]> The Tcpdump Group git mirrors - libpcap/blob - pcap-linux.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Declare "install_bpf_program()" in "pcap-int.h", not "gencode.h"; it has
[libpcap] / pcap-linux.c
1 /*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
21 * written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27 #ifndef lint
28 static const char rcsid[] =
29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.40 2000-11-04 07:19:23 guy Exp $ (LBL)";
30 #endif
31
32 /*
33 * Known problems with 2.0[.x] kernels:
34 *
35 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
36 * if we use PF_PACKET, we can filter out the transmitted version
37 * of the packet by using data in the "sockaddr_ll" returned by
38 * "recvfrom()", but, on 2.0[.x] kernels, we have to use
39 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a
40 * "sockaddr_pkt" which doesn't give us enough information to let
41 * us do that.
42 *
43 * - We have to set the interface's IFF_PROMISC flag ourselves, if
44 * we're to run in promiscuous mode, which means we have to turn
45 * it off ourselves when we're done; the kernel doesn't keep track
46 * of how many sockets are listening promiscuously, which means
47 * it won't get turned off automatically when no sockets are
48 * listening promiscuously. We'd have to catch "pcap_close()"
49 * and restore the value the promiscuous flag had when we opened
50 * the device - which may not be the value it should have, if
51 * another socket also requested promiscuous mode between the time
52 * when we opened the socket and the time when we close the socket.
53 * We currently just punt, printing a warning and hinting that the
54 * user should upgrade to a 2.2 or later kernel.
55 */
56
57
58 #ifdef HAVE_CONFIG_H
59 #include "config.h"
60 #endif
61
62 #include "pcap-int.h"
63
64 #include <errno.h>
65 #include <stdlib.h>
66 #include <unistd.h>
67 #include <fcntl.h>
68 #include <string.h>
69 #include <sys/socket.h>
70 #include <sys/ioctl.h>
71 #include <net/if.h>
72 #include <netinet/in.h>
73 #include <linux/if_ether.h>
74 #include <netinet/if_ether.h>
75
76 #ifdef HAVE_NETPACKET_PACKET_H
77 #include <netpacket/packet.h>
78 #endif
79 #ifdef SO_ATTACH_FILTER
80 #include <linux/types.h>
81 #include <linux/filter.h>
82 #endif
83
84 #ifndef __GLIBC__
85 typedef int socklen_t;
86 #endif
87
88 #ifndef MSG_TRUNC
89 #define MSG_TRUNC 0
90 #endif
91
92 #define MAX_LINKHEADER_SIZE 256
93
94 /*
95 * When capturing on all interfaces we use this as the buffer size.
96 * Should be bigger then all MTUs that occur in real life.
97 * 64kB should be enough for now.
98 */
99 #define BIGGER_THAN_ALL_MTUS (64*1024)
100
101 /*
102 * Prototypes for internal functions
103 */
104 static int map_arphrd_to_dlt(int arptype );
105 static int live_open_old(pcap_t *, char *, int, int, char *);
106 static int live_open_new(pcap_t *, char *, int, int, char *);
107 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
108
109 /*
110 * Wrap some ioctl calls
111 */
112 #ifdef HAVE_NETPACKET_PACKET_H
113 static int iface_get_id(int fd, const char *device, char *ebuf);
114 #endif
115 static int iface_get_mtu(int fd, const char *device, char *ebuf);
116 static int iface_get_arptype(int fd, const char *device, char *ebuf);
117 #ifdef HAVE_NETPACKET_PACKET_H
118 static int iface_bind(int fd, int ifindex, char *ebuf);
119 #endif
120 static int iface_bind_old(int fd, const char *device, char *ebuf);
121
122 /*
123 * Get a handle for a live capture from the given device. You can
124 * pass NULL as device to get all packages (without link level
125 * information of course). If you pass 1 as promisc the interface
126 * will be set to promiscous mode (XXX: I think this usage should
127 * be deprecated and functions be added to select that later allow
128 * modification of that values -- Torsten).
129 *
130 * See also pcap(3).
131 */
132 pcap_t *
133 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
134 {
135 /* Allocate a handle for this session. */
136
137 pcap_t *handle = malloc(sizeof(*handle));
138 if (handle == NULL) {
139 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
140 pcap_strerror(errno));
141 return NULL;
142 }
143
144 /* Initialize some components of the pcap structure. */
145
146 memset(handle, 0, sizeof(*handle));
147 handle->snapshot = snaplen;
148 handle->md.timeout = to_ms;
149 handle->md.promisc = promisc;
150
151 /*
152 * NULL and "any" are special devices which give us the hint to
153 * monitor all devices.
154 */
155 if (!device || strcmp(device, "any") == 0) {
156 device = NULL;
157 handle->md.device = strdup("any");
158 } else
159 handle->md.device = strdup(device);
160
161 if (handle->md.device == NULL) {
162 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
163 pcap_strerror(errno) );
164 free(handle);
165 return NULL;
166 }
167
168 /*
169 * Current Linux kernels use the protocol family PF_PACKET to
170 * allow direct access to all packets on the network while
171 * older kernels had a special socket type SOCK_PACKET to
172 * implement this feature.
173 * While this old implementation is kind of obsolete we need
174 * to be compatible with older kernels for a while so we are
175 * trying both methods with the newer method preferred.
176 */
177
178 if (! (live_open_new(handle, device, promisc, to_ms, ebuf) ||
179 live_open_old(handle, device, promisc, to_ms, ebuf)) )
180 {
181 /*
182 * Both methods to open the packet socket failed. Tidy
183 * up and report our failure (ebuf is expected to be
184 * set by the functions above).
185 */
186
187 free(handle->md.device);
188 free(handle);
189 return NULL;
190 }
191
192 /*
193 * Okay, now we have a packet stream open. Maybe we need to handle
194 * a timeout? In that case we set the filehandle to nonblocking
195 * so pcap_read can try reading the fd and call select if no data
196 * is available at first.
197 */
198
199 if (to_ms > 0) {
200 int flags = fcntl(handle->fd, F_GETFL);
201 if (flags != -1) {
202 flags |= O_NONBLOCK;
203 flags = fcntl(handle->fd, F_SETFL, flags);
204 }
205 if (flags == -1) {
206 snprintf(ebuf, PCAP_ERRBUF_SIZE, "fcntl: %s",
207 pcap_strerror(errno));
208 pcap_close(handle);
209 return NULL;
210 }
211 }
212
213 return handle;
214 }
215
216 /*
217 * Read at most max_packets from the capture stream and call the callback
218 * for each of them. Returns the number of packets handled or -1 if an
219 * error occured.
220 *
221 * XXX: Can I rely on the Linux-specified behaviour of select (returning
222 * the time left in the timeval structure)? I really don't want to query
223 * the system time before each select call...
224 *
225 * pcap_read currently gets not only a packet from the kernel but also
226 * the sockaddr_ll returned as source of the packet. This way we can at
227 * some time extend tcpdump and libpcap to sniff on all devices at a time
228 * and find the right printing routine by using the information in the
229 * sockaddr_ll structure.
230 */
231 int
232 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
233 {
234 int status, packets;
235 fd_set read_fds;
236 struct timeval tv;
237
238 /*
239 * Fill in a timeval structure for select if we need to obeye a
240 * timeout.
241 */
242 if (handle->md.timeout > 0) {
243 tv.tv_usec = (handle->md.timeout % 1000) * 1000;
244 tv.tv_sec = (handle->md.timeout / 1000);
245 }
246
247 /*
248 * Read packets until the packet limit has been reached or
249 * an error occured while reading. Call the user function
250 * for each received packet.
251 */
252 for (packets = 0; max_packets == -1 || packets < max_packets;)
253 {
254 status = pcap_read_packet(handle, callback, user);
255
256 if (status > 0) {
257 packets += status;
258 continue;
259 } else if (status == -1)
260 return -1;
261
262 /*
263 * If no packet is available we go to sleep. FIXME: This
264 * might be better implemented using poll(?)
265 */
266 FD_ZERO(&read_fds);
267 FD_SET(handle->fd, &read_fds);
268 status = select(handle->fd + 1,
269 &read_fds, NULL, NULL, &tv);
270
271 if (status == -1) {
272 if (errno == EINTR)
273 return packets;
274 snprintf(handle->errbuf, sizeof(handle->errbuf),
275 "select: %s", pcap_strerror(errno));
276 return -1;
277 }
278 else if (status == 0 ||
279 (tv.tv_usec == 0 && tv.tv_sec == 0))
280 return packets;
281 }
282
283 return packets;
284 }
285
286 /*
287 * Read a packet from the socket calling the handler provided by
288 * the user. Returns the number of packets received or -1 if an
289 * error occured.
290 */
291 static int
292 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
293 {
294 #ifdef HAVE_NETPACKET_PACKET_H
295 struct sockaddr_ll from;
296 #else
297 struct sockaddr from;
298 #endif
299 socklen_t fromlen;
300 int packet_len, caplen;
301 struct pcap_pkthdr pcap_header;
302
303 /*
304 * We don't currently use the from return value of recvfrom but
305 * this will probably be implemented in the future.
306 */
307
308 /* Receive a single packet from the kernel */
309
310 do {
311 fromlen = sizeof(from);
312 packet_len = recvfrom(
313 handle->fd, handle->buffer + handle->offset,
314 handle->snapshot, MSG_TRUNC,
315 (struct sockaddr *) &from, &fromlen);
316 } while (packet_len == -1 && errno == EINTR);
317
318 /* Check if an error occured */
319
320 if (packet_len == -1) {
321 if (errno == EAGAIN)
322 return 0; /* no packet there */
323 else {
324 snprintf(handle->errbuf, sizeof(handle->errbuf),
325 "recvfrom: %s", pcap_strerror(errno));
326 return -1;
327 }
328 }
329
330 #ifdef HAVE_NETPACKET_PACKET_H
331 /*
332 * If this is from the loopback device, reject outgoing packets;
333 * we'll see the packet as an incoming packet as well, and
334 * we don't want to see it twice.
335 *
336 * We can only do this if we're using PF_PACKET; the address
337 * returned for SOCK_PACKET is a "sockaddr_pkt" which lacks
338 * the relevant packet type information.
339 */
340 if (!handle->md.sock_packet &&
341 from.sll_ifindex == handle->md.lo_ifindex &&
342 from.sll_pkttype == PACKET_OUTGOING)
343 return 0;
344 #endif
345
346 /*
347 * XXX: According to the kernel source we should get the real
348 * packet len if calling recvfrom with MSG_TRUNC set. It does
349 * not seem to work here :(, but it is supported by this code
350 * anyway.
351 * To be honest the code RELIES on that feature so this is really
352 * broken with 2.2.x kernels.
353 * I spend a day to figure out what's going on and I found out
354 * that the following is happening:
355 *
356 * The packet comes from a random interface and the packet_rcv
357 * hook is called with a clone of the packet. That code inserts
358 * the packet into the receive queue of the packet socket.
359 * If a filter is attached to that socket that filter is run
360 * first - and there lies the problem. The default filter always
361 * cuts the packet at the snaplen:
362 *
363 * # tcpdump -d
364 * (000) ret #68
365 *
366 * So the packet filter cuts down the packet. The recvfrom call
367 * says "hey, it's only 68 bytes, it fits into the buffer" with
368 * the result that we don't get the real packet length. This
369 * is valid at least until kernel 2.2.17pre6.
370 *
371 * tcpdump is currently fixed by changing the BPF code generator
372 * to not truncate the received packet.
373 */
374
375 caplen = packet_len;
376 if (caplen > handle->snapshot)
377 caplen = handle->snapshot;
378
379 /* Run the packet filter if not using kernel filter */
380 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
381 if (bpf_filter(handle->fcode.bf_insns, handle->buffer,
382 packet_len, caplen) == 0)
383 {
384 /* rejected by filter */
385 return 0;
386 }
387 }
388
389 /* Fill in our own header data */
390
391 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
392 snprintf(handle->errbuf, sizeof(handle->errbuf),
393 "ioctl: %s", pcap_strerror(errno));
394 return -1;
395 }
396 pcap_header.caplen = caplen;
397 pcap_header.len = packet_len;
398
399 /* Call the user supplied callback function */
400 handle->md.stat.ps_recv++;
401 callback(userdata, &pcap_header, handle->buffer + handle->offset);
402
403 return 1;
404 }
405
406 /*
407 * Get the statistics for the given packet capture handle.
408 * FIXME: Currently does not report the number of dropped packets.
409 */
410 int
411 pcap_stats(pcap_t *handle, struct pcap_stat *stats)
412 {
413 *stats = handle->md.stat;
414 return 0;
415 }
416
417 /*
418 * Attach the given BPF code to the packet capture device.
419 */
420 int
421 pcap_setfilter(pcap_t *handle, struct bpf_program *filter)
422 {
423 #ifdef SO_ATTACH_FILTER
424 struct sock_fprog fcode;
425 #endif
426
427 if (!handle)
428 return -1;
429 if (!filter) {
430 strncpy(handle->errbuf, "setfilter: No filter specified",
431 sizeof(handle->errbuf));
432 return -1;
433 }
434
435 /* Make our private copy of the filter */
436
437 if (install_bpf_program(handle, filter) < 0) {
438 snprintf(handle->errbuf, sizeof(handle->errbuf),
439 "malloc: %s", pcap_strerror(errno));
440 return -1;
441 }
442
443 /*
444 * Run user level packet filter by default. Will be overriden if
445 * installing a kernel filter succeeds.
446 */
447 handle->md.use_bpf = 0;
448
449 /*
450 * If we're reading from a savefile, don't try to install
451 * a kernel filter.
452 */
453 if (handle->sf.rfile != NULL)
454 return 0;
455
456 /* Install kernel level filter if possible */
457
458 #ifdef SO_ATTACH_FILTER
459 /*
460 * Oh joy, the Linux kernel uses struct sock_fprog instead of
461 * struct bpf_program and of course the length field is of
462 * different size. Pointed out by Sebastian
463 */
464
465 fcode.filter = (struct sock_filter *) handle->fcode.bf_insns;
466 fcode.len = filter->bf_len;
467 #ifdef USHRT_MAX
468 if (filter->bf_len > USHRT_MAX) {
469 /*
470 * fcode.len is an unsigned short for current kernel.
471 * I have yet to see BPF-Code with that much instructions
472 * but still it is possible. So for the sake of
473 * correctness I added this check.
474 */
475 fprintf(stderr, "Warning: Filter to complex for kernel\n");
476 }
477 else
478 #endif
479 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
480 &fcode, sizeof(fcode)) == 0)
481 {
482 /* Installation succeded - using kernel filter. */
483 handle->md.use_bpf = 1;
484 }
485 else
486 {
487 /*
488 * Print a warning if kernel filter available but a problem
489 * occured using it.
490 */
491 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
492 fprintf(stderr, "Warning: Kernel filter failed: %s\n",
493 pcap_strerror(errno));
494 }
495 }
496 #endif
497
498 return 0;
499 }
500
501 /*
502 * Linux uses the ARP hardware type to identify the type of an
503 * interface. pcap uses the DLT_xxx constants for this. This
504 * function maps the ARPHRD_xxx constant to an appropriate
505 * DLT_xxx constant.
506 *
507 * Returns -1 if unable to map the type.
508 */
509 static int map_arphrd_to_dlt(int arptype)
510 {
511 switch (arptype) {
512 case ARPHRD_ETHER:
513 case ARPHRD_METRICOM:
514 case ARPHRD_LOOPBACK: return DLT_EN10MB;
515 case ARPHRD_EETHER: return DLT_EN3MB;
516 case ARPHRD_AX25: return DLT_AX25;
517 case ARPHRD_PRONET: return DLT_PRONET;
518 case ARPHRD_CHAOS: return DLT_CHAOS;
519 case ARPHRD_IEEE802: return DLT_IEEE802;
520 case ARPHRD_ARCNET: return DLT_ARCNET;
521 case ARPHRD_FDDI: return DLT_FDDI;
522
523 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
524 #define ARPHRD_ATM 19
525 #endif
526 case ARPHRD_ATM: return DLT_ATM_CLIP;
527
528 case ARPHRD_SIT:
529 case ARPHRD_PPP:
530 case ARPHRD_CSLIP:
531 case ARPHRD_SLIP6:
532 case ARPHRD_CSLIP6:
533 case ARPHRD_SLIP: return DLT_RAW;
534 }
535
536 return -1;
537 }
538
539 /* ===== Functions to interface to the newer kernels ================== */
540
541 /*
542 * Try to open a packet socket using the new kernel interface.
543 * Returns 0 on failure.
544 * FIXME: 0 uses to mean success (Sebastian)
545 */
546 static int
547 live_open_new(pcap_t *handle, char *device, int promisc,
548 int to_ms, char *ebuf)
549 {
550 #ifdef HAVE_NETPACKET_PACKET_H
551 int sock_fd = -1, device_id, mtu, arptype;
552 struct packet_mreq mr;
553
554 /* One shot loop used for error handling - bail out with break */
555
556 do {
557 /*
558 * Open a socket with protocol family packet. If a device is
559 * given we try to open it in raw mode otherwise we use
560 * the cooked interface.
561 */
562 sock_fd = device ?
563 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
564 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
565
566 if (sock_fd == -1) {
567 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
568 pcap_strerror(errno) );
569 break;
570 }
571
572 /* It seems the kernel supports the new interface. */
573 handle->md.sock_packet = 0;
574
575 /*
576 * Get the interface index of the loopback device.
577 * If the attempt fails, don't fail, just set the
578 * "md.lo_ifindex" to -1.
579 *
580 * XXX - can there be more than one device that loops
581 * packets back, i.e. devices other than "lo"? If so,
582 * we'd need to find them all, and have an array of
583 * indices for them, and check all of them in
584 * "pcap_read_packet()".
585 */
586 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf);
587
588 /*
589 * What kind of frames do we have to deal with? Fall back
590 * to cooked mode if we have an unknown interface type.
591 */
592
593 if (device) {
594 arptype = iface_get_arptype(sock_fd, device, ebuf);
595 if (arptype == -1)
596 break;
597 handle->linktype = map_arphrd_to_dlt(arptype);
598 if (handle->linktype == -1) {
599 /*
600 * Unknown interface type - reopen in cooked
601 * mode.
602 */
603 if (close(sock_fd) == -1) {
604 snprintf(ebuf, PCAP_ERRBUF_SIZE,
605 "close: %s", pcap_strerror(errno));
606 break;
607 }
608 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
609 htons(ETH_P_ALL));
610 if (sock_fd == -1) {
611 snprintf(ebuf, PCAP_ERRBUF_SIZE,
612 "socket: %s", pcap_strerror(errno));
613 break;
614 }
615
616 fprintf(stderr,
617 "Warning: arptype %d not supported by "
618 "libpcap - falling back to cooked "
619 "socket\n",
620 arptype);
621 handle->linktype = DLT_RAW;
622 }
623
624 device_id = iface_get_id(sock_fd, device, ebuf);
625 if (device_id == -1)
626 break;
627
628 if (iface_bind(sock_fd, device_id, ebuf) == -1)
629 break;
630 } else {
631 handle->linktype = DLT_RAW;
632
633 /*
634 * XXX - squelch GCC complaints about
635 * uninitialized variables; if we can't
636 * select promiscuous mode on all interfaces,
637 * we should move the code below into the
638 * "if (device)" branch of the "if" and
639 * get rid of the next statement.
640 */
641 device_id = -1;
642 }
643
644 /* Select promiscuous mode on/off */
645
646 #ifdef SOL_PACKET
647 /*
648 * Hmm, how can we set promiscuous mode on all interfaces?
649 * I am not sure if that is possible at all.
650 */
651
652 if (device) {
653 memset(&mr, 0, sizeof(mr));
654 mr.mr_ifindex = device_id;
655 mr.mr_type = promisc ?
656 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
657 if (setsockopt(sock_fd, SOL_PACKET,
658 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1)
659 {
660 snprintf(ebuf, PCAP_ERRBUF_SIZE,
661 "setsockopt: %s", pcap_strerror(errno));
662 break;
663 }
664 }
665 #endif
666
667 /* Compute the buffersize */
668
669 mtu = iface_get_mtu(sock_fd, device, ebuf);
670 if (mtu == -1)
671 break;
672 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
673
674 /* Fill in the pcap structure */
675
676 handle->fd = sock_fd;
677 handle->offset = 0;
678
679 handle->buffer = malloc(handle->bufsize);
680 if (!handle->buffer) {
681 snprintf(ebuf, PCAP_ERRBUF_SIZE,
682 "malloc: %s", pcap_strerror(errno));
683 break;
684 }
685
686 return 1;
687
688 } while(0);
689
690 if (sock_fd != -1)
691 close(sock_fd);
692 return 0;
693 #else
694 strncpy(ebuf,
695 "New packet capturing interface not supported by build "
696 "environment", PCAP_ERRBUF_SIZE);
697 return 0;
698 #endif
699 }
700
701 #ifdef HAVE_NETPACKET_PACKET_H
702 /*
703 * Return the index of the given device name. Fill ebuf and return
704 * -1 on failure.
705 */
706 static int
707 iface_get_id(int fd, const char *device, char *ebuf)
708 {
709 struct ifreq ifr;
710
711 memset(&ifr, 0, sizeof(ifr));
712 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
713
714 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
715 snprintf(ebuf, PCAP_ERRBUF_SIZE,
716 "ioctl: %s", pcap_strerror(errno));
717 return -1;
718 }
719
720 return ifr.ifr_ifindex;
721 }
722
723 /*
724 * Bind the socket associated with FD to the given device.
725 */
726 static int
727 iface_bind(int fd, int ifindex, char *ebuf)
728 {
729 struct sockaddr_ll sll;
730
731 memset(&sll, 0, sizeof(sll));
732 sll.sll_family = AF_PACKET;
733 sll.sll_ifindex = ifindex;
734 sll.sll_protocol = htons(ETH_P_ALL);
735
736 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
737 snprintf(ebuf, PCAP_ERRBUF_SIZE,
738 "bind: %s", pcap_strerror(errno));
739 return -1;
740 }
741
742 return 0;
743 }
744
745 #endif
746
747
748 /* ===== Functions to interface to the older kernels ================== */
749
750 /*
751 * With older kernels promiscuous mode is kind of interesting because we
752 * have to reset the interface before exiting. The problem can't really
753 * be solved without some daemon taking care of managing usage counts.
754 * We save the promiscuous state of the device when opening the capture
755 * stream and arrange for it to be reset on process exit.
756 *
757 * XXX: This solution is still not correct even for this case. The
758 * devices stay in promiscuous mode until the process exits. I need to
759 * modify pcap_close to solve this.
760 */
761
762 /*
763 * The device name and the interface flags to be restored at exit
764 */
765 struct ifreq restore_ifr;
766
767 static void restore_interface( void )
768 {
769 int status = socket(PF_INET, SOCK_PACKET, 0);
770
771 if (status != -1)
772 status = ioctl(status, SIOCSIFFLAGS, &restore_ifr);
773
774 if (status == -1) {
775 fprintf(stderr,
776 "Can't restore interface flags. Please adjust manually. \n"
777 "Hint: This can't happen with Linux >= 2.2.0.\n");
778 }
779 }
780
781 /*
782 * Try to open a packet socket using the old kernel interface.
783 * Returns 0 on failure.
784 * FIXME: 0 uses to mean success (Sebastian)
785 */
786 static int
787 live_open_old(pcap_t *handle, char *device, int promisc,
788 int to_ms, char *ebuf)
789 {
790 int sock_fd = -1, mtu, arptype;
791 struct ifreq ifr;
792
793 do {
794 /* Open the socket */
795
796 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
797 if (sock_fd == -1) {
798 snprintf(ebuf, PCAP_ERRBUF_SIZE,
799 "socket: %s", pcap_strerror(errno));
800 break;
801 }
802
803 /* It worked - we are using the old interface */
804 handle->md.sock_packet = 1;
805
806 /* Bind to the given device */
807
808 if (!device) {
809 strncpy(ebuf, "pcap_open_live: No interface given",
810 PCAP_ERRBUF_SIZE);
811 break;
812 }
813 if (iface_bind_old(sock_fd, device, ebuf) == -1)
814 break;
815
816 /* Go to promisc mode */
817 if (promisc) {
818 memset(&ifr, 0, sizeof(ifr));
819 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
820 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) {
821 snprintf(ebuf, PCAP_ERRBUF_SIZE,
822 "ioctl: %s", pcap_strerror(errno));
823 break;
824 }
825 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
826 restore_ifr = ifr;
827 ifr.ifr_flags |= IFF_PROMISC;
828 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) {
829 snprintf(ebuf, PCAP_ERRBUF_SIZE,
830 "ioctl: %s",
831 pcap_strerror(errno));
832 break;
833 }
834 if (atexit(restore_interface) == -1) {
835 restore_interface();
836 strncpy(ebuf, "atexit failed",
837 PCAP_ERRBUF_SIZE);
838 break;
839 }
840 }
841 }
842
843 /* Compute the buffersize */
844
845 mtu = iface_get_mtu(sock_fd, device, ebuf);
846 if (mtu == -1)
847 break;
848 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
849 if (handle->bufsize < handle->snapshot)
850 handle->bufsize = handle->snapshot;
851
852 /* All done - fill in the pcap handle */
853
854 arptype = iface_get_arptype(sock_fd, device, ebuf);
855 if (arptype == -1)
856 break;
857
858 handle->fd = sock_fd;
859 handle->offset = 0;
860 handle->linktype = map_arphrd_to_dlt(arptype);
861 if (handle->linktype == -1) {
862 snprintf(ebuf, PCAP_ERRBUF_SIZE,
863 "interface type of %s not supported", device);
864 break;
865 }
866 handle->buffer = malloc(handle->bufsize);
867 if (!handle->buffer) {
868 snprintf(ebuf, PCAP_ERRBUF_SIZE,
869 "malloc: %s", pcap_strerror(errno));
870 break;
871 }
872
873 return 1;
874
875 } while (0);
876
877 if (sock_fd != -1)
878 close(sock_fd);
879 return 0;
880 }
881
882 /*
883 * Bind the socket associated with FD to the given device using the
884 * interface of the old kernels.
885 */
886 static int
887 iface_bind_old(int fd, const char *device, char *ebuf)
888 {
889 struct sockaddr saddr;
890
891 memset(&saddr, 0, sizeof(saddr));
892 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
893 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
894 snprintf(ebuf, PCAP_ERRBUF_SIZE,
895 "bind: %s", pcap_strerror(errno));
896 return -1;
897 }
898
899 return 0;
900 }
901
902
903 /* ===== System calls available on all supported kernels ============== */
904
905 /*
906 * Query the kernel for the MTU of the given interface.
907 */
908 static int
909 iface_get_mtu(int fd, const char *device, char *ebuf)
910 {
911 struct ifreq ifr;
912
913 if (!device)
914 return BIGGER_THAN_ALL_MTUS;
915
916 memset(&ifr, 0, sizeof(ifr));
917 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
918
919 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
920 snprintf(ebuf, PCAP_ERRBUF_SIZE,
921 "ioctl: %s", pcap_strerror(errno));
922 return -1;
923 }
924
925 return ifr.ifr_mtu;
926 }
927
928 /*
929 * Get the hardware type of the given interface as ARPHRD_xxx constant.
930 */
931 static int
932 iface_get_arptype(int fd, const char *device, char *ebuf)
933 {
934 struct ifreq ifr;
935
936 memset(&ifr, 0, sizeof(ifr));
937 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
938
939 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
940 snprintf(ebuf, PCAP_ERRBUF_SIZE,
941 "ioctl: %s", pcap_strerror(errno));
942 return -1;
943 }
944
945 return ifr.ifr_hwaddr.sa_family;
946 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism