2 * Routines for packet capture windows
4 * $Id: capture.c,v 1.141 2001/02/11 22:36:57 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@zing.org>
8 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #ifdef HAVE_SYS_TYPES_H
33 # include <sys/types.h>
36 #ifdef HAVE_SYS_STAT_H
37 # include <sys/stat.h>
40 #ifdef HAVE_SYS_WAIT_H
41 # include <sys/wait.h>
46 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
47 * macros) on UNIX systems that don't have them.
50 # define WIFEXITED(status) (((status) & 0177) == 0)
53 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
56 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
59 # define WEXITSTATUS(status) ((status) >> 8)
62 # define WTERMSIG(status) ((status) & 0177)
65 # define WCOREDUMP(status) ((status) & 0200)
68 # define WSTOPSIG(status) ((status) >> 8)
92 #ifdef HAVE_SYS_SOCKET_H
93 #include <sys/socket.h>
96 #ifdef HAVE_SYS_IOCTL_H
97 #include <sys/ioctl.h>
105 #ifdef NEED_SNPRINTF_H
106 # include "snprintf.h"
110 #include <process.h> /* For spawning child process */
114 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
115 * want to include it if it's not present on this platform, however.
117 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__)
121 #endif /* defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__) */
124 * We don't want to do a "select()" on the pcap_t's file descriptor on
125 * BSD (because "select()" doesn't work correctly on BPF devices on at
126 * least some releases of some flavors of BSD), and we don't want to do
127 * it on Windows (because "select()" is something for sockets, not for
128 * arbitrary handles).
130 * We *do* want to do it on other platforms, as, on other platforms (with
131 * the possible exception of Ultrix and Digital UNIX), the read timeout
132 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
133 * will block until packets arrive, causing the UI to hang.
135 #if !defined(BSD) && !defined(_WIN32)
136 # define MUST_DO_SELECT
139 #include "gtk/main.h"
140 #include "gtk/gtkglobals.h"
145 #include "simple_dialog.h"
149 #include "wiretap/libpcap.h"
150 #include "wiretap/wtap.h"
152 #include "packet-clip.h"
153 #include "packet-eth.h"
154 #include "packet-fddi.h"
155 #include "packet-null.h"
156 #include "packet-ppp.h"
157 #include "packet-raw.h"
158 #include "packet-sll.h"
159 #include "packet-tr.h"
160 #include "packet-ieee80211.h"
162 int promisc_mode = TRUE; /* capture in promiscuous mode */
163 int sync_mode; /* fork a child to do the capture, and sync between them */
164 static int sync_pipe[2]; /* used to sync father */
165 enum PIPES { READ, WRITE }; /* Constants 0 and 1 for READ and WRITE */
166 int quit_after_cap; /* Makes a "capture only mode". Implies -k */
167 gboolean capture_child; /* if this is the child for "-S" */
168 static int fork_child; /* In parent, process ID of child */
169 static guint cap_input_id;
172 * Indications sent out on the sync pipe.
174 #define SP_CAPSTART ';' /* capture start message */
175 #define SP_PACKET_COUNT '*' /* count of packets captured since last message */
176 #define SP_ERROR '!' /* length of error message that follows */
179 static guint cap_timer_id;
180 static int cap_timer_cb(gpointer); /* Win32 kludge to check for pipe input */
183 static void cap_file_input_cb(gpointer, gint, GdkInputCondition);
184 static void wait_for_child(gboolean);
186 static char *signame(int);
188 static void capture_delete_cb(GtkWidget *, GdkEvent *, gpointer);
189 static void capture_stop_cb(GtkWidget *, gpointer);
190 static void capture_pcap_cb(u_char *, const struct pcap_pkthdr *,
192 static void get_capture_file_io_error(char *, int, const char *, int, gboolean);
193 static void send_errmsg_to_parent(const char *);
194 static float pct(gint, gint);
195 static void stop_capture(int signo);
197 typedef struct _loop_data {
198 gint go; /* TRUE as long as we're supposed to keep capturing */
199 gint max; /* Number of packets we're supposed to capture - 0 means infinite */
200 int err; /* if non-zero, error seen while capturing */
203 gboolean from_pipe; /* TRUE if we are capturing data from a pipe */
204 gboolean modified; /* TRUE if data in the pipe uses modified pcap headers */
205 gboolean byte_swapped; /* TRUE if data in the pipe is byte swapped */
206 packet_counts counts;
211 static void adjust_header(loop_data *, struct pcap_hdr *, struct pcaprec_hdr *);
212 static int pipe_open_live(char *, struct pcap_hdr *, loop_data *, char *);
213 static int pipe_dispatch(int, loop_data *, struct pcap_hdr *);
216 /* Win32 needs the O_BINARY flag for open() */
222 /* Win32 needs a handle to the child capture process */
226 /* Add a string pointer to a NULL-terminated array of string pointers. */
228 add_arg(char **args, int *argc, char *arg)
230 /* Grow the array; "*argc" currently contains the number of string
231 pointers, *not* counting the NULL pointer at the end, so we have
232 to add 2 in order to get the new size of the array, including the
233 new pointer and the terminating NULL pointer. */
234 args = g_realloc(args, (*argc + 2) * sizeof (char *));
236 /* Stuff the pointer into the penultimate element of the array, which
237 is the one at the index specified by "*argc". */
240 /* Now bump the count. */
243 /* We overwrite the NULL pointer; put it back right after the
251 /* Given a string, return a pointer to a quote-encapsulated version of
252 the string, so we can pass it as an argument with "spawnvp" even
253 if it contains blanks. */
255 quote_encapsulate(const char *string)
257 char *encapsulated_string;
259 encapsulated_string = g_new(char, strlen(string) + 3);
260 sprintf(encapsulated_string, "\"%s\"", string);
261 return encapsulated_string;
265 /* Open a specified file, or create a temporary file, and start a capture
266 to the file in question. */
268 do_capture(char *capfile_name)
271 gboolean is_tempfile;
277 int capture_succeeded;
278 gboolean stats_known;
279 struct pcap_stat stats;
281 if (capfile_name != NULL) {
282 /* Try to open/create the specified file for use as a capture buffer. */
283 cfile.save_file_fd = open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT, 0600);
286 /* Choose a random name for the capture buffer */
287 cfile.save_file_fd = create_tempfile(tmpname, sizeof tmpname, "ether");
288 capfile_name = g_strdup(tmpname);
291 if (cfile.save_file_fd == -1) {
293 simple_dialog(ESD_TYPE_CRIT, NULL,
294 "The temporary file to which the capture would be saved (\"%s\")"
295 "could not be opened: %s.", capfile_name, strerror(errno));
297 simple_dialog(ESD_TYPE_CRIT, NULL,
298 file_open_error_message(errno, TRUE), capfile_name);
302 close_cap_file(&cfile, info_bar);
303 g_assert(cfile.save_file == NULL);
304 cfile.save_file = capfile_name;
306 if (sync_mode) { /* do the capture in a child process */
308 char scount[24]; /* need a constant for len of numbers */
309 char save_file_fd[24];
315 char sync_pipe_fd[24];
320 /* Allocate the string pointer array with enough space for the
321 terminating NULL pointer. */
323 argv = g_malloc(sizeof (char *));
326 /* Now add those arguments used on all platforms. */
327 argv = add_arg(argv, &argc, CHILD_NAME);
329 argv = add_arg(argv, &argc, "-i");
330 argv = add_arg(argv, &argc, cfile.iface);
332 argv = add_arg(argv, &argc, "-w");
333 argv = add_arg(argv, &argc, cfile.save_file);
335 argv = add_arg(argv, &argc, "-W");
336 sprintf(save_file_fd,"%d",cfile.save_file_fd); /* in lieu of itoa */
337 argv = add_arg(argv, &argc, save_file_fd);
339 argv = add_arg(argv, &argc, "-c");
340 sprintf(scount,"%d",cfile.count);
341 argv = add_arg(argv, &argc, scount);
343 argv = add_arg(argv, &argc, "-s");
344 sprintf(ssnap,"%d",cfile.snap);
345 argv = add_arg(argv, &argc, ssnap);
348 argv = add_arg(argv, &argc, "-p");
351 /* Create a pipe for the child process */
353 if(_pipe(sync_pipe, 512, O_BINARY) < 0) {
354 /* Couldn't create the pipe between parent and child. */
356 unlink(cfile.save_file);
357 g_free(cfile.save_file);
358 cfile.save_file = NULL;
359 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create sync pipe: %s",
364 /* Convert font name to a quote-encapsulated string and pass to child */
365 argv = add_arg(argv, &argc, "-m");
366 fontstring = quote_encapsulate(prefs.gui_font_name);
367 argv = add_arg(argv, &argc, fontstring);
369 /* Convert pipe write handle to a string and pass to child */
370 argv = add_arg(argv, &argc, "-Z");
371 itoa(sync_pipe[WRITE], sync_pipe_fd, 10);
372 argv = add_arg(argv, &argc, sync_pipe_fd);
374 /* Convert filter string to a quote delimited string and pass to child */
375 if (cfile.cfilter != NULL && strlen(cfile.cfilter) != 0) {
376 argv = add_arg(argv, &argc, "-f");
377 filterstring = quote_encapsulate(cfile.cfilter);
378 argv = add_arg(argv, &argc, filterstring);
382 fork_child = spawnvp(_P_NOWAIT, ethereal_path, argv);
384 g_free(filterstring);
385 /* Keep a copy for later evaluation by _cwait() */
386 child_process = fork_child;
388 signal(SIGCHLD, SIG_IGN);
389 if (pipe(sync_pipe) < 0) {
390 /* Couldn't create the pipe between parent and child. */
392 unlink(cfile.save_file);
393 g_free(cfile.save_file);
394 cfile.save_file = NULL;
395 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create sync pipe: %s",
400 argv = add_arg(argv, &argc, "-m");
401 argv = add_arg(argv, &argc, prefs.gui_font_name);
403 if (cfile.cfilter != NULL && strlen(cfile.cfilter) != 0) {
404 argv = add_arg(argv, &argc, "-f");
405 argv = add_arg(argv, &argc, cfile.cfilter);
408 if ((fork_child = fork()) == 0) {
410 * Child process - run Ethereal with the right arguments to make
411 * it just pop up the live capture dialog box and capture with
412 * the specified capture parameters, writing to the specified file.
414 * args: -i interface specification
416 * -W file descriptor to write
417 * -c count to capture
420 * -f "filter expression"
423 dup(sync_pipe[WRITE]);
424 close(sync_pipe[READ]);
425 execvp(ethereal_path, argv);
426 snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
427 ethereal_path, strerror(errno));
428 send_errmsg_to_parent(errmsg);
430 /* Exit with "_exit()", so that we don't close the connection
431 to the X server (and cause stuff buffered up by our parent but
432 not yet sent to be sent, as that stuff should only be sent by
438 /* Parent process - read messages from the child process over the
440 g_free(argv); /* free up arg array */
442 /* Close the write side of the pipe, so that only the child has it
443 open, and thus it completely closes, and thus returns to us
444 an EOF indication, if the child closes it (either deliberately
445 or by exiting abnormally). */
446 close(sync_pipe[WRITE]);
448 /* Close the save file FD, as we won't be using it - we'll be opening
449 it and reading the save file through Wiretap. */
450 close(cfile.save_file_fd);
452 if (fork_child == -1) {
453 /* We couldn't even create the child process. */
455 close(sync_pipe[READ]);
456 unlink(cfile.save_file);
457 g_free(cfile.save_file);
458 cfile.save_file = NULL;
459 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create child process: %s",
464 /* Read a byte count from "sync_pipe[READ]", terminated with a
465 colon; if the count is 0, the child process created the
466 capture file and we should start reading from it, otherwise
467 the capture couldn't start and the count is a count of bytes
468 of error message, and we should display the message. */
471 i = read(sync_pipe[READ], &c, 1);
473 /* EOF - the child process died.
474 Close the read side of the sync pipe, remove the capture file,
475 and report the failure. */
476 close(sync_pipe[READ]);
477 unlink(cfile.save_file);
478 g_free(cfile.save_file);
479 cfile.save_file = NULL;
480 wait_for_child(TRUE);
483 if (c == SP_CAPSTART || c == SP_ERROR)
486 /* Child process handed us crap.
487 Close the read side of the sync pipe, remove the capture file,
488 and report the failure. */
489 close(sync_pipe[READ]);
490 unlink(cfile.save_file);
491 g_free(cfile.save_file);
492 cfile.save_file = NULL;
493 simple_dialog(ESD_TYPE_WARN, NULL,
494 "Capture child process sent us a bad message");
497 byte_count = byte_count*10 + c - '0';
499 if (c == SP_CAPSTART) {
500 /* Success. Open the capture file, and set up to read it. */
501 err = start_tail_cap_file(cfile.save_file, is_tempfile, &cfile);
503 /* We were able to open and set up to read the capture file;
504 arrange that our callback be called whenever it's possible
505 to read from the sync pipe, so that it's called when
506 the child process wants to tell us something. */
508 /* Tricky to use pipes in win9x, as no concept of wait. NT can
509 do this but that doesn't cover all win32 platforms. GTK can do
510 this but doesn't seem to work over processes. Attempt to do
511 something similar here, start a timer and check for data on every
513 cap_timer_id = gtk_timeout_add(1000, cap_timer_cb, NULL);
515 cap_input_id = gtk_input_add_full(sync_pipe[READ],
516 GDK_INPUT_READ|GDK_INPUT_EXCEPTION,
523 /* We weren't able to open the capture file; complain, and
524 close the sync pipe. */
525 simple_dialog(ESD_TYPE_CRIT, NULL,
526 file_open_error_message(err, FALSE), cfile.save_file);
528 /* Close the sync pipe. */
529 close(sync_pipe[READ]);
531 /* Don't unlink the save file - leave it around, for debugging
533 g_free(cfile.save_file);
534 cfile.save_file = NULL;
537 /* Failure - the child process sent us a message indicating
538 what the problem was. */
539 msg = g_malloc(byte_count + 1);
541 simple_dialog(ESD_TYPE_WARN, NULL,
542 "Capture child process failed, but its error message was too big.");
543 } else if (byte_count == 0) {
544 /* Zero-length message? */
545 simple_dialog(ESD_TYPE_WARN, NULL,
546 "Capture child process failed, but its error message was empty.");
548 i = read(sync_pipe[READ], msg, byte_count);
550 simple_dialog(ESD_TYPE_WARN, NULL,
551 "Capture child process failed: Error %s reading its error message.",
554 simple_dialog(ESD_TYPE_WARN, NULL,
555 "Capture child process failed: EOF reading its error message.");
556 wait_for_child(FALSE);
558 simple_dialog(ESD_TYPE_WARN, NULL, msg);
561 /* Close the sync pipe. */
562 close(sync_pipe[READ]);
564 /* Get rid of the save file - the capture never started. */
565 unlink(cfile.save_file);
566 g_free(cfile.save_file);
567 cfile.save_file = NULL;
572 capture_succeeded = capture(&stats_known, &stats);
573 if (quit_after_cap) {
574 /* DON'T unlink the save file. Presumably someone wants it. */
577 if (capture_succeeded) {
578 /* Capture succeeded; read in the capture file. */
579 if ((err = open_cap_file(cfile.save_file, is_tempfile, &cfile)) == 0) {
580 /* Set the read filter to NULL. */
583 /* Get the packet-drop statistics.
585 XXX - there are currently no packet-drop statistics stored
586 in libpcap captures, and that's what we're reading.
588 At some point, we will add support in Wiretap to return
589 packet-drop statistics for capture file formats that store it,
590 and will make "read_cap_file()" get those statistics from
591 Wiretap. We clear the statistics (marking them as "not known")
592 in "open_cap_file()", and "read_cap_file()" will only fetch
593 them and mark them as known if Wiretap supplies them, so if
594 we get the statistics now, after calling "open_cap_file()" but
595 before calling "read_cap_file()", the values we store will
596 be used by "read_cap_file()".
598 If a future libpcap capture file format stores the statistics,
599 we'll put them into the capture file that we write, and will
600 thus not have to set them here - "read_cap_file()" will get
601 them from the file and use them. */
603 cfile.drops_known = TRUE;
605 /* XXX - on some systems, libpcap doesn't bother filling in
606 "ps_ifdrop" - it doesn't even set it to zero - so we don't
607 bother looking at it.
609 Ideally, libpcap would have an interface that gave us
610 several statistics - perhaps including various interface
611 error statistics - and would tell us which of them it
612 supplies, allowing us to display only the ones it does. */
613 cfile.drops = stats.ps_drop;
615 switch (read_cap_file(&cfile, &err)) {
619 /* Just because we got an error, that doesn't mean we were unable
620 to read any of the file; we handle what we could get from the
625 /* Exit by leaving the main loop, so that any quit functions
626 we registered get called. */
632 /* We're not doing a capture any more, so we don't have a save
634 g_free(cfile.save_file);
635 cfile.save_file = NULL;
640 /* The timer has expired, see if there's stuff to read from the pipe,
641 if so call the cap_file_input_cb */
643 cap_timer_cb(gpointer data)
647 gboolean result, result1;
650 /* Oddly enough although Named pipes don't work on win9x,
651 PeekNamedPipe does !!! */
652 handle = (HANDLE) _get_osfhandle (sync_pipe[READ]);
653 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
655 /* Get the child process exit status */
656 result1 = GetExitCodeProcess((HANDLE)child_process, &childstatus);
658 /* If the Peek returned an error, or there are bytes to be read
659 or the childwatcher thread has terminated then call the normal
661 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
663 /* avoid reentrancy problems and stack overflow */
664 gtk_timeout_remove(cap_timer_id);
666 /* And call the real handler */
667 cap_file_input_cb((gpointer) &cfile, 0, 0);
669 /* Return false so that the timer is not run again */
673 /* No data so let timer run again */
679 /* There's stuff to read from the sync pipe, meaning the child has sent
680 us a message, or the sync pipe has closed, meaning the child has
681 closed it (perhaps because it exited). */
683 cap_file_input_cb(gpointer data, gint source, GdkInputCondition condition)
685 capture_file *cf = (capture_file *)data;
687 char buffer[BUFSIZE+1], *p = buffer, *q = buffer, *msg, *r;
688 int nread, msglen, chars_to_copy;
693 /* avoid reentrancy problems and stack overflow */
694 gtk_input_remove(cap_input_id);
697 if ((nread = read(sync_pipe[READ], buffer, BUFSIZE)) <= 0) {
698 /* The child has closed the sync pipe, meaning it's not going to be
699 capturing any more packets. Pick up its exit status, and
700 complain if it did anything other than exit with status 0. */
701 wait_for_child(FALSE);
703 /* Read what remains of the capture file, and finish the capture.
704 XXX - do something if this fails? */
705 switch (finish_tail_cap_file(cf, &err)) {
709 /* Just because we got an error, that doesn't mean we were unable
710 to read any of the file; we handle what we could get from the
715 /* Exit by leaving the main loop, so that any quit functions
716 we registered get called. */
721 /* We're not doing a capture any more, so we don't have a save
723 g_free(cf->save_file);
724 cf->save_file = NULL;
729 buffer[nread] = '\0';
732 /* look for (possibly multiple) indications */
734 case SP_PACKET_COUNT :
746 /* Read the entire message.
747 XXX - if the child hasn't sent it all yet, this could cause us
748 to hang until they do. */
749 msg = g_malloc(msglen + 1);
751 while (msglen != 0) {
754 if ((nread = read(sync_pipe[READ], buffer, BUFSIZE)) <= 0)
759 chars_to_copy = MIN(msglen, nread);
760 memcpy(r, q, chars_to_copy);
763 nread -= chars_to_copy;
764 msglen -= chars_to_copy;
767 simple_dialog(ESD_TYPE_WARN, NULL, msg);
777 /* Read from the capture file the number of records the child told us
779 XXX - do something if this fails? */
780 switch (continue_tail_cap_file(cf, to_read, &err)) {
784 /* Just because we got an error, that doesn't mean we were unable
785 to read any of the file; we handle what we could get from the
788 XXX - abort on a read error? */
792 /* Kill the child capture process; the user wants to exit, and we
793 shouldn't just leave it running. */
797 kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
802 /* restore pipe handler */
804 cap_timer_id = gtk_timeout_add(1000, cap_timer_cb, NULL);
806 cap_input_id = gtk_input_add_full (sync_pipe[READ],
807 GDK_INPUT_READ|GDK_INPUT_EXCEPTION,
816 wait_for_child(gboolean always_report)
821 /* XXX - analyze the wait stuatus and display more information
822 in the dialog box? */
823 if (_cwait(&wstatus, child_process, _WAIT_CHILD) == -1) {
824 simple_dialog(ESD_TYPE_WARN, NULL, "Child capture process stopped unexpectedly");
827 if (wait(&wstatus) != -1) {
828 if (WIFEXITED(wstatus)) {
829 /* The child exited; display its exit status, if it's not zero,
830 and even if it's zero if "always_report" is true. */
831 if (always_report || WEXITSTATUS(wstatus) != 0) {
832 simple_dialog(ESD_TYPE_WARN, NULL,
833 "Child capture process exited: exit status %d",
834 WEXITSTATUS(wstatus));
836 } else if (WIFSTOPPED(wstatus)) {
837 /* It stopped, rather than exiting. "Should not happen." */
838 simple_dialog(ESD_TYPE_WARN, NULL,
839 "Child capture process stopped: %s",
840 signame(WSTOPSIG(wstatus)));
841 } else if (WIFSIGNALED(wstatus)) {
842 /* It died with a signal. */
843 simple_dialog(ESD_TYPE_WARN, NULL,
844 "Child capture process died: %s%s",
845 signame(WTERMSIG(wstatus)),
846 WCOREDUMP(wstatus) ? " - core dumped" : "");
848 /* What? It had to either have exited, or stopped, or died with
849 a signal; what happened here? */
850 simple_dialog(ESD_TYPE_WARN, NULL,
851 "Child capture process died: wait status %#o", wstatus);
862 static char sigmsg_buf[6+1+3+1];
871 sigmsg = "Interrupted";
879 sigmsg = "Illegal instruction";
883 sigmsg = "Trace trap";
891 sigmsg = "Arithmetic exception";
899 sigmsg = "Bus error";
903 sigmsg = "Segmentation violation";
906 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
907 Linux is POSIX compliant. These are not POSIX-defined signals ---
908 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
910 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
911 were omitted from POSIX.1 because their behavior is
912 implementation dependent and could not be adequately catego-
913 rized. Conforming implementations may deliver these sig-
914 nals, but must document the circumstances under which they
915 are delivered and note any restrictions concerning their
918 So we only check for SIGSYS on those systems that happen to
919 implement them (a system can be POSIX-compliant and implement
920 them, it's just that POSIX doesn't *require* a POSIX-compliant
921 system to implement them).
926 sigmsg = "Bad system call";
931 sigmsg = "Broken pipe";
935 sigmsg = "Alarm clock";
939 sigmsg = "Terminated";
943 sprintf(sigmsg_buf, "Signal %d", sig);
952 * Timeout, in milliseconds, for reads from the stream of captured packets.
954 #define CAP_READ_TIMEOUT 250
957 /* Take carre of byte order in the libpcap headers read from pipes.
958 * (function taken from wiretap/libpcap.c) */
960 adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
962 if (ld->byte_swapped) {
963 /* Byte-swap the record header fields. */
964 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
965 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
966 rechdr->incl_len = BSWAP32(rechdr->incl_len);
967 rechdr->orig_len = BSWAP32(rechdr->orig_len);
970 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
971 swapped, in order to match the BPF header layout.
973 Unfortunately, some files were, according to a comment in the "libpcap"
974 source, written with version 2.3 in their headers but without the
975 interchanged fields, so if "incl_len" is greater than "orig_len" - which
976 would make no sense - we assume that we need to swap them. */
977 if (hdr->version_major == 2 &&
978 (hdr->version_minor < 3 ||
979 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
982 temp = rechdr->orig_len;
983 rechdr->orig_len = rechdr->incl_len;
984 rechdr->incl_len = temp;
988 /* Mimic pcap_open_live() for pipe captures
989 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
991 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
992 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
994 pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld, char *ebuf)
996 struct stat pipe_stat;
1001 if (strcmp(pipename, "-") == 0) fd = 0; /* read from stdin */
1002 else if (stat(pipename, &pipe_stat) == 0 && S_ISFIFO(pipe_stat.st_mode)) {
1003 if ((fd = open(pipename, O_RDONLY)) == -1) return -1;
1006 ld->from_pipe = TRUE;
1007 /* read the pcap header */
1008 if (read(fd, &magic, sizeof magic) != sizeof magic) {
1015 /* Host that wrote it has our byte order, and was running
1016 a program using either standard or ss990417 libpcap. */
1017 ld->byte_swapped = FALSE;
1018 ld->modified = FALSE;
1020 case PCAP_MODIFIED_MAGIC:
1021 /* Host that wrote it has our byte order, but was running
1022 a program using either ss990915 or ss991029 libpcap. */
1023 ld->byte_swapped = FALSE;
1024 ld->modified = TRUE;
1026 case PCAP_SWAPPED_MAGIC:
1027 /* Host that wrote it has a byte order opposite to ours,
1028 and was running a program using either standard or
1029 ss990417 libpcap. */
1030 ld->byte_swapped = TRUE;
1031 ld->modified = FALSE;
1033 case PCAP_SWAPPED_MODIFIED_MAGIC:
1034 /* Host that wrote it out has a byte order opposite to
1035 ours, and was running a program using either ss990915
1036 or ss991029 libpcap. */
1037 ld->byte_swapped = TRUE;
1038 ld->modified = TRUE;
1041 /* Not a "libpcap" type we know about. */
1046 /* Read the rest of the header */
1047 bytes_read = read(fd, hdr, sizeof(struct pcap_hdr));
1048 if (bytes_read <= 0) {
1052 while (bytes_read < sizeof(struct pcap_hdr))
1054 b = read(fd, ((char *)&hdr)+bytes_read, sizeof(struct pcap_hdr) - bytes_read);
1061 if (ld->byte_swapped) {
1062 /* Byte-swap the header fields about which we care. */
1063 hdr->version_major = BSWAP16(hdr->version_major);
1064 hdr->version_minor = BSWAP16(hdr->version_minor);
1065 hdr->snaplen = BSWAP32(hdr->snaplen);
1066 hdr->network = BSWAP32(hdr->network);
1068 if (hdr->version_major < 2) {
1076 /* We read one record from the pipe, take care of byte order in the record
1077 * header, write the record in the capture file, and update capture statistics. */
1079 pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr)
1081 struct wtap_pkthdr whdr;
1082 struct pcaprec_modified_hdr rechdr;
1083 int bytes_to_read, bytes_read, b;
1084 u_char pd[WTAP_MAX_PACKET_SIZE];
1087 /* read the record header */
1088 bytes_to_read = ld->modified ? sizeof rechdr : sizeof rechdr.hdr;
1089 bytes_read = read(fd, &rechdr, bytes_to_read);
1090 if (bytes_read <= 0) {
1095 while (bytes_read < bytes_to_read)
1097 b = read(fd, ((char *)&rechdr)+bytes_read, bytes_to_read - bytes_read);
1105 /* take care of byte order */
1106 adjust_header(ld, hdr, &rechdr.hdr);
1107 if (rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1112 /* read the packet data */
1113 bytes_read = read(fd, pd, rechdr.hdr.incl_len);
1114 if (bytes_read <= 0) {
1119 while (bytes_read < rechdr.hdr.incl_len)
1121 b = read(fd, pd+bytes_read, rechdr.hdr.incl_len - bytes_read);
1129 /* dump the packet data to the capture file */
1130 whdr.ts.tv_sec = rechdr.hdr.ts_sec;
1131 whdr.ts.tv_usec = rechdr.hdr.ts_usec;
1132 whdr.caplen = rechdr.hdr.incl_len;
1133 whdr.len = rechdr.hdr.orig_len;
1134 whdr.pkt_encap = ld->linktype;
1135 wtap_dump(ld->pdh, &whdr, NULL, pd, &err);
1137 /* Set the initial payload to the packet length, and the initial
1138 captured payload to the capture length (other protocols may
1139 reduce them if their headers say they're less). */
1141 pi.captured_len = whdr.caplen;
1143 /* update capture statistics */
1144 switch (ld->linktype) {
1145 case WTAP_ENCAP_ETHERNET:
1146 capture_eth(pd, 0, &ld->counts);
1148 case WTAP_ENCAP_FDDI:
1149 case WTAP_ENCAP_FDDI_BITSWAPPED:
1150 capture_fddi(pd, &ld->counts);
1152 case WTAP_ENCAP_TOKEN_RING:
1153 capture_tr(pd, 0, &ld->counts);
1155 case WTAP_ENCAP_NULL:
1156 capture_null(pd, &ld->counts);
1158 case WTAP_ENCAP_PPP:
1159 capture_ppp(pd, 0, &ld->counts);
1161 case WTAP_ENCAP_RAW_IP:
1162 capture_raw(pd, &ld->counts);
1164 case WTAP_ENCAP_LINUX_ATM_CLIP:
1165 capture_clip(pd, &ld->counts);
1167 case WTAP_ENCAP_IEEE_802_11:
1168 capture_ieee80211(pd,0,&ld->counts);
1170 /* XXX - FreeBSD may append 4-byte ATM pseudo-header to DLT_ATM_RFC1483,
1171 with LLC header following; we should implement it at some
1180 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
1183 static loop_data ld;
1185 /* Do the low-level work of a capture.
1186 Returns TRUE if it succeeds, FALSE otherwise. */
1188 capture(gboolean *stats_known, struct pcap_stat *stats)
1190 GtkWidget *cap_w, *main_vb, *stop_bt, *counts_tb;
1194 gchar err_str[PCAP_ERRBUF_SIZE], label_str[64];
1195 bpf_u_int32 netnum, netmask;
1196 struct bpf_program fcode;
1197 time_t upd_time, cur_time;
1199 static const char capstart_msg = SP_CAPSTART;
1200 char errmsg[4096+1];
1202 static const char ppamsg[] = "can't find PPA for ";
1206 struct timeval timeout;
1207 #ifdef MUST_DO_SELECT
1211 WORD wVersionRequested;
1216 struct pcap_hdr hdr;
1221 GtkWidget *label, *value, *percent;
1223 { "Total", &ld.counts.total },
1224 { "SCTP", &ld.counts.sctp },
1225 { "TCP", &ld.counts.tcp },
1226 { "UDP", &ld.counts.udp },
1227 { "ICMP", &ld.counts.icmp },
1228 { "OSPF", &ld.counts.ospf },
1229 { "GRE", &ld.counts.gre },
1230 { "NetBIOS", &ld.counts.netbios },
1231 { "IPX", &ld.counts.ipx },
1232 { "VINES", &ld.counts.vines },
1233 { "Other", &ld.counts.other }
1236 #define N_COUNTS (sizeof counts / sizeof counts[0])
1238 /* Initialize Windows Socket if we are in a WIN32 OS
1239 This needs to be done before querying the interface for network/netmask */
1241 wVersionRequested = MAKEWORD( 1, 1 );
1242 err = WSAStartup( wVersionRequested, &wsaData );
1244 snprintf(errmsg, sizeof errmsg,
1245 "Couldn't initialize Windows Sockets.");
1252 ld.counts.total = 0;
1253 ld.max = cfile.count;
1254 ld.err = 0; /* no error seen yet */
1255 ld.linktype = WTAP_ENCAP_UNKNOWN;
1256 ld.from_pipe = FALSE;
1257 ld.sync_packets = 0;
1265 ld.counts.netbios = 0;
1266 ld.counts.vines = 0;
1267 ld.counts.other = 0;
1270 /* We haven't yet gotten the capture statistics. */
1271 *stats_known = FALSE;
1273 /* Open the network interface to capture from it. */
1274 pch = pcap_open_live(cfile.iface, cfile.snap, promisc_mode,
1275 CAP_READ_TIMEOUT, err_str);
1279 /* Well, we couldn't start the capture.
1280 If this is a child process that does the capturing in sync
1281 mode or fork mode, it shouldn't do any UI stuff until we pop up the
1282 capture-progress window, and, since we couldn't start the
1283 capture, we haven't popped it up. */
1284 if (!capture_child) {
1285 while (gtk_events_pending()) gtk_main_iteration();
1288 /* On Win32 OSes, the capture devices are probably available to all
1289 users; don't warn about permissions problems.
1291 Do, however, warn that Token Ring and PPP devices aren't supported. */
1292 snprintf(errmsg, sizeof errmsg,
1293 "The capture session could not be initiated (%s).\n"
1294 "Please check that you have the proper interface specified.\n"
1296 "Note that the driver Ethereal uses for packet capture on Windows\n"
1297 "doesn't support capturing on Token Ring interfaces, and doesn't\n"
1298 "support capturing on PPP/WAN interfaces in Windows NT/2000.\n",
1302 /* try to open cfile.iface as a pipe */
1303 pipe_fd = pipe_open_live(cfile.iface, &hdr, &ld, err_str);
1305 if (pipe_fd == -1) {
1306 /* Well, we couldn't start the capture.
1307 If this is a child process that does the capturing in sync
1308 mode or fork mode, it shouldn't do any UI stuff until we pop up the
1309 capture-progress window, and, since we couldn't start the
1310 capture, we haven't popped it up. */
1311 if (!capture_child) {
1312 while (gtk_events_pending()) gtk_main_iteration();
1315 /* If we got a "can't find PPA for XXX" message, warn the user (who
1316 is running Ethereal on HP-UX) that they don't have a version
1317 of libpcap patched to properly handle HP-UX (the patched version
1318 says "can't find /dev/dlpi PPA for XXX" rather than "can't find
1320 if (strncmp(err_str, ppamsg, sizeof ppamsg - 1) == 0)
1323 "You are running Ethereal with a version of the libpcap library\n"
1324 "that doesn't handle HP-UX network devices well; this means that\n"
1325 "Ethereal may not be able to capture packets.\n"
1327 "To fix this, you will need to download the source to Ethereal\n"
1328 "from www.ethereal.com if you have not already done so, read\n"
1329 "the instructions in the \"README.hpux\" file in the source\n"
1330 "distribution, download the source to libpcap if you have not\n"
1331 "already done so, patch libpcap as per the instructions, rebuild\n"
1332 "and install libpcap, and then build Ethereal (if you have already\n"
1333 "built Ethereal from source, do a \"make distclean\" and re-run\n"
1334 "configure before building).";
1337 snprintf(errmsg, sizeof errmsg,
1338 "The capture session could not be initiated (%s).\n"
1339 "Please check to make sure you have sufficient permissions, and that\n"
1340 "you have the proper interface or pipe specified.%s", err_str,
1347 /* capture filters only work on real interfaces */
1348 if (cfile.cfilter && !ld.from_pipe) {
1349 /* A capture filter was specified; set it up. */
1350 if (pcap_lookupnet (cfile.iface, &netnum, &netmask, err_str) < 0) {
1352 * Well, we can't get the netmask for this interface; it's used
1353 * only for filters that check for broadcast IP addresses, so
1354 * we just punt and use 0. It might be nice to warn the user,
1355 * but that's a pain in a GUI application, as it'd involve popping
1356 * up a message box, and it's not clear how often this would make
1357 * a difference (only filters that check for IP broadcast addresses
1362 if (pcap_compile(pch, &fcode, cfile.cfilter, 1, netmask) < 0) {
1363 snprintf(errmsg, sizeof errmsg, "Unable to parse filter string (%s).",
1367 if (pcap_setfilter(pch, &fcode) < 0) {
1368 snprintf(errmsg, sizeof errmsg, "Can't install filter (%s).",
1374 /* Set up to write to the capture file. */
1377 pcap_encap = hdr.network;
1378 snaplen = hdr.snaplen;
1382 pcap_encap = pcap_datalink(pch);
1383 snaplen = pcap_snapshot(pch);
1385 ld.linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
1386 if (ld.linktype == WTAP_ENCAP_UNKNOWN) {
1387 snprintf(errmsg, sizeof errmsg,
1388 "The network you're capturing from is of a type"
1389 " that Ethereal doesn't support (data link type %d).", pcap_encap);
1392 ld.pdh = wtap_dump_fdopen(cfile.save_file_fd, WTAP_FILE_PCAP,
1393 ld.linktype, snaplen, &err);
1395 if (ld.pdh == NULL) {
1396 /* We couldn't set up to write to the capture file. */
1399 case WTAP_ERR_CANT_OPEN:
1400 strcpy(errmsg, "The file to which the capture would be saved"
1401 " couldn't be created for some unknown reason.");
1404 case WTAP_ERR_SHORT_WRITE:
1405 strcpy(errmsg, "A full header couldn't be written to the file"
1406 " to which the capture would be saved.");
1411 snprintf(errmsg, sizeof(errmsg),
1412 "The file to which the capture would be"
1413 " saved (\"%s\") could not be opened: Error %d.",
1414 cfile.save_file, err);
1416 snprintf(errmsg, sizeof(errmsg),
1417 "The file to which the capture would be"
1418 " saved (\"%s\") could not be opened: %s.",
1419 cfile.save_file, strerror(err));
1426 /* XXX - capture SIGTERM and close the capture, in case we're on a
1427 Linux 2.0[.x] system and you have to explicitly close the capture
1428 stream in order to turn promiscuous mode off? We need to do that
1429 in other places as well - and I don't think that works all the
1430 time in any case, due to libpcap bugs. */
1432 if (capture_child) {
1433 /* Well, we should be able to start capturing.
1435 This is the child process for a sync mode capture, so sync out
1436 the capture file, so the header makes it to the file system,
1437 and send a "capture started successfully and capture file created"
1438 message to our parent so that they'll open the capture file and
1439 update its windows to indicate that we have a live capture in
1441 fflush(wtap_dump_file(ld.pdh));
1442 write(1, &capstart_msg, 1);
1445 cap_w = gtk_window_new(GTK_WINDOW_TOPLEVEL);
1446 gtk_window_set_title(GTK_WINDOW(cap_w), "Ethereal: Capture");
1447 gtk_window_set_modal(GTK_WINDOW(cap_w), TRUE);
1449 /* Container for capture display widgets */
1450 main_vb = gtk_vbox_new(FALSE, 1);
1451 gtk_container_border_width(GTK_CONTAINER(main_vb), 5);
1452 gtk_container_add(GTK_CONTAINER(cap_w), main_vb);
1453 gtk_widget_show(main_vb);
1455 /* Individual statistic elements */
1456 counts_tb = gtk_table_new(N_COUNTS, 3, TRUE);
1457 gtk_box_pack_start(GTK_BOX(main_vb), counts_tb, TRUE, TRUE, 3);
1458 gtk_widget_show(counts_tb);
1460 for (i = 0; i < N_COUNTS; i++) {
1461 counts[i].label = gtk_label_new(counts[i].title);
1462 gtk_misc_set_alignment(GTK_MISC(counts[i].label), 0.0f, 0.0f);
1464 counts[i].value = gtk_label_new("0");
1465 gtk_misc_set_alignment(GTK_MISC(counts[i].value), 0.0f, 0.0f);
1467 counts[i].percent = gtk_label_new("0.0%");
1468 gtk_misc_set_alignment(GTK_MISC(counts[i].percent), 0.0f, 0.0f);
1470 gtk_table_attach_defaults(GTK_TABLE(counts_tb),
1471 counts[i].label, 0, 1, i, i + 1);
1473 gtk_table_attach(GTK_TABLE(counts_tb),
1475 1, 2, i, i + 1, 0, 0, 5, 0);
1477 gtk_table_attach_defaults(GTK_TABLE(counts_tb),
1478 counts[i].percent, 2, 3, i, i + 1);
1480 gtk_widget_show(counts[i].label);
1481 gtk_widget_show(counts[i].value);
1482 gtk_widget_show(counts[i].percent);
1485 /* allow user to either click a stop button, or the close button on
1486 the window to stop a capture in progress. */
1487 stop_bt = gtk_button_new_with_label ("Stop");
1488 gtk_signal_connect(GTK_OBJECT(stop_bt), "clicked",
1489 GTK_SIGNAL_FUNC(capture_stop_cb), (gpointer) &ld);
1490 gtk_signal_connect(GTK_OBJECT(cap_w), "delete_event",
1491 GTK_SIGNAL_FUNC(capture_delete_cb), (gpointer) &ld);
1492 gtk_box_pack_end(GTK_BOX(main_vb), stop_bt, FALSE, FALSE, 3);
1493 GTK_WIDGET_SET_FLAGS(stop_bt, GTK_CAN_DEFAULT);
1494 gtk_widget_grab_default(stop_bt);
1495 GTK_WIDGET_SET_FLAGS(stop_bt, GTK_CAN_DEFAULT);
1496 gtk_widget_grab_default(stop_bt);
1497 gtk_widget_show(stop_bt);
1499 gtk_widget_show(cap_w);
1501 upd_time = time(NULL);
1502 #ifdef MUST_DO_SELECT
1503 if (!ld.from_pipe) pcap_fd = pcap_fileno(pch);
1508 * Catch SIGUSR1, so that we exit cleanly if the parent process
1509 * kills us with it due to the user selecting "Capture->Stop".
1511 signal(SIGUSR1, stop_capture);
1514 while (gtk_events_pending()) gtk_main_iteration();
1519 FD_SET(pipe_fd, &set1);
1521 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1522 if (select(pipe_fd+1, &set1, NULL, NULL, &timeout) != 0) {
1524 * "select()" says we can read from the pipe without blocking; go for
1525 * it. We are not sure we can read a whole record, but at least the
1526 * begninning of one. pipe_dispatch() will block reading the whole
1529 inpkts = pipe_dispatch(pipe_fd, &ld, &hdr);
1536 #ifdef MUST_DO_SELECT
1538 * Sigh. The semantics of the read timeout argument to
1539 * "pcap_open_live()" aren't particularly well specified by
1540 * the "pcap" man page - at least with the BSD BPF code, the
1541 * intent appears to be, at least in part, a way of cutting
1542 * down the number of reads done on a capture, by blocking
1543 * until the buffer fills or a timer expires - and the Linux
1544 * libpcap doesn't actually support it, so we can't use it
1545 * to break out of the "pcap_dispatch()" every 1/4 of a second
1546 * or so. Linux's libpcap is not the only libpcap that doesn't
1547 * support the read timeout.
1549 * Furthermore, at least on Solaris, the bufmod STREAMS module's
1550 * read timeout won't go off if no data has arrived, i.e. it cannot
1551 * be used to guarantee that a read from a DLPI stream will return
1552 * within a specified amount of time regardless of whether any
1553 * data arrives or not.
1555 * Thus, on all platforms other than BSD, we do a "select()" on the
1556 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
1557 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
1559 * "select()", on BPF devices, doesn't work as you might expect;
1560 * at least on some versions of some flavors of BSD, the timer
1561 * doesn't start until a read is done, so it won't expire if
1562 * only a "select()" or "poll()" is posted.
1565 FD_SET(pcap_fd, &set1);
1567 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1568 if (select(pcap_fd+1, &set1, NULL, NULL, &timeout) != 0) {
1570 * "select()" says we can read from it without blocking; go for
1573 inpkts = pcap_dispatch(pch, 1, capture_pcap_cb, (u_char *) &ld);
1577 inpkts = pcap_dispatch(pch, 1, capture_pcap_cb, (u_char *) &ld);
1581 ld.sync_packets += inpkts;
1582 /* Only update once a second so as not to overload slow displays */
1583 cur_time = time(NULL);
1584 if (cur_time > upd_time) {
1585 upd_time = cur_time;
1587 for (i = 0; i < N_COUNTS; i++) {
1588 snprintf(label_str, sizeof(label_str), "%d",
1589 *counts[i].value_ptr);
1591 gtk_label_set(GTK_LABEL(counts[i].value), label_str);
1593 snprintf(label_str, sizeof(label_str), "(%.1f%%)",
1594 pct(*counts[i].value_ptr, ld.counts.total));
1596 gtk_label_set(GTK_LABEL(counts[i].percent), label_str);
1599 /* do sync here, too */
1600 fflush(wtap_dump_file(ld.pdh));
1601 if (capture_child && ld.sync_packets) {
1602 /* This is the child process for a sync mode capture, so send
1603 our parent a message saying we've written out "ld.sync_packets"
1604 packets to the capture file. */
1606 sprintf(tmp, "%d%c", ld.sync_packets, SP_PACKET_COUNT);
1607 write(1, tmp, strlen(tmp));
1608 ld.sync_packets = 0;
1614 get_capture_file_io_error(errmsg, sizeof(errmsg), cfile.save_file, ld.err,
1616 if (capture_child) {
1617 /* Tell the parent, so that they can pop up the message;
1618 we're going to exit, so if we try to pop it up, either
1619 it won't pop up or it'll disappear as soon as we exit. */
1620 send_errmsg_to_parent(errmsg);
1622 /* Just pop up the message ourselves. */
1623 simple_dialog(ESD_TYPE_WARN, NULL, "%s", errmsg);
1626 /* A write failed, so we've already told the user there's a problem;
1627 if the close fails, there's no point in telling them about that
1629 wtap_dump_close(ld.pdh, &err);
1631 if (!wtap_dump_close(ld.pdh, &err)) {
1632 get_capture_file_io_error(errmsg, sizeof(errmsg), cfile.save_file, err,
1634 if (capture_child) {
1635 /* Tell the parent, so that they can pop up the message;
1636 we're going to exit, so if we try to pop it up, either
1637 it won't pop up or it'll disappear as soon as we exit. */
1638 send_errmsg_to_parent(errmsg);
1640 /* Just pop up the message ourselves. */
1641 simple_dialog(ESD_TYPE_WARN, NULL, "%s", errmsg);
1651 /* Get the capture statistics, so we know how many packets were
1653 if (pcap_stats(pch, stats) >= 0)
1654 *stats_known = TRUE;
1656 simple_dialog(ESD_TYPE_WARN, NULL,
1657 "Can't get packet-drop statistics: %s",
1664 /* Shut down windows sockets */
1668 gtk_grab_remove(GTK_WIDGET(cap_w));
1669 gtk_widget_destroy(GTK_WIDGET(cap_w));
1674 /* We can't use the save file, and we have no wtap_dump stream
1675 to close in order to close it, so close the FD directly. */
1676 close(cfile.save_file_fd);
1678 /* We couldn't even start the capture, so get rid of the capture
1680 unlink(cfile.save_file); /* silently ignore error */
1681 g_free(cfile.save_file);
1682 cfile.save_file = NULL;
1683 if (capture_child) {
1684 /* This is the child process for a sync mode capture.
1685 Send the error message to our parent, so they can display a
1686 dialog box containing it. */
1687 send_errmsg_to_parent(errmsg);
1689 /* Display the dialog box ourselves; there's no parent. */
1690 simple_dialog(ESD_TYPE_CRIT, NULL, "%s", errmsg);
1692 if (pch != NULL && !ld.from_pipe)
1699 get_capture_file_io_error(char *errmsg, int errmsglen, const char *fname,
1700 int err, gboolean is_close)
1705 snprintf(errmsg, errmsglen,
1706 "Not all the packets could be written to the file"
1707 " to which the capture was being saved\n"
1708 "(\"%s\") because there is no space left on the file system\n"
1709 "on which that file resides.",
1715 snprintf(errmsg, errmsglen,
1716 "Not all the packets could be written to the file"
1717 " to which the capture was being saved\n"
1718 "(\"%s\") because you are too close to, or over,"
1719 " your disk quota\n"
1720 "on the file system on which that file resides.",
1725 case WTAP_ERR_CANT_CLOSE:
1726 snprintf(errmsg, errmsglen,
1727 "The file to which the capture was being saved"
1728 " couldn't be closed for some unknown reason.");
1731 case WTAP_ERR_SHORT_WRITE:
1732 snprintf(errmsg, errmsglen,
1733 "Not all the packets could be written to the file"
1734 " to which the capture was being saved\n"
1741 snprintf(errmsg, errmsglen,
1742 "The file to which the capture was being saved\n"
1743 "(\"%s\") could not be closed: %s.",
1744 fname, wtap_strerror(err));
1746 snprintf(errmsg, errmsglen,
1747 "An error occurred while writing to the file"
1748 " to which the capture was being saved\n"
1750 fname, wtap_strerror(err));
1757 send_errmsg_to_parent(const char *errmsg)
1759 int msglen = strlen(errmsg);
1760 char lenbuf[10+1+1];
1762 sprintf(lenbuf, "%u%c", msglen, SP_ERROR);
1763 write(1, lenbuf, strlen(lenbuf));
1764 write(1, errmsg, msglen);
1768 pct(gint num, gint denom) {
1770 return (float) num * 100.0 / (float) denom;
1777 stop_capture(int signo)
1783 capture_delete_cb(GtkWidget *w, GdkEvent *event, gpointer data) {
1784 capture_stop_cb(NULL, data);
1788 capture_stop_cb(GtkWidget *w, gpointer data) {
1789 loop_data *ld = (loop_data *) data;
1798 * XXX - find some way of signaling the child in Win32.
1801 if (fork_child != -1)
1802 kill(fork_child, SIGUSR1);
1807 capture_pcap_cb(u_char *user, const struct pcap_pkthdr *phdr,
1809 struct wtap_pkthdr whdr;
1810 loop_data *ld = (loop_data *) user;
1813 if ((++ld->counts.total >= ld->max) && (ld->max > 0))
1818 /* "phdr->ts" may not necessarily be a "struct timeval" - it may
1819 be a "struct bpf_timeval", with member sizes wired to 32
1820 bits - and we may go that way ourselves in the future, so
1821 copy the members individually. */
1822 whdr.ts.tv_sec = phdr->ts.tv_sec;
1823 whdr.ts.tv_usec = phdr->ts.tv_usec;
1824 whdr.caplen = phdr->caplen;
1825 whdr.len = phdr->len;
1826 whdr.pkt_encap = ld->linktype;
1828 /* If this fails, set "ld->go" to FALSE, to stop the capture, and set
1829 "ld->err" to the error. */
1830 if (!wtap_dump(ld->pdh, &whdr, NULL, pd, &err)) {
1836 /* Set the initial payload to the packet length, and the initial
1837 captured payload to the capture length (other protocols may
1838 reduce them if their headers say they're less). */
1840 pi.captured_len = phdr->caplen;
1842 switch (ld->linktype) {
1843 case WTAP_ENCAP_ETHERNET:
1844 capture_eth(pd, 0, &ld->counts);
1846 case WTAP_ENCAP_FDDI:
1847 case WTAP_ENCAP_FDDI_BITSWAPPED:
1848 capture_fddi(pd, &ld->counts);
1850 case WTAP_ENCAP_TOKEN_RING:
1851 capture_tr(pd, 0, &ld->counts);
1853 case WTAP_ENCAP_NULL:
1854 capture_null(pd, &ld->counts);
1856 case WTAP_ENCAP_PPP:
1857 capture_ppp(pd, 0, &ld->counts);
1859 case WTAP_ENCAP_RAW_IP:
1860 capture_raw(pd, &ld->counts);
1862 case WTAP_ENCAP_SLL:
1863 capture_sll(pd, &ld->counts);
1865 case WTAP_ENCAP_LINUX_ATM_CLIP:
1866 capture_clip(pd, &ld->counts);
1868 /* XXX - FreeBSD may append 4-byte ATM pseudo-header to DLT_ATM_RFC1483,
1869 with LLC header following; we should implement it at some
1874 #endif /* HAVE_LIBPCAP */