]> The Tcpdump Group git mirrors - libpcap/blob - pcap-bpf.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Turn close_op into cleanup_op; the routine that handles it can also be
[libpcap] / pcap-bpf.c
1 /*
2 * Copyright (c) 1993, 1994, 1995, 1996, 1998
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21 #ifndef lint
22 static const char rcsid[] _U_ =
23 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.99.2.11 2008-04-14 20:41:51 guy Exp $ (LBL)";
24 #endif
25
26 #ifdef HAVE_CONFIG_H
27 #include "config.h"
28 #endif
29
30 #include <sys/param.h> /* optionally get BSD define */
31 #include <sys/time.h>
32 #include <sys/timeb.h>
33 #include <sys/socket.h>
34 #include <sys/file.h>
35 #include <sys/ioctl.h>
36 #include <sys/utsname.h>
37
38 #include <net/if.h>
39
40 #ifdef _AIX
41
42 /*
43 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
44 * native OS version, as we need "struct bpf_config" from it.
45 */
46 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
47
48 #include <sys/types.h>
49
50 /*
51 * Prevent bpf.h from redefining the DLT_ values to their
52 * IFT_ values, as we're going to return the standard libpcap
53 * values, not IBM's non-standard IFT_ values.
54 */
55 #undef _AIX
56 #include <net/bpf.h>
57 #define _AIX
58
59 #include <net/if_types.h> /* for IFT_ values */
60 #include <sys/sysconfig.h>
61 #include <sys/device.h>
62 #include <sys/cfgodm.h>
63 #include <cf.h>
64
65 #ifdef __64BIT__
66 #define domakedev makedev64
67 #define getmajor major64
68 #define bpf_hdr bpf_hdr32
69 #else /* __64BIT__ */
70 #define domakedev makedev
71 #define getmajor major
72 #endif /* __64BIT__ */
73
74 #define BPF_NAME "bpf"
75 #define BPF_MINORS 4
76 #define DRIVER_PATH "/usr/lib/drivers"
77 #define BPF_NODE "/dev/bpf"
78 static int bpfloadedflag = 0;
79 static int odmlockid = 0;
80
81 #else /* _AIX */
82
83 #include <net/bpf.h>
84
85 #endif /* _AIX */
86
87 #include <ctype.h>
88 #include <errno.h>
89 #include <netdb.h>
90 #include <stdio.h>
91 #include <stdlib.h>
92 #include <string.h>
93 #include <unistd.h>
94
95 #ifdef HAVE_NET_IF_MEDIA_H
96 # include <net/if_media.h>
97 #endif
98
99 #include "pcap-int.h"
100
101 #ifdef HAVE_DAG_API
102 #include "pcap-dag.h"
103 #endif /* HAVE_DAG_API */
104
105 #ifdef HAVE_OS_PROTO_H
106 #include "os-proto.h"
107 #endif
108
109 #ifdef BIOCGDLTLIST
110 # if (defined(HAVE_NET_IF_MEDIA_H) && defined(IFM_IEEE80211)) && !defined(__APPLE__)
111 #define HAVE_BSD_IEEE80211
112 # endif
113
114 # if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)
115 static int find_802_11(struct bpf_dltlist *);
116
117 # ifdef HAVE_BSD_IEEE80211
118 static int monitor_mode(pcap_t *, int);
119 # endif
120
121 # if defined(__APPLE__)
122 static void remove_en(pcap_t *);
123 static void remove_802_11(pcap_t *);
124 # endif
125
126 # endif /* defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) */
127
128 #endif /* BIOCGDLTLIST */
129
130 /*
131 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
132 * don't get DLT_DOCSIS defined.
133 */
134 #ifndef DLT_DOCSIS
135 #define DLT_DOCSIS 143
136 #endif
137
138 /*
139 * On OS X, we don't even get any of the 802.11-plus-radio-header DLT_'s
140 * defined, even though some of them are used by various Airport drivers.
141 */
142 #ifndef DLT_PRISM_HEADER
143 #define DLT_PRISM_HEADER 119
144 #endif
145 #ifndef DLT_AIRONET_HEADER
146 #define DLT_AIRONET_HEADER 120
147 #endif
148 #ifndef DLT_IEEE802_11_RADIO
149 #define DLT_IEEE802_11_RADIO 127
150 #endif
151 #ifndef DLT_IEEE802_11_RADIO_AVS
152 #define DLT_IEEE802_11_RADIO_AVS 163
153 #endif
154
155 static int pcap_can_set_rfmon_bpf(pcap_t *p);
156 static int pcap_activate_bpf(pcap_t *p);
157 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
158 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t);
159 static int pcap_set_datalink_bpf(pcap_t *p, int dlt);
160
161 pcap_t *
162 pcap_create(const char *device, char *ebuf)
163 {
164 pcap_t *p;
165
166 #ifdef HAVE_DAG_API
167 if (strstr(device, "dag"))
168 return (dag_create(device, ebuf));
169 #endif /* HAVE_DAG_API */
170
171 p = pcap_create_common(device, ebuf);
172 if (p == NULL)
173 return (NULL);
174
175 p->activate_op = pcap_activate_bpf;
176 p->can_set_rfmon_op = pcap_can_set_rfmon_bpf;
177 return (p);
178 }
179
180 static int
181 bpf_open(pcap_t *p)
182 {
183 int fd;
184 #ifdef HAVE_CLONING_BPF
185 static const char device[] = "/dev/bpf";
186 #else
187 int n = 0;
188 char device[sizeof "/dev/bpf0000000000"];
189 #endif
190
191 #ifdef _AIX
192 /*
193 * Load the bpf driver, if it isn't already loaded,
194 * and create the BPF device entries, if they don't
195 * already exist.
196 */
197 if (bpf_load(p->errbuf) == -1)
198 return (PCAP_ERROR);
199 #endif
200
201 #ifdef HAVE_CLONING_BPF
202 if ((fd = open(device, O_RDWR)) == -1 &&
203 (errno != EACCES || (fd = open(device, O_RDONLY)) == -1)) {
204 if (errno == EACCES)
205 fd = PCAP_ERROR_PERM_DENIED;
206 else
207 fd = PCAP_ERROR;
208 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
209 "(cannot open device) %s: %s", device, pcap_strerror(errno));
210 }
211 #else
212 /*
213 * Go through all the minors and find one that isn't in use.
214 */
215 do {
216 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
217 /*
218 * Initially try a read/write open (to allow the inject
219 * method to work). If that fails due to permission
220 * issues, fall back to read-only. This allows a
221 * non-root user to be granted specific access to pcap
222 * capabilities via file permissions.
223 *
224 * XXX - we should have an API that has a flag that
225 * controls whether to open read-only or read-write,
226 * so that denial of permission to send (or inability
227 * to send, if sending packets isn't supported on
228 * the device in question) can be indicated at open
229 * time.
230 */
231 fd = open(device, O_RDWR);
232 if (fd == -1 && errno == EACCES)
233 fd = open(device, O_RDONLY);
234 } while (fd < 0 && errno == EBUSY);
235
236 /*
237 * XXX better message for all minors used
238 */
239 if (fd < 0) {
240 if (errno == EACCES)
241 fd = PCAP_ERROR_PERM_DENIED;
242 else
243 fd = PCAP_ERROR;
244 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s",
245 device, pcap_strerror(errno));
246 }
247 #endif
248
249 return (fd);
250 }
251
252 #ifdef BIOCGDLTLIST
253 static int
254 get_dlt_list(int fd, int v, struct bpf_dltlist *bdlp, char *ebuf)
255 {
256 memset(bdlp, 0, sizeof(*bdlp));
257 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) == 0) {
258 u_int i;
259 int is_ethernet;
260
261 bdlp->bfl_list = (u_int *) malloc(sizeof(u_int) * (bdlp->bfl_len + 1));
262 if (bdlp->bfl_list == NULL) {
263 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
264 pcap_strerror(errno));
265 return (-1);
266 }
267
268 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) < 0) {
269 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
270 "BIOCGDLTLIST: %s", pcap_strerror(errno));
271 free(bdlp->bfl_list);
272 return (-1);
273 }
274
275 /*
276 * OK, for real Ethernet devices, add DLT_DOCSIS to the
277 * list, so that an application can let you choose it,
278 * in case you're capturing DOCSIS traffic that a Cisco
279 * Cable Modem Termination System is putting out onto
280 * an Ethernet (it doesn't put an Ethernet header onto
281 * the wire, it puts raw DOCSIS frames out on the wire
282 * inside the low-level Ethernet framing).
283 *
284 * A "real Ethernet device" is defined here as a device
285 * that has a link-layer type of DLT_EN10MB and that has
286 * no alternate link-layer types; that's done to exclude
287 * 802.11 interfaces (which might or might not be the
288 * right thing to do, but I suspect it is - Ethernet <->
289 * 802.11 bridges would probably badly mishandle frames
290 * that don't have Ethernet headers).
291 */
292 if (v == DLT_EN10MB) {
293 is_ethernet = 1;
294 for (i = 0; i < bdlp->bfl_len; i++) {
295 if (bdlp->bfl_list[i] != DLT_EN10MB) {
296 is_ethernet = 0;
297 break;
298 }
299 }
300 if (is_ethernet) {
301 /*
302 * We reserved one more slot at the end of
303 * the list.
304 */
305 bdlp->bfl_list[bdlp->bfl_len] = DLT_DOCSIS;
306 bdlp->bfl_len++;
307 }
308 }
309 } else {
310 /*
311 * EINVAL just means "we don't support this ioctl on
312 * this device"; don't treat it as an error.
313 */
314 if (errno != EINVAL) {
315 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
316 "BIOCGDLTLIST: %s", pcap_strerror(errno));
317 return (-1);
318 }
319 }
320 return (0);
321 }
322 #endif
323
324 static int
325 pcap_can_set_rfmon_bpf(pcap_t *p)
326 {
327 #if defined(__APPLE__)
328 struct utsname osinfo;
329 struct ifreq ifr;
330 int fd;
331 #ifdef BIOCGDLTLIST
332 struct bpf_dltlist bdl;
333 #endif
334
335 /*
336 * The joys of monitor mode on OS X.
337 *
338 * Prior to 10.4, it's not supported at all.
339 *
340 * In 10.4, if adapter enN supports monitor mode, there's a
341 * wltN adapter corresponding to it; you open it, instead of
342 * enN, to get monitor mode. You get whatever link-layer
343 * headers it supplies.
344 *
345 * In 10.5, and, we assume, later releases, if adapter enN
346 * supports monitor mode, it offers, among its selectable
347 * DLT_ values, values that let you get the 802.11 header;
348 * selecting one of those values puts the adapter into monitor
349 * mode (i.e., you can't get 802.11 headers except in monitor
350 * mode, and you can't get Ethernet headers in monitor mode).
351 */
352 if (uname(&osinfo) == -1) {
353 /*
354 * Can't get the OS version; just say "no".
355 */
356 return (0);
357 }
358 /*
359 * We assume osinfo.sysname is "Darwin", because
360 * __APPLE__ is defined. We just check the version.
361 */
362 if (osinfo.release[0] < '8' && osinfo.release[1] == '.') {
363 /*
364 * 10.3 (Darwin 7.x) or earlier.
365 * Monitor mode not supported.
366 */
367 return (0);
368 }
369 if (osinfo.release[0] == '8' && osinfo.release[1] == '.') {
370 /*
371 * 10.4 (Darwin 8.x). s/en/wlt/, and check
372 * whether the device exists.
373 */
374 if (strncmp(p->opt.source, "en", 2) != 0) {
375 /*
376 * Not an enN device; no monitor mode.
377 */
378 return (0);
379 }
380 fd = socket(AF_INET, SOCK_DGRAM, 0);
381 if (fd == -1) {
382 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
383 "socket: %s", pcap_strerror(errno));
384 return (PCAP_ERROR);
385 }
386 strlcpy(ifr.ifr_name, "wlt", sizeof(ifr.ifr_name));
387 strlcat(ifr.ifr_name, p->opt.source + 2, sizeof(ifr.ifr_name));
388 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) {
389 /*
390 * No such device?
391 */
392 close(fd);
393 return (0);
394 }
395 close(fd);
396 return (1);
397 }
398
399 #ifdef BIOCGDLTLIST
400 /*
401 * Everything else is 10.5 or later; for those,
402 * we just open the enN device, and check whether
403 * we have any 802.11 devices.
404 *
405 * First, open a BPF device.
406 */
407 fd = bpf_open(p);
408 if (fd < 0)
409 return (fd);
410
411 /*
412 * Now bind to the device.
413 */
414 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name));
415 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
416 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
417 "BIOCSETIF: %s: %s",
418 p->opt.source, pcap_strerror(errno));
419 close(fd);
420 return (PCAP_ERROR);
421 }
422
423 /*
424 * We know the default link type -- now determine all the DLTs
425 * this interface supports. If this fails with EINVAL, it's
426 * not fatal; we just don't get to use the feature later.
427 * (We don't care about DLT_DOCSIS, so we pass DLT_NULL
428 * as the default DLT for this adapter.)
429 */
430 if (get_dlt_list(fd, DLT_NULL, &bdl, p->errbuf) == -1) {
431 close(fd);
432 return (PCAP_ERROR);
433 }
434 if (find_802_11(&bdl) != -1) {
435 /*
436 * We have an 802.11 DLT, so we can set monitor mode.
437 */
438 free(bdl.bfl_list);
439 close(fd);
440 return (1);
441 }
442 free(bdl.bfl_list);
443 #endif /* BIOCGDLTLIST */
444 return (0);
445 #elif defined(HAVE_BSD_IEEE80211)
446 int ret;
447
448 ret = monitor_mode(p, 0);
449 if (ret == PCAP_ERROR_RFMON_NOTSUP)
450 return (0); /* not an error, just a "can't do" */
451 if (ret == 0)
452 return (1); /* success */
453 return (ret);
454 #else
455 return (0);
456 #endif
457 }
458
459 static int
460 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps)
461 {
462 struct bpf_stat s;
463
464 /*
465 * "ps_recv" counts packets handed to the filter, not packets
466 * that passed the filter. This includes packets later dropped
467 * because we ran out of buffer space.
468 *
469 * "ps_drop" counts packets dropped inside the BPF device
470 * because we ran out of buffer space. It doesn't count
471 * packets dropped by the interface driver. It counts
472 * only packets that passed the filter.
473 *
474 * Both statistics include packets not yet read from the kernel
475 * by libpcap, and thus not yet seen by the application.
476 */
477 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
478 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
479 pcap_strerror(errno));
480 return (-1);
481 }
482
483 ps->ps_recv = s.bs_recv;
484 ps->ps_drop = s.bs_drop;
485 return (0);
486 }
487
488 static int
489 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
490 {
491 int cc;
492 int n = 0;
493 register u_char *bp, *ep;
494 u_char *datap;
495 #ifdef PCAP_FDDIPAD
496 register int pad;
497 #endif
498
499 again:
500 /*
501 * Has "pcap_breakloop()" been called?
502 */
503 if (p->break_loop) {
504 /*
505 * Yes - clear the flag that indicates that it
506 * has, and return -2 to indicate that we were
507 * told to break out of the loop.
508 */
509 p->break_loop = 0;
510 return (-2);
511 }
512 cc = p->cc;
513 if (p->cc == 0) {
514 cc = read(p->fd, (char *)p->buffer, p->bufsize);
515 if (cc < 0) {
516 /* Don't choke when we get ptraced */
517 switch (errno) {
518
519 case EINTR:
520 goto again;
521
522 #ifdef _AIX
523 case EFAULT:
524 /*
525 * Sigh. More AIX wonderfulness.
526 *
527 * For some unknown reason the uiomove()
528 * operation in the bpf kernel extension
529 * used to copy the buffer into user
530 * space sometimes returns EFAULT. I have
531 * no idea why this is the case given that
532 * a kernel debugger shows the user buffer
533 * is correct. This problem appears to
534 * be mostly mitigated by the memset of
535 * the buffer before it is first used.
536 * Very strange.... Shaun Clowes
537 *
538 * In any case this means that we shouldn't
539 * treat EFAULT as a fatal error; as we
540 * don't have an API for returning
541 * a "some packets were dropped since
542 * the last packet you saw" indication,
543 * we just ignore EFAULT and keep reading.
544 */
545 goto again;
546 #endif
547
548 case EWOULDBLOCK:
549 return (0);
550 #if defined(sun) && !defined(BSD)
551 /*
552 * Due to a SunOS bug, after 2^31 bytes, the kernel
553 * file offset overflows and read fails with EINVAL.
554 * The lseek() to 0 will fix things.
555 */
556 case EINVAL:
557 if (lseek(p->fd, 0L, SEEK_CUR) +
558 p->bufsize < 0) {
559 (void)lseek(p->fd, 0L, SEEK_SET);
560 goto again;
561 }
562 /* fall through */
563 #endif
564 }
565 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s",
566 pcap_strerror(errno));
567 return (-1);
568 }
569 bp = p->buffer;
570 } else
571 bp = p->bp;
572
573 /*
574 * Loop through each packet.
575 */
576 #define bhp ((struct bpf_hdr *)bp)
577 ep = bp + cc;
578 #ifdef PCAP_FDDIPAD
579 pad = p->fddipad;
580 #endif
581 while (bp < ep) {
582 register int caplen, hdrlen;
583
584 /*
585 * Has "pcap_breakloop()" been called?
586 * If so, return immediately - if we haven't read any
587 * packets, clear the flag and return -2 to indicate
588 * that we were told to break out of the loop, otherwise
589 * leave the flag set, so that the *next* call will break
590 * out of the loop without having read any packets, and
591 * return the number of packets we've processed so far.
592 */
593 if (p->break_loop) {
594 if (n == 0) {
595 p->break_loop = 0;
596 return (-2);
597 } else {
598 p->bp = bp;
599 p->cc = ep - bp;
600 return (n);
601 }
602 }
603
604 caplen = bhp->bh_caplen;
605 hdrlen = bhp->bh_hdrlen;
606 datap = bp + hdrlen;
607 /*
608 * Short-circuit evaluation: if using BPF filter
609 * in kernel, no need to do it now - we already know
610 * the packet passed the filter.
611 *
612 #ifdef PCAP_FDDIPAD
613 * Note: the filter code was generated assuming
614 * that p->fddipad was the amount of padding
615 * before the header, as that's what's required
616 * in the kernel, so we run the filter before
617 * skipping that padding.
618 #endif
619 */
620 if (p->md.use_bpf ||
621 bpf_filter(p->fcode.bf_insns, datap, bhp->bh_datalen, caplen)) {
622 struct pcap_pkthdr pkthdr;
623
624 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec;
625 #ifdef _AIX
626 /*
627 * AIX's BPF returns seconds/nanoseconds time
628 * stamps, not seconds/microseconds time stamps.
629 */
630 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000;
631 #else
632 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec;
633 #endif
634 #ifdef PCAP_FDDIPAD
635 if (caplen > pad)
636 pkthdr.caplen = caplen - pad;
637 else
638 pkthdr.caplen = 0;
639 if (bhp->bh_datalen > pad)
640 pkthdr.len = bhp->bh_datalen - pad;
641 else
642 pkthdr.len = 0;
643 datap += pad;
644 #else
645 pkthdr.caplen = caplen;
646 pkthdr.len = bhp->bh_datalen;
647 #endif
648 (*callback)(user, &pkthdr, datap);
649 bp += BPF_WORDALIGN(caplen + hdrlen);
650 if (++n >= cnt && cnt > 0) {
651 p->bp = bp;
652 p->cc = ep - bp;
653 return (n);
654 }
655 } else {
656 /*
657 * Skip this packet.
658 */
659 bp += BPF_WORDALIGN(caplen + hdrlen);
660 }
661 }
662 #undef bhp
663 p->cc = 0;
664 return (n);
665 }
666
667 static int
668 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size)
669 {
670 int ret;
671
672 ret = write(p->fd, buf, size);
673 #ifdef __APPLE__
674 if (ret == -1 && errno == EAFNOSUPPORT) {
675 /*
676 * In Mac OS X, there's a bug wherein setting the
677 * BIOCSHDRCMPLT flag causes writes to fail; see,
678 * for example:
679 *
680 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch
681 *
682 * So, if, on OS X, we get EAFNOSUPPORT from the write, we
683 * assume it's due to that bug, and turn off that flag
684 * and try again. If we succeed, it either means that
685 * somebody applied the fix from that URL, or other patches
686 * for that bug from
687 *
688 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/
689 *
690 * and are running a Darwin kernel with those fixes, or
691 * that Apple fixed the problem in some OS X release.
692 */
693 u_int spoof_eth_src = 0;
694
695 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
696 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
697 "send: can't turn off BIOCSHDRCMPLT: %s",
698 pcap_strerror(errno));
699 return (-1);
700 }
701
702 /*
703 * Now try the write again.
704 */
705 ret = write(p->fd, buf, size);
706 }
707 #endif /* __APPLE__ */
708 if (ret == -1) {
709 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
710 pcap_strerror(errno));
711 return (-1);
712 }
713 return (ret);
714 }
715
716 #ifdef _AIX
717 static int
718 bpf_odminit(char *errbuf)
719 {
720 char *errstr;
721
722 if (odm_initialize() == -1) {
723 if (odm_err_msg(odmerrno, &errstr) == -1)
724 errstr = "Unknown error";
725 snprintf(errbuf, PCAP_ERRBUF_SIZE,
726 "bpf_load: odm_initialize failed: %s",
727 errstr);
728 return (-1);
729 }
730
731 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) {
732 if (odm_err_msg(odmerrno, &errstr) == -1)
733 errstr = "Unknown error";
734 snprintf(errbuf, PCAP_ERRBUF_SIZE,
735 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s",
736 errstr);
737 return (-1);
738 }
739
740 return (0);
741 }
742
743 static int
744 bpf_odmcleanup(char *errbuf)
745 {
746 char *errstr;
747
748 if (odm_unlock(odmlockid) == -1) {
749 if (odm_err_msg(odmerrno, &errstr) == -1)
750 errstr = "Unknown error";
751 snprintf(errbuf, PCAP_ERRBUF_SIZE,
752 "bpf_load: odm_unlock failed: %s",
753 errstr);
754 return (-1);
755 }
756
757 if (odm_terminate() == -1) {
758 if (odm_err_msg(odmerrno, &errstr) == -1)
759 errstr = "Unknown error";
760 snprintf(errbuf, PCAP_ERRBUF_SIZE,
761 "bpf_load: odm_terminate failed: %s",
762 errstr);
763 return (-1);
764 }
765
766 return (0);
767 }
768
769 static int
770 bpf_load(char *errbuf)
771 {
772 long major;
773 int *minors;
774 int numminors, i, rc;
775 char buf[1024];
776 struct stat sbuf;
777 struct bpf_config cfg_bpf;
778 struct cfg_load cfg_ld;
779 struct cfg_kmod cfg_km;
780
781 /*
782 * This is very very close to what happens in the real implementation
783 * but I've fixed some (unlikely) bug situations.
784 */
785 if (bpfloadedflag)
786 return (0);
787
788 if (bpf_odminit(errbuf) != 0)
789 return (-1);
790
791 major = genmajor(BPF_NAME);
792 if (major == -1) {
793 snprintf(errbuf, PCAP_ERRBUF_SIZE,
794 "bpf_load: genmajor failed: %s", pcap_strerror(errno));
795 return (-1);
796 }
797
798 minors = getminor(major, &numminors, BPF_NAME);
799 if (!minors) {
800 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1);
801 if (!minors) {
802 snprintf(errbuf, PCAP_ERRBUF_SIZE,
803 "bpf_load: genminor failed: %s",
804 pcap_strerror(errno));
805 return (-1);
806 }
807 }
808
809 if (bpf_odmcleanup(errbuf))
810 return (-1);
811
812 rc = stat(BPF_NODE "0", &sbuf);
813 if (rc == -1 && errno != ENOENT) {
814 snprintf(errbuf, PCAP_ERRBUF_SIZE,
815 "bpf_load: can't stat %s: %s",
816 BPF_NODE "0", pcap_strerror(errno));
817 return (-1);
818 }
819
820 if (rc == -1 || getmajor(sbuf.st_rdev) != major) {
821 for (i = 0; i < BPF_MINORS; i++) {
822 sprintf(buf, "%s%d", BPF_NODE, i);
823 unlink(buf);
824 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) {
825 snprintf(errbuf, PCAP_ERRBUF_SIZE,
826 "bpf_load: can't mknod %s: %s",
827 buf, pcap_strerror(errno));
828 return (-1);
829 }
830 }
831 }
832
833 /* Check if the driver is loaded */
834 memset(&cfg_ld, 0x0, sizeof(cfg_ld));
835 cfg_ld.path = buf;
836 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME);
837 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) ||
838 (cfg_ld.kmid == 0)) {
839 /* Driver isn't loaded, load it now */
840 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) {
841 snprintf(errbuf, PCAP_ERRBUF_SIZE,
842 "bpf_load: could not load driver: %s",
843 strerror(errno));
844 return (-1);
845 }
846 }
847
848 /* Configure the driver */
849 cfg_km.cmd = CFG_INIT;
850 cfg_km.kmid = cfg_ld.kmid;
851 cfg_km.mdilen = sizeof(cfg_bpf);
852 cfg_km.mdiptr = (void *)&cfg_bpf;
853 for (i = 0; i < BPF_MINORS; i++) {
854 cfg_bpf.devno = domakedev(major, i);
855 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) {
856 snprintf(errbuf, PCAP_ERRBUF_SIZE,
857 "bpf_load: could not configure driver: %s",
858 strerror(errno));
859 return (-1);
860 }
861 }
862
863 bpfloadedflag = 1;
864
865 return (0);
866 }
867 #endif
868
869 /*
870 * Turn off rfmon mode if necessary.
871 */
872 static void
873 pcap_cleanup_bpf(pcap_t *p)
874 {
875 #ifdef HAVE_BSD_IEEE80211
876 int sock;
877 struct ifmediareq req;
878 struct ifreq ifr;
879 #endif
880
881 if (p->md.must_clear != 0) {
882 /*
883 * There's something we have to do when closing this
884 * pcap_t.
885 */
886 #ifdef HAVE_BSD_IEEE80211
887 if (p->md.must_clear & MUST_CLEAR_RFMON) {
888 /*
889 * We put the interface into rfmon mode;
890 * take it out of rfmon mode.
891 *
892 * XXX - if somebody else wants it in rfmon
893 * mode, this code cannot know that, so it'll take
894 * it out of rfmon mode.
895 */
896 sock = socket(AF_INET, SOCK_DGRAM, 0);
897 if (sock == -1) {
898 fprintf(stderr,
899 "Can't restore interface flags (socket() failed: %s).\n"
900 "Please adjust manually.\n",
901 strerror(errno));
902 } else {
903 memset(&req, 0, sizeof(req));
904 strncpy(req.ifm_name, p->md.device,
905 sizeof(req.ifm_name));
906 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
907 fprintf(stderr,
908 "Can't restore interface flags (SIOCGIFMEDIA failed: %s).\n"
909 "Please adjust manually.\n",
910 strerror(errno));
911 } else {
912 if (req.ifm_current & IFM_IEEE80211_MONITOR) {
913 /*
914 * Rfmon mode is currently on;
915 * turn it off.
916 */
917 memset(&ifr, 0, sizeof(ifr));
918 (void)strncpy(ifr.ifr_name,
919 p->md.device,
920 sizeof(ifr.ifr_name));
921 ifr.ifr_media =
922 req.ifm_current & ~IFM_IEEE80211_MONITOR;
923 if (ioctl(sock, SIOCSIFMEDIA,
924 &ifr) == -1) {
925 fprintf(stderr,
926 "Can't restore interface flags (SIOCSIFMEDIA failed: %s).\n"
927 "Please adjust manually.\n",
928 strerror(errno));
929 }
930 }
931 }
932 close(sock);
933 }
934 }
935 #endif /* HAVE_BSD_IEEE80211 */
936
937 /*
938 * Take this pcap out of the list of pcaps for which we
939 * have to take the interface out of some mode.
940 */
941 pcap_remove_from_pcaps_to_close(p);
942 p->md.must_clear = 0;
943 }
944
945 if (p->md.device != NULL) {
946 free(p->md.device);
947 p->md.device = NULL;
948 }
949 pcap_cleanup_live_common(p);
950 }
951
952 static int
953 check_setif_failure(pcap_t *p, int error)
954 {
955 #ifdef __APPLE__
956 int fd;
957 struct ifreq ifr;
958 int err;
959 #endif
960
961 if (error == ENXIO) {
962 /*
963 * No such device exists.
964 */
965 #ifdef __APPLE__
966 if (p->opt.rfmon && strncmp(p->opt.source, "wlt", 3) == 0) {
967 /*
968 * Monitor mode was requested, and we're trying
969 * to open a "wltN" device. Assume that this
970 * is 10.4 and that we were asked to open an
971 * "enN" device; if that device exists, return
972 * "monitor mode not supported on the device".
973 */
974 fd = socket(AF_INET, SOCK_DGRAM, 0);
975 if (fd != -1) {
976 strlcpy(ifr.ifr_name, "en",
977 sizeof(ifr.ifr_name));
978 strlcat(ifr.ifr_name, p->opt.source + 3,
979 sizeof(ifr.ifr_name));
980 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) {
981 /*
982 * We assume this failed because
983 * the underlying device doesn't
984 * exist.
985 */
986 err = PCAP_ERROR_NO_SUCH_DEVICE;
987 strcpy(p->errbuf, "");
988 } else {
989 /*
990 * The underlying "enN" device
991 * exists, but there's no
992 * corresponding "wltN" device;
993 * that means that the "enN"
994 * device doesn't support
995 * monitor mode, probably because
996 * it's an Ethernet device rather
997 * than a wireless device.
998 */
999 err = PCAP_ERROR_RFMON_NOTSUP;
1000 }
1001 close(fd);
1002 } else {
1003 /*
1004 * We can't find out whether there's
1005 * an underlying "enN" device, so
1006 * just report "no such device".
1007 */
1008 err = PCAP_ERROR_NO_SUCH_DEVICE;
1009 strcpy(p->errbuf, "");
1010 }
1011 return (err);
1012 }
1013 #endif
1014 /*
1015 * No such device.
1016 */
1017 strcpy(p->errbuf, "");
1018 return (PCAP_ERROR_NO_SUCH_DEVICE);
1019 } else {
1020 /*
1021 * Some other error; fill in the error string, and
1022 * return PCAP_ERROR.
1023 */
1024 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
1025 p->opt.source, pcap_strerror(errno));
1026 return (PCAP_ERROR);
1027 }
1028 }
1029
1030 static int
1031 pcap_activate_bpf(pcap_t *p)
1032 {
1033 int status = 0;
1034 int fd;
1035 struct ifreq ifr;
1036 struct bpf_version bv;
1037 #ifdef __APPLE__
1038 int sockfd;
1039 char *wltdev = NULL;
1040 #endif
1041 #ifdef BIOCGDLTLIST
1042 struct bpf_dltlist bdl;
1043 #if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)
1044 int new_dlt;
1045 #endif
1046 #endif /* BIOCGDLTLIST */
1047 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
1048 u_int spoof_eth_src = 1;
1049 #endif
1050 u_int v;
1051 struct bpf_insn total_insn;
1052 struct bpf_program total_prog;
1053 struct utsname osinfo;
1054 int have_osinfo = 0;
1055
1056 fd = bpf_open(p);
1057 if (fd < 0) {
1058 status = fd;
1059 goto bad;
1060 }
1061
1062 p->fd = fd;
1063
1064 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
1065 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
1066 pcap_strerror(errno));
1067 status = PCAP_ERROR;
1068 goto bad;
1069 }
1070 if (bv.bv_major != BPF_MAJOR_VERSION ||
1071 bv.bv_minor < BPF_MINOR_VERSION) {
1072 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1073 "kernel bpf filter out of date");
1074 status = PCAP_ERROR;
1075 goto bad;
1076 }
1077
1078 p->md.device = strdup(p->opt.source);
1079 if (p->md.device == NULL) {
1080 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s",
1081 pcap_strerror(errno));
1082 status = PCAP_ERROR;
1083 goto bad;
1084 }
1085
1086 /*
1087 * Attempt to find out the version of the OS on which we're running.
1088 */
1089 if (uname(&osinfo) == 0)
1090 have_osinfo = 1;
1091
1092 #ifdef __APPLE__
1093 /*
1094 * See comment in pcap_can_set_rfmon_bpf() for an explanation
1095 * of why we check the version number.
1096 */
1097 if (p->opt.rfmon) {
1098 if (have_osinfo) {
1099 /*
1100 * We assume osinfo.sysname is "Darwin", because
1101 * __APPLE__ is defined. We just check the version.
1102 */
1103 if (osinfo.release[0] < '8' &&
1104 osinfo.release[1] == '.') {
1105 /*
1106 * 10.3 (Darwin 7.x) or earlier.
1107 */
1108 status = PCAP_ERROR_RFMON_NOTSUP;
1109 goto bad;
1110 }
1111 if (osinfo.release[0] == '8' &&
1112 osinfo.release[1] == '.') {
1113 /*
1114 * 10.4 (Darwin 8.x). s/en/wlt/
1115 */
1116 if (strncmp(p->opt.source, "en", 2) != 0) {
1117 /*
1118 * Not an enN device; check
1119 * whether the device even exists.
1120 */
1121 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
1122 if (sockfd != -1) {
1123 strlcpy(ifr.ifr_name,
1124 p->opt.source,
1125 sizeof(ifr.ifr_name));
1126 if (ioctl(sockfd, SIOCGIFFLAGS,
1127 (char *)&ifr) < 0) {
1128 /*
1129 * We assume this
1130 * failed because
1131 * the underlying
1132 * device doesn't
1133 * exist.
1134 */
1135 status = PCAP_ERROR_NO_SUCH_DEVICE;
1136 strcpy(p->errbuf, "");
1137 } else
1138 status = PCAP_ERROR_RFMON_NOTSUP;
1139 close(sockfd);
1140 } else {
1141 /*
1142 * We can't find out whether
1143 * the device exists, so just
1144 * report "no such device".
1145 */
1146 status = PCAP_ERROR_NO_SUCH_DEVICE;
1147 strcpy(p->errbuf, "");
1148 }
1149 goto bad;
1150 }
1151 wltdev = malloc(strlen(p->opt.source) + 2);
1152 if (wltdev == NULL) {
1153 (void)snprintf(p->errbuf,
1154 PCAP_ERRBUF_SIZE, "malloc: %s",
1155 pcap_strerror(errno));
1156 status = PCAP_ERROR;
1157 goto bad;
1158 }
1159 strcpy(wltdev, "wlt");
1160 strcat(wltdev, p->opt.source + 2);
1161 free(p->opt.source);
1162 p->opt.source = wltdev;
1163 }
1164 /*
1165 * Everything else is 10.5 or later; for those,
1166 * we just open the enN device, and set the DLT.
1167 */
1168 }
1169 }
1170 #endif /* __APPLE__ */
1171
1172 /*
1173 * Set the buffer size.
1174 */
1175 if (p->opt.buffer_size != 0) {
1176 /*
1177 * A buffer size was explicitly specified; use it.
1178 */
1179 if (ioctl(fd, BIOCSBLEN, (caddr_t)&p->opt.buffer_size) < 0) {
1180 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1181 "BIOCSBLEN: %s: %s", p->opt.source,
1182 pcap_strerror(errno));
1183 status = PCAP_ERROR;
1184 goto bad;
1185 }
1186
1187 /*
1188 * Now bind to the device.
1189 */
1190 (void)strncpy(ifr.ifr_name, p->opt.source,
1191 sizeof(ifr.ifr_name));
1192 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
1193 status = check_setif_failure(p, errno);
1194 goto bad;
1195 }
1196 } else {
1197 /*
1198 * No buffer size was explicitly specified.
1199 *
1200 * Try finding a good size for the buffer; 32768 may
1201 * be too big, so keep cutting it in half until we
1202 * find a size that works, or run out of sizes to try.
1203 * If the default is larger, don't make it smaller.
1204 */
1205 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768)
1206 v = 32768;
1207 for ( ; v != 0; v >>= 1) {
1208 /*
1209 * Ignore the return value - this is because the
1210 * call fails on BPF systems that don't have
1211 * kernel malloc. And if the call fails, it's
1212 * no big deal, we just continue to use the
1213 * standard buffer size.
1214 */
1215 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
1216
1217 (void)strncpy(ifr.ifr_name, p->opt.source,
1218 sizeof(ifr.ifr_name));
1219 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
1220 break; /* that size worked; we're done */
1221
1222 if (errno != ENOBUFS) {
1223 status = check_setif_failure(p, errno);
1224 goto bad;
1225 }
1226 }
1227
1228 if (v == 0) {
1229 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1230 "BIOCSBLEN: %s: No buffer size worked",
1231 p->opt.source);
1232 status = PCAP_ERROR;
1233 goto bad;
1234 }
1235 }
1236
1237 /* Get the data link layer type. */
1238 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
1239 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
1240 pcap_strerror(errno));
1241 status = PCAP_ERROR;
1242 goto bad;
1243 }
1244
1245 #ifdef _AIX
1246 /*
1247 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
1248 */
1249 switch (v) {
1250
1251 case IFT_ETHER:
1252 case IFT_ISO88023:
1253 v = DLT_EN10MB;
1254 break;
1255
1256 case IFT_FDDI:
1257 v = DLT_FDDI;
1258 break;
1259
1260 case IFT_ISO88025:
1261 v = DLT_IEEE802;
1262 break;
1263
1264 case IFT_LOOP:
1265 v = DLT_NULL;
1266 break;
1267
1268 default:
1269 /*
1270 * We don't know what to map this to yet.
1271 */
1272 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
1273 v);
1274 status = PCAP_ERROR;
1275 goto bad;
1276 }
1277 #endif
1278 #if _BSDI_VERSION - 0 >= 199510
1279 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
1280 switch (v) {
1281
1282 case DLT_SLIP:
1283 v = DLT_SLIP_BSDOS;
1284 break;
1285
1286 case DLT_PPP:
1287 v = DLT_PPP_BSDOS;
1288 break;
1289
1290 case 11: /*DLT_FR*/
1291 v = DLT_FRELAY;
1292 break;
1293
1294 case 12: /*DLT_C_HDLC*/
1295 v = DLT_CHDLC;
1296 break;
1297 }
1298 #endif
1299
1300 #ifdef BIOCGDLTLIST
1301 /*
1302 * We know the default link type -- now determine all the DLTs
1303 * this interface supports. If this fails with EINVAL, it's
1304 * not fatal; we just don't get to use the feature later.
1305 */
1306 if (get_dlt_list(fd, v, &bdl, p->errbuf) == -1) {
1307 status = PCAP_ERROR;
1308 goto bad;
1309 }
1310 p->dlt_count = bdl.bfl_len;
1311 p->dlt_list = bdl.bfl_list;
1312
1313 #ifdef __APPLE__
1314 /*
1315 * Monitor mode fun, continued.
1316 *
1317 * For 10.5 and, we're assuming, later releases, as noted above,
1318 * 802.1 adapters that support monitor mode offer both DLT_EN10MB,
1319 * DLT_IEEE802_11, and possibly some 802.11-plus-radio-information
1320 * DLT_ value. Choosing one of the 802.11 DLT_ values will turn
1321 * monitor mode on.
1322 *
1323 * Therefore, if the user asked for monitor mode, we filter out
1324 * the DLT_EN10MB value, as you can't get that in monitor mode,
1325 * and, if the user didn't ask for monitor mode, we filter out
1326 * the 802.11 DLT_ values, because selecting those will turn
1327 * monitor mode on. Then, for monitor mode, if an 802.11-plus-
1328 * radio DLT_ value is offered, we try to select that, otherwise
1329 * we try to select DLT_IEEE802_11.
1330 */
1331 if (have_osinfo) {
1332 if (isdigit((unsigned)osinfo.release[0]) &&
1333 (osinfo.release[0] == '9' ||
1334 isdigit((unsigned)osinfo.release[1]))) {
1335 /*
1336 * 10.5 (Darwin 9.x), or later.
1337 */
1338 new_dlt = find_802_11(&bdl);
1339 if (new_dlt != -1) {
1340 /*
1341 * We have at least one 802.11 DLT_ value,
1342 * so this is an 802.11 interface.
1343 * new_dlt is the best of the 802.11
1344 * DLT_ values in the list.
1345 */
1346 if (p->opt.rfmon) {
1347 /*
1348 * Our caller wants monitor mode.
1349 * Purge DLT_EN10MB from the list
1350 * of link-layer types, as selecting
1351 * it will keep monitor mode off.
1352 */
1353 remove_en(p);
1354
1355 /*
1356 * If the new mode we want isn't
1357 * the default mode, attempt to
1358 * select the new mode.
1359 */
1360 if (new_dlt != v) {
1361 if (ioctl(p->fd, BIOCSDLT,
1362 &new_dlt) != -1) {
1363 /*
1364 * We succeeded;
1365 * make this the
1366 * new DLT_ value.
1367 */
1368 v = new_dlt;
1369 }
1370 }
1371 } else {
1372 /*
1373 * Our caller doesn't want
1374 * monitor mode. Unless this
1375 * is being done by pcap_open_live(),
1376 * purge the 802.11 link-layer types
1377 * from the list, as selecting
1378 * one of them will turn monitor
1379 * mode on.
1380 */
1381 if (!p->oldstyle)
1382 remove_802_11(p);
1383 }
1384 } else {
1385 if (p->opt.rfmon) {
1386 /*
1387 * The caller requested monitor
1388 * mode, but we have no 802.11
1389 * link-layer types, so they
1390 * can't have it.
1391 */
1392 status = PCAP_ERROR_RFMON_NOTSUP;
1393 goto bad;
1394 }
1395 }
1396 }
1397 }
1398 #elif defined(HAVE_BSD_IEEE80211)
1399 /*
1400 * *BSD with the new 802.11 ioctls.
1401 * Do we want monitor mode?
1402 */
1403 if (p->opt.rfmon) {
1404 /*
1405 * Try to put the interface into monitor mode.
1406 */
1407 status = monitor_mode(p, 1);
1408 if (status != 0) {
1409 /*
1410 * We failed.
1411 */
1412 goto bad;
1413 }
1414
1415 /*
1416 * We're in monitor mode.
1417 * Try to find the best 802.11 DLT_ value and, if we
1418 * succeed, try to switch to that mode if we're not
1419 * already in that mode.
1420 */
1421 new_dlt = find_802_11(&bdl);
1422 if (new_dlt != -1) {
1423 /*
1424 * We have at least one 802.11 DLT_ value.
1425 * new_dlt is the best of the 802.11
1426 * DLT_ values in the list.
1427 *
1428 * If the new mode we want isn't the default mode,
1429 * attempt to select the new mode.
1430 */
1431 if (new_dlt != v) {
1432 if (ioctl(p->fd, BIOCSDLT, &new_dlt) != -1) {
1433 /*
1434 * We succeeded; make this the
1435 * new DLT_ value.
1436 */
1437 v = new_dlt;
1438 }
1439 }
1440 }
1441 }
1442 #endif /* various platforms */
1443 #endif /* BIOCGDLTLIST */
1444
1445 /*
1446 * If this is an Ethernet device, and we don't have a DLT_ list,
1447 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give
1448 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to
1449 * do, but there's not much we can do about that without finding
1450 * some other way of determining whether it's an Ethernet or 802.11
1451 * device.)
1452 */
1453 if (v == DLT_EN10MB && p->dlt_count == 0) {
1454 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
1455 /*
1456 * If that fails, just leave the list empty.
1457 */
1458 if (p->dlt_list != NULL) {
1459 p->dlt_list[0] = DLT_EN10MB;
1460 p->dlt_list[1] = DLT_DOCSIS;
1461 p->dlt_count = 2;
1462 }
1463 }
1464 #ifdef PCAP_FDDIPAD
1465 if (v == DLT_FDDI)
1466 p->fddipad = PCAP_FDDIPAD;
1467 else
1468 p->fddipad = 0;
1469 #endif
1470 p->linktype = v;
1471
1472 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
1473 /*
1474 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so
1475 * the link-layer source address isn't forcibly overwritten.
1476 * (Should we ignore errors? Should we do this only if
1477 * we're open for writing?)
1478 *
1479 * XXX - I seem to remember some packet-sending bug in some
1480 * BSDs - check CVS log for "bpf.c"?
1481 */
1482 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
1483 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1484 "BIOCSHDRCMPLT: %s", pcap_strerror(errno));
1485 status = PCAP_ERROR;
1486 goto bad;
1487 }
1488 #endif
1489 /* set timeout */
1490 if (p->md.timeout != 0) {
1491 /*
1492 * XXX - is this seconds/nanoseconds in AIX?
1493 * (Treating it as such doesn't fix the timeout
1494 * problem described below.)
1495 */
1496 struct timeval to;
1497 to.tv_sec = p->md.timeout / 1000;
1498 to.tv_usec = (p->md.timeout * 1000) % 1000000;
1499 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
1500 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
1501 pcap_strerror(errno));
1502 status = PCAP_ERROR;
1503 goto bad;
1504 }
1505 }
1506
1507 #ifdef _AIX
1508 #ifdef BIOCIMMEDIATE
1509 /*
1510 * Darren Reed notes that
1511 *
1512 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
1513 * timeout appears to be ignored and it waits until the buffer
1514 * is filled before returning. The result of not having it
1515 * set is almost worse than useless if your BPF filter
1516 * is reducing things to only a few packets (i.e. one every
1517 * second or so).
1518 *
1519 * so we turn BIOCIMMEDIATE mode on if this is AIX.
1520 *
1521 * We don't turn it on for other platforms, as that means we
1522 * get woken up for every packet, which may not be what we want;
1523 * in the Winter 1993 USENIX paper on BPF, they say:
1524 *
1525 * Since a process might want to look at every packet on a
1526 * network and the time between packets can be only a few
1527 * microseconds, it is not possible to do a read system call
1528 * per packet and BPF must collect the data from several
1529 * packets and return it as a unit when the monitoring
1530 * application does a read.
1531 *
1532 * which I infer is the reason for the timeout - it means we
1533 * wait that amount of time, in the hopes that more packets
1534 * will arrive and we'll get them all with one read.
1535 *
1536 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other
1537 * BSDs) causes the timeout to be ignored.
1538 *
1539 * On the other hand, some platforms (e.g., Linux) don't support
1540 * timeouts, they just hand stuff to you as soon as it arrives;
1541 * if that doesn't cause a problem on those platforms, it may
1542 * be OK to have BIOCIMMEDIATE mode on BSD as well.
1543 *
1544 * (Note, though, that applications may depend on the read
1545 * completing, even if no packets have arrived, when the timeout
1546 * expires, e.g. GUI applications that have to check for input
1547 * while waiting for packets to arrive; a non-zero timeout
1548 * prevents "select()" from working right on FreeBSD and
1549 * possibly other BSDs, as the timer doesn't start until a
1550 * "read()" is done, so the timer isn't in effect if the
1551 * application is blocked on a "select()", and the "select()"
1552 * doesn't get woken up for a BPF device until the buffer
1553 * fills up.)
1554 */
1555 v = 1;
1556 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
1557 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
1558 pcap_strerror(errno));
1559 status = PCAP_ERROR;
1560 goto bad;
1561 }
1562 #endif /* BIOCIMMEDIATE */
1563 #endif /* _AIX */
1564
1565 if (p->opt.promisc) {
1566 /* set promiscuous mode, just warn if it fails */
1567 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
1568 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s",
1569 pcap_strerror(errno));
1570 status = PCAP_WARNING_PROMISC_NOTSUP;
1571 }
1572 }
1573
1574 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
1575 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
1576 pcap_strerror(errno));
1577 status = PCAP_ERROR;
1578 goto bad;
1579 }
1580 p->bufsize = v;
1581 p->buffer = (u_char *)malloc(p->bufsize);
1582 if (p->buffer == NULL) {
1583 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s",
1584 pcap_strerror(errno));
1585 status = PCAP_ERROR;
1586 goto bad;
1587 }
1588 #ifdef _AIX
1589 /* For some strange reason this seems to prevent the EFAULT
1590 * problems we have experienced from AIX BPF. */
1591 memset(p->buffer, 0x0, p->bufsize);
1592 #endif
1593
1594 /*
1595 * If there's no filter program installed, there's
1596 * no indication to the kernel of what the snapshot
1597 * length should be, so no snapshotting is done.
1598 *
1599 * Therefore, when we open the device, we install
1600 * an "accept everything" filter with the specified
1601 * snapshot length.
1602 */
1603 total_insn.code = (u_short)(BPF_RET | BPF_K);
1604 total_insn.jt = 0;
1605 total_insn.jf = 0;
1606 total_insn.k = p->snapshot;
1607
1608 total_prog.bf_len = 1;
1609 total_prog.bf_insns = &total_insn;
1610 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) {
1611 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
1612 pcap_strerror(errno));
1613 status = PCAP_ERROR;
1614 goto bad;
1615 }
1616
1617 /*
1618 * On most BPF platforms, either you can do a "select()" or
1619 * "poll()" on a BPF file descriptor and it works correctly,
1620 * or you can do it and it will return "readable" if the
1621 * hold buffer is full but not if the timeout expires *and*
1622 * a non-blocking read will, if the hold buffer is empty
1623 * but the store buffer isn't empty, rotate the buffers
1624 * and return what packets are available.
1625 *
1626 * In the latter case, the fact that a non-blocking read
1627 * will give you the available packets means you can work
1628 * around the failure of "select()" and "poll()" to wake up
1629 * and return "readable" when the timeout expires by using
1630 * the timeout as the "select()" or "poll()" timeout, putting
1631 * the BPF descriptor into non-blocking mode, and read from
1632 * it regardless of whether "select()" reports it as readable
1633 * or not.
1634 *
1635 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()"
1636 * won't wake up and return "readable" if the timer expires
1637 * and non-blocking reads return EWOULDBLOCK if the hold
1638 * buffer is empty, even if the store buffer is non-empty.
1639 *
1640 * This means the workaround in question won't work.
1641 *
1642 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd"
1643 * to -1, which means "sorry, you can't use 'select()' or 'poll()'
1644 * here". On all other BPF platforms, we set it to the FD for
1645 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking
1646 * read will, if the hold buffer is empty and the store buffer
1647 * isn't empty, rotate the buffers and return what packets are
1648 * there (and in sufficiently recent versions of OpenBSD
1649 * "select()" and "poll()" should work correctly).
1650 *
1651 * XXX - what about AIX?
1652 */
1653 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */
1654 if (have_osinfo) {
1655 /*
1656 * We can check what OS this is.
1657 */
1658 if (strcmp(osinfo.sysname, "FreeBSD") == 0) {
1659 if (strncmp(osinfo.release, "4.3-", 4) == 0 ||
1660 strncmp(osinfo.release, "4.4-", 4) == 0)
1661 p->selectable_fd = -1;
1662 }
1663 }
1664
1665 p->read_op = pcap_read_bpf;
1666 p->inject_op = pcap_inject_bpf;
1667 p->setfilter_op = pcap_setfilter_bpf;
1668 p->setdirection_op = pcap_setdirection_bpf;
1669 p->set_datalink_op = pcap_set_datalink_bpf;
1670 p->getnonblock_op = pcap_getnonblock_fd;
1671 p->setnonblock_op = pcap_setnonblock_fd;
1672 p->stats_op = pcap_stats_bpf;
1673 p->cleanup_op = pcap_cleanup_bpf;
1674
1675 return (status);
1676 bad:
1677 pcap_cleanup_bpf(p);
1678 return (status);
1679 }
1680
1681 int
1682 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
1683 {
1684 #ifdef HAVE_DAG_API
1685 if (dag_platform_finddevs(alldevsp, errbuf) < 0)
1686 return (-1);
1687 #endif /* HAVE_DAG_API */
1688
1689 return (0);
1690 }
1691
1692 #ifdef HAVE_BSD_IEEE80211
1693 static int
1694 monitor_mode(pcap_t *p, int set)
1695 {
1696 int sock;
1697 struct ifmediareq req;
1698 int *media_list;
1699 int i;
1700 int can_do;
1701 struct ifreq ifr;
1702
1703 sock = socket(AF_INET, SOCK_DGRAM, 0);
1704 if (sock == -1) {
1705 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't open socket: %s",
1706 pcap_strerror(errno));
1707 return (PCAP_ERROR);
1708 }
1709
1710 memset(&req, 0, sizeof req);
1711 strncpy(req.ifm_name, p->opt.source, sizeof req.ifm_name);
1712
1713 /*
1714 * Find out how many media types we have.
1715 */
1716 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
1717 /*
1718 * Can't get the media types.
1719 */
1720 if (errno == EINVAL) {
1721 /*
1722 * Interface doesn't support SIOC{G,S}IFMEDIA.
1723 */
1724 close(sock);
1725 return (PCAP_ERROR_RFMON_NOTSUP);
1726 }
1727 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA 1: %s",
1728 pcap_strerror(errno));
1729 close(sock);
1730 return (PCAP_ERROR);
1731 }
1732 if (req.ifm_count == 0) {
1733 /*
1734 * No media types.
1735 */
1736 close(sock);
1737 return (PCAP_ERROR_RFMON_NOTSUP);
1738 }
1739
1740 /*
1741 * Allocate a buffer to hold all the media types, and
1742 * get the media types.
1743 */
1744 media_list = malloc(req.ifm_count * sizeof(int));
1745 if (media_list == NULL) {
1746 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s",
1747 pcap_strerror(errno));
1748 close(sock);
1749 return (PCAP_ERROR);
1750 }
1751 req.ifm_ulist = media_list;
1752 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
1753 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA: %s",
1754 pcap_strerror(errno));
1755 free(media_list);
1756 close(sock);
1757 return (PCAP_ERROR);
1758 }
1759
1760 /*
1761 * Look for an 802.11 "automatic" media type.
1762 * We assume that all 802.11 adapters have that media type,
1763 * and that it will carry the monitor mode supported flag.
1764 */
1765 can_do = 0;
1766 for (i = 0; i < req.ifm_count; i++) {
1767 if (IFM_TYPE(media_list[i]) == IFM_IEEE80211
1768 && IFM_SUBTYPE(media_list[i]) == IFM_AUTO) {
1769 /* OK, does it do monitor mode? */
1770 if (media_list[i] & IFM_IEEE80211_MONITOR) {
1771 can_do = 1;
1772 break;
1773 }
1774 }
1775 }
1776 free(media_list);
1777 if (!can_do) {
1778 /*
1779 * This adapter doesn't support monitor mode.
1780 */
1781 close(sock);
1782 return (PCAP_ERROR_RFMON_NOTSUP);
1783 }
1784
1785 if (set) {
1786 /*
1787 * Don't just check whether we can enable monitor mode,
1788 * do so, if it's not already enabled.
1789 */
1790 if ((req.ifm_current & IFM_IEEE80211_MONITOR) == 0) {
1791 /*
1792 * Monitor mode isn't currently on, so turn it on,
1793 * and remember that we should turn it off when the
1794 * pcap_t is closed.
1795 */
1796
1797 /*
1798 * If we haven't already done so, arrange to have
1799 * "pcap_close_all()" called when we exit.
1800 */
1801 if (!pcap_do_addexit(p)) {
1802 /*
1803 * "atexit()" failed; don't put the interface
1804 * in monitor mode, just give up.
1805 */
1806 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1807 "atexit failed");
1808 close(sock);
1809 return (PCAP_ERROR);
1810 }
1811 memset(&ifr, 0, sizeof(ifr));
1812 (void)strncpy(ifr.ifr_name, p->opt.source,
1813 sizeof(ifr.ifr_name));
1814 ifr.ifr_media = req.ifm_current | IFM_IEEE80211_MONITOR;
1815 if (ioctl(sock, SIOCSIFMEDIA, &ifr) == -1) {
1816 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1817 "SIOCSIFMEDIA: %s", pcap_strerror(errno));
1818 close(sock);
1819 return (PCAP_ERROR);
1820 }
1821
1822 p->md.must_clear |= MUST_CLEAR_RFMON;
1823
1824 /*
1825 * Add this to the list of pcaps to close when we exit.
1826 */
1827 pcap_add_to_pcaps_to_close(p);
1828 }
1829 }
1830 return (0);
1831 }
1832 #endif /* HAVE_BSD_IEEE80211 */
1833
1834 #if defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211))
1835 /*
1836 * Check whether we have any 802.11 link-layer types; return the best
1837 * of the 802.11 link-layer types if we find one, and return -1
1838 * otherwise.
1839 *
1840 * DLT_IEEE802_11_RADIO, with the radiotap header, is considered the
1841 * best 802.11 link-layer type; any of the other 802.11-plus-radio
1842 * headers are second-best; 802.11 with no radio information is
1843 * the least good.
1844 */
1845 static int
1846 find_802_11(struct bpf_dltlist *bdlp)
1847 {
1848 int new_dlt;
1849 int i;
1850
1851 /*
1852 * Scan the list of DLT_ values, looking for 802.11 values,
1853 * and, if we find any, choose the best of them.
1854 */
1855 new_dlt = -1;
1856 for (i = 0; i < bdlp->bfl_len; i++) {
1857 switch (bdlp->bfl_list[i]) {
1858
1859 case DLT_IEEE802_11:
1860 /*
1861 * 802.11, but no radio.
1862 *
1863 * Offer this, and select it as the new mode
1864 * unless we've already found an 802.11
1865 * header with radio information.
1866 */
1867 if (new_dlt == -1)
1868 new_dlt = bdlp->bfl_list[i];
1869 break;
1870
1871 case DLT_PRISM_HEADER:
1872 case DLT_AIRONET_HEADER:
1873 case DLT_IEEE802_11_RADIO_AVS:
1874 /*
1875 * 802.11 with radio, but not radiotap.
1876 *
1877 * Offer this, and select it as the new mode
1878 * unless we've already found the radiotap DLT_.
1879 */
1880 if (new_dlt != DLT_IEEE802_11_RADIO)
1881 new_dlt = bdlp->bfl_list[i];
1882 break;
1883
1884 case DLT_IEEE802_11_RADIO:
1885 /*
1886 * 802.11 with radiotap.
1887 *
1888 * Offer this, and select it as the new mode.
1889 */
1890 new_dlt = bdlp->bfl_list[i];
1891 break;
1892
1893 default:
1894 /*
1895 * Not 802.11.
1896 */
1897 break;
1898 }
1899 }
1900
1901 return (new_dlt);
1902 }
1903 #endif /* defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) */
1904
1905 #if defined(__APPLE__) && defined(BIOCGDLTLIST)
1906 /*
1907 * Remove DLT_EN10MB from the list of DLT_ values.
1908 */
1909 static void
1910 remove_en(pcap_t *p)
1911 {
1912 int i, j;
1913
1914 /*
1915 * Scan the list of DLT_ values and discard DLT_EN10MB.
1916 */
1917 j = 0;
1918 for (i = 0; i < p->dlt_count; i++) {
1919 switch (p->dlt_list[i]) {
1920
1921 case DLT_EN10MB:
1922 /*
1923 * Don't offer this one.
1924 */
1925 continue;
1926
1927 default:
1928 /*
1929 * Just copy this mode over.
1930 */
1931 break;
1932 }
1933
1934 /*
1935 * Copy this DLT_ value to its new position.
1936 */
1937 p->dlt_list[j] = p->dlt_list[i];
1938 j++;
1939 }
1940
1941 /*
1942 * Set the DLT_ count to the number of entries we copied.
1943 */
1944 p->dlt_count = j;
1945 }
1946
1947 /*
1948 * Remove DLT_EN10MB from the list of DLT_ values, and look for the
1949 * best 802.11 link-layer type in that list and return it.
1950 * Radiotap is better than anything else; 802.11 with any other radio
1951 * header is better than 802.11 with no radio header.
1952 */
1953 static void
1954 remove_802_11(pcap_t *p)
1955 {
1956 int i, j;
1957
1958 /*
1959 * Scan the list of DLT_ values and discard 802.11 values.
1960 */
1961 j = 0;
1962 for (i = 0; i < p->dlt_count; i++) {
1963 switch (p->dlt_list[i]) {
1964
1965 case DLT_IEEE802_11:
1966 case DLT_PRISM_HEADER:
1967 case DLT_AIRONET_HEADER:
1968 case DLT_IEEE802_11_RADIO:
1969 case DLT_IEEE802_11_RADIO_AVS:
1970 /*
1971 * 802.11. Don't offer this one.
1972 */
1973 continue;
1974
1975 default:
1976 /*
1977 * Just copy this mode over.
1978 */
1979 break;
1980 }
1981
1982 /*
1983 * Copy this DLT_ value to its new position.
1984 */
1985 p->dlt_list[j] = p->dlt_list[i];
1986 j++;
1987 }
1988
1989 /*
1990 * Set the DLT_ count to the number of entries we copied.
1991 */
1992 p->dlt_count = j;
1993 }
1994 #endif /* defined(__APPLE__) && defined(BIOCGDLTLIST) */
1995
1996 static int
1997 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
1998 {
1999 /*
2000 * Free any user-mode filter we might happen to have installed.
2001 */
2002 pcap_freecode(&p->fcode);
2003
2004 /*
2005 * Try to install the kernel filter.
2006 */
2007 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) == 0) {
2008 /*
2009 * It worked.
2010 */
2011 p->md.use_bpf = 1; /* filtering in the kernel */
2012
2013 /*
2014 * Discard any previously-received packets, as they might
2015 * have passed whatever filter was formerly in effect, but
2016 * might not pass this filter (BIOCSETF discards packets
2017 * buffered in the kernel, so you can lose packets in any
2018 * case).
2019 */
2020 p->cc = 0;
2021 return (0);
2022 }
2023
2024 /*
2025 * We failed.
2026 *
2027 * If it failed with EINVAL, that's probably because the program
2028 * is invalid or too big. Validate it ourselves; if we like it
2029 * (we currently allow backward branches, to support protochain),
2030 * run it in userland. (There's no notion of "too big" for
2031 * userland.)
2032 *
2033 * Otherwise, just give up.
2034 * XXX - if the copy of the program into the kernel failed,
2035 * we will get EINVAL rather than, say, EFAULT on at least
2036 * some kernels.
2037 */
2038 if (errno != EINVAL) {
2039 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
2040 pcap_strerror(errno));
2041 return (-1);
2042 }
2043
2044 /*
2045 * install_bpf_program() validates the program.
2046 *
2047 * XXX - what if we already have a filter in the kernel?
2048 */
2049 if (install_bpf_program(p, fp) < 0)
2050 return (-1);
2051 p->md.use_bpf = 0; /* filtering in userland */
2052 return (0);
2053 }
2054
2055 /*
2056 * Set direction flag: Which packets do we accept on a forwarding
2057 * single device? IN, OUT or both?
2058 */
2059 static int
2060 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d)
2061 {
2062 #if defined(BIOCSDIRECTION)
2063 u_int direction;
2064
2065 direction = (d == PCAP_D_IN) ? BPF_D_IN :
2066 ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT);
2067 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) {
2068 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2069 "Cannot set direction to %s: %s",
2070 (d == PCAP_D_IN) ? "PCAP_D_IN" :
2071 ((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"),
2072 strerror(errno));
2073 return (-1);
2074 }
2075 return (0);
2076 #elif defined(BIOCSSEESENT)
2077 u_int seesent;
2078
2079 /*
2080 * We don't support PCAP_D_OUT.
2081 */
2082 if (d == PCAP_D_OUT) {
2083 snprintf(p->errbuf, sizeof(p->errbuf),
2084 "Setting direction to PCAP_D_OUT is not supported on BPF");
2085 return -1;
2086 }
2087
2088 seesent = (d == PCAP_D_INOUT);
2089 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) {
2090 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2091 "Cannot set direction to %s: %s",
2092 (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN",
2093 strerror(errno));
2094 return (-1);
2095 }
2096 return (0);
2097 #else
2098 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2099 "This system doesn't support BIOCSSEESENT, so the direction can't be set");
2100 return (-1);
2101 #endif
2102 }
2103
2104 static int
2105 pcap_set_datalink_bpf(pcap_t *p, int dlt)
2106 {
2107 #ifdef BIOCSDLT
2108 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) {
2109 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2110 "Cannot set DLT %d: %s", dlt, strerror(errno));
2111 return (-1);
2112 }
2113 #endif
2114 return (0);
2115 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism