5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
88 #include "capture-wpcap.h"
89 #include <wsutil/unicode-utils.h>
93 #include <sys/socket.h>
97 #ifdef NEED_INET_V6DEFS_H
98 # include "wsutil/inet_v6defs.h"
101 #include <wsutil/privileges.h>
103 #include "sync_pipe.h"
105 #include "capture_opts.h"
106 #include "capture_ifinfo.h"
107 #include "capture_sync.h"
109 #include "conditions.h"
110 #include "capture_stop_conditions.h"
112 #include "tempfile.h"
114 #include "wsutil/file_util.h"
117 * Get information about libpcap format from "wiretap/libpcap.h".
118 * XXX - can we just use pcap_open_offline() to read the pipe?
120 #include "wiretap/libpcap.h"
122 /**#define DEBUG_DUMPCAP**/
123 /**#define DEBUG_CHILD_DUMPCAP**/
125 #ifdef DEBUG_CHILD_DUMPCAP
126 FILE *debug_log; /* for logging debug messages to */
127 /* a file if DEBUG_CHILD_DUMPCAP */
135 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
137 static gchar *sig_pipe_name = NULL;
138 static HANDLE sig_pipe_handle = NULL;
139 static gboolean signal_pipe_check_running(void);
143 static GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
144 static GMutex *cap_pipe_read_mtx;
148 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
149 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
152 /** Stop a low-level capture (stops the capture child). */
153 static void capture_loop_stop(void);
155 #if !defined (__linux__)
156 #ifndef HAVE_PCAP_BREAKLOOP
158 * We don't have pcap_breakloop(), which is the only way to ensure that
159 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
160 * won't, if the call to read the next packet or batch of packets is
161 * is interrupted by a signal on UN*X, just go back and try again to
164 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
165 * the signal handler, set a flag to stop capturing; however, without
166 * a guarantee of that sort, we can't guarantee that we'll stop capturing
167 * if the read will be retried and won't time out if no packets arrive.
169 * Therefore, on at least some platforms, we work around the lack of
170 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
171 * to wait for packets to arrive, so that we're probably going to be
172 * blocked in the select() when the signal arrives, and can just bail
173 * out of the loop at that point.
175 * However, we don't want to that on BSD (because "select()" doesn't work
176 * correctly on BPF devices on at least some releases of some flavors of
177 * BSD), and we don't want to do it on Windows (because "select()" is
178 * something for sockets, not for arbitrary handles). (Note that "Windows"
179 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
180 * using WinPcap, not a UNIX libpcap.)
182 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
183 * on BSD times out even if no packets have arrived, so we'll eventually
184 * exit pcap_dispatch() with an indication that no packets have arrived,
185 * and will break out of the capture loop at that point.
187 * On Windows, we can't send a SIGINT to stop capturing, so none of this
188 * applies in any case.
190 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
191 * want to include it if it's not present on this platform, however.
193 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
194 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
196 # define MUST_DO_SELECT
197 # endif /* avoid select */
198 #endif /* HAVE_PCAP_BREAKLOOP */
200 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
201 * in pcap_dispatch(); on the other hand, select() works just fine there.
202 * Hence we use a select for that come what may.
204 #define MUST_DO_SELECT
207 /** init the capture filter */
210 INITFILTER_BAD_FILTER,
211 INITFILTER_OTHER_ERROR
212 } initfilter_status_t;
214 typedef struct _loop_data {
216 gboolean go; /* TRUE as long as we're supposed to keep capturing */
217 int err; /* if non-zero, error seen while capturing */
218 gint packet_count; /* Number of packets we have already captured */
219 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
220 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
222 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
225 /* pcap "input file" */
226 pcap_t *pcap_h; /* pcap handle */
227 gboolean pcap_err; /* TRUE if error from pcap */
228 #ifdef MUST_DO_SELECT
229 int pcap_fd; /* pcap file descriptor */
232 /* capture pipe (unix only "input file") */
233 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
234 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
235 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
237 HANDLE cap_pipe_h; /* The handle of the capture pipe */
239 int cap_pipe_fd; /* the file descriptor of the capture pipe */
241 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
242 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
244 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
245 #endif /* USE_THREADS */
246 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
247 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
249 STATE_EXPECT_REC_HDR,
254 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 guint32 autostop_files;
267 * Standard secondary message for unexpected errors.
269 static const char please_report[] =
270 "Please report this to the Wireshark developers.\n"
271 "(This is not a crash; please do not report it as such.)";
274 * This needs to be static, so that the SIGINT handler can clear the "go"
277 static loop_data global_ld;
281 * Timeout, in milliseconds, for reads from the stream of captured packets
282 * from a capture device.
284 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
285 * 64-bit applications, with sub-second timeouts not to work. The bug is
286 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
288 #if defined(__APPLE__) && defined(__LP64__)
289 static gboolean need_timeout_workaround;
291 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
293 #define CAP_READ_TIMEOUT 250
297 * Timeout, in microseconds, for reads from the stream of captured packets
298 * from a pipe. Pipes don't have the same problem that BPF devices do
299 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
300 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
301 * of the offending versions of Snow Leopard.
303 * XXX - why is it 100 for threaded capturing?
306 #define PIPE_READ_TIMEOUT 250000
308 #define PIPE_READ_TIMEOUT 100
310 static const char *cap_pipe_err_str;
313 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
314 const char *message, gpointer user_data _U_);
316 /* capture related options */
317 static capture_options global_capture_opts;
318 static gboolean quiet;
320 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
322 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
323 int err, gboolean is_close);
325 static void exit_main(int err) G_GNUC_NORETURN;
327 static void report_new_capture_file(const char *filename);
328 static void report_packet_count(int packet_count);
329 static void report_packet_drops(guint32 drops);
330 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
331 static void report_cfilter_error(const char *cfilter, const char *errmsg);
333 #define MSG_MAX_LENGTH 4096
336 print_usage(gboolean print_ver) {
344 "Dumpcap " VERSION "%s\n"
345 "Capture network packets and dump them into a libpcap file.\n"
346 "See http://www.wireshark.org for more information.\n",
347 wireshark_svnversion);
351 fprintf(output, "\nUsage: dumpcap [options] ...\n");
352 fprintf(output, "\n");
353 fprintf(output, "Capture interface:\n");
354 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
355 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
356 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
357 fprintf(output, " -p don't capture in promiscuous mode\n");
358 #ifdef HAVE_PCAP_CREATE
359 fprintf(output, " -I capture in monitor mode, if available\n");
361 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
362 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
364 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
365 fprintf(output, " -D print list of interfaces and exit\n");
366 fprintf(output, " -L print list of link-layer types of iface and exit\n");
367 #ifdef HAVE_BPF_IMAGE
368 fprintf(output, " -d print generated BPF code for capture filter\n");
370 fprintf(output, " -S print statistics for each interface once every second\n");
371 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
372 fprintf(output, "\n");
373 #ifdef HAVE_PCAP_REMOTE
374 fprintf(output, "\nRPCAP options:\n");
375 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
376 fprintf(output, " -u use UDP for RPCAP data transfer\n");
377 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
378 #ifdef HAVE_PCAP_SETSAMPLING
379 fprintf(output, " -m <sampling type> use packet sampling\n");
380 fprintf(output, " count:NUM - capture one packet of every NUM\n");
381 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
384 fprintf(output, "Stop conditions:\n");
385 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
386 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
387 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
388 fprintf(output, " files:NUM - stop after NUM files\n");
389 /*fprintf(output, "\n");*/
390 fprintf(output, "Output (files):\n");
391 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
392 fprintf(output, " -g enable group read access on the output file(s)\n");
393 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
394 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
395 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
396 fprintf(output, " -n use pcapng format instead of pcap\n");
397 /*fprintf(output, "\n");*/
398 fprintf(output, "Miscellaneous:\n");
399 fprintf(output, " -q don't report packet capture counts\n");
400 fprintf(output, " -v print version information and exit\n");
401 fprintf(output, " -h display this help and exit\n");
402 fprintf(output, "\n");
403 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
404 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
405 fprintf(output, "\n");
406 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
410 show_version(GString *comp_info_str, GString *runtime_info_str)
414 "Dumpcap " VERSION "%s\n"
419 "See http://www.wireshark.org for more information.\n",
420 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
424 * Print to the standard error. This is a command-line tool, so there's
425 * no need to pop up a console.
428 vfprintf_stderr(const char *fmt, va_list ap)
430 vfprintf(stderr, fmt, ap);
434 fprintf_stderr(const char *fmt, ...)
439 vfprintf_stderr(fmt, ap);
444 * Report an error in command-line arguments.
447 cmdarg_err(const char *fmt, ...)
453 /* Generate a 'special format' message back to parent */
455 msg = g_strdup_vprintf(fmt, ap);
456 sync_pipe_errmsg_to_parent(2, msg, "");
461 fprintf(stderr, "dumpcap: ");
462 vfprintf(stderr, fmt, ap);
463 fprintf(stderr, "\n");
469 * Report additional information for an error in command-line arguments.
472 cmdarg_err_cont(const char *fmt, ...)
479 msg = g_strdup_vprintf(fmt, ap);
480 sync_pipe_errmsg_to_parent(2, msg, "");
485 vfprintf(stderr, fmt, ap);
486 fprintf(stderr, "\n");
493 #if 0 /* Set to enable capability debugging */
494 /* see 'man cap_to_text()' for explanation of output */
495 /* '=' means 'all= ' ie: no capabilities */
496 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
498 print_caps(const char *pfx) {
499 cap_t caps = cap_get_proc();
500 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
501 "%s: EUID: %d Capabilities: %s", pfx,
502 geteuid(), cap_to_text(caps, NULL));
505 print_caps(const char *pfx _U_) {
510 relinquish_all_capabilities(void)
512 /* Drop any and all capabilities this process may have. */
513 /* Allowed whether or not process has any privileges. */
514 cap_t caps = cap_init(); /* all capabilities initialized to off */
515 print_caps("Pre-clear");
516 if (cap_set_proc(caps)) {
517 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
519 print_caps("Post-clear");
525 open_capture_device(capture_options *capture_opts,
526 char (*open_err_str)[PCAP_ERRBUF_SIZE])
529 #ifdef HAVE_PCAP_CREATE
532 #ifdef HAVE_PCAP_REMOTE
533 struct pcap_rmtauth auth;
536 /* Open the network interface to capture from it.
537 Some versions of libpcap may put warnings into the error buffer
538 if they succeed; to tell if that's happened, we have to clear
539 the error buffer, and check if it's still a null string. */
540 (*open_err_str)[0] = '\0';
541 #ifdef HAVE_PCAP_OPEN
543 * If we're opening a remote device, use pcap_open(); that's currently
544 * the only open routine that supports remote devices.
546 if (strncmp (capture_opts->iface, "rpcap://", 8) == 0) {
547 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
548 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
549 auth.username = capture_opts->auth_username;
550 auth.password = capture_opts->auth_password;
552 pcap_h = pcap_open(capture_opts->iface,
553 capture_opts->has_snaplen ? capture_opts->snaplen :
554 WTAP_MAX_PACKET_SIZE,
556 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
557 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
558 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
559 CAP_READ_TIMEOUT, &auth, *open_err_str);
561 #endif /* HAVE_PCAP_OPEN */
564 * If we're not opening a remote device, use pcap_create() and
565 * pcap_activate() if we have them, so that we can set the buffer
566 * size, otherwise use pcap_open_live().
568 #ifdef HAVE_PCAP_CREATE
569 pcap_h = pcap_create(capture_opts->iface, *open_err_str);
570 if (pcap_h != NULL) {
571 pcap_set_snaplen(pcap_h, capture_opts->has_snaplen ? capture_opts->snaplen : WTAP_MAX_PACKET_SIZE);
572 pcap_set_promisc(pcap_h, capture_opts->promisc_mode);
573 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
575 if (capture_opts->buffer_size > 1) {
576 pcap_set_buffer_size(pcap_h, capture_opts->buffer_size * 1024 * 1024);
578 if (capture_opts->monitor_mode)
579 pcap_set_rfmon(pcap_h, 1);
580 err = pcap_activate(pcap_h);
582 /* Failed to activate, set to NULL */
583 if (err == PCAP_ERROR)
584 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
586 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
592 pcap_h = pcap_open_live(capture_opts->iface,
593 capture_opts->has_snaplen ? capture_opts->snaplen :
594 WTAP_MAX_PACKET_SIZE,
595 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
600 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
601 /* to remove any suid privileges. */
602 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
603 /* (euid/egid have already previously been set to ruid/rgid. */
604 /* (See comment in main() for details) */
606 relinquish_special_privs_perm();
608 relinquish_all_capabilities();
615 get_capture_device_open_failure_messages(const char *open_err_str,
621 char *errmsg, size_t errmsg_len,
622 char *secondary_errmsg,
623 size_t secondary_errmsg_len)
625 const char *libpcap_warn;
626 static const char ppamsg[] = "can't find PPA for ";
628 /* If we got a "can't find PPA for X" message, warn the user (who
629 is running dumcap on HP-UX) that they don't have a version of
630 libpcap that properly handles HP-UX (libpcap 0.6.x and later
631 versions, which properly handle HP-UX, say "can't find /dev/dlpi
632 PPA for X" rather than "can't find PPA for X"). */
633 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
636 "You are running (T)Wireshark with a version of the libpcap library\n"
637 "that doesn't handle HP-UX network devices well; this means that\n"
638 "(T)Wireshark may not be able to capture packets.\n"
640 "To fix this, you should install libpcap 0.6.2, or a later version\n"
641 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
642 "packaged binary form from the Software Porting And Archive Centre\n"
643 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
644 "at the URL lists a number of mirror sites.";
647 g_snprintf(errmsg, (gulong) errmsg_len,
648 "The capture session could not be initiated (%s).", open_err_str);
650 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
651 "Please check to make sure you have sufficient permissions, and that you have "
652 "the proper interface or pipe specified.%s", libpcap_warn);
654 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
656 "Please check that \"%s\" is the proper interface.\n"
659 "Help can be found at:\n"
661 " http://wiki.wireshark.org/WinPcap\n"
662 " http://wiki.wireshark.org/CaptureSetup\n",
667 /* Set the data link type on a pcap. */
669 set_pcap_linktype(pcap_t *pcap_h, capture_options *capture_opts,
670 char *errmsg, size_t errmsg_len,
671 char *secondary_errmsg, size_t secondary_errmsg_len)
673 char *set_linktype_err_str;
675 if (capture_opts->linktype == -1)
676 return TRUE; /* just use the default */
677 #ifdef HAVE_PCAP_SET_DATALINK
678 if (pcap_set_datalink(pcap_h, capture_opts->linktype) == 0)
679 return TRUE; /* no error */
680 set_linktype_err_str = pcap_geterr(pcap_h);
682 /* Let them set it to the type it is; reject any other request. */
683 if (get_pcap_linktype(pcap_h, capture_opts->iface) == capture_opts->linktype)
684 return TRUE; /* no error */
685 set_linktype_err_str =
686 "That DLT isn't one of the DLTs supported by this device";
688 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
689 set_linktype_err_str);
691 * If the error isn't "XXX is not one of the DLTs supported by this device",
692 * tell the user to tell the Wireshark developers about it.
694 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
695 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
697 secondary_errmsg[0] = '\0';
702 compile_capture_filter(const char *iface, pcap_t *pcap_h,
703 struct bpf_program *fcode, char *cfilter)
705 bpf_u_int32 netnum, netmask;
706 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
708 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
710 * Well, we can't get the netmask for this interface; it's used
711 * only for filters that check for broadcast IP addresses, so
712 * we just punt and use 0. It might be nice to warn the user,
713 * but that's a pain in a GUI application, as it'd involve popping
714 * up a message box, and it's not clear how often this would make
715 * a difference (only filters that check for IP broadcast addresses
719 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
722 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
727 #ifdef HAVE_BPF_IMAGE
729 show_filter_code(capture_options *capture_opts)
732 gchar open_err_str[PCAP_ERRBUF_SIZE];
733 char errmsg[MSG_MAX_LENGTH+1];
734 char secondary_errmsg[MSG_MAX_LENGTH+1];
735 struct bpf_program fcode;
736 struct bpf_insn *insn;
739 pcap_h = open_capture_device(capture_opts, &open_err_str);
740 if (pcap_h == NULL) {
741 /* Open failed; get messages */
742 get_capture_device_open_failure_messages(open_err_str,
744 errmsg, sizeof errmsg,
746 sizeof secondary_errmsg);
747 /* And report them */
748 report_capture_error(errmsg, secondary_errmsg);
752 /* Set the link-layer type. */
753 if (!set_pcap_linktype(pcap_h, capture_opts, errmsg, sizeof errmsg,
754 secondary_errmsg, sizeof secondary_errmsg)) {
756 report_capture_error(errmsg, secondary_errmsg);
760 /* OK, try to compile the capture filter. */
761 if (!compile_capture_filter(capture_opts->iface, pcap_h, &fcode,
762 capture_opts->cfilter)) {
764 report_cfilter_error(capture_opts->cfilter, errmsg);
770 /* Let our parent know we succeeded. */
771 pipe_write_block(2, SP_SUCCESS, NULL);
774 /* Now print the filter code. */
775 insn = fcode.bf_insns;
777 for (i = 0; i < fcode.bf_len; insn++, i++)
778 printf("%s\n", bpf_image(insn, i));
784 * capture_interface_list() is expected to do the right thing to get
785 * a list of interfaces.
787 * In most of the programs in the Wireshark suite, "the right thing"
788 * is to run dumpcap and ask it for the list, because dumpcap may
789 * be the only program in the suite with enough privileges to get
792 * In dumpcap itself, however, we obviously can't run dumpcap to
793 * ask for the list. Therefore, our capture_interface_list() should
794 * just call get_interface_list().
797 capture_interface_list(int *err, char **err_str)
799 return get_interface_list(err, err_str);
803 * Get the data-link type for a libpcap device.
804 * This works around AIX 5.x's non-standard and incompatible-with-the-
805 * rest-of-the-universe libpcap.
808 get_pcap_linktype(pcap_t *pch, const char *devname
816 const char *ifacename;
819 linktype = pcap_datalink(pch);
823 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
824 * rather than DLT_ values for link-layer types; the ifType values
825 * for LAN devices are:
832 * and the ifType value for a loopback device is 24.
834 * The AIX names for LAN devices begin with:
841 * and the AIX names for loopback devices begin with "lo".
843 * (The difference between "Ethernet" and "802.3" is presumably
844 * whether packets have an Ethernet header, with a packet type,
845 * or an 802.3 header, with a packet length, followed by an 802.2
846 * header and possibly a SNAP header.)
848 * If the device name matches "linktype" interpreted as an ifType
849 * value, rather than as a DLT_ value, we will assume this is AIX's
850 * non-standard, incompatible libpcap, rather than a standard libpcap,
851 * and will map the link-layer type to the standard DLT_ value for
852 * that link-layer type, as that's what the rest of Wireshark expects.
854 * (This means the capture files won't be readable by a tcpdump
855 * linked with AIX's non-standard libpcap, but so it goes. They
856 * *will* be readable by standard versions of tcpdump, Wireshark,
859 * XXX - if we conclude we're using AIX libpcap, should we also
860 * set a flag to cause us to assume the time stamps are in
861 * seconds-and-nanoseconds form, and to convert them to
862 * seconds-and-microseconds form before processing them and
867 * Find the last component of the device name, which is the
870 ifacename = strchr(devname, '/');
871 if (ifacename == NULL)
874 /* See if it matches any of the LAN device names. */
875 if (strncmp(ifacename, "en", 2) == 0) {
878 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
882 } else if (strncmp(ifacename, "et", 2) == 0) {
885 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
886 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
891 } else if (strncmp(ifacename, "tr", 2) == 0) {
894 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
895 * DLT_IEEE802, which is what's used for Token Ring.
899 } else if (strncmp(ifacename, "fi", 2) == 0) {
900 if (linktype == 15) {
902 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
906 } else if (strncmp(ifacename, "lo", 2) == 0) {
907 if (linktype == 24) {
909 * That's the RFC 1573 value for "software loopback" devices; map it
910 * to DLT_NULL, which is what's used for loopback devices on BSD.
920 static data_link_info_t *
921 create_data_link_info(int dlt)
923 data_link_info_t *data_link_info;
926 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
927 data_link_info->dlt = dlt;
928 text = pcap_datalink_val_to_name(dlt);
930 data_link_info->name = g_strdup(text);
932 data_link_info->name = g_strdup_printf("DLT %d", dlt);
933 text = pcap_datalink_val_to_description(dlt);
935 data_link_info->description = g_strdup(text);
937 data_link_info->description = NULL;
938 return data_link_info;
942 * Get the capabilities of a network device.
944 static if_capabilities_t *
945 get_if_capabilities(const char *devname, gboolean monitor_mode
946 #ifndef HAVE_PCAP_CREATE
951 if_capabilities_t *caps;
952 char errbuf[PCAP_ERRBUF_SIZE];
954 #ifdef HAVE_PCAP_CREATE
958 #ifdef HAVE_PCAP_LIST_DATALINKS
962 data_link_info_t *data_link_info;
965 * Allocate the interface capabilities structure.
967 caps = g_malloc(sizeof *caps);
969 #ifdef HAVE_PCAP_OPEN
970 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
971 caps->can_set_rfmon = FALSE;
974 *err_str = g_strdup(errbuf);
978 #elif defined(HAVE_PCAP_CREATE)
979 pch = pcap_create(devname, errbuf);
982 *err_str = g_strdup(errbuf);
986 status = pcap_can_set_rfmon(pch);
989 if (status == PCAP_ERROR)
990 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
993 *err_str = g_strdup(pcap_statustostr(status));
999 caps->can_set_rfmon = FALSE;
1000 else if (status == 1) {
1001 caps->can_set_rfmon = TRUE;
1003 pcap_set_rfmon(pch, 1);
1005 if (err_str != NULL) {
1006 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1014 status = pcap_activate(pch);
1016 /* Error. We ignore warnings (status > 0). */
1017 if (err_str != NULL) {
1018 if (status == PCAP_ERROR)
1019 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1022 *err_str = g_strdup(pcap_statustostr(status));
1029 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1030 caps->can_set_rfmon = FALSE;
1032 if (err_str != NULL)
1033 *err_str = g_strdup(errbuf);
1038 deflt = get_pcap_linktype(pch, devname);
1039 #ifdef HAVE_PCAP_LIST_DATALINKS
1040 nlt = pcap_list_datalinks(pch, &linktypes);
1041 if (nlt == 0 || linktypes == NULL) {
1043 if (err_str != NULL)
1044 *err_str = NULL; /* an empty list doesn't mean an error */
1047 caps->data_link_types = NULL;
1048 for (i = 0; i < nlt; i++) {
1049 data_link_info = create_data_link_info(linktypes[i]);
1052 * XXX - for 802.11, make the most detailed 802.11
1053 * version the default, rather than the one the
1054 * device has as the default?
1056 if (linktypes[i] == deflt)
1057 caps->data_link_types = g_list_prepend(caps->data_link_types,
1060 caps->data_link_types = g_list_append(caps->data_link_types,
1063 #ifdef HAVE_PCAP_FREE_DATALINKS
1064 pcap_free_datalinks(linktypes);
1067 * In Windows, there's no guarantee that if you have a library
1068 * built with one version of the MSVC++ run-time library, and
1069 * it returns a pointer to allocated data, you can free that
1070 * data from a program linked with another version of the
1071 * MSVC++ run-time library.
1073 * This is not an issue on UN*X.
1075 * See the mail threads starting at
1077 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1081 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1084 #define xx_free free /* hack so checkAPIs doesn't complain */
1087 #endif /* HAVE_PCAP_FREE_DATALINKS */
1088 #else /* HAVE_PCAP_LIST_DATALINKS */
1090 data_link_info = create_data_link_info(deflt);
1091 caps->data_link_types = g_list_append(caps->data_link_types,
1093 #endif /* HAVE_PCAP_LIST_DATALINKS */
1097 if (err_str != NULL)
1102 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1104 print_machine_readable_interfaces(GList *if_list)
1111 char addr_str[ADDRSTRLEN];
1113 if (capture_child) {
1114 /* Let our parent know we succeeded. */
1115 pipe_write_block(2, SP_SUCCESS, NULL);
1118 i = 1; /* Interface id number */
1119 for (if_entry = g_list_first(if_list); if_entry != NULL;
1120 if_entry = g_list_next(if_entry)) {
1121 if_info = (if_info_t *)if_entry->data;
1122 printf("%d. %s", i++, if_info->name);
1125 * Print the contents of the if_entry struct in a parseable format.
1126 * Each if_entry element is tab-separated. Addresses are comma-
1129 /* XXX - Make sure our description doesn't contain a tab */
1130 if (if_info->description != NULL)
1131 printf("\t%s\t", if_info->description);
1135 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1136 addr = g_slist_next(addr)) {
1137 if (addr != g_slist_nth(if_info->addrs, 0))
1140 if_addr = (if_addr_t *)addr->data;
1141 switch(if_addr->ifat_type) {
1143 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1145 printf("%s", addr_str);
1147 printf("<unknown IPv4>");
1151 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1152 addr_str, ADDRSTRLEN)) {
1153 printf("%s", addr_str);
1155 printf("<unknown IPv6>");
1159 printf("<type unknown %u>", if_addr->ifat_type);
1163 if (if_info->loopback)
1164 printf("\tloopback");
1166 printf("\tnetwork");
1173 * If you change the machine-readable output format of this function,
1174 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1177 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1180 data_link_info_t *data_link_info;
1181 const gchar *desc_str;
1183 if (capture_child) {
1184 /* Let our parent know we succeeded. */
1185 pipe_write_block(2, SP_SUCCESS, NULL);
1188 if (caps->can_set_rfmon)
1192 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1193 lt_entry = g_list_next(lt_entry)) {
1194 data_link_info = (data_link_info_t *)lt_entry->data;
1195 if (data_link_info->description != NULL)
1196 desc_str = data_link_info->description;
1198 desc_str = "(not supported)";
1199 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1209 /* Print the number of packets captured for each interface until we're killed. */
1211 print_statistics_loop(gboolean machine_readable)
1213 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1219 char errbuf[PCAP_ERRBUF_SIZE];
1220 struct pcap_stat ps;
1222 if_list = get_interface_list(&err, &err_str);
1223 if (if_list == NULL) {
1225 case CANT_GET_INTERFACE_LIST:
1226 cmdarg_err("%s", err_str);
1230 case NO_INTERFACES_FOUND:
1231 cmdarg_err("There are no interfaces on which a capture can be done");
1237 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1238 if_info = (if_info_t *)if_entry->data;
1239 #ifdef HAVE_PCAP_OPEN
1240 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1242 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1246 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1247 if_stat->name = g_strdup(if_info->name);
1249 stat_list = g_list_append(stat_list, if_stat);
1254 cmdarg_err("There are no interfaces on which a capture can be done");
1258 if (capture_child) {
1259 /* Let our parent know we succeeded. */
1260 pipe_write_block(2, SP_SUCCESS, NULL);
1263 if (!machine_readable) {
1264 printf("%-15s %10s %10s\n", "Interface", "Received",
1268 global_ld.go = TRUE;
1269 while (global_ld.go) {
1270 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1271 if_stat = (if_stat_t *)stat_entry->data;
1272 pcap_stats(if_stat->pch, &ps);
1274 if (!machine_readable) {
1275 printf("%-15s %10u %10u\n", if_stat->name,
1276 ps.ps_recv, ps.ps_drop);
1278 printf("%s\t%u\t%u\n", if_stat->name,
1279 ps.ps_recv, ps.ps_drop);
1284 if (! global_ld.from_cap_pipe)
1291 /* XXX - Not reached. Should we look for 'q' in stdin? */
1292 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1293 if_stat = (if_stat_t *)stat_entry->data;
1294 pcap_close(if_stat->pch);
1295 g_free(if_stat->name);
1298 g_list_free(stat_list);
1299 free_interface_list(if_list);
1307 capture_cleanup_handler(DWORD dwCtrlType)
1309 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1310 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1311 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1312 like SIGTERM at least when the machine's shutting down.
1314 For now, if we're running as a command rather than a capture child,
1315 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1316 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1317 in that way on UN*X.
1319 If we're not running as a capture child, we might be running as
1320 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1321 user logs out. (XXX - can we explicitly check whether we're
1322 running as a service?) */
1324 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1325 "Console: Control signal");
1326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1327 "Console: Control signal, CtrlType: %u", dwCtrlType);
1329 /* Keep capture running if we're a service and a user logs off */
1330 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1331 capture_loop_stop();
1339 capture_cleanup_handler(int signum _U_)
1341 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1342 SIGTERM. We assume that if the user wanted it to keep running
1343 after they logged out, they'd have nohupped it. */
1345 /* Note: don't call g_log() in the signal handler: if we happened to be in
1346 * g_log() in process context when the signal came in, g_log will detect
1347 * the "recursion" and abort.
1350 capture_loop_stop();
1359 /* Don't print this if we're a capture child. */
1360 if (!capture_child) {
1362 /* Report the count only if we aren't printing a packet count
1363 as packets arrive. */
1364 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
1365 plurality(global_ld.packet_count, "", "s"));
1368 infoprint = FALSE; /* we just reported it */
1372 report_counts_siginfo(int signum _U_)
1374 int sav_errno = errno;
1376 /* If we've been told to delay printing, just set a flag asking
1377 that we print counts (if we're supposed to), otherwise print
1378 the count of packets captured (if we're supposed to). */
1385 #endif /* SIGINFO */
1387 static void exit_main(int status)
1390 /* Shutdown windows sockets */
1393 /* can be helpful for debugging */
1394 #ifdef DEBUG_DUMPCAP
1395 printf("Press any key\n");
1406 * If we were linked with libcap (not libpcap), make sure we have
1407 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1408 * (See comment in main() for details)
1411 relinquish_privs_except_capture(void)
1413 /* If 'started_with_special_privs' (ie: suid) then enable for
1414 * ourself the NET_ADMIN and NET_RAW capabilities and then
1415 * drop our suid privileges.
1417 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1418 * stuff we don't need (and shouldn't have).
1419 * CAP_NET_RAW: Packet capture (raw sockets).
1422 if (started_with_special_privs()) {
1423 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1424 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1426 cap_t caps = cap_init(); /* all capabilities initialized to off */
1428 print_caps("Pre drop, pre set");
1430 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1431 cmdarg_err("prctl() fail return: %s", strerror(errno));
1434 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1435 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1437 if (cap_set_proc(caps)) {
1438 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1440 print_caps("Pre drop, post set");
1442 relinquish_special_privs_perm();
1444 print_caps("Post drop, pre set");
1445 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1446 if (cap_set_proc(caps)) {
1447 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1449 print_caps("Post drop, post set");
1455 #endif /* HAVE_LIBCAP */
1457 /* Take care of byte order in the libpcap headers read from pipes.
1458 * (function taken from wiretap/libpcap.c) */
1460 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1463 /* Byte-swap the record header fields. */
1464 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1465 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1466 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1467 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1470 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1471 swapped, in order to match the BPF header layout.
1473 Unfortunately, some files were, according to a comment in the "libpcap"
1474 source, written with version 2.3 in their headers but without the
1475 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1476 would make no sense - we assume that we need to swap them. */
1477 if (hdr->version_major == 2 &&
1478 (hdr->version_minor < 3 ||
1479 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1482 temp = rechdr->orig_len;
1483 rechdr->orig_len = rechdr->incl_len;
1484 rechdr->incl_len = temp;
1490 * Thread function that reads from a pipe and pushes the data
1491 * to the main application thread.
1494 * XXX Right now we use async queues for basic signaling. The main thread
1495 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1496 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1497 * Iff the read is successful cap_pipe_read pushes an item onto
1498 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1499 * the queues themselves (yet).
1501 * We might want to move some of the cap_pipe_dispatch logic here so that
1502 * we can let cap_pipe_read run independently, queuing up multiple reads
1503 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1505 static void *cap_pipe_read(void *ld_ptr) {
1506 loop_data *ld = (loop_data *)ld_ptr;
1515 while (ld->cap_pipe_err == PIPOK) {
1516 g_async_queue_pop(cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1517 g_mutex_lock(cap_pipe_read_mtx);
1519 while (bytes_read < (int) ld->cap_pipe_bytes_to_read) {
1521 /* If we try to use read() on a named pipe on Windows with partial
1522 * data it appears to return EOF.
1524 res = ReadFile(ld->cap_pipe_h, ld->cap_pipe_buf+bytes_read,
1525 ld->cap_pipe_bytes_to_read - bytes_read,
1530 last_err = GetLastError();
1531 if (last_err == ERROR_MORE_DATA) {
1533 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1534 ld->cap_pipe_err = PIPEOF;
1538 ld->cap_pipe_err = PIPERR;
1541 } else if (b == 0 && ld->cap_pipe_bytes_to_read > 0) {
1542 ld->cap_pipe_err = PIPEOF;
1547 b = read(ld->cap_pipe_fd, ld->cap_pipe_buf+bytes_read,
1548 ld->cap_pipe_bytes_to_read - bytes_read);
1551 ld->cap_pipe_err = PIPEOF;
1555 ld->cap_pipe_err = PIPERR;
1564 ld->cap_pipe_bytes_read = bytes_read;
1565 if (ld->cap_pipe_bytes_read >= ld->cap_pipe_bytes_to_read) {
1566 g_async_queue_push(cap_pipe_done_q, ld->cap_pipe_buf); /* Any non-NULL value will do */
1568 g_mutex_unlock(cap_pipe_read_mtx);
1572 #endif /* USE_THREADS */
1574 /* Provide select() functionality for a single file descriptor
1575 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1577 * Returns the same values as select. If an error is returned,
1578 * the string cap_pipe_err_str should be used instead of errno.
1581 cap_pipe_select(int pipe_fd) {
1583 struct timeval timeout;
1586 cap_pipe_err_str = "Unknown error";
1589 FD_SET(pipe_fd, &rfds);
1591 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1592 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1594 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1596 cap_pipe_err_str = strerror(errno);
1601 /* Mimic pcap_open_live() for pipe captures
1603 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1604 * open it, and read the header.
1606 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1607 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1609 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1610 char *errmsg, int errmsgl)
1613 struct stat pipe_stat;
1614 struct sockaddr_un sa;
1617 unsigned int bytes_read;
1628 ld->cap_pipe_fd = -1;
1630 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
1632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1635 * XXX - this blocks until a pcap per-file header has been written to
1636 * the pipe, so it could block indefinitely.
1638 if (strcmp(pipename, "-") == 0) {
1640 fd = 0; /* read from stdin */
1642 ld->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1646 if (ws_stat(pipename, &pipe_stat) < 0) {
1647 if (errno == ENOENT || errno == ENOTDIR)
1648 ld->cap_pipe_err = PIPNEXIST;
1650 g_snprintf(errmsg, errmsgl,
1651 "The capture session could not be initiated "
1652 "due to error getting information on pipe/socket: %s", strerror(errno));
1653 ld->cap_pipe_err = PIPERR;
1657 if (S_ISFIFO(pipe_stat.st_mode)) {
1658 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1660 g_snprintf(errmsg, errmsgl,
1661 "The capture session could not be initiated "
1662 "due to error on pipe open: %s", strerror(errno));
1663 ld->cap_pipe_err = PIPERR;
1666 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1667 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1669 g_snprintf(errmsg, errmsgl,
1670 "The capture session could not be initiated "
1671 "due to error on socket create: %s", strerror(errno));
1672 ld->cap_pipe_err = PIPERR;
1675 sa.sun_family = AF_UNIX;
1677 * The Single UNIX Specification says:
1679 * The size of sun_path has intentionally been left undefined.
1680 * This is because different implementations use different sizes.
1681 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1682 * of 104. Since most implementations originate from BSD versions,
1683 * the size is typically in the range 92 to 108.
1685 * Applications should not assume a particular length for sun_path
1686 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1690 * The <sys/un.h> header shall define the sockaddr_un structure,
1691 * which shall include at least the following members:
1693 * sa_family_t sun_family Address family.
1694 * char sun_path[] Socket pathname.
1696 * so we assume that it's an array, with a specified size,
1697 * and that the size reflects the maximum path length.
1699 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1700 /* Path name too long */
1701 g_snprintf(errmsg, errmsgl,
1702 "The capture session coud not be initiated "
1703 "due to error on socket connect: Path name too long");
1704 ld->cap_pipe_err = PIPERR;
1707 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1709 g_snprintf(errmsg, errmsgl,
1710 "The capture session coud not be initiated "
1711 "due to error on socket connect: %s", strerror(errno));
1712 ld->cap_pipe_err = PIPERR;
1716 if (S_ISCHR(pipe_stat.st_mode)) {
1718 * Assume the user specified an interface on a system where
1719 * interfaces are in /dev. Pretend we haven't seen it.
1721 ld->cap_pipe_err = PIPNEXIST;
1724 g_snprintf(errmsg, errmsgl,
1725 "The capture session could not be initiated because\n"
1726 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1727 ld->cap_pipe_err = PIPERR;
1732 #define PIPE_STR "\\pipe\\"
1733 /* Under Windows, named pipes _must_ have the form
1734 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1736 pncopy = g_strdup(pipename);
1737 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1738 pos = strchr(pncopy + 3, '\\');
1739 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1746 g_snprintf(errmsg, errmsgl,
1747 "The capture session could not be initiated because\n"
1748 "\"%s\" is neither an interface nor a pipe", pipename);
1749 ld->cap_pipe_err = PIPNEXIST;
1753 /* Wait for the pipe to appear */
1755 ld->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1756 OPEN_EXISTING, 0, NULL);
1758 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE)
1761 if (GetLastError() != ERROR_PIPE_BUSY) {
1762 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1763 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1764 g_snprintf(errmsg, errmsgl,
1765 "The capture session on \"%s\" could not be started "
1766 "due to error on pipe open: %s (error %d)",
1767 pipename, utf_16to8(err_str), GetLastError());
1769 ld->cap_pipe_err = PIPERR;
1773 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1774 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1775 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1776 g_snprintf(errmsg, errmsgl,
1777 "The capture session on \"%s\" timed out during "
1778 "pipe open: %s (error %d)",
1779 pipename, utf_16to8(err_str), GetLastError());
1781 ld->cap_pipe_err = PIPERR;
1788 ld->from_cap_pipe = TRUE;
1791 /* read the pcap header */
1793 while (bytes_read < sizeof magic) {
1794 sel_ret = cap_pipe_select(fd);
1796 g_snprintf(errmsg, errmsgl,
1797 "Unexpected error from select: %s", strerror(errno));
1799 } else if (sel_ret > 0) {
1800 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1803 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1805 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1812 #else /* USE_THREADS */
1813 g_thread_create(&cap_pipe_read, ld, FALSE, NULL);
1815 ld->cap_pipe_buf = (char *) &magic;
1816 ld->cap_pipe_bytes_read = 0;
1817 ld->cap_pipe_bytes_to_read = sizeof(magic);
1818 /* We don't have to worry about cap_pipe_read_mtx here */
1819 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1820 g_async_queue_pop(cap_pipe_done_q);
1821 if (ld->cap_pipe_bytes_read <= 0) {
1822 if (ld->cap_pipe_bytes_read == 0)
1823 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1825 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1830 #endif /* USE_THREADS */
1834 /* Host that wrote it has our byte order, and was running
1835 a program using either standard or ss990417 libpcap. */
1836 ld->cap_pipe_byte_swapped = FALSE;
1837 ld->cap_pipe_modified = FALSE;
1839 case PCAP_MODIFIED_MAGIC:
1840 /* Host that wrote it has our byte order, but was running
1841 a program using either ss990915 or ss991029 libpcap. */
1842 ld->cap_pipe_byte_swapped = FALSE;
1843 ld->cap_pipe_modified = TRUE;
1845 case PCAP_SWAPPED_MAGIC:
1846 /* Host that wrote it has a byte order opposite to ours,
1847 and was running a program using either standard or
1848 ss990417 libpcap. */
1849 ld->cap_pipe_byte_swapped = TRUE;
1850 ld->cap_pipe_modified = FALSE;
1852 case PCAP_SWAPPED_MODIFIED_MAGIC:
1853 /* Host that wrote it out has a byte order opposite to
1854 ours, and was running a program using either ss990915
1855 or ss991029 libpcap. */
1856 ld->cap_pipe_byte_swapped = TRUE;
1857 ld->cap_pipe_modified = TRUE;
1860 /* Not a "libpcap" type we know about. */
1861 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1866 /* Read the rest of the header */
1868 while (bytes_read < sizeof(struct pcap_hdr)) {
1869 sel_ret = cap_pipe_select(fd);
1871 g_snprintf(errmsg, errmsgl,
1872 "Unexpected error from select: %s", strerror(errno));
1874 } else if (sel_ret > 0) {
1875 b = read(fd, ((char *)hdr)+bytes_read,
1876 sizeof(struct pcap_hdr) - bytes_read);
1879 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1881 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1888 #else /* USE_THREADS */
1889 ld->cap_pipe_buf = (char *) hdr;
1890 ld->cap_pipe_bytes_read = 0;
1891 ld->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1892 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1893 g_async_queue_pop(cap_pipe_done_q);
1894 if (ld->cap_pipe_bytes_read <= 0) {
1895 if (ld->cap_pipe_bytes_read == 0)
1896 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1898 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1902 #endif /* USE_THREADS */
1904 if (ld->cap_pipe_byte_swapped) {
1905 /* Byte-swap the header fields about which we care. */
1906 hdr->version_major = BSWAP16(hdr->version_major);
1907 hdr->version_minor = BSWAP16(hdr->version_minor);
1908 hdr->snaplen = BSWAP32(hdr->snaplen);
1909 hdr->network = BSWAP32(hdr->network);
1911 ld->linktype = hdr->network;
1913 if (hdr->version_major < 2) {
1914 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1918 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1919 ld->cap_pipe_err = PIPOK;
1921 ld->cap_pipe_fd = fd;
1926 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1927 ld->cap_pipe_err = PIPERR;
1930 ld->cap_pipe_fd = -1;
1937 /* We read one record from the pipe, take care of byte order in the record
1938 * header, write the record to the capture file, and update capture statistics. */
1940 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1942 struct pcap_pkthdr phdr;
1943 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1955 #ifdef LOG_CAPTURE_VERBOSE
1956 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1959 switch (ld->cap_pipe_state) {
1961 case STATE_EXPECT_REC_HDR:
1963 if (g_mutex_trylock(cap_pipe_read_mtx)) {
1966 ld->cap_pipe_state = STATE_READ_REC_HDR;
1967 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1968 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1969 ld->cap_pipe_bytes_read = 0;
1972 ld->cap_pipe_buf = (char *) &ld->cap_pipe_rechdr;
1973 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1974 g_mutex_unlock(cap_pipe_read_mtx);
1979 case STATE_READ_REC_HDR:
1981 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1982 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1985 result = PD_PIPE_EOF;
1987 result = PD_PIPE_ERR;
1990 ld->cap_pipe_bytes_read += b;
1991 #else /* USE_THREADS */
1992 g_get_current_time(&wait_time);
1993 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
1994 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
1995 if (ld->cap_pipe_err == PIPEOF) {
1996 result = PD_PIPE_EOF;
1998 } else if (ld->cap_pipe_err == PIPERR) {
1999 result = PD_PIPE_ERR;
2005 #endif /* USE_THREADS */
2006 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2008 result = PD_REC_HDR_READ;
2011 case STATE_EXPECT_DATA:
2013 if (g_mutex_trylock(cap_pipe_read_mtx)) {
2016 ld->cap_pipe_state = STATE_READ_DATA;
2017 ld->cap_pipe_bytes_to_read = ld->cap_pipe_rechdr.hdr.incl_len;
2018 ld->cap_pipe_bytes_read = 0;
2021 ld->cap_pipe_buf = (char *) data;
2022 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
2023 g_mutex_unlock(cap_pipe_read_mtx);
2028 case STATE_READ_DATA:
2030 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
2031 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
2034 result = PD_PIPE_EOF;
2036 result = PD_PIPE_ERR;
2039 ld->cap_pipe_bytes_read += b;
2040 #else /* USE_THREADS */
2041 g_get_current_time(&wait_time);
2042 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2043 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2044 if (ld->cap_pipe_err == PIPEOF) {
2045 result = PD_PIPE_EOF;
2047 } else if (ld->cap_pipe_err == PIPERR) {
2048 result = PD_PIPE_ERR;
2054 #endif /* USE_THREADS */
2055 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2057 result = PD_DATA_READ;
2061 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2064 } /* switch (ld->cap_pipe_state) */
2067 * We've now read as much data as we were expecting, so process it.
2071 case PD_REC_HDR_READ:
2072 /* We've read the header. Take care of byte order. */
2073 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
2074 &ld->cap_pipe_rechdr.hdr);
2075 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2076 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2077 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
2080 ld->cap_pipe_state = STATE_EXPECT_DATA;
2084 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2085 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
2086 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
2087 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
2088 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
2090 capture_loop_packet_cb((u_char *)ld, &phdr, data);
2092 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
2096 ld->cap_pipe_err = PIPEOF;
2101 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2102 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2103 g_snprintf(errmsg, errmsgl,
2104 "Error reading from pipe: %s (error %d)",
2105 utf_16to8(err_str), GetLastError());
2108 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2116 ld->cap_pipe_err = PIPERR;
2117 /* Return here rather than inside the switch to prevent GCC warning */
2122 /** Open the capture input file (pcap or capture pipe).
2123 * Returns TRUE if it succeeds, FALSE otherwise. */
2125 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2126 char *errmsg, size_t errmsg_len,
2127 char *secondary_errmsg, size_t secondary_errmsg_len)
2129 gchar open_err_str[PCAP_ERRBUF_SIZE];
2130 gchar *sync_msg_str;
2133 gchar *sync_secondary_msg_str;
2134 WORD wVersionRequested;
2138 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
2141 /* XXX - opening Winsock on tshark? */
2143 /* Initialize Windows Socket if we are in a WIN32 OS
2144 This needs to be done before querying the interface for network/netmask */
2146 /* XXX - do we really require 1.1 or earlier?
2147 Are there any versions that support only 2.0 or higher? */
2148 wVersionRequested = MAKEWORD(1, 1);
2149 err = WSAStartup(wVersionRequested, &wsaData);
2153 case WSASYSNOTREADY:
2154 g_snprintf(errmsg, (gulong) errmsg_len,
2155 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2158 case WSAVERNOTSUPPORTED:
2159 g_snprintf(errmsg, (gulong) errmsg_len,
2160 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2161 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2164 case WSAEINPROGRESS:
2165 g_snprintf(errmsg, (gulong) errmsg_len,
2166 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2170 g_snprintf(errmsg, (gulong) errmsg_len,
2171 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2175 g_snprintf(errmsg, (gulong) errmsg_len,
2176 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2180 g_snprintf(errmsg, (gulong) errmsg_len,
2181 "Couldn't initialize Windows Sockets: error %d", err);
2184 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2189 ld->pcap_h = open_capture_device(capture_opts, &open_err_str);
2191 if (ld->pcap_h != NULL) {
2192 /* we've opened "iface" as a network device */
2194 /* try to set the capture buffer size */
2195 if (capture_opts->buffer_size > 1 &&
2196 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
2197 sync_secondary_msg_str = g_strdup_printf(
2198 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2199 "the default of 1MB will be used.\n"
2201 "Nonetheless, the capture is started.\n",
2202 capture_opts->buffer_size);
2203 report_capture_error("Couldn't set the capture buffer size!",
2204 sync_secondary_msg_str);
2205 g_free(sync_secondary_msg_str);
2209 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
2210 if ((capture_opts->sampling_method != CAPTURE_SAMP_NONE) &&
2211 (strncmp (capture_opts->iface, "rpcap://", 8) == 0))
2213 struct pcap_samp *samp;
2215 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
2217 switch (capture_opts->sampling_method)
2219 case CAPTURE_SAMP_BY_COUNT:
2220 samp->method = PCAP_SAMP_1_EVERY_N;
2223 case CAPTURE_SAMP_BY_TIMER:
2224 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2228 sync_msg_str = g_strdup_printf(
2229 "Unknown sampling method %d specified,\n"
2230 "continue without packet sampling",
2231 capture_opts->sampling_method);
2232 report_capture_error("Couldn't set the capture "
2233 "sampling", sync_msg_str);
2234 g_free(sync_msg_str);
2236 samp->value = capture_opts->sampling_param;
2240 report_capture_error("Couldn't set the capture sampling",
2241 "Cannot get packet sampling data structure");
2247 /* setting the data link type only works on real interfaces */
2248 if (!set_pcap_linktype(ld->pcap_h, capture_opts, errmsg, errmsg_len,
2249 secondary_errmsg, secondary_errmsg_len))
2251 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
2253 /* We couldn't open "iface" as a network device. */
2254 /* Try to open it as a pipe */
2255 cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
2258 if (ld->cap_pipe_fd == -1) {
2260 if (ld->cap_pipe_h == INVALID_HANDLE_VALUE) {
2263 if (ld->cap_pipe_err == PIPNEXIST) {
2264 /* Pipe doesn't exist, so output message for interface */
2265 get_capture_device_open_failure_messages(open_err_str,
2266 capture_opts->iface,
2270 secondary_errmsg_len);
2273 * Else pipe (or file) does exist and cap_pipe_open_live() has
2278 /* cap_pipe_open_live() succeeded; don't want
2279 error message from pcap_open_live() */
2280 open_err_str[0] = '\0';
2283 /* XXX - will this work for tshark? */
2284 #ifdef MUST_DO_SELECT
2285 if (!ld->from_cap_pipe) {
2286 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2287 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
2289 ld->pcap_fd = pcap_fileno(ld->pcap_h);
2294 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2295 returned a warning; print it, but keep capturing. */
2296 if (open_err_str[0] != '\0') {
2297 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2298 report_capture_error(sync_msg_str, "");
2299 g_free(sync_msg_str);
2305 /* close the capture input file (pcap or capture pipe) */
2306 static void capture_loop_close_input(loop_data *ld) {
2308 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2310 /* if open, close the capture pipe "input file" */
2312 if (ld->cap_pipe_fd >= 0) {
2313 g_assert(ld->from_cap_pipe);
2314 ws_close(ld->cap_pipe_fd);
2315 ld->cap_pipe_fd = 0;
2318 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE) {
2319 CloseHandle(ld->cap_pipe_h);
2320 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
2324 /* if open, close the pcap "input file" */
2325 if(ld->pcap_h != NULL) {
2326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)ld->pcap_h);
2327 g_assert(!ld->from_cap_pipe);
2328 pcap_close(ld->pcap_h);
2335 /* Shut down windows sockets */
2341 /* init the capture filter */
2342 static initfilter_status_t
2343 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2344 gchar * iface, gchar * cfilter)
2346 struct bpf_program fcode;
2348 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2350 /* capture filters only work on real interfaces */
2351 if (cfilter && !from_cap_pipe) {
2352 /* A capture filter was specified; set it up. */
2353 if (!compile_capture_filter(iface, pcap_h, &fcode, cfilter)) {
2354 /* Treat this specially - our caller might try to compile this
2355 as a display filter and, if that succeeds, warn the user that
2356 the display and capture filter syntaxes are different. */
2357 return INITFILTER_BAD_FILTER;
2359 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2360 #ifdef HAVE_PCAP_FREECODE
2361 pcap_freecode(&fcode);
2363 return INITFILTER_OTHER_ERROR;
2365 #ifdef HAVE_PCAP_FREECODE
2366 pcap_freecode(&fcode);
2370 return INITFILTER_NO_ERROR;
2374 /* set up to write to the already-opened capture output file/files */
2376 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
2380 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2383 if (ld->from_cap_pipe) {
2384 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
2387 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
2390 /* Set up to write to the capture file. */
2391 if (capture_opts->multi_files_on) {
2392 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2394 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2397 gboolean successful;
2399 ld->bytes_written = 0;
2400 if (capture_opts->use_pcapng) {
2403 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2404 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err) &&
2405 libpcap_write_interface_description_block(ld->pdh, capture_opts->iface, capture_opts->cfilter, ld->linktype, ld->file_snaplen, &ld->bytes_written, &err);
2407 successful = libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
2408 &ld->bytes_written, &err);
2416 if (ld->pdh == NULL) {
2417 /* We couldn't set up to write to the capture file. */
2418 /* XXX - use cf_open_error_message from tshark instead? */
2421 case WTAP_ERR_CANT_OPEN:
2422 g_snprintf(errmsg, errmsg_len, "The file to which the capture would be saved"
2423 " couldn't be created for some unknown reason.");
2426 case WTAP_ERR_SHORT_WRITE:
2427 g_snprintf(errmsg, errmsg_len, "A full header couldn't be written to the file"
2428 " to which the capture would be saved.");
2433 g_snprintf(errmsg, errmsg_len,
2434 "The file to which the capture would be"
2435 " saved (\"%s\") could not be opened: Error %d.",
2436 capture_opts->save_file, err);
2438 g_snprintf(errmsg, errmsg_len,
2439 "The file to which the capture would be"
2440 " saved (\"%s\") could not be opened: %s.",
2441 capture_opts->save_file, strerror(err));
2453 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
2455 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2457 if (capture_opts->multi_files_on) {
2458 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2460 if (capture_opts->use_pcapng) {
2461 libpcap_write_interface_statistics_block(ld->pdh, 0, ld->pcap_h, &ld->bytes_written, err_close);
2463 return libpcap_dump_close(ld->pdh, err_close);
2467 /* dispatch incoming packets (pcap or capture pipe)
2469 * Waits for incoming packets to be available, and calls pcap_dispatch()
2470 * to cause them to be processed.
2472 * Returns the number of packets which were processed.
2474 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2475 * packet-batching behaviour does not cause packets to get held back
2479 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
2480 char *errmsg, int errmsg_len)
2483 gint packet_count_before;
2484 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2489 packet_count_before = ld->packet_count;
2490 if (ld->from_cap_pipe) {
2491 /* dispatch from capture pipe */
2492 #ifdef LOG_CAPTURE_VERBOSE
2493 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2496 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
2499 if (sel_ret < 0 && errno != EINTR) {
2500 g_snprintf(errmsg, errmsg_len,
2501 "Unexpected error from select: %s", strerror(errno));
2502 report_capture_error(errmsg, please_report);
2507 * "select()" says we can read from the pipe without blocking
2509 #endif /* USE_THREADS */
2510 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
2520 /* dispatch from pcap */
2521 #ifdef MUST_DO_SELECT
2523 * If we have "pcap_get_selectable_fd()", we use it to get the
2524 * descriptor on which to select; if that's -1, it means there
2525 * is no descriptor on which you can do a "select()" (perhaps
2526 * because you're capturing on a special device, and that device's
2527 * driver unfortunately doesn't support "select()", in which case
2528 * we don't do the select - which means it might not be possible
2529 * to stop a capture until a packet arrives. If that's unacceptable,
2530 * plead with whoever supplies the software for that device to add
2531 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2532 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2533 * later, so it can use pcap_breakloop().
2535 #ifdef LOG_CAPTURE_VERBOSE
2536 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2538 if (ld->pcap_fd != -1) {
2539 sel_ret = cap_pipe_select(ld->pcap_fd);
2542 * "select()" says we can read from it without blocking; go for
2545 * We don't have pcap_breakloop(), so we only process one packet
2546 * per pcap_dispatch() call, to allow a signal to stop the
2547 * processing immediately, rather than processing all packets
2548 * in a batch before quitting.
2550 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
2554 /* Error, rather than pcap_breakloop(). */
2555 ld->pcap_err = TRUE;
2557 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2560 if (sel_ret < 0 && errno != EINTR) {
2561 g_snprintf(errmsg, errmsg_len,
2562 "Unexpected error from select: %s", strerror(errno));
2563 report_capture_error(errmsg, please_report);
2569 #endif /* MUST_DO_SELECT */
2571 /* dispatch from pcap without select */
2573 #ifdef LOG_CAPTURE_VERBOSE
2574 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2578 * On Windows, we don't support asynchronously telling a process to
2579 * stop capturing; instead, we check for an indication on a pipe
2580 * after processing packets. We therefore process only one packet
2581 * at a time, so that we can check the pipe after every packet.
2583 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
2585 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
2589 /* Error, rather than pcap_breakloop(). */
2590 ld->pcap_err = TRUE;
2592 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2594 #else /* pcap_next_ex */
2595 #ifdef LOG_CAPTURE_VERBOSE
2596 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2598 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2601 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2602 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2603 * This should be fixed in the WinPcap 4.0 alpha release.
2605 * For reference, an example remote interface:
2606 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2609 /* emulate dispatch from pcap */
2612 struct pcap_pkthdr *pkt_header;
2617 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
2618 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
2621 ld->pcap_err = TRUE;
2625 #endif /* pcap_next_ex */
2629 #ifdef LOG_CAPTURE_VERBOSE
2630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2633 return ld->packet_count - packet_count_before;
2637 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2638 * want to grab only the characters between the '{' and '}' delimiters.
2640 * Returns a GString that must be freed with g_string_free(). */
2641 static GString *isolate_uuid(const char *iface)
2646 ptr = strchr(iface, '{');
2648 return g_string_new(iface);
2649 gstr = g_string_new(ptr + 1);
2651 ptr = strchr(gstr->str, '}');
2655 gstr = g_string_truncate(gstr, ptr - gstr->str);
2660 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2661 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2663 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2664 char *errmsg, int errmsg_len) {
2667 gchar *capfile_name;
2669 gboolean is_tempfile;
2674 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2675 (capture_opts->save_file) ? capture_opts->save_file : "");
2677 if (capture_opts->save_file != NULL) {
2678 /* We return to the caller while the capture is in progress.
2679 * Therefore we need to take a copy of save_file in
2680 * case the caller destroys it after we return.
2682 capfile_name = g_strdup(capture_opts->save_file);
2684 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2685 if (capture_opts->multi_files_on) {
2686 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2687 g_snprintf(errmsg, errmsg_len,
2688 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2689 g_free(capfile_name);
2692 if (strcmp(capfile_name, "-") == 0) {
2693 /* write to stdout */
2696 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2697 _setmode(1, O_BINARY);
2700 } /* if (...output_to_pipe ... */
2703 if (capture_opts->multi_files_on) {
2704 /* ringbuffer is enabled */
2705 *save_file_fd = ringbuf_init(capfile_name,
2706 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2707 capture_opts->group_read_access);
2709 /* we need the ringbuf name */
2710 if(*save_file_fd != -1) {
2711 g_free(capfile_name);
2712 capfile_name = g_strdup(ringbuf_current_filename());
2715 /* Try to open/create the specified file for use as a capture buffer. */
2716 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2717 (capture_opts->group_read_access) ? 0640 : 0600);
2720 is_tempfile = FALSE;
2722 /* Choose a random name for the temporary capture buffer */
2726 iface = isolate_uuid(capture_opts->iface);
2727 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2728 g_string_free(iface, TRUE);
2730 prefix = g_strconcat("wireshark_", g_basename(capture_opts->iface), NULL);
2732 *save_file_fd = create_tempfile(&tmpname, prefix);
2734 capfile_name = g_strdup(tmpname);
2738 /* did we fail to open the output file? */
2739 if (*save_file_fd == -1) {
2741 g_snprintf(errmsg, errmsg_len,
2742 "The temporary file to which the capture would be saved (\"%s\") "
2743 "could not be opened: %s.", capfile_name, strerror(errno));
2745 if (capture_opts->multi_files_on) {
2746 ringbuf_error_cleanup();
2749 g_snprintf(errmsg, errmsg_len,
2750 "The file to which the capture would be saved (\"%s\") "
2751 "could not be opened: %s.", capfile_name,
2754 g_free(capfile_name);
2758 if(capture_opts->save_file != NULL) {
2759 g_free(capture_opts->save_file);
2761 capture_opts->save_file = capfile_name;
2762 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2763 "g_free(capfile_name)". */
2765 ret = fchown(*save_file_fd, capture_opts->owner, capture_opts->group);
2773 #define TIME_GET() GetTickCount()
2775 #define TIME_GET() time(NULL)
2778 /* Do the work of handling either the file size or file duration capture
2779 conditions being reached, and switching files or stopping. */
2781 do_file_switch_or_stop(capture_options *capture_opts,
2782 condition *cnd_autostop_files,
2783 condition *cnd_autostop_size,
2784 condition *cnd_file_duration)
2786 if (capture_opts->multi_files_on) {
2787 if (cnd_autostop_files != NULL &&
2788 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2789 /* no files left: stop here */
2790 global_ld.go = FALSE;
2794 /* Switch to the next ringbuffer file */
2795 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2796 &global_ld.save_file_fd, &global_ld.err)) {
2797 gboolean successful;
2802 /* File switch succeeded: reset the conditions */
2803 global_ld.bytes_written = 0;
2804 if (capture_opts->use_pcapng) {
2807 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2808 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &global_ld.bytes_written, &global_ld.err) &&
2809 libpcap_write_interface_description_block(global_ld.pdh, capture_opts->iface, capture_opts->cfilter, global_ld.linktype, global_ld.file_snaplen, &global_ld.bytes_written, &global_ld.err);
2811 successful = libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2812 &global_ld.bytes_written, &global_ld.err);
2815 fclose(global_ld.pdh);
2816 global_ld.pdh = NULL;
2817 global_ld.go = FALSE;
2820 if(cnd_autostop_size)
2821 cnd_reset(cnd_autostop_size);
2822 if(cnd_file_duration)
2823 cnd_reset(cnd_file_duration);
2824 libpcap_dump_flush(global_ld.pdh, NULL);
2826 report_packet_count(global_ld.inpkts_to_sync_pipe);
2827 global_ld.inpkts_to_sync_pipe = 0;
2828 report_new_capture_file(capture_opts->save_file);
2831 ret = fchown(global_ld.save_file_fd, capture_opts->owner, capture_opts->group);
2834 /* File switch failed: stop here */
2835 global_ld.go = FALSE;
2839 /* single file, stop now */
2840 global_ld.go = FALSE;
2846 /* Do the low-level work of a capture.
2847 Returns TRUE if it succeeds, FALSE otherwise. */
2849 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
2851 time_t upd_time, cur_time;
2855 condition *cnd_file_duration = NULL;
2856 condition *cnd_autostop_files = NULL;
2857 condition *cnd_autostop_size = NULL;
2858 condition *cnd_autostop_duration = NULL;
2861 gboolean cfilter_error = FALSE;
2862 char errmsg[MSG_MAX_LENGTH+1];
2863 char secondary_errmsg[MSG_MAX_LENGTH+1];
2866 *secondary_errmsg = '\0';
2868 /* init the loop data */
2869 global_ld.go = TRUE;
2870 global_ld.packet_count = 0;
2872 global_ld.report_packet_count = FALSE;
2874 if (capture_opts->has_autostop_packets)
2875 global_ld.packet_max = capture_opts->autostop_packets;
2877 global_ld.packet_max = 0; /* no limit */
2878 global_ld.inpkts_to_sync_pipe = 0;
2879 global_ld.err = 0; /* no error seen yet */
2880 global_ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
2881 global_ld.pcap_err = FALSE;
2882 global_ld.from_cap_pipe = FALSE;
2883 global_ld.pdh = NULL;
2885 global_ld.cap_pipe_fd = -1;
2887 global_ld.cap_pipe_h = INVALID_HANDLE_VALUE;
2889 #ifdef MUST_DO_SELECT
2890 global_ld.pcap_fd = 0;
2892 global_ld.autostop_files = 0;
2893 global_ld.save_file_fd = -1;
2895 /* We haven't yet gotten the capture statistics. */
2896 *stats_known = FALSE;
2898 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
2899 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
2901 /* open the "input file" from network interface or capture pipe */
2902 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
2903 secondary_errmsg, sizeof(secondary_errmsg))) {
2907 /* init the input filter from the network interface (capture pipe will do nothing) */
2908 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
2909 capture_opts->iface,
2910 capture_opts->cfilter)) {
2912 case INITFILTER_NO_ERROR:
2915 case INITFILTER_BAD_FILTER:
2916 cfilter_error = TRUE;
2917 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
2920 case INITFILTER_OTHER_ERROR:
2921 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
2922 pcap_geterr(global_ld.pcap_h));
2923 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
2927 /* If we're supposed to write to a capture file, open it for output
2928 (temporary/specified name/ringbuffer) */
2929 if (capture_opts->saving_to_file) {
2930 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
2931 errmsg, sizeof(errmsg))) {
2935 /* set up to write to the already-opened capture output file/files */
2936 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
2941 /* XXX - capture SIGTERM and close the capture, in case we're on a
2942 Linux 2.0[.x] system and you have to explicitly close the capture
2943 stream in order to turn promiscuous mode off? We need to do that
2944 in other places as well - and I don't think that works all the
2945 time in any case, due to libpcap bugs. */
2947 /* Well, we should be able to start capturing.
2949 Sync out the capture file, so the header makes it to the file system,
2950 and send a "capture started successfully and capture file created"
2951 message to our parent so that they'll open the capture file and
2952 update its windows to indicate that we have a live capture in
2954 libpcap_dump_flush(global_ld.pdh, NULL);
2955 report_new_capture_file(capture_opts->save_file);
2958 /* initialize capture stop (and alike) conditions */
2959 init_capture_stop_conditions();
2960 /* create stop conditions */
2961 if (capture_opts->has_autostop_filesize)
2963 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
2964 if (capture_opts->has_autostop_duration)
2965 cnd_autostop_duration =
2966 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
2968 if (capture_opts->multi_files_on) {
2969 if (capture_opts->has_file_duration)
2971 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
2973 if (capture_opts->has_autostop_files)
2974 cnd_autostop_files =
2975 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
2978 /* init the time values */
2979 start_time = TIME_GET();
2980 upd_time = TIME_GET();
2982 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
2984 /* WOW, everything is prepared! */
2985 /* please fasten your seat belts, we will enter now the actual capture loop */
2986 while (global_ld.go) {
2987 /* dispatch incoming packets */
2988 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
2992 /* Were we asked to print packet counts by the SIGINFO handler? */
2993 if (global_ld.report_packet_count) {
2994 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
2995 plurality(global_ld.packet_count, "", "s"));
2996 global_ld.report_packet_count = FALSE;
3001 /* any news from our parent (signal pipe)? -> just stop the capture */
3002 if (!signal_pipe_check_running()) {
3003 global_ld.go = FALSE;
3008 global_ld.inpkts_to_sync_pipe += inpkts;
3010 /* check capture size condition */
3011 if (cnd_autostop_size != NULL &&
3012 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3013 /* Capture size limit reached, do we have another file? */
3014 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3015 cnd_autostop_size, cnd_file_duration))
3017 } /* cnd_autostop_size */
3018 if (capture_opts->output_to_pipe) {
3019 libpcap_dump_flush(global_ld.pdh, NULL);
3023 /* Only update once a second (Win32: 500ms) so as not to overload slow
3024 * displays. This also prevents too much context-switching between the
3025 * dumpcap and wireshark processes */
3026 cur_time = TIME_GET();
3028 if ( (cur_time - upd_time) > 500) {
3030 if (cur_time - upd_time > 0) {
3032 upd_time = cur_time;
3034 /*if (pcap_stats(pch, stats) >= 0) {
3035 *stats_known = TRUE;
3038 /* Let the parent process know. */
3039 if (global_ld.inpkts_to_sync_pipe) {
3041 libpcap_dump_flush(global_ld.pdh, NULL);
3043 /* Send our parent a message saying we've written out
3044 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3046 report_packet_count(global_ld.inpkts_to_sync_pipe);
3048 global_ld.inpkts_to_sync_pipe = 0;
3051 /* check capture duration condition */
3052 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3053 /* The maximum capture time has elapsed; stop the capture. */
3054 global_ld.go = FALSE;
3058 /* check capture file duration condition */
3059 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3060 /* duration limit reached, do we have another file? */
3061 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3062 cnd_autostop_size, cnd_file_duration))
3064 } /* cnd_file_duration */
3067 } /* while (global_ld.go) */
3069 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3071 /* delete stop conditions */
3072 if (cnd_file_duration != NULL)
3073 cnd_delete(cnd_file_duration);
3074 if (cnd_autostop_files != NULL)
3075 cnd_delete(cnd_autostop_files);
3076 if (cnd_autostop_size != NULL)
3077 cnd_delete(cnd_autostop_size);
3078 if (cnd_autostop_duration != NULL)
3079 cnd_delete(cnd_autostop_duration);
3081 /* did we had a pcap (input) error? */
3082 if (global_ld.pcap_err) {
3083 /* On Linux, if an interface goes down while you're capturing on it,
3084 you'll get a "recvfrom: Network is down" error (ENETDOWN).
3085 (At least you will if strerror() doesn't show a local translation
3088 On FreeBSD and OS X, if a network adapter disappears while
3089 you're capturing on it, you'll get a "read: Device not configured"
3090 error (ENXIO). (See previous parenthetical note.)
3092 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3094 These should *not* be reported to the Wireshark developers. */
3097 cap_err_str = pcap_geterr(global_ld.pcap_h);
3098 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3099 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3100 strcmp(cap_err_str, "read: I/O error") == 0 ||
3101 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3102 report_capture_error("The network adapter on which the capture was being done "
3103 "is no longer running; the capture has stopped.",
3106 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3108 report_capture_error(errmsg, please_report);
3111 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
3112 report_capture_error(errmsg, "");
3114 /* did we had an error while capturing? */
3115 if (global_ld.err == 0) {
3118 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3119 global_ld.err, FALSE);
3120 report_capture_error(errmsg, please_report);
3124 if (capture_opts->saving_to_file) {
3125 /* close the wiretap (output) file */
3126 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3130 /* there might be packets not yet notified to the parent */
3131 /* (do this after closing the file, so all packets are already flushed) */
3132 if(global_ld.inpkts_to_sync_pipe) {
3134 report_packet_count(global_ld.inpkts_to_sync_pipe);
3135 global_ld.inpkts_to_sync_pipe = 0;
3138 /* If we've displayed a message about a write error, there's no point
3139 in displaying another message about an error on close. */
3140 if (!close_ok && write_ok) {
3141 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3143 report_capture_error(errmsg, "");
3147 * XXX We exhibit different behaviour between normal mode and sync mode
3148 * when the pipe is stdin and not already at EOF. If we're a child, the
3149 * parent's stdin isn't closed, so if the user starts another capture,
3150 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3151 * will say "Unrecognized libpcap format". On the other hand, in normal
3152 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3155 /* get packet drop statistics from pcap */
3156 if(global_ld.pcap_h != NULL) {
3157 g_assert(!global_ld.from_cap_pipe);
3158 /* Get the capture statistics, so we know how many packets were
3160 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
3161 *stats_known = TRUE;
3162 /* Let the parent process know. */
3163 report_packet_drops(stats->ps_drop);
3165 g_snprintf(errmsg, sizeof(errmsg),
3166 "Can't get packet-drop statistics: %s",
3167 pcap_geterr(global_ld.pcap_h));
3168 report_capture_error(errmsg, please_report);
3172 /* close the input file (pcap or capture pipe) */
3173 capture_loop_close_input(&global_ld);
3175 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3177 /* ok, if the write and the close were successful. */
3178 return write_ok && close_ok;
3181 if (capture_opts->multi_files_on) {
3182 /* cleanup ringbuffer */
3183 ringbuf_error_cleanup();
3185 /* We can't use the save file, and we have no FILE * for the stream
3186 to close in order to close it, so close the FD directly. */
3187 if(global_ld.save_file_fd != -1) {
3188 ws_close(global_ld.save_file_fd);
3191 /* We couldn't even start the capture, so get rid of the capture
3193 if(capture_opts->save_file != NULL) {
3194 ws_unlink(capture_opts->save_file);
3195 g_free(capture_opts->save_file);
3198 capture_opts->save_file = NULL;
3200 report_cfilter_error(capture_opts->cfilter, errmsg);
3202 report_capture_error(errmsg, secondary_errmsg);
3204 /* close the input file (pcap or cap_pipe) */
3205 capture_loop_close_input(&global_ld);
3207 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3213 static void capture_loop_stop(void)
3215 #ifdef HAVE_PCAP_BREAKLOOP
3216 if(global_ld.pcap_h != NULL)
3217 pcap_breakloop(global_ld.pcap_h);
3219 global_ld.go = FALSE;
3224 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3225 int err, gboolean is_close)
3230 g_snprintf(errmsg, errmsglen,
3231 "Not all the packets could be written to the file"
3232 " to which the capture was being saved\n"
3233 "(\"%s\") because there is no space left on the file system\n"
3234 "on which that file resides.",
3240 g_snprintf(errmsg, errmsglen,
3241 "Not all the packets could be written to the file"
3242 " to which the capture was being saved\n"
3243 "(\"%s\") because you are too close to, or over,"
3244 " your disk quota\n"
3245 "on the file system on which that file resides.",
3250 case WTAP_ERR_CANT_CLOSE:
3251 g_snprintf(errmsg, errmsglen,
3252 "The file to which the capture was being saved"
3253 " couldn't be closed for some unknown reason.");
3256 case WTAP_ERR_SHORT_WRITE:
3257 g_snprintf(errmsg, errmsglen,
3258 "Not all the packets could be written to the file"
3259 " to which the capture was being saved\n"
3266 g_snprintf(errmsg, errmsglen,
3267 "The file to which the capture was being saved\n"
3268 "(\"%s\") could not be closed: %s.",
3269 fname, wtap_strerror(err));
3271 g_snprintf(errmsg, errmsglen,
3272 "An error occurred while writing to the file"
3273 " to which the capture was being saved\n"
3275 fname, wtap_strerror(err));
3282 /* one packet was captured, process it */
3284 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3287 loop_data *ld = (loop_data *) (void *) user;
3290 /* We may be called multiple times from pcap_dispatch(); if we've set
3291 the "stop capturing" flag, ignore this packet, as we're not
3292 supposed to be saving any more packets. */
3297 gboolean successful;
3298 /* We're supposed to write the packet to a file; do so.
3299 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3300 "ld->err" to the error. */
3301 if (global_capture_opts.use_pcapng) {
3302 successful = libpcap_write_enhanced_packet_block(ld->pdh, phdr, 0, pd, &ld->bytes_written, &err);
3304 successful = libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err);
3311 /* if the user told us to stop after x packets, do we already have enough? */
3312 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
3321 /* And now our feature presentation... [ fade to music ] */
3323 main(int argc, char *argv[])
3326 gboolean arg_error = FALSE;
3331 struct sigaction action, oldaction;
3334 gboolean start_capture = TRUE;
3335 gboolean stats_known;
3336 struct pcap_stat stats;
3337 GLogLevelFlags log_flags;
3338 gboolean list_interfaces = FALSE;
3339 gboolean list_link_layer_types = FALSE;
3340 #ifdef HAVE_BPF_IMAGE
3341 gboolean print_bpf_code = FALSE;
3343 gboolean machine_readable = FALSE;
3344 gboolean print_statistics = FALSE;
3345 int status, run_once_args = 0;
3347 #if defined(__APPLE__) && defined(__LP64__)
3348 struct utsname osinfo;
3353 * Initialize our DLL search path. MUST be called before LoadLibrary
3356 ws_init_dll_search_path();
3359 #ifdef HAVE_PCAP_REMOTE
3360 #define OPTSTRING_A "A:"
3361 #define OPTSTRING_r "r"
3362 #define OPTSTRING_u "u"
3364 #define OPTSTRING_A ""
3365 #define OPTSTRING_r ""
3366 #define OPTSTRING_u ""
3369 #ifdef HAVE_PCAP_SETSAMPLING
3370 #define OPTSTRING_m "m:"
3372 #define OPTSTRING_m ""
3375 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3376 #define OPTSTRING_B "B:"
3378 #define OPTSTRING_B ""
3379 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3381 #ifdef HAVE_PCAP_CREATE
3382 #define OPTSTRING_I "I"
3384 #define OPTSTRING_I ""
3387 #ifdef HAVE_BPF_IMAGE
3388 #define OPTSTRING_d "d"
3390 #define OPTSTRING_d ""
3393 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:" OPTSTRING_u "vw:y:Z:"
3395 #ifdef DEBUG_CHILD_DUMPCAP
3396 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3397 fprintf (stderr, "Unable to open debug log file !\n");
3402 #if defined(__APPLE__) && defined(__LP64__)
3404 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3405 * a bug workaround - timeouts less than 1 second don't work with libpcap
3406 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3407 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3408 * The problem is extremely unlikely to be reintroduced in a future
3411 if (uname(&osinfo) == 0) {
3413 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3414 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3415 * number of 10.0.0, not 10.1.0 - go figure).
3417 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3418 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3419 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3420 need_timeout_workaround = TRUE;
3425 * Determine if dumpcap is being requested to run in a special
3426 * capture_child mode by going thru the command line args to see if
3427 * a -Z is present. (-Z is a hidden option).
3429 * The primary result of running in capture_child mode is that
3430 * all messages sent out on stderr are in a special type/len/string
3431 * format to allow message processing by type. These messages include
3432 * error messages if dumpcap fails to start the operation it was
3433 * requested to do, as well as various "status" messages which are sent
3434 * when an actual capture is in progress, and a "success" message sent
3435 * if dumpcap was requested to perform an operation other than a
3438 * Capture_child mode would normally be requested by a parent process
3439 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3440 * to which dumpcap stderr has been redirected. It might also have
3441 * another pipe to obtain dumpcap stdout output; for operations other
3442 * than a capture, that information is formatted specially for easier
3443 * parsing by the parent process.
3445 * Capture_child mode needs to be determined immediately upon
3446 * startup so that any messages generated by dumpcap in this mode
3447 * (eg: during initialization) will be formatted properly.
3450 for (i=1; i<argc; i++) {
3451 if (strcmp("-Z", argv[i]) == 0) {
3452 capture_child = TRUE;
3453 machine_readable = TRUE; /* request machine-readable output */
3455 /* set output pipe to binary mode, to avoid ugly text conversions */
3456 _setmode(2, O_BINARY);
3461 /* The default_log_handler will use stdout, which makes trouble in */
3462 /* capture child mode, as it uses stdout for it's sync_pipe. */
3463 /* So: the filtering is done in the console_log_handler and not here.*/
3464 /* We set the log handlers right up front to make sure that any log */
3465 /* messages when running as child will be sent back to the parent */
3466 /* with the correct format. */
3470 G_LOG_LEVEL_CRITICAL|
3471 G_LOG_LEVEL_WARNING|
3472 G_LOG_LEVEL_MESSAGE|
3475 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3477 g_log_set_handler(NULL,
3479 console_log_handler, NULL /* user_data */);
3480 g_log_set_handler(LOG_DOMAIN_MAIN,
3482 console_log_handler, NULL /* user_data */);
3483 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3485 console_log_handler, NULL /* user_data */);
3486 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3488 console_log_handler, NULL /* user_data */);
3491 /* Load wpcap if possible. Do this before collecting the run-time version information */
3494 /* ... and also load the packet.dll from wpcap */
3495 /* XXX - currently not required, may change later. */
3496 /*wpcap_packet_load();*/
3498 /* Start windows sockets */
3499 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3501 /* Set handler for Ctrl+C key */
3502 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3504 /* Prepare to read from a pipe */
3505 if (!g_thread_supported ())
3506 g_thread_init (NULL);
3507 cap_pipe_pending_q = g_async_queue_new();
3508 cap_pipe_done_q = g_async_queue_new();
3509 cap_pipe_read_mtx = g_mutex_new();
3512 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3514 action.sa_handler = capture_cleanup_handler;
3516 * Arrange that system calls not get restarted, because when
3517 * our signal handler returns we don't want to restart
3518 * a call that was waiting for packets to arrive.
3520 action.sa_flags = 0;
3521 sigemptyset(&action.sa_mask);
3522 sigaction(SIGTERM, &action, NULL);
3523 sigaction(SIGINT, &action, NULL);
3524 sigaction(SIGPIPE, &action, NULL);
3525 sigaction(SIGHUP, NULL, &oldaction);
3526 if (oldaction.sa_handler == SIG_DFL)
3527 sigaction(SIGHUP, &action, NULL);
3530 /* Catch SIGINFO and, if we get it and we're capturing in
3531 quiet mode, report the number of packets we've captured. */
3532 action.sa_handler = report_counts_siginfo;
3533 action.sa_flags = SA_RESTART;
3534 sigemptyset(&action.sa_mask);
3535 sigaction(SIGINFO, &action, NULL);
3536 #endif /* SIGINFO */
3539 /* ----------------------------------------------------------------- */
3540 /* Privilege and capability handling */
3542 /* 1. Running not as root or suid root; no special capabilities. */
3545 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3548 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3550 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3551 /* capabilities; Drop all other capabilities; */
3552 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3553 /* else: after pcap_open_live() in capture_loop_open_input() */
3554 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3555 /* (Note: this means that the process, although logged in */
3556 /* as root, does not have various permissions such as the */
3557 /* ability to bypass file access permissions). */
3558 /* XXX: Should we just leave capabilities alone in this case */
3559 /* so that user gets expected effect that root can do */
3562 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3564 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3565 /* else: after pcap_open_live() in capture_loop_open_input() */
3566 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3567 /* pcap_open_live). */
3569 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3571 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3572 /* capabilities; Drop all other capabilities; */
3573 /* Drop suid privileges (euid=ruid); */
3574 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3575 /* else: after pcap_open_live() in capture_loop_open_input() */
3576 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3578 /* XXX: For some Linux versions/distros with capabilities */
3579 /* a 'normal' process with any capabilities cannot be */
3580 /* 'killed' (signaled) from another (same uid) non-privileged */
3582 /* For example: If (non-suid) Wireshark forks a */
3583 /* child suid dumpcap which acts as described here (case 5), */
3584 /* Wireshark will be unable to kill (signal) the child */
3585 /* dumpcap process until the capabilities have been dropped */
3586 /* (after pcap_open_live()). */
3587 /* This behaviour will apparently be changed in the kernel */
3588 /* to allow the kill (signal) in this case. */
3589 /* See the following for details: */
3590 /* http://www.mail-archive.com/ [wrapped] */
3591 /* linux-security-module@vger.kernel.org/msg02913.html */
3593 /* It is therefore conceivable that if dumpcap somehow hangs */
3594 /* in pcap_open_live or before that wireshark will not */
3595 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3596 /* In this case, exiting wireshark will kill the child */
3597 /* dumpcap process. */
3599 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3600 /* capabilities; Using libcap. Note: capset cmd (which see) */
3601 /* used to assign capabilities to file. */
3603 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3604 /* else: after pcap_open_live() in capture_loop_open_input() */
3605 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3607 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3608 /* longer required (similar to capture). */
3610 /* ----------------------------------------------------------------- */
3612 init_process_policies();
3615 /* If 'started with special privileges' (and using libcap) */
3616 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3617 /* Set euid/egid = ruid/rgid to remove suid privileges */
3618 relinquish_privs_except_capture();
3621 /* Set the initial values in the capture options. This might be overwritten
3622 by the command line parameters. */
3623 capture_opts_init(&global_capture_opts, NULL);
3625 /* Default to capturing the entire packet. */
3626 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3628 /* We always save to a file - if no file was specified, we save to a
3630 global_capture_opts.saving_to_file = TRUE;
3631 global_capture_opts.has_ring_num_files = TRUE;
3633 /* Now get our args */
3634 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3636 case 'h': /* Print help and exit */
3640 case 'v': /* Show version and exit */
3642 GString *comp_info_str;
3643 GString *runtime_info_str;
3644 /* Assemble the compile-time version information string */
3645 comp_info_str = g_string_new("Compiled ");
3646 get_compiled_version_info(comp_info_str, NULL, NULL);
3648 /* Assemble the run-time version information string */
3649 runtime_info_str = g_string_new("Running ");
3650 get_runtime_version_info(runtime_info_str, NULL);
3651 show_version(comp_info_str, runtime_info_str);
3652 g_string_free(comp_info_str, TRUE);
3653 g_string_free(runtime_info_str, TRUE);
3657 /*** capture option specific ***/
3658 case 'a': /* autostop criteria */
3659 case 'b': /* Ringbuffer option */
3660 case 'c': /* Capture x packets */
3661 case 'f': /* capture filter */
3662 case 'i': /* Use interface x */
3663 case 'n': /* Use pcapng format */
3664 case 'p': /* Don't capture in promiscuous mode */
3665 case 's': /* Set the snapshot (capture) length */
3666 case 'w': /* Write to capture file x */
3667 case 'g': /* enable group read accesson file(s) */
3668 case 'y': /* Set the pcap data link type */
3669 #ifdef HAVE_PCAP_REMOTE
3670 case 'u': /* Use UDP for data transfer */
3671 case 'r': /* Capture own RPCAP traffic too */
3672 case 'A': /* Authentication */
3674 #ifdef HAVE_PCAP_SETSAMPLING
3675 case 'm': /* Sampling */
3677 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3678 case 'B': /* Buffer size */
3679 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3680 #ifdef HAVE_PCAP_CREATE
3681 case 'I': /* Monitor mode */
3683 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
3688 /*** hidden option: Wireshark child mode (using binary output messages) ***/
3690 capture_child = TRUE;
3692 /* set output pipe to binary mode, to avoid ugly text conversions */
3693 _setmode(2, O_BINARY);
3695 * optarg = the control ID, aka the PPID, currently used for the
3698 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
3699 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
3700 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
3701 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
3703 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
3704 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3705 "Signal pipe: Unable to open %s. Dead parent?",
3713 case 'q': /* Quiet */
3717 /*** all non capture option specific ***/
3718 case 'D': /* Print a list of capture devices and exit */
3719 list_interfaces = TRUE;
3722 case 'L': /* Print list of link-layer types and exit */
3723 list_link_layer_types = TRUE;
3726 #ifdef HAVE_BPF_IMAGE
3727 case 'd': /* Print BPF code for capture filter and exit */
3728 print_bpf_code = TRUE;
3732 case 'S': /* Print interface statistics once a second */
3733 print_statistics = TRUE;
3736 case 'M': /* For -D, -L, and -S, print machine-readable output */
3737 machine_readable = TRUE;
3740 case '?': /* Bad flag - print usage message */
3741 cmdarg_err("Invalid Option: %s", argv[optind-1]);
3749 /* user specified file name as regular command-line argument */
3750 /* XXX - use it as the capture file name (or something else)? */
3757 * Extra command line arguments were specified; complain.
3758 * XXX - interpret as capture filter, as tcpdump and tshark do?
3760 cmdarg_err("Invalid argument: %s", argv[0]);
3769 if (run_once_args > 1) {
3770 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
3772 } else if (run_once_args == 1) {
3773 /* We're supposed to print some information, rather than
3774 to capture traffic; did they specify a ring buffer option? */
3775 if (global_capture_opts.multi_files_on) {
3776 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
3780 /* We're supposed to capture traffic; was the ring buffer option
3781 specified and, if so, does it make sense? */
3782 if (global_capture_opts.multi_files_on) {
3783 /* Ring buffer works only under certain conditions:
3784 a) ring buffer does not work with temporary files;
3785 b) it makes no sense to enable the ring buffer if the maximum
3786 file size is set to "infinite". */
3787 if (global_capture_opts.save_file == NULL) {
3788 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
3789 global_capture_opts.multi_files_on = FALSE;
3791 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
3792 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
3793 /* XXX - this must be redesigned as the conditions changed */
3794 /* global_capture_opts.multi_files_on = FALSE;*/
3800 * "-D" requires no interface to be selected; it's supposed to list
3803 if (list_interfaces) {
3804 /* Get the list of interfaces */
3809 if_list = capture_interface_list(&err, &err_str);
3810 if (if_list == NULL) {
3812 case CANT_GET_INTERFACE_LIST:
3813 cmdarg_err("%s", err_str);
3818 case NO_INTERFACES_FOUND:
3820 * If we're being run by another program, just give them
3821 * an empty list of interfaces, don't report this as
3822 * an error; that lets them decide whether to report
3823 * this as an error or not.
3825 if (!machine_readable) {
3826 cmdarg_err("There are no interfaces on which a capture can be done");
3833 if (machine_readable) /* tab-separated values to stdout */
3834 print_machine_readable_interfaces(if_list);
3836 capture_opts_print_interfaces(if_list);
3837 free_interface_list(if_list);
3842 * "-S" requires no interface to be selected; it gives statistics
3843 * for all interfaces.
3845 if (print_statistics) {
3846 status = print_statistics_loop(machine_readable);
3851 * "-L", "-d", and capturing act on a particular interface, so we have to
3852 * have an interface; if none was specified, pick a default.
3854 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
3855 /* cmdarg_err() already called .... */
3859 /* Let the user know what interface was chosen. */
3860 /* get_interface_descriptive_name() is not available! */
3861 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
3863 if (list_link_layer_types) {
3864 /* Get the list of link-layer types for the capture device. */
3865 if_capabilities_t *caps;
3868 caps = get_if_capabilities(global_capture_opts.iface,
3869 global_capture_opts.monitor_mode, &err_str);
3871 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
3872 "Please check to make sure you have sufficient permissions, and that\n"
3873 "you have the proper interface or pipe specified.", global_capture_opts.iface, err_str);
3877 if (caps->data_link_types == NULL) {
3878 cmdarg_err("The capture device \"%s\" has no data link types.", global_capture_opts.iface);
3881 if (machine_readable) /* tab-separated values to stdout */
3882 print_machine_readable_if_capabilities(caps);
3884 capture_opts_print_if_capabilities(caps,
3885 global_capture_opts.monitor_mode);
3886 free_if_capabilities(caps);
3890 /* We're supposed to do a capture, or print the BPF code for a filter.
3891 Process the snapshot length, as that affects the generated BPF code. */
3892 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
3894 #ifdef HAVE_BPF_IMAGE
3895 if (print_bpf_code) {
3896 show_filter_code(&global_capture_opts);
3901 /* We're supposed to do a capture. Process the ring buffer arguments. */
3902 capture_opts_trim_ring_num_files(&global_capture_opts);
3904 /* Now start the capture. */
3906 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
3910 /* capture failed */
3917 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
3918 const char *message, gpointer user_data _U_)
3925 /* ignore log message, if log_level isn't interesting */
3926 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3927 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
3932 /* create a "timestamp" */
3934 today = localtime(&curr);
3936 switch(log_level & G_LOG_LEVEL_MASK) {
3937 case G_LOG_LEVEL_ERROR:
3940 case G_LOG_LEVEL_CRITICAL:
3943 case G_LOG_LEVEL_WARNING:
3946 case G_LOG_LEVEL_MESSAGE:
3949 case G_LOG_LEVEL_INFO:
3952 case G_LOG_LEVEL_DEBUG:
3956 fprintf(stderr, "unknown log_level %u\n", log_level);
3958 g_assert_not_reached();
3961 /* Generate the output message */
3962 if(log_level & G_LOG_LEVEL_MESSAGE) {
3963 /* normal user messages without additional infos */
3964 msg = g_strdup_printf("%s\n", message);
3966 /* info/debug messages with additional infos */
3967 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
3968 today->tm_hour, today->tm_min, today->tm_sec,
3969 log_domain != NULL ? log_domain : "",
3973 /* DEBUG & INFO msgs (if we're debugging today) */
3974 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3975 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3976 #ifdef DEBUG_DUMPCAP
3977 fprintf(stderr, "%s", msg);
3980 #ifdef DEBUG_CHILD_DUMPCAP
3981 fprintf(debug_log, "%s", msg);
3989 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
3990 /* to parent especially formatted if dumpcap running as child. */
3991 if (capture_child) {
3992 sync_pipe_errmsg_to_parent(2, msg, "");
3994 fprintf(stderr, "%s", msg);
4001 /****************************************************************************************************************/
4002 /* indication report routines */
4006 report_packet_count(int packet_count)
4008 char tmp[SP_DECISIZE+1+1];
4009 static int count = 0;
4012 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4013 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4014 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4016 count += packet_count;
4017 fprintf(stderr, "\rPackets: %u ", count);
4018 /* stderr could be line buffered */
4024 report_new_capture_file(const char *filename)
4027 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4028 pipe_write_block(2, SP_FILE, filename);
4032 * Prevent a SIGINFO handler from writing to the standard error
4033 * while we're doing so; instead, have it just set a flag telling
4034 * us to print that information when we're done.
4037 #endif /* SIGINFO */
4038 fprintf(stderr, "File: %s\n", filename);
4039 /* stderr could be line buffered */
4044 * Allow SIGINFO handlers to write.
4049 * If a SIGINFO handler asked us to write out capture counts, do so.
4053 #endif /* SIGINFO */
4058 report_cfilter_error(const char *cfilter, const char *errmsg)
4060 if (capture_child) {
4061 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4062 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4065 "Invalid capture filter: \"%s\"!\n"
4067 "That string isn't a valid capture filter (%s).\n"
4068 "See the User's Guide for a description of the capture filter syntax.\n",
4074 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4077 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4078 "Primary Error: %s", error_msg);
4079 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4080 "Secondary Error: %s", secondary_error_msg);
4081 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4083 fprintf(stderr, "%s\n", error_msg);
4084 if (secondary_error_msg[0] != '\0')
4085 fprintf(stderr, "%s\n", secondary_error_msg);
4090 report_packet_drops(guint32 drops)
4092 char tmp[SP_DECISIZE+1+1];
4094 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4097 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets dropped: %s", tmp);
4098 pipe_write_block(2, SP_DROPS, tmp);
4100 fprintf(stderr, "Packets dropped: %s\n", tmp);
4101 /* stderr could be line buffered */
4107 /****************************************************************************************************************/
4108 /* signal_pipe handling */
4113 signal_pipe_check_running(void)
4115 /* any news from our parent? -> just stop the capture */
4119 /* if we are running standalone, no check required */
4120 if(!capture_child) {
4124 if(!sig_pipe_name || !sig_pipe_handle) {
4125 /* This shouldn't happen */
4126 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4127 "Signal pipe: No name or handle");
4132 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4133 * at this point. Should we check to see if the parent is still alive,
4134 * e.g. by using OpenProcess?
4137 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4139 if(!result || avail > 0) {
4140 /* peek failed or some bytes really available */
4141 /* (if not piping from stdin this would fail) */
4142 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4143 "Signal pipe: Stop capture: %s", sig_pipe_name);
4144 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4145 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4146 sig_pipe_handle, result, avail);
4149 /* pipe ok and no bytes available */
4156 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4161 * indent-tabs-mode: nil
4164 * vi: set shiftwidth=4 tabstop=8 expandtab
4165 * :indentSize=4:tabSize=8:noTabs=true: