2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 * Support for splitting captures into multiple files with a maximum
25 * Seth Webster <swebster@sst.ll.mit.edu>
29 static const char copyright[] _U_ =
30 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\
31 The Regents of the University of California. All rights reserved.\n";
37 * tcpdump - monitor tcp/ip traffic on an ethernet.
39 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory.
40 * Mercilessly hacked and occasionally improved since then via the
41 * combined efforts of Van, Steve McCanne and Craig Leres of LBL.
49 * Mac OS X may ship pcap.h from libpcap 0.6 with a libpcap based on
50 * 0.8. That means it has pcap_findalldevs() but the header doesn't
51 * define pcap_if_t, meaning that we can't actually *use* pcap_findalldevs().
53 #ifdef HAVE_PCAP_FINDALLDEVS
54 #ifndef HAVE_PCAP_IF_T
55 #undef HAVE_PCAP_FINDALLDEVS
59 #include <tcpdump-stdinc.h>
63 extern int strcasecmp (const char *__s1, const char *__s2);
74 #include <openssl/crypto.h>
77 #ifdef HAVE_GETOPT_LONG
80 #include "getopt_long.h"
82 /* Capsicum-specific code requires macros from <net/bpf.h>, which will fail
83 * to compile if <pcap.h> has already been included; including the headers
84 * in the opposite order works fine.
87 #include <sys/capsicum.h>
88 #include <sys/sysctl.h>
89 #endif /* __FreeBSD__ */
91 #include <libcapsicum.h>
92 #include <libcapsicum_dns.h>
93 #include <libcapsicum_service.h>
95 #include <sys/capability.h>
96 #include <sys/ioccom.h>
100 #endif /* HAVE_CAPSICUM */
108 #include <sys/wait.h>
109 #include <sys/resource.h>
114 /* capabilities convenience library */
115 /* If a code depends on HAVE_LIBCAP_NG, it depends also on HAVE_CAP_NG_H.
116 * If HAVE_CAP_NG_H is not defined, undefine HAVE_LIBCAP_NG.
117 * Thus, the later tests are done only on HAVE_LIBCAP_NG.
119 #ifdef HAVE_LIBCAP_NG
123 #undef HAVE_LIBCAP_NG
124 #endif /* HAVE_CAP_NG_H */
125 #endif /* HAVE_LIBCAP_NG */
127 #include "netdissect.h"
128 #include "interface.h"
129 #include "addrtoname.h"
131 #include "setsignal.h"
132 #include "gmt2local.h"
133 #include "pcap-missing.h"
136 #define PATH_MAX 1024
140 #define SIGNAL_REQ_INFO SIGINFO
142 #define SIGNAL_REQ_INFO SIGUSR1
145 netdissect_options Gndo;
146 netdissect_options *gndo = &Gndo;
148 static int Dflag; /* list available devices and exit */
149 static int dflag; /* print filter code */
150 static int Lflag; /* list available data link types and exit */
151 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
152 static int Jflag; /* list available time stamp types */
154 #ifdef HAVE_PCAP_SETDIRECTION
155 int Qflag = -1; /* restrict captured packet by send/receive direction */
157 static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */
159 static int infodelay;
160 static int infoprint;
165 cap_channel_t *capdns;
168 int32_t thiszone; /* seconds offset from gmt to local time */
171 static RETSIGTYPE cleanup(int);
172 static RETSIGTYPE child_cleanup(int);
173 static void print_version(void);
174 static void print_usage(void);
175 static void show_dlts_and_exit(const char *device, pcap_t *pd) __attribute__((noreturn));
177 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
178 static void ndo_default_print(netdissect_options *, const u_char *, u_int);
179 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *);
180 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
181 static void droproot(const char *, const char *);
182 static void ndo_error(netdissect_options *ndo, const char *fmt, ...)
183 __attribute__((noreturn))
184 #ifdef __ATTRIBUTE___FORMAT_OK
185 __attribute__((format (printf, 2, 3)))
186 #endif /* __ATTRIBUTE___FORMAT_OK */
188 static void ndo_warning(netdissect_options *ndo, const char *fmt, ...)
189 #ifdef __ATTRIBUTE___FORMAT_OK
190 __attribute__((format (printf, 2, 3)))
191 #endif /* __ATTRIBUTE___FORMAT_OK */
194 #ifdef SIGNAL_REQ_INFO
195 RETSIGTYPE requestinfo(int);
198 #if defined(USE_WIN32_MM_TIMER)
199 #include <MMsystem.h>
200 static UINT timer_id;
201 static void CALLBACK verbose_stats_dump(UINT, UINT, DWORD_PTR, DWORD_PTR, DWORD_PTR);
202 #elif defined(HAVE_ALARM)
203 static void verbose_stats_dump(int sig);
206 static void info(int);
207 static u_int packets_captured;
221 static const struct printer printers[] = {
225 static const struct ndo_printer ndo_printers[] = {
226 { ether_if_print, DLT_EN10MB },
228 { ipnet_if_print, DLT_IPNET },
230 #ifdef DLT_IEEE802_15_4
231 { ieee802_15_4_if_print, DLT_IEEE802_15_4 },
233 #ifdef DLT_IEEE802_15_4_NOFCS
234 { ieee802_15_4_if_print, DLT_IEEE802_15_4_NOFCS },
237 { ppi_if_print, DLT_PPI },
239 #ifdef DLT_NETANALYZER
240 { netanalyzer_if_print, DLT_NETANALYZER },
242 #ifdef DLT_NETANALYZER_TRANSPARENT
243 { netanalyzer_transparent_if_print, DLT_NETANALYZER_TRANSPARENT },
245 #if defined(DLT_NFLOG) && defined(HAVE_PCAP_NFLOG_H)
246 { nflog_if_print, DLT_NFLOG},
249 { cip_if_print, DLT_CIP },
252 { cip_if_print, DLT_ATM_CLIP },
254 #ifdef DLT_IP_OVER_FC
255 { ipfc_if_print, DLT_IP_OVER_FC },
257 { null_if_print, DLT_NULL },
259 { null_if_print, DLT_LOOP },
261 #ifdef DLT_APPLE_IP_OVER_IEEE1394
262 { ap1394_if_print, DLT_APPLE_IP_OVER_IEEE1394 },
264 #if defined(DLT_BLUETOOTH_HCI_H4_WITH_PHDR) && defined(HAVE_PCAP_BLUETOOTH_H)
265 { bt_if_print, DLT_BLUETOOTH_HCI_H4_WITH_PHDR},
268 { lane_if_print, DLT_LANE8023 },
270 { arcnet_if_print, DLT_ARCNET },
271 #ifdef DLT_ARCNET_LINUX
272 { arcnet_linux_if_print, DLT_ARCNET_LINUX },
274 { raw_if_print, DLT_RAW },
276 { raw_if_print, DLT_IPV4 },
279 { raw_if_print, DLT_IPV6 },
281 #ifdef HAVE_PCAP_USB_H
283 { usb_linux_48_byte_print, DLT_USB_LINUX},
284 #endif /* DLT_USB_LINUX */
285 #ifdef DLT_USB_LINUX_MMAPPED
286 { usb_linux_64_byte_print, DLT_USB_LINUX_MMAPPED},
287 #endif /* DLT_USB_LINUX_MMAPPED */
288 #endif /* HAVE_PCAP_USB_H */
289 #ifdef DLT_SYMANTEC_FIREWALL
290 { symantec_if_print, DLT_SYMANTEC_FIREWALL },
293 { chdlc_if_print, DLT_C_HDLC },
296 { chdlc_if_print, DLT_HDLC },
299 { pppoe_if_print, DLT_PPP_ETHER },
301 #if defined(DLT_PFLOG) && defined(HAVE_NET_PFVAR_H)
302 { pflog_if_print, DLT_PFLOG },
304 { token_if_print, DLT_IEEE802 },
305 { fddi_if_print, DLT_FDDI },
307 { sll_if_print, DLT_LINUX_SLL },
310 { fr_if_print, DLT_FR },
313 { fr_if_print, DLT_FRELAY },
316 { mfr_if_print, DLT_MFR },
318 { atm_if_print, DLT_ATM_RFC1483 },
320 { sunatm_if_print, DLT_SUNATM },
323 { enc_if_print, DLT_ENC },
325 { sl_if_print, DLT_SLIP },
326 #ifdef DLT_SLIP_BSDOS
327 { sl_bsdos_if_print, DLT_SLIP_BSDOS },
330 { ltalk_if_print, DLT_LTALK },
332 #ifdef DLT_JUNIPER_ATM1
333 { juniper_atm1_print, DLT_JUNIPER_ATM1 },
335 #ifdef DLT_JUNIPER_ATM2
336 { juniper_atm2_print, DLT_JUNIPER_ATM2 },
338 #ifdef DLT_JUNIPER_MFR
339 { juniper_mfr_print, DLT_JUNIPER_MFR },
341 #ifdef DLT_JUNIPER_MLFR
342 { juniper_mlfr_print, DLT_JUNIPER_MLFR },
344 #ifdef DLT_JUNIPER_MLPPP
345 { juniper_mlppp_print, DLT_JUNIPER_MLPPP },
347 #ifdef DLT_JUNIPER_PPPOE
348 { juniper_pppoe_print, DLT_JUNIPER_PPPOE },
350 #ifdef DLT_JUNIPER_PPPOE_ATM
351 { juniper_pppoe_atm_print, DLT_JUNIPER_PPPOE_ATM },
353 #ifdef DLT_JUNIPER_GGSN
354 { juniper_ggsn_print, DLT_JUNIPER_GGSN },
356 #ifdef DLT_JUNIPER_ES
357 { juniper_es_print, DLT_JUNIPER_ES },
359 #ifdef DLT_JUNIPER_MONITOR
360 { juniper_monitor_print, DLT_JUNIPER_MONITOR },
362 #ifdef DLT_JUNIPER_SERVICES
363 { juniper_services_print, DLT_JUNIPER_SERVICES },
365 #ifdef DLT_JUNIPER_ETHER
366 { juniper_ether_print, DLT_JUNIPER_ETHER },
368 #ifdef DLT_JUNIPER_PPP
369 { juniper_ppp_print, DLT_JUNIPER_PPP },
371 #ifdef DLT_JUNIPER_FRELAY
372 { juniper_frelay_print, DLT_JUNIPER_FRELAY },
374 #ifdef DLT_JUNIPER_CHDLC
375 { juniper_chdlc_print, DLT_JUNIPER_CHDLC },
378 { pktap_if_print, DLT_PKTAP },
380 #ifdef DLT_IEEE802_11_RADIO
381 { ieee802_11_radio_if_print, DLT_IEEE802_11_RADIO },
383 #ifdef DLT_IEEE802_11
384 { ieee802_11_if_print, DLT_IEEE802_11},
386 #ifdef DLT_IEEE802_11_RADIO_AVS
387 { ieee802_11_radio_avs_if_print, DLT_IEEE802_11_RADIO_AVS },
389 #ifdef DLT_PRISM_HEADER
390 { prism_if_print, DLT_PRISM_HEADER },
392 { ppp_if_print, DLT_PPP },
393 #ifdef DLT_PPP_WITHDIRECTION
394 { ppp_if_print, DLT_PPP_WITHDIRECTION },
397 { ppp_bsdos_if_print, DLT_PPP_BSDOS },
399 #ifdef DLT_PPP_SERIAL
400 { ppp_hdlc_if_print, DLT_PPP_SERIAL },
405 static const struct tok status_flags[] = {
407 { PCAP_IF_UP, "Up" },
409 #ifdef PCAP_IF_RUNNING
410 { PCAP_IF_RUNNING, "Running" },
412 { PCAP_IF_LOOPBACK, "Loopback" },
417 lookup_printer(int type)
419 const struct printer *p;
421 for (p = printers; p->f; ++p)
430 lookup_ndo_printer(int type)
432 const struct ndo_printer *p;
434 for (p = ndo_printers; p->f; ++p)
438 #if defined(DLT_USER2) && defined(DLT_PKTAP)
440 * Apple incorrectly chose to use DLT_USER2 for their PKTAP
443 * We map DLT_PKTAP, whether it's DLT_USER2 as it is on Darwin-
444 * based OSes or the same value as LINKTYPE_PKTAP as it is on
445 * other OSes, to LINKTYPE_PKTAP, so files written with
446 * this version of libpcap for a DLT_PKTAP capture have a link-
447 * layer header type of LINKTYPE_PKTAP.
449 * However, files written on OS X Mavericks for a DLT_PKTAP
450 * capture have a link-layer header type of LINKTYPE_USER2.
451 * If we don't have a printer for DLT_USER2, and type is
452 * DLT_USER2, we look up the printer for DLT_PKTAP and use
455 if (type == DLT_USER2) {
456 for (p = ndo_printers; p->f; ++p)
457 if (DLT_PKTAP == p->type)
468 static int supports_monitor_mode;
475 netdissect_options *ndo;
478 if_ndo_printer ndo_printer;
485 char *CurrentFileName;
493 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
495 show_tstamp_types_and_exit(const char *device, pcap_t *pd)
498 int *tstamp_types = 0;
499 const char *tstamp_type_name;
502 n_tstamp_types = pcap_list_tstamp_types(pd, &tstamp_types);
503 if (n_tstamp_types < 0)
504 error("%s", pcap_geterr(pd));
506 if (n_tstamp_types == 0) {
507 fprintf(stderr, "Time stamp type cannot be set for %s\n",
511 fprintf(stderr, "Time stamp types for %s (use option -j to set):\n",
513 for (i = 0; i < n_tstamp_types; i++) {
514 tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]);
515 if (tstamp_type_name != NULL) {
516 (void) fprintf(stderr, " %s (%s)\n", tstamp_type_name,
517 pcap_tstamp_type_val_to_description(tstamp_types[i]));
519 (void) fprintf(stderr, " %d\n", tstamp_types[i]);
522 pcap_free_tstamp_types(tstamp_types);
528 show_dlts_and_exit(const char *device, pcap_t *pd)
532 const char *dlt_name;
534 n_dlts = pcap_list_datalinks(pd, &dlts);
536 error("%s", pcap_geterr(pd));
537 else if (n_dlts == 0 || !dlts)
538 error("No data link types.");
541 * If the interface is known to support monitor mode, indicate
542 * whether these are the data link types available when not in
543 * monitor mode, if -I wasn't specified, or when in monitor mode,
544 * when -I was specified (the link-layer types available in
545 * monitor mode might be different from the ones available when
546 * not in monitor mode).
548 if (supports_monitor_mode)
549 (void) fprintf(stderr, "Data link types for %s %s (use option -y to set):\n",
551 Iflag ? "when in monitor mode" : "when not in monitor mode");
553 (void) fprintf(stderr, "Data link types for %s (use option -y to set):\n",
556 while (--n_dlts >= 0) {
557 dlt_name = pcap_datalink_val_to_name(dlts[n_dlts]);
558 if (dlt_name != NULL) {
559 (void) fprintf(stderr, " %s (%s)", dlt_name,
560 pcap_datalink_val_to_description(dlts[n_dlts]));
563 * OK, does tcpdump handle that type?
565 if (lookup_printer(dlts[n_dlts]) == NULL
566 && lookup_ndo_printer(dlts[n_dlts]) == NULL)
567 (void) fprintf(stderr, " (printing not supported)");
568 fprintf(stderr, "\n");
570 (void) fprintf(stderr, " DLT %d (printing not supported)\n",
574 #ifdef HAVE_PCAP_FREE_DATALINKS
575 pcap_free_datalinks(dlts);
580 #ifdef HAVE_PCAP_FINDALLDEVS
582 show_devices_and_exit (void)
584 pcap_if_t *devpointer;
585 char ebuf[PCAP_ERRBUF_SIZE];
588 if (pcap_findalldevs(&devpointer, ebuf) < 0)
591 for (i = 0; devpointer != NULL; i++) {
592 printf("%d.%s", i+1, devpointer->name);
593 if (devpointer->description != NULL)
594 printf(" (%s)", devpointer->description);
595 if (devpointer->flags != 0)
596 printf(" [%s]", bittok2str(status_flags, "none", devpointer->flags));
598 devpointer = devpointer->next;
603 #endif /* HAVE_PCAP_FINDALLDEVS */
608 * Note that there we use all letters for short options except for g, k,
609 * o, and P, and those are used by other versions of tcpdump, and we should
610 * only use them for the same purposes that the other versions of tcpdump
613 * OS X tcpdump uses -g to force non--v output for IP to be on one
614 * line, making it more "g"repable;
616 * OS X tcpdump uses -k tospecify that packet comments in pcap-ng files
619 * OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done
620 * for hosts sending TCP SYN packets;
622 * OS X tcpdump uses -P to indicate that -w should write pcap-ng rather
625 * OS X tcpdump also uses -Q to specify expressions that match packet
626 * metadata, including but not limited to the packet direction.
627 * The expression syntax is different from a simple "in|out|inout",
628 * and those expressions aren't accepted by OS X tcpdump, but the
629 * equivalents would be "in" = "dir=in", "out" = "dir=out", and
630 * "inout" = "dir=in or dir=out", and the parser could conceivably
631 * special-case "in", "out", and "inout" as expressions for backwards
632 * compatibility, so all is not (yet) lost.
636 * Set up flags that might or might not be supported depending on the
637 * version of libpcap we're using.
639 #if defined(HAVE_PCAP_CREATE) || defined(WIN32)
641 #define B_FLAG_USAGE " [ -B size ]"
642 #else /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */
645 #endif /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */
647 #ifdef HAVE_PCAP_CREATE
649 #else /* HAVE_PCAP_CREATE */
651 #endif /* HAVE_PCAP_CREATE */
653 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
655 #define j_FLAG_USAGE " [ -j tstamptype ]"
657 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */
661 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */
663 #ifdef HAVE_PCAP_FINDALLDEVS
669 #ifdef HAVE_PCAP_DUMP_FLUSH
675 #ifdef HAVE_PCAP_SETDIRECTION
681 #define SHORTOPTS "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpq" Q_FLAG "r:Rs:StT:u" U_FLAG "vV:w:W:xXy:Yz:Z:#"
686 * We do not currently have long options corresponding to all short
687 * options; we should probably pick appropriate option names for them.
689 * However, the short options where the number of times the option is
690 * specified matters, such as -v and -d and -t, should probably not
691 * just map to a long option, as saying
693 * tcpdump --verbose --verbose
695 * doesn't make sense; it should be --verbosity={N} or something such
698 * For long options with no corresponding short options, we define values
699 * outside the range of ASCII graphic characters, make that the last
700 * component of the entry for the long option, and have a case for that
701 * option in the switch statement.
703 #define OPTION_VERSION 128
704 #define OPTION_TSTAMP_PRECISION 129
705 #define OPTION_IMMEDIATE_MODE 130
707 static const struct option longopts[] = {
708 #if defined(HAVE_PCAP_CREATE) || defined(WIN32)
709 { "buffer-size", required_argument, NULL, 'B' },
711 { "list-interfaces", no_argument, NULL, 'D' },
712 { "help", no_argument, NULL, 'h' },
713 { "interface", required_argument, NULL, 'i' },
714 #ifdef HAVE_PCAP_CREATE
715 { "monitor-mode", no_argument, NULL, 'I' },
717 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
718 { "time-stamp-type", required_argument, NULL, 'j' },
719 { "list-time-stamp-types", no_argument, NULL, 'J' },
721 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
722 { "time-stamp-precision", required_argument, NULL, OPTION_TSTAMP_PRECISION},
724 { "dont-verify-checksums", no_argument, NULL, 'K' },
725 { "list-data-link-types", no_argument, NULL, 'L' },
726 { "no-optimize", no_argument, NULL, 'O' },
727 { "no-promiscuous-mode", no_argument, NULL, 'p' },
728 #ifdef HAVE_PCAP_SETDIRECTION
729 { "direction", required_argument, NULL, 'Q' },
731 { "snapshot-length", required_argument, NULL, 's' },
732 { "absolute-tcp-sequence-numbers", no_argument, NULL, 'S' },
733 #ifdef HAVE_PCAP_DUMP_FLUSH
734 { "packet-buffered", no_argument, NULL, 'U' },
736 { "linktype", required_argument, NULL, 'y' },
737 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
738 { "immediate-mode", no_argument, NULL, OPTION_IMMEDIATE_MODE },
740 #if defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG)
741 { "debug-filter-parser", no_argument, NULL, 'Y' },
743 { "relinquish-privileges", required_argument, NULL, 'Z' },
744 { "number", no_argument, NULL, '#' },
745 { "version", no_argument, NULL, OPTION_VERSION },
750 /* Drop root privileges and chroot if necessary */
752 droproot(const char *username, const char *chroot_dir)
754 struct passwd *pw = NULL;
756 if (chroot_dir && !username) {
757 fprintf(stderr, "tcpdump: Chroot without dropping root is insecure\n");
761 pw = getpwnam(username);
764 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) {
765 fprintf(stderr, "tcpdump: Couldn't chroot/chdir to '%.64s': %s\n",
766 chroot_dir, pcap_strerror(errno));
770 #ifdef HAVE_LIBCAP_NG
771 int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
773 fprintf(stderr, "error : ret %d\n", ret);
776 fprintf(stderr, "dropped privs to %s\n", username);
779 if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
780 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
781 fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n",
783 (unsigned long)pw->pw_uid,
784 (unsigned long)pw->pw_gid,
785 pcap_strerror(errno));
789 fprintf(stderr, "dropped privs to %s\n", username);
791 #endif /* HAVE_LIBCAP_NG */
794 fprintf(stderr, "tcpdump: Couldn't find user '%.32s'\n",
798 #ifdef HAVE_LIBCAP_NG
799 /* We don't need CAP_SETUID and CAP_SETGID any more. */
802 CAPNG_EFFECTIVE | CAPNG_PERMITTED,
806 capng_apply(CAPNG_SELECT_BOTH);
807 #endif /* HAVE_LIBCAP_NG */
828 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars)
830 char *filename = malloc(PATH_MAX + 1);
831 if (filename == NULL)
832 error("Makefilename: malloc");
834 /* Process with strftime if Gflag is set. */
838 /* Convert Gflag_time to a usable format */
839 if ((local_tm = localtime(&Gflag_time)) == NULL) {
840 error("MakeTimedFilename: localtime");
843 /* There's no good way to detect an error in strftime since a return
844 * value of 0 isn't necessarily failure.
846 strftime(filename, PATH_MAX, orig_name, local_tm);
848 strncpy(filename, orig_name, PATH_MAX);
851 if (cnt == 0 && max_chars == 0)
852 strncpy(buffer, filename, PATH_MAX + 1);
854 if (snprintf(buffer, PATH_MAX + 1, "%s%0*d", filename, max_chars, cnt) > PATH_MAX)
855 /* Report an error if the filename is too large */
856 error("too many output files or filename is too long (> %d)", PATH_MAX);
860 static int tcpdump_printf(netdissect_options *ndo _U_,
861 const char *fmt, ...)
868 ret=vfprintf(stdout, fmt, args);
874 static struct print_info
875 get_print_info(int type)
877 struct print_info printinfo;
879 printinfo.ndo_type = 1;
880 printinfo.ndo = gndo;
881 printinfo.p.ndo_printer = lookup_ndo_printer(type);
882 if (printinfo.p.ndo_printer == NULL) {
883 printinfo.p.printer = lookup_printer(type);
884 printinfo.ndo_type = 0;
885 if (printinfo.p.printer == NULL) {
886 gndo->ndo_dltname = pcap_datalink_val_to_name(type);
887 if (gndo->ndo_dltname != NULL)
888 error("packet printing is not supported for link type %s: use -w",
891 error("packet printing is not supported for link type %d: use -w", type);
898 get_next_file(FILE *VFile, char *ptr)
902 ret = fgets(ptr, PATH_MAX, VFile);
906 if (ptr[strlen(ptr) - 1] == '\n')
907 ptr[strlen(ptr) - 1] = '\0';
913 static cap_channel_t *
916 cap_channel_t *capcas, *capdnsloc;
917 const char *types[1];
921 if (capcas == NULL) {
922 warning("unable to contact casperd");
925 capdnsloc = cap_service_open(capcas, "system.dns");
926 /* Casper capability no longer needed. */
928 if (capdnsloc == NULL)
929 error("unable to open system.dns service");
930 /* Limit system.dns to reverse DNS lookups. */
932 if (cap_dns_type_limit(capdnsloc, types, 1) < 0)
933 error("unable to limit access to system.dns service");
934 families[0] = AF_INET;
935 families[1] = AF_INET6;
936 if (cap_dns_family_limit(capdnsloc, families, 2) < 0)
937 error("unable to limit access to system.dns service");
941 #endif /* HAVE_CAPSICUM */
943 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
945 tstamp_precision_from_string(const char *precision)
947 if (strncmp(precision, "nano", strlen("nano")) == 0)
948 return PCAP_TSTAMP_PRECISION_NANO;
950 if (strncmp(precision, "micro", strlen("micro")) == 0)
951 return PCAP_TSTAMP_PRECISION_MICRO;
957 tstamp_precision_to_string(int precision)
961 case PCAP_TSTAMP_PRECISION_MICRO:
964 case PCAP_TSTAMP_PRECISION_NANO:
975 * Ensure that, on a dump file's descriptor, we have all the rights
976 * necessary to make the standard I/O library work with an fdopen()ed
977 * FILE * from that descriptor.
979 * A long time ago, in a galaxy far far away, AT&T decided that, instead
980 * of providing separate APIs for getting and setting the FD_ flags on a
981 * descriptor, getting and setting the O_ flags on a descriptor, and
982 * locking files, they'd throw them all into a kitchen-sink fcntl() call
983 * along the lines of ioctl(), the fact that ioctl() operations are
984 * largely specific to particular character devices but fcntl() operations
985 * are either generic to all descriptors or generic to all descriptors for
986 * regular files nonwithstanding.
988 * The Capsicum people decided that fine-grained control of descriptor
989 * operations was required, so that you need to grant permission for
990 * reading, writing, seeking, and fcntl-ing. The latter, courtesy of
991 * AT&T's decision, means that "fcntl-ing" isn't a thing, but a motley
992 * collection of things, so there are *individual* fcntls for which
993 * permission needs to be granted.
995 * The FreeBSD standard I/O people implemented some optimizations that
996 * requires that the standard I/O routines be able to determine whether
997 * the descriptor for the FILE * is open append-only or not; as that
998 * descriptor could have come from an open() rather than an fopen(),
999 * that requires that it be able to do an F_GETFL fcntl() to read
1002 * Tcpdump uses ftell() to determine how much data has been written
1003 * to a file in order to, when used with -C, determine when it's time
1004 * to rotate capture files. ftell() therefore needs to do an lseek()
1005 * to find out the file offset and must, thanks to the aforementioned
1006 * optimization, also know whether the descriptor is open append-only
1009 * The net result of all the above is that we need to grant CAP_SEEK,
1010 * CAP_WRITE, and CAP_FCNTL with the CAP_FCNTL_GETFL subcapability.
1012 * Perhaps this is the universe's way of saying that either
1014 * 1) there needs to be an fopenat() call and a pcap_dump_openat() call
1015 * using it, so that Capsicum-capable tcpdump wouldn't need to do
1020 * 2) there needs to be a cap_fdopen() call in the FreeBSD standard
1021 * I/O library that knows what rights are needed by the standard
1022 * I/O library, based on the open mode, and assigns them, perhaps
1023 * with an additional argument indicating, for example, whether
1024 * seeking should be allowed, so that tcpdump doesn't need to know
1025 * what the standard I/O library happens to require this week.
1028 set_dumper_capsicum_rights(pcap_dumper_t *p)
1030 int fd = fileno(pcap_dump_file(p));
1031 cap_rights_t rights;
1033 cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
1034 if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
1035 error("unable to limit dump descriptor");
1037 if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
1038 error("unable to limit dump descriptor fcntls");
1044 main(int argc, char **argv)
1046 register int cnt, op, i;
1047 bpf_u_int32 localnet =0 , netmask = 0;
1048 register char *cp, *infile, *cmdbuf, *device, *RFileName, *VFileName, *WFileName;
1049 pcap_handler callback;
1053 const char *dlt_name;
1054 struct bpf_program fcode;
1056 RETSIGTYPE (*oldhandler)(int);
1058 struct print_info printinfo;
1059 struct dump_info dumpinfo;
1060 u_char *pcap_userdata;
1061 char ebuf[PCAP_ERRBUF_SIZE];
1062 char VFileLine[PATH_MAX + 1];
1063 char *username = NULL;
1064 char *chroot_dir = NULL;
1067 #ifdef HAVE_PCAP_FINDALLDEVS
1068 pcap_if_t *devpointer;
1073 #ifdef HAVE_CAPSICUM
1074 cap_rights_t rights;
1075 #endif /* HAVE_CAPSICUM */
1079 if(wsockinit() != 0) return 1;
1082 jflag=-1; /* not set */
1086 gndo->ndo_default_print=ndo_default_print;
1087 gndo->ndo_printf=tcpdump_printf;
1088 gndo->ndo_error=ndo_error;
1089 gndo->ndo_warning=ndo_warning;
1090 gndo->ndo_snaplen = DEFAULT_SNAPLEN;
1091 gndo->ndo_immediate = 0;
1101 if ((cp = strrchr(argv[0], '/')) != NULL)
1102 program_name = cp + 1;
1104 program_name = argv[0];
1107 * On platforms where the CPU doesn't support unaligned loads,
1108 * force unaligned accesses to abort with SIGBUS, rather than
1109 * being fixed up (slowly) by the OS kernel; on those platforms,
1110 * misaligned accesses are bugs, and we want tcpdump to crash so
1111 * that the bugs are reported.
1113 if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0)
1121 (op = getopt_long(argc, argv, SHORTOPTS, longopts, NULL)) != -1)
1125 /* compatibility for old -a */
1136 #if defined(HAVE_PCAP_CREATE) || defined(WIN32)
1138 Bflag = atoi(optarg)*1024;
1140 error("invalid packet buffer size %s", optarg);
1142 #endif /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */
1147 error("invalid packet count %s", optarg);
1151 Cflag = atoi(optarg) * 1000000;
1153 error("invalid file size %s", optarg);
1173 #ifndef HAVE_LIBCRYPTO
1174 warning("crypto code not compiled in");
1176 gndo->ndo_espsecret = optarg;
1188 Gflag = atoi(optarg);
1190 error("invalid number of seconds %s", optarg);
1192 /* We will create one file initially. */
1195 /* Grab the current time for rotation use. */
1196 if ((Gflag_time = time(NULL)) == (time_t)-1) {
1197 error("main: can't get current time: %s",
1198 pcap_strerror(errno));
1212 if (optarg[0] == '0' && optarg[1] == 0)
1213 error("Invalid adapter index");
1215 #ifdef HAVE_PCAP_FINDALLDEVS
1217 * If the argument is a number, treat it as
1218 * an index into the list of adapters, as
1219 * printed by "tcpdump -D".
1221 * This should be OK on UNIX systems, as interfaces
1222 * shouldn't have names that begin with digits.
1223 * It can be useful on Windows, where more than
1224 * one interface can have the same name.
1226 devnum = strtol(optarg, &end, 10);
1227 if (optarg != end && *end == '\0') {
1229 error("Invalid adapter index");
1231 if (pcap_findalldevs(&devpointer, ebuf) < 0)
1235 * Look for the devnum-th entry
1236 * in the list of devices
1240 i < devnum-1 && devpointer != NULL;
1241 i++, devpointer = devpointer->next)
1243 if (devpointer == NULL)
1244 error("Invalid adapter index");
1246 device = devpointer->name;
1249 #endif /* HAVE_PCAP_FINDALLDEVS */
1253 #ifdef HAVE_PCAP_CREATE
1257 #endif /* HAVE_PCAP_CREATE */
1259 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1261 jflag = pcap_tstamp_type_name_to_val(optarg);
1263 error("invalid time stamp type %s", optarg);
1274 * _IOLBF is the same as _IOFBF in Microsoft's C
1275 * libraries; the only alternative they offer
1278 * XXX - this should really be checking for MSVC++,
1279 * not WIN32, if, for example, MinGW has its own
1280 * C library that is more UNIX-compatible.
1282 setvbuf(stdout, NULL, _IONBF, 0);
1284 #ifdef HAVE_SETLINEBUF
1287 setvbuf(stdout, NULL, _IOLBF, 0);
1298 if (smiLoadModule(optarg) == 0) {
1299 error("could not load MIB module %s", optarg);
1303 (void)fprintf(stderr, "%s: ignoring option `-m %s' ",
1304 program_name, optarg);
1305 (void)fprintf(stderr, "(no libsmi support)\n");
1310 /* TCP-MD5 shared secret */
1311 #ifndef HAVE_LIBCRYPTO
1312 warning("crypto code not compiled in");
1335 ++suppress_default_print;
1338 #ifdef HAVE_PCAP_SETDIRECTION
1340 if (strcasecmp(optarg, "in") == 0)
1342 else if (strcasecmp(optarg, "out") == 0)
1344 else if (strcasecmp(optarg, "inout") == 0)
1345 Qflag = PCAP_D_INOUT;
1347 error("unknown capture direction `%s'", optarg);
1349 #endif /* HAVE_PCAP_SETDIRECTION */
1360 snaplen = strtol(optarg, &end, 0);
1361 if (optarg == end || *end != '\0'
1362 || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)
1363 error("invalid snaplen %s", optarg);
1364 else if (snaplen == 0)
1365 snaplen = MAXIMUM_SNAPLEN;
1377 if (strcasecmp(optarg, "vat") == 0)
1378 packettype = PT_VAT;
1379 else if (strcasecmp(optarg, "wb") == 0)
1381 else if (strcasecmp(optarg, "rpc") == 0)
1382 packettype = PT_RPC;
1383 else if (strcasecmp(optarg, "rtp") == 0)
1384 packettype = PT_RTP;
1385 else if (strcasecmp(optarg, "rtcp") == 0)
1386 packettype = PT_RTCP;
1387 else if (strcasecmp(optarg, "snmp") == 0)
1388 packettype = PT_SNMP;
1389 else if (strcasecmp(optarg, "cnfp") == 0)
1390 packettype = PT_CNFP;
1391 else if (strcasecmp(optarg, "tftp") == 0)
1392 packettype = PT_TFTP;
1393 else if (strcasecmp(optarg, "aodv") == 0)
1394 packettype = PT_AODV;
1395 else if (strcasecmp(optarg, "carp") == 0)
1396 packettype = PT_CARP;
1397 else if (strcasecmp(optarg, "radius") == 0)
1398 packettype = PT_RADIUS;
1399 else if (strcasecmp(optarg, "zmtp1") == 0)
1400 packettype = PT_ZMTP1;
1401 else if (strcasecmp(optarg, "vxlan") == 0)
1402 packettype = PT_VXLAN;
1403 else if (strcasecmp(optarg, "pgm") == 0)
1404 packettype = PT_PGM;
1405 else if (strcasecmp(optarg, "pgm_zmtp1") == 0)
1406 packettype = PT_PGM_ZMTP1;
1407 else if (strcasecmp(optarg, "lmp") == 0)
1408 packettype = PT_LMP;
1410 error("unknown packet type `%s'", optarg);
1417 #ifdef HAVE_PCAP_DUMP_FLUSH
1436 Wflag = atoi(optarg);
1438 error("invalid number of output files %s", optarg);
1439 WflagChars = getWflagChars(Wflag);
1444 ++suppress_default_print;
1449 ++suppress_default_print;
1453 gndo->ndo_dltname = optarg;
1455 pcap_datalink_name_to_val(gndo->ndo_dltname);
1456 if (gndo->ndo_dlt < 0)
1457 error("invalid data link type %s", gndo->ndo_dltname);
1460 #if defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG)
1463 /* Undocumented flag */
1464 #ifdef HAVE_PCAP_DEBUG
1465 extern int pcap_debug;
1475 zflag = strdup(optarg);
1479 username = strdup(optarg);
1483 gndo->ndo_packet_number = 1;
1486 case OPTION_VERSION:
1491 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1492 case OPTION_TSTAMP_PRECISION:
1493 gndo->ndo_tstamp_precision = tstamp_precision_from_string(optarg);
1494 if (gndo->ndo_tstamp_precision < 0)
1495 error("unsupported time stamp precision");
1499 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
1500 case OPTION_IMMEDIATE_MODE:
1501 gndo->ndo_immediate = 1;
1511 #ifdef HAVE_PCAP_FINDALLDEVS
1513 show_devices_and_exit();
1518 case 0: /* Default */
1519 case 4: /* Default + Date*/
1520 thiszone = gmt2local(0);
1523 case 1: /* No time stamp */
1524 case 2: /* Unix timeval style */
1525 case 3: /* Microseconds since previous packet */
1526 case 5: /* Microseconds since first packet */
1529 default: /* Not supported */
1530 error("only -t, -tt, -ttt, -tttt and -ttttt are supported");
1534 if (fflag != 0 && (VFileName != NULL || RFileName != NULL))
1535 error("-f can not be used with -V or -r");
1537 if (VFileName != NULL && RFileName != NULL)
1538 error("-V and -r are mutually exclusive.");
1540 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
1542 * If we're printing dissected packets to the standard output
1543 * rather than saving raw packets to a file, and the standard
1544 * output is a terminal, use immediate mode, as the user's
1545 * probably expecting to see packets pop up immediately.
1547 if (WFileName == NULL && isatty(1))
1548 gndo->ndo_immediate = 1;
1552 /* if run as root, prepare for chrooting */
1553 if (getuid() == 0 || geteuid() == 0) {
1554 /* future extensibility for cmd-line arguments */
1556 chroot_dir = WITH_CHROOT;
1561 /* if run as root, prepare for dropping root privileges */
1562 if (getuid() == 0 || geteuid() == 0) {
1563 /* Run with '-Z root' to restore old behaviour */
1565 username = WITH_USER;
1569 if (RFileName != NULL || VFileName != NULL) {
1571 * If RFileName is non-null, it's the pathname of a
1572 * savefile to read. If VFileName is non-null, it's
1573 * the pathname of a file containing a list of pathnames
1574 * (one per line) of savefiles to read.
1576 * In either case, we're reading a savefile, not doing
1581 * We don't need network access, so relinquish any set-UID
1582 * or set-GID privileges we have (if any).
1584 * We do *not* want set-UID privileges when opening a
1585 * trace file, as that might let the user read other
1586 * people's trace files (especially if we're set-UID
1589 if (setgid(getgid()) != 0 || setuid(getuid()) != 0 )
1590 fprintf(stderr, "Warning: setgid/setuid failed !\n");
1592 if (VFileName != NULL) {
1593 if (VFileName[0] == '-' && VFileName[1] == '\0')
1596 VFile = fopen(VFileName, "r");
1599 error("Unable to open file: %s\n", strerror(errno));
1601 ret = get_next_file(VFile, VFileLine);
1603 error("Nothing in %s\n", VFileName);
1604 RFileName = VFileLine;
1607 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1608 pd = pcap_open_offline_with_tstamp_precision(RFileName,
1609 gndo->ndo_tstamp_precision, ebuf);
1611 pd = pcap_open_offline(RFileName, ebuf);
1616 #ifdef HAVE_CAPSICUM
1617 cap_rights_init(&rights, CAP_READ);
1618 if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 &&
1620 error("unable to limit pcap descriptor");
1623 dlt = pcap_datalink(pd);
1624 dlt_name = pcap_datalink_val_to_name(dlt);
1625 if (dlt_name == NULL) {
1626 fprintf(stderr, "reading from file %s, link-type %u\n",
1630 "reading from file %s, link-type %s (%s)\n",
1631 RFileName, dlt_name,
1632 pcap_datalink_val_to_description(dlt));
1636 * We're doing a live capture.
1638 if (device == NULL) {
1639 device = pcap_lookupdev(ebuf);
1645 * Print a message to the standard error on Windows.
1646 * XXX - why do it here, with a different message?
1648 if(strlen(device) == 1) /* we assume that an ASCII string is always longer than 1 char */
1649 { /* a Unicode string has a \0 as second byte (so strlen() is 1) */
1650 fprintf(stderr, "%s: listening on %ws\n", program_name, device);
1654 fprintf(stderr, "%s: listening on %s\n", program_name, device);
1659 #ifdef HAVE_PCAP_CREATE
1660 pd = pcap_create(device, ebuf);
1663 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1665 show_tstamp_types_and_exit(device, pd);
1667 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1668 status = pcap_set_tstamp_precision(pd, gndo->ndo_tstamp_precision);
1670 error("%s: Can't set %ssecond time stamp precision: %s",
1672 tstamp_precision_to_string(gndo->ndo_tstamp_precision),
1673 pcap_statustostr(status));
1676 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
1677 if (gndo->ndo_immediate) {
1678 status = pcap_set_immediate_mode(pd, 1);
1680 error("%s: Can't set immediate mode: %s",
1682 pcap_statustostr(status));
1686 * Is this an interface that supports monitor mode?
1688 if (pcap_can_set_rfmon(pd) == 1)
1689 supports_monitor_mode = 1;
1691 supports_monitor_mode = 0;
1692 status = pcap_set_snaplen(pd, snaplen);
1694 error("%s: Can't set snapshot length: %s",
1695 device, pcap_statustostr(status));
1696 status = pcap_set_promisc(pd, !pflag);
1698 error("%s: Can't set promiscuous mode: %s",
1699 device, pcap_statustostr(status));
1701 status = pcap_set_rfmon(pd, 1);
1703 error("%s: Can't set monitor mode: %s",
1704 device, pcap_statustostr(status));
1706 status = pcap_set_timeout(pd, 1000);
1708 error("%s: pcap_set_timeout failed: %s",
1709 device, pcap_statustostr(status));
1711 status = pcap_set_buffer_size(pd, Bflag);
1713 error("%s: Can't set buffer size: %s",
1714 device, pcap_statustostr(status));
1716 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1718 status = pcap_set_tstamp_type(pd, jflag);
1720 error("%s: Can't set time stamp type: %s",
1721 device, pcap_statustostr(status));
1724 status = pcap_activate(pd);
1727 * pcap_activate() failed.
1729 cp = pcap_geterr(pd);
1730 if (status == PCAP_ERROR)
1732 else if ((status == PCAP_ERROR_NO_SUCH_DEVICE ||
1733 status == PCAP_ERROR_PERM_DENIED) &&
1735 error("%s: %s\n(%s)", device,
1736 pcap_statustostr(status), cp);
1738 else if (status == PCAP_ERROR_RFMON_NOTSUP &&
1739 strncmp(device, "wlan", 4) == 0) {
1740 char parent[8], newdev[8];
1742 size_t s = sizeof(parent);
1744 snprintf(sysctl, sizeof(sysctl),
1745 "net.wlan.%d.%%parent", atoi(device + 4));
1746 sysctlbyname(sysctl, parent, &s, NULL, 0);
1747 strlcpy(newdev, device, sizeof(newdev));
1748 /* Suggest a new wlan device. */
1749 newdev[strlen(newdev)-1]++;
1750 error("%s is not a monitor mode VAP\n"
1751 "To create a new monitor mode VAP use:\n"
1752 " ifconfig %s create wlandev %s wlanmode "
1753 "monitor\nand use %s as the tcpdump "
1754 "interface", device, newdev, parent,
1759 error("%s: %s", device,
1760 pcap_statustostr(status));
1761 } else if (status > 0) {
1763 * pcap_activate() succeeded, but it's warning us
1764 * of a problem it had.
1766 cp = pcap_geterr(pd);
1767 if (status == PCAP_WARNING)
1769 else if (status == PCAP_WARNING_PROMISC_NOTSUP &&
1771 warning("%s: %s\n(%s)", device,
1772 pcap_statustostr(status), cp);
1774 warning("%s: %s", device,
1775 pcap_statustostr(status));
1777 #ifdef HAVE_PCAP_SETDIRECTION
1779 status = pcap_setdirection(pd, Qflag);
1781 error("%s: pcap_setdirection() failed: %s",
1782 device, pcap_geterr(pd));
1784 #endif /* HAVE_PCAP_SETDIRECTION */
1787 pd = pcap_open_live(device, snaplen, !pflag, 1000, ebuf);
1791 warning("%s", ebuf);
1792 #endif /* HAVE_PCAP_CREATE */
1794 * Let user own process after socket has been opened.
1797 if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
1798 fprintf(stderr, "Warning: setgid/setuid failed !\n");
1800 #if !defined(HAVE_PCAP_CREATE) && defined(WIN32)
1802 if(pcap_setbuff(pd, Bflag)==-1){
1803 error("%s", pcap_geterr(pd));
1805 #endif /* !defined(HAVE_PCAP_CREATE) && defined(WIN32) */
1807 show_dlts_and_exit(device, pd);
1808 if (gndo->ndo_dlt >= 0) {
1809 #ifdef HAVE_PCAP_SET_DATALINK
1810 if (pcap_set_datalink(pd, gndo->ndo_dlt) < 0)
1811 error("%s", pcap_geterr(pd));
1814 * We don't actually support changing the
1815 * data link type, so we only let them
1816 * set it to what it already is.
1818 if (gndo->ndo_dlt != pcap_datalink(pd)) {
1819 error("%s is not one of the DLTs supported by this device\n",
1823 (void)fprintf(stderr, "%s: data link type %s\n",
1824 program_name, gndo->ndo_dltname);
1825 (void)fflush(stderr);
1827 i = pcap_snapshot(pd);
1829 warning("snaplen raised from %d to %d", snaplen, i);
1833 if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) {
1834 warning("foreign (-f) flag used but: %s", ebuf);
1840 cmdbuf = read_infile(infile);
1842 cmdbuf = copy_argv(&argv[optind]);
1844 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0)
1845 error("%s", pcap_geterr(pd));
1847 bpf_dump(&fcode, dflag);
1853 #ifdef HAVE_CAPSICUM
1855 capdns = capdns_setup();
1856 #endif /* HAVE_CAPSICUM */
1858 init_addrtoname(gndo, localnet, netmask);
1862 (void)setsignal(SIGPIPE, cleanup);
1863 (void)setsignal(SIGTERM, cleanup);
1864 (void)setsignal(SIGINT, cleanup);
1866 #if defined(HAVE_FORK) || defined(HAVE_VFORK)
1867 (void)setsignal(SIGCHLD, child_cleanup);
1869 /* Cooperate with nohup(1) */
1871 if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
1872 (void)setsignal(SIGHUP, oldhandler);
1877 * If a user name was specified with "-Z", attempt to switch to
1878 * that user's UID. This would probably be used with sudo,
1879 * to allow tcpdump to be run in a special restricted
1880 * account (if you just want to allow users to open capture
1881 * devices, and can't just give users that permission,
1882 * you'd make tcpdump set-UID or set-GID).
1884 * Tcpdump doesn't necessarily write only to one savefile;
1885 * the general only way to allow a -Z instance to write to
1886 * savefiles as the user under whose UID it's run, rather
1887 * than as the user specified with -Z, would thus be to switch
1888 * to the original user ID before opening a capture file and
1889 * then switch back to the -Z user ID after opening the savefile.
1890 * Switching to the -Z user ID only after opening the first
1891 * savefile doesn't handle the general case.
1894 if (getuid() == 0 || geteuid() == 0) {
1895 #ifdef HAVE_LIBCAP_NG
1896 /* Initialize capng */
1897 capng_clear(CAPNG_SELECT_BOTH);
1901 CAPNG_PERMITTED | CAPNG_EFFECTIVE,
1910 CAPNG_PERMITTED | CAPNG_EFFECTIVE,
1914 capng_apply(CAPNG_SELECT_BOTH);
1915 #endif /* HAVE_LIBCAP_NG */
1916 if (username || chroot_dir)
1917 droproot(username, chroot_dir);
1922 if (pcap_setfilter(pd, &fcode) < 0)
1923 error("%s", pcap_geterr(pd));
1924 #ifdef HAVE_CAPSICUM
1925 if (RFileName == NULL && VFileName == NULL) {
1926 static const unsigned long cmds[] = { BIOCGSTATS };
1929 * The various libpcap devices use a combination of
1930 * read (bpf), ioctl (bpf, netmap), poll (netmap).
1931 * Grant the relevant access rights, sorted by name.
1933 cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ);
1934 if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
1936 error("unable to limit pcap descriptor");
1938 if (cap_ioctls_limit(pcap_fileno(pd), cmds,
1939 sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
1940 error("unable to limit ioctls on pcap descriptor");
1946 /* Do not exceed the default PATH_MAX for files. */
1947 dumpinfo.CurrentFileName = (char *)malloc(PATH_MAX + 1);
1949 if (dumpinfo.CurrentFileName == NULL)
1950 error("malloc of dumpinfo.CurrentFileName");
1952 /* We do not need numbering for dumpfiles if Cflag isn't set. */
1954 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars);
1956 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);
1958 p = pcap_dump_open(pd, dumpinfo.CurrentFileName);
1959 #ifdef HAVE_LIBCAP_NG
1960 /* Give up CAP_DAC_OVERRIDE capability.
1961 * Only allow it to be restored if the -C or -G flag have been
1962 * set since we may need to create more files later on.
1966 (Cflag || Gflag ? 0 : CAPNG_PERMITTED)
1970 capng_apply(CAPNG_SELECT_BOTH);
1971 #endif /* HAVE_LIBCAP_NG */
1973 error("%s", pcap_geterr(pd));
1974 #ifdef HAVE_CAPSICUM
1975 set_dumper_capsicum_rights(p);
1977 if (Cflag != 0 || Gflag != 0) {
1978 #ifdef HAVE_CAPSICUM
1979 dumpinfo.WFileName = strdup(basename(WFileName));
1980 dumpinfo.dirfd = open(dirname(WFileName),
1981 O_DIRECTORY | O_RDONLY);
1982 if (dumpinfo.dirfd < 0) {
1983 error("unable to open directory %s",
1984 dirname(WFileName));
1986 cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL,
1987 CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE);
1988 if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 &&
1990 error("unable to limit directory rights");
1992 if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 &&
1994 error("unable to limit dump descriptor fcntls");
1996 #else /* !HAVE_CAPSICUM */
1997 dumpinfo.WFileName = WFileName;
1999 callback = dump_packet_and_trunc;
2002 pcap_userdata = (u_char *)&dumpinfo;
2004 callback = dump_packet;
2005 pcap_userdata = (u_char *)p;
2007 #ifdef HAVE_PCAP_DUMP_FLUSH
2012 type = pcap_datalink(pd);
2013 printinfo = get_print_info(type);
2014 callback = print_packet;
2015 pcap_userdata = (u_char *)&printinfo;
2018 #ifdef SIGNAL_REQ_INFO
2020 * We can't get statistics when reading from a file rather
2021 * than capturing from a device.
2023 if (RFileName == NULL)
2024 (void)setsignal(SIGNAL_REQ_INFO, requestinfo);
2027 if (vflag > 0 && WFileName) {
2029 * When capturing to a file, "-v" means tcpdump should,
2030 * every 10 secodns, "v"erbosely report the number of
2033 #ifdef USE_WIN32_MM_TIMER
2034 /* call verbose_stats_dump() each 1000 +/-100msec */
2035 timer_id = timeSetEvent(1000, 100, verbose_stats_dump, 0, TIME_PERIODIC);
2036 setvbuf(stderr, NULL, _IONBF, 0);
2037 #elif defined(HAVE_ALARM)
2038 (void)setsignal(SIGALRM, verbose_stats_dump);
2044 if (RFileName == NULL) {
2046 * Live capture (if -V was specified, we set RFileName
2047 * to a file from the -V file). Print a message to
2048 * the standard error on UN*X.
2050 if (!vflag && !WFileName) {
2051 (void)fprintf(stderr,
2052 "%s: verbose output suppressed, use -v or -vv for full protocol decode\n",
2055 (void)fprintf(stderr, "%s: ", program_name);
2056 dlt = pcap_datalink(pd);
2057 dlt_name = pcap_datalink_val_to_name(dlt);
2058 if (dlt_name == NULL) {
2059 (void)fprintf(stderr, "listening on %s, link-type %u, capture size %u bytes\n",
2060 device, dlt, snaplen);
2062 (void)fprintf(stderr, "listening on %s, link-type %s (%s), capture size %u bytes\n",
2064 pcap_datalink_val_to_description(dlt), snaplen);
2066 (void)fflush(stderr);
2071 cansandbox = (VFileName == NULL && zflag == NULL);
2072 #ifdef HAVE_CAPSICUM
2073 cansandbox = (cansandbox && (nflag || capdns != NULL));
2075 cansandbox = (cansandbox && nflag);
2077 if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
2078 error("unable to enter the capability mode");
2079 #endif /* __FreeBSD__ */
2082 status = pcap_loop(pd, cnt, callback, pcap_userdata);
2083 if (WFileName == NULL) {
2085 * We're printing packets. Flush the printed output,
2086 * so it doesn't get intermingled with error output.
2090 * We got interrupted, so perhaps we didn't
2091 * manage to finish a line we were printing.
2092 * Print an extra newline, just in case.
2096 (void)fflush(stdout);
2100 * We got interrupted. If we are reading multiple
2101 * files (via -V) set these so that we stop.
2110 (void)fprintf(stderr, "%s: pcap_loop: %s\n",
2111 program_name, pcap_geterr(pd));
2113 if (RFileName == NULL) {
2115 * We're doing a live capture. Report the capture
2121 if (VFileName != NULL) {
2122 ret = get_next_file(VFile, VFileLine);
2124 RFileName = VFileLine;
2125 pd = pcap_open_offline(RFileName, ebuf);
2128 #ifdef HAVE_CAPSICUM
2129 cap_rights_init(&rights, CAP_READ);
2130 if (cap_rights_limit(fileno(pcap_file(pd)),
2131 &rights) < 0 && errno != ENOSYS) {
2132 error("unable to limit pcap descriptor");
2135 new_dlt = pcap_datalink(pd);
2136 if (WFileName && new_dlt != dlt)
2137 error("%s: new dlt does not match original", RFileName);
2138 printinfo = get_print_info(new_dlt);
2139 dlt_name = pcap_datalink_val_to_name(new_dlt);
2140 if (dlt_name == NULL) {
2141 fprintf(stderr, "reading from file %s, link-type %u\n",
2142 RFileName, new_dlt);
2145 "reading from file %s, link-type %s (%s)\n",
2146 RFileName, dlt_name,
2147 pcap_datalink_val_to_description(new_dlt));
2149 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0)
2150 error("%s", pcap_geterr(pd));
2151 if (pcap_setfilter(pd, &fcode) < 0)
2152 error("%s", pcap_geterr(pd));
2156 while (ret != NULL);
2159 exit(status == -1 ? 1 : 0);
2162 /* make a clean exit on interrupts */
2164 cleanup(int signo _U_)
2166 #ifdef USE_WIN32_MM_TIMER
2168 timeKillEvent(timer_id);
2170 #elif defined(HAVE_ALARM)
2174 #ifdef HAVE_PCAP_BREAKLOOP
2176 * We have "pcap_breakloop()"; use it, so that we do as little
2177 * as possible in the signal handler (it's probably not safe
2178 * to do anything with standard I/O streams in a signal handler -
2179 * the ANSI C standard doesn't say it is).
2184 * We don't have "pcap_breakloop()"; this isn't safe, but
2185 * it's the best we can do. Print the summary if we're
2186 * not reading from a savefile - i.e., if we're doing a
2187 * live capture - and exit.
2189 if (pd != NULL && pcap_file(pd) == NULL) {
2191 * We got interrupted, so perhaps we didn't
2192 * manage to finish a line we were printing.
2193 * Print an extra newline, just in case.
2196 (void)fflush(stdout);
2204 On windows, we do not use a fork, so we do not care less about
2205 waiting a child processes to die
2207 #if defined(HAVE_FORK) || defined(HAVE_VFORK)
2209 child_cleanup(int signo _U_)
2213 #endif /* HAVE_FORK && HAVE_VFORK */
2216 info(register int verbose)
2218 struct pcap_stat stat;
2221 * Older versions of libpcap didn't set ps_ifdrop on some
2222 * platforms; initialize it to 0 to handle that.
2225 if (pcap_stats(pd, &stat) < 0) {
2226 (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd));
2232 fprintf(stderr, "%s: ", program_name);
2234 (void)fprintf(stderr, "%u packet%s captured", packets_captured,
2235 PLURAL_SUFFIX(packets_captured));
2237 fputs(", ", stderr);
2240 (void)fprintf(stderr, "%u packet%s received by filter", stat.ps_recv,
2241 PLURAL_SUFFIX(stat.ps_recv));
2243 fputs(", ", stderr);
2246 (void)fprintf(stderr, "%u packet%s dropped by kernel", stat.ps_drop,
2247 PLURAL_SUFFIX(stat.ps_drop));
2248 if (stat.ps_ifdrop != 0) {
2250 fputs(", ", stderr);
2253 (void)fprintf(stderr, "%u packet%s dropped by interface\n",
2254 stat.ps_ifdrop, PLURAL_SUFFIX(stat.ps_ifdrop));
2260 #if defined(HAVE_FORK) || defined(HAVE_VFORK)
2262 compress_savefile(const char *filename)
2271 * Set to lowest priority so that this doesn't disturb the capture
2274 setpriority(PRIO_PROCESS, 0, NZERO - 1);
2276 setpriority(PRIO_PROCESS, 0, 19);
2278 if (execlp(zflag, zflag, filename, (char *)NULL) == -1)
2280 "compress_savefile:execlp(%s, %s): %s\n",
2290 #else /* HAVE_FORK && HAVE_VFORK */
2292 compress_savefile(const char *filename)
2295 "compress_savefile failed. Functionality not implemented under your system\n");
2297 #endif /* HAVE_FORK && HAVE_VFORK */
2300 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
2302 struct dump_info *dump_info;
2308 dump_info = (struct dump_info *)user;
2311 * XXX - this won't force the file to rotate on the specified time
2312 * boundary, but it will rotate on the first packet received after the
2313 * specified Gflag number of seconds. Note: if a Gflag time boundary
2314 * and a Cflag size boundary coincide, the time rotation will occur
2315 * first thereby cancelling the Cflag boundary (since the file should
2319 /* Check if it is time to rotate */
2322 /* Get the current time */
2323 if ((t = time(NULL)) == (time_t)-1) {
2324 error("dump_and_trunc_packet: can't get current_time: %s",
2325 pcap_strerror(errno));
2329 /* If the time is greater than the specified window, rotate */
2330 if (t - Gflag_time >= Gflag) {
2331 #ifdef HAVE_CAPSICUM
2336 /* Update the Gflag_time */
2338 /* Update Gflag_count */
2341 * Close the current file and open a new one.
2343 pcap_dump_close(dump_info->p);
2346 * Compress the file we just closed, if the user asked for it
2349 compress_savefile(dump_info->CurrentFileName);
2352 * Check to see if we've exceeded the Wflag (when
2355 if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) {
2356 (void)fprintf(stderr, "Maximum file limit reached: %d\n",
2361 if (dump_info->CurrentFileName != NULL)
2362 free(dump_info->CurrentFileName);
2363 /* Allocate space for max filename + \0. */
2364 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1);
2365 if (dump_info->CurrentFileName == NULL)
2366 error("dump_packet_and_trunc: malloc");
2368 * Gflag was set otherwise we wouldn't be here. Reset the count
2369 * so multiple files would end with 1,2,3 in the filename.
2370 * The counting is handled with the -C flow after this.
2375 * This is always the first file in the Cflag
2377 * We also don't need numbering if Cflag is not set.
2380 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0,
2383 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0);
2385 #ifdef HAVE_LIBCAP_NG
2386 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2387 capng_apply(CAPNG_SELECT_BOTH);
2388 #endif /* HAVE_LIBCAP_NG */
2389 #ifdef HAVE_CAPSICUM
2390 fd = openat(dump_info->dirfd,
2391 dump_info->CurrentFileName,
2392 O_CREAT | O_WRONLY | O_TRUNC, 0644);
2394 error("unable to open file %s",
2395 dump_info->CurrentFileName);
2397 fp = fdopen(fd, "w");
2399 error("unable to fdopen file %s",
2400 dump_info->CurrentFileName);
2402 dump_info->p = pcap_dump_fopen(dump_info->pd, fp);
2403 #else /* !HAVE_CAPSICUM */
2404 dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName);
2406 #ifdef HAVE_LIBCAP_NG
2407 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2408 capng_apply(CAPNG_SELECT_BOTH);
2409 #endif /* HAVE_LIBCAP_NG */
2410 if (dump_info->p == NULL)
2411 error("%s", pcap_geterr(pd));
2412 #ifdef HAVE_CAPSICUM
2413 set_dumper_capsicum_rights(dump_info->p);
2419 * XXX - this won't prevent capture files from getting
2420 * larger than Cflag - the last packet written to the
2421 * file could put it over Cflag.
2424 long size = pcap_dump_ftell(dump_info->p);
2427 error("ftell fails on output file");
2429 #ifdef HAVE_CAPSICUM
2435 * Close the current file and open a new one.
2437 pcap_dump_close(dump_info->p);
2440 * Compress the file we just closed, if the user
2444 compress_savefile(dump_info->CurrentFileName);
2448 if (Cflag_count >= Wflag)
2451 if (dump_info->CurrentFileName != NULL)
2452 free(dump_info->CurrentFileName);
2453 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1);
2454 if (dump_info->CurrentFileName == NULL)
2455 error("dump_packet_and_trunc: malloc");
2456 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars);
2457 #ifdef HAVE_LIBCAP_NG
2458 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2459 capng_apply(CAPNG_SELECT_BOTH);
2460 #endif /* HAVE_LIBCAP_NG */
2461 #ifdef HAVE_CAPSICUM
2462 fd = openat(dump_info->dirfd, dump_info->CurrentFileName,
2463 O_CREAT | O_WRONLY | O_TRUNC, 0644);
2465 error("unable to open file %s",
2466 dump_info->CurrentFileName);
2468 fp = fdopen(fd, "w");
2470 error("unable to fdopen file %s",
2471 dump_info->CurrentFileName);
2473 dump_info->p = pcap_dump_fopen(dump_info->pd, fp);
2474 #else /* !HAVE_CAPSICUM */
2475 dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName);
2477 #ifdef HAVE_LIBCAP_NG
2478 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2479 capng_apply(CAPNG_SELECT_BOTH);
2480 #endif /* HAVE_LIBCAP_NG */
2481 if (dump_info->p == NULL)
2482 error("%s", pcap_geterr(pd));
2483 #ifdef HAVE_CAPSICUM
2484 set_dumper_capsicum_rights(dump_info->p);
2489 pcap_dump((u_char *)dump_info->p, h, sp);
2490 #ifdef HAVE_PCAP_DUMP_FLUSH
2492 pcap_dump_flush(dump_info->p);
2501 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
2507 pcap_dump(user, h, sp);
2508 #ifdef HAVE_PCAP_DUMP_FLUSH
2510 pcap_dump_flush((pcap_dumper_t *)user);
2519 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
2521 struct print_info *print_info;
2523 netdissect_options *ndo;
2529 print_info = (struct print_info *)user;
2530 ndo = print_info->ndo;
2532 if(ndo->ndo_packet_number)
2533 ND_PRINT((ndo, "%5u ", packets_captured));
2535 ts_print(ndo, &h->ts);
2538 * Some printers want to check that they're not walking off the
2539 * end of the packet.
2540 * Rather than pass it all the way down, we set this member
2541 * of the netdissect_options structure.
2543 ndo->ndo_snapend = sp + h->caplen;
2545 if(print_info->ndo_type) {
2546 hdrlen = (*print_info->p.ndo_printer)(print_info->ndo, h, sp);
2548 hdrlen = (*print_info->p.printer)(h, sp);
2552 * Restore the original snapend, as a printer might have
2555 ndo->ndo_snapend = sp + h->caplen;
2556 if (ndo->ndo_Xflag) {
2558 * Print the raw packet data in hex and ASCII.
2560 if (ndo->ndo_Xflag > 1) {
2562 * Include the link-layer header.
2564 hex_and_ascii_print(ndo, "\n\t", sp, h->caplen);
2567 * Don't include the link-layer header - and if
2568 * we have nothing past the link-layer header,
2571 if (h->caplen > hdrlen)
2572 hex_and_ascii_print(ndo, "\n\t", sp + hdrlen,
2573 h->caplen - hdrlen);
2575 } else if (ndo->ndo_xflag) {
2577 * Print the raw packet data in hex.
2579 if (ndo->ndo_xflag > 1) {
2581 * Include the link-layer header.
2583 hex_print(ndo, "\n\t", sp, h->caplen);
2586 * Don't include the link-layer header - and if
2587 * we have nothing past the link-layer header,
2590 if (h->caplen > hdrlen)
2591 hex_print(ndo, "\n\t", sp + hdrlen,
2592 h->caplen - hdrlen);
2594 } else if (ndo->ndo_Aflag) {
2596 * Print the raw packet data in ASCII.
2598 if (ndo->ndo_Aflag > 1) {
2600 * Include the link-layer header.
2602 ascii_print(ndo, sp, h->caplen);
2605 * Don't include the link-layer header - and if
2606 * we have nothing past the link-layer header,
2609 if (h->caplen > hdrlen)
2610 ascii_print(ndo, sp + hdrlen, h->caplen - hdrlen);
2623 * XXX - there should really be libpcap calls to get the version
2624 * number as a string (the string would be generated from #defines
2625 * at run time, so that it's not generated from string constants
2626 * in the library, as, on many UNIX systems, those constants would
2627 * be statically linked into the application executable image, and
2628 * would thus reflect the version of libpcap on the system on
2629 * which the application was *linked*, not the system on which it's
2632 * That routine should be documented, unlike the "version[]"
2633 * string, so that UNIX vendors providing their own libpcaps
2634 * don't omit it (as a couple of vendors have...).
2636 * Packet.dll should perhaps also export a routine to return the
2637 * version number of the Packet.dll code, to supply the
2638 * "Wpcap_version" information on Windows.
2640 char WDversion[]="current-git.tcpdump.org";
2641 #if !defined(HAVE_GENERATED_VERSION)
2642 char version[]="current-git.tcpdump.org";
2644 char pcap_version[]="current-git.tcpdump.org";
2645 char Wpcap_version[]="3.1";
2649 * By default, print the specified data out in hex and ASCII.
2652 ndo_default_print(netdissect_options *ndo, const u_char *bp, u_int length)
2654 hex_and_ascii_print(ndo, "\n\t", bp, length); /* pass on lf and indentation string */
2658 default_print(const u_char *bp, u_int length)
2660 ndo_default_print(gndo, bp, length);
2663 #ifdef SIGNAL_REQ_INFO
2664 RETSIGTYPE requestinfo(int signo _U_)
2674 * Called once each second in verbose mode while dumping to file
2676 #ifdef USE_WIN32_MM_TIMER
2677 void CALLBACK verbose_stats_dump (UINT timer_id _U_, UINT msg _U_, DWORD_PTR arg _U_,
2678 DWORD_PTR dw1 _U_, DWORD_PTR dw2 _U_)
2680 struct pcap_stat stat;
2682 if (infodelay == 0 && pcap_stats(pd, &stat) >= 0)
2683 fprintf(stderr, "Got %u\r", packets_captured);
2685 #elif defined(HAVE_ALARM)
2686 static void verbose_stats_dump(int sig _U_)
2688 struct pcap_stat stat;
2690 if (infodelay == 0 && pcap_stats(pd, &stat) >= 0)
2691 fprintf(stderr, "Got %u\r", packets_captured);
2696 USES_APPLE_DEPRECATED_API
2700 extern char version[];
2701 #ifndef HAVE_PCAP_LIB_VERSION
2702 #if defined(WIN32) || defined(HAVE_PCAP_VERSION)
2703 extern char pcap_version[];
2704 #else /* defined(WIN32) || defined(HAVE_PCAP_VERSION) */
2705 static char pcap_version[] = "unknown";
2706 #endif /* defined(WIN32) || defined(HAVE_PCAP_VERSION) */
2707 #endif /* HAVE_PCAP_LIB_VERSION */
2709 #ifdef HAVE_PCAP_LIB_VERSION
2711 (void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version);
2713 (void)fprintf(stderr, "%s version %s\n", program_name, version);
2715 (void)fprintf(stderr, "%s\n",pcap_lib_version());
2716 #else /* HAVE_PCAP_LIB_VERSION */
2718 (void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version);
2719 (void)fprintf(stderr, "WinPcap version %s, based on libpcap version %s\n",Wpcap_version, pcap_version);
2721 (void)fprintf(stderr, "%s version %s\n", program_name, version);
2722 (void)fprintf(stderr, "libpcap version %s\n", pcap_version);
2724 #endif /* HAVE_PCAP_LIB_VERSION */
2726 #if defined(HAVE_LIBCRYPTO) && defined(SSLEAY_VERSION)
2727 (void)fprintf (stderr, "%s\n", SSLeay_version(SSLEAY_VERSION));
2731 (void)fprintf (stderr, "SMI-library: %s\n", smi_version_string);
2740 (void)fprintf(stderr,
2741 "Usage: %s [-aAbd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqRStu" U_FLAG "vxX#]" B_FLAG_USAGE " [ -c count ]\n", program_name);
2742 (void)fprintf(stderr,
2743 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n");
2744 (void)fprintf(stderr,
2745 "\t\t[ -i interface ]" j_FLAG_USAGE " [ -M secret ] [ --number ]\n");
2746 #ifdef HAVE_PCAP_SETDIRECTION
2747 (void)fprintf(stderr,
2748 "\t\t[ -Q in|out|inout ]\n");
2750 (void)fprintf(stderr,
2751 "\t\t[ -r file ] [ -s snaplen ] ");
2752 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
2753 (void)fprintf(stderr, "[ --time-stamp-precision precision ]\n");
2754 (void)fprintf(stderr,
2757 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
2758 (void)fprintf(stderr, "[ --immediate-mode ] ");
2760 (void)fprintf(stderr, "[ -T type ] [ --version ] [ -V file ]\n");
2761 (void)fprintf(stderr,
2762 "\t\t[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]\n");
2763 (void)fprintf(stderr,
2764 "\t\t[ -Z user ] [ expression ]\n");
2771 ndo_error(netdissect_options *ndo _U_, const char *fmt, ...)
2775 (void)fprintf(stderr, "%s: ", program_name);
2777 (void)vfprintf(stderr, fmt, ap);
2781 if (fmt[-1] != '\n')
2782 (void)fputc('\n', stderr);
2790 ndo_warning(netdissect_options *ndo _U_, const char *fmt, ...)
2794 (void)fprintf(stderr, "%s: WARNING: ", program_name);
2796 (void)vfprintf(stderr, fmt, ap);
2800 if (fmt[-1] != '\n')
2801 (void)fputc('\n', stderr);
2806 * c-style: whitesmith