5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include <stdlib.h> /* for exit() */
33 #ifdef HAVE_SYS_TYPES_H
34 # include <sys/types.h>
37 #ifdef HAVE_SYS_SOCKET_H
38 #include <sys/socket.h>
41 #ifdef HAVE_NETINET_IN_H
42 #include <netinet/in.h>
45 #ifdef HAVE_SYS_STAT_H
46 # include <sys/stat.h>
57 #ifdef HAVE_ARPA_INET_H
58 #include <arpa/inet.h>
61 #if defined(__APPLE__) && defined(__LP64__)
62 #include <sys/utsname.h>
68 #include <wsutil/crash_info.h>
71 #include "wsutil/wsgetopt.h"
79 # include <sys/prctl.h>
80 # include <sys/capability.h>
83 #include "ringbuffer.h"
84 #include "clopts_common.h"
85 #include "cmdarg_err.h"
86 #include "version_info.h"
88 #include "capture-pcap-util.h"
90 #include "capture-wpcap.h"
96 #include "capture-wpcap.h"
97 #include <wsutil/unicode-utils.h>
104 #ifdef NEED_INET_V6DEFS_H
105 # include "wsutil/inet_v6defs.h"
108 #include <wsutil/privileges.h>
110 #include "sync_pipe.h"
112 #include "capture_opts.h"
113 #include "capture_session.h"
114 #include "capture_ifinfo.h"
115 #include "capture_sync.h"
117 #include "conditions.h"
118 #include "capture_stop_conditions.h"
120 #include "wsutil/tempfile.h"
122 #include "wsutil/file_util.h"
124 #include "ws80211_utils.h"
127 * Get information about libpcap format from "wiretap/libpcap.h".
128 * XXX - can we just use pcap_open_offline() to read the pipe?
130 #include "wiretap/libpcap.h"
132 /**#define DEBUG_DUMPCAP**/
133 /**#define DEBUG_CHILD_DUMPCAP**/
137 #include <conio.h> /* _getch() */
141 #ifdef DEBUG_CHILD_DUMPCAP
142 FILE *debug_log; /* for logging debug messages to */
143 /* a file if DEBUG_CHILD_DUMPCAP */
147 static GAsyncQueue *pcap_queue;
148 static gint64 pcap_queue_bytes;
149 static gint64 pcap_queue_packets;
150 static gint64 pcap_queue_byte_limit = 0;
151 static gint64 pcap_queue_packet_limit = 0;
153 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
155 static gchar *sig_pipe_name = NULL;
156 static HANDLE sig_pipe_handle = NULL;
157 static gboolean signal_pipe_check_running(void);
161 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
162 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
165 /** Stop a low-level capture (stops the capture child). */
166 static void capture_loop_stop(void);
167 /** Close a pipe, or socket if \a from_socket is TRUE */
168 static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_);
170 #if !defined (__linux__)
171 #ifndef HAVE_PCAP_BREAKLOOP
173 * We don't have pcap_breakloop(), which is the only way to ensure that
174 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
175 * won't, if the call to read the next packet or batch of packets is
176 * is interrupted by a signal on UN*X, just go back and try again to
179 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
180 * the signal handler, set a flag to stop capturing; however, without
181 * a guarantee of that sort, we can't guarantee that we'll stop capturing
182 * if the read will be retried and won't time out if no packets arrive.
184 * Therefore, on at least some platforms, we work around the lack of
185 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
186 * to wait for packets to arrive, so that we're probably going to be
187 * blocked in the select() when the signal arrives, and can just bail
188 * out of the loop at that point.
190 * However, we don't want to do that on BSD (because "select()" doesn't work
191 * correctly on BPF devices on at least some releases of some flavors of
192 * BSD), and we don't want to do it on Windows (because "select()" is
193 * something for sockets, not for arbitrary handles). (Note that "Windows"
194 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
195 * using WinPcap, not a UNIX libpcap.)
197 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
198 * on BSD times out even if no packets have arrived, so we'll eventually
199 * exit pcap_dispatch() with an indication that no packets have arrived,
200 * and will break out of the capture loop at that point.
202 * On Windows, we can't send a SIGINT to stop capturing, so none of this
203 * applies in any case.
205 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
206 * want to include it if it's not present on this platform, however.
208 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
209 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
211 # define MUST_DO_SELECT
212 # endif /* avoid select */
213 #endif /* HAVE_PCAP_BREAKLOOP */
215 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
216 * in pcap_dispatch(); on the other hand, select() works just fine there.
217 * Hence we use a select for that come what may.
219 #define MUST_DO_SELECT
222 /** init the capture filter */
225 INITFILTER_BAD_FILTER,
226 INITFILTER_OTHER_ERROR
227 } initfilter_status_t;
230 STATE_EXPECT_REC_HDR,
243 typedef struct _pcap_options {
248 #ifdef MUST_DO_SELECT
249 int pcap_fd; /**< pcap file descriptor */
256 gboolean ts_nsec; /**< TRUE if we're using nanosecond precision. */
257 /**< capture pipe (unix only "input file") */
258 gboolean from_cap_pipe; /**< TRUE if we are capturing data from a capture pipe */
259 gboolean from_cap_socket; /**< TRUE if we're capturing from socket */
260 struct pcap_hdr cap_pipe_hdr; /**< Pcap header when capturing from a pipe */
261 struct pcaprec_modified_hdr cap_pipe_rechdr; /**< Pcap record header when capturing from a pipe */
263 HANDLE cap_pipe_h; /**< The handle of the capture pipe */
265 int cap_pipe_fd; /**< the file descriptor of the capture pipe */
266 gboolean cap_pipe_modified; /**< TRUE if data in the pipe uses modified pcap headers */
267 gboolean cap_pipe_byte_swapped; /**< TRUE if data in the pipe is byte swapped */
269 char * cap_pipe_buf; /**< Pointer to the data buffer we read into */
270 DWORD cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
271 DWORD cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
273 size_t cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
274 size_t cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
276 cap_pipe_state_t cap_pipe_state;
277 cap_pipe_err_t cap_pipe_err;
280 GMutex *cap_pipe_read_mtx;
281 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
285 typedef struct _loop_data {
287 gboolean go; /**< TRUE as long as we're supposed to keep capturing */
288 int err; /**< if non-zero, error seen while capturing */
289 gint packet_count; /**< Number of packets we have already captured */
290 gint packet_max; /**< Number of packets we're supposed to capture - 0 means infinite */
291 guint inpkts_to_sync_pipe; /**< Packets not already send out to the sync_pipe */
293 gboolean report_packet_count; /**< Set by SIGINFO handler; print packet count */
299 guint64 bytes_written;
300 guint32 autostop_files;
303 typedef struct _pcap_queue_element {
304 pcap_options *pcap_opts;
305 struct pcap_pkthdr phdr;
307 } pcap_queue_element;
310 * Standard secondary message for unexpected errors.
312 static const char please_report[] =
313 "Please report this to the Wireshark developers.\n"
314 "http://bugs.wireshark.org/\n"
315 "(This is not a crash; please do not report it as such.)";
318 * This needs to be static, so that the SIGINT handler can clear the "go"
321 static loop_data global_ld;
325 * Timeout, in milliseconds, for reads from the stream of captured packets
326 * from a capture device.
328 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
329 * 64-bit applications, with sub-second timeouts not to work. The bug is
330 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
332 #if defined(__APPLE__) && defined(__LP64__)
333 static gboolean need_timeout_workaround;
335 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
337 #define CAP_READ_TIMEOUT 250
341 * Timeout, in microseconds, for reads from the stream of captured packets
342 * from a pipe. Pipes don't have the same problem that BPF devices do
343 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
344 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
345 * of the offending versions of Snow Leopard.
347 * On Windows this value is converted to milliseconds and passed to
348 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
349 * will return immediately.
352 #define PIPE_READ_TIMEOUT 100000
354 #define PIPE_READ_TIMEOUT 250000
357 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
360 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
361 const char *message, gpointer user_data _U_);
363 /* capture related options */
364 static capture_options global_capture_opts;
365 static gboolean quiet = FALSE;
366 static gboolean use_threads = FALSE;
367 static guint64 start_time;
369 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
371 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
373 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
374 int err, gboolean is_close);
376 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
378 static void report_new_capture_file(const char *filename);
379 static void report_packet_count(unsigned int packet_count);
380 static void report_packet_drops(guint32 received, guint32 pcap_drops, guint32 drops, guint32 flushed, gchar *name);
381 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
382 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
384 #define MSG_MAX_LENGTH 4096
386 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
388 create_timestamp(void) {
398 * Current time, represented as 100-nanosecond intervals since
399 * January 1, 1601, 00:00:00 UTC.
401 * I think DWORD might be signed, so cast both parts of "now"
402 * to guint32 so that the sign bit doesn't get treated specially.
404 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
405 * might want to use instead.
407 GetSystemTimeAsFileTime(&now);
408 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
409 (guint32)now.dwLowDateTime;
412 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
418 * Subtract difference, in microseconds, between January 1, 1601
419 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
421 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
424 * Current time, represented as seconds and microseconds since
425 * January 1, 1970, 00:00:00 UTC.
427 gettimeofday(&now, NULL);
430 * Convert to delta in microseconds.
432 timestamp = (guint64)(now.tv_sec) * 1000000 +
433 (guint64)(now.tv_usec);
439 print_usage(gboolean print_ver)
446 "Dumpcap " VERSION "%s\n"
447 "Capture network packets and dump them into a pcapng file.\n"
448 "See http://www.wireshark.org for more information.\n",
449 wireshark_svnversion);
453 fprintf(output, "\nUsage: dumpcap [options] ...\n");
454 fprintf(output, "\n");
455 fprintf(output, "Capture interface:\n");
456 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback),\n"
457 " or for remote capturing, use one of these formats:\n"
458 " rpcap://<host>/<interface>\n"
459 " TCP@<host>:<port>\n");
460 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
461 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
462 fprintf(output, " -p don't capture in promiscuous mode\n");
463 #ifdef HAVE_PCAP_CREATE
464 fprintf(output, " -I capture in monitor mode, if available\n");
466 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
467 fprintf(output, " -B <buffer size> size of kernel buffer in MB (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
469 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
470 fprintf(output, " -D print list of interfaces and exit\n");
471 fprintf(output, " -L print list of link-layer types of iface and exit\n");
472 #ifdef HAVE_BPF_IMAGE
473 fprintf(output, " -d print generated BPF code for capture filter\n");
475 fprintf(output, " -k set channel on wifi interface <freq>,[<type>]\n");
476 fprintf(output, " -S print statistics for each interface once per second\n");
477 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
478 fprintf(output, "\n");
479 #ifdef HAVE_PCAP_REMOTE
480 fprintf(output, "RPCAP options:\n");
481 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
482 fprintf(output, " -u use UDP for RPCAP data transfer\n");
483 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
484 #ifdef HAVE_PCAP_SETSAMPLING
485 fprintf(output, " -m <sampling type> use packet sampling\n");
486 fprintf(output, " count:NUM - capture one packet of every NUM\n");
487 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
490 fprintf(output, "Stop conditions:\n");
491 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
492 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
493 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
494 fprintf(output, " files:NUM - stop after NUM files\n");
495 /*fprintf(output, "\n");*/
496 fprintf(output, "Output (files):\n");
497 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
498 fprintf(output, " -g enable group read access on the output file(s)\n");
499 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
500 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
501 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
502 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
503 fprintf(output, " -P use libpcap format instead of pcapng\n");
504 fprintf(output, "\n");
505 fprintf(output, "Miscellaneous:\n");
506 fprintf(output, " -N <packet_limit> maximum number of packets buffered within dumpcap\n");
507 fprintf(output, " -C <byte_limit> maximum number of bytes used for buffering packets within dumpcap\n");
508 fprintf(output, " -t use a separate thread per interface\n");
509 fprintf(output, " -q don't report packet capture counts\n");
510 fprintf(output, " -v print version information and exit\n");
511 fprintf(output, " -h display this help and exit\n");
512 fprintf(output, "\n");
513 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
514 fprintf(output, "\"Capture packets from interface eth0 until 60s passed into output.pcapng\"\n");
515 fprintf(output, "\n");
516 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
520 show_version(GString *comp_info_str, GString *runtime_info_str)
523 "Dumpcap " VERSION "%s\n"
528 "See http://www.wireshark.org for more information.\n",
529 wireshark_svnversion, get_copyright_info(), comp_info_str->str, runtime_info_str->str);
533 * Report an error in command-line arguments.
536 cmdarg_err(const char *fmt, ...)
542 /* Generate a 'special format' message back to parent */
544 msg = g_strdup_vprintf(fmt, ap);
545 sync_pipe_errmsg_to_parent(2, msg, "");
550 fprintf(stderr, "dumpcap: ");
551 vfprintf(stderr, fmt, ap);
552 fprintf(stderr, "\n");
558 * Report additional information for an error in command-line arguments.
561 cmdarg_err_cont(const char *fmt, ...)
568 msg = g_strdup_vprintf(fmt, ap);
569 sync_pipe_errmsg_to_parent(2, msg, "");
574 vfprintf(stderr, fmt, ap);
575 fprintf(stderr, "\n");
582 #if 0 /* Set to enable capability debugging */
583 /* see 'man cap_to_text()' for explanation of output */
584 /* '=' means 'all= ' ie: no capabilities */
585 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
587 print_caps(const char *pfx) {
588 cap_t caps = cap_get_proc();
589 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
590 "%s: EUID: %d Capabilities: %s", pfx,
591 geteuid(), cap_to_text(caps, NULL));
594 print_caps(const char *pfx _U_) {
599 relinquish_all_capabilities(void)
601 /* Drop any and all capabilities this process may have. */
602 /* Allowed whether or not process has any privileges. */
603 cap_t caps = cap_init(); /* all capabilities initialized to off */
604 print_caps("Pre-clear");
605 if (cap_set_proc(caps)) {
606 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
608 print_caps("Post-clear");
614 open_capture_device(interface_options *interface_opts,
615 char (*open_err_str)[PCAP_ERRBUF_SIZE])
618 #ifdef HAVE_PCAP_CREATE
621 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
622 struct pcap_rmtauth auth;
625 /* Open the network interface to capture from it.
626 Some versions of libpcap may put warnings into the error buffer
627 if they succeed; to tell if that's happened, we have to clear
628 the error buffer, and check if it's still a null string. */
629 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
630 (*open_err_str)[0] = '\0';
631 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
633 * If we're opening a remote device, use pcap_open(); that's currently
634 * the only open routine that supports remote devices.
636 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
637 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
638 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
639 auth.username = interface_opts->auth_username;
640 auth.password = interface_opts->auth_password;
642 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
643 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
644 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
645 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
646 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
648 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
649 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
650 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
651 CAP_READ_TIMEOUT, &auth, *open_err_str);
652 if (pcap_h == NULL) {
653 /* Error - did pcap actually supply an error message? */
654 if ((*open_err_str)[0] == '\0') {
655 /* Work around known WinPcap bug wherein no error message is
656 filled in on a failure to open an rpcap: URL. */
657 g_strlcpy(*open_err_str,
658 "Unknown error (pcap bug; actual error cause not reported)",
659 sizeof *open_err_str);
662 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
663 "pcap_open() returned %p.", (void *)pcap_h);
668 * If we're not opening a remote device, use pcap_create() and
669 * pcap_activate() if we have them, so that we can set the buffer
670 * size, otherwise use pcap_open_live().
672 #ifdef HAVE_PCAP_CREATE
673 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
674 "Calling pcap_create() using %s.", interface_opts->name);
675 pcap_h = pcap_create(interface_opts->name, *open_err_str);
676 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
677 "pcap_create() returned %p.", (void *)pcap_h);
678 if (pcap_h != NULL) {
679 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
680 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
681 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
682 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
683 "Calling pcap_set_promisc() with promisc_mode %d.", interface_opts->promisc_mode);
684 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
685 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
687 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
688 "buffersize %d.", interface_opts->buffer_size);
689 if (interface_opts->buffer_size != 0) {
690 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
692 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
693 "monitor_mode %d.", interface_opts->monitor_mode);
694 if (interface_opts->monitor_mode)
695 pcap_set_rfmon(pcap_h, 1);
696 err = pcap_activate(pcap_h);
697 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
698 "pcap_activate() returned %d.", err);
700 /* Failed to activate, set to NULL */
701 if (err == PCAP_ERROR)
702 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
704 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
710 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
711 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
712 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
713 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
714 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
716 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
717 "pcap_open_live() returned %p.", (void *)pcap_h);
720 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
725 get_capture_device_open_failure_messages(const char *open_err_str,
731 char *errmsg, size_t errmsg_len,
732 char *secondary_errmsg,
733 size_t secondary_errmsg_len)
736 const char *libpcap_warn;
737 static const char ppamsg[] = "can't find PPA for ";
740 g_snprintf(errmsg, (gulong) errmsg_len,
741 "The capture session could not be initiated (%s).", open_err_str);
744 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
746 "In order to capture packets, WinPcap must be installed; see\n"
748 " http://www.winpcap.org/\n"
752 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
756 " http://winpcap.cs.pu.edu.tw/\n"
758 "for a downloadable version of WinPcap and for instructions on how to install\n"
761 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
763 "Please check that \"%s\" is the proper interface.\n"
766 "Help can be found at:\n"
768 " http://wiki.wireshark.org/WinPcap\n"
769 " http://wiki.wireshark.org/CaptureSetup\n",
773 /* If we got a "can't find PPA for X" message, warn the user (who
774 is running dumpcap on HP-UX) that they don't have a version of
775 libpcap that properly handles HP-UX (libpcap 0.6.x and later
776 versions, which properly handle HP-UX, say "can't find /dev/dlpi
777 PPA for X" rather than "can't find PPA for X"). */
778 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
781 "You are running (T)Wireshark with a version of the libpcap library\n"
782 "that doesn't handle HP-UX network devices well; this means that\n"
783 "(T)Wireshark may not be able to capture packets.\n"
785 "To fix this, you should install libpcap 0.6.2, or a later version\n"
786 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
787 "packaged binary form from the Software Porting And Archive Centre\n"
788 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
789 "at the URL lists a number of mirror sites.";
793 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
794 "Please check to make sure you have sufficient permissions, and that you have "
795 "the proper interface or pipe specified.%s", libpcap_warn);
799 /* Set the data link type on a pcap. */
801 set_pcap_linktype(pcap_t *pcap_h, int linktype,
802 #ifdef HAVE_PCAP_SET_DATALINK
807 char *errmsg, size_t errmsg_len,
808 char *secondary_errmsg, size_t secondary_errmsg_len)
810 char *set_linktype_err_str;
813 return TRUE; /* just use the default */
814 #ifdef HAVE_PCAP_SET_DATALINK
815 if (pcap_set_datalink(pcap_h, linktype) == 0)
816 return TRUE; /* no error */
817 set_linktype_err_str = pcap_geterr(pcap_h);
819 /* Let them set it to the type it is; reject any other request. */
820 if (get_pcap_linktype(pcap_h, name) == linktype)
821 return TRUE; /* no error */
822 set_linktype_err_str =
823 "That DLT isn't one of the DLTs supported by this device";
825 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
826 set_linktype_err_str);
828 * If the error isn't "XXX is not one of the DLTs supported by this device",
829 * tell the user to tell the Wireshark developers about it.
831 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
832 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
834 secondary_errmsg[0] = '\0';
839 compile_capture_filter(const char *iface, pcap_t *pcap_h,
840 struct bpf_program *fcode, const char *cfilter)
842 bpf_u_int32 netnum, netmask;
843 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
845 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
847 * Well, we can't get the netmask for this interface; it's used
848 * only for filters that check for broadcast IP addresses, so
849 * we just punt and use 0. It might be nice to warn the user,
850 * but that's a pain in a GUI application, as it'd involve popping
851 * up a message box, and it's not clear how often this would make
852 * a difference (only filters that check for IP broadcast addresses
856 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
861 * Sigh. Older versions of libpcap don't properly declare the
862 * third argument to pcap_compile() as a const pointer. Cast
865 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
870 #ifdef HAVE_BPF_IMAGE
872 show_filter_code(capture_options *capture_opts)
874 interface_options interface_opts;
876 gchar open_err_str[PCAP_ERRBUF_SIZE];
877 char errmsg[MSG_MAX_LENGTH+1];
878 char secondary_errmsg[MSG_MAX_LENGTH+1];
879 struct bpf_program fcode;
880 struct bpf_insn *insn;
884 for (j = 0; j < capture_opts->ifaces->len; j++) {
885 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
886 pcap_h = open_capture_device(&interface_opts, &open_err_str);
887 if (pcap_h == NULL) {
888 /* Open failed; get messages */
889 get_capture_device_open_failure_messages(open_err_str,
891 errmsg, sizeof errmsg,
893 sizeof secondary_errmsg);
894 /* And report them */
895 report_capture_error(errmsg, secondary_errmsg);
899 /* Set the link-layer type. */
900 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
901 errmsg, sizeof errmsg,
902 secondary_errmsg, sizeof secondary_errmsg)) {
904 report_capture_error(errmsg, secondary_errmsg);
908 /* OK, try to compile the capture filter. */
909 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
910 interface_opts.cfilter)) {
912 report_cfilter_error(capture_opts, j, errmsg);
917 /* Now print the filter code. */
918 insn = fcode.bf_insns;
920 for (i = 0; i < fcode.bf_len; insn++, i++)
921 printf("%s\n", bpf_image(insn, i));
923 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
924 /* to remove any suid privileges. */
925 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
926 /* (euid/egid have already previously been set to ruid/rgid. */
927 /* (See comment in main() for details) */
929 relinquish_special_privs_perm();
931 relinquish_all_capabilities();
934 /* Let our parent know we succeeded. */
935 pipe_write_block(2, SP_SUCCESS, NULL); ///
942 * capture_interface_list() is expected to do the right thing to get
943 * a list of interfaces.
945 * In most of the programs in the Wireshark suite, "the right thing"
946 * is to run dumpcap and ask it for the list, because dumpcap may
947 * be the only program in the suite with enough privileges to get
950 * In dumpcap itself, however, we obviously can't run dumpcap to
951 * ask for the list. Therefore, our capture_interface_list() should
952 * just call get_interface_list().
955 capture_interface_list(int *err, char **err_str, void(*update_cb)(void) _U_)
957 return get_interface_list(err, err_str);
961 * Get the data-link type for a libpcap device.
962 * This works around AIX 5.x's non-standard and incompatible-with-the-
963 * rest-of-the-universe libpcap.
966 get_pcap_linktype(pcap_t *pch, const char *devicename
974 const char *ifacename;
977 linktype = pcap_datalink(pch);
981 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
982 * rather than DLT_ values for link-layer types; the ifType values
983 * for LAN devices are:
990 * and the ifType value for a loopback device is 24.
992 * The AIX names for LAN devices begin with:
999 * and the AIX names for loopback devices begin with "lo".
1001 * (The difference between "Ethernet" and "802.3" is presumably
1002 * whether packets have an Ethernet header, with a packet type,
1003 * or an 802.3 header, with a packet length, followed by an 802.2
1004 * header and possibly a SNAP header.)
1006 * If the device name matches "linktype" interpreted as an ifType
1007 * value, rather than as a DLT_ value, we will assume this is AIX's
1008 * non-standard, incompatible libpcap, rather than a standard libpcap,
1009 * and will map the link-layer type to the standard DLT_ value for
1010 * that link-layer type, as that's what the rest of Wireshark expects.
1012 * (This means the capture files won't be readable by a tcpdump
1013 * linked with AIX's non-standard libpcap, but so it goes. They
1014 * *will* be readable by standard versions of tcpdump, Wireshark,
1017 * XXX - if we conclude we're using AIX libpcap, should we also
1018 * set a flag to cause us to assume the time stamps are in
1019 * seconds-and-nanoseconds form, and to convert them to
1020 * seconds-and-microseconds form before processing them and
1025 * Find the last component of the device name, which is the
1028 ifacename = strchr(devicename, '/');
1029 if (ifacename == NULL)
1030 ifacename = devicename;
1032 /* See if it matches any of the LAN device names. */
1033 if (strncmp(ifacename, "en", 2) == 0) {
1034 if (linktype == 6) {
1036 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1040 } else if (strncmp(ifacename, "et", 2) == 0) {
1041 if (linktype == 7) {
1043 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1044 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1049 } else if (strncmp(ifacename, "tr", 2) == 0) {
1050 if (linktype == 9) {
1052 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1053 * DLT_IEEE802, which is what's used for Token Ring.
1057 } else if (strncmp(ifacename, "fi", 2) == 0) {
1058 if (linktype == 15) {
1060 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1064 } else if (strncmp(ifacename, "lo", 2) == 0) {
1065 if (linktype == 24) {
1067 * That's the RFC 1573 value for "software loopback" devices; map it
1068 * to DLT_NULL, which is what's used for loopback devices on BSD.
1078 static data_link_info_t *
1079 create_data_link_info(int dlt)
1081 data_link_info_t *data_link_info;
1084 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1085 data_link_info->dlt = dlt;
1086 text = pcap_datalink_val_to_name(dlt);
1088 data_link_info->name = g_strdup(text);
1090 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1091 text = pcap_datalink_val_to_description(dlt);
1093 data_link_info->description = g_strdup(text);
1095 data_link_info->description = NULL;
1096 return data_link_info;
1100 * Get the capabilities of a network device.
1102 static if_capabilities_t *
1103 get_if_capabilities(const char *devicename, gboolean monitor_mode
1104 #ifndef HAVE_PCAP_CREATE
1109 if_capabilities_t *caps;
1110 char errbuf[PCAP_ERRBUF_SIZE];
1112 #ifdef HAVE_PCAP_CREATE
1116 #ifdef HAVE_PCAP_LIST_DATALINKS
1120 data_link_info_t *data_link_info;
1123 * Allocate the interface capabilities structure.
1125 caps = (if_capabilities_t *)g_malloc(sizeof *caps);
1128 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1129 * wherein, when an open with an rpcap: URL fails, the error
1130 * message for the error is not copied to errbuf and whatever
1131 * on-the-stack junk is in errbuf is treated as the error
1134 * To work around that (and any other bugs of that sort, we
1135 * initialize errbuf to an empty string. If we get an error
1136 * and the string is empty, we report it as an unknown error.
1137 * (If we *don't* get an error, and the string is *non*-empty,
1138 * that could be a warning returned, such as "can't turn
1139 * promiscuous mode on"; we currently don't do so.)
1142 #ifdef HAVE_PCAP_OPEN
1143 pch = pcap_open(devicename, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1144 caps->can_set_rfmon = FALSE;
1146 if (err_str != NULL)
1147 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1151 #elif defined(HAVE_PCAP_CREATE)
1152 pch = pcap_create(devicename, errbuf);
1154 if (err_str != NULL)
1155 *err_str = g_strdup(errbuf);
1159 status = pcap_can_set_rfmon(pch);
1162 if (status == PCAP_ERROR)
1163 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1166 *err_str = g_strdup(pcap_statustostr(status));
1172 caps->can_set_rfmon = FALSE;
1173 else if (status == 1) {
1174 caps->can_set_rfmon = TRUE;
1176 pcap_set_rfmon(pch, 1);
1178 if (err_str != NULL) {
1179 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1187 status = pcap_activate(pch);
1189 /* Error. We ignore warnings (status > 0). */
1190 if (err_str != NULL) {
1191 if (status == PCAP_ERROR)
1192 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1195 *err_str = g_strdup(pcap_statustostr(status));
1202 pch = pcap_open_live(devicename, MIN_PACKET_SIZE, 0, 0, errbuf);
1203 caps->can_set_rfmon = FALSE;
1205 if (err_str != NULL)
1206 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1211 deflt = get_pcap_linktype(pch, devicename);
1212 #ifdef HAVE_PCAP_LIST_DATALINKS
1213 nlt = pcap_list_datalinks(pch, &linktypes);
1214 if (nlt == 0 || linktypes == NULL) {
1216 if (err_str != NULL)
1217 *err_str = NULL; /* an empty list doesn't mean an error */
1221 caps->data_link_types = NULL;
1222 for (i = 0; i < nlt; i++) {
1223 data_link_info = create_data_link_info(linktypes[i]);
1226 * XXX - for 802.11, make the most detailed 802.11
1227 * version the default, rather than the one the
1228 * device has as the default?
1230 if (linktypes[i] == deflt)
1231 caps->data_link_types = g_list_prepend(caps->data_link_types,
1234 caps->data_link_types = g_list_append(caps->data_link_types,
1237 #ifdef HAVE_PCAP_FREE_DATALINKS
1238 pcap_free_datalinks(linktypes);
1241 * In Windows, there's no guarantee that if you have a library
1242 * built with one version of the MSVC++ run-time library, and
1243 * it returns a pointer to allocated data, you can free that
1244 * data from a program linked with another version of the
1245 * MSVC++ run-time library.
1247 * This is not an issue on UN*X.
1249 * See the mail threads starting at
1251 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1255 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1258 #define xx_free free /* hack so checkAPIs doesn't complain */
1261 #endif /* HAVE_PCAP_FREE_DATALINKS */
1262 #else /* HAVE_PCAP_LIST_DATALINKS */
1264 data_link_info = create_data_link_info(deflt);
1265 caps->data_link_types = g_list_append(caps->data_link_types,
1267 #endif /* HAVE_PCAP_LIST_DATALINKS */
1271 if (err_str != NULL)
1276 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1278 * Output a machine readable list of the interfaces
1279 * This list is retrieved by the sync_interface_list_open() function
1280 * The actual output of this function can be viewed with the command "dumpcap -D -Z none"
1283 print_machine_readable_interfaces(GList *if_list)
1290 char addr_str[ADDRSTRLEN];
1292 if (capture_child) {
1293 /* Let our parent know we succeeded. */
1294 pipe_write_block(2, SP_SUCCESS, NULL); ///
1297 i = 1; /* Interface id number */
1298 for (if_entry = g_list_first(if_list); if_entry != NULL;
1299 if_entry = g_list_next(if_entry)) {
1300 if_info = (if_info_t *)if_entry->data;
1301 printf("%d. %s\t", i++, if_info->name);
1304 * Print the contents of the if_entry struct in a parseable format.
1305 * Each if_entry element is tab-separated. Addresses are comma-
1308 /* XXX - Make sure our description doesn't contain a tab */
1309 if (if_info->vendor_description != NULL)
1310 printf("%s\t", if_info->vendor_description);
1314 /* XXX - Make sure our friendly name doesn't contain a tab */
1315 if (if_info->friendly_name != NULL)
1316 printf("%s\t", if_info->friendly_name);
1320 printf("%u\t", if_info->type);
1322 for (addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1323 addr = g_slist_next(addr)) {
1324 if (addr != g_slist_nth(if_info->addrs, 0))
1327 if_addr = (if_addr_t *)addr->data;
1328 switch(if_addr->ifat_type) {
1330 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1332 printf("%s", addr_str);
1334 printf("<unknown IPv4>");
1338 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1339 addr_str, ADDRSTRLEN)) {
1340 printf("%s", addr_str);
1342 printf("<unknown IPv6>");
1346 printf("<type unknown %u>", if_addr->ifat_type);
1350 if (if_info->loopback)
1351 printf("\tloopback");
1353 printf("\tnetwork");
1360 * If you change the machine-readable output format of this function,
1361 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1364 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1367 data_link_info_t *data_link_info;
1368 const gchar *desc_str;
1370 if (capture_child) {
1371 /* Let our parent know we succeeded. */
1372 pipe_write_block(2, SP_SUCCESS, NULL); ///
1375 if (caps->can_set_rfmon)
1379 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1380 lt_entry = g_list_next(lt_entry)) {
1381 data_link_info = (data_link_info_t *)lt_entry->data;
1382 if (data_link_info->description != NULL)
1383 desc_str = data_link_info->description;
1385 desc_str = "(not supported)";
1386 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1396 /* Print the number of packets captured for each interface until we're killed. */
1398 print_statistics_loop(gboolean machine_readable)
1400 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1406 char errbuf[PCAP_ERRBUF_SIZE];
1407 struct pcap_stat ps;
1409 if_list = get_interface_list(&err, &err_str);
1410 if (if_list == NULL) {
1412 case CANT_GET_INTERFACE_LIST:
1413 case DONT_HAVE_PCAP:
1414 cmdarg_err("%s", err_str);
1418 case NO_INTERFACES_FOUND:
1419 cmdarg_err("There are no interfaces on which a capture can be done");
1425 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1426 if_info = (if_info_t *)if_entry->data;
1427 #ifdef HAVE_PCAP_OPEN
1428 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1430 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1434 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1435 if_stat->name = g_strdup(if_info->name);
1437 stat_list = g_list_append(stat_list, if_stat);
1442 cmdarg_err("There are no interfaces on which a capture can be done");
1446 if (capture_child) {
1447 /* Let our parent know we succeeded. */
1448 pipe_write_block(2, SP_SUCCESS, NULL); ///
1451 if (!machine_readable) {
1452 printf("%-15s %10s %10s\n", "Interface", "Received",
1456 global_ld.go = TRUE;
1457 while (global_ld.go) {
1458 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1459 if_stat = (if_stat_t *)stat_entry->data;
1460 pcap_stats(if_stat->pch, &ps);
1462 if (!machine_readable) {
1463 printf("%-15s %10u %10u\n", if_stat->name,
1464 ps.ps_recv, ps.ps_drop);
1466 printf("%s\t%u\t%u\n", if_stat->name,
1467 ps.ps_recv, ps.ps_drop);
1478 /* XXX - Not reached. Should we look for 'q' in stdin? */
1479 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1480 if_stat = (if_stat_t *)stat_entry->data;
1481 pcap_close(if_stat->pch);
1482 g_free(if_stat->name);
1485 g_list_free(stat_list);
1486 free_interface_list(if_list);
1494 capture_cleanup_handler(DWORD dwCtrlType)
1496 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1497 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1498 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1499 like SIGTERM at least when the machine's shutting down.
1501 For now, if we're running as a command rather than a capture child,
1502 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1503 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1504 in that way on UN*X.
1506 If we're not running as a capture child, we might be running as
1507 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1508 user logs out. (XXX - can we explicitly check whether we're
1509 running as a service?) */
1511 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1512 "Console: Control signal");
1513 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1514 "Console: Control signal, CtrlType: %u", dwCtrlType);
1516 /* Keep capture running if we're a service and a user logs off */
1517 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1518 capture_loop_stop();
1526 capture_cleanup_handler(int signum _U_)
1528 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1529 SIGTERM. We assume that if the user wanted it to keep running
1530 after they logged out, they'd have nohupped it. */
1532 /* Note: don't call g_log() in the signal handler: if we happened to be in
1533 * g_log() in process context when the signal came in, g_log will detect
1534 * the "recursion" and abort.
1537 capture_loop_stop();
1543 report_capture_count(gboolean reportit)
1545 /* Don't print this if we're a capture child. */
1546 if (!capture_child && reportit) {
1547 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1548 /* stderr could be line buffered */
1556 report_counts_for_siginfo(void)
1558 report_capture_count(quiet);
1559 infoprint = FALSE; /* we just reported it */
1563 report_counts_siginfo(int signum _U_)
1565 int sav_errno = errno;
1567 /* If we've been told to delay printing, just set a flag asking
1568 that we print counts (if we're supposed to), otherwise print
1569 the count of packets captured (if we're supposed to). */
1573 report_counts_for_siginfo();
1576 #endif /* SIGINFO */
1579 exit_main(int status)
1582 /* Shutdown windows sockets */
1585 /* can be helpful for debugging */
1586 #ifdef DEBUG_DUMPCAP
1587 printf("Press any key\n");
1598 * If we were linked with libcap (not related to libpcap), make sure we have
1599 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1600 * (See comment in main() for details)
1603 relinquish_privs_except_capture(void)
1605 /* If 'started_with_special_privs' (ie: suid) then enable for
1606 * ourself the NET_ADMIN and NET_RAW capabilities and then
1607 * drop our suid privileges.
1609 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1610 * stuff we don't need (and shouldn't have).
1611 * CAP_NET_RAW: Packet capture (raw sockets).
1614 if (started_with_special_privs()) {
1615 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1616 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1618 cap_t caps = cap_init(); /* all capabilities initialized to off */
1620 print_caps("Pre drop, pre set");
1622 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1623 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1626 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1627 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1629 if (cap_set_proc(caps)) {
1630 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1632 print_caps("Pre drop, post set");
1634 relinquish_special_privs_perm();
1636 print_caps("Post drop, pre set");
1637 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1638 if (cap_set_proc(caps)) {
1639 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1641 print_caps("Post drop, post set");
1647 #endif /* HAVE_LIBCAP */
1649 /* Take care of byte order in the libpcap headers read from pipes.
1650 * (function taken from wiretap/libpcap.c) */
1652 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1655 /* Byte-swap the record header fields. */
1656 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1657 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1658 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1659 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1662 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1663 swapped, in order to match the BPF header layout.
1665 Unfortunately, some files were, according to a comment in the "libpcap"
1666 source, written with version 2.3 in their headers but without the
1667 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1668 would make no sense - we assume that we need to swap them. */
1669 if (hdr->version_major == 2 &&
1670 (hdr->version_minor < 3 ||
1671 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1674 temp = rechdr->orig_len;
1675 rechdr->orig_len = rechdr->incl_len;
1676 rechdr->incl_len = temp;
1680 /* Wrapper: distinguish between recv/read if we're reading on Windows,
1684 cap_pipe_read(int pipe_fd, char *buf, size_t sz, gboolean from_socket _U_)
1688 return recv(pipe_fd, buf, (int)sz, 0);
1693 return ws_read(pipe_fd, buf, sz);
1699 * Thread function that reads from a pipe and pushes the data
1700 * to the main application thread.
1703 * XXX Right now we use async queues for basic signaling. The main thread
1704 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1705 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1706 * Iff the read is successful cap_pipe_read pushes an item onto
1707 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1708 * the queues themselves (yet).
1710 * We might want to move some of the cap_pipe_dispatch logic here so that
1711 * we can let cap_thread_read run independently, queuing up multiple reads
1712 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1714 static void *cap_thread_read(void *arg)
1716 pcap_options *pcap_opts;
1719 DWORD b, last_err, bytes_read;
1725 pcap_opts = (pcap_options *)arg;
1726 while (pcap_opts->cap_pipe_err == PIPOK) {
1727 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1728 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1730 while (bytes_read < pcap_opts->cap_pipe_bytes_to_read) {
1731 if ((pcap_opts->from_cap_socket)
1737 b = cap_pipe_read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1738 pcap_opts->cap_pipe_bytes_to_read - bytes_read, pcap_opts->from_cap_socket);
1741 pcap_opts->cap_pipe_err = PIPEOF;
1745 pcap_opts->cap_pipe_err = PIPERR;
1756 /* If we try to use read() on a named pipe on Windows with partial
1757 * data it appears to return EOF.
1759 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1760 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1765 last_err = GetLastError();
1766 if (last_err == ERROR_MORE_DATA) {
1768 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1769 pcap_opts->cap_pipe_err = PIPEOF;
1773 pcap_opts->cap_pipe_err = PIPERR;
1776 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1777 pcap_opts->cap_pipe_err = PIPEOF;
1784 pcap_opts->cap_pipe_bytes_read = bytes_read;
1785 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1786 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1788 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1794 /* Provide select() functionality for a single file descriptor
1795 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1797 * Returns the same values as select.
1800 cap_pipe_select(int pipe_fd)
1803 struct timeval timeout;
1806 FD_SET(pipe_fd, &rfds);
1808 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1809 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1811 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1814 #define DEF_TCP_PORT 19000
1817 cap_open_socket(char *pipename, pcap_options *pcap_opts, char *errmsg, int errmsgl)
1819 char *sockname = pipename + 4;
1820 struct sockaddr_in sa;
1827 memset(&sa, 0, sizeof(sa));
1829 p = strchr(sockname, ':');
1831 len = strlen(sockname);
1832 port = DEF_TCP_PORT;
1836 port = strtoul(p + 1, &p, 10);
1837 if (*p || port > 65535) {
1846 strncpy(buf, sockname, len);
1848 if (!inet_pton(AF_INET, buf, &sa.sin_addr)) {
1852 sa.sin_family = AF_INET;
1853 sa.sin_port = htons((u_short)port);
1855 if (((fd = (int)socket(AF_INET, SOCK_STREAM, 0)) < 0) ||
1856 (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)) {
1858 LPTSTR errorText = NULL;
1861 lastError = WSAGetLastError();
1862 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
1863 FORMAT_MESSAGE_ALLOCATE_BUFFER |
1864 FORMAT_MESSAGE_IGNORE_INSERTS,
1865 NULL, lastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
1866 (LPTSTR)&errorText, 0, NULL);
1868 g_snprintf(errmsg, errmsgl,
1869 "The capture session could not be initiated due to the socket error: \n"
1871 " %d: %S", lastError, errorText ? (char *)errorText : "Unknown");
1873 LocalFree(errorText);
1875 " %d: %s", errno, strerror(errno));
1877 pcap_opts->cap_pipe_err = PIPERR;
1880 cap_pipe_close(fd, TRUE);
1884 pcap_opts->from_cap_socket = TRUE;
1888 g_snprintf(errmsg, errmsgl,
1889 "The capture session could not be initiated because\n"
1890 "\"%s\" is not a valid socket specification", pipename);
1891 pcap_opts->cap_pipe_err = PIPERR;
1895 /* Wrapper: distinguish between closesocket on Windows; use ws_close
1899 cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
1903 closesocket(pipe_fd);
1910 /* Mimic pcap_open_live() for pipe captures
1912 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1913 * open it, and read the header.
1915 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1916 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1918 cap_pipe_open_live(char *pipename,
1919 pcap_options *pcap_opts,
1920 struct pcap_hdr *hdr,
1921 char *errmsg, int errmsgl)
1924 ws_statb64 pipe_stat;
1925 struct sockaddr_un sa;
1935 pcap_opts->cap_pipe_fd = -1;
1937 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1939 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1942 * XXX - this blocks until a pcap per-file header has been written to
1943 * the pipe, so it could block indefinitely.
1945 if (strcmp(pipename, "-") == 0) {
1947 fd = 0; /* read from stdin */
1949 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1951 } else if (!strncmp(pipename, "TCP@", 4)) {
1952 if ((fd = cap_open_socket(pipename, pcap_opts, errmsg, errmsgl)) < 0) {
1957 if (ws_stat64(pipename, &pipe_stat) < 0) {
1958 if (errno == ENOENT || errno == ENOTDIR)
1959 pcap_opts->cap_pipe_err = PIPNEXIST;
1961 g_snprintf(errmsg, errmsgl,
1962 "The capture session could not be initiated "
1963 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1964 pcap_opts->cap_pipe_err = PIPERR;
1968 if (S_ISFIFO(pipe_stat.st_mode)) {
1969 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1971 g_snprintf(errmsg, errmsgl,
1972 "The capture session could not be initiated "
1973 "due to error on pipe open: %s", g_strerror(errno));
1974 pcap_opts->cap_pipe_err = PIPERR;
1977 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1978 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1980 g_snprintf(errmsg, errmsgl,
1981 "The capture session could not be initiated "
1982 "due to error on socket create: %s", g_strerror(errno));
1983 pcap_opts->cap_pipe_err = PIPERR;
1986 sa.sun_family = AF_UNIX;
1988 * The Single UNIX Specification says:
1990 * The size of sun_path has intentionally been left undefined.
1991 * This is because different implementations use different sizes.
1992 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1993 * of 104. Since most implementations originate from BSD versions,
1994 * the size is typically in the range 92 to 108.
1996 * Applications should not assume a particular length for sun_path
1997 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
2001 * The <sys/un.h> header shall define the sockaddr_un structure,
2002 * which shall include at least the following members:
2004 * sa_family_t sun_family Address family.
2005 * char sun_path[] Socket pathname.
2007 * so we assume that it's an array, with a specified size,
2008 * and that the size reflects the maximum path length.
2010 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
2011 /* Path name too long */
2012 g_snprintf(errmsg, errmsgl,
2013 "The capture session coud not be initiated "
2014 "due to error on socket connect: Path name too long");
2015 pcap_opts->cap_pipe_err = PIPERR;
2019 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
2021 g_snprintf(errmsg, errmsgl,
2022 "The capture session coud not be initiated "
2023 "due to error on socket connect: %s", g_strerror(errno));
2024 pcap_opts->cap_pipe_err = PIPERR;
2029 if (S_ISCHR(pipe_stat.st_mode)) {
2031 * Assume the user specified an interface on a system where
2032 * interfaces are in /dev. Pretend we haven't seen it.
2034 pcap_opts->cap_pipe_err = PIPNEXIST;
2036 g_snprintf(errmsg, errmsgl,
2037 "The capture session could not be initiated because\n"
2038 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
2039 pcap_opts->cap_pipe_err = PIPERR;
2044 #define PIPE_STR "\\pipe\\"
2045 /* Under Windows, named pipes _must_ have the form
2046 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
2048 pncopy = g_strdup(pipename);
2049 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
2050 pos = strchr(pncopy + 3, '\\');
2051 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
2058 g_snprintf(errmsg, errmsgl,
2059 "The capture session could not be initiated because\n"
2060 "\"%s\" is neither an interface nor a pipe", pipename);
2061 pcap_opts->cap_pipe_err = PIPNEXIST;
2065 /* Wait for the pipe to appear */
2067 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
2068 OPEN_EXISTING, 0, NULL);
2070 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
2073 if (GetLastError() != ERROR_PIPE_BUSY) {
2074 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2075 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2076 g_snprintf(errmsg, errmsgl,
2077 "The capture session on \"%s\" could not be started "
2078 "due to error on pipe open: %s (error %d)",
2079 pipename, utf_16to8(err_str), GetLastError());
2081 pcap_opts->cap_pipe_err = PIPERR;
2085 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
2086 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2087 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2088 g_snprintf(errmsg, errmsgl,
2089 "The capture session on \"%s\" timed out during "
2090 "pipe open: %s (error %d)",
2091 pipename, utf_16to8(err_str), GetLastError());
2093 pcap_opts->cap_pipe_err = PIPERR;
2100 pcap_opts->from_cap_pipe = TRUE;
2103 if (pcap_opts->from_cap_socket)
2106 /* read the pcap header */
2108 while (bytes_read < sizeof magic) {
2109 sel_ret = cap_pipe_select(fd);
2111 g_snprintf(errmsg, errmsgl,
2112 "Unexpected error from select: %s", g_strerror(errno));
2114 } else if (sel_ret > 0) {
2115 b = cap_pipe_read(fd, ((char *)&magic)+bytes_read,
2116 sizeof magic-bytes_read,
2117 pcap_opts->from_cap_socket);
2120 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2122 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2132 #if GLIB_CHECK_VERSION(2,31,0)
2133 g_thread_new("cap_pipe_open_live", &cap_thread_read, pcap_opts);
2135 g_thread_create(&cap_thread_read, pcap_opts, FALSE, NULL);
2138 pcap_opts->cap_pipe_buf = (char *) &magic;
2139 pcap_opts->cap_pipe_bytes_read = 0;
2140 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
2141 /* We don't have to worry about cap_pipe_read_mtx here */
2142 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2143 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2144 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2145 if (pcap_opts->cap_pipe_bytes_read == 0)
2146 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2148 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2157 case PCAP_NSEC_MAGIC:
2158 /* Host that wrote it has our byte order, and was running
2159 a program using either standard or ss990417 libpcap. */
2160 pcap_opts->cap_pipe_byte_swapped = FALSE;
2161 pcap_opts->cap_pipe_modified = FALSE;
2162 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
2164 case PCAP_MODIFIED_MAGIC:
2165 /* Host that wrote it has our byte order, but was running
2166 a program using either ss990915 or ss991029 libpcap. */
2167 pcap_opts->cap_pipe_byte_swapped = FALSE;
2168 pcap_opts->cap_pipe_modified = TRUE;
2170 case PCAP_SWAPPED_MAGIC:
2171 case PCAP_SWAPPED_NSEC_MAGIC:
2172 /* Host that wrote it has a byte order opposite to ours,
2173 and was running a program using either standard or
2174 ss990417 libpcap. */
2175 pcap_opts->cap_pipe_byte_swapped = TRUE;
2176 pcap_opts->cap_pipe_modified = FALSE;
2177 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
2179 case PCAP_SWAPPED_MODIFIED_MAGIC:
2180 /* Host that wrote it out has a byte order opposite to
2181 ours, and was running a program using either ss990915
2182 or ss991029 libpcap. */
2183 pcap_opts->cap_pipe_byte_swapped = TRUE;
2184 pcap_opts->cap_pipe_modified = TRUE;
2187 /* Not a "libpcap" type we know about. */
2188 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2193 if (pcap_opts->from_cap_socket)
2196 /* Read the rest of the header */
2198 while (bytes_read < sizeof(struct pcap_hdr)) {
2199 sel_ret = cap_pipe_select(fd);
2201 g_snprintf(errmsg, errmsgl,
2202 "Unexpected error from select: %s", g_strerror(errno));
2204 } else if (sel_ret > 0) {
2205 b = cap_pipe_read(fd, ((char *)hdr)+bytes_read,
2206 sizeof(struct pcap_hdr) - bytes_read,
2207 pcap_opts->from_cap_socket);
2210 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2212 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2222 pcap_opts->cap_pipe_buf = (char *) hdr;
2223 pcap_opts->cap_pipe_bytes_read = 0;
2224 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2225 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2226 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2227 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2228 if (pcap_opts->cap_pipe_bytes_read == 0)
2229 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2231 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2238 if (pcap_opts->cap_pipe_byte_swapped) {
2239 /* Byte-swap the header fields about which we care. */
2240 hdr->version_major = BSWAP16(hdr->version_major);
2241 hdr->version_minor = BSWAP16(hdr->version_minor);
2242 hdr->snaplen = BSWAP32(hdr->snaplen);
2243 hdr->network = BSWAP32(hdr->network);
2245 pcap_opts->linktype = hdr->network;
2247 if (hdr->version_major < 2) {
2248 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2252 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2253 pcap_opts->cap_pipe_err = PIPOK;
2254 pcap_opts->cap_pipe_fd = fd;
2258 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2259 pcap_opts->cap_pipe_err = PIPERR;
2260 cap_pipe_close(fd, pcap_opts->from_cap_socket);
2261 pcap_opts->cap_pipe_fd = -1;
2265 /* We read one record from the pipe, take care of byte order in the record
2266 * header, write the record to the capture file, and update capture statistics. */
2268 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2270 struct pcap_pkthdr phdr;
2271 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2274 #if !GLIB_CHECK_VERSION(2,31,18)
2282 #ifdef LOG_CAPTURE_VERBOSE
2283 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2286 switch (pcap_opts->cap_pipe_state) {
2288 case STATE_EXPECT_REC_HDR:
2290 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2293 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2294 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2295 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2296 pcap_opts->cap_pipe_bytes_read = 0;
2299 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2300 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2301 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2306 case STATE_READ_REC_HDR:
2308 if (pcap_opts->from_cap_socket)
2311 b = cap_pipe_read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2312 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
2315 result = PD_PIPE_EOF;
2317 result = PD_PIPE_ERR;
2320 pcap_opts->cap_pipe_bytes_read += b;
2324 #if GLIB_CHECK_VERSION(2,31,18)
2325 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2327 g_get_current_time(&wait_time);
2328 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2329 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2331 if (pcap_opts->cap_pipe_err == PIPEOF) {
2332 result = PD_PIPE_EOF;
2334 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2335 result = PD_PIPE_ERR;
2343 if (pcap_opts->cap_pipe_bytes_read < pcap_opts->cap_pipe_bytes_to_read)
2345 result = PD_REC_HDR_READ;
2348 case STATE_EXPECT_DATA:
2350 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2353 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2354 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2355 pcap_opts->cap_pipe_bytes_read = 0;
2358 pcap_opts->cap_pipe_buf = (char *) data;
2359 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2360 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2365 case STATE_READ_DATA:
2367 if (pcap_opts->from_cap_socket)
2370 b = cap_pipe_read(pcap_opts->cap_pipe_fd,
2371 data+pcap_opts->cap_pipe_bytes_read,
2372 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read,
2373 pcap_opts->from_cap_socket);
2376 result = PD_PIPE_EOF;
2378 result = PD_PIPE_ERR;
2381 pcap_opts->cap_pipe_bytes_read += b;
2386 #if GLIB_CHECK_VERSION(2,31,18)
2387 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2389 g_get_current_time(&wait_time);
2390 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2391 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2392 #endif /* GLIB_CHECK_VERSION(2,31,18) */
2393 if (pcap_opts->cap_pipe_err == PIPEOF) {
2394 result = PD_PIPE_EOF;
2396 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2397 result = PD_PIPE_ERR;
2405 if (pcap_opts->cap_pipe_bytes_read < pcap_opts->cap_pipe_bytes_to_read)
2407 result = PD_DATA_READ;
2411 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2414 } /* switch (pcap_opts->cap_pipe_state) */
2417 * We've now read as much data as we were expecting, so process it.
2421 case PD_REC_HDR_READ:
2422 /* We've read the header. Take care of byte order. */
2423 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2424 &pcap_opts->cap_pipe_rechdr.hdr);
2425 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2426 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2427 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2431 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2432 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2435 /* no data to read? fall through */
2438 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2439 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2440 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2441 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2442 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2445 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2447 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2449 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2453 pcap_opts->cap_pipe_err = PIPEOF;
2458 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2459 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2460 g_snprintf(errmsg, errmsgl,
2461 "Error reading from pipe: %s (error %d)",
2462 utf_16to8(err_str), GetLastError());
2465 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2473 pcap_opts->cap_pipe_err = PIPERR;
2474 /* Return here rather than inside the switch to prevent GCC warning */
2479 /** Open the capture input file (pcap or capture pipe).
2480 * Returns TRUE if it succeeds, FALSE otherwise. */
2482 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2483 char *errmsg, size_t errmsg_len,
2484 char *secondary_errmsg, size_t secondary_errmsg_len)
2486 gchar open_err_str[PCAP_ERRBUF_SIZE];
2487 gchar *sync_msg_str;
2488 interface_options interface_opts;
2489 pcap_options *pcap_opts;
2493 gchar *sync_secondary_msg_str;
2494 WORD wVersionRequested;
2498 /* XXX - opening Winsock on tshark? */
2500 /* Initialize Windows Socket if we are in a WIN32 OS
2501 This needs to be done before querying the interface for network/netmask */
2503 /* XXX - do we really require 1.1 or earlier?
2504 Are there any versions that support only 2.0 or higher? */
2505 wVersionRequested = MAKEWORD(1, 1);
2506 err = WSAStartup(wVersionRequested, &wsaData);
2510 case WSASYSNOTREADY:
2511 g_snprintf(errmsg, (gulong) errmsg_len,
2512 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2515 case WSAVERNOTSUPPORTED:
2516 g_snprintf(errmsg, (gulong) errmsg_len,
2517 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2518 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2521 case WSAEINPROGRESS:
2522 g_snprintf(errmsg, (gulong) errmsg_len,
2523 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2527 g_snprintf(errmsg, (gulong) errmsg_len,
2528 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2532 g_snprintf(errmsg, (gulong) errmsg_len,
2533 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2537 g_snprintf(errmsg, (gulong) errmsg_len,
2538 "Couldn't initialize Windows Sockets: error %d", err);
2541 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2545 if ((use_threads == FALSE) &&
2546 (capture_opts->ifaces->len > 1)) {
2547 g_snprintf(errmsg, (gulong) errmsg_len,
2548 "Using threads is required for capturing on multiple interfaces!");
2552 for (i = 0; i < capture_opts->ifaces->len; i++) {
2553 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2554 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2555 if (pcap_opts == NULL) {
2556 g_snprintf(errmsg, (gulong) errmsg_len,
2557 "Could not allocate memory.");
2560 pcap_opts->received = 0;
2561 pcap_opts->dropped = 0;
2562 pcap_opts->flushed = 0;
2563 pcap_opts->pcap_h = NULL;
2564 #ifdef MUST_DO_SELECT
2565 pcap_opts->pcap_fd = -1;
2567 pcap_opts->pcap_err = FALSE;
2568 pcap_opts->interface_id = i;
2569 pcap_opts->tid = NULL;
2570 pcap_opts->snaplen = 0;
2571 pcap_opts->linktype = -1;
2572 pcap_opts->ts_nsec = FALSE;
2573 pcap_opts->from_cap_pipe = FALSE;
2574 pcap_opts->from_cap_socket = FALSE;
2575 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2576 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2578 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2580 pcap_opts->cap_pipe_fd = -1;
2581 pcap_opts->cap_pipe_modified = FALSE;
2582 pcap_opts->cap_pipe_byte_swapped = FALSE;
2584 pcap_opts->cap_pipe_buf = NULL;
2586 pcap_opts->cap_pipe_bytes_to_read = 0;
2587 pcap_opts->cap_pipe_bytes_read = 0;
2588 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2589 pcap_opts->cap_pipe_err = PIPOK;
2591 #if GLIB_CHECK_VERSION(2,31,0)
2592 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2593 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2595 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2597 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2598 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2600 g_array_append_val(ld->pcaps, pcap_opts);
2602 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2603 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2605 if (pcap_opts->pcap_h != NULL) {
2606 /* we've opened "iface" as a network device */
2608 /* try to set the capture buffer size */
2609 if (interface_opts.buffer_size > 1 &&
2610 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2611 sync_secondary_msg_str = g_strdup_printf(
2612 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2613 "the default of 1MB will be used.\n"
2615 "Nonetheless, the capture is started.\n",
2616 interface_opts.buffer_size);
2617 report_capture_error("Couldn't set the capture buffer size!",
2618 sync_secondary_msg_str);
2619 g_free(sync_secondary_msg_str);
2623 #if defined(HAVE_PCAP_SETSAMPLING)
2624 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2625 struct pcap_samp *samp;
2627 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2628 switch (interface_opts.sampling_method) {
2629 case CAPTURE_SAMP_BY_COUNT:
2630 samp->method = PCAP_SAMP_1_EVERY_N;
2633 case CAPTURE_SAMP_BY_TIMER:
2634 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2638 sync_msg_str = g_strdup_printf(
2639 "Unknown sampling method %d specified,\n"
2640 "continue without packet sampling",
2641 interface_opts.sampling_method);
2642 report_capture_error("Couldn't set the capture "
2643 "sampling", sync_msg_str);
2644 g_free(sync_msg_str);
2646 samp->value = interface_opts.sampling_param;
2648 report_capture_error("Couldn't set the capture sampling",
2649 "Cannot get packet sampling data structure");
2654 /* setting the data link type only works on real interfaces */
2655 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2657 secondary_errmsg, secondary_errmsg_len)) {
2660 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2662 /* We couldn't open "iface" as a network device. */
2663 /* Try to open it as a pipe */
2664 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2667 if (pcap_opts->cap_pipe_fd == -1) {
2669 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2671 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2672 /* Pipe doesn't exist, so output message for interface */
2673 get_capture_device_open_failure_messages(open_err_str,
2674 interface_opts.name,
2678 secondary_errmsg_len);
2681 * Else pipe (or file) does exist and cap_pipe_open_live() has
2686 /* cap_pipe_open_live() succeeded; don't want
2687 error message from pcap_open_live() */
2688 open_err_str[0] = '\0';
2692 /* XXX - will this work for tshark? */
2693 #ifdef MUST_DO_SELECT
2694 if (!pcap_opts->from_cap_pipe) {
2695 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2696 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2698 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2703 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2704 returned a warning; print it, but keep capturing. */
2705 if (open_err_str[0] != '\0') {
2706 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2707 report_capture_error(sync_msg_str, "");
2708 g_free(sync_msg_str);
2710 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2711 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2714 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2715 /* to remove any suid privileges. */
2716 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2717 /* (euid/egid have already previously been set to ruid/rgid. */
2718 /* (See comment in main() for details) */
2720 relinquish_special_privs_perm();
2722 relinquish_all_capabilities();
2727 /* close the capture input file (pcap or capture pipe) */
2728 static void capture_loop_close_input(loop_data *ld)
2731 pcap_options *pcap_opts;
2733 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2735 for (i = 0; i < ld->pcaps->len; i++) {
2736 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2737 /* if open, close the capture pipe "input file" */
2738 if (pcap_opts->cap_pipe_fd >= 0) {
2739 g_assert(pcap_opts->from_cap_pipe);
2740 cap_pipe_close(pcap_opts->cap_pipe_fd, pcap_opts->from_cap_socket);
2741 pcap_opts->cap_pipe_fd = -1;
2744 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2745 CloseHandle(pcap_opts->cap_pipe_h);
2746 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2749 /* if open, close the pcap "input file" */
2750 if (pcap_opts->pcap_h != NULL) {
2751 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2752 pcap_close(pcap_opts->pcap_h);
2753 pcap_opts->pcap_h = NULL;
2760 /* Shut down windows sockets */
2766 /* init the capture filter */
2767 static initfilter_status_t
2768 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2769 const gchar * name, const gchar * cfilter)
2771 struct bpf_program fcode;
2773 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2775 /* capture filters only work on real interfaces */
2776 if (cfilter && !from_cap_pipe) {
2777 /* A capture filter was specified; set it up. */
2778 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2779 /* Treat this specially - our caller might try to compile this
2780 as a display filter and, if that succeeds, warn the user that
2781 the display and capture filter syntaxes are different. */
2782 return INITFILTER_BAD_FILTER;
2784 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2785 #ifdef HAVE_PCAP_FREECODE
2786 pcap_freecode(&fcode);
2788 return INITFILTER_OTHER_ERROR;
2790 #ifdef HAVE_PCAP_FREECODE
2791 pcap_freecode(&fcode);
2795 return INITFILTER_NO_ERROR;
2799 /* set up to write to the already-opened capture output file/files */
2801 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2805 pcap_options *pcap_opts;
2806 interface_options interface_opts;
2807 gboolean successful;
2809 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2811 if ((capture_opts->use_pcapng == FALSE) &&
2812 (capture_opts->ifaces->len > 1)) {
2813 g_snprintf(errmsg, errmsg_len,
2814 "Using PCAPNG is required for capturing on multiple interfaces! Use the -n option.");
2818 /* Set up to write to the capture file. */
2819 if (capture_opts->multi_files_on) {
2820 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2822 ld->pdh = ws_fdopen(ld->save_file_fd, "wb");
2823 if (ld->pdh == NULL) {
2828 if (capture_opts->use_pcapng) {
2830 GString *os_info_str;
2832 os_info_str = g_string_new("");
2833 get_os_version_info(os_info_str);
2835 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2836 successful = libpcap_write_session_header_block(libpcap_write_to_file, ld->pdh,
2839 os_info_str->str, /* OS*/
2841 -1, /* section_length */
2845 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2846 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2847 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2848 if (pcap_opts->from_cap_pipe) {
2849 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2851 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2853 successful = libpcap_write_interface_description_block(libpcap_write_to_file, global_ld.pdh,
2854 NULL, /* OPT_COMMENT 1 */
2855 interface_opts.name, /* IDB_NAME 2 */
2856 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2857 interface_opts.cfilter, /* IDB_FILTER 11 */
2858 os_info_str->str, /* IDB_OS 12 */
2859 pcap_opts->linktype,
2861 &(global_ld.bytes_written),
2862 0, /* IDB_IF_SPEED 8 */
2863 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2867 g_string_free(os_info_str, TRUE);
2870 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2871 if (pcap_opts->from_cap_pipe) {
2872 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2874 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2876 successful = libpcap_write_file_header(libpcap_write_to_file, ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2877 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2885 if (ld->pdh == NULL) {
2886 /* We couldn't set up to write to the capture file. */
2887 /* XXX - use cf_open_error_message from tshark instead? */
2892 g_snprintf(errmsg, errmsg_len,
2893 "The file to which the capture would be"
2894 " saved (\"%s\") could not be opened: Error %d.",
2895 capture_opts->save_file, err);
2897 g_snprintf(errmsg, errmsg_len,
2898 "The file to which the capture would be"
2899 " saved (\"%s\") could not be opened: %s.",
2900 capture_opts->save_file, g_strerror(err));
2912 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2916 pcap_options *pcap_opts;
2917 guint64 end_time = create_timestamp();
2919 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2921 if (capture_opts->multi_files_on) {
2922 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2924 if (capture_opts->use_pcapng) {
2925 for (i = 0; i < global_ld.pcaps->len; i++) {
2926 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2927 if (!pcap_opts->from_cap_pipe) {
2928 guint64 isb_ifrecv, isb_ifdrop;
2929 struct pcap_stat stats;
2931 if (pcap_stats(pcap_opts->pcap_h, &stats) >= 0) {
2932 isb_ifrecv = pcap_opts->received;
2933 isb_ifdrop = stats.ps_drop + pcap_opts->dropped + pcap_opts->flushed;
2935 isb_ifrecv = G_MAXUINT64;
2936 isb_ifdrop = G_MAXUINT64;
2938 libpcap_write_interface_statistics_block(libpcap_write_to_file, ld->pdh,
2941 "Counters provided by dumpcap",
2950 if (fclose(ld->pdh) == EOF) {
2951 if (err_close != NULL) {
2961 /* dispatch incoming packets (pcap or capture pipe)
2963 * Waits for incoming packets to be available, and calls pcap_dispatch()
2964 * to cause them to be processed.
2966 * Returns the number of packets which were processed.
2968 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2969 * packet-batching behaviour does not cause packets to get held back
2973 capture_loop_dispatch(loop_data *ld,
2974 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2977 gint packet_count_before;
2978 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2983 packet_count_before = ld->packet_count;
2984 if (pcap_opts->from_cap_pipe) {
2985 /* dispatch from capture pipe */
2986 #ifdef LOG_CAPTURE_VERBOSE
2987 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2990 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2992 if (sel_ret < 0 && errno != EINTR) {
2993 g_snprintf(errmsg, errmsg_len,
2994 "Unexpected error from select: %s", g_strerror(errno));
2995 report_capture_error(errmsg, please_report);
3000 * "select()" says we can read from the pipe without blocking
3003 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
3013 /* dispatch from pcap */
3014 #ifdef MUST_DO_SELECT
3016 * If we have "pcap_get_selectable_fd()", we use it to get the
3017 * descriptor on which to select; if that's -1, it means there
3018 * is no descriptor on which you can do a "select()" (perhaps
3019 * because you're capturing on a special device, and that device's
3020 * driver unfortunately doesn't support "select()", in which case
3021 * we don't do the select - which means it might not be possible
3022 * to stop a capture until a packet arrives. If that's unacceptable,
3023 * plead with whoever supplies the software for that device to add
3024 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
3025 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
3026 * later, so it can use pcap_breakloop().
3028 #ifdef LOG_CAPTURE_VERBOSE
3029 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
3031 if (pcap_opts->pcap_fd != -1) {
3032 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
3035 * "select()" says we can read from it without blocking; go for
3038 * We don't have pcap_breakloop(), so we only process one packet
3039 * per pcap_dispatch() call, to allow a signal to stop the
3040 * processing immediately, rather than processing all packets
3041 * in a batch before quitting.
3044 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3046 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3050 /* Error, rather than pcap_breakloop(). */
3051 pcap_opts->pcap_err = TRUE;
3053 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3056 if (sel_ret < 0 && errno != EINTR) {
3057 g_snprintf(errmsg, errmsg_len,
3058 "Unexpected error from select: %s", g_strerror(errno));
3059 report_capture_error(errmsg, please_report);
3065 #endif /* MUST_DO_SELECT */
3067 /* dispatch from pcap without select */
3069 #ifdef LOG_CAPTURE_VERBOSE
3070 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
3074 * On Windows, we don't support asynchronously telling a process to
3075 * stop capturing; instead, we check for an indication on a pipe
3076 * after processing packets. We therefore process only one packet
3077 * at a time, so that we can check the pipe after every packet.
3080 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3082 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3086 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3088 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3093 /* Error, rather than pcap_breakloop(). */
3094 pcap_opts->pcap_err = TRUE;
3096 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3098 #else /* pcap_next_ex */
3099 #ifdef LOG_CAPTURE_VERBOSE
3100 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
3102 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
3105 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
3106 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
3107 * This should be fixed in the WinPcap 4.0 alpha release.
3109 * For reference, an example remote interface:
3110 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
3113 /* emulate dispatch from pcap */
3116 struct pcap_pkthdr *pkt_header;
3121 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
3123 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3125 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3130 pcap_opts->pcap_err = TRUE;
3134 #endif /* pcap_next_ex */
3138 #ifdef LOG_CAPTURE_VERBOSE
3139 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
3142 return ld->packet_count - packet_count_before;
3146 /* Isolate the Universally Unique Identifier from the interface. Basically, we
3147 * want to grab only the characters between the '{' and '}' delimiters.
3149 * Returns a GString that must be freed with g_string_free(). */
3151 isolate_uuid(const char *iface)
3156 ptr = strchr(iface, '{');
3158 return g_string_new(iface);
3159 gstr = g_string_new(ptr + 1);
3161 ptr = strchr(gstr->str, '}');
3165 gstr = g_string_truncate(gstr, ptr - gstr->str);
3170 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
3171 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
3173 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
3174 char *errmsg, int errmsg_len)
3177 gchar *capfile_name;
3179 gboolean is_tempfile;
3181 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
3182 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
3184 if (capture_opts->save_file != NULL) {
3185 /* We return to the caller while the capture is in progress.
3186 * Therefore we need to take a copy of save_file in
3187 * case the caller destroys it after we return.
3189 capfile_name = g_strdup(capture_opts->save_file);
3191 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
3192 if (capture_opts->multi_files_on) {
3193 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
3194 g_snprintf(errmsg, errmsg_len,
3195 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
3196 g_free(capfile_name);
3199 if (strcmp(capfile_name, "-") == 0) {
3200 /* write to stdout */
3203 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
3204 _setmode(1, O_BINARY);
3207 } /* if (...output_to_pipe ... */
3210 if (capture_opts->multi_files_on) {
3211 /* ringbuffer is enabled */
3212 *save_file_fd = ringbuf_init(capfile_name,
3213 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
3214 capture_opts->group_read_access);
3216 /* we need the ringbuf name */
3217 if (*save_file_fd != -1) {
3218 g_free(capfile_name);
3219 capfile_name = g_strdup(ringbuf_current_filename());
3222 /* Try to open/create the specified file for use as a capture buffer. */
3223 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
3224 (capture_opts->group_read_access) ? 0640 : 0600);
3227 is_tempfile = FALSE;
3229 /* Choose a random name for the temporary capture buffer */
3230 if (global_capture_opts.ifaces->len > 1) {
3231 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3234 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).console_display_name);
3236 /* use the generic portion of the interface guid to form the basis of the filename */
3237 if (strncmp("NPF_{", basename, 5)==0)
3239 /* we have a windows guid style device name, extract the guid digits as the basis of the filename */
3241 iface = isolate_uuid(basename);
3243 basename = g_strdup(iface->str);
3244 g_string_free(iface, TRUE);
3247 /* generate the temp file name prefix...
3248 * It would be nice if we could specify a pcapng/pcap filename suffix,
3249 * create_tempfile() however currently uses mkstemp() which doesn't allow this - one day perhaps*/
3250 if (capture_opts->use_pcapng) {
3251 prefix = g_strconcat("wireshark_pcapng_", basename, NULL);
3253 prefix = g_strconcat("wireshark_pcap_", basename, NULL);
3257 *save_file_fd = create_tempfile(&tmpname, prefix);
3259 capfile_name = g_strdup(tmpname);
3263 /* did we fail to open the output file? */
3264 if (*save_file_fd == -1) {
3266 g_snprintf(errmsg, errmsg_len,
3267 "The temporary file to which the capture would be saved (\"%s\") "
3268 "could not be opened: %s.", capfile_name, g_strerror(errno));
3270 if (capture_opts->multi_files_on) {
3271 ringbuf_error_cleanup();
3274 g_snprintf(errmsg, errmsg_len,
3275 "The file to which the capture would be saved (\"%s\") "
3276 "could not be opened: %s.", capfile_name,
3279 g_free(capfile_name);
3283 if (capture_opts->save_file != NULL) {
3284 g_free(capture_opts->save_file);
3286 capture_opts->save_file = capfile_name;
3287 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3288 "g_free(capfile_name)". */
3294 /* Do the work of handling either the file size or file duration capture
3295 conditions being reached, and switching files or stopping. */
3297 do_file_switch_or_stop(capture_options *capture_opts,
3298 condition *cnd_autostop_files,
3299 condition *cnd_autostop_size,
3300 condition *cnd_file_duration)
3303 pcap_options *pcap_opts;
3304 interface_options interface_opts;
3305 gboolean successful;
3307 if (capture_opts->multi_files_on) {
3308 if (cnd_autostop_files != NULL &&
3309 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3310 /* no files left: stop here */
3311 global_ld.go = FALSE;
3315 /* Switch to the next ringbuffer file */
3316 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3317 &global_ld.save_file_fd, &global_ld.err)) {
3319 /* File switch succeeded: reset the conditions */
3320 global_ld.bytes_written = 0;
3321 if (capture_opts->use_pcapng) {
3323 GString *os_info_str;
3325 os_info_str = g_string_new("");
3326 get_os_version_info(os_info_str);
3328 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3329 successful = libpcap_write_session_header_block(libpcap_write_to_file, global_ld.pdh,
3332 os_info_str->str, /* OS */
3334 -1, /* section_length */
3335 &(global_ld.bytes_written),
3338 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3339 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3340 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3341 successful = libpcap_write_interface_description_block(libpcap_write_to_file, global_ld.pdh,
3342 NULL, /* OPT_COMMENT 1 */
3343 interface_opts.name, /* IDB_NAME 2 */
3344 interface_opts.descr, /* IDB_DESCRIPTION 3 */
3345 interface_opts.cfilter, /* IDB_FILTER 11 */
3346 os_info_str->str, /* IDB_OS 12 */
3347 pcap_opts->linktype,
3349 &(global_ld.bytes_written),
3350 0, /* IDB_IF_SPEED 8 */
3351 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
3355 g_string_free(os_info_str, TRUE);
3358 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3359 successful = libpcap_write_file_header(libpcap_write_to_file, global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3360 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
3363 fclose(global_ld.pdh);
3364 global_ld.pdh = NULL;
3365 global_ld.go = FALSE;
3368 if (cnd_autostop_size)
3369 cnd_reset(cnd_autostop_size);
3370 if (cnd_file_duration)
3371 cnd_reset(cnd_file_duration);
3372 fflush(global_ld.pdh);
3374 report_packet_count(global_ld.inpkts_to_sync_pipe);
3375 global_ld.inpkts_to_sync_pipe = 0;
3376 report_new_capture_file(capture_opts->save_file);
3378 /* File switch failed: stop here */
3379 global_ld.go = FALSE;
3383 /* single file, stop now */
3384 global_ld.go = FALSE;
3391 pcap_read_handler(void* arg)
3393 pcap_options *pcap_opts;
3394 char errmsg[MSG_MAX_LENGTH+1];
3396 pcap_opts = (pcap_options *)arg;
3398 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3399 pcap_opts->interface_id);
3401 while (global_ld.go) {
3402 /* dispatch incoming packets */
3403 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3405 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3406 pcap_opts->interface_id);
3407 g_thread_exit(NULL);
3411 /* Do the low-level work of a capture.
3412 Returns TRUE if it succeeds, FALSE otherwise. */
3414 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3417 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3419 struct timeval upd_time, cur_time;
3423 condition *cnd_file_duration = NULL;
3424 condition *cnd_autostop_files = NULL;
3425 condition *cnd_autostop_size = NULL;
3426 condition *cnd_autostop_duration = NULL;
3429 gboolean cfilter_error = FALSE;
3430 char errmsg[MSG_MAX_LENGTH+1];
3431 char secondary_errmsg[MSG_MAX_LENGTH+1];
3432 pcap_options *pcap_opts;
3433 interface_options interface_opts;
3434 guint i, error_index = 0;
3437 *secondary_errmsg = '\0';
3439 /* init the loop data */
3440 global_ld.go = TRUE;
3441 global_ld.packet_count = 0;
3443 global_ld.report_packet_count = FALSE;
3445 if (capture_opts->has_autostop_packets)
3446 global_ld.packet_max = capture_opts->autostop_packets;
3448 global_ld.packet_max = 0; /* no limit */
3449 global_ld.inpkts_to_sync_pipe = 0;
3450 global_ld.err = 0; /* no error seen yet */
3451 global_ld.pdh = NULL;
3452 global_ld.autostop_files = 0;
3453 global_ld.save_file_fd = -1;
3455 /* We haven't yet gotten the capture statistics. */
3456 *stats_known = FALSE;
3458 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3459 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3461 /* open the "input file" from network interface or capture pipe */
3462 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3463 secondary_errmsg, sizeof(secondary_errmsg))) {
3466 for (i = 0; i < capture_opts->ifaces->len; i++) {
3467 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3468 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3469 /* init the input filter from the network interface (capture pipe will do nothing) */
3471 * When remote capturing WinPCap crashes when the capture filter
3472 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3475 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3476 interface_opts.name,
3477 interface_opts.cfilter?interface_opts.cfilter:"")) {
3479 case INITFILTER_NO_ERROR:
3482 case INITFILTER_BAD_FILTER:
3483 cfilter_error = TRUE;
3485 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3488 case INITFILTER_OTHER_ERROR:
3489 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3490 pcap_geterr(pcap_opts->pcap_h));
3491 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3496 /* If we're supposed to write to a capture file, open it for output
3497 (temporary/specified name/ringbuffer) */
3498 if (capture_opts->saving_to_file) {
3499 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3500 errmsg, sizeof(errmsg))) {
3504 /* set up to write to the already-opened capture output file/files */
3505 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3510 /* XXX - capture SIGTERM and close the capture, in case we're on a
3511 Linux 2.0[.x] system and you have to explicitly close the capture
3512 stream in order to turn promiscuous mode off? We need to do that
3513 in other places as well - and I don't think that works all the
3514 time in any case, due to libpcap bugs. */
3516 /* Well, we should be able to start capturing.
3518 Sync out the capture file, so the header makes it to the file system,
3519 and send a "capture started successfully and capture file created"
3520 message to our parent so that they'll open the capture file and
3521 update its windows to indicate that we have a live capture in
3523 fflush(global_ld.pdh);
3524 report_new_capture_file(capture_opts->save_file);
3527 /* initialize capture stop (and alike) conditions */
3528 init_capture_stop_conditions();
3529 /* create stop conditions */
3530 if (capture_opts->has_autostop_filesize)
3532 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3533 if (capture_opts->has_autostop_duration)
3534 cnd_autostop_duration =
3535 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3537 if (capture_opts->multi_files_on) {
3538 if (capture_opts->has_file_duration)
3540 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3542 if (capture_opts->has_autostop_files)
3543 cnd_autostop_files =
3544 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3547 /* init the time values */
3549 upd_time = GetTickCount();
3551 gettimeofday(&upd_time, NULL);
3553 start_time = create_timestamp();
3554 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3556 /* WOW, everything is prepared! */
3557 /* please fasten your seat belts, we will enter now the actual capture loop */
3559 pcap_queue = g_async_queue_new();
3560 pcap_queue_bytes = 0;
3561 pcap_queue_packets = 0;
3562 for (i = 0; i < global_ld.pcaps->len; i++) {
3563 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3564 #if GLIB_CHECK_VERSION(2,31,0)
3565 /* XXX - Add an interface name here? */
3566 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3568 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3572 while (global_ld.go) {
3573 /* dispatch incoming packets */
3575 pcap_queue_element *queue_element;
3576 #if GLIB_CHECK_VERSION(2,31,18)
3578 g_async_queue_lock(pcap_queue);
3579 queue_element = (pcap_queue_element *)g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3581 GTimeVal write_thread_time;
3583 g_get_current_time(&write_thread_time);
3584 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3585 g_async_queue_lock(pcap_queue);
3586 queue_element = (pcap_queue_element *)g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3588 if (queue_element) {
3589 pcap_queue_bytes -= queue_element->phdr.caplen;
3590 pcap_queue_packets -= 1;
3592 g_async_queue_unlock(pcap_queue);
3593 if (queue_element) {
3594 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3595 "Dequeued a packet of length %d captured on interface %d.",
3596 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3598 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3599 &queue_element->phdr,
3601 g_free(queue_element->pd);
3602 g_free(queue_element);
3608 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3609 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3610 sizeof(errmsg), pcap_opts);
3613 /* Were we asked to print packet counts by the SIGINFO handler? */
3614 if (global_ld.report_packet_count) {
3615 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3616 plurality(global_ld.packet_count, "", "s"));
3617 global_ld.report_packet_count = FALSE;
3622 /* any news from our parent (signal pipe)? -> just stop the capture */
3623 if (!signal_pipe_check_running()) {
3624 global_ld.go = FALSE;
3629 global_ld.inpkts_to_sync_pipe += inpkts;
3631 /* check capture size condition */
3632 if (cnd_autostop_size != NULL &&
3633 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3634 /* Capture size limit reached, do we have another file? */
3635 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3636 cnd_autostop_size, cnd_file_duration))
3638 } /* cnd_autostop_size */
3639 if (capture_opts->output_to_pipe) {
3640 fflush(global_ld.pdh);
3644 /* Only update once every 500ms so as not to overload slow displays.
3645 * This also prevents too much context-switching between the dumpcap
3646 * and wireshark processes.
3648 #define DUMPCAP_UPD_TIME 500
3651 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3652 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3654 gettimeofday(&cur_time, NULL);
3655 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3656 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3659 upd_time = cur_time;
3662 if (pcap_stats(pch, stats) >= 0) {
3663 *stats_known = TRUE;
3666 /* Let the parent process know. */
3667 if (global_ld.inpkts_to_sync_pipe) {
3669 fflush(global_ld.pdh);
3671 /* Send our parent a message saying we've written out
3672 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3674 report_packet_count(global_ld.inpkts_to_sync_pipe);
3676 global_ld.inpkts_to_sync_pipe = 0;
3679 /* check capture duration condition */
3680 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3681 /* The maximum capture time has elapsed; stop the capture. */
3682 global_ld.go = FALSE;
3686 /* check capture file duration condition */
3687 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3688 /* duration limit reached, do we have another file? */
3689 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3690 cnd_autostop_size, cnd_file_duration))
3692 } /* cnd_file_duration */
3696 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3698 pcap_queue_element *queue_element;
3700 for (i = 0; i < global_ld.pcaps->len; i++) {
3701 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3702 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3703 pcap_opts->interface_id);
3704 g_thread_join(pcap_opts->tid);
3705 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3706 pcap_opts->interface_id);
3709 g_async_queue_lock(pcap_queue);
3710 queue_element = (pcap_queue_element *)g_async_queue_try_pop_unlocked(pcap_queue);
3711 if (queue_element) {
3712 pcap_queue_bytes -= queue_element->phdr.caplen;
3713 pcap_queue_packets -= 1;
3715 g_async_queue_unlock(pcap_queue);
3716 if (queue_element == NULL) {
3719 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3720 "Dequeued a packet of length %d captured on interface %d.",
3721 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3722 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3723 &queue_element->phdr,
3725 g_free(queue_element->pd);
3726 g_free(queue_element);
3727 global_ld.inpkts_to_sync_pipe += 1;
3728 if (capture_opts->output_to_pipe) {
3729 fflush(global_ld.pdh);
3735 /* delete stop conditions */
3736 if (cnd_file_duration != NULL)
3737 cnd_delete(cnd_file_duration);
3738 if (cnd_autostop_files != NULL)
3739 cnd_delete(cnd_autostop_files);
3740 if (cnd_autostop_size != NULL)
3741 cnd_delete(cnd_autostop_size);
3742 if (cnd_autostop_duration != NULL)
3743 cnd_delete(cnd_autostop_duration);
3745 /* did we have a pcap (input) error? */
3746 for (i = 0; i < capture_opts->ifaces->len; i++) {
3747 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3748 if (pcap_opts->pcap_err) {
3749 /* On Linux, if an interface goes down while you're capturing on it,
3750 you'll get a "recvfrom: Network is down" or
3751 "The interface went down" error (ENETDOWN).
3752 (At least you will if g_strerror() doesn't show a local translation
3755 On FreeBSD and OS X, if a network adapter disappears while
3756 you're capturing on it, you'll get a "read: Device not configured"
3757 error (ENXIO). (See previous parenthetical note.)
3759 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3761 These should *not* be reported to the Wireshark developers. */
3764 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3765 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3766 strcmp(cap_err_str, "The interface went down") == 0 ||
3767 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3768 strcmp(cap_err_str, "read: I/O error") == 0 ||
3769 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3770 report_capture_error("The network adapter on which the capture was being done "
3771 "is no longer running; the capture has stopped.",
3774 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3776 report_capture_error(errmsg, please_report);
3779 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3780 report_capture_error(errmsg, "");
3784 /* did we have an output error while capturing? */
3785 if (global_ld.err == 0) {
3788 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3789 global_ld.err, FALSE);
3790 report_capture_error(errmsg, please_report);
3794 if (capture_opts->saving_to_file) {
3795 /* close the output file */
3796 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3800 /* there might be packets not yet notified to the parent */
3801 /* (do this after closing the file, so all packets are already flushed) */
3802 if (global_ld.inpkts_to_sync_pipe) {
3804 report_packet_count(global_ld.inpkts_to_sync_pipe);
3805 global_ld.inpkts_to_sync_pipe = 0;
3808 /* If we've displayed a message about a write error, there's no point
3809 in displaying another message about an error on close. */
3810 if (!close_ok && write_ok) {
3811 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3813 report_capture_error(errmsg, "");
3817 * XXX We exhibit different behaviour between normal mode and sync mode
3818 * when the pipe is stdin and not already at EOF. If we're a child, the
3819 * parent's stdin isn't closed, so if the user starts another capture,
3820 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3821 * will say "Unrecognized libpcap format". On the other hand, in normal
3822 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3825 report_capture_count(TRUE);
3827 /* get packet drop statistics from pcap */
3828 for (i = 0; i < capture_opts->ifaces->len; i++) {
3830 guint32 pcap_dropped = 0;
3832 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3833 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3834 received = pcap_opts->received;
3835 if (pcap_opts->pcap_h != NULL) {
3836 g_assert(!pcap_opts->from_cap_pipe);
3837 /* Get the capture statistics, so we know how many packets were dropped. */
3838 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3839 *stats_known = TRUE;
3840 /* Let the parent process know. */
3841 pcap_dropped += stats->ps_drop;
3843 g_snprintf(errmsg, sizeof(errmsg),
3844 "Can't get packet-drop statistics: %s",
3845 pcap_geterr(pcap_opts->pcap_h));
3846 report_capture_error(errmsg, please_report);
3849 report_packet_drops(received, pcap_dropped, pcap_opts->dropped, pcap_opts->flushed, interface_opts.console_display_name);
3852 /* close the input file (pcap or capture pipe) */
3853 capture_loop_close_input(&global_ld);
3855 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3857 /* ok, if the write and the close were successful. */
3858 return write_ok && close_ok;
3861 if (capture_opts->multi_files_on) {
3862 /* cleanup ringbuffer */
3863 ringbuf_error_cleanup();
3865 /* We can't use the save file, and we have no FILE * for the stream
3866 to close in order to close it, so close the FD directly. */
3867 if (global_ld.save_file_fd != -1) {
3868 ws_close(global_ld.save_file_fd);
3871 /* We couldn't even start the capture, so get rid of the capture
3873 if (capture_opts->save_file != NULL) {
3874 ws_unlink(capture_opts->save_file);
3875 g_free(capture_opts->save_file);
3878 capture_opts->save_file = NULL;
3880 report_cfilter_error(capture_opts, error_index, errmsg);
3882 report_capture_error(errmsg, secondary_errmsg);
3884 /* close the input file (pcap or cap_pipe) */
3885 capture_loop_close_input(&global_ld);
3887 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3894 capture_loop_stop(void)
3896 #ifdef HAVE_PCAP_BREAKLOOP
3898 pcap_options *pcap_opts;
3900 for (i = 0; i < global_ld.pcaps->len; i++) {
3901 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3902 if (pcap_opts->pcap_h != NULL)
3903 pcap_breakloop(pcap_opts->pcap_h);
3906 global_ld.go = FALSE;
3911 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3912 int err, gboolean is_close)
3917 g_snprintf(errmsg, errmsglen,
3918 "Not all the packets could be written to the file"
3919 " to which the capture was being saved\n"
3920 "(\"%s\") because there is no space left on the file system\n"
3921 "on which that file resides.",
3927 g_snprintf(errmsg, errmsglen,
3928 "Not all the packets could be written to the file"
3929 " to which the capture was being saved\n"
3930 "(\"%s\") because you are too close to, or over,"
3931 " your disk quota\n"
3932 "on the file system on which that file resides.",
3939 g_snprintf(errmsg, errmsglen,
3940 "The file to which the capture was being saved\n"
3941 "(\"%s\") could not be closed: %s.",
3942 fname, g_strerror(err));
3944 g_snprintf(errmsg, errmsglen,
3945 "An error occurred while writing to the file"
3946 " to which the capture was being saved\n"
3948 fname, g_strerror(err));
3955 /* one packet was captured, process it */
3957 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3960 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3962 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3964 /* We may be called multiple times from pcap_dispatch(); if we've set
3965 the "stop capturing" flag, ignore this packet, as we're not
3966 supposed to be saving any more packets. */
3967 if (!global_ld.go) {
3968 pcap_opts->flushed++;
3972 if (global_ld.pdh) {
3973 gboolean successful;
3975 /* We're supposed to write the packet to a file; do so.
3976 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3977 "ld->err" to the error. */
3978 if (global_capture_opts.use_pcapng) {
3979 successful = libpcap_write_enhanced_packet_block(libpcap_write_to_file, global_ld.pdh,
3981 phdr->ts.tv_sec, phdr->ts.tv_usec,
3982 phdr->caplen, phdr->len,
3983 pcap_opts->interface_id,
3986 &global_ld.bytes_written, &err);
3988 successful = libpcap_write_packet(libpcap_write_to_file, global_ld.pdh,
3989 phdr->ts.tv_sec, phdr->ts.tv_usec,
3990 phdr->caplen, phdr->len,
3992 &global_ld.bytes_written, &err);
3995 global_ld.go = FALSE;
3996 global_ld.err = err;
3997 pcap_opts->dropped++;
3999 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4000 "Wrote a packet of length %d captured on interface %u.",
4001 phdr->caplen, pcap_opts->interface_id);
4002 global_ld.packet_count++;
4003 pcap_opts->received++;
4004 /* if the user told us to stop after x packets, do we already have enough? */
4005 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
4006 global_ld.go = FALSE;
4012 /* one packet was captured, queue it */
4014 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
4017 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
4018 pcap_queue_element *queue_element;
4019 gboolean limit_reached;
4021 /* We may be called multiple times from pcap_dispatch(); if we've set
4022 the "stop capturing" flag, ignore this packet, as we're not
4023 supposed to be saving any more packets. */
4024 if (!global_ld.go) {
4025 pcap_opts->flushed++;
4029 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
4030 if (queue_element == NULL) {
4031 pcap_opts->dropped++;
4034 queue_element->pcap_opts = pcap_opts;
4035 queue_element->phdr = *phdr;
4036 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
4037 if (queue_element->pd == NULL) {
4038 pcap_opts->dropped++;
4039 g_free(queue_element);
4042 memcpy(queue_element->pd, pd, phdr->caplen);
4043 g_async_queue_lock(pcap_queue);
4044 if (((pcap_queue_byte_limit == 0) || (pcap_queue_bytes < pcap_queue_byte_limit)) &&
4045 ((pcap_queue_packet_limit == 0) || (pcap_queue_packets < pcap_queue_packet_limit))) {
4046 limit_reached = FALSE;
4047 g_async_queue_push_unlocked(pcap_queue, queue_element);
4048 pcap_queue_bytes += phdr->caplen;
4049 pcap_queue_packets += 1;
4051 limit_reached = TRUE;
4053 g_async_queue_unlock(pcap_queue);
4054 if (limit_reached) {
4055 pcap_opts->dropped++;
4056 g_free(queue_element->pd);
4057 g_free(queue_element);
4058 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4059 "Dropped a packet of length %d captured on interface %u.",
4060 phdr->caplen, pcap_opts->interface_id);
4062 pcap_opts->received++;
4063 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4064 "Queued a packet of length %d captured on interface %u.",
4065 phdr->caplen, pcap_opts->interface_id);
4067 /* I don't want to hold the mutex over the debug output. So the
4068 output may be wrong */
4069 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4070 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
4071 pcap_queue_bytes, pcap_queue_packets);
4075 set_80211_channel(const char *iface, const char *opt)
4077 int freq = 0, type, ret;
4078 gchar **options = NULL;
4080 options = g_strsplit_set(opt, ",", 2);
4083 freq = atoi(options[0]);
4086 type = ws80211_str_to_chan_type(options[1]);
4095 ret = ws80211_init();
4097 cmdarg_err("%d: Failed to init ws80211: %s\n", abs(ret), g_strerror(abs(ret)));
4101 ret = ws80211_set_freq(iface, freq, type);
4104 cmdarg_err("%d: Failed to set channel: %s\n", abs(ret), g_strerror(abs(ret)));
4110 pipe_write_block(2, SP_SUCCESS, NULL); ///
4114 g_strfreev(options);
4118 /* And now our feature presentation... [ fade to music ] */
4120 main(int argc, char *argv[])
4122 GString *comp_info_str;
4123 GString *runtime_info_str;
4125 gboolean arg_error = FALSE;
4130 struct sigaction action, oldaction;
4133 gboolean start_capture = TRUE;
4134 gboolean stats_known;
4135 struct pcap_stat stats;
4136 GLogLevelFlags log_flags;
4137 gboolean list_interfaces = FALSE;
4138 gboolean list_link_layer_types = FALSE;
4139 #ifdef HAVE_BPF_IMAGE
4140 gboolean print_bpf_code = FALSE;
4142 gboolean set_chan = FALSE;
4143 gchar *set_chan_arg = NULL;
4144 gboolean machine_readable = FALSE;
4145 gboolean print_statistics = FALSE;
4146 int status, run_once_args = 0;
4149 #if defined(__APPLE__) && defined(__LP64__)
4150 struct utsname osinfo;
4154 /* Assemble the compile-time version information string */
4155 comp_info_str = g_string_new("Compiled ");
4156 get_compiled_version_info(comp_info_str, NULL, NULL);
4158 /* Assemble the run-time version information string */
4159 runtime_info_str = g_string_new("Running ");
4160 get_runtime_version_info(runtime_info_str, NULL);
4162 /* Add it to the information to be reported on a crash. */
4163 ws_add_crash_info("Dumpcap " VERSION "%s\n"
4168 wireshark_svnversion, comp_info_str->str, runtime_info_str->str);
4171 arg_list_utf_16to8(argc, argv);
4172 create_app_running_mutex();
4175 * Initialize our DLL search path. MUST be called before LoadLibrary
4178 ws_init_dll_search_path();
4181 #ifdef HAVE_PCAP_REMOTE
4182 #define OPTSTRING_A "A:"
4183 #define OPTSTRING_r "r"
4184 #define OPTSTRING_u "u"
4186 #define OPTSTRING_A ""
4187 #define OPTSTRING_r ""
4188 #define OPTSTRING_u ""
4191 #ifdef HAVE_PCAP_SETSAMPLING
4192 #define OPTSTRING_m "m:"
4194 #define OPTSTRING_m ""
4197 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4198 #define OPTSTRING_B "B:"
4200 #define OPTSTRING_B ""
4201 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4203 #ifdef HAVE_PCAP_CREATE
4204 #define OPTSTRING_I "I"
4206 #define OPTSTRING_I ""
4209 #ifdef HAVE_BPF_IMAGE
4210 #define OPTSTRING_d "d"
4212 #define OPTSTRING_d ""
4215 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "C:c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "k:L" OPTSTRING_m "MN:npPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
4217 #ifdef DEBUG_CHILD_DUMPCAP
4218 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
4219 fprintf (stderr, "Unable to open debug log file !\n");
4224 #if defined(__APPLE__) && defined(__LP64__)
4226 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
4227 * a bug workaround - timeouts less than 1 second don't work with libpcap
4228 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
4229 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
4230 * The problem is extremely unlikely to be reintroduced in a future
4233 if (uname(&osinfo) == 0) {
4235 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
4236 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
4237 * number of 10.0.0, not 10.1.0 - go figure).
4239 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
4240 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
4241 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
4242 need_timeout_workaround = TRUE;
4247 * Determine if dumpcap is being requested to run in a special
4248 * capture_child mode by going thru the command line args to see if
4249 * a -Z is present. (-Z is a hidden option).
4251 * The primary result of running in capture_child mode is that
4252 * all messages sent out on stderr are in a special type/len/string
4253 * format to allow message processing by type. These messages include
4254 * error messages if dumpcap fails to start the operation it was
4255 * requested to do, as well as various "status" messages which are sent
4256 * when an actual capture is in progress, and a "success" message sent
4257 * if dumpcap was requested to perform an operation other than a
4260 * Capture_child mode would normally be requested by a parent process
4261 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
4262 * to which dumpcap stderr has been redirected. It might also have
4263 * another pipe to obtain dumpcap stdout output; for operations other
4264 * than a capture, that information is formatted specially for easier
4265 * parsing by the parent process.
4267 * Capture_child mode needs to be determined immediately upon
4268 * startup so that any messages generated by dumpcap in this mode
4269 * (eg: during initialization) will be formatted properly.
4272 for (i=1; i<argc; i++) {
4273 if (strcmp("-Z", argv[i]) == 0) {
4274 capture_child = TRUE;
4275 machine_readable = TRUE; /* request machine-readable output */
4277 /* set output pipe to binary mode, to avoid ugly text conversions */
4278 _setmode(2, O_BINARY);
4283 /* The default_log_handler will use stdout, which makes trouble in */
4284 /* capture child mode, as it uses stdout for its sync_pipe. */
4285 /* So: the filtering is done in the console_log_handler and not here.*/
4286 /* We set the log handlers right up front to make sure that any log */
4287 /* messages when running as child will be sent back to the parent */
4288 /* with the correct format. */
4293 G_LOG_LEVEL_CRITICAL|
4294 G_LOG_LEVEL_WARNING|
4295 G_LOG_LEVEL_MESSAGE|
4299 G_LOG_FLAG_RECURSION);
4301 g_log_set_handler(NULL,
4303 console_log_handler, NULL /* user_data */);
4304 g_log_set_handler(LOG_DOMAIN_MAIN,
4306 console_log_handler, NULL /* user_data */);
4307 g_log_set_handler(LOG_DOMAIN_CAPTURE,
4309 console_log_handler, NULL /* user_data */);
4310 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
4312 console_log_handler, NULL /* user_data */);
4314 /* Initialize the pcaps list */
4315 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
4317 #if !GLIB_CHECK_VERSION(2,31,0)
4318 /* Initialize the thread system */
4319 g_thread_init(NULL);
4323 /* Load wpcap if possible. Do this before collecting the run-time version information */
4326 /* ... and also load the packet.dll from wpcap */
4327 /* XXX - currently not required, may change later. */
4328 /*wpcap_packet_load();*/
4330 /* Start windows sockets */
4331 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
4333 /* Set handler for Ctrl+C key */
4334 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4336 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4337 and exit. Do the same with SIGPIPE, in case, for example,
4338 we're writing to our standard output and it's a pipe.
4339 Do the same with SIGHUP if it's not being ignored (if we're
4340 being run under nohup, it might be ignored, in which case we
4341 should leave it ignored).
4343 XXX - apparently, Coverity complained that part of action
4344 wasn't initialized. Perhaps it's running on Linux, where
4345 struct sigaction has an ignored "sa_restorer" element and
4346 where "sa_handler" and "sa_sigaction" might not be two
4347 members of a union. */
4348 memset(&action, 0, sizeof(action));
4349 action.sa_handler = capture_cleanup_handler;
4351 * Arrange that system calls not get restarted, because when
4352 * our signal handler returns we don't want to restart
4353 * a call that was waiting for packets to arrive.
4355 action.sa_flags = 0;
4356 sigemptyset(&action.sa_mask);
4357 sigaction(SIGTERM, &action, NULL);
4358 sigaction(SIGINT, &action, NULL);
4359 sigaction(SIGPIPE, &action, NULL);
4360 sigaction(SIGHUP, NULL, &oldaction);
4361 if (oldaction.sa_handler == SIG_DFL)
4362 sigaction(SIGHUP, &action, NULL);
4365 /* Catch SIGINFO and, if we get it and we're capturing in
4366 quiet mode, report the number of packets we've captured. */
4367 action.sa_handler = report_counts_siginfo;
4368 action.sa_flags = SA_RESTART;
4369 sigemptyset(&action.sa_mask);
4370 sigaction(SIGINFO, &action, NULL);
4371 #endif /* SIGINFO */
4374 /* ----------------------------------------------------------------- */
4375 /* Privilege and capability handling */
4377 /* 1. Running not as root or suid root; no special capabilities. */
4380 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4383 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4385 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4386 /* capabilities; Drop all other capabilities; */
4387 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4388 /* else: after pcap_open_live() in capture_loop_open_input() */
4389 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4390 /* (Note: this means that the process, although logged in */
4391 /* as root, does not have various permissions such as the */
4392 /* ability to bypass file access permissions). */
4393 /* XXX: Should we just leave capabilities alone in this case */
4394 /* so that user gets expected effect that root can do */
4397 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4399 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4400 /* else: after pcap_open_live() in capture_loop_open_input() */
4401 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4402 /* pcap_open_live). */
4404 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4406 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4407 /* capabilities; Drop all other capabilities; */
4408 /* Drop suid privileges (euid=ruid); */
4409 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4410 /* else: after pcap_open_live() in capture_loop_open_input() */
4411 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4413 /* XXX: For some Linux versions/distros with capabilities */
4414 /* a 'normal' process with any capabilities cannot be */
4415 /* 'killed' (signaled) from another (same uid) non-privileged */
4417 /* For example: If (non-suid) Wireshark forks a */
4418 /* child suid dumpcap which acts as described here (case 5), */
4419 /* Wireshark will be unable to kill (signal) the child */
4420 /* dumpcap process until the capabilities have been dropped */
4421 /* (after pcap_open_live()). */
4422 /* This behaviour will apparently be changed in the kernel */
4423 /* to allow the kill (signal) in this case. */
4424 /* See the following for details: */
4425 /* http://www.mail-archive.com/ [wrapped] */
4426 /* linux-security-module@vger.kernel.org/msg02913.html */
4428 /* It is therefore conceivable that if dumpcap somehow hangs */
4429 /* in pcap_open_live or before that wireshark will not */
4430 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4431 /* In this case, exiting wireshark will kill the child */
4432 /* dumpcap process. */
4434 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4435 /* capabilities; Using libcap. Note: capset cmd (which see) */
4436 /* used to assign capabilities to file. */
4438 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4439 /* else: after pcap_open_live() in capture_loop_open_input() */
4440 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4442 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4443 /* longer required (similar to capture). */
4445 /* ----------------------------------------------------------------- */
4447 init_process_policies();
4450 /* If 'started with special privileges' (and using libcap) */
4451 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4452 /* Set euid/egid = ruid/rgid to remove suid privileges */
4453 relinquish_privs_except_capture();
4456 /* Set the initial values in the capture options. This might be overwritten
4457 by the command line parameters. */
4458 capture_opts_init(&global_capture_opts);
4460 /* We always save to a file - if no file was specified, we save to a
4462 global_capture_opts.saving_to_file = TRUE;
4463 global_capture_opts.has_ring_num_files = TRUE;
4465 /* Pass on capture_child mode for capture_opts */
4466 global_capture_opts.capture_child = capture_child;
4468 /* Now get our args */
4469 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4471 case 'h': /* Print help and exit */
4475 case 'v': /* Show version and exit */
4477 show_version(comp_info_str, runtime_info_str);
4478 g_string_free(comp_info_str, TRUE);
4479 g_string_free(runtime_info_str, TRUE);
4483 /*** capture option specific ***/
4484 case 'a': /* autostop criteria */
4485 case 'b': /* Ringbuffer option */
4486 case 'c': /* Capture x packets */
4487 case 'f': /* capture filter */
4488 case 'g': /* enable group read access on file(s) */
4489 case 'i': /* Use interface x */
4490 case 'n': /* Use pcapng format */
4491 case 'p': /* Don't capture in promiscuous mode */
4492 case 'P': /* Use pcap format */
4493 case 's': /* Set the snapshot (capture) length */
4494 case 'w': /* Write to capture file x */
4495 case 'y': /* Set the pcap data link type */
4496 #ifdef HAVE_PCAP_REMOTE
4497 case 'u': /* Use UDP for data transfer */
4498 case 'r': /* Capture own RPCAP traffic too */
4499 case 'A': /* Authentication */
4501 #ifdef HAVE_PCAP_SETSAMPLING
4502 case 'm': /* Sampling */
4504 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4505 case 'B': /* Buffer size */
4506 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4507 #ifdef HAVE_PCAP_CREATE
4508 case 'I': /* Monitor mode */
4510 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4515 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4517 capture_child = TRUE;
4519 /* set output pipe to binary mode, to avoid ugly text conversions */
4520 _setmode(2, O_BINARY);
4522 * optarg = the control ID, aka the PPID, currently used for the
4525 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4526 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4527 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4528 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4530 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4531 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4532 "Signal pipe: Unable to open %s. Dead parent?",
4540 case 'q': /* Quiet */
4546 /*** all non capture option specific ***/
4547 case 'D': /* Print a list of capture devices and exit */
4548 list_interfaces = TRUE;
4551 case 'L': /* Print list of link-layer types and exit */
4552 list_link_layer_types = TRUE;
4555 #ifdef HAVE_BPF_IMAGE
4556 case 'd': /* Print BPF code for capture filter and exit */
4557 print_bpf_code = TRUE;
4561 case 'S': /* Print interface statistics once a second */
4562 print_statistics = TRUE;
4565 case 'k': /* Set wireless channel */
4567 set_chan_arg = optarg;
4570 case 'M': /* For -D, -L, and -S, print machine-readable output */
4571 machine_readable = TRUE;
4574 pcap_queue_byte_limit = get_positive_int(optarg, "byte_limit");
4577 pcap_queue_packet_limit = get_positive_int(optarg, "packet_limit");
4580 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4582 case '?': /* Bad flag - print usage message */
4591 /* user specified file name as regular command-line argument */
4592 /* XXX - use it as the capture file name (or something else)? */
4598 * Extra command line arguments were specified; complain.
4599 * XXX - interpret as capture filter, as tcpdump and tshark do?
4601 cmdarg_err("Invalid argument: %s", argv[0]);
4606 if ((pcap_queue_byte_limit > 0) || (pcap_queue_packet_limit > 0)) {
4609 if ((pcap_queue_byte_limit == 0) && (pcap_queue_packet_limit == 0)) {
4610 /* Use some default if the user hasn't specified some */
4611 /* XXX: Are these defaults good enough? */
4612 pcap_queue_byte_limit = 1000 * 1000;
4613 pcap_queue_packet_limit = 1000;
4620 if (run_once_args > 1) {
4621 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4623 } else if (run_once_args == 1) {
4624 /* We're supposed to print some information, rather than
4625 to capture traffic; did they specify a ring buffer option? */
4626 if (global_capture_opts.multi_files_on) {
4627 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4631 /* We're supposed to capture traffic; */
4632 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4633 if (global_capture_opts.ifaces->len > 1) {
4635 global_capture_opts.use_pcapng = TRUE;
4637 /* Was the ring buffer option specified and, if so, does it make sense? */
4638 if (global_capture_opts.multi_files_on) {
4639 /* Ring buffer works only under certain conditions:
4640 a) ring buffer does not work with temporary files;
4641 b) it makes no sense to enable the ring buffer if the maximum
4642 file size is set to "infinite". */
4643 if (global_capture_opts.save_file == NULL) {
4644 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4645 global_capture_opts.multi_files_on = FALSE;
4647 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4648 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4650 /* XXX - this must be redesigned as the conditions changed */
4651 global_capture_opts.multi_files_on = FALSE;
4658 * "-D" requires no interface to be selected; it's supposed to list
4661 if (list_interfaces) {
4662 /* Get the list of interfaces */
4667 if_list = capture_interface_list(&err, &err_str,NULL);
4668 if (if_list == NULL) {
4670 case CANT_GET_INTERFACE_LIST:
4671 case DONT_HAVE_PCAP:
4672 cmdarg_err("%s", err_str);
4677 case NO_INTERFACES_FOUND:
4679 * If we're being run by another program, just give them
4680 * an empty list of interfaces, don't report this as
4681 * an error; that lets them decide whether to report
4682 * this as an error or not.
4684 if (!machine_readable) {
4685 cmdarg_err("There are no interfaces on which a capture can be done");
4692 if (machine_readable) /* tab-separated values to stdout */
4693 print_machine_readable_interfaces(if_list);
4695 capture_opts_print_interfaces(if_list);
4696 free_interface_list(if_list);
4701 * "-S" requires no interface to be selected; it gives statistics
4702 * for all interfaces.
4704 if (print_statistics) {
4705 status = print_statistics_loop(machine_readable);
4710 interface_options interface_opts;
4712 if (global_capture_opts.ifaces->len != 1) {
4713 cmdarg_err("Need one interface");
4717 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, 0);
4718 status = set_80211_channel(interface_opts.name, set_chan_arg);
4723 * "-L", "-d", and capturing act on a particular interface, so we have to
4724 * have an interface; if none was specified, pick a default.
4726 status = capture_opts_default_iface_if_necessary(&global_capture_opts, NULL);
4728 /* cmdarg_err() already called .... */
4732 /* Let the user know what interfaces were chosen. */
4733 if (capture_child) {
4734 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4735 interface_options interface_opts;
4737 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4738 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4739 interface_opts.name);
4742 str = g_string_new("");
4744 if (global_capture_opts.ifaces->len < 2)
4746 if (global_capture_opts.ifaces->len < 4)
4749 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4750 interface_options interface_opts;
4752 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4754 if (global_capture_opts.ifaces->len > 2) {
4755 g_string_append_printf(str, ",");
4757 g_string_append_printf(str, " ");
4758 if (j == global_capture_opts.ifaces->len - 1) {
4759 g_string_append_printf(str, "and ");
4762 g_string_append_printf(str, "'%s'", interface_opts.console_display_name);
4765 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4767 fprintf(stderr, "Capturing on %s\n", str->str);
4768 g_string_free(str, TRUE);
4771 if (list_link_layer_types) {
4772 /* Get the list of link-layer types for the capture device. */
4773 if_capabilities_t *caps;
4777 for (ii = 0; ii < global_capture_opts.ifaces->len; ii++) {
4778 interface_options interface_opts;
4780 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, ii);
4781 caps = get_if_capabilities(interface_opts.name,
4782 interface_opts.monitor_mode, &err_str);
4784 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4785 "Please check to make sure you have sufficient permissions, and that\n"
4786 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4790 if (caps->data_link_types == NULL) {
4791 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4794 if (machine_readable) /* tab-separated values to stdout */
4795 /* XXX: We need to change the format and adopt consumers */
4796 print_machine_readable_if_capabilities(caps);
4798 /* XXX: We might want to print also the interface name */
4799 capture_opts_print_if_capabilities(caps, interface_opts.name,
4800 interface_opts.monitor_mode);
4801 free_if_capabilities(caps);
4806 /* We're supposed to do a capture, or print the BPF code for a filter.
4807 Process the snapshot length, as that affects the generated BPF code. */
4808 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4810 #ifdef HAVE_BPF_IMAGE
4811 if (print_bpf_code) {
4812 show_filter_code(&global_capture_opts);
4817 /* We're supposed to do a capture. Process the ring buffer arguments. */
4818 capture_opts_trim_ring_num_files(&global_capture_opts);
4820 /* flush stderr prior to starting the main capture loop */
4823 /* Now start the capture. */
4825 if (capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4829 /* capture failed */
4832 return 0; /* never here, make compiler happy */
4837 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4838 const char *message, gpointer user_data _U_)
4845 /* ignore log message, if log_level isn't interesting */
4846 if ( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4847 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4852 /* create a "timestamp" */
4854 today = localtime(&curr);
4856 switch(log_level & G_LOG_LEVEL_MASK) {
4857 case G_LOG_LEVEL_ERROR:
4860 case G_LOG_LEVEL_CRITICAL:
4863 case G_LOG_LEVEL_WARNING:
4866 case G_LOG_LEVEL_MESSAGE:
4869 case G_LOG_LEVEL_INFO:
4872 case G_LOG_LEVEL_DEBUG:
4876 fprintf(stderr, "unknown log_level %u\n", log_level);
4878 g_assert_not_reached();
4881 /* Generate the output message */
4882 if (log_level & G_LOG_LEVEL_MESSAGE) {
4883 /* normal user messages without additional infos */
4884 msg = g_strdup_printf("%s\n", message);
4886 /* info/debug messages with additional infos */
4887 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4888 today->tm_hour, today->tm_min, today->tm_sec,
4889 log_domain != NULL ? log_domain : "",
4893 /* DEBUG & INFO msgs (if we're debugging today) */
4894 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4895 if ( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4896 #ifdef DEBUG_DUMPCAP
4897 fprintf(stderr, "%s", msg);
4900 #ifdef DEBUG_CHILD_DUMPCAP
4901 fprintf(debug_log, "%s", msg);
4909 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4910 /* to parent especially formatted if dumpcap running as child. */
4911 if (capture_child) {
4912 sync_pipe_errmsg_to_parent(2, msg, "");
4914 fprintf(stderr, "%s", msg);
4921 /****************************************************************************************************************/
4922 /* indication report routines */
4926 report_packet_count(unsigned int packet_count)
4928 char tmp[SP_DECISIZE+1+1];
4929 static unsigned int count = 0;
4931 if (capture_child) {
4932 g_snprintf(tmp, sizeof(tmp), "%u", packet_count);
4933 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4934 pipe_write_block(2, SP_PACKET_COUNT, tmp); ///
4936 count += packet_count;
4937 fprintf(stderr, "\rPackets: %u ", count);
4938 /* stderr could be line buffered */
4944 report_new_capture_file(const char *filename)
4946 if (capture_child) {
4947 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4948 pipe_write_block(2, SP_FILE, filename); ///
4952 * Prevent a SIGINFO handler from writing to the standard error
4953 * while we're doing so; instead, have it just set a flag telling
4954 * us to print that information when we're done.
4957 #endif /* SIGINFO */
4958 fprintf(stderr, "File: %s\n", filename);
4959 /* stderr could be line buffered */
4964 * Allow SIGINFO handlers to write.
4969 * If a SIGINFO handler asked us to write out capture counts, do so.
4972 report_counts_for_siginfo();
4973 #endif /* SIGINFO */
4978 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4980 interface_options interface_opts;
4981 char tmp[MSG_MAX_LENGTH+1+6];
4983 if (i < capture_opts->ifaces->len) {
4984 if (capture_child) {
4985 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4986 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4987 pipe_write_block(2, SP_BAD_FILTER, tmp); ///
4990 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4991 * the error message below.
4993 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4995 "Invalid capture filter \"%s\" for interface %s!\n"
4997 "That string isn't a valid capture filter (%s).\n"
4998 "See the User's Guide for a description of the capture filter syntax.",
4999 interface_opts.cfilter, interface_opts.name, errmsg);
5005 report_capture_error(const char *error_msg, const char *secondary_error_msg)
5007 if (capture_child) {
5008 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5009 "Primary Error: %s", error_msg);
5010 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5011 "Secondary Error: %s", secondary_error_msg);
5012 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
5014 cmdarg_err("%s", error_msg);
5015 if (secondary_error_msg[0] != '\0')
5016 cmdarg_err_cont("%s", secondary_error_msg);
5021 report_packet_drops(guint32 received, guint32 pcap_drops, guint32 drops, guint32 flushed, gchar *name)
5023 char tmp[SP_DECISIZE+1+1];
5024 guint32 total_drops = pcap_drops + drops + flushed;
5026 g_snprintf(tmp, sizeof(tmp), "%u", total_drops);
5028 if (capture_child) {
5029 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5030 "Packets received/dropped on interface %s: %u/%u (pcap:%u/dumpcap:%u/flushed:%u)",
5031 name, received, total_drops, pcap_drops, drops, flushed);
5032 /* XXX: Need to provide interface id, changes to consumers required. */
5033 pipe_write_block(2, SP_DROPS, tmp); ///
5036 "Packets received/dropped on interface '%s': %u/%u (pcap:%u/dumpcap:%u/flushed:%u) (%.1f%%)\n",
5037 name, received, total_drops, pcap_drops, drops, flushed,
5038 received ? 100.0 * received / (received + total_drops) : 0.0);
5039 /* stderr could be line buffered */
5045 /************************************************************************************************/
5046 /* signal_pipe handling */
5051 signal_pipe_check_running(void)
5053 /* any news from our parent? -> just stop the capture */
5057 /* if we are running standalone, no check required */
5058 if (!capture_child) {
5062 if (!sig_pipe_name || !sig_pipe_handle) {
5063 /* This shouldn't happen */
5064 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
5065 "Signal pipe: No name or handle");
5070 * XXX - We should have the process ID of the parent (from the "-Z" flag)
5071 * at this point. Should we check to see if the parent is still alive,
5072 * e.g. by using OpenProcess?
5075 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
5077 if (!result || avail > 0) {
5078 /* peek failed or some bytes really available */
5079 /* (if not piping from stdin this would fail) */
5080 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
5081 "Signal pipe: Stop capture: %s", sig_pipe_name);
5082 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5083 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
5084 sig_pipe_handle, result, avail);
5087 /* pipe ok and no bytes available */
5098 * Editor modelines - http://www.wireshark.org/tools/modelines.html
5103 * indent-tabs-mode: nil
5106 * vi: set shiftwidth=4 tabstop=8 expandtab:
5107 * :indentSize=4:tabSize=8:noTabs=true:
git.samba.org / metze / wireshark / wip.git / blob