5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
63 #include "wsutil/wsgetopt.h"
71 # include <sys/prctl.h>
72 # include <sys/capability.h>
75 #include "ringbuffer.h"
76 #include "clopts_common.h"
77 #include "console_io.h"
78 #include "cmdarg_err.h"
79 #include "version_info.h"
81 #include "capture-pcap-util.h"
83 #include "capture-wpcap.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
128 #include <conio.h> /* _getch() */
132 #ifdef DEBUG_CHILD_DUMPCAP
133 FILE *debug_log; /* for logging debug messages to */
134 /* a file if DEBUG_CHILD_DUMPCAP */
138 static GAsyncQueue *pcap_queue;
139 static gint64 pcap_queue_bytes;
140 static gint64 pcap_queue_packets;
141 static gint64 pcap_queue_byte_limit = 1024 * 1024;
142 static gint64 pcap_queue_packet_limit = 1000;
144 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
146 static gchar *sig_pipe_name = NULL;
147 static HANDLE sig_pipe_handle = NULL;
148 static gboolean signal_pipe_check_running(void);
152 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
153 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
156 /** Stop a low-level capture (stops the capture child). */
157 static void capture_loop_stop(void);
159 #if !defined (__linux__)
160 #ifndef HAVE_PCAP_BREAKLOOP
162 * We don't have pcap_breakloop(), which is the only way to ensure that
163 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
164 * won't, if the call to read the next packet or batch of packets is
165 * is interrupted by a signal on UN*X, just go back and try again to
168 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
169 * the signal handler, set a flag to stop capturing; however, without
170 * a guarantee of that sort, we can't guarantee that we'll stop capturing
171 * if the read will be retried and won't time out if no packets arrive.
173 * Therefore, on at least some platforms, we work around the lack of
174 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
175 * to wait for packets to arrive, so that we're probably going to be
176 * blocked in the select() when the signal arrives, and can just bail
177 * out of the loop at that point.
179 * However, we don't want to do that on BSD (because "select()" doesn't work
180 * correctly on BPF devices on at least some releases of some flavors of
181 * BSD), and we don't want to do it on Windows (because "select()" is
182 * something for sockets, not for arbitrary handles). (Note that "Windows"
183 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
184 * using WinPcap, not a UNIX libpcap.)
186 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
187 * on BSD times out even if no packets have arrived, so we'll eventually
188 * exit pcap_dispatch() with an indication that no packets have arrived,
189 * and will break out of the capture loop at that point.
191 * On Windows, we can't send a SIGINT to stop capturing, so none of this
192 * applies in any case.
194 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
195 * want to include it if it's not present on this platform, however.
197 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
198 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
200 # define MUST_DO_SELECT
201 # endif /* avoid select */
202 #endif /* HAVE_PCAP_BREAKLOOP */
204 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
205 * in pcap_dispatch(); on the other hand, select() works just fine there.
206 * Hence we use a select for that come what may.
208 #define MUST_DO_SELECT
211 /** init the capture filter */
214 INITFILTER_BAD_FILTER,
215 INITFILTER_OTHER_ERROR
216 } initfilter_status_t;
218 typedef struct _pcap_options {
222 #ifdef MUST_DO_SELECT
223 int pcap_fd; /* pcap file descriptor */
230 gboolean ts_nsec; /* TRUE if we're using nanosecond precision. */
231 /* capture pipe (unix only "input file") */
232 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
233 gboolean from_cap_socket; /* TRUE if we're capturing from socket */
234 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
235 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
237 HANDLE cap_pipe_h; /* The handle of the capture pipe */
239 int cap_pipe_fd; /* the file descriptor of the capture pipe */
240 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
241 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
243 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
245 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
246 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
248 STATE_EXPECT_REC_HDR,
253 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
255 GMutex *cap_pipe_read_mtx;
256 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
260 typedef struct _loop_data {
262 gboolean go; /* TRUE as long as we're supposed to keep capturing */
263 int err; /* if non-zero, error seen while capturing */
264 gint packet_count; /* Number of packets we have already captured */
265 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
266 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
268 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
275 guint32 autostop_files;
278 typedef struct _pcap_queue_element {
279 pcap_options *pcap_opts;
280 struct pcap_pkthdr phdr;
282 } pcap_queue_element;
285 * Standard secondary message for unexpected errors.
287 static const char please_report[] =
288 "Please report this to the Wireshark developers.\n"
289 "(This is not a crash; please do not report it as such.)";
292 * This needs to be static, so that the SIGINT handler can clear the "go"
295 static loop_data global_ld;
299 * Timeout, in milliseconds, for reads from the stream of captured packets
300 * from a capture device.
302 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
303 * 64-bit applications, with sub-second timeouts not to work. The bug is
304 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
306 #if defined(__APPLE__) && defined(__LP64__)
307 static gboolean need_timeout_workaround;
309 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
311 #define CAP_READ_TIMEOUT 250
315 * Timeout, in microseconds, for reads from the stream of captured packets
316 * from a pipe. Pipes don't have the same problem that BPF devices do
317 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
318 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
319 * of the offending versions of Snow Leopard.
321 * On Windows this value is converted to milliseconds and passed to
322 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
323 * will return immediately.
326 #define PIPE_READ_TIMEOUT 100000
328 #define PIPE_READ_TIMEOUT 250000
331 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
334 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
335 const char *message, gpointer user_data _U_);
337 /* capture related options */
338 static capture_options global_capture_opts;
339 static gboolean quiet = FALSE;
340 static gboolean use_threads = FALSE;
341 static guint64 start_time;
343 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
345 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
347 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
348 int err, gboolean is_close);
350 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
352 static void report_new_capture_file(const char *filename);
353 static void report_packet_count(int packet_count);
354 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
355 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
356 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
358 #define MSG_MAX_LENGTH 4096
360 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
362 create_timestamp(void) {
372 * Current time, represented as 100-nanosecond intervals since
373 * January 1, 1601, 00:00:00 UTC.
375 * I think DWORD might be signed, so cast both parts of "now"
376 * to guint32 so that the sign bit doesn't get treated specially.
378 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
379 * might want to use instead.
381 GetSystemTimeAsFileTime(&now);
382 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
383 (guint32)now.dwLowDateTime;
386 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
392 * Subtract difference, in microseconds, between January 1, 1601
393 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
395 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
398 * Current time, represented as seconds and microseconds since
399 * January 1, 1970, 00:00:00 UTC.
401 gettimeofday(&now, NULL);
404 * Convert to delta in microseconds.
406 timestamp = (guint64)(now.tv_sec) * 1000000 +
407 (guint64)(now.tv_usec);
413 print_usage(gboolean print_ver)
420 "Dumpcap " VERSION "%s\n"
421 "Capture network packets and dump them into a pcapng file.\n"
422 "See http://www.wireshark.org for more information.\n",
423 wireshark_svnversion);
427 fprintf(output, "\nUsage: dumpcap [options] ...\n");
428 fprintf(output, "\n");
429 fprintf(output, "Capture interface:\n");
430 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
431 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
432 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
433 fprintf(output, " -p don't capture in promiscuous mode\n");
434 #ifdef HAVE_PCAP_CREATE
435 fprintf(output, " -I capture in monitor mode, if available\n");
437 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
438 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
440 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
441 fprintf(output, " -D print list of interfaces and exit\n");
442 fprintf(output, " -L print list of link-layer types of iface and exit\n");
443 #ifdef HAVE_BPF_IMAGE
444 fprintf(output, " -d print generated BPF code for capture filter\n");
446 fprintf(output, " -S print statistics for each interface once per second\n");
447 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
448 fprintf(output, "\n");
449 #ifdef HAVE_PCAP_REMOTE
450 fprintf(output, "RPCAP options:\n");
451 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
452 fprintf(output, " -u use UDP for RPCAP data transfer\n");
453 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
454 #ifdef HAVE_PCAP_SETSAMPLING
455 fprintf(output, " -m <sampling type> use packet sampling\n");
456 fprintf(output, " count:NUM - capture one packet of every NUM\n");
457 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
460 fprintf(output, "Stop conditions:\n");
461 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
462 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
463 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
464 fprintf(output, " files:NUM - stop after NUM files\n");
465 /*fprintf(output, "\n");*/
466 fprintf(output, "Output (files):\n");
467 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
468 fprintf(output, " -g enable group read access on the output file(s)\n");
469 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
470 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
471 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
472 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
473 fprintf(output, " -P use libpcap format instead of pcapng\n");
474 fprintf(output, "\n");
475 fprintf(output, "Miscellaneous:\n");
476 fprintf(output, " -t use a separate thread per interface\n");
477 fprintf(output, " -q don't report packet capture counts\n");
478 fprintf(output, " -v print version information and exit\n");
479 fprintf(output, " -h display this help and exit\n");
480 fprintf(output, "\n");
481 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
482 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcapng\"\n");
483 fprintf(output, "\n");
484 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
488 show_version(GString *comp_info_str, GString *runtime_info_str)
491 "Dumpcap " VERSION "%s\n"
496 "See http://www.wireshark.org for more information.\n",
497 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
501 * Print to the standard error. This is a command-line tool, so there's
502 * no need to pop up a console.
505 vfprintf_stderr(const char *fmt, va_list ap)
507 vfprintf(stderr, fmt, ap);
511 fprintf_stderr(const char *fmt, ...)
516 vfprintf_stderr(fmt, ap);
521 * Report an error in command-line arguments.
524 cmdarg_err(const char *fmt, ...)
530 /* Generate a 'special format' message back to parent */
532 msg = g_strdup_vprintf(fmt, ap);
533 sync_pipe_errmsg_to_parent(2, msg, "");
538 fprintf(stderr, "dumpcap: ");
539 vfprintf(stderr, fmt, ap);
540 fprintf(stderr, "\n");
546 * Report additional information for an error in command-line arguments.
549 cmdarg_err_cont(const char *fmt, ...)
556 msg = g_strdup_vprintf(fmt, ap);
557 sync_pipe_errmsg_to_parent(2, msg, "");
562 vfprintf(stderr, fmt, ap);
563 fprintf(stderr, "\n");
570 #if 0 /* Set to enable capability debugging */
571 /* see 'man cap_to_text()' for explanation of output */
572 /* '=' means 'all= ' ie: no capabilities */
573 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
575 print_caps(const char *pfx) {
576 cap_t caps = cap_get_proc();
577 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
578 "%s: EUID: %d Capabilities: %s", pfx,
579 geteuid(), cap_to_text(caps, NULL));
582 print_caps(const char *pfx _U_) {
587 relinquish_all_capabilities(void)
589 /* Drop any and all capabilities this process may have. */
590 /* Allowed whether or not process has any privileges. */
591 cap_t caps = cap_init(); /* all capabilities initialized to off */
592 print_caps("Pre-clear");
593 if (cap_set_proc(caps)) {
594 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
596 print_caps("Post-clear");
602 open_capture_device(interface_options *interface_opts,
603 char (*open_err_str)[PCAP_ERRBUF_SIZE])
606 #ifdef HAVE_PCAP_CREATE
609 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
610 struct pcap_rmtauth auth;
613 /* Open the network interface to capture from it.
614 Some versions of libpcap may put warnings into the error buffer
615 if they succeed; to tell if that's happened, we have to clear
616 the error buffer, and check if it's still a null string. */
617 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
618 (*open_err_str)[0] = '\0';
619 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
621 * If we're opening a remote device, use pcap_open(); that's currently
622 * the only open routine that supports remote devices.
624 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
625 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
626 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
627 auth.username = interface_opts->auth_username;
628 auth.password = interface_opts->auth_password;
630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
631 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
632 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
633 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
634 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
636 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
637 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
638 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
639 CAP_READ_TIMEOUT, &auth, *open_err_str);
640 if ((*open_err_str)[0] == '\0') {
641 /* Work around known WinPcap bug wherein no error message is
642 filled in on a failure to open an rpcap: URL. */
643 g_strlcpy(*open_err_str,
644 "Unknown error (pcap bug; actual error cause not reported)",
645 sizeof *open_err_str);
647 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
648 "pcap_open() returned %p.", (void *)pcap_h);
653 * If we're not opening a remote device, use pcap_create() and
654 * pcap_activate() if we have them, so that we can set the buffer
655 * size, otherwise use pcap_open_live().
657 #ifdef HAVE_PCAP_CREATE
658 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
659 "Calling pcap_create() using %s.", interface_opts->name);
660 pcap_h = pcap_create(interface_opts->name, *open_err_str);
661 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
662 "pcap_create() returned %p.", (void *)pcap_h);
663 if (pcap_h != NULL) {
664 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
665 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
666 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
667 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
668 "Calling pcap_set_promisc() with promisc_mode %d.", interface_opts->promisc_mode);
669 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
670 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
672 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
673 "buffersize %d.", interface_opts->buffer_size);
674 if (interface_opts->buffer_size != 0) {
675 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
677 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
678 "monitor_mode %d.", interface_opts->monitor_mode);
679 if (interface_opts->monitor_mode)
680 pcap_set_rfmon(pcap_h, 1);
681 err = pcap_activate(pcap_h);
682 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
683 "pcap_activate() returned %d.", err);
685 /* Failed to activate, set to NULL */
686 if (err == PCAP_ERROR)
687 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
689 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
695 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
696 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
697 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
698 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
699 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
702 "pcap_open_live() returned %p.", (void *)pcap_h);
705 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
710 get_capture_device_open_failure_messages(const char *open_err_str,
716 char *errmsg, size_t errmsg_len,
717 char *secondary_errmsg,
718 size_t secondary_errmsg_len)
721 const char *libpcap_warn;
722 static const char ppamsg[] = "can't find PPA for ";
725 g_snprintf(errmsg, (gulong) errmsg_len,
726 "The capture session could not be initiated (%s).", open_err_str);
729 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
731 "In order to capture packets, WinPcap must be installed; see\n"
733 " http://www.winpcap.org/\n"
737 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
741 " http://winpcap.cs.pu.edu.tw/\n"
743 "for a downloadable version of WinPcap and for instructions on how to install\n"
746 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
748 "Please check that \"%s\" is the proper interface.\n"
751 "Help can be found at:\n"
753 " http://wiki.wireshark.org/WinPcap\n"
754 " http://wiki.wireshark.org/CaptureSetup\n",
758 /* If we got a "can't find PPA for X" message, warn the user (who
759 is running dumpcap on HP-UX) that they don't have a version of
760 libpcap that properly handles HP-UX (libpcap 0.6.x and later
761 versions, which properly handle HP-UX, say "can't find /dev/dlpi
762 PPA for X" rather than "can't find PPA for X"). */
763 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
766 "You are running (T)Wireshark with a version of the libpcap library\n"
767 "that doesn't handle HP-UX network devices well; this means that\n"
768 "(T)Wireshark may not be able to capture packets.\n"
770 "To fix this, you should install libpcap 0.6.2, or a later version\n"
771 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
772 "packaged binary form from the Software Porting And Archive Centre\n"
773 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
774 "at the URL lists a number of mirror sites.";
778 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
779 "Please check to make sure you have sufficient permissions, and that you have "
780 "the proper interface or pipe specified.%s", libpcap_warn);
784 /* Set the data link type on a pcap. */
786 set_pcap_linktype(pcap_t *pcap_h, int linktype,
787 #ifdef HAVE_PCAP_SET_DATALINK
792 char *errmsg, size_t errmsg_len,
793 char *secondary_errmsg, size_t secondary_errmsg_len)
795 char *set_linktype_err_str;
798 return TRUE; /* just use the default */
799 #ifdef HAVE_PCAP_SET_DATALINK
800 if (pcap_set_datalink(pcap_h, linktype) == 0)
801 return TRUE; /* no error */
802 set_linktype_err_str = pcap_geterr(pcap_h);
804 /* Let them set it to the type it is; reject any other request. */
805 if (get_pcap_linktype(pcap_h, name) == linktype)
806 return TRUE; /* no error */
807 set_linktype_err_str =
808 "That DLT isn't one of the DLTs supported by this device";
810 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
811 set_linktype_err_str);
813 * If the error isn't "XXX is not one of the DLTs supported by this device",
814 * tell the user to tell the Wireshark developers about it.
816 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
817 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
819 secondary_errmsg[0] = '\0';
824 compile_capture_filter(const char *iface, pcap_t *pcap_h,
825 struct bpf_program *fcode, const char *cfilter)
827 bpf_u_int32 netnum, netmask;
828 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
830 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
832 * Well, we can't get the netmask for this interface; it's used
833 * only for filters that check for broadcast IP addresses, so
834 * we just punt and use 0. It might be nice to warn the user,
835 * but that's a pain in a GUI application, as it'd involve popping
836 * up a message box, and it's not clear how often this would make
837 * a difference (only filters that check for IP broadcast addresses
841 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
846 * Sigh. Older versions of libpcap don't properly declare the
847 * third argument to pcap_compile() as a const pointer. Cast
850 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
855 #ifdef HAVE_BPF_IMAGE
857 show_filter_code(capture_options *capture_opts)
859 interface_options interface_opts;
861 gchar open_err_str[PCAP_ERRBUF_SIZE];
862 char errmsg[MSG_MAX_LENGTH+1];
863 char secondary_errmsg[MSG_MAX_LENGTH+1];
864 struct bpf_program fcode;
865 struct bpf_insn *insn;
869 for (j = 0; j < capture_opts->ifaces->len; j++) {
870 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
871 pcap_h = open_capture_device(&interface_opts, &open_err_str);
872 if (pcap_h == NULL) {
873 /* Open failed; get messages */
874 get_capture_device_open_failure_messages(open_err_str,
876 errmsg, sizeof errmsg,
878 sizeof secondary_errmsg);
879 /* And report them */
880 report_capture_error(errmsg, secondary_errmsg);
884 /* Set the link-layer type. */
885 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
886 errmsg, sizeof errmsg,
887 secondary_errmsg, sizeof secondary_errmsg)) {
889 report_capture_error(errmsg, secondary_errmsg);
893 /* OK, try to compile the capture filter. */
894 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
895 interface_opts.cfilter)) {
897 report_cfilter_error(capture_opts, j, errmsg);
902 /* Now print the filter code. */
903 insn = fcode.bf_insns;
905 for (i = 0; i < fcode.bf_len; insn++, i++)
906 printf("%s\n", bpf_image(insn, i));
908 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
909 /* to remove any suid privileges. */
910 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
911 /* (euid/egid have already previously been set to ruid/rgid. */
912 /* (See comment in main() for details) */
914 relinquish_special_privs_perm();
916 relinquish_all_capabilities();
919 /* Let our parent know we succeeded. */
920 pipe_write_block(2, SP_SUCCESS, NULL);
927 * capture_interface_list() is expected to do the right thing to get
928 * a list of interfaces.
930 * In most of the programs in the Wireshark suite, "the right thing"
931 * is to run dumpcap and ask it for the list, because dumpcap may
932 * be the only program in the suite with enough privileges to get
935 * In dumpcap itself, however, we obviously can't run dumpcap to
936 * ask for the list. Therefore, our capture_interface_list() should
937 * just call get_interface_list().
940 capture_interface_list(int *err, char **err_str)
942 return get_interface_list(err, err_str);
946 * Get the data-link type for a libpcap device.
947 * This works around AIX 5.x's non-standard and incompatible-with-the-
948 * rest-of-the-universe libpcap.
951 get_pcap_linktype(pcap_t *pch, const char *devname
959 const char *ifacename;
962 linktype = pcap_datalink(pch);
966 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
967 * rather than DLT_ values for link-layer types; the ifType values
968 * for LAN devices are:
975 * and the ifType value for a loopback device is 24.
977 * The AIX names for LAN devices begin with:
984 * and the AIX names for loopback devices begin with "lo".
986 * (The difference between "Ethernet" and "802.3" is presumably
987 * whether packets have an Ethernet header, with a packet type,
988 * or an 802.3 header, with a packet length, followed by an 802.2
989 * header and possibly a SNAP header.)
991 * If the device name matches "linktype" interpreted as an ifType
992 * value, rather than as a DLT_ value, we will assume this is AIX's
993 * non-standard, incompatible libpcap, rather than a standard libpcap,
994 * and will map the link-layer type to the standard DLT_ value for
995 * that link-layer type, as that's what the rest of Wireshark expects.
997 * (This means the capture files won't be readable by a tcpdump
998 * linked with AIX's non-standard libpcap, but so it goes. They
999 * *will* be readable by standard versions of tcpdump, Wireshark,
1002 * XXX - if we conclude we're using AIX libpcap, should we also
1003 * set a flag to cause us to assume the time stamps are in
1004 * seconds-and-nanoseconds form, and to convert them to
1005 * seconds-and-microseconds form before processing them and
1010 * Find the last component of the device name, which is the
1013 ifacename = strchr(devname, '/');
1014 if (ifacename == NULL)
1015 ifacename = devname;
1017 /* See if it matches any of the LAN device names. */
1018 if (strncmp(ifacename, "en", 2) == 0) {
1019 if (linktype == 6) {
1021 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1025 } else if (strncmp(ifacename, "et", 2) == 0) {
1026 if (linktype == 7) {
1028 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1029 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1034 } else if (strncmp(ifacename, "tr", 2) == 0) {
1035 if (linktype == 9) {
1037 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1038 * DLT_IEEE802, which is what's used for Token Ring.
1042 } else if (strncmp(ifacename, "fi", 2) == 0) {
1043 if (linktype == 15) {
1045 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1049 } else if (strncmp(ifacename, "lo", 2) == 0) {
1050 if (linktype == 24) {
1052 * That's the RFC 1573 value for "software loopback" devices; map it
1053 * to DLT_NULL, which is what's used for loopback devices on BSD.
1063 static data_link_info_t *
1064 create_data_link_info(int dlt)
1066 data_link_info_t *data_link_info;
1069 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1070 data_link_info->dlt = dlt;
1071 text = pcap_datalink_val_to_name(dlt);
1073 data_link_info->name = g_strdup(text);
1075 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1076 text = pcap_datalink_val_to_description(dlt);
1078 data_link_info->description = g_strdup(text);
1080 data_link_info->description = NULL;
1081 return data_link_info;
1085 * Get the capabilities of a network device.
1087 static if_capabilities_t *
1088 get_if_capabilities(const char *devname, gboolean monitor_mode
1089 #ifndef HAVE_PCAP_CREATE
1094 if_capabilities_t *caps;
1095 char errbuf[PCAP_ERRBUF_SIZE];
1097 #ifdef HAVE_PCAP_CREATE
1101 #ifdef HAVE_PCAP_LIST_DATALINKS
1105 data_link_info_t *data_link_info;
1108 * Allocate the interface capabilities structure.
1110 caps = g_malloc(sizeof *caps);
1113 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1114 * wherein, when an open with an rpcap: URL fails, the error
1115 * message for the error is not copied to errbuf and whatever
1116 * on-the-stack junk is in errbuf is treated as the error
1119 * To work around that (and any other bugs of that sort, we
1120 * initialize errbuf to an empty string. If we get an error
1121 * and the string is empty, we report it as an unknown error.
1122 * (If we *don't* get an error, and the string is *non*-empty,
1123 * that could be a warning returned, such as "can't turn
1124 * promiscuous mode on"; we currently don't do so.)
1127 #ifdef HAVE_PCAP_OPEN
1128 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1129 caps->can_set_rfmon = FALSE;
1131 if (err_str != NULL)
1132 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1136 #elif defined(HAVE_PCAP_CREATE)
1137 pch = pcap_create(devname, errbuf);
1139 if (err_str != NULL)
1140 *err_str = g_strdup(errbuf);
1144 status = pcap_can_set_rfmon(pch);
1147 if (status == PCAP_ERROR)
1148 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1151 *err_str = g_strdup(pcap_statustostr(status));
1157 caps->can_set_rfmon = FALSE;
1158 else if (status == 1) {
1159 caps->can_set_rfmon = TRUE;
1161 pcap_set_rfmon(pch, 1);
1163 if (err_str != NULL) {
1164 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1172 status = pcap_activate(pch);
1174 /* Error. We ignore warnings (status > 0). */
1175 if (err_str != NULL) {
1176 if (status == PCAP_ERROR)
1177 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1180 *err_str = g_strdup(pcap_statustostr(status));
1187 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1188 caps->can_set_rfmon = FALSE;
1190 if (err_str != NULL)
1191 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1196 deflt = get_pcap_linktype(pch, devname);
1197 #ifdef HAVE_PCAP_LIST_DATALINKS
1198 nlt = pcap_list_datalinks(pch, &linktypes);
1199 if (nlt == 0 || linktypes == NULL) {
1201 if (err_str != NULL)
1202 *err_str = NULL; /* an empty list doesn't mean an error */
1206 caps->data_link_types = NULL;
1207 for (i = 0; i < nlt; i++) {
1208 data_link_info = create_data_link_info(linktypes[i]);
1211 * XXX - for 802.11, make the most detailed 802.11
1212 * version the default, rather than the one the
1213 * device has as the default?
1215 if (linktypes[i] == deflt)
1216 caps->data_link_types = g_list_prepend(caps->data_link_types,
1219 caps->data_link_types = g_list_append(caps->data_link_types,
1222 #ifdef HAVE_PCAP_FREE_DATALINKS
1223 pcap_free_datalinks(linktypes);
1226 * In Windows, there's no guarantee that if you have a library
1227 * built with one version of the MSVC++ run-time library, and
1228 * it returns a pointer to allocated data, you can free that
1229 * data from a program linked with another version of the
1230 * MSVC++ run-time library.
1232 * This is not an issue on UN*X.
1234 * See the mail threads starting at
1236 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1240 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1243 #define xx_free free /* hack so checkAPIs doesn't complain */
1246 #endif /* HAVE_PCAP_FREE_DATALINKS */
1247 #else /* HAVE_PCAP_LIST_DATALINKS */
1249 data_link_info = create_data_link_info(deflt);
1250 caps->data_link_types = g_list_append(caps->data_link_types,
1252 #endif /* HAVE_PCAP_LIST_DATALINKS */
1256 if (err_str != NULL)
1261 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1263 print_machine_readable_interfaces(GList *if_list)
1270 char addr_str[ADDRSTRLEN];
1272 if (capture_child) {
1273 /* Let our parent know we succeeded. */
1274 pipe_write_block(2, SP_SUCCESS, NULL);
1277 i = 1; /* Interface id number */
1278 for (if_entry = g_list_first(if_list); if_entry != NULL;
1279 if_entry = g_list_next(if_entry)) {
1280 if_info = (if_info_t *)if_entry->data;
1281 printf("%d. %s", i++, if_info->name);
1284 * Print the contents of the if_entry struct in a parseable format.
1285 * Each if_entry element is tab-separated. Addresses are comma-
1288 /* XXX - Make sure our description doesn't contain a tab */
1289 if (if_info->description != NULL)
1290 printf("\t%s\t", if_info->description);
1294 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1295 addr = g_slist_next(addr)) {
1296 if (addr != g_slist_nth(if_info->addrs, 0))
1299 if_addr = (if_addr_t *)addr->data;
1300 switch(if_addr->ifat_type) {
1302 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1304 printf("%s", addr_str);
1306 printf("<unknown IPv4>");
1310 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1311 addr_str, ADDRSTRLEN)) {
1312 printf("%s", addr_str);
1314 printf("<unknown IPv6>");
1318 printf("<type unknown %u>", if_addr->ifat_type);
1322 if (if_info->loopback)
1323 printf("\tloopback");
1325 printf("\tnetwork");
1332 * If you change the machine-readable output format of this function,
1333 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1336 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1339 data_link_info_t *data_link_info;
1340 const gchar *desc_str;
1342 if (capture_child) {
1343 /* Let our parent know we succeeded. */
1344 pipe_write_block(2, SP_SUCCESS, NULL);
1347 if (caps->can_set_rfmon)
1351 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1352 lt_entry = g_list_next(lt_entry)) {
1353 data_link_info = (data_link_info_t *)lt_entry->data;
1354 if (data_link_info->description != NULL)
1355 desc_str = data_link_info->description;
1357 desc_str = "(not supported)";
1358 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1368 /* Print the number of packets captured for each interface until we're killed. */
1370 print_statistics_loop(gboolean machine_readable)
1372 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1378 char errbuf[PCAP_ERRBUF_SIZE];
1379 struct pcap_stat ps;
1381 if_list = get_interface_list(&err, &err_str);
1382 if (if_list == NULL) {
1384 case CANT_GET_INTERFACE_LIST:
1385 case DONT_HAVE_PCAP:
1386 cmdarg_err("%s", err_str);
1390 case NO_INTERFACES_FOUND:
1391 cmdarg_err("There are no interfaces on which a capture can be done");
1397 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1398 if_info = (if_info_t *)if_entry->data;
1399 #ifdef HAVE_PCAP_OPEN
1400 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1402 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1406 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1407 if_stat->name = g_strdup(if_info->name);
1409 stat_list = g_list_append(stat_list, if_stat);
1414 cmdarg_err("There are no interfaces on which a capture can be done");
1418 if (capture_child) {
1419 /* Let our parent know we succeeded. */
1420 pipe_write_block(2, SP_SUCCESS, NULL);
1423 if (!machine_readable) {
1424 printf("%-15s %10s %10s\n", "Interface", "Received",
1428 global_ld.go = TRUE;
1429 while (global_ld.go) {
1430 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1431 if_stat = (if_stat_t *)stat_entry->data;
1432 pcap_stats(if_stat->pch, &ps);
1434 if (!machine_readable) {
1435 printf("%-15s %10u %10u\n", if_stat->name,
1436 ps.ps_recv, ps.ps_drop);
1438 printf("%s\t%u\t%u\n", if_stat->name,
1439 ps.ps_recv, ps.ps_drop);
1450 /* XXX - Not reached. Should we look for 'q' in stdin? */
1451 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1452 if_stat = (if_stat_t *)stat_entry->data;
1453 pcap_close(if_stat->pch);
1454 g_free(if_stat->name);
1457 g_list_free(stat_list);
1458 free_interface_list(if_list);
1466 capture_cleanup_handler(DWORD dwCtrlType)
1468 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1469 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1470 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1471 like SIGTERM at least when the machine's shutting down.
1473 For now, if we're running as a command rather than a capture child,
1474 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1475 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1476 in that way on UN*X.
1478 If we're not running as a capture child, we might be running as
1479 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1480 user logs out. (XXX - can we explicitly check whether we're
1481 running as a service?) */
1483 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1484 "Console: Control signal");
1485 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1486 "Console: Control signal, CtrlType: %u", dwCtrlType);
1488 /* Keep capture running if we're a service and a user logs off */
1489 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1490 capture_loop_stop();
1498 capture_cleanup_handler(int signum _U_)
1500 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1501 SIGTERM. We assume that if the user wanted it to keep running
1502 after they logged out, they'd have nohupped it. */
1504 /* Note: don't call g_log() in the signal handler: if we happened to be in
1505 * g_log() in process context when the signal came in, g_log will detect
1506 * the "recursion" and abort.
1509 capture_loop_stop();
1515 report_capture_count(gboolean reportit)
1517 /* Don't print this if we're a capture child. */
1518 if (!capture_child && reportit) {
1519 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1520 /* stderr could be line buffered */
1528 report_counts_for_siginfo(void)
1530 report_capture_count(quiet);
1531 infoprint = FALSE; /* we just reported it */
1535 report_counts_siginfo(int signum _U_)
1537 int sav_errno = errno;
1539 /* If we've been told to delay printing, just set a flag asking
1540 that we print counts (if we're supposed to), otherwise print
1541 the count of packets captured (if we're supposed to). */
1545 report_counts_for_siginfo();
1548 #endif /* SIGINFO */
1551 exit_main(int status)
1554 /* Shutdown windows sockets */
1557 /* can be helpful for debugging */
1558 #ifdef DEBUG_DUMPCAP
1559 printf("Press any key\n");
1570 * If we were linked with libcap (not libpcap), make sure we have
1571 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1572 * (See comment in main() for details)
1575 relinquish_privs_except_capture(void)
1577 /* If 'started_with_special_privs' (ie: suid) then enable for
1578 * ourself the NET_ADMIN and NET_RAW capabilities and then
1579 * drop our suid privileges.
1581 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1582 * stuff we don't need (and shouldn't have).
1583 * CAP_NET_RAW: Packet capture (raw sockets).
1586 if (started_with_special_privs()) {
1587 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1588 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1590 cap_t caps = cap_init(); /* all capabilities initialized to off */
1592 print_caps("Pre drop, pre set");
1594 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1595 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1598 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1599 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1601 if (cap_set_proc(caps)) {
1602 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1604 print_caps("Pre drop, post set");
1606 relinquish_special_privs_perm();
1608 print_caps("Post drop, pre set");
1609 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1610 if (cap_set_proc(caps)) {
1611 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1613 print_caps("Post drop, post set");
1619 #endif /* HAVE_LIBCAP */
1621 /* Take care of byte order in the libpcap headers read from pipes.
1622 * (function taken from wiretap/libpcap.c) */
1624 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1627 /* Byte-swap the record header fields. */
1628 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1629 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1630 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1631 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1634 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1635 swapped, in order to match the BPF header layout.
1637 Unfortunately, some files were, according to a comment in the "libpcap"
1638 source, written with version 2.3 in their headers but without the
1639 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1640 would make no sense - we assume that we need to swap them. */
1641 if (hdr->version_major == 2 &&
1642 (hdr->version_minor < 3 ||
1643 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1646 temp = rechdr->orig_len;
1647 rechdr->orig_len = rechdr->incl_len;
1648 rechdr->incl_len = temp;
1652 /* Wrapper: distinguish between recv/read if we're reading on Windows,
1656 cap_pipe_read(int pipe_fd, char *buf, size_t sz, gboolean from_socket _U_)
1660 return recv(pipe_fd, buf, sz, 0);
1665 return ws_read(pipe_fd, buf, sz);
1671 * Thread function that reads from a pipe and pushes the data
1672 * to the main application thread.
1675 * XXX Right now we use async queues for basic signaling. The main thread
1676 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1677 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1678 * Iff the read is successful cap_pipe_read pushes an item onto
1679 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1680 * the queues themselves (yet).
1682 * We might want to move some of the cap_pipe_dispatch logic here so that
1683 * we can let cap_thread_read run independently, queuing up multiple reads
1684 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1686 static void *cap_thread_read(void *arg)
1688 pcap_options *pcap_opts;
1697 pcap_opts = (pcap_options *)arg;
1698 while (pcap_opts->cap_pipe_err == PIPOK) {
1699 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1700 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1702 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1703 if ((pcap_opts->from_cap_socket)
1709 b = cap_pipe_read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1710 pcap_opts->cap_pipe_bytes_to_read - bytes_read, pcap_opts->from_cap_socket);
1713 pcap_opts->cap_pipe_err = PIPEOF;
1717 pcap_opts->cap_pipe_err = PIPERR;
1728 /* If we try to use read() on a named pipe on Windows with partial
1729 * data it appears to return EOF.
1731 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1732 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1737 last_err = GetLastError();
1738 if (last_err == ERROR_MORE_DATA) {
1740 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1741 pcap_opts->cap_pipe_err = PIPEOF;
1745 pcap_opts->cap_pipe_err = PIPERR;
1748 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1749 pcap_opts->cap_pipe_err = PIPEOF;
1756 pcap_opts->cap_pipe_bytes_read = bytes_read;
1757 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1758 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1760 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1766 /* Provide select() functionality for a single file descriptor
1767 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1769 * Returns the same values as select.
1772 cap_pipe_select(int pipe_fd)
1775 struct timeval timeout;
1778 FD_SET(pipe_fd, &rfds);
1780 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1781 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1783 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1786 #define DEF_TCP_PORT 19000
1789 cap_open_socket(char *pipename, pcap_options *pcap_opts, char *errmsg, int errmsgl)
1791 char *sockname = pipename + 4;
1792 struct sockaddr_in sa;
1799 memset(&sa, 0, sizeof(sa));
1801 p = strchr(sockname, ':');
1803 len = strlen(sockname);
1804 port = DEF_TCP_PORT;
1808 port = strtoul(p + 1, &p, 10);
1809 if (*p || port > 65535) {
1818 strncpy(buf, sockname, len);
1820 if (!inet_pton(AF_INET, buf, &sa.sin_addr)) {
1824 sa.sin_family = AF_INET;
1825 sa.sin_port = htons((u_short)port);
1827 if (((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) ||
1828 (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)) {
1829 g_snprintf(errmsg, errmsgl,
1830 "The capture session could not be initiated due to\n"
1832 "the socket error: %d", WSAGetLastError());
1834 "the socket error: %s", strerror(errno));
1836 pcap_opts->cap_pipe_err = PIPERR;
1840 pcap_opts->from_cap_socket = TRUE;
1844 g_snprintf(errmsg, errmsgl,
1845 "The capture session could not be initiated because\n"
1846 "\"%s\" is not a valid socket specification", pipename);
1847 pcap_opts->cap_pipe_err = PIPERR;
1851 /* Wrapper: distinguish between closesocket on Windows; use ws_close
1855 cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
1859 closesocket(pipe_fd);
1866 /* Mimic pcap_open_live() for pipe captures
1868 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1869 * open it, and read the header.
1871 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1872 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1874 cap_pipe_open_live(char *pipename,
1875 pcap_options *pcap_opts,
1876 struct pcap_hdr *hdr,
1877 char *errmsg, int errmsgl)
1880 ws_statb64 pipe_stat;
1881 struct sockaddr_un sa;
1887 unsigned int bytes_read;
1890 pcap_opts->cap_pipe_fd = -1;
1892 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1894 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1897 * XXX - this blocks until a pcap per-file header has been written to
1898 * the pipe, so it could block indefinitely.
1900 if (strcmp(pipename, "-") == 0) {
1902 fd = 0; /* read from stdin */
1904 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1906 } else if (!strncmp(pipename, "TCP@", 4)) {
1907 if ((fd = cap_open_socket(pipename, pcap_opts, errmsg, errmsgl)) < 0) {
1912 if (ws_stat64(pipename, &pipe_stat) < 0) {
1913 if (errno == ENOENT || errno == ENOTDIR)
1914 pcap_opts->cap_pipe_err = PIPNEXIST;
1916 g_snprintf(errmsg, errmsgl,
1917 "The capture session could not be initiated "
1918 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1919 pcap_opts->cap_pipe_err = PIPERR;
1923 if (S_ISFIFO(pipe_stat.st_mode)) {
1924 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1926 g_snprintf(errmsg, errmsgl,
1927 "The capture session could not be initiated "
1928 "due to error on pipe open: %s", g_strerror(errno));
1929 pcap_opts->cap_pipe_err = PIPERR;
1932 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1933 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1935 g_snprintf(errmsg, errmsgl,
1936 "The capture session could not be initiated "
1937 "due to error on socket create: %s", g_strerror(errno));
1938 pcap_opts->cap_pipe_err = PIPERR;
1941 sa.sun_family = AF_UNIX;
1943 * The Single UNIX Specification says:
1945 * The size of sun_path has intentionally been left undefined.
1946 * This is because different implementations use different sizes.
1947 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1948 * of 104. Since most implementations originate from BSD versions,
1949 * the size is typically in the range 92 to 108.
1951 * Applications should not assume a particular length for sun_path
1952 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1956 * The <sys/un.h> header shall define the sockaddr_un structure,
1957 * which shall include at least the following members:
1959 * sa_family_t sun_family Address family.
1960 * char sun_path[] Socket pathname.
1962 * so we assume that it's an array, with a specified size,
1963 * and that the size reflects the maximum path length.
1965 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1966 /* Path name too long */
1967 g_snprintf(errmsg, errmsgl,
1968 "The capture session coud not be initiated "
1969 "due to error on socket connect: Path name too long");
1970 pcap_opts->cap_pipe_err = PIPERR;
1974 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1976 g_snprintf(errmsg, errmsgl,
1977 "The capture session coud not be initiated "
1978 "due to error on socket connect: %s", g_strerror(errno));
1979 pcap_opts->cap_pipe_err = PIPERR;
1984 if (S_ISCHR(pipe_stat.st_mode)) {
1986 * Assume the user specified an interface on a system where
1987 * interfaces are in /dev. Pretend we haven't seen it.
1989 pcap_opts->cap_pipe_err = PIPNEXIST;
1992 g_snprintf(errmsg, errmsgl,
1993 "The capture session could not be initiated because\n"
1994 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1995 pcap_opts->cap_pipe_err = PIPERR;
2000 #define PIPE_STR "\\pipe\\"
2001 /* Under Windows, named pipes _must_ have the form
2002 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
2004 pncopy = g_strdup(pipename);
2005 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
2006 pos = strchr(pncopy + 3, '\\');
2007 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
2014 g_snprintf(errmsg, errmsgl,
2015 "The capture session could not be initiated because\n"
2016 "\"%s\" is neither an interface nor a pipe", pipename);
2017 pcap_opts->cap_pipe_err = PIPNEXIST;
2021 /* Wait for the pipe to appear */
2023 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
2024 OPEN_EXISTING, 0, NULL);
2026 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
2029 if (GetLastError() != ERROR_PIPE_BUSY) {
2030 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2031 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2032 g_snprintf(errmsg, errmsgl,
2033 "The capture session on \"%s\" could not be started "
2034 "due to error on pipe open: %s (error %d)",
2035 pipename, utf_16to8(err_str), GetLastError());
2037 pcap_opts->cap_pipe_err = PIPERR;
2041 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
2042 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2043 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2044 g_snprintf(errmsg, errmsgl,
2045 "The capture session on \"%s\" timed out during "
2046 "pipe open: %s (error %d)",
2047 pipename, utf_16to8(err_str), GetLastError());
2049 pcap_opts->cap_pipe_err = PIPERR;
2056 pcap_opts->from_cap_pipe = TRUE;
2058 if ((pcap_opts->from_cap_socket)
2064 /* read the pcap header */
2066 while (bytes_read < sizeof magic) {
2067 sel_ret = cap_pipe_select(fd);
2069 g_snprintf(errmsg, errmsgl,
2070 "Unexpected error from select: %s", g_strerror(errno));
2072 } else if (sel_ret > 0) {
2073 b = cap_pipe_read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read, pcap_opts->from_cap_socket);
2076 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2078 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2088 g_thread_create(&cap_thread_read, pcap_opts, FALSE, NULL);
2090 pcap_opts->cap_pipe_buf = (char *) &magic;
2091 pcap_opts->cap_pipe_bytes_read = 0;
2092 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
2093 /* We don't have to worry about cap_pipe_read_mtx here */
2094 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2095 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2096 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2097 if (pcap_opts->cap_pipe_bytes_read == 0)
2098 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2100 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2109 case PCAP_NSEC_MAGIC:
2110 /* Host that wrote it has our byte order, and was running
2111 a program using either standard or ss990417 libpcap. */
2112 pcap_opts->cap_pipe_byte_swapped = FALSE;
2113 pcap_opts->cap_pipe_modified = FALSE;
2114 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
2116 case PCAP_MODIFIED_MAGIC:
2117 /* Host that wrote it has our byte order, but was running
2118 a program using either ss990915 or ss991029 libpcap. */
2119 pcap_opts->cap_pipe_byte_swapped = FALSE;
2120 pcap_opts->cap_pipe_modified = TRUE;
2122 case PCAP_SWAPPED_MAGIC:
2123 case PCAP_SWAPPED_NSEC_MAGIC:
2124 /* Host that wrote it has a byte order opposite to ours,
2125 and was running a program using either standard or
2126 ss990417 libpcap. */
2127 pcap_opts->cap_pipe_byte_swapped = TRUE;
2128 pcap_opts->cap_pipe_modified = FALSE;
2129 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
2131 case PCAP_SWAPPED_MODIFIED_MAGIC:
2132 /* Host that wrote it out has a byte order opposite to
2133 ours, and was running a program using either ss990915
2134 or ss991029 libpcap. */
2135 pcap_opts->cap_pipe_byte_swapped = TRUE;
2136 pcap_opts->cap_pipe_modified = TRUE;
2139 /* Not a "libpcap" type we know about. */
2140 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2144 if ((pcap_opts->from_cap_socket)
2150 /* Read the rest of the header */
2152 while (bytes_read < sizeof(struct pcap_hdr)) {
2153 sel_ret = cap_pipe_select(fd);
2155 g_snprintf(errmsg, errmsgl,
2156 "Unexpected error from select: %s", g_strerror(errno));
2158 } else if (sel_ret > 0) {
2159 b = cap_pipe_read(fd, ((char *)hdr)+bytes_read,
2160 sizeof(struct pcap_hdr) - bytes_read, pcap_opts->from_cap_socket);
2163 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2165 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2175 pcap_opts->cap_pipe_buf = (char *) hdr;
2176 pcap_opts->cap_pipe_bytes_read = 0;
2177 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2178 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2179 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2180 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2181 if (pcap_opts->cap_pipe_bytes_read == 0)
2182 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2184 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2191 if (pcap_opts->cap_pipe_byte_swapped) {
2192 /* Byte-swap the header fields about which we care. */
2193 hdr->version_major = BSWAP16(hdr->version_major);
2194 hdr->version_minor = BSWAP16(hdr->version_minor);
2195 hdr->snaplen = BSWAP32(hdr->snaplen);
2196 hdr->network = BSWAP32(hdr->network);
2198 pcap_opts->linktype = hdr->network;
2200 if (hdr->version_major < 2) {
2201 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2205 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2206 pcap_opts->cap_pipe_err = PIPOK;
2207 pcap_opts->cap_pipe_fd = fd;
2211 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2212 pcap_opts->cap_pipe_err = PIPERR;
2213 cap_pipe_close(fd, pcap_opts->from_cap_socket);
2214 pcap_opts->cap_pipe_fd = -1;
2220 /* We read one record from the pipe, take care of byte order in the record
2221 * header, write the record to the capture file, and update capture statistics. */
2223 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2225 struct pcap_pkthdr phdr;
2226 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2229 #if !GLIB_CHECK_VERSION(2,31,18)
2237 #ifdef LOG_CAPTURE_VERBOSE
2238 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2241 switch (pcap_opts->cap_pipe_state) {
2243 case STATE_EXPECT_REC_HDR:
2245 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2248 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2249 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2250 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2251 pcap_opts->cap_pipe_bytes_read = 0;
2254 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2255 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2256 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2261 case STATE_READ_REC_HDR:
2262 if ((pcap_opts->from_cap_socket)
2268 b = cap_pipe_read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2269 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
2272 result = PD_PIPE_EOF;
2274 result = PD_PIPE_ERR;
2277 pcap_opts->cap_pipe_bytes_read += b;
2282 #if GLIB_CHECK_VERSION(2,31,18)
2283 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2285 g_get_current_time(&wait_time);
2286 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2287 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2289 if (pcap_opts->cap_pipe_err == PIPEOF) {
2290 result = PD_PIPE_EOF;
2292 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2293 result = PD_PIPE_ERR;
2301 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2303 result = PD_REC_HDR_READ;
2306 case STATE_EXPECT_DATA:
2308 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2311 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2312 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2313 pcap_opts->cap_pipe_bytes_read = 0;
2316 pcap_opts->cap_pipe_buf = (char *) data;
2317 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2318 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2323 case STATE_READ_DATA:
2324 if ((pcap_opts->from_cap_socket)
2330 b = cap_pipe_read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2331 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
2334 result = PD_PIPE_EOF;
2336 result = PD_PIPE_ERR;
2339 pcap_opts->cap_pipe_bytes_read += b;
2345 #if GLIB_CHECK_VERSION(2,31,18)
2346 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2348 g_get_current_time(&wait_time);
2349 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2350 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2352 if (pcap_opts->cap_pipe_err == PIPEOF) {
2353 result = PD_PIPE_EOF;
2355 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2356 result = PD_PIPE_ERR;
2364 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2366 result = PD_DATA_READ;
2370 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2373 } /* switch (pcap_opts->cap_pipe_state) */
2376 * We've now read as much data as we were expecting, so process it.
2380 case PD_REC_HDR_READ:
2381 /* We've read the header. Take care of byte order. */
2382 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2383 &pcap_opts->cap_pipe_rechdr.hdr);
2384 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2385 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2386 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2390 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2391 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2394 /* no data to read? fall through */
2397 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2398 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2399 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2400 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2401 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2404 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2406 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2408 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2412 pcap_opts->cap_pipe_err = PIPEOF;
2417 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2418 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2419 g_snprintf(errmsg, errmsgl,
2420 "Error reading from pipe: %s (error %d)",
2421 utf_16to8(err_str), GetLastError());
2424 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2432 pcap_opts->cap_pipe_err = PIPERR;
2433 /* Return here rather than inside the switch to prevent GCC warning */
2438 /** Open the capture input file (pcap or capture pipe).
2439 * Returns TRUE if it succeeds, FALSE otherwise. */
2441 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2442 char *errmsg, size_t errmsg_len,
2443 char *secondary_errmsg, size_t secondary_errmsg_len)
2445 gchar open_err_str[PCAP_ERRBUF_SIZE];
2446 gchar *sync_msg_str;
2447 interface_options interface_opts;
2448 pcap_options *pcap_opts;
2452 gchar *sync_secondary_msg_str;
2453 WORD wVersionRequested;
2457 /* XXX - opening Winsock on tshark? */
2459 /* Initialize Windows Socket if we are in a WIN32 OS
2460 This needs to be done before querying the interface for network/netmask */
2462 /* XXX - do we really require 1.1 or earlier?
2463 Are there any versions that support only 2.0 or higher? */
2464 wVersionRequested = MAKEWORD(1, 1);
2465 err = WSAStartup(wVersionRequested, &wsaData);
2469 case WSASYSNOTREADY:
2470 g_snprintf(errmsg, (gulong) errmsg_len,
2471 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2474 case WSAVERNOTSUPPORTED:
2475 g_snprintf(errmsg, (gulong) errmsg_len,
2476 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2477 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2480 case WSAEINPROGRESS:
2481 g_snprintf(errmsg, (gulong) errmsg_len,
2482 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2486 g_snprintf(errmsg, (gulong) errmsg_len,
2487 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2491 g_snprintf(errmsg, (gulong) errmsg_len,
2492 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2496 g_snprintf(errmsg, (gulong) errmsg_len,
2497 "Couldn't initialize Windows Sockets: error %d", err);
2500 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2504 if ((use_threads == FALSE) &&
2505 (capture_opts->ifaces->len > 1)) {
2506 g_snprintf(errmsg, (gulong) errmsg_len,
2507 "Using threads is required for capturing on multiple interfaces!");
2511 for (i = 0; i < capture_opts->ifaces->len; i++) {
2512 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2513 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2514 if (pcap_opts == NULL) {
2515 g_snprintf(errmsg, (gulong) errmsg_len,
2516 "Could not allocate memory.");
2519 pcap_opts->received = 0;
2520 pcap_opts->dropped = 0;
2521 pcap_opts->pcap_h = NULL;
2522 #ifdef MUST_DO_SELECT
2523 pcap_opts->pcap_fd = -1;
2525 pcap_opts->pcap_err = FALSE;
2526 pcap_opts->interface_id = i;
2527 pcap_opts->tid = NULL;
2528 pcap_opts->snaplen = 0;
2529 pcap_opts->linktype = -1;
2530 pcap_opts->ts_nsec = FALSE;
2531 pcap_opts->from_cap_pipe = FALSE;
2532 pcap_opts->from_cap_socket = FALSE;
2533 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2534 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2536 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2538 pcap_opts->cap_pipe_fd = -1;
2539 pcap_opts->cap_pipe_modified = FALSE;
2540 pcap_opts->cap_pipe_byte_swapped = FALSE;
2542 pcap_opts->cap_pipe_buf = NULL;
2544 pcap_opts->cap_pipe_bytes_to_read = 0;
2545 pcap_opts->cap_pipe_bytes_read = 0;
2546 pcap_opts->cap_pipe_state = 0;
2547 pcap_opts->cap_pipe_err = PIPOK;
2549 #if GLIB_CHECK_VERSION(2,31,0)
2550 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2551 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2553 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2555 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2556 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2558 g_array_append_val(ld->pcaps, pcap_opts);
2560 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2561 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2563 if (pcap_opts->pcap_h != NULL) {
2564 /* we've opened "iface" as a network device */
2566 /* try to set the capture buffer size */
2567 if (interface_opts.buffer_size > 1 &&
2568 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2569 sync_secondary_msg_str = g_strdup_printf(
2570 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2571 "the default of 1MB will be used.\n"
2573 "Nonetheless, the capture is started.\n",
2574 interface_opts.buffer_size);
2575 report_capture_error("Couldn't set the capture buffer size!",
2576 sync_secondary_msg_str);
2577 g_free(sync_secondary_msg_str);
2581 #if defined(HAVE_PCAP_SETSAMPLING)
2582 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2583 struct pcap_samp *samp;
2585 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2586 switch (interface_opts.sampling_method) {
2587 case CAPTURE_SAMP_BY_COUNT:
2588 samp->method = PCAP_SAMP_1_EVERY_N;
2591 case CAPTURE_SAMP_BY_TIMER:
2592 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2596 sync_msg_str = g_strdup_printf(
2597 "Unknown sampling method %d specified,\n"
2598 "continue without packet sampling",
2599 interface_opts.sampling_method);
2600 report_capture_error("Couldn't set the capture "
2601 "sampling", sync_msg_str);
2602 g_free(sync_msg_str);
2604 samp->value = interface_opts.sampling_param;
2606 report_capture_error("Couldn't set the capture sampling",
2607 "Cannot get packet sampling data structure");
2612 /* setting the data link type only works on real interfaces */
2613 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2615 secondary_errmsg, secondary_errmsg_len)) {
2618 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2620 /* We couldn't open "iface" as a network device. */
2621 /* Try to open it as a pipe */
2622 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2625 if (pcap_opts->cap_pipe_fd == -1) {
2627 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2629 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2630 /* Pipe doesn't exist, so output message for interface */
2631 get_capture_device_open_failure_messages(open_err_str,
2632 interface_opts.name,
2636 secondary_errmsg_len);
2639 * Else pipe (or file) does exist and cap_pipe_open_live() has
2644 /* cap_pipe_open_live() succeeded; don't want
2645 error message from pcap_open_live() */
2646 open_err_str[0] = '\0';
2650 /* XXX - will this work for tshark? */
2651 #ifdef MUST_DO_SELECT
2652 if (!pcap_opts->from_cap_pipe) {
2653 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2654 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2656 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2661 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2662 returned a warning; print it, but keep capturing. */
2663 if (open_err_str[0] != '\0') {
2664 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2665 report_capture_error(sync_msg_str, "");
2666 g_free(sync_msg_str);
2668 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2669 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2672 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2673 /* to remove any suid privileges. */
2674 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2675 /* (euid/egid have already previously been set to ruid/rgid. */
2676 /* (See comment in main() for details) */
2678 relinquish_special_privs_perm();
2680 relinquish_all_capabilities();
2685 /* close the capture input file (pcap or capture pipe) */
2686 static void capture_loop_close_input(loop_data *ld)
2689 pcap_options *pcap_opts;
2691 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2693 for (i = 0; i < ld->pcaps->len; i++) {
2694 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2695 /* if open, close the capture pipe "input file" */
2696 if (pcap_opts->cap_pipe_fd >= 0) {
2697 g_assert(pcap_opts->from_cap_pipe);
2698 cap_pipe_close(pcap_opts->cap_pipe_fd, pcap_opts->from_cap_socket);
2699 pcap_opts->cap_pipe_fd = -1;
2702 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2703 CloseHandle(pcap_opts->cap_pipe_h);
2704 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2707 /* if open, close the pcap "input file" */
2708 if (pcap_opts->pcap_h != NULL) {
2709 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2710 pcap_close(pcap_opts->pcap_h);
2711 pcap_opts->pcap_h = NULL;
2718 /* Shut down windows sockets */
2724 /* init the capture filter */
2725 static initfilter_status_t
2726 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2727 const gchar * name, const gchar * cfilter)
2729 struct bpf_program fcode;
2731 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2733 /* capture filters only work on real interfaces */
2734 if (cfilter && !from_cap_pipe) {
2735 /* A capture filter was specified; set it up. */
2736 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2737 /* Treat this specially - our caller might try to compile this
2738 as a display filter and, if that succeeds, warn the user that
2739 the display and capture filter syntaxes are different. */
2740 return INITFILTER_BAD_FILTER;
2742 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2743 #ifdef HAVE_PCAP_FREECODE
2744 pcap_freecode(&fcode);
2746 return INITFILTER_OTHER_ERROR;
2748 #ifdef HAVE_PCAP_FREECODE
2749 pcap_freecode(&fcode);
2753 return INITFILTER_NO_ERROR;
2757 /* set up to write to the already-opened capture output file/files */
2759 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2763 pcap_options *pcap_opts;
2764 interface_options interface_opts;
2765 gboolean successful;
2767 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2769 if ((capture_opts->use_pcapng == FALSE) &&
2770 (capture_opts->ifaces->len > 1)) {
2771 g_snprintf(errmsg, errmsg_len,
2772 "Using PCAPNG is required for capturing on multiple interfaces! Use the -n option.");
2776 /* Set up to write to the capture file. */
2777 if (capture_opts->multi_files_on) {
2778 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2780 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2783 if (capture_opts->use_pcapng) {
2785 GString *os_info_str;
2787 os_info_str = g_string_new("");
2788 get_os_version_info(os_info_str);
2790 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2791 successful = libpcap_write_session_header_block(ld->pdh,
2794 os_info_str->str, /* OS*/
2796 -1, /* section_length */
2800 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2801 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2802 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2803 if (pcap_opts->from_cap_pipe) {
2804 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2806 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2808 successful = libpcap_write_interface_description_block(global_ld.pdh,
2809 NULL, /* OPT_COMMENT 1 */
2810 interface_opts.name, /* IDB_NAME 2 */
2811 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2812 interface_opts.cfilter, /* IDB_FILTER 11 */
2813 os_info_str->str, /* IDB_OS 12 */
2814 pcap_opts->linktype,
2816 &(global_ld.bytes_written),
2817 0, /* IDB_IF_SPEED 8 */
2818 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2822 g_string_free(os_info_str, TRUE);
2825 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2826 if (pcap_opts->from_cap_pipe) {
2827 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2829 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2831 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2832 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2840 if (ld->pdh == NULL) {
2841 /* We couldn't set up to write to the capture file. */
2842 /* XXX - use cf_open_error_message from tshark instead? */
2847 g_snprintf(errmsg, errmsg_len,
2848 "The file to which the capture would be"
2849 " saved (\"%s\") could not be opened: Error %d.",
2850 capture_opts->save_file, err);
2852 g_snprintf(errmsg, errmsg_len,
2853 "The file to which the capture would be"
2854 " saved (\"%s\") could not be opened: %s.",
2855 capture_opts->save_file, g_strerror(err));
2867 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2871 pcap_options *pcap_opts;
2872 guint64 end_time = create_timestamp();
2874 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2876 if (capture_opts->multi_files_on) {
2877 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2879 if (capture_opts->use_pcapng) {
2880 for (i = 0; i < global_ld.pcaps->len; i++) {
2881 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2882 if (!pcap_opts->from_cap_pipe) {
2883 guint64 isb_ifrecv, isb_ifdrop;
2884 struct pcap_stat stats;
2886 if (pcap_stats(pcap_opts->pcap_h, &stats) >= 0) {
2887 isb_ifrecv = pcap_opts->received;
2888 isb_ifdrop = stats.ps_drop + pcap_opts->dropped;
2890 isb_ifrecv = G_MAXUINT64;
2891 isb_ifdrop = G_MAXUINT64;
2893 libpcap_write_interface_statistics_block(ld->pdh,
2896 "Counters provided by dumpcap",
2905 return libpcap_dump_close(ld->pdh, err_close);
2909 /* dispatch incoming packets (pcap or capture pipe)
2911 * Waits for incoming packets to be available, and calls pcap_dispatch()
2912 * to cause them to be processed.
2914 * Returns the number of packets which were processed.
2916 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2917 * packet-batching behaviour does not cause packets to get held back
2921 capture_loop_dispatch(loop_data *ld,
2922 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2925 gint packet_count_before;
2926 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2931 packet_count_before = ld->packet_count;
2932 if (pcap_opts->from_cap_pipe) {
2933 /* dispatch from capture pipe */
2934 #ifdef LOG_CAPTURE_VERBOSE
2935 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2938 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2940 if (sel_ret < 0 && errno != EINTR) {
2941 g_snprintf(errmsg, errmsg_len,
2942 "Unexpected error from select: %s", g_strerror(errno));
2943 report_capture_error(errmsg, please_report);
2948 * "select()" says we can read from the pipe without blocking
2951 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2961 /* dispatch from pcap */
2962 #ifdef MUST_DO_SELECT
2964 * If we have "pcap_get_selectable_fd()", we use it to get the
2965 * descriptor on which to select; if that's -1, it means there
2966 * is no descriptor on which you can do a "select()" (perhaps
2967 * because you're capturing on a special device, and that device's
2968 * driver unfortunately doesn't support "select()", in which case
2969 * we don't do the select - which means it might not be possible
2970 * to stop a capture until a packet arrives. If that's unacceptable,
2971 * plead with whoever supplies the software for that device to add
2972 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2973 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2974 * later, so it can use pcap_breakloop().
2976 #ifdef LOG_CAPTURE_VERBOSE
2977 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2979 if (pcap_opts->pcap_fd != -1) {
2980 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2983 * "select()" says we can read from it without blocking; go for
2986 * We don't have pcap_breakloop(), so we only process one packet
2987 * per pcap_dispatch() call, to allow a signal to stop the
2988 * processing immediately, rather than processing all packets
2989 * in a batch before quitting.
2992 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2994 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2998 /* Error, rather than pcap_breakloop(). */
2999 pcap_opts->pcap_err = TRUE;
3001 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3004 if (sel_ret < 0 && errno != EINTR) {
3005 g_snprintf(errmsg, errmsg_len,
3006 "Unexpected error from select: %s", g_strerror(errno));
3007 report_capture_error(errmsg, please_report);
3013 #endif /* MUST_DO_SELECT */
3015 /* dispatch from pcap without select */
3017 #ifdef LOG_CAPTURE_VERBOSE
3018 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
3022 * On Windows, we don't support asynchronously telling a process to
3023 * stop capturing; instead, we check for an indication on a pipe
3024 * after processing packets. We therefore process only one packet
3025 * at a time, so that we can check the pipe after every packet.
3028 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3030 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3034 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3036 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3041 /* Error, rather than pcap_breakloop(). */
3042 pcap_opts->pcap_err = TRUE;
3044 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3046 #else /* pcap_next_ex */
3047 #ifdef LOG_CAPTURE_VERBOSE
3048 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
3050 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
3053 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
3054 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
3055 * This should be fixed in the WinPcap 4.0 alpha release.
3057 * For reference, an example remote interface:
3058 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
3061 /* emulate dispatch from pcap */
3064 struct pcap_pkthdr *pkt_header;
3069 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
3071 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3073 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3078 pcap_opts->pcap_err = TRUE;
3082 #endif /* pcap_next_ex */
3086 #ifdef LOG_CAPTURE_VERBOSE
3087 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
3090 return ld->packet_count - packet_count_before;
3094 /* Isolate the Universally Unique Identifier from the interface. Basically, we
3095 * want to grab only the characters between the '{' and '}' delimiters.
3097 * Returns a GString that must be freed with g_string_free(). */
3099 isolate_uuid(const char *iface)
3104 ptr = strchr(iface, '{');
3106 return g_string_new(iface);
3107 gstr = g_string_new(ptr + 1);
3109 ptr = strchr(gstr->str, '}');
3113 gstr = g_string_truncate(gstr, ptr - gstr->str);
3118 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
3119 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
3121 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
3122 char *errmsg, int errmsg_len)
3125 gchar *capfile_name;
3127 gboolean is_tempfile;
3129 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
3130 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
3132 if (capture_opts->save_file != NULL) {
3133 /* We return to the caller while the capture is in progress.
3134 * Therefore we need to take a copy of save_file in
3135 * case the caller destroys it after we return.
3137 capfile_name = g_strdup(capture_opts->save_file);
3139 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
3140 if (capture_opts->multi_files_on) {
3141 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
3142 g_snprintf(errmsg, errmsg_len,
3143 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
3144 g_free(capfile_name);
3147 if (strcmp(capfile_name, "-") == 0) {
3148 /* write to stdout */
3151 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
3152 _setmode(1, O_BINARY);
3155 } /* if (...output_to_pipe ... */
3158 if (capture_opts->multi_files_on) {
3159 /* ringbuffer is enabled */
3160 *save_file_fd = ringbuf_init(capfile_name,
3161 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
3162 capture_opts->group_read_access);
3164 /* we need the ringbuf name */
3165 if(*save_file_fd != -1) {
3166 g_free(capfile_name);
3167 capfile_name = g_strdup(ringbuf_current_filename());
3170 /* Try to open/create the specified file for use as a capture buffer. */
3171 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
3172 (capture_opts->group_read_access) ? 0640 : 0600);
3175 is_tempfile = FALSE;
3177 /* Choose a random name for the temporary capture buffer */
3178 if (global_capture_opts.ifaces->len > 1) {
3179 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3184 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3185 basename = g_path_get_basename(iface->str);
3186 g_string_free(iface, TRUE);
3188 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3190 prefix = g_strconcat("wireshark_", basename, NULL);
3193 *save_file_fd = create_tempfile(&tmpname, prefix);
3195 capfile_name = g_strdup(tmpname);
3199 /* did we fail to open the output file? */
3200 if (*save_file_fd == -1) {
3202 g_snprintf(errmsg, errmsg_len,
3203 "The temporary file to which the capture would be saved (\"%s\") "
3204 "could not be opened: %s.", capfile_name, g_strerror(errno));
3206 if (capture_opts->multi_files_on) {
3207 ringbuf_error_cleanup();
3210 g_snprintf(errmsg, errmsg_len,
3211 "The file to which the capture would be saved (\"%s\") "
3212 "could not be opened: %s.", capfile_name,
3215 g_free(capfile_name);
3219 if(capture_opts->save_file != NULL) {
3220 g_free(capture_opts->save_file);
3222 capture_opts->save_file = capfile_name;
3223 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3224 "g_free(capfile_name)". */
3230 /* Do the work of handling either the file size or file duration capture
3231 conditions being reached, and switching files or stopping. */
3233 do_file_switch_or_stop(capture_options *capture_opts,
3234 condition *cnd_autostop_files,
3235 condition *cnd_autostop_size,
3236 condition *cnd_file_duration)
3239 pcap_options *pcap_opts;
3240 interface_options interface_opts;
3241 gboolean successful;
3243 if (capture_opts->multi_files_on) {
3244 if (cnd_autostop_files != NULL &&
3245 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3246 /* no files left: stop here */
3247 global_ld.go = FALSE;
3251 /* Switch to the next ringbuffer file */
3252 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3253 &global_ld.save_file_fd, &global_ld.err)) {
3255 /* File switch succeeded: reset the conditions */
3256 global_ld.bytes_written = 0;
3257 if (capture_opts->use_pcapng) {
3259 GString *os_info_str;
3261 os_info_str = g_string_new("");
3262 get_os_version_info(os_info_str);
3264 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3265 successful = libpcap_write_session_header_block(global_ld.pdh,
3268 os_info_str->str, /* OS */
3270 -1, /* section_length */
3271 &(global_ld.bytes_written),
3274 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3275 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3276 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3277 successful = libpcap_write_interface_description_block(global_ld.pdh,
3278 NULL, /* OPT_COMMENT 1 */
3279 interface_opts.name, /* IDB_NAME 2 */
3280 interface_opts.descr, /* IDB_DESCRIPTION 3 */
3281 interface_opts.cfilter, /* IDB_FILTER 11 */
3282 os_info_str->str, /* IDB_OS 12 */
3283 pcap_opts->linktype,
3285 &(global_ld.bytes_written),
3286 0, /* IDB_IF_SPEED 8 */
3287 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
3291 g_string_free(os_info_str, TRUE);
3294 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3295 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3296 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
3299 fclose(global_ld.pdh);
3300 global_ld.pdh = NULL;
3301 global_ld.go = FALSE;
3304 if (cnd_autostop_size)
3305 cnd_reset(cnd_autostop_size);
3306 if (cnd_file_duration)
3307 cnd_reset(cnd_file_duration);
3308 libpcap_dump_flush(global_ld.pdh, NULL);
3310 report_packet_count(global_ld.inpkts_to_sync_pipe);
3311 global_ld.inpkts_to_sync_pipe = 0;
3312 report_new_capture_file(capture_opts->save_file);
3314 /* File switch failed: stop here */
3315 global_ld.go = FALSE;
3319 /* single file, stop now */
3320 global_ld.go = FALSE;
3327 pcap_read_handler(void* arg)
3329 pcap_options *pcap_opts;
3330 char errmsg[MSG_MAX_LENGTH+1];
3332 pcap_opts = (pcap_options *)arg;
3334 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3335 pcap_opts->interface_id);
3337 while (global_ld.go) {
3338 /* dispatch incoming packets */
3339 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3341 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3342 pcap_opts->interface_id);
3343 g_thread_exit(NULL);
3347 /* Do the low-level work of a capture.
3348 Returns TRUE if it succeeds, FALSE otherwise. */
3350 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3353 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3355 struct timeval upd_time, cur_time;
3359 condition *cnd_file_duration = NULL;
3360 condition *cnd_autostop_files = NULL;
3361 condition *cnd_autostop_size = NULL;
3362 condition *cnd_autostop_duration = NULL;
3365 gboolean cfilter_error = FALSE;
3366 char errmsg[MSG_MAX_LENGTH+1];
3367 char secondary_errmsg[MSG_MAX_LENGTH+1];
3368 pcap_options *pcap_opts;
3369 interface_options interface_opts;
3370 guint i, error_index = 0;
3373 *secondary_errmsg = '\0';
3375 /* init the loop data */
3376 global_ld.go = TRUE;
3377 global_ld.packet_count = 0;
3379 global_ld.report_packet_count = FALSE;
3381 if (capture_opts->has_autostop_packets)
3382 global_ld.packet_max = capture_opts->autostop_packets;
3384 global_ld.packet_max = 0; /* no limit */
3385 global_ld.inpkts_to_sync_pipe = 0;
3386 global_ld.err = 0; /* no error seen yet */
3387 global_ld.pdh = NULL;
3388 global_ld.autostop_files = 0;
3389 global_ld.save_file_fd = -1;
3391 /* We haven't yet gotten the capture statistics. */
3392 *stats_known = FALSE;
3394 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3395 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3397 /* open the "input file" from network interface or capture pipe */
3398 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3399 secondary_errmsg, sizeof(secondary_errmsg))) {
3402 for (i = 0; i < capture_opts->ifaces->len; i++) {
3403 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3404 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3405 /* init the input filter from the network interface (capture pipe will do nothing) */
3407 * When remote capturing WinPCap crashes when the capture filter
3408 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3411 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3412 interface_opts.name,
3413 interface_opts.cfilter?interface_opts.cfilter:"")) {
3415 case INITFILTER_NO_ERROR:
3418 case INITFILTER_BAD_FILTER:
3419 cfilter_error = TRUE;
3421 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3424 case INITFILTER_OTHER_ERROR:
3425 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3426 pcap_geterr(pcap_opts->pcap_h));
3427 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3432 /* If we're supposed to write to a capture file, open it for output
3433 (temporary/specified name/ringbuffer) */
3434 if (capture_opts->saving_to_file) {
3435 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3436 errmsg, sizeof(errmsg))) {
3440 /* set up to write to the already-opened capture output file/files */
3441 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3446 /* XXX - capture SIGTERM and close the capture, in case we're on a
3447 Linux 2.0[.x] system and you have to explicitly close the capture
3448 stream in order to turn promiscuous mode off? We need to do that
3449 in other places as well - and I don't think that works all the
3450 time in any case, due to libpcap bugs. */
3452 /* Well, we should be able to start capturing.
3454 Sync out the capture file, so the header makes it to the file system,
3455 and send a "capture started successfully and capture file created"
3456 message to our parent so that they'll open the capture file and
3457 update its windows to indicate that we have a live capture in
3459 libpcap_dump_flush(global_ld.pdh, NULL);
3460 report_new_capture_file(capture_opts->save_file);
3463 /* initialize capture stop (and alike) conditions */
3464 init_capture_stop_conditions();
3465 /* create stop conditions */
3466 if (capture_opts->has_autostop_filesize)
3468 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3469 if (capture_opts->has_autostop_duration)
3470 cnd_autostop_duration =
3471 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3473 if (capture_opts->multi_files_on) {
3474 if (capture_opts->has_file_duration)
3476 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3478 if (capture_opts->has_autostop_files)
3479 cnd_autostop_files =
3480 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3483 /* init the time values */
3485 upd_time = GetTickCount();
3487 gettimeofday(&upd_time, NULL);
3489 start_time = create_timestamp();
3490 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3492 /* WOW, everything is prepared! */
3493 /* please fasten your seat belts, we will enter now the actual capture loop */
3495 pcap_queue = g_async_queue_new();
3496 pcap_queue_bytes = 0;
3497 pcap_queue_packets = 0;
3498 for (i = 0; i < global_ld.pcaps->len; i++) {
3499 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3500 #if GLIB_CHECK_VERSION(2,31,0)
3501 /* XXX - Add an interface name here? */
3502 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3504 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3508 while (global_ld.go) {
3509 /* dispatch incoming packets */
3511 pcap_queue_element *queue_element;
3512 #if GLIB_CHECK_VERSION(2,31,18)
3514 g_async_queue_lock(pcap_queue);
3515 queue_element = g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3517 GTimeVal write_thread_time;
3519 g_get_current_time(&write_thread_time);
3520 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3521 g_async_queue_lock(pcap_queue);
3522 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3524 if (queue_element) {
3525 pcap_queue_bytes -= queue_element->phdr.caplen;
3526 pcap_queue_packets -= 1;
3528 g_async_queue_unlock(pcap_queue);
3529 if (queue_element) {
3530 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3531 "Dequeued a packet of length %d captured on interface %d.",
3532 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3534 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3535 &queue_element->phdr,
3537 g_free(queue_element->pd);
3538 g_free(queue_element);
3544 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3545 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3546 sizeof(errmsg), pcap_opts);
3549 /* Were we asked to print packet counts by the SIGINFO handler? */
3550 if (global_ld.report_packet_count) {
3551 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3552 plurality(global_ld.packet_count, "", "s"));
3553 global_ld.report_packet_count = FALSE;
3558 /* any news from our parent (signal pipe)? -> just stop the capture */
3559 if (!signal_pipe_check_running()) {
3560 global_ld.go = FALSE;
3565 global_ld.inpkts_to_sync_pipe += inpkts;
3567 /* check capture size condition */
3568 if (cnd_autostop_size != NULL &&
3569 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3570 /* Capture size limit reached, do we have another file? */
3571 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3572 cnd_autostop_size, cnd_file_duration))
3574 } /* cnd_autostop_size */
3575 if (capture_opts->output_to_pipe) {
3576 libpcap_dump_flush(global_ld.pdh, NULL);
3580 /* Only update once every 500ms so as not to overload slow displays.
3581 * This also prevents too much context-switching between the dumpcap
3582 * and wireshark processes.
3584 #define DUMPCAP_UPD_TIME 500
3587 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3588 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3590 gettimeofday(&cur_time, NULL);
3591 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3592 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3595 upd_time = cur_time;
3598 if (pcap_stats(pch, stats) >= 0) {
3599 *stats_known = TRUE;
3602 /* Let the parent process know. */
3603 if (global_ld.inpkts_to_sync_pipe) {
3605 libpcap_dump_flush(global_ld.pdh, NULL);
3607 /* Send our parent a message saying we've written out
3608 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3610 report_packet_count(global_ld.inpkts_to_sync_pipe);
3612 global_ld.inpkts_to_sync_pipe = 0;
3615 /* check capture duration condition */
3616 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3617 /* The maximum capture time has elapsed; stop the capture. */
3618 global_ld.go = FALSE;
3622 /* check capture file duration condition */
3623 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3624 /* duration limit reached, do we have another file? */
3625 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3626 cnd_autostop_size, cnd_file_duration))
3628 } /* cnd_file_duration */
3632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3634 pcap_queue_element *queue_element;
3636 for (i = 0; i < global_ld.pcaps->len; i++) {
3637 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3638 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3639 pcap_opts->interface_id);
3640 g_thread_join(pcap_opts->tid);
3641 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3642 pcap_opts->interface_id);
3645 g_async_queue_lock(pcap_queue);
3646 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3647 if (queue_element) {
3648 pcap_queue_bytes -= queue_element->phdr.caplen;
3649 pcap_queue_packets -= 1;
3651 g_async_queue_unlock(pcap_queue);
3652 if (queue_element == NULL) {
3655 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3656 "Dequeued a packet of length %d captured on interface %d.",
3657 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3658 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3659 &queue_element->phdr,
3661 g_free(queue_element->pd);
3662 g_free(queue_element);
3663 global_ld.inpkts_to_sync_pipe += 1;
3664 if (capture_opts->output_to_pipe) {
3665 libpcap_dump_flush(global_ld.pdh, NULL);
3671 /* delete stop conditions */
3672 if (cnd_file_duration != NULL)
3673 cnd_delete(cnd_file_duration);
3674 if (cnd_autostop_files != NULL)
3675 cnd_delete(cnd_autostop_files);
3676 if (cnd_autostop_size != NULL)
3677 cnd_delete(cnd_autostop_size);
3678 if (cnd_autostop_duration != NULL)
3679 cnd_delete(cnd_autostop_duration);
3681 /* did we have a pcap (input) error? */
3682 for (i = 0; i < capture_opts->ifaces->len; i++) {
3683 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3684 if (pcap_opts->pcap_err) {
3685 /* On Linux, if an interface goes down while you're capturing on it,
3686 you'll get a "recvfrom: Network is down" or
3687 "The interface went down" error (ENETDOWN).
3688 (At least you will if g_strerror() doesn't show a local translation
3691 On FreeBSD and OS X, if a network adapter disappears while
3692 you're capturing on it, you'll get a "read: Device not configured"
3693 error (ENXIO). (See previous parenthetical note.)
3695 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3697 These should *not* be reported to the Wireshark developers. */
3700 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3701 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3702 strcmp(cap_err_str, "The interface went down") == 0 ||
3703 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3704 strcmp(cap_err_str, "read: I/O error") == 0 ||
3705 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3706 report_capture_error("The network adapter on which the capture was being done "
3707 "is no longer running; the capture has stopped.",
3710 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3712 report_capture_error(errmsg, please_report);
3715 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3716 report_capture_error(errmsg, "");
3720 /* did we have an output error while capturing? */
3721 if (global_ld.err == 0) {
3724 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3725 global_ld.err, FALSE);
3726 report_capture_error(errmsg, please_report);
3730 if (capture_opts->saving_to_file) {
3731 /* close the output file */
3732 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3736 /* there might be packets not yet notified to the parent */
3737 /* (do this after closing the file, so all packets are already flushed) */
3738 if(global_ld.inpkts_to_sync_pipe) {
3740 report_packet_count(global_ld.inpkts_to_sync_pipe);
3741 global_ld.inpkts_to_sync_pipe = 0;
3744 /* If we've displayed a message about a write error, there's no point
3745 in displaying another message about an error on close. */
3746 if (!close_ok && write_ok) {
3747 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3749 report_capture_error(errmsg, "");
3753 * XXX We exhibit different behaviour between normal mode and sync mode
3754 * when the pipe is stdin and not already at EOF. If we're a child, the
3755 * parent's stdin isn't closed, so if the user starts another capture,
3756 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3757 * will say "Unrecognized libpcap format". On the other hand, in normal
3758 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3761 report_capture_count(TRUE);
3763 /* get packet drop statistics from pcap */
3764 for (i = 0; i < capture_opts->ifaces->len; i++) {
3768 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3769 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3770 received = pcap_opts->received;
3771 dropped = pcap_opts->dropped;
3772 if (pcap_opts->pcap_h != NULL) {
3773 g_assert(!pcap_opts->from_cap_pipe);
3774 /* Get the capture statistics, so we know how many packets were dropped. */
3775 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3776 *stats_known = TRUE;
3777 /* Let the parent process know. */
3778 dropped += stats->ps_drop;
3780 g_snprintf(errmsg, sizeof(errmsg),
3781 "Can't get packet-drop statistics: %s",
3782 pcap_geterr(pcap_opts->pcap_h));
3783 report_capture_error(errmsg, please_report);
3786 report_packet_drops(received, dropped, interface_opts.name);
3789 /* close the input file (pcap or capture pipe) */
3790 capture_loop_close_input(&global_ld);
3792 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3794 /* ok, if the write and the close were successful. */
3795 return write_ok && close_ok;
3798 if (capture_opts->multi_files_on) {
3799 /* cleanup ringbuffer */
3800 ringbuf_error_cleanup();
3802 /* We can't use the save file, and we have no FILE * for the stream
3803 to close in order to close it, so close the FD directly. */
3804 if (global_ld.save_file_fd != -1) {
3805 ws_close(global_ld.save_file_fd);
3808 /* We couldn't even start the capture, so get rid of the capture
3810 if (capture_opts->save_file != NULL) {
3811 ws_unlink(capture_opts->save_file);
3812 g_free(capture_opts->save_file);
3815 capture_opts->save_file = NULL;
3817 report_cfilter_error(capture_opts, error_index, errmsg);
3819 report_capture_error(errmsg, secondary_errmsg);
3821 /* close the input file (pcap or cap_pipe) */
3822 capture_loop_close_input(&global_ld);
3824 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3830 static void capture_loop_stop(void)
3832 #ifdef HAVE_PCAP_BREAKLOOP
3834 pcap_options *pcap_opts;
3836 for (i = 0; i < global_ld.pcaps->len; i++) {
3837 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3838 if (pcap_opts->pcap_h != NULL)
3839 pcap_breakloop(pcap_opts->pcap_h);
3842 global_ld.go = FALSE;
3847 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3848 int err, gboolean is_close)
3853 g_snprintf(errmsg, errmsglen,
3854 "Not all the packets could be written to the file"
3855 " to which the capture was being saved\n"
3856 "(\"%s\") because there is no space left on the file system\n"
3857 "on which that file resides.",
3863 g_snprintf(errmsg, errmsglen,
3864 "Not all the packets could be written to the file"
3865 " to which the capture was being saved\n"
3866 "(\"%s\") because you are too close to, or over,"
3867 " your disk quota\n"
3868 "on the file system on which that file resides.",
3875 g_snprintf(errmsg, errmsglen,
3876 "The file to which the capture was being saved\n"
3877 "(\"%s\") could not be closed: %s.",
3878 fname, g_strerror(err));
3880 g_snprintf(errmsg, errmsglen,
3881 "An error occurred while writing to the file"
3882 " to which the capture was being saved\n"
3884 fname, g_strerror(err));
3891 /* one packet was captured, process it */
3893 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3896 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3898 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3900 /* We may be called multiple times from pcap_dispatch(); if we've set
3901 the "stop capturing" flag, ignore this packet, as we're not
3902 supposed to be saving any more packets. */
3906 if (global_ld.pdh) {
3907 gboolean successful;
3909 /* We're supposed to write the packet to a file; do so.
3910 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3911 "ld->err" to the error. */
3912 if (global_capture_opts.use_pcapng) {
3913 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, ts_mul, pd, &global_ld.bytes_written, &err);
3915 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3918 global_ld.go = FALSE;
3919 global_ld.err = err;
3921 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3922 "Wrote a packet of length %d captured on interface %u.",
3923 phdr->caplen, pcap_opts->interface_id);
3924 global_ld.packet_count++;
3925 /* if the user told us to stop after x packets, do we already have enough? */
3926 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3927 global_ld.go = FALSE;
3933 /* one packet was captured, queue it */
3935 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3938 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3939 pcap_queue_element *queue_element;
3940 gboolean limit_reached;
3942 /* We may be called multiple times from pcap_dispatch(); if we've set
3943 the "stop capturing" flag, ignore this packet, as we're not
3944 supposed to be saving any more packets. */
3945 if (!global_ld.go) {
3946 pcap_opts->dropped++;
3950 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3951 if (queue_element == NULL) {
3952 pcap_opts->dropped++;
3955 queue_element->pcap_opts = pcap_opts;
3956 queue_element->phdr = *phdr;
3957 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3958 if (queue_element->pd == NULL) {
3959 pcap_opts->dropped++;
3960 g_free(queue_element);
3963 memcpy(queue_element->pd, pd, phdr->caplen);
3964 g_async_queue_lock(pcap_queue);
3965 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3966 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3967 limit_reached = FALSE;
3968 g_async_queue_push_unlocked(pcap_queue, queue_element);
3969 pcap_queue_bytes += phdr->caplen;
3970 pcap_queue_packets += 1;
3972 limit_reached = TRUE;
3974 g_async_queue_unlock(pcap_queue);
3975 if (limit_reached) {
3976 pcap_opts->dropped++;
3977 g_free(queue_element->pd);
3978 g_free(queue_element);
3979 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3980 "Dropped a packet of length %d captured on interface %u.",
3981 phdr->caplen, pcap_opts->interface_id);
3983 pcap_opts->received++;
3984 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3985 "Queued a packet of length %d captured on interface %u.",
3986 phdr->caplen, pcap_opts->interface_id);
3988 /* I don't want to hold the mutex over the debug output. So the
3989 output may be wrong */
3990 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3991 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3992 pcap_queue_bytes, pcap_queue_packets);
3995 /* And now our feature presentation... [ fade to music ] */
3997 main(int argc, char *argv[])
4000 gboolean arg_error = FALSE;
4005 struct sigaction action, oldaction;
4008 gboolean start_capture = TRUE;
4009 gboolean stats_known;
4010 struct pcap_stat stats;
4011 GLogLevelFlags log_flags;
4012 gboolean list_interfaces = FALSE;
4013 gboolean list_link_layer_types = FALSE;
4014 #ifdef HAVE_BPF_IMAGE
4015 gboolean print_bpf_code = FALSE;
4017 gboolean machine_readable = FALSE;
4018 gboolean print_statistics = FALSE;
4019 int status, run_once_args = 0;
4022 #if defined(__APPLE__) && defined(__LP64__)
4023 struct utsname osinfo;
4028 arg_list_utf_16to8(argc, argv);
4033 * Initialize our DLL search path. MUST be called before LoadLibrary
4036 ws_init_dll_search_path();
4039 #ifdef HAVE_PCAP_REMOTE
4040 #define OPTSTRING_A "A:"
4041 #define OPTSTRING_r "r"
4042 #define OPTSTRING_u "u"
4044 #define OPTSTRING_A ""
4045 #define OPTSTRING_r ""
4046 #define OPTSTRING_u ""
4049 #ifdef HAVE_PCAP_SETSAMPLING
4050 #define OPTSTRING_m "m:"
4052 #define OPTSTRING_m ""
4055 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4056 #define OPTSTRING_B "B:"
4058 #define OPTSTRING_B ""
4059 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4061 #ifdef HAVE_PCAP_CREATE
4062 #define OPTSTRING_I "I"
4064 #define OPTSTRING_I ""
4067 #ifdef HAVE_BPF_IMAGE
4068 #define OPTSTRING_d "d"
4070 #define OPTSTRING_d ""
4073 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
4075 #ifdef DEBUG_CHILD_DUMPCAP
4076 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
4077 fprintf (stderr, "Unable to open debug log file !\n");
4082 #if defined(__APPLE__) && defined(__LP64__)
4084 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
4085 * a bug workaround - timeouts less than 1 second don't work with libpcap
4086 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
4087 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
4088 * The problem is extremely unlikely to be reintroduced in a future
4091 if (uname(&osinfo) == 0) {
4093 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
4094 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
4095 * number of 10.0.0, not 10.1.0 - go figure).
4097 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
4098 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
4099 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
4100 need_timeout_workaround = TRUE;
4105 * Determine if dumpcap is being requested to run in a special
4106 * capture_child mode by going thru the command line args to see if
4107 * a -Z is present. (-Z is a hidden option).
4109 * The primary result of running in capture_child mode is that
4110 * all messages sent out on stderr are in a special type/len/string
4111 * format to allow message processing by type. These messages include
4112 * error messages if dumpcap fails to start the operation it was
4113 * requested to do, as well as various "status" messages which are sent
4114 * when an actual capture is in progress, and a "success" message sent
4115 * if dumpcap was requested to perform an operation other than a
4118 * Capture_child mode would normally be requested by a parent process
4119 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
4120 * to which dumpcap stderr has been redirected. It might also have
4121 * another pipe to obtain dumpcap stdout output; for operations other
4122 * than a capture, that information is formatted specially for easier
4123 * parsing by the parent process.
4125 * Capture_child mode needs to be determined immediately upon
4126 * startup so that any messages generated by dumpcap in this mode
4127 * (eg: during initialization) will be formatted properly.
4130 for (i=1; i<argc; i++) {
4131 if (strcmp("-Z", argv[i]) == 0) {
4132 capture_child = TRUE;
4133 machine_readable = TRUE; /* request machine-readable output */
4135 /* set output pipe to binary mode, to avoid ugly text conversions */
4136 _setmode(2, O_BINARY);
4141 /* The default_log_handler will use stdout, which makes trouble in */
4142 /* capture child mode, as it uses stdout for it's sync_pipe. */
4143 /* So: the filtering is done in the console_log_handler and not here.*/
4144 /* We set the log handlers right up front to make sure that any log */
4145 /* messages when running as child will be sent back to the parent */
4146 /* with the correct format. */
4150 G_LOG_LEVEL_CRITICAL|
4151 G_LOG_LEVEL_WARNING|
4152 G_LOG_LEVEL_MESSAGE|
4155 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
4157 g_log_set_handler(NULL,
4159 console_log_handler, NULL /* user_data */);
4160 g_log_set_handler(LOG_DOMAIN_MAIN,
4162 console_log_handler, NULL /* user_data */);
4163 g_log_set_handler(LOG_DOMAIN_CAPTURE,
4165 console_log_handler, NULL /* user_data */);
4166 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
4168 console_log_handler, NULL /* user_data */);
4170 /* Initialize the pcaps list */
4171 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
4173 #if !GLIB_CHECK_VERSION(2,31,0)
4174 /* Initialize the thread system */
4175 g_thread_init(NULL);
4179 /* Load wpcap if possible. Do this before collecting the run-time version information */
4182 /* ... and also load the packet.dll from wpcap */
4183 /* XXX - currently not required, may change later. */
4184 /*wpcap_packet_load();*/
4186 /* Start windows sockets */
4187 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
4189 /* Set handler for Ctrl+C key */
4190 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4192 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4193 and exit. Do the same with SIGPIPE, in case, for example,
4194 we're writing to our standard output and it's a pipe.
4195 Do the same with SIGHUP if it's not being ignored (if we're
4196 being run under nohup, it might be ignored, in which case we
4197 should leave it ignored).
4199 XXX - apparently, Coverity complained that part of action
4200 wasn't initialized. Perhaps it's running on Linux, where
4201 struct sigaction has an ignored "sa_restorer" element and
4202 where "sa_handler" and "sa_sigaction" might not be two
4203 members of a union. */
4204 memset(&action, 0, sizeof(action));
4205 action.sa_handler = capture_cleanup_handler;
4207 * Arrange that system calls not get restarted, because when
4208 * our signal handler returns we don't want to restart
4209 * a call that was waiting for packets to arrive.
4211 action.sa_flags = 0;
4212 sigemptyset(&action.sa_mask);
4213 sigaction(SIGTERM, &action, NULL);
4214 sigaction(SIGINT, &action, NULL);
4215 sigaction(SIGPIPE, &action, NULL);
4216 sigaction(SIGHUP, NULL, &oldaction);
4217 if (oldaction.sa_handler == SIG_DFL)
4218 sigaction(SIGHUP, &action, NULL);
4221 /* Catch SIGINFO and, if we get it and we're capturing in
4222 quiet mode, report the number of packets we've captured. */
4223 action.sa_handler = report_counts_siginfo;
4224 action.sa_flags = SA_RESTART;
4225 sigemptyset(&action.sa_mask);
4226 sigaction(SIGINFO, &action, NULL);
4227 #endif /* SIGINFO */
4230 /* ----------------------------------------------------------------- */
4231 /* Privilege and capability handling */
4233 /* 1. Running not as root or suid root; no special capabilities. */
4236 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4239 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4241 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4242 /* capabilities; Drop all other capabilities; */
4243 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4244 /* else: after pcap_open_live() in capture_loop_open_input() */
4245 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4246 /* (Note: this means that the process, although logged in */
4247 /* as root, does not have various permissions such as the */
4248 /* ability to bypass file access permissions). */
4249 /* XXX: Should we just leave capabilities alone in this case */
4250 /* so that user gets expected effect that root can do */
4253 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4255 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4256 /* else: after pcap_open_live() in capture_loop_open_input() */
4257 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4258 /* pcap_open_live). */
4260 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4262 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4263 /* capabilities; Drop all other capabilities; */
4264 /* Drop suid privileges (euid=ruid); */
4265 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4266 /* else: after pcap_open_live() in capture_loop_open_input() */
4267 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4269 /* XXX: For some Linux versions/distros with capabilities */
4270 /* a 'normal' process with any capabilities cannot be */
4271 /* 'killed' (signaled) from another (same uid) non-privileged */
4273 /* For example: If (non-suid) Wireshark forks a */
4274 /* child suid dumpcap which acts as described here (case 5), */
4275 /* Wireshark will be unable to kill (signal) the child */
4276 /* dumpcap process until the capabilities have been dropped */
4277 /* (after pcap_open_live()). */
4278 /* This behaviour will apparently be changed in the kernel */
4279 /* to allow the kill (signal) in this case. */
4280 /* See the following for details: */
4281 /* http://www.mail-archive.com/ [wrapped] */
4282 /* linux-security-module@vger.kernel.org/msg02913.html */
4284 /* It is therefore conceivable that if dumpcap somehow hangs */
4285 /* in pcap_open_live or before that wireshark will not */
4286 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4287 /* In this case, exiting wireshark will kill the child */
4288 /* dumpcap process. */
4290 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4291 /* capabilities; Using libcap. Note: capset cmd (which see) */
4292 /* used to assign capabilities to file. */
4294 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4295 /* else: after pcap_open_live() in capture_loop_open_input() */
4296 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4298 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4299 /* longer required (similar to capture). */
4301 /* ----------------------------------------------------------------- */
4303 init_process_policies();
4306 /* If 'started with special privileges' (and using libcap) */
4307 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4308 /* Set euid/egid = ruid/rgid to remove suid privileges */
4309 relinquish_privs_except_capture();
4312 /* Set the initial values in the capture options. This might be overwritten
4313 by the command line parameters. */
4314 capture_opts_init(&global_capture_opts, NULL);
4316 /* We always save to a file - if no file was specified, we save to a
4318 global_capture_opts.saving_to_file = TRUE;
4319 global_capture_opts.has_ring_num_files = TRUE;
4321 /* Now get our args */
4322 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4324 case 'h': /* Print help and exit */
4328 case 'v': /* Show version and exit */
4330 GString *comp_info_str;
4331 GString *runtime_info_str;
4332 /* Assemble the compile-time version information string */
4333 comp_info_str = g_string_new("Compiled ");
4334 get_compiled_version_info(comp_info_str, NULL, NULL);
4336 /* Assemble the run-time version information string */
4337 runtime_info_str = g_string_new("Running ");
4338 get_runtime_version_info(runtime_info_str, NULL);
4339 show_version(comp_info_str, runtime_info_str);
4340 g_string_free(comp_info_str, TRUE);
4341 g_string_free(runtime_info_str, TRUE);
4345 /*** capture option specific ***/
4346 case 'a': /* autostop criteria */
4347 case 'b': /* Ringbuffer option */
4348 case 'c': /* Capture x packets */
4349 case 'f': /* capture filter */
4350 case 'i': /* Use interface x */
4351 case 'n': /* Use pcapng format */
4352 case 'p': /* Don't capture in promiscuous mode */
4353 case 'P': /* Use pcap format */
4354 case 's': /* Set the snapshot (capture) length */
4355 case 'w': /* Write to capture file x */
4356 case 'g': /* enable group read accesson file(s) */
4357 case 'y': /* Set the pcap data link type */
4358 #ifdef HAVE_PCAP_REMOTE
4359 case 'u': /* Use UDP for data transfer */
4360 case 'r': /* Capture own RPCAP traffic too */
4361 case 'A': /* Authentication */
4363 #ifdef HAVE_PCAP_SETSAMPLING
4364 case 'm': /* Sampling */
4366 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4367 case 'B': /* Buffer size */
4368 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4369 #ifdef HAVE_PCAP_CREATE
4370 case 'I': /* Monitor mode */
4372 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4377 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4379 capture_child = TRUE;
4381 /* set output pipe to binary mode, to avoid ugly text conversions */
4382 _setmode(2, O_BINARY);
4384 * optarg = the control ID, aka the PPID, currently used for the
4387 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4388 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4389 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4390 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4392 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4393 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4394 "Signal pipe: Unable to open %s. Dead parent?",
4402 case 'q': /* Quiet */
4408 /*** all non capture option specific ***/
4409 case 'D': /* Print a list of capture devices and exit */
4410 list_interfaces = TRUE;
4413 case 'L': /* Print list of link-layer types and exit */
4414 list_link_layer_types = TRUE;
4417 #ifdef HAVE_BPF_IMAGE
4418 case 'd': /* Print BPF code for capture filter and exit */
4419 print_bpf_code = TRUE;
4423 case 'S': /* Print interface statistics once a second */
4424 print_statistics = TRUE;
4427 case 'M': /* For -D, -L, and -S, print machine-readable output */
4428 machine_readable = TRUE;
4431 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4433 case '?': /* Bad flag - print usage message */
4442 /* user specified file name as regular command-line argument */
4443 /* XXX - use it as the capture file name (or something else)? */
4449 * Extra command line arguments were specified; complain.
4450 * XXX - interpret as capture filter, as tcpdump and tshark do?
4452 cmdarg_err("Invalid argument: %s", argv[0]);
4462 if (run_once_args > 1) {
4463 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4465 } else if (run_once_args == 1) {
4466 /* We're supposed to print some information, rather than
4467 to capture traffic; did they specify a ring buffer option? */
4468 if (global_capture_opts.multi_files_on) {
4469 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4473 /* We're supposed to capture traffic; */
4474 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4475 if (global_capture_opts.ifaces->len > 1) {
4477 global_capture_opts.use_pcapng = TRUE;
4479 /* Was the ring buffer option specified and, if so, does it make sense? */
4480 if (global_capture_opts.multi_files_on) {
4481 /* Ring buffer works only under certain conditions:
4482 a) ring buffer does not work with temporary files;
4483 b) it makes no sense to enable the ring buffer if the maximum
4484 file size is set to "infinite". */
4485 if (global_capture_opts.save_file == NULL) {
4486 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4487 global_capture_opts.multi_files_on = FALSE;
4489 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4490 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4492 /* XXX - this must be redesigned as the conditions changed */
4493 global_capture_opts.multi_files_on = FALSE;
4500 * "-D" requires no interface to be selected; it's supposed to list
4503 if (list_interfaces) {
4504 /* Get the list of interfaces */
4509 if_list = capture_interface_list(&err, &err_str);
4510 if (if_list == NULL) {
4512 case CANT_GET_INTERFACE_LIST:
4513 case DONT_HAVE_PCAP:
4514 cmdarg_err("%s", err_str);
4519 case NO_INTERFACES_FOUND:
4521 * If we're being run by another program, just give them
4522 * an empty list of interfaces, don't report this as
4523 * an error; that lets them decide whether to report
4524 * this as an error or not.
4526 if (!machine_readable) {
4527 cmdarg_err("There are no interfaces on which a capture can be done");
4534 if (machine_readable) /* tab-separated values to stdout */
4535 print_machine_readable_interfaces(if_list);
4537 capture_opts_print_interfaces(if_list);
4538 free_interface_list(if_list);
4543 * "-S" requires no interface to be selected; it gives statistics
4544 * for all interfaces.
4546 if (print_statistics) {
4547 status = print_statistics_loop(machine_readable);
4552 * "-L", "-d", and capturing act on a particular interface, so we have to
4553 * have an interface; if none was specified, pick a default.
4555 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4556 /* cmdarg_err() already called .... */
4560 /* Let the user know what interfaces were chosen. */
4561 /* get_interface_descriptive_name() is not available! */
4562 if (capture_child) {
4563 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4564 interface_options interface_opts;
4566 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4567 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4568 interface_opts.name);
4571 str = g_string_new("");
4573 if (global_capture_opts.ifaces->len < 2) {
4575 if (global_capture_opts.ifaces->len < 4) {
4577 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4578 interface_options interface_opts;
4580 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4582 if (global_capture_opts.ifaces->len > 2) {
4583 g_string_append_printf(str, ",");
4585 g_string_append_printf(str, " ");
4586 if (j == global_capture_opts.ifaces->len - 1) {
4587 g_string_append_printf(str, "and ");
4590 g_string_append_printf(str, "%s", interface_opts.name);
4593 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4595 fprintf(stderr, "Capturing on %s\n", str->str);
4596 g_string_free(str, TRUE);
4599 if (list_link_layer_types) {
4600 /* Get the list of link-layer types for the capture device. */
4601 if_capabilities_t *caps;
4605 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4606 interface_options interface_opts;
4608 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4609 caps = get_if_capabilities(interface_opts.name,
4610 interface_opts.monitor_mode, &err_str);
4612 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4613 "Please check to make sure you have sufficient permissions, and that\n"
4614 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4618 if (caps->data_link_types == NULL) {
4619 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4622 if (machine_readable) /* tab-separated values to stdout */
4623 /* XXX: We need to change the format and adopt consumers */
4624 print_machine_readable_if_capabilities(caps);
4626 /* XXX: We might want to print also the interface name */
4627 capture_opts_print_if_capabilities(caps, interface_opts.name,
4628 interface_opts.monitor_mode);
4629 free_if_capabilities(caps);
4634 /* We're supposed to do a capture, or print the BPF code for a filter.
4635 Process the snapshot length, as that affects the generated BPF code. */
4636 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4638 #ifdef HAVE_BPF_IMAGE
4639 if (print_bpf_code) {
4640 show_filter_code(&global_capture_opts);
4645 /* We're supposed to do a capture. Process the ring buffer arguments. */
4646 capture_opts_trim_ring_num_files(&global_capture_opts);
4648 /* Now start the capture. */
4650 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4654 /* capture failed */
4657 return 0; /* never here, make compiler happy */
4662 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4663 const char *message, gpointer user_data _U_)
4670 /* ignore log message, if log_level isn't interesting */
4671 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4672 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4677 /* create a "timestamp" */
4679 today = localtime(&curr);
4681 switch(log_level & G_LOG_LEVEL_MASK) {
4682 case G_LOG_LEVEL_ERROR:
4685 case G_LOG_LEVEL_CRITICAL:
4688 case G_LOG_LEVEL_WARNING:
4691 case G_LOG_LEVEL_MESSAGE:
4694 case G_LOG_LEVEL_INFO:
4697 case G_LOG_LEVEL_DEBUG:
4701 fprintf(stderr, "unknown log_level %u\n", log_level);
4703 g_assert_not_reached();
4706 /* Generate the output message */
4707 if(log_level & G_LOG_LEVEL_MESSAGE) {
4708 /* normal user messages without additional infos */
4709 msg = g_strdup_printf("%s\n", message);
4711 /* info/debug messages with additional infos */
4712 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4713 today->tm_hour, today->tm_min, today->tm_sec,
4714 log_domain != NULL ? log_domain : "",
4718 /* DEBUG & INFO msgs (if we're debugging today) */
4719 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4720 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4721 #ifdef DEBUG_DUMPCAP
4722 fprintf(stderr, "%s", msg);
4725 #ifdef DEBUG_CHILD_DUMPCAP
4726 fprintf(debug_log, "%s", msg);
4734 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4735 /* to parent especially formatted if dumpcap running as child. */
4736 if (capture_child) {
4737 sync_pipe_errmsg_to_parent(2, msg, "");
4739 fprintf(stderr, "%s", msg);
4746 /****************************************************************************************************************/
4747 /* indication report routines */
4751 report_packet_count(int packet_count)
4753 char tmp[SP_DECISIZE+1+1];
4754 static int count = 0;
4757 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4758 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4759 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4761 count += packet_count;
4762 fprintf(stderr, "\rPackets: %u ", count);
4763 /* stderr could be line buffered */
4769 report_new_capture_file(const char *filename)
4772 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4773 pipe_write_block(2, SP_FILE, filename);
4777 * Prevent a SIGINFO handler from writing to the standard error
4778 * while we're doing so; instead, have it just set a flag telling
4779 * us to print that information when we're done.
4782 #endif /* SIGINFO */
4783 fprintf(stderr, "File: %s\n", filename);
4784 /* stderr could be line buffered */
4789 * Allow SIGINFO handlers to write.
4794 * If a SIGINFO handler asked us to write out capture counts, do so.
4797 report_counts_for_siginfo();
4798 #endif /* SIGINFO */
4803 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4805 interface_options interface_opts;
4806 char tmp[MSG_MAX_LENGTH+1+6];
4808 if (i < capture_opts->ifaces->len) {
4809 if (capture_child) {
4810 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4811 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4812 pipe_write_block(2, SP_BAD_FILTER, tmp);
4815 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4816 * the error message below.
4818 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4820 "Invalid capture filter: \"%s\" for interface %s!\n"
4822 "That string isn't a valid capture filter (%s).\n"
4823 "See the User's Guide for a description of the capture filter syntax.",
4824 interface_opts.cfilter, interface_opts.name, errmsg);
4830 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4833 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4834 "Primary Error: %s", error_msg);
4835 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4836 "Secondary Error: %s", secondary_error_msg);
4837 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4839 cmdarg_err("%s", error_msg);
4840 if (secondary_error_msg[0] != '\0')
4841 cmdarg_err_cont("%s", secondary_error_msg);
4846 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4848 char tmp[SP_DECISIZE+1+1];
4850 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4853 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4854 "Packets received/dropped on interface %s: %u/%u",
4855 name, received, drops);
4856 /* XXX: Need to provide interface id, changes to consumers required. */
4857 pipe_write_block(2, SP_DROPS, tmp);
4860 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4861 name, received, drops,
4862 received ? 100.0 * received / (received + drops) : 0.0);
4863 /* stderr could be line buffered */
4869 /****************************************************************************************************************/
4870 /* signal_pipe handling */
4875 signal_pipe_check_running(void)
4877 /* any news from our parent? -> just stop the capture */
4881 /* if we are running standalone, no check required */
4882 if(!capture_child) {
4886 if(!sig_pipe_name || !sig_pipe_handle) {
4887 /* This shouldn't happen */
4888 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4889 "Signal pipe: No name or handle");
4894 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4895 * at this point. Should we check to see if the parent is still alive,
4896 * e.g. by using OpenProcess?
4899 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4901 if(!result || avail > 0) {
4902 /* peek failed or some bytes really available */
4903 /* (if not piping from stdin this would fail) */
4904 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4905 "Signal pipe: Stop capture: %s", sig_pipe_name);
4906 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4907 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4908 sig_pipe_handle, result, avail);
4911 /* pipe ok and no bytes available */
4918 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4923 * indent-tabs-mode: nil
4926 * vi: set shiftwidth=4 tabstop=8 expandtab:
4927 * :indentSize=4:tabSize=8:noTabs=true: