5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
126 #ifdef DEBUG_CHILD_DUMPCAP
127 FILE *debug_log; /* for logging debug messages to */
128 /* a file if DEBUG_CHILD_DUMPCAP */
136 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
138 static gchar *sig_pipe_name = NULL;
139 static HANDLE sig_pipe_handle = NULL;
140 static gboolean signal_pipe_check_running(void);
144 static GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
145 static GMutex *cap_pipe_read_mtx;
149 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
150 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
153 /** Stop a low-level capture (stops the capture child). */
154 static void capture_loop_stop(void);
156 #if !defined (__linux__)
157 #ifndef HAVE_PCAP_BREAKLOOP
159 * We don't have pcap_breakloop(), which is the only way to ensure that
160 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
161 * won't, if the call to read the next packet or batch of packets is
162 * is interrupted by a signal on UN*X, just go back and try again to
165 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
166 * the signal handler, set a flag to stop capturing; however, without
167 * a guarantee of that sort, we can't guarantee that we'll stop capturing
168 * if the read will be retried and won't time out if no packets arrive.
170 * Therefore, on at least some platforms, we work around the lack of
171 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
172 * to wait for packets to arrive, so that we're probably going to be
173 * blocked in the select() when the signal arrives, and can just bail
174 * out of the loop at that point.
176 * However, we don't want to do that on BSD (because "select()" doesn't work
177 * correctly on BPF devices on at least some releases of some flavors of
178 * BSD), and we don't want to do it on Windows (because "select()" is
179 * something for sockets, not for arbitrary handles). (Note that "Windows"
180 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
181 * using WinPcap, not a UNIX libpcap.)
183 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
184 * on BSD times out even if no packets have arrived, so we'll eventually
185 * exit pcap_dispatch() with an indication that no packets have arrived,
186 * and will break out of the capture loop at that point.
188 * On Windows, we can't send a SIGINT to stop capturing, so none of this
189 * applies in any case.
191 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
192 * want to include it if it's not present on this platform, however.
194 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
195 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
197 # define MUST_DO_SELECT
198 # endif /* avoid select */
199 #endif /* HAVE_PCAP_BREAKLOOP */
201 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
202 * in pcap_dispatch(); on the other hand, select() works just fine there.
203 * Hence we use a select for that come what may.
205 #define MUST_DO_SELECT
208 /** init the capture filter */
211 INITFILTER_BAD_FILTER,
212 INITFILTER_OTHER_ERROR
213 } initfilter_status_t;
215 typedef struct _loop_data {
217 gboolean go; /* TRUE as long as we're supposed to keep capturing */
218 int err; /* if non-zero, error seen while capturing */
219 gint packet_count; /* Number of packets we have already captured */
220 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
221 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
223 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
226 /* pcap "input file" */
227 pcap_t *pcap_h; /* pcap handle */
228 gboolean pcap_err; /* TRUE if error from pcap */
229 #ifdef MUST_DO_SELECT
230 int pcap_fd; /* pcap file descriptor */
233 /* capture pipe (unix only "input file") */
234 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
235 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
236 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
238 HANDLE cap_pipe_h; /* The handle of the capture pipe */
240 int cap_pipe_fd; /* the file descriptor of the capture pipe */
242 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
243 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
245 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
246 #endif /* USE_THREADS */
247 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
248 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
250 STATE_EXPECT_REC_HDR,
255 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 guint32 autostop_files;
267 * Standard secondary message for unexpected errors.
269 static const char please_report[] =
270 "Please report this to the Wireshark developers.\n"
271 "(This is not a crash; please do not report it as such.)";
274 * This needs to be static, so that the SIGINT handler can clear the "go"
277 static loop_data global_ld;
281 * Timeout, in milliseconds, for reads from the stream of captured packets
282 * from a capture device.
284 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
285 * 64-bit applications, with sub-second timeouts not to work. The bug is
286 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
288 #if defined(__APPLE__) && defined(__LP64__)
289 static gboolean need_timeout_workaround;
291 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
293 #define CAP_READ_TIMEOUT 250
297 * Timeout, in microseconds, for reads from the stream of captured packets
298 * from a pipe. Pipes don't have the same problem that BPF devices do
299 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
300 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
301 * of the offending versions of Snow Leopard.
303 * On Windows this value is converted to milliseconds and passed to
304 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
305 * will return immediately.
308 #define PIPE_READ_TIMEOUT 250000
310 #define PIPE_READ_TIMEOUT 100000
312 static const char *cap_pipe_err_str;
315 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
316 const char *message, gpointer user_data _U_);
318 /* capture related options */
319 static capture_options global_capture_opts;
320 static gboolean quiet = FALSE;
322 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
324 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
325 int err, gboolean is_close);
327 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
329 static void report_new_capture_file(const char *filename);
330 static void report_packet_count(int packet_count);
331 static void report_packet_drops(guint32 drops);
332 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
333 static void report_cfilter_error(const char *cfilter, const char *errmsg);
335 #define MSG_MAX_LENGTH 4096
338 print_usage(gboolean print_ver) {
346 "Dumpcap " VERSION "%s\n"
347 "Capture network packets and dump them into a libpcap file.\n"
348 "See http://www.wireshark.org for more information.\n",
349 wireshark_svnversion);
353 fprintf(output, "\nUsage: dumpcap [options] ...\n");
354 fprintf(output, "\n");
355 fprintf(output, "Capture interface:\n");
356 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
357 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
358 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
359 fprintf(output, " -p don't capture in promiscuous mode\n");
360 #ifdef HAVE_PCAP_CREATE
361 fprintf(output, " -I capture in monitor mode, if available\n");
363 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
364 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
366 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
367 fprintf(output, " -D print list of interfaces and exit\n");
368 fprintf(output, " -L print list of link-layer types of iface and exit\n");
369 #ifdef HAVE_BPF_IMAGE
370 fprintf(output, " -d print generated BPF code for capture filter\n");
372 fprintf(output, " -S print statistics for each interface once every second\n");
373 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
374 fprintf(output, "\n");
375 #ifdef HAVE_PCAP_REMOTE
376 fprintf(output, "\nRPCAP options:\n");
377 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
378 fprintf(output, " -u use UDP for RPCAP data transfer\n");
379 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
380 #ifdef HAVE_PCAP_SETSAMPLING
381 fprintf(output, " -m <sampling type> use packet sampling\n");
382 fprintf(output, " count:NUM - capture one packet of every NUM\n");
383 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
386 fprintf(output, "Stop conditions:\n");
387 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
388 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
389 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
390 fprintf(output, " files:NUM - stop after NUM files\n");
391 /*fprintf(output, "\n");*/
392 fprintf(output, "Output (files):\n");
393 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
394 fprintf(output, " -g enable group read access on the output file(s)\n");
395 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
396 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
397 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
398 fprintf(output, " -n use pcapng format instead of pcap\n");
399 /*fprintf(output, "\n");*/
400 fprintf(output, "Miscellaneous:\n");
401 fprintf(output, " -q don't report packet capture counts\n");
402 fprintf(output, " -v print version information and exit\n");
403 fprintf(output, " -h display this help and exit\n");
404 fprintf(output, "\n");
405 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
406 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
407 fprintf(output, "\n");
408 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
412 show_version(GString *comp_info_str, GString *runtime_info_str)
416 "Dumpcap " VERSION "%s\n"
421 "See http://www.wireshark.org for more information.\n",
422 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
426 * Print to the standard error. This is a command-line tool, so there's
427 * no need to pop up a console.
430 vfprintf_stderr(const char *fmt, va_list ap)
432 vfprintf(stderr, fmt, ap);
436 fprintf_stderr(const char *fmt, ...)
441 vfprintf_stderr(fmt, ap);
446 * Report an error in command-line arguments.
449 cmdarg_err(const char *fmt, ...)
455 /* Generate a 'special format' message back to parent */
457 msg = g_strdup_vprintf(fmt, ap);
458 sync_pipe_errmsg_to_parent(2, msg, "");
463 fprintf(stderr, "dumpcap: ");
464 vfprintf(stderr, fmt, ap);
465 fprintf(stderr, "\n");
471 * Report additional information for an error in command-line arguments.
474 cmdarg_err_cont(const char *fmt, ...)
481 msg = g_strdup_vprintf(fmt, ap);
482 sync_pipe_errmsg_to_parent(2, msg, "");
487 vfprintf(stderr, fmt, ap);
488 fprintf(stderr, "\n");
495 #if 0 /* Set to enable capability debugging */
496 /* see 'man cap_to_text()' for explanation of output */
497 /* '=' means 'all= ' ie: no capabilities */
498 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
500 print_caps(const char *pfx) {
501 cap_t caps = cap_get_proc();
502 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
503 "%s: EUID: %d Capabilities: %s", pfx,
504 geteuid(), cap_to_text(caps, NULL));
507 print_caps(const char *pfx _U_) {
512 relinquish_all_capabilities(void)
514 /* Drop any and all capabilities this process may have. */
515 /* Allowed whether or not process has any privileges. */
516 cap_t caps = cap_init(); /* all capabilities initialized to off */
517 print_caps("Pre-clear");
518 if (cap_set_proc(caps)) {
519 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
521 print_caps("Post-clear");
527 open_capture_device(capture_options *capture_opts,
528 char (*open_err_str)[PCAP_ERRBUF_SIZE])
531 #ifdef HAVE_PCAP_CREATE
534 #ifdef HAVE_PCAP_REMOTE
535 struct pcap_rmtauth auth;
538 /* Open the network interface to capture from it.
539 Some versions of libpcap may put warnings into the error buffer
540 if they succeed; to tell if that's happened, we have to clear
541 the error buffer, and check if it's still a null string. */
542 (*open_err_str)[0] = '\0';
543 #ifdef HAVE_PCAP_OPEN
545 * If we're opening a remote device, use pcap_open(); that's currently
546 * the only open routine that supports remote devices.
548 if (strncmp (capture_opts->iface, "rpcap://", 8) == 0) {
549 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
550 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
551 auth.username = capture_opts->auth_username;
552 auth.password = capture_opts->auth_password;
554 pcap_h = pcap_open(capture_opts->iface,
555 capture_opts->has_snaplen ? capture_opts->snaplen :
556 WTAP_MAX_PACKET_SIZE,
558 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
559 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
560 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
561 CAP_READ_TIMEOUT, &auth, *open_err_str);
563 #endif /* HAVE_PCAP_OPEN */
566 * If we're not opening a remote device, use pcap_create() and
567 * pcap_activate() if we have them, so that we can set the buffer
568 * size, otherwise use pcap_open_live().
570 #ifdef HAVE_PCAP_CREATE
571 pcap_h = pcap_create(capture_opts->iface, *open_err_str);
572 if (pcap_h != NULL) {
573 pcap_set_snaplen(pcap_h, capture_opts->has_snaplen ? capture_opts->snaplen : WTAP_MAX_PACKET_SIZE);
574 pcap_set_promisc(pcap_h, capture_opts->promisc_mode);
575 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
577 if (capture_opts->buffer_size > 1) {
578 pcap_set_buffer_size(pcap_h, capture_opts->buffer_size * 1024 * 1024);
580 if (capture_opts->monitor_mode)
581 pcap_set_rfmon(pcap_h, 1);
582 err = pcap_activate(pcap_h);
584 /* Failed to activate, set to NULL */
585 if (err == PCAP_ERROR)
586 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
588 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
594 pcap_h = pcap_open_live(capture_opts->iface,
595 capture_opts->has_snaplen ? capture_opts->snaplen :
596 WTAP_MAX_PACKET_SIZE,
597 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
602 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
603 /* to remove any suid privileges. */
604 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
605 /* (euid/egid have already previously been set to ruid/rgid. */
606 /* (See comment in main() for details) */
608 relinquish_special_privs_perm();
610 relinquish_all_capabilities();
617 get_capture_device_open_failure_messages(const char *open_err_str,
623 char *errmsg, size_t errmsg_len,
624 char *secondary_errmsg,
625 size_t secondary_errmsg_len)
627 const char *libpcap_warn;
628 static const char ppamsg[] = "can't find PPA for ";
630 /* If we got a "can't find PPA for X" message, warn the user (who
631 is running dumcap on HP-UX) that they don't have a version of
632 libpcap that properly handles HP-UX (libpcap 0.6.x and later
633 versions, which properly handle HP-UX, say "can't find /dev/dlpi
634 PPA for X" rather than "can't find PPA for X"). */
635 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
638 "You are running (T)Wireshark with a version of the libpcap library\n"
639 "that doesn't handle HP-UX network devices well; this means that\n"
640 "(T)Wireshark may not be able to capture packets.\n"
642 "To fix this, you should install libpcap 0.6.2, or a later version\n"
643 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
644 "packaged binary form from the Software Porting And Archive Centre\n"
645 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
646 "at the URL lists a number of mirror sites.";
649 g_snprintf(errmsg, (gulong) errmsg_len,
650 "The capture session could not be initiated (%s).", open_err_str);
652 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
653 "Please check to make sure you have sufficient permissions, and that you have "
654 "the proper interface or pipe specified.%s", libpcap_warn);
656 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
658 "Please check that \"%s\" is the proper interface.\n"
661 "Help can be found at:\n"
663 " http://wiki.wireshark.org/WinPcap\n"
664 " http://wiki.wireshark.org/CaptureSetup\n",
669 /* Set the data link type on a pcap. */
671 set_pcap_linktype(pcap_t *pcap_h, capture_options *capture_opts,
672 char *errmsg, size_t errmsg_len,
673 char *secondary_errmsg, size_t secondary_errmsg_len)
675 char *set_linktype_err_str;
677 if (capture_opts->linktype == -1)
678 return TRUE; /* just use the default */
679 #ifdef HAVE_PCAP_SET_DATALINK
680 if (pcap_set_datalink(pcap_h, capture_opts->linktype) == 0)
681 return TRUE; /* no error */
682 set_linktype_err_str = pcap_geterr(pcap_h);
684 /* Let them set it to the type it is; reject any other request. */
685 if (get_pcap_linktype(pcap_h, capture_opts->iface) == capture_opts->linktype)
686 return TRUE; /* no error */
687 set_linktype_err_str =
688 "That DLT isn't one of the DLTs supported by this device";
690 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
691 set_linktype_err_str);
693 * If the error isn't "XXX is not one of the DLTs supported by this device",
694 * tell the user to tell the Wireshark developers about it.
696 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
697 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
699 secondary_errmsg[0] = '\0';
704 compile_capture_filter(const char *iface, pcap_t *pcap_h,
705 struct bpf_program *fcode, char *cfilter)
707 bpf_u_int32 netnum, netmask;
708 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
710 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
712 * Well, we can't get the netmask for this interface; it's used
713 * only for filters that check for broadcast IP addresses, so
714 * we just punt and use 0. It might be nice to warn the user,
715 * but that's a pain in a GUI application, as it'd involve popping
716 * up a message box, and it's not clear how often this would make
717 * a difference (only filters that check for IP broadcast addresses
721 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
724 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
729 #ifdef HAVE_BPF_IMAGE
731 show_filter_code(capture_options *capture_opts)
734 gchar open_err_str[PCAP_ERRBUF_SIZE];
735 char errmsg[MSG_MAX_LENGTH+1];
736 char secondary_errmsg[MSG_MAX_LENGTH+1];
737 struct bpf_program fcode;
738 struct bpf_insn *insn;
741 pcap_h = open_capture_device(capture_opts, &open_err_str);
742 if (pcap_h == NULL) {
743 /* Open failed; get messages */
744 get_capture_device_open_failure_messages(open_err_str,
746 errmsg, sizeof errmsg,
748 sizeof secondary_errmsg);
749 /* And report them */
750 report_capture_error(errmsg, secondary_errmsg);
754 /* Set the link-layer type. */
755 if (!set_pcap_linktype(pcap_h, capture_opts, errmsg, sizeof errmsg,
756 secondary_errmsg, sizeof secondary_errmsg)) {
758 report_capture_error(errmsg, secondary_errmsg);
762 /* OK, try to compile the capture filter. */
763 if (!compile_capture_filter(capture_opts->iface, pcap_h, &fcode,
764 capture_opts->cfilter)) {
766 report_cfilter_error(capture_opts->cfilter, errmsg);
772 /* Let our parent know we succeeded. */
773 pipe_write_block(2, SP_SUCCESS, NULL);
776 /* Now print the filter code. */
777 insn = fcode.bf_insns;
779 for (i = 0; i < fcode.bf_len; insn++, i++)
780 printf("%s\n", bpf_image(insn, i));
786 * capture_interface_list() is expected to do the right thing to get
787 * a list of interfaces.
789 * In most of the programs in the Wireshark suite, "the right thing"
790 * is to run dumpcap and ask it for the list, because dumpcap may
791 * be the only program in the suite with enough privileges to get
794 * In dumpcap itself, however, we obviously can't run dumpcap to
795 * ask for the list. Therefore, our capture_interface_list() should
796 * just call get_interface_list().
799 capture_interface_list(int *err, char **err_str)
801 return get_interface_list(err, err_str);
805 * Get the data-link type for a libpcap device.
806 * This works around AIX 5.x's non-standard and incompatible-with-the-
807 * rest-of-the-universe libpcap.
810 get_pcap_linktype(pcap_t *pch, const char *devname
818 const char *ifacename;
821 linktype = pcap_datalink(pch);
825 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
826 * rather than DLT_ values for link-layer types; the ifType values
827 * for LAN devices are:
834 * and the ifType value for a loopback device is 24.
836 * The AIX names for LAN devices begin with:
843 * and the AIX names for loopback devices begin with "lo".
845 * (The difference between "Ethernet" and "802.3" is presumably
846 * whether packets have an Ethernet header, with a packet type,
847 * or an 802.3 header, with a packet length, followed by an 802.2
848 * header and possibly a SNAP header.)
850 * If the device name matches "linktype" interpreted as an ifType
851 * value, rather than as a DLT_ value, we will assume this is AIX's
852 * non-standard, incompatible libpcap, rather than a standard libpcap,
853 * and will map the link-layer type to the standard DLT_ value for
854 * that link-layer type, as that's what the rest of Wireshark expects.
856 * (This means the capture files won't be readable by a tcpdump
857 * linked with AIX's non-standard libpcap, but so it goes. They
858 * *will* be readable by standard versions of tcpdump, Wireshark,
861 * XXX - if we conclude we're using AIX libpcap, should we also
862 * set a flag to cause us to assume the time stamps are in
863 * seconds-and-nanoseconds form, and to convert them to
864 * seconds-and-microseconds form before processing them and
869 * Find the last component of the device name, which is the
872 ifacename = strchr(devname, '/');
873 if (ifacename == NULL)
876 /* See if it matches any of the LAN device names. */
877 if (strncmp(ifacename, "en", 2) == 0) {
880 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
884 } else if (strncmp(ifacename, "et", 2) == 0) {
887 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
888 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
893 } else if (strncmp(ifacename, "tr", 2) == 0) {
896 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
897 * DLT_IEEE802, which is what's used for Token Ring.
901 } else if (strncmp(ifacename, "fi", 2) == 0) {
902 if (linktype == 15) {
904 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
908 } else if (strncmp(ifacename, "lo", 2) == 0) {
909 if (linktype == 24) {
911 * That's the RFC 1573 value for "software loopback" devices; map it
912 * to DLT_NULL, which is what's used for loopback devices on BSD.
922 static data_link_info_t *
923 create_data_link_info(int dlt)
925 data_link_info_t *data_link_info;
928 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
929 data_link_info->dlt = dlt;
930 text = pcap_datalink_val_to_name(dlt);
932 data_link_info->name = g_strdup(text);
934 data_link_info->name = g_strdup_printf("DLT %d", dlt);
935 text = pcap_datalink_val_to_description(dlt);
937 data_link_info->description = g_strdup(text);
939 data_link_info->description = NULL;
940 return data_link_info;
944 * Get the capabilities of a network device.
946 static if_capabilities_t *
947 get_if_capabilities(const char *devname, gboolean monitor_mode
948 #ifndef HAVE_PCAP_CREATE
953 if_capabilities_t *caps;
954 char errbuf[PCAP_ERRBUF_SIZE];
956 #ifdef HAVE_PCAP_CREATE
960 #ifdef HAVE_PCAP_LIST_DATALINKS
964 data_link_info_t *data_link_info;
967 * Allocate the interface capabilities structure.
969 caps = g_malloc(sizeof *caps);
971 #ifdef HAVE_PCAP_OPEN
972 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
973 caps->can_set_rfmon = FALSE;
976 *err_str = g_strdup(errbuf);
980 #elif defined(HAVE_PCAP_CREATE)
981 pch = pcap_create(devname, errbuf);
984 *err_str = g_strdup(errbuf);
988 status = pcap_can_set_rfmon(pch);
991 if (status == PCAP_ERROR)
992 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
995 *err_str = g_strdup(pcap_statustostr(status));
1001 caps->can_set_rfmon = FALSE;
1002 else if (status == 1) {
1003 caps->can_set_rfmon = TRUE;
1005 pcap_set_rfmon(pch, 1);
1007 if (err_str != NULL) {
1008 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1016 status = pcap_activate(pch);
1018 /* Error. We ignore warnings (status > 0). */
1019 if (err_str != NULL) {
1020 if (status == PCAP_ERROR)
1021 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1024 *err_str = g_strdup(pcap_statustostr(status));
1031 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1032 caps->can_set_rfmon = FALSE;
1034 if (err_str != NULL)
1035 *err_str = g_strdup(errbuf);
1040 deflt = get_pcap_linktype(pch, devname);
1041 #ifdef HAVE_PCAP_LIST_DATALINKS
1042 nlt = pcap_list_datalinks(pch, &linktypes);
1043 if (nlt == 0 || linktypes == NULL) {
1045 if (err_str != NULL)
1046 *err_str = NULL; /* an empty list doesn't mean an error */
1049 caps->data_link_types = NULL;
1050 for (i = 0; i < nlt; i++) {
1051 data_link_info = create_data_link_info(linktypes[i]);
1054 * XXX - for 802.11, make the most detailed 802.11
1055 * version the default, rather than the one the
1056 * device has as the default?
1058 if (linktypes[i] == deflt)
1059 caps->data_link_types = g_list_prepend(caps->data_link_types,
1062 caps->data_link_types = g_list_append(caps->data_link_types,
1065 #ifdef HAVE_PCAP_FREE_DATALINKS
1066 pcap_free_datalinks(linktypes);
1069 * In Windows, there's no guarantee that if you have a library
1070 * built with one version of the MSVC++ run-time library, and
1071 * it returns a pointer to allocated data, you can free that
1072 * data from a program linked with another version of the
1073 * MSVC++ run-time library.
1075 * This is not an issue on UN*X.
1077 * See the mail threads starting at
1079 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1083 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1086 #define xx_free free /* hack so checkAPIs doesn't complain */
1089 #endif /* HAVE_PCAP_FREE_DATALINKS */
1090 #else /* HAVE_PCAP_LIST_DATALINKS */
1092 data_link_info = create_data_link_info(deflt);
1093 caps->data_link_types = g_list_append(caps->data_link_types,
1095 #endif /* HAVE_PCAP_LIST_DATALINKS */
1099 if (err_str != NULL)
1104 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1106 print_machine_readable_interfaces(GList *if_list)
1113 char addr_str[ADDRSTRLEN];
1115 if (capture_child) {
1116 /* Let our parent know we succeeded. */
1117 pipe_write_block(2, SP_SUCCESS, NULL);
1120 i = 1; /* Interface id number */
1121 for (if_entry = g_list_first(if_list); if_entry != NULL;
1122 if_entry = g_list_next(if_entry)) {
1123 if_info = (if_info_t *)if_entry->data;
1124 printf("%d. %s", i++, if_info->name);
1127 * Print the contents of the if_entry struct in a parseable format.
1128 * Each if_entry element is tab-separated. Addresses are comma-
1131 /* XXX - Make sure our description doesn't contain a tab */
1132 if (if_info->description != NULL)
1133 printf("\t%s\t", if_info->description);
1137 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1138 addr = g_slist_next(addr)) {
1139 if (addr != g_slist_nth(if_info->addrs, 0))
1142 if_addr = (if_addr_t *)addr->data;
1143 switch(if_addr->ifat_type) {
1145 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1147 printf("%s", addr_str);
1149 printf("<unknown IPv4>");
1153 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1154 addr_str, ADDRSTRLEN)) {
1155 printf("%s", addr_str);
1157 printf("<unknown IPv6>");
1161 printf("<type unknown %u>", if_addr->ifat_type);
1165 if (if_info->loopback)
1166 printf("\tloopback");
1168 printf("\tnetwork");
1175 * If you change the machine-readable output format of this function,
1176 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1179 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1182 data_link_info_t *data_link_info;
1183 const gchar *desc_str;
1185 if (capture_child) {
1186 /* Let our parent know we succeeded. */
1187 pipe_write_block(2, SP_SUCCESS, NULL);
1190 if (caps->can_set_rfmon)
1194 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1195 lt_entry = g_list_next(lt_entry)) {
1196 data_link_info = (data_link_info_t *)lt_entry->data;
1197 if (data_link_info->description != NULL)
1198 desc_str = data_link_info->description;
1200 desc_str = "(not supported)";
1201 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1211 /* Print the number of packets captured for each interface until we're killed. */
1213 print_statistics_loop(gboolean machine_readable)
1215 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1221 char errbuf[PCAP_ERRBUF_SIZE];
1222 struct pcap_stat ps;
1224 if_list = get_interface_list(&err, &err_str);
1225 if (if_list == NULL) {
1227 case CANT_GET_INTERFACE_LIST:
1228 cmdarg_err("%s", err_str);
1232 case NO_INTERFACES_FOUND:
1233 cmdarg_err("There are no interfaces on which a capture can be done");
1239 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1240 if_info = (if_info_t *)if_entry->data;
1241 #ifdef HAVE_PCAP_OPEN
1242 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1244 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1248 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1249 if_stat->name = g_strdup(if_info->name);
1251 stat_list = g_list_append(stat_list, if_stat);
1256 cmdarg_err("There are no interfaces on which a capture can be done");
1260 if (capture_child) {
1261 /* Let our parent know we succeeded. */
1262 pipe_write_block(2, SP_SUCCESS, NULL);
1265 if (!machine_readable) {
1266 printf("%-15s %10s %10s\n", "Interface", "Received",
1270 global_ld.go = TRUE;
1271 while (global_ld.go) {
1272 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1273 if_stat = (if_stat_t *)stat_entry->data;
1274 pcap_stats(if_stat->pch, &ps);
1276 if (!machine_readable) {
1277 printf("%-15s %10u %10u\n", if_stat->name,
1278 ps.ps_recv, ps.ps_drop);
1280 printf("%s\t%u\t%u\n", if_stat->name,
1281 ps.ps_recv, ps.ps_drop);
1286 if (! global_ld.from_cap_pipe)
1293 /* XXX - Not reached. Should we look for 'q' in stdin? */
1294 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1295 if_stat = (if_stat_t *)stat_entry->data;
1296 pcap_close(if_stat->pch);
1297 g_free(if_stat->name);
1300 g_list_free(stat_list);
1301 free_interface_list(if_list);
1309 capture_cleanup_handler(DWORD dwCtrlType)
1311 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1312 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1313 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1314 like SIGTERM at least when the machine's shutting down.
1316 For now, if we're running as a command rather than a capture child,
1317 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1318 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1319 in that way on UN*X.
1321 If we're not running as a capture child, we might be running as
1322 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1323 user logs out. (XXX - can we explicitly check whether we're
1324 running as a service?) */
1326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1327 "Console: Control signal");
1328 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1329 "Console: Control signal, CtrlType: %u", dwCtrlType);
1331 /* Keep capture running if we're a service and a user logs off */
1332 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1333 capture_loop_stop();
1341 capture_cleanup_handler(int signum _U_)
1343 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1344 SIGTERM. We assume that if the user wanted it to keep running
1345 after they logged out, they'd have nohupped it. */
1347 /* Note: don't call g_log() in the signal handler: if we happened to be in
1348 * g_log() in process context when the signal came in, g_log will detect
1349 * the "recursion" and abort.
1352 capture_loop_stop();
1358 report_capture_count(void)
1360 /* Don't print this if we're a capture child. */
1361 if (!capture_child) {
1363 /* Report the count only if we aren't printing a packet count
1364 as packets arrive. */
1365 fprintf(stderr, "Packets captured: %u\n", global_ld.packet_count);
1366 /* stderr could be line buffered */
1375 report_counts_for_siginfo(void)
1377 report_capture_count();
1378 infoprint = FALSE; /* we just reported it */
1382 report_counts_siginfo(int signum _U_)
1384 int sav_errno = errno;
1386 /* If we've been told to delay printing, just set a flag asking
1387 that we print counts (if we're supposed to), otherwise print
1388 the count of packets captured (if we're supposed to). */
1392 report_counts_for_siginfo();
1395 #endif /* SIGINFO */
1397 static void exit_main(int status)
1400 /* Shutdown windows sockets */
1403 /* can be helpful for debugging */
1404 #ifdef DEBUG_DUMPCAP
1405 printf("Press any key\n");
1416 * If we were linked with libcap (not libpcap), make sure we have
1417 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1418 * (See comment in main() for details)
1421 relinquish_privs_except_capture(void)
1423 /* If 'started_with_special_privs' (ie: suid) then enable for
1424 * ourself the NET_ADMIN and NET_RAW capabilities and then
1425 * drop our suid privileges.
1427 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1428 * stuff we don't need (and shouldn't have).
1429 * CAP_NET_RAW: Packet capture (raw sockets).
1432 if (started_with_special_privs()) {
1433 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1434 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1436 cap_t caps = cap_init(); /* all capabilities initialized to off */
1438 print_caps("Pre drop, pre set");
1440 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1441 cmdarg_err("prctl() fail return: %s", strerror(errno));
1444 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1445 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1447 if (cap_set_proc(caps)) {
1448 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1450 print_caps("Pre drop, post set");
1452 relinquish_special_privs_perm();
1454 print_caps("Post drop, pre set");
1455 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1456 if (cap_set_proc(caps)) {
1457 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1459 print_caps("Post drop, post set");
1465 #endif /* HAVE_LIBCAP */
1467 /* Take care of byte order in the libpcap headers read from pipes.
1468 * (function taken from wiretap/libpcap.c) */
1470 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1473 /* Byte-swap the record header fields. */
1474 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1475 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1476 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1477 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1480 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1481 swapped, in order to match the BPF header layout.
1483 Unfortunately, some files were, according to a comment in the "libpcap"
1484 source, written with version 2.3 in their headers but without the
1485 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1486 would make no sense - we assume that we need to swap them. */
1487 if (hdr->version_major == 2 &&
1488 (hdr->version_minor < 3 ||
1489 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1492 temp = rechdr->orig_len;
1493 rechdr->orig_len = rechdr->incl_len;
1494 rechdr->incl_len = temp;
1500 * Thread function that reads from a pipe and pushes the data
1501 * to the main application thread.
1504 * XXX Right now we use async queues for basic signaling. The main thread
1505 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1506 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1507 * Iff the read is successful cap_pipe_read pushes an item onto
1508 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1509 * the queues themselves (yet).
1511 * We might want to move some of the cap_pipe_dispatch logic here so that
1512 * we can let cap_pipe_read run independently, queuing up multiple reads
1513 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1515 static void *cap_pipe_read(void *ld_ptr) {
1516 loop_data *ld = (loop_data *)ld_ptr;
1525 while (ld->cap_pipe_err == PIPOK) {
1526 g_async_queue_pop(cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1527 g_mutex_lock(cap_pipe_read_mtx);
1529 while (bytes_read < (int) ld->cap_pipe_bytes_to_read) {
1531 /* If we try to use read() on a named pipe on Windows with partial
1532 * data it appears to return EOF.
1534 res = ReadFile(ld->cap_pipe_h, ld->cap_pipe_buf+bytes_read,
1535 ld->cap_pipe_bytes_to_read - bytes_read,
1540 last_err = GetLastError();
1541 if (last_err == ERROR_MORE_DATA) {
1543 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1544 ld->cap_pipe_err = PIPEOF;
1548 ld->cap_pipe_err = PIPERR;
1551 } else if (b == 0 && ld->cap_pipe_bytes_to_read > 0) {
1552 ld->cap_pipe_err = PIPEOF;
1557 b = read(ld->cap_pipe_fd, ld->cap_pipe_buf+bytes_read,
1558 ld->cap_pipe_bytes_to_read - bytes_read);
1561 ld->cap_pipe_err = PIPEOF;
1565 ld->cap_pipe_err = PIPERR;
1574 ld->cap_pipe_bytes_read = bytes_read;
1575 if (ld->cap_pipe_bytes_read >= ld->cap_pipe_bytes_to_read) {
1576 g_async_queue_push(cap_pipe_done_q, ld->cap_pipe_buf); /* Any non-NULL value will do */
1578 g_mutex_unlock(cap_pipe_read_mtx);
1582 #endif /* USE_THREADS */
1584 /* Provide select() functionality for a single file descriptor
1585 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1587 * Returns the same values as select. If an error is returned,
1588 * the string cap_pipe_err_str should be used instead of errno.
1591 cap_pipe_select(int pipe_fd) {
1593 struct timeval timeout;
1596 cap_pipe_err_str = "Unknown error";
1599 FD_SET(pipe_fd, &rfds);
1601 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1602 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1604 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1606 cap_pipe_err_str = strerror(errno);
1611 /* Mimic pcap_open_live() for pipe captures
1613 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1614 * open it, and read the header.
1616 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1617 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1619 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1620 char *errmsg, int errmsgl)
1623 struct stat pipe_stat;
1624 struct sockaddr_un sa;
1627 unsigned int bytes_read;
1638 ld->cap_pipe_fd = -1;
1640 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
1642 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1645 * XXX - this blocks until a pcap per-file header has been written to
1646 * the pipe, so it could block indefinitely.
1648 if (strcmp(pipename, "-") == 0) {
1650 fd = 0; /* read from stdin */
1652 ld->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1656 if (ws_stat(pipename, &pipe_stat) < 0) {
1657 if (errno == ENOENT || errno == ENOTDIR)
1658 ld->cap_pipe_err = PIPNEXIST;
1660 g_snprintf(errmsg, errmsgl,
1661 "The capture session could not be initiated "
1662 "due to error getting information on pipe/socket: %s", strerror(errno));
1663 ld->cap_pipe_err = PIPERR;
1667 if (S_ISFIFO(pipe_stat.st_mode)) {
1668 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1670 g_snprintf(errmsg, errmsgl,
1671 "The capture session could not be initiated "
1672 "due to error on pipe open: %s", strerror(errno));
1673 ld->cap_pipe_err = PIPERR;
1676 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1677 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1679 g_snprintf(errmsg, errmsgl,
1680 "The capture session could not be initiated "
1681 "due to error on socket create: %s", strerror(errno));
1682 ld->cap_pipe_err = PIPERR;
1685 sa.sun_family = AF_UNIX;
1687 * The Single UNIX Specification says:
1689 * The size of sun_path has intentionally been left undefined.
1690 * This is because different implementations use different sizes.
1691 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1692 * of 104. Since most implementations originate from BSD versions,
1693 * the size is typically in the range 92 to 108.
1695 * Applications should not assume a particular length for sun_path
1696 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1700 * The <sys/un.h> header shall define the sockaddr_un structure,
1701 * which shall include at least the following members:
1703 * sa_family_t sun_family Address family.
1704 * char sun_path[] Socket pathname.
1706 * so we assume that it's an array, with a specified size,
1707 * and that the size reflects the maximum path length.
1709 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1710 /* Path name too long */
1711 g_snprintf(errmsg, errmsgl,
1712 "The capture session coud not be initiated "
1713 "due to error on socket connect: Path name too long");
1714 ld->cap_pipe_err = PIPERR;
1717 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1719 g_snprintf(errmsg, errmsgl,
1720 "The capture session coud not be initiated "
1721 "due to error on socket connect: %s", strerror(errno));
1722 ld->cap_pipe_err = PIPERR;
1726 if (S_ISCHR(pipe_stat.st_mode)) {
1728 * Assume the user specified an interface on a system where
1729 * interfaces are in /dev. Pretend we haven't seen it.
1731 ld->cap_pipe_err = PIPNEXIST;
1734 g_snprintf(errmsg, errmsgl,
1735 "The capture session could not be initiated because\n"
1736 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1737 ld->cap_pipe_err = PIPERR;
1742 #define PIPE_STR "\\pipe\\"
1743 /* Under Windows, named pipes _must_ have the form
1744 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1746 pncopy = g_strdup(pipename);
1747 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1748 pos = strchr(pncopy + 3, '\\');
1749 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1756 g_snprintf(errmsg, errmsgl,
1757 "The capture session could not be initiated because\n"
1758 "\"%s\" is neither an interface nor a pipe", pipename);
1759 ld->cap_pipe_err = PIPNEXIST;
1763 /* Wait for the pipe to appear */
1765 ld->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1766 OPEN_EXISTING, 0, NULL);
1768 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE)
1771 if (GetLastError() != ERROR_PIPE_BUSY) {
1772 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1773 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1774 g_snprintf(errmsg, errmsgl,
1775 "The capture session on \"%s\" could not be started "
1776 "due to error on pipe open: %s (error %d)",
1777 pipename, utf_16to8(err_str), GetLastError());
1779 ld->cap_pipe_err = PIPERR;
1783 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1784 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1785 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1786 g_snprintf(errmsg, errmsgl,
1787 "The capture session on \"%s\" timed out during "
1788 "pipe open: %s (error %d)",
1789 pipename, utf_16to8(err_str), GetLastError());
1791 ld->cap_pipe_err = PIPERR;
1798 ld->from_cap_pipe = TRUE;
1801 /* read the pcap header */
1803 while (bytes_read < sizeof magic) {
1804 sel_ret = cap_pipe_select(fd);
1806 g_snprintf(errmsg, errmsgl,
1807 "Unexpected error from select: %s", strerror(errno));
1809 } else if (sel_ret > 0) {
1810 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1813 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1815 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1822 #else /* USE_THREADS */
1823 g_thread_create(&cap_pipe_read, ld, FALSE, NULL);
1825 ld->cap_pipe_buf = (char *) &magic;
1826 ld->cap_pipe_bytes_read = 0;
1827 ld->cap_pipe_bytes_to_read = sizeof(magic);
1828 /* We don't have to worry about cap_pipe_read_mtx here */
1829 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1830 g_async_queue_pop(cap_pipe_done_q);
1831 if (ld->cap_pipe_bytes_read <= 0) {
1832 if (ld->cap_pipe_bytes_read == 0)
1833 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1835 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1840 #endif /* USE_THREADS */
1844 /* Host that wrote it has our byte order, and was running
1845 a program using either standard or ss990417 libpcap. */
1846 ld->cap_pipe_byte_swapped = FALSE;
1847 ld->cap_pipe_modified = FALSE;
1849 case PCAP_MODIFIED_MAGIC:
1850 /* Host that wrote it has our byte order, but was running
1851 a program using either ss990915 or ss991029 libpcap. */
1852 ld->cap_pipe_byte_swapped = FALSE;
1853 ld->cap_pipe_modified = TRUE;
1855 case PCAP_SWAPPED_MAGIC:
1856 /* Host that wrote it has a byte order opposite to ours,
1857 and was running a program using either standard or
1858 ss990417 libpcap. */
1859 ld->cap_pipe_byte_swapped = TRUE;
1860 ld->cap_pipe_modified = FALSE;
1862 case PCAP_SWAPPED_MODIFIED_MAGIC:
1863 /* Host that wrote it out has a byte order opposite to
1864 ours, and was running a program using either ss990915
1865 or ss991029 libpcap. */
1866 ld->cap_pipe_byte_swapped = TRUE;
1867 ld->cap_pipe_modified = TRUE;
1870 /* Not a "libpcap" type we know about. */
1871 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1876 /* Read the rest of the header */
1878 while (bytes_read < sizeof(struct pcap_hdr)) {
1879 sel_ret = cap_pipe_select(fd);
1881 g_snprintf(errmsg, errmsgl,
1882 "Unexpected error from select: %s", strerror(errno));
1884 } else if (sel_ret > 0) {
1885 b = read(fd, ((char *)hdr)+bytes_read,
1886 sizeof(struct pcap_hdr) - bytes_read);
1889 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1891 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1898 #else /* USE_THREADS */
1899 ld->cap_pipe_buf = (char *) hdr;
1900 ld->cap_pipe_bytes_read = 0;
1901 ld->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1902 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1903 g_async_queue_pop(cap_pipe_done_q);
1904 if (ld->cap_pipe_bytes_read <= 0) {
1905 if (ld->cap_pipe_bytes_read == 0)
1906 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1908 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1912 #endif /* USE_THREADS */
1914 if (ld->cap_pipe_byte_swapped) {
1915 /* Byte-swap the header fields about which we care. */
1916 hdr->version_major = BSWAP16(hdr->version_major);
1917 hdr->version_minor = BSWAP16(hdr->version_minor);
1918 hdr->snaplen = BSWAP32(hdr->snaplen);
1919 hdr->network = BSWAP32(hdr->network);
1921 ld->linktype = hdr->network;
1923 if (hdr->version_major < 2) {
1924 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1928 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1929 ld->cap_pipe_err = PIPOK;
1931 ld->cap_pipe_fd = fd;
1936 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1937 ld->cap_pipe_err = PIPERR;
1940 ld->cap_pipe_fd = -1;
1947 /* We read one record from the pipe, take care of byte order in the record
1948 * header, write the record to the capture file, and update capture statistics. */
1950 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1952 struct pcap_pkthdr phdr;
1953 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1965 #ifdef LOG_CAPTURE_VERBOSE
1966 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1969 switch (ld->cap_pipe_state) {
1971 case STATE_EXPECT_REC_HDR:
1973 if (g_mutex_trylock(cap_pipe_read_mtx)) {
1976 ld->cap_pipe_state = STATE_READ_REC_HDR;
1977 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1978 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1979 ld->cap_pipe_bytes_read = 0;
1982 ld->cap_pipe_buf = (char *) &ld->cap_pipe_rechdr;
1983 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1984 g_mutex_unlock(cap_pipe_read_mtx);
1989 case STATE_READ_REC_HDR:
1991 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1992 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1995 result = PD_PIPE_EOF;
1997 result = PD_PIPE_ERR;
2000 ld->cap_pipe_bytes_read += b;
2001 #else /* USE_THREADS */
2002 g_get_current_time(&wait_time);
2003 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2004 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2005 if (ld->cap_pipe_err == PIPEOF) {
2006 result = PD_PIPE_EOF;
2008 } else if (ld->cap_pipe_err == PIPERR) {
2009 result = PD_PIPE_ERR;
2015 #endif /* USE_THREADS */
2016 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2018 result = PD_REC_HDR_READ;
2021 case STATE_EXPECT_DATA:
2023 if (g_mutex_trylock(cap_pipe_read_mtx)) {
2026 ld->cap_pipe_state = STATE_READ_DATA;
2027 ld->cap_pipe_bytes_to_read = ld->cap_pipe_rechdr.hdr.incl_len;
2028 ld->cap_pipe_bytes_read = 0;
2031 ld->cap_pipe_buf = (char *) data;
2032 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
2033 g_mutex_unlock(cap_pipe_read_mtx);
2038 case STATE_READ_DATA:
2040 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
2041 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
2044 result = PD_PIPE_EOF;
2046 result = PD_PIPE_ERR;
2049 ld->cap_pipe_bytes_read += b;
2050 #else /* USE_THREADS */
2051 g_get_current_time(&wait_time);
2052 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2053 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2054 if (ld->cap_pipe_err == PIPEOF) {
2055 result = PD_PIPE_EOF;
2057 } else if (ld->cap_pipe_err == PIPERR) {
2058 result = PD_PIPE_ERR;
2064 #endif /* USE_THREADS */
2065 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2067 result = PD_DATA_READ;
2071 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2074 } /* switch (ld->cap_pipe_state) */
2077 * We've now read as much data as we were expecting, so process it.
2081 case PD_REC_HDR_READ:
2082 /* We've read the header. Take care of byte order. */
2083 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
2084 &ld->cap_pipe_rechdr.hdr);
2085 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2086 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2087 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
2090 ld->cap_pipe_state = STATE_EXPECT_DATA;
2094 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2095 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
2096 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
2097 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
2098 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
2100 capture_loop_packet_cb((u_char *)ld, &phdr, data);
2102 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
2106 ld->cap_pipe_err = PIPEOF;
2111 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2112 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2113 g_snprintf(errmsg, errmsgl,
2114 "Error reading from pipe: %s (error %d)",
2115 utf_16to8(err_str), GetLastError());
2118 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2126 ld->cap_pipe_err = PIPERR;
2127 /* Return here rather than inside the switch to prevent GCC warning */
2132 /** Open the capture input file (pcap or capture pipe).
2133 * Returns TRUE if it succeeds, FALSE otherwise. */
2135 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2136 char *errmsg, size_t errmsg_len,
2137 char *secondary_errmsg, size_t secondary_errmsg_len)
2139 gchar open_err_str[PCAP_ERRBUF_SIZE];
2140 gchar *sync_msg_str;
2143 gchar *sync_secondary_msg_str;
2144 WORD wVersionRequested;
2148 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
2151 /* XXX - opening Winsock on tshark? */
2153 /* Initialize Windows Socket if we are in a WIN32 OS
2154 This needs to be done before querying the interface for network/netmask */
2156 /* XXX - do we really require 1.1 or earlier?
2157 Are there any versions that support only 2.0 or higher? */
2158 wVersionRequested = MAKEWORD(1, 1);
2159 err = WSAStartup(wVersionRequested, &wsaData);
2163 case WSASYSNOTREADY:
2164 g_snprintf(errmsg, (gulong) errmsg_len,
2165 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2168 case WSAVERNOTSUPPORTED:
2169 g_snprintf(errmsg, (gulong) errmsg_len,
2170 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2171 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2174 case WSAEINPROGRESS:
2175 g_snprintf(errmsg, (gulong) errmsg_len,
2176 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2180 g_snprintf(errmsg, (gulong) errmsg_len,
2181 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2185 g_snprintf(errmsg, (gulong) errmsg_len,
2186 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2190 g_snprintf(errmsg, (gulong) errmsg_len,
2191 "Couldn't initialize Windows Sockets: error %d", err);
2194 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2199 ld->pcap_h = open_capture_device(capture_opts, &open_err_str);
2201 if (ld->pcap_h != NULL) {
2202 /* we've opened "iface" as a network device */
2204 /* try to set the capture buffer size */
2205 if (capture_opts->buffer_size > 1 &&
2206 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
2207 sync_secondary_msg_str = g_strdup_printf(
2208 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2209 "the default of 1MB will be used.\n"
2211 "Nonetheless, the capture is started.\n",
2212 capture_opts->buffer_size);
2213 report_capture_error("Couldn't set the capture buffer size!",
2214 sync_secondary_msg_str);
2215 g_free(sync_secondary_msg_str);
2219 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
2220 if ((capture_opts->sampling_method != CAPTURE_SAMP_NONE) &&
2221 (strncmp (capture_opts->iface, "rpcap://", 8) == 0))
2223 struct pcap_samp *samp;
2225 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
2227 switch (capture_opts->sampling_method)
2229 case CAPTURE_SAMP_BY_COUNT:
2230 samp->method = PCAP_SAMP_1_EVERY_N;
2233 case CAPTURE_SAMP_BY_TIMER:
2234 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2238 sync_msg_str = g_strdup_printf(
2239 "Unknown sampling method %d specified,\n"
2240 "continue without packet sampling",
2241 capture_opts->sampling_method);
2242 report_capture_error("Couldn't set the capture "
2243 "sampling", sync_msg_str);
2244 g_free(sync_msg_str);
2246 samp->value = capture_opts->sampling_param;
2250 report_capture_error("Couldn't set the capture sampling",
2251 "Cannot get packet sampling data structure");
2257 /* setting the data link type only works on real interfaces */
2258 if (!set_pcap_linktype(ld->pcap_h, capture_opts, errmsg, errmsg_len,
2259 secondary_errmsg, secondary_errmsg_len))
2261 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
2263 /* We couldn't open "iface" as a network device. */
2264 /* Try to open it as a pipe */
2265 cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
2268 if (ld->cap_pipe_fd == -1) {
2270 if (ld->cap_pipe_h == INVALID_HANDLE_VALUE) {
2273 if (ld->cap_pipe_err == PIPNEXIST) {
2274 /* Pipe doesn't exist, so output message for interface */
2275 get_capture_device_open_failure_messages(open_err_str,
2276 capture_opts->iface,
2280 secondary_errmsg_len);
2283 * Else pipe (or file) does exist and cap_pipe_open_live() has
2288 /* cap_pipe_open_live() succeeded; don't want
2289 error message from pcap_open_live() */
2290 open_err_str[0] = '\0';
2293 /* XXX - will this work for tshark? */
2294 #ifdef MUST_DO_SELECT
2295 if (!ld->from_cap_pipe) {
2296 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2297 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
2299 ld->pcap_fd = pcap_fileno(ld->pcap_h);
2304 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2305 returned a warning; print it, but keep capturing. */
2306 if (open_err_str[0] != '\0') {
2307 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2308 report_capture_error(sync_msg_str, "");
2309 g_free(sync_msg_str);
2315 /* close the capture input file (pcap or capture pipe) */
2316 static void capture_loop_close_input(loop_data *ld) {
2318 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2320 /* if open, close the capture pipe "input file" */
2322 if (ld->cap_pipe_fd >= 0) {
2323 g_assert(ld->from_cap_pipe);
2324 ws_close(ld->cap_pipe_fd);
2325 ld->cap_pipe_fd = 0;
2328 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE) {
2329 CloseHandle(ld->cap_pipe_h);
2330 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
2334 /* if open, close the pcap "input file" */
2335 if(ld->pcap_h != NULL) {
2336 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)ld->pcap_h);
2337 g_assert(!ld->from_cap_pipe);
2338 pcap_close(ld->pcap_h);
2345 /* Shut down windows sockets */
2351 /* init the capture filter */
2352 static initfilter_status_t
2353 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2354 gchar * iface, gchar * cfilter)
2356 struct bpf_program fcode;
2358 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2360 /* capture filters only work on real interfaces */
2361 if (cfilter && !from_cap_pipe) {
2362 /* A capture filter was specified; set it up. */
2363 if (!compile_capture_filter(iface, pcap_h, &fcode, cfilter)) {
2364 /* Treat this specially - our caller might try to compile this
2365 as a display filter and, if that succeeds, warn the user that
2366 the display and capture filter syntaxes are different. */
2367 return INITFILTER_BAD_FILTER;
2369 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2370 #ifdef HAVE_PCAP_FREECODE
2371 pcap_freecode(&fcode);
2373 return INITFILTER_OTHER_ERROR;
2375 #ifdef HAVE_PCAP_FREECODE
2376 pcap_freecode(&fcode);
2380 return INITFILTER_NO_ERROR;
2384 /* set up to write to the already-opened capture output file/files */
2386 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
2390 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2393 if (ld->from_cap_pipe) {
2394 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
2397 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
2400 /* Set up to write to the capture file. */
2401 if (capture_opts->multi_files_on) {
2402 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2404 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2407 gboolean successful;
2409 ld->bytes_written = 0;
2410 if (capture_opts->use_pcapng) {
2413 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2414 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err) &&
2415 libpcap_write_interface_description_block(ld->pdh, capture_opts->iface, capture_opts->cfilter, ld->linktype, ld->file_snaplen, &ld->bytes_written, &err);
2417 successful = libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
2418 &ld->bytes_written, &err);
2426 if (ld->pdh == NULL) {
2427 /* We couldn't set up to write to the capture file. */
2428 /* XXX - use cf_open_error_message from tshark instead? */
2433 g_snprintf(errmsg, errmsg_len,
2434 "The file to which the capture would be"
2435 " saved (\"%s\") could not be opened: Error %d.",
2436 capture_opts->save_file, err);
2438 g_snprintf(errmsg, errmsg_len,
2439 "The file to which the capture would be"
2440 " saved (\"%s\") could not be opened: %s.",
2441 capture_opts->save_file, strerror(err));
2453 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
2455 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2457 if (capture_opts->multi_files_on) {
2458 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2460 if (capture_opts->use_pcapng) {
2461 libpcap_write_interface_statistics_block(ld->pdh, 0, ld->pcap_h, &ld->bytes_written, err_close);
2463 return libpcap_dump_close(ld->pdh, err_close);
2467 /* dispatch incoming packets (pcap or capture pipe)
2469 * Waits for incoming packets to be available, and calls pcap_dispatch()
2470 * to cause them to be processed.
2472 * Returns the number of packets which were processed.
2474 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2475 * packet-batching behaviour does not cause packets to get held back
2479 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
2480 char *errmsg, int errmsg_len)
2483 gint packet_count_before;
2484 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2489 packet_count_before = ld->packet_count;
2490 if (ld->from_cap_pipe) {
2491 /* dispatch from capture pipe */
2492 #ifdef LOG_CAPTURE_VERBOSE
2493 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2496 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
2498 if (sel_ret < 0 && errno != EINTR) {
2499 g_snprintf(errmsg, errmsg_len,
2500 "Unexpected error from select: %s", strerror(errno));
2501 report_capture_error(errmsg, please_report);
2506 * "select()" says we can read from the pipe without blocking
2508 #endif /* USE_THREADS */
2509 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
2519 /* dispatch from pcap */
2520 #ifdef MUST_DO_SELECT
2522 * If we have "pcap_get_selectable_fd()", we use it to get the
2523 * descriptor on which to select; if that's -1, it means there
2524 * is no descriptor on which you can do a "select()" (perhaps
2525 * because you're capturing on a special device, and that device's
2526 * driver unfortunately doesn't support "select()", in which case
2527 * we don't do the select - which means it might not be possible
2528 * to stop a capture until a packet arrives. If that's unacceptable,
2529 * plead with whoever supplies the software for that device to add
2530 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2531 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2532 * later, so it can use pcap_breakloop().
2534 #ifdef LOG_CAPTURE_VERBOSE
2535 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2537 if (ld->pcap_fd != -1) {
2538 sel_ret = cap_pipe_select(ld->pcap_fd);
2541 * "select()" says we can read from it without blocking; go for
2544 * We don't have pcap_breakloop(), so we only process one packet
2545 * per pcap_dispatch() call, to allow a signal to stop the
2546 * processing immediately, rather than processing all packets
2547 * in a batch before quitting.
2549 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
2553 /* Error, rather than pcap_breakloop(). */
2554 ld->pcap_err = TRUE;
2556 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2559 if (sel_ret < 0 && errno != EINTR) {
2560 g_snprintf(errmsg, errmsg_len,
2561 "Unexpected error from select: %s", strerror(errno));
2562 report_capture_error(errmsg, please_report);
2568 #endif /* MUST_DO_SELECT */
2570 /* dispatch from pcap without select */
2572 #ifdef LOG_CAPTURE_VERBOSE
2573 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2577 * On Windows, we don't support asynchronously telling a process to
2578 * stop capturing; instead, we check for an indication on a pipe
2579 * after processing packets. We therefore process only one packet
2580 * at a time, so that we can check the pipe after every packet.
2582 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
2584 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
2588 /* Error, rather than pcap_breakloop(). */
2589 ld->pcap_err = TRUE;
2591 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2593 #else /* pcap_next_ex */
2594 #ifdef LOG_CAPTURE_VERBOSE
2595 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2597 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2600 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2601 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2602 * This should be fixed in the WinPcap 4.0 alpha release.
2604 * For reference, an example remote interface:
2605 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2608 /* emulate dispatch from pcap */
2611 struct pcap_pkthdr *pkt_header;
2616 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
2617 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
2620 ld->pcap_err = TRUE;
2624 #endif /* pcap_next_ex */
2628 #ifdef LOG_CAPTURE_VERBOSE
2629 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2632 return ld->packet_count - packet_count_before;
2636 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2637 * want to grab only the characters between the '{' and '}' delimiters.
2639 * Returns a GString that must be freed with g_string_free(). */
2640 static GString *isolate_uuid(const char *iface)
2645 ptr = strchr(iface, '{');
2647 return g_string_new(iface);
2648 gstr = g_string_new(ptr + 1);
2650 ptr = strchr(gstr->str, '}');
2654 gstr = g_string_truncate(gstr, ptr - gstr->str);
2659 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2660 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2662 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2663 char *errmsg, int errmsg_len) {
2666 gchar *capfile_name;
2668 gboolean is_tempfile;
2670 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2671 (capture_opts->save_file) ? capture_opts->save_file : "");
2673 if (capture_opts->save_file != NULL) {
2674 /* We return to the caller while the capture is in progress.
2675 * Therefore we need to take a copy of save_file in
2676 * case the caller destroys it after we return.
2678 capfile_name = g_strdup(capture_opts->save_file);
2680 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2681 if (capture_opts->multi_files_on) {
2682 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2683 g_snprintf(errmsg, errmsg_len,
2684 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2685 g_free(capfile_name);
2688 if (strcmp(capfile_name, "-") == 0) {
2689 /* write to stdout */
2692 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2693 _setmode(1, O_BINARY);
2696 } /* if (...output_to_pipe ... */
2699 if (capture_opts->multi_files_on) {
2700 /* ringbuffer is enabled */
2701 *save_file_fd = ringbuf_init(capfile_name,
2702 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2703 capture_opts->group_read_access);
2705 /* we need the ringbuf name */
2706 if(*save_file_fd != -1) {
2707 g_free(capfile_name);
2708 capfile_name = g_strdup(ringbuf_current_filename());
2711 /* Try to open/create the specified file for use as a capture buffer. */
2712 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2713 (capture_opts->group_read_access) ? 0640 : 0600);
2716 is_tempfile = FALSE;
2718 /* Choose a random name for the temporary capture buffer */
2722 iface = isolate_uuid(capture_opts->iface);
2723 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2724 g_string_free(iface, TRUE);
2726 prefix = g_strconcat("wireshark_", g_basename(capture_opts->iface), NULL);
2728 *save_file_fd = create_tempfile(&tmpname, prefix);
2730 capfile_name = g_strdup(tmpname);
2734 /* did we fail to open the output file? */
2735 if (*save_file_fd == -1) {
2737 g_snprintf(errmsg, errmsg_len,
2738 "The temporary file to which the capture would be saved (\"%s\") "
2739 "could not be opened: %s.", capfile_name, strerror(errno));
2741 if (capture_opts->multi_files_on) {
2742 ringbuf_error_cleanup();
2745 g_snprintf(errmsg, errmsg_len,
2746 "The file to which the capture would be saved (\"%s\") "
2747 "could not be opened: %s.", capfile_name,
2750 g_free(capfile_name);
2754 if(capture_opts->save_file != NULL) {
2755 g_free(capture_opts->save_file);
2757 capture_opts->save_file = capfile_name;
2758 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2759 "g_free(capfile_name)". */
2766 #define TIME_GET() GetTickCount()
2768 #define TIME_GET() time(NULL)
2771 /* Do the work of handling either the file size or file duration capture
2772 conditions being reached, and switching files or stopping. */
2774 do_file_switch_or_stop(capture_options *capture_opts,
2775 condition *cnd_autostop_files,
2776 condition *cnd_autostop_size,
2777 condition *cnd_file_duration)
2779 if (capture_opts->multi_files_on) {
2780 if (cnd_autostop_files != NULL &&
2781 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2782 /* no files left: stop here */
2783 global_ld.go = FALSE;
2787 /* Switch to the next ringbuffer file */
2788 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2789 &global_ld.save_file_fd, &global_ld.err)) {
2790 gboolean successful;
2792 /* File switch succeeded: reset the conditions */
2793 global_ld.bytes_written = 0;
2794 if (capture_opts->use_pcapng) {
2797 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2798 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &global_ld.bytes_written, &global_ld.err) &&
2799 libpcap_write_interface_description_block(global_ld.pdh, capture_opts->iface, capture_opts->cfilter, global_ld.linktype, global_ld.file_snaplen, &global_ld.bytes_written, &global_ld.err);
2801 successful = libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2802 &global_ld.bytes_written, &global_ld.err);
2805 fclose(global_ld.pdh);
2806 global_ld.pdh = NULL;
2807 global_ld.go = FALSE;
2810 if(cnd_autostop_size)
2811 cnd_reset(cnd_autostop_size);
2812 if(cnd_file_duration)
2813 cnd_reset(cnd_file_duration);
2814 libpcap_dump_flush(global_ld.pdh, NULL);
2816 report_packet_count(global_ld.inpkts_to_sync_pipe);
2817 global_ld.inpkts_to_sync_pipe = 0;
2818 report_new_capture_file(capture_opts->save_file);
2820 /* File switch failed: stop here */
2821 global_ld.go = FALSE;
2825 /* single file, stop now */
2826 global_ld.go = FALSE;
2832 /* Do the low-level work of a capture.
2833 Returns TRUE if it succeeds, FALSE otherwise. */
2835 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
2837 time_t upd_time, cur_time;
2840 condition *cnd_file_duration = NULL;
2841 condition *cnd_autostop_files = NULL;
2842 condition *cnd_autostop_size = NULL;
2843 condition *cnd_autostop_duration = NULL;
2846 gboolean cfilter_error = FALSE;
2847 char errmsg[MSG_MAX_LENGTH+1];
2848 char secondary_errmsg[MSG_MAX_LENGTH+1];
2851 *secondary_errmsg = '\0';
2853 /* init the loop data */
2854 global_ld.go = TRUE;
2855 global_ld.packet_count = 0;
2857 global_ld.report_packet_count = FALSE;
2859 if (capture_opts->has_autostop_packets)
2860 global_ld.packet_max = capture_opts->autostop_packets;
2862 global_ld.packet_max = 0; /* no limit */
2863 global_ld.inpkts_to_sync_pipe = 0;
2864 global_ld.err = 0; /* no error seen yet */
2865 global_ld.pcap_err = FALSE;
2866 global_ld.from_cap_pipe = FALSE;
2867 global_ld.pdh = NULL;
2869 global_ld.cap_pipe_fd = -1;
2871 global_ld.cap_pipe_h = INVALID_HANDLE_VALUE;
2873 #ifdef MUST_DO_SELECT
2874 global_ld.pcap_fd = 0;
2876 global_ld.autostop_files = 0;
2877 global_ld.save_file_fd = -1;
2879 /* We haven't yet gotten the capture statistics. */
2880 *stats_known = FALSE;
2882 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
2883 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
2885 /* open the "input file" from network interface or capture pipe */
2886 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
2887 secondary_errmsg, sizeof(secondary_errmsg))) {
2891 /* init the input filter from the network interface (capture pipe will do nothing) */
2892 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
2893 capture_opts->iface,
2894 capture_opts->cfilter)) {
2896 case INITFILTER_NO_ERROR:
2899 case INITFILTER_BAD_FILTER:
2900 cfilter_error = TRUE;
2901 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
2904 case INITFILTER_OTHER_ERROR:
2905 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
2906 pcap_geterr(global_ld.pcap_h));
2907 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
2911 /* If we're supposed to write to a capture file, open it for output
2912 (temporary/specified name/ringbuffer) */
2913 if (capture_opts->saving_to_file) {
2914 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
2915 errmsg, sizeof(errmsg))) {
2919 /* set up to write to the already-opened capture output file/files */
2920 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
2925 /* XXX - capture SIGTERM and close the capture, in case we're on a
2926 Linux 2.0[.x] system and you have to explicitly close the capture
2927 stream in order to turn promiscuous mode off? We need to do that
2928 in other places as well - and I don't think that works all the
2929 time in any case, due to libpcap bugs. */
2931 /* Well, we should be able to start capturing.
2933 Sync out the capture file, so the header makes it to the file system,
2934 and send a "capture started successfully and capture file created"
2935 message to our parent so that they'll open the capture file and
2936 update its windows to indicate that we have a live capture in
2938 libpcap_dump_flush(global_ld.pdh, NULL);
2939 report_new_capture_file(capture_opts->save_file);
2942 /* initialize capture stop (and alike) conditions */
2943 init_capture_stop_conditions();
2944 /* create stop conditions */
2945 if (capture_opts->has_autostop_filesize)
2947 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
2948 if (capture_opts->has_autostop_duration)
2949 cnd_autostop_duration =
2950 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
2952 if (capture_opts->multi_files_on) {
2953 if (capture_opts->has_file_duration)
2955 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
2957 if (capture_opts->has_autostop_files)
2958 cnd_autostop_files =
2959 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
2962 /* init the time values */
2963 upd_time = TIME_GET();
2965 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
2967 /* WOW, everything is prepared! */
2968 /* please fasten your seat belts, we will enter now the actual capture loop */
2969 while (global_ld.go) {
2970 /* dispatch incoming packets */
2971 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
2975 /* Were we asked to print packet counts by the SIGINFO handler? */
2976 if (global_ld.report_packet_count) {
2977 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
2978 plurality(global_ld.packet_count, "", "s"));
2979 global_ld.report_packet_count = FALSE;
2984 /* any news from our parent (signal pipe)? -> just stop the capture */
2985 if (!signal_pipe_check_running()) {
2986 global_ld.go = FALSE;
2991 global_ld.inpkts_to_sync_pipe += inpkts;
2993 /* check capture size condition */
2994 if (cnd_autostop_size != NULL &&
2995 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
2996 /* Capture size limit reached, do we have another file? */
2997 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
2998 cnd_autostop_size, cnd_file_duration))
3000 } /* cnd_autostop_size */
3001 if (capture_opts->output_to_pipe) {
3002 libpcap_dump_flush(global_ld.pdh, NULL);
3006 /* Only update once a second (Win32: 500ms) so as not to overload slow
3007 * displays. This also prevents too much context-switching between the
3008 * dumpcap and wireshark processes */
3009 cur_time = TIME_GET();
3011 if ( (cur_time - upd_time) > 500) {
3013 if (cur_time - upd_time > 0) {
3015 upd_time = cur_time;
3017 /*if (pcap_stats(pch, stats) >= 0) {
3018 *stats_known = TRUE;
3021 /* Let the parent process know. */
3022 if (global_ld.inpkts_to_sync_pipe) {
3024 libpcap_dump_flush(global_ld.pdh, NULL);
3026 /* Send our parent a message saying we've written out
3027 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3029 report_packet_count(global_ld.inpkts_to_sync_pipe);
3031 global_ld.inpkts_to_sync_pipe = 0;
3034 /* check capture duration condition */
3035 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3036 /* The maximum capture time has elapsed; stop the capture. */
3037 global_ld.go = FALSE;
3041 /* check capture file duration condition */
3042 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3043 /* duration limit reached, do we have another file? */
3044 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3045 cnd_autostop_size, cnd_file_duration))
3047 } /* cnd_file_duration */
3050 } /* while (global_ld.go) */
3052 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3054 /* delete stop conditions */
3055 if (cnd_file_duration != NULL)
3056 cnd_delete(cnd_file_duration);
3057 if (cnd_autostop_files != NULL)
3058 cnd_delete(cnd_autostop_files);
3059 if (cnd_autostop_size != NULL)
3060 cnd_delete(cnd_autostop_size);
3061 if (cnd_autostop_duration != NULL)
3062 cnd_delete(cnd_autostop_duration);
3064 /* did we had a pcap (input) error? */
3065 if (global_ld.pcap_err) {
3066 /* On Linux, if an interface goes down while you're capturing on it,
3067 you'll get a "recvfrom: Network is down" or
3068 "The interface went down" error (ENETDOWN).
3069 (At least you will if strerror() doesn't show a local translation
3072 On FreeBSD and OS X, if a network adapter disappears while
3073 you're capturing on it, you'll get a "read: Device not configured"
3074 error (ENXIO). (See previous parenthetical note.)
3076 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3078 These should *not* be reported to the Wireshark developers. */
3081 cap_err_str = pcap_geterr(global_ld.pcap_h);
3082 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3083 strcmp(cap_err_str, "The interface went down") == 0 ||
3084 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3085 strcmp(cap_err_str, "read: I/O error") == 0 ||
3086 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3087 report_capture_error("The network adapter on which the capture was being done "
3088 "is no longer running; the capture has stopped.",
3091 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3093 report_capture_error(errmsg, please_report);
3096 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
3097 report_capture_error(errmsg, "");
3099 /* did we had an error while capturing? */
3100 if (global_ld.err == 0) {
3103 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3104 global_ld.err, FALSE);
3105 report_capture_error(errmsg, please_report);
3109 if (capture_opts->saving_to_file) {
3110 /* close the output file */
3111 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3115 /* there might be packets not yet notified to the parent */
3116 /* (do this after closing the file, so all packets are already flushed) */
3117 if(global_ld.inpkts_to_sync_pipe) {
3119 report_packet_count(global_ld.inpkts_to_sync_pipe);
3120 global_ld.inpkts_to_sync_pipe = 0;
3123 /* If we've displayed a message about a write error, there's no point
3124 in displaying another message about an error on close. */
3125 if (!close_ok && write_ok) {
3126 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3128 report_capture_error(errmsg, "");
3132 * XXX We exhibit different behaviour between normal mode and sync mode
3133 * when the pipe is stdin and not already at EOF. If we're a child, the
3134 * parent's stdin isn't closed, so if the user starts another capture,
3135 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3136 * will say "Unrecognized libpcap format". On the other hand, in normal
3137 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3140 report_capture_count(); /* print final capture count only if (quiet && !capture_child) */
3142 /* get packet drop statistics from pcap */
3143 if(global_ld.pcap_h != NULL) {
3144 g_assert(!global_ld.from_cap_pipe);
3145 /* Get the capture statistics, so we know how many packets were
3147 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
3148 *stats_known = TRUE;
3149 /* Let the parent process know. */
3150 report_packet_drops(stats->ps_drop);
3152 g_snprintf(errmsg, sizeof(errmsg),
3153 "Can't get packet-drop statistics: %s",
3154 pcap_geterr(global_ld.pcap_h));
3155 report_capture_error(errmsg, please_report);
3159 /* close the input file (pcap or capture pipe) */
3160 capture_loop_close_input(&global_ld);
3162 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3164 /* ok, if the write and the close were successful. */
3165 return write_ok && close_ok;
3168 if (capture_opts->multi_files_on) {
3169 /* cleanup ringbuffer */
3170 ringbuf_error_cleanup();
3172 /* We can't use the save file, and we have no FILE * for the stream
3173 to close in order to close it, so close the FD directly. */
3174 if(global_ld.save_file_fd != -1) {
3175 ws_close(global_ld.save_file_fd);
3178 /* We couldn't even start the capture, so get rid of the capture
3180 if(capture_opts->save_file != NULL) {
3181 ws_unlink(capture_opts->save_file);
3182 g_free(capture_opts->save_file);
3185 capture_opts->save_file = NULL;
3187 report_cfilter_error(capture_opts->cfilter, errmsg);
3189 report_capture_error(errmsg, secondary_errmsg);
3191 /* close the input file (pcap or cap_pipe) */
3192 capture_loop_close_input(&global_ld);
3194 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3200 static void capture_loop_stop(void)
3202 #ifdef HAVE_PCAP_BREAKLOOP
3203 if(global_ld.pcap_h != NULL)
3204 pcap_breakloop(global_ld.pcap_h);
3206 global_ld.go = FALSE;
3211 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3212 int err, gboolean is_close)
3217 g_snprintf(errmsg, errmsglen,
3218 "Not all the packets could be written to the file"
3219 " to which the capture was being saved\n"
3220 "(\"%s\") because there is no space left on the file system\n"
3221 "on which that file resides.",
3227 g_snprintf(errmsg, errmsglen,
3228 "Not all the packets could be written to the file"
3229 " to which the capture was being saved\n"
3230 "(\"%s\") because you are too close to, or over,"
3231 " your disk quota\n"
3232 "on the file system on which that file resides.",
3239 g_snprintf(errmsg, errmsglen,
3240 "The file to which the capture was being saved\n"
3241 "(\"%s\") could not be closed: %s.",
3242 fname, strerror(err));
3244 g_snprintf(errmsg, errmsglen,
3245 "An error occurred while writing to the file"
3246 " to which the capture was being saved\n"
3248 fname, strerror(err));
3255 /* one packet was captured, process it */
3257 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3260 loop_data *ld = (loop_data *) (void *) user;
3263 /* We may be called multiple times from pcap_dispatch(); if we've set
3264 the "stop capturing" flag, ignore this packet, as we're not
3265 supposed to be saving any more packets. */
3270 gboolean successful;
3271 /* We're supposed to write the packet to a file; do so.
3272 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3273 "ld->err" to the error. */
3274 if (global_capture_opts.use_pcapng) {
3275 successful = libpcap_write_enhanced_packet_block(ld->pdh, phdr, 0, pd, &ld->bytes_written, &err);
3277 successful = libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err);
3284 /* if the user told us to stop after x packets, do we already have enough? */
3285 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
3294 /* And now our feature presentation... [ fade to music ] */
3296 main(int argc, char *argv[])
3299 gboolean arg_error = FALSE;
3306 struct sigaction action, oldaction;
3309 gboolean start_capture = TRUE;
3310 gboolean stats_known;
3311 struct pcap_stat stats;
3312 GLogLevelFlags log_flags;
3313 gboolean list_interfaces = FALSE;
3314 gboolean list_link_layer_types = FALSE;
3315 #ifdef HAVE_BPF_IMAGE
3316 gboolean print_bpf_code = FALSE;
3318 gboolean machine_readable = FALSE;
3319 gboolean print_statistics = FALSE;
3320 int status, run_once_args = 0;
3322 #if defined(__APPLE__) && defined(__LP64__)
3323 struct utsname osinfo;
3327 /* Convert our arg list to UTF-8. */
3328 wc_argv = CommandLineToArgvW(GetCommandLineW(), &wc_argc);
3329 if (wc_argv && wc_argc == argc) {
3330 for (i = 0; i < argc; i++) {
3331 argv[i] = g_utf16_to_utf8(wc_argv[i], -1, NULL, NULL, NULL);
3333 } /* XXX else bail because something is horribly, horribly wrong? */
3338 * Initialize our DLL search path. MUST be called before LoadLibrary
3341 ws_init_dll_search_path();
3344 #ifdef HAVE_PCAP_REMOTE
3345 #define OPTSTRING_A "A:"
3346 #define OPTSTRING_r "r"
3347 #define OPTSTRING_u "u"
3349 #define OPTSTRING_A ""
3350 #define OPTSTRING_r ""
3351 #define OPTSTRING_u ""
3354 #ifdef HAVE_PCAP_SETSAMPLING
3355 #define OPTSTRING_m "m:"
3357 #define OPTSTRING_m ""
3360 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3361 #define OPTSTRING_B "B:"
3363 #define OPTSTRING_B ""
3364 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3366 #ifdef HAVE_PCAP_CREATE
3367 #define OPTSTRING_I "I"
3369 #define OPTSTRING_I ""
3372 #ifdef HAVE_BPF_IMAGE
3373 #define OPTSTRING_d "d"
3375 #define OPTSTRING_d ""
3378 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:" OPTSTRING_u "vw:y:Z:"
3380 #ifdef DEBUG_CHILD_DUMPCAP
3381 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3382 fprintf (stderr, "Unable to open debug log file !\n");
3387 #if defined(__APPLE__) && defined(__LP64__)
3389 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3390 * a bug workaround - timeouts less than 1 second don't work with libpcap
3391 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3392 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3393 * The problem is extremely unlikely to be reintroduced in a future
3396 if (uname(&osinfo) == 0) {
3398 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3399 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3400 * number of 10.0.0, not 10.1.0 - go figure).
3402 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3403 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3404 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3405 need_timeout_workaround = TRUE;
3410 * Determine if dumpcap is being requested to run in a special
3411 * capture_child mode by going thru the command line args to see if
3412 * a -Z is present. (-Z is a hidden option).
3414 * The primary result of running in capture_child mode is that
3415 * all messages sent out on stderr are in a special type/len/string
3416 * format to allow message processing by type. These messages include
3417 * error messages if dumpcap fails to start the operation it was
3418 * requested to do, as well as various "status" messages which are sent
3419 * when an actual capture is in progress, and a "success" message sent
3420 * if dumpcap was requested to perform an operation other than a
3423 * Capture_child mode would normally be requested by a parent process
3424 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3425 * to which dumpcap stderr has been redirected. It might also have
3426 * another pipe to obtain dumpcap stdout output; for operations other
3427 * than a capture, that information is formatted specially for easier
3428 * parsing by the parent process.
3430 * Capture_child mode needs to be determined immediately upon
3431 * startup so that any messages generated by dumpcap in this mode
3432 * (eg: during initialization) will be formatted properly.
3435 for (i=1; i<argc; i++) {
3436 if (strcmp("-Z", argv[i]) == 0) {
3437 capture_child = TRUE;
3438 machine_readable = TRUE; /* request machine-readable output */
3440 /* set output pipe to binary mode, to avoid ugly text conversions */
3441 _setmode(2, O_BINARY);
3446 /* The default_log_handler will use stdout, which makes trouble in */
3447 /* capture child mode, as it uses stdout for it's sync_pipe. */
3448 /* So: the filtering is done in the console_log_handler and not here.*/
3449 /* We set the log handlers right up front to make sure that any log */
3450 /* messages when running as child will be sent back to the parent */
3451 /* with the correct format. */
3455 G_LOG_LEVEL_CRITICAL|
3456 G_LOG_LEVEL_WARNING|
3457 G_LOG_LEVEL_MESSAGE|
3460 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3462 g_log_set_handler(NULL,
3464 console_log_handler, NULL /* user_data */);
3465 g_log_set_handler(LOG_DOMAIN_MAIN,
3467 console_log_handler, NULL /* user_data */);
3468 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3470 console_log_handler, NULL /* user_data */);
3471 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3473 console_log_handler, NULL /* user_data */);
3476 /* Load wpcap if possible. Do this before collecting the run-time version information */
3479 /* ... and also load the packet.dll from wpcap */
3480 /* XXX - currently not required, may change later. */
3481 /*wpcap_packet_load();*/
3483 /* Start windows sockets */
3484 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3486 /* Set handler for Ctrl+C key */
3487 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3489 /* Prepare to read from a pipe */
3490 if (!g_thread_supported ())
3491 g_thread_init (NULL);
3492 cap_pipe_pending_q = g_async_queue_new();
3493 cap_pipe_done_q = g_async_queue_new();
3494 cap_pipe_read_mtx = g_mutex_new();
3497 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3499 action.sa_handler = capture_cleanup_handler;
3501 * Arrange that system calls not get restarted, because when
3502 * our signal handler returns we don't want to restart
3503 * a call that was waiting for packets to arrive.
3505 action.sa_flags = 0;
3506 sigemptyset(&action.sa_mask);
3507 sigaction(SIGTERM, &action, NULL);
3508 sigaction(SIGINT, &action, NULL);
3509 sigaction(SIGPIPE, &action, NULL);
3510 sigaction(SIGHUP, NULL, &oldaction);
3511 if (oldaction.sa_handler == SIG_DFL)
3512 sigaction(SIGHUP, &action, NULL);
3515 /* Catch SIGINFO and, if we get it and we're capturing in
3516 quiet mode, report the number of packets we've captured. */
3517 action.sa_handler = report_counts_siginfo;
3518 action.sa_flags = SA_RESTART;
3519 sigemptyset(&action.sa_mask);
3520 sigaction(SIGINFO, &action, NULL);
3521 #endif /* SIGINFO */
3524 /* ----------------------------------------------------------------- */
3525 /* Privilege and capability handling */
3527 /* 1. Running not as root or suid root; no special capabilities. */
3530 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3533 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3535 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3536 /* capabilities; Drop all other capabilities; */
3537 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3538 /* else: after pcap_open_live() in capture_loop_open_input() */
3539 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3540 /* (Note: this means that the process, although logged in */
3541 /* as root, does not have various permissions such as the */
3542 /* ability to bypass file access permissions). */
3543 /* XXX: Should we just leave capabilities alone in this case */
3544 /* so that user gets expected effect that root can do */
3547 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3549 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3550 /* else: after pcap_open_live() in capture_loop_open_input() */
3551 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3552 /* pcap_open_live). */
3554 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3556 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3557 /* capabilities; Drop all other capabilities; */
3558 /* Drop suid privileges (euid=ruid); */
3559 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3560 /* else: after pcap_open_live() in capture_loop_open_input() */
3561 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3563 /* XXX: For some Linux versions/distros with capabilities */
3564 /* a 'normal' process with any capabilities cannot be */
3565 /* 'killed' (signaled) from another (same uid) non-privileged */
3567 /* For example: If (non-suid) Wireshark forks a */
3568 /* child suid dumpcap which acts as described here (case 5), */
3569 /* Wireshark will be unable to kill (signal) the child */
3570 /* dumpcap process until the capabilities have been dropped */
3571 /* (after pcap_open_live()). */
3572 /* This behaviour will apparently be changed in the kernel */
3573 /* to allow the kill (signal) in this case. */
3574 /* See the following for details: */
3575 /* http://www.mail-archive.com/ [wrapped] */
3576 /* linux-security-module@vger.kernel.org/msg02913.html */
3578 /* It is therefore conceivable that if dumpcap somehow hangs */
3579 /* in pcap_open_live or before that wireshark will not */
3580 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3581 /* In this case, exiting wireshark will kill the child */
3582 /* dumpcap process. */
3584 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3585 /* capabilities; Using libcap. Note: capset cmd (which see) */
3586 /* used to assign capabilities to file. */
3588 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3589 /* else: after pcap_open_live() in capture_loop_open_input() */
3590 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3592 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3593 /* longer required (similar to capture). */
3595 /* ----------------------------------------------------------------- */
3597 init_process_policies();
3600 /* If 'started with special privileges' (and using libcap) */
3601 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3602 /* Set euid/egid = ruid/rgid to remove suid privileges */
3603 relinquish_privs_except_capture();
3606 /* Set the initial values in the capture options. This might be overwritten
3607 by the command line parameters. */
3608 capture_opts_init(&global_capture_opts, NULL);
3610 /* Default to capturing the entire packet. */
3611 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3613 /* We always save to a file - if no file was specified, we save to a
3615 global_capture_opts.saving_to_file = TRUE;
3616 global_capture_opts.has_ring_num_files = TRUE;
3618 /* Now get our args */
3619 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3621 case 'h': /* Print help and exit */
3625 case 'v': /* Show version and exit */
3627 GString *comp_info_str;
3628 GString *runtime_info_str;
3629 /* Assemble the compile-time version information string */
3630 comp_info_str = g_string_new("Compiled ");
3631 get_compiled_version_info(comp_info_str, NULL, NULL);
3633 /* Assemble the run-time version information string */
3634 runtime_info_str = g_string_new("Running ");
3635 get_runtime_version_info(runtime_info_str, NULL);
3636 show_version(comp_info_str, runtime_info_str);
3637 g_string_free(comp_info_str, TRUE);
3638 g_string_free(runtime_info_str, TRUE);
3642 /*** capture option specific ***/
3643 case 'a': /* autostop criteria */
3644 case 'b': /* Ringbuffer option */
3645 case 'c': /* Capture x packets */
3646 case 'f': /* capture filter */
3647 case 'i': /* Use interface x */
3648 case 'n': /* Use pcapng format */
3649 case 'p': /* Don't capture in promiscuous mode */
3650 case 's': /* Set the snapshot (capture) length */
3651 case 'w': /* Write to capture file x */
3652 case 'g': /* enable group read accesson file(s) */
3653 case 'y': /* Set the pcap data link type */
3654 #ifdef HAVE_PCAP_REMOTE
3655 case 'u': /* Use UDP for data transfer */
3656 case 'r': /* Capture own RPCAP traffic too */
3657 case 'A': /* Authentication */
3659 #ifdef HAVE_PCAP_SETSAMPLING
3660 case 'm': /* Sampling */
3662 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3663 case 'B': /* Buffer size */
3664 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3665 #ifdef HAVE_PCAP_CREATE
3666 case 'I': /* Monitor mode */
3668 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
3673 /*** hidden option: Wireshark child mode (using binary output messages) ***/
3675 capture_child = TRUE;
3677 /* set output pipe to binary mode, to avoid ugly text conversions */
3678 _setmode(2, O_BINARY);
3680 * optarg = the control ID, aka the PPID, currently used for the
3683 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
3684 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
3685 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
3686 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
3688 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
3689 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3690 "Signal pipe: Unable to open %s. Dead parent?",
3698 case 'q': /* Quiet */
3702 /*** all non capture option specific ***/
3703 case 'D': /* Print a list of capture devices and exit */
3704 list_interfaces = TRUE;
3707 case 'L': /* Print list of link-layer types and exit */
3708 list_link_layer_types = TRUE;
3711 #ifdef HAVE_BPF_IMAGE
3712 case 'd': /* Print BPF code for capture filter and exit */
3713 print_bpf_code = TRUE;
3717 case 'S': /* Print interface statistics once a second */
3718 print_statistics = TRUE;
3721 case 'M': /* For -D, -L, and -S, print machine-readable output */
3722 machine_readable = TRUE;
3725 case '?': /* Bad flag - print usage message */
3726 cmdarg_err("Invalid Option: %s", argv[optind-1]);
3734 /* user specified file name as regular command-line argument */
3735 /* XXX - use it as the capture file name (or something else)? */
3742 * Extra command line arguments were specified; complain.
3743 * XXX - interpret as capture filter, as tcpdump and tshark do?
3745 cmdarg_err("Invalid argument: %s", argv[0]);
3754 if (run_once_args > 1) {
3755 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
3757 } else if (run_once_args == 1) {
3758 /* We're supposed to print some information, rather than
3759 to capture traffic; did they specify a ring buffer option? */
3760 if (global_capture_opts.multi_files_on) {
3761 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
3765 /* We're supposed to capture traffic; was the ring buffer option
3766 specified and, if so, does it make sense? */
3767 if (global_capture_opts.multi_files_on) {
3768 /* Ring buffer works only under certain conditions:
3769 a) ring buffer does not work with temporary files;
3770 b) it makes no sense to enable the ring buffer if the maximum
3771 file size is set to "infinite". */
3772 if (global_capture_opts.save_file == NULL) {
3773 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
3774 global_capture_opts.multi_files_on = FALSE;
3776 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
3777 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
3778 /* XXX - this must be redesigned as the conditions changed */
3779 /* global_capture_opts.multi_files_on = FALSE;*/
3785 * "-D" requires no interface to be selected; it's supposed to list
3788 if (list_interfaces) {
3789 /* Get the list of interfaces */
3794 if_list = capture_interface_list(&err, &err_str);
3795 if (if_list == NULL) {
3797 case CANT_GET_INTERFACE_LIST:
3798 cmdarg_err("%s", err_str);
3803 case NO_INTERFACES_FOUND:
3805 * If we're being run by another program, just give them
3806 * an empty list of interfaces, don't report this as
3807 * an error; that lets them decide whether to report
3808 * this as an error or not.
3810 if (!machine_readable) {
3811 cmdarg_err("There are no interfaces on which a capture can be done");
3818 if (machine_readable) /* tab-separated values to stdout */
3819 print_machine_readable_interfaces(if_list);
3821 capture_opts_print_interfaces(if_list);
3822 free_interface_list(if_list);
3827 * "-S" requires no interface to be selected; it gives statistics
3828 * for all interfaces.
3830 if (print_statistics) {
3831 status = print_statistics_loop(machine_readable);
3836 * "-L", "-d", and capturing act on a particular interface, so we have to
3837 * have an interface; if none was specified, pick a default.
3839 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
3840 /* cmdarg_err() already called .... */
3844 /* Let the user know what interface was chosen. */
3845 /* get_interface_descriptive_name() is not available! */
3846 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
3848 if (list_link_layer_types) {
3849 /* Get the list of link-layer types for the capture device. */
3850 if_capabilities_t *caps;
3853 caps = get_if_capabilities(global_capture_opts.iface,
3854 global_capture_opts.monitor_mode, &err_str);
3856 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
3857 "Please check to make sure you have sufficient permissions, and that\n"
3858 "you have the proper interface or pipe specified.", global_capture_opts.iface, err_str);
3862 if (caps->data_link_types == NULL) {
3863 cmdarg_err("The capture device \"%s\" has no data link types.", global_capture_opts.iface);
3866 if (machine_readable) /* tab-separated values to stdout */
3867 print_machine_readable_if_capabilities(caps);
3869 capture_opts_print_if_capabilities(caps,
3870 global_capture_opts.monitor_mode);
3871 free_if_capabilities(caps);
3875 /* We're supposed to do a capture, or print the BPF code for a filter.
3876 Process the snapshot length, as that affects the generated BPF code. */
3877 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
3879 #ifdef HAVE_BPF_IMAGE
3880 if (print_bpf_code) {
3881 show_filter_code(&global_capture_opts);
3886 /* We're supposed to do a capture. Process the ring buffer arguments. */
3887 capture_opts_trim_ring_num_files(&global_capture_opts);
3889 /* Now start the capture. */
3891 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
3895 /* capture failed */
3902 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
3903 const char *message, gpointer user_data _U_)
3910 /* ignore log message, if log_level isn't interesting */
3911 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3912 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
3917 /* create a "timestamp" */
3919 today = localtime(&curr);
3921 switch(log_level & G_LOG_LEVEL_MASK) {
3922 case G_LOG_LEVEL_ERROR:
3925 case G_LOG_LEVEL_CRITICAL:
3928 case G_LOG_LEVEL_WARNING:
3931 case G_LOG_LEVEL_MESSAGE:
3934 case G_LOG_LEVEL_INFO:
3937 case G_LOG_LEVEL_DEBUG:
3941 fprintf(stderr, "unknown log_level %u\n", log_level);
3943 g_assert_not_reached();
3946 /* Generate the output message */
3947 if(log_level & G_LOG_LEVEL_MESSAGE) {
3948 /* normal user messages without additional infos */
3949 msg = g_strdup_printf("%s\n", message);
3951 /* info/debug messages with additional infos */
3952 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
3953 today->tm_hour, today->tm_min, today->tm_sec,
3954 log_domain != NULL ? log_domain : "",
3958 /* DEBUG & INFO msgs (if we're debugging today) */
3959 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3960 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3961 #ifdef DEBUG_DUMPCAP
3962 fprintf(stderr, "%s", msg);
3965 #ifdef DEBUG_CHILD_DUMPCAP
3966 fprintf(debug_log, "%s", msg);
3974 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
3975 /* to parent especially formatted if dumpcap running as child. */
3976 if (capture_child) {
3977 sync_pipe_errmsg_to_parent(2, msg, "");
3979 fprintf(stderr, "%s", msg);
3986 /****************************************************************************************************************/
3987 /* indication report routines */
3991 report_packet_count(int packet_count)
3993 char tmp[SP_DECISIZE+1+1];
3994 static int count = 0;
3997 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
3998 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
3999 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4001 count += packet_count;
4002 fprintf(stderr, "\rPackets: %u ", count);
4003 /* stderr could be line buffered */
4009 report_new_capture_file(const char *filename)
4012 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4013 pipe_write_block(2, SP_FILE, filename);
4017 * Prevent a SIGINFO handler from writing to the standard error
4018 * while we're doing so; instead, have it just set a flag telling
4019 * us to print that information when we're done.
4022 #endif /* SIGINFO */
4023 fprintf(stderr, "File: %s\n", filename);
4024 /* stderr could be line buffered */
4029 * Allow SIGINFO handlers to write.
4034 * If a SIGINFO handler asked us to write out capture counts, do so.
4037 report_counts_for_siginfo();
4038 #endif /* SIGINFO */
4043 report_cfilter_error(const char *cfilter, const char *errmsg)
4045 if (capture_child) {
4046 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4047 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4050 "Invalid capture filter: \"%s\"!\n"
4052 "That string isn't a valid capture filter (%s).\n"
4053 "See the User's Guide for a description of the capture filter syntax.\n",
4059 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4062 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4063 "Primary Error: %s", error_msg);
4064 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4065 "Secondary Error: %s", secondary_error_msg);
4066 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4068 fprintf(stderr, "%s\n", error_msg);
4069 if (secondary_error_msg[0] != '\0')
4070 fprintf(stderr, "%s\n", secondary_error_msg);
4075 report_packet_drops(guint32 drops)
4077 char tmp[SP_DECISIZE+1+1];
4079 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4082 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets dropped: %s", tmp);
4083 pipe_write_block(2, SP_DROPS, tmp);
4085 fprintf(stderr, "Packets dropped: %s\n", tmp);
4086 /* stderr could be line buffered */
4092 /****************************************************************************************************************/
4093 /* signal_pipe handling */
4098 signal_pipe_check_running(void)
4100 /* any news from our parent? -> just stop the capture */
4104 /* if we are running standalone, no check required */
4105 if(!capture_child) {
4109 if(!sig_pipe_name || !sig_pipe_handle) {
4110 /* This shouldn't happen */
4111 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4112 "Signal pipe: No name or handle");
4117 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4118 * at this point. Should we check to see if the parent is still alive,
4119 * e.g. by using OpenProcess?
4122 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4124 if(!result || avail > 0) {
4125 /* peek failed or some bytes really available */
4126 /* (if not piping from stdin this would fail) */
4127 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4128 "Signal pipe: Stop capture: %s", sig_pipe_name);
4129 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4130 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4131 sig_pipe_handle, result, avail);
4134 /* pipe ok and no bytes available */
4141 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4146 * indent-tabs-mode: nil
4149 * vi: set shiftwidth=4 tabstop=8 expandtab
4150 * :indentSize=4:tabSize=8:noTabs=true: