pcap-linux.c revision 127664
126175Sfenner/* 275107Sfenner * pcap-linux.c: Packet capture interface to the Linux kernel 326175Sfenner * 475107Sfenner * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org> 575107Sfenner * Sebastian Krahmer <krahmer@cs.uni-potsdam.de> 6127664Sbms * 775107Sfenner * License: BSD 8127664Sbms * 975107Sfenner * Redistribution and use in source and binary forms, with or without 1075107Sfenner * modification, are permitted provided that the following conditions 1175107Sfenner * are met: 12127664Sbms * 1375107Sfenner * 1. Redistributions of source code must retain the above copyright 1475107Sfenner * notice, this list of conditions and the following disclaimer. 1575107Sfenner * 2. Redistributions in binary form must reproduce the above copyright 1675107Sfenner * notice, this list of conditions and the following disclaimer in 1775107Sfenner * the documentation and/or other materials provided with the 1875107Sfenner * distribution. 1975107Sfenner * 3. The names of the authors may not be used to endorse or promote 2075107Sfenner * products derived from this software without specific prior 2175107Sfenner * written permission. 22127664Sbms * 2375107Sfenner * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 2475107Sfenner * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 2575107Sfenner * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 2626175Sfenner */ 27127664Sbms 2826175Sfenner#ifndef lint 29127664Sbmsstatic const char rcsid[] _U_ = 30127664Sbms "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.98.2.4 2003/11/21 10:20:46 guy Exp $ (LBL)"; 3126175Sfenner#endif 3226175Sfenner 3375107Sfenner/* 3475107Sfenner * Known problems with 2.0[.x] kernels: 3575107Sfenner * 3675107Sfenner * - The loopback device gives every packet twice; on 2.2[.x] kernels, 3775107Sfenner * if we use PF_PACKET, we can filter out the transmitted version 3875107Sfenner * of the packet by using data in the "sockaddr_ll" returned by 3975107Sfenner * "recvfrom()", but, on 2.0[.x] kernels, we have to use 4075107Sfenner * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 4175107Sfenner * "sockaddr_pkt" which doesn't give us enough information to let 4275107Sfenner * us do that. 4375107Sfenner * 4475107Sfenner * - We have to set the interface's IFF_PROMISC flag ourselves, if 4575107Sfenner * we're to run in promiscuous mode, which means we have to turn 4675107Sfenner * it off ourselves when we're done; the kernel doesn't keep track 4775107Sfenner * of how many sockets are listening promiscuously, which means 4875107Sfenner * it won't get turned off automatically when no sockets are 4975107Sfenner * listening promiscuously. We catch "pcap_close()" and, for 5075107Sfenner * interfaces we put into promiscuous mode, take them out of 5175107Sfenner * promiscuous mode - which isn't necessarily the right thing to 5275107Sfenner * do, if another socket also requested promiscuous mode between 5375107Sfenner * the time when we opened the socket and the time when we close 5475107Sfenner * the socket. 5598530Sfenner * 5698530Sfenner * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()" 5798530Sfenner * return the amount of data that you could have read, rather than 5898530Sfenner * the amount that was returned, so we can't just allocate a buffer 5998530Sfenner * whose size is the snapshot length and pass the snapshot length 6098530Sfenner * as the byte count, and also pass MSG_TRUNC, so that the return 6198530Sfenner * value tells us how long the packet was on the wire. 6298530Sfenner * 6398530Sfenner * This means that, if we want to get the actual size of the packet, 6498530Sfenner * so we can return it in the "len" field of the packet header, 6598530Sfenner * we have to read the entire packet, not just the part that fits 6698530Sfenner * within the snapshot length, and thus waste CPU time copying data 6798530Sfenner * from the kernel that our caller won't see. 6898530Sfenner * 6998530Sfenner * We have to get the actual size, and supply it in "len", because 7098530Sfenner * otherwise, the IP dissector in tcpdump, for example, will complain 7198530Sfenner * about "truncated-ip", as the packet will appear to have been 7298530Sfenner * shorter, on the wire, than the IP header said it should have been. 7375107Sfenner */ 7426175Sfenner 7575107Sfenner 7675107Sfenner#ifdef HAVE_CONFIG_H 7775107Sfenner#include "config.h" 7839291Sfenner#endif 7926175Sfenner 8075107Sfenner#include "pcap-int.h" 8175107Sfenner#include "sll.h" 8226175Sfenner 83127664Sbms#ifdef HAVE_DAG_API 84127664Sbms#include "pcap-dag.h" 85127664Sbms#endif /* HAVE_DAG_API */ 86127664Sbms 8726175Sfenner#include <errno.h> 8826175Sfenner#include <stdlib.h> 8975107Sfenner#include <unistd.h> 9075107Sfenner#include <fcntl.h> 9126175Sfenner#include <string.h> 9275107Sfenner#include <sys/socket.h> 9375107Sfenner#include <sys/ioctl.h> 9475107Sfenner#include <sys/utsname.h> 9575107Sfenner#include <net/if.h> 9675107Sfenner#include <netinet/in.h> 9775107Sfenner#include <linux/if_ether.h> 9875107Sfenner#include <net/if_arp.h> 9926175Sfenner 10098530Sfenner/* 10198530Sfenner * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET 10298530Sfenner * sockets rather than SOCK_PACKET sockets. 10398530Sfenner * 10498530Sfenner * To use them, we include <linux/if_packet.h> rather than 10598530Sfenner * <netpacket/packet.h>; we do so because 10698530Sfenner * 10798530Sfenner * some Linux distributions (e.g., Slackware 4.0) have 2.2 or 10898530Sfenner * later kernels and libc5, and don't provide a <netpacket/packet.h> 10998530Sfenner * file; 11098530Sfenner * 11198530Sfenner * not all versions of glibc2 have a <netpacket/packet.h> file 11298530Sfenner * that defines stuff needed for some of the 2.4-or-later-kernel 11398530Sfenner * features, so if the system has a 2.4 or later kernel, we 11498530Sfenner * still can't use those features. 11598530Sfenner * 11698530Sfenner * We're already including a number of other <linux/XXX.h> headers, and 11798530Sfenner * this code is Linux-specific (no other OS has PF_PACKET sockets as 11898530Sfenner * a raw packet capture mechanism), so it's not as if you gain any 11998530Sfenner * useful portability by using <netpacket/packet.h> 12098530Sfenner * 12198530Sfenner * XXX - should we just include <linux/if_packet.h> even if PF_PACKET 12298530Sfenner * isn't defined? It only defines one data structure in 2.0.x, so 12398530Sfenner * it shouldn't cause any problems. 12498530Sfenner */ 125127664Sbms#ifdef PF_PACKET 12698530Sfenner# include <linux/if_packet.h> 12726175Sfenner 12875107Sfenner /* 12998530Sfenner * On at least some Linux distributions (for example, Red Hat 5.2), 13098530Sfenner * there's no <netpacket/packet.h> file, but PF_PACKET is defined if 13198530Sfenner * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 13275107Sfenner * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 13375107Sfenner * the PACKET_xxx stuff. 13475107Sfenner * 13575107Sfenner * So we check whether PACKET_HOST is defined, and assume that we have 13675107Sfenner * PF_PACKET sockets only if it is defined. 13775107Sfenner */ 13875107Sfenner# ifdef PACKET_HOST 13975107Sfenner# define HAVE_PF_PACKET_SOCKETS 14075107Sfenner# endif /* PACKET_HOST */ 14198530Sfenner#endif /* PF_PACKET */ 14275107Sfenner 14375107Sfenner#ifdef SO_ATTACH_FILTER 14475107Sfenner#include <linux/types.h> 14575107Sfenner#include <linux/filter.h> 14626175Sfenner#endif 14726175Sfenner 14875107Sfenner#ifndef __GLIBC__ 14975107Sfennertypedef int socklen_t; 15075107Sfenner#endif 15126175Sfenner 15275107Sfenner#ifndef MSG_TRUNC 15398530Sfenner/* 15498530Sfenner * This is being compiled on a system that lacks MSG_TRUNC; define it 15598530Sfenner * with the value it has in the 2.2 and later kernels, so that, on 15698530Sfenner * those kernels, when we pass it in the flags argument to "recvfrom()" 15798530Sfenner * we're passing the right value and thus get the MSG_TRUNC behavior 15898530Sfenner * we want. (We don't get that behavior on 2.0[.x] kernels, because 15998530Sfenner * they didn't support MSG_TRUNC.) 16098530Sfenner */ 16198530Sfenner#define MSG_TRUNC 0x20 16275107Sfenner#endif 16375107Sfenner 164127664Sbms#ifndef SOL_PACKET 165127664Sbms/* 166127664Sbms * This is being compiled on a system that lacks SOL_PACKET; define it 167127664Sbms * with the value it has in the 2.2 and later kernels, so that we can 168127664Sbms * set promiscuous mode in the good modern way rather than the old 169127664Sbms * 2.0-kernel crappy way. 170127664Sbms */ 171127664Sbms#define SOL_PACKET 263 172127664Sbms#endif 173127664Sbms 17475107Sfenner#define MAX_LINKHEADER_SIZE 256 17575107Sfenner 176127664Sbms/* 177127664Sbms * When capturing on all interfaces we use this as the buffer size. 17875107Sfenner * Should be bigger then all MTUs that occur in real life. 17975107Sfenner * 64kB should be enough for now. 18075107Sfenner */ 18175107Sfenner#define BIGGER_THAN_ALL_MTUS (64*1024) 18275107Sfenner 18375107Sfenner/* 18475107Sfenner * Prototypes for internal functions 18575107Sfenner */ 186127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *, int, int); 187127664Sbmsstatic int live_open_old(pcap_t *, const char *, int, int, char *); 188127664Sbmsstatic int live_open_new(pcap_t *, const char *, int, int, char *); 189127664Sbmsstatic int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *); 19075107Sfennerstatic int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 191127664Sbmsstatic int pcap_stats_linux(pcap_t *, struct pcap_stat *); 192127664Sbmsstatic int pcap_setfilter_linux(pcap_t *, struct bpf_program *); 193127664Sbmsstatic void pcap_close_linux(pcap_t *); 19475107Sfenner 19575107Sfenner/* 19675107Sfenner * Wrap some ioctl calls 19775107Sfenner */ 19875107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 19975107Sfennerstatic int iface_get_id(int fd, const char *device, char *ebuf); 20075107Sfenner#endif 20175107Sfennerstatic int iface_get_mtu(int fd, const char *device, char *ebuf); 20275107Sfennerstatic int iface_get_arptype(int fd, const char *device, char *ebuf); 20375107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 20475107Sfennerstatic int iface_bind(int fd, int ifindex, char *ebuf); 20575107Sfenner#endif 20675107Sfennerstatic int iface_bind_old(int fd, const char *device, char *ebuf); 20775107Sfenner 20875107Sfenner#ifdef SO_ATTACH_FILTER 20975107Sfennerstatic int fix_program(pcap_t *handle, struct sock_fprog *fcode); 21075107Sfennerstatic int fix_offset(struct bpf_insn *p); 21198530Sfennerstatic int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode); 21298530Sfennerstatic int reset_kernel_filter(pcap_t *handle); 21398530Sfenner 21498530Sfennerstatic struct sock_filter total_insn 21598530Sfenner = BPF_STMT(BPF_RET | BPF_K, 0); 21698530Sfennerstatic struct sock_fprog total_fcode 21798530Sfenner = { 1, &total_insn }; 21875107Sfenner#endif 21975107Sfenner 22075107Sfenner/* 221127664Sbms * Get a handle for a live capture from the given device. You can 222127664Sbms * pass NULL as device to get all packages (without link level 22375107Sfenner * information of course). If you pass 1 as promisc the interface 224127664Sbms * will be set to promiscous mode (XXX: I think this usage should 22575107Sfenner * be deprecated and functions be added to select that later allow 22675107Sfenner * modification of that values -- Torsten). 227127664Sbms * 22875107Sfenner * See also pcap(3). 22975107Sfenner */ 23075107Sfennerpcap_t * 231127664Sbmspcap_open_live(const char *device, int snaplen, int promisc, int to_ms, 232127664Sbms char *ebuf) 23326175Sfenner{ 23498530Sfenner pcap_t *handle; 23598530Sfenner int mtu; 236127664Sbms int err; 237127664Sbms int live_open_ok = 0; 23898530Sfenner struct utsname utsname; 23998530Sfenner 240127664Sbms#ifdef HAVE_DAG_API 241127664Sbms if (strstr(device, "dag")) { 242127664Sbms return dag_open_live(device, snaplen, promisc, to_ms, ebuf); 243127664Sbms } 244127664Sbms#endif /* HAVE_DAG_API */ 245127664Sbms 24675107Sfenner /* Allocate a handle for this session. */ 24726175Sfenner 24898530Sfenner handle = malloc(sizeof(*handle)); 24975107Sfenner if (handle == NULL) { 25075107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 25175107Sfenner pcap_strerror(errno)); 25275107Sfenner return NULL; 25375107Sfenner } 25475107Sfenner 25575107Sfenner /* Initialize some components of the pcap structure. */ 25675107Sfenner 25775107Sfenner memset(handle, 0, sizeof(*handle)); 25875107Sfenner handle->snapshot = snaplen; 25975107Sfenner handle->md.timeout = to_ms; 26075107Sfenner 26175107Sfenner /* 262127664Sbms * NULL and "any" are special devices which give us the hint to 26375107Sfenner * monitor all devices. 26475107Sfenner */ 26575107Sfenner if (!device || strcmp(device, "any") == 0) { 26675107Sfenner device = NULL; 26775107Sfenner handle->md.device = strdup("any"); 26898530Sfenner if (promisc) { 26998530Sfenner promisc = 0; 27098530Sfenner /* Just a warning. */ 27198530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 27298530Sfenner "Promiscuous mode not supported on the \"any\" device"); 27398530Sfenner } 274127664Sbms 27575107Sfenner } else 27675107Sfenner handle->md.device = strdup(device); 27775107Sfenner 27875107Sfenner if (handle->md.device == NULL) { 27975107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s", 28075107Sfenner pcap_strerror(errno) ); 28175107Sfenner free(handle); 28275107Sfenner return NULL; 28375107Sfenner } 28475107Sfenner 285127664Sbms /* 286127664Sbms * Current Linux kernels use the protocol family PF_PACKET to 287127664Sbms * allow direct access to all packets on the network while 288127664Sbms * older kernels had a special socket type SOCK_PACKET to 28975107Sfenner * implement this feature. 29075107Sfenner * While this old implementation is kind of obsolete we need 291127664Sbms * to be compatible with older kernels for a while so we are 29275107Sfenner * trying both methods with the newer method preferred. 29375107Sfenner */ 29475107Sfenner 295127664Sbms if ((err = live_open_new(handle, device, promisc, to_ms, ebuf)) == 1) 296127664Sbms live_open_ok = 1; 297127664Sbms else if (err == 0) { 298127664Sbms /* Non-fatal error; try old way */ 299127664Sbms if (live_open_old(handle, device, promisc, to_ms, ebuf)) 300127664Sbms live_open_ok = 1; 301127664Sbms } 302127664Sbms if (!live_open_ok) { 303127664Sbms /* 30475107Sfenner * Both methods to open the packet socket failed. Tidy 30575107Sfenner * up and report our failure (ebuf is expected to be 306127664Sbms * set by the functions above). 30775107Sfenner */ 30875107Sfenner 309127664Sbms if (handle->md.device != NULL) 310127664Sbms free(handle->md.device); 31175107Sfenner free(handle); 31275107Sfenner return NULL; 31375107Sfenner } 31475107Sfenner 31598530Sfenner /* 31698530Sfenner * Compute the buffer size. 31798530Sfenner * 31898530Sfenner * If we're using SOCK_PACKET, this might be a 2.0[.x] kernel, 31998530Sfenner * and might require special handling - check. 32098530Sfenner */ 32198530Sfenner if (handle->md.sock_packet && (uname(&utsname) < 0 || 32298530Sfenner strncmp(utsname.release, "2.0", 3) == 0)) { 32398530Sfenner /* 32498530Sfenner * We're using a SOCK_PACKET structure, and either 32598530Sfenner * we couldn't find out what kernel release this is, 32698530Sfenner * or it's a 2.0[.x] kernel. 32798530Sfenner * 32898530Sfenner * In the 2.0[.x] kernel, a "recvfrom()" on 32998530Sfenner * a SOCK_PACKET socket, with MSG_TRUNC set, will 33098530Sfenner * return the number of bytes read, so if we pass 33198530Sfenner * a length based on the snapshot length, it'll 33298530Sfenner * return the number of bytes from the packet 33398530Sfenner * copied to userland, not the actual length 33498530Sfenner * of the packet. 33598530Sfenner * 33698530Sfenner * This means that, for example, the IP dissector 33798530Sfenner * in tcpdump will get handed a packet length less 33898530Sfenner * than the length in the IP header, and will 33998530Sfenner * complain about "truncated-ip". 34098530Sfenner * 34198530Sfenner * So we don't bother trying to copy from the 34298530Sfenner * kernel only the bytes in which we're interested, 34398530Sfenner * but instead copy them all, just as the older 34498530Sfenner * versions of libpcap for Linux did. 34598530Sfenner * 34698530Sfenner * The buffer therefore needs to be big enough to 34798530Sfenner * hold the largest packet we can get from this 34898530Sfenner * device. Unfortunately, we can't get the MRU 34998530Sfenner * of the network; we can only get the MTU. The 35098530Sfenner * MTU may be too small, in which case a packet larger 35198530Sfenner * than the buffer size will be truncated *and* we 35298530Sfenner * won't get the actual packet size. 35398530Sfenner * 35498530Sfenner * However, if the snapshot length is larger than 35598530Sfenner * the buffer size based on the MTU, we use the 35698530Sfenner * snapshot length as the buffer size, instead; 35798530Sfenner * this means that with a sufficiently large snapshot 35898530Sfenner * length we won't artificially truncate packets 35998530Sfenner * to the MTU-based size. 36098530Sfenner * 36198530Sfenner * This mess just one of many problems with packet 36298530Sfenner * capture on 2.0[.x] kernels; you really want a 36398530Sfenner * 2.2[.x] or later kernel if you want packet capture 36498530Sfenner * to work well. 36598530Sfenner */ 36698530Sfenner mtu = iface_get_mtu(handle->fd, device, ebuf); 36798530Sfenner if (mtu == -1) { 368127664Sbms pcap_close_linux(handle); 36998530Sfenner free(handle); 37098530Sfenner return NULL; 37198530Sfenner } 37298530Sfenner handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 37398530Sfenner if (handle->bufsize < handle->snapshot) 37498530Sfenner handle->bufsize = handle->snapshot; 37598530Sfenner } else { 37698530Sfenner /* 37798530Sfenner * This is a 2.2[.x] or later kernel (we know that 37898530Sfenner * either because we're not using a SOCK_PACKET 37998530Sfenner * socket - PF_PACKET is supported only in 2.2 38098530Sfenner * and later kernels - or because we checked the 38198530Sfenner * kernel version). 38298530Sfenner * 38398530Sfenner * We can safely pass "recvfrom()" a byte count 38498530Sfenner * based on the snapshot length. 38598530Sfenner */ 38698530Sfenner handle->bufsize = handle->snapshot; 38798530Sfenner } 38898530Sfenner 38998530Sfenner /* Allocate the buffer */ 39098530Sfenner 39198530Sfenner handle->buffer = malloc(handle->bufsize + handle->offset); 39298530Sfenner if (!handle->buffer) { 39398530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 39498530Sfenner "malloc: %s", pcap_strerror(errno)); 395127664Sbms pcap_close_linux(handle); 39698530Sfenner free(handle); 39798530Sfenner return NULL; 39898530Sfenner } 39998530Sfenner 400127664Sbms /* 401127664Sbms * "handle->fd" is a socket, so "select()" and "poll()" 402127664Sbms * should work on it. 403127664Sbms */ 404127664Sbms handle->selectable_fd = handle->fd; 405127664Sbms 406127664Sbms handle->read_op = pcap_read_linux; 407127664Sbms handle->setfilter_op = pcap_setfilter_linux; 408127664Sbms handle->set_datalink_op = NULL; /* can't change data link type */ 409127664Sbms handle->getnonblock_op = pcap_getnonblock_fd; 410127664Sbms handle->setnonblock_op = pcap_setnonblock_fd; 411127664Sbms handle->stats_op = pcap_stats_linux; 412127664Sbms handle->close_op = pcap_close_linux; 413127664Sbms 41475107Sfenner return handle; 41526175Sfenner} 41626175Sfenner 41775107Sfenner/* 41875107Sfenner * Read at most max_packets from the capture stream and call the callback 41975107Sfenner * for each of them. Returns the number of packets handled or -1 if an 420127664Sbms * error occured. 42175107Sfenner */ 422127664Sbmsstatic int 423127664Sbmspcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 42426175Sfenner{ 42575107Sfenner /* 42675107Sfenner * Currently, on Linux only one packet is delivered per read, 42775107Sfenner * so we don't loop. 42875107Sfenner */ 42975107Sfenner return pcap_read_packet(handle, callback, user); 43075107Sfenner} 43126175Sfenner 43275107Sfenner/* 433127664Sbms * Read a packet from the socket calling the handler provided by 43475107Sfenner * the user. Returns the number of packets received or -1 if an 43575107Sfenner * error occured. 43675107Sfenner */ 43775107Sfennerstatic int 43875107Sfennerpcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 43975107Sfenner{ 44098530Sfenner u_char *bp; 44175107Sfenner int offset; 44275107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 44375107Sfenner struct sockaddr_ll from; 44475107Sfenner struct sll_header *hdrp; 44575107Sfenner#else 44675107Sfenner struct sockaddr from; 44775107Sfenner#endif 44875107Sfenner socklen_t fromlen; 44975107Sfenner int packet_len, caplen; 45075107Sfenner struct pcap_pkthdr pcap_header; 45126175Sfenner 45275107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 45375107Sfenner /* 45475107Sfenner * If this is a cooked device, leave extra room for a 45575107Sfenner * fake packet header. 45675107Sfenner */ 45775107Sfenner if (handle->md.cooked) 45875107Sfenner offset = SLL_HDR_LEN; 45975107Sfenner else 46075107Sfenner offset = 0; 46175107Sfenner#else 46275107Sfenner /* 46375107Sfenner * This system doesn't have PF_PACKET sockets, so it doesn't 46475107Sfenner * support cooked devices. 46575107Sfenner */ 46675107Sfenner offset = 0; 46775107Sfenner#endif 46875107Sfenner 46975107Sfenner /* Receive a single packet from the kernel */ 47075107Sfenner 47198530Sfenner bp = handle->buffer + handle->offset; 47226175Sfenner do { 473127664Sbms /* 474127664Sbms * Has "pcap_breakloop()" been called? 475127664Sbms */ 476127664Sbms if (handle->break_loop) { 477127664Sbms /* 478127664Sbms * Yes - clear the flag that indicates that it 479127664Sbms * has, and return -2 as an indication that we 480127664Sbms * were told to break out of the loop. 481127664Sbms */ 482127664Sbms handle->break_loop = 0; 483127664Sbms return -2; 484127664Sbms } 48526175Sfenner fromlen = sizeof(from); 486127664Sbms packet_len = recvfrom( 48798530Sfenner handle->fd, bp + offset, 488127664Sbms handle->bufsize - offset, MSG_TRUNC, 48975107Sfenner (struct sockaddr *) &from, &fromlen); 49075107Sfenner } while (packet_len == -1 && errno == EINTR); 49126175Sfenner 49275107Sfenner /* Check if an error occured */ 49326175Sfenner 49475107Sfenner if (packet_len == -1) { 49575107Sfenner if (errno == EAGAIN) 49675107Sfenner return 0; /* no packet there */ 49775107Sfenner else { 49875107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 49975107Sfenner "recvfrom: %s", pcap_strerror(errno)); 50075107Sfenner return -1; 50126175Sfenner } 50275107Sfenner } 50326175Sfenner 50475107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 50575107Sfenner /* 50675107Sfenner * If this is from the loopback device, reject outgoing packets; 50775107Sfenner * we'll see the packet as an incoming packet as well, and 50875107Sfenner * we don't want to see it twice. 50975107Sfenner * 51075107Sfenner * We can only do this if we're using PF_PACKET; the address 51175107Sfenner * returned for SOCK_PACKET is a "sockaddr_pkt" which lacks 51275107Sfenner * the relevant packet type information. 51375107Sfenner */ 51475107Sfenner if (!handle->md.sock_packet && 51575107Sfenner from.sll_ifindex == handle->md.lo_ifindex && 51675107Sfenner from.sll_pkttype == PACKET_OUTGOING) 51775107Sfenner return 0; 51875107Sfenner#endif 51926175Sfenner 52075107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 52175107Sfenner /* 52275107Sfenner * If this is a cooked device, fill in the fake packet header. 52375107Sfenner */ 52475107Sfenner if (handle->md.cooked) { 52575107Sfenner /* 52675107Sfenner * Add the length of the fake header to the length 52775107Sfenner * of packet data we read. 52875107Sfenner */ 52975107Sfenner packet_len += SLL_HDR_LEN; 53026175Sfenner 53198530Sfenner hdrp = (struct sll_header *)bp; 53226175Sfenner 53375107Sfenner /* 53475107Sfenner * Map the PACKET_ value to a LINUX_SLL_ value; we 53575107Sfenner * want the same numerical value to be used in 53675107Sfenner * the link-layer header even if the numerical values 53775107Sfenner * for the PACKET_ #defines change, so that programs 53875107Sfenner * that look at the packet type field will always be 53975107Sfenner * able to handle DLT_LINUX_SLL captures. 54075107Sfenner */ 54175107Sfenner switch (from.sll_pkttype) { 54226175Sfenner 54375107Sfenner case PACKET_HOST: 54475107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_HOST); 54575107Sfenner break; 54626175Sfenner 54775107Sfenner case PACKET_BROADCAST: 54875107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST); 54975107Sfenner break; 55075107Sfenner 55175107Sfenner case PACKET_MULTICAST: 55275107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST); 55375107Sfenner break; 55475107Sfenner 55575107Sfenner case PACKET_OTHERHOST: 55675107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST); 55775107Sfenner break; 55875107Sfenner 55975107Sfenner case PACKET_OUTGOING: 56075107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING); 56175107Sfenner break; 56275107Sfenner 56375107Sfenner default: 56475107Sfenner hdrp->sll_pkttype = -1; 56575107Sfenner break; 56626175Sfenner } 56775107Sfenner 56875107Sfenner hdrp->sll_hatype = htons(from.sll_hatype); 56975107Sfenner hdrp->sll_halen = htons(from.sll_halen); 57075107Sfenner memcpy(hdrp->sll_addr, from.sll_addr, 57175107Sfenner (from.sll_halen > SLL_ADDRLEN) ? 57275107Sfenner SLL_ADDRLEN : 57375107Sfenner from.sll_halen); 57475107Sfenner hdrp->sll_protocol = from.sll_protocol; 57526175Sfenner } 57675107Sfenner#endif 57775107Sfenner 57875107Sfenner /* 579127664Sbms * XXX: According to the kernel source we should get the real 580127664Sbms * packet len if calling recvfrom with MSG_TRUNC set. It does 58175107Sfenner * not seem to work here :(, but it is supported by this code 582127664Sbms * anyway. 58375107Sfenner * To be honest the code RELIES on that feature so this is really 58475107Sfenner * broken with 2.2.x kernels. 58575107Sfenner * I spend a day to figure out what's going on and I found out 586127664Sbms * that the following is happening: 58775107Sfenner * 588127664Sbms * The packet comes from a random interface and the packet_rcv 58975107Sfenner * hook is called with a clone of the packet. That code inserts 59075107Sfenner * the packet into the receive queue of the packet socket. 59175107Sfenner * If a filter is attached to that socket that filter is run 59275107Sfenner * first - and there lies the problem. The default filter always 59375107Sfenner * cuts the packet at the snaplen: 59475107Sfenner * 59575107Sfenner * # tcpdump -d 59675107Sfenner * (000) ret #68 59775107Sfenner * 598127664Sbms * So the packet filter cuts down the packet. The recvfrom call 59975107Sfenner * says "hey, it's only 68 bytes, it fits into the buffer" with 600127664Sbms * the result that we don't get the real packet length. This 601127664Sbms * is valid at least until kernel 2.2.17pre6. 60275107Sfenner * 60375107Sfenner * We currently handle this by making a copy of the filter 60475107Sfenner * program, fixing all "ret" instructions with non-zero 60575107Sfenner * operands to have an operand of 65535 so that the filter 60675107Sfenner * doesn't truncate the packet, and supplying that modified 60775107Sfenner * filter to the kernel. 60875107Sfenner */ 60975107Sfenner 61075107Sfenner caplen = packet_len; 61175107Sfenner if (caplen > handle->snapshot) 61275107Sfenner caplen = handle->snapshot; 61375107Sfenner 61475107Sfenner /* Run the packet filter if not using kernel filter */ 61575107Sfenner if (!handle->md.use_bpf && handle->fcode.bf_insns) { 61698530Sfenner if (bpf_filter(handle->fcode.bf_insns, bp, 61775107Sfenner packet_len, caplen) == 0) 61875107Sfenner { 61975107Sfenner /* rejected by filter */ 62075107Sfenner return 0; 62175107Sfenner } 62275107Sfenner } 62375107Sfenner 62475107Sfenner /* Fill in our own header data */ 62575107Sfenner 62675107Sfenner if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 62775107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 62875107Sfenner "ioctl: %s", pcap_strerror(errno)); 62975107Sfenner return -1; 63075107Sfenner } 63175107Sfenner pcap_header.caplen = caplen; 63275107Sfenner pcap_header.len = packet_len; 63375107Sfenner 63498530Sfenner /* 63598530Sfenner * Count the packet. 63698530Sfenner * 63798530Sfenner * Arguably, we should count them before we check the filter, 63898530Sfenner * as on many other platforms "ps_recv" counts packets 63998530Sfenner * handed to the filter rather than packets that passed 64098530Sfenner * the filter, but if filtering is done in the kernel, we 64198530Sfenner * can't get a count of packets that passed the filter, 64298530Sfenner * and that would mean the meaning of "ps_recv" wouldn't 64398530Sfenner * be the same on all Linux systems. 64498530Sfenner * 64598530Sfenner * XXX - it's not the same on all systems in any case; 64698530Sfenner * ideally, we should have a "get the statistics" call 64798530Sfenner * that supplies more counts and indicates which of them 64898530Sfenner * it supplies, so that we supply a count of packets 64998530Sfenner * handed to the filter only on platforms where that 65098530Sfenner * information is available. 65198530Sfenner * 65298530Sfenner * We count them here even if we can get the packet count 65398530Sfenner * from the kernel, as we can only determine at run time 65498530Sfenner * whether we'll be able to get it from the kernel (if 65598530Sfenner * HAVE_TPACKET_STATS isn't defined, we can't get it from 65698530Sfenner * the kernel, but if it is defined, the library might 65798530Sfenner * have been built with a 2.4 or later kernel, but we 65898530Sfenner * might be running on a 2.2[.x] kernel without Alexey 65998530Sfenner * Kuznetzov's turbopacket patches, and thus the kernel 66098530Sfenner * might not be able to supply those statistics). We 66198530Sfenner * could, I guess, try, when opening the socket, to get 66298530Sfenner * the statistics, and if we can not increment the count 66398530Sfenner * here, but it's not clear that always incrementing 66498530Sfenner * the count is more expensive than always testing a flag 66598530Sfenner * in memory. 66698530Sfenner */ 66775107Sfenner handle->md.stat.ps_recv++; 66875107Sfenner 66998530Sfenner /* Call the user supplied callback function */ 67098530Sfenner callback(userdata, &pcap_header, bp); 67198530Sfenner 67275107Sfenner return 1; 67326175Sfenner} 67426175Sfenner 67575107Sfenner/* 67675107Sfenner * Get the statistics for the given packet capture handle. 67798530Sfenner * Reports the number of dropped packets iff the kernel supports 67898530Sfenner * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later 67998530Sfenner * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket 68098530Sfenner * patches); otherwise, that information isn't available, and we lie 68198530Sfenner * and report 0 as the count of dropped packets. 68275107Sfenner */ 683127664Sbmsstatic int 684127664Sbmspcap_stats_linux(pcap_t *handle, struct pcap_stat *stats) 68526175Sfenner{ 68698530Sfenner#ifdef HAVE_TPACKET_STATS 68798530Sfenner struct tpacket_stats kstats; 68898530Sfenner socklen_t len = sizeof (struct tpacket_stats); 689127664Sbms#endif 69098530Sfenner 691127664Sbms#ifdef HAVE_TPACKET_STATS 69298530Sfenner /* 69398530Sfenner * Try to get the packet counts from the kernel. 69498530Sfenner */ 69598530Sfenner if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, 69698530Sfenner &kstats, &len) > -1) { 69798530Sfenner /* 69898530Sfenner * In "linux/net/packet/af_packet.c", at least in the 69998530Sfenner * 2.4.9 kernel, "tp_packets" is incremented for every 70098530Sfenner * packet that passes the packet filter *and* is 70198530Sfenner * successfully queued on the socket; "tp_drops" is 70298530Sfenner * incremented for every packet dropped because there's 70398530Sfenner * not enough free space in the socket buffer. 70498530Sfenner * 70598530Sfenner * When the statistics are returned for a PACKET_STATISTICS 70698530Sfenner * "getsockopt()" call, "tp_drops" is added to "tp_packets", 70798530Sfenner * so that "tp_packets" counts all packets handed to 70898530Sfenner * the PF_PACKET socket, including packets dropped because 70998530Sfenner * there wasn't room on the socket buffer - but not 71098530Sfenner * including packets that didn't pass the filter. 71198530Sfenner * 71298530Sfenner * In the BSD BPF, the count of received packets is 71398530Sfenner * incremented for every packet handed to BPF, regardless 71498530Sfenner * of whether it passed the filter. 71598530Sfenner * 71698530Sfenner * We can't make "pcap_stats()" work the same on both 71798530Sfenner * platforms, but the best approximation is to return 71898530Sfenner * "tp_packets" as the count of packets and "tp_drops" 71998530Sfenner * as the count of drops. 72098530Sfenner */ 72198530Sfenner handle->md.stat.ps_recv = kstats.tp_packets; 72298530Sfenner handle->md.stat.ps_drop = kstats.tp_drops; 72398530Sfenner } 72498530Sfenner else 72598530Sfenner { 72698530Sfenner /* 72798530Sfenner * If the error was EOPNOTSUPP, fall through, so that 72898530Sfenner * if you build the library on a system with 72998530Sfenner * "struct tpacket_stats" and run it on a system 73098530Sfenner * that doesn't, it works as it does if the library 73198530Sfenner * is built on a system without "struct tpacket_stats". 73298530Sfenner */ 73398530Sfenner if (errno != EOPNOTSUPP) { 73498530Sfenner snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 73598530Sfenner "pcap_stats: %s", pcap_strerror(errno)); 73698530Sfenner return -1; 73798530Sfenner } 73898530Sfenner } 73998530Sfenner#endif 74098530Sfenner /* 74198530Sfenner * On systems where the PACKET_STATISTICS "getsockopt()" argument 74298530Sfenner * is supported on PF_PACKET sockets: 74398530Sfenner * 74498530Sfenner * "ps_recv" counts only packets that *passed* the filter, 74598530Sfenner * not packets that didn't pass the filter. This includes 74698530Sfenner * packets later dropped because we ran out of buffer space. 74798530Sfenner * 74898530Sfenner * "ps_drop" counts packets dropped because we ran out of 74998530Sfenner * buffer space. It doesn't count packets dropped by the 75098530Sfenner * interface driver. It counts only packets that passed 75198530Sfenner * the filter. 75298530Sfenner * 75398530Sfenner * Both statistics include packets not yet read from the 75498530Sfenner * kernel by libpcap, and thus not yet seen by the application. 75598530Sfenner * 75698530Sfenner * On systems where the PACKET_STATISTICS "getsockopt()" argument 75798530Sfenner * is not supported on PF_PACKET sockets: 75898530Sfenner * 75998530Sfenner * "ps_recv" counts only packets that *passed* the filter, 76098530Sfenner * not packets that didn't pass the filter. It does not 76198530Sfenner * count packets dropped because we ran out of buffer 76298530Sfenner * space. 76398530Sfenner * 76498530Sfenner * "ps_drop" is not supported. 76598530Sfenner * 76698530Sfenner * "ps_recv" doesn't include packets not yet read from 76798530Sfenner * the kernel by libpcap. 76898530Sfenner */ 76975107Sfenner *stats = handle->md.stat; 77075107Sfenner return 0; 77175107Sfenner} 77226175Sfenner 77375107Sfenner/* 774127664Sbms * Description string for the "any" device. 77575107Sfenner */ 776127664Sbmsstatic const char any_descr[] = "Pseudo-device that captures on all interfaces"; 777127664Sbms 77875107Sfennerint 779127664Sbmspcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 78075107Sfenner{ 781127664Sbms if (pcap_add_if(alldevsp, "any", 0, any_descr, errbuf) < 0) 782127664Sbms return (-1); 783127664Sbms 784127664Sbms#ifdef HAVE_DAG_API 785127664Sbms if (dag_platform_finddevs(alldevsp, errbuf) < 0) 786127664Sbms return (-1); 787127664Sbms#endif /* HAVE_DAG_API */ 788127664Sbms 789127664Sbms return (0); 790127664Sbms} 791127664Sbms 792127664Sbms/* 793127664Sbms * Attach the given BPF code to the packet capture device. 794127664Sbms */ 795127664Sbmsstatic int 796127664Sbmspcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter) 797127664Sbms{ 79875107Sfenner#ifdef SO_ATTACH_FILTER 79975107Sfenner struct sock_fprog fcode; 80075107Sfenner int can_filter_in_kernel; 801127664Sbms int err = 0; 80275107Sfenner#endif 80375107Sfenner 80475107Sfenner if (!handle) 80575107Sfenner return -1; 80675107Sfenner if (!filter) { 80775107Sfenner strncpy(handle->errbuf, "setfilter: No filter specified", 80875107Sfenner sizeof(handle->errbuf)); 80975107Sfenner return -1; 81026175Sfenner } 81126175Sfenner 81275107Sfenner /* Make our private copy of the filter */ 81375107Sfenner 814127664Sbms if (install_bpf_program(handle, filter) < 0) 815127664Sbms /* install_bpf_program() filled in errbuf */ 81675107Sfenner return -1; 81739291Sfenner 818127664Sbms /* 819127664Sbms * Run user level packet filter by default. Will be overriden if 820127664Sbms * installing a kernel filter succeeds. 82175107Sfenner */ 82275107Sfenner handle->md.use_bpf = 0; 82375107Sfenner 82475107Sfenner /* Install kernel level filter if possible */ 82575107Sfenner 82675107Sfenner#ifdef SO_ATTACH_FILTER 82775107Sfenner#ifdef USHRT_MAX 82875107Sfenner if (handle->fcode.bf_len > USHRT_MAX) { 82975107Sfenner /* 830127664Sbms * fcode.len is an unsigned short for current kernel. 83175107Sfenner * I have yet to see BPF-Code with that much 83275107Sfenner * instructions but still it is possible. So for the 83375107Sfenner * sake of correctness I added this check. 83475107Sfenner */ 83575107Sfenner fprintf(stderr, "Warning: Filter too complex for kernel\n"); 83675107Sfenner fcode.filter = NULL; 83775107Sfenner can_filter_in_kernel = 0; 83875107Sfenner } else 83975107Sfenner#endif /* USHRT_MAX */ 84075107Sfenner { 84175107Sfenner /* 84275107Sfenner * Oh joy, the Linux kernel uses struct sock_fprog instead 84375107Sfenner * of struct bpf_program and of course the length field is 84475107Sfenner * of different size. Pointed out by Sebastian 84575107Sfenner * 84675107Sfenner * Oh, and we also need to fix it up so that all "ret" 84775107Sfenner * instructions with non-zero operands have 65535 as the 84875107Sfenner * operand, and so that, if we're in cooked mode, all 84975107Sfenner * memory-reference instructions use special magic offsets 85075107Sfenner * in references to the link-layer header and assume that 85175107Sfenner * the link-layer payload begins at 0; "fix_program()" 85275107Sfenner * will do that. 85375107Sfenner */ 85475107Sfenner switch (fix_program(handle, &fcode)) { 85575107Sfenner 85675107Sfenner case -1: 85775107Sfenner default: 85875107Sfenner /* 85975107Sfenner * Fatal error; just quit. 86075107Sfenner * (The "default" case shouldn't happen; we 86175107Sfenner * return -1 for that reason.) 86275107Sfenner */ 86375107Sfenner return -1; 86475107Sfenner 86575107Sfenner case 0: 86675107Sfenner /* 86775107Sfenner * The program performed checks that we can't make 86875107Sfenner * work in the kernel. 86975107Sfenner */ 87075107Sfenner can_filter_in_kernel = 0; 87175107Sfenner break; 87275107Sfenner 87375107Sfenner case 1: 87475107Sfenner /* 87575107Sfenner * We have a filter that'll work in the kernel. 87675107Sfenner */ 87775107Sfenner can_filter_in_kernel = 1; 87875107Sfenner break; 87975107Sfenner } 88039291Sfenner } 88139291Sfenner 88275107Sfenner if (can_filter_in_kernel) { 883127664Sbms if ((err = set_kernel_filter(handle, &fcode)) == 0) 88475107Sfenner { 88575107Sfenner /* Installation succeded - using kernel filter. */ 88675107Sfenner handle->md.use_bpf = 1; 88775107Sfenner } 888127664Sbms else if (err == -1) /* Non-fatal error */ 88975107Sfenner { 890127664Sbms /* 89175107Sfenner * Print a warning if we weren't able to install 89275107Sfenner * the filter for a reason other than "this kernel 89375107Sfenner * isn't configured to support socket filters. 89475107Sfenner */ 89575107Sfenner if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 89675107Sfenner fprintf(stderr, 897127664Sbms "Warning: Kernel filter failed: %s\n", 89875107Sfenner pcap_strerror(errno)); 89975107Sfenner } 90075107Sfenner } 90139291Sfenner } 90239291Sfenner 90375107Sfenner /* 90498530Sfenner * If we're not using the kernel filter, get rid of any kernel 90598530Sfenner * filter that might've been there before, e.g. because the 90698530Sfenner * previous filter could work in the kernel, or because some other 90798530Sfenner * code attached a filter to the socket by some means other than 90898530Sfenner * calling "pcap_setfilter()". Otherwise, the kernel filter may 90998530Sfenner * filter out packets that would pass the new userland filter. 91098530Sfenner */ 91198530Sfenner if (!handle->md.use_bpf) 91298530Sfenner reset_kernel_filter(handle); 91398530Sfenner 91498530Sfenner /* 91575107Sfenner * Free up the copy of the filter that was made by "fix_program()". 91675107Sfenner */ 91775107Sfenner if (fcode.filter != NULL) 91875107Sfenner free(fcode.filter); 919127664Sbms 920127664Sbms if (err == -2) 921127664Sbms /* Fatal error */ 922127664Sbms return -1; 92375107Sfenner#endif /* SO_ATTACH_FILTER */ 92475107Sfenner 92575107Sfenner return 0; 92675107Sfenner} 92775107Sfenner 92875107Sfenner/* 929127664Sbms * Linux uses the ARP hardware type to identify the type of an 930127664Sbms * interface. pcap uses the DLT_xxx constants for this. This 93198530Sfenner * function takes a pointer to a "pcap_t", and an ARPHRD_xxx 93298530Sfenner * constant, as arguments, and sets "handle->linktype" to the 93398530Sfenner * appropriate DLT_XXX constant and sets "handle->offset" to 93498530Sfenner * the appropriate value (to make "handle->offset" plus link-layer 93598530Sfenner * header length be a multiple of 4, so that the link-layer payload 93698530Sfenner * will be aligned on a 4-byte boundary when capturing packets). 93798530Sfenner * (If the offset isn't set here, it'll be 0; add code as appropriate 93898530Sfenner * for cases where it shouldn't be 0.) 939127664Sbms * 940127664Sbms * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture 941127664Sbms * in cooked mode; otherwise, we can't use cooked mode, so we have 942127664Sbms * to pick some type that works in raw mode, or fail. 943127664Sbms * 94498530Sfenner * Sets the link type to -1 if unable to map the type. 94575107Sfenner */ 946127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok) 94775107Sfenner{ 94875107Sfenner switch (arptype) { 94998530Sfenner 95039291Sfenner case ARPHRD_ETHER: 95139291Sfenner case ARPHRD_METRICOM: 95298530Sfenner case ARPHRD_LOOPBACK: 95398530Sfenner handle->linktype = DLT_EN10MB; 95498530Sfenner handle->offset = 2; 95598530Sfenner break; 95698530Sfenner 95798530Sfenner case ARPHRD_EETHER: 95898530Sfenner handle->linktype = DLT_EN3MB; 95998530Sfenner break; 96098530Sfenner 96198530Sfenner case ARPHRD_AX25: 96298530Sfenner handle->linktype = DLT_AX25; 96398530Sfenner break; 96498530Sfenner 96598530Sfenner case ARPHRD_PRONET: 96698530Sfenner handle->linktype = DLT_PRONET; 96798530Sfenner break; 96898530Sfenner 96998530Sfenner case ARPHRD_CHAOS: 97098530Sfenner handle->linktype = DLT_CHAOS; 97198530Sfenner break; 97298530Sfenner 97375107Sfenner#ifndef ARPHRD_IEEE802_TR 97475107Sfenner#define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 97575107Sfenner#endif 97675107Sfenner case ARPHRD_IEEE802_TR: 97798530Sfenner case ARPHRD_IEEE802: 97898530Sfenner handle->linktype = DLT_IEEE802; 97998530Sfenner handle->offset = 2; 98098530Sfenner break; 98139291Sfenner 98298530Sfenner case ARPHRD_ARCNET: 983127664Sbms handle->linktype = DLT_ARCNET_LINUX; 98498530Sfenner break; 98598530Sfenner 986127664Sbms#ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ 987127664Sbms#define ARPHRD_FDDI 774 988127664Sbms#endif 98998530Sfenner case ARPHRD_FDDI: 99098530Sfenner handle->linktype = DLT_FDDI; 99198530Sfenner handle->offset = 3; 99298530Sfenner break; 99398530Sfenner 99475107Sfenner#ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 99575107Sfenner#define ARPHRD_ATM 19 99675107Sfenner#endif 99798530Sfenner case ARPHRD_ATM: 99898530Sfenner /* 99998530Sfenner * The Classical IP implementation in ATM for Linux 100098530Sfenner * supports both what RFC 1483 calls "LLC Encapsulation", 100198530Sfenner * in which each packet has an LLC header, possibly 100298530Sfenner * with a SNAP header as well, prepended to it, and 100398530Sfenner * what RFC 1483 calls "VC Based Multiplexing", in which 100498530Sfenner * different virtual circuits carry different network 100598530Sfenner * layer protocols, and no header is prepended to packets. 100698530Sfenner * 100798530Sfenner * They both have an ARPHRD_ type of ARPHRD_ATM, so 100898530Sfenner * you can't use the ARPHRD_ type to find out whether 100998530Sfenner * captured packets will have an LLC header, and, 101098530Sfenner * while there's a socket ioctl to *set* the encapsulation 101198530Sfenner * type, there's no ioctl to *get* the encapsulation type. 101298530Sfenner * 101398530Sfenner * This means that 101498530Sfenner * 101598530Sfenner * programs that dissect Linux Classical IP frames 101698530Sfenner * would have to check for an LLC header and, 101798530Sfenner * depending on whether they see one or not, dissect 101898530Sfenner * the frame as LLC-encapsulated or as raw IP (I 101998530Sfenner * don't know whether there's any traffic other than 102098530Sfenner * IP that would show up on the socket, or whether 102198530Sfenner * there's any support for IPv6 in the Linux 102298530Sfenner * Classical IP code); 102398530Sfenner * 102498530Sfenner * filter expressions would have to compile into 102598530Sfenner * code that checks for an LLC header and does 102698530Sfenner * the right thing. 102798530Sfenner * 102898530Sfenner * Both of those are a nuisance - and, at least on systems 102998530Sfenner * that support PF_PACKET sockets, we don't have to put 103098530Sfenner * up with those nuisances; instead, we can just capture 1031127664Sbms * in cooked mode. That's what we'll do, if we can. 1032127664Sbms * Otherwise, we'll just fail. 103398530Sfenner */ 1034127664Sbms if (cooked_ok) 1035127664Sbms handle->linktype = DLT_LINUX_SLL; 1036127664Sbms else 1037127664Sbms handle->linktype = -1; 103898530Sfenner break; 103939291Sfenner 104098530Sfenner#ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ 104198530Sfenner#define ARPHRD_IEEE80211 801 104298530Sfenner#endif 104398530Sfenner case ARPHRD_IEEE80211: 104498530Sfenner handle->linktype = DLT_IEEE802_11; 104598530Sfenner break; 104698530Sfenner 1047127664Sbms#ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ 1048127664Sbms#define ARPHRD_IEEE80211_PRISM 802 1049127664Sbms#endif 1050127664Sbms case ARPHRD_IEEE80211_PRISM: 1051127664Sbms handle->linktype = DLT_PRISM_HEADER; 1052127664Sbms break; 1053127664Sbms 105475107Sfenner case ARPHRD_PPP: 105598530Sfenner /* 105698530Sfenner * Some PPP code in the kernel supplies no link-layer 105798530Sfenner * header whatsoever to PF_PACKET sockets; other PPP 105898530Sfenner * code supplies PPP link-layer headers ("syncppp.c"); 105998530Sfenner * some PPP code might supply random link-layer 106098530Sfenner * headers (PPP over ISDN - there's code in Ethereal, 106198530Sfenner * for example, to cope with PPP-over-ISDN captures 106298530Sfenner * with which the Ethereal developers have had to cope, 106398530Sfenner * heuristically trying to determine which of the 106498530Sfenner * oddball link-layer headers particular packets have). 106598530Sfenner * 106698530Sfenner * As such, we just punt, and run all PPP interfaces 1067127664Sbms * in cooked mode, if we can; otherwise, we just treat 1068127664Sbms * it as DLT_RAW, for now - if somebody needs to capture, 1069127664Sbms * on a 2.0[.x] kernel, on PPP devices that supply a 1070127664Sbms * link-layer header, they'll have to add code here to 1071127664Sbms * map to the appropriate DLT_ type (possibly adding a 1072127664Sbms * new DLT_ type, if necessary). 107398530Sfenner */ 1074127664Sbms if (cooked_ok) 1075127664Sbms handle->linktype = DLT_LINUX_SLL; 1076127664Sbms else { 1077127664Sbms /* 1078127664Sbms * XXX - handle ISDN types here? We can't fall 1079127664Sbms * back on cooked sockets, so we'd have to 1080127664Sbms * figure out from the device name what type of 1081127664Sbms * link-layer encapsulation it's using, and map 1082127664Sbms * that to an appropriate DLT_ value, meaning 1083127664Sbms * we'd map "isdnN" devices to DLT_RAW (they 1084127664Sbms * supply raw IP packets with no link-layer 1085127664Sbms * header) and "isdY" devices to a new DLT_I4L_IP 1086127664Sbms * type that has only an Ethernet packet type as 1087127664Sbms * a link-layer header. 1088127664Sbms * 1089127664Sbms * But sometimes we seem to get random crap 1090127664Sbms * in the link-layer header when capturing on 1091127664Sbms * ISDN devices.... 1092127664Sbms */ 1093127664Sbms handle->linktype = DLT_RAW; 1094127664Sbms } 109598530Sfenner break; 109698530Sfenner 1097127664Sbms#ifndef ARPHRD_CISCO 1098127664Sbms#define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */ 1099127664Sbms#endif 1100127664Sbms case ARPHRD_CISCO: 110198530Sfenner handle->linktype = DLT_C_HDLC; 110298530Sfenner break; 110398530Sfenner 110475107Sfenner /* Not sure if this is correct for all tunnels, but it 110575107Sfenner * works for CIPE */ 110675107Sfenner case ARPHRD_TUNNEL: 110775107Sfenner#ifndef ARPHRD_SIT 1108127664Sbms#define ARPHRD_SIT 776 /* From Linux 2.2.13 */ 110975107Sfenner#endif 111075107Sfenner case ARPHRD_SIT: 111175107Sfenner case ARPHRD_CSLIP: 111275107Sfenner case ARPHRD_SLIP6: 111375107Sfenner case ARPHRD_CSLIP6: 111498530Sfenner case ARPHRD_ADAPT: 111598530Sfenner case ARPHRD_SLIP: 1116127664Sbms#ifndef ARPHRD_RAWHDLC 1117127664Sbms#define ARPHRD_RAWHDLC 518 1118127664Sbms#endif 1119127664Sbms case ARPHRD_RAWHDLC: 1120127664Sbms#ifndef ARPHRD_DLCI 1121127664Sbms#define ARPHRD_DLCI 15 1122127664Sbms#endif 1123127664Sbms case ARPHRD_DLCI: 112498530Sfenner /* 112598530Sfenner * XXX - should some of those be mapped to DLT_LINUX_SLL 112698530Sfenner * instead? Should we just map all of them to DLT_LINUX_SLL? 112798530Sfenner */ 112898530Sfenner handle->linktype = DLT_RAW; 112998530Sfenner break; 113098530Sfenner 1131127664Sbms#ifndef ARPHRD_FRAD 1132127664Sbms#define ARPHRD_FRAD 770 1133127664Sbms#endif 1134127664Sbms case ARPHRD_FRAD: 1135127664Sbms handle->linktype = DLT_FRELAY; 1136127664Sbms break; 1137127664Sbms 113898530Sfenner case ARPHRD_LOCALTLK: 113998530Sfenner handle->linktype = DLT_LTALK; 114098530Sfenner break; 114198530Sfenner 1142127664Sbms#ifndef ARPHRD_FCPP 1143127664Sbms#define ARPHRD_FCPP 784 1144127664Sbms#endif 1145127664Sbms case ARPHRD_FCPP: 1146127664Sbms#ifndef ARPHRD_FCAL 1147127664Sbms#define ARPHRD_FCAL 785 1148127664Sbms#endif 1149127664Sbms case ARPHRD_FCAL: 1150127664Sbms#ifndef ARPHRD_FCPL 1151127664Sbms#define ARPHRD_FCPL 786 1152127664Sbms#endif 1153127664Sbms case ARPHRD_FCPL: 1154127664Sbms#ifndef ARPHRD_FCFABRIC 1155127664Sbms#define ARPHRD_FCFABRIC 787 1156127664Sbms#endif 1157127664Sbms case ARPHRD_FCFABRIC: 1158127664Sbms /* 1159127664Sbms * We assume that those all mean RFC 2625 IP-over- 1160127664Sbms * Fibre Channel, with the RFC 2625 header at 1161127664Sbms * the beginning of the packet. 1162127664Sbms */ 1163127664Sbms handle->linktype = DLT_IP_OVER_FC; 1164127664Sbms break; 1165127664Sbms 1166127664Sbms case ARPHRD_IRDA: 1167127664Sbms /* Don't expect IP packet out of this interfaces... */ 1168127664Sbms handle->linktype = DLT_LINUX_IRDA; 1169127664Sbms /* We need to save packet direction for IrDA decoding, 1170127664Sbms * so let's use "Linux-cooked" mode. Jean II */ 1171127664Sbms //handle->md.cooked = 1; 1172127664Sbms break; 1173127664Sbms 117498530Sfenner default: 117598530Sfenner handle->linktype = -1; 117698530Sfenner break; 117775107Sfenner } 117875107Sfenner} 117939291Sfenner 118075107Sfenner/* ===== Functions to interface to the newer kernels ================== */ 118139291Sfenner 118275107Sfenner/* 118375107Sfenner * Try to open a packet socket using the new kernel interface. 118475107Sfenner * Returns 0 on failure. 118575107Sfenner * FIXME: 0 uses to mean success (Sebastian) 118675107Sfenner */ 118775107Sfennerstatic int 1188127664Sbmslive_open_new(pcap_t *handle, const char *device, int promisc, 118975107Sfenner int to_ms, char *ebuf) 119075107Sfenner{ 119175107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 119298530Sfenner int sock_fd = -1, device_id, arptype; 1193127664Sbms int err; 1194127664Sbms int fatal_err = 0; 119575107Sfenner struct packet_mreq mr; 119639291Sfenner 119775107Sfenner /* One shot loop used for error handling - bail out with break */ 119839291Sfenner 119975107Sfenner do { 120075107Sfenner /* 120175107Sfenner * Open a socket with protocol family packet. If a device is 1202127664Sbms * given we try to open it in raw mode otherwise we use 1203127664Sbms * the cooked interface. 120475107Sfenner */ 1205127664Sbms sock_fd = device ? 120675107Sfenner socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) 120775107Sfenner : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); 120839291Sfenner 120975107Sfenner if (sock_fd == -1) { 121075107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s", 121175107Sfenner pcap_strerror(errno) ); 121275107Sfenner break; 121375107Sfenner } 121439291Sfenner 121575107Sfenner /* It seems the kernel supports the new interface. */ 121675107Sfenner handle->md.sock_packet = 0; 121775107Sfenner 121875107Sfenner /* 121975107Sfenner * Get the interface index of the loopback device. 122075107Sfenner * If the attempt fails, don't fail, just set the 122175107Sfenner * "md.lo_ifindex" to -1. 122275107Sfenner * 122375107Sfenner * XXX - can there be more than one device that loops 122475107Sfenner * packets back, i.e. devices other than "lo"? If so, 122575107Sfenner * we'd need to find them all, and have an array of 122675107Sfenner * indices for them, and check all of them in 122775107Sfenner * "pcap_read_packet()". 122875107Sfenner */ 122975107Sfenner handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf); 123075107Sfenner 123175107Sfenner /* 123298530Sfenner * Default value for offset to align link-layer payload 123398530Sfenner * on a 4-byte boundary. 123498530Sfenner */ 123598530Sfenner handle->offset = 0; 123698530Sfenner 123798530Sfenner /* 1238127664Sbms * What kind of frames do we have to deal with? Fall back 1239127664Sbms * to cooked mode if we have an unknown interface type. 124075107Sfenner */ 124175107Sfenner 124275107Sfenner if (device) { 124375107Sfenner /* Assume for now we don't need cooked mode. */ 124475107Sfenner handle->md.cooked = 0; 124575107Sfenner 124675107Sfenner arptype = iface_get_arptype(sock_fd, device, ebuf); 1247127664Sbms if (arptype == -1) { 1248127664Sbms fatal_err = 1; 124975107Sfenner break; 1250127664Sbms } 1251127664Sbms map_arphrd_to_dlt(handle, arptype, 1); 125275107Sfenner if (handle->linktype == -1 || 125398530Sfenner handle->linktype == DLT_LINUX_SLL || 1254127664Sbms handle->linktype == DLT_LINUX_IRDA || 125575107Sfenner (handle->linktype == DLT_EN10MB && 125675107Sfenner (strncmp("isdn", device, 4) == 0 || 125798530Sfenner strncmp("isdY", device, 4) == 0))) { 125875107Sfenner /* 125998530Sfenner * Unknown interface type (-1), or a 126098530Sfenner * device we explicitly chose to run 126198530Sfenner * in cooked mode (e.g., PPP devices), 126298530Sfenner * or an ISDN device (whose link-layer 126398530Sfenner * type we can only determine by using 126498530Sfenner * APIs that may be different on different 126575107Sfenner * kernels) - reopen in cooked mode. 126675107Sfenner */ 126775107Sfenner if (close(sock_fd) == -1) { 126875107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 126975107Sfenner "close: %s", pcap_strerror(errno)); 127075107Sfenner break; 127175107Sfenner } 1272127664Sbms sock_fd = socket(PF_PACKET, SOCK_DGRAM, 127375107Sfenner htons(ETH_P_ALL)); 127475107Sfenner if (sock_fd == -1) { 127575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 127675107Sfenner "socket: %s", pcap_strerror(errno)); 127775107Sfenner break; 127875107Sfenner } 127975107Sfenner handle->md.cooked = 1; 128075107Sfenner 128175107Sfenner if (handle->linktype == -1) { 128275107Sfenner /* 128375107Sfenner * Warn that we're falling back on 128475107Sfenner * cooked mode; we may want to 128575107Sfenner * update "map_arphrd_to_dlt()" 128675107Sfenner * to handle the new type. 128775107Sfenner */ 128898530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 128998530Sfenner "arptype %d not " 129075107Sfenner "supported by libpcap - " 129175107Sfenner "falling back to cooked " 129298530Sfenner "socket", 129375107Sfenner arptype); 129475107Sfenner } 1295127664Sbms /* IrDA capture is not a real "cooked" capture, 1296127664Sbms * it's IrLAP frames, not IP packets. */ 1297127664Sbms if(handle->linktype != DLT_LINUX_IRDA) 1298127664Sbms handle->linktype = DLT_LINUX_SLL; 129975107Sfenner } 130075107Sfenner 130175107Sfenner device_id = iface_get_id(sock_fd, device, ebuf); 130275107Sfenner if (device_id == -1) 130375107Sfenner break; 130475107Sfenner 1305127664Sbms if ((err = iface_bind(sock_fd, device_id, ebuf)) < 0) { 1306127664Sbms if (err == -2) 1307127664Sbms fatal_err = 1; 130875107Sfenner break; 1309127664Sbms } 131075107Sfenner } else { 131175107Sfenner /* 131275107Sfenner * This is cooked mode. 131375107Sfenner */ 131475107Sfenner handle->md.cooked = 1; 131575107Sfenner handle->linktype = DLT_LINUX_SLL; 131675107Sfenner 131775107Sfenner /* 131875107Sfenner * XXX - squelch GCC complaints about 131975107Sfenner * uninitialized variables; if we can't 132075107Sfenner * select promiscuous mode on all interfaces, 132175107Sfenner * we should move the code below into the 132275107Sfenner * "if (device)" branch of the "if" and 132375107Sfenner * get rid of the next statement. 132475107Sfenner */ 132575107Sfenner device_id = -1; 132675107Sfenner } 132775107Sfenner 1328127664Sbms /* 1329127664Sbms * Select promiscuous mode on if "promisc" is set. 1330127664Sbms * 1331127664Sbms * Do not turn allmulti mode on if we don't select 1332127664Sbms * promiscuous mode - on some devices (e.g., Orinoco 1333127664Sbms * wireless interfaces), allmulti mode isn't supported 1334127664Sbms * and the driver implements it by turning promiscuous 1335127664Sbms * mode on, and that screws up the operation of the 1336127664Sbms * card as a normal networking interface, and on no 1337127664Sbms * other platform I know of does starting a non- 1338127664Sbms * promiscuous capture affect which multicast packets 1339127664Sbms * are received by the interface. 1340127664Sbms */ 134175107Sfenner 1342127664Sbms /* 134375107Sfenner * Hmm, how can we set promiscuous mode on all interfaces? 134475107Sfenner * I am not sure if that is possible at all. 134575107Sfenner */ 134675107Sfenner 1347127664Sbms if (device && promisc) { 134875107Sfenner memset(&mr, 0, sizeof(mr)); 134975107Sfenner mr.mr_ifindex = device_id; 1350127664Sbms mr.mr_type = PACKET_MR_PROMISC; 1351127664Sbms if (setsockopt(sock_fd, SOL_PACKET, 135275107Sfenner PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1) 135375107Sfenner { 1354127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 135575107Sfenner "setsockopt: %s", pcap_strerror(errno)); 135675107Sfenner break; 135775107Sfenner } 135875107Sfenner } 135939291Sfenner 136098530Sfenner /* Save the socket FD in the pcap structure */ 136175107Sfenner 136275107Sfenner handle->fd = sock_fd; 136375107Sfenner 136475107Sfenner return 1; 136575107Sfenner 136675107Sfenner } while(0); 136775107Sfenner 136875107Sfenner if (sock_fd != -1) 136975107Sfenner close(sock_fd); 1370127664Sbms 1371127664Sbms if (fatal_err) 1372127664Sbms return -2; 1373127664Sbms else 1374127664Sbms return 0; 137575107Sfenner#else 1376127664Sbms strncpy(ebuf, 1377127664Sbms "New packet capturing interface not supported by build " 137875107Sfenner "environment", PCAP_ERRBUF_SIZE); 137975107Sfenner return 0; 138039291Sfenner#endif 138175107Sfenner} 138239291Sfenner 138375107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 138475107Sfenner/* 1385127664Sbms * Return the index of the given device name. Fill ebuf and return 138675107Sfenner * -1 on failure. 138775107Sfenner */ 138875107Sfennerstatic int 138975107Sfenneriface_get_id(int fd, const char *device, char *ebuf) 139075107Sfenner{ 139175107Sfenner struct ifreq ifr; 139226175Sfenner 139339291Sfenner memset(&ifr, 0, sizeof(ifr)); 139439291Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 139575107Sfenner 139675107Sfenner if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 139775107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 139875107Sfenner "ioctl: %s", pcap_strerror(errno)); 139975107Sfenner return -1; 140026175Sfenner } 140126175Sfenner 140275107Sfenner return ifr.ifr_ifindex; 140375107Sfenner} 140426175Sfenner 140575107Sfenner/* 1406127664Sbms * Bind the socket associated with FD to the given device. 140775107Sfenner */ 140875107Sfennerstatic int 140975107Sfenneriface_bind(int fd, int ifindex, char *ebuf) 141075107Sfenner{ 141175107Sfenner struct sockaddr_ll sll; 1412127664Sbms int err; 1413127664Sbms socklen_t errlen = sizeof(err); 141475107Sfenner 141575107Sfenner memset(&sll, 0, sizeof(sll)); 141675107Sfenner sll.sll_family = AF_PACKET; 141775107Sfenner sll.sll_ifindex = ifindex; 141875107Sfenner sll.sll_protocol = htons(ETH_P_ALL); 141975107Sfenner 142075107Sfenner if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 142175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 142275107Sfenner "bind: %s", pcap_strerror(errno)); 142375107Sfenner return -1; 142426175Sfenner } 142526175Sfenner 1426127664Sbms /* Any pending errors, e.g., network is down? */ 1427127664Sbms 1428127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 1429127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1430127664Sbms "getsockopt: %s", pcap_strerror(errno)); 1431127664Sbms return -2; 1432127664Sbms } 1433127664Sbms 1434127664Sbms if (err > 0) { 1435127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1436127664Sbms "bind: %s", pcap_strerror(err)); 1437127664Sbms return -2; 1438127664Sbms } 1439127664Sbms 144075107Sfenner return 0; 144175107Sfenner} 144275107Sfenner 144375107Sfenner#endif 144475107Sfenner 144575107Sfenner 144675107Sfenner/* ===== Functions to interface to the older kernels ================== */ 144775107Sfenner 144875107Sfenner/* 144975107Sfenner * With older kernels promiscuous mode is kind of interesting because we 145075107Sfenner * have to reset the interface before exiting. The problem can't really 1451127664Sbms * be solved without some daemon taking care of managing usage counts. 145275107Sfenner * If we put the interface into promiscuous mode, we set a flag indicating 145375107Sfenner * that we must take it out of that mode when the interface is closed, 145475107Sfenner * and, when closing the interface, if that flag is set we take it out 145575107Sfenner * of promiscuous mode. 145675107Sfenner */ 145775107Sfenner 145875107Sfenner/* 145975107Sfenner * List of pcaps for which we turned promiscuous mode on by hand. 146075107Sfenner * If there are any such pcaps, we arrange to call "pcap_close_all()" 146175107Sfenner * when we exit, and have it close all of them to turn promiscuous mode 146275107Sfenner * off. 146375107Sfenner */ 146475107Sfennerstatic struct pcap *pcaps_to_close; 146575107Sfenner 146675107Sfenner/* 146775107Sfenner * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to 146875107Sfenner * be called on exit. 146975107Sfenner */ 147075107Sfennerstatic int did_atexit; 147175107Sfenner 147275107Sfennerstatic void pcap_close_all(void) 147375107Sfenner{ 147475107Sfenner struct pcap *handle; 147575107Sfenner 147675107Sfenner while ((handle = pcaps_to_close) != NULL) 147775107Sfenner pcap_close(handle); 147875107Sfenner} 147975107Sfenner 1480127664Sbmsstatic void pcap_close_linux( pcap_t *handle ) 148175107Sfenner{ 148275107Sfenner struct pcap *p, *prevp; 148375107Sfenner struct ifreq ifr; 148475107Sfenner 148575107Sfenner if (handle->md.clear_promisc) { 148675107Sfenner /* 148775107Sfenner * We put the interface into promiscuous mode; take 148875107Sfenner * it out of promiscuous mode. 148975107Sfenner * 149075107Sfenner * XXX - if somebody else wants it in promiscuous mode, 149175107Sfenner * this code cannot know that, so it'll take it out 149275107Sfenner * of promiscuous mode. That's not fixable in 2.0[.x] 149375107Sfenner * kernels. 149475107Sfenner */ 149526175Sfenner memset(&ifr, 0, sizeof(ifr)); 149675107Sfenner strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)); 149775107Sfenner if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 1498127664Sbms fprintf(stderr, 149975107Sfenner "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" 150075107Sfenner "Please adjust manually.\n" 150175107Sfenner "Hint: This can't happen with Linux >= 2.2.0.\n", 150275107Sfenner strerror(errno)); 150375107Sfenner } else { 150475107Sfenner if (ifr.ifr_flags & IFF_PROMISC) { 150575107Sfenner /* 150675107Sfenner * Promiscuous mode is currently on; turn it 150775107Sfenner * off. 150875107Sfenner */ 150975107Sfenner ifr.ifr_flags &= ~IFF_PROMISC; 151075107Sfenner if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 1511127664Sbms fprintf(stderr, 151275107Sfenner "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" 151375107Sfenner "Please adjust manually.\n" 151475107Sfenner "Hint: This can't happen with Linux >= 2.2.0.\n", 151575107Sfenner strerror(errno)); 151675107Sfenner } 151775107Sfenner } 151826175Sfenner } 151975107Sfenner 152075107Sfenner /* 152175107Sfenner * Take this pcap out of the list of pcaps for which we 152275107Sfenner * have to take the interface out of promiscuous mode. 152375107Sfenner */ 152475107Sfenner for (p = pcaps_to_close, prevp = NULL; p != NULL; 152575107Sfenner prevp = p, p = p->md.next) { 152675107Sfenner if (p == handle) { 152775107Sfenner /* 152875107Sfenner * Found it. Remove it from the list. 152975107Sfenner */ 153075107Sfenner if (prevp == NULL) { 153175107Sfenner /* 153275107Sfenner * It was at the head of the list. 153375107Sfenner */ 153475107Sfenner pcaps_to_close = p->md.next; 153575107Sfenner } else { 153675107Sfenner /* 153775107Sfenner * It was in the middle of the list. 153875107Sfenner */ 153975107Sfenner prevp->md.next = p->md.next; 154075107Sfenner } 154175107Sfenner break; 154275107Sfenner } 154326175Sfenner } 154426175Sfenner } 1545127664Sbms 154675107Sfenner if (handle->md.device != NULL) 154775107Sfenner free(handle->md.device); 1548127664Sbms handle->md.device = NULL; 1549127664Sbms if (handle->buffer != NULL) 1550127664Sbms free(handle->buffer); 1551127664Sbms if (handle->fd >= 0) 1552127664Sbms close(handle->fd); 155375107Sfenner} 155426175Sfenner 155575107Sfenner/* 155675107Sfenner * Try to open a packet socket using the old kernel interface. 155775107Sfenner * Returns 0 on failure. 155875107Sfenner * FIXME: 0 uses to mean success (Sebastian) 155975107Sfenner */ 156075107Sfennerstatic int 1561127664Sbmslive_open_old(pcap_t *handle, const char *device, int promisc, 156275107Sfenner int to_ms, char *ebuf) 156375107Sfenner{ 1564127664Sbms int arptype; 156575107Sfenner struct ifreq ifr; 156675107Sfenner 156775107Sfenner do { 156875107Sfenner /* Open the socket */ 156975107Sfenner 1570127664Sbms handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 1571127664Sbms if (handle->fd == -1) { 157275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 157375107Sfenner "socket: %s", pcap_strerror(errno)); 157475107Sfenner break; 157575107Sfenner } 157675107Sfenner 157775107Sfenner /* It worked - we are using the old interface */ 157875107Sfenner handle->md.sock_packet = 1; 157975107Sfenner 158075107Sfenner /* ...which means we get the link-layer header. */ 158175107Sfenner handle->md.cooked = 0; 158275107Sfenner 158375107Sfenner /* Bind to the given device */ 158475107Sfenner 158575107Sfenner if (!device) { 158675107Sfenner strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 158775107Sfenner PCAP_ERRBUF_SIZE); 158875107Sfenner break; 158975107Sfenner } 1590127664Sbms if (iface_bind_old(handle->fd, device, ebuf) == -1) 159175107Sfenner break; 159275107Sfenner 1593127664Sbms /* 1594127664Sbms * Try to get the link-layer type. 1595127664Sbms */ 1596127664Sbms arptype = iface_get_arptype(handle->fd, device, ebuf); 1597127664Sbms if (arptype == -1) 1598127664Sbms break; 1599127664Sbms 1600127664Sbms /* 1601127664Sbms * Try to find the DLT_ type corresponding to that 1602127664Sbms * link-layer type. 1603127664Sbms */ 1604127664Sbms map_arphrd_to_dlt(handle, arptype, 0); 1605127664Sbms if (handle->linktype == -1) { 1606127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1607127664Sbms "unknown arptype %d", arptype); 1608127664Sbms break; 1609127664Sbms } 1610127664Sbms 1611127664Sbms /* Go to promisc mode if requested */ 1612127664Sbms 161375107Sfenner if (promisc) { 161475107Sfenner memset(&ifr, 0, sizeof(ifr)); 161575107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 1616127664Sbms if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 161775107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 161875107Sfenner "ioctl: %s", pcap_strerror(errno)); 161975107Sfenner break; 162075107Sfenner } 162175107Sfenner if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 162275107Sfenner /* 162375107Sfenner * Promiscuous mode isn't currently on, 162475107Sfenner * so turn it on, and remember that 162575107Sfenner * we should turn it off when the 162675107Sfenner * pcap_t is closed. 162775107Sfenner */ 162875107Sfenner 162975107Sfenner /* 163075107Sfenner * If we haven't already done so, arrange 163175107Sfenner * to have "pcap_close_all()" called when 163275107Sfenner * we exit. 163375107Sfenner */ 163475107Sfenner if (!did_atexit) { 163575107Sfenner if (atexit(pcap_close_all) == -1) { 163675107Sfenner /* 163775107Sfenner * "atexit()" failed; don't 163875107Sfenner * put the interface in 163975107Sfenner * promiscuous mode, just 164075107Sfenner * give up. 164175107Sfenner */ 164275107Sfenner strncpy(ebuf, "atexit failed", 164375107Sfenner PCAP_ERRBUF_SIZE); 164475107Sfenner break; 164575107Sfenner } 1646127664Sbms did_atexit = 1; 164775107Sfenner } 164875107Sfenner 164975107Sfenner ifr.ifr_flags |= IFF_PROMISC; 1650127664Sbms if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 165175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 165275107Sfenner "ioctl: %s", 165375107Sfenner pcap_strerror(errno)); 165475107Sfenner break; 165575107Sfenner } 165675107Sfenner handle->md.clear_promisc = 1; 165775107Sfenner 165875107Sfenner /* 165975107Sfenner * Add this to the list of pcaps 166075107Sfenner * to close when we exit. 166175107Sfenner */ 166275107Sfenner handle->md.next = pcaps_to_close; 166375107Sfenner pcaps_to_close = handle; 166475107Sfenner } 166575107Sfenner } 166675107Sfenner 166798530Sfenner /* 166898530Sfenner * Default value for offset to align link-layer payload 166998530Sfenner * on a 4-byte boundary. 167098530Sfenner */ 167175107Sfenner handle->offset = 0; 167298530Sfenner 167375107Sfenner return 1; 167475107Sfenner 167575107Sfenner } while (0); 167675107Sfenner 1677127664Sbms pcap_close_linux(handle); 167875107Sfenner return 0; 167975107Sfenner} 168075107Sfenner 168175107Sfenner/* 1682127664Sbms * Bind the socket associated with FD to the given device using the 168375107Sfenner * interface of the old kernels. 168475107Sfenner */ 168575107Sfennerstatic int 168675107Sfenneriface_bind_old(int fd, const char *device, char *ebuf) 168775107Sfenner{ 168875107Sfenner struct sockaddr saddr; 1689127664Sbms int err; 1690127664Sbms socklen_t errlen = sizeof(err); 169175107Sfenner 169275107Sfenner memset(&saddr, 0, sizeof(saddr)); 169375107Sfenner strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 169475107Sfenner if (bind(fd, &saddr, sizeof(saddr)) == -1) { 169575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 169675107Sfenner "bind: %s", pcap_strerror(errno)); 169775107Sfenner return -1; 169826175Sfenner } 169926175Sfenner 1700127664Sbms /* Any pending errors, e.g., network is down? */ 1701127664Sbms 1702127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 1703127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1704127664Sbms "getsockopt: %s", pcap_strerror(errno)); 1705127664Sbms return -1; 1706127664Sbms } 1707127664Sbms 1708127664Sbms if (err > 0) { 1709127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1710127664Sbms "bind: %s", pcap_strerror(err)); 1711127664Sbms return -1; 1712127664Sbms } 1713127664Sbms 171475107Sfenner return 0; 171526175Sfenner} 171626175Sfenner 171775107Sfenner 171875107Sfenner/* ===== System calls available on all supported kernels ============== */ 171975107Sfenner 172075107Sfenner/* 1721127664Sbms * Query the kernel for the MTU of the given interface. 172275107Sfenner */ 172375107Sfennerstatic int 172475107Sfenneriface_get_mtu(int fd, const char *device, char *ebuf) 172526175Sfenner{ 172675107Sfenner struct ifreq ifr; 172726175Sfenner 172875107Sfenner if (!device) 172975107Sfenner return BIGGER_THAN_ALL_MTUS; 173075107Sfenner 173175107Sfenner memset(&ifr, 0, sizeof(ifr)); 173275107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 173375107Sfenner 173475107Sfenner if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 173575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 173675107Sfenner "ioctl: %s", pcap_strerror(errno)); 173775107Sfenner return -1; 173875107Sfenner } 173975107Sfenner 174075107Sfenner return ifr.ifr_mtu; 174126175Sfenner} 174226175Sfenner 174375107Sfenner/* 174475107Sfenner * Get the hardware type of the given interface as ARPHRD_xxx constant. 174575107Sfenner */ 174675107Sfennerstatic int 174775107Sfenneriface_get_arptype(int fd, const char *device, char *ebuf) 174826175Sfenner{ 174975107Sfenner struct ifreq ifr; 175026175Sfenner 175175107Sfenner memset(&ifr, 0, sizeof(ifr)); 175275107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 175375107Sfenner 175475107Sfenner if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 175575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 175675107Sfenner "ioctl: %s", pcap_strerror(errno)); 175775107Sfenner return -1; 175875107Sfenner } 175975107Sfenner 176075107Sfenner return ifr.ifr_hwaddr.sa_family; 176126175Sfenner} 176275107Sfenner 176398530Sfenner#ifdef SO_ATTACH_FILTER 176475107Sfennerstatic int 176575107Sfennerfix_program(pcap_t *handle, struct sock_fprog *fcode) 176675107Sfenner{ 176775107Sfenner size_t prog_size; 176875107Sfenner register int i; 176975107Sfenner register struct bpf_insn *p; 177075107Sfenner struct bpf_insn *f; 177175107Sfenner int len; 177275107Sfenner 177375107Sfenner /* 177475107Sfenner * Make a copy of the filter, and modify that copy if 177575107Sfenner * necessary. 177675107Sfenner */ 177775107Sfenner prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 177875107Sfenner len = handle->fcode.bf_len; 177975107Sfenner f = (struct bpf_insn *)malloc(prog_size); 178075107Sfenner if (f == NULL) { 178175107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 178275107Sfenner "malloc: %s", pcap_strerror(errno)); 178375107Sfenner return -1; 178475107Sfenner } 178575107Sfenner memcpy(f, handle->fcode.bf_insns, prog_size); 178675107Sfenner fcode->len = len; 178775107Sfenner fcode->filter = (struct sock_filter *) f; 178875107Sfenner 178975107Sfenner for (i = 0; i < len; ++i) { 179075107Sfenner p = &f[i]; 179175107Sfenner /* 179275107Sfenner * What type of instruction is this? 179375107Sfenner */ 179475107Sfenner switch (BPF_CLASS(p->code)) { 179575107Sfenner 179675107Sfenner case BPF_RET: 179775107Sfenner /* 179875107Sfenner * It's a return instruction; is the snapshot 179975107Sfenner * length a constant, rather than the contents 180075107Sfenner * of the accumulator? 180175107Sfenner */ 180275107Sfenner if (BPF_MODE(p->code) == BPF_K) { 180375107Sfenner /* 180475107Sfenner * Yes - if the value to be returned, 180575107Sfenner * i.e. the snapshot length, is anything 180675107Sfenner * other than 0, make it 65535, so that 180775107Sfenner * the packet is truncated by "recvfrom()", 180875107Sfenner * not by the filter. 180975107Sfenner * 181075107Sfenner * XXX - there's nothing we can easily do 181175107Sfenner * if it's getting the value from the 181275107Sfenner * accumulator; we'd have to insert 181375107Sfenner * code to force non-zero values to be 181475107Sfenner * 65535. 181575107Sfenner */ 181675107Sfenner if (p->k != 0) 181775107Sfenner p->k = 65535; 181875107Sfenner } 181975107Sfenner break; 182075107Sfenner 182175107Sfenner case BPF_LD: 182275107Sfenner case BPF_LDX: 182375107Sfenner /* 182475107Sfenner * It's a load instruction; is it loading 182575107Sfenner * from the packet? 182675107Sfenner */ 182775107Sfenner switch (BPF_MODE(p->code)) { 182875107Sfenner 182975107Sfenner case BPF_ABS: 183075107Sfenner case BPF_IND: 183175107Sfenner case BPF_MSH: 183275107Sfenner /* 183375107Sfenner * Yes; are we in cooked mode? 183475107Sfenner */ 183575107Sfenner if (handle->md.cooked) { 183675107Sfenner /* 183775107Sfenner * Yes, so we need to fix this 183875107Sfenner * instruction. 183975107Sfenner */ 184075107Sfenner if (fix_offset(p) < 0) { 184175107Sfenner /* 184275107Sfenner * We failed to do so. 184375107Sfenner * Return 0, so our caller 184475107Sfenner * knows to punt to userland. 184575107Sfenner */ 184675107Sfenner return 0; 184775107Sfenner } 184875107Sfenner } 184975107Sfenner break; 185075107Sfenner } 185175107Sfenner break; 185275107Sfenner } 185375107Sfenner } 185475107Sfenner return 1; /* we succeeded */ 185575107Sfenner} 185675107Sfenner 185775107Sfennerstatic int 185875107Sfennerfix_offset(struct bpf_insn *p) 185975107Sfenner{ 186075107Sfenner /* 186175107Sfenner * What's the offset? 186275107Sfenner */ 186375107Sfenner if (p->k >= SLL_HDR_LEN) { 186475107Sfenner /* 186575107Sfenner * It's within the link-layer payload; that starts at an 186675107Sfenner * offset of 0, as far as the kernel packet filter is 186775107Sfenner * concerned, so subtract the length of the link-layer 186875107Sfenner * header. 186975107Sfenner */ 187075107Sfenner p->k -= SLL_HDR_LEN; 187175107Sfenner } else if (p->k == 14) { 187275107Sfenner /* 187375107Sfenner * It's the protocol field; map it to the special magic 187475107Sfenner * kernel offset for that field. 187575107Sfenner */ 187675107Sfenner p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 187775107Sfenner } else { 187875107Sfenner /* 187975107Sfenner * It's within the header, but it's not one of those 188075107Sfenner * fields; we can't do that in the kernel, so punt 188175107Sfenner * to userland. 188275107Sfenner */ 188375107Sfenner return -1; 188475107Sfenner } 188575107Sfenner return 0; 188675107Sfenner} 188798530Sfenner 188898530Sfennerstatic int 188998530Sfennerset_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) 189098530Sfenner{ 189198530Sfenner int total_filter_on = 0; 189298530Sfenner int save_mode; 189398530Sfenner int ret; 189498530Sfenner int save_errno; 189598530Sfenner 189698530Sfenner /* 189798530Sfenner * The socket filter code doesn't discard all packets queued 189898530Sfenner * up on the socket when the filter is changed; this means 189998530Sfenner * that packets that don't match the new filter may show up 190098530Sfenner * after the new filter is put onto the socket, if those 190198530Sfenner * packets haven't yet been read. 190298530Sfenner * 190398530Sfenner * This means, for example, that if you do a tcpdump capture 190498530Sfenner * with a filter, the first few packets in the capture might 190598530Sfenner * be packets that wouldn't have passed the filter. 190698530Sfenner * 190798530Sfenner * We therefore discard all packets queued up on the socket 190898530Sfenner * when setting a kernel filter. (This isn't an issue for 190998530Sfenner * userland filters, as the userland filtering is done after 191098530Sfenner * packets are queued up.) 191198530Sfenner * 191298530Sfenner * To flush those packets, we put the socket in read-only mode, 191398530Sfenner * and read packets from the socket until there are no more to 191498530Sfenner * read. 191598530Sfenner * 191698530Sfenner * In order to keep that from being an infinite loop - i.e., 191798530Sfenner * to keep more packets from arriving while we're draining 191898530Sfenner * the queue - we put the "total filter", which is a filter 191998530Sfenner * that rejects all packets, onto the socket before draining 192098530Sfenner * the queue. 192198530Sfenner * 192298530Sfenner * This code deliberately ignores any errors, so that you may 192398530Sfenner * get bogus packets if an error occurs, rather than having 192498530Sfenner * the filtering done in userland even if it could have been 192598530Sfenner * done in the kernel. 192698530Sfenner */ 1927127664Sbms if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 192898530Sfenner &total_fcode, sizeof(total_fcode)) == 0) { 192998530Sfenner char drain[1]; 193098530Sfenner 193198530Sfenner /* 193298530Sfenner * Note that we've put the total filter onto the socket. 193398530Sfenner */ 193498530Sfenner total_filter_on = 1; 193598530Sfenner 193698530Sfenner /* 193798530Sfenner * Save the socket's current mode, and put it in 193898530Sfenner * non-blocking mode; we drain it by reading packets 1939127664Sbms * until we get an error (which is normally a 194098530Sfenner * "nothing more to be read" error). 194198530Sfenner */ 194298530Sfenner save_mode = fcntl(handle->fd, F_GETFL, 0); 194398530Sfenner if (save_mode != -1 && 194498530Sfenner fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) { 194598530Sfenner while (recv(handle->fd, &drain, sizeof drain, 194698530Sfenner MSG_TRUNC) >= 0) 194798530Sfenner ; 1948127664Sbms save_errno = errno; 194998530Sfenner fcntl(handle->fd, F_SETFL, save_mode); 1950127664Sbms if (save_errno != EAGAIN) { 1951127664Sbms /* Fatal error */ 1952127664Sbms reset_kernel_filter(handle); 1953127664Sbms snprintf(handle->errbuf, sizeof(handle->errbuf), 1954127664Sbms "recv: %s", pcap_strerror(save_errno)); 1955127664Sbms return -2; 1956127664Sbms } 195798530Sfenner } 195898530Sfenner } 195998530Sfenner 196098530Sfenner /* 196198530Sfenner * Now attach the new filter. 196298530Sfenner */ 1963127664Sbms ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 196498530Sfenner fcode, sizeof(*fcode)); 196598530Sfenner if (ret == -1 && total_filter_on) { 196698530Sfenner /* 196798530Sfenner * Well, we couldn't set that filter on the socket, 196898530Sfenner * but we could set the total filter on the socket. 196998530Sfenner * 197098530Sfenner * This could, for example, mean that the filter was 197198530Sfenner * too big to put into the kernel, so we'll have to 197298530Sfenner * filter in userland; in any case, we'll be doing 197398530Sfenner * filtering in userland, so we need to remove the 197498530Sfenner * total filter so we see packets. 197598530Sfenner */ 197698530Sfenner save_errno = errno; 197798530Sfenner 197898530Sfenner /* 197998530Sfenner * XXX - if this fails, we're really screwed; 198098530Sfenner * we have the total filter on the socket, 198198530Sfenner * and it won't come off. What do we do then? 198298530Sfenner */ 198398530Sfenner reset_kernel_filter(handle); 198498530Sfenner 198598530Sfenner errno = save_errno; 198698530Sfenner } 1987127664Sbms return ret; 198898530Sfenner} 198998530Sfenner 199098530Sfennerstatic int 199198530Sfennerreset_kernel_filter(pcap_t *handle) 199298530Sfenner{ 199398530Sfenner /* setsockopt() barfs unless it get a dummy parameter */ 199498530Sfenner int dummy; 199598530Sfenner 199698530Sfenner return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, 199798530Sfenner &dummy, sizeof(dummy)); 199898530Sfenner} 199975107Sfenner#endif 2000