2 * Utility routines for packet capture
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
34 #ifdef HAVE_SYS_TYPES_H
35 # include <sys/types.h>
38 #ifdef HAVE_SYS_SOCKET_H
39 #include <sys/socket.h>
43 * Linux bonding devices mishandle unknown ioctls; they fail
44 * with ENODEV rather than ENOTSUP, EOPNOTSUPP, or ENOTTY,
45 * so pcap_can_set_rfmon() returns a "no such device" indication
46 * if we try to do SIOCGIWMODE on them.
48 * So, on Linux, we check for bonding devices, if we can, before
49 * trying pcap_can_set_rfmon(), as pcap_can_set_rfmon() will
50 * end up trying SIOCGIWMODE on the device if that ioctl exists.
52 #if defined(HAVE_PCAP_CREATE) && defined(__linux__)
54 #include <sys/ioctl.h>
57 * If we're building for a Linux version that supports bonding,
58 * HAVE_BONDING will be defined.
61 #ifdef HAVE_LINUX_SOCKIOS_H
62 #include <linux/sockios.h>
65 #ifdef HAVE_LINUX_IF_BONDING_H
66 #include <linux/if_bonding.h>
69 #if defined(BOND_INFO_QUERY_OLD) || defined(SIOCBONDINFOQUERY)
73 #endif /* defined(HAVE_PCAP_CREATE) && defined(__linux__) */
75 #include "caputils/capture_ifinfo.h"
76 #include "caputils/capture-pcap-util.h"
77 #include "caputils/capture-pcap-util-int.h"
81 #include <wsutil/file_util.h>
84 #include <netinet/in.h>
88 #include "caputils/capture_win_ifnames.h" /* windows friendly interface names */
92 * Standard secondary message for unexpected errors.
94 static const char please_report[] =
95 "Please report this to the Wireshark developers.\n"
96 "https://bugs.wireshark.org/\n"
97 "(This is not a crash; please do not report it as such.)";
100 * Given an interface name, find the "friendly name" and interface
101 * type for the interface.
104 #if defined(__APPLE__)
106 #include <CoreFoundation/CoreFoundation.h>
107 #include <SystemConfiguration/SystemConfiguration.h>
109 #include <wsutil/cfutils.h>
112 * On OS X, we get the "friendly name" and interface type for the interface
113 * from the System Configuration framework.
115 * To find the System Configuration framework information for the
116 * interface, we get all the interfaces that the System Configuration
117 * framework knows about and look for the one with a "BSD name" matching
118 * the interface name.
120 * If we find it, we use its "localized display name", if it has one, as
121 * the "friendly name".
123 * As for the interface type:
125 * Yes, fetching all the network addresses for an interface gets you an
126 * AF_LINK address, of type "struct sockaddr_dl", and, yes, that includes
127 * an SNMP MIB-II ifType value.
129 * However, it's IFT_ETHER, i.e. Ethernet, for AirPort interfaces,
130 * not IFT_IEEE80211 (which isn't defined in OS X in any case).
132 * Perhaps some other BSD-flavored OSes won't make this mistake;
133 * however, FreeBSD 7.0 and OpenBSD 4.2, at least, appear to have
134 * made the same mistake, at least for my Belkin ZyDAS stick.
136 * SCNetworkInterfaceGetInterfaceType() will get the interface
137 * type. The interface type is a CFString, and:
139 * kSCNetworkInterfaceTypeIEEE80211 means IF_WIRELESS;
140 * kSCNetworkInterfaceTypeBluetooth means IF_BLUETOOTH;
141 * kSCNetworkInterfaceTypeModem or
142 * kSCNetworkInterfaceTypePPP or
143 * maybe kSCNetworkInterfaceTypeWWAN means IF_DIALUP
146 add_unix_interface_ifinfo(if_info_t *if_info, const char *name,
147 const char *description _U_)
149 CFStringRef name_CFString;
150 CFArrayRef interfaces;
151 CFIndex num_interfaces;
153 SCNetworkInterfaceRef interface;
154 CFStringRef bsdname_CFString;
155 CFStringRef friendly_name_CFString;
156 CFStringRef interface_type_CFString;
158 interfaces = SCNetworkInterfaceCopyAll();
159 if (interfaces == NULL) {
161 * Couldn't get a list of interfaces.
166 name_CFString = CFStringCreateWithCString(kCFAllocatorDefault,
167 name, kCFStringEncodingUTF8);
168 if (name_CFString == NULL) {
170 * Couldn't convert the interface name to a CFString.
172 CFRelease(interfaces);
176 num_interfaces = CFArrayGetCount(interfaces);
177 for (i = 0; i < num_interfaces; i++) {
178 interface = (SCNetworkInterfaceRef)CFArrayGetValueAtIndex(interfaces, i);
179 bsdname_CFString = SCNetworkInterfaceGetBSDName(interface);
180 if (bsdname_CFString == NULL) {
182 * This interface has no BSD name, so it's not
183 * a regular network interface.
187 if (CFStringCompare(name_CFString, bsdname_CFString, 0) == 0) {
189 * This is the interface.
190 * First, get the friendly name.
192 friendly_name_CFString = SCNetworkInterfaceGetLocalizedDisplayName(interface);
193 if (friendly_name_CFString != NULL)
194 if_info->friendly_name = CFString_to_C_string(friendly_name_CFString);
197 * Now get the interface type.
199 interface_type_CFString = SCNetworkInterfaceGetInterfaceType(interface);
200 if (CFStringCompare(interface_type_CFString,
201 kSCNetworkInterfaceTypeIEEE80211, 0) == kCFCompareEqualTo)
202 if_info->type = IF_WIRELESS;
203 else if (CFStringCompare(interface_type_CFString,
204 kSCNetworkInterfaceTypeBluetooth, 0) == kCFCompareEqualTo)
205 if_info->type = IF_BLUETOOTH;
206 else if (CFStringCompare(interface_type_CFString,
207 kSCNetworkInterfaceTypeModem, 0) == kCFCompareEqualTo)
208 if_info->type = IF_DIALUP;
209 else if (CFStringCompare(interface_type_CFString,
210 kSCNetworkInterfaceTypePPP, 0) == kCFCompareEqualTo)
211 if_info->type = IF_DIALUP;
212 else if (CFStringCompare(interface_type_CFString,
213 kSCNetworkInterfaceTypeWWAN, 0) == kCFCompareEqualTo)
214 if_info->type = IF_DIALUP;
216 if_info->type = IF_WIRED;
221 CFRelease(interfaces);
222 CFRelease(name_CFString);
224 #elif defined(__linux__)
226 * Linux doesn't offer any form of "friendly name", but you can
227 * determine an interface type to some degree.
230 add_unix_interface_ifinfo(if_info_t *if_info, const char *name,
231 const char *description _U_)
237 * Look for /sys/class/net/{device}/wireless. If it exists,
238 * it's a wireless interface.
240 wireless_path = g_strdup_printf("/sys/class/net/%s/wireless", name);
241 if (wireless_path != NULL) {
242 if (ws_stat64(wireless_path, &statb) == 0)
243 if_info->type = IF_WIRELESS;
244 g_free(wireless_path);
246 if (if_info->type == IF_WIRED) {
248 * We still don't know what it is. Check for
249 * Bluetooth and USB devices.
251 if (strstr(name, "bluetooth") != NULL) {
253 * XXX - this is for raw Bluetooth capture; what
254 * about IP-over-Bluetooth devices?
256 if_info->type = IF_BLUETOOTH;
257 } else if (strstr(name, "usbmon") != NULL)
258 if_info->type = IF_USB;
263 * On other UN*Xes, if there is a description, it's a friendly
264 * name, and there is no vendor description. ("Other UN*Xes"
265 * currently means "FreeBSD and OpenBSD".)
268 add_unix_interface_ifinfo(if_info_t *if_info, const char *name _U_,
269 const char *description)
271 if_info->friendly_name = g_strdup(description);
276 if_info_new(const char *name, const char *description, gboolean loopback)
280 const char *guid_text;
284 if_info = (if_info_t *)g_malloc(sizeof (if_info_t));
285 if_info->name = g_strdup(name);
286 if_info->friendly_name = NULL; /* default - unknown */
287 if_info->vendor_description = NULL;
288 if_info->type = IF_WIRED; /* default */
290 if_info->extcap = g_strdup("");
294 * Get the interface type.
296 * Much digging failed to reveal any obvious way to get something
297 * such as the SNMP MIB-II ifType value for an interface:
299 * http://www.iana.org/assignments/ianaiftype-mib
301 * by making some NDIS request. And even if there were such
302 * a way, there's no guarantee that the ifType reflects an
303 * interface type that a user would view as correct (for
304 * example, some systems report Wi-Fi interfaces as
305 * Ethernet interfaces).
307 * So we look for keywords in the vendor's interface
310 if (description && (strstr(description, "generic dialup") != NULL ||
311 strstr(description, "PPP/SLIP") != NULL)) {
312 if_info->type = IF_DIALUP;
313 } else if (description && (strstr(description, "Wireless") != NULL ||
314 strstr(description,"802.11") != NULL)) {
315 if_info->type = IF_WIRELESS;
316 } else if (description && strstr(description, "AirPcap") != NULL ||
317 strstr(name, "airpcap") != NULL) {
318 if_info->type = IF_AIRPCAP;
319 } else if (description && strstr(description, "Bluetooth") != NULL ) {
320 if_info->type = IF_BLUETOOTH;
321 } else if (description && strstr(description, "VMware") != NULL) {
323 * Bridge, NAT, or host-only interface on a VMware host.
325 * XXX - what about guest interfaces?
327 if_info->type = IF_VIRTUAL;
331 * On Windows, the "description" is a vendor description,
332 * and the friendly name isn't returned by WinPcap.
333 * Fetch it ourselves.
337 * Skip over the "\Device\NPF_" prefix in the device name,
340 if (strncmp("\\Device\\NPF_", name, 12) == 0)
341 guid_text = name + 12;
345 /* Now try to parse what remains as a GUID. */
346 if (parse_as_guid(guid_text, &guid)) {
348 * Success. Try to get a friendly name using the GUID.
349 * As this is a regular interface, the description is a
350 * vendor description.
352 if_info->friendly_name = get_interface_friendly_name_from_device_guid(&guid);
353 if_info->vendor_description = g_strdup(description);
356 * This is probably not a regular interface; we only
357 * support NT 5 (W2K) and later, so all regular interfaces
358 * should have GUIDs at the end of the name. Therefore,
359 * the description, if supplied, is a friendly name
360 * provided by WinPcap, and there is no vendor
363 if_info->friendly_name = g_strdup(description);
364 if_info->vendor_description = NULL;
368 * On UN*X, if there is a description, it's a friendly
369 * name, and there is no vendor description.
371 * Try the platform's way of getting a friendly name and
372 * interface type first.
374 * If that fails, then, for a loopback interface, give it the
375 * friendly name "Loopback" and, for VMware interfaces,
376 * give them the type IF_VIRTUAL.
378 add_unix_interface_ifinfo(if_info, name, description);
379 if (if_info->type == IF_WIRED) {
381 * This is the default interface type.
383 * Bridge, NAT, or host-only interfaces on VMWare hosts
384 * have the name vmnet[0-9]+. Guests might use a native
385 * (LANCE or E1000) driver or the vmxnet driver. Check
388 if (g_ascii_strncasecmp(name, "vmnet", 5) == 0)
389 if_info->type = IF_VIRTUAL;
390 else if (g_ascii_strncasecmp(name, "vmxnet", 6) == 0)
391 if_info->type = IF_VIRTUAL;
393 if (if_info->friendly_name == NULL) {
395 * We couldn't get interface information using platform-
398 * If this is a loopback interface, give it a
399 * "friendly name" of "Loopback".
402 if_info->friendly_name = g_strdup("Loopback");
404 if_info->vendor_description = NULL;
406 if_info->loopback = loopback;
407 if_info->addrs = NULL;
412 if_info_add_address(if_info_t *if_info, struct sockaddr *addr)
415 struct sockaddr_in *ai;
416 struct sockaddr_in6 *ai6;
418 switch (addr->sa_family) {
421 ai = (struct sockaddr_in *)(void *)addr;
422 if_addr = (if_addr_t *)g_malloc(sizeof(*if_addr));
423 if_addr->ifat_type = IF_AT_IPv4;
424 if_addr->addr.ip4_addr =
425 *((guint32 *)&(ai->sin_addr.s_addr));
426 if_info->addrs = g_slist_prepend(if_info->addrs, if_addr);
430 ai6 = (struct sockaddr_in6 *)(void *)addr;
431 if_addr = (if_addr_t *)g_malloc(sizeof(*if_addr));
432 if_addr->ifat_type = IF_AT_IPv6;
433 memcpy((void *)&if_addr->addr.ip6_addr,
434 (void *)&ai6->sin6_addr.s6_addr,
435 sizeof if_addr->addr.ip6_addr);
436 if_info->addrs = g_slist_prepend(if_info->addrs, if_addr);
441 #ifdef HAVE_PCAP_FINDALLDEVS
443 * Get all IP address information for the given interface.
446 if_info_ip(if_info_t *if_info, pcap_if_t *d)
451 for (a = d->addresses; a != NULL; a = a->next) {
453 if_info_add_address(if_info, a->addr);
457 if_info->addrs = g_slist_reverse(if_info->addrs);
461 #ifdef HAVE_PCAP_REMOTE
463 get_interface_list_findalldevs_ex(const char *source,
464 struct pcap_rmtauth *auth,
465 int *err, char **err_str)
468 pcap_if_t *alldevs, *dev;
471 * WinPcap can overflow PCAP_ERRBUF_SIZE if the host is unreachable.
472 * Fudge a larger size.
474 char errbuf[PCAP_ERRBUF_SIZE*4];
476 if (pcap_findalldevs_ex((char *)source, auth, &alldevs, errbuf) == -1) {
477 *err = CANT_GET_INTERFACE_LIST;
479 *err_str = cant_get_if_list_error_message(errbuf);
483 if (alldevs == NULL) {
485 * No interfaces found.
493 for (dev = alldevs; dev != NULL; dev = dev->next) {
494 if_info = if_info_new(dev->name, dev->description,
495 (dev->flags & PCAP_IF_LOOPBACK) ? TRUE : FALSE);
496 il = g_list_append(il, if_info);
497 if_info_ip(if_info, dev);
499 pcap_freealldevs(alldevs);
506 get_interface_list_findalldevs(int *err, char **err_str)
509 pcap_if_t *alldevs, *dev;
511 char errbuf[PCAP_ERRBUF_SIZE];
513 if (pcap_findalldevs(&alldevs, errbuf) == -1) {
514 *err = CANT_GET_INTERFACE_LIST;
516 *err_str = cant_get_if_list_error_message(errbuf);
520 if (alldevs == NULL) {
522 * No interfaces found.
530 for (dev = alldevs; dev != NULL; dev = dev->next) {
531 if_info = if_info_new(dev->name, dev->description,
532 (dev->flags & PCAP_IF_LOOPBACK) ? TRUE : FALSE);
533 il = g_list_append(il, if_info);
534 if_info_ip(if_info, dev);
536 pcap_freealldevs(alldevs);
540 #endif /* HAVE_PCAP_FINDALLDEVS */
543 free_if_info_addr_cb(gpointer addr, gpointer user_data _U_)
549 free_if_cb(gpointer data, gpointer user_data _U_)
551 if_info_t *if_info = (if_info_t *)data;
553 g_free(if_info->name);
554 g_free(if_info->friendly_name);
555 g_free(if_info->vendor_description);
557 g_free(if_info->extcap);
560 g_slist_foreach(if_info->addrs, free_if_info_addr_cb, NULL);
561 g_slist_free(if_info->addrs);
566 free_interface_list(GList *if_list)
568 g_list_foreach(if_list, free_if_cb, NULL);
569 g_list_free(if_list);
572 #if !defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) || !defined(HAVE_PCAP_DATALINK_VAL_TO_NAME) || !defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION)
575 const char *description;
579 #define DLT_CHOICE(code, description) { #code, description, code }
580 #define DLT_CHOICE_SENTINEL { NULL, NULL, 0 }
582 static struct dlt_choice dlt_choices[] = {
583 DLT_CHOICE(DLT_NULL, "BSD loopback"),
584 DLT_CHOICE(DLT_EN10MB, "Ethernet"),
585 DLT_CHOICE(DLT_IEEE802, "Token ring"),
586 DLT_CHOICE(DLT_ARCNET, "ARCNET"),
587 DLT_CHOICE(DLT_SLIP, "SLIP"),
588 DLT_CHOICE(DLT_PPP, "PPP"),
589 DLT_CHOICE(DLT_FDDI, "FDDI"),
590 DLT_CHOICE(DLT_ATM_RFC1483, "RFC 1483 IP-over-ATM"),
591 DLT_CHOICE(DLT_RAW, "Raw IP"),
592 DLT_CHOICE(DLT_SLIP_BSDOS, "BSD/OS SLIP"),
593 DLT_CHOICE(DLT_PPP_BSDOS, "BSD/OS PPP"),
594 DLT_CHOICE(DLT_ATM_CLIP, "Linux Classical IP-over-ATM"),
595 DLT_CHOICE(DLT_PPP_SERIAL, "PPP over serial"),
596 DLT_CHOICE(DLT_PPP_ETHER, "PPPoE"),
597 DLT_CHOICE(DLT_C_HDLC, "Cisco HDLC"),
598 DLT_CHOICE(DLT_IEEE802_11, "802.11"),
599 DLT_CHOICE(DLT_FRELAY, "Frame Relay"),
600 DLT_CHOICE(DLT_LOOP, "OpenBSD loopback"),
601 DLT_CHOICE(DLT_ENC, "OpenBSD encapsulated IP"),
602 DLT_CHOICE(DLT_LINUX_SLL, "Linux cooked"),
603 DLT_CHOICE(DLT_LTALK, "Localtalk"),
604 DLT_CHOICE(DLT_PFLOG, "OpenBSD pflog file"),
605 DLT_CHOICE(DLT_PRISM_HEADER, "802.11 plus Prism header"),
606 DLT_CHOICE(DLT_IP_OVER_FC, "RFC 2625 IP-over-Fibre Channel"),
607 DLT_CHOICE(DLT_SUNATM, "Sun raw ATM"),
608 DLT_CHOICE(DLT_IEEE802_11_RADIO, "802.11 plus BSD radio information header"),
609 DLT_CHOICE(DLT_APPLE_IP_OVER_IEEE1394, "Apple IP-over-IEEE 1394"),
610 DLT_CHOICE(DLT_ARCNET_LINUX, "Linux ARCNET"),
611 DLT_CHOICE(DLT_LINUX_IRDA, "Linux IrDA"),
612 DLT_CHOICE(DLT_IEEE802_11_RADIO_AVS, "802.11 plus AVS radio information header"),
616 #if !defined(HAVE_PCAP_DATALINK_NAME_TO_VAL)
618 pcap_datalink_name_to_val(const char *name)
622 for (i = 0; dlt_choices[i].name != NULL; i++) {
623 if (g_ascii_strcasecmp(dlt_choices[i].name + sizeof("DLT_") - 1,
625 return (dlt_choices[i].dlt);
629 #endif /* defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) */
631 #if !defined(HAVE_PCAP_DATALINK_VAL_TO_NAME)
633 pcap_datalink_val_to_name(int dlt)
637 for (i = 0; dlt_choices[i].name != NULL; i++) {
638 if (dlt_choices[i].dlt == dlt)
639 return (dlt_choices[i].name + sizeof("DLT_") - 1);
643 #endif /* defined(HAVE_PCAP_DATALINK_VAL_TO_NAME) */
645 #if !defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION)
647 pcap_datalink_val_to_description(int dlt)
651 for (i = 0; dlt_choices[i].name != NULL; i++) {
652 if (dlt_choices[i].dlt == dlt)
653 return (dlt_choices[i].description);
657 #endif /* defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION) */
659 #endif /* !defined(HAVE_PCAP_DATALINK_VAL_TO_NAME) || !defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION) */
662 free_linktype_cb(gpointer data, gpointer user_data _U_)
664 data_link_info_t *linktype_info = (data_link_info_t *)data;
666 g_free(linktype_info->name);
667 g_free(linktype_info->description);
668 g_free(linktype_info);
672 free_if_capabilities(if_capabilities_t *caps)
674 g_list_foreach(caps->data_link_types, free_linktype_cb, NULL);
675 g_list_free(caps->data_link_types);
680 linktype_val_to_name(int dlt)
682 return pcap_datalink_val_to_name(dlt);
686 linktype_name_to_val(const char *linktype)
688 return pcap_datalink_name_to_val(linktype);
692 * Get the data-link type for a libpcap device.
693 * This works around AIX 5.x's non-standard and incompatible-with-the-
694 * rest-of-the-universe libpcap.
697 get_pcap_datalink(pcap_t *pch, const char *devicename
706 const char *ifacename;
709 datalink = pcap_datalink(pch);
713 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
714 * rather than DLT_ values for link-layer types; the ifType values
715 * for LAN devices are:
722 * and the ifType value for a loopback device is 24.
724 * The AIX names for LAN devices begin with:
731 * and the AIX names for loopback devices begin with "lo".
733 * (The difference between "Ethernet" and "802.3" is presumably
734 * whether packets have an Ethernet header, with a packet type,
735 * or an 802.3 header, with a packet length, followed by an 802.2
736 * header and possibly a SNAP header.)
738 * If the device name matches "datalink" interpreted as an ifType
739 * value, rather than as a DLT_ value, we will assume this is AIX's
740 * non-standard, incompatible libpcap, rather than a standard libpcap,
741 * and will map the link-layer type to the standard DLT_ value for
742 * that link-layer type, as that's what the rest of Wireshark expects.
744 * (This means the capture files won't be readable by a tcpdump
745 * linked with AIX's non-standard libpcap, but so it goes. They
746 * *will* be readable by standard versions of tcpdump, Wireshark,
749 * XXX - if we conclude we're using AIX libpcap, should we also
750 * set a flag to cause us to assume the time stamps are in
751 * seconds-and-nanoseconds form, and to convert them to
752 * seconds-and-microseconds form before processing them and
757 * Find the last component of the device name, which is the
760 ifacename = strchr(devicename, '/');
761 if (ifacename == NULL)
762 ifacename = devicename;
764 /* See if it matches any of the LAN device names. */
765 if (strncmp(ifacename, "en", 2) == 0) {
768 * That's the RFC 1573 value for Ethernet;
769 * map it to DLT_EN10MB.
773 } else if (strncmp(ifacename, "et", 2) == 0) {
776 * That's the RFC 1573 value for 802.3;
777 * map it to DLT_EN10MB.
779 * (libpcap, tcpdump, Wireshark, etc. don't
780 * care if it's Ethernet or 802.3.)
784 } else if (strncmp(ifacename, "tr", 2) == 0) {
787 * That's the RFC 1573 value for 802.5 (Token Ring);
788 * map it to DLT_IEEE802, which is what's used for
793 } else if (strncmp(ifacename, "fi", 2) == 0) {
794 if (datalink == 15) {
796 * That's the RFC 1573 value for FDDI;
797 * map it to DLT_FDDI.
801 } else if (strncmp(ifacename, "lo", 2) == 0) {
802 if (datalink == 24) {
804 * That's the RFC 1573 value for "software loopback"
805 * devices; map it to DLT_NULL, which is what's used
806 * for loopback devices on BSD.
816 /* Set the data link type on a pcap. */
818 set_pcap_datalink(pcap_t *pcap_h, int datalink, char *name,
819 char *errmsg, size_t errmsg_len,
820 char *secondary_errmsg, size_t secondary_errmsg_len)
822 char *set_datalink_err_str;
825 return TRUE; /* just use the default */
826 #ifdef HAVE_PCAP_SET_DATALINK
827 if (pcap_set_datalink(pcap_h, datalink) == 0)
828 return TRUE; /* no error */
829 set_datalink_err_str = pcap_geterr(pcap_h);
831 /* Let them set it to the type it is; reject any other request. */
832 if (get_pcap_datalink(pcap_h, name) == datalink)
833 return TRUE; /* no error */
834 set_datalink_err_str =
835 "That DLT isn't one of the DLTs supported by this device";
837 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type on interface '%s' (%s).",
838 name, set_datalink_err_str);
840 * If the error isn't "XXX is not one of the DLTs supported by this device",
841 * tell the user to tell the Wireshark developers about it.
843 if (strstr(set_datalink_err_str, "is not one of the DLTs supported by this device") == NULL)
844 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
846 secondary_errmsg[0] = '\0';
850 static data_link_info_t *
851 create_data_link_info(int dlt)
853 data_link_info_t *data_link_info;
856 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
857 data_link_info->dlt = dlt;
858 text = pcap_datalink_val_to_name(dlt);
860 data_link_info->name = g_strdup(text);
862 data_link_info->name = g_strdup_printf("DLT %d", dlt);
863 text = pcap_datalink_val_to_description(dlt);
865 data_link_info->description = g_strdup(text);
867 data_link_info->description = NULL;
868 return data_link_info;
872 get_data_link_types(pcap_t *pch, interface_options *interface_opts,
875 GList *data_link_types;
877 #ifdef HAVE_PCAP_LIST_DATALINKS
881 data_link_info_t *data_link_info;
883 deflt = get_pcap_datalink(pch, interface_opts->name);
884 #ifdef HAVE_PCAP_LIST_DATALINKS
885 nlt = pcap_list_datalinks(pch, &linktypes);
888 * This either returns a negative number for an error
889 * or returns a number > 0 and sets linktypes.
892 if (err_str != NULL) {
894 *err_str = g_strdup_printf("pcap_list_datalinks() failed: %s",
897 *err_str = g_strdup(pcap_statustostr(nlt));
901 data_link_types = NULL;
902 for (i = 0; i < nlt; i++) {
903 data_link_info = create_data_link_info(linktypes[i]);
906 * XXX - for 802.11, make the most detailed 802.11
907 * version the default, rather than the one the
908 * device has as the default?
910 if (linktypes[i] == deflt)
911 data_link_types = g_list_prepend(data_link_types,
914 data_link_types = g_list_append(data_link_types,
917 #ifdef HAVE_PCAP_FREE_DATALINKS
918 pcap_free_datalinks(linktypes);
921 * In Windows, there's no guarantee that if you have a library
922 * built with one version of the MSVC++ run-time library, and
923 * it returns a pointer to allocated data, you can free that
924 * data from a program linked with another version of the
925 * MSVC++ run-time library.
927 * This is not an issue on UN*X.
929 * See the mail threads starting at
931 * https://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
935 * https://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
938 #define xx_free free /* hack so checkAPIs doesn't complain */
941 #endif /* HAVE_PCAP_FREE_DATALINKS */
942 #else /* HAVE_PCAP_LIST_DATALINKS */
944 data_link_info = create_data_link_info(deflt);
945 data_link_types = g_list_append(data_link_types, data_link_info);
946 #endif /* HAVE_PCAP_LIST_DATALINKS */
950 return data_link_types;
953 #ifdef HAVE_PCAP_CREATE
956 is_linux_bonding_device(const char *ifname)
962 fd = socket(PF_INET, SOCK_DGRAM, 0);
966 memset(&ifr, 0, sizeof ifr);
967 g_strlcpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name);
968 memset(&ifb, 0, sizeof ifb);
969 ifr.ifr_data = (caddr_t)&ifb;
970 #if defined(SIOCBONDINFOQUERY)
971 if (ioctl(fd, SIOCBONDINFOQUERY, &ifr) == 0) {
976 if (ioctl(fd, BOND_INFO_QUERY_OLD, &ifr) == 0) {
987 is_linux_bonding_device(const char *ifname _U_)
994 get_if_capabilities_pcap_create(interface_options *interface_opts,
997 if_capabilities_t *caps;
998 char errbuf[PCAP_ERRBUF_SIZE];
1003 * Allocate the interface capabilities structure.
1005 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1007 pch = pcap_create(interface_opts->name, errbuf);
1009 if (err_str != NULL)
1010 *err_str = g_strdup(errbuf);
1014 if (is_linux_bonding_device(interface_opts->name)) {
1016 * Linux bonding device; not Wi-Fi, so no monitor mode, and
1017 * calling pcap_can_set_rfmon() might get a "no such device"
1023 * Not a Linux bonding device, so go ahead.
1025 status = pcap_can_set_rfmon(pch);
1029 if (status == PCAP_ERROR)
1030 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1033 *err_str = g_strdup(pcap_statustostr(status));
1039 caps->can_set_rfmon = FALSE;
1040 else if (status == 1) {
1041 caps->can_set_rfmon = TRUE;
1042 if (interface_opts->monitor_mode)
1043 pcap_set_rfmon(pch, 1);
1045 if (err_str != NULL) {
1046 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1054 status = pcap_activate(pch);
1056 /* Error. We ignore warnings (status > 0). */
1057 if (err_str != NULL) {
1058 if (status == PCAP_ERROR)
1059 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1062 *err_str = g_strdup(pcap_statustostr(status));
1069 caps->data_link_types = get_data_link_types(pch, interface_opts,
1071 if (caps->data_link_types == NULL) {
1079 if (err_str != NULL)
1085 open_capture_device_pcap_create(capture_options *capture_opts
1086 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1091 interface_options *interface_opts, int timeout,
1092 char (*open_err_str)[PCAP_ERRBUF_SIZE])
1097 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1098 "Calling pcap_create() using %s.", interface_opts->name);
1099 pcap_h = pcap_create(interface_opts->name, *open_err_str);
1100 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1101 "pcap_create() returned %p.", (void *)pcap_h);
1102 if (pcap_h != NULL) {
1103 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1104 "Calling pcap_set_snaplen() with snaplen %d.",
1105 interface_opts->snaplen);
1106 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
1107 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1108 "Calling pcap_set_promisc() with promisc_mode %d.",
1109 interface_opts->promisc_mode);
1110 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
1111 pcap_set_timeout(pcap_h, timeout);
1113 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1115 * If we're writing pcap-ng files, try to enable
1116 * nanosecond-resolution capture; any code that
1117 * can read pcap-ng files must be able to handle
1118 * nanosecond-resolution time stamps. We don't
1119 * care whether it succeeds or fails - if it fails,
1120 * we just use the microsecond-precision time stamps
1123 * If we're writing pcap files, don't try to enable
1124 * nanosecond-resolution capture, as not all code
1125 * that reads pcap files recognizes the nanosecond-
1126 * resolution pcap file magic number.
1127 * We don't care whether this succeeds or fails; if it
1128 * fails (because we don't have pcap_set_tstamp_precision(),
1129 * or because we do but the OS or device doesn't support
1130 * nanosecond resolution timing), we just use microsecond-
1131 * resolution time stamps.
1133 if (capture_opts->use_pcapng)
1134 request_high_resolution_timestamp(pcap_h);
1135 #endif /* HAVE_PCAP_SET_TSTAMP_PRECISION */
1137 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1138 "buffersize %d.", interface_opts->buffer_size);
1139 if (interface_opts->buffer_size != 0)
1140 pcap_set_buffer_size(pcap_h,
1141 interface_opts->buffer_size * 1024 * 1024);
1142 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1143 "monitor_mode %d.", interface_opts->monitor_mode);
1144 if (interface_opts->monitor_mode)
1145 pcap_set_rfmon(pcap_h, 1);
1146 err = pcap_activate(pcap_h);
1147 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1148 "pcap_activate() returned %d.", err);
1150 /* Failed to activate, set to NULL */
1151 if (err == PCAP_ERROR)
1152 g_strlcpy(*open_err_str, pcap_geterr(pcap_h),
1153 sizeof *open_err_str);
1155 g_strlcpy(*open_err_str, pcap_statustostr(err),
1156 sizeof *open_err_str);
1163 #endif /* HAVE_PCAP_CREATE */
1166 get_if_capabilities_pcap_open_live(interface_options *interface_opts,
1169 if_capabilities_t *caps;
1170 char errbuf[PCAP_ERRBUF_SIZE];
1174 * Allocate the interface capabilities structure.
1176 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1178 pch = pcap_open_live(interface_opts->name, MIN_PACKET_SIZE, 0, 0,
1180 caps->can_set_rfmon = FALSE;
1182 if (err_str != NULL)
1183 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1187 caps->data_link_types = get_data_link_types(pch, interface_opts,
1189 if (caps->data_link_types == NULL) {
1197 if (err_str != NULL)
1203 open_capture_device_pcap_open_live(interface_options *interface_opts,
1204 int timeout, char (*open_err_str)[PCAP_ERRBUF_SIZE])
1208 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1209 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
1210 interface_opts->name, interface_opts->snaplen,
1211 interface_opts->promisc_mode);
1212 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
1213 interface_opts->promisc_mode, timeout, *open_err_str);
1214 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1215 "pcap_open_live() returned %p.", (void *)pcap_h);
1218 /* If the open succeeded, try to set the capture buffer size. */
1219 if (pcap_h && interface_opts->buffer_size > 1) {
1221 * We have no mechanism to report a warning if this
1222 * fails; we just keep capturing with the smaller buffer,
1223 * as is the case on systems with BPF and pcap_create()
1224 * and pcap_set_buffer_size(), where pcap_activate() just
1225 * silently clamps the buffer size to the maximum.
1227 pcap_setbuff(pcap_h, interface_opts->buffer_size * 1024 * 1024);
1235 * Get the capabilities of a network device.
1238 get_if_capabilities(interface_options *interface_opts, char **err_str)
1240 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
1241 if_capabilities_t *caps;
1242 char errbuf[PCAP_ERRBUF_SIZE];
1245 data_link_info_t *data_link_info;
1247 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
1248 struct pcap_rmtauth auth;
1251 * Allocate the interface capabilities structure.
1253 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1255 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
1256 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
1257 auth.username = interface_opts->auth_username;
1258 auth.password = interface_opts->auth_password;
1261 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1262 * wherein, when an open with an rpcap: URL fails, the error
1263 * message for the error is not copied to errbuf and whatever
1264 * on-the-stack junk is in errbuf is treated as the error
1267 * To work around that (and any other bugs of that sort), we
1268 * initialize errbuf to an empty string. If we get an error
1269 * and the string is empty, we report it as an unknown error.
1270 * (If we *don't* get an error, and the string is *non*-empty,
1271 * that could be a warning returned, such as "can't turn
1272 * promiscuous mode on"; we currently don't do so.)
1275 pch = pcap_open(interface_opts->name, MIN_PACKET_SIZE, 0, 0, &auth,
1278 if (err_str != NULL)
1279 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1283 deflt = get_pcap_datalink(pch, interface_opts->name);
1284 data_link_info = create_data_link_info(deflt);
1285 caps->data_link_types = g_list_append(caps->data_link_types,
1289 if (err_str != NULL)
1293 #endif /* defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE) */
1298 return get_if_capabilities_local(interface_opts, err_str);
1302 open_capture_device(capture_options *capture_opts,
1303 interface_options *interface_opts, int timeout,
1304 char (*open_err_str)[PCAP_ERRBUF_SIZE])
1307 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
1308 struct pcap_rmtauth auth;
1311 /* Open the network interface to capture from it.
1312 Some versions of libpcap may put warnings into the error buffer
1313 if they succeed; to tell if that's happened, we have to clear
1314 the error buffer, and check if it's still a null string. */
1315 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
1316 (*open_err_str)[0] = '\0';
1317 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
1319 * If we're opening a remote device, use pcap_open(); that's currently
1320 * the only open routine that supports remote devices.
1322 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
1323 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
1324 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
1325 auth.username = interface_opts->auth_username;
1326 auth.password = interface_opts->auth_password;
1328 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1329 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
1330 interface_opts->name, interface_opts->snaplen,
1331 interface_opts->promisc_mode, interface_opts->datatx_udp,
1332 interface_opts->nocap_rpcap);
1333 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
1335 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
1336 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
1337 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
1338 timeout, &auth, *open_err_str);
1339 if (pcap_h == NULL) {
1340 /* Error - did pcap actually supply an error message? */
1341 if ((*open_err_str)[0] == '\0') {
1343 * Work around known WinPcap bug wherein
1344 * no error message is filled in on a
1345 * failure to open an rpcap: URL.
1347 g_strlcpy(*open_err_str,
1348 "Unknown error (pcap bug; actual error cause not reported)",
1349 sizeof *open_err_str);
1352 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1353 "pcap_open() returned %p.", (void *)pcap_h);
1354 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
1359 pcap_h = open_capture_device_local(capture_opts, interface_opts,
1360 timeout, open_err_str);
1361 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
1365 #endif /* HAVE_LIBPCAP */
1368 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1373 * indent-tabs-mode: t
1376 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1377 * :indentSize=8:tabSize=8:noTabs=false: