2 * Synchronisation between Wireshark capture parent and child instances
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
45 #include <wsutil/unicode-utils.h>
48 #ifdef HAVE_SYS_WAIT_H
49 # include <sys/wait.h>
52 #include "capture-pcap-util.h"
56 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
57 * macros) on UNIX systems that don't have them.
60 # define WIFEXITED(status) (((status) & 0177) == 0)
63 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
66 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
69 # define WEXITSTATUS(status) ((status) >> 8)
72 # define WTERMSIG(status) ((status) & 0177)
75 # define WCOREDUMP(status) ((status) & 0200)
78 # define WSTOPSIG(status) ((status) >> 8)
82 #include <epan/packet.h>
83 #include <epan/prefs.h>
87 #include <epan/filesystem.h>
88 #include <epan/report_err.h>
91 #include "capture_sync.h"
93 #include "sync_pipe.h"
96 #include "capture-wpcap.h"
99 #include "ui/ui_util.h"
101 #include <wsutil/file_util.h>
105 #include <process.h> /* For spawning child process */
111 static const char *sync_pipe_signame(int);
115 static gboolean sync_pipe_input_cb(gint source, gpointer user_data);
116 static int sync_pipe_wait_for_child(int fork_child, gchar **msgp);
117 static void pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len);
118 static ssize_t pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
123 /* Append an arg (realloc) to an argc/argv array */
124 /* (add a string pointer to a NULL-terminated array of string pointers) */
126 sync_pipe_add_arg(const char **args, int *argc, const char *arg)
128 /* Grow the array; "*argc" currently contains the number of string
129 pointers, *not* counting the NULL pointer at the end, so we have
130 to add 2 in order to get the new size of the array, including the
131 new pointer and the terminating NULL pointer. */
132 args = (const char **)g_realloc( (gpointer) args, (*argc + 2) * sizeof (char *));
134 /* Stuff the pointer into the penultimate element of the array, which
135 is the one at the index specified by "*argc". */
136 args[*argc] = g_strdup(arg);
137 /* Now bump the count. */
140 /* We overwrite the NULL pointer; put it back right after the
150 /* Quote the argument element if necessary, so that it will get
151 * reconstructed correctly in the C runtime startup code. Note that
152 * the unquoting algorithm in the C runtime is really weird, and
153 * rather different than what Unix shells do. See stdargv.c in the C
154 * runtime sources (in the Platform SDK, in src/crt).
156 * Stolen from GLib's protect_argv(), an internal routine that quotes
157 * string in an argument list so that they arguments will be handled
158 * correctly in the command-line string passed to CreateProcess()
159 * if that string is constructed by gluing those strings together.
162 protect_arg (const gchar *argv)
165 const gchar *p = argv;
168 gboolean need_dblquotes = FALSE;
171 if (*p == ' ' || *p == '\t')
172 need_dblquotes = TRUE;
175 else if (*p == '\\') {
178 while (*pp && *pp == '\\')
187 q = new_arg = g_malloc (len + need_dblquotes*2 + 1);
196 else if (*p == '\\') {
199 while (*pp && *pp == '\\')
216 * Generate a string for a Win32 error.
218 #define ERRBUF_SIZE 1024
220 win32strerror(DWORD error)
222 static char errbuf[ERRBUF_SIZE+1];
226 FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
227 NULL, error, 0, errbuf, ERRBUF_SIZE, NULL);
230 * "FormatMessage()" "helpfully" sticks CR/LF at the end of the
231 * message. Get rid of it.
233 errlen = strlen(errbuf);
235 errbuf[errlen - 1] = '\0';
236 errbuf[errlen - 2] = '\0';
238 p = strchr(errbuf, '\0');
239 g_snprintf(p, (gulong)(sizeof errbuf - (p-errbuf)), " (%lu)", error);
244 * Generate a string for a Win32 exception code.
247 win32strexception(DWORD exception)
249 static char errbuf[ERRBUF_SIZE+1];
250 static const struct exception_msg {
254 { EXCEPTION_ACCESS_VIOLATION, "Access violation" },
255 { EXCEPTION_ARRAY_BOUNDS_EXCEEDED, "Array bounds exceeded" },
256 { EXCEPTION_BREAKPOINT, "Breakpoint" },
257 { EXCEPTION_DATATYPE_MISALIGNMENT, "Data type misalignment" },
258 { EXCEPTION_FLT_DENORMAL_OPERAND, "Denormal floating-point operand" },
259 { EXCEPTION_FLT_DIVIDE_BY_ZERO, "Floating-point divide by zero" },
260 { EXCEPTION_FLT_INEXACT_RESULT, "Floating-point inexact result" },
261 { EXCEPTION_FLT_INVALID_OPERATION, "Invalid floating-point operation" },
262 { EXCEPTION_FLT_OVERFLOW, "Floating-point overflow" },
263 { EXCEPTION_FLT_STACK_CHECK, "Floating-point stack check" },
264 { EXCEPTION_FLT_UNDERFLOW, "Floating-point underflow" },
265 { EXCEPTION_GUARD_PAGE, "Guard page violation" },
266 { EXCEPTION_ILLEGAL_INSTRUCTION, "Illegal instruction" },
267 { EXCEPTION_IN_PAGE_ERROR, "Page-in error" },
268 { EXCEPTION_INT_DIVIDE_BY_ZERO, "Integer divide by zero" },
269 { EXCEPTION_INT_OVERFLOW, "Integer overflow" },
270 { EXCEPTION_INVALID_DISPOSITION, "Invalid disposition" },
271 { EXCEPTION_INVALID_HANDLE, "Invalid handle" },
272 { EXCEPTION_NONCONTINUABLE_EXCEPTION, "Non-continuable exception" },
273 { EXCEPTION_PRIV_INSTRUCTION, "Privileged instruction" },
274 { EXCEPTION_SINGLE_STEP, "Single-step complete" },
275 { EXCEPTION_STACK_OVERFLOW, "Stack overflow" },
278 #define N_EXCEPTIONS (sizeof exceptions / sizeof exceptions[0])
281 for (i = 0; i < N_EXCEPTIONS; i++) {
282 if (exceptions[i].code == exception)
283 return exceptions[i].msg;
285 g_snprintf(errbuf, (gulong)sizeof errbuf, "Exception 0x%08x", exception);
290 /* Initialize an argument list and add dumpcap to it. */
292 init_pipe_args(int *argc) {
294 const char *progfile_dir;
297 progfile_dir = get_progfile_dir();
298 if (progfile_dir == NULL) {
302 /* Allocate the string pointer array with enough space for the
303 terminating NULL pointer. */
305 argv = (const char **)g_malloc(sizeof (char *));
308 /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
309 exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
311 /* Make that the first argument in the argument list (argv[0]). */
312 argv = sync_pipe_add_arg(argv, argc, exename);
314 /* sync_pipe_add_arg strdupes exename, so we should free our copy */
320 #define ARGV_NUMBER_LEN 24
321 /* a new capture run: start a new dumpcap task and hand over parameters through command line */
323 sync_pipe_start(capture_options *capture_opts) {
324 char ssnap[ARGV_NUMBER_LEN];
325 char scount[ARGV_NUMBER_LEN];
326 char sfilesize[ARGV_NUMBER_LEN];
327 char sfile_duration[ARGV_NUMBER_LEN];
328 char sring_num_files[ARGV_NUMBER_LEN];
329 char sautostop_files[ARGV_NUMBER_LEN];
330 char sautostop_filesize[ARGV_NUMBER_LEN];
331 char sautostop_duration[ARGV_NUMBER_LEN];
332 #ifdef HAVE_PCAP_REMOTE
335 #ifdef HAVE_PCAP_SETSAMPLING
336 char ssampling[ARGV_NUMBER_LEN];
339 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
340 char buffer_size[ARGV_NUMBER_LEN];
344 HANDLE sync_pipe_read; /* pipe used to send messages from child to parent */
345 HANDLE sync_pipe_write; /* pipe used to send messages from child to parent */
346 HANDLE signal_pipe; /* named pipe used to send messages from parent to child (currently only stop) */
347 GString *args = g_string_sized_new(200);
349 SECURITY_ATTRIBUTES sa;
351 PROCESS_INFORMATION pi;
352 char control_id[ARGV_NUMBER_LEN];
353 gchar *signal_pipe_name;
356 int sync_pipe[2]; /* pipe used to send messages from child to parent */
357 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
359 int sync_pipe_read_fd;
364 interface_options interface_opts;
366 if (capture_opts->ifaces->len > 1)
367 capture_opts->use_pcapng = TRUE;
368 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_start");
369 capture_opts_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, capture_opts);
371 capture_opts->fork_child = -1;
373 argv = init_pipe_args(&argc);
375 /* We don't know where to find dumpcap. */
376 report_failure("We don't know where to find dumpcap.");
380 if (capture_opts->ifaces->len > 1)
381 argv = sync_pipe_add_arg(argv, &argc, "-t");
383 if (capture_opts->use_pcapng)
384 argv = sync_pipe_add_arg(argv, &argc, "-n");
386 argv = sync_pipe_add_arg(argv, &argc, "-P");
388 if (capture_opts->multi_files_on) {
389 if (capture_opts->has_autostop_filesize) {
390 argv = sync_pipe_add_arg(argv, &argc, "-b");
391 g_snprintf(sfilesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
392 argv = sync_pipe_add_arg(argv, &argc, sfilesize);
395 if (capture_opts->has_file_duration) {
396 argv = sync_pipe_add_arg(argv, &argc, "-b");
397 g_snprintf(sfile_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->file_duration);
398 argv = sync_pipe_add_arg(argv, &argc, sfile_duration);
401 if (capture_opts->has_ring_num_files) {
402 argv = sync_pipe_add_arg(argv, &argc, "-b");
403 g_snprintf(sring_num_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->ring_num_files);
404 argv = sync_pipe_add_arg(argv, &argc, sring_num_files);
407 if (capture_opts->has_autostop_files) {
408 argv = sync_pipe_add_arg(argv, &argc, "-a");
409 g_snprintf(sautostop_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->autostop_files);
410 argv = sync_pipe_add_arg(argv, &argc, sautostop_files);
413 if (capture_opts->has_autostop_filesize) {
414 argv = sync_pipe_add_arg(argv, &argc, "-a");
415 g_snprintf(sautostop_filesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
416 argv = sync_pipe_add_arg(argv, &argc, sautostop_filesize);
420 if (capture_opts->has_autostop_packets) {
421 argv = sync_pipe_add_arg(argv, &argc, "-c");
422 g_snprintf(scount, ARGV_NUMBER_LEN, "%d",capture_opts->autostop_packets);
423 argv = sync_pipe_add_arg(argv, &argc, scount);
426 if (capture_opts->has_autostop_duration) {
427 argv = sync_pipe_add_arg(argv, &argc, "-a");
428 g_snprintf(sautostop_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->autostop_duration);
429 argv = sync_pipe_add_arg(argv, &argc, sautostop_duration);
432 if (capture_opts->group_read_access) {
433 argv = sync_pipe_add_arg(argv, &argc, "-g");
436 for (j = 0; j < capture_opts->ifaces->len; j++) {
437 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
439 argv = sync_pipe_add_arg(argv, &argc, "-i");
440 argv = sync_pipe_add_arg(argv, &argc, interface_opts.name);
442 if (interface_opts.cfilter != NULL && strlen(interface_opts.cfilter) != 0) {
443 argv = sync_pipe_add_arg(argv, &argc, "-f");
444 argv = sync_pipe_add_arg(argv, &argc, interface_opts.cfilter);
446 if (interface_opts.snaplen != WTAP_MAX_PACKET_SIZE) {
447 argv = sync_pipe_add_arg(argv, &argc, "-s");
448 g_snprintf(ssnap, ARGV_NUMBER_LEN, "%d", interface_opts.snaplen);
449 argv = sync_pipe_add_arg(argv, &argc, ssnap);
452 if (interface_opts.linktype != -1) {
453 argv = sync_pipe_add_arg(argv, &argc, "-y");
454 argv = sync_pipe_add_arg(argv, &argc, linktype_val_to_name(interface_opts.linktype));
457 if (!interface_opts.promisc_mode) {
458 argv = sync_pipe_add_arg(argv, &argc, "-p");
461 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
462 if (interface_opts.buffer_size != DEFAULT_CAPTURE_BUFFER_SIZE) {
463 argv = sync_pipe_add_arg(argv, &argc, "-B");
464 g_snprintf(buffer_size, ARGV_NUMBER_LEN, "%d", interface_opts.buffer_size);
465 argv = sync_pipe_add_arg(argv, &argc, buffer_size);
469 #ifdef HAVE_PCAP_CREATE
470 if (interface_opts.monitor_mode) {
471 argv = sync_pipe_add_arg(argv, &argc, "-I");
475 #ifdef HAVE_PCAP_REMOTE
476 if (interface_opts.datatx_udp)
477 argv = sync_pipe_add_arg(argv, &argc, "-u");
479 if (!interface_opts.nocap_rpcap)
480 argv = sync_pipe_add_arg(argv, &argc, "-r");
482 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
483 argv = sync_pipe_add_arg(argv, &argc, "-A");
484 g_snprintf(sauth, sizeof(sauth), "%s:%s",
485 interface_opts.auth_username,
486 interface_opts.auth_password);
487 argv = sync_pipe_add_arg(argv, &argc, sauth);
491 #ifdef HAVE_PCAP_SETSAMPLING
492 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
493 argv = sync_pipe_add_arg(argv, &argc, "-m");
494 g_snprintf(ssampling, ARGV_NUMBER_LEN, "%s:%d",
495 interface_opts.sampling_method == CAPTURE_SAMP_BY_COUNT ? "count" :
496 interface_opts.sampling_method == CAPTURE_SAMP_BY_TIMER ? "timer" :
498 interface_opts.sampling_param);
499 argv = sync_pipe_add_arg(argv, &argc, ssampling);
504 /* dumpcap should be running in capture child mode (hidden feature) */
506 argv = sync_pipe_add_arg(argv, &argc, "-Z");
508 g_snprintf(control_id, ARGV_NUMBER_LEN, "%d", GetCurrentProcessId());
509 argv = sync_pipe_add_arg(argv, &argc, control_id);
511 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
515 if (capture_opts->save_file) {
516 argv = sync_pipe_add_arg(argv, &argc, "-w");
517 argv = sync_pipe_add_arg(argv, &argc, capture_opts->save_file);
519 for (i = 0; i < argc; i++) {
520 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "argv[%d]: %s", i, argv[i]);
524 /* init SECURITY_ATTRIBUTES */
525 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
526 sa.bInheritHandle = TRUE;
527 sa.lpSecurityDescriptor = NULL;
529 /* Create a pipe for the child process */
530 /* (increase this value if you have trouble while fast capture file switches) */
531 if (! CreatePipe(&sync_pipe_read, &sync_pipe_write, &sa, 5120)) {
532 /* Couldn't create the pipe between parent and child. */
533 report_failure("Couldn't create sync pipe: %s",
534 win32strerror(GetLastError()));
535 for (i = 0; i < argc; i++) {
536 g_free( (gpointer) argv[i]);
538 g_free( (gpointer) argv);
542 /* Create the signal pipe */
543 signal_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, control_id);
544 signal_pipe = CreateNamedPipe(utf_8to16(signal_pipe_name),
545 PIPE_ACCESS_OUTBOUND, PIPE_TYPE_BYTE, 1, 65535, 65535, 0, NULL);
546 g_free(signal_pipe_name);
548 if (signal_pipe == INVALID_HANDLE_VALUE) {
549 /* Couldn't create the signal pipe between parent and child. */
550 report_failure("Couldn't create signal pipe: %s",
551 win32strerror(GetLastError()));
552 for (i = 0; i < argc; i++) {
553 g_free( (gpointer) argv[i]);
555 g_free( (gpointer) argv);
559 /* init STARTUPINFO */
560 memset(&si, 0, sizeof(si));
563 si.dwFlags = STARTF_USESHOWWINDOW;
564 si.wShowWindow = SW_SHOW;
566 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
567 si.wShowWindow = SW_HIDE; /* this hides the console window */
568 si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
569 si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
570 si.hStdError = sync_pipe_write;
571 /*si.hStdError = (HANDLE) _get_osfhandle(2);*/
574 /* convert args array into a single string */
575 /* XXX - could change sync_pipe_add_arg() instead */
576 /* there is a drawback here: the length is internally limited to 1024 bytes */
577 for(i=0; argv[i] != 0; i++) {
578 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
579 quoted_arg = protect_arg(argv[i]);
580 g_string_append(args, quoted_arg);
585 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
586 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
587 report_failure("Couldn't run %s in child process: %s",
588 args->str, win32strerror(GetLastError()));
589 CloseHandle(sync_pipe_read);
590 CloseHandle(sync_pipe_write);
591 for (i = 0; i < argc; i++) {
592 g_free( (gpointer) argv[i]);
594 g_free( (gpointer) argv);
597 capture_opts->fork_child = (int) pi.hProcess;
598 g_string_free(args, TRUE);
600 /* associate the operating system filehandle to a C run-time file handle */
601 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
602 sync_pipe_read_fd = _open_osfhandle( (long) sync_pipe_read, _O_BINARY);
604 /* associate the operating system filehandle to a C run-time file handle */
605 capture_opts->signal_pipe_write_fd = _open_osfhandle( (long) signal_pipe, _O_BINARY);
608 if (pipe(sync_pipe) < 0) {
609 /* Couldn't create the pipe between parent and child. */
610 report_failure("Couldn't create sync pipe: %s", g_strerror(errno));
611 for (i = 0; i < argc; i++) {
612 g_free( (gpointer) argv[i]);
618 if ((capture_opts->fork_child = fork()) == 0) {
620 * Child process - run dumpcap with the right arguments to make
621 * it just capture with the specified capture parameters
623 dup2(sync_pipe[PIPE_WRITE], 2);
624 ws_close(sync_pipe[PIPE_READ]);
625 execv(argv[0], (char * const*)argv);
626 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
627 argv[0], g_strerror(errno));
628 sync_pipe_errmsg_to_parent(2, errmsg, "");
630 /* Exit with "_exit()", so that we don't close the connection
631 to the X server (and cause stuff buffered up by our parent but
632 not yet sent to be sent, as that stuff should only be sent by
633 our parent). We've sent an error message to the parent, so
634 we exit with an exit status of 1 (any exit status other than
635 0 or 1 will cause an additional message to report that exit
636 status, over and above the error message we sent to the parent). */
640 sync_pipe_read_fd = sync_pipe[PIPE_READ];
643 for (i = 0; i < argc; i++) {
644 g_free( (gpointer) argv[i]);
647 /* Parent process - read messages from the child process over the
649 g_free( (gpointer) argv); /* free up arg array */
651 /* Close the write side of the pipe, so that only the child has it
652 open, and thus it completely closes, and thus returns to us
653 an EOF indication, if the child closes it (either deliberately
654 or by exiting abnormally). */
656 CloseHandle(sync_pipe_write);
658 ws_close(sync_pipe[PIPE_WRITE]);
661 if (capture_opts->fork_child == -1) {
662 /* We couldn't even create the child process. */
663 report_failure("Couldn't create child process: %s", g_strerror(errno));
664 ws_close(sync_pipe_read_fd);
666 ws_close(capture_opts->signal_pipe_write_fd);
671 capture_opts->fork_child_status = 0;
673 /* we might wait for a moment till child is ready, so update screen now */
674 main_window_update();
676 /* We were able to set up to read the capture file;
677 arrange that our callback be called whenever it's possible
678 to read from the sync pipe, so that it's called when
679 the child process wants to tell us something. */
681 /* we have a running capture, now wait for the real capture filename */
682 pipe_input_set_handler(sync_pipe_read_fd, (gpointer) capture_opts,
683 &capture_opts->fork_child, sync_pipe_input_cb);
689 * Open two pipes to dumpcap with the supplied arguments, one for its
690 * standard output and one for its standard error.
692 * On success, *msg is unchanged and 0 is returned; data_read_fd,
693 * messsage_read_fd, and fork_child point to the standard output pipe's
694 * file descriptor, the standard error pipe's file descriptor, and
695 * the child's PID/handle, respectively.
697 * On failure, *msg points to an error message for the failure, and -1 is
698 * returned, in which case *msg must be freed with g_free().
700 /* XXX - This duplicates a lot of code in sync_pipe_start() */
701 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
702 #define PIPE_BUF_SIZE 5120
704 sync_pipe_open_command(const char** argv, int *data_read_fd,
705 int *message_read_fd, int *fork_child, gchar **msg)
707 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
709 HANDLE sync_pipe[2]; /* pipe used to send messages from child to parent */
710 HANDLE data_pipe[2]; /* pipe used to send data from child to parent */
711 GString *args = g_string_sized_new(200);
713 SECURITY_ATTRIBUTES sa;
715 PROCESS_INFORMATION pi;
718 int sync_pipe[2]; /* pipe used to send messages from child to parent */
719 int data_pipe[2]; /* pipe used to send data from child to parent */
724 *message_read_fd = -1;
725 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_open_command");
728 /* We can't return anything */
730 g_string_free(args, TRUE);
736 /* init SECURITY_ATTRIBUTES */
737 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
738 sa.bInheritHandle = TRUE;
739 sa.lpSecurityDescriptor = NULL;
741 /* Create a pipe for the child process to send us messages */
742 /* (increase this value if you have trouble while fast capture file switches) */
743 if (! CreatePipe(&sync_pipe[PIPE_READ], &sync_pipe[PIPE_WRITE], &sa, 5120)) {
744 /* Couldn't create the message pipe between parent and child. */
745 *msg = g_strdup_printf("Couldn't create sync pipe: %s",
746 win32strerror(GetLastError()));
747 for (i = 0; argv[i] != NULL; i++) {
748 g_free( (gpointer) argv[i]);
750 g_free( (gpointer) argv);
754 /* Create a pipe for the child process to send us data */
755 /* (increase this value if you have trouble while fast capture file switches) */
756 if (! CreatePipe(&data_pipe[PIPE_READ], &data_pipe[PIPE_WRITE], &sa, 5120)) {
757 /* Couldn't create the message pipe between parent and child. */
758 *msg = g_strdup_printf("Couldn't create data pipe: %s",
759 win32strerror(GetLastError()));
760 CloseHandle(sync_pipe[PIPE_READ]);
761 CloseHandle(sync_pipe[PIPE_WRITE]);
762 for (i = 0; argv[i] != NULL; i++) {
763 g_free( (gpointer) argv[i]);
765 g_free( (gpointer) argv);
769 /* init STARTUPINFO */
770 memset(&si, 0, sizeof(si));
773 si.dwFlags = STARTF_USESHOWWINDOW;
774 si.wShowWindow = SW_SHOW;
776 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
777 si.wShowWindow = SW_HIDE; /* this hides the console window */
779 si.hStdOutput = data_pipe[PIPE_WRITE];
780 si.hStdError = sync_pipe[PIPE_WRITE];
783 /* convert args array into a single string */
784 /* XXX - could change sync_pipe_add_arg() instead */
785 /* there is a drawback here: the length is internally limited to 1024 bytes */
786 for(i=0; argv[i] != 0; i++) {
787 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
788 quoted_arg = protect_arg(argv[i]);
789 g_string_append(args, quoted_arg);
794 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
795 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
796 *msg = g_strdup_printf("Couldn't run %s in child process: %s",
797 args->str, win32strerror(GetLastError()));
798 CloseHandle(data_pipe[PIPE_READ]);
799 CloseHandle(data_pipe[PIPE_WRITE]);
800 CloseHandle(sync_pipe[PIPE_READ]);
801 CloseHandle(sync_pipe[PIPE_WRITE]);
802 for (i = 0; argv[i] != NULL; i++) {
803 g_free( (gpointer) argv[i]);
805 g_free( (gpointer) argv);
808 *fork_child = (int) pi.hProcess;
809 g_string_free(args, TRUE);
811 /* associate the operating system filehandles to C run-time file handles */
812 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
813 *data_read_fd = _open_osfhandle( (long) data_pipe[PIPE_READ], _O_BINARY);
814 *message_read_fd = _open_osfhandle( (long) sync_pipe[PIPE_READ], _O_BINARY);
816 /* Create a pipe for the child process to send us messages */
817 if (pipe(sync_pipe) < 0) {
818 /* Couldn't create the message pipe between parent and child. */
819 *msg = g_strdup_printf("Couldn't create sync pipe: %s", g_strerror(errno));
820 for (i = 0; argv[i] != NULL; i++) {
821 g_free( (gpointer) argv[i]);
827 /* Create a pipe for the child process to send us data */
828 if (pipe(data_pipe) < 0) {
829 /* Couldn't create the data pipe between parent and child. */
830 *msg = g_strdup_printf("Couldn't create data pipe: %s", g_strerror(errno));
831 ws_close(sync_pipe[PIPE_READ]);
832 ws_close(sync_pipe[PIPE_WRITE]);
833 for (i = 0; argv[i] != NULL; i++) {
834 g_free( (gpointer) argv[i]);
840 if ((*fork_child = fork()) == 0) {
842 * Child process - run dumpcap with the right arguments to make
843 * it just capture with the specified capture parameters
845 dup2(data_pipe[PIPE_WRITE], 1);
846 ws_close(data_pipe[PIPE_READ]);
847 ws_close(data_pipe[PIPE_WRITE]);
848 dup2(sync_pipe[PIPE_WRITE], 2);
849 ws_close(sync_pipe[PIPE_READ]);
850 ws_close(sync_pipe[PIPE_WRITE]);
851 execv(argv[0], (char * const*)argv);
852 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
853 argv[0], g_strerror(errno));
854 sync_pipe_errmsg_to_parent(2, errmsg, "");
856 /* Exit with "_exit()", so that we don't close the connection
857 to the X server (and cause stuff buffered up by our parent but
858 not yet sent to be sent, as that stuff should only be sent by
859 our parent). We've sent an error message to the parent, so
860 we exit with an exit status of 1 (any exit status other than
861 0 or 1 will cause an additional message to report that exit
862 status, over and above the error message we sent to the parent). */
866 *data_read_fd = data_pipe[PIPE_READ];
867 *message_read_fd = sync_pipe[PIPE_READ];
870 for (i = 0; argv[i] != NULL; i++) {
871 g_free( (gpointer) argv[i]);
874 /* Parent process - read messages from the child process over the
876 g_free( (gpointer) argv); /* free up arg array */
878 /* Close the write sides of the pipes, so that only the child has them
879 open, and thus they completely close, and thus return to us
880 an EOF indication, if the child closes them (either deliberately
881 or by exiting abnormally). */
883 CloseHandle(data_pipe[PIPE_WRITE]);
884 CloseHandle(sync_pipe[PIPE_WRITE]);
886 ws_close(data_pipe[PIPE_WRITE]);
887 ws_close(sync_pipe[PIPE_WRITE]);
890 if (*fork_child == -1) {
891 /* We couldn't even create the child process. */
892 *msg = g_strdup_printf("Couldn't create child process: %s", g_strerror(errno));
893 ws_close(*data_read_fd);
894 ws_close(*message_read_fd);
898 /* we might wait for a moment till child is ready, so update screen now */
899 main_window_update();
904 * Close the pipes we're using to read from dumpcap, and wait for it
905 * to exit. On success, *msgp is unchanged, and the exit status of
906 * dumpcap is returned. On failure (which includes "dumpcap exited
907 * due to being killed by a signal or an exception"), *msgp points
908 * to an error message for the failure, and -1 is returned. In the
909 * latter case, *msgp must be freed with g_free().
912 sync_pipe_close_command(int *data_read_fd, int *message_read_fd,
913 int *fork_child, gchar **msgp)
915 ws_close(*data_read_fd);
916 if (message_read_fd != NULL)
917 ws_close(*message_read_fd);
920 /* XXX - Should we signal the child somehow? */
921 sync_pipe_kill(*fork_child);
924 return sync_pipe_wait_for_child(*fork_child, msgp);
928 * Run dumpcap with the supplied arguments.
930 * On success, *data points to a buffer containing the dumpcap output,
931 * *primary_msg and *secondary_message are NULL, and 0 is returned; *data
932 * must be freed with g_free().
934 * On failure, *data is NULL, *primary_msg points to an error message,
935 * *secondary_msg either points to an additional error message or is
936 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
937 * must be freed with g_free().
939 /* XXX - This duplicates a lot of code in sync_pipe_start() */
940 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
941 #define PIPE_BUF_SIZE 5120
943 sync_pipe_run_command(const char** argv, gchar **data, gchar **primary_msg,
944 gchar **secondary_msg)
947 int data_pipe_read_fd, sync_pipe_read_fd, fork_child, ret;
949 gchar buffer[PIPE_BUF_SIZE+1];
953 char *primary_msg_text;
954 int secondary_msg_len;
955 char *secondary_msg_text;
957 GString *data_buf = NULL;
960 ret = sync_pipe_open_command(argv, &data_pipe_read_fd, &sync_pipe_read_fd,
964 *secondary_msg = NULL;
970 * We were able to set up to read dumpcap's output. Do so.
972 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
974 nread = pipe_read_block(sync_pipe_read_fd, &indicator, SP_MAX_MSG_LEN,
975 buffer, primary_msg);
977 /* We got a read error from the sync pipe, or we got no data at
978 all from the sync pipe, so we're not going to be getting any
979 data or error message from the child process. Pick up its
980 exit status, and complain.
982 We don't have to worry about killing the child, if the sync pipe
983 returned an error. Usually this error is caused as the child killed
984 itself while going down. Even in the rare cases that this isn't the
985 case, the child will get an error when writing to the broken pipe
986 the next time, cleaning itself up then. */
987 ret = sync_pipe_wait_for_child(fork_child, &wait_msg);
989 /* We got an EOF from the sync pipe. That means that it exited
990 before giving us any data to read. If ret is -1, we report
991 that as a bad exit (e.g., exiting due to a signal); otherwise,
992 we report it as a premature exit. */
994 *primary_msg = wait_msg;
996 *primary_msg = g_strdup("Child dumpcap closed sync pipe prematurely");
998 /* We got an error from the sync pipe. If ret is -1, report
999 both the sync pipe I/O error and the wait error. */
1001 combined_msg = g_strdup_printf("%s\n\n%s", *primary_msg, wait_msg);
1002 g_free(*primary_msg);
1004 *primary_msg = combined_msg;
1007 *secondary_msg = NULL;
1012 /* we got a valid message block from the child, process it */
1017 * Error from dumpcap; there will be a primary message and a
1018 * secondary message.
1021 /* convert primary message */
1022 pipe_convert_header((guchar*)buffer, 4, &indicator, &primary_msg_len);
1023 primary_msg_text = buffer+4;
1024 /* convert secondary message */
1025 pipe_convert_header((guchar*)primary_msg_text + primary_msg_len, 4, &indicator,
1026 &secondary_msg_len);
1027 secondary_msg_text = primary_msg_text + primary_msg_len + 4;
1028 /* the capture child will close the sync_pipe, nothing to do */
1031 * Pick up the child status.
1033 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1037 * Child process failed unexpectedly, or wait failed; msg is the
1041 *secondary_msg = NULL;
1044 * Child process failed, but returned the expected exit status.
1045 * Return the messages it gave us, and indicate failure.
1047 *primary_msg = g_strdup(primary_msg_text);
1048 *secondary_msg = g_strdup(secondary_msg_text);
1055 /* read the output from the command */
1056 data_buf = g_string_new("");
1057 while ((count = ws_read(data_pipe_read_fd, buffer, PIPE_BUF_SIZE)) > 0) {
1058 buffer[count] = '\0';
1059 g_string_append(data_buf, buffer);
1063 * Pick up the child status.
1065 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1069 * Child process failed unexpectedly, or wait failed; msg is the
1073 *secondary_msg = NULL;
1074 g_string_free(data_buf, TRUE);
1078 * Child process succeeded.
1080 *primary_msg = NULL;
1081 *secondary_msg = NULL;
1082 *data = data_buf->str;
1083 g_string_free(data_buf, FALSE);
1089 * Pick up the child status.
1091 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1095 * Child process failed unexpectedly, or wait failed; msg is the
1099 *secondary_msg = NULL;
1102 * Child process returned an unknown status.
1104 *primary_msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1106 *secondary_msg = NULL;
1116 sync_interface_set_80211_chan(const gchar *iface, const char *freq, const gchar *type,
1117 gchar **data, gchar **primary_msg,
1118 gchar **secondary_msg)
1124 argv = init_pipe_args(&argc);
1127 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1128 *secondary_msg = NULL;
1133 argv = sync_pipe_add_arg(argv, &argc, "-i");
1134 argv = sync_pipe_add_arg(argv, &argc, iface);
1137 opt = g_strdup_printf("%s,%s", freq, type);
1139 opt = g_strdup_printf("%s", freq);
1142 *primary_msg = g_strdup("Out of mem.");
1143 *secondary_msg = NULL;
1148 argv = sync_pipe_add_arg(argv, &argc, "-k");
1149 argv = sync_pipe_add_arg(argv, &argc, opt);
1152 /* Run dumpcap in capture child mode */
1153 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1154 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1157 ret = sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1163 * Get the list of interfaces using dumpcap.
1165 * On success, *data points to a buffer containing the dumpcap output,
1166 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1167 * must be freed with g_free().
1169 * On failure, *data is NULL, *primary_msg points to an error message,
1170 * *secondary_msg either points to an additional error message or is
1171 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1172 * must be freed with g_free().
1175 sync_interface_list_open(gchar **data, gchar **primary_msg,
1176 gchar **secondary_msg)
1181 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_list_open");
1183 argv = init_pipe_args(&argc);
1186 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1187 *secondary_msg = NULL;
1192 /* Ask for the interface list */
1193 argv = sync_pipe_add_arg(argv, &argc, "-D");
1196 /* Run dumpcap in capture child mode */
1197 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1198 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1200 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1204 * Get the capabilities of an interface using dumpcap.
1206 * On success, *data points to a buffer containing the dumpcap output,
1207 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1208 * must be freed with g_free().
1210 * On failure, *data is NULL, *primary_msg points to an error message,
1211 * *secondary_msg either points to an additional error message or is
1212 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1213 * must be freed with g_free().
1216 sync_if_capabilities_open(const gchar *ifname, gboolean monitor_mode,
1217 gchar **data, gchar **primary_msg,
1218 gchar **secondary_msg)
1223 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_linktype_list_open");
1225 argv = init_pipe_args(&argc);
1228 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1229 *secondary_msg = NULL;
1234 /* Ask for the interface capabilities */
1235 argv = sync_pipe_add_arg(argv, &argc, "-i");
1236 argv = sync_pipe_add_arg(argv, &argc, ifname);
1237 argv = sync_pipe_add_arg(argv, &argc, "-L");
1239 argv = sync_pipe_add_arg(argv, &argc, "-I");
1242 /* Run dumpcap in capture child mode */
1243 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1244 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1246 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1250 * Start getting interface statistics using dumpcap. On success, read_fd
1251 * contains the file descriptor for the pipe's stdout, *msg is unchanged,
1252 * and zero is returned. On failure, *msg will point to an error message
1253 * that must be g_free()d, and -1 will be returned.
1256 sync_interface_stats_open(int *data_read_fd, int *fork_child, gchar **msg)
1260 int message_read_fd, ret;
1262 gchar buffer[PIPE_BUF_SIZE+1];
1265 int primary_msg_len;
1266 char *primary_msg_text;
1267 int secondary_msg_len;
1268 /*char *secondary_msg_text;*/
1271 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_stats_open");
1273 argv = init_pipe_args(&argc);
1276 *msg = g_strdup("We don't know where to find dumpcap.");
1280 /* Ask for the interface statistics */
1281 argv = sync_pipe_add_arg(argv, &argc, "-S");
1284 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1285 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1287 ret = sync_pipe_open_command(argv, data_read_fd, &message_read_fd,
1293 * We were able to set up to read dumpcap's output. Do so.
1295 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
1297 nread = pipe_read_block(message_read_fd, &indicator, SP_MAX_MSG_LEN,
1300 /* We got a read error from the sync pipe, or we got no data at
1301 all from the sync pipe, so we're not going to be getting any
1302 data or error message from the child process. Pick up its
1303 exit status, and complain.
1305 We don't have to worry about killing the child, if the sync pipe
1306 returned an error. Usually this error is caused as the child killed
1307 itself while going down. Even in the rare cases that this isn't the
1308 case, the child will get an error when writing to the broken pipe
1309 the next time, cleaning itself up then. */
1310 ret = sync_pipe_wait_for_child(*fork_child, &wait_msg);
1312 /* We got an EOF from the sync pipe. That means that it exited
1313 before giving us any data to read. If ret is -1, we report
1314 that as a bad exit (e.g., exiting due to a signal); otherwise,
1315 we report it as a premature exit. */
1319 *msg = g_strdup("Child dumpcap closed sync pipe prematurely");
1321 /* We got an error from the sync pipe. If ret is -1, report
1322 both the sync pipe I/O error and the wait error. */
1324 combined_msg = g_strdup_printf("%s\n\n%s", *msg, wait_msg);
1327 *msg = combined_msg;
1334 /* we got a valid message block from the child, process it */
1339 * Error from dumpcap; there will be a primary message and a
1340 * secondary message.
1343 /* convert primary message */
1344 pipe_convert_header((guchar*)buffer, 4, &indicator, &primary_msg_len);
1345 primary_msg_text = buffer+4;
1346 /* convert secondary message */
1347 pipe_convert_header((guchar*)primary_msg_text + primary_msg_len, 4, &indicator,
1348 &secondary_msg_len);
1349 /*secondary_msg_text = primary_msg_text + primary_msg_len + 4;*/
1350 /* the capture child will close the sync_pipe, nothing to do */
1353 * Pick up the child status.
1355 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1359 * Child process failed unexpectedly, or wait failed; msg is the
1364 * Child process failed, but returned the expected exit status.
1365 * Return the messages it gave us, and indicate failure.
1367 *msg = g_strdup(primary_msg_text);
1373 /* Close the message pipe. */
1374 ws_close(message_read_fd);
1379 * Pick up the child status.
1381 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1385 * Child process failed unexpectedly, or wait failed; msg is the
1390 * Child process returned an unknown status.
1392 *msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1401 /* Close down the stats process */
1403 sync_interface_stats_close(int *read_fd, int *fork_child, gchar **msg)
1407 * Don't bother waiting for the child. sync_pipe_close_command
1408 * does this for us on Windows.
1410 sync_pipe_kill(*fork_child);
1412 return sync_pipe_close_command(read_fd, NULL, fork_child, msg);
1415 /* read a number of bytes from a pipe */
1416 /* (blocks until enough bytes read or an error occurs) */
1418 pipe_read_bytes(int pipe_fd, char *bytes, int required, char **msg)
1425 newly = read(pipe_fd, &bytes[offset], required);
1428 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1429 "read from pipe %d: EOF (capture closed?)", pipe_fd);
1436 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1437 "read from pipe %d: error(%u): %s", pipe_fd, error,
1439 *msg = g_strdup_printf("Error reading from sync pipe: %s",
1444 required -= (int)newly;
1452 static gboolean pipe_data_available(int pipe_fd) {
1453 #ifdef _WIN32 /* PeekNamedPipe */
1454 HANDLE hPipe = (HANDLE) _get_osfhandle(pipe_fd);
1457 if (hPipe == INVALID_HANDLE_VALUE)
1460 if (! PeekNamedPipe(hPipe, NULL, 0, NULL, &bytes_avail, NULL))
1463 if (bytes_avail > 0)
1468 struct timeval timeout;
1471 FD_SET(pipe_fd, &rfds);
1473 timeout.tv_usec = 0;
1475 if (select(pipe_fd+1, &rfds, NULL, NULL, &timeout) > 0)
1482 /* Read a line from a pipe, similar to fgets */
1484 sync_pipe_gets_nonblock(int pipe_fd, char *bytes, int max) {
1488 while(offset < max - 1) {
1490 if (! pipe_data_available(pipe_fd))
1492 newly = read(pipe_fd, &bytes[offset], 1);
1494 /* EOF - not necessarily an error */
1496 } else if (newly == -1) {
1498 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1499 "read from pipe %d: error(%u): %s", pipe_fd, errno, g_strerror(errno));
1501 } else if (bytes[offset] == '\n') {
1507 bytes[offset] = '\0';
1513 /* convert header values (indicator and 3-byte length) */
1515 pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len) {
1517 g_assert(header_len == 4);
1519 /* convert header values */
1520 *indicator = header[0];
1521 *block_len = (header[1]&0xFF)<<16 | (header[2]&0xFF)<<8 | (header[3]&0xFF);
1524 /* read a message from the sending pipe in the standard format
1525 (1-byte message indicator, 3-byte message length (excluding length
1526 and indicator field), and the rest is the message) */
1528 pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
1535 /* read header (indicator and 3-byte length) */
1536 newly = pipe_read_bytes(pipe_fd, header, 4, err_msg);
1540 * Immediate EOF; if the capture child exits normally, this
1541 * is an "I'm done" indication, so don't report it as an
1544 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1545 "read %d got an EOF", pipe_fd);
1548 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1549 "read %d failed to read header: %lu", pipe_fd, (long)newly);
1552 * Short read, but not an immediate EOF.
1554 *err_msg = g_strdup_printf("Premature EOF reading from sync pipe: got only %ld bytes",
1560 /* convert header values */
1561 pipe_convert_header((guchar*)header, 4, indicator, &required);
1563 /* only indicator with no value? */
1565 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1566 "read %d indicator: %c empty value", pipe_fd, *indicator);
1570 /* does the data fit into the given buffer? */
1571 if(required > len) {
1572 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1573 "read %d length error, required %d > len %d, header: 0x%02x 0x%02x 0x%02x 0x%02x",
1574 pipe_fd, required, len,
1575 header[0], header[1], header[2], header[3]);
1577 /* we have a problem here, try to read some more bytes from the pipe to debug where the problem really is */
1578 memcpy(msg, header, sizeof(header));
1579 newly = read(pipe_fd, &msg[sizeof(header)], len-sizeof(header));
1580 if (newly < 0) { /* error */
1581 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1582 "read from pipe %d: error(%u): %s", pipe_fd, errno, g_strerror(errno));
1584 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1590 /* read the actual block data */
1591 newly = pipe_read_bytes(pipe_fd, msg, required, err_msg);
1592 if(newly != required) {
1594 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1600 /* XXX If message is "2part", the msg probably won't be sent to debug log correctly */
1601 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1602 "read %d ok indicator: %c len: %u msg: %s", pipe_fd, *indicator,
1609 /* There's stuff to read from the sync pipe, meaning the child has sent
1610 us a message, or the sync pipe has closed, meaning the child has
1611 closed it (perhaps because it exited). */
1613 sync_pipe_input_cb(gint source, gpointer user_data)
1615 capture_options *capture_opts = (capture_options *)user_data;
1617 char buffer[SP_MAX_MSG_LEN+1];
1623 char *secondary_msg;
1624 char *wait_msg, *combined_msg;
1627 nread = pipe_read_block(source, &indicator, SP_MAX_MSG_LEN, buffer,
1630 /* We got a read error, or a bad message, or an EOF, from the sync pipe.
1632 If we got a read error or a bad message, nread is -1 and
1633 primary_msg is set to point to an error message. We don't
1634 have to worry about killing the child; usually this error
1635 is caused as the child killed itself while going down.
1636 Even in the rare cases that this isn't the case, the child
1637 will get an error when writing to the broken pipe the next time,
1638 cleaning itself up then.
1640 If we got an EOF, nread is 0 and primary_msg isn't set. This
1641 is an indication that the capture is finished. */
1642 ret = sync_pipe_wait_for_child(capture_opts->fork_child, &wait_msg);
1644 /* We got an EOF from the sync pipe. That means that the capture
1645 child exited, and not in the middle of a message; we treat
1646 that as an indication that it's done, and only report an
1647 error if ret is -1, in which case wait_msg is the error
1650 primary_msg = wait_msg;
1652 /* We got an error from the sync pipe. If ret is -1, report
1653 both the sync pipe I/O error and the wait error. */
1655 combined_msg = g_strdup_printf("%s\n\n%s", primary_msg, wait_msg);
1656 g_free(primary_msg);
1658 primary_msg = combined_msg;
1662 /* No more child process. */
1663 capture_opts->fork_child = -1;
1664 capture_opts->fork_child_status = ret;
1667 ws_close(capture_opts->signal_pipe_write_fd);
1669 capture_input_closed(capture_opts, primary_msg);
1670 g_free(primary_msg);
1674 /* we got a valid message block from the child, process it */
1677 if(!capture_input_new_file(capture_opts, buffer)) {
1678 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: file failed, closing capture");
1680 /* We weren't able to open the new capture file; user has been
1681 alerted. Close the sync pipe. */
1684 /* The child has sent us a filename which we couldn't open.
1686 This could mean that the child is creating files faster
1687 than we can handle it. (XXX - why would that result in
1688 a failure to open the file?)
1690 That should only be the case for very fast file switches;
1691 We can't do much more than telling the child to stop.
1692 (This is the "emergency brake" if the user e.g. wants to
1693 switch files every second).
1695 This can also happen if the user specified "-", meaning
1696 "standard output", as the capture file. */
1697 sync_pipe_stop(capture_opts);
1698 capture_input_closed(capture_opts, NULL);
1702 case SP_PACKET_COUNT:
1703 npackets = atoi(buffer);
1704 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: new packets %u", npackets);
1705 capture_input_new_packets(capture_opts, npackets);
1708 /* convert primary message */
1709 pipe_convert_header((guchar*)buffer, 4, &indicator, &primary_len);
1710 primary_msg = buffer+4;
1711 /* convert secondary message */
1712 pipe_convert_header((guchar*)primary_msg + primary_len, 4, &indicator, &secondary_len);
1713 secondary_msg = primary_msg + primary_len + 4;
1714 /* message output */
1715 capture_input_error_message(capture_opts, primary_msg, secondary_msg);
1716 /* the capture child will close the sync_pipe, nothing to do for now */
1717 /* (an error message doesn't mean we have to stop capturing) */
1719 case SP_BAD_FILTER: {
1723 ch = strtok(buffer, ":");
1724 indx = (int)strtol(ch, NULL, 10);
1725 ch = strtok(NULL, ":");
1726 capture_input_cfilter_error_message(capture_opts, indx, ch);
1727 /* the capture child will close the sync_pipe, nothing to do for now */
1731 capture_input_drops(capture_opts, (guint32)strtoul(buffer, NULL, 10));
1734 g_assert_not_reached();
1743 * dumpcap is exiting; wait for it to exit. On success, *msgp is
1744 * unchanged, and the exit status of dumpcap is returned. On
1745 * failure (which includes "dumpcap exited due to being killed by
1746 * a signal or an exception"), *msgp points to an error message
1747 * for the failure, and -1 is returned. In the latter case, *msgp
1748 * must be freed with g_free().
1751 sync_pipe_wait_for_child(int fork_child, gchar **msgp)
1753 int fork_child_status;
1755 GTimeVal start_time;
1760 * GLIB_CHECK_VERSION(2,28,0) adds g_get_real_time which could minimize or
1763 g_get_current_time(&start_time);
1765 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: wait till child closed");
1766 g_assert(fork_child != -1);
1768 *msgp = NULL; /* assume no error */
1770 if (_cwait(&fork_child_status, fork_child, _WAIT_CHILD) == -1) {
1771 *msgp = g_strdup_printf("Error from cwait(): %s", g_strerror(errno));
1775 * The child exited; return its exit status. Do not treat this as
1778 ret = fork_child_status;
1779 if ((fork_child_status & 0xC0000000) == ERROR_SEVERITY_ERROR) {
1780 /* Probably an exception code */
1781 *msgp = g_strdup_printf("Child dumpcap process died: %s",
1782 win32strexception(fork_child_status));
1787 if (waitpid(fork_child, &fork_child_status, 0) != -1) {
1788 if (WIFEXITED(fork_child_status)) {
1790 * The child exited; return its exit status. Do not treat this as
1793 ret = WEXITSTATUS(fork_child_status);
1794 } else if (WIFSTOPPED(fork_child_status)) {
1795 /* It stopped, rather than exiting. "Should not happen." */
1796 *msgp = g_strdup_printf("Child dumpcap process stopped: %s",
1797 sync_pipe_signame(WSTOPSIG(fork_child_status)));
1799 } else if (WIFSIGNALED(fork_child_status)) {
1800 /* It died with a signal. */
1801 *msgp = g_strdup_printf("Child dumpcap process died: %s%s",
1802 sync_pipe_signame(WTERMSIG(fork_child_status)),
1803 WCOREDUMP(fork_child_status) ? " - core dumped" : "");
1806 /* What? It had to either have exited, or stopped, or died with
1807 a signal; what happened here? */
1808 *msgp = g_strdup_printf("Bad status from waitpid(): %#o",
1813 *msgp = g_strdup_printf("Error from waitpid(): %s", g_strerror(errno));
1818 g_get_current_time(&end_time);
1819 elapsed = (float) ((end_time.tv_sec - start_time.tv_sec) +
1820 ((end_time.tv_usec - start_time.tv_usec) / 1e6));
1821 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: capture child closed after %.3fs", elapsed);
1827 /* convert signal to corresponding name */
1829 sync_pipe_signame(int sig)
1832 static char sigmsg_buf[6+1+3+1];
1841 sigmsg = "Interrupted";
1849 sigmsg = "Illegal instruction";
1853 sigmsg = "Trace trap";
1861 sigmsg = "Arithmetic exception";
1869 sigmsg = "Bus error";
1873 sigmsg = "Segmentation violation";
1876 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
1877 Linux is POSIX compliant. These are not POSIX-defined signals ---
1878 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
1880 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
1881 were omitted from POSIX.1 because their behavior is
1882 implementation dependent and could not be adequately catego-
1883 rized. Conforming implementations may deliver these sig-
1884 nals, but must document the circumstances under which they
1885 are delivered and note any restrictions concerning their
1888 So we only check for SIGSYS on those systems that happen to
1889 implement them (a system can be POSIX-compliant and implement
1890 them, it's just that POSIX doesn't *require* a POSIX-compliant
1891 system to implement them).
1896 sigmsg = "Bad system call";
1901 sigmsg = "Broken pipe";
1905 sigmsg = "Alarm clock";
1909 sigmsg = "Terminated";
1913 /* Returning a static buffer is ok in the context we use it here */
1914 g_snprintf(sigmsg_buf, sizeof sigmsg_buf, "Signal %d", sig);
1915 sigmsg = sigmsg_buf;
1924 /* tell the child through the signal pipe that we want to quit the capture */
1926 signal_pipe_capquit_to_child(capture_options *capture_opts)
1928 const char quit_msg[] = "QUIT";
1932 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");
1934 /* it doesn't matter *what* we send here, the first byte will stop the capture */
1935 /* simply sending a "QUIT" string */
1936 /*pipe_write_block(capture_opts->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
1937 ret = write(capture_opts->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
1939 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1940 "signal_pipe_capquit_to_child: %d header: error %s", capture_opts->signal_pipe_write_fd, g_strerror(errno));
1946 /* user wants to stop the capture run */
1948 sync_pipe_stop(capture_options *capture_opts)
1953 gboolean terminate = TRUE;
1956 if (capture_opts->fork_child != -1) {
1958 /* send the SIGINT signal to close the capture child gracefully. */
1959 int sts = kill(capture_opts->fork_child, SIGINT);
1961 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1962 "Sending SIGINT to child failed: %s\n", g_strerror(errno));
1965 #define STOP_SLEEP_TIME 500 /* ms */
1966 #define STOP_CHECK_TIME 50
1967 /* First, use the special signal pipe to try to close the capture child
1970 signal_pipe_capquit_to_child(capture_opts);
1972 /* Next, wait for the process to exit on its own */
1973 for (count = 0; count < STOP_SLEEP_TIME / STOP_CHECK_TIME; count++) {
1974 if (GetExitCodeProcess((HANDLE) capture_opts->fork_child, &childstatus) &&
1975 childstatus != STILL_ACTIVE) {
1979 Sleep(STOP_CHECK_TIME);
1982 /* Force the issue. */
1984 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1985 "sync_pipe_stop: forcing child to exit");
1986 sync_pipe_kill(capture_opts->fork_child);
1993 /* Wireshark has to exit, force the capture child to close */
1995 sync_pipe_kill(int fork_child)
1997 if (fork_child != -1) {
1999 int sts = kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
2001 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
2002 "Sending SIGTERM to child failed: %s\n", g_strerror(errno));
2005 /* Remark: This is not the preferred method of closing a process!
2006 * the clean way would be getting the process id of the child process,
2007 * then getting window handle hWnd of that process (using EnumChildWindows),
2008 * and then do a SendMessage(hWnd, WM_CLOSE, 0, 0)
2010 * Unfortunately, I don't know how to get the process id from the
2011 * handle. OpenProcess will get an handle (not a window handle)
2012 * from the process ID; it will not get a window handle from the
2013 * process ID. (How could it? A process can have more than one
2014 * window. For that matter, a process might have *no* windows,
2015 * as a process running dumpcap, the normal child process program,
2018 * Hint: GenerateConsoleCtrlEvent() will only work if both processes are
2019 * running in the same console; that's not necessarily the case for
2020 * us, as we might not be running in a console.
2021 * And this also will require to have the process id.
2023 TerminateProcess((HANDLE) (fork_child), 0);
2028 #endif /* HAVE_LIBPCAP */