]> The Tcpdump Group git mirrors - libpcap/blob - pcap-linux.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
From Pawel Pokrywka: add support for requesting that only received
[libpcap] / pcap-linux.c
1 /*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
21 * written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27
28 #ifndef lint
29 static const char rcsid[] _U_ =
30 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.111 2005-05-03 18:53:59 guy Exp $ (LBL)";
31 #endif
32
33 /*
34 * Known problems with 2.0[.x] kernels:
35 *
36 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
37 * if we use PF_PACKET, we can filter out the transmitted version
38 * of the packet by using data in the "sockaddr_ll" returned by
39 * "recvfrom()", but, on 2.0[.x] kernels, we have to use
40 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a
41 * "sockaddr_pkt" which doesn't give us enough information to let
42 * us do that.
43 *
44 * - We have to set the interface's IFF_PROMISC flag ourselves, if
45 * we're to run in promiscuous mode, which means we have to turn
46 * it off ourselves when we're done; the kernel doesn't keep track
47 * of how many sockets are listening promiscuously, which means
48 * it won't get turned off automatically when no sockets are
49 * listening promiscuously. We catch "pcap_close()" and, for
50 * interfaces we put into promiscuous mode, take them out of
51 * promiscuous mode - which isn't necessarily the right thing to
52 * do, if another socket also requested promiscuous mode between
53 * the time when we opened the socket and the time when we close
54 * the socket.
55 *
56 * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()"
57 * return the amount of data that you could have read, rather than
58 * the amount that was returned, so we can't just allocate a buffer
59 * whose size is the snapshot length and pass the snapshot length
60 * as the byte count, and also pass MSG_TRUNC, so that the return
61 * value tells us how long the packet was on the wire.
62 *
63 * This means that, if we want to get the actual size of the packet,
64 * so we can return it in the "len" field of the packet header,
65 * we have to read the entire packet, not just the part that fits
66 * within the snapshot length, and thus waste CPU time copying data
67 * from the kernel that our caller won't see.
68 *
69 * We have to get the actual size, and supply it in "len", because
70 * otherwise, the IP dissector in tcpdump, for example, will complain
71 * about "truncated-ip", as the packet will appear to have been
72 * shorter, on the wire, than the IP header said it should have been.
73 */
74
75
76 #ifdef HAVE_CONFIG_H
77 #include "config.h"
78 #endif
79
80 #include "pcap-int.h"
81 #include "sll.h"
82
83 #ifdef HAVE_DAG_API
84 #include "pcap-dag.h"
85 #endif /* HAVE_DAG_API */
86
87 #include <errno.h>
88 #include <stdlib.h>
89 #include <unistd.h>
90 #include <fcntl.h>
91 #include <string.h>
92 #include <sys/socket.h>
93 #include <sys/ioctl.h>
94 #include <sys/utsname.h>
95 #include <net/if.h>
96 #include <netinet/in.h>
97 #include <linux/if_ether.h>
98 #include <net/if_arp.h>
99
100 /*
101 * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET
102 * sockets rather than SOCK_PACKET sockets.
103 *
104 * To use them, we include <linux/if_packet.h> rather than
105 * <netpacket/packet.h>; we do so because
106 *
107 * some Linux distributions (e.g., Slackware 4.0) have 2.2 or
108 * later kernels and libc5, and don't provide a <netpacket/packet.h>
109 * file;
110 *
111 * not all versions of glibc2 have a <netpacket/packet.h> file
112 * that defines stuff needed for some of the 2.4-or-later-kernel
113 * features, so if the system has a 2.4 or later kernel, we
114 * still can't use those features.
115 *
116 * We're already including a number of other <linux/XXX.h> headers, and
117 * this code is Linux-specific (no other OS has PF_PACKET sockets as
118 * a raw packet capture mechanism), so it's not as if you gain any
119 * useful portability by using <netpacket/packet.h>
120 *
121 * XXX - should we just include <linux/if_packet.h> even if PF_PACKET
122 * isn't defined? It only defines one data structure in 2.0.x, so
123 * it shouldn't cause any problems.
124 */
125 #ifdef PF_PACKET
126 # include <linux/if_packet.h>
127
128 /*
129 * On at least some Linux distributions (for example, Red Hat 5.2),
130 * there's no <netpacket/packet.h> file, but PF_PACKET is defined if
131 * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define
132 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of
133 * the PACKET_xxx stuff.
134 *
135 * So we check whether PACKET_HOST is defined, and assume that we have
136 * PF_PACKET sockets only if it is defined.
137 */
138 # ifdef PACKET_HOST
139 # define HAVE_PF_PACKET_SOCKETS
140 # endif /* PACKET_HOST */
141 #endif /* PF_PACKET */
142
143 #ifdef SO_ATTACH_FILTER
144 #include <linux/types.h>
145 #include <linux/filter.h>
146 #endif
147
148 #ifndef __GLIBC__
149 typedef int socklen_t;
150 #endif
151
152 #ifndef MSG_TRUNC
153 /*
154 * This is being compiled on a system that lacks MSG_TRUNC; define it
155 * with the value it has in the 2.2 and later kernels, so that, on
156 * those kernels, when we pass it in the flags argument to "recvfrom()"
157 * we're passing the right value and thus get the MSG_TRUNC behavior
158 * we want. (We don't get that behavior on 2.0[.x] kernels, because
159 * they didn't support MSG_TRUNC.)
160 */
161 #define MSG_TRUNC 0x20
162 #endif
163
164 #ifndef SOL_PACKET
165 /*
166 * This is being compiled on a system that lacks SOL_PACKET; define it
167 * with the value it has in the 2.2 and later kernels, so that we can
168 * set promiscuous mode in the good modern way rather than the old
169 * 2.0-kernel crappy way.
170 */
171 #define SOL_PACKET 263
172 #endif
173
174 #define MAX_LINKHEADER_SIZE 256
175
176 /*
177 * When capturing on all interfaces we use this as the buffer size.
178 * Should be bigger then all MTUs that occur in real life.
179 * 64kB should be enough for now.
180 */
181 #define BIGGER_THAN_ALL_MTUS (64*1024)
182
183 /*
184 * Prototypes for internal functions
185 */
186 static void map_arphrd_to_dlt(pcap_t *, int, int);
187 static int live_open_old(pcap_t *, const char *, int, int, char *);
188 static int live_open_new(pcap_t *, const char *, int, int, char *);
189 static int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *);
190 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
191 static int pcap_inject_linux(pcap_t *, const void *, size_t);
192 static int pcap_stats_linux(pcap_t *, struct pcap_stat *);
193 static int pcap_setfilter_linux(pcap_t *, struct bpf_program *);
194 static int pcap_setdirection_linux(pcap_t *, direction_t);
195 static void pcap_close_linux(pcap_t *);
196
197 /*
198 * Wrap some ioctl calls
199 */
200 #ifdef HAVE_PF_PACKET_SOCKETS
201 static int iface_get_id(int fd, const char *device, char *ebuf);
202 #endif
203 static int iface_get_mtu(int fd, const char *device, char *ebuf);
204 static int iface_get_arptype(int fd, const char *device, char *ebuf);
205 #ifdef HAVE_PF_PACKET_SOCKETS
206 static int iface_bind(int fd, int ifindex, char *ebuf);
207 #endif
208 static int iface_bind_old(int fd, const char *device, char *ebuf);
209
210 #ifdef SO_ATTACH_FILTER
211 static int fix_program(pcap_t *handle, struct sock_fprog *fcode);
212 static int fix_offset(struct bpf_insn *p);
213 static int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode);
214 static int reset_kernel_filter(pcap_t *handle);
215
216 static struct sock_filter total_insn
217 = BPF_STMT(BPF_RET | BPF_K, 0);
218 static struct sock_fprog total_fcode
219 = { 1, &total_insn };
220 #endif
221
222 /*
223 * Get a handle for a live capture from the given device. You can
224 * pass NULL as device to get all packages (without link level
225 * information of course). If you pass 1 as promisc the interface
226 * will be set to promiscous mode (XXX: I think this usage should
227 * be deprecated and functions be added to select that later allow
228 * modification of that values -- Torsten).
229 *
230 * See also pcap(3).
231 */
232 pcap_t *
233 pcap_open_live(const char *device, int snaplen, int promisc, int to_ms,
234 char *ebuf)
235 {
236 pcap_t *handle;
237 int mtu;
238 int err;
239 int live_open_ok = 0;
240 struct utsname utsname;
241
242 #ifdef HAVE_DAG_API
243 if (strstr(device, "dag")) {
244 return dag_open_live(device, snaplen, promisc, to_ms, ebuf);
245 }
246 #endif /* HAVE_DAG_API */
247
248 /* Allocate a handle for this session. */
249
250 handle = malloc(sizeof(*handle));
251 if (handle == NULL) {
252 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
253 pcap_strerror(errno));
254 return NULL;
255 }
256
257 /* Initialize some components of the pcap structure. */
258
259 memset(handle, 0, sizeof(*handle));
260 handle->snapshot = snaplen;
261 handle->md.timeout = to_ms;
262
263 /*
264 * NULL and "any" are special devices which give us the hint to
265 * monitor all devices.
266 */
267 if (!device || strcmp(device, "any") == 0) {
268 device = NULL;
269 handle->md.device = strdup("any");
270 if (promisc) {
271 promisc = 0;
272 /* Just a warning. */
273 snprintf(ebuf, PCAP_ERRBUF_SIZE,
274 "Promiscuous mode not supported on the \"any\" device");
275 }
276
277 } else
278 handle->md.device = strdup(device);
279
280 if (handle->md.device == NULL) {
281 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
282 pcap_strerror(errno) );
283 free(handle);
284 return NULL;
285 }
286
287 /*
288 * Current Linux kernels use the protocol family PF_PACKET to
289 * allow direct access to all packets on the network while
290 * older kernels had a special socket type SOCK_PACKET to
291 * implement this feature.
292 * While this old implementation is kind of obsolete we need
293 * to be compatible with older kernels for a while so we are
294 * trying both methods with the newer method preferred.
295 */
296
297 if ((err = live_open_new(handle, device, promisc, to_ms, ebuf)) == 1)
298 live_open_ok = 1;
299 else if (err == 0) {
300 /* Non-fatal error; try old way */
301 if (live_open_old(handle, device, promisc, to_ms, ebuf))
302 live_open_ok = 1;
303 }
304 if (!live_open_ok) {
305 /*
306 * Both methods to open the packet socket failed. Tidy
307 * up and report our failure (ebuf is expected to be
308 * set by the functions above).
309 */
310
311 if (handle->md.device != NULL)
312 free(handle->md.device);
313 free(handle);
314 return NULL;
315 }
316
317 /*
318 * Compute the buffer size.
319 *
320 * If we're using SOCK_PACKET, this might be a 2.0[.x] kernel,
321 * and might require special handling - check.
322 */
323 if (handle->md.sock_packet && (uname(&utsname) < 0 ||
324 strncmp(utsname.release, "2.0", 3) == 0)) {
325 /*
326 * We're using a SOCK_PACKET structure, and either
327 * we couldn't find out what kernel release this is,
328 * or it's a 2.0[.x] kernel.
329 *
330 * In the 2.0[.x] kernel, a "recvfrom()" on
331 * a SOCK_PACKET socket, with MSG_TRUNC set, will
332 * return the number of bytes read, so if we pass
333 * a length based on the snapshot length, it'll
334 * return the number of bytes from the packet
335 * copied to userland, not the actual length
336 * of the packet.
337 *
338 * This means that, for example, the IP dissector
339 * in tcpdump will get handed a packet length less
340 * than the length in the IP header, and will
341 * complain about "truncated-ip".
342 *
343 * So we don't bother trying to copy from the
344 * kernel only the bytes in which we're interested,
345 * but instead copy them all, just as the older
346 * versions of libpcap for Linux did.
347 *
348 * The buffer therefore needs to be big enough to
349 * hold the largest packet we can get from this
350 * device. Unfortunately, we can't get the MRU
351 * of the network; we can only get the MTU. The
352 * MTU may be too small, in which case a packet larger
353 * than the buffer size will be truncated *and* we
354 * won't get the actual packet size.
355 *
356 * However, if the snapshot length is larger than
357 * the buffer size based on the MTU, we use the
358 * snapshot length as the buffer size, instead;
359 * this means that with a sufficiently large snapshot
360 * length we won't artificially truncate packets
361 * to the MTU-based size.
362 *
363 * This mess just one of many problems with packet
364 * capture on 2.0[.x] kernels; you really want a
365 * 2.2[.x] or later kernel if you want packet capture
366 * to work well.
367 */
368 mtu = iface_get_mtu(handle->fd, device, ebuf);
369 if (mtu == -1) {
370 pcap_close_linux(handle);
371 free(handle);
372 return NULL;
373 }
374 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
375 if (handle->bufsize < handle->snapshot)
376 handle->bufsize = handle->snapshot;
377 } else {
378 /*
379 * This is a 2.2[.x] or later kernel (we know that
380 * either because we're not using a SOCK_PACKET
381 * socket - PF_PACKET is supported only in 2.2
382 * and later kernels - or because we checked the
383 * kernel version).
384 *
385 * We can safely pass "recvfrom()" a byte count
386 * based on the snapshot length.
387 */
388 handle->bufsize = handle->snapshot;
389 }
390
391 /* Allocate the buffer */
392
393 handle->buffer = malloc(handle->bufsize + handle->offset);
394 if (!handle->buffer) {
395 snprintf(ebuf, PCAP_ERRBUF_SIZE,
396 "malloc: %s", pcap_strerror(errno));
397 pcap_close_linux(handle);
398 free(handle);
399 return NULL;
400 }
401
402 /*
403 * "handle->fd" is a socket, so "select()" and "poll()"
404 * should work on it.
405 */
406 handle->selectable_fd = handle->fd;
407
408 handle->read_op = pcap_read_linux;
409 handle->inject_op = pcap_inject_linux;
410 handle->setfilter_op = pcap_setfilter_linux;
411 handle->setdirection_op = pcap_setdirection_linux;
412 handle->set_datalink_op = NULL; /* can't change data link type */
413 handle->getnonblock_op = pcap_getnonblock_fd;
414 handle->setnonblock_op = pcap_setnonblock_fd;
415 handle->stats_op = pcap_stats_linux;
416 handle->close_op = pcap_close_linux;
417
418 return handle;
419 }
420
421 /*
422 * Read at most max_packets from the capture stream and call the callback
423 * for each of them. Returns the number of packets handled or -1 if an
424 * error occured.
425 */
426 static int
427 pcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
428 {
429 /*
430 * Currently, on Linux only one packet is delivered per read,
431 * so we don't loop.
432 */
433 return pcap_read_packet(handle, callback, user);
434 }
435
436 /*
437 * Read a packet from the socket calling the handler provided by
438 * the user. Returns the number of packets received or -1 if an
439 * error occured.
440 */
441 static int
442 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
443 {
444 u_char *bp;
445 int offset;
446 #ifdef HAVE_PF_PACKET_SOCKETS
447 struct sockaddr_ll from;
448 struct sll_header *hdrp;
449 #else
450 struct sockaddr from;
451 #endif
452 socklen_t fromlen;
453 int packet_len, caplen;
454 struct pcap_pkthdr pcap_header;
455
456 #ifdef HAVE_PF_PACKET_SOCKETS
457 /*
458 * If this is a cooked device, leave extra room for a
459 * fake packet header.
460 */
461 if (handle->md.cooked)
462 offset = SLL_HDR_LEN;
463 else
464 offset = 0;
465 #else
466 /*
467 * This system doesn't have PF_PACKET sockets, so it doesn't
468 * support cooked devices.
469 */
470 offset = 0;
471 #endif
472
473 /* Receive a single packet from the kernel */
474
475 bp = handle->buffer + handle->offset;
476 do {
477 /*
478 * Has "pcap_breakloop()" been called?
479 */
480 if (handle->break_loop) {
481 /*
482 * Yes - clear the flag that indicates that it
483 * has, and return -2 as an indication that we
484 * were told to break out of the loop.
485 */
486 handle->break_loop = 0;
487 return -2;
488 }
489 fromlen = sizeof(from);
490 packet_len = recvfrom(
491 handle->fd, bp + offset,
492 handle->bufsize - offset, MSG_TRUNC,
493 (struct sockaddr *) &from, &fromlen);
494 } while (packet_len == -1 && errno == EINTR);
495
496 /* Check if an error occured */
497
498 if (packet_len == -1) {
499 if (errno == EAGAIN)
500 return 0; /* no packet there */
501 else {
502 snprintf(handle->errbuf, sizeof(handle->errbuf),
503 "recvfrom: %s", pcap_strerror(errno));
504 return -1;
505 }
506 }
507
508 #ifdef HAVE_PF_PACKET_SOCKETS
509 if (!handle->md.sock_packet) {
510 /*
511 * Do checks based on packet direction.
512 * We can only do this if we're using PF_PACKET; the
513 * address returned for SOCK_PACKET is a "sockaddr_pkt"
514 * which lacks the relevant packet type information.
515 */
516 if (from.sll_pkttype == PACKET_OUTGOING) {
517 /*
518 * Outgoing packet.
519 * If this is from the loopback device, reject it;
520 * we'll see the packet as an incoming packet as well,
521 * and we don't want to see it twice.
522 */
523 if (from.sll_ifindex == handle->md.lo_ifindex)
524 return 0;
525
526 /*
527 * If the user only wants incoming packets, reject it.
528 */
529 if (handle->direction == D_IN)
530 return 0;
531 } else {
532 /*
533 * Incoming packet.
534 * If the user only wants outgoing packets, reject it.
535 */
536 if (handle->direction == D_OUT)
537 return 0;
538 }
539 }
540 #endif
541
542 #ifdef HAVE_PF_PACKET_SOCKETS
543 /*
544 * If this is a cooked device, fill in the fake packet header.
545 */
546 if (handle->md.cooked) {
547 /*
548 * Add the length of the fake header to the length
549 * of packet data we read.
550 */
551 packet_len += SLL_HDR_LEN;
552
553 hdrp = (struct sll_header *)bp;
554
555 /*
556 * Map the PACKET_ value to a LINUX_SLL_ value; we
557 * want the same numerical value to be used in
558 * the link-layer header even if the numerical values
559 * for the PACKET_ #defines change, so that programs
560 * that look at the packet type field will always be
561 * able to handle DLT_LINUX_SLL captures.
562 */
563 switch (from.sll_pkttype) {
564
565 case PACKET_HOST:
566 hdrp->sll_pkttype = htons(LINUX_SLL_HOST);
567 break;
568
569 case PACKET_BROADCAST:
570 hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST);
571 break;
572
573 case PACKET_MULTICAST:
574 hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST);
575 break;
576
577 case PACKET_OTHERHOST:
578 hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST);
579 break;
580
581 case PACKET_OUTGOING:
582 hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING);
583 break;
584
585 default:
586 hdrp->sll_pkttype = -1;
587 break;
588 }
589
590 hdrp->sll_hatype = htons(from.sll_hatype);
591 hdrp->sll_halen = htons(from.sll_halen);
592 memcpy(hdrp->sll_addr, from.sll_addr,
593 (from.sll_halen > SLL_ADDRLEN) ?
594 SLL_ADDRLEN :
595 from.sll_halen);
596 hdrp->sll_protocol = from.sll_protocol;
597 }
598 #endif
599
600 /*
601 * XXX: According to the kernel source we should get the real
602 * packet len if calling recvfrom with MSG_TRUNC set. It does
603 * not seem to work here :(, but it is supported by this code
604 * anyway.
605 * To be honest the code RELIES on that feature so this is really
606 * broken with 2.2.x kernels.
607 * I spend a day to figure out what's going on and I found out
608 * that the following is happening:
609 *
610 * The packet comes from a random interface and the packet_rcv
611 * hook is called with a clone of the packet. That code inserts
612 * the packet into the receive queue of the packet socket.
613 * If a filter is attached to that socket that filter is run
614 * first - and there lies the problem. The default filter always
615 * cuts the packet at the snaplen:
616 *
617 * # tcpdump -d
618 * (000) ret #68
619 *
620 * So the packet filter cuts down the packet. The recvfrom call
621 * says "hey, it's only 68 bytes, it fits into the buffer" with
622 * the result that we don't get the real packet length. This
623 * is valid at least until kernel 2.2.17pre6.
624 *
625 * We currently handle this by making a copy of the filter
626 * program, fixing all "ret" instructions with non-zero
627 * operands to have an operand of 65535 so that the filter
628 * doesn't truncate the packet, and supplying that modified
629 * filter to the kernel.
630 */
631
632 caplen = packet_len;
633 if (caplen > handle->snapshot)
634 caplen = handle->snapshot;
635
636 /* Run the packet filter if not using kernel filter */
637 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
638 if (bpf_filter(handle->fcode.bf_insns, bp,
639 packet_len, caplen) == 0)
640 {
641 /* rejected by filter */
642 return 0;
643 }
644 }
645
646 /* Fill in our own header data */
647
648 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
649 snprintf(handle->errbuf, sizeof(handle->errbuf),
650 "ioctl: %s", pcap_strerror(errno));
651 return -1;
652 }
653 pcap_header.caplen = caplen;
654 pcap_header.len = packet_len;
655
656 /*
657 * Count the packet.
658 *
659 * Arguably, we should count them before we check the filter,
660 * as on many other platforms "ps_recv" counts packets
661 * handed to the filter rather than packets that passed
662 * the filter, but if filtering is done in the kernel, we
663 * can't get a count of packets that passed the filter,
664 * and that would mean the meaning of "ps_recv" wouldn't
665 * be the same on all Linux systems.
666 *
667 * XXX - it's not the same on all systems in any case;
668 * ideally, we should have a "get the statistics" call
669 * that supplies more counts and indicates which of them
670 * it supplies, so that we supply a count of packets
671 * handed to the filter only on platforms where that
672 * information is available.
673 *
674 * We count them here even if we can get the packet count
675 * from the kernel, as we can only determine at run time
676 * whether we'll be able to get it from the kernel (if
677 * HAVE_TPACKET_STATS isn't defined, we can't get it from
678 * the kernel, but if it is defined, the library might
679 * have been built with a 2.4 or later kernel, but we
680 * might be running on a 2.2[.x] kernel without Alexey
681 * Kuznetzov's turbopacket patches, and thus the kernel
682 * might not be able to supply those statistics). We
683 * could, I guess, try, when opening the socket, to get
684 * the statistics, and if we can not increment the count
685 * here, but it's not clear that always incrementing
686 * the count is more expensive than always testing a flag
687 * in memory.
688 */
689 handle->md.stat.ps_recv++;
690
691 /* Call the user supplied callback function */
692 callback(userdata, &pcap_header, bp);
693
694 return 1;
695 }
696
697 static int
698 pcap_inject_linux(pcap_t *handle, const void *buf, size_t size)
699 {
700 int ret;
701
702 #ifdef HAVE_PF_PACKET_SOCKETS
703 if (!handle->md.sock_packet) {
704 /* PF_PACKET socket */
705 if (handle->md.ifindex == -1) {
706 /*
707 * We don't support sending on the "any" device.
708 */
709 strlcpy(handle->errbuf,
710 "Sending packets isn't supported on the \"any\" device",
711 PCAP_ERRBUF_SIZE);
712 return (-1);
713 }
714
715 if (handle->md.cooked) {
716 /*
717 * We don't support sending on the "any" device.
718 *
719 * XXX - how do you send on a bound cooked-mode
720 * socket?
721 * Is a "sendto()" required there?
722 */
723 strlcpy(handle->errbuf,
724 "Sending packets isn't supported in cooked mode",
725 PCAP_ERRBUF_SIZE);
726 return (-1);
727 }
728 }
729 #endif
730
731 ret = send(handle->fd, buf, size, 0);
732 if (ret == -1) {
733 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
734 pcap_strerror(errno));
735 return (-1);
736 }
737 return (ret);
738 }
739
740 /*
741 * Get the statistics for the given packet capture handle.
742 * Reports the number of dropped packets iff the kernel supports
743 * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later
744 * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket
745 * patches); otherwise, that information isn't available, and we lie
746 * and report 0 as the count of dropped packets.
747 */
748 static int
749 pcap_stats_linux(pcap_t *handle, struct pcap_stat *stats)
750 {
751 #ifdef HAVE_TPACKET_STATS
752 struct tpacket_stats kstats;
753 socklen_t len = sizeof (struct tpacket_stats);
754 #endif
755
756 #ifdef HAVE_TPACKET_STATS
757 /*
758 * Try to get the packet counts from the kernel.
759 */
760 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS,
761 &kstats, &len) > -1) {
762 /*
763 * In "linux/net/packet/af_packet.c", at least in the
764 * 2.4.9 kernel, "tp_packets" is incremented for every
765 * packet that passes the packet filter *and* is
766 * successfully queued on the socket; "tp_drops" is
767 * incremented for every packet dropped because there's
768 * not enough free space in the socket buffer.
769 *
770 * When the statistics are returned for a PACKET_STATISTICS
771 * "getsockopt()" call, "tp_drops" is added to "tp_packets",
772 * so that "tp_packets" counts all packets handed to
773 * the PF_PACKET socket, including packets dropped because
774 * there wasn't room on the socket buffer - but not
775 * including packets that didn't pass the filter.
776 *
777 * In the BSD BPF, the count of received packets is
778 * incremented for every packet handed to BPF, regardless
779 * of whether it passed the filter.
780 *
781 * We can't make "pcap_stats()" work the same on both
782 * platforms, but the best approximation is to return
783 * "tp_packets" as the count of packets and "tp_drops"
784 * as the count of drops.
785 *
786 * Keep a running total because each call to
787 * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, ....
788 * resets the counters to zero.
789 */
790 handle->md.stat.ps_recv += kstats.tp_packets;
791 handle->md.stat.ps_drop += kstats.tp_drops;
792 }
793 else
794 {
795 /*
796 * If the error was EOPNOTSUPP, fall through, so that
797 * if you build the library on a system with
798 * "struct tpacket_stats" and run it on a system
799 * that doesn't, it works as it does if the library
800 * is built on a system without "struct tpacket_stats".
801 */
802 if (errno != EOPNOTSUPP) {
803 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
804 "pcap_stats: %s", pcap_strerror(errno));
805 return -1;
806 }
807 }
808 #endif
809 /*
810 * On systems where the PACKET_STATISTICS "getsockopt()" argument
811 * is supported on PF_PACKET sockets:
812 *
813 * "ps_recv" counts only packets that *passed* the filter,
814 * not packets that didn't pass the filter. This includes
815 * packets later dropped because we ran out of buffer space.
816 *
817 * "ps_drop" counts packets dropped because we ran out of
818 * buffer space. It doesn't count packets dropped by the
819 * interface driver. It counts only packets that passed
820 * the filter.
821 *
822 * Both statistics include packets not yet read from the
823 * kernel by libpcap, and thus not yet seen by the application.
824 *
825 * On systems where the PACKET_STATISTICS "getsockopt()" argument
826 * is not supported on PF_PACKET sockets:
827 *
828 * "ps_recv" counts only packets that *passed* the filter,
829 * not packets that didn't pass the filter. It does not
830 * count packets dropped because we ran out of buffer
831 * space.
832 *
833 * "ps_drop" is not supported.
834 *
835 * "ps_recv" doesn't include packets not yet read from
836 * the kernel by libpcap.
837 */
838 *stats = handle->md.stat;
839 return 0;
840 }
841
842 /*
843 * Description string for the "any" device.
844 */
845 static const char any_descr[] = "Pseudo-device that captures on all interfaces";
846
847 int
848 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
849 {
850 if (pcap_add_if(alldevsp, "any", 0, any_descr, errbuf) < 0)
851 return (-1);
852
853 #ifdef HAVE_DAG_API
854 if (dag_platform_finddevs(alldevsp, errbuf) < 0)
855 return (-1);
856 #endif /* HAVE_DAG_API */
857
858 return (0);
859 }
860
861 /*
862 * Attach the given BPF code to the packet capture device.
863 */
864 static int
865 pcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter)
866 {
867 #ifdef SO_ATTACH_FILTER
868 struct sock_fprog fcode;
869 int can_filter_in_kernel;
870 int err = 0;
871 #endif
872
873 if (!handle)
874 return -1;
875 if (!filter) {
876 strncpy(handle->errbuf, "setfilter: No filter specified",
877 sizeof(handle->errbuf));
878 return -1;
879 }
880
881 /* Make our private copy of the filter */
882
883 if (install_bpf_program(handle, filter) < 0)
884 /* install_bpf_program() filled in errbuf */
885 return -1;
886
887 /*
888 * Run user level packet filter by default. Will be overriden if
889 * installing a kernel filter succeeds.
890 */
891 handle->md.use_bpf = 0;
892
893 /* Install kernel level filter if possible */
894
895 #ifdef SO_ATTACH_FILTER
896 #ifdef USHRT_MAX
897 if (handle->fcode.bf_len > USHRT_MAX) {
898 /*
899 * fcode.len is an unsigned short for current kernel.
900 * I have yet to see BPF-Code with that much
901 * instructions but still it is possible. So for the
902 * sake of correctness I added this check.
903 */
904 fprintf(stderr, "Warning: Filter too complex for kernel\n");
905 fcode.filter = NULL;
906 can_filter_in_kernel = 0;
907 } else
908 #endif /* USHRT_MAX */
909 {
910 /*
911 * Oh joy, the Linux kernel uses struct sock_fprog instead
912 * of struct bpf_program and of course the length field is
913 * of different size. Pointed out by Sebastian
914 *
915 * Oh, and we also need to fix it up so that all "ret"
916 * instructions with non-zero operands have 65535 as the
917 * operand, and so that, if we're in cooked mode, all
918 * memory-reference instructions use special magic offsets
919 * in references to the link-layer header and assume that
920 * the link-layer payload begins at 0; "fix_program()"
921 * will do that.
922 */
923 switch (fix_program(handle, &fcode)) {
924
925 case -1:
926 default:
927 /*
928 * Fatal error; just quit.
929 * (The "default" case shouldn't happen; we
930 * return -1 for that reason.)
931 */
932 return -1;
933
934 case 0:
935 /*
936 * The program performed checks that we can't make
937 * work in the kernel.
938 */
939 can_filter_in_kernel = 0;
940 break;
941
942 case 1:
943 /*
944 * We have a filter that'll work in the kernel.
945 */
946 can_filter_in_kernel = 1;
947 break;
948 }
949 }
950
951 if (can_filter_in_kernel) {
952 if ((err = set_kernel_filter(handle, &fcode)) == 0)
953 {
954 /* Installation succeded - using kernel filter. */
955 handle->md.use_bpf = 1;
956 }
957 else if (err == -1) /* Non-fatal error */
958 {
959 /*
960 * Print a warning if we weren't able to install
961 * the filter for a reason other than "this kernel
962 * isn't configured to support socket filters.
963 */
964 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
965 fprintf(stderr,
966 "Warning: Kernel filter failed: %s\n",
967 pcap_strerror(errno));
968 }
969 }
970 }
971
972 /*
973 * If we're not using the kernel filter, get rid of any kernel
974 * filter that might've been there before, e.g. because the
975 * previous filter could work in the kernel, or because some other
976 * code attached a filter to the socket by some means other than
977 * calling "pcap_setfilter()". Otherwise, the kernel filter may
978 * filter out packets that would pass the new userland filter.
979 */
980 if (!handle->md.use_bpf)
981 reset_kernel_filter(handle);
982
983 /*
984 * Free up the copy of the filter that was made by "fix_program()".
985 */
986 if (fcode.filter != NULL)
987 free(fcode.filter);
988
989 if (err == -2)
990 /* Fatal error */
991 return -1;
992 #endif /* SO_ATTACH_FILTER */
993
994 return 0;
995 }
996
997 /*
998 * Set direction flag: Which packets do we accept on a forwarding
999 * single device? IN, OUT or both?
1000 */
1001 static int
1002 pcap_setdirection_linux(pcap_t *handle, direction_t d)
1003 {
1004 #ifdef HAVE_PF_PACKET_SOCKETS
1005 if (!handle->md.sock_packet) {
1006 handle->direction = d;
1007 return 0;
1008 }
1009 #endif
1010 /*
1011 * We're not using PF_PACKET sockets, so we can't determine
1012 * the direction of the packet.
1013 */
1014 snprintf(handle->errbuf, sizeof(handle->errbuf),
1015 "Setting direction is not supported on SOCK_PACKET sockets");
1016 return -1;
1017 }
1018
1019 /*
1020 * Linux uses the ARP hardware type to identify the type of an
1021 * interface. pcap uses the DLT_xxx constants for this. This
1022 * function takes a pointer to a "pcap_t", and an ARPHRD_xxx
1023 * constant, as arguments, and sets "handle->linktype" to the
1024 * appropriate DLT_XXX constant and sets "handle->offset" to
1025 * the appropriate value (to make "handle->offset" plus link-layer
1026 * header length be a multiple of 4, so that the link-layer payload
1027 * will be aligned on a 4-byte boundary when capturing packets).
1028 * (If the offset isn't set here, it'll be 0; add code as appropriate
1029 * for cases where it shouldn't be 0.)
1030 *
1031 * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture
1032 * in cooked mode; otherwise, we can't use cooked mode, so we have
1033 * to pick some type that works in raw mode, or fail.
1034 *
1035 * Sets the link type to -1 if unable to map the type.
1036 */
1037 static void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok)
1038 {
1039 switch (arptype) {
1040
1041 case ARPHRD_ETHER:
1042 /*
1043 * This is (presumably) a real Ethernet capture; give it a
1044 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
1045 * that an application can let you choose it, in case you're
1046 * capturing DOCSIS traffic that a Cisco Cable Modem
1047 * Termination System is putting out onto an Ethernet (it
1048 * doesn't put an Ethernet header onto the wire, it puts raw
1049 * DOCSIS frames out on the wire inside the low-level
1050 * Ethernet framing).
1051 *
1052 * XXX - are there any sorts of "fake Ethernet" that have
1053 * ARPHRD_ETHER but that *shouldn't offer DLT_DOCSIS as
1054 * a Cisco CMTS won't put traffic onto it or get traffic
1055 * bridged onto it? ISDN is handled in "live_open_new()",
1056 * as we fall back on cooked mode there; are there any
1057 * others?
1058 */
1059 handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
1060 /*
1061 * If that fails, just leave the list empty.
1062 */
1063 if (handle->dlt_list != NULL) {
1064 handle->dlt_list[0] = DLT_EN10MB;
1065 handle->dlt_list[1] = DLT_DOCSIS;
1066 handle->dlt_count = 2;
1067 }
1068 /* FALLTHROUGH */
1069
1070 case ARPHRD_METRICOM:
1071 case ARPHRD_LOOPBACK:
1072 handle->linktype = DLT_EN10MB;
1073 handle->offset = 2;
1074 break;
1075
1076 case ARPHRD_EETHER:
1077 handle->linktype = DLT_EN3MB;
1078 break;
1079
1080 case ARPHRD_AX25:
1081 handle->linktype = DLT_AX25;
1082 break;
1083
1084 case ARPHRD_PRONET:
1085 handle->linktype = DLT_PRONET;
1086 break;
1087
1088 case ARPHRD_CHAOS:
1089 handle->linktype = DLT_CHAOS;
1090 break;
1091
1092 #ifndef ARPHRD_IEEE802_TR
1093 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */
1094 #endif
1095 case ARPHRD_IEEE802_TR:
1096 case ARPHRD_IEEE802:
1097 handle->linktype = DLT_IEEE802;
1098 handle->offset = 2;
1099 break;
1100
1101 case ARPHRD_ARCNET:
1102 handle->linktype = DLT_ARCNET_LINUX;
1103 break;
1104
1105 #ifndef ARPHRD_FDDI /* From Linux 2.2.13 */
1106 #define ARPHRD_FDDI 774
1107 #endif
1108 case ARPHRD_FDDI:
1109 handle->linktype = DLT_FDDI;
1110 handle->offset = 3;
1111 break;
1112
1113 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
1114 #define ARPHRD_ATM 19
1115 #endif
1116 case ARPHRD_ATM:
1117 /*
1118 * The Classical IP implementation in ATM for Linux
1119 * supports both what RFC 1483 calls "LLC Encapsulation",
1120 * in which each packet has an LLC header, possibly
1121 * with a SNAP header as well, prepended to it, and
1122 * what RFC 1483 calls "VC Based Multiplexing", in which
1123 * different virtual circuits carry different network
1124 * layer protocols, and no header is prepended to packets.
1125 *
1126 * They both have an ARPHRD_ type of ARPHRD_ATM, so
1127 * you can't use the ARPHRD_ type to find out whether
1128 * captured packets will have an LLC header, and,
1129 * while there's a socket ioctl to *set* the encapsulation
1130 * type, there's no ioctl to *get* the encapsulation type.
1131 *
1132 * This means that
1133 *
1134 * programs that dissect Linux Classical IP frames
1135 * would have to check for an LLC header and,
1136 * depending on whether they see one or not, dissect
1137 * the frame as LLC-encapsulated or as raw IP (I
1138 * don't know whether there's any traffic other than
1139 * IP that would show up on the socket, or whether
1140 * there's any support for IPv6 in the Linux
1141 * Classical IP code);
1142 *
1143 * filter expressions would have to compile into
1144 * code that checks for an LLC header and does
1145 * the right thing.
1146 *
1147 * Both of those are a nuisance - and, at least on systems
1148 * that support PF_PACKET sockets, we don't have to put
1149 * up with those nuisances; instead, we can just capture
1150 * in cooked mode. That's what we'll do, if we can.
1151 * Otherwise, we'll just fail.
1152 */
1153 if (cooked_ok)
1154 handle->linktype = DLT_LINUX_SLL;
1155 else
1156 handle->linktype = -1;
1157 break;
1158
1159 #ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */
1160 #define ARPHRD_IEEE80211 801
1161 #endif
1162 case ARPHRD_IEEE80211:
1163 handle->linktype = DLT_IEEE802_11;
1164 break;
1165
1166 #ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */
1167 #define ARPHRD_IEEE80211_PRISM 802
1168 #endif
1169 case ARPHRD_IEEE80211_PRISM:
1170 handle->linktype = DLT_PRISM_HEADER;
1171 break;
1172
1173 case ARPHRD_PPP:
1174 /*
1175 * Some PPP code in the kernel supplies no link-layer
1176 * header whatsoever to PF_PACKET sockets; other PPP
1177 * code supplies PPP link-layer headers ("syncppp.c");
1178 * some PPP code might supply random link-layer
1179 * headers (PPP over ISDN - there's code in Ethereal,
1180 * for example, to cope with PPP-over-ISDN captures
1181 * with which the Ethereal developers have had to cope,
1182 * heuristically trying to determine which of the
1183 * oddball link-layer headers particular packets have).
1184 *
1185 * As such, we just punt, and run all PPP interfaces
1186 * in cooked mode, if we can; otherwise, we just treat
1187 * it as DLT_RAW, for now - if somebody needs to capture,
1188 * on a 2.0[.x] kernel, on PPP devices that supply a
1189 * link-layer header, they'll have to add code here to
1190 * map to the appropriate DLT_ type (possibly adding a
1191 * new DLT_ type, if necessary).
1192 */
1193 if (cooked_ok)
1194 handle->linktype = DLT_LINUX_SLL;
1195 else {
1196 /*
1197 * XXX - handle ISDN types here? We can't fall
1198 * back on cooked sockets, so we'd have to
1199 * figure out from the device name what type of
1200 * link-layer encapsulation it's using, and map
1201 * that to an appropriate DLT_ value, meaning
1202 * we'd map "isdnN" devices to DLT_RAW (they
1203 * supply raw IP packets with no link-layer
1204 * header) and "isdY" devices to a new DLT_I4L_IP
1205 * type that has only an Ethernet packet type as
1206 * a link-layer header.
1207 *
1208 * But sometimes we seem to get random crap
1209 * in the link-layer header when capturing on
1210 * ISDN devices....
1211 */
1212 handle->linktype = DLT_RAW;
1213 }
1214 break;
1215
1216 #ifndef ARPHRD_CISCO
1217 #define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */
1218 #endif
1219 case ARPHRD_CISCO:
1220 handle->linktype = DLT_C_HDLC;
1221 break;
1222
1223 /* Not sure if this is correct for all tunnels, but it
1224 * works for CIPE */
1225 case ARPHRD_TUNNEL:
1226 #ifndef ARPHRD_SIT
1227 #define ARPHRD_SIT 776 /* From Linux 2.2.13 */
1228 #endif
1229 case ARPHRD_SIT:
1230 case ARPHRD_CSLIP:
1231 case ARPHRD_SLIP6:
1232 case ARPHRD_CSLIP6:
1233 case ARPHRD_ADAPT:
1234 case ARPHRD_SLIP:
1235 #ifndef ARPHRD_RAWHDLC
1236 #define ARPHRD_RAWHDLC 518
1237 #endif
1238 case ARPHRD_RAWHDLC:
1239 #ifndef ARPHRD_DLCI
1240 #define ARPHRD_DLCI 15
1241 #endif
1242 case ARPHRD_DLCI:
1243 /*
1244 * XXX - should some of those be mapped to DLT_LINUX_SLL
1245 * instead? Should we just map all of them to DLT_LINUX_SLL?
1246 */
1247 handle->linktype = DLT_RAW;
1248 break;
1249
1250 #ifndef ARPHRD_FRAD
1251 #define ARPHRD_FRAD 770
1252 #endif
1253 case ARPHRD_FRAD:
1254 handle->linktype = DLT_FRELAY;
1255 break;
1256
1257 case ARPHRD_LOCALTLK:
1258 handle->linktype = DLT_LTALK;
1259 break;
1260
1261 #ifndef ARPHRD_FCPP
1262 #define ARPHRD_FCPP 784
1263 #endif
1264 case ARPHRD_FCPP:
1265 #ifndef ARPHRD_FCAL
1266 #define ARPHRD_FCAL 785
1267 #endif
1268 case ARPHRD_FCAL:
1269 #ifndef ARPHRD_FCPL
1270 #define ARPHRD_FCPL 786
1271 #endif
1272 case ARPHRD_FCPL:
1273 #ifndef ARPHRD_FCFABRIC
1274 #define ARPHRD_FCFABRIC 787
1275 #endif
1276 case ARPHRD_FCFABRIC:
1277 /*
1278 * We assume that those all mean RFC 2625 IP-over-
1279 * Fibre Channel, with the RFC 2625 header at
1280 * the beginning of the packet.
1281 */
1282 handle->linktype = DLT_IP_OVER_FC;
1283 break;
1284
1285 #ifndef ARPHRD_IRDA
1286 #define ARPHRD_IRDA 783
1287 #endif
1288 case ARPHRD_IRDA:
1289 /* Don't expect IP packet out of this interfaces... */
1290 handle->linktype = DLT_LINUX_IRDA;
1291 /* We need to save packet direction for IrDA decoding,
1292 * so let's use "Linux-cooked" mode. Jean II */
1293 //handle->md.cooked = 1;
1294 break;
1295
1296 default:
1297 handle->linktype = -1;
1298 break;
1299 }
1300 }
1301
1302 /* ===== Functions to interface to the newer kernels ================== */
1303
1304 /*
1305 * Try to open a packet socket using the new kernel interface.
1306 * Returns 0 on failure.
1307 * FIXME: 0 uses to mean success (Sebastian)
1308 */
1309 static int
1310 live_open_new(pcap_t *handle, const char *device, int promisc,
1311 int to_ms, char *ebuf)
1312 {
1313 #ifdef HAVE_PF_PACKET_SOCKETS
1314 int sock_fd = -1, arptype;
1315 int err;
1316 int fatal_err = 0;
1317 struct packet_mreq mr;
1318
1319 /* One shot loop used for error handling - bail out with break */
1320
1321 do {
1322 /*
1323 * Open a socket with protocol family packet. If a device is
1324 * given we try to open it in raw mode otherwise we use
1325 * the cooked interface.
1326 */
1327 sock_fd = device ?
1328 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
1329 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
1330
1331 if (sock_fd == -1) {
1332 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
1333 pcap_strerror(errno) );
1334 break;
1335 }
1336
1337 /* It seems the kernel supports the new interface. */
1338 handle->md.sock_packet = 0;
1339
1340 /*
1341 * Get the interface index of the loopback device.
1342 * If the attempt fails, don't fail, just set the
1343 * "md.lo_ifindex" to -1.
1344 *
1345 * XXX - can there be more than one device that loops
1346 * packets back, i.e. devices other than "lo"? If so,
1347 * we'd need to find them all, and have an array of
1348 * indices for them, and check all of them in
1349 * "pcap_read_packet()".
1350 */
1351 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf);
1352
1353 /*
1354 * Default value for offset to align link-layer payload
1355 * on a 4-byte boundary.
1356 */
1357 handle->offset = 0;
1358
1359 /*
1360 * What kind of frames do we have to deal with? Fall back
1361 * to cooked mode if we have an unknown interface type.
1362 */
1363
1364 if (device) {
1365 /* Assume for now we don't need cooked mode. */
1366 handle->md.cooked = 0;
1367
1368 arptype = iface_get_arptype(sock_fd, device, ebuf);
1369 if (arptype == -1) {
1370 fatal_err = 1;
1371 break;
1372 }
1373 map_arphrd_to_dlt(handle, arptype, 1);
1374 if (handle->linktype == -1 ||
1375 handle->linktype == DLT_LINUX_SLL ||
1376 handle->linktype == DLT_LINUX_IRDA ||
1377 (handle->linktype == DLT_EN10MB &&
1378 (strncmp("isdn", device, 4) == 0 ||
1379 strncmp("isdY", device, 4) == 0))) {
1380 /*
1381 * Unknown interface type (-1), or a
1382 * device we explicitly chose to run
1383 * in cooked mode (e.g., PPP devices),
1384 * or an ISDN device (whose link-layer
1385 * type we can only determine by using
1386 * APIs that may be different on different
1387 * kernels) - reopen in cooked mode.
1388 */
1389 if (close(sock_fd) == -1) {
1390 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1391 "close: %s", pcap_strerror(errno));
1392 break;
1393 }
1394 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
1395 htons(ETH_P_ALL));
1396 if (sock_fd == -1) {
1397 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1398 "socket: %s", pcap_strerror(errno));
1399 break;
1400 }
1401 handle->md.cooked = 1;
1402
1403 /*
1404 * Get rid of any link-layer type list
1405 * we allocated - this only supports cooked
1406 * capture.
1407 */
1408 if (handle->dlt_list != NULL) {
1409 free(handle->dlt_list);
1410 handle->dlt_list = NULL;
1411 handle->dlt_count = 0;
1412 }
1413
1414 if (handle->linktype == -1) {
1415 /*
1416 * Warn that we're falling back on
1417 * cooked mode; we may want to
1418 * update "map_arphrd_to_dlt()"
1419 * to handle the new type.
1420 */
1421 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1422 "arptype %d not "
1423 "supported by libpcap - "
1424 "falling back to cooked "
1425 "socket",
1426 arptype);
1427 }
1428 /* IrDA capture is not a real "cooked" capture,
1429 * it's IrLAP frames, not IP packets. */
1430 if (handle->linktype != DLT_LINUX_IRDA)
1431 handle->linktype = DLT_LINUX_SLL;
1432 }
1433
1434 handle->md.ifindex = iface_get_id(sock_fd, device, ebuf);
1435 if (handle->md.ifindex == -1)
1436 break;
1437
1438 if ((err = iface_bind(sock_fd, handle->md.ifindex,
1439 ebuf)) < 0) {
1440 if (err == -2)
1441 fatal_err = 1;
1442 break;
1443 }
1444 } else {
1445 /*
1446 * This is cooked mode.
1447 */
1448 handle->md.cooked = 1;
1449 handle->linktype = DLT_LINUX_SLL;
1450
1451 /*
1452 * We're not bound to a device.
1453 * XXX - true? Or true only if we're using
1454 * the "any" device?
1455 * For now, we're using this as an indication
1456 * that we can't transmit; stop doing that only
1457 * if we figure out how to transmit in cooked
1458 * mode.
1459 */
1460 handle->md.ifindex = -1;
1461 }
1462
1463 /*
1464 * Select promiscuous mode on if "promisc" is set.
1465 *
1466 * Do not turn allmulti mode on if we don't select
1467 * promiscuous mode - on some devices (e.g., Orinoco
1468 * wireless interfaces), allmulti mode isn't supported
1469 * and the driver implements it by turning promiscuous
1470 * mode on, and that screws up the operation of the
1471 * card as a normal networking interface, and on no
1472 * other platform I know of does starting a non-
1473 * promiscuous capture affect which multicast packets
1474 * are received by the interface.
1475 */
1476
1477 /*
1478 * Hmm, how can we set promiscuous mode on all interfaces?
1479 * I am not sure if that is possible at all.
1480 */
1481
1482 if (device && promisc) {
1483 memset(&mr, 0, sizeof(mr));
1484 mr.mr_ifindex = handle->md.ifindex;
1485 mr.mr_type = PACKET_MR_PROMISC;
1486 if (setsockopt(sock_fd, SOL_PACKET,
1487 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1)
1488 {
1489 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1490 "setsockopt: %s", pcap_strerror(errno));
1491 break;
1492 }
1493 }
1494
1495 /* Save the socket FD in the pcap structure */
1496
1497 handle->fd = sock_fd;
1498
1499 return 1;
1500
1501 } while(0);
1502
1503 if (sock_fd != -1)
1504 close(sock_fd);
1505
1506 if (fatal_err) {
1507 /*
1508 * Get rid of any link-layer type list we allocated.
1509 */
1510 if (handle->dlt_list != NULL)
1511 free(handle->dlt_list);
1512 return -2;
1513 } else
1514 return 0;
1515 #else
1516 strncpy(ebuf,
1517 "New packet capturing interface not supported by build "
1518 "environment", PCAP_ERRBUF_SIZE);
1519 return 0;
1520 #endif
1521 }
1522
1523 #ifdef HAVE_PF_PACKET_SOCKETS
1524 /*
1525 * Return the index of the given device name. Fill ebuf and return
1526 * -1 on failure.
1527 */
1528 static int
1529 iface_get_id(int fd, const char *device, char *ebuf)
1530 {
1531 struct ifreq ifr;
1532
1533 memset(&ifr, 0, sizeof(ifr));
1534 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1535
1536 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1537 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1538 "ioctl: %s", pcap_strerror(errno));
1539 return -1;
1540 }
1541
1542 return ifr.ifr_ifindex;
1543 }
1544
1545 /*
1546 * Bind the socket associated with FD to the given device.
1547 */
1548 static int
1549 iface_bind(int fd, int ifindex, char *ebuf)
1550 {
1551 struct sockaddr_ll sll;
1552 int err;
1553 socklen_t errlen = sizeof(err);
1554
1555 memset(&sll, 0, sizeof(sll));
1556 sll.sll_family = AF_PACKET;
1557 sll.sll_ifindex = ifindex;
1558 sll.sll_protocol = htons(ETH_P_ALL);
1559
1560 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
1561 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1562 "bind: %s", pcap_strerror(errno));
1563 return -1;
1564 }
1565
1566 /* Any pending errors, e.g., network is down? */
1567
1568 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) {
1569 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1570 "getsockopt: %s", pcap_strerror(errno));
1571 return -2;
1572 }
1573
1574 if (err > 0) {
1575 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1576 "bind: %s", pcap_strerror(err));
1577 return -2;
1578 }
1579
1580 return 0;
1581 }
1582
1583 #endif
1584
1585
1586 /* ===== Functions to interface to the older kernels ================== */
1587
1588 /*
1589 * With older kernels promiscuous mode is kind of interesting because we
1590 * have to reset the interface before exiting. The problem can't really
1591 * be solved without some daemon taking care of managing usage counts.
1592 * If we put the interface into promiscuous mode, we set a flag indicating
1593 * that we must take it out of that mode when the interface is closed,
1594 * and, when closing the interface, if that flag is set we take it out
1595 * of promiscuous mode.
1596 */
1597
1598 /*
1599 * List of pcaps for which we turned promiscuous mode on by hand.
1600 * If there are any such pcaps, we arrange to call "pcap_close_all()"
1601 * when we exit, and have it close all of them to turn promiscuous mode
1602 * off.
1603 */
1604 static struct pcap *pcaps_to_close;
1605
1606 /*
1607 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
1608 * be called on exit.
1609 */
1610 static int did_atexit;
1611
1612 static void pcap_close_all(void)
1613 {
1614 struct pcap *handle;
1615
1616 while ((handle = pcaps_to_close) != NULL)
1617 pcap_close(handle);
1618 }
1619
1620 static void pcap_close_linux( pcap_t *handle )
1621 {
1622 struct pcap *p, *prevp;
1623 struct ifreq ifr;
1624
1625 if (handle->md.clear_promisc) {
1626 /*
1627 * We put the interface into promiscuous mode; take
1628 * it out of promiscuous mode.
1629 *
1630 * XXX - if somebody else wants it in promiscuous mode,
1631 * this code cannot know that, so it'll take it out
1632 * of promiscuous mode. That's not fixable in 2.0[.x]
1633 * kernels.
1634 */
1635 memset(&ifr, 0, sizeof(ifr));
1636 strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name));
1637 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
1638 fprintf(stderr,
1639 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n"
1640 "Please adjust manually.\n"
1641 "Hint: This can't happen with Linux >= 2.2.0.\n",
1642 strerror(errno));
1643 } else {
1644 if (ifr.ifr_flags & IFF_PROMISC) {
1645 /*
1646 * Promiscuous mode is currently on; turn it
1647 * off.
1648 */
1649 ifr.ifr_flags &= ~IFF_PROMISC;
1650 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
1651 fprintf(stderr,
1652 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n"
1653 "Please adjust manually.\n"
1654 "Hint: This can't happen with Linux >= 2.2.0.\n",
1655 strerror(errno));
1656 }
1657 }
1658 }
1659
1660 /*
1661 * Take this pcap out of the list of pcaps for which we
1662 * have to take the interface out of promiscuous mode.
1663 */
1664 for (p = pcaps_to_close, prevp = NULL; p != NULL;
1665 prevp = p, p = p->md.next) {
1666 if (p == handle) {
1667 /*
1668 * Found it. Remove it from the list.
1669 */
1670 if (prevp == NULL) {
1671 /*
1672 * It was at the head of the list.
1673 */
1674 pcaps_to_close = p->md.next;
1675 } else {
1676 /*
1677 * It was in the middle of the list.
1678 */
1679 prevp->md.next = p->md.next;
1680 }
1681 break;
1682 }
1683 }
1684 }
1685
1686 if (handle->md.device != NULL)
1687 free(handle->md.device);
1688 handle->md.device = NULL;
1689 pcap_close_common(handle);
1690 }
1691
1692 /*
1693 * Try to open a packet socket using the old kernel interface.
1694 * Returns 0 on failure.
1695 * FIXME: 0 uses to mean success (Sebastian)
1696 */
1697 static int
1698 live_open_old(pcap_t *handle, const char *device, int promisc,
1699 int to_ms, char *ebuf)
1700 {
1701 int arptype;
1702 struct ifreq ifr;
1703
1704 do {
1705 /* Open the socket */
1706
1707 handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
1708 if (handle->fd == -1) {
1709 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1710 "socket: %s", pcap_strerror(errno));
1711 break;
1712 }
1713
1714 /* It worked - we are using the old interface */
1715 handle->md.sock_packet = 1;
1716
1717 /* ...which means we get the link-layer header. */
1718 handle->md.cooked = 0;
1719
1720 /* Bind to the given device */
1721
1722 if (!device) {
1723 strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems",
1724 PCAP_ERRBUF_SIZE);
1725 break;
1726 }
1727 if (iface_bind_old(handle->fd, device, ebuf) == -1)
1728 break;
1729
1730 /*
1731 * Try to get the link-layer type.
1732 */
1733 arptype = iface_get_arptype(handle->fd, device, ebuf);
1734 if (arptype == -1)
1735 break;
1736
1737 /*
1738 * Try to find the DLT_ type corresponding to that
1739 * link-layer type.
1740 */
1741 map_arphrd_to_dlt(handle, arptype, 0);
1742 if (handle->linktype == -1) {
1743 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1744 "unknown arptype %d", arptype);
1745 break;
1746 }
1747
1748 /* Go to promisc mode if requested */
1749
1750 if (promisc) {
1751 memset(&ifr, 0, sizeof(ifr));
1752 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1753 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
1754 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1755 "ioctl: %s", pcap_strerror(errno));
1756 break;
1757 }
1758 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
1759 /*
1760 * Promiscuous mode isn't currently on,
1761 * so turn it on, and remember that
1762 * we should turn it off when the
1763 * pcap_t is closed.
1764 */
1765
1766 /*
1767 * If we haven't already done so, arrange
1768 * to have "pcap_close_all()" called when
1769 * we exit.
1770 */
1771 if (!did_atexit) {
1772 if (atexit(pcap_close_all) == -1) {
1773 /*
1774 * "atexit()" failed; don't
1775 * put the interface in
1776 * promiscuous mode, just
1777 * give up.
1778 */
1779 strncpy(ebuf, "atexit failed",
1780 PCAP_ERRBUF_SIZE);
1781 break;
1782 }
1783 did_atexit = 1;
1784 }
1785
1786 ifr.ifr_flags |= IFF_PROMISC;
1787 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
1788 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1789 "ioctl: %s",
1790 pcap_strerror(errno));
1791 break;
1792 }
1793 handle->md.clear_promisc = 1;
1794
1795 /*
1796 * Add this to the list of pcaps
1797 * to close when we exit.
1798 */
1799 handle->md.next = pcaps_to_close;
1800 pcaps_to_close = handle;
1801 }
1802 }
1803
1804 /*
1805 * Default value for offset to align link-layer payload
1806 * on a 4-byte boundary.
1807 */
1808 handle->offset = 0;
1809
1810 return 1;
1811
1812 } while (0);
1813
1814 pcap_close_linux(handle);
1815 return 0;
1816 }
1817
1818 /*
1819 * Bind the socket associated with FD to the given device using the
1820 * interface of the old kernels.
1821 */
1822 static int
1823 iface_bind_old(int fd, const char *device, char *ebuf)
1824 {
1825 struct sockaddr saddr;
1826 int err;
1827 socklen_t errlen = sizeof(err);
1828
1829 memset(&saddr, 0, sizeof(saddr));
1830 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
1831 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
1832 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1833 "bind: %s", pcap_strerror(errno));
1834 return -1;
1835 }
1836
1837 /* Any pending errors, e.g., network is down? */
1838
1839 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) {
1840 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1841 "getsockopt: %s", pcap_strerror(errno));
1842 return -1;
1843 }
1844
1845 if (err > 0) {
1846 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1847 "bind: %s", pcap_strerror(err));
1848 return -1;
1849 }
1850
1851 return 0;
1852 }
1853
1854
1855 /* ===== System calls available on all supported kernels ============== */
1856
1857 /*
1858 * Query the kernel for the MTU of the given interface.
1859 */
1860 static int
1861 iface_get_mtu(int fd, const char *device, char *ebuf)
1862 {
1863 struct ifreq ifr;
1864
1865 if (!device)
1866 return BIGGER_THAN_ALL_MTUS;
1867
1868 memset(&ifr, 0, sizeof(ifr));
1869 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1870
1871 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
1872 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1873 "ioctl: %s", pcap_strerror(errno));
1874 return -1;
1875 }
1876
1877 return ifr.ifr_mtu;
1878 }
1879
1880 /*
1881 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1882 */
1883 static int
1884 iface_get_arptype(int fd, const char *device, char *ebuf)
1885 {
1886 struct ifreq ifr;
1887
1888 memset(&ifr, 0, sizeof(ifr));
1889 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1890
1891 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1892 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1893 "ioctl: %s", pcap_strerror(errno));
1894 return -1;
1895 }
1896
1897 return ifr.ifr_hwaddr.sa_family;
1898 }
1899
1900 #ifdef SO_ATTACH_FILTER
1901 static int
1902 fix_program(pcap_t *handle, struct sock_fprog *fcode)
1903 {
1904 size_t prog_size;
1905 register int i;
1906 register struct bpf_insn *p;
1907 struct bpf_insn *f;
1908 int len;
1909
1910 /*
1911 * Make a copy of the filter, and modify that copy if
1912 * necessary.
1913 */
1914 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len;
1915 len = handle->fcode.bf_len;
1916 f = (struct bpf_insn *)malloc(prog_size);
1917 if (f == NULL) {
1918 snprintf(handle->errbuf, sizeof(handle->errbuf),
1919 "malloc: %s", pcap_strerror(errno));
1920 return -1;
1921 }
1922 memcpy(f, handle->fcode.bf_insns, prog_size);
1923 fcode->len = len;
1924 fcode->filter = (struct sock_filter *) f;
1925
1926 for (i = 0; i < len; ++i) {
1927 p = &f[i];
1928 /*
1929 * What type of instruction is this?
1930 */
1931 switch (BPF_CLASS(p->code)) {
1932
1933 case BPF_RET:
1934 /*
1935 * It's a return instruction; is the snapshot
1936 * length a constant, rather than the contents
1937 * of the accumulator?
1938 */
1939 if (BPF_MODE(p->code) == BPF_K) {
1940 /*
1941 * Yes - if the value to be returned,
1942 * i.e. the snapshot length, is anything
1943 * other than 0, make it 65535, so that
1944 * the packet is truncated by "recvfrom()",
1945 * not by the filter.
1946 *
1947 * XXX - there's nothing we can easily do
1948 * if it's getting the value from the
1949 * accumulator; we'd have to insert
1950 * code to force non-zero values to be
1951 * 65535.
1952 */
1953 if (p->k != 0)
1954 p->k = 65535;
1955 }
1956 break;
1957
1958 case BPF_LD:
1959 case BPF_LDX:
1960 /*
1961 * It's a load instruction; is it loading
1962 * from the packet?
1963 */
1964 switch (BPF_MODE(p->code)) {
1965
1966 case BPF_ABS:
1967 case BPF_IND:
1968 case BPF_MSH:
1969 /*
1970 * Yes; are we in cooked mode?
1971 */
1972 if (handle->md.cooked) {
1973 /*
1974 * Yes, so we need to fix this
1975 * instruction.
1976 */
1977 if (fix_offset(p) < 0) {
1978 /*
1979 * We failed to do so.
1980 * Return 0, so our caller
1981 * knows to punt to userland.
1982 */
1983 return 0;
1984 }
1985 }
1986 break;
1987 }
1988 break;
1989 }
1990 }
1991 return 1; /* we succeeded */
1992 }
1993
1994 static int
1995 fix_offset(struct bpf_insn *p)
1996 {
1997 /*
1998 * What's the offset?
1999 */
2000 if (p->k >= SLL_HDR_LEN) {
2001 /*
2002 * It's within the link-layer payload; that starts at an
2003 * offset of 0, as far as the kernel packet filter is
2004 * concerned, so subtract the length of the link-layer
2005 * header.
2006 */
2007 p->k -= SLL_HDR_LEN;
2008 } else if (p->k == 14) {
2009 /*
2010 * It's the protocol field; map it to the special magic
2011 * kernel offset for that field.
2012 */
2013 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL;
2014 } else {
2015 /*
2016 * It's within the header, but it's not one of those
2017 * fields; we can't do that in the kernel, so punt
2018 * to userland.
2019 */
2020 return -1;
2021 }
2022 return 0;
2023 }
2024
2025 static int
2026 set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode)
2027 {
2028 int total_filter_on = 0;
2029 int save_mode;
2030 int ret;
2031 int save_errno;
2032
2033 /*
2034 * The socket filter code doesn't discard all packets queued
2035 * up on the socket when the filter is changed; this means
2036 * that packets that don't match the new filter may show up
2037 * after the new filter is put onto the socket, if those
2038 * packets haven't yet been read.
2039 *
2040 * This means, for example, that if you do a tcpdump capture
2041 * with a filter, the first few packets in the capture might
2042 * be packets that wouldn't have passed the filter.
2043 *
2044 * We therefore discard all packets queued up on the socket
2045 * when setting a kernel filter. (This isn't an issue for
2046 * userland filters, as the userland filtering is done after
2047 * packets are queued up.)
2048 *
2049 * To flush those packets, we put the socket in read-only mode,
2050 * and read packets from the socket until there are no more to
2051 * read.
2052 *
2053 * In order to keep that from being an infinite loop - i.e.,
2054 * to keep more packets from arriving while we're draining
2055 * the queue - we put the "total filter", which is a filter
2056 * that rejects all packets, onto the socket before draining
2057 * the queue.
2058 *
2059 * This code deliberately ignores any errors, so that you may
2060 * get bogus packets if an error occurs, rather than having
2061 * the filtering done in userland even if it could have been
2062 * done in the kernel.
2063 */
2064 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
2065 &total_fcode, sizeof(total_fcode)) == 0) {
2066 char drain[1];
2067
2068 /*
2069 * Note that we've put the total filter onto the socket.
2070 */
2071 total_filter_on = 1;
2072
2073 /*
2074 * Save the socket's current mode, and put it in
2075 * non-blocking mode; we drain it by reading packets
2076 * until we get an error (which is normally a
2077 * "nothing more to be read" error).
2078 */
2079 save_mode = fcntl(handle->fd, F_GETFL, 0);
2080 if (save_mode != -1 &&
2081 fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) {
2082 while (recv(handle->fd, &drain, sizeof drain,
2083 MSG_TRUNC) >= 0)
2084 ;
2085 save_errno = errno;
2086 fcntl(handle->fd, F_SETFL, save_mode);
2087 if (save_errno != EAGAIN) {
2088 /* Fatal error */
2089 reset_kernel_filter(handle);
2090 snprintf(handle->errbuf, sizeof(handle->errbuf),
2091 "recv: %s", pcap_strerror(save_errno));
2092 return -2;
2093 }
2094 }
2095 }
2096
2097 /*
2098 * Now attach the new filter.
2099 */
2100 ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
2101 fcode, sizeof(*fcode));
2102 if (ret == -1 && total_filter_on) {
2103 /*
2104 * Well, we couldn't set that filter on the socket,
2105 * but we could set the total filter on the socket.
2106 *
2107 * This could, for example, mean that the filter was
2108 * too big to put into the kernel, so we'll have to
2109 * filter in userland; in any case, we'll be doing
2110 * filtering in userland, so we need to remove the
2111 * total filter so we see packets.
2112 */
2113 save_errno = errno;
2114
2115 /*
2116 * XXX - if this fails, we're really screwed;
2117 * we have the total filter on the socket,
2118 * and it won't come off. What do we do then?
2119 */
2120 reset_kernel_filter(handle);
2121
2122 errno = save_errno;
2123 }
2124 return ret;
2125 }
2126
2127 static int
2128 reset_kernel_filter(pcap_t *handle)
2129 {
2130 /* setsockopt() barfs unless it get a dummy parameter */
2131 int dummy;
2132
2133 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER,
2134 &dummy, sizeof(dummy));
2135 }
2136 #endif
[mirror] the LIBpcap interface to various kernel packet capture mechanism