {
256 snprintf(ebuf, PCAP_ERRBUF_SIZE,
257 "kernel bpf filter out of date");
258 goto bad;
259 }
260
261 /*
262 * Try finding a good size for the buffer; 32768 may be too
263 * big, so keep cutting it in half until we find a size
264 * that works, or run out of sizes to try.
265 *
266 * XXX - there should be a user-accessible hook to set the
267 * initial buffer size.
268 */
269 for (v = 32768; v != 0; v >>= 1) {
270 /* Ignore the return value - this is because the call fails
271 * on BPF systems that don't have kernel malloc. And if
272 * the call fails, it's no big deal, we just continue to
273 * use the standard buffer size.
274 */
275 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
276
277 (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
278 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
279 break; /* that size worked; we're done */
280
281 if (errno != ENOBUFS) {
282 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
283 device, pcap_strerror(errno));
284 goto bad;
285 }
286 }
287
288 if (v == 0) {
289 snprintf(ebuf, PCAP_ERRBUF_SIZE,
290 "BIOCSBLEN: %s: No buffer size worked", device);
291 goto bad;
292 }
293
294 /* Get the data link layer type. */
295 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
296 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
297 pcap_strerror(errno));
298 goto bad;
299 }
300 #ifdef _AIX
301 /*
302 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
303 */
304 switch (v) {
305
306 case IFT_ETHER:
307 case IFT_ISO88023:
308 v = DLT_EN10MB;
309 break;
310
311 case IFT_FDDI:
312 v = DLT_FDDI;
313 break;
314
315 case IFT_ISO88025:
316 v = DLT_IEEE802;
317 break;
318
319 default:
320 /*
321 * We don't know what to map this to yet.
322 */
323 snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
324 v);
325 goto bad;
326 }
327 #endif
328 #if _BSDI_VERSION - 0 >= 199510
329 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
330 switch (v) {
331
332 case DLT_SLIP:
333 v = DLT_SLIP_BSDOS;
334 break;
335
336 case DLT_PPP:
337 v = DLT_PPP_BSDOS;
338 break;
339
340 case 11: /*DLT_FR*/
341 v = DLT_FRELAY;
342 break;
343
344 case 12: /*DLT_C_HDLC*/
345 v = DLT_CHDLC;
346 break;
347 }
348 #endif
349 p->linktype = v;
350
351 /* set timeout */
352 if (to_ms != 0) {
353 /*
354 * XXX - is this seconds/nanoseconds in AIX?
355 * (Treating it as such doesn't fix the timeout
356 * problem described below.)
357 */
358 struct timeval to;
359 to.tv_sec = to_ms / 1000;
360 to.tv_usec = (to_ms * 1000) % 1000000;
361 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
362 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
363 pcap_strerror(errno));
364 goto bad;
365 }
366 }
367
368 #ifdef _AIX
369 #ifdef BIOCIMMEDIATE
370 /*
371 * Darren Reed notes that
372 *
373 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
374 * timeout appears to be ignored and it waits until the buffer
375 * is filled before returning. The result of not having it
376 * set is almost worse than useless if your BPF filter
377 * is reducing things to only a few packets (i.e. one every
378 * second or so).
379 *
380 * so we turn BIOCIMMEDIATE mode on if this is AIX.
381 *
382 * We don't turn it on for other platforms, as that means we
383 * get woken up for every packet, which may not be what we want;
384 * in the Winter 1993 USENIX paper on BPF, they say:
385 *
386 * Since a process might want to look at every packet on a
387 * network and the time between packets can be only a few
388 * microseconds, it is not possible to do a read system call
389 * per packet and BPF must collect the data from several
390 * packets and return it as a unit when the monitoring
391 * application does a read.
392 *
393 * which I infer is the reason for the timeout - it means we
394 * wait that amount of time, in the hopes that more packets
395 * will arrive and we'll get them all with one read.
396 *
397 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other
398 * BSDs) causes the timeout to be ignored.
399 *
400 * On the other hand, some platforms (e.g., Linux) don't support
401 * timeouts, they just hand stuff to you as soon as it arrives;
402 * if that doesn't cause a problem on those platforms, it may
403 * be OK to have BIOCIMMEDIATE mode on BSD as well.
404 *
405 * (Note, though, that applications may depend on the read
406 * completing, even if no packets have arrived, when the timeout
407 * expires, e.g. GUI applications that have to check for input
408 * while waiting for packets to arrive; a non-zero timeout
409 * prevents "select()" from working right on FreeBSD and
410 * possibly other BSDs, as the timer doesn't start until a
411 * "read()" is done, so the timer isn't in effect if the
412 * application is blocked on a "select()", and the "select()"
413 * doesn't get woken up for a BPF device until the buffer
414 * fills up.)
415 */
416 v = 1;
417 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
418 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
419 pcap_strerror(errno));
420 goto bad;
421 }
422 #endif /* BIOCIMMEDIATE */
423 #endif /* _AIX */
424
425 if (promisc) {
426 /* set promiscuous mode, okay if it fails */
427 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
428 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s",
429 pcap_strerror(errno));
430 }
431 }
432
433 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
434 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
435 pcap_strerror(errno));
436 goto bad;
437 }
438 p->bufsize = v;
439 p->buffer = (u_char *)malloc(p->bufsize);
440 if (p->buffer == NULL) {
441 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
442 pcap_strerror(errno));
443 goto bad;
444 }
445
446 return (p);
447 bad:
448 (void)close(fd);
449 free(p);
450 return (NULL);
451 }
452
453 int
454 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
455 {
456 return (0);
457 }
458
459 int
460 pcap_setfilter(pcap_t *p, struct bpf_program *fp)
461 {
462 /*
463 * It looks that BPF code generated by gen_protochain() is not
464 * compatible with some of kernel BPF code (for example BSD/OS 3.1).
465 * Take a safer side for now.
466 */
467 if (no_optimize) {
468 if (install_bpf_program(p, fp) < 0)
469 return (-1);
470 } else if (p->sf.rfile != NULL) {
471 if (install_bpf_program(p, fp) < 0)
472 return (-1);
473 } else if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
474 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
475 pcap_strerror(errno));
476 return (-1);
477 }
478 return (0);
479 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism