5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
88 #include "capture-wpcap.h"
89 #include <wsutil/unicode-utils.h>
93 #include <sys/socket.h>
97 #ifdef NEED_INET_V6DEFS_H
98 # include "wsutil/inet_v6defs.h"
101 #include <wsutil/privileges.h>
103 #include "sync_pipe.h"
105 #include "capture_opts.h"
106 #include "capture_ifinfo.h"
107 #include "capture_sync.h"
109 #include "conditions.h"
110 #include "capture_stop_conditions.h"
112 #include "tempfile.h"
114 #include "wsutil/file_util.h"
117 * Get information about libpcap format from "wiretap/libpcap.h".
118 * XXX - can we just use pcap_open_offline() to read the pipe?
120 #include "wiretap/libpcap.h"
122 /**#define DEBUG_DUMPCAP**/
123 /**#define DEBUG_CHILD_DUMPCAP**/
127 #include <conio.h> /* _getch() */
131 #ifdef DEBUG_CHILD_DUMPCAP
132 FILE *debug_log; /* for logging debug messages to */
133 /* a file if DEBUG_CHILD_DUMPCAP */
141 static GAsyncQueue *pcap_queue;
142 static gint64 pcap_queue_bytes;
143 static gint64 pcap_queue_packets;
144 static gint64 pcap_queue_byte_limit = 1024 * 1024;
145 static gint64 pcap_queue_packet_limit = 1000;
147 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
149 static gchar *sig_pipe_name = NULL;
150 static HANDLE sig_pipe_handle = NULL;
151 static gboolean signal_pipe_check_running(void);
155 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
156 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
159 /** Stop a low-level capture (stops the capture child). */
160 static void capture_loop_stop(void);
162 #if !defined (__linux__)
163 #ifndef HAVE_PCAP_BREAKLOOP
165 * We don't have pcap_breakloop(), which is the only way to ensure that
166 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
167 * won't, if the call to read the next packet or batch of packets is
168 * is interrupted by a signal on UN*X, just go back and try again to
171 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
172 * the signal handler, set a flag to stop capturing; however, without
173 * a guarantee of that sort, we can't guarantee that we'll stop capturing
174 * if the read will be retried and won't time out if no packets arrive.
176 * Therefore, on at least some platforms, we work around the lack of
177 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
178 * to wait for packets to arrive, so that we're probably going to be
179 * blocked in the select() when the signal arrives, and can just bail
180 * out of the loop at that point.
182 * However, we don't want to do that on BSD (because "select()" doesn't work
183 * correctly on BPF devices on at least some releases of some flavors of
184 * BSD), and we don't want to do it on Windows (because "select()" is
185 * something for sockets, not for arbitrary handles). (Note that "Windows"
186 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
187 * using WinPcap, not a UNIX libpcap.)
189 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
190 * on BSD times out even if no packets have arrived, so we'll eventually
191 * exit pcap_dispatch() with an indication that no packets have arrived,
192 * and will break out of the capture loop at that point.
194 * On Windows, we can't send a SIGINT to stop capturing, so none of this
195 * applies in any case.
197 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
198 * want to include it if it's not present on this platform, however.
200 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
201 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
203 # define MUST_DO_SELECT
204 # endif /* avoid select */
205 #endif /* HAVE_PCAP_BREAKLOOP */
207 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
208 * in pcap_dispatch(); on the other hand, select() works just fine there.
209 * Hence we use a select for that come what may.
211 #define MUST_DO_SELECT
214 /** init the capture filter */
217 INITFILTER_BAD_FILTER,
218 INITFILTER_OTHER_ERROR
219 } initfilter_status_t;
221 typedef struct _pcap_options {
225 #ifdef MUST_DO_SELECT
226 int pcap_fd; /* pcap file descriptor */
233 /* capture pipe (unix only "input file") */
234 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
235 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
236 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
238 HANDLE cap_pipe_h; /* The handle of the capture pipe */
240 int cap_pipe_fd; /* the file descriptor of the capture pipe */
242 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
243 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
245 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
246 #endif /* USE_THREADS */
247 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
248 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
250 STATE_EXPECT_REC_HDR,
255 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
257 GMutex *cap_pipe_read_mtx;
258 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
262 typedef struct _loop_data {
264 gboolean go; /* TRUE as long as we're supposed to keep capturing */
265 int err; /* if non-zero, error seen while capturing */
266 gint packet_count; /* Number of packets we have already captured */
267 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
268 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
270 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
277 guint32 autostop_files;
280 typedef struct _pcap_queue_element {
281 pcap_options *pcap_opts;
282 struct pcap_pkthdr phdr;
284 } pcap_queue_element;
287 * Standard secondary message for unexpected errors.
289 static const char please_report[] =
290 "Please report this to the Wireshark developers.\n"
291 "(This is not a crash; please do not report it as such.)";
294 * This needs to be static, so that the SIGINT handler can clear the "go"
297 static loop_data global_ld;
301 * Timeout, in milliseconds, for reads from the stream of captured packets
302 * from a capture device.
304 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
305 * 64-bit applications, with sub-second timeouts not to work. The bug is
306 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
308 #if defined(__APPLE__) && defined(__LP64__)
309 static gboolean need_timeout_workaround;
311 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
313 #define CAP_READ_TIMEOUT 250
317 * Timeout, in microseconds, for reads from the stream of captured packets
318 * from a pipe. Pipes don't have the same problem that BPF devices do
319 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
320 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
321 * of the offending versions of Snow Leopard.
323 * On Windows this value is converted to milliseconds and passed to
324 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
325 * will return immediately.
328 #define PIPE_READ_TIMEOUT 250000
330 #define PIPE_READ_TIMEOUT 100000
333 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
336 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
337 const char *message, gpointer user_data _U_);
339 /* capture related options */
340 static capture_options global_capture_opts;
341 static gboolean quiet = FALSE;
342 static gboolean use_threads = FALSE;
344 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
346 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
348 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
349 int err, gboolean is_close);
351 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
353 static void report_new_capture_file(const char *filename);
354 static void report_packet_count(int packet_count);
355 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
356 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
357 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
359 #define MSG_MAX_LENGTH 4096
362 print_usage(gboolean print_ver)
369 "Dumpcap " VERSION "%s\n"
370 "Capture network packets and dump them into a libpcap file.\n"
371 "See http://www.wireshark.org for more information.\n",
372 wireshark_svnversion);
376 fprintf(output, "\nUsage: dumpcap [options] ...\n");
377 fprintf(output, "\n");
378 fprintf(output, "Capture interface:\n");
379 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
380 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
381 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
382 fprintf(output, " -p don't capture in promiscuous mode\n");
383 #ifdef HAVE_PCAP_CREATE
384 fprintf(output, " -I capture in monitor mode, if available\n");
386 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
387 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
389 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
390 fprintf(output, " -D print list of interfaces and exit\n");
391 fprintf(output, " -L print list of link-layer types of iface and exit\n");
392 #ifdef HAVE_BPF_IMAGE
393 fprintf(output, " -d print generated BPF code for capture filter\n");
395 fprintf(output, " -S print statistics for each interface once every second\n");
396 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
397 fprintf(output, "\n");
398 #ifdef HAVE_PCAP_REMOTE
399 fprintf(output, "\nRPCAP options:\n");
400 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
401 fprintf(output, " -u use UDP for RPCAP data transfer\n");
402 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
403 #ifdef HAVE_PCAP_SETSAMPLING
404 fprintf(output, " -m <sampling type> use packet sampling\n");
405 fprintf(output, " count:NUM - capture one packet of every NUM\n");
406 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
409 fprintf(output, "Stop conditions:\n");
410 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
411 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
412 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
413 fprintf(output, " files:NUM - stop after NUM files\n");
414 /*fprintf(output, "\n");*/
415 fprintf(output, "Output (files):\n");
416 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
417 fprintf(output, " -g enable group read access on the output file(s)\n");
418 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
419 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
420 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
421 fprintf(output, " -n use pcapng format instead of pcap\n");
422 /*fprintf(output, "\n");*/
423 fprintf(output, "Miscellaneous:\n");
424 fprintf(output, " -t use a separate thread per interface\n");
425 fprintf(output, " -q don't report packet capture counts\n");
426 fprintf(output, " -v print version information and exit\n");
427 fprintf(output, " -h display this help and exit\n");
428 fprintf(output, "\n");
429 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
430 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
431 fprintf(output, "\n");
432 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
436 show_version(GString *comp_info_str, GString *runtime_info_str)
439 "Dumpcap " VERSION "%s\n"
444 "See http://www.wireshark.org for more information.\n",
445 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
449 * Print to the standard error. This is a command-line tool, so there's
450 * no need to pop up a console.
453 vfprintf_stderr(const char *fmt, va_list ap)
455 vfprintf(stderr, fmt, ap);
459 fprintf_stderr(const char *fmt, ...)
464 vfprintf_stderr(fmt, ap);
469 * Report an error in command-line arguments.
472 cmdarg_err(const char *fmt, ...)
478 /* Generate a 'special format' message back to parent */
480 msg = g_strdup_vprintf(fmt, ap);
481 sync_pipe_errmsg_to_parent(2, msg, "");
486 fprintf(stderr, "dumpcap: ");
487 vfprintf(stderr, fmt, ap);
488 fprintf(stderr, "\n");
494 * Report additional information for an error in command-line arguments.
497 cmdarg_err_cont(const char *fmt, ...)
504 msg = g_strdup_vprintf(fmt, ap);
505 sync_pipe_errmsg_to_parent(2, msg, "");
510 vfprintf(stderr, fmt, ap);
511 fprintf(stderr, "\n");
518 #if 0 /* Set to enable capability debugging */
519 /* see 'man cap_to_text()' for explanation of output */
520 /* '=' means 'all= ' ie: no capabilities */
521 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
523 print_caps(const char *pfx) {
524 cap_t caps = cap_get_proc();
525 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
526 "%s: EUID: %d Capabilities: %s", pfx,
527 geteuid(), cap_to_text(caps, NULL));
530 print_caps(const char *pfx _U_) {
535 relinquish_all_capabilities(void)
537 /* Drop any and all capabilities this process may have. */
538 /* Allowed whether or not process has any privileges. */
539 cap_t caps = cap_init(); /* all capabilities initialized to off */
540 print_caps("Pre-clear");
541 if (cap_set_proc(caps)) {
542 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
544 print_caps("Post-clear");
550 open_capture_device(interface_options *interface_opts,
551 char (*open_err_str)[PCAP_ERRBUF_SIZE])
554 #ifdef HAVE_PCAP_CREATE
557 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
558 struct pcap_rmtauth auth;
561 /* Open the network interface to capture from it.
562 Some versions of libpcap may put warnings into the error buffer
563 if they succeed; to tell if that's happened, we have to clear
564 the error buffer, and check if it's still a null string. */
565 (*open_err_str)[0] = '\0';
566 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
568 * If we're opening a remote device, use pcap_open(); that's currently
569 * the only open routine that supports remote devices.
571 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
572 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
573 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
574 auth.username = interface_opts->auth_username;
575 auth.password = interface_opts->auth_password;
577 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
579 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
580 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
581 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
582 CAP_READ_TIMEOUT, &auth, *open_err_str);
587 * If we're not opening a remote device, use pcap_create() and
588 * pcap_activate() if we have them, so that we can set the buffer
589 * size, otherwise use pcap_open_live().
591 #ifdef HAVE_PCAP_CREATE
592 pcap_h = pcap_create(interface_opts->name, *open_err_str);
593 if (pcap_h != NULL) {
594 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
595 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
596 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
598 if (interface_opts->buffer_size > 1) {
599 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
601 if (interface_opts->monitor_mode)
602 pcap_set_rfmon(pcap_h, 1);
603 err = pcap_activate(pcap_h);
605 /* Failed to activate, set to NULL */
606 if (err == PCAP_ERROR)
607 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
609 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
615 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
616 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
624 get_capture_device_open_failure_messages(const char *open_err_str,
630 char *errmsg, size_t errmsg_len,
631 char *secondary_errmsg,
632 size_t secondary_errmsg_len)
634 const char *libpcap_warn;
635 static const char ppamsg[] = "can't find PPA for ";
637 /* If we got a "can't find PPA for X" message, warn the user (who
638 is running dumcap on HP-UX) that they don't have a version of
639 libpcap that properly handles HP-UX (libpcap 0.6.x and later
640 versions, which properly handle HP-UX, say "can't find /dev/dlpi
641 PPA for X" rather than "can't find PPA for X"). */
642 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
645 "You are running (T)Wireshark with a version of the libpcap library\n"
646 "that doesn't handle HP-UX network devices well; this means that\n"
647 "(T)Wireshark may not be able to capture packets.\n"
649 "To fix this, you should install libpcap 0.6.2, or a later version\n"
650 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
651 "packaged binary form from the Software Porting And Archive Centre\n"
652 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
653 "at the URL lists a number of mirror sites.";
656 g_snprintf(errmsg, (gulong) errmsg_len,
657 "The capture session could not be initiated (%s).", open_err_str);
659 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
660 "Please check to make sure you have sufficient permissions, and that you have "
661 "the proper interface or pipe specified.%s", libpcap_warn);
663 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
665 "Please check that \"%s\" is the proper interface.\n"
668 "Help can be found at:\n"
670 " http://wiki.wireshark.org/WinPcap\n"
671 " http://wiki.wireshark.org/CaptureSetup\n",
676 /* Set the data link type on a pcap. */
678 set_pcap_linktype(pcap_t *pcap_h, int linktype,
679 #ifdef HAVE_PCAP_SET_DATALINK
684 char *errmsg, size_t errmsg_len,
685 char *secondary_errmsg, size_t secondary_errmsg_len)
687 char *set_linktype_err_str;
690 return TRUE; /* just use the default */
691 #ifdef HAVE_PCAP_SET_DATALINK
692 if (pcap_set_datalink(pcap_h, linktype) == 0)
693 return TRUE; /* no error */
694 set_linktype_err_str = pcap_geterr(pcap_h);
696 /* Let them set it to the type it is; reject any other request. */
697 if (get_pcap_linktype(pcap_h, name) == linktype)
698 return TRUE; /* no error */
699 set_linktype_err_str =
700 "That DLT isn't one of the DLTs supported by this device";
702 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
703 set_linktype_err_str);
705 * If the error isn't "XXX is not one of the DLTs supported by this device",
706 * tell the user to tell the Wireshark developers about it.
708 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
709 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
711 secondary_errmsg[0] = '\0';
716 compile_capture_filter(const char *iface, pcap_t *pcap_h,
717 struct bpf_program *fcode, const char *cfilter)
719 bpf_u_int32 netnum, netmask;
720 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
722 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
724 * Well, we can't get the netmask for this interface; it's used
725 * only for filters that check for broadcast IP addresses, so
726 * we just punt and use 0. It might be nice to warn the user,
727 * but that's a pain in a GUI application, as it'd involve popping
728 * up a message box, and it's not clear how often this would make
729 * a difference (only filters that check for IP broadcast addresses
733 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
738 * Sigh. Older versions of libpcap don't properly declare the
739 * third argument to pcap_compile() as a const pointer. Cast
742 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
747 #ifdef HAVE_BPF_IMAGE
749 show_filter_code(capture_options *capture_opts)
751 interface_options interface_opts;
753 gchar open_err_str[PCAP_ERRBUF_SIZE];
754 char errmsg[MSG_MAX_LENGTH+1];
755 char secondary_errmsg[MSG_MAX_LENGTH+1];
756 struct bpf_program fcode;
757 struct bpf_insn *insn;
761 for (j = 0; j < capture_opts->ifaces->len; j++) {
762 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
763 pcap_h = open_capture_device(&interface_opts, &open_err_str);
764 if (pcap_h == NULL) {
765 /* Open failed; get messages */
766 get_capture_device_open_failure_messages(open_err_str,
768 errmsg, sizeof errmsg,
770 sizeof secondary_errmsg);
771 /* And report them */
772 report_capture_error(errmsg, secondary_errmsg);
776 /* Set the link-layer type. */
777 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
778 errmsg, sizeof errmsg,
779 secondary_errmsg, sizeof secondary_errmsg)) {
781 report_capture_error(errmsg, secondary_errmsg);
785 /* OK, try to compile the capture filter. */
786 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
787 interface_opts.cfilter)) {
789 report_cfilter_error(capture_opts, j, errmsg);
794 /* Now print the filter code. */
795 insn = fcode.bf_insns;
797 for (i = 0; i < fcode.bf_len; insn++, i++)
798 printf("%s\n", bpf_image(insn, i));
800 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
801 /* to remove any suid privileges. */
802 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
803 /* (euid/egid have already previously been set to ruid/rgid. */
804 /* (See comment in main() for details) */
806 relinquish_special_privs_perm();
808 relinquish_all_capabilities();
811 /* Let our parent know we succeeded. */
812 pipe_write_block(2, SP_SUCCESS, NULL);
819 * capture_interface_list() is expected to do the right thing to get
820 * a list of interfaces.
822 * In most of the programs in the Wireshark suite, "the right thing"
823 * is to run dumpcap and ask it for the list, because dumpcap may
824 * be the only program in the suite with enough privileges to get
827 * In dumpcap itself, however, we obviously can't run dumpcap to
828 * ask for the list. Therefore, our capture_interface_list() should
829 * just call get_interface_list().
832 capture_interface_list(int *err, char **err_str)
834 return get_interface_list(err, err_str);
838 * Get the data-link type for a libpcap device.
839 * This works around AIX 5.x's non-standard and incompatible-with-the-
840 * rest-of-the-universe libpcap.
843 get_pcap_linktype(pcap_t *pch, const char *devname
851 const char *ifacename;
854 linktype = pcap_datalink(pch);
858 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
859 * rather than DLT_ values for link-layer types; the ifType values
860 * for LAN devices are:
867 * and the ifType value for a loopback device is 24.
869 * The AIX names for LAN devices begin with:
876 * and the AIX names for loopback devices begin with "lo".
878 * (The difference between "Ethernet" and "802.3" is presumably
879 * whether packets have an Ethernet header, with a packet type,
880 * or an 802.3 header, with a packet length, followed by an 802.2
881 * header and possibly a SNAP header.)
883 * If the device name matches "linktype" interpreted as an ifType
884 * value, rather than as a DLT_ value, we will assume this is AIX's
885 * non-standard, incompatible libpcap, rather than a standard libpcap,
886 * and will map the link-layer type to the standard DLT_ value for
887 * that link-layer type, as that's what the rest of Wireshark expects.
889 * (This means the capture files won't be readable by a tcpdump
890 * linked with AIX's non-standard libpcap, but so it goes. They
891 * *will* be readable by standard versions of tcpdump, Wireshark,
894 * XXX - if we conclude we're using AIX libpcap, should we also
895 * set a flag to cause us to assume the time stamps are in
896 * seconds-and-nanoseconds form, and to convert them to
897 * seconds-and-microseconds form before processing them and
902 * Find the last component of the device name, which is the
905 ifacename = strchr(devname, '/');
906 if (ifacename == NULL)
909 /* See if it matches any of the LAN device names. */
910 if (strncmp(ifacename, "en", 2) == 0) {
913 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
917 } else if (strncmp(ifacename, "et", 2) == 0) {
920 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
921 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
926 } else if (strncmp(ifacename, "tr", 2) == 0) {
929 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
930 * DLT_IEEE802, which is what's used for Token Ring.
934 } else if (strncmp(ifacename, "fi", 2) == 0) {
935 if (linktype == 15) {
937 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
941 } else if (strncmp(ifacename, "lo", 2) == 0) {
942 if (linktype == 24) {
944 * That's the RFC 1573 value for "software loopback" devices; map it
945 * to DLT_NULL, which is what's used for loopback devices on BSD.
955 static data_link_info_t *
956 create_data_link_info(int dlt)
958 data_link_info_t *data_link_info;
961 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
962 data_link_info->dlt = dlt;
963 text = pcap_datalink_val_to_name(dlt);
965 data_link_info->name = g_strdup(text);
967 data_link_info->name = g_strdup_printf("DLT %d", dlt);
968 text = pcap_datalink_val_to_description(dlt);
970 data_link_info->description = g_strdup(text);
972 data_link_info->description = NULL;
973 return data_link_info;
977 * Get the capabilities of a network device.
979 static if_capabilities_t *
980 get_if_capabilities(const char *devname, gboolean monitor_mode
981 #ifndef HAVE_PCAP_CREATE
986 if_capabilities_t *caps;
987 char errbuf[PCAP_ERRBUF_SIZE];
989 #ifdef HAVE_PCAP_CREATE
993 #ifdef HAVE_PCAP_LIST_DATALINKS
997 data_link_info_t *data_link_info;
1000 * Allocate the interface capabilities structure.
1002 caps = g_malloc(sizeof *caps);
1004 #ifdef HAVE_PCAP_OPEN
1005 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1006 caps->can_set_rfmon = FALSE;
1008 if (err_str != NULL)
1009 *err_str = g_strdup(errbuf);
1013 #elif defined(HAVE_PCAP_CREATE)
1014 pch = pcap_create(devname, errbuf);
1016 if (err_str != NULL)
1017 *err_str = g_strdup(errbuf);
1021 status = pcap_can_set_rfmon(pch);
1024 if (status == PCAP_ERROR)
1025 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1028 *err_str = g_strdup(pcap_statustostr(status));
1034 caps->can_set_rfmon = FALSE;
1035 else if (status == 1) {
1036 caps->can_set_rfmon = TRUE;
1038 pcap_set_rfmon(pch, 1);
1040 if (err_str != NULL) {
1041 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1049 status = pcap_activate(pch);
1051 /* Error. We ignore warnings (status > 0). */
1052 if (err_str != NULL) {
1053 if (status == PCAP_ERROR)
1054 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1057 *err_str = g_strdup(pcap_statustostr(status));
1064 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1065 caps->can_set_rfmon = FALSE;
1067 if (err_str != NULL)
1068 *err_str = g_strdup(errbuf);
1073 deflt = get_pcap_linktype(pch, devname);
1074 #ifdef HAVE_PCAP_LIST_DATALINKS
1075 nlt = pcap_list_datalinks(pch, &linktypes);
1076 if (nlt == 0 || linktypes == NULL) {
1078 if (err_str != NULL)
1079 *err_str = NULL; /* an empty list doesn't mean an error */
1082 caps->data_link_types = NULL;
1083 for (i = 0; i < nlt; i++) {
1084 data_link_info = create_data_link_info(linktypes[i]);
1087 * XXX - for 802.11, make the most detailed 802.11
1088 * version the default, rather than the one the
1089 * device has as the default?
1091 if (linktypes[i] == deflt)
1092 caps->data_link_types = g_list_prepend(caps->data_link_types,
1095 caps->data_link_types = g_list_append(caps->data_link_types,
1098 #ifdef HAVE_PCAP_FREE_DATALINKS
1099 pcap_free_datalinks(linktypes);
1102 * In Windows, there's no guarantee that if you have a library
1103 * built with one version of the MSVC++ run-time library, and
1104 * it returns a pointer to allocated data, you can free that
1105 * data from a program linked with another version of the
1106 * MSVC++ run-time library.
1108 * This is not an issue on UN*X.
1110 * See the mail threads starting at
1112 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1116 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1119 #define xx_free free /* hack so checkAPIs doesn't complain */
1122 #endif /* HAVE_PCAP_FREE_DATALINKS */
1123 #else /* HAVE_PCAP_LIST_DATALINKS */
1125 data_link_info = create_data_link_info(deflt);
1126 caps->data_link_types = g_list_append(caps->data_link_types,
1128 #endif /* HAVE_PCAP_LIST_DATALINKS */
1132 if (err_str != NULL)
1137 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1139 print_machine_readable_interfaces(GList *if_list)
1146 char addr_str[ADDRSTRLEN];
1148 if (capture_child) {
1149 /* Let our parent know we succeeded. */
1150 pipe_write_block(2, SP_SUCCESS, NULL);
1153 i = 1; /* Interface id number */
1154 for (if_entry = g_list_first(if_list); if_entry != NULL;
1155 if_entry = g_list_next(if_entry)) {
1156 if_info = (if_info_t *)if_entry->data;
1157 printf("%d. %s", i++, if_info->name);
1160 * Print the contents of the if_entry struct in a parseable format.
1161 * Each if_entry element is tab-separated. Addresses are comma-
1164 /* XXX - Make sure our description doesn't contain a tab */
1165 if (if_info->description != NULL)
1166 printf("\t%s\t", if_info->description);
1170 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1171 addr = g_slist_next(addr)) {
1172 if (addr != g_slist_nth(if_info->addrs, 0))
1175 if_addr = (if_addr_t *)addr->data;
1176 switch(if_addr->ifat_type) {
1178 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1180 printf("%s", addr_str);
1182 printf("<unknown IPv4>");
1186 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1187 addr_str, ADDRSTRLEN)) {
1188 printf("%s", addr_str);
1190 printf("<unknown IPv6>");
1194 printf("<type unknown %u>", if_addr->ifat_type);
1198 if (if_info->loopback)
1199 printf("\tloopback");
1201 printf("\tnetwork");
1208 * If you change the machine-readable output format of this function,
1209 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1212 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1215 data_link_info_t *data_link_info;
1216 const gchar *desc_str;
1218 if (capture_child) {
1219 /* Let our parent know we succeeded. */
1220 pipe_write_block(2, SP_SUCCESS, NULL);
1223 if (caps->can_set_rfmon)
1227 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1228 lt_entry = g_list_next(lt_entry)) {
1229 data_link_info = (data_link_info_t *)lt_entry->data;
1230 if (data_link_info->description != NULL)
1231 desc_str = data_link_info->description;
1233 desc_str = "(not supported)";
1234 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1244 /* Print the number of packets captured for each interface until we're killed. */
1246 print_statistics_loop(gboolean machine_readable)
1248 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1254 char errbuf[PCAP_ERRBUF_SIZE];
1255 struct pcap_stat ps;
1257 if_list = get_interface_list(&err, &err_str);
1258 if (if_list == NULL) {
1260 case CANT_GET_INTERFACE_LIST:
1261 cmdarg_err("%s", err_str);
1265 case NO_INTERFACES_FOUND:
1266 cmdarg_err("There are no interfaces on which a capture can be done");
1272 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1273 if_info = (if_info_t *)if_entry->data;
1274 #ifdef HAVE_PCAP_OPEN
1275 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1277 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1281 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1282 if_stat->name = g_strdup(if_info->name);
1284 stat_list = g_list_append(stat_list, if_stat);
1289 cmdarg_err("There are no interfaces on which a capture can be done");
1293 if (capture_child) {
1294 /* Let our parent know we succeeded. */
1295 pipe_write_block(2, SP_SUCCESS, NULL);
1298 if (!machine_readable) {
1299 printf("%-15s %10s %10s\n", "Interface", "Received",
1303 global_ld.go = TRUE;
1304 while (global_ld.go) {
1305 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1306 if_stat = (if_stat_t *)stat_entry->data;
1307 pcap_stats(if_stat->pch, &ps);
1309 if (!machine_readable) {
1310 printf("%-15s %10u %10u\n", if_stat->name,
1311 ps.ps_recv, ps.ps_drop);
1313 printf("%s\t%u\t%u\n", if_stat->name,
1314 ps.ps_recv, ps.ps_drop);
1325 /* XXX - Not reached. Should we look for 'q' in stdin? */
1326 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1327 if_stat = (if_stat_t *)stat_entry->data;
1328 pcap_close(if_stat->pch);
1329 g_free(if_stat->name);
1332 g_list_free(stat_list);
1333 free_interface_list(if_list);
1341 capture_cleanup_handler(DWORD dwCtrlType)
1343 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1344 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1345 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1346 like SIGTERM at least when the machine's shutting down.
1348 For now, if we're running as a command rather than a capture child,
1349 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1350 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1351 in that way on UN*X.
1353 If we're not running as a capture child, we might be running as
1354 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1355 user logs out. (XXX - can we explicitly check whether we're
1356 running as a service?) */
1358 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1359 "Console: Control signal");
1360 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1361 "Console: Control signal, CtrlType: %u", dwCtrlType);
1363 /* Keep capture running if we're a service and a user logs off */
1364 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1365 capture_loop_stop();
1373 capture_cleanup_handler(int signum _U_)
1375 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1376 SIGTERM. We assume that if the user wanted it to keep running
1377 after they logged out, they'd have nohupped it. */
1379 /* Note: don't call g_log() in the signal handler: if we happened to be in
1380 * g_log() in process context when the signal came in, g_log will detect
1381 * the "recursion" and abort.
1384 capture_loop_stop();
1390 report_capture_count(gboolean reportit)
1392 /* Don't print this if we're a capture child. */
1393 if (!capture_child && reportit) {
1394 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1395 /* stderr could be line buffered */
1403 report_counts_for_siginfo(void)
1405 report_capture_count(quiet);
1406 infoprint = FALSE; /* we just reported it */
1410 report_counts_siginfo(int signum _U_)
1412 int sav_errno = errno;
1414 /* If we've been told to delay printing, just set a flag asking
1415 that we print counts (if we're supposed to), otherwise print
1416 the count of packets captured (if we're supposed to). */
1420 report_counts_for_siginfo();
1423 #endif /* SIGINFO */
1426 exit_main(int status)
1429 /* Shutdown windows sockets */
1432 /* can be helpful for debugging */
1433 #ifdef DEBUG_DUMPCAP
1434 printf("Press any key\n");
1445 * If we were linked with libcap (not libpcap), make sure we have
1446 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1447 * (See comment in main() for details)
1450 relinquish_privs_except_capture(void)
1452 /* If 'started_with_special_privs' (ie: suid) then enable for
1453 * ourself the NET_ADMIN and NET_RAW capabilities and then
1454 * drop our suid privileges.
1456 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1457 * stuff we don't need (and shouldn't have).
1458 * CAP_NET_RAW: Packet capture (raw sockets).
1461 if (started_with_special_privs()) {
1462 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1463 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1465 cap_t caps = cap_init(); /* all capabilities initialized to off */
1467 print_caps("Pre drop, pre set");
1469 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1470 cmdarg_err("prctl() fail return: %s", strerror(errno));
1473 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1474 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1476 if (cap_set_proc(caps)) {
1477 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1479 print_caps("Pre drop, post set");
1481 relinquish_special_privs_perm();
1483 print_caps("Post drop, pre set");
1484 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1485 if (cap_set_proc(caps)) {
1486 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1488 print_caps("Post drop, post set");
1494 #endif /* HAVE_LIBCAP */
1496 /* Take care of byte order in the libpcap headers read from pipes.
1497 * (function taken from wiretap/libpcap.c) */
1499 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1502 /* Byte-swap the record header fields. */
1503 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1504 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1505 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1506 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1509 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1510 swapped, in order to match the BPF header layout.
1512 Unfortunately, some files were, according to a comment in the "libpcap"
1513 source, written with version 2.3 in their headers but without the
1514 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1515 would make no sense - we assume that we need to swap them. */
1516 if (hdr->version_major == 2 &&
1517 (hdr->version_minor < 3 ||
1518 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1521 temp = rechdr->orig_len;
1522 rechdr->orig_len = rechdr->incl_len;
1523 rechdr->incl_len = temp;
1529 * Thread function that reads from a pipe and pushes the data
1530 * to the main application thread.
1533 * XXX Right now we use async queues for basic signaling. The main thread
1534 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1535 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1536 * Iff the read is successful cap_pipe_read pushes an item onto
1537 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1538 * the queues themselves (yet).
1540 * We might want to move some of the cap_pipe_dispatch logic here so that
1541 * we can let cap_pipe_read run independently, queuing up multiple reads
1542 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1544 static void *cap_pipe_read(void *arg)
1546 pcap_options *pcap_opts;
1555 pcap_opts = (pcap_options *)arg;
1556 while (pcap_opts->cap_pipe_err == PIPOK) {
1557 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1558 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1560 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1562 /* If we try to use read() on a named pipe on Windows with partial
1563 * data it appears to return EOF.
1565 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1566 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1571 last_err = GetLastError();
1572 if (last_err == ERROR_MORE_DATA) {
1574 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1575 pcap_opts->cap_pipe_err = PIPEOF;
1579 pcap_opts->cap_pipe_err = PIPERR;
1582 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1583 pcap_opts->cap_pipe_err = PIPEOF;
1588 b = read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1589 pcap_opts->cap_pipe_bytes_to_read - bytes_read);
1592 pcap_opts->cap_pipe_err = PIPEOF;
1596 pcap_opts->cap_pipe_err = PIPERR;
1605 pcap_opts->cap_pipe_bytes_read = bytes_read;
1606 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1607 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1609 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1613 #endif /* USE_THREADS */
1615 /* Provide select() functionality for a single file descriptor
1616 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1618 * Returns the same values as select.
1621 cap_pipe_select(int pipe_fd)
1624 struct timeval timeout;
1627 FD_SET(pipe_fd, &rfds);
1629 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1630 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1632 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1636 /* Mimic pcap_open_live() for pipe captures
1638 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1639 * open it, and read the header.
1641 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1642 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1644 cap_pipe_open_live(char *pipename,
1645 pcap_options *pcap_opts,
1646 struct pcap_hdr *hdr,
1647 char *errmsg, int errmsgl)
1650 ws_statb64 pipe_stat;
1651 struct sockaddr_un sa;
1662 unsigned int bytes_read;
1667 pcap_opts->cap_pipe_fd = -1;
1669 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1671 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1674 * XXX - this blocks until a pcap per-file header has been written to
1675 * the pipe, so it could block indefinitely.
1677 if (strcmp(pipename, "-") == 0) {
1679 fd = 0; /* read from stdin */
1681 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1685 if (ws_stat64(pipename, &pipe_stat) < 0) {
1686 if (errno == ENOENT || errno == ENOTDIR)
1687 pcap_opts->cap_pipe_err = PIPNEXIST;
1689 g_snprintf(errmsg, errmsgl,
1690 "The capture session could not be initiated "
1691 "due to error getting information on pipe/socket: %s", strerror(errno));
1692 pcap_opts->cap_pipe_err = PIPERR;
1696 if (S_ISFIFO(pipe_stat.st_mode)) {
1697 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1699 g_snprintf(errmsg, errmsgl,
1700 "The capture session could not be initiated "
1701 "due to error on pipe open: %s", strerror(errno));
1702 pcap_opts->cap_pipe_err = PIPERR;
1705 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1706 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1708 g_snprintf(errmsg, errmsgl,
1709 "The capture session could not be initiated "
1710 "due to error on socket create: %s", strerror(errno));
1711 pcap_opts->cap_pipe_err = PIPERR;
1714 sa.sun_family = AF_UNIX;
1716 * The Single UNIX Specification says:
1718 * The size of sun_path has intentionally been left undefined.
1719 * This is because different implementations use different sizes.
1720 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1721 * of 104. Since most implementations originate from BSD versions,
1722 * the size is typically in the range 92 to 108.
1724 * Applications should not assume a particular length for sun_path
1725 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1729 * The <sys/un.h> header shall define the sockaddr_un structure,
1730 * which shall include at least the following members:
1732 * sa_family_t sun_family Address family.
1733 * char sun_path[] Socket pathname.
1735 * so we assume that it's an array, with a specified size,
1736 * and that the size reflects the maximum path length.
1738 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1739 /* Path name too long */
1740 g_snprintf(errmsg, errmsgl,
1741 "The capture session coud not be initiated "
1742 "due to error on socket connect: Path name too long");
1743 pcap_opts->cap_pipe_err = PIPERR;
1746 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1748 g_snprintf(errmsg, errmsgl,
1749 "The capture session coud not be initiated "
1750 "due to error on socket connect: %s", strerror(errno));
1751 pcap_opts->cap_pipe_err = PIPERR;
1755 if (S_ISCHR(pipe_stat.st_mode)) {
1757 * Assume the user specified an interface on a system where
1758 * interfaces are in /dev. Pretend we haven't seen it.
1760 pcap_opts->cap_pipe_err = PIPNEXIST;
1763 g_snprintf(errmsg, errmsgl,
1764 "The capture session could not be initiated because\n"
1765 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1766 pcap_opts->cap_pipe_err = PIPERR;
1771 #define PIPE_STR "\\pipe\\"
1772 /* Under Windows, named pipes _must_ have the form
1773 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1775 pncopy = g_strdup(pipename);
1776 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1777 pos = strchr(pncopy + 3, '\\');
1778 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1785 g_snprintf(errmsg, errmsgl,
1786 "The capture session could not be initiated because\n"
1787 "\"%s\" is neither an interface nor a pipe", pipename);
1788 pcap_opts->cap_pipe_err = PIPNEXIST;
1792 /* Wait for the pipe to appear */
1794 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1795 OPEN_EXISTING, 0, NULL);
1797 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1800 if (GetLastError() != ERROR_PIPE_BUSY) {
1801 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1802 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1803 g_snprintf(errmsg, errmsgl,
1804 "The capture session on \"%s\" could not be started "
1805 "due to error on pipe open: %s (error %d)",
1806 pipename, utf_16to8(err_str), GetLastError());
1808 pcap_opts->cap_pipe_err = PIPERR;
1812 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1813 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1814 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1815 g_snprintf(errmsg, errmsgl,
1816 "The capture session on \"%s\" timed out during "
1817 "pipe open: %s (error %d)",
1818 pipename, utf_16to8(err_str), GetLastError());
1820 pcap_opts->cap_pipe_err = PIPERR;
1827 pcap_opts->from_cap_pipe = TRUE;
1830 /* read the pcap header */
1832 while (bytes_read < sizeof magic) {
1833 sel_ret = cap_pipe_select(fd);
1835 g_snprintf(errmsg, errmsgl,
1836 "Unexpected error from select: %s", strerror(errno));
1838 } else if (sel_ret > 0) {
1839 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1842 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1844 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1851 #else /* USE_THREADS */
1852 g_thread_create(&cap_pipe_read, pcap_opts, FALSE, NULL);
1854 pcap_opts->cap_pipe_buf = (char *) &magic;
1855 pcap_opts->cap_pipe_bytes_read = 0;
1856 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1857 /* We don't have to worry about cap_pipe_read_mtx here */
1858 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1859 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1860 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1861 if (pcap_opts->cap_pipe_bytes_read == 0)
1862 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1864 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1869 #endif /* USE_THREADS */
1873 /* Host that wrote it has our byte order, and was running
1874 a program using either standard or ss990417 libpcap. */
1875 pcap_opts->cap_pipe_byte_swapped = FALSE;
1876 pcap_opts->cap_pipe_modified = FALSE;
1878 case PCAP_MODIFIED_MAGIC:
1879 /* Host that wrote it has our byte order, but was running
1880 a program using either ss990915 or ss991029 libpcap. */
1881 pcap_opts->cap_pipe_byte_swapped = FALSE;
1882 pcap_opts->cap_pipe_modified = TRUE;
1884 case PCAP_SWAPPED_MAGIC:
1885 /* Host that wrote it has a byte order opposite to ours,
1886 and was running a program using either standard or
1887 ss990417 libpcap. */
1888 pcap_opts->cap_pipe_byte_swapped = TRUE;
1889 pcap_opts->cap_pipe_modified = FALSE;
1891 case PCAP_SWAPPED_MODIFIED_MAGIC:
1892 /* Host that wrote it out has a byte order opposite to
1893 ours, and was running a program using either ss990915
1894 or ss991029 libpcap. */
1895 pcap_opts->cap_pipe_byte_swapped = TRUE;
1896 pcap_opts->cap_pipe_modified = TRUE;
1899 /* Not a "libpcap" type we know about. */
1900 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1905 /* Read the rest of the header */
1907 while (bytes_read < sizeof(struct pcap_hdr)) {
1908 sel_ret = cap_pipe_select(fd);
1910 g_snprintf(errmsg, errmsgl,
1911 "Unexpected error from select: %s", strerror(errno));
1913 } else if (sel_ret > 0) {
1914 b = read(fd, ((char *)hdr)+bytes_read,
1915 sizeof(struct pcap_hdr) - bytes_read);
1918 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1920 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1927 #else /* USE_THREADS */
1928 pcap_opts->cap_pipe_buf = (char *) hdr;
1929 pcap_opts->cap_pipe_bytes_read = 0;
1930 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1931 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1932 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1933 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1934 if (pcap_opts->cap_pipe_bytes_read == 0)
1935 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1937 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1941 #endif /* USE_THREADS */
1943 if (pcap_opts->cap_pipe_byte_swapped) {
1944 /* Byte-swap the header fields about which we care. */
1945 hdr->version_major = BSWAP16(hdr->version_major);
1946 hdr->version_minor = BSWAP16(hdr->version_minor);
1947 hdr->snaplen = BSWAP32(hdr->snaplen);
1948 hdr->network = BSWAP32(hdr->network);
1950 pcap_opts->linktype = hdr->network;
1952 if (hdr->version_major < 2) {
1953 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1957 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
1958 pcap_opts->cap_pipe_err = PIPOK;
1960 pcap_opts->cap_pipe_fd = fd;
1965 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1966 pcap_opts->cap_pipe_err = PIPERR;
1969 pcap_opts->cap_pipe_fd = -1;
1976 /* We read one record from the pipe, take care of byte order in the record
1977 * header, write the record to the capture file, and update capture statistics. */
1979 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
1981 struct pcap_pkthdr phdr;
1982 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1994 #ifdef LOG_CAPTURE_VERBOSE
1995 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1998 switch (pcap_opts->cap_pipe_state) {
2000 case STATE_EXPECT_REC_HDR:
2002 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2005 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2006 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2007 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2008 pcap_opts->cap_pipe_bytes_read = 0;
2011 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2012 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2013 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2018 case STATE_READ_REC_HDR:
2020 b = read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2021 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2024 result = PD_PIPE_EOF;
2026 result = PD_PIPE_ERR;
2029 pcap_opts->cap_pipe_bytes_read += b;
2030 #else /* USE_THREADS */
2031 g_get_current_time(&wait_time);
2032 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2033 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2034 if (pcap_opts->cap_pipe_err == PIPEOF) {
2035 result = PD_PIPE_EOF;
2037 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2038 result = PD_PIPE_ERR;
2044 #endif /* USE_THREADS */
2045 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2047 result = PD_REC_HDR_READ;
2050 case STATE_EXPECT_DATA:
2052 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2055 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2056 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2057 pcap_opts->cap_pipe_bytes_read = 0;
2060 pcap_opts->cap_pipe_buf = (char *) data;
2061 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2062 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2067 case STATE_READ_DATA:
2069 b = read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2070 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2073 result = PD_PIPE_EOF;
2075 result = PD_PIPE_ERR;
2078 pcap_opts->cap_pipe_bytes_read += b;
2079 #else /* USE_THREADS */
2080 g_get_current_time(&wait_time);
2081 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2082 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2083 if (pcap_opts->cap_pipe_err == PIPEOF) {
2084 result = PD_PIPE_EOF;
2086 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2087 result = PD_PIPE_ERR;
2093 #endif /* USE_THREADS */
2094 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2096 result = PD_DATA_READ;
2100 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2103 } /* switch (ld->cap_pipe_state) */
2106 * We've now read as much data as we were expecting, so process it.
2110 case PD_REC_HDR_READ:
2111 /* We've read the header. Take care of byte order. */
2112 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2113 &pcap_opts->cap_pipe_rechdr.hdr);
2114 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2115 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2116 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2119 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2123 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2124 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2125 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2126 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2127 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2130 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2132 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2134 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2138 pcap_opts->cap_pipe_err = PIPEOF;
2143 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2144 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2145 g_snprintf(errmsg, errmsgl,
2146 "Error reading from pipe: %s (error %d)",
2147 utf_16to8(err_str), GetLastError());
2150 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2158 pcap_opts->cap_pipe_err = PIPERR;
2159 /* Return here rather than inside the switch to prevent GCC warning */
2164 /** Open the capture input file (pcap or capture pipe).
2165 * Returns TRUE if it succeeds, FALSE otherwise. */
2167 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2168 char *errmsg, size_t errmsg_len,
2169 char *secondary_errmsg, size_t secondary_errmsg_len)
2171 gchar open_err_str[PCAP_ERRBUF_SIZE];
2172 gchar *sync_msg_str;
2173 interface_options interface_opts;
2174 pcap_options *pcap_opts;
2178 gchar *sync_secondary_msg_str;
2179 WORD wVersionRequested;
2183 /* XXX - opening Winsock on tshark? */
2185 /* Initialize Windows Socket if we are in a WIN32 OS
2186 This needs to be done before querying the interface for network/netmask */
2188 /* XXX - do we really require 1.1 or earlier?
2189 Are there any versions that support only 2.0 or higher? */
2190 wVersionRequested = MAKEWORD(1, 1);
2191 err = WSAStartup(wVersionRequested, &wsaData);
2195 case WSASYSNOTREADY:
2196 g_snprintf(errmsg, (gulong) errmsg_len,
2197 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2200 case WSAVERNOTSUPPORTED:
2201 g_snprintf(errmsg, (gulong) errmsg_len,
2202 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2203 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2206 case WSAEINPROGRESS:
2207 g_snprintf(errmsg, (gulong) errmsg_len,
2208 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2212 g_snprintf(errmsg, (gulong) errmsg_len,
2213 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2217 g_snprintf(errmsg, (gulong) errmsg_len,
2218 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2222 g_snprintf(errmsg, (gulong) errmsg_len,
2223 "Couldn't initialize Windows Sockets: error %d", err);
2226 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2230 if ((use_threads == FALSE) &&
2231 (capture_opts->ifaces->len > 1)) {
2232 g_snprintf(errmsg, (gulong) errmsg_len,
2233 "Using threads is required for capturing on mulitple interfaces! Use the -t option.");
2237 for (i = 0; i < capture_opts->ifaces->len; i++) {
2238 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2239 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2240 if (pcap_opts == NULL) {
2241 g_snprintf(errmsg, (gulong) errmsg_len,
2242 "Could not allocate memory.");
2245 pcap_opts->received = 0;
2246 pcap_opts->dropped = 0;
2247 pcap_opts->pcap_h = NULL;
2248 #ifdef MUST_DO_SELECT
2249 pcap_opts->pcap_fd = -1;
2251 pcap_opts->pcap_err = FALSE;
2252 pcap_opts->interface_id = i;
2253 pcap_opts->tid = NULL;
2254 pcap_opts->snaplen = 0;
2255 pcap_opts->linktype = -1;
2256 pcap_opts->from_cap_pipe = FALSE;
2257 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2258 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2260 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2262 pcap_opts->cap_pipe_fd = -1;
2264 pcap_opts->cap_pipe_modified = FALSE;
2265 pcap_opts->cap_pipe_byte_swapped = FALSE;
2267 pcap_opts->cap_pipe_buf = NULL;
2268 #endif /* USE_THREADS */
2269 pcap_opts->cap_pipe_bytes_to_read = 0;
2270 pcap_opts->cap_pipe_bytes_read = 0;
2271 pcap_opts->cap_pipe_state = 0;
2272 pcap_opts->cap_pipe_err = PIPOK;
2274 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2275 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2276 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2278 g_array_append_val(ld->pcaps, pcap_opts);
2280 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2281 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2283 if (pcap_opts->pcap_h != NULL) {
2284 /* we've opened "iface" as a network device */
2286 /* try to set the capture buffer size */
2287 if (interface_opts.buffer_size > 1 &&
2288 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2289 sync_secondary_msg_str = g_strdup_printf(
2290 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2291 "the default of 1MB will be used.\n"
2293 "Nonetheless, the capture is started.\n",
2294 interface_opts.buffer_size);
2295 report_capture_error("Couldn't set the capture buffer size!",
2296 sync_secondary_msg_str);
2297 g_free(sync_secondary_msg_str);
2301 #if defined(HAVE_PCAP_SETSAMPLING)
2302 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2303 struct pcap_samp *samp;
2305 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2306 switch (interface_opts.sampling_method) {
2307 case CAPTURE_SAMP_BY_COUNT:
2308 samp->method = PCAP_SAMP_1_EVERY_N;
2311 case CAPTURE_SAMP_BY_TIMER:
2312 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2316 sync_msg_str = g_strdup_printf(
2317 "Unknown sampling method %d specified,\n"
2318 "continue without packet sampling",
2319 interface_opts.sampling_method);
2320 report_capture_error("Couldn't set the capture "
2321 "sampling", sync_msg_str);
2322 g_free(sync_msg_str);
2324 samp->value = interface_opts.sampling_param;
2326 report_capture_error("Couldn't set the capture sampling",
2327 "Cannot get packet sampling data structure");
2332 /* setting the data link type only works on real interfaces */
2333 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2335 secondary_errmsg, secondary_errmsg_len)) {
2338 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2340 /* We couldn't open "iface" as a network device. */
2341 /* Try to open it as a pipe */
2342 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2345 if (pcap_opts->cap_pipe_fd == -1) {
2347 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2349 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2350 /* Pipe doesn't exist, so output message for interface */
2351 get_capture_device_open_failure_messages(open_err_str,
2352 interface_opts.name,
2356 secondary_errmsg_len);
2359 * Else pipe (or file) does exist and cap_pipe_open_live() has
2364 /* cap_pipe_open_live() succeeded; don't want
2365 error message from pcap_open_live() */
2366 open_err_str[0] = '\0';
2370 /* XXX - will this work for tshark? */
2371 #ifdef MUST_DO_SELECT
2372 if (!pcap_opts->from_cap_pipe) {
2373 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2374 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2376 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2381 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2382 returned a warning; print it, but keep capturing. */
2383 if (open_err_str[0] != '\0') {
2384 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2385 report_capture_error(sync_msg_str, "");
2386 g_free(sync_msg_str);
2388 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2389 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2392 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2393 /* to remove any suid privileges. */
2394 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2395 /* (euid/egid have already previously been set to ruid/rgid. */
2396 /* (See comment in main() for details) */
2398 relinquish_special_privs_perm();
2400 relinquish_all_capabilities();
2405 /* close the capture input file (pcap or capture pipe) */
2406 static void capture_loop_close_input(loop_data *ld)
2409 pcap_options *pcap_opts;
2411 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2413 for (i = 0; i < ld->pcaps->len; i++) {
2414 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2415 /* if open, close the capture pipe "input file" */
2417 if (pcap_opts->cap_pipe_fd >= 0) {
2418 g_assert(pcap_opts->from_cap_pipe);
2419 ws_close(pcap_opts->cap_pipe_fd);
2420 pcap_opts->cap_pipe_fd = -1;
2423 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2424 CloseHandle(pcap_opts->cap_pipe_h);
2425 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2428 /* if open, close the pcap "input file" */
2429 if (pcap_opts->pcap_h != NULL) {
2430 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2431 pcap_close(pcap_opts->pcap_h);
2432 pcap_opts->pcap_h = NULL;
2439 /* Shut down windows sockets */
2445 /* init the capture filter */
2446 static initfilter_status_t
2447 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2448 const gchar * name, const gchar * cfilter)
2450 struct bpf_program fcode;
2452 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2454 /* capture filters only work on real interfaces */
2455 if (cfilter && !from_cap_pipe) {
2456 /* A capture filter was specified; set it up. */
2457 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2458 /* Treat this specially - our caller might try to compile this
2459 as a display filter and, if that succeeds, warn the user that
2460 the display and capture filter syntaxes are different. */
2461 return INITFILTER_BAD_FILTER;
2463 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2464 #ifdef HAVE_PCAP_FREECODE
2465 pcap_freecode(&fcode);
2467 return INITFILTER_OTHER_ERROR;
2469 #ifdef HAVE_PCAP_FREECODE
2470 pcap_freecode(&fcode);
2474 return INITFILTER_NO_ERROR;
2478 /* set up to write to the already-opened capture output file/files */
2480 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2484 pcap_options *pcap_opts;
2485 interface_options interface_opts;
2486 gboolean successful;
2488 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2490 if ((capture_opts->use_pcapng == FALSE) &&
2491 (capture_opts->ifaces->len > 1)) {
2492 g_snprintf(errmsg, errmsg_len,
2493 "Using PCAPNG is required for capturing on mulitple interfaces! Use the -n option.");
2497 /* Set up to write to the capture file. */
2498 if (capture_opts->multi_files_on) {
2499 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2501 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2504 if (capture_opts->use_pcapng) {
2507 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2508 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err);
2509 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2510 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2511 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2512 if (pcap_opts->from_cap_pipe) {
2513 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2515 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2517 successful = libpcap_write_interface_description_block(ld->pdh,
2518 interface_opts.name,
2519 interface_opts.cfilter?interface_opts.cfilter:"",
2520 pcap_opts->linktype,
2526 interface_opts = g_array_index(capture_opts->ifaces, interface_options, 0);
2527 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2528 if (pcap_opts->from_cap_pipe) {
2529 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2531 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2533 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2534 &ld->bytes_written, &err);
2542 if (ld->pdh == NULL) {
2543 /* We couldn't set up to write to the capture file. */
2544 /* XXX - use cf_open_error_message from tshark instead? */
2549 g_snprintf(errmsg, errmsg_len,
2550 "The file to which the capture would be"
2551 " saved (\"%s\") could not be opened: Error %d.",
2552 capture_opts->save_file, err);
2554 g_snprintf(errmsg, errmsg_len,
2555 "The file to which the capture would be"
2556 " saved (\"%s\") could not be opened: %s.",
2557 capture_opts->save_file, strerror(err));
2569 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2573 pcap_options *pcap_opts;
2575 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2577 if (capture_opts->multi_files_on) {
2578 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2580 if (capture_opts->use_pcapng) {
2581 for (i = 0; i < global_ld.pcaps->len; i++) {
2582 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2583 if (!pcap_opts->from_cap_pipe) {
2584 libpcap_write_interface_statistics_block(ld->pdh, i, pcap_opts->pcap_h, &ld->bytes_written, err_close);
2588 return libpcap_dump_close(ld->pdh, err_close);
2592 /* dispatch incoming packets (pcap or capture pipe)
2594 * Waits for incoming packets to be available, and calls pcap_dispatch()
2595 * to cause them to be processed.
2597 * Returns the number of packets which were processed.
2599 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2600 * packet-batching behaviour does not cause packets to get held back
2604 capture_loop_dispatch(loop_data *ld,
2605 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2608 gint packet_count_before;
2609 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2614 packet_count_before = ld->packet_count;
2615 if (pcap_opts->from_cap_pipe) {
2616 /* dispatch from capture pipe */
2617 #ifdef LOG_CAPTURE_VERBOSE
2618 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2621 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2623 if (sel_ret < 0 && errno != EINTR) {
2624 g_snprintf(errmsg, errmsg_len,
2625 "Unexpected error from select: %s", strerror(errno));
2626 report_capture_error(errmsg, please_report);
2631 * "select()" says we can read from the pipe without blocking
2633 #endif /* USE_THREADS */
2634 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2644 /* dispatch from pcap */
2645 #ifdef MUST_DO_SELECT
2647 * If we have "pcap_get_selectable_fd()", we use it to get the
2648 * descriptor on which to select; if that's -1, it means there
2649 * is no descriptor on which you can do a "select()" (perhaps
2650 * because you're capturing on a special device, and that device's
2651 * driver unfortunately doesn't support "select()", in which case
2652 * we don't do the select - which means it might not be possible
2653 * to stop a capture until a packet arrives. If that's unacceptable,
2654 * plead with whoever supplies the software for that device to add
2655 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2656 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2657 * later, so it can use pcap_breakloop().
2659 #ifdef LOG_CAPTURE_VERBOSE
2660 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2662 if (pcap_opts->pcap_fd != -1) {
2663 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2666 * "select()" says we can read from it without blocking; go for
2669 * We don't have pcap_breakloop(), so we only process one packet
2670 * per pcap_dispatch() call, to allow a signal to stop the
2671 * processing immediately, rather than processing all packets
2672 * in a batch before quitting.
2675 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2677 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2681 /* Error, rather than pcap_breakloop(). */
2682 pcap_opts->pcap_err = TRUE;
2684 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2687 if (sel_ret < 0 && errno != EINTR) {
2688 g_snprintf(errmsg, errmsg_len,
2689 "Unexpected error from select: %s", strerror(errno));
2690 report_capture_error(errmsg, please_report);
2696 #endif /* MUST_DO_SELECT */
2698 /* dispatch from pcap without select */
2700 #ifdef LOG_CAPTURE_VERBOSE
2701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2705 * On Windows, we don't support asynchronously telling a process to
2706 * stop capturing; instead, we check for an indication on a pipe
2707 * after processing packets. We therefore process only one packet
2708 * at a time, so that we can check the pipe after every packet.
2711 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2713 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2717 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2719 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2724 /* Error, rather than pcap_breakloop(). */
2725 pcap_opts->pcap_err = TRUE;
2727 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2729 #else /* pcap_next_ex */
2730 #ifdef LOG_CAPTURE_VERBOSE
2731 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2733 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2736 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2737 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2738 * This should be fixed in the WinPcap 4.0 alpha release.
2740 * For reference, an example remote interface:
2741 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2744 /* emulate dispatch from pcap */
2747 struct pcap_pkthdr *pkt_header;
2752 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2754 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2756 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2761 pcap_opts->pcap_err = TRUE;
2765 #endif /* pcap_next_ex */
2769 #ifdef LOG_CAPTURE_VERBOSE
2770 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2773 return ld->packet_count - packet_count_before;
2777 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2778 * want to grab only the characters between the '{' and '}' delimiters.
2780 * Returns a GString that must be freed with g_string_free(). */
2782 isolate_uuid(const char *iface)
2787 ptr = strchr(iface, '{');
2789 return g_string_new(iface);
2790 gstr = g_string_new(ptr + 1);
2792 ptr = strchr(gstr->str, '}');
2796 gstr = g_string_truncate(gstr, ptr - gstr->str);
2801 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2802 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2804 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2805 char *errmsg, int errmsg_len)
2808 gchar *capfile_name;
2810 gboolean is_tempfile;
2812 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2813 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2815 if (capture_opts->save_file != NULL) {
2816 /* We return to the caller while the capture is in progress.
2817 * Therefore we need to take a copy of save_file in
2818 * case the caller destroys it after we return.
2820 capfile_name = g_strdup(capture_opts->save_file);
2822 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2823 if (capture_opts->multi_files_on) {
2824 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2825 g_snprintf(errmsg, errmsg_len,
2826 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2827 g_free(capfile_name);
2830 if (strcmp(capfile_name, "-") == 0) {
2831 /* write to stdout */
2834 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2835 _setmode(1, O_BINARY);
2838 } /* if (...output_to_pipe ... */
2841 if (capture_opts->multi_files_on) {
2842 /* ringbuffer is enabled */
2843 *save_file_fd = ringbuf_init(capfile_name,
2844 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2845 capture_opts->group_read_access);
2847 /* we need the ringbuf name */
2848 if(*save_file_fd != -1) {
2849 g_free(capfile_name);
2850 capfile_name = g_strdup(ringbuf_current_filename());
2853 /* Try to open/create the specified file for use as a capture buffer. */
2854 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2855 (capture_opts->group_read_access) ? 0640 : 0600);
2858 is_tempfile = FALSE;
2860 /* Choose a random name for the temporary capture buffer */
2861 if (global_capture_opts.ifaces->len > 1) {
2862 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
2867 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
2868 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2869 g_string_free(iface, TRUE);
2871 prefix = g_strconcat("wireshark_", g_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name), NULL);
2874 *save_file_fd = create_tempfile(&tmpname, prefix);
2876 capfile_name = g_strdup(tmpname);
2880 /* did we fail to open the output file? */
2881 if (*save_file_fd == -1) {
2883 g_snprintf(errmsg, errmsg_len,
2884 "The temporary file to which the capture would be saved (\"%s\") "
2885 "could not be opened: %s.", capfile_name, strerror(errno));
2887 if (capture_opts->multi_files_on) {
2888 ringbuf_error_cleanup();
2891 g_snprintf(errmsg, errmsg_len,
2892 "The file to which the capture would be saved (\"%s\") "
2893 "could not be opened: %s.", capfile_name,
2896 g_free(capfile_name);
2900 if(capture_opts->save_file != NULL) {
2901 g_free(capture_opts->save_file);
2903 capture_opts->save_file = capfile_name;
2904 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2905 "g_free(capfile_name)". */
2911 /* Do the work of handling either the file size or file duration capture
2912 conditions being reached, and switching files or stopping. */
2914 do_file_switch_or_stop(capture_options *capture_opts,
2915 condition *cnd_autostop_files,
2916 condition *cnd_autostop_size,
2917 condition *cnd_file_duration)
2920 pcap_options *pcap_opts;
2921 interface_options interface_opts;
2922 gboolean successful;
2924 if (capture_opts->multi_files_on) {
2925 if (cnd_autostop_files != NULL &&
2926 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2927 /* no files left: stop here */
2928 global_ld.go = FALSE;
2932 /* Switch to the next ringbuffer file */
2933 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2934 &global_ld.save_file_fd, &global_ld.err)) {
2936 /* File switch succeeded: reset the conditions */
2937 global_ld.bytes_written = 0;
2938 if (capture_opts->use_pcapng) {
2941 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2942 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &(global_ld.bytes_written), &global_ld.err);
2943 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2944 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2945 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2946 successful = libpcap_write_interface_description_block(global_ld.pdh,
2947 interface_opts.name,
2948 interface_opts.cfilter?interface_opts.cfilter:"",
2949 pcap_opts->linktype,
2951 &(global_ld.bytes_written),
2955 interface_opts = g_array_index(capture_opts->ifaces, interface_options, 0);
2956 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
2957 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
2958 &global_ld.bytes_written, &global_ld.err);
2961 fclose(global_ld.pdh);
2962 global_ld.pdh = NULL;
2963 global_ld.go = FALSE;
2966 if (cnd_autostop_size)
2967 cnd_reset(cnd_autostop_size);
2968 if (cnd_file_duration)
2969 cnd_reset(cnd_file_duration);
2970 libpcap_dump_flush(global_ld.pdh, NULL);
2972 report_packet_count(global_ld.inpkts_to_sync_pipe);
2973 global_ld.inpkts_to_sync_pipe = 0;
2974 report_new_capture_file(capture_opts->save_file);
2976 /* File switch failed: stop here */
2977 global_ld.go = FALSE;
2981 /* single file, stop now */
2982 global_ld.go = FALSE;
2989 pcap_read_handler(void* arg)
2991 pcap_options *pcap_opts;
2992 char errmsg[MSG_MAX_LENGTH+1];
2994 pcap_opts = (pcap_options *)arg;
2996 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
2997 pcap_opts->interface_id);
2999 while (global_ld.go) {
3000 /* dispatch incoming packets */
3001 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3003 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3004 pcap_opts->interface_id);
3005 g_thread_exit(NULL);
3009 /* Do the low-level work of a capture.
3010 Returns TRUE if it succeeds, FALSE otherwise. */
3012 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3015 time_t upd_time, cur_time;
3017 struct timeval upd_time, cur_time;
3021 condition *cnd_file_duration = NULL;
3022 condition *cnd_autostop_files = NULL;
3023 condition *cnd_autostop_size = NULL;
3024 condition *cnd_autostop_duration = NULL;
3027 gboolean cfilter_error = FALSE;
3028 char errmsg[MSG_MAX_LENGTH+1];
3029 char secondary_errmsg[MSG_MAX_LENGTH+1];
3030 pcap_options *pcap_opts;
3031 interface_options interface_opts;
3032 guint i, error_index = 0;
3034 interface_opts = capture_opts->default_options;
3036 *secondary_errmsg = '\0';
3038 /* init the loop data */
3039 global_ld.go = TRUE;
3040 global_ld.packet_count = 0;
3042 global_ld.report_packet_count = FALSE;
3044 if (capture_opts->has_autostop_packets)
3045 global_ld.packet_max = capture_opts->autostop_packets;
3047 global_ld.packet_max = 0; /* no limit */
3048 global_ld.inpkts_to_sync_pipe = 0;
3049 global_ld.err = 0; /* no error seen yet */
3050 global_ld.pdh = NULL;
3051 global_ld.autostop_files = 0;
3052 global_ld.save_file_fd = -1;
3054 /* We haven't yet gotten the capture statistics. */
3055 *stats_known = FALSE;
3057 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3058 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3060 /* open the "input file" from network interface or capture pipe */
3061 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3062 secondary_errmsg, sizeof(secondary_errmsg))) {
3065 for (i = 0; i < capture_opts->ifaces->len; i++) {
3066 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3067 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3068 /* init the input filter from the network interface (capture pipe will do nothing) */
3070 * When remote capturing WinPCap crashes when the capture filter
3071 * is NULL. This might be a bug in WPCap. Therefore we provide an emtpy
3074 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3075 interface_opts.name,
3076 interface_opts.cfilter?interface_opts.cfilter:"")) {
3078 case INITFILTER_NO_ERROR:
3081 case INITFILTER_BAD_FILTER:
3082 cfilter_error = TRUE;
3084 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3087 case INITFILTER_OTHER_ERROR:
3088 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3089 pcap_geterr(pcap_opts->pcap_h));
3090 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3095 /* If we're supposed to write to a capture file, open it for output
3096 (temporary/specified name/ringbuffer) */
3097 if (capture_opts->saving_to_file) {
3098 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3099 errmsg, sizeof(errmsg))) {
3103 /* set up to write to the already-opened capture output file/files */
3104 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3109 /* XXX - capture SIGTERM and close the capture, in case we're on a
3110 Linux 2.0[.x] system and you have to explicitly close the capture
3111 stream in order to turn promiscuous mode off? We need to do that
3112 in other places as well - and I don't think that works all the
3113 time in any case, due to libpcap bugs. */
3115 /* Well, we should be able to start capturing.
3117 Sync out the capture file, so the header makes it to the file system,
3118 and send a "capture started successfully and capture file created"
3119 message to our parent so that they'll open the capture file and
3120 update its windows to indicate that we have a live capture in
3122 libpcap_dump_flush(global_ld.pdh, NULL);
3123 report_new_capture_file(capture_opts->save_file);
3126 /* initialize capture stop (and alike) conditions */
3127 init_capture_stop_conditions();
3128 /* create stop conditions */
3129 if (capture_opts->has_autostop_filesize)
3131 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3132 if (capture_opts->has_autostop_duration)
3133 cnd_autostop_duration =
3134 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3136 if (capture_opts->multi_files_on) {
3137 if (capture_opts->has_file_duration)
3139 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3141 if (capture_opts->has_autostop_files)
3142 cnd_autostop_files =
3143 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3146 /* init the time values */
3148 upd_time = GetTickCount();
3150 gettimeofday(&upd_time, NULL);
3153 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3155 /* WOW, everything is prepared! */
3156 /* please fasten your seat belts, we will enter now the actual capture loop */
3158 pcap_queue = g_async_queue_new();
3159 pcap_queue_bytes = 0;
3160 pcap_queue_packets = 0;
3161 for (i = 0; i < global_ld.pcaps->len; i++) {
3162 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3163 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3166 while (global_ld.go) {
3167 /* dispatch incoming packets */
3169 GTimeVal write_thread_time;
3170 pcap_queue_element *queue_element;
3172 g_get_current_time(&write_thread_time);
3173 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3174 g_async_queue_lock(pcap_queue);
3175 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3176 if (queue_element) {
3177 pcap_queue_bytes -= queue_element->phdr.caplen;
3178 pcap_queue_packets -= 1;
3180 g_async_queue_unlock(pcap_queue);
3181 if (queue_element) {
3182 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3183 "Dequeued a packet of length %d captured on interface %d.",
3184 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3186 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3187 &queue_element->phdr,
3189 g_free(queue_element->pd);
3190 g_free(queue_element);
3196 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3197 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3198 sizeof(errmsg), pcap_opts);
3201 /* Were we asked to print packet counts by the SIGINFO handler? */
3202 if (global_ld.report_packet_count) {
3203 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3204 plurality(global_ld.packet_count, "", "s"));
3205 global_ld.report_packet_count = FALSE;
3210 /* any news from our parent (signal pipe)? -> just stop the capture */
3211 if (!signal_pipe_check_running()) {
3212 global_ld.go = FALSE;
3217 global_ld.inpkts_to_sync_pipe += inpkts;
3219 /* check capture size condition */
3220 if (cnd_autostop_size != NULL &&
3221 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3222 /* Capture size limit reached, do we have another file? */
3223 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3224 cnd_autostop_size, cnd_file_duration))
3226 } /* cnd_autostop_size */
3227 if (capture_opts->output_to_pipe) {
3228 libpcap_dump_flush(global_ld.pdh, NULL);
3232 /* Only update once every 500ms so as not to overload slow displays.
3233 * This also prevents too much context-switching between the dumpcap
3234 * and wireshark processes.
3236 #define DUMPCAP_UPD_TIME 500
3239 cur_time = GetTickCount();
3240 if ( (cur_time - upd_time) > DUMPCAP_UPD_TIME) {
3242 gettimeofday(&cur_time, NULL);
3243 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3244 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3247 upd_time = cur_time;
3250 if (pcap_stats(pch, stats) >= 0) {
3251 *stats_known = TRUE;
3254 /* Let the parent process know. */
3255 if (global_ld.inpkts_to_sync_pipe) {
3257 libpcap_dump_flush(global_ld.pdh, NULL);
3259 /* Send our parent a message saying we've written out
3260 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3262 report_packet_count(global_ld.inpkts_to_sync_pipe);
3264 global_ld.inpkts_to_sync_pipe = 0;
3267 /* check capture duration condition */
3268 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3269 /* The maximum capture time has elapsed; stop the capture. */
3270 global_ld.go = FALSE;
3274 /* check capture file duration condition */
3275 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3276 /* duration limit reached, do we have another file? */
3277 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3278 cnd_autostop_size, cnd_file_duration))
3280 } /* cnd_file_duration */
3284 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3286 pcap_queue_element *queue_element;
3288 for (i = 0; i < global_ld.pcaps->len; i++) {
3289 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3290 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3291 pcap_opts->interface_id);
3292 g_thread_join(pcap_opts->tid);
3293 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3294 pcap_opts->interface_id);
3297 g_async_queue_lock(pcap_queue);
3298 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3299 if (queue_element) {
3300 pcap_queue_bytes -= queue_element->phdr.caplen;
3301 pcap_queue_packets -= 1;
3303 g_async_queue_unlock(pcap_queue);
3304 if (queue_element == NULL) {
3307 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3308 "Dequeued a packet of length %d captured on interface %d.",
3309 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3310 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3311 &queue_element->phdr,
3313 g_free(queue_element->pd);
3314 g_free(queue_element);
3315 global_ld.inpkts_to_sync_pipe += 1;
3316 if (capture_opts->output_to_pipe) {
3317 libpcap_dump_flush(global_ld.pdh, NULL);
3323 /* delete stop conditions */
3324 if (cnd_file_duration != NULL)
3325 cnd_delete(cnd_file_duration);
3326 if (cnd_autostop_files != NULL)
3327 cnd_delete(cnd_autostop_files);
3328 if (cnd_autostop_size != NULL)
3329 cnd_delete(cnd_autostop_size);
3330 if (cnd_autostop_duration != NULL)
3331 cnd_delete(cnd_autostop_duration);
3333 /* did we have a pcap (input) error? */
3334 for (i = 0; i < capture_opts->ifaces->len; i++) {
3335 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3336 if (pcap_opts->pcap_err) {
3337 /* On Linux, if an interface goes down while you're capturing on it,
3338 you'll get a "recvfrom: Network is down" or
3339 "The interface went down" error (ENETDOWN).
3340 (At least you will if strerror() doesn't show a local translation
3343 On FreeBSD and OS X, if a network adapter disappears while
3344 you're capturing on it, you'll get a "read: Device not configured"
3345 error (ENXIO). (See previous parenthetical note.)
3347 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3349 These should *not* be reported to the Wireshark developers. */
3352 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3353 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3354 strcmp(cap_err_str, "The interface went down") == 0 ||
3355 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3356 strcmp(cap_err_str, "read: I/O error") == 0 ||
3357 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3358 report_capture_error("The network adapter on which the capture was being done "
3359 "is no longer running; the capture has stopped.",
3362 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3364 report_capture_error(errmsg, please_report);
3367 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3368 report_capture_error(errmsg, "");
3372 /* did we have an output error while capturing? */
3373 if (global_ld.err == 0) {
3376 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3377 global_ld.err, FALSE);
3378 report_capture_error(errmsg, please_report);
3382 if (capture_opts->saving_to_file) {
3383 /* close the output file */
3384 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3388 /* there might be packets not yet notified to the parent */
3389 /* (do this after closing the file, so all packets are already flushed) */
3390 if(global_ld.inpkts_to_sync_pipe) {
3392 report_packet_count(global_ld.inpkts_to_sync_pipe);
3393 global_ld.inpkts_to_sync_pipe = 0;
3396 /* If we've displayed a message about a write error, there's no point
3397 in displaying another message about an error on close. */
3398 if (!close_ok && write_ok) {
3399 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3401 report_capture_error(errmsg, "");
3405 * XXX We exhibit different behaviour between normal mode and sync mode
3406 * when the pipe is stdin and not already at EOF. If we're a child, the
3407 * parent's stdin isn't closed, so if the user starts another capture,
3408 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3409 * will say "Unrecognized libpcap format". On the other hand, in normal
3410 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3413 report_capture_count(TRUE);
3415 /* get packet drop statistics from pcap */
3416 for (i = 0; i < capture_opts->ifaces->len; i++) {
3420 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3421 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3422 received = pcap_opts->received;
3423 dropped = pcap_opts->dropped;
3424 if (pcap_opts->pcap_h != NULL) {
3425 g_assert(!pcap_opts->from_cap_pipe);
3426 /* Get the capture statistics, so we know how many packets were dropped. */
3427 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3428 *stats_known = TRUE;
3429 /* Let the parent process know. */
3430 dropped += stats->ps_drop;
3432 g_snprintf(errmsg, sizeof(errmsg),
3433 "Can't get packet-drop statistics: %s",
3434 pcap_geterr(pcap_opts->pcap_h));
3435 report_capture_error(errmsg, please_report);
3438 report_packet_drops(received, dropped, interface_opts.name);
3441 /* close the input file (pcap or capture pipe) */
3442 capture_loop_close_input(&global_ld);
3444 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3446 /* ok, if the write and the close were successful. */
3447 return write_ok && close_ok;
3450 if (capture_opts->multi_files_on) {
3451 /* cleanup ringbuffer */
3452 ringbuf_error_cleanup();
3454 /* We can't use the save file, and we have no FILE * for the stream
3455 to close in order to close it, so close the FD directly. */
3456 if (global_ld.save_file_fd != -1) {
3457 ws_close(global_ld.save_file_fd);
3460 /* We couldn't even start the capture, so get rid of the capture
3462 if (capture_opts->save_file != NULL) {
3463 ws_unlink(capture_opts->save_file);
3464 g_free(capture_opts->save_file);
3467 capture_opts->save_file = NULL;
3469 report_cfilter_error(capture_opts, error_index, errmsg);
3471 report_capture_error(errmsg, secondary_errmsg);
3473 /* close the input file (pcap or cap_pipe) */
3474 capture_loop_close_input(&global_ld);
3476 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3482 static void capture_loop_stop(void)
3484 #ifdef HAVE_PCAP_BREAKLOOP
3486 pcap_options *pcap_opts;
3488 for (i = 0; i < global_ld.pcaps->len; i++) {
3489 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3490 if (pcap_opts->pcap_h != NULL)
3491 pcap_breakloop(pcap_opts->pcap_h);
3494 global_ld.go = FALSE;
3499 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3500 int err, gboolean is_close)
3505 g_snprintf(errmsg, errmsglen,
3506 "Not all the packets could be written to the file"
3507 " to which the capture was being saved\n"
3508 "(\"%s\") because there is no space left on the file system\n"
3509 "on which that file resides.",
3515 g_snprintf(errmsg, errmsglen,
3516 "Not all the packets could be written to the file"
3517 " to which the capture was being saved\n"
3518 "(\"%s\") because you are too close to, or over,"
3519 " your disk quota\n"
3520 "on the file system on which that file resides.",
3527 g_snprintf(errmsg, errmsglen,
3528 "The file to which the capture was being saved\n"
3529 "(\"%s\") could not be closed: %s.",
3530 fname, strerror(err));
3532 g_snprintf(errmsg, errmsglen,
3533 "An error occurred while writing to the file"
3534 " to which the capture was being saved\n"
3536 fname, strerror(err));
3543 /* one packet was captured, process it */
3545 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3548 pcap_options *pcap_opts = (pcap_options *) pcap_opts_p;
3551 /* We may be called multiple times from pcap_dispatch(); if we've set
3552 the "stop capturing" flag, ignore this packet, as we're not
3553 supposed to be saving any more packets. */
3557 if (global_ld.pdh) {
3558 gboolean successful;
3560 /* We're supposed to write the packet to a file; do so.
3561 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3562 "ld->err" to the error. */
3563 if (global_capture_opts.use_pcapng) {
3564 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, pd, &global_ld.bytes_written, &err);
3566 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3569 global_ld.go = FALSE;
3570 global_ld.err = err;
3572 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3573 "Wrote a packet of length %d captured on interface %u.",
3574 phdr->caplen, pcap_opts->interface_id);
3575 global_ld.packet_count++;
3576 pcap_opts->received++;
3577 /* if the user told us to stop after x packets, do we already have enough? */
3578 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3579 global_ld.go = FALSE;
3585 /* one packet was captured, queue it */
3587 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3590 pcap_options *pcap_opts = (pcap_options *) pcap_opts_p;
3591 pcap_queue_element *queue_element;
3592 gboolean limit_reached;
3594 /* We may be called multiple times from pcap_dispatch(); if we've set
3595 the "stop capturing" flag, ignore this packet, as we're not
3596 supposed to be saving any more packets. */
3600 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3601 if (queue_element == NULL) {
3602 pcap_opts->dropped++;
3605 queue_element->pcap_opts = pcap_opts;
3606 queue_element->phdr = *phdr;
3607 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3608 if (queue_element->pd == NULL) {
3609 pcap_opts->dropped++;
3610 g_free(queue_element);
3613 memcpy(queue_element->pd, pd, phdr->caplen);
3614 g_async_queue_lock(pcap_queue);
3615 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3616 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3617 limit_reached = FALSE;
3618 g_async_queue_push_unlocked(pcap_queue, queue_element);
3619 pcap_queue_bytes += phdr->caplen;
3620 pcap_queue_packets += 1;
3622 limit_reached = TRUE;
3624 g_async_queue_unlock(pcap_queue);
3625 if (limit_reached) {
3626 pcap_opts->dropped++;
3627 g_free(queue_element->pd);
3628 g_free(queue_element);
3629 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3630 "Dropped a packet of length %d captured on interface %u.",
3631 phdr->caplen, pcap_opts->interface_id);
3633 pcap_opts->received++;
3634 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3635 "Queued a packet of length %d captured on interface %u.",
3636 phdr->caplen, pcap_opts->interface_id);
3638 /* I don't want to hold the mutex over the debug output. So the
3639 output may be wrong */
3640 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3641 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3642 pcap_queue_bytes, pcap_queue_packets);
3645 /* And now our feature presentation... [ fade to music ] */
3647 main(int argc, char *argv[])
3650 gboolean arg_error = FALSE;
3655 struct sigaction action, oldaction;
3658 gboolean start_capture = TRUE;
3659 gboolean stats_known;
3660 struct pcap_stat stats;
3661 GLogLevelFlags log_flags;
3662 gboolean list_interfaces = FALSE;
3663 gboolean list_link_layer_types = FALSE;
3664 #ifdef HAVE_BPF_IMAGE
3665 gboolean print_bpf_code = FALSE;
3667 gboolean machine_readable = FALSE;
3668 gboolean print_statistics = FALSE;
3669 int status, run_once_args = 0;
3672 #if defined(__APPLE__) && defined(__LP64__)
3673 struct utsname osinfo;
3677 arg_list_utf_16to8(argc, argv);
3682 * Initialize our DLL search path. MUST be called before LoadLibrary
3685 ws_init_dll_search_path();
3688 #ifdef HAVE_PCAP_REMOTE
3689 #define OPTSTRING_A "A:"
3690 #define OPTSTRING_r "r"
3691 #define OPTSTRING_u "u"
3693 #define OPTSTRING_A ""
3694 #define OPTSTRING_r ""
3695 #define OPTSTRING_u ""
3698 #ifdef HAVE_PCAP_SETSAMPLING
3699 #define OPTSTRING_m "m:"
3701 #define OPTSTRING_m ""
3704 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3705 #define OPTSTRING_B "B:"
3707 #define OPTSTRING_B ""
3708 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3710 #ifdef HAVE_PCAP_CREATE
3711 #define OPTSTRING_I "I"
3713 #define OPTSTRING_I ""
3716 #ifdef HAVE_BPF_IMAGE
3717 #define OPTSTRING_d "d"
3719 #define OPTSTRING_d ""
3722 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
3724 #ifdef DEBUG_CHILD_DUMPCAP
3725 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3726 fprintf (stderr, "Unable to open debug log file !\n");
3731 #if defined(__APPLE__) && defined(__LP64__)
3733 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3734 * a bug workaround - timeouts less than 1 second don't work with libpcap
3735 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3736 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3737 * The problem is extremely unlikely to be reintroduced in a future
3740 if (uname(&osinfo) == 0) {
3742 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3743 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3744 * number of 10.0.0, not 10.1.0 - go figure).
3746 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3747 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3748 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3749 need_timeout_workaround = TRUE;
3754 * Determine if dumpcap is being requested to run in a special
3755 * capture_child mode by going thru the command line args to see if
3756 * a -Z is present. (-Z is a hidden option).
3758 * The primary result of running in capture_child mode is that
3759 * all messages sent out on stderr are in a special type/len/string
3760 * format to allow message processing by type. These messages include
3761 * error messages if dumpcap fails to start the operation it was
3762 * requested to do, as well as various "status" messages which are sent
3763 * when an actual capture is in progress, and a "success" message sent
3764 * if dumpcap was requested to perform an operation other than a
3767 * Capture_child mode would normally be requested by a parent process
3768 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3769 * to which dumpcap stderr has been redirected. It might also have
3770 * another pipe to obtain dumpcap stdout output; for operations other
3771 * than a capture, that information is formatted specially for easier
3772 * parsing by the parent process.
3774 * Capture_child mode needs to be determined immediately upon
3775 * startup so that any messages generated by dumpcap in this mode
3776 * (eg: during initialization) will be formatted properly.
3779 for (i=1; i<argc; i++) {
3780 if (strcmp("-Z", argv[i]) == 0) {
3781 capture_child = TRUE;
3782 machine_readable = TRUE; /* request machine-readable output */
3784 /* set output pipe to binary mode, to avoid ugly text conversions */
3785 _setmode(2, O_BINARY);
3790 /* The default_log_handler will use stdout, which makes trouble in */
3791 /* capture child mode, as it uses stdout for it's sync_pipe. */
3792 /* So: the filtering is done in the console_log_handler and not here.*/
3793 /* We set the log handlers right up front to make sure that any log */
3794 /* messages when running as child will be sent back to the parent */
3795 /* with the correct format. */
3799 G_LOG_LEVEL_CRITICAL|
3800 G_LOG_LEVEL_WARNING|
3801 G_LOG_LEVEL_MESSAGE|
3804 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3806 g_log_set_handler(NULL,
3808 console_log_handler, NULL /* user_data */);
3809 g_log_set_handler(LOG_DOMAIN_MAIN,
3811 console_log_handler, NULL /* user_data */);
3812 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3814 console_log_handler, NULL /* user_data */);
3815 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3817 console_log_handler, NULL /* user_data */);
3819 /* Initialize the pcaps list */
3820 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
3822 /* Initialize the thread system */
3823 if (!g_thread_supported())
3824 g_thread_init(NULL);
3826 /* Load wpcap if possible. Do this before collecting the run-time version information */
3829 /* ... and also load the packet.dll from wpcap */
3830 /* XXX - currently not required, may change later. */
3831 /*wpcap_packet_load();*/
3833 /* Start windows sockets */
3834 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3836 /* Set handler for Ctrl+C key */
3837 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3839 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3841 action.sa_handler = capture_cleanup_handler;
3843 * Arrange that system calls not get restarted, because when
3844 * our signal handler returns we don't want to restart
3845 * a call that was waiting for packets to arrive.
3847 action.sa_flags = 0;
3848 sigemptyset(&action.sa_mask);
3849 sigaction(SIGTERM, &action, NULL);
3850 sigaction(SIGINT, &action, NULL);
3851 sigaction(SIGPIPE, &action, NULL);
3852 sigaction(SIGHUP, NULL, &oldaction);
3853 if (oldaction.sa_handler == SIG_DFL)
3854 sigaction(SIGHUP, &action, NULL);
3857 /* Catch SIGINFO and, if we get it and we're capturing in
3858 quiet mode, report the number of packets we've captured. */
3859 action.sa_handler = report_counts_siginfo;
3860 action.sa_flags = SA_RESTART;
3861 sigemptyset(&action.sa_mask);
3862 sigaction(SIGINFO, &action, NULL);
3863 #endif /* SIGINFO */
3866 /* ----------------------------------------------------------------- */
3867 /* Privilege and capability handling */
3869 /* 1. Running not as root or suid root; no special capabilities. */
3872 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3875 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3877 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3878 /* capabilities; Drop all other capabilities; */
3879 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3880 /* else: after pcap_open_live() in capture_loop_open_input() */
3881 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3882 /* (Note: this means that the process, although logged in */
3883 /* as root, does not have various permissions such as the */
3884 /* ability to bypass file access permissions). */
3885 /* XXX: Should we just leave capabilities alone in this case */
3886 /* so that user gets expected effect that root can do */
3889 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3891 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3892 /* else: after pcap_open_live() in capture_loop_open_input() */
3893 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3894 /* pcap_open_live). */
3896 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3898 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3899 /* capabilities; Drop all other capabilities; */
3900 /* Drop suid privileges (euid=ruid); */
3901 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3902 /* else: after pcap_open_live() in capture_loop_open_input() */
3903 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3905 /* XXX: For some Linux versions/distros with capabilities */
3906 /* a 'normal' process with any capabilities cannot be */
3907 /* 'killed' (signaled) from another (same uid) non-privileged */
3909 /* For example: If (non-suid) Wireshark forks a */
3910 /* child suid dumpcap which acts as described here (case 5), */
3911 /* Wireshark will be unable to kill (signal) the child */
3912 /* dumpcap process until the capabilities have been dropped */
3913 /* (after pcap_open_live()). */
3914 /* This behaviour will apparently be changed in the kernel */
3915 /* to allow the kill (signal) in this case. */
3916 /* See the following for details: */
3917 /* http://www.mail-archive.com/ [wrapped] */
3918 /* linux-security-module@vger.kernel.org/msg02913.html */
3920 /* It is therefore conceivable that if dumpcap somehow hangs */
3921 /* in pcap_open_live or before that wireshark will not */
3922 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3923 /* In this case, exiting wireshark will kill the child */
3924 /* dumpcap process. */
3926 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3927 /* capabilities; Using libcap. Note: capset cmd (which see) */
3928 /* used to assign capabilities to file. */
3930 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3931 /* else: after pcap_open_live() in capture_loop_open_input() */
3932 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3934 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3935 /* longer required (similar to capture). */
3937 /* ----------------------------------------------------------------- */
3939 init_process_policies();
3942 /* If 'started with special privileges' (and using libcap) */
3943 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3944 /* Set euid/egid = ruid/rgid to remove suid privileges */
3945 relinquish_privs_except_capture();
3948 /* Set the initial values in the capture options. This might be overwritten
3949 by the command line parameters. */
3950 capture_opts_init(&global_capture_opts, NULL);
3952 /* We always save to a file - if no file was specified, we save to a
3954 global_capture_opts.saving_to_file = TRUE;
3955 global_capture_opts.has_ring_num_files = TRUE;
3957 /* Now get our args */
3958 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3960 case 'h': /* Print help and exit */
3964 case 'v': /* Show version and exit */
3966 GString *comp_info_str;
3967 GString *runtime_info_str;
3968 /* Assemble the compile-time version information string */
3969 comp_info_str = g_string_new("Compiled ");
3970 get_compiled_version_info(comp_info_str, NULL, NULL);
3972 /* Assemble the run-time version information string */
3973 runtime_info_str = g_string_new("Running ");
3974 get_runtime_version_info(runtime_info_str, NULL);
3975 show_version(comp_info_str, runtime_info_str);
3976 g_string_free(comp_info_str, TRUE);
3977 g_string_free(runtime_info_str, TRUE);
3981 /*** capture option specific ***/
3982 case 'a': /* autostop criteria */
3983 case 'b': /* Ringbuffer option */
3984 case 'c': /* Capture x packets */
3985 case 'f': /* capture filter */
3986 case 'i': /* Use interface x */
3987 case 'n': /* Use pcapng format */
3988 case 'p': /* Don't capture in promiscuous mode */
3989 case 'P': /* Use pcap format */
3990 case 's': /* Set the snapshot (capture) length */
3991 case 'w': /* Write to capture file x */
3992 case 'g': /* enable group read accesson file(s) */
3993 case 'y': /* Set the pcap data link type */
3994 #ifdef HAVE_PCAP_REMOTE
3995 case 'u': /* Use UDP for data transfer */
3996 case 'r': /* Capture own RPCAP traffic too */
3997 case 'A': /* Authentication */
3999 #ifdef HAVE_PCAP_SETSAMPLING
4000 case 'm': /* Sampling */
4002 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4003 case 'B': /* Buffer size */
4004 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4005 #ifdef HAVE_PCAP_CREATE
4006 case 'I': /* Monitor mode */
4008 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4013 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4015 capture_child = TRUE;
4017 /* set output pipe to binary mode, to avoid ugly text conversions */
4018 _setmode(2, O_BINARY);
4020 * optarg = the control ID, aka the PPID, currently used for the
4023 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4024 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4025 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4026 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4028 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4029 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4030 "Signal pipe: Unable to open %s. Dead parent?",
4038 case 'q': /* Quiet */
4045 /*** all non capture option specific ***/
4046 case 'D': /* Print a list of capture devices and exit */
4047 list_interfaces = TRUE;
4050 case 'L': /* Print list of link-layer types and exit */
4051 list_link_layer_types = TRUE;
4054 #ifdef HAVE_BPF_IMAGE
4055 case 'd': /* Print BPF code for capture filter and exit */
4056 print_bpf_code = TRUE;
4060 case 'S': /* Print interface statistics once a second */
4061 print_statistics = TRUE;
4064 case 'M': /* For -D, -L, and -S, print machine-readable output */
4065 machine_readable = TRUE;
4068 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4069 case '?': /* Bad flag - print usage message */
4078 /* user specified file name as regular command-line argument */
4079 /* XXX - use it as the capture file name (or something else)? */
4085 * Extra command line arguments were specified; complain.
4086 * XXX - interpret as capture filter, as tcpdump and tshark do?
4088 cmdarg_err("Invalid argument: %s", argv[0]);
4098 if (run_once_args > 1) {
4099 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4101 } else if (run_once_args == 1) {
4102 /* We're supposed to print some information, rather than
4103 to capture traffic; did they specify a ring buffer option? */
4104 if (global_capture_opts.multi_files_on) {
4105 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4109 /* We're supposed to capture traffic; */
4110 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4111 if (global_capture_opts.ifaces->len > 1) {
4113 global_capture_opts.use_pcapng = TRUE;
4115 /* Was the ring buffer option specified and, if so, does it make sense? */
4116 if (global_capture_opts.multi_files_on) {
4117 /* Ring buffer works only under certain conditions:
4118 a) ring buffer does not work with temporary files;
4119 b) it makes no sense to enable the ring buffer if the maximum
4120 file size is set to "infinite". */
4121 if (global_capture_opts.save_file == NULL) {
4122 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4123 global_capture_opts.multi_files_on = FALSE;
4125 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4126 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4128 /* XXX - this must be redesigned as the conditions changed */
4129 global_capture_opts.multi_files_on = FALSE;
4136 * "-D" requires no interface to be selected; it's supposed to list
4139 if (list_interfaces) {
4140 /* Get the list of interfaces */
4145 if_list = capture_interface_list(&err, &err_str);
4146 if (if_list == NULL) {
4148 case CANT_GET_INTERFACE_LIST:
4149 cmdarg_err("%s", err_str);
4154 case NO_INTERFACES_FOUND:
4156 * If we're being run by another program, just give them
4157 * an empty list of interfaces, don't report this as
4158 * an error; that lets them decide whether to report
4159 * this as an error or not.
4161 if (!machine_readable) {
4162 cmdarg_err("There are no interfaces on which a capture can be done");
4169 if (machine_readable) /* tab-separated values to stdout */
4170 print_machine_readable_interfaces(if_list);
4172 capture_opts_print_interfaces(if_list);
4173 free_interface_list(if_list);
4178 * "-S" requires no interface to be selected; it gives statistics
4179 * for all interfaces.
4181 if (print_statistics) {
4182 status = print_statistics_loop(machine_readable);
4187 * "-L", "-d", and capturing act on a particular interface, so we have to
4188 * have an interface; if none was specified, pick a default.
4190 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4191 /* cmdarg_err() already called .... */
4195 /* Let the user know what interfaces were chosen. */
4196 /* get_interface_descriptive_name() is not available! */
4197 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4198 interface_options interface_opts;
4200 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4201 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s", interface_opts.name);
4204 if (list_link_layer_types) {
4205 /* Get the list of link-layer types for the capture device. */
4206 if_capabilities_t *caps;
4210 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4211 interface_options interface_opts;
4213 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4214 caps = get_if_capabilities(interface_opts.name,
4215 interface_opts.monitor_mode, &err_str);
4217 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4218 "Please check to make sure you have sufficient permissions, and that\n"
4219 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4223 if (caps->data_link_types == NULL) {
4224 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4227 if (machine_readable) /* tab-separated values to stdout */
4228 /* XXX: We need to change the format and adopt consumers */
4229 print_machine_readable_if_capabilities(caps);
4231 /* XXX: We might want to print also the interface name */
4232 capture_opts_print_if_capabilities(caps, interface_opts.name,
4233 interface_opts.monitor_mode);
4234 free_if_capabilities(caps);
4239 /* We're supposed to do a capture, or print the BPF code for a filter.
4240 Process the snapshot length, as that affects the generated BPF code. */
4241 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4243 #ifdef HAVE_BPF_IMAGE
4244 if (print_bpf_code) {
4245 show_filter_code(&global_capture_opts);
4250 /* We're supposed to do a capture. Process the ring buffer arguments. */
4251 capture_opts_trim_ring_num_files(&global_capture_opts);
4253 /* Now start the capture. */
4255 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4259 /* capture failed */
4262 return 0; /* never here, make compiler happy */
4267 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4268 const char *message, gpointer user_data _U_)
4275 /* ignore log message, if log_level isn't interesting */
4276 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4277 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4282 /* create a "timestamp" */
4284 today = localtime(&curr);
4286 switch(log_level & G_LOG_LEVEL_MASK) {
4287 case G_LOG_LEVEL_ERROR:
4290 case G_LOG_LEVEL_CRITICAL:
4293 case G_LOG_LEVEL_WARNING:
4296 case G_LOG_LEVEL_MESSAGE:
4299 case G_LOG_LEVEL_INFO:
4302 case G_LOG_LEVEL_DEBUG:
4306 fprintf(stderr, "unknown log_level %u\n", log_level);
4308 g_assert_not_reached();
4311 /* Generate the output message */
4312 if(log_level & G_LOG_LEVEL_MESSAGE) {
4313 /* normal user messages without additional infos */
4314 msg = g_strdup_printf("%s\n", message);
4316 /* info/debug messages with additional infos */
4317 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4318 today->tm_hour, today->tm_min, today->tm_sec,
4319 log_domain != NULL ? log_domain : "",
4323 /* DEBUG & INFO msgs (if we're debugging today) */
4324 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4325 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4326 #ifdef DEBUG_DUMPCAP
4327 fprintf(stderr, "%s", msg);
4330 #ifdef DEBUG_CHILD_DUMPCAP
4331 fprintf(debug_log, "%s", msg);
4339 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4340 /* to parent especially formatted if dumpcap running as child. */
4341 if (capture_child) {
4342 sync_pipe_errmsg_to_parent(2, msg, "");
4344 fprintf(stderr, "%s", msg);
4351 /****************************************************************************************************************/
4352 /* indication report routines */
4356 report_packet_count(int packet_count)
4358 char tmp[SP_DECISIZE+1+1];
4359 static int count = 0;
4362 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4363 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4364 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4366 count += packet_count;
4367 fprintf(stderr, "\rPackets: %u ", count);
4368 /* stderr could be line buffered */
4374 report_new_capture_file(const char *filename)
4377 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4378 pipe_write_block(2, SP_FILE, filename);
4382 * Prevent a SIGINFO handler from writing to the standard error
4383 * while we're doing so; instead, have it just set a flag telling
4384 * us to print that information when we're done.
4387 #endif /* SIGINFO */
4388 fprintf(stderr, "File: %s\n", filename);
4389 /* stderr could be line buffered */
4394 * Allow SIGINFO handlers to write.
4399 * If a SIGINFO handler asked us to write out capture counts, do so.
4402 report_counts_for_siginfo();
4403 #endif /* SIGINFO */
4408 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4410 interface_options interface_opts;
4411 char tmp[MSG_MAX_LENGTH+1+6];
4413 if (i < capture_opts->ifaces->len) {
4414 if (capture_child) {
4415 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4416 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4417 pipe_write_block(2, SP_BAD_FILTER, tmp);
4420 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4421 * the error message below.
4423 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4425 "Invalid capture filter \"%s\" for interface %s!\n"
4427 "That string isn't a valid capture filter (%s).\n"
4428 "See the User's Guide for a description of the capture filter syntax.\n",
4429 interface_opts.cfilter, interface_opts.name, errmsg);
4435 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4438 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4439 "Primary Error: %s", error_msg);
4440 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4441 "Secondary Error: %s", secondary_error_msg);
4442 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4444 fprintf(stderr, "%s\n", error_msg);
4445 if (secondary_error_msg[0] != '\0')
4446 fprintf(stderr, "%s\n", secondary_error_msg);
4451 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4453 char tmp[SP_DECISIZE+1+1];
4455 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4458 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4459 "Packets received/dropped on interface %s: %u/%u",
4460 name, received, drops);
4461 /* XXX: Need to provide interface id, changes to consumers required. */
4462 pipe_write_block(2, SP_DROPS, tmp);
4465 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4466 name, received, drops,
4467 received ? 100.0 * received / (received + drops) : 0.0);
4468 /* stderr could be line buffered */
4474 /****************************************************************************************************************/
4475 /* signal_pipe handling */
4480 signal_pipe_check_running(void)
4482 /* any news from our parent? -> just stop the capture */
4486 /* if we are running standalone, no check required */
4487 if(!capture_child) {
4491 if(!sig_pipe_name || !sig_pipe_handle) {
4492 /* This shouldn't happen */
4493 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4494 "Signal pipe: No name or handle");
4499 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4500 * at this point. Should we check to see if the parent is still alive,
4501 * e.g. by using OpenProcess?
4504 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4506 if(!result || avail > 0) {
4507 /* peek failed or some bytes really available */
4508 /* (if not piping from stdin this would fail) */
4509 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4510 "Signal pipe: Stop capture: %s", sig_pipe_name);
4511 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4512 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4513 sig_pipe_handle, result, avail);
4516 /* pipe ok and no bytes available */
4523 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4528 * indent-tabs-mode: nil
4531 * vi: set shiftwidth=4 tabstop=8 expandtab
4532 * :indentSize=4:tabSize=8:noTabs=true: