4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #include "epan/address.h"
40 #include "epan/addr_resolv.h"
41 #include "epan/strutil.h"
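/*
 * Collect command-line arguments as a string consisting of the arguments,
 * separated by spaces.
 *
 * argc and argv are the argument count and vector; optindex is the index
 * of the first argument to include.  Returns a newly allocated,
 * NUL-terminated string that the caller releases with g_free().  When no
 * argument exists at or after optindex, an empty string is returned.
 */
char *
get_args_as_string(int argc, char **argv, int optindex)
{
    gsize len = 0;
    char *argstring;
    int i;

    /*
     * Nothing to join.  Without this check the computed length is 0, a
     * zero-byte g_malloc() yields NULL, and the terminator store below
     * would write through that NULL pointer.
     */
    if (argv == NULL || optindex < 0 || optindex >= argc)
        return g_strdup("");

    /*
     * Find out how long the string will be.  The running total is a gsize
     * rather than an int, so a very long argument list cannot turn it
     * negative before it reaches the allocator.
     */
    for (i = optindex; i < argc; i++) {
        len += strlen(argv[i]);
        len++;  /* space, or '\0' if this is the last argument */
    }

    /*
     * Allocate the buffer for the string.
     */
    argstring = (char *)g_malloc(len);

    /*
     * Now construct the string.  Every append is bounded by the size
     * computed above.
     */
    argstring[0] = '\0';
    for (i = optindex; i < argc; i++) {
        if (i != optindex)
            g_strlcat(argstring, " ", len);
        g_strlcat(argstring, argv[i], len);
    }
    return argstring;
}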
/*
 * Compute the difference between two seconds/microseconds time stamps.
 *
 * The delta (time 1 minus time 2) is stored through diffsec and diffusec.
 * When the seconds parts differ, both halves of the delta are given the
 * same sign by borrowing or carrying one second (1,000,000 microseconds).
 * When the seconds parts are equal the microseconds delta is stored as-is,
 * and may be negative.
 *
 * The inputs are unsigned 32-bit values and the subtractions are done on
 * them before the result is stored into a gint.
 */
void
compute_timestamp_diff(gint *diffsec, gint *diffusec,
                       guint32 sec1, guint32 usec1, guint32 sec2, guint32 usec2)
{
    /* Start from the plain field-by-field differences. */
    gint delta_sec = sec1 - sec2;
    gint delta_usec = usec1 - usec2;

    if (sec1 < sec2 && usec1 > usec2) {
        /* Time 1 is earlier, but the microseconds difference would come
           out positive: take 1,000,000 off it and add one second. */
        delta_usec = (usec1 - 1000000) - usec2;
        delta_sec++;
    } else if (sec1 > sec2 && usec1 < usec2) {
        /* Time 1 is later, but the microseconds difference would come
           out negative: add 1,000,000 to it and take one second off. */
        delta_usec = (usec1 + 1000000) - usec2;
        delta_sec--;
    }

    *diffsec = delta_sec;
    *diffusec = delta_usec;
}
/*
 * Remove any %<interface_name> from an IP address.
 *
 * Returns a newly allocated copy of hostname, cut at the first '%', which
 * the caller releases with g_free(); returns NULL if the copy is NULL.
 *
 * Only the zone suffix is removed.  The rest of the string is returned
 * unchanged and is not checked for being a well-formed address, and
 * get_conn_cfilter() formats the result straight into a capture filter.
 */
static char *sanitize_filter_ip(char *hostname) {
    gchar *copy = g_strdup(hostname);
    gchar *zone;

    if (copy == NULL)
        return NULL;

    /* Terminate the copy where the zone identifier starts, if there is one. */
    zone = strchr(copy, '%');
    if (zone != NULL)
        *zone = '\0';
    return copy;
}
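/* Try to figure out if we're remotely connected, e.g. via ssh or
   Terminal Server, and create a capture filter that matches aspects of the
   connection.  We match the following environment variables:

   SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>
   SSH_CLIENT (ssh): <remote IP> <remote port> <local port>
   REMOTEHOST (tcsh, others?): <remote name>
   DISPLAY (x11): [remote name]:<display num>
   SESSIONNAME (terminal server): <remote name>

   Returns "" when no remote connection is recognised.  Otherwise returns
   the filter text, which lives in a function-static GString: the caller
   must not free it, and the next call overwrites it.

   NOTE(review): every value used below comes from the process environment
   and is formatted into the filter expression as-is, apart from stripping
   a %<interface_name> suffix from addresses.  Nothing here checks that a
   token looks like an address, a host name or a port number, so the
   result should be treated as a suggestion to be compiled and validated
   by the capture code, not as a trusted expression. */
const gchar *get_conn_cfilter(void) {
    static GString *filter_str = NULL;
    gchar *env, **tokens;
    char *lastp, *lastc, *p;
    char *pprotocol = NULL;
    char *phostname = NULL;
    size_t hostlen;
    char *remip, *locip;

    if (filter_str == NULL) {
        filter_str = g_string_new("");
    }
    if ((env = getenv("SSH_CONNECTION")) != NULL) {
        tokens = g_strsplit(env, " ", 4);
        if (g_strv_length(tokens) == 4) {
            remip = sanitize_filter_ip(tokens[0]);
            locip = sanitize_filter_ip(tokens[2]);
            g_string_printf(filter_str, "not (tcp port %s and host %s "
                            "and tcp port %s and host %s)", tokens[1], remip,
                            tokens[3], locip);
            g_free(remip);
            g_free(locip);
        }
        g_strfreev(tokens);
    } else if ((env = getenv("SSH_CLIENT")) != NULL) {
        tokens = g_strsplit(env, " ", 3);
        if (g_strv_length(tokens) == 3) {
            /*
             * tokens[0] is the remote IP and tokens[2] the local port.
             * The zone suffix has to be stripped from the address, as in
             * the SSH_CONNECTION case above; stripping it from the port
             * token instead left an address such as fe80::1%eth0 in the
             * filter unchanged.
             */
            remip = sanitize_filter_ip(tokens[0]);
            g_string_printf(filter_str, "not (tcp port %s and host %s "
                            "and tcp port %s)", tokens[1], remip, tokens[2]);
            g_free(remip);
        }
        g_strfreev(tokens);
    } else if ((env = getenv("REMOTEHOST")) != NULL) {
        /* FreeBSD 7.0 sets REMOTEHOST to an empty string */
        if (g_ascii_strcasecmp(env, "localhost") == 0 ||
            strcmp(env, "127.0.0.1") == 0 ||
            strcmp(env, "") == 0) {
            return "";
        }
        remip = sanitize_filter_ip(env);
        g_string_printf(filter_str, "not host %s", remip);
        g_free(remip);
    } else if ((env = getenv("DISPLAY")) != NULL) {
        /*
         * This mirrors what _X11TransConnectDisplay() does.
         * Note that, on some systems, the hostname can
         * begin with "/", which means that it's a pathname
         * of a UNIX domain socket to connect to.
         *
         * The comments below follow those in _X11TransConnectDisplay().
         *
         * Display names may be of the following format:
         *
         *    [protocol/] [hostname] : [:] displaynumber [.screennumber]
         *
         * A string with exactly two colons separating hostname
         * from the display indicates a DECnet style name.  Colons
         * in the hostname may occur if an IPv6 numeric address
         * is used as the hostname.  An IPv6 numeric address may
         * also end in a double colon, so three colons in a row
         * indicates an IPv6 address ending in :: followed by
         * :display.  To make it easier for people to read, an
         * IPv6 numeric address hostname may be surrounded by []
         * in a similar fashion to the IPv6 numeric address URL
         * syntax defined by IETF RFC 2732.
         *
         * If no hostname and no protocol is specified, the string
         * is interpreted as the most efficient local connection
         * to a server on the same machine, for example a UNIX
         * domain socket or TCP to local host.
         */

        p = env;

        /*
         * Step 0, find the protocol.  This is delimited by
         * the optional slash ('/').
         */
        for (lastp = p; *p != '\0' && *p != ':' && *p != '/'; p++)
            ;
        if (*p == '\0')
            return "";  /* must have a colon */

        if (p != lastp && *p != ':') {  /* protocol given? */
            /* Yes */
            pprotocol = p;

            /* Is it TCP? */
            if (p - lastp != 3 || g_ascii_strncasecmp(lastp, "tcp", 3) != 0)
                return "";  /* not TCP */
            p++;            /* skip the '/' */
        } else
            p = env;        /* reset the pointer in
                               case no protocol was given */

        /*
         * Step 1, find the hostname.  This is delimited either by
         * one colon, or two colons in the case of DECnet (DECnet
         * Phase V allows a single colon in the hostname).  (See
         * note above regarding IPv6 numeric addresses with
         * triple colons or [] brackets.)
         */
        lastp = p;
        lastc = NULL;
        for (; *p != '\0'; p++)
            if (*p == ':')
                lastc = p;

        if (lastc == NULL)
            return "";  /* must have a colon */

        if ((lastp != lastc) && (*(lastc - 1) == ':')
            && (((lastc - 1) == lastp) || (*(lastc - 2) != ':'))) {
            /* DECnet display specified */
            return "";
        } else
            hostlen = lastc - lastp;

        if (hostlen == 0)
            return "";  /* no hostname supplied */

        /* Copy out the host part; it is freed on every path below. */
        phostname = (char *)g_malloc(hostlen + 1);
        memcpy(phostname, lastp, hostlen);
        phostname[hostlen] = '\0';

        if (pprotocol == NULL) {
            /*
             * No protocol was explicitly specified, so it
             * could be a local connection over a transport
             * other than TCP.
             *
             * Does the host name refer to the local host?
             * If so, the connection would probably be a
             * local connection.
             *
             * XXX - compare against our host name?
             * _X11TransConnectDisplay() does.
             */
            if (g_ascii_strcasecmp(phostname, "localhost") == 0 ||
                strcmp(phostname, "127.0.0.1") == 0) {
                g_free(phostname);
                return "";
            }

            /*
             * A host name of "unix" (case-sensitive) also
             * causes a local connection.
             */
            if (strcmp(phostname, "unix") == 0) {
                g_free(phostname);
                return "";
            }

            /*
             * Does the host name begin with "/"?  If so,
             * it's presumed to be the pathname of a
             * UNIX domain socket.
             */
            if (phostname[0] == '/') {
                g_free(phostname);
                return "";
            }
        }

        g_string_printf(filter_str, "not host %s", phostname);
        g_free(phostname);
#ifdef _WIN32
    } else if (GetSystemMetrics(SM_REMOTESESSION)) {
        /* We have a remote session: http://msdn.microsoft.com/en-us/library/aa380798%28VS.85%29.aspx */
        g_string_printf(filter_str, "not port 3389");
#endif /* _WIN32 */
    } else {
        return "";
    }
    return filter_str->str;
}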
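/*
 * Report whether we appear to be running over a remote connection, i.e.
 * whether get_conn_cfilter() produces a non-empty capture filter.
 *
 * The answer is worked out on the first call and reused afterwards, so a
 * change to the environment later in the process's life is not noticed.
 */
gboolean display_is_remote(void)
{
    static gboolean remote_display_checked;
    static gboolean is_remote;

    if (!remote_display_checked) {
        is_remote = (strlen(get_conn_cfilter()) > 0);
        /* Mark the check as done; without this assignment the guard is
           always false and the filter is rebuilt on every call. */
        remote_display_checked = TRUE;
    }
    return is_remote;
}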
355 * indent-tabs-mode: nil
358 * ex: set shiftwidth=4 tabstop=8 expandtab:
359 * :indentSize=4:tabSize=8:noTabs=true: