2 * Copyright (c) 1993, 1994, 1995, 1996, 1998
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
24 static const char rcsid[] _U_ =
25 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.86.2.12 2007/06/15 17:57:27 guy Exp $ (LBL)";
32 #include <sys/param.h> /* optionally get BSD define */
34 #include <sys/timeb.h>
35 #include <sys/socket.h>
37 #include <sys/ioctl.h>
38 #include <sys/utsname.h>
45 * Make "pcap.h" not include "pcap-bpf.h"; we are going to include the
46 * native OS version, as we need "struct bpf_config" from it.
48 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
50 #include <sys/types.h>
53 * Prevent bpf.h from redefining the DLT_ values to their
54 * IFT_ values, as we're going to return the standard libpcap
55 * values, not IBM's non-standard IFT_ values.
61 #include <net/if_types.h> /* for IFT_ values */
62 #include <sys/sysconfig.h>
63 #include <sys/device.h>
64 #include <sys/cfgodm.h>
68 #define domakedev makedev64
69 #define getmajor major64
70 #define bpf_hdr bpf_hdr32
72 #define domakedev makedev
73 #define getmajor major
74 #endif /* __64BIT__ */
76 #define BPF_NAME "bpf"
78 #define DRIVER_PATH "/usr/lib/drivers"
79 #define BPF_NODE "/dev/bpf"
80 static int bpfloadedflag = 0;
81 static int odmlockid = 0;
100 #include "pcap-dag.h"
101 #endif /* HAVE_DAG_API */
103 #ifdef HAVE_OS_PROTO_H
104 #include "os-proto.h"
107 #include "gencode.h" /* for "no_optimize" */
109 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
110 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t);
111 static int pcap_set_datalink_bpf(pcap_t *p, int dlt);
114 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps)
119 * "ps_recv" counts packets handed to the filter, not packets
120 * that passed the filter. This includes packets later dropped
121 * because we ran out of buffer space.
123 * "ps_drop" counts packets dropped inside the BPF device
124 * because we ran out of buffer space. It doesn't count
125 * packets dropped by the interface driver. It counts
126 * only packets that passed the filter.
128 * Both statistics include packets not yet read from the kernel
129 * by libpcap, and thus not yet seen by the application.
131 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
132 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
133 pcap_strerror(errno));
137 ps->ps_recv = s.bs_recv;
138 ps->ps_drop = s.bs_drop;
143 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
147 register u_char *bp, *ep;
149 struct bpf_insn *fcode;
154 fcode = p->md.use_bpf ? NULL : p->fcode.bf_insns;
157 * Has "pcap_breakloop()" been called?
161 * Yes - clear the flag that indicates that it
162 * has, and return -2 to indicate that we were
163 * told to break out of the loop.
170 cc = read(p->fd, (char *)p->buffer, p->bufsize);
172 /* Don't choke when we get ptraced */
181 * Sigh. More AIX wonderfulness.
183 * For some unknown reason the uiomove()
184 * operation in the bpf kernel extension
185 * used to copy the buffer into user
186 * space sometimes returns EFAULT. I have
187 * no idea why this is the case given that
188 * a kernel debugger shows the user buffer
189 * is correct. This problem appears to
190 * be mostly mitigated by the memset of
191 * the buffer before it is first used.
192 * Very strange.... Shaun Clowes
194 * In any case this means that we shouldn't
195 * treat EFAULT as a fatal error; as we
196 * don't have an API for returning
197 * a "some packets were dropped since
198 * the last packet you saw" indication,
199 * we just ignore EFAULT and keep reading.
206 #if defined(sun) && !defined(BSD)
208 * Due to a SunOS bug, after 2^31 bytes, the kernel
209 * file offset overflows and read fails with EINVAL.
210 * The lseek() to 0 will fix things.
213 if (lseek(p->fd, 0L, SEEK_CUR) +
215 (void)lseek(p->fd, 0L, SEEK_SET);
221 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s",
222 pcap_strerror(errno));
230 * Loop through each packet.
232 #define bhp ((struct bpf_hdr *)bp)
238 register int caplen, hdrlen;
241 * Has "pcap_breakloop()" been called?
242 * If so, return immediately - if we haven't read any
243 * packets, clear the flag and return -2 to indicate
244 * that we were told to break out of the loop, otherwise
245 * leave the flag set, so that the *next* call will break
246 * out of the loop without having read any packets, and
247 * return the number of packets we've processed so far.
260 caplen = bhp->bh_caplen;
261 hdrlen = bhp->bh_hdrlen;
264 * Short-circuit evaluation: if using BPF filter
265 * in kernel, no need to do it now.
268 * Note: the filter code was generated assuming
269 * that p->fddipad was the amount of padding
270 * before the header, as that's what's required
271 * in the kernel, so we run the filter before
272 * skipping that padding.
276 bpf_filter(fcode, datap, bhp->bh_datalen, caplen)) {
277 struct pcap_pkthdr pkthdr;
279 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec;
282 * AIX's BPF returns seconds/nanoseconds time
283 * stamps, not seconds/microseconds time stamps.
285 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000;
287 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec;
291 pkthdr.caplen = caplen - pad;
294 if (bhp->bh_datalen > pad)
295 pkthdr.len = bhp->bh_datalen - pad;
300 pkthdr.caplen = caplen;
301 pkthdr.len = bhp->bh_datalen;
303 (*callback)(user, &pkthdr, datap);
304 bp += BPF_WORDALIGN(caplen + hdrlen);
305 if (++n >= cnt && cnt > 0) {
314 bp += BPF_WORDALIGN(caplen + hdrlen);
323 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size)
327 ret = write(p->fd, buf, size);
329 if (ret == -1 && errno == EAFNOSUPPORT) {
331 * In Mac OS X, there's a bug wherein setting the
332 * BIOCSHDRCMPLT flag causes writes to fail; see,
335 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch
337 * So, if, on OS X, we get EAFNOSUPPORT from the write, we
338 * assume it's due to that bug, and turn off that flag
339 * and try again. If we succeed, it either means that
340 * somebody applied the fix from that URL, or other patches
343 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/
345 * and are running a Darwin kernel with those fixes, or
346 * that Apple fixed the problem in some OS X release.
348 u_int spoof_eth_src = 0;
350 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
351 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
352 "send: can't turn off BIOCSHDRCMPLT: %s",
353 pcap_strerror(errno));
358 * Now try the write again.
360 ret = write(p->fd, buf, size);
362 #endif /* __APPLE__ */
364 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
365 pcap_strerror(errno));
373 bpf_odminit(char *errbuf)
377 if (odm_initialize() == -1) {
378 if (odm_err_msg(odmerrno, &errstr) == -1)
379 errstr = "Unknown error";
380 snprintf(errbuf, PCAP_ERRBUF_SIZE,
381 "bpf_load: odm_initialize failed: %s",
386 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) {
387 if (odm_err_msg(odmerrno, &errstr) == -1)
388 errstr = "Unknown error";
389 snprintf(errbuf, PCAP_ERRBUF_SIZE,
390 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s",
399 bpf_odmcleanup(char *errbuf)
403 if (odm_unlock(odmlockid) == -1) {
404 if (odm_err_msg(odmerrno, &errstr) == -1)
405 errstr = "Unknown error";
406 snprintf(errbuf, PCAP_ERRBUF_SIZE,
407 "bpf_load: odm_unlock failed: %s",
412 if (odm_terminate() == -1) {
413 if (odm_err_msg(odmerrno, &errstr) == -1)
414 errstr = "Unknown error";
415 snprintf(errbuf, PCAP_ERRBUF_SIZE,
416 "bpf_load: odm_terminate failed: %s",
425 bpf_load(char *errbuf)
429 int numminors, i, rc;
432 struct bpf_config cfg_bpf;
433 struct cfg_load cfg_ld;
434 struct cfg_kmod cfg_km;
437 * This is very very close to what happens in the real implementation
438 * but I've fixed some (unlikely) bug situations.
443 if (bpf_odminit(errbuf) != 0)
446 major = genmajor(BPF_NAME);
448 snprintf(errbuf, PCAP_ERRBUF_SIZE,
449 "bpf_load: genmajor failed: %s", pcap_strerror(errno));
453 minors = getminor(major, &numminors, BPF_NAME);
455 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1);
457 snprintf(errbuf, PCAP_ERRBUF_SIZE,
458 "bpf_load: genminor failed: %s",
459 pcap_strerror(errno));
464 if (bpf_odmcleanup(errbuf))
467 rc = stat(BPF_NODE "0", &sbuf);
468 if (rc == -1 && errno != ENOENT) {
469 snprintf(errbuf, PCAP_ERRBUF_SIZE,
470 "bpf_load: can't stat %s: %s",
471 BPF_NODE "0", pcap_strerror(errno));
475 if (rc == -1 || getmajor(sbuf.st_rdev) != major) {
476 for (i = 0; i < BPF_MINORS; i++) {
477 sprintf(buf, "%s%d", BPF_NODE, i);
479 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) {
480 snprintf(errbuf, PCAP_ERRBUF_SIZE,
481 "bpf_load: can't mknod %s: %s",
482 buf, pcap_strerror(errno));
488 /* Check if the driver is loaded */
489 memset(&cfg_ld, 0x0, sizeof(cfg_ld));
491 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME);
492 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) ||
493 (cfg_ld.kmid == 0)) {
494 /* Driver isn't loaded, load it now */
495 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) {
496 snprintf(errbuf, PCAP_ERRBUF_SIZE,
497 "bpf_load: could not load driver: %s",
503 /* Configure the driver */
504 cfg_km.cmd = CFG_INIT;
505 cfg_km.kmid = cfg_ld.kmid;
506 cfg_km.mdilen = sizeof(cfg_bpf);
507 cfg_km.mdiptr = (void *)&cfg_bpf;
508 for (i = 0; i < BPF_MINORS; i++) {
509 cfg_bpf.devno = domakedev(major, i);
510 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) {
511 snprintf(errbuf, PCAP_ERRBUF_SIZE,
512 "bpf_load: could not configure driver: %s",
525 bpf_open(pcap_t *p, char *errbuf)
528 #ifdef HAVE_CLONING_BPF
529 static const char device[] = "/dev/bpf";
532 char device[sizeof "/dev/bpf0000000000"];
537 * Load the bpf driver, if it isn't already loaded,
538 * and create the BPF device entries, if they don't
541 if (bpf_load(errbuf) == -1)
545 #ifdef HAVE_CLONING_BPF
546 if ((fd = open(device, O_RDWR)) == -1 &&
547 (errno != EACCES || (fd = open(device, O_RDONLY)) == -1))
548 snprintf(errbuf, PCAP_ERRBUF_SIZE,
549 "(cannot open device) %s: %s", device, pcap_strerror(errno));
552 * Go through all the minors and find one that isn't in use.
555 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
557 * Initially try a read/write open (to allow the inject
558 * method to work). If that fails due to permission
559 * issues, fall back to read-only. This allows a
560 * non-root user to be granted specific access to pcap
561 * capabilities via file permissions.
563 * XXX - we should have an API that has a flag that
564 * controls whether to open read-only or read-write,
565 * so that denial of permission to send (or inability
566 * to send, if sending packets isn't supported on
567 * the device in question) can be indicated at open
570 fd = open(device, O_RDWR);
571 if (fd == -1 && errno == EACCES)
572 fd = open(device, O_RDONLY);
573 } while (fd < 0 && errno == EBUSY);
576 * XXX better message for all minors used
579 snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s",
580 device, pcap_strerror(errno));
587 * We include the OS's <net/bpf.h>, not our "pcap-bpf.h", so we probably
588 * don't get DLT_DOCSIS defined.
591 #define DLT_DOCSIS 143
595 pcap_open_live(const char *device, int snaplen, int promisc, int to_ms,
600 struct bpf_version bv;
602 struct bpf_dltlist bdl;
604 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
605 u_int spoof_eth_src = 1;
609 struct bpf_insn total_insn;
610 struct bpf_program total_prog;
611 struct utsname osinfo;
614 if (strstr(device, "dag")) {
615 return dag_open_live(device, snaplen, promisc, to_ms, ebuf);
617 #endif /* HAVE_DAG_API */
620 memset(&bdl, 0, sizeof(bdl));
623 p = (pcap_t *)malloc(sizeof(*p));
625 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
626 pcap_strerror(errno));
629 memset(p, 0, sizeof(*p));
630 fd = bpf_open(p, ebuf);
635 p->snapshot = snaplen;
637 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
638 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
639 pcap_strerror(errno));
642 if (bv.bv_major != BPF_MAJOR_VERSION ||
643 bv.bv_minor < BPF_MINOR_VERSION) {
644 snprintf(ebuf, PCAP_ERRBUF_SIZE,
645 "kernel bpf filter out of date");
650 * Try finding a good size for the buffer; 32768 may be too
651 * big, so keep cutting it in half until we find a size
652 * that works, or run out of sizes to try. If the default
653 * is larger, don't make it smaller.
655 * XXX - there should be a user-accessible hook to set the
656 * initial buffer size.
658 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768)
660 for ( ; v != 0; v >>= 1) {
661 /* Ignore the return value - this is because the call fails
662 * on BPF systems that don't have kernel malloc. And if
663 * the call fails, it's no big deal, we just continue to
664 * use the standard buffer size.
666 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
668 (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
669 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
670 break; /* that size worked; we're done */
672 if (errno != ENOBUFS) {
673 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
674 device, pcap_strerror(errno));
680 snprintf(ebuf, PCAP_ERRBUF_SIZE,
681 "BIOCSBLEN: %s: No buffer size worked", device);
685 /* Get the data link layer type. */
686 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
687 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
688 pcap_strerror(errno));
693 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
716 * We don't know what to map this to yet.
718 snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
723 #if _BSDI_VERSION - 0 >= 199510
724 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
739 case 12: /*DLT_C_HDLC*/
746 p->fddipad = PCAP_FDDIPAD;
754 * We know the default link type -- now determine all the DLTs
755 * this interface supports. If this fails with EINVAL, it's
756 * not fatal; we just don't get to use the feature later.
758 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) == 0) {
762 bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * (bdl.bfl_len + 1));
763 if (bdl.bfl_list == NULL) {
764 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
765 pcap_strerror(errno));
769 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) < 0) {
770 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
771 "BIOCGDLTLIST: %s", pcap_strerror(errno));
777 * OK, for real Ethernet devices, add DLT_DOCSIS to the
778 * list, so that an application can let you choose it,
779 * in case you're capturing DOCSIS traffic that a Cisco
780 * Cable Modem Termination System is putting out onto
781 * an Ethernet (it doesn't put an Ethernet header onto
782 * the wire, it puts raw DOCSIS frames out on the wire
783 * inside the low-level Ethernet framing).
785 * A "real Ethernet device" is defined here as a device
786 * that has a link-layer type of DLT_EN10MB and that has
787 * no alternate link-layer types; that's done to exclude
788 * 802.11 interfaces (which might or might not be the
789 * right thing to do, but I suspect it is - Ethernet <->
790 * 802.11 bridges would probably badly mishandle frames
791 * that don't have Ethernet headers).
793 if (p->linktype == DLT_EN10MB) {
795 for (i = 0; i < bdl.bfl_len; i++) {
796 if (bdl.bfl_list[i] != DLT_EN10MB) {
803 * We reserved one more slot at the end of
806 bdl.bfl_list[bdl.bfl_len] = DLT_DOCSIS;
810 p->dlt_count = bdl.bfl_len;
811 p->dlt_list = bdl.bfl_list;
813 if (errno != EINVAL) {
814 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
815 "BIOCGDLTLIST: %s", pcap_strerror(errno));
822 * If this is an Ethernet device, and we don't have a DLT_ list,
823 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give
824 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to
825 * do, but there's not much we can do about that without finding
826 * some other way of determining whether it's an Ethernet or 802.11
829 if (p->linktype == DLT_EN10MB && p->dlt_count == 0) {
830 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
832 * If that fails, just leave the list empty.
834 if (p->dlt_list != NULL) {
835 p->dlt_list[0] = DLT_EN10MB;
836 p->dlt_list[1] = DLT_DOCSIS;
841 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
843 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so
844 * the link-layer source address isn't forcibly overwritten.
845 * (Should we ignore errors? Should we do this only if
846 * we're open for writing?)
848 * XXX - I seem to remember some packet-sending bug in some
849 * BSDs - check CVS log for "bpf.c"?
851 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
852 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
853 "BIOCSHDRCMPLT: %s", pcap_strerror(errno));
860 * XXX - is this seconds/nanoseconds in AIX?
861 * (Treating it as such doesn't fix the timeout
862 * problem described below.)
865 to.tv_sec = to_ms / 1000;
866 to.tv_usec = (to_ms * 1000) % 1000000;
867 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
868 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
869 pcap_strerror(errno));
877 * Darren Reed notes that
879 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
880 * timeout appears to be ignored and it waits until the buffer
881 * is filled before returning. The result of not having it
882 * set is almost worse than useless if your BPF filter
883 * is reducing things to only a few packets (i.e. one every
886 * so we turn BIOCIMMEDIATE mode on if this is AIX.
888 * We don't turn it on for other platforms, as that means we
889 * get woken up for every packet, which may not be what we want;
890 * in the Winter 1993 USENIX paper on BPF, they say:
892 * Since a process might want to look at every packet on a
893 * network and the time between packets can be only a few
894 * microseconds, it is not possible to do a read system call
895 * per packet and BPF must collect the data from several
896 * packets and return it as a unit when the monitoring
897 * application does a read.
899 * which I infer is the reason for the timeout - it means we
900 * wait that amount of time, in the hopes that more packets
901 * will arrive and we'll get them all with one read.
903 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other
904 * BSDs) causes the timeout to be ignored.
906 * On the other hand, some platforms (e.g., Linux) don't support
907 * timeouts, they just hand stuff to you as soon as it arrives;
908 * if that doesn't cause a problem on those platforms, it may
909 * be OK to have BIOCIMMEDIATE mode on BSD as well.
911 * (Note, though, that applications may depend on the read
912 * completing, even if no packets have arrived, when the timeout
913 * expires, e.g. GUI applications that have to check for input
914 * while waiting for packets to arrive; a non-zero timeout
915 * prevents "select()" from working right on FreeBSD and
916 * possibly other BSDs, as the timer doesn't start until a
917 * "read()" is done, so the timer isn't in effect if the
918 * application is blocked on a "select()", and the "select()"
919 * doesn't get woken up for a BPF device until the buffer
923 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
924 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
925 pcap_strerror(errno));
928 #endif /* BIOCIMMEDIATE */
932 /* set promiscuous mode, okay if it fails */
933 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
934 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s",
935 pcap_strerror(errno));
939 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
940 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
941 pcap_strerror(errno));
945 p->buffer = (u_char *)malloc(p->bufsize);
946 if (p->buffer == NULL) {
947 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
948 pcap_strerror(errno));
952 /* For some strange reason this seems to prevent the EFAULT
953 * problems we have experienced from AIX BPF. */
954 memset(p->buffer, 0x0, p->bufsize);
958 * If there's no filter program installed, there's
959 * no indication to the kernel of what the snapshot
960 * length should be, so no snapshotting is done.
962 * Therefore, when we open the device, we install
963 * an "accept everything" filter with the specified
966 total_insn.code = (u_short)(BPF_RET | BPF_K);
969 total_insn.k = snaplen;
971 total_prog.bf_len = 1;
972 total_prog.bf_insns = &total_insn;
973 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) {
974 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
975 pcap_strerror(errno));
980 * On most BPF platforms, either you can do a "select()" or
981 * "poll()" on a BPF file descriptor and it works correctly,
982 * or you can do it and it will return "readable" if the
983 * hold buffer is full but not if the timeout expires *and*
984 * a non-blocking read will, if the hold buffer is empty
985 * but the store buffer isn't empty, rotate the buffers
986 * and return what packets are available.
988 * In the latter case, the fact that a non-blocking read
989 * will give you the available packets means you can work
990 * around the failure of "select()" and "poll()" to wake up
991 * and return "readable" when the timeout expires by using
992 * the timeout as the "select()" or "poll()" timeout, putting
993 * the BPF descriptor into non-blocking mode, and read from
994 * it regardless of whether "select()" reports it as readable
997 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()"
998 * won't wake up and return "readable" if the timer expires
999 * and non-blocking reads return EWOULDBLOCK if the hold
1000 * buffer is empty, even if the store buffer is non-empty.
1002 * This means the workaround in question won't work.
1004 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd"
1005 * to -1, which means "sorry, you can't use 'select()' or 'poll()'
1006 * here". On all other BPF platforms, we set it to the FD for
1007 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking
1008 * read will, if the hold buffer is empty and the store buffer
1009 * isn't empty, rotate the buffers and return what packets are
1010 * there (and in sufficiently recent versions of OpenBSD
1011 * "select()" and "poll()" should work correctly).
1013 * XXX - what about AIX?
1015 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */
1016 if (uname(&osinfo) == 0) {
1018 * We can check what OS this is.
1020 if (strcmp(osinfo.sysname, "FreeBSD") == 0) {
1021 if (strncmp(osinfo.release, "4.3-", 4) == 0 ||
1022 strncmp(osinfo.release, "4.4-", 4) == 0)
1023 p->selectable_fd = -1;
1027 p->read_op = pcap_read_bpf;
1028 p->inject_op = pcap_inject_bpf;
1029 p->setfilter_op = pcap_setfilter_bpf;
1030 p->setdirection_op = pcap_setdirection_bpf;
1031 p->set_datalink_op = pcap_set_datalink_bpf;
1032 p->getnonblock_op = pcap_getnonblock_fd;
1033 p->setnonblock_op = pcap_setnonblock_fd;
1034 p->stats_op = pcap_stats_bpf;
1035 p->close_op = pcap_close_common;
1040 if (p->dlt_list != NULL)
1047 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
1050 if (dag_platform_finddevs(alldevsp, errbuf) < 0)
1052 #endif /* HAVE_DAG_API */
1058 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
1061 * It looks that BPF code generated by gen_protochain() is not
1062 * compatible with some of kernel BPF code (for example BSD/OS 3.1).
1063 * Take a safer side for now.
1067 * XXX - what if we already have a filter in the kernel?
1069 if (install_bpf_program(p, fp) < 0)
1071 p->md.use_bpf = 0; /* filtering in userland */
1076 * Free any user-mode filter we might happen to have installed.
1078 pcap_freecode(&p->fcode);
1081 * Try to install the kernel filter.
1083 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
1084 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
1085 pcap_strerror(errno));
1088 p->md.use_bpf = 1; /* filtering in the kernel */
1091 * Discard any previously-received packets, as they might have
1092 * passed whatever filter was formerly in effect, but might
1093 * not pass this filter (BIOCSETF discards packets buffered
1094 * in the kernel, so you can lose packets in any case).
1101 * Set direction flag: Which packets do we accept on a forwarding
1102 * single device? IN, OUT or both?
1105 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d)
1107 #if defined(BIOCSDIRECTION)
1110 direction = (d == PCAP_D_IN) ? BPF_D_IN :
1111 ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT);
1112 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) {
1113 (void) snprintf(p->errbuf, sizeof(p->errbuf),
1114 "Cannot set direction to %s: %s",
1115 (d == PCAP_D_IN) ? "PCAP_D_IN" :
1116 ((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"),
1121 #elif defined(BIOCSSEESENT)
1125 * We don't support PCAP_D_OUT.
1127 if (d == PCAP_D_OUT) {
1128 snprintf(p->errbuf, sizeof(p->errbuf),
1129 "Setting direction to PCAP_D_OUT is not supported on BPF");
1133 seesent = (d == PCAP_D_INOUT);
1134 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) {
1135 (void) snprintf(p->errbuf, sizeof(p->errbuf),
1136 "Cannot set direction to %s: %s",
1137 (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN",
1143 (void) snprintf(p->errbuf, sizeof(p->errbuf),
1144 "This system doesn't support BIOCSSEESENT, so the direction can't be set");
1150 pcap_set_datalink_bpf(pcap_t *p, int dlt)
1153 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) {
1154 (void) snprintf(p->errbuf, sizeof(p->errbuf),
1155 "Cannot set DLT %d: %s", dlt, strerror(errno));
projects / FreeBSD / releng / 7.2.git / blob