5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
126 #ifdef DEBUG_CHILD_DUMPCAP
127 FILE *debug_log; /* for logging debug messages to */
128 /* a file if DEBUG_CHILD_DUMPCAP */
136 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
138 static gchar *sig_pipe_name = NULL;
139 static HANDLE sig_pipe_handle = NULL;
140 static gboolean signal_pipe_check_running(void);
144 static GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
145 static GMutex *cap_pipe_read_mtx;
149 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
150 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
153 /** Stop a low-level capture (stops the capture child). */
154 static void capture_loop_stop(void);
156 #if !defined (__linux__)
157 #ifndef HAVE_PCAP_BREAKLOOP
159 * We don't have pcap_breakloop(), which is the only way to ensure that
160 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
161 * won't, if the call to read the next packet or batch of packets is
162 * is interrupted by a signal on UN*X, just go back and try again to
165 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
166 * the signal handler, set a flag to stop capturing; however, without
167 * a guarantee of that sort, we can't guarantee that we'll stop capturing
168 * if the read will be retried and won't time out if no packets arrive.
170 * Therefore, on at least some platforms, we work around the lack of
171 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
172 * to wait for packets to arrive, so that we're probably going to be
173 * blocked in the select() when the signal arrives, and can just bail
174 * out of the loop at that point.
176 * However, we don't want to do that on BSD (because "select()" doesn't work
177 * correctly on BPF devices on at least some releases of some flavors of
178 * BSD), and we don't want to do it on Windows (because "select()" is
179 * something for sockets, not for arbitrary handles). (Note that "Windows"
180 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
181 * using WinPcap, not a UNIX libpcap.)
183 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
184 * on BSD times out even if no packets have arrived, so we'll eventually
185 * exit pcap_dispatch() with an indication that no packets have arrived,
186 * and will break out of the capture loop at that point.
188 * On Windows, we can't send a SIGINT to stop capturing, so none of this
189 * applies in any case.
191 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
192 * want to include it if it's not present on this platform, however.
194 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
195 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
197 # define MUST_DO_SELECT
198 # endif /* avoid select */
199 #endif /* HAVE_PCAP_BREAKLOOP */
201 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
202 * in pcap_dispatch(); on the other hand, select() works just fine there.
203 * Hence we use a select for that come what may.
205 #define MUST_DO_SELECT
208 /** init the capture filter */
211 INITFILTER_BAD_FILTER,
212 INITFILTER_OTHER_ERROR
213 } initfilter_status_t;
215 typedef struct _loop_data {
217 gboolean go; /* TRUE as long as we're supposed to keep capturing */
218 int err; /* if non-zero, error seen while capturing */
219 gint packet_count; /* Number of packets we have already captured */
220 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
221 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
223 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
226 /* pcap "input file" */
227 pcap_t *pcap_h; /* pcap handle */
228 gboolean pcap_err; /* TRUE if error from pcap */
229 #ifdef MUST_DO_SELECT
230 int pcap_fd; /* pcap file descriptor */
233 /* capture pipe (unix only "input file") */
234 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
235 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
236 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
238 HANDLE cap_pipe_h; /* The handle of the capture pipe */
240 int cap_pipe_fd; /* the file descriptor of the capture pipe */
242 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
243 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
245 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
246 #endif /* USE_THREADS */
247 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
248 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
250 STATE_EXPECT_REC_HDR,
255 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 guint32 autostop_files;
267 * Standard secondary message for unexpected errors.
269 static const char please_report[] =
270 "Please report this to the Wireshark developers.\n"
271 "(This is not a crash; please do not report it as such.)";
274 * This needs to be static, so that the SIGINT handler can clear the "go"
277 static loop_data global_ld;
281 * Timeout, in milliseconds, for reads from the stream of captured packets
282 * from a capture device.
284 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
285 * 64-bit applications, with sub-second timeouts not to work. The bug is
286 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
288 #if defined(__APPLE__) && defined(__LP64__)
289 static gboolean need_timeout_workaround;
291 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
293 #define CAP_READ_TIMEOUT 250
297 * Timeout, in microseconds, for reads from the stream of captured packets
298 * from a pipe. Pipes don't have the same problem that BPF devices do
299 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
300 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
301 * of the offending versions of Snow Leopard.
303 * On Windows this value is converted to milliseconds and passed to
304 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
305 * will return immediately.
308 #define PIPE_READ_TIMEOUT 250000
310 #define PIPE_READ_TIMEOUT 100000
312 static const char *cap_pipe_err_str;
315 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
316 const char *message, gpointer user_data _U_);
318 /* capture related options */
319 static capture_options global_capture_opts;
320 static gboolean quiet = FALSE;
322 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
324 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
325 int err, gboolean is_close);
327 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
329 static void report_new_capture_file(const char *filename);
330 static void report_packet_count(int packet_count);
331 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
332 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
333 static void report_cfilter_error(const char *cfilter, const char *errmsg);
335 #define MSG_MAX_LENGTH 4096
338 print_usage(gboolean print_ver)
345 "Dumpcap " VERSION "%s\n"
346 "Capture network packets and dump them into a libpcap file.\n"
347 "See http://www.wireshark.org for more information.\n",
348 wireshark_svnversion);
352 fprintf(output, "\nUsage: dumpcap [options] ...\n");
353 fprintf(output, "\n");
354 fprintf(output, "Capture interface:\n");
355 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
356 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
357 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
358 fprintf(output, " -p don't capture in promiscuous mode\n");
359 #ifdef HAVE_PCAP_CREATE
360 fprintf(output, " -I capture in monitor mode, if available\n");
362 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
363 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
365 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
366 fprintf(output, " -D print list of interfaces and exit\n");
367 fprintf(output, " -L print list of link-layer types of iface and exit\n");
368 #ifdef HAVE_BPF_IMAGE
369 fprintf(output, " -d print generated BPF code for capture filter\n");
371 fprintf(output, " -S print statistics for each interface once every second\n");
372 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
373 fprintf(output, "\n");
374 #ifdef HAVE_PCAP_REMOTE
375 fprintf(output, "\nRPCAP options:\n");
376 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
377 fprintf(output, " -u use UDP for RPCAP data transfer\n");
378 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
379 #ifdef HAVE_PCAP_SETSAMPLING
380 fprintf(output, " -m <sampling type> use packet sampling\n");
381 fprintf(output, " count:NUM - capture one packet of every NUM\n");
382 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
385 fprintf(output, "Stop conditions:\n");
386 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
387 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
388 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
389 fprintf(output, " files:NUM - stop after NUM files\n");
390 /*fprintf(output, "\n");*/
391 fprintf(output, "Output (files):\n");
392 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
393 fprintf(output, " -g enable group read access on the output file(s)\n");
394 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
395 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
396 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
397 fprintf(output, " -n use pcapng format instead of pcap\n");
398 /*fprintf(output, "\n");*/
399 fprintf(output, "Miscellaneous:\n");
400 fprintf(output, " -q don't report packet capture counts\n");
401 fprintf(output, " -v print version information and exit\n");
402 fprintf(output, " -h display this help and exit\n");
403 fprintf(output, "\n");
404 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
405 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
406 fprintf(output, "\n");
407 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
411 show_version(GString *comp_info_str, GString *runtime_info_str)
414 "Dumpcap " VERSION "%s\n"
419 "See http://www.wireshark.org for more information.\n",
420 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
424 * Print to the standard error. This is a command-line tool, so there's
425 * no need to pop up a console.
428 vfprintf_stderr(const char *fmt, va_list ap)
430 vfprintf(stderr, fmt, ap);
434 fprintf_stderr(const char *fmt, ...)
439 vfprintf_stderr(fmt, ap);
444 * Report an error in command-line arguments.
447 cmdarg_err(const char *fmt, ...)
453 /* Generate a 'special format' message back to parent */
455 msg = g_strdup_vprintf(fmt, ap);
456 sync_pipe_errmsg_to_parent(2, msg, "");
461 fprintf(stderr, "dumpcap: ");
462 vfprintf(stderr, fmt, ap);
463 fprintf(stderr, "\n");
469 * Report additional information for an error in command-line arguments.
472 cmdarg_err_cont(const char *fmt, ...)
479 msg = g_strdup_vprintf(fmt, ap);
480 sync_pipe_errmsg_to_parent(2, msg, "");
485 vfprintf(stderr, fmt, ap);
486 fprintf(stderr, "\n");
493 #if 0 /* Set to enable capability debugging */
494 /* see 'man cap_to_text()' for explanation of output */
495 /* '=' means 'all= ' ie: no capabilities */
496 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
498 print_caps(const char *pfx) {
499 cap_t caps = cap_get_proc();
500 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
501 "%s: EUID: %d Capabilities: %s", pfx,
502 geteuid(), cap_to_text(caps, NULL));
505 print_caps(const char *pfx _U_) {
510 relinquish_all_capabilities(void)
512 /* Drop any and all capabilities this process may have. */
513 /* Allowed whether or not process has any privileges. */
514 cap_t caps = cap_init(); /* all capabilities initialized to off */
515 print_caps("Pre-clear");
516 if (cap_set_proc(caps)) {
517 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
519 print_caps("Post-clear");
525 open_capture_device(capture_options *capture_opts,
526 char (*open_err_str)[PCAP_ERRBUF_SIZE])
529 #ifdef HAVE_PCAP_CREATE
532 #ifdef HAVE_PCAP_REMOTE
533 struct pcap_rmtauth auth;
536 /* Open the network interface to capture from it.
537 Some versions of libpcap may put warnings into the error buffer
538 if they succeed; to tell if that's happened, we have to clear
539 the error buffer, and check if it's still a null string. */
540 (*open_err_str)[0] = '\0';
541 #ifdef HAVE_PCAP_OPEN
543 * If we're opening a remote device, use pcap_open(); that's currently
544 * the only open routine that supports remote devices.
546 if (strncmp (capture_opts->iface, "rpcap://", 8) == 0) {
547 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
548 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
549 auth.username = capture_opts->auth_username;
550 auth.password = capture_opts->auth_password;
552 pcap_h = pcap_open(capture_opts->iface,
553 capture_opts->has_snaplen ? capture_opts->snaplen :
554 WTAP_MAX_PACKET_SIZE,
556 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
557 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
558 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
559 CAP_READ_TIMEOUT, &auth, *open_err_str);
561 #endif /* HAVE_PCAP_OPEN */
564 * If we're not opening a remote device, use pcap_create() and
565 * pcap_activate() if we have them, so that we can set the buffer
566 * size, otherwise use pcap_open_live().
568 #ifdef HAVE_PCAP_CREATE
569 pcap_h = pcap_create(capture_opts->iface, *open_err_str);
570 if (pcap_h != NULL) {
571 pcap_set_snaplen(pcap_h, capture_opts->has_snaplen ? capture_opts->snaplen : WTAP_MAX_PACKET_SIZE);
572 pcap_set_promisc(pcap_h, capture_opts->promisc_mode);
573 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
575 if (capture_opts->buffer_size > 1) {
576 pcap_set_buffer_size(pcap_h, capture_opts->buffer_size * 1024 * 1024);
578 if (capture_opts->monitor_mode)
579 pcap_set_rfmon(pcap_h, 1);
580 err = pcap_activate(pcap_h);
582 /* Failed to activate, set to NULL */
583 if (err == PCAP_ERROR)
584 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
586 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
592 pcap_h = pcap_open_live(capture_opts->iface,
593 capture_opts->has_snaplen ? capture_opts->snaplen :
594 WTAP_MAX_PACKET_SIZE,
595 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
600 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
601 /* to remove any suid privileges. */
602 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
603 /* (euid/egid have already previously been set to ruid/rgid. */
604 /* (See comment in main() for details) */
606 relinquish_special_privs_perm();
608 relinquish_all_capabilities();
615 get_capture_device_open_failure_messages(const char *open_err_str,
621 char *errmsg, size_t errmsg_len,
622 char *secondary_errmsg,
623 size_t secondary_errmsg_len)
625 const char *libpcap_warn;
626 static const char ppamsg[] = "can't find PPA for ";
628 /* If we got a "can't find PPA for X" message, warn the user (who
629 is running dumcap on HP-UX) that they don't have a version of
630 libpcap that properly handles HP-UX (libpcap 0.6.x and later
631 versions, which properly handle HP-UX, say "can't find /dev/dlpi
632 PPA for X" rather than "can't find PPA for X"). */
633 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
636 "You are running (T)Wireshark with a version of the libpcap library\n"
637 "that doesn't handle HP-UX network devices well; this means that\n"
638 "(T)Wireshark may not be able to capture packets.\n"
640 "To fix this, you should install libpcap 0.6.2, or a later version\n"
641 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
642 "packaged binary form from the Software Porting And Archive Centre\n"
643 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
644 "at the URL lists a number of mirror sites.";
647 g_snprintf(errmsg, (gulong) errmsg_len,
648 "The capture session could not be initiated (%s).", open_err_str);
650 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
651 "Please check to make sure you have sufficient permissions, and that you have "
652 "the proper interface or pipe specified.%s", libpcap_warn);
654 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
656 "Please check that \"%s\" is the proper interface.\n"
659 "Help can be found at:\n"
661 " http://wiki.wireshark.org/WinPcap\n"
662 " http://wiki.wireshark.org/CaptureSetup\n",
667 /* Set the data link type on a pcap. */
669 set_pcap_linktype(pcap_t *pcap_h, capture_options *capture_opts,
670 char *errmsg, size_t errmsg_len,
671 char *secondary_errmsg, size_t secondary_errmsg_len)
673 char *set_linktype_err_str;
675 if (capture_opts->linktype == -1)
676 return TRUE; /* just use the default */
677 #ifdef HAVE_PCAP_SET_DATALINK
678 if (pcap_set_datalink(pcap_h, capture_opts->linktype) == 0)
679 return TRUE; /* no error */
680 set_linktype_err_str = pcap_geterr(pcap_h);
682 /* Let them set it to the type it is; reject any other request. */
683 if (get_pcap_linktype(pcap_h, capture_opts->iface) == capture_opts->linktype)
684 return TRUE; /* no error */
685 set_linktype_err_str =
686 "That DLT isn't one of the DLTs supported by this device";
688 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
689 set_linktype_err_str);
691 * If the error isn't "XXX is not one of the DLTs supported by this device",
692 * tell the user to tell the Wireshark developers about it.
694 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
695 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
697 secondary_errmsg[0] = '\0';
702 compile_capture_filter(const char *iface, pcap_t *pcap_h,
703 struct bpf_program *fcode, char *cfilter)
705 bpf_u_int32 netnum, netmask;
706 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
708 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
710 * Well, we can't get the netmask for this interface; it's used
711 * only for filters that check for broadcast IP addresses, so
712 * we just punt and use 0. It might be nice to warn the user,
713 * but that's a pain in a GUI application, as it'd involve popping
714 * up a message box, and it's not clear how often this would make
715 * a difference (only filters that check for IP broadcast addresses
719 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
722 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
727 #ifdef HAVE_BPF_IMAGE
729 show_filter_code(capture_options *capture_opts)
732 gchar open_err_str[PCAP_ERRBUF_SIZE];
733 char errmsg[MSG_MAX_LENGTH+1];
734 char secondary_errmsg[MSG_MAX_LENGTH+1];
735 struct bpf_program fcode;
736 struct bpf_insn *insn;
739 pcap_h = open_capture_device(capture_opts, &open_err_str);
740 if (pcap_h == NULL) {
741 /* Open failed; get messages */
742 get_capture_device_open_failure_messages(open_err_str,
744 errmsg, sizeof errmsg,
746 sizeof secondary_errmsg);
747 /* And report them */
748 report_capture_error(errmsg, secondary_errmsg);
752 /* Set the link-layer type. */
753 if (!set_pcap_linktype(pcap_h, capture_opts, errmsg, sizeof errmsg,
754 secondary_errmsg, sizeof secondary_errmsg)) {
756 report_capture_error(errmsg, secondary_errmsg);
760 /* OK, try to compile the capture filter. */
761 if (!compile_capture_filter(capture_opts->iface, pcap_h, &fcode,
762 capture_opts->cfilter)) {
764 report_cfilter_error(capture_opts->cfilter, errmsg);
770 /* Let our parent know we succeeded. */
771 pipe_write_block(2, SP_SUCCESS, NULL);
774 /* Now print the filter code. */
775 insn = fcode.bf_insns;
777 for (i = 0; i < fcode.bf_len; insn++, i++)
778 printf("%s\n", bpf_image(insn, i));
784 * capture_interface_list() is expected to do the right thing to get
785 * a list of interfaces.
787 * In most of the programs in the Wireshark suite, "the right thing"
788 * is to run dumpcap and ask it for the list, because dumpcap may
789 * be the only program in the suite with enough privileges to get
792 * In dumpcap itself, however, we obviously can't run dumpcap to
793 * ask for the list. Therefore, our capture_interface_list() should
794 * just call get_interface_list().
797 capture_interface_list(int *err, char **err_str)
799 return get_interface_list(err, err_str);
803 * Get the data-link type for a libpcap device.
804 * This works around AIX 5.x's non-standard and incompatible-with-the-
805 * rest-of-the-universe libpcap.
808 get_pcap_linktype(pcap_t *pch, const char *devname
816 const char *ifacename;
819 linktype = pcap_datalink(pch);
823 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
824 * rather than DLT_ values for link-layer types; the ifType values
825 * for LAN devices are:
832 * and the ifType value for a loopback device is 24.
834 * The AIX names for LAN devices begin with:
841 * and the AIX names for loopback devices begin with "lo".
843 * (The difference between "Ethernet" and "802.3" is presumably
844 * whether packets have an Ethernet header, with a packet type,
845 * or an 802.3 header, with a packet length, followed by an 802.2
846 * header and possibly a SNAP header.)
848 * If the device name matches "linktype" interpreted as an ifType
849 * value, rather than as a DLT_ value, we will assume this is AIX's
850 * non-standard, incompatible libpcap, rather than a standard libpcap,
851 * and will map the link-layer type to the standard DLT_ value for
852 * that link-layer type, as that's what the rest of Wireshark expects.
854 * (This means the capture files won't be readable by a tcpdump
855 * linked with AIX's non-standard libpcap, but so it goes. They
856 * *will* be readable by standard versions of tcpdump, Wireshark,
859 * XXX - if we conclude we're using AIX libpcap, should we also
860 * set a flag to cause us to assume the time stamps are in
861 * seconds-and-nanoseconds form, and to convert them to
862 * seconds-and-microseconds form before processing them and
867 * Find the last component of the device name, which is the
870 ifacename = strchr(devname, '/');
871 if (ifacename == NULL)
874 /* See if it matches any of the LAN device names. */
875 if (strncmp(ifacename, "en", 2) == 0) {
878 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
882 } else if (strncmp(ifacename, "et", 2) == 0) {
885 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
886 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
891 } else if (strncmp(ifacename, "tr", 2) == 0) {
894 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
895 * DLT_IEEE802, which is what's used for Token Ring.
899 } else if (strncmp(ifacename, "fi", 2) == 0) {
900 if (linktype == 15) {
902 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
906 } else if (strncmp(ifacename, "lo", 2) == 0) {
907 if (linktype == 24) {
909 * That's the RFC 1573 value for "software loopback" devices; map it
910 * to DLT_NULL, which is what's used for loopback devices on BSD.
920 static data_link_info_t *
921 create_data_link_info(int dlt)
923 data_link_info_t *data_link_info;
926 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
927 data_link_info->dlt = dlt;
928 text = pcap_datalink_val_to_name(dlt);
930 data_link_info->name = g_strdup(text);
932 data_link_info->name = g_strdup_printf("DLT %d", dlt);
933 text = pcap_datalink_val_to_description(dlt);
935 data_link_info->description = g_strdup(text);
937 data_link_info->description = NULL;
938 return data_link_info;
942 * Get the capabilities of a network device.
944 static if_capabilities_t *
945 get_if_capabilities(const char *devname, gboolean monitor_mode
946 #ifndef HAVE_PCAP_CREATE
951 if_capabilities_t *caps;
952 char errbuf[PCAP_ERRBUF_SIZE];
954 #ifdef HAVE_PCAP_CREATE
958 #ifdef HAVE_PCAP_LIST_DATALINKS
962 data_link_info_t *data_link_info;
965 * Allocate the interface capabilities structure.
967 caps = g_malloc(sizeof *caps);
969 #ifdef HAVE_PCAP_OPEN
970 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
971 caps->can_set_rfmon = FALSE;
974 *err_str = g_strdup(errbuf);
978 #elif defined(HAVE_PCAP_CREATE)
979 pch = pcap_create(devname, errbuf);
982 *err_str = g_strdup(errbuf);
986 status = pcap_can_set_rfmon(pch);
989 if (status == PCAP_ERROR)
990 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
993 *err_str = g_strdup(pcap_statustostr(status));
999 caps->can_set_rfmon = FALSE;
1000 else if (status == 1) {
1001 caps->can_set_rfmon = TRUE;
1003 pcap_set_rfmon(pch, 1);
1005 if (err_str != NULL) {
1006 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1014 status = pcap_activate(pch);
1016 /* Error. We ignore warnings (status > 0). */
1017 if (err_str != NULL) {
1018 if (status == PCAP_ERROR)
1019 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1022 *err_str = g_strdup(pcap_statustostr(status));
1029 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1030 caps->can_set_rfmon = FALSE;
1032 if (err_str != NULL)
1033 *err_str = g_strdup(errbuf);
1038 deflt = get_pcap_linktype(pch, devname);
1039 #ifdef HAVE_PCAP_LIST_DATALINKS
1040 nlt = pcap_list_datalinks(pch, &linktypes);
1041 if (nlt == 0 || linktypes == NULL) {
1043 if (err_str != NULL)
1044 *err_str = NULL; /* an empty list doesn't mean an error */
1047 caps->data_link_types = NULL;
1048 for (i = 0; i < nlt; i++) {
1049 data_link_info = create_data_link_info(linktypes[i]);
1052 * XXX - for 802.11, make the most detailed 802.11
1053 * version the default, rather than the one the
1054 * device has as the default?
1056 if (linktypes[i] == deflt)
1057 caps->data_link_types = g_list_prepend(caps->data_link_types,
1060 caps->data_link_types = g_list_append(caps->data_link_types,
1063 #ifdef HAVE_PCAP_FREE_DATALINKS
1064 pcap_free_datalinks(linktypes);
1067 * In Windows, there's no guarantee that if you have a library
1068 * built with one version of the MSVC++ run-time library, and
1069 * it returns a pointer to allocated data, you can free that
1070 * data from a program linked with another version of the
1071 * MSVC++ run-time library.
1073 * This is not an issue on UN*X.
1075 * See the mail threads starting at
1077 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1081 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1084 #define xx_free free /* hack so checkAPIs doesn't complain */
1087 #endif /* HAVE_PCAP_FREE_DATALINKS */
1088 #else /* HAVE_PCAP_LIST_DATALINKS */
1090 data_link_info = create_data_link_info(deflt);
1091 caps->data_link_types = g_list_append(caps->data_link_types,
1093 #endif /* HAVE_PCAP_LIST_DATALINKS */
1097 if (err_str != NULL)
1102 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1104 print_machine_readable_interfaces(GList *if_list)
1111 char addr_str[ADDRSTRLEN];
1113 if (capture_child) {
1114 /* Let our parent know we succeeded. */
1115 pipe_write_block(2, SP_SUCCESS, NULL);
1118 i = 1; /* Interface id number */
1119 for (if_entry = g_list_first(if_list); if_entry != NULL;
1120 if_entry = g_list_next(if_entry)) {
1121 if_info = (if_info_t *)if_entry->data;
1122 printf("%d. %s", i++, if_info->name);
1125 * Print the contents of the if_entry struct in a parseable format.
1126 * Each if_entry element is tab-separated. Addresses are comma-
1129 /* XXX - Make sure our description doesn't contain a tab */
1130 if (if_info->description != NULL)
1131 printf("\t%s\t", if_info->description);
1135 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1136 addr = g_slist_next(addr)) {
1137 if (addr != g_slist_nth(if_info->addrs, 0))
1140 if_addr = (if_addr_t *)addr->data;
1141 switch(if_addr->ifat_type) {
1143 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1145 printf("%s", addr_str);
1147 printf("<unknown IPv4>");
1151 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1152 addr_str, ADDRSTRLEN)) {
1153 printf("%s", addr_str);
1155 printf("<unknown IPv6>");
1159 printf("<type unknown %u>", if_addr->ifat_type);
1163 if (if_info->loopback)
1164 printf("\tloopback");
1166 printf("\tnetwork");
1173 * If you change the machine-readable output format of this function,
1174 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1177 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1180 data_link_info_t *data_link_info;
1181 const gchar *desc_str;
1183 if (capture_child) {
1184 /* Let our parent know we succeeded. */
1185 pipe_write_block(2, SP_SUCCESS, NULL);
1188 if (caps->can_set_rfmon)
1192 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1193 lt_entry = g_list_next(lt_entry)) {
1194 data_link_info = (data_link_info_t *)lt_entry->data;
1195 if (data_link_info->description != NULL)
1196 desc_str = data_link_info->description;
1198 desc_str = "(not supported)";
1199 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1209 /* Print the number of packets captured for each interface until we're killed. */
1211 print_statistics_loop(gboolean machine_readable)
1213 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1219 char errbuf[PCAP_ERRBUF_SIZE];
1220 struct pcap_stat ps;
1222 if_list = get_interface_list(&err, &err_str);
1223 if (if_list == NULL) {
1225 case CANT_GET_INTERFACE_LIST:
1226 cmdarg_err("%s", err_str);
1230 case NO_INTERFACES_FOUND:
1231 cmdarg_err("There are no interfaces on which a capture can be done");
1237 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1238 if_info = (if_info_t *)if_entry->data;
1239 #ifdef HAVE_PCAP_OPEN
1240 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1242 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1246 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1247 if_stat->name = g_strdup(if_info->name);
1249 stat_list = g_list_append(stat_list, if_stat);
1254 cmdarg_err("There are no interfaces on which a capture can be done");
1258 if (capture_child) {
1259 /* Let our parent know we succeeded. */
1260 pipe_write_block(2, SP_SUCCESS, NULL);
1263 if (!machine_readable) {
1264 printf("%-15s %10s %10s\n", "Interface", "Received",
1268 global_ld.go = TRUE;
1269 while (global_ld.go) {
1270 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1271 if_stat = (if_stat_t *)stat_entry->data;
1272 pcap_stats(if_stat->pch, &ps);
1274 if (!machine_readable) {
1275 printf("%-15s %10u %10u\n", if_stat->name,
1276 ps.ps_recv, ps.ps_drop);
1278 printf("%s\t%u\t%u\n", if_stat->name,
1279 ps.ps_recv, ps.ps_drop);
1284 if (! global_ld.from_cap_pipe)
1291 /* XXX - Not reached. Should we look for 'q' in stdin? */
1292 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1293 if_stat = (if_stat_t *)stat_entry->data;
1294 pcap_close(if_stat->pch);
1295 g_free(if_stat->name);
1298 g_list_free(stat_list);
1299 free_interface_list(if_list);
1307 capture_cleanup_handler(DWORD dwCtrlType)
1309 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1310 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1311 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1312 like SIGTERM at least when the machine's shutting down.
1314 For now, if we're running as a command rather than a capture child,
1315 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1316 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1317 in that way on UN*X.
1319 If we're not running as a capture child, we might be running as
1320 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1321 user logs out. (XXX - can we explicitly check whether we're
1322 running as a service?) */
1324 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1325 "Console: Control signal");
1326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1327 "Console: Control signal, CtrlType: %u", dwCtrlType);
1329 /* Keep capture running if we're a service and a user logs off */
1330 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1331 capture_loop_stop();
1339 capture_cleanup_handler(int signum _U_)
1341 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1342 SIGTERM. We assume that if the user wanted it to keep running
1343 after they logged out, they'd have nohupped it. */
1345 /* Note: don't call g_log() in the signal handler: if we happened to be in
1346 * g_log() in process context when the signal came in, g_log will detect
1347 * the "recursion" and abort.
1350 capture_loop_stop();
1356 report_capture_count(void)
1358 /* Don't print this if we're a capture child. */
1359 if (!capture_child) {
1361 /* Report the count only if we aren't printing a packet count
1362 as packets arrive. */
1363 fprintf(stderr, "Packets captured: %u\n", global_ld.packet_count);
1364 /* stderr could be line buffered */
1373 report_counts_for_siginfo(void)
1375 report_capture_count();
1376 infoprint = FALSE; /* we just reported it */
1380 report_counts_siginfo(int signum _U_)
1382 int sav_errno = errno;
1384 /* If we've been told to delay printing, just set a flag asking
1385 that we print counts (if we're supposed to), otherwise print
1386 the count of packets captured (if we're supposed to). */
1390 report_counts_for_siginfo();
1393 #endif /* SIGINFO */
1396 exit_main(int status)
1399 /* Shutdown windows sockets */
1402 /* can be helpful for debugging */
1403 #ifdef DEBUG_DUMPCAP
1404 printf("Press any key\n");
1415 * If we were linked with libcap (not libpcap), make sure we have
1416 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1417 * (See comment in main() for details)
1420 relinquish_privs_except_capture(void)
1422 /* If 'started_with_special_privs' (ie: suid) then enable for
1423 * ourself the NET_ADMIN and NET_RAW capabilities and then
1424 * drop our suid privileges.
1426 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1427 * stuff we don't need (and shouldn't have).
1428 * CAP_NET_RAW: Packet capture (raw sockets).
1431 if (started_with_special_privs()) {
1432 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1433 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1435 cap_t caps = cap_init(); /* all capabilities initialized to off */
1437 print_caps("Pre drop, pre set");
1439 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1440 cmdarg_err("prctl() fail return: %s", strerror(errno));
1443 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1444 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1446 if (cap_set_proc(caps)) {
1447 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1449 print_caps("Pre drop, post set");
1451 relinquish_special_privs_perm();
1453 print_caps("Post drop, pre set");
1454 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1455 if (cap_set_proc(caps)) {
1456 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1458 print_caps("Post drop, post set");
1464 #endif /* HAVE_LIBCAP */
1466 /* Take care of byte order in the libpcap headers read from pipes.
1467 * (function taken from wiretap/libpcap.c) */
1469 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1472 /* Byte-swap the record header fields. */
1473 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1474 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1475 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1476 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1479 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1480 swapped, in order to match the BPF header layout.
1482 Unfortunately, some files were, according to a comment in the "libpcap"
1483 source, written with version 2.3 in their headers but without the
1484 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1485 would make no sense - we assume that we need to swap them. */
1486 if (hdr->version_major == 2 &&
1487 (hdr->version_minor < 3 ||
1488 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1491 temp = rechdr->orig_len;
1492 rechdr->orig_len = rechdr->incl_len;
1493 rechdr->incl_len = temp;
1499 * Thread function that reads from a pipe and pushes the data
1500 * to the main application thread.
1503 * XXX Right now we use async queues for basic signaling. The main thread
1504 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1505 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1506 * Iff the read is successful cap_pipe_read pushes an item onto
1507 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1508 * the queues themselves (yet).
1510 * We might want to move some of the cap_pipe_dispatch logic here so that
1511 * we can let cap_pipe_read run independently, queuing up multiple reads
1512 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1514 static void *cap_pipe_read(void *ld_ptr)
1516 loop_data *ld = (loop_data *)ld_ptr;
1525 while (ld->cap_pipe_err == PIPOK) {
1526 g_async_queue_pop(cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1527 g_mutex_lock(cap_pipe_read_mtx);
1529 while (bytes_read < (int) ld->cap_pipe_bytes_to_read) {
1531 /* If we try to use read() on a named pipe on Windows with partial
1532 * data it appears to return EOF.
1534 res = ReadFile(ld->cap_pipe_h, ld->cap_pipe_buf+bytes_read,
1535 ld->cap_pipe_bytes_to_read - bytes_read,
1540 last_err = GetLastError();
1541 if (last_err == ERROR_MORE_DATA) {
1543 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1544 ld->cap_pipe_err = PIPEOF;
1548 ld->cap_pipe_err = PIPERR;
1551 } else if (b == 0 && ld->cap_pipe_bytes_to_read > 0) {
1552 ld->cap_pipe_err = PIPEOF;
1557 b = read(ld->cap_pipe_fd, ld->cap_pipe_buf+bytes_read,
1558 ld->cap_pipe_bytes_to_read - bytes_read);
1561 ld->cap_pipe_err = PIPEOF;
1565 ld->cap_pipe_err = PIPERR;
1574 ld->cap_pipe_bytes_read = bytes_read;
1575 if (ld->cap_pipe_bytes_read >= ld->cap_pipe_bytes_to_read) {
1576 g_async_queue_push(cap_pipe_done_q, ld->cap_pipe_buf); /* Any non-NULL value will do */
1578 g_mutex_unlock(cap_pipe_read_mtx);
1582 #endif /* USE_THREADS */
1584 /* Provide select() functionality for a single file descriptor
1585 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1587 * Returns the same values as select. If an error is returned,
1588 * the string cap_pipe_err_str should be used instead of errno.
1591 cap_pipe_select(int pipe_fd)
1594 struct timeval timeout;
1597 cap_pipe_err_str = "Unknown error";
1600 FD_SET(pipe_fd, &rfds);
1602 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1603 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1605 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1607 cap_pipe_err_str = strerror(errno);
1612 /* Mimic pcap_open_live() for pipe captures
1614 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1615 * open it, and read the header.
1617 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1618 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1620 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1621 char *errmsg, int errmsgl)
1624 ws_statb64 pipe_stat;
1625 struct sockaddr_un sa;
1628 unsigned int bytes_read;
1639 ld->cap_pipe_fd = -1;
1641 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
1643 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1646 * XXX - this blocks until a pcap per-file header has been written to
1647 * the pipe, so it could block indefinitely.
1649 if (strcmp(pipename, "-") == 0) {
1651 fd = 0; /* read from stdin */
1653 ld->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1657 if (ws_stat64(pipename, &pipe_stat) < 0) {
1658 if (errno == ENOENT || errno == ENOTDIR)
1659 ld->cap_pipe_err = PIPNEXIST;
1661 g_snprintf(errmsg, errmsgl,
1662 "The capture session could not be initiated "
1663 "due to error getting information on pipe/socket: %s", strerror(errno));
1664 ld->cap_pipe_err = PIPERR;
1668 if (S_ISFIFO(pipe_stat.st_mode)) {
1669 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1671 g_snprintf(errmsg, errmsgl,
1672 "The capture session could not be initiated "
1673 "due to error on pipe open: %s", strerror(errno));
1674 ld->cap_pipe_err = PIPERR;
1677 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1678 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1680 g_snprintf(errmsg, errmsgl,
1681 "The capture session could not be initiated "
1682 "due to error on socket create: %s", strerror(errno));
1683 ld->cap_pipe_err = PIPERR;
1686 sa.sun_family = AF_UNIX;
1688 * The Single UNIX Specification says:
1690 * The size of sun_path has intentionally been left undefined.
1691 * This is because different implementations use different sizes.
1692 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1693 * of 104. Since most implementations originate from BSD versions,
1694 * the size is typically in the range 92 to 108.
1696 * Applications should not assume a particular length for sun_path
1697 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1701 * The <sys/un.h> header shall define the sockaddr_un structure,
1702 * which shall include at least the following members:
1704 * sa_family_t sun_family Address family.
1705 * char sun_path[] Socket pathname.
1707 * so we assume that it's an array, with a specified size,
1708 * and that the size reflects the maximum path length.
1710 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1711 /* Path name too long */
1712 g_snprintf(errmsg, errmsgl,
1713 "The capture session coud not be initiated "
1714 "due to error on socket connect: Path name too long");
1715 ld->cap_pipe_err = PIPERR;
1718 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1720 g_snprintf(errmsg, errmsgl,
1721 "The capture session coud not be initiated "
1722 "due to error on socket connect: %s", strerror(errno));
1723 ld->cap_pipe_err = PIPERR;
1727 if (S_ISCHR(pipe_stat.st_mode)) {
1729 * Assume the user specified an interface on a system where
1730 * interfaces are in /dev. Pretend we haven't seen it.
1732 ld->cap_pipe_err = PIPNEXIST;
1735 g_snprintf(errmsg, errmsgl,
1736 "The capture session could not be initiated because\n"
1737 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1738 ld->cap_pipe_err = PIPERR;
1743 #define PIPE_STR "\\pipe\\"
1744 /* Under Windows, named pipes _must_ have the form
1745 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1747 pncopy = g_strdup(pipename);
1748 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1749 pos = strchr(pncopy + 3, '\\');
1750 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1757 g_snprintf(errmsg, errmsgl,
1758 "The capture session could not be initiated because\n"
1759 "\"%s\" is neither an interface nor a pipe", pipename);
1760 ld->cap_pipe_err = PIPNEXIST;
1764 /* Wait for the pipe to appear */
1766 ld->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1767 OPEN_EXISTING, 0, NULL);
1769 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE)
1772 if (GetLastError() != ERROR_PIPE_BUSY) {
1773 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1774 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1775 g_snprintf(errmsg, errmsgl,
1776 "The capture session on \"%s\" could not be started "
1777 "due to error on pipe open: %s (error %d)",
1778 pipename, utf_16to8(err_str), GetLastError());
1780 ld->cap_pipe_err = PIPERR;
1784 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1785 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1786 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1787 g_snprintf(errmsg, errmsgl,
1788 "The capture session on \"%s\" timed out during "
1789 "pipe open: %s (error %d)",
1790 pipename, utf_16to8(err_str), GetLastError());
1792 ld->cap_pipe_err = PIPERR;
1799 ld->from_cap_pipe = TRUE;
1802 /* read the pcap header */
1804 while (bytes_read < sizeof magic) {
1805 sel_ret = cap_pipe_select(fd);
1807 g_snprintf(errmsg, errmsgl,
1808 "Unexpected error from select: %s", strerror(errno));
1810 } else if (sel_ret > 0) {
1811 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1814 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1816 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1823 #else /* USE_THREADS */
1824 g_thread_create(&cap_pipe_read, ld, FALSE, NULL);
1826 ld->cap_pipe_buf = (char *) &magic;
1827 ld->cap_pipe_bytes_read = 0;
1828 ld->cap_pipe_bytes_to_read = sizeof(magic);
1829 /* We don't have to worry about cap_pipe_read_mtx here */
1830 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1831 g_async_queue_pop(cap_pipe_done_q);
1832 if (ld->cap_pipe_bytes_read <= 0) {
1833 if (ld->cap_pipe_bytes_read == 0)
1834 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1836 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1841 #endif /* USE_THREADS */
1845 /* Host that wrote it has our byte order, and was running
1846 a program using either standard or ss990417 libpcap. */
1847 ld->cap_pipe_byte_swapped = FALSE;
1848 ld->cap_pipe_modified = FALSE;
1850 case PCAP_MODIFIED_MAGIC:
1851 /* Host that wrote it has our byte order, but was running
1852 a program using either ss990915 or ss991029 libpcap. */
1853 ld->cap_pipe_byte_swapped = FALSE;
1854 ld->cap_pipe_modified = TRUE;
1856 case PCAP_SWAPPED_MAGIC:
1857 /* Host that wrote it has a byte order opposite to ours,
1858 and was running a program using either standard or
1859 ss990417 libpcap. */
1860 ld->cap_pipe_byte_swapped = TRUE;
1861 ld->cap_pipe_modified = FALSE;
1863 case PCAP_SWAPPED_MODIFIED_MAGIC:
1864 /* Host that wrote it out has a byte order opposite to
1865 ours, and was running a program using either ss990915
1866 or ss991029 libpcap. */
1867 ld->cap_pipe_byte_swapped = TRUE;
1868 ld->cap_pipe_modified = TRUE;
1871 /* Not a "libpcap" type we know about. */
1872 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1877 /* Read the rest of the header */
1879 while (bytes_read < sizeof(struct pcap_hdr)) {
1880 sel_ret = cap_pipe_select(fd);
1882 g_snprintf(errmsg, errmsgl,
1883 "Unexpected error from select: %s", strerror(errno));
1885 } else if (sel_ret > 0) {
1886 b = read(fd, ((char *)hdr)+bytes_read,
1887 sizeof(struct pcap_hdr) - bytes_read);
1890 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1892 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1899 #else /* USE_THREADS */
1900 ld->cap_pipe_buf = (char *) hdr;
1901 ld->cap_pipe_bytes_read = 0;
1902 ld->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1903 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1904 g_async_queue_pop(cap_pipe_done_q);
1905 if (ld->cap_pipe_bytes_read <= 0) {
1906 if (ld->cap_pipe_bytes_read == 0)
1907 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1909 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1913 #endif /* USE_THREADS */
1915 if (ld->cap_pipe_byte_swapped) {
1916 /* Byte-swap the header fields about which we care. */
1917 hdr->version_major = BSWAP16(hdr->version_major);
1918 hdr->version_minor = BSWAP16(hdr->version_minor);
1919 hdr->snaplen = BSWAP32(hdr->snaplen);
1920 hdr->network = BSWAP32(hdr->network);
1922 ld->linktype = hdr->network;
1924 if (hdr->version_major < 2) {
1925 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1929 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1930 ld->cap_pipe_err = PIPOK;
1932 ld->cap_pipe_fd = fd;
1937 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1938 ld->cap_pipe_err = PIPERR;
1941 ld->cap_pipe_fd = -1;
1948 /* We read one record from the pipe, take care of byte order in the record
1949 * header, write the record to the capture file, and update capture statistics. */
1951 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1953 struct pcap_pkthdr phdr;
1954 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1966 #ifdef LOG_CAPTURE_VERBOSE
1967 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1970 switch (ld->cap_pipe_state) {
1972 case STATE_EXPECT_REC_HDR:
1974 if (g_mutex_trylock(cap_pipe_read_mtx)) {
1977 ld->cap_pipe_state = STATE_READ_REC_HDR;
1978 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1979 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1980 ld->cap_pipe_bytes_read = 0;
1983 ld->cap_pipe_buf = (char *) &ld->cap_pipe_rechdr;
1984 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1985 g_mutex_unlock(cap_pipe_read_mtx);
1990 case STATE_READ_REC_HDR:
1992 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1993 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1996 result = PD_PIPE_EOF;
1998 result = PD_PIPE_ERR;
2001 ld->cap_pipe_bytes_read += b;
2002 #else /* USE_THREADS */
2003 g_get_current_time(&wait_time);
2004 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2005 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2006 if (ld->cap_pipe_err == PIPEOF) {
2007 result = PD_PIPE_EOF;
2009 } else if (ld->cap_pipe_err == PIPERR) {
2010 result = PD_PIPE_ERR;
2016 #endif /* USE_THREADS */
2017 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2019 result = PD_REC_HDR_READ;
2022 case STATE_EXPECT_DATA:
2024 if (g_mutex_trylock(cap_pipe_read_mtx)) {
2027 ld->cap_pipe_state = STATE_READ_DATA;
2028 ld->cap_pipe_bytes_to_read = ld->cap_pipe_rechdr.hdr.incl_len;
2029 ld->cap_pipe_bytes_read = 0;
2032 ld->cap_pipe_buf = (char *) data;
2033 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
2034 g_mutex_unlock(cap_pipe_read_mtx);
2039 case STATE_READ_DATA:
2041 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
2042 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
2045 result = PD_PIPE_EOF;
2047 result = PD_PIPE_ERR;
2050 ld->cap_pipe_bytes_read += b;
2051 #else /* USE_THREADS */
2052 g_get_current_time(&wait_time);
2053 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2054 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2055 if (ld->cap_pipe_err == PIPEOF) {
2056 result = PD_PIPE_EOF;
2058 } else if (ld->cap_pipe_err == PIPERR) {
2059 result = PD_PIPE_ERR;
2065 #endif /* USE_THREADS */
2066 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2068 result = PD_DATA_READ;
2072 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2075 } /* switch (ld->cap_pipe_state) */
2078 * We've now read as much data as we were expecting, so process it.
2082 case PD_REC_HDR_READ:
2083 /* We've read the header. Take care of byte order. */
2084 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
2085 &ld->cap_pipe_rechdr.hdr);
2086 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2087 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2088 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
2091 ld->cap_pipe_state = STATE_EXPECT_DATA;
2095 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2096 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
2097 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
2098 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
2099 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
2101 capture_loop_packet_cb((u_char *)ld, &phdr, data);
2103 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
2107 ld->cap_pipe_err = PIPEOF;
2112 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2113 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2114 g_snprintf(errmsg, errmsgl,
2115 "Error reading from pipe: %s (error %d)",
2116 utf_16to8(err_str), GetLastError());
2119 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2127 ld->cap_pipe_err = PIPERR;
2128 /* Return here rather than inside the switch to prevent GCC warning */
2133 /** Open the capture input file (pcap or capture pipe).
2134 * Returns TRUE if it succeeds, FALSE otherwise. */
2136 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2137 char *errmsg, size_t errmsg_len,
2138 char *secondary_errmsg, size_t secondary_errmsg_len)
2140 gchar open_err_str[PCAP_ERRBUF_SIZE];
2141 gchar *sync_msg_str;
2144 gchar *sync_secondary_msg_str;
2145 WORD wVersionRequested;
2149 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
2152 /* XXX - opening Winsock on tshark? */
2154 /* Initialize Windows Socket if we are in a WIN32 OS
2155 This needs to be done before querying the interface for network/netmask */
2157 /* XXX - do we really require 1.1 or earlier?
2158 Are there any versions that support only 2.0 or higher? */
2159 wVersionRequested = MAKEWORD(1, 1);
2160 err = WSAStartup(wVersionRequested, &wsaData);
2164 case WSASYSNOTREADY:
2165 g_snprintf(errmsg, (gulong) errmsg_len,
2166 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2169 case WSAVERNOTSUPPORTED:
2170 g_snprintf(errmsg, (gulong) errmsg_len,
2171 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2172 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2175 case WSAEINPROGRESS:
2176 g_snprintf(errmsg, (gulong) errmsg_len,
2177 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2181 g_snprintf(errmsg, (gulong) errmsg_len,
2182 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2186 g_snprintf(errmsg, (gulong) errmsg_len,
2187 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2191 g_snprintf(errmsg, (gulong) errmsg_len,
2192 "Couldn't initialize Windows Sockets: error %d", err);
2195 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2200 ld->pcap_h = open_capture_device(capture_opts, &open_err_str);
2202 if (ld->pcap_h != NULL) {
2203 /* we've opened "iface" as a network device */
2205 /* try to set the capture buffer size */
2206 if (capture_opts->buffer_size > 1 &&
2207 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
2208 sync_secondary_msg_str = g_strdup_printf(
2209 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2210 "the default of 1MB will be used.\n"
2212 "Nonetheless, the capture is started.\n",
2213 capture_opts->buffer_size);
2214 report_capture_error("Couldn't set the capture buffer size!",
2215 sync_secondary_msg_str);
2216 g_free(sync_secondary_msg_str);
2220 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
2221 if ((capture_opts->sampling_method != CAPTURE_SAMP_NONE) &&
2222 (strncmp (capture_opts->iface, "rpcap://", 8) == 0))
2224 struct pcap_samp *samp;
2226 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
2228 switch (capture_opts->sampling_method)
2230 case CAPTURE_SAMP_BY_COUNT:
2231 samp->method = PCAP_SAMP_1_EVERY_N;
2234 case CAPTURE_SAMP_BY_TIMER:
2235 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2239 sync_msg_str = g_strdup_printf(
2240 "Unknown sampling method %d specified,\n"
2241 "continue without packet sampling",
2242 capture_opts->sampling_method);
2243 report_capture_error("Couldn't set the capture "
2244 "sampling", sync_msg_str);
2245 g_free(sync_msg_str);
2247 samp->value = capture_opts->sampling_param;
2251 report_capture_error("Couldn't set the capture sampling",
2252 "Cannot get packet sampling data structure");
2258 /* setting the data link type only works on real interfaces */
2259 if (!set_pcap_linktype(ld->pcap_h, capture_opts, errmsg, errmsg_len,
2260 secondary_errmsg, secondary_errmsg_len))
2262 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
2264 /* We couldn't open "iface" as a network device. */
2265 /* Try to open it as a pipe */
2266 cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
2269 if (ld->cap_pipe_fd == -1)
2271 if (ld->cap_pipe_h == INVALID_HANDLE_VALUE)
2274 if (ld->cap_pipe_err == PIPNEXIST) {
2275 /* Pipe doesn't exist, so output message for interface */
2276 get_capture_device_open_failure_messages(open_err_str,
2277 capture_opts->iface,
2281 secondary_errmsg_len);
2284 * Else pipe (or file) does exist and cap_pipe_open_live() has
2289 /* cap_pipe_open_live() succeeded; don't want
2290 error message from pcap_open_live() */
2291 open_err_str[0] = '\0';
2294 /* XXX - will this work for tshark? */
2295 #ifdef MUST_DO_SELECT
2296 if (!ld->from_cap_pipe) {
2297 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2298 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
2300 ld->pcap_fd = pcap_fileno(ld->pcap_h);
2305 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2306 returned a warning; print it, but keep capturing. */
2307 if (open_err_str[0] != '\0') {
2308 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2309 report_capture_error(sync_msg_str, "");
2310 g_free(sync_msg_str);
2316 /* close the capture input file (pcap or capture pipe) */
2317 static void capture_loop_close_input(loop_data *ld)
2319 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2321 /* if open, close the capture pipe "input file" */
2323 if (ld->cap_pipe_fd >= 0) {
2324 g_assert(ld->from_cap_pipe);
2325 ws_close(ld->cap_pipe_fd);
2326 ld->cap_pipe_fd = 0;
2329 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE) {
2330 CloseHandle(ld->cap_pipe_h);
2331 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
2335 /* if open, close the pcap "input file" */
2336 if(ld->pcap_h != NULL) {
2337 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)ld->pcap_h);
2338 g_assert(!ld->from_cap_pipe);
2339 pcap_close(ld->pcap_h);
2346 /* Shut down windows sockets */
2352 /* init the capture filter */
2353 static initfilter_status_t
2354 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2355 gchar * iface, gchar * cfilter)
2357 struct bpf_program fcode;
2359 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2361 /* capture filters only work on real interfaces */
2362 if (cfilter && !from_cap_pipe) {
2363 /* A capture filter was specified; set it up. */
2364 if (!compile_capture_filter(iface, pcap_h, &fcode, cfilter)) {
2365 /* Treat this specially - our caller might try to compile this
2366 as a display filter and, if that succeeds, warn the user that
2367 the display and capture filter syntaxes are different. */
2368 return INITFILTER_BAD_FILTER;
2370 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2371 #ifdef HAVE_PCAP_FREECODE
2372 pcap_freecode(&fcode);
2374 return INITFILTER_OTHER_ERROR;
2376 #ifdef HAVE_PCAP_FREECODE
2377 pcap_freecode(&fcode);
2381 return INITFILTER_NO_ERROR;
2385 /* set up to write to the already-opened capture output file/files */
2387 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2391 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2394 if (ld->from_cap_pipe) {
2395 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
2398 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
2401 /* Set up to write to the capture file. */
2402 if (capture_opts->multi_files_on) {
2403 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2405 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2408 gboolean successful;
2410 ld->bytes_written = 0;
2411 if (capture_opts->use_pcapng) {
2414 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2415 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err) &&
2416 libpcap_write_interface_description_block(ld->pdh, capture_opts->iface, capture_opts->cfilter, ld->linktype, ld->file_snaplen, &ld->bytes_written, &err);
2418 successful = libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
2419 &ld->bytes_written, &err);
2427 if (ld->pdh == NULL) {
2428 /* We couldn't set up to write to the capture file. */
2429 /* XXX - use cf_open_error_message from tshark instead? */
2434 g_snprintf(errmsg, errmsg_len,
2435 "The file to which the capture would be"
2436 " saved (\"%s\") could not be opened: Error %d.",
2437 capture_opts->save_file, err);
2439 g_snprintf(errmsg, errmsg_len,
2440 "The file to which the capture would be"
2441 " saved (\"%s\") could not be opened: %s.",
2442 capture_opts->save_file, strerror(err));
2454 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2457 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2459 if (capture_opts->multi_files_on) {
2460 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2462 if (capture_opts->use_pcapng) {
2463 libpcap_write_interface_statistics_block(ld->pdh, 0, ld->pcap_h, &ld->bytes_written, err_close);
2465 return libpcap_dump_close(ld->pdh, err_close);
2469 /* dispatch incoming packets (pcap or capture pipe)
2471 * Waits for incoming packets to be available, and calls pcap_dispatch()
2472 * to cause them to be processed.
2474 * Returns the number of packets which were processed.
2476 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2477 * packet-batching behaviour does not cause packets to get held back
2481 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
2482 char *errmsg, int errmsg_len)
2485 gint packet_count_before;
2486 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2491 packet_count_before = ld->packet_count;
2492 if (ld->from_cap_pipe) {
2493 /* dispatch from capture pipe */
2494 #ifdef LOG_CAPTURE_VERBOSE
2495 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2498 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
2500 if (sel_ret < 0 && errno != EINTR) {
2501 g_snprintf(errmsg, errmsg_len,
2502 "Unexpected error from select: %s", strerror(errno));
2503 report_capture_error(errmsg, please_report);
2508 * "select()" says we can read from the pipe without blocking
2510 #endif /* USE_THREADS */
2511 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
2521 /* dispatch from pcap */
2522 #ifdef MUST_DO_SELECT
2524 * If we have "pcap_get_selectable_fd()", we use it to get the
2525 * descriptor on which to select; if that's -1, it means there
2526 * is no descriptor on which you can do a "select()" (perhaps
2527 * because you're capturing on a special device, and that device's
2528 * driver unfortunately doesn't support "select()", in which case
2529 * we don't do the select - which means it might not be possible
2530 * to stop a capture until a packet arrives. If that's unacceptable,
2531 * plead with whoever supplies the software for that device to add
2532 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2533 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2534 * later, so it can use pcap_breakloop().
2536 #ifdef LOG_CAPTURE_VERBOSE
2537 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2539 if (ld->pcap_fd != -1) {
2540 sel_ret = cap_pipe_select(ld->pcap_fd);
2543 * "select()" says we can read from it without blocking; go for
2546 * We don't have pcap_breakloop(), so we only process one packet
2547 * per pcap_dispatch() call, to allow a signal to stop the
2548 * processing immediately, rather than processing all packets
2549 * in a batch before quitting.
2551 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
2555 /* Error, rather than pcap_breakloop(). */
2556 ld->pcap_err = TRUE;
2558 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2561 if (sel_ret < 0 && errno != EINTR) {
2562 g_snprintf(errmsg, errmsg_len,
2563 "Unexpected error from select: %s", strerror(errno));
2564 report_capture_error(errmsg, please_report);
2570 #endif /* MUST_DO_SELECT */
2572 /* dispatch from pcap without select */
2574 #ifdef LOG_CAPTURE_VERBOSE
2575 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2579 * On Windows, we don't support asynchronously telling a process to
2580 * stop capturing; instead, we check for an indication on a pipe
2581 * after processing packets. We therefore process only one packet
2582 * at a time, so that we can check the pipe after every packet.
2584 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
2586 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
2590 /* Error, rather than pcap_breakloop(). */
2591 ld->pcap_err = TRUE;
2593 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2595 #else /* pcap_next_ex */
2596 #ifdef LOG_CAPTURE_VERBOSE
2597 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2599 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2602 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2603 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2604 * This should be fixed in the WinPcap 4.0 alpha release.
2606 * For reference, an example remote interface:
2607 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2610 /* emulate dispatch from pcap */
2613 struct pcap_pkthdr *pkt_header;
2618 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
2619 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
2622 ld->pcap_err = TRUE;
2626 #endif /* pcap_next_ex */
2630 #ifdef LOG_CAPTURE_VERBOSE
2631 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2634 return ld->packet_count - packet_count_before;
2638 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2639 * want to grab only the characters between the '{' and '}' delimiters.
2641 * Returns a GString that must be freed with g_string_free(). */
2643 isolate_uuid(const char *iface)
2648 ptr = strchr(iface, '{');
2650 return g_string_new(iface);
2651 gstr = g_string_new(ptr + 1);
2653 ptr = strchr(gstr->str, '}');
2657 gstr = g_string_truncate(gstr, ptr - gstr->str);
2662 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2663 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2665 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2666 char *errmsg, int errmsg_len)
2669 gchar *capfile_name;
2671 gboolean is_tempfile;
2673 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2674 (capture_opts->save_file) ? capture_opts->save_file : "");
2676 if (capture_opts->save_file != NULL) {
2677 /* We return to the caller while the capture is in progress.
2678 * Therefore we need to take a copy of save_file in
2679 * case the caller destroys it after we return.
2681 capfile_name = g_strdup(capture_opts->save_file);
2683 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2684 if (capture_opts->multi_files_on) {
2685 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2686 g_snprintf(errmsg, errmsg_len,
2687 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2688 g_free(capfile_name);
2691 if (strcmp(capfile_name, "-") == 0) {
2692 /* write to stdout */
2695 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2696 _setmode(1, O_BINARY);
2699 } /* if (...output_to_pipe ... */
2702 if (capture_opts->multi_files_on) {
2703 /* ringbuffer is enabled */
2704 *save_file_fd = ringbuf_init(capfile_name,
2705 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2706 capture_opts->group_read_access);
2708 /* we need the ringbuf name */
2709 if(*save_file_fd != -1) {
2710 g_free(capfile_name);
2711 capfile_name = g_strdup(ringbuf_current_filename());
2714 /* Try to open/create the specified file for use as a capture buffer. */
2715 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2716 (capture_opts->group_read_access) ? 0640 : 0600);
2719 is_tempfile = FALSE;
2721 /* Choose a random name for the temporary capture buffer */
2725 iface = isolate_uuid(capture_opts->iface);
2726 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2727 g_string_free(iface, TRUE);
2729 prefix = g_strconcat("wireshark_", g_basename(capture_opts->iface), NULL);
2731 *save_file_fd = create_tempfile(&tmpname, prefix);
2733 capfile_name = g_strdup(tmpname);
2737 /* did we fail to open the output file? */
2738 if (*save_file_fd == -1) {
2740 g_snprintf(errmsg, errmsg_len,
2741 "The temporary file to which the capture would be saved (\"%s\") "
2742 "could not be opened: %s.", capfile_name, strerror(errno));
2744 if (capture_opts->multi_files_on) {
2745 ringbuf_error_cleanup();
2748 g_snprintf(errmsg, errmsg_len,
2749 "The file to which the capture would be saved (\"%s\") "
2750 "could not be opened: %s.", capfile_name,
2753 g_free(capfile_name);
2757 if(capture_opts->save_file != NULL) {
2758 g_free(capture_opts->save_file);
2760 capture_opts->save_file = capfile_name;
2761 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2762 "g_free(capfile_name)". */
2768 /* Do the work of handling either the file size or file duration capture
2769 conditions being reached, and switching files or stopping. */
2771 do_file_switch_or_stop(capture_options *capture_opts,
2772 condition *cnd_autostop_files,
2773 condition *cnd_autostop_size,
2774 condition *cnd_file_duration)
2776 if (capture_opts->multi_files_on) {
2777 if (cnd_autostop_files != NULL &&
2778 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2779 /* no files left: stop here */
2780 global_ld.go = FALSE;
2784 /* Switch to the next ringbuffer file */
2785 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2786 &global_ld.save_file_fd, &global_ld.err)) {
2787 gboolean successful;
2789 /* File switch succeeded: reset the conditions */
2790 global_ld.bytes_written = 0;
2791 if (capture_opts->use_pcapng) {
2794 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2795 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &global_ld.bytes_written, &global_ld.err) &&
2796 libpcap_write_interface_description_block(global_ld.pdh, capture_opts->iface, capture_opts->cfilter, global_ld.linktype, global_ld.file_snaplen, &global_ld.bytes_written, &global_ld.err);
2798 successful = libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2799 &global_ld.bytes_written, &global_ld.err);
2802 fclose(global_ld.pdh);
2803 global_ld.pdh = NULL;
2804 global_ld.go = FALSE;
2807 if(cnd_autostop_size)
2808 cnd_reset(cnd_autostop_size);
2809 if(cnd_file_duration)
2810 cnd_reset(cnd_file_duration);
2811 libpcap_dump_flush(global_ld.pdh, NULL);
2813 report_packet_count(global_ld.inpkts_to_sync_pipe);
2814 global_ld.inpkts_to_sync_pipe = 0;
2815 report_new_capture_file(capture_opts->save_file);
2817 /* File switch failed: stop here */
2818 global_ld.go = FALSE;
2822 /* single file, stop now */
2823 global_ld.go = FALSE;
2829 /* Do the low-level work of a capture.
2830 Returns TRUE if it succeeds, FALSE otherwise. */
2832 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
2835 time_t upd_time, cur_time;
2837 struct timeval upd_time, cur_time;
2841 condition *cnd_file_duration = NULL;
2842 condition *cnd_autostop_files = NULL;
2843 condition *cnd_autostop_size = NULL;
2844 condition *cnd_autostop_duration = NULL;
2847 gboolean cfilter_error = FALSE;
2848 char errmsg[MSG_MAX_LENGTH+1];
2849 char secondary_errmsg[MSG_MAX_LENGTH+1];
2852 *secondary_errmsg = '\0';
2854 /* init the loop data */
2855 global_ld.go = TRUE;
2856 global_ld.packet_count = 0;
2858 global_ld.report_packet_count = FALSE;
2860 if (capture_opts->has_autostop_packets)
2861 global_ld.packet_max = capture_opts->autostop_packets;
2863 global_ld.packet_max = 0; /* no limit */
2864 global_ld.inpkts_to_sync_pipe = 0;
2865 global_ld.err = 0; /* no error seen yet */
2866 global_ld.pcap_err = FALSE;
2867 global_ld.from_cap_pipe = FALSE;
2868 global_ld.pdh = NULL;
2870 global_ld.cap_pipe_fd = -1;
2872 global_ld.cap_pipe_h = INVALID_HANDLE_VALUE;
2874 #ifdef MUST_DO_SELECT
2875 global_ld.pcap_fd = 0;
2877 global_ld.autostop_files = 0;
2878 global_ld.save_file_fd = -1;
2880 /* We haven't yet gotten the capture statistics. */
2881 *stats_known = FALSE;
2883 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
2884 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
2886 /* open the "input file" from network interface or capture pipe */
2887 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
2888 secondary_errmsg, sizeof(secondary_errmsg))) {
2892 /* init the input filter from the network interface (capture pipe will do nothing) */
2893 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
2894 capture_opts->iface,
2895 capture_opts->cfilter)) {
2897 case INITFILTER_NO_ERROR:
2900 case INITFILTER_BAD_FILTER:
2901 cfilter_error = TRUE;
2902 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
2905 case INITFILTER_OTHER_ERROR:
2906 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
2907 pcap_geterr(global_ld.pcap_h));
2908 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
2912 /* If we're supposed to write to a capture file, open it for output
2913 (temporary/specified name/ringbuffer) */
2914 if (capture_opts->saving_to_file) {
2915 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
2916 errmsg, sizeof(errmsg))) {
2920 /* set up to write to the already-opened capture output file/files */
2921 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
2926 /* XXX - capture SIGTERM and close the capture, in case we're on a
2927 Linux 2.0[.x] system and you have to explicitly close the capture
2928 stream in order to turn promiscuous mode off? We need to do that
2929 in other places as well - and I don't think that works all the
2930 time in any case, due to libpcap bugs. */
2932 /* Well, we should be able to start capturing.
2934 Sync out the capture file, so the header makes it to the file system,
2935 and send a "capture started successfully and capture file created"
2936 message to our parent so that they'll open the capture file and
2937 update its windows to indicate that we have a live capture in
2939 libpcap_dump_flush(global_ld.pdh, NULL);
2940 report_new_capture_file(capture_opts->save_file);
2943 /* initialize capture stop (and alike) conditions */
2944 init_capture_stop_conditions();
2945 /* create stop conditions */
2946 if (capture_opts->has_autostop_filesize)
2948 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
2949 if (capture_opts->has_autostop_duration)
2950 cnd_autostop_duration =
2951 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
2953 if (capture_opts->multi_files_on) {
2954 if (capture_opts->has_file_duration)
2956 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
2958 if (capture_opts->has_autostop_files)
2959 cnd_autostop_files =
2960 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
2963 /* init the time values */
2965 upd_time = GetTickCount();
2967 gettimeofday(&upd_time, NULL);
2970 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
2972 /* WOW, everything is prepared! */
2973 /* please fasten your seat belts, we will enter now the actual capture loop */
2974 while (global_ld.go) {
2975 /* dispatch incoming packets */
2976 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
2980 /* Were we asked to print packet counts by the SIGINFO handler? */
2981 if (global_ld.report_packet_count) {
2982 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
2983 plurality(global_ld.packet_count, "", "s"));
2984 global_ld.report_packet_count = FALSE;
2989 /* any news from our parent (signal pipe)? -> just stop the capture */
2990 if (!signal_pipe_check_running()) {
2991 global_ld.go = FALSE;
2996 global_ld.inpkts_to_sync_pipe += inpkts;
2998 /* check capture size condition */
2999 if (cnd_autostop_size != NULL &&
3000 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3001 /* Capture size limit reached, do we have another file? */
3002 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3003 cnd_autostop_size, cnd_file_duration))
3005 } /* cnd_autostop_size */
3006 if (capture_opts->output_to_pipe) {
3007 libpcap_dump_flush(global_ld.pdh, NULL);
3011 /* Only update once every 500ms so as not to overload slow displays.
3012 * This also prevents too much context-switching between the dumpcap
3013 * and wireshark processes.
3015 #define DUMPCAP_UPD_TIME 500
3018 cur_time = GetTickCount();
3019 if ( (cur_time - upd_time) > DUMPCAP_UPD_TIME) {
3021 gettimeofday(&cur_time, NULL);
3022 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3023 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3026 upd_time = cur_time;
3029 if (pcap_stats(pch, stats) >= 0) {
3030 *stats_known = TRUE;
3033 /* Let the parent process know. */
3034 if (global_ld.inpkts_to_sync_pipe) {
3036 libpcap_dump_flush(global_ld.pdh, NULL);
3038 /* Send our parent a message saying we've written out
3039 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3041 report_packet_count(global_ld.inpkts_to_sync_pipe);
3043 global_ld.inpkts_to_sync_pipe = 0;
3046 /* check capture duration condition */
3047 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3048 /* The maximum capture time has elapsed; stop the capture. */
3049 global_ld.go = FALSE;
3053 /* check capture file duration condition */
3054 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3055 /* duration limit reached, do we have another file? */
3056 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3057 cnd_autostop_size, cnd_file_duration))
3059 } /* cnd_file_duration */
3062 } /* while (global_ld.go) */
3064 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3066 /* delete stop conditions */
3067 if (cnd_file_duration != NULL)
3068 cnd_delete(cnd_file_duration);
3069 if (cnd_autostop_files != NULL)
3070 cnd_delete(cnd_autostop_files);
3071 if (cnd_autostop_size != NULL)
3072 cnd_delete(cnd_autostop_size);
3073 if (cnd_autostop_duration != NULL)
3074 cnd_delete(cnd_autostop_duration);
3076 /* did we had a pcap (input) error? */
3077 if (global_ld.pcap_err) {
3078 /* On Linux, if an interface goes down while you're capturing on it,
3079 you'll get a "recvfrom: Network is down" or
3080 "The interface went down" error (ENETDOWN).
3081 (At least you will if strerror() doesn't show a local translation
3084 On FreeBSD and OS X, if a network adapter disappears while
3085 you're capturing on it, you'll get a "read: Device not configured"
3086 error (ENXIO). (See previous parenthetical note.)
3088 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3090 These should *not* be reported to the Wireshark developers. */
3093 cap_err_str = pcap_geterr(global_ld.pcap_h);
3094 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3095 strcmp(cap_err_str, "The interface went down") == 0 ||
3096 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3097 strcmp(cap_err_str, "read: I/O error") == 0 ||
3098 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3099 report_capture_error("The network adapter on which the capture was being done "
3100 "is no longer running; the capture has stopped.",
3103 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3105 report_capture_error(errmsg, please_report);
3108 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
3109 report_capture_error(errmsg, "");
3111 /* did we have an output error while capturing? */
3112 if (global_ld.err == 0) {
3115 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3116 global_ld.err, FALSE);
3117 report_capture_error(errmsg, please_report);
3121 if (capture_opts->saving_to_file) {
3122 /* close the output file */
3123 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3127 /* there might be packets not yet notified to the parent */
3128 /* (do this after closing the file, so all packets are already flushed) */
3129 if(global_ld.inpkts_to_sync_pipe) {
3131 report_packet_count(global_ld.inpkts_to_sync_pipe);
3132 global_ld.inpkts_to_sync_pipe = 0;
3135 /* If we've displayed a message about a write error, there's no point
3136 in displaying another message about an error on close. */
3137 if (!close_ok && write_ok) {
3138 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3140 report_capture_error(errmsg, "");
3144 * XXX We exhibit different behaviour between normal mode and sync mode
3145 * when the pipe is stdin and not already at EOF. If we're a child, the
3146 * parent's stdin isn't closed, so if the user starts another capture,
3147 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3148 * will say "Unrecognized libpcap format". On the other hand, in normal
3149 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3152 report_capture_count(); /* print final capture count only if (quiet && !capture_child) */
3154 /* get packet drop statistics from pcap */
3155 if(global_ld.pcap_h != NULL) {
3156 g_assert(!global_ld.from_cap_pipe);
3157 /* Get the capture statistics, so we know how many packets were
3159 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
3160 *stats_known = TRUE;
3161 /* Let the parent process know. */
3162 report_packet_drops(stats->ps_recv, stats->ps_drop, capture_opts->iface);
3164 g_snprintf(errmsg, sizeof(errmsg),
3165 "Can't get packet-drop statistics: %s",
3166 pcap_geterr(global_ld.pcap_h));
3167 report_capture_error(errmsg, please_report);
3171 /* close the input file (pcap or capture pipe) */
3172 capture_loop_close_input(&global_ld);
3174 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3176 /* ok, if the write and the close were successful. */
3177 return write_ok && close_ok;
3180 if (capture_opts->multi_files_on) {
3181 /* cleanup ringbuffer */
3182 ringbuf_error_cleanup();
3184 /* We can't use the save file, and we have no FILE * for the stream
3185 to close in order to close it, so close the FD directly. */
3186 if(global_ld.save_file_fd != -1) {
3187 ws_close(global_ld.save_file_fd);
3190 /* We couldn't even start the capture, so get rid of the capture
3192 if(capture_opts->save_file != NULL) {
3193 ws_unlink(capture_opts->save_file);
3194 g_free(capture_opts->save_file);
3197 capture_opts->save_file = NULL;
3199 report_cfilter_error(capture_opts->cfilter, errmsg);
3201 report_capture_error(errmsg, secondary_errmsg);
3203 /* close the input file (pcap or cap_pipe) */
3204 capture_loop_close_input(&global_ld);
3206 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3212 static void capture_loop_stop(void)
3214 #ifdef HAVE_PCAP_BREAKLOOP
3215 if(global_ld.pcap_h != NULL)
3216 pcap_breakloop(global_ld.pcap_h);
3218 global_ld.go = FALSE;
3223 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3224 int err, gboolean is_close)
3229 g_snprintf(errmsg, errmsglen,
3230 "Not all the packets could be written to the file"
3231 " to which the capture was being saved\n"
3232 "(\"%s\") because there is no space left on the file system\n"
3233 "on which that file resides.",
3239 g_snprintf(errmsg, errmsglen,
3240 "Not all the packets could be written to the file"
3241 " to which the capture was being saved\n"
3242 "(\"%s\") because you are too close to, or over,"
3243 " your disk quota\n"
3244 "on the file system on which that file resides.",
3251 g_snprintf(errmsg, errmsglen,
3252 "The file to which the capture was being saved\n"
3253 "(\"%s\") could not be closed: %s.",
3254 fname, strerror(err));
3256 g_snprintf(errmsg, errmsglen,
3257 "An error occurred while writing to the file"
3258 " to which the capture was being saved\n"
3260 fname, strerror(err));
3267 /* one packet was captured, process it */
3269 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3272 loop_data *ld = (loop_data *) (void *) user;
3275 /* We may be called multiple times from pcap_dispatch(); if we've set
3276 the "stop capturing" flag, ignore this packet, as we're not
3277 supposed to be saving any more packets. */
3282 gboolean successful;
3283 /* We're supposed to write the packet to a file; do so.
3284 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3285 "ld->err" to the error. */
3286 if (global_capture_opts.use_pcapng) {
3287 successful = libpcap_write_enhanced_packet_block(ld->pdh, phdr, 0, pd, &ld->bytes_written, &err);
3289 successful = libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err);
3296 /* if the user told us to stop after x packets, do we already have enough? */
3297 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
3306 /* And now our feature presentation... [ fade to music ] */
3308 main(int argc, char *argv[])
3311 gboolean arg_error = FALSE;
3318 struct sigaction action, oldaction;
3321 gboolean start_capture = TRUE;
3322 gboolean stats_known;
3323 struct pcap_stat stats;
3324 GLogLevelFlags log_flags;
3325 gboolean list_interfaces = FALSE;
3326 gboolean list_link_layer_types = FALSE;
3327 #ifdef HAVE_BPF_IMAGE
3328 gboolean print_bpf_code = FALSE;
3330 gboolean machine_readable = FALSE;
3331 gboolean print_statistics = FALSE;
3332 int status, run_once_args = 0;
3334 #if defined(__APPLE__) && defined(__LP64__)
3335 struct utsname osinfo;
3339 /* Convert our arg list to UTF-8. */
3340 wc_argv = CommandLineToArgvW(GetCommandLineW(), &wc_argc);
3341 if (wc_argv && wc_argc == argc) {
3342 for (i = 0; i < argc; i++) {
3343 argv[i] = g_utf16_to_utf8(wc_argv[i], -1, NULL, NULL, NULL);
3345 } /* XXX else bail because something is horribly, horribly wrong? */
3350 * Initialize our DLL search path. MUST be called before LoadLibrary
3353 ws_init_dll_search_path();
3356 #ifdef HAVE_PCAP_REMOTE
3357 #define OPTSTRING_A "A:"
3358 #define OPTSTRING_r "r"
3359 #define OPTSTRING_u "u"
3361 #define OPTSTRING_A ""
3362 #define OPTSTRING_r ""
3363 #define OPTSTRING_u ""
3366 #ifdef HAVE_PCAP_SETSAMPLING
3367 #define OPTSTRING_m "m:"
3369 #define OPTSTRING_m ""
3372 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3373 #define OPTSTRING_B "B:"
3375 #define OPTSTRING_B ""
3376 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3378 #ifdef HAVE_PCAP_CREATE
3379 #define OPTSTRING_I "I"
3381 #define OPTSTRING_I ""
3384 #ifdef HAVE_BPF_IMAGE
3385 #define OPTSTRING_d "d"
3387 #define OPTSTRING_d ""
3390 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:" OPTSTRING_u "vw:y:Z:"
3392 #ifdef DEBUG_CHILD_DUMPCAP
3393 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3394 fprintf (stderr, "Unable to open debug log file !\n");
3399 #if defined(__APPLE__) && defined(__LP64__)
3401 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3402 * a bug workaround - timeouts less than 1 second don't work with libpcap
3403 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3404 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3405 * The problem is extremely unlikely to be reintroduced in a future
3408 if (uname(&osinfo) == 0) {
3410 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3411 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3412 * number of 10.0.0, not 10.1.0 - go figure).
3414 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3415 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3416 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3417 need_timeout_workaround = TRUE;
3422 * Determine if dumpcap is being requested to run in a special
3423 * capture_child mode by going thru the command line args to see if
3424 * a -Z is present. (-Z is a hidden option).
3426 * The primary result of running in capture_child mode is that
3427 * all messages sent out on stderr are in a special type/len/string
3428 * format to allow message processing by type. These messages include
3429 * error messages if dumpcap fails to start the operation it was
3430 * requested to do, as well as various "status" messages which are sent
3431 * when an actual capture is in progress, and a "success" message sent
3432 * if dumpcap was requested to perform an operation other than a
3435 * Capture_child mode would normally be requested by a parent process
3436 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3437 * to which dumpcap stderr has been redirected. It might also have
3438 * another pipe to obtain dumpcap stdout output; for operations other
3439 * than a capture, that information is formatted specially for easier
3440 * parsing by the parent process.
3442 * Capture_child mode needs to be determined immediately upon
3443 * startup so that any messages generated by dumpcap in this mode
3444 * (eg: during initialization) will be formatted properly.
3447 for (i=1; i<argc; i++) {
3448 if (strcmp("-Z", argv[i]) == 0) {
3449 capture_child = TRUE;
3450 machine_readable = TRUE; /* request machine-readable output */
3452 /* set output pipe to binary mode, to avoid ugly text conversions */
3453 _setmode(2, O_BINARY);
3458 /* The default_log_handler will use stdout, which makes trouble in */
3459 /* capture child mode, as it uses stdout for it's sync_pipe. */
3460 /* So: the filtering is done in the console_log_handler and not here.*/
3461 /* We set the log handlers right up front to make sure that any log */
3462 /* messages when running as child will be sent back to the parent */
3463 /* with the correct format. */
3467 G_LOG_LEVEL_CRITICAL|
3468 G_LOG_LEVEL_WARNING|
3469 G_LOG_LEVEL_MESSAGE|
3472 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3474 g_log_set_handler(NULL,
3476 console_log_handler, NULL /* user_data */);
3477 g_log_set_handler(LOG_DOMAIN_MAIN,
3479 console_log_handler, NULL /* user_data */);
3480 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3482 console_log_handler, NULL /* user_data */);
3483 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3485 console_log_handler, NULL /* user_data */);
3488 /* Load wpcap if possible. Do this before collecting the run-time version information */
3491 /* ... and also load the packet.dll from wpcap */
3492 /* XXX - currently not required, may change later. */
3493 /*wpcap_packet_load();*/
3495 /* Start windows sockets */
3496 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3498 /* Set handler for Ctrl+C key */
3499 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3501 /* Prepare to read from a pipe */
3502 if (!g_thread_supported ())
3503 g_thread_init (NULL);
3504 cap_pipe_pending_q = g_async_queue_new();
3505 cap_pipe_done_q = g_async_queue_new();
3506 cap_pipe_read_mtx = g_mutex_new();
3509 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3511 action.sa_handler = capture_cleanup_handler;
3513 * Arrange that system calls not get restarted, because when
3514 * our signal handler returns we don't want to restart
3515 * a call that was waiting for packets to arrive.
3517 action.sa_flags = 0;
3518 sigemptyset(&action.sa_mask);
3519 sigaction(SIGTERM, &action, NULL);
3520 sigaction(SIGINT, &action, NULL);
3521 sigaction(SIGPIPE, &action, NULL);
3522 sigaction(SIGHUP, NULL, &oldaction);
3523 if (oldaction.sa_handler == SIG_DFL)
3524 sigaction(SIGHUP, &action, NULL);
3527 /* Catch SIGINFO and, if we get it and we're capturing in
3528 quiet mode, report the number of packets we've captured. */
3529 action.sa_handler = report_counts_siginfo;
3530 action.sa_flags = SA_RESTART;
3531 sigemptyset(&action.sa_mask);
3532 sigaction(SIGINFO, &action, NULL);
3533 #endif /* SIGINFO */
3536 /* ----------------------------------------------------------------- */
3537 /* Privilege and capability handling */
3539 /* 1. Running not as root or suid root; no special capabilities. */
3542 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3545 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3547 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3548 /* capabilities; Drop all other capabilities; */
3549 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3550 /* else: after pcap_open_live() in capture_loop_open_input() */
3551 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3552 /* (Note: this means that the process, although logged in */
3553 /* as root, does not have various permissions such as the */
3554 /* ability to bypass file access permissions). */
3555 /* XXX: Should we just leave capabilities alone in this case */
3556 /* so that user gets expected effect that root can do */
3559 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3561 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3562 /* else: after pcap_open_live() in capture_loop_open_input() */
3563 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3564 /* pcap_open_live). */
3566 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3568 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3569 /* capabilities; Drop all other capabilities; */
3570 /* Drop suid privileges (euid=ruid); */
3571 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3572 /* else: after pcap_open_live() in capture_loop_open_input() */
3573 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3575 /* XXX: For some Linux versions/distros with capabilities */
3576 /* a 'normal' process with any capabilities cannot be */
3577 /* 'killed' (signaled) from another (same uid) non-privileged */
3579 /* For example: If (non-suid) Wireshark forks a */
3580 /* child suid dumpcap which acts as described here (case 5), */
3581 /* Wireshark will be unable to kill (signal) the child */
3582 /* dumpcap process until the capabilities have been dropped */
3583 /* (after pcap_open_live()). */
3584 /* This behaviour will apparently be changed in the kernel */
3585 /* to allow the kill (signal) in this case. */
3586 /* See the following for details: */
3587 /* http://www.mail-archive.com/ [wrapped] */
3588 /* linux-security-module@vger.kernel.org/msg02913.html */
3590 /* It is therefore conceivable that if dumpcap somehow hangs */
3591 /* in pcap_open_live or before that wireshark will not */
3592 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3593 /* In this case, exiting wireshark will kill the child */
3594 /* dumpcap process. */
3596 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3597 /* capabilities; Using libcap. Note: capset cmd (which see) */
3598 /* used to assign capabilities to file. */
3600 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3601 /* else: after pcap_open_live() in capture_loop_open_input() */
3602 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3604 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3605 /* longer required (similar to capture). */
3607 /* ----------------------------------------------------------------- */
3609 init_process_policies();
3612 /* If 'started with special privileges' (and using libcap) */
3613 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3614 /* Set euid/egid = ruid/rgid to remove suid privileges */
3615 relinquish_privs_except_capture();
3618 /* Set the initial values in the capture options. This might be overwritten
3619 by the command line parameters. */
3620 capture_opts_init(&global_capture_opts, NULL);
3622 /* Default to capturing the entire packet. */
3623 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3625 /* We always save to a file - if no file was specified, we save to a
3627 global_capture_opts.saving_to_file = TRUE;
3628 global_capture_opts.has_ring_num_files = TRUE;
3630 /* Now get our args */
3631 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3633 case 'h': /* Print help and exit */
3637 case 'v': /* Show version and exit */
3639 GString *comp_info_str;
3640 GString *runtime_info_str;
3641 /* Assemble the compile-time version information string */
3642 comp_info_str = g_string_new("Compiled ");
3643 get_compiled_version_info(comp_info_str, NULL, NULL);
3645 /* Assemble the run-time version information string */
3646 runtime_info_str = g_string_new("Running ");
3647 get_runtime_version_info(runtime_info_str, NULL);
3648 show_version(comp_info_str, runtime_info_str);
3649 g_string_free(comp_info_str, TRUE);
3650 g_string_free(runtime_info_str, TRUE);
3654 /*** capture option specific ***/
3655 case 'a': /* autostop criteria */
3656 case 'b': /* Ringbuffer option */
3657 case 'c': /* Capture x packets */
3658 case 'f': /* capture filter */
3659 case 'i': /* Use interface x */
3660 case 'n': /* Use pcapng format */
3661 case 'p': /* Don't capture in promiscuous mode */
3662 case 's': /* Set the snapshot (capture) length */
3663 case 'w': /* Write to capture file x */
3664 case 'g': /* enable group read accesson file(s) */
3665 case 'y': /* Set the pcap data link type */
3666 #ifdef HAVE_PCAP_REMOTE
3667 case 'u': /* Use UDP for data transfer */
3668 case 'r': /* Capture own RPCAP traffic too */
3669 case 'A': /* Authentication */
3671 #ifdef HAVE_PCAP_SETSAMPLING
3672 case 'm': /* Sampling */
3674 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3675 case 'B': /* Buffer size */
3676 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3677 #ifdef HAVE_PCAP_CREATE
3678 case 'I': /* Monitor mode */
3680 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
3685 /*** hidden option: Wireshark child mode (using binary output messages) ***/
3687 capture_child = TRUE;
3689 /* set output pipe to binary mode, to avoid ugly text conversions */
3690 _setmode(2, O_BINARY);
3692 * optarg = the control ID, aka the PPID, currently used for the
3695 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
3696 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
3697 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
3698 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
3700 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
3701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3702 "Signal pipe: Unable to open %s. Dead parent?",
3710 case 'q': /* Quiet */
3714 /*** all non capture option specific ***/
3715 case 'D': /* Print a list of capture devices and exit */
3716 list_interfaces = TRUE;
3719 case 'L': /* Print list of link-layer types and exit */
3720 list_link_layer_types = TRUE;
3723 #ifdef HAVE_BPF_IMAGE
3724 case 'd': /* Print BPF code for capture filter and exit */
3725 print_bpf_code = TRUE;
3729 case 'S': /* Print interface statistics once a second */
3730 print_statistics = TRUE;
3733 case 'M': /* For -D, -L, and -S, print machine-readable output */
3734 machine_readable = TRUE;
3737 case '?': /* Bad flag - print usage message */
3738 cmdarg_err("Invalid Option: %s", argv[optind-1]);
3746 /* user specified file name as regular command-line argument */
3747 /* XXX - use it as the capture file name (or something else)? */
3754 * Extra command line arguments were specified; complain.
3755 * XXX - interpret as capture filter, as tcpdump and tshark do?
3757 cmdarg_err("Invalid argument: %s", argv[0]);
3766 if (run_once_args > 1) {
3767 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
3769 } else if (run_once_args == 1) {
3770 /* We're supposed to print some information, rather than
3771 to capture traffic; did they specify a ring buffer option? */
3772 if (global_capture_opts.multi_files_on) {
3773 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
3777 /* We're supposed to capture traffic; was the ring buffer option
3778 specified and, if so, does it make sense? */
3779 if (global_capture_opts.multi_files_on) {
3780 /* Ring buffer works only under certain conditions:
3781 a) ring buffer does not work with temporary files;
3782 b) it makes no sense to enable the ring buffer if the maximum
3783 file size is set to "infinite". */
3784 if (global_capture_opts.save_file == NULL) {
3785 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
3786 global_capture_opts.multi_files_on = FALSE;
3788 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
3789 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
3791 /* XXX - this must be redesigned as the conditions changed */
3792 global_capture_opts.multi_files_on = FALSE;
3799 * "-D" requires no interface to be selected; it's supposed to list
3802 if (list_interfaces) {
3803 /* Get the list of interfaces */
3808 if_list = capture_interface_list(&err, &err_str);
3809 if (if_list == NULL) {
3811 case CANT_GET_INTERFACE_LIST:
3812 cmdarg_err("%s", err_str);
3817 case NO_INTERFACES_FOUND:
3819 * If we're being run by another program, just give them
3820 * an empty list of interfaces, don't report this as
3821 * an error; that lets them decide whether to report
3822 * this as an error or not.
3824 if (!machine_readable) {
3825 cmdarg_err("There are no interfaces on which a capture can be done");
3832 if (machine_readable) /* tab-separated values to stdout */
3833 print_machine_readable_interfaces(if_list);
3835 capture_opts_print_interfaces(if_list);
3836 free_interface_list(if_list);
3841 * "-S" requires no interface to be selected; it gives statistics
3842 * for all interfaces.
3844 if (print_statistics) {
3845 status = print_statistics_loop(machine_readable);
3850 * "-L", "-d", and capturing act on a particular interface, so we have to
3851 * have an interface; if none was specified, pick a default.
3853 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
3854 /* cmdarg_err() already called .... */
3858 /* Let the user know what interface was chosen. */
3859 /* get_interface_descriptive_name() is not available! */
3860 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
3862 if (list_link_layer_types) {
3863 /* Get the list of link-layer types for the capture device. */
3864 if_capabilities_t *caps;
3867 caps = get_if_capabilities(global_capture_opts.iface,
3868 global_capture_opts.monitor_mode, &err_str);
3870 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
3871 "Please check to make sure you have sufficient permissions, and that\n"
3872 "you have the proper interface or pipe specified.", global_capture_opts.iface, err_str);
3876 if (caps->data_link_types == NULL) {
3877 cmdarg_err("The capture device \"%s\" has no data link types.", global_capture_opts.iface);
3880 if (machine_readable) /* tab-separated values to stdout */
3881 print_machine_readable_if_capabilities(caps);
3883 capture_opts_print_if_capabilities(caps,
3884 global_capture_opts.monitor_mode);
3885 free_if_capabilities(caps);
3889 /* We're supposed to do a capture, or print the BPF code for a filter.
3890 Process the snapshot length, as that affects the generated BPF code. */
3891 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
3893 #ifdef HAVE_BPF_IMAGE
3894 if (print_bpf_code) {
3895 show_filter_code(&global_capture_opts);
3900 /* We're supposed to do a capture. Process the ring buffer arguments. */
3901 capture_opts_trim_ring_num_files(&global_capture_opts);
3903 /* Now start the capture. */
3905 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
3909 /* capture failed */
3912 return 0; /* never here, make compiler happy */
3917 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
3918 const char *message, gpointer user_data _U_)
3925 /* ignore log message, if log_level isn't interesting */
3926 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3927 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
3932 /* create a "timestamp" */
3934 today = localtime(&curr);
3936 switch(log_level & G_LOG_LEVEL_MASK) {
3937 case G_LOG_LEVEL_ERROR:
3940 case G_LOG_LEVEL_CRITICAL:
3943 case G_LOG_LEVEL_WARNING:
3946 case G_LOG_LEVEL_MESSAGE:
3949 case G_LOG_LEVEL_INFO:
3952 case G_LOG_LEVEL_DEBUG:
3956 fprintf(stderr, "unknown log_level %u\n", log_level);
3958 g_assert_not_reached();
3961 /* Generate the output message */
3962 if(log_level & G_LOG_LEVEL_MESSAGE) {
3963 /* normal user messages without additional infos */
3964 msg = g_strdup_printf("%s\n", message);
3966 /* info/debug messages with additional infos */
3967 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
3968 today->tm_hour, today->tm_min, today->tm_sec,
3969 log_domain != NULL ? log_domain : "",
3973 /* DEBUG & INFO msgs (if we're debugging today) */
3974 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3975 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3976 #ifdef DEBUG_DUMPCAP
3977 fprintf(stderr, "%s", msg);
3980 #ifdef DEBUG_CHILD_DUMPCAP
3981 fprintf(debug_log, "%s", msg);
3989 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
3990 /* to parent especially formatted if dumpcap running as child. */
3991 if (capture_child) {
3992 sync_pipe_errmsg_to_parent(2, msg, "");
3994 fprintf(stderr, "%s", msg);
4001 /****************************************************************************************************************/
4002 /* indication report routines */
4006 report_packet_count(int packet_count)
4008 char tmp[SP_DECISIZE+1+1];
4009 static int count = 0;
4012 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4013 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4014 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4016 count += packet_count;
4017 fprintf(stderr, "\rPackets: %u ", count);
4018 /* stderr could be line buffered */
4024 report_new_capture_file(const char *filename)
4027 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4028 pipe_write_block(2, SP_FILE, filename);
4032 * Prevent a SIGINFO handler from writing to the standard error
4033 * while we're doing so; instead, have it just set a flag telling
4034 * us to print that information when we're done.
4037 #endif /* SIGINFO */
4038 fprintf(stderr, "File: %s\n", filename);
4039 /* stderr could be line buffered */
4044 * Allow SIGINFO handlers to write.
4049 * If a SIGINFO handler asked us to write out capture counts, do so.
4052 report_counts_for_siginfo();
4053 #endif /* SIGINFO */
4058 report_cfilter_error(const char *cfilter, const char *errmsg)
4060 if (capture_child) {
4061 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4062 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4065 "Invalid capture filter: \"%s\"!\n"
4067 "That string isn't a valid capture filter (%s).\n"
4068 "See the User's Guide for a description of the capture filter syntax.\n",
4074 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4077 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4078 "Primary Error: %s", error_msg);
4079 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4080 "Secondary Error: %s", secondary_error_msg);
4081 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4083 fprintf(stderr, "%s\n", error_msg);
4084 if (secondary_error_msg[0] != '\0')
4085 fprintf(stderr, "%s\n", secondary_error_msg);
4090 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4092 char tmp1[SP_DECISIZE+1+1];
4093 char tmp2[SP_DECISIZE+1+1];
4095 g_snprintf(tmp1, sizeof(tmp1), "%u", received);
4096 g_snprintf(tmp2, sizeof(tmp2), "%u", drops);
4099 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets captured/dropped on interface %s: %s/%s", name, tmp1, tmp2);
4100 pipe_write_block(2, SP_DROPS, tmp2);
4102 fprintf(stderr, "Packets captured/dropped on interface %s: %s/%s\n", name, tmp1, tmp2);
4103 /* stderr could be line buffered */
4109 /****************************************************************************************************************/
4110 /* signal_pipe handling */
4115 signal_pipe_check_running(void)
4117 /* any news from our parent? -> just stop the capture */
4121 /* if we are running standalone, no check required */
4122 if(!capture_child) {
4126 if(!sig_pipe_name || !sig_pipe_handle) {
4127 /* This shouldn't happen */
4128 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4129 "Signal pipe: No name or handle");
4134 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4135 * at this point. Should we check to see if the parent is still alive,
4136 * e.g. by using OpenProcess?
4139 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4141 if(!result || avail > 0) {
4142 /* peek failed or some bytes really available */
4143 /* (if not piping from stdin this would fail) */
4144 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4145 "Signal pipe: Stop capture: %s", sig_pipe_name);
4146 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4147 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4148 sig_pipe_handle, result, avail);
4151 /* pipe ok and no bytes available */
4158 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4163 * indent-tabs-mode: nil
4166 * vi: set shiftwidth=4 tabstop=8 expandtab
4167 * :indentSize=4:tabSize=8:noTabs=true: