2 * Routines for packet capture
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
40 #include <epan/packet.h>
41 #include <epan/dfilter/dfilter.h>
44 #include "capture_ifinfo.h"
45 #include "capture_sync.h"
46 #include "capture_info.h"
47 #include "capture_ui_utils.h"
49 #include "capture-pcap-util.h"
50 #include "simple_dialog.h"
51 #include <epan/prefs.h>
54 #include "capture-wpcap.h"
57 #include "wsutil/file_util.h"
60 typedef struct if_stat_cache_item_s {
63 } if_stat_cache_item_t;
65 struct if_stat_cache_s {
68 GList *cache_list; /* List of if_stat_chache_entry_t */
71 /* this callback mechanism should possibly be replaced by the g_signal_...() stuff (if I only would know how :-) */
73 capture_callback_t cb_fct;
75 } capture_callback_data_t;
77 static GList *capture_callbacks = NULL;
80 capture_callback_invoke(int event, capture_options *capture_opts)
82 capture_callback_data_t *cb;
83 GList *cb_item = capture_callbacks;
85 /* there should be at least one interested */
86 g_assert(cb_item != NULL);
88 while(cb_item != NULL) {
90 cb->cb_fct(event, capture_opts, cb->user_data);
91 cb_item = g_list_next(cb_item);
97 capture_callback_add(capture_callback_t func, gpointer user_data)
99 capture_callback_data_t *cb;
101 cb = g_malloc(sizeof(capture_callback_data_t));
103 cb->user_data = user_data;
105 capture_callbacks = g_list_append(capture_callbacks, cb);
109 capture_callback_remove(capture_callback_t func)
111 capture_callback_data_t *cb;
112 GList *cb_item = capture_callbacks;
114 while(cb_item != NULL) {
116 if(cb->cb_fct == func) {
117 capture_callbacks = g_list_remove(capture_callbacks, cb);
121 cb_item = g_list_next(cb_item);
124 g_assert_not_reached();
130 * @return TRUE if the capture starts successfully, FALSE otherwise.
133 capture_start(capture_options *capture_opts)
137 GString *source = g_string_new("");
139 if (capture_opts->state != CAPTURE_STOPPED)
141 capture_opts->state = CAPTURE_PREPARING;
143 /* close the currently loaded capture file */
144 cf_close(capture_opts->cf);
146 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start ...");
149 if (capture_opts->ifaces->len < 2) {
151 if (capture_opts->ifaces->len < 4) {
153 for (i = 0; i < capture_opts->ifaces->len; i++) {
154 interface_options interface_opts;
156 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
158 if (capture_opts->ifaces->len > 2) {
159 g_string_append_printf(source, ",");
161 g_string_append_printf(source, " ");
162 if (i == capture_opts->ifaces->len - 1) {
163 g_string_append_printf(source, "and ");
166 g_string_append_printf(source, "%s", get_iface_description_for_interface(capture_opts, i));
167 if ((interface_opts.cfilter != NULL) &&
168 (strlen(interface_opts.cfilter) > 0)) {
169 g_string_append_printf(source, " (%s)", interface_opts.cfilter);
173 g_string_append_printf(source, "%u interfaces", capture_opts->ifaces->len);
175 cf_set_tempfile_source(capture_opts->cf, source->str);
176 g_string_free(source, TRUE);
178 /* try to start the capture child process */
179 ret = sync_pipe_start(capture_opts);
181 if(capture_opts->save_file != NULL) {
182 g_free(capture_opts->save_file);
183 capture_opts->save_file = NULL;
186 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start failed!");
187 capture_opts->state = CAPTURE_STOPPED;
189 /* the capture child might not respond shortly after bringing it up */
190 /* (for example: it will block if no input arrives from an input capture pipe (e.g. mkfifo)) */
192 /* to prevent problems, bring the main GUI into "capture mode" right after a successful */
193 /* spawn/exec of the capture child, without waiting for any response from it */
194 capture_callback_invoke(capture_cb_capture_prepared, capture_opts);
196 if(capture_opts->show_info)
197 capture_info_open(capture_opts);
205 capture_stop(capture_options *capture_opts)
207 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Stop ...");
209 capture_callback_invoke(capture_cb_capture_stopping, capture_opts);
211 /* stop the capture child gracefully */
212 sync_pipe_stop(capture_opts);
217 capture_restart(capture_options *capture_opts)
219 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Restart");
221 capture_opts->restart = TRUE;
222 capture_stop(capture_opts);
227 capture_kill_child(capture_options *capture_opts)
229 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "Capture Kill");
231 /* kill the capture child */
232 sync_pipe_kill(capture_opts->fork_child);
237 /* We've succeeded in doing a (non real-time) capture; try to read it into a new capture file */
239 capture_input_read_all(capture_options *capture_opts, gboolean is_tempfile, gboolean drops_known,
244 /* Capture succeeded; attempt to open the capture file. */
245 if (cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err) != CF_OK) {
246 /* We're not doing a capture any more, so we don't have a save file. */
250 /* Set the read filter to NULL. */
251 /* XXX - this is odd here; try to put it somewhere where it fits better */
252 cf_set_rfcode(capture_opts->cf, NULL);
254 /* Get the packet-drop statistics.
256 XXX - there are currently no packet-drop statistics stored
257 in libpcap captures, and that's what we're reading.
259 At some point, we will add support in Wiretap to return
260 packet-drop statistics for capture file formats that store it,
261 and will make "cf_read()" get those statistics from Wiretap.
262 We clear the statistics (marking them as "not known") in
263 "cf_open()", and "cf_read()" will only fetch them and mark
264 them as known if Wiretap supplies them, so if we get the
265 statistics now, after calling "cf_open()" but before calling
266 "cf_read()", the values we store will be used by "cf_read()".
268 If a future libpcap capture file format stores the statistics,
269 we'll put them into the capture file that we write, and will
270 thus not have to set them here - "cf_read()" will get them from
271 the file and use them. */
273 cf_set_drops_known(capture_opts->cf, TRUE);
275 /* XXX - on some systems, libpcap doesn't bother filling in
276 "ps_ifdrop" - it doesn't even set it to zero - so we don't
277 bother looking at it.
279 Ideally, libpcap would have an interface that gave us
280 several statistics - perhaps including various interface
281 error statistics - and would tell us which of them it
282 supplies, allowing us to display only the ones it does. */
283 cf_set_drops(capture_opts->cf, drops);
286 /* read in the packet data */
287 switch (cf_read(capture_opts->cf, FALSE)) {
291 /* Just because we got an error, that doesn't mean we were unable
292 to read any of the file; we handle what we could get from the
296 case CF_READ_ABORTED:
297 /* User wants to quit program. Exit by leaving the main loop,
298 so that any quit functions we registered get called. */
299 main_window_nested_quit();
303 /* if we didn't capture even a single packet, close the file again */
304 if(cf_get_packet_count(capture_opts->cf) == 0 && !capture_opts->restart) {
305 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
306 "%sNo packets captured!%s\n"
308 "As no data was captured, closing the %scapture file!\n"
311 "Help about capturing can be found at:\n"
313 " http://wiki.wireshark.org/CaptureSetup"
316 "Wireless (Wi-Fi/WLAN):\n"
317 "Try to switch off promiscuous mode in the Capture Options!"
320 simple_dialog_primary_start(), simple_dialog_primary_end(),
321 (cf_is_tempfile(capture_opts->cf)) ? "temporary " : "");
322 cf_close(capture_opts->cf);
328 /* capture child tells us we have a new (or the first) capture file */
330 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
332 gboolean is_tempfile;
335 if(capture_opts->state == CAPTURE_PREPARING) {
336 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
338 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
340 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
342 /* free the old filename */
343 if(capture_opts->save_file != NULL) {
344 /* we start a new capture file, close the old one (if we had one before). */
345 /* (we can only have an open capture file in real_time_mode!) */
346 if( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
347 capture_callback_invoke(capture_cb_capture_update_finished, capture_opts);
348 cf_finish_tail(capture_opts->cf, &err);
349 cf_close(capture_opts->cf);
351 g_free(capture_opts->save_file);
353 cf_set_tempfile(capture_opts->cf, FALSE);
355 /* we didn't have a save_file before; must be a tempfile */
357 cf_set_tempfile(capture_opts->cf, TRUE);
360 /* save the new filename */
361 capture_opts->save_file = g_strdup(new_file);
363 /* if we are in real-time mode, open the new file now */
364 if(capture_opts->real_time_mode) {
365 /* Attempt to open the capture file and set up to read from it. */
366 switch(cf_start_tail(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
370 /* Don't unlink (delete) the save file - leave it around,
371 for debugging purposes. */
372 g_free(capture_opts->save_file);
373 capture_opts->save_file = NULL;
378 if(capture_opts->show_info) {
379 if (!capture_info_new_file(new_file))
383 if(capture_opts->real_time_mode) {
384 capture_callback_invoke(capture_cb_capture_update_started, capture_opts);
386 capture_callback_invoke(capture_cb_capture_fixed_started, capture_opts);
388 capture_opts->state = CAPTURE_RUNNING;
394 /* capture child tells us we have new packets to read */
396 capture_input_new_packets(capture_options *capture_opts, int to_read)
401 g_assert(capture_opts->save_file);
403 if(capture_opts->real_time_mode) {
404 /* Read from the capture file the number of records the child told us it added. */
405 switch (cf_continue_tail(capture_opts->cf, to_read, &err)) {
409 /* Just because we got an error, that doesn't mean we were unable
410 to read any of the file; we handle what we could get from the
413 XXX - abort on a read error? */
414 capture_callback_invoke(capture_cb_capture_update_continue, capture_opts);
417 case CF_READ_ABORTED:
418 /* Kill the child capture process; the user wants to exit, and we
419 shouldn't just leave it running. */
420 capture_kill_child(capture_opts);
424 /* increase the capture file packet counter by the number of incoming packets */
425 cf_set_packet_count(capture_opts->cf,
426 cf_get_packet_count(capture_opts->cf) + to_read);
427 cf_fake_continue_tail(capture_opts->cf);
429 capture_callback_invoke(capture_cb_capture_fixed_continue, capture_opts);
432 /* update the main window so we get events (e.g. from the stop toolbar button) */
433 main_window_update();
435 if(capture_opts->show_info)
436 capture_info_new_packets(to_read);
440 /* Capture child told us how many dropped packets it counted.
443 capture_input_drops(capture_options *capture_opts, guint32 dropped)
445 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "%u packet%s dropped", dropped, plurality(dropped, "", "s"));
447 g_assert(capture_opts->state == CAPTURE_RUNNING);
449 cf_set_drops_known(capture_opts->cf, TRUE);
450 cf_set_drops(capture_opts->cf, dropped);
454 /* Capture child told us that an error has occurred while starting/running
456 The buffer we're handed has *two* null-terminated strings in it - a
457 primary message and a secondary message, one right after the other.
458 The secondary message might be a null string.
461 capture_input_error_message(capture_options *capture_opts, char *error_msg, char *secondary_error_msg)
463 gchar *safe_error_msg;
464 gchar *safe_secondary_error_msg;
466 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Error message from child: \"%s\", \"%s\"",
467 error_msg, secondary_error_msg);
469 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
471 safe_error_msg = simple_dialog_format_message(error_msg);
472 if (*secondary_error_msg != '\0') {
473 /* We have both primary and secondary messages. */
474 safe_secondary_error_msg = simple_dialog_format_message(secondary_error_msg);
475 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s\n\n%s",
476 simple_dialog_primary_start(), safe_error_msg,
477 simple_dialog_primary_end(), safe_secondary_error_msg);
478 g_free(safe_secondary_error_msg);
480 /* We have only a primary message. */
481 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s",
482 simple_dialog_primary_start(), safe_error_msg,
483 simple_dialog_primary_end());
485 g_free(safe_error_msg);
487 /* the capture child will close the sync_pipe if required, nothing to do for now */
492 /* Capture child told us that an error has occurred while parsing a
493 capture filter when starting/running the capture.
496 capture_input_cfilter_error_message(capture_options *capture_opts, guint i, char *error_message)
498 dfilter_t *rfcode = NULL;
501 gchar *safe_cfilter_error_msg;
502 interface_options interface_opts;
504 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture filter error message from child: \"%s\"", error_message);
506 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
507 g_assert(i < capture_opts->ifaces->len);
509 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
510 safe_cfilter = simple_dialog_format_message(interface_opts.cfilter);
511 safe_descr = simple_dialog_format_message(interface_opts.descr);
512 safe_cfilter_error_msg = simple_dialog_format_message(error_message);
513 /* Did the user try a display filter? */
514 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
515 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
516 "%sInvalid capture filter \"%s\" for interface %s!%s\n"
518 "That string looks like a valid display filter; however, it isn't a valid\n"
519 "capture filter (%s).\n"
521 "Note that display filters and capture filters don't have the same syntax,\n"
522 "so you can't use most display filter expressions as capture filters.\n"
524 "See the User's Guide for a description of the capture filter syntax.",
525 simple_dialog_primary_start(), safe_cfilter, safe_descr,
526 simple_dialog_primary_end(), safe_cfilter_error_msg);
527 dfilter_free(rfcode);
529 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
530 "%sInvalid capture filter \"%s\" for interface %s!%s\n"
532 "That string isn't a valid capture filter (%s).\n"
533 "See the User's Guide for a description of the capture filter syntax.",
534 simple_dialog_primary_start(), safe_cfilter, safe_descr,
535 simple_dialog_primary_end(), safe_cfilter_error_msg);
537 g_free(safe_cfilter_error_msg);
539 g_free(safe_cfilter);
541 /* the capture child will close the sync_pipe if required, nothing to do for now */
545 /* capture child closed its side of the pipe, do the required cleanup */
547 capture_input_closed(capture_options *capture_opts, gchar *msg)
550 int packet_count_save;
552 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture stopped!");
553 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
556 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s", msg);
558 /* if we didn't start the capture, do a fake start. */
559 /* (happens if we got an error message - we won't get a filename then). */
560 if(capture_opts->state == CAPTURE_PREPARING) {
561 if(capture_opts->real_time_mode) {
562 capture_callback_invoke(capture_cb_capture_update_started, capture_opts);
564 capture_callback_invoke(capture_cb_capture_fixed_started, capture_opts);
568 if(capture_opts->real_time_mode) {
569 cf_read_status_t status;
571 /* Read what remains of the capture file. */
572 status = cf_finish_tail(capture_opts->cf, &err);
574 /* XXX: If -Q (quit-after-cap) then cf->count clr'd below so save it first */
575 packet_count_save = cf_get_packet_count(capture_opts->cf);
576 /* Tell the GUI we are not doing a capture any more.
577 Must be done after the cf_finish_tail(), so file lengths are
578 correctly displayed */
579 capture_callback_invoke(capture_cb_capture_update_finished, capture_opts);
581 /* Finish the capture. */
585 if ((packet_count_save == 0) && !capture_opts->restart) {
586 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
587 "%sNo packets captured!%s\n"
589 "As no data was captured, closing the %scapture file!\n"
592 "Help about capturing can be found at:\n"
594 " http://wiki.wireshark.org/CaptureSetup"
597 "Wireless (Wi-Fi/WLAN):\n"
598 "Try to switch off promiscuous mode in the Capture Options!"
601 simple_dialog_primary_start(), simple_dialog_primary_end(),
602 cf_is_tempfile(capture_opts->cf) ? "temporary " : "");
603 cf_close(capture_opts->cf);
607 /* Just because we got an error, that doesn't mean we were unable
608 to read any of the file; we handle what we could get from the
612 case CF_READ_ABORTED:
613 /* Exit by leaving the main loop, so that any quit functions
614 we registered get called. */
620 /* first of all, we are not doing a capture any more */
621 capture_callback_invoke(capture_cb_capture_fixed_finished, capture_opts);
623 /* this is a normal mode capture and if no error happened, read in the capture file data */
624 if(capture_opts->save_file != NULL) {
625 capture_input_read_all(capture_opts, cf_is_tempfile(capture_opts->cf),
626 cf_get_drops_known(capture_opts->cf), cf_get_drops(capture_opts->cf));
630 if(capture_opts->show_info)
631 capture_info_close();
633 capture_opts->state = CAPTURE_STOPPED;
635 /* if we couldn't open a capture file, there's nothing more for us to do */
636 if(capture_opts->save_file == NULL) {
637 cf_close(capture_opts->cf);
641 /* does the user wants to restart the current capture? */
642 if(capture_opts->restart) {
643 capture_opts->restart = FALSE;
645 ws_unlink(capture_opts->save_file);
647 /* if it was a tempfile, throw away the old filename (so it will become a tempfile again) */
648 if(cf_is_tempfile(capture_opts->cf)) {
649 g_free(capture_opts->save_file);
650 capture_opts->save_file = NULL;
653 /* ... and start the capture again */
654 capture_start(capture_opts);
656 /* We're not doing a capture any more, so we don't have a save file. */
657 g_free(capture_opts->save_file);
658 capture_opts->save_file = NULL;
663 capture_stat_start(GList *if_list) {
664 int stat_fd, fork_child;
666 if_stat_cache_t *sc = NULL;
669 if_stat_cache_item_t *sc_item;
671 /* Fire up dumpcap. */
673 * XXX - on systems with BPF, the number of BPF devices limits the
674 * number of devices on which you can capture simultaneously.
678 * 1) this might fail if you run out of BPF devices
682 * 2) opening every interface could leave too few BPF devices
683 * for *other* programs.
685 * It also means the system could end up getting a lot of traffic
686 * that it has to pass through the networking stack and capture
687 * mechanism, so opening all the devices and presenting packet
688 * counts might not always be a good idea.
690 if (sync_interface_stats_open(&stat_fd, &fork_child, &msg) == 0) {
691 sc = g_malloc(sizeof(if_stat_cache_t));
692 sc->stat_fd = stat_fd;
693 sc->fork_child = fork_child;
694 sc->cache_list = NULL;
696 /* Initialize the cache */
697 for (if_entry = if_list; if_entry != NULL; if_entry = g_list_next(if_entry)) {
698 if_info = if_entry->data;
700 sc_item = g_malloc0(sizeof(if_stat_cache_item_t));
701 sc_item->name = g_strdup(if_info->name);
702 sc->cache_list = g_list_append(sc->cache_list, sc_item);
709 #define MAX_STAT_LINE_LEN 500
712 capture_stat_cache_update(if_stat_cache_t *sc) {
713 gchar stat_line[MAX_STAT_LINE_LEN];
716 if_stat_cache_item_t *sc_item;
721 while (sync_pipe_gets_nonblock(sc->stat_fd, stat_line, MAX_STAT_LINE_LEN) > 0) {
722 g_strstrip(stat_line);
723 stat_parts = g_strsplit(stat_line, "\t", 3);
724 if (stat_parts[0] == NULL || stat_parts[1] == NULL ||
725 stat_parts[2] == NULL) {
726 g_strfreev(stat_parts);
729 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
730 sc_item = sc_entry->data;
731 if (strcmp(sc_item->name, stat_parts[0]) == 0) {
732 sc_item->ps.ps_recv = (u_int) strtoul(stat_parts[1], NULL, 10);
733 sc_item->ps.ps_drop = (u_int) strtoul(stat_parts[2], NULL, 10);
736 g_strfreev(stat_parts);
741 capture_stats(if_stat_cache_t *sc, char *ifname, struct pcap_stat *ps) {
743 if_stat_cache_item_t *sc_item;
745 if (!sc || !ifname || !ps) {
749 capture_stat_cache_update(sc);
750 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
751 sc_item = sc_entry->data;
752 if (strcmp(sc_item->name, ifname) == 0) {
753 memcpy(ps, &sc_item->ps, sizeof(struct pcap_stat));
761 capture_stat_stop(if_stat_cache_t *sc) {
763 if_stat_cache_item_t *sc_item;
770 ret = sync_interface_stats_close(&sc->stat_fd, &sc->fork_child, &msg);
772 /* XXX - report failure? */
776 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
777 sc_item = sc_entry->data;
778 g_free(sc_item->name);
784 #endif /* HAVE_LIBPCAP */
git.samba.org / obnox / wireshark / wip.git / blob