pcap-bpf.c revision 146768
112651Skvn/* 212651Skvn * Copyright (c) 1993, 1994, 1995, 1996, 1998 312651Skvn * The Regents of the University of California. All rights reserved. 412651Skvn * 512651Skvn * Redistribution and use in source and binary forms, with or without 612651Skvn * modification, are permitted provided that: (1) source code distributions 712651Skvn * retain the above copyright notice and this paragraph in its entirety, (2) 812651Skvn * distributions including binary code include the above copyright notice and 912651Skvn * this paragraph in its entirety in the documentation or other materials 1012651Skvn * provided with the distribution, and (3) all advertising materials mentioning 1112651Skvn * features or use of this software display the following acknowledgement: 1212651Skvn * ``This product includes software developed by the University of California, 1312651Skvn * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 1412651Skvn * the University nor the names of its contributors may be used to endorse 1512651Skvn * or promote products derived from this software without specific prior 1612651Skvn * written permission. 1712651Skvn * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 1812651Skvn * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 1912651Skvn * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 2012651Skvn */ 2112651Skvn#ifndef lint 2212651Skvnstatic const char rcsid[] _U_ = 2312651Skvn "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.86 2005/02/26 21:58:05 guy Exp $ (LBL)"; 2412651Skvn#endif 2512651Skvn 2612651Skvn#ifdef HAVE_CONFIG_H 2712651Skvn#include "config.h" 2812651Skvn#endif 2912651Skvn 3012651Skvn#include <sys/param.h> /* optionally get BSD define */ 3112651Skvn#include <sys/time.h> 3212651Skvn#include <sys/timeb.h> 3312651Skvn#include <sys/socket.h> 3412651Skvn#include <sys/file.h> 3512651Skvn#include <sys/ioctl.h> 3612651Skvn#include <sys/utsname.h> 3712651Skvn 3812651Skvn#include <net/if.h> 3912651Skvn 4012651Skvn#ifdef _AIX 4112651Skvn 4212651Skvn/* 4312651Skvn * Make "pcap.h" not include "pcap-bpf.h"; we are going to include the 4412651Skvn * native OS version, as we need "struct bpf_config" from it. 4512651Skvn */ 4612651Skvn#define PCAP_DONT_INCLUDE_PCAP_BPF_H 4712651Skvn 4812651Skvn#include <sys/types.h> 4912651Skvn 5012651Skvn/* 5112651Skvn * Prevent bpf.h from redefining the DLT_ values to their 5212651Skvn * IFT_ values, as we're going to return the standard libpcap 5312651Skvn * values, not IBM's non-standard IFT_ values. 5412651Skvn */ 5512651Skvn#undef _AIX 5612651Skvn#include <net/bpf.h> 5712651Skvn#define _AIX 5812651Skvn 5912651Skvn#include <net/if_types.h> /* for IFT_ values */ 6012651Skvn#include <sys/sysconfig.h> 6112651Skvn#include <sys/device.h> 6212651Skvn#include <odmi.h> 6312651Skvn#include <cf.h> 6412651Skvn 6512651Skvn#ifdef __64BIT__ 6612651Skvn#define domakedev makedev64 6712651Skvn#define getmajor major64 6812651Skvn#define bpf_hdr bpf_hdr32 6912651Skvn#else /* __64BIT__ */ 7012651Skvn#define domakedev makedev 7112651Skvn#define getmajor major 7212651Skvn#endif /* __64BIT__ */ 7312651Skvn 7412651Skvn#define BPF_NAME "bpf" 7512651Skvn#define BPF_MINORS 4 7612651Skvn#define DRIVER_PATH "/usr/lib/drivers" 7712651Skvn#define BPF_NODE "/dev/bpf" 7812651Skvnstatic int bpfloadedflag = 0; 7912651Skvnstatic int odmlockid = 0; 8012651Skvn 8112651Skvn#else /* _AIX */ 8212651Skvn 8312651Skvn#include <net/bpf.h> 8412651Skvn 8512651Skvn#endif /* _AIX */ 8612651Skvn 8712651Skvn#include <ctype.h> 8812651Skvn#include <errno.h> 8912651Skvn#include <netdb.h> 9012651Skvn#include <stdio.h> 9112651Skvn#include <stdlib.h> 9212651Skvn#include <string.h> 9312651Skvn#include <unistd.h> 9412651Skvn 9512651Skvn#include "pcap-int.h" 9612651Skvn 9712651Skvn#ifdef HAVE_DAG_API 9812651Skvn#include "pcap-dag.h" 9912651Skvn#endif /* HAVE_DAG_API */ 10012651Skvn 10112651Skvn#ifdef HAVE_OS_PROTO_H 10212651Skvn#include "os-proto.h" 10312651Skvn#endif 10412651Skvn 10512651Skvn#include "gencode.h" /* for "no_optimize" */ 10612651Skvn 10712651Skvnstatic int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp); 10812651Skvnstatic int pcap_set_datalink_bpf(pcap_t *p, int dlt); 10912651Skvn 11012651Skvnstatic int 11112651Skvnpcap_stats_bpf(pcap_t *p, struct pcap_stat *ps) 11212651Skvn{ 11312651Skvn struct bpf_stat s; 11412651Skvn 11512651Skvn /* 11612651Skvn * "ps_recv" counts packets handed to the filter, not packets 11712651Skvn * that passed the filter. This includes packets later dropped 11812651Skvn * because we ran out of buffer space. 11912651Skvn * 12012651Skvn * "ps_drop" counts packets dropped inside the BPF device 12112651Skvn * because we ran out of buffer space. It doesn't count 12212651Skvn * packets dropped by the interface driver. It counts 12312651Skvn * only packets that passed the filter. 12412651Skvn * 12512651Skvn * Both statistics include packets not yet read from the kernel 12612651Skvn * by libpcap, and thus not yet seen by the application. 12712651Skvn */ 12812651Skvn if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) { 12912651Skvn snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s", 13012651Skvn pcap_strerror(errno)); 13112651Skvn return (-1); 13212651Skvn } 13312651Skvn 13412651Skvn ps->ps_recv = s.bs_recv; 13512651Skvn ps->ps_drop = s.bs_drop; 13612651Skvn return (0); 13712651Skvn} 13812651Skvn 13912651Skvnstatic int 14012651Skvnpcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 14112651Skvn{ 14212651Skvn int cc; 14312651Skvn int n = 0; 14412651Skvn register u_char *bp, *ep; 14512651Skvn u_char *datap; 14612651Skvn struct bpf_insn *fcode; 14712651Skvn#ifdef PCAP_FDDIPAD 14812651Skvn register int pad; 14912651Skvn#endif 15012651Skvn 15112651Skvn fcode = p->md.use_bpf ? NULL : p->fcode.bf_insns; 15212651Skvn again: 15312651Skvn /* 15412651Skvn * Has "pcap_breakloop()" been called? 15512651Skvn */ 15612651Skvn if (p->break_loop) { 15712651Skvn /* 15812651Skvn * Yes - clear the flag that indicates that it 15912651Skvn * has, and return -2 to indicate that we were 16012651Skvn * told to break out of the loop. 16112651Skvn */ 16212651Skvn p->break_loop = 0; 16312651Skvn return (-2); 16412651Skvn } 16512651Skvn cc = p->cc; 16612651Skvn if (p->cc == 0) { 16712651Skvn cc = read(p->fd, (char *)p->buffer, p->bufsize); 16812651Skvn if (cc < 0) { 16912651Skvn /* Don't choke when we get ptraced */ 17012651Skvn switch (errno) { 17112651Skvn 17212651Skvn case EINTR: 17312651Skvn goto again; 17412651Skvn 17512651Skvn#ifdef _AIX 17612651Skvn case EFAULT: 17712651Skvn /* 17812651Skvn * Sigh. More AIX wonderfulness. 17912651Skvn * 18012651Skvn * For some unknown reason the uiomove() 18112651Skvn * operation in the bpf kernel extension 18212651Skvn * used to copy the buffer into user 18312651Skvn * space sometimes returns EFAULT. I have 18412651Skvn * no idea why this is the case given that 18512651Skvn * a kernel debugger shows the user buffer 18612651Skvn * is correct. This problem appears to 18712651Skvn * be mostly mitigated by the memset of 18812651Skvn * the buffer before it is first used. 18912651Skvn * Very strange.... Shaun Clowes 19012651Skvn * 19112651Skvn * In any case this means that we shouldn't 19212651Skvn * treat EFAULT as a fatal error; as we 19312651Skvn * don't have an API for returning 19412651Skvn * a "some packets were dropped since 19512651Skvn * the last packet you saw" indication, 19612651Skvn * we just ignore EFAULT and keep reading. 19712651Skvn */ 19812651Skvn goto again; 19912651Skvn#endif 20012651Skvn 20112651Skvn case EWOULDBLOCK: 20212651Skvn return (0); 20312651Skvn#if defined(sun) && !defined(BSD) 20412651Skvn /* 20512651Skvn * Due to a SunOS bug, after 2^31 bytes, the kernel 20612651Skvn * file offset overflows and read fails with EINVAL. 20712651Skvn * The lseek() to 0 will fix things. 20812651Skvn */ 20912651Skvn case EINVAL: 21012651Skvn if (lseek(p->fd, 0L, SEEK_CUR) + 21112651Skvn p->bufsize < 0) { 21212651Skvn (void)lseek(p->fd, 0L, SEEK_SET); 21312651Skvn goto again; 21412651Skvn } 21512651Skvn /* fall through */ 21612651Skvn#endif 21712651Skvn } 21812651Skvn snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s", 21912651Skvn pcap_strerror(errno)); 22012651Skvn return (-1); 22112651Skvn } 22212651Skvn bp = p->buffer; 22312651Skvn } else 22412651Skvn bp = p->bp; 22512651Skvn 22612651Skvn /* 22712651Skvn * Loop through each packet. 22812651Skvn */ 22912651Skvn#define bhp ((struct bpf_hdr *)bp) 23012651Skvn ep = bp + cc; 23112651Skvn#ifdef PCAP_FDDIPAD 23212651Skvn pad = p->fddipad; 23312651Skvn#endif 23412651Skvn while (bp < ep) { 23512651Skvn register int caplen, hdrlen; 23612651Skvn 23712651Skvn /* 23812651Skvn * Has "pcap_breakloop()" been called? 23912651Skvn * If so, return immediately - if we haven't read any 24012651Skvn * packets, clear the flag and return -2 to indicate 24112651Skvn * that we were told to break out of the loop, otherwise 24212651Skvn * leave the flag set, so that the *next* call will break 24312651Skvn * out of the loop without having read any packets, and 24412651Skvn * return the number of packets we've processed so far. 24512651Skvn */ 24612651Skvn if (p->break_loop) { 24712651Skvn if (n == 0) { 24812651Skvn p->break_loop = 0; 24912651Skvn return (-2); 25012651Skvn } else { 25112651Skvn p->bp = bp; 25212651Skvn p->cc = ep - bp; 25312651Skvn return (n); 25412651Skvn } 25512651Skvn } 25612651Skvn 25712651Skvn caplen = bhp->bh_caplen; 25812651Skvn hdrlen = bhp->bh_hdrlen; 25912651Skvn datap = bp + hdrlen; 26012651Skvn /* 26112651Skvn * Short-circuit evaluation: if using BPF filter 26212651Skvn * in kernel, no need to do it now. 26312651Skvn * 26412651Skvn#ifdef PCAP_FDDIPAD 26512651Skvn * Note: the filter code was generated assuming 26612651Skvn * that p->fddipad was the amount of padding 26712651Skvn * before the header, as that's what's required 26812651Skvn * in the kernel, so we run the filter before 26912651Skvn * skipping that padding. 27012651Skvn#endif 27112651Skvn */ 27212651Skvn if (fcode == NULL || 27312651Skvn bpf_filter(fcode, datap, bhp->bh_datalen, caplen)) { 27412651Skvn struct pcap_pkthdr pkthdr; 27512651Skvn 276 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec; 277#ifdef _AIX 278 /* 279 * AIX's BPF returns seconds/nanoseconds time 280 * stamps, not seconds/microseconds time stamps. 281 */ 282 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000; 283#else 284 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec; 285#endif 286#ifdef PCAP_FDDIPAD 287 if (caplen > pad) 288 pkthdr.caplen = caplen - pad; 289 else 290 pkthdr.caplen = 0; 291 if (bhp->bh_datalen > pad) 292 pkthdr.len = bhp->bh_datalen - pad; 293 else 294 pkthdr.len = 0; 295 datap += pad; 296#else 297 pkthdr.caplen = caplen; 298 pkthdr.len = bhp->bh_datalen; 299#endif 300 (*callback)(user, &pkthdr, datap); 301 bp += BPF_WORDALIGN(caplen + hdrlen); 302 if (++n >= cnt && cnt > 0) { 303 p->bp = bp; 304 p->cc = ep - bp; 305 return (n); 306 } 307 } else { 308 /* 309 * Skip this packet. 310 */ 311 bp += BPF_WORDALIGN(caplen + hdrlen); 312 } 313 } 314#undef bhp 315 p->cc = 0; 316 return (n); 317} 318 319static int 320pcap_inject_bpf(pcap_t *p, const void *buf, size_t size) 321{ 322 int ret; 323 324 ret = write(p->fd, buf, size); 325#ifdef __APPLE__ 326 if (ret == -1 && errno == EAFNOSUPPORT) { 327 /* 328 * In Mac OS X, there's a bug wherein setting the 329 * BIOCSHDRCMPLT flag causes writes to fail; see, 330 * for example: 331 * 332 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch 333 * 334 * So, if, on OS X, we get EAFNOSUPPORT from the write, we 335 * assume it's due to that bug, and turn off that flag 336 * and try again. If we succeed, it either means that 337 * somebody applied the fix from that URL, or other patches 338 * for that bug from 339 * 340 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/ 341 * 342 * and are running a Darwin kernel with those fixes, or 343 * that Apple fixed the problem in some OS X release. 344 */ 345 u_int spoof_eth_src = 0; 346 347 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 348 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 349 "send: can't turn off BIOCSHDRCMPLT: %s", 350 pcap_strerror(errno)); 351 return (-1); 352 } 353 354 /* 355 * Now try the write again. 356 */ 357 ret = write(p->fd, buf, size); 358 } 359#endif /* __APPLE__ */ 360 if (ret == -1) { 361 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 362 pcap_strerror(errno)); 363 return (-1); 364 } 365 return (ret); 366} 367 368#ifdef _AIX 369static int 370bpf_odminit(char *errbuf) 371{ 372 char *errstr; 373 374 if (odm_initialize() == -1) { 375 if (odm_err_msg(odmerrno, &errstr) == -1) 376 errstr = "Unknown error"; 377 snprintf(errbuf, PCAP_ERRBUF_SIZE, 378 "bpf_load: odm_initialize failed: %s", 379 errstr); 380 return (-1); 381 } 382 383 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) { 384 if (odm_err_msg(odmerrno, &errstr) == -1) 385 errstr = "Unknown error"; 386 snprintf(errbuf, PCAP_ERRBUF_SIZE, 387 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s", 388 errstr); 389 return (-1); 390 } 391 392 return (0); 393} 394 395static int 396bpf_odmcleanup(char *errbuf) 397{ 398 char *errstr; 399 400 if (odm_unlock(odmlockid) == -1) { 401 if (odm_err_msg(odmerrno, &errstr) == -1) 402 errstr = "Unknown error"; 403 snprintf(errbuf, PCAP_ERRBUF_SIZE, 404 "bpf_load: odm_unlock failed: %s", 405 errstr); 406 return (-1); 407 } 408 409 if (odm_terminate() == -1) { 410 if (odm_err_msg(odmerrno, &errstr) == -1) 411 errstr = "Unknown error"; 412 snprintf(errbuf, PCAP_ERRBUF_SIZE, 413 "bpf_load: odm_terminate failed: %s", 414 errstr); 415 return (-1); 416 } 417 418 return (0); 419} 420 421static int 422bpf_load(char *errbuf) 423{ 424 long major; 425 int *minors; 426 int numminors, i, rc; 427 char buf[1024]; 428 struct stat sbuf; 429 struct bpf_config cfg_bpf; 430 struct cfg_load cfg_ld; 431 struct cfg_kmod cfg_km; 432 433 /* 434 * This is very very close to what happens in the real implementation 435 * but I've fixed some (unlikely) bug situations. 436 */ 437 if (bpfloadedflag) 438 return (0); 439 440 if (bpf_odminit(errbuf) != 0) 441 return (-1); 442 443 major = genmajor(BPF_NAME); 444 if (major == -1) { 445 snprintf(errbuf, PCAP_ERRBUF_SIZE, 446 "bpf_load: genmajor failed: %s", pcap_strerror(errno)); 447 return (-1); 448 } 449 450 minors = getminor(major, &numminors, BPF_NAME); 451 if (!minors) { 452 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1); 453 if (!minors) { 454 snprintf(errbuf, PCAP_ERRBUF_SIZE, 455 "bpf_load: genminor failed: %s", 456 pcap_strerror(errno)); 457 return (-1); 458 } 459 } 460 461 if (bpf_odmcleanup(errbuf)) 462 return (-1); 463 464 rc = stat(BPF_NODE "0", &sbuf); 465 if (rc == -1 && errno != ENOENT) { 466 snprintf(errbuf, PCAP_ERRBUF_SIZE, 467 "bpf_load: can't stat %s: %s", 468 BPF_NODE "0", pcap_strerror(errno)); 469 return (-1); 470 } 471 472 if (rc == -1 || getmajor(sbuf.st_rdev) != major) { 473 for (i = 0; i < BPF_MINORS; i++) { 474 sprintf(buf, "%s%d", BPF_NODE, i); 475 unlink(buf); 476 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) { 477 snprintf(errbuf, PCAP_ERRBUF_SIZE, 478 "bpf_load: can't mknod %s: %s", 479 buf, pcap_strerror(errno)); 480 return (-1); 481 } 482 } 483 } 484 485 /* Check if the driver is loaded */ 486 memset(&cfg_ld, 0x0, sizeof(cfg_ld)); 487 cfg_ld.path = buf; 488 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME); 489 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) || 490 (cfg_ld.kmid == 0)) { 491 /* Driver isn't loaded, load it now */ 492 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) { 493 snprintf(errbuf, PCAP_ERRBUF_SIZE, 494 "bpf_load: could not load driver: %s", 495 strerror(errno)); 496 return (-1); 497 } 498 } 499 500 /* Configure the driver */ 501 cfg_km.cmd = CFG_INIT; 502 cfg_km.kmid = cfg_ld.kmid; 503 cfg_km.mdilen = sizeof(cfg_bpf); 504 cfg_km.mdiptr = (void *)&cfg_bpf; 505 for (i = 0; i < BPF_MINORS; i++) { 506 cfg_bpf.devno = domakedev(major, i); 507 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) { 508 snprintf(errbuf, PCAP_ERRBUF_SIZE, 509 "bpf_load: could not configure driver: %s", 510 strerror(errno)); 511 return (-1); 512 } 513 } 514 515 bpfloadedflag = 1; 516 517 return (0); 518} 519#endif 520 521static inline int 522bpf_open(pcap_t *p, char *errbuf) 523{ 524 int fd; 525 int n = 0; 526 char device[sizeof "/dev/bpf0000000000"]; 527 528#ifdef _AIX 529 /* 530 * Load the bpf driver, if it isn't already loaded, 531 * and create the BPF device entries, if they don't 532 * already exist. 533 */ 534 if (bpf_load(errbuf) == -1) 535 return (-1); 536#endif 537 538 /* 539 * Go through all the minors and find one that isn't in use. 540 */ 541 do { 542 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++); 543 /* 544 * Initially try a read/write open (to allow the inject 545 * method to work). If that fails due to permission 546 * issues, fall back to read-only. This allows a 547 * non-root user to be granted specific access to pcap 548 * capabilities via file permissions. 549 * 550 * XXX - we should have an API that has a flag that 551 * controls whether to open read-only or read-write, 552 * so that denial of permission to send (or inability 553 * to send, if sending packets isn't supported on 554 * the device in question) can be indicated at open 555 * time. 556 */ 557 fd = open(device, O_RDWR); 558 if (fd == -1 && errno == EACCES) 559 fd = open(device, O_RDONLY); 560 } while (fd < 0 && errno == EBUSY); 561 562 /* 563 * XXX better message for all minors used 564 */ 565 if (fd < 0) 566 snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s", 567 device, pcap_strerror(errno)); 568 569 return (fd); 570} 571 572/* 573 * We include the OS's <net/bpf.h>, not our "pcap-bpf.h", so we probably 574 * don't get DLT_DOCSIS defined. 575 */ 576#ifndef DLT_DOCSIS 577#define DLT_DOCSIS 143 578#endif 579 580pcap_t * 581pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, 582 char *ebuf) 583{ 584 int fd; 585 struct ifreq ifr; 586 struct bpf_version bv; 587#ifdef BIOCGDLTLIST 588 struct bpf_dltlist bdl; 589#endif 590#if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 591 u_int spoof_eth_src = 1; 592#endif 593 u_int v; 594 pcap_t *p; 595 struct bpf_insn total_insn; 596 struct bpf_program total_prog; 597 struct utsname osinfo; 598 599#ifdef HAVE_DAG_API 600 if (strstr(device, "dag")) { 601 return dag_open_live(device, snaplen, promisc, to_ms, ebuf); 602 } 603#endif /* HAVE_DAG_API */ 604 605#ifdef BIOCGDLTLIST 606 memset(&bdl, 0, sizeof(bdl)); 607#endif 608 609 p = (pcap_t *)malloc(sizeof(*p)); 610 if (p == NULL) { 611 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 612 pcap_strerror(errno)); 613 return (NULL); 614 } 615 memset(p, 0, sizeof(*p)); 616 fd = bpf_open(p, ebuf); 617 if (fd < 0) 618 goto bad; 619 620 p->fd = fd; 621 p->snapshot = snaplen; 622 623 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 624 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s", 625 pcap_strerror(errno)); 626 goto bad; 627 } 628 if (bv.bv_major != BPF_MAJOR_VERSION || 629 bv.bv_minor < BPF_MINOR_VERSION) { 630 snprintf(ebuf, PCAP_ERRBUF_SIZE, 631 "kernel bpf filter out of date"); 632 goto bad; 633 } 634 635 /* 636 * Try finding a good size for the buffer; 32768 may be too 637 * big, so keep cutting it in half until we find a size 638 * that works, or run out of sizes to try. If the default 639 * is larger, don't make it smaller. 640 * 641 * XXX - there should be a user-accessible hook to set the 642 * initial buffer size. 643 */ 644 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768) 645 v = 32768; 646 for ( ; v != 0; v >>= 1) { 647 /* Ignore the return value - this is because the call fails 648 * on BPF systems that don't have kernel malloc. And if 649 * the call fails, it's no big deal, we just continue to 650 * use the standard buffer size. 651 */ 652 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); 653 654 (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 655 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0) 656 break; /* that size worked; we're done */ 657 658 if (errno != ENOBUFS) { 659 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 660 device, pcap_strerror(errno)); 661 goto bad; 662 } 663 } 664 665 if (v == 0) { 666 snprintf(ebuf, PCAP_ERRBUF_SIZE, 667 "BIOCSBLEN: %s: No buffer size worked", device); 668 goto bad; 669 } 670 671 /* Get the data link layer type. */ 672 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) { 673 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s", 674 pcap_strerror(errno)); 675 goto bad; 676 } 677#ifdef _AIX 678 /* 679 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT. 680 */ 681 switch (v) { 682 683 case IFT_ETHER: 684 case IFT_ISO88023: 685 v = DLT_EN10MB; 686 break; 687 688 case IFT_FDDI: 689 v = DLT_FDDI; 690 break; 691 692 case IFT_ISO88025: 693 v = DLT_IEEE802; 694 break; 695 696 case IFT_LOOP: 697 v = DLT_NULL; 698 break; 699 700 default: 701 /* 702 * We don't know what to map this to yet. 703 */ 704 snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %u", 705 v); 706 goto bad; 707 } 708#endif 709#if _BSDI_VERSION - 0 >= 199510 710 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */ 711 switch (v) { 712 713 case DLT_SLIP: 714 v = DLT_SLIP_BSDOS; 715 break; 716 717 case DLT_PPP: 718 v = DLT_PPP_BSDOS; 719 break; 720 721 case 11: /*DLT_FR*/ 722 v = DLT_FRELAY; 723 break; 724 725 case 12: /*DLT_C_HDLC*/ 726 v = DLT_CHDLC; 727 break; 728 } 729#endif 730#ifdef PCAP_FDDIPAD 731 if (v == DLT_FDDI) 732 p->fddipad = PCAP_FDDIPAD: 733 else 734 p->fddipad = 0; 735#endif 736 p->linktype = v; 737 738#ifdef BIOCGDLTLIST 739 /* 740 * We know the default link type -- now determine all the DLTs 741 * this interface supports. If this fails with EINVAL, it's 742 * not fatal; we just don't get to use the feature later. 743 */ 744 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) == 0) { 745 u_int i; 746 int is_ethernet; 747 748 bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * bdl.bfl_len + 1); 749 if (bdl.bfl_list == NULL) { 750 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 751 pcap_strerror(errno)); 752 goto bad; 753 } 754 755 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) < 0) { 756 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 757 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 758 free(bdl.bfl_list); 759 goto bad; 760 } 761 762 /* 763 * OK, for real Ethernet devices, add DLT_DOCSIS to the 764 * list, so that an application can let you choose it, 765 * in case you're capturing DOCSIS traffic that a Cisco 766 * Cable Modem Termination System is putting out onto 767 * an Ethernet (it doesn't put an Ethernet header onto 768 * the wire, it puts raw DOCSIS frames out on the wire 769 * inside the low-level Ethernet framing). 770 * 771 * A "real Ethernet device" is defined here as a device 772 * that has a link-layer type of DLT_EN10MB and that has 773 * no alternate link-layer types; that's done to exclude 774 * 802.11 interfaces (which might or might not be the 775 * right thing to do, but I suspect it is - Ethernet <-> 776 * 802.11 bridges would probably badly mishandle frames 777 * that don't have Ethernet headers). 778 */ 779 if (p->linktype == DLT_EN10MB) { 780 is_ethernet = 1; 781 for (i = 0; i < bdl.bfl_len; i++) { 782 if (bdl.bfl_list[i] != DLT_EN10MB) { 783 is_ethernet = 0; 784 break; 785 } 786 } 787 if (is_ethernet) { 788 /* 789 * We reserved one more slot at the end of 790 * the list. 791 */ 792 bdl.bfl_list[bdl.bfl_len] = DLT_DOCSIS; 793 bdl.bfl_len++; 794 } 795 } 796 p->dlt_count = bdl.bfl_len; 797 p->dlt_list = bdl.bfl_list; 798 } else { 799 if (errno != EINVAL) { 800 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 801 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 802 goto bad; 803 } 804 } 805#endif 806 807 /* 808 * If this is an Ethernet device, and we don't have a DLT_ list, 809 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give 810 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to 811 * do, but there's not much we can do about that without finding 812 * some other way of determining whether it's an Ethernet or 802.11 813 * device.) 814 */ 815 if (p->linktype == DLT_EN10MB && p->dlt_count == 0) { 816 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 817 /* 818 * If that fails, just leave the list empty. 819 */ 820 if (p->dlt_list != NULL) { 821 p->dlt_list[0] = DLT_EN10MB; 822 p->dlt_list[1] = DLT_DOCSIS; 823 p->dlt_count = 2; 824 } 825 } 826 827#if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 828 /* 829 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so 830 * the link-layer source address isn't forcibly overwritten. 831 * (Should we ignore errors? Should we do this only if 832 * we're open for writing?) 833 * 834 * XXX - I seem to remember some packet-sending bug in some 835 * BSDs - check CVS log for "bpf.c"? 836 */ 837 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 838 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 839 "BIOCSHDRCMPLT: %s", pcap_strerror(errno)); 840 goto bad; 841 } 842#endif 843 /* set timeout */ 844 if (to_ms != 0) { 845 /* 846 * XXX - is this seconds/nanoseconds in AIX? 847 * (Treating it as such doesn't fix the timeout 848 * problem described below.) 849 */ 850 struct timeval to; 851 to.tv_sec = to_ms / 1000; 852 to.tv_usec = (to_ms * 1000) % 1000000; 853 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) { 854 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s", 855 pcap_strerror(errno)); 856 goto bad; 857 } 858 } 859 860#ifdef _AIX 861#ifdef BIOCIMMEDIATE 862 /* 863 * Darren Reed notes that 864 * 865 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the 866 * timeout appears to be ignored and it waits until the buffer 867 * is filled before returning. The result of not having it 868 * set is almost worse than useless if your BPF filter 869 * is reducing things to only a few packets (i.e. one every 870 * second or so). 871 * 872 * so we turn BIOCIMMEDIATE mode on if this is AIX. 873 * 874 * We don't turn it on for other platforms, as that means we 875 * get woken up for every packet, which may not be what we want; 876 * in the Winter 1993 USENIX paper on BPF, they say: 877 * 878 * Since a process might want to look at every packet on a 879 * network and the time between packets can be only a few 880 * microseconds, it is not possible to do a read system call 881 * per packet and BPF must collect the data from several 882 * packets and return it as a unit when the monitoring 883 * application does a read. 884 * 885 * which I infer is the reason for the timeout - it means we 886 * wait that amount of time, in the hopes that more packets 887 * will arrive and we'll get them all with one read. 888 * 889 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other 890 * BSDs) causes the timeout to be ignored. 891 * 892 * On the other hand, some platforms (e.g., Linux) don't support 893 * timeouts, they just hand stuff to you as soon as it arrives; 894 * if that doesn't cause a problem on those platforms, it may 895 * be OK to have BIOCIMMEDIATE mode on BSD as well. 896 * 897 * (Note, though, that applications may depend on the read 898 * completing, even if no packets have arrived, when the timeout 899 * expires, e.g. GUI applications that have to check for input 900 * while waiting for packets to arrive; a non-zero timeout 901 * prevents "select()" from working right on FreeBSD and 902 * possibly other BSDs, as the timer doesn't start until a 903 * "read()" is done, so the timer isn't in effect if the 904 * application is blocked on a "select()", and the "select()" 905 * doesn't get woken up for a BPF device until the buffer 906 * fills up.) 907 */ 908 v = 1; 909 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) { 910 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s", 911 pcap_strerror(errno)); 912 goto bad; 913 } 914#endif /* BIOCIMMEDIATE */ 915#endif /* _AIX */ 916 917 if (promisc) { 918 /* set promiscuous mode, okay if it fails */ 919 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) { 920 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s", 921 pcap_strerror(errno)); 922 } 923 } 924 925 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) { 926 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s", 927 pcap_strerror(errno)); 928 goto bad; 929 } 930 p->bufsize = v; 931 p->buffer = (u_char *)malloc(p->bufsize); 932 if (p->buffer == NULL) { 933 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 934 pcap_strerror(errno)); 935 goto bad; 936 } 937#ifdef _AIX 938 /* For some strange reason this seems to prevent the EFAULT 939 * problems we have experienced from AIX BPF. */ 940 memset(p->buffer, 0x0, p->bufsize); 941#endif 942 943 /* 944 * If there's no filter program installed, there's 945 * no indication to the kernel of what the snapshot 946 * length should be, so no snapshotting is done. 947 * 948 * Therefore, when we open the device, we install 949 * an "accept everything" filter with the specified 950 * snapshot length. 951 */ 952 total_insn.code = (u_short)(BPF_RET | BPF_K); 953 total_insn.jt = 0; 954 total_insn.jf = 0; 955 total_insn.k = snaplen; 956 957 total_prog.bf_len = 1; 958 total_prog.bf_insns = &total_insn; 959 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) { 960 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 961 pcap_strerror(errno)); 962 goto bad; 963 } 964 965 /* 966 * On most BPF platforms, either you can do a "select()" or 967 * "poll()" on a BPF file descriptor and it works correctly, 968 * or you can do it and it will return "readable" if the 969 * hold buffer is full but not if the timeout expires *and* 970 * a non-blocking read will, if the hold buffer is empty 971 * but the store buffer isn't empty, rotate the buffers 972 * and return what packets are available. 973 * 974 * In the latter case, the fact that a non-blocking read 975 * will give you the available packets means you can work 976 * around the failure of "select()" and "poll()" to wake up 977 * and return "readable" when the timeout expires by using 978 * the timeout as the "select()" or "poll()" timeout, putting 979 * the BPF descriptor into non-blocking mode, and read from 980 * it regardless of whether "select()" reports it as readable 981 * or not. 982 * 983 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()" 984 * won't wake up and return "readable" if the timer expires 985 * and non-blocking reads return EWOULDBLOCK if the hold 986 * buffer is empty, even if the store buffer is non-empty. 987 * 988 * This means the workaround in question won't work. 989 * 990 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd" 991 * to -1, which means "sorry, you can't use 'select()' or 'poll()' 992 * here". On all other BPF platforms, we set it to the FD for 993 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking 994 * read will, if the hold buffer is empty and the store buffer 995 * isn't empty, rotate the buffers and return what packets are 996 * there (and in sufficiently recent versions of OpenBSD 997 * "select()" and "poll()" should work correctly). 998 * 999 * XXX - what about AIX? 1000 */ 1001 if (uname(&osinfo) == 0) { 1002 /* 1003 * We can check what OS this is. 1004 */ 1005 if (strcmp(osinfo.sysname, "FreeBSD") == 0 && 1006 (strncmp(osinfo.release, "4.3-", 4) == 0 || 1007 strncmp(osinfo.release, "4.4-", 4) == 0)) 1008 p->selectable_fd = -1; 1009 else 1010 p->selectable_fd = p->fd; 1011 } else { 1012 /* 1013 * We can't find out what OS this is, so assume we can 1014 * do a "select()" or "poll()". 1015 */ 1016 p->selectable_fd = p->fd; 1017 } 1018 1019 p->read_op = pcap_read_bpf; 1020 p->inject_op = pcap_inject_bpf; 1021 p->setfilter_op = pcap_setfilter_bpf; 1022 p->set_datalink_op = pcap_set_datalink_bpf; 1023 p->getnonblock_op = pcap_getnonblock_fd; 1024 p->setnonblock_op = pcap_setnonblock_fd; 1025 p->stats_op = pcap_stats_bpf; 1026 p->close_op = pcap_close_common; 1027 1028 return (p); 1029 bad: 1030 (void)close(fd); 1031 if (p->dlt_list != NULL) 1032 free(p->dlt_list); 1033 free(p); 1034 return (NULL); 1035} 1036 1037int 1038pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 1039{ 1040#ifdef HAVE_DAG_API 1041 if (dag_platform_finddevs(alldevsp, errbuf) < 0) 1042 return (-1); 1043#endif /* HAVE_DAG_API */ 1044 1045 return (0); 1046} 1047 1048static int 1049pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp) 1050{ 1051 /* 1052 * It looks that BPF code generated by gen_protochain() is not 1053 * compatible with some of kernel BPF code (for example BSD/OS 3.1). 1054 * Take a safer side for now. 1055 */ 1056 if (no_optimize) { 1057 /* 1058 * XXX - what if we already have a filter in the kernel? 1059 */ 1060 if (install_bpf_program(p, fp) < 0) 1061 return (-1); 1062 p->md.use_bpf = 0; /* filtering in userland */ 1063 return (0); 1064 } 1065 1066 /* 1067 * Free any user-mode filter we might happen to have installed. 1068 */ 1069 pcap_freecode(&p->fcode); 1070 1071 /* 1072 * Try to install the kernel filter. 1073 */ 1074 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) { 1075 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 1076 pcap_strerror(errno)); 1077 return (-1); 1078 } 1079 p->md.use_bpf = 1; /* filtering in the kernel */ 1080 1081 /* 1082 * Discard any previously-received packets, as they might have 1083 * passed whatever filter was formerly in effect, but might 1084 * not pass this filter (BIOCSETF discards packets buffered 1085 * in the kernel, so you can lose packets in any case). 1086 */ 1087 p->cc = 0; 1088 return (0); 1089} 1090 1091static int 1092pcap_set_datalink_bpf(pcap_t *p, int dlt) 1093{ 1094#ifdef BIOCSDLT 1095 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) { 1096 (void) snprintf(p->errbuf, sizeof(p->errbuf), 1097 "Cannot set DLT %d: %s", dlt, strerror(errno)); 1098 return (-1); 1099 } 1100#endif 1101 return (0); 1102} 1103