2 * packet tap interface 2002 Ronnie Sahlberg
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License
10 * as published by the Free Software Foundation; either version 2
11 * of the License, or (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #ifdef HAVE_SYS_TYPES_H
28 # include <sys/types.h>
31 #ifdef HAVE_NETINET_IN_H
32 # include <netinet/in.h>
36 #include <epan/packet_info.h>
37 #include <epan/dfilter/dfilter.h>
40 static gboolean tapping_is_active=FALSE;
42 typedef struct _tap_dissector_t {
43 struct _tap_dissector_t *next;
46 static tap_dissector_t *tap_dissector_list=NULL;
49 * This is the list of free and used packets queued for a tap.
50 * It is implemented here explicitly instead of using GLib objects
51 * in order to be as fast as possible as we need to build and tear down the
52 * queued list at least once for each packet we see and thus we must be able
53 * to build and tear it down as fast as possible.
55 * XXX - some fields in packet_info get overwritten in the dissection
56 * process, such as the addresses and the "this is an error packet" flag.
57 * A packet may be queued at multiple protocol layers, but the packet_info
58 * structure will, when the tap listeners are run, contain the values as
59 * set by the topmost protocol layers.
61 * This means that the tap listener code can't rely on pinfo->flags.in_error_pkt
62 * to determine whether the packet should be handed to the listener, as, for
63 * a protocol with error report packets that include a copy of the
64 * packet in error (ICMP, ICMPv6, CLNP), that flag changes during the
65 * processing of the packet depending on whether we're currently dissecting
66 * the packet in error or not.
69 * It also means that a tap listener can't depend on the source and destination
70 * addresses being the correct ones for the packet being processed if, for
71 * example, you have some tunneling that causes multiple layers of the same
74 * For now, we handle the error packet flag by setting a bit in the flags
75 * field of the tap_packet_t structure. We may ultimately want stacks of
76 * addresses for this and other reasons.
78 typedef struct _tap_packet_t {
82 const void *tap_specific_data;
85 #define TAP_PACKET_IS_ERROR_PACKET 0x00000001 /* packet being queued is an error packet */
87 #define TAP_PACKET_QUEUE_LEN 5000
88 static tap_packet_t tap_packet_array[TAP_PACKET_QUEUE_LEN];
89 static guint tap_packet_index;
91 typedef struct _tap_listener_t {
92 struct _tap_listener_t *next;
94 gboolean needs_redraw;
102 static volatile tap_listener_t *tap_listener_queue=NULL;
108 #include <wsutil/plugins.h>
111 * List of tap plugins.
114 void (*register_tap_listener_fn)(void); /* routine to call to register tap listener */
117 static GSList *tap_plugins = NULL;
120 * Callback for each plugin found.
123 check_for_tap_plugin(GModule *handle)
126 void (*register_tap_listener_fn)(void);
130 * Do we have a register_tap_listener routine?
132 if (!g_module_symbol(handle, "plugin_register_tap_listener", &gp)) {
133 /* No, so this isn't a tap plugin. */
138 * Yes - this plugin includes one or more taps.
140 register_tap_listener_fn = (void (*)(void))gp;
143 * Add this one to the list of tap plugins.
145 plugin = (tap_plugin *)g_malloc(sizeof (tap_plugin));
146 plugin->register_tap_listener_fn = register_tap_listener_fn;
147 tap_plugins = g_slist_append(tap_plugins, plugin);
152 register_tap_plugin_type(void)
154 add_plugin_type("tap", check_for_tap_plugin);
158 register_tap_plugin_listener(gpointer data, gpointer user_data _U_)
160 tap_plugin *plugin = (tap_plugin *)data;
162 (plugin->register_tap_listener_fn)();
166 * For all tap plugins, call their register routines.
169 register_all_plugin_tap_listeners(void)
171 g_slist_foreach(tap_plugins, register_tap_plugin_listener, NULL);
173 #endif /* HAVE_PLUGINS */
175 /* **********************************************************************
176 * Init routine only called from epan at application startup
177 * ********************************************************************** */
178 /* This function is called once when wireshark starts up and is used
179 to init any data structures we may need later.
187 /* **********************************************************************
188 * Functions called from dissector when made tappable
189 * ********************************************************************** */
190 /* the following two functions are used from dissectors to
191 1. register the ability to tap packets from this subdissector
192 2. push packets encountered by the subdissector to anyone tapping
195 /* This function registers that a dissector has the packet tap ability
196 available. The name parameter is the name of this tap and extensions can
197 use open_tap(char *name,... to specify that it wants to receive packets/
198 events from this tap.
200 This function is only to be called once, when the dissector initializes.
202 The return value from this call is later used as a parameter to the
203 tap_packet(unsigned int *tap_id,...
204 call so that the tap subsystem knows to which tap point this tapped
205 packet is associated.
208 register_tap(const char *name)
210 tap_dissector_t *td, *tdl;
213 if(tap_dissector_list){
214 tap_id=find_tap_id(name);
219 td=(tap_dissector_t *)g_malloc(sizeof(tap_dissector_t));
221 td->name = g_strdup(name);
223 if(!tap_dissector_list){
224 tap_dissector_list=td;
227 for(i=2,tdl=tap_dissector_list;tdl->next;i++,tdl=tdl->next)
235 /* Everytime the dissector has finished dissecting a packet (and all
236 subdissectors have returned) and if the dissector has been made "tappable"
237 it will push some data to everyone tapping this layer by a call
238 to tap_queue_packet().
239 The first parameter is the tap_id returned by the register_tap()
240 call for this dissector (so the tap system can keep track of who it came
241 from and who is listening to it)
242 The second is the packet_info structure which many tap readers will find
244 The third argument is specific to each tap point or NULL if no additional
245 data is available to this tap. A tap point in say IP will probably want to
246 push the IP header structure here. Same thing for TCP and ONCRPC.
248 The pinfo and the specific pointer are what is supplied to every listener
249 in the read_callback() call made to every one currently listening to this
252 The tap reader is responsible to know how to parse any structure pointed
253 to by the tap specific data pointer.
256 tap_queue_packet(int tap_id, packet_info *pinfo, const void *tap_specific_data)
260 if(!tapping_is_active){
264 * XXX - should we allocate this with an ep_allocator,
265 * rather than having a fixed maximum number of entries?
267 if(tap_packet_index >= TAP_PACKET_QUEUE_LEN){
268 g_warning("Too many taps queued");
272 tpt=&tap_packet_array[tap_packet_index];
275 if (pinfo->flags.in_error_pkt)
276 tpt->flags |= TAP_PACKET_IS_ERROR_PACKET;
278 tpt->tap_specific_data=tap_specific_data;
286 /* **********************************************************************
287 * Functions used by file.c to drive the tap subsystem
288 * ********************************************************************** */
290 void tap_build_interesting (epan_dissect_t *edt)
294 /* nothing to do, just return */
295 if(!tap_listener_queue){
299 /* loop over all tap listeners and build the list of all
300 interesting hf_fields */
301 for(tl=(tap_listener_t *)tap_listener_queue;tl;tl=tl->next){
303 epan_dissect_prime_dfilter(edt, tl->code);
308 /* This function is used to delete/initialize the tap queue and prime an
309 epan_dissect_t with all the filters for tap listeners.
310 To free the tap queue, we just prepend the used queue to the free queue.
313 tap_queue_init(epan_dissect_t *edt)
315 /* nothing to do, just return */
316 if(!tap_listener_queue){
320 tapping_is_active=TRUE;
324 tap_build_interesting (edt);
327 /* this function is called after a packet has been fully dissected to push the tapped
328 data to all extensions that has callbacks registered.
331 tap_push_tapped_queue(epan_dissect_t *edt)
337 /* nothing to do, just return */
338 if(!tapping_is_active){
342 tapping_is_active=FALSE;
344 /* nothing to do, just return */
345 if(!tap_packet_index){
349 /* loop over all tap listeners and call the listener callback
350 for all packets that match the filter. */
351 for(i=0;i<tap_packet_index;i++){
352 for(tl=(tap_listener_t *)tap_listener_queue;tl;tl=tl->next){
353 tp=&tap_packet_array[i];
354 /* Don't tap the packet if it's an "error" unless the listener tells us to */
355 if (!(tp->flags & TAP_PACKET_IS_ERROR_PACKET) || (tl->flags & TL_REQUIRES_ERROR_PACKETS))
357 if(tp->tap_id==tl->tap_id){
358 gboolean passed=TRUE;
360 passed=dfilter_apply_edt(tl->code, edt);
362 if(passed && tl->packet){
363 tl->needs_redraw|=tl->packet(tl->tapdata, tp->pinfo, edt, tp->tap_specific_data);
372 /* This function can be used by a dissector to fetch any tapped data before
374 * This can be useful if one wants to extract the data inside dissector BEFORE
375 * it exists as an alternative to the callbacks that are all called AFTER the
376 * dissection has completed.
378 * Example: SMB2 uses this mechanism to extract the data tapped from NTLMSSP
379 * containing the account and domain names before exiting.
380 * Note that the SMB2 tap listener specifies all three callbacks as NULL.
382 * Beware: when using this mechanism to extract the tapped data you can not
383 * use "filters" and should specify the "filter" as NULL when registering
387 fetch_tapped_data(int tap_id, int idx)
392 /* nothing to do, just return */
393 if(!tapping_is_active){
397 /* nothing to do, just return */
398 if(!tap_packet_index){
402 /* loop over all tapped packets and return the one with index idx */
403 for(i=0;i<tap_packet_index;i++){
404 tp=&tap_packet_array[i];
405 if(tp->tap_id==tap_id){
407 return tp->tap_specific_data;
415 /* This function is called when we need to reset all tap listeners, for example
416 when we open/start a new capture or if we need to rescan the packet list.
419 reset_tap_listeners(void)
423 for(tl=(tap_listener_t *)tap_listener_queue;tl;tl=tl->next){
425 tl->reset(tl->tapdata);
427 tl->needs_redraw=TRUE;
433 /* This function is called when we need to redraw all tap listeners, for example
434 when we open/start a new capture or if we need to rescan the packet list.
435 It should be called from a low priority thread say once every 3 seconds
437 If draw_all is true, redraw all aplications regardless if they have
441 draw_tap_listeners(gboolean draw_all)
445 for(tl=(tap_listener_t *)tap_listener_queue;tl;tl=tl->next){
446 if(tl->needs_redraw || draw_all){
448 tl->draw(tl->tapdata);
451 tl->needs_redraw=FALSE;
455 /* Gets a GList of the tap names. The content of the list
456 is owned by the tap table and should not be modified or freed.
457 Use g_list_free() when done using the list. */
464 for(td=tap_dissector_list; td; td=td->next) {
465 list = g_list_prepend(list, td->name);
468 return g_list_reverse(list);
471 /* **********************************************************************
472 * Functions used by tap to
473 * 1. register that a really simple extension is available for use by
475 * 2. start tapping from a subdissector
476 * 3. close an already open tap
477 * ********************************************************************** */
478 /* this function will return the tap_id for the specific protocol tap
479 or 0 if no such tap was found.
482 find_tap_id(const char *name)
487 for(i=1,td=tap_dissector_list;td;i++,td=td->next) {
488 if(!strcmp(td->name,name)){
495 /* this function attaches the tap_listener to the named tap.
498 * non-NULL: error, return value points to GString containing error
502 register_tap_listener(const char *tapname, void *tapdata, const char *fstring,
503 guint flags, tap_reset_cb reset, tap_packet_cb packet, tap_draw_cb draw)
507 GString *error_string;
510 tap_id=find_tap_id(tapname);
512 error_string = g_string_new("");
513 g_string_printf(error_string, "Tap %s not found", tapname);
517 tl=(tap_listener_t *)g_malloc(sizeof(tap_listener_t));
519 tl->needs_redraw=TRUE;
522 if(!dfilter_compile(fstring, &tl->code, &err_msg)){
523 error_string = g_string_new("");
524 g_string_printf(error_string,
525 "Filter \"%s\" is invalid - %s",
538 tl->next=(tap_listener_t *)tap_listener_queue;
540 tap_listener_queue=tl;
545 /* this function sets a new dfilter to a tap listener
548 set_tap_dfilter(void *tapdata, const char *fstring)
550 tap_listener_t *tl=NULL,*tl2;
551 GString *error_string;
554 if(!tap_listener_queue){
558 if(tap_listener_queue->tapdata==tapdata){
559 tl=(tap_listener_t *)tap_listener_queue;
561 for(tl2=(tap_listener_t *)tap_listener_queue;tl2->next;tl2=tl2->next){
562 if(tl2->next->tapdata==tapdata){
572 dfilter_free(tl->code);
575 tl->needs_redraw=TRUE;
577 if(!dfilter_compile(fstring, &tl->code, &err_msg)){
578 error_string = g_string_new("");
579 g_string_printf(error_string,
580 "Filter \"%s\" is invalid - %s",
591 /* this function removes a tap listener
594 remove_tap_listener(void *tapdata)
596 tap_listener_t *tl=NULL,*tl2;
598 if(!tap_listener_queue){
602 if(tap_listener_queue->tapdata==tapdata){
603 tl=(tap_listener_t *)tap_listener_queue;
604 tap_listener_queue=tap_listener_queue->next;
606 for(tl2=(tap_listener_t *)tap_listener_queue;tl2->next;tl2=tl2->next){
607 if(tl2->next->tapdata==tapdata){
609 tl2->next=tl2->next->next;
618 dfilter_free(tl->code);
627 * Return TRUE if we have one or more tap listeners that require dissection,
631 tap_listeners_require_dissection(void)
633 volatile tap_listener_t *tap_queue = tap_listener_queue;
636 if(!(tap_queue->flags & TL_IS_DISSECTOR_HELPER))
639 tap_queue = tap_queue->next;
646 /* Returns TRUE there is an active tap listener for the specified tap id. */
648 have_tap_listener(int tap_id)
650 volatile tap_listener_t *tap_queue = tap_listener_queue;
653 if(tap_queue->tap_id == tap_id)
656 tap_queue = tap_queue->next;
663 * Return TRUE if we have any tap listeners with filters, FALSE otherwise.
666 have_filtering_tap_listeners(void)
670 for(tl=(tap_listener_t *)tap_listener_queue;tl;tl=tl->next){
678 * Get the union of all the flags for all the tap listeners; that gives
679 * an indication of whether the protocol tree, or the columns, are
680 * required by any taps.
683 union_of_tap_listener_flags(void)
688 for(tl=(tap_listener_t *)tap_listener_queue;tl;tl=tl->next){
695 * Editor modelines - http://www.wireshark.org/tools/modelines.html
700 * indent-tabs-mode: t
703 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
704 * :indentSize=8:tabSize=8:noTabs=false: