pcap-linux.c revision 172677
126175Sfenner/* 275107Sfenner * pcap-linux.c: Packet capture interface to the Linux kernel 326175Sfenner * 475107Sfenner * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org> 575107Sfenner * Sebastian Krahmer <krahmer@cs.uni-potsdam.de> 6127664Sbms * 775107Sfenner * License: BSD 8127664Sbms * 975107Sfenner * Redistribution and use in source and binary forms, with or without 1075107Sfenner * modification, are permitted provided that the following conditions 1175107Sfenner * are met: 12127664Sbms * 1375107Sfenner * 1. Redistributions of source code must retain the above copyright 1475107Sfenner * notice, this list of conditions and the following disclaimer. 1575107Sfenner * 2. Redistributions in binary form must reproduce the above copyright 1675107Sfenner * notice, this list of conditions and the following disclaimer in 1775107Sfenner * the documentation and/or other materials provided with the 1875107Sfenner * distribution. 1975107Sfenner * 3. The names of the authors may not be used to endorse or promote 2075107Sfenner * products derived from this software without specific prior 2175107Sfenner * written permission. 22127664Sbms * 2375107Sfenner * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 2475107Sfenner * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 2575107Sfenner * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 2626175Sfenner */ 27127664Sbms 2826175Sfenner#ifndef lint 29127664Sbmsstatic const char rcsid[] _U_ = 30172677Smlaier "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.110.2.14 2006/10/12 17:26:58 guy Exp $ (LBL)"; 3126175Sfenner#endif 3226175Sfenner 3375107Sfenner/* 3475107Sfenner * Known problems with 2.0[.x] kernels: 3575107Sfenner * 3675107Sfenner * - The loopback device gives every packet twice; on 2.2[.x] kernels, 3775107Sfenner * if we use PF_PACKET, we can filter out the transmitted version 3875107Sfenner * of the packet by using data in the "sockaddr_ll" returned by 3975107Sfenner * "recvfrom()", but, on 2.0[.x] kernels, we have to use 4075107Sfenner * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 4175107Sfenner * "sockaddr_pkt" which doesn't give us enough information to let 4275107Sfenner * us do that. 4375107Sfenner * 4475107Sfenner * - We have to set the interface's IFF_PROMISC flag ourselves, if 4575107Sfenner * we're to run in promiscuous mode, which means we have to turn 4675107Sfenner * it off ourselves when we're done; the kernel doesn't keep track 4775107Sfenner * of how many sockets are listening promiscuously, which means 4875107Sfenner * it won't get turned off automatically when no sockets are 4975107Sfenner * listening promiscuously. We catch "pcap_close()" and, for 5075107Sfenner * interfaces we put into promiscuous mode, take them out of 5175107Sfenner * promiscuous mode - which isn't necessarily the right thing to 5275107Sfenner * do, if another socket also requested promiscuous mode between 5375107Sfenner * the time when we opened the socket and the time when we close 5475107Sfenner * the socket. 5598530Sfenner * 5698530Sfenner * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()" 5798530Sfenner * return the amount of data that you could have read, rather than 5898530Sfenner * the amount that was returned, so we can't just allocate a buffer 5998530Sfenner * whose size is the snapshot length and pass the snapshot length 6098530Sfenner * as the byte count, and also pass MSG_TRUNC, so that the return 6198530Sfenner * value tells us how long the packet was on the wire. 6298530Sfenner * 6398530Sfenner * This means that, if we want to get the actual size of the packet, 6498530Sfenner * so we can return it in the "len" field of the packet header, 6598530Sfenner * we have to read the entire packet, not just the part that fits 6698530Sfenner * within the snapshot length, and thus waste CPU time copying data 6798530Sfenner * from the kernel that our caller won't see. 6898530Sfenner * 6998530Sfenner * We have to get the actual size, and supply it in "len", because 7098530Sfenner * otherwise, the IP dissector in tcpdump, for example, will complain 7198530Sfenner * about "truncated-ip", as the packet will appear to have been 7298530Sfenner * shorter, on the wire, than the IP header said it should have been. 7375107Sfenner */ 7426175Sfenner 7575107Sfenner 7675107Sfenner#ifdef HAVE_CONFIG_H 7775107Sfenner#include "config.h" 7839291Sfenner#endif 7926175Sfenner 8075107Sfenner#include "pcap-int.h" 8175107Sfenner#include "sll.h" 8226175Sfenner 83127664Sbms#ifdef HAVE_DAG_API 84127664Sbms#include "pcap-dag.h" 85127664Sbms#endif /* HAVE_DAG_API */ 86147894Ssam 87147894Ssam#ifdef HAVE_SEPTEL_API 88147894Ssam#include "pcap-septel.h" 89147894Ssam#endif /* HAVE_SEPTEL_API */ 90127664Sbms 9126175Sfenner#include <errno.h> 9226175Sfenner#include <stdlib.h> 9375107Sfenner#include <unistd.h> 9475107Sfenner#include <fcntl.h> 9526175Sfenner#include <string.h> 9675107Sfenner#include <sys/socket.h> 9775107Sfenner#include <sys/ioctl.h> 9875107Sfenner#include <sys/utsname.h> 9975107Sfenner#include <net/if.h> 10075107Sfenner#include <netinet/in.h> 10175107Sfenner#include <linux/if_ether.h> 10275107Sfenner#include <net/if_arp.h> 10326175Sfenner 10498530Sfenner/* 10598530Sfenner * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET 10698530Sfenner * sockets rather than SOCK_PACKET sockets. 10798530Sfenner * 10898530Sfenner * To use them, we include <linux/if_packet.h> rather than 10998530Sfenner * <netpacket/packet.h>; we do so because 11098530Sfenner * 11198530Sfenner * some Linux distributions (e.g., Slackware 4.0) have 2.2 or 11298530Sfenner * later kernels and libc5, and don't provide a <netpacket/packet.h> 11398530Sfenner * file; 11498530Sfenner * 11598530Sfenner * not all versions of glibc2 have a <netpacket/packet.h> file 11698530Sfenner * that defines stuff needed for some of the 2.4-or-later-kernel 11798530Sfenner * features, so if the system has a 2.4 or later kernel, we 11898530Sfenner * still can't use those features. 11998530Sfenner * 12098530Sfenner * We're already including a number of other <linux/XXX.h> headers, and 12198530Sfenner * this code is Linux-specific (no other OS has PF_PACKET sockets as 12298530Sfenner * a raw packet capture mechanism), so it's not as if you gain any 12398530Sfenner * useful portability by using <netpacket/packet.h> 12498530Sfenner * 12598530Sfenner * XXX - should we just include <linux/if_packet.h> even if PF_PACKET 12698530Sfenner * isn't defined? It only defines one data structure in 2.0.x, so 12798530Sfenner * it shouldn't cause any problems. 12898530Sfenner */ 129127664Sbms#ifdef PF_PACKET 13098530Sfenner# include <linux/if_packet.h> 13126175Sfenner 13275107Sfenner /* 13398530Sfenner * On at least some Linux distributions (for example, Red Hat 5.2), 13498530Sfenner * there's no <netpacket/packet.h> file, but PF_PACKET is defined if 13598530Sfenner * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 13675107Sfenner * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 13775107Sfenner * the PACKET_xxx stuff. 13875107Sfenner * 13975107Sfenner * So we check whether PACKET_HOST is defined, and assume that we have 14075107Sfenner * PF_PACKET sockets only if it is defined. 14175107Sfenner */ 14275107Sfenner# ifdef PACKET_HOST 14375107Sfenner# define HAVE_PF_PACKET_SOCKETS 14475107Sfenner# endif /* PACKET_HOST */ 14598530Sfenner#endif /* PF_PACKET */ 14675107Sfenner 14775107Sfenner#ifdef SO_ATTACH_FILTER 14875107Sfenner#include <linux/types.h> 14975107Sfenner#include <linux/filter.h> 15026175Sfenner#endif 15126175Sfenner 15275107Sfenner#ifndef __GLIBC__ 15375107Sfennertypedef int socklen_t; 15475107Sfenner#endif 15526175Sfenner 15675107Sfenner#ifndef MSG_TRUNC 15798530Sfenner/* 15898530Sfenner * This is being compiled on a system that lacks MSG_TRUNC; define it 15998530Sfenner * with the value it has in the 2.2 and later kernels, so that, on 16098530Sfenner * those kernels, when we pass it in the flags argument to "recvfrom()" 16198530Sfenner * we're passing the right value and thus get the MSG_TRUNC behavior 16298530Sfenner * we want. (We don't get that behavior on 2.0[.x] kernels, because 16398530Sfenner * they didn't support MSG_TRUNC.) 16498530Sfenner */ 16598530Sfenner#define MSG_TRUNC 0x20 16675107Sfenner#endif 16775107Sfenner 168127664Sbms#ifndef SOL_PACKET 169127664Sbms/* 170127664Sbms * This is being compiled on a system that lacks SOL_PACKET; define it 171127664Sbms * with the value it has in the 2.2 and later kernels, so that we can 172127664Sbms * set promiscuous mode in the good modern way rather than the old 173127664Sbms * 2.0-kernel crappy way. 174127664Sbms */ 175127664Sbms#define SOL_PACKET 263 176127664Sbms#endif 177127664Sbms 17875107Sfenner#define MAX_LINKHEADER_SIZE 256 17975107Sfenner 180127664Sbms/* 181127664Sbms * When capturing on all interfaces we use this as the buffer size. 18275107Sfenner * Should be bigger then all MTUs that occur in real life. 18375107Sfenner * 64kB should be enough for now. 18475107Sfenner */ 18575107Sfenner#define BIGGER_THAN_ALL_MTUS (64*1024) 18675107Sfenner 18775107Sfenner/* 18875107Sfenner * Prototypes for internal functions 18975107Sfenner */ 190127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *, int, int); 191127664Sbmsstatic int live_open_old(pcap_t *, const char *, int, int, char *); 192127664Sbmsstatic int live_open_new(pcap_t *, const char *, int, int, char *); 193127664Sbmsstatic int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *); 19475107Sfennerstatic int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 195146768Ssamstatic int pcap_inject_linux(pcap_t *, const void *, size_t); 196127664Sbmsstatic int pcap_stats_linux(pcap_t *, struct pcap_stat *); 197127664Sbmsstatic int pcap_setfilter_linux(pcap_t *, struct bpf_program *); 198162012Ssamstatic int pcap_setdirection_linux(pcap_t *, pcap_direction_t); 199127664Sbmsstatic void pcap_close_linux(pcap_t *); 20075107Sfenner 20175107Sfenner/* 20275107Sfenner * Wrap some ioctl calls 20375107Sfenner */ 20475107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 20575107Sfennerstatic int iface_get_id(int fd, const char *device, char *ebuf); 20675107Sfenner#endif 20775107Sfennerstatic int iface_get_mtu(int fd, const char *device, char *ebuf); 20875107Sfennerstatic int iface_get_arptype(int fd, const char *device, char *ebuf); 20975107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 21075107Sfennerstatic int iface_bind(int fd, int ifindex, char *ebuf); 21175107Sfenner#endif 21275107Sfennerstatic int iface_bind_old(int fd, const char *device, char *ebuf); 21375107Sfenner 21475107Sfenner#ifdef SO_ATTACH_FILTER 21575107Sfennerstatic int fix_program(pcap_t *handle, struct sock_fprog *fcode); 21675107Sfennerstatic int fix_offset(struct bpf_insn *p); 21798530Sfennerstatic int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode); 21898530Sfennerstatic int reset_kernel_filter(pcap_t *handle); 21998530Sfenner 22098530Sfennerstatic struct sock_filter total_insn 22198530Sfenner = BPF_STMT(BPF_RET | BPF_K, 0); 22298530Sfennerstatic struct sock_fprog total_fcode 22398530Sfenner = { 1, &total_insn }; 22475107Sfenner#endif 22575107Sfenner 22675107Sfenner/* 227127664Sbms * Get a handle for a live capture from the given device. You can 228127664Sbms * pass NULL as device to get all packages (without link level 22975107Sfenner * information of course). If you pass 1 as promisc the interface 230127664Sbms * will be set to promiscous mode (XXX: I think this usage should 23175107Sfenner * be deprecated and functions be added to select that later allow 23275107Sfenner * modification of that values -- Torsten). 233127664Sbms * 23475107Sfenner * See also pcap(3). 23575107Sfenner */ 23675107Sfennerpcap_t * 237127664Sbmspcap_open_live(const char *device, int snaplen, int promisc, int to_ms, 238127664Sbms char *ebuf) 23926175Sfenner{ 24098530Sfenner pcap_t *handle; 24198530Sfenner int mtu; 242127664Sbms int err; 243127664Sbms int live_open_ok = 0; 24498530Sfenner struct utsname utsname; 24598530Sfenner 246127664Sbms#ifdef HAVE_DAG_API 247127664Sbms if (strstr(device, "dag")) { 248127664Sbms return dag_open_live(device, snaplen, promisc, to_ms, ebuf); 249127664Sbms } 250127664Sbms#endif /* HAVE_DAG_API */ 251127664Sbms 252147894Ssam#ifdef HAVE_SEPTEL_API 253147894Ssam if (strstr(device, "septel")) { 254147894Ssam return septel_open_live(device, snaplen, promisc, to_ms, ebuf); 255147894Ssam } 256147894Ssam#endif /* HAVE_SEPTEL_API */ 25726175Sfenner 258147894Ssam /* Allocate a handle for this session. */ 259147894Ssam 26098530Sfenner handle = malloc(sizeof(*handle)); 26175107Sfenner if (handle == NULL) { 26275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 26375107Sfenner pcap_strerror(errno)); 26475107Sfenner return NULL; 26575107Sfenner } 26675107Sfenner 26775107Sfenner /* Initialize some components of the pcap structure. */ 26875107Sfenner 26975107Sfenner memset(handle, 0, sizeof(*handle)); 27075107Sfenner handle->snapshot = snaplen; 27175107Sfenner handle->md.timeout = to_ms; 27275107Sfenner 27375107Sfenner /* 274127664Sbms * NULL and "any" are special devices which give us the hint to 27575107Sfenner * monitor all devices. 27675107Sfenner */ 27775107Sfenner if (!device || strcmp(device, "any") == 0) { 27875107Sfenner device = NULL; 27975107Sfenner handle->md.device = strdup("any"); 28098530Sfenner if (promisc) { 28198530Sfenner promisc = 0; 28298530Sfenner /* Just a warning. */ 28398530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 28498530Sfenner "Promiscuous mode not supported on the \"any\" device"); 28598530Sfenner } 286127664Sbms 28775107Sfenner } else 28875107Sfenner handle->md.device = strdup(device); 28975107Sfenner 29075107Sfenner if (handle->md.device == NULL) { 29175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s", 29275107Sfenner pcap_strerror(errno) ); 29375107Sfenner free(handle); 29475107Sfenner return NULL; 29575107Sfenner } 29675107Sfenner 297127664Sbms /* 298127664Sbms * Current Linux kernels use the protocol family PF_PACKET to 299127664Sbms * allow direct access to all packets on the network while 300127664Sbms * older kernels had a special socket type SOCK_PACKET to 30175107Sfenner * implement this feature. 30275107Sfenner * While this old implementation is kind of obsolete we need 303127664Sbms * to be compatible with older kernels for a while so we are 30475107Sfenner * trying both methods with the newer method preferred. 30575107Sfenner */ 30675107Sfenner 307127664Sbms if ((err = live_open_new(handle, device, promisc, to_ms, ebuf)) == 1) 308127664Sbms live_open_ok = 1; 309127664Sbms else if (err == 0) { 310127664Sbms /* Non-fatal error; try old way */ 311127664Sbms if (live_open_old(handle, device, promisc, to_ms, ebuf)) 312127664Sbms live_open_ok = 1; 313127664Sbms } 314127664Sbms if (!live_open_ok) { 315127664Sbms /* 31675107Sfenner * Both methods to open the packet socket failed. Tidy 31775107Sfenner * up and report our failure (ebuf is expected to be 318127664Sbms * set by the functions above). 31975107Sfenner */ 32075107Sfenner 321127664Sbms if (handle->md.device != NULL) 322127664Sbms free(handle->md.device); 32375107Sfenner free(handle); 32475107Sfenner return NULL; 32575107Sfenner } 32675107Sfenner 32798530Sfenner /* 32898530Sfenner * Compute the buffer size. 32998530Sfenner * 33098530Sfenner * If we're using SOCK_PACKET, this might be a 2.0[.x] kernel, 33198530Sfenner * and might require special handling - check. 33298530Sfenner */ 33398530Sfenner if (handle->md.sock_packet && (uname(&utsname) < 0 || 33498530Sfenner strncmp(utsname.release, "2.0", 3) == 0)) { 33598530Sfenner /* 33698530Sfenner * We're using a SOCK_PACKET structure, and either 33798530Sfenner * we couldn't find out what kernel release this is, 33898530Sfenner * or it's a 2.0[.x] kernel. 33998530Sfenner * 34098530Sfenner * In the 2.0[.x] kernel, a "recvfrom()" on 34198530Sfenner * a SOCK_PACKET socket, with MSG_TRUNC set, will 34298530Sfenner * return the number of bytes read, so if we pass 34398530Sfenner * a length based on the snapshot length, it'll 34498530Sfenner * return the number of bytes from the packet 34598530Sfenner * copied to userland, not the actual length 34698530Sfenner * of the packet. 34798530Sfenner * 34898530Sfenner * This means that, for example, the IP dissector 34998530Sfenner * in tcpdump will get handed a packet length less 35098530Sfenner * than the length in the IP header, and will 35198530Sfenner * complain about "truncated-ip". 35298530Sfenner * 35398530Sfenner * So we don't bother trying to copy from the 35498530Sfenner * kernel only the bytes in which we're interested, 35598530Sfenner * but instead copy them all, just as the older 35698530Sfenner * versions of libpcap for Linux did. 35798530Sfenner * 35898530Sfenner * The buffer therefore needs to be big enough to 35998530Sfenner * hold the largest packet we can get from this 36098530Sfenner * device. Unfortunately, we can't get the MRU 36198530Sfenner * of the network; we can only get the MTU. The 36298530Sfenner * MTU may be too small, in which case a packet larger 36398530Sfenner * than the buffer size will be truncated *and* we 36498530Sfenner * won't get the actual packet size. 36598530Sfenner * 36698530Sfenner * However, if the snapshot length is larger than 36798530Sfenner * the buffer size based on the MTU, we use the 36898530Sfenner * snapshot length as the buffer size, instead; 36998530Sfenner * this means that with a sufficiently large snapshot 37098530Sfenner * length we won't artificially truncate packets 37198530Sfenner * to the MTU-based size. 37298530Sfenner * 37398530Sfenner * This mess just one of many problems with packet 37498530Sfenner * capture on 2.0[.x] kernels; you really want a 37598530Sfenner * 2.2[.x] or later kernel if you want packet capture 37698530Sfenner * to work well. 37798530Sfenner */ 37898530Sfenner mtu = iface_get_mtu(handle->fd, device, ebuf); 37998530Sfenner if (mtu == -1) { 380127664Sbms pcap_close_linux(handle); 38198530Sfenner free(handle); 38298530Sfenner return NULL; 38398530Sfenner } 38498530Sfenner handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 38598530Sfenner if (handle->bufsize < handle->snapshot) 38698530Sfenner handle->bufsize = handle->snapshot; 38798530Sfenner } else { 38898530Sfenner /* 38998530Sfenner * This is a 2.2[.x] or later kernel (we know that 39098530Sfenner * either because we're not using a SOCK_PACKET 39198530Sfenner * socket - PF_PACKET is supported only in 2.2 39298530Sfenner * and later kernels - or because we checked the 39398530Sfenner * kernel version). 39498530Sfenner * 39598530Sfenner * We can safely pass "recvfrom()" a byte count 39698530Sfenner * based on the snapshot length. 397172677Smlaier * 398172677Smlaier * If we're in cooked mode, make the snapshot length 399172677Smlaier * large enough to hold a "cooked mode" header plus 400172677Smlaier * 1 byte of packet data (so we don't pass a byte 401172677Smlaier * count of 0 to "recvfrom()"). 40298530Sfenner */ 403172677Smlaier if (handle->md.cooked) { 404172677Smlaier if (handle->snapshot < SLL_HDR_LEN + 1) 405172677Smlaier handle->snapshot = SLL_HDR_LEN + 1; 406172677Smlaier } 40798530Sfenner handle->bufsize = handle->snapshot; 40898530Sfenner } 40998530Sfenner 41098530Sfenner /* Allocate the buffer */ 41198530Sfenner 41298530Sfenner handle->buffer = malloc(handle->bufsize + handle->offset); 41398530Sfenner if (!handle->buffer) { 41498530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 41598530Sfenner "malloc: %s", pcap_strerror(errno)); 416127664Sbms pcap_close_linux(handle); 41798530Sfenner free(handle); 41898530Sfenner return NULL; 41998530Sfenner } 42098530Sfenner 421127664Sbms /* 422127664Sbms * "handle->fd" is a socket, so "select()" and "poll()" 423127664Sbms * should work on it. 424127664Sbms */ 425127664Sbms handle->selectable_fd = handle->fd; 426127664Sbms 427127664Sbms handle->read_op = pcap_read_linux; 428146768Ssam handle->inject_op = pcap_inject_linux; 429127664Sbms handle->setfilter_op = pcap_setfilter_linux; 430147894Ssam handle->setdirection_op = pcap_setdirection_linux; 431127664Sbms handle->set_datalink_op = NULL; /* can't change data link type */ 432127664Sbms handle->getnonblock_op = pcap_getnonblock_fd; 433127664Sbms handle->setnonblock_op = pcap_setnonblock_fd; 434127664Sbms handle->stats_op = pcap_stats_linux; 435127664Sbms handle->close_op = pcap_close_linux; 436127664Sbms 43775107Sfenner return handle; 43826175Sfenner} 43926175Sfenner 44075107Sfenner/* 44175107Sfenner * Read at most max_packets from the capture stream and call the callback 44275107Sfenner * for each of them. Returns the number of packets handled or -1 if an 443127664Sbms * error occured. 44475107Sfenner */ 445127664Sbmsstatic int 446127664Sbmspcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 44726175Sfenner{ 44875107Sfenner /* 44975107Sfenner * Currently, on Linux only one packet is delivered per read, 45075107Sfenner * so we don't loop. 45175107Sfenner */ 45275107Sfenner return pcap_read_packet(handle, callback, user); 45375107Sfenner} 45426175Sfenner 45575107Sfenner/* 456127664Sbms * Read a packet from the socket calling the handler provided by 45775107Sfenner * the user. Returns the number of packets received or -1 if an 45875107Sfenner * error occured. 45975107Sfenner */ 46075107Sfennerstatic int 46175107Sfennerpcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 46275107Sfenner{ 46398530Sfenner u_char *bp; 46475107Sfenner int offset; 46575107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 46675107Sfenner struct sockaddr_ll from; 46775107Sfenner struct sll_header *hdrp; 46875107Sfenner#else 46975107Sfenner struct sockaddr from; 47075107Sfenner#endif 47175107Sfenner socklen_t fromlen; 47275107Sfenner int packet_len, caplen; 47375107Sfenner struct pcap_pkthdr pcap_header; 47426175Sfenner 47575107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 47675107Sfenner /* 47775107Sfenner * If this is a cooked device, leave extra room for a 47875107Sfenner * fake packet header. 47975107Sfenner */ 48075107Sfenner if (handle->md.cooked) 48175107Sfenner offset = SLL_HDR_LEN; 48275107Sfenner else 48375107Sfenner offset = 0; 48475107Sfenner#else 48575107Sfenner /* 48675107Sfenner * This system doesn't have PF_PACKET sockets, so it doesn't 48775107Sfenner * support cooked devices. 48875107Sfenner */ 48975107Sfenner offset = 0; 49075107Sfenner#endif 49175107Sfenner 49275107Sfenner /* Receive a single packet from the kernel */ 49375107Sfenner 49498530Sfenner bp = handle->buffer + handle->offset; 49526175Sfenner do { 496127664Sbms /* 497127664Sbms * Has "pcap_breakloop()" been called? 498127664Sbms */ 499127664Sbms if (handle->break_loop) { 500127664Sbms /* 501127664Sbms * Yes - clear the flag that indicates that it 502127664Sbms * has, and return -2 as an indication that we 503127664Sbms * were told to break out of the loop. 504127664Sbms */ 505127664Sbms handle->break_loop = 0; 506127664Sbms return -2; 507127664Sbms } 50826175Sfenner fromlen = sizeof(from); 509127664Sbms packet_len = recvfrom( 51098530Sfenner handle->fd, bp + offset, 511127664Sbms handle->bufsize - offset, MSG_TRUNC, 51275107Sfenner (struct sockaddr *) &from, &fromlen); 51375107Sfenner } while (packet_len == -1 && errno == EINTR); 51426175Sfenner 51575107Sfenner /* Check if an error occured */ 51626175Sfenner 51775107Sfenner if (packet_len == -1) { 51875107Sfenner if (errno == EAGAIN) 51975107Sfenner return 0; /* no packet there */ 52075107Sfenner else { 52175107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 52275107Sfenner "recvfrom: %s", pcap_strerror(errno)); 52375107Sfenner return -1; 52426175Sfenner } 52575107Sfenner } 52626175Sfenner 52775107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 528147894Ssam if (!handle->md.sock_packet) { 529147894Ssam /* 530172677Smlaier * Unfortunately, there is a window between socket() and 531172677Smlaier * bind() where the kernel may queue packets from any 532172677Smlaier * interface. If we're bound to a particular interface, 533172677Smlaier * discard packets not from that interface. 534172677Smlaier * 535172677Smlaier * (If socket filters are supported, we could do the 536172677Smlaier * same thing we do when changing the filter; however, 537172677Smlaier * that won't handle packet sockets without socket 538172677Smlaier * filter support, and it's a bit more complicated. 539172677Smlaier * It would save some instructions per packet, however.) 540172677Smlaier */ 541172677Smlaier if (handle->md.ifindex != -1 && 542172677Smlaier from.sll_ifindex != handle->md.ifindex) 543172677Smlaier return 0; 544172677Smlaier 545172677Smlaier /* 546147894Ssam * Do checks based on packet direction. 547147894Ssam * We can only do this if we're using PF_PACKET; the 548147894Ssam * address returned for SOCK_PACKET is a "sockaddr_pkt" 549147894Ssam * which lacks the relevant packet type information. 550147894Ssam */ 551147894Ssam if (from.sll_pkttype == PACKET_OUTGOING) { 552147894Ssam /* 553147894Ssam * Outgoing packet. 554147894Ssam * If this is from the loopback device, reject it; 555147894Ssam * we'll see the packet as an incoming packet as well, 556147894Ssam * and we don't want to see it twice. 557147894Ssam */ 558147894Ssam if (from.sll_ifindex == handle->md.lo_ifindex) 559147894Ssam return 0; 560147894Ssam 561147894Ssam /* 562147894Ssam * If the user only wants incoming packets, reject it. 563147894Ssam */ 564162012Ssam if (handle->direction == PCAP_D_IN) 565147894Ssam return 0; 566147894Ssam } else { 567147894Ssam /* 568147894Ssam * Incoming packet. 569147894Ssam * If the user only wants outgoing packets, reject it. 570147894Ssam */ 571162012Ssam if (handle->direction == PCAP_D_OUT) 572147894Ssam return 0; 573147894Ssam } 574147894Ssam } 57575107Sfenner#endif 57626175Sfenner 57775107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 57875107Sfenner /* 57975107Sfenner * If this is a cooked device, fill in the fake packet header. 58075107Sfenner */ 58175107Sfenner if (handle->md.cooked) { 58275107Sfenner /* 58375107Sfenner * Add the length of the fake header to the length 58475107Sfenner * of packet data we read. 58575107Sfenner */ 58675107Sfenner packet_len += SLL_HDR_LEN; 58726175Sfenner 58898530Sfenner hdrp = (struct sll_header *)bp; 58926175Sfenner 59075107Sfenner /* 59175107Sfenner * Map the PACKET_ value to a LINUX_SLL_ value; we 59275107Sfenner * want the same numerical value to be used in 59375107Sfenner * the link-layer header even if the numerical values 59475107Sfenner * for the PACKET_ #defines change, so that programs 59575107Sfenner * that look at the packet type field will always be 59675107Sfenner * able to handle DLT_LINUX_SLL captures. 59775107Sfenner */ 59875107Sfenner switch (from.sll_pkttype) { 59926175Sfenner 60075107Sfenner case PACKET_HOST: 60175107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_HOST); 60275107Sfenner break; 60326175Sfenner 60475107Sfenner case PACKET_BROADCAST: 60575107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST); 60675107Sfenner break; 60775107Sfenner 60875107Sfenner case PACKET_MULTICAST: 60975107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST); 61075107Sfenner break; 61175107Sfenner 61275107Sfenner case PACKET_OTHERHOST: 61375107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST); 61475107Sfenner break; 61575107Sfenner 61675107Sfenner case PACKET_OUTGOING: 61775107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING); 61875107Sfenner break; 61975107Sfenner 62075107Sfenner default: 62175107Sfenner hdrp->sll_pkttype = -1; 62275107Sfenner break; 62326175Sfenner } 62475107Sfenner 62575107Sfenner hdrp->sll_hatype = htons(from.sll_hatype); 62675107Sfenner hdrp->sll_halen = htons(from.sll_halen); 62775107Sfenner memcpy(hdrp->sll_addr, from.sll_addr, 62875107Sfenner (from.sll_halen > SLL_ADDRLEN) ? 62975107Sfenner SLL_ADDRLEN : 63075107Sfenner from.sll_halen); 63175107Sfenner hdrp->sll_protocol = from.sll_protocol; 63226175Sfenner } 63375107Sfenner#endif 63475107Sfenner 63575107Sfenner /* 636127664Sbms * XXX: According to the kernel source we should get the real 637127664Sbms * packet len if calling recvfrom with MSG_TRUNC set. It does 63875107Sfenner * not seem to work here :(, but it is supported by this code 639127664Sbms * anyway. 64075107Sfenner * To be honest the code RELIES on that feature so this is really 64175107Sfenner * broken with 2.2.x kernels. 64275107Sfenner * I spend a day to figure out what's going on and I found out 643127664Sbms * that the following is happening: 64475107Sfenner * 645127664Sbms * The packet comes from a random interface and the packet_rcv 64675107Sfenner * hook is called with a clone of the packet. That code inserts 64775107Sfenner * the packet into the receive queue of the packet socket. 64875107Sfenner * If a filter is attached to that socket that filter is run 64975107Sfenner * first - and there lies the problem. The default filter always 65075107Sfenner * cuts the packet at the snaplen: 65175107Sfenner * 65275107Sfenner * # tcpdump -d 65375107Sfenner * (000) ret #68 65475107Sfenner * 655127664Sbms * So the packet filter cuts down the packet. The recvfrom call 65675107Sfenner * says "hey, it's only 68 bytes, it fits into the buffer" with 657127664Sbms * the result that we don't get the real packet length. This 658127664Sbms * is valid at least until kernel 2.2.17pre6. 65975107Sfenner * 66075107Sfenner * We currently handle this by making a copy of the filter 66175107Sfenner * program, fixing all "ret" instructions with non-zero 66275107Sfenner * operands to have an operand of 65535 so that the filter 66375107Sfenner * doesn't truncate the packet, and supplying that modified 66475107Sfenner * filter to the kernel. 66575107Sfenner */ 66675107Sfenner 66775107Sfenner caplen = packet_len; 66875107Sfenner if (caplen > handle->snapshot) 66975107Sfenner caplen = handle->snapshot; 67075107Sfenner 67175107Sfenner /* Run the packet filter if not using kernel filter */ 67275107Sfenner if (!handle->md.use_bpf && handle->fcode.bf_insns) { 67398530Sfenner if (bpf_filter(handle->fcode.bf_insns, bp, 67475107Sfenner packet_len, caplen) == 0) 67575107Sfenner { 67675107Sfenner /* rejected by filter */ 67775107Sfenner return 0; 67875107Sfenner } 67975107Sfenner } 68075107Sfenner 68175107Sfenner /* Fill in our own header data */ 68275107Sfenner 68375107Sfenner if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 68475107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 685172677Smlaier "SIOCGSTAMP: %s", pcap_strerror(errno)); 68675107Sfenner return -1; 68775107Sfenner } 68875107Sfenner pcap_header.caplen = caplen; 68975107Sfenner pcap_header.len = packet_len; 69075107Sfenner 69198530Sfenner /* 69298530Sfenner * Count the packet. 69398530Sfenner * 69498530Sfenner * Arguably, we should count them before we check the filter, 69598530Sfenner * as on many other platforms "ps_recv" counts packets 69698530Sfenner * handed to the filter rather than packets that passed 69798530Sfenner * the filter, but if filtering is done in the kernel, we 69898530Sfenner * can't get a count of packets that passed the filter, 69998530Sfenner * and that would mean the meaning of "ps_recv" wouldn't 70098530Sfenner * be the same on all Linux systems. 70198530Sfenner * 70298530Sfenner * XXX - it's not the same on all systems in any case; 70398530Sfenner * ideally, we should have a "get the statistics" call 70498530Sfenner * that supplies more counts and indicates which of them 70598530Sfenner * it supplies, so that we supply a count of packets 70698530Sfenner * handed to the filter only on platforms where that 70798530Sfenner * information is available. 70898530Sfenner * 70998530Sfenner * We count them here even if we can get the packet count 71098530Sfenner * from the kernel, as we can only determine at run time 71198530Sfenner * whether we'll be able to get it from the kernel (if 71298530Sfenner * HAVE_TPACKET_STATS isn't defined, we can't get it from 71398530Sfenner * the kernel, but if it is defined, the library might 71498530Sfenner * have been built with a 2.4 or later kernel, but we 71598530Sfenner * might be running on a 2.2[.x] kernel without Alexey 71698530Sfenner * Kuznetzov's turbopacket patches, and thus the kernel 71798530Sfenner * might not be able to supply those statistics). We 71898530Sfenner * could, I guess, try, when opening the socket, to get 71998530Sfenner * the statistics, and if we can not increment the count 72098530Sfenner * here, but it's not clear that always incrementing 72198530Sfenner * the count is more expensive than always testing a flag 72298530Sfenner * in memory. 723172677Smlaier * 724172677Smlaier * We keep the count in "md.packets_read", and use that for 725172677Smlaier * "ps_recv" if we can't get the statistics from the kernel. 726172677Smlaier * We do that because, if we *can* get the statistics from 727172677Smlaier * the kernel, we use "md.stat.ps_recv" and "md.stat.ps_drop" 728172677Smlaier * as running counts, as reading the statistics from the 729172677Smlaier * kernel resets the kernel statistics, and if we directly 730172677Smlaier * increment "md.stat.ps_recv" here, that means it will 731172677Smlaier * count packets *twice* on systems where we can get kernel 732172677Smlaier * statistics - once here, and once in pcap_stats_linux(). 73398530Sfenner */ 734172677Smlaier handle->md.packets_read++; 73575107Sfenner 73698530Sfenner /* Call the user supplied callback function */ 73798530Sfenner callback(userdata, &pcap_header, bp); 73898530Sfenner 73975107Sfenner return 1; 74026175Sfenner} 74126175Sfenner 742146768Ssamstatic int 743146768Ssampcap_inject_linux(pcap_t *handle, const void *buf, size_t size) 744146768Ssam{ 745146768Ssam int ret; 746146768Ssam 747146768Ssam#ifdef HAVE_PF_PACKET_SOCKETS 748146768Ssam if (!handle->md.sock_packet) { 749146768Ssam /* PF_PACKET socket */ 750146768Ssam if (handle->md.ifindex == -1) { 751146768Ssam /* 752146768Ssam * We don't support sending on the "any" device. 753146768Ssam */ 754146768Ssam strlcpy(handle->errbuf, 755146768Ssam "Sending packets isn't supported on the \"any\" device", 756146768Ssam PCAP_ERRBUF_SIZE); 757146768Ssam return (-1); 758146768Ssam } 759146768Ssam 760146768Ssam if (handle->md.cooked) { 761146768Ssam /* 762146768Ssam * We don't support sending on the "any" device. 763146768Ssam * 764146768Ssam * XXX - how do you send on a bound cooked-mode 765146768Ssam * socket? 766146768Ssam * Is a "sendto()" required there? 767146768Ssam */ 768146768Ssam strlcpy(handle->errbuf, 769146768Ssam "Sending packets isn't supported in cooked mode", 770146768Ssam PCAP_ERRBUF_SIZE); 771146768Ssam return (-1); 772146768Ssam } 773146768Ssam } 774146768Ssam#endif 775146768Ssam 776146768Ssam ret = send(handle->fd, buf, size, 0); 777146768Ssam if (ret == -1) { 778146768Ssam snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 779146768Ssam pcap_strerror(errno)); 780146768Ssam return (-1); 781146768Ssam } 782146768Ssam return (ret); 783146768Ssam} 784146768Ssam 78575107Sfenner/* 78675107Sfenner * Get the statistics for the given packet capture handle. 78798530Sfenner * Reports the number of dropped packets iff the kernel supports 78898530Sfenner * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later 78998530Sfenner * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket 79098530Sfenner * patches); otherwise, that information isn't available, and we lie 79198530Sfenner * and report 0 as the count of dropped packets. 79275107Sfenner */ 793127664Sbmsstatic int 794127664Sbmspcap_stats_linux(pcap_t *handle, struct pcap_stat *stats) 79526175Sfenner{ 79698530Sfenner#ifdef HAVE_TPACKET_STATS 79798530Sfenner struct tpacket_stats kstats; 79898530Sfenner socklen_t len = sizeof (struct tpacket_stats); 799127664Sbms#endif 80098530Sfenner 801127664Sbms#ifdef HAVE_TPACKET_STATS 80298530Sfenner /* 80398530Sfenner * Try to get the packet counts from the kernel. 80498530Sfenner */ 80598530Sfenner if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, 80698530Sfenner &kstats, &len) > -1) { 80798530Sfenner /* 808172677Smlaier * On systems where the PACKET_STATISTICS "getsockopt()" 809172677Smlaier * argument is supported on PF_PACKET sockets: 810172677Smlaier * 811172677Smlaier * "ps_recv" counts only packets that *passed* the 812172677Smlaier * filter, not packets that didn't pass the filter. 813172677Smlaier * This includes packets later dropped because we 814172677Smlaier * ran out of buffer space. 815172677Smlaier * 816172677Smlaier * "ps_drop" counts packets dropped because we ran 817172677Smlaier * out of buffer space. It doesn't count packets 818172677Smlaier * dropped by the interface driver. It counts only 819172677Smlaier * packets that passed the filter. 820172677Smlaier * 821172677Smlaier * Both statistics include packets not yet read from 822172677Smlaier * the kernel by libpcap, and thus not yet seen by 823172677Smlaier * the application. 824172677Smlaier * 82598530Sfenner * In "linux/net/packet/af_packet.c", at least in the 82698530Sfenner * 2.4.9 kernel, "tp_packets" is incremented for every 82798530Sfenner * packet that passes the packet filter *and* is 82898530Sfenner * successfully queued on the socket; "tp_drops" is 82998530Sfenner * incremented for every packet dropped because there's 83098530Sfenner * not enough free space in the socket buffer. 83198530Sfenner * 83298530Sfenner * When the statistics are returned for a PACKET_STATISTICS 83398530Sfenner * "getsockopt()" call, "tp_drops" is added to "tp_packets", 83498530Sfenner * so that "tp_packets" counts all packets handed to 83598530Sfenner * the PF_PACKET socket, including packets dropped because 83698530Sfenner * there wasn't room on the socket buffer - but not 83798530Sfenner * including packets that didn't pass the filter. 83898530Sfenner * 83998530Sfenner * In the BSD BPF, the count of received packets is 84098530Sfenner * incremented for every packet handed to BPF, regardless 84198530Sfenner * of whether it passed the filter. 84298530Sfenner * 84398530Sfenner * We can't make "pcap_stats()" work the same on both 84498530Sfenner * platforms, but the best approximation is to return 84598530Sfenner * "tp_packets" as the count of packets and "tp_drops" 84698530Sfenner * as the count of drops. 847146768Ssam * 848146768Ssam * Keep a running total because each call to 849146768Ssam * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, .... 850146768Ssam * resets the counters to zero. 85198530Sfenner */ 852146768Ssam handle->md.stat.ps_recv += kstats.tp_packets; 853146768Ssam handle->md.stat.ps_drop += kstats.tp_drops; 854172677Smlaier *stats = handle->md.stat; 855172677Smlaier return 0; 85698530Sfenner } 85798530Sfenner else 85898530Sfenner { 85998530Sfenner /* 86098530Sfenner * If the error was EOPNOTSUPP, fall through, so that 86198530Sfenner * if you build the library on a system with 86298530Sfenner * "struct tpacket_stats" and run it on a system 86398530Sfenner * that doesn't, it works as it does if the library 86498530Sfenner * is built on a system without "struct tpacket_stats". 86598530Sfenner */ 86698530Sfenner if (errno != EOPNOTSUPP) { 86798530Sfenner snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 86898530Sfenner "pcap_stats: %s", pcap_strerror(errno)); 86998530Sfenner return -1; 87098530Sfenner } 87198530Sfenner } 87298530Sfenner#endif 87398530Sfenner /* 87498530Sfenner * On systems where the PACKET_STATISTICS "getsockopt()" argument 87598530Sfenner * is not supported on PF_PACKET sockets: 87698530Sfenner * 87798530Sfenner * "ps_recv" counts only packets that *passed* the filter, 87898530Sfenner * not packets that didn't pass the filter. It does not 87998530Sfenner * count packets dropped because we ran out of buffer 88098530Sfenner * space. 88198530Sfenner * 88298530Sfenner * "ps_drop" is not supported. 88398530Sfenner * 88498530Sfenner * "ps_recv" doesn't include packets not yet read from 88598530Sfenner * the kernel by libpcap. 886172677Smlaier * 887172677Smlaier * We maintain the count of packets processed by libpcap in 888172677Smlaier * "md.packets_read", for reasons described in the comment 889172677Smlaier * at the end of pcap_read_packet(). We have no idea how many 890172677Smlaier * packets were dropped. 89198530Sfenner */ 892172677Smlaier stats->ps_recv = handle->md.packets_read; 893172677Smlaier stats->ps_drop = 0; 89475107Sfenner return 0; 89575107Sfenner} 89626175Sfenner 89775107Sfenner/* 898127664Sbms * Description string for the "any" device. 89975107Sfenner */ 900127664Sbmsstatic const char any_descr[] = "Pseudo-device that captures on all interfaces"; 901127664Sbms 90275107Sfennerint 903127664Sbmspcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 90475107Sfenner{ 905127664Sbms if (pcap_add_if(alldevsp, "any", 0, any_descr, errbuf) < 0) 906127664Sbms return (-1); 907127664Sbms 908127664Sbms#ifdef HAVE_DAG_API 909127664Sbms if (dag_platform_finddevs(alldevsp, errbuf) < 0) 910127664Sbms return (-1); 911127664Sbms#endif /* HAVE_DAG_API */ 912127664Sbms 913147894Ssam#ifdef HAVE_SEPTEL_API 914147894Ssam if (septel_platform_finddevs(alldevsp, errbuf) < 0) 915147894Ssam return (-1); 916147894Ssam#endif /* HAVE_SEPTEL_API */ 917147894Ssam 918127664Sbms return (0); 919127664Sbms} 920127664Sbms 921127664Sbms/* 922127664Sbms * Attach the given BPF code to the packet capture device. 923127664Sbms */ 924127664Sbmsstatic int 925127664Sbmspcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter) 926127664Sbms{ 92775107Sfenner#ifdef SO_ATTACH_FILTER 92875107Sfenner struct sock_fprog fcode; 92975107Sfenner int can_filter_in_kernel; 930127664Sbms int err = 0; 93175107Sfenner#endif 93275107Sfenner 93375107Sfenner if (!handle) 93475107Sfenner return -1; 93575107Sfenner if (!filter) { 93675107Sfenner strncpy(handle->errbuf, "setfilter: No filter specified", 93775107Sfenner sizeof(handle->errbuf)); 93875107Sfenner return -1; 93926175Sfenner } 94026175Sfenner 94175107Sfenner /* Make our private copy of the filter */ 94275107Sfenner 943127664Sbms if (install_bpf_program(handle, filter) < 0) 944127664Sbms /* install_bpf_program() filled in errbuf */ 94575107Sfenner return -1; 94639291Sfenner 947127664Sbms /* 948127664Sbms * Run user level packet filter by default. Will be overriden if 949127664Sbms * installing a kernel filter succeeds. 95075107Sfenner */ 95175107Sfenner handle->md.use_bpf = 0; 95275107Sfenner 95375107Sfenner /* Install kernel level filter if possible */ 95475107Sfenner 95575107Sfenner#ifdef SO_ATTACH_FILTER 95675107Sfenner#ifdef USHRT_MAX 95775107Sfenner if (handle->fcode.bf_len > USHRT_MAX) { 95875107Sfenner /* 959127664Sbms * fcode.len is an unsigned short for current kernel. 96075107Sfenner * I have yet to see BPF-Code with that much 96175107Sfenner * instructions but still it is possible. So for the 96275107Sfenner * sake of correctness I added this check. 96375107Sfenner */ 96475107Sfenner fprintf(stderr, "Warning: Filter too complex for kernel\n"); 965172677Smlaier fcode.len = 0; 96675107Sfenner fcode.filter = NULL; 96775107Sfenner can_filter_in_kernel = 0; 96875107Sfenner } else 96975107Sfenner#endif /* USHRT_MAX */ 97075107Sfenner { 97175107Sfenner /* 97275107Sfenner * Oh joy, the Linux kernel uses struct sock_fprog instead 97375107Sfenner * of struct bpf_program and of course the length field is 97475107Sfenner * of different size. Pointed out by Sebastian 97575107Sfenner * 97675107Sfenner * Oh, and we also need to fix it up so that all "ret" 97775107Sfenner * instructions with non-zero operands have 65535 as the 97875107Sfenner * operand, and so that, if we're in cooked mode, all 97975107Sfenner * memory-reference instructions use special magic offsets 98075107Sfenner * in references to the link-layer header and assume that 98175107Sfenner * the link-layer payload begins at 0; "fix_program()" 98275107Sfenner * will do that. 98375107Sfenner */ 98475107Sfenner switch (fix_program(handle, &fcode)) { 98575107Sfenner 98675107Sfenner case -1: 98775107Sfenner default: 98875107Sfenner /* 98975107Sfenner * Fatal error; just quit. 99075107Sfenner * (The "default" case shouldn't happen; we 99175107Sfenner * return -1 for that reason.) 99275107Sfenner */ 99375107Sfenner return -1; 99475107Sfenner 99575107Sfenner case 0: 99675107Sfenner /* 99775107Sfenner * The program performed checks that we can't make 99875107Sfenner * work in the kernel. 99975107Sfenner */ 100075107Sfenner can_filter_in_kernel = 0; 100175107Sfenner break; 100275107Sfenner 100375107Sfenner case 1: 100475107Sfenner /* 100575107Sfenner * We have a filter that'll work in the kernel. 100675107Sfenner */ 100775107Sfenner can_filter_in_kernel = 1; 100875107Sfenner break; 100975107Sfenner } 101039291Sfenner } 101139291Sfenner 101275107Sfenner if (can_filter_in_kernel) { 1013127664Sbms if ((err = set_kernel_filter(handle, &fcode)) == 0) 101475107Sfenner { 101575107Sfenner /* Installation succeded - using kernel filter. */ 101675107Sfenner handle->md.use_bpf = 1; 101775107Sfenner } 1018127664Sbms else if (err == -1) /* Non-fatal error */ 101975107Sfenner { 1020127664Sbms /* 102175107Sfenner * Print a warning if we weren't able to install 102275107Sfenner * the filter for a reason other than "this kernel 102375107Sfenner * isn't configured to support socket filters. 102475107Sfenner */ 102575107Sfenner if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 102675107Sfenner fprintf(stderr, 1027127664Sbms "Warning: Kernel filter failed: %s\n", 102875107Sfenner pcap_strerror(errno)); 102975107Sfenner } 103075107Sfenner } 103139291Sfenner } 103239291Sfenner 103375107Sfenner /* 103498530Sfenner * If we're not using the kernel filter, get rid of any kernel 103598530Sfenner * filter that might've been there before, e.g. because the 103698530Sfenner * previous filter could work in the kernel, or because some other 103798530Sfenner * code attached a filter to the socket by some means other than 103898530Sfenner * calling "pcap_setfilter()". Otherwise, the kernel filter may 103998530Sfenner * filter out packets that would pass the new userland filter. 104098530Sfenner */ 104198530Sfenner if (!handle->md.use_bpf) 104298530Sfenner reset_kernel_filter(handle); 104398530Sfenner 104498530Sfenner /* 104575107Sfenner * Free up the copy of the filter that was made by "fix_program()". 104675107Sfenner */ 104775107Sfenner if (fcode.filter != NULL) 104875107Sfenner free(fcode.filter); 1049127664Sbms 1050127664Sbms if (err == -2) 1051127664Sbms /* Fatal error */ 1052127664Sbms return -1; 105375107Sfenner#endif /* SO_ATTACH_FILTER */ 105475107Sfenner 105575107Sfenner return 0; 105675107Sfenner} 105775107Sfenner 105875107Sfenner/* 1059147894Ssam * Set direction flag: Which packets do we accept on a forwarding 1060147894Ssam * single device? IN, OUT or both? 1061147894Ssam */ 1062147894Ssamstatic int 1063162012Ssampcap_setdirection_linux(pcap_t *handle, pcap_direction_t d) 1064147894Ssam{ 1065147894Ssam#ifdef HAVE_PF_PACKET_SOCKETS 1066147894Ssam if (!handle->md.sock_packet) { 1067147894Ssam handle->direction = d; 1068147894Ssam return 0; 1069147894Ssam } 1070147894Ssam#endif 1071147894Ssam /* 1072147894Ssam * We're not using PF_PACKET sockets, so we can't determine 1073147894Ssam * the direction of the packet. 1074147894Ssam */ 1075147894Ssam snprintf(handle->errbuf, sizeof(handle->errbuf), 1076147894Ssam "Setting direction is not supported on SOCK_PACKET sockets"); 1077147894Ssam return -1; 1078147894Ssam} 1079147894Ssam 1080147894Ssam/* 1081127664Sbms * Linux uses the ARP hardware type to identify the type of an 1082127664Sbms * interface. pcap uses the DLT_xxx constants for this. This 108398530Sfenner * function takes a pointer to a "pcap_t", and an ARPHRD_xxx 108498530Sfenner * constant, as arguments, and sets "handle->linktype" to the 108598530Sfenner * appropriate DLT_XXX constant and sets "handle->offset" to 108698530Sfenner * the appropriate value (to make "handle->offset" plus link-layer 108798530Sfenner * header length be a multiple of 4, so that the link-layer payload 108898530Sfenner * will be aligned on a 4-byte boundary when capturing packets). 108998530Sfenner * (If the offset isn't set here, it'll be 0; add code as appropriate 109098530Sfenner * for cases where it shouldn't be 0.) 1091127664Sbms * 1092127664Sbms * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture 1093127664Sbms * in cooked mode; otherwise, we can't use cooked mode, so we have 1094127664Sbms * to pick some type that works in raw mode, or fail. 1095127664Sbms * 109698530Sfenner * Sets the link type to -1 if unable to map the type. 109775107Sfenner */ 1098127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok) 109975107Sfenner{ 110075107Sfenner switch (arptype) { 110198530Sfenner 110239291Sfenner case ARPHRD_ETHER: 1103146768Ssam /* 1104146768Ssam * This is (presumably) a real Ethernet capture; give it a 1105146768Ssam * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 1106146768Ssam * that an application can let you choose it, in case you're 1107146768Ssam * capturing DOCSIS traffic that a Cisco Cable Modem 1108146768Ssam * Termination System is putting out onto an Ethernet (it 1109146768Ssam * doesn't put an Ethernet header onto the wire, it puts raw 1110146768Ssam * DOCSIS frames out on the wire inside the low-level 1111146768Ssam * Ethernet framing). 1112146768Ssam * 1113146768Ssam * XXX - are there any sorts of "fake Ethernet" that have 1114146768Ssam * ARPHRD_ETHER but that *shouldn't offer DLT_DOCSIS as 1115146768Ssam * a Cisco CMTS won't put traffic onto it or get traffic 1116146768Ssam * bridged onto it? ISDN is handled in "live_open_new()", 1117146768Ssam * as we fall back on cooked mode there; are there any 1118146768Ssam * others? 1119146768Ssam */ 1120146768Ssam handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1121146768Ssam /* 1122146768Ssam * If that fails, just leave the list empty. 1123146768Ssam */ 1124146768Ssam if (handle->dlt_list != NULL) { 1125146768Ssam handle->dlt_list[0] = DLT_EN10MB; 1126146768Ssam handle->dlt_list[1] = DLT_DOCSIS; 1127146768Ssam handle->dlt_count = 2; 1128146768Ssam } 1129146768Ssam /* FALLTHROUGH */ 1130146768Ssam 113139291Sfenner case ARPHRD_METRICOM: 113298530Sfenner case ARPHRD_LOOPBACK: 113398530Sfenner handle->linktype = DLT_EN10MB; 113498530Sfenner handle->offset = 2; 113598530Sfenner break; 113698530Sfenner 113798530Sfenner case ARPHRD_EETHER: 113898530Sfenner handle->linktype = DLT_EN3MB; 113998530Sfenner break; 114098530Sfenner 114198530Sfenner case ARPHRD_AX25: 114298530Sfenner handle->linktype = DLT_AX25; 114398530Sfenner break; 114498530Sfenner 114598530Sfenner case ARPHRD_PRONET: 114698530Sfenner handle->linktype = DLT_PRONET; 114798530Sfenner break; 114898530Sfenner 114998530Sfenner case ARPHRD_CHAOS: 115098530Sfenner handle->linktype = DLT_CHAOS; 115198530Sfenner break; 115298530Sfenner 115375107Sfenner#ifndef ARPHRD_IEEE802_TR 115475107Sfenner#define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 115575107Sfenner#endif 115675107Sfenner case ARPHRD_IEEE802_TR: 115798530Sfenner case ARPHRD_IEEE802: 115898530Sfenner handle->linktype = DLT_IEEE802; 115998530Sfenner handle->offset = 2; 116098530Sfenner break; 116139291Sfenner 116298530Sfenner case ARPHRD_ARCNET: 1163127664Sbms handle->linktype = DLT_ARCNET_LINUX; 116498530Sfenner break; 116598530Sfenner 1166127664Sbms#ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ 1167127664Sbms#define ARPHRD_FDDI 774 1168127664Sbms#endif 116998530Sfenner case ARPHRD_FDDI: 117098530Sfenner handle->linktype = DLT_FDDI; 117198530Sfenner handle->offset = 3; 117298530Sfenner break; 117398530Sfenner 117475107Sfenner#ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 117575107Sfenner#define ARPHRD_ATM 19 117675107Sfenner#endif 117798530Sfenner case ARPHRD_ATM: 117898530Sfenner /* 117998530Sfenner * The Classical IP implementation in ATM for Linux 118098530Sfenner * supports both what RFC 1483 calls "LLC Encapsulation", 118198530Sfenner * in which each packet has an LLC header, possibly 118298530Sfenner * with a SNAP header as well, prepended to it, and 118398530Sfenner * what RFC 1483 calls "VC Based Multiplexing", in which 118498530Sfenner * different virtual circuits carry different network 118598530Sfenner * layer protocols, and no header is prepended to packets. 118698530Sfenner * 118798530Sfenner * They both have an ARPHRD_ type of ARPHRD_ATM, so 118898530Sfenner * you can't use the ARPHRD_ type to find out whether 118998530Sfenner * captured packets will have an LLC header, and, 119098530Sfenner * while there's a socket ioctl to *set* the encapsulation 119198530Sfenner * type, there's no ioctl to *get* the encapsulation type. 119298530Sfenner * 119398530Sfenner * This means that 119498530Sfenner * 119598530Sfenner * programs that dissect Linux Classical IP frames 119698530Sfenner * would have to check for an LLC header and, 119798530Sfenner * depending on whether they see one or not, dissect 119898530Sfenner * the frame as LLC-encapsulated or as raw IP (I 119998530Sfenner * don't know whether there's any traffic other than 120098530Sfenner * IP that would show up on the socket, or whether 120198530Sfenner * there's any support for IPv6 in the Linux 120298530Sfenner * Classical IP code); 120398530Sfenner * 120498530Sfenner * filter expressions would have to compile into 120598530Sfenner * code that checks for an LLC header and does 120698530Sfenner * the right thing. 120798530Sfenner * 120898530Sfenner * Both of those are a nuisance - and, at least on systems 120998530Sfenner * that support PF_PACKET sockets, we don't have to put 121098530Sfenner * up with those nuisances; instead, we can just capture 1211127664Sbms * in cooked mode. That's what we'll do, if we can. 1212127664Sbms * Otherwise, we'll just fail. 121398530Sfenner */ 1214127664Sbms if (cooked_ok) 1215127664Sbms handle->linktype = DLT_LINUX_SLL; 1216127664Sbms else 1217127664Sbms handle->linktype = -1; 121898530Sfenner break; 121939291Sfenner 122098530Sfenner#ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ 122198530Sfenner#define ARPHRD_IEEE80211 801 122298530Sfenner#endif 122398530Sfenner case ARPHRD_IEEE80211: 122498530Sfenner handle->linktype = DLT_IEEE802_11; 122598530Sfenner break; 122698530Sfenner 1227127664Sbms#ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ 1228127664Sbms#define ARPHRD_IEEE80211_PRISM 802 1229127664Sbms#endif 1230127664Sbms case ARPHRD_IEEE80211_PRISM: 1231127664Sbms handle->linktype = DLT_PRISM_HEADER; 1232127664Sbms break; 1233127664Sbms 1234162012Ssam#ifndef ARPHRD_IEEE80211_RADIOTAP /* new */ 1235162012Ssam#define ARPHRD_IEEE80211_RADIOTAP 803 1236162012Ssam#endif 1237162012Ssam case ARPHRD_IEEE80211_RADIOTAP: 1238162012Ssam handle->linktype = DLT_IEEE802_11_RADIO; 1239162012Ssam break; 1240162012Ssam 124175107Sfenner case ARPHRD_PPP: 124298530Sfenner /* 124398530Sfenner * Some PPP code in the kernel supplies no link-layer 124498530Sfenner * header whatsoever to PF_PACKET sockets; other PPP 124598530Sfenner * code supplies PPP link-layer headers ("syncppp.c"); 124698530Sfenner * some PPP code might supply random link-layer 124798530Sfenner * headers (PPP over ISDN - there's code in Ethereal, 124898530Sfenner * for example, to cope with PPP-over-ISDN captures 124998530Sfenner * with which the Ethereal developers have had to cope, 125098530Sfenner * heuristically trying to determine which of the 125198530Sfenner * oddball link-layer headers particular packets have). 125298530Sfenner * 125398530Sfenner * As such, we just punt, and run all PPP interfaces 1254127664Sbms * in cooked mode, if we can; otherwise, we just treat 1255127664Sbms * it as DLT_RAW, for now - if somebody needs to capture, 1256127664Sbms * on a 2.0[.x] kernel, on PPP devices that supply a 1257127664Sbms * link-layer header, they'll have to add code here to 1258127664Sbms * map to the appropriate DLT_ type (possibly adding a 1259127664Sbms * new DLT_ type, if necessary). 126098530Sfenner */ 1261127664Sbms if (cooked_ok) 1262127664Sbms handle->linktype = DLT_LINUX_SLL; 1263127664Sbms else { 1264127664Sbms /* 1265127664Sbms * XXX - handle ISDN types here? We can't fall 1266127664Sbms * back on cooked sockets, so we'd have to 1267127664Sbms * figure out from the device name what type of 1268127664Sbms * link-layer encapsulation it's using, and map 1269127664Sbms * that to an appropriate DLT_ value, meaning 1270127664Sbms * we'd map "isdnN" devices to DLT_RAW (they 1271127664Sbms * supply raw IP packets with no link-layer 1272127664Sbms * header) and "isdY" devices to a new DLT_I4L_IP 1273127664Sbms * type that has only an Ethernet packet type as 1274127664Sbms * a link-layer header. 1275127664Sbms * 1276127664Sbms * But sometimes we seem to get random crap 1277127664Sbms * in the link-layer header when capturing on 1278127664Sbms * ISDN devices.... 1279127664Sbms */ 1280127664Sbms handle->linktype = DLT_RAW; 1281127664Sbms } 128298530Sfenner break; 128398530Sfenner 1284127664Sbms#ifndef ARPHRD_CISCO 1285127664Sbms#define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */ 1286127664Sbms#endif 1287127664Sbms case ARPHRD_CISCO: 128898530Sfenner handle->linktype = DLT_C_HDLC; 128998530Sfenner break; 129098530Sfenner 129175107Sfenner /* Not sure if this is correct for all tunnels, but it 129275107Sfenner * works for CIPE */ 129375107Sfenner case ARPHRD_TUNNEL: 129475107Sfenner#ifndef ARPHRD_SIT 1295127664Sbms#define ARPHRD_SIT 776 /* From Linux 2.2.13 */ 129675107Sfenner#endif 129775107Sfenner case ARPHRD_SIT: 129875107Sfenner case ARPHRD_CSLIP: 129975107Sfenner case ARPHRD_SLIP6: 130075107Sfenner case ARPHRD_CSLIP6: 130198530Sfenner case ARPHRD_ADAPT: 130298530Sfenner case ARPHRD_SLIP: 1303127664Sbms#ifndef ARPHRD_RAWHDLC 1304127664Sbms#define ARPHRD_RAWHDLC 518 1305127664Sbms#endif 1306127664Sbms case ARPHRD_RAWHDLC: 1307127664Sbms#ifndef ARPHRD_DLCI 1308127664Sbms#define ARPHRD_DLCI 15 1309127664Sbms#endif 1310127664Sbms case ARPHRD_DLCI: 131198530Sfenner /* 131298530Sfenner * XXX - should some of those be mapped to DLT_LINUX_SLL 131398530Sfenner * instead? Should we just map all of them to DLT_LINUX_SLL? 131498530Sfenner */ 131598530Sfenner handle->linktype = DLT_RAW; 131698530Sfenner break; 131798530Sfenner 1318127664Sbms#ifndef ARPHRD_FRAD 1319127664Sbms#define ARPHRD_FRAD 770 1320127664Sbms#endif 1321127664Sbms case ARPHRD_FRAD: 1322127664Sbms handle->linktype = DLT_FRELAY; 1323127664Sbms break; 1324127664Sbms 132598530Sfenner case ARPHRD_LOCALTLK: 132698530Sfenner handle->linktype = DLT_LTALK; 132798530Sfenner break; 132898530Sfenner 1329127664Sbms#ifndef ARPHRD_FCPP 1330127664Sbms#define ARPHRD_FCPP 784 1331127664Sbms#endif 1332127664Sbms case ARPHRD_FCPP: 1333127664Sbms#ifndef ARPHRD_FCAL 1334127664Sbms#define ARPHRD_FCAL 785 1335127664Sbms#endif 1336127664Sbms case ARPHRD_FCAL: 1337127664Sbms#ifndef ARPHRD_FCPL 1338127664Sbms#define ARPHRD_FCPL 786 1339127664Sbms#endif 1340127664Sbms case ARPHRD_FCPL: 1341127664Sbms#ifndef ARPHRD_FCFABRIC 1342127664Sbms#define ARPHRD_FCFABRIC 787 1343127664Sbms#endif 1344127664Sbms case ARPHRD_FCFABRIC: 1345127664Sbms /* 1346127664Sbms * We assume that those all mean RFC 2625 IP-over- 1347127664Sbms * Fibre Channel, with the RFC 2625 header at 1348127664Sbms * the beginning of the packet. 1349127664Sbms */ 1350127664Sbms handle->linktype = DLT_IP_OVER_FC; 1351127664Sbms break; 1352127664Sbms 1353146768Ssam#ifndef ARPHRD_IRDA 1354146768Ssam#define ARPHRD_IRDA 783 1355146768Ssam#endif 1356127664Sbms case ARPHRD_IRDA: 1357127664Sbms /* Don't expect IP packet out of this interfaces... */ 1358127664Sbms handle->linktype = DLT_LINUX_IRDA; 1359127664Sbms /* We need to save packet direction for IrDA decoding, 1360127664Sbms * so let's use "Linux-cooked" mode. Jean II */ 1361127664Sbms //handle->md.cooked = 1; 1362127664Sbms break; 1363127664Sbms 1364172677Smlaier /* ARPHRD_LAPD is unofficial and randomly allocated, if reallocation 1365172677Smlaier * is needed, please report it to <daniele@orlandi.com> */ 1366172677Smlaier#ifndef ARPHRD_LAPD 1367172677Smlaier#define ARPHRD_LAPD 8445 1368172677Smlaier#endif 1369172677Smlaier case ARPHRD_LAPD: 1370172677Smlaier /* Don't expect IP packet out of this interfaces... */ 1371172677Smlaier handle->linktype = DLT_LINUX_LAPD; 1372172677Smlaier break; 1373172677Smlaier 137498530Sfenner default: 137598530Sfenner handle->linktype = -1; 137698530Sfenner break; 137775107Sfenner } 137875107Sfenner} 137939291Sfenner 138075107Sfenner/* ===== Functions to interface to the newer kernels ================== */ 138139291Sfenner 138275107Sfenner/* 138375107Sfenner * Try to open a packet socket using the new kernel interface. 138475107Sfenner * Returns 0 on failure. 138575107Sfenner * FIXME: 0 uses to mean success (Sebastian) 138675107Sfenner */ 138775107Sfennerstatic int 1388127664Sbmslive_open_new(pcap_t *handle, const char *device, int promisc, 138975107Sfenner int to_ms, char *ebuf) 139075107Sfenner{ 139175107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 1392146768Ssam int sock_fd = -1, arptype; 1393127664Sbms int err; 1394127664Sbms int fatal_err = 0; 139575107Sfenner struct packet_mreq mr; 139639291Sfenner 139775107Sfenner /* One shot loop used for error handling - bail out with break */ 139839291Sfenner 139975107Sfenner do { 140075107Sfenner /* 140175107Sfenner * Open a socket with protocol family packet. If a device is 1402127664Sbms * given we try to open it in raw mode otherwise we use 1403127664Sbms * the cooked interface. 140475107Sfenner */ 1405127664Sbms sock_fd = device ? 140675107Sfenner socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) 140775107Sfenner : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); 140839291Sfenner 140975107Sfenner if (sock_fd == -1) { 141075107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s", 141175107Sfenner pcap_strerror(errno) ); 141275107Sfenner break; 141375107Sfenner } 141439291Sfenner 141575107Sfenner /* It seems the kernel supports the new interface. */ 141675107Sfenner handle->md.sock_packet = 0; 141775107Sfenner 141875107Sfenner /* 141975107Sfenner * Get the interface index of the loopback device. 142075107Sfenner * If the attempt fails, don't fail, just set the 142175107Sfenner * "md.lo_ifindex" to -1. 142275107Sfenner * 142375107Sfenner * XXX - can there be more than one device that loops 142475107Sfenner * packets back, i.e. devices other than "lo"? If so, 142575107Sfenner * we'd need to find them all, and have an array of 142675107Sfenner * indices for them, and check all of them in 142775107Sfenner * "pcap_read_packet()". 142875107Sfenner */ 142975107Sfenner handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf); 143075107Sfenner 143175107Sfenner /* 143298530Sfenner * Default value for offset to align link-layer payload 143398530Sfenner * on a 4-byte boundary. 143498530Sfenner */ 143598530Sfenner handle->offset = 0; 143698530Sfenner 143798530Sfenner /* 1438127664Sbms * What kind of frames do we have to deal with? Fall back 1439127664Sbms * to cooked mode if we have an unknown interface type. 144075107Sfenner */ 144175107Sfenner 144275107Sfenner if (device) { 144375107Sfenner /* Assume for now we don't need cooked mode. */ 144475107Sfenner handle->md.cooked = 0; 144575107Sfenner 144675107Sfenner arptype = iface_get_arptype(sock_fd, device, ebuf); 1447127664Sbms if (arptype == -1) { 1448127664Sbms fatal_err = 1; 144975107Sfenner break; 1450127664Sbms } 1451127664Sbms map_arphrd_to_dlt(handle, arptype, 1); 145275107Sfenner if (handle->linktype == -1 || 145398530Sfenner handle->linktype == DLT_LINUX_SLL || 1454127664Sbms handle->linktype == DLT_LINUX_IRDA || 1455172677Smlaier handle->linktype == DLT_LINUX_LAPD || 145675107Sfenner (handle->linktype == DLT_EN10MB && 145775107Sfenner (strncmp("isdn", device, 4) == 0 || 145898530Sfenner strncmp("isdY", device, 4) == 0))) { 145975107Sfenner /* 146098530Sfenner * Unknown interface type (-1), or a 146198530Sfenner * device we explicitly chose to run 146298530Sfenner * in cooked mode (e.g., PPP devices), 146398530Sfenner * or an ISDN device (whose link-layer 146498530Sfenner * type we can only determine by using 146598530Sfenner * APIs that may be different on different 146675107Sfenner * kernels) - reopen in cooked mode. 146775107Sfenner */ 146875107Sfenner if (close(sock_fd) == -1) { 146975107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 147075107Sfenner "close: %s", pcap_strerror(errno)); 147175107Sfenner break; 147275107Sfenner } 1473127664Sbms sock_fd = socket(PF_PACKET, SOCK_DGRAM, 147475107Sfenner htons(ETH_P_ALL)); 147575107Sfenner if (sock_fd == -1) { 147675107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 147775107Sfenner "socket: %s", pcap_strerror(errno)); 147875107Sfenner break; 147975107Sfenner } 148075107Sfenner handle->md.cooked = 1; 148175107Sfenner 1482146768Ssam /* 1483146768Ssam * Get rid of any link-layer type list 1484146768Ssam * we allocated - this only supports cooked 1485146768Ssam * capture. 1486146768Ssam */ 1487146768Ssam if (handle->dlt_list != NULL) { 1488146768Ssam free(handle->dlt_list); 1489146768Ssam handle->dlt_list = NULL; 1490146768Ssam handle->dlt_count = 0; 1491146768Ssam } 1492146768Ssam 149375107Sfenner if (handle->linktype == -1) { 149475107Sfenner /* 149575107Sfenner * Warn that we're falling back on 149675107Sfenner * cooked mode; we may want to 149775107Sfenner * update "map_arphrd_to_dlt()" 149875107Sfenner * to handle the new type. 149975107Sfenner */ 150098530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 150198530Sfenner "arptype %d not " 150275107Sfenner "supported by libpcap - " 150375107Sfenner "falling back to cooked " 150498530Sfenner "socket", 150575107Sfenner arptype); 150675107Sfenner } 1507127664Sbms /* IrDA capture is not a real "cooked" capture, 1508127664Sbms * it's IrLAP frames, not IP packets. */ 1509172677Smlaier if (handle->linktype != DLT_LINUX_IRDA && 1510172677Smlaier handle->linktype != DLT_LINUX_LAPD) 1511127664Sbms handle->linktype = DLT_LINUX_SLL; 151275107Sfenner } 151375107Sfenner 1514146768Ssam handle->md.ifindex = iface_get_id(sock_fd, device, ebuf); 1515146768Ssam if (handle->md.ifindex == -1) 151675107Sfenner break; 151775107Sfenner 1518146768Ssam if ((err = iface_bind(sock_fd, handle->md.ifindex, 1519146768Ssam ebuf)) < 0) { 1520127664Sbms if (err == -2) 1521127664Sbms fatal_err = 1; 152275107Sfenner break; 1523127664Sbms } 152475107Sfenner } else { 152575107Sfenner /* 152675107Sfenner * This is cooked mode. 152775107Sfenner */ 152875107Sfenner handle->md.cooked = 1; 152975107Sfenner handle->linktype = DLT_LINUX_SLL; 153075107Sfenner 153175107Sfenner /* 1532146768Ssam * We're not bound to a device. 1533146768Ssam * XXX - true? Or true only if we're using 1534146768Ssam * the "any" device? 1535146768Ssam * For now, we're using this as an indication 1536146768Ssam * that we can't transmit; stop doing that only 1537146768Ssam * if we figure out how to transmit in cooked 1538146768Ssam * mode. 153975107Sfenner */ 1540146768Ssam handle->md.ifindex = -1; 154175107Sfenner } 154275107Sfenner 1543127664Sbms /* 1544127664Sbms * Select promiscuous mode on if "promisc" is set. 1545127664Sbms * 1546127664Sbms * Do not turn allmulti mode on if we don't select 1547127664Sbms * promiscuous mode - on some devices (e.g., Orinoco 1548127664Sbms * wireless interfaces), allmulti mode isn't supported 1549127664Sbms * and the driver implements it by turning promiscuous 1550127664Sbms * mode on, and that screws up the operation of the 1551127664Sbms * card as a normal networking interface, and on no 1552127664Sbms * other platform I know of does starting a non- 1553127664Sbms * promiscuous capture affect which multicast packets 1554127664Sbms * are received by the interface. 1555127664Sbms */ 155675107Sfenner 1557127664Sbms /* 155875107Sfenner * Hmm, how can we set promiscuous mode on all interfaces? 155975107Sfenner * I am not sure if that is possible at all. 156075107Sfenner */ 156175107Sfenner 1562127664Sbms if (device && promisc) { 156375107Sfenner memset(&mr, 0, sizeof(mr)); 1564146768Ssam mr.mr_ifindex = handle->md.ifindex; 1565127664Sbms mr.mr_type = PACKET_MR_PROMISC; 1566127664Sbms if (setsockopt(sock_fd, SOL_PACKET, 156775107Sfenner PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1) 156875107Sfenner { 1569127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 157075107Sfenner "setsockopt: %s", pcap_strerror(errno)); 157175107Sfenner break; 157275107Sfenner } 157375107Sfenner } 157439291Sfenner 157598530Sfenner /* Save the socket FD in the pcap structure */ 157675107Sfenner 157775107Sfenner handle->fd = sock_fd; 157875107Sfenner 157975107Sfenner return 1; 158075107Sfenner 158175107Sfenner } while(0); 158275107Sfenner 158375107Sfenner if (sock_fd != -1) 158475107Sfenner close(sock_fd); 1585127664Sbms 1586146768Ssam if (fatal_err) { 1587146768Ssam /* 1588146768Ssam * Get rid of any link-layer type list we allocated. 1589146768Ssam */ 1590146768Ssam if (handle->dlt_list != NULL) 1591146768Ssam free(handle->dlt_list); 1592127664Sbms return -2; 1593146768Ssam } else 1594127664Sbms return 0; 159575107Sfenner#else 1596127664Sbms strncpy(ebuf, 1597127664Sbms "New packet capturing interface not supported by build " 159875107Sfenner "environment", PCAP_ERRBUF_SIZE); 159975107Sfenner return 0; 160039291Sfenner#endif 160175107Sfenner} 160239291Sfenner 160375107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 160475107Sfenner/* 1605127664Sbms * Return the index of the given device name. Fill ebuf and return 160675107Sfenner * -1 on failure. 160775107Sfenner */ 160875107Sfennerstatic int 160975107Sfenneriface_get_id(int fd, const char *device, char *ebuf) 161075107Sfenner{ 161175107Sfenner struct ifreq ifr; 161226175Sfenner 161339291Sfenner memset(&ifr, 0, sizeof(ifr)); 161439291Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 161575107Sfenner 161675107Sfenner if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 161775107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 1618172677Smlaier "SIOCGIFINDEX: %s", pcap_strerror(errno)); 161975107Sfenner return -1; 162026175Sfenner } 162126175Sfenner 162275107Sfenner return ifr.ifr_ifindex; 162375107Sfenner} 162426175Sfenner 162575107Sfenner/* 1626127664Sbms * Bind the socket associated with FD to the given device. 162775107Sfenner */ 162875107Sfennerstatic int 162975107Sfenneriface_bind(int fd, int ifindex, char *ebuf) 163075107Sfenner{ 163175107Sfenner struct sockaddr_ll sll; 1632127664Sbms int err; 1633127664Sbms socklen_t errlen = sizeof(err); 163475107Sfenner 163575107Sfenner memset(&sll, 0, sizeof(sll)); 163675107Sfenner sll.sll_family = AF_PACKET; 163775107Sfenner sll.sll_ifindex = ifindex; 163875107Sfenner sll.sll_protocol = htons(ETH_P_ALL); 163975107Sfenner 164075107Sfenner if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 164175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 164275107Sfenner "bind: %s", pcap_strerror(errno)); 164375107Sfenner return -1; 164426175Sfenner } 164526175Sfenner 1646127664Sbms /* Any pending errors, e.g., network is down? */ 1647127664Sbms 1648127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 1649127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1650127664Sbms "getsockopt: %s", pcap_strerror(errno)); 1651127664Sbms return -2; 1652127664Sbms } 1653127664Sbms 1654127664Sbms if (err > 0) { 1655127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1656127664Sbms "bind: %s", pcap_strerror(err)); 1657127664Sbms return -2; 1658127664Sbms } 1659127664Sbms 166075107Sfenner return 0; 166175107Sfenner} 166275107Sfenner 166375107Sfenner#endif 166475107Sfenner 166575107Sfenner 166675107Sfenner/* ===== Functions to interface to the older kernels ================== */ 166775107Sfenner 166875107Sfenner/* 166975107Sfenner * With older kernels promiscuous mode is kind of interesting because we 167075107Sfenner * have to reset the interface before exiting. The problem can't really 1671127664Sbms * be solved without some daemon taking care of managing usage counts. 167275107Sfenner * If we put the interface into promiscuous mode, we set a flag indicating 167375107Sfenner * that we must take it out of that mode when the interface is closed, 167475107Sfenner * and, when closing the interface, if that flag is set we take it out 167575107Sfenner * of promiscuous mode. 167675107Sfenner */ 167775107Sfenner 167875107Sfenner/* 167975107Sfenner * List of pcaps for which we turned promiscuous mode on by hand. 168075107Sfenner * If there are any such pcaps, we arrange to call "pcap_close_all()" 168175107Sfenner * when we exit, and have it close all of them to turn promiscuous mode 168275107Sfenner * off. 168375107Sfenner */ 168475107Sfennerstatic struct pcap *pcaps_to_close; 168575107Sfenner 168675107Sfenner/* 168775107Sfenner * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to 168875107Sfenner * be called on exit. 168975107Sfenner */ 169075107Sfennerstatic int did_atexit; 169175107Sfenner 169275107Sfennerstatic void pcap_close_all(void) 169375107Sfenner{ 169475107Sfenner struct pcap *handle; 169575107Sfenner 169675107Sfenner while ((handle = pcaps_to_close) != NULL) 169775107Sfenner pcap_close(handle); 169875107Sfenner} 169975107Sfenner 1700127664Sbmsstatic void pcap_close_linux( pcap_t *handle ) 170175107Sfenner{ 170275107Sfenner struct pcap *p, *prevp; 170375107Sfenner struct ifreq ifr; 170475107Sfenner 170575107Sfenner if (handle->md.clear_promisc) { 170675107Sfenner /* 170775107Sfenner * We put the interface into promiscuous mode; take 170875107Sfenner * it out of promiscuous mode. 170975107Sfenner * 171075107Sfenner * XXX - if somebody else wants it in promiscuous mode, 171175107Sfenner * this code cannot know that, so it'll take it out 171275107Sfenner * of promiscuous mode. That's not fixable in 2.0[.x] 171375107Sfenner * kernels. 171475107Sfenner */ 171526175Sfenner memset(&ifr, 0, sizeof(ifr)); 171675107Sfenner strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)); 171775107Sfenner if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 1718127664Sbms fprintf(stderr, 171975107Sfenner "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" 172075107Sfenner "Please adjust manually.\n" 172175107Sfenner "Hint: This can't happen with Linux >= 2.2.0.\n", 172275107Sfenner strerror(errno)); 172375107Sfenner } else { 172475107Sfenner if (ifr.ifr_flags & IFF_PROMISC) { 172575107Sfenner /* 172675107Sfenner * Promiscuous mode is currently on; turn it 172775107Sfenner * off. 172875107Sfenner */ 172975107Sfenner ifr.ifr_flags &= ~IFF_PROMISC; 173075107Sfenner if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 1731127664Sbms fprintf(stderr, 173275107Sfenner "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" 173375107Sfenner "Please adjust manually.\n" 173475107Sfenner "Hint: This can't happen with Linux >= 2.2.0.\n", 173575107Sfenner strerror(errno)); 173675107Sfenner } 173775107Sfenner } 173826175Sfenner } 173975107Sfenner 174075107Sfenner /* 174175107Sfenner * Take this pcap out of the list of pcaps for which we 174275107Sfenner * have to take the interface out of promiscuous mode. 174375107Sfenner */ 174475107Sfenner for (p = pcaps_to_close, prevp = NULL; p != NULL; 174575107Sfenner prevp = p, p = p->md.next) { 174675107Sfenner if (p == handle) { 174775107Sfenner /* 174875107Sfenner * Found it. Remove it from the list. 174975107Sfenner */ 175075107Sfenner if (prevp == NULL) { 175175107Sfenner /* 175275107Sfenner * It was at the head of the list. 175375107Sfenner */ 175475107Sfenner pcaps_to_close = p->md.next; 175575107Sfenner } else { 175675107Sfenner /* 175775107Sfenner * It was in the middle of the list. 175875107Sfenner */ 175975107Sfenner prevp->md.next = p->md.next; 176075107Sfenner } 176175107Sfenner break; 176275107Sfenner } 176326175Sfenner } 176426175Sfenner } 1765127664Sbms 176675107Sfenner if (handle->md.device != NULL) 176775107Sfenner free(handle->md.device); 1768127664Sbms handle->md.device = NULL; 1769146768Ssam pcap_close_common(handle); 177075107Sfenner} 177126175Sfenner 177275107Sfenner/* 177375107Sfenner * Try to open a packet socket using the old kernel interface. 177475107Sfenner * Returns 0 on failure. 177575107Sfenner * FIXME: 0 uses to mean success (Sebastian) 177675107Sfenner */ 177775107Sfennerstatic int 1778127664Sbmslive_open_old(pcap_t *handle, const char *device, int promisc, 177975107Sfenner int to_ms, char *ebuf) 178075107Sfenner{ 1781127664Sbms int arptype; 178275107Sfenner struct ifreq ifr; 178375107Sfenner 178475107Sfenner do { 178575107Sfenner /* Open the socket */ 178675107Sfenner 1787127664Sbms handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 1788127664Sbms if (handle->fd == -1) { 178975107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 179075107Sfenner "socket: %s", pcap_strerror(errno)); 179175107Sfenner break; 179275107Sfenner } 179375107Sfenner 179475107Sfenner /* It worked - we are using the old interface */ 179575107Sfenner handle->md.sock_packet = 1; 179675107Sfenner 179775107Sfenner /* ...which means we get the link-layer header. */ 179875107Sfenner handle->md.cooked = 0; 179975107Sfenner 180075107Sfenner /* Bind to the given device */ 180175107Sfenner 180275107Sfenner if (!device) { 180375107Sfenner strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 180475107Sfenner PCAP_ERRBUF_SIZE); 180575107Sfenner break; 180675107Sfenner } 1807127664Sbms if (iface_bind_old(handle->fd, device, ebuf) == -1) 180875107Sfenner break; 180975107Sfenner 1810127664Sbms /* 1811127664Sbms * Try to get the link-layer type. 1812127664Sbms */ 1813127664Sbms arptype = iface_get_arptype(handle->fd, device, ebuf); 1814127664Sbms if (arptype == -1) 1815127664Sbms break; 1816127664Sbms 1817127664Sbms /* 1818127664Sbms * Try to find the DLT_ type corresponding to that 1819127664Sbms * link-layer type. 1820127664Sbms */ 1821127664Sbms map_arphrd_to_dlt(handle, arptype, 0); 1822127664Sbms if (handle->linktype == -1) { 1823127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1824127664Sbms "unknown arptype %d", arptype); 1825127664Sbms break; 1826127664Sbms } 1827127664Sbms 1828127664Sbms /* Go to promisc mode if requested */ 1829127664Sbms 183075107Sfenner if (promisc) { 183175107Sfenner memset(&ifr, 0, sizeof(ifr)); 183275107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 1833127664Sbms if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 183475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 1835172677Smlaier "SIOCGIFFLAGS: %s", pcap_strerror(errno)); 183675107Sfenner break; 183775107Sfenner } 183875107Sfenner if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 183975107Sfenner /* 184075107Sfenner * Promiscuous mode isn't currently on, 184175107Sfenner * so turn it on, and remember that 184275107Sfenner * we should turn it off when the 184375107Sfenner * pcap_t is closed. 184475107Sfenner */ 184575107Sfenner 184675107Sfenner /* 184775107Sfenner * If we haven't already done so, arrange 184875107Sfenner * to have "pcap_close_all()" called when 184975107Sfenner * we exit. 185075107Sfenner */ 185175107Sfenner if (!did_atexit) { 185275107Sfenner if (atexit(pcap_close_all) == -1) { 185375107Sfenner /* 185475107Sfenner * "atexit()" failed; don't 185575107Sfenner * put the interface in 185675107Sfenner * promiscuous mode, just 185775107Sfenner * give up. 185875107Sfenner */ 185975107Sfenner strncpy(ebuf, "atexit failed", 186075107Sfenner PCAP_ERRBUF_SIZE); 186175107Sfenner break; 186275107Sfenner } 1863127664Sbms did_atexit = 1; 186475107Sfenner } 186575107Sfenner 186675107Sfenner ifr.ifr_flags |= IFF_PROMISC; 1867127664Sbms if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 186875107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 1869172677Smlaier "SIOCSIFFLAGS: %s", 187075107Sfenner pcap_strerror(errno)); 187175107Sfenner break; 187275107Sfenner } 187375107Sfenner handle->md.clear_promisc = 1; 187475107Sfenner 187575107Sfenner /* 187675107Sfenner * Add this to the list of pcaps 187775107Sfenner * to close when we exit. 187875107Sfenner */ 187975107Sfenner handle->md.next = pcaps_to_close; 188075107Sfenner pcaps_to_close = handle; 188175107Sfenner } 188275107Sfenner } 188375107Sfenner 188498530Sfenner /* 188598530Sfenner * Default value for offset to align link-layer payload 188698530Sfenner * on a 4-byte boundary. 188798530Sfenner */ 188875107Sfenner handle->offset = 0; 188998530Sfenner 189075107Sfenner return 1; 189175107Sfenner 189275107Sfenner } while (0); 189375107Sfenner 1894127664Sbms pcap_close_linux(handle); 189575107Sfenner return 0; 189675107Sfenner} 189775107Sfenner 189875107Sfenner/* 1899127664Sbms * Bind the socket associated with FD to the given device using the 190075107Sfenner * interface of the old kernels. 190175107Sfenner */ 190275107Sfennerstatic int 190375107Sfenneriface_bind_old(int fd, const char *device, char *ebuf) 190475107Sfenner{ 190575107Sfenner struct sockaddr saddr; 1906127664Sbms int err; 1907127664Sbms socklen_t errlen = sizeof(err); 190875107Sfenner 190975107Sfenner memset(&saddr, 0, sizeof(saddr)); 191075107Sfenner strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 191175107Sfenner if (bind(fd, &saddr, sizeof(saddr)) == -1) { 191275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 191375107Sfenner "bind: %s", pcap_strerror(errno)); 191475107Sfenner return -1; 191526175Sfenner } 191626175Sfenner 1917127664Sbms /* Any pending errors, e.g., network is down? */ 1918127664Sbms 1919127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 1920127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1921127664Sbms "getsockopt: %s", pcap_strerror(errno)); 1922127664Sbms return -1; 1923127664Sbms } 1924127664Sbms 1925127664Sbms if (err > 0) { 1926127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1927127664Sbms "bind: %s", pcap_strerror(err)); 1928127664Sbms return -1; 1929127664Sbms } 1930127664Sbms 193175107Sfenner return 0; 193226175Sfenner} 193326175Sfenner 193475107Sfenner 193575107Sfenner/* ===== System calls available on all supported kernels ============== */ 193675107Sfenner 193775107Sfenner/* 1938127664Sbms * Query the kernel for the MTU of the given interface. 193975107Sfenner */ 194075107Sfennerstatic int 194175107Sfenneriface_get_mtu(int fd, const char *device, char *ebuf) 194226175Sfenner{ 194375107Sfenner struct ifreq ifr; 194426175Sfenner 194575107Sfenner if (!device) 194675107Sfenner return BIGGER_THAN_ALL_MTUS; 194775107Sfenner 194875107Sfenner memset(&ifr, 0, sizeof(ifr)); 194975107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 195075107Sfenner 195175107Sfenner if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 195275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 1953172677Smlaier "SIOCGIFMTU: %s", pcap_strerror(errno)); 195475107Sfenner return -1; 195575107Sfenner } 195675107Sfenner 195775107Sfenner return ifr.ifr_mtu; 195826175Sfenner} 195926175Sfenner 196075107Sfenner/* 196175107Sfenner * Get the hardware type of the given interface as ARPHRD_xxx constant. 196275107Sfenner */ 196375107Sfennerstatic int 196475107Sfenneriface_get_arptype(int fd, const char *device, char *ebuf) 196526175Sfenner{ 196675107Sfenner struct ifreq ifr; 196726175Sfenner 196875107Sfenner memset(&ifr, 0, sizeof(ifr)); 196975107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 197075107Sfenner 197175107Sfenner if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 197275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 1973172677Smlaier "SIOCGIFHWADDR: %s", pcap_strerror(errno)); 197475107Sfenner return -1; 197575107Sfenner } 197675107Sfenner 197775107Sfenner return ifr.ifr_hwaddr.sa_family; 197826175Sfenner} 197975107Sfenner 198098530Sfenner#ifdef SO_ATTACH_FILTER 198175107Sfennerstatic int 198275107Sfennerfix_program(pcap_t *handle, struct sock_fprog *fcode) 198375107Sfenner{ 198475107Sfenner size_t prog_size; 198575107Sfenner register int i; 198675107Sfenner register struct bpf_insn *p; 198775107Sfenner struct bpf_insn *f; 198875107Sfenner int len; 198975107Sfenner 199075107Sfenner /* 199175107Sfenner * Make a copy of the filter, and modify that copy if 199275107Sfenner * necessary. 199375107Sfenner */ 199475107Sfenner prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 199575107Sfenner len = handle->fcode.bf_len; 199675107Sfenner f = (struct bpf_insn *)malloc(prog_size); 199775107Sfenner if (f == NULL) { 199875107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 199975107Sfenner "malloc: %s", pcap_strerror(errno)); 200075107Sfenner return -1; 200175107Sfenner } 200275107Sfenner memcpy(f, handle->fcode.bf_insns, prog_size); 200375107Sfenner fcode->len = len; 200475107Sfenner fcode->filter = (struct sock_filter *) f; 200575107Sfenner 200675107Sfenner for (i = 0; i < len; ++i) { 200775107Sfenner p = &f[i]; 200875107Sfenner /* 200975107Sfenner * What type of instruction is this? 201075107Sfenner */ 201175107Sfenner switch (BPF_CLASS(p->code)) { 201275107Sfenner 201375107Sfenner case BPF_RET: 201475107Sfenner /* 201575107Sfenner * It's a return instruction; is the snapshot 201675107Sfenner * length a constant, rather than the contents 201775107Sfenner * of the accumulator? 201875107Sfenner */ 201975107Sfenner if (BPF_MODE(p->code) == BPF_K) { 202075107Sfenner /* 202175107Sfenner * Yes - if the value to be returned, 202275107Sfenner * i.e. the snapshot length, is anything 202375107Sfenner * other than 0, make it 65535, so that 202475107Sfenner * the packet is truncated by "recvfrom()", 202575107Sfenner * not by the filter. 202675107Sfenner * 202775107Sfenner * XXX - there's nothing we can easily do 202875107Sfenner * if it's getting the value from the 202975107Sfenner * accumulator; we'd have to insert 203075107Sfenner * code to force non-zero values to be 203175107Sfenner * 65535. 203275107Sfenner */ 203375107Sfenner if (p->k != 0) 203475107Sfenner p->k = 65535; 203575107Sfenner } 203675107Sfenner break; 203775107Sfenner 203875107Sfenner case BPF_LD: 203975107Sfenner case BPF_LDX: 204075107Sfenner /* 204175107Sfenner * It's a load instruction; is it loading 204275107Sfenner * from the packet? 204375107Sfenner */ 204475107Sfenner switch (BPF_MODE(p->code)) { 204575107Sfenner 204675107Sfenner case BPF_ABS: 204775107Sfenner case BPF_IND: 204875107Sfenner case BPF_MSH: 204975107Sfenner /* 205075107Sfenner * Yes; are we in cooked mode? 205175107Sfenner */ 205275107Sfenner if (handle->md.cooked) { 205375107Sfenner /* 205475107Sfenner * Yes, so we need to fix this 205575107Sfenner * instruction. 205675107Sfenner */ 205775107Sfenner if (fix_offset(p) < 0) { 205875107Sfenner /* 205975107Sfenner * We failed to do so. 206075107Sfenner * Return 0, so our caller 206175107Sfenner * knows to punt to userland. 206275107Sfenner */ 206375107Sfenner return 0; 206475107Sfenner } 206575107Sfenner } 206675107Sfenner break; 206775107Sfenner } 206875107Sfenner break; 206975107Sfenner } 207075107Sfenner } 207175107Sfenner return 1; /* we succeeded */ 207275107Sfenner} 207375107Sfenner 207475107Sfennerstatic int 207575107Sfennerfix_offset(struct bpf_insn *p) 207675107Sfenner{ 207775107Sfenner /* 207875107Sfenner * What's the offset? 207975107Sfenner */ 208075107Sfenner if (p->k >= SLL_HDR_LEN) { 208175107Sfenner /* 208275107Sfenner * It's within the link-layer payload; that starts at an 208375107Sfenner * offset of 0, as far as the kernel packet filter is 208475107Sfenner * concerned, so subtract the length of the link-layer 208575107Sfenner * header. 208675107Sfenner */ 208775107Sfenner p->k -= SLL_HDR_LEN; 208875107Sfenner } else if (p->k == 14) { 208975107Sfenner /* 209075107Sfenner * It's the protocol field; map it to the special magic 209175107Sfenner * kernel offset for that field. 209275107Sfenner */ 209375107Sfenner p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 209475107Sfenner } else { 209575107Sfenner /* 209675107Sfenner * It's within the header, but it's not one of those 209775107Sfenner * fields; we can't do that in the kernel, so punt 209875107Sfenner * to userland. 209975107Sfenner */ 210075107Sfenner return -1; 210175107Sfenner } 210275107Sfenner return 0; 210375107Sfenner} 210498530Sfenner 210598530Sfennerstatic int 210698530Sfennerset_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) 210798530Sfenner{ 210898530Sfenner int total_filter_on = 0; 210998530Sfenner int save_mode; 211098530Sfenner int ret; 211198530Sfenner int save_errno; 211298530Sfenner 211398530Sfenner /* 211498530Sfenner * The socket filter code doesn't discard all packets queued 211598530Sfenner * up on the socket when the filter is changed; this means 211698530Sfenner * that packets that don't match the new filter may show up 211798530Sfenner * after the new filter is put onto the socket, if those 211898530Sfenner * packets haven't yet been read. 211998530Sfenner * 212098530Sfenner * This means, for example, that if you do a tcpdump capture 212198530Sfenner * with a filter, the first few packets in the capture might 212298530Sfenner * be packets that wouldn't have passed the filter. 212398530Sfenner * 212498530Sfenner * We therefore discard all packets queued up on the socket 212598530Sfenner * when setting a kernel filter. (This isn't an issue for 212698530Sfenner * userland filters, as the userland filtering is done after 212798530Sfenner * packets are queued up.) 212898530Sfenner * 212998530Sfenner * To flush those packets, we put the socket in read-only mode, 213098530Sfenner * and read packets from the socket until there are no more to 213198530Sfenner * read. 213298530Sfenner * 213398530Sfenner * In order to keep that from being an infinite loop - i.e., 213498530Sfenner * to keep more packets from arriving while we're draining 213598530Sfenner * the queue - we put the "total filter", which is a filter 213698530Sfenner * that rejects all packets, onto the socket before draining 213798530Sfenner * the queue. 213898530Sfenner * 213998530Sfenner * This code deliberately ignores any errors, so that you may 214098530Sfenner * get bogus packets if an error occurs, rather than having 214198530Sfenner * the filtering done in userland even if it could have been 214298530Sfenner * done in the kernel. 214398530Sfenner */ 2144127664Sbms if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 214598530Sfenner &total_fcode, sizeof(total_fcode)) == 0) { 214698530Sfenner char drain[1]; 214798530Sfenner 214898530Sfenner /* 214998530Sfenner * Note that we've put the total filter onto the socket. 215098530Sfenner */ 215198530Sfenner total_filter_on = 1; 215298530Sfenner 215398530Sfenner /* 215498530Sfenner * Save the socket's current mode, and put it in 215598530Sfenner * non-blocking mode; we drain it by reading packets 2156127664Sbms * until we get an error (which is normally a 215798530Sfenner * "nothing more to be read" error). 215898530Sfenner */ 215998530Sfenner save_mode = fcntl(handle->fd, F_GETFL, 0); 216098530Sfenner if (save_mode != -1 && 216198530Sfenner fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) { 216298530Sfenner while (recv(handle->fd, &drain, sizeof drain, 216398530Sfenner MSG_TRUNC) >= 0) 216498530Sfenner ; 2165127664Sbms save_errno = errno; 216698530Sfenner fcntl(handle->fd, F_SETFL, save_mode); 2167127664Sbms if (save_errno != EAGAIN) { 2168127664Sbms /* Fatal error */ 2169127664Sbms reset_kernel_filter(handle); 2170127664Sbms snprintf(handle->errbuf, sizeof(handle->errbuf), 2171127664Sbms "recv: %s", pcap_strerror(save_errno)); 2172127664Sbms return -2; 2173127664Sbms } 217498530Sfenner } 217598530Sfenner } 217698530Sfenner 217798530Sfenner /* 217898530Sfenner * Now attach the new filter. 217998530Sfenner */ 2180127664Sbms ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 218198530Sfenner fcode, sizeof(*fcode)); 218298530Sfenner if (ret == -1 && total_filter_on) { 218398530Sfenner /* 218498530Sfenner * Well, we couldn't set that filter on the socket, 218598530Sfenner * but we could set the total filter on the socket. 218698530Sfenner * 218798530Sfenner * This could, for example, mean that the filter was 218898530Sfenner * too big to put into the kernel, so we'll have to 218998530Sfenner * filter in userland; in any case, we'll be doing 219098530Sfenner * filtering in userland, so we need to remove the 219198530Sfenner * total filter so we see packets. 219298530Sfenner */ 219398530Sfenner save_errno = errno; 219498530Sfenner 219598530Sfenner /* 219698530Sfenner * XXX - if this fails, we're really screwed; 219798530Sfenner * we have the total filter on the socket, 219898530Sfenner * and it won't come off. What do we do then? 219998530Sfenner */ 220098530Sfenner reset_kernel_filter(handle); 220198530Sfenner 220298530Sfenner errno = save_errno; 220398530Sfenner } 2204127664Sbms return ret; 220598530Sfenner} 220698530Sfenner 220798530Sfennerstatic int 220898530Sfennerreset_kernel_filter(pcap_t *handle) 220998530Sfenner{ 2210172677Smlaier /* 2211172677Smlaier * setsockopt() barfs unless it get a dummy parameter. 2212172677Smlaier * valgrind whines unless the value is initialized, 2213172677Smlaier * as it has no idea that setsockopt() ignores its 2214172677Smlaier * parameter. 2215172677Smlaier */ 2216172677Smlaier int dummy = 0; 221798530Sfenner 221898530Sfenner return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, 221998530Sfenner &dummy, sizeof(dummy)); 222098530Sfenner} 222175107Sfenner#endif 2222