2 * Routines for packet capture
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
40 #include <epan/packet.h>
41 #include <epan/dfilter/dfilter.h>
44 #include "capture_ifinfo.h"
45 #include "capture_sync.h"
46 #include "capture_info.h"
47 #include "capture_ui_utils.h"
49 #include "capture-pcap-util.h"
50 #include "simple_dialog.h"
51 #include <epan/prefs.h>
54 #include "capture-wpcap.h"
57 #include "wsutil/file_util.h"
60 typedef struct if_stat_cache_item_s {
63 } if_stat_cache_item_t;
65 struct if_stat_cache_s {
68 GList *cache_list; /* List of if_stat_chache_entry_t */
71 /* this callback mechanism should possibly be replaced by the g_signal_...() stuff (if I only would know how :-) */
73 capture_callback_t cb_fct;
75 } capture_callback_data_t;
77 static GList *capture_callbacks = NULL;
80 capture_callback_invoke(int event, capture_options *capture_opts)
82 capture_callback_data_t *cb;
83 GList *cb_item = capture_callbacks;
85 /* there should be at least one interested */
86 g_assert(cb_item != NULL);
88 while(cb_item != NULL) {
90 cb->cb_fct(event, capture_opts, cb->user_data);
91 cb_item = g_list_next(cb_item);
97 capture_callback_add(capture_callback_t func, gpointer user_data)
99 capture_callback_data_t *cb;
101 cb = g_malloc(sizeof(capture_callback_data_t));
103 cb->user_data = user_data;
105 capture_callbacks = g_list_append(capture_callbacks, cb);
109 capture_callback_remove(capture_callback_t func)
111 capture_callback_data_t *cb;
112 GList *cb_item = capture_callbacks;
114 while(cb_item != NULL) {
116 if(cb->cb_fct == func) {
117 capture_callbacks = g_list_remove(capture_callbacks, cb);
121 cb_item = g_list_next(cb_item);
124 g_assert_not_reached();
130 * @return TRUE if the capture starts successfully, FALSE otherwise.
133 capture_start(capture_options *capture_opts)
138 /* close the currently loaded capture file */
139 cf_close(capture_opts->cf);
141 g_assert(capture_opts->state == CAPTURE_STOPPED);
142 capture_opts->state = CAPTURE_PREPARING;
144 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start ...");
146 /* try to start the capture child process */
147 ret = sync_pipe_start(capture_opts);
149 if(capture_opts->save_file != NULL) {
150 g_free(capture_opts->save_file);
151 capture_opts->save_file = NULL;
154 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start failed!");
155 capture_opts->state = CAPTURE_STOPPED;
157 /* the capture child might not respond shortly after bringing it up */
158 /* (for example: it will block if no input arrives from an input capture pipe (e.g. mkfifo)) */
160 /* to prevent problems, bring the main GUI into "capture mode" right after a successful */
161 /* spawn/exec of the capture child, without waiting for any response from it */
162 capture_callback_invoke(capture_cb_capture_prepared, capture_opts);
164 if(capture_opts->show_info)
165 capture_info_open(capture_opts);
173 capture_stop(capture_options *capture_opts)
175 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Stop ...");
177 capture_callback_invoke(capture_cb_capture_stopping, capture_opts);
179 /* stop the capture child gracefully */
180 sync_pipe_stop(capture_opts);
185 capture_restart(capture_options *capture_opts)
187 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Restart");
189 capture_opts->restart = TRUE;
190 capture_stop(capture_opts);
195 capture_kill_child(capture_options *capture_opts)
197 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "Capture Kill");
199 /* kill the capture child */
200 sync_pipe_kill(capture_opts->fork_child);
205 /* We've succeeded in doing a (non real-time) capture; try to read it into a new capture file */
207 capture_input_read_all(capture_options *capture_opts, gboolean is_tempfile, gboolean drops_known,
213 /* Capture succeeded; attempt to open the capture file. */
214 if (cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err) != CF_OK) {
215 /* We're not doing a capture any more, so we don't have a save file. */
219 /* Set the read filter to NULL. */
220 /* XXX - this is odd here; try to put it somewhere where it fits better */
221 cf_set_rfcode(capture_opts->cf, NULL);
223 /* Get the packet-drop statistics.
225 XXX - there are currently no packet-drop statistics stored
226 in libpcap captures, and that's what we're reading.
228 At some point, we will add support in Wiretap to return
229 packet-drop statistics for capture file formats that store it,
230 and will make "cf_read()" get those statistics from Wiretap.
231 We clear the statistics (marking them as "not known") in
232 "cf_open()", and "cf_read()" will only fetch them and mark
233 them as known if Wiretap supplies them, so if we get the
234 statistics now, after calling "cf_open()" but before calling
235 "cf_read()", the values we store will be used by "cf_read()".
237 If a future libpcap capture file format stores the statistics,
238 we'll put them into the capture file that we write, and will
239 thus not have to set them here - "cf_read()" will get them from
240 the file and use them. */
242 cf_set_drops_known(capture_opts->cf, TRUE);
244 /* XXX - on some systems, libpcap doesn't bother filling in
245 "ps_ifdrop" - it doesn't even set it to zero - so we don't
246 bother looking at it.
248 Ideally, libpcap would have an interface that gave us
249 several statistics - perhaps including various interface
250 error statistics - and would tell us which of them it
251 supplies, allowing us to display only the ones it does. */
252 cf_set_drops(capture_opts->cf, drops);
255 /* read in the packet data */
256 switch (cf_read(capture_opts->cf, FALSE)) {
260 /* Just because we got an error, that doesn't mean we were unable
261 to read any of the file; we handle what we could get from the
265 case CF_READ_ABORTED:
266 /* User wants to quit program. Exit by leaving the main loop,
267 so that any quit functions we registered get called. */
268 main_window_nested_quit();
272 /* if we didn't capture even a single packet, close the file again */
273 if(cf_get_packet_count(capture_opts->cf) == 0 && !capture_opts->restart) {
274 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
275 "%sNo packets captured!%s\n"
277 "As no data was captured, closing the %scapture file!\n"
280 "Help about capturing can be found at:\n"
282 " http://wiki.wireshark.org/CaptureSetup"
285 "Wireless (Wi-Fi/WLAN):\n"
286 "Try to switch off promiscuous mode in the Capture Options!"
289 simple_dialog_primary_start(), simple_dialog_primary_end(),
290 (cf_is_tempfile(capture_opts->cf)) ? "temporary " : "");
291 cf_close(capture_opts->cf);
297 /* capture child tells us we have a new (or the first) capture file */
299 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
301 gboolean is_tempfile;
305 if(capture_opts->state == CAPTURE_PREPARING) {
306 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
308 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
310 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
312 /* free the old filename */
313 if(capture_opts->save_file != NULL) {
314 /* we start a new capture file, close the old one (if we had one before). */
315 /* (we can only have an open capture file in real_time_mode!) */
316 if( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
317 capture_callback_invoke(capture_cb_capture_update_finished, capture_opts);
318 cf_finish_tail(capture_opts->cf, &err);
319 cf_close(capture_opts->cf);
321 g_free(capture_opts->save_file);
323 cf_set_tempfile(capture_opts->cf, FALSE);
325 /* we didn't have a save_file before; must be a tempfile */
327 cf_set_tempfile(capture_opts->cf, TRUE);
330 /* save the new filename */
331 capture_opts->save_file = g_strdup(new_file);
333 /* if we are in real-time mode, open the new file now */
334 if(capture_opts->real_time_mode) {
335 /* Attempt to open the capture file and set up to read from it. */
336 switch(cf_start_tail(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
340 /* Don't unlink (delete) the save file - leave it around,
341 for debugging purposes. */
342 g_free(capture_opts->save_file);
343 capture_opts->save_file = NULL;
348 if(capture_opts->show_info) {
349 if (!capture_info_new_file(new_file))
353 if(capture_opts->real_time_mode) {
354 capture_callback_invoke(capture_cb_capture_update_started, capture_opts);
356 capture_callback_invoke(capture_cb_capture_fixed_started, capture_opts);
358 capture_opts->state = CAPTURE_RUNNING;
364 /* capture child tells us we have new packets to read */
366 capture_input_new_packets(capture_options *capture_opts, int to_read)
371 g_assert(capture_opts->save_file);
373 if(capture_opts->real_time_mode) {
374 /* Read from the capture file the number of records the child told us it added. */
375 switch (cf_continue_tail(capture_opts->cf, to_read, &err)) {
379 /* Just because we got an error, that doesn't mean we were unable
380 to read any of the file; we handle what we could get from the
383 XXX - abort on a read error? */
384 capture_callback_invoke(capture_cb_capture_update_continue, capture_opts);
387 case CF_READ_ABORTED:
388 /* Kill the child capture process; the user wants to exit, and we
389 shouldn't just leave it running. */
390 capture_kill_child(capture_opts);
394 /* increase the capture file packet counter by the number of incoming packets */
395 cf_set_packet_count(capture_opts->cf,
396 cf_get_packet_count(capture_opts->cf) + to_read);
398 capture_callback_invoke(capture_cb_capture_fixed_continue, capture_opts);
401 /* update the main window so we get events (e.g. from the stop toolbar button) */
402 main_window_update();
404 if(capture_opts->show_info)
405 capture_info_new_packets(to_read);
409 /* Capture child told us how many dropped packets it counted.
412 capture_input_drops(capture_options *capture_opts, guint32 dropped)
414 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "%u packet%s dropped", dropped, plurality(dropped, "", "s"));
416 g_assert(capture_opts->state == CAPTURE_RUNNING);
418 cf_set_drops_known(capture_opts->cf, TRUE);
419 cf_set_drops(capture_opts->cf, dropped);
423 /* Capture child told us that an error has occurred while starting/running
425 The buffer we're handed has *two* null-terminated strings in it - a
426 primary message and a secondary message, one right after the other.
427 The secondary message might be a null string.
430 capture_input_error_message(capture_options *capture_opts, char *error_msg, char *secondary_error_msg)
432 gchar *safe_error_msg;
433 gchar *safe_secondary_error_msg;
435 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Error message from child: \"%s\", \"%s\"",
436 error_msg, secondary_error_msg);
438 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
440 safe_error_msg = simple_dialog_format_message(error_msg);
441 if (*secondary_error_msg != '\0') {
442 /* We have both primary and secondary messages. */
443 safe_secondary_error_msg = simple_dialog_format_message(secondary_error_msg);
444 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s\n\n%s",
445 simple_dialog_primary_start(), safe_error_msg,
446 simple_dialog_primary_end(), safe_secondary_error_msg);
447 g_free(safe_secondary_error_msg);
449 /* We have only a primary message. */
450 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s",
451 simple_dialog_primary_start(), safe_error_msg,
452 simple_dialog_primary_end());
454 g_free(safe_error_msg);
456 /* the capture child will close the sync_pipe if required, nothing to do for now */
461 /* Capture child told us that an error has occurred while parsing a
462 capture filter when starting/running the capture.
465 capture_input_cfilter_error_message(capture_options *capture_opts, char *error_message)
467 dfilter_t *rfcode = NULL;
468 gchar *safe_cfilter = simple_dialog_format_message(capture_opts->cfilter);
469 gchar *safe_cfilter_error_msg = simple_dialog_format_message(error_message);
471 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture filter error message from child: \"%s\"", error_message);
473 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
475 /* Did the user try a display filter? */
476 if (dfilter_compile(capture_opts->cfilter, &rfcode) && rfcode != NULL) {
477 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
478 "%sInvalid capture filter: \"%s\"!%s\n"
480 "That string looks like a valid display filter; however, it isn't a valid\n"
481 "capture filter (%s).\n"
483 "Note that display filters and capture filters don't have the same syntax,\n"
484 "so you can't use most display filter expressions as capture filters.\n"
486 "See the User's Guide for a description of the capture filter syntax.",
487 simple_dialog_primary_start(), safe_cfilter,
488 simple_dialog_primary_end(), safe_cfilter_error_msg);
489 dfilter_free(rfcode);
491 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
492 "%sInvalid capture filter: \"%s\"!%s\n"
494 "That string isn't a valid capture filter (%s).\n"
495 "See the User's Guide for a description of the capture filter syntax.",
496 simple_dialog_primary_start(), safe_cfilter,
497 simple_dialog_primary_end(), safe_cfilter_error_msg);
499 g_free(safe_cfilter_error_msg);
500 g_free(safe_cfilter);
502 /* the capture child will close the sync_pipe if required, nothing to do for now */
506 /* capture child closed its side of the pipe, do the required cleanup */
508 capture_input_closed(capture_options *capture_opts)
511 int packet_count_save;
513 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture stopped!");
514 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
516 /* if we didn't start the capture, do a fake start. */
517 /* (happens if we got an error message - we won't get a filename then). */
518 if(capture_opts->state == CAPTURE_PREPARING) {
519 if(capture_opts->real_time_mode) {
520 capture_callback_invoke(capture_cb_capture_update_started, capture_opts);
522 capture_callback_invoke(capture_cb_capture_fixed_started, capture_opts);
526 if(capture_opts->real_time_mode) {
527 cf_read_status_t status;
529 /* Read what remains of the capture file. */
530 status = cf_finish_tail(capture_opts->cf, &err);
532 /* XXX: If -Q (quit-after-cap) then cf->count clr'd below so save it first */
533 packet_count_save = cf_get_packet_count(capture_opts->cf);
534 /* Tell the GUI we are not doing a capture any more.
535 Must be done after the cf_finish_tail(), so file lengths are
536 correctly displayed */
537 capture_callback_invoke(capture_cb_capture_update_finished, capture_opts);
539 /* Finish the capture. */
543 if ((packet_count_save == 0) && !capture_opts->restart) {
544 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
545 "%sNo packets captured!%s\n"
547 "As no data was captured, closing the %scapture file!\n"
550 "Help about capturing can be found at:\n"
552 " http://wiki.wireshark.org/CaptureSetup"
555 "Wireless (Wi-Fi/WLAN):\n"
556 "Try to switch off promiscuous mode in the Capture Options!"
559 simple_dialog_primary_start(), simple_dialog_primary_end(),
560 cf_is_tempfile(capture_opts->cf) ? "temporary " : "");
561 cf_close(capture_opts->cf);
565 /* Just because we got an error, that doesn't mean we were unable
566 to read any of the file; we handle what we could get from the
570 case CF_READ_ABORTED:
571 /* Exit by leaving the main loop, so that any quit functions
572 we registered get called. */
577 /* first of all, we are not doing a capture any more */
578 capture_callback_invoke(capture_cb_capture_fixed_finished, capture_opts);
580 /* this is a normal mode capture and if no error happened, read in the capture file data */
581 if(capture_opts->save_file != NULL) {
582 capture_input_read_all(capture_opts, cf_is_tempfile(capture_opts->cf),
583 cf_get_drops_known(capture_opts->cf), cf_get_drops(capture_opts->cf));
587 if(capture_opts->show_info)
588 capture_info_close();
590 capture_opts->state = CAPTURE_STOPPED;
592 /* if we couldn't open a capture file, there's nothing more for us to do */
593 if(capture_opts->save_file == NULL) {
594 cf_close(capture_opts->cf);
598 /* does the user wants to restart the current capture? */
599 if(capture_opts->restart) {
600 capture_opts->restart = FALSE;
602 ws_unlink(capture_opts->save_file);
604 /* if it was a tempfile, throw away the old filename (so it will become a tempfile again) */
605 if(cf_is_tempfile(capture_opts->cf)) {
606 g_free(capture_opts->save_file);
607 capture_opts->save_file = NULL;
610 /* ... and start the capture again */
611 capture_start(capture_opts);
613 /* We're not doing a capture any more, so we don't have a save file. */
614 g_free(capture_opts->save_file);
615 capture_opts->save_file = NULL;
620 capture_stat_start(GList *if_list) {
621 int stat_fd, fork_child;
623 if_stat_cache_t *sc = NULL;
626 if_stat_cache_item_t *sc_item;
628 /* Fire up dumpcap. */
630 * XXX - on systems with BPF, the number of BPF devices limits the
631 * number of devices on which you can capture simultaneously.
635 * 1) this might fail if you run out of BPF devices
639 * 2) opening every interface could leave too few BPF devices
640 * for *other* programs.
642 * It also means the system could end up getting a lot of traffic
643 * that it has to pass through the networking stack and capture
644 * mechanism, so opening all the devices and presenting packet
645 * counts might not always be a good idea.
647 if (sync_interface_stats_open(&stat_fd, &fork_child, &msg) == 0) {
648 sc = g_malloc(sizeof(if_stat_cache_t));
649 sc->stat_fd = stat_fd;
650 sc->fork_child = fork_child;
651 sc->cache_list = NULL;
653 /* Initialize the cache */
654 for (if_entry = if_list; if_entry != NULL; if_entry = g_list_next(if_entry)) {
655 if_info = if_entry->data;
656 sc_item = g_malloc0(sizeof(if_stat_cache_item_t));
657 sc_item->name = g_strdup(if_info->name);
658 sc->cache_list = g_list_append(sc->cache_list, sc_item);
664 #define MAX_STAT_LINE_LEN 500
667 capture_stat_cache_update(if_stat_cache_t *sc) {
668 gchar stat_line[MAX_STAT_LINE_LEN];
671 if_stat_cache_item_t *sc_item;
676 while (sync_pipe_gets_nonblock(sc->stat_fd, stat_line, MAX_STAT_LINE_LEN) > 0) {
677 g_strstrip(stat_line);
678 stat_parts = g_strsplit(stat_line, "\t", 3);
679 if (stat_parts[0] == NULL || stat_parts[1] == NULL ||
680 stat_parts[2] == NULL) {
681 g_strfreev(stat_parts);
684 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
685 sc_item = sc_entry->data;
686 if (strcmp(sc_item->name, stat_parts[0]) == 0) {
687 sc_item->ps.ps_recv = (u_int) strtoul(stat_parts[1], NULL, 10);
688 sc_item->ps.ps_drop = (u_int) strtoul(stat_parts[2], NULL, 10);
691 g_strfreev(stat_parts);
696 capture_stats(if_stat_cache_t *sc, char *ifname, struct pcap_stat *ps) {
698 if_stat_cache_item_t *sc_item;
700 if (!sc || !ifname || !ps) {
704 capture_stat_cache_update(sc);
705 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
706 sc_item = sc_entry->data;
707 if (strcmp(sc_item->name, ifname) == 0) {
708 memcpy(ps, &sc_item->ps, sizeof(struct pcap_stat));
716 capture_stat_stop(if_stat_cache_t *sc) {
718 if_stat_cache_item_t *sc_item;
724 sync_interface_stats_close(&sc->stat_fd, &sc->fork_child, &msg);
726 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
727 sc_item = sc_entry->data;
728 g_free(sc_item->name);
734 #endif /* HAVE_LIBPCAP */