1/*
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
--- 13 unchanged lines hidden (view full) ---
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27
28#ifndef lint
29static const char rcsid[] _U_ =
30 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.110.2.6 2005/08/16 04:25:26 guy Exp $ (LBL)";
31#endif
32
33/*
34 * Known problems with 2.0[.x] kernels:
35 *
36 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
37 * if we use PF_PACKET, we can filter out the transmitted version
38 * of the packet by using data in the "sockaddr_ll" returned by
--- 350 unchanged lines hidden (view full) ---
389 * This is a 2.2[.x] or later kernel (we know that
390 * either because we're not using a SOCK_PACKET
391 * socket - PF_PACKET is supported only in 2.2
392 * and later kernels - or because we checked the
393 * kernel version).
394 *
395 * We can safely pass "recvfrom()" a byte count
396 * based on the snapshot length.
397 */
398 handle->bufsize = handle->snapshot;
399 }
400
401 /* Allocate the buffer */
402
403 handle->buffer = malloc(handle->bufsize + handle->offset);
404 if (!handle->buffer) {
405 snprintf(ebuf, PCAP_ERRBUF_SIZE,
--- 107 unchanged lines hidden (view full) ---
513 "recvfrom: %s", pcap_strerror(errno));
514 return -1;
515 }
516 }
517
518#ifdef HAVE_PF_PACKET_SOCKETS
519 if (!handle->md.sock_packet) {
520 /*
521 * Do checks based on packet direction.
522 * We can only do this if we're using PF_PACKET; the
523 * address returned for SOCK_PACKET is a "sockaddr_pkt"
524 * which lacks the relevant packet type information.
525 */
526 if (from.sll_pkttype == PACKET_OUTGOING) {
527 /*
528 * Outgoing packet.
--- 123 unchanged lines hidden (view full) ---
652 return 0;
653 }
654 }
655
656 /* Fill in our own header data */
657
658 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
659 snprintf(handle->errbuf, sizeof(handle->errbuf),
660 "ioctl: %s", pcap_strerror(errno));
661 return -1;
662 }
663 pcap_header.caplen = caplen;
664 pcap_header.len = packet_len;
665
666 /*
667 * Count the packet.
668 *
--- 21 unchanged lines hidden (view full) ---
690 * might be running on a 2.2[.x] kernel without Alexey
691 * Kuznetzov's turbopacket patches, and thus the kernel
692 * might not be able to supply those statistics). We
693 * could, I guess, try, when opening the socket, to get
694 * the statistics, and if we can not increment the count
695 * here, but it's not clear that always incrementing
696 * the count is more expensive than always testing a flag
697 * in memory.
698 */
699 handle->md.stat.ps_recv++;
700
701 /* Call the user supplied callback function */
702 callback(userdata, &pcap_header, bp);
703
704 return 1;
705}
706
707static int
--- 57 unchanged lines hidden (view full) ---
765
766#ifdef HAVE_TPACKET_STATS
767 /*
768 * Try to get the packet counts from the kernel.
769 */
770 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS,
771 &kstats, &len) > -1) {
772 /*
773 * In "linux/net/packet/af_packet.c", at least in the
774 * 2.4.9 kernel, "tp_packets" is incremented for every
775 * packet that passes the packet filter *and* is
776 * successfully queued on the socket; "tp_drops" is
777 * incremented for every packet dropped because there's
778 * not enough free space in the socket buffer.
779 *
780 * When the statistics are returned for a PACKET_STATISTICS
--- 13 unchanged lines hidden (view full) ---
794 * as the count of drops.
795 *
796 * Keep a running total because each call to
797 * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, ....
798 * resets the counters to zero.
799 */
800 handle->md.stat.ps_recv += kstats.tp_packets;
801 handle->md.stat.ps_drop += kstats.tp_drops;
802 }
803 else
804 {
805 /*
806 * If the error was EOPNOTSUPP, fall through, so that
807 * if you build the library on a system with
808 * "struct tpacket_stats" and run it on a system
809 * that doesn't, it works as it does if the library
810 * is built on a system without "struct tpacket_stats".
811 */
812 if (errno != EOPNOTSUPP) {
813 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
814 "pcap_stats: %s", pcap_strerror(errno));
815 return -1;
816 }
817 }
818#endif
819 /*
820 * On systems where the PACKET_STATISTICS "getsockopt()" argument
821 * is supported on PF_PACKET sockets:
822 *
823 * "ps_recv" counts only packets that *passed* the filter,
824 * not packets that didn't pass the filter. This includes
825 * packets later dropped because we ran out of buffer space.
826 *
827 * "ps_drop" counts packets dropped because we ran out of
828 * buffer space. It doesn't count packets dropped by the
829 * interface driver. It counts only packets that passed
830 * the filter.
831 *
832 * Both statistics include packets not yet read from the
833 * kernel by libpcap, and thus not yet seen by the application.
834 *
835 * On systems where the PACKET_STATISTICS "getsockopt()" argument
836 * is not supported on PF_PACKET sockets:
837 *
838 * "ps_recv" counts only packets that *passed* the filter,
839 * not packets that didn't pass the filter. It does not
840 * count packets dropped because we ran out of buffer
841 * space.
842 *
843 * "ps_drop" is not supported.
844 *
845 * "ps_recv" doesn't include packets not yet read from
846 * the kernel by libpcap.
847 */
848 *stats = handle->md.stat;
849 return 0;
850}
851
852/*
853 * Description string for the "any" device.
854 */
855static const char any_descr[] = "Pseudo-device that captures on all interfaces";
856
--- 55 unchanged lines hidden (view full) ---
912 if (handle->fcode.bf_len > USHRT_MAX) {
913 /*
914 * fcode.len is an unsigned short for current kernel.
915 * I have yet to see BPF-Code with that much
916 * instructions but still it is possible. So for the
917 * sake of correctness I added this check.
918 */
919 fprintf(stderr, "Warning: Filter too complex for kernel\n");
920 fcode.filter = NULL;
921 can_filter_in_kernel = 0;
922 } else
923#endif /* USHRT_MAX */
924 {
925 /*
926 * Oh joy, the Linux kernel uses struct sock_fprog instead
927 * of struct bpf_program and of course the length field is
--- 382 unchanged lines hidden (view full) ---
1310 case ARPHRD_IRDA:
1311 /* Don't expect IP packet out of this interfaces... */
1312 handle->linktype = DLT_LINUX_IRDA;
1313 /* We need to save packet direction for IrDA decoding,
1314 * so let's use "Linux-cooked" mode. Jean II */
1315 //handle->md.cooked = 1;
1316 break;
1317
1318 default:
1319 handle->linktype = -1;
1320 break;
1321 }
1322}
1323
1324/* ===== Functions to interface to the newer kernels ================== */
1325
--- 65 unchanged lines hidden (view full) ---
1391 if (arptype == -1) {
1392 fatal_err = 1;
1393 break;
1394 }
1395 map_arphrd_to_dlt(handle, arptype, 1);
1396 if (handle->linktype == -1 ||
1397 handle->linktype == DLT_LINUX_SLL ||
1398 handle->linktype == DLT_LINUX_IRDA ||
1399 (handle->linktype == DLT_EN10MB &&
1400 (strncmp("isdn", device, 4) == 0 ||
1401 strncmp("isdY", device, 4) == 0))) {
1402 /*
1403 * Unknown interface type (-1), or a
1404 * device we explicitly chose to run
1405 * in cooked mode (e.g., PPP devices),
1406 * or an ISDN device (whose link-layer
--- 37 unchanged lines hidden (view full) ---
1444 "arptype %d not "
1445 "supported by libpcap - "
1446 "falling back to cooked "
1447 "socket",
1448 arptype);
1449 }
1450 /* IrDA capture is not a real "cooked" capture,
1451 * it's IrLAP frames, not IP packets. */
1452 if (handle->linktype != DLT_LINUX_IRDA)
1453 handle->linktype = DLT_LINUX_SLL;
1454 }
1455
1456 handle->md.ifindex = iface_get_id(sock_fd, device, ebuf);
1457 if (handle->md.ifindex == -1)
1458 break;
1459
1460 if ((err = iface_bind(sock_fd, handle->md.ifindex,
--- 91 unchanged lines hidden (view full) ---
1552{
1553 struct ifreq ifr;
1554
1555 memset(&ifr, 0, sizeof(ifr));
1556 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1557
1558 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1559 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1560 "ioctl: %s", pcap_strerror(errno));
1561 return -1;
1562 }
1563
1564 return ifr.ifr_ifindex;
1565}
1566
1567/*
1568 * Bind the socket associated with FD to the given device.
--- 200 unchanged lines hidden (view full) ---
1769
1770 /* Go to promisc mode if requested */
1771
1772 if (promisc) {
1773 memset(&ifr, 0, sizeof(ifr));
1774 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1775 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
1776 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1777 "ioctl: %s", pcap_strerror(errno));
1778 break;
1779 }
1780 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
1781 /*
1782 * Promiscuous mode isn't currently on,
1783 * so turn it on, and remember that
1784 * we should turn it off when the
1785 * pcap_t is closed.
--- 17 unchanged lines hidden (view full) ---
1803 break;
1804 }
1805 did_atexit = 1;
1806 }
1807
1808 ifr.ifr_flags |= IFF_PROMISC;
1809 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
1810 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1811 "ioctl: %s",
1812 pcap_strerror(errno));
1813 break;
1814 }
1815 handle->md.clear_promisc = 1;
1816
1817 /*
1818 * Add this to the list of pcaps
1819 * to close when we exit.
--- 67 unchanged lines hidden (view full) ---
1887 if (!device)
1888 return BIGGER_THAN_ALL_MTUS;
1889
1890 memset(&ifr, 0, sizeof(ifr));
1891 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1892
1893 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
1894 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1895 "ioctl: %s", pcap_strerror(errno));
1896 return -1;
1897 }
1898
1899 return ifr.ifr_mtu;
1900}
1901
1902/*
1903 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1904 */
1905static int
1906iface_get_arptype(int fd, const char *device, char *ebuf)
1907{
1908 struct ifreq ifr;
1909
1910 memset(&ifr, 0, sizeof(ifr));
1911 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1912
1913 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1914 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1915 "ioctl: %s", pcap_strerror(errno));
1916 return -1;
1917 }
1918
1919 return ifr.ifr_hwaddr.sa_family;
1920}
1921
1922#ifdef SO_ATTACH_FILTER
1923static int
--- 220 unchanged lines hidden (view full) ---
2144 errno = save_errno;
2145 }
2146 return ret;
2147}
2148
2149static int
2150reset_kernel_filter(pcap_t *handle)
2151{
2152 /* setsockopt() barfs unless it get a dummy parameter */
2153 int dummy;
2154
2155 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER,
2156 &dummy, sizeof(dummy));
2157}
2158#endif
2 * pcap-linux.c: Packet capture interface to the Linux kernel
3 *
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
6 *
7 * License: BSD
8 *
--- 13 unchanged lines hidden (view full) ---
22 *
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
26 */
27
28#ifndef lint
29static const char rcsid[] _U_ =
30 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.110.2.6 2005/08/16 04:25:26 guy Exp $ (LBL)";
31#endif
32
33/*
34 * Known problems with 2.0[.x] kernels:
35 *
36 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
37 * if we use PF_PACKET, we can filter out the transmitted version
38 * of the packet by using data in the "sockaddr_ll" returned by
--- 350 unchanged lines hidden (view full) ---
389 * This is a 2.2[.x] or later kernel (we know that
390 * either because we're not using a SOCK_PACKET
391 * socket - PF_PACKET is supported only in 2.2
392 * and later kernels - or because we checked the
393 * kernel version).
394 *
395 * We can safely pass "recvfrom()" a byte count
396 * based on the snapshot length.
397 */
398 handle->bufsize = handle->snapshot;
399 }
400
401 /* Allocate the buffer */
402
403 handle->buffer = malloc(handle->bufsize + handle->offset);
404 if (!handle->buffer) {
405 snprintf(ebuf, PCAP_ERRBUF_SIZE,
--- 107 unchanged lines hidden (view full) ---
513 "recvfrom: %s", pcap_strerror(errno));
514 return -1;
515 }
516 }
517
518#ifdef HAVE_PF_PACKET_SOCKETS
519 if (!handle->md.sock_packet) {
520 /*
521 * Do checks based on packet direction.
522 * We can only do this if we're using PF_PACKET; the
523 * address returned for SOCK_PACKET is a "sockaddr_pkt"
524 * which lacks the relevant packet type information.
525 */
526 if (from.sll_pkttype == PACKET_OUTGOING) {
527 /*
528 * Outgoing packet.
--- 123 unchanged lines hidden (view full) ---
652 return 0;
653 }
654 }
655
656 /* Fill in our own header data */
657
658 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
659 snprintf(handle->errbuf, sizeof(handle->errbuf),
660 "ioctl: %s", pcap_strerror(errno));
661 return -1;
662 }
663 pcap_header.caplen = caplen;
664 pcap_header.len = packet_len;
665
666 /*
667 * Count the packet.
668 *
--- 21 unchanged lines hidden (view full) ---
690 * might be running on a 2.2[.x] kernel without Alexey
691 * Kuznetzov's turbopacket patches, and thus the kernel
692 * might not be able to supply those statistics). We
693 * could, I guess, try, when opening the socket, to get
694 * the statistics, and if we can not increment the count
695 * here, but it's not clear that always incrementing
696 * the count is more expensive than always testing a flag
697 * in memory.
698 */
699 handle->md.stat.ps_recv++;
700
701 /* Call the user supplied callback function */
702 callback(userdata, &pcap_header, bp);
703
704 return 1;
705}
706
707static int
--- 57 unchanged lines hidden (view full) ---
765
766#ifdef HAVE_TPACKET_STATS
767 /*
768 * Try to get the packet counts from the kernel.
769 */
770 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS,
771 &kstats, &len) > -1) {
772 /*
773 * In "linux/net/packet/af_packet.c", at least in the
774 * 2.4.9 kernel, "tp_packets" is incremented for every
775 * packet that passes the packet filter *and* is
776 * successfully queued on the socket; "tp_drops" is
777 * incremented for every packet dropped because there's
778 * not enough free space in the socket buffer.
779 *
780 * When the statistics are returned for a PACKET_STATISTICS
--- 13 unchanged lines hidden (view full) ---
794 * as the count of drops.
795 *
796 * Keep a running total because each call to
797 * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, ....
798 * resets the counters to zero.
799 */
800 handle->md.stat.ps_recv += kstats.tp_packets;
801 handle->md.stat.ps_drop += kstats.tp_drops;
802 }
803 else
804 {
805 /*
806 * If the error was EOPNOTSUPP, fall through, so that
807 * if you build the library on a system with
808 * "struct tpacket_stats" and run it on a system
809 * that doesn't, it works as it does if the library
810 * is built on a system without "struct tpacket_stats".
811 */
812 if (errno != EOPNOTSUPP) {
813 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE,
814 "pcap_stats: %s", pcap_strerror(errno));
815 return -1;
816 }
817 }
818#endif
819 /*
820 * On systems where the PACKET_STATISTICS "getsockopt()" argument
821 * is supported on PF_PACKET sockets:
822 *
823 * "ps_recv" counts only packets that *passed* the filter,
824 * not packets that didn't pass the filter. This includes
825 * packets later dropped because we ran out of buffer space.
826 *
827 * "ps_drop" counts packets dropped because we ran out of
828 * buffer space. It doesn't count packets dropped by the
829 * interface driver. It counts only packets that passed
830 * the filter.
831 *
832 * Both statistics include packets not yet read from the
833 * kernel by libpcap, and thus not yet seen by the application.
834 *
835 * On systems where the PACKET_STATISTICS "getsockopt()" argument
836 * is not supported on PF_PACKET sockets:
837 *
838 * "ps_recv" counts only packets that *passed* the filter,
839 * not packets that didn't pass the filter. It does not
840 * count packets dropped because we ran out of buffer
841 * space.
842 *
843 * "ps_drop" is not supported.
844 *
845 * "ps_recv" doesn't include packets not yet read from
846 * the kernel by libpcap.
847 */
848 *stats = handle->md.stat;
849 return 0;
850}
851
852/*
853 * Description string for the "any" device.
854 */
855static const char any_descr[] = "Pseudo-device that captures on all interfaces";
856
--- 55 unchanged lines hidden (view full) ---
912 if (handle->fcode.bf_len > USHRT_MAX) {
913 /*
914 * fcode.len is an unsigned short for current kernel.
915 * I have yet to see BPF-Code with that much
916 * instructions but still it is possible. So for the
917 * sake of correctness I added this check.
918 */
919 fprintf(stderr, "Warning: Filter too complex for kernel\n");
920 fcode.filter = NULL;
921 can_filter_in_kernel = 0;
922 } else
923#endif /* USHRT_MAX */
924 {
925 /*
926 * Oh joy, the Linux kernel uses struct sock_fprog instead
927 * of struct bpf_program and of course the length field is
--- 382 unchanged lines hidden (view full) ---
1310 case ARPHRD_IRDA:
1311 /* Don't expect IP packet out of this interfaces... */
1312 handle->linktype = DLT_LINUX_IRDA;
1313 /* We need to save packet direction for IrDA decoding,
1314 * so let's use "Linux-cooked" mode. Jean II */
1315 //handle->md.cooked = 1;
1316 break;
1317
1318 default:
1319 handle->linktype = -1;
1320 break;
1321 }
1322}
1323
1324/* ===== Functions to interface to the newer kernels ================== */
1325
--- 65 unchanged lines hidden (view full) ---
1391 if (arptype == -1) {
1392 fatal_err = 1;
1393 break;
1394 }
1395 map_arphrd_to_dlt(handle, arptype, 1);
1396 if (handle->linktype == -1 ||
1397 handle->linktype == DLT_LINUX_SLL ||
1398 handle->linktype == DLT_LINUX_IRDA ||
1399 (handle->linktype == DLT_EN10MB &&
1400 (strncmp("isdn", device, 4) == 0 ||
1401 strncmp("isdY", device, 4) == 0))) {
1402 /*
1403 * Unknown interface type (-1), or a
1404 * device we explicitly chose to run
1405 * in cooked mode (e.g., PPP devices),
1406 * or an ISDN device (whose link-layer
--- 37 unchanged lines hidden (view full) ---
1444 "arptype %d not "
1445 "supported by libpcap - "
1446 "falling back to cooked "
1447 "socket",
1448 arptype);
1449 }
1450 /* IrDA capture is not a real "cooked" capture,
1451 * it's IrLAP frames, not IP packets. */
1452 if (handle->linktype != DLT_LINUX_IRDA)
1453 handle->linktype = DLT_LINUX_SLL;
1454 }
1455
1456 handle->md.ifindex = iface_get_id(sock_fd, device, ebuf);
1457 if (handle->md.ifindex == -1)
1458 break;
1459
1460 if ((err = iface_bind(sock_fd, handle->md.ifindex,
--- 91 unchanged lines hidden (view full) ---
1552{
1553 struct ifreq ifr;
1554
1555 memset(&ifr, 0, sizeof(ifr));
1556 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1557
1558 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
1559 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1560 "ioctl: %s", pcap_strerror(errno));
1561 return -1;
1562 }
1563
1564 return ifr.ifr_ifindex;
1565}
1566
1567/*
1568 * Bind the socket associated with FD to the given device.
--- 200 unchanged lines hidden (view full) ---
1769
1770 /* Go to promisc mode if requested */
1771
1772 if (promisc) {
1773 memset(&ifr, 0, sizeof(ifr));
1774 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1775 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
1776 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1777 "ioctl: %s", pcap_strerror(errno));
1778 break;
1779 }
1780 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
1781 /*
1782 * Promiscuous mode isn't currently on,
1783 * so turn it on, and remember that
1784 * we should turn it off when the
1785 * pcap_t is closed.
--- 17 unchanged lines hidden (view full) ---
1803 break;
1804 }
1805 did_atexit = 1;
1806 }
1807
1808 ifr.ifr_flags |= IFF_PROMISC;
1809 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
1810 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1811 "ioctl: %s",
1812 pcap_strerror(errno));
1813 break;
1814 }
1815 handle->md.clear_promisc = 1;
1816
1817 /*
1818 * Add this to the list of pcaps
1819 * to close when we exit.
--- 67 unchanged lines hidden (view full) ---
1887 if (!device)
1888 return BIGGER_THAN_ALL_MTUS;
1889
1890 memset(&ifr, 0, sizeof(ifr));
1891 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1892
1893 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
1894 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1895 "ioctl: %s", pcap_strerror(errno));
1896 return -1;
1897 }
1898
1899 return ifr.ifr_mtu;
1900}
1901
1902/*
1903 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1904 */
1905static int
1906iface_get_arptype(int fd, const char *device, char *ebuf)
1907{
1908 struct ifreq ifr;
1909
1910 memset(&ifr, 0, sizeof(ifr));
1911 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1912
1913 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1914 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1915 "ioctl: %s", pcap_strerror(errno));
1916 return -1;
1917 }
1918
1919 return ifr.ifr_hwaddr.sa_family;
1920}
1921
1922#ifdef SO_ATTACH_FILTER
1923static int
--- 220 unchanged lines hidden (view full) ---
2144 errno = save_errno;
2145 }
2146 return ret;
2147}
2148
2149static int
2150reset_kernel_filter(pcap_t *handle)
2151{
2152 /* setsockopt() barfs unless it get a dummy parameter */
2153 int dummy;
2154
2155 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER,
2156 &dummy, sizeof(dummy));
2157}
2158#endif