pcap-linux.c revision 190225
126175Sfenner/* 275107Sfenner * pcap-linux.c: Packet capture interface to the Linux kernel 326175Sfenner * 475107Sfenner * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org> 575107Sfenner * Sebastian Krahmer <krahmer@cs.uni-potsdam.de> 6127664Sbms * 775107Sfenner * License: BSD 8127664Sbms * 975107Sfenner * Redistribution and use in source and binary forms, with or without 1075107Sfenner * modification, are permitted provided that the following conditions 1175107Sfenner * are met: 12127664Sbms * 1375107Sfenner * 1. Redistributions of source code must retain the above copyright 1475107Sfenner * notice, this list of conditions and the following disclaimer. 1575107Sfenner * 2. Redistributions in binary form must reproduce the above copyright 1675107Sfenner * notice, this list of conditions and the following disclaimer in 1775107Sfenner * the documentation and/or other materials provided with the 1875107Sfenner * distribution. 1975107Sfenner * 3. The names of the authors may not be used to endorse or promote 2075107Sfenner * products derived from this software without specific prior 2175107Sfenner * written permission. 22127664Sbms * 2375107Sfenner * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 2475107Sfenner * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 2575107Sfenner * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 26190225Srpaulo * 27190225Srpaulo * Modifications: Added PACKET_MMAP support 28190225Srpaulo * Paolo Abeni <paolo.abeni@email.it> 29190225Srpaulo * 30190225Srpaulo * based on previous works of: 31190225Srpaulo * Simon Patarin <patarin@cs.unibo.it> 32190225Srpaulo * Phil Wood <cpw@lanl.gov> 3326175Sfenner */ 34127664Sbms 3526175Sfenner#ifndef lint 36127664Sbmsstatic const char rcsid[] _U_ = 37190225Srpaulo "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.129.2.29 2008-10-28 00:50:39 guy Exp $ (LBL)"; 3826175Sfenner#endif 3926175Sfenner 4075107Sfenner/* 4175107Sfenner * Known problems with 2.0[.x] kernels: 4275107Sfenner * 4375107Sfenner * - The loopback device gives every packet twice; on 2.2[.x] kernels, 4475107Sfenner * if we use PF_PACKET, we can filter out the transmitted version 4575107Sfenner * of the packet by using data in the "sockaddr_ll" returned by 4675107Sfenner * "recvfrom()", but, on 2.0[.x] kernels, we have to use 4775107Sfenner * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 4875107Sfenner * "sockaddr_pkt" which doesn't give us enough information to let 4975107Sfenner * us do that. 5075107Sfenner * 5175107Sfenner * - We have to set the interface's IFF_PROMISC flag ourselves, if 5275107Sfenner * we're to run in promiscuous mode, which means we have to turn 5375107Sfenner * it off ourselves when we're done; the kernel doesn't keep track 5475107Sfenner * of how many sockets are listening promiscuously, which means 5575107Sfenner * it won't get turned off automatically when no sockets are 5675107Sfenner * listening promiscuously. We catch "pcap_close()" and, for 5775107Sfenner * interfaces we put into promiscuous mode, take them out of 5875107Sfenner * promiscuous mode - which isn't necessarily the right thing to 5975107Sfenner * do, if another socket also requested promiscuous mode between 6075107Sfenner * the time when we opened the socket and the time when we close 6175107Sfenner * the socket. 6298530Sfenner * 6398530Sfenner * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()" 6498530Sfenner * return the amount of data that you could have read, rather than 6598530Sfenner * the amount that was returned, so we can't just allocate a buffer 6698530Sfenner * whose size is the snapshot length and pass the snapshot length 6798530Sfenner * as the byte count, and also pass MSG_TRUNC, so that the return 6898530Sfenner * value tells us how long the packet was on the wire. 6998530Sfenner * 7098530Sfenner * This means that, if we want to get the actual size of the packet, 7198530Sfenner * so we can return it in the "len" field of the packet header, 7298530Sfenner * we have to read the entire packet, not just the part that fits 7398530Sfenner * within the snapshot length, and thus waste CPU time copying data 7498530Sfenner * from the kernel that our caller won't see. 7598530Sfenner * 7698530Sfenner * We have to get the actual size, and supply it in "len", because 7798530Sfenner * otherwise, the IP dissector in tcpdump, for example, will complain 7898530Sfenner * about "truncated-ip", as the packet will appear to have been 7998530Sfenner * shorter, on the wire, than the IP header said it should have been. 8075107Sfenner */ 8126175Sfenner 8275107Sfenner 8375107Sfenner#ifdef HAVE_CONFIG_H 8475107Sfenner#include "config.h" 8539291Sfenner#endif 8626175Sfenner 8726175Sfenner#include <errno.h> 8826175Sfenner#include <stdlib.h> 8975107Sfenner#include <unistd.h> 9075107Sfenner#include <fcntl.h> 9126175Sfenner#include <string.h> 9275107Sfenner#include <sys/socket.h> 9375107Sfenner#include <sys/ioctl.h> 9475107Sfenner#include <sys/utsname.h> 95190225Srpaulo#include <sys/mman.h> 9675107Sfenner#include <net/if.h> 9775107Sfenner#include <netinet/in.h> 9875107Sfenner#include <linux/if_ether.h> 9975107Sfenner#include <net/if_arp.h> 100190225Srpaulo#include <poll.h> 10126175Sfenner 10298530Sfenner/* 103190225Srpaulo * Got Wireless Extensions? 104190225Srpaulo */ 105190225Srpaulo#ifdef HAVE_LINUX_WIRELESS_H 106190225Srpaulo#include <linux/wireless.h> 107190225Srpaulo#endif 108190225Srpaulo 109190225Srpaulo#include "pcap-int.h" 110190225Srpaulo#include "pcap/sll.h" 111190225Srpaulo#include "pcap/vlan.h" 112190225Srpaulo 113190225Srpaulo#ifdef HAVE_DAG_API 114190225Srpaulo#include "pcap-dag.h" 115190225Srpaulo#endif /* HAVE_DAG_API */ 116190225Srpaulo 117190225Srpaulo#ifdef HAVE_SEPTEL_API 118190225Srpaulo#include "pcap-septel.h" 119190225Srpaulo#endif /* HAVE_SEPTEL_API */ 120190225Srpaulo 121190225Srpaulo#ifdef PCAP_SUPPORT_USB 122190225Srpaulo#include "pcap-usb-linux.h" 123190225Srpaulo#endif 124190225Srpaulo 125190225Srpaulo#ifdef PCAP_SUPPORT_BT 126190225Srpaulo#include "pcap-bt-linux.h" 127190225Srpaulo#endif 128190225Srpaulo 129190225Srpaulo/* 13098530Sfenner * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET 13198530Sfenner * sockets rather than SOCK_PACKET sockets. 13298530Sfenner * 13398530Sfenner * To use them, we include <linux/if_packet.h> rather than 13498530Sfenner * <netpacket/packet.h>; we do so because 13598530Sfenner * 13698530Sfenner * some Linux distributions (e.g., Slackware 4.0) have 2.2 or 13798530Sfenner * later kernels and libc5, and don't provide a <netpacket/packet.h> 13898530Sfenner * file; 13998530Sfenner * 14098530Sfenner * not all versions of glibc2 have a <netpacket/packet.h> file 14198530Sfenner * that defines stuff needed for some of the 2.4-or-later-kernel 14298530Sfenner * features, so if the system has a 2.4 or later kernel, we 14398530Sfenner * still can't use those features. 14498530Sfenner * 14598530Sfenner * We're already including a number of other <linux/XXX.h> headers, and 14698530Sfenner * this code is Linux-specific (no other OS has PF_PACKET sockets as 14798530Sfenner * a raw packet capture mechanism), so it's not as if you gain any 14898530Sfenner * useful portability by using <netpacket/packet.h> 14998530Sfenner * 15098530Sfenner * XXX - should we just include <linux/if_packet.h> even if PF_PACKET 15198530Sfenner * isn't defined? It only defines one data structure in 2.0.x, so 15298530Sfenner * it shouldn't cause any problems. 15398530Sfenner */ 154127664Sbms#ifdef PF_PACKET 15598530Sfenner# include <linux/if_packet.h> 15626175Sfenner 15775107Sfenner /* 15898530Sfenner * On at least some Linux distributions (for example, Red Hat 5.2), 15998530Sfenner * there's no <netpacket/packet.h> file, but PF_PACKET is defined if 16098530Sfenner * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 16175107Sfenner * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 16275107Sfenner * the PACKET_xxx stuff. 16375107Sfenner * 16475107Sfenner * So we check whether PACKET_HOST is defined, and assume that we have 16575107Sfenner * PF_PACKET sockets only if it is defined. 16675107Sfenner */ 16775107Sfenner# ifdef PACKET_HOST 16875107Sfenner# define HAVE_PF_PACKET_SOCKETS 169190225Srpaulo# ifdef PACKET_AUXDATA 170190225Srpaulo# define HAVE_PACKET_AUXDATA 171190225Srpaulo# endif /* PACKET_AUXDATA */ 17275107Sfenner# endif /* PACKET_HOST */ 173190225Srpaulo 174190225Srpaulo 175190225Srpaulo /* check for memory mapped access avaibility. We assume every needed 176190225Srpaulo * struct is defined if the macro TPACKET_HDRLEN is defined, because it 177190225Srpaulo * uses many ring related structs and macros */ 178190225Srpaulo# ifdef TPACKET_HDRLEN 179190225Srpaulo# define HAVE_PACKET_RING 180190225Srpaulo# ifdef TPACKET2_HDRLEN 181190225Srpaulo# define HAVE_TPACKET2 182190225Srpaulo# else 183190225Srpaulo# define TPACKET_V1 0 184190225Srpaulo# endif /* TPACKET2_HDRLEN */ 185190225Srpaulo# endif /* TPACKET_HDRLEN */ 18698530Sfenner#endif /* PF_PACKET */ 18775107Sfenner 18875107Sfenner#ifdef SO_ATTACH_FILTER 18975107Sfenner#include <linux/types.h> 19075107Sfenner#include <linux/filter.h> 19126175Sfenner#endif 19226175Sfenner 193190225Srpaulo#ifndef HAVE_SOCKLEN_T 19475107Sfennertypedef int socklen_t; 19575107Sfenner#endif 19626175Sfenner 19775107Sfenner#ifndef MSG_TRUNC 19898530Sfenner/* 19998530Sfenner * This is being compiled on a system that lacks MSG_TRUNC; define it 20098530Sfenner * with the value it has in the 2.2 and later kernels, so that, on 20198530Sfenner * those kernels, when we pass it in the flags argument to "recvfrom()" 20298530Sfenner * we're passing the right value and thus get the MSG_TRUNC behavior 20398530Sfenner * we want. (We don't get that behavior on 2.0[.x] kernels, because 20498530Sfenner * they didn't support MSG_TRUNC.) 20598530Sfenner */ 20698530Sfenner#define MSG_TRUNC 0x20 20775107Sfenner#endif 20875107Sfenner 209127664Sbms#ifndef SOL_PACKET 210127664Sbms/* 211127664Sbms * This is being compiled on a system that lacks SOL_PACKET; define it 212127664Sbms * with the value it has in the 2.2 and later kernels, so that we can 213127664Sbms * set promiscuous mode in the good modern way rather than the old 214127664Sbms * 2.0-kernel crappy way. 215127664Sbms */ 216127664Sbms#define SOL_PACKET 263 217127664Sbms#endif 218127664Sbms 21975107Sfenner#define MAX_LINKHEADER_SIZE 256 22075107Sfenner 221127664Sbms/* 222127664Sbms * When capturing on all interfaces we use this as the buffer size. 22375107Sfenner * Should be bigger then all MTUs that occur in real life. 22475107Sfenner * 64kB should be enough for now. 22575107Sfenner */ 22675107Sfenner#define BIGGER_THAN_ALL_MTUS (64*1024) 22775107Sfenner 22875107Sfenner/* 229190225Srpaulo * Prototypes for internal functions and methods. 23075107Sfenner */ 231127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *, int, int); 232190225Srpaulo#ifdef HAVE_PF_PACKET_SOCKETS 233190225Srpaulostatic short int map_packet_type_to_sll_type(short int); 234190225Srpaulo#endif 235190225Srpaulostatic int pcap_activate_linux(pcap_t *); 236190225Srpaulostatic int activate_old(pcap_t *); 237190225Srpaulostatic int activate_new(pcap_t *); 238190225Srpaulostatic int activate_mmap(pcap_t *); 239190225Srpaulostatic int pcap_can_set_rfmon_linux(pcap_t *); 240127664Sbmsstatic int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *); 24175107Sfennerstatic int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 242146768Ssamstatic int pcap_inject_linux(pcap_t *, const void *, size_t); 243127664Sbmsstatic int pcap_stats_linux(pcap_t *, struct pcap_stat *); 244127664Sbmsstatic int pcap_setfilter_linux(pcap_t *, struct bpf_program *); 245162012Ssamstatic int pcap_setdirection_linux(pcap_t *, pcap_direction_t); 246190225Srpaulostatic void pcap_cleanup_linux(pcap_t *); 24775107Sfenner 248190225Srpaulounion thdr { 249190225Srpaulo struct tpacket_hdr *h1; 250190225Srpaulo struct tpacket2_hdr *h2; 251190225Srpaulo void *raw; 252190225Srpaulo}; 253190225Srpaulo 254190225Srpaulo#ifdef HAVE_PACKET_RING 255190225Srpaulo#define RING_GET_FRAME(h) (((union thdr **)h->buffer)[h->offset]) 256190225Srpaulo 257190225Srpaulostatic void destroy_ring(pcap_t *handle); 258190225Srpaulostatic int create_ring(pcap_t *handle); 259190225Srpaulostatic int prepare_tpacket_socket(pcap_t *handle); 260190225Srpaulostatic void pcap_cleanup_linux_mmap(pcap_t *); 261190225Srpaulostatic int pcap_read_linux_mmap(pcap_t *, int, pcap_handler , u_char *); 262190225Srpaulostatic int pcap_setfilter_linux_mmap(pcap_t *, struct bpf_program *); 263190225Srpaulostatic int pcap_setnonblock_mmap(pcap_t *p, int nonblock, char *errbuf); 264190225Srpaulostatic int pcap_getnonblock_mmap(pcap_t *p, char *errbuf); 265190225Srpaulo#endif 266190225Srpaulo 26775107Sfenner/* 26875107Sfenner * Wrap some ioctl calls 26975107Sfenner */ 27075107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 27175107Sfennerstatic int iface_get_id(int fd, const char *device, char *ebuf); 27275107Sfenner#endif 27375107Sfennerstatic int iface_get_mtu(int fd, const char *device, char *ebuf); 27475107Sfennerstatic int iface_get_arptype(int fd, const char *device, char *ebuf); 27575107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 27675107Sfennerstatic int iface_bind(int fd, int ifindex, char *ebuf); 277190225Srpaulostatic int has_wext(int sock_fd, const char *device, char *ebuf); 278190225Srpaulostatic int enter_rfmon_mode_wext(pcap_t *handle, int sock_fd, 279190225Srpaulo const char *device); 28075107Sfenner#endif 28175107Sfennerstatic int iface_bind_old(int fd, const char *device, char *ebuf); 28275107Sfenner 28375107Sfenner#ifdef SO_ATTACH_FILTER 28475107Sfennerstatic int fix_program(pcap_t *handle, struct sock_fprog *fcode); 28575107Sfennerstatic int fix_offset(struct bpf_insn *p); 28698530Sfennerstatic int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode); 28798530Sfennerstatic int reset_kernel_filter(pcap_t *handle); 28898530Sfenner 28998530Sfennerstatic struct sock_filter total_insn 29098530Sfenner = BPF_STMT(BPF_RET | BPF_K, 0); 29198530Sfennerstatic struct sock_fprog total_fcode 29298530Sfenner = { 1, &total_insn }; 29375107Sfenner#endif 29475107Sfenner 29575107Sfennerpcap_t * 296190225Srpaulopcap_create(const char *device, char *ebuf) 29726175Sfenner{ 298190225Srpaulo pcap_t *handle; 29998530Sfenner 300127664Sbms#ifdef HAVE_DAG_API 301127664Sbms if (strstr(device, "dag")) { 302190225Srpaulo return dag_create(device, ebuf); 303127664Sbms } 304127664Sbms#endif /* HAVE_DAG_API */ 305127664Sbms 306147894Ssam#ifdef HAVE_SEPTEL_API 307147894Ssam if (strstr(device, "septel")) { 308190225Srpaulo return septel_create(device, ebuf); 309147894Ssam } 310147894Ssam#endif /* HAVE_SEPTEL_API */ 31126175Sfenner 312190225Srpaulo#ifdef PCAP_SUPPORT_BT 313190225Srpaulo if (strstr(device, "bluetooth")) { 314190225Srpaulo return bt_create(device, ebuf); 315190225Srpaulo } 316190225Srpaulo#endif 317147894Ssam 318190225Srpaulo#ifdef PCAP_SUPPORT_USB 319190225Srpaulo if (strstr(device, "usb")) { 320190225Srpaulo return usb_create(device, ebuf); 321190225Srpaulo } 322190225Srpaulo#endif 323190225Srpaulo 324190225Srpaulo handle = pcap_create_common(device, ebuf); 325190225Srpaulo if (handle == NULL) 32675107Sfenner return NULL; 327190225Srpaulo 328190225Srpaulo handle->activate_op = pcap_activate_linux; 329190225Srpaulo handle->can_set_rfmon_op = pcap_can_set_rfmon_linux; 330190225Srpaulo return handle; 331190225Srpaulo} 332190225Srpaulo 333190225Srpaulostatic int 334190225Srpaulopcap_can_set_rfmon_linux(pcap_t *p) 335190225Srpaulo{ 336190225Srpaulo#ifdef IW_MODE_MONITOR 337190225Srpaulo int sock_fd; 338190225Srpaulo struct iwreq ireq; 339190225Srpaulo#endif 340190225Srpaulo 341190225Srpaulo if (p->opt.source == NULL) { 342190225Srpaulo /* 343190225Srpaulo * This is equivalent to the "any" device, and we don't 344190225Srpaulo * support monitor mode on it. 345190225Srpaulo */ 346190225Srpaulo return 0; 34775107Sfenner } 34875107Sfenner 349190225Srpaulo#ifdef IW_MODE_MONITOR 350190225Srpaulo /* 351190225Srpaulo * Bleah. There doesn't appear to be an ioctl to use to ask 352190225Srpaulo * whether a device supports monitor mode; we'll just do 353190225Srpaulo * SIOCGIWMODE and, if it succeeds, assume the device supports 354190225Srpaulo * monitor mode. 355190225Srpaulo * 356190225Srpaulo * Open a socket on which to attempt to get the mode. 357190225Srpaulo * (We assume that if we have Wireless Extensions support 358190225Srpaulo * we also have PF_PACKET support.) 359190225Srpaulo */ 360190225Srpaulo sock_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); 361190225Srpaulo if (sock_fd == -1) { 362190225Srpaulo (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 363190225Srpaulo "socket: %s", pcap_strerror(errno)); 364190225Srpaulo return PCAP_ERROR; 365190225Srpaulo } 36675107Sfenner 367190225Srpaulo /* 368190225Srpaulo * Attempt to get the current mode. 369190225Srpaulo */ 370190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, p->opt.source, 371190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 372190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 373190225Srpaulo if (ioctl(sock_fd, SIOCGIWMODE, &ireq) != -1) { 374190225Srpaulo /* 375190225Srpaulo * Well, we got the mode; assume we can set it. 376190225Srpaulo */ 377190225Srpaulo close(sock_fd); 378190225Srpaulo return 1; 379190225Srpaulo } 380190225Srpaulo if (errno == ENODEV) { 381190225Srpaulo /* The device doesn't even exist. */ 382190225Srpaulo close(sock_fd); 383190225Srpaulo return PCAP_ERROR_NO_SUCH_DEVICE; 384190225Srpaulo } 385190225Srpaulo close(sock_fd); 386190225Srpaulo#endif 387190225Srpaulo return 0; 388190225Srpaulo} 38975107Sfenner 390190225Srpaulo/* 391190225Srpaulo * With older kernels promiscuous mode is kind of interesting because we 392190225Srpaulo * have to reset the interface before exiting. The problem can't really 393190225Srpaulo * be solved without some daemon taking care of managing usage counts. 394190225Srpaulo * If we put the interface into promiscuous mode, we set a flag indicating 395190225Srpaulo * that we must take it out of that mode when the interface is closed, 396190225Srpaulo * and, when closing the interface, if that flag is set we take it out 397190225Srpaulo * of promiscuous mode. 398190225Srpaulo * 399190225Srpaulo * Even with newer kernels, we have the same issue with rfmon mode. 400190225Srpaulo */ 401190225Srpaulo 402190225Srpaulostatic void pcap_cleanup_linux( pcap_t *handle ) 403190225Srpaulo{ 404190225Srpaulo struct ifreq ifr; 405190225Srpaulo#ifdef IW_MODE_MONITOR 406190225Srpaulo struct iwreq ireq; 407190225Srpaulo#endif 408190225Srpaulo 409190225Srpaulo if (handle->md.must_clear != 0) { 410190225Srpaulo /* 411190225Srpaulo * There's something we have to do when closing this 412190225Srpaulo * pcap_t. 413190225Srpaulo */ 414190225Srpaulo if (handle->md.must_clear & MUST_CLEAR_PROMISC) { 415190225Srpaulo /* 416190225Srpaulo * We put the interface into promiscuous mode; 417190225Srpaulo * take it out of promiscuous mode. 418190225Srpaulo * 419190225Srpaulo * XXX - if somebody else wants it in promiscuous 420190225Srpaulo * mode, this code cannot know that, so it'll take 421190225Srpaulo * it out of promiscuous mode. That's not fixable 422190225Srpaulo * in 2.0[.x] kernels. 423190225Srpaulo */ 424190225Srpaulo memset(&ifr, 0, sizeof(ifr)); 425190225Srpaulo strncpy(ifr.ifr_name, handle->md.device, 426190225Srpaulo sizeof(ifr.ifr_name)); 427190225Srpaulo if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 428190225Srpaulo fprintf(stderr, 429190225Srpaulo "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" 430190225Srpaulo "Please adjust manually.\n" 431190225Srpaulo "Hint: This can't happen with Linux >= 2.2.0.\n", 432190225Srpaulo strerror(errno)); 433190225Srpaulo } else { 434190225Srpaulo if (ifr.ifr_flags & IFF_PROMISC) { 435190225Srpaulo /* 436190225Srpaulo * Promiscuous mode is currently on; 437190225Srpaulo * turn it off. 438190225Srpaulo */ 439190225Srpaulo ifr.ifr_flags &= ~IFF_PROMISC; 440190225Srpaulo if (ioctl(handle->fd, SIOCSIFFLAGS, 441190225Srpaulo &ifr) == -1) { 442190225Srpaulo fprintf(stderr, 443190225Srpaulo "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" 444190225Srpaulo "Please adjust manually.\n" 445190225Srpaulo "Hint: This can't happen with Linux >= 2.2.0.\n", 446190225Srpaulo strerror(errno)); 447190225Srpaulo } 448190225Srpaulo } 449190225Srpaulo } 450190225Srpaulo } 451190225Srpaulo 452190225Srpaulo#ifdef IW_MODE_MONITOR 453190225Srpaulo if (handle->md.must_clear & MUST_CLEAR_RFMON) { 454190225Srpaulo /* 455190225Srpaulo * We put the interface into rfmon mode; 456190225Srpaulo * take it out of rfmon mode. 457190225Srpaulo * 458190225Srpaulo * XXX - if somebody else wants it in rfmon 459190225Srpaulo * mode, this code cannot know that, so it'll take 460190225Srpaulo * it out of rfmon mode. 461190225Srpaulo */ 462190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, handle->md.device, 463190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 464190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] 465190225Srpaulo = 0; 466190225Srpaulo ireq.u.mode = handle->md.oldmode; 467190225Srpaulo if (ioctl(handle->fd, SIOCSIWMODE, &ireq) == -1) { 468190225Srpaulo /* 469190225Srpaulo * Scientist, you've failed. 470190225Srpaulo */ 471190225Srpaulo fprintf(stderr, 472190225Srpaulo "Can't restore interface wireless mode (SIOCSIWMODE failed: %s).\n" 473190225Srpaulo "Please adjust manually.\n", 474190225Srpaulo strerror(errno)); 475190225Srpaulo } 476190225Srpaulo } 477190225Srpaulo#endif 478190225Srpaulo 479190225Srpaulo /* 480190225Srpaulo * Take this pcap out of the list of pcaps for which we 481190225Srpaulo * have to take the interface out of some mode. 482190225Srpaulo */ 483190225Srpaulo pcap_remove_from_pcaps_to_close(handle); 484190225Srpaulo } 485190225Srpaulo 486190225Srpaulo if (handle->md.device != NULL) { 487190225Srpaulo free(handle->md.device); 488190225Srpaulo handle->md.device = NULL; 489190225Srpaulo } 490190225Srpaulo pcap_cleanup_live_common(handle); 491190225Srpaulo} 492190225Srpaulo 493190225Srpaulo/* 494190225Srpaulo * Get a handle for a live capture from the given device. You can 495190225Srpaulo * pass NULL as device to get all packages (without link level 496190225Srpaulo * information of course). If you pass 1 as promisc the interface 497190225Srpaulo * will be set to promiscous mode (XXX: I think this usage should 498190225Srpaulo * be deprecated and functions be added to select that later allow 499190225Srpaulo * modification of that values -- Torsten). 500190225Srpaulo */ 501190225Srpaulostatic int 502190225Srpaulopcap_activate_linux(pcap_t *handle) 503190225Srpaulo{ 504190225Srpaulo const char *device; 505190225Srpaulo int status = 0; 506190225Srpaulo int activate_ok = 0; 507190225Srpaulo 508190225Srpaulo device = handle->opt.source; 509190225Srpaulo 510190225Srpaulo handle->inject_op = pcap_inject_linux; 511190225Srpaulo handle->setfilter_op = pcap_setfilter_linux; 512190225Srpaulo handle->setdirection_op = pcap_setdirection_linux; 513190225Srpaulo handle->set_datalink_op = NULL; /* can't change data link type */ 514190225Srpaulo handle->getnonblock_op = pcap_getnonblock_fd; 515190225Srpaulo handle->setnonblock_op = pcap_setnonblock_fd; 516190225Srpaulo handle->cleanup_op = pcap_cleanup_linux; 517190225Srpaulo handle->read_op = pcap_read_linux; 518190225Srpaulo handle->stats_op = pcap_stats_linux; 519190225Srpaulo 52075107Sfenner /* 521127664Sbms * NULL and "any" are special devices which give us the hint to 52275107Sfenner * monitor all devices. 52375107Sfenner */ 52475107Sfenner if (!device || strcmp(device, "any") == 0) { 52575107Sfenner device = NULL; 52675107Sfenner handle->md.device = strdup("any"); 527190225Srpaulo if (handle->opt.promisc) { 528190225Srpaulo handle->opt.promisc = 0; 52998530Sfenner /* Just a warning. */ 530190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 53198530Sfenner "Promiscuous mode not supported on the \"any\" device"); 532190225Srpaulo status = PCAP_WARNING_PROMISC_NOTSUP; 53398530Sfenner } 534127664Sbms 53575107Sfenner } else 53675107Sfenner handle->md.device = strdup(device); 53775107Sfenner 53875107Sfenner if (handle->md.device == NULL) { 539190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s", 54075107Sfenner pcap_strerror(errno) ); 541190225Srpaulo return PCAP_ERROR; 54275107Sfenner } 54375107Sfenner 544127664Sbms /* 545127664Sbms * Current Linux kernels use the protocol family PF_PACKET to 546127664Sbms * allow direct access to all packets on the network while 547127664Sbms * older kernels had a special socket type SOCK_PACKET to 54875107Sfenner * implement this feature. 54975107Sfenner * While this old implementation is kind of obsolete we need 550127664Sbms * to be compatible with older kernels for a while so we are 55175107Sfenner * trying both methods with the newer method preferred. 55275107Sfenner */ 55375107Sfenner 554190225Srpaulo if ((status = activate_new(handle)) == 1) { 555190225Srpaulo activate_ok = 1; 556190225Srpaulo /* 557190225Srpaulo * Try to use memory-mapped access. 558190225Srpaulo */ 559190225Srpaulo if (activate_mmap(handle) == 1) 560190225Srpaulo return 0; /* we succeeded; nothing more to do */ 561190225Srpaulo } 562190225Srpaulo else if (status == 0) { 563127664Sbms /* Non-fatal error; try old way */ 564190225Srpaulo if ((status = activate_old(handle)) == 1) 565190225Srpaulo activate_ok = 1; 566127664Sbms } 567190225Srpaulo if (!activate_ok) { 568127664Sbms /* 56975107Sfenner * Both methods to open the packet socket failed. Tidy 57075107Sfenner * up and report our failure (ebuf is expected to be 571127664Sbms * set by the functions above). 57275107Sfenner */ 573190225Srpaulo goto fail; 57475107Sfenner } 57575107Sfenner 576190225Srpaulo if (handle->opt.buffer_size != 0) { 57798530Sfenner /* 578190225Srpaulo * Set the socket buffer size to the specified value. 57998530Sfenner */ 580190225Srpaulo if (setsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF, 581190225Srpaulo &handle->opt.buffer_size, 582190225Srpaulo sizeof(handle->opt.buffer_size)) == -1) { 583190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 584190225Srpaulo "SO_RCVBUF: %s", pcap_strerror(errno)); 585190225Srpaulo status = PCAP_ERROR; 586190225Srpaulo goto fail; 58798530Sfenner } 58898530Sfenner } 58998530Sfenner 59098530Sfenner /* Allocate the buffer */ 59198530Sfenner 59298530Sfenner handle->buffer = malloc(handle->bufsize + handle->offset); 59398530Sfenner if (!handle->buffer) { 594190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 59598530Sfenner "malloc: %s", pcap_strerror(errno)); 596190225Srpaulo status = PCAP_ERROR; 597190225Srpaulo goto fail; 59898530Sfenner } 59998530Sfenner 600127664Sbms /* 601127664Sbms * "handle->fd" is a socket, so "select()" and "poll()" 602127664Sbms * should work on it. 603127664Sbms */ 604127664Sbms handle->selectable_fd = handle->fd; 605127664Sbms 606190225Srpaulo return status; 607127664Sbms 608190225Srpaulofail: 609190225Srpaulo pcap_cleanup_linux(handle); 610190225Srpaulo return status; 61126175Sfenner} 61226175Sfenner 61375107Sfenner/* 61475107Sfenner * Read at most max_packets from the capture stream and call the callback 61575107Sfenner * for each of them. Returns the number of packets handled or -1 if an 616127664Sbms * error occured. 61775107Sfenner */ 618127664Sbmsstatic int 619127664Sbmspcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 62026175Sfenner{ 62175107Sfenner /* 62275107Sfenner * Currently, on Linux only one packet is delivered per read, 62375107Sfenner * so we don't loop. 62475107Sfenner */ 62575107Sfenner return pcap_read_packet(handle, callback, user); 62675107Sfenner} 62726175Sfenner 62875107Sfenner/* 629127664Sbms * Read a packet from the socket calling the handler provided by 63075107Sfenner * the user. Returns the number of packets received or -1 if an 63175107Sfenner * error occured. 63275107Sfenner */ 63375107Sfennerstatic int 63475107Sfennerpcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 63575107Sfenner{ 63698530Sfenner u_char *bp; 63775107Sfenner int offset; 63875107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 63975107Sfenner struct sockaddr_ll from; 64075107Sfenner struct sll_header *hdrp; 64175107Sfenner#else 64275107Sfenner struct sockaddr from; 64375107Sfenner#endif 644190225Srpaulo#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 645190225Srpaulo struct iovec iov; 646190225Srpaulo struct msghdr msg; 647190225Srpaulo struct cmsghdr *cmsg; 648190225Srpaulo union { 649190225Srpaulo struct cmsghdr cmsg; 650190225Srpaulo char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))]; 651190225Srpaulo } cmsg_buf; 652190225Srpaulo#else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 65375107Sfenner socklen_t fromlen; 654190225Srpaulo#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 65575107Sfenner int packet_len, caplen; 65675107Sfenner struct pcap_pkthdr pcap_header; 65726175Sfenner 65875107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 65975107Sfenner /* 66075107Sfenner * If this is a cooked device, leave extra room for a 66175107Sfenner * fake packet header. 66275107Sfenner */ 66375107Sfenner if (handle->md.cooked) 66475107Sfenner offset = SLL_HDR_LEN; 66575107Sfenner else 66675107Sfenner offset = 0; 66775107Sfenner#else 66875107Sfenner /* 66975107Sfenner * This system doesn't have PF_PACKET sockets, so it doesn't 67075107Sfenner * support cooked devices. 67175107Sfenner */ 67275107Sfenner offset = 0; 67375107Sfenner#endif 67475107Sfenner 675190225Srpaulo /* 676190225Srpaulo * Receive a single packet from the kernel. 677190225Srpaulo * We ignore EINTR, as that might just be due to a signal 678190225Srpaulo * being delivered - if the signal should interrupt the 679190225Srpaulo * loop, the signal handler should call pcap_breakloop() 680190225Srpaulo * to set handle->break_loop (we ignore it on other 681190225Srpaulo * platforms as well). 682190225Srpaulo * We also ignore ENETDOWN, so that we can continue to 683190225Srpaulo * capture traffic if the interface goes down and comes 684190225Srpaulo * back up again; comments in the kernel indicate that 685190225Srpaulo * we'll just block waiting for packets if we try to 686190225Srpaulo * receive from a socket that delivered ENETDOWN, and, 687190225Srpaulo * if we're using a memory-mapped buffer, we won't even 688190225Srpaulo * get notified of "network down" events. 689190225Srpaulo */ 690190225Srpaulo bp = handle->buffer + handle->offset; 69175107Sfenner 692190225Srpaulo#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 693190225Srpaulo msg.msg_name = &from; 694190225Srpaulo msg.msg_namelen = sizeof(from); 695190225Srpaulo msg.msg_iov = &iov; 696190225Srpaulo msg.msg_iovlen = 1; 697190225Srpaulo msg.msg_control = &cmsg_buf; 698190225Srpaulo msg.msg_controllen = sizeof(cmsg_buf); 699190225Srpaulo msg.msg_flags = 0; 700190225Srpaulo 701190225Srpaulo iov.iov_len = handle->bufsize - offset; 702190225Srpaulo iov.iov_base = bp + offset; 703190225Srpaulo#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 704190225Srpaulo 70526175Sfenner do { 706127664Sbms /* 707127664Sbms * Has "pcap_breakloop()" been called? 708127664Sbms */ 709127664Sbms if (handle->break_loop) { 710127664Sbms /* 711127664Sbms * Yes - clear the flag that indicates that it 712127664Sbms * has, and return -2 as an indication that we 713127664Sbms * were told to break out of the loop. 714127664Sbms */ 715127664Sbms handle->break_loop = 0; 716127664Sbms return -2; 717127664Sbms } 718190225Srpaulo 719190225Srpaulo#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 720190225Srpaulo packet_len = recvmsg(handle->fd, &msg, MSG_TRUNC); 721190225Srpaulo#else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 72226175Sfenner fromlen = sizeof(from); 723127664Sbms packet_len = recvfrom( 72498530Sfenner handle->fd, bp + offset, 725127664Sbms handle->bufsize - offset, MSG_TRUNC, 72675107Sfenner (struct sockaddr *) &from, &fromlen); 727190225Srpaulo#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 728190225Srpaulo } while (packet_len == -1 && (errno == EINTR || errno == ENETDOWN)); 72926175Sfenner 73075107Sfenner /* Check if an error occured */ 73126175Sfenner 73275107Sfenner if (packet_len == -1) { 73375107Sfenner if (errno == EAGAIN) 73475107Sfenner return 0; /* no packet there */ 73575107Sfenner else { 736190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 73775107Sfenner "recvfrom: %s", pcap_strerror(errno)); 73875107Sfenner return -1; 73926175Sfenner } 74075107Sfenner } 74126175Sfenner 74275107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 743147894Ssam if (!handle->md.sock_packet) { 744147894Ssam /* 745172677Smlaier * Unfortunately, there is a window between socket() and 746172677Smlaier * bind() where the kernel may queue packets from any 747172677Smlaier * interface. If we're bound to a particular interface, 748172677Smlaier * discard packets not from that interface. 749172677Smlaier * 750172677Smlaier * (If socket filters are supported, we could do the 751172677Smlaier * same thing we do when changing the filter; however, 752172677Smlaier * that won't handle packet sockets without socket 753172677Smlaier * filter support, and it's a bit more complicated. 754172677Smlaier * It would save some instructions per packet, however.) 755172677Smlaier */ 756172677Smlaier if (handle->md.ifindex != -1 && 757172677Smlaier from.sll_ifindex != handle->md.ifindex) 758172677Smlaier return 0; 759172677Smlaier 760172677Smlaier /* 761147894Ssam * Do checks based on packet direction. 762147894Ssam * We can only do this if we're using PF_PACKET; the 763147894Ssam * address returned for SOCK_PACKET is a "sockaddr_pkt" 764147894Ssam * which lacks the relevant packet type information. 765147894Ssam */ 766147894Ssam if (from.sll_pkttype == PACKET_OUTGOING) { 767147894Ssam /* 768147894Ssam * Outgoing packet. 769147894Ssam * If this is from the loopback device, reject it; 770147894Ssam * we'll see the packet as an incoming packet as well, 771147894Ssam * and we don't want to see it twice. 772147894Ssam */ 773147894Ssam if (from.sll_ifindex == handle->md.lo_ifindex) 774147894Ssam return 0; 775147894Ssam 776147894Ssam /* 777147894Ssam * If the user only wants incoming packets, reject it. 778147894Ssam */ 779162012Ssam if (handle->direction == PCAP_D_IN) 780147894Ssam return 0; 781147894Ssam } else { 782147894Ssam /* 783147894Ssam * Incoming packet. 784147894Ssam * If the user only wants outgoing packets, reject it. 785147894Ssam */ 786162012Ssam if (handle->direction == PCAP_D_OUT) 787147894Ssam return 0; 788147894Ssam } 789147894Ssam } 79075107Sfenner#endif 79126175Sfenner 79275107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 79375107Sfenner /* 79475107Sfenner * If this is a cooked device, fill in the fake packet header. 79575107Sfenner */ 79675107Sfenner if (handle->md.cooked) { 79775107Sfenner /* 79875107Sfenner * Add the length of the fake header to the length 79975107Sfenner * of packet data we read. 80075107Sfenner */ 80175107Sfenner packet_len += SLL_HDR_LEN; 80226175Sfenner 80398530Sfenner hdrp = (struct sll_header *)bp; 804190225Srpaulo hdrp->sll_pkttype = map_packet_type_to_sll_type(from.sll_pkttype); 805190225Srpaulo hdrp->sll_hatype = htons(from.sll_hatype); 806190225Srpaulo hdrp->sll_halen = htons(from.sll_halen); 807190225Srpaulo memcpy(hdrp->sll_addr, from.sll_addr, 808190225Srpaulo (from.sll_halen > SLL_ADDRLEN) ? 809190225Srpaulo SLL_ADDRLEN : 810190225Srpaulo from.sll_halen); 811190225Srpaulo hdrp->sll_protocol = from.sll_protocol; 812190225Srpaulo } 81326175Sfenner 814190225Srpaulo#if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 815190225Srpaulo for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { 816190225Srpaulo struct tpacket_auxdata *aux; 817190225Srpaulo unsigned int len; 818190225Srpaulo struct vlan_tag *tag; 81926175Sfenner 820190225Srpaulo if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct tpacket_auxdata)) || 821190225Srpaulo cmsg->cmsg_level != SOL_PACKET || 822190225Srpaulo cmsg->cmsg_type != PACKET_AUXDATA) 823190225Srpaulo continue; 82426175Sfenner 825190225Srpaulo aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg); 826190225Srpaulo if (aux->tp_vlan_tci == 0) 827190225Srpaulo continue; 82875107Sfenner 829190225Srpaulo len = packet_len > iov.iov_len ? iov.iov_len : packet_len; 830190225Srpaulo if (len < 2 * ETH_ALEN) 83175107Sfenner break; 83275107Sfenner 833190225Srpaulo bp -= VLAN_TAG_LEN; 834190225Srpaulo memmove(bp, bp + VLAN_TAG_LEN, 2 * ETH_ALEN); 83575107Sfenner 836190225Srpaulo tag = (struct vlan_tag *)(bp + 2 * ETH_ALEN); 837190225Srpaulo tag->vlan_tpid = htons(ETH_P_8021Q); 838190225Srpaulo tag->vlan_tci = htons(aux->tp_vlan_tci); 83975107Sfenner 840190225Srpaulo packet_len += VLAN_TAG_LEN; 84126175Sfenner } 842190225Srpaulo#endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 843190225Srpaulo#endif /* HAVE_PF_PACKET_SOCKETS */ 84475107Sfenner 84575107Sfenner /* 846127664Sbms * XXX: According to the kernel source we should get the real 847127664Sbms * packet len if calling recvfrom with MSG_TRUNC set. It does 84875107Sfenner * not seem to work here :(, but it is supported by this code 849127664Sbms * anyway. 85075107Sfenner * To be honest the code RELIES on that feature so this is really 85175107Sfenner * broken with 2.2.x kernels. 85275107Sfenner * I spend a day to figure out what's going on and I found out 853127664Sbms * that the following is happening: 85475107Sfenner * 855127664Sbms * The packet comes from a random interface and the packet_rcv 85675107Sfenner * hook is called with a clone of the packet. That code inserts 85775107Sfenner * the packet into the receive queue of the packet socket. 85875107Sfenner * If a filter is attached to that socket that filter is run 85975107Sfenner * first - and there lies the problem. The default filter always 86075107Sfenner * cuts the packet at the snaplen: 86175107Sfenner * 86275107Sfenner * # tcpdump -d 86375107Sfenner * (000) ret #68 86475107Sfenner * 865127664Sbms * So the packet filter cuts down the packet. The recvfrom call 86675107Sfenner * says "hey, it's only 68 bytes, it fits into the buffer" with 867127664Sbms * the result that we don't get the real packet length. This 868127664Sbms * is valid at least until kernel 2.2.17pre6. 86975107Sfenner * 87075107Sfenner * We currently handle this by making a copy of the filter 87175107Sfenner * program, fixing all "ret" instructions with non-zero 87275107Sfenner * operands to have an operand of 65535 so that the filter 87375107Sfenner * doesn't truncate the packet, and supplying that modified 87475107Sfenner * filter to the kernel. 87575107Sfenner */ 87675107Sfenner 87775107Sfenner caplen = packet_len; 87875107Sfenner if (caplen > handle->snapshot) 87975107Sfenner caplen = handle->snapshot; 88075107Sfenner 88175107Sfenner /* Run the packet filter if not using kernel filter */ 88275107Sfenner if (!handle->md.use_bpf && handle->fcode.bf_insns) { 88398530Sfenner if (bpf_filter(handle->fcode.bf_insns, bp, 88475107Sfenner packet_len, caplen) == 0) 88575107Sfenner { 88675107Sfenner /* rejected by filter */ 88775107Sfenner return 0; 88875107Sfenner } 88975107Sfenner } 89075107Sfenner 89175107Sfenner /* Fill in our own header data */ 89275107Sfenner 89375107Sfenner if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 894190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 895172677Smlaier "SIOCGSTAMP: %s", pcap_strerror(errno)); 89675107Sfenner return -1; 89775107Sfenner } 89875107Sfenner pcap_header.caplen = caplen; 89975107Sfenner pcap_header.len = packet_len; 90075107Sfenner 90198530Sfenner /* 90298530Sfenner * Count the packet. 90398530Sfenner * 90498530Sfenner * Arguably, we should count them before we check the filter, 90598530Sfenner * as on many other platforms "ps_recv" counts packets 90698530Sfenner * handed to the filter rather than packets that passed 90798530Sfenner * the filter, but if filtering is done in the kernel, we 90898530Sfenner * can't get a count of packets that passed the filter, 90998530Sfenner * and that would mean the meaning of "ps_recv" wouldn't 91098530Sfenner * be the same on all Linux systems. 91198530Sfenner * 91298530Sfenner * XXX - it's not the same on all systems in any case; 91398530Sfenner * ideally, we should have a "get the statistics" call 91498530Sfenner * that supplies more counts and indicates which of them 91598530Sfenner * it supplies, so that we supply a count of packets 91698530Sfenner * handed to the filter only on platforms where that 91798530Sfenner * information is available. 91898530Sfenner * 91998530Sfenner * We count them here even if we can get the packet count 92098530Sfenner * from the kernel, as we can only determine at run time 92198530Sfenner * whether we'll be able to get it from the kernel (if 92298530Sfenner * HAVE_TPACKET_STATS isn't defined, we can't get it from 92398530Sfenner * the kernel, but if it is defined, the library might 92498530Sfenner * have been built with a 2.4 or later kernel, but we 92598530Sfenner * might be running on a 2.2[.x] kernel without Alexey 92698530Sfenner * Kuznetzov's turbopacket patches, and thus the kernel 92798530Sfenner * might not be able to supply those statistics). We 92898530Sfenner * could, I guess, try, when opening the socket, to get 92998530Sfenner * the statistics, and if we can not increment the count 93098530Sfenner * here, but it's not clear that always incrementing 93198530Sfenner * the count is more expensive than always testing a flag 93298530Sfenner * in memory. 933172677Smlaier * 934172677Smlaier * We keep the count in "md.packets_read", and use that for 935172677Smlaier * "ps_recv" if we can't get the statistics from the kernel. 936172677Smlaier * We do that because, if we *can* get the statistics from 937172677Smlaier * the kernel, we use "md.stat.ps_recv" and "md.stat.ps_drop" 938172677Smlaier * as running counts, as reading the statistics from the 939172677Smlaier * kernel resets the kernel statistics, and if we directly 940172677Smlaier * increment "md.stat.ps_recv" here, that means it will 941172677Smlaier * count packets *twice* on systems where we can get kernel 942172677Smlaier * statistics - once here, and once in pcap_stats_linux(). 94398530Sfenner */ 944172677Smlaier handle->md.packets_read++; 94575107Sfenner 94698530Sfenner /* Call the user supplied callback function */ 94798530Sfenner callback(userdata, &pcap_header, bp); 94898530Sfenner 94975107Sfenner return 1; 95026175Sfenner} 95126175Sfenner 952146768Ssamstatic int 953146768Ssampcap_inject_linux(pcap_t *handle, const void *buf, size_t size) 954146768Ssam{ 955146768Ssam int ret; 956146768Ssam 957146768Ssam#ifdef HAVE_PF_PACKET_SOCKETS 958146768Ssam if (!handle->md.sock_packet) { 959146768Ssam /* PF_PACKET socket */ 960146768Ssam if (handle->md.ifindex == -1) { 961146768Ssam /* 962146768Ssam * We don't support sending on the "any" device. 963146768Ssam */ 964146768Ssam strlcpy(handle->errbuf, 965146768Ssam "Sending packets isn't supported on the \"any\" device", 966146768Ssam PCAP_ERRBUF_SIZE); 967146768Ssam return (-1); 968146768Ssam } 969146768Ssam 970146768Ssam if (handle->md.cooked) { 971146768Ssam /* 972146768Ssam * We don't support sending on the "any" device. 973146768Ssam * 974146768Ssam * XXX - how do you send on a bound cooked-mode 975146768Ssam * socket? 976146768Ssam * Is a "sendto()" required there? 977146768Ssam */ 978146768Ssam strlcpy(handle->errbuf, 979146768Ssam "Sending packets isn't supported in cooked mode", 980146768Ssam PCAP_ERRBUF_SIZE); 981146768Ssam return (-1); 982146768Ssam } 983146768Ssam } 984146768Ssam#endif 985146768Ssam 986146768Ssam ret = send(handle->fd, buf, size, 0); 987146768Ssam if (ret == -1) { 988146768Ssam snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 989146768Ssam pcap_strerror(errno)); 990146768Ssam return (-1); 991146768Ssam } 992146768Ssam return (ret); 993146768Ssam} 994146768Ssam 99575107Sfenner/* 99675107Sfenner * Get the statistics for the given packet capture handle. 99798530Sfenner * Reports the number of dropped packets iff the kernel supports 99898530Sfenner * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later 99998530Sfenner * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket 100098530Sfenner * patches); otherwise, that information isn't available, and we lie 100198530Sfenner * and report 0 as the count of dropped packets. 100275107Sfenner */ 1003127664Sbmsstatic int 1004127664Sbmspcap_stats_linux(pcap_t *handle, struct pcap_stat *stats) 100526175Sfenner{ 100698530Sfenner#ifdef HAVE_TPACKET_STATS 100798530Sfenner struct tpacket_stats kstats; 100898530Sfenner socklen_t len = sizeof (struct tpacket_stats); 1009127664Sbms#endif 101098530Sfenner 1011127664Sbms#ifdef HAVE_TPACKET_STATS 101298530Sfenner /* 101398530Sfenner * Try to get the packet counts from the kernel. 101498530Sfenner */ 101598530Sfenner if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, 101698530Sfenner &kstats, &len) > -1) { 101798530Sfenner /* 1018172677Smlaier * On systems where the PACKET_STATISTICS "getsockopt()" 1019172677Smlaier * argument is supported on PF_PACKET sockets: 1020172677Smlaier * 1021172677Smlaier * "ps_recv" counts only packets that *passed* the 1022172677Smlaier * filter, not packets that didn't pass the filter. 1023172677Smlaier * This includes packets later dropped because we 1024172677Smlaier * ran out of buffer space. 1025172677Smlaier * 1026172677Smlaier * "ps_drop" counts packets dropped because we ran 1027172677Smlaier * out of buffer space. It doesn't count packets 1028172677Smlaier * dropped by the interface driver. It counts only 1029172677Smlaier * packets that passed the filter. 1030172677Smlaier * 1031172677Smlaier * Both statistics include packets not yet read from 1032172677Smlaier * the kernel by libpcap, and thus not yet seen by 1033172677Smlaier * the application. 1034172677Smlaier * 103598530Sfenner * In "linux/net/packet/af_packet.c", at least in the 103698530Sfenner * 2.4.9 kernel, "tp_packets" is incremented for every 103798530Sfenner * packet that passes the packet filter *and* is 103898530Sfenner * successfully queued on the socket; "tp_drops" is 103998530Sfenner * incremented for every packet dropped because there's 104098530Sfenner * not enough free space in the socket buffer. 104198530Sfenner * 104298530Sfenner * When the statistics are returned for a PACKET_STATISTICS 104398530Sfenner * "getsockopt()" call, "tp_drops" is added to "tp_packets", 104498530Sfenner * so that "tp_packets" counts all packets handed to 104598530Sfenner * the PF_PACKET socket, including packets dropped because 104698530Sfenner * there wasn't room on the socket buffer - but not 104798530Sfenner * including packets that didn't pass the filter. 104898530Sfenner * 104998530Sfenner * In the BSD BPF, the count of received packets is 105098530Sfenner * incremented for every packet handed to BPF, regardless 105198530Sfenner * of whether it passed the filter. 105298530Sfenner * 105398530Sfenner * We can't make "pcap_stats()" work the same on both 105498530Sfenner * platforms, but the best approximation is to return 105598530Sfenner * "tp_packets" as the count of packets and "tp_drops" 105698530Sfenner * as the count of drops. 1057146768Ssam * 1058146768Ssam * Keep a running total because each call to 1059146768Ssam * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, .... 1060146768Ssam * resets the counters to zero. 106198530Sfenner */ 1062146768Ssam handle->md.stat.ps_recv += kstats.tp_packets; 1063146768Ssam handle->md.stat.ps_drop += kstats.tp_drops; 1064172677Smlaier *stats = handle->md.stat; 1065172677Smlaier return 0; 106698530Sfenner } 106798530Sfenner else 106898530Sfenner { 106998530Sfenner /* 107098530Sfenner * If the error was EOPNOTSUPP, fall through, so that 107198530Sfenner * if you build the library on a system with 107298530Sfenner * "struct tpacket_stats" and run it on a system 107398530Sfenner * that doesn't, it works as it does if the library 107498530Sfenner * is built on a system without "struct tpacket_stats". 107598530Sfenner */ 107698530Sfenner if (errno != EOPNOTSUPP) { 107798530Sfenner snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 107898530Sfenner "pcap_stats: %s", pcap_strerror(errno)); 107998530Sfenner return -1; 108098530Sfenner } 108198530Sfenner } 108298530Sfenner#endif 108398530Sfenner /* 108498530Sfenner * On systems where the PACKET_STATISTICS "getsockopt()" argument 108598530Sfenner * is not supported on PF_PACKET sockets: 108698530Sfenner * 108798530Sfenner * "ps_recv" counts only packets that *passed* the filter, 108898530Sfenner * not packets that didn't pass the filter. It does not 108998530Sfenner * count packets dropped because we ran out of buffer 109098530Sfenner * space. 109198530Sfenner * 109298530Sfenner * "ps_drop" is not supported. 109398530Sfenner * 109498530Sfenner * "ps_recv" doesn't include packets not yet read from 109598530Sfenner * the kernel by libpcap. 1096172677Smlaier * 1097172677Smlaier * We maintain the count of packets processed by libpcap in 1098172677Smlaier * "md.packets_read", for reasons described in the comment 1099172677Smlaier * at the end of pcap_read_packet(). We have no idea how many 1100172677Smlaier * packets were dropped. 110198530Sfenner */ 1102172677Smlaier stats->ps_recv = handle->md.packets_read; 1103172677Smlaier stats->ps_drop = 0; 110475107Sfenner return 0; 110575107Sfenner} 110626175Sfenner 110775107Sfenner/* 1108127664Sbms * Description string for the "any" device. 110975107Sfenner */ 1110127664Sbmsstatic const char any_descr[] = "Pseudo-device that captures on all interfaces"; 1111127664Sbms 111275107Sfennerint 1113127664Sbmspcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 111475107Sfenner{ 1115127664Sbms if (pcap_add_if(alldevsp, "any", 0, any_descr, errbuf) < 0) 1116127664Sbms return (-1); 1117127664Sbms 1118127664Sbms#ifdef HAVE_DAG_API 1119127664Sbms if (dag_platform_finddevs(alldevsp, errbuf) < 0) 1120127664Sbms return (-1); 1121127664Sbms#endif /* HAVE_DAG_API */ 1122127664Sbms 1123147894Ssam#ifdef HAVE_SEPTEL_API 1124147894Ssam if (septel_platform_finddevs(alldevsp, errbuf) < 0) 1125147894Ssam return (-1); 1126147894Ssam#endif /* HAVE_SEPTEL_API */ 1127147894Ssam 1128190225Srpaulo#ifdef PCAP_SUPPORT_BT 1129190225Srpaulo if (bt_platform_finddevs(alldevsp, errbuf) < 0) 1130190225Srpaulo return (-1); 1131190225Srpaulo#endif 1132190225Srpaulo 1133190225Srpaulo#ifdef PCAP_SUPPORT_USB 1134190225Srpaulo if (usb_platform_finddevs(alldevsp, errbuf) < 0) 1135190225Srpaulo return (-1); 1136190225Srpaulo#endif 1137190225Srpaulo 1138127664Sbms return (0); 1139127664Sbms} 1140127664Sbms 1141127664Sbms/* 1142127664Sbms * Attach the given BPF code to the packet capture device. 1143127664Sbms */ 1144127664Sbmsstatic int 1145127664Sbmspcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter) 1146127664Sbms{ 114775107Sfenner#ifdef SO_ATTACH_FILTER 114875107Sfenner struct sock_fprog fcode; 114975107Sfenner int can_filter_in_kernel; 1150127664Sbms int err = 0; 115175107Sfenner#endif 115275107Sfenner 115375107Sfenner if (!handle) 115475107Sfenner return -1; 115575107Sfenner if (!filter) { 115675107Sfenner strncpy(handle->errbuf, "setfilter: No filter specified", 1157190225Srpaulo PCAP_ERRBUF_SIZE); 115875107Sfenner return -1; 115926175Sfenner } 116026175Sfenner 116175107Sfenner /* Make our private copy of the filter */ 116275107Sfenner 1163127664Sbms if (install_bpf_program(handle, filter) < 0) 1164127664Sbms /* install_bpf_program() filled in errbuf */ 116575107Sfenner return -1; 116639291Sfenner 1167127664Sbms /* 1168127664Sbms * Run user level packet filter by default. Will be overriden if 1169127664Sbms * installing a kernel filter succeeds. 117075107Sfenner */ 117175107Sfenner handle->md.use_bpf = 0; 117275107Sfenner 117375107Sfenner /* Install kernel level filter if possible */ 117475107Sfenner 117575107Sfenner#ifdef SO_ATTACH_FILTER 117675107Sfenner#ifdef USHRT_MAX 117775107Sfenner if (handle->fcode.bf_len > USHRT_MAX) { 117875107Sfenner /* 1179127664Sbms * fcode.len is an unsigned short for current kernel. 118075107Sfenner * I have yet to see BPF-Code with that much 118175107Sfenner * instructions but still it is possible. So for the 118275107Sfenner * sake of correctness I added this check. 118375107Sfenner */ 118475107Sfenner fprintf(stderr, "Warning: Filter too complex for kernel\n"); 1185172677Smlaier fcode.len = 0; 118675107Sfenner fcode.filter = NULL; 118775107Sfenner can_filter_in_kernel = 0; 118875107Sfenner } else 118975107Sfenner#endif /* USHRT_MAX */ 119075107Sfenner { 119175107Sfenner /* 119275107Sfenner * Oh joy, the Linux kernel uses struct sock_fprog instead 119375107Sfenner * of struct bpf_program and of course the length field is 119475107Sfenner * of different size. Pointed out by Sebastian 119575107Sfenner * 119675107Sfenner * Oh, and we also need to fix it up so that all "ret" 119775107Sfenner * instructions with non-zero operands have 65535 as the 119875107Sfenner * operand, and so that, if we're in cooked mode, all 119975107Sfenner * memory-reference instructions use special magic offsets 120075107Sfenner * in references to the link-layer header and assume that 120175107Sfenner * the link-layer payload begins at 0; "fix_program()" 120275107Sfenner * will do that. 120375107Sfenner */ 120475107Sfenner switch (fix_program(handle, &fcode)) { 120575107Sfenner 120675107Sfenner case -1: 120775107Sfenner default: 120875107Sfenner /* 120975107Sfenner * Fatal error; just quit. 121075107Sfenner * (The "default" case shouldn't happen; we 121175107Sfenner * return -1 for that reason.) 121275107Sfenner */ 121375107Sfenner return -1; 121475107Sfenner 121575107Sfenner case 0: 121675107Sfenner /* 121775107Sfenner * The program performed checks that we can't make 121875107Sfenner * work in the kernel. 121975107Sfenner */ 122075107Sfenner can_filter_in_kernel = 0; 122175107Sfenner break; 122275107Sfenner 122375107Sfenner case 1: 122475107Sfenner /* 122575107Sfenner * We have a filter that'll work in the kernel. 122675107Sfenner */ 122775107Sfenner can_filter_in_kernel = 1; 122875107Sfenner break; 122975107Sfenner } 123039291Sfenner } 123139291Sfenner 123275107Sfenner if (can_filter_in_kernel) { 1233127664Sbms if ((err = set_kernel_filter(handle, &fcode)) == 0) 123475107Sfenner { 123575107Sfenner /* Installation succeded - using kernel filter. */ 123675107Sfenner handle->md.use_bpf = 1; 123775107Sfenner } 1238127664Sbms else if (err == -1) /* Non-fatal error */ 123975107Sfenner { 1240127664Sbms /* 124175107Sfenner * Print a warning if we weren't able to install 124275107Sfenner * the filter for a reason other than "this kernel 124375107Sfenner * isn't configured to support socket filters. 124475107Sfenner */ 124575107Sfenner if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 124675107Sfenner fprintf(stderr, 1247127664Sbms "Warning: Kernel filter failed: %s\n", 124875107Sfenner pcap_strerror(errno)); 124975107Sfenner } 125075107Sfenner } 125139291Sfenner } 125239291Sfenner 125375107Sfenner /* 125498530Sfenner * If we're not using the kernel filter, get rid of any kernel 125598530Sfenner * filter that might've been there before, e.g. because the 125698530Sfenner * previous filter could work in the kernel, or because some other 125798530Sfenner * code attached a filter to the socket by some means other than 125898530Sfenner * calling "pcap_setfilter()". Otherwise, the kernel filter may 125998530Sfenner * filter out packets that would pass the new userland filter. 126098530Sfenner */ 126198530Sfenner if (!handle->md.use_bpf) 126298530Sfenner reset_kernel_filter(handle); 126398530Sfenner 126498530Sfenner /* 126575107Sfenner * Free up the copy of the filter that was made by "fix_program()". 126675107Sfenner */ 126775107Sfenner if (fcode.filter != NULL) 126875107Sfenner free(fcode.filter); 1269127664Sbms 1270127664Sbms if (err == -2) 1271127664Sbms /* Fatal error */ 1272127664Sbms return -1; 127375107Sfenner#endif /* SO_ATTACH_FILTER */ 127475107Sfenner 127575107Sfenner return 0; 127675107Sfenner} 127775107Sfenner 127875107Sfenner/* 1279147894Ssam * Set direction flag: Which packets do we accept on a forwarding 1280147894Ssam * single device? IN, OUT or both? 1281147894Ssam */ 1282147894Ssamstatic int 1283162012Ssampcap_setdirection_linux(pcap_t *handle, pcap_direction_t d) 1284147894Ssam{ 1285147894Ssam#ifdef HAVE_PF_PACKET_SOCKETS 1286147894Ssam if (!handle->md.sock_packet) { 1287147894Ssam handle->direction = d; 1288147894Ssam return 0; 1289147894Ssam } 1290147894Ssam#endif 1291147894Ssam /* 1292147894Ssam * We're not using PF_PACKET sockets, so we can't determine 1293147894Ssam * the direction of the packet. 1294147894Ssam */ 1295190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1296147894Ssam "Setting direction is not supported on SOCK_PACKET sockets"); 1297147894Ssam return -1; 1298147894Ssam} 1299147894Ssam 1300190225Srpaulo 1301190225Srpaulo#ifdef HAVE_PF_PACKET_SOCKETS 1302147894Ssam/* 1303190225Srpaulo * Map the PACKET_ value to a LINUX_SLL_ value; we 1304190225Srpaulo * want the same numerical value to be used in 1305190225Srpaulo * the link-layer header even if the numerical values 1306190225Srpaulo * for the PACKET_ #defines change, so that programs 1307190225Srpaulo * that look at the packet type field will always be 1308190225Srpaulo * able to handle DLT_LINUX_SLL captures. 1309190225Srpaulo */ 1310190225Srpaulostatic short int 1311190225Srpaulomap_packet_type_to_sll_type(short int sll_pkttype) 1312190225Srpaulo{ 1313190225Srpaulo switch (sll_pkttype) { 1314190225Srpaulo 1315190225Srpaulo case PACKET_HOST: 1316190225Srpaulo return htons(LINUX_SLL_HOST); 1317190225Srpaulo 1318190225Srpaulo case PACKET_BROADCAST: 1319190225Srpaulo return htons(LINUX_SLL_BROADCAST); 1320190225Srpaulo 1321190225Srpaulo case PACKET_MULTICAST: 1322190225Srpaulo return htons(LINUX_SLL_MULTICAST); 1323190225Srpaulo 1324190225Srpaulo case PACKET_OTHERHOST: 1325190225Srpaulo return htons(LINUX_SLL_OTHERHOST); 1326190225Srpaulo 1327190225Srpaulo case PACKET_OUTGOING: 1328190225Srpaulo return htons(LINUX_SLL_OUTGOING); 1329190225Srpaulo 1330190225Srpaulo default: 1331190225Srpaulo return -1; 1332190225Srpaulo } 1333190225Srpaulo} 1334190225Srpaulo#endif 1335190225Srpaulo 1336190225Srpaulo/* 1337127664Sbms * Linux uses the ARP hardware type to identify the type of an 1338127664Sbms * interface. pcap uses the DLT_xxx constants for this. This 133998530Sfenner * function takes a pointer to a "pcap_t", and an ARPHRD_xxx 134098530Sfenner * constant, as arguments, and sets "handle->linktype" to the 134198530Sfenner * appropriate DLT_XXX constant and sets "handle->offset" to 134298530Sfenner * the appropriate value (to make "handle->offset" plus link-layer 134398530Sfenner * header length be a multiple of 4, so that the link-layer payload 134498530Sfenner * will be aligned on a 4-byte boundary when capturing packets). 134598530Sfenner * (If the offset isn't set here, it'll be 0; add code as appropriate 134698530Sfenner * for cases where it shouldn't be 0.) 1347127664Sbms * 1348127664Sbms * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture 1349127664Sbms * in cooked mode; otherwise, we can't use cooked mode, so we have 1350127664Sbms * to pick some type that works in raw mode, or fail. 1351127664Sbms * 135298530Sfenner * Sets the link type to -1 if unable to map the type. 135375107Sfenner */ 1354127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok) 135575107Sfenner{ 135675107Sfenner switch (arptype) { 135798530Sfenner 135839291Sfenner case ARPHRD_ETHER: 1359146768Ssam /* 1360146768Ssam * This is (presumably) a real Ethernet capture; give it a 1361146768Ssam * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 1362146768Ssam * that an application can let you choose it, in case you're 1363146768Ssam * capturing DOCSIS traffic that a Cisco Cable Modem 1364146768Ssam * Termination System is putting out onto an Ethernet (it 1365146768Ssam * doesn't put an Ethernet header onto the wire, it puts raw 1366146768Ssam * DOCSIS frames out on the wire inside the low-level 1367146768Ssam * Ethernet framing). 1368146768Ssam * 1369146768Ssam * XXX - are there any sorts of "fake Ethernet" that have 1370146768Ssam * ARPHRD_ETHER but that *shouldn't offer DLT_DOCSIS as 1371146768Ssam * a Cisco CMTS won't put traffic onto it or get traffic 1372190225Srpaulo * bridged onto it? ISDN is handled in "activate_new()", 1373146768Ssam * as we fall back on cooked mode there; are there any 1374146768Ssam * others? 1375146768Ssam */ 1376146768Ssam handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1377146768Ssam /* 1378146768Ssam * If that fails, just leave the list empty. 1379146768Ssam */ 1380146768Ssam if (handle->dlt_list != NULL) { 1381146768Ssam handle->dlt_list[0] = DLT_EN10MB; 1382146768Ssam handle->dlt_list[1] = DLT_DOCSIS; 1383146768Ssam handle->dlt_count = 2; 1384146768Ssam } 1385146768Ssam /* FALLTHROUGH */ 1386146768Ssam 138739291Sfenner case ARPHRD_METRICOM: 138898530Sfenner case ARPHRD_LOOPBACK: 138998530Sfenner handle->linktype = DLT_EN10MB; 139098530Sfenner handle->offset = 2; 139198530Sfenner break; 139298530Sfenner 139398530Sfenner case ARPHRD_EETHER: 139498530Sfenner handle->linktype = DLT_EN3MB; 139598530Sfenner break; 139698530Sfenner 139798530Sfenner case ARPHRD_AX25: 1398190225Srpaulo handle->linktype = DLT_AX25_KISS; 139998530Sfenner break; 140098530Sfenner 140198530Sfenner case ARPHRD_PRONET: 140298530Sfenner handle->linktype = DLT_PRONET; 140398530Sfenner break; 140498530Sfenner 140598530Sfenner case ARPHRD_CHAOS: 140698530Sfenner handle->linktype = DLT_CHAOS; 140798530Sfenner break; 140898530Sfenner 140975107Sfenner#ifndef ARPHRD_IEEE802_TR 141075107Sfenner#define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 141175107Sfenner#endif 141275107Sfenner case ARPHRD_IEEE802_TR: 141398530Sfenner case ARPHRD_IEEE802: 141498530Sfenner handle->linktype = DLT_IEEE802; 141598530Sfenner handle->offset = 2; 141698530Sfenner break; 141739291Sfenner 141898530Sfenner case ARPHRD_ARCNET: 1419127664Sbms handle->linktype = DLT_ARCNET_LINUX; 142098530Sfenner break; 142198530Sfenner 1422127664Sbms#ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ 1423127664Sbms#define ARPHRD_FDDI 774 1424127664Sbms#endif 142598530Sfenner case ARPHRD_FDDI: 142698530Sfenner handle->linktype = DLT_FDDI; 142798530Sfenner handle->offset = 3; 142898530Sfenner break; 142998530Sfenner 143075107Sfenner#ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 143175107Sfenner#define ARPHRD_ATM 19 143275107Sfenner#endif 143398530Sfenner case ARPHRD_ATM: 143498530Sfenner /* 143598530Sfenner * The Classical IP implementation in ATM for Linux 143698530Sfenner * supports both what RFC 1483 calls "LLC Encapsulation", 143798530Sfenner * in which each packet has an LLC header, possibly 143898530Sfenner * with a SNAP header as well, prepended to it, and 143998530Sfenner * what RFC 1483 calls "VC Based Multiplexing", in which 144098530Sfenner * different virtual circuits carry different network 144198530Sfenner * layer protocols, and no header is prepended to packets. 144298530Sfenner * 144398530Sfenner * They both have an ARPHRD_ type of ARPHRD_ATM, so 144498530Sfenner * you can't use the ARPHRD_ type to find out whether 144598530Sfenner * captured packets will have an LLC header, and, 144698530Sfenner * while there's a socket ioctl to *set* the encapsulation 144798530Sfenner * type, there's no ioctl to *get* the encapsulation type. 144898530Sfenner * 144998530Sfenner * This means that 145098530Sfenner * 145198530Sfenner * programs that dissect Linux Classical IP frames 145298530Sfenner * would have to check for an LLC header and, 145398530Sfenner * depending on whether they see one or not, dissect 145498530Sfenner * the frame as LLC-encapsulated or as raw IP (I 145598530Sfenner * don't know whether there's any traffic other than 145698530Sfenner * IP that would show up on the socket, or whether 145798530Sfenner * there's any support for IPv6 in the Linux 145898530Sfenner * Classical IP code); 145998530Sfenner * 146098530Sfenner * filter expressions would have to compile into 146198530Sfenner * code that checks for an LLC header and does 146298530Sfenner * the right thing. 146398530Sfenner * 146498530Sfenner * Both of those are a nuisance - and, at least on systems 146598530Sfenner * that support PF_PACKET sockets, we don't have to put 146698530Sfenner * up with those nuisances; instead, we can just capture 1467127664Sbms * in cooked mode. That's what we'll do, if we can. 1468127664Sbms * Otherwise, we'll just fail. 146998530Sfenner */ 1470127664Sbms if (cooked_ok) 1471127664Sbms handle->linktype = DLT_LINUX_SLL; 1472127664Sbms else 1473127664Sbms handle->linktype = -1; 147498530Sfenner break; 147539291Sfenner 147698530Sfenner#ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ 147798530Sfenner#define ARPHRD_IEEE80211 801 147898530Sfenner#endif 147998530Sfenner case ARPHRD_IEEE80211: 148098530Sfenner handle->linktype = DLT_IEEE802_11; 148198530Sfenner break; 148298530Sfenner 1483127664Sbms#ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ 1484127664Sbms#define ARPHRD_IEEE80211_PRISM 802 1485127664Sbms#endif 1486127664Sbms case ARPHRD_IEEE80211_PRISM: 1487127664Sbms handle->linktype = DLT_PRISM_HEADER; 1488127664Sbms break; 1489127664Sbms 1490162012Ssam#ifndef ARPHRD_IEEE80211_RADIOTAP /* new */ 1491162012Ssam#define ARPHRD_IEEE80211_RADIOTAP 803 1492162012Ssam#endif 1493162012Ssam case ARPHRD_IEEE80211_RADIOTAP: 1494162012Ssam handle->linktype = DLT_IEEE802_11_RADIO; 1495162012Ssam break; 1496162012Ssam 149775107Sfenner case ARPHRD_PPP: 149898530Sfenner /* 149998530Sfenner * Some PPP code in the kernel supplies no link-layer 150098530Sfenner * header whatsoever to PF_PACKET sockets; other PPP 150198530Sfenner * code supplies PPP link-layer headers ("syncppp.c"); 150298530Sfenner * some PPP code might supply random link-layer 150398530Sfenner * headers (PPP over ISDN - there's code in Ethereal, 150498530Sfenner * for example, to cope with PPP-over-ISDN captures 150598530Sfenner * with which the Ethereal developers have had to cope, 150698530Sfenner * heuristically trying to determine which of the 150798530Sfenner * oddball link-layer headers particular packets have). 150898530Sfenner * 150998530Sfenner * As such, we just punt, and run all PPP interfaces 1510127664Sbms * in cooked mode, if we can; otherwise, we just treat 1511127664Sbms * it as DLT_RAW, for now - if somebody needs to capture, 1512127664Sbms * on a 2.0[.x] kernel, on PPP devices that supply a 1513127664Sbms * link-layer header, they'll have to add code here to 1514127664Sbms * map to the appropriate DLT_ type (possibly adding a 1515127664Sbms * new DLT_ type, if necessary). 151698530Sfenner */ 1517127664Sbms if (cooked_ok) 1518127664Sbms handle->linktype = DLT_LINUX_SLL; 1519127664Sbms else { 1520127664Sbms /* 1521127664Sbms * XXX - handle ISDN types here? We can't fall 1522127664Sbms * back on cooked sockets, so we'd have to 1523127664Sbms * figure out from the device name what type of 1524127664Sbms * link-layer encapsulation it's using, and map 1525127664Sbms * that to an appropriate DLT_ value, meaning 1526127664Sbms * we'd map "isdnN" devices to DLT_RAW (they 1527127664Sbms * supply raw IP packets with no link-layer 1528127664Sbms * header) and "isdY" devices to a new DLT_I4L_IP 1529127664Sbms * type that has only an Ethernet packet type as 1530127664Sbms * a link-layer header. 1531127664Sbms * 1532127664Sbms * But sometimes we seem to get random crap 1533127664Sbms * in the link-layer header when capturing on 1534127664Sbms * ISDN devices.... 1535127664Sbms */ 1536127664Sbms handle->linktype = DLT_RAW; 1537127664Sbms } 153898530Sfenner break; 153998530Sfenner 1540127664Sbms#ifndef ARPHRD_CISCO 1541127664Sbms#define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */ 1542127664Sbms#endif 1543127664Sbms case ARPHRD_CISCO: 154498530Sfenner handle->linktype = DLT_C_HDLC; 154598530Sfenner break; 154698530Sfenner 154775107Sfenner /* Not sure if this is correct for all tunnels, but it 154875107Sfenner * works for CIPE */ 154975107Sfenner case ARPHRD_TUNNEL: 155075107Sfenner#ifndef ARPHRD_SIT 1551127664Sbms#define ARPHRD_SIT 776 /* From Linux 2.2.13 */ 155275107Sfenner#endif 155375107Sfenner case ARPHRD_SIT: 155475107Sfenner case ARPHRD_CSLIP: 155575107Sfenner case ARPHRD_SLIP6: 155675107Sfenner case ARPHRD_CSLIP6: 155798530Sfenner case ARPHRD_ADAPT: 155898530Sfenner case ARPHRD_SLIP: 1559127664Sbms#ifndef ARPHRD_RAWHDLC 1560127664Sbms#define ARPHRD_RAWHDLC 518 1561127664Sbms#endif 1562127664Sbms case ARPHRD_RAWHDLC: 1563127664Sbms#ifndef ARPHRD_DLCI 1564127664Sbms#define ARPHRD_DLCI 15 1565127664Sbms#endif 1566127664Sbms case ARPHRD_DLCI: 156798530Sfenner /* 156898530Sfenner * XXX - should some of those be mapped to DLT_LINUX_SLL 156998530Sfenner * instead? Should we just map all of them to DLT_LINUX_SLL? 157098530Sfenner */ 157198530Sfenner handle->linktype = DLT_RAW; 157298530Sfenner break; 157398530Sfenner 1574127664Sbms#ifndef ARPHRD_FRAD 1575127664Sbms#define ARPHRD_FRAD 770 1576127664Sbms#endif 1577127664Sbms case ARPHRD_FRAD: 1578127664Sbms handle->linktype = DLT_FRELAY; 1579127664Sbms break; 1580127664Sbms 158198530Sfenner case ARPHRD_LOCALTLK: 158298530Sfenner handle->linktype = DLT_LTALK; 158398530Sfenner break; 158498530Sfenner 1585127664Sbms#ifndef ARPHRD_FCPP 1586127664Sbms#define ARPHRD_FCPP 784 1587127664Sbms#endif 1588127664Sbms case ARPHRD_FCPP: 1589127664Sbms#ifndef ARPHRD_FCAL 1590127664Sbms#define ARPHRD_FCAL 785 1591127664Sbms#endif 1592127664Sbms case ARPHRD_FCAL: 1593127664Sbms#ifndef ARPHRD_FCPL 1594127664Sbms#define ARPHRD_FCPL 786 1595127664Sbms#endif 1596127664Sbms case ARPHRD_FCPL: 1597127664Sbms#ifndef ARPHRD_FCFABRIC 1598127664Sbms#define ARPHRD_FCFABRIC 787 1599127664Sbms#endif 1600127664Sbms case ARPHRD_FCFABRIC: 1601127664Sbms /* 1602127664Sbms * We assume that those all mean RFC 2625 IP-over- 1603127664Sbms * Fibre Channel, with the RFC 2625 header at 1604127664Sbms * the beginning of the packet. 1605127664Sbms */ 1606127664Sbms handle->linktype = DLT_IP_OVER_FC; 1607127664Sbms break; 1608127664Sbms 1609146768Ssam#ifndef ARPHRD_IRDA 1610146768Ssam#define ARPHRD_IRDA 783 1611146768Ssam#endif 1612127664Sbms case ARPHRD_IRDA: 1613127664Sbms /* Don't expect IP packet out of this interfaces... */ 1614127664Sbms handle->linktype = DLT_LINUX_IRDA; 1615127664Sbms /* We need to save packet direction for IrDA decoding, 1616127664Sbms * so let's use "Linux-cooked" mode. Jean II */ 1617127664Sbms //handle->md.cooked = 1; 1618127664Sbms break; 1619127664Sbms 1620172677Smlaier /* ARPHRD_LAPD is unofficial and randomly allocated, if reallocation 1621172677Smlaier * is needed, please report it to <daniele@orlandi.com> */ 1622172677Smlaier#ifndef ARPHRD_LAPD 1623172677Smlaier#define ARPHRD_LAPD 8445 1624172677Smlaier#endif 1625172677Smlaier case ARPHRD_LAPD: 1626172677Smlaier /* Don't expect IP packet out of this interfaces... */ 1627172677Smlaier handle->linktype = DLT_LINUX_LAPD; 1628172677Smlaier break; 1629172677Smlaier 1630190225Srpaulo#ifndef ARPHRD_NONE 1631190225Srpaulo#define ARPHRD_NONE 0xFFFE 1632190225Srpaulo#endif 1633190225Srpaulo case ARPHRD_NONE: 1634190225Srpaulo /* 1635190225Srpaulo * No link-layer header; packets are just IP 1636190225Srpaulo * packets, so use DLT_RAW. 1637190225Srpaulo */ 1638190225Srpaulo handle->linktype = DLT_RAW; 1639190225Srpaulo break; 1640190225Srpaulo 164198530Sfenner default: 164298530Sfenner handle->linktype = -1; 164398530Sfenner break; 164475107Sfenner } 164575107Sfenner} 164639291Sfenner 164775107Sfenner/* ===== Functions to interface to the newer kernels ================== */ 164839291Sfenner 164975107Sfenner/* 1650190225Srpaulo * Try to open a packet socket using the new kernel PF_PACKET interface. 1651190225Srpaulo * Returns 1 on success, 0 on an error that means the new interface isn't 1652190225Srpaulo * present (so the old SOCK_PACKET interface should be tried), and a 1653190225Srpaulo * PCAP_ERROR_ value on an error that means that the old mechanism won't 1654190225Srpaulo * work either (so it shouldn't be tried). 165575107Sfenner */ 165675107Sfennerstatic int 1657190225Srpauloactivate_new(pcap_t *handle) 165875107Sfenner{ 165975107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 1660190225Srpaulo int sock_fd = -1, arptype, val; 1661190225Srpaulo int err = 0; 166275107Sfenner struct packet_mreq mr; 1663190225Srpaulo const char* device = handle->opt.source; 166439291Sfenner 1665190225Srpaulo /* 1666190225Srpaulo * Open a socket with protocol family packet. If a device is 1667190225Srpaulo * given we try to open it in raw mode otherwise we use 1668190225Srpaulo * the cooked interface. 1669190225Srpaulo */ 1670190225Srpaulo sock_fd = device ? 1671190225Srpaulo socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) 1672190225Srpaulo : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); 167339291Sfenner 1674190225Srpaulo if (sock_fd == -1) { 1675190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "socket: %s", 1676190225Srpaulo pcap_strerror(errno) ); 1677190225Srpaulo return 0; /* try old mechanism */ 1678190225Srpaulo } 167939291Sfenner 1680190225Srpaulo /* It seems the kernel supports the new interface. */ 1681190225Srpaulo handle->md.sock_packet = 0; 168239291Sfenner 1683190225Srpaulo /* 1684190225Srpaulo * Get the interface index of the loopback device. 1685190225Srpaulo * If the attempt fails, don't fail, just set the 1686190225Srpaulo * "md.lo_ifindex" to -1. 1687190225Srpaulo * 1688190225Srpaulo * XXX - can there be more than one device that loops 1689190225Srpaulo * packets back, i.e. devices other than "lo"? If so, 1690190225Srpaulo * we'd need to find them all, and have an array of 1691190225Srpaulo * indices for them, and check all of them in 1692190225Srpaulo * "pcap_read_packet()". 1693190225Srpaulo */ 1694190225Srpaulo handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", handle->errbuf); 169575107Sfenner 1696190225Srpaulo /* 1697190225Srpaulo * Default value for offset to align link-layer payload 1698190225Srpaulo * on a 4-byte boundary. 1699190225Srpaulo */ 1700190225Srpaulo handle->offset = 0; 170175107Sfenner 1702190225Srpaulo /* 1703190225Srpaulo * What kind of frames do we have to deal with? Fall back 1704190225Srpaulo * to cooked mode if we have an unknown interface type 1705190225Srpaulo * or a type we know doesn't work well in raw mode. 1706190225Srpaulo */ 1707190225Srpaulo if (device) { 1708190225Srpaulo /* Assume for now we don't need cooked mode. */ 1709190225Srpaulo handle->md.cooked = 0; 171098530Sfenner 1711190225Srpaulo if (handle->opt.rfmon) { 1712190225Srpaulo /* 1713190225Srpaulo * We were asked to turn on monitor mode. 1714190225Srpaulo * Do so before we get the link-layer type, 1715190225Srpaulo * because entering monitor mode could change 1716190225Srpaulo * the link-layer type. 1717190225Srpaulo */ 1718190225Srpaulo err = enter_rfmon_mode_wext(handle, sock_fd, device); 1719190225Srpaulo if (err < 0) { 1720190225Srpaulo /* Hard failure */ 1721190225Srpaulo close(sock_fd); 1722190225Srpaulo return err; 1723127664Sbms } 1724190225Srpaulo if (err == 0) { 172575107Sfenner /* 1726190225Srpaulo * Nothing worked for turning monitor mode 1727190225Srpaulo * on. 172875107Sfenner */ 1729190225Srpaulo close(sock_fd); 1730190225Srpaulo return PCAP_ERROR_RFMON_NOTSUP; 1731190225Srpaulo } 1732190225Srpaulo } 1733190225Srpaulo arptype = iface_get_arptype(sock_fd, device, handle->errbuf); 1734190225Srpaulo if (arptype < 0) { 1735190225Srpaulo close(sock_fd); 1736190225Srpaulo return arptype; 1737190225Srpaulo } 1738190225Srpaulo map_arphrd_to_dlt(handle, arptype, 1); 1739190225Srpaulo if (handle->linktype == -1 || 1740190225Srpaulo handle->linktype == DLT_LINUX_SLL || 1741190225Srpaulo handle->linktype == DLT_LINUX_IRDA || 1742190225Srpaulo handle->linktype == DLT_LINUX_LAPD || 1743190225Srpaulo (handle->linktype == DLT_EN10MB && 1744190225Srpaulo (strncmp("isdn", device, 4) == 0 || 1745190225Srpaulo strncmp("isdY", device, 4) == 0))) { 1746190225Srpaulo /* 1747190225Srpaulo * Unknown interface type (-1), or a 1748190225Srpaulo * device we explicitly chose to run 1749190225Srpaulo * in cooked mode (e.g., PPP devices), 1750190225Srpaulo * or an ISDN device (whose link-layer 1751190225Srpaulo * type we can only determine by using 1752190225Srpaulo * APIs that may be different on different 1753190225Srpaulo * kernels) - reopen in cooked mode. 1754190225Srpaulo */ 1755190225Srpaulo if (close(sock_fd) == -1) { 1756190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1757190225Srpaulo "close: %s", pcap_strerror(errno)); 1758190225Srpaulo return PCAP_ERROR; 1759190225Srpaulo } 1760190225Srpaulo sock_fd = socket(PF_PACKET, SOCK_DGRAM, 1761190225Srpaulo htons(ETH_P_ALL)); 1762190225Srpaulo if (sock_fd == -1) { 1763190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1764190225Srpaulo "socket: %s", pcap_strerror(errno)); 1765190225Srpaulo return PCAP_ERROR; 1766190225Srpaulo } 1767190225Srpaulo handle->md.cooked = 1; 176875107Sfenner 1769190225Srpaulo /* 1770190225Srpaulo * Get rid of any link-layer type list 1771190225Srpaulo * we allocated - this only supports cooked 1772190225Srpaulo * capture. 1773190225Srpaulo */ 1774190225Srpaulo if (handle->dlt_list != NULL) { 1775190225Srpaulo free(handle->dlt_list); 1776190225Srpaulo handle->dlt_list = NULL; 1777190225Srpaulo handle->dlt_count = 0; 1778190225Srpaulo } 1779190225Srpaulo 1780190225Srpaulo if (handle->linktype == -1) { 1781146768Ssam /* 1782190225Srpaulo * Warn that we're falling back on 1783190225Srpaulo * cooked mode; we may want to 1784190225Srpaulo * update "map_arphrd_to_dlt()" 1785190225Srpaulo * to handle the new type. 1786146768Ssam */ 1787190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1788190225Srpaulo "arptype %d not " 1789190225Srpaulo "supported by libpcap - " 1790190225Srpaulo "falling back to cooked " 1791190225Srpaulo "socket", 1792190225Srpaulo arptype); 179375107Sfenner } 179475107Sfenner 179575107Sfenner /* 1796190225Srpaulo * IrDA capture is not a real "cooked" capture, 1797190225Srpaulo * it's IrLAP frames, not IP packets. The 1798190225Srpaulo * same applies to LAPD capture. 179975107Sfenner */ 1800190225Srpaulo if (handle->linktype != DLT_LINUX_IRDA && 1801190225Srpaulo handle->linktype != DLT_LINUX_LAPD) 1802190225Srpaulo handle->linktype = DLT_LINUX_SLL; 1803190225Srpaulo } 180475107Sfenner 1805190225Srpaulo handle->md.ifindex = iface_get_id(sock_fd, device, 1806190225Srpaulo handle->errbuf); 1807190225Srpaulo if (handle->md.ifindex == -1) { 1808190225Srpaulo close(sock_fd); 1809190225Srpaulo return PCAP_ERROR; 181075107Sfenner } 181175107Sfenner 1812190225Srpaulo if ((err = iface_bind(sock_fd, handle->md.ifindex, 1813190225Srpaulo handle->errbuf)) != 1) { 1814190225Srpaulo close(sock_fd); 1815190225Srpaulo if (err < 0) 1816190225Srpaulo return err; 1817190225Srpaulo else 1818190225Srpaulo return 0; /* try old mechanism */ 1819190225Srpaulo } 1820190225Srpaulo } else { 1821127664Sbms /* 1822190225Srpaulo * This is cooked mode. 1823127664Sbms */ 1824190225Srpaulo handle->md.cooked = 1; 1825190225Srpaulo handle->linktype = DLT_LINUX_SLL; 182675107Sfenner 1827127664Sbms /* 1828190225Srpaulo * We're not bound to a device. 1829190225Srpaulo * XXX - true? Or true only if we're using 1830190225Srpaulo * the "any" device? 1831190225Srpaulo * For now, we're using this as an indication 1832190225Srpaulo * that we can't transmit; stop doing that only 1833190225Srpaulo * if we figure out how to transmit in cooked 1834190225Srpaulo * mode. 183575107Sfenner */ 1836190225Srpaulo handle->md.ifindex = -1; 1837190225Srpaulo } 183875107Sfenner 1839190225Srpaulo /* 1840190225Srpaulo * Select promiscuous mode on if "promisc" is set. 1841190225Srpaulo * 1842190225Srpaulo * Do not turn allmulti mode on if we don't select 1843190225Srpaulo * promiscuous mode - on some devices (e.g., Orinoco 1844190225Srpaulo * wireless interfaces), allmulti mode isn't supported 1845190225Srpaulo * and the driver implements it by turning promiscuous 1846190225Srpaulo * mode on, and that screws up the operation of the 1847190225Srpaulo * card as a normal networking interface, and on no 1848190225Srpaulo * other platform I know of does starting a non- 1849190225Srpaulo * promiscuous capture affect which multicast packets 1850190225Srpaulo * are received by the interface. 1851190225Srpaulo */ 185239291Sfenner 1853190225Srpaulo /* 1854190225Srpaulo * Hmm, how can we set promiscuous mode on all interfaces? 1855190225Srpaulo * I am not sure if that is possible at all. 1856190225Srpaulo */ 185775107Sfenner 1858190225Srpaulo if (device && handle->opt.promisc) { 1859190225Srpaulo memset(&mr, 0, sizeof(mr)); 1860190225Srpaulo mr.mr_ifindex = handle->md.ifindex; 1861190225Srpaulo mr.mr_type = PACKET_MR_PROMISC; 1862190225Srpaulo if (setsockopt(sock_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, 1863190225Srpaulo &mr, sizeof(mr)) == -1) { 1864190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1865190225Srpaulo "setsockopt: %s", pcap_strerror(errno)); 1866190225Srpaulo close(sock_fd); 1867190225Srpaulo return PCAP_ERROR; 1868190225Srpaulo } 1869190225Srpaulo } 187075107Sfenner 1871190225Srpaulo /* Enable auxillary data if supported and reserve room for 1872190225Srpaulo * reconstructing VLAN headers. */ 1873190225Srpaulo#ifdef HAVE_PACKET_AUXDATA 1874190225Srpaulo val = 1; 1875190225Srpaulo if (setsockopt(sock_fd, SOL_PACKET, PACKET_AUXDATA, &val, 1876190225Srpaulo sizeof(val)) == -1 && errno != ENOPROTOOPT) { 1877190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1878190225Srpaulo "setsockopt: %s", pcap_strerror(errno)); 1879190225Srpaulo close(sock_fd); 1880190225Srpaulo return PCAP_ERROR; 1881190225Srpaulo } 1882190225Srpaulo handle->offset += VLAN_TAG_LEN; 1883190225Srpaulo#endif /* HAVE_PACKET_AUXDATA */ 188475107Sfenner 1885190225Srpaulo /* 1886190225Srpaulo * This is a 2.2[.x] or later kernel (we know that 1887190225Srpaulo * because we're not using a SOCK_PACKET socket - 1888190225Srpaulo * PF_PACKET is supported only in 2.2 and later 1889190225Srpaulo * kernels). 1890190225Srpaulo * 1891190225Srpaulo * We can safely pass "recvfrom()" a byte count 1892190225Srpaulo * based on the snapshot length. 1893190225Srpaulo * 1894190225Srpaulo * If we're in cooked mode, make the snapshot length 1895190225Srpaulo * large enough to hold a "cooked mode" header plus 1896190225Srpaulo * 1 byte of packet data (so we don't pass a byte 1897190225Srpaulo * count of 0 to "recvfrom()"). 1898190225Srpaulo */ 1899190225Srpaulo if (handle->md.cooked) { 1900190225Srpaulo if (handle->snapshot < SLL_HDR_LEN + 1) 1901190225Srpaulo handle->snapshot = SLL_HDR_LEN + 1; 1902190225Srpaulo } 1903190225Srpaulo handle->bufsize = handle->snapshot; 190475107Sfenner 1905190225Srpaulo /* Save the socket FD in the pcap structure */ 1906190225Srpaulo handle->fd = sock_fd; 1907127664Sbms 1908190225Srpaulo return 1; 190975107Sfenner#else 1910127664Sbms strncpy(ebuf, 1911127664Sbms "New packet capturing interface not supported by build " 191275107Sfenner "environment", PCAP_ERRBUF_SIZE); 191375107Sfenner return 0; 191439291Sfenner#endif 191575107Sfenner} 191639291Sfenner 1917190225Srpaulostatic int 1918190225Srpauloactivate_mmap(pcap_t *handle) 1919190225Srpaulo{ 1920190225Srpaulo#ifdef HAVE_PACKET_RING 1921190225Srpaulo int ret; 1922190225Srpaulo 1923190225Srpaulo if (handle->opt.buffer_size == 0) { 1924190225Srpaulo /* by default request 2M for the ring buffer */ 1925190225Srpaulo handle->opt.buffer_size = 2*1024*1024; 1926190225Srpaulo } 1927190225Srpaulo ret = prepare_tpacket_socket(handle); 1928190225Srpaulo if (ret == 0) 1929190225Srpaulo return ret; 1930190225Srpaulo ret = create_ring(handle); 1931190225Srpaulo if (ret == 0) 1932190225Srpaulo return ret; 1933190225Srpaulo 1934190225Srpaulo /* override some defaults and inherit the other fields from 1935190225Srpaulo * activate_new 1936190225Srpaulo * handle->offset is used to get the current position into the rx ring 1937190225Srpaulo * handle->cc is used to store the ring size */ 1938190225Srpaulo handle->read_op = pcap_read_linux_mmap; 1939190225Srpaulo handle->cleanup_op = pcap_cleanup_linux_mmap; 1940190225Srpaulo handle->setfilter_op = pcap_setfilter_linux_mmap; 1941190225Srpaulo handle->setnonblock_op = pcap_setnonblock_mmap; 1942190225Srpaulo handle->getnonblock_op = pcap_getnonblock_mmap; 1943190225Srpaulo handle->selectable_fd = handle->fd; 1944190225Srpaulo return 1; 1945190225Srpaulo#else /* HAVE_PACKET_RING */ 1946190225Srpaulo return 0; 1947190225Srpaulo#endif /* HAVE_PACKET_RING */ 1948190225Srpaulo} 1949190225Srpaulo 1950190225Srpaulo#ifdef HAVE_PACKET_RING 1951190225Srpaulostatic int 1952190225Srpauloprepare_tpacket_socket(pcap_t *handle) 1953190225Srpaulo{ 1954190225Srpaulo#ifdef HAVE_TPACKET2 1955190225Srpaulo socklen_t len; 1956190225Srpaulo int val; 1957190225Srpaulo#endif 1958190225Srpaulo 1959190225Srpaulo handle->md.tp_version = TPACKET_V1; 1960190225Srpaulo handle->md.tp_hdrlen = sizeof(struct tpacket_hdr); 1961190225Srpaulo 1962190225Srpaulo#ifdef HAVE_TPACKET2 1963190225Srpaulo /* Probe whether kernel supports TPACKET_V2 */ 1964190225Srpaulo val = TPACKET_V2; 1965190225Srpaulo len = sizeof(val); 1966190225Srpaulo if (getsockopt(handle->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) { 1967190225Srpaulo if (errno == ENOPROTOOPT) 1968190225Srpaulo return 1; 1969190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1970190225Srpaulo "can't get TPACKET_V2 header len on socket %d: %d-%s", 1971190225Srpaulo handle->fd, errno, pcap_strerror(errno)); 1972190225Srpaulo return 0; 1973190225Srpaulo } 1974190225Srpaulo handle->md.tp_hdrlen = val; 1975190225Srpaulo 1976190225Srpaulo val = TPACKET_V2; 1977190225Srpaulo if (setsockopt(handle->fd, SOL_PACKET, PACKET_VERSION, &val, 1978190225Srpaulo sizeof(val)) < 0) { 1979190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1980190225Srpaulo "can't activate TPACKET_V2 on socket %d: %d-%s", 1981190225Srpaulo handle->fd, errno, pcap_strerror(errno)); 1982190225Srpaulo return 0; 1983190225Srpaulo } 1984190225Srpaulo handle->md.tp_version = TPACKET_V2; 1985190225Srpaulo 1986190225Srpaulo /* Reserve space for VLAN tag reconstruction */ 1987190225Srpaulo val = VLAN_TAG_LEN; 1988190225Srpaulo if (setsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE, &val, 1989190225Srpaulo sizeof(val)) < 0) { 1990190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1991190225Srpaulo "can't set up reserve on socket %d: %d-%s", 1992190225Srpaulo handle->fd, errno, pcap_strerror(errno)); 1993190225Srpaulo return 0; 1994190225Srpaulo } 1995190225Srpaulo 1996190225Srpaulo#endif /* HAVE_TPACKET2 */ 1997190225Srpaulo return 1; 1998190225Srpaulo} 1999190225Srpaulo 2000190225Srpaulostatic void 2001190225Srpaulocompute_ring_block(int frame_size, unsigned *block_size, unsigned *frames_per_block) 2002190225Srpaulo{ 2003190225Srpaulo /* compute the minumum block size that will handle this frame. 2004190225Srpaulo * The block has to be page size aligned. 2005190225Srpaulo * The max block size allowed by the kernel is arch-dependent and 2006190225Srpaulo * it's not explicitly checked here. */ 2007190225Srpaulo *block_size = getpagesize(); 2008190225Srpaulo while (*block_size < frame_size) 2009190225Srpaulo *block_size <<= 1; 2010190225Srpaulo 2011190225Srpaulo *frames_per_block = *block_size/frame_size; 2012190225Srpaulo} 2013190225Srpaulo 2014190225Srpaulostatic int 2015190225Srpaulocreate_ring(pcap_t *handle) 2016190225Srpaulo{ 2017190225Srpaulo unsigned i, j, ringsize, frames_per_block; 2018190225Srpaulo struct tpacket_req req; 2019190225Srpaulo 2020190225Srpaulo /* Note that with large snapshot (say 64K) only a few frames 2021190225Srpaulo * will be available in the ring even with pretty large ring size 2022190225Srpaulo * (and a lot of memory will be unused). 2023190225Srpaulo * The snap len should be carefully chosen to achive best 2024190225Srpaulo * performance */ 2025190225Srpaulo req.tp_frame_size = TPACKET_ALIGN(handle->snapshot + 2026190225Srpaulo TPACKET_ALIGN(handle->md.tp_hdrlen) + 2027190225Srpaulo sizeof(struct sockaddr_ll)); 2028190225Srpaulo req.tp_frame_nr = handle->opt.buffer_size/req.tp_frame_size; 2029190225Srpaulo compute_ring_block(req.tp_frame_size, &req.tp_block_size, &frames_per_block); 2030190225Srpaulo req.tp_block_nr = req.tp_frame_nr / frames_per_block; 2031190225Srpaulo 2032190225Srpaulo /* req.tp_frame_nr is requested to match frames_per_block*req.tp_block_nr */ 2033190225Srpaulo req.tp_frame_nr = req.tp_block_nr * frames_per_block; 2034190225Srpaulo 2035190225Srpaulo /* ask the kernel to create the ring */ 2036190225Srpauloretry: 2037190225Srpaulo if (setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, 2038190225Srpaulo (void *) &req, sizeof(req))) { 2039190225Srpaulo /* try to reduce requested ring size to prevent memory failure */ 2040190225Srpaulo if ((errno == ENOMEM) && (req.tp_block_nr > 1)) { 2041190225Srpaulo req.tp_frame_nr >>= 1; 2042190225Srpaulo req.tp_block_nr = req.tp_frame_nr/frames_per_block; 2043190225Srpaulo goto retry; 2044190225Srpaulo } 2045190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "can't create rx ring on " 2046190225Srpaulo "packet socket %d: %d-%s", handle->fd, errno, 2047190225Srpaulo pcap_strerror(errno)); 2048190225Srpaulo return 0; 2049190225Srpaulo } 2050190225Srpaulo 2051190225Srpaulo /* memory map the rx ring */ 2052190225Srpaulo ringsize = req.tp_block_nr * req.tp_block_size; 2053190225Srpaulo handle->bp = mmap(0, ringsize, PROT_READ| PROT_WRITE, MAP_SHARED, 2054190225Srpaulo handle->fd, 0); 2055190225Srpaulo if (handle->bp == MAP_FAILED) { 2056190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "can't mmap rx ring: %d-%s", 2057190225Srpaulo errno, pcap_strerror(errno)); 2058190225Srpaulo 2059190225Srpaulo /* clear the allocated ring on error*/ 2060190225Srpaulo destroy_ring(handle); 2061190225Srpaulo return 0; 2062190225Srpaulo } 2063190225Srpaulo 2064190225Srpaulo /* allocate a ring for each frame header pointer*/ 2065190225Srpaulo handle->cc = req.tp_frame_nr; 2066190225Srpaulo handle->buffer = malloc(handle->cc * sizeof(union thdr *)); 2067190225Srpaulo if (!handle->buffer) { 2068190225Srpaulo destroy_ring(handle); 2069190225Srpaulo return 0; 2070190225Srpaulo } 2071190225Srpaulo 2072190225Srpaulo /* fill the header ring with proper frame ptr*/ 2073190225Srpaulo handle->offset = 0; 2074190225Srpaulo for (i=0; i<req.tp_block_nr; ++i) { 2075190225Srpaulo void *base = &handle->bp[i*req.tp_block_size]; 2076190225Srpaulo for (j=0; j<frames_per_block; ++j, ++handle->offset) { 2077190225Srpaulo RING_GET_FRAME(handle) = base; 2078190225Srpaulo base += req.tp_frame_size; 2079190225Srpaulo } 2080190225Srpaulo } 2081190225Srpaulo 2082190225Srpaulo handle->bufsize = req.tp_frame_size; 2083190225Srpaulo handle->offset = 0; 2084190225Srpaulo return 1; 2085190225Srpaulo} 2086190225Srpaulo 2087190225Srpaulo/* free all ring related resources*/ 2088190225Srpaulostatic void 2089190225Srpaulodestroy_ring(pcap_t *handle) 2090190225Srpaulo{ 2091190225Srpaulo /* tell the kernel to destroy the ring*/ 2092190225Srpaulo struct tpacket_req req; 2093190225Srpaulo memset(&req, 0, sizeof(req)); 2094190225Srpaulo setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, 2095190225Srpaulo (void *) &req, sizeof(req)); 2096190225Srpaulo 2097190225Srpaulo /* if ring is mapped, unmap it*/ 2098190225Srpaulo if (handle->bp) { 2099190225Srpaulo /* need to re-compute the ring size */ 2100190225Srpaulo unsigned frames_per_block, block_size; 2101190225Srpaulo compute_ring_block(handle->bufsize, &block_size, &frames_per_block); 2102190225Srpaulo 2103190225Srpaulo /* do not perform sanity check here: we can't recover any error */ 2104190225Srpaulo munmap(handle->bp, block_size * handle->cc / frames_per_block); 2105190225Srpaulo handle->bp = 0; 2106190225Srpaulo } 2107190225Srpaulo} 2108190225Srpaulo 2109190225Srpaulostatic void 2110190225Srpaulopcap_cleanup_linux_mmap( pcap_t *handle ) 2111190225Srpaulo{ 2112190225Srpaulo destroy_ring(handle); 2113190225Srpaulo pcap_cleanup_linux(handle); 2114190225Srpaulo} 2115190225Srpaulo 2116190225Srpaulo 2117190225Srpaulostatic int 2118190225Srpaulopcap_getnonblock_mmap(pcap_t *p, char *errbuf) 2119190225Srpaulo{ 2120190225Srpaulo /* use negative value of timeout to indicate non blocking ops */ 2121190225Srpaulo return (p->md.timeout<0); 2122190225Srpaulo} 2123190225Srpaulo 2124190225Srpaulostatic int 2125190225Srpaulopcap_setnonblock_mmap(pcap_t *p, int nonblock, char *errbuf) 2126190225Srpaulo{ 2127190225Srpaulo /* map each value to the corresponding 2's complement, to 2128190225Srpaulo * preserve the timeout value provided with pcap_set_timeout */ 2129190225Srpaulo if (nonblock) { 2130190225Srpaulo if (p->md.timeout > 0) 2131190225Srpaulo p->md.timeout = p->md.timeout*-1 - 1; 2132190225Srpaulo } else 2133190225Srpaulo if (p->md.timeout < 0) 2134190225Srpaulo p->md.timeout = (p->md.timeout+1)*-1; 2135190225Srpaulo return 0; 2136190225Srpaulo} 2137190225Srpaulo 2138190225Srpaulostatic inline union thdr * 2139190225Srpaulopcap_get_ring_frame(pcap_t *handle, int status) 2140190225Srpaulo{ 2141190225Srpaulo union thdr h; 2142190225Srpaulo 2143190225Srpaulo h.raw = RING_GET_FRAME(handle); 2144190225Srpaulo switch (handle->md.tp_version) { 2145190225Srpaulo case TPACKET_V1: 2146190225Srpaulo if (status != (h.h1->tp_status ? TP_STATUS_USER : 2147190225Srpaulo TP_STATUS_KERNEL)) 2148190225Srpaulo return NULL; 2149190225Srpaulo break; 2150190225Srpaulo#ifdef HAVE_TPACKET2 2151190225Srpaulo case TPACKET_V2: 2152190225Srpaulo if (status != (h.h2->tp_status ? TP_STATUS_USER : 2153190225Srpaulo TP_STATUS_KERNEL)) 2154190225Srpaulo return NULL; 2155190225Srpaulo break; 2156190225Srpaulo#endif 2157190225Srpaulo } 2158190225Srpaulo return h.raw; 2159190225Srpaulo} 2160190225Srpaulo 2161190225Srpaulostatic int 2162190225Srpaulopcap_read_linux_mmap(pcap_t *handle, int max_packets, pcap_handler callback, 2163190225Srpaulo u_char *user) 2164190225Srpaulo{ 2165190225Srpaulo int pkts = 0; 2166190225Srpaulo 2167190225Srpaulo /* wait for frames availability.*/ 2168190225Srpaulo if ((handle->md.timeout >= 0) && 2169190225Srpaulo !pcap_get_ring_frame(handle, TP_STATUS_USER)) { 2170190225Srpaulo struct pollfd pollinfo; 2171190225Srpaulo int ret; 2172190225Srpaulo 2173190225Srpaulo pollinfo.fd = handle->fd; 2174190225Srpaulo pollinfo.events = POLLIN; 2175190225Srpaulo 2176190225Srpaulo do { 2177190225Srpaulo /* poll() requires a negative timeout to wait forever */ 2178190225Srpaulo ret = poll(&pollinfo, 1, (handle->md.timeout > 0)? 2179190225Srpaulo handle->md.timeout: -1); 2180190225Srpaulo if ((ret < 0) && (errno != EINTR)) { 2181190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2182190225Srpaulo "can't poll on packet socket fd %d: %d-%s", 2183190225Srpaulo handle->fd, errno, pcap_strerror(errno)); 2184190225Srpaulo return -1; 2185190225Srpaulo } 2186190225Srpaulo /* check for break loop condition on interrupted syscall*/ 2187190225Srpaulo if (handle->break_loop) { 2188190225Srpaulo handle->break_loop = 0; 2189190225Srpaulo return -2; 2190190225Srpaulo } 2191190225Srpaulo } while (ret < 0); 2192190225Srpaulo } 2193190225Srpaulo 2194190225Srpaulo /* non-positive values of max_packets are used to require all 2195190225Srpaulo * packets currently available in the ring */ 2196190225Srpaulo while ((pkts < max_packets) || (max_packets <= 0)) { 2197190225Srpaulo int run_bpf; 2198190225Srpaulo struct sockaddr_ll *sll; 2199190225Srpaulo struct pcap_pkthdr pcaphdr; 2200190225Srpaulo unsigned char *bp; 2201190225Srpaulo union thdr h; 2202190225Srpaulo unsigned int tp_len; 2203190225Srpaulo unsigned int tp_mac; 2204190225Srpaulo unsigned int tp_snaplen; 2205190225Srpaulo unsigned int tp_sec; 2206190225Srpaulo unsigned int tp_usec; 2207190225Srpaulo 2208190225Srpaulo h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 2209190225Srpaulo if (!h.raw) 2210190225Srpaulo break; 2211190225Srpaulo 2212190225Srpaulo switch (handle->md.tp_version) { 2213190225Srpaulo case TPACKET_V1: 2214190225Srpaulo tp_len = h.h1->tp_len; 2215190225Srpaulo tp_mac = h.h1->tp_mac; 2216190225Srpaulo tp_snaplen = h.h1->tp_snaplen; 2217190225Srpaulo tp_sec = h.h1->tp_sec; 2218190225Srpaulo tp_usec = h.h1->tp_usec; 2219190225Srpaulo break; 2220190225Srpaulo#ifdef HAVE_TPACKET2 2221190225Srpaulo case TPACKET_V2: 2222190225Srpaulo tp_len = h.h2->tp_len; 2223190225Srpaulo tp_mac = h.h2->tp_mac; 2224190225Srpaulo tp_snaplen = h.h2->tp_snaplen; 2225190225Srpaulo tp_sec = h.h2->tp_sec; 2226190225Srpaulo tp_usec = h.h2->tp_nsec / 1000; 2227190225Srpaulo break; 2228190225Srpaulo#endif 2229190225Srpaulo default: 2230190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2231190225Srpaulo "unsupported tpacket version %d", 2232190225Srpaulo handle->md.tp_version); 2233190225Srpaulo return -1; 2234190225Srpaulo } 2235190225Srpaulo /* perform sanity check on internal offset. */ 2236190225Srpaulo if (tp_mac + tp_snaplen > handle->bufsize) { 2237190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2238190225Srpaulo "corrupted frame on kernel ring mac " 2239190225Srpaulo "offset %d + caplen %d > frame len %d", 2240190225Srpaulo tp_mac, tp_snaplen, handle->bufsize); 2241190225Srpaulo return -1; 2242190225Srpaulo } 2243190225Srpaulo 2244190225Srpaulo /* run filter on received packet 2245190225Srpaulo * If the kernel filtering is enabled we need to run the 2246190225Srpaulo * filter until all the frames present into the ring 2247190225Srpaulo * at filter creation time are processed. 2248190225Srpaulo * In such case md.use_bpf is used as a counter for the 2249190225Srpaulo * packet we need to filter. 2250190225Srpaulo * Note: alternatively it could be possible to stop applying 2251190225Srpaulo * the filter when the ring became empty, but it can possibly 2252190225Srpaulo * happen a lot later... */ 2253190225Srpaulo bp = (unsigned char*)h.raw + tp_mac; 2254190225Srpaulo run_bpf = (!handle->md.use_bpf) || 2255190225Srpaulo ((handle->md.use_bpf>1) && handle->md.use_bpf--); 2256190225Srpaulo if (run_bpf && handle->fcode.bf_insns && 2257190225Srpaulo (bpf_filter(handle->fcode.bf_insns, bp, 2258190225Srpaulo tp_len, tp_snaplen) == 0)) 2259190225Srpaulo goto skip; 2260190225Srpaulo 2261190225Srpaulo /* check direction and interface index */ 2262190225Srpaulo sll = (void *)h.raw + TPACKET_ALIGN(handle->md.tp_hdrlen); 2263190225Srpaulo if ((sll->sll_ifindex == handle->md.lo_ifindex) && 2264190225Srpaulo (sll->sll_pkttype == PACKET_OUTGOING)) 2265190225Srpaulo goto skip; 2266190225Srpaulo 2267190225Srpaulo /* get required packet info from ring header */ 2268190225Srpaulo pcaphdr.ts.tv_sec = tp_sec; 2269190225Srpaulo pcaphdr.ts.tv_usec = tp_usec; 2270190225Srpaulo pcaphdr.caplen = tp_snaplen; 2271190225Srpaulo pcaphdr.len = tp_len; 2272190225Srpaulo 2273190225Srpaulo /* if required build in place the sll header*/ 2274190225Srpaulo if (handle->md.cooked) { 2275190225Srpaulo struct sll_header *hdrp; 2276190225Srpaulo 2277190225Srpaulo /* 2278190225Srpaulo * The kernel should have left us with enough 2279190225Srpaulo * space for an sll header; back up the packet 2280190225Srpaulo * data pointer into that space, as that'll be 2281190225Srpaulo * the beginning of the packet we pass to the 2282190225Srpaulo * callback. 2283190225Srpaulo */ 2284190225Srpaulo bp -= SLL_HDR_LEN; 2285190225Srpaulo 2286190225Srpaulo /* 2287190225Srpaulo * Let's make sure that's past the end of 2288190225Srpaulo * the tpacket header, i.e. >= 2289190225Srpaulo * ((u_char *)thdr + TPACKET_HDRLEN), so we 2290190225Srpaulo * don't step on the header when we construct 2291190225Srpaulo * the sll header. 2292190225Srpaulo */ 2293190225Srpaulo if (bp < (u_char *)h.raw + 2294190225Srpaulo TPACKET_ALIGN(handle->md.tp_hdrlen) + 2295190225Srpaulo sizeof(struct sockaddr_ll)) { 2296190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2297190225Srpaulo "cooked-mode frame doesn't have room for sll header"); 2298190225Srpaulo return -1; 2299190225Srpaulo } 2300190225Srpaulo 2301190225Srpaulo /* 2302190225Srpaulo * OK, that worked; construct the sll header. 2303190225Srpaulo */ 2304190225Srpaulo hdrp = (struct sll_header *)bp; 2305190225Srpaulo hdrp->sll_pkttype = map_packet_type_to_sll_type( 2306190225Srpaulo sll->sll_pkttype); 2307190225Srpaulo hdrp->sll_hatype = htons(sll->sll_hatype); 2308190225Srpaulo hdrp->sll_halen = htons(sll->sll_halen); 2309190225Srpaulo memcpy(hdrp->sll_addr, sll->sll_addr, SLL_ADDRLEN); 2310190225Srpaulo hdrp->sll_protocol = sll->sll_protocol; 2311190225Srpaulo 2312190225Srpaulo /* update packet len */ 2313190225Srpaulo pcaphdr.caplen += SLL_HDR_LEN; 2314190225Srpaulo pcaphdr.len += SLL_HDR_LEN; 2315190225Srpaulo } 2316190225Srpaulo 2317190225Srpaulo#ifdef HAVE_TPACKET2 2318190225Srpaulo if (handle->md.tp_version == TPACKET_V2 && h.h2->tp_vlan_tci && 2319190225Srpaulo tp_snaplen >= 2 * ETH_ALEN) { 2320190225Srpaulo struct vlan_tag *tag; 2321190225Srpaulo 2322190225Srpaulo bp -= VLAN_TAG_LEN; 2323190225Srpaulo memmove(bp, bp + VLAN_TAG_LEN, 2 * ETH_ALEN); 2324190225Srpaulo 2325190225Srpaulo tag = (struct vlan_tag *)(bp + 2 * ETH_ALEN); 2326190225Srpaulo tag->vlan_tpid = htons(ETH_P_8021Q); 2327190225Srpaulo tag->vlan_tci = htons(h.h2->tp_vlan_tci); 2328190225Srpaulo 2329190225Srpaulo pcaphdr.caplen += VLAN_TAG_LEN; 2330190225Srpaulo pcaphdr.len += VLAN_TAG_LEN; 2331190225Srpaulo } 2332190225Srpaulo#endif 2333190225Srpaulo 2334190225Srpaulo /* pass the packet to the user */ 2335190225Srpaulo pkts++; 2336190225Srpaulo callback(user, &pcaphdr, bp); 2337190225Srpaulo handle->md.packets_read++; 2338190225Srpaulo 2339190225Srpauloskip: 2340190225Srpaulo /* next packet */ 2341190225Srpaulo switch (handle->md.tp_version) { 2342190225Srpaulo case TPACKET_V1: 2343190225Srpaulo h.h1->tp_status = TP_STATUS_KERNEL; 2344190225Srpaulo break; 2345190225Srpaulo#ifdef HAVE_TPACKET2 2346190225Srpaulo case TPACKET_V2: 2347190225Srpaulo h.h2->tp_status = TP_STATUS_KERNEL; 2348190225Srpaulo break; 2349190225Srpaulo#endif 2350190225Srpaulo } 2351190225Srpaulo if (++handle->offset >= handle->cc) 2352190225Srpaulo handle->offset = 0; 2353190225Srpaulo 2354190225Srpaulo /* check for break loop condition*/ 2355190225Srpaulo if (handle->break_loop) { 2356190225Srpaulo handle->break_loop = 0; 2357190225Srpaulo return -2; 2358190225Srpaulo } 2359190225Srpaulo } 2360190225Srpaulo return pkts; 2361190225Srpaulo} 2362190225Srpaulo 2363190225Srpaulostatic int 2364190225Srpaulopcap_setfilter_linux_mmap(pcap_t *handle, struct bpf_program *filter) 2365190225Srpaulo{ 2366190225Srpaulo int n, offset; 2367190225Srpaulo int ret = pcap_setfilter_linux(handle, filter); 2368190225Srpaulo if (ret < 0) 2369190225Srpaulo return ret; 2370190225Srpaulo 2371190225Srpaulo /* if the kernel filter is enabled, we need to apply the filter on 2372190225Srpaulo * all packets present into the ring. Get an upper bound of their number 2373190225Srpaulo */ 2374190225Srpaulo if (!handle->md.use_bpf) 2375190225Srpaulo return ret; 2376190225Srpaulo 2377190225Srpaulo /* walk the ring backward and count the free slot */ 2378190225Srpaulo offset = handle->offset; 2379190225Srpaulo if (--handle->offset < 0) 2380190225Srpaulo handle->offset = handle->cc - 1; 2381190225Srpaulo for (n=0; n < handle->cc; ++n) { 2382190225Srpaulo if (--handle->offset < 0) 2383190225Srpaulo handle->offset = handle->cc - 1; 2384190225Srpaulo if (!pcap_get_ring_frame(handle, TP_STATUS_KERNEL)) 2385190225Srpaulo break; 2386190225Srpaulo } 2387190225Srpaulo 2388190225Srpaulo /* be careful to not change current ring position */ 2389190225Srpaulo handle->offset = offset; 2390190225Srpaulo 2391190225Srpaulo /* store the number of packets currently present in the ring */ 2392190225Srpaulo handle->md.use_bpf = 1 + (handle->cc - n); 2393190225Srpaulo return ret; 2394190225Srpaulo} 2395190225Srpaulo 2396190225Srpaulo#endif /* HAVE_PACKET_RING */ 2397190225Srpaulo 2398190225Srpaulo 239975107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 240075107Sfenner/* 2401127664Sbms * Return the index of the given device name. Fill ebuf and return 240275107Sfenner * -1 on failure. 240375107Sfenner */ 240475107Sfennerstatic int 240575107Sfenneriface_get_id(int fd, const char *device, char *ebuf) 240675107Sfenner{ 240775107Sfenner struct ifreq ifr; 240826175Sfenner 240939291Sfenner memset(&ifr, 0, sizeof(ifr)); 241039291Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 241175107Sfenner 241275107Sfenner if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 241375107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 2414172677Smlaier "SIOCGIFINDEX: %s", pcap_strerror(errno)); 241575107Sfenner return -1; 241626175Sfenner } 241726175Sfenner 241875107Sfenner return ifr.ifr_ifindex; 241975107Sfenner} 242026175Sfenner 242175107Sfenner/* 2422127664Sbms * Bind the socket associated with FD to the given device. 2423190225Srpaulo * Return 1 on success, 0 if we should try a SOCK_PACKET socket, 2424190225Srpaulo * or a PCAP_ERROR_ value on a hard error. 242575107Sfenner */ 242675107Sfennerstatic int 242775107Sfenneriface_bind(int fd, int ifindex, char *ebuf) 242875107Sfenner{ 242975107Sfenner struct sockaddr_ll sll; 2430127664Sbms int err; 2431127664Sbms socklen_t errlen = sizeof(err); 243275107Sfenner 243375107Sfenner memset(&sll, 0, sizeof(sll)); 243475107Sfenner sll.sll_family = AF_PACKET; 243575107Sfenner sll.sll_ifindex = ifindex; 243675107Sfenner sll.sll_protocol = htons(ETH_P_ALL); 243775107Sfenner 243875107Sfenner if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 2439190225Srpaulo if (errno == ENETDOWN) { 2440190225Srpaulo /* 2441190225Srpaulo * Return a "network down" indication, so that 2442190225Srpaulo * the application can report that rather than 2443190225Srpaulo * saying we had a mysterious failure and 2444190225Srpaulo * suggest that they report a problem to the 2445190225Srpaulo * libpcap developers. 2446190225Srpaulo */ 2447190225Srpaulo return PCAP_ERROR_IFACE_NOT_UP; 2448190225Srpaulo } else { 2449190225Srpaulo snprintf(ebuf, PCAP_ERRBUF_SIZE, 2450190225Srpaulo "bind: %s", pcap_strerror(errno)); 2451190225Srpaulo return PCAP_ERROR; 2452190225Srpaulo } 245326175Sfenner } 245426175Sfenner 2455127664Sbms /* Any pending errors, e.g., network is down? */ 2456127664Sbms 2457127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 2458127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 2459127664Sbms "getsockopt: %s", pcap_strerror(errno)); 2460190225Srpaulo return 0; 2461127664Sbms } 2462127664Sbms 2463190225Srpaulo if (err == ENETDOWN) { 2464190225Srpaulo /* 2465190225Srpaulo * Return a "network down" indication, so that 2466190225Srpaulo * the application can report that rather than 2467190225Srpaulo * saying we had a mysterious failure and 2468190225Srpaulo * suggest that they report a problem to the 2469190225Srpaulo * libpcap developers. 2470190225Srpaulo */ 2471190225Srpaulo return PCAP_ERROR_IFACE_NOT_UP; 2472190225Srpaulo } else if (err > 0) { 2473127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 2474127664Sbms "bind: %s", pcap_strerror(err)); 2475190225Srpaulo return 0; 2476127664Sbms } 2477127664Sbms 2478190225Srpaulo return 1; 247975107Sfenner} 248075107Sfenner 248175107Sfenner/* 2482190225Srpaulo * Check whether the device supports the Wireless Extensions. 2483190225Srpaulo * Returns 1 if it does, 0 if it doesn't, PCAP_ERROR_NO_SUCH_DEVICE 2484190225Srpaulo * if the device doesn't even exist. 248575107Sfenner */ 2486190225Srpaulostatic int 2487190225Srpaulohas_wext(int sock_fd, const char *device, char *ebuf) 2488190225Srpaulo{ 2489190225Srpaulo#ifdef IW_MODE_MONITOR 2490190225Srpaulo struct iwreq ireq; 249175107Sfenner 2492190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2493190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2494190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2495190225Srpaulo if (ioctl(sock_fd, SIOCGIWNAME, &ireq) >= 0) 2496190225Srpaulo return 1; /* yes */ 2497190225Srpaulo snprintf(ebuf, PCAP_ERRBUF_SIZE, 2498190225Srpaulo "%s: SIOCGIWPRIV: %s", device, pcap_strerror(errno)); 2499190225Srpaulo if (errno == ENODEV) 2500190225Srpaulo return PCAP_ERROR_NO_SUCH_DEVICE; 2501190225Srpaulo#endif 2502190225Srpaulo return 0; 2503190225Srpaulo} 2504190225Srpaulo 250575107Sfenner/* 2506190225Srpaulo * Per me si va ne la citta dolente, 2507190225Srpaulo * Per me si va ne l'etterno dolore, 2508190225Srpaulo * ... 2509190225Srpaulo * Lasciate ogne speranza, voi ch'intrate. 2510190225Srpaulo * 2511190225Srpaulo * XXX - airmon-ng does special stuff with the Orinoco driver and the 2512190225Srpaulo * wlan-ng driver. 251375107Sfenner */ 2514190225Srpaulotypedef enum { 2515190225Srpaulo MONITOR_WEXT, 2516190225Srpaulo MONITOR_HOSTAP, 2517190225Srpaulo MONITOR_PRISM, 2518190225Srpaulo MONITOR_PRISM54, 2519190225Srpaulo MONITOR_ACX100, 2520190225Srpaulo MONITOR_RT2500, 2521190225Srpaulo MONITOR_RT2570, 2522190225Srpaulo MONITOR_RT73, 2523190225Srpaulo MONITOR_RTL8XXX 2524190225Srpaulo} monitor_type; 252575107Sfenner 252675107Sfenner/* 2527190225Srpaulo * Use the Wireless Extensions, if we have them, to try to turn monitor mode 2528190225Srpaulo * on if it's not already on. 2529190225Srpaulo * 2530190225Srpaulo * Returns 1 on success, 0 if we don't support the Wireless Extensions 2531190225Srpaulo * on this device, or a PCAP_ERROR_ value if we do support them but 2532190225Srpaulo * we weren't able to turn monitor mode on. 253375107Sfenner */ 2534190225Srpaulostatic int 2535190225Srpauloenter_rfmon_mode_wext(pcap_t *handle, int sock_fd, const char *device) 253675107Sfenner{ 2537190225Srpaulo#ifdef IW_MODE_MONITOR 2538190225Srpaulo /* 2539190225Srpaulo * XXX - at least some adapters require non-Wireless Extensions 2540190225Srpaulo * mechanisms to turn monitor mode on. 2541190225Srpaulo * 2542190225Srpaulo * Atheros cards might require that a separate "monitor virtual access 2543190225Srpaulo * point" be created, with later versions of the madwifi driver. 2544190225Srpaulo * airmon-ng does "wlanconfig ath create wlandev {if} wlanmode 2545190225Srpaulo * monitor -bssid", which apparently spits out a line "athN" 2546190225Srpaulo * where "athN" is the monitor mode device. To leave monitor 2547190225Srpaulo * mode, it destroys the monitor mode device. 2548190225Srpaulo * 2549190225Srpaulo * Some Intel Centrino adapters might require private ioctls to get 2550190225Srpaulo * radio headers; the ipw2200 and ipw3945 drivers allow you to 2551190225Srpaulo * configure a separate "rtapN" interface to capture in monitor 2552190225Srpaulo * mode without preventing the adapter from operating normally. 2553190225Srpaulo * (airmon-ng doesn't appear to use that, though.) 2554190225Srpaulo * 2555190225Srpaulo * It would be Truly Wonderful if mac80211 and nl80211 cleaned this 2556190225Srpaulo * up, and if all drivers were converted to mac80211 drivers. 2557190225Srpaulo * 2558190225Srpaulo * If interface {if} is a mac80211 driver, the file 2559190225Srpaulo * /sys/class/net/{if}/phy80211 is a symlink to 2560190225Srpaulo * /sys/class/ieee80211/{phydev}, for some {phydev}. 2561190225Srpaulo * 2562190225Srpaulo * On Fedora 9, with a 2.6.26.3-29 kernel, my Zydas stick, at 2563190225Srpaulo * least, has a "wmaster0" device and a "wlan0" device; the 2564190225Srpaulo * latter is the one with the IP address. Both show up in 2565190225Srpaulo * "tcpdump -D" output. Capturing on the wmaster0 device 2566190225Srpaulo * captures with 802.11 headers. 2567190225Srpaulo * 2568190225Srpaulo * airmon-ng searches through /sys/class/net for devices named 2569190225Srpaulo * monN, starting with mon0; as soon as one *doesn't* exist, 2570190225Srpaulo * it chooses that as the monitor device name. If the "iw" 2571190225Srpaulo * command exists, it does "iw dev {if} interface add {monif} 2572190225Srpaulo * type monitor", where {monif} is the monitor device. It 2573190225Srpaulo * then (sigh) sleeps .1 second, and then configures the 2574190225Srpaulo * device up. Otherwise, if /sys/class/ieee80211/{phydev}/add_iface 2575190225Srpaulo * is a file, it writes {mondev}, without a newline, to that file, 2576190225Srpaulo * and again (sigh) sleeps .1 second, and then iwconfig's that 2577190225Srpaulo * device into monitor mode and configures it up. Otherwise, 2578190225Srpaulo * you can't do monitor mode. 2579190225Srpaulo * 2580190225Srpaulo * All these devices are "glued" together by having the 2581190225Srpaulo * /sys/class/net/{device}/phy80211 links pointing to the same 2582190225Srpaulo * place, so, given a wmaster, wlan, or mon device, you can 2583190225Srpaulo * find the other devices by looking for devices with 2584190225Srpaulo * the same phy80211 link. 2585190225Srpaulo * 2586190225Srpaulo * To turn monitor mode off, delete the monitor interface, 2587190225Srpaulo * either with "iw dev {monif} interface del" or by sending 2588190225Srpaulo * {monif}, with no NL, down /sys/class/ieee80211/{phydev}/remove_iface 2589190225Srpaulo * 2590190225Srpaulo * Note: if you try to create a monitor device named "monN", and 2591190225Srpaulo * there's already a "monN" device, it fails, as least with 2592190225Srpaulo * the netlink interface (which is what iw uses), with a return 2593190225Srpaulo * value of -ENFILE. (Return values are negative errnos.) We 2594190225Srpaulo * could probably use that to find an unused device. 2595190225Srpaulo */ 2596190225Srpaulo int err; 2597190225Srpaulo struct iwreq ireq; 2598190225Srpaulo struct iw_priv_args *priv; 2599190225Srpaulo monitor_type montype; 2600190225Srpaulo int i; 2601190225Srpaulo __u32 cmd; 2602190225Srpaulo int args[2]; 2603190225Srpaulo int channel; 260475107Sfenner 2605190225Srpaulo /* 2606190225Srpaulo * Does this device *support* the Wireless Extensions? 2607190225Srpaulo */ 2608190225Srpaulo err = has_wext(sock_fd, device, handle->errbuf); 2609190225Srpaulo if (err <= 0) 2610190225Srpaulo return err; /* either it doesn't or the device doesn't even exist */ 2611190225Srpaulo /* 2612190225Srpaulo * Try to get all the Wireless Extensions private ioctls 2613190225Srpaulo * supported by this device. 2614190225Srpaulo * 2615190225Srpaulo * First, get the size of the buffer we need, by supplying no 2616190225Srpaulo * buffer and a length of 0. If the device supports private 2617190225Srpaulo * ioctls, it should return E2BIG, with ireq.u.data.length set 2618190225Srpaulo * to the length we need. If it doesn't support them, it should 2619190225Srpaulo * return EOPNOTSUPP. 2620190225Srpaulo */ 2621190225Srpaulo memset(&ireq, 0, sizeof ireq); 2622190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2623190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2624190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2625190225Srpaulo ireq.u.data.pointer = args; 2626190225Srpaulo ireq.u.data.length = 0; 2627190225Srpaulo ireq.u.data.flags = 0; 2628190225Srpaulo if (ioctl(sock_fd, SIOCGIWPRIV, &ireq) != -1) { 2629190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2630190225Srpaulo "%s: SIOCGIWPRIV with a zero-length buffer didn't fail!", 2631190225Srpaulo device); 2632190225Srpaulo return PCAP_ERROR; 2633190225Srpaulo } 2634190225Srpaulo if (errno == EOPNOTSUPP) { 2635190225Srpaulo /* 2636190225Srpaulo * No private ioctls, so we assume that there's only one 2637190225Srpaulo * DLT_ for monitor mode. 2638190225Srpaulo */ 2639190225Srpaulo return 0; 2640190225Srpaulo } 2641190225Srpaulo if (errno != E2BIG) { 2642190225Srpaulo /* 2643190225Srpaulo * Failed. 2644190225Srpaulo */ 2645190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2646190225Srpaulo "%s: SIOCGIWPRIV: %s", device, pcap_strerror(errno)); 2647190225Srpaulo return PCAP_ERROR; 2648190225Srpaulo } 2649190225Srpaulo priv = malloc(ireq.u.data.length * sizeof (struct iw_priv_args)); 2650190225Srpaulo if (priv == NULL) { 2651190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2652190225Srpaulo "malloc: %s", pcap_strerror(errno)); 2653190225Srpaulo return PCAP_ERROR; 2654190225Srpaulo } 2655190225Srpaulo ireq.u.data.pointer = priv; 2656190225Srpaulo if (ioctl(sock_fd, SIOCGIWPRIV, &ireq) == -1) { 2657190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2658190225Srpaulo "%s: SIOCGIWPRIV: %s", device, pcap_strerror(errno)); 2659190225Srpaulo free(priv); 2660190225Srpaulo return PCAP_ERROR; 2661190225Srpaulo } 266275107Sfenner 2663190225Srpaulo /* 2664190225Srpaulo * Look for private ioctls to turn monitor mode on or, if 2665190225Srpaulo * monitor mode is on, to set the header type. 2666190225Srpaulo */ 2667190225Srpaulo montype = MONITOR_WEXT; 2668190225Srpaulo cmd = 0; 2669190225Srpaulo for (i = 0; i < ireq.u.data.length; i++) { 2670190225Srpaulo if (strcmp(priv[i].name, "monitor_type") == 0) { 2671190225Srpaulo /* 2672190225Srpaulo * Hostap driver, use this one. 2673190225Srpaulo * Set monitor mode first. 2674190225Srpaulo * You can set it to 0 to get DLT_IEEE80211, 2675190225Srpaulo * 1 to get DLT_PRISM, or 2 to get 2676190225Srpaulo * DLT_IEEE80211_RADIO_AVS. 2677190225Srpaulo */ 2678190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2679190225Srpaulo break; 2680190225Srpaulo if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2681190225Srpaulo break; 2682190225Srpaulo if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2683190225Srpaulo break; 2684190225Srpaulo montype = MONITOR_HOSTAP; 2685190225Srpaulo cmd = priv[i].cmd; 2686190225Srpaulo break; 2687190225Srpaulo } 2688190225Srpaulo if (strcmp(priv[i].name, "set_prismhdr") == 0) { 2689190225Srpaulo /* 2690190225Srpaulo * Prism54 driver, use this one. 2691190225Srpaulo * Set monitor mode first. 2692190225Srpaulo * You can set it to 2 to get DLT_IEEE80211 2693190225Srpaulo * or 3 or get DLT_PRISM. 2694190225Srpaulo */ 2695190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2696190225Srpaulo break; 2697190225Srpaulo if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2698190225Srpaulo break; 2699190225Srpaulo if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2700190225Srpaulo break; 2701190225Srpaulo montype = MONITOR_PRISM54; 2702190225Srpaulo cmd = priv[i].cmd; 2703190225Srpaulo break; 2704190225Srpaulo } 2705190225Srpaulo if (strcmp(priv[i].name, "forceprismheader") == 0) { 2706190225Srpaulo /* 2707190225Srpaulo * RT2570 driver, use this one. 2708190225Srpaulo * Do this after turning monitor mode on. 2709190225Srpaulo * You can set it to 1 to get DLT_PRISM or 2 2710190225Srpaulo * to get DLT_IEEE80211. 2711190225Srpaulo */ 2712190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2713190225Srpaulo break; 2714190225Srpaulo if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2715190225Srpaulo break; 2716190225Srpaulo if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2717190225Srpaulo break; 2718190225Srpaulo montype = MONITOR_RT2570; 2719190225Srpaulo cmd = priv[i].cmd; 2720190225Srpaulo break; 2721190225Srpaulo } 2722190225Srpaulo if (strcmp(priv[i].name, "forceprism") == 0) { 2723190225Srpaulo /* 2724190225Srpaulo * RT73 driver, use this one. 2725190225Srpaulo * Do this after turning monitor mode on. 2726190225Srpaulo * Its argument is a *string*; you can 2727190225Srpaulo * set it to "1" to get DLT_PRISM or "2" 2728190225Srpaulo * to get DLT_IEEE80211. 2729190225Srpaulo */ 2730190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_CHAR) 2731190225Srpaulo break; 2732190225Srpaulo if (priv[i].set_args & IW_PRIV_SIZE_FIXED) 2733190225Srpaulo break; 2734190225Srpaulo montype = MONITOR_RT73; 2735190225Srpaulo cmd = priv[i].cmd; 2736190225Srpaulo break; 2737190225Srpaulo } 2738190225Srpaulo if (strcmp(priv[i].name, "prismhdr") == 0) { 2739190225Srpaulo /* 2740190225Srpaulo * One of the RTL8xxx drivers, use this one. 2741190225Srpaulo * It can only be done after monitor mode 2742190225Srpaulo * has been turned on. You can set it to 1 2743190225Srpaulo * to get DLT_PRISM or 0 to get DLT_IEEE80211. 2744190225Srpaulo */ 2745190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2746190225Srpaulo break; 2747190225Srpaulo if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2748190225Srpaulo break; 2749190225Srpaulo if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2750190225Srpaulo break; 2751190225Srpaulo montype = MONITOR_RTL8XXX; 2752190225Srpaulo cmd = priv[i].cmd; 2753190225Srpaulo break; 2754190225Srpaulo } 2755190225Srpaulo if (strcmp(priv[i].name, "rfmontx") == 0) { 2756190225Srpaulo /* 2757190225Srpaulo * RT2500 or RT61 driver, use this one. 2758190225Srpaulo * It has one one-byte parameter; set 2759190225Srpaulo * u.data.length to 1 and u.data.pointer to 2760190225Srpaulo * point to the parameter. 2761190225Srpaulo * It doesn't itself turn monitor mode on. 2762190225Srpaulo * You can set it to 1 to allow transmitting 2763190225Srpaulo * in monitor mode(?) and get DLT_IEEE80211, 2764190225Srpaulo * or set it to 0 to disallow transmitting in 2765190225Srpaulo * monitor mode(?) and get DLT_PRISM. 2766190225Srpaulo */ 2767190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2768190225Srpaulo break; 2769190225Srpaulo if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 2) 2770190225Srpaulo break; 2771190225Srpaulo montype = MONITOR_RT2500; 2772190225Srpaulo cmd = priv[i].cmd; 2773190225Srpaulo break; 2774190225Srpaulo } 2775190225Srpaulo if (strcmp(priv[i].name, "monitor") == 0) { 2776190225Srpaulo /* 2777190225Srpaulo * Either ACX100 or hostap, use this one. 2778190225Srpaulo * It turns monitor mode on. 2779190225Srpaulo * If it takes two arguments, it's ACX100; 2780190225Srpaulo * the first argument is 1 for DLT_PRISM 2781190225Srpaulo * or 2 for DLT_IEEE80211, and the second 2782190225Srpaulo * argument is the channel on which to 2783190225Srpaulo * run. If it takes one argument, it's 2784190225Srpaulo * HostAP, and the argument is 2 for 2785190225Srpaulo * DLT_IEEE80211 and 3 for DLT_PRISM. 2786190225Srpaulo * 2787190225Srpaulo * If we see this, we don't quit, as this 2788190225Srpaulo * might be a version of the hostap driver 2789190225Srpaulo * that also supports "monitor_type". 2790190225Srpaulo */ 2791190225Srpaulo if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2792190225Srpaulo break; 2793190225Srpaulo if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2794190225Srpaulo break; 2795190225Srpaulo switch (priv[i].set_args & IW_PRIV_SIZE_MASK) { 279675107Sfenner 2797190225Srpaulo case 1: 2798190225Srpaulo montype = MONITOR_PRISM; 2799190225Srpaulo cmd = priv[i].cmd; 2800190225Srpaulo break; 2801190225Srpaulo 2802190225Srpaulo case 2: 2803190225Srpaulo montype = MONITOR_ACX100; 2804190225Srpaulo cmd = priv[i].cmd; 2805190225Srpaulo break; 2806190225Srpaulo 2807190225Srpaulo default: 2808190225Srpaulo break; 2809190225Srpaulo } 2810190225Srpaulo } 2811190225Srpaulo } 2812190225Srpaulo free(priv); 2813190225Srpaulo 2814190225Srpaulo /* 2815190225Srpaulo * XXX - ipw3945? islism? 2816190225Srpaulo */ 2817190225Srpaulo 2818190225Srpaulo /* 2819190225Srpaulo * Get the old mode. 2820190225Srpaulo */ 2821190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2822190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2823190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2824190225Srpaulo if (ioctl(sock_fd, SIOCGIWMODE, &ireq) == -1) { 282575107Sfenner /* 2826190225Srpaulo * We probably won't be able to set the mode, either. 2827190225Srpaulo */ 2828190225Srpaulo return PCAP_ERROR_RFMON_NOTSUP; 2829190225Srpaulo } 2830190225Srpaulo 2831190225Srpaulo /* 2832190225Srpaulo * Is it currently in monitor mode? 2833190225Srpaulo */ 2834190225Srpaulo if (ireq.u.mode == IW_MODE_MONITOR) { 2835190225Srpaulo /* 2836190225Srpaulo * Yes. Just leave things as they are. 2837190225Srpaulo * We don't offer multiple link-layer types, as 2838190225Srpaulo * changing the link-layer type out from under 2839190225Srpaulo * somebody else capturing in monitor mode would 2840190225Srpaulo * be considered rude. 2841190225Srpaulo */ 2842190225Srpaulo return 1; 2843190225Srpaulo } 2844190225Srpaulo /* 2845190225Srpaulo * No. We have to put the adapter into rfmon mode. 2846190225Srpaulo */ 2847190225Srpaulo 2848190225Srpaulo /* 2849190225Srpaulo * If we haven't already done so, arrange to have 2850190225Srpaulo * "pcap_close_all()" called when we exit. 2851190225Srpaulo */ 2852190225Srpaulo if (!pcap_do_addexit(handle)) { 2853190225Srpaulo /* 2854190225Srpaulo * "atexit()" failed; don't put the interface 2855190225Srpaulo * in rfmon mode, just give up. 2856190225Srpaulo */ 2857190225Srpaulo return PCAP_ERROR_RFMON_NOTSUP; 2858190225Srpaulo } 2859190225Srpaulo 2860190225Srpaulo /* 2861190225Srpaulo * Save the old mode. 2862190225Srpaulo */ 2863190225Srpaulo handle->md.oldmode = ireq.u.mode; 2864190225Srpaulo 2865190225Srpaulo /* 2866190225Srpaulo * Put the adapter in rfmon mode. How we do this depends 2867190225Srpaulo * on whether we have a special private ioctl or not. 2868190225Srpaulo */ 2869190225Srpaulo if (montype == MONITOR_PRISM) { 2870190225Srpaulo /* 2871190225Srpaulo * We have the "monitor" private ioctl, but none of 2872190225Srpaulo * the other private ioctls. Use this, and select 2873190225Srpaulo * the Prism header. 287475107Sfenner * 2875190225Srpaulo * If it fails, just fall back on SIOCSIWMODE. 287675107Sfenner */ 2877190225Srpaulo memset(&ireq, 0, sizeof ireq); 2878190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2879190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2880190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2881190225Srpaulo ireq.u.data.length = 1; /* 1 argument */ 2882190225Srpaulo args[0] = 3; /* request Prism header */ 2883190225Srpaulo memcpy(ireq.u.name, args, IFNAMSIZ); 2884190225Srpaulo if (ioctl(sock_fd, cmd, &ireq) != -1) { 2885190225Srpaulo /* 2886190225Srpaulo * Success. 2887190225Srpaulo * Note that we have to put the old mode back 2888190225Srpaulo * when we close the device. 2889190225Srpaulo */ 2890190225Srpaulo handle->md.must_clear |= MUST_CLEAR_RFMON; 2891190225Srpaulo 2892190225Srpaulo /* 2893190225Srpaulo * Add this to the list of pcaps to close 2894190225Srpaulo * when we exit. 2895190225Srpaulo */ 2896190225Srpaulo pcap_add_to_pcaps_to_close(handle); 2897190225Srpaulo 2898190225Srpaulo return 1; 289926175Sfenner } 290075107Sfenner 290175107Sfenner /* 2902190225Srpaulo * Failure. Fall back on SIOCSIWMODE. 290375107Sfenner */ 2904190225Srpaulo } 2905190225Srpaulo 2906190225Srpaulo /* 2907190225Srpaulo * First, turn monitor mode on. 2908190225Srpaulo */ 2909190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2910190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2911190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2912190225Srpaulo ireq.u.mode = IW_MODE_MONITOR; 2913190225Srpaulo if (ioctl(sock_fd, SIOCSIWMODE, &ireq) == -1) { 2914190225Srpaulo /* 2915190225Srpaulo * Scientist, you've failed. 2916190225Srpaulo */ 2917190225Srpaulo return PCAP_ERROR_RFMON_NOTSUP; 2918190225Srpaulo } 2919190225Srpaulo 2920190225Srpaulo /* 2921190225Srpaulo * XXX - airmon-ng does "iwconfig {if} key off" after setting 2922190225Srpaulo * monitor mode and setting the channel, and then does 2923190225Srpaulo * "iwconfig up". 2924190225Srpaulo */ 2925190225Srpaulo 2926190225Srpaulo /* 2927190225Srpaulo * Now select the appropriate radio header. 2928190225Srpaulo */ 2929190225Srpaulo switch (montype) { 2930190225Srpaulo 2931190225Srpaulo case MONITOR_WEXT: 2932190225Srpaulo /* 2933190225Srpaulo * We don't have any private ioctl to set the header. 2934190225Srpaulo */ 2935190225Srpaulo break; 2936190225Srpaulo 2937190225Srpaulo case MONITOR_HOSTAP: 2938190225Srpaulo /* 2939190225Srpaulo * Select the AVS header if we can, otherwise 2940190225Srpaulo * select the Prism header. 2941190225Srpaulo */ 2942190225Srpaulo memset(&ireq, 0, sizeof ireq); 2943190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2944190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2945190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2946190225Srpaulo args[0] = 2; /* request AVS header */ 2947190225Srpaulo memcpy(ireq.u.name, args, sizeof (int)); 2948190225Srpaulo if (ioctl(sock_fd, cmd, &ireq) == -1) { 2949190225Srpaulo /* 2950190225Srpaulo * Failure - try the Prism header. 2951190225Srpaulo */ 2952190225Srpaulo memset(&ireq, 0, sizeof ireq); 2953190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2954190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2955190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2956190225Srpaulo args[0] = 1; /* request Prism header */ 2957190225Srpaulo memcpy(ireq.u.name, args, sizeof (int)); 2958190225Srpaulo ioctl(sock_fd, cmd, &ireq); 295926175Sfenner } 2960190225Srpaulo break; 2961190225Srpaulo 2962190225Srpaulo case MONITOR_PRISM: 2963190225Srpaulo /* 2964190225Srpaulo * The private ioctl failed. 2965190225Srpaulo */ 2966190225Srpaulo break; 2967190225Srpaulo 2968190225Srpaulo case MONITOR_PRISM54: 2969190225Srpaulo /* 2970190225Srpaulo * Select the Prism header. 2971190225Srpaulo */ 2972190225Srpaulo memset(&ireq, 0, sizeof ireq); 2973190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2974190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2975190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2976190225Srpaulo args[0] = 3; /* request Prism header */ 2977190225Srpaulo memcpy(ireq.u.name, args, sizeof (int)); 2978190225Srpaulo ioctl(sock_fd, cmd, &ireq); 2979190225Srpaulo break; 2980190225Srpaulo 2981190225Srpaulo case MONITOR_ACX100: 2982190225Srpaulo /* 2983190225Srpaulo * Get the current channel. 2984190225Srpaulo */ 2985190225Srpaulo memset(&ireq, 0, sizeof ireq); 2986190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 2987190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 2988190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2989190225Srpaulo if (ioctl(sock_fd, SIOCGIWFREQ, &ireq) == -1) { 2990190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2991190225Srpaulo "%s: SIOCGIWFREQ: %s", device, 2992190225Srpaulo pcap_strerror(errno)); 2993190225Srpaulo return PCAP_ERROR; 2994190225Srpaulo } 2995190225Srpaulo channel = ireq.u.freq.m; 2996190225Srpaulo 2997190225Srpaulo /* 2998190225Srpaulo * Select the Prism header, and set the channel to the 2999190225Srpaulo * current value. 3000190225Srpaulo */ 3001190225Srpaulo memset(&ireq, 0, sizeof ireq); 3002190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 3003190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 3004190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3005190225Srpaulo args[0] = 1; /* request Prism header */ 3006190225Srpaulo args[1] = channel; /* set channel */ 3007190225Srpaulo memcpy(ireq.u.name, args, 2*sizeof (int)); 3008190225Srpaulo ioctl(sock_fd, cmd, &ireq); 3009190225Srpaulo break; 3010190225Srpaulo 3011190225Srpaulo case MONITOR_RT2500: 3012190225Srpaulo /* 3013190225Srpaulo * Disallow transmission - that turns on the 3014190225Srpaulo * Prism header. 3015190225Srpaulo */ 3016190225Srpaulo memset(&ireq, 0, sizeof ireq); 3017190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 3018190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 3019190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3020190225Srpaulo args[0] = 0; /* disallow transmitting */ 3021190225Srpaulo memcpy(ireq.u.name, args, sizeof (int)); 3022190225Srpaulo ioctl(sock_fd, cmd, &ireq); 3023190225Srpaulo break; 3024190225Srpaulo 3025190225Srpaulo case MONITOR_RT2570: 3026190225Srpaulo /* 3027190225Srpaulo * Force the Prism header. 3028190225Srpaulo */ 3029190225Srpaulo memset(&ireq, 0, sizeof ireq); 3030190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 3031190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 3032190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3033190225Srpaulo args[0] = 1; /* request Prism header */ 3034190225Srpaulo memcpy(ireq.u.name, args, sizeof (int)); 3035190225Srpaulo ioctl(sock_fd, cmd, &ireq); 3036190225Srpaulo break; 3037190225Srpaulo 3038190225Srpaulo case MONITOR_RT73: 3039190225Srpaulo /* 3040190225Srpaulo * Force the Prism header. 3041190225Srpaulo */ 3042190225Srpaulo memset(&ireq, 0, sizeof ireq); 3043190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 3044190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 3045190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3046190225Srpaulo ireq.u.data.length = 1; /* 1 argument */ 3047190225Srpaulo ireq.u.data.pointer = "1"; 3048190225Srpaulo ireq.u.data.flags = 0; 3049190225Srpaulo ioctl(sock_fd, cmd, &ireq); 3050190225Srpaulo break; 3051190225Srpaulo 3052190225Srpaulo case MONITOR_RTL8XXX: 3053190225Srpaulo /* 3054190225Srpaulo * Force the Prism header. 3055190225Srpaulo */ 3056190225Srpaulo memset(&ireq, 0, sizeof ireq); 3057190225Srpaulo strncpy(ireq.ifr_ifrn.ifrn_name, device, 3058190225Srpaulo sizeof ireq.ifr_ifrn.ifrn_name); 3059190225Srpaulo ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3060190225Srpaulo args[0] = 1; /* request Prism header */ 3061190225Srpaulo memcpy(ireq.u.name, args, sizeof (int)); 3062190225Srpaulo ioctl(sock_fd, cmd, &ireq); 3063190225Srpaulo break; 306426175Sfenner } 3065127664Sbms 3066190225Srpaulo /* 3067190225Srpaulo * Note that we have to put the old mode back when we 3068190225Srpaulo * close the device. 3069190225Srpaulo */ 3070190225Srpaulo handle->md.must_clear |= MUST_CLEAR_RFMON; 3071190225Srpaulo 3072190225Srpaulo /* 3073190225Srpaulo * Add this to the list of pcaps to close when we exit. 3074190225Srpaulo */ 3075190225Srpaulo pcap_add_to_pcaps_to_close(handle); 3076190225Srpaulo 3077190225Srpaulo return 1; 3078190225Srpaulo#else 3079190225Srpaulo /* 3080190225Srpaulo * We don't have the Wireless Extensions available, so we can't 3081190225Srpaulo * do monitor mode. 3082190225Srpaulo */ 3083190225Srpaulo return 0; 3084190225Srpaulo#endif 308575107Sfenner} 308626175Sfenner 3087190225Srpaulo#endif /* HAVE_PF_PACKET_SOCKETS */ 3088190225Srpaulo 3089190225Srpaulo/* ===== Functions to interface to the older kernels ================== */ 3090190225Srpaulo 309175107Sfenner/* 3092190225Srpaulo * Try to open a packet socket using the old kernel interface. 3093190225Srpaulo * Returns 1 on success and a PCAP_ERROR_ value on an error. 309475107Sfenner */ 309575107Sfennerstatic int 3096190225Srpauloactivate_old(pcap_t *handle) 309775107Sfenner{ 3098127664Sbms int arptype; 309975107Sfenner struct ifreq ifr; 3100190225Srpaulo const char *device = handle->opt.source; 3101190225Srpaulo struct utsname utsname; 3102190225Srpaulo int mtu; 310375107Sfenner 3104190225Srpaulo /* Open the socket */ 310575107Sfenner 3106190225Srpaulo handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 3107190225Srpaulo if (handle->fd == -1) { 3108190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3109190225Srpaulo "socket: %s", pcap_strerror(errno)); 3110190225Srpaulo return PCAP_ERROR_PERM_DENIED; 3111190225Srpaulo } 311275107Sfenner 3113190225Srpaulo /* It worked - we are using the old interface */ 3114190225Srpaulo handle->md.sock_packet = 1; 311575107Sfenner 3116190225Srpaulo /* ...which means we get the link-layer header. */ 3117190225Srpaulo handle->md.cooked = 0; 311875107Sfenner 3119190225Srpaulo /* Bind to the given device */ 312075107Sfenner 3121190225Srpaulo if (!device) { 3122190225Srpaulo strncpy(handle->errbuf, "pcap_activate: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 3123190225Srpaulo PCAP_ERRBUF_SIZE); 3124190225Srpaulo return PCAP_ERROR; 3125190225Srpaulo } 3126190225Srpaulo if (iface_bind_old(handle->fd, device, handle->errbuf) == -1) 3127190225Srpaulo return PCAP_ERROR; 312875107Sfenner 3129190225Srpaulo /* 3130190225Srpaulo * Try to get the link-layer type. 3131190225Srpaulo */ 3132190225Srpaulo arptype = iface_get_arptype(handle->fd, device, handle->errbuf); 3133190225Srpaulo if (arptype < 0) 3134190225Srpaulo return PCAP_ERROR; 3135127664Sbms 3136190225Srpaulo /* 3137190225Srpaulo * Try to find the DLT_ type corresponding to that 3138190225Srpaulo * link-layer type. 3139190225Srpaulo */ 3140190225Srpaulo map_arphrd_to_dlt(handle, arptype, 0); 3141190225Srpaulo if (handle->linktype == -1) { 3142190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3143190225Srpaulo "unknown arptype %d", arptype); 3144190225Srpaulo return PCAP_ERROR; 3145190225Srpaulo } 3146127664Sbms 3147190225Srpaulo /* Go to promisc mode if requested */ 3148127664Sbms 3149190225Srpaulo if (handle->opt.promisc) { 3150190225Srpaulo memset(&ifr, 0, sizeof(ifr)); 3151190225Srpaulo strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 3152190225Srpaulo if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 3153190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3154190225Srpaulo "SIOCGIFFLAGS: %s", pcap_strerror(errno)); 3155190225Srpaulo return PCAP_ERROR; 3156190225Srpaulo } 3157190225Srpaulo if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 3158190225Srpaulo /* 3159190225Srpaulo * Promiscuous mode isn't currently on, 3160190225Srpaulo * so turn it on, and remember that 3161190225Srpaulo * we should turn it off when the 3162190225Srpaulo * pcap_t is closed. 3163190225Srpaulo */ 316475107Sfenner 3165190225Srpaulo /* 3166190225Srpaulo * If we haven't already done so, arrange 3167190225Srpaulo * to have "pcap_close_all()" called when 3168190225Srpaulo * we exit. 3169190225Srpaulo */ 3170190225Srpaulo if (!pcap_do_addexit(handle)) { 317175107Sfenner /* 3172190225Srpaulo * "atexit()" failed; don't put 3173190225Srpaulo * the interface in promiscuous 3174190225Srpaulo * mode, just give up. 317575107Sfenner */ 3176190225Srpaulo return PCAP_ERROR; 3177190225Srpaulo } 317875107Sfenner 3179190225Srpaulo ifr.ifr_flags |= IFF_PROMISC; 3180190225Srpaulo if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 3181190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3182190225Srpaulo "SIOCSIFFLAGS: %s", 3183190225Srpaulo pcap_strerror(errno)); 3184190225Srpaulo return PCAP_ERROR; 3185190225Srpaulo } 3186190225Srpaulo handle->md.must_clear |= MUST_CLEAR_PROMISC; 318775107Sfenner 3188190225Srpaulo /* 3189190225Srpaulo * Add this to the list of pcaps 3190190225Srpaulo * to close when we exit. 3191190225Srpaulo */ 3192190225Srpaulo pcap_add_to_pcaps_to_close(handle); 319375107Sfenner } 3194190225Srpaulo } 319575107Sfenner 3196190225Srpaulo /* 3197190225Srpaulo * Compute the buffer size. 3198190225Srpaulo * 3199190225Srpaulo * We're using SOCK_PACKET, so this might be a 2.0[.x] 3200190225Srpaulo * kernel, and might require special handling - check. 3201190225Srpaulo */ 3202190225Srpaulo if (uname(&utsname) < 0 || 3203190225Srpaulo strncmp(utsname.release, "2.0", 3) == 0) { 320498530Sfenner /* 3205190225Srpaulo * Either we couldn't find out what kernel release 3206190225Srpaulo * this is, or it's a 2.0[.x] kernel. 3207190225Srpaulo * 3208190225Srpaulo * In the 2.0[.x] kernel, a "recvfrom()" on 3209190225Srpaulo * a SOCK_PACKET socket, with MSG_TRUNC set, will 3210190225Srpaulo * return the number of bytes read, so if we pass 3211190225Srpaulo * a length based on the snapshot length, it'll 3212190225Srpaulo * return the number of bytes from the packet 3213190225Srpaulo * copied to userland, not the actual length 3214190225Srpaulo * of the packet. 3215190225Srpaulo * 3216190225Srpaulo * This means that, for example, the IP dissector 3217190225Srpaulo * in tcpdump will get handed a packet length less 3218190225Srpaulo * than the length in the IP header, and will 3219190225Srpaulo * complain about "truncated-ip". 3220190225Srpaulo * 3221190225Srpaulo * So we don't bother trying to copy from the 3222190225Srpaulo * kernel only the bytes in which we're interested, 3223190225Srpaulo * but instead copy them all, just as the older 3224190225Srpaulo * versions of libpcap for Linux did. 3225190225Srpaulo * 3226190225Srpaulo * The buffer therefore needs to be big enough to 3227190225Srpaulo * hold the largest packet we can get from this 3228190225Srpaulo * device. Unfortunately, we can't get the MRU 3229190225Srpaulo * of the network; we can only get the MTU. The 3230190225Srpaulo * MTU may be too small, in which case a packet larger 3231190225Srpaulo * than the buffer size will be truncated *and* we 3232190225Srpaulo * won't get the actual packet size. 3233190225Srpaulo * 3234190225Srpaulo * However, if the snapshot length is larger than 3235190225Srpaulo * the buffer size based on the MTU, we use the 3236190225Srpaulo * snapshot length as the buffer size, instead; 3237190225Srpaulo * this means that with a sufficiently large snapshot 3238190225Srpaulo * length we won't artificially truncate packets 3239190225Srpaulo * to the MTU-based size. 3240190225Srpaulo * 3241190225Srpaulo * This mess just one of many problems with packet 3242190225Srpaulo * capture on 2.0[.x] kernels; you really want a 3243190225Srpaulo * 2.2[.x] or later kernel if you want packet capture 3244190225Srpaulo * to work well. 324598530Sfenner */ 3246190225Srpaulo mtu = iface_get_mtu(handle->fd, device, handle->errbuf); 3247190225Srpaulo if (mtu == -1) 3248190225Srpaulo return PCAP_ERROR; 3249190225Srpaulo handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 3250190225Srpaulo if (handle->bufsize < handle->snapshot) 3251190225Srpaulo handle->bufsize = handle->snapshot; 3252190225Srpaulo } else { 3253190225Srpaulo /* 3254190225Srpaulo * This is a 2.2[.x] or later kernel. 3255190225Srpaulo * 3256190225Srpaulo * We can safely pass "recvfrom()" a byte count 3257190225Srpaulo * based on the snapshot length. 3258190225Srpaulo */ 3259190225Srpaulo handle->bufsize = handle->snapshot; 3260190225Srpaulo } 326198530Sfenner 3262190225Srpaulo /* 3263190225Srpaulo * Default value for offset to align link-layer payload 3264190225Srpaulo * on a 4-byte boundary. 3265190225Srpaulo */ 3266190225Srpaulo handle->offset = 0; 326775107Sfenner 3268190225Srpaulo return 1; 326975107Sfenner} 327075107Sfenner 327175107Sfenner/* 3272127664Sbms * Bind the socket associated with FD to the given device using the 327375107Sfenner * interface of the old kernels. 327475107Sfenner */ 327575107Sfennerstatic int 327675107Sfenneriface_bind_old(int fd, const char *device, char *ebuf) 327775107Sfenner{ 327875107Sfenner struct sockaddr saddr; 3279127664Sbms int err; 3280127664Sbms socklen_t errlen = sizeof(err); 328175107Sfenner 328275107Sfenner memset(&saddr, 0, sizeof(saddr)); 328375107Sfenner strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 328475107Sfenner if (bind(fd, &saddr, sizeof(saddr)) == -1) { 328575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 328675107Sfenner "bind: %s", pcap_strerror(errno)); 328775107Sfenner return -1; 328826175Sfenner } 328926175Sfenner 3290127664Sbms /* Any pending errors, e.g., network is down? */ 3291127664Sbms 3292127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 3293127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 3294127664Sbms "getsockopt: %s", pcap_strerror(errno)); 3295127664Sbms return -1; 3296127664Sbms } 3297127664Sbms 3298127664Sbms if (err > 0) { 3299127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 3300127664Sbms "bind: %s", pcap_strerror(err)); 3301127664Sbms return -1; 3302127664Sbms } 3303127664Sbms 330475107Sfenner return 0; 330526175Sfenner} 330626175Sfenner 330775107Sfenner 330875107Sfenner/* ===== System calls available on all supported kernels ============== */ 330975107Sfenner 331075107Sfenner/* 3311127664Sbms * Query the kernel for the MTU of the given interface. 331275107Sfenner */ 331375107Sfennerstatic int 331475107Sfenneriface_get_mtu(int fd, const char *device, char *ebuf) 331526175Sfenner{ 331675107Sfenner struct ifreq ifr; 331726175Sfenner 331875107Sfenner if (!device) 331975107Sfenner return BIGGER_THAN_ALL_MTUS; 332075107Sfenner 332175107Sfenner memset(&ifr, 0, sizeof(ifr)); 332275107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 332375107Sfenner 332475107Sfenner if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 332575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 3326172677Smlaier "SIOCGIFMTU: %s", pcap_strerror(errno)); 332775107Sfenner return -1; 332875107Sfenner } 332975107Sfenner 333075107Sfenner return ifr.ifr_mtu; 333126175Sfenner} 333226175Sfenner 333375107Sfenner/* 333475107Sfenner * Get the hardware type of the given interface as ARPHRD_xxx constant. 333575107Sfenner */ 333675107Sfennerstatic int 333775107Sfenneriface_get_arptype(int fd, const char *device, char *ebuf) 333826175Sfenner{ 333975107Sfenner struct ifreq ifr; 334026175Sfenner 334175107Sfenner memset(&ifr, 0, sizeof(ifr)); 334275107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 334375107Sfenner 334475107Sfenner if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 334575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 3346172677Smlaier "SIOCGIFHWADDR: %s", pcap_strerror(errno)); 3347190225Srpaulo if (errno == ENODEV) { 3348190225Srpaulo /* 3349190225Srpaulo * No such device. 3350190225Srpaulo */ 3351190225Srpaulo return PCAP_ERROR_NO_SUCH_DEVICE; 3352190225Srpaulo } 3353190225Srpaulo return PCAP_ERROR; 335475107Sfenner } 335575107Sfenner 335675107Sfenner return ifr.ifr_hwaddr.sa_family; 335726175Sfenner} 335875107Sfenner 335998530Sfenner#ifdef SO_ATTACH_FILTER 336075107Sfennerstatic int 336175107Sfennerfix_program(pcap_t *handle, struct sock_fprog *fcode) 336275107Sfenner{ 336375107Sfenner size_t prog_size; 336475107Sfenner register int i; 336575107Sfenner register struct bpf_insn *p; 336675107Sfenner struct bpf_insn *f; 336775107Sfenner int len; 336875107Sfenner 336975107Sfenner /* 337075107Sfenner * Make a copy of the filter, and modify that copy if 337175107Sfenner * necessary. 337275107Sfenner */ 337375107Sfenner prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 337475107Sfenner len = handle->fcode.bf_len; 337575107Sfenner f = (struct bpf_insn *)malloc(prog_size); 337675107Sfenner if (f == NULL) { 3377190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 337875107Sfenner "malloc: %s", pcap_strerror(errno)); 337975107Sfenner return -1; 338075107Sfenner } 338175107Sfenner memcpy(f, handle->fcode.bf_insns, prog_size); 338275107Sfenner fcode->len = len; 338375107Sfenner fcode->filter = (struct sock_filter *) f; 338475107Sfenner 338575107Sfenner for (i = 0; i < len; ++i) { 338675107Sfenner p = &f[i]; 338775107Sfenner /* 338875107Sfenner * What type of instruction is this? 338975107Sfenner */ 339075107Sfenner switch (BPF_CLASS(p->code)) { 339175107Sfenner 339275107Sfenner case BPF_RET: 339375107Sfenner /* 339475107Sfenner * It's a return instruction; is the snapshot 339575107Sfenner * length a constant, rather than the contents 339675107Sfenner * of the accumulator? 339775107Sfenner */ 339875107Sfenner if (BPF_MODE(p->code) == BPF_K) { 339975107Sfenner /* 340075107Sfenner * Yes - if the value to be returned, 340175107Sfenner * i.e. the snapshot length, is anything 340275107Sfenner * other than 0, make it 65535, so that 340375107Sfenner * the packet is truncated by "recvfrom()", 340475107Sfenner * not by the filter. 340575107Sfenner * 340675107Sfenner * XXX - there's nothing we can easily do 340775107Sfenner * if it's getting the value from the 340875107Sfenner * accumulator; we'd have to insert 340975107Sfenner * code to force non-zero values to be 341075107Sfenner * 65535. 341175107Sfenner */ 341275107Sfenner if (p->k != 0) 341375107Sfenner p->k = 65535; 341475107Sfenner } 341575107Sfenner break; 341675107Sfenner 341775107Sfenner case BPF_LD: 341875107Sfenner case BPF_LDX: 341975107Sfenner /* 342075107Sfenner * It's a load instruction; is it loading 342175107Sfenner * from the packet? 342275107Sfenner */ 342375107Sfenner switch (BPF_MODE(p->code)) { 342475107Sfenner 342575107Sfenner case BPF_ABS: 342675107Sfenner case BPF_IND: 342775107Sfenner case BPF_MSH: 342875107Sfenner /* 342975107Sfenner * Yes; are we in cooked mode? 343075107Sfenner */ 343175107Sfenner if (handle->md.cooked) { 343275107Sfenner /* 343375107Sfenner * Yes, so we need to fix this 343475107Sfenner * instruction. 343575107Sfenner */ 343675107Sfenner if (fix_offset(p) < 0) { 343775107Sfenner /* 343875107Sfenner * We failed to do so. 343975107Sfenner * Return 0, so our caller 344075107Sfenner * knows to punt to userland. 344175107Sfenner */ 344275107Sfenner return 0; 344375107Sfenner } 344475107Sfenner } 344575107Sfenner break; 344675107Sfenner } 344775107Sfenner break; 344875107Sfenner } 344975107Sfenner } 345075107Sfenner return 1; /* we succeeded */ 345175107Sfenner} 345275107Sfenner 345375107Sfennerstatic int 345475107Sfennerfix_offset(struct bpf_insn *p) 345575107Sfenner{ 345675107Sfenner /* 345775107Sfenner * What's the offset? 345875107Sfenner */ 345975107Sfenner if (p->k >= SLL_HDR_LEN) { 346075107Sfenner /* 346175107Sfenner * It's within the link-layer payload; that starts at an 346275107Sfenner * offset of 0, as far as the kernel packet filter is 346375107Sfenner * concerned, so subtract the length of the link-layer 346475107Sfenner * header. 346575107Sfenner */ 346675107Sfenner p->k -= SLL_HDR_LEN; 346775107Sfenner } else if (p->k == 14) { 346875107Sfenner /* 346975107Sfenner * It's the protocol field; map it to the special magic 347075107Sfenner * kernel offset for that field. 347175107Sfenner */ 347275107Sfenner p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 347375107Sfenner } else { 347475107Sfenner /* 347575107Sfenner * It's within the header, but it's not one of those 347675107Sfenner * fields; we can't do that in the kernel, so punt 347775107Sfenner * to userland. 347875107Sfenner */ 347975107Sfenner return -1; 348075107Sfenner } 348175107Sfenner return 0; 348275107Sfenner} 348398530Sfenner 348498530Sfennerstatic int 348598530Sfennerset_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) 348698530Sfenner{ 348798530Sfenner int total_filter_on = 0; 348898530Sfenner int save_mode; 348998530Sfenner int ret; 349098530Sfenner int save_errno; 349198530Sfenner 349298530Sfenner /* 349398530Sfenner * The socket filter code doesn't discard all packets queued 349498530Sfenner * up on the socket when the filter is changed; this means 349598530Sfenner * that packets that don't match the new filter may show up 349698530Sfenner * after the new filter is put onto the socket, if those 349798530Sfenner * packets haven't yet been read. 349898530Sfenner * 349998530Sfenner * This means, for example, that if you do a tcpdump capture 350098530Sfenner * with a filter, the first few packets in the capture might 350198530Sfenner * be packets that wouldn't have passed the filter. 350298530Sfenner * 350398530Sfenner * We therefore discard all packets queued up on the socket 350498530Sfenner * when setting a kernel filter. (This isn't an issue for 350598530Sfenner * userland filters, as the userland filtering is done after 350698530Sfenner * packets are queued up.) 350798530Sfenner * 350898530Sfenner * To flush those packets, we put the socket in read-only mode, 350998530Sfenner * and read packets from the socket until there are no more to 351098530Sfenner * read. 351198530Sfenner * 351298530Sfenner * In order to keep that from being an infinite loop - i.e., 351398530Sfenner * to keep more packets from arriving while we're draining 351498530Sfenner * the queue - we put the "total filter", which is a filter 351598530Sfenner * that rejects all packets, onto the socket before draining 351698530Sfenner * the queue. 351798530Sfenner * 351898530Sfenner * This code deliberately ignores any errors, so that you may 351998530Sfenner * get bogus packets if an error occurs, rather than having 352098530Sfenner * the filtering done in userland even if it could have been 352198530Sfenner * done in the kernel. 352298530Sfenner */ 3523127664Sbms if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 352498530Sfenner &total_fcode, sizeof(total_fcode)) == 0) { 352598530Sfenner char drain[1]; 352698530Sfenner 352798530Sfenner /* 352898530Sfenner * Note that we've put the total filter onto the socket. 352998530Sfenner */ 353098530Sfenner total_filter_on = 1; 353198530Sfenner 353298530Sfenner /* 353398530Sfenner * Save the socket's current mode, and put it in 353498530Sfenner * non-blocking mode; we drain it by reading packets 3535127664Sbms * until we get an error (which is normally a 353698530Sfenner * "nothing more to be read" error). 353798530Sfenner */ 353898530Sfenner save_mode = fcntl(handle->fd, F_GETFL, 0); 353998530Sfenner if (save_mode != -1 && 354098530Sfenner fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) { 354198530Sfenner while (recv(handle->fd, &drain, sizeof drain, 354298530Sfenner MSG_TRUNC) >= 0) 354398530Sfenner ; 3544127664Sbms save_errno = errno; 354598530Sfenner fcntl(handle->fd, F_SETFL, save_mode); 3546127664Sbms if (save_errno != EAGAIN) { 3547127664Sbms /* Fatal error */ 3548127664Sbms reset_kernel_filter(handle); 3549190225Srpaulo snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3550127664Sbms "recv: %s", pcap_strerror(save_errno)); 3551127664Sbms return -2; 3552127664Sbms } 355398530Sfenner } 355498530Sfenner } 355598530Sfenner 355698530Sfenner /* 355798530Sfenner * Now attach the new filter. 355898530Sfenner */ 3559127664Sbms ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 356098530Sfenner fcode, sizeof(*fcode)); 356198530Sfenner if (ret == -1 && total_filter_on) { 356298530Sfenner /* 356398530Sfenner * Well, we couldn't set that filter on the socket, 356498530Sfenner * but we could set the total filter on the socket. 356598530Sfenner * 356698530Sfenner * This could, for example, mean that the filter was 356798530Sfenner * too big to put into the kernel, so we'll have to 356898530Sfenner * filter in userland; in any case, we'll be doing 356998530Sfenner * filtering in userland, so we need to remove the 357098530Sfenner * total filter so we see packets. 357198530Sfenner */ 357298530Sfenner save_errno = errno; 357398530Sfenner 357498530Sfenner /* 357598530Sfenner * XXX - if this fails, we're really screwed; 357698530Sfenner * we have the total filter on the socket, 357798530Sfenner * and it won't come off. What do we do then? 357898530Sfenner */ 357998530Sfenner reset_kernel_filter(handle); 358098530Sfenner 358198530Sfenner errno = save_errno; 358298530Sfenner } 3583127664Sbms return ret; 358498530Sfenner} 358598530Sfenner 358698530Sfennerstatic int 358798530Sfennerreset_kernel_filter(pcap_t *handle) 358898530Sfenner{ 3589172677Smlaier /* 3590172677Smlaier * setsockopt() barfs unless it get a dummy parameter. 3591172677Smlaier * valgrind whines unless the value is initialized, 3592172677Smlaier * as it has no idea that setsockopt() ignores its 3593172677Smlaier * parameter. 3594172677Smlaier */ 3595172677Smlaier int dummy = 0; 359698530Sfenner 359798530Sfenner return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, 359898530Sfenner &dummy, sizeof(dummy)); 359998530Sfenner} 360075107Sfenner#endif 3601