2 * Utility routines for packet capture
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * SPDX-License-Identifier: GPL-2.0-or-later
22 #ifdef HAVE_SYS_TYPES_H
23 # include <sys/types.h>
26 #ifdef HAVE_SYS_SOCKET_H
27 #include <sys/socket.h>
30 #include "ws_attributes.h"
33 * Linux bonding devices mishandle unknown ioctls; they fail
34 * with ENODEV rather than ENOTSUP, EOPNOTSUPP, or ENOTTY,
35 * so pcap_can_set_rfmon() returns a "no such device" indication
36 * if we try to do SIOCGIWMODE on them.
38 * So, on Linux, we check for bonding devices, if we can, before
39 * trying pcap_can_set_rfmon(), as pcap_can_set_rfmon() will
40 * end up trying SIOCGIWMODE on the device if that ioctl exists.
42 #if defined(HAVE_PCAP_CREATE) && defined(__linux__)
44 #include <sys/ioctl.h>
47 * If we're building for a Linux version that supports bonding,
48 * HAVE_BONDING will be defined.
51 #ifdef HAVE_LINUX_SOCKIOS_H
52 #include <linux/sockios.h>
55 #ifdef HAVE_LINUX_IF_BONDING_H
56 #include <linux/if_bonding.h>
59 #if defined(BOND_INFO_QUERY_OLD) || defined(SIOCBONDINFOQUERY)
63 #endif /* defined(HAVE_PCAP_CREATE) && defined(__linux__) */
65 #include "caputils/capture_ifinfo.h"
66 #include "caputils/capture-pcap-util.h"
67 #include "caputils/capture-pcap-util-int.h"
71 #include <wsutil/file_util.h>
74 #include <netinet/in.h>
78 #include "caputils/capture_win_ifnames.h" /* windows friendly interface names */
82 * Standard secondary message for unexpected errors.
84 static const char please_report[] =
85 "Please report this to the Wireshark developers.\n"
86 "https://bugs.wireshark.org/\n"
87 "(This is not a crash; please do not report it as such.)";
90 * Given an interface name, find the "friendly name" and interface
91 * type for the interface.
94 #if defined(HAVE_MACOS_FRAMEWORKS)
96 #include <CoreFoundation/CoreFoundation.h>
97 #include <SystemConfiguration/SystemConfiguration.h>
99 #include <wsutil/cfutils.h>
102 * On macOS, we get the "friendly name" and interface type for the interface
103 * from the System Configuration framework.
105 * To find the System Configuration framework information for the
106 * interface, we get all the interfaces that the System Configuration
107 * framework knows about and look for the one with a "BSD name" matching
108 * the interface name.
110 * If we find it, we use its "localized display name", if it has one, as
111 * the "friendly name".
113 * As for the interface type:
115 * Yes, fetching all the network addresses for an interface gets you an
116 * AF_LINK address, of type "struct sockaddr_dl", and, yes, that includes
117 * an SNMP MIB-II ifType value.
119 * However, it's IFT_ETHER, i.e. Ethernet, for AirPort interfaces,
120 * not IFT_IEEE80211 (which isn't defined in macOS in any case).
122 * Perhaps some other BSD-flavored OSes won't make this mistake;
123 * however, FreeBSD 7.0 and OpenBSD 4.2, at least, appear to have
124 * made the same mistake, at least for my Belkin ZyDAS stick.
126 * SCNetworkInterfaceGetInterfaceType() will get the interface
127 * type. The interface type is a CFString, and:
129 * kSCNetworkInterfaceTypeIEEE80211 means IF_WIRELESS;
130 * kSCNetworkInterfaceTypeBluetooth means IF_BLUETOOTH;
131 * kSCNetworkInterfaceTypeModem or
132 * kSCNetworkInterfaceTypePPP or
133 * maybe kSCNetworkInterfaceTypeWWAN means IF_DIALUP
136 add_unix_interface_ifinfo(if_info_t *if_info, const char *name,
137 const char *description _U_)
139 CFStringRef name_CFString;
140 CFArrayRef interfaces;
141 CFIndex num_interfaces;
143 SCNetworkInterfaceRef interface;
144 CFStringRef bsdname_CFString;
145 CFStringRef friendly_name_CFString;
146 CFStringRef interface_type_CFString;
148 interfaces = SCNetworkInterfaceCopyAll();
149 if (interfaces == NULL) {
151 * Couldn't get a list of interfaces.
156 name_CFString = CFStringCreateWithCString(kCFAllocatorDefault,
157 name, kCFStringEncodingUTF8);
158 if (name_CFString == NULL) {
160 * Couldn't convert the interface name to a CFString.
162 CFRelease(interfaces);
166 num_interfaces = CFArrayGetCount(interfaces);
167 for (i = 0; i < num_interfaces; i++) {
168 interface = (SCNetworkInterfaceRef)CFArrayGetValueAtIndex(interfaces, i);
169 bsdname_CFString = SCNetworkInterfaceGetBSDName(interface);
170 if (bsdname_CFString == NULL) {
172 * This interface has no BSD name, so it's not
173 * a regular network interface.
177 if (CFStringCompare(name_CFString, bsdname_CFString, 0) == 0) {
179 * This is the interface.
180 * First, get the friendly name.
182 friendly_name_CFString = SCNetworkInterfaceGetLocalizedDisplayName(interface);
183 if (friendly_name_CFString != NULL)
184 if_info->friendly_name = CFString_to_C_string(friendly_name_CFString);
187 * Now get the interface type.
189 interface_type_CFString = SCNetworkInterfaceGetInterfaceType(interface);
190 if (CFStringCompare(interface_type_CFString,
191 kSCNetworkInterfaceTypeIEEE80211, 0) == kCFCompareEqualTo)
192 if_info->type = IF_WIRELESS;
193 else if (CFStringCompare(interface_type_CFString,
194 kSCNetworkInterfaceTypeBluetooth, 0) == kCFCompareEqualTo)
195 if_info->type = IF_BLUETOOTH;
196 else if (CFStringCompare(interface_type_CFString,
197 kSCNetworkInterfaceTypeModem, 0) == kCFCompareEqualTo)
198 if_info->type = IF_DIALUP;
199 else if (CFStringCompare(interface_type_CFString,
200 kSCNetworkInterfaceTypePPP, 0) == kCFCompareEqualTo)
201 if_info->type = IF_DIALUP;
202 else if (CFStringCompare(interface_type_CFString,
203 kSCNetworkInterfaceTypeWWAN, 0) == kCFCompareEqualTo)
204 if_info->type = IF_DIALUP;
206 if_info->type = IF_WIRED;
211 CFRelease(interfaces);
212 CFRelease(name_CFString);
214 #elif defined(__linux__)
216 * Linux doesn't offer any form of "friendly name", but you can
217 * determine an interface type to some degree.
220 add_unix_interface_ifinfo(if_info_t *if_info, const char *name,
221 const char *description _U_)
227 * Look for /sys/class/net/{device}/wireless. If it exists,
228 * it's a wireless interface.
230 wireless_path = g_strdup_printf("/sys/class/net/%s/wireless", name);
231 if (wireless_path != NULL) {
232 if (ws_stat64(wireless_path, &statb) == 0)
233 if_info->type = IF_WIRELESS;
234 g_free(wireless_path);
236 if (if_info->type == IF_WIRED) {
238 * We still don't know what it is. Check for
239 * Bluetooth and USB devices.
241 if (strstr(name, "bluetooth") != NULL) {
243 * XXX - this is for raw Bluetooth capture; what
244 * about IP-over-Bluetooth devices?
246 if_info->type = IF_BLUETOOTH;
247 } else if (strstr(name, "usbmon") != NULL)
248 if_info->type = IF_USB;
253 * On other UN*Xes, if there is a description, it's a friendly
254 * name, and there is no vendor description. ("Other UN*Xes"
255 * currently means "FreeBSD and OpenBSD".)
258 add_unix_interface_ifinfo(if_info_t *if_info, const char *name _U_,
259 const char *description)
261 if_info->friendly_name = g_strdup(description);
266 if_info_new(const char *name, const char *description, gboolean loopback)
270 const char *guid_text;
274 if_info = (if_info_t *)g_malloc(sizeof (if_info_t));
275 if_info->name = g_strdup(name);
276 if_info->friendly_name = NULL; /* default - unknown */
277 if_info->vendor_description = NULL;
278 if_info->type = IF_WIRED; /* default */
279 if_info->extcap = g_strdup("");
282 * Get the interface type.
284 * Much digging failed to reveal any obvious way to get something
285 * such as the SNMP MIB-II ifType value for an interface:
287 * http://www.iana.org/assignments/ianaiftype-mib
289 * by making some NDIS request. And even if there were such
290 * a way, there's no guarantee that the ifType reflects an
291 * interface type that a user would view as correct (for
292 * example, some systems report Wi-Fi interfaces as
293 * Ethernet interfaces).
295 * So we look for keywords in the vendor's interface
298 if (description && (strstr(description, "generic dialup") != NULL ||
299 strstr(description, "PPP/SLIP") != NULL)) {
300 if_info->type = IF_DIALUP;
301 } else if (description && (strstr(description, "Wireless") != NULL ||
302 strstr(description,"802.11") != NULL)) {
303 if_info->type = IF_WIRELESS;
304 } else if (description && strstr(description, "AirPcap") != NULL ||
305 strstr(name, "airpcap") != NULL) {
306 if_info->type = IF_AIRPCAP;
307 } else if (description && strstr(description, "Bluetooth") != NULL ) {
308 if_info->type = IF_BLUETOOTH;
309 } else if (description && strstr(description, "VMware") != NULL) {
311 * Bridge, NAT, or host-only interface on a VMware host.
313 * XXX - what about guest interfaces?
315 if_info->type = IF_VIRTUAL;
319 * On Windows, the "description" is a vendor description,
320 * and the friendly name isn't returned by WinPcap.
321 * Fetch it ourselves.
325 * Skip over the "\Device\NPF_" prefix in the device name,
328 if (strncmp("\\Device\\NPF_", name, 12) == 0)
329 guid_text = name + 12;
333 /* Now try to parse what remains as a GUID. */
334 if (parse_as_guid(guid_text, &guid)) {
336 * Success. Try to get a friendly name using the GUID.
337 * As this is a regular interface, the description is a
338 * vendor description.
340 if_info->friendly_name = get_interface_friendly_name_from_device_guid(&guid);
341 if_info->vendor_description = g_strdup(description);
344 * This is probably not a regular interface; we only
345 * support NT 5 (W2K) and later, so all regular interfaces
346 * should have GUIDs at the end of the name. Therefore,
347 * the description, if supplied, is a friendly name
348 * provided by WinPcap, and there is no vendor
351 if_info->friendly_name = g_strdup(description);
352 if_info->vendor_description = NULL;
356 * On UN*X, if there is a description, it's a friendly
357 * name, and there is no vendor description.
359 * Try the platform's way of getting a friendly name and
360 * interface type first.
362 * If that fails, then, for a loopback interface, give it the
363 * friendly name "Loopback" and, for VMware interfaces,
364 * give them the type IF_VIRTUAL.
366 add_unix_interface_ifinfo(if_info, name, description);
367 if (if_info->type == IF_WIRED) {
369 * This is the default interface type.
371 * Bridge, NAT, or host-only interfaces on VMWare hosts
372 * have the name vmnet[0-9]+. Guests might use a native
373 * (LANCE or E1000) driver or the vmxnet driver. Check
376 if (g_ascii_strncasecmp(name, "vmnet", 5) == 0)
377 if_info->type = IF_VIRTUAL;
378 else if (g_ascii_strncasecmp(name, "vmxnet", 6) == 0)
379 if_info->type = IF_VIRTUAL;
381 if (if_info->friendly_name == NULL) {
383 * We couldn't get interface information using platform-
386 * If this is a loopback interface, give it a
387 * "friendly name" of "Loopback".
390 if_info->friendly_name = g_strdup("Loopback");
392 if_info->vendor_description = NULL;
394 if_info->loopback = loopback;
395 if_info->addrs = NULL;
400 if_info_add_address(if_info_t *if_info, struct sockaddr *addr)
403 struct sockaddr_in *ai;
404 struct sockaddr_in6 *ai6;
406 switch (addr->sa_family) {
409 ai = (struct sockaddr_in *)(void *)addr;
410 if_addr = (if_addr_t *)g_malloc(sizeof(*if_addr));
411 if_addr->ifat_type = IF_AT_IPv4;
412 if_addr->addr.ip4_addr =
413 *((guint32 *)&(ai->sin_addr.s_addr));
414 if_info->addrs = g_slist_prepend(if_info->addrs, if_addr);
418 ai6 = (struct sockaddr_in6 *)(void *)addr;
419 if_addr = (if_addr_t *)g_malloc(sizeof(*if_addr));
420 if_addr->ifat_type = IF_AT_IPv6;
421 memcpy((void *)&if_addr->addr.ip6_addr,
422 (void *)&ai6->sin6_addr.s6_addr,
423 sizeof if_addr->addr.ip6_addr);
424 if_info->addrs = g_slist_prepend(if_info->addrs, if_addr);
429 #ifdef HAVE_PCAP_FINDALLDEVS
431 * Get all IP address information for the given interface.
434 if_info_ip(if_info_t *if_info, pcap_if_t *d)
439 for (a = d->addresses; a != NULL; a = a->next) {
441 if_info_add_address(if_info, a->addr);
445 if_info->addrs = g_slist_reverse(if_info->addrs);
449 #ifdef HAVE_PCAP_REMOTE
451 get_interface_list_findalldevs_ex(const char *source,
452 struct pcap_rmtauth *auth,
453 int *err, char **err_str)
456 pcap_if_t *alldevs, *dev;
459 * WinPcap can overflow PCAP_ERRBUF_SIZE if the host is unreachable.
460 * Fudge a larger size.
462 char errbuf[PCAP_ERRBUF_SIZE*4];
464 if (pcap_findalldevs_ex((char *)source, auth, &alldevs, errbuf) == -1) {
465 *err = CANT_GET_INTERFACE_LIST;
467 *err_str = cant_get_if_list_error_message(errbuf);
471 if (alldevs == NULL) {
473 * No interfaces found.
481 for (dev = alldevs; dev != NULL; dev = dev->next) {
482 if_info = if_info_new(dev->name, dev->description,
483 (dev->flags & PCAP_IF_LOOPBACK) ? TRUE : FALSE);
484 il = g_list_append(il, if_info);
485 if_info_ip(if_info, dev);
487 pcap_freealldevs(alldevs);
494 get_interface_list_findalldevs(int *err, char **err_str)
497 pcap_if_t *alldevs, *dev;
499 char errbuf[PCAP_ERRBUF_SIZE];
501 if (pcap_findalldevs(&alldevs, errbuf) == -1) {
502 *err = CANT_GET_INTERFACE_LIST;
504 *err_str = cant_get_if_list_error_message(errbuf);
508 if (alldevs == NULL) {
510 * No interfaces found.
518 for (dev = alldevs; dev != NULL; dev = dev->next) {
519 if_info = if_info_new(dev->name, dev->description,
520 (dev->flags & PCAP_IF_LOOPBACK) ? TRUE : FALSE);
521 il = g_list_append(il, if_info);
522 if_info_ip(if_info, dev);
524 pcap_freealldevs(alldevs);
528 #endif /* HAVE_PCAP_FINDALLDEVS */
531 free_if_cb(gpointer data, gpointer user_data _U_)
533 if_info_t *if_info = (if_info_t *)data;
535 g_free(if_info->name);
536 g_free(if_info->friendly_name);
537 g_free(if_info->vendor_description);
538 g_free(if_info->extcap);
539 g_slist_free_full(if_info->addrs, g_free);
544 free_interface_list(GList *if_list)
546 g_list_foreach(if_list, free_if_cb, NULL);
547 g_list_free(if_list);
550 #if !defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) || !defined(HAVE_PCAP_DATALINK_VAL_TO_NAME) || !defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION)
553 const char *description;
557 #define DLT_CHOICE(code, description) { #code, description, code }
558 #define DLT_CHOICE_SENTINEL { NULL, NULL, 0 }
560 static struct dlt_choice dlt_choices[] = {
561 DLT_CHOICE(DLT_NULL, "BSD loopback"),
562 DLT_CHOICE(DLT_EN10MB, "Ethernet"),
563 DLT_CHOICE(DLT_IEEE802, "Token ring"),
564 DLT_CHOICE(DLT_ARCNET, "ARCNET"),
565 DLT_CHOICE(DLT_SLIP, "SLIP"),
566 DLT_CHOICE(DLT_PPP, "PPP"),
567 DLT_CHOICE(DLT_FDDI, "FDDI"),
568 DLT_CHOICE(DLT_ATM_RFC1483, "RFC 1483 IP-over-ATM"),
569 DLT_CHOICE(DLT_RAW, "Raw IP"),
570 DLT_CHOICE(DLT_SLIP_BSDOS, "BSD/OS SLIP"),
571 DLT_CHOICE(DLT_PPP_BSDOS, "BSD/OS PPP"),
572 DLT_CHOICE(DLT_ATM_CLIP, "Linux Classical IP-over-ATM"),
573 DLT_CHOICE(DLT_PPP_SERIAL, "PPP over serial"),
574 DLT_CHOICE(DLT_PPP_ETHER, "PPPoE"),
575 DLT_CHOICE(DLT_C_HDLC, "Cisco HDLC"),
576 DLT_CHOICE(DLT_IEEE802_11, "802.11"),
577 DLT_CHOICE(DLT_FRELAY, "Frame Relay"),
578 DLT_CHOICE(DLT_LOOP, "OpenBSD loopback"),
579 DLT_CHOICE(DLT_ENC, "OpenBSD encapsulated IP"),
580 DLT_CHOICE(DLT_LINUX_SLL, "Linux cooked"),
581 DLT_CHOICE(DLT_LTALK, "Localtalk"),
582 DLT_CHOICE(DLT_PFLOG, "OpenBSD pflog file"),
583 DLT_CHOICE(DLT_PRISM_HEADER, "802.11 plus Prism header"),
584 DLT_CHOICE(DLT_IP_OVER_FC, "RFC 2625 IP-over-Fibre Channel"),
585 DLT_CHOICE(DLT_SUNATM, "Sun raw ATM"),
586 DLT_CHOICE(DLT_IEEE802_11_RADIO, "802.11 plus BSD radio information header"),
587 DLT_CHOICE(DLT_APPLE_IP_OVER_IEEE1394, "Apple IP-over-IEEE 1394"),
588 DLT_CHOICE(DLT_ARCNET_LINUX, "Linux ARCNET"),
589 DLT_CHOICE(DLT_LINUX_IRDA, "Linux IrDA"),
590 DLT_CHOICE(DLT_IEEE802_11_RADIO_AVS, "802.11 plus AVS radio information header"),
594 #if !defined(HAVE_PCAP_DATALINK_NAME_TO_VAL)
596 pcap_datalink_name_to_val(const char *name)
600 for (i = 0; dlt_choices[i].name != NULL; i++) {
601 if (g_ascii_strcasecmp(dlt_choices[i].name + sizeof("DLT_") - 1,
603 return (dlt_choices[i].dlt);
607 #endif /* defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) */
609 #if !defined(HAVE_PCAP_DATALINK_VAL_TO_NAME)
611 pcap_datalink_val_to_name(int dlt)
615 for (i = 0; dlt_choices[i].name != NULL; i++) {
616 if (dlt_choices[i].dlt == dlt)
617 return (dlt_choices[i].name + sizeof("DLT_") - 1);
621 #endif /* defined(HAVE_PCAP_DATALINK_VAL_TO_NAME) */
623 #if !defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION)
625 pcap_datalink_val_to_description(int dlt)
629 for (i = 0; dlt_choices[i].name != NULL; i++) {
630 if (dlt_choices[i].dlt == dlt)
631 return (dlt_choices[i].description);
635 #endif /* defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION) */
637 #endif /* !defined(HAVE_PCAP_DATALINK_VAL_TO_NAME) || !defined(HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION) */
640 free_linktype_cb(gpointer data, gpointer user_data _U_)
642 data_link_info_t *linktype_info = (data_link_info_t *)data;
644 g_free(linktype_info->name);
645 g_free(linktype_info->description);
646 g_free(linktype_info);
650 free_timestamp_cb(gpointer data, gpointer user_data _U_)
652 timestamp_info_t *timestamp_info = (timestamp_info_t *)data;
654 g_free(timestamp_info->name);
655 g_free(timestamp_info->description);
660 free_if_capabilities(if_capabilities_t *caps)
662 g_list_foreach(caps->data_link_types, free_linktype_cb, NULL);
663 g_list_free(caps->data_link_types);
665 g_list_foreach(caps->timestamp_types, free_timestamp_cb, NULL);
666 g_list_free(caps->timestamp_types);
672 linktype_val_to_name(int dlt)
674 return pcap_datalink_val_to_name(dlt);
678 linktype_name_to_val(const char *linktype)
680 return pcap_datalink_name_to_val(linktype);
684 * Get the data-link type for a libpcap device.
685 * This works around AIX 5.x's non-standard and incompatible-with-the-
686 * rest-of-the-universe libpcap.
689 get_pcap_datalink(pcap_t *pch, const char *devicename
698 const char *ifacename;
701 datalink = pcap_datalink(pch);
705 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
706 * rather than DLT_ values for link-layer types; the ifType values
707 * for LAN devices are:
714 * and the ifType value for a loopback device is 24.
716 * The AIX names for LAN devices begin with:
723 * and the AIX names for loopback devices begin with "lo".
725 * (The difference between "Ethernet" and "802.3" is presumably
726 * whether packets have an Ethernet header, with a packet type,
727 * or an 802.3 header, with a packet length, followed by an 802.2
728 * header and possibly a SNAP header.)
730 * If the device name matches "datalink" interpreted as an ifType
731 * value, rather than as a DLT_ value, we will assume this is AIX's
732 * non-standard, incompatible libpcap, rather than a standard libpcap,
733 * and will map the link-layer type to the standard DLT_ value for
734 * that link-layer type, as that's what the rest of Wireshark expects.
736 * (This means the capture files won't be readable by a tcpdump
737 * linked with AIX's non-standard libpcap, but so it goes. They
738 * *will* be readable by standard versions of tcpdump, Wireshark,
741 * XXX - if we conclude we're using AIX libpcap, should we also
742 * set a flag to cause us to assume the time stamps are in
743 * seconds-and-nanoseconds form, and to convert them to
744 * seconds-and-microseconds form before processing them and
749 * Find the last component of the device name, which is the
752 ifacename = strchr(devicename, '/');
753 if (ifacename == NULL)
754 ifacename = devicename;
756 /* See if it matches any of the LAN device names. */
757 if (strncmp(ifacename, "en", 2) == 0) {
760 * That's the RFC 1573 value for Ethernet;
761 * map it to DLT_EN10MB.
765 } else if (strncmp(ifacename, "et", 2) == 0) {
768 * That's the RFC 1573 value for 802.3;
769 * map it to DLT_EN10MB.
771 * (libpcap, tcpdump, Wireshark, etc. don't
772 * care if it's Ethernet or 802.3.)
776 } else if (strncmp(ifacename, "tr", 2) == 0) {
779 * That's the RFC 1573 value for 802.5 (Token Ring);
780 * map it to DLT_IEEE802, which is what's used for
785 } else if (strncmp(ifacename, "fi", 2) == 0) {
786 if (datalink == 15) {
788 * That's the RFC 1573 value for FDDI;
789 * map it to DLT_FDDI.
793 } else if (strncmp(ifacename, "lo", 2) == 0) {
794 if (datalink == 24) {
796 * That's the RFC 1573 value for "software loopback"
797 * devices; map it to DLT_NULL, which is what's used
798 * for loopback devices on BSD.
808 /* Set the data link type on a pcap. */
810 set_pcap_datalink(pcap_t *pcap_h, int datalink, char *name,
811 char *errmsg, size_t errmsg_len,
812 char *secondary_errmsg, size_t secondary_errmsg_len)
814 char *set_datalink_err_str;
817 return TRUE; /* just use the default */
818 #ifdef HAVE_PCAP_SET_DATALINK
819 if (pcap_set_datalink(pcap_h, datalink) == 0)
820 return TRUE; /* no error */
821 set_datalink_err_str = pcap_geterr(pcap_h);
823 /* Let them set it to the type it is; reject any other request. */
824 if (get_pcap_datalink(pcap_h, name) == datalink)
825 return TRUE; /* no error */
826 set_datalink_err_str =
827 "That DLT isn't one of the DLTs supported by this device";
829 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type on interface '%s' (%s).",
830 name, set_datalink_err_str);
832 * If the error isn't "XXX is not one of the DLTs supported by this device",
833 * tell the user to tell the Wireshark developers about it.
835 if (strstr(set_datalink_err_str, "is not one of the DLTs supported by this device") == NULL)
836 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
838 secondary_errmsg[0] = '\0';
842 static data_link_info_t *
843 create_data_link_info(int dlt)
845 data_link_info_t *data_link_info;
848 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
849 data_link_info->dlt = dlt;
850 text = pcap_datalink_val_to_name(dlt);
852 data_link_info->name = g_strdup(text);
854 data_link_info->name = g_strdup_printf("DLT %d", dlt);
855 text = pcap_datalink_val_to_description(dlt);
856 data_link_info->description = g_strdup(text);
857 return data_link_info;
861 get_data_link_types(pcap_t *pch, interface_options *interface_opts,
864 GList *data_link_types;
866 #ifdef HAVE_PCAP_LIST_DATALINKS
870 data_link_info_t *data_link_info;
872 deflt = get_pcap_datalink(pch, interface_opts->name);
873 #ifdef HAVE_PCAP_LIST_DATALINKS
874 nlt = pcap_list_datalinks(pch, &linktypes);
877 * A negative return is an error.
879 if (err_str != NULL) {
880 #ifdef HAVE_PCAP_CREATE
882 * If we have pcap_create(), we have
883 * pcap_statustostr(), and we can get back errors
884 * other than PCAP_ERROR (-1), such as
885 * PCAP_ERROR_NOT_ACTIVATED. and we should report
888 if (nlt == PCAP_ERROR)
889 *err_str = g_strdup_printf("pcap_list_datalinks() failed: %s",
892 *err_str = g_strdup(pcap_statustostr(nlt));
893 #else /* HAVE_PCAP_CREATE */
894 *err_str = g_strdup_printf("pcap_list_datalinks() failed: %s",
896 #endif /* HAVE_PCAP_CREATE */
900 data_link_types = NULL;
901 for (i = 0; i < nlt; i++) {
902 data_link_info = create_data_link_info(linktypes[i]);
905 * XXX - for 802.11, make the most detailed 802.11
906 * version the default, rather than the one the
907 * device has as the default?
909 if (linktypes[i] == deflt)
910 data_link_types = g_list_prepend(data_link_types,
913 data_link_types = g_list_append(data_link_types,
916 #ifdef HAVE_PCAP_FREE_DATALINKS
917 pcap_free_datalinks(linktypes);
920 * In Windows, there's no guarantee that if you have a library
921 * built with one version of the MSVC++ run-time library, and
922 * it returns a pointer to allocated data, you can free that
923 * data from a program linked with another version of the
924 * MSVC++ run-time library.
926 * This is not an issue on UN*X.
928 * See the mail threads starting at
930 * https://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
934 * https://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
937 #define xx_free free /* hack so checkAPIs doesn't complain */
940 #endif /* HAVE_PCAP_FREE_DATALINKS */
941 #else /* HAVE_PCAP_LIST_DATALINKS */
943 data_link_info = create_data_link_info(deflt);
944 data_link_types = g_list_append(data_link_types, data_link_info);
945 #endif /* HAVE_PCAP_LIST_DATALINKS */
949 return data_link_types;
952 /* Get supported timestamp types for a libpcap device. */
954 get_pcap_timestamp_types(pcap_t *pch _U_, char **err_str _U_)
957 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
959 int ntypes = pcap_list_tstamp_types(pch, &types);
962 *err_str = ntypes < 0 ? pcap_geterr(pch) : NULL;
968 timestamp_info_t *info = (timestamp_info_t *)g_malloc(sizeof *info);
969 info->name = g_strdup(pcap_tstamp_type_val_to_name(types[ntypes]));
970 info->description = g_strdup(pcap_tstamp_type_val_to_description(types[ntypes]));
971 list = g_list_prepend(list, info);
974 pcap_free_tstamp_types(types);
980 #ifdef HAVE_PCAP_CREATE
983 is_linux_bonding_device(const char *ifname)
989 fd = socket(PF_INET, SOCK_DGRAM, 0);
993 memset(&ifr, 0, sizeof ifr);
994 g_strlcpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name);
995 memset(&ifb, 0, sizeof ifb);
996 ifr.ifr_data = (caddr_t)&ifb;
997 #if defined(SIOCBONDINFOQUERY)
998 if (ioctl(fd, SIOCBONDINFOQUERY, &ifr) == 0) {
1003 if (ioctl(fd, BOND_INFO_QUERY_OLD, &ifr) == 0) {
1014 is_linux_bonding_device(const char *ifname _U_)
1021 get_if_capabilities_pcap_create(interface_options *interface_opts,
1024 if_capabilities_t *caps;
1025 char errbuf[PCAP_ERRBUF_SIZE];
1029 pch = pcap_create(interface_opts->name, errbuf);
1031 if (err_str != NULL)
1032 *err_str = g_strdup(errbuf);
1036 if (is_linux_bonding_device(interface_opts->name)) {
1038 * Linux bonding device; not Wi-Fi, so no monitor mode, and
1039 * calling pcap_can_set_rfmon() might get a "no such device"
1045 * Not a Linux bonding device, so go ahead.
1047 status = pcap_can_set_rfmon(pch);
1051 if (status == PCAP_ERROR)
1052 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1055 *err_str = g_strdup(pcap_statustostr(status));
1059 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1061 caps->can_set_rfmon = FALSE;
1062 else if (status == 1) {
1063 caps->can_set_rfmon = TRUE;
1064 if (interface_opts->monitor_mode)
1065 pcap_set_rfmon(pch, 1);
1067 if (err_str != NULL) {
1068 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1076 status = pcap_activate(pch);
1078 /* Error. We ignore warnings (status > 0). */
1079 if (err_str != NULL) {
1080 if (status == PCAP_ERROR)
1081 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1084 *err_str = g_strdup(pcap_statustostr(status));
1091 caps->data_link_types = get_data_link_types(pch, interface_opts,
1093 if (caps->data_link_types == NULL) {
1099 caps->timestamp_types = get_pcap_timestamp_types(pch, NULL);
1103 if (err_str != NULL)
1109 open_capture_device_pcap_create(capture_options *capture_opts
1110 #if defined(HAVE_PCAP_SET_TSTAMP_PRECISION) || defined (HAVE_PCAP_SET_TSTAMP_TYPE)
1115 interface_options *interface_opts, int timeout,
1116 char (*open_err_str)[PCAP_ERRBUF_SIZE])
1121 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1122 "Calling pcap_create() using %s.", interface_opts->name);
1123 pcap_h = pcap_create(interface_opts->name, *open_err_str);
1124 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1125 "pcap_create() returned %p.", (void *)pcap_h);
1126 if (pcap_h != NULL) {
1127 if (interface_opts->has_snaplen) {
1128 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1129 "Calling pcap_set_snaplen() with snaplen %d.",
1130 interface_opts->snaplen);
1131 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
1133 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1134 "Calling pcap_set_promisc() with promisc_mode %d.",
1135 interface_opts->promisc_mode);
1136 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
1137 pcap_set_timeout(pcap_h, timeout);
1139 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1141 * If we're writing pcapng files, try to enable
1142 * nanosecond-resolution capture; any code that
1143 * can read pcapng files must be able to handle
1144 * nanosecond-resolution time stamps. We don't
1145 * care whether it succeeds or fails - if it fails,
1146 * we just use the microsecond-precision time stamps
1149 * If we're writing pcap files, don't try to enable
1150 * nanosecond-resolution capture, as not all code
1151 * that reads pcap files recognizes the nanosecond-
1152 * resolution pcap file magic number.
1153 * We don't care whether this succeeds or fails; if it
1154 * fails (because we don't have pcap_set_tstamp_precision(),
1155 * or because we do but the OS or device doesn't support
1156 * nanosecond resolution timing), we just use microsecond-
1157 * resolution time stamps.
1159 if (capture_opts->use_pcapng)
1160 request_high_resolution_timestamp(pcap_h);
1161 #endif /* HAVE_PCAP_SET_TSTAMP_PRECISION */
1163 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1164 if (interface_opts->timestamp_type) {
1165 err = pcap_set_tstamp_type(pcap_h, interface_opts->timestamp_type_id);
1166 if (err == PCAP_ERROR) {
1167 g_strlcpy(*open_err_str, pcap_geterr(pcap_h),
1168 sizeof *open_err_str);
1173 #endif /* HAVE_PCAP_SET_TSTAMP_PRECISION */
1175 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1176 "buffersize %d.", interface_opts->buffer_size);
1177 if (interface_opts->buffer_size != 0)
1178 pcap_set_buffer_size(pcap_h,
1179 interface_opts->buffer_size * 1024 * 1024);
1180 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1181 "monitor_mode %d.", interface_opts->monitor_mode);
1182 if (interface_opts->monitor_mode)
1183 pcap_set_rfmon(pcap_h, 1);
1184 err = pcap_activate(pcap_h);
1185 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1186 "pcap_activate() returned %d.", err);
1188 /* Failed to activate, set to NULL */
1189 if (err == PCAP_ERROR)
1190 g_strlcpy(*open_err_str, pcap_geterr(pcap_h),
1191 sizeof *open_err_str);
1193 g_strlcpy(*open_err_str, pcap_statustostr(err),
1194 sizeof *open_err_str);
1201 #endif /* HAVE_PCAP_CREATE */
1204 get_if_capabilities_pcap_open_live(interface_options *interface_opts,
1207 if_capabilities_t *caps;
1208 char errbuf[PCAP_ERRBUF_SIZE];
1211 pch = pcap_open_live(interface_opts->name, MIN_PACKET_SIZE, 0, 0,
1214 if (err_str != NULL)
1215 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1219 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1220 caps->can_set_rfmon = FALSE;
1221 caps->data_link_types = get_data_link_types(pch, interface_opts,
1223 if (caps->data_link_types == NULL) {
1229 caps->timestamp_types = get_pcap_timestamp_types(pch, NULL);
1233 if (err_str != NULL)
1239 open_capture_device_pcap_open_live(interface_options *interface_opts,
1240 int timeout, char (*open_err_str)[PCAP_ERRBUF_SIZE])
1245 if (interface_opts->has_snaplen)
1246 snaplen = interface_opts->snaplen;
1249 * Default - use the non-D-Bus maximum snapshot length of
1250 * 256KB, which should be big enough (libpcap didn't get
1251 * D-Bus support until after it goet pcap_create() and
1252 * pcap_activate(), so we don't have D-Bus support and
1253 * don't have to worry about really huge packets).
1257 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1258 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
1259 interface_opts->name, snaplen, interface_opts->promisc_mode);
1260 pcap_h = pcap_open_live(interface_opts->name, snaplen,
1261 interface_opts->promisc_mode, timeout, *open_err_str);
1262 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1263 "pcap_open_live() returned %p.", (void *)pcap_h);
1266 /* If the open succeeded, try to set the capture buffer size. */
1267 if (pcap_h && interface_opts->buffer_size > 1) {
1269 * We have no mechanism to report a warning if this
1270 * fails; we just keep capturing with the smaller buffer,
1271 * as is the case on systems with BPF and pcap_create()
1272 * and pcap_set_buffer_size(), where pcap_activate() just
1273 * silently clamps the buffer size to the maximum.
1275 pcap_setbuff(pcap_h, interface_opts->buffer_size * 1024 * 1024);
1283 * Get the capabilities of a network device.
1286 get_if_capabilities(interface_options *interface_opts, char **err_str)
1288 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
1289 if_capabilities_t *caps;
1290 char errbuf[PCAP_ERRBUF_SIZE];
1293 data_link_info_t *data_link_info;
1295 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
1296 struct pcap_rmtauth auth;
1298 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
1299 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
1300 auth.username = interface_opts->auth_username;
1301 auth.password = interface_opts->auth_password;
1304 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1305 * wherein, when an open with an rpcap: URL fails, the error
1306 * message for the error is not copied to errbuf and whatever
1307 * on-the-stack junk is in errbuf is treated as the error
1310 * To work around that (and any other bugs of that sort), we
1311 * initialize errbuf to an empty string. If we get an error
1312 * and the string is empty, we report it as an unknown error.
1313 * (If we *don't* get an error, and the string is *non*-empty,
1314 * that could be a warning returned, such as "can't turn
1315 * promiscuous mode on"; we currently don't do so.)
1318 pch = pcap_open(interface_opts->name, MIN_PACKET_SIZE, 0, 0, &auth,
1321 if (err_str != NULL)
1322 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1326 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1327 caps->can_set_rfmon = FALSE;
1328 caps->data_link_types = NULL;
1329 deflt = get_pcap_datalink(pch, interface_opts->name);
1330 data_link_info = create_data_link_info(deflt);
1331 caps->data_link_types = g_list_append(caps->data_link_types, data_link_info);
1332 caps->timestamp_types = get_pcap_timestamp_types(pch, NULL);
1335 if (err_str != NULL)
1339 #endif /* defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE) */
1344 return get_if_capabilities_local(interface_opts, err_str);
1348 open_capture_device(capture_options *capture_opts,
1349 interface_options *interface_opts, int timeout,
1350 char (*open_err_str)[PCAP_ERRBUF_SIZE])
1353 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
1354 struct pcap_rmtauth auth;
1357 /* Open the network interface to capture from it.
1358 Some versions of libpcap may put warnings into the error buffer
1359 if they succeed; to tell if that's happened, we have to clear
1360 the error buffer, and check if it's still a null string. */
1361 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
1362 (*open_err_str)[0] = '\0';
1363 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
1365 * If we're opening a remote device, use pcap_open(); that's currently
1366 * the only open routine that supports remote devices.
1368 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
1371 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
1372 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
1373 auth.username = interface_opts->auth_username;
1374 auth.password = interface_opts->auth_password;
1376 if (interface_opts->has_snaplen)
1377 snaplen = interface_opts->snaplen;
1380 * Default - use the non-D-Bus maximum snapshot length,
1381 * which should be big enough, except for D-Bus.
1385 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1386 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
1387 interface_opts->name, snaplen,
1388 interface_opts->promisc_mode, interface_opts->datatx_udp,
1389 interface_opts->nocap_rpcap);
1390 pcap_h = pcap_open(interface_opts->name, snaplen,
1392 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
1393 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
1394 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
1395 timeout, &auth, *open_err_str);
1396 if (pcap_h == NULL) {
1397 /* Error - did pcap actually supply an error message? */
1398 if ((*open_err_str)[0] == '\0') {
1400 * Work around known WinPcap bug wherein
1401 * no error message is filled in on a
1402 * failure to open an rpcap: URL.
1404 g_strlcpy(*open_err_str,
1405 "Unknown error (pcap bug; actual error cause not reported)",
1406 sizeof *open_err_str);
1409 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1410 "pcap_open() returned %p.", (void *)pcap_h);
1411 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
1416 pcap_h = open_capture_device_local(capture_opts, interface_opts,
1417 timeout, open_err_str);
1418 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
1422 #endif /* HAVE_LIBPCAP */
1425 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1430 * indent-tabs-mode: t
1433 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1434 * :indentSize=8:tabSize=8:noTabs=false: