2 * Synchronisation between Wireshark capture parent and child instances
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
45 #include <wsutil/unicode-utils.h>
48 #ifdef HAVE_SYS_WAIT_H
49 # include <sys/wait.h>
52 #include "capture-pcap-util.h"
56 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
57 * macros) on UNIX systems that don't have them.
60 # define WIFEXITED(status) (((status) & 0177) == 0)
63 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
66 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
69 # define WEXITSTATUS(status) ((status) >> 8)
72 # define WTERMSIG(status) ((status) & 0177)
75 # define WCOREDUMP(status) ((status) & 0200)
78 # define WSTOPSIG(status) ((status) >> 8)
82 #include <epan/packet.h>
83 #include <epan/prefs.h>
87 #include <epan/filesystem.h>
88 #include <epan/report_err.h>
91 #include "capture_sync.h"
93 #include "sync_pipe.h"
96 #include "capture-wpcap.h"
99 #include "ui/ui_util.h"
101 #include <wsutil/file_util.h>
105 #include <process.h> /* For spawning child process */
111 static const char *sync_pipe_signame(int);
115 static gboolean sync_pipe_input_cb(gint source, gpointer user_data);
116 static int sync_pipe_wait_for_child(int fork_child, gchar **msgp);
117 static void pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len);
118 static int pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
123 /* Append an arg (realloc) to an argc/argv array */
124 /* (add a string pointer to a NULL-terminated array of string pointers) */
126 sync_pipe_add_arg(const char **args, int *argc, const char *arg)
128 /* Grow the array; "*argc" currently contains the number of string
129 pointers, *not* counting the NULL pointer at the end, so we have
130 to add 2 in order to get the new size of the array, including the
131 new pointer and the terminating NULL pointer. */
132 args = g_realloc( (gpointer) args, (*argc + 2) * sizeof (char *));
134 /* Stuff the pointer into the penultimate element of the array, which
135 is the one at the index specified by "*argc". */
136 args[*argc] = g_strdup(arg);
137 /* Now bump the count. */
140 /* We overwrite the NULL pointer; put it back right after the
150 /* Quote the argument element if necessary, so that it will get
151 * reconstructed correctly in the C runtime startup code. Note that
152 * the unquoting algorithm in the C runtime is really weird, and
153 * rather different than what Unix shells do. See stdargv.c in the C
154 * runtime sources (in the Platform SDK, in src/crt).
156 * Stolen from GLib's protect_argv(), an internal routine that quotes
157 * string in an argument list so that they arguments will be handled
158 * correctly in the command-line string passed to CreateProcess()
159 * if that string is constructed by gluing those strings together.
162 protect_arg (const gchar *argv)
165 const gchar *p = argv;
168 gboolean need_dblquotes = FALSE;
171 if (*p == ' ' || *p == '\t')
172 need_dblquotes = TRUE;
175 else if (*p == '\\') {
178 while (*pp && *pp == '\\')
187 q = new_arg = g_malloc (len + need_dblquotes*2 + 1);
196 else if (*p == '\\') {
199 while (*pp && *pp == '\\')
216 * Generate a string for a Win32 error.
218 #define ERRBUF_SIZE 1024
220 win32strerror(DWORD error)
222 static char errbuf[ERRBUF_SIZE+1];
226 FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
227 NULL, error, 0, errbuf, ERRBUF_SIZE, NULL);
230 * "FormatMessage()" "helpfully" sticks CR/LF at the end of the
231 * message. Get rid of it.
233 errlen = strlen(errbuf);
235 errbuf[errlen - 1] = '\0';
236 errbuf[errlen - 2] = '\0';
238 p = strchr(errbuf, '\0');
239 g_snprintf(p, (gulong)(sizeof errbuf - (p-errbuf)), " (%lu)", error);
244 * Generate a string for a Win32 exception code.
247 win32strexception(DWORD exception)
249 static char errbuf[ERRBUF_SIZE+1];
250 static const struct exception_msg {
254 { EXCEPTION_ACCESS_VIOLATION, "Access violation" },
255 { EXCEPTION_ARRAY_BOUNDS_EXCEEDED, "Array bounds exceeded" },
256 { EXCEPTION_BREAKPOINT, "Breakpoint" },
257 { EXCEPTION_DATATYPE_MISALIGNMENT, "Data type misalignment" },
258 { EXCEPTION_FLT_DENORMAL_OPERAND, "Denormal floating-point operand" },
259 { EXCEPTION_FLT_DIVIDE_BY_ZERO, "Floating-point divide by zero" },
260 { EXCEPTION_FLT_INEXACT_RESULT, "Floating-point inexact result" },
261 { EXCEPTION_FLT_INVALID_OPERATION, "Invalid floating-point operation" },
262 { EXCEPTION_FLT_OVERFLOW, "Floating-point overflow" },
263 { EXCEPTION_FLT_STACK_CHECK, "Floating-point stack check" },
264 { EXCEPTION_FLT_UNDERFLOW, "Floating-point underflow" },
265 { EXCEPTION_GUARD_PAGE, "Guard page violation" },
266 { EXCEPTION_ILLEGAL_INSTRUCTION, "Illegal instruction" },
267 { EXCEPTION_IN_PAGE_ERROR, "Page-in error" },
268 { EXCEPTION_INT_DIVIDE_BY_ZERO, "Integer divide by zero" },
269 { EXCEPTION_INT_OVERFLOW, "Integer overflow" },
270 { EXCEPTION_INVALID_DISPOSITION, "Invalid disposition" },
271 { EXCEPTION_INVALID_HANDLE, "Invalid handle" },
272 { EXCEPTION_NONCONTINUABLE_EXCEPTION, "Non-continuable exception" },
273 { EXCEPTION_PRIV_INSTRUCTION, "Privileged instruction" },
274 { EXCEPTION_SINGLE_STEP, "Single-step complete" },
275 { EXCEPTION_STACK_OVERFLOW, "Stack overflow" },
278 #define N_EXCEPTIONS (sizeof exceptions / sizeof exceptions[0])
281 for (i = 0; i < N_EXCEPTIONS; i++) {
282 if (exceptions[i].code == exception)
283 return exceptions[i].msg;
285 g_snprintf(errbuf, (gulong)sizeof errbuf, "Exception 0x%08x", exception);
290 /* Initialize an argument list and add dumpcap to it. */
292 init_pipe_args(int *argc) {
294 const char *progfile_dir;
297 progfile_dir = get_progfile_dir();
298 if (progfile_dir == NULL) {
302 /* Allocate the string pointer array with enough space for the
303 terminating NULL pointer. */
305 argv = g_malloc(sizeof (char *));
308 /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
309 exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
311 /* Make that the first argument in the argument list (argv[0]). */
312 argv = sync_pipe_add_arg(argv, argc, exename);
314 /* sync_pipe_add_arg strdupes exename, so we should free our copy */
320 #define ARGV_NUMBER_LEN 24
321 /* a new capture run: start a new dumpcap task and hand over parameters through command line */
323 sync_pipe_start(capture_options *capture_opts) {
324 char ssnap[ARGV_NUMBER_LEN];
325 char sdlt[ARGV_NUMBER_LEN];
326 char scount[ARGV_NUMBER_LEN];
327 char sfilesize[ARGV_NUMBER_LEN];
328 char sfile_duration[ARGV_NUMBER_LEN];
329 char sring_num_files[ARGV_NUMBER_LEN];
330 char sautostop_files[ARGV_NUMBER_LEN];
331 char sautostop_filesize[ARGV_NUMBER_LEN];
332 char sautostop_duration[ARGV_NUMBER_LEN];
333 #ifdef HAVE_PCAP_REMOTE
336 #ifdef HAVE_PCAP_SETSAMPLING
337 char ssampling[ARGV_NUMBER_LEN];
340 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
341 char buffer_size[ARGV_NUMBER_LEN];
345 HANDLE sync_pipe_read; /* pipe used to send messages from child to parent */
346 HANDLE sync_pipe_write; /* pipe used to send messages from child to parent */
347 HANDLE signal_pipe; /* named pipe used to send messages from parent to child (currently only stop) */
348 GString *args = g_string_sized_new(200);
350 SECURITY_ATTRIBUTES sa;
352 PROCESS_INFORMATION pi;
353 char control_id[ARGV_NUMBER_LEN];
354 gchar *signal_pipe_name;
357 int sync_pipe[2]; /* pipe used to send messages from child to parent */
358 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
360 int sync_pipe_read_fd;
365 interface_options interface_opts;
367 if (capture_opts->ifaces->len > 1)
368 capture_opts->use_pcapng = TRUE;
369 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_start");
370 capture_opts_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, capture_opts);
372 capture_opts->fork_child = -1;
374 argv = init_pipe_args(&argc);
376 /* We don't know where to find dumpcap. */
377 report_failure("We don't know where to find dumpcap.");
381 if (capture_opts->ifaces->len > 1)
382 argv = sync_pipe_add_arg(argv, &argc, "-t");
384 if (capture_opts->use_pcapng)
385 argv = sync_pipe_add_arg(argv, &argc, "-n");
387 argv = sync_pipe_add_arg(argv, &argc, "-P");
389 if (capture_opts->multi_files_on) {
390 if (capture_opts->has_autostop_filesize) {
391 argv = sync_pipe_add_arg(argv, &argc, "-b");
392 g_snprintf(sfilesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
393 argv = sync_pipe_add_arg(argv, &argc, sfilesize);
396 if (capture_opts->has_file_duration) {
397 argv = sync_pipe_add_arg(argv, &argc, "-b");
398 g_snprintf(sfile_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->file_duration);
399 argv = sync_pipe_add_arg(argv, &argc, sfile_duration);
402 if (capture_opts->has_ring_num_files) {
403 argv = sync_pipe_add_arg(argv, &argc, "-b");
404 g_snprintf(sring_num_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->ring_num_files);
405 argv = sync_pipe_add_arg(argv, &argc, sring_num_files);
408 if (capture_opts->has_autostop_files) {
409 argv = sync_pipe_add_arg(argv, &argc, "-a");
410 g_snprintf(sautostop_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->autostop_files);
411 argv = sync_pipe_add_arg(argv, &argc, sautostop_files);
414 if (capture_opts->has_autostop_filesize) {
415 argv = sync_pipe_add_arg(argv, &argc, "-a");
416 g_snprintf(sautostop_filesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
417 argv = sync_pipe_add_arg(argv, &argc, sautostop_filesize);
421 if (capture_opts->has_autostop_packets) {
422 argv = sync_pipe_add_arg(argv, &argc, "-c");
423 g_snprintf(scount, ARGV_NUMBER_LEN, "%d",capture_opts->autostop_packets);
424 argv = sync_pipe_add_arg(argv, &argc, scount);
427 if (capture_opts->has_autostop_duration) {
428 argv = sync_pipe_add_arg(argv, &argc, "-a");
429 g_snprintf(sautostop_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->autostop_duration);
430 argv = sync_pipe_add_arg(argv, &argc, sautostop_duration);
433 for (j = 0; j < capture_opts->ifaces->len; j++) {
434 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
436 argv = sync_pipe_add_arg(argv, &argc, "-i");
437 argv = sync_pipe_add_arg(argv, &argc, interface_opts.name);
439 if (interface_opts.cfilter != NULL && strlen(interface_opts.cfilter) != 0) {
440 argv = sync_pipe_add_arg(argv, &argc, "-f");
441 argv = sync_pipe_add_arg(argv, &argc, interface_opts.cfilter);
443 if (interface_opts.snaplen != WTAP_MAX_PACKET_SIZE) {
444 argv = sync_pipe_add_arg(argv, &argc, "-s");
445 g_snprintf(ssnap, ARGV_NUMBER_LEN, "%d", interface_opts.snaplen);
446 argv = sync_pipe_add_arg(argv, &argc, ssnap);
449 if (interface_opts.linktype != -1) {
450 argv = sync_pipe_add_arg(argv, &argc, "-y");
451 g_snprintf(sdlt, ARGV_NUMBER_LEN, "%s", linktype_val_to_name(interface_opts.linktype));
452 argv = sync_pipe_add_arg(argv, &argc, sdlt);
455 if (!interface_opts.promisc_mode) {
456 argv = sync_pipe_add_arg(argv, &argc, "-p");
459 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
460 if (interface_opts.buffer_size != 1) {
461 argv = sync_pipe_add_arg(argv, &argc, "-B");
462 g_snprintf(buffer_size, ARGV_NUMBER_LEN, "%d", interface_opts.buffer_size);
463 argv = sync_pipe_add_arg(argv, &argc, buffer_size);
467 #ifdef HAVE_PCAP_CREATE
468 if (interface_opts.monitor_mode) {
469 argv = sync_pipe_add_arg(argv, &argc, "-I");
473 #ifdef HAVE_PCAP_REMOTE
474 if (interface_opts.datatx_udp)
475 argv = sync_pipe_add_arg(argv, &argc, "-u");
477 if (!interface_opts.nocap_rpcap)
478 argv = sync_pipe_add_arg(argv, &argc, "-r");
480 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
481 argv = sync_pipe_add_arg(argv, &argc, "-A");
482 g_snprintf(sauth, sizeof(sauth), "%s:%s",
483 interface_opts.auth_username,
484 interface_opts.auth_password);
485 argv = sync_pipe_add_arg(argv, &argc, sauth);
489 #ifdef HAVE_PCAP_SETSAMPLING
490 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
491 argv = sync_pipe_add_arg(argv, &argc, "-m");
492 g_snprintf(ssampling, ARGV_NUMBER_LEN, "%s:%d",
493 interface_opts.sampling_method == CAPTURE_SAMP_BY_COUNT ? "count" :
494 interface_opts.sampling_method == CAPTURE_SAMP_BY_TIMER ? "timer" :
496 interface_opts.sampling_param);
497 argv = sync_pipe_add_arg(argv, &argc, ssampling);
502 /* dumpcap should be running in capture child mode (hidden feature) */
504 argv = sync_pipe_add_arg(argv, &argc, "-Z");
506 g_snprintf(control_id, ARGV_NUMBER_LEN, "%d", GetCurrentProcessId());
507 argv = sync_pipe_add_arg(argv, &argc, control_id);
509 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
513 if (capture_opts->save_file) {
514 argv = sync_pipe_add_arg(argv, &argc, "-w");
515 argv = sync_pipe_add_arg(argv, &argc, capture_opts->save_file);
517 for (i = 0; i < argc; i++) {
518 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "argv[%d]: %s", i, argv[i]);
522 /* init SECURITY_ATTRIBUTES */
523 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
524 sa.bInheritHandle = TRUE;
525 sa.lpSecurityDescriptor = NULL;
527 /* Create a pipe for the child process */
528 /* (increase this value if you have trouble while fast capture file switches) */
529 if (! CreatePipe(&sync_pipe_read, &sync_pipe_write, &sa, 5120)) {
530 /* Couldn't create the pipe between parent and child. */
531 report_failure("Couldn't create sync pipe: %s",
532 win32strerror(GetLastError()));
533 for (i = 0; i < argc; i++) {
534 g_free( (gpointer) argv[i]);
536 g_free( (gpointer) argv);
540 /* Create the signal pipe */
541 signal_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, control_id);
542 signal_pipe = CreateNamedPipe(utf_8to16(signal_pipe_name),
543 PIPE_ACCESS_OUTBOUND, PIPE_TYPE_BYTE, 1, 65535, 65535, 0, NULL);
544 g_free(signal_pipe_name);
546 if (signal_pipe == INVALID_HANDLE_VALUE) {
547 /* Couldn't create the signal pipe between parent and child. */
548 report_failure("Couldn't create signal pipe: %s",
549 win32strerror(GetLastError()));
550 for (i = 0; i < argc; i++) {
551 g_free( (gpointer) argv[i]);
553 g_free( (gpointer) argv);
557 /* init STARTUPINFO */
558 memset(&si, 0, sizeof(si));
561 si.dwFlags = STARTF_USESHOWWINDOW;
562 si.wShowWindow = SW_SHOW;
564 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
565 si.wShowWindow = SW_HIDE; /* this hides the console window */
566 si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
567 si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
568 si.hStdError = sync_pipe_write;
569 /*si.hStdError = (HANDLE) _get_osfhandle(2);*/
572 /* convert args array into a single string */
573 /* XXX - could change sync_pipe_add_arg() instead */
574 /* there is a drawback here: the length is internally limited to 1024 bytes */
575 for(i=0; argv[i] != 0; i++) {
576 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
577 quoted_arg = protect_arg(argv[i]);
578 g_string_append(args, quoted_arg);
583 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
584 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
585 report_failure("Couldn't run %s in child process: %s",
586 args->str, win32strerror(GetLastError()));
587 CloseHandle(sync_pipe_read);
588 CloseHandle(sync_pipe_write);
589 for (i = 0; i < argc; i++) {
590 g_free( (gpointer) argv[i]);
592 g_free( (gpointer) argv);
595 capture_opts->fork_child = (int) pi.hProcess;
596 g_string_free(args, TRUE);
598 /* associate the operating system filehandle to a C run-time file handle */
599 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
600 sync_pipe_read_fd = _open_osfhandle( (long) sync_pipe_read, _O_BINARY);
602 /* associate the operating system filehandle to a C run-time file handle */
603 capture_opts->signal_pipe_write_fd = _open_osfhandle( (long) signal_pipe, _O_BINARY);
606 if (pipe(sync_pipe) < 0) {
607 /* Couldn't create the pipe between parent and child. */
608 report_failure("Couldn't create sync pipe: %s", g_strerror(errno));
609 for (i = 0; i < argc; i++) {
610 g_free( (gpointer) argv[i]);
616 if ((capture_opts->fork_child = fork()) == 0) {
618 * Child process - run dumpcap with the right arguments to make
619 * it just capture with the specified capture parameters
621 dup2(sync_pipe[PIPE_WRITE], 2);
622 ws_close(sync_pipe[PIPE_READ]);
623 execv(argv[0], (gpointer)argv);
624 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
625 argv[0], g_strerror(errno));
626 sync_pipe_errmsg_to_parent(2, errmsg, "");
628 /* Exit with "_exit()", so that we don't close the connection
629 to the X server (and cause stuff buffered up by our parent but
630 not yet sent to be sent, as that stuff should only be sent by
631 our parent). We've sent an error message to the parent, so
632 we exit with an exit status of 1 (any exit status other than
633 0 or 1 will cause an additional message to report that exit
634 status, over and above the error message we sent to the parent). */
638 sync_pipe_read_fd = sync_pipe[PIPE_READ];
641 for (i = 0; i < argc; i++) {
642 g_free( (gpointer) argv[i]);
645 /* Parent process - read messages from the child process over the
647 g_free( (gpointer) argv); /* free up arg array */
649 /* Close the write side of the pipe, so that only the child has it
650 open, and thus it completely closes, and thus returns to us
651 an EOF indication, if the child closes it (either deliberately
652 or by exiting abnormally). */
654 CloseHandle(sync_pipe_write);
656 ws_close(sync_pipe[PIPE_WRITE]);
659 if (capture_opts->fork_child == -1) {
660 /* We couldn't even create the child process. */
661 report_failure("Couldn't create child process: %s", g_strerror(errno));
662 ws_close(sync_pipe_read_fd);
664 ws_close(capture_opts->signal_pipe_write_fd);
669 capture_opts->fork_child_status = 0;
671 /* we might wait for a moment till child is ready, so update screen now */
672 main_window_update();
674 /* We were able to set up to read the capture file;
675 arrange that our callback be called whenever it's possible
676 to read from the sync pipe, so that it's called when
677 the child process wants to tell us something. */
679 /* we have a running capture, now wait for the real capture filename */
680 pipe_input_set_handler(sync_pipe_read_fd, (gpointer) capture_opts,
681 &capture_opts->fork_child, sync_pipe_input_cb);
687 * Open two pipes to dumpcap with the supplied arguments, one for its
688 * standard output and one for its standard error.
690 * On success, *msg is unchanged and 0 is returned; data_read_fd,
691 * messsage_read_fd, and fork_child point to the standard output pipe's
692 * file descriptor, the standard error pipe's file descriptor, and
693 * the child's PID/handle, respectively.
695 * On failure, *msg points to an error message for the failure, and -1 is
696 * returned, in which case *msg must be freed with g_free().
698 /* XXX - This duplicates a lot of code in sync_pipe_start() */
699 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
700 #define PIPE_BUF_SIZE 5120
702 sync_pipe_open_command(const char** argv, int *data_read_fd,
703 int *message_read_fd, int *fork_child, gchar **msg)
705 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
707 HANDLE sync_pipe[2]; /* pipe used to send messages from child to parent */
708 HANDLE data_pipe[2]; /* pipe used to send data from child to parent */
709 GString *args = g_string_sized_new(200);
711 SECURITY_ATTRIBUTES sa;
713 PROCESS_INFORMATION pi;
716 int sync_pipe[2]; /* pipe used to send messages from child to parent */
717 int data_pipe[2]; /* pipe used to send data from child to parent */
722 *message_read_fd = -1;
723 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_open_command");
726 /* We can't return anything */
728 g_string_free(args, TRUE);
734 /* init SECURITY_ATTRIBUTES */
735 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
736 sa.bInheritHandle = TRUE;
737 sa.lpSecurityDescriptor = NULL;
739 /* Create a pipe for the child process to send us messages */
740 /* (increase this value if you have trouble while fast capture file switches) */
741 if (! CreatePipe(&sync_pipe[PIPE_READ], &sync_pipe[PIPE_WRITE], &sa, 5120)) {
742 /* Couldn't create the message pipe between parent and child. */
743 *msg = g_strdup_printf("Couldn't create sync pipe: %s",
744 win32strerror(GetLastError()));
745 for (i = 0; argv[i] != NULL; i++) {
746 g_free( (gpointer) argv[i]);
748 g_free( (gpointer) argv);
752 /* Create a pipe for the child process to send us data */
753 /* (increase this value if you have trouble while fast capture file switches) */
754 if (! CreatePipe(&data_pipe[PIPE_READ], &data_pipe[PIPE_WRITE], &sa, 5120)) {
755 /* Couldn't create the message pipe between parent and child. */
756 *msg = g_strdup_printf("Couldn't create data pipe: %s",
757 win32strerror(GetLastError()));
758 CloseHandle(sync_pipe[PIPE_READ]);
759 CloseHandle(sync_pipe[PIPE_WRITE]);
760 for (i = 0; argv[i] != NULL; i++) {
761 g_free( (gpointer) argv[i]);
763 g_free( (gpointer) argv);
767 /* init STARTUPINFO */
768 memset(&si, 0, sizeof(si));
771 si.dwFlags = STARTF_USESHOWWINDOW;
772 si.wShowWindow = SW_SHOW;
774 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
775 si.wShowWindow = SW_HIDE; /* this hides the console window */
777 si.hStdOutput = data_pipe[PIPE_WRITE];
778 si.hStdError = sync_pipe[PIPE_WRITE];
781 /* convert args array into a single string */
782 /* XXX - could change sync_pipe_add_arg() instead */
783 /* there is a drawback here: the length is internally limited to 1024 bytes */
784 for(i=0; argv[i] != 0; i++) {
785 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
786 quoted_arg = protect_arg(argv[i]);
787 g_string_append(args, quoted_arg);
792 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
793 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
794 *msg = g_strdup_printf("Couldn't run %s in child process: %s",
795 args->str, win32strerror(GetLastError()));
796 CloseHandle(data_pipe[PIPE_READ]);
797 CloseHandle(data_pipe[PIPE_WRITE]);
798 CloseHandle(sync_pipe[PIPE_READ]);
799 CloseHandle(sync_pipe[PIPE_WRITE]);
800 for (i = 0; argv[i] != NULL; i++) {
801 g_free( (gpointer) argv[i]);
803 g_free( (gpointer) argv);
806 *fork_child = (int) pi.hProcess;
807 g_string_free(args, TRUE);
809 /* associate the operating system filehandles to C run-time file handles */
810 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
811 *data_read_fd = _open_osfhandle( (long) data_pipe[PIPE_READ], _O_BINARY);
812 *message_read_fd = _open_osfhandle( (long) sync_pipe[PIPE_READ], _O_BINARY);
814 /* Create a pipe for the child process to send us messages */
815 if (pipe(sync_pipe) < 0) {
816 /* Couldn't create the message pipe between parent and child. */
817 *msg = g_strdup_printf("Couldn't create sync pipe: %s", g_strerror(errno));
818 for (i = 0; argv[i] != NULL; i++) {
819 g_free( (gpointer) argv[i]);
825 /* Create a pipe for the child process to send us data */
826 if (pipe(data_pipe) < 0) {
827 /* Couldn't create the data pipe between parent and child. */
828 *msg = g_strdup_printf("Couldn't create data pipe: %s", g_strerror(errno));
829 ws_close(sync_pipe[PIPE_READ]);
830 ws_close(sync_pipe[PIPE_WRITE]);
831 for (i = 0; argv[i] != NULL; i++) {
832 g_free( (gpointer) argv[i]);
838 if ((*fork_child = fork()) == 0) {
840 * Child process - run dumpcap with the right arguments to make
841 * it just capture with the specified capture parameters
843 dup2(data_pipe[PIPE_WRITE], 1);
844 ws_close(data_pipe[PIPE_READ]);
845 ws_close(data_pipe[PIPE_WRITE]);
846 dup2(sync_pipe[PIPE_WRITE], 2);
847 ws_close(sync_pipe[PIPE_READ]);
848 ws_close(sync_pipe[PIPE_WRITE]);
849 execv(argv[0], (gpointer)argv);
850 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
851 argv[0], g_strerror(errno));
852 sync_pipe_errmsg_to_parent(2, errmsg, "");
854 /* Exit with "_exit()", so that we don't close the connection
855 to the X server (and cause stuff buffered up by our parent but
856 not yet sent to be sent, as that stuff should only be sent by
857 our parent). We've sent an error message to the parent, so
858 we exit with an exit status of 1 (any exit status other than
859 0 or 1 will cause an additional message to report that exit
860 status, over and above the error message we sent to the parent). */
864 *data_read_fd = data_pipe[PIPE_READ];
865 *message_read_fd = sync_pipe[PIPE_READ];
868 for (i = 0; argv[i] != NULL; i++) {
869 g_free( (gpointer) argv[i]);
872 /* Parent process - read messages from the child process over the
874 g_free( (gpointer) argv); /* free up arg array */
876 /* Close the write sides of the pipes, so that only the child has them
877 open, and thus they completely close, and thus return to us
878 an EOF indication, if the child closes them (either deliberately
879 or by exiting abnormally). */
881 CloseHandle(data_pipe[PIPE_WRITE]);
882 CloseHandle(sync_pipe[PIPE_WRITE]);
884 ws_close(data_pipe[PIPE_WRITE]);
885 ws_close(sync_pipe[PIPE_WRITE]);
888 if (*fork_child == -1) {
889 /* We couldn't even create the child process. */
890 *msg = g_strdup_printf("Couldn't create child process: %s", g_strerror(errno));
891 ws_close(*data_read_fd);
892 ws_close(*message_read_fd);
896 /* we might wait for a moment till child is ready, so update screen now */
897 main_window_update();
902 * Close the pipes we're using to read from dumpcap, and wait for it
903 * to exit. On success, *msgp is unchanged, and the exit status of
904 * dumpcap is returned. On failure (which includes "dumpcap exited
905 * due to being killed by a signal or an exception"), *msgp points
906 * to an error message for the failure, and -1 is returned. In the
907 * latter case, *msgp must be freed with g_free().
910 sync_pipe_close_command(int *data_read_fd, int *message_read_fd,
911 int *fork_child, gchar **msgp)
913 ws_close(*data_read_fd);
914 if (message_read_fd != NULL)
915 ws_close(*message_read_fd);
918 /* XXX - Should we signal the child somehow? */
919 sync_pipe_kill(*fork_child);
922 return sync_pipe_wait_for_child(*fork_child, msgp);
926 * Run dumpcap with the supplied arguments.
928 * On success, *data points to a buffer containing the dumpcap output,
929 * *primary_msg and *secondary_message are NULL, and 0 is returned; *data
930 * must be freed with g_free().
932 * On failure, *data is NULL, *primary_msg points to an error message,
933 * *secondary_msg either points to an additional error message or is
934 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
935 * must be freed with g_free().
937 /* XXX - This duplicates a lot of code in sync_pipe_start() */
938 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
939 #define PIPE_BUF_SIZE 5120
941 sync_pipe_run_command(const char** argv, gchar **data, gchar **primary_msg,
942 gchar **secondary_msg)
945 int data_pipe_read_fd, sync_pipe_read_fd, fork_child, ret;
947 gchar buffer[PIPE_BUF_SIZE+1];
951 char *primary_msg_text;
952 int secondary_msg_len;
953 char *secondary_msg_text;
955 GString *data_buf = NULL;
958 ret = sync_pipe_open_command(argv, &data_pipe_read_fd, &sync_pipe_read_fd,
962 *secondary_msg = NULL;
968 * We were able to set up to read dumpcap's output. Do so.
970 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
972 nread = pipe_read_block(sync_pipe_read_fd, &indicator, SP_MAX_MSG_LEN,
973 buffer, primary_msg);
975 /* We got a read error from the sync pipe, or we got no data at
976 all from the sync pipe, so we're not going to be getting any
977 data or error message from the child process. Pick up its
978 exit status, and complain.
980 We don't have to worry about killing the child, if the sync pipe
981 returned an error. Usually this error is caused as the child killed
982 itself while going down. Even in the rare cases that this isn't the
983 case, the child will get an error when writing to the broken pipe
984 the next time, cleaning itself up then. */
985 ret = sync_pipe_wait_for_child(fork_child, &wait_msg);
987 /* We got an EOF from the sync pipe. That means that it exited
988 before giving us any data to read. If ret is -1, we report
989 that as a bad exit (e.g., exiting due to a signal); otherwise,
990 we report it as a premature exit. */
992 *primary_msg = wait_msg;
994 *primary_msg = g_strdup("Child dumpcap closed sync pipe prematurely");
996 /* We got an error from the sync pipe. If ret is -1, report
997 both the sync pipe I/O error and the wait error. */
999 combined_msg = g_strdup_printf("%s\n\n%s", *primary_msg, wait_msg);
1000 g_free(*primary_msg);
1002 *primary_msg = combined_msg;
1005 *secondary_msg = NULL;
1010 /* we got a valid message block from the child, process it */
1015 * Error from dumpcap; there will be a primary message and a
1016 * secondary message.
1019 /* convert primary message */
1020 pipe_convert_header(buffer, 4, &indicator, &primary_msg_len);
1021 primary_msg_text = buffer+4;
1022 /* convert secondary message */
1023 pipe_convert_header(primary_msg_text + primary_msg_len, 4, &indicator,
1024 &secondary_msg_len);
1025 secondary_msg_text = primary_msg_text + primary_msg_len + 4;
1026 /* the capture child will close the sync_pipe, nothing to do */
1029 * Pick up the child status.
1031 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1035 * Child process failed unexpectedly, or wait failed; msg is the
1039 *secondary_msg = NULL;
1042 * Child process failed, but returned the expected exit status.
1043 * Return the messages it gave us, and indicate failure.
1045 *primary_msg = g_strdup(primary_msg_text);
1046 *secondary_msg = g_strdup(secondary_msg_text);
1053 /* read the output from the command */
1054 data_buf = g_string_new("");
1055 while ((count = ws_read(data_pipe_read_fd, buffer, PIPE_BUF_SIZE)) > 0) {
1056 buffer[count] = '\0';
1057 g_string_append(data_buf, buffer);
1061 * Pick up the child status.
1063 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1067 * Child process failed unexpectedly, or wait failed; msg is the
1071 *secondary_msg = NULL;
1072 g_string_free(data_buf, TRUE);
1076 * Child process succeeded.
1078 *primary_msg = NULL;
1079 *secondary_msg = NULL;
1080 *data = data_buf->str;
1081 g_string_free(data_buf, FALSE);
1087 * Pick up the child status.
1089 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1093 * Child process failed unexpectedly, or wait failed; msg is the
1097 *secondary_msg = NULL;
1100 * Child process returned an unknown status.
1102 *primary_msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1104 *secondary_msg = NULL;
1114 sync_interface_set_80211_chan(gchar *iface, char *freq, gchar *type,
1115 gchar **data, gchar **primary_msg,
1116 gchar **secondary_msg)
1122 argv = init_pipe_args(&argc);
1125 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1126 *secondary_msg = NULL;
1131 argv = sync_pipe_add_arg(argv, &argc, "-i");
1132 argv = sync_pipe_add_arg(argv, &argc, iface);
1135 opt = g_strdup_printf("%s,%s", freq, type);
1137 opt = g_strdup_printf("%s", freq);
1140 *primary_msg = g_strdup("Out of mem.");
1141 *secondary_msg = NULL;
1146 argv = sync_pipe_add_arg(argv, &argc, "-k");
1147 argv = sync_pipe_add_arg(argv, &argc, opt);
1150 /* Run dumpcap in capture child mode */
1151 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1152 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1155 ret = sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1161 * Get the list of interfaces using dumpcap.
1163 * On success, *data points to a buffer containing the dumpcap output,
1164 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1165 * must be freed with g_free().
1167 * On failure, *data is NULL, *primary_msg points to an error message,
1168 * *secondary_msg either points to an additional error message or is
1169 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1170 * must be freed with g_free().
1173 sync_interface_list_open(gchar **data, gchar **primary_msg,
1174 gchar **secondary_msg)
1179 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_list_open");
1181 argv = init_pipe_args(&argc);
1184 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1185 *secondary_msg = NULL;
1190 /* Ask for the interface list */
1191 argv = sync_pipe_add_arg(argv, &argc, "-D");
1194 /* Run dumpcap in capture child mode */
1195 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1196 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1198 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1202 * Get the capabilities of an interface using dumpcap.
1204 * On success, *data points to a buffer containing the dumpcap output,
1205 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1206 * must be freed with g_free().
1208 * On failure, *data is NULL, *primary_msg points to an error message,
1209 * *secondary_msg either points to an additional error message or is
1210 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1211 * must be freed with g_free().
1214 sync_if_capabilities_open(const gchar *ifname, gboolean monitor_mode,
1215 gchar **data, gchar **primary_msg,
1216 gchar **secondary_msg)
1221 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_linktype_list_open");
1223 argv = init_pipe_args(&argc);
1226 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1227 *secondary_msg = NULL;
1232 /* Ask for the interface capabilities */
1233 argv = sync_pipe_add_arg(argv, &argc, "-i");
1234 argv = sync_pipe_add_arg(argv, &argc, ifname);
1235 argv = sync_pipe_add_arg(argv, &argc, "-L");
1237 argv = sync_pipe_add_arg(argv, &argc, "-I");
1240 /* Run dumpcap in capture child mode */
1241 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1242 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1244 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1248 * Start getting interface statistics using dumpcap. On success, read_fd
1249 * contains the file descriptor for the pipe's stdout, *msg is unchanged,
1250 * and zero is returned. On failure, *msg will point to an error message
1251 * that must be g_free()d, and -1 will be returned.
1254 sync_interface_stats_open(int *data_read_fd, int *fork_child, gchar **msg)
1258 int message_read_fd, ret;
1260 gchar buffer[PIPE_BUF_SIZE+1];
1263 int primary_msg_len;
1264 char *primary_msg_text;
1265 int secondary_msg_len;
1266 /*char *secondary_msg_text;*/
1269 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_stats_open");
1271 argv = init_pipe_args(&argc);
1274 *msg = g_strdup("We don't know where to find dumpcap.");
1278 /* Ask for the interface statistics */
1279 argv = sync_pipe_add_arg(argv, &argc, "-S");
1282 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1283 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1285 ret = sync_pipe_open_command(argv, data_read_fd, &message_read_fd,
1291 * We were able to set up to read dumpcap's output. Do so.
1293 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
1295 nread = pipe_read_block(message_read_fd, &indicator, SP_MAX_MSG_LEN,
1298 /* We got a read error from the sync pipe, or we got no data at
1299 all from the sync pipe, so we're not going to be getting any
1300 data or error message from the child process. Pick up its
1301 exit status, and complain.
1303 We don't have to worry about killing the child, if the sync pipe
1304 returned an error. Usually this error is caused as the child killed
1305 itself while going down. Even in the rare cases that this isn't the
1306 case, the child will get an error when writing to the broken pipe
1307 the next time, cleaning itself up then. */
1308 ret = sync_pipe_wait_for_child(*fork_child, &wait_msg);
1310 /* We got an EOF from the sync pipe. That means that it exited
1311 before giving us any data to read. If ret is -1, we report
1312 that as a bad exit (e.g., exiting due to a signal); otherwise,
1313 we report it as a premature exit. */
1317 *msg = g_strdup("Child dumpcap closed sync pipe prematurely");
1319 /* We got an error from the sync pipe. If ret is -1, report
1320 both the sync pipe I/O error and the wait error. */
1322 combined_msg = g_strdup_printf("%s\n\n%s", *msg, wait_msg);
1325 *msg = combined_msg;
1332 /* we got a valid message block from the child, process it */
1337 * Error from dumpcap; there will be a primary message and a
1338 * secondary message.
1341 /* convert primary message */
1342 pipe_convert_header(buffer, 4, &indicator, &primary_msg_len);
1343 primary_msg_text = buffer+4;
1344 /* convert secondary message */
1345 pipe_convert_header(primary_msg_text + primary_msg_len, 4, &indicator,
1346 &secondary_msg_len);
1347 /*secondary_msg_text = primary_msg_text + primary_msg_len + 4;*/
1348 /* the capture child will close the sync_pipe, nothing to do */
1351 * Pick up the child status.
1353 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1357 * Child process failed unexpectedly, or wait failed; msg is the
1362 * Child process failed, but returned the expected exit status.
1363 * Return the messages it gave us, and indicate failure.
1365 *msg = g_strdup(primary_msg_text);
1371 /* Close the message pipe. */
1372 ws_close(message_read_fd);
1377 * Pick up the child status.
1379 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1383 * Child process failed unexpectedly, or wait failed; msg is the
1388 * Child process returned an unknown status.
1390 *msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1399 /* Close down the stats process */
1401 sync_interface_stats_close(int *read_fd, int *fork_child, gchar **msg)
1405 * Don't bother waiting for the child. sync_pipe_close_command
1406 * does this for us on Windows.
1408 sync_pipe_kill(*fork_child);
1410 return sync_pipe_close_command(read_fd, NULL, fork_child, msg);
1413 /* read a number of bytes from a pipe */
1414 /* (blocks until enough bytes read or an error occurs) */
1416 pipe_read_bytes(int pipe_fd, char *bytes, int required, char **msg)
1423 newly = read(pipe_fd, &bytes[offset], required);
1426 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1427 "read from pipe %d: EOF (capture closed?)", pipe_fd);
1434 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1435 "read from pipe %d: error(%u): %s", pipe_fd, error,
1437 *msg = g_strdup_printf("Error reading from sync pipe: %s",
1450 static gboolean pipe_data_available(int pipe_fd) {
1451 #ifdef _WIN32 /* PeekNamedPipe */
1452 HANDLE hPipe = (HANDLE) _get_osfhandle(pipe_fd);
1455 if (hPipe == INVALID_HANDLE_VALUE)
1458 if (! PeekNamedPipe(hPipe, NULL, 0, NULL, &bytes_avail, NULL))
1461 if (bytes_avail > 0)
1466 struct timeval timeout;
1469 FD_SET(pipe_fd, &rfds);
1471 timeout.tv_usec = 0;
1473 if (select(pipe_fd+1, &rfds, NULL, NULL, &timeout) > 0)
1480 /* Read a line from a pipe, similar to fgets */
1482 sync_pipe_gets_nonblock(int pipe_fd, char *bytes, int max) {
1486 while(offset < max - 1) {
1488 if (! pipe_data_available(pipe_fd))
1490 newly = read(pipe_fd, &bytes[offset], 1);
1492 /* EOF - not necessarily an error */
1494 } else if (newly < 0) {
1496 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1497 "read from pipe %d: error(%u): %s", pipe_fd, errno, g_strerror(errno));
1499 } else if (bytes[offset] == '\n') {
1505 bytes[offset] = '\0';
1511 /* convert header values (indicator and 3-byte length) */
1513 pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len) {
1515 g_assert(header_len == 4);
1517 /* convert header values */
1518 *indicator = header[0];
1519 *block_len = header[1]<<16 | header[2]<<8 | header[3];
1522 /* read a message from the sending pipe in the standard format
1523 (1-byte message indicator, 3-byte message length (excluding length
1524 and indicator field), and the rest is the message) */
1526 pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
1533 /* read header (indicator and 3-byte length) */
1534 newly = pipe_read_bytes(pipe_fd, header, 4, err_msg);
1538 * Immediate EOF; if the capture child exits normally, this
1539 * is an "I'm done" indication, so don't report it as an
1542 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1543 "read %d got an EOF", pipe_fd);
1546 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1547 "read %d failed to read header: %u", pipe_fd, newly);
1550 * Short read, but not an immediate EOF.
1552 *err_msg = g_strdup_printf("Premature EOF reading from sync pipe: got only %d bytes",
1558 /* convert header values */
1559 pipe_convert_header(header, 4, indicator, &required);
1561 /* only indicator with no value? */
1563 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1564 "read %d indicator: %c empty value", pipe_fd, *indicator);
1568 /* does the data fit into the given buffer? */
1569 if(required > len) {
1570 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1571 "read %d length error, required %d > len %d, header: 0x%02x 0x%02x 0x%02x 0x%02x",
1572 pipe_fd, required, len,
1573 header[0], header[1], header[2], header[3]);
1575 /* we have a problem here, try to read some more bytes from the pipe to debug where the problem really is */
1576 memcpy(msg, header, sizeof(header));
1577 newly = read(pipe_fd, &msg[sizeof(header)], len-sizeof(header));
1578 if (newly < 0) { /* error */
1579 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1580 "read from pipe %d: error(%u): %s", pipe_fd, errno, g_strerror(errno));
1582 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1588 /* read the actual block data */
1589 newly = pipe_read_bytes(pipe_fd, msg, required, err_msg);
1590 if(newly != required) {
1592 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1598 /* XXX If message is "2part", the msg probably won't be sent to debug log correctly */
1599 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1600 "read %d ok indicator: %c len: %u msg: %s", pipe_fd, *indicator,
1607 /* There's stuff to read from the sync pipe, meaning the child has sent
1608 us a message, or the sync pipe has closed, meaning the child has
1609 closed it (perhaps because it exited). */
1611 sync_pipe_input_cb(gint source, gpointer user_data)
1613 capture_options *capture_opts = (capture_options *)user_data;
1615 char buffer[SP_MAX_MSG_LEN+1];
1621 char *secondary_msg;
1622 char *wait_msg, *combined_msg;
1624 nread = pipe_read_block(source, &indicator, SP_MAX_MSG_LEN, buffer,
1627 /* We got a read error, or a bad message, or an EOF, from the sync pipe.
1629 If we got a read error or a bad message, nread is -1 and
1630 primary_msg is set to point to an error message. We don't
1631 have to worry about killing the child; usually this error
1632 is caused as the child killed itself while going down.
1633 Even in the rare cases that this isn't the case, the child
1634 will get an error when writing to the broken pipe the next time,
1635 cleaning itself up then.
1637 If we got an EOF, nread is 0 and primary_msg isn't set. This
1638 is an indication that the capture is finished. */
1639 ret = sync_pipe_wait_for_child(capture_opts->fork_child, &wait_msg);
1641 /* We got an EOF from the sync pipe. That means that the capture
1642 child exited, and not in the middle of a message; we treat
1643 that as an indication that it's done, and only report an
1644 error if ret is -1, in which case wait_msg is the error
1647 primary_msg = wait_msg;
1649 /* We got an error from the sync pipe. If ret is -1, report
1650 both the sync pipe I/O error and the wait error. */
1652 combined_msg = g_strdup_printf("%s\n\n%s", primary_msg, wait_msg);
1653 g_free(primary_msg);
1655 primary_msg = combined_msg;
1659 /* No more child process. */
1660 capture_opts->fork_child = -1;
1661 capture_opts->fork_child_status = ret;
1664 ws_close(capture_opts->signal_pipe_write_fd);
1666 capture_input_closed(capture_opts, primary_msg);
1667 g_free(primary_msg);
1671 /* we got a valid message block from the child, process it */
1674 if(!capture_input_new_file(capture_opts, buffer)) {
1675 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: file failed, closing capture");
1677 /* We weren't able to open the new capture file; user has been
1678 alerted. Close the sync pipe. */
1681 /* The child has sent us a filename which we couldn't open.
1683 This could mean that the child is creating files faster
1684 than we can handle it. (XXX - why would that result in
1685 a failure to open the file?)
1687 That should only be the case for very fast file switches;
1688 We can't do much more than telling the child to stop.
1689 (This is the "emergency brake" if the user e.g. wants to
1690 switch files every second).
1692 This can also happen if the user specified "-", meaning
1693 "standard output", as the capture file. */
1694 sync_pipe_stop(capture_opts);
1695 capture_input_closed(capture_opts, NULL);
1699 case SP_PACKET_COUNT:
1700 nread = atoi(buffer);
1701 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: new packets %u", nread);
1702 capture_input_new_packets(capture_opts, nread);
1705 /* convert primary message */
1706 pipe_convert_header(buffer, 4, &indicator, &primary_len);
1707 primary_msg = buffer+4;
1708 /* convert secondary message */
1709 pipe_convert_header(primary_msg + primary_len, 4, &indicator, &secondary_len);
1710 secondary_msg = primary_msg + primary_len + 4;
1711 /* message output */
1712 capture_input_error_message(capture_opts, primary_msg, secondary_msg);
1713 /* the capture child will close the sync_pipe, nothing to do for now */
1714 /* (an error message doesn't mean we have to stop capturing) */
1716 case SP_BAD_FILTER: {
1720 ch = strtok(buffer, ":");
1721 indx = (int)strtol(ch, NULL, 10);
1722 ch = strtok(NULL, ":");
1723 capture_input_cfilter_error_message(capture_opts, indx, ch);
1724 /* the capture child will close the sync_pipe, nothing to do for now */
1728 capture_input_drops(capture_opts, (guint32)strtoul(buffer, NULL, 10));
1731 g_assert_not_reached();
1740 * dumpcap is exiting; wait for it to exit. On success, *msgp is
1741 * unchanged, and the exit status of dumpcap is returned. On
1742 * failure (which includes "dumpcap exited due to being killed by
1743 * a signal or an exception"), *msgp points to an error message
1744 * for the failure, and -1 is returned. In the latter case, *msgp
1745 * must be freed with g_free().
1748 sync_pipe_wait_for_child(int fork_child, gchar **msgp)
1750 int fork_child_status;
1752 GTimeVal start_time;
1757 * GLIB_CHECK_VERSION(2,28,0) adds g_get_real_time which could minimize or
1760 g_get_current_time(&start_time);
1762 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: wait till child closed");
1763 g_assert(fork_child != -1);
1765 *msgp = NULL; /* assume no error */
1767 if (_cwait(&fork_child_status, fork_child, _WAIT_CHILD) == -1) {
1768 *msgp = g_strdup_printf("Error from cwait(): %s", g_strerror(errno));
1772 * The child exited; return its exit status. Do not treat this as
1775 ret = fork_child_status;
1776 if ((fork_child_status & 0xC0000000) == ERROR_SEVERITY_ERROR) {
1777 /* Probably an exception code */
1778 *msgp = g_strdup_printf("Child dumpcap process died: %s",
1779 win32strexception(fork_child_status));
1784 if (waitpid(fork_child, &fork_child_status, 0) != -1) {
1785 if (WIFEXITED(fork_child_status)) {
1787 * The child exited; return its exit status. Do not treat this as
1790 ret = WEXITSTATUS(fork_child_status);
1791 } else if (WIFSTOPPED(fork_child_status)) {
1792 /* It stopped, rather than exiting. "Should not happen." */
1793 *msgp = g_strdup_printf("Child dumpcap process stopped: %s",
1794 sync_pipe_signame(WSTOPSIG(fork_child_status)));
1796 } else if (WIFSIGNALED(fork_child_status)) {
1797 /* It died with a signal. */
1798 *msgp = g_strdup_printf("Child dumpcap process died: %s%s",
1799 sync_pipe_signame(WTERMSIG(fork_child_status)),
1800 WCOREDUMP(fork_child_status) ? " - core dumped" : "");
1803 /* What? It had to either have exited, or stopped, or died with
1804 a signal; what happened here? */
1805 *msgp = g_strdup_printf("Bad status from waitpid(): %#o",
1810 *msgp = g_strdup_printf("Error from waitpid(): %s", g_strerror(errno));
1815 g_get_current_time(&end_time);
1816 elapsed = (end_time.tv_sec - start_time.tv_sec) +
1817 ((end_time.tv_usec - start_time.tv_usec) / (float) 1e6);
1818 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: capture child closed after %.3fs", elapsed);
1824 /* convert signal to corresponding name */
1826 sync_pipe_signame(int sig)
1829 static char sigmsg_buf[6+1+3+1];
1838 sigmsg = "Interrupted";
1846 sigmsg = "Illegal instruction";
1850 sigmsg = "Trace trap";
1858 sigmsg = "Arithmetic exception";
1866 sigmsg = "Bus error";
1870 sigmsg = "Segmentation violation";
1873 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
1874 Linux is POSIX compliant. These are not POSIX-defined signals ---
1875 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
1877 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
1878 were omitted from POSIX.1 because their behavior is
1879 implementation dependent and could not be adequately catego-
1880 rized. Conforming implementations may deliver these sig-
1881 nals, but must document the circumstances under which they
1882 are delivered and note any restrictions concerning their
1885 So we only check for SIGSYS on those systems that happen to
1886 implement them (a system can be POSIX-compliant and implement
1887 them, it's just that POSIX doesn't *require* a POSIX-compliant
1888 system to implement them).
1893 sigmsg = "Bad system call";
1898 sigmsg = "Broken pipe";
1902 sigmsg = "Alarm clock";
1906 sigmsg = "Terminated";
1910 /* Returning a static buffer is ok in the context we use it here */
1911 g_snprintf(sigmsg_buf, sizeof sigmsg_buf, "Signal %d", sig);
1912 sigmsg = sigmsg_buf;
1921 /* tell the child through the signal pipe that we want to quit the capture */
1923 signal_pipe_capquit_to_child(capture_options *capture_opts)
1925 const char quit_msg[] = "QUIT";
1929 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");
1931 /* it doesn't matter *what* we send here, the first byte will stop the capture */
1932 /* simply sending a "QUIT" string */
1933 /*pipe_write_block(capture_opts->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
1934 ret = write(capture_opts->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
1936 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1937 "signal_pipe_capquit_to_child: %d header: error %s", capture_opts->signal_pipe_write_fd, g_strerror(errno));
1943 /* user wants to stop the capture run */
1945 sync_pipe_stop(capture_options *capture_opts)
1950 gboolean terminate = TRUE;
1953 if (capture_opts->fork_child != -1) {
1955 /* send the SIGINT signal to close the capture child gracefully. */
1956 int sts = kill(capture_opts->fork_child, SIGINT);
1958 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1959 "Sending SIGINT to child failed: %s\n", g_strerror(errno));
1962 #define STOP_SLEEP_TIME 500 /* ms */
1963 #define STOP_CHECK_TIME 50
1964 /* First, use the special signal pipe to try to close the capture child
1967 signal_pipe_capquit_to_child(capture_opts);
1969 /* Next, wait for the process to exit on its own */
1970 for (count = 0; count < STOP_SLEEP_TIME / STOP_CHECK_TIME; count++) {
1971 if (GetExitCodeProcess((HANDLE) capture_opts->fork_child, &childstatus) &&
1972 childstatus != STILL_ACTIVE) {
1976 Sleep(STOP_CHECK_TIME);
1979 /* Force the issue. */
1981 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1982 "sync_pipe_stop: forcing child to exit");
1983 sync_pipe_kill(capture_opts->fork_child);
1990 /* Wireshark has to exit, force the capture child to close */
1992 sync_pipe_kill(int fork_child)
1994 if (fork_child != -1) {
1996 int sts = kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
1998 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1999 "Sending SIGTERM to child failed: %s\n", g_strerror(errno));
2002 /* Remark: This is not the preferred method of closing a process!
2003 * the clean way would be getting the process id of the child process,
2004 * then getting window handle hWnd of that process (using EnumChildWindows),
2005 * and then do a SendMessage(hWnd, WM_CLOSE, 0, 0)
2007 * Unfortunately, I don't know how to get the process id from the
2008 * handle. OpenProcess will get an handle (not a window handle)
2009 * from the process ID; it will not get a window handle from the
2010 * process ID. (How could it? A process can have more than one
2011 * window. For that matter, a process might have *no* windows,
2012 * as a process running dumpcap, the normal child process program,
2015 * Hint: GenerateConsoleCtrlEvent() will only work if both processes are
2016 * running in the same console; that's not necessarily the case for
2017 * us, as we might not be running in a console.
2018 * And this also will require to have the process id.
2020 TerminateProcess((HANDLE) (fork_child), 0);
2025 #endif /* HAVE_LIBPCAP */