]> The Tcpdump Group git mirrors - libpcap/blob - pcap-linux.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Fix white space.
[libpcap] / pcap-linux.c
1 /*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
21 * written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27 #ifndef lint
28 static const char rcsid[] =
29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.80 2002-06-01 09:36:26 guy Exp $ (LBL)";
30 #endif
31
32 /*
33 * Known problems with 2.0[.x] kernels:
34 *
35 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
36 * if we use PF_PACKET, we can filter out the transmitted version
37 * of the packet by using data in the "sockaddr_ll" returned by
38 * "recvfrom()", but, on 2.0[.x] kernels, we have to use
39 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a
40 * "sockaddr_pkt" which doesn't give us enough information to let
41 * us do that.
42 *
43 * - We have to set the interface's IFF_PROMISC flag ourselves, if
44 * we're to run in promiscuous mode, which means we have to turn
45 * it off ourselves when we're done; the kernel doesn't keep track
46 * of how many sockets are listening promiscuously, which means
47 * it won't get turned off automatically when no sockets are
48 * listening promiscuously. We catch "pcap_close()" and, for
49 * interfaces we put into promiscuous mode, take them out of
50 * promiscuous mode - which isn't necessarily the right thing to
51 * do, if another socket also requested promiscuous mode between
52 * the time when we opened the socket and the time when we close
53 * the socket.
54 *
55 * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()"
56 * return the amount of data that you could have read, rather than
57 * the amount that was returned, so we can't just allocate a buffer
58 * whose size is the snapshot length and pass the snapshot length
59 * as the byte count, and also pass MSG_TRUNC, so that the return
60 * value tells us how long the packet was on the wire.
61 *
62 * This means that, if we want to get the actual size of the packet,
63 * so we can return it in the "len" field of the packet header,
64 * we have to read the entire packet, not just the part that fits
65 * within the snapshot length, and thus waste CPU time copying data
66 * from the kernel that our caller won't see.
67 *
68 * We have to get the actual size, and supply it in "len", because
69 * otherwise, the IP dissector in tcpdump, for example, will complain
70 * about "truncated-ip", as the packet will appear to have been
71 * shorter, on the wire, than the IP header said it should have been.
72 */
73
74
75 #ifdef HAVE_CONFIG_H
76 #include "config.h"
77 #endif
78
79 #include "pcap-int.h"
80 #include "sll.h"
81
82 #include <errno.h>
83 #include <stdlib.h>
84 #include <unistd.h>
85 #include <fcntl.h>
86 #include <string.h>
87 #include <sys/socket.h>
88 #include <sys/ioctl.h>
89 #include <sys/utsname.h>
90 #include <net/if.h>
91 #include <netinet/in.h>
92 #include <linux/if_ether.h>
93 #include <net/if_arp.h>
94
95 /*
96 * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET
97 * sockets rather than SOCK_PACKET sockets.
98 *
99 * To use them, we include <linux/if_packet.h> rather than
100 * <netpacket/packet.h>; we do so because
101 *
102 * some Linux distributions (e.g., Slackware 4.0) have 2.2 or
103 * later kernels and libc5, and don't provide a <netpacket/packet.h>
104 * file;
105 *
106 * not all versions of glibc2 have a <netpacket/packet.h> file
107 * that defines stuff needed for some of the 2.4-or-later-kernel
108 * features, so if the system has a 2.4 or later kernel, we
109 * still can't use those features.
110 *
111 * We're already including a number of other <linux/XXX.h> headers, and
112 * this code is Linux-specific (no other OS has PF_PACKET sockets as
113 * a raw packet capture mechanism), so it's not as if you gain any
114 * useful portability by using <netpacket/packet.h>
115 *
116 * XXX - should we just include <linux/if_packet.h> even if PF_PACKET
117 * isn't defined? It only defines one data structure in 2.0.x, so
118 * it shouldn't cause any problems.
119 */
120 #ifdef PF_PACKET
121 # include <linux/if_packet.h>
122
123 /*
124 * On at least some Linux distributions (for example, Red Hat 5.2),
125 * there's no <netpacket/packet.h> file, but PF_PACKET is defined if
126 * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define
127 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of
128 * the PACKET_xxx stuff.
129 *
130 * So we check whether PACKET_HOST is defined, and assume that we have
131 * PF_PACKET sockets only if it is defined.
132 */
133 # ifdef PACKET_HOST
134 # define HAVE_PF_PACKET_SOCKETS
135 # endif /* PACKET_HOST */
136 #endif /* PF_PACKET */
137
138 #ifdef SO_ATTACH_FILTER
139 #include <linux/types.h>
140 #include <linux/filter.h>
141 #endif
142
143 #ifndef __GLIBC__
144 typedef int socklen_t;
145 #endif
146
147 #ifndef MSG_TRUNC
148 /*
149 * This is being compiled on a system that lacks MSG_TRUNC; define it
150 * with the value it has in the 2.2 and later kernels, so that, on
151 * those kernels, when we pass it in the flags argument to "recvfrom()"
152 * we're passing the right value and thus get the MSG_TRUNC behavior
153 * we want. (We don't get that behavior on 2.0[.x] kernels, because
154 * they didn't support MSG_TRUNC.)
155 */
156 #define MSG_TRUNC 0x20
157 #endif
158
159 #define MAX_LINKHEADER_SIZE 256
160
161 /*
162 * When capturing on all interfaces we use this as the buffer size.
163 * Should be bigger then all MTUs that occur in real life.
164 * 64kB should be enough for now.
165 */
166 #define BIGGER_THAN_ALL_MTUS (64*1024)
167
168 /*
169 * Prototypes for internal functions
170 */
171 static void map_arphrd_to_dlt(pcap_t *, int, int);
172 static int live_open_old(pcap_t *, char *, int, int, char *);
173 static int live_open_new(pcap_t *, char *, int, int, char *);
174 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
175
176 /*
177 * Wrap some ioctl calls
178 */
179 #ifdef HAVE_PF_PACKET_SOCKETS
180 static int iface_get_id(int fd, const char *device, char *ebuf);
181 #endif
182 static int iface_get_mtu(int fd, const char *device, char *ebuf);
183 static int iface_get_arptype(int fd, const char *device, char *ebuf);
184 #ifdef HAVE_PF_PACKET_SOCKETS
185 static int iface_bind(int fd, int ifindex, char *ebuf);
186 #endif
187 static int iface_bind_old(int fd, const char *device, char *ebuf);
188
189 #ifdef SO_ATTACH_FILTER
190 static int fix_program(pcap_t *handle, struct sock_fprog *fcode);
191 static int fix_offset(struct bpf_insn *p);
192 static int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode);
193 static int reset_kernel_filter(pcap_t *handle);
194
195 static struct sock_filter total_insn
196 = BPF_STMT(BPF_RET | BPF_K, 0);
197 static struct sock_fprog total_fcode
198 = { 1, &total_insn };
199 #endif
200
201 /*
202 * Get a handle for a live capture from the given device. You can
203 * pass NULL as device to get all packages (without link level
204 * information of course). If you pass 1 as promisc the interface
205 * will be set to promiscous mode (XXX: I think this usage should
206 * be deprecated and functions be added to select that later allow
207 * modification of that values -- Torsten).
208 *
209 * See also pcap(3).
210 */
211 pcap_t *
212 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
213 {
214 pcap_t *handle;
215 int mtu;
216 int err;
217 int live_open_ok = 0;
218 struct utsname utsname;
219
220 /* Allocate a handle for this session. */
221
222 handle = malloc(sizeof(*handle));
223 if (handle == NULL) {
224 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
225 pcap_strerror(errno));
226 return NULL;
227 }
228
229 /* Initialize some components of the pcap structure. */
230
231 memset(handle, 0, sizeof(*handle));
232 handle->snapshot = snaplen;
233 handle->md.timeout = to_ms;
234
235 /*
236 * NULL and "any" are special devices which give us the hint to
237 * monitor all devices.
238 */
239 if (!device || strcmp(device, "any") == 0) {
240 device = NULL;
241 handle->md.device = strdup("any");
242 if (promisc) {
243 promisc = 0;
244 /* Just a warning. */
245 snprintf(ebuf, PCAP_ERRBUF_SIZE,
246 "Promiscuous mode not supported on the \"any\" device");
247 }
248
249 } else
250 handle->md.device = strdup(device);
251
252 if (handle->md.device == NULL) {
253 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
254 pcap_strerror(errno) );
255 free(handle);
256 return NULL;
257 }
258
259 /*
260 * Current Linux kernels use the protocol family PF_PACKET to
261 * allow direct access to all packets on the network while
262 * older kernels had a special socket type SOCK_PACKET to
263 * implement this feature.
264 * While this old implementation is kind of obsolete we need
265 * to be compatible with older kernels for a while so we are
266 * trying both methods with the newer method preferred.
267 */
268
269 if ((err = live_open_new(handle, device, promisc, to_ms, ebuf)) == 1)
270 live_open_ok = 1;
271 else if (err == 0) {
272 /* Non-fatal error; try old way */
273 if (live_open_old(handle, device, promisc, to_ms, ebuf))
274 live_open_ok = 1;
275 }
276 if (!live_open_ok) {
277 /*
278 * Both methods to open the packet socket failed. Tidy
279 * up and report our failure (ebuf is expected to be
280 * set by the functions above).
281 */
282
283 if (handle->md.device != NULL)
284 free(handle->md.device);
285 free(handle);
286 return NULL;
287 }
288
289 /*
290 * Compute the buffer size.
291 *
292 * If we're using SOCK_PACKET, this might be a 2.0[.x] kernel,
293 * and might require special handling - check.
294 */
295 if (handle->md.sock_packet && (uname(&utsname) < 0 ||
296 strncmp(utsname.release, "2.0", 3) == 0)) {
297 /*
298 * We're using a SOCK_PACKET structure, and either
299 * we couldn't find out what kernel release this is,
300 * or it's a 2.0[.x] kernel.
301 *
302 * In the 2.0[.x] kernel, a "recvfrom()" on
303 * a SOCK_PACKET socket, with MSG_TRUNC set, will
304 * return the number of bytes read, so if we pass
305 * a length based on the snapshot length, it'll
306 * return the number of bytes from the packet
307 * copied to userland, not the actual length
308 * of the packet.
309 *
310 * This means that, for example, the IP dissector
311 * in tcpdump will get handed a packet length less
312 * than the length in the IP header, and will
313 * complain about "truncated-ip".
314 *
315 * So we don't bother trying to copy from the
316 * kernel only the bytes in which we're interested,
317 * but instead copy them all, just as the older
318 * versions of libpcap for Linux did.
319 *
320 * The buffer therefore needs to be big enough to
321 * hold the largest packet we can get from this
322 * device. Unfortunately, we can't get the MRU
323 * of the network; we can only get the MTU. The
324 * MTU may be too small, in which case a packet larger
325 * than the buffer size will be truncated *and* we
326 * won't get the actual packet size.
327 *
328 * However, if the snapshot length is larger than
329 * the buffer size based on the MTU, we use the
330 * snapshot length as the buffer size, instead;
331 * this means that with a sufficiently large snapshot
332 * length we won't artificially truncate packets
333 * to the MTU-based size.
334 *
335 * This mess just one of many problems with packet
336 * capture on 2.0[.x] kernels; you really want a
337 * 2.2[.x] or later kernel if you want packet capture
338 * to work well.
339 */
340 mtu = iface_get_mtu(handle->fd, device, ebuf);
341 if (mtu == -1) {
342 if (handle->md.clear_promisc)
343 /* 2.0.x kernel */
344 pcap_close_linux(handle);
345 close(handle->fd);
346 if (handle->md.device != NULL)
347 free(handle->md.device);
348 free(handle);
349 return NULL;
350 }
351 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
352 if (handle->bufsize < handle->snapshot)
353 handle->bufsize = handle->snapshot;
354 } else {
355 /*
356 * This is a 2.2[.x] or later kernel (we know that
357 * either because we're not using a SOCK_PACKET
358 * socket - PF_PACKET is supported only in 2.2
359 * and later kernels - or because we checked the
360 * kernel version).
361 *
362 * We can safely pass "recvfrom()" a byte count
363 * based on the snapshot length.
364 */
365 handle->bufsize = handle->snapshot;
366 }
367
368 /* Allocate the buffer */
369
370 handle->buffer = malloc(handle->bufsize + handle->offset);
371 if (!handle->buffer) {
372 snprintf(ebuf, PCAP_ERRBUF_SIZE,
373 "malloc: %s", pcap_strerror(errno));
374 if (handle->md.clear_promisc)
375 /* 2.0.x kernel */
376 pcap_close_linux(handle);
377 close(handle->fd);
378 if (handle->md.device != NULL)
379 free(handle->md.device);
380 free(handle);
381 return NULL;
382 }
383
384 return handle;
385 }
386
387 /*
388 * Read at most max_packets from the capture stream and call the callback
389 * for each of them. Returns the number of packets handled or -1 if an
390 * error occured.
391 */
392 int
393 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
394 {
395 /*
396 * Currently, on Linux only one packet is delivered per read,
397 * so we don't loop.
398 */
399 return pcap_read_packet(handle, callback, user);
400 }
401
402 /*
403 * Read a packet from the socket calling the handler provided by
404 * the user. Returns the number of packets received or -1 if an
405 * error occured.
406 */
407 static int
408 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
409 {
410 u_char *bp;
411 int offset;
412 #ifdef HAVE_PF_PACKET_SOCKETS
413 struct sockaddr_ll from;
414 struct sll_header *hdrp;
415 #else
416 struct sockaddr from;
417 #endif
418 socklen_t fromlen;
419 int packet_len, caplen;
420 struct pcap_pkthdr pcap_header;
421
422 #ifdef HAVE_PF_PACKET_SOCKETS
423 /*
424 * If this is a cooked device, leave extra room for a
425 * fake packet header.
426 */
427 if (handle->md.cooked)
428 offset = SLL_HDR_LEN;
429 else
430 offset = 0;
431 #else
432 /*
433 * This system doesn't have PF_PACKET sockets, so it doesn't
434 * support cooked devices.
435 */
436 offset = 0;
437 #endif
438
439 /* Receive a single packet from the kernel */
440
441 bp = handle->buffer + handle->offset;
442 do {
443 fromlen = sizeof(from);
444 packet_len = recvfrom(
445 handle->fd, bp + offset,
446 handle->bufsize - offset, MSG_TRUNC,
447 (struct sockaddr *) &from, &fromlen);
448 } while (packet_len == -1 && errno == EINTR);
449
450 /* Check if an error occured */
451
452 if (packet_len == -1) {
453 if (errno == EAGAIN)
454 return 0; /* no packet there */
455 else {
456 snprintf(handle->errbuf, sizeof(handle->errbuf),
457 "recvfrom: %s", pcap_strerror(errno));
458 return -1;
459 }
460 }
461
462 #ifdef HAVE_PF_PACKET_SOCKETS
463 /*
464 * If this is from the loopback device, reject outgoing packets;
465 * we'll see the packet as an incoming packet as well, and
466 * we don't want to see it twice.
467 *
468 * We can only do this if we're using PF_PACKET; the address
469 * returned for SOCK_PACKET is a "sockaddr_pkt" which lacks
470 * the relevant packet type information.
471 */
472 if (!handle->md.sock_packet &&
473 from.sll_ifindex == handle->md.lo_ifindex &&
474 from.sll_pkttype == PACKET_OUTGOING)
475 return 0;
476 #endif
477
478 #ifdef HAVE_PF_PACKET_SOCKETS
479 /*
480 * If this is a cooked device, fill in the fake packet header.
481 */
482 if (handle->md.cooked) {
483 /*
484 * Add the length of the fake header to the length
485 * of packet data we read.
486 */
487 packet_len += SLL_HDR_LEN;
488
489 hdrp = (struct sll_header *)bp;
490
491 /*
492 * Map the PACKET_ value to a LINUX_SLL_ value; we
493 * want the same numerical value to be used in
494 * the link-layer header even if the numerical values
495 * for the PACKET_ #defines change, so that programs
496 * that look at the packet type field will always be
497 * able to handle DLT_LINUX_SLL captures.
498 */
499 switch (from.sll_pkttype) {
500
501 case PACKET_HOST:
502 hdrp->sll_pkttype = htons(LINUX_SLL_HOST);
503 break;
504
505 case PACKET_BROADCAST:
506 hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST);
507 break;
508
509 case PACKET_MULTICAST:
510 hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST);
511 break;
512
513 case PACKET_OTHERHOST:
514 hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST);
515 break;
516
517 case PACKET_OUTGOING:
518 hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING);
519 break;
520
521 default:
522 hdrp->sll_pkttype = -1;
523 break;
524 }
525
526 hdrp->sll_hatype = htons(from.sll_hatype);
527 hdrp->sll_halen = htons(from.sll_halen);
528 memcpy(hdrp->sll_addr, from.sll_addr,
529 (from.sll_halen > SLL_ADDRLEN) ?
530 SLL_ADDRLEN :
531 from.sll_halen);
532 hdrp->sll_protocol = from.sll_protocol;
533 }
534 #endif
535
536 /*
537 * XXX: According to the kernel source we should get the real
538 * packet len if calling recvfrom with MSG_TRUNC set. It does
539 * not seem to work here :(, but it is supported by this code
540 * anyway.
541 * To be honest the code RELIES on that feature so this is really
542 * broken with 2.2.x kernels.
543 * I spend a day to figure out what's going on and I found out
544 * that the following is happening:
545 *
546 * The packet comes from a random interface and the packet_rcv
547 * hook is called with a clone of the packet. That code inserts
548 * the packet into the receive queue of the packet socket.
549 * If a filter is attached to that socket that filter is run
550 * first - and there lies the problem. The default filter always
551 * cuts the packet at the snaplen:
552 *
553 * # tcpdump -d
554 * (000) ret #68
555 *
556 * So the packet filter cuts down the packet. The recvfrom call
557 * says "hey, it's only 68 bytes, it fits into the buffer" with
558 * the result that we don't get the real packet length. This
559 * is valid at least until kernel 2.2.17pre6.
560 *
561 * We currently handle this by making a copy of the filter
562 * program, fixing all "ret" instructions with non-zero
563 * operands to have an operand of 65535 so that the filter
564 * doesn't truncate the packet, and supplying that modified
565 * filter to the kernel.
566 */
567
568 caplen = packet_len;
569 if (caplen > handle->snapshot)
570 caplen = handle->snapshot;
571
572 /* Run the packet filter if not using kernel filter */
573 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
574 if (bpf_filter(handle->fcode.bf_insns, bp,
575 packet_len, caplen) == 0)
576 {
577 /* rejected by filter */
578 return 0;
579 }
580 }
581
582 /* Fill in our own header data */
583
584 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
585 snprintf(handle->errbuf, sizeof(handle->errbuf),
586 "ioctl: %s", pcap_strerror(errno));
587 return -1;
588 }
589 pcap_header.caplen = caplen;
590 pcap_header.len = packet_len;
591
592 /*
593 * Count the packet.
594 *
595 * Arguably, we should count them before we check the filter,
596 * as on many other platforms "ps_recv" counts packets
597 * handed to the filter rather than packets that passed
598 * the filter, but if filtering is done in the kernel, we
599 * can't get a count of packets that passed the filter,
600 * and that would mean the meaning of "ps_recv" wouldn't
601 * be the same on all Linux systems.
602 *
603 * XXX - it's not the same on all systems in any case;
604 * ideally, we should have a "get the statistics" call
605 * that supplies more counts and indicates which of them
606 * it supplies, so that we supply a count of packets
607 * handed to the filter only on platforms where that
608 * information is available.
609 *
610 * We count them here even if we can get the packet count
611 * from the kernel, as we can only determine at run time
612 * whether we'll be able to get it from the kernel (if
613 * HAVE_TPACKET_STATS isn't defined, we can't get it from
614 * the kernel, but if it is defined, the library might
615 * have been built with a 2.4 or later kernel, but we
616 * might be running on a 2.2[.x] kernel without Alexey
617 * Kuznetzov's turbopacket patches, and thus the kernel
618 * might not be able to supply those statistics). We
619 * could, I guess, try, when opening the socket, to get
620 * the statistics, and if we can not increment the count
621 * here, but it's not clear that always incrementing
622 * the count is more expensive than always testing a flag
623 * in memory.
624 */
625 handle->md.stat.ps_recv++;
626
627 /* Call the user supplied callback function */
628 callback(userdata, &pcap_header, bp);
629
630 return 1;
631 }
632
633 /*
634 * Get the statistics for the given packet capture handle.
635 * Reports the number of dropped packets iff the kernel supports
636 * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later
637 * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket
638 * patches); otherwise, that information isn't available, and we lie
639 * and report 0 as the count of dropped packets.
640 */
641 int
642 pcap_stats(pcap_t *handle, struct pcap_stat *stats)
643 {
644 #ifdef HAVE_TPACKET_STATS
645 struct tpacket_stats kstats;
646 socklen_t len = sizeof (struct tpacket_stats);
647
648 /*
649 * Try to get the packet counts from the kernel.
650 */
651 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS,
652 &kstats, &len) > -1) {
653 /*
654 * In "linux/net/packet/af_packet.c", at least in the
655 * 2.4.9 kernel, "tp_packets" is incremented for every
656 * packet that passes the packet filter *and* is
657 * successfully queued on the socket; "tp_drops" is
658 * incremented for every packet dropped because there's
659 * not enough free space in the socket buffer.
660 *
661 * When the statistics are returned for a PACKET_STATISTICS
662 * "getsockopt()" call, "tp_drops" is added to "tp_packets",
663 * so that "tp_packets" counts all packets handed to
664 * the PF_PACKET socket, including packets dropped because
665 * there wasn't room on the socket buffer - but not
666 * including packets that didn't pass the filter.
667 *
668 * In the BSD BPF, the count of received packets is
669 * incremented for every packet handed to BPF, regardless
670 * of whether it passed the filter.
671 *
672 * We can't make "pcap_stats()" work the same on both
673 * platforms, but the best approximation is to return
674 * "tp_packets" as the count of packets and "tp_drops"
675 * as the count of drops.
676 */
677 handle->md.stat.ps_recv = kstats.tp_packets;
678 handle->md.stat.ps_drop = kstats.tp_drops;
679 }
680 else
681 {
682 /*
683 * If the error was EOPNOTSUPP, fall through, so that
684 * if you build the library on a system with
685 * "struct tpacket_stats" and run it on a system
686 * that doesn't, it works as it does if the library
687 * is built on a system without "struct tpacket_stats".
688 */
689 if (errno != EOPNOTSUPP) {
690 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
691 "pcap_stats: %s", pcap_strerror(errno));
692 return -1;
693 }
694 }
695 #endif
696 /*
697 * On systems where the PACKET_STATISTICS "getsockopt()" argument
698 * is supported on PF_PACKET sockets:
699 *
700 * "ps_recv" counts only packets that *passed* the filter,
701 * not packets that didn't pass the filter. This includes
702 * packets later dropped because we ran out of buffer space.
703 *
704 * "ps_drop" counts packets dropped because we ran out of
705 * buffer space. It doesn't count packets dropped by the
706 * interface driver. It counts only packets that passed
707 * the filter.
708 *
709 * Both statistics include packets not yet read from the
710 * kernel by libpcap, and thus not yet seen by the application.
711 *
712 * On systems where the PACKET_STATISTICS "getsockopt()" argument
713 * is not supported on PF_PACKET sockets:
714 *
715 * "ps_recv" counts only packets that *passed* the filter,
716 * not packets that didn't pass the filter. It does not
717 * count packets dropped because we ran out of buffer
718 * space.
719 *
720 * "ps_drop" is not supported.
721 *
722 * "ps_recv" doesn't include packets not yet read from
723 * the kernel by libpcap.
724 */
725 *stats = handle->md.stat;
726 return 0;
727 }
728
729 /*
730 * Attach the given BPF code to the packet capture device.
731 */
732 int
733 pcap_setfilter(pcap_t *handle, struct bpf_program *filter)
734 {
735 #ifdef SO_ATTACH_FILTER
736 struct sock_fprog fcode;
737 int can_filter_in_kernel;
738 int err = 0;
739 #endif
740
741 if (!handle)
742 return -1;
743 if (!filter) {
744 strncpy(handle->errbuf, "setfilter: No filter specified",
745 sizeof(handle->errbuf));
746 return -1;
747 }
748
749 /* Make our private copy of the filter */
750
751 if (install_bpf_program(handle, filter) < 0)
752 /* install_bpf_program() filled in errbuf */
753 return -1;
754
755 /*
756 * Run user level packet filter by default. Will be overriden if
757 * installing a kernel filter succeeds.
758 */
759 handle->md.use_bpf = 0;
760
761 /*
762 * If we're reading from a savefile, don't try to install
763 * a kernel filter.
764 */
765 if (handle->sf.rfile != NULL)
766 return 0;
767
768 /* Install kernel level filter if possible */
769
770 #ifdef SO_ATTACH_FILTER
771 #ifdef USHRT_MAX
772 if (handle->fcode.bf_len > USHRT_MAX) {
773 /*
774 * fcode.len is an unsigned short for current kernel.
775 * I have yet to see BPF-Code with that much
776 * instructions but still it is possible. So for the
777 * sake of correctness I added this check.
778 */
779 fprintf(stderr, "Warning: Filter too complex for kernel\n");
780 fcode.filter = NULL;
781 can_filter_in_kernel = 0;
782 } else
783 #endif /* USHRT_MAX */
784 {
785 /*
786 * Oh joy, the Linux kernel uses struct sock_fprog instead
787 * of struct bpf_program and of course the length field is
788 * of different size. Pointed out by Sebastian
789 *
790 * Oh, and we also need to fix it up so that all "ret"
791 * instructions with non-zero operands have 65535 as the
792 * operand, and so that, if we're in cooked mode, all
793 * memory-reference instructions use special magic offsets
794 * in references to the link-layer header and assume that
795 * the link-layer payload begins at 0; "fix_program()"
796 * will do that.
797 */
798 switch (fix_program(handle, &fcode)) {
799
800 case -1:
801 default:
802 /*
803 * Fatal error; just quit.
804 * (The "default" case shouldn't happen; we
805 * return -1 for that reason.)
806 */
807 return -1;
808
809 case 0:
810 /*
811 * The program performed checks that we can't make
812 * work in the kernel.
813 */
814 can_filter_in_kernel = 0;
815 break;
816
817 case 1:
818 /*
819 * We have a filter that'll work in the kernel.
820 */
821 can_filter_in_kernel = 1;
822 break;
823 }
824 }
825
826 if (can_filter_in_kernel) {
827 if ((err = set_kernel_filter(handle, &fcode)) == 0)
828 {
829 /* Installation succeded - using kernel filter. */
830 handle->md.use_bpf = 1;
831 }
832 else if (err == -1) /* Non-fatal error */
833 {
834 /*
835 * Print a warning if we weren't able to install
836 * the filter for a reason other than "this kernel
837 * isn't configured to support socket filters.
838 */
839 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
840 fprintf(stderr,
841 "Warning: Kernel filter failed: %s\n",
842 pcap_strerror(errno));
843 }
844 }
845 }
846
847 /*
848 * If we're not using the kernel filter, get rid of any kernel
849 * filter that might've been there before, e.g. because the
850 * previous filter could work in the kernel, or because some other
851 * code attached a filter to the socket by some means other than
852 * calling "pcap_setfilter()". Otherwise, the kernel filter may
853 * filter out packets that would pass the new userland filter.
854 */
855 if (!handle->md.use_bpf)
856 reset_kernel_filter(handle);
857
858 /*
859 * Free up the copy of the filter that was made by "fix_program()".
860 */
861 if (fcode.filter != NULL)
862 free(fcode.filter);
863
864 if (err == -2)
865 /* Fatal error */
866 return -1;
867 #endif /* SO_ATTACH_FILTER */
868
869 return 0;
870 }
871
872 /*
873 * Linux uses the ARP hardware type to identify the type of an
874 * interface. pcap uses the DLT_xxx constants for this. This
875 * function takes a pointer to a "pcap_t", and an ARPHRD_xxx
876 * constant, as arguments, and sets "handle->linktype" to the
877 * appropriate DLT_XXX constant and sets "handle->offset" to
878 * the appropriate value (to make "handle->offset" plus link-layer
879 * header length be a multiple of 4, so that the link-layer payload
880 * will be aligned on a 4-byte boundary when capturing packets).
881 * (If the offset isn't set here, it'll be 0; add code as appropriate
882 * for cases where it shouldn't be 0.)
883 *
884 * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture
885 * in cooked mode; otherwise, we can't use cooked mode, so we have
886 * to pick some type that works in raw mode, or fail.
887 *
888 * Sets the link type to -1 if unable to map the type.
889 */
890 static void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok)
891 {
892 switch (arptype) {
893
894 case ARPHRD_ETHER:
895 case ARPHRD_METRICOM:
896 case ARPHRD_LOOPBACK:
897 handle->linktype = DLT_EN10MB;
898 handle->offset = 2;
899 break;
900
901 case ARPHRD_EETHER:
902 handle->linktype = DLT_EN3MB;
903 break;
904
905 case ARPHRD_AX25:
906 handle->linktype = DLT_AX25;
907 break;
908
909 case ARPHRD_PRONET:
910 handle->linktype = DLT_PRONET;
911 break;
912
913 case ARPHRD_CHAOS:
914 handle->linktype = DLT_CHAOS;
915 break;
916
917 #ifndef ARPHRD_IEEE802_TR
918 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */
919 #endif
920 case ARPHRD_IEEE802_TR:
921 case ARPHRD_IEEE802:
922 handle->linktype = DLT_IEEE802;
923 handle->offset = 2;
924 break;
925
926 case ARPHRD_ARCNET:
927 handle->linktype = DLT_ARCNET;
928 break;
929
930 #ifndef ARPHRD_FDDI /* From Linux 2.2.13 */
931 #define ARPHRD_FDDI 774
932 #endif
933 case ARPHRD_FDDI:
934 handle->linktype = DLT_FDDI;
935 handle->offset = 3;
936 break;
937
938 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
939 #define ARPHRD_ATM 19
940 #endif
941 case ARPHRD_ATM:
942 /*
943 * The Classical IP implementation in ATM for Linux
944 * supports both what RFC 1483 calls "LLC Encapsulation",
945 * in which each packet has an LLC header, possibly
946 * with a SNAP header as well, prepended to it, and
947 * what RFC 1483 calls "VC Based Multiplexing", in which
948 * different virtual circuits carry different network
949 * layer protocols, and no header is prepended to packets.
950 *
951 * They both have an ARPHRD_ type of ARPHRD_ATM, so
952 * you can't use the ARPHRD_ type to find out whether
953 * captured packets will have an LLC header, and,
954 * while there's a socket ioctl to *set* the encapsulation
955 * type, there's no ioctl to *get* the encapsulation type.
956 *
957 * This means that
958 *
959 * programs that dissect Linux Classical IP frames
960 * would have to check for an LLC header and,
961 * depending on whether they see one or not, dissect
962 * the frame as LLC-encapsulated or as raw IP (I
963 * don't know whether there's any traffic other than
964 * IP that would show up on the socket, or whether
965 * there's any support for IPv6 in the Linux
966 * Classical IP code);
967 *
968 * filter expressions would have to compile into
969 * code that checks for an LLC header and does
970 * the right thing.
971 *
972 * Both of those are a nuisance - and, at least on systems
973 * that support PF_PACKET sockets, we don't have to put
974 * up with those nuisances; instead, we can just capture
975 * in cooked mode. That's what we'll do, if we can.
976 * Otherwise, we'll just fail.
977 */
978 if (cooked_ok)
979 handle->linktype = DLT_LINUX_SLL;
980 else
981 handle->linktype = -1;
982 break;
983
984 #ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */
985 #define ARPHRD_IEEE80211 801
986 #endif
987 case ARPHRD_IEEE80211:
988 handle->linktype = DLT_IEEE802_11;
989 break;
990
991 #ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */
992 #define ARPHRD_IEEE80211_PRISM 802
993 #endif
994 case ARPHRD_IEEE80211_PRISM:
995 handle->linktype = DLT_PRISM_HEADER;
996 break;
997
998 case ARPHRD_PPP:
999 /*
1000 * Some PPP code in the kernel supplies no link-layer
1001 * header whatsoever to PF_PACKET sockets; other PPP
1002 * code supplies PPP link-layer headers ("syncppp.c");
1003 * some PPP code might supply random link-layer
1004 * headers (PPP over ISDN - there's code in Ethereal,
1005 * for example, to cope with PPP-over-ISDN captures
1006 * with which the Ethereal developers have had to cope,
1007 * heuristically trying to determine which of the
1008 * oddball link-layer headers particular packets have).
1009 *
1010 * As such, we just punt, and run all PPP interfaces
1011 * in cooked mode, if we can; otherwise, we just treat
1012 * it as DLT_RAW, for now - if somebody needs to capture,
1013 * on a 2.0[.x] kernel, on PPP devices that supply a
1014 * link-layer header, they'll have to add code here to
1015 * map to the appropriate DLT_ type (possibly adding a
1016 * new DLT_ type, if necessary).
1017 */
1018 if (cooked_ok)
1019 handle->linktype = DLT_LINUX_SLL;
1020 else {
1021 /*
1022 * XXX - handle ISDN types here? We can't fall
1023 * back on cooked sockets, so we'd have to
1024 * figure out from the device name what type of
1025 * link-layer encapsulation it's using, and map
1026 * that to an appropriate DLT_ value, meaning
1027 * we'd map "isdnN" devices to DLT_RAW (they
1028 * supply raw IP packets with no link-layer
1029 * header) and "isdY" devices to a new DLT_I4L_IP
1030 * type that has only an Ethernet packet type as
1031 * a link-layer header.
1032 *
1033 * But sometimes we seem to get random crap
1034 * in the link-layer header when capturing on
1035 * ISDN devices....
1036 */
1037 handle->linktype = DLT_RAW;
1038 }
1039 break;
1040
1041 #ifndef ARPHRD_HDLC
1042 #define ARPHRD_HDLC 513 /* From Linux 2.2.13 */
1043 #endif
1044 case ARPHRD_HDLC:
1045 handle->linktype = DLT_C_HDLC;
1046 break;
1047
1048 /* Not sure if this is correct for all tunnels, but it
1049 * works for CIPE */
1050 case ARPHRD_TUNNEL:
1051 #ifndef ARPHRD_SIT
1052 #define ARPHRD_SIT 776 /* From Linux 2.2.13 */
1053 #endif
1054 case ARPHRD_SIT:
1055 case ARPHRD_CSLIP:
1056 case ARPHRD_SLIP6:
1057 case ARPHRD_CSLIP6:
1058 case ARPHRD_ADAPT:
1059 case ARPHRD_SLIP:
1060 #ifndef ARPHRD_RAWHDLC
1061 #define ARPHRD_RAWHDLC 518
1062 #endif
1063 case ARPHRD_RAWHDLC:
1064 /*
1065 * XXX - should some of those be mapped to DLT_LINUX_SLL
1066 * instead? Should we just map all of them to DLT_LINUX_SLL?
1067 */
1068 handle->linktype = DLT_RAW;
1069 break;
1070
1071 case ARPHRD_LOCALTLK:
1072 handle->linktype = DLT_LTALK;
1073 break;
1074
1075 default:
1076 handle->linktype = -1;
1077 break;
1078 }
1079 }
1080
1081 /* ===== Functions to interface to the newer kernels ================== */
1082
1083 /*
1084 * Try to open a packet socket using the new kernel interface.
1085 * Returns 0 on failure.
1086 * FIXME: 0 uses to mean success (Sebastian)
1087 */
1088 static int
1089 live_open_new(pcap_t *handle, char *device, int promisc,
1090 int to_ms, char *ebuf)
1091 {
1092 #ifdef HAVE_PF_PACKET_SOCKETS
1093 int sock_fd = -1, device_id, arptype;
1094 int err;
1095 int fatal_err = 0;
1096 struct packet_mreq mr;
1097
1098 /* One shot loop used for error handling - bail out with break */
1099
1100 do {
1101 /*
1102 * Open a socket with protocol family packet. If a device is
1103 * given we try to open it in raw mode otherwise we use
1104 * the cooked interface.
1105 */
1106 sock_fd = device ?
1107 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
1108 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
1109
1110 if (sock_fd == -1) {
1111 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
1112 pcap_strerror(errno) );
1113 break;
1114 }
1115
1116 /* It seems the kernel supports the new interface. */
1117 handle->md.sock_packet = 0;
1118
1119 /*
1120 * Get the interface index of the loopback device.
1121 * If the attempt fails, don't fail, just set the
1122 * "md.lo_ifindex" to -1.
1123 *
1124 * XXX - can there be more than one device that loops
1125 * packets back, i.e. devices other than "lo"? If so,
1126 * we'd need to find them all, and have an array of
1127 * indices for them, and check all of them in
1128 * "pcap_read_packet()".
1129 */
1130 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf);
1131
1132 /*
1133 * Default value for offset to align link-layer payload
1134 * on a 4-byte boundary.
1135 */
1136 handle->offset = 0;
1137
1138 /*
1139 * What kind of frames do we have to deal with? Fall back
1140 * to cooked mode if we have an unknown interface type.
1141 */
1142
1143 if (device) {
1144 /* Assume for now we don't need cooked mode. */
1145 handle->md.cooked = 0;
1146
1147 arptype = iface_get_arptype(sock_fd, device, ebuf);
1148 if (arptype == -1) {
1149 fatal_err = 1;
1150 break;
1151 }
1152 map_arphrd_to_dlt(handle, arptype, 1);
1153 if (handle->linktype == -1 ||
1154 handle->linktype == DLT_LINUX_SLL ||
1155 (handle->linktype == DLT_EN10MB &&
1156 (strncmp("isdn", device, 4) == 0 ||
1157 strncmp("isdY", device, 4) == 0))) {
1158 /*
1159 * Unknown interface type (-1), or a
1160 * device we explicitly chose to run
1161 * in cooked mode (e.g., PPP devices),
1162 * or an ISDN device (whose link-layer
1163 * type we can only determine by using
1164 * APIs that may be different on different
1165 * kernels) - reopen in cooked mode.
1166 */
1167 if (close(sock_fd) == -1) {
1168 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1169 "close: %s", pcap_strerror(errno));
1170 break;
1171 }
1172 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
1173 htons(ETH_P_ALL));
1174 if (sock_fd == -1) {
1175 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1176 "socket: %s", pcap_strerror(errno));
1177 break;
1178 }
1179 handle->md.cooked = 1;
1180
1181 if (handle->linktype == -1) {
1182 /*
1183 * Warn that we're falling back on
1184 * cooked mode; we may want to
1185 * update "map_arphrd_to_dlt()"
1186 * to handle the new type.
1187 */
1188 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1189 "arptype %d not "
1190 "supported by libpcap - "
1191 "falling back to cooked "
1192 "socket",
1193 arptype);
1194 }
1195 handle->linktype = DLT_LINUX_SLL;
1196 }
1197
1198 device_id = iface_get_id(sock_fd, device, ebuf);
1199 if (device_id == -1)
1200 break;
1201
1202 if ((err = iface_bind(sock_fd, device_id, ebuf)) < 0) {
1203 if (err == -2)
1204 fatal_err = 1;
1205 break;
1206 }
1207 } else {
1208 /*
1209 * This is cooked mode.
1210 */
1211 handle->md.cooked = 1;
1212 handle->linktype = DLT_LINUX_SLL;
1213
1214 /*
1215 * XXX - squelch GCC complaints about
1216 * uninitialized variables; if we can't
1217 * select promiscuous mode on all interfaces,
1218 * we should move the code below into the
1219 * "if (device)" branch of the "if" and
1220 * get rid of the next statement.
1221 */
1222 device_id = -1;
1223 }
1224
1225 /* Select promiscuous mode on/off */
1226
1227 #ifdef SOL_PACKET
1228 /*
1229 * Hmm, how can we set promiscuous mode on all interfaces?
1230 * I am not sure if that is possible at all.
1231 */
1232
1233 if (device) {
1234 memset(&mr, 0, sizeof(mr));
1235 mr.mr_ifindex = device_id;
1236 mr.mr_type = promisc ?
1237 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
1238 if (setsockopt(sock_fd, SOL_PACKET,
1239 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1)
1240 {
1241 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1242 "setsockopt: %s", pcap_strerror(errno));
1243 break;
1244 }
1245 }
1246 #endif
1247
1248 /* Save the socket FD in the pcap structure */
1249
1250 handle->fd = sock_fd;
1251
1252 return 1;
1253
1254 } while(0);
1255
1256 if (sock_fd != -1)
1257 close(sock_fd);
1258
1259 if (fatal_err)
1260 return -2;
1261 else
1262 return 0;
1263 #else
1264 strncpy(ebuf,
1265 "New packet capturing interface not supported by build "
1266 "environment", PCAP_ERRBUF_SIZE);
1267 return 0;
1268 #endif
1269 }
1270
1271 #ifdef HAVE_PF_PACKET_SOCKETS
1272 /*
1273 * Return the index of the given device name. Fill ebuf and return
1274 * -1 on failure.
1275 */
1276 static int
1277 iface_get_id(int fd, const char *device, char *ebuf)
1278 {
1279 struct ifreq ifr;
1280
1281 memset(&ifr, 0, sizeof(ifr));
1282 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1283
1284 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1285 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1286 "ioctl: %s", pcap_strerror(errno));
1287 return -1;
1288 }
1289
1290 return ifr.ifr_ifindex;
1291 }
1292
1293 /*
1294 * Bind the socket associated with FD to the given device.
1295 */
1296 static int
1297 iface_bind(int fd, int ifindex, char *ebuf)
1298 {
1299 struct sockaddr_ll sll;
1300 int err;
1301 socklen_t errlen = sizeof(err);
1302
1303 memset(&sll, 0, sizeof(sll));
1304 sll.sll_family = AF_PACKET;
1305 sll.sll_ifindex = ifindex;
1306 sll.sll_protocol = htons(ETH_P_ALL);
1307
1308 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
1309 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1310 "bind: %s", pcap_strerror(errno));
1311 return -1;
1312 }
1313
1314 /* Any pending errors, e.g., network is down? */
1315
1316 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) {
1317 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1318 "getsockopt: %s", pcap_strerror(errno));
1319 return -2;
1320 }
1321
1322 if (err > 0) {
1323 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1324 "bind: %s", pcap_strerror(err));
1325 return -2;
1326 }
1327
1328 return 0;
1329 }
1330
1331 #endif
1332
1333
1334 /* ===== Functions to interface to the older kernels ================== */
1335
1336 /*
1337 * With older kernels promiscuous mode is kind of interesting because we
1338 * have to reset the interface before exiting. The problem can't really
1339 * be solved without some daemon taking care of managing usage counts.
1340 * If we put the interface into promiscuous mode, we set a flag indicating
1341 * that we must take it out of that mode when the interface is closed,
1342 * and, when closing the interface, if that flag is set we take it out
1343 * of promiscuous mode.
1344 */
1345
1346 /*
1347 * List of pcaps for which we turned promiscuous mode on by hand.
1348 * If there are any such pcaps, we arrange to call "pcap_close_all()"
1349 * when we exit, and have it close all of them to turn promiscuous mode
1350 * off.
1351 */
1352 static struct pcap *pcaps_to_close;
1353
1354 /*
1355 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
1356 * be called on exit.
1357 */
1358 static int did_atexit;
1359
1360 static void pcap_close_all(void)
1361 {
1362 struct pcap *handle;
1363
1364 while ((handle = pcaps_to_close) != NULL)
1365 pcap_close(handle);
1366 }
1367
1368 void pcap_close_linux( pcap_t *handle )
1369 {
1370 struct pcap *p, *prevp;
1371 struct ifreq ifr;
1372
1373 if (handle->md.clear_promisc) {
1374 /*
1375 * We put the interface into promiscuous mode; take
1376 * it out of promiscuous mode.
1377 *
1378 * XXX - if somebody else wants it in promiscuous mode,
1379 * this code cannot know that, so it'll take it out
1380 * of promiscuous mode. That's not fixable in 2.0[.x]
1381 * kernels.
1382 */
1383 memset(&ifr, 0, sizeof(ifr));
1384 strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name));
1385 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
1386 fprintf(stderr,
1387 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n"
1388 "Please adjust manually.\n"
1389 "Hint: This can't happen with Linux >= 2.2.0.\n",
1390 strerror(errno));
1391 } else {
1392 if (ifr.ifr_flags & IFF_PROMISC) {
1393 /*
1394 * Promiscuous mode is currently on; turn it
1395 * off.
1396 */
1397 ifr.ifr_flags &= ~IFF_PROMISC;
1398 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
1399 fprintf(stderr,
1400 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n"
1401 "Please adjust manually.\n"
1402 "Hint: This can't happen with Linux >= 2.2.0.\n",
1403 strerror(errno));
1404 }
1405 }
1406 }
1407
1408 /*
1409 * Take this pcap out of the list of pcaps for which we
1410 * have to take the interface out of promiscuous mode.
1411 */
1412 for (p = pcaps_to_close, prevp = NULL; p != NULL;
1413 prevp = p, p = p->md.next) {
1414 if (p == handle) {
1415 /*
1416 * Found it. Remove it from the list.
1417 */
1418 if (prevp == NULL) {
1419 /*
1420 * It was at the head of the list.
1421 */
1422 pcaps_to_close = p->md.next;
1423 } else {
1424 /*
1425 * It was in the middle of the list.
1426 */
1427 prevp->md.next = p->md.next;
1428 }
1429 break;
1430 }
1431 }
1432 }
1433
1434 if (handle->md.device != NULL)
1435 free(handle->md.device);
1436 handle->md.device = NULL;
1437 }
1438
1439 /*
1440 * Try to open a packet socket using the old kernel interface.
1441 * Returns 0 on failure.
1442 * FIXME: 0 uses to mean success (Sebastian)
1443 */
1444 static int
1445 live_open_old(pcap_t *handle, char *device, int promisc,
1446 int to_ms, char *ebuf)
1447 {
1448 int sock_fd = -1, arptype;
1449 struct ifreq ifr;
1450
1451 do {
1452 /* Open the socket */
1453
1454 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
1455 if (sock_fd == -1) {
1456 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1457 "socket: %s", pcap_strerror(errno));
1458 break;
1459 }
1460
1461 /* It worked - we are using the old interface */
1462 handle->md.sock_packet = 1;
1463
1464 /* ...which means we get the link-layer header. */
1465 handle->md.cooked = 0;
1466
1467 /* Bind to the given device */
1468
1469 if (!device) {
1470 strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems",
1471 PCAP_ERRBUF_SIZE);
1472 break;
1473 }
1474 if (iface_bind_old(sock_fd, device, ebuf) == -1)
1475 break;
1476
1477 /*
1478 * Try to get the link-layer type.
1479 */
1480 arptype = iface_get_arptype(sock_fd, device, ebuf);
1481 if (arptype == -1)
1482 break;
1483
1484 /*
1485 * Try to find the DLT_ type corresponding to that
1486 * link-layer type.
1487 */
1488 map_arphrd_to_dlt(handle, arptype, 0);
1489 if (handle->linktype == -1) {
1490 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1491 "unknown arptype %d", arptype);
1492 break;
1493 }
1494
1495 /* Go to promisc mode if requested */
1496
1497 if (promisc) {
1498 memset(&ifr, 0, sizeof(ifr));
1499 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1500 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) {
1501 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1502 "ioctl: %s", pcap_strerror(errno));
1503 break;
1504 }
1505 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
1506 /*
1507 * Promiscuous mode isn't currently on,
1508 * so turn it on, and remember that
1509 * we should turn it off when the
1510 * pcap_t is closed.
1511 */
1512
1513 /*
1514 * If we haven't already done so, arrange
1515 * to have "pcap_close_all()" called when
1516 * we exit.
1517 */
1518 if (!did_atexit) {
1519 if (atexit(pcap_close_all) == -1) {
1520 /*
1521 * "atexit()" failed; don't
1522 * put the interface in
1523 * promiscuous mode, just
1524 * give up.
1525 */
1526 strncpy(ebuf, "atexit failed",
1527 PCAP_ERRBUF_SIZE);
1528 break;
1529 }
1530 did_atexit = 1;
1531 }
1532
1533 ifr.ifr_flags |= IFF_PROMISC;
1534 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) {
1535 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1536 "ioctl: %s",
1537 pcap_strerror(errno));
1538 break;
1539 }
1540 handle->md.clear_promisc = 1;
1541
1542 /*
1543 * Add this to the list of pcaps
1544 * to close when we exit.
1545 */
1546 handle->md.next = pcaps_to_close;
1547 pcaps_to_close = handle;
1548 }
1549 }
1550
1551 /* Save the socket FD in the pcap structure */
1552
1553 handle->fd = sock_fd;
1554
1555 /*
1556 * Default value for offset to align link-layer payload
1557 * on a 4-byte boundary.
1558 */
1559 handle->offset = 0;
1560
1561 return 1;
1562
1563 } while (0);
1564
1565 if (handle->md.clear_promisc)
1566 pcap_close_linux(handle);
1567 if (sock_fd != -1)
1568 close(sock_fd);
1569 return 0;
1570 }
1571
1572 /*
1573 * Bind the socket associated with FD to the given device using the
1574 * interface of the old kernels.
1575 */
1576 static int
1577 iface_bind_old(int fd, const char *device, char *ebuf)
1578 {
1579 struct sockaddr saddr;
1580 int err;
1581 socklen_t errlen = sizeof(err);
1582
1583 memset(&saddr, 0, sizeof(saddr));
1584 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
1585 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
1586 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1587 "bind: %s", pcap_strerror(errno));
1588 return -1;
1589 }
1590
1591 /* Any pending errors, e.g., network is down? */
1592
1593 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) {
1594 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1595 "getsockopt: %s", pcap_strerror(errno));
1596 return -1;
1597 }
1598
1599 if (err > 0) {
1600 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1601 "bind: %s", pcap_strerror(err));
1602 return -1;
1603 }
1604
1605 return 0;
1606 }
1607
1608
1609 /* ===== System calls available on all supported kernels ============== */
1610
1611 /*
1612 * Query the kernel for the MTU of the given interface.
1613 */
1614 static int
1615 iface_get_mtu(int fd, const char *device, char *ebuf)
1616 {
1617 struct ifreq ifr;
1618
1619 if (!device)
1620 return BIGGER_THAN_ALL_MTUS;
1621
1622 memset(&ifr, 0, sizeof(ifr));
1623 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1624
1625 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
1626 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1627 "ioctl: %s", pcap_strerror(errno));
1628 return -1;
1629 }
1630
1631 return ifr.ifr_mtu;
1632 }
1633
1634 /*
1635 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1636 */
1637 static int
1638 iface_get_arptype(int fd, const char *device, char *ebuf)
1639 {
1640 struct ifreq ifr;
1641
1642 memset(&ifr, 0, sizeof(ifr));
1643 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1644
1645 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1646 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1647 "ioctl: %s", pcap_strerror(errno));
1648 return -1;
1649 }
1650
1651 return ifr.ifr_hwaddr.sa_family;
1652 }
1653
1654 #ifdef SO_ATTACH_FILTER
1655 static int
1656 fix_program(pcap_t *handle, struct sock_fprog *fcode)
1657 {
1658 size_t prog_size;
1659 register int i;
1660 register struct bpf_insn *p;
1661 struct bpf_insn *f;
1662 int len;
1663
1664 /*
1665 * Make a copy of the filter, and modify that copy if
1666 * necessary.
1667 */
1668 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len;
1669 len = handle->fcode.bf_len;
1670 f = (struct bpf_insn *)malloc(prog_size);
1671 if (f == NULL) {
1672 snprintf(handle->errbuf, sizeof(handle->errbuf),
1673 "malloc: %s", pcap_strerror(errno));
1674 return -1;
1675 }
1676 memcpy(f, handle->fcode.bf_insns, prog_size);
1677 fcode->len = len;
1678 fcode->filter = (struct sock_filter *) f;
1679
1680 for (i = 0; i < len; ++i) {
1681 p = &f[i];
1682 /*
1683 * What type of instruction is this?
1684 */
1685 switch (BPF_CLASS(p->code)) {
1686
1687 case BPF_RET:
1688 /*
1689 * It's a return instruction; is the snapshot
1690 * length a constant, rather than the contents
1691 * of the accumulator?
1692 */
1693 if (BPF_MODE(p->code) == BPF_K) {
1694 /*
1695 * Yes - if the value to be returned,
1696 * i.e. the snapshot length, is anything
1697 * other than 0, make it 65535, so that
1698 * the packet is truncated by "recvfrom()",
1699 * not by the filter.
1700 *
1701 * XXX - there's nothing we can easily do
1702 * if it's getting the value from the
1703 * accumulator; we'd have to insert
1704 * code to force non-zero values to be
1705 * 65535.
1706 */
1707 if (p->k != 0)
1708 p->k = 65535;
1709 }
1710 break;
1711
1712 case BPF_LD:
1713 case BPF_LDX:
1714 /*
1715 * It's a load instruction; is it loading
1716 * from the packet?
1717 */
1718 switch (BPF_MODE(p->code)) {
1719
1720 case BPF_ABS:
1721 case BPF_IND:
1722 case BPF_MSH:
1723 /*
1724 * Yes; are we in cooked mode?
1725 */
1726 if (handle->md.cooked) {
1727 /*
1728 * Yes, so we need to fix this
1729 * instruction.
1730 */
1731 if (fix_offset(p) < 0) {
1732 /*
1733 * We failed to do so.
1734 * Return 0, so our caller
1735 * knows to punt to userland.
1736 */
1737 return 0;
1738 }
1739 }
1740 break;
1741 }
1742 break;
1743 }
1744 }
1745 return 1; /* we succeeded */
1746 }
1747
1748 static int
1749 fix_offset(struct bpf_insn *p)
1750 {
1751 /*
1752 * What's the offset?
1753 */
1754 if (p->k >= SLL_HDR_LEN) {
1755 /*
1756 * It's within the link-layer payload; that starts at an
1757 * offset of 0, as far as the kernel packet filter is
1758 * concerned, so subtract the length of the link-layer
1759 * header.
1760 */
1761 p->k -= SLL_HDR_LEN;
1762 } else if (p->k == 14) {
1763 /*
1764 * It's the protocol field; map it to the special magic
1765 * kernel offset for that field.
1766 */
1767 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL;
1768 } else {
1769 /*
1770 * It's within the header, but it's not one of those
1771 * fields; we can't do that in the kernel, so punt
1772 * to userland.
1773 */
1774 return -1;
1775 }
1776 return 0;
1777 }
1778
1779 static int
1780 set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode)
1781 {
1782 int total_filter_on = 0;
1783 int save_mode;
1784 int ret;
1785 int save_errno;
1786
1787 /*
1788 * The socket filter code doesn't discard all packets queued
1789 * up on the socket when the filter is changed; this means
1790 * that packets that don't match the new filter may show up
1791 * after the new filter is put onto the socket, if those
1792 * packets haven't yet been read.
1793 *
1794 * This means, for example, that if you do a tcpdump capture
1795 * with a filter, the first few packets in the capture might
1796 * be packets that wouldn't have passed the filter.
1797 *
1798 * We therefore discard all packets queued up on the socket
1799 * when setting a kernel filter. (This isn't an issue for
1800 * userland filters, as the userland filtering is done after
1801 * packets are queued up.)
1802 *
1803 * To flush those packets, we put the socket in read-only mode,
1804 * and read packets from the socket until there are no more to
1805 * read.
1806 *
1807 * In order to keep that from being an infinite loop - i.e.,
1808 * to keep more packets from arriving while we're draining
1809 * the queue - we put the "total filter", which is a filter
1810 * that rejects all packets, onto the socket before draining
1811 * the queue.
1812 *
1813 * This code deliberately ignores any errors, so that you may
1814 * get bogus packets if an error occurs, rather than having
1815 * the filtering done in userland even if it could have been
1816 * done in the kernel.
1817 */
1818 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
1819 &total_fcode, sizeof(total_fcode)) == 0) {
1820 char drain[1];
1821
1822 /*
1823 * Note that we've put the total filter onto the socket.
1824 */
1825 total_filter_on = 1;
1826
1827 /*
1828 * Save the socket's current mode, and put it in
1829 * non-blocking mode; we drain it by reading packets
1830 * until we get an error (which is normally a
1831 * "nothing more to be read" error).
1832 */
1833 save_mode = fcntl(handle->fd, F_GETFL, 0);
1834 if (save_mode != -1 &&
1835 fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) {
1836 while (recv(handle->fd, &drain, sizeof drain,
1837 MSG_TRUNC) >= 0)
1838 ;
1839 save_errno = errno;
1840 fcntl(handle->fd, F_SETFL, save_mode);
1841 if (save_errno != EAGAIN) {
1842 /* Fatal error */
1843 reset_kernel_filter(handle);
1844 snprintf(handle->errbuf, sizeof(handle->errbuf),
1845 "recv: %s", pcap_strerror(save_errno));
1846 return -2;
1847 }
1848 }
1849 }
1850
1851 /*
1852 * Now attach the new filter.
1853 */
1854 ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
1855 fcode, sizeof(*fcode));
1856 if (ret == -1 && total_filter_on) {
1857 /*
1858 * Well, we couldn't set that filter on the socket,
1859 * but we could set the total filter on the socket.
1860 *
1861 * This could, for example, mean that the filter was
1862 * too big to put into the kernel, so we'll have to
1863 * filter in userland; in any case, we'll be doing
1864 * filtering in userland, so we need to remove the
1865 * total filter so we see packets.
1866 */
1867 save_errno = errno;
1868
1869 /*
1870 * XXX - if this fails, we're really screwed;
1871 * we have the total filter on the socket,
1872 * and it won't come off. What do we do then?
1873 */
1874 reset_kernel_filter(handle);
1875
1876 errno = save_errno;
1877 }
1878 return ret;
1879 }
1880
1881 static int
1882 reset_kernel_filter(pcap_t *handle)
1883 {
1884 /* setsockopt() barfs unless it get a dummy parameter */
1885 int dummy;
1886
1887 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER,
1888 &dummy, sizeof(dummy));
1889 }
1890 #endif
[mirror] the LIBpcap interface to various kernel packet capture mechanism