5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
63 #include "wsutil/wsgetopt.h"
71 # include <sys/prctl.h>
72 # include <sys/capability.h>
75 #include "ringbuffer.h"
76 #include "clopts_common.h"
77 #include "console_io.h"
78 #include "cmdarg_err.h"
79 #include "version_info.h"
81 #include "capture-pcap-util.h"
83 #include "capture-wpcap.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
128 #include <conio.h> /* _getch() */
132 #ifdef DEBUG_CHILD_DUMPCAP
133 FILE *debug_log; /* for logging debug messages to */
134 /* a file if DEBUG_CHILD_DUMPCAP */
138 static GAsyncQueue *pcap_queue;
139 static gint64 pcap_queue_bytes;
140 static gint64 pcap_queue_packets;
141 static gint64 pcap_queue_byte_limit = 1024 * 1024;
142 static gint64 pcap_queue_packet_limit = 1000;
144 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
146 static gchar *sig_pipe_name = NULL;
147 static HANDLE sig_pipe_handle = NULL;
148 static gboolean signal_pipe_check_running(void);
152 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
153 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
156 /** Stop a low-level capture (stops the capture child). */
157 static void capture_loop_stop(void);
159 #if !defined (__linux__)
160 #ifndef HAVE_PCAP_BREAKLOOP
162 * We don't have pcap_breakloop(), which is the only way to ensure that
163 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
164 * won't, if the call to read the next packet or batch of packets is
165 * is interrupted by a signal on UN*X, just go back and try again to
168 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
169 * the signal handler, set a flag to stop capturing; however, without
170 * a guarantee of that sort, we can't guarantee that we'll stop capturing
171 * if the read will be retried and won't time out if no packets arrive.
173 * Therefore, on at least some platforms, we work around the lack of
174 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
175 * to wait for packets to arrive, so that we're probably going to be
176 * blocked in the select() when the signal arrives, and can just bail
177 * out of the loop at that point.
179 * However, we don't want to do that on BSD (because "select()" doesn't work
180 * correctly on BPF devices on at least some releases of some flavors of
181 * BSD), and we don't want to do it on Windows (because "select()" is
182 * something for sockets, not for arbitrary handles). (Note that "Windows"
183 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
184 * using WinPcap, not a UNIX libpcap.)
186 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
187 * on BSD times out even if no packets have arrived, so we'll eventually
188 * exit pcap_dispatch() with an indication that no packets have arrived,
189 * and will break out of the capture loop at that point.
191 * On Windows, we can't send a SIGINT to stop capturing, so none of this
192 * applies in any case.
194 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
195 * want to include it if it's not present on this platform, however.
197 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
198 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
200 # define MUST_DO_SELECT
201 # endif /* avoid select */
202 #endif /* HAVE_PCAP_BREAKLOOP */
204 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
205 * in pcap_dispatch(); on the other hand, select() works just fine there.
206 * Hence we use a select for that come what may.
208 #define MUST_DO_SELECT
211 /** init the capture filter */
214 INITFILTER_BAD_FILTER,
215 INITFILTER_OTHER_ERROR
216 } initfilter_status_t;
218 typedef struct _pcap_options {
222 #ifdef MUST_DO_SELECT
223 int pcap_fd; /* pcap file descriptor */
230 gboolean ts_nsec; /* TRUE if we're using nanosecond precision. */
231 /* capture pipe (unix only "input file") */
232 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
233 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
234 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
236 HANDLE cap_pipe_h; /* The handle of the capture pipe */
238 int cap_pipe_fd; /* the file descriptor of the capture pipe */
240 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
241 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
243 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
245 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
246 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
248 STATE_EXPECT_REC_HDR,
253 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
255 GMutex *cap_pipe_read_mtx;
256 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
260 typedef struct _loop_data {
262 gboolean go; /* TRUE as long as we're supposed to keep capturing */
263 int err; /* if non-zero, error seen while capturing */
264 gint packet_count; /* Number of packets we have already captured */
265 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
266 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
268 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
275 guint32 autostop_files;
278 typedef struct _pcap_queue_element {
279 pcap_options *pcap_opts;
280 struct pcap_pkthdr phdr;
282 } pcap_queue_element;
285 * Standard secondary message for unexpected errors.
287 static const char please_report[] =
288 "Please report this to the Wireshark developers.\n"
289 "(This is not a crash; please do not report it as such.)";
292 * This needs to be static, so that the SIGINT handler can clear the "go"
295 static loop_data global_ld;
299 * Timeout, in milliseconds, for reads from the stream of captured packets
300 * from a capture device.
302 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
303 * 64-bit applications, with sub-second timeouts not to work. The bug is
304 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
306 #if defined(__APPLE__) && defined(__LP64__)
307 static gboolean need_timeout_workaround;
309 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
311 #define CAP_READ_TIMEOUT 250
315 * Timeout, in microseconds, for reads from the stream of captured packets
316 * from a pipe. Pipes don't have the same problem that BPF devices do
317 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
318 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
319 * of the offending versions of Snow Leopard.
321 * On Windows this value is converted to milliseconds and passed to
322 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
323 * will return immediately.
326 #define PIPE_READ_TIMEOUT 100000
328 #define PIPE_READ_TIMEOUT 250000
331 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
334 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
335 const char *message, gpointer user_data _U_);
337 /* capture related options */
338 static capture_options global_capture_opts;
339 static gboolean quiet = FALSE;
340 static gboolean use_threads = FALSE;
341 static guint64 start_time;
343 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
345 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
347 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
348 int err, gboolean is_close);
350 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
352 static void report_new_capture_file(const char *filename);
353 static void report_packet_count(int packet_count);
354 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
355 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
356 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
358 #define MSG_MAX_LENGTH 4096
360 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
362 create_timestamp(void) {
372 * Current time, represented as 100-nanosecond intervals since
373 * January 1, 1601, 00:00:00 UTC.
375 * I think DWORD might be signed, so cast both parts of "now"
376 * to guint32 so that the sign bit doesn't get treated specially.
378 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
379 * might want to use instead.
381 GetSystemTimeAsFileTime(&now);
382 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
383 (guint32)now.dwLowDateTime;
386 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
392 * Subtract difference, in microseconds, between January 1, 1601
393 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
395 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
398 * Current time, represented as seconds and microseconds since
399 * January 1, 1970, 00:00:00 UTC.
401 gettimeofday(&now, NULL);
404 * Convert to delta in microseconds.
406 timestamp = (guint64)(now.tv_sec) * 1000000 +
407 (guint64)(now.tv_usec);
413 print_usage(gboolean print_ver)
420 "Dumpcap " VERSION "%s\n"
421 "Capture network packets and dump them into a pcapng file.\n"
422 "See http://www.wireshark.org for more information.\n",
423 wireshark_svnversion);
427 fprintf(output, "\nUsage: dumpcap [options] ...\n");
428 fprintf(output, "\n");
429 fprintf(output, "Capture interface:\n");
430 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
431 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
432 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
433 fprintf(output, " -p don't capture in promiscuous mode\n");
434 #ifdef HAVE_PCAP_CREATE
435 fprintf(output, " -I capture in monitor mode, if available\n");
437 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
438 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
440 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
441 fprintf(output, " -D print list of interfaces and exit\n");
442 fprintf(output, " -L print list of link-layer types of iface and exit\n");
443 #ifdef HAVE_BPF_IMAGE
444 fprintf(output, " -d print generated BPF code for capture filter\n");
446 fprintf(output, " -S print statistics for each interface once per second\n");
447 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
448 fprintf(output, "\n");
449 #ifdef HAVE_PCAP_REMOTE
450 fprintf(output, "RPCAP options:\n");
451 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
452 fprintf(output, " -u use UDP for RPCAP data transfer\n");
453 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
454 #ifdef HAVE_PCAP_SETSAMPLING
455 fprintf(output, " -m <sampling type> use packet sampling\n");
456 fprintf(output, " count:NUM - capture one packet of every NUM\n");
457 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
460 fprintf(output, "Stop conditions:\n");
461 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
462 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
463 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
464 fprintf(output, " files:NUM - stop after NUM files\n");
465 /*fprintf(output, "\n");*/
466 fprintf(output, "Output (files):\n");
467 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
468 fprintf(output, " -g enable group read access on the output file(s)\n");
469 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
470 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
471 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
472 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
473 fprintf(output, " -P use libpcap format instead of pcapng\n");
474 fprintf(output, "\n");
475 fprintf(output, "Miscellaneous:\n");
476 fprintf(output, " -t use a separate thread per interface\n");
477 fprintf(output, " -q don't report packet capture counts\n");
478 fprintf(output, " -v print version information and exit\n");
479 fprintf(output, " -h display this help and exit\n");
480 fprintf(output, "\n");
481 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
482 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcapng\"\n");
483 fprintf(output, "\n");
484 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
488 show_version(GString *comp_info_str, GString *runtime_info_str)
491 "Dumpcap " VERSION "%s\n"
496 "See http://www.wireshark.org for more information.\n",
497 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
501 * Print to the standard error. This is a command-line tool, so there's
502 * no need to pop up a console.
505 vfprintf_stderr(const char *fmt, va_list ap)
507 vfprintf(stderr, fmt, ap);
511 fprintf_stderr(const char *fmt, ...)
516 vfprintf_stderr(fmt, ap);
521 * Report an error in command-line arguments.
524 cmdarg_err(const char *fmt, ...)
530 /* Generate a 'special format' message back to parent */
532 msg = g_strdup_vprintf(fmt, ap);
533 sync_pipe_errmsg_to_parent(2, msg, "");
538 fprintf(stderr, "dumpcap: ");
539 vfprintf(stderr, fmt, ap);
540 fprintf(stderr, "\n");
546 * Report additional information for an error in command-line arguments.
549 cmdarg_err_cont(const char *fmt, ...)
556 msg = g_strdup_vprintf(fmt, ap);
557 sync_pipe_errmsg_to_parent(2, msg, "");
562 vfprintf(stderr, fmt, ap);
563 fprintf(stderr, "\n");
570 #if 0 /* Set to enable capability debugging */
571 /* see 'man cap_to_text()' for explanation of output */
572 /* '=' means 'all= ' ie: no capabilities */
573 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
575 print_caps(const char *pfx) {
576 cap_t caps = cap_get_proc();
577 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
578 "%s: EUID: %d Capabilities: %s", pfx,
579 geteuid(), cap_to_text(caps, NULL));
582 print_caps(const char *pfx _U_) {
587 relinquish_all_capabilities(void)
589 /* Drop any and all capabilities this process may have. */
590 /* Allowed whether or not process has any privileges. */
591 cap_t caps = cap_init(); /* all capabilities initialized to off */
592 print_caps("Pre-clear");
593 if (cap_set_proc(caps)) {
594 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
596 print_caps("Post-clear");
602 open_capture_device(interface_options *interface_opts,
603 char (*open_err_str)[PCAP_ERRBUF_SIZE])
606 #ifdef HAVE_PCAP_CREATE
609 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
610 struct pcap_rmtauth auth;
613 /* Open the network interface to capture from it.
614 Some versions of libpcap may put warnings into the error buffer
615 if they succeed; to tell if that's happened, we have to clear
616 the error buffer, and check if it's still a null string. */
617 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
618 (*open_err_str)[0] = '\0';
619 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
621 * If we're opening a remote device, use pcap_open(); that's currently
622 * the only open routine that supports remote devices.
624 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
625 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
626 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
627 auth.username = interface_opts->auth_username;
628 auth.password = interface_opts->auth_password;
630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
631 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
632 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
633 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
634 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
636 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
637 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
638 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
639 CAP_READ_TIMEOUT, &auth, *open_err_str);
640 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
641 "pcap_open() returned %p.", (void *)pcap_h);
646 * If we're not opening a remote device, use pcap_create() and
647 * pcap_activate() if we have them, so that we can set the buffer
648 * size, otherwise use pcap_open_live().
650 #ifdef HAVE_PCAP_CREATE
651 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
652 "Calling pcap_create() using %s.", interface_opts->name);
653 pcap_h = pcap_create(interface_opts->name, *open_err_str);
654 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
655 "pcap_create() returned %p.", (void *)pcap_h);
656 if (pcap_h != NULL) {
657 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
658 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
659 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
660 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
661 "Calling pcap_set_promisc() with promisc_mode %d.", interface_opts->promisc_mode);
662 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
663 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
665 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
666 "buffersize %d.", interface_opts->buffer_size);
667 if (interface_opts->buffer_size > 1) {
668 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
670 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
671 "monitor_mode %d.", interface_opts->monitor_mode);
672 if (interface_opts->monitor_mode)
673 pcap_set_rfmon(pcap_h, 1);
674 err = pcap_activate(pcap_h);
675 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
676 "pcap_activate() returned %d.", err);
678 /* Failed to activate, set to NULL */
679 if (err == PCAP_ERROR)
680 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
682 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
688 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
689 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
690 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
691 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
692 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
694 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
695 "pcap_open_live() returned %p.", (void *)pcap_h);
698 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
703 get_capture_device_open_failure_messages(const char *open_err_str,
709 char *errmsg, size_t errmsg_len,
710 char *secondary_errmsg,
711 size_t secondary_errmsg_len)
713 const char *libpcap_warn;
714 static const char ppamsg[] = "can't find PPA for ";
716 /* If we got a "can't find PPA for X" message, warn the user (who
717 is running dumpcap on HP-UX) that they don't have a version of
718 libpcap that properly handles HP-UX (libpcap 0.6.x and later
719 versions, which properly handle HP-UX, say "can't find /dev/dlpi
720 PPA for X" rather than "can't find PPA for X"). */
721 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
724 "You are running (T)Wireshark with a version of the libpcap library\n"
725 "that doesn't handle HP-UX network devices well; this means that\n"
726 "(T)Wireshark may not be able to capture packets.\n"
728 "To fix this, you should install libpcap 0.6.2, or a later version\n"
729 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
730 "packaged binary form from the Software Porting And Archive Centre\n"
731 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
732 "at the URL lists a number of mirror sites.";
735 g_snprintf(errmsg, (gulong) errmsg_len,
736 "The capture session could not be initiated (%s).", open_err_str);
739 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
741 "In order to capture packets, WinPcap must be installed; see\n"
743 " http://www.winpcap.org/\n"
747 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
751 " http://winpcap.cs.pu.edu.tw/\n"
753 "for a downloadable version of WinPcap and for instructions on how to install\n"
756 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
758 "Please check that \"%s\" is the proper interface.\n"
761 "Help can be found at:\n"
763 " http://wiki.wireshark.org/WinPcap\n"
764 " http://wiki.wireshark.org/CaptureSetup\n",
768 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
769 "Please check to make sure you have sufficient permissions, and that you have "
770 "the proper interface or pipe specified.%s", libpcap_warn);
774 /* Set the data link type on a pcap. */
776 set_pcap_linktype(pcap_t *pcap_h, int linktype,
777 #ifdef HAVE_PCAP_SET_DATALINK
782 char *errmsg, size_t errmsg_len,
783 char *secondary_errmsg, size_t secondary_errmsg_len)
785 char *set_linktype_err_str;
788 return TRUE; /* just use the default */
789 #ifdef HAVE_PCAP_SET_DATALINK
790 if (pcap_set_datalink(pcap_h, linktype) == 0)
791 return TRUE; /* no error */
792 set_linktype_err_str = pcap_geterr(pcap_h);
794 /* Let them set it to the type it is; reject any other request. */
795 if (get_pcap_linktype(pcap_h, name) == linktype)
796 return TRUE; /* no error */
797 set_linktype_err_str =
798 "That DLT isn't one of the DLTs supported by this device";
800 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
801 set_linktype_err_str);
803 * If the error isn't "XXX is not one of the DLTs supported by this device",
804 * tell the user to tell the Wireshark developers about it.
806 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
807 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
809 secondary_errmsg[0] = '\0';
814 compile_capture_filter(const char *iface, pcap_t *pcap_h,
815 struct bpf_program *fcode, const char *cfilter)
817 bpf_u_int32 netnum, netmask;
818 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
820 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
822 * Well, we can't get the netmask for this interface; it's used
823 * only for filters that check for broadcast IP addresses, so
824 * we just punt and use 0. It might be nice to warn the user,
825 * but that's a pain in a GUI application, as it'd involve popping
826 * up a message box, and it's not clear how often this would make
827 * a difference (only filters that check for IP broadcast addresses
831 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
836 * Sigh. Older versions of libpcap don't properly declare the
837 * third argument to pcap_compile() as a const pointer. Cast
840 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
845 #ifdef HAVE_BPF_IMAGE
847 show_filter_code(capture_options *capture_opts)
849 interface_options interface_opts;
851 gchar open_err_str[PCAP_ERRBUF_SIZE];
852 char errmsg[MSG_MAX_LENGTH+1];
853 char secondary_errmsg[MSG_MAX_LENGTH+1];
854 struct bpf_program fcode;
855 struct bpf_insn *insn;
859 for (j = 0; j < capture_opts->ifaces->len; j++) {
860 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
861 pcap_h = open_capture_device(&interface_opts, &open_err_str);
862 if (pcap_h == NULL) {
863 /* Open failed; get messages */
864 get_capture_device_open_failure_messages(open_err_str,
866 errmsg, sizeof errmsg,
868 sizeof secondary_errmsg);
869 /* And report them */
870 report_capture_error(errmsg, secondary_errmsg);
874 /* Set the link-layer type. */
875 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
876 errmsg, sizeof errmsg,
877 secondary_errmsg, sizeof secondary_errmsg)) {
879 report_capture_error(errmsg, secondary_errmsg);
883 /* OK, try to compile the capture filter. */
884 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
885 interface_opts.cfilter)) {
887 report_cfilter_error(capture_opts, j, errmsg);
892 /* Now print the filter code. */
893 insn = fcode.bf_insns;
895 for (i = 0; i < fcode.bf_len; insn++, i++)
896 printf("%s\n", bpf_image(insn, i));
898 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
899 /* to remove any suid privileges. */
900 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
901 /* (euid/egid have already previously been set to ruid/rgid. */
902 /* (See comment in main() for details) */
904 relinquish_special_privs_perm();
906 relinquish_all_capabilities();
909 /* Let our parent know we succeeded. */
910 pipe_write_block(2, SP_SUCCESS, NULL);
917 * capture_interface_list() is expected to do the right thing to get
918 * a list of interfaces.
920 * In most of the programs in the Wireshark suite, "the right thing"
921 * is to run dumpcap and ask it for the list, because dumpcap may
922 * be the only program in the suite with enough privileges to get
925 * In dumpcap itself, however, we obviously can't run dumpcap to
926 * ask for the list. Therefore, our capture_interface_list() should
927 * just call get_interface_list().
930 capture_interface_list(int *err, char **err_str)
932 return get_interface_list(err, err_str);
936 * Get the data-link type for a libpcap device.
937 * This works around AIX 5.x's non-standard and incompatible-with-the-
938 * rest-of-the-universe libpcap.
941 get_pcap_linktype(pcap_t *pch, const char *devname
949 const char *ifacename;
952 linktype = pcap_datalink(pch);
956 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
957 * rather than DLT_ values for link-layer types; the ifType values
958 * for LAN devices are:
965 * and the ifType value for a loopback device is 24.
967 * The AIX names for LAN devices begin with:
974 * and the AIX names for loopback devices begin with "lo".
976 * (The difference between "Ethernet" and "802.3" is presumably
977 * whether packets have an Ethernet header, with a packet type,
978 * or an 802.3 header, with a packet length, followed by an 802.2
979 * header and possibly a SNAP header.)
981 * If the device name matches "linktype" interpreted as an ifType
982 * value, rather than as a DLT_ value, we will assume this is AIX's
983 * non-standard, incompatible libpcap, rather than a standard libpcap,
984 * and will map the link-layer type to the standard DLT_ value for
985 * that link-layer type, as that's what the rest of Wireshark expects.
987 * (This means the capture files won't be readable by a tcpdump
988 * linked with AIX's non-standard libpcap, but so it goes. They
989 * *will* be readable by standard versions of tcpdump, Wireshark,
992 * XXX - if we conclude we're using AIX libpcap, should we also
993 * set a flag to cause us to assume the time stamps are in
994 * seconds-and-nanoseconds form, and to convert them to
995 * seconds-and-microseconds form before processing them and
1000 * Find the last component of the device name, which is the
1003 ifacename = strchr(devname, '/');
1004 if (ifacename == NULL)
1005 ifacename = devname;
1007 /* See if it matches any of the LAN device names. */
1008 if (strncmp(ifacename, "en", 2) == 0) {
1009 if (linktype == 6) {
1011 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1015 } else if (strncmp(ifacename, "et", 2) == 0) {
1016 if (linktype == 7) {
1018 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1019 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1024 } else if (strncmp(ifacename, "tr", 2) == 0) {
1025 if (linktype == 9) {
1027 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1028 * DLT_IEEE802, which is what's used for Token Ring.
1032 } else if (strncmp(ifacename, "fi", 2) == 0) {
1033 if (linktype == 15) {
1035 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1039 } else if (strncmp(ifacename, "lo", 2) == 0) {
1040 if (linktype == 24) {
1042 * That's the RFC 1573 value for "software loopback" devices; map it
1043 * to DLT_NULL, which is what's used for loopback devices on BSD.
1053 static data_link_info_t *
1054 create_data_link_info(int dlt)
1056 data_link_info_t *data_link_info;
1059 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1060 data_link_info->dlt = dlt;
1061 text = pcap_datalink_val_to_name(dlt);
1063 data_link_info->name = g_strdup(text);
1065 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1066 text = pcap_datalink_val_to_description(dlt);
1068 data_link_info->description = g_strdup(text);
1070 data_link_info->description = NULL;
1071 return data_link_info;
1075 * Get the capabilities of a network device.
1077 static if_capabilities_t *
1078 get_if_capabilities(const char *devname, gboolean monitor_mode
1079 #ifndef HAVE_PCAP_CREATE
1084 if_capabilities_t *caps;
1085 char errbuf[PCAP_ERRBUF_SIZE];
1087 #ifdef HAVE_PCAP_CREATE
1091 #ifdef HAVE_PCAP_LIST_DATALINKS
1095 data_link_info_t *data_link_info;
1098 * Allocate the interface capabilities structure.
1100 caps = g_malloc(sizeof *caps);
1102 #ifdef HAVE_PCAP_OPEN
1103 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1104 caps->can_set_rfmon = FALSE;
1106 if (err_str != NULL)
1107 *err_str = g_strdup(errbuf);
1111 #elif defined(HAVE_PCAP_CREATE)
1112 pch = pcap_create(devname, errbuf);
1114 if (err_str != NULL)
1115 *err_str = g_strdup(errbuf);
1119 status = pcap_can_set_rfmon(pch);
1122 if (status == PCAP_ERROR)
1123 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1126 *err_str = g_strdup(pcap_statustostr(status));
1132 caps->can_set_rfmon = FALSE;
1133 else if (status == 1) {
1134 caps->can_set_rfmon = TRUE;
1136 pcap_set_rfmon(pch, 1);
1138 if (err_str != NULL) {
1139 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1147 status = pcap_activate(pch);
1149 /* Error. We ignore warnings (status > 0). */
1150 if (err_str != NULL) {
1151 if (status == PCAP_ERROR)
1152 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1155 *err_str = g_strdup(pcap_statustostr(status));
1162 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1163 caps->can_set_rfmon = FALSE;
1165 if (err_str != NULL)
1166 *err_str = g_strdup(errbuf);
1171 deflt = get_pcap_linktype(pch, devname);
1172 #ifdef HAVE_PCAP_LIST_DATALINKS
1173 nlt = pcap_list_datalinks(pch, &linktypes);
1174 if (nlt == 0 || linktypes == NULL) {
1176 if (err_str != NULL)
1177 *err_str = NULL; /* an empty list doesn't mean an error */
1180 caps->data_link_types = NULL;
1181 for (i = 0; i < nlt; i++) {
1182 data_link_info = create_data_link_info(linktypes[i]);
1185 * XXX - for 802.11, make the most detailed 802.11
1186 * version the default, rather than the one the
1187 * device has as the default?
1189 if (linktypes[i] == deflt)
1190 caps->data_link_types = g_list_prepend(caps->data_link_types,
1193 caps->data_link_types = g_list_append(caps->data_link_types,
1196 #ifdef HAVE_PCAP_FREE_DATALINKS
1197 pcap_free_datalinks(linktypes);
1200 * In Windows, there's no guarantee that if you have a library
1201 * built with one version of the MSVC++ run-time library, and
1202 * it returns a pointer to allocated data, you can free that
1203 * data from a program linked with another version of the
1204 * MSVC++ run-time library.
1206 * This is not an issue on UN*X.
1208 * See the mail threads starting at
1210 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1214 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1217 #define xx_free free /* hack so checkAPIs doesn't complain */
1220 #endif /* HAVE_PCAP_FREE_DATALINKS */
1221 #else /* HAVE_PCAP_LIST_DATALINKS */
1223 data_link_info = create_data_link_info(deflt);
1224 caps->data_link_types = g_list_append(caps->data_link_types,
1226 #endif /* HAVE_PCAP_LIST_DATALINKS */
1230 if (err_str != NULL)
1235 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1237 print_machine_readable_interfaces(GList *if_list)
1244 char addr_str[ADDRSTRLEN];
1246 if (capture_child) {
1247 /* Let our parent know we succeeded. */
1248 pipe_write_block(2, SP_SUCCESS, NULL);
1251 i = 1; /* Interface id number */
1252 for (if_entry = g_list_first(if_list); if_entry != NULL;
1253 if_entry = g_list_next(if_entry)) {
1254 if_info = (if_info_t *)if_entry->data;
1255 printf("%d. %s", i++, if_info->name);
1258 * Print the contents of the if_entry struct in a parseable format.
1259 * Each if_entry element is tab-separated. Addresses are comma-
1262 /* XXX - Make sure our description doesn't contain a tab */
1263 if (if_info->description != NULL)
1264 printf("\t%s\t", if_info->description);
1268 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1269 addr = g_slist_next(addr)) {
1270 if (addr != g_slist_nth(if_info->addrs, 0))
1273 if_addr = (if_addr_t *)addr->data;
1274 switch(if_addr->ifat_type) {
1276 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1278 printf("%s", addr_str);
1280 printf("<unknown IPv4>");
1284 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1285 addr_str, ADDRSTRLEN)) {
1286 printf("%s", addr_str);
1288 printf("<unknown IPv6>");
1292 printf("<type unknown %u>", if_addr->ifat_type);
1296 if (if_info->loopback)
1297 printf("\tloopback");
1299 printf("\tnetwork");
1306 * If you change the machine-readable output format of this function,
1307 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1310 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1313 data_link_info_t *data_link_info;
1314 const gchar *desc_str;
1316 if (capture_child) {
1317 /* Let our parent know we succeeded. */
1318 pipe_write_block(2, SP_SUCCESS, NULL);
1321 if (caps->can_set_rfmon)
1325 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1326 lt_entry = g_list_next(lt_entry)) {
1327 data_link_info = (data_link_info_t *)lt_entry->data;
1328 if (data_link_info->description != NULL)
1329 desc_str = data_link_info->description;
1331 desc_str = "(not supported)";
1332 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1342 /* Print the number of packets captured for each interface until we're killed. */
1344 print_statistics_loop(gboolean machine_readable)
1346 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1352 char errbuf[PCAP_ERRBUF_SIZE];
1353 struct pcap_stat ps;
1355 if_list = get_interface_list(&err, &err_str);
1356 if (if_list == NULL) {
1358 case CANT_GET_INTERFACE_LIST:
1359 case DONT_HAVE_PCAP:
1360 cmdarg_err("%s", err_str);
1364 case NO_INTERFACES_FOUND:
1365 cmdarg_err("There are no interfaces on which a capture can be done");
1371 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1372 if_info = (if_info_t *)if_entry->data;
1373 #ifdef HAVE_PCAP_OPEN
1374 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1376 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1380 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1381 if_stat->name = g_strdup(if_info->name);
1383 stat_list = g_list_append(stat_list, if_stat);
1388 cmdarg_err("There are no interfaces on which a capture can be done");
1392 if (capture_child) {
1393 /* Let our parent know we succeeded. */
1394 pipe_write_block(2, SP_SUCCESS, NULL);
1397 if (!machine_readable) {
1398 printf("%-15s %10s %10s\n", "Interface", "Received",
1402 global_ld.go = TRUE;
1403 while (global_ld.go) {
1404 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1405 if_stat = (if_stat_t *)stat_entry->data;
1406 pcap_stats(if_stat->pch, &ps);
1408 if (!machine_readable) {
1409 printf("%-15s %10u %10u\n", if_stat->name,
1410 ps.ps_recv, ps.ps_drop);
1412 printf("%s\t%u\t%u\n", if_stat->name,
1413 ps.ps_recv, ps.ps_drop);
1424 /* XXX - Not reached. Should we look for 'q' in stdin? */
1425 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1426 if_stat = (if_stat_t *)stat_entry->data;
1427 pcap_close(if_stat->pch);
1428 g_free(if_stat->name);
1431 g_list_free(stat_list);
1432 free_interface_list(if_list);
1440 capture_cleanup_handler(DWORD dwCtrlType)
1442 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1443 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1444 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1445 like SIGTERM at least when the machine's shutting down.
1447 For now, if we're running as a command rather than a capture child,
1448 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1449 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1450 in that way on UN*X.
1452 If we're not running as a capture child, we might be running as
1453 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1454 user logs out. (XXX - can we explicitly check whether we're
1455 running as a service?) */
1457 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1458 "Console: Control signal");
1459 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1460 "Console: Control signal, CtrlType: %u", dwCtrlType);
1462 /* Keep capture running if we're a service and a user logs off */
1463 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1464 capture_loop_stop();
1472 capture_cleanup_handler(int signum _U_)
1474 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1475 SIGTERM. We assume that if the user wanted it to keep running
1476 after they logged out, they'd have nohupped it. */
1478 /* Note: don't call g_log() in the signal handler: if we happened to be in
1479 * g_log() in process context when the signal came in, g_log will detect
1480 * the "recursion" and abort.
1483 capture_loop_stop();
1489 report_capture_count(gboolean reportit)
1491 /* Don't print this if we're a capture child. */
1492 if (!capture_child && reportit) {
1493 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1494 /* stderr could be line buffered */
1502 report_counts_for_siginfo(void)
1504 report_capture_count(quiet);
1505 infoprint = FALSE; /* we just reported it */
1509 report_counts_siginfo(int signum _U_)
1511 int sav_errno = errno;
1513 /* If we've been told to delay printing, just set a flag asking
1514 that we print counts (if we're supposed to), otherwise print
1515 the count of packets captured (if we're supposed to). */
1519 report_counts_for_siginfo();
1522 #endif /* SIGINFO */
1525 exit_main(int status)
1528 /* Shutdown windows sockets */
1531 /* can be helpful for debugging */
1532 #ifdef DEBUG_DUMPCAP
1533 printf("Press any key\n");
1544 * If we were linked with libcap (not libpcap), make sure we have
1545 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1546 * (See comment in main() for details)
1549 relinquish_privs_except_capture(void)
1551 /* If 'started_with_special_privs' (ie: suid) then enable for
1552 * ourself the NET_ADMIN and NET_RAW capabilities and then
1553 * drop our suid privileges.
1555 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1556 * stuff we don't need (and shouldn't have).
1557 * CAP_NET_RAW: Packet capture (raw sockets).
1560 if (started_with_special_privs()) {
1561 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1562 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1564 cap_t caps = cap_init(); /* all capabilities initialized to off */
1566 print_caps("Pre drop, pre set");
1568 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1569 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1572 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1573 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1575 if (cap_set_proc(caps)) {
1576 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1578 print_caps("Pre drop, post set");
1580 relinquish_special_privs_perm();
1582 print_caps("Post drop, pre set");
1583 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1584 if (cap_set_proc(caps)) {
1585 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1587 print_caps("Post drop, post set");
1593 #endif /* HAVE_LIBCAP */
1595 /* Take care of byte order in the libpcap headers read from pipes.
1596 * (function taken from wiretap/libpcap.c) */
1598 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1601 /* Byte-swap the record header fields. */
1602 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1603 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1604 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1605 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1608 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1609 swapped, in order to match the BPF header layout.
1611 Unfortunately, some files were, according to a comment in the "libpcap"
1612 source, written with version 2.3 in their headers but without the
1613 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1614 would make no sense - we assume that we need to swap them. */
1615 if (hdr->version_major == 2 &&
1616 (hdr->version_minor < 3 ||
1617 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1620 temp = rechdr->orig_len;
1621 rechdr->orig_len = rechdr->incl_len;
1622 rechdr->incl_len = temp;
1628 * Thread function that reads from a pipe and pushes the data
1629 * to the main application thread.
1632 * XXX Right now we use async queues for basic signaling. The main thread
1633 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1634 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1635 * Iff the read is successful cap_pipe_read pushes an item onto
1636 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1637 * the queues themselves (yet).
1639 * We might want to move some of the cap_pipe_dispatch logic here so that
1640 * we can let cap_pipe_read run independently, queuing up multiple reads
1641 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1643 static void *cap_pipe_read(void *arg)
1645 pcap_options *pcap_opts;
1654 pcap_opts = (pcap_options *)arg;
1655 while (pcap_opts->cap_pipe_err == PIPOK) {
1656 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1657 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1659 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1661 /* If we try to use read() on a named pipe on Windows with partial
1662 * data it appears to return EOF.
1664 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1665 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1670 last_err = GetLastError();
1671 if (last_err == ERROR_MORE_DATA) {
1673 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1674 pcap_opts->cap_pipe_err = PIPEOF;
1678 pcap_opts->cap_pipe_err = PIPERR;
1681 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1682 pcap_opts->cap_pipe_err = PIPEOF;
1687 b = read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1688 pcap_opts->cap_pipe_bytes_to_read - bytes_read);
1691 pcap_opts->cap_pipe_err = PIPEOF;
1695 pcap_opts->cap_pipe_err = PIPERR;
1704 pcap_opts->cap_pipe_bytes_read = bytes_read;
1705 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1706 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1708 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1714 #if !defined(_WIN32) || defined(MUST_DO_SELECT)
1715 /* Provide select() functionality for a single file descriptor
1716 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1718 * Returns the same values as select.
1721 cap_pipe_select(int pipe_fd)
1724 struct timeval timeout;
1727 FD_SET(pipe_fd, &rfds);
1729 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1730 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1732 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1737 /* Mimic pcap_open_live() for pipe captures
1739 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1740 * open it, and read the header.
1742 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1743 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1745 cap_pipe_open_live(char *pipename,
1746 pcap_options *pcap_opts,
1747 struct pcap_hdr *hdr,
1748 char *errmsg, int errmsgl)
1751 ws_statb64 pipe_stat;
1752 struct sockaddr_un sa;
1763 unsigned int bytes_read;
1768 pcap_opts->cap_pipe_fd = -1;
1770 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1772 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1775 * XXX - this blocks until a pcap per-file header has been written to
1776 * the pipe, so it could block indefinitely.
1778 if (strcmp(pipename, "-") == 0) {
1780 fd = 0; /* read from stdin */
1782 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1786 if (ws_stat64(pipename, &pipe_stat) < 0) {
1787 if (errno == ENOENT || errno == ENOTDIR)
1788 pcap_opts->cap_pipe_err = PIPNEXIST;
1790 g_snprintf(errmsg, errmsgl,
1791 "The capture session could not be initiated "
1792 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1793 pcap_opts->cap_pipe_err = PIPERR;
1797 if (S_ISFIFO(pipe_stat.st_mode)) {
1798 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1800 g_snprintf(errmsg, errmsgl,
1801 "The capture session could not be initiated "
1802 "due to error on pipe open: %s", g_strerror(errno));
1803 pcap_opts->cap_pipe_err = PIPERR;
1806 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1807 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1809 g_snprintf(errmsg, errmsgl,
1810 "The capture session could not be initiated "
1811 "due to error on socket create: %s", g_strerror(errno));
1812 pcap_opts->cap_pipe_err = PIPERR;
1815 sa.sun_family = AF_UNIX;
1817 * The Single UNIX Specification says:
1819 * The size of sun_path has intentionally been left undefined.
1820 * This is because different implementations use different sizes.
1821 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1822 * of 104. Since most implementations originate from BSD versions,
1823 * the size is typically in the range 92 to 108.
1825 * Applications should not assume a particular length for sun_path
1826 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1830 * The <sys/un.h> header shall define the sockaddr_un structure,
1831 * which shall include at least the following members:
1833 * sa_family_t sun_family Address family.
1834 * char sun_path[] Socket pathname.
1836 * so we assume that it's an array, with a specified size,
1837 * and that the size reflects the maximum path length.
1839 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1840 /* Path name too long */
1841 g_snprintf(errmsg, errmsgl,
1842 "The capture session coud not be initiated "
1843 "due to error on socket connect: Path name too long");
1844 pcap_opts->cap_pipe_err = PIPERR;
1847 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1849 g_snprintf(errmsg, errmsgl,
1850 "The capture session coud not be initiated "
1851 "due to error on socket connect: %s", g_strerror(errno));
1852 pcap_opts->cap_pipe_err = PIPERR;
1856 if (S_ISCHR(pipe_stat.st_mode)) {
1858 * Assume the user specified an interface on a system where
1859 * interfaces are in /dev. Pretend we haven't seen it.
1861 pcap_opts->cap_pipe_err = PIPNEXIST;
1864 g_snprintf(errmsg, errmsgl,
1865 "The capture session could not be initiated because\n"
1866 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1867 pcap_opts->cap_pipe_err = PIPERR;
1872 #define PIPE_STR "\\pipe\\"
1873 /* Under Windows, named pipes _must_ have the form
1874 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1876 pncopy = g_strdup(pipename);
1877 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1878 pos = strchr(pncopy + 3, '\\');
1879 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1886 g_snprintf(errmsg, errmsgl,
1887 "The capture session could not be initiated because\n"
1888 "\"%s\" is neither an interface nor a pipe", pipename);
1889 pcap_opts->cap_pipe_err = PIPNEXIST;
1893 /* Wait for the pipe to appear */
1895 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1896 OPEN_EXISTING, 0, NULL);
1898 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1901 if (GetLastError() != ERROR_PIPE_BUSY) {
1902 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1903 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1904 g_snprintf(errmsg, errmsgl,
1905 "The capture session on \"%s\" could not be started "
1906 "due to error on pipe open: %s (error %d)",
1907 pipename, utf_16to8(err_str), GetLastError());
1909 pcap_opts->cap_pipe_err = PIPERR;
1913 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1914 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1915 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1916 g_snprintf(errmsg, errmsgl,
1917 "The capture session on \"%s\" timed out during "
1918 "pipe open: %s (error %d)",
1919 pipename, utf_16to8(err_str), GetLastError());
1921 pcap_opts->cap_pipe_err = PIPERR;
1928 pcap_opts->from_cap_pipe = TRUE;
1931 /* read the pcap header */
1933 while (bytes_read < sizeof magic) {
1934 sel_ret = cap_pipe_select(fd);
1936 g_snprintf(errmsg, errmsgl,
1937 "Unexpected error from select: %s", g_strerror(errno));
1939 } else if (sel_ret > 0) {
1940 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1943 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1945 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1953 g_thread_create(&cap_pipe_read, pcap_opts, FALSE, NULL);
1955 pcap_opts->cap_pipe_buf = (char *) &magic;
1956 pcap_opts->cap_pipe_bytes_read = 0;
1957 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1958 /* We don't have to worry about cap_pipe_read_mtx here */
1959 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1960 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1961 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1962 if (pcap_opts->cap_pipe_bytes_read == 0)
1963 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1965 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1974 case PCAP_NSEC_MAGIC:
1975 /* Host that wrote it has our byte order, and was running
1976 a program using either standard or ss990417 libpcap. */
1977 pcap_opts->cap_pipe_byte_swapped = FALSE;
1978 pcap_opts->cap_pipe_modified = FALSE;
1979 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
1981 case PCAP_MODIFIED_MAGIC:
1982 /* Host that wrote it has our byte order, but was running
1983 a program using either ss990915 or ss991029 libpcap. */
1984 pcap_opts->cap_pipe_byte_swapped = FALSE;
1985 pcap_opts->cap_pipe_modified = TRUE;
1987 case PCAP_SWAPPED_MAGIC:
1988 case PCAP_SWAPPED_NSEC_MAGIC:
1989 /* Host that wrote it has a byte order opposite to ours,
1990 and was running a program using either standard or
1991 ss990417 libpcap. */
1992 pcap_opts->cap_pipe_byte_swapped = TRUE;
1993 pcap_opts->cap_pipe_modified = FALSE;
1994 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
1996 case PCAP_SWAPPED_MODIFIED_MAGIC:
1997 /* Host that wrote it out has a byte order opposite to
1998 ours, and was running a program using either ss990915
1999 or ss991029 libpcap. */
2000 pcap_opts->cap_pipe_byte_swapped = TRUE;
2001 pcap_opts->cap_pipe_modified = TRUE;
2004 /* Not a "libpcap" type we know about. */
2005 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2010 /* Read the rest of the header */
2012 while (bytes_read < sizeof(struct pcap_hdr)) {
2013 sel_ret = cap_pipe_select(fd);
2015 g_snprintf(errmsg, errmsgl,
2016 "Unexpected error from select: %s", g_strerror(errno));
2018 } else if (sel_ret > 0) {
2019 b = read(fd, ((char *)hdr)+bytes_read,
2020 sizeof(struct pcap_hdr) - bytes_read);
2023 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2025 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2033 pcap_opts->cap_pipe_buf = (char *) hdr;
2034 pcap_opts->cap_pipe_bytes_read = 0;
2035 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2036 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2037 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2038 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2039 if (pcap_opts->cap_pipe_bytes_read == 0)
2040 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2042 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2048 if (pcap_opts->cap_pipe_byte_swapped) {
2049 /* Byte-swap the header fields about which we care. */
2050 hdr->version_major = BSWAP16(hdr->version_major);
2051 hdr->version_minor = BSWAP16(hdr->version_minor);
2052 hdr->snaplen = BSWAP32(hdr->snaplen);
2053 hdr->network = BSWAP32(hdr->network);
2055 pcap_opts->linktype = hdr->network;
2057 if (hdr->version_major < 2) {
2058 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2062 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2063 pcap_opts->cap_pipe_err = PIPOK;
2065 pcap_opts->cap_pipe_fd = fd;
2070 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2071 pcap_opts->cap_pipe_err = PIPERR;
2074 pcap_opts->cap_pipe_fd = -1;
2081 /* We read one record from the pipe, take care of byte order in the record
2082 * header, write the record to the capture file, and update capture statistics. */
2084 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2086 struct pcap_pkthdr phdr;
2087 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2090 #if !GLIB_CHECK_VERSION(2,31,18)
2101 #ifdef LOG_CAPTURE_VERBOSE
2102 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2105 switch (pcap_opts->cap_pipe_state) {
2107 case STATE_EXPECT_REC_HDR:
2109 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2112 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2113 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2114 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2115 pcap_opts->cap_pipe_bytes_read = 0;
2118 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2119 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2120 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2125 case STATE_READ_REC_HDR:
2127 b = read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2128 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2131 result = PD_PIPE_EOF;
2133 result = PD_PIPE_ERR;
2136 pcap_opts->cap_pipe_bytes_read += b;
2138 #if GLIB_CHECK_VERSION(2,31,18)
2139 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2141 g_get_current_time(&wait_time);
2142 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2143 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2145 if (pcap_opts->cap_pipe_err == PIPEOF) {
2146 result = PD_PIPE_EOF;
2148 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2149 result = PD_PIPE_ERR;
2156 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2158 result = PD_REC_HDR_READ;
2161 case STATE_EXPECT_DATA:
2163 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2166 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2167 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2168 pcap_opts->cap_pipe_bytes_read = 0;
2171 pcap_opts->cap_pipe_buf = (char *) data;
2172 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2173 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2178 case STATE_READ_DATA:
2180 b = read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2181 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2184 result = PD_PIPE_EOF;
2186 result = PD_PIPE_ERR;
2189 pcap_opts->cap_pipe_bytes_read += b;
2191 #if GLIB_CHECK_VERSION(2,31,18)
2192 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2194 g_get_current_time(&wait_time);
2195 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2196 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2198 if (pcap_opts->cap_pipe_err == PIPEOF) {
2199 result = PD_PIPE_EOF;
2201 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2202 result = PD_PIPE_ERR;
2209 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2211 result = PD_DATA_READ;
2215 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2218 } /* switch (pcap_opts->cap_pipe_state) */
2221 * We've now read as much data as we were expecting, so process it.
2225 case PD_REC_HDR_READ:
2226 /* We've read the header. Take care of byte order. */
2227 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2228 &pcap_opts->cap_pipe_rechdr.hdr);
2229 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2230 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2231 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2235 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2236 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2239 /* no data to read? fall through */
2242 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2243 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2244 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2245 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2246 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2249 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2251 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2253 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2257 pcap_opts->cap_pipe_err = PIPEOF;
2262 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2263 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2264 g_snprintf(errmsg, errmsgl,
2265 "Error reading from pipe: %s (error %d)",
2266 utf_16to8(err_str), GetLastError());
2269 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2277 pcap_opts->cap_pipe_err = PIPERR;
2278 /* Return here rather than inside the switch to prevent GCC warning */
2283 /** Open the capture input file (pcap or capture pipe).
2284 * Returns TRUE if it succeeds, FALSE otherwise. */
2286 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2287 char *errmsg, size_t errmsg_len,
2288 char *secondary_errmsg, size_t secondary_errmsg_len)
2290 gchar open_err_str[PCAP_ERRBUF_SIZE];
2291 gchar *sync_msg_str;
2292 interface_options interface_opts;
2293 pcap_options *pcap_opts;
2297 gchar *sync_secondary_msg_str;
2298 WORD wVersionRequested;
2302 /* XXX - opening Winsock on tshark? */
2304 /* Initialize Windows Socket if we are in a WIN32 OS
2305 This needs to be done before querying the interface for network/netmask */
2307 /* XXX - do we really require 1.1 or earlier?
2308 Are there any versions that support only 2.0 or higher? */
2309 wVersionRequested = MAKEWORD(1, 1);
2310 err = WSAStartup(wVersionRequested, &wsaData);
2314 case WSASYSNOTREADY:
2315 g_snprintf(errmsg, (gulong) errmsg_len,
2316 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2319 case WSAVERNOTSUPPORTED:
2320 g_snprintf(errmsg, (gulong) errmsg_len,
2321 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2322 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2325 case WSAEINPROGRESS:
2326 g_snprintf(errmsg, (gulong) errmsg_len,
2327 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2331 g_snprintf(errmsg, (gulong) errmsg_len,
2332 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2336 g_snprintf(errmsg, (gulong) errmsg_len,
2337 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2341 g_snprintf(errmsg, (gulong) errmsg_len,
2342 "Couldn't initialize Windows Sockets: error %d", err);
2345 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2349 if ((use_threads == FALSE) &&
2350 (capture_opts->ifaces->len > 1)) {
2351 g_snprintf(errmsg, (gulong) errmsg_len,
2352 "Using threads is required for capturing on multiple interfaces!");
2356 for (i = 0; i < capture_opts->ifaces->len; i++) {
2357 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2358 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2359 if (pcap_opts == NULL) {
2360 g_snprintf(errmsg, (gulong) errmsg_len,
2361 "Could not allocate memory.");
2364 pcap_opts->received = 0;
2365 pcap_opts->dropped = 0;
2366 pcap_opts->pcap_h = NULL;
2367 #ifdef MUST_DO_SELECT
2368 pcap_opts->pcap_fd = -1;
2370 pcap_opts->pcap_err = FALSE;
2371 pcap_opts->interface_id = i;
2372 pcap_opts->tid = NULL;
2373 pcap_opts->snaplen = 0;
2374 pcap_opts->linktype = -1;
2375 pcap_opts->ts_nsec = FALSE;
2376 pcap_opts->from_cap_pipe = FALSE;
2377 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2378 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2380 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2382 pcap_opts->cap_pipe_fd = -1;
2384 pcap_opts->cap_pipe_modified = FALSE;
2385 pcap_opts->cap_pipe_byte_swapped = FALSE;
2387 pcap_opts->cap_pipe_buf = NULL;
2389 pcap_opts->cap_pipe_bytes_to_read = 0;
2390 pcap_opts->cap_pipe_bytes_read = 0;
2391 pcap_opts->cap_pipe_state = 0;
2392 pcap_opts->cap_pipe_err = PIPOK;
2394 #if GLIB_CHECK_VERSION(2,31,0)
2395 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2396 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2398 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2400 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2401 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2403 g_array_append_val(ld->pcaps, pcap_opts);
2405 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2406 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2408 if (pcap_opts->pcap_h != NULL) {
2409 /* we've opened "iface" as a network device */
2411 /* try to set the capture buffer size */
2412 if (interface_opts.buffer_size > 1 &&
2413 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2414 sync_secondary_msg_str = g_strdup_printf(
2415 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2416 "the default of 1MB will be used.\n"
2418 "Nonetheless, the capture is started.\n",
2419 interface_opts.buffer_size);
2420 report_capture_error("Couldn't set the capture buffer size!",
2421 sync_secondary_msg_str);
2422 g_free(sync_secondary_msg_str);
2426 #if defined(HAVE_PCAP_SETSAMPLING)
2427 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2428 struct pcap_samp *samp;
2430 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2431 switch (interface_opts.sampling_method) {
2432 case CAPTURE_SAMP_BY_COUNT:
2433 samp->method = PCAP_SAMP_1_EVERY_N;
2436 case CAPTURE_SAMP_BY_TIMER:
2437 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2441 sync_msg_str = g_strdup_printf(
2442 "Unknown sampling method %d specified,\n"
2443 "continue without packet sampling",
2444 interface_opts.sampling_method);
2445 report_capture_error("Couldn't set the capture "
2446 "sampling", sync_msg_str);
2447 g_free(sync_msg_str);
2449 samp->value = interface_opts.sampling_param;
2451 report_capture_error("Couldn't set the capture sampling",
2452 "Cannot get packet sampling data structure");
2457 /* setting the data link type only works on real interfaces */
2458 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2460 secondary_errmsg, secondary_errmsg_len)) {
2463 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2465 /* We couldn't open "iface" as a network device. */
2466 /* Try to open it as a pipe */
2467 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2470 if (pcap_opts->cap_pipe_fd == -1) {
2472 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2474 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2475 /* Pipe doesn't exist, so output message for interface */
2476 get_capture_device_open_failure_messages(open_err_str,
2477 interface_opts.name,
2481 secondary_errmsg_len);
2484 * Else pipe (or file) does exist and cap_pipe_open_live() has
2489 /* cap_pipe_open_live() succeeded; don't want
2490 error message from pcap_open_live() */
2491 open_err_str[0] = '\0';
2495 /* XXX - will this work for tshark? */
2496 #ifdef MUST_DO_SELECT
2497 if (!pcap_opts->from_cap_pipe) {
2498 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2499 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2501 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2506 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2507 returned a warning; print it, but keep capturing. */
2508 if (open_err_str[0] != '\0') {
2509 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2510 report_capture_error(sync_msg_str, "");
2511 g_free(sync_msg_str);
2513 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2514 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2517 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2518 /* to remove any suid privileges. */
2519 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2520 /* (euid/egid have already previously been set to ruid/rgid. */
2521 /* (See comment in main() for details) */
2523 relinquish_special_privs_perm();
2525 relinquish_all_capabilities();
2530 /* close the capture input file (pcap or capture pipe) */
2531 static void capture_loop_close_input(loop_data *ld)
2534 pcap_options *pcap_opts;
2536 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2538 for (i = 0; i < ld->pcaps->len; i++) {
2539 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2540 /* if open, close the capture pipe "input file" */
2542 if (pcap_opts->cap_pipe_fd >= 0) {
2543 g_assert(pcap_opts->from_cap_pipe);
2544 ws_close(pcap_opts->cap_pipe_fd);
2545 pcap_opts->cap_pipe_fd = -1;
2548 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2549 CloseHandle(pcap_opts->cap_pipe_h);
2550 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2553 /* if open, close the pcap "input file" */
2554 if (pcap_opts->pcap_h != NULL) {
2555 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2556 pcap_close(pcap_opts->pcap_h);
2557 pcap_opts->pcap_h = NULL;
2564 /* Shut down windows sockets */
2570 /* init the capture filter */
2571 static initfilter_status_t
2572 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2573 const gchar * name, const gchar * cfilter)
2575 struct bpf_program fcode;
2577 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2579 /* capture filters only work on real interfaces */
2580 if (cfilter && !from_cap_pipe) {
2581 /* A capture filter was specified; set it up. */
2582 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2583 /* Treat this specially - our caller might try to compile this
2584 as a display filter and, if that succeeds, warn the user that
2585 the display and capture filter syntaxes are different. */
2586 return INITFILTER_BAD_FILTER;
2588 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2589 #ifdef HAVE_PCAP_FREECODE
2590 pcap_freecode(&fcode);
2592 return INITFILTER_OTHER_ERROR;
2594 #ifdef HAVE_PCAP_FREECODE
2595 pcap_freecode(&fcode);
2599 return INITFILTER_NO_ERROR;
2603 /* set up to write to the already-opened capture output file/files */
2605 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2609 pcap_options *pcap_opts;
2610 interface_options interface_opts;
2611 gboolean successful;
2613 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2615 if ((capture_opts->use_pcapng == FALSE) &&
2616 (capture_opts->ifaces->len > 1)) {
2617 g_snprintf(errmsg, errmsg_len,
2618 "Using PCAPNG is required for capturing on multiple interfaces! Use the -n option.");
2622 /* Set up to write to the capture file. */
2623 if (capture_opts->multi_files_on) {
2624 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2626 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2629 if (capture_opts->use_pcapng) {
2631 GString *os_info_str;
2633 os_info_str = g_string_new("");
2634 get_os_version_info(os_info_str);
2636 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2637 successful = libpcap_write_session_header_block(ld->pdh,
2640 os_info_str->str, /* OS*/
2642 -1, /* section_length */
2646 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2647 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2648 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2649 if (pcap_opts->from_cap_pipe) {
2650 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2652 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2654 successful = libpcap_write_interface_description_block(global_ld.pdh,
2655 NULL, /* OPT_COMMENT 1 */
2656 interface_opts.name, /* IDB_NAME 2 */
2657 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2658 interface_opts.cfilter, /* IDB_FILTER 11 */
2659 os_info_str->str, /* IDB_OS 12 */
2660 pcap_opts->linktype,
2662 &(global_ld.bytes_written),
2663 0, /* IDB_IF_SPEED 8 */
2664 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2668 g_string_free(os_info_str, TRUE);
2671 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2672 if (pcap_opts->from_cap_pipe) {
2673 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2675 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2677 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2678 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2686 if (ld->pdh == NULL) {
2687 /* We couldn't set up to write to the capture file. */
2688 /* XXX - use cf_open_error_message from tshark instead? */
2693 g_snprintf(errmsg, errmsg_len,
2694 "The file to which the capture would be"
2695 " saved (\"%s\") could not be opened: Error %d.",
2696 capture_opts->save_file, err);
2698 g_snprintf(errmsg, errmsg_len,
2699 "The file to which the capture would be"
2700 " saved (\"%s\") could not be opened: %s.",
2701 capture_opts->save_file, g_strerror(err));
2713 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2717 pcap_options *pcap_opts;
2718 guint64 end_time = create_timestamp();
2720 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2722 if (capture_opts->multi_files_on) {
2723 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2725 if (capture_opts->use_pcapng) {
2726 for (i = 0; i < global_ld.pcaps->len; i++) {
2727 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2728 if (!pcap_opts->from_cap_pipe) {
2729 libpcap_write_interface_statistics_block(ld->pdh,
2733 "Counters provided by libpcap",
2740 return libpcap_dump_close(ld->pdh, err_close);
2744 /* dispatch incoming packets (pcap or capture pipe)
2746 * Waits for incoming packets to be available, and calls pcap_dispatch()
2747 * to cause them to be processed.
2749 * Returns the number of packets which were processed.
2751 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2752 * packet-batching behaviour does not cause packets to get held back
2756 capture_loop_dispatch(loop_data *ld,
2757 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2760 gint packet_count_before;
2761 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2766 packet_count_before = ld->packet_count;
2767 if (pcap_opts->from_cap_pipe) {
2768 /* dispatch from capture pipe */
2769 #ifdef LOG_CAPTURE_VERBOSE
2770 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2773 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2775 if (sel_ret < 0 && errno != EINTR) {
2776 g_snprintf(errmsg, errmsg_len,
2777 "Unexpected error from select: %s", g_strerror(errno));
2778 report_capture_error(errmsg, please_report);
2783 * "select()" says we can read from the pipe without blocking
2786 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2796 /* dispatch from pcap */
2797 #ifdef MUST_DO_SELECT
2799 * If we have "pcap_get_selectable_fd()", we use it to get the
2800 * descriptor on which to select; if that's -1, it means there
2801 * is no descriptor on which you can do a "select()" (perhaps
2802 * because you're capturing on a special device, and that device's
2803 * driver unfortunately doesn't support "select()", in which case
2804 * we don't do the select - which means it might not be possible
2805 * to stop a capture until a packet arrives. If that's unacceptable,
2806 * plead with whoever supplies the software for that device to add
2807 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2808 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2809 * later, so it can use pcap_breakloop().
2811 #ifdef LOG_CAPTURE_VERBOSE
2812 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2814 if (pcap_opts->pcap_fd != -1) {
2815 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2818 * "select()" says we can read from it without blocking; go for
2821 * We don't have pcap_breakloop(), so we only process one packet
2822 * per pcap_dispatch() call, to allow a signal to stop the
2823 * processing immediately, rather than processing all packets
2824 * in a batch before quitting.
2827 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2829 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2833 /* Error, rather than pcap_breakloop(). */
2834 pcap_opts->pcap_err = TRUE;
2836 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2839 if (sel_ret < 0 && errno != EINTR) {
2840 g_snprintf(errmsg, errmsg_len,
2841 "Unexpected error from select: %s", g_strerror(errno));
2842 report_capture_error(errmsg, please_report);
2848 #endif /* MUST_DO_SELECT */
2850 /* dispatch from pcap without select */
2852 #ifdef LOG_CAPTURE_VERBOSE
2853 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2857 * On Windows, we don't support asynchronously telling a process to
2858 * stop capturing; instead, we check for an indication on a pipe
2859 * after processing packets. We therefore process only one packet
2860 * at a time, so that we can check the pipe after every packet.
2863 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2865 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2869 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2871 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2876 /* Error, rather than pcap_breakloop(). */
2877 pcap_opts->pcap_err = TRUE;
2879 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2881 #else /* pcap_next_ex */
2882 #ifdef LOG_CAPTURE_VERBOSE
2883 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2885 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2888 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2889 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2890 * This should be fixed in the WinPcap 4.0 alpha release.
2892 * For reference, an example remote interface:
2893 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2896 /* emulate dispatch from pcap */
2899 struct pcap_pkthdr *pkt_header;
2904 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2906 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2908 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2913 pcap_opts->pcap_err = TRUE;
2917 #endif /* pcap_next_ex */
2921 #ifdef LOG_CAPTURE_VERBOSE
2922 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2925 return ld->packet_count - packet_count_before;
2929 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2930 * want to grab only the characters between the '{' and '}' delimiters.
2932 * Returns a GString that must be freed with g_string_free(). */
2934 isolate_uuid(const char *iface)
2939 ptr = strchr(iface, '{');
2941 return g_string_new(iface);
2942 gstr = g_string_new(ptr + 1);
2944 ptr = strchr(gstr->str, '}');
2948 gstr = g_string_truncate(gstr, ptr - gstr->str);
2953 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2954 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2956 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2957 char *errmsg, int errmsg_len)
2960 gchar *capfile_name;
2962 gboolean is_tempfile;
2964 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2965 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2967 if (capture_opts->save_file != NULL) {
2968 /* We return to the caller while the capture is in progress.
2969 * Therefore we need to take a copy of save_file in
2970 * case the caller destroys it after we return.
2972 capfile_name = g_strdup(capture_opts->save_file);
2974 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2975 if (capture_opts->multi_files_on) {
2976 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2977 g_snprintf(errmsg, errmsg_len,
2978 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2979 g_free(capfile_name);
2982 if (strcmp(capfile_name, "-") == 0) {
2983 /* write to stdout */
2986 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2987 _setmode(1, O_BINARY);
2990 } /* if (...output_to_pipe ... */
2993 if (capture_opts->multi_files_on) {
2994 /* ringbuffer is enabled */
2995 *save_file_fd = ringbuf_init(capfile_name,
2996 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2997 capture_opts->group_read_access);
2999 /* we need the ringbuf name */
3000 if(*save_file_fd != -1) {
3001 g_free(capfile_name);
3002 capfile_name = g_strdup(ringbuf_current_filename());
3005 /* Try to open/create the specified file for use as a capture buffer. */
3006 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
3007 (capture_opts->group_read_access) ? 0640 : 0600);
3010 is_tempfile = FALSE;
3012 /* Choose a random name for the temporary capture buffer */
3013 if (global_capture_opts.ifaces->len > 1) {
3014 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3019 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3020 basename = g_path_get_basename(iface->str);
3021 g_string_free(iface, TRUE);
3023 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3025 prefix = g_strconcat("wireshark_", basename, NULL);
3028 *save_file_fd = create_tempfile(&tmpname, prefix);
3030 capfile_name = g_strdup(tmpname);
3034 /* did we fail to open the output file? */
3035 if (*save_file_fd == -1) {
3037 g_snprintf(errmsg, errmsg_len,
3038 "The temporary file to which the capture would be saved (\"%s\") "
3039 "could not be opened: %s.", capfile_name, g_strerror(errno));
3041 if (capture_opts->multi_files_on) {
3042 ringbuf_error_cleanup();
3045 g_snprintf(errmsg, errmsg_len,
3046 "The file to which the capture would be saved (\"%s\") "
3047 "could not be opened: %s.", capfile_name,
3050 g_free(capfile_name);
3054 if(capture_opts->save_file != NULL) {
3055 g_free(capture_opts->save_file);
3057 capture_opts->save_file = capfile_name;
3058 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3059 "g_free(capfile_name)". */
3065 /* Do the work of handling either the file size or file duration capture
3066 conditions being reached, and switching files or stopping. */
3068 do_file_switch_or_stop(capture_options *capture_opts,
3069 condition *cnd_autostop_files,
3070 condition *cnd_autostop_size,
3071 condition *cnd_file_duration)
3074 pcap_options *pcap_opts;
3075 interface_options interface_opts;
3076 gboolean successful;
3078 if (capture_opts->multi_files_on) {
3079 if (cnd_autostop_files != NULL &&
3080 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3081 /* no files left: stop here */
3082 global_ld.go = FALSE;
3086 /* Switch to the next ringbuffer file */
3087 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3088 &global_ld.save_file_fd, &global_ld.err)) {
3090 /* File switch succeeded: reset the conditions */
3091 global_ld.bytes_written = 0;
3092 if (capture_opts->use_pcapng) {
3094 GString *os_info_str;
3096 os_info_str = g_string_new("");
3097 get_os_version_info(os_info_str);
3099 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3100 successful = libpcap_write_session_header_block(global_ld.pdh,
3103 os_info_str->str, /* OS */
3105 -1, /* section_length */
3106 &(global_ld.bytes_written),
3109 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3110 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3111 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3112 successful = libpcap_write_interface_description_block(global_ld.pdh,
3113 NULL, /* OPT_COMMENT 1 */
3114 interface_opts.name, /* IDB_NAME 2 */
3115 interface_opts.descr, /* IDB_DESCRIPTION 3 */
3116 interface_opts.cfilter, /* IDB_FILTER 11 */
3117 os_info_str->str, /* IDB_OS 12 */
3118 pcap_opts->linktype,
3120 &(global_ld.bytes_written),
3121 0, /* IDB_IF_SPEED 8 */
3122 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
3126 g_string_free(os_info_str, TRUE);
3129 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3130 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3131 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
3134 fclose(global_ld.pdh);
3135 global_ld.pdh = NULL;
3136 global_ld.go = FALSE;
3139 if (cnd_autostop_size)
3140 cnd_reset(cnd_autostop_size);
3141 if (cnd_file_duration)
3142 cnd_reset(cnd_file_duration);
3143 libpcap_dump_flush(global_ld.pdh, NULL);
3145 report_packet_count(global_ld.inpkts_to_sync_pipe);
3146 global_ld.inpkts_to_sync_pipe = 0;
3147 report_new_capture_file(capture_opts->save_file);
3149 /* File switch failed: stop here */
3150 global_ld.go = FALSE;
3154 /* single file, stop now */
3155 global_ld.go = FALSE;
3162 pcap_read_handler(void* arg)
3164 pcap_options *pcap_opts;
3165 char errmsg[MSG_MAX_LENGTH+1];
3167 pcap_opts = (pcap_options *)arg;
3169 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3170 pcap_opts->interface_id);
3172 while (global_ld.go) {
3173 /* dispatch incoming packets */
3174 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3176 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3177 pcap_opts->interface_id);
3178 g_thread_exit(NULL);
3182 /* Do the low-level work of a capture.
3183 Returns TRUE if it succeeds, FALSE otherwise. */
3185 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3188 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3190 struct timeval upd_time, cur_time;
3194 condition *cnd_file_duration = NULL;
3195 condition *cnd_autostop_files = NULL;
3196 condition *cnd_autostop_size = NULL;
3197 condition *cnd_autostop_duration = NULL;
3200 gboolean cfilter_error = FALSE;
3201 char errmsg[MSG_MAX_LENGTH+1];
3202 char secondary_errmsg[MSG_MAX_LENGTH+1];
3203 pcap_options *pcap_opts;
3204 interface_options interface_opts;
3205 guint i, error_index = 0;
3208 *secondary_errmsg = '\0';
3210 /* init the loop data */
3211 global_ld.go = TRUE;
3212 global_ld.packet_count = 0;
3214 global_ld.report_packet_count = FALSE;
3216 if (capture_opts->has_autostop_packets)
3217 global_ld.packet_max = capture_opts->autostop_packets;
3219 global_ld.packet_max = 0; /* no limit */
3220 global_ld.inpkts_to_sync_pipe = 0;
3221 global_ld.err = 0; /* no error seen yet */
3222 global_ld.pdh = NULL;
3223 global_ld.autostop_files = 0;
3224 global_ld.save_file_fd = -1;
3226 /* We haven't yet gotten the capture statistics. */
3227 *stats_known = FALSE;
3229 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3230 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3232 /* open the "input file" from network interface or capture pipe */
3233 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3234 secondary_errmsg, sizeof(secondary_errmsg))) {
3237 for (i = 0; i < capture_opts->ifaces->len; i++) {
3238 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3239 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3240 /* init the input filter from the network interface (capture pipe will do nothing) */
3242 * When remote capturing WinPCap crashes when the capture filter
3243 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3246 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3247 interface_opts.name,
3248 interface_opts.cfilter?interface_opts.cfilter:"")) {
3250 case INITFILTER_NO_ERROR:
3253 case INITFILTER_BAD_FILTER:
3254 cfilter_error = TRUE;
3256 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3259 case INITFILTER_OTHER_ERROR:
3260 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3261 pcap_geterr(pcap_opts->pcap_h));
3262 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3267 /* If we're supposed to write to a capture file, open it for output
3268 (temporary/specified name/ringbuffer) */
3269 if (capture_opts->saving_to_file) {
3270 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3271 errmsg, sizeof(errmsg))) {
3275 /* set up to write to the already-opened capture output file/files */
3276 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3281 /* XXX - capture SIGTERM and close the capture, in case we're on a
3282 Linux 2.0[.x] system and you have to explicitly close the capture
3283 stream in order to turn promiscuous mode off? We need to do that
3284 in other places as well - and I don't think that works all the
3285 time in any case, due to libpcap bugs. */
3287 /* Well, we should be able to start capturing.
3289 Sync out the capture file, so the header makes it to the file system,
3290 and send a "capture started successfully and capture file created"
3291 message to our parent so that they'll open the capture file and
3292 update its windows to indicate that we have a live capture in
3294 libpcap_dump_flush(global_ld.pdh, NULL);
3295 report_new_capture_file(capture_opts->save_file);
3298 /* initialize capture stop (and alike) conditions */
3299 init_capture_stop_conditions();
3300 /* create stop conditions */
3301 if (capture_opts->has_autostop_filesize)
3303 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3304 if (capture_opts->has_autostop_duration)
3305 cnd_autostop_duration =
3306 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3308 if (capture_opts->multi_files_on) {
3309 if (capture_opts->has_file_duration)
3311 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3313 if (capture_opts->has_autostop_files)
3314 cnd_autostop_files =
3315 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3318 /* init the time values */
3320 upd_time = GetTickCount();
3322 gettimeofday(&upd_time, NULL);
3324 start_time = create_timestamp();
3325 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3327 /* WOW, everything is prepared! */
3328 /* please fasten your seat belts, we will enter now the actual capture loop */
3330 pcap_queue = g_async_queue_new();
3331 pcap_queue_bytes = 0;
3332 pcap_queue_packets = 0;
3333 for (i = 0; i < global_ld.pcaps->len; i++) {
3334 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3335 #if GLIB_CHECK_VERSION(2,31,0)
3336 /* XXX - Add an interface name here? */
3337 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3339 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3343 while (global_ld.go) {
3344 /* dispatch incoming packets */
3346 pcap_queue_element *queue_element;
3347 #if GLIB_CHECK_VERSION(2,31,18)
3349 queue_element = g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3351 GTimeVal write_thread_time;
3353 g_get_current_time(&write_thread_time);
3354 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3355 g_async_queue_lock(pcap_queue);
3356 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3358 if (queue_element) {
3359 pcap_queue_bytes -= queue_element->phdr.caplen;
3360 pcap_queue_packets -= 1;
3362 g_async_queue_unlock(pcap_queue);
3363 if (queue_element) {
3364 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3365 "Dequeued a packet of length %d captured on interface %d.",
3366 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3368 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3369 &queue_element->phdr,
3371 g_free(queue_element->pd);
3372 g_free(queue_element);
3378 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3379 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3380 sizeof(errmsg), pcap_opts);
3383 /* Were we asked to print packet counts by the SIGINFO handler? */
3384 if (global_ld.report_packet_count) {
3385 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3386 plurality(global_ld.packet_count, "", "s"));
3387 global_ld.report_packet_count = FALSE;
3392 /* any news from our parent (signal pipe)? -> just stop the capture */
3393 if (!signal_pipe_check_running()) {
3394 global_ld.go = FALSE;
3399 global_ld.inpkts_to_sync_pipe += inpkts;
3401 /* check capture size condition */
3402 if (cnd_autostop_size != NULL &&
3403 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3404 /* Capture size limit reached, do we have another file? */
3405 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3406 cnd_autostop_size, cnd_file_duration))
3408 } /* cnd_autostop_size */
3409 if (capture_opts->output_to_pipe) {
3410 libpcap_dump_flush(global_ld.pdh, NULL);
3414 /* Only update once every 500ms so as not to overload slow displays.
3415 * This also prevents too much context-switching between the dumpcap
3416 * and wireshark processes.
3418 #define DUMPCAP_UPD_TIME 500
3421 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3422 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3424 gettimeofday(&cur_time, NULL);
3425 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3426 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3429 upd_time = cur_time;
3432 if (pcap_stats(pch, stats) >= 0) {
3433 *stats_known = TRUE;
3436 /* Let the parent process know. */
3437 if (global_ld.inpkts_to_sync_pipe) {
3439 libpcap_dump_flush(global_ld.pdh, NULL);
3441 /* Send our parent a message saying we've written out
3442 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3444 report_packet_count(global_ld.inpkts_to_sync_pipe);
3446 global_ld.inpkts_to_sync_pipe = 0;
3449 /* check capture duration condition */
3450 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3451 /* The maximum capture time has elapsed; stop the capture. */
3452 global_ld.go = FALSE;
3456 /* check capture file duration condition */
3457 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3458 /* duration limit reached, do we have another file? */
3459 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3460 cnd_autostop_size, cnd_file_duration))
3462 } /* cnd_file_duration */
3466 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3468 pcap_queue_element *queue_element;
3470 for (i = 0; i < global_ld.pcaps->len; i++) {
3471 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3472 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3473 pcap_opts->interface_id);
3474 g_thread_join(pcap_opts->tid);
3475 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3476 pcap_opts->interface_id);
3479 g_async_queue_lock(pcap_queue);
3480 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3481 if (queue_element) {
3482 pcap_queue_bytes -= queue_element->phdr.caplen;
3483 pcap_queue_packets -= 1;
3485 g_async_queue_unlock(pcap_queue);
3486 if (queue_element == NULL) {
3489 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3490 "Dequeued a packet of length %d captured on interface %d.",
3491 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3492 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3493 &queue_element->phdr,
3495 g_free(queue_element->pd);
3496 g_free(queue_element);
3497 global_ld.inpkts_to_sync_pipe += 1;
3498 if (capture_opts->output_to_pipe) {
3499 libpcap_dump_flush(global_ld.pdh, NULL);
3505 /* delete stop conditions */
3506 if (cnd_file_duration != NULL)
3507 cnd_delete(cnd_file_duration);
3508 if (cnd_autostop_files != NULL)
3509 cnd_delete(cnd_autostop_files);
3510 if (cnd_autostop_size != NULL)
3511 cnd_delete(cnd_autostop_size);
3512 if (cnd_autostop_duration != NULL)
3513 cnd_delete(cnd_autostop_duration);
3515 /* did we have a pcap (input) error? */
3516 for (i = 0; i < capture_opts->ifaces->len; i++) {
3517 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3518 if (pcap_opts->pcap_err) {
3519 /* On Linux, if an interface goes down while you're capturing on it,
3520 you'll get a "recvfrom: Network is down" or
3521 "The interface went down" error (ENETDOWN).
3522 (At least you will if g_strerror() doesn't show a local translation
3525 On FreeBSD and OS X, if a network adapter disappears while
3526 you're capturing on it, you'll get a "read: Device not configured"
3527 error (ENXIO). (See previous parenthetical note.)
3529 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3531 These should *not* be reported to the Wireshark developers. */
3534 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3535 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3536 strcmp(cap_err_str, "The interface went down") == 0 ||
3537 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3538 strcmp(cap_err_str, "read: I/O error") == 0 ||
3539 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3540 report_capture_error("The network adapter on which the capture was being done "
3541 "is no longer running; the capture has stopped.",
3544 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3546 report_capture_error(errmsg, please_report);
3549 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3550 report_capture_error(errmsg, "");
3554 /* did we have an output error while capturing? */
3555 if (global_ld.err == 0) {
3558 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3559 global_ld.err, FALSE);
3560 report_capture_error(errmsg, please_report);
3564 if (capture_opts->saving_to_file) {
3565 /* close the output file */
3566 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3570 /* there might be packets not yet notified to the parent */
3571 /* (do this after closing the file, so all packets are already flushed) */
3572 if(global_ld.inpkts_to_sync_pipe) {
3574 report_packet_count(global_ld.inpkts_to_sync_pipe);
3575 global_ld.inpkts_to_sync_pipe = 0;
3578 /* If we've displayed a message about a write error, there's no point
3579 in displaying another message about an error on close. */
3580 if (!close_ok && write_ok) {
3581 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3583 report_capture_error(errmsg, "");
3587 * XXX We exhibit different behaviour between normal mode and sync mode
3588 * when the pipe is stdin and not already at EOF. If we're a child, the
3589 * parent's stdin isn't closed, so if the user starts another capture,
3590 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3591 * will say "Unrecognized libpcap format". On the other hand, in normal
3592 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3595 report_capture_count(TRUE);
3597 /* get packet drop statistics from pcap */
3598 for (i = 0; i < capture_opts->ifaces->len; i++) {
3602 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3603 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3604 received = pcap_opts->received;
3605 dropped = pcap_opts->dropped;
3606 if (pcap_opts->pcap_h != NULL) {
3607 g_assert(!pcap_opts->from_cap_pipe);
3608 /* Get the capture statistics, so we know how many packets were dropped. */
3609 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3610 *stats_known = TRUE;
3611 /* Let the parent process know. */
3612 dropped += stats->ps_drop;
3614 g_snprintf(errmsg, sizeof(errmsg),
3615 "Can't get packet-drop statistics: %s",
3616 pcap_geterr(pcap_opts->pcap_h));
3617 report_capture_error(errmsg, please_report);
3620 report_packet_drops(received, dropped, interface_opts.name);
3623 /* close the input file (pcap or capture pipe) */
3624 capture_loop_close_input(&global_ld);
3626 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3628 /* ok, if the write and the close were successful. */
3629 return write_ok && close_ok;
3632 if (capture_opts->multi_files_on) {
3633 /* cleanup ringbuffer */
3634 ringbuf_error_cleanup();
3636 /* We can't use the save file, and we have no FILE * for the stream
3637 to close in order to close it, so close the FD directly. */
3638 if (global_ld.save_file_fd != -1) {
3639 ws_close(global_ld.save_file_fd);
3642 /* We couldn't even start the capture, so get rid of the capture
3644 if (capture_opts->save_file != NULL) {
3645 ws_unlink(capture_opts->save_file);
3646 g_free(capture_opts->save_file);
3649 capture_opts->save_file = NULL;
3651 report_cfilter_error(capture_opts, error_index, errmsg);
3653 report_capture_error(errmsg, secondary_errmsg);
3655 /* close the input file (pcap or cap_pipe) */
3656 capture_loop_close_input(&global_ld);
3658 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3664 static void capture_loop_stop(void)
3666 #ifdef HAVE_PCAP_BREAKLOOP
3668 pcap_options *pcap_opts;
3670 for (i = 0; i < global_ld.pcaps->len; i++) {
3671 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3672 if (pcap_opts->pcap_h != NULL)
3673 pcap_breakloop(pcap_opts->pcap_h);
3676 global_ld.go = FALSE;
3681 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3682 int err, gboolean is_close)
3687 g_snprintf(errmsg, errmsglen,
3688 "Not all the packets could be written to the file"
3689 " to which the capture was being saved\n"
3690 "(\"%s\") because there is no space left on the file system\n"
3691 "on which that file resides.",
3697 g_snprintf(errmsg, errmsglen,
3698 "Not all the packets could be written to the file"
3699 " to which the capture was being saved\n"
3700 "(\"%s\") because you are too close to, or over,"
3701 " your disk quota\n"
3702 "on the file system on which that file resides.",
3709 g_snprintf(errmsg, errmsglen,
3710 "The file to which the capture was being saved\n"
3711 "(\"%s\") could not be closed: %s.",
3712 fname, g_strerror(err));
3714 g_snprintf(errmsg, errmsglen,
3715 "An error occurred while writing to the file"
3716 " to which the capture was being saved\n"
3718 fname, g_strerror(err));
3725 /* one packet was captured, process it */
3727 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3730 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3732 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3734 /* We may be called multiple times from pcap_dispatch(); if we've set
3735 the "stop capturing" flag, ignore this packet, as we're not
3736 supposed to be saving any more packets. */
3740 if (global_ld.pdh) {
3741 gboolean successful;
3743 /* We're supposed to write the packet to a file; do so.
3744 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3745 "ld->err" to the error. */
3746 if (global_capture_opts.use_pcapng) {
3747 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, ts_mul, pd, &global_ld.bytes_written, &err);
3749 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3752 global_ld.go = FALSE;
3753 global_ld.err = err;
3755 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3756 "Wrote a packet of length %d captured on interface %u.",
3757 phdr->caplen, pcap_opts->interface_id);
3758 global_ld.packet_count++;
3759 pcap_opts->received++;
3760 /* if the user told us to stop after x packets, do we already have enough? */
3761 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3762 global_ld.go = FALSE;
3768 /* one packet was captured, queue it */
3770 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3773 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3774 pcap_queue_element *queue_element;
3775 gboolean limit_reached;
3777 /* We may be called multiple times from pcap_dispatch(); if we've set
3778 the "stop capturing" flag, ignore this packet, as we're not
3779 supposed to be saving any more packets. */
3783 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3784 if (queue_element == NULL) {
3785 pcap_opts->dropped++;
3788 queue_element->pcap_opts = pcap_opts;
3789 queue_element->phdr = *phdr;
3790 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3791 if (queue_element->pd == NULL) {
3792 pcap_opts->dropped++;
3793 g_free(queue_element);
3796 memcpy(queue_element->pd, pd, phdr->caplen);
3797 g_async_queue_lock(pcap_queue);
3798 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3799 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3800 limit_reached = FALSE;
3801 g_async_queue_push_unlocked(pcap_queue, queue_element);
3802 pcap_queue_bytes += phdr->caplen;
3803 pcap_queue_packets += 1;
3805 limit_reached = TRUE;
3807 g_async_queue_unlock(pcap_queue);
3808 if (limit_reached) {
3809 pcap_opts->dropped++;
3810 g_free(queue_element->pd);
3811 g_free(queue_element);
3812 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3813 "Dropped a packet of length %d captured on interface %u.",
3814 phdr->caplen, pcap_opts->interface_id);
3816 pcap_opts->received++;
3817 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3818 "Queued a packet of length %d captured on interface %u.",
3819 phdr->caplen, pcap_opts->interface_id);
3821 /* I don't want to hold the mutex over the debug output. So the
3822 output may be wrong */
3823 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3824 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3825 pcap_queue_bytes, pcap_queue_packets);
3828 /* And now our feature presentation... [ fade to music ] */
3830 main(int argc, char *argv[])
3833 gboolean arg_error = FALSE;
3838 struct sigaction action, oldaction;
3841 gboolean start_capture = TRUE;
3842 gboolean stats_known;
3843 struct pcap_stat stats;
3844 GLogLevelFlags log_flags;
3845 gboolean list_interfaces = FALSE;
3846 gboolean list_link_layer_types = FALSE;
3847 #ifdef HAVE_BPF_IMAGE
3848 gboolean print_bpf_code = FALSE;
3850 gboolean machine_readable = FALSE;
3851 gboolean print_statistics = FALSE;
3852 int status, run_once_args = 0;
3855 #if defined(__APPLE__) && defined(__LP64__)
3856 struct utsname osinfo;
3861 arg_list_utf_16to8(argc, argv);
3866 * Initialize our DLL search path. MUST be called before LoadLibrary
3869 ws_init_dll_search_path();
3872 #ifdef HAVE_PCAP_REMOTE
3873 #define OPTSTRING_A "A:"
3874 #define OPTSTRING_r "r"
3875 #define OPTSTRING_u "u"
3877 #define OPTSTRING_A ""
3878 #define OPTSTRING_r ""
3879 #define OPTSTRING_u ""
3882 #ifdef HAVE_PCAP_SETSAMPLING
3883 #define OPTSTRING_m "m:"
3885 #define OPTSTRING_m ""
3888 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3889 #define OPTSTRING_B "B:"
3891 #define OPTSTRING_B ""
3892 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3894 #ifdef HAVE_PCAP_CREATE
3895 #define OPTSTRING_I "I"
3897 #define OPTSTRING_I ""
3900 #ifdef HAVE_BPF_IMAGE
3901 #define OPTSTRING_d "d"
3903 #define OPTSTRING_d ""
3906 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
3908 #ifdef DEBUG_CHILD_DUMPCAP
3909 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3910 fprintf (stderr, "Unable to open debug log file !\n");
3915 #if defined(__APPLE__) && defined(__LP64__)
3917 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3918 * a bug workaround - timeouts less than 1 second don't work with libpcap
3919 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3920 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3921 * The problem is extremely unlikely to be reintroduced in a future
3924 if (uname(&osinfo) == 0) {
3926 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3927 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3928 * number of 10.0.0, not 10.1.0 - go figure).
3930 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3931 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3932 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3933 need_timeout_workaround = TRUE;
3938 * Determine if dumpcap is being requested to run in a special
3939 * capture_child mode by going thru the command line args to see if
3940 * a -Z is present. (-Z is a hidden option).
3942 * The primary result of running in capture_child mode is that
3943 * all messages sent out on stderr are in a special type/len/string
3944 * format to allow message processing by type. These messages include
3945 * error messages if dumpcap fails to start the operation it was
3946 * requested to do, as well as various "status" messages which are sent
3947 * when an actual capture is in progress, and a "success" message sent
3948 * if dumpcap was requested to perform an operation other than a
3951 * Capture_child mode would normally be requested by a parent process
3952 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3953 * to which dumpcap stderr has been redirected. It might also have
3954 * another pipe to obtain dumpcap stdout output; for operations other
3955 * than a capture, that information is formatted specially for easier
3956 * parsing by the parent process.
3958 * Capture_child mode needs to be determined immediately upon
3959 * startup so that any messages generated by dumpcap in this mode
3960 * (eg: during initialization) will be formatted properly.
3963 for (i=1; i<argc; i++) {
3964 if (strcmp("-Z", argv[i]) == 0) {
3965 capture_child = TRUE;
3966 machine_readable = TRUE; /* request machine-readable output */
3968 /* set output pipe to binary mode, to avoid ugly text conversions */
3969 _setmode(2, O_BINARY);
3974 /* The default_log_handler will use stdout, which makes trouble in */
3975 /* capture child mode, as it uses stdout for it's sync_pipe. */
3976 /* So: the filtering is done in the console_log_handler and not here.*/
3977 /* We set the log handlers right up front to make sure that any log */
3978 /* messages when running as child will be sent back to the parent */
3979 /* with the correct format. */
3983 G_LOG_LEVEL_CRITICAL|
3984 G_LOG_LEVEL_WARNING|
3985 G_LOG_LEVEL_MESSAGE|
3988 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3990 g_log_set_handler(NULL,
3992 console_log_handler, NULL /* user_data */);
3993 g_log_set_handler(LOG_DOMAIN_MAIN,
3995 console_log_handler, NULL /* user_data */);
3996 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3998 console_log_handler, NULL /* user_data */);
3999 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
4001 console_log_handler, NULL /* user_data */);
4003 /* Initialize the pcaps list */
4004 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
4006 #if !GLIB_CHECK_VERSION(2,31,0)
4007 /* Initialize the thread system */
4008 g_thread_init(NULL);
4012 /* Load wpcap if possible. Do this before collecting the run-time version information */
4015 /* ... and also load the packet.dll from wpcap */
4016 /* XXX - currently not required, may change later. */
4017 /*wpcap_packet_load();*/
4019 /* Start windows sockets */
4020 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
4022 /* Set handler for Ctrl+C key */
4023 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4025 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4027 action.sa_handler = capture_cleanup_handler;
4029 * Arrange that system calls not get restarted, because when
4030 * our signal handler returns we don't want to restart
4031 * a call that was waiting for packets to arrive.
4033 action.sa_flags = 0;
4034 sigemptyset(&action.sa_mask);
4035 sigaction(SIGTERM, &action, NULL);
4036 sigaction(SIGINT, &action, NULL);
4037 sigaction(SIGPIPE, &action, NULL);
4038 sigaction(SIGHUP, NULL, &oldaction);
4039 if (oldaction.sa_handler == SIG_DFL)
4040 sigaction(SIGHUP, &action, NULL);
4043 /* Catch SIGINFO and, if we get it and we're capturing in
4044 quiet mode, report the number of packets we've captured. */
4045 action.sa_handler = report_counts_siginfo;
4046 action.sa_flags = SA_RESTART;
4047 sigemptyset(&action.sa_mask);
4048 sigaction(SIGINFO, &action, NULL);
4049 #endif /* SIGINFO */
4052 /* ----------------------------------------------------------------- */
4053 /* Privilege and capability handling */
4055 /* 1. Running not as root or suid root; no special capabilities. */
4058 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4061 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4063 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4064 /* capabilities; Drop all other capabilities; */
4065 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4066 /* else: after pcap_open_live() in capture_loop_open_input() */
4067 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4068 /* (Note: this means that the process, although logged in */
4069 /* as root, does not have various permissions such as the */
4070 /* ability to bypass file access permissions). */
4071 /* XXX: Should we just leave capabilities alone in this case */
4072 /* so that user gets expected effect that root can do */
4075 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4077 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4078 /* else: after pcap_open_live() in capture_loop_open_input() */
4079 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4080 /* pcap_open_live). */
4082 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4084 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4085 /* capabilities; Drop all other capabilities; */
4086 /* Drop suid privileges (euid=ruid); */
4087 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4088 /* else: after pcap_open_live() in capture_loop_open_input() */
4089 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4091 /* XXX: For some Linux versions/distros with capabilities */
4092 /* a 'normal' process with any capabilities cannot be */
4093 /* 'killed' (signaled) from another (same uid) non-privileged */
4095 /* For example: If (non-suid) Wireshark forks a */
4096 /* child suid dumpcap which acts as described here (case 5), */
4097 /* Wireshark will be unable to kill (signal) the child */
4098 /* dumpcap process until the capabilities have been dropped */
4099 /* (after pcap_open_live()). */
4100 /* This behaviour will apparently be changed in the kernel */
4101 /* to allow the kill (signal) in this case. */
4102 /* See the following for details: */
4103 /* http://www.mail-archive.com/ [wrapped] */
4104 /* linux-security-module@vger.kernel.org/msg02913.html */
4106 /* It is therefore conceivable that if dumpcap somehow hangs */
4107 /* in pcap_open_live or before that wireshark will not */
4108 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4109 /* In this case, exiting wireshark will kill the child */
4110 /* dumpcap process. */
4112 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4113 /* capabilities; Using libcap. Note: capset cmd (which see) */
4114 /* used to assign capabilities to file. */
4116 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4117 /* else: after pcap_open_live() in capture_loop_open_input() */
4118 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4120 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4121 /* longer required (similar to capture). */
4123 /* ----------------------------------------------------------------- */
4125 init_process_policies();
4128 /* If 'started with special privileges' (and using libcap) */
4129 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4130 /* Set euid/egid = ruid/rgid to remove suid privileges */
4131 relinquish_privs_except_capture();
4134 /* Set the initial values in the capture options. This might be overwritten
4135 by the command line parameters. */
4136 capture_opts_init(&global_capture_opts, NULL);
4138 /* We always save to a file - if no file was specified, we save to a
4140 global_capture_opts.saving_to_file = TRUE;
4141 global_capture_opts.has_ring_num_files = TRUE;
4143 /* Now get our args */
4144 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4146 case 'h': /* Print help and exit */
4150 case 'v': /* Show version and exit */
4152 GString *comp_info_str;
4153 GString *runtime_info_str;
4154 /* Assemble the compile-time version information string */
4155 comp_info_str = g_string_new("Compiled ");
4156 get_compiled_version_info(comp_info_str, NULL, NULL);
4158 /* Assemble the run-time version information string */
4159 runtime_info_str = g_string_new("Running ");
4160 get_runtime_version_info(runtime_info_str, NULL);
4161 show_version(comp_info_str, runtime_info_str);
4162 g_string_free(comp_info_str, TRUE);
4163 g_string_free(runtime_info_str, TRUE);
4167 /*** capture option specific ***/
4168 case 'a': /* autostop criteria */
4169 case 'b': /* Ringbuffer option */
4170 case 'c': /* Capture x packets */
4171 case 'f': /* capture filter */
4172 case 'i': /* Use interface x */
4173 case 'n': /* Use pcapng format */
4174 case 'p': /* Don't capture in promiscuous mode */
4175 case 'P': /* Use pcap format */
4176 case 's': /* Set the snapshot (capture) length */
4177 case 'w': /* Write to capture file x */
4178 case 'g': /* enable group read accesson file(s) */
4179 case 'y': /* Set the pcap data link type */
4180 #ifdef HAVE_PCAP_REMOTE
4181 case 'u': /* Use UDP for data transfer */
4182 case 'r': /* Capture own RPCAP traffic too */
4183 case 'A': /* Authentication */
4185 #ifdef HAVE_PCAP_SETSAMPLING
4186 case 'm': /* Sampling */
4188 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4189 case 'B': /* Buffer size */
4190 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4191 #ifdef HAVE_PCAP_CREATE
4192 case 'I': /* Monitor mode */
4194 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4199 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4201 capture_child = TRUE;
4203 /* set output pipe to binary mode, to avoid ugly text conversions */
4204 _setmode(2, O_BINARY);
4206 * optarg = the control ID, aka the PPID, currently used for the
4209 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4210 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4211 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4212 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4214 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4215 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4216 "Signal pipe: Unable to open %s. Dead parent?",
4224 case 'q': /* Quiet */
4230 /*** all non capture option specific ***/
4231 case 'D': /* Print a list of capture devices and exit */
4232 list_interfaces = TRUE;
4235 case 'L': /* Print list of link-layer types and exit */
4236 list_link_layer_types = TRUE;
4239 #ifdef HAVE_BPF_IMAGE
4240 case 'd': /* Print BPF code for capture filter and exit */
4241 print_bpf_code = TRUE;
4245 case 'S': /* Print interface statistics once a second */
4246 print_statistics = TRUE;
4249 case 'M': /* For -D, -L, and -S, print machine-readable output */
4250 machine_readable = TRUE;
4253 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4255 case '?': /* Bad flag - print usage message */
4264 /* user specified file name as regular command-line argument */
4265 /* XXX - use it as the capture file name (or something else)? */
4271 * Extra command line arguments were specified; complain.
4272 * XXX - interpret as capture filter, as tcpdump and tshark do?
4274 cmdarg_err("Invalid argument: %s", argv[0]);
4284 if (run_once_args > 1) {
4285 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4287 } else if (run_once_args == 1) {
4288 /* We're supposed to print some information, rather than
4289 to capture traffic; did they specify a ring buffer option? */
4290 if (global_capture_opts.multi_files_on) {
4291 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4295 /* We're supposed to capture traffic; */
4296 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4297 if (global_capture_opts.ifaces->len > 1) {
4299 global_capture_opts.use_pcapng = TRUE;
4301 /* Was the ring buffer option specified and, if so, does it make sense? */
4302 if (global_capture_opts.multi_files_on) {
4303 /* Ring buffer works only under certain conditions:
4304 a) ring buffer does not work with temporary files;
4305 b) it makes no sense to enable the ring buffer if the maximum
4306 file size is set to "infinite". */
4307 if (global_capture_opts.save_file == NULL) {
4308 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4309 global_capture_opts.multi_files_on = FALSE;
4311 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4312 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4314 /* XXX - this must be redesigned as the conditions changed */
4315 global_capture_opts.multi_files_on = FALSE;
4322 * "-D" requires no interface to be selected; it's supposed to list
4325 if (list_interfaces) {
4326 /* Get the list of interfaces */
4331 if_list = capture_interface_list(&err, &err_str);
4332 if (if_list == NULL) {
4334 case CANT_GET_INTERFACE_LIST:
4335 case DONT_HAVE_PCAP:
4336 cmdarg_err("%s", err_str);
4341 case NO_INTERFACES_FOUND:
4343 * If we're being run by another program, just give them
4344 * an empty list of interfaces, don't report this as
4345 * an error; that lets them decide whether to report
4346 * this as an error or not.
4348 if (!machine_readable) {
4349 cmdarg_err("There are no interfaces on which a capture can be done");
4356 if (machine_readable) /* tab-separated values to stdout */
4357 print_machine_readable_interfaces(if_list);
4359 capture_opts_print_interfaces(if_list);
4360 free_interface_list(if_list);
4365 * "-S" requires no interface to be selected; it gives statistics
4366 * for all interfaces.
4368 if (print_statistics) {
4369 status = print_statistics_loop(machine_readable);
4374 * "-L", "-d", and capturing act on a particular interface, so we have to
4375 * have an interface; if none was specified, pick a default.
4377 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4378 /* cmdarg_err() already called .... */
4382 /* Let the user know what interfaces were chosen. */
4383 /* get_interface_descriptive_name() is not available! */
4384 if (capture_child) {
4385 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4386 interface_options interface_opts;
4388 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4389 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4390 interface_opts.name);
4393 str = g_string_new("");
4395 if (global_capture_opts.ifaces->len < 2) {
4397 if (global_capture_opts.ifaces->len < 4) {
4399 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4400 interface_options interface_opts;
4402 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4404 if (global_capture_opts.ifaces->len > 2) {
4405 g_string_append_printf(str, ",");
4407 g_string_append_printf(str, " ");
4408 if (j == global_capture_opts.ifaces->len - 1) {
4409 g_string_append_printf(str, "and ");
4412 g_string_append_printf(str, "%s", interface_opts.name);
4415 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4417 fprintf(stderr, "Capturing on %s\n", str->str);
4418 g_string_free(str, TRUE);
4421 if (list_link_layer_types) {
4422 /* Get the list of link-layer types for the capture device. */
4423 if_capabilities_t *caps;
4427 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4428 interface_options interface_opts;
4430 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4431 caps = get_if_capabilities(interface_opts.name,
4432 interface_opts.monitor_mode, &err_str);
4434 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4435 "Please check to make sure you have sufficient permissions, and that\n"
4436 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4440 if (caps->data_link_types == NULL) {
4441 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4444 if (machine_readable) /* tab-separated values to stdout */
4445 /* XXX: We need to change the format and adopt consumers */
4446 print_machine_readable_if_capabilities(caps);
4448 /* XXX: We might want to print also the interface name */
4449 capture_opts_print_if_capabilities(caps, interface_opts.name,
4450 interface_opts.monitor_mode);
4451 free_if_capabilities(caps);
4456 /* We're supposed to do a capture, or print the BPF code for a filter.
4457 Process the snapshot length, as that affects the generated BPF code. */
4458 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4460 #ifdef HAVE_BPF_IMAGE
4461 if (print_bpf_code) {
4462 show_filter_code(&global_capture_opts);
4467 /* We're supposed to do a capture. Process the ring buffer arguments. */
4468 capture_opts_trim_ring_num_files(&global_capture_opts);
4470 /* Now start the capture. */
4472 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4476 /* capture failed */
4479 return 0; /* never here, make compiler happy */
4484 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4485 const char *message, gpointer user_data _U_)
4492 /* ignore log message, if log_level isn't interesting */
4493 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4494 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4499 /* create a "timestamp" */
4501 today = localtime(&curr);
4503 switch(log_level & G_LOG_LEVEL_MASK) {
4504 case G_LOG_LEVEL_ERROR:
4507 case G_LOG_LEVEL_CRITICAL:
4510 case G_LOG_LEVEL_WARNING:
4513 case G_LOG_LEVEL_MESSAGE:
4516 case G_LOG_LEVEL_INFO:
4519 case G_LOG_LEVEL_DEBUG:
4523 fprintf(stderr, "unknown log_level %u\n", log_level);
4525 g_assert_not_reached();
4528 /* Generate the output message */
4529 if(log_level & G_LOG_LEVEL_MESSAGE) {
4530 /* normal user messages without additional infos */
4531 msg = g_strdup_printf("%s\n", message);
4533 /* info/debug messages with additional infos */
4534 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4535 today->tm_hour, today->tm_min, today->tm_sec,
4536 log_domain != NULL ? log_domain : "",
4540 /* DEBUG & INFO msgs (if we're debugging today) */
4541 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4542 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4543 #ifdef DEBUG_DUMPCAP
4544 fprintf(stderr, "%s", msg);
4547 #ifdef DEBUG_CHILD_DUMPCAP
4548 fprintf(debug_log, "%s", msg);
4556 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4557 /* to parent especially formatted if dumpcap running as child. */
4558 if (capture_child) {
4559 sync_pipe_errmsg_to_parent(2, msg, "");
4561 fprintf(stderr, "%s", msg);
4568 /****************************************************************************************************************/
4569 /* indication report routines */
4573 report_packet_count(int packet_count)
4575 char tmp[SP_DECISIZE+1+1];
4576 static int count = 0;
4579 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4580 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4581 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4583 count += packet_count;
4584 fprintf(stderr, "\rPackets: %u ", count);
4585 /* stderr could be line buffered */
4591 report_new_capture_file(const char *filename)
4594 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4595 pipe_write_block(2, SP_FILE, filename);
4599 * Prevent a SIGINFO handler from writing to the standard error
4600 * while we're doing so; instead, have it just set a flag telling
4601 * us to print that information when we're done.
4604 #endif /* SIGINFO */
4605 fprintf(stderr, "File: %s\n", filename);
4606 /* stderr could be line buffered */
4611 * Allow SIGINFO handlers to write.
4616 * If a SIGINFO handler asked us to write out capture counts, do so.
4619 report_counts_for_siginfo();
4620 #endif /* SIGINFO */
4625 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4627 interface_options interface_opts;
4628 char tmp[MSG_MAX_LENGTH+1+6];
4630 if (i < capture_opts->ifaces->len) {
4631 if (capture_child) {
4632 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4633 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4634 pipe_write_block(2, SP_BAD_FILTER, tmp);
4637 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4638 * the error message below.
4640 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4642 "Invalid capture filter: \"%s\" for interface %s!\n"
4644 "That string isn't a valid capture filter (%s).\n"
4645 "See the User's Guide for a description of the capture filter syntax.",
4646 interface_opts.cfilter, interface_opts.name, errmsg);
4652 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4655 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4656 "Primary Error: %s", error_msg);
4657 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4658 "Secondary Error: %s", secondary_error_msg);
4659 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4661 cmdarg_err("%s", error_msg);
4662 if (secondary_error_msg[0] != '\0')
4663 cmdarg_err_cont("%s", secondary_error_msg);
4668 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4670 char tmp[SP_DECISIZE+1+1];
4672 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4675 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4676 "Packets received/dropped on interface %s: %u/%u",
4677 name, received, drops);
4678 /* XXX: Need to provide interface id, changes to consumers required. */
4679 pipe_write_block(2, SP_DROPS, tmp);
4682 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4683 name, received, drops,
4684 received ? 100.0 * received / (received + drops) : 0.0);
4685 /* stderr could be line buffered */
4691 /****************************************************************************************************************/
4692 /* signal_pipe handling */
4697 signal_pipe_check_running(void)
4699 /* any news from our parent? -> just stop the capture */
4703 /* if we are running standalone, no check required */
4704 if(!capture_child) {
4708 if(!sig_pipe_name || !sig_pipe_handle) {
4709 /* This shouldn't happen */
4710 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4711 "Signal pipe: No name or handle");
4716 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4717 * at this point. Should we check to see if the parent is still alive,
4718 * e.g. by using OpenProcess?
4721 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4723 if(!result || avail > 0) {
4724 /* peek failed or some bytes really available */
4725 /* (if not piping from stdin this would fail) */
4726 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4727 "Signal pipe: Stop capture: %s", sig_pipe_name);
4728 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4729 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4730 sig_pipe_handle, result, avail);
4733 /* pipe ok and no bytes available */
4740 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4745 * indent-tabs-mode: nil
4748 * vi: set shiftwidth=4 tabstop=8 expandtab:
4749 * :indentSize=4:tabSize=8:noTabs=true: