pcap-bpf.c revision 109839
117683Spst/* 239291Sfenner * Copyright (c) 1993, 1994, 1995, 1996, 1998 317683Spst * The Regents of the University of California. All rights reserved. 417683Spst * 517683Spst * Redistribution and use in source and binary forms, with or without 617683Spst * modification, are permitted provided that: (1) source code distributions 717683Spst * retain the above copyright notice and this paragraph in its entirety, (2) 817683Spst * distributions including binary code include the above copyright notice and 917683Spst * this paragraph in its entirety in the documentation or other materials 1017683Spst * provided with the distribution, and (3) all advertising materials mentioning 1117683Spst * features or use of this software display the following acknowledgement: 1217683Spst * ``This product includes software developed by the University of California, 1317683Spst * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 1417683Spst * the University nor the names of its contributors may be used to endorse 1517683Spst * or promote products derived from this software without specific prior 1617683Spst * written permission. 1717683Spst * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 1817683Spst * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 1917683Spst * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 2017683Spst */ 2117683Spst#ifndef lint 2226175Sfennerstatic const char rcsid[] = 2398530Sfenner "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.48 2001/12/10 07:14:14 guy Exp $ (LBL)"; 2417683Spst#endif 2517683Spst 2675107Sfenner#ifdef HAVE_CONFIG_H 2775107Sfenner#include "config.h" 2875107Sfenner#endif 2975107Sfenner 3017683Spst#include <sys/param.h> /* optionally get BSD define */ 3117683Spst#include <sys/time.h> 3217683Spst#include <sys/timeb.h> 3317683Spst#include <sys/socket.h> 3417683Spst#include <sys/file.h> 3517683Spst#include <sys/ioctl.h> 3617683Spst 3717683Spst#include <net/if.h> 3898530Sfenner#ifdef _AIX 3998530Sfenner/* 4098530Sfenner * XXX - I'm guessing here AIX defines IFT_ values in <net/if_types.h>, 4198530Sfenner * as BSD does. If not, this code won't compile, but, if not, you 4298530Sfenner * want to send us a bug report and fall back on using DLPI. 4398530Sfenner * It's not as if BPF used to work right on AIX before this change; 4498530Sfenner * this change attempts to fix the fact that it didn't.... 4598530Sfenner */ 4698530Sfenner#include <net/if_types.h> /* for IFT_ values */ 4798530Sfenner#endif 4817683Spst 4917683Spst#include <ctype.h> 5017683Spst#include <errno.h> 5117683Spst#include <netdb.h> 5217683Spst#include <stdio.h> 5317683Spst#include <stdlib.h> 5417683Spst#include <string.h> 5517683Spst#include <unistd.h> 5617683Spst 5717683Spst#include "pcap-int.h" 5817683Spst 5917683Spst#ifdef HAVE_OS_PROTO_H 6017683Spst#include "os-proto.h" 6117683Spst#endif 6217683Spst 6356889Sfenner#include "gencode.h" 6456889Sfenner 6517683Spstint 6617683Spstpcap_stats(pcap_t *p, struct pcap_stat *ps) 6717683Spst{ 6817683Spst struct bpf_stat s; 6917683Spst 7098530Sfenner /* 7198530Sfenner * "ps_recv" counts packets handed to the filter, not packets 7298530Sfenner * that passed the filter. This includes packets later dropped 7398530Sfenner * because we ran out of buffer space. 7498530Sfenner * 7598530Sfenner * "ps_drop" counts packets dropped inside the BPF device 7698530Sfenner * because we ran out of buffer space. It doesn't count 7798530Sfenner * packets dropped by the interface driver. It counts 7898530Sfenner * only packets that passed the filter. 7998530Sfenner * 8098530Sfenner * Both statistics include packets not yet read from the kernel 8198530Sfenner * by libpcap, and thus not yet seen by the application. 8298530Sfenner */ 8317683Spst if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) { 8475107Sfenner snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s", 8575107Sfenner pcap_strerror(errno)); 8617683Spst return (-1); 8717683Spst } 8817683Spst 8917683Spst ps->ps_recv = s.bs_recv; 9017683Spst ps->ps_drop = s.bs_drop; 9117683Spst return (0); 9217683Spst} 9317683Spst 9417683Spstint 9517683Spstpcap_read(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 9617683Spst{ 9717683Spst int cc; 9817683Spst int n = 0; 9917683Spst register u_char *bp, *ep; 10017683Spst 10117683Spst again: 10217683Spst cc = p->cc; 10317683Spst if (p->cc == 0) { 10417683Spst cc = read(p->fd, (char *)p->buffer, p->bufsize); 10517683Spst if (cc < 0) { 10617683Spst /* Don't choke when we get ptraced */ 10717683Spst switch (errno) { 10817683Spst 10917683Spst case EINTR: 11017683Spst goto again; 11117683Spst 11217683Spst case EWOULDBLOCK: 11317683Spst return (0); 11417683Spst#if defined(sun) && !defined(BSD) 11517683Spst /* 11617683Spst * Due to a SunOS bug, after 2^31 bytes, the kernel 11717683Spst * file offset overflows and read fails with EINVAL. 11817683Spst * The lseek() to 0 will fix things. 11917683Spst */ 12017683Spst case EINVAL: 12117683Spst if (lseek(p->fd, 0L, SEEK_CUR) + 12217683Spst p->bufsize < 0) { 12317683Spst (void)lseek(p->fd, 0L, SEEK_SET); 12417683Spst goto again; 12517683Spst } 12617683Spst /* fall through */ 12717683Spst#endif 12817683Spst } 12975107Sfenner snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s", 13075107Sfenner pcap_strerror(errno)); 13117683Spst return (-1); 13217683Spst } 13317683Spst bp = p->buffer; 13417683Spst } else 13517683Spst bp = p->bp; 13617683Spst 13717683Spst /* 13817683Spst * Loop through each packet. 13917683Spst */ 14017683Spst#define bhp ((struct bpf_hdr *)bp) 14117683Spst ep = bp + cc; 14217683Spst while (bp < ep) { 14317683Spst register int caplen, hdrlen; 14417683Spst caplen = bhp->bh_caplen; 14517683Spst hdrlen = bhp->bh_hdrlen; 14617683Spst /* 14717683Spst * XXX A bpf_hdr matches a pcap_pkthdr. 14817683Spst */ 14998530Sfenner#ifdef _AIX 15098530Sfenner /* 15198530Sfenner * AIX's BPF returns seconds/nanoseconds time stamps, not 15298530Sfenner * seconds/microseconds time stamps. 15398530Sfenner * 15498530Sfenner * XXX - I'm guessing here that it's a "struct timestamp"; 15598530Sfenner * if not, this code won't compile, but, if not, you 15698530Sfenner * want to send us a bug report and fall back on using 15798530Sfenner * DLPI. It's not as if BPF used to work right on 15898530Sfenner * AIX before this change; this change attempts to fix 15998530Sfenner * the fact that it didn't.... 16098530Sfenner */ 16198530Sfenner bhp->bh_tstamp.tv_usec = bhp->bh_tstamp.tv_usec/1000; 16298530Sfenner#endif 16317683Spst (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen); 16417683Spst bp += BPF_WORDALIGN(caplen + hdrlen); 16517683Spst if (++n >= cnt && cnt > 0) { 16617683Spst p->bp = bp; 16717683Spst p->cc = ep - bp; 16817683Spst return (n); 16917683Spst } 17017683Spst } 17117683Spst#undef bhp 17217683Spst p->cc = 0; 17317683Spst return (n); 17417683Spst} 17517683Spst 17617683Spststatic inline int 17717683Spstbpf_open(pcap_t *p, char *errbuf) 17817683Spst{ 17917683Spst int fd; 18017683Spst int n = 0; 18175107Sfenner char device[sizeof "/dev/bpf0000000000"]; 18217683Spst 18317683Spst /* 18417683Spst * Go through all the minors and find one that isn't in use. 18517683Spst */ 18617683Spst do { 18775107Sfenner (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++); 18817683Spst fd = open(device, O_RDONLY); 18917683Spst } while (fd < 0 && errno == EBUSY); 19017683Spst 19117683Spst /* 19217683Spst * XXX better message for all minors used 19317683Spst */ 19417683Spst if (fd < 0) 19575107Sfenner snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s", 19675107Sfenner device, pcap_strerror(errno)); 19717683Spst 19817683Spst return (fd); 19917683Spst} 20017683Spst 20117683Spstpcap_t * 20217683Spstpcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf) 20317683Spst{ 20417683Spst int fd; 20517683Spst struct ifreq ifr; 20617683Spst struct bpf_version bv; 207109839Sfenner struct bpf_dltlist bdl; 20817683Spst u_int v; 20917683Spst pcap_t *p; 21017683Spst 211109839Sfenner bzero(&bdl, sizeof(bdl)); 212109839Sfenner 21317683Spst p = (pcap_t *)malloc(sizeof(*p)); 21417683Spst if (p == NULL) { 21575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 21675107Sfenner pcap_strerror(errno)); 21717683Spst return (NULL); 21817683Spst } 21975107Sfenner memset(p, 0, sizeof(*p)); 22017683Spst fd = bpf_open(p, ebuf); 22117683Spst if (fd < 0) 22217683Spst goto bad; 22317683Spst 22417683Spst p->fd = fd; 22517683Spst p->snapshot = snaplen; 22617683Spst 22717683Spst if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 22875107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s", 22975107Sfenner pcap_strerror(errno)); 23017683Spst goto bad; 23117683Spst } 23217683Spst if (bv.bv_major != BPF_MAJOR_VERSION || 23317683Spst bv.bv_minor < BPF_MINOR_VERSION) { 23475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 23575107Sfenner "kernel bpf filter out of date"); 23617683Spst goto bad; 23717683Spst } 23875107Sfenner 23975107Sfenner /* 24075107Sfenner * Try finding a good size for the buffer; 32768 may be too 24175107Sfenner * big, so keep cutting it in half until we find a size 24275107Sfenner * that works, or run out of sizes to try. 24375107Sfenner * 24475107Sfenner * XXX - there should be a user-accessible hook to set the 24575107Sfenner * initial buffer size. 24639291Sfenner */ 24775107Sfenner for (v = 32768; v != 0; v >>= 1) { 24875107Sfenner /* Ignore the return value - this is because the call fails 24975107Sfenner * on BPF systems that don't have kernel malloc. And if 25075107Sfenner * the call fails, it's no big deal, we just continue to 25175107Sfenner * use the standard buffer size. 25275107Sfenner */ 25375107Sfenner (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); 25439291Sfenner 25575107Sfenner (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 25675107Sfenner if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0) 25775107Sfenner break; /* that size worked; we're done */ 25875107Sfenner 25975107Sfenner if (errno != ENOBUFS) { 26075107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 26175107Sfenner device, pcap_strerror(errno)); 26275107Sfenner goto bad; 26375107Sfenner } 26475107Sfenner } 26575107Sfenner 26675107Sfenner if (v == 0) { 26775107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 26875107Sfenner "BIOCSBLEN: %s: No buffer size worked", device); 26917683Spst goto bad; 27017683Spst } 27175107Sfenner 27217683Spst /* Get the data link layer type. */ 27317683Spst if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) { 27475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s", 27575107Sfenner pcap_strerror(errno)); 27617683Spst goto bad; 27717683Spst } 27898530Sfenner#ifdef _AIX 27998530Sfenner /* 28098530Sfenner * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT. 28198530Sfenner */ 28256889Sfenner switch (v) { 28398530Sfenner 28498530Sfenner case IFT_ETHER: 28598530Sfenner case IFT_ISO88023: 28698530Sfenner v = DLT_EN10MB; 28798530Sfenner break; 28898530Sfenner 28998530Sfenner case IFT_FDDI: 29098530Sfenner v = DLT_FDDI; 29198530Sfenner break; 29298530Sfenner 29398530Sfenner case IFT_ISO88025: 29498530Sfenner v = DLT_IEEE802; 29598530Sfenner break; 29698530Sfenner 29798530Sfenner default: 29875107Sfenner /* 29998530Sfenner * We don't know what to map this to yet. 30075107Sfenner */ 30198530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %lu", 30298530Sfenner v); 30398530Sfenner goto bad; 30456889Sfenner } 30556889Sfenner#endif 30639291Sfenner#if _BSDI_VERSION - 0 >= 199510 30739291Sfenner /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */ 30839291Sfenner switch (v) { 30939291Sfenner 31039291Sfenner case DLT_SLIP: 31139291Sfenner v = DLT_SLIP_BSDOS; 31239291Sfenner break; 31339291Sfenner 31439291Sfenner case DLT_PPP: 31539291Sfenner v = DLT_PPP_BSDOS; 31639291Sfenner break; 31756889Sfenner 31856889Sfenner case 11: /*DLT_FR*/ 31956889Sfenner v = DLT_RAW; /*XXX*/ 32056889Sfenner break; 32156889Sfenner 32256889Sfenner case 12: /*DLT_C_HDLC*/ 32356889Sfenner v = DLT_CHDLC; 32456889Sfenner break; 32539291Sfenner } 32639291Sfenner#endif 32717683Spst p->linktype = v; 32817683Spst 329109839Sfenner /* 330109839Sfenner * We know the default link type -- now determine any additional 331109839Sfenner * DLTs this interface supports. If this fails, it's not fatal; 332109839Sfenner * we just don't get to use the feature later. 333109839Sfenner */ 334109839Sfenner if (ioctl(fd, BIOCGDLTLIST, (caddr_t) &bdl) == 0) { 335109839Sfenner bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * bdl.bfl_len); 336109839Sfenner if (bdl.bfl_list == NULL) { 337109839Sfenner (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 338109839Sfenner pcap_strerror(errno)); 339109839Sfenner goto bad; 340109839Sfenner } 341109839Sfenner 342109839Sfenner if (ioctl(fd, BIOCGDLTLIST, (caddr_t) &bdl) < 0) { 343109839Sfenner (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 344109839Sfenner "BIOCGDLTLIST: %s", pcap_strerror(errno)); 345109839Sfenner free(bdl.bfl_list); 346109839Sfenner goto bad; 347109839Sfenner } 348109839Sfenner 349109839Sfenner p->dlt_count = bdl.bfl_len; 350109839Sfenner p->dlt_list = bdl.bfl_list; 351109839Sfenner } 352109839Sfenner 35317683Spst /* set timeout */ 35417683Spst if (to_ms != 0) { 35517683Spst struct timeval to; 35617683Spst to.tv_sec = to_ms / 1000; 35717683Spst to.tv_usec = (to_ms * 1000) % 1000000; 35817683Spst if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) { 35975107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s", 36075107Sfenner pcap_strerror(errno)); 36117683Spst goto bad; 36217683Spst } 36317683Spst } 36475107Sfenner 36575107Sfenner#ifdef _AIX 36675107Sfenner#ifdef BIOCIMMEDIATE 36775107Sfenner /* 36875107Sfenner * Darren Reed notes that 36975107Sfenner * 37075107Sfenner * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the 37175107Sfenner * timeout appears to be ignored and it waits until the buffer 37275107Sfenner * is filled before returning. The result of not having it 37375107Sfenner * set is almost worse than useless if your BPF filter 37475107Sfenner * is reducing things to only a few packets (i.e. one every 37575107Sfenner * second or so). 37675107Sfenner * 37775107Sfenner * so we turn BIOCIMMEDIATE mode on if this is AIX. 37875107Sfenner * 37975107Sfenner * We don't turn it on for other platforms, as that means we 38075107Sfenner * get woken up for every packet, which may not be what we want; 38175107Sfenner * in the Winter 1993 USENIX paper on BPF, they say: 38275107Sfenner * 38375107Sfenner * Since a process might want to look at every packet on a 38475107Sfenner * network and the time between packets can be only a few 38575107Sfenner * microseconds, it is not possible to do a read system call 38675107Sfenner * per packet and BPF must collect the data from several 38775107Sfenner * packets and return it as a unit when the monitoring 38875107Sfenner * application does a read. 38975107Sfenner * 39075107Sfenner * which I infer is the reason for the timeout - it means we 39175107Sfenner * wait that amount of time, in the hopes that more packets 39275107Sfenner * will arrive and we'll get them all with one read. 39375107Sfenner * 39475107Sfenner * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other 39575107Sfenner * BSDs) causes the timeout to be ignored. 39675107Sfenner * 39775107Sfenner * On the other hand, some platforms (e.g., Linux) don't support 39875107Sfenner * timeouts, they just hand stuff to you as soon as it arrives; 39975107Sfenner * if that doesn't cause a problem on those platforms, it may 40075107Sfenner * be OK to have BIOCIMMEDIATE mode on BSD as well. 40175107Sfenner * 40275107Sfenner * (Note, though, that applications may depend on the read 40375107Sfenner * completing, even if no packets have arrived, when the timeout 40475107Sfenner * expires, e.g. GUI applications that have to check for input 40575107Sfenner * while waiting for packets to arrive; a non-zero timeout 40675107Sfenner * prevents "select()" from working right on FreeBSD and 40775107Sfenner * possibly other BSDs, as the timer doesn't start until a 40875107Sfenner * "read()" is done, so the timer isn't in effect if the 40975107Sfenner * application is blocked on a "select()", and the "select()" 41075107Sfenner * doesn't get woken up for a BPF device until the buffer 41175107Sfenner * fills up.) 41275107Sfenner */ 41375107Sfenner v = 1; 41475107Sfenner if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) { 41575107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s", 41675107Sfenner pcap_strerror(errno)); 41775107Sfenner goto bad; 41875107Sfenner } 41975107Sfenner#endif /* BIOCIMMEDIATE */ 42075107Sfenner#endif /* _AIX */ 42175107Sfenner 42298530Sfenner if (promisc) { 42317683Spst /* set promiscuous mode, okay if it fails */ 42498530Sfenner if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) { 42598530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s", 42698530Sfenner pcap_strerror(errno)); 42798530Sfenner } 42898530Sfenner } 42917683Spst 43017683Spst if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) { 43175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s", 43275107Sfenner pcap_strerror(errno)); 43317683Spst goto bad; 43417683Spst } 43517683Spst p->bufsize = v; 43617683Spst p->buffer = (u_char *)malloc(p->bufsize); 43717683Spst if (p->buffer == NULL) { 43875107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 43975107Sfenner pcap_strerror(errno)); 44017683Spst goto bad; 44117683Spst } 44217683Spst 44317683Spst return (p); 44417683Spst bad: 44517683Spst (void)close(fd); 446109839Sfenner if (bdl.bfl_list != NULL) 447109839Sfenner free(bdl.bfl_list); 44817683Spst free(p); 44917683Spst return (NULL); 45017683Spst} 45117683Spst 45217683Spstint 45317683Spstpcap_setfilter(pcap_t *p, struct bpf_program *fp) 45417683Spst{ 45556889Sfenner /* 45656889Sfenner * It looks that BPF code generated by gen_protochain() is not 45756889Sfenner * compatible with some of kernel BPF code (for example BSD/OS 3.1). 45856889Sfenner * Take a safer side for now. 45956889Sfenner */ 46075107Sfenner if (no_optimize) { 46175107Sfenner if (install_bpf_program(p, fp) < 0) 46275107Sfenner return (-1); 46375107Sfenner } else if (p->sf.rfile != NULL) { 46475107Sfenner if (install_bpf_program(p, fp) < 0) 46575107Sfenner return (-1); 46675107Sfenner } else if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) { 46775107Sfenner snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 46875107Sfenner pcap_strerror(errno)); 46917683Spst return (-1); 47017683Spst } 47117683Spst return (0); 47217683Spst} 473109839Sfenner 474109839Sfennerint 475109839Sfennerpcap_set_datalink(pcap_t *p, int dlt) 476109839Sfenner{ 477109839Sfenner int i; 478109839Sfenner 479109839Sfenner for (i = 0; i < p->dlt_count; i++) 480109839Sfenner if (p->dlt_list[i] == dlt) 481109839Sfenner break; 482109839Sfenner if (i >= p->dlt_count) { 483109839Sfenner (void) snprintf(p->errbuf, sizeof(p->errbuf), 484109839Sfenner "No such DLT as %d", dlt); 485109839Sfenner return -1; 486109839Sfenner } 487109839Sfenner if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) { 488109839Sfenner (void) snprintf(p->errbuf, sizeof(p->errbuf), 489109839Sfenner "Cannot set DLT %d: %s", dlt, strerror(errno)); 490109839Sfenner return -1; 491109839Sfenner } 492109839Sfenner p->linktype = dlt; 493109839Sfenner return 0; 494109839Sfenner} 495