]> The Tcpdump Group git mirrors - libpcap/blob - pcap-rpcap.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix typos in some comments
[libpcap] / pcap-rpcap.c
1 /*
2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16 * nor the names of its contributors may be used to endorse or promote
17 * products derived from this software without specific prior written
18 * permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 *
32 */
33
34 #ifdef HAVE_CONFIG_H
35 #include <config.h>
36 #endif
37
38 #include "ftmacros.h"
39
40 #include <string.h> /* for strlen(), ... */
41 #include <stdlib.h> /* for malloc(), free(), ... */
42 #include <stdarg.h> /* for functions with variable number of arguments */
43 #include <errno.h> /* for the errno variable */
44 #include "sockutils.h"
45 #include "pcap-int.h"
46 #include "rpcap-protocol.h"
47 #include "pcap-rpcap.h"
48
49 #ifdef _WIN32
50 #include "charconv.h" /* for utf_8_to_acp_truncated() */
51 #endif
52
53 #ifdef HAVE_OPENSSL
54 #include "sslutils.h"
55 #endif
56
57 /*
58 * This file contains the pcap module for capturing from a remote machine's
59 * interfaces using the RPCAP protocol.
60 *
61 * WARNING: All the RPCAP functions that are allowed to return a buffer
62 * containing the error description can return max PCAP_ERRBUF_SIZE characters.
63 * However there is no guarantees that the string will be zero-terminated.
64 * Best practice is to define the errbuf variable as a char of size
65 * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
66 * of the buffer. This will guarantee that no buffer overflows occur even
67 * if we use the printf() to show the error on the screen.
68 *
69 * XXX - actually, null-terminating the error string is part of the
70 * contract for the pcap API; if there's any place in the pcap code
71 * that doesn't guarantee null-termination, even at the expense of
72 * cutting the message short, that's a bug and needs to be fixed.
73 */
74
75 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
76 #ifdef _WIN32
77 #define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
78 #endif
79
80 /*
81 * \brief Keeps a list of all the opened connections in the active mode.
82 *
83 * This structure defines a linked list of items that are needed to keep the info required to
84 * manage the active mode.
85 * In other words, when a new connection in active mode starts, this structure is updated so that
86 * it reflects the list of active mode connections currently opened.
87 * This structure is required by findalldevs() and open_remote() to see if they have to open a new
88 * control connection toward the host, or they already have a control connection in place.
89 */
90 struct activehosts
91 {
92 struct sockaddr_storage host;
93 SOCKET sockctrl;
94 SSL *ssl;
95 uint8 protocol_version;
96 struct activehosts *next;
97 };
98
99 /* Keeps a list of all the opened connections in the active mode. */
100 static struct activehosts *activeHosts;
101
102 /*
103 * Keeps the main socket identifier when we want to accept a new remote
104 * connection (active mode only).
105 * See the documentation of pcap_remoteact_accept() and
106 * pcap_remoteact_cleanup() for more details.
107 */
108 static SOCKET sockmain;
109 static SSL *ssl_main;
110
111 /*
112 * Private data for capturing remotely using the rpcap protocol.
113 */
114 struct pcap_rpcap {
115 /*
116 * This is '1' if we're the network client; it is needed by several
117 * functions (such as pcap_setfilter()) to know whether they have
118 * to use the socket or have to open the local adapter.
119 */
120 int rmt_clientside;
121
122 SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */
123 SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */
124 SSL *ctrl_ssl, *data_ssl; /* optional transport of rmt_sockctrl and rmt_sockdata via TLS */
125 int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
126 int rmt_capstarted; /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */
127 char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
128
129 uint8 protocol_version; /* negotiated protocol version */
130 uint8 uses_ssl; /* User asked for rpcaps scheme */
131
132 unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */
133
134 /*
135 * This keeps the number of packets that have been received by the
136 * application.
137 *
138 * Packets dropped by the kernel buffer are not counted in this
139 * variable. It is always equal to (TotAccepted - TotDrops),
140 * except for the case of remote capture, in which we have also
141 * packets in flight, i.e. that have been transmitted by the remote
142 * host, but that have not been received (yet) from the client.
143 * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
144 * wrong result, since this number does not corresponds always to
145 * the number of packet received by the application. For this reason,
146 * in the remote capture we need another variable that takes into
147 * account of the number of packets actually received by the
148 * application.
149 */
150 unsigned int TotCapt;
151
152 struct pcap_stat stat;
153 /* XXX */
154 struct pcap *next; /* list of open pcaps that need stuff cleared on close */
155 };
156
157 /****************************************************
158 * *
159 * Locally defined functions *
160 * *
161 ****************************************************/
162 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
163 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
164 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
165 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
166 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
167 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
168 static int pcap_setsampling_remote(pcap_t *fp);
169 static int pcap_startcapture_remote(pcap_t *fp);
170 static int rpcap_recv_msg_header(SOCKET sock, SSL *, struct rpcap_header *header, char *errbuf);
171 static int rpcap_check_msg_ver(SOCKET sock, SSL *, uint8 expected_ver, struct rpcap_header *header, char *errbuf);
172 static int rpcap_check_msg_type(SOCKET sock, SSL *, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf);
173 static int rpcap_process_msg_header(SOCKET sock, SSL *, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf);
174 static int rpcap_recv(SOCKET sock, SSL *, void *buffer, size_t toread, uint32 *plen, char *errbuf);
175 static void rpcap_msg_err(SOCKET sockctrl, SSL *, uint32 plen, char *remote_errbuf);
176 static int rpcap_discard(SOCKET sock, SSL *, uint32 len, char *errbuf);
177 static int rpcap_read_packet_msg(struct pcap_rpcap const *, pcap_t *p, size_t size);
178
179 /****************************************************
180 * *
181 * Function bodies *
182 * *
183 ****************************************************/
184
185 /*
186 * This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
187 * structure from the network byte order to a 'sockaddr_in" or
188 * 'sockaddr_in6' structure in the host byte order.
189 *
190 * It accepts an 'rpcap_sockaddr' structure as it is received from the
191 * network, and checks the address family field against various values
192 * to see whether it looks like an IPv4 address, an IPv6 address, or
193 * neither of those. It checks for multiple values in order to try
194 * to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
195 * or 'sockaddr_in6' structures over the wire with some members
196 * byte-swapped, and to handle the fact that AF_INET6 has different
197 * values on different OSes.
198 *
199 * For IPv4 addresses, it converts the address family to host byte
200 * order from network byte order and puts it into the structure,
201 * sets the length if a sockaddr structure has a length, converts the
202 * port number to host byte order from network byte order and puts
203 * it into the structure, copies over the IPv4 address, and zeroes
204 * out the zero padding.
205 *
206 * For IPv6 addresses, it converts the address family to host byte
207 * order from network byte order and puts it into the structure,
208 * sets the length if a sockaddr structure has a length, converts the
209 * port number and flow information to host byte order from network
210 * byte order and puts them into the structure, copies over the IPv6
211 * address, and converts the scope ID to host byte order from network
212 * byte order and puts it into the structure.
213 *
214 * The function will allocate the 'sockaddrout' variable according to the
215 * address family in use. In case the address does not belong to the
216 * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
217 * NULL pointer is returned. This usually happens because that address
218 * does not exist on the other host, or is of an address family other
219 * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
220 * structure containing all 'zero' values.
221 *
222 * Older RPCAPDs sent the addresses over the wire in the OS's native
223 * structure format. For most OSes, this looks like the over-the-wire
224 * format, but might have a different value for AF_INET6 than the value
225 * on the machine receiving the reply. For OSes with the newer BSD-style
226 * sockaddr structures, this has, instead of a 2-byte address family,
227 * a 1-byte structure length followed by a 1-byte address family. The
228 * RPCAPD code would put the address family in network byte order before
229 * sending it; that would set it to 0 on a little-endian machine, as
230 * htons() of any value between 1 and 255 would result in a value > 255,
231 * with its lower 8 bits zero, so putting that back into a 1-byte field
232 * would set it to 0.
233 *
234 * Therefore, for older RPCAPDs running on an OS with newer BSD-style
235 * sockaddr structures, the family field, if treated as a big-endian
236 * (network byte order) 16-bit field, would be:
237 *
238 * (length << 8) | family if sent by a big-endian machine
239 * (length << 8) if sent by a little-endian machine
240 *
241 * For current RPCAPDs, and for older RPCAPDs running on an OS with
242 * older BSD-style sockaddr structures, the family field, if treated
243 * as a big-endian 16-bit field, would just contain the family.
244 *
245 * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
246 * to be de-serialized.
247 *
248 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
249 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
250 * This variable will be allocated automatically inside this function.
251 *
252 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
253 * that will contain the error message (in case there is one).
254 *
255 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
256 * can be only the fact that the malloc() failed to allocate memory.
257 * The error message is returned in the 'errbuf' variable, while the deserialized address
258 * is returned into the 'sockaddrout' variable.
259 *
260 * \warning This function supports only AF_INET and AF_INET6 address families.
261 *
262 * \warning The sockaddrout (if not NULL) must be deallocated by the user.
263 */
264
265 /*
266 * Possible IPv4 family values other than the designated over-the-wire value,
267 * which is 2 (because everybody uses 2 for AF_INET4).
268 */
269 #define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */
270 #define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */
271 #define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2)
272 #define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8)
273
274 /*
275 * Possible IPv6 family values other than the designated over-the-wire value,
276 * which is 23 (because that's what Windows uses, and most RPCAP servers
277 * out there are probably running Windows, as WinPcap includes the server
278 * but few if any UN*Xes build and ship it).
279 *
280 * The new BSD sockaddr structure format was in place before 4.4-Lite, so
281 * all the free-software BSDs use it.
282 */
283 #define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */
284 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */
285 #define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */
286 #define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8)
287 #define LINUX_AF_INET6 10
288 #define HPUX_AF_INET6 22
289 #define AIX_AF_INET6 24
290 #define SOLARIS_AF_INET6 26
291
292 static int
293 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
294 {
295 /* Warning: we support only AF_INET and AF_INET6 */
296 switch (ntohs(sockaddrin->family))
297 {
298 case RPCAP_AF_INET:
299 case NEW_BSD_AF_INET_BE:
300 case NEW_BSD_AF_INET_LE:
301 {
302 struct rpcap_sockaddr_in *sockaddrin_ipv4;
303 struct sockaddr_in *sockaddrout_ipv4;
304
305 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in));
306 if ((*sockaddrout) == NULL)
307 {
308 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
309 errno, "malloc() failed");
310 return -1;
311 }
312 sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
313 sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
314 sockaddrout_ipv4->sin_family = AF_INET;
315 sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
316 memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
317 memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
318 break;
319 }
320
321 #ifdef AF_INET6
322 case RPCAP_AF_INET6:
323 case NEW_BSD_AF_INET6_BSD_BE:
324 case NEW_BSD_AF_INET6_FREEBSD_BE:
325 case NEW_BSD_AF_INET6_DARWIN_BE:
326 case NEW_BSD_AF_INET6_LE:
327 case LINUX_AF_INET6:
328 case HPUX_AF_INET6:
329 case AIX_AF_INET6:
330 case SOLARIS_AF_INET6:
331 {
332 struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
333 struct sockaddr_in6 *sockaddrout_ipv6;
334
335 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6));
336 if ((*sockaddrout) == NULL)
337 {
338 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
339 errno, "malloc() failed");
340 return -1;
341 }
342 sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
343 sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
344 sockaddrout_ipv6->sin6_family = AF_INET6;
345 sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
346 sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
347 memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
348 sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
349 break;
350 }
351 #endif
352
353 default:
354 /*
355 * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
356 * support AF_INET6, it's not AF_INET).
357 */
358 *sockaddrout = NULL;
359 break;
360 }
361 return 0;
362 }
363
364 /*
365 * This function reads a packet from the network socket. It does not
366 * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
367 * the "nocb" string into its name).
368 *
369 * This function is called by pcap_read_rpcap().
370 *
371 * WARNING: By choice, this function does not make use of semaphores. A smarter
372 * implementation should put a semaphore into the data thread, and a signal will
373 * be raised as soon as there is data into the socket buffer.
374 * However this is complicated and it does not bring any advantages when reading
375 * from the network, in which network delays can be much more important than
376 * these optimizations. Therefore, we chose the following approach:
377 * - the 'timeout' chosen by the user is split in two (half on the server side,
378 * with the usual meaning, and half on the client side)
379 * - this function checks for packets; if there are no packets, it waits for
380 * timeout/2 and then it checks again. If packets are still missing, it returns,
381 * otherwise it reads packets.
382 */
383 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
384 {
385 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
386 struct rpcap_header *header; /* general header according to the RPCAP format */
387 struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */
388 u_char *net_pkt_data; /* packet data from the message */
389 uint32 plen;
390 int retval = 0; /* generic return value */
391 int msglen;
392
393 /* Structures needed for the select() call */
394 struct timeval tv; /* maximum time the select() can block waiting for data */
395 fd_set rfds; /* set of socket descriptors we have to check */
396
397 /*
398 * Define the packet buffer timeout, to be used in the select()
399 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
400 */
401 tv.tv_sec = p->opt.timeout / 1000;
402 tv.tv_usec = (suseconds_t)((p->opt.timeout - tv.tv_sec * 1000) * 1000);
403
404 #ifdef HAVE_OPENSSL
405 /* Check if we still have bytes available in the last decoded TLS record.
406 * If that's the case, we know SSL_read will not block. */
407 retval = pr->data_ssl && SSL_pending(pr->data_ssl) > 0;
408 #endif
409 if (! retval)
410 {
411 /* Watch out sockdata to see if it has input */
412 FD_ZERO(&rfds);
413
414 /*
415 * 'fp->rmt_sockdata' has always to be set before calling the select(),
416 * since it is cleared by the select()
417 */
418 FD_SET(pr->rmt_sockdata, &rfds);
419
420 retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
421
422 if (retval == -1)
423 {
424 #ifndef _WIN32
425 if (errno == EINTR)
426 {
427 /* Interrupted. */
428 return 0;
429 }
430 #endif
431 sock_geterror("select()", p->errbuf, PCAP_ERRBUF_SIZE);
432 return -1;
433 }
434 }
435
436 /* There is no data waiting, so return '0' */
437 if (retval == 0)
438 return 0;
439
440 /*
441 * We have to define 'header' as a pointer to a larger buffer,
442 * because in case of UDP we have to read all the message within a single call
443 */
444 header = (struct rpcap_header *) p->buffer;
445 net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
446 net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
447
448 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
449 {
450 /* Read the entire message from the network */
451 msglen = sock_recv_dgram(pr->rmt_sockdata, pr->data_ssl, p->buffer,
452 p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE);
453 if (msglen == -1)
454 {
455 /* Network error. */
456 return -1;
457 }
458 if (msglen == -3)
459 {
460 /* Interrupted receive. */
461 return 0;
462 }
463 if ((size_t)msglen < sizeof(struct rpcap_header))
464 {
465 /*
466 * Message is shorter than an rpcap header.
467 */
468 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
469 "UDP packet message is shorter than an rpcap header");
470 return -1;
471 }
472 plen = ntohl(header->plen);
473 if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
474 {
475 /*
476 * Message is shorter than the header claims it
477 * is.
478 */
479 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
480 "UDP packet message is shorter than its rpcap header claims");
481 return -1;
482 }
483 }
484 else
485 {
486 int status;
487
488 if ((size_t)p->cc < sizeof(struct rpcap_header))
489 {
490 /*
491 * We haven't read any of the packet header yet.
492 * The size we should get is the size of the
493 * packet header.
494 */
495 status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header));
496 if (status == -1)
497 {
498 /* Network error. */
499 return -1;
500 }
501 if (status == -3)
502 {
503 /* Interrupted receive. */
504 return 0;
505 }
506 }
507
508 /*
509 * We have the header, so we know how long the
510 * message payload is. The size we should get
511 * is the size of the packet header plus the
512 * size of the payload.
513 */
514 plen = ntohl(header->plen);
515 if (plen > p->bufsize - sizeof(struct rpcap_header))
516 {
517 /*
518 * This is bigger than the largest
519 * record we'd expect. (We do it by
520 * subtracting in order to avoid an
521 * overflow.)
522 */
523 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
524 "Server sent us a message larger than the largest expected packet message");
525 return -1;
526 }
527 status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header) + plen);
528 if (status == -1)
529 {
530 /* Network error. */
531 return -1;
532 }
533 if (status == -3)
534 {
535 /* Interrupted receive. */
536 return 0;
537 }
538
539 /*
540 * We have the entire message; reset the buffer pointer
541 * and count, as the next read should start a new
542 * message.
543 */
544 p->bp = p->buffer;
545 p->cc = 0;
546 }
547
548 /*
549 * We have the entire message.
550 */
551 header->plen = plen;
552
553 /*
554 * Did the server specify the version we negotiated?
555 */
556 if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->data_ssl, pr->protocol_version,
557 header, p->errbuf) == -1)
558 {
559 return 0; /* Return 'no packets received' */
560 }
561
562 /*
563 * Is this a RPCAP_MSG_PACKET message?
564 */
565 if (header->type != RPCAP_MSG_PACKET)
566 {
567 return 0; /* Return 'no packets received' */
568 }
569
570 if (ntohl(net_pkt_header->caplen) > plen)
571 {
572 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
573 "Packet's captured data goes past the end of the received packet message.");
574 return -1;
575 }
576
577 /* Fill in packet header */
578 pkt_header->caplen = ntohl(net_pkt_header->caplen);
579 pkt_header->len = ntohl(net_pkt_header->len);
580 pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
581 pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
582
583 /* Supply a pointer to the beginning of the packet data */
584 *pkt_data = net_pkt_data;
585
586 /*
587 * I don't update the counter of the packets dropped by the network since we're using TCP,
588 * therefore no packets are dropped. Just update the number of packets received correctly
589 */
590 pr->TotCapt++;
591
592 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
593 {
594 unsigned int npkt;
595
596 /* We're using UDP, so we need to update the counter of the packets dropped by the network */
597 npkt = ntohl(net_pkt_header->npkt);
598
599 if (pr->TotCapt != npkt)
600 {
601 pr->TotNetDrops += (npkt - pr->TotCapt);
602 pr->TotCapt = npkt;
603 }
604 }
605
606 /* Packet read successfully */
607 return 1;
608 }
609
610 /*
611 * This function reads a packet from the network socket.
612 *
613 * This function relies on the pcap_read_nocb_remote to deliver packets. The
614 * difference, here, is that as soon as a packet is read, it is delivered
615 * to the application by means of a callback function.
616 */
617 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
618 {
619 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
620 struct pcap_pkthdr pkt_header;
621 u_char *pkt_data;
622 int n = 0;
623 int ret;
624
625 /*
626 * If this is client-side, and we haven't already started
627 * the capture, start it now.
628 */
629 if (pr->rmt_clientside)
630 {
631 /* We are on an remote capture */
632 if (!pr->rmt_capstarted)
633 {
634 /*
635 * The capture isn't started yet, so try to
636 * start it.
637 */
638 if (pcap_startcapture_remote(p))
639 return -1;
640 }
641 }
642
643 while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
644 {
645 /*
646 * Has "pcap_breakloop()" been called?
647 */
648 if (p->break_loop) {
649 /*
650 * Yes - clear the flag that indicates that it
651 * has, and return PCAP_ERROR_BREAK to indicate
652 * that we were told to break out of the loop.
653 */
654 p->break_loop = 0;
655 return (PCAP_ERROR_BREAK);
656 }
657
658 /*
659 * Read some packets.
660 */
661 ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
662 if (ret == 1)
663 {
664 /*
665 * We got a packet. Hand it to the callback
666 * and count it so we can return the count.
667 */
668 (*callback)(user, &pkt_header, pkt_data);
669 n++;
670 }
671 else if (ret == -1)
672 {
673 /* Error. */
674 return ret;
675 }
676 else
677 {
678 /*
679 * No packet; this could mean that we timed
680 * out, or that we got interrupted, or that
681 * we got a bad packet.
682 *
683 * Were we told to break out of the loop?
684 */
685 if (p->break_loop) {
686 /*
687 * Yes.
688 */
689 p->break_loop = 0;
690 return (PCAP_ERROR_BREAK);
691 }
692 /* No - return the number of packets we've processed. */
693 return n;
694 }
695 }
696 return n;
697 }
698
699 /*
700 * This function sends a CLOSE command to the capture server if we're in
701 * passive mode and an ENDCAP command to the capture server if we're in
702 * active mode.
703 *
704 * It is called when the user calls pcap_close(). It sends a command
705 * to our peer that says 'ok, let's stop capturing'.
706 *
707 * WARNING: Since we're closing the connection, we do not check for errors.
708 */
709 static void pcap_cleanup_rpcap(pcap_t *fp)
710 {
711 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
712 struct rpcap_header header; /* header of the RPCAP packet */
713 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
714 int active = 0; /* active mode or not? */
715
716 /* detect if we're in active mode */
717 temp = activeHosts;
718 while (temp)
719 {
720 if (temp->sockctrl == pr->rmt_sockctrl)
721 {
722 active = 1;
723 break;
724 }
725 temp = temp->next;
726 }
727
728 if (!active)
729 {
730 rpcap_createhdr(&header, pr->protocol_version,
731 RPCAP_MSG_CLOSE, 0, 0);
732
733 /*
734 * Send the close request; don't report any errors, as
735 * we're closing this pcap_t, and have no place to report
736 * the error. No reply is sent to this message.
737 */
738 (void)sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
739 sizeof(struct rpcap_header), NULL, 0);
740 }
741 else
742 {
743 rpcap_createhdr(&header, pr->protocol_version,
744 RPCAP_MSG_ENDCAP_REQ, 0, 0);
745
746 /*
747 * Send the end capture request; don't report any errors,
748 * as we're closing this pcap_t, and have no place to
749 * report the error.
750 */
751 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
752 sizeof(struct rpcap_header), NULL, 0) == 0)
753 {
754 /*
755 * Wait for the answer; don't report any errors,
756 * as we're closing this pcap_t, and have no
757 * place to report the error.
758 */
759 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl,
760 pr->protocol_version, RPCAP_MSG_ENDCAP_REQ,
761 &header, NULL) == 0)
762 {
763 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl,
764 header.plen, NULL);
765 }
766 }
767 }
768
769 if (pr->rmt_sockdata)
770 {
771 #ifdef HAVE_OPENSSL
772 if (pr->data_ssl)
773 {
774 // Finish using the SSL handle for the data socket.
775 // This must be done *before* the socket is closed.
776 ssl_finish(pr->data_ssl);
777 pr->data_ssl = NULL;
778 }
779 #endif
780 sock_close(pr->rmt_sockdata, NULL, 0);
781 pr->rmt_sockdata = 0;
782 }
783
784 if ((!active) && (pr->rmt_sockctrl))
785 {
786 #ifdef HAVE_OPENSSL
787 if (pr->ctrl_ssl)
788 {
789 // Finish using the SSL handle for the control socket.
790 // This must be done *before* the socket is closed.
791 ssl_finish(pr->ctrl_ssl);
792 pr->ctrl_ssl = NULL;
793 }
794 #endif
795 sock_close(pr->rmt_sockctrl, NULL, 0);
796 }
797
798 pr->rmt_sockctrl = 0;
799 pr->ctrl_ssl = NULL;
800
801 if (pr->currentfilter)
802 {
803 free(pr->currentfilter);
804 pr->currentfilter = NULL;
805 }
806
807 pcap_cleanup_live_common(fp);
808
809 /* To avoid inconsistencies in the number of sock_init() */
810 sock_cleanup();
811 }
812
813 /*
814 * This function retrieves network statistics from our peer;
815 * it provides only the standard statistics.
816 */
817 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
818 {
819 struct pcap_stat *retval;
820
821 retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
822
823 if (retval)
824 return 0;
825 else
826 return -1;
827 }
828
829 #ifdef _WIN32
830 /*
831 * This function retrieves network statistics from our peer;
832 * it provides the additional statistics supported by pcap_stats_ex().
833 */
834 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
835 {
836 *pcap_stat_size = sizeof (p->stat);
837
838 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
839 return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
840 }
841 #endif
842
843 /*
844 * This function retrieves network statistics from our peer. It
845 * is used by the two previous functions.
846 *
847 * It can be called in two modes:
848 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
849 * for pcap_stats())
850 * - PCAP_STATS_EX: if we want extended statistics (i.e., for
851 * pcap_stats_ex())
852 *
853 * This 'mode' parameter is needed because in pcap_stats() the variable that
854 * keeps the statistics is allocated by the user. On Windows, this structure
855 * has been extended in order to keep new stats. However, if the user has a
856 * smaller structure and it passes it to pcap_stats(), this function will
857 * try to fill in more data than the size of the structure, so that memory
858 * after the structure will be overwritten.
859 *
860 * So, we need to know it we have to copy just the standard fields, or the
861 * extended fields as well.
862 *
863 * In case we want to copy the extended fields as well, the problem of
864 * memory overflow no longer exists because the structure that's filled
865 * in is part of the pcap_t, so that it can be guaranteed to be large
866 * enough for the additional statistics.
867 *
868 * \param p: the pcap_t structure related to the current instance.
869 *
870 * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
871 * with pcap_stat(), where the structure is allocated by the user. In case
872 * of pcap_stats_ex(), this structure and the function return value point
873 * to the same variable.
874 *
875 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
876 *
877 * \return The structure that keeps the statistics, or NULL in case of error.
878 * The error string is placed in the pcap_t structure.
879 */
880 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
881 {
882 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
883 struct rpcap_header header; /* header of the RPCAP packet */
884 struct rpcap_stats netstats; /* statistics sent on the network */
885 uint32 plen; /* data remaining in the message */
886
887 #ifdef _WIN32
888 if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
889 #else
890 if (mode != PCAP_STATS_STANDARD)
891 #endif
892 {
893 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
894 "Invalid stats mode %d", mode);
895 return NULL;
896 }
897
898 /*
899 * If the capture has not yet started, we cannot request statistics
900 * for the capture from our peer, so we return 0 for all statistics,
901 * as nothing's been seen yet.
902 */
903 if (!pr->rmt_capstarted)
904 {
905 ps->ps_drop = 0;
906 ps->ps_ifdrop = 0;
907 ps->ps_recv = 0;
908 #ifdef _WIN32
909 if (mode == PCAP_STATS_EX)
910 {
911 ps->ps_capt = 0;
912 ps->ps_sent = 0;
913 ps->ps_netdrop = 0;
914 }
915 #endif /* _WIN32 */
916
917 return ps;
918 }
919
920 rpcap_createhdr(&header, pr->protocol_version,
921 RPCAP_MSG_STATS_REQ, 0, 0);
922
923 /* Send the PCAP_STATS command */
924 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
925 sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
926 return NULL; /* Unrecoverable network error */
927
928 /* Receive and process the reply message header. */
929 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
930 RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
931 return NULL; /* Error */
932
933 plen = header.plen;
934
935 /* Read the reply body */
936 if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&netstats,
937 sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
938 goto error;
939
940 ps->ps_drop = ntohl(netstats.krnldrop);
941 ps->ps_ifdrop = ntohl(netstats.ifdrop);
942 ps->ps_recv = ntohl(netstats.ifrecv);
943 #ifdef _WIN32
944 if (mode == PCAP_STATS_EX)
945 {
946 ps->ps_capt = pr->TotCapt;
947 ps->ps_netdrop = pr->TotNetDrops;
948 ps->ps_sent = ntohl(netstats.svrcapt);
949 }
950 #endif /* _WIN32 */
951
952 /* Discard the rest of the message. */
953 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, p->errbuf) == -1)
954 goto error_nodiscard;
955
956 return ps;
957
958 error:
959 /*
960 * Discard the rest of the message.
961 * We already reported an error; if this gets an error, just
962 * drive on.
963 */
964 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
965
966 error_nodiscard:
967 return NULL;
968 }
969
970 /*
971 * This function returns the entry in the list of active hosts for this
972 * active connection (active mode only), or NULL if there is no
973 * active connection or an error occurred. It is just for internal
974 * use.
975 *
976 * \param host: a string that keeps the host name of the host for which we
977 * want to get the socket ID for that active connection.
978 *
979 * \param error: a pointer to an int that is set to 1 if an error occurred
980 * and 0 otherwise.
981 *
982 * \param errbuf: a pointer to a user-allocated buffer (of size
983 * PCAP_ERRBUF_SIZE) that will contain the error message (in case
984 * there is one).
985 *
986 * \return the entry for this host in the list of active connections
987 * if found, NULL if it's not found or there's an error.
988 */
989 static struct activehosts *
990 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
991 {
992 struct activehosts *temp; /* temp var needed to scan the host list chain */
993 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
994 int retval;
995
996 /* retrieve the network address corresponding to 'host' */
997 addrinfo = NULL;
998 memset(&hints, 0, sizeof(struct addrinfo));
999 hints.ai_family = PF_UNSPEC;
1000 hints.ai_socktype = SOCK_STREAM;
1001
1002 retval = getaddrinfo(host, "0", &hints, &addrinfo);
1003 if (retval != 0)
1004 {
1005 snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s",
1006 gai_strerror(retval));
1007 *error = 1;
1008 return NULL;
1009 }
1010
1011 temp = activeHosts;
1012
1013 while (temp)
1014 {
1015 ai_next = addrinfo;
1016 while (ai_next)
1017 {
1018 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
1019 {
1020 *error = 0;
1021 freeaddrinfo(addrinfo);
1022 return temp;
1023 }
1024
1025 ai_next = ai_next->ai_next;
1026 }
1027 temp = temp->next;
1028 }
1029
1030 if (addrinfo)
1031 freeaddrinfo(addrinfo);
1032
1033 /*
1034 * The host for which you want to get the socket ID does not have an
1035 * active connection.
1036 */
1037 *error = 0;
1038 return NULL;
1039 }
1040
1041 /*
1042 * This function starts a remote capture.
1043 *
1044 * This function is required since the RPCAP protocol decouples the 'open'
1045 * from the 'start capture' functions.
1046 * This function takes all the parameters needed (which have been stored
1047 * into the pcap_t structure) and sends them to the server.
1048 *
1049 * \param fp: the pcap_t descriptor of the device currently open.
1050 *
1051 * \return '0' if everything is fine, '-1' otherwise. The error message
1052 * (if one) is returned into the 'errbuf' field of the pcap_t structure.
1053 */
1054 static int pcap_startcapture_remote(pcap_t *fp)
1055 {
1056 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1057 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1058 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1059 char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the data connection */
1060 uint32 plen;
1061 int active = 0; /* '1' if we're in active mode */
1062 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
1063 char host[INET6_ADDRSTRLEN + 1]; /* numeric name of the other host */
1064
1065 /* socket-related variables*/
1066 struct addrinfo hints; /* temp, needed to open a socket connection */
1067 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */
1068 SOCKET sockdata = 0; /* socket descriptor of the data connection */
1069 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1070 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1071 int ai_family; /* temp, keeps the address family used by the control connection */
1072
1073 /* RPCAP-related variables*/
1074 struct rpcap_header header; /* header of the RPCAP packet */
1075 struct rpcap_startcapreq *startcapreq; /* start capture request message */
1076 struct rpcap_startcapreply startcapreply; /* start capture reply message */
1077
1078 /* Variables related to the buffer setting */
1079 int res;
1080 socklen_t itemp;
1081 int sockbufsize = 0;
1082 uint32 server_sockbufsize;
1083
1084 // Take the opportunity to clear pr->data_ssl before any goto error,
1085 // as it seems pr->priv is not zeroed after its malloced.
1086 pr->data_ssl = NULL;
1087
1088 /*
1089 * Let's check if sampling has been required.
1090 * If so, let's set it first
1091 */
1092 if (pcap_setsampling_remote(fp) != 0)
1093 return -1;
1094
1095 /* detect if we're in active mode */
1096 temp = activeHosts;
1097 while (temp)
1098 {
1099 if (temp->sockctrl == pr->rmt_sockctrl)
1100 {
1101 active = 1;
1102 break;
1103 }
1104 temp = temp->next;
1105 }
1106
1107 addrinfo = NULL;
1108
1109 /*
1110 * Gets the complete sockaddr structure used in the ctrl connection
1111 * This is needed to get the address family of the control socket
1112 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
1113 * since the ctrl socket can already be open in case of active mode;
1114 * so I would have to call getpeername() anyway
1115 */
1116 saddrlen = sizeof(struct sockaddr_storage);
1117 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1118 {
1119 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1120 goto error_nodiscard;
1121 }
1122 ai_family = ((struct sockaddr_storage *) &saddr)->ss_family;
1123
1124 /* Get the numeric address of the remote host we are connected to */
1125 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host,
1126 sizeof(host), NULL, 0, NI_NUMERICHOST))
1127 {
1128 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1129 goto error_nodiscard;
1130 }
1131
1132 /*
1133 * Data connection is opened by the server toward the client if:
1134 * - we're using TCP, and the user wants us to be in active mode
1135 * - we're using UDP
1136 */
1137 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1138 {
1139 /*
1140 * We have to create a new socket to receive packets
1141 * We have to do that immediately, since we have to tell the other
1142 * end which network port we picked up
1143 */
1144 memset(&hints, 0, sizeof(struct addrinfo));
1145 /* TEMP addrinfo is NULL in case of active */
1146 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1147 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1148 hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
1149
1150 /* Let's the server pick up a free network port for us */
1151 if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1152 goto error_nodiscard;
1153
1154 if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
1155 1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1156 goto error_nodiscard;
1157
1158 /* addrinfo is no longer used */
1159 freeaddrinfo(addrinfo);
1160 addrinfo = NULL;
1161
1162 /* get the complete sockaddr structure used in the data connection */
1163 saddrlen = sizeof(struct sockaddr_storage);
1164 if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1165 {
1166 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1167 goto error_nodiscard;
1168 }
1169
1170 /* Get the local port the system picked up */
1171 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
1172 0, portdata, sizeof(portdata), NI_NUMERICSERV))
1173 {
1174 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1175 goto error_nodiscard;
1176 }
1177 }
1178
1179 /*
1180 * Now it's time to start playing with the RPCAP protocol
1181 * RPCAP start capture command: create the request message
1182 */
1183 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1184 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1185 goto error_nodiscard;
1186
1187 rpcap_createhdr((struct rpcap_header *) sendbuf,
1188 pr->protocol_version, RPCAP_MSG_STARTCAP_REQ, 0,
1189 sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
1190
1191 /* Fill the structure needed to open an adapter remotely */
1192 startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx];
1193
1194 if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL,
1195 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1196 goto error_nodiscard;
1197
1198 memset(startcapreq, 0, sizeof(struct rpcap_startcapreq));
1199
1200 /* By default, apply half the timeout on one side, half of the other */
1201 fp->opt.timeout = fp->opt.timeout / 2;
1202 startcapreq->read_timeout = htonl(fp->opt.timeout);
1203
1204 /* portdata on the openreq is meaningful only if we're in active mode */
1205 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1206 {
1207 sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */
1208 startcapreq->portdata = htons(startcapreq->portdata);
1209 }
1210
1211 startcapreq->snaplen = htonl(fp->snapshot);
1212 startcapreq->flags = 0;
1213
1214 if (pr->rmt_flags & PCAP_OPENFLAG_PROMISCUOUS)
1215 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC;
1216 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
1217 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM;
1218 if (active)
1219 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN;
1220
1221 startcapreq->flags = htons(startcapreq->flags);
1222
1223 /* Pack the capture filter */
1224 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode))
1225 goto error_nodiscard;
1226
1227 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1228 PCAP_ERRBUF_SIZE) < 0)
1229 goto error_nodiscard;
1230
1231 /* Receive and process the reply message header. */
1232 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
1233 RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1)
1234 goto error_nodiscard;
1235
1236 plen = header.plen;
1237
1238 if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&startcapreply,
1239 sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1)
1240 goto error;
1241
1242 /*
1243 * In case of UDP data stream, the connection is always opened by the daemon
1244 * So, this case is already covered by the code above.
1245 * Now, we have still to handle TCP connections, because:
1246 * - if we're in active mode, we have to wait for a remote connection
1247 * - if we're in passive more, we have to start a connection
1248 *
1249 * We have to do he job in two steps because in case we're opening a TCP connection, we have
1250 * to tell the port we're using to the remote side; in case we're accepting a TCP
1251 * connection, we have to wait this info from the remote side.
1252 */
1253 if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1254 {
1255 if (!active)
1256 {
1257 memset(&hints, 0, sizeof(struct addrinfo));
1258 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1259 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1260 snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
1261
1262 /* Let's the server pick up a free network port for us */
1263 if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1264 goto error;
1265
1266 if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1267 goto error;
1268
1269 /* addrinfo is no longer used */
1270 freeaddrinfo(addrinfo);
1271 addrinfo = NULL;
1272 }
1273 else
1274 {
1275 SOCKET socktemp; /* We need another socket, since we're going to accept() a connection */
1276
1277 /* Connection creation */
1278 saddrlen = sizeof(struct sockaddr_storage);
1279
1280 socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen);
1281
1282 if (socktemp == INVALID_SOCKET)
1283 {
1284 sock_geterror("accept()", fp->errbuf, PCAP_ERRBUF_SIZE);
1285 goto error;
1286 }
1287
1288 /* Now that I accepted the connection, the server socket is no longer needed */
1289 sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1290 sockdata = socktemp;
1291 }
1292 }
1293
1294 /* Let's save the socket of the data connection */
1295 pr->rmt_sockdata = sockdata;
1296
1297 #ifdef HAVE_OPENSSL
1298 if (pr->uses_ssl)
1299 {
1300 pr->data_ssl = ssl_promotion(0, sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1301 if (! pr->data_ssl) goto error;
1302 }
1303 #endif
1304
1305 /*
1306 * Set the size of the socket buffer for the data socket.
1307 * It has the same size as the local capture buffer used
1308 * on the other side of the connection.
1309 */
1310 server_sockbufsize = ntohl(startcapreply.bufsize);
1311
1312 /* Let's get the actual size of the socket buffer */
1313 itemp = sizeof(sockbufsize);
1314
1315 res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp);
1316 if (res == -1)
1317 {
1318 sock_geterror("pcap_startcapture_remote(): getsockopt() failed", fp->errbuf, PCAP_ERRBUF_SIZE);
1319 goto error;
1320 }
1321
1322 /*
1323 * Warning: on some kernels (e.g. Linux), the size of the user
1324 * buffer does not take into account the pcap_header and such,
1325 * and it is set equal to the snaplen.
1326 *
1327 * In my view, this is wrong (the meaning of the bufsize became
1328 * a bit strange). So, here bufsize is the whole size of the
1329 * user buffer. In case the bufsize returned is too small,
1330 * let's adjust it accordingly.
1331 */
1332 if (server_sockbufsize <= (u_int) fp->snapshot)
1333 server_sockbufsize += sizeof(struct pcap_pkthdr);
1334
1335 /* if the current socket buffer is smaller than the desired one */
1336 if ((u_int) sockbufsize < server_sockbufsize)
1337 {
1338 /*
1339 * Loop until the buffer size is OK or the original
1340 * socket buffer size is larger than this one.
1341 */
1342 for (;;)
1343 {
1344 res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF,
1345 (char *)&(server_sockbufsize),
1346 sizeof(server_sockbufsize));
1347
1348 if (res == 0)
1349 break;
1350
1351 /*
1352 * If something goes wrong, halve the buffer size
1353 * (checking that it does not become smaller than
1354 * the current one).
1355 */
1356 server_sockbufsize /= 2;
1357
1358 if ((u_int) sockbufsize >= server_sockbufsize)
1359 {
1360 server_sockbufsize = sockbufsize;
1361 break;
1362 }
1363 }
1364 }
1365
1366 /*
1367 * Let's allocate the packet; this is required in order to put
1368 * the packet somewhere when extracting data from the socket.
1369 * Since buffering has already been done in the socket buffer,
1370 * here we need just a buffer whose size is equal to the
1371 * largest possible packet message for the snapshot size,
1372 * namely the length of the message header plus the length
1373 * of the packet header plus the snapshot length.
1374 */
1375 fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot;
1376
1377 fp->buffer = (u_char *)malloc(fp->bufsize);
1378 if (fp->buffer == NULL)
1379 {
1380 pcap_fmt_errmsg_for_errno(fp->errbuf, PCAP_ERRBUF_SIZE,
1381 errno, "malloc");
1382 goto error;
1383 }
1384
1385 /*
1386 * The buffer is currently empty.
1387 */
1388 fp->bp = fp->buffer;
1389 fp->cc = 0;
1390
1391 /* Discard the rest of the message. */
1392 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, fp->errbuf) == -1)
1393 goto error_nodiscard;
1394
1395 /*
1396 * In case the user does not want to capture RPCAP packets, let's update the filter
1397 * We have to update it here (instead of sending it into the 'StartCapture' message
1398 * because when we generate the 'start capture' we do not know (yet) all the ports
1399 * we're currently using.
1400 */
1401 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1402 {
1403 struct bpf_program fcode;
1404
1405 if (pcap_createfilter_norpcappkt(fp, &fcode) == -1)
1406 goto error;
1407
1408 /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */
1409 /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */
1410 if (pcap_updatefilter_remote(fp, &fcode) == -1)
1411 goto error;
1412
1413 pcap_freecode(&fcode);
1414 }
1415
1416 pr->rmt_capstarted = 1;
1417 return 0;
1418
1419 error:
1420 /*
1421 * When the connection has been established, we have to close it. So, at the
1422 * beginning of this function, if an error occur we return immediately with
1423 * a return NULL; when the connection is established, we have to come here
1424 * ('goto error;') in order to close everything properly.
1425 */
1426
1427 /*
1428 * Discard the rest of the message.
1429 * We already reported an error; if this gets an error, just
1430 * drive on.
1431 */
1432 (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
1433
1434 error_nodiscard:
1435 #ifdef HAVE_OPENSSL
1436 if (pr->data_ssl)
1437 {
1438 // Finish using the SSL handle for the data socket.
1439 // This must be done *before* the socket is closed.
1440 ssl_finish(pr->data_ssl);
1441 pr->data_ssl = NULL;
1442 }
1443 #endif
1444
1445 /* we can be here because sockdata said 'error' */
1446 if ((sockdata != 0) && (sockdata != INVALID_SOCKET))
1447 sock_close(sockdata, NULL, 0);
1448
1449 if (!active)
1450 {
1451 #ifdef HAVE_OPENSSL
1452 if (pr->ctrl_ssl)
1453 {
1454 // Finish using the SSL handle for the control socket.
1455 // This must be done *before* the socket is closed.
1456 ssl_finish(pr->ctrl_ssl);
1457 pr->ctrl_ssl = NULL;
1458 }
1459 #endif
1460 sock_close(pr->rmt_sockctrl, NULL, 0);
1461 }
1462
1463 if (addrinfo != NULL)
1464 freeaddrinfo(addrinfo);
1465
1466 /*
1467 * We do not have to call pcap_close() here, because this function is always called
1468 * by the user in case something bad happens
1469 */
1470 #if 0
1471 if (fp)
1472 {
1473 pcap_close(fp);
1474 fp= NULL;
1475 }
1476 #endif
1477
1478 return -1;
1479 }
1480
1481 /*
1482 * This function takes a bpf program and sends it to the other host.
1483 *
1484 * This function can be called in two cases:
1485 * - pcap_startcapture_remote() is called (we have to send the filter
1486 * along with the 'start capture' command)
1487 * - we want to udpate the filter during a capture (i.e. pcap_setfilter()
1488 * after the capture has been started)
1489 *
1490 * This function serializes the filter into the sending buffer ('sendbuf',
1491 * passed as a parameter) and return back. It does not send anything on
1492 * the network.
1493 *
1494 * \param fp: the pcap_t descriptor of the device currently opened.
1495 *
1496 * \param sendbuf: the buffer on which the serialized data has to copied.
1497 *
1498 * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
1499 *
1500 * \param prog: the bpf program we have to copy.
1501 *
1502 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1503 * is returned into the 'errbuf' field of the pcap_t structure.
1504 */
1505 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
1506 {
1507 struct rpcap_filter *filter;
1508 struct rpcap_filterbpf_insn *insn;
1509 struct bpf_insn *bf_insn;
1510 struct bpf_program fake_prog; /* To be used just in case the user forgot to set a filter */
1511 unsigned int i;
1512
1513 if (prog->bf_len == 0) /* No filters have been specified; so, let's apply a "fake" filter */
1514 {
1515 if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1)
1516 return -1;
1517
1518 prog = &fake_prog;
1519 }
1520
1521 filter = (struct rpcap_filter *) sendbuf;
1522
1523 if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx,
1524 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1525 return -1;
1526
1527 filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF);
1528 filter->nitems = htonl((int32)prog->bf_len);
1529
1530 if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn),
1531 NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1532 return -1;
1533
1534 insn = (struct rpcap_filterbpf_insn *) (filter + 1);
1535 bf_insn = prog->bf_insns;
1536
1537 for (i = 0; i < prog->bf_len; i++)
1538 {
1539 insn->code = htons(bf_insn->code);
1540 insn->jf = bf_insn->jf;
1541 insn->jt = bf_insn->jt;
1542 insn->k = htonl(bf_insn->k);
1543
1544 insn++;
1545 bf_insn++;
1546 }
1547
1548 return 0;
1549 }
1550
1551 /*
1552 * This function updates a filter on a remote host.
1553 *
1554 * It is called when the user wants to update a filter.
1555 * In case we're capturing from the network, it sends the filter to our
1556 * peer.
1557 * This function is *not* called automatically when the user calls
1558 * pcap_setfilter().
1559 * There will be two cases:
1560 * - the capture has been started: in this case, pcap_setfilter_rpcap()
1561 * calls pcap_updatefilter_remote()
1562 * - the capture has not started yet: in this case, pcap_setfilter_rpcap()
1563 * stores the filter into the pcap_t structure, and then the filter is
1564 * sent with pcap_startcap().
1565 *
1566 * WARNING This function *does not* clear the packet currently into the
1567 * buffers. Therefore, the user has to expect to receive some packets
1568 * that are related to the previous filter. If you want to discard all
1569 * the packets before applying a new filter, you have to close the
1570 * current capture session and start a new one.
1571 *
1572 * XXX - we really should have pcap_setfilter() always discard packets
1573 * received with the old filter, and have a separate pcap_setfilter_noflush()
1574 * function that doesn't discard any packets.
1575 */
1576 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
1577 {
1578 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1579 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1580 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1581 struct rpcap_header header; /* To keep the reply message */
1582
1583 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx,
1584 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1585 return -1;
1586
1587 rpcap_createhdr((struct rpcap_header *) sendbuf,
1588 pr->protocol_version, RPCAP_MSG_UPDATEFILTER_REQ, 0,
1589 sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn));
1590
1591 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog))
1592 return -1;
1593
1594 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1595 PCAP_ERRBUF_SIZE) < 0)
1596 return -1;
1597
1598 /* Receive and process the reply message header. */
1599 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
1600 RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1)
1601 return -1;
1602
1603 /*
1604 * It shouldn't have any contents; discard it if it does.
1605 */
1606 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
1607 return -1;
1608
1609 return 0;
1610 }
1611
1612 static void
1613 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
1614 {
1615 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1616
1617 /*
1618 * Check if:
1619 * - We are on an remote capture
1620 * - we do not want to capture RPCAP traffic
1621 *
1622 * If so, we have to save the current filter, because we have to
1623 * add some piece of stuff later
1624 */
1625 if (pr->rmt_clientside &&
1626 (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP))
1627 {
1628 if (pr->currentfilter)
1629 free(pr->currentfilter);
1630
1631 if (filter == NULL)
1632 filter = "";
1633
1634 pr->currentfilter = strdup(filter);
1635 }
1636 }
1637
1638 /*
1639 * This function sends a filter to a remote host.
1640 *
1641 * This function is called when the user wants to set a filter.
1642 * It sends the filter to our peer.
1643 * This function is called automatically when the user calls pcap_setfilter().
1644 *
1645 * Parameters and return values are exactly the same of pcap_setfilter().
1646 */
1647 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
1648 {
1649 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1650
1651 if (!pr->rmt_capstarted)
1652 {
1653 /* copy filter into the pcap_t structure */
1654 if (install_bpf_program(fp, prog) == -1)
1655 return -1;
1656 return 0;
1657 }
1658
1659 /* we have to update a filter during run-time */
1660 if (pcap_updatefilter_remote(fp, prog))
1661 return -1;
1662
1663 return 0;
1664 }
1665
1666 /*
1667 * This function updates the current filter in order not to capture rpcap
1668 * packets.
1669 *
1670 * This function is called *only* when the user wants exclude RPCAP packets
1671 * related to the current session from the captured packets.
1672 *
1673 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1674 * is returned into the 'errbuf' field of the pcap_t structure.
1675 */
1676 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
1677 {
1678 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1679 int RetVal = 0;
1680
1681 /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1682 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1683 {
1684 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1685 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1686 char myaddress[128];
1687 char myctrlport[128];
1688 char mydataport[128];
1689 char peeraddress[128];
1690 char peerctrlport[128];
1691 char *newfilter;
1692
1693 /* Get the name/port of our peer */
1694 saddrlen = sizeof(struct sockaddr_storage);
1695 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1696 {
1697 sock_geterror("getpeername()", fp->errbuf, PCAP_ERRBUF_SIZE);
1698 return -1;
1699 }
1700
1701 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress,
1702 sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1703 {
1704 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1705 return -1;
1706 }
1707
1708 /* We cannot check the data port, because this is available only in case of TCP sockets */
1709 /* Get the name/port of the current host */
1710 if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1711 {
1712 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1713 return -1;
1714 }
1715
1716 /* Get the local port the system picked up */
1717 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress,
1718 sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1719 {
1720 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1721 return -1;
1722 }
1723
1724 /* Let's now check the data port */
1725 if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1726 {
1727 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1728 return -1;
1729 }
1730
1731 /* Get the local port the system picked up */
1732 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
1733 {
1734 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1735 return -1;
1736 }
1737
1738 if (pr->currentfilter && pr->currentfilter[0] != '\0')
1739 {
1740 /*
1741 * We have a current filter; add items to it to
1742 * filter out this rpcap session.
1743 */
1744 if (pcap_asprintf(&newfilter,
1745 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1746 pr->currentfilter, myaddress, peeraddress,
1747 myctrlport, peerctrlport, myaddress, peeraddress,
1748 mydataport) == -1)
1749 {
1750 /* Failed. */
1751 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1752 "Can't allocate memory for new filter");
1753 return -1;
1754 }
1755 }
1756 else
1757 {
1758 /*
1759 * We have no current filter; construct a filter to
1760 * filter out this rpcap session.
1761 */
1762 if (pcap_asprintf(&newfilter,
1763 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1764 myaddress, peeraddress, myctrlport, peerctrlport,
1765 myaddress, peeraddress, mydataport) == -1)
1766 {
1767 /* Failed. */
1768 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1769 "Can't allocate memory for new filter");
1770 return -1;
1771 }
1772 }
1773
1774 /*
1775 * This is only an hack to prevent the save_current_filter
1776 * routine, which will be called when we call pcap_compile(),
1777 * from saving the modified filter.
1778 */
1779 pr->rmt_clientside = 0;
1780
1781 if (pcap_compile(fp, prog, newfilter, 1, 0) == -1)
1782 RetVal = -1;
1783
1784 /* Undo the hack. */
1785 pr->rmt_clientside = 1;
1786
1787 free(newfilter);
1788 }
1789
1790 return RetVal;
1791 }
1792
1793 /*
1794 * This function sets sampling parameters in the remote host.
1795 *
1796 * It is called when the user wants to set activate sampling on the
1797 * remote host.
1798 *
1799 * Sampling parameters are defined into the 'pcap_t' structure.
1800 *
1801 * \param p: the pcap_t descriptor of the device currently opened.
1802 *
1803 * \return '0' if everything is OK, '-1' is something goes wrong. The
1804 * error message is returned in the 'errbuf' member of the pcap_t structure.
1805 */
1806 static int pcap_setsampling_remote(pcap_t *fp)
1807 {
1808 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1809 char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */
1810 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1811 struct rpcap_header header; /* To keep the reply message */
1812 struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */
1813
1814 /* If no samping is requested, return 'ok' */
1815 if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP)
1816 return 0;
1817
1818 /*
1819 * Check for sampling parameters that don't fit in a message.
1820 * We'll let the server complain about invalid parameters
1821 * that do fit into the message.
1822 */
1823 if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) {
1824 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1825 "Invalid sampling method %d", fp->rmt_samp.method);
1826 return -1;
1827 }
1828 if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) {
1829 snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1830 "Invalid sampling value %d", fp->rmt_samp.value);
1831 return -1;
1832 }
1833
1834 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1835 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1836 return -1;
1837
1838 rpcap_createhdr((struct rpcap_header *) sendbuf,
1839 pr->protocol_version, RPCAP_MSG_SETSAMPLING_REQ, 0,
1840 sizeof(struct rpcap_sampling));
1841
1842 /* Fill the structure needed to open an adapter remotely */
1843 sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx];
1844
1845 if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL,
1846 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1847 return -1;
1848
1849 memset(sampling_pars, 0, sizeof(struct rpcap_sampling));
1850
1851 sampling_pars->method = (uint8)fp->rmt_samp.method;
1852 sampling_pars->value = (uint16)htonl(fp->rmt_samp.value);
1853
1854 if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1855 PCAP_ERRBUF_SIZE) < 0)
1856 return -1;
1857
1858 /* Receive and process the reply message header. */
1859 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
1860 RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1)
1861 return -1;
1862
1863 /*
1864 * It shouldn't have any contents; discard it if it does.
1865 */
1866 if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
1867 return -1;
1868
1869 return 0;
1870 }
1871
1872 /*********************************************************
1873 * *
1874 * Miscellaneous functions *
1875 * *
1876 *********************************************************/
1877
1878 /*
1879 * This function performs authentication and protocol version
1880 * negotiation. It is required in order to open the connection
1881 * with the other end party.
1882 *
1883 * It sends authentication parameters on the control socket and
1884 * reads the reply. If the reply is a success indication, it
1885 * checks whether the reply includes minimum and maximum supported
1886 * versions from the server; if not, it assumes both are 0, as
1887 * that means it's an older server that doesn't return supported
1888 * version numbers in authentication replies, so it only supports
1889 * version 0. It then tries to determine the maximum version
1890 * supported both by us and by the server. If it can find such a
1891 * version, it sets us up to use that version; otherwise, it fails,
1892 * indicating that there is no version supported by us and by the
1893 * server.
1894 *
1895 * \param sock: the socket we are currently using.
1896 *
1897 * \param ver: pointer to variable to which to set the protocol version
1898 * number we selected.
1899 *
1900 * \param auth: authentication parameters that have to be sent.
1901 *
1902 * \param errbuf: a pointer to a user-allocated buffer (of size
1903 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
1904 * is one). It could be a network problem or the fact that the authorization
1905 * failed.
1906 *
1907 * \return '0' if everything is fine, '-1' for an error. For errors,
1908 * an error message string is returned in the 'errbuf' variable.
1909 */
1910 static int rpcap_doauth(SOCKET sockctrl, SSL *ssl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
1911 {
1912 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */
1913 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1914 uint16 length; /* length of the payload of this message */
1915 struct rpcap_auth *rpauth;
1916 uint16 auth_type;
1917 struct rpcap_header header;
1918 size_t str_length;
1919 uint32 plen;
1920 struct rpcap_authreply authreply; /* authentication reply message */
1921 uint8 ourvers;
1922
1923 if (auth)
1924 {
1925 switch (auth->type)
1926 {
1927 case RPCAP_RMTAUTH_NULL:
1928 length = sizeof(struct rpcap_auth);
1929 break;
1930
1931 case RPCAP_RMTAUTH_PWD:
1932 length = sizeof(struct rpcap_auth);
1933 if (auth->username)
1934 {
1935 str_length = strlen(auth->username);
1936 if (str_length > 65535)
1937 {
1938 snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)");
1939 return -1;
1940 }
1941 length += (uint16)str_length;
1942 }
1943 if (auth->password)
1944 {
1945 str_length = strlen(auth->password);
1946 if (str_length > 65535)
1947 {
1948 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)");
1949 return -1;
1950 }
1951 length += (uint16)str_length;
1952 }
1953 break;
1954
1955 default:
1956 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
1957 return -1;
1958 }
1959
1960 auth_type = (uint16)auth->type;
1961 }
1962 else
1963 {
1964 auth_type = RPCAP_RMTAUTH_NULL;
1965 length = sizeof(struct rpcap_auth);
1966 }
1967
1968 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1969 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1970 return -1;
1971
1972 rpcap_createhdr((struct rpcap_header *) sendbuf, 0,
1973 RPCAP_MSG_AUTH_REQ, 0, length);
1974
1975 rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx];
1976
1977 if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL,
1978 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1979 return -1;
1980
1981 memset(rpauth, 0, sizeof(struct rpcap_auth));
1982
1983 rpauth->type = htons(auth_type);
1984
1985 if (auth_type == RPCAP_RMTAUTH_PWD)
1986 {
1987 if (auth->username)
1988 rpauth->slen1 = (uint16)strlen(auth->username);
1989 else
1990 rpauth->slen1 = 0;
1991
1992 if (sock_bufferize(auth->username, rpauth->slen1, sendbuf,
1993 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
1994 return -1;
1995
1996 if (auth->password)
1997 rpauth->slen2 = (uint16)strlen(auth->password);
1998 else
1999 rpauth->slen2 = 0;
2000
2001 if (sock_bufferize(auth->password, rpauth->slen2, sendbuf,
2002 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2003 return -1;
2004
2005 rpauth->slen1 = htons(rpauth->slen1);
2006 rpauth->slen2 = htons(rpauth->slen2);
2007 }
2008
2009 if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
2010 PCAP_ERRBUF_SIZE) < 0)
2011 return -1;
2012
2013 /* Receive and process the reply message header */
2014 if (rpcap_process_msg_header(sockctrl, ssl, 0, RPCAP_MSG_AUTH_REQ,
2015 &header, errbuf) == -1)
2016 return -1;
2017
2018 /*
2019 * OK, it's an authentication reply, so we're logged in.
2020 *
2021 * Did it send any additional information?
2022 */
2023 plen = header.plen;
2024 if (plen != 0)
2025 {
2026 /* Yes - is it big enough to be version information? */
2027 if (plen < sizeof(struct rpcap_authreply))
2028 {
2029 /* No - discard it and fail. */
2030 (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2031 return -1;
2032 }
2033
2034 /* Read the reply body */
2035 if (rpcap_recv(sockctrl, ssl, (char *)&authreply,
2036 sizeof(struct rpcap_authreply), &plen, errbuf) == -1)
2037 {
2038 (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2039 return -1;
2040 }
2041
2042 /* Discard the rest of the message, if there is any. */
2043 if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
2044 return -1;
2045
2046 /*
2047 * Check the minimum and maximum versions for sanity;
2048 * the minimum must be <= the maximum.
2049 */
2050 if (authreply.minvers > authreply.maxvers)
2051 {
2052 /*
2053 * Bogus - give up on this server.
2054 */
2055 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2056 "The server's minimum supported protocol version is greater than its maximum supported protocol version");
2057 return -1;
2058 }
2059 }
2060 else
2061 {
2062 /* No - it supports only version 0. */
2063 authreply.minvers = 0;
2064 authreply.maxvers = 0;
2065 }
2066
2067 /*
2068 * OK, let's start with the maximum version the server supports.
2069 */
2070 ourvers = authreply.maxvers;
2071
2072 #if RPCAP_MIN_VERSION != 0
2073 /*
2074 * If that's less than the minimum version we support, we
2075 * can't communicate.
2076 */
2077 if (ourvers < RPCAP_MIN_VERSION)
2078 goto novers;
2079 #endif
2080
2081 /*
2082 * If that's greater than the maximum version we support,
2083 * choose the maximum version we support.
2084 */
2085 if (ourvers > RPCAP_MAX_VERSION)
2086 {
2087 ourvers = RPCAP_MAX_VERSION;
2088
2089 /*
2090 * If that's less than the minimum version they
2091 * support, we can't communicate.
2092 */
2093 if (ourvers < authreply.minvers)
2094 goto novers;
2095 }
2096
2097 *ver = ourvers;
2098 return 0;
2099
2100 novers:
2101 /*
2102 * There is no version we both support; that is a fatal error.
2103 */
2104 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2105 "The server doesn't support any protocol version that we support");
2106 return -1;
2107 }
2108
2109 /* We don't currently support non-blocking mode. */
2110 static int
2111 pcap_getnonblock_rpcap(pcap_t *p)
2112 {
2113 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2114 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2115 return (-1);
2116 }
2117
2118 static int
2119 pcap_setnonblock_rpcap(pcap_t *p, int nonblock _U_)
2120 {
2121 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2122 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2123 return (-1);
2124 }
2125
2126 static int
2127 rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
2128 int *activep, SOCKET *sockctrlp, uint8 *uses_sslp, SSL **sslp,
2129 int rmt_flags, uint8 *protocol_versionp, char *host, char *port,
2130 char *iface, char *errbuf)
2131 {
2132 int type;
2133 struct activehosts *activeconn; /* active connection, if there is one */
2134 int error; /* 1 if rpcap_remoteact_getsock got an error */
2135
2136 /*
2137 * Determine the type of the source (NULL, file, local, remote).
2138 * You must have a valid source string even if we're in active mode,
2139 * because otherwise the call to the following function will fail.
2140 */
2141 if (pcap_parsesrcstr_ex(source, &type, host, port, iface, uses_sslp,
2142 errbuf) == -1)
2143 return -1;
2144
2145 /*
2146 * It must be remote.
2147 */
2148 if (type != PCAP_SRC_IFREMOTE)
2149 {
2150 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2151 "Non-remote interface passed to remote capture routine");
2152 return -1;
2153 }
2154
2155 /*
2156 * We don't yet support DTLS, so if the user asks for a TLS
2157 * connection and asks for data packets to be sent over UDP,
2158 * we have to give up.
2159 */
2160 if (*uses_sslp && (rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
2161 {
2162 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2163 "TLS not supported with UDP forward of remote packets");
2164 return -1;
2165 }
2166
2167 /* Warning: this call can be the first one called by the user. */
2168 /* For this reason, we have to initialize the Winsock support. */
2169 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2170 return -1;
2171
2172 /* Check for active mode */
2173 activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
2174 if (activeconn != NULL)
2175 {
2176 *activep = 1;
2177 *sockctrlp = activeconn->sockctrl;
2178 *sslp = activeconn->ssl;
2179 *protocol_versionp = activeconn->protocol_version;
2180 }
2181 else
2182 {
2183 *activep = 0;
2184 struct addrinfo hints; /* temp variable needed to resolve hostnames into to socket representation */
2185 struct addrinfo *addrinfo; /* temp variable needed to resolve hostnames into to socket representation */
2186
2187 if (error)
2188 {
2189 /*
2190 * Call failed.
2191 */
2192 return -1;
2193 }
2194
2195 /*
2196 * We're not in active mode; let's try to open a new
2197 * control connection.
2198 */
2199 memset(&hints, 0, sizeof(struct addrinfo));
2200 hints.ai_family = PF_UNSPEC;
2201 hints.ai_socktype = SOCK_STREAM;
2202
2203 if (port[0] == 0)
2204 {
2205 /* the user chose not to specify the port */
2206 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
2207 &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2208 return -1;
2209 }
2210 else
2211 {
2212 if (sock_initaddress(host, port, &hints, &addrinfo,
2213 errbuf, PCAP_ERRBUF_SIZE) == -1)
2214 return -1;
2215 }
2216
2217 if ((*sockctrlp = sock_open(addrinfo, SOCKOPEN_CLIENT, 0,
2218 errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2219 {
2220 freeaddrinfo(addrinfo);
2221 return -1;
2222 }
2223
2224 /* addrinfo is no longer used */
2225 freeaddrinfo(addrinfo);
2226 addrinfo = NULL;
2227
2228 if (*uses_sslp)
2229 {
2230 #ifdef HAVE_OPENSSL
2231 *sslp = ssl_promotion(0, *sockctrlp, errbuf,
2232 PCAP_ERRBUF_SIZE);
2233 if (!*sslp)
2234 {
2235 sock_close(*sockctrlp, NULL, 0);
2236 return -1;
2237 }
2238 #else
2239 snprintf(errbuf, PCAP_ERRBUF_SIZE,
2240 "No TLS support");
2241 sock_close(*sockctrlp, NULL, 0);
2242 return -1;
2243 #endif
2244 }
2245
2246 if (rpcap_doauth(*sockctrlp, *sslp, protocol_versionp, auth,
2247 errbuf) == -1)
2248 {
2249 #ifdef HAVE_OPENSSL
2250 if (*sslp)
2251 {
2252 // Finish using the SSL handle for the socket.
2253 // This must be done *before* the socket is
2254 // closed.
2255 ssl_finish(*sslp);
2256 }
2257 #endif
2258 sock_close(*sockctrlp, NULL, 0);
2259 return -1;
2260 }
2261 }
2262 return 0;
2263 }
2264
2265 /*
2266 * This function opens a remote adapter by opening an RPCAP connection and
2267 * so on.
2268 *
2269 * It does the job of pcap_open_live() for a remote interface; it's called
2270 * by pcap_open() for remote interfaces.
2271 *
2272 * We do not start the capture until pcap_startcapture_remote() is called.
2273 *
2274 * This is because, when doing a remote capture, we cannot start capturing
2275 * data as soon as the 'open adapter' command is sent. Suppose the remote
2276 * adapter is already overloaded; if we start a capture (which, by default,
2277 * has a NULL filter) the new traffic can saturate the network.
2278 *
2279 * Instead, we want to "open" the adapter, then send a "start capture"
2280 * command only when we're ready to start the capture.
2281 * This function does this job: it sends an "open adapter" command
2282 * (according to the RPCAP protocol), but it does not start the capture.
2283 *
2284 * Since the other libpcap functions do not share this way of life, we
2285 * have to do some dirty things in order to make everything work.
2286 *
2287 * \param source: see pcap_open().
2288 * \param snaplen: see pcap_open().
2289 * \param flags: see pcap_open().
2290 * \param read_timeout: see pcap_open().
2291 * \param auth: see pcap_open().
2292 * \param errbuf: see pcap_open().
2293 *
2294 * \return a pcap_t pointer in case of success, NULL otherwise. In case of
2295 * success, the pcap_t pointer can be used as a parameter to the following
2296 * calls (pcap_compile() and so on). In case of problems, errbuf contains
2297 * a text explanation of error.
2298 *
2299 * WARNING: In case we call pcap_compile() and the capture has not yet
2300 * been started, the filter will be saved into the pcap_t structure,
2301 * and it will be sent to the other host later (when
2302 * pcap_startcapture_remote() is called).
2303 */
2304 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
2305 {
2306 pcap_t *fp;
2307 char *source_str;
2308 struct pcap_rpcap *pr; /* structure used when doing a remote live capture */
2309 char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE];
2310 SOCKET sockctrl;
2311 SSL *ssl = NULL;
2312 uint8 protocol_version; /* negotiated protocol version */
2313 int active;
2314 uint32 plen;
2315 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
2316 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
2317
2318 /* RPCAP-related variables */
2319 struct rpcap_header header; /* header of the RPCAP packet */
2320 struct rpcap_openreply openreply; /* open reply message */
2321
2322 fp = pcap_create_common(errbuf, sizeof (struct pcap_rpcap));
2323 if (fp == NULL)
2324 {
2325 return NULL;
2326 }
2327 source_str = strdup(source);
2328 if (source_str == NULL) {
2329 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2330 errno, "malloc");
2331 return NULL;
2332 }
2333
2334 /*
2335 * Turn a negative snapshot value (invalid), a snapshot value of
2336 * 0 (unspecified), or a value bigger than the normal maximum
2337 * value, into the maximum allowed value.
2338 *
2339 * If some application really *needs* a bigger snapshot
2340 * length, we should just increase MAXIMUM_SNAPLEN.
2341 *
2342 * XXX - should we leave this up to the remote server to
2343 * do?
2344 */
2345 if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN)
2346 snaplen = MAXIMUM_SNAPLEN;
2347
2348 fp->opt.device = source_str;
2349 fp->snapshot = snaplen;
2350 fp->opt.timeout = read_timeout;
2351 pr = fp->priv;
2352 pr->rmt_flags = flags;
2353
2354 /*
2355 * Attempt to set up the session with the server.
2356 */
2357 if (rpcap_setup_session(fp->opt.device, auth, &active, &sockctrl,
2358 &pr->uses_ssl, &ssl, flags, &protocol_version, host, ctrlport,
2359 iface, errbuf) == -1)
2360 {
2361 /* Session setup failed. */
2362 pcap_close(fp);
2363 return NULL;
2364 }
2365
2366 /* All good so far, save the ssl handler */
2367 ssl_main = ssl;
2368
2369 /*
2370 * Now it's time to start playing with the RPCAP protocol
2371 * RPCAP open command: create the request message
2372 */
2373 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
2374 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2375 goto error_nodiscard;
2376
2377 rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version,
2378 RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface));
2379
2380 if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx,
2381 RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2382 goto error_nodiscard;
2383
2384 if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
2385 PCAP_ERRBUF_SIZE) < 0)
2386 goto error_nodiscard;
2387
2388 /* Receive and process the reply message header. */
2389 if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
2390 RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1)
2391 goto error_nodiscard;
2392 plen = header.plen;
2393
2394 /* Read the reply body */
2395 if (rpcap_recv(sockctrl, ssl, (char *)&openreply,
2396 sizeof(struct rpcap_openreply), &plen, errbuf) == -1)
2397 goto error;
2398
2399 /* Discard the rest of the message, if there is any. */
2400 if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
2401 goto error_nodiscard;
2402
2403 /* Set proper fields into the pcap_t struct */
2404 fp->linktype = ntohl(openreply.linktype);
2405 pr->rmt_sockctrl = sockctrl;
2406 pr->ctrl_ssl = ssl;
2407 pr->protocol_version = protocol_version;
2408 pr->rmt_clientside = 1;
2409
2410 /* This code is duplicated from the end of this function */
2411 fp->read_op = pcap_read_rpcap;
2412 fp->save_current_filter_op = pcap_save_current_filter_rpcap;
2413 fp->setfilter_op = pcap_setfilter_rpcap;
2414 fp->getnonblock_op = pcap_getnonblock_rpcap;
2415 fp->setnonblock_op = pcap_setnonblock_rpcap;
2416 fp->stats_op = pcap_stats_rpcap;
2417 #ifdef _WIN32
2418 fp->stats_ex_op = pcap_stats_ex_rpcap;
2419 #endif
2420 fp->cleanup_op = pcap_cleanup_rpcap;
2421
2422 fp->activated = 1;
2423 return fp;
2424
2425 error:
2426 /*
2427 * When the connection has been established, we have to close it. So, at the
2428 * beginning of this function, if an error occur we return immediately with
2429 * a return NULL; when the connection is established, we have to come here
2430 * ('goto error;') in order to close everything properly.
2431 */
2432
2433 /*
2434 * Discard the rest of the message.
2435 * We already reported an error; if this gets an error, just
2436 * drive on.
2437 */
2438 (void)rpcap_discard(sockctrl, pr->ctrl_ssl, plen, NULL);
2439
2440 error_nodiscard:
2441 if (!active)
2442 {
2443 #ifdef HAVE_OPENSSL
2444 if (ssl)
2445 {
2446 // Finish using the SSL handle for the socket.
2447 // This must be done *before* the socket is closed.
2448 ssl_finish(ssl);
2449 }
2450 #endif
2451 sock_close(sockctrl, NULL, 0);
2452 }
2453
2454 pcap_close(fp);
2455 return NULL;
2456 }
2457
2458 /* String identifier to be used in the pcap_findalldevs_ex() */
2459 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter"
2460 #define PCAP_TEXT_SOURCE_ADAPTER_LEN (sizeof PCAP_TEXT_SOURCE_ADAPTER - 1)
2461 /* String identifier to be used in the pcap_findalldevs_ex() */
2462 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node"
2463 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST_LEN (sizeof PCAP_TEXT_SOURCE_ON_REMOTE_HOST - 1)
2464
2465 static void
2466 freeaddr(struct pcap_addr *addr)
2467 {
2468 free(addr->addr);
2469 free(addr->netmask);
2470 free(addr->broadaddr);
2471 free(addr->dstaddr);
2472 free(addr);
2473 }
2474
2475 int
2476 pcap_findalldevs_ex_remote(const char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
2477 {
2478 uint8 protocol_version; /* protocol version */
2479 SOCKET sockctrl; /* socket descriptor of the control connection */
2480 SSL *ssl = NULL; /* optional SSL handler for sockctrl */
2481 uint32 plen;
2482 struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */
2483 int i, j; /* temp variables */
2484 int nif; /* Number of interfaces listed */
2485 int active; /* 'true' if we the other end-party is in active mode */
2486 uint8 uses_ssl;
2487 char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE];
2488 char tmpstring[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2489 pcap_if_t *lastdev; /* Last device in the pcap_if_t list */
2490 pcap_if_t *dev; /* Device we're adding to the pcap_if_t list */
2491
2492 /* List starts out empty. */
2493 (*alldevs) = NULL;
2494 lastdev = NULL;
2495
2496 /*
2497 * Attempt to set up the session with the server.
2498 */
2499 if (rpcap_setup_session(source, auth, &active, &sockctrl, &uses_ssl,
2500 &ssl, 0, &protocol_version, host, port, NULL, errbuf) == -1)
2501 {
2502 /* Session setup failed. */
2503 return -1;
2504 }
2505
2506 /* RPCAP findalldevs command */
2507 rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ,
2508 0, 0);
2509
2510 if (sock_send(sockctrl, ssl, (char *)&header, sizeof(struct rpcap_header),
2511 errbuf, PCAP_ERRBUF_SIZE) < 0)
2512 goto error_nodiscard;
2513
2514 /* Receive and process the reply message header. */
2515 if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
2516 RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1)
2517 goto error_nodiscard;
2518
2519 plen = header.plen;
2520
2521 /* read the number of interfaces */
2522 nif = ntohs(header.value);
2523
2524 /* loop until all interfaces have been received */
2525 for (i = 0; i < nif; i++)
2526 {
2527 struct rpcap_findalldevs_if findalldevs_if;
2528 char tmpstring2[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2529 struct pcap_addr *addr, *prevaddr;
2530
2531 tmpstring2[PCAP_BUF_SIZE] = 0;
2532
2533 /* receive the findalldevs structure from remote host */
2534 if (rpcap_recv(sockctrl, ssl, (char *)&findalldevs_if,
2535 sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1)
2536 goto error;
2537
2538 findalldevs_if.namelen = ntohs(findalldevs_if.namelen);
2539 findalldevs_if.desclen = ntohs(findalldevs_if.desclen);
2540 findalldevs_if.naddr = ntohs(findalldevs_if.naddr);
2541
2542 /* allocate the main structure */
2543 dev = (pcap_if_t *)malloc(sizeof(pcap_if_t));
2544 if (dev == NULL)
2545 {
2546 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2547 errno, "malloc() failed");
2548 goto error;
2549 }
2550
2551 /* Initialize the structure to 'zero' */
2552 memset(dev, 0, sizeof(pcap_if_t));
2553
2554 /* Append it to the list. */
2555 if (lastdev == NULL)
2556 {
2557 /*
2558 * List is empty, so it's also the first device.
2559 */
2560 *alldevs = dev;
2561 }
2562 else
2563 {
2564 /*
2565 * Append after the last device.
2566 */
2567 lastdev->next = dev;
2568 }
2569 /* It's now the last device. */
2570 lastdev = dev;
2571
2572 /* allocate mem for name and description */
2573 if (findalldevs_if.namelen)
2574 {
2575
2576 if (findalldevs_if.namelen >= sizeof(tmpstring))
2577 {
2578 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long");
2579 goto error;
2580 }
2581
2582 /* Retrieve adapter name */
2583 if (rpcap_recv(sockctrl, ssl, tmpstring,
2584 findalldevs_if.namelen, &plen, errbuf) == -1)
2585 goto error;
2586
2587 tmpstring[findalldevs_if.namelen] = 0;
2588
2589 /* Create the new device identifier */
2590 if (pcap_createsrcstr_ex(tmpstring2, PCAP_SRC_IFREMOTE,
2591 host, port, tmpstring, uses_ssl, errbuf) == -1)
2592 goto error;
2593
2594 dev->name = strdup(tmpstring2);
2595 if (dev->name == NULL)
2596 {
2597 pcap_fmt_errmsg_for_errno(errbuf,
2598 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2599 goto error;
2600 }
2601 }
2602
2603 if (findalldevs_if.desclen)
2604 {
2605 if (findalldevs_if.desclen >= sizeof(tmpstring))
2606 {
2607 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long");
2608 goto error;
2609 }
2610
2611 /* Retrieve adapter description */
2612 if (rpcap_recv(sockctrl, ssl, tmpstring,
2613 findalldevs_if.desclen, &plen, errbuf) == -1)
2614 goto error;
2615
2616 tmpstring[findalldevs_if.desclen] = 0;
2617
2618 if (pcap_asprintf(&dev->description,
2619 "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER,
2620 tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host) == -1)
2621 {
2622 pcap_fmt_errmsg_for_errno(errbuf,
2623 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2624 goto error;
2625 }
2626 }
2627
2628 dev->flags = ntohl(findalldevs_if.flags);
2629
2630 prevaddr = NULL;
2631 /* loop until all addresses have been received */
2632 for (j = 0; j < findalldevs_if.naddr; j++)
2633 {
2634 struct rpcap_findalldevs_ifaddr ifaddr;
2635
2636 /* Retrieve the interface addresses */
2637 if (rpcap_recv(sockctrl, ssl, (char *)&ifaddr,
2638 sizeof(struct rpcap_findalldevs_ifaddr),
2639 &plen, errbuf) == -1)
2640 goto error;
2641
2642 /*
2643 * Deserialize all the address components.
2644 */
2645 addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr));
2646 if (addr == NULL)
2647 {
2648 pcap_fmt_errmsg_for_errno(errbuf,
2649 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2650 goto error;
2651 }
2652 addr->next = NULL;
2653 addr->addr = NULL;
2654 addr->netmask = NULL;
2655 addr->broadaddr = NULL;
2656 addr->dstaddr = NULL;
2657
2658 if (rpcap_deseraddr(&ifaddr.addr,
2659 (struct sockaddr_storage **) &addr->addr, errbuf) == -1)
2660 {
2661 freeaddr(addr);
2662 goto error;
2663 }
2664 if (rpcap_deseraddr(&ifaddr.netmask,
2665 (struct sockaddr_storage **) &addr->netmask, errbuf) == -1)
2666 {
2667 freeaddr(addr);
2668 goto error;
2669 }
2670 if (rpcap_deseraddr(&ifaddr.broadaddr,
2671 (struct sockaddr_storage **) &addr->broadaddr, errbuf) == -1)
2672 {
2673 freeaddr(addr);
2674 goto error;
2675 }
2676 if (rpcap_deseraddr(&ifaddr.dstaddr,
2677 (struct sockaddr_storage **) &addr->dstaddr, errbuf) == -1)
2678 {
2679 freeaddr(addr);
2680 goto error;
2681 }
2682
2683 if ((addr->addr == NULL) && (addr->netmask == NULL) &&
2684 (addr->broadaddr == NULL) && (addr->dstaddr == NULL))
2685 {
2686 /*
2687 * None of the addresses are IPv4 or IPv6
2688 * addresses, so throw this entry away.
2689 */
2690 free(addr);
2691 }
2692 else
2693 {
2694 /*
2695 * Add this entry to the list.
2696 */
2697 if (prevaddr == NULL)
2698 {
2699 dev->addresses = addr;
2700 }
2701 else
2702 {
2703 prevaddr->next = addr;
2704 }
2705 prevaddr = addr;
2706 }
2707 }
2708 }
2709
2710 /* Discard the rest of the message. */
2711 if (rpcap_discard(sockctrl, ssl, plen, errbuf) == 1)
2712 goto error_nodiscard;
2713
2714 /* Control connection has to be closed only in case the remote machine is in passive mode */
2715 if (!active)
2716 {
2717 /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */
2718 #ifdef HAVE_OPENSSL
2719 if (ssl)
2720 {
2721 // Finish using the SSL handle for the socket.
2722 // This must be done *before* the socket is closed.
2723 ssl_finish(ssl);
2724 }
2725 #endif
2726 if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE))
2727 return -1;
2728 }
2729
2730 /* To avoid inconsistencies in the number of sock_init() */
2731 sock_cleanup();
2732
2733 return 0;
2734
2735 error:
2736 /*
2737 * In case there has been an error, I don't want to overwrite it with a new one
2738 * if the following call fails. I want to return always the original error.
2739 *
2740 * Take care: this connection can already be closed when we try to close it.
2741 * This happens because a previous error in the rpcapd, which requested to
2742 * closed the connection. In that case, we already recognized that into the
2743 * rpspck_isheaderok() and we already acknowledged the closing.
2744 * In that sense, this call is useless here (however it is needed in case
2745 * the client generates the error).
2746 *
2747 * Checks if all the data has been read; if not, discard the data in excess
2748 */
2749 (void) rpcap_discard(sockctrl, ssl, plen, NULL);
2750
2751 error_nodiscard:
2752 /* Control connection has to be closed only in case the remote machine is in passive mode */
2753 if (!active)
2754 {
2755 #ifdef HAVE_OPENSSL
2756 if (ssl)
2757 {
2758 // Finish using the SSL handle for the socket.
2759 // This must be done *before* the socket is closed.
2760 ssl_finish(ssl);
2761 }
2762 #endif
2763 sock_close(sockctrl, NULL, 0);
2764 }
2765
2766 /* To avoid inconsistencies in the number of sock_init() */
2767 sock_cleanup();
2768
2769 /* Free whatever interfaces we've allocated. */
2770 pcap_freealldevs(*alldevs);
2771
2772 return -1;
2773 }
2774
2775 /*
2776 * Active mode routines.
2777 *
2778 * The old libpcap API is somewhat ugly, and makes active mode difficult
2779 * to implement; we provide some APIs for it that work only with rpcap.
2780 */
2781
2782 SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, int uses_ssl, char *errbuf)
2783 {
2784 /* socket-related variables */
2785 struct addrinfo hints; /* temporary struct to keep settings needed to open the new socket */
2786 struct addrinfo *addrinfo; /* keeps the addrinfo chain; required to open a new socket */
2787 struct sockaddr_storage from; /* generic sockaddr_storage variable */
2788 socklen_t fromlen; /* keeps the length of the sockaddr_storage variable */
2789 SOCKET sockctrl; /* keeps the main socket identifier */
2790 SSL *ssl = NULL; /* Optional SSL handler for sockctrl */
2791 uint8 protocol_version; /* negotiated protocol version */
2792 struct activehosts *temp, *prev; /* temp var needed to scan he host list chain */
2793
2794 *connectinghost = 0; /* just in case */
2795
2796 /* Prepare to open a new server socket */
2797 memset(&hints, 0, sizeof(struct addrinfo));
2798 /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6 */
2799 hints.ai_family = AF_INET; /* PF_UNSPEC to have both IPv4 and IPv6 server */
2800 hints.ai_flags = AI_PASSIVE; /* Ready to a bind() socket */
2801 hints.ai_socktype = SOCK_STREAM;
2802
2803 /* Warning: this call can be the first one called by the user. */
2804 /* For this reason, we have to initialize the Winsock support. */
2805 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2806 return (SOCKET)-1;
2807
2808 /* Do the work */
2809 if ((port == NULL) || (port[0] == 0))
2810 {
2811 if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2812 {
2813 return (SOCKET)-2;
2814 }
2815 }
2816 else
2817 {
2818 if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2819 {
2820 return (SOCKET)-2;
2821 }
2822 }
2823
2824
2825 if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2826 {
2827 freeaddrinfo(addrinfo);
2828 return (SOCKET)-2;
2829 }
2830 freeaddrinfo(addrinfo);
2831
2832 /* Connection creation */
2833 fromlen = sizeof(struct sockaddr_storage);
2834
2835 sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen);
2836
2837 /* We're not using sock_close, since we do not want to send a shutdown */
2838 /* (which is not allowed on a non-connected socket) */
2839 closesocket(sockmain);
2840 sockmain = 0;
2841
2842 if (sockctrl == INVALID_SOCKET)
2843 {
2844 sock_geterror("accept()", errbuf, PCAP_ERRBUF_SIZE);
2845 return (SOCKET)-2;
2846 }
2847
2848 /* Promote to SSL early before any error message may be sent */
2849 if (uses_ssl)
2850 {
2851 #ifdef HAVE_OPENSSL
2852 ssl = ssl_promotion(0, sockctrl, errbuf, PCAP_ERRBUF_SIZE);
2853 if (! ssl)
2854 {
2855 sock_close(sockctrl, NULL, 0);
2856 return (SOCKET)-1;
2857 }
2858 #else
2859 snprintf(errbuf, PCAP_ERRBUF_SIZE, "No TLS support");
2860 sock_close(sockctrl, NULL, 0);
2861 return (SOCKET)-1;
2862 #endif
2863 }
2864
2865 /* Get the numeric for of the name of the connecting host */
2866 if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST))
2867 {
2868 sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE);
2869 rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2870 #ifdef HAVE_OPENSSL
2871 if (ssl)
2872 {
2873 // Finish using the SSL handle for the socket.
2874 // This must be done *before* the socket is closed.
2875 ssl_finish(ssl);
2876 }
2877 #endif
2878 sock_close(sockctrl, NULL, 0);
2879 return (SOCKET)-1;
2880 }
2881
2882 /* checks if the connecting host is among the ones allowed */
2883 if (sock_check_hostlist((char *)hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0)
2884 {
2885 rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2886 #ifdef HAVE_OPENSSL
2887 if (ssl)
2888 {
2889 // Finish using the SSL handle for the socket.
2890 // This must be done *before* the socket is closed.
2891 ssl_finish(ssl);
2892 }
2893 #endif
2894 sock_close(sockctrl, NULL, 0);
2895 return (SOCKET)-1;
2896 }
2897
2898 /*
2899 * Send authentication to the remote machine.
2900 */
2901 if (rpcap_doauth(sockctrl, ssl, &protocol_version, auth, errbuf) == -1)
2902 {
2903 /* Unrecoverable error. */
2904 rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2905 #ifdef HAVE_OPENSSL
2906 if (ssl)
2907 {
2908 // Finish using the SSL handle for the socket.
2909 // This must be done *before* the socket is closed.
2910 ssl_finish(ssl);
2911 }
2912 #endif
2913 sock_close(sockctrl, NULL, 0);
2914 return (SOCKET)-3;
2915 }
2916
2917 /* Checks that this host does not already have a cntrl connection in place */
2918
2919 /* Initialize pointers */
2920 temp = activeHosts;
2921 prev = NULL;
2922
2923 while (temp)
2924 {
2925 /* This host already has an active connection in place, so I don't have to update the host list */
2926 if (sock_cmpaddr(&temp->host, &from) == 0)
2927 return sockctrl;
2928
2929 prev = temp;
2930 temp = temp->next;
2931 }
2932
2933 /* The host does not exist in the list; so I have to update the list */
2934 if (prev)
2935 {
2936 prev->next = (struct activehosts *) malloc(sizeof(struct activehosts));
2937 temp = prev->next;
2938 }
2939 else
2940 {
2941 activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts));
2942 temp = activeHosts;
2943 }
2944
2945 if (temp == NULL)
2946 {
2947 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2948 errno, "malloc() failed");
2949 rpcap_senderror(sockctrl, ssl, protocol_version, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2950 #ifdef HAVE_OPENSSL
2951 if (ssl)
2952 {
2953 // Finish using the SSL handle for the socket.
2954 // This must be done *before* the socket is closed.
2955 ssl_finish(ssl);
2956 }
2957 #endif
2958 sock_close(sockctrl, NULL, 0);
2959 return (SOCKET)-1;
2960 }
2961
2962 memcpy(&temp->host, &from, fromlen);
2963 temp->sockctrl = sockctrl;
2964 temp->ssl = ssl;
2965 temp->protocol_version = protocol_version;
2966 temp->next = NULL;
2967
2968 return sockctrl;
2969 }
2970
2971 SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
2972 {
2973 return pcap_remoteact_accept_ex(address, port, hostlist, connectinghost, auth, 0, errbuf);
2974 }
2975
2976 int pcap_remoteact_close(const char *host, char *errbuf)
2977 {
2978 struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */
2979 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
2980 int retval;
2981
2982 temp = activeHosts;
2983 prev = NULL;
2984
2985 /* retrieve the network address corresponding to 'host' */
2986 addrinfo = NULL;
2987 memset(&hints, 0, sizeof(struct addrinfo));
2988 hints.ai_family = PF_UNSPEC;
2989 hints.ai_socktype = SOCK_STREAM;
2990
2991 retval = getaddrinfo(host, "0", &hints, &addrinfo);
2992 if (retval != 0)
2993 {
2994 snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s", gai_strerror(retval));
2995 return -1;
2996 }
2997
2998 while (temp)
2999 {
3000 ai_next = addrinfo;
3001 while (ai_next)
3002 {
3003 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
3004 {
3005 struct rpcap_header header;
3006 int status = 0;
3007
3008 /* Close this connection */
3009 rpcap_createhdr(&header, temp->protocol_version,
3010 RPCAP_MSG_CLOSE, 0, 0);
3011
3012 /*
3013 * Don't check for errors, since we're
3014 * just cleaning up.
3015 */
3016 if (sock_send(temp->sockctrl, temp->ssl,
3017 (char *)&header,
3018 sizeof(struct rpcap_header), errbuf,
3019 PCAP_ERRBUF_SIZE) < 0)
3020 {
3021 /*
3022 * Let that error be the one we
3023 * report.
3024 */
3025 #ifdef HAVE_OPENSSL
3026 if (temp->ssl)
3027 {
3028 // Finish using the SSL handle
3029 // for the socket.
3030 // This must be done *before*
3031 // the socket is closed.
3032 ssl_finish(temp->ssl);
3033 }
3034 #endif
3035 (void)sock_close(temp->sockctrl, NULL,
3036 0);
3037 status = -1;
3038 }
3039 else
3040 {
3041 #ifdef HAVE_OPENSSL
3042 if (temp->ssl)
3043 {
3044 // Finish using the SSL handle
3045 // for the socket.
3046 // This must be done *before*
3047 // the socket is closed.
3048 ssl_finish(temp->ssl);
3049 }
3050 #endif
3051 if (sock_close(temp->sockctrl, errbuf,
3052 PCAP_ERRBUF_SIZE) == -1)
3053 status = -1;
3054 }
3055
3056 /*
3057 * Remove the host from the list of active
3058 * hosts.
3059 */
3060 if (prev)
3061 prev->next = temp->next;
3062 else
3063 activeHosts = temp->next;
3064
3065 freeaddrinfo(addrinfo);
3066
3067 free(temp);
3068
3069 /* To avoid inconsistencies in the number of sock_init() */
3070 sock_cleanup();
3071
3072 return status;
3073 }
3074
3075 ai_next = ai_next->ai_next;
3076 }
3077 prev = temp;
3078 temp = temp->next;
3079 }
3080
3081 if (addrinfo)
3082 freeaddrinfo(addrinfo);
3083
3084 /* To avoid inconsistencies in the number of sock_init() */
3085 sock_cleanup();
3086
3087 snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known");
3088 return -1;
3089 }
3090
3091 void pcap_remoteact_cleanup(void)
3092 {
3093 # ifdef HAVE_OPENSSL
3094 if (ssl_main)
3095 {
3096 // Finish using the SSL handle for the main active socket.
3097 // This must be done *before* the socket is closed.
3098 ssl_finish(ssl_main);
3099 ssl_main = NULL;
3100 }
3101 # endif
3102
3103 /* Very dirty, but it works */
3104 if (sockmain)
3105 {
3106 closesocket(sockmain);
3107
3108 /* To avoid inconsistencies in the number of sock_init() */
3109 sock_cleanup();
3110 }
3111 }
3112
3113 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
3114 {
3115 struct activehosts *temp; /* temp var needed to scan the host list chain */
3116 size_t len;
3117 char hoststr[RPCAP_HOSTLIST_SIZE + 1];
3118
3119 temp = activeHosts;
3120
3121 len = 0;
3122 *hostlist = 0;
3123
3124 while (temp)
3125 {
3126 /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */
3127
3128 /* Get the numeric form of the name of the connecting host */
3129 if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr,
3130 RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1)
3131 /* if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */
3132 /* RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */
3133 {
3134 /* sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE); */
3135 return -1;
3136 }
3137
3138 len = len + strlen(hoststr) + 1 /* the separator */;
3139
3140 if ((size < 0) || (len >= (size_t)size))
3141 {
3142 snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep "
3143 "the hostnames for all the active connections");
3144 return -1;
3145 }
3146
3147 pcap_strlcat(hostlist, hoststr, PCAP_ERRBUF_SIZE);
3148 hostlist[len - 1] = sep;
3149 hostlist[len] = 0;
3150
3151 temp = temp->next;
3152 }
3153
3154 return 0;
3155 }
3156
3157 /*
3158 * Receive the header of a message.
3159 */
3160 static int rpcap_recv_msg_header(SOCKET sock, SSL *ssl, struct rpcap_header *header, char *errbuf)
3161 {
3162 int nrecv;
3163
3164 nrecv = sock_recv(sock, ssl, (char *) header, sizeof(struct rpcap_header),
3165 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3166 PCAP_ERRBUF_SIZE);
3167 if (nrecv == -1)
3168 {
3169 /* Network error. */
3170 return -1;
3171 }
3172 header->plen = ntohl(header->plen);
3173 return 0;
3174 }
3175
3176 /*
3177 * Make sure the protocol version of a received message is what we were
3178 * expecting.
3179 */
3180 static int rpcap_check_msg_ver(SOCKET sock, SSL *ssl, uint8 expected_ver, struct rpcap_header *header, char *errbuf)
3181 {
3182 /*
3183 * Did the server specify the version we negotiated?
3184 */
3185 if (header->ver != expected_ver)
3186 {
3187 /*
3188 * Discard the rest of the message.
3189 */
3190 if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
3191 return -1;
3192
3193 /*
3194 * Tell our caller that it's not the negotiated version.
3195 */
3196 if (errbuf != NULL)
3197 {
3198 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3199 "Server sent us a message with version %u when we were expecting %u",
3200 header->ver, expected_ver);
3201 }
3202 return -1;
3203 }
3204 return 0;
3205 }
3206
3207 /*
3208 * Check the message type of a received message, which should either be
3209 * the expected message type or RPCAP_MSG_ERROR.
3210 */
3211 static int rpcap_check_msg_type(SOCKET sock, SSL *ssl, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf)
3212 {
3213 const char *request_type_string;
3214 const char *msg_type_string;
3215
3216 /*
3217 * What type of message is it?
3218 */
3219 if (header->type == RPCAP_MSG_ERROR)
3220 {
3221 /*
3222 * The server reported an error.
3223 * Hand that error back to our caller.
3224 */
3225 *errcode = ntohs(header->value);
3226 rpcap_msg_err(sock, ssl, header->plen, errbuf);
3227 return -1;
3228 }
3229
3230 *errcode = 0;
3231
3232 /*
3233 * For a given request type value, the expected reply type value
3234 * is the request type value with ORed with RPCAP_MSG_IS_REPLY.
3235 */
3236 if (header->type != (request_type | RPCAP_MSG_IS_REPLY))
3237 {
3238 /*
3239 * This isn't a reply to the request we sent.
3240 */
3241
3242 /*
3243 * Discard the rest of the message.
3244 */
3245 if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
3246 return -1;
3247
3248 /*
3249 * Tell our caller about it.
3250 */
3251 request_type_string = rpcap_msg_type_string(request_type);
3252 msg_type_string = rpcap_msg_type_string(header->type);
3253 if (errbuf != NULL)
3254 {
3255 if (request_type_string == NULL)
3256 {
3257 /* This should not happen. */
3258 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3259 "rpcap_check_msg_type called for request message with type %u",
3260 request_type);
3261 return -1;
3262 }
3263 if (msg_type_string != NULL)
3264 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3265 "%s message received in response to a %s message",
3266 msg_type_string, request_type_string);
3267 else
3268 snprintf(errbuf, PCAP_ERRBUF_SIZE,
3269 "Message of unknown type %u message received in response to a %s request",
3270 header->type, request_type_string);
3271 }
3272 return -1;
3273 }
3274
3275 return 0;
3276 }
3277
3278 /*
3279 * Receive and process the header of a message.
3280 */
3281 static int rpcap_process_msg_header(SOCKET sock, SSL *ssl, uint8 expected_ver, uint8 request_type, struct rpcap_header *header, char *errbuf)
3282 {
3283 uint16 errcode;
3284
3285 if (rpcap_recv_msg_header(sock, ssl, header, errbuf) == -1)
3286 {
3287 /* Network error. */
3288 return -1;
3289 }
3290
3291 /*
3292 * Did the server specify the version we negotiated?
3293 */
3294 if (rpcap_check_msg_ver(sock, ssl, expected_ver, header, errbuf) == -1)
3295 return -1;
3296
3297 /*
3298 * Check the message type.
3299 */
3300 return rpcap_check_msg_type(sock, ssl, request_type, header,
3301 &errcode, errbuf);
3302 }
3303
3304 /*
3305 * Read data from a message.
3306 * If we're trying to read more data that remains, puts an error
3307 * message into errmsgbuf and returns -2. Otherwise, tries to read
3308 * the data and, if that succeeds, subtracts the amount read from
3309 * the number of bytes of data that remains.
3310 * Returns 0 on success, logs a message and returns -1 on a network
3311 * error.
3312 */
3313 static int rpcap_recv(SOCKET sock, SSL *ssl, void *buffer, size_t toread, uint32 *plen, char *errbuf)
3314 {
3315 int nread;
3316
3317 if (toread > *plen)
3318 {
3319 /* The server sent us a bad message */
3320 snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short");
3321 return -1;
3322 }
3323 nread = sock_recv(sock, ssl, buffer, toread,
3324 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE);
3325 if (nread == -1)
3326 {
3327 return -1;
3328 }
3329 *plen -= nread;
3330 return 0;
3331 }
3332
3333 /*
3334 * This handles the RPCAP_MSG_ERROR message.
3335 */
3336 static void rpcap_msg_err(SOCKET sockctrl, SSL *ssl, uint32 plen, char *remote_errbuf)
3337 {
3338 char errbuf[PCAP_ERRBUF_SIZE];
3339
3340 if (plen >= PCAP_ERRBUF_SIZE)
3341 {
3342 /*
3343 * Message is too long; just read as much of it as we
3344 * can into the buffer provided, and discard the rest.
3345 */
3346 if (sock_recv(sockctrl, ssl, remote_errbuf, PCAP_ERRBUF_SIZE - 1,
3347 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3348 PCAP_ERRBUF_SIZE) == -1)
3349 {
3350 // Network error.
3351 snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3352 return;
3353 }
3354
3355 /*
3356 * Null-terminate it.
3357 */
3358 remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0';
3359
3360 #ifdef _WIN32
3361 /*
3362 * If we're not in UTF-8 mode, convert it to the local
3363 * code page.
3364 */
3365 if (!pcap_utf_8_mode)
3366 utf_8_to_acp_truncated(remote_errbuf);
3367 #endif
3368
3369 /*
3370 * Throw away the rest.
3371 */
3372 (void)rpcap_discard(sockctrl, ssl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf);
3373 }
3374 else if (plen == 0)
3375 {
3376 /* Empty error string. */
3377 remote_errbuf[0] = '\0';
3378 }
3379 else
3380 {
3381 if (sock_recv(sockctrl, ssl, remote_errbuf, plen,
3382 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3383 PCAP_ERRBUF_SIZE) == -1)
3384 {
3385 // Network error.
3386 snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3387 return;
3388 }
3389
3390 /*
3391 * Null-terminate it.
3392 */
3393 remote_errbuf[plen] = '\0';
3394 }
3395 }
3396
3397 /*
3398 * Discard data from a connection.
3399 * Mostly used to discard wrong-sized messages.
3400 * Returns 0 on success, logs a message and returns -1 on a network
3401 * error.
3402 */
3403 static int rpcap_discard(SOCKET sock, SSL *ssl, uint32 len, char *errbuf)
3404 {
3405 if (len != 0)
3406 {
3407 if (sock_discard(sock, ssl, len, errbuf, PCAP_ERRBUF_SIZE) == -1)
3408 {
3409 // Network error.
3410 return -1;
3411 }
3412 }
3413 return 0;
3414 }
3415
3416 /*
3417 * Read bytes into the pcap_t's buffer until we have the specified
3418 * number of bytes read or we get an error or interrupt indication.
3419 */
3420 static int rpcap_read_packet_msg(struct pcap_rpcap const *rp, pcap_t *p, size_t size)
3421 {
3422 u_char *bp;
3423 int cc;
3424 int bytes_read;
3425
3426 bp = p->bp;
3427 cc = p->cc;
3428
3429 /*
3430 * Loop until we have the amount of data requested or we get
3431 * an error or interrupt.
3432 */
3433 while ((size_t)cc < size)
3434 {
3435 /*
3436 * We haven't read all of the packet header yet.
3437 * Read what remains, which could be all of it.
3438 */
3439 bytes_read = sock_recv(rp->rmt_sockdata, rp->data_ssl, bp, size - cc,
3440 SOCK_RECEIVEALL_NO|SOCK_EOF_IS_ERROR, p->errbuf,
3441 PCAP_ERRBUF_SIZE);
3442
3443 if (bytes_read == -1)
3444 {
3445 /*
3446 * Network error. Update the read pointer and
3447 * byte count, and return an error indication.
3448 */
3449 p->bp = bp;
3450 p->cc = cc;
3451 return -1;
3452 }
3453 if (bytes_read == -3)
3454 {
3455 /*
3456 * Interrupted receive. Update the read
3457 * pointer and byte count, and return
3458 * an interrupted indication.
3459 */
3460 p->bp = bp;
3461 p->cc = cc;
3462 return -3;
3463 }
3464 if (bytes_read == 0)
3465 {
3466 /*
3467 * EOF - server terminated the connection.
3468 * Update the read pointer and byte count, and
3469 * return an error indication.
3470 */
3471 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
3472 "The server terminated the connection.");
3473 return -1;
3474 }
3475 bp += bytes_read;
3476 cc += bytes_read;
3477 }
3478 p->bp = bp;
3479 p->cc = cc;
3480 return 0;
3481 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism