pcap-linux.c revision 162012
126175Sfenner/* 275107Sfenner * pcap-linux.c: Packet capture interface to the Linux kernel 326175Sfenner * 475107Sfenner * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org> 575107Sfenner * Sebastian Krahmer <krahmer@cs.uni-potsdam.de> 6127664Sbms * 775107Sfenner * License: BSD 8127664Sbms * 975107Sfenner * Redistribution and use in source and binary forms, with or without 1075107Sfenner * modification, are permitted provided that the following conditions 1175107Sfenner * are met: 12127664Sbms * 1375107Sfenner * 1. Redistributions of source code must retain the above copyright 1475107Sfenner * notice, this list of conditions and the following disclaimer. 1575107Sfenner * 2. Redistributions in binary form must reproduce the above copyright 1675107Sfenner * notice, this list of conditions and the following disclaimer in 1775107Sfenner * the documentation and/or other materials provided with the 1875107Sfenner * distribution. 1975107Sfenner * 3. The names of the authors may not be used to endorse or promote 2075107Sfenner * products derived from this software without specific prior 2175107Sfenner * written permission. 22127664Sbms * 2375107Sfenner * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 2475107Sfenner * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 2575107Sfenner * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 2626175Sfenner */ 27127664Sbms 2826175Sfenner#ifndef lint 29127664Sbmsstatic const char rcsid[] _U_ = 30162012Ssam "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.110.2.6 2005/08/16 04:25:26 guy Exp $ (LBL)"; 3126175Sfenner#endif 3226175Sfenner 3375107Sfenner/* 3475107Sfenner * Known problems with 2.0[.x] kernels: 3575107Sfenner * 3675107Sfenner * - The loopback device gives every packet twice; on 2.2[.x] kernels, 3775107Sfenner * if we use PF_PACKET, we can filter out the transmitted version 3875107Sfenner * of the packet by using data in the "sockaddr_ll" returned by 3975107Sfenner * "recvfrom()", but, on 2.0[.x] kernels, we have to use 4075107Sfenner * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 4175107Sfenner * "sockaddr_pkt" which doesn't give us enough information to let 4275107Sfenner * us do that. 4375107Sfenner * 4475107Sfenner * - We have to set the interface's IFF_PROMISC flag ourselves, if 4575107Sfenner * we're to run in promiscuous mode, which means we have to turn 4675107Sfenner * it off ourselves when we're done; the kernel doesn't keep track 4775107Sfenner * of how many sockets are listening promiscuously, which means 4875107Sfenner * it won't get turned off automatically when no sockets are 4975107Sfenner * listening promiscuously. We catch "pcap_close()" and, for 5075107Sfenner * interfaces we put into promiscuous mode, take them out of 5175107Sfenner * promiscuous mode - which isn't necessarily the right thing to 5275107Sfenner * do, if another socket also requested promiscuous mode between 5375107Sfenner * the time when we opened the socket and the time when we close 5475107Sfenner * the socket. 5598530Sfenner * 5698530Sfenner * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()" 5798530Sfenner * return the amount of data that you could have read, rather than 5898530Sfenner * the amount that was returned, so we can't just allocate a buffer 5998530Sfenner * whose size is the snapshot length and pass the snapshot length 6098530Sfenner * as the byte count, and also pass MSG_TRUNC, so that the return 6198530Sfenner * value tells us how long the packet was on the wire. 6298530Sfenner * 6398530Sfenner * This means that, if we want to get the actual size of the packet, 6498530Sfenner * so we can return it in the "len" field of the packet header, 6598530Sfenner * we have to read the entire packet, not just the part that fits 6698530Sfenner * within the snapshot length, and thus waste CPU time copying data 6798530Sfenner * from the kernel that our caller won't see. 6898530Sfenner * 6998530Sfenner * We have to get the actual size, and supply it in "len", because 7098530Sfenner * otherwise, the IP dissector in tcpdump, for example, will complain 7198530Sfenner * about "truncated-ip", as the packet will appear to have been 7298530Sfenner * shorter, on the wire, than the IP header said it should have been. 7375107Sfenner */ 7426175Sfenner 7575107Sfenner 7675107Sfenner#ifdef HAVE_CONFIG_H 7775107Sfenner#include "config.h" 7839291Sfenner#endif 7926175Sfenner 8075107Sfenner#include "pcap-int.h" 8175107Sfenner#include "sll.h" 8226175Sfenner 83127664Sbms#ifdef HAVE_DAG_API 84127664Sbms#include "pcap-dag.h" 85127664Sbms#endif /* HAVE_DAG_API */ 86147894Ssam 87147894Ssam#ifdef HAVE_SEPTEL_API 88147894Ssam#include "pcap-septel.h" 89147894Ssam#endif /* HAVE_SEPTEL_API */ 90127664Sbms 9126175Sfenner#include <errno.h> 9226175Sfenner#include <stdlib.h> 9375107Sfenner#include <unistd.h> 9475107Sfenner#include <fcntl.h> 9526175Sfenner#include <string.h> 9675107Sfenner#include <sys/socket.h> 9775107Sfenner#include <sys/ioctl.h> 9875107Sfenner#include <sys/utsname.h> 9975107Sfenner#include <net/if.h> 10075107Sfenner#include <netinet/in.h> 10175107Sfenner#include <linux/if_ether.h> 10275107Sfenner#include <net/if_arp.h> 10326175Sfenner 10498530Sfenner/* 10598530Sfenner * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET 10698530Sfenner * sockets rather than SOCK_PACKET sockets. 10798530Sfenner * 10898530Sfenner * To use them, we include <linux/if_packet.h> rather than 10998530Sfenner * <netpacket/packet.h>; we do so because 11098530Sfenner * 11198530Sfenner * some Linux distributions (e.g., Slackware 4.0) have 2.2 or 11298530Sfenner * later kernels and libc5, and don't provide a <netpacket/packet.h> 11398530Sfenner * file; 11498530Sfenner * 11598530Sfenner * not all versions of glibc2 have a <netpacket/packet.h> file 11698530Sfenner * that defines stuff needed for some of the 2.4-or-later-kernel 11798530Sfenner * features, so if the system has a 2.4 or later kernel, we 11898530Sfenner * still can't use those features. 11998530Sfenner * 12098530Sfenner * We're already including a number of other <linux/XXX.h> headers, and 12198530Sfenner * this code is Linux-specific (no other OS has PF_PACKET sockets as 12298530Sfenner * a raw packet capture mechanism), so it's not as if you gain any 12398530Sfenner * useful portability by using <netpacket/packet.h> 12498530Sfenner * 12598530Sfenner * XXX - should we just include <linux/if_packet.h> even if PF_PACKET 12698530Sfenner * isn't defined? It only defines one data structure in 2.0.x, so 12798530Sfenner * it shouldn't cause any problems. 12898530Sfenner */ 129127664Sbms#ifdef PF_PACKET 13098530Sfenner# include <linux/if_packet.h> 13126175Sfenner 13275107Sfenner /* 13398530Sfenner * On at least some Linux distributions (for example, Red Hat 5.2), 13498530Sfenner * there's no <netpacket/packet.h> file, but PF_PACKET is defined if 13598530Sfenner * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 13675107Sfenner * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 13775107Sfenner * the PACKET_xxx stuff. 13875107Sfenner * 13975107Sfenner * So we check whether PACKET_HOST is defined, and assume that we have 14075107Sfenner * PF_PACKET sockets only if it is defined. 14175107Sfenner */ 14275107Sfenner# ifdef PACKET_HOST 14375107Sfenner# define HAVE_PF_PACKET_SOCKETS 14475107Sfenner# endif /* PACKET_HOST */ 14598530Sfenner#endif /* PF_PACKET */ 14675107Sfenner 14775107Sfenner#ifdef SO_ATTACH_FILTER 14875107Sfenner#include <linux/types.h> 14975107Sfenner#include <linux/filter.h> 15026175Sfenner#endif 15126175Sfenner 15275107Sfenner#ifndef __GLIBC__ 15375107Sfennertypedef int socklen_t; 15475107Sfenner#endif 15526175Sfenner 15675107Sfenner#ifndef MSG_TRUNC 15798530Sfenner/* 15898530Sfenner * This is being compiled on a system that lacks MSG_TRUNC; define it 15998530Sfenner * with the value it has in the 2.2 and later kernels, so that, on 16098530Sfenner * those kernels, when we pass it in the flags argument to "recvfrom()" 16198530Sfenner * we're passing the right value and thus get the MSG_TRUNC behavior 16298530Sfenner * we want. (We don't get that behavior on 2.0[.x] kernels, because 16398530Sfenner * they didn't support MSG_TRUNC.) 16498530Sfenner */ 16598530Sfenner#define MSG_TRUNC 0x20 16675107Sfenner#endif 16775107Sfenner 168127664Sbms#ifndef SOL_PACKET 169127664Sbms/* 170127664Sbms * This is being compiled on a system that lacks SOL_PACKET; define it 171127664Sbms * with the value it has in the 2.2 and later kernels, so that we can 172127664Sbms * set promiscuous mode in the good modern way rather than the old 173127664Sbms * 2.0-kernel crappy way. 174127664Sbms */ 175127664Sbms#define SOL_PACKET 263 176127664Sbms#endif 177127664Sbms 17875107Sfenner#define MAX_LINKHEADER_SIZE 256 17975107Sfenner 180127664Sbms/* 181127664Sbms * When capturing on all interfaces we use this as the buffer size. 18275107Sfenner * Should be bigger then all MTUs that occur in real life. 18375107Sfenner * 64kB should be enough for now. 18475107Sfenner */ 18575107Sfenner#define BIGGER_THAN_ALL_MTUS (64*1024) 18675107Sfenner 18775107Sfenner/* 18875107Sfenner * Prototypes for internal functions 18975107Sfenner */ 190127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *, int, int); 191127664Sbmsstatic int live_open_old(pcap_t *, const char *, int, int, char *); 192127664Sbmsstatic int live_open_new(pcap_t *, const char *, int, int, char *); 193127664Sbmsstatic int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *); 19475107Sfennerstatic int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 195146768Ssamstatic int pcap_inject_linux(pcap_t *, const void *, size_t); 196127664Sbmsstatic int pcap_stats_linux(pcap_t *, struct pcap_stat *); 197127664Sbmsstatic int pcap_setfilter_linux(pcap_t *, struct bpf_program *); 198162012Ssamstatic int pcap_setdirection_linux(pcap_t *, pcap_direction_t); 199127664Sbmsstatic void pcap_close_linux(pcap_t *); 20075107Sfenner 20175107Sfenner/* 20275107Sfenner * Wrap some ioctl calls 20375107Sfenner */ 20475107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 20575107Sfennerstatic int iface_get_id(int fd, const char *device, char *ebuf); 20675107Sfenner#endif 20775107Sfennerstatic int iface_get_mtu(int fd, const char *device, char *ebuf); 20875107Sfennerstatic int iface_get_arptype(int fd, const char *device, char *ebuf); 20975107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 21075107Sfennerstatic int iface_bind(int fd, int ifindex, char *ebuf); 21175107Sfenner#endif 21275107Sfennerstatic int iface_bind_old(int fd, const char *device, char *ebuf); 21375107Sfenner 21475107Sfenner#ifdef SO_ATTACH_FILTER 21575107Sfennerstatic int fix_program(pcap_t *handle, struct sock_fprog *fcode); 21675107Sfennerstatic int fix_offset(struct bpf_insn *p); 21798530Sfennerstatic int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode); 21898530Sfennerstatic int reset_kernel_filter(pcap_t *handle); 21998530Sfenner 22098530Sfennerstatic struct sock_filter total_insn 22198530Sfenner = BPF_STMT(BPF_RET | BPF_K, 0); 22298530Sfennerstatic struct sock_fprog total_fcode 22398530Sfenner = { 1, &total_insn }; 22475107Sfenner#endif 22575107Sfenner 22675107Sfenner/* 227127664Sbms * Get a handle for a live capture from the given device. You can 228127664Sbms * pass NULL as device to get all packages (without link level 22975107Sfenner * information of course). If you pass 1 as promisc the interface 230127664Sbms * will be set to promiscous mode (XXX: I think this usage should 23175107Sfenner * be deprecated and functions be added to select that later allow 23275107Sfenner * modification of that values -- Torsten). 233127664Sbms * 23475107Sfenner * See also pcap(3). 23575107Sfenner */ 23675107Sfennerpcap_t * 237127664Sbmspcap_open_live(const char *device, int snaplen, int promisc, int to_ms, 238127664Sbms char *ebuf) 23926175Sfenner{ 24098530Sfenner pcap_t *handle; 24198530Sfenner int mtu; 242127664Sbms int err; 243127664Sbms int live_open_ok = 0; 24498530Sfenner struct utsname utsname; 24598530Sfenner 246127664Sbms#ifdef HAVE_DAG_API 247127664Sbms if (strstr(device, "dag")) { 248127664Sbms return dag_open_live(device, snaplen, promisc, to_ms, ebuf); 249127664Sbms } 250127664Sbms#endif /* HAVE_DAG_API */ 251127664Sbms 252147894Ssam#ifdef HAVE_SEPTEL_API 253147894Ssam if (strstr(device, "septel")) { 254147894Ssam return septel_open_live(device, snaplen, promisc, to_ms, ebuf); 255147894Ssam } 256147894Ssam#endif /* HAVE_SEPTEL_API */ 25726175Sfenner 258147894Ssam /* Allocate a handle for this session. */ 259147894Ssam 26098530Sfenner handle = malloc(sizeof(*handle)); 26175107Sfenner if (handle == NULL) { 26275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 26375107Sfenner pcap_strerror(errno)); 26475107Sfenner return NULL; 26575107Sfenner } 26675107Sfenner 26775107Sfenner /* Initialize some components of the pcap structure. */ 26875107Sfenner 26975107Sfenner memset(handle, 0, sizeof(*handle)); 27075107Sfenner handle->snapshot = snaplen; 27175107Sfenner handle->md.timeout = to_ms; 27275107Sfenner 27375107Sfenner /* 274127664Sbms * NULL and "any" are special devices which give us the hint to 27575107Sfenner * monitor all devices. 27675107Sfenner */ 27775107Sfenner if (!device || strcmp(device, "any") == 0) { 27875107Sfenner device = NULL; 27975107Sfenner handle->md.device = strdup("any"); 28098530Sfenner if (promisc) { 28198530Sfenner promisc = 0; 28298530Sfenner /* Just a warning. */ 28398530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 28498530Sfenner "Promiscuous mode not supported on the \"any\" device"); 28598530Sfenner } 286127664Sbms 28775107Sfenner } else 28875107Sfenner handle->md.device = strdup(device); 28975107Sfenner 29075107Sfenner if (handle->md.device == NULL) { 29175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s", 29275107Sfenner pcap_strerror(errno) ); 29375107Sfenner free(handle); 29475107Sfenner return NULL; 29575107Sfenner } 29675107Sfenner 297127664Sbms /* 298127664Sbms * Current Linux kernels use the protocol family PF_PACKET to 299127664Sbms * allow direct access to all packets on the network while 300127664Sbms * older kernels had a special socket type SOCK_PACKET to 30175107Sfenner * implement this feature. 30275107Sfenner * While this old implementation is kind of obsolete we need 303127664Sbms * to be compatible with older kernels for a while so we are 30475107Sfenner * trying both methods with the newer method preferred. 30575107Sfenner */ 30675107Sfenner 307127664Sbms if ((err = live_open_new(handle, device, promisc, to_ms, ebuf)) == 1) 308127664Sbms live_open_ok = 1; 309127664Sbms else if (err == 0) { 310127664Sbms /* Non-fatal error; try old way */ 311127664Sbms if (live_open_old(handle, device, promisc, to_ms, ebuf)) 312127664Sbms live_open_ok = 1; 313127664Sbms } 314127664Sbms if (!live_open_ok) { 315127664Sbms /* 31675107Sfenner * Both methods to open the packet socket failed. Tidy 31775107Sfenner * up and report our failure (ebuf is expected to be 318127664Sbms * set by the functions above). 31975107Sfenner */ 32075107Sfenner 321127664Sbms if (handle->md.device != NULL) 322127664Sbms free(handle->md.device); 32375107Sfenner free(handle); 32475107Sfenner return NULL; 32575107Sfenner } 32675107Sfenner 32798530Sfenner /* 32898530Sfenner * Compute the buffer size. 32998530Sfenner * 33098530Sfenner * If we're using SOCK_PACKET, this might be a 2.0[.x] kernel, 33198530Sfenner * and might require special handling - check. 33298530Sfenner */ 33398530Sfenner if (handle->md.sock_packet && (uname(&utsname) < 0 || 33498530Sfenner strncmp(utsname.release, "2.0", 3) == 0)) { 33598530Sfenner /* 33698530Sfenner * We're using a SOCK_PACKET structure, and either 33798530Sfenner * we couldn't find out what kernel release this is, 33898530Sfenner * or it's a 2.0[.x] kernel. 33998530Sfenner * 34098530Sfenner * In the 2.0[.x] kernel, a "recvfrom()" on 34198530Sfenner * a SOCK_PACKET socket, with MSG_TRUNC set, will 34298530Sfenner * return the number of bytes read, so if we pass 34398530Sfenner * a length based on the snapshot length, it'll 34498530Sfenner * return the number of bytes from the packet 34598530Sfenner * copied to userland, not the actual length 34698530Sfenner * of the packet. 34798530Sfenner * 34898530Sfenner * This means that, for example, the IP dissector 34998530Sfenner * in tcpdump will get handed a packet length less 35098530Sfenner * than the length in the IP header, and will 35198530Sfenner * complain about "truncated-ip". 35298530Sfenner * 35398530Sfenner * So we don't bother trying to copy from the 35498530Sfenner * kernel only the bytes in which we're interested, 35598530Sfenner * but instead copy them all, just as the older 35698530Sfenner * versions of libpcap for Linux did. 35798530Sfenner * 35898530Sfenner * The buffer therefore needs to be big enough to 35998530Sfenner * hold the largest packet we can get from this 36098530Sfenner * device. Unfortunately, we can't get the MRU 36198530Sfenner * of the network; we can only get the MTU. The 36298530Sfenner * MTU may be too small, in which case a packet larger 36398530Sfenner * than the buffer size will be truncated *and* we 36498530Sfenner * won't get the actual packet size. 36598530Sfenner * 36698530Sfenner * However, if the snapshot length is larger than 36798530Sfenner * the buffer size based on the MTU, we use the 36898530Sfenner * snapshot length as the buffer size, instead; 36998530Sfenner * this means that with a sufficiently large snapshot 37098530Sfenner * length we won't artificially truncate packets 37198530Sfenner * to the MTU-based size. 37298530Sfenner * 37398530Sfenner * This mess just one of many problems with packet 37498530Sfenner * capture on 2.0[.x] kernels; you really want a 37598530Sfenner * 2.2[.x] or later kernel if you want packet capture 37698530Sfenner * to work well. 37798530Sfenner */ 37898530Sfenner mtu = iface_get_mtu(handle->fd, device, ebuf); 37998530Sfenner if (mtu == -1) { 380127664Sbms pcap_close_linux(handle); 38198530Sfenner free(handle); 38298530Sfenner return NULL; 38398530Sfenner } 38498530Sfenner handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 38598530Sfenner if (handle->bufsize < handle->snapshot) 38698530Sfenner handle->bufsize = handle->snapshot; 38798530Sfenner } else { 38898530Sfenner /* 38998530Sfenner * This is a 2.2[.x] or later kernel (we know that 39098530Sfenner * either because we're not using a SOCK_PACKET 39198530Sfenner * socket - PF_PACKET is supported only in 2.2 39298530Sfenner * and later kernels - or because we checked the 39398530Sfenner * kernel version). 39498530Sfenner * 39598530Sfenner * We can safely pass "recvfrom()" a byte count 39698530Sfenner * based on the snapshot length. 39798530Sfenner */ 39898530Sfenner handle->bufsize = handle->snapshot; 39998530Sfenner } 40098530Sfenner 40198530Sfenner /* Allocate the buffer */ 40298530Sfenner 40398530Sfenner handle->buffer = malloc(handle->bufsize + handle->offset); 40498530Sfenner if (!handle->buffer) { 40598530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 40698530Sfenner "malloc: %s", pcap_strerror(errno)); 407127664Sbms pcap_close_linux(handle); 40898530Sfenner free(handle); 40998530Sfenner return NULL; 41098530Sfenner } 41198530Sfenner 412127664Sbms /* 413127664Sbms * "handle->fd" is a socket, so "select()" and "poll()" 414127664Sbms * should work on it. 415127664Sbms */ 416127664Sbms handle->selectable_fd = handle->fd; 417127664Sbms 418127664Sbms handle->read_op = pcap_read_linux; 419146768Ssam handle->inject_op = pcap_inject_linux; 420127664Sbms handle->setfilter_op = pcap_setfilter_linux; 421147894Ssam handle->setdirection_op = pcap_setdirection_linux; 422127664Sbms handle->set_datalink_op = NULL; /* can't change data link type */ 423127664Sbms handle->getnonblock_op = pcap_getnonblock_fd; 424127664Sbms handle->setnonblock_op = pcap_setnonblock_fd; 425127664Sbms handle->stats_op = pcap_stats_linux; 426127664Sbms handle->close_op = pcap_close_linux; 427127664Sbms 42875107Sfenner return handle; 42926175Sfenner} 43026175Sfenner 43175107Sfenner/* 43275107Sfenner * Read at most max_packets from the capture stream and call the callback 43375107Sfenner * for each of them. Returns the number of packets handled or -1 if an 434127664Sbms * error occured. 43575107Sfenner */ 436127664Sbmsstatic int 437127664Sbmspcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 43826175Sfenner{ 43975107Sfenner /* 44075107Sfenner * Currently, on Linux only one packet is delivered per read, 44175107Sfenner * so we don't loop. 44275107Sfenner */ 44375107Sfenner return pcap_read_packet(handle, callback, user); 44475107Sfenner} 44526175Sfenner 44675107Sfenner/* 447127664Sbms * Read a packet from the socket calling the handler provided by 44875107Sfenner * the user. Returns the number of packets received or -1 if an 44975107Sfenner * error occured. 45075107Sfenner */ 45175107Sfennerstatic int 45275107Sfennerpcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 45375107Sfenner{ 45498530Sfenner u_char *bp; 45575107Sfenner int offset; 45675107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 45775107Sfenner struct sockaddr_ll from; 45875107Sfenner struct sll_header *hdrp; 45975107Sfenner#else 46075107Sfenner struct sockaddr from; 46175107Sfenner#endif 46275107Sfenner socklen_t fromlen; 46375107Sfenner int packet_len, caplen; 46475107Sfenner struct pcap_pkthdr pcap_header; 46526175Sfenner 46675107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 46775107Sfenner /* 46875107Sfenner * If this is a cooked device, leave extra room for a 46975107Sfenner * fake packet header. 47075107Sfenner */ 47175107Sfenner if (handle->md.cooked) 47275107Sfenner offset = SLL_HDR_LEN; 47375107Sfenner else 47475107Sfenner offset = 0; 47575107Sfenner#else 47675107Sfenner /* 47775107Sfenner * This system doesn't have PF_PACKET sockets, so it doesn't 47875107Sfenner * support cooked devices. 47975107Sfenner */ 48075107Sfenner offset = 0; 48175107Sfenner#endif 48275107Sfenner 48375107Sfenner /* Receive a single packet from the kernel */ 48475107Sfenner 48598530Sfenner bp = handle->buffer + handle->offset; 48626175Sfenner do { 487127664Sbms /* 488127664Sbms * Has "pcap_breakloop()" been called? 489127664Sbms */ 490127664Sbms if (handle->break_loop) { 491127664Sbms /* 492127664Sbms * Yes - clear the flag that indicates that it 493127664Sbms * has, and return -2 as an indication that we 494127664Sbms * were told to break out of the loop. 495127664Sbms */ 496127664Sbms handle->break_loop = 0; 497127664Sbms return -2; 498127664Sbms } 49926175Sfenner fromlen = sizeof(from); 500127664Sbms packet_len = recvfrom( 50198530Sfenner handle->fd, bp + offset, 502127664Sbms handle->bufsize - offset, MSG_TRUNC, 50375107Sfenner (struct sockaddr *) &from, &fromlen); 50475107Sfenner } while (packet_len == -1 && errno == EINTR); 50526175Sfenner 50675107Sfenner /* Check if an error occured */ 50726175Sfenner 50875107Sfenner if (packet_len == -1) { 50975107Sfenner if (errno == EAGAIN) 51075107Sfenner return 0; /* no packet there */ 51175107Sfenner else { 51275107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 51375107Sfenner "recvfrom: %s", pcap_strerror(errno)); 51475107Sfenner return -1; 51526175Sfenner } 51675107Sfenner } 51726175Sfenner 51875107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 519147894Ssam if (!handle->md.sock_packet) { 520147894Ssam /* 521147894Ssam * Do checks based on packet direction. 522147894Ssam * We can only do this if we're using PF_PACKET; the 523147894Ssam * address returned for SOCK_PACKET is a "sockaddr_pkt" 524147894Ssam * which lacks the relevant packet type information. 525147894Ssam */ 526147894Ssam if (from.sll_pkttype == PACKET_OUTGOING) { 527147894Ssam /* 528147894Ssam * Outgoing packet. 529147894Ssam * If this is from the loopback device, reject it; 530147894Ssam * we'll see the packet as an incoming packet as well, 531147894Ssam * and we don't want to see it twice. 532147894Ssam */ 533147894Ssam if (from.sll_ifindex == handle->md.lo_ifindex) 534147894Ssam return 0; 535147894Ssam 536147894Ssam /* 537147894Ssam * If the user only wants incoming packets, reject it. 538147894Ssam */ 539162012Ssam if (handle->direction == PCAP_D_IN) 540147894Ssam return 0; 541147894Ssam } else { 542147894Ssam /* 543147894Ssam * Incoming packet. 544147894Ssam * If the user only wants outgoing packets, reject it. 545147894Ssam */ 546162012Ssam if (handle->direction == PCAP_D_OUT) 547147894Ssam return 0; 548147894Ssam } 549147894Ssam } 55075107Sfenner#endif 55126175Sfenner 55275107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 55375107Sfenner /* 55475107Sfenner * If this is a cooked device, fill in the fake packet header. 55575107Sfenner */ 55675107Sfenner if (handle->md.cooked) { 55775107Sfenner /* 55875107Sfenner * Add the length of the fake header to the length 55975107Sfenner * of packet data we read. 56075107Sfenner */ 56175107Sfenner packet_len += SLL_HDR_LEN; 56226175Sfenner 56398530Sfenner hdrp = (struct sll_header *)bp; 56426175Sfenner 56575107Sfenner /* 56675107Sfenner * Map the PACKET_ value to a LINUX_SLL_ value; we 56775107Sfenner * want the same numerical value to be used in 56875107Sfenner * the link-layer header even if the numerical values 56975107Sfenner * for the PACKET_ #defines change, so that programs 57075107Sfenner * that look at the packet type field will always be 57175107Sfenner * able to handle DLT_LINUX_SLL captures. 57275107Sfenner */ 57375107Sfenner switch (from.sll_pkttype) { 57426175Sfenner 57575107Sfenner case PACKET_HOST: 57675107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_HOST); 57775107Sfenner break; 57826175Sfenner 57975107Sfenner case PACKET_BROADCAST: 58075107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST); 58175107Sfenner break; 58275107Sfenner 58375107Sfenner case PACKET_MULTICAST: 58475107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST); 58575107Sfenner break; 58675107Sfenner 58775107Sfenner case PACKET_OTHERHOST: 58875107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST); 58975107Sfenner break; 59075107Sfenner 59175107Sfenner case PACKET_OUTGOING: 59275107Sfenner hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING); 59375107Sfenner break; 59475107Sfenner 59575107Sfenner default: 59675107Sfenner hdrp->sll_pkttype = -1; 59775107Sfenner break; 59826175Sfenner } 59975107Sfenner 60075107Sfenner hdrp->sll_hatype = htons(from.sll_hatype); 60175107Sfenner hdrp->sll_halen = htons(from.sll_halen); 60275107Sfenner memcpy(hdrp->sll_addr, from.sll_addr, 60375107Sfenner (from.sll_halen > SLL_ADDRLEN) ? 60475107Sfenner SLL_ADDRLEN : 60575107Sfenner from.sll_halen); 60675107Sfenner hdrp->sll_protocol = from.sll_protocol; 60726175Sfenner } 60875107Sfenner#endif 60975107Sfenner 61075107Sfenner /* 611127664Sbms * XXX: According to the kernel source we should get the real 612127664Sbms * packet len if calling recvfrom with MSG_TRUNC set. It does 61375107Sfenner * not seem to work here :(, but it is supported by this code 614127664Sbms * anyway. 61575107Sfenner * To be honest the code RELIES on that feature so this is really 61675107Sfenner * broken with 2.2.x kernels. 61775107Sfenner * I spend a day to figure out what's going on and I found out 618127664Sbms * that the following is happening: 61975107Sfenner * 620127664Sbms * The packet comes from a random interface and the packet_rcv 62175107Sfenner * hook is called with a clone of the packet. That code inserts 62275107Sfenner * the packet into the receive queue of the packet socket. 62375107Sfenner * If a filter is attached to that socket that filter is run 62475107Sfenner * first - and there lies the problem. The default filter always 62575107Sfenner * cuts the packet at the snaplen: 62675107Sfenner * 62775107Sfenner * # tcpdump -d 62875107Sfenner * (000) ret #68 62975107Sfenner * 630127664Sbms * So the packet filter cuts down the packet. The recvfrom call 63175107Sfenner * says "hey, it's only 68 bytes, it fits into the buffer" with 632127664Sbms * the result that we don't get the real packet length. This 633127664Sbms * is valid at least until kernel 2.2.17pre6. 63475107Sfenner * 63575107Sfenner * We currently handle this by making a copy of the filter 63675107Sfenner * program, fixing all "ret" instructions with non-zero 63775107Sfenner * operands to have an operand of 65535 so that the filter 63875107Sfenner * doesn't truncate the packet, and supplying that modified 63975107Sfenner * filter to the kernel. 64075107Sfenner */ 64175107Sfenner 64275107Sfenner caplen = packet_len; 64375107Sfenner if (caplen > handle->snapshot) 64475107Sfenner caplen = handle->snapshot; 64575107Sfenner 64675107Sfenner /* Run the packet filter if not using kernel filter */ 64775107Sfenner if (!handle->md.use_bpf && handle->fcode.bf_insns) { 64898530Sfenner if (bpf_filter(handle->fcode.bf_insns, bp, 64975107Sfenner packet_len, caplen) == 0) 65075107Sfenner { 65175107Sfenner /* rejected by filter */ 65275107Sfenner return 0; 65375107Sfenner } 65475107Sfenner } 65575107Sfenner 65675107Sfenner /* Fill in our own header data */ 65775107Sfenner 65875107Sfenner if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 65975107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 66075107Sfenner "ioctl: %s", pcap_strerror(errno)); 66175107Sfenner return -1; 66275107Sfenner } 66375107Sfenner pcap_header.caplen = caplen; 66475107Sfenner pcap_header.len = packet_len; 66575107Sfenner 66698530Sfenner /* 66798530Sfenner * Count the packet. 66898530Sfenner * 66998530Sfenner * Arguably, we should count them before we check the filter, 67098530Sfenner * as on many other platforms "ps_recv" counts packets 67198530Sfenner * handed to the filter rather than packets that passed 67298530Sfenner * the filter, but if filtering is done in the kernel, we 67398530Sfenner * can't get a count of packets that passed the filter, 67498530Sfenner * and that would mean the meaning of "ps_recv" wouldn't 67598530Sfenner * be the same on all Linux systems. 67698530Sfenner * 67798530Sfenner * XXX - it's not the same on all systems in any case; 67898530Sfenner * ideally, we should have a "get the statistics" call 67998530Sfenner * that supplies more counts and indicates which of them 68098530Sfenner * it supplies, so that we supply a count of packets 68198530Sfenner * handed to the filter only on platforms where that 68298530Sfenner * information is available. 68398530Sfenner * 68498530Sfenner * We count them here even if we can get the packet count 68598530Sfenner * from the kernel, as we can only determine at run time 68698530Sfenner * whether we'll be able to get it from the kernel (if 68798530Sfenner * HAVE_TPACKET_STATS isn't defined, we can't get it from 68898530Sfenner * the kernel, but if it is defined, the library might 68998530Sfenner * have been built with a 2.4 or later kernel, but we 69098530Sfenner * might be running on a 2.2[.x] kernel without Alexey 69198530Sfenner * Kuznetzov's turbopacket patches, and thus the kernel 69298530Sfenner * might not be able to supply those statistics). We 69398530Sfenner * could, I guess, try, when opening the socket, to get 69498530Sfenner * the statistics, and if we can not increment the count 69598530Sfenner * here, but it's not clear that always incrementing 69698530Sfenner * the count is more expensive than always testing a flag 69798530Sfenner * in memory. 69898530Sfenner */ 69975107Sfenner handle->md.stat.ps_recv++; 70075107Sfenner 70198530Sfenner /* Call the user supplied callback function */ 70298530Sfenner callback(userdata, &pcap_header, bp); 70398530Sfenner 70475107Sfenner return 1; 70526175Sfenner} 70626175Sfenner 707146768Ssamstatic int 708146768Ssampcap_inject_linux(pcap_t *handle, const void *buf, size_t size) 709146768Ssam{ 710146768Ssam int ret; 711146768Ssam 712146768Ssam#ifdef HAVE_PF_PACKET_SOCKETS 713146768Ssam if (!handle->md.sock_packet) { 714146768Ssam /* PF_PACKET socket */ 715146768Ssam if (handle->md.ifindex == -1) { 716146768Ssam /* 717146768Ssam * We don't support sending on the "any" device. 718146768Ssam */ 719146768Ssam strlcpy(handle->errbuf, 720146768Ssam "Sending packets isn't supported on the \"any\" device", 721146768Ssam PCAP_ERRBUF_SIZE); 722146768Ssam return (-1); 723146768Ssam } 724146768Ssam 725146768Ssam if (handle->md.cooked) { 726146768Ssam /* 727146768Ssam * We don't support sending on the "any" device. 728146768Ssam * 729146768Ssam * XXX - how do you send on a bound cooked-mode 730146768Ssam * socket? 731146768Ssam * Is a "sendto()" required there? 732146768Ssam */ 733146768Ssam strlcpy(handle->errbuf, 734146768Ssam "Sending packets isn't supported in cooked mode", 735146768Ssam PCAP_ERRBUF_SIZE); 736146768Ssam return (-1); 737146768Ssam } 738146768Ssam } 739146768Ssam#endif 740146768Ssam 741146768Ssam ret = send(handle->fd, buf, size, 0); 742146768Ssam if (ret == -1) { 743146768Ssam snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 744146768Ssam pcap_strerror(errno)); 745146768Ssam return (-1); 746146768Ssam } 747146768Ssam return (ret); 748146768Ssam} 749146768Ssam 75075107Sfenner/* 75175107Sfenner * Get the statistics for the given packet capture handle. 75298530Sfenner * Reports the number of dropped packets iff the kernel supports 75398530Sfenner * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later 75498530Sfenner * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket 75598530Sfenner * patches); otherwise, that information isn't available, and we lie 75698530Sfenner * and report 0 as the count of dropped packets. 75775107Sfenner */ 758127664Sbmsstatic int 759127664Sbmspcap_stats_linux(pcap_t *handle, struct pcap_stat *stats) 76026175Sfenner{ 76198530Sfenner#ifdef HAVE_TPACKET_STATS 76298530Sfenner struct tpacket_stats kstats; 76398530Sfenner socklen_t len = sizeof (struct tpacket_stats); 764127664Sbms#endif 76598530Sfenner 766127664Sbms#ifdef HAVE_TPACKET_STATS 76798530Sfenner /* 76898530Sfenner * Try to get the packet counts from the kernel. 76998530Sfenner */ 77098530Sfenner if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, 77198530Sfenner &kstats, &len) > -1) { 77298530Sfenner /* 77398530Sfenner * In "linux/net/packet/af_packet.c", at least in the 77498530Sfenner * 2.4.9 kernel, "tp_packets" is incremented for every 77598530Sfenner * packet that passes the packet filter *and* is 77698530Sfenner * successfully queued on the socket; "tp_drops" is 77798530Sfenner * incremented for every packet dropped because there's 77898530Sfenner * not enough free space in the socket buffer. 77998530Sfenner * 78098530Sfenner * When the statistics are returned for a PACKET_STATISTICS 78198530Sfenner * "getsockopt()" call, "tp_drops" is added to "tp_packets", 78298530Sfenner * so that "tp_packets" counts all packets handed to 78398530Sfenner * the PF_PACKET socket, including packets dropped because 78498530Sfenner * there wasn't room on the socket buffer - but not 78598530Sfenner * including packets that didn't pass the filter. 78698530Sfenner * 78798530Sfenner * In the BSD BPF, the count of received packets is 78898530Sfenner * incremented for every packet handed to BPF, regardless 78998530Sfenner * of whether it passed the filter. 79098530Sfenner * 79198530Sfenner * We can't make "pcap_stats()" work the same on both 79298530Sfenner * platforms, but the best approximation is to return 79398530Sfenner * "tp_packets" as the count of packets and "tp_drops" 79498530Sfenner * as the count of drops. 795146768Ssam * 796146768Ssam * Keep a running total because each call to 797146768Ssam * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, .... 798146768Ssam * resets the counters to zero. 79998530Sfenner */ 800146768Ssam handle->md.stat.ps_recv += kstats.tp_packets; 801146768Ssam handle->md.stat.ps_drop += kstats.tp_drops; 80298530Sfenner } 80398530Sfenner else 80498530Sfenner { 80598530Sfenner /* 80698530Sfenner * If the error was EOPNOTSUPP, fall through, so that 80798530Sfenner * if you build the library on a system with 80898530Sfenner * "struct tpacket_stats" and run it on a system 80998530Sfenner * that doesn't, it works as it does if the library 81098530Sfenner * is built on a system without "struct tpacket_stats". 81198530Sfenner */ 81298530Sfenner if (errno != EOPNOTSUPP) { 81398530Sfenner snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 81498530Sfenner "pcap_stats: %s", pcap_strerror(errno)); 81598530Sfenner return -1; 81698530Sfenner } 81798530Sfenner } 81898530Sfenner#endif 81998530Sfenner /* 82098530Sfenner * On systems where the PACKET_STATISTICS "getsockopt()" argument 82198530Sfenner * is supported on PF_PACKET sockets: 82298530Sfenner * 82398530Sfenner * "ps_recv" counts only packets that *passed* the filter, 82498530Sfenner * not packets that didn't pass the filter. This includes 82598530Sfenner * packets later dropped because we ran out of buffer space. 82698530Sfenner * 82798530Sfenner * "ps_drop" counts packets dropped because we ran out of 82898530Sfenner * buffer space. It doesn't count packets dropped by the 82998530Sfenner * interface driver. It counts only packets that passed 83098530Sfenner * the filter. 83198530Sfenner * 83298530Sfenner * Both statistics include packets not yet read from the 83398530Sfenner * kernel by libpcap, and thus not yet seen by the application. 83498530Sfenner * 83598530Sfenner * On systems where the PACKET_STATISTICS "getsockopt()" argument 83698530Sfenner * is not supported on PF_PACKET sockets: 83798530Sfenner * 83898530Sfenner * "ps_recv" counts only packets that *passed* the filter, 83998530Sfenner * not packets that didn't pass the filter. It does not 84098530Sfenner * count packets dropped because we ran out of buffer 84198530Sfenner * space. 84298530Sfenner * 84398530Sfenner * "ps_drop" is not supported. 84498530Sfenner * 84598530Sfenner * "ps_recv" doesn't include packets not yet read from 84698530Sfenner * the kernel by libpcap. 84798530Sfenner */ 84875107Sfenner *stats = handle->md.stat; 84975107Sfenner return 0; 85075107Sfenner} 85126175Sfenner 85275107Sfenner/* 853127664Sbms * Description string for the "any" device. 85475107Sfenner */ 855127664Sbmsstatic const char any_descr[] = "Pseudo-device that captures on all interfaces"; 856127664Sbms 85775107Sfennerint 858127664Sbmspcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 85975107Sfenner{ 860127664Sbms if (pcap_add_if(alldevsp, "any", 0, any_descr, errbuf) < 0) 861127664Sbms return (-1); 862127664Sbms 863127664Sbms#ifdef HAVE_DAG_API 864127664Sbms if (dag_platform_finddevs(alldevsp, errbuf) < 0) 865127664Sbms return (-1); 866127664Sbms#endif /* HAVE_DAG_API */ 867127664Sbms 868147894Ssam#ifdef HAVE_SEPTEL_API 869147894Ssam if (septel_platform_finddevs(alldevsp, errbuf) < 0) 870147894Ssam return (-1); 871147894Ssam#endif /* HAVE_SEPTEL_API */ 872147894Ssam 873127664Sbms return (0); 874127664Sbms} 875127664Sbms 876127664Sbms/* 877127664Sbms * Attach the given BPF code to the packet capture device. 878127664Sbms */ 879127664Sbmsstatic int 880127664Sbmspcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter) 881127664Sbms{ 88275107Sfenner#ifdef SO_ATTACH_FILTER 88375107Sfenner struct sock_fprog fcode; 88475107Sfenner int can_filter_in_kernel; 885127664Sbms int err = 0; 88675107Sfenner#endif 88775107Sfenner 88875107Sfenner if (!handle) 88975107Sfenner return -1; 89075107Sfenner if (!filter) { 89175107Sfenner strncpy(handle->errbuf, "setfilter: No filter specified", 89275107Sfenner sizeof(handle->errbuf)); 89375107Sfenner return -1; 89426175Sfenner } 89526175Sfenner 89675107Sfenner /* Make our private copy of the filter */ 89775107Sfenner 898127664Sbms if (install_bpf_program(handle, filter) < 0) 899127664Sbms /* install_bpf_program() filled in errbuf */ 90075107Sfenner return -1; 90139291Sfenner 902127664Sbms /* 903127664Sbms * Run user level packet filter by default. Will be overriden if 904127664Sbms * installing a kernel filter succeeds. 90575107Sfenner */ 90675107Sfenner handle->md.use_bpf = 0; 90775107Sfenner 90875107Sfenner /* Install kernel level filter if possible */ 90975107Sfenner 91075107Sfenner#ifdef SO_ATTACH_FILTER 91175107Sfenner#ifdef USHRT_MAX 91275107Sfenner if (handle->fcode.bf_len > USHRT_MAX) { 91375107Sfenner /* 914127664Sbms * fcode.len is an unsigned short for current kernel. 91575107Sfenner * I have yet to see BPF-Code with that much 91675107Sfenner * instructions but still it is possible. So for the 91775107Sfenner * sake of correctness I added this check. 91875107Sfenner */ 91975107Sfenner fprintf(stderr, "Warning: Filter too complex for kernel\n"); 92075107Sfenner fcode.filter = NULL; 92175107Sfenner can_filter_in_kernel = 0; 92275107Sfenner } else 92375107Sfenner#endif /* USHRT_MAX */ 92475107Sfenner { 92575107Sfenner /* 92675107Sfenner * Oh joy, the Linux kernel uses struct sock_fprog instead 92775107Sfenner * of struct bpf_program and of course the length field is 92875107Sfenner * of different size. Pointed out by Sebastian 92975107Sfenner * 93075107Sfenner * Oh, and we also need to fix it up so that all "ret" 93175107Sfenner * instructions with non-zero operands have 65535 as the 93275107Sfenner * operand, and so that, if we're in cooked mode, all 93375107Sfenner * memory-reference instructions use special magic offsets 93475107Sfenner * in references to the link-layer header and assume that 93575107Sfenner * the link-layer payload begins at 0; "fix_program()" 93675107Sfenner * will do that. 93775107Sfenner */ 93875107Sfenner switch (fix_program(handle, &fcode)) { 93975107Sfenner 94075107Sfenner case -1: 94175107Sfenner default: 94275107Sfenner /* 94375107Sfenner * Fatal error; just quit. 94475107Sfenner * (The "default" case shouldn't happen; we 94575107Sfenner * return -1 for that reason.) 94675107Sfenner */ 94775107Sfenner return -1; 94875107Sfenner 94975107Sfenner case 0: 95075107Sfenner /* 95175107Sfenner * The program performed checks that we can't make 95275107Sfenner * work in the kernel. 95375107Sfenner */ 95475107Sfenner can_filter_in_kernel = 0; 95575107Sfenner break; 95675107Sfenner 95775107Sfenner case 1: 95875107Sfenner /* 95975107Sfenner * We have a filter that'll work in the kernel. 96075107Sfenner */ 96175107Sfenner can_filter_in_kernel = 1; 96275107Sfenner break; 96375107Sfenner } 96439291Sfenner } 96539291Sfenner 96675107Sfenner if (can_filter_in_kernel) { 967127664Sbms if ((err = set_kernel_filter(handle, &fcode)) == 0) 96875107Sfenner { 96975107Sfenner /* Installation succeded - using kernel filter. */ 97075107Sfenner handle->md.use_bpf = 1; 97175107Sfenner } 972127664Sbms else if (err == -1) /* Non-fatal error */ 97375107Sfenner { 974127664Sbms /* 97575107Sfenner * Print a warning if we weren't able to install 97675107Sfenner * the filter for a reason other than "this kernel 97775107Sfenner * isn't configured to support socket filters. 97875107Sfenner */ 97975107Sfenner if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 98075107Sfenner fprintf(stderr, 981127664Sbms "Warning: Kernel filter failed: %s\n", 98275107Sfenner pcap_strerror(errno)); 98375107Sfenner } 98475107Sfenner } 98539291Sfenner } 98639291Sfenner 98775107Sfenner /* 98898530Sfenner * If we're not using the kernel filter, get rid of any kernel 98998530Sfenner * filter that might've been there before, e.g. because the 99098530Sfenner * previous filter could work in the kernel, or because some other 99198530Sfenner * code attached a filter to the socket by some means other than 99298530Sfenner * calling "pcap_setfilter()". Otherwise, the kernel filter may 99398530Sfenner * filter out packets that would pass the new userland filter. 99498530Sfenner */ 99598530Sfenner if (!handle->md.use_bpf) 99698530Sfenner reset_kernel_filter(handle); 99798530Sfenner 99898530Sfenner /* 99975107Sfenner * Free up the copy of the filter that was made by "fix_program()". 100075107Sfenner */ 100175107Sfenner if (fcode.filter != NULL) 100275107Sfenner free(fcode.filter); 1003127664Sbms 1004127664Sbms if (err == -2) 1005127664Sbms /* Fatal error */ 1006127664Sbms return -1; 100775107Sfenner#endif /* SO_ATTACH_FILTER */ 100875107Sfenner 100975107Sfenner return 0; 101075107Sfenner} 101175107Sfenner 101275107Sfenner/* 1013147894Ssam * Set direction flag: Which packets do we accept on a forwarding 1014147894Ssam * single device? IN, OUT or both? 1015147894Ssam */ 1016147894Ssamstatic int 1017162012Ssampcap_setdirection_linux(pcap_t *handle, pcap_direction_t d) 1018147894Ssam{ 1019147894Ssam#ifdef HAVE_PF_PACKET_SOCKETS 1020147894Ssam if (!handle->md.sock_packet) { 1021147894Ssam handle->direction = d; 1022147894Ssam return 0; 1023147894Ssam } 1024147894Ssam#endif 1025147894Ssam /* 1026147894Ssam * We're not using PF_PACKET sockets, so we can't determine 1027147894Ssam * the direction of the packet. 1028147894Ssam */ 1029147894Ssam snprintf(handle->errbuf, sizeof(handle->errbuf), 1030147894Ssam "Setting direction is not supported on SOCK_PACKET sockets"); 1031147894Ssam return -1; 1032147894Ssam} 1033147894Ssam 1034147894Ssam/* 1035127664Sbms * Linux uses the ARP hardware type to identify the type of an 1036127664Sbms * interface. pcap uses the DLT_xxx constants for this. This 103798530Sfenner * function takes a pointer to a "pcap_t", and an ARPHRD_xxx 103898530Sfenner * constant, as arguments, and sets "handle->linktype" to the 103998530Sfenner * appropriate DLT_XXX constant and sets "handle->offset" to 104098530Sfenner * the appropriate value (to make "handle->offset" plus link-layer 104198530Sfenner * header length be a multiple of 4, so that the link-layer payload 104298530Sfenner * will be aligned on a 4-byte boundary when capturing packets). 104398530Sfenner * (If the offset isn't set here, it'll be 0; add code as appropriate 104498530Sfenner * for cases where it shouldn't be 0.) 1045127664Sbms * 1046127664Sbms * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture 1047127664Sbms * in cooked mode; otherwise, we can't use cooked mode, so we have 1048127664Sbms * to pick some type that works in raw mode, or fail. 1049127664Sbms * 105098530Sfenner * Sets the link type to -1 if unable to map the type. 105175107Sfenner */ 1052127664Sbmsstatic void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok) 105375107Sfenner{ 105475107Sfenner switch (arptype) { 105598530Sfenner 105639291Sfenner case ARPHRD_ETHER: 1057146768Ssam /* 1058146768Ssam * This is (presumably) a real Ethernet capture; give it a 1059146768Ssam * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 1060146768Ssam * that an application can let you choose it, in case you're 1061146768Ssam * capturing DOCSIS traffic that a Cisco Cable Modem 1062146768Ssam * Termination System is putting out onto an Ethernet (it 1063146768Ssam * doesn't put an Ethernet header onto the wire, it puts raw 1064146768Ssam * DOCSIS frames out on the wire inside the low-level 1065146768Ssam * Ethernet framing). 1066146768Ssam * 1067146768Ssam * XXX - are there any sorts of "fake Ethernet" that have 1068146768Ssam * ARPHRD_ETHER but that *shouldn't offer DLT_DOCSIS as 1069146768Ssam * a Cisco CMTS won't put traffic onto it or get traffic 1070146768Ssam * bridged onto it? ISDN is handled in "live_open_new()", 1071146768Ssam * as we fall back on cooked mode there; are there any 1072146768Ssam * others? 1073146768Ssam */ 1074146768Ssam handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1075146768Ssam /* 1076146768Ssam * If that fails, just leave the list empty. 1077146768Ssam */ 1078146768Ssam if (handle->dlt_list != NULL) { 1079146768Ssam handle->dlt_list[0] = DLT_EN10MB; 1080146768Ssam handle->dlt_list[1] = DLT_DOCSIS; 1081146768Ssam handle->dlt_count = 2; 1082146768Ssam } 1083146768Ssam /* FALLTHROUGH */ 1084146768Ssam 108539291Sfenner case ARPHRD_METRICOM: 108698530Sfenner case ARPHRD_LOOPBACK: 108798530Sfenner handle->linktype = DLT_EN10MB; 108898530Sfenner handle->offset = 2; 108998530Sfenner break; 109098530Sfenner 109198530Sfenner case ARPHRD_EETHER: 109298530Sfenner handle->linktype = DLT_EN3MB; 109398530Sfenner break; 109498530Sfenner 109598530Sfenner case ARPHRD_AX25: 109698530Sfenner handle->linktype = DLT_AX25; 109798530Sfenner break; 109898530Sfenner 109998530Sfenner case ARPHRD_PRONET: 110098530Sfenner handle->linktype = DLT_PRONET; 110198530Sfenner break; 110298530Sfenner 110398530Sfenner case ARPHRD_CHAOS: 110498530Sfenner handle->linktype = DLT_CHAOS; 110598530Sfenner break; 110698530Sfenner 110775107Sfenner#ifndef ARPHRD_IEEE802_TR 110875107Sfenner#define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 110975107Sfenner#endif 111075107Sfenner case ARPHRD_IEEE802_TR: 111198530Sfenner case ARPHRD_IEEE802: 111298530Sfenner handle->linktype = DLT_IEEE802; 111398530Sfenner handle->offset = 2; 111498530Sfenner break; 111539291Sfenner 111698530Sfenner case ARPHRD_ARCNET: 1117127664Sbms handle->linktype = DLT_ARCNET_LINUX; 111898530Sfenner break; 111998530Sfenner 1120127664Sbms#ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ 1121127664Sbms#define ARPHRD_FDDI 774 1122127664Sbms#endif 112398530Sfenner case ARPHRD_FDDI: 112498530Sfenner handle->linktype = DLT_FDDI; 112598530Sfenner handle->offset = 3; 112698530Sfenner break; 112798530Sfenner 112875107Sfenner#ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 112975107Sfenner#define ARPHRD_ATM 19 113075107Sfenner#endif 113198530Sfenner case ARPHRD_ATM: 113298530Sfenner /* 113398530Sfenner * The Classical IP implementation in ATM for Linux 113498530Sfenner * supports both what RFC 1483 calls "LLC Encapsulation", 113598530Sfenner * in which each packet has an LLC header, possibly 113698530Sfenner * with a SNAP header as well, prepended to it, and 113798530Sfenner * what RFC 1483 calls "VC Based Multiplexing", in which 113898530Sfenner * different virtual circuits carry different network 113998530Sfenner * layer protocols, and no header is prepended to packets. 114098530Sfenner * 114198530Sfenner * They both have an ARPHRD_ type of ARPHRD_ATM, so 114298530Sfenner * you can't use the ARPHRD_ type to find out whether 114398530Sfenner * captured packets will have an LLC header, and, 114498530Sfenner * while there's a socket ioctl to *set* the encapsulation 114598530Sfenner * type, there's no ioctl to *get* the encapsulation type. 114698530Sfenner * 114798530Sfenner * This means that 114898530Sfenner * 114998530Sfenner * programs that dissect Linux Classical IP frames 115098530Sfenner * would have to check for an LLC header and, 115198530Sfenner * depending on whether they see one or not, dissect 115298530Sfenner * the frame as LLC-encapsulated or as raw IP (I 115398530Sfenner * don't know whether there's any traffic other than 115498530Sfenner * IP that would show up on the socket, or whether 115598530Sfenner * there's any support for IPv6 in the Linux 115698530Sfenner * Classical IP code); 115798530Sfenner * 115898530Sfenner * filter expressions would have to compile into 115998530Sfenner * code that checks for an LLC header and does 116098530Sfenner * the right thing. 116198530Sfenner * 116298530Sfenner * Both of those are a nuisance - and, at least on systems 116398530Sfenner * that support PF_PACKET sockets, we don't have to put 116498530Sfenner * up with those nuisances; instead, we can just capture 1165127664Sbms * in cooked mode. That's what we'll do, if we can. 1166127664Sbms * Otherwise, we'll just fail. 116798530Sfenner */ 1168127664Sbms if (cooked_ok) 1169127664Sbms handle->linktype = DLT_LINUX_SLL; 1170127664Sbms else 1171127664Sbms handle->linktype = -1; 117298530Sfenner break; 117339291Sfenner 117498530Sfenner#ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ 117598530Sfenner#define ARPHRD_IEEE80211 801 117698530Sfenner#endif 117798530Sfenner case ARPHRD_IEEE80211: 117898530Sfenner handle->linktype = DLT_IEEE802_11; 117998530Sfenner break; 118098530Sfenner 1181127664Sbms#ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ 1182127664Sbms#define ARPHRD_IEEE80211_PRISM 802 1183127664Sbms#endif 1184127664Sbms case ARPHRD_IEEE80211_PRISM: 1185127664Sbms handle->linktype = DLT_PRISM_HEADER; 1186127664Sbms break; 1187127664Sbms 1188162012Ssam#ifndef ARPHRD_IEEE80211_RADIOTAP /* new */ 1189162012Ssam#define ARPHRD_IEEE80211_RADIOTAP 803 1190162012Ssam#endif 1191162012Ssam case ARPHRD_IEEE80211_RADIOTAP: 1192162012Ssam handle->linktype = DLT_IEEE802_11_RADIO; 1193162012Ssam break; 1194162012Ssam 119575107Sfenner case ARPHRD_PPP: 119698530Sfenner /* 119798530Sfenner * Some PPP code in the kernel supplies no link-layer 119898530Sfenner * header whatsoever to PF_PACKET sockets; other PPP 119998530Sfenner * code supplies PPP link-layer headers ("syncppp.c"); 120098530Sfenner * some PPP code might supply random link-layer 120198530Sfenner * headers (PPP over ISDN - there's code in Ethereal, 120298530Sfenner * for example, to cope with PPP-over-ISDN captures 120398530Sfenner * with which the Ethereal developers have had to cope, 120498530Sfenner * heuristically trying to determine which of the 120598530Sfenner * oddball link-layer headers particular packets have). 120698530Sfenner * 120798530Sfenner * As such, we just punt, and run all PPP interfaces 1208127664Sbms * in cooked mode, if we can; otherwise, we just treat 1209127664Sbms * it as DLT_RAW, for now - if somebody needs to capture, 1210127664Sbms * on a 2.0[.x] kernel, on PPP devices that supply a 1211127664Sbms * link-layer header, they'll have to add code here to 1212127664Sbms * map to the appropriate DLT_ type (possibly adding a 1213127664Sbms * new DLT_ type, if necessary). 121498530Sfenner */ 1215127664Sbms if (cooked_ok) 1216127664Sbms handle->linktype = DLT_LINUX_SLL; 1217127664Sbms else { 1218127664Sbms /* 1219127664Sbms * XXX - handle ISDN types here? We can't fall 1220127664Sbms * back on cooked sockets, so we'd have to 1221127664Sbms * figure out from the device name what type of 1222127664Sbms * link-layer encapsulation it's using, and map 1223127664Sbms * that to an appropriate DLT_ value, meaning 1224127664Sbms * we'd map "isdnN" devices to DLT_RAW (they 1225127664Sbms * supply raw IP packets with no link-layer 1226127664Sbms * header) and "isdY" devices to a new DLT_I4L_IP 1227127664Sbms * type that has only an Ethernet packet type as 1228127664Sbms * a link-layer header. 1229127664Sbms * 1230127664Sbms * But sometimes we seem to get random crap 1231127664Sbms * in the link-layer header when capturing on 1232127664Sbms * ISDN devices.... 1233127664Sbms */ 1234127664Sbms handle->linktype = DLT_RAW; 1235127664Sbms } 123698530Sfenner break; 123798530Sfenner 1238127664Sbms#ifndef ARPHRD_CISCO 1239127664Sbms#define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */ 1240127664Sbms#endif 1241127664Sbms case ARPHRD_CISCO: 124298530Sfenner handle->linktype = DLT_C_HDLC; 124398530Sfenner break; 124498530Sfenner 124575107Sfenner /* Not sure if this is correct for all tunnels, but it 124675107Sfenner * works for CIPE */ 124775107Sfenner case ARPHRD_TUNNEL: 124875107Sfenner#ifndef ARPHRD_SIT 1249127664Sbms#define ARPHRD_SIT 776 /* From Linux 2.2.13 */ 125075107Sfenner#endif 125175107Sfenner case ARPHRD_SIT: 125275107Sfenner case ARPHRD_CSLIP: 125375107Sfenner case ARPHRD_SLIP6: 125475107Sfenner case ARPHRD_CSLIP6: 125598530Sfenner case ARPHRD_ADAPT: 125698530Sfenner case ARPHRD_SLIP: 1257127664Sbms#ifndef ARPHRD_RAWHDLC 1258127664Sbms#define ARPHRD_RAWHDLC 518 1259127664Sbms#endif 1260127664Sbms case ARPHRD_RAWHDLC: 1261127664Sbms#ifndef ARPHRD_DLCI 1262127664Sbms#define ARPHRD_DLCI 15 1263127664Sbms#endif 1264127664Sbms case ARPHRD_DLCI: 126598530Sfenner /* 126698530Sfenner * XXX - should some of those be mapped to DLT_LINUX_SLL 126798530Sfenner * instead? Should we just map all of them to DLT_LINUX_SLL? 126898530Sfenner */ 126998530Sfenner handle->linktype = DLT_RAW; 127098530Sfenner break; 127198530Sfenner 1272127664Sbms#ifndef ARPHRD_FRAD 1273127664Sbms#define ARPHRD_FRAD 770 1274127664Sbms#endif 1275127664Sbms case ARPHRD_FRAD: 1276127664Sbms handle->linktype = DLT_FRELAY; 1277127664Sbms break; 1278127664Sbms 127998530Sfenner case ARPHRD_LOCALTLK: 128098530Sfenner handle->linktype = DLT_LTALK; 128198530Sfenner break; 128298530Sfenner 1283127664Sbms#ifndef ARPHRD_FCPP 1284127664Sbms#define ARPHRD_FCPP 784 1285127664Sbms#endif 1286127664Sbms case ARPHRD_FCPP: 1287127664Sbms#ifndef ARPHRD_FCAL 1288127664Sbms#define ARPHRD_FCAL 785 1289127664Sbms#endif 1290127664Sbms case ARPHRD_FCAL: 1291127664Sbms#ifndef ARPHRD_FCPL 1292127664Sbms#define ARPHRD_FCPL 786 1293127664Sbms#endif 1294127664Sbms case ARPHRD_FCPL: 1295127664Sbms#ifndef ARPHRD_FCFABRIC 1296127664Sbms#define ARPHRD_FCFABRIC 787 1297127664Sbms#endif 1298127664Sbms case ARPHRD_FCFABRIC: 1299127664Sbms /* 1300127664Sbms * We assume that those all mean RFC 2625 IP-over- 1301127664Sbms * Fibre Channel, with the RFC 2625 header at 1302127664Sbms * the beginning of the packet. 1303127664Sbms */ 1304127664Sbms handle->linktype = DLT_IP_OVER_FC; 1305127664Sbms break; 1306127664Sbms 1307146768Ssam#ifndef ARPHRD_IRDA 1308146768Ssam#define ARPHRD_IRDA 783 1309146768Ssam#endif 1310127664Sbms case ARPHRD_IRDA: 1311127664Sbms /* Don't expect IP packet out of this interfaces... */ 1312127664Sbms handle->linktype = DLT_LINUX_IRDA; 1313127664Sbms /* We need to save packet direction for IrDA decoding, 1314127664Sbms * so let's use "Linux-cooked" mode. Jean II */ 1315127664Sbms //handle->md.cooked = 1; 1316127664Sbms break; 1317127664Sbms 131898530Sfenner default: 131998530Sfenner handle->linktype = -1; 132098530Sfenner break; 132175107Sfenner } 132275107Sfenner} 132339291Sfenner 132475107Sfenner/* ===== Functions to interface to the newer kernels ================== */ 132539291Sfenner 132675107Sfenner/* 132775107Sfenner * Try to open a packet socket using the new kernel interface. 132875107Sfenner * Returns 0 on failure. 132975107Sfenner * FIXME: 0 uses to mean success (Sebastian) 133075107Sfenner */ 133175107Sfennerstatic int 1332127664Sbmslive_open_new(pcap_t *handle, const char *device, int promisc, 133375107Sfenner int to_ms, char *ebuf) 133475107Sfenner{ 133575107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 1336146768Ssam int sock_fd = -1, arptype; 1337127664Sbms int err; 1338127664Sbms int fatal_err = 0; 133975107Sfenner struct packet_mreq mr; 134039291Sfenner 134175107Sfenner /* One shot loop used for error handling - bail out with break */ 134239291Sfenner 134375107Sfenner do { 134475107Sfenner /* 134575107Sfenner * Open a socket with protocol family packet. If a device is 1346127664Sbms * given we try to open it in raw mode otherwise we use 1347127664Sbms * the cooked interface. 134875107Sfenner */ 1349127664Sbms sock_fd = device ? 135075107Sfenner socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) 135175107Sfenner : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); 135239291Sfenner 135375107Sfenner if (sock_fd == -1) { 135475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s", 135575107Sfenner pcap_strerror(errno) ); 135675107Sfenner break; 135775107Sfenner } 135839291Sfenner 135975107Sfenner /* It seems the kernel supports the new interface. */ 136075107Sfenner handle->md.sock_packet = 0; 136175107Sfenner 136275107Sfenner /* 136375107Sfenner * Get the interface index of the loopback device. 136475107Sfenner * If the attempt fails, don't fail, just set the 136575107Sfenner * "md.lo_ifindex" to -1. 136675107Sfenner * 136775107Sfenner * XXX - can there be more than one device that loops 136875107Sfenner * packets back, i.e. devices other than "lo"? If so, 136975107Sfenner * we'd need to find them all, and have an array of 137075107Sfenner * indices for them, and check all of them in 137175107Sfenner * "pcap_read_packet()". 137275107Sfenner */ 137375107Sfenner handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf); 137475107Sfenner 137575107Sfenner /* 137698530Sfenner * Default value for offset to align link-layer payload 137798530Sfenner * on a 4-byte boundary. 137898530Sfenner */ 137998530Sfenner handle->offset = 0; 138098530Sfenner 138198530Sfenner /* 1382127664Sbms * What kind of frames do we have to deal with? Fall back 1383127664Sbms * to cooked mode if we have an unknown interface type. 138475107Sfenner */ 138575107Sfenner 138675107Sfenner if (device) { 138775107Sfenner /* Assume for now we don't need cooked mode. */ 138875107Sfenner handle->md.cooked = 0; 138975107Sfenner 139075107Sfenner arptype = iface_get_arptype(sock_fd, device, ebuf); 1391127664Sbms if (arptype == -1) { 1392127664Sbms fatal_err = 1; 139375107Sfenner break; 1394127664Sbms } 1395127664Sbms map_arphrd_to_dlt(handle, arptype, 1); 139675107Sfenner if (handle->linktype == -1 || 139798530Sfenner handle->linktype == DLT_LINUX_SLL || 1398127664Sbms handle->linktype == DLT_LINUX_IRDA || 139975107Sfenner (handle->linktype == DLT_EN10MB && 140075107Sfenner (strncmp("isdn", device, 4) == 0 || 140198530Sfenner strncmp("isdY", device, 4) == 0))) { 140275107Sfenner /* 140398530Sfenner * Unknown interface type (-1), or a 140498530Sfenner * device we explicitly chose to run 140598530Sfenner * in cooked mode (e.g., PPP devices), 140698530Sfenner * or an ISDN device (whose link-layer 140798530Sfenner * type we can only determine by using 140898530Sfenner * APIs that may be different on different 140975107Sfenner * kernels) - reopen in cooked mode. 141075107Sfenner */ 141175107Sfenner if (close(sock_fd) == -1) { 141275107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 141375107Sfenner "close: %s", pcap_strerror(errno)); 141475107Sfenner break; 141575107Sfenner } 1416127664Sbms sock_fd = socket(PF_PACKET, SOCK_DGRAM, 141775107Sfenner htons(ETH_P_ALL)); 141875107Sfenner if (sock_fd == -1) { 141975107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 142075107Sfenner "socket: %s", pcap_strerror(errno)); 142175107Sfenner break; 142275107Sfenner } 142375107Sfenner handle->md.cooked = 1; 142475107Sfenner 1425146768Ssam /* 1426146768Ssam * Get rid of any link-layer type list 1427146768Ssam * we allocated - this only supports cooked 1428146768Ssam * capture. 1429146768Ssam */ 1430146768Ssam if (handle->dlt_list != NULL) { 1431146768Ssam free(handle->dlt_list); 1432146768Ssam handle->dlt_list = NULL; 1433146768Ssam handle->dlt_count = 0; 1434146768Ssam } 1435146768Ssam 143675107Sfenner if (handle->linktype == -1) { 143775107Sfenner /* 143875107Sfenner * Warn that we're falling back on 143975107Sfenner * cooked mode; we may want to 144075107Sfenner * update "map_arphrd_to_dlt()" 144175107Sfenner * to handle the new type. 144275107Sfenner */ 144398530Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 144498530Sfenner "arptype %d not " 144575107Sfenner "supported by libpcap - " 144675107Sfenner "falling back to cooked " 144798530Sfenner "socket", 144875107Sfenner arptype); 144975107Sfenner } 1450127664Sbms /* IrDA capture is not a real "cooked" capture, 1451127664Sbms * it's IrLAP frames, not IP packets. */ 1452146768Ssam if (handle->linktype != DLT_LINUX_IRDA) 1453127664Sbms handle->linktype = DLT_LINUX_SLL; 145475107Sfenner } 145575107Sfenner 1456146768Ssam handle->md.ifindex = iface_get_id(sock_fd, device, ebuf); 1457146768Ssam if (handle->md.ifindex == -1) 145875107Sfenner break; 145975107Sfenner 1460146768Ssam if ((err = iface_bind(sock_fd, handle->md.ifindex, 1461146768Ssam ebuf)) < 0) { 1462127664Sbms if (err == -2) 1463127664Sbms fatal_err = 1; 146475107Sfenner break; 1465127664Sbms } 146675107Sfenner } else { 146775107Sfenner /* 146875107Sfenner * This is cooked mode. 146975107Sfenner */ 147075107Sfenner handle->md.cooked = 1; 147175107Sfenner handle->linktype = DLT_LINUX_SLL; 147275107Sfenner 147375107Sfenner /* 1474146768Ssam * We're not bound to a device. 1475146768Ssam * XXX - true? Or true only if we're using 1476146768Ssam * the "any" device? 1477146768Ssam * For now, we're using this as an indication 1478146768Ssam * that we can't transmit; stop doing that only 1479146768Ssam * if we figure out how to transmit in cooked 1480146768Ssam * mode. 148175107Sfenner */ 1482146768Ssam handle->md.ifindex = -1; 148375107Sfenner } 148475107Sfenner 1485127664Sbms /* 1486127664Sbms * Select promiscuous mode on if "promisc" is set. 1487127664Sbms * 1488127664Sbms * Do not turn allmulti mode on if we don't select 1489127664Sbms * promiscuous mode - on some devices (e.g., Orinoco 1490127664Sbms * wireless interfaces), allmulti mode isn't supported 1491127664Sbms * and the driver implements it by turning promiscuous 1492127664Sbms * mode on, and that screws up the operation of the 1493127664Sbms * card as a normal networking interface, and on no 1494127664Sbms * other platform I know of does starting a non- 1495127664Sbms * promiscuous capture affect which multicast packets 1496127664Sbms * are received by the interface. 1497127664Sbms */ 149875107Sfenner 1499127664Sbms /* 150075107Sfenner * Hmm, how can we set promiscuous mode on all interfaces? 150175107Sfenner * I am not sure if that is possible at all. 150275107Sfenner */ 150375107Sfenner 1504127664Sbms if (device && promisc) { 150575107Sfenner memset(&mr, 0, sizeof(mr)); 1506146768Ssam mr.mr_ifindex = handle->md.ifindex; 1507127664Sbms mr.mr_type = PACKET_MR_PROMISC; 1508127664Sbms if (setsockopt(sock_fd, SOL_PACKET, 150975107Sfenner PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1) 151075107Sfenner { 1511127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 151275107Sfenner "setsockopt: %s", pcap_strerror(errno)); 151375107Sfenner break; 151475107Sfenner } 151575107Sfenner } 151639291Sfenner 151798530Sfenner /* Save the socket FD in the pcap structure */ 151875107Sfenner 151975107Sfenner handle->fd = sock_fd; 152075107Sfenner 152175107Sfenner return 1; 152275107Sfenner 152375107Sfenner } while(0); 152475107Sfenner 152575107Sfenner if (sock_fd != -1) 152675107Sfenner close(sock_fd); 1527127664Sbms 1528146768Ssam if (fatal_err) { 1529146768Ssam /* 1530146768Ssam * Get rid of any link-layer type list we allocated. 1531146768Ssam */ 1532146768Ssam if (handle->dlt_list != NULL) 1533146768Ssam free(handle->dlt_list); 1534127664Sbms return -2; 1535146768Ssam } else 1536127664Sbms return 0; 153775107Sfenner#else 1538127664Sbms strncpy(ebuf, 1539127664Sbms "New packet capturing interface not supported by build " 154075107Sfenner "environment", PCAP_ERRBUF_SIZE); 154175107Sfenner return 0; 154239291Sfenner#endif 154375107Sfenner} 154439291Sfenner 154575107Sfenner#ifdef HAVE_PF_PACKET_SOCKETS 154675107Sfenner/* 1547127664Sbms * Return the index of the given device name. Fill ebuf and return 154875107Sfenner * -1 on failure. 154975107Sfenner */ 155075107Sfennerstatic int 155175107Sfenneriface_get_id(int fd, const char *device, char *ebuf) 155275107Sfenner{ 155375107Sfenner struct ifreq ifr; 155426175Sfenner 155539291Sfenner memset(&ifr, 0, sizeof(ifr)); 155639291Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 155775107Sfenner 155875107Sfenner if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 155975107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 156075107Sfenner "ioctl: %s", pcap_strerror(errno)); 156175107Sfenner return -1; 156226175Sfenner } 156326175Sfenner 156475107Sfenner return ifr.ifr_ifindex; 156575107Sfenner} 156626175Sfenner 156775107Sfenner/* 1568127664Sbms * Bind the socket associated with FD to the given device. 156975107Sfenner */ 157075107Sfennerstatic int 157175107Sfenneriface_bind(int fd, int ifindex, char *ebuf) 157275107Sfenner{ 157375107Sfenner struct sockaddr_ll sll; 1574127664Sbms int err; 1575127664Sbms socklen_t errlen = sizeof(err); 157675107Sfenner 157775107Sfenner memset(&sll, 0, sizeof(sll)); 157875107Sfenner sll.sll_family = AF_PACKET; 157975107Sfenner sll.sll_ifindex = ifindex; 158075107Sfenner sll.sll_protocol = htons(ETH_P_ALL); 158175107Sfenner 158275107Sfenner if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 158375107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 158475107Sfenner "bind: %s", pcap_strerror(errno)); 158575107Sfenner return -1; 158626175Sfenner } 158726175Sfenner 1588127664Sbms /* Any pending errors, e.g., network is down? */ 1589127664Sbms 1590127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 1591127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1592127664Sbms "getsockopt: %s", pcap_strerror(errno)); 1593127664Sbms return -2; 1594127664Sbms } 1595127664Sbms 1596127664Sbms if (err > 0) { 1597127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1598127664Sbms "bind: %s", pcap_strerror(err)); 1599127664Sbms return -2; 1600127664Sbms } 1601127664Sbms 160275107Sfenner return 0; 160375107Sfenner} 160475107Sfenner 160575107Sfenner#endif 160675107Sfenner 160775107Sfenner 160875107Sfenner/* ===== Functions to interface to the older kernels ================== */ 160975107Sfenner 161075107Sfenner/* 161175107Sfenner * With older kernels promiscuous mode is kind of interesting because we 161275107Sfenner * have to reset the interface before exiting. The problem can't really 1613127664Sbms * be solved without some daemon taking care of managing usage counts. 161475107Sfenner * If we put the interface into promiscuous mode, we set a flag indicating 161575107Sfenner * that we must take it out of that mode when the interface is closed, 161675107Sfenner * and, when closing the interface, if that flag is set we take it out 161775107Sfenner * of promiscuous mode. 161875107Sfenner */ 161975107Sfenner 162075107Sfenner/* 162175107Sfenner * List of pcaps for which we turned promiscuous mode on by hand. 162275107Sfenner * If there are any such pcaps, we arrange to call "pcap_close_all()" 162375107Sfenner * when we exit, and have it close all of them to turn promiscuous mode 162475107Sfenner * off. 162575107Sfenner */ 162675107Sfennerstatic struct pcap *pcaps_to_close; 162775107Sfenner 162875107Sfenner/* 162975107Sfenner * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to 163075107Sfenner * be called on exit. 163175107Sfenner */ 163275107Sfennerstatic int did_atexit; 163375107Sfenner 163475107Sfennerstatic void pcap_close_all(void) 163575107Sfenner{ 163675107Sfenner struct pcap *handle; 163775107Sfenner 163875107Sfenner while ((handle = pcaps_to_close) != NULL) 163975107Sfenner pcap_close(handle); 164075107Sfenner} 164175107Sfenner 1642127664Sbmsstatic void pcap_close_linux( pcap_t *handle ) 164375107Sfenner{ 164475107Sfenner struct pcap *p, *prevp; 164575107Sfenner struct ifreq ifr; 164675107Sfenner 164775107Sfenner if (handle->md.clear_promisc) { 164875107Sfenner /* 164975107Sfenner * We put the interface into promiscuous mode; take 165075107Sfenner * it out of promiscuous mode. 165175107Sfenner * 165275107Sfenner * XXX - if somebody else wants it in promiscuous mode, 165375107Sfenner * this code cannot know that, so it'll take it out 165475107Sfenner * of promiscuous mode. That's not fixable in 2.0[.x] 165575107Sfenner * kernels. 165675107Sfenner */ 165726175Sfenner memset(&ifr, 0, sizeof(ifr)); 165875107Sfenner strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)); 165975107Sfenner if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 1660127664Sbms fprintf(stderr, 166175107Sfenner "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" 166275107Sfenner "Please adjust manually.\n" 166375107Sfenner "Hint: This can't happen with Linux >= 2.2.0.\n", 166475107Sfenner strerror(errno)); 166575107Sfenner } else { 166675107Sfenner if (ifr.ifr_flags & IFF_PROMISC) { 166775107Sfenner /* 166875107Sfenner * Promiscuous mode is currently on; turn it 166975107Sfenner * off. 167075107Sfenner */ 167175107Sfenner ifr.ifr_flags &= ~IFF_PROMISC; 167275107Sfenner if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 1673127664Sbms fprintf(stderr, 167475107Sfenner "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" 167575107Sfenner "Please adjust manually.\n" 167675107Sfenner "Hint: This can't happen with Linux >= 2.2.0.\n", 167775107Sfenner strerror(errno)); 167875107Sfenner } 167975107Sfenner } 168026175Sfenner } 168175107Sfenner 168275107Sfenner /* 168375107Sfenner * Take this pcap out of the list of pcaps for which we 168475107Sfenner * have to take the interface out of promiscuous mode. 168575107Sfenner */ 168675107Sfenner for (p = pcaps_to_close, prevp = NULL; p != NULL; 168775107Sfenner prevp = p, p = p->md.next) { 168875107Sfenner if (p == handle) { 168975107Sfenner /* 169075107Sfenner * Found it. Remove it from the list. 169175107Sfenner */ 169275107Sfenner if (prevp == NULL) { 169375107Sfenner /* 169475107Sfenner * It was at the head of the list. 169575107Sfenner */ 169675107Sfenner pcaps_to_close = p->md.next; 169775107Sfenner } else { 169875107Sfenner /* 169975107Sfenner * It was in the middle of the list. 170075107Sfenner */ 170175107Sfenner prevp->md.next = p->md.next; 170275107Sfenner } 170375107Sfenner break; 170475107Sfenner } 170526175Sfenner } 170626175Sfenner } 1707127664Sbms 170875107Sfenner if (handle->md.device != NULL) 170975107Sfenner free(handle->md.device); 1710127664Sbms handle->md.device = NULL; 1711146768Ssam pcap_close_common(handle); 171275107Sfenner} 171326175Sfenner 171475107Sfenner/* 171575107Sfenner * Try to open a packet socket using the old kernel interface. 171675107Sfenner * Returns 0 on failure. 171775107Sfenner * FIXME: 0 uses to mean success (Sebastian) 171875107Sfenner */ 171975107Sfennerstatic int 1720127664Sbmslive_open_old(pcap_t *handle, const char *device, int promisc, 172175107Sfenner int to_ms, char *ebuf) 172275107Sfenner{ 1723127664Sbms int arptype; 172475107Sfenner struct ifreq ifr; 172575107Sfenner 172675107Sfenner do { 172775107Sfenner /* Open the socket */ 172875107Sfenner 1729127664Sbms handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 1730127664Sbms if (handle->fd == -1) { 173175107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 173275107Sfenner "socket: %s", pcap_strerror(errno)); 173375107Sfenner break; 173475107Sfenner } 173575107Sfenner 173675107Sfenner /* It worked - we are using the old interface */ 173775107Sfenner handle->md.sock_packet = 1; 173875107Sfenner 173975107Sfenner /* ...which means we get the link-layer header. */ 174075107Sfenner handle->md.cooked = 0; 174175107Sfenner 174275107Sfenner /* Bind to the given device */ 174375107Sfenner 174475107Sfenner if (!device) { 174575107Sfenner strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 174675107Sfenner PCAP_ERRBUF_SIZE); 174775107Sfenner break; 174875107Sfenner } 1749127664Sbms if (iface_bind_old(handle->fd, device, ebuf) == -1) 175075107Sfenner break; 175175107Sfenner 1752127664Sbms /* 1753127664Sbms * Try to get the link-layer type. 1754127664Sbms */ 1755127664Sbms arptype = iface_get_arptype(handle->fd, device, ebuf); 1756127664Sbms if (arptype == -1) 1757127664Sbms break; 1758127664Sbms 1759127664Sbms /* 1760127664Sbms * Try to find the DLT_ type corresponding to that 1761127664Sbms * link-layer type. 1762127664Sbms */ 1763127664Sbms map_arphrd_to_dlt(handle, arptype, 0); 1764127664Sbms if (handle->linktype == -1) { 1765127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1766127664Sbms "unknown arptype %d", arptype); 1767127664Sbms break; 1768127664Sbms } 1769127664Sbms 1770127664Sbms /* Go to promisc mode if requested */ 1771127664Sbms 177275107Sfenner if (promisc) { 177375107Sfenner memset(&ifr, 0, sizeof(ifr)); 177475107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 1775127664Sbms if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 177675107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 177775107Sfenner "ioctl: %s", pcap_strerror(errno)); 177875107Sfenner break; 177975107Sfenner } 178075107Sfenner if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 178175107Sfenner /* 178275107Sfenner * Promiscuous mode isn't currently on, 178375107Sfenner * so turn it on, and remember that 178475107Sfenner * we should turn it off when the 178575107Sfenner * pcap_t is closed. 178675107Sfenner */ 178775107Sfenner 178875107Sfenner /* 178975107Sfenner * If we haven't already done so, arrange 179075107Sfenner * to have "pcap_close_all()" called when 179175107Sfenner * we exit. 179275107Sfenner */ 179375107Sfenner if (!did_atexit) { 179475107Sfenner if (atexit(pcap_close_all) == -1) { 179575107Sfenner /* 179675107Sfenner * "atexit()" failed; don't 179775107Sfenner * put the interface in 179875107Sfenner * promiscuous mode, just 179975107Sfenner * give up. 180075107Sfenner */ 180175107Sfenner strncpy(ebuf, "atexit failed", 180275107Sfenner PCAP_ERRBUF_SIZE); 180375107Sfenner break; 180475107Sfenner } 1805127664Sbms did_atexit = 1; 180675107Sfenner } 180775107Sfenner 180875107Sfenner ifr.ifr_flags |= IFF_PROMISC; 1809127664Sbms if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 181075107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 181175107Sfenner "ioctl: %s", 181275107Sfenner pcap_strerror(errno)); 181375107Sfenner break; 181475107Sfenner } 181575107Sfenner handle->md.clear_promisc = 1; 181675107Sfenner 181775107Sfenner /* 181875107Sfenner * Add this to the list of pcaps 181975107Sfenner * to close when we exit. 182075107Sfenner */ 182175107Sfenner handle->md.next = pcaps_to_close; 182275107Sfenner pcaps_to_close = handle; 182375107Sfenner } 182475107Sfenner } 182575107Sfenner 182698530Sfenner /* 182798530Sfenner * Default value for offset to align link-layer payload 182898530Sfenner * on a 4-byte boundary. 182998530Sfenner */ 183075107Sfenner handle->offset = 0; 183198530Sfenner 183275107Sfenner return 1; 183375107Sfenner 183475107Sfenner } while (0); 183575107Sfenner 1836127664Sbms pcap_close_linux(handle); 183775107Sfenner return 0; 183875107Sfenner} 183975107Sfenner 184075107Sfenner/* 1841127664Sbms * Bind the socket associated with FD to the given device using the 184275107Sfenner * interface of the old kernels. 184375107Sfenner */ 184475107Sfennerstatic int 184575107Sfenneriface_bind_old(int fd, const char *device, char *ebuf) 184675107Sfenner{ 184775107Sfenner struct sockaddr saddr; 1848127664Sbms int err; 1849127664Sbms socklen_t errlen = sizeof(err); 185075107Sfenner 185175107Sfenner memset(&saddr, 0, sizeof(saddr)); 185275107Sfenner strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 185375107Sfenner if (bind(fd, &saddr, sizeof(saddr)) == -1) { 185475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 185575107Sfenner "bind: %s", pcap_strerror(errno)); 185675107Sfenner return -1; 185726175Sfenner } 185826175Sfenner 1859127664Sbms /* Any pending errors, e.g., network is down? */ 1860127664Sbms 1861127664Sbms if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 1862127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1863127664Sbms "getsockopt: %s", pcap_strerror(errno)); 1864127664Sbms return -1; 1865127664Sbms } 1866127664Sbms 1867127664Sbms if (err > 0) { 1868127664Sbms snprintf(ebuf, PCAP_ERRBUF_SIZE, 1869127664Sbms "bind: %s", pcap_strerror(err)); 1870127664Sbms return -1; 1871127664Sbms } 1872127664Sbms 187375107Sfenner return 0; 187426175Sfenner} 187526175Sfenner 187675107Sfenner 187775107Sfenner/* ===== System calls available on all supported kernels ============== */ 187875107Sfenner 187975107Sfenner/* 1880127664Sbms * Query the kernel for the MTU of the given interface. 188175107Sfenner */ 188275107Sfennerstatic int 188375107Sfenneriface_get_mtu(int fd, const char *device, char *ebuf) 188426175Sfenner{ 188575107Sfenner struct ifreq ifr; 188626175Sfenner 188775107Sfenner if (!device) 188875107Sfenner return BIGGER_THAN_ALL_MTUS; 188975107Sfenner 189075107Sfenner memset(&ifr, 0, sizeof(ifr)); 189175107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 189275107Sfenner 189375107Sfenner if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 189475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 189575107Sfenner "ioctl: %s", pcap_strerror(errno)); 189675107Sfenner return -1; 189775107Sfenner } 189875107Sfenner 189975107Sfenner return ifr.ifr_mtu; 190026175Sfenner} 190126175Sfenner 190275107Sfenner/* 190375107Sfenner * Get the hardware type of the given interface as ARPHRD_xxx constant. 190475107Sfenner */ 190575107Sfennerstatic int 190675107Sfenneriface_get_arptype(int fd, const char *device, char *ebuf) 190726175Sfenner{ 190875107Sfenner struct ifreq ifr; 190926175Sfenner 191075107Sfenner memset(&ifr, 0, sizeof(ifr)); 191175107Sfenner strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 191275107Sfenner 191375107Sfenner if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 191475107Sfenner snprintf(ebuf, PCAP_ERRBUF_SIZE, 191575107Sfenner "ioctl: %s", pcap_strerror(errno)); 191675107Sfenner return -1; 191775107Sfenner } 191875107Sfenner 191975107Sfenner return ifr.ifr_hwaddr.sa_family; 192026175Sfenner} 192175107Sfenner 192298530Sfenner#ifdef SO_ATTACH_FILTER 192375107Sfennerstatic int 192475107Sfennerfix_program(pcap_t *handle, struct sock_fprog *fcode) 192575107Sfenner{ 192675107Sfenner size_t prog_size; 192775107Sfenner register int i; 192875107Sfenner register struct bpf_insn *p; 192975107Sfenner struct bpf_insn *f; 193075107Sfenner int len; 193175107Sfenner 193275107Sfenner /* 193375107Sfenner * Make a copy of the filter, and modify that copy if 193475107Sfenner * necessary. 193575107Sfenner */ 193675107Sfenner prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 193775107Sfenner len = handle->fcode.bf_len; 193875107Sfenner f = (struct bpf_insn *)malloc(prog_size); 193975107Sfenner if (f == NULL) { 194075107Sfenner snprintf(handle->errbuf, sizeof(handle->errbuf), 194175107Sfenner "malloc: %s", pcap_strerror(errno)); 194275107Sfenner return -1; 194375107Sfenner } 194475107Sfenner memcpy(f, handle->fcode.bf_insns, prog_size); 194575107Sfenner fcode->len = len; 194675107Sfenner fcode->filter = (struct sock_filter *) f; 194775107Sfenner 194875107Sfenner for (i = 0; i < len; ++i) { 194975107Sfenner p = &f[i]; 195075107Sfenner /* 195175107Sfenner * What type of instruction is this? 195275107Sfenner */ 195375107Sfenner switch (BPF_CLASS(p->code)) { 195475107Sfenner 195575107Sfenner case BPF_RET: 195675107Sfenner /* 195775107Sfenner * It's a return instruction; is the snapshot 195875107Sfenner * length a constant, rather than the contents 195975107Sfenner * of the accumulator? 196075107Sfenner */ 196175107Sfenner if (BPF_MODE(p->code) == BPF_K) { 196275107Sfenner /* 196375107Sfenner * Yes - if the value to be returned, 196475107Sfenner * i.e. the snapshot length, is anything 196575107Sfenner * other than 0, make it 65535, so that 196675107Sfenner * the packet is truncated by "recvfrom()", 196775107Sfenner * not by the filter. 196875107Sfenner * 196975107Sfenner * XXX - there's nothing we can easily do 197075107Sfenner * if it's getting the value from the 197175107Sfenner * accumulator; we'd have to insert 197275107Sfenner * code to force non-zero values to be 197375107Sfenner * 65535. 197475107Sfenner */ 197575107Sfenner if (p->k != 0) 197675107Sfenner p->k = 65535; 197775107Sfenner } 197875107Sfenner break; 197975107Sfenner 198075107Sfenner case BPF_LD: 198175107Sfenner case BPF_LDX: 198275107Sfenner /* 198375107Sfenner * It's a load instruction; is it loading 198475107Sfenner * from the packet? 198575107Sfenner */ 198675107Sfenner switch (BPF_MODE(p->code)) { 198775107Sfenner 198875107Sfenner case BPF_ABS: 198975107Sfenner case BPF_IND: 199075107Sfenner case BPF_MSH: 199175107Sfenner /* 199275107Sfenner * Yes; are we in cooked mode? 199375107Sfenner */ 199475107Sfenner if (handle->md.cooked) { 199575107Sfenner /* 199675107Sfenner * Yes, so we need to fix this 199775107Sfenner * instruction. 199875107Sfenner */ 199975107Sfenner if (fix_offset(p) < 0) { 200075107Sfenner /* 200175107Sfenner * We failed to do so. 200275107Sfenner * Return 0, so our caller 200375107Sfenner * knows to punt to userland. 200475107Sfenner */ 200575107Sfenner return 0; 200675107Sfenner } 200775107Sfenner } 200875107Sfenner break; 200975107Sfenner } 201075107Sfenner break; 201175107Sfenner } 201275107Sfenner } 201375107Sfenner return 1; /* we succeeded */ 201475107Sfenner} 201575107Sfenner 201675107Sfennerstatic int 201775107Sfennerfix_offset(struct bpf_insn *p) 201875107Sfenner{ 201975107Sfenner /* 202075107Sfenner * What's the offset? 202175107Sfenner */ 202275107Sfenner if (p->k >= SLL_HDR_LEN) { 202375107Sfenner /* 202475107Sfenner * It's within the link-layer payload; that starts at an 202575107Sfenner * offset of 0, as far as the kernel packet filter is 202675107Sfenner * concerned, so subtract the length of the link-layer 202775107Sfenner * header. 202875107Sfenner */ 202975107Sfenner p->k -= SLL_HDR_LEN; 203075107Sfenner } else if (p->k == 14) { 203175107Sfenner /* 203275107Sfenner * It's the protocol field; map it to the special magic 203375107Sfenner * kernel offset for that field. 203475107Sfenner */ 203575107Sfenner p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 203675107Sfenner } else { 203775107Sfenner /* 203875107Sfenner * It's within the header, but it's not one of those 203975107Sfenner * fields; we can't do that in the kernel, so punt 204075107Sfenner * to userland. 204175107Sfenner */ 204275107Sfenner return -1; 204375107Sfenner } 204475107Sfenner return 0; 204575107Sfenner} 204698530Sfenner 204798530Sfennerstatic int 204898530Sfennerset_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) 204998530Sfenner{ 205098530Sfenner int total_filter_on = 0; 205198530Sfenner int save_mode; 205298530Sfenner int ret; 205398530Sfenner int save_errno; 205498530Sfenner 205598530Sfenner /* 205698530Sfenner * The socket filter code doesn't discard all packets queued 205798530Sfenner * up on the socket when the filter is changed; this means 205898530Sfenner * that packets that don't match the new filter may show up 205998530Sfenner * after the new filter is put onto the socket, if those 206098530Sfenner * packets haven't yet been read. 206198530Sfenner * 206298530Sfenner * This means, for example, that if you do a tcpdump capture 206398530Sfenner * with a filter, the first few packets in the capture might 206498530Sfenner * be packets that wouldn't have passed the filter. 206598530Sfenner * 206698530Sfenner * We therefore discard all packets queued up on the socket 206798530Sfenner * when setting a kernel filter. (This isn't an issue for 206898530Sfenner * userland filters, as the userland filtering is done after 206998530Sfenner * packets are queued up.) 207098530Sfenner * 207198530Sfenner * To flush those packets, we put the socket in read-only mode, 207298530Sfenner * and read packets from the socket until there are no more to 207398530Sfenner * read. 207498530Sfenner * 207598530Sfenner * In order to keep that from being an infinite loop - i.e., 207698530Sfenner * to keep more packets from arriving while we're draining 207798530Sfenner * the queue - we put the "total filter", which is a filter 207898530Sfenner * that rejects all packets, onto the socket before draining 207998530Sfenner * the queue. 208098530Sfenner * 208198530Sfenner * This code deliberately ignores any errors, so that you may 208298530Sfenner * get bogus packets if an error occurs, rather than having 208398530Sfenner * the filtering done in userland even if it could have been 208498530Sfenner * done in the kernel. 208598530Sfenner */ 2086127664Sbms if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 208798530Sfenner &total_fcode, sizeof(total_fcode)) == 0) { 208898530Sfenner char drain[1]; 208998530Sfenner 209098530Sfenner /* 209198530Sfenner * Note that we've put the total filter onto the socket. 209298530Sfenner */ 209398530Sfenner total_filter_on = 1; 209498530Sfenner 209598530Sfenner /* 209698530Sfenner * Save the socket's current mode, and put it in 209798530Sfenner * non-blocking mode; we drain it by reading packets 2098127664Sbms * until we get an error (which is normally a 209998530Sfenner * "nothing more to be read" error). 210098530Sfenner */ 210198530Sfenner save_mode = fcntl(handle->fd, F_GETFL, 0); 210298530Sfenner if (save_mode != -1 && 210398530Sfenner fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) { 210498530Sfenner while (recv(handle->fd, &drain, sizeof drain, 210598530Sfenner MSG_TRUNC) >= 0) 210698530Sfenner ; 2107127664Sbms save_errno = errno; 210898530Sfenner fcntl(handle->fd, F_SETFL, save_mode); 2109127664Sbms if (save_errno != EAGAIN) { 2110127664Sbms /* Fatal error */ 2111127664Sbms reset_kernel_filter(handle); 2112127664Sbms snprintf(handle->errbuf, sizeof(handle->errbuf), 2113127664Sbms "recv: %s", pcap_strerror(save_errno)); 2114127664Sbms return -2; 2115127664Sbms } 211698530Sfenner } 211798530Sfenner } 211898530Sfenner 211998530Sfenner /* 212098530Sfenner * Now attach the new filter. 212198530Sfenner */ 2122127664Sbms ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 212398530Sfenner fcode, sizeof(*fcode)); 212498530Sfenner if (ret == -1 && total_filter_on) { 212598530Sfenner /* 212698530Sfenner * Well, we couldn't set that filter on the socket, 212798530Sfenner * but we could set the total filter on the socket. 212898530Sfenner * 212998530Sfenner * This could, for example, mean that the filter was 213098530Sfenner * too big to put into the kernel, so we'll have to 213198530Sfenner * filter in userland; in any case, we'll be doing 213298530Sfenner * filtering in userland, so we need to remove the 213398530Sfenner * total filter so we see packets. 213498530Sfenner */ 213598530Sfenner save_errno = errno; 213698530Sfenner 213798530Sfenner /* 213898530Sfenner * XXX - if this fails, we're really screwed; 213998530Sfenner * we have the total filter on the socket, 214098530Sfenner * and it won't come off. What do we do then? 214198530Sfenner */ 214298530Sfenner reset_kernel_filter(handle); 214398530Sfenner 214498530Sfenner errno = save_errno; 214598530Sfenner } 2146127664Sbms return ret; 214798530Sfenner} 214898530Sfenner 214998530Sfennerstatic int 215098530Sfennerreset_kernel_filter(pcap_t *handle) 215198530Sfenner{ 215298530Sfenner /* setsockopt() barfs unless it get a dummy parameter */ 215398530Sfenner int dummy; 215498530Sfenner 215598530Sfenner return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, 215698530Sfenner &dummy, sizeof(dummy)); 215798530Sfenner} 215875107Sfenner#endif 2159