]> The Tcpdump Group git mirrors - libpcap/blob - pcap-linux.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
802.11 support, from Javier Achirica <[email protected]>.
[libpcap] / pcap-linux.c
1 /*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
21 * written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27 #ifndef lint
28 static const char rcsid[] =
29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.58 2001-06-10 01:11:41 guy Exp $ (LBL)";
30 #endif
31
32 /*
33 * Known problems with 2.0[.x] kernels:
34 *
35 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
36 * if we use PF_PACKET, we can filter out the transmitted version
37 * of the packet by using data in the "sockaddr_ll" returned by
38 * "recvfrom()", but, on 2.0[.x] kernels, we have to use
39 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a
40 * "sockaddr_pkt" which doesn't give us enough information to let
41 * us do that.
42 *
43 * - We have to set the interface's IFF_PROMISC flag ourselves, if
44 * we're to run in promiscuous mode, which means we have to turn
45 * it off ourselves when we're done; the kernel doesn't keep track
46 * of how many sockets are listening promiscuously, which means
47 * it won't get turned off automatically when no sockets are
48 * listening promiscuously. We catch "pcap_close()" and, for
49 * interfaces we put into promiscuous mode, take them out of
50 * promiscuous mode - which isn't necessarily the right thing to
51 * do, if another socket also requested promiscuous mode between
52 * the time when we opened the socket and the time when we close
53 * the socket.
54 */
55
56
57 #ifdef HAVE_CONFIG_H
58 #include "config.h"
59 #endif
60
61 #include "pcap-int.h"
62 #include "sll.h"
63
64 #include <errno.h>
65 #include <stdlib.h>
66 #include <unistd.h>
67 #include <fcntl.h>
68 #include <string.h>
69 #include <sys/socket.h>
70 #include <sys/ioctl.h>
71 #include <sys/utsname.h>
72 #include <net/if.h>
73 #include <netinet/in.h>
74 #include <linux/if_ether.h>
75 #include <net/if_arp.h>
76
77 #ifdef HAVE_NETPACKET_PACKET_H
78 # include <netpacket/packet.h>
79
80 /*
81 * We assume this means we really do have PF_PACKET sockets.
82 */
83 # define HAVE_PF_PACKET_SOCKETS
84 #else
85 /*
86 * Oh, joy. Some Linux distributions have 2.2 or later kernels and
87 * libc5. On at least one of those systems (Slackware 4.0), it
88 * appears that "/usr/include/sys/socket.h" includes <linux/socket.h>,
89 * which means it picks up all the AF_, PF_, and SO_ definitions
90 * appropriate for the current kernel; however, it also appears that
91 * they did not see fit to provide a "/usr/include/netpacket/packet.h"
92 * file.
93 *
94 * However, you should be able to get the right definitions by including
95 * <linux/if_packet.h>.
96 *
97 * So if this system has PF_PACKET defined but doesn't have the
98 * <netpacket/packet.h> header file, we include <linux/if_packet.h>
99 * instead.
100 */
101 # ifdef PF_PACKET
102 # include <linux/if_packet.h>
103
104 /*
105 * However, on at least some Linux distributions (for example, Red Hat
106 * 5.2), there's no <netpacket/packet.h> file, but PF_PACKET is defined
107 * if you include <sys/socket.h>, but <linux/if_packet.h> doesn't define
108 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of
109 * the PACKET_xxx stuff.
110 *
111 * So we check whether PACKET_HOST is defined, and assume that we have
112 * PF_PACKET sockets only if it is defined.
113 */
114 # ifdef PACKET_HOST
115 # define HAVE_PF_PACKET_SOCKETS
116 # endif /* PACKET_HOST */
117 # endif /* PF_PACKET */
118 #endif /* HAVE_NETPACKET_PACKET_H */
119
120 #ifdef SO_ATTACH_FILTER
121 #include <linux/types.h>
122 #include <linux/filter.h>
123 #endif
124
125 #ifndef __GLIBC__
126 typedef int socklen_t;
127 #endif
128
129 #ifndef MSG_TRUNC
130 #define MSG_TRUNC 0
131 #endif
132
133 #define MAX_LINKHEADER_SIZE 256
134
135 /*
136 * When capturing on all interfaces we use this as the buffer size.
137 * Should be bigger then all MTUs that occur in real life.
138 * 64kB should be enough for now.
139 */
140 #define BIGGER_THAN_ALL_MTUS (64*1024)
141
142 /*
143 * Prototypes for internal functions
144 */
145 static int map_arphrd_to_dlt(pcap_t *, int);
146 static int live_open_old(pcap_t *, char *, int, int, char *);
147 static int live_open_new(pcap_t *, char *, int, int, char *);
148 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
149
150 /*
151 * Wrap some ioctl calls
152 */
153 #ifdef HAVE_PF_PACKET_SOCKETS
154 static int iface_get_id(int fd, const char *device, char *ebuf);
155 #endif
156 static int iface_get_mtu(int fd, const char *device, char *ebuf);
157 static int iface_get_arptype(int fd, const char *device, char *ebuf);
158 #ifdef HAVE_PF_PACKET_SOCKETS
159 static int iface_bind(int fd, int ifindex, char *ebuf);
160 #endif
161 static int iface_bind_old(int fd, const char *device, char *ebuf);
162
163 #ifdef SO_ATTACH_FILTER
164 static int fix_program(pcap_t *handle, struct sock_fprog *fcode);
165 static int fix_offset(struct bpf_insn *p);
166 #endif
167
168 /*
169 * Get a handle for a live capture from the given device. You can
170 * pass NULL as device to get all packages (without link level
171 * information of course). If you pass 1 as promisc the interface
172 * will be set to promiscous mode (XXX: I think this usage should
173 * be deprecated and functions be added to select that later allow
174 * modification of that values -- Torsten).
175 *
176 * See also pcap(3).
177 */
178 pcap_t *
179 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
180 {
181 /* Allocate a handle for this session. */
182
183 pcap_t *handle = malloc(sizeof(*handle));
184 if (handle == NULL) {
185 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
186 pcap_strerror(errno));
187 return NULL;
188 }
189
190 /* Initialize some components of the pcap structure. */
191
192 memset(handle, 0, sizeof(*handle));
193 handle->snapshot = snaplen;
194 handle->md.timeout = to_ms;
195
196 /*
197 * NULL and "any" are special devices which give us the hint to
198 * monitor all devices.
199 */
200 if (!device || strcmp(device, "any") == 0) {
201 device = NULL;
202 handle->md.device = strdup("any");
203 } else
204 handle->md.device = strdup(device);
205
206 if (handle->md.device == NULL) {
207 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
208 pcap_strerror(errno) );
209 free(handle);
210 return NULL;
211 }
212
213 /*
214 * Current Linux kernels use the protocol family PF_PACKET to
215 * allow direct access to all packets on the network while
216 * older kernels had a special socket type SOCK_PACKET to
217 * implement this feature.
218 * While this old implementation is kind of obsolete we need
219 * to be compatible with older kernels for a while so we are
220 * trying both methods with the newer method preferred.
221 */
222
223 if (! (live_open_new(handle, device, promisc, to_ms, ebuf) ||
224 live_open_old(handle, device, promisc, to_ms, ebuf)) )
225 {
226 /*
227 * Both methods to open the packet socket failed. Tidy
228 * up and report our failure (ebuf is expected to be
229 * set by the functions above).
230 */
231
232 free(handle->md.device);
233 free(handle);
234 return NULL;
235 }
236
237 return handle;
238 }
239
240 /*
241 * Read at most max_packets from the capture stream and call the callback
242 * for each of them. Returns the number of packets handled or -1 if an
243 * error occured.
244 */
245 int
246 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
247 {
248 /*
249 * Currently, on Linux only one packet is delivered per read,
250 * so we don't loop.
251 */
252 return pcap_read_packet(handle, callback, user);
253 }
254
255 /*
256 * Read a packet from the socket calling the handler provided by
257 * the user. Returns the number of packets received or -1 if an
258 * error occured.
259 */
260 static int
261 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
262 {
263 int offset;
264 #ifdef HAVE_PF_PACKET_SOCKETS
265 struct sockaddr_ll from;
266 struct sll_header *hdrp;
267 #else
268 struct sockaddr from;
269 #endif
270 socklen_t fromlen;
271 int packet_len, caplen;
272 struct pcap_pkthdr pcap_header;
273
274 #ifdef HAVE_PF_PACKET_SOCKETS
275 /*
276 * If this is a cooked device, leave extra room for a
277 * fake packet header.
278 */
279 if (handle->md.cooked)
280 offset = SLL_HDR_LEN;
281 else
282 offset = 0;
283 #else
284 /*
285 * This system doesn't have PF_PACKET sockets, so it doesn't
286 * support cooked devices.
287 */
288 offset = 0;
289 #endif
290
291 /* Receive a single packet from the kernel */
292
293 do {
294 fromlen = sizeof(from);
295 packet_len = recvfrom(
296 handle->fd, handle->buffer + offset + handle->offset,
297 handle->md.readlen - offset, MSG_TRUNC,
298 (struct sockaddr *) &from, &fromlen);
299 } while (packet_len == -1 && errno == EINTR);
300
301 /* Check if an error occured */
302
303 if (packet_len == -1) {
304 if (errno == EAGAIN)
305 return 0; /* no packet there */
306 else {
307 snprintf(handle->errbuf, sizeof(handle->errbuf),
308 "recvfrom: %s", pcap_strerror(errno));
309 return -1;
310 }
311 }
312
313 #ifdef HAVE_PF_PACKET_SOCKETS
314 /*
315 * If this is from the loopback device, reject outgoing packets;
316 * we'll see the packet as an incoming packet as well, and
317 * we don't want to see it twice.
318 *
319 * We can only do this if we're using PF_PACKET; the address
320 * returned for SOCK_PACKET is a "sockaddr_pkt" which lacks
321 * the relevant packet type information.
322 */
323 if (!handle->md.sock_packet &&
324 from.sll_ifindex == handle->md.lo_ifindex &&
325 from.sll_pkttype == PACKET_OUTGOING)
326 return 0;
327 #endif
328
329 #ifdef HAVE_PF_PACKET_SOCKETS
330 /*
331 * If this is a cooked device, fill in the fake packet header.
332 */
333 if (handle->md.cooked) {
334 /*
335 * Add the length of the fake header to the length
336 * of packet data we read.
337 */
338 packet_len += SLL_HDR_LEN;
339
340 hdrp = (struct sll_header *)handle->buffer;
341
342 /*
343 * Map the PACKET_ value to a LINUX_SLL_ value; we
344 * want the same numerical value to be used in
345 * the link-layer header even if the numerical values
346 * for the PACKET_ #defines change, so that programs
347 * that look at the packet type field will always be
348 * able to handle DLT_LINUX_SLL captures.
349 */
350 switch (from.sll_pkttype) {
351
352 case PACKET_HOST:
353 hdrp->sll_pkttype = htons(LINUX_SLL_HOST);
354 break;
355
356 case PACKET_BROADCAST:
357 hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST);
358 break;
359
360 case PACKET_MULTICAST:
361 hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST);
362 break;
363
364 case PACKET_OTHERHOST:
365 hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST);
366 break;
367
368 case PACKET_OUTGOING:
369 hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING);
370 break;
371
372 default:
373 hdrp->sll_pkttype = -1;
374 break;
375 }
376
377 hdrp->sll_hatype = htons(from.sll_hatype);
378 hdrp->sll_halen = htons(from.sll_halen);
379 memcpy(hdrp->sll_addr, from.sll_addr,
380 (from.sll_halen > SLL_ADDRLEN) ?
381 SLL_ADDRLEN :
382 from.sll_halen);
383 hdrp->sll_protocol = from.sll_protocol;
384 }
385 #endif
386
387 /*
388 * XXX: According to the kernel source we should get the real
389 * packet len if calling recvfrom with MSG_TRUNC set. It does
390 * not seem to work here :(, but it is supported by this code
391 * anyway.
392 * To be honest the code RELIES on that feature so this is really
393 * broken with 2.2.x kernels.
394 * I spend a day to figure out what's going on and I found out
395 * that the following is happening:
396 *
397 * The packet comes from a random interface and the packet_rcv
398 * hook is called with a clone of the packet. That code inserts
399 * the packet into the receive queue of the packet socket.
400 * If a filter is attached to that socket that filter is run
401 * first - and there lies the problem. The default filter always
402 * cuts the packet at the snaplen:
403 *
404 * # tcpdump -d
405 * (000) ret #68
406 *
407 * So the packet filter cuts down the packet. The recvfrom call
408 * says "hey, it's only 68 bytes, it fits into the buffer" with
409 * the result that we don't get the real packet length. This
410 * is valid at least until kernel 2.2.17pre6.
411 *
412 * We currently handle this by making a copy of the filter
413 * program, fixing all "ret" instructions with non-zero
414 * operands to have an operand of 65535 so that the filter
415 * doesn't truncate the packet, and supplying that modified
416 * filter to the kernel.
417 */
418
419 caplen = packet_len;
420 if (caplen > handle->snapshot)
421 caplen = handle->snapshot;
422
423 /* Run the packet filter if not using kernel filter */
424 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
425 if (bpf_filter(handle->fcode.bf_insns, handle->buffer,
426 packet_len, caplen) == 0)
427 {
428 /* rejected by filter */
429 return 0;
430 }
431 }
432
433 /* Fill in our own header data */
434
435 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
436 snprintf(handle->errbuf, sizeof(handle->errbuf),
437 "ioctl: %s", pcap_strerror(errno));
438 return -1;
439 }
440 pcap_header.caplen = caplen;
441 pcap_header.len = packet_len;
442
443 /* Call the user supplied callback function */
444 handle->md.stat.ps_recv++;
445 callback(userdata, &pcap_header, handle->buffer + handle->offset);
446
447 return 1;
448 }
449
450 /*
451 * Get the statistics for the given packet capture handle.
452 * FIXME: Currently does not report the number of dropped packets.
453 */
454 int
455 pcap_stats(pcap_t *handle, struct pcap_stat *stats)
456 {
457 *stats = handle->md.stat;
458 return 0;
459 }
460
461 /*
462 * Attach the given BPF code to the packet capture device.
463 */
464 int
465 pcap_setfilter(pcap_t *handle, struct bpf_program *filter)
466 {
467 #ifdef SO_ATTACH_FILTER
468 struct sock_fprog fcode;
469 int can_filter_in_kernel;
470 #endif
471
472 if (!handle)
473 return -1;
474 if (!filter) {
475 strncpy(handle->errbuf, "setfilter: No filter specified",
476 sizeof(handle->errbuf));
477 return -1;
478 }
479
480 /* Make our private copy of the filter */
481
482 if (install_bpf_program(handle, filter) < 0) {
483 snprintf(handle->errbuf, sizeof(handle->errbuf),
484 "malloc: %s", pcap_strerror(errno));
485 return -1;
486 }
487
488 /*
489 * Run user level packet filter by default. Will be overriden if
490 * installing a kernel filter succeeds.
491 */
492 handle->md.use_bpf = 0;
493
494 /*
495 * If we're reading from a savefile, don't try to install
496 * a kernel filter.
497 */
498 if (handle->sf.rfile != NULL)
499 return 0;
500
501 /* Install kernel level filter if possible */
502
503 #ifdef SO_ATTACH_FILTER
504 #ifdef USHRT_MAX
505 if (handle->fcode.bf_len > USHRT_MAX) {
506 /*
507 * fcode.len is an unsigned short for current kernel.
508 * I have yet to see BPF-Code with that much
509 * instructions but still it is possible. So for the
510 * sake of correctness I added this check.
511 */
512 fprintf(stderr, "Warning: Filter too complex for kernel\n");
513 fcode.filter = NULL;
514 can_filter_in_kernel = 0;
515 } else
516 #endif /* USHRT_MAX */
517 {
518 /*
519 * Oh joy, the Linux kernel uses struct sock_fprog instead
520 * of struct bpf_program and of course the length field is
521 * of different size. Pointed out by Sebastian
522 *
523 * Oh, and we also need to fix it up so that all "ret"
524 * instructions with non-zero operands have 65535 as the
525 * operand, and so that, if we're in cooked mode, all
526 * memory-reference instructions use special magic offsets
527 * in references to the link-layer header and assume that
528 * the link-layer payload begins at 0; "fix_program()"
529 * will do that.
530 */
531 switch (fix_program(handle, &fcode)) {
532
533 case -1:
534 default:
535 /*
536 * Fatal error; just quit.
537 * (The "default" case shouldn't happen; we
538 * return -1 for that reason.)
539 */
540 return -1;
541
542 case 0:
543 /*
544 * The program performed checks that we can't make
545 * work in the kernel.
546 */
547 can_filter_in_kernel = 0;
548 break;
549
550 case 1:
551 /*
552 * We have a filter that'll work in the kernel.
553 */
554 can_filter_in_kernel = 1;
555 break;
556 }
557 }
558
559 if (can_filter_in_kernel) {
560 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
561 &fcode, sizeof(fcode)) == 0)
562 {
563 /* Installation succeded - using kernel filter. */
564 handle->md.use_bpf = 1;
565 }
566 else
567 {
568 /*
569 * Print a warning if we weren't able to install
570 * the filter for a reason other than "this kernel
571 * isn't configured to support socket filters.
572 */
573 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
574 fprintf(stderr,
575 "Warning: Kernel filter failed: %s\n",
576 pcap_strerror(errno));
577 }
578 }
579 }
580
581 /*
582 * Free up the copy of the filter that was made by "fix_program()".
583 */
584 if (fcode.filter != NULL)
585 free(fcode.filter);
586 #endif /* SO_ATTACH_FILTER */
587
588 return 0;
589 }
590
591 /*
592 * Linux uses the ARP hardware type to identify the type of an
593 * interface. pcap uses the DLT_xxx constants for this. This
594 * function takes a pointer to a "pcap_t", and an ARPHRD_xxx
595 * constant, as arguments, and sets "handle->linktype" to the
596 * appropriate DLT_XXX constant and sets "handle->offset" to
597 * the appropriate value (to make "handle->offset" plus link-layer
598 * header length be a multiple of 4, so that the link-layer payload
599 * will be aligned on a 4-byte boundary when capturing packets).
600 * (If the offset isn't set here, it'll be 0; add code as appropriate
601 * for cases where it shouldn't be 0.)
602 *
603 * Returns -1 if unable to map the type; we print a message and,
604 * if we're using PF_PACKET/SOCK_RAW rather than PF_INET/SOCK_PACKET,
605 * we fall back on using PF_PACKET/SOCK_DGRAM.
606 */
607 static int map_arphrd_to_dlt(pcap_t *handle, int arptype)
608 {
609 switch (arptype) {
610
611 case ARPHRD_ETHER:
612 case ARPHRD_METRICOM:
613 case ARPHRD_LOOPBACK:
614 handle->linktype = DLT_EN10MB;
615 handle->offset = 2;
616 break;
617
618 case ARPHRD_EETHER:
619 handle->linktype = DLT_EN3MB;
620 break;
621
622 case ARPHRD_AX25:
623 handle->linktype = DLT_AX25;
624 break;
625
626 case ARPHRD_PRONET:
627 handle->linktype = DLT_PRONET;
628 break;
629
630 case ARPHRD_CHAOS:
631 handle->linktype = DLT_CHAOS;
632 break;
633
634 #ifndef ARPHRD_IEEE802_TR
635 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */
636 #endif
637 case ARPHRD_IEEE802_TR:
638 case ARPHRD_IEEE802:
639 handle->linktype = DLT_IEEE802;
640 handle->offset = 2;
641 break;
642
643 case ARPHRD_ARCNET:
644 handle->linktype = DLT_ARCNET;
645 break;
646
647 case ARPHRD_FDDI:
648 handle->linktype = DLT_FDDI;
649 handle->offset = 3;
650 break;
651
652 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
653 #define ARPHRD_ATM 19
654 #endif
655 case ARPHRD_ATM:
656 handle->linktype = DLT_ATM_CLIP;
657 break;
658
659 #ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */
660 #define ARPHRD_IEEE80211 801
661 #endif
662 case ARPHRD_IEEE80211:
663 handle->linktype = DLT_IEEE802_11;
664 break;
665
666 case ARPHRD_PPP:
667 /*
668 * Some PPP code in the kernel supplies no link-layer
669 * header whatsoever to PF_PACKET sockets; other PPP
670 * code supplies PPP link-layer headers ("syncppp.c");
671 * some PPP code might supply random link-layer
672 * headers (PPP over ISDN - there's code in Ethereal,
673 * for example, to cope with PPP-over-ISDN captures
674 * with which the Ethereal developers have had to cope,
675 * heuristically trying to determine which of the
676 * oddball link-layer headers particular packets have).
677 *
678 * As such, we just punt, and run all PPP interfaces
679 * in cooked mode.
680 */
681 handle->linktype = DLT_LINUX_SLL;
682 break;
683
684 case ARPHRD_HDLC:
685 handle->linktype = DLT_C_HDLC;
686 break;
687
688 /* Not sure if this is correct for all tunnels, but it
689 * works for CIPE */
690 case ARPHRD_TUNNEL:
691 #ifndef ARPHRD_SIT
692 #define ARPHRD_SIT 776 /* From Linux 2.2.14 */
693 #endif
694 case ARPHRD_SIT:
695 case ARPHRD_CSLIP:
696 case ARPHRD_SLIP6:
697 case ARPHRD_CSLIP6:
698 case ARPHRD_ADAPT:
699 case ARPHRD_SLIP:
700 /*
701 * XXX - should some of those be mapped to DLT_LINUX_SLL
702 * instead? Should we just map all of them to DLT_LINUX_SLL?
703 */
704 handle->linktype = DLT_RAW;
705 break;
706
707 default:
708 return -1;
709 }
710 return 0;
711 }
712
713 /* ===== Functions to interface to the newer kernels ================== */
714
715 /*
716 * Try to open a packet socket using the new kernel interface.
717 * Returns 0 on failure.
718 * FIXME: 0 uses to mean success (Sebastian)
719 */
720 static int
721 live_open_new(pcap_t *handle, char *device, int promisc,
722 int to_ms, char *ebuf)
723 {
724 #ifdef HAVE_PF_PACKET_SOCKETS
725 int sock_fd = -1, device_id, mtu, arptype;
726 struct packet_mreq mr;
727
728 /* One shot loop used for error handling - bail out with break */
729
730 do {
731 /*
732 * Open a socket with protocol family packet. If a device is
733 * given we try to open it in raw mode otherwise we use
734 * the cooked interface.
735 */
736 sock_fd = device ?
737 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
738 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
739
740 if (sock_fd == -1) {
741 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
742 pcap_strerror(errno) );
743 break;
744 }
745
746 /* It seems the kernel supports the new interface. */
747 handle->md.sock_packet = 0;
748
749 /*
750 * Get the interface index of the loopback device.
751 * If the attempt fails, don't fail, just set the
752 * "md.lo_ifindex" to -1.
753 *
754 * XXX - can there be more than one device that loops
755 * packets back, i.e. devices other than "lo"? If so,
756 * we'd need to find them all, and have an array of
757 * indices for them, and check all of them in
758 * "pcap_read_packet()".
759 */
760 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf);
761
762 /*
763 * Default value for offset to align link-layer payload
764 * on a 4-byte boundary.
765 */
766 handle->offset = 0;
767
768 /*
769 * What kind of frames do we have to deal with? Fall back
770 * to cooked mode if we have an unknown interface type.
771 */
772
773 if (device) {
774 /* Assume for now we don't need cooked mode. */
775 handle->md.cooked = 0;
776
777 arptype = iface_get_arptype(sock_fd, device, ebuf);
778 if (arptype == -1)
779 break;
780 if (map_arphrd_to_dlt(handle, arptype) == -1 ||
781 handle->linktype == DLT_LINUX_SLL ||
782 (handle->linktype == DLT_EN10MB &&
783 (strncmp("isdn", device, 4) == 0 ||
784 strncmp("isdY", device, 4) == 0))) {
785 /*
786 * Unknown interface type (-1), or a
787 * device we explicitly chose to run
788 * in cooked mode (e.g., PPP devices),
789 * or an ISDN device (whose link-layer
790 * type we can only determine by using
791 * APIs that may be different on different
792 * kernels) - reopen in cooked mode.
793 */
794 if (close(sock_fd) == -1) {
795 snprintf(ebuf, PCAP_ERRBUF_SIZE,
796 "close: %s", pcap_strerror(errno));
797 break;
798 }
799 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
800 htons(ETH_P_ALL));
801 if (sock_fd == -1) {
802 snprintf(ebuf, PCAP_ERRBUF_SIZE,
803 "socket: %s", pcap_strerror(errno));
804 break;
805 }
806 handle->md.cooked = 1;
807
808 if (handle->linktype == -1) {
809 /*
810 * Warn that we're falling back on
811 * cooked mode; we may want to
812 * update "map_arphrd_to_dlt()"
813 * to handle the new type.
814 */
815 fprintf(stderr,
816 "Warning: arptype %d not "
817 "supported by libpcap - "
818 "falling back to cooked "
819 "socket\n",
820 arptype);
821 }
822 handle->linktype = DLT_LINUX_SLL;
823 }
824
825 device_id = iface_get_id(sock_fd, device, ebuf);
826 if (device_id == -1)
827 break;
828
829 if (iface_bind(sock_fd, device_id, ebuf) == -1)
830 break;
831 } else {
832 /*
833 * This is cooked mode.
834 */
835 handle->md.cooked = 1;
836 handle->linktype = DLT_LINUX_SLL;
837
838 /*
839 * XXX - squelch GCC complaints about
840 * uninitialized variables; if we can't
841 * select promiscuous mode on all interfaces,
842 * we should move the code below into the
843 * "if (device)" branch of the "if" and
844 * get rid of the next statement.
845 */
846 device_id = -1;
847 }
848
849 /* Select promiscuous mode on/off */
850
851 #ifdef SOL_PACKET
852 /*
853 * Hmm, how can we set promiscuous mode on all interfaces?
854 * I am not sure if that is possible at all.
855 */
856
857 if (device) {
858 memset(&mr, 0, sizeof(mr));
859 mr.mr_ifindex = device_id;
860 mr.mr_type = promisc ?
861 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
862 if (setsockopt(sock_fd, SOL_PACKET,
863 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1)
864 {
865 snprintf(ebuf, PCAP_ERRBUF_SIZE,
866 "setsockopt: %s", pcap_strerror(errno));
867 break;
868 }
869 }
870 #endif
871
872 /* Compute the buffersize */
873
874 mtu = iface_get_mtu(sock_fd, device, ebuf);
875 if (mtu == -1)
876 break;
877 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
878
879 /* Fill in the pcap structure */
880
881 handle->fd = sock_fd;
882
883 handle->buffer = malloc(handle->bufsize + handle->offset);
884 if (!handle->buffer) {
885 snprintf(ebuf, PCAP_ERRBUF_SIZE,
886 "malloc: %s", pcap_strerror(errno));
887 break;
888 }
889
890 /*
891 * This is a 2.2 or later kernel, as it has PF_PACKET;
892 * "recvfrom()", when passed the MSG_TRUNC flag, will
893 * return the actual length of the packet, not the
894 * number of bytes from the packet copied to userland,
895 * so we can safely pass it a byte count based on the
896 * snapshot length.
897 */
898 handle->md.readlen = handle->snapshot;
899 return 1;
900
901 } while(0);
902
903 if (sock_fd != -1)
904 close(sock_fd);
905 return 0;
906 #else
907 strncpy(ebuf,
908 "New packet capturing interface not supported by build "
909 "environment", PCAP_ERRBUF_SIZE);
910 return 0;
911 #endif
912 }
913
914 #ifdef HAVE_PF_PACKET_SOCKETS
915 /*
916 * Return the index of the given device name. Fill ebuf and return
917 * -1 on failure.
918 */
919 static int
920 iface_get_id(int fd, const char *device, char *ebuf)
921 {
922 struct ifreq ifr;
923
924 memset(&ifr, 0, sizeof(ifr));
925 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
926
927 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
928 snprintf(ebuf, PCAP_ERRBUF_SIZE,
929 "ioctl: %s", pcap_strerror(errno));
930 return -1;
931 }
932
933 return ifr.ifr_ifindex;
934 }
935
936 /*
937 * Bind the socket associated with FD to the given device.
938 */
939 static int
940 iface_bind(int fd, int ifindex, char *ebuf)
941 {
942 struct sockaddr_ll sll;
943
944 memset(&sll, 0, sizeof(sll));
945 sll.sll_family = AF_PACKET;
946 sll.sll_ifindex = ifindex;
947 sll.sll_protocol = htons(ETH_P_ALL);
948
949 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
950 snprintf(ebuf, PCAP_ERRBUF_SIZE,
951 "bind: %s", pcap_strerror(errno));
952 return -1;
953 }
954
955 return 0;
956 }
957
958 #endif
959
960
961 /* ===== Functions to interface to the older kernels ================== */
962
963 /*
964 * With older kernels promiscuous mode is kind of interesting because we
965 * have to reset the interface before exiting. The problem can't really
966 * be solved without some daemon taking care of managing usage counts.
967 * If we put the interface into promiscuous mode, we set a flag indicating
968 * that we must take it out of that mode when the interface is closed,
969 * and, when closing the interface, if that flag is set we take it out
970 * of promiscuous mode.
971 */
972
973 /*
974 * List of pcaps for which we turned promiscuous mode on by hand.
975 * If there are any such pcaps, we arrange to call "pcap_close_all()"
976 * when we exit, and have it close all of them to turn promiscuous mode
977 * off.
978 */
979 static struct pcap *pcaps_to_close;
980
981 /*
982 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
983 * be called on exit.
984 */
985 static int did_atexit;
986
987 static void pcap_close_all(void)
988 {
989 struct pcap *handle;
990
991 while ((handle = pcaps_to_close) != NULL)
992 pcap_close(handle);
993 }
994
995 void pcap_close_linux( pcap_t *handle )
996 {
997 struct pcap *p, *prevp;
998 struct ifreq ifr;
999
1000 if (handle->md.clear_promisc) {
1001 /*
1002 * We put the interface into promiscuous mode; take
1003 * it out of promiscuous mode.
1004 *
1005 * XXX - if somebody else wants it in promiscuous mode,
1006 * this code cannot know that, so it'll take it out
1007 * of promiscuous mode. That's not fixable in 2.0[.x]
1008 * kernels.
1009 */
1010 memset(&ifr, 0, sizeof(ifr));
1011 strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name));
1012 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
1013 fprintf(stderr,
1014 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n"
1015 "Please adjust manually.\n"
1016 "Hint: This can't happen with Linux >= 2.2.0.\n",
1017 strerror(errno));
1018 } else {
1019 if (ifr.ifr_flags & IFF_PROMISC) {
1020 /*
1021 * Promiscuous mode is currently on; turn it
1022 * off.
1023 */
1024 ifr.ifr_flags &= ~IFF_PROMISC;
1025 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
1026 fprintf(stderr,
1027 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n"
1028 "Please adjust manually.\n"
1029 "Hint: This can't happen with Linux >= 2.2.0.\n",
1030 strerror(errno));
1031 }
1032 }
1033 }
1034
1035 /*
1036 * Take this pcap out of the list of pcaps for which we
1037 * have to take the interface out of promiscuous mode.
1038 */
1039 for (p = pcaps_to_close, prevp = NULL; p != NULL;
1040 prevp = p, p = p->md.next) {
1041 if (p == handle) {
1042 /*
1043 * Found it. Remove it from the list.
1044 */
1045 if (prevp == NULL) {
1046 /*
1047 * It was at the head of the list.
1048 */
1049 pcaps_to_close = p->md.next;
1050 } else {
1051 /*
1052 * It was in the middle of the list.
1053 */
1054 prevp->md.next = p->md.next;
1055 }
1056 break;
1057 }
1058 }
1059 }
1060 if (handle->md.device != NULL)
1061 free(handle->md.device);
1062 }
1063
1064 /*
1065 * Try to open a packet socket using the old kernel interface.
1066 * Returns 0 on failure.
1067 * FIXME: 0 uses to mean success (Sebastian)
1068 */
1069 static int
1070 live_open_old(pcap_t *handle, char *device, int promisc,
1071 int to_ms, char *ebuf)
1072 {
1073 int sock_fd = -1, mtu, arptype;
1074 struct utsname utsname;
1075 struct ifreq ifr;
1076
1077 do {
1078 /* Open the socket */
1079
1080 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
1081 if (sock_fd == -1) {
1082 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1083 "socket: %s", pcap_strerror(errno));
1084 break;
1085 }
1086
1087 /* It worked - we are using the old interface */
1088 handle->md.sock_packet = 1;
1089
1090 /* ...which means we get the link-layer header. */
1091 handle->md.cooked = 0;
1092
1093 /* Bind to the given device */
1094
1095 if (!device) {
1096 strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems",
1097 PCAP_ERRBUF_SIZE);
1098 break;
1099 }
1100 if (iface_bind_old(sock_fd, device, ebuf) == -1)
1101 break;
1102
1103 /* Go to promisc mode */
1104 if (promisc) {
1105 memset(&ifr, 0, sizeof(ifr));
1106 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1107 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) {
1108 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1109 "ioctl: %s", pcap_strerror(errno));
1110 break;
1111 }
1112 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
1113 /*
1114 * Promiscuous mode isn't currently on,
1115 * so turn it on, and remember that
1116 * we should turn it off when the
1117 * pcap_t is closed.
1118 */
1119
1120 /*
1121 * If we haven't already done so, arrange
1122 * to have "pcap_close_all()" called when
1123 * we exit.
1124 */
1125 if (!did_atexit) {
1126 if (atexit(pcap_close_all) == -1) {
1127 /*
1128 * "atexit()" failed; don't
1129 * put the interface in
1130 * promiscuous mode, just
1131 * give up.
1132 */
1133 strncpy(ebuf, "atexit failed",
1134 PCAP_ERRBUF_SIZE);
1135 break;
1136 }
1137 }
1138
1139 ifr.ifr_flags |= IFF_PROMISC;
1140 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) {
1141 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1142 "ioctl: %s",
1143 pcap_strerror(errno));
1144 break;
1145 }
1146 handle->md.clear_promisc = 1;
1147
1148 /*
1149 * Add this to the list of pcaps
1150 * to close when we exit.
1151 */
1152 handle->md.next = pcaps_to_close;
1153 pcaps_to_close = handle;
1154 }
1155 }
1156
1157 /* Compute the buffersize */
1158
1159 mtu = iface_get_mtu(sock_fd, device, ebuf);
1160 if (mtu == -1)
1161 break;
1162 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
1163 if (handle->bufsize < handle->snapshot)
1164 handle->bufsize = handle->snapshot;
1165
1166 /* All done - fill in the pcap handle */
1167
1168 arptype = iface_get_arptype(sock_fd, device, ebuf);
1169 if (arptype == -1)
1170 break;
1171
1172 /*
1173 * Default value for offset to align link-layer payload
1174 * on a 4-byte boundary.
1175 */
1176 handle->offset = 0;
1177
1178 handle->fd = sock_fd;
1179
1180 /*
1181 * XXX - handle ISDN types here? We can't fall back on
1182 * cooked sockets, so we'd have to figure out from the
1183 * device name what type of link-layer encapsulation
1184 * it's using, and map that to an appropriate DLT_
1185 * value, meaning we'd map "isdnN" devices to DLT_RAW
1186 * (they supply raw IP packets with no link-layer
1187 * header) and "isdY" devices to a new DLT_I4L_IP
1188 * type that has only an Ethernet packet type as
1189 * a link-layer header.
1190 */
1191 if (map_arphrd_to_dlt(handle, arptype) == -1) {
1192 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1193 "interface type of %s not supported", device);
1194 break;
1195 }
1196 handle->buffer = malloc(handle->bufsize + handle->offset);
1197 if (!handle->buffer) {
1198 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1199 "malloc: %s", pcap_strerror(errno));
1200 break;
1201 }
1202
1203 /*
1204 * This might be a 2.0[.x] kernel - check.
1205 */
1206 if (uname(&utsname) < 0 ||
1207 strncmp(utsname.release, "2.0", 3) == 0) {
1208 /*
1209 * Either we couldn't find out what kernel release
1210 * this is, or it's a 2.0[.x] kernel.
1211 *
1212 * In the 2.0[.x] kernel, a "recvfrom()" on
1213 * a SOCK_PACKET socket, with MSG_TRUNC set, will
1214 * return the number of bytes read, so if we pass
1215 * a length based on the snapshot length, it'll
1216 * return the number of bytes from the packet
1217 * copied to userland, not the actual length
1218 * of the packet.
1219 *
1220 * This means that, for example, the IP dissector
1221 * in tcpdump will get handed a packet length less
1222 * than the length in the IP header, and will
1223 * complain about "truncated-ip".
1224 *
1225 * So we don't bother trying to copy from the
1226 * kernel only the bytes in which we're interested,
1227 * but instead copy them all, just as the older
1228 * versions of libpcap for Linux did.
1229 *
1230 * Just one of many problems with packet capture
1231 * on 2.0[.x] kernels; you really want a 2.2[.x]
1232 * or later kernel if you want packet capture to
1233 * work well.
1234 */
1235 handle->md.readlen = handle->bufsize;
1236 } else {
1237 /*
1238 * This is a 2.2[.x] or later kernel (although
1239 * why we're using SOCK_PACKET on such a system
1240 * is unknown to me).
1241 *
1242 * We can safely pass "recvfrom()" a byte count
1243 * based on the snapshot length.
1244 */
1245 handle->md.readlen = handle->snapshot;
1246 }
1247 return 1;
1248
1249 } while (0);
1250
1251 if (sock_fd != -1)
1252 close(sock_fd);
1253 return 0;
1254 }
1255
1256 /*
1257 * Bind the socket associated with FD to the given device using the
1258 * interface of the old kernels.
1259 */
1260 static int
1261 iface_bind_old(int fd, const char *device, char *ebuf)
1262 {
1263 struct sockaddr saddr;
1264
1265 memset(&saddr, 0, sizeof(saddr));
1266 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
1267 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
1268 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1269 "bind: %s", pcap_strerror(errno));
1270 return -1;
1271 }
1272
1273 return 0;
1274 }
1275
1276
1277 /* ===== System calls available on all supported kernels ============== */
1278
1279 /*
1280 * Query the kernel for the MTU of the given interface.
1281 */
1282 static int
1283 iface_get_mtu(int fd, const char *device, char *ebuf)
1284 {
1285 struct ifreq ifr;
1286
1287 if (!device)
1288 return BIGGER_THAN_ALL_MTUS;
1289
1290 memset(&ifr, 0, sizeof(ifr));
1291 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1292
1293 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
1294 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1295 "ioctl: %s", pcap_strerror(errno));
1296 return -1;
1297 }
1298
1299 return ifr.ifr_mtu;
1300 }
1301
1302 /*
1303 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1304 */
1305 static int
1306 iface_get_arptype(int fd, const char *device, char *ebuf)
1307 {
1308 struct ifreq ifr;
1309
1310 memset(&ifr, 0, sizeof(ifr));
1311 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1312
1313 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1314 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1315 "ioctl: %s", pcap_strerror(errno));
1316 return -1;
1317 }
1318
1319 return ifr.ifr_hwaddr.sa_family;
1320 }
1321
1322 #ifdef HAVE_PF_PACKET_SOCKETS
1323 static int
1324 fix_program(pcap_t *handle, struct sock_fprog *fcode)
1325 {
1326 size_t prog_size;
1327 register int i;
1328 register struct bpf_insn *p;
1329 struct bpf_insn *f;
1330 int len;
1331
1332 /*
1333 * Make a copy of the filter, and modify that copy if
1334 * necessary.
1335 */
1336 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len;
1337 len = handle->fcode.bf_len;
1338 f = (struct bpf_insn *)malloc(prog_size);
1339 if (f == NULL) {
1340 snprintf(handle->errbuf, sizeof(handle->errbuf),
1341 "malloc: %s", pcap_strerror(errno));
1342 return -1;
1343 }
1344 memcpy(f, handle->fcode.bf_insns, prog_size);
1345 fcode->len = len;
1346 fcode->filter = (struct sock_filter *) f;
1347
1348 for (i = 0; i < len; ++i) {
1349 p = &f[i];
1350 /*
1351 * What type of instruction is this?
1352 */
1353 switch (BPF_CLASS(p->code)) {
1354
1355 case BPF_RET:
1356 /*
1357 * It's a return instruction; is the snapshot
1358 * length a constant, rather than the contents
1359 * of the accumulator?
1360 */
1361 if (BPF_MODE(p->code) == BPF_K) {
1362 /*
1363 * Yes - if the value to be returned,
1364 * i.e. the snapshot length, is anything
1365 * other than 0, make it 65535, so that
1366 * the packet is truncated by "recvfrom()",
1367 * not by the filter.
1368 *
1369 * XXX - there's nothing we can easily do
1370 * if it's getting the value from the
1371 * accumulator; we'd have to insert
1372 * code to force non-zero values to be
1373 * 65535.
1374 */
1375 if (p->k != 0)
1376 p->k = 65535;
1377 }
1378 break;
1379
1380 case BPF_LD:
1381 case BPF_LDX:
1382 /*
1383 * It's a load instruction; is it loading
1384 * from the packet?
1385 */
1386 switch (BPF_MODE(p->code)) {
1387
1388 case BPF_ABS:
1389 case BPF_IND:
1390 case BPF_MSH:
1391 /*
1392 * Yes; are we in cooked mode?
1393 */
1394 if (handle->md.cooked) {
1395 /*
1396 * Yes, so we need to fix this
1397 * instruction.
1398 */
1399 if (fix_offset(p) < 0) {
1400 /*
1401 * We failed to do so.
1402 * Return 0, so our caller
1403 * knows to punt to userland.
1404 */
1405 return 0;
1406 }
1407 }
1408 break;
1409 }
1410 break;
1411 }
1412 }
1413 return 1; /* we succeeded */
1414 }
1415
1416 static int
1417 fix_offset(struct bpf_insn *p)
1418 {
1419 /*
1420 * What's the offset?
1421 */
1422 if (p->k >= SLL_HDR_LEN) {
1423 /*
1424 * It's within the link-layer payload; that starts at an
1425 * offset of 0, as far as the kernel packet filter is
1426 * concerned, so subtract the length of the link-layer
1427 * header.
1428 */
1429 p->k -= SLL_HDR_LEN;
1430 } else if (p->k == 14) {
1431 /*
1432 * It's the protocol field; map it to the special magic
1433 * kernel offset for that field.
1434 */
1435 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL;
1436 } else {
1437 /*
1438 * It's within the header, but it's not one of those
1439 * fields; we can't do that in the kernel, so punt
1440 * to userland.
1441 */
1442 return -1;
1443 }
1444 return 0;
1445 }
1446 #endif
[mirror] the LIBpcap interface to various kernel packet capture mechanism