static int jflag = -1; /* packet time stamp source */
static int pflag; /* don't go promiscuous */
#ifdef HAVE_PCAP_SETDIRECTION
-int Qflag = -1; /* restrict captured packet by send/receive direction */
+static int Qflag = -1; /* restrict captured packet by send/receive direction */
#endif
static int Uflag; /* "unbuffered" output of dump files */
static int Wflag; /* recycle output files after this number of files */
static RETSIGTYPE child_cleanup(int);
static void print_version(void);
static void print_usage(void);
-static void show_tstamp_types_and_exit(const char *device) __attribute__((noreturn));
-static void show_dlts_and_exit(const char *device) __attribute__((noreturn));
+static void show_tstamp_types_and_exit(pcap_t *, const char *device) __attribute__((noreturn));
+static void show_dlts_and_exit(pcap_t *, const char *device) __attribute__((noreturn));
#ifdef HAVE_PCAP_FINDALLDEVS
static void show_devices_and_exit (void) __attribute__((noreturn));
#endif
#ifdef HAVE_PCAP_SET_TSTAMP_TYPE
static void
-show_tstamp_types_and_exit(const char *device)
+show_tstamp_types_and_exit(pcap_t *pc, const char *device)
{
int n_tstamp_types;
int *tstamp_types = 0;
const char *tstamp_type_name;
int i;
- n_tstamp_types = pcap_list_tstamp_types(pd, &tstamp_types);
+ n_tstamp_types = pcap_list_tstamp_types(pc, &tstamp_types);
if (n_tstamp_types < 0)
- error("%s", pcap_geterr(pd));
+ error("%s", pcap_geterr(pc));
if (n_tstamp_types == 0) {
fprintf(stderr, "Time stamp type cannot be set for %s\n",
#endif
static void
-show_dlts_and_exit(const char *device)
+show_dlts_and_exit(pcap_t *pc, const char *device)
{
int n_dlts, i;
int *dlts = 0;
const char *dlt_name;
- n_dlts = pcap_list_datalinks(pd, &dlts);
+ n_dlts = pcap_list_datalinks(pc, &dlts);
if (n_dlts < 0)
- error("%s", pcap_geterr(pd));
+ error("%s", pcap_geterr(pc));
else if (n_dlts == 0 || !dlts)
error("No data link types.");
* OS X tcpdump uses -g to force non--v output for IP to be on one
* line, making it more "g"repable;
*
- * OS X tcpdump uses -k tospecify that packet comments in pcap-ng files
+ * OS X tcpdump uses -k to specify that packet comments in pcap-ng files
* should be printed;
*
* OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done
exit_tcpdump(1);
}
#ifdef HAVE_LIBCAP_NG
- /* We don't need CAP_SETUID and CAP_SETGID any more. */
+ /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */
capng_updatev(
CAPNG_DROP,
CAPNG_EFFECTIVE | CAPNG_PERMITTED,
CAP_SETUID,
CAP_SETGID,
+ CAP_SYS_CHROOT,
-1);
capng_apply(CAPNG_SELECT_BOTH);
#endif /* HAVE_LIBCAP_NG */
}
#ifdef HAVE_PCAP_SET_TSTAMP_TYPE
if (Jflag)
- show_tstamp_types_and_exit(device);
+ show_tstamp_types_and_exit(pc, device);
#endif
#ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
status = pcap_set_tstamp_precision(pc, ndo->ndo_tstamp_precision);
}
#endif /* !defined(HAVE_PCAP_CREATE) && defined(_WIN32) */
if (Lflag)
- show_dlts_and_exit(device);
+ show_dlts_and_exit(pd, device);
if (yflag_dlt >= 0) {
#ifdef HAVE_PCAP_SET_DATALINK
if (pcap_set_datalink(pd, yflag_dlt) < 0)
CAP_SETGID,
-1);
}
+ if (chroot_dir) {
+ capng_update(
+ CAPNG_ADD,
+ CAPNG_PERMITTED | CAPNG_EFFECTIVE,
+ CAP_SYS_CHROOT
+ );
+ }
if (WFileName) {
capng_update(
if (RFileName == NULL && VFileName == NULL) {
static const unsigned long cmds[] = { BIOCGSTATS, BIOCROTZBUF };
- cap_rights_init(&rights, CAP_IOCTL, CAP_READ);
+ /*
+ * The various libpcap devices use a combination of
+ * read (bpf), ioctl (bpf, netmap), poll (netmap)
+ * so we add the relevant access rights.
+ */
+ cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT);
if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
errno != ENOSYS) {
error("unable to limit pcap descriptor");
if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) {
(void)fprintf(stderr, "Maximum file limit reached: %d\n",
Wflag);
+ info(1);
exit_tcpdump(0);
/* NOTREACHED */
}
projects / tcpdump / blobdiff