2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * packet filter subroutines for tcpdump
22 * Extraction/creation by Jeffrey Mogul, DECWRL
29 #include <sys/types.h>
31 #include <sys/timeb.h>
32 #include <sys/socket.h>
34 #include <sys/ioctl.h>
35 #include <net/pfilt.h>
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43 #include <netinet/ip.h>
44 #include <netinet/if_ether.h>
45 #include <netinet/ip_var.h>
46 #include <netinet/udp.h>
47 #include <netinet/udp_var.h>
48 #include <netinet/tcp.h>
49 #include <netinet/tcpip.h>
59 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
60 * native OS version, as we need various BPF ioctls from it.
62 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
67 #ifdef HAVE_OS_PROTO_H
72 * FDDI packets are padded to make everything line up on a nice boundary.
74 #define PCAP_FDDIPAD 3
77 * Private data for capturing on Ultrix and DEC OSF/1^WDigital UNIX^W^W
78 * Tru64 UNIX packetfilter devices.
81 int filtering_in_kernel; /* using kernel filter */
82 u_long TotPkts; /* can't oflow for 79 hrs on ether */
83 u_long TotAccepted; /* count accepted by filter */
84 u_long TotDrops; /* count of dropped packets */
85 long TotMissed; /* missed by i/f during this run */
86 long OrigMissed; /* missed by i/f before this run */
89 static int pcap_setfilter_pf(pcap_t *, struct bpf_program *);
92 * BUFSPACE is the size in bytes of the packet read buffer. Most tcpdump
93 * applications aren't going to need more than 200 bytes of packet header
94 * and the read shouldn't return more packets than packetfilter's internal
95 * queue limit (bounded at 256).
97 #define BUFSPACE (200 * 256)
100 pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
102 struct pcap_pf *pf = pc->priv;
103 register u_char *p, *bp;
104 register int cc, n, buflen, inc;
105 register struct enstamp *sp;
106 struct enstamp stamp;
112 cc = read(pc->fd, (char *)pc->buffer + pc->offset, pc->bufsize);
114 if (errno == EWOULDBLOCK)
116 if (errno == EINVAL &&
117 lseek(pc->fd, 0L, SEEK_CUR) + pc->bufsize < 0) {
119 * Due to a kernel bug, after 2^31 bytes,
120 * the kernel file offset overflows and
121 * read fails with EINVAL. The lseek()
122 * to 0 will fix things.
124 (void)lseek(pc->fd, 0L, SEEK_SET);
127 pcap_fmt_errmsg_for_errno(pc->errbuf,
128 sizeof(pc->errbuf), errno, "pf read");
131 bp = (u_char *)pc->buffer + pc->offset;
135 * Loop through each packet.
137 * This assumes that a single buffer of packets will have
138 * <= INT_MAX packets, so the packet count doesn't overflow.
144 * Has "pcap_breakloop()" been called?
145 * If so, return immediately - if we haven't read any
146 * packets, clear the flag and return -2 to indicate
147 * that we were told to break out of the loop, otherwise
148 * leave the flag set, so that the *next* call will break
149 * out of the loop without having read any packets, and
150 * return the number of packets we've processed so far.
152 if (pc->break_loop) {
162 if (cc < sizeof(*sp)) {
163 snprintf(pc->errbuf, sizeof(pc->errbuf),
164 "pf short read (%d)", cc);
169 memcpy((char *)sp, (char *)bp, sizeof(*sp));
171 sp = (struct enstamp *)bp;
172 if (sp->ens_stamplen != sizeof(*sp)) {
173 snprintf(pc->errbuf, sizeof(pc->errbuf),
174 "pf short stamplen (%d)",
179 p = bp + sp->ens_stamplen;
180 buflen = sp->ens_count;
181 if (buflen > pc->snapshot)
182 buflen = pc->snapshot;
184 /* Calculate inc before possible pad update */
185 inc = ENALIGN(buflen + sp->ens_stamplen);
189 pf->TotDrops += sp->ens_dropped;
190 pf->TotMissed = sp->ens_ifoverflows;
191 if (pf->OrigMissed < 0)
192 pf->OrigMissed = pf->TotMissed;
195 * Short-circuit evaluation: if using BPF filter
196 * in kernel, no need to do it now - we already know
197 * the packet passed the filter.
199 * Note: the filter code was generated assuming
200 * that pc->fddipad was the amount of padding
201 * before the header, as that's what's required
202 * in the kernel, so we run the filter before
203 * skipping that padding.
205 if (pf->filtering_in_kernel ||
206 pcap_filter(pc->fcode.bf_insns, p, sp->ens_count, buflen)) {
207 struct pcap_pkthdr h;
209 h.ts = sp->ens_tstamp;
210 h.len = sp->ens_count - pad;
214 (*callback)(user, &h, p);
215 if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) {
227 pcap_inject_pf(pcap_t *p, const void *buf, int size)
231 ret = write(p->fd, buf, size);
233 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
241 pcap_stats_pf(pcap_t *p, struct pcap_stat *ps)
243 struct pcap_pf *pf = p->priv;
246 * If packet filtering is being done in the kernel:
248 * "ps_recv" counts only packets that passed the filter.
249 * This does not include packets dropped because we
250 * ran out of buffer space. (XXX - perhaps it should,
251 * by adding "ps_drop" to "ps_recv", for compatibility
252 * with some other platforms. On the other hand, on
253 * some platforms "ps_recv" counts only packets that
254 * passed the filter, and on others it counts packets
255 * that didn't pass the filter....)
257 * "ps_drop" counts packets that passed the kernel filter
258 * (if any) but were dropped because the input queue was
261 * "ps_ifdrop" counts packets dropped by the network
262 * interface (regardless of whether they would have passed
263 * the input filter, of course).
265 * If packet filtering is not being done in the kernel:
267 * "ps_recv" counts only packets that passed the filter.
269 * "ps_drop" counts packets that were dropped because the
270 * input queue was full, regardless of whether they passed
271 * the userland filter.
273 * "ps_ifdrop" counts packets dropped by the network
274 * interface (regardless of whether they would have passed
275 * the input filter, of course).
277 * These statistics don't include packets not yet read from
278 * the kernel by libpcap, but they may include packets not
279 * yet read from libpcap by the application.
281 ps->ps_recv = pf->TotAccepted;
282 ps->ps_drop = pf->TotDrops;
283 ps->ps_ifdrop = pf->TotMissed - pf->OrigMissed;
288 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
289 * don't get DLT_DOCSIS defined.
292 #define DLT_DOCSIS 143
296 pcap_activate_pf(pcap_t *p)
298 struct pcap_pf *pf = p->priv;
300 int backlog = -1; /* request the most */
301 struct enfilter Filter;
302 struct endevp devparams;
306 * Initially try a read/write open (to allow the inject
307 * method to work). If that fails due to permission
308 * issues, fall back to read-only. This allows a
309 * non-root user to be granted specific access to pcap
310 * capabilities via file permissions.
312 * XXX - we should have an API that has a flag that
313 * controls whether to open read-only or read-write,
314 * so that denial of permission to send (or inability
315 * to send, if sending packets isn't supported on
316 * the device in question) can be indicated at open
319 * XXX - we assume here that "pfopen()" does not, in fact, modify
320 * its argument, even though it takes a "char *" rather than a
321 * "const char *" as its first argument. That appears to be
322 * the case, at least on Digital UNIX 4.0.
324 * XXX - is there an error that means "no such device"? Is
325 * there one that means "that device doesn't support pf"?
327 p->fd = pfopen(p->opt.device, O_RDWR);
328 if (p->fd == -1 && errno == EACCES)
329 p->fd = pfopen(p->opt.device, O_RDONLY);
331 if (errno == EACCES) {
332 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
333 "pf open: %s: Permission denied\n"
334 "your system may not be properly configured; see the packetfilter(4) man page",
336 err = PCAP_ERROR_PERM_DENIED;
338 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
339 errno, "pf open: %s", p->opt.device);
346 * Turn a negative snapshot value (invalid), a snapshot value of
347 * 0 (unspecified), or a value bigger than the normal maximum
348 * value, into the maximum allowed value.
350 * If some application really *needs* a bigger snapshot
351 * length, we should just increase MAXIMUM_SNAPLEN.
353 if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
354 p->snapshot = MAXIMUM_SNAPLEN;
357 enmode = ENTSTAMP|ENNONEXCL;
358 if (!p->opt.immediate)
362 if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
363 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
369 /* Try to set COPYALL mode so that we see packets to ourself */
371 (void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */
373 /* set the backlog */
374 if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
375 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
380 /* discover interface type */
381 if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
382 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
387 /* HACK: to compile prior to Ultrix 4.2 */
391 switch (devparams.end_dev_type) {
394 p->linktype = DLT_EN10MB;
397 * This is (presumably) a real Ethernet capture; give it a
398 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
399 * that an application can let you choose it, in case you're
400 * capturing DOCSIS traffic that a Cisco Cable Modem
401 * Termination System is putting out onto an Ethernet (it
402 * doesn't put an Ethernet header onto the wire, it puts raw
403 * DOCSIS frames out on the wire inside the low-level
406 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
408 * If that fails, just leave the list empty.
410 if (p->dlt_list != NULL) {
411 p->dlt_list[0] = DLT_EN10MB;
412 p->dlt_list[1] = DLT_DOCSIS;
418 p->linktype = DLT_FDDI;
423 p->linktype = DLT_SLIP;
429 p->linktype = DLT_PPP;
436 * It appears to use Ethernet framing, at least on
439 p->linktype = DLT_EN10MB;
446 p->linktype = DLT_IEEE802;
452 * XXX - what about ENDT_IEEE802? The pfilt.h header
453 * file calls this "IEEE 802 networks (non-Ethernet)",
454 * but that doesn't specify a specific link layer type;
455 * it could be 802.4, or 802.5 (except that 802.5 is
456 * ENDT_TRN), or 802.6, or 802.11, or.... That's why
457 * DLT_IEEE802 was hijacked to mean Token Ring in various
458 * BSDs, and why we went along with that hijacking.
460 * XXX - what about ENDT_HDLC and ENDT_NULL?
461 * Presumably, as ENDT_OTHER is just "Miscellaneous
462 * framing", there's not much we can do, as that
463 * doesn't specify a particular type of header.
465 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
466 "unknown data-link type %u", devparams.end_dev_type);
471 if (p->linktype == DLT_FDDI) {
472 p->fddipad = PCAP_FDDIPAD;
474 /* packetfilter includes the padding in the snapshot */
475 p->snapshot += PCAP_FDDIPAD;
478 if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&p->snapshot) < 0) {
479 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
480 errno, "EIOCTRUNCATE");
484 /* accept all packets */
485 memset(&Filter, 0, sizeof(Filter));
486 Filter.enf_Priority = 37; /* anything > 2 */
487 Filter.enf_FilterLen = 0; /* means "always true" */
488 if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
489 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
495 if (p->opt.timeout != 0) {
496 struct timeval timeout;
497 timeout.tv_sec = p->opt.timeout / 1000;
498 timeout.tv_usec = (p->opt.timeout * 1000) % 1000000;
499 if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
500 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
501 errno, "EIOCSRTIMEOUT");
507 p->bufsize = BUFSPACE;
508 p->buffer = malloc(p->bufsize + p->offset);
509 if (p->buffer == NULL) {
510 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
517 * "select()" and "poll()" work on packetfilter devices.
519 p->selectable_fd = p->fd;
521 p->read_op = pcap_read_pf;
522 p->inject_op = pcap_inject_pf;
523 p->setfilter_op = pcap_setfilter_pf;
524 p->setdirection_op = NULL; /* Not implemented. */
525 p->set_datalink_op = NULL; /* can't change data link type */
526 p->getnonblock_op = pcap_getnonblock_fd;
527 p->setnonblock_op = pcap_setnonblock_fd;
528 p->stats_op = pcap_stats_pf;
532 pcap_cleanup_live_common(p);
537 pcap_create_interface(const char *device _U_, char *ebuf)
541 p = PCAP_CREATE_COMMON(ebuf, struct pcap_pf);
545 p->activate_op = pcap_activate_pf;
550 * XXX - is there an error from pfopen() that means "no such device"?
551 * Is there one that means "that device doesn't support pf"?
554 can_be_bound(const char *name _U_)
560 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
563 * Nothing we can do other than mark loopback devices as "the
564 * connected/disconnected status doesn't apply".
566 * XXX - is there a way to find out whether an adapter has
567 * something plugged into it?
569 if (*flags & PCAP_IF_LOOPBACK) {
571 * Loopback devices aren't wireless, and "connected"/
572 * "disconnected" doesn't apply to them.
574 *flags |= PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE;
581 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
583 return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound,
588 pcap_setfilter_pf(pcap_t *p, struct bpf_program *fp)
590 struct pcap_pf *pf = p->priv;
591 struct bpf_version bv;
594 * See if BIOCVERSION works. If not, we assume the kernel doesn't
595 * support BPF-style filters (it's not documented in the bpf(7)
596 * or packetfiler(7) man pages, but the code used to fail if
597 * BIOCSETF worked but BIOCVERSION didn't, and I've seen it do
598 * kernel filtering in DU 4.0, so presumably BIOCVERSION works
601 if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) >= 0) {
603 * OK, we have the version of the BPF interpreter;
604 * is it the same major version as us, and the same
605 * or better minor version?
607 if (bv.bv_major == BPF_MAJOR_VERSION &&
608 bv.bv_minor >= BPF_MINOR_VERSION) {
610 * Yes. Try to install the filter.
612 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
613 pcap_fmt_errmsg_for_errno(p->errbuf,
614 sizeof(p->errbuf), errno, "BIOCSETF");
619 * OK, that succeeded. We're doing filtering in
620 * the kernel. (We assume we don't have a
621 * userland filter installed - that'd require
622 * a previous version check to have failed but
623 * this one to succeed.)
625 * XXX - this message should be supplied to the
626 * application as a warning of some sort,
627 * except that if it's a GUI application, it's
628 * not clear that it should be displayed in
629 * a window to annoy the user.
631 fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
632 pf->filtering_in_kernel = 1;
635 * Discard any previously-received packets,
636 * as they might have passed whatever filter
637 * was formerly in effect, but might not pass
638 * this filter (BIOCSETF discards packets buffered
639 * in the kernel, so you can lose packets in any
647 * We can't use the kernel's BPF interpreter; don't give
648 * up, just log a message and be inefficient.
650 * XXX - this should really be supplied to the application
651 * as a warning of some sort.
654 "tcpdump: Requires BPF language %d.%d or higher; kernel is %d.%d\n",
655 BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
656 bv.bv_major, bv.bv_minor);
660 * We couldn't do filtering in the kernel; do it in userland.
662 if (install_bpf_program(p, fp) < 0)
666 * XXX - this message should be supplied by the application as
667 * a warning of some sort.
669 fprintf(stderr, "tcpdump: Filtering in user process\n");
670 pf->filtering_in_kernel = 0;
675 * Libpcap version string.
678 pcap_lib_version(void)
680 return (PCAP_VERSION_STRING);