5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include <stdlib.h> /* for exit() */
33 #ifdef HAVE_SYS_TYPES_H
34 # include <sys/types.h>
37 #ifdef HAVE_SYS_SOCKET_H
38 #include <sys/socket.h>
41 #ifdef HAVE_NETINET_IN_H
42 #include <netinet/in.h>
45 #ifdef HAVE_SYS_STAT_H
46 # include <sys/stat.h>
57 #ifdef HAVE_ARPA_INET_H
58 #include <arpa/inet.h>
61 #if defined(__APPLE__) && defined(__LP64__)
62 #include <sys/utsname.h>
68 #include <wsutil/crash_info.h>
71 #include "wsutil/wsgetopt.h"
79 # include <sys/prctl.h>
80 # include <sys/capability.h>
83 #include "ringbuffer.h"
84 #include "clopts_common.h"
85 #include "console_io.h"
86 #include "cmdarg_err.h"
87 #include "version_info.h"
89 #include "capture-pcap-util.h"
91 #include "capture-wpcap.h"
97 #include "capture-wpcap.h"
98 #include <wsutil/unicode-utils.h>
105 #ifdef NEED_INET_V6DEFS_H
106 # include "wsutil/inet_v6defs.h"
109 #include <wsutil/privileges.h>
111 #include "sync_pipe.h"
113 #include "capture_opts.h"
114 #include "capture_ifinfo.h"
115 #include "capture_sync.h"
117 #include "conditions.h"
118 #include "capture_stop_conditions.h"
120 #include "tempfile.h"
122 #include "wsutil/file_util.h"
124 #include "ws80211_utils.h"
127 * Get information about libpcap format from "wiretap/libpcap.h".
128 * XXX - can we just use pcap_open_offline() to read the pipe?
130 #include "wiretap/libpcap.h"
132 /**#define DEBUG_DUMPCAP**/
133 /**#define DEBUG_CHILD_DUMPCAP**/
137 #include <conio.h> /* _getch() */
141 #ifdef DEBUG_CHILD_DUMPCAP
142 FILE *debug_log; /* for logging debug messages to */
143 /* a file if DEBUG_CHILD_DUMPCAP */
147 static GAsyncQueue *pcap_queue;
148 static gint64 pcap_queue_bytes;
149 static gint64 pcap_queue_packets;
150 static gint64 pcap_queue_byte_limit = 1024 * 1024;
151 static gint64 pcap_queue_packet_limit = 1000;
153 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
155 static gchar *sig_pipe_name = NULL;
156 static HANDLE sig_pipe_handle = NULL;
157 static gboolean signal_pipe_check_running(void);
161 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
162 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
165 /** Stop a low-level capture (stops the capture child). */
166 static void capture_loop_stop(void);
167 /** Close a pipe, or socket if \a from_socket is TRUE */
168 static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_);
170 #if !defined (__linux__)
171 #ifndef HAVE_PCAP_BREAKLOOP
173 * We don't have pcap_breakloop(), which is the only way to ensure that
174 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
175 * won't, if the call to read the next packet or batch of packets is
176 * is interrupted by a signal on UN*X, just go back and try again to
179 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
180 * the signal handler, set a flag to stop capturing; however, without
181 * a guarantee of that sort, we can't guarantee that we'll stop capturing
182 * if the read will be retried and won't time out if no packets arrive.
184 * Therefore, on at least some platforms, we work around the lack of
185 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
186 * to wait for packets to arrive, so that we're probably going to be
187 * blocked in the select() when the signal arrives, and can just bail
188 * out of the loop at that point.
190 * However, we don't want to do that on BSD (because "select()" doesn't work
191 * correctly on BPF devices on at least some releases of some flavors of
192 * BSD), and we don't want to do it on Windows (because "select()" is
193 * something for sockets, not for arbitrary handles). (Note that "Windows"
194 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
195 * using WinPcap, not a UNIX libpcap.)
197 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
198 * on BSD times out even if no packets have arrived, so we'll eventually
199 * exit pcap_dispatch() with an indication that no packets have arrived,
200 * and will break out of the capture loop at that point.
202 * On Windows, we can't send a SIGINT to stop capturing, so none of this
203 * applies in any case.
205 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
206 * want to include it if it's not present on this platform, however.
208 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
209 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
211 # define MUST_DO_SELECT
212 # endif /* avoid select */
213 #endif /* HAVE_PCAP_BREAKLOOP */
215 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
216 * in pcap_dispatch(); on the other hand, select() works just fine there.
217 * Hence we use a select for that come what may.
219 #define MUST_DO_SELECT
222 /** init the capture filter */
225 INITFILTER_BAD_FILTER,
226 INITFILTER_OTHER_ERROR
227 } initfilter_status_t;
230 STATE_EXPECT_REC_HDR,
241 typedef struct _pcap_options {
245 #ifdef MUST_DO_SELECT
246 int pcap_fd; /**< pcap file descriptor */
253 gboolean ts_nsec; /**< TRUE if we're using nanosecond precision. */
254 /**< capture pipe (unix only "input file") */
255 gboolean from_cap_pipe; /**< TRUE if we are capturing data from a capture pipe */
256 gboolean from_cap_socket; /**< TRUE if we're capturing from socket */
257 struct pcap_hdr cap_pipe_hdr; /**< Pcap header when capturing from a pipe */
258 struct pcaprec_modified_hdr cap_pipe_rechdr; /**< Pcap record header when capturing from a pipe */
260 HANDLE cap_pipe_h; /**< The handle of the capture pipe */
262 int cap_pipe_fd; /**< the file descriptor of the capture pipe */
263 gboolean cap_pipe_modified; /**< TRUE if data in the pipe uses modified pcap headers */
264 gboolean cap_pipe_byte_swapped; /**< TRUE if data in the pipe is byte swapped */
266 char * cap_pipe_buf; /**< Pointer to the data buffer we read into */
267 DWORD cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
268 DWORD cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
270 size_t cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
271 size_t cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
273 cap_pipe_state_t cap_pipe_state;
274 cap_pipe_err_t cap_pipe_err;
277 GMutex *cap_pipe_read_mtx;
278 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
282 typedef struct _loop_data {
284 gboolean go; /**< TRUE as long as we're supposed to keep capturing */
285 int err; /**< if non-zero, error seen while capturing */
286 gint packet_count; /**< Number of packets we have already captured */
287 gint packet_max; /**< Number of packets we're supposed to capture - 0 means infinite */
288 guint inpkts_to_sync_pipe; /**< Packets not already send out to the sync_pipe */
290 gboolean report_packet_count; /**< Set by SIGINFO handler; print packet count */
296 guint64 bytes_written;
297 guint32 autostop_files;
300 typedef struct _pcap_queue_element {
301 pcap_options *pcap_opts;
302 struct pcap_pkthdr phdr;
304 } pcap_queue_element;
307 * Standard secondary message for unexpected errors.
309 static const char please_report[] =
310 "Please report this to the Wireshark developers.\n"
311 "(This is not a crash; please do not report it as such.)";
314 * This needs to be static, so that the SIGINT handler can clear the "go"
317 static loop_data global_ld;
321 * Timeout, in milliseconds, for reads from the stream of captured packets
322 * from a capture device.
324 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
325 * 64-bit applications, with sub-second timeouts not to work. The bug is
326 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
328 #if defined(__APPLE__) && defined(__LP64__)
329 static gboolean need_timeout_workaround;
331 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
333 #define CAP_READ_TIMEOUT 250
337 * Timeout, in microseconds, for reads from the stream of captured packets
338 * from a pipe. Pipes don't have the same problem that BPF devices do
339 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
340 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
341 * of the offending versions of Snow Leopard.
343 * On Windows this value is converted to milliseconds and passed to
344 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
345 * will return immediately.
348 #define PIPE_READ_TIMEOUT 100000
350 #define PIPE_READ_TIMEOUT 250000
353 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
356 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
357 const char *message, gpointer user_data _U_);
359 /* capture related options */
360 static capture_options global_capture_opts;
361 static gboolean quiet = FALSE;
362 static gboolean use_threads = FALSE;
363 static guint64 start_time;
365 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
367 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
369 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
370 int err, gboolean is_close);
372 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
374 static void report_new_capture_file(const char *filename);
375 static void report_packet_count(unsigned int packet_count);
376 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
377 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
378 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
380 #define MSG_MAX_LENGTH 4096
382 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
384 create_timestamp(void) {
394 * Current time, represented as 100-nanosecond intervals since
395 * January 1, 1601, 00:00:00 UTC.
397 * I think DWORD might be signed, so cast both parts of "now"
398 * to guint32 so that the sign bit doesn't get treated specially.
400 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
401 * might want to use instead.
403 GetSystemTimeAsFileTime(&now);
404 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
405 (guint32)now.dwLowDateTime;
408 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
414 * Subtract difference, in microseconds, between January 1, 1601
415 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
417 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
420 * Current time, represented as seconds and microseconds since
421 * January 1, 1970, 00:00:00 UTC.
423 gettimeofday(&now, NULL);
426 * Convert to delta in microseconds.
428 timestamp = (guint64)(now.tv_sec) * 1000000 +
429 (guint64)(now.tv_usec);
435 print_usage(gboolean print_ver)
442 "Dumpcap " VERSION "%s\n"
443 "Capture network packets and dump them into a pcapng file.\n"
444 "See http://www.wireshark.org for more information.\n",
445 wireshark_svnversion);
449 fprintf(output, "\nUsage: dumpcap [options] ...\n");
450 fprintf(output, "\n");
451 fprintf(output, "Capture interface:\n");
452 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback),\n"
453 " or for remote capturing, use one of these formats:\n"
454 " rpcap://<host>/<interface>\n"
455 " TCP@<host>:<port>\n");
456 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
457 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
458 fprintf(output, " -p don't capture in promiscuous mode\n");
459 #ifdef HAVE_PCAP_CREATE
460 fprintf(output, " -I capture in monitor mode, if available\n");
462 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
463 fprintf(output, " -B <buffer size> size of kernel buffer in MB (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
465 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
466 fprintf(output, " -D print list of interfaces and exit\n");
467 fprintf(output, " -L print list of link-layer types of iface and exit\n");
468 #ifdef HAVE_BPF_IMAGE
469 fprintf(output, " -d print generated BPF code for capture filter\n");
471 fprintf(output, " -k set channel on wifi interface <freq>,[<type>]\n");
472 fprintf(output, " -S print statistics for each interface once per second\n");
473 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
474 fprintf(output, "\n");
475 #ifdef HAVE_PCAP_REMOTE
476 fprintf(output, "RPCAP options:\n");
477 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
478 fprintf(output, " -u use UDP for RPCAP data transfer\n");
479 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
480 #ifdef HAVE_PCAP_SETSAMPLING
481 fprintf(output, " -m <sampling type> use packet sampling\n");
482 fprintf(output, " count:NUM - capture one packet of every NUM\n");
483 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
486 fprintf(output, "Stop conditions:\n");
487 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
488 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
489 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
490 fprintf(output, " files:NUM - stop after NUM files\n");
491 /*fprintf(output, "\n");*/
492 fprintf(output, "Output (files):\n");
493 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
494 fprintf(output, " -g enable group read access on the output file(s)\n");
495 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
496 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
497 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
498 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
499 fprintf(output, " -P use libpcap format instead of pcapng\n");
500 fprintf(output, "\n");
501 fprintf(output, "Miscellaneous:\n");
502 fprintf(output, " -t use a separate thread per interface\n");
503 fprintf(output, " -q don't report packet capture counts\n");
504 fprintf(output, " -v print version information and exit\n");
505 fprintf(output, " -h display this help and exit\n");
506 fprintf(output, "\n");
507 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
508 fprintf(output, "\"Capture packets from interface eth0 until 60s passed into output.pcapng\"\n");
509 fprintf(output, "\n");
510 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
514 show_version(GString *comp_info_str, GString *runtime_info_str)
517 "Dumpcap " VERSION "%s\n"
522 "See http://www.wireshark.org for more information.\n",
523 wireshark_svnversion, get_copyright_info(), comp_info_str->str, runtime_info_str->str);
527 * Print to the standard error. This is a command-line tool, so there's
528 * no need to pop up a console.
531 vfprintf_stderr(const char *fmt, va_list ap)
533 vfprintf(stderr, fmt, ap);
537 fprintf_stderr(const char *fmt, ...)
542 vfprintf_stderr(fmt, ap);
547 * Report an error in command-line arguments.
550 cmdarg_err(const char *fmt, ...)
556 /* Generate a 'special format' message back to parent */
558 msg = g_strdup_vprintf(fmt, ap);
559 sync_pipe_errmsg_to_parent(2, msg, "");
564 fprintf(stderr, "dumpcap: ");
565 vfprintf(stderr, fmt, ap);
566 fprintf(stderr, "\n");
572 * Report additional information for an error in command-line arguments.
575 cmdarg_err_cont(const char *fmt, ...)
582 msg = g_strdup_vprintf(fmt, ap);
583 sync_pipe_errmsg_to_parent(2, msg, "");
588 vfprintf(stderr, fmt, ap);
589 fprintf(stderr, "\n");
596 #if 0 /* Set to enable capability debugging */
597 /* see 'man cap_to_text()' for explanation of output */
598 /* '=' means 'all= ' ie: no capabilities */
599 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
601 print_caps(const char *pfx) {
602 cap_t caps = cap_get_proc();
603 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
604 "%s: EUID: %d Capabilities: %s", pfx,
605 geteuid(), cap_to_text(caps, NULL));
608 print_caps(const char *pfx _U_) {
613 relinquish_all_capabilities(void)
615 /* Drop any and all capabilities this process may have. */
616 /* Allowed whether or not process has any privileges. */
617 cap_t caps = cap_init(); /* all capabilities initialized to off */
618 print_caps("Pre-clear");
619 if (cap_set_proc(caps)) {
620 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
622 print_caps("Post-clear");
628 open_capture_device(interface_options *interface_opts,
629 char (*open_err_str)[PCAP_ERRBUF_SIZE])
632 #ifdef HAVE_PCAP_CREATE
635 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
636 struct pcap_rmtauth auth;
639 /* Open the network interface to capture from it.
640 Some versions of libpcap may put warnings into the error buffer
641 if they succeed; to tell if that's happened, we have to clear
642 the error buffer, and check if it's still a null string. */
643 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
644 (*open_err_str)[0] = '\0';
645 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
647 * If we're opening a remote device, use pcap_open(); that's currently
648 * the only open routine that supports remote devices.
650 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
651 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
652 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
653 auth.username = interface_opts->auth_username;
654 auth.password = interface_opts->auth_password;
656 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
657 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
658 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
659 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
660 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
662 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
663 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
664 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
665 CAP_READ_TIMEOUT, &auth, *open_err_str);
666 if (pcap_h == NULL) {
667 /* Error - did pcap actually supply an error message? */
668 if ((*open_err_str)[0] == '\0') {
669 /* Work around known WinPcap bug wherein no error message is
670 filled in on a failure to open an rpcap: URL. */
671 g_strlcpy(*open_err_str,
672 "Unknown error (pcap bug; actual error cause not reported)",
673 sizeof *open_err_str);
676 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
677 "pcap_open() returned %p.", (void *)pcap_h);
682 * If we're not opening a remote device, use pcap_create() and
683 * pcap_activate() if we have them, so that we can set the buffer
684 * size, otherwise use pcap_open_live().
686 #ifdef HAVE_PCAP_CREATE
687 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
688 "Calling pcap_create() using %s.", interface_opts->name);
689 pcap_h = pcap_create(interface_opts->name, *open_err_str);
690 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
691 "pcap_create() returned %p.", (void *)pcap_h);
692 if (pcap_h != NULL) {
693 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
694 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
695 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
696 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
697 "Calling pcap_set_promisc() with promisc_mode %d.", interface_opts->promisc_mode);
698 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
699 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
702 "buffersize %d.", interface_opts->buffer_size);
703 if (interface_opts->buffer_size != 0) {
704 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
706 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
707 "monitor_mode %d.", interface_opts->monitor_mode);
708 if (interface_opts->monitor_mode)
709 pcap_set_rfmon(pcap_h, 1);
710 err = pcap_activate(pcap_h);
711 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
712 "pcap_activate() returned %d.", err);
714 /* Failed to activate, set to NULL */
715 if (err == PCAP_ERROR)
716 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
718 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
724 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
725 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
726 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
727 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
728 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
730 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
731 "pcap_open_live() returned %p.", (void *)pcap_h);
734 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
739 get_capture_device_open_failure_messages(const char *open_err_str,
745 char *errmsg, size_t errmsg_len,
746 char *secondary_errmsg,
747 size_t secondary_errmsg_len)
750 const char *libpcap_warn;
751 static const char ppamsg[] = "can't find PPA for ";
754 g_snprintf(errmsg, (gulong) errmsg_len,
755 "The capture session could not be initiated (%s).", open_err_str);
758 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
760 "In order to capture packets, WinPcap must be installed; see\n"
762 " http://www.winpcap.org/\n"
766 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
770 " http://winpcap.cs.pu.edu.tw/\n"
772 "for a downloadable version of WinPcap and for instructions on how to install\n"
775 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
777 "Please check that \"%s\" is the proper interface.\n"
780 "Help can be found at:\n"
782 " http://wiki.wireshark.org/WinPcap\n"
783 " http://wiki.wireshark.org/CaptureSetup\n",
787 /* If we got a "can't find PPA for X" message, warn the user (who
788 is running dumpcap on HP-UX) that they don't have a version of
789 libpcap that properly handles HP-UX (libpcap 0.6.x and later
790 versions, which properly handle HP-UX, say "can't find /dev/dlpi
791 PPA for X" rather than "can't find PPA for X"). */
792 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
795 "You are running (T)Wireshark with a version of the libpcap library\n"
796 "that doesn't handle HP-UX network devices well; this means that\n"
797 "(T)Wireshark may not be able to capture packets.\n"
799 "To fix this, you should install libpcap 0.6.2, or a later version\n"
800 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
801 "packaged binary form from the Software Porting And Archive Centre\n"
802 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
803 "at the URL lists a number of mirror sites.";
807 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
808 "Please check to make sure you have sufficient permissions, and that you have "
809 "the proper interface or pipe specified.%s", libpcap_warn);
813 /* Set the data link type on a pcap. */
815 set_pcap_linktype(pcap_t *pcap_h, int linktype,
816 #ifdef HAVE_PCAP_SET_DATALINK
821 char *errmsg, size_t errmsg_len,
822 char *secondary_errmsg, size_t secondary_errmsg_len)
824 char *set_linktype_err_str;
827 return TRUE; /* just use the default */
828 #ifdef HAVE_PCAP_SET_DATALINK
829 if (pcap_set_datalink(pcap_h, linktype) == 0)
830 return TRUE; /* no error */
831 set_linktype_err_str = pcap_geterr(pcap_h);
833 /* Let them set it to the type it is; reject any other request. */
834 if (get_pcap_linktype(pcap_h, name) == linktype)
835 return TRUE; /* no error */
836 set_linktype_err_str =
837 "That DLT isn't one of the DLTs supported by this device";
839 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
840 set_linktype_err_str);
842 * If the error isn't "XXX is not one of the DLTs supported by this device",
843 * tell the user to tell the Wireshark developers about it.
845 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
846 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
848 secondary_errmsg[0] = '\0';
853 compile_capture_filter(const char *iface, pcap_t *pcap_h,
854 struct bpf_program *fcode, const char *cfilter)
856 bpf_u_int32 netnum, netmask;
857 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
859 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
861 * Well, we can't get the netmask for this interface; it's used
862 * only for filters that check for broadcast IP addresses, so
863 * we just punt and use 0. It might be nice to warn the user,
864 * but that's a pain in a GUI application, as it'd involve popping
865 * up a message box, and it's not clear how often this would make
866 * a difference (only filters that check for IP broadcast addresses
870 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
875 * Sigh. Older versions of libpcap don't properly declare the
876 * third argument to pcap_compile() as a const pointer. Cast
879 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
884 #ifdef HAVE_BPF_IMAGE
886 show_filter_code(capture_options *capture_opts)
888 interface_options interface_opts;
890 gchar open_err_str[PCAP_ERRBUF_SIZE];
891 char errmsg[MSG_MAX_LENGTH+1];
892 char secondary_errmsg[MSG_MAX_LENGTH+1];
893 struct bpf_program fcode;
894 struct bpf_insn *insn;
898 for (j = 0; j < capture_opts->ifaces->len; j++) {
899 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
900 pcap_h = open_capture_device(&interface_opts, &open_err_str);
901 if (pcap_h == NULL) {
902 /* Open failed; get messages */
903 get_capture_device_open_failure_messages(open_err_str,
905 errmsg, sizeof errmsg,
907 sizeof secondary_errmsg);
908 /* And report them */
909 report_capture_error(errmsg, secondary_errmsg);
913 /* Set the link-layer type. */
914 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
915 errmsg, sizeof errmsg,
916 secondary_errmsg, sizeof secondary_errmsg)) {
918 report_capture_error(errmsg, secondary_errmsg);
922 /* OK, try to compile the capture filter. */
923 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
924 interface_opts.cfilter)) {
926 report_cfilter_error(capture_opts, j, errmsg);
931 /* Now print the filter code. */
932 insn = fcode.bf_insns;
934 for (i = 0; i < fcode.bf_len; insn++, i++)
935 printf("%s\n", bpf_image(insn, i));
937 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
938 /* to remove any suid privileges. */
939 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
940 /* (euid/egid have already previously been set to ruid/rgid. */
941 /* (See comment in main() for details) */
943 relinquish_special_privs_perm();
945 relinquish_all_capabilities();
948 /* Let our parent know we succeeded. */
949 pipe_write_block(2, SP_SUCCESS, NULL);
956 * capture_interface_list() is expected to do the right thing to get
957 * a list of interfaces.
959 * In most of the programs in the Wireshark suite, "the right thing"
960 * is to run dumpcap and ask it for the list, because dumpcap may
961 * be the only program in the suite with enough privileges to get
964 * In dumpcap itself, however, we obviously can't run dumpcap to
965 * ask for the list. Therefore, our capture_interface_list() should
966 * just call get_interface_list().
969 capture_interface_list(int *err, char **err_str)
971 return get_interface_list(err, err_str);
975 * Get the data-link type for a libpcap device.
976 * This works around AIX 5.x's non-standard and incompatible-with-the-
977 * rest-of-the-universe libpcap.
980 get_pcap_linktype(pcap_t *pch, const char *devicename
988 const char *ifacename;
991 linktype = pcap_datalink(pch);
995 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
996 * rather than DLT_ values for link-layer types; the ifType values
997 * for LAN devices are:
1004 * and the ifType value for a loopback device is 24.
1006 * The AIX names for LAN devices begin with:
1013 * and the AIX names for loopback devices begin with "lo".
1015 * (The difference between "Ethernet" and "802.3" is presumably
1016 * whether packets have an Ethernet header, with a packet type,
1017 * or an 802.3 header, with a packet length, followed by an 802.2
1018 * header and possibly a SNAP header.)
1020 * If the device name matches "linktype" interpreted as an ifType
1021 * value, rather than as a DLT_ value, we will assume this is AIX's
1022 * non-standard, incompatible libpcap, rather than a standard libpcap,
1023 * and will map the link-layer type to the standard DLT_ value for
1024 * that link-layer type, as that's what the rest of Wireshark expects.
1026 * (This means the capture files won't be readable by a tcpdump
1027 * linked with AIX's non-standard libpcap, but so it goes. They
1028 * *will* be readable by standard versions of tcpdump, Wireshark,
1031 * XXX - if we conclude we're using AIX libpcap, should we also
1032 * set a flag to cause us to assume the time stamps are in
1033 * seconds-and-nanoseconds form, and to convert them to
1034 * seconds-and-microseconds form before processing them and
1039 * Find the last component of the device name, which is the
1042 ifacename = strchr(devicename, '/');
1043 if (ifacename == NULL)
1044 ifacename = devicename;
1046 /* See if it matches any of the LAN device names. */
1047 if (strncmp(ifacename, "en", 2) == 0) {
1048 if (linktype == 6) {
1050 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1054 } else if (strncmp(ifacename, "et", 2) == 0) {
1055 if (linktype == 7) {
1057 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1058 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1063 } else if (strncmp(ifacename, "tr", 2) == 0) {
1064 if (linktype == 9) {
1066 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1067 * DLT_IEEE802, which is what's used for Token Ring.
1071 } else if (strncmp(ifacename, "fi", 2) == 0) {
1072 if (linktype == 15) {
1074 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1078 } else if (strncmp(ifacename, "lo", 2) == 0) {
1079 if (linktype == 24) {
1081 * That's the RFC 1573 value for "software loopback" devices; map it
1082 * to DLT_NULL, which is what's used for loopback devices on BSD.
1092 static data_link_info_t *
1093 create_data_link_info(int dlt)
1095 data_link_info_t *data_link_info;
1098 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1099 data_link_info->dlt = dlt;
1100 text = pcap_datalink_val_to_name(dlt);
1102 data_link_info->name = g_strdup(text);
1104 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1105 text = pcap_datalink_val_to_description(dlt);
1107 data_link_info->description = g_strdup(text);
1109 data_link_info->description = NULL;
1110 return data_link_info;
1114 * Get the capabilities of a network device.
1116 static if_capabilities_t *
1117 get_if_capabilities(const char *devicename, gboolean monitor_mode
1118 #ifndef HAVE_PCAP_CREATE
1123 if_capabilities_t *caps;
1124 char errbuf[PCAP_ERRBUF_SIZE];
1126 #ifdef HAVE_PCAP_CREATE
1130 #ifdef HAVE_PCAP_LIST_DATALINKS
1134 data_link_info_t *data_link_info;
1137 * Allocate the interface capabilities structure.
1139 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1142 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1143 * wherein, when an open with an rpcap: URL fails, the error
1144 * message for the error is not copied to errbuf and whatever
1145 * on-the-stack junk is in errbuf is treated as the error
1148 * To work around that (and any other bugs of that sort, we
1149 * initialize errbuf to an empty string. If we get an error
1150 * and the string is empty, we report it as an unknown error.
1151 * (If we *don't* get an error, and the string is *non*-empty,
1152 * that could be a warning returned, such as "can't turn
1153 * promiscuous mode on"; we currently don't do so.)
1156 #ifdef HAVE_PCAP_OPEN
1157 pch = pcap_open(devicename, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1158 caps->can_set_rfmon = FALSE;
1160 if (err_str != NULL)
1161 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1165 #elif defined(HAVE_PCAP_CREATE)
1166 pch = pcap_create(devicename, errbuf);
1168 if (err_str != NULL)
1169 *err_str = g_strdup(errbuf);
1173 status = pcap_can_set_rfmon(pch);
1176 if (status == PCAP_ERROR)
1177 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1180 *err_str = g_strdup(pcap_statustostr(status));
1186 caps->can_set_rfmon = FALSE;
1187 else if (status == 1) {
1188 caps->can_set_rfmon = TRUE;
1190 pcap_set_rfmon(pch, 1);
1192 if (err_str != NULL) {
1193 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1201 status = pcap_activate(pch);
1203 /* Error. We ignore warnings (status > 0). */
1204 if (err_str != NULL) {
1205 if (status == PCAP_ERROR)
1206 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1209 *err_str = g_strdup(pcap_statustostr(status));
1216 pch = pcap_open_live(devicename, MIN_PACKET_SIZE, 0, 0, errbuf);
1217 caps->can_set_rfmon = FALSE;
1219 if (err_str != NULL)
1220 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1225 deflt = get_pcap_linktype(pch, devicename);
1226 #ifdef HAVE_PCAP_LIST_DATALINKS
1227 nlt = pcap_list_datalinks(pch, &linktypes);
1228 if (nlt == 0 || linktypes == NULL) {
1230 if (err_str != NULL)
1231 *err_str = NULL; /* an empty list doesn't mean an error */
1235 caps->data_link_types = NULL;
1236 for (i = 0; i < nlt; i++) {
1237 data_link_info = create_data_link_info(linktypes[i]);
1240 * XXX - for 802.11, make the most detailed 802.11
1241 * version the default, rather than the one the
1242 * device has as the default?
1244 if (linktypes[i] == deflt)
1245 caps->data_link_types = g_list_prepend(caps->data_link_types,
1248 caps->data_link_types = g_list_append(caps->data_link_types,
1251 #ifdef HAVE_PCAP_FREE_DATALINKS
1252 pcap_free_datalinks(linktypes);
1255 * In Windows, there's no guarantee that if you have a library
1256 * built with one version of the MSVC++ run-time library, and
1257 * it returns a pointer to allocated data, you can free that
1258 * data from a program linked with another version of the
1259 * MSVC++ run-time library.
1261 * This is not an issue on UN*X.
1263 * See the mail threads starting at
1265 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1269 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1272 #define xx_free free /* hack so checkAPIs doesn't complain */
1275 #endif /* HAVE_PCAP_FREE_DATALINKS */
1276 #else /* HAVE_PCAP_LIST_DATALINKS */
1278 data_link_info = create_data_link_info(deflt);
1279 caps->data_link_types = g_list_append(caps->data_link_types,
1281 #endif /* HAVE_PCAP_LIST_DATALINKS */
1285 if (err_str != NULL)
1290 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1292 * Output a machine readable list of the interfaces
1293 * This list is retrieved by the sync_interface_list_open() function
1294 * The actual output of this function can be viewed with the command "dumpcap -D -Z none"
1297 print_machine_readable_interfaces(GList *if_list)
1304 char addr_str[ADDRSTRLEN];
1306 if (capture_child) {
1307 /* Let our parent know we succeeded. */
1308 pipe_write_block(2, SP_SUCCESS, NULL);
1311 i = 1; /* Interface id number */
1312 for (if_entry = g_list_first(if_list); if_entry != NULL;
1313 if_entry = g_list_next(if_entry)) {
1314 if_info = (if_info_t *)if_entry->data;
1315 printf("%d. %s", i++, if_info->name);
1318 * Print the contents of the if_entry struct in a parseable format.
1319 * Each if_entry element is tab-separated. Addresses are comma-
1322 /* XXX - Make sure our description doesn't contain a tab */
1323 if (if_info->vendor_description != NULL)
1324 printf("\t%s\t", if_info->vendor_description);
1328 /* XXX - Make sure our friendly name doesn't contain a tab */
1329 if (if_info->friendly_name != NULL)
1330 printf("%s\t", if_info->friendly_name);
1334 for (addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1335 addr = g_slist_next(addr)) {
1336 if (addr != g_slist_nth(if_info->addrs, 0))
1339 if_addr = (if_addr_t *)addr->data;
1340 switch(if_addr->ifat_type) {
1342 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1344 printf("%s", addr_str);
1346 printf("<unknown IPv4>");
1350 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1351 addr_str, ADDRSTRLEN)) {
1352 printf("%s", addr_str);
1354 printf("<unknown IPv6>");
1358 printf("<type unknown %u>", if_addr->ifat_type);
1362 if (if_info->loopback)
1363 printf("\tloopback");
1365 printf("\tnetwork");
1372 * If you change the machine-readable output format of this function,
1373 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1376 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1379 data_link_info_t *data_link_info;
1380 const gchar *desc_str;
1382 if (capture_child) {
1383 /* Let our parent know we succeeded. */
1384 pipe_write_block(2, SP_SUCCESS, NULL);
1387 if (caps->can_set_rfmon)
1391 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1392 lt_entry = g_list_next(lt_entry)) {
1393 data_link_info = (data_link_info_t *)lt_entry->data;
1394 if (data_link_info->description != NULL)
1395 desc_str = data_link_info->description;
1397 desc_str = "(not supported)";
1398 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1408 /* Print the number of packets captured for each interface until we're killed. */
1410 print_statistics_loop(gboolean machine_readable)
1412 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1418 char errbuf[PCAP_ERRBUF_SIZE];
1419 struct pcap_stat ps;
1421 if_list = get_interface_list(&err, &err_str);
1422 if (if_list == NULL) {
1424 case CANT_GET_INTERFACE_LIST:
1425 case DONT_HAVE_PCAP:
1426 cmdarg_err("%s", err_str);
1430 case NO_INTERFACES_FOUND:
1431 cmdarg_err("There are no interfaces on which a capture can be done");
1437 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1438 if_info = (if_info_t *)if_entry->data;
1439 #ifdef HAVE_PCAP_OPEN
1440 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1442 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1446 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1447 if_stat->name = g_strdup(if_info->name);
1449 stat_list = g_list_append(stat_list, if_stat);
1454 cmdarg_err("There are no interfaces on which a capture can be done");
1458 if (capture_child) {
1459 /* Let our parent know we succeeded. */
1460 pipe_write_block(2, SP_SUCCESS, NULL);
1463 if (!machine_readable) {
1464 printf("%-15s %10s %10s\n", "Interface", "Received",
1468 global_ld.go = TRUE;
1469 while (global_ld.go) {
1470 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1471 if_stat = (if_stat_t *)stat_entry->data;
1472 pcap_stats(if_stat->pch, &ps);
1474 if (!machine_readable) {
1475 printf("%-15s %10u %10u\n", if_stat->name,
1476 ps.ps_recv, ps.ps_drop);
1478 printf("%s\t%u\t%u\n", if_stat->name,
1479 ps.ps_recv, ps.ps_drop);
1490 /* XXX - Not reached. Should we look for 'q' in stdin? */
1491 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1492 if_stat = (if_stat_t *)stat_entry->data;
1493 pcap_close(if_stat->pch);
1494 g_free(if_stat->name);
1497 g_list_free(stat_list);
1498 free_interface_list(if_list);
1506 capture_cleanup_handler(DWORD dwCtrlType)
1508 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1509 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1510 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1511 like SIGTERM at least when the machine's shutting down.
1513 For now, if we're running as a command rather than a capture child,
1514 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1515 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1516 in that way on UN*X.
1518 If we're not running as a capture child, we might be running as
1519 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1520 user logs out. (XXX - can we explicitly check whether we're
1521 running as a service?) */
1523 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1524 "Console: Control signal");
1525 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1526 "Console: Control signal, CtrlType: %u", dwCtrlType);
1528 /* Keep capture running if we're a service and a user logs off */
1529 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1530 capture_loop_stop();
1538 capture_cleanup_handler(int signum _U_)
1540 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1541 SIGTERM. We assume that if the user wanted it to keep running
1542 after they logged out, they'd have nohupped it. */
1544 /* Note: don't call g_log() in the signal handler: if we happened to be in
1545 * g_log() in process context when the signal came in, g_log will detect
1546 * the "recursion" and abort.
1549 capture_loop_stop();
1555 report_capture_count(gboolean reportit)
1557 /* Don't print this if we're a capture child. */
1558 if (!capture_child && reportit) {
1559 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1560 /* stderr could be line buffered */
1568 report_counts_for_siginfo(void)
1570 report_capture_count(quiet);
1571 infoprint = FALSE; /* we just reported it */
1575 report_counts_siginfo(int signum _U_)
1577 int sav_errno = errno;
1579 /* If we've been told to delay printing, just set a flag asking
1580 that we print counts (if we're supposed to), otherwise print
1581 the count of packets captured (if we're supposed to). */
1585 report_counts_for_siginfo();
1588 #endif /* SIGINFO */
1591 exit_main(int status)
1594 /* Shutdown windows sockets */
1597 /* can be helpful for debugging */
1598 #ifdef DEBUG_DUMPCAP
1599 printf("Press any key\n");
1610 * If we were linked with libcap (not related to libpcap), make sure we have
1611 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1612 * (See comment in main() for details)
1615 relinquish_privs_except_capture(void)
1617 /* If 'started_with_special_privs' (ie: suid) then enable for
1618 * ourself the NET_ADMIN and NET_RAW capabilities and then
1619 * drop our suid privileges.
1621 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1622 * stuff we don't need (and shouldn't have).
1623 * CAP_NET_RAW: Packet capture (raw sockets).
1626 if (started_with_special_privs()) {
1627 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1628 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1630 cap_t caps = cap_init(); /* all capabilities initialized to off */
1632 print_caps("Pre drop, pre set");
1634 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1635 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1638 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1639 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1641 if (cap_set_proc(caps)) {
1642 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1644 print_caps("Pre drop, post set");
1646 relinquish_special_privs_perm();
1648 print_caps("Post drop, pre set");
1649 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1650 if (cap_set_proc(caps)) {
1651 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1653 print_caps("Post drop, post set");
1659 #endif /* HAVE_LIBCAP */
1661 /* Take care of byte order in the libpcap headers read from pipes.
1662 * (function taken from wiretap/libpcap.c) */
1664 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1667 /* Byte-swap the record header fields. */
1668 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1669 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1670 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1671 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1674 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1675 swapped, in order to match the BPF header layout.
1677 Unfortunately, some files were, according to a comment in the "libpcap"
1678 source, written with version 2.3 in their headers but without the
1679 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1680 would make no sense - we assume that we need to swap them. */
1681 if (hdr->version_major == 2 &&
1682 (hdr->version_minor < 3 ||
1683 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1686 temp = rechdr->orig_len;
1687 rechdr->orig_len = rechdr->incl_len;
1688 rechdr->incl_len = temp;
1692 /* Wrapper: distinguish between recv/read if we're reading on Windows,
1696 cap_pipe_read(int pipe_fd, char *buf, size_t sz, gboolean from_socket _U_)
1700 return recv(pipe_fd, buf, (int)sz, 0);
1705 return ws_read(pipe_fd, buf, sz);
1711 * Thread function that reads from a pipe and pushes the data
1712 * to the main application thread.
1715 * XXX Right now we use async queues for basic signaling. The main thread
1716 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1717 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1718 * Iff the read is successful cap_pipe_read pushes an item onto
1719 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1720 * the queues themselves (yet).
1722 * We might want to move some of the cap_pipe_dispatch logic here so that
1723 * we can let cap_thread_read run independently, queuing up multiple reads
1724 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1726 static void *cap_thread_read(void *arg)
1728 pcap_options *pcap_opts;
1731 DWORD b, last_err, bytes_read;
1737 pcap_opts = (pcap_options *)arg;
1738 while (pcap_opts->cap_pipe_err == PIPOK) {
1739 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1740 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1742 while (bytes_read < pcap_opts->cap_pipe_bytes_to_read) {
1743 if ((pcap_opts->from_cap_socket)
1749 b = cap_pipe_read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1750 pcap_opts->cap_pipe_bytes_to_read - bytes_read, pcap_opts->from_cap_socket);
1753 pcap_opts->cap_pipe_err = PIPEOF;
1757 pcap_opts->cap_pipe_err = PIPERR;
1768 /* If we try to use read() on a named pipe on Windows with partial
1769 * data it appears to return EOF.
1771 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1772 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1777 last_err = GetLastError();
1778 if (last_err == ERROR_MORE_DATA) {
1780 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1781 pcap_opts->cap_pipe_err = PIPEOF;
1785 pcap_opts->cap_pipe_err = PIPERR;
1788 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1789 pcap_opts->cap_pipe_err = PIPEOF;
1796 pcap_opts->cap_pipe_bytes_read = bytes_read;
1797 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1798 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1800 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1806 /* Provide select() functionality for a single file descriptor
1807 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1809 * Returns the same values as select.
1812 cap_pipe_select(int pipe_fd)
1815 struct timeval timeout;
1818 FD_SET(pipe_fd, &rfds);
1820 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1821 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1823 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1826 #define DEF_TCP_PORT 19000
1829 cap_open_socket(char *pipename, pcap_options *pcap_opts, char *errmsg, int errmsgl)
1831 char *sockname = pipename + 4;
1832 struct sockaddr_in sa;
1839 memset(&sa, 0, sizeof(sa));
1841 p = strchr(sockname, ':');
1843 len = strlen(sockname);
1844 port = DEF_TCP_PORT;
1848 port = strtoul(p + 1, &p, 10);
1849 if (*p || port > 65535) {
1858 strncpy(buf, sockname, len);
1860 if (!inet_pton(AF_INET, buf, &sa.sin_addr)) {
1864 sa.sin_family = AF_INET;
1865 sa.sin_port = htons((u_short)port);
1867 if (((fd = (int)socket(AF_INET, SOCK_STREAM, 0)) < 0) ||
1868 (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)) {
1870 LPTSTR errorText = NULL;
1873 lastError = WSAGetLastError();
1874 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
1875 FORMAT_MESSAGE_ALLOCATE_BUFFER |
1876 FORMAT_MESSAGE_IGNORE_INSERTS,
1877 NULL, lastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
1878 (LPTSTR)&errorText, 0, NULL);
1880 g_snprintf(errmsg, errmsgl,
1881 "The capture session could not be initiated due to the socket error: \n"
1883 " %d: %S", lastError, errorText ? (char *)errorText : "Unknown");
1885 LocalFree(errorText);
1887 " %d: %s", errno, strerror(errno));
1889 pcap_opts->cap_pipe_err = PIPERR;
1892 cap_pipe_close(fd, TRUE);
1896 pcap_opts->from_cap_socket = TRUE;
1900 g_snprintf(errmsg, errmsgl,
1901 "The capture session could not be initiated because\n"
1902 "\"%s\" is not a valid socket specification", pipename);
1903 pcap_opts->cap_pipe_err = PIPERR;
1907 /* Wrapper: distinguish between closesocket on Windows; use ws_close
1911 cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
1915 closesocket(pipe_fd);
1922 /* Mimic pcap_open_live() for pipe captures
1924 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1925 * open it, and read the header.
1927 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1928 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1930 cap_pipe_open_live(char *pipename,
1931 pcap_options *pcap_opts,
1932 struct pcap_hdr *hdr,
1933 char *errmsg, int errmsgl)
1936 ws_statb64 pipe_stat;
1937 struct sockaddr_un sa;
1947 pcap_opts->cap_pipe_fd = -1;
1949 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1951 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1954 * XXX - this blocks until a pcap per-file header has been written to
1955 * the pipe, so it could block indefinitely.
1957 if (strcmp(pipename, "-") == 0) {
1959 fd = 0; /* read from stdin */
1961 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1963 } else if (!strncmp(pipename, "TCP@", 4)) {
1964 if ((fd = cap_open_socket(pipename, pcap_opts, errmsg, errmsgl)) < 0) {
1969 if (ws_stat64(pipename, &pipe_stat) < 0) {
1970 if (errno == ENOENT || errno == ENOTDIR)
1971 pcap_opts->cap_pipe_err = PIPNEXIST;
1973 g_snprintf(errmsg, errmsgl,
1974 "The capture session could not be initiated "
1975 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1976 pcap_opts->cap_pipe_err = PIPERR;
1980 if (S_ISFIFO(pipe_stat.st_mode)) {
1981 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1983 g_snprintf(errmsg, errmsgl,
1984 "The capture session could not be initiated "
1985 "due to error on pipe open: %s", g_strerror(errno));
1986 pcap_opts->cap_pipe_err = PIPERR;
1989 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1990 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1992 g_snprintf(errmsg, errmsgl,
1993 "The capture session could not be initiated "
1994 "due to error on socket create: %s", g_strerror(errno));
1995 pcap_opts->cap_pipe_err = PIPERR;
1998 sa.sun_family = AF_UNIX;
2000 * The Single UNIX Specification says:
2002 * The size of sun_path has intentionally been left undefined.
2003 * This is because different implementations use different sizes.
2004 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
2005 * of 104. Since most implementations originate from BSD versions,
2006 * the size is typically in the range 92 to 108.
2008 * Applications should not assume a particular length for sun_path
2009 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
2013 * The <sys/un.h> header shall define the sockaddr_un structure,
2014 * which shall include at least the following members:
2016 * sa_family_t sun_family Address family.
2017 * char sun_path[] Socket pathname.
2019 * so we assume that it's an array, with a specified size,
2020 * and that the size reflects the maximum path length.
2022 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
2023 /* Path name too long */
2024 g_snprintf(errmsg, errmsgl,
2025 "The capture session coud not be initiated "
2026 "due to error on socket connect: Path name too long");
2027 pcap_opts->cap_pipe_err = PIPERR;
2031 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
2033 g_snprintf(errmsg, errmsgl,
2034 "The capture session coud not be initiated "
2035 "due to error on socket connect: %s", g_strerror(errno));
2036 pcap_opts->cap_pipe_err = PIPERR;
2041 if (S_ISCHR(pipe_stat.st_mode)) {
2043 * Assume the user specified an interface on a system where
2044 * interfaces are in /dev. Pretend we haven't seen it.
2046 pcap_opts->cap_pipe_err = PIPNEXIST;
2048 g_snprintf(errmsg, errmsgl,
2049 "The capture session could not be initiated because\n"
2050 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
2051 pcap_opts->cap_pipe_err = PIPERR;
2056 #define PIPE_STR "\\pipe\\"
2057 /* Under Windows, named pipes _must_ have the form
2058 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
2060 pncopy = g_strdup(pipename);
2061 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
2062 pos = strchr(pncopy + 3, '\\');
2063 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
2070 g_snprintf(errmsg, errmsgl,
2071 "The capture session could not be initiated because\n"
2072 "\"%s\" is neither an interface nor a pipe", pipename);
2073 pcap_opts->cap_pipe_err = PIPNEXIST;
2077 /* Wait for the pipe to appear */
2079 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
2080 OPEN_EXISTING, 0, NULL);
2082 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
2085 if (GetLastError() != ERROR_PIPE_BUSY) {
2086 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2087 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2088 g_snprintf(errmsg, errmsgl,
2089 "The capture session on \"%s\" could not be started "
2090 "due to error on pipe open: %s (error %d)",
2091 pipename, utf_16to8(err_str), GetLastError());
2093 pcap_opts->cap_pipe_err = PIPERR;
2097 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
2098 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2099 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2100 g_snprintf(errmsg, errmsgl,
2101 "The capture session on \"%s\" timed out during "
2102 "pipe open: %s (error %d)",
2103 pipename, utf_16to8(err_str), GetLastError());
2105 pcap_opts->cap_pipe_err = PIPERR;
2112 pcap_opts->from_cap_pipe = TRUE;
2114 if ((pcap_opts->from_cap_socket)
2119 /* read the pcap header */
2121 while (bytes_read < sizeof magic) {
2122 sel_ret = cap_pipe_select(fd);
2124 g_snprintf(errmsg, errmsgl,
2125 "Unexpected error from select: %s", g_strerror(errno));
2127 } else if (sel_ret > 0) {
2128 b = cap_pipe_read(fd, ((char *)&magic)+bytes_read,
2129 sizeof magic-bytes_read,
2130 pcap_opts->from_cap_socket);
2133 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2135 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2145 #if GLIB_CHECK_VERSION(2,31,0)
2146 g_thread_new("cap_pipe_open_live", &cap_thread_read, pcap_opts);
2148 g_thread_create(&cap_thread_read, pcap_opts, FALSE, NULL);
2151 pcap_opts->cap_pipe_buf = (char *) &magic;
2152 pcap_opts->cap_pipe_bytes_read = 0;
2153 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
2154 /* We don't have to worry about cap_pipe_read_mtx here */
2155 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2156 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2157 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2158 if (pcap_opts->cap_pipe_bytes_read == 0)
2159 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2161 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2170 case PCAP_NSEC_MAGIC:
2171 /* Host that wrote it has our byte order, and was running
2172 a program using either standard or ss990417 libpcap. */
2173 pcap_opts->cap_pipe_byte_swapped = FALSE;
2174 pcap_opts->cap_pipe_modified = FALSE;
2175 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
2177 case PCAP_MODIFIED_MAGIC:
2178 /* Host that wrote it has our byte order, but was running
2179 a program using either ss990915 or ss991029 libpcap. */
2180 pcap_opts->cap_pipe_byte_swapped = FALSE;
2181 pcap_opts->cap_pipe_modified = TRUE;
2183 case PCAP_SWAPPED_MAGIC:
2184 case PCAP_SWAPPED_NSEC_MAGIC:
2185 /* Host that wrote it has a byte order opposite to ours,
2186 and was running a program using either standard or
2187 ss990417 libpcap. */
2188 pcap_opts->cap_pipe_byte_swapped = TRUE;
2189 pcap_opts->cap_pipe_modified = FALSE;
2190 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
2192 case PCAP_SWAPPED_MODIFIED_MAGIC:
2193 /* Host that wrote it out has a byte order opposite to
2194 ours, and was running a program using either ss990915
2195 or ss991029 libpcap. */
2196 pcap_opts->cap_pipe_byte_swapped = TRUE;
2197 pcap_opts->cap_pipe_modified = TRUE;
2200 /* Not a "libpcap" type we know about. */
2201 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2205 if ((pcap_opts->from_cap_socket)
2210 /* Read the rest of the header */
2212 while (bytes_read < sizeof(struct pcap_hdr)) {
2213 sel_ret = cap_pipe_select(fd);
2215 g_snprintf(errmsg, errmsgl,
2216 "Unexpected error from select: %s", g_strerror(errno));
2218 } else if (sel_ret > 0) {
2219 b = cap_pipe_read(fd, ((char *)hdr)+bytes_read,
2220 sizeof(struct pcap_hdr) - bytes_read,
2221 pcap_opts->from_cap_socket);
2224 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2226 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2236 pcap_opts->cap_pipe_buf = (char *) hdr;
2237 pcap_opts->cap_pipe_bytes_read = 0;
2238 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2239 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2240 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2241 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2242 if (pcap_opts->cap_pipe_bytes_read == 0)
2243 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2245 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2252 if (pcap_opts->cap_pipe_byte_swapped) {
2253 /* Byte-swap the header fields about which we care. */
2254 hdr->version_major = BSWAP16(hdr->version_major);
2255 hdr->version_minor = BSWAP16(hdr->version_minor);
2256 hdr->snaplen = BSWAP32(hdr->snaplen);
2257 hdr->network = BSWAP32(hdr->network);
2259 pcap_opts->linktype = hdr->network;
2261 if (hdr->version_major < 2) {
2262 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2266 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2267 pcap_opts->cap_pipe_err = PIPOK;
2268 pcap_opts->cap_pipe_fd = fd;
2272 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2273 pcap_opts->cap_pipe_err = PIPERR;
2274 cap_pipe_close(fd, pcap_opts->from_cap_socket);
2275 pcap_opts->cap_pipe_fd = -1;
2279 /* We read one record from the pipe, take care of byte order in the record
2280 * header, write the record to the capture file, and update capture statistics. */
2282 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2284 struct pcap_pkthdr phdr;
2285 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2288 #if !GLIB_CHECK_VERSION(2,31,18)
2296 #ifdef LOG_CAPTURE_VERBOSE
2297 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2300 switch (pcap_opts->cap_pipe_state) {
2302 case STATE_EXPECT_REC_HDR:
2304 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2307 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2308 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2309 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2310 pcap_opts->cap_pipe_bytes_read = 0;
2313 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2314 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2315 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2320 case STATE_READ_REC_HDR:
2321 if ((pcap_opts->from_cap_socket)
2326 b = cap_pipe_read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2327 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
2330 result = PD_PIPE_EOF;
2332 result = PD_PIPE_ERR;
2335 pcap_opts->cap_pipe_bytes_read += b;
2339 #if GLIB_CHECK_VERSION(2,31,18)
2340 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2342 g_get_current_time(&wait_time);
2343 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2344 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2346 if (pcap_opts->cap_pipe_err == PIPEOF) {
2347 result = PD_PIPE_EOF;
2349 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2350 result = PD_PIPE_ERR;
2358 if (pcap_opts->cap_pipe_bytes_read < pcap_opts->cap_pipe_bytes_to_read)
2360 result = PD_REC_HDR_READ;
2363 case STATE_EXPECT_DATA:
2365 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2368 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2369 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2370 pcap_opts->cap_pipe_bytes_read = 0;
2373 pcap_opts->cap_pipe_buf = (char *) data;
2374 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2375 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2380 case STATE_READ_DATA:
2381 if ((pcap_opts->from_cap_socket)
2386 b = cap_pipe_read(pcap_opts->cap_pipe_fd,
2387 data+pcap_opts->cap_pipe_bytes_read,
2388 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read,
2389 pcap_opts->from_cap_socket);
2392 result = PD_PIPE_EOF;
2394 result = PD_PIPE_ERR;
2397 pcap_opts->cap_pipe_bytes_read += b;
2402 #if GLIB_CHECK_VERSION(2,31,18)
2403 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2405 g_get_current_time(&wait_time);
2406 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2407 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2409 if (pcap_opts->cap_pipe_err == PIPEOF) {
2410 result = PD_PIPE_EOF;
2412 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2413 result = PD_PIPE_ERR;
2421 if (pcap_opts->cap_pipe_bytes_read < pcap_opts->cap_pipe_bytes_to_read)
2423 result = PD_DATA_READ;
2427 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2430 } /* switch (pcap_opts->cap_pipe_state) */
2433 * We've now read as much data as we were expecting, so process it.
2437 case PD_REC_HDR_READ:
2438 /* We've read the header. Take care of byte order. */
2439 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2440 &pcap_opts->cap_pipe_rechdr.hdr);
2441 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2442 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2443 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2447 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2448 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2451 /* no data to read? fall through */
2454 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2455 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2456 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2457 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2458 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2461 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2463 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2465 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2469 pcap_opts->cap_pipe_err = PIPEOF;
2474 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2475 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2476 g_snprintf(errmsg, errmsgl,
2477 "Error reading from pipe: %s (error %d)",
2478 utf_16to8(err_str), GetLastError());
2481 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2489 pcap_opts->cap_pipe_err = PIPERR;
2490 /* Return here rather than inside the switch to prevent GCC warning */
2495 /** Open the capture input file (pcap or capture pipe).
2496 * Returns TRUE if it succeeds, FALSE otherwise. */
2498 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2499 char *errmsg, size_t errmsg_len,
2500 char *secondary_errmsg, size_t secondary_errmsg_len)
2502 gchar open_err_str[PCAP_ERRBUF_SIZE];
2503 gchar *sync_msg_str;
2504 interface_options interface_opts;
2505 pcap_options *pcap_opts;
2509 gchar *sync_secondary_msg_str;
2510 WORD wVersionRequested;
2514 /* XXX - opening Winsock on tshark? */
2516 /* Initialize Windows Socket if we are in a WIN32 OS
2517 This needs to be done before querying the interface for network/netmask */
2519 /* XXX - do we really require 1.1 or earlier?
2520 Are there any versions that support only 2.0 or higher? */
2521 wVersionRequested = MAKEWORD(1, 1);
2522 err = WSAStartup(wVersionRequested, &wsaData);
2526 case WSASYSNOTREADY:
2527 g_snprintf(errmsg, (gulong) errmsg_len,
2528 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2531 case WSAVERNOTSUPPORTED:
2532 g_snprintf(errmsg, (gulong) errmsg_len,
2533 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2534 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2537 case WSAEINPROGRESS:
2538 g_snprintf(errmsg, (gulong) errmsg_len,
2539 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2543 g_snprintf(errmsg, (gulong) errmsg_len,
2544 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2548 g_snprintf(errmsg, (gulong) errmsg_len,
2549 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2553 g_snprintf(errmsg, (gulong) errmsg_len,
2554 "Couldn't initialize Windows Sockets: error %d", err);
2557 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2561 if ((use_threads == FALSE) &&
2562 (capture_opts->ifaces->len > 1)) {
2563 g_snprintf(errmsg, (gulong) errmsg_len,
2564 "Using threads is required for capturing on multiple interfaces!");
2568 for (i = 0; i < capture_opts->ifaces->len; i++) {
2569 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2570 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2571 if (pcap_opts == NULL) {
2572 g_snprintf(errmsg, (gulong) errmsg_len,
2573 "Could not allocate memory.");
2576 pcap_opts->received = 0;
2577 pcap_opts->dropped = 0;
2578 pcap_opts->pcap_h = NULL;
2579 #ifdef MUST_DO_SELECT
2580 pcap_opts->pcap_fd = -1;
2582 pcap_opts->pcap_err = FALSE;
2583 pcap_opts->interface_id = i;
2584 pcap_opts->tid = NULL;
2585 pcap_opts->snaplen = 0;
2586 pcap_opts->linktype = -1;
2587 pcap_opts->ts_nsec = FALSE;
2588 pcap_opts->from_cap_pipe = FALSE;
2589 pcap_opts->from_cap_socket = FALSE;
2590 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2591 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2593 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2595 pcap_opts->cap_pipe_fd = -1;
2596 pcap_opts->cap_pipe_modified = FALSE;
2597 pcap_opts->cap_pipe_byte_swapped = FALSE;
2599 pcap_opts->cap_pipe_buf = NULL;
2601 pcap_opts->cap_pipe_bytes_to_read = 0;
2602 pcap_opts->cap_pipe_bytes_read = 0;
2603 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2604 pcap_opts->cap_pipe_err = PIPOK;
2606 #if GLIB_CHECK_VERSION(2,31,0)
2607 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2608 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2610 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2612 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2613 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2615 g_array_append_val(ld->pcaps, pcap_opts);
2617 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2618 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2620 if (pcap_opts->pcap_h != NULL) {
2621 /* we've opened "iface" as a network device */
2623 /* try to set the capture buffer size */
2624 if (interface_opts.buffer_size > 1 &&
2625 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2626 sync_secondary_msg_str = g_strdup_printf(
2627 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2628 "the default of 1MB will be used.\n"
2630 "Nonetheless, the capture is started.\n",
2631 interface_opts.buffer_size);
2632 report_capture_error("Couldn't set the capture buffer size!",
2633 sync_secondary_msg_str);
2634 g_free(sync_secondary_msg_str);
2638 #if defined(HAVE_PCAP_SETSAMPLING)
2639 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2640 struct pcap_samp *samp;
2642 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2643 switch (interface_opts.sampling_method) {
2644 case CAPTURE_SAMP_BY_COUNT:
2645 samp->method = PCAP_SAMP_1_EVERY_N;
2648 case CAPTURE_SAMP_BY_TIMER:
2649 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2653 sync_msg_str = g_strdup_printf(
2654 "Unknown sampling method %d specified,\n"
2655 "continue without packet sampling",
2656 interface_opts.sampling_method);
2657 report_capture_error("Couldn't set the capture "
2658 "sampling", sync_msg_str);
2659 g_free(sync_msg_str);
2661 samp->value = interface_opts.sampling_param;
2663 report_capture_error("Couldn't set the capture sampling",
2664 "Cannot get packet sampling data structure");
2669 /* setting the data link type only works on real interfaces */
2670 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2672 secondary_errmsg, secondary_errmsg_len)) {
2675 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2677 /* We couldn't open "iface" as a network device. */
2678 /* Try to open it as a pipe */
2679 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2682 if (pcap_opts->cap_pipe_fd == -1) {
2684 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2686 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2687 /* Pipe doesn't exist, so output message for interface */
2688 get_capture_device_open_failure_messages(open_err_str,
2689 interface_opts.name,
2693 secondary_errmsg_len);
2696 * Else pipe (or file) does exist and cap_pipe_open_live() has
2701 /* cap_pipe_open_live() succeeded; don't want
2702 error message from pcap_open_live() */
2703 open_err_str[0] = '\0';
2707 /* XXX - will this work for tshark? */
2708 #ifdef MUST_DO_SELECT
2709 if (!pcap_opts->from_cap_pipe) {
2710 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2711 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2713 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2718 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2719 returned a warning; print it, but keep capturing. */
2720 if (open_err_str[0] != '\0') {
2721 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2722 report_capture_error(sync_msg_str, "");
2723 g_free(sync_msg_str);
2725 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2726 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2729 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2730 /* to remove any suid privileges. */
2731 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2732 /* (euid/egid have already previously been set to ruid/rgid. */
2733 /* (See comment in main() for details) */
2735 relinquish_special_privs_perm();
2737 relinquish_all_capabilities();
2742 /* close the capture input file (pcap or capture pipe) */
2743 static void capture_loop_close_input(loop_data *ld)
2746 pcap_options *pcap_opts;
2748 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2750 for (i = 0; i < ld->pcaps->len; i++) {
2751 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2752 /* if open, close the capture pipe "input file" */
2753 if (pcap_opts->cap_pipe_fd >= 0) {
2754 g_assert(pcap_opts->from_cap_pipe);
2755 cap_pipe_close(pcap_opts->cap_pipe_fd, pcap_opts->from_cap_socket);
2756 pcap_opts->cap_pipe_fd = -1;
2759 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2760 CloseHandle(pcap_opts->cap_pipe_h);
2761 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2764 /* if open, close the pcap "input file" */
2765 if (pcap_opts->pcap_h != NULL) {
2766 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2767 pcap_close(pcap_opts->pcap_h);
2768 pcap_opts->pcap_h = NULL;
2775 /* Shut down windows sockets */
2781 /* init the capture filter */
2782 static initfilter_status_t
2783 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2784 const gchar * name, const gchar * cfilter)
2786 struct bpf_program fcode;
2788 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2790 /* capture filters only work on real interfaces */
2791 if (cfilter && !from_cap_pipe) {
2792 /* A capture filter was specified; set it up. */
2793 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2794 /* Treat this specially - our caller might try to compile this
2795 as a display filter and, if that succeeds, warn the user that
2796 the display and capture filter syntaxes are different. */
2797 return INITFILTER_BAD_FILTER;
2799 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2800 #ifdef HAVE_PCAP_FREECODE
2801 pcap_freecode(&fcode);
2803 return INITFILTER_OTHER_ERROR;
2805 #ifdef HAVE_PCAP_FREECODE
2806 pcap_freecode(&fcode);
2810 return INITFILTER_NO_ERROR;
2814 /* set up to write to the already-opened capture output file/files */
2816 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2820 pcap_options *pcap_opts;
2821 interface_options interface_opts;
2822 gboolean successful;
2824 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2826 if ((capture_opts->use_pcapng == FALSE) &&
2827 (capture_opts->ifaces->len > 1)) {
2828 g_snprintf(errmsg, errmsg_len,
2829 "Using PCAPNG is required for capturing on multiple interfaces! Use the -n option.");
2833 /* Set up to write to the capture file. */
2834 if (capture_opts->multi_files_on) {
2835 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2837 ld->pdh = ws_fdopen(ld->save_file_fd, "wb");
2838 if (ld->pdh == NULL) {
2843 if (capture_opts->use_pcapng) {
2845 GString *os_info_str;
2847 os_info_str = g_string_new("");
2848 get_os_version_info(os_info_str);
2850 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2851 successful = libpcap_write_session_header_block(libpcap_write_to_file, ld->pdh,
2854 os_info_str->str, /* OS*/
2856 -1, /* section_length */
2860 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2861 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2862 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2863 if (pcap_opts->from_cap_pipe) {
2864 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2866 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2868 successful = libpcap_write_interface_description_block(libpcap_write_to_file, global_ld.pdh,
2869 NULL, /* OPT_COMMENT 1 */
2870 interface_opts.name, /* IDB_NAME 2 */
2871 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2872 interface_opts.cfilter, /* IDB_FILTER 11 */
2873 os_info_str->str, /* IDB_OS 12 */
2874 pcap_opts->linktype,
2876 &(global_ld.bytes_written),
2877 0, /* IDB_IF_SPEED 8 */
2878 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2882 g_string_free(os_info_str, TRUE);
2885 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2886 if (pcap_opts->from_cap_pipe) {
2887 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2889 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2891 successful = libpcap_write_file_header(libpcap_write_to_file, ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2892 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2900 if (ld->pdh == NULL) {
2901 /* We couldn't set up to write to the capture file. */
2902 /* XXX - use cf_open_error_message from tshark instead? */
2907 g_snprintf(errmsg, errmsg_len,
2908 "The file to which the capture would be"
2909 " saved (\"%s\") could not be opened: Error %d.",
2910 capture_opts->save_file, err);
2912 g_snprintf(errmsg, errmsg_len,
2913 "The file to which the capture would be"
2914 " saved (\"%s\") could not be opened: %s.",
2915 capture_opts->save_file, g_strerror(err));
2927 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2931 pcap_options *pcap_opts;
2932 guint64 end_time = create_timestamp();
2934 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2936 if (capture_opts->multi_files_on) {
2937 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2939 if (capture_opts->use_pcapng) {
2940 for (i = 0; i < global_ld.pcaps->len; i++) {
2941 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2942 if (!pcap_opts->from_cap_pipe) {
2943 guint64 isb_ifrecv, isb_ifdrop;
2944 struct pcap_stat stats;
2946 if (pcap_stats(pcap_opts->pcap_h, &stats) >= 0) {
2947 isb_ifrecv = pcap_opts->received;
2948 isb_ifdrop = stats.ps_drop + pcap_opts->dropped;
2950 isb_ifrecv = G_MAXUINT64;
2951 isb_ifdrop = G_MAXUINT64;
2953 libpcap_write_interface_statistics_block(libpcap_write_to_file, ld->pdh,
2956 "Counters provided by dumpcap",
2965 if (fclose(ld->pdh) == EOF) {
2966 if (err_close != NULL) {
2976 /* dispatch incoming packets (pcap or capture pipe)
2978 * Waits for incoming packets to be available, and calls pcap_dispatch()
2979 * to cause them to be processed.
2981 * Returns the number of packets which were processed.
2983 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2984 * packet-batching behaviour does not cause packets to get held back
2988 capture_loop_dispatch(loop_data *ld,
2989 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2992 gint packet_count_before;
2993 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2998 packet_count_before = ld->packet_count;
2999 if (pcap_opts->from_cap_pipe) {
3000 /* dispatch from capture pipe */
3001 #ifdef LOG_CAPTURE_VERBOSE
3002 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
3005 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
3007 if (sel_ret < 0 && errno != EINTR) {
3008 g_snprintf(errmsg, errmsg_len,
3009 "Unexpected error from select: %s", g_strerror(errno));
3010 report_capture_error(errmsg, please_report);
3015 * "select()" says we can read from the pipe without blocking
3018 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
3028 /* dispatch from pcap */
3029 #ifdef MUST_DO_SELECT
3031 * If we have "pcap_get_selectable_fd()", we use it to get the
3032 * descriptor on which to select; if that's -1, it means there
3033 * is no descriptor on which you can do a "select()" (perhaps
3034 * because you're capturing on a special device, and that device's
3035 * driver unfortunately doesn't support "select()", in which case
3036 * we don't do the select - which means it might not be possible
3037 * to stop a capture until a packet arrives. If that's unacceptable,
3038 * plead with whoever supplies the software for that device to add
3039 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
3040 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
3041 * later, so it can use pcap_breakloop().
3043 #ifdef LOG_CAPTURE_VERBOSE
3044 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
3046 if (pcap_opts->pcap_fd != -1) {
3047 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
3050 * "select()" says we can read from it without blocking; go for
3053 * We don't have pcap_breakloop(), so we only process one packet
3054 * per pcap_dispatch() call, to allow a signal to stop the
3055 * processing immediately, rather than processing all packets
3056 * in a batch before quitting.
3059 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3061 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3065 /* Error, rather than pcap_breakloop(). */
3066 pcap_opts->pcap_err = TRUE;
3068 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3071 if (sel_ret < 0 && errno != EINTR) {
3072 g_snprintf(errmsg, errmsg_len,
3073 "Unexpected error from select: %s", g_strerror(errno));
3074 report_capture_error(errmsg, please_report);
3080 #endif /* MUST_DO_SELECT */
3082 /* dispatch from pcap without select */
3084 #ifdef LOG_CAPTURE_VERBOSE
3085 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
3089 * On Windows, we don't support asynchronously telling a process to
3090 * stop capturing; instead, we check for an indication on a pipe
3091 * after processing packets. We therefore process only one packet
3092 * at a time, so that we can check the pipe after every packet.
3095 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3097 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3101 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3103 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3108 /* Error, rather than pcap_breakloop(). */
3109 pcap_opts->pcap_err = TRUE;
3111 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3113 #else /* pcap_next_ex */
3114 #ifdef LOG_CAPTURE_VERBOSE
3115 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
3117 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
3120 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
3121 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
3122 * This should be fixed in the WinPcap 4.0 alpha release.
3124 * For reference, an example remote interface:
3125 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
3128 /* emulate dispatch from pcap */
3131 struct pcap_pkthdr *pkt_header;
3136 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
3138 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3140 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3145 pcap_opts->pcap_err = TRUE;
3149 #endif /* pcap_next_ex */
3153 #ifdef LOG_CAPTURE_VERBOSE
3154 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
3157 return ld->packet_count - packet_count_before;
3161 /* Isolate the Universally Unique Identifier from the interface. Basically, we
3162 * want to grab only the characters between the '{' and '}' delimiters.
3164 * Returns a GString that must be freed with g_string_free(). */
3166 isolate_uuid(const char *iface)
3171 ptr = strchr(iface, '{');
3173 return g_string_new(iface);
3174 gstr = g_string_new(ptr + 1);
3176 ptr = strchr(gstr->str, '}');
3180 gstr = g_string_truncate(gstr, ptr - gstr->str);
3185 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
3186 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
3188 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
3189 char *errmsg, int errmsg_len)
3192 gchar *capfile_name;
3194 gboolean is_tempfile;
3196 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
3197 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
3199 if (capture_opts->save_file != NULL) {
3200 /* We return to the caller while the capture is in progress.
3201 * Therefore we need to take a copy of save_file in
3202 * case the caller destroys it after we return.
3204 capfile_name = g_strdup(capture_opts->save_file);
3206 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
3207 if (capture_opts->multi_files_on) {
3208 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
3209 g_snprintf(errmsg, errmsg_len,
3210 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
3211 g_free(capfile_name);
3214 if (strcmp(capfile_name, "-") == 0) {
3215 /* write to stdout */
3218 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
3219 _setmode(1, O_BINARY);
3222 } /* if (...output_to_pipe ... */
3225 if (capture_opts->multi_files_on) {
3226 /* ringbuffer is enabled */
3227 *save_file_fd = ringbuf_init(capfile_name,
3228 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
3229 capture_opts->group_read_access);
3231 /* we need the ringbuf name */
3232 if (*save_file_fd != -1) {
3233 g_free(capfile_name);
3234 capfile_name = g_strdup(ringbuf_current_filename());
3237 /* Try to open/create the specified file for use as a capture buffer. */
3238 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
3239 (capture_opts->group_read_access) ? 0640 : 0600);
3242 is_tempfile = FALSE;
3244 /* Choose a random name for the temporary capture buffer */
3245 if (global_capture_opts.ifaces->len > 1) {
3246 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3249 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).console_display_name);
3251 /* use the generic portion of the interface guid to form the basis of the filename */
3252 if (strncmp("NPF_{", basename, 5)==0)
3254 /* we have a windows guid style device name, extract the guid digits as the basis of the filename */
3256 iface = isolate_uuid(basename);
3258 basename = g_strdup(iface->str);
3259 g_string_free(iface, TRUE);
3262 /* generate the temp file name prefix...
3263 * It would be nice if we could specify a pcapng/pcap filename suffix,
3264 * create_tempfile() however currently uses mkstemp() which doesn't allow this - one day perhaps*/
3265 if (capture_opts->use_pcapng) {
3266 prefix = g_strconcat("wireshark_pcapng_", basename, NULL);
3268 prefix = g_strconcat("wireshark_pcap_", basename, NULL);
3272 *save_file_fd = create_tempfile(&tmpname, prefix);
3274 capfile_name = g_strdup(tmpname);
3278 /* did we fail to open the output file? */
3279 if (*save_file_fd == -1) {
3281 g_snprintf(errmsg, errmsg_len,
3282 "The temporary file to which the capture would be saved (\"%s\") "
3283 "could not be opened: %s.", capfile_name, g_strerror(errno));
3285 if (capture_opts->multi_files_on) {
3286 ringbuf_error_cleanup();
3289 g_snprintf(errmsg, errmsg_len,
3290 "The file to which the capture would be saved (\"%s\") "
3291 "could not be opened: %s.", capfile_name,
3294 g_free(capfile_name);
3298 if (capture_opts->save_file != NULL) {
3299 g_free(capture_opts->save_file);
3301 capture_opts->save_file = capfile_name;
3302 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3303 "g_free(capfile_name)". */
3309 /* Do the work of handling either the file size or file duration capture
3310 conditions being reached, and switching files or stopping. */
3312 do_file_switch_or_stop(capture_options *capture_opts,
3313 condition *cnd_autostop_files,
3314 condition *cnd_autostop_size,
3315 condition *cnd_file_duration)
3318 pcap_options *pcap_opts;
3319 interface_options interface_opts;
3320 gboolean successful;
3322 if (capture_opts->multi_files_on) {
3323 if (cnd_autostop_files != NULL &&
3324 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3325 /* no files left: stop here */
3326 global_ld.go = FALSE;
3330 /* Switch to the next ringbuffer file */
3331 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3332 &global_ld.save_file_fd, &global_ld.err)) {
3334 /* File switch succeeded: reset the conditions */
3335 global_ld.bytes_written = 0;
3336 if (capture_opts->use_pcapng) {
3338 GString *os_info_str;
3340 os_info_str = g_string_new("");
3341 get_os_version_info(os_info_str);
3343 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3344 successful = libpcap_write_session_header_block(libpcap_write_to_file, global_ld.pdh,
3347 os_info_str->str, /* OS */
3349 -1, /* section_length */
3350 &(global_ld.bytes_written),
3353 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3354 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3355 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3356 successful = libpcap_write_interface_description_block(libpcap_write_to_file, global_ld.pdh,
3357 NULL, /* OPT_COMMENT 1 */
3358 interface_opts.name, /* IDB_NAME 2 */
3359 interface_opts.descr, /* IDB_DESCRIPTION 3 */
3360 interface_opts.cfilter, /* IDB_FILTER 11 */
3361 os_info_str->str, /* IDB_OS 12 */
3362 pcap_opts->linktype,
3364 &(global_ld.bytes_written),
3365 0, /* IDB_IF_SPEED 8 */
3366 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
3370 g_string_free(os_info_str, TRUE);
3373 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3374 successful = libpcap_write_file_header(libpcap_write_to_file, global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3375 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
3378 fclose(global_ld.pdh);
3379 global_ld.pdh = NULL;
3380 global_ld.go = FALSE;
3383 if (cnd_autostop_size)
3384 cnd_reset(cnd_autostop_size);
3385 if (cnd_file_duration)
3386 cnd_reset(cnd_file_duration);
3387 fflush(global_ld.pdh);
3389 report_packet_count(global_ld.inpkts_to_sync_pipe);
3390 global_ld.inpkts_to_sync_pipe = 0;
3391 report_new_capture_file(capture_opts->save_file);
3393 /* File switch failed: stop here */
3394 global_ld.go = FALSE;
3398 /* single file, stop now */
3399 global_ld.go = FALSE;
3406 pcap_read_handler(void* arg)
3408 pcap_options *pcap_opts;
3409 char errmsg[MSG_MAX_LENGTH+1];
3411 pcap_opts = (pcap_options *)arg;
3413 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3414 pcap_opts->interface_id);
3416 while (global_ld.go) {
3417 /* dispatch incoming packets */
3418 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3420 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3421 pcap_opts->interface_id);
3422 g_thread_exit(NULL);
3426 /* Do the low-level work of a capture.
3427 Returns TRUE if it succeeds, FALSE otherwise. */
3429 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3432 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3434 struct timeval upd_time, cur_time;
3438 condition *cnd_file_duration = NULL;
3439 condition *cnd_autostop_files = NULL;
3440 condition *cnd_autostop_size = NULL;
3441 condition *cnd_autostop_duration = NULL;
3444 gboolean cfilter_error = FALSE;
3445 char errmsg[MSG_MAX_LENGTH+1];
3446 char secondary_errmsg[MSG_MAX_LENGTH+1];
3447 pcap_options *pcap_opts;
3448 interface_options interface_opts;
3449 guint i, error_index = 0;
3452 *secondary_errmsg = '\0';
3454 /* init the loop data */
3455 global_ld.go = TRUE;
3456 global_ld.packet_count = 0;
3458 global_ld.report_packet_count = FALSE;
3460 if (capture_opts->has_autostop_packets)
3461 global_ld.packet_max = capture_opts->autostop_packets;
3463 global_ld.packet_max = 0; /* no limit */
3464 global_ld.inpkts_to_sync_pipe = 0;
3465 global_ld.err = 0; /* no error seen yet */
3466 global_ld.pdh = NULL;
3467 global_ld.autostop_files = 0;
3468 global_ld.save_file_fd = -1;
3470 /* We haven't yet gotten the capture statistics. */
3471 *stats_known = FALSE;
3473 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3474 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3476 /* open the "input file" from network interface or capture pipe */
3477 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3478 secondary_errmsg, sizeof(secondary_errmsg))) {
3481 for (i = 0; i < capture_opts->ifaces->len; i++) {
3482 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3483 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3484 /* init the input filter from the network interface (capture pipe will do nothing) */
3486 * When remote capturing WinPCap crashes when the capture filter
3487 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3490 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3491 interface_opts.name,
3492 interface_opts.cfilter?interface_opts.cfilter:"")) {
3494 case INITFILTER_NO_ERROR:
3497 case INITFILTER_BAD_FILTER:
3498 cfilter_error = TRUE;
3500 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3503 case INITFILTER_OTHER_ERROR:
3504 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3505 pcap_geterr(pcap_opts->pcap_h));
3506 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3511 /* If we're supposed to write to a capture file, open it for output
3512 (temporary/specified name/ringbuffer) */
3513 if (capture_opts->saving_to_file) {
3514 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3515 errmsg, sizeof(errmsg))) {
3519 /* set up to write to the already-opened capture output file/files */
3520 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3525 /* XXX - capture SIGTERM and close the capture, in case we're on a
3526 Linux 2.0[.x] system and you have to explicitly close the capture
3527 stream in order to turn promiscuous mode off? We need to do that
3528 in other places as well - and I don't think that works all the
3529 time in any case, due to libpcap bugs. */
3531 /* Well, we should be able to start capturing.
3533 Sync out the capture file, so the header makes it to the file system,
3534 and send a "capture started successfully and capture file created"
3535 message to our parent so that they'll open the capture file and
3536 update its windows to indicate that we have a live capture in
3538 fflush(global_ld.pdh);
3539 report_new_capture_file(capture_opts->save_file);
3542 /* initialize capture stop (and alike) conditions */
3543 init_capture_stop_conditions();
3544 /* create stop conditions */
3545 if (capture_opts->has_autostop_filesize)
3547 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3548 if (capture_opts->has_autostop_duration)
3549 cnd_autostop_duration =
3550 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3552 if (capture_opts->multi_files_on) {
3553 if (capture_opts->has_file_duration)
3555 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3557 if (capture_opts->has_autostop_files)
3558 cnd_autostop_files =
3559 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3562 /* init the time values */
3564 upd_time = GetTickCount();
3566 gettimeofday(&upd_time, NULL);
3568 start_time = create_timestamp();
3569 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3571 /* WOW, everything is prepared! */
3572 /* please fasten your seat belts, we will enter now the actual capture loop */
3574 pcap_queue = g_async_queue_new();
3575 pcap_queue_bytes = 0;
3576 pcap_queue_packets = 0;
3577 for (i = 0; i < global_ld.pcaps->len; i++) {
3578 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3579 #if GLIB_CHECK_VERSION(2,31,0)
3580 /* XXX - Add an interface name here? */
3581 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3583 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3587 while (global_ld.go) {
3588 /* dispatch incoming packets */
3590 pcap_queue_element *queue_element;
3591 #if GLIB_CHECK_VERSION(2,31,18)
3593 g_async_queue_lock(pcap_queue);
3594 queue_element = (pcap_queue_element *)g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3596 GTimeVal write_thread_time;
3598 g_get_current_time(&write_thread_time);
3599 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3600 g_async_queue_lock(pcap_queue);
3601 queue_element = (pcap_queue_element *)g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3603 if (queue_element) {
3604 pcap_queue_bytes -= queue_element->phdr.caplen;
3605 pcap_queue_packets -= 1;
3607 g_async_queue_unlock(pcap_queue);
3608 if (queue_element) {
3609 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3610 "Dequeued a packet of length %d captured on interface %d.",
3611 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3613 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3614 &queue_element->phdr,
3616 g_free(queue_element->pd);
3617 g_free(queue_element);
3623 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3624 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3625 sizeof(errmsg), pcap_opts);
3628 /* Were we asked to print packet counts by the SIGINFO handler? */
3629 if (global_ld.report_packet_count) {
3630 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3631 plurality(global_ld.packet_count, "", "s"));
3632 global_ld.report_packet_count = FALSE;
3637 /* any news from our parent (signal pipe)? -> just stop the capture */
3638 if (!signal_pipe_check_running()) {
3639 global_ld.go = FALSE;
3644 global_ld.inpkts_to_sync_pipe += inpkts;
3646 /* check capture size condition */
3647 if (cnd_autostop_size != NULL &&
3648 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3649 /* Capture size limit reached, do we have another file? */
3650 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3651 cnd_autostop_size, cnd_file_duration))
3653 } /* cnd_autostop_size */
3654 if (capture_opts->output_to_pipe) {
3655 fflush(global_ld.pdh);
3659 /* Only update once every 500ms so as not to overload slow displays.
3660 * This also prevents too much context-switching between the dumpcap
3661 * and wireshark processes.
3663 #define DUMPCAP_UPD_TIME 500
3666 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3667 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3669 gettimeofday(&cur_time, NULL);
3670 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3671 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3674 upd_time = cur_time;
3677 if (pcap_stats(pch, stats) >= 0) {
3678 *stats_known = TRUE;
3681 /* Let the parent process know. */
3682 if (global_ld.inpkts_to_sync_pipe) {
3684 fflush(global_ld.pdh);
3686 /* Send our parent a message saying we've written out
3687 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3689 report_packet_count(global_ld.inpkts_to_sync_pipe);
3691 global_ld.inpkts_to_sync_pipe = 0;
3694 /* check capture duration condition */
3695 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3696 /* The maximum capture time has elapsed; stop the capture. */
3697 global_ld.go = FALSE;
3701 /* check capture file duration condition */
3702 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3703 /* duration limit reached, do we have another file? */
3704 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3705 cnd_autostop_size, cnd_file_duration))
3707 } /* cnd_file_duration */
3711 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3713 pcap_queue_element *queue_element;
3715 for (i = 0; i < global_ld.pcaps->len; i++) {
3716 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3717 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3718 pcap_opts->interface_id);
3719 g_thread_join(pcap_opts->tid);
3720 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3721 pcap_opts->interface_id);
3724 g_async_queue_lock(pcap_queue);
3725 queue_element = (pcap_queue_element *)g_async_queue_try_pop_unlocked(pcap_queue);
3726 if (queue_element) {
3727 pcap_queue_bytes -= queue_element->phdr.caplen;
3728 pcap_queue_packets -= 1;
3730 g_async_queue_unlock(pcap_queue);
3731 if (queue_element == NULL) {
3734 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3735 "Dequeued a packet of length %d captured on interface %d.",
3736 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3737 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3738 &queue_element->phdr,
3740 g_free(queue_element->pd);
3741 g_free(queue_element);
3742 global_ld.inpkts_to_sync_pipe += 1;
3743 if (capture_opts->output_to_pipe) {
3744 fflush(global_ld.pdh);
3750 /* delete stop conditions */
3751 if (cnd_file_duration != NULL)
3752 cnd_delete(cnd_file_duration);
3753 if (cnd_autostop_files != NULL)
3754 cnd_delete(cnd_autostop_files);
3755 if (cnd_autostop_size != NULL)
3756 cnd_delete(cnd_autostop_size);
3757 if (cnd_autostop_duration != NULL)
3758 cnd_delete(cnd_autostop_duration);
3760 /* did we have a pcap (input) error? */
3761 for (i = 0; i < capture_opts->ifaces->len; i++) {
3762 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3763 if (pcap_opts->pcap_err) {
3764 /* On Linux, if an interface goes down while you're capturing on it,
3765 you'll get a "recvfrom: Network is down" or
3766 "The interface went down" error (ENETDOWN).
3767 (At least you will if g_strerror() doesn't show a local translation
3770 On FreeBSD and OS X, if a network adapter disappears while
3771 you're capturing on it, you'll get a "read: Device not configured"
3772 error (ENXIO). (See previous parenthetical note.)
3774 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3776 These should *not* be reported to the Wireshark developers. */
3779 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3780 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3781 strcmp(cap_err_str, "The interface went down") == 0 ||
3782 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3783 strcmp(cap_err_str, "read: I/O error") == 0 ||
3784 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3785 report_capture_error("The network adapter on which the capture was being done "
3786 "is no longer running; the capture has stopped.",
3789 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3791 report_capture_error(errmsg, please_report);
3794 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3795 report_capture_error(errmsg, "");
3799 /* did we have an output error while capturing? */
3800 if (global_ld.err == 0) {
3803 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3804 global_ld.err, FALSE);
3805 report_capture_error(errmsg, please_report);
3809 if (capture_opts->saving_to_file) {
3810 /* close the output file */
3811 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3815 /* there might be packets not yet notified to the parent */
3816 /* (do this after closing the file, so all packets are already flushed) */
3817 if (global_ld.inpkts_to_sync_pipe) {
3819 report_packet_count(global_ld.inpkts_to_sync_pipe);
3820 global_ld.inpkts_to_sync_pipe = 0;
3823 /* If we've displayed a message about a write error, there's no point
3824 in displaying another message about an error on close. */
3825 if (!close_ok && write_ok) {
3826 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3828 report_capture_error(errmsg, "");
3832 * XXX We exhibit different behaviour between normal mode and sync mode
3833 * when the pipe is stdin and not already at EOF. If we're a child, the
3834 * parent's stdin isn't closed, so if the user starts another capture,
3835 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3836 * will say "Unrecognized libpcap format". On the other hand, in normal
3837 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3840 report_capture_count(TRUE);
3842 /* get packet drop statistics from pcap */
3843 for (i = 0; i < capture_opts->ifaces->len; i++) {
3847 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3848 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3849 received = pcap_opts->received;
3850 dropped = pcap_opts->dropped;
3851 if (pcap_opts->pcap_h != NULL) {
3852 g_assert(!pcap_opts->from_cap_pipe);
3853 /* Get the capture statistics, so we know how many packets were dropped. */
3854 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3855 *stats_known = TRUE;
3856 /* Let the parent process know. */
3857 dropped += stats->ps_drop;
3859 g_snprintf(errmsg, sizeof(errmsg),
3860 "Can't get packet-drop statistics: %s",
3861 pcap_geterr(pcap_opts->pcap_h));
3862 report_capture_error(errmsg, please_report);
3865 report_packet_drops(received, dropped, interface_opts.console_display_name);
3868 /* close the input file (pcap or capture pipe) */
3869 capture_loop_close_input(&global_ld);
3871 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3873 /* ok, if the write and the close were successful. */
3874 return write_ok && close_ok;
3877 if (capture_opts->multi_files_on) {
3878 /* cleanup ringbuffer */
3879 ringbuf_error_cleanup();
3881 /* We can't use the save file, and we have no FILE * for the stream
3882 to close in order to close it, so close the FD directly. */
3883 if (global_ld.save_file_fd != -1) {
3884 ws_close(global_ld.save_file_fd);
3887 /* We couldn't even start the capture, so get rid of the capture
3889 if (capture_opts->save_file != NULL) {
3890 ws_unlink(capture_opts->save_file);
3891 g_free(capture_opts->save_file);
3894 capture_opts->save_file = NULL;
3896 report_cfilter_error(capture_opts, error_index, errmsg);
3898 report_capture_error(errmsg, secondary_errmsg);
3900 /* close the input file (pcap or cap_pipe) */
3901 capture_loop_close_input(&global_ld);
3903 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3910 capture_loop_stop(void)
3912 #ifdef HAVE_PCAP_BREAKLOOP
3914 pcap_options *pcap_opts;
3916 for (i = 0; i < global_ld.pcaps->len; i++) {
3917 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3918 if (pcap_opts->pcap_h != NULL)
3919 pcap_breakloop(pcap_opts->pcap_h);
3922 global_ld.go = FALSE;
3927 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3928 int err, gboolean is_close)
3933 g_snprintf(errmsg, errmsglen,
3934 "Not all the packets could be written to the file"
3935 " to which the capture was being saved\n"
3936 "(\"%s\") because there is no space left on the file system\n"
3937 "on which that file resides.",
3943 g_snprintf(errmsg, errmsglen,
3944 "Not all the packets could be written to the file"
3945 " to which the capture was being saved\n"
3946 "(\"%s\") because you are too close to, or over,"
3947 " your disk quota\n"
3948 "on the file system on which that file resides.",
3955 g_snprintf(errmsg, errmsglen,
3956 "The file to which the capture was being saved\n"
3957 "(\"%s\") could not be closed: %s.",
3958 fname, g_strerror(err));
3960 g_snprintf(errmsg, errmsglen,
3961 "An error occurred while writing to the file"
3962 " to which the capture was being saved\n"
3964 fname, g_strerror(err));
3971 /* one packet was captured, process it */
3973 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3976 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3978 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3980 /* We may be called multiple times from pcap_dispatch(); if we've set
3981 the "stop capturing" flag, ignore this packet, as we're not
3982 supposed to be saving any more packets. */
3983 if (!global_ld.go) {
3984 pcap_opts->dropped++;
3988 if (global_ld.pdh) {
3989 gboolean successful;
3991 /* We're supposed to write the packet to a file; do so.
3992 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3993 "ld->err" to the error. */
3994 if (global_capture_opts.use_pcapng) {
3995 successful = libpcap_write_enhanced_packet_block(libpcap_write_to_file, global_ld.pdh,
3997 phdr->ts.tv_sec, phdr->ts.tv_usec,
3998 phdr->caplen, phdr->len,
3999 pcap_opts->interface_id,
4002 &global_ld.bytes_written, &err);
4004 successful = libpcap_write_packet(libpcap_write_to_file, global_ld.pdh,
4005 phdr->ts.tv_sec, phdr->ts.tv_usec,
4006 phdr->caplen, phdr->len,
4008 &global_ld.bytes_written, &err);
4011 global_ld.go = FALSE;
4012 global_ld.err = err;
4013 pcap_opts->dropped++;
4015 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4016 "Wrote a packet of length %d captured on interface %u.",
4017 phdr->caplen, pcap_opts->interface_id);
4018 global_ld.packet_count++;
4019 pcap_opts->received++;
4020 /* if the user told us to stop after x packets, do we already have enough? */
4021 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
4022 global_ld.go = FALSE;
4028 /* one packet was captured, queue it */
4030 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
4033 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
4034 pcap_queue_element *queue_element;
4035 gboolean limit_reached;
4037 /* We may be called multiple times from pcap_dispatch(); if we've set
4038 the "stop capturing" flag, ignore this packet, as we're not
4039 supposed to be saving any more packets. */
4040 if (!global_ld.go) {
4041 pcap_opts->dropped++;
4045 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
4046 if (queue_element == NULL) {
4047 pcap_opts->dropped++;
4050 queue_element->pcap_opts = pcap_opts;
4051 queue_element->phdr = *phdr;
4052 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
4053 if (queue_element->pd == NULL) {
4054 pcap_opts->dropped++;
4055 g_free(queue_element);
4058 memcpy(queue_element->pd, pd, phdr->caplen);
4059 g_async_queue_lock(pcap_queue);
4060 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
4061 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
4062 limit_reached = FALSE;
4063 g_async_queue_push_unlocked(pcap_queue, queue_element);
4064 pcap_queue_bytes += phdr->caplen;
4065 pcap_queue_packets += 1;
4067 limit_reached = TRUE;
4069 g_async_queue_unlock(pcap_queue);
4070 if (limit_reached) {
4071 pcap_opts->dropped++;
4072 g_free(queue_element->pd);
4073 g_free(queue_element);
4074 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4075 "Dropped a packet of length %d captured on interface %u.",
4076 phdr->caplen, pcap_opts->interface_id);
4078 pcap_opts->received++;
4079 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4080 "Queued a packet of length %d captured on interface %u.",
4081 phdr->caplen, pcap_opts->interface_id);
4083 /* I don't want to hold the mutex over the debug output. So the
4084 output may be wrong */
4085 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4086 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
4087 pcap_queue_bytes, pcap_queue_packets);
4091 set_80211_channel(const char *iface, const char *opt)
4093 int freq = 0, type, ret;
4094 gchar **options = NULL;
4096 options = g_strsplit_set(opt, ",", 2);
4099 freq = atoi(options[0]);
4102 type = ws80211_str_to_chan_type(options[1]);
4111 ret = ws80211_init();
4113 cmdarg_err("%d: Failed to init ws80211: %s\n", abs(ret), g_strerror(abs(ret)));
4117 ret = ws80211_set_freq(iface, freq, type);
4120 cmdarg_err("%d: Failed to set channel: %s\n", abs(ret), g_strerror(abs(ret)));
4126 pipe_write_block(2, SP_SUCCESS, NULL);
4130 g_strfreev(options);
4134 /* And now our feature presentation... [ fade to music ] */
4136 main(int argc, char *argv[])
4138 GString *comp_info_str;
4139 GString *runtime_info_str;
4141 gboolean arg_error = FALSE;
4146 struct sigaction action, oldaction;
4149 gboolean start_capture = TRUE;
4150 gboolean stats_known;
4151 struct pcap_stat stats;
4152 GLogLevelFlags log_flags;
4153 gboolean list_interfaces = FALSE;
4154 gboolean list_link_layer_types = FALSE;
4155 #ifdef HAVE_BPF_IMAGE
4156 gboolean print_bpf_code = FALSE;
4158 gboolean set_chan = FALSE;
4159 gchar *set_chan_arg = NULL;
4160 gboolean machine_readable = FALSE;
4161 gboolean print_statistics = FALSE;
4162 int status, run_once_args = 0;
4165 #if defined(__APPLE__) && defined(__LP64__)
4166 struct utsname osinfo;
4170 /* Assemble the compile-time version information string */
4171 comp_info_str = g_string_new("Compiled ");
4172 get_compiled_version_info(comp_info_str, NULL, NULL);
4174 /* Assemble the run-time version information string */
4175 runtime_info_str = g_string_new("Running ");
4176 get_runtime_version_info(runtime_info_str, NULL);
4178 /* Add it to the information to be reported on a crash. */
4179 ws_add_crash_info("Dumpcap " VERSION "%s\n"
4184 wireshark_svnversion, comp_info_str->str, runtime_info_str->str);
4187 arg_list_utf_16to8(argc, argv);
4188 create_app_running_mutex();
4191 * Initialize our DLL search path. MUST be called before LoadLibrary
4194 ws_init_dll_search_path();
4197 #ifdef HAVE_PCAP_REMOTE
4198 #define OPTSTRING_A "A:"
4199 #define OPTSTRING_r "r"
4200 #define OPTSTRING_u "u"
4202 #define OPTSTRING_A ""
4203 #define OPTSTRING_r ""
4204 #define OPTSTRING_u ""
4207 #ifdef HAVE_PCAP_SETSAMPLING
4208 #define OPTSTRING_m "m:"
4210 #define OPTSTRING_m ""
4213 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4214 #define OPTSTRING_B "B:"
4216 #define OPTSTRING_B ""
4217 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4219 #ifdef HAVE_PCAP_CREATE
4220 #define OPTSTRING_I "I"
4222 #define OPTSTRING_I ""
4225 #ifdef HAVE_BPF_IMAGE
4226 #define OPTSTRING_d "d"
4228 #define OPTSTRING_d ""
4231 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "k:L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
4233 #ifdef DEBUG_CHILD_DUMPCAP
4234 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
4235 fprintf (stderr, "Unable to open debug log file !\n");
4240 #if defined(__APPLE__) && defined(__LP64__)
4242 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
4243 * a bug workaround - timeouts less than 1 second don't work with libpcap
4244 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
4245 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
4246 * The problem is extremely unlikely to be reintroduced in a future
4249 if (uname(&osinfo) == 0) {
4251 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
4252 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
4253 * number of 10.0.0, not 10.1.0 - go figure).
4255 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
4256 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
4257 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
4258 need_timeout_workaround = TRUE;
4263 * Determine if dumpcap is being requested to run in a special
4264 * capture_child mode by going thru the command line args to see if
4265 * a -Z is present. (-Z is a hidden option).
4267 * The primary result of running in capture_child mode is that
4268 * all messages sent out on stderr are in a special type/len/string
4269 * format to allow message processing by type. These messages include
4270 * error messages if dumpcap fails to start the operation it was
4271 * requested to do, as well as various "status" messages which are sent
4272 * when an actual capture is in progress, and a "success" message sent
4273 * if dumpcap was requested to perform an operation other than a
4276 * Capture_child mode would normally be requested by a parent process
4277 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
4278 * to which dumpcap stderr has been redirected. It might also have
4279 * another pipe to obtain dumpcap stdout output; for operations other
4280 * than a capture, that information is formatted specially for easier
4281 * parsing by the parent process.
4283 * Capture_child mode needs to be determined immediately upon
4284 * startup so that any messages generated by dumpcap in this mode
4285 * (eg: during initialization) will be formatted properly.
4288 for (i=1; i<argc; i++) {
4289 if (strcmp("-Z", argv[i]) == 0) {
4290 capture_child = TRUE;
4291 machine_readable = TRUE; /* request machine-readable output */
4293 /* set output pipe to binary mode, to avoid ugly text conversions */
4294 _setmode(2, O_BINARY);
4299 /* The default_log_handler will use stdout, which makes trouble in */
4300 /* capture child mode, as it uses stdout for its sync_pipe. */
4301 /* So: the filtering is done in the console_log_handler and not here.*/
4302 /* We set the log handlers right up front to make sure that any log */
4303 /* messages when running as child will be sent back to the parent */
4304 /* with the correct format. */
4309 G_LOG_LEVEL_CRITICAL|
4310 G_LOG_LEVEL_WARNING|
4311 G_LOG_LEVEL_MESSAGE|
4315 G_LOG_FLAG_RECURSION);
4317 g_log_set_handler(NULL,
4319 console_log_handler, NULL /* user_data */);
4320 g_log_set_handler(LOG_DOMAIN_MAIN,
4322 console_log_handler, NULL /* user_data */);
4323 g_log_set_handler(LOG_DOMAIN_CAPTURE,
4325 console_log_handler, NULL /* user_data */);
4326 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
4328 console_log_handler, NULL /* user_data */);
4330 /* Initialize the pcaps list */
4331 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
4333 #if !GLIB_CHECK_VERSION(2,31,0)
4334 /* Initialize the thread system */
4335 g_thread_init(NULL);
4339 /* Load wpcap if possible. Do this before collecting the run-time version information */
4342 /* ... and also load the packet.dll from wpcap */
4343 /* XXX - currently not required, may change later. */
4344 /*wpcap_packet_load();*/
4346 /* Start windows sockets */
4347 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
4349 /* Set handler for Ctrl+C key */
4350 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4352 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4353 and exit. Do the same with SIGPIPE, in case, for example,
4354 we're writing to our standard output and it's a pipe.
4355 Do the same with SIGHUP if it's not being ignored (if we're
4356 being run under nohup, it might be ignored, in which case we
4357 should leave it ignored).
4359 XXX - apparently, Coverity complained that part of action
4360 wasn't initialized. Perhaps it's running on Linux, where
4361 struct sigaction has an ignored "sa_restorer" element and
4362 where "sa_handler" and "sa_sigaction" might not be two
4363 members of a union. */
4364 memset(&action, 0, sizeof(action));
4365 action.sa_handler = capture_cleanup_handler;
4367 * Arrange that system calls not get restarted, because when
4368 * our signal handler returns we don't want to restart
4369 * a call that was waiting for packets to arrive.
4371 action.sa_flags = 0;
4372 sigemptyset(&action.sa_mask);
4373 sigaction(SIGTERM, &action, NULL);
4374 sigaction(SIGINT, &action, NULL);
4375 sigaction(SIGPIPE, &action, NULL);
4376 sigaction(SIGHUP, NULL, &oldaction);
4377 if (oldaction.sa_handler == SIG_DFL)
4378 sigaction(SIGHUP, &action, NULL);
4381 /* Catch SIGINFO and, if we get it and we're capturing in
4382 quiet mode, report the number of packets we've captured. */
4383 action.sa_handler = report_counts_siginfo;
4384 action.sa_flags = SA_RESTART;
4385 sigemptyset(&action.sa_mask);
4386 sigaction(SIGINFO, &action, NULL);
4387 #endif /* SIGINFO */
4390 /* ----------------------------------------------------------------- */
4391 /* Privilege and capability handling */
4393 /* 1. Running not as root or suid root; no special capabilities. */
4396 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4399 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4401 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4402 /* capabilities; Drop all other capabilities; */
4403 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4404 /* else: after pcap_open_live() in capture_loop_open_input() */
4405 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4406 /* (Note: this means that the process, although logged in */
4407 /* as root, does not have various permissions such as the */
4408 /* ability to bypass file access permissions). */
4409 /* XXX: Should we just leave capabilities alone in this case */
4410 /* so that user gets expected effect that root can do */
4413 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4415 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4416 /* else: after pcap_open_live() in capture_loop_open_input() */
4417 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4418 /* pcap_open_live). */
4420 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4422 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4423 /* capabilities; Drop all other capabilities; */
4424 /* Drop suid privileges (euid=ruid); */
4425 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4426 /* else: after pcap_open_live() in capture_loop_open_input() */
4427 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4429 /* XXX: For some Linux versions/distros with capabilities */
4430 /* a 'normal' process with any capabilities cannot be */
4431 /* 'killed' (signaled) from another (same uid) non-privileged */
4433 /* For example: If (non-suid) Wireshark forks a */
4434 /* child suid dumpcap which acts as described here (case 5), */
4435 /* Wireshark will be unable to kill (signal) the child */
4436 /* dumpcap process until the capabilities have been dropped */
4437 /* (after pcap_open_live()). */
4438 /* This behaviour will apparently be changed in the kernel */
4439 /* to allow the kill (signal) in this case. */
4440 /* See the following for details: */
4441 /* http://www.mail-archive.com/ [wrapped] */
4442 /* linux-security-module@vger.kernel.org/msg02913.html */
4444 /* It is therefore conceivable that if dumpcap somehow hangs */
4445 /* in pcap_open_live or before that wireshark will not */
4446 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4447 /* In this case, exiting wireshark will kill the child */
4448 /* dumpcap process. */
4450 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4451 /* capabilities; Using libcap. Note: capset cmd (which see) */
4452 /* used to assign capabilities to file. */
4454 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4455 /* else: after pcap_open_live() in capture_loop_open_input() */
4456 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4458 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4459 /* longer required (similar to capture). */
4461 /* ----------------------------------------------------------------- */
4463 init_process_policies();
4466 /* If 'started with special privileges' (and using libcap) */
4467 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4468 /* Set euid/egid = ruid/rgid to remove suid privileges */
4469 relinquish_privs_except_capture();
4472 /* Set the initial values in the capture options. This might be overwritten
4473 by the command line parameters. */
4474 capture_opts_init(&global_capture_opts, NULL);
4476 /* We always save to a file - if no file was specified, we save to a
4478 global_capture_opts.saving_to_file = TRUE;
4479 global_capture_opts.has_ring_num_files = TRUE;
4481 /* Now get our args */
4482 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4484 case 'h': /* Print help and exit */
4488 case 'v': /* Show version and exit */
4490 show_version(comp_info_str, runtime_info_str);
4491 g_string_free(comp_info_str, TRUE);
4492 g_string_free(runtime_info_str, TRUE);
4496 /*** capture option specific ***/
4497 case 'a': /* autostop criteria */
4498 case 'b': /* Ringbuffer option */
4499 case 'c': /* Capture x packets */
4500 case 'f': /* capture filter */
4501 case 'g': /* enable group read access on file(s) */
4502 case 'i': /* Use interface x */
4503 case 'n': /* Use pcapng format */
4504 case 'p': /* Don't capture in promiscuous mode */
4505 case 'P': /* Use pcap format */
4506 case 's': /* Set the snapshot (capture) length */
4507 case 'w': /* Write to capture file x */
4508 case 'y': /* Set the pcap data link type */
4509 #ifdef HAVE_PCAP_REMOTE
4510 case 'u': /* Use UDP for data transfer */
4511 case 'r': /* Capture own RPCAP traffic too */
4512 case 'A': /* Authentication */
4514 #ifdef HAVE_PCAP_SETSAMPLING
4515 case 'm': /* Sampling */
4517 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4518 case 'B': /* Buffer size */
4519 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4520 #ifdef HAVE_PCAP_CREATE
4521 case 'I': /* Monitor mode */
4523 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4528 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4530 capture_child = TRUE;
4532 /* set output pipe to binary mode, to avoid ugly text conversions */
4533 _setmode(2, O_BINARY);
4535 * optarg = the control ID, aka the PPID, currently used for the
4538 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4539 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4540 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4541 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4543 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4544 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4545 "Signal pipe: Unable to open %s. Dead parent?",
4553 case 'q': /* Quiet */
4559 /*** all non capture option specific ***/
4560 case 'D': /* Print a list of capture devices and exit */
4561 list_interfaces = TRUE;
4564 case 'L': /* Print list of link-layer types and exit */
4565 list_link_layer_types = TRUE;
4568 #ifdef HAVE_BPF_IMAGE
4569 case 'd': /* Print BPF code for capture filter and exit */
4570 print_bpf_code = TRUE;
4574 case 'S': /* Print interface statistics once a second */
4575 print_statistics = TRUE;
4578 case 'k': /* Set wireless channel */
4580 set_chan_arg = optarg;
4583 case 'M': /* For -D, -L, and -S, print machine-readable output */
4584 machine_readable = TRUE;
4587 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4589 case '?': /* Bad flag - print usage message */
4598 /* user specified file name as regular command-line argument */
4599 /* XXX - use it as the capture file name (or something else)? */
4605 * Extra command line arguments were specified; complain.
4606 * XXX - interpret as capture filter, as tcpdump and tshark do?
4608 cmdarg_err("Invalid argument: %s", argv[0]);
4618 if (run_once_args > 1) {
4619 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4621 } else if (run_once_args == 1) {
4622 /* We're supposed to print some information, rather than
4623 to capture traffic; did they specify a ring buffer option? */
4624 if (global_capture_opts.multi_files_on) {
4625 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4629 /* We're supposed to capture traffic; */
4630 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4631 if (global_capture_opts.ifaces->len > 1) {
4633 global_capture_opts.use_pcapng = TRUE;
4635 /* Was the ring buffer option specified and, if so, does it make sense? */
4636 if (global_capture_opts.multi_files_on) {
4637 /* Ring buffer works only under certain conditions:
4638 a) ring buffer does not work with temporary files;
4639 b) it makes no sense to enable the ring buffer if the maximum
4640 file size is set to "infinite". */
4641 if (global_capture_opts.save_file == NULL) {
4642 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4643 global_capture_opts.multi_files_on = FALSE;
4645 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4646 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4648 /* XXX - this must be redesigned as the conditions changed */
4649 global_capture_opts.multi_files_on = FALSE;
4656 * "-D" requires no interface to be selected; it's supposed to list
4659 if (list_interfaces) {
4660 /* Get the list of interfaces */
4665 if_list = capture_interface_list(&err, &err_str);
4666 if (if_list == NULL) {
4668 case CANT_GET_INTERFACE_LIST:
4669 case DONT_HAVE_PCAP:
4670 cmdarg_err("%s", err_str);
4675 case NO_INTERFACES_FOUND:
4677 * If we're being run by another program, just give them
4678 * an empty list of interfaces, don't report this as
4679 * an error; that lets them decide whether to report
4680 * this as an error or not.
4682 if (!machine_readable) {
4683 cmdarg_err("There are no interfaces on which a capture can be done");
4690 if (machine_readable) /* tab-separated values to stdout */
4691 print_machine_readable_interfaces(if_list);
4693 capture_opts_print_interfaces(if_list);
4694 free_interface_list(if_list);
4699 * "-S" requires no interface to be selected; it gives statistics
4700 * for all interfaces.
4702 if (print_statistics) {
4703 status = print_statistics_loop(machine_readable);
4708 interface_options interface_opts;
4710 if (global_capture_opts.ifaces->len != 1) {
4711 cmdarg_err("Need one interface");
4715 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, 0);
4716 status = set_80211_channel(interface_opts.name, set_chan_arg);
4721 * "-L", "-d", and capturing act on a particular interface, so we have to
4722 * have an interface; if none was specified, pick a default.
4724 status = capture_opts_trim_iface(&global_capture_opts, NULL);
4726 /* cmdarg_err() already called .... */
4730 /* Let the user know what interfaces were chosen. */
4731 if (capture_child) {
4732 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4733 interface_options interface_opts;
4735 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4736 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4737 interface_opts.name);
4740 str = g_string_new("");
4742 if (global_capture_opts.ifaces->len < 2)
4744 if (global_capture_opts.ifaces->len < 4)
4747 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4748 interface_options interface_opts;
4750 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4752 if (global_capture_opts.ifaces->len > 2) {
4753 g_string_append_printf(str, ",");
4755 g_string_append_printf(str, " ");
4756 if (j == global_capture_opts.ifaces->len - 1) {
4757 g_string_append_printf(str, "and ");
4760 g_string_append_printf(str, "'%s'", interface_opts.console_display_name);
4763 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4765 fprintf(stderr, "Capturing on %s\n", str->str);
4766 g_string_free(str, TRUE);
4769 if (list_link_layer_types) {
4770 /* Get the list of link-layer types for the capture device. */
4771 if_capabilities_t *caps;
4775 for (ii = 0; ii < global_capture_opts.ifaces->len; ii++) {
4776 interface_options interface_opts;
4778 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, ii);
4779 caps = get_if_capabilities(interface_opts.name,
4780 interface_opts.monitor_mode, &err_str);
4782 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4783 "Please check to make sure you have sufficient permissions, and that\n"
4784 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4788 if (caps->data_link_types == NULL) {
4789 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4792 if (machine_readable) /* tab-separated values to stdout */
4793 /* XXX: We need to change the format and adopt consumers */
4794 print_machine_readable_if_capabilities(caps);
4796 /* XXX: We might want to print also the interface name */
4797 capture_opts_print_if_capabilities(caps, interface_opts.name,
4798 interface_opts.monitor_mode);
4799 free_if_capabilities(caps);
4804 /* We're supposed to do a capture, or print the BPF code for a filter.
4805 Process the snapshot length, as that affects the generated BPF code. */
4806 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4808 #ifdef HAVE_BPF_IMAGE
4809 if (print_bpf_code) {
4810 show_filter_code(&global_capture_opts);
4815 /* We're supposed to do a capture. Process the ring buffer arguments. */
4816 capture_opts_trim_ring_num_files(&global_capture_opts);
4818 /* flush stderr prior to starting the main capture loop */
4821 /* Now start the capture. */
4823 if (capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4827 /* capture failed */
4830 return 0; /* never here, make compiler happy */
4835 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4836 const char *message, gpointer user_data _U_)
4843 /* ignore log message, if log_level isn't interesting */
4844 if ( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4845 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4850 /* create a "timestamp" */
4852 today = localtime(&curr);
4854 switch(log_level & G_LOG_LEVEL_MASK) {
4855 case G_LOG_LEVEL_ERROR:
4858 case G_LOG_LEVEL_CRITICAL:
4861 case G_LOG_LEVEL_WARNING:
4864 case G_LOG_LEVEL_MESSAGE:
4867 case G_LOG_LEVEL_INFO:
4870 case G_LOG_LEVEL_DEBUG:
4874 fprintf(stderr, "unknown log_level %u\n", log_level);
4876 g_assert_not_reached();
4879 /* Generate the output message */
4880 if (log_level & G_LOG_LEVEL_MESSAGE) {
4881 /* normal user messages without additional infos */
4882 msg = g_strdup_printf("%s\n", message);
4884 /* info/debug messages with additional infos */
4885 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4886 today->tm_hour, today->tm_min, today->tm_sec,
4887 log_domain != NULL ? log_domain : "",
4891 /* DEBUG & INFO msgs (if we're debugging today) */
4892 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4893 if ( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4894 #ifdef DEBUG_DUMPCAP
4895 fprintf(stderr, "%s", msg);
4898 #ifdef DEBUG_CHILD_DUMPCAP
4899 fprintf(debug_log, "%s", msg);
4907 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4908 /* to parent especially formatted if dumpcap running as child. */
4909 if (capture_child) {
4910 sync_pipe_errmsg_to_parent(2, msg, "");
4912 fprintf(stderr, "%s", msg);
4919 /****************************************************************************************************************/
4920 /* indication report routines */
4924 report_packet_count(unsigned int packet_count)
4926 char tmp[SP_DECISIZE+1+1];
4927 static unsigned int count = 0;
4929 if (capture_child) {
4930 g_snprintf(tmp, sizeof(tmp), "%u", packet_count);
4931 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4932 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4934 count += packet_count;
4935 fprintf(stderr, "\rPackets: %u ", count);
4936 /* stderr could be line buffered */
4942 report_new_capture_file(const char *filename)
4944 if (capture_child) {
4945 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4946 pipe_write_block(2, SP_FILE, filename);
4950 * Prevent a SIGINFO handler from writing to the standard error
4951 * while we're doing so; instead, have it just set a flag telling
4952 * us to print that information when we're done.
4955 #endif /* SIGINFO */
4956 fprintf(stderr, "File: %s\n", filename);
4957 /* stderr could be line buffered */
4962 * Allow SIGINFO handlers to write.
4967 * If a SIGINFO handler asked us to write out capture counts, do so.
4970 report_counts_for_siginfo();
4971 #endif /* SIGINFO */
4976 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4978 interface_options interface_opts;
4979 char tmp[MSG_MAX_LENGTH+1+6];
4981 if (i < capture_opts->ifaces->len) {
4982 if (capture_child) {
4983 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4984 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4985 pipe_write_block(2, SP_BAD_FILTER, tmp);
4988 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4989 * the error message below.
4991 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4993 "Invalid capture filter \"%s\" for interface %s!\n"
4995 "That string isn't a valid capture filter (%s).\n"
4996 "See the User's Guide for a description of the capture filter syntax.",
4997 interface_opts.cfilter, interface_opts.name, errmsg);
5003 report_capture_error(const char *error_msg, const char *secondary_error_msg)
5005 if (capture_child) {
5006 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5007 "Primary Error: %s", error_msg);
5008 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5009 "Secondary Error: %s", secondary_error_msg);
5010 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
5012 cmdarg_err("%s", error_msg);
5013 if (secondary_error_msg[0] != '\0')
5014 cmdarg_err_cont("%s", secondary_error_msg);
5019 report_packet_drops(guint32 received, guint32 drops, gchar *name)
5021 char tmp[SP_DECISIZE+1+1];
5023 g_snprintf(tmp, sizeof(tmp), "%u", drops);
5025 if (capture_child) {
5026 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5027 "Packets received/dropped on interface %s: %u/%u",
5028 name, received, drops);
5029 /* XXX: Need to provide interface id, changes to consumers required. */
5030 pipe_write_block(2, SP_DROPS, tmp);
5033 "Packets received/dropped on interface '%s': %u/%u (%.1f%%)\n",
5034 name, received, drops,
5035 received ? 100.0 * received / (received + drops) : 0.0);
5036 /* stderr could be line buffered */
5042 /************************************************************************************************/
5043 /* signal_pipe handling */
5048 signal_pipe_check_running(void)
5050 /* any news from our parent? -> just stop the capture */
5054 /* if we are running standalone, no check required */
5055 if (!capture_child) {
5059 if (!sig_pipe_name || !sig_pipe_handle) {
5060 /* This shouldn't happen */
5061 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
5062 "Signal pipe: No name or handle");
5067 * XXX - We should have the process ID of the parent (from the "-Z" flag)
5068 * at this point. Should we check to see if the parent is still alive,
5069 * e.g. by using OpenProcess?
5072 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
5074 if (!result || avail > 0) {
5075 /* peek failed or some bytes really available */
5076 /* (if not piping from stdin this would fail) */
5077 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
5078 "Signal pipe: Stop capture: %s", sig_pipe_name);
5079 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5080 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
5081 sig_pipe_handle, result, avail);
5084 /* pipe ok and no bytes available */
5091 * Editor modelines - http://www.wireshark.org/tools/modelines.html
5096 * indent-tabs-mode: nil
5099 * vi: set shiftwidth=4 tabstop=8 expandtab:
5100 * :indentSize=4:tabSize=8:noTabs=true: