pcap-bpf.c revision 190225
1/* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1998 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * $FreeBSD: head/contrib/libpcap/pcap-bpf.c 190225 2009-03-21 22:58:08Z rpaulo $ 22 */ 23#ifndef lint 24static const char rcsid[] _U_ = 25 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.99.2.17 2008-09-16 18:43:02 guy Exp $ (LBL)"; 26#endif 27 28#ifdef HAVE_CONFIG_H 29#include "config.h" 30#endif 31 32#include <sys/param.h> /* optionally get BSD define */ 33#ifdef HAVE_ZEROCOPY_BPF 34#include <sys/mman.h> 35#endif 36#include <sys/time.h> 37#include <sys/timeb.h> 38#include <sys/socket.h> 39#include <sys/file.h> 40#include <sys/ioctl.h> 41#include <sys/utsname.h> 42 43#ifdef HAVE_ZEROCOPY_BPF 44#include <machine/atomic.h> 45#endif 46 47#include <net/if.h> 48 49#ifdef _AIX 50 51/* 52 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the 53 * native OS version, as we need "struct bpf_config" from it. 54 */ 55#define PCAP_DONT_INCLUDE_PCAP_BPF_H 56 57#include <sys/types.h> 58 59/* 60 * Prevent bpf.h from redefining the DLT_ values to their 61 * IFT_ values, as we're going to return the standard libpcap 62 * values, not IBM's non-standard IFT_ values. 63 */ 64#undef _AIX 65#include <net/bpf.h> 66#define _AIX 67 68#include <net/if_types.h> /* for IFT_ values */ 69#include <sys/sysconfig.h> 70#include <sys/device.h> 71#include <sys/cfgodm.h> 72#include <cf.h> 73 74#ifdef __64BIT__ 75#define domakedev makedev64 76#define getmajor major64 77#define bpf_hdr bpf_hdr32 78#else /* __64BIT__ */ 79#define domakedev makedev 80#define getmajor major 81#endif /* __64BIT__ */ 82 83#define BPF_NAME "bpf" 84#define BPF_MINORS 4 85#define DRIVER_PATH "/usr/lib/drivers" 86#define BPF_NODE "/dev/bpf" 87static int bpfloadedflag = 0; 88static int odmlockid = 0; 89 90#else /* _AIX */ 91 92#include <net/bpf.h> 93 94#endif /* _AIX */ 95 96#ifdef BIOCSETBUFMODE 97#include <machine/atomic.h> 98#endif 99 100#include <ctype.h> 101#include <errno.h> 102#include <netdb.h> 103#include <stdio.h> 104#include <stdlib.h> 105#include <string.h> 106#include <unistd.h> 107 108#ifdef HAVE_NET_IF_MEDIA_H 109# include <net/if_media.h> 110#endif 111 112#include "pcap-int.h" 113 114#ifdef HAVE_DAG_API 115#include "pcap-dag.h" 116#endif /* HAVE_DAG_API */ 117 118#ifdef HAVE_OS_PROTO_H 119#include "os-proto.h" 120#endif 121 122#ifdef BIOCGDLTLIST 123# if (defined(HAVE_NET_IF_MEDIA_H) && defined(IFM_IEEE80211)) && !defined(__APPLE__) 124#define HAVE_BSD_IEEE80211 125# endif 126 127# if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) 128static int find_802_11(struct bpf_dltlist *); 129 130# ifdef HAVE_BSD_IEEE80211 131static int monitor_mode(pcap_t *, int); 132# endif 133 134# if defined(__APPLE__) 135static void remove_en(pcap_t *); 136static void remove_802_11(pcap_t *); 137# endif 138 139# endif /* defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) */ 140 141#endif /* BIOCGDLTLIST */ 142 143/* 144 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably 145 * don't get DLT_DOCSIS defined. 146 */ 147#ifndef DLT_DOCSIS 148#define DLT_DOCSIS 143 149#endif 150 151/* 152 * On OS X, we don't even get any of the 802.11-plus-radio-header DLT_'s 153 * defined, even though some of them are used by various Airport drivers. 154 */ 155#ifndef DLT_PRISM_HEADER 156#define DLT_PRISM_HEADER 119 157#endif 158#ifndef DLT_AIRONET_HEADER 159#define DLT_AIRONET_HEADER 120 160#endif 161#ifndef DLT_IEEE802_11_RADIO 162#define DLT_IEEE802_11_RADIO 127 163#endif 164#ifndef DLT_IEEE802_11_RADIO_AVS 165#define DLT_IEEE802_11_RADIO_AVS 163 166#endif 167 168static int pcap_can_set_rfmon_bpf(pcap_t *p); 169static int pcap_activate_bpf(pcap_t *p); 170static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp); 171static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t); 172static int pcap_set_datalink_bpf(pcap_t *p, int dlt); 173 174#ifdef HAVE_ZEROCOPY_BPF 175/* 176 * For zerocopy bpf, we need to override the setnonblock/getnonblock routines 177 * so we don't call select(2) if the pcap handle is in non-blocking mode. We 178 * preserve the timeout supplied by pcap_open functions to make sure it 179 * does not get clobbered if the pcap handle moves between blocking and non- 180 * blocking mode. 181 */ 182static int 183pcap_getnonblock_zbuf(pcap_t *p, char *errbuf) 184{ 185 /* 186 * Use a negative value for the timeout to represent that the 187 * pcap handle is in non-blocking mode. 188 */ 189 return (p->md.timeout < 0); 190} 191 192static int 193pcap_setnonblock_zbuf(pcap_t *p, int nonblock, char *errbuf) 194{ 195 /* 196 * Map each value to the corresponding 2's complement, to 197 * preserve the timeout value provided with pcap_set_timeout. 198 * (from pcap-linux.c). 199 */ 200 if (nonblock) { 201 if (p->md.timeout > 0) 202 p->md.timeout = p->md.timeout * -1 - 1; 203 } else 204 if (p->md.timeout < 0) 205 p->md.timeout = (p->md.timeout + 1) * -1; 206 return (0); 207} 208 209/* 210 * Zero-copy specific close method. Un-map the shared buffers then call 211 * pcap_cleanup_live_common. 212 */ 213static void 214pcap_cleanup_zbuf(pcap_t *p) 215{ 216 /* 217 * Delete the mappings. Note that p->buffer gets initialized to one 218 * of the mmapped regions in this case, so do not try and free it 219 * directly; null it out so that pcap_cleanup_live_common() doesn't 220 * try to free it. 221 */ 222 if (p->md.zbuf1 != MAP_FAILED && p->md.zbuf1 != NULL) 223 (void) munmap(p->md.zbuf1, p->md.zbufsize); 224 if (p->md.zbuf2 != MAP_FAILED && p->md.zbuf2 != NULL) 225 (void) munmap(p->md.zbuf2, p->md.zbufsize); 226 p->buffer = NULL; 227 pcap_cleanup_live_common(p); 228} 229 230/* 231 * Zero-copy BPF buffer routines to check for and acknowledge BPF data in 232 * shared memory buffers. 233 * 234 * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer, 235 * and set up p->buffer and cc to reflect one if available. Notice that if 236 * there was no prior buffer, we select zbuf1 as this will be the first 237 * buffer filled for a fresh BPF session. 238 */ 239static int 240pcap_next_zbuf_shm(pcap_t *p, int *cc) 241{ 242 struct bpf_zbuf_header *bzh; 243 244 if (p->md.zbuffer == p->md.zbuf2 || p->md.zbuffer == NULL) { 245 bzh = (struct bpf_zbuf_header *)p->md.zbuf1; 246 if (bzh->bzh_user_gen != 247 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 248 p->md.bzh = bzh; 249 p->md.zbuffer = (u_char *)p->md.zbuf1; 250 p->buffer = p->md.zbuffer + sizeof(*bzh); 251 *cc = bzh->bzh_kernel_len; 252 return (1); 253 } 254 } else if (p->md.zbuffer == p->md.zbuf1) { 255 bzh = (struct bpf_zbuf_header *)p->md.zbuf2; 256 if (bzh->bzh_user_gen != 257 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 258 p->md.bzh = bzh; 259 p->md.zbuffer = (u_char *)p->md.zbuf2; 260 p->buffer = p->md.zbuffer + sizeof(*bzh); 261 *cc = bzh->bzh_kernel_len; 262 return (1); 263 } 264 } 265 *cc = 0; 266 return (0); 267} 268 269/* 270 * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using 271 * select() for data or a timeout, and possibly force rotation of the buffer 272 * in the event we time out or are in immediate mode. Invoke the shared 273 * memory check before doing system calls in order to avoid doing avoidable 274 * work. 275 */ 276static int 277pcap_next_zbuf(pcap_t *p, int *cc) 278{ 279 struct bpf_zbuf bz; 280 struct timeval tv; 281 struct timespec cur; 282 fd_set r_set; 283 int data, r; 284 int expire, tmout; 285 286#define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000)) 287 /* 288 * Start out by seeing whether anything is waiting by checking the 289 * next shared memory buffer for data. 290 */ 291 data = pcap_next_zbuf_shm(p, cc); 292 if (data) 293 return (data); 294 /* 295 * If a previous sleep was interrupted due to signal delivery, make 296 * sure that the timeout gets adjusted accordingly. This requires 297 * that we analyze when the timeout should be been expired, and 298 * subtract the current time from that. If after this operation, 299 * our timeout is less then or equal to zero, handle it like a 300 * regular timeout. 301 */ 302 tmout = p->md.timeout; 303 if (tmout) 304 (void) clock_gettime(CLOCK_MONOTONIC, &cur); 305 if (p->md.interrupted && p->md.timeout) { 306 expire = TSTOMILLI(&p->md.firstsel) + p->md.timeout; 307 tmout = expire - TSTOMILLI(&cur); 308#undef TSTOMILLI 309 if (tmout <= 0) { 310 p->md.interrupted = 0; 311 data = pcap_next_zbuf_shm(p, cc); 312 if (data) 313 return (data); 314 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 315 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 316 "BIOCROTZBUF: %s", strerror(errno)); 317 return (PCAP_ERROR); 318 } 319 return (pcap_next_zbuf_shm(p, cc)); 320 } 321 } 322 /* 323 * No data in the buffer, so must use select() to wait for data or 324 * the next timeout. Note that we only call select if the handle 325 * is in blocking mode. 326 */ 327 if (p->md.timeout >= 0) { 328 FD_ZERO(&r_set); 329 FD_SET(p->fd, &r_set); 330 if (tmout != 0) { 331 tv.tv_sec = tmout / 1000; 332 tv.tv_usec = (tmout * 1000) % 1000000; 333 } 334 r = select(p->fd + 1, &r_set, NULL, NULL, 335 p->md.timeout != 0 ? &tv : NULL); 336 if (r < 0 && errno == EINTR) { 337 if (!p->md.interrupted && p->md.timeout) { 338 p->md.interrupted = 1; 339 p->md.firstsel = cur; 340 } 341 return (0); 342 } else if (r < 0) { 343 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 344 "select: %s", strerror(errno)); 345 return (PCAP_ERROR); 346 } 347 } 348 p->md.interrupted = 0; 349 /* 350 * Check again for data, which may exist now that we've either been 351 * woken up as a result of data or timed out. Try the "there's data" 352 * case first since it doesn't require a system call. 353 */ 354 data = pcap_next_zbuf_shm(p, cc); 355 if (data) 356 return (data); 357 /* 358 * Try forcing a buffer rotation to dislodge timed out or immediate 359 * data. 360 */ 361 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 362 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 363 "BIOCROTZBUF: %s", strerror(errno)); 364 return (PCAP_ERROR); 365 } 366 return (pcap_next_zbuf_shm(p, cc)); 367} 368 369/* 370 * Notify kernel that we are done with the buffer. We don't reset zbuffer so 371 * that we know which buffer to use next time around. 372 */ 373static int 374pcap_ack_zbuf(pcap_t *p) 375{ 376 377 atomic_store_rel_int(&p->md.bzh->bzh_user_gen, 378 p->md.bzh->bzh_kernel_gen); 379 p->md.bzh = NULL; 380 p->buffer = NULL; 381 return (0); 382} 383#endif 384 385pcap_t * 386pcap_create(const char *device, char *ebuf) 387{ 388 pcap_t *p; 389 390#ifdef HAVE_DAG_API 391 if (strstr(device, "dag")) 392 return (dag_create(device, ebuf)); 393#endif /* HAVE_DAG_API */ 394 395 p = pcap_create_common(device, ebuf); 396 if (p == NULL) 397 return (NULL); 398 399 p->activate_op = pcap_activate_bpf; 400 p->can_set_rfmon_op = pcap_can_set_rfmon_bpf; 401 return (p); 402} 403 404static int 405bpf_open(pcap_t *p) 406{ 407 int fd; 408#ifdef HAVE_CLONING_BPF 409 static const char device[] = "/dev/bpf"; 410#else 411 int n = 0; 412 char device[sizeof "/dev/bpf0000000000"]; 413#endif 414 415#ifdef _AIX 416 /* 417 * Load the bpf driver, if it isn't already loaded, 418 * and create the BPF device entries, if they don't 419 * already exist. 420 */ 421 if (bpf_load(p->errbuf) == PCAP_ERROR) 422 return (PCAP_ERROR); 423#endif 424 425#ifdef HAVE_CLONING_BPF 426 if ((fd = open(device, O_RDWR)) == -1 && 427 (errno != EACCES || (fd = open(device, O_RDONLY)) == -1)) { 428 if (errno == EACCES) 429 fd = PCAP_ERROR_PERM_DENIED; 430 else 431 fd = PCAP_ERROR; 432 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 433 "(cannot open device) %s: %s", device, pcap_strerror(errno)); 434 } 435#else 436 /* 437 * Go through all the minors and find one that isn't in use. 438 */ 439 do { 440 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++); 441 /* 442 * Initially try a read/write open (to allow the inject 443 * method to work). If that fails due to permission 444 * issues, fall back to read-only. This allows a 445 * non-root user to be granted specific access to pcap 446 * capabilities via file permissions. 447 * 448 * XXX - we should have an API that has a flag that 449 * controls whether to open read-only or read-write, 450 * so that denial of permission to send (or inability 451 * to send, if sending packets isn't supported on 452 * the device in question) can be indicated at open 453 * time. 454 */ 455 fd = open(device, O_RDWR); 456 if (fd == -1 && errno == EACCES) 457 fd = open(device, O_RDONLY); 458 } while (fd < 0 && errno == EBUSY); 459 460 /* 461 * XXX better message for all minors used 462 */ 463 if (fd < 0) { 464 if (errno == EACCES) 465 fd = PCAP_ERROR_PERM_DENIED; 466 else 467 fd = PCAP_ERROR; 468 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s", 469 device, pcap_strerror(errno)); 470 } 471#endif 472 473 return (fd); 474} 475 476#ifdef BIOCGDLTLIST 477static int 478get_dlt_list(int fd, int v, struct bpf_dltlist *bdlp, char *ebuf) 479{ 480 memset(bdlp, 0, sizeof(*bdlp)); 481 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) == 0) { 482 u_int i; 483 int is_ethernet; 484 485 bdlp->bfl_list = (u_int *) malloc(sizeof(u_int) * (bdlp->bfl_len + 1)); 486 if (bdlp->bfl_list == NULL) { 487 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 488 pcap_strerror(errno)); 489 return (PCAP_ERROR); 490 } 491 492 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) < 0) { 493 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 494 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 495 free(bdlp->bfl_list); 496 return (PCAP_ERROR); 497 } 498 499 /* 500 * OK, for real Ethernet devices, add DLT_DOCSIS to the 501 * list, so that an application can let you choose it, 502 * in case you're capturing DOCSIS traffic that a Cisco 503 * Cable Modem Termination System is putting out onto 504 * an Ethernet (it doesn't put an Ethernet header onto 505 * the wire, it puts raw DOCSIS frames out on the wire 506 * inside the low-level Ethernet framing). 507 * 508 * A "real Ethernet device" is defined here as a device 509 * that has a link-layer type of DLT_EN10MB and that has 510 * no alternate link-layer types; that's done to exclude 511 * 802.11 interfaces (which might or might not be the 512 * right thing to do, but I suspect it is - Ethernet <-> 513 * 802.11 bridges would probably badly mishandle frames 514 * that don't have Ethernet headers). 515 */ 516 if (v == DLT_EN10MB) { 517 is_ethernet = 1; 518 for (i = 0; i < bdlp->bfl_len; i++) { 519 if (bdlp->bfl_list[i] != DLT_EN10MB) { 520 is_ethernet = 0; 521 break; 522 } 523 } 524 if (is_ethernet) { 525 /* 526 * We reserved one more slot at the end of 527 * the list. 528 */ 529 bdlp->bfl_list[bdlp->bfl_len] = DLT_DOCSIS; 530 bdlp->bfl_len++; 531 } 532 } 533 } else { 534 /* 535 * EINVAL just means "we don't support this ioctl on 536 * this device"; don't treat it as an error. 537 */ 538 if (errno != EINVAL) { 539 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 540 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 541 return (PCAP_ERROR); 542 } 543 } 544 return (0); 545} 546#endif 547 548static int 549pcap_can_set_rfmon_bpf(pcap_t *p) 550{ 551#if defined(__APPLE__) 552 struct utsname osinfo; 553 struct ifreq ifr; 554 int fd; 555#ifdef BIOCGDLTLIST 556 struct bpf_dltlist bdl; 557#endif 558 559 /* 560 * The joys of monitor mode on OS X. 561 * 562 * Prior to 10.4, it's not supported at all. 563 * 564 * In 10.4, if adapter enN supports monitor mode, there's a 565 * wltN adapter corresponding to it; you open it, instead of 566 * enN, to get monitor mode. You get whatever link-layer 567 * headers it supplies. 568 * 569 * In 10.5, and, we assume, later releases, if adapter enN 570 * supports monitor mode, it offers, among its selectable 571 * DLT_ values, values that let you get the 802.11 header; 572 * selecting one of those values puts the adapter into monitor 573 * mode (i.e., you can't get 802.11 headers except in monitor 574 * mode, and you can't get Ethernet headers in monitor mode). 575 */ 576 if (uname(&osinfo) == -1) { 577 /* 578 * Can't get the OS version; just say "no". 579 */ 580 return (0); 581 } 582 /* 583 * We assume osinfo.sysname is "Darwin", because 584 * __APPLE__ is defined. We just check the version. 585 */ 586 if (osinfo.release[0] < '8' && osinfo.release[1] == '.') { 587 /* 588 * 10.3 (Darwin 7.x) or earlier. 589 * Monitor mode not supported. 590 */ 591 return (0); 592 } 593 if (osinfo.release[0] == '8' && osinfo.release[1] == '.') { 594 /* 595 * 10.4 (Darwin 8.x). s/en/wlt/, and check 596 * whether the device exists. 597 */ 598 if (strncmp(p->opt.source, "en", 2) != 0) { 599 /* 600 * Not an enN device; no monitor mode. 601 */ 602 return (0); 603 } 604 fd = socket(AF_INET, SOCK_DGRAM, 0); 605 if (fd == -1) { 606 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 607 "socket: %s", pcap_strerror(errno)); 608 return (PCAP_ERROR); 609 } 610 strlcpy(ifr.ifr_name, "wlt", sizeof(ifr.ifr_name)); 611 strlcat(ifr.ifr_name, p->opt.source + 2, sizeof(ifr.ifr_name)); 612 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) { 613 /* 614 * No such device? 615 */ 616 close(fd); 617 return (0); 618 } 619 close(fd); 620 return (1); 621 } 622 623#ifdef BIOCGDLTLIST 624 /* 625 * Everything else is 10.5 or later; for those, 626 * we just open the enN device, and check whether 627 * we have any 802.11 devices. 628 * 629 * First, open a BPF device. 630 */ 631 fd = bpf_open(p); 632 if (fd < 0) 633 return (fd); 634 635 /* 636 * Now bind to the device. 637 */ 638 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name)); 639 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 640 if (errno == ENETDOWN) { 641 /* 642 * Return a "network down" indication, so that 643 * the application can report that rather than 644 * saying we had a mysterious failure and 645 * suggest that they report a problem to the 646 * libpcap developers. 647 */ 648 close(fd); 649 return (PCAP_ERROR_IFACE_NOT_UP); 650 } else { 651 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 652 "BIOCSETIF: %s: %s", 653 p->opt.source, pcap_strerror(errno)); 654 close(fd); 655 return (PCAP_ERROR); 656 } 657 } 658 659 /* 660 * We know the default link type -- now determine all the DLTs 661 * this interface supports. If this fails with EINVAL, it's 662 * not fatal; we just don't get to use the feature later. 663 * (We don't care about DLT_DOCSIS, so we pass DLT_NULL 664 * as the default DLT for this adapter.) 665 */ 666 if (get_dlt_list(fd, DLT_NULL, &bdl, p->errbuf) == PCAP_ERROR) { 667 close(fd); 668 return (PCAP_ERROR); 669 } 670 if (find_802_11(&bdl) != -1) { 671 /* 672 * We have an 802.11 DLT, so we can set monitor mode. 673 */ 674 free(bdl.bfl_list); 675 close(fd); 676 return (1); 677 } 678 free(bdl.bfl_list); 679#endif /* BIOCGDLTLIST */ 680 return (0); 681#elif defined(HAVE_BSD_IEEE80211) 682 int ret; 683 684 ret = monitor_mode(p, 0); 685 if (ret == PCAP_ERROR_RFMON_NOTSUP) 686 return (0); /* not an error, just a "can't do" */ 687 if (ret == 0) 688 return (1); /* success */ 689 return (ret); 690#else 691 return (0); 692#endif 693} 694 695static int 696pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps) 697{ 698 struct bpf_stat s; 699 700 /* 701 * "ps_recv" counts packets handed to the filter, not packets 702 * that passed the filter. This includes packets later dropped 703 * because we ran out of buffer space. 704 * 705 * "ps_drop" counts packets dropped inside the BPF device 706 * because we ran out of buffer space. It doesn't count 707 * packets dropped by the interface driver. It counts 708 * only packets that passed the filter. 709 * 710 * Both statistics include packets not yet read from the kernel 711 * by libpcap, and thus not yet seen by the application. 712 */ 713 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) { 714 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s", 715 pcap_strerror(errno)); 716 return (PCAP_ERROR); 717 } 718 719 ps->ps_recv = s.bs_recv; 720 ps->ps_drop = s.bs_drop; 721 return (0); 722} 723 724#ifdef BIOCGETBUFMODE 725/* 726 * Zero-copy BPF buffer routines to check for and acknowledge BPF data in 727 * shared memory buffers. 728 * 729 * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer, 730 * and set up p->buffer and cc to reflect one if available. Notice that if 731 * there was no prior buffer, we select zbuf1 as this will be the first 732 * buffer filled for a fresh BPF session. 733 */ 734static int 735pcap_next_zbuf_shm(pcap_t *p, int *cc) 736{ 737 struct bpf_zbuf_header *bzh; 738 739 if (p->zbuffer == p->zbuf2 || p->zbuffer == NULL) { 740 bzh = (struct bpf_zbuf_header *)p->zbuf1; 741 if (bzh->bzh_user_gen != 742 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 743 p->bzh = bzh; 744 p->zbuffer = (u_char *)p->zbuf1; 745 p->buffer = p->zbuffer + sizeof(*bzh); 746 *cc = bzh->bzh_kernel_len; 747 return (1); 748 } 749 } else if (p->zbuffer == p->zbuf1) { 750 bzh = (struct bpf_zbuf_header *)p->zbuf2; 751 if (bzh->bzh_user_gen != 752 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 753 p->bzh = bzh; 754 p->zbuffer = (u_char *)p->zbuf2; 755 p->buffer = p->zbuffer + sizeof(*bzh); 756 *cc = bzh->bzh_kernel_len; 757 return (1); 758 } 759 } 760 *cc = 0; 761 return (0); 762} 763 764/* 765 * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using 766 * select() for data or a timeout, and possibly force rotation of the buffer 767 * in the event we time out or are in immediate mode. Invoke the shared 768 * memory check before doing system calls in order to avoid doing avoidable 769 * work. 770 */ 771static int 772pcap_next_zbuf(pcap_t *p, int *cc) 773{ 774 struct bpf_zbuf bz; 775 struct timeval tv; 776 struct timespec cur; 777 fd_set r_set; 778 int data, r; 779 int tmout, expire; 780 781#define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000)) 782 /* 783 * Start out by seeing whether anything is waiting by checking the 784 * next shared memory buffer for data. 785 */ 786 data = pcap_next_zbuf_shm(p, cc); 787 if (data) 788 return (data); 789 /* 790 * If a previous sleep was interrupted due to signal delivery, make 791 * sure that the timeout gets adjusted accordingly. This requires 792 * that we analyze when the timeout should be been expired, and 793 * subtract the current time from that. If after this operation, 794 * our timeout is less then or equal to zero, handle it like a 795 * regular timeout. 796 */ 797 tmout = p->to_ms; 798 if (tmout) 799 (void) clock_gettime(CLOCK_MONOTONIC, &cur); 800 if (p->interrupted && p->to_ms) { 801 expire = TSTOMILLI(&p->firstsel) + p->to_ms; 802 tmout = expire - TSTOMILLI(&cur); 803#undef TSTOMILLI 804 if (tmout <= 0) { 805 p->interrupted = 0; 806 data = pcap_next_zbuf_shm(p, cc); 807 if (data) 808 return (data); 809 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 810 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 811 "BIOCROTZBUF: %s", strerror(errno)); 812 return (-1); 813 } 814 return (pcap_next_zbuf_shm(p, cc)); 815 } 816 } 817 /* 818 * No data in the buffer, so must use select() to wait for data or 819 * the next timeout. 820 */ 821 FD_ZERO(&r_set); 822 FD_SET(p->fd, &r_set); 823 if (tmout != 0) { 824 tv.tv_sec = tmout / 1000; 825 tv.tv_usec = (tmout * 1000) % 1000000; 826 } 827 r = select(p->fd + 1, &r_set, NULL, NULL, p->to_ms != 0 ? &tv : 828 NULL); 829 if (r < 0 && errno == EINTR) { 830 if (!p->interrupted && p->to_ms) { 831 p->interrupted = 1; 832 p->firstsel = cur; 833 } 834 return (0); 835 } else if (r < 0) { 836 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 837 "select: %s", strerror(errno)); 838 return (-1); 839 } 840 p->interrupted = 0; 841 /* 842 * Check again for data, which may exist now that we've either been 843 * woken up as a result of data or timed out. Try the "there's data" 844 * case first since it doesn't require a system call. 845 */ 846 data = pcap_next_zbuf_shm(p, cc); 847 if (data) 848 return (data); 849 850 /* 851 * Try forcing a buffer rotation to dislodge timed out or immediate 852 * data. 853 */ 854 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 855 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 856 "BIOCROTZBUF: %s", strerror(errno)); 857 return (-1); 858 } 859 return (pcap_next_zbuf_shm(p, cc)); 860} 861 862/* 863 * Notify kernel that we are done with the buffer. We don't reset zbuffer so 864 * that we know which buffer to use next time around. 865 */ 866static int 867pcap_ack_zbuf(pcap_t *p) 868{ 869 870 atomic_store_rel_int(&p->bzh->bzh_user_gen, p->bzh->bzh_kernel_gen); 871 p->bzh = NULL; 872 p->buffer = NULL; 873 return (0); 874} 875#endif 876 877static int 878pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 879{ 880 int cc; 881 int n = 0; 882 register u_char *bp, *ep; 883 u_char *datap; 884#ifdef BIOCSETBUFMODE 885 int i; 886#endif 887#ifdef PCAP_FDDIPAD 888 register int pad; 889#endif 890#ifdef HAVE_ZEROCOPY_BPF 891 int i; 892#endif 893 894 again: 895 /* 896 * Has "pcap_breakloop()" been called? 897 */ 898 if (p->break_loop) { 899 /* 900 * Yes - clear the flag that indicates that it 901 * has, and return PCAP_ERROR_BREAK to indicate 902 * that we were told to break out of the loop. 903 */ 904 p->break_loop = 0; 905 return (PCAP_ERROR_BREAK); 906 } 907 cc = p->cc; 908 if (p->cc == 0) { 909 /* 910 * When reading without zero-copy from a file descriptor, we 911 * use a single buffer and return a length of data in the 912 * buffer. With zero-copy, we update the p->buffer pointer 913 * to point at whatever underlying buffer contains the next 914 * data and update cc to reflect the data found in the 915 * buffer. 916 */ 917#ifdef HAVE_ZEROCOPY_BPF 918 if (p->md.zerocopy) { 919 if (p->buffer != NULL) 920 pcap_ack_zbuf(p); 921 i = pcap_next_zbuf(p, &cc); 922 if (i == 0) 923 goto again; 924 if (i < 0) 925 return (PCAP_ERROR); 926 } else 927#endif 928 { 929 cc = read(p->fd, (char *)p->buffer, p->bufsize); 930 } 931 if (cc < 0) { 932 /* Don't choke when we get ptraced */ 933 switch (errno) { 934 935 case EINTR: 936 goto again; 937 938#ifdef _AIX 939 case EFAULT: 940 /* 941 * Sigh. More AIX wonderfulness. 942 * 943 * For some unknown reason the uiomove() 944 * operation in the bpf kernel extension 945 * used to copy the buffer into user 946 * space sometimes returns EFAULT. I have 947 * no idea why this is the case given that 948 * a kernel debugger shows the user buffer 949 * is correct. This problem appears to 950 * be mostly mitigated by the memset of 951 * the buffer before it is first used. 952 * Very strange.... Shaun Clowes 953 * 954 * In any case this means that we shouldn't 955 * treat EFAULT as a fatal error; as we 956 * don't have an API for returning 957 * a "some packets were dropped since 958 * the last packet you saw" indication, 959 * we just ignore EFAULT and keep reading. 960 */ 961 goto again; 962#endif 963 964 case EWOULDBLOCK: 965 return (0); 966#if defined(sun) && !defined(BSD) 967 /* 968 * Due to a SunOS bug, after 2^31 bytes, the kernel 969 * file offset overflows and read fails with EINVAL. 970 * The lseek() to 0 will fix things. 971 */ 972 case EINVAL: 973 if (lseek(p->fd, 0L, SEEK_CUR) + 974 p->bufsize < 0) { 975 (void)lseek(p->fd, 0L, SEEK_SET); 976 goto again; 977 } 978 /* fall through */ 979#endif 980 } 981 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s", 982 pcap_strerror(errno)); 983 return (PCAP_ERROR); 984 } 985 bp = p->buffer; 986 } else 987 bp = p->bp; 988 989 /* 990 * Loop through each packet. 991 */ 992#define bhp ((struct bpf_hdr *)bp) 993 ep = bp + cc; 994#ifdef PCAP_FDDIPAD 995 pad = p->fddipad; 996#endif 997 while (bp < ep) { 998 register int caplen, hdrlen; 999 1000 /* 1001 * Has "pcap_breakloop()" been called? 1002 * If so, return immediately - if we haven't read any 1003 * packets, clear the flag and return PCAP_ERROR_BREAK 1004 * to indicate that we were told to break out of the loop, 1005 * otherwise leave the flag set, so that the *next* call 1006 * will break out of the loop without having read any 1007 * packets, and return the number of packets we've 1008 * processed so far. 1009 */ 1010 if (p->break_loop) { 1011 if (n == 0) { 1012 p->break_loop = 0; 1013 return (PCAP_ERROR_BREAK); 1014 } else { 1015 p->bp = bp; 1016 p->cc = ep - bp; 1017 return (n); 1018 } 1019 } 1020 1021 caplen = bhp->bh_caplen; 1022 hdrlen = bhp->bh_hdrlen; 1023 datap = bp + hdrlen; 1024 /* 1025 * Short-circuit evaluation: if using BPF filter 1026 * in kernel, no need to do it now - we already know 1027 * the packet passed the filter. 1028 * 1029#ifdef PCAP_FDDIPAD 1030 * Note: the filter code was generated assuming 1031 * that p->fddipad was the amount of padding 1032 * before the header, as that's what's required 1033 * in the kernel, so we run the filter before 1034 * skipping that padding. 1035#endif 1036 */ 1037 if (p->md.use_bpf || 1038 bpf_filter(p->fcode.bf_insns, datap, bhp->bh_datalen, caplen)) { 1039 struct pcap_pkthdr pkthdr; 1040 1041 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec; 1042#ifdef _AIX 1043 /* 1044 * AIX's BPF returns seconds/nanoseconds time 1045 * stamps, not seconds/microseconds time stamps. 1046 */ 1047 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000; 1048#else 1049 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec; 1050#endif 1051#ifdef PCAP_FDDIPAD 1052 if (caplen > pad) 1053 pkthdr.caplen = caplen - pad; 1054 else 1055 pkthdr.caplen = 0; 1056 if (bhp->bh_datalen > pad) 1057 pkthdr.len = bhp->bh_datalen - pad; 1058 else 1059 pkthdr.len = 0; 1060 datap += pad; 1061#else 1062 pkthdr.caplen = caplen; 1063 pkthdr.len = bhp->bh_datalen; 1064#endif 1065 (*callback)(user, &pkthdr, datap); 1066 bp += BPF_WORDALIGN(caplen + hdrlen); 1067 if (++n >= cnt && cnt > 0) { 1068 p->bp = bp; 1069 p->cc = ep - bp; 1070 return (n); 1071 } 1072 } else { 1073 /* 1074 * Skip this packet. 1075 */ 1076 bp += BPF_WORDALIGN(caplen + hdrlen); 1077 } 1078 } 1079#undef bhp 1080 p->cc = 0; 1081 return (n); 1082} 1083 1084static int 1085pcap_inject_bpf(pcap_t *p, const void *buf, size_t size) 1086{ 1087 int ret; 1088 1089 ret = write(p->fd, buf, size); 1090#ifdef __APPLE__ 1091 if (ret == -1 && errno == EAFNOSUPPORT) { 1092 /* 1093 * In Mac OS X, there's a bug wherein setting the 1094 * BIOCSHDRCMPLT flag causes writes to fail; see, 1095 * for example: 1096 * 1097 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch 1098 * 1099 * So, if, on OS X, we get EAFNOSUPPORT from the write, we 1100 * assume it's due to that bug, and turn off that flag 1101 * and try again. If we succeed, it either means that 1102 * somebody applied the fix from that URL, or other patches 1103 * for that bug from 1104 * 1105 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/ 1106 * 1107 * and are running a Darwin kernel with those fixes, or 1108 * that Apple fixed the problem in some OS X release. 1109 */ 1110 u_int spoof_eth_src = 0; 1111 1112 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 1113 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1114 "send: can't turn off BIOCSHDRCMPLT: %s", 1115 pcap_strerror(errno)); 1116 return (PCAP_ERROR); 1117 } 1118 1119 /* 1120 * Now try the write again. 1121 */ 1122 ret = write(p->fd, buf, size); 1123 } 1124#endif /* __APPLE__ */ 1125 if (ret == -1) { 1126 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 1127 pcap_strerror(errno)); 1128 return (PCAP_ERROR); 1129 } 1130 return (ret); 1131} 1132 1133#ifdef _AIX 1134static int 1135bpf_odminit(char *errbuf) 1136{ 1137 char *errstr; 1138 1139 if (odm_initialize() == -1) { 1140 if (odm_err_msg(odmerrno, &errstr) == -1) 1141 errstr = "Unknown error"; 1142 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1143 "bpf_load: odm_initialize failed: %s", 1144 errstr); 1145 return (PCAP_ERROR); 1146 } 1147 1148 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) { 1149 if (odm_err_msg(odmerrno, &errstr) == -1) 1150 errstr = "Unknown error"; 1151 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1152 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s", 1153 errstr); 1154 return (PCAP_ERROR); 1155 } 1156 1157 return (0); 1158} 1159 1160static int 1161bpf_odmcleanup(char *errbuf) 1162{ 1163 char *errstr; 1164 1165 if (odm_unlock(odmlockid) == -1) { 1166 if (odm_err_msg(odmerrno, &errstr) == -1) 1167 errstr = "Unknown error"; 1168 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1169 "bpf_load: odm_unlock failed: %s", 1170 errstr); 1171 return (PCAP_ERROR); 1172 } 1173 1174 if (odm_terminate() == -1) { 1175 if (odm_err_msg(odmerrno, &errstr) == -1) 1176 errstr = "Unknown error"; 1177 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1178 "bpf_load: odm_terminate failed: %s", 1179 errstr); 1180 return (PCAP_ERROR); 1181 } 1182 1183 return (0); 1184} 1185 1186static int 1187bpf_load(char *errbuf) 1188{ 1189 long major; 1190 int *minors; 1191 int numminors, i, rc; 1192 char buf[1024]; 1193 struct stat sbuf; 1194 struct bpf_config cfg_bpf; 1195 struct cfg_load cfg_ld; 1196 struct cfg_kmod cfg_km; 1197 1198 /* 1199 * This is very very close to what happens in the real implementation 1200 * but I've fixed some (unlikely) bug situations. 1201 */ 1202 if (bpfloadedflag) 1203 return (0); 1204 1205 if (bpf_odminit(errbuf) == PCAP_ERROR) 1206 return (PCAP_ERROR); 1207 1208 major = genmajor(BPF_NAME); 1209 if (major == -1) { 1210 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1211 "bpf_load: genmajor failed: %s", pcap_strerror(errno)); 1212 return (PCAP_ERROR); 1213 } 1214 1215 minors = getminor(major, &numminors, BPF_NAME); 1216 if (!minors) { 1217 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1); 1218 if (!minors) { 1219 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1220 "bpf_load: genminor failed: %s", 1221 pcap_strerror(errno)); 1222 return (PCAP_ERROR); 1223 } 1224 } 1225 1226 if (bpf_odmcleanup(errbuf) == PCAP_ERROR) 1227 return (PCAP_ERROR); 1228 1229 rc = stat(BPF_NODE "0", &sbuf); 1230 if (rc == -1 && errno != ENOENT) { 1231 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1232 "bpf_load: can't stat %s: %s", 1233 BPF_NODE "0", pcap_strerror(errno)); 1234 return (PCAP_ERROR); 1235 } 1236 1237 if (rc == -1 || getmajor(sbuf.st_rdev) != major) { 1238 for (i = 0; i < BPF_MINORS; i++) { 1239 sprintf(buf, "%s%d", BPF_NODE, i); 1240 unlink(buf); 1241 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) { 1242 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1243 "bpf_load: can't mknod %s: %s", 1244 buf, pcap_strerror(errno)); 1245 return (PCAP_ERROR); 1246 } 1247 } 1248 } 1249 1250 /* Check if the driver is loaded */ 1251 memset(&cfg_ld, 0x0, sizeof(cfg_ld)); 1252 cfg_ld.path = buf; 1253 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME); 1254 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) || 1255 (cfg_ld.kmid == 0)) { 1256 /* Driver isn't loaded, load it now */ 1257 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) { 1258 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1259 "bpf_load: could not load driver: %s", 1260 strerror(errno)); 1261 return (PCAP_ERROR); 1262 } 1263 } 1264 1265 /* Configure the driver */ 1266 cfg_km.cmd = CFG_INIT; 1267 cfg_km.kmid = cfg_ld.kmid; 1268 cfg_km.mdilen = sizeof(cfg_bpf); 1269 cfg_km.mdiptr = (void *)&cfg_bpf; 1270 for (i = 0; i < BPF_MINORS; i++) { 1271 cfg_bpf.devno = domakedev(major, i); 1272 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) { 1273 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1274 "bpf_load: could not configure driver: %s", 1275 strerror(errno)); 1276 return (PCAP_ERROR); 1277 } 1278 } 1279 1280 bpfloadedflag = 1; 1281 1282 return (0); 1283} 1284#endif 1285 1286/* 1287 * Turn off rfmon mode if necessary. 1288 */ 1289static void 1290pcap_cleanup_bpf(pcap_t *p) 1291{ 1292#ifdef HAVE_BSD_IEEE80211 1293 int sock; 1294 struct ifmediareq req; 1295 struct ifreq ifr; 1296#endif 1297 1298 if (p->md.must_clear != 0) { 1299 /* 1300 * There's something we have to do when closing this 1301 * pcap_t. 1302 */ 1303#ifdef HAVE_BSD_IEEE80211 1304 if (p->md.must_clear & MUST_CLEAR_RFMON) { 1305 /* 1306 * We put the interface into rfmon mode; 1307 * take it out of rfmon mode. 1308 * 1309 * XXX - if somebody else wants it in rfmon 1310 * mode, this code cannot know that, so it'll take 1311 * it out of rfmon mode. 1312 */ 1313 sock = socket(AF_INET, SOCK_DGRAM, 0); 1314 if (sock == -1) { 1315 fprintf(stderr, 1316 "Can't restore interface flags (socket() failed: %s).\n" 1317 "Please adjust manually.\n", 1318 strerror(errno)); 1319 } else { 1320 memset(&req, 0, sizeof(req)); 1321 strncpy(req.ifm_name, p->md.device, 1322 sizeof(req.ifm_name)); 1323 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 1324 fprintf(stderr, 1325 "Can't restore interface flags (SIOCGIFMEDIA failed: %s).\n" 1326 "Please adjust manually.\n", 1327 strerror(errno)); 1328 } else { 1329 if (req.ifm_current & IFM_IEEE80211_MONITOR) { 1330 /* 1331 * Rfmon mode is currently on; 1332 * turn it off. 1333 */ 1334 memset(&ifr, 0, sizeof(ifr)); 1335 (void)strncpy(ifr.ifr_name, 1336 p->md.device, 1337 sizeof(ifr.ifr_name)); 1338 ifr.ifr_media = 1339 req.ifm_current & ~IFM_IEEE80211_MONITOR; 1340 if (ioctl(sock, SIOCSIFMEDIA, 1341 &ifr) == -1) { 1342 fprintf(stderr, 1343 "Can't restore interface flags (SIOCSIFMEDIA failed: %s).\n" 1344 "Please adjust manually.\n", 1345 strerror(errno)); 1346 } 1347 } 1348 } 1349 close(sock); 1350 } 1351 } 1352#endif /* HAVE_BSD_IEEE80211 */ 1353 1354 /* 1355 * Take this pcap out of the list of pcaps for which we 1356 * have to take the interface out of some mode. 1357 */ 1358 pcap_remove_from_pcaps_to_close(p); 1359 p->md.must_clear = 0; 1360 } 1361 1362#ifdef HAVE_ZEROCOPY_BPF 1363 /* 1364 * In zero-copy mode, p->buffer is just a pointer into one of the two 1365 * memory-mapped buffers, so no need to free it. 1366 */ 1367 if (p->md.zerocopy) { 1368 if (p->md.zbuf1 != MAP_FAILED && p->md.zbuf1 != NULL) 1369 munmap(p->md.zbuf1, p->md.zbufsize); 1370 if (p->md.zbuf2 != MAP_FAILED && p->md.zbuf2 != NULL) 1371 munmap(p->md.zbuf2, p->md.zbufsize); 1372 } 1373#endif 1374 if (p->md.device != NULL) { 1375 free(p->md.device); 1376 p->md.device = NULL; 1377 } 1378 pcap_cleanup_live_common(p); 1379} 1380 1381static int 1382check_setif_failure(pcap_t *p, int error) 1383{ 1384#ifdef __APPLE__ 1385 int fd; 1386 struct ifreq ifr; 1387 int err; 1388#endif 1389 1390 if (error == ENXIO) { 1391 /* 1392 * No such device exists. 1393 */ 1394#ifdef __APPLE__ 1395 if (p->opt.rfmon && strncmp(p->opt.source, "wlt", 3) == 0) { 1396 /* 1397 * Monitor mode was requested, and we're trying 1398 * to open a "wltN" device. Assume that this 1399 * is 10.4 and that we were asked to open an 1400 * "enN" device; if that device exists, return 1401 * "monitor mode not supported on the device". 1402 */ 1403 fd = socket(AF_INET, SOCK_DGRAM, 0); 1404 if (fd != -1) { 1405 strlcpy(ifr.ifr_name, "en", 1406 sizeof(ifr.ifr_name)); 1407 strlcat(ifr.ifr_name, p->opt.source + 3, 1408 sizeof(ifr.ifr_name)); 1409 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) { 1410 /* 1411 * We assume this failed because 1412 * the underlying device doesn't 1413 * exist. 1414 */ 1415 err = PCAP_ERROR_NO_SUCH_DEVICE; 1416 strcpy(p->errbuf, ""); 1417 } else { 1418 /* 1419 * The underlying "enN" device 1420 * exists, but there's no 1421 * corresponding "wltN" device; 1422 * that means that the "enN" 1423 * device doesn't support 1424 * monitor mode, probably because 1425 * it's an Ethernet device rather 1426 * than a wireless device. 1427 */ 1428 err = PCAP_ERROR_RFMON_NOTSUP; 1429 } 1430 close(fd); 1431 } else { 1432 /* 1433 * We can't find out whether there's 1434 * an underlying "enN" device, so 1435 * just report "no such device". 1436 */ 1437 err = PCAP_ERROR_NO_SUCH_DEVICE; 1438 strcpy(p->errbuf, ""); 1439 } 1440 return (err); 1441 } 1442#endif 1443 /* 1444 * No such device. 1445 */ 1446 strcpy(p->errbuf, ""); 1447 return (PCAP_ERROR_NO_SUCH_DEVICE); 1448 } else if (errno == ENETDOWN) { 1449 /* 1450 * Return a "network down" indication, so that 1451 * the application can report that rather than 1452 * saying we had a mysterious failure and 1453 * suggest that they report a problem to the 1454 * libpcap developers. 1455 */ 1456 return (PCAP_ERROR_IFACE_NOT_UP); 1457 } else { 1458 /* 1459 * Some other error; fill in the error string, and 1460 * return PCAP_ERROR. 1461 */ 1462 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 1463 p->opt.source, pcap_strerror(errno)); 1464 return (PCAP_ERROR); 1465 } 1466} 1467 1468static int 1469pcap_activate_bpf(pcap_t *p) 1470{ 1471 int status = 0; 1472 int fd; 1473 struct ifreq ifr; 1474 struct bpf_version bv; 1475#ifdef __APPLE__ 1476 int sockfd; 1477 char *wltdev = NULL; 1478#endif 1479#ifdef BIOCGDLTLIST 1480 struct bpf_dltlist bdl; 1481#if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) 1482 int new_dlt; 1483#endif 1484#endif /* BIOCGDLTLIST */ 1485#if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 1486 u_int spoof_eth_src = 1; 1487#endif 1488 u_int v; 1489 struct bpf_insn total_insn; 1490 struct bpf_program total_prog; 1491 struct utsname osinfo; 1492 1493#ifdef HAVE_DAG_API 1494 if (strstr(device, "dag")) { 1495 return dag_open_live(device, snaplen, promisc, to_ms, ebuf); 1496 } 1497#endif /* HAVE_DAG_API */ 1498 1499#ifdef BIOCGDLTLIST 1500 memset(&bdl, 0, sizeof(bdl)); 1501 int have_osinfo = 0; 1502#ifdef HAVE_ZEROCOPY_BPF 1503 struct bpf_zbuf bz; 1504 u_int bufmode, zbufmax; 1505#endif 1506 1507 fd = bpf_open(p); 1508 if (fd < 0) { 1509 status = fd; 1510 goto bad; 1511 } 1512 1513 p->fd = fd; 1514 1515 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 1516 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s", 1517 pcap_strerror(errno)); 1518 status = PCAP_ERROR; 1519 goto bad; 1520 } 1521 if (bv.bv_major != BPF_MAJOR_VERSION || 1522 bv.bv_minor < BPF_MINOR_VERSION) { 1523 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1524 "kernel bpf filter out of date"); 1525 status = PCAP_ERROR; 1526 goto bad; 1527 } 1528 1529 p->md.device = strdup(p->opt.source); 1530 if (p->md.device == NULL) { 1531 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s", 1532 pcap_strerror(errno)); 1533 status = PCAP_ERROR; 1534 goto bad; 1535 } 1536 1537 /* 1538 * Try finding a good size for the buffer; 32768 may be too 1539 * big, so keep cutting it in half until we find a size 1540 * that works, or run out of sizes to try. If the default 1541 * is larger, don't make it smaller. 1542 * 1543 * XXX - there should be a user-accessible hook to set the 1544 * initial buffer size. 1545 * Attempt to find out the version of the OS on which we're running. 1546 */ 1547 if (uname(&osinfo) == 0) 1548 have_osinfo = 1; 1549 1550#ifdef __APPLE__ 1551 /* 1552 * See comment in pcap_can_set_rfmon_bpf() for an explanation 1553 * of why we check the version number. 1554 */ 1555 if (p->opt.rfmon) { 1556 if (have_osinfo) { 1557 /* 1558 * We assume osinfo.sysname is "Darwin", because 1559 * __APPLE__ is defined. We just check the version. 1560 */ 1561 if (osinfo.release[0] < '8' && 1562 osinfo.release[1] == '.') { 1563 /* 1564 * 10.3 (Darwin 7.x) or earlier. 1565 */ 1566 status = PCAP_ERROR_RFMON_NOTSUP; 1567 goto bad; 1568 } 1569 if (osinfo.release[0] == '8' && 1570 osinfo.release[1] == '.') { 1571 /* 1572 * 10.4 (Darwin 8.x). s/en/wlt/ 1573 */ 1574 if (strncmp(p->opt.source, "en", 2) != 0) { 1575 /* 1576 * Not an enN device; check 1577 * whether the device even exists. 1578 */ 1579 sockfd = socket(AF_INET, SOCK_DGRAM, 0); 1580 if (sockfd != -1) { 1581 strlcpy(ifr.ifr_name, 1582 p->opt.source, 1583 sizeof(ifr.ifr_name)); 1584 if (ioctl(sockfd, SIOCGIFFLAGS, 1585 (char *)&ifr) < 0) { 1586 /* 1587 * We assume this 1588 * failed because 1589 * the underlying 1590 * device doesn't 1591 * exist. 1592 */ 1593 status = PCAP_ERROR_NO_SUCH_DEVICE; 1594 strcpy(p->errbuf, ""); 1595 } else 1596 status = PCAP_ERROR_RFMON_NOTSUP; 1597 close(sockfd); 1598 } else { 1599 /* 1600 * We can't find out whether 1601 * the device exists, so just 1602 * report "no such device". 1603 */ 1604 status = PCAP_ERROR_NO_SUCH_DEVICE; 1605 strcpy(p->errbuf, ""); 1606 } 1607 goto bad; 1608 } 1609 wltdev = malloc(strlen(p->opt.source) + 2); 1610 if (wltdev == NULL) { 1611 (void)snprintf(p->errbuf, 1612 PCAP_ERRBUF_SIZE, "malloc: %s", 1613 pcap_strerror(errno)); 1614 status = PCAP_ERROR; 1615 goto bad; 1616 } 1617 strcpy(wltdev, "wlt"); 1618 strcat(wltdev, p->opt.source + 2); 1619 free(p->opt.source); 1620 p->opt.source = wltdev; 1621 } 1622 /* 1623 * Everything else is 10.5 or later; for those, 1624 * we just open the enN device, and set the DLT. 1625 */ 1626 } 1627 } 1628#endif /* __APPLE__ */ 1629#ifdef HAVE_ZEROCOPY_BPF 1630 /* 1631 * If the BPF extension to set buffer mode is present, try setting 1632 * the mode to zero-copy. If that fails, use regular buffering. If 1633 * it succeeds but other setup fails, return an error to the user. 1634 */ 1635 bufmode = BPF_BUFMODE_ZBUF; 1636 if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) { 1637 /* 1638 * We have zerocopy BPF; use it. 1639 */ 1640 p->md.zerocopy = 1; 1641 1642 /* 1643 * Set the cleanup and set/get nonblocking mode ops 1644 * as appropriate for zero-copy mode. 1645 */ 1646 p->cleanup_op = pcap_cleanup_zbuf; 1647 p->setnonblock_op = pcap_setnonblock_zbuf; 1648 p->getnonblock_op = pcap_getnonblock_zbuf; 1649 1650 /* 1651 * How to pick a buffer size: first, query the maximum buffer 1652 * size supported by zero-copy. This also lets us quickly 1653 * determine whether the kernel generally supports zero-copy. 1654 * Then, if a buffer size was specified, use that, otherwise 1655 * query the default buffer size, which reflects kernel 1656 * policy for a desired default. Round to the nearest page 1657 * size. 1658 */ 1659 if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) { 1660 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGETZMAX: %s", 1661 pcap_strerror(errno)); 1662 goto bad; 1663 } 1664 1665 if (p->opt.buffer_size != 0) { 1666 /* 1667 * A buffer size was explicitly specified; use it. 1668 */ 1669 v = p->opt.buffer_size; 1670 } else { 1671 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || 1672 v < 32768) 1673 v = 32768; 1674 } 1675#ifndef roundup 1676#define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */ 1677#endif 1678 p->md.zbufsize = roundup(v, getpagesize()); 1679 if (p->md.zbufsize > zbufmax) 1680 p->md.zbufsize = zbufmax; 1681 p->md.zbuf1 = mmap(NULL, p->md.zbufsize, PROT_READ | PROT_WRITE, 1682 MAP_ANON, -1, 0); 1683 p->md.zbuf2 = mmap(NULL, p->md.zbufsize, PROT_READ | PROT_WRITE, 1684 MAP_ANON, -1, 0); 1685 if (p->md.zbuf1 == MAP_FAILED || p->md.zbuf2 == MAP_FAILED) { 1686 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "mmap: %s", 1687 pcap_strerror(errno)); 1688 goto bad; 1689 } 1690 bzero(&bz, sizeof(bz)); 1691 bz.bz_bufa = p->md.zbuf1; 1692 bz.bz_bufb = p->md.zbuf2; 1693 bz.bz_buflen = p->md.zbufsize; 1694 if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) { 1695 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETZBUF: %s", 1696 pcap_strerror(errno)); 1697 goto bad; 1698 } 1699 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name)); 1700 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 1701 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 1702 p->opt.source, pcap_strerror(errno)); 1703 goto bad; 1704 } 1705 v = p->md.zbufsize - sizeof(struct bpf_zbuf_header); 1706 } else 1707#endif 1708 { 1709 /* 1710 * We don't have zerocopy BPF. 1711 * Set the buffer size. 1712 */ 1713 if (p->opt.buffer_size != 0) { 1714 /* 1715 * A buffer size was explicitly specified; use it. 1716 */ 1717 if (ioctl(fd, BIOCSBLEN, 1718 (caddr_t)&p->opt.buffer_size) < 0) { 1719 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1720 "BIOCSBLEN: %s: %s", p->opt.source, 1721 pcap_strerror(errno)); 1722 status = PCAP_ERROR; 1723 goto bad; 1724 } 1725 1726 /* 1727 * Now bind to the device. 1728 */ 1729 (void)strncpy(ifr.ifr_name, p->opt.source, 1730 sizeof(ifr.ifr_name)); 1731 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 1732 status = check_setif_failure(p, errno); 1733 goto bad; 1734 } 1735 } else { 1736 /* 1737 * No buffer size was explicitly specified. 1738 * 1739 * Try finding a good size for the buffer; 32768 may 1740 * be too big, so keep cutting it in half until we 1741 * find a size that works, or run out of sizes to try. 1742 * If the default is larger, don't make it smaller. 1743 */ 1744 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || 1745 v < 32768) 1746 v = 32768; 1747 for ( ; v != 0; v >>= 1) { 1748 /* 1749 * Ignore the return value - this is because the 1750 * call fails on BPF systems that don't have 1751 * kernel malloc. And if the call fails, it's 1752 * no big deal, we just continue to use the 1753 * standard buffer size. 1754 */ 1755 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); 1756 1757 (void)strncpy(ifr.ifr_name, p->opt.source, 1758 sizeof(ifr.ifr_name)); 1759 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0) 1760 break; /* that size worked; we're done */ 1761 1762 if (errno != ENOBUFS) { 1763 status = check_setif_failure(p, errno); 1764 goto bad; 1765 } 1766 } 1767 1768 if (v == 0) { 1769 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1770 "BIOCSBLEN: %s: No buffer size worked", 1771 p->opt.source); 1772 status = PCAP_ERROR; 1773 goto bad; 1774 } 1775 } 1776 } 1777#endif 1778 1779 /* Get the data link layer type. */ 1780 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) { 1781 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s", 1782 pcap_strerror(errno)); 1783 status = PCAP_ERROR; 1784 goto bad; 1785 } 1786 1787#ifdef _AIX 1788 /* 1789 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT. 1790 */ 1791 switch (v) { 1792 1793 case IFT_ETHER: 1794 case IFT_ISO88023: 1795 v = DLT_EN10MB; 1796 break; 1797 1798 case IFT_FDDI: 1799 v = DLT_FDDI; 1800 break; 1801 1802 case IFT_ISO88025: 1803 v = DLT_IEEE802; 1804 break; 1805 1806 case IFT_LOOP: 1807 v = DLT_NULL; 1808 break; 1809 1810 default: 1811 /* 1812 * We don't know what to map this to yet. 1813 */ 1814 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "unknown interface type %u", 1815 v); 1816 status = PCAP_ERROR; 1817 goto bad; 1818 } 1819#endif 1820#if _BSDI_VERSION - 0 >= 199510 1821 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */ 1822 switch (v) { 1823 1824 case DLT_SLIP: 1825 v = DLT_SLIP_BSDOS; 1826 break; 1827 1828 case DLT_PPP: 1829 v = DLT_PPP_BSDOS; 1830 break; 1831 1832 case 11: /*DLT_FR*/ 1833 v = DLT_FRELAY; 1834 break; 1835 1836 case 12: /*DLT_C_HDLC*/ 1837 v = DLT_CHDLC; 1838 break; 1839 } 1840#endif 1841 1842#ifdef BIOCGDLTLIST 1843 /* 1844 * We know the default link type -- now determine all the DLTs 1845 * this interface supports. If this fails with EINVAL, it's 1846 * not fatal; we just don't get to use the feature later. 1847 */ 1848 if (get_dlt_list(fd, v, &bdl, p->errbuf) == -1) { 1849 status = PCAP_ERROR; 1850 goto bad; 1851 } 1852 p->dlt_count = bdl.bfl_len; 1853 p->dlt_list = bdl.bfl_list; 1854 1855#ifdef __APPLE__ 1856 /* 1857 * Monitor mode fun, continued. 1858 * 1859 * For 10.5 and, we're assuming, later releases, as noted above, 1860 * 802.1 adapters that support monitor mode offer both DLT_EN10MB, 1861 * DLT_IEEE802_11, and possibly some 802.11-plus-radio-information 1862 * DLT_ value. Choosing one of the 802.11 DLT_ values will turn 1863 * monitor mode on. 1864 * 1865 * Therefore, if the user asked for monitor mode, we filter out 1866 * the DLT_EN10MB value, as you can't get that in monitor mode, 1867 * and, if the user didn't ask for monitor mode, we filter out 1868 * the 802.11 DLT_ values, because selecting those will turn 1869 * monitor mode on. Then, for monitor mode, if an 802.11-plus- 1870 * radio DLT_ value is offered, we try to select that, otherwise 1871 * we try to select DLT_IEEE802_11. 1872 */ 1873 if (have_osinfo) { 1874 if (isdigit((unsigned)osinfo.release[0]) && 1875 (osinfo.release[0] == '9' || 1876 isdigit((unsigned)osinfo.release[1]))) { 1877 /* 1878 * 10.5 (Darwin 9.x), or later. 1879 */ 1880 new_dlt = find_802_11(&bdl); 1881 if (new_dlt != -1) { 1882 /* 1883 * We have at least one 802.11 DLT_ value, 1884 * so this is an 802.11 interface. 1885 * new_dlt is the best of the 802.11 1886 * DLT_ values in the list. 1887 */ 1888 if (p->opt.rfmon) { 1889 /* 1890 * Our caller wants monitor mode. 1891 * Purge DLT_EN10MB from the list 1892 * of link-layer types, as selecting 1893 * it will keep monitor mode off. 1894 */ 1895 remove_en(p); 1896 1897 /* 1898 * If the new mode we want isn't 1899 * the default mode, attempt to 1900 * select the new mode. 1901 */ 1902 if (new_dlt != v) { 1903 if (ioctl(p->fd, BIOCSDLT, 1904 &new_dlt) != -1) { 1905 /* 1906 * We succeeded; 1907 * make this the 1908 * new DLT_ value. 1909 */ 1910 v = new_dlt; 1911 } 1912 } 1913 } else { 1914 /* 1915 * Our caller doesn't want 1916 * monitor mode. Unless this 1917 * is being done by pcap_open_live(), 1918 * purge the 802.11 link-layer types 1919 * from the list, as selecting 1920 * one of them will turn monitor 1921 * mode on. 1922 */ 1923 if (!p->oldstyle) 1924 remove_802_11(p); 1925 } 1926 } else { 1927 if (p->opt.rfmon) { 1928 /* 1929 * The caller requested monitor 1930 * mode, but we have no 802.11 1931 * link-layer types, so they 1932 * can't have it. 1933 */ 1934 status = PCAP_ERROR_RFMON_NOTSUP; 1935 goto bad; 1936 } 1937 } 1938 } 1939 } 1940#elif defined(HAVE_BSD_IEEE80211) 1941 /* 1942 * *BSD with the new 802.11 ioctls. 1943 * Do we want monitor mode? 1944 */ 1945 if (p->opt.rfmon) { 1946 /* 1947 * Try to put the interface into monitor mode. 1948 */ 1949 status = monitor_mode(p, 1); 1950 if (status != 0) { 1951 /* 1952 * We failed. 1953 */ 1954 goto bad; 1955 } 1956 1957 /* 1958 * We're in monitor mode. 1959 * Try to find the best 802.11 DLT_ value and, if we 1960 * succeed, try to switch to that mode if we're not 1961 * already in that mode. 1962 */ 1963 new_dlt = find_802_11(&bdl); 1964 if (new_dlt != -1) { 1965 /* 1966 * We have at least one 802.11 DLT_ value. 1967 * new_dlt is the best of the 802.11 1968 * DLT_ values in the list. 1969 * 1970 * If the new mode we want isn't the default mode, 1971 * attempt to select the new mode. 1972 */ 1973 if (new_dlt != v) { 1974 if (ioctl(p->fd, BIOCSDLT, &new_dlt) != -1) { 1975 /* 1976 * We succeeded; make this the 1977 * new DLT_ value. 1978 */ 1979 v = new_dlt; 1980 } 1981 } 1982 } 1983 } 1984#endif /* various platforms */ 1985#endif /* BIOCGDLTLIST */ 1986 1987 /* 1988 * If this is an Ethernet device, and we don't have a DLT_ list, 1989 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give 1990 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to 1991 * do, but there's not much we can do about that without finding 1992 * some other way of determining whether it's an Ethernet or 802.11 1993 * device.) 1994 */ 1995 if (v == DLT_EN10MB && p->dlt_count == 0) { 1996 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1997 /* 1998 * If that fails, just leave the list empty. 1999 */ 2000 if (p->dlt_list != NULL) { 2001 p->dlt_list[0] = DLT_EN10MB; 2002 p->dlt_list[1] = DLT_DOCSIS; 2003 p->dlt_count = 2; 2004 } 2005 } 2006#ifdef PCAP_FDDIPAD 2007 if (v == DLT_FDDI) 2008 p->fddipad = PCAP_FDDIPAD; 2009 else 2010 p->fddipad = 0; 2011#endif 2012 p->linktype = v; 2013 2014#if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 2015 /* 2016 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so 2017 * the link-layer source address isn't forcibly overwritten. 2018 * (Should we ignore errors? Should we do this only if 2019 * we're open for writing?) 2020 * 2021 * XXX - I seem to remember some packet-sending bug in some 2022 * BSDs - check CVS log for "bpf.c"? 2023 */ 2024 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 2025 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2026 "BIOCSHDRCMPLT: %s", pcap_strerror(errno)); 2027 status = PCAP_ERROR; 2028 goto bad; 2029 } 2030#endif 2031 /* set timeout */ 2032#ifdef HAVE_ZEROCOPY_BPF 2033 if (p->md.timeout != 0 && !p->md.zerocopy) { 2034#else 2035 if (p->md.timeout) { 2036#endif 2037 /* 2038 * XXX - is this seconds/nanoseconds in AIX? 2039 * (Treating it as such doesn't fix the timeout 2040 * problem described below.) 2041 */ 2042 struct timeval to; 2043 to.tv_sec = p->md.timeout / 1000; 2044 to.tv_usec = (p->md.timeout * 1000) % 1000000; 2045 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) { 2046 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s", 2047 pcap_strerror(errno)); 2048 status = PCAP_ERROR; 2049 goto bad; 2050 } 2051 } 2052#ifdef BIOCSETBUFMODE 2053 p->timeout = to_ms; 2054#endif 2055 2056#ifdef _AIX 2057#ifdef BIOCIMMEDIATE 2058 /* 2059 * Darren Reed notes that 2060 * 2061 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the 2062 * timeout appears to be ignored and it waits until the buffer 2063 * is filled before returning. The result of not having it 2064 * set is almost worse than useless if your BPF filter 2065 * is reducing things to only a few packets (i.e. one every 2066 * second or so). 2067 * 2068 * so we turn BIOCIMMEDIATE mode on if this is AIX. 2069 * 2070 * We don't turn it on for other platforms, as that means we 2071 * get woken up for every packet, which may not be what we want; 2072 * in the Winter 1993 USENIX paper on BPF, they say: 2073 * 2074 * Since a process might want to look at every packet on a 2075 * network and the time between packets can be only a few 2076 * microseconds, it is not possible to do a read system call 2077 * per packet and BPF must collect the data from several 2078 * packets and return it as a unit when the monitoring 2079 * application does a read. 2080 * 2081 * which I infer is the reason for the timeout - it means we 2082 * wait that amount of time, in the hopes that more packets 2083 * will arrive and we'll get them all with one read. 2084 * 2085 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other 2086 * BSDs) causes the timeout to be ignored. 2087 * 2088 * On the other hand, some platforms (e.g., Linux) don't support 2089 * timeouts, they just hand stuff to you as soon as it arrives; 2090 * if that doesn't cause a problem on those platforms, it may 2091 * be OK to have BIOCIMMEDIATE mode on BSD as well. 2092 * 2093 * (Note, though, that applications may depend on the read 2094 * completing, even if no packets have arrived, when the timeout 2095 * expires, e.g. GUI applications that have to check for input 2096 * while waiting for packets to arrive; a non-zero timeout 2097 * prevents "select()" from working right on FreeBSD and 2098 * possibly other BSDs, as the timer doesn't start until a 2099 * "read()" is done, so the timer isn't in effect if the 2100 * application is blocked on a "select()", and the "select()" 2101 * doesn't get woken up for a BPF device until the buffer 2102 * fills up.) 2103 */ 2104 v = 1; 2105 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) { 2106 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s", 2107 pcap_strerror(errno)); 2108 status = PCAP_ERROR; 2109 goto bad; 2110 } 2111#endif /* BIOCIMMEDIATE */ 2112#endif /* _AIX */ 2113 2114 if (p->opt.promisc) { 2115 /* set promiscuous mode, just warn if it fails */ 2116 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) { 2117 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s", 2118 pcap_strerror(errno)); 2119 status = PCAP_WARNING_PROMISC_NOTSUP; 2120 } 2121 } 2122 2123 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) { 2124 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s", 2125 pcap_strerror(errno)); 2126 status = PCAP_ERROR; 2127 goto bad; 2128 } 2129 p->bufsize = v; 2130#ifdef HAVE_ZEROCOPY_BPF 2131 if (!p->md.zerocopy) { 2132#endif 2133 p->buffer = (u_char *)malloc(p->bufsize); 2134 if (p->buffer == NULL) { 2135 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", 2136 pcap_strerror(errno)); 2137 status = PCAP_ERROR; 2138 goto bad; 2139 } 2140#ifdef _AIX 2141 /* For some strange reason this seems to prevent the EFAULT 2142 * problems we have experienced from AIX BPF. */ 2143 memset(p->buffer, 0x0, p->bufsize); 2144#endif 2145#ifdef HAVE_ZEROCOPY_BPF 2146 } 2147#endif 2148 2149 /* 2150 * If there's no filter program installed, there's 2151 * no indication to the kernel of what the snapshot 2152 * length should be, so no snapshotting is done. 2153 * 2154 * Therefore, when we open the device, we install 2155 * an "accept everything" filter with the specified 2156 * snapshot length. 2157 */ 2158 total_insn.code = (u_short)(BPF_RET | BPF_K); 2159 total_insn.jt = 0; 2160 total_insn.jf = 0; 2161 total_insn.k = p->snapshot; 2162 2163 total_prog.bf_len = 1; 2164 total_prog.bf_insns = &total_insn; 2165 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) { 2166 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 2167 pcap_strerror(errno)); 2168 status = PCAP_ERROR; 2169 goto bad; 2170 } 2171 2172 /* 2173 * On most BPF platforms, either you can do a "select()" or 2174 * "poll()" on a BPF file descriptor and it works correctly, 2175 * or you can do it and it will return "readable" if the 2176 * hold buffer is full but not if the timeout expires *and* 2177 * a non-blocking read will, if the hold buffer is empty 2178 * but the store buffer isn't empty, rotate the buffers 2179 * and return what packets are available. 2180 * 2181 * In the latter case, the fact that a non-blocking read 2182 * will give you the available packets means you can work 2183 * around the failure of "select()" and "poll()" to wake up 2184 * and return "readable" when the timeout expires by using 2185 * the timeout as the "select()" or "poll()" timeout, putting 2186 * the BPF descriptor into non-blocking mode, and read from 2187 * it regardless of whether "select()" reports it as readable 2188 * or not. 2189 * 2190 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()" 2191 * won't wake up and return "readable" if the timer expires 2192 * and non-blocking reads return EWOULDBLOCK if the hold 2193 * buffer is empty, even if the store buffer is non-empty. 2194 * 2195 * This means the workaround in question won't work. 2196 * 2197 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd" 2198 * to -1, which means "sorry, you can't use 'select()' or 'poll()' 2199 * here". On all other BPF platforms, we set it to the FD for 2200 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking 2201 * read will, if the hold buffer is empty and the store buffer 2202 * isn't empty, rotate the buffers and return what packets are 2203 * there (and in sufficiently recent versions of OpenBSD 2204 * "select()" and "poll()" should work correctly). 2205 * 2206 * XXX - what about AIX? 2207 */ 2208 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */ 2209 if (have_osinfo) { 2210 /* 2211 * We can check what OS this is. 2212 */ 2213 if (strcmp(osinfo.sysname, "FreeBSD") == 0) { 2214 if (strncmp(osinfo.release, "4.3-", 4) == 0 || 2215 strncmp(osinfo.release, "4.4-", 4) == 0) 2216 p->selectable_fd = -1; 2217 } 2218 } 2219 2220 p->read_op = pcap_read_bpf; 2221 p->inject_op = pcap_inject_bpf; 2222 p->setfilter_op = pcap_setfilter_bpf; 2223 p->setdirection_op = pcap_setdirection_bpf; 2224 p->set_datalink_op = pcap_set_datalink_bpf; 2225 p->getnonblock_op = pcap_getnonblock_fd; 2226 p->setnonblock_op = pcap_setnonblock_fd; 2227 p->stats_op = pcap_stats_bpf; 2228 p->cleanup_op = pcap_cleanup_bpf; 2229 2230 return (status); 2231 bad: 2232 pcap_cleanup_bpf(p); 2233 return (status); 2234} 2235 2236int 2237pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 2238{ 2239#ifdef HAVE_DAG_API 2240 if (dag_platform_finddevs(alldevsp, errbuf) < 0) 2241 return (-1); 2242#endif /* HAVE_DAG_API */ 2243 2244 return (0); 2245} 2246 2247#ifdef HAVE_BSD_IEEE80211 2248static int 2249monitor_mode(pcap_t *p, int set) 2250{ 2251 int sock; 2252 struct ifmediareq req; 2253 int *media_list; 2254 int i; 2255 int can_do; 2256 struct ifreq ifr; 2257 2258 sock = socket(AF_INET, SOCK_DGRAM, 0); 2259 if (sock == -1) { 2260 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't open socket: %s", 2261 pcap_strerror(errno)); 2262 return (PCAP_ERROR); 2263 } 2264 2265 memset(&req, 0, sizeof req); 2266 strncpy(req.ifm_name, p->opt.source, sizeof req.ifm_name); 2267 2268 /* 2269 * Find out how many media types we have. 2270 */ 2271 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 2272 /* 2273 * Can't get the media types. 2274 */ 2275 if (errno == EINVAL) { 2276 /* 2277 * Interface doesn't support SIOC{G,S}IFMEDIA. 2278 */ 2279 close(sock); 2280 return (PCAP_ERROR_RFMON_NOTSUP); 2281 } 2282 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA 1: %s", 2283 pcap_strerror(errno)); 2284 close(sock); 2285 return (PCAP_ERROR); 2286 } 2287 if (req.ifm_count == 0) { 2288 /* 2289 * No media types. 2290 */ 2291 close(sock); 2292 return (PCAP_ERROR_RFMON_NOTSUP); 2293 } 2294 2295 /* 2296 * Allocate a buffer to hold all the media types, and 2297 * get the media types. 2298 */ 2299 media_list = malloc(req.ifm_count * sizeof(int)); 2300 if (media_list == NULL) { 2301 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", 2302 pcap_strerror(errno)); 2303 close(sock); 2304 return (PCAP_ERROR); 2305 } 2306 req.ifm_ulist = media_list; 2307 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 2308 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA: %s", 2309 pcap_strerror(errno)); 2310 free(media_list); 2311 close(sock); 2312 return (PCAP_ERROR); 2313 } 2314 2315 /* 2316 * Look for an 802.11 "automatic" media type. 2317 * We assume that all 802.11 adapters have that media type, 2318 * and that it will carry the monitor mode supported flag. 2319 */ 2320 can_do = 0; 2321 for (i = 0; i < req.ifm_count; i++) { 2322 if (IFM_TYPE(media_list[i]) == IFM_IEEE80211 2323 && IFM_SUBTYPE(media_list[i]) == IFM_AUTO) { 2324 /* OK, does it do monitor mode? */ 2325 if (media_list[i] & IFM_IEEE80211_MONITOR) { 2326 can_do = 1; 2327 break; 2328 } 2329 } 2330 } 2331 free(media_list); 2332 if (!can_do) { 2333 /* 2334 * This adapter doesn't support monitor mode. 2335 */ 2336 close(sock); 2337 return (PCAP_ERROR_RFMON_NOTSUP); 2338 } 2339 2340 if (set) { 2341 /* 2342 * Don't just check whether we can enable monitor mode, 2343 * do so, if it's not already enabled. 2344 */ 2345 if ((req.ifm_current & IFM_IEEE80211_MONITOR) == 0) { 2346 /* 2347 * Monitor mode isn't currently on, so turn it on, 2348 * and remember that we should turn it off when the 2349 * pcap_t is closed. 2350 */ 2351 2352 /* 2353 * If we haven't already done so, arrange to have 2354 * "pcap_close_all()" called when we exit. 2355 */ 2356 if (!pcap_do_addexit(p)) { 2357 /* 2358 * "atexit()" failed; don't put the interface 2359 * in monitor mode, just give up. 2360 */ 2361 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2362 "atexit failed"); 2363 close(sock); 2364 return (PCAP_ERROR); 2365 } 2366 memset(&ifr, 0, sizeof(ifr)); 2367 (void)strncpy(ifr.ifr_name, p->opt.source, 2368 sizeof(ifr.ifr_name)); 2369 ifr.ifr_media = req.ifm_current | IFM_IEEE80211_MONITOR; 2370 if (ioctl(sock, SIOCSIFMEDIA, &ifr) == -1) { 2371 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2372 "SIOCSIFMEDIA: %s", pcap_strerror(errno)); 2373 close(sock); 2374 return (PCAP_ERROR); 2375 } 2376 2377 p->md.must_clear |= MUST_CLEAR_RFMON; 2378 2379 /* 2380 * Add this to the list of pcaps to close when we exit. 2381 */ 2382 pcap_add_to_pcaps_to_close(p); 2383 } 2384 } 2385 return (0); 2386} 2387#endif /* HAVE_BSD_IEEE80211 */ 2388 2389#if defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) 2390/* 2391 * Check whether we have any 802.11 link-layer types; return the best 2392 * of the 802.11 link-layer types if we find one, and return -1 2393 * otherwise. 2394 * 2395 * DLT_IEEE802_11_RADIO, with the radiotap header, is considered the 2396 * best 802.11 link-layer type; any of the other 802.11-plus-radio 2397 * headers are second-best; 802.11 with no radio information is 2398 * the least good. 2399 */ 2400static int 2401find_802_11(struct bpf_dltlist *bdlp) 2402{ 2403 int new_dlt; 2404 int i; 2405 2406 /* 2407 * Scan the list of DLT_ values, looking for 802.11 values, 2408 * and, if we find any, choose the best of them. 2409 */ 2410 new_dlt = -1; 2411 for (i = 0; i < bdlp->bfl_len; i++) { 2412 switch (bdlp->bfl_list[i]) { 2413 2414 case DLT_IEEE802_11: 2415 /* 2416 * 802.11, but no radio. 2417 * 2418 * Offer this, and select it as the new mode 2419 * unless we've already found an 802.11 2420 * header with radio information. 2421 */ 2422 if (new_dlt == -1) 2423 new_dlt = bdlp->bfl_list[i]; 2424 break; 2425 2426 case DLT_PRISM_HEADER: 2427 case DLT_AIRONET_HEADER: 2428 case DLT_IEEE802_11_RADIO_AVS: 2429 /* 2430 * 802.11 with radio, but not radiotap. 2431 * 2432 * Offer this, and select it as the new mode 2433 * unless we've already found the radiotap DLT_. 2434 */ 2435 if (new_dlt != DLT_IEEE802_11_RADIO) 2436 new_dlt = bdlp->bfl_list[i]; 2437 break; 2438 2439 case DLT_IEEE802_11_RADIO: 2440 /* 2441 * 802.11 with radiotap. 2442 * 2443 * Offer this, and select it as the new mode. 2444 */ 2445 new_dlt = bdlp->bfl_list[i]; 2446 break; 2447 2448 default: 2449 /* 2450 * Not 802.11. 2451 */ 2452 break; 2453 } 2454 } 2455 2456 return (new_dlt); 2457} 2458#endif /* defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) */ 2459 2460#if defined(__APPLE__) && defined(BIOCGDLTLIST) 2461/* 2462 * Remove DLT_EN10MB from the list of DLT_ values. 2463 */ 2464static void 2465remove_en(pcap_t *p) 2466{ 2467 int i, j; 2468 2469 /* 2470 * Scan the list of DLT_ values and discard DLT_EN10MB. 2471 */ 2472 j = 0; 2473 for (i = 0; i < p->dlt_count; i++) { 2474 switch (p->dlt_list[i]) { 2475 2476 case DLT_EN10MB: 2477 /* 2478 * Don't offer this one. 2479 */ 2480 continue; 2481 2482 default: 2483 /* 2484 * Just copy this mode over. 2485 */ 2486 break; 2487 } 2488 2489 /* 2490 * Copy this DLT_ value to its new position. 2491 */ 2492 p->dlt_list[j] = p->dlt_list[i]; 2493 j++; 2494 } 2495 2496 /* 2497 * Set the DLT_ count to the number of entries we copied. 2498 */ 2499 p->dlt_count = j; 2500} 2501 2502/* 2503 * Remove DLT_EN10MB from the list of DLT_ values, and look for the 2504 * best 802.11 link-layer type in that list and return it. 2505 * Radiotap is better than anything else; 802.11 with any other radio 2506 * header is better than 802.11 with no radio header. 2507 */ 2508static void 2509remove_802_11(pcap_t *p) 2510{ 2511 int i, j; 2512 2513 /* 2514 * Scan the list of DLT_ values and discard 802.11 values. 2515 */ 2516 j = 0; 2517 for (i = 0; i < p->dlt_count; i++) { 2518 switch (p->dlt_list[i]) { 2519 2520 case DLT_IEEE802_11: 2521 case DLT_PRISM_HEADER: 2522 case DLT_AIRONET_HEADER: 2523 case DLT_IEEE802_11_RADIO: 2524 case DLT_IEEE802_11_RADIO_AVS: 2525 /* 2526 * 802.11. Don't offer this one. 2527 */ 2528 continue; 2529 2530 default: 2531 /* 2532 * Just copy this mode over. 2533 */ 2534 break; 2535 } 2536 2537 /* 2538 * Copy this DLT_ value to its new position. 2539 */ 2540 p->dlt_list[j] = p->dlt_list[i]; 2541 j++; 2542 } 2543 2544 /* 2545 * Set the DLT_ count to the number of entries we copied. 2546 */ 2547 p->dlt_count = j; 2548} 2549#endif /* defined(__APPLE__) && defined(BIOCGDLTLIST) */ 2550 2551static int 2552pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp) 2553{ 2554 /* 2555 * Free any user-mode filter we might happen to have installed. 2556 */ 2557 pcap_freecode(&p->fcode); 2558 2559 /* 2560 * Try to install the kernel filter. 2561 */ 2562 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) == 0) { 2563 /* 2564 * It worked. 2565 */ 2566 p->md.use_bpf = 1; /* filtering in the kernel */ 2567 2568 /* 2569 * Discard any previously-received packets, as they might 2570 * have passed whatever filter was formerly in effect, but 2571 * might not pass this filter (BIOCSETF discards packets 2572 * buffered in the kernel, so you can lose packets in any 2573 * case). 2574 */ 2575 p->cc = 0; 2576 return (0); 2577 } 2578 2579 /* 2580 * We failed. 2581 * 2582 * If it failed with EINVAL, that's probably because the program 2583 * is invalid or too big. Validate it ourselves; if we like it 2584 * (we currently allow backward branches, to support protochain), 2585 * run it in userland. (There's no notion of "too big" for 2586 * userland.) 2587 * 2588 * Otherwise, just give up. 2589 * XXX - if the copy of the program into the kernel failed, 2590 * we will get EINVAL rather than, say, EFAULT on at least 2591 * some kernels. 2592 */ 2593 if (errno != EINVAL) { 2594 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 2595 pcap_strerror(errno)); 2596 return (-1); 2597 } 2598 2599 /* 2600 * install_bpf_program() validates the program. 2601 * 2602 * XXX - what if we already have a filter in the kernel? 2603 */ 2604 if (install_bpf_program(p, fp) < 0) 2605 return (-1); 2606 p->md.use_bpf = 0; /* filtering in userland */ 2607 return (0); 2608} 2609 2610/* 2611 * Set direction flag: Which packets do we accept on a forwarding 2612 * single device? IN, OUT or both? 2613 */ 2614static int 2615pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d) 2616{ 2617#if defined(BIOCSDIRECTION) 2618 u_int direction; 2619 2620 direction = (d == PCAP_D_IN) ? BPF_D_IN : 2621 ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT); 2622 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) { 2623 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2624 "Cannot set direction to %s: %s", 2625 (d == PCAP_D_IN) ? "PCAP_D_IN" : 2626 ((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"), 2627 strerror(errno)); 2628 return (-1); 2629 } 2630 return (0); 2631#elif defined(BIOCSSEESENT) 2632 u_int seesent; 2633 2634 /* 2635 * We don't support PCAP_D_OUT. 2636 */ 2637 if (d == PCAP_D_OUT) { 2638 snprintf(p->errbuf, sizeof(p->errbuf), 2639 "Setting direction to PCAP_D_OUT is not supported on BPF"); 2640 return -1; 2641 } 2642 2643 seesent = (d == PCAP_D_INOUT); 2644 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) { 2645 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2646 "Cannot set direction to %s: %s", 2647 (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN", 2648 strerror(errno)); 2649 return (-1); 2650 } 2651 return (0); 2652#else 2653 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2654 "This system doesn't support BIOCSSEESENT, so the direction can't be set"); 2655 return (-1); 2656#endif 2657} 2658 2659static int 2660pcap_set_datalink_bpf(pcap_t *p, int dlt) 2661{ 2662#ifdef BIOCSDLT 2663 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) { 2664 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2665 "Cannot set DLT %d: %s", dlt, strerror(errno)); 2666 return (-1); 2667 } 2668#endif 2669 return (0); 2670} 2671