3 * Wireshark - Network traffic analyzer
4 * By Gerald Combs <gerald@wireshark.org>
5 * Copyright 1998 Gerald Combs
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 #include <stdlib.h> /* for exit() */
30 #ifdef HAVE_SYS_TYPES_H
31 # include <sys/types.h>
34 #ifdef HAVE_SYS_SOCKET_H
35 #include <sys/socket.h>
38 #ifdef HAVE_NETINET_IN_H
39 #include <netinet/in.h>
46 #ifdef HAVE_ARPA_INET_H
47 #include <arpa/inet.h>
50 #if defined(__APPLE__) && defined(__LP64__)
51 #include <sys/utsname.h>
57 #include <wsutil/cmdarg_err.h>
58 #include <wsutil/crash_info.h>
59 #include <ws_version_info.h>
61 #ifndef HAVE_GETOPT_LONG
62 #include "wsutil/wsgetopt.h"
70 # include <sys/prctl.h>
71 # include <sys/capability.h>
74 #include "ringbuffer.h"
76 #include "caputils/capture_ifinfo.h"
77 #include "caputils/capture-pcap-util.h"
78 #include "caputils/capture-pcap-util-int.h"
80 #include "caputils/capture-wpcap.h"
83 #include "writecap/pcapio.h"
86 #include <wsutil/unicode-utils.h>
93 #include <wsutil/clopts_common.h>
94 #include <wsutil/privileges.h>
96 #include "sync_pipe.h"
98 #include "capture_opts.h"
99 #include <capchild/capture_session.h>
100 #include <capchild/capture_sync.h>
102 #include "conditions.h"
103 #include "capture_stop_conditions.h"
105 #include "wsutil/tempfile.h"
107 #include "wsutil/file_util.h"
108 #include "wsutil/os_version_info.h"
109 #include "wsutil/str_util.h"
110 #include "wsutil/inet_addr.h"
112 #include "caputils/ws80211_utils.h"
119 * Get information about libpcap format from "wiretap/libpcap.h".
120 * Get information about pcapng format from "wiretap/pcapng_module.h".
121 * XXX - can we just use pcap_open_offline() to read the pipe?
123 #include "wiretap/libpcap.h"
124 #include "wiretap/pcapng_module.h"
126 /**#define DEBUG_DUMPCAP**/
127 /**#define DEBUG_CHILD_DUMPCAP**/
131 #include <conio.h> /* _getch() */
135 #ifdef DEBUG_CHILD_DUMPCAP
136 FILE *debug_log; /* for logging debug messages to */
137 /* a file if DEBUG_CHILD_DUMPCAP */
141 static GAsyncQueue *pcap_queue;
142 static gint64 pcap_queue_bytes;
143 static gint64 pcap_queue_packets;
144 static gint64 pcap_queue_byte_limit = 0;
145 static gint64 pcap_queue_packet_limit = 0;
147 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
149 static gchar *sig_pipe_name = NULL;
150 static HANDLE sig_pipe_handle = NULL;
151 static gboolean signal_pipe_check_running(void);
155 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
156 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
159 /** Stop a low-level capture (stops the capture child). */
160 static void capture_loop_stop(void);
161 /** Close a pipe, or socket if \a from_socket is TRUE */
162 static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_);
166 * Enable kernel BPF JIT compiler if available.
167 * If any calls fail, just drive on - the JIT compiler might not be
168 * enabled, but filtering will still work, and it's not clear what
169 * we could do if the calls fail; should we just report the error
170 * and not continue to capture, should we report it as a warning, or
174 enable_kernel_bpf_jit_compiler(void)
178 static const char file[] = "/proc/sys/net/core/bpf_jit_enable";
180 fd = ws_open(file, O_WRONLY);
184 written = ws_write(fd, "1", strlen("1"));
190 #if !defined (__linux__)
191 #ifndef HAVE_PCAP_BREAKLOOP
193 * We don't have pcap_breakloop(), which is the only way to ensure that
194 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
195 * won't, if the call to read the next packet or batch of packets is
196 * is interrupted by a signal on UN*X, just go back and try again to
199 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
200 * the signal handler, set a flag to stop capturing; however, without
201 * a guarantee of that sort, we can't guarantee that we'll stop capturing
202 * if the read will be retried and won't time out if no packets arrive.
204 * Therefore, on at least some platforms, we work around the lack of
205 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
206 * to wait for packets to arrive, so that we're probably going to be
207 * blocked in the select() when the signal arrives, and can just bail
208 * out of the loop at that point.
210 * However, we don't want to do that on BSD (because "select()" doesn't work
211 * correctly on BPF devices on at least some releases of some flavors of
212 * BSD), and we don't want to do it on Windows (because "select()" is
213 * something for sockets, not for arbitrary handles). (Note that "Windows"
214 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
215 * using WinPcap, not a UNIX libpcap.)
217 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
218 * on BSD times out even if no packets have arrived, so we'll eventually
219 * exit pcap_dispatch() with an indication that no packets have arrived,
220 * and will break out of the capture loop at that point.
222 * On Windows, we can't send a SIGINT to stop capturing, so none of this
223 * applies in any case.
225 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
226 * want to include it if it's not present on this platform, however.
228 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
229 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
231 # define MUST_DO_SELECT
232 # endif /* avoid select */
233 #endif /* HAVE_PCAP_BREAKLOOP */
235 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
236 * in pcap_dispatch(); on the other hand, select() works just fine there.
237 * Hence we use a select for that come what may.
239 * XXX - with TPACKET_V1 and TPACKET_V2, it currently uses select()
240 * internally, and, with TPACKET_V3, once that's supported, it'll
241 * support timeouts, at least as I understand the way the code works.
243 #define MUST_DO_SELECT
246 /** init the capture filter */
249 INITFILTER_BAD_FILTER,
250 INITFILTER_OTHER_ERROR
251 } initfilter_status_t;
254 STATE_EXPECT_REC_HDR,
267 typedef struct _pcap_options {
272 #ifdef MUST_DO_SELECT
273 int pcap_fd; /**< pcap file descriptor */
280 gboolean ts_nsec; /**< TRUE if we're using nanosecond precision. */
281 /**< capture pipe (unix only "input file") */
282 gboolean from_cap_pipe; /**< TRUE if we are capturing data from a capture pipe */
283 gboolean from_cap_socket; /**< TRUE if we're capturing from socket */
284 struct pcap_hdr cap_pipe_hdr; /**< Pcap header when capturing from a pipe */
285 struct pcaprec_modified_hdr cap_pipe_rechdr; /**< Pcap record header when capturing from a pipe */
287 HANDLE cap_pipe_h; /**< The handle of the capture pipe */
289 int cap_pipe_fd; /**< the file descriptor of the capture pipe */
290 gboolean cap_pipe_modified; /**< TRUE if data in the pipe uses modified pcap headers */
291 gboolean cap_pipe_byte_swapped; /**< TRUE if data in the pipe is byte swapped */
293 char * cap_pipe_buf; /**< Pointer to the data buffer we read into */
294 DWORD cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
295 DWORD cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
297 size_t cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
298 size_t cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
300 cap_pipe_state_t cap_pipe_state;
301 cap_pipe_err_t cap_pipe_err;
304 GMutex *cap_pipe_read_mtx;
305 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
309 typedef struct _loop_data {
311 gboolean go; /**< TRUE as long as we're supposed to keep capturing */
312 int err; /**< if non-zero, error seen while capturing */
313 gint packet_count; /**< Number of packets we have already captured */
314 gint packet_max; /**< Number of packets we're supposed to capture - 0 means infinite */
315 guint inpkts_to_sync_pipe; /**< Packets not already send out to the sync_pipe */
317 gboolean report_packet_count; /**< Set by SIGINFO handler; print packet count */
323 guint64 bytes_written;
324 guint32 autostop_files;
327 typedef struct _pcap_queue_element {
328 pcap_options *pcap_opts;
329 struct pcap_pkthdr phdr;
331 } pcap_queue_element;
334 * Standard secondary message for unexpected errors.
336 static const char please_report[] =
337 "Please report this to the Wireshark developers.\n"
338 "https://bugs.wireshark.org/\n"
339 "(This is not a crash; please do not report it as such.)";
342 * This needs to be static, so that the SIGINT handler can clear the "go"
345 static loop_data global_ld;
348 * Timeout, in milliseconds, for reads from the stream of captured packets
349 * from a capture device.
351 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
352 * 64-bit applications, with sub-second timeouts not to work. The bug is
353 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
355 #if defined(__APPLE__) && defined(__LP64__)
356 static gboolean need_timeout_workaround;
358 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
360 #define CAP_READ_TIMEOUT 250
364 * Timeout, in microseconds, for reads from the stream of captured packets
365 * from a pipe. Pipes don't have the same problem that BPF devices do
366 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
367 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
368 * of the offending versions of Snow Leopard.
370 * On Windows this value is converted to milliseconds and passed to
371 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
372 * will return immediately.
375 #define PIPE_READ_TIMEOUT 100000
377 #define PIPE_READ_TIMEOUT 250000
380 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
383 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
384 const char *message, gpointer user_data _U_);
386 /* capture related options */
387 static capture_options global_capture_opts;
388 static gboolean quiet = FALSE;
389 static gboolean use_threads = FALSE;
390 static guint64 start_time;
392 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
394 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
396 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
397 int err, gboolean is_close);
399 static void WS_NORETURN exit_main(int err);
401 static void report_new_capture_file(const char *filename);
402 static void report_packet_count(unsigned int packet_count);
403 static void report_packet_drops(guint32 received, guint32 pcap_drops, guint32 drops, guint32 flushed, guint32 ps_ifdrop, gchar *name);
404 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
405 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
407 #define MSG_MAX_LENGTH 4096
409 /* Copied from pcapio.c pcapng_write_interface_statistics_block()*/
411 create_timestamp(void) {
421 * Current time, represented as 100-nanosecond intervals since
422 * January 1, 1601, 00:00:00 UTC.
424 * I think DWORD might be signed, so cast both parts of "now"
425 * to guint32 so that the sign bit doesn't get treated specially.
427 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
428 * might want to use instead.
430 GetSystemTimeAsFileTime(&now);
431 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
432 (guint32)now.dwLowDateTime;
435 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
441 * Subtract difference, in microseconds, between January 1, 1601
442 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
444 timestamp -= G_GUINT64_CONSTANT(11644473600000000);
447 * Current time, represented as seconds and microseconds since
448 * January 1, 1970, 00:00:00 UTC.
450 gettimeofday(&now, NULL);
453 * Convert to delta in microseconds.
455 timestamp = (guint64)(now.tv_sec) * 1000000 +
456 (guint64)(now.tv_usec);
462 print_usage(FILE *output)
464 fprintf(output, "\nUsage: dumpcap [options] ...\n");
465 fprintf(output, "\n");
466 fprintf(output, "Capture interface:\n");
467 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback),\n"
468 " or for remote capturing, use one of these formats:\n"
469 " rpcap://<host>/<interface>\n"
470 " TCP@<host>:<port>\n");
471 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
472 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
473 fprintf(output, " -p don't capture in promiscuous mode\n");
474 #ifdef HAVE_PCAP_CREATE
475 fprintf(output, " -I capture in monitor mode, if available\n");
477 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
478 fprintf(output, " -B <buffer size> size of kernel buffer in MiB (def: %dMiB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
480 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
481 fprintf(output, " -D print list of interfaces and exit\n");
482 fprintf(output, " -L print list of link-layer types of iface and exit\n");
483 #ifdef HAVE_BPF_IMAGE
484 fprintf(output, " -d print generated BPF code for capture filter\n");
486 fprintf(output, " -k set channel on wifi interface:\n"
487 " <freq>,[<type>],[<center_freq1>],[<center_freq2>]\n");
488 fprintf(output, " -S print statistics for each interface once per second\n");
489 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
490 fprintf(output, "\n");
491 #ifdef HAVE_PCAP_REMOTE
492 fprintf(output, "RPCAP options:\n");
493 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
494 fprintf(output, " -u use UDP for RPCAP data transfer\n");
495 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
496 #ifdef HAVE_PCAP_SETSAMPLING
497 fprintf(output, " -m <sampling type> use packet sampling\n");
498 fprintf(output, " count:NUM - capture one packet of every NUM\n");
499 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
502 fprintf(output, "Stop conditions:\n");
503 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
504 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
505 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
506 fprintf(output, " files:NUM - stop after NUM files\n");
507 /*fprintf(output, "\n");*/
508 fprintf(output, "Output (files):\n");
509 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
510 fprintf(output, " -g enable group read access on the output file(s)\n");
511 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
512 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
513 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
514 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
515 fprintf(output, " -P use libpcap format instead of pcapng\n");
516 fprintf(output, " --capture-comment <comment>\n");
517 fprintf(output, " add a capture comment to the output file\n");
518 fprintf(output, " (only for pcapng)\n");
519 fprintf(output, "\n");
520 fprintf(output, "Miscellaneous:\n");
521 fprintf(output, " -N <packet_limit> maximum number of packets buffered within dumpcap\n");
522 fprintf(output, " -C <byte_limit> maximum number of bytes used for buffering packets\n");
523 fprintf(output, " within dumpcap\n");
524 fprintf(output, " -t use a separate thread per interface\n");
525 fprintf(output, " -q don't report packet capture counts\n");
526 fprintf(output, " -v print version information and exit\n");
527 fprintf(output, " -h display this help and exit\n");
528 fprintf(output, "\n");
530 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
531 fprintf(output, "You might want to reset it\n");
532 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
533 fprintf(output, "\n");
535 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
536 fprintf(output, "\"Capture packets from interface eth0 until 60s passed into output.pcapng\"\n");
537 fprintf(output, "\n");
538 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
542 * Report an error in command-line arguments.
543 * If we're a capture child, send a message back to the parent, otherwise
547 dumpcap_cmdarg_err(const char *fmt, va_list ap)
551 /* Generate a 'special format' message back to parent */
552 msg = g_strdup_vprintf(fmt, ap);
553 sync_pipe_errmsg_to_parent(2, msg, "");
556 fprintf(stderr, "dumpcap: ");
557 vfprintf(stderr, fmt, ap);
558 fprintf(stderr, "\n");
563 * Report additional information for an error in command-line arguments.
564 * If we're a capture child, send a message back to the parent, otherwise
568 dumpcap_cmdarg_err_cont(const char *fmt, va_list ap)
572 msg = g_strdup_vprintf(fmt, ap);
573 sync_pipe_errmsg_to_parent(2, msg, "");
576 vfprintf(stderr, fmt, ap);
577 fprintf(stderr, "\n");
583 #if 0 /* Set to enable capability debugging */
584 /* see 'man cap_to_text()' for explanation of output */
585 /* '=' means 'all= ' ie: no capabilities */
586 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
588 print_caps(const char *pfx) {
589 cap_t caps = cap_get_proc();
590 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
591 "%s: EUID: %d Capabilities: %s", pfx,
592 geteuid(), cap_to_text(caps, NULL));
595 print_caps(const char *pfx _U_) {
600 relinquish_all_capabilities(void)
602 /* Drop any and all capabilities this process may have. */
603 /* Allowed whether or not process has any privileges. */
604 cap_t caps = cap_init(); /* all capabilities initialized to off */
605 print_caps("Pre-clear");
606 if (cap_set_proc(caps)) {
607 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
609 print_caps("Post-clear");
615 get_capture_device_open_failure_messages(const char *open_err_str,
617 char *errmsg, size_t errmsg_len,
618 char *secondary_errmsg,
619 size_t secondary_errmsg_len)
622 const char *libpcap_warn;
623 static const char ppamsg[] = "can't find PPA for ";
626 g_snprintf(errmsg, (gulong) errmsg_len,
627 "The capture session could not be initiated on interface '%s' (%s).",
628 iface, open_err_str);
631 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
633 "In order to capture packets, WinPcap must be installed; see\n"
635 " https://www.winpcap.org/\n"
637 "for a downloadable version of WinPcap and for instructions on how to install\n"
640 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
642 "Please check that \"%s\" is the proper interface.\n"
645 "Help can be found at:\n"
647 " https://wiki.wireshark.org/WinPcap\n"
648 " https://wiki.wireshark.org/CaptureSetup\n",
652 /* If we got a "can't find PPA for X" message, warn the user (who
653 is running dumpcap on HP-UX) that they don't have a version of
654 libpcap that properly handles HP-UX (libpcap 0.6.x and later
655 versions, which properly handle HP-UX, say "can't find /dev/dlpi
656 PPA for X" rather than "can't find PPA for X"). */
657 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
660 "You are running (T)Wireshark with a version of the libpcap library\n"
661 "that doesn't handle HP-UX network devices well; this means that\n"
662 "(T)Wireshark may not be able to capture packets.\n"
664 "To fix this, you should install libpcap 0.6.2, or a later version\n"
665 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
666 "packaged binary form from the Software Porting And Archive Centre\n"
667 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
668 "at the URL lists a number of mirror sites.";
672 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
673 "Please check to make sure you have sufficient permissions, and that you have "
674 "the proper interface or pipe specified.%s", libpcap_warn);
679 compile_capture_filter(const char *iface, pcap_t *pcap_h,
680 struct bpf_program *fcode, const char *cfilter)
682 bpf_u_int32 netnum, netmask;
683 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
685 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
687 * Well, we can't get the netmask for this interface; it's used
688 * only for filters that check for broadcast IP addresses, so
689 * we just punt and use 0. It might be nice to warn the user,
690 * but that's a pain in a GUI application, as it'd involve popping
691 * up a message box, and it's not clear how often this would make
692 * a difference (only filters that check for IP broadcast addresses
696 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
701 * Sigh. Older versions of libpcap don't properly declare the
702 * third argument to pcap_compile() as a const pointer. Cast
706 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
712 #ifdef HAVE_BPF_IMAGE
714 show_filter_code(capture_options *capture_opts)
716 interface_options interface_opts;
718 gchar open_err_str[PCAP_ERRBUF_SIZE];
719 char errmsg[MSG_MAX_LENGTH+1];
720 char secondary_errmsg[MSG_MAX_LENGTH+1];
721 struct bpf_program fcode;
722 struct bpf_insn *insn;
726 for (j = 0; j < capture_opts->ifaces->len; j++) {
727 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
728 pcap_h = open_capture_device(capture_opts, &interface_opts,
729 CAP_READ_TIMEOUT, &open_err_str);
730 if (pcap_h == NULL) {
731 /* Open failed; get messages */
732 get_capture_device_open_failure_messages(open_err_str,
734 errmsg, sizeof errmsg,
736 sizeof secondary_errmsg);
737 /* And report them */
738 report_capture_error(errmsg, secondary_errmsg);
742 /* Set the link-layer type. */
743 if (!set_pcap_datalink(pcap_h, interface_opts.linktype, interface_opts.name,
744 errmsg, sizeof errmsg,
745 secondary_errmsg, sizeof secondary_errmsg)) {
747 report_capture_error(errmsg, secondary_errmsg);
751 /* OK, try to compile the capture filter. */
752 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
753 interface_opts.cfilter)) {
755 report_cfilter_error(capture_opts, j, errmsg);
760 /* Now print the filter code. */
761 insn = fcode.bf_insns;
763 for (i = 0; i < fcode.bf_len; insn++, i++)
764 printf("%s\n", bpf_image(insn, i));
766 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
767 /* to remove any suid privileges. */
768 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
769 /* (euid/egid have already previously been set to ruid/rgid. */
770 /* (See comment in main() for details) */
772 relinquish_special_privs_perm();
774 relinquish_all_capabilities();
777 /* Let our parent know we succeeded. */
778 pipe_write_block(2, SP_SUCCESS, NULL);
785 * capture_interface_list() is expected to do the right thing to get
786 * a list of interfaces.
788 * In most of the programs in the Wireshark suite, "the right thing"
789 * is to run dumpcap and ask it for the list, because dumpcap may
790 * be the only program in the suite with enough privileges to get
793 * In dumpcap itself, however, we obviously can't run dumpcap to
794 * ask for the list. Therefore, our capture_interface_list() should
795 * just call get_interface_list().
798 capture_interface_list(int *err, char **err_str, void(*update_cb)(void) _U_)
800 return get_interface_list(err, err_str);
803 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
805 * Output a machine readable list of the interfaces
806 * This list is retrieved by the sync_interface_list_open() function
807 * The actual output of this function can be viewed with the command "dumpcap -D -Z none"
810 print_machine_readable_interfaces(GList *if_list)
817 char addr_str[ADDRSTRLEN];
820 /* Let our parent know we succeeded. */
821 pipe_write_block(2, SP_SUCCESS, NULL);
824 i = 1; /* Interface id number */
825 for (if_entry = g_list_first(if_list); if_entry != NULL;
826 if_entry = g_list_next(if_entry)) {
827 if_info = (if_info_t *)if_entry->data;
828 printf("%d. %s\t", i++, if_info->name);
831 * Print the contents of the if_entry struct in a parseable format.
832 * Each if_entry element is tab-separated. Addresses are comma-
835 /* XXX - Make sure our description doesn't contain a tab */
836 if (if_info->vendor_description != NULL)
837 printf("%s\t", if_info->vendor_description);
841 /* XXX - Make sure our friendly name doesn't contain a tab */
842 if (if_info->friendly_name != NULL)
843 printf("%s\t", if_info->friendly_name);
847 printf("%i\t", if_info->type);
849 for (addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
850 addr = g_slist_next(addr)) {
851 if (addr != g_slist_nth(if_info->addrs, 0))
854 if_addr = (if_addr_t *)addr->data;
855 switch(if_addr->ifat_type) {
857 if (ws_inet_ntop4(&if_addr->addr.ip4_addr, addr_str,
859 printf("%s", addr_str);
861 printf("<unknown IPv4>");
865 if (ws_inet_ntop6(&if_addr->addr.ip6_addr,
866 addr_str, ADDRSTRLEN)) {
867 printf("%s", addr_str);
869 printf("<unknown IPv6>");
873 printf("<type unknown %i>", if_addr->ifat_type);
877 if (if_info->loopback)
878 printf("\tloopback");
882 printf("\t%s", if_info->extcap);
889 * If you change the machine-readable output format of this function,
890 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
893 print_machine_readable_if_capabilities(if_capabilities_t *caps)
896 data_link_info_t *data_link_info;
897 const gchar *desc_str;
900 /* Let our parent know we succeeded. */
901 pipe_write_block(2, SP_SUCCESS, NULL);
904 if (caps->can_set_rfmon)
908 for (lt_entry = caps->data_link_types; lt_entry != NULL;
909 lt_entry = g_list_next(lt_entry)) {
910 data_link_info = (data_link_info_t *)lt_entry->data;
911 if (data_link_info->description != NULL)
912 desc_str = data_link_info->description;
914 desc_str = "(not supported)";
915 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
925 /* Print the number of packets captured for each interface until we're killed. */
927 print_statistics_loop(gboolean machine_readable)
929 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
935 char errbuf[PCAP_ERRBUF_SIZE];
938 if_list = get_interface_list(&err, &err_str);
939 if (if_list == NULL) {
941 cmdarg_err("There are no interfaces on which a capture can be done");
943 cmdarg_err("%s", err_str);
949 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
950 if_info = (if_info_t *)if_entry->data;
953 /* On Linux nf* interfaces don't collect stats properly and don't allows multiple
954 * connections. We avoid collecting stats on them.
956 if (!strncmp(if_info->name, "nf", 2)) {
957 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Skipping interface %s for stats",
963 #ifdef HAVE_PCAP_OPEN
964 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
966 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
970 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
971 if_stat->name = g_strdup(if_info->name);
973 stat_list = g_list_append(stat_list, if_stat);
978 cmdarg_err("There are no interfaces on which a capture can be done");
983 /* Let our parent know we succeeded. */
984 pipe_write_block(2, SP_SUCCESS, NULL);
987 if (!machine_readable) {
988 printf("%-15s %10s %10s\n", "Interface", "Received",
993 while (global_ld.go) {
994 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
995 if_stat = (if_stat_t *)stat_entry->data;
996 pcap_stats(if_stat->pch, &ps);
998 if (!machine_readable) {
999 printf("%-15s %10u %10u\n", if_stat->name,
1000 ps.ps_recv, ps.ps_drop);
1002 printf("%s\t%u\t%u\n", if_stat->name,
1003 ps.ps_recv, ps.ps_drop);
1008 /* If we have a dummy signal pipe check it */
1009 if (!signal_pipe_check_running()) {
1010 global_ld.go = FALSE;
1018 /* XXX - Not reached. Should we look for 'q' in stdin? */
1019 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1020 if_stat = (if_stat_t *)stat_entry->data;
1021 pcap_close(if_stat->pch);
1022 g_free(if_stat->name);
1025 g_list_free(stat_list);
1026 free_interface_list(if_list);
1034 capture_cleanup_handler(DWORD dwCtrlType)
1036 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1037 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1038 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1039 like SIGTERM at least when the machine's shutting down.
1041 For now, if we're running as a command rather than a capture child,
1042 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1043 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1044 in that way on UN*X.
1046 If we're not running as a capture child, we might be running as
1047 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1048 user logs out. (XXX - can we explicitly check whether we're
1049 running as a service?) */
1051 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1052 "Console: Control signal");
1053 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1054 "Console: Control signal, CtrlType: %u", dwCtrlType);
1056 /* Keep capture running if we're a service and a user logs off */
1057 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1058 capture_loop_stop();
1066 capture_cleanup_handler(int signum _U_)
1068 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1069 SIGTERM. We assume that if the user wanted it to keep running
1070 after they logged out, they'd have nohupped it. */
1072 /* Note: don't call g_log() in the signal handler: if we happened to be in
1073 * g_log() in process context when the signal came in, g_log will detect
1074 * the "recursion" and abort.
1077 capture_loop_stop();
1083 report_capture_count(gboolean reportit)
1085 /* Don't print this if we're a capture child. */
1086 if (!capture_child && reportit) {
1087 fprintf(stderr, "\rPackets captured: %d\n", global_ld.packet_count);
1088 /* stderr could be line buffered */
1096 report_counts_for_siginfo(void)
1098 report_capture_count(quiet);
1099 infoprint = FALSE; /* we just reported it */
1103 report_counts_siginfo(int signum _U_)
1105 int sav_errno = errno;
1107 /* If we've been told to delay printing, just set a flag asking
1108 that we print counts (if we're supposed to), otherwise print
1109 the count of packets captured (if we're supposed to). */
1113 report_counts_for_siginfo();
1116 #endif /* SIGINFO */
1119 exit_main(int status)
1122 /* Shutdown windows sockets */
1125 /* can be helpful for debugging */
1126 #ifdef DEBUG_DUMPCAP
1127 printf("Press any key\n");
1138 * If we were linked with libcap (not related to libpcap), make sure we have
1139 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1140 * (See comment in main() for details)
1143 relinquish_privs_except_capture(void)
1145 /* If 'started_with_special_privs' (ie: suid) then enable for
1146 * ourself the NET_ADMIN and NET_RAW capabilities and then
1147 * drop our suid privileges.
1149 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1150 * stuff we don't need (and shouldn't have).
1151 * CAP_NET_RAW: Packet capture (raw sockets).
1154 if (started_with_special_privs()) {
1155 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1156 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1158 cap_t caps = cap_init(); /* all capabilities initialized to off */
1160 print_caps("Pre drop, pre set");
1162 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1163 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1166 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1167 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1169 if (cap_set_proc(caps)) {
1170 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1172 print_caps("Pre drop, post set");
1174 relinquish_special_privs_perm();
1176 print_caps("Post drop, pre set");
1177 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1178 if (cap_set_proc(caps)) {
1179 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1181 print_caps("Post drop, post set");
1187 #endif /* HAVE_LIBCAP */
1189 /* Take care of byte order in the libpcap headers read from pipes.
1190 * (function taken from wiretap/libpcap.c) */
1192 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1195 /* Byte-swap the record header fields. */
1196 rechdr->ts_sec = GUINT32_SWAP_LE_BE(rechdr->ts_sec);
1197 rechdr->ts_usec = GUINT32_SWAP_LE_BE(rechdr->ts_usec);
1198 rechdr->incl_len = GUINT32_SWAP_LE_BE(rechdr->incl_len);
1199 rechdr->orig_len = GUINT32_SWAP_LE_BE(rechdr->orig_len);
1202 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1203 swapped, in order to match the BPF header layout.
1205 Unfortunately, some files were, according to a comment in the "libpcap"
1206 source, written with version 2.3 in their headers but without the
1207 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1208 would make no sense - we assume that we need to swap them. */
1209 if (hdr->version_major == 2 &&
1210 (hdr->version_minor < 3 ||
1211 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1214 temp = rechdr->orig_len;
1215 rechdr->orig_len = rechdr->incl_len;
1216 rechdr->incl_len = temp;
1220 /* Wrapper: distinguish between recv/read if we're reading on Windows,
1224 cap_pipe_read(int pipe_fd, char *buf, size_t sz, gboolean from_socket _U_)
1228 return recv(pipe_fd, buf, (int)sz, 0);
1233 return ws_read(pipe_fd, buf, sz);
1239 * Thread function that reads from a pipe and pushes the data
1240 * to the main application thread.
1243 * XXX Right now we use async queues for basic signaling. The main thread
1244 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1245 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1246 * Iff the read is successful cap_pipe_read pushes an item onto
1247 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1248 * the queues themselves (yet).
1250 * We might want to move some of the cap_pipe_dispatch logic here so that
1251 * we can let cap_thread_read run independently, queuing up multiple reads
1252 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1254 static void *cap_thread_read(void *arg)
1256 pcap_options *pcap_opts;
1259 DWORD b, last_err, bytes_read;
1265 pcap_opts = (pcap_options *)arg;
1266 while (pcap_opts->cap_pipe_err == PIPOK) {
1267 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1268 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1270 while (bytes_read < pcap_opts->cap_pipe_bytes_to_read) {
1271 if ((pcap_opts->from_cap_socket)
1277 b = cap_pipe_read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1278 pcap_opts->cap_pipe_bytes_to_read - bytes_read, pcap_opts->from_cap_socket);
1281 pcap_opts->cap_pipe_err = PIPEOF;
1285 pcap_opts->cap_pipe_err = PIPERR;
1296 /* If we try to use read() on a named pipe on Windows with partial
1297 * data it appears to return EOF.
1299 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1300 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1305 last_err = GetLastError();
1306 if (last_err == ERROR_MORE_DATA) {
1308 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1309 pcap_opts->cap_pipe_err = PIPEOF;
1313 pcap_opts->cap_pipe_err = PIPERR;
1316 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1317 pcap_opts->cap_pipe_err = PIPEOF;
1324 pcap_opts->cap_pipe_bytes_read = bytes_read;
1325 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1326 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1328 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1334 /* Provide select() functionality for a single file descriptor
1335 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1337 * Returns the same values as select.
1340 cap_pipe_select(int pipe_fd)
1343 struct timeval timeout;
1346 FD_SET(pipe_fd, &rfds);
1348 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1349 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1351 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1354 #define DEF_TCP_PORT 19000
1357 cap_open_socket(char *pipename, pcap_options *pcap_opts, char *errmsg, int errmsgl)
1359 char *sockname = pipename + 4;
1360 struct sockaddr_in sa;
1367 memset(&sa, 0, sizeof(sa));
1369 p = strchr(sockname, ':');
1371 len = strlen(sockname);
1372 port = DEF_TCP_PORT;
1376 port = strtoul(p + 1, &p, 10);
1377 if (*p || port > 65535) {
1386 g_snprintf ( buf,(gulong)len + 1, "%s", sockname );
1388 if (!ws_inet_pton4(buf, (guint32 *)&sa.sin_addr)) {
1392 sa.sin_family = AF_INET;
1393 sa.sin_port = g_htons((u_short)port);
1395 if (((fd = (int)socket(AF_INET, SOCK_STREAM, 0)) < 0) ||
1396 (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)) {
1398 LPTSTR errorText = NULL;
1401 lastError = WSAGetLastError();
1402 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
1403 FORMAT_MESSAGE_ALLOCATE_BUFFER |
1404 FORMAT_MESSAGE_IGNORE_INSERTS,
1405 NULL, lastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
1406 (LPTSTR)&errorText, 0, NULL);
1408 g_snprintf(errmsg, errmsgl,
1409 "The capture session could not be initiated due to the socket error: \n"
1411 " %d: %S", lastError, errorText ? (char *)errorText : "Unknown");
1413 LocalFree(errorText);
1415 " %d: %s", errno, g_strerror(errno));
1417 pcap_opts->cap_pipe_err = PIPERR;
1420 cap_pipe_close(fd, TRUE);
1424 pcap_opts->from_cap_socket = TRUE;
1428 g_snprintf(errmsg, errmsgl,
1429 "The capture session could not be initiated because\n"
1430 "\"%s\" is not a valid socket specification", pipename);
1431 pcap_opts->cap_pipe_err = PIPERR;
1435 /* Wrapper: distinguish between closesocket on Windows; use ws_close
1439 cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
1443 closesocket(pipe_fd);
1450 /* Mimic pcap_open_live() for pipe captures
1452 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1453 * open it, and read the header.
1455 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1456 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1458 cap_pipe_open_live(char *pipename,
1459 pcap_options *pcap_opts,
1460 struct pcap_hdr *hdr,
1461 char *errmsg, int errmsgl)
1464 ws_statb64 pipe_stat;
1465 struct sockaddr_un sa;
1470 char* extcap_pipe_name;
1474 gboolean extcap_pipe = FALSE;
1475 interface_options interface_opts;
1478 int fd = -1, sel_ret;
1481 pcap_opts->cap_pipe_fd = -1;
1483 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1486 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1489 * XXX - this blocks until a pcap per-file header has been written to
1490 * the pipe, so it could block indefinitely.
1492 if (strcmp(pipename, "-") == 0) {
1494 fd = 0; /* read from stdin */
1496 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1498 } else if (!strncmp(pipename, "TCP@", 4)) {
1499 if ((fd = cap_open_socket(pipename, pcap_opts, errmsg, errmsgl)) < 0) {
1505 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, 0);
1510 if ( g_strrstr(interface_opts.name, EXTCAP_PIPE_PREFIX) != NULL )
1514 if (ws_stat64(pipename, &pipe_stat) < 0) {
1515 if (errno == ENOENT || errno == ENOTDIR)
1516 pcap_opts->cap_pipe_err = PIPNEXIST;
1518 g_snprintf(errmsg, errmsgl,
1519 "The capture session could not be initiated "
1520 "due to error getting information on pipe/socket: %s.", g_strerror(errno));
1521 pcap_opts->cap_pipe_err = PIPERR;
1525 if (S_ISFIFO(pipe_stat.st_mode)) {
1526 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1528 g_snprintf(errmsg, errmsgl,
1529 "The capture session could not be initiated "
1530 "due to error on pipe open: %s.", g_strerror(errno));
1531 pcap_opts->cap_pipe_err = PIPERR;
1534 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1535 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1537 g_snprintf(errmsg, errmsgl,
1538 "The capture session could not be initiated "
1539 "due to error on socket create: %s.", g_strerror(errno));
1540 pcap_opts->cap_pipe_err = PIPERR;
1543 sa.sun_family = AF_UNIX;
1545 * The Single UNIX Specification says:
1547 * The size of sun_path has intentionally been left undefined.
1548 * This is because different implementations use different sizes.
1549 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1550 * of 104. Since most implementations originate from BSD versions,
1551 * the size is typically in the range 92 to 108.
1553 * Applications should not assume a particular length for sun_path
1554 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1558 * The <sys/un.h> header shall define the sockaddr_un structure,
1559 * which shall include at least the following members:
1561 * sa_family_t sun_family Address family.
1562 * char sun_path[] Socket pathname.
1564 * so we assume that it's an array, with a specified size,
1565 * and that the size reflects the maximum path length.
1567 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1568 /* Path name too long */
1569 g_snprintf(errmsg, errmsgl,
1570 "The capture session coud not be initiated "
1571 "due to error on socket connect: Path name too long.");
1572 pcap_opts->cap_pipe_err = PIPERR;
1576 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1578 g_snprintf(errmsg, errmsgl,
1579 "The capture session coud not be initiated "
1580 "due to error on socket connect: %s.", g_strerror(errno));
1581 pcap_opts->cap_pipe_err = PIPERR;
1586 if (S_ISCHR(pipe_stat.st_mode)) {
1588 * Assume the user specified an interface on a system where
1589 * interfaces are in /dev. Pretend we haven't seen it.
1591 pcap_opts->cap_pipe_err = PIPNEXIST;
1593 g_snprintf(errmsg, errmsgl,
1594 "The capture session could not be initiated because\n"
1595 "\"%s\" is neither an interface nor a socket nor a pipe.", pipename);
1596 pcap_opts->cap_pipe_err = PIPERR;
1602 #define PIPE_STR "\\pipe\\"
1603 /* Under Windows, named pipes _must_ have the form
1604 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1606 pncopy = g_strdup(pipename);
1607 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1608 pos = strchr(pncopy + 3, '\\');
1609 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1616 g_snprintf(errmsg, errmsgl,
1617 "The capture session could not be initiated because\n"
1618 "\"%s\" is neither an interface nor a pipe.", pipename);
1619 pcap_opts->cap_pipe_err = PIPNEXIST;
1623 extcap_pipe_name = g_strconcat("\\\\.\\pipe\\", EXTCAP_PIPE_PREFIX, NULL);
1624 extcap_pipe = strstr(interface_opts.name, extcap_pipe_name) ? TRUE : FALSE;
1625 g_free(extcap_pipe_name);
1628 /* Wait for the pipe to appear */
1633 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1636 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1637 OPEN_EXISTING, 0, NULL);
1639 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1642 if (GetLastError() != ERROR_PIPE_BUSY) {
1643 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
1644 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1645 g_snprintf(errmsg, errmsgl,
1646 "The capture session on \"%s\" could not be started "
1647 "due to error on pipe open: %s (error %d).",
1648 pipename, utf_16to8(err_str), GetLastError());
1650 pcap_opts->cap_pipe_err = PIPERR;
1654 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1655 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
1656 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1657 g_snprintf(errmsg, errmsgl,
1658 "The capture session on \"%s\" timed out during "
1659 "pipe open: %s (error %d).",
1660 pipename, utf_16to8(err_str), GetLastError());
1662 pcap_opts->cap_pipe_err = PIPERR;
1669 pcap_opts->from_cap_pipe = TRUE;
1672 if (pcap_opts->from_cap_socket)
1675 /* read the pcap header */
1677 while (bytes_read < sizeof magic) {
1679 g_snprintf(errmsg, errmsgl, "Invalid file descriptor.");
1683 sel_ret = cap_pipe_select(fd);
1685 g_snprintf(errmsg, errmsgl,
1686 "Unexpected error from select: %s.", g_strerror(errno));
1688 } else if (sel_ret > 0) {
1689 b = cap_pipe_read(fd, ((char *)&magic)+bytes_read,
1690 sizeof magic-bytes_read,
1691 pcap_opts->from_cap_socket);
1693 /* jump messaging, if extcap had an error, stderr will provide the correct message */
1694 if (extcap_pipe && b <= 0)
1699 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open.");
1701 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s.",
1711 #if GLIB_CHECK_VERSION(2,31,0)
1712 g_thread_new("cap_pipe_open_live", &cap_thread_read, pcap_opts);
1714 g_thread_create(&cap_thread_read, pcap_opts, FALSE, NULL);
1717 pcap_opts->cap_pipe_buf = (char *) &magic;
1718 pcap_opts->cap_pipe_bytes_read = 0;
1719 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1720 /* We don't have to worry about cap_pipe_read_mtx here */
1721 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1722 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1723 /* jump messaging, if extcap had an error, stderr will provide the correct message */
1724 if (pcap_opts->cap_pipe_bytes_read <= 0 && extcap_pipe)
1727 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1728 if (pcap_opts->cap_pipe_bytes_read == 0)
1729 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open.");
1731 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s.",
1740 case PCAP_NSEC_MAGIC:
1741 /* Host that wrote it has our byte order, and was running
1742 a program using either standard or ss990417 libpcap. */
1743 pcap_opts->cap_pipe_byte_swapped = FALSE;
1744 pcap_opts->cap_pipe_modified = FALSE;
1745 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
1747 case PCAP_MODIFIED_MAGIC:
1748 /* Host that wrote it has our byte order, but was running
1749 a program using either ss990915 or ss991029 libpcap. */
1750 pcap_opts->cap_pipe_byte_swapped = FALSE;
1751 pcap_opts->cap_pipe_modified = TRUE;
1753 case PCAP_SWAPPED_MAGIC:
1754 case PCAP_SWAPPED_NSEC_MAGIC:
1755 /* Host that wrote it has a byte order opposite to ours,
1756 and was running a program using either standard or
1757 ss990417 libpcap. */
1758 pcap_opts->cap_pipe_byte_swapped = TRUE;
1759 pcap_opts->cap_pipe_modified = FALSE;
1760 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
1762 case PCAP_SWAPPED_MODIFIED_MAGIC:
1763 /* Host that wrote it out has a byte order opposite to
1764 ours, and was running a program using either ss990915
1765 or ss991029 libpcap. */
1766 pcap_opts->cap_pipe_byte_swapped = TRUE;
1767 pcap_opts->cap_pipe_modified = TRUE;
1769 case BLOCK_TYPE_SHB:
1770 /* This isn't pcap, it's pcapng. We don't yet support
1772 g_snprintf(errmsg, errmsgl, "Capturing from a pipe doesn't support pcapng format.");
1775 /* Not a pcap type we know about, or not pcap at all. */
1776 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format or not libpcap data.");
1781 if (pcap_opts->from_cap_socket)
1784 /* Read the rest of the header */
1786 while (bytes_read < sizeof(struct pcap_hdr)) {
1787 sel_ret = cap_pipe_select(fd);
1789 g_snprintf(errmsg, errmsgl,
1790 "Unexpected error from select: %s.", g_strerror(errno));
1792 } else if (sel_ret > 0) {
1793 b = cap_pipe_read(fd, ((char *)hdr)+bytes_read,
1794 sizeof(struct pcap_hdr) - bytes_read,
1795 pcap_opts->from_cap_socket);
1798 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open.");
1800 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s.",
1810 pcap_opts->cap_pipe_buf = (char *) hdr;
1811 pcap_opts->cap_pipe_bytes_read = 0;
1812 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1813 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1814 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1815 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1816 if (pcap_opts->cap_pipe_bytes_read == 0)
1817 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open.");
1819 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s.",
1826 if (pcap_opts->cap_pipe_byte_swapped) {
1827 /* Byte-swap the header fields about which we care. */
1828 hdr->version_major = GUINT16_SWAP_LE_BE(hdr->version_major);
1829 hdr->version_minor = GUINT16_SWAP_LE_BE(hdr->version_minor);
1830 hdr->snaplen = GUINT32_SWAP_LE_BE(hdr->snaplen);
1831 hdr->network = GUINT32_SWAP_LE_BE(hdr->network);
1833 pcap_opts->linktype = hdr->network;
1835 if (hdr->version_major < 2) {
1836 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1840 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
1841 pcap_opts->cap_pipe_err = PIPOK;
1842 pcap_opts->cap_pipe_fd = fd;
1846 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1847 pcap_opts->cap_pipe_err = PIPERR;
1848 cap_pipe_close(fd, pcap_opts->from_cap_socket);
1849 pcap_opts->cap_pipe_fd = -1;
1853 /* We read one record from the pipe, take care of byte order in the record
1854 * header, write the record to the capture file, and update capture statistics. */
1856 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
1858 struct pcap_pkthdr phdr;
1859 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1862 #if !GLIB_CHECK_VERSION(2,31,18)
1870 #ifdef LOG_CAPTURE_VERBOSE
1871 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1874 switch (pcap_opts->cap_pipe_state) {
1876 case STATE_EXPECT_REC_HDR:
1878 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
1881 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
1882 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
1883 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1884 pcap_opts->cap_pipe_bytes_read = 0;
1887 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
1888 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1889 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1894 case STATE_READ_REC_HDR:
1896 if (pcap_opts->from_cap_socket)
1899 b = cap_pipe_read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
1900 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
1903 result = PD_PIPE_EOF;
1905 result = PD_PIPE_ERR;
1908 pcap_opts->cap_pipe_bytes_read += b;
1912 #if GLIB_CHECK_VERSION(2,31,18)
1913 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
1915 g_get_current_time(&wait_time);
1916 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
1917 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
1919 if (pcap_opts->cap_pipe_err == PIPEOF) {
1920 result = PD_PIPE_EOF;
1922 } else if (pcap_opts->cap_pipe_err == PIPERR) {
1923 result = PD_PIPE_ERR;
1931 if (pcap_opts->cap_pipe_bytes_read < pcap_opts->cap_pipe_bytes_to_read)
1933 result = PD_REC_HDR_READ;
1936 case STATE_EXPECT_DATA:
1938 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
1941 pcap_opts->cap_pipe_state = STATE_READ_DATA;
1942 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
1943 pcap_opts->cap_pipe_bytes_read = 0;
1946 pcap_opts->cap_pipe_buf = (char *) data;
1947 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1948 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1953 case STATE_READ_DATA:
1955 if (pcap_opts->from_cap_socket)
1958 b = cap_pipe_read(pcap_opts->cap_pipe_fd,
1959 data+pcap_opts->cap_pipe_bytes_read,
1960 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read,
1961 pcap_opts->from_cap_socket);
1964 result = PD_PIPE_EOF;
1966 result = PD_PIPE_ERR;
1969 pcap_opts->cap_pipe_bytes_read += b;
1974 #if GLIB_CHECK_VERSION(2,31,18)
1975 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
1977 g_get_current_time(&wait_time);
1978 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
1979 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
1980 #endif /* GLIB_CHECK_VERSION(2,31,18) */
1981 if (pcap_opts->cap_pipe_err == PIPEOF) {
1982 result = PD_PIPE_EOF;
1984 } else if (pcap_opts->cap_pipe_err == PIPERR) {
1985 result = PD_PIPE_ERR;
1993 if (pcap_opts->cap_pipe_bytes_read < pcap_opts->cap_pipe_bytes_to_read)
1995 result = PD_DATA_READ;
1999 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2002 } /* switch (pcap_opts->cap_pipe_state) */
2005 * We've now read as much data as we were expecting, so process it.
2009 case PD_REC_HDR_READ:
2010 /* We've read the header. Take care of byte order. */
2011 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2012 &pcap_opts->cap_pipe_rechdr.hdr);
2013 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2014 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2015 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2019 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2020 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2023 /* no data to read? fall through */
2026 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2027 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2028 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2029 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2030 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2033 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2035 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2037 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2041 pcap_opts->cap_pipe_err = PIPEOF;
2046 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2047 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2048 g_snprintf(errmsg, errmsgl,
2049 "Error reading from pipe: %s (error %d)",
2050 utf_16to8(err_str), GetLastError());
2053 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2061 pcap_opts->cap_pipe_err = PIPERR;
2062 /* Return here rather than inside the switch to prevent GCC warning */
2067 /** Open the capture input file (pcap or capture pipe).
2068 * Returns TRUE if it succeeds, FALSE otherwise. */
2070 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2071 char *errmsg, size_t errmsg_len,
2072 char *secondary_errmsg, size_t secondary_errmsg_len)
2074 gchar open_err_str[PCAP_ERRBUF_SIZE];
2075 gchar *sync_msg_str;
2076 interface_options interface_opts;
2077 pcap_options *pcap_opts;
2081 WORD wVersionRequested;
2085 /* XXX - opening Winsock on tshark? */
2087 /* Initialize Windows Socket if we are in a Win32 OS
2088 This needs to be done before querying the interface for network/netmask */
2090 /* XXX - do we really require 1.1 or earlier?
2091 Are there any versions that support only 2.0 or higher? */
2092 wVersionRequested = MAKEWORD(1, 1);
2093 err = WSAStartup(wVersionRequested, &wsaData);
2097 case WSASYSNOTREADY:
2098 g_snprintf(errmsg, (gulong) errmsg_len,
2099 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2102 case WSAVERNOTSUPPORTED:
2103 g_snprintf(errmsg, (gulong) errmsg_len,
2104 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2105 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2108 case WSAEINPROGRESS:
2109 g_snprintf(errmsg, (gulong) errmsg_len,
2110 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2114 g_snprintf(errmsg, (gulong) errmsg_len,
2115 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2119 g_snprintf(errmsg, (gulong) errmsg_len,
2120 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2124 g_snprintf(errmsg, (gulong) errmsg_len,
2125 "Couldn't initialize Windows Sockets: error %d", err);
2128 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2132 if ((use_threads == FALSE) &&
2133 (capture_opts->ifaces->len > 1)) {
2134 g_snprintf(errmsg, (gulong) errmsg_len,
2135 "Using threads is required for capturing on multiple interfaces.");
2139 for (i = 0; i < capture_opts->ifaces->len; i++) {
2140 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2141 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2142 if (pcap_opts == NULL) {
2143 g_snprintf(errmsg, (gulong) errmsg_len,
2144 "Could not allocate memory.");
2147 pcap_opts->received = 0;
2148 pcap_opts->dropped = 0;
2149 pcap_opts->flushed = 0;
2150 pcap_opts->pcap_h = NULL;
2151 #ifdef MUST_DO_SELECT
2152 pcap_opts->pcap_fd = -1;
2154 pcap_opts->pcap_err = FALSE;
2155 pcap_opts->interface_id = i;
2156 pcap_opts->tid = NULL;
2157 pcap_opts->snaplen = 0;
2158 pcap_opts->linktype = -1;
2159 pcap_opts->ts_nsec = FALSE;
2160 pcap_opts->from_cap_pipe = FALSE;
2161 pcap_opts->from_cap_socket = FALSE;
2162 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2163 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2165 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2167 pcap_opts->cap_pipe_fd = -1;
2168 pcap_opts->cap_pipe_modified = FALSE;
2169 pcap_opts->cap_pipe_byte_swapped = FALSE;
2171 pcap_opts->cap_pipe_buf = NULL;
2173 pcap_opts->cap_pipe_bytes_to_read = 0;
2174 pcap_opts->cap_pipe_bytes_read = 0;
2175 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2176 pcap_opts->cap_pipe_err = PIPOK;
2178 #if GLIB_CHECK_VERSION(2,31,0)
2179 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2180 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2182 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2184 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2185 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2187 g_array_append_val(ld->pcaps, pcap_opts);
2189 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2190 pcap_opts->pcap_h = open_capture_device(capture_opts, &interface_opts,
2191 CAP_READ_TIMEOUT, &open_err_str);
2193 if (pcap_opts->pcap_h != NULL) {
2194 /* we've opened "iface" as a network device */
2196 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
2197 /* Find out if we're getting nanosecond-precision time stamps */
2198 pcap_opts->ts_nsec = have_high_resolution_timestamp(pcap_opts->pcap_h);
2201 #if defined(HAVE_PCAP_SETSAMPLING)
2202 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2203 struct pcap_samp *samp;
2205 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2206 switch (interface_opts.sampling_method) {
2207 case CAPTURE_SAMP_BY_COUNT:
2208 samp->method = PCAP_SAMP_1_EVERY_N;
2211 case CAPTURE_SAMP_BY_TIMER:
2212 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2216 sync_msg_str = g_strdup_printf(
2217 "Unknown sampling method %d specified,\n"
2218 "continue without packet sampling",
2219 interface_opts.sampling_method);
2220 report_capture_error("Couldn't set the capture "
2221 "sampling", sync_msg_str);
2222 g_free(sync_msg_str);
2224 samp->value = interface_opts.sampling_param;
2226 report_capture_error("Couldn't set the capture sampling",
2227 "Cannot get packet sampling data structure");
2232 /* setting the data link type only works on real interfaces */
2233 if (!set_pcap_datalink(pcap_opts->pcap_h, interface_opts.linktype,
2234 interface_opts.name,
2236 secondary_errmsg, secondary_errmsg_len)) {
2239 pcap_opts->linktype = get_pcap_datalink(pcap_opts->pcap_h, interface_opts.name);
2241 /* We couldn't open "iface" as a network device. */
2242 /* Try to open it as a pipe */
2243 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2246 if (pcap_opts->cap_pipe_fd == -1) {
2248 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2250 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2252 * We tried opening as an interface, and that failed,
2253 * so we tried to open it as a pipe, but the pipe
2254 * doesn't exist. Report the error message for
2257 get_capture_device_open_failure_messages(open_err_str,
2258 interface_opts.name,
2262 secondary_errmsg_len);
2265 * Else pipe (or file) does exist and cap_pipe_open_live() has
2270 /* cap_pipe_open_live() succeeded; don't want
2271 error message from pcap_open_live() */
2272 open_err_str[0] = '\0';
2276 /* XXX - will this work for tshark? */
2277 #ifdef MUST_DO_SELECT
2278 if (!pcap_opts->from_cap_pipe) {
2279 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2280 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2282 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2287 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2288 returned a warning; print it, but keep capturing. */
2289 if (open_err_str[0] != '\0') {
2290 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2291 report_capture_error(sync_msg_str, "");
2292 g_free(sync_msg_str);
2294 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2295 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2298 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2299 /* to remove any suid privileges. */
2300 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2301 /* (euid/egid have already previously been set to ruid/rgid. */
2302 /* (See comment in main() for details) */
2304 relinquish_special_privs_perm();
2306 relinquish_all_capabilities();
2311 /* close the capture input file (pcap or capture pipe) */
2312 static void capture_loop_close_input(loop_data *ld)
2315 pcap_options *pcap_opts;
2317 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2319 for (i = 0; i < ld->pcaps->len; i++) {
2320 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2321 /* if open, close the capture pipe "input file" */
2322 if (pcap_opts->cap_pipe_fd >= 0) {
2323 g_assert(pcap_opts->from_cap_pipe);
2324 cap_pipe_close(pcap_opts->cap_pipe_fd, pcap_opts->from_cap_socket);
2325 pcap_opts->cap_pipe_fd = -1;
2328 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2329 CloseHandle(pcap_opts->cap_pipe_h);
2330 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2333 /* if open, close the pcap "input file" */
2334 if (pcap_opts->pcap_h != NULL) {
2335 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2336 pcap_close(pcap_opts->pcap_h);
2337 pcap_opts->pcap_h = NULL;
2344 /* Shut down windows sockets */
2350 /* init the capture filter */
2351 static initfilter_status_t
2352 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2353 const gchar * name, const gchar * cfilter)
2355 struct bpf_program fcode;
2357 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2359 /* capture filters only work on real interfaces */
2360 if (cfilter && !from_cap_pipe) {
2361 /* A capture filter was specified; set it up. */
2362 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2363 /* Treat this specially - our caller might try to compile this
2364 as a display filter and, if that succeeds, warn the user that
2365 the display and capture filter syntaxes are different. */
2366 return INITFILTER_BAD_FILTER;
2368 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2369 #ifdef HAVE_PCAP_FREECODE
2370 pcap_freecode(&fcode);
2372 return INITFILTER_OTHER_ERROR;
2374 #ifdef HAVE_PCAP_FREECODE
2375 pcap_freecode(&fcode);
2379 return INITFILTER_NO_ERROR;
2383 /* set up to write to the already-opened capture output file/files */
2385 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2389 pcap_options *pcap_opts;
2390 interface_options interface_opts;
2391 gboolean successful;
2393 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2395 if ((capture_opts->use_pcapng == FALSE) &&
2396 (capture_opts->ifaces->len > 1)) {
2397 g_snprintf(errmsg, errmsg_len,
2398 "Using PCAPNG is required for capturing on multiple interfaces. Use the -n option.");
2402 /* Set up to write to the capture file. */
2403 if (capture_opts->multi_files_on) {
2404 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2406 ld->pdh = ws_fdopen(ld->save_file_fd, "wb");
2407 if (ld->pdh == NULL) {
2412 if (capture_opts->use_pcapng) {
2414 GString *os_info_str;
2416 os_info_str = g_string_new("");
2417 get_os_version_info(os_info_str);
2419 appname = g_strdup_printf("Dumpcap (Wireshark) %s", get_ws_vcs_version_info());
2420 successful = pcapng_write_session_header_block(ld->pdh,
2421 (const char *)capture_opts->capture_comment, /* Comment*/
2423 os_info_str->str, /* OS*/
2425 -1, /* section_length */
2430 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2431 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2432 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2433 if (pcap_opts->from_cap_pipe) {
2434 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2436 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2438 successful = pcapng_write_interface_description_block(global_ld.pdh,
2439 NULL, /* OPT_COMMENT 1 */
2440 interface_opts.name, /* IDB_NAME 2 */
2441 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2442 interface_opts.cfilter, /* IDB_FILTER 11 */
2443 os_info_str->str, /* IDB_OS 12 */
2444 pcap_opts->linktype,
2446 &(global_ld.bytes_written),
2447 0, /* IDB_IF_SPEED 8 */
2448 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2452 g_string_free(os_info_str, TRUE);
2455 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2456 if (pcap_opts->from_cap_pipe) {
2457 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2459 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2461 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2462 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2470 if (ld->pdh == NULL) {
2471 /* We couldn't set up to write to the capture file. */
2472 /* XXX - use cf_open_error_message from tshark instead? */
2477 g_snprintf(errmsg, errmsg_len,
2478 "The file to which the capture would be"
2479 " saved (\"%s\") could not be opened: Error %d.",
2480 capture_opts->save_file, err);
2482 g_snprintf(errmsg, errmsg_len,
2483 "The file to which the capture would be"
2484 " saved (\"%s\") could not be opened: %s.",
2485 capture_opts->save_file, g_strerror(err));
2497 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2501 pcap_options *pcap_opts;
2502 guint64 end_time = create_timestamp();
2504 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2506 if (capture_opts->multi_files_on) {
2507 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2509 if (capture_opts->use_pcapng) {
2510 for (i = 0; i < global_ld.pcaps->len; i++) {
2511 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2512 if (!pcap_opts->from_cap_pipe) {
2513 guint64 isb_ifrecv, isb_ifdrop;
2514 struct pcap_stat stats;
2516 if (pcap_stats(pcap_opts->pcap_h, &stats) >= 0) {
2517 isb_ifrecv = pcap_opts->received;
2518 isb_ifdrop = stats.ps_drop + pcap_opts->dropped + pcap_opts->flushed;
2520 isb_ifrecv = G_MAXUINT64;
2521 isb_ifdrop = G_MAXUINT64;
2523 pcapng_write_interface_statistics_block(ld->pdh,
2526 "Counters provided by dumpcap",
2535 if (fclose(ld->pdh) == EOF) {
2536 if (err_close != NULL) {
2546 /* dispatch incoming packets (pcap or capture pipe)
2548 * Waits for incoming packets to be available, and calls pcap_dispatch()
2549 * to cause them to be processed.
2551 * Returns the number of packets which were processed.
2553 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2554 * packet-batching behaviour does not cause packets to get held back
2558 capture_loop_dispatch(loop_data *ld,
2559 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2562 gint packet_count_before;
2563 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2568 packet_count_before = ld->packet_count;
2569 if (pcap_opts->from_cap_pipe) {
2570 /* dispatch from capture pipe */
2571 #ifdef LOG_CAPTURE_VERBOSE
2572 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2575 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2577 if (sel_ret < 0 && errno != EINTR) {
2578 g_snprintf(errmsg, errmsg_len,
2579 "Unexpected error from select: %s", g_strerror(errno));
2580 report_capture_error(errmsg, please_report);
2585 * "select()" says we can read from the pipe without blocking
2588 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2598 /* dispatch from pcap */
2599 #ifdef MUST_DO_SELECT
2601 * If we have "pcap_get_selectable_fd()", we use it to get the
2602 * descriptor on which to select; if that's -1, it means there
2603 * is no descriptor on which you can do a "select()" (perhaps
2604 * because you're capturing on a special device, and that device's
2605 * driver unfortunately doesn't support "select()", in which case
2606 * we don't do the select - which means it might not be possible
2607 * to stop a capture until a packet arrives. If that's unacceptable,
2608 * plead with whoever supplies the software for that device to add
2609 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2610 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2611 * later, so it can use pcap_breakloop().
2613 #ifdef LOG_CAPTURE_VERBOSE
2614 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2616 if (pcap_opts->pcap_fd != -1) {
2617 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2620 * "select()" says we can read from it without blocking; go for
2623 * We don't have pcap_breakloop(), so we only process one packet
2624 * per pcap_dispatch() call, to allow a signal to stop the
2625 * processing immediately, rather than processing all packets
2626 * in a batch before quitting.
2629 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2631 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2635 /* Error, rather than pcap_breakloop(). */
2636 pcap_opts->pcap_err = TRUE;
2638 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2641 if (sel_ret < 0 && errno != EINTR) {
2642 g_snprintf(errmsg, errmsg_len,
2643 "Unexpected error from select: %s", g_strerror(errno));
2644 report_capture_error(errmsg, please_report);
2650 #endif /* MUST_DO_SELECT */
2652 /* dispatch from pcap without select */
2654 #ifdef LOG_CAPTURE_VERBOSE
2655 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2659 * On Windows, we don't support asynchronously telling a process to
2660 * stop capturing; instead, we check for an indication on a pipe
2661 * after processing packets. We therefore process only one packet
2662 * at a time, so that we can check the pipe after every packet.
2665 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2667 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2671 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2673 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2678 /* Error, rather than pcap_breakloop(). */
2679 pcap_opts->pcap_err = TRUE;
2681 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2683 #else /* pcap_next_ex */
2684 #ifdef LOG_CAPTURE_VERBOSE
2685 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2687 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2690 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2691 * see https://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2692 * This should be fixed in the WinPcap 4.0 alpha release.
2694 * For reference, an example remote interface:
2695 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2698 /* emulate dispatch from pcap */
2701 struct pcap_pkthdr *pkt_header;
2706 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2708 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2710 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2715 pcap_opts->pcap_err = TRUE;
2719 #endif /* pcap_next_ex */
2723 #ifdef LOG_CAPTURE_VERBOSE
2724 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2727 return ld->packet_count - packet_count_before;
2731 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2732 * want to grab only the characters between the '{' and '}' delimiters.
2734 * Returns a GString that must be freed with g_string_free(). */
2736 isolate_uuid(const char *iface)
2741 ptr = strchr(iface, '{');
2743 return g_string_new(iface);
2744 gstr = g_string_new(ptr + 1);
2746 ptr = strchr(gstr->str, '}');
2750 gstr = g_string_truncate(gstr, ptr - gstr->str);
2755 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2756 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2758 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2759 char *errmsg, int errmsg_len)
2762 gchar *capfile_name;
2763 gchar *prefix, *suffix;
2764 gboolean is_tempfile;
2766 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2767 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2769 if (capture_opts->save_file != NULL) {
2770 /* We return to the caller while the capture is in progress.
2771 * Therefore we need to take a copy of save_file in
2772 * case the caller destroys it after we return.
2774 capfile_name = g_strdup(capture_opts->save_file);
2776 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2777 if (capture_opts->multi_files_on) {
2778 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2779 g_snprintf(errmsg, errmsg_len,
2780 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2781 g_free(capfile_name);
2784 if (strcmp(capfile_name, "-") == 0) {
2785 /* write to stdout */
2788 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2789 _setmode(1, O_BINARY);
2792 } /* if (...output_to_pipe ... */
2795 if (capture_opts->multi_files_on) {
2796 /* ringbuffer is enabled */
2797 *save_file_fd = ringbuf_init(capfile_name,
2798 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2799 capture_opts->group_read_access);
2801 /* we need the ringbuf name */
2802 if (*save_file_fd != -1) {
2803 g_free(capfile_name);
2804 capfile_name = g_strdup(ringbuf_current_filename());
2807 /* Try to open/create the specified file for use as a capture buffer. */
2808 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2809 (capture_opts->group_read_access) ? 0640 : 0600);
2812 is_tempfile = FALSE;
2814 /* Choose a random name for the temporary capture buffer */
2815 if (global_capture_opts.ifaces->len > 1) {
2816 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
2817 if (capture_opts->use_pcapng) {
2824 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).console_display_name);
2826 /* use the generic portion of the interface guid to form the basis of the filename */
2827 if (strncmp("NPF_{", basename, 5)==0)
2829 /* we have a windows guid style device name, extract the guid digits as the basis of the filename */
2831 iface = isolate_uuid(basename);
2833 basename = g_strdup(iface->str);
2834 g_string_free(iface, TRUE);
2837 /* generate the temp file name prefix and suffix */
2838 if (capture_opts->use_pcapng) {
2839 prefix = g_strconcat("wireshark_", basename, NULL);
2842 prefix = g_strconcat("wireshark_", basename, NULL);
2847 *save_file_fd = create_tempfile(&tmpname, prefix, suffix);
2849 capfile_name = g_strdup(tmpname);
2853 /* did we fail to open the output file? */
2854 if (*save_file_fd == -1) {
2856 g_snprintf(errmsg, errmsg_len,
2857 "The temporary file to which the capture would be saved (\"%s\") "
2858 "could not be opened: %s.", capfile_name, g_strerror(errno));
2860 if (capture_opts->multi_files_on) {
2861 ringbuf_error_cleanup();
2864 g_snprintf(errmsg, errmsg_len,
2865 "The file to which the capture would be saved (\"%s\") "
2866 "could not be opened: %s.", capfile_name,
2869 g_free(capfile_name);
2873 if (capture_opts->save_file != NULL) {
2874 g_free(capture_opts->save_file);
2876 capture_opts->save_file = capfile_name;
2877 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2878 "g_free(capfile_name)". */
2884 /* Do the work of handling either the file size or file duration capture
2885 conditions being reached, and switching files or stopping. */
2887 do_file_switch_or_stop(capture_options *capture_opts,
2888 condition *cnd_autostop_files,
2889 condition *cnd_autostop_size,
2890 condition *cnd_file_duration)
2893 pcap_options *pcap_opts;
2894 interface_options interface_opts;
2895 gboolean successful;
2897 if (capture_opts->multi_files_on) {
2898 if (cnd_autostop_files != NULL &&
2899 cnd_eval(cnd_autostop_files, (guint64)++global_ld.autostop_files)) {
2900 /* no files left: stop here */
2901 global_ld.go = FALSE;
2905 /* Switch to the next ringbuffer file */
2906 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2907 &global_ld.save_file_fd, &global_ld.err)) {
2909 /* File switch succeeded: reset the conditions */
2910 global_ld.bytes_written = 0;
2911 if (capture_opts->use_pcapng) {
2913 GString *os_info_str;
2915 os_info_str = g_string_new("");
2916 get_os_version_info(os_info_str);
2918 appname = g_strdup_printf("Dumpcap (Wireshark) %s", get_ws_vcs_version_info());
2919 successful = pcapng_write_session_header_block(global_ld.pdh,
2922 os_info_str->str, /* OS */
2924 -1, /* section_length */
2925 &(global_ld.bytes_written),
2929 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2930 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2931 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2932 successful = pcapng_write_interface_description_block(global_ld.pdh,
2933 NULL, /* OPT_COMMENT 1 */
2934 interface_opts.name, /* IDB_NAME 2 */
2935 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2936 interface_opts.cfilter, /* IDB_FILTER 11 */
2937 os_info_str->str, /* IDB_OS 12 */
2938 pcap_opts->linktype,
2940 &(global_ld.bytes_written),
2941 0, /* IDB_IF_SPEED 8 */
2942 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2946 g_string_free(os_info_str, TRUE);
2949 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
2950 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
2951 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
2954 fclose(global_ld.pdh);
2955 global_ld.pdh = NULL;
2956 global_ld.go = FALSE;
2959 if (cnd_autostop_size)
2960 cnd_reset(cnd_autostop_size);
2961 if (cnd_file_duration)
2962 cnd_reset(cnd_file_duration);
2963 fflush(global_ld.pdh);
2965 report_packet_count(global_ld.inpkts_to_sync_pipe);
2966 global_ld.inpkts_to_sync_pipe = 0;
2967 report_new_capture_file(capture_opts->save_file);
2969 /* File switch failed: stop here */
2970 global_ld.go = FALSE;
2974 /* single file, stop now */
2975 global_ld.go = FALSE;
2982 pcap_read_handler(void* arg)
2984 pcap_options *pcap_opts;
2985 char errmsg[MSG_MAX_LENGTH+1];
2987 pcap_opts = (pcap_options *)arg;
2989 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
2990 pcap_opts->interface_id);
2992 while (global_ld.go) {
2993 /* dispatch incoming packets */
2994 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
2996 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
2997 pcap_opts->interface_id);
2998 g_thread_exit(NULL);
3002 /* Do the low-level work of a capture.
3003 Returns TRUE if it succeeds, FALSE otherwise. */
3005 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3008 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3010 struct timeval upd_time, cur_time;
3014 condition *cnd_file_duration = NULL;
3015 condition *cnd_autostop_files = NULL;
3016 condition *cnd_autostop_size = NULL;
3017 condition *cnd_autostop_duration = NULL;
3020 gboolean cfilter_error = FALSE;
3021 char errmsg[MSG_MAX_LENGTH+1];
3022 char secondary_errmsg[MSG_MAX_LENGTH+1];
3023 pcap_options *pcap_opts;
3024 interface_options interface_opts;
3025 guint i, error_index = 0;
3028 *secondary_errmsg = '\0';
3030 /* init the loop data */
3031 global_ld.go = TRUE;
3032 global_ld.packet_count = 0;
3034 global_ld.report_packet_count = FALSE;
3036 if (capture_opts->has_autostop_packets)
3037 global_ld.packet_max = capture_opts->autostop_packets;
3039 global_ld.packet_max = 0; /* no limit */
3040 global_ld.inpkts_to_sync_pipe = 0;
3041 global_ld.err = 0; /* no error seen yet */
3042 global_ld.pdh = NULL;
3043 global_ld.autostop_files = 0;
3044 global_ld.save_file_fd = -1;
3046 /* We haven't yet gotten the capture statistics. */
3047 *stats_known = FALSE;
3049 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3050 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3052 /* open the "input file" from network interface or capture pipe */
3053 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3054 secondary_errmsg, sizeof(secondary_errmsg))) {
3057 for (i = 0; i < capture_opts->ifaces->len; i++) {
3058 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3059 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3060 /* init the input filter from the network interface (capture pipe will do nothing) */
3062 * When remote capturing WinPCap crashes when the capture filter
3063 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3066 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3067 interface_opts.name,
3068 interface_opts.cfilter?interface_opts.cfilter:"")) {
3070 case INITFILTER_NO_ERROR:
3073 case INITFILTER_BAD_FILTER:
3074 cfilter_error = TRUE;
3076 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3079 case INITFILTER_OTHER_ERROR:
3080 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3081 pcap_geterr(pcap_opts->pcap_h));
3082 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3087 /* If we're supposed to write to a capture file, open it for output
3088 (temporary/specified name/ringbuffer) */
3089 if (capture_opts->saving_to_file) {
3090 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3091 errmsg, sizeof(errmsg))) {
3095 /* set up to write to the already-opened capture output file/files */
3096 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3101 /* XXX - capture SIGTERM and close the capture, in case we're on a
3102 Linux 2.0[.x] system and you have to explicitly close the capture
3103 stream in order to turn promiscuous mode off? We need to do that
3104 in other places as well - and I don't think that works all the
3105 time in any case, due to libpcap bugs. */
3107 /* Well, we should be able to start capturing.
3109 Sync out the capture file, so the header makes it to the file system,
3110 and send a "capture started successfully and capture file created"
3111 message to our parent so that they'll open the capture file and
3112 update its windows to indicate that we have a live capture in
3114 fflush(global_ld.pdh);
3115 report_new_capture_file(capture_opts->save_file);
3118 /* initialize capture stop (and alike) conditions */
3119 init_capture_stop_conditions();
3120 /* create stop conditions */
3121 if (capture_opts->has_autostop_filesize) {
3122 if (capture_opts->autostop_filesize > (((guint32)INT_MAX + 1) / 1000)) {
3123 capture_opts->autostop_filesize = ((guint32)INT_MAX + 1) / 1000;
3126 cnd_new(CND_CLASS_CAPTURESIZE, (guint64)capture_opts->autostop_filesize * 1000);
3128 if (capture_opts->has_autostop_duration)
3129 cnd_autostop_duration =
3130 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3132 if (capture_opts->multi_files_on) {
3133 if (capture_opts->has_file_duration)
3135 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3137 if (capture_opts->has_autostop_files)
3138 cnd_autostop_files =
3139 cnd_new(CND_CLASS_CAPTURESIZE, (guint64)capture_opts->autostop_files);
3142 /* init the time values */
3144 upd_time = GetTickCount();
3146 gettimeofday(&upd_time, NULL);
3148 start_time = create_timestamp();
3149 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running.");
3151 /* WOW, everything is prepared! */
3152 /* please fasten your seat belts, we will enter now the actual capture loop */
3154 pcap_queue = g_async_queue_new();
3155 pcap_queue_bytes = 0;
3156 pcap_queue_packets = 0;
3157 for (i = 0; i < global_ld.pcaps->len; i++) {
3158 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3159 #if GLIB_CHECK_VERSION(2,31,0)
3160 /* XXX - Add an interface name here? */
3161 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3163 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3167 while (global_ld.go) {
3168 /* dispatch incoming packets */
3170 pcap_queue_element *queue_element;
3171 #if GLIB_CHECK_VERSION(2,31,18)
3173 g_async_queue_lock(pcap_queue);
3174 queue_element = (pcap_queue_element *)g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3176 GTimeVal write_thread_time;
3178 g_get_current_time(&write_thread_time);
3179 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3180 g_async_queue_lock(pcap_queue);
3181 queue_element = (pcap_queue_element *)g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3183 if (queue_element) {
3184 pcap_queue_bytes -= queue_element->phdr.caplen;
3185 pcap_queue_packets -= 1;
3187 g_async_queue_unlock(pcap_queue);
3188 if (queue_element) {
3189 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3190 "Dequeued a packet of length %d captured on interface %d.",
3191 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3193 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3194 &queue_element->phdr,
3196 g_free(queue_element->pd);
3197 g_free(queue_element);
3203 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3204 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3205 sizeof(errmsg), pcap_opts);
3208 /* Were we asked to print packet counts by the SIGINFO handler? */
3209 if (global_ld.report_packet_count) {
3210 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3211 plurality(global_ld.packet_count, "", "s"));
3212 global_ld.report_packet_count = FALSE;
3217 /* any news from our parent (signal pipe)? -> just stop the capture */
3218 if (!signal_pipe_check_running()) {
3219 global_ld.go = FALSE;
3224 global_ld.inpkts_to_sync_pipe += inpkts;
3226 /* check capture size condition */
3227 if (cnd_autostop_size != NULL &&
3228 cnd_eval(cnd_autostop_size, global_ld.bytes_written)) {
3229 /* Capture size limit reached, do we have another file? */
3230 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3231 cnd_autostop_size, cnd_file_duration))
3233 } /* cnd_autostop_size */
3234 if (capture_opts->output_to_pipe) {
3235 fflush(global_ld.pdh);
3239 /* Only update once every 500ms so as not to overload slow displays.
3240 * This also prevents too much context-switching between the dumpcap
3241 * and wireshark processes.
3243 #define DUMPCAP_UPD_TIME 500
3246 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3247 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3249 gettimeofday(&cur_time, NULL);
3250 if (((guint64)cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3251 ((guint64)upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3254 upd_time = cur_time;
3257 if (pcap_stats(pch, stats) >= 0) {
3258 *stats_known = TRUE;
3261 /* Let the parent process know. */
3262 if (global_ld.inpkts_to_sync_pipe) {
3264 fflush(global_ld.pdh);
3266 /* Send our parent a message saying we've written out
3267 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3269 report_packet_count(global_ld.inpkts_to_sync_pipe);
3271 global_ld.inpkts_to_sync_pipe = 0;
3274 /* check capture duration condition */
3275 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3276 /* The maximum capture time has elapsed; stop the capture. */
3277 global_ld.go = FALSE;
3281 /* check capture file duration condition */
3282 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3283 /* duration limit reached, do we have another file? */
3284 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3285 cnd_autostop_size, cnd_file_duration))
3287 } /* cnd_file_duration */
3291 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3293 pcap_queue_element *queue_element;
3295 for (i = 0; i < global_ld.pcaps->len; i++) {
3296 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3297 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3298 pcap_opts->interface_id);
3299 g_thread_join(pcap_opts->tid);
3300 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3301 pcap_opts->interface_id);
3304 g_async_queue_lock(pcap_queue);
3305 queue_element = (pcap_queue_element *)g_async_queue_try_pop_unlocked(pcap_queue);
3306 if (queue_element) {
3307 pcap_queue_bytes -= queue_element->phdr.caplen;
3308 pcap_queue_packets -= 1;
3310 g_async_queue_unlock(pcap_queue);
3311 if (queue_element == NULL) {
3314 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3315 "Dequeued a packet of length %d captured on interface %d.",
3316 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3317 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3318 &queue_element->phdr,
3320 g_free(queue_element->pd);
3321 g_free(queue_element);
3322 global_ld.inpkts_to_sync_pipe += 1;
3323 if (capture_opts->output_to_pipe) {
3324 fflush(global_ld.pdh);
3330 /* delete stop conditions */
3331 if (cnd_file_duration != NULL)
3332 cnd_delete(cnd_file_duration);
3333 if (cnd_autostop_files != NULL)
3334 cnd_delete(cnd_autostop_files);
3335 if (cnd_autostop_size != NULL)
3336 cnd_delete(cnd_autostop_size);
3337 if (cnd_autostop_duration != NULL)
3338 cnd_delete(cnd_autostop_duration);
3340 /* did we have a pcap (input) error? */
3341 for (i = 0; i < capture_opts->ifaces->len; i++) {
3342 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3343 if (pcap_opts->pcap_err) {
3344 /* On Linux, if an interface goes down while you're capturing on it,
3345 you'll get a "recvfrom: Network is down" or
3346 "The interface went down" error (ENETDOWN).
3347 (At least you will if g_strerror() doesn't show a local translation
3350 On FreeBSD and OS X, if a network adapter disappears while
3351 you're capturing on it, you'll get a "read: Device not configured"
3352 error (ENXIO). (See previous parenthetical note.)
3354 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3356 These should *not* be reported to the Wireshark developers. */
3359 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3360 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3361 strcmp(cap_err_str, "The interface went down") == 0 ||
3362 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3363 strcmp(cap_err_str, "read: I/O error") == 0 ||
3364 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3365 report_capture_error("The network adapter on which the capture was being done "
3366 "is no longer running; the capture has stopped.",
3369 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3371 report_capture_error(errmsg, please_report);
3374 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3375 report_capture_error(errmsg, "");
3379 /* did we have an output error while capturing? */
3380 if (global_ld.err == 0) {
3383 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3384 global_ld.err, FALSE);
3385 report_capture_error(errmsg, please_report);
3389 if (capture_opts->saving_to_file) {
3390 /* close the output file */
3391 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3395 /* there might be packets not yet notified to the parent */
3396 /* (do this after closing the file, so all packets are already flushed) */
3397 if (global_ld.inpkts_to_sync_pipe) {
3399 report_packet_count(global_ld.inpkts_to_sync_pipe);
3400 global_ld.inpkts_to_sync_pipe = 0;
3403 /* If we've displayed a message about a write error, there's no point
3404 in displaying another message about an error on close. */
3405 if (!close_ok && write_ok) {
3406 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3408 report_capture_error(errmsg, "");
3412 * XXX We exhibit different behaviour between normal mode and sync mode
3413 * when the pipe is stdin and not already at EOF. If we're a child, the
3414 * parent's stdin isn't closed, so if the user starts another capture,
3415 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3416 * will say "Unrecognized libpcap format". On the other hand, in normal
3417 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3420 report_capture_count(TRUE);
3422 /* get packet drop statistics from pcap */
3423 for (i = 0; i < capture_opts->ifaces->len; i++) {
3425 guint32 pcap_dropped = 0;
3427 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3428 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3429 received = pcap_opts->received;
3430 if (pcap_opts->pcap_h != NULL) {
3431 g_assert(!pcap_opts->from_cap_pipe);
3432 /* Get the capture statistics, so we know how many packets were dropped. */
3434 * Older versions of libpcap didn't set ps_ifdrop on some
3435 * platforms; initialize it to 0 to handle that.
3437 stats->ps_ifdrop = 0;
3438 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3439 *stats_known = TRUE;
3440 /* Let the parent process know. */
3441 pcap_dropped += stats->ps_drop;
3443 g_snprintf(errmsg, sizeof(errmsg),
3444 "Can't get packet-drop statistics: %s",
3445 pcap_geterr(pcap_opts->pcap_h));
3446 report_capture_error(errmsg, please_report);
3449 report_packet_drops(received, pcap_dropped, pcap_opts->dropped, pcap_opts->flushed, stats->ps_ifdrop, interface_opts.console_display_name);
3452 /* close the input file (pcap or capture pipe) */
3453 capture_loop_close_input(&global_ld);
3455 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped.");
3457 /* ok, if the write and the close were successful. */
3458 return write_ok && close_ok;
3461 if (capture_opts->multi_files_on) {
3462 /* cleanup ringbuffer */
3463 ringbuf_error_cleanup();
3465 /* We can't use the save file, and we have no FILE * for the stream
3466 to close in order to close it, so close the FD directly. */
3467 if (global_ld.save_file_fd != -1) {
3468 ws_close(global_ld.save_file_fd);
3471 /* We couldn't even start the capture, so get rid of the capture
3473 if (capture_opts->save_file != NULL) {
3474 ws_unlink(capture_opts->save_file);
3475 g_free(capture_opts->save_file);
3478 capture_opts->save_file = NULL;
3480 report_cfilter_error(capture_opts, error_index, errmsg);
3482 report_capture_error(errmsg, secondary_errmsg);
3484 /* close the input file (pcap or cap_pipe) */
3485 capture_loop_close_input(&global_ld);
3487 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3494 capture_loop_stop(void)
3496 #ifdef HAVE_PCAP_BREAKLOOP
3498 pcap_options *pcap_opts;
3500 for (i = 0; i < global_ld.pcaps->len; i++) {
3501 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3502 if (pcap_opts->pcap_h != NULL)
3503 pcap_breakloop(pcap_opts->pcap_h);
3506 global_ld.go = FALSE;
3511 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3512 int err, gboolean is_close)
3517 g_snprintf(errmsg, errmsglen,
3518 "Not all the packets could be written to the file"
3519 " to which the capture was being saved\n"
3520 "(\"%s\") because there is no space left on the file system\n"
3521 "on which that file resides.",
3527 g_snprintf(errmsg, errmsglen,
3528 "Not all the packets could be written to the file"
3529 " to which the capture was being saved\n"
3530 "(\"%s\") because you are too close to, or over,"
3531 " your disk quota\n"
3532 "on the file system on which that file resides.",
3539 g_snprintf(errmsg, errmsglen,
3540 "The file to which the capture was being saved\n"
3541 "(\"%s\") could not be closed: %s.",
3542 fname, g_strerror(err));
3544 g_snprintf(errmsg, errmsglen,
3545 "An error occurred while writing to the file"
3546 " to which the capture was being saved\n"
3548 fname, g_strerror(err));
3555 /* one packet was captured, process it */
3557 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3560 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3562 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3564 /* We may be called multiple times from pcap_dispatch(); if we've set
3565 the "stop capturing" flag, ignore this packet, as we're not
3566 supposed to be saving any more packets. */
3567 if (!global_ld.go) {
3568 pcap_opts->flushed++;
3572 if (global_ld.pdh) {
3573 gboolean successful;
3575 /* We're supposed to write the packet to a file; do so.
3576 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3577 "ld->err" to the error. */
3578 if (global_capture_opts.use_pcapng) {
3579 successful = pcapng_write_enhanced_packet_block(global_ld.pdh,
3581 phdr->ts.tv_sec, (gint32)phdr->ts.tv_usec,
3582 phdr->caplen, phdr->len,
3583 pcap_opts->interface_id,
3586 &global_ld.bytes_written, &err);
3588 successful = libpcap_write_packet(global_ld.pdh,
3589 phdr->ts.tv_sec, (gint32)phdr->ts.tv_usec,
3590 phdr->caplen, phdr->len,
3592 &global_ld.bytes_written, &err);
3595 global_ld.go = FALSE;
3596 global_ld.err = err;
3597 pcap_opts->dropped++;
3599 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3600 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3601 "Wrote a packet of length %d captured on interface %u.",
3602 phdr->caplen, pcap_opts->interface_id);
3604 global_ld.packet_count++;
3605 pcap_opts->received++;
3606 /* if the user told us to stop after x packets, do we already have enough? */
3607 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3608 global_ld.go = FALSE;
3614 /* one packet was captured, queue it */
3616 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3619 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3620 pcap_queue_element *queue_element;
3621 gboolean limit_reached;
3623 /* We may be called multiple times from pcap_dispatch(); if we've set
3624 the "stop capturing" flag, ignore this packet, as we're not
3625 supposed to be saving any more packets. */
3626 if (!global_ld.go) {
3627 pcap_opts->flushed++;
3631 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3632 if (queue_element == NULL) {
3633 pcap_opts->dropped++;
3636 queue_element->pcap_opts = pcap_opts;
3637 queue_element->phdr = *phdr;
3638 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3639 if (queue_element->pd == NULL) {
3640 pcap_opts->dropped++;
3641 g_free(queue_element);
3644 memcpy(queue_element->pd, pd, phdr->caplen);
3645 g_async_queue_lock(pcap_queue);
3646 if (((pcap_queue_byte_limit == 0) || (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3647 ((pcap_queue_packet_limit == 0) || (pcap_queue_packets < pcap_queue_packet_limit))) {
3648 limit_reached = FALSE;
3649 g_async_queue_push_unlocked(pcap_queue, queue_element);
3650 pcap_queue_bytes += phdr->caplen;
3651 pcap_queue_packets += 1;
3653 limit_reached = TRUE;
3655 g_async_queue_unlock(pcap_queue);
3656 if (limit_reached) {
3657 pcap_opts->dropped++;
3658 g_free(queue_element->pd);
3659 g_free(queue_element);
3660 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3661 "Dropped a packet of length %d captured on interface %u.",
3662 phdr->caplen, pcap_opts->interface_id);
3664 pcap_opts->received++;
3665 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3666 "Queued a packet of length %d captured on interface %u.",
3667 phdr->caplen, pcap_opts->interface_id);
3669 /* I don't want to hold the mutex over the debug output. So the
3670 output may be wrong */
3671 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3672 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3673 pcap_queue_bytes, pcap_queue_packets);
3677 set_80211_channel(const char *iface, const char *opt)
3681 int center_freq1 = -1;
3682 int center_freq2 = -1;
3685 gchar **options = NULL;
3687 options = g_strsplit_set(opt, ",", 4);
3688 for (args = 0; options[args]; args++);
3691 freq = get_positive_int(options[0], "802.11 channel frequency");
3693 if (args >= 1 && options[1]) {
3694 type = ws80211_str_to_chan_type(options[1]);
3696 cmdarg_err("\"%s\" is not a valid 802.11 channel type", options[1]);
3702 if (args >= 2 && options[2])
3703 center_freq1 = get_positive_int(options[2], "VHT center frequency");
3705 if (args >= 3 && options[3])
3706 center_freq2 = get_positive_int(options[3], "VHT center frequency 2");
3708 ret = ws80211_init();
3710 cmdarg_err("%d: Failed to init ws80211: %s\n", abs(ret), g_strerror(abs(ret)));
3714 ret = ws80211_set_freq(iface, freq, type, center_freq1, center_freq2);
3717 cmdarg_err("%d: Failed to set channel: %s\n", abs(ret), g_strerror(abs(ret)));
3723 pipe_write_block(2, SP_SUCCESS, NULL);
3727 g_strfreev(options);
3732 get_dumpcap_compiled_info(GString *str)
3734 /* Capture libraries */
3735 g_string_append(str, ", ");
3736 get_compiled_caplibs_version(str);
3740 get_dumpcap_runtime_info(GString *str)
3742 /* Capture libraries */
3743 g_string_append(str, ", ");
3744 get_runtime_caplibs_version(str);
3747 /* And now our feature presentation... [ fade to music ] */
3749 main(int argc, char *argv[])
3751 GString *comp_info_str;
3752 GString *runtime_info_str;
3754 static const struct option long_options[] = {
3755 {"help", no_argument, NULL, 'h'},
3756 {"version", no_argument, NULL, 'v'},
3757 LONGOPT_CAPTURE_COMMON
3761 gboolean arg_error = FALSE;
3766 struct sigaction action, oldaction;
3769 gboolean start_capture = TRUE;
3770 gboolean stats_known;
3771 struct pcap_stat stats;
3772 GLogLevelFlags log_flags;
3773 gboolean list_interfaces = FALSE;
3774 gboolean list_link_layer_types = FALSE;
3775 #ifdef HAVE_BPF_IMAGE
3776 gboolean print_bpf_code = FALSE;
3778 gboolean set_chan = FALSE;
3779 gchar *set_chan_arg = NULL;
3780 gboolean machine_readable = FALSE;
3781 gboolean print_statistics = FALSE;
3782 int status, run_once_args = 0;
3785 #if defined(__APPLE__) && defined(__LP64__)
3786 struct utsname osinfo;
3790 cmdarg_err_init(dumpcap_cmdarg_err, dumpcap_cmdarg_err_cont);
3792 /* Get the compile-time version information string */
3793 comp_info_str = get_compiled_version_info(NULL, get_dumpcap_compiled_info);
3795 /* Get the run-time version information string */
3796 runtime_info_str = get_runtime_version_info(get_dumpcap_runtime_info);
3798 /* Add it to the information to be reported on a crash. */
3799 ws_add_crash_info("Dumpcap (Wireshark) %s\n"
3804 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
3807 arg_list_utf_16to8(argc, argv);
3808 create_app_running_mutex();
3811 * Initialize our DLL search path. MUST be called before LoadLibrary
3814 ws_init_dll_search_path();
3817 #ifdef HAVE_BPF_IMAGE
3818 #define OPTSTRING_d "d"
3820 #define OPTSTRING_d ""
3823 #ifdef HAVE_PCAP_REMOTE
3824 #define OPTSTRING_r "r"
3825 #define OPTSTRING_u "u"
3827 #define OPTSTRING_r ""
3828 #define OPTSTRING_u ""
3831 #ifdef HAVE_PCAP_SETSAMPLING
3832 #define OPTSTRING_m "m:"
3834 #define OPTSTRING_m ""
3837 #define OPTSTRING OPTSTRING_CAPTURE_COMMON "C:" OPTSTRING_d "gh" "k:" OPTSTRING_m "MN:nPq" OPTSTRING_r "St" OPTSTRING_u "vw:Z:"
3839 #ifdef DEBUG_CHILD_DUMPCAP
3840 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3841 fprintf (stderr, "Unable to open debug log file .\n");
3846 #if defined(__APPLE__) && defined(__LP64__)
3848 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3849 * a bug workaround - timeouts less than 1 second don't work with libpcap
3850 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3851 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3852 * The problem is extremely unlikely to be reintroduced in a future
3855 if (uname(&osinfo) == 0) {
3857 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3858 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3859 * number of 10.0.0, not 10.1.0 - go figure).
3861 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3862 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3863 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3864 need_timeout_workaround = TRUE;
3869 * Determine if dumpcap is being requested to run in a special
3870 * capture_child mode by going thru the command line args to see if
3871 * a -Z is present. (-Z is a hidden option).
3873 * The primary result of running in capture_child mode is that
3874 * all messages sent out on stderr are in a special type/len/string
3875 * format to allow message processing by type. These messages include
3876 * error messages if dumpcap fails to start the operation it was
3877 * requested to do, as well as various "status" messages which are sent
3878 * when an actual capture is in progress, and a "success" message sent
3879 * if dumpcap was requested to perform an operation other than a
3882 * Capture_child mode would normally be requested by a parent process
3883 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3884 * to which dumpcap stderr has been redirected. It might also have
3885 * another pipe to obtain dumpcap stdout output; for operations other
3886 * than a capture, that information is formatted specially for easier
3887 * parsing by the parent process.
3889 * Capture_child mode needs to be determined immediately upon
3890 * startup so that any messages generated by dumpcap in this mode
3891 * (eg: during initialization) will be formatted properly.
3894 for (i=1; i<argc; i++) {
3895 if (strcmp("-Z", argv[i]) == 0) {
3896 capture_child = TRUE;
3897 machine_readable = TRUE; /* request machine-readable output */
3899 /* set output pipe to binary mode, to avoid ugly text conversions */
3900 _setmode(2, O_BINARY);
3905 /* The default_log_handler will use stdout, which makes trouble in */
3906 /* capture child mode, as it uses stdout for its sync_pipe. */
3907 /* So: the filtering is done in the console_log_handler and not here.*/
3908 /* We set the log handlers right up front to make sure that any log */
3909 /* messages when running as child will be sent back to the parent */
3910 /* with the correct format. */
3915 G_LOG_LEVEL_CRITICAL|
3916 G_LOG_LEVEL_WARNING|
3917 G_LOG_LEVEL_MESSAGE|
3921 G_LOG_FLAG_RECURSION);
3923 g_log_set_handler(NULL,
3925 console_log_handler, NULL /* user_data */);
3926 g_log_set_handler(LOG_DOMAIN_MAIN,
3928 console_log_handler, NULL /* user_data */);
3929 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3931 console_log_handler, NULL /* user_data */);
3932 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3934 console_log_handler, NULL /* user_data */);
3936 /* Initialize the pcaps list */
3937 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
3939 #if !GLIB_CHECK_VERSION(2,31,0)
3940 /* Initialize the thread system */
3941 g_thread_init(NULL);
3945 /* Load wpcap if possible. Do this before collecting the run-time version information */
3948 /* ... and also load the packet.dll from wpcap */
3949 /* XXX - currently not required, may change later. */
3950 /*wpcap_packet_load();*/
3952 /* Start windows sockets */
3953 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3955 /* Set handler for Ctrl+C key */
3956 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3958 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3959 and exit. Do the same with SIGPIPE, in case, for example,
3960 we're writing to our standard output and it's a pipe.
3961 Do the same with SIGHUP if it's not being ignored (if we're
3962 being run under nohup, it might be ignored, in which case we
3963 should leave it ignored).
3965 XXX - apparently, Coverity complained that part of action
3966 wasn't initialized. Perhaps it's running on Linux, where
3967 struct sigaction has an ignored "sa_restorer" element and
3968 where "sa_handler" and "sa_sigaction" might not be two
3969 members of a union. */
3970 memset(&action, 0, sizeof(action));
3971 action.sa_handler = capture_cleanup_handler;
3973 * Arrange that system calls not get restarted, because when
3974 * our signal handler returns we don't want to restart
3975 * a call that was waiting for packets to arrive.
3977 action.sa_flags = 0;
3978 sigemptyset(&action.sa_mask);
3979 sigaction(SIGTERM, &action, NULL);
3980 sigaction(SIGINT, &action, NULL);
3981 sigaction(SIGPIPE, &action, NULL);
3982 sigaction(SIGHUP, NULL, &oldaction);
3983 if (oldaction.sa_handler == SIG_DFL)
3984 sigaction(SIGHUP, &action, NULL);
3987 /* Catch SIGINFO and, if we get it and we're capturing in
3988 quiet mode, report the number of packets we've captured. */
3989 action.sa_handler = report_counts_siginfo;
3990 action.sa_flags = SA_RESTART;
3991 sigemptyset(&action.sa_mask);
3992 sigaction(SIGINFO, &action, NULL);
3993 #endif /* SIGINFO */
3997 enable_kernel_bpf_jit_compiler();
4000 /* ----------------------------------------------------------------- */
4001 /* Privilege and capability handling */
4003 /* 1. Running not as root or suid root; no special capabilities. */
4006 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4009 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4011 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4012 /* capabilities; Drop all other capabilities; */
4013 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4014 /* else: after pcap_open_live() in capture_loop_open_input() */
4015 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4016 /* (Note: this means that the process, although logged in */
4017 /* as root, does not have various permissions such as the */
4018 /* ability to bypass file access permissions). */
4019 /* XXX: Should we just leave capabilities alone in this case */
4020 /* so that user gets expected effect that root can do */
4023 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4025 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4026 /* else: after pcap_open_live() in capture_loop_open_input() */
4027 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4028 /* pcap_open_live). */
4030 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4032 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4033 /* capabilities; Drop all other capabilities; */
4034 /* Drop suid privileges (euid=ruid); */
4035 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4036 /* else: after pcap_open_live() in capture_loop_open_input() */
4037 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4039 /* XXX: For some Linux versions/distros with capabilities */
4040 /* a 'normal' process with any capabilities cannot be */
4041 /* 'killed' (signaled) from another (same uid) non-privileged */
4043 /* For example: If (non-suid) Wireshark forks a */
4044 /* child suid dumpcap which acts as described here (case 5), */
4045 /* Wireshark will be unable to kill (signal) the child */
4046 /* dumpcap process until the capabilities have been dropped */
4047 /* (after pcap_open_live()). */
4048 /* This behaviour will apparently be changed in the kernel */
4049 /* to allow the kill (signal) in this case. */
4050 /* See the following for details: */
4051 /* https://www.mail-archive.com/ [wrapped] */
4052 /* linux-security-module@vger.kernel.org/msg02913.html */
4054 /* It is therefore conceivable that if dumpcap somehow hangs */
4055 /* in pcap_open_live or before that wireshark will not */
4056 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4057 /* In this case, exiting wireshark will kill the child */
4058 /* dumpcap process. */
4060 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4061 /* capabilities; Using libcap. Note: capset cmd (which see) */
4062 /* used to assign capabilities to file. */
4064 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4065 /* else: after pcap_open_live() in capture_loop_open_input() */
4066 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4068 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4069 /* longer required (similar to capture). */
4071 /* ----------------------------------------------------------------- */
4073 init_process_policies();
4076 /* If 'started with special privileges' (and using libcap) */
4077 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4078 /* Set euid/egid = ruid/rgid to remove suid privileges */
4079 relinquish_privs_except_capture();
4082 /* Set the initial values in the capture options. This might be overwritten
4083 by the command line parameters. */
4084 capture_opts_init(&global_capture_opts);
4085 /* We always save to a file - if no file was specified, we save to a
4087 global_capture_opts.saving_to_file = TRUE;
4088 global_capture_opts.has_ring_num_files = TRUE;
4090 /* Pass on capture_child mode for capture_opts */
4091 global_capture_opts.capture_child = capture_child;
4093 /* Now get our args */
4094 while ((opt = getopt_long(argc, argv, OPTSTRING, long_options, NULL)) != -1) {
4096 case 'h': /* Print help and exit */
4097 printf("Dumpcap (Wireshark) %s\n"
4098 "Capture network packets and dump them into a pcapng or pcap file.\n"
4099 "See https://www.wireshark.org for more information.\n",
4100 get_ws_vcs_version_info());
4101 print_usage(stdout);
4104 case 'v': /* Show version and exit */
4106 show_version("Dumpcap (Wireshark)", comp_info_str, runtime_info_str);
4107 g_string_free(comp_info_str, TRUE);
4108 g_string_free(runtime_info_str, TRUE);
4112 /*** capture option specific ***/
4113 case 'a': /* autostop criteria */
4114 case 'b': /* Ringbuffer option */
4115 case 'c': /* Capture x packets */
4116 case 'f': /* capture filter */
4117 case 'g': /* enable group read access on file(s) */
4118 case 'i': /* Use interface x */
4119 case 'n': /* Use pcapng format */
4120 case 'p': /* Don't capture in promiscuous mode */
4121 case 'P': /* Use pcap format */
4122 case 's': /* Set the snapshot (capture) length */
4123 case 'w': /* Write to capture file x */
4124 case 'y': /* Set the pcap data link type */
4125 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
4126 #ifdef HAVE_PCAP_REMOTE
4127 case 'u': /* Use UDP for data transfer */
4128 case 'r': /* Capture own RPCAP traffic too */
4129 case 'A': /* Authentication */
4131 #ifdef HAVE_PCAP_SETSAMPLING
4132 case 'm': /* Sampling */
4134 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
4135 case 'B': /* Buffer size */
4137 #ifdef HAVE_PCAP_CREATE
4138 case 'I': /* Monitor mode */
4140 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4145 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4147 capture_child = TRUE;
4149 /* set output pipe to binary mode, to avoid ugly text conversions */
4150 _setmode(2, O_BINARY);
4152 * optarg = the control ID, aka the PPID, currently used for the
4155 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4156 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4157 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4158 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4160 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4161 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4162 "Signal pipe: Unable to open %s. Dead parent?",
4170 case 'q': /* Quiet */
4176 /*** all non capture option specific ***/
4177 case 'D': /* Print a list of capture devices and exit */
4178 if (!list_interfaces) {
4179 list_interfaces = TRUE;
4183 case 'L': /* Print list of link-layer types and exit */
4184 if (!list_link_layer_types) {
4185 list_link_layer_types = TRUE;
4189 #ifdef HAVE_BPF_IMAGE
4190 case 'd': /* Print BPF code for capture filter and exit */
4191 if (!print_bpf_code) {
4192 print_bpf_code = TRUE;
4197 case 'S': /* Print interface statistics once a second */
4198 if (!print_statistics) {
4199 print_statistics = TRUE;
4203 case 'k': /* Set wireless channel */
4206 set_chan_arg = optarg;
4209 cmdarg_err("Only one -k flag may be specified");
4213 case 'M': /* For -D, -L, and -S, print machine-readable output */
4214 machine_readable = TRUE;
4217 pcap_queue_byte_limit = get_positive_int(optarg, "byte_limit");
4220 pcap_queue_packet_limit = get_positive_int(optarg, "packet_limit");
4223 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4225 case '?': /* Bad flag - print usage message */
4234 /* user specified file name as regular command-line argument */
4235 /* XXX - use it as the capture file name (or something else)? */
4241 * Extra command line arguments were specified; complain.
4242 * XXX - interpret as capture filter, as tcpdump and tshark do?
4244 cmdarg_err("Invalid argument: %s", argv[0]);
4249 if ((pcap_queue_byte_limit > 0) || (pcap_queue_packet_limit > 0)) {
4252 if ((pcap_queue_byte_limit == 0) && (pcap_queue_packet_limit == 0)) {
4253 /* Use some default if the user hasn't specified some */
4254 /* XXX: Are these defaults good enough? */
4255 pcap_queue_byte_limit = 1000 * 1000;
4256 pcap_queue_packet_limit = 1000;
4259 print_usage(stderr);
4263 if (run_once_args > 1) {
4264 #ifdef HAVE_BPF_IMAGE
4265 cmdarg_err("Only one of -D, -L, -d, -k, or -S may be supplied.");
4267 cmdarg_err("Only one of -D, -L, -k, or -S may be supplied.");
4270 } else if (run_once_args == 1) {
4271 /* We're supposed to print some information, rather than
4272 to capture traffic; did they specify a ring buffer option? */
4273 if (global_capture_opts.multi_files_on) {
4274 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4278 /* We're supposed to capture traffic; */
4280 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4281 if (global_capture_opts.ifaces->len > 1) {
4283 global_capture_opts.use_pcapng = TRUE;
4286 if (global_capture_opts.capture_comment &&
4287 (!global_capture_opts.use_pcapng || global_capture_opts.multi_files_on)) {
4288 /* XXX - for ringbuffer, should we apply the comment to each file? */
4289 cmdarg_err("A capture comment can only be set if we capture into a single pcapng file.");
4293 /* Was the ring buffer option specified and, if so, does it make sense? */
4294 if (global_capture_opts.multi_files_on) {
4295 /* Ring buffer works only under certain conditions:
4296 a) ring buffer does not work with temporary files;
4297 b) it makes no sense to enable the ring buffer if the maximum
4298 file size is set to "infinite". */
4299 if (global_capture_opts.save_file == NULL) {
4300 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4301 global_capture_opts.multi_files_on = FALSE;
4303 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4304 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4306 /* XXX - this must be redesigned as the conditions changed */
4307 global_capture_opts.multi_files_on = FALSE;
4314 * "-D" requires no interface to be selected; it's supposed to list
4317 if (list_interfaces) {
4318 /* Get the list of interfaces */
4323 if_list = capture_interface_list(&err, &err_str,NULL);
4324 if (if_list == NULL) {
4327 * If we're being run by another program, just give them
4328 * an empty list of interfaces, don't report this as
4329 * an error; that lets them decide whether to report
4330 * this as an error or not.
4332 if (!machine_readable) {
4333 cmdarg_err("There are no interfaces on which a capture can be done");
4337 cmdarg_err("%s", err_str);
4343 if (machine_readable) /* tab-separated values to stdout */
4344 print_machine_readable_interfaces(if_list);
4346 capture_opts_print_interfaces(if_list);
4347 free_interface_list(if_list);
4352 * "-S" requires no interface to be selected; it gives statistics
4353 * for all interfaces.
4355 if (print_statistics) {
4356 status = print_statistics_loop(machine_readable);
4361 interface_options interface_opts;
4363 if (global_capture_opts.ifaces->len != 1) {
4364 cmdarg_err("Need one interface");
4368 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, 0);
4369 status = set_80211_channel(interface_opts.name, set_chan_arg);
4374 * "-L", "-d", and capturing act on a particular interface, so we have to
4375 * have an interface; if none was specified, pick a default.
4377 status = capture_opts_default_iface_if_necessary(&global_capture_opts, NULL);
4379 /* cmdarg_err() already called .... */
4383 if (list_link_layer_types) {
4384 /* Get the list of link-layer types for the capture device. */
4385 if_capabilities_t *caps;
4389 for (ii = 0; ii < global_capture_opts.ifaces->len; ii++) {
4390 interface_options interface_opts;
4392 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, ii);
4394 caps = get_if_capabilities(&interface_opts, &err_str);
4396 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4397 "Please check to make sure you have sufficient permissions, and that\n"
4398 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4402 if (caps->data_link_types == NULL) {
4403 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4406 if (machine_readable) /* tab-separated values to stdout */
4407 /* XXX: We need to change the format and adopt consumers */
4408 print_machine_readable_if_capabilities(caps);
4410 /* XXX: We might want to print also the interface name */
4411 capture_opts_print_if_capabilities(caps, interface_opts.name,
4412 interface_opts.monitor_mode);
4413 free_if_capabilities(caps);
4418 /* We're supposed to do a capture, or print the BPF code for a filter. */
4420 /* Let the user know what interfaces were chosen. */
4421 if (capture_child) {
4422 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4423 interface_options interface_opts;
4425 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4426 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4427 interface_opts.name);
4430 str = g_string_new("");
4432 if (global_capture_opts.ifaces->len < 2)
4434 if (global_capture_opts.ifaces->len < 4)
4437 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4438 interface_options interface_opts;
4440 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4442 if (global_capture_opts.ifaces->len > 2) {
4443 g_string_append_printf(str, ",");
4445 g_string_append_printf(str, " ");
4446 if (j == global_capture_opts.ifaces->len - 1) {
4447 g_string_append_printf(str, "and ");
4450 g_string_append_printf(str, "'%s'", interface_opts.console_display_name);
4453 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4455 fprintf(stderr, "Capturing on %s\n", str->str);
4456 g_string_free(str, TRUE);
4459 /* Process the snapshot length, as that affects the generated BPF code. */
4460 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4462 #ifdef HAVE_BPF_IMAGE
4463 if (print_bpf_code) {
4464 show_filter_code(&global_capture_opts);
4469 /* We're supposed to do a capture. Process the ring buffer arguments. */
4470 capture_opts_trim_ring_num_files(&global_capture_opts);
4472 /* flush stderr prior to starting the main capture loop */
4475 /* Now start the capture. */
4476 if (capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4480 /* capture failed */
4483 return 0; /* never here, make compiler happy */
4488 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4489 const char *message, gpointer user_data _U_)
4496 /* ignore log message, if log_level isn't interesting */
4497 if ( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4498 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4503 /* create a "timestamp" */
4505 today = localtime(&curr);
4507 switch(log_level & G_LOG_LEVEL_MASK) {
4508 case G_LOG_LEVEL_ERROR:
4511 case G_LOG_LEVEL_CRITICAL:
4514 case G_LOG_LEVEL_WARNING:
4517 case G_LOG_LEVEL_MESSAGE:
4520 case G_LOG_LEVEL_INFO:
4523 case G_LOG_LEVEL_DEBUG:
4527 fprintf(stderr, "unknown log_level %d\n", log_level);
4529 g_assert_not_reached();
4532 /* Generate the output message */
4533 if (log_level & G_LOG_LEVEL_MESSAGE) {
4534 /* normal user messages without additional infos */
4535 msg = g_strdup_printf("%s\n", message);
4537 /* info/debug messages with additional infos */
4538 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4539 today->tm_hour, today->tm_min, today->tm_sec,
4540 log_domain != NULL ? log_domain : "",
4544 /* DEBUG & INFO msgs (if we're debugging today) */
4545 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4546 if ( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4547 #ifdef DEBUG_DUMPCAP
4548 fprintf(stderr, "%s", msg);
4551 #ifdef DEBUG_CHILD_DUMPCAP
4552 fprintf(debug_log, "%s", msg);
4560 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4561 /* to parent especially formatted if dumpcap running as child. */
4562 if (capture_child) {
4563 sync_pipe_errmsg_to_parent(2, msg, "");
4565 fprintf(stderr, "%s", msg);
4572 /****************************************************************************************************************/
4573 /* indication report routines */
4577 report_packet_count(unsigned int packet_count)
4579 char tmp[SP_DECISIZE+1+1];
4580 static unsigned int count = 0;
4582 if (capture_child) {
4583 g_snprintf(tmp, sizeof(tmp), "%u", packet_count);
4584 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4585 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4587 count += packet_count;
4588 fprintf(stderr, "\rPackets: %u ", count);
4589 /* stderr could be line buffered */
4595 report_new_capture_file(const char *filename)
4597 if (capture_child) {
4598 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4599 pipe_write_block(2, SP_FILE, filename);
4603 * Prevent a SIGINFO handler from writing to the standard error
4604 * while we're doing so; instead, have it just set a flag telling
4605 * us to print that information when we're done.
4608 #endif /* SIGINFO */
4609 fprintf(stderr, "File: %s\n", filename);
4610 /* stderr could be line buffered */
4615 * Allow SIGINFO handlers to write.
4620 * If a SIGINFO handler asked us to write out capture counts, do so.
4623 report_counts_for_siginfo();
4624 #endif /* SIGINFO */
4629 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4631 interface_options interface_opts;
4632 char tmp[MSG_MAX_LENGTH+1+6];
4634 if (i < capture_opts->ifaces->len) {
4635 if (capture_child) {
4636 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4637 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4638 pipe_write_block(2, SP_BAD_FILTER, tmp);
4641 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4642 * the error message below.
4644 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4646 "Invalid capture filter \"%s\" for interface '%s'.\n"
4648 "That string isn't a valid capture filter (%s).\n"
4649 "See the User's Guide for a description of the capture filter syntax.",
4650 interface_opts.cfilter, interface_opts.name, errmsg);
4656 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4658 if (capture_child) {
4659 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4660 "Primary Error: %s", error_msg);
4661 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4662 "Secondary Error: %s", secondary_error_msg);
4663 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4665 cmdarg_err("%s", error_msg);
4666 if (secondary_error_msg[0] != '\0')
4667 cmdarg_err_cont("%s", secondary_error_msg);
4672 report_packet_drops(guint32 received, guint32 pcap_drops, guint32 drops, guint32 flushed, guint32 ps_ifdrop, gchar *name)
4674 char tmp[SP_DECISIZE+1+1];
4675 guint32 total_drops = pcap_drops + drops + flushed;
4677 g_snprintf(tmp, sizeof(tmp), "%u", total_drops);
4679 if (capture_child) {
4680 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4681 "Packets received/dropped on interface '%s': %u/%u (pcap:%u/dumpcap:%u/flushed:%u/ps_ifdrop:%u)",
4682 name, received, total_drops, pcap_drops, drops, flushed, ps_ifdrop);
4683 /* XXX: Need to provide interface id, changes to consumers required. */
4684 pipe_write_block(2, SP_DROPS, tmp);
4687 "Packets received/dropped on interface '%s': %u/%u (pcap:%u/dumpcap:%u/flushed:%u/ps_ifdrop:%u) (%.1f%%)\n",
4688 name, received, total_drops, pcap_drops, drops, flushed, ps_ifdrop,
4689 received ? 100.0 * received / (received + total_drops) : 0.0);
4690 /* stderr could be line buffered */
4696 /************************************************************************************************/
4697 /* signal_pipe handling */
4702 signal_pipe_check_running(void)
4704 /* any news from our parent? -> just stop the capture */
4708 /* if we are running standalone, no check required */
4709 if (!capture_child) {
4713 if (!sig_pipe_name || !sig_pipe_handle) {
4714 /* This shouldn't happen */
4715 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4716 "Signal pipe: No name or handle");
4721 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4722 * at this point. Should we check to see if the parent is still alive,
4723 * e.g. by using OpenProcess?
4726 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4728 if (!result || avail > 0) {
4729 /* peek failed or some bytes really available */
4730 /* (if not piping from stdin this would fail) */
4731 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4732 "Signal pipe: Stop capture: %s", sig_pipe_name);
4733 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4734 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4735 sig_pipe_handle, result, avail);
4738 /* pipe ok and no bytes available */
4745 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4750 * indent-tabs-mode: nil
4753 * vi: set shiftwidth=4 tabstop=8 expandtab:
4754 * :indentSize=4:tabSize=8:noTabs=true: