2 * pcap-linux.c: Packet capture interface to the Linux kernel
4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org>
5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
19 * 3. The names of the authors may not be used to endorse or promote
20 * products derived from this software without specific prior
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
28 static const char rcsid[] =
29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.51.2.3 2001/01/18 03:59:56 guy Exp $ (LBL)";
33 * Known problems with 2.0[.x] kernels:
35 * - The loopback device gives every packet twice; on 2.2[.x] kernels,
36 * if we use PF_PACKET, we can filter out the transmitted version
37 * of the packet by using data in the "sockaddr_ll" returned by
38 * "recvfrom()", but, on 2.0[.x] kernels, we have to use
39 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a
40 * "sockaddr_pkt" which doesn't give us enough information to let
43 * - We have to set the interface's IFF_PROMISC flag ourselves, if
44 * we're to run in promiscuous mode, which means we have to turn
45 * it off ourselves when we're done; the kernel doesn't keep track
46 * of how many sockets are listening promiscuously, which means
47 * it won't get turned off automatically when no sockets are
48 * listening promiscuously. We catch "pcap_close()" and, for
49 * interfaces we put into promiscuous mode, take them out of
50 * promiscuous mode - which isn't necessarily the right thing to
51 * do, if another socket also requested promiscuous mode between
52 * the time when we opened the socket and the time when we close
69 #include <sys/socket.h>
70 #include <sys/ioctl.h>
71 #include <sys/utsname.h>
73 #include <netinet/in.h>
74 #include <linux/if_ether.h>
75 #include <net/if_arp.h>
77 #ifdef HAVE_NETPACKET_PACKET_H
78 # include <netpacket/packet.h>
81 * We assume this means we really do have PF_PACKET sockets.
83 # define HAVE_PF_PACKET_SOCKETS
86 * Oh, joy. Some Linux distributions have 2.2 or later kernels and
87 * libc5. On at least one of those systems (Slackware 4.0), it
88 * appears that "/usr/include/sys/socket.h" includes <linux/socket.h>,
89 * which means it picks up all the AF_, PF_, and SO_ definitions
90 * appropriate for the current kernel; however, it also appears that
91 * they did not see fit to provide a "/usr/include/netpacket/packet.h"
94 * However, you should be able to get the right definitions by including
95 * <linux/if_packet.h>.
97 * So if this system has PF_PACKET defined but doesn't have the
98 * <netpacket/packet.h> header file, we include <linux/if_packet.h>
102 # include <linux/if_packet.h>
105 * However, on at least some Linux distributions (for example, Red Hat
106 * 5.2), there's no <netpacket/packet.h> file, but PF_PACKET is defined
107 * if you include <sys/socket.h>, but <linux/if_packet.h> doesn't define
108 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of
109 * the PACKET_xxx stuff.
111 * So we check whether PACKET_HOST is defined, and assume that we have
112 * PF_PACKET sockets only if it is defined.
115 # define HAVE_PF_PACKET_SOCKETS
116 # endif /* PACKET_HOST */
117 # endif /* PF_PACKET */
118 #endif /* HAVE_NETPACKET_PACKET_H */
120 #ifdef SO_ATTACH_FILTER
121 #include <linux/types.h>
122 #include <linux/filter.h>
126 typedef int socklen_t;
133 #define MAX_LINKHEADER_SIZE 256
136 * When capturing on all interfaces we use this as the buffer size.
137 * Should be bigger then all MTUs that occur in real life.
138 * 64kB should be enough for now.
140 #define BIGGER_THAN_ALL_MTUS (64*1024)
143 * Prototypes for internal functions
145 static int map_arphrd_to_dlt(int arptype );
146 static int live_open_old(pcap_t *, char *, int, int, char *);
147 static int live_open_new(pcap_t *, char *, int, int, char *);
148 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *);
151 * Wrap some ioctl calls
153 #ifdef HAVE_PF_PACKET_SOCKETS
154 static int iface_get_id(int fd, const char *device, char *ebuf);
156 static int iface_get_mtu(int fd, const char *device, char *ebuf);
157 static int iface_get_arptype(int fd, const char *device, char *ebuf);
158 #ifdef HAVE_PF_PACKET_SOCKETS
159 static int iface_bind(int fd, int ifindex, char *ebuf);
161 static int iface_bind_old(int fd, const char *device, char *ebuf);
163 #ifdef SO_ATTACH_FILTER
164 static int fix_program(pcap_t *handle, struct sock_fprog *fcode);
165 static int fix_offset(struct bpf_insn *p);
169 * Get a handle for a live capture from the given device. You can
170 * pass NULL as device to get all packages (without link level
171 * information of course). If you pass 1 as promisc the interface
172 * will be set to promiscous mode (XXX: I think this usage should
173 * be deprecated and functions be added to select that later allow
174 * modification of that values -- Torsten).
179 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
181 /* Allocate a handle for this session. */
183 pcap_t *handle = malloc(sizeof(*handle));
184 if (handle == NULL) {
185 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
186 pcap_strerror(errno));
190 /* Initialize some components of the pcap structure. */
192 memset(handle, 0, sizeof(*handle));
193 handle->snapshot = snaplen;
194 handle->md.timeout = to_ms;
197 * NULL and "any" are special devices which give us the hint to
198 * monitor all devices.
200 if (!device || strcmp(device, "any") == 0) {
202 handle->md.device = strdup("any");
204 handle->md.device = strdup(device);
206 if (handle->md.device == NULL) {
207 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s",
208 pcap_strerror(errno) );
214 * Current Linux kernels use the protocol family PF_PACKET to
215 * allow direct access to all packets on the network while
216 * older kernels had a special socket type SOCK_PACKET to
217 * implement this feature.
218 * While this old implementation is kind of obsolete we need
219 * to be compatible with older kernels for a while so we are
220 * trying both methods with the newer method preferred.
223 if (! (live_open_new(handle, device, promisc, to_ms, ebuf) ||
224 live_open_old(handle, device, promisc, to_ms, ebuf)) )
227 * Both methods to open the packet socket failed. Tidy
228 * up and report our failure (ebuf is expected to be
229 * set by the functions above).
232 free(handle->md.device);
241 * Read at most max_packets from the capture stream and call the callback
242 * for each of them. Returns the number of packets handled or -1 if an
246 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
249 * Currently, on Linux only one packet is delivered per read,
252 return pcap_read_packet(handle, callback, user);
256 * Read a packet from the socket calling the handler provided by
257 * the user. Returns the number of packets received or -1 if an
261 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata)
264 #ifdef HAVE_PF_PACKET_SOCKETS
265 struct sockaddr_ll from;
266 struct sll_header *hdrp;
268 struct sockaddr from;
271 int packet_len, caplen;
272 struct pcap_pkthdr pcap_header;
274 #ifdef HAVE_PF_PACKET_SOCKETS
276 * If this is a cooked device, leave extra room for a
277 * fake packet header.
279 if (handle->md.cooked)
280 offset = SLL_HDR_LEN;
285 * This system doesn't have PF_PACKET sockets, so it doesn't
286 * support cooked devices.
291 /* Receive a single packet from the kernel */
294 fromlen = sizeof(from);
295 packet_len = recvfrom(
296 handle->fd, handle->buffer + offset + handle->offset,
297 handle->md.readlen - offset, MSG_TRUNC,
298 (struct sockaddr *) &from, &fromlen);
299 } while (packet_len == -1 && errno == EINTR);
301 /* Check if an error occured */
303 if (packet_len == -1) {
305 return 0; /* no packet there */
307 snprintf(handle->errbuf, sizeof(handle->errbuf),
308 "recvfrom: %s", pcap_strerror(errno));
313 #ifdef HAVE_PF_PACKET_SOCKETS
315 * If this is from the loopback device, reject outgoing packets;
316 * we'll see the packet as an incoming packet as well, and
317 * we don't want to see it twice.
319 * We can only do this if we're using PF_PACKET; the address
320 * returned for SOCK_PACKET is a "sockaddr_pkt" which lacks
321 * the relevant packet type information.
323 if (!handle->md.sock_packet &&
324 from.sll_ifindex == handle->md.lo_ifindex &&
325 from.sll_pkttype == PACKET_OUTGOING)
329 #ifdef HAVE_PF_PACKET_SOCKETS
331 * If this is a cooked device, fill in the fake packet header.
333 if (handle->md.cooked) {
335 * Add the length of the fake header to the length
336 * of packet data we read.
338 packet_len += SLL_HDR_LEN;
340 hdrp = (struct sll_header *)handle->buffer;
343 * Map the PACKET_ value to a LINUX_SLL_ value; we
344 * want the same numerical value to be used in
345 * the link-layer header even if the numerical values
346 * for the PACKET_ #defines change, so that programs
347 * that look at the packet type field will always be
348 * able to handle DLT_LINUX_SLL captures.
350 switch (from.sll_pkttype) {
353 hdrp->sll_pkttype = htons(LINUX_SLL_HOST);
356 case PACKET_BROADCAST:
357 hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST);
360 case PACKET_MULTICAST:
361 hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST);
364 case PACKET_OTHERHOST:
365 hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST);
368 case PACKET_OUTGOING:
369 hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING);
373 hdrp->sll_pkttype = -1;
377 hdrp->sll_hatype = htons(from.sll_hatype);
378 hdrp->sll_halen = htons(from.sll_halen);
379 memcpy(hdrp->sll_addr, from.sll_addr,
380 (from.sll_halen > SLL_ADDRLEN) ?
383 hdrp->sll_protocol = from.sll_protocol;
388 * XXX: According to the kernel source we should get the real
389 * packet len if calling recvfrom with MSG_TRUNC set. It does
390 * not seem to work here :(, but it is supported by this code
392 * To be honest the code RELIES on that feature so this is really
393 * broken with 2.2.x kernels.
394 * I spend a day to figure out what's going on and I found out
395 * that the following is happening:
397 * The packet comes from a random interface and the packet_rcv
398 * hook is called with a clone of the packet. That code inserts
399 * the packet into the receive queue of the packet socket.
400 * If a filter is attached to that socket that filter is run
401 * first - and there lies the problem. The default filter always
402 * cuts the packet at the snaplen:
407 * So the packet filter cuts down the packet. The recvfrom call
408 * says "hey, it's only 68 bytes, it fits into the buffer" with
409 * the result that we don't get the real packet length. This
410 * is valid at least until kernel 2.2.17pre6.
412 * We currently handle this by making a copy of the filter
413 * program, fixing all "ret" instructions with non-zero
414 * operands to have an operand of 65535 so that the filter
415 * doesn't truncate the packet, and supplying that modified
416 * filter to the kernel.
420 if (caplen > handle->snapshot)
421 caplen = handle->snapshot;
423 /* Run the packet filter if not using kernel filter */
424 if (!handle->md.use_bpf && handle->fcode.bf_insns) {
425 if (bpf_filter(handle->fcode.bf_insns, handle->buffer,
426 packet_len, caplen) == 0)
428 /* rejected by filter */
433 /* Fill in our own header data */
435 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) {
436 snprintf(handle->errbuf, sizeof(handle->errbuf),
437 "ioctl: %s", pcap_strerror(errno));
440 pcap_header.caplen = caplen;
441 pcap_header.len = packet_len;
443 /* Call the user supplied callback function */
444 handle->md.stat.ps_recv++;
445 callback(userdata, &pcap_header, handle->buffer + handle->offset);
451 * Get the statistics for the given packet capture handle.
452 * FIXME: Currently does not report the number of dropped packets.
455 pcap_stats(pcap_t *handle, struct pcap_stat *stats)
457 *stats = handle->md.stat;
462 * Attach the given BPF code to the packet capture device.
465 pcap_setfilter(pcap_t *handle, struct bpf_program *filter)
467 #ifdef SO_ATTACH_FILTER
468 struct sock_fprog fcode;
469 int can_filter_in_kernel;
475 strncpy(handle->errbuf, "setfilter: No filter specified",
476 sizeof(handle->errbuf));
480 /* Make our private copy of the filter */
482 if (install_bpf_program(handle, filter) < 0) {
483 snprintf(handle->errbuf, sizeof(handle->errbuf),
484 "malloc: %s", pcap_strerror(errno));
489 * Run user level packet filter by default. Will be overriden if
490 * installing a kernel filter succeeds.
492 handle->md.use_bpf = 0;
495 * If we're reading from a savefile, don't try to install
498 if (handle->sf.rfile != NULL)
501 /* Install kernel level filter if possible */
503 #ifdef SO_ATTACH_FILTER
505 if (handle->fcode.bf_len > USHRT_MAX) {
507 * fcode.len is an unsigned short for current kernel.
508 * I have yet to see BPF-Code with that much
509 * instructions but still it is possible. So for the
510 * sake of correctness I added this check.
512 fprintf(stderr, "Warning: Filter too complex for kernel\n");
514 can_filter_in_kernel = 0;
516 #endif /* USHRT_MAX */
519 * Oh joy, the Linux kernel uses struct sock_fprog instead
520 * of struct bpf_program and of course the length field is
521 * of different size. Pointed out by Sebastian
523 * Oh, and we also need to fix it up so that all "ret"
524 * instructions with non-zero operands have 65535 as the
525 * operand, and so that, if we're in cooked mode, all
526 * memory-reference instructions use special magic offsets
527 * in references to the link-layer header and assume that
528 * the link-layer payload begins at 0; "fix_program()"
531 switch (fix_program(handle, &fcode)) {
536 * Fatal error; just quit.
537 * (The "default" case shouldn't happen; we
538 * return -1 for that reason.)
544 * The program performed checks that we can't make
545 * work in the kernel.
547 can_filter_in_kernel = 0;
552 * We have a filter that'll work in the kernel.
554 can_filter_in_kernel = 1;
559 if (can_filter_in_kernel) {
560 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER,
561 &fcode, sizeof(fcode)) == 0)
563 /* Installation succeded - using kernel filter. */
564 handle->md.use_bpf = 1;
569 * Print a warning if we weren't able to install
570 * the filter for a reason other than "this kernel
571 * isn't configured to support socket filters.
573 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) {
575 "Warning: Kernel filter failed: %s\n",
576 pcap_strerror(errno));
582 * Free up the copy of the filter that was made by "fix_program()".
584 if (fcode.filter != NULL)
586 #endif /* SO_ATTACH_FILTER */
592 * Linux uses the ARP hardware type to identify the type of an
593 * interface. pcap uses the DLT_xxx constants for this. This
594 * function maps the ARPHRD_xxx constant to an appropriate
597 * Returns -1 if unable to map the type; we print a message and,
598 * if we're using PF_PACKET/SOCK_RAW rather than PF_INET/SOCK_PACKET,
599 * we fall back on using PF_PACKET/SOCK_DGRAM.
601 static int map_arphrd_to_dlt(int arptype)
605 case ARPHRD_METRICOM:
606 case ARPHRD_LOOPBACK: return DLT_EN10MB;
607 case ARPHRD_EETHER: return DLT_EN3MB;
608 case ARPHRD_AX25: return DLT_AX25;
609 case ARPHRD_PRONET: return DLT_PRONET;
610 case ARPHRD_CHAOS: return DLT_CHAOS;
611 #ifndef ARPHRD_IEEE802_TR
612 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */
614 case ARPHRD_IEEE802_TR:
615 case ARPHRD_IEEE802: return DLT_IEEE802;
616 case ARPHRD_ARCNET: return DLT_ARCNET;
617 case ARPHRD_FDDI: return DLT_FDDI;
619 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */
620 #define ARPHRD_ATM 19
622 case ARPHRD_ATM: return DLT_ATM_CLIP;
625 /* Not sure if this is correct for all tunnels, but it
629 #define ARPHRD_SIT 776 /* From Linux 2.2.14 */
635 case ARPHRD_SLIP: return DLT_RAW;
641 /* ===== Functions to interface to the newer kernels ================== */
644 * Try to open a packet socket using the new kernel interface.
645 * Returns 0 on failure.
646 * FIXME: 0 uses to mean success (Sebastian)
649 live_open_new(pcap_t *handle, char *device, int promisc,
650 int to_ms, char *ebuf)
652 #ifdef HAVE_PF_PACKET_SOCKETS
653 int sock_fd = -1, device_id, mtu, arptype;
654 struct packet_mreq mr;
656 /* One shot loop used for error handling - bail out with break */
660 * Open a socket with protocol family packet. If a device is
661 * given we try to open it in raw mode otherwise we use
662 * the cooked interface.
665 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
666 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
669 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s",
670 pcap_strerror(errno) );
674 /* It seems the kernel supports the new interface. */
675 handle->md.sock_packet = 0;
678 * Get the interface index of the loopback device.
679 * If the attempt fails, don't fail, just set the
680 * "md.lo_ifindex" to -1.
682 * XXX - can there be more than one device that loops
683 * packets back, i.e. devices other than "lo"? If so,
684 * we'd need to find them all, and have an array of
685 * indices for them, and check all of them in
686 * "pcap_read_packet()".
688 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf);
691 * What kind of frames do we have to deal with? Fall back
692 * to cooked mode if we have an unknown interface type.
696 /* Assume for now we don't need cooked mode. */
697 handle->md.cooked = 0;
699 arptype = iface_get_arptype(sock_fd, device, ebuf);
702 handle->linktype = map_arphrd_to_dlt(arptype);
703 if (handle->linktype == -1 ||
704 (handle->linktype == DLT_EN10MB &&
705 (strncmp("isdn", device, 4) == 0 ||
706 strncmp("isdY", device, 4) == 0)) ||
707 (handle->linktype == DLT_RAW &&
708 (strncmp("ippp", device, 4) == 0))) {
710 * Unknown interface type (-1), or an ISDN
711 * device (whose link-layer type we
712 * can only determine by using APIs
713 * that may be different on different
714 * kernels) - reopen in cooked mode.
716 * XXX - do that with DLT_RAW as well?
718 if (close(sock_fd) == -1) {
719 snprintf(ebuf, PCAP_ERRBUF_SIZE,
720 "close: %s", pcap_strerror(errno));
723 sock_fd = socket(PF_PACKET, SOCK_DGRAM,
726 snprintf(ebuf, PCAP_ERRBUF_SIZE,
727 "socket: %s", pcap_strerror(errno));
730 handle->md.cooked = 1;
732 if (handle->linktype == -1) {
734 * Warn that we're falling back on
735 * cooked mode; we may want to
736 * update "map_arphrd_to_dlt()"
737 * to handle the new type.
740 "Warning: arptype %d not "
741 "supported by libpcap - "
742 "falling back to cooked "
746 handle->linktype = DLT_LINUX_SLL;
749 device_id = iface_get_id(sock_fd, device, ebuf);
753 if (iface_bind(sock_fd, device_id, ebuf) == -1)
757 * This is cooked mode.
759 handle->md.cooked = 1;
760 handle->linktype = DLT_LINUX_SLL;
763 * XXX - squelch GCC complaints about
764 * uninitialized variables; if we can't
765 * select promiscuous mode on all interfaces,
766 * we should move the code below into the
767 * "if (device)" branch of the "if" and
768 * get rid of the next statement.
773 /* Select promiscuous mode on/off */
777 * Hmm, how can we set promiscuous mode on all interfaces?
778 * I am not sure if that is possible at all.
782 memset(&mr, 0, sizeof(mr));
783 mr.mr_ifindex = device_id;
784 mr.mr_type = promisc ?
785 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI;
786 if (setsockopt(sock_fd, SOL_PACKET,
787 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1)
789 snprintf(ebuf, PCAP_ERRBUF_SIZE,
790 "setsockopt: %s", pcap_strerror(errno));
796 /* Compute the buffersize */
798 mtu = iface_get_mtu(sock_fd, device, ebuf);
801 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
803 /* Fill in the pcap structure */
805 handle->fd = sock_fd;
808 handle->buffer = malloc(handle->bufsize);
809 if (!handle->buffer) {
810 snprintf(ebuf, PCAP_ERRBUF_SIZE,
811 "malloc: %s", pcap_strerror(errno));
816 * This is a 2.2 or later kernel, as it has PF_PACKET;
817 * "recvfrom()", when passed the MSG_TRUNC flag, will
818 * return the actual length of the packet, not the
819 * number of bytes from the packet copied to userland,
820 * so we can safely pass it a byte count based on the
823 handle->md.readlen = handle->snapshot;
833 "New packet capturing interface not supported by build "
834 "environment", PCAP_ERRBUF_SIZE);
839 #ifdef HAVE_PF_PACKET_SOCKETS
841 * Return the index of the given device name. Fill ebuf and return
845 iface_get_id(int fd, const char *device, char *ebuf)
849 memset(&ifr, 0, sizeof(ifr));
850 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
852 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) {
853 snprintf(ebuf, PCAP_ERRBUF_SIZE,
854 "ioctl: %s", pcap_strerror(errno));
858 return ifr.ifr_ifindex;
862 * Bind the socket associated with FD to the given device.
865 iface_bind(int fd, int ifindex, char *ebuf)
867 struct sockaddr_ll sll;
869 memset(&sll, 0, sizeof(sll));
870 sll.sll_family = AF_PACKET;
871 sll.sll_ifindex = ifindex;
872 sll.sll_protocol = htons(ETH_P_ALL);
874 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) {
875 snprintf(ebuf, PCAP_ERRBUF_SIZE,
876 "bind: %s", pcap_strerror(errno));
886 /* ===== Functions to interface to the older kernels ================== */
889 * With older kernels promiscuous mode is kind of interesting because we
890 * have to reset the interface before exiting. The problem can't really
891 * be solved without some daemon taking care of managing usage counts.
892 * If we put the interface into promiscuous mode, we set a flag indicating
893 * that we must take it out of that mode when the interface is closed,
894 * and, when closing the interface, if that flag is set we take it out
895 * of promiscuous mode.
899 * List of pcaps for which we turned promiscuous mode on by hand.
900 * If there are any such pcaps, we arrange to call "pcap_close_all()"
901 * when we exit, and have it close all of them to turn promiscuous mode
904 static struct pcap *pcaps_to_close;
907 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
910 static int did_atexit;
912 static void pcap_close_all(void)
916 while ((handle = pcaps_to_close) != NULL)
920 void pcap_close_linux( pcap_t *handle )
922 struct pcap *p, *prevp;
925 if (handle->md.clear_promisc) {
927 * We put the interface into promiscuous mode; take
928 * it out of promiscuous mode.
930 * XXX - if somebody else wants it in promiscuous mode,
931 * this code cannot know that, so it'll take it out
932 * of promiscuous mode. That's not fixable in 2.0[.x]
935 memset(&ifr, 0, sizeof(ifr));
936 strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name));
937 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) {
939 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n"
940 "Please adjust manually.\n"
941 "Hint: This can't happen with Linux >= 2.2.0.\n",
944 if (ifr.ifr_flags & IFF_PROMISC) {
946 * Promiscuous mode is currently on; turn it
949 ifr.ifr_flags &= ~IFF_PROMISC;
950 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) {
952 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n"
953 "Please adjust manually.\n"
954 "Hint: This can't happen with Linux >= 2.2.0.\n",
961 * Take this pcap out of the list of pcaps for which we
962 * have to take the interface out of promiscuous mode.
964 for (p = pcaps_to_close, prevp = NULL; p != NULL;
965 prevp = p, p = p->md.next) {
968 * Found it. Remove it from the list.
972 * It was at the head of the list.
974 pcaps_to_close = p->md.next;
977 * It was in the middle of the list.
979 prevp->md.next = p->md.next;
985 if (handle->md.device != NULL)
986 free(handle->md.device);
990 * Try to open a packet socket using the old kernel interface.
991 * Returns 0 on failure.
992 * FIXME: 0 uses to mean success (Sebastian)
995 live_open_old(pcap_t *handle, char *device, int promisc,
996 int to_ms, char *ebuf)
998 int sock_fd = -1, mtu, arptype;
999 struct utsname utsname;
1003 /* Open the socket */
1005 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL));
1006 if (sock_fd == -1) {
1007 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1008 "socket: %s", pcap_strerror(errno));
1012 /* It worked - we are using the old interface */
1013 handle->md.sock_packet = 1;
1015 /* ...which means we get the link-layer header. */
1016 handle->md.cooked = 0;
1018 /* Bind to the given device */
1021 strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems",
1025 if (iface_bind_old(sock_fd, device, ebuf) == -1)
1028 /* Go to promisc mode */
1030 memset(&ifr, 0, sizeof(ifr));
1031 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1032 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) {
1033 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1034 "ioctl: %s", pcap_strerror(errno));
1037 if ((ifr.ifr_flags & IFF_PROMISC) == 0) {
1039 * Promiscuous mode isn't currently on,
1040 * so turn it on, and remember that
1041 * we should turn it off when the
1046 * If we haven't already done so, arrange
1047 * to have "pcap_close_all()" called when
1051 if (atexit(pcap_close_all) == -1) {
1053 * "atexit()" failed; don't
1054 * put the interface in
1055 * promiscuous mode, just
1058 strncpy(ebuf, "atexit failed",
1064 ifr.ifr_flags |= IFF_PROMISC;
1065 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) {
1066 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1068 pcap_strerror(errno));
1071 handle->md.clear_promisc = 1;
1074 * Add this to the list of pcaps
1075 * to close when we exit.
1077 handle->md.next = pcaps_to_close;
1078 pcaps_to_close = handle;
1082 /* Compute the buffersize */
1084 mtu = iface_get_mtu(sock_fd, device, ebuf);
1087 handle->bufsize = MAX_LINKHEADER_SIZE + mtu;
1088 if (handle->bufsize < handle->snapshot)
1089 handle->bufsize = handle->snapshot;
1091 /* All done - fill in the pcap handle */
1093 arptype = iface_get_arptype(sock_fd, device, ebuf);
1097 handle->fd = sock_fd;
1099 handle->linktype = map_arphrd_to_dlt(arptype);
1101 * XXX - handle ISDN types here? We can't fall back on
1102 * cooked sockets, so we'd have to figure out from the
1103 * device name what type of link-layer encapsulation
1104 * it's using, and map that to an appropriate DLT_
1105 * value, meaning we'd map "isdnN" devices to DLT_RAW
1106 * (they supply raw IP packets with no link-layer
1107 * header) and "isdY" devices to a new DLT_I4L_IP
1108 * type that has only an Ethernet packet type as
1109 * a link-layer header.
1111 if (handle->linktype == -1) {
1112 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1113 "interface type of %s not supported", device);
1116 handle->buffer = malloc(handle->bufsize);
1117 if (!handle->buffer) {
1118 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1119 "malloc: %s", pcap_strerror(errno));
1124 * This might be a 2.0[.x] kernel - check.
1126 if (uname(&utsname) < 0 ||
1127 strncmp(utsname.release, "2.0", 3) == 0) {
1129 * Either we couldn't find out what kernel release
1130 * this is, or it's a 2.0[.x] kernel.
1132 * In the 2.0[.x] kernel, a "recvfrom()" on
1133 * a SOCK_PACKET socket, with MSG_TRUNC set, will
1134 * return the number of bytes read, so if we pass
1135 * a length based on the snapshot length, it'll
1136 * return the number of bytes from the packet
1137 * copied to userland, not the actual length
1140 * This means that, for example, the IP dissector
1141 * in tcpdump will get handed a packet length less
1142 * than the length in the IP header, and will
1143 * complain about "truncated-ip".
1145 * So we don't bother trying to copy from the
1146 * kernel only the bytes in which we're interested,
1147 * but instead copy them all, just as the older
1148 * versions of libpcap for Linux did.
1150 * Just one of many problems with packet capture
1151 * on 2.0[.x] kernels; you really want a 2.2[.x]
1152 * or later kernel if you want packet capture to
1155 handle->md.readlen = handle->bufsize;
1158 * This is a 2.2[.x] or later kernel (although
1159 * why we're using SOCK_PACKET on such a system
1160 * is unknown to me).
1162 * We can safely pass "recvfrom()" a byte count
1163 * based on the snapshot length.
1165 handle->md.readlen = handle->snapshot;
1177 * Bind the socket associated with FD to the given device using the
1178 * interface of the old kernels.
1181 iface_bind_old(int fd, const char *device, char *ebuf)
1183 struct sockaddr saddr;
1185 memset(&saddr, 0, sizeof(saddr));
1186 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data));
1187 if (bind(fd, &saddr, sizeof(saddr)) == -1) {
1188 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1189 "bind: %s", pcap_strerror(errno));
1197 /* ===== System calls available on all supported kernels ============== */
1200 * Query the kernel for the MTU of the given interface.
1203 iface_get_mtu(int fd, const char *device, char *ebuf)
1208 return BIGGER_THAN_ALL_MTUS;
1210 memset(&ifr, 0, sizeof(ifr));
1211 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1213 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) {
1214 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1215 "ioctl: %s", pcap_strerror(errno));
1223 * Get the hardware type of the given interface as ARPHRD_xxx constant.
1226 iface_get_arptype(int fd, const char *device, char *ebuf)
1230 memset(&ifr, 0, sizeof(ifr));
1231 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
1233 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
1234 snprintf(ebuf, PCAP_ERRBUF_SIZE,
1235 "ioctl: %s", pcap_strerror(errno));
1239 return ifr.ifr_hwaddr.sa_family;
1242 #ifdef HAVE_PF_PACKET_SOCKETS
1244 fix_program(pcap_t *handle, struct sock_fprog *fcode)
1248 register struct bpf_insn *p;
1253 * Make a copy of the filter, and modify that copy if
1256 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len;
1257 len = handle->fcode.bf_len;
1258 f = (struct bpf_insn *)malloc(prog_size);
1260 snprintf(handle->errbuf, sizeof(handle->errbuf),
1261 "malloc: %s", pcap_strerror(errno));
1264 memcpy(f, handle->fcode.bf_insns, prog_size);
1266 fcode->filter = (struct sock_filter *) f;
1268 for (i = 0; i < len; ++i) {
1271 * What type of instruction is this?
1273 switch (BPF_CLASS(p->code)) {
1277 * It's a return instruction; is the snapshot
1278 * length a constant, rather than the contents
1279 * of the accumulator?
1281 if (BPF_MODE(p->code) == BPF_K) {
1283 * Yes - if the value to be returned,
1284 * i.e. the snapshot length, is anything
1285 * other than 0, make it 65535, so that
1286 * the packet is truncated by "recvfrom()",
1287 * not by the filter.
1289 * XXX - there's nothing we can easily do
1290 * if it's getting the value from the
1291 * accumulator; we'd have to insert
1292 * code to force non-zero values to be
1303 * It's a load instruction; is it loading
1306 switch (BPF_MODE(p->code)) {
1312 * Yes; are we in cooked mode?
1314 if (handle->md.cooked) {
1316 * Yes, so we need to fix this
1319 if (fix_offset(p) < 0) {
1321 * We failed to do so.
1322 * Return 0, so our caller
1323 * knows to punt to userland.
1333 return 1; /* we succeeded */
1337 fix_offset(struct bpf_insn *p)
1340 * What's the offset?
1342 if (p->k >= SLL_HDR_LEN) {
1344 * It's within the link-layer payload; that starts at an
1345 * offset of 0, as far as the kernel packet filter is
1346 * concerned, so subtract the length of the link-layer
1349 p->k -= SLL_HDR_LEN;
1350 } else if (p->k == 14) {
1352 * It's the protocol field; map it to the special magic
1353 * kernel offset for that field.
1355 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL;
1358 * It's within the header, but it's not one of those
1359 * fields; we can't do that in the kernel, so punt
projects / FreeBSD / FreeBSD.git / blob