2 * Routines for packet capture
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
40 #include <epan/packet.h>
41 #include <epan/dfilter/dfilter.h>
44 #include "capture_ifinfo.h"
45 #include "capture_sync.h"
46 #include "capture_info.h"
47 #include "capture_ui_utils.h"
49 #include "capture-pcap-util.h"
50 #include <epan/prefs.h>
53 #include "capture-wpcap.h"
56 #include "ui/simple_dialog.h"
57 #include "ui/ui_util.h"
59 #include "wsutil/file_util.h"
62 typedef struct if_stat_cache_item_s {
65 } if_stat_cache_item_t;
67 struct if_stat_cache_s {
70 GList *cache_list; /* List of if_stat_chache_entry_t */
73 /* this callback mechanism should possibly be replaced by the g_signal_...() stuff (if I only would know how :-) */
75 capture_callback_t cb_fct;
77 } capture_callback_data_t;
79 static GList *capture_callbacks = NULL;
82 capture_callback_invoke(int event, capture_options *capture_opts)
84 capture_callback_data_t *cb;
85 GList *cb_item = capture_callbacks;
87 /* there should be at least one interested */
88 g_assert(cb_item != NULL);
90 while(cb_item != NULL) {
92 cb->cb_fct(event, capture_opts, cb->user_data);
93 cb_item = g_list_next(cb_item);
99 capture_callback_add(capture_callback_t func, gpointer user_data)
101 capture_callback_data_t *cb;
103 cb = g_malloc(sizeof(capture_callback_data_t));
105 cb->user_data = user_data;
107 capture_callbacks = g_list_append(capture_callbacks, cb);
111 capture_callback_remove(capture_callback_t func)
113 capture_callback_data_t *cb;
114 GList *cb_item = capture_callbacks;
116 while(cb_item != NULL) {
118 if(cb->cb_fct == func) {
119 capture_callbacks = g_list_remove(capture_callbacks, cb);
123 cb_item = g_list_next(cb_item);
126 g_assert_not_reached();
132 * @return TRUE if the capture starts successfully, FALSE otherwise.
135 capture_start(capture_options *capture_opts)
139 GString *source = g_string_new("");
141 if (capture_opts->state != CAPTURE_STOPPED)
143 capture_opts->state = CAPTURE_PREPARING;
145 /* close the currently loaded capture file */
146 cf_close(capture_opts->cf);
147 collect_ifaces(capture_opts);
148 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start ...");
150 if (capture_opts->ifaces->len < 2) {
152 if (capture_opts->ifaces->len < 4) {
154 for (i = 0; i < capture_opts->ifaces->len; i++) {
155 interface_options interface_opts;
157 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
159 if (capture_opts->ifaces->len > 2) {
160 g_string_append_printf(source, ",");
162 g_string_append_printf(source, " ");
163 if (i == capture_opts->ifaces->len - 1) {
164 g_string_append_printf(source, "and ");
167 g_string_append_printf(source, "%s", get_iface_description_for_interface(capture_opts, i));
168 if ((interface_opts.cfilter != NULL) &&
169 (strlen(interface_opts.cfilter) > 0)) {
170 g_string_append_printf(source, " (%s)", interface_opts.cfilter);
174 g_string_append_printf(source, "%u interfaces", capture_opts->ifaces->len);
176 cf_set_tempfile_source(capture_opts->cf, source->str);
177 g_string_free(source, TRUE);
178 /* try to start the capture child process */
179 ret = sync_pipe_start(capture_opts);
181 if(capture_opts->save_file != NULL) {
182 g_free(capture_opts->save_file);
183 capture_opts->save_file = NULL;
186 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start failed!");
187 capture_opts->state = CAPTURE_STOPPED;
189 /* the capture child might not respond shortly after bringing it up */
190 /* (for example: it will block if no input arrives from an input capture pipe (e.g. mkfifo)) */
192 /* to prevent problems, bring the main GUI into "capture mode" right after a successful */
193 /* spawn/exec of the capture child, without waiting for any response from it */
194 capture_callback_invoke(capture_cb_capture_prepared, capture_opts);
196 if(capture_opts->show_info)
197 capture_info_open(capture_opts);
205 capture_stop(capture_options *capture_opts)
207 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Stop ...");
209 capture_callback_invoke(capture_cb_capture_stopping, capture_opts);
211 /* stop the capture child gracefully */
212 sync_pipe_stop(capture_opts);
217 capture_restart(capture_options *capture_opts)
219 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Restart");
221 capture_opts->restart = TRUE;
222 capture_stop(capture_opts);
227 capture_kill_child(capture_options *capture_opts)
229 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "Capture Kill");
231 /* kill the capture child */
232 sync_pipe_kill(capture_opts->fork_child);
237 /* We've succeeded in doing a (non real-time) capture; try to read it into a new capture file */
239 capture_input_read_all(capture_options *capture_opts, gboolean is_tempfile, gboolean drops_known,
244 /* Capture succeeded; attempt to open the capture file. */
245 if (cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err) != CF_OK) {
246 /* We're not doing a capture any more, so we don't have a save file. */
250 /* Set the read filter to NULL. */
251 /* XXX - this is odd here; try to put it somewhere where it fits better */
252 cf_set_rfcode(capture_opts->cf, NULL);
254 /* Get the packet-drop statistics.
256 XXX - there are currently no packet-drop statistics stored
257 in libpcap captures, and that's what we're reading.
259 At some point, we will add support in Wiretap to return
260 packet-drop statistics for capture file formats that store it,
261 and will make "cf_read()" get those statistics from Wiretap.
262 We clear the statistics (marking them as "not known") in
263 "cf_open()", and "cf_read()" will only fetch them and mark
264 them as known if Wiretap supplies them, so if we get the
265 statistics now, after calling "cf_open()" but before calling
266 "cf_read()", the values we store will be used by "cf_read()".
268 If a future libpcap capture file format stores the statistics,
269 we'll put them into the capture file that we write, and will
270 thus not have to set them here - "cf_read()" will get them from
271 the file and use them. */
273 cf_set_drops_known(capture_opts->cf, TRUE);
275 /* XXX - on some systems, libpcap doesn't bother filling in
276 "ps_ifdrop" - it doesn't even set it to zero - so we don't
277 bother looking at it.
279 Ideally, libpcap would have an interface that gave us
280 several statistics - perhaps including various interface
281 error statistics - and would tell us which of them it
282 supplies, allowing us to display only the ones it does. */
283 cf_set_drops(capture_opts->cf, drops);
286 /* read in the packet data */
287 switch (cf_read(capture_opts->cf, FALSE)) {
291 /* Just because we got an error, that doesn't mean we were unable
292 to read any of the file; we handle what we could get from the
296 case CF_READ_ABORTED:
297 /* User wants to quit program. Exit by leaving the main loop,
298 so that any quit functions we registered get called. */
299 main_window_nested_quit();
303 /* if we didn't capture even a single packet, close the file again */
304 if(cf_get_packet_count(capture_opts->cf) == 0 && !capture_opts->restart) {
305 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
306 "%sNo packets captured!%s\n"
308 "As no data was captured, closing the %scapture file!\n"
311 "Help about capturing can be found at:\n"
313 " http://wiki.wireshark.org/CaptureSetup"
316 "Wireless (Wi-Fi/WLAN):\n"
317 "Try to switch off promiscuous mode in the Capture Options!"
320 simple_dialog_primary_start(), simple_dialog_primary_end(),
321 (cf_is_tempfile(capture_opts->cf)) ? "temporary " : "");
322 cf_close(capture_opts->cf);
328 /* capture child tells us we have a new (or the first) capture file */
330 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
332 gboolean is_tempfile;
335 if(capture_opts->state == CAPTURE_PREPARING) {
336 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
338 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
340 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
342 /* free the old filename */
343 if(capture_opts->save_file != NULL) {
344 /* we start a new capture file, close the old one (if we had one before). */
345 /* (we can only have an open capture file in real_time_mode!) */
346 if( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
347 capture_callback_invoke(capture_cb_capture_update_finished, capture_opts);
348 cf_finish_tail(capture_opts->cf, &err);
349 cf_close(capture_opts->cf);
351 g_free(capture_opts->save_file);
353 cf_set_tempfile(capture_opts->cf, FALSE);
355 /* we didn't have a save_file before; must be a tempfile */
357 cf_set_tempfile(capture_opts->cf, TRUE);
360 /* save the new filename */
361 capture_opts->save_file = g_strdup(new_file);
363 /* if we are in real-time mode, open the new file now */
364 if(capture_opts->real_time_mode) {
365 /* Attempt to open the capture file and set up to read from it. */
366 switch(cf_start_tail(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
370 /* Don't unlink (delete) the save file - leave it around,
371 for debugging purposes. */
372 g_free(capture_opts->save_file);
373 capture_opts->save_file = NULL;
378 if(capture_opts->show_info) {
379 if (!capture_info_new_file(new_file))
383 if(capture_opts->real_time_mode) {
384 capture_callback_invoke(capture_cb_capture_update_started, capture_opts);
386 capture_callback_invoke(capture_cb_capture_fixed_started, capture_opts);
388 capture_opts->state = CAPTURE_RUNNING;
394 /* capture child tells us we have new packets to read */
396 capture_input_new_packets(capture_options *capture_opts, int to_read)
401 g_assert(capture_opts->save_file);
403 if(capture_opts->real_time_mode) {
404 /* Read from the capture file the number of records the child told us it added. */
405 switch (cf_continue_tail(capture_opts->cf, to_read, &err)) {
409 /* Just because we got an error, that doesn't mean we were unable
410 to read any of the file; we handle what we could get from the
413 XXX - abort on a read error? */
414 capture_callback_invoke(capture_cb_capture_update_continue, capture_opts);
417 case CF_READ_ABORTED:
418 /* Kill the child capture process; the user wants to exit, and we
419 shouldn't just leave it running. */
420 capture_kill_child(capture_opts);
424 /* increase the capture file packet counter by the number of incoming packets */
425 cf_set_packet_count(capture_opts->cf,
426 cf_get_packet_count(capture_opts->cf) + to_read);
427 cf_fake_continue_tail(capture_opts->cf);
429 capture_callback_invoke(capture_cb_capture_fixed_continue, capture_opts);
432 /* update the main window so we get events (e.g. from the stop toolbar button) */
433 main_window_update();
435 if(capture_opts->show_info)
436 capture_info_new_packets(to_read);
440 /* Capture child told us how many dropped packets it counted.
443 capture_input_drops(capture_options *capture_opts, guint32 dropped)
445 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "%u packet%s dropped", dropped, plurality(dropped, "", "s"));
447 g_assert(capture_opts->state == CAPTURE_RUNNING);
449 cf_set_drops_known(capture_opts->cf, TRUE);
450 cf_set_drops(capture_opts->cf, dropped);
454 /* Capture child told us that an error has occurred while starting/running
456 The buffer we're handed has *two* null-terminated strings in it - a
457 primary message and a secondary message, one right after the other.
458 The secondary message might be a null string.
461 capture_input_error_message(capture_options *capture_opts, char *error_msg, char *secondary_error_msg)
463 gchar *safe_error_msg;
464 gchar *safe_secondary_error_msg;
466 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Error message from child: \"%s\", \"%s\"",
467 error_msg, secondary_error_msg);
469 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
471 safe_error_msg = simple_dialog_format_message(error_msg);
472 if (*secondary_error_msg != '\0') {
473 /* We have both primary and secondary messages. */
474 safe_secondary_error_msg = simple_dialog_format_message(secondary_error_msg);
475 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s\n\n%s",
476 simple_dialog_primary_start(), safe_error_msg,
477 simple_dialog_primary_end(), safe_secondary_error_msg);
478 g_free(safe_secondary_error_msg);
480 /* We have only a primary message. */
481 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s",
482 simple_dialog_primary_start(), safe_error_msg,
483 simple_dialog_primary_end());
485 g_free(safe_error_msg);
487 /* the capture child will close the sync_pipe if required, nothing to do for now */
492 /* Capture child told us that an error has occurred while parsing a
493 capture filter when starting/running the capture.
496 capture_input_cfilter_error_message(capture_options *capture_opts, guint i, char *error_message)
498 dfilter_t *rfcode = NULL;
501 gchar *safe_cfilter_error_msg;
502 interface_options interface_opts;
504 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture filter error message from child: \"%s\"", error_message);
506 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
507 g_assert(i < capture_opts->ifaces->len);
509 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
510 safe_cfilter = simple_dialog_format_message(interface_opts.cfilter);
511 safe_descr = simple_dialog_format_message(interface_opts.descr);
512 safe_cfilter_error_msg = simple_dialog_format_message(error_message);
513 /* Did the user try a display filter? */
514 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
515 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
516 "%sInvalid capture filter \"%s\" for interface %s!%s\n"
518 "That string looks like a valid display filter; however, it isn't a valid\n"
519 "capture filter (%s).\n"
521 "Note that display filters and capture filters don't have the same syntax,\n"
522 "so you can't use most display filter expressions as capture filters.\n"
524 "See the User's Guide for a description of the capture filter syntax.",
525 simple_dialog_primary_start(), safe_cfilter, safe_descr,
526 simple_dialog_primary_end(), safe_cfilter_error_msg);
527 dfilter_free(rfcode);
529 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
530 "%sInvalid capture filter \"%s\" for interface %s!%s\n"
532 "That string isn't a valid capture filter (%s).\n"
533 "See the User's Guide for a description of the capture filter syntax.",
534 simple_dialog_primary_start(), safe_cfilter, safe_descr,
535 simple_dialog_primary_end(), safe_cfilter_error_msg);
537 g_free(safe_cfilter_error_msg);
539 g_free(safe_cfilter);
541 /* the capture child will close the sync_pipe if required, nothing to do for now */
545 /* capture child closed its side of the pipe, do the required cleanup */
547 capture_input_closed(capture_options *capture_opts, gchar *msg)
550 int packet_count_save;
552 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture stopped!");
553 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
556 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s", msg);
558 /* if we didn't start the capture, do a fake start. */
559 /* (happens if we got an error message - we won't get a filename then). */
560 if(capture_opts->state == CAPTURE_PREPARING) {
561 if(capture_opts->real_time_mode) {
562 capture_callback_invoke(capture_cb_capture_update_started, capture_opts);
564 capture_callback_invoke(capture_cb_capture_fixed_started, capture_opts);
568 if(capture_opts->real_time_mode) {
569 cf_read_status_t status;
571 /* Read what remains of the capture file. */
572 status = cf_finish_tail(capture_opts->cf, &err);
574 /* XXX: If -Q (quit-after-cap) then cf->count clr'd below so save it first */
575 packet_count_save = cf_get_packet_count(capture_opts->cf);
576 /* Tell the GUI we are not doing a capture any more.
577 Must be done after the cf_finish_tail(), so file lengths are
578 correctly displayed */
579 capture_callback_invoke(capture_cb_capture_update_finished, capture_opts);
581 /* Finish the capture. */
585 if ((packet_count_save == 0) && !capture_opts->restart) {
586 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
587 "%sNo packets captured!%s\n"
589 "As no data was captured, closing the %scapture file!\n"
592 "Help about capturing can be found at:\n"
594 " http://wiki.wireshark.org/CaptureSetup"
597 "Wireless (Wi-Fi/WLAN):\n"
598 "Try to switch off promiscuous mode in the Capture Options!"
601 simple_dialog_primary_start(), simple_dialog_primary_end(),
602 cf_is_tempfile(capture_opts->cf) ? "temporary " : "");
603 cf_close(capture_opts->cf);
607 /* Just because we got an error, that doesn't mean we were unable
608 to read any of the file; we handle what we could get from the
612 case CF_READ_ABORTED:
613 /* Exit by leaving the main loop, so that any quit functions
614 we registered get called. */
620 /* first of all, we are not doing a capture any more */
621 capture_callback_invoke(capture_cb_capture_fixed_finished, capture_opts);
623 /* this is a normal mode capture and if no error happened, read in the capture file data */
624 if(capture_opts->save_file != NULL) {
625 capture_input_read_all(capture_opts, cf_is_tempfile(capture_opts->cf),
626 cf_get_drops_known(capture_opts->cf), cf_get_drops(capture_opts->cf));
630 if(capture_opts->show_info)
631 capture_info_close();
633 capture_opts->state = CAPTURE_STOPPED;
635 /* if we couldn't open a capture file, there's nothing more for us to do */
636 if(capture_opts->save_file == NULL) {
637 cf_close(capture_opts->cf);
641 /* does the user wants to restart the current capture? */
642 if(capture_opts->restart) {
643 capture_opts->restart = FALSE;
645 ws_unlink(capture_opts->save_file);
647 /* if it was a tempfile, throw away the old filename (so it will become a tempfile again) */
648 if(cf_is_tempfile(capture_opts->cf)) {
649 g_free(capture_opts->save_file);
650 capture_opts->save_file = NULL;
653 /* ... and start the capture again */
654 if (capture_opts->ifaces->len == 0) {
655 collect_ifaces(capture_opts);
657 capture_start(capture_opts);
659 /* We're not doing a capture any more, so we don't have a save file. */
660 g_free(capture_opts->save_file);
661 capture_opts->save_file = NULL;
666 capture_stat_start(capture_options *capture_opts) {
667 int stat_fd, fork_child;
669 if_stat_cache_t *sc = NULL;
670 if_stat_cache_item_t *sc_item;
674 /* Fire up dumpcap. */
676 * XXX - on systems with BPF, the number of BPF devices limits the
677 * number of devices on which you can capture simultaneously.
681 * 1) this might fail if you run out of BPF devices
685 * 2) opening every interface could leave too few BPF devices
686 * for *other* programs.
688 * It also means the system could end up getting a lot of traffic
689 * that it has to pass through the networking stack and capture
690 * mechanism, so opening all the devices and presenting packet
691 * counts might not always be a good idea.
693 if (sync_interface_stats_open(&stat_fd, &fork_child, &msg) == 0) {
694 sc = g_malloc(sizeof(if_stat_cache_t));
695 sc->stat_fd = stat_fd;
696 sc->fork_child = fork_child;
697 sc->cache_list = NULL;
699 /* Initialize the cache */
700 for (i = 0; i < capture_opts->all_ifaces->len; i++) {
701 device = g_array_index(capture_opts->all_ifaces, interface_t, i);
702 if (device.type != IF_PIPE && &(device.if_info)) {
703 sc_item = g_malloc0(sizeof(if_stat_cache_item_t));
704 sc_item->name = g_strdup(device.if_info.name);
705 sc->cache_list = g_list_append(sc->cache_list, sc_item);
712 #define MAX_STAT_LINE_LEN 500
715 capture_stat_cache_update(if_stat_cache_t *sc) {
716 gchar stat_line[MAX_STAT_LINE_LEN];
719 if_stat_cache_item_t *sc_item;
724 while (sync_pipe_gets_nonblock(sc->stat_fd, stat_line, MAX_STAT_LINE_LEN) > 0) {
725 g_strstrip(stat_line);
726 stat_parts = g_strsplit(stat_line, "\t", 3);
727 if (stat_parts[0] == NULL || stat_parts[1] == NULL ||
728 stat_parts[2] == NULL) {
729 g_strfreev(stat_parts);
732 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
733 sc_item = sc_entry->data;
734 if (strcmp(sc_item->name, stat_parts[0]) == 0) {
735 sc_item->ps.ps_recv = (u_int) strtoul(stat_parts[1], NULL, 10);
736 sc_item->ps.ps_drop = (u_int) strtoul(stat_parts[2], NULL, 10);
739 g_strfreev(stat_parts);
744 capture_stats(if_stat_cache_t *sc, char *ifname, struct pcap_stat *ps) {
746 if_stat_cache_item_t *sc_item;
748 if (!sc || !ifname || !ps) {
752 capture_stat_cache_update(sc);
753 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
754 sc_item = sc_entry->data;
755 if (strcmp(sc_item->name, ifname) == 0) {
756 memcpy(ps, &sc_item->ps, sizeof(struct pcap_stat));
764 capture_stat_stop(if_stat_cache_t *sc) {
766 if_stat_cache_item_t *sc_item;
773 ret = sync_interface_stats_close(&sc->stat_fd, &sc->fork_child, &msg);
775 /* XXX - report failure? */
779 for (sc_entry = sc->cache_list; sc_entry != NULL; sc_entry = g_list_next(sc_entry)) {
780 sc_item = sc_entry->data;
781 g_free(sc_item->name);
787 #endif /* HAVE_LIBPCAP */