2 * Synchronisation between Wireshark capture parent and child instances
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
47 #include <wsutil/unicode-utils.h>
50 #ifdef HAVE_SYS_WAIT_H
51 # include <sys/wait.h>
54 #include "capture-pcap-util.h"
58 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
59 * macros) on UNIX systems that don't have them.
62 # define WIFEXITED(status) (((status) & 0177) == 0)
65 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
68 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
71 # define WEXITSTATUS(status) ((status) >> 8)
74 # define WTERMSIG(status) ((status) & 0177)
77 # define WCOREDUMP(status) ((status) & 0200)
80 # define WSTOPSIG(status) ((status) >> 8)
84 #include <epan/packet.h>
85 #include <epan/prefs.h>
89 #include <epan/filesystem.h>
90 #include <epan/report_err.h>
93 #include "capture_sync.h"
95 #include "sync_pipe.h"
98 #include "capture-wpcap.h"
101 #include <wsutil/file_util.h>
105 #include <process.h> /* For spawning child process */
111 static const char *sync_pipe_signame(int);
115 static gboolean sync_pipe_input_cb(gint source, gpointer user_data);
116 static int sync_pipe_wait_for_child(int fork_child, gchar **msgp);
117 static void pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len);
118 static int pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
123 /* Append an arg (realloc) to an argc/argv array */
124 /* (add a string pointer to a NULL-terminated array of string pointers) */
126 sync_pipe_add_arg(const char **args, int *argc, const char *arg)
128 /* Grow the array; "*argc" currently contains the number of string
129 pointers, *not* counting the NULL pointer at the end, so we have
130 to add 2 in order to get the new size of the array, including the
131 new pointer and the terminating NULL pointer. */
132 args = g_realloc( (gpointer) args, (*argc + 2) * sizeof (char *));
134 /* Stuff the pointer into the penultimate element of the array, which
135 is the one at the index specified by "*argc". */
136 args[*argc] = g_strdup(arg);
137 /* Now bump the count. */
140 /* We overwrite the NULL pointer; put it back right after the
150 /* Quote the argument element if necessary, so that it will get
151 * reconstructed correctly in the C runtime startup code. Note that
152 * the unquoting algorithm in the C runtime is really weird, and
153 * rather different than what Unix shells do. See stdargv.c in the C
154 * runtime sources (in the Platform SDK, in src/crt).
156 * Stolen from GLib's protect_argv(), an internal routine that quotes
157 * string in an argument list so that they arguments will be handled
158 * correctly in the command-line string passed to CreateProcess()
159 * if that string is constructed by gluing those strings together.
162 protect_arg (const gchar *argv)
165 const gchar *p = argv;
168 gboolean need_dblquotes = FALSE;
171 if (*p == ' ' || *p == '\t')
172 need_dblquotes = TRUE;
175 else if (*p == '\\') {
178 while (*pp && *pp == '\\')
187 q = new_arg = g_malloc (len + need_dblquotes*2 + 1);
196 else if (*p == '\\') {
199 while (*pp && *pp == '\\')
216 * Generate a string for a Win32 error.
218 #define ERRBUF_SIZE 1024
220 win32strerror(DWORD error)
222 static char errbuf[ERRBUF_SIZE+1];
226 FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, 0, errbuf,
230 * "FormatMessage()" "helpfully" sticks CR/LF at the end of the
231 * message. Get rid of it.
233 errlen = strlen(errbuf);
235 errbuf[errlen - 1] = '\0';
236 errbuf[errlen - 2] = '\0';
238 p = strchr(errbuf, '\0');
239 g_snprintf(p, (gulong)(sizeof errbuf - (p-errbuf)), " (%lu)", error);
244 * Generate a string for a Win32 exception code.
247 win32strexception(DWORD exception)
249 static char errbuf[ERRBUF_SIZE+1];
250 static const struct exception_msg {
254 { EXCEPTION_ACCESS_VIOLATION, "Access violation" },
255 { EXCEPTION_ARRAY_BOUNDS_EXCEEDED, "Array bounds exceeded" },
256 { EXCEPTION_BREAKPOINT, "Breakpoint" },
257 { EXCEPTION_DATATYPE_MISALIGNMENT, "Data type misalignment" },
258 { EXCEPTION_FLT_DENORMAL_OPERAND, "Denormal floating-point operand" },
259 { EXCEPTION_FLT_DIVIDE_BY_ZERO, "Floating-point divide by zero" },
260 { EXCEPTION_FLT_INEXACT_RESULT, "Floating-point inexact result" },
261 { EXCEPTION_FLT_INVALID_OPERATION, "Invalid floating-point operation" },
262 { EXCEPTION_FLT_OVERFLOW, "Floating-point overflow" },
263 { EXCEPTION_FLT_STACK_CHECK, "Floating-point stack check" },
264 { EXCEPTION_FLT_UNDERFLOW, "Floating-point underflow" },
265 { EXCEPTION_GUARD_PAGE, "Guard page violation" },
266 { EXCEPTION_ILLEGAL_INSTRUCTION, "Illegal instruction" },
267 { EXCEPTION_IN_PAGE_ERROR, "Page-in error" },
268 { EXCEPTION_INT_DIVIDE_BY_ZERO, "Integer divide by zero" },
269 { EXCEPTION_INT_OVERFLOW, "Integer overflow" },
270 { EXCEPTION_INVALID_DISPOSITION, "Invalid disposition" },
271 { EXCEPTION_INVALID_HANDLE, "Invalid handle" },
272 { EXCEPTION_NONCONTINUABLE_EXCEPTION, "Non-continuable exception" },
273 { EXCEPTION_PRIV_INSTRUCTION, "Privileged instruction" },
274 { EXCEPTION_SINGLE_STEP, "Single-step complete" },
275 { EXCEPTION_STACK_OVERFLOW, "Stack overflow" },
278 #define N_EXCEPTIONS (sizeof exceptions / sizeof exceptions[0])
281 for (i = 0; i < N_EXCEPTIONS; i++) {
282 if (exceptions[i].code == exception)
283 return exceptions[i].msg;
285 g_snprintf(errbuf, (gulong)sizeof errbuf, "Exception 0x%08x", exception);
290 /* Initialize an argument list and add dumpcap to it. */
292 init_pipe_args(int *argc) {
294 const char *progfile_dir;
297 progfile_dir = get_progfile_dir();
298 if (progfile_dir == NULL) {
302 /* Allocate the string pointer array with enough space for the
303 terminating NULL pointer. */
305 argv = g_malloc(sizeof (char *));
308 /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
309 exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
311 /* Make that the first argument in the argument list (argv[0]). */
312 argv = sync_pipe_add_arg(argv, argc, exename);
317 #define ARGV_NUMBER_LEN 24
318 /* a new capture run: start a new dumpcap task and hand over parameters through command line */
320 sync_pipe_start(capture_options *capture_opts) {
321 char ssnap[ARGV_NUMBER_LEN];
322 char sdlt[ARGV_NUMBER_LEN];
323 char scount[ARGV_NUMBER_LEN];
324 char sfilesize[ARGV_NUMBER_LEN];
325 char sfile_duration[ARGV_NUMBER_LEN];
326 char sring_num_files[ARGV_NUMBER_LEN];
327 char sautostop_files[ARGV_NUMBER_LEN];
328 char sautostop_filesize[ARGV_NUMBER_LEN];
329 char sautostop_duration[ARGV_NUMBER_LEN];
330 #ifdef HAVE_PCAP_REMOTE
333 #ifdef HAVE_PCAP_SETSAMPLING
334 char ssampling[ARGV_NUMBER_LEN];
337 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
338 char buffer_size[ARGV_NUMBER_LEN];
342 HANDLE sync_pipe_read; /* pipe used to send messages from child to parent */
343 HANDLE sync_pipe_write; /* pipe used to send messages from child to parent */
344 HANDLE signal_pipe; /* named pipe used to send messages from parent to child (currently only stop) */
345 GString *args = g_string_sized_new(200);
347 SECURITY_ATTRIBUTES sa;
349 PROCESS_INFORMATION pi;
350 char control_id[ARGV_NUMBER_LEN];
351 gchar *signal_pipe_name;
354 int sync_pipe[2]; /* pipe used to send messages from child to parent */
355 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
357 int sync_pipe_read_fd;
362 interface_options interface_opts;
364 if (capture_opts->ifaces->len > 1)
365 capture_opts->use_pcapng = TRUE;
366 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_start");
367 capture_opts_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, capture_opts);
369 capture_opts->fork_child = -1;
371 argv = init_pipe_args(&argc);
373 /* We don't know where to find dumpcap. */
374 report_failure("We don't know where to find dumpcap.");
378 if (capture_opts->ifaces->len > 1)
379 argv = sync_pipe_add_arg(argv, &argc, "-t");
381 if (capture_opts->use_pcapng)
382 argv = sync_pipe_add_arg(argv, &argc, "-n");
384 argv = sync_pipe_add_arg(argv, &argc, "-P");
386 if (capture_opts->multi_files_on) {
387 if (capture_opts->has_autostop_filesize) {
388 argv = sync_pipe_add_arg(argv, &argc, "-b");
389 g_snprintf(sfilesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
390 argv = sync_pipe_add_arg(argv, &argc, sfilesize);
393 if (capture_opts->has_file_duration) {
394 argv = sync_pipe_add_arg(argv, &argc, "-b");
395 g_snprintf(sfile_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->file_duration);
396 argv = sync_pipe_add_arg(argv, &argc, sfile_duration);
399 if (capture_opts->has_ring_num_files) {
400 argv = sync_pipe_add_arg(argv, &argc, "-b");
401 g_snprintf(sring_num_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->ring_num_files);
402 argv = sync_pipe_add_arg(argv, &argc, sring_num_files);
405 if (capture_opts->has_autostop_files) {
406 argv = sync_pipe_add_arg(argv, &argc, "-a");
407 g_snprintf(sautostop_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->autostop_files);
408 argv = sync_pipe_add_arg(argv, &argc, sautostop_files);
411 if (capture_opts->has_autostop_filesize) {
412 argv = sync_pipe_add_arg(argv, &argc, "-a");
413 g_snprintf(sautostop_filesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
414 argv = sync_pipe_add_arg(argv, &argc, sautostop_filesize);
418 if (capture_opts->has_autostop_packets) {
419 argv = sync_pipe_add_arg(argv, &argc, "-c");
420 g_snprintf(scount, ARGV_NUMBER_LEN, "%d",capture_opts->autostop_packets);
421 argv = sync_pipe_add_arg(argv, &argc, scount);
424 if (capture_opts->has_autostop_duration) {
425 argv = sync_pipe_add_arg(argv, &argc, "-a");
426 g_snprintf(sautostop_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->autostop_duration);
427 argv = sync_pipe_add_arg(argv, &argc, sautostop_duration);
430 for (j = 0; j < capture_opts->ifaces->len; j++) {
431 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
433 argv = sync_pipe_add_arg(argv, &argc, "-i");
434 argv = sync_pipe_add_arg(argv, &argc, interface_opts.name);
436 if (interface_opts.cfilter != NULL && strlen(interface_opts.cfilter) != 0) {
437 argv = sync_pipe_add_arg(argv, &argc, "-f");
438 argv = sync_pipe_add_arg(argv, &argc, interface_opts.cfilter);
440 if (interface_opts.snaplen != WTAP_MAX_PACKET_SIZE) {
441 argv = sync_pipe_add_arg(argv, &argc, "-s");
442 g_snprintf(ssnap, ARGV_NUMBER_LEN, "%d", interface_opts.snaplen);
443 argv = sync_pipe_add_arg(argv, &argc, ssnap);
446 if (interface_opts.linktype != -1) {
447 argv = sync_pipe_add_arg(argv, &argc, "-y");
448 g_snprintf(sdlt, ARGV_NUMBER_LEN, "%s", linktype_val_to_name(interface_opts.linktype));
449 argv = sync_pipe_add_arg(argv, &argc, sdlt);
452 if (!interface_opts.promisc_mode) {
453 argv = sync_pipe_add_arg(argv, &argc, "-p");
456 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
457 if (interface_opts.buffer_size != 1) {
458 argv = sync_pipe_add_arg(argv, &argc, "-B");
459 g_snprintf(buffer_size, ARGV_NUMBER_LEN, "%d", interface_opts.buffer_size);
460 argv = sync_pipe_add_arg(argv, &argc, buffer_size);
464 if (interface_opts.monitor_mode) {
465 argv = sync_pipe_add_arg(argv, &argc, "-I");
468 #ifdef HAVE_PCAP_REMOTE
469 if (interface_opts.datatx_udp)
470 argv = sync_pipe_add_arg(argv, &argc, "-u");
472 if (!interface_opts.nocap_rpcap)
473 argv = sync_pipe_add_arg(argv, &argc, "-r");
475 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
476 argv = sync_pipe_add_arg(argv, &argc, "-A");
477 g_snprintf(sauth, sizeof(sauth), "%s:%s",
478 interface_opts.auth_username,
479 interface_opts.auth_password);
480 argv = sync_pipe_add_arg(argv, &argc, sauth);
484 #ifdef HAVE_PCAP_SETSAMPLING
485 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
486 argv = sync_pipe_add_arg(argv, &argc, "-m");
487 g_snprintf(ssampling, ARGV_NUMBER_LEN, "%s:%d",
488 interface_opts.sampling_method == CAPTURE_SAMP_BY_COUNT ? "count" :
489 interface_opts.sampling_method == CAPTURE_SAMP_BY_TIMER ? "timer" :
491 interface_opts.sampling_param);
492 argv = sync_pipe_add_arg(argv, &argc, ssampling);
497 /* dumpcap should be running in capture child mode (hidden feature) */
499 argv = sync_pipe_add_arg(argv, &argc, "-Z");
501 g_snprintf(control_id, ARGV_NUMBER_LEN, "%d", GetCurrentProcessId());
502 argv = sync_pipe_add_arg(argv, &argc, control_id);
504 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
508 if (capture_opts->save_file) {
509 argv = sync_pipe_add_arg(argv, &argc, "-w");
510 argv = sync_pipe_add_arg(argv, &argc, capture_opts->save_file);
512 for (i = 0; i < argc; i++) {
513 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "argv[%d]: %s", i, argv[i]);
517 /* init SECURITY_ATTRIBUTES */
518 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
519 sa.bInheritHandle = TRUE;
520 sa.lpSecurityDescriptor = NULL;
522 /* Create a pipe for the child process */
523 /* (increase this value if you have trouble while fast capture file switches) */
524 if (! CreatePipe(&sync_pipe_read, &sync_pipe_write, &sa, 5120)) {
525 /* Couldn't create the pipe between parent and child. */
526 report_failure("Couldn't create sync pipe: %s",
527 win32strerror(GetLastError()));
528 for (i = 0; i < argc; i++) {
529 g_free( (gpointer) argv[i]);
531 g_free( (gpointer) argv);
535 /* Create the signal pipe */
536 signal_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, control_id);
537 signal_pipe = CreateNamedPipe(utf_8to16(signal_pipe_name),
538 PIPE_ACCESS_OUTBOUND, PIPE_TYPE_BYTE, 1, 65535, 65535, 0, NULL);
539 g_free(signal_pipe_name);
541 if (signal_pipe == INVALID_HANDLE_VALUE) {
542 /* Couldn't create the signal pipe between parent and child. */
543 report_failure("Couldn't create signal pipe: %s",
544 win32strerror(GetLastError()));
545 for (i = 0; i < argc; i++) {
546 g_free( (gpointer) argv[i]);
548 g_free( (gpointer) argv);
552 /* init STARTUPINFO */
553 memset(&si, 0, sizeof(si));
556 si.dwFlags = STARTF_USESHOWWINDOW;
557 si.wShowWindow = SW_SHOW;
559 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
560 si.wShowWindow = SW_HIDE; /* this hides the console window */
561 si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
562 si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
563 si.hStdError = sync_pipe_write;
564 /*si.hStdError = (HANDLE) _get_osfhandle(2);*/
567 /* convert args array into a single string */
568 /* XXX - could change sync_pipe_add_arg() instead */
569 /* there is a drawback here: the length is internally limited to 1024 bytes */
570 for(i=0; argv[i] != 0; i++) {
571 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
572 quoted_arg = protect_arg(argv[i]);
573 g_string_append(args, quoted_arg);
578 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
579 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
580 report_failure("Couldn't run %s in child process: %s",
581 args->str, win32strerror(GetLastError()));
582 CloseHandle(sync_pipe_read);
583 CloseHandle(sync_pipe_write);
584 for (i = 0; i < argc; i++) {
585 g_free( (gpointer) argv[i]);
587 g_free( (gpointer) argv);
590 capture_opts->fork_child = (int) pi.hProcess;
591 g_string_free(args, TRUE);
593 /* associate the operating system filehandle to a C run-time file handle */
594 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
595 sync_pipe_read_fd = _open_osfhandle( (long) sync_pipe_read, _O_BINARY);
597 /* associate the operating system filehandle to a C run-time file handle */
598 capture_opts->signal_pipe_write_fd = _open_osfhandle( (long) signal_pipe, _O_BINARY);
601 if (pipe(sync_pipe) < 0) {
602 /* Couldn't create the pipe between parent and child. */
603 report_failure("Couldn't create sync pipe: %s", g_strerror(errno));
604 for (i = 0; i < argc; i++) {
605 g_free( (gpointer) argv[i]);
611 if ((capture_opts->fork_child = fork()) == 0) {
613 * Child process - run dumpcap with the right arguments to make
614 * it just capture with the specified capture parameters
616 dup2(sync_pipe[PIPE_WRITE], 2);
617 ws_close(sync_pipe[PIPE_READ]);
618 execv(argv[0], (gpointer)argv);
619 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
620 argv[0], g_strerror(errno));
621 sync_pipe_errmsg_to_parent(2, errmsg, "");
623 /* Exit with "_exit()", so that we don't close the connection
624 to the X server (and cause stuff buffered up by our parent but
625 not yet sent to be sent, as that stuff should only be sent by
626 our parent). We've sent an error message to the parent, so
627 we exit with an exit status of 1 (any exit status other than
628 0 or 1 will cause an additional message to report that exit
629 status, over and above the error message we sent to the parent). */
633 sync_pipe_read_fd = sync_pipe[PIPE_READ];
636 for (i = 0; i < argc; i++) {
637 g_free( (gpointer) argv[i]);
640 /* Parent process - read messages from the child process over the
642 g_free( (gpointer) argv); /* free up arg array */
644 /* Close the write side of the pipe, so that only the child has it
645 open, and thus it completely closes, and thus returns to us
646 an EOF indication, if the child closes it (either deliberately
647 or by exiting abnormally). */
649 CloseHandle(sync_pipe_write);
651 ws_close(sync_pipe[PIPE_WRITE]);
654 if (capture_opts->fork_child == -1) {
655 /* We couldn't even create the child process. */
656 report_failure("Couldn't create child process: %s", g_strerror(errno));
657 ws_close(sync_pipe_read_fd);
659 ws_close(capture_opts->signal_pipe_write_fd);
664 capture_opts->fork_child_status = 0;
666 /* we might wait for a moment till child is ready, so update screen now */
667 main_window_update();
669 /* We were able to set up to read the capture file;
670 arrange that our callback be called whenever it's possible
671 to read from the sync pipe, so that it's called when
672 the child process wants to tell us something. */
674 /* we have a running capture, now wait for the real capture filename */
675 pipe_input_set_handler(sync_pipe_read_fd, (gpointer) capture_opts,
676 &capture_opts->fork_child, sync_pipe_input_cb);
682 * Open two pipes to dumpcap with the supplied arguments, one for its
683 * standard output and one for its standard error.
685 * On success, *msg is unchanged and 0 is returned; data_read_fd,
686 * messsage_read_fd, and fork_child point to the standard output pipe's
687 * file descriptor, the standard error pipe's file descriptor, and
688 * the child's PID/handle, respectively.
690 * On failure, *msg points to an error message for the failure, and -1 is
691 * returned, in which case *msg must be freed with g_free().
693 /* XXX - This duplicates a lot of code in sync_pipe_start() */
694 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
695 #define PIPE_BUF_SIZE 5120
697 sync_pipe_open_command(const char** argv, int *data_read_fd,
698 int *message_read_fd, int *fork_child, gchar **msg)
700 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
702 HANDLE sync_pipe[2]; /* pipe used to send messages from child to parent */
703 HANDLE data_pipe[2]; /* pipe used to send data from child to parent */
704 GString *args = g_string_sized_new(200);
706 SECURITY_ATTRIBUTES sa;
708 PROCESS_INFORMATION pi;
711 int sync_pipe[2]; /* pipe used to send messages from child to parent */
712 int data_pipe[2]; /* pipe used to send data from child to parent */
717 *message_read_fd = -1;
718 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_open_command");
721 /* We can't return anything */
723 g_string_free(args, TRUE);
729 /* init SECURITY_ATTRIBUTES */
730 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
731 sa.bInheritHandle = TRUE;
732 sa.lpSecurityDescriptor = NULL;
734 /* Create a pipe for the child process to send us messages */
735 /* (increase this value if you have trouble while fast capture file switches) */
736 if (! CreatePipe(&sync_pipe[PIPE_READ], &sync_pipe[PIPE_WRITE], &sa, 5120)) {
737 /* Couldn't create the message pipe between parent and child. */
738 *msg = g_strdup_printf("Couldn't create sync pipe: %s",
739 win32strerror(GetLastError()));
740 for (i = 0; argv[i] != NULL; i++) {
741 g_free( (gpointer) argv[i]);
743 g_free( (gpointer) argv);
747 /* Create a pipe for the child process to send us data */
748 /* (increase this value if you have trouble while fast capture file switches) */
749 if (! CreatePipe(&data_pipe[PIPE_READ], &data_pipe[PIPE_WRITE], &sa, 5120)) {
750 /* Couldn't create the message pipe between parent and child. */
751 *msg = g_strdup_printf("Couldn't create data pipe: %s",
752 win32strerror(GetLastError()));
753 CloseHandle(sync_pipe[PIPE_READ]);
754 CloseHandle(sync_pipe[PIPE_WRITE]);
755 for (i = 0; argv[i] != NULL; i++) {
756 g_free( (gpointer) argv[i]);
758 g_free( (gpointer) argv);
762 /* init STARTUPINFO */
763 memset(&si, 0, sizeof(si));
766 si.dwFlags = STARTF_USESHOWWINDOW;
767 si.wShowWindow = SW_SHOW;
769 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
770 si.wShowWindow = SW_HIDE; /* this hides the console window */
772 si.hStdOutput = data_pipe[PIPE_WRITE];
773 si.hStdError = sync_pipe[PIPE_WRITE];
776 /* convert args array into a single string */
777 /* XXX - could change sync_pipe_add_arg() instead */
778 /* there is a drawback here: the length is internally limited to 1024 bytes */
779 for(i=0; argv[i] != 0; i++) {
780 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
781 quoted_arg = protect_arg(argv[i]);
782 g_string_append(args, quoted_arg);
787 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
788 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
789 *msg = g_strdup_printf("Couldn't run %s in child process: %s",
790 args->str, win32strerror(GetLastError()));
791 CloseHandle(data_pipe[PIPE_READ]);
792 CloseHandle(data_pipe[PIPE_WRITE]);
793 CloseHandle(sync_pipe[PIPE_READ]);
794 CloseHandle(sync_pipe[PIPE_WRITE]);
795 for (i = 0; argv[i] != NULL; i++) {
796 g_free( (gpointer) argv[i]);
798 g_free( (gpointer) argv);
801 *fork_child = (int) pi.hProcess;
802 g_string_free(args, TRUE);
804 /* associate the operating system filehandles to C run-time file handles */
805 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
806 *data_read_fd = _open_osfhandle( (long) data_pipe[PIPE_READ], _O_BINARY);
807 *message_read_fd = _open_osfhandle( (long) sync_pipe[PIPE_READ], _O_BINARY);
809 /* Create a pipe for the child process to send us messages */
810 if (pipe(sync_pipe) < 0) {
811 /* Couldn't create the message pipe between parent and child. */
812 *msg = g_strdup_printf("Couldn't create sync pipe: %s", g_strerror(errno));
813 for (i = 0; argv[i] != NULL; i++) {
814 g_free( (gpointer) argv[i]);
820 /* Create a pipe for the child process to send us data */
821 if (pipe(data_pipe) < 0) {
822 /* Couldn't create the data pipe between parent and child. */
823 *msg = g_strdup_printf("Couldn't create data pipe: %s", g_strerror(errno));
824 ws_close(sync_pipe[PIPE_READ]);
825 ws_close(sync_pipe[PIPE_WRITE]);
826 for (i = 0; argv[i] != NULL; i++) {
827 g_free( (gpointer) argv[i]);
833 if ((*fork_child = fork()) == 0) {
835 * Child process - run dumpcap with the right arguments to make
836 * it just capture with the specified capture parameters
838 dup2(data_pipe[PIPE_WRITE], 1);
839 ws_close(data_pipe[PIPE_READ]);
840 ws_close(data_pipe[PIPE_WRITE]);
841 dup2(sync_pipe[PIPE_WRITE], 2);
842 ws_close(sync_pipe[PIPE_READ]);
843 ws_close(sync_pipe[PIPE_WRITE]);
844 execv(argv[0], (gpointer)argv);
845 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
846 argv[0], g_strerror(errno));
847 sync_pipe_errmsg_to_parent(2, errmsg, "");
849 /* Exit with "_exit()", so that we don't close the connection
850 to the X server (and cause stuff buffered up by our parent but
851 not yet sent to be sent, as that stuff should only be sent by
852 our parent). We've sent an error message to the parent, so
853 we exit with an exit status of 1 (any exit status other than
854 0 or 1 will cause an additional message to report that exit
855 status, over and above the error message we sent to the parent). */
859 *data_read_fd = data_pipe[PIPE_READ];
860 *message_read_fd = sync_pipe[PIPE_READ];
863 for (i = 0; argv[i] != NULL; i++) {
864 g_free( (gpointer) argv[i]);
867 /* Parent process - read messages from the child process over the
869 g_free( (gpointer) argv); /* free up arg array */
871 /* Close the write sides of the pipes, so that only the child has them
872 open, and thus they completely close, and thus return to us
873 an EOF indication, if the child closes them (either deliberately
874 or by exiting abnormally). */
876 CloseHandle(data_pipe[PIPE_WRITE]);
877 CloseHandle(sync_pipe[PIPE_WRITE]);
879 ws_close(data_pipe[PIPE_WRITE]);
880 ws_close(sync_pipe[PIPE_WRITE]);
883 if (*fork_child == -1) {
884 /* We couldn't even create the child process. */
885 *msg = g_strdup_printf("Couldn't create child process: %s", g_strerror(errno));
886 ws_close(*data_read_fd);
887 ws_close(*message_read_fd);
891 /* we might wait for a moment till child is ready, so update screen now */
892 main_window_update();
897 * Close the pipes we're using to read from dumpcap, and wait for it
898 * to exit. On success, *msgp is unchanged, and the exit status of
899 * dumpcap is returned. On failure (which includes "dumpcap exited
900 * due to being killed by a signal or an exception"), *msgp points
901 * to an error message for the failure, and -1 is returned. In the
902 * latter case, *msgp must be freed with g_free().
905 sync_pipe_close_command(int *data_read_fd, int *message_read_fd,
906 int *fork_child, gchar **msgp)
908 ws_close(*data_read_fd);
909 if (message_read_fd != NULL)
910 ws_close(*message_read_fd);
913 /* XXX - Should we signal the child somehow? */
914 sync_pipe_kill(*fork_child);
917 return sync_pipe_wait_for_child(*fork_child, msgp);
921 * Run dumpcap with the supplied arguments.
923 * On success, *data points to a buffer containing the dumpcap output,
924 * *primary_msg and *secondary_message are NULL, and 0 is returned; *data
925 * must be freed with g_free().
927 * On failure, *data is NULL, *primary_msg points to an error message,
928 * *secondary_msg either points to an additional error message or is
929 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
930 * must be freed with g_free().
932 /* XXX - This duplicates a lot of code in sync_pipe_start() */
933 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
934 #define PIPE_BUF_SIZE 5120
936 sync_pipe_run_command(const char** argv, gchar **data, gchar **primary_msg,
937 gchar **secondary_msg)
940 int data_pipe_read_fd, sync_pipe_read_fd, fork_child, ret;
942 gchar buffer[PIPE_BUF_SIZE+1];
946 char *primary_msg_text;
947 int secondary_msg_len;
948 char *secondary_msg_text;
950 GString *data_buf = NULL;
953 ret = sync_pipe_open_command(argv, &data_pipe_read_fd, &sync_pipe_read_fd,
957 *secondary_msg = NULL;
963 * We were able to set up to read dumpcap's output. Do so.
965 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
967 nread = pipe_read_block(sync_pipe_read_fd, &indicator, SP_MAX_MSG_LEN,
968 buffer, primary_msg);
970 /* We got a read error from the sync pipe, or we got no data at
971 all from the sync pipe, so we're not going to be getting any
972 data or error message from the child process. Pick up its
973 exit status, and complain.
975 We don't have to worry about killing the child, if the sync pipe
976 returned an error. Usually this error is caused as the child killed
977 itself while going down. Even in the rare cases that this isn't the
978 case, the child will get an error when writing to the broken pipe
979 the next time, cleaning itself up then. */
980 ret = sync_pipe_wait_for_child(fork_child, &wait_msg);
982 /* We got an EOF from the sync pipe. That means that it exited
983 before giving us any data to read. If ret is -1, we report
984 that as a bad exit (e.g., exiting due to a signal); otherwise,
985 we report it as a premature exit. */
987 *primary_msg = wait_msg;
989 *primary_msg = g_strdup("Child dumpcap closed sync pipe prematurely");
991 /* We got an error from the sync pipe. If ret is -1, report
992 both the sync pipe I/O error and the wait error. */
994 combined_msg = g_strdup_printf("%s\n\n%s", *primary_msg, wait_msg);
995 g_free(*primary_msg);
997 *primary_msg = combined_msg;
1000 *secondary_msg = NULL;
1005 /* we got a valid message block from the child, process it */
1010 * Error from dumpcap; there will be a primary message and a
1011 * secondary message.
1014 /* convert primary message */
1015 pipe_convert_header(buffer, 4, &indicator, &primary_msg_len);
1016 primary_msg_text = buffer+4;
1017 /* convert secondary message */
1018 pipe_convert_header(primary_msg_text + primary_msg_len, 4, &indicator,
1019 &secondary_msg_len);
1020 secondary_msg_text = primary_msg_text + primary_msg_len + 4;
1021 /* the capture child will close the sync_pipe, nothing to do */
1024 * Pick up the child status.
1026 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1030 * Child process failed unexpectedly, or wait failed; msg is the
1034 *secondary_msg = NULL;
1037 * Child process failed, but returned the expected exit status.
1038 * Return the messages it gave us, and indicate failure.
1040 *primary_msg = g_strdup(primary_msg_text);
1041 *secondary_msg = g_strdup(secondary_msg_text);
1048 /* read the output from the command */
1049 data_buf = g_string_new("");
1050 while ((count = ws_read(data_pipe_read_fd, buffer, PIPE_BUF_SIZE)) > 0) {
1051 buffer[count] = '\0';
1052 g_string_append(data_buf, buffer);
1056 * Pick up the child status.
1058 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1062 * Child process failed unexpectedly, or wait failed; msg is the
1066 *secondary_msg = NULL;
1067 g_string_free(data_buf, TRUE);
1071 * Child process succeeded.
1073 *primary_msg = NULL;
1074 *secondary_msg = NULL;
1075 *data = data_buf->str;
1076 g_string_free(data_buf, FALSE);
1082 * Pick up the child status.
1084 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1088 * Child process failed unexpectedly, or wait failed; msg is the
1092 *secondary_msg = NULL;
1095 * Child process returned an unknown status.
1097 *primary_msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1099 *secondary_msg = NULL;
1109 * Get the list of interfaces using dumpcap.
1111 * On success, *data points to a buffer containing the dumpcap output,
1112 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1113 * must be freed with g_free().
1115 * On failure, *data is NULL, *primary_msg points to an error message,
1116 * *secondary_msg either points to an additional error message or is
1117 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1118 * must be freed with g_free().
1121 sync_interface_list_open(gchar **data, gchar **primary_msg,
1122 gchar **secondary_msg)
1127 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_list_open");
1129 argv = init_pipe_args(&argc);
1132 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1133 *secondary_msg = NULL;
1138 /* Ask for the interface list */
1139 argv = sync_pipe_add_arg(argv, &argc, "-D");
1142 /* Run dumpcap in capture child mode */
1143 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1144 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1146 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1150 * Get the capabilities of an interface using dumpcap.
1152 * On success, *data points to a buffer containing the dumpcap output,
1153 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1154 * must be freed with g_free().
1156 * On failure, *data is NULL, *primary_msg points to an error message,
1157 * *secondary_msg either points to an additional error message or is
1158 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1159 * must be freed with g_free().
1162 sync_if_capabilities_open(const gchar *ifname, gboolean monitor_mode,
1163 gchar **data, gchar **primary_msg,
1164 gchar **secondary_msg)
1169 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_linktype_list_open");
1171 argv = init_pipe_args(&argc);
1174 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1175 *secondary_msg = NULL;
1180 /* Ask for the interface capabilities */
1181 argv = sync_pipe_add_arg(argv, &argc, "-i");
1182 argv = sync_pipe_add_arg(argv, &argc, ifname);
1183 argv = sync_pipe_add_arg(argv, &argc, "-L");
1185 argv = sync_pipe_add_arg(argv, &argc, "-I");
1188 /* Run dumpcap in capture child mode */
1189 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1190 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1192 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1196 * Start getting interface statistics using dumpcap. On success, read_fd
1197 * contains the file descriptor for the pipe's stdout, *msg is unchanged,
1198 * and zero is returned. On failure, *msg will point to an error message
1199 * that must be g_free()d, and -1 will be returned.
1202 sync_interface_stats_open(int *data_read_fd, int *fork_child, gchar **msg)
1206 int message_read_fd, ret;
1208 gchar buffer[PIPE_BUF_SIZE+1];
1211 int primary_msg_len;
1212 char *primary_msg_text;
1213 int secondary_msg_len;
1214 /*char *secondary_msg_text;*/
1217 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_stats_open");
1219 argv = init_pipe_args(&argc);
1222 *msg = g_strdup("We don't know where to find dumpcap.");
1226 /* Ask for the interface statistics */
1227 argv = sync_pipe_add_arg(argv, &argc, "-S");
1230 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1231 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1233 ret = sync_pipe_open_command(argv, data_read_fd, &message_read_fd,
1239 * We were able to set up to read dumpcap's output. Do so.
1241 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
1243 nread = pipe_read_block(message_read_fd, &indicator, SP_MAX_MSG_LEN,
1246 /* We got a read error from the sync pipe, or we got no data at
1247 all from the sync pipe, so we're not going to be getting any
1248 data or error message from the child process. Pick up its
1249 exit status, and complain.
1251 We don't have to worry about killing the child, if the sync pipe
1252 returned an error. Usually this error is caused as the child killed
1253 itself while going down. Even in the rare cases that this isn't the
1254 case, the child will get an error when writing to the broken pipe
1255 the next time, cleaning itself up then. */
1256 ret = sync_pipe_wait_for_child(*fork_child, &wait_msg);
1258 /* We got an EOF from the sync pipe. That means that it exited
1259 before giving us any data to read. If ret is -1, we report
1260 that as a bad exit (e.g., exiting due to a signal); otherwise,
1261 we report it as a premature exit. */
1265 *msg = g_strdup("Child dumpcap closed sync pipe prematurely");
1267 /* We got an error from the sync pipe. If ret is -1, report
1268 both the sync pipe I/O error and the wait error. */
1270 combined_msg = g_strdup_printf("%s\n\n%s", *msg, wait_msg);
1273 *msg = combined_msg;
1280 /* we got a valid message block from the child, process it */
1285 * Error from dumpcap; there will be a primary message and a
1286 * secondary message.
1289 /* convert primary message */
1290 pipe_convert_header(buffer, 4, &indicator, &primary_msg_len);
1291 primary_msg_text = buffer+4;
1292 /* convert secondary message */
1293 pipe_convert_header(primary_msg_text + primary_msg_len, 4, &indicator,
1294 &secondary_msg_len);
1295 /*secondary_msg_text = primary_msg_text + primary_msg_len + 4;*/
1296 /* the capture child will close the sync_pipe, nothing to do */
1299 * Pick up the child status.
1301 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1305 * Child process failed unexpectedly, or wait failed; msg is the
1310 * Child process failed, but returned the expected exit status.
1311 * Return the messages it gave us, and indicate failure.
1313 *msg = g_strdup(primary_msg_text);
1319 /* Close the message pipe. */
1320 ws_close(message_read_fd);
1325 * Pick up the child status.
1327 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1331 * Child process failed unexpectedly, or wait failed; msg is the
1336 * Child process returned an unknown status.
1338 *msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1347 /* Close down the stats process */
1349 sync_interface_stats_close(int *read_fd, int *fork_child, gchar **msg)
1351 return sync_pipe_close_command(read_fd, NULL, fork_child, msg);
1354 /* read a number of bytes from a pipe */
1355 /* (blocks until enough bytes read or an error occurs) */
1357 pipe_read_bytes(int pipe_fd, char *bytes, int required, char **msg)
1364 newly = read(pipe_fd, &bytes[offset], required);
1367 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1368 "read from pipe %d: EOF (capture closed?)", pipe_fd);
1375 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1376 "read from pipe %d: error(%u): %s", pipe_fd, error,
1378 *msg = g_strdup_printf("Error reading from sync pipe: %s",
1391 static gboolean pipe_data_available(int pipe_fd) {
1392 #ifdef _WIN32 /* PeekNamedPipe */
1393 HANDLE hPipe = (HANDLE) _get_osfhandle(pipe_fd);
1396 if (hPipe == INVALID_HANDLE_VALUE)
1399 if (! PeekNamedPipe(hPipe, NULL, 0, NULL, &bytes_avail, NULL))
1402 if (bytes_avail > 0)
1407 struct timeval timeout;
1410 FD_SET(pipe_fd, &rfds);
1412 timeout.tv_usec = 0;
1414 if (select(pipe_fd+1, &rfds, NULL, NULL, &timeout) > 0)
1421 /* Read a line from a pipe, similar to fgets */
1423 sync_pipe_gets_nonblock(int pipe_fd, char *bytes, int max) {
1427 while(offset < max - 1) {
1429 if (! pipe_data_available(pipe_fd))
1431 newly = read(pipe_fd, &bytes[offset], 1);
1433 /* EOF - not necessarily an error */
1435 } else if (newly < 0) {
1437 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1438 "read from pipe %d: error(%u): %s", pipe_fd, errno, g_strerror(errno));
1440 } else if (bytes[offset] == '\n') {
1446 bytes[offset] = '\0';
1452 /* convert header values (indicator and 3-byte length) */
1454 pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len) {
1456 g_assert(header_len == 4);
1458 /* convert header values */
1459 *indicator = header[0];
1460 *block_len = header[1]<<16 | header[2]<<8 | header[3];
1463 /* read a message from the sending pipe in the standard format
1464 (1-byte message indicator, 3-byte message length (excluding length
1465 and indicator field), and the rest is the message) */
1467 pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
1474 /* read header (indicator and 3-byte length) */
1475 newly = pipe_read_bytes(pipe_fd, header, 4, err_msg);
1479 * Immediate EOF; if the capture child exits normally, this
1480 * is an "I'm done" indication, so don't report it as an
1483 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1484 "read %d got an EOF", pipe_fd);
1487 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1488 "read %d failed to read header: %u", pipe_fd, newly);
1491 * Short read, but not an immediate EOF.
1493 *err_msg = g_strdup_printf("Premature EOF reading from sync pipe: got only %d bytes",
1499 /* convert header values */
1500 pipe_convert_header(header, 4, indicator, &required);
1502 /* only indicator with no value? */
1504 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1505 "read %d indicator: %c empty value", pipe_fd, *indicator);
1509 /* does the data fit into the given buffer? */
1510 if(required > len) {
1511 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1512 "read %d length error, required %d > len %d, indicator: %u",
1513 pipe_fd, required, len, *indicator);
1515 /* we have a problem here, try to read some more bytes from the pipe to debug where the problem really is */
1516 memcpy(msg, header, sizeof(header));
1517 newly = read(pipe_fd, &msg[sizeof(header)], len-sizeof(header));
1518 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1524 /* read the actual block data */
1525 newly = pipe_read_bytes(pipe_fd, msg, required, err_msg);
1526 if(newly != required) {
1528 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1534 /* XXX If message is "2part", the msg probably won't be sent to debug log correctly */
1535 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1536 "read %d ok indicator: %c len: %u msg: %s", pipe_fd, *indicator,
1543 /* There's stuff to read from the sync pipe, meaning the child has sent
1544 us a message, or the sync pipe has closed, meaning the child has
1545 closed it (perhaps because it exited). */
1547 sync_pipe_input_cb(gint source, gpointer user_data)
1549 capture_options *capture_opts = (capture_options *)user_data;
1551 char buffer[SP_MAX_MSG_LEN+1];
1557 char *secondary_msg;
1558 char *wait_msg, *combined_msg;
1560 nread = pipe_read_block(source, &indicator, SP_MAX_MSG_LEN, buffer,
1563 /* We got a read error, or a bad message, or an EOF, from the sync pipe.
1565 If we got a read error or a bad message, nread is -1 and
1566 primary_msg is set to point to an error message. We don't
1567 have to worry about killing the child; usually this error
1568 is caused as the child killed itself while going down.
1569 Even in the rare cases that this isn't the case, the child
1570 will get an error when writing to the broken pipe the next time,
1571 cleaning itself up then.
1573 If we got an EOF, nread is 0 and primary_msg isn't set. This
1574 is an indication that the capture is finished. */
1575 ret = sync_pipe_wait_for_child(capture_opts->fork_child, &wait_msg);
1577 /* We got an EOF from the sync pipe. That means that the capture
1578 child exited, and not in the middle of a message; we treat
1579 that as an indication that it's done, and only report an
1580 error if ret is -1, in which case wait_msg is the error
1583 primary_msg = wait_msg;
1585 /* We got an error from the sync pipe. If ret is -1, report
1586 both the sync pipe I/O error and the wait error. */
1588 combined_msg = g_strdup_printf("%s\n\n%s", primary_msg, wait_msg);
1589 g_free(primary_msg);
1591 primary_msg = combined_msg;
1595 /* No more child process. */
1596 capture_opts->fork_child = -1;
1597 capture_opts->fork_child_status = ret;
1600 ws_close(capture_opts->signal_pipe_write_fd);
1602 capture_input_closed(capture_opts, primary_msg);
1603 g_free(primary_msg);
1607 /* we got a valid message block from the child, process it */
1610 if(!capture_input_new_file(capture_opts, buffer)) {
1611 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: file failed, closing capture");
1613 /* We weren't able to open the new capture file; user has been
1614 alerted. Close the sync pipe. */
1617 /* The child has sent us a filename which we couldn't open.
1619 This could mean that the child is creating files faster
1620 than we can handle it. (XXX - why would that result in
1621 a failure to open the file?)
1623 That should only be the case for very fast file switches;
1624 We can't do much more than telling the child to stop.
1625 (This is the "emergency brake" if the user e.g. wants to
1626 switch files every second).
1628 This can also happen if the user specified "-", meaning
1629 "standard output", as the capture file. */
1630 sync_pipe_stop(capture_opts);
1631 capture_input_closed(capture_opts, NULL);
1635 case SP_PACKET_COUNT:
1636 nread = atoi(buffer);
1637 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: new packets %u", nread);
1638 capture_input_new_packets(capture_opts, nread);
1641 /* convert primary message */
1642 pipe_convert_header(buffer, 4, &indicator, &primary_len);
1643 primary_msg = buffer+4;
1644 /* convert secondary message */
1645 pipe_convert_header(primary_msg + primary_len, 4, &indicator, &secondary_len);
1646 secondary_msg = primary_msg + primary_len + 4;
1647 /* message output */
1648 capture_input_error_message(capture_opts, primary_msg, secondary_msg);
1649 /* the capture child will close the sync_pipe, nothing to do for now */
1650 /* (an error message doesn't mean we have to stop capturing) */
1652 case SP_BAD_FILTER: {
1656 ch = strtok(buffer, ":");
1657 index = (int)strtol(ch, NULL, 10);
1658 ch = strtok(NULL, ":");
1659 capture_input_cfilter_error_message(capture_opts, index, ch);
1660 /* the capture child will close the sync_pipe, nothing to do for now */
1664 capture_input_drops(capture_opts, (guint32)strtoul(buffer, NULL, 10));
1667 g_assert_not_reached();
1676 * dumpcap is exiting; wait for it to exit. On success, *msgp is
1677 * unchanged, and the exit status of dumpcap is returned. On
1678 * failure (which includes "dumpcap exited due to being killed by
1679 * a signal or an exception"), *msgp points to an error message
1680 * for the failure, and -1 is returned. In the latter case, *msgp
1681 * must be freed with g_free().
1684 sync_pipe_wait_for_child(int fork_child, gchar **msgp)
1686 int fork_child_status;
1689 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: wait till child closed");
1690 g_assert(fork_child != -1);
1692 *msgp = NULL; /* assume no error */
1694 if (_cwait(&fork_child_status, fork_child, _WAIT_CHILD) == -1) {
1695 *msgp = g_strdup_printf("Error from cwait(): %s", g_strerror(errno));
1699 * The child exited; return its exit status. Do not treat this as
1702 ret = fork_child_status;
1703 if ((fork_child_status & 0xC0000000) == ERROR_SEVERITY_ERROR) {
1704 /* Probably an exception code */
1705 *msgp = g_strdup_printf("Child dumpcap process died: %s",
1706 win32strexception(fork_child_status));
1711 if (waitpid(fork_child, &fork_child_status, 0) != -1) {
1712 if (WIFEXITED(fork_child_status)) {
1714 * The child exited; return its exit status. Do not treat this as
1717 ret = WEXITSTATUS(fork_child_status);
1718 } else if (WIFSTOPPED(fork_child_status)) {
1719 /* It stopped, rather than exiting. "Should not happen." */
1720 *msgp = g_strdup_printf("Child dumpcap process stopped: %s",
1721 sync_pipe_signame(WSTOPSIG(fork_child_status)));
1723 } else if (WIFSIGNALED(fork_child_status)) {
1724 /* It died with a signal. */
1725 *msgp = g_strdup_printf("Child dumpcap process died: %s%s",
1726 sync_pipe_signame(WTERMSIG(fork_child_status)),
1727 WCOREDUMP(fork_child_status) ? " - core dumped" : "");
1730 /* What? It had to either have exited, or stopped, or died with
1731 a signal; what happened here? */
1732 *msgp = g_strdup_printf("Bad status from waitpid(): %#o",
1737 *msgp = g_strdup_printf("Error from waitpid(): %s", g_strerror(errno));
1742 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: capture child closed");
1748 /* convert signal to corresponding name */
1750 sync_pipe_signame(int sig)
1753 static char sigmsg_buf[6+1+3+1];
1762 sigmsg = "Interrupted";
1770 sigmsg = "Illegal instruction";
1774 sigmsg = "Trace trap";
1782 sigmsg = "Arithmetic exception";
1790 sigmsg = "Bus error";
1794 sigmsg = "Segmentation violation";
1797 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
1798 Linux is POSIX compliant. These are not POSIX-defined signals ---
1799 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
1801 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
1802 were omitted from POSIX.1 because their behavior is
1803 implementation dependent and could not be adequately catego-
1804 rized. Conforming implementations may deliver these sig-
1805 nals, but must document the circumstances under which they
1806 are delivered and note any restrictions concerning their
1809 So we only check for SIGSYS on those systems that happen to
1810 implement them (a system can be POSIX-compliant and implement
1811 them, it's just that POSIX doesn't *require* a POSIX-compliant
1812 system to implement them).
1817 sigmsg = "Bad system call";
1822 sigmsg = "Broken pipe";
1826 sigmsg = "Alarm clock";
1830 sigmsg = "Terminated";
1834 /* Returning a static buffer is ok in the context we use it here */
1835 g_snprintf(sigmsg_buf, sizeof sigmsg_buf, "Signal %d", sig);
1836 sigmsg = sigmsg_buf;
1845 /* tell the child through the signal pipe that we want to quit the capture */
1847 signal_pipe_capquit_to_child(capture_options *capture_opts)
1849 const char quit_msg[] = "QUIT";
1853 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");
1855 /* it doesn't matter *what* we send here, the first byte will stop the capture */
1856 /* simply sending a "QUIT" string */
1857 /*pipe_write_block(capture_opts->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
1858 ret = write(capture_opts->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
1860 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1861 "signal_pipe_capquit_to_child: %d header: error %s", capture_opts->signal_pipe_write_fd, g_strerror(errno));
1867 /* user wants to stop the capture run */
1869 sync_pipe_stop(capture_options *capture_opts)
1874 gboolean terminate = TRUE;
1877 if (capture_opts->fork_child != -1) {
1879 /* send the SIGINT signal to close the capture child gracefully. */
1880 int sts = kill(capture_opts->fork_child, SIGINT);
1882 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1883 "Sending SIGINT to child failed: %s\n", g_strerror(errno));
1886 #define STOP_SLEEP_TIME 500 /* ms */
1887 #define STOP_CHECK_TIME 50
1888 /* First, use the special signal pipe to try to close the capture child
1891 signal_pipe_capquit_to_child(capture_opts);
1893 /* Next, wait for the process to exit on its own */
1894 for (count = 0; count < STOP_SLEEP_TIME / STOP_CHECK_TIME; count++) {
1895 if (GetExitCodeProcess((HANDLE) capture_opts->fork_child, &childstatus) &&
1896 childstatus != STILL_ACTIVE) {
1900 Sleep(STOP_CHECK_TIME);
1903 /* Force the issue. */
1905 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1906 "sync_pipe_stop: forcing child to exit");
1907 sync_pipe_kill(capture_opts->fork_child);
1914 /* Wireshark has to exit, force the capture child to close */
1916 sync_pipe_kill(int fork_child)
1918 if (fork_child != -1) {
1920 int sts = kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
1922 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1923 "Sending SIGTERM to child failed: %s\n", g_strerror(errno));
1926 /* Remark: This is not the preferred method of closing a process!
1927 * the clean way would be getting the process id of the child process,
1928 * then getting window handle hWnd of that process (using EnumChildWindows),
1929 * and then do a SendMessage(hWnd, WM_CLOSE, 0, 0)
1931 * Unfortunately, I don't know how to get the process id from the
1932 * handle. OpenProcess will get an handle (not a window handle)
1933 * from the process ID; it will not get a window handle from the
1934 * process ID. (How could it? A process can have more than one
1935 * window. For that matter, a process might have *no* windows,
1936 * as a process running dumpcap, the normal child process program,
1939 * Hint: GenerateConsoleCtrlEvent() will only work if both processes are
1940 * running in the same console; that's not necessarily the case for
1941 * us, as we might not be running in a console.
1942 * And this also will require to have the process id.
1944 TerminateProcess((HANDLE) (fork_child), 0);
1949 #endif /* HAVE_LIBPCAP */