6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
40 #include <epan/address.h>
41 #include <epan/addr_resolv.h>
42 #include <epan/ws_strsplit.h>
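/*
 * Collect command-line arguments as a string consisting of the arguments,
 * separated by spaces.
 *
 * argc and argv are the program's argument count and vector; optind is the
 * index of the first argument to include.  The result is allocated with
 * g_malloc().  When no arguments remain from optind onwards, the result is
 * an empty string.
 *
 * NOTE(review): the listing this block comes from drops several lines
 * (return type, declarations, the second loop's header, the return
 * statement).  They are reconstructed here from the visible statements;
 * the "char *" return type and release via g_free() are presumed --
 * confirm against the header.
 */
char *
get_args_as_string(int argc, char **argv, int optind)
{
    size_t len = 0;     /* bytes needed, terminator included */
    size_t used = 0;    /* bytes written so far */
    char *argstring;
    int i;

    /*
     * Find out how long the string will be: every argument needs one
     * extra byte, for the space after it or for the '\0' after the last
     * one.  A size_t total cannot go negative the way an int total can.
     */
    for (i = optind; i < argc; i++)
        len += strlen(argv[i]) + 1;

    /*
     * With nothing to copy, still reserve room for the terminator:
     * g_malloc(0) returns NULL, and writing the empty string through
     * that pointer would be a NULL dereference.
     */
    if (len == 0)
        len = 1;

    /*
     * Allocate the buffer for the string.
     */
    argstring = g_malloc(len);

    /*
     * Now construct the string.  Each piece is copied at a tracked
     * offset, so every write stays inside the length computed above and
     * the buffer is not rescanned for its end on each append.
     */
    for (i = optind; i < argc; i++) {
        size_t arglen = strlen(argv[i]);

        if (i > optind)
            argstring[used++] = ' ';
        memcpy(argstring + used, argv[i], arglen);
        used += arglen;
    }
    argstring[used] = '\0';

    return argstring;
}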
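/*
 * Compute the difference between two seconds/microseconds time stamps.
 *
 * The delta (first time minus second time) is stored through diffsec and
 * diffusec.  When the seconds parts differ, both halves of the delta are
 * given the same sign.  When the seconds parts are equal, the microseconds
 * half is left as the plain difference, which may be negative.
 *
 * NOTE(review): the listing this block comes from drops several lines
 * (return type, the "seconds are equal" test, the else lines, and the
 * statements that adjust the seconds after a microseconds correction).
 * They are reconstructed here; the increment follows the page's own
 * comment ("add one to the seconds value"), the decrement is its mirror
 * image, and the "void" return type is presumed -- confirm against the
 * header.
 */
void
compute_timestamp_diff(gint *diffsec, gint *diffusec,
                       guint32 sec1, guint32 usec1, guint32 sec2, guint32 usec2)
{
    /* Start from the plain field-by-field differences. */
    *diffsec = sec1 - sec2;
    *diffusec = usec1 - usec2;

    if (sec1 < sec2 && usec1 > usec2) {
        /*
         * The first time is before the second time, but the microseconds
         * difference would be positive: subtract 1,000,000 from it and
         * add one to the seconds value so both halves are negative.
         */
        *diffusec = (usec1 - 1000000) - usec2;
        (*diffsec)++;
    } else if (sec1 > sec2 && usec1 < usec2) {
        /*
         * The first time is after the second time, but the microseconds
         * difference would be negative: add 1,000,000 to it and take one
         * from the seconds value so both halves are positive.
         */
        *diffusec = (usec1 + 1000000) - usec2;
        (*diffsec)--;
    }
    /*
     * Otherwise the plain differences already agree in sign, or the
     * seconds are equal and a negative microseconds part is acceptable.
     */
}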
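130 /* Try to figure out if we're remotely connected, e.g. via ssh or
131 Terminal Server, and create a capture filter that matches aspects of the
132 connection. The values are formatted into the filter text as read from
    the environment, so each variable's field count needs checking before its
    tokens are used (the SSH_CLIENT branch below shows no such check).
    We match the following environment variables: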
134 SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>
135 SSH_CLIENT (ssh): <remote IP> <remote port> <local port>
136 REMOTEHOST (tcsh, others?): <remote name>
137 DISPLAY (x11): [remote name]:<display num>
138 SESSIONNAME (terminal server): <remote name>
141 const gchar *get_conn_cfilter(void) {
142 static GString *filter_str = NULL;
143 gchar *env, **tokens;
144 char *lastp, *lastc, *p;
145 char *pprotocol = NULL;
146 char *phostname = NULL;
149 if (filter_str == NULL) {
150 filter_str = g_string_new("");
152 if ((env = getenv("SSH_CONNECTION")) != NULL) {
153 tokens = g_strsplit(env, " ", 4);
155 g_string_sprintf(filter_str, "not (tcp port %s and %s host %s "
156 "and tcp port %s and %s host %s)", tokens[1], host_ip_af(tokens[0]), tokens[0],
157 tokens[3], host_ip_af(tokens[2]), tokens[2]);
158 return filter_str->str;
160 } else if ((env = getenv("SSH_CLIENT")) != NULL) {
161 tokens = g_strsplit(env, " ", 3);
162 g_string_sprintf(filter_str, "not (tcp port %s and %s host %s "
163 "and tcp port %s)", tokens[1], host_ip_af(tokens[0]), tokens[0], tokens[2]);
164 return filter_str->str;
165 } else if ((env = getenv("REMOTEHOST")) != NULL) {
166 if (strcasecmp(env, "localhost") == 0 || strcmp(env, "127.0.0.1") == 0) {
169 g_string_sprintf(filter_str, "not %s host %s", host_ip_af(env), env);
170 return filter_str->str;
171 } else if ((env = getenv("DISPLAY")) != NULL) {
173 * This mirrors what _X11TransConnectDisplay() does.
174 * Note that, on some systems, the hostname can
175 * begin with "/", which means that it's a pathname
176 * of a UNIX domain socket to connect to.
178 * The comments mirror those in _X11TransConnectDisplay(),
181 * Display names may be of the following format:
183 * [protocol/] [hostname] : [:] displaynumber [.screennumber]
185 * A string with exactly two colons separating hostname
186 * from the display indicates a DECnet style name. Colons
187 * in the hostname may occur if an IPv6 numeric address
188 * is used as the hostname. An IPv6 numeric address may
189 * also end in a double colon, so three colons in a row
190 * indicates an IPv6 address ending in :: followed by
191 * :display. To make it easier for people to read, an
192 * IPv6 numeric address hostname may be surrounded by []
193 * in a similar fashion to the IPv6 numeric address URL
194 * syntax defined by IETF RFC 2732.
196 * If no hostname and no protocol is specified, the string
197 * is interpreted as the most efficient local connection
198 * to a server on the same machine. This is usually:
202 * o UNIX domain socket
203 * o TCP to local host.
209 * Step 0, find the protocol. This is delimited by
210 * the optional slash ('/').
212 for (lastp = p; *p != '\0' && *p != ':' && *p != '/'; p++)
215 return ""; /* must have a colon */
217 if (p != lastp && *p != ':') { /* protocol given? */
222 if (p - lastp != 3 || strncasecmp(lastp, "tcp", 3) != 0)
223 return ""; /* not TCP */
224 p++; /* skip the '/' */
226 p = env; /* reset the pointer in
227 case no protocol was given */
230 * Step 1, find the hostname. This is delimited either by
231 * one colon, or two colons in the case of DECnet (DECnet
232 * Phase V allows a single colon in the hostname). (See
233 * note above regarding IPv6 numeric addresses with
234 * triple colons or [] brackets.)
238 for (; *p != '\0'; p++)
243 return ""; /* must have a colon */
245 if ((lastp != lastc) && (*(lastc - 1) == ':')
246 && (((lastc - 1) == lastp) || (*(lastc - 2) != ':'))) {
247 /* DECnet display specified */
250 hostlen = lastc - lastp;
253 return ""; /* no hostname supplied */
255 phostname = g_malloc(hostlen + 1);
256 memcpy(phostname, lastp, hostlen);
257 phostname[hostlen] = '\0';
259 if (pprotocol == NULL) {
261 * No protocol was explicitly specified, so it
262 * could be a local connection over a transport
265 * Does the host name refer to the local host?
266 * If so, the connection would probably be a
269 * XXX - compare against our host name?
270 * _X11TransConnectDisplay() does.
272 if (strcasecmp(phostname, "localhost") == 0 ||
273 strcmp(phostname, "127.0.0.1") == 0) {
279 * A host name of "unix" (case-sensitive) also
280 * causes a local connection.
282 if (strcmp(phostname, "unix") == 0) {
288 * Does the host name begin with "/"? If so,
289 * it's presumed to be the pathname of a
290 * UNIX domain socket.
292 if (phostname[0] == '/') {
298 g_string_sprintf(filter_str, "not %s host %s",
299 host_ip_af(phostname), phostname);
301 return filter_str->str;
302 } else if ((env = getenv("SESSIONNAME")) != NULL) {
303 /* Apparently the KB article at
304 * http://technet2.microsoft.com/WindowsServer/en/library/6caf87bf-3d70-4801-9485-87e9ec3df0171033.mspx?mfr=true
305 * is incorrect. There are _plenty_ of cases where CLIENTNAME
306 * and SESSIONNAME are set outside of a Terminal Server session.
307 * It looks like Terminal Server sets SESSIONNAME to RDP-TCP#<number>
308 * for "real" sessions.
310 * XXX - There's a better way to do this described at
311 * http://www.microsoft.com/technet/archive/termsrv/maintain/featusability/tsrvapi.mspx?mfr=true
313 if (g_strncasecmp(env, "rdp", 3) == 0) {
314 g_string_sprintf(filter_str, "not tcp port 3389");
315 return filter_str->str;