2 * Routines for packet capture
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
48 #include <epan/packet.h>
49 #include <epan/dfilter/dfilter.h>
52 #include "capture_sync.h"
53 #include "capture_info.h"
54 #include "capture_ui_utils.h"
56 #include "capture-pcap-util.h"
57 #include "alert_box.h"
58 #include "simple_dialog.h"
59 #include <epan/prefs.h>
60 #include "conditions.h"
61 #include "ringbuffer.h"
64 #include "capture-wpcap.h"
67 #include "file_util.h"
75 * @return TRUE if the capture starts successfully, FALSE otherwise.
/* Start a live capture.
 *
 * Closes whatever capture file is loaded, moves capture_opts->state from
 * CAPTURE_STOPPED to CAPTURE_PREPARING and asks sync_pipe_start() to bring
 * up the capture child. The doc fragment just above this function states
 * the return contract (TRUE when the capture starts, FALSE otherwise).
 *
 * NOTE(review): this listing has dropped lines (the return type, the
 * braces, the test on ret, the else and the return statement), so the
 * failure/success split described below is read off the log messages and
 * comments - confirm against the complete file. */
78 capture_start(capture_options *capture_opts)
83 /* close the currently loaded capture file */
84 cf_close(capture_opts->cf);
/* The state machine is guarded only by g_assert(). GLib compiles g_assert()
   out when G_DISABLE_ASSERT is defined, so a build configured that way
   would not enforce this precondition. */
86 g_assert(capture_opts->state == CAPTURE_STOPPED);
87 capture_opts->state = CAPTURE_PREPARING;
89 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start ...");
91 /* try to start the capture child process */
92 ret = sync_pipe_start(capture_opts);
/* Presumably the failure path: the pending save file name is released and
   the pointer is cleared right after g_free() so the freed string cannot
   be reused, then the state falls back to CAPTURE_STOPPED. */
94 if(capture_opts->save_file != NULL) {
95 g_free(capture_opts->save_file);
96 capture_opts->save_file = NULL;
99 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Start failed!");
100 capture_opts->state = CAPTURE_STOPPED;
/* Presumably the success path starts here. */
102 /* the capture child might not respond shortly after bringing it up */
103 /* (especially it will block, if no input coming from an input capture pipe (e.g. mkfifo) is coming in) */
105 /* to prevent problems, bring the main GUI into "capture mode" right after successfully */
106 /* spawn/exec the capture child, without waiting for any response from it */
107 cf_callback_invoke(cf_cb_live_capture_prepared, capture_opts);
/* The capture info window is opened for the selected interface only when
   the show_info option is set. */
109 if(capture_opts->show_info)
110 capture_info_open(capture_opts->iface);
/* Ask the running capture to stop.
 *
 * Logs the request, tells the registered callbacks that the capture is
 * stopping (cf_cb_live_capture_stopping) and then calls sync_pipe_stop().
 * This function does not change capture_opts->state itself; in this file
 * the state is set back to CAPTURE_STOPPED in capture_input_closed().
 * NOTE(review): the return type and braces were dropped from this listing. */
118 capture_stop(capture_options *capture_opts)
120 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Stop ...");
122 cf_callback_invoke(cf_cb_live_capture_stopping, capture_opts);
124 /* stop the capture child gracefully */
125 sync_pipe_stop(capture_opts);
/* Restart the current capture.
 *
 * Only sets capture_opts->restart and stops the capture. The flag is
 * consumed in capture_input_closed(), which clears it, unlinks the save
 * file of the capture that just ended and calls capture_start() again.
 * NOTE(review): the return type and braces were dropped from this listing. */
130 capture_restart(capture_options *capture_opts)
132 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture Restart");
134 capture_opts->restart = TRUE;
135 capture_stop(capture_opts);
/* Kill the capture child instead of stopping it gracefully.
 *
 * Logs at INFO level and calls sync_pipe_kill(). Unlike capture_stop(), no
 * "stopping" callback is invoked here. Within this file it is called from
 * capture_input_new_packets() when reading the capture file was aborted.
 * NOTE(review): the return type and braces were dropped from this listing. */
140 capture_kill_child(capture_options *capture_opts)
142 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "Capture Kill");
144 /* kill the capture child */
145 sync_pipe_kill(capture_opts);
/* Load a finished (non real-time) capture into the capture file.
 *
 * Opens capture_opts->save_file with cf_open(), clears the read filter,
 * stores the drop statistics, reads the packets with cf_read() and, when
 * nothing was captured and no restart is pending, tells the user and
 * closes the file again.
 *
 * NOTE(review): this listing has dropped lines: the rest of the parameter
 * list, the return type, the braces, most case labels and the return
 * statements. Comments below only describe what is still visible. */
150 /* We've succeeded a (non real-time) capture, try to read it into a new capture file */
152 capture_input_read_all(capture_options *capture_opts, gboolean is_tempfile, gboolean drops_known,
158 /* Capture succeeded; attempt to open the capture file. */
159 if (cf_open(capture_opts->cf, capture_opts->save_file, is_tempfile, &err) != CF_OK) {
/* The handling of a failed cf_open() is on dropped lines; only the first
   line of its comment survives below. */
160 /* We're not doing a capture any more, so we don't have a save
165 /* Set the read filter to NULL. */
166 /* XXX - this is odd here, try to put it somewhere, where it fits better */
167 cf_set_rfcode(capture_opts->cf, NULL);
169 /* Get the packet-drop statistics.
171 XXX - there are currently no packet-drop statistics stored
172 in libpcap captures, and that's what we're reading.
174 At some point, we will add support in Wiretap to return
175 packet-drop statistics for capture file formats that store it,
176 and will make "cf_read()" get those statistics from Wiretap.
177 We clear the statistics (marking them as "not known") in
178 "cf_open()", and "cf_read()" will only fetch them and mark
179 them as known if Wiretap supplies them, so if we get the
180 statistics now, after calling "cf_open()" but before calling
181 "cf_read()", the values we store will be used by "cf_read()".
183 If a future libpcap capture file format stores the statistics,
184 we'll put them into the capture file that we write, and will
185 thus not have to set them here - "cf_read()" will get them from
186 the file and use them. */
/* NOTE(review): the drops_known parameter is not used on any visible line;
   the statistics are presumably stored only when it is set, by a test on a
   dropped line - confirm. */
188 cf_set_drops_known(capture_opts->cf, TRUE);
190 /* XXX - on some systems, libpcap doesn't bother filling in
191 "ps_ifdrop" - it doesn't even set it to zero - so we don't
192 bother looking at it.
194 Ideally, libpcap would have an interface that gave us
195 several statistics - perhaps including various interface
196 error statistics - and would tell us which of them it
197 supplies, allowing us to display only the ones it does. */
198 cf_set_drops(capture_opts->cf, drops);
201 /* read in the packet data */
/* Only the CF_READ_ABORTED label of this switch survives in the listing. */
202 switch (cf_read(capture_opts->cf)) {
206 /* Just because we got an error, that doesn't mean we were unable
207 to read any of the file; we handle what we could get from the
211 case CF_READ_ABORTED:
212 /* User wants to quit program. Exit by leaving the main loop,
213 so that any quit functions we registered get called. */
214 main_window_nested_quit();
218 /* if we didn't capture even a single packet, close the file again */
219 if(cf_get_packet_count(capture_opts->cf) == 0 && !capture_opts->restart) {
/* The dialog text is a literal format string; the only run-time arguments
   are the primary start/end markers and the "temporary " prefix.
   NOTE(review): the help link is a plain-http URL; consider https if the
   wiki serves it. */
220 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
221 "%sNo packets captured!%s\n"
223 "As no data was captured, closing the %scapture file!\n"
226 "Help about capturing can be found at:\n"
228 " http://wiki.wireshark.org/CaptureSetup"
231 "Wireless (Wi-Fi/WLAN):\n"
232 "Try to switch off promiscuous mode in the Capture Options!"
235 simple_dialog_primary_start(), simple_dialog_primary_end(),
236 (cf_is_tempfile(capture_opts->cf)) ? "temporary " : "");
237 cf_close(capture_opts->cf);
/* Handle the capture child's announcement of a new (or the first) capture
 * file.
 *
 * new_file is a path supplied by the capture child. It is logged as a "%s"
 * argument, copied with g_strdup() into capture_opts->save_file and, in
 * real-time mode, handed to cf_start_tail(); no check of the path is
 * visible in this listing. On the first file the state moves from
 * CAPTURE_PREPARING to CAPTURE_RUNNING.
 *
 * NOTE(review): this listing has dropped lines (return type, braces, else
 * lines, case labels, return statements); comments below describe only
 * what is still visible. */
243 /* capture child tells us we have a new (or the first) capture file */
245 capture_input_new_file(capture_options *capture_opts, gchar *new_file)
247 gboolean is_tempfile;
/* NOTE(review): no assignment to is_tempfile is visible although it is
   passed to cf_start_tail() below; the assignments are presumably on
   dropped lines next to the cf_set_tempfile() calls - confirm. */
251 if(capture_opts->state == CAPTURE_PREPARING) {
252 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
254 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
/* A message arriving in any other state aborts the program through
   g_assert(), unless assertions are compiled out with G_DISABLE_ASSERT. */
256 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
258 /* free the old filename */
259 if(capture_opts->save_file != NULL) {
260 /* we start a new capture file, close the old one (if we had one before) */
261 /* (we can only have an open capture file in real_time_mode!) */
262 if( ((capture_file *) capture_opts->cf)->state != FILE_CLOSED) {
/* The old file is finished and closed before its name is freed. */
263 cf_callback_invoke(cf_cb_live_capture_update_finished, capture_opts->cf);
264 cf_finish_tail(capture_opts->cf, &err);
265 cf_close(capture_opts->cf);
267 g_free(capture_opts->save_file);
269 cf_set_tempfile(capture_opts->cf, FALSE);
271 /* we didn't have a save_file before, must be a tempfile */
273 cf_set_tempfile(capture_opts->cf, TRUE);
276 /* save the new filename */
/* capture_opts keeps its own copy, so it does not depend on the lifetime
   of the caller's buffer. */
277 capture_opts->save_file = g_strdup(new_file);
279 /* if we are in real-time mode, open the new file now */
280 if(capture_opts->real_time_mode) {
281 /* Attempt to open the capture file and set up to read from it. */
282 switch(cf_start_tail(capture_opts->cf, capture_opts->save_file, is_tempfile, &err)) {
286 /* Don't unlink (delete) the save file - leave it around,
287 for debugging purposes. */
/* Presumably the error case of the switch: the name is released and the
   pointer cleared, while the file itself stays on disk. */
288 g_free(capture_opts->save_file);
289 capture_opts->save_file = NULL;
295 if(capture_opts->show_info) {
/* What happens when capture_info_new_file() fails is on a dropped line. */
296 if (!capture_info_new_file(new_file))
300 if(capture_opts->real_time_mode) {
301 cf_callback_invoke(cf_cb_live_capture_update_started, capture_opts);
303 cf_callback_invoke(cf_cb_live_capture_fixed_started, capture_opts);
305 capture_opts->state = CAPTURE_RUNNING;
/* Handle the capture child's report that to_read new packets were written.
 *
 * In real-time mode the records are read with cf_continue_tail(); otherwise
 * only the packet counter is advanced. Afterwards the main window is
 * updated and, if enabled, the capture info window is told about the new
 * packets.
 *
 * to_read is a count received from the capture child. NOTE(review): no
 * range check on it is visible in this listing, so a negative or very large
 * value would reach cf_continue_tail(), the counter arithmetic and
 * capture_info_new_packets() unchanged - confirm whether the pipe reader
 * validates it.
 *
 * NOTE(review): the return type, braces, else lines and most case labels
 * were dropped from this listing. */
311 /* capture child tells us we have new packets to read */
313 capture_input_new_packets(capture_options *capture_opts, int to_read)
/* A save file name must already be set; capture_input_new_file() stores it. */
318 g_assert(capture_opts->save_file);
320 if(capture_opts->real_time_mode) {
321 /* Read from the capture file the number of records the child told us it added. */
322 switch (cf_continue_tail(capture_opts->cf, to_read, &err)) {
326 /* Just because we got an error, that doesn't mean we were unable
327 to read any of the file; we handle what we could get from the
330 XXX - abort on a read error? */
331 cf_callback_invoke(cf_cb_live_capture_update_continue, capture_opts->cf);
334 case CF_READ_ABORTED:
335 /* Kill the child capture process; the user wants to exit, and we
336 shouldn't just leave it running. */
337 capture_kill_child(capture_opts);
341 /* increase capture file packet counter by the number of incoming packets */
/* Presumably the non real-time branch: nothing is read yet, the counter is
   simply advanced by the number the child reported. */
342 cf_set_packet_count(capture_opts->cf,
343 cf_get_packet_count(capture_opts->cf) + to_read);
345 cf_callback_invoke(cf_cb_live_capture_fixed_continue, capture_opts->cf);
348 /* update the main window, so we get events (e.g. from the stop toolbar button) */
349 main_window_update();
351 if(capture_opts->show_info)
352 capture_info_new_packets(to_read);
/* Record the number of dropped packets reported by the capture child.
 *
 * Logs the count at INFO level, asserts that the capture is in the
 * CAPTURE_RUNNING state, marks the drop statistics as known and stores
 * `dropped` with cf_set_drops(). The value is an int taken from the child
 * and is stored without a visible range check.
 *
 * NOTE(review): the original comment below lost its closing line, and the
 * return type and braces were dropped from this listing. */
356 /* Capture child told us how many dropped packets it counted.
359 capture_input_drops(capture_options *capture_opts, int dropped)
361 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "%d packet%s dropped", dropped, plurality(dropped, "", "s"));
363 g_assert(capture_opts->state == CAPTURE_RUNNING);
365 cf_set_drops_known(capture_opts->cf, TRUE);
366 cf_set_drops(capture_opts->cf, dropped);
/* Show an error reported by the capture child.
 *
 * error_msg and secondary_error_msg are text received from the child. Both
 * are logged as "%s" arguments and both are passed through
 * simple_dialog_format_message() before they are displayed; the dialog
 * format strings are literals, so the child's text is never used as a
 * format string. The strings returned by simple_dialog_format_message()
 * are released with g_free() here (presumably it returns an escaped copy -
 * confirm).
 *
 * secondary_error_msg is dereferenced without a NULL test, so callers must
 * pass an empty string, not NULL, when there is no secondary message; the
 * original comment below describes that contract.
 *
 * The g_assert() on the state aborts the program if the message arrives in
 * any state other than CAPTURE_PREPARING or CAPTURE_RUNNING, unless
 * assertions are compiled out with G_DISABLE_ASSERT.
 *
 * NOTE(review): the original comment below lost its closing line, and the
 * return type, braces and else line were dropped from this listing. */
370 /* Capture child told us that an error has occurred while starting/running
372 The buffer we're handed has *two* null-terminated strings in it - a
373 primary message and a secondary message, one right after the other.
374 The secondary message might be a null string.
377 capture_input_error_message(capture_options *capture_opts, char *error_msg, char *secondary_error_msg)
379 gchar *safe_error_msg;
380 gchar *safe_secondary_error_msg;
382 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Error message from child: \"%s\", \"%s\"",
383 error_msg, secondary_error_msg);
385 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
387 safe_error_msg = simple_dialog_format_message(error_msg);
388 if (*secondary_error_msg != '\0') {
389 /* We have both primary and secondary messages. */
390 safe_secondary_error_msg = simple_dialog_format_message(secondary_error_msg);
/* Four %s conversions, four arguments: start marker, primary text, end
   marker, secondary text. */
391 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s\n\n%s",
392 simple_dialog_primary_start(), safe_error_msg,
393 simple_dialog_primary_end(), safe_secondary_error_msg);
394 g_free(safe_secondary_error_msg);
396 /* We have only a primary message. */
397 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s%s%s",
398 simple_dialog_primary_start(), safe_error_msg,
399 simple_dialog_primary_end());
401 g_free(safe_error_msg);
403 /* the capture child will close the sync_pipe if required, nothing to do for now */
/* Show a capture-filter error reported by the capture child.
 *
 * The user's filter text (capture_opts->cfilter) and the child's
 * error_message are both passed through simple_dialog_format_message()
 * before they are put into the dialog, and both results are released with
 * g_free(). The dialog format strings are literals.
 *
 * The filter is also compiled as a display filter, only to choose the
 * wording: if it compiles, the dialog explains that display-filter syntax
 * was used; the compiled filter is freed with dfilter_free().
 *
 * The g_assert() on the state aborts the program if the message arrives in
 * any state other than CAPTURE_PREPARING or CAPTURE_RUNNING, unless
 * assertions are compiled out with G_DISABLE_ASSERT.
 *
 * NOTE(review): the original comment below lost its closing line, and the
 * return type, braces and else line were dropped from this listing. */
408 /* Capture child told us that an error has occurred while parsing a
409 capture filter when starting/running the capture.
412 capture_input_cfilter_error_message(capture_options *capture_opts, char *error_message)
414 dfilter_t *rfcode = NULL;
415 gchar *safe_cfilter = simple_dialog_format_message(capture_opts->cfilter);
416 gchar *safe_cfilter_error_msg = simple_dialog_format_message(error_message);
418 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture filter error message from child: \"%s\"", error_message);
420 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
422 /* Did the user try a display filter? */
423 if (dfilter_compile(capture_opts->cfilter, &rfcode) && rfcode != NULL) {
/* Only the formatted copies (safe_cfilter, safe_cfilter_error_msg) reach
   the dialog, never the raw strings. */
424 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
425 "%sInvalid capture filter: \"%s\"!%s\n"
427 "That string looks like a valid display filter; however, it isn't a valid\n"
428 "capture filter (%s).\n"
430 "Note that display filters and capture filters don't have the same syntax,\n"
431 "so you can't use most display filter expressions as capture filters.\n"
433 "See the User's Guide for a description of the capture filter syntax.",
434 simple_dialog_primary_start(), safe_cfilter,
435 simple_dialog_primary_end(), safe_cfilter_error_msg);
436 dfilter_free(rfcode);
438 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
439 "%sInvalid capture filter: \"%s\"!%s\n"
441 "That string isn't a valid capture filter (%s).\n"
442 "See the User's Guide for a description of the capture filter syntax.",
443 simple_dialog_primary_start(), safe_cfilter,
444 simple_dialog_primary_end(), safe_cfilter_error_msg);
446 g_free(safe_cfilter_error_msg);
447 g_free(safe_cfilter);
449 /* the capture child will close the sync_pipe if required, nothing to do for now */
/* Clean up after the capture child closed its side of the pipe.
 *
 * Finishes reading the capture (real-time mode) or loads the whole file
 * through capture_input_read_all() (normal mode), closes the capture info
 * window, sets the state to CAPTURE_STOPPED and then either restarts the
 * capture or drops the save file name.
 *
 * NOTE(review): this listing has dropped lines (return type, braces, else
 * lines, the declaration of err, the switch on status and its labels,
 * return statements); comments below describe only what is still visible. */
453 /* capture child closed its side of the pipe, do the required cleanup */
455 capture_input_closed(capture_options *capture_opts)
460 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture stopped!");
/* Reaching this function in the stopped state aborts the program through
   g_assert(), unless assertions are compiled out with G_DISABLE_ASSERT. */
461 g_assert(capture_opts->state == CAPTURE_PREPARING || capture_opts->state == CAPTURE_RUNNING);
463 /* if we didn't start the capture, do a fake start */
464 /* (happens if we got an error message - we won't get a filename then) */
465 if(capture_opts->state == CAPTURE_PREPARING) {
466 if(capture_opts->real_time_mode) {
467 cf_callback_invoke(cf_cb_live_capture_update_started, capture_opts);
469 cf_callback_invoke(cf_cb_live_capture_fixed_started, capture_opts);
473 if(capture_opts->real_time_mode) {
474 cf_read_status_t status;
476 /* Read what remains of the capture file. */
477 status = cf_finish_tail(capture_opts->cf, &err);
479 /* Tell the GUI, we are not doing a capture any more.
480 Must be done after the cf_finish_tail(), so file lengths are displayed
482 cf_callback_invoke(cf_cb_live_capture_update_finished, capture_opts->cf);
484 /* Finish the capture. */
/* Same "no packets" handling as in capture_input_read_all(): the dialog is
   skipped while a restart is pending. The text is a literal format string.
   NOTE(review): the help link is a plain-http URL; consider https if the
   wiki serves it. */
488 if(cf_get_packet_count(capture_opts->cf) == 0 && !capture_opts->restart) {
489 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
490 "%sNo packets captured!%s\n"
492 "As no data was captured, closing the %scapture file!\n"
495 "Help about capturing can be found at:\n"
497 " http://wiki.wireshark.org/CaptureSetup"
500 "Wireless (Wi-Fi/WLAN):\n"
501 "Try to switch off promiscuous mode in the Capture Options!"
504 simple_dialog_primary_start(), simple_dialog_primary_end(),
505 cf_is_tempfile(capture_opts->cf) ? "temporary " : "");
506 cf_close(capture_opts->cf);
510 /* Just because we got an error, that doesn't mean we were unable
511 to read any of the file; we handle what we could get from the
515 case CF_READ_ABORTED:
516 /* Exit by leaving the main loop, so that any quit functions
517 we registered get called. */
522 /* first of all, we are not doing a capture any more */
523 cf_callback_invoke(cf_cb_live_capture_fixed_finished, capture_opts->cf);
525 /* this is a normal mode capture and if no error happened, read in the capture file data */
526 if(capture_opts->save_file != NULL) {
527 capture_input_read_all(capture_opts, cf_is_tempfile(capture_opts->cf),
528 cf_get_drops_known(capture_opts->cf), cf_get_drops(capture_opts->cf));
532 if(capture_opts->show_info)
533 capture_info_close();
/* The state must be CAPTURE_STOPPED before the restart below, because
   capture_start() asserts exactly that state. */
535 capture_opts->state = CAPTURE_STOPPED;
537 /* if we couldn't open a capture file, there's nothing more for us to do */
538 if(capture_opts->save_file == NULL) {
539 cf_close(capture_opts->cf);
543 /* does the user want to restart the current capture? */
544 if(capture_opts->restart) {
545 capture_opts->restart = FALSE;
/* As far as this listing shows, the file of the capture that just ended is
   deleted on every restart, before the temp-file test below - so a file
   the user named explicitly is removed as well, not only a temporary one. */
547 eth_unlink(capture_opts->save_file);
549 /* if it was a tempfile, throw away the old filename (so it will become a tempfile again) */
550 if(cf_is_tempfile(capture_opts->cf)) {
551 g_free(capture_opts->save_file);
552 capture_opts->save_file = NULL;
555 /* ... and start the capture again */
556 capture_start(capture_opts);
558 /* We're not doing a capture any more, so we don't have a save file. */
559 g_free(capture_opts->save_file);
560 capture_opts->save_file = NULL;
565 #endif /* HAVE_LIBPCAP */