2 * Synchronisation between Wireshark capture parent and child instances
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
47 #include <wsutil/unicode-utils.h>
50 #ifdef HAVE_SYS_WAIT_H
51 # include <sys/wait.h>
54 #include "capture-pcap-util.h"
58 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
59 * macros) on UNIX systems that don't have them.
62 # define WIFEXITED(status) (((status) & 0177) == 0)
65 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
68 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
71 # define WEXITSTATUS(status) ((status) >> 8)
74 # define WTERMSIG(status) ((status) & 0177)
77 # define WCOREDUMP(status) ((status) & 0200)
80 # define WSTOPSIG(status) ((status) >> 8)
84 #include <epan/packet.h>
85 #include <epan/prefs.h>
89 #include <epan/filesystem.h>
90 #include <epan/report_err.h>
93 #include "capture_sync.h"
95 #include "sync_pipe.h"
98 #include "capture-wpcap.h"
101 #include <wsutil/file_util.h>
105 #include <process.h> /* For spawning child process */
111 static const char *sync_pipe_signame(int);
115 static gboolean sync_pipe_input_cb(gint source, gpointer user_data);
116 static int sync_pipe_wait_for_child(int fork_child, gchar **msgp);
117 static void pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len);
118 static int pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
123 /* Append an arg (realloc) to an argc/argv array */
124 /* (add a string pointer to a NULL-terminated array of string pointers) */
126 sync_pipe_add_arg(const char **args, int *argc, const char *arg)
128 /* Grow the array; "*argc" currently contains the number of string
129 pointers, *not* counting the NULL pointer at the end, so we have
130 to add 2 in order to get the new size of the array, including the
131 new pointer and the terminating NULL pointer. */
132 args = g_realloc( (gpointer) args, (*argc + 2) * sizeof (char *));
134 /* Stuff the pointer into the penultimate element of the array, which
135 is the one at the index specified by "*argc". */
136 args[*argc] = g_strdup(arg);
137 /* Now bump the count. */
140 /* We overwrite the NULL pointer; put it back right after the
150 /* Quote the argument element if necessary, so that it will get
151 * reconstructed correctly in the C runtime startup code. Note that
152 * the unquoting algorithm in the C runtime is really weird, and
153 * rather different than what Unix shells do. See stdargv.c in the C
154 * runtime sources (in the Platform SDK, in src/crt).
156 * Stolen from GLib's protect_argv(), an internal routine that quotes
157 * string in an argument list so that they arguments will be handled
158 * correctly in the command-line string passed to CreateProcess()
159 * if that string is constructed by gluing those strings together.
162 protect_arg (const gchar *argv)
165 const gchar *p = argv;
168 gboolean need_dblquotes = FALSE;
171 if (*p == ' ' || *p == '\t')
172 need_dblquotes = TRUE;
175 else if (*p == '\\') {
178 while (*pp && *pp == '\\')
187 q = new_arg = g_malloc (len + need_dblquotes*2 + 1);
196 else if (*p == '\\') {
199 while (*pp && *pp == '\\')
216 * Generate a string for a Win32 error.
218 #define ERRBUF_SIZE 1024
220 win32strerror(DWORD error)
222 static char errbuf[ERRBUF_SIZE+1];
226 FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, 0, errbuf,
230 * "FormatMessage()" "helpfully" sticks CR/LF at the end of the
231 * message. Get rid of it.
233 errlen = strlen(errbuf);
235 errbuf[errlen - 1] = '\0';
236 errbuf[errlen - 2] = '\0';
238 p = strchr(errbuf, '\0');
239 g_snprintf(p, (gulong)(sizeof errbuf - (p-errbuf)), " (%lu)", error);
244 * Generate a string for a Win32 exception code.
247 win32strexception(DWORD exception)
249 static char errbuf[ERRBUF_SIZE+1];
250 static const struct exception_msg {
254 { EXCEPTION_ACCESS_VIOLATION, "Access violation" },
255 { EXCEPTION_ARRAY_BOUNDS_EXCEEDED, "Array bounds exceeded" },
256 { EXCEPTION_BREAKPOINT, "Breakpoint" },
257 { EXCEPTION_DATATYPE_MISALIGNMENT, "Data type misalignment" },
258 { EXCEPTION_FLT_DENORMAL_OPERAND, "Denormal floating-point operand" },
259 { EXCEPTION_FLT_DIVIDE_BY_ZERO, "Floating-point divide by zero" },
260 { EXCEPTION_FLT_INEXACT_RESULT, "Floating-point inexact result" },
261 { EXCEPTION_FLT_INVALID_OPERATION, "Invalid floating-point operation" },
262 { EXCEPTION_FLT_OVERFLOW, "Floating-point overflow" },
263 { EXCEPTION_FLT_STACK_CHECK, "Floating-point stack check" },
264 { EXCEPTION_FLT_UNDERFLOW, "Floating-point underflow" },
265 { EXCEPTION_GUARD_PAGE, "Guard page violation" },
266 { EXCEPTION_ILLEGAL_INSTRUCTION, "Illegal instruction" },
267 { EXCEPTION_IN_PAGE_ERROR, "Page-in error" },
268 { EXCEPTION_INT_DIVIDE_BY_ZERO, "Integer divide by zero" },
269 { EXCEPTION_INT_OVERFLOW, "Integer overflow" },
270 { EXCEPTION_INVALID_DISPOSITION, "Invalid disposition" },
271 { EXCEPTION_INVALID_HANDLE, "Invalid handle" },
272 { EXCEPTION_NONCONTINUABLE_EXCEPTION, "Non-continuable exception" },
273 { EXCEPTION_PRIV_INSTRUCTION, "Privileged instruction" },
274 { EXCEPTION_SINGLE_STEP, "Single-step complete" },
275 { EXCEPTION_STACK_OVERFLOW, "Stack overflow" },
278 #define N_EXCEPTIONS (sizeof exceptions / sizeof exceptions[0])
281 for (i = 0; i < N_EXCEPTIONS; i++) {
282 if (exceptions[i].code == exception)
283 return exceptions[i].msg;
285 g_snprintf(errbuf, (gulong)sizeof errbuf, "Exception 0x%08x", exception);
290 /* Initialize an argument list and add dumpcap to it. */
292 init_pipe_args(int *argc) {
294 const char *progfile_dir;
297 progfile_dir = get_progfile_dir();
298 if (progfile_dir == NULL) {
302 /* Allocate the string pointer array with enough space for the
303 terminating NULL pointer. */
305 argv = g_malloc(sizeof (char *));
308 /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
309 exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
311 /* Make that the first argument in the argument list (argv[0]). */
312 argv = sync_pipe_add_arg(argv, argc, exename);
317 #define ARGV_NUMBER_LEN 24
318 /* a new capture run: start a new dumpcap task and hand over parameters through command line */
320 sync_pipe_start(capture_options *capture_opts) {
321 char ssnap[ARGV_NUMBER_LEN];
322 char sdlt[ARGV_NUMBER_LEN];
323 char scount[ARGV_NUMBER_LEN];
324 char sfilesize[ARGV_NUMBER_LEN];
325 char sfile_duration[ARGV_NUMBER_LEN];
326 char sring_num_files[ARGV_NUMBER_LEN];
327 char sautostop_files[ARGV_NUMBER_LEN];
328 char sautostop_filesize[ARGV_NUMBER_LEN];
329 char sautostop_duration[ARGV_NUMBER_LEN];
330 #ifdef HAVE_PCAP_REMOTE
333 #ifdef HAVE_PCAP_SETSAMPLING
334 char ssampling[ARGV_NUMBER_LEN];
337 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
338 char buffer_size[ARGV_NUMBER_LEN];
342 HANDLE sync_pipe_read; /* pipe used to send messages from child to parent */
343 HANDLE sync_pipe_write; /* pipe used to send messages from child to parent */
344 HANDLE signal_pipe; /* named pipe used to send messages from parent to child (currently only stop) */
345 GString *args = g_string_sized_new(200);
347 SECURITY_ATTRIBUTES sa;
349 PROCESS_INFORMATION pi;
350 char control_id[ARGV_NUMBER_LEN];
351 gchar *signal_pipe_name;
354 int sync_pipe[2]; /* pipe used to send messages from child to parent */
355 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
357 int sync_pipe_read_fd;
362 interface_options interface_opts;
364 if (capture_opts->ifaces->len > 1)
365 capture_opts->use_pcapng = TRUE;
366 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_start");
367 capture_opts_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, capture_opts);
369 capture_opts->fork_child = -1;
371 argv = init_pipe_args(&argc);
373 /* We don't know where to find dumpcap. */
374 report_failure("We don't know where to find dumpcap.");
378 if (capture_opts->ifaces->len > 1)
379 argv = sync_pipe_add_arg(argv, &argc, "-t");
381 if (capture_opts->use_pcapng)
382 argv = sync_pipe_add_arg(argv, &argc, "-n");
384 argv = sync_pipe_add_arg(argv, &argc, "-P");
386 if (capture_opts->multi_files_on) {
387 if (capture_opts->has_autostop_filesize) {
388 argv = sync_pipe_add_arg(argv, &argc, "-b");
389 g_snprintf(sfilesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
390 argv = sync_pipe_add_arg(argv, &argc, sfilesize);
393 if (capture_opts->has_file_duration) {
394 argv = sync_pipe_add_arg(argv, &argc, "-b");
395 g_snprintf(sfile_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->file_duration);
396 argv = sync_pipe_add_arg(argv, &argc, sfile_duration);
399 if (capture_opts->has_ring_num_files) {
400 argv = sync_pipe_add_arg(argv, &argc, "-b");
401 g_snprintf(sring_num_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->ring_num_files);
402 argv = sync_pipe_add_arg(argv, &argc, sring_num_files);
405 if (capture_opts->has_autostop_files) {
406 argv = sync_pipe_add_arg(argv, &argc, "-a");
407 g_snprintf(sautostop_files, ARGV_NUMBER_LEN, "files:%d",capture_opts->autostop_files);
408 argv = sync_pipe_add_arg(argv, &argc, sautostop_files);
411 if (capture_opts->has_autostop_filesize) {
412 argv = sync_pipe_add_arg(argv, &argc, "-a");
413 g_snprintf(sautostop_filesize, ARGV_NUMBER_LEN, "filesize:%d",capture_opts->autostop_filesize);
414 argv = sync_pipe_add_arg(argv, &argc, sautostop_filesize);
418 if (capture_opts->has_autostop_packets) {
419 argv = sync_pipe_add_arg(argv, &argc, "-c");
420 g_snprintf(scount, ARGV_NUMBER_LEN, "%d",capture_opts->autostop_packets);
421 argv = sync_pipe_add_arg(argv, &argc, scount);
424 if (capture_opts->has_autostop_duration) {
425 argv = sync_pipe_add_arg(argv, &argc, "-a");
426 g_snprintf(sautostop_duration, ARGV_NUMBER_LEN, "duration:%d",capture_opts->autostop_duration);
427 argv = sync_pipe_add_arg(argv, &argc, sautostop_duration);
430 for (j = 0; j < capture_opts->ifaces->len; j++) {
431 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
433 argv = sync_pipe_add_arg(argv, &argc, "-i");
434 argv = sync_pipe_add_arg(argv, &argc, interface_opts.name);
436 if (interface_opts.cfilter != NULL && strlen(interface_opts.cfilter) != 0) {
437 argv = sync_pipe_add_arg(argv, &argc, "-f");
438 argv = sync_pipe_add_arg(argv, &argc, interface_opts.cfilter);
440 if (interface_opts.snaplen != WTAP_MAX_PACKET_SIZE) {
441 argv = sync_pipe_add_arg(argv, &argc, "-s");
442 g_snprintf(ssnap, ARGV_NUMBER_LEN, "%d", interface_opts.snaplen);
443 argv = sync_pipe_add_arg(argv, &argc, ssnap);
446 if (interface_opts.linktype != -1) {
447 argv = sync_pipe_add_arg(argv, &argc, "-y");
448 g_snprintf(sdlt, ARGV_NUMBER_LEN, "%s", linktype_val_to_name(interface_opts.linktype));
449 argv = sync_pipe_add_arg(argv, &argc, sdlt);
452 if (!interface_opts.promisc_mode) {
453 argv = sync_pipe_add_arg(argv, &argc, "-p");
456 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
457 if (interface_opts.buffer_size != 1) {
458 argv = sync_pipe_add_arg(argv, &argc, "-B");
459 g_snprintf(buffer_size, ARGV_NUMBER_LEN, "%d", interface_opts.buffer_size);
460 argv = sync_pipe_add_arg(argv, &argc, buffer_size);
464 if (interface_opts.monitor_mode) {
465 argv = sync_pipe_add_arg(argv, &argc, "-I");
468 #ifdef HAVE_PCAP_REMOTE
469 if (interface_opts.datatx_udp)
470 argv = sync_pipe_add_arg(argv, &argc, "-u");
472 if (!interface_opts.nocap_rpcap)
473 argv = sync_pipe_add_arg(argv, &argc, "-r");
475 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
476 argv = sync_pipe_add_arg(argv, &argc, "-A");
477 g_snprintf(sauth, sizeof(sauth), "%s:%s",
478 interface_opts.auth_username,
479 interface_opts.auth_password);
480 argv = sync_pipe_add_arg(argv, &argc, sauth);
484 #ifdef HAVE_PCAP_SETSAMPLING
485 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
486 argv = sync_pipe_add_arg(argv, &argc, "-m");
487 g_snprintf(ssampling, ARGV_NUMBER_LEN, "%s:%d",
488 interface_opts.sampling_method == CAPTURE_SAMP_BY_COUNT ? "count" :
489 interface_opts.sampling_method == CAPTURE_SAMP_BY_TIMER ? "timer" :
491 interface_opts.sampling_param);
492 argv = sync_pipe_add_arg(argv, &argc, ssampling);
497 /* dumpcap should be running in capture child mode (hidden feature) */
499 argv = sync_pipe_add_arg(argv, &argc, "-Z");
501 g_snprintf(control_id, ARGV_NUMBER_LEN, "%d", GetCurrentProcessId());
502 argv = sync_pipe_add_arg(argv, &argc, control_id);
504 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
508 if (capture_opts->save_file) {
509 argv = sync_pipe_add_arg(argv, &argc, "-w");
510 argv = sync_pipe_add_arg(argv, &argc, capture_opts->save_file);
512 for (i = 0; i < argc; i++) {
513 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "argv[%d]: %s", i, argv[i]);
517 /* init SECURITY_ATTRIBUTES */
518 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
519 sa.bInheritHandle = TRUE;
520 sa.lpSecurityDescriptor = NULL;
522 /* Create a pipe for the child process */
523 /* (increase this value if you have trouble while fast capture file switches) */
524 if (! CreatePipe(&sync_pipe_read, &sync_pipe_write, &sa, 5120)) {
525 /* Couldn't create the pipe between parent and child. */
526 report_failure("Couldn't create sync pipe: %s",
527 win32strerror(GetLastError()));
528 for (i = 0; i < argc; i++) {
529 g_free( (gpointer) argv[i]);
531 g_free( (gpointer) argv);
535 /* Create the signal pipe */
536 signal_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, control_id);
537 signal_pipe = CreateNamedPipe(utf_8to16(signal_pipe_name),
538 PIPE_ACCESS_OUTBOUND, PIPE_TYPE_BYTE, 1, 65535, 65535, 0, NULL);
539 g_free(signal_pipe_name);
541 if (signal_pipe == INVALID_HANDLE_VALUE) {
542 /* Couldn't create the signal pipe between parent and child. */
543 report_failure("Couldn't create signal pipe: %s",
544 win32strerror(GetLastError()));
545 for (i = 0; i < argc; i++) {
546 g_free( (gpointer) argv[i]);
548 g_free( (gpointer) argv);
552 /* init STARTUPINFO */
553 memset(&si, 0, sizeof(si));
556 si.dwFlags = STARTF_USESHOWWINDOW;
557 si.wShowWindow = SW_SHOW;
559 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
560 si.wShowWindow = SW_HIDE; /* this hides the console window */
561 si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
562 si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
563 si.hStdError = sync_pipe_write;
564 /*si.hStdError = (HANDLE) _get_osfhandle(2);*/
567 /* convert args array into a single string */
568 /* XXX - could change sync_pipe_add_arg() instead */
569 /* there is a drawback here: the length is internally limited to 1024 bytes */
570 for(i=0; argv[i] != 0; i++) {
571 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
572 quoted_arg = protect_arg(argv[i]);
573 g_string_append(args, quoted_arg);
578 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
579 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
580 report_failure("Couldn't run %s in child process: %s",
581 args->str, win32strerror(GetLastError()));
582 CloseHandle(sync_pipe_read);
583 CloseHandle(sync_pipe_write);
584 for (i = 0; i < argc; i++) {
585 g_free( (gpointer) argv[i]);
587 g_free( (gpointer) argv);
590 capture_opts->fork_child = (int) pi.hProcess;
591 g_string_free(args, TRUE);
593 /* associate the operating system filehandle to a C run-time file handle */
594 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
595 sync_pipe_read_fd = _open_osfhandle( (long) sync_pipe_read, _O_BINARY);
597 /* associate the operating system filehandle to a C run-time file handle */
598 capture_opts->signal_pipe_write_fd = _open_osfhandle( (long) signal_pipe, _O_BINARY);
601 if (pipe(sync_pipe) < 0) {
602 /* Couldn't create the pipe between parent and child. */
603 report_failure("Couldn't create sync pipe: %s", g_strerror(errno));
604 for (i = 0; i < argc; i++) {
605 g_free( (gpointer) argv[i]);
611 if ((capture_opts->fork_child = fork()) == 0) {
613 * Child process - run dumpcap with the right arguments to make
614 * it just capture with the specified capture parameters
616 dup2(sync_pipe[PIPE_WRITE], 2);
617 ws_close(sync_pipe[PIPE_READ]);
618 execv(argv[0], (gpointer)argv);
619 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
620 argv[0], g_strerror(errno));
621 sync_pipe_errmsg_to_parent(2, errmsg, "");
623 /* Exit with "_exit()", so that we don't close the connection
624 to the X server (and cause stuff buffered up by our parent but
625 not yet sent to be sent, as that stuff should only be sent by
626 our parent). We've sent an error message to the parent, so
627 we exit with an exit status of 1 (any exit status other than
628 0 or 1 will cause an additional message to report that exit
629 status, over and above the error message we sent to the parent). */
633 sync_pipe_read_fd = sync_pipe[PIPE_READ];
636 for (i = 0; i < argc; i++) {
637 g_free( (gpointer) argv[i]);
640 /* Parent process - read messages from the child process over the
642 g_free( (gpointer) argv); /* free up arg array */
644 /* Close the write side of the pipe, so that only the child has it
645 open, and thus it completely closes, and thus returns to us
646 an EOF indication, if the child closes it (either deliberately
647 or by exiting abnormally). */
649 CloseHandle(sync_pipe_write);
651 ws_close(sync_pipe[PIPE_WRITE]);
654 if (capture_opts->fork_child == -1) {
655 /* We couldn't even create the child process. */
656 report_failure("Couldn't create child process: %s", g_strerror(errno));
657 ws_close(sync_pipe_read_fd);
659 ws_close(capture_opts->signal_pipe_write_fd);
664 capture_opts->fork_child_status = 0;
666 /* we might wait for a moment till child is ready, so update screen now */
667 main_window_update();
669 /* We were able to set up to read the capture file;
670 arrange that our callback be called whenever it's possible
671 to read from the sync pipe, so that it's called when
672 the child process wants to tell us something. */
674 /* we have a running capture, now wait for the real capture filename */
675 pipe_input_set_handler(sync_pipe_read_fd, (gpointer) capture_opts,
676 &capture_opts->fork_child, sync_pipe_input_cb);
682 * Open two pipes to dumpcap with the supplied arguments, one for its
683 * standard output and one for its standard error.
685 * On success, *msg is unchanged and 0 is returned; data_read_fd,
686 * messsage_read_fd, and fork_child point to the standard output pipe's
687 * file descriptor, the standard error pipe's file descriptor, and
688 * the child's PID/handle, respectively.
690 * On failure, *msg points to an error message for the failure, and -1 is
691 * returned, in which case *msg must be freed with g_free().
693 /* XXX - This duplicates a lot of code in sync_pipe_start() */
694 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
695 #define PIPE_BUF_SIZE 5120
697 sync_pipe_open_command(const char** argv, int *data_read_fd,
698 int *message_read_fd, int *fork_child, gchar **msg)
700 enum PIPES { PIPE_READ, PIPE_WRITE }; /* Constants 0 and 1 for PIPE_READ and PIPE_WRITE */
702 HANDLE sync_pipe[2]; /* pipe used to send messages from child to parent */
703 HANDLE data_pipe[2]; /* pipe used to send data from child to parent */
704 GString *args = g_string_sized_new(200);
706 SECURITY_ATTRIBUTES sa;
708 PROCESS_INFORMATION pi;
711 int sync_pipe[2]; /* pipe used to send messages from child to parent */
712 int data_pipe[2]; /* pipe used to send data from child to parent */
717 *message_read_fd = -1;
718 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_open_command");
721 /* We can't return anything */
723 g_string_free(args, TRUE);
729 /* init SECURITY_ATTRIBUTES */
730 sa.nLength = sizeof(SECURITY_ATTRIBUTES);
731 sa.bInheritHandle = TRUE;
732 sa.lpSecurityDescriptor = NULL;
734 /* Create a pipe for the child process to send us messages */
735 /* (increase this value if you have trouble while fast capture file switches) */
736 if (! CreatePipe(&sync_pipe[PIPE_READ], &sync_pipe[PIPE_WRITE], &sa, 5120)) {
737 /* Couldn't create the message pipe between parent and child. */
738 *msg = g_strdup_printf("Couldn't create sync pipe: %s",
739 win32strerror(GetLastError()));
740 for (i = 0; argv[i] != NULL; i++) {
741 g_free( (gpointer) argv[i]);
743 g_free( (gpointer) argv);
747 /* Create a pipe for the child process to send us data */
748 /* (increase this value if you have trouble while fast capture file switches) */
749 if (! CreatePipe(&data_pipe[PIPE_READ], &data_pipe[PIPE_WRITE], &sa, 5120)) {
750 /* Couldn't create the message pipe between parent and child. */
751 *msg = g_strdup_printf("Couldn't create data pipe: %s",
752 win32strerror(GetLastError()));
753 CloseHandle(sync_pipe[PIPE_READ]);
754 CloseHandle(sync_pipe[PIPE_WRITE]);
755 for (i = 0; argv[i] != NULL; i++) {
756 g_free( (gpointer) argv[i]);
758 g_free( (gpointer) argv);
762 /* init STARTUPINFO */
763 memset(&si, 0, sizeof(si));
766 si.dwFlags = STARTF_USESHOWWINDOW;
767 si.wShowWindow = SW_SHOW;
769 si.dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW;
770 si.wShowWindow = SW_HIDE; /* this hides the console window */
772 si.hStdOutput = data_pipe[PIPE_WRITE];
773 si.hStdError = sync_pipe[PIPE_WRITE];
776 /* convert args array into a single string */
777 /* XXX - could change sync_pipe_add_arg() instead */
778 /* there is a drawback here: the length is internally limited to 1024 bytes */
779 for(i=0; argv[i] != 0; i++) {
780 if(i != 0) g_string_append_c(args, ' '); /* don't prepend a space before the path!!! */
781 quoted_arg = protect_arg(argv[i]);
782 g_string_append(args, quoted_arg);
787 if(!CreateProcess(NULL, utf_8to16(args->str), NULL, NULL, TRUE,
788 CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
789 *msg = g_strdup_printf("Couldn't run %s in child process: %s",
790 args->str, win32strerror(GetLastError()));
791 CloseHandle(data_pipe[PIPE_READ]);
792 CloseHandle(data_pipe[PIPE_WRITE]);
793 CloseHandle(sync_pipe[PIPE_READ]);
794 CloseHandle(sync_pipe[PIPE_WRITE]);
795 for (i = 0; argv[i] != NULL; i++) {
796 g_free( (gpointer) argv[i]);
798 g_free( (gpointer) argv);
801 *fork_child = (int) pi.hProcess;
802 g_string_free(args, TRUE);
804 /* associate the operating system filehandles to C run-time file handles */
805 /* (good file handle infos at: http://www.flounder.com/handles.htm) */
806 *data_read_fd = _open_osfhandle( (long) data_pipe[PIPE_READ], _O_BINARY);
807 *message_read_fd = _open_osfhandle( (long) sync_pipe[PIPE_READ], _O_BINARY);
809 /* Create a pipe for the child process to send us messages */
810 if (pipe(sync_pipe) < 0) {
811 /* Couldn't create the message pipe between parent and child. */
812 *msg = g_strdup_printf("Couldn't create sync pipe: %s", g_strerror(errno));
813 for (i = 0; argv[i] != NULL; i++) {
814 g_free( (gpointer) argv[i]);
820 /* Create a pipe for the child process to send us data */
821 if (pipe(data_pipe) < 0) {
822 /* Couldn't create the data pipe between parent and child. */
823 *msg = g_strdup_printf("Couldn't create data pipe: %s", g_strerror(errno));
824 ws_close(sync_pipe[PIPE_READ]);
825 ws_close(sync_pipe[PIPE_WRITE]);
826 for (i = 0; argv[i] != NULL; i++) {
827 g_free( (gpointer) argv[i]);
833 if ((*fork_child = fork()) == 0) {
835 * Child process - run dumpcap with the right arguments to make
836 * it just capture with the specified capture parameters
838 dup2(data_pipe[PIPE_WRITE], 1);
839 ws_close(data_pipe[PIPE_READ]);
840 ws_close(data_pipe[PIPE_WRITE]);
841 dup2(sync_pipe[PIPE_WRITE], 2);
842 ws_close(sync_pipe[PIPE_READ]);
843 ws_close(sync_pipe[PIPE_WRITE]);
844 execv(argv[0], (gpointer)argv);
845 g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
846 argv[0], g_strerror(errno));
847 sync_pipe_errmsg_to_parent(2, errmsg, "");
849 /* Exit with "_exit()", so that we don't close the connection
850 to the X server (and cause stuff buffered up by our parent but
851 not yet sent to be sent, as that stuff should only be sent by
852 our parent). We've sent an error message to the parent, so
853 we exit with an exit status of 1 (any exit status other than
854 0 or 1 will cause an additional message to report that exit
855 status, over and above the error message we sent to the parent). */
859 *data_read_fd = data_pipe[PIPE_READ];
860 *message_read_fd = sync_pipe[PIPE_READ];
863 for (i = 0; argv[i] != NULL; i++) {
864 g_free( (gpointer) argv[i]);
867 /* Parent process - read messages from the child process over the
869 g_free( (gpointer) argv); /* free up arg array */
871 /* Close the write sides of the pipes, so that only the child has them
872 open, and thus they completely close, and thus return to us
873 an EOF indication, if the child closes them (either deliberately
874 or by exiting abnormally). */
876 CloseHandle(data_pipe[PIPE_WRITE]);
877 CloseHandle(sync_pipe[PIPE_WRITE]);
879 ws_close(data_pipe[PIPE_WRITE]);
880 ws_close(sync_pipe[PIPE_WRITE]);
883 if (*fork_child == -1) {
884 /* We couldn't even create the child process. */
885 *msg = g_strdup_printf("Couldn't create child process: %s", g_strerror(errno));
886 ws_close(*data_read_fd);
887 ws_close(*message_read_fd);
891 /* we might wait for a moment till child is ready, so update screen now */
892 main_window_update();
897 * Wait for dumpcap to finish. On success, *msg is unchanged, and 0 is
898 * returned. On failure, *msg points to an error message for the
899 * failure, and -1 is returned. In the latter case, *msg must be
900 * freed with g_free().
903 sync_pipe_close_command(int *data_read_fd, int *message_read_fd,
904 int *fork_child, gchar **msg)
906 ws_close(*data_read_fd);
907 if (message_read_fd != NULL)
908 ws_close(*message_read_fd);
911 /* XXX - Should we signal the child somehow? */
912 sync_pipe_kill(*fork_child);
915 return sync_pipe_wait_for_child(*fork_child, msg);
919 * Run dumpcap with the supplied arguments.
921 * On success, *data points to a buffer containing the dumpcap output,
922 * *primary_msg and *secondary_message are NULL, and 0 is returned; *data
923 * must be freed with g_free().
925 * On failure, *data is NULL, *primary_msg points to an error message,
926 * *secondary_msg either points to an additional error message or is
927 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
928 * must be freed with g_free().
930 /* XXX - This duplicates a lot of code in sync_pipe_start() */
931 /* XXX - assumes PIPE_BUF_SIZE > SP_MAX_MSG_LEN */
932 #define PIPE_BUF_SIZE 5120
934 sync_pipe_run_command(const char** argv, gchar **data, gchar **primary_msg,
935 gchar **secondary_msg)
938 int data_pipe_read_fd, sync_pipe_read_fd, fork_child, ret;
940 gchar buffer[PIPE_BUF_SIZE+1];
944 char *primary_msg_text;
945 int secondary_msg_len;
946 char *secondary_msg_text;
948 GString *data_buf = NULL;
951 ret = sync_pipe_open_command(argv, &data_pipe_read_fd, &sync_pipe_read_fd,
955 *secondary_msg = NULL;
961 * We were able to set up to read dumpcap's output. Do so.
963 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
965 nread = pipe_read_block(sync_pipe_read_fd, &indicator, SP_MAX_MSG_LEN,
966 buffer, primary_msg);
968 /* We got a read error from the sync pipe, or we got no data at
969 all from the sync pipe, so we're not going to be getting any
970 data or error message from the child process. Pick up its
971 exit status, and complain.
973 We don't have to worry about killing the child, if the sync pipe
974 returned an error. Usually this error is caused as the child killed
975 itself while going down. Even in the rare cases that this isn't the
976 case, the child will get an error when writing to the broken pipe
977 the next time, cleaning itself up then. */
978 ret = sync_pipe_wait_for_child(fork_child, &wait_msg);
980 /* We got an EOF from the sync pipe. That means that it exited
981 before giving us any data to read. If ret is -1, we report
982 that as a bad exit (e.g., exiting due to a signal); otherwise,
983 we report it as a premature exit. */
985 *primary_msg = wait_msg;
987 *primary_msg = g_strdup("Child dumpcap closed sync pipe prematurely");
989 /* We got an error from the sync pipe. If ret is -1, report
990 both the sync pipe I/O error and the wait error. */
992 combined_msg = g_strdup_printf("%s\n\n%s", *primary_msg, wait_msg);
993 g_free(*primary_msg);
995 *primary_msg = combined_msg;
998 *secondary_msg = NULL;
1003 /* we got a valid message block from the child, process it */
1008 * Error from dumpcap; there will be a primary message and a
1009 * secondary message.
1012 /* convert primary message */
1013 pipe_convert_header(buffer, 4, &indicator, &primary_msg_len);
1014 primary_msg_text = buffer+4;
1015 /* convert secondary message */
1016 pipe_convert_header(primary_msg_text + primary_msg_len, 4, &indicator,
1017 &secondary_msg_len);
1018 secondary_msg_text = primary_msg_text + primary_msg_len + 4;
1019 /* the capture child will close the sync_pipe, nothing to do */
1022 * Pick up the child status.
1024 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1028 * Child process failed unexpectedly, or wait failed; msg is the
1032 *secondary_msg = NULL;
1035 * Child process failed, but returned the expected exit status.
1036 * Return the messages it gave us, and indicate failure.
1038 *primary_msg = g_strdup(primary_msg_text);
1039 *secondary_msg = g_strdup(secondary_msg_text);
1046 /* read the output from the command */
1047 data_buf = g_string_new("");
1048 while ((count = ws_read(data_pipe_read_fd, buffer, PIPE_BUF_SIZE)) > 0) {
1049 buffer[count] = '\0';
1050 g_string_append(data_buf, buffer);
1054 * Pick up the child status.
1056 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1060 * Child process failed unexpectedly, or wait failed; msg is the
1064 *secondary_msg = NULL;
1065 g_string_free(data_buf, TRUE);
1069 * Child process succeeded.
1071 *primary_msg = NULL;
1072 *secondary_msg = NULL;
1073 *data = data_buf->str;
1074 g_string_free(data_buf, FALSE);
1080 * Pick up the child status.
1082 ret = sync_pipe_close_command(&data_pipe_read_fd, &sync_pipe_read_fd,
1086 * Child process failed unexpectedly, or wait failed; msg is the
1090 *secondary_msg = NULL;
1093 * Child process returned an unknown status.
1095 *primary_msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1097 *secondary_msg = NULL;
1107 * Get the list of interfaces using dumpcap.
1109 * On success, *data points to a buffer containing the dumpcap output,
1110 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1111 * must be freed with g_free().
1113 * On failure, *data is NULL, *primary_msg points to an error message,
1114 * *secondary_msg either points to an additional error message or is
1115 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1116 * must be freed with g_free().
1119 sync_interface_list_open(gchar **data, gchar **primary_msg,
1120 gchar **secondary_msg)
1125 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_list_open");
1127 argv = init_pipe_args(&argc);
1130 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1131 *secondary_msg = NULL;
1136 /* Ask for the interface list */
1137 argv = sync_pipe_add_arg(argv, &argc, "-D");
1140 /* Run dumpcap in capture child mode */
1141 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1142 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1144 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1148 * Get the capabilities of an interface using dumpcap.
1150 * On success, *data points to a buffer containing the dumpcap output,
1151 * *primary_msg and *secondary_msg are NULL, and 0 is returned. *data
1152 * must be freed with g_free().
1154 * On failure, *data is NULL, *primary_msg points to an error message,
1155 * *secondary_msg either points to an additional error message or is
1156 * NULL, and -1 is returned; *primary_msg, and *secondary_msg if not NULL,
1157 * must be freed with g_free().
1160 sync_if_capabilities_open(const gchar *ifname, gboolean monitor_mode,
1161 gchar **data, gchar **primary_msg,
1162 gchar **secondary_msg)
1167 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_linktype_list_open");
1169 argv = init_pipe_args(&argc);
1172 *primary_msg = g_strdup("We don't know where to find dumpcap.");
1173 *secondary_msg = NULL;
1178 /* Ask for the interface capabilities */
1179 argv = sync_pipe_add_arg(argv, &argc, "-i");
1180 argv = sync_pipe_add_arg(argv, &argc, ifname);
1181 argv = sync_pipe_add_arg(argv, &argc, "-L");
1183 argv = sync_pipe_add_arg(argv, &argc, "-I");
1186 /* Run dumpcap in capture child mode */
1187 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1188 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1190 return sync_pipe_run_command(argv, data, primary_msg, secondary_msg);
1194 * Start getting interface statistics using dumpcap. On success, read_fd
1195 * contains the file descriptor for the pipe's stdout, *msg is unchanged,
1196 * and zero is returned. On failure, *msg will point to an error message
1197 * that must be g_free()d, and -1 will be returned.
1200 sync_interface_stats_open(int *data_read_fd, int *fork_child, gchar **msg)
1204 int message_read_fd, ret;
1206 gchar buffer[PIPE_BUF_SIZE+1];
1209 int primary_msg_len;
1210 char *primary_msg_text;
1211 int secondary_msg_len;
1212 /*char *secondary_msg_text;*/
1215 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_interface_stats_open");
1217 argv = init_pipe_args(&argc);
1220 *msg = g_strdup("We don't know where to find dumpcap.");
1224 /* Ask for the interface statistics */
1225 argv = sync_pipe_add_arg(argv, &argc, "-S");
1228 argv = sync_pipe_add_arg(argv, &argc, "-Z");
1229 argv = sync_pipe_add_arg(argv, &argc, SIGNAL_PIPE_CTRL_ID_NONE);
1231 ret = sync_pipe_open_command(argv, data_read_fd, &message_read_fd,
1237 * We were able to set up to read dumpcap's output. Do so.
1239 * First, wait for an SP_ERROR_MSG message or SP_SUCCESS message.
1241 nread = pipe_read_block(message_read_fd, &indicator, SP_MAX_MSG_LEN,
1244 /* We got a read error from the sync pipe, or we got no data at
1245 all from the sync pipe, so we're not going to be getting any
1246 data or error message from the child process. Pick up its
1247 exit status, and complain.
1249 We don't have to worry about killing the child, if the sync pipe
1250 returned an error. Usually this error is caused as the child killed
1251 itself while going down. Even in the rare cases that this isn't the
1252 case, the child will get an error when writing to the broken pipe
1253 the next time, cleaning itself up then. */
1254 ret = sync_pipe_wait_for_child(*fork_child, &wait_msg);
1256 /* We got an EOF from the sync pipe. That means that it exited
1257 before giving us any data to read. If ret is -1, we report
1258 that as a bad exit (e.g., exiting due to a signal); otherwise,
1259 we report it as a premature exit. */
1263 *msg = g_strdup("Child dumpcap closed sync pipe prematurely");
1265 /* We got an error from the sync pipe. If ret is -1, report
1266 both the sync pipe I/O error and the wait error. */
1268 combined_msg = g_strdup_printf("%s\n\n%s", *msg, wait_msg);
1271 *msg = combined_msg;
1278 /* we got a valid message block from the child, process it */
1283 * Error from dumpcap; there will be a primary message and a
1284 * secondary message.
1287 /* convert primary message */
1288 pipe_convert_header(buffer, 4, &indicator, &primary_msg_len);
1289 primary_msg_text = buffer+4;
1290 /* convert secondary message */
1291 pipe_convert_header(primary_msg_text + primary_msg_len, 4, &indicator,
1292 &secondary_msg_len);
1293 /*secondary_msg_text = primary_msg_text + primary_msg_len + 4;*/
1294 /* the capture child will close the sync_pipe, nothing to do */
1297 * Pick up the child status.
1299 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1303 * Child process failed unexpectedly, or wait failed; msg is the
1308 * Child process failed, but returned the expected exit status.
1309 * Return the messages it gave us, and indicate failure.
1311 *msg = g_strdup(primary_msg_text);
1317 /* Close the message pipe. */
1318 ws_close(message_read_fd);
1323 * Pick up the child status.
1325 ret = sync_pipe_close_command(data_read_fd, &message_read_fd,
1329 * Child process failed unexpectedly, or wait failed; msg is the
1334 * Child process returned an unknown status.
1336 *msg = g_strdup_printf("dumpcap process gave an unexpected message type: 0x%02x",
1345 /* Close down the stats process */
1347 sync_interface_stats_close(int *read_fd, int *fork_child, gchar **msg)
1349 return sync_pipe_close_command(read_fd, NULL, fork_child, msg);
1352 /* read a number of bytes from a pipe */
1353 /* (blocks until enough bytes read or an error occurs) */
1355 pipe_read_bytes(int pipe_fd, char *bytes, int required, char **msg)
1362 newly = read(pipe_fd, &bytes[offset], required);
1365 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1366 "read from pipe %d: EOF (capture closed?)", pipe_fd);
1373 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1374 "read from pipe %d: error(%u): %s", pipe_fd, error,
1376 *msg = g_strdup_printf("Error reading from sync pipe: %s",
1389 static gboolean pipe_data_available(int pipe_fd) {
1390 #ifdef _WIN32 /* PeekNamedPipe */
1391 HANDLE hPipe = (HANDLE) _get_osfhandle(pipe_fd);
1394 if (hPipe == INVALID_HANDLE_VALUE)
1397 if (! PeekNamedPipe(hPipe, NULL, 0, NULL, &bytes_avail, NULL))
1400 if (bytes_avail > 0)
1405 struct timeval timeout;
1408 FD_SET(pipe_fd, &rfds);
1410 timeout.tv_usec = 0;
1412 if (select(pipe_fd+1, &rfds, NULL, NULL, &timeout) > 0)
1419 /* Read a line from a pipe, similar to fgets */
1421 sync_pipe_gets_nonblock(int pipe_fd, char *bytes, int max) {
1425 while(offset < max - 1) {
1427 if (! pipe_data_available(pipe_fd))
1429 newly = read(pipe_fd, &bytes[offset], 1);
1431 /* EOF - not necessarily an error */
1433 } else if (newly < 0) {
1435 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1436 "read from pipe %d: error(%u): %s", pipe_fd, errno, g_strerror(errno));
1438 } else if (bytes[offset] == '\n') {
1444 bytes[offset] = '\0';
1450 /* convert header values (indicator and 3-byte length) */
1452 pipe_convert_header(const guchar *header, int header_len, char *indicator, int *block_len) {
1454 g_assert(header_len == 4);
1456 /* convert header values */
1457 *indicator = header[0];
1458 *block_len = header[1]<<16 | header[2]<<8 | header[3];
1461 /* read a message from the sending pipe in the standard format
1462 (1-byte message indicator, 3-byte message length (excluding length
1463 and indicator field), and the rest is the message) */
1465 pipe_read_block(int pipe_fd, char *indicator, int len, char *msg,
1472 /* read header (indicator and 3-byte length) */
1473 newly = pipe_read_bytes(pipe_fd, header, 4, err_msg);
1477 * Immediate EOF; if the capture child exits normally, this
1478 * is an "I'm done" indication, so don't report it as an
1481 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1482 "read %d got an EOF", pipe_fd);
1485 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1486 "read %d failed to read header: %u", pipe_fd, newly);
1489 * Short read, but not an immediate EOF.
1491 *err_msg = g_strdup_printf("Premature EOF reading from sync pipe: got only %d bytes",
1497 /* convert header values */
1498 pipe_convert_header(header, 4, indicator, &required);
1500 /* only indicator with no value? */
1502 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1503 "read %d indicator: %c empty value", pipe_fd, *indicator);
1507 /* does the data fit into the given buffer? */
1508 if(required > len) {
1509 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1510 "read %d length error, required %d > len %d, indicator: %u",
1511 pipe_fd, required, len, *indicator);
1513 /* we have a problem here, try to read some more bytes from the pipe to debug where the problem really is */
1514 memcpy(msg, header, sizeof(header));
1515 newly = read(pipe_fd, &msg[sizeof(header)], len-sizeof(header));
1516 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1522 /* read the actual block data */
1523 newly = pipe_read_bytes(pipe_fd, msg, required, err_msg);
1524 if(newly != required) {
1526 *err_msg = g_strdup_printf("Unknown message from dumpcap, try to show it as a string: %s",
1532 /* XXX If message is "2part", the msg probably won't be sent to debug log correctly */
1533 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG,
1534 "read %d ok indicator: %c len: %u msg: %s", pipe_fd, *indicator,
1541 /* There's stuff to read from the sync pipe, meaning the child has sent
1542 us a message, or the sync pipe has closed, meaning the child has
1543 closed it (perhaps because it exited). */
1545 sync_pipe_input_cb(gint source, gpointer user_data)
1547 capture_options *capture_opts = (capture_options *)user_data;
1549 char buffer[SP_MAX_MSG_LEN+1];
1555 char *secondary_msg;
1556 char *wait_msg, *combined_msg;
1558 nread = pipe_read_block(source, &indicator, SP_MAX_MSG_LEN, buffer,
1561 /* We got a read error, or a bad message, or an EOF, from the sync pipe.
1563 If we got a read error or a bad message, nread is -1 and
1564 primary_msg is set to point to an error message. We don't
1565 have to worry about killing the child; usually this error
1566 is caused as the child killed itself while going down.
1567 Even in the rare cases that this isn't the case, the child
1568 will get an error when writing to the broken pipe the next time,
1569 cleaning itself up then.
1571 If we got an EOF, nread is 0 and primary_msg isn't set. This
1572 is an indication that the capture is finished. */
1573 ret = sync_pipe_wait_for_child(capture_opts->fork_child, &wait_msg);
1575 /* We got an EOF from the sync pipe. That means that the capture
1576 child exited, and not in the middle of a message; we treat
1577 that as an indication that it's done, and only report an
1578 error if ret is -1, in which case wait_msg is the error
1581 primary_msg = wait_msg;
1583 /* We got an error from the sync pipe. If ret is -1, report
1584 both the sync pipe I/O error and the wait error. */
1586 combined_msg = g_strdup_printf("%s\n\n%s", primary_msg, wait_msg);
1587 g_free(primary_msg);
1589 primary_msg = combined_msg;
1593 /* No more child process. */
1594 capture_opts->fork_child = -1;
1595 capture_opts->fork_child_status = ret;
1598 ws_close(capture_opts->signal_pipe_write_fd);
1600 capture_input_closed(capture_opts, primary_msg);
1601 g_free(primary_msg);
1605 /* we got a valid message block from the child, process it */
1608 if(!capture_input_new_file(capture_opts, buffer)) {
1609 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: file failed, closing capture");
1611 /* We weren't able to open the new capture file; user has been
1612 alerted. Close the sync pipe. */
1615 /* The child has sent us a filename which we couldn't open.
1617 This could mean that the child is creating files faster
1618 than we can handle it. (XXX - why would that result in
1619 a failure to open the file?)
1621 That should only be the case for very fast file switches;
1622 We can't do much more than telling the child to stop.
1623 (This is the "emergency brake" if the user e.g. wants to
1624 switch files every second).
1626 This can also happen if the user specified "-", meaning
1627 "standard output", as the capture file. */
1628 sync_pipe_stop(capture_opts);
1629 capture_input_closed(capture_opts, NULL);
1633 case SP_PACKET_COUNT:
1634 nread = atoi(buffer);
1635 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_input_cb: new packets %u", nread);
1636 capture_input_new_packets(capture_opts, nread);
1639 /* convert primary message */
1640 pipe_convert_header(buffer, 4, &indicator, &primary_len);
1641 primary_msg = buffer+4;
1642 /* convert secondary message */
1643 pipe_convert_header(primary_msg + primary_len, 4, &indicator, &secondary_len);
1644 secondary_msg = primary_msg + primary_len + 4;
1645 /* message output */
1646 capture_input_error_message(capture_opts, primary_msg, secondary_msg);
1647 /* the capture child will close the sync_pipe, nothing to do for now */
1648 /* (an error message doesn't mean we have to stop capturing) */
1650 case SP_BAD_FILTER: {
1654 ch = strtok(buffer, ":");
1655 index = (int)strtol(ch, NULL, 10);
1656 ch = strtok(NULL, ":");
1657 capture_input_cfilter_error_message(capture_opts, index, ch);
1658 /* the capture child will close the sync_pipe, nothing to do for now */
1662 capture_input_drops(capture_opts, (guint32)strtoul(buffer, NULL, 10));
1665 g_assert_not_reached();
1673 /* the child process is going down, wait until it's completely terminated */
1675 sync_pipe_wait_for_child(int fork_child, gchar **msgp)
1677 int fork_child_status;
1680 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: wait till child closed");
1681 g_assert(fork_child != -1);
1683 *msgp = NULL; /* assume no error */
1686 if (_cwait(&fork_child_status, fork_child, _WAIT_CHILD) == -1) {
1687 *msgp = g_strdup_printf("Error from cwait(): %s", g_strerror(errno));
1691 * The child exited; return its exit status. Do not treat this as
1694 ret = fork_child_status;
1695 if ((fork_child_status & 0xC0000000) == ERROR_SEVERITY_ERROR) {
1696 /* Probably an exception code */
1697 *msgp = g_strdup_printf("Child dumpcap process died: %s",
1698 win32strexception(fork_child_status));
1703 if (waitpid(fork_child, &fork_child_status, 0) != -1) {
1704 if (WIFEXITED(fork_child_status)) {
1706 * The child exited; return its exit status. Do not treat this as
1709 ret = WEXITSTATUS(fork_child_status);
1710 } else if (WIFSTOPPED(fork_child_status)) {
1711 /* It stopped, rather than exiting. "Should not happen." */
1712 *msgp = g_strdup_printf("Child dumpcap process stopped: %s",
1713 sync_pipe_signame(WSTOPSIG(fork_child_status)));
1715 } else if (WIFSIGNALED(fork_child_status)) {
1716 /* It died with a signal. */
1717 *msgp = g_strdup_printf("Child dumpcap process died: %s%s",
1718 sync_pipe_signame(WTERMSIG(fork_child_status)),
1719 WCOREDUMP(fork_child_status) ? " - core dumped" : "");
1722 /* What? It had to either have exited, or stopped, or died with
1723 a signal; what happened here? */
1724 *msgp = g_strdup_printf("Bad status from waitpid(): %#o",
1729 *msgp = g_strdup_printf("Error from waitpid(): %s", g_strerror(errno));
1734 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "sync_pipe_wait_for_child: capture child closed");
1740 /* convert signal to corresponding name */
1742 sync_pipe_signame(int sig)
1745 static char sigmsg_buf[6+1+3+1];
1754 sigmsg = "Interrupted";
1762 sigmsg = "Illegal instruction";
1766 sigmsg = "Trace trap";
1774 sigmsg = "Arithmetic exception";
1782 sigmsg = "Bus error";
1786 sigmsg = "Segmentation violation";
1789 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
1790 Linux is POSIX compliant. These are not POSIX-defined signals ---
1791 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
1793 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
1794 were omitted from POSIX.1 because their behavior is
1795 implementation dependent and could not be adequately catego-
1796 rized. Conforming implementations may deliver these sig-
1797 nals, but must document the circumstances under which they
1798 are delivered and note any restrictions concerning their
1801 So we only check for SIGSYS on those systems that happen to
1802 implement them (a system can be POSIX-compliant and implement
1803 them, it's just that POSIX doesn't *require* a POSIX-compliant
1804 system to implement them).
1809 sigmsg = "Bad system call";
1814 sigmsg = "Broken pipe";
1818 sigmsg = "Alarm clock";
1822 sigmsg = "Terminated";
1826 /* Returning a static buffer is ok in the context we use it here */
1827 g_snprintf(sigmsg_buf, sizeof sigmsg_buf, "Signal %d", sig);
1828 sigmsg = sigmsg_buf;
1837 /* tell the child through the signal pipe that we want to quit the capture */
1839 signal_pipe_capquit_to_child(capture_options *capture_opts)
1841 const char quit_msg[] = "QUIT";
1845 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");
1847 /* it doesn't matter *what* we send here, the first byte will stop the capture */
1848 /* simply sending a "QUIT" string */
1849 /*pipe_write_block(capture_opts->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
1850 ret = write(capture_opts->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
1852 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1853 "signal_pipe_capquit_to_child: %d header: error %s", capture_opts->signal_pipe_write_fd, g_strerror(errno));
1859 /* user wants to stop the capture run */
1861 sync_pipe_stop(capture_options *capture_opts)
1866 gboolean terminate = TRUE;
1869 if (capture_opts->fork_child != -1) {
1871 /* send the SIGINT signal to close the capture child gracefully. */
1872 int sts = kill(capture_opts->fork_child, SIGINT);
1874 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1875 "Sending SIGINT to child failed: %s\n", g_strerror(errno));
1878 #define STOP_SLEEP_TIME 500 /* ms */
1879 #define STOP_CHECK_TIME 50
1880 /* First, use the special signal pipe to try to close the capture child
1883 signal_pipe_capquit_to_child(capture_opts);
1885 /* Next, wait for the process to exit on its own */
1886 for (count = 0; count < STOP_SLEEP_TIME / STOP_CHECK_TIME; count++) {
1887 if (GetExitCodeProcess((HANDLE) capture_opts->fork_child, &childstatus) &&
1888 childstatus != STILL_ACTIVE) {
1892 Sleep(STOP_CHECK_TIME);
1895 /* Force the issue. */
1897 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1898 "sync_pipe_stop: forcing child to exit");
1899 sync_pipe_kill(capture_opts->fork_child);
1906 /* Wireshark has to exit, force the capture child to close */
1908 sync_pipe_kill(int fork_child)
1910 if (fork_child != -1) {
1912 int sts = kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
1914 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
1915 "Sending SIGTERM to child failed: %s\n", g_strerror(errno));
1918 /* Remark: This is not the preferred method of closing a process!
1919 * the clean way would be getting the process id of the child process,
1920 * then getting window handle hWnd of that process (using EnumChildWindows),
1921 * and then do a SendMessage(hWnd, WM_CLOSE, 0, 0)
1923 * Unfortunately, I don't know how to get the process id from the
1924 * handle. OpenProcess will get an handle (not a window handle)
1925 * from the process ID; it will not get a window handle from the
1926 * process ID. (How could it? A process can have more than one
1927 * window. For that matter, a process might have *no* windows,
1928 * as a process running dumpcap, the normal child process program,
1931 * Hint: GenerateConsoleCtrlEvent() will only work if both processes are
1932 * running in the same console; that's not necessarily the case for
1933 * us, as we might not be running in a console.
1934 * And this also will require to have the process id.
1936 TerminateProcess((HANDLE) (fork_child), 0);
1941 #endif /* HAVE_LIBPCAP */