2 * Routines for packet capture windows
4 * $Id: capture.c,v 1.202 2003/01/01 03:51:02 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_STAT_H
32 # include <sys/stat.h>
35 #ifdef HAVE_SYS_WAIT_H
36 # include <sys/wait.h>
41 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
42 * macros) on UNIX systems that don't have them.
45 # define WIFEXITED(status) (((status) & 0177) == 0)
48 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
51 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
54 # define WEXITSTATUS(status) ((status) >> 8)
57 # define WTERMSIG(status) ((status) & 0177)
60 # define WCOREDUMP(status) ((status) & 0200)
63 # define WSTOPSIG(status) ((status) >> 8)
87 #ifdef HAVE_SYS_SOCKET_H
88 #include <sys/socket.h>
91 #ifdef HAVE_SYS_IOCTL_H
92 #include <sys/ioctl.h>
100 #ifdef NEED_SNPRINTF_H
101 # include "snprintf.h"
105 #include <process.h> /* For spawning child process */
109 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
110 * want to include it if it's not present on this platform, however.
112 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__) || defined(__APPLE__)
116 #endif /* defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__) || defined(__APPLE__) */
119 * We don't want to do a "select()" on the pcap_t's file descriptor on
120 * BSD (because "select()" doesn't work correctly on BPF devices on at
121 * least some releases of some flavors of BSD), and we don't want to do
122 * it on Windows (because "select()" is something for sockets, not for
123 * arbitrary handles).
125 * We *do* want to do it on other platforms, as, on other platforms (with
126 * the possible exception of Ultrix and Digital UNIX), the read timeout
127 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
128 * will block until packets arrive, causing the UI to hang.
130 #if !defined(BSD) && !defined(_WIN32)
131 # define MUST_DO_SELECT
134 #include <epan/packet.h>
138 #include "pcap-util.h"
139 #include "simple_dialog.h"
142 #include "conditions.h"
143 #include "capture_stop_conditions.h"
144 #include "ringbuffer.h"
146 #include "wiretap/libpcap.h"
147 #include "wiretap/wtap.h"
148 #include "wiretap/wtap-capture.h"
150 #include "packet-atalk.h"
151 #include "packet-atm.h"
152 #include "packet-clip.h"
153 #include "packet-eth.h"
154 #include "packet-fddi.h"
155 #include "packet-null.h"
156 #include "packet-ppp.h"
157 #include "packet-raw.h"
158 #include "packet-sll.h"
159 #include "packet-tr.h"
160 #include "packet-ieee80211.h"
161 #include "packet-chdlc.h"
162 #include "packet-prism.h"
163 #include "packet-ipfc.h"
166 #include "capture-wpcap.h"
172 capture_options capture_opts;
174 static int sync_pipe[2]; /* used to sync father */
175 enum PIPES { READ, WRITE }; /* Constants 0 and 1 for READ and WRITE */
176 int quit_after_cap; /* Makes a "capture only mode". Implies -k */
177 gboolean capture_child; /* if this is the child for "-S" */
178 static int fork_child = -1; /* If not -1, in parent, process ID of child */
179 static guint cap_input_id;
182 * Indications sent out on the sync pipe.
184 #define SP_CAPSTART ';' /* capture start message */
185 #define SP_PACKET_COUNT '*' /* followed by count of packets captured since last message */
186 #define SP_ERROR_MSG '!' /* followed by length of error message that follows */
187 #define SP_DROPS '#' /* followed by count of packets dropped in capture */
190 static guint cap_timer_id;
191 static int cap_timer_cb(gpointer); /* Win32 kludge to check for pipe input */
194 static void cap_file_input_cb(gpointer, gint, GdkInputCondition);
195 static void wait_for_child(gboolean);
197 static char *signame(int);
199 static void capture_delete_cb(GtkWidget *, GdkEvent *, gpointer);
200 static void capture_stop_cb(GtkWidget *, gpointer);
201 static void capture_pcap_cb(guchar *, const struct pcap_pkthdr *,
203 static void get_capture_file_io_error(char *, int, const char *, int, gboolean);
204 static void popup_errmsg(const char *);
205 static void send_errmsg_to_parent(const char *);
206 static float pct(gint, gint);
207 static void stop_capture(int signo);
209 typedef struct _loop_data {
210 gboolean go; /* TRUE as long as we're supposed to keep capturing */
211 gint max; /* Number of packets we're supposed to capture - 0 means infinite */
212 int err; /* if non-zero, error seen while capturing */
215 gboolean pcap_err; /* TRUE if error from pcap */
216 gboolean from_pipe; /* TRUE if we are capturing data from a pipe */
217 packet_counts counts;
220 gboolean modified; /* TRUE if data in the pipe uses modified pcap headers */
221 gboolean byte_swapped; /* TRUE if data in the pipe is byte swapped */
222 unsigned int bytes_to_read, bytes_read; /* Used by pipe_dispatch */
224 STATE_EXPECT_REC_HDR, STATE_READ_REC_HDR,
225 STATE_EXPECT_DATA, STATE_READ_DATA
228 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } pipe_err;
233 static void adjust_header(loop_data *, struct pcap_hdr *, struct pcaprec_hdr *);
234 static int pipe_open_live(char *, struct pcap_hdr *, loop_data *, char *, int);
235 static int pipe_dispatch(int, loop_data *, struct pcap_hdr *, \
236 struct pcaprec_modified_hdr *, guchar *, char *, int);
239 /* Win32 needs the O_BINARY flag for open() */
245 /* Win32 needs a handle to the child capture process */
249 /* Add a string pointer to a NULL-terminated array of string pointers. */
251 add_arg(char **args, int *argc, char *arg)
253 /* Grow the array; "*argc" currently contains the number of string
254 pointers, *not* counting the NULL pointer at the end, so we have
255 to add 2 in order to get the new size of the array, including the
256 new pointer and the terminating NULL pointer. */
257 args = g_realloc(args, (*argc + 2) * sizeof (char *));
259 /* Stuff the pointer into the penultimate element of the array, which
260 is the one at the index specified by "*argc". */
263 /* Now bump the count. */
266 /* We overwrite the NULL pointer; put it back right after the
274 /* Given a string, return a pointer to a quote-encapsulated version of
275 the string, so we can pass it as an argument with "spawnvp" even
276 if it contains blanks. */
278 quote_encapsulate(const char *string)
280 char *encapsulated_string;
282 encapsulated_string = g_new(char, strlen(string) + 3);
283 sprintf(encapsulated_string, "\"%s\"", string);
284 return encapsulated_string;
288 /* Open a specified file, or create a temporary file, and start a capture
289 to the file in question. */
291 do_capture(const char *save_file)
294 gboolean is_tempfile;
300 int capture_succeeded;
301 gboolean stats_known;
302 struct pcap_stat stats;
305 if (save_file != NULL) {
306 /* If the Sync option is set, we return to the caller while the capture
307 * is in progress. Therefore we need to take a copy of save_file in
308 * case the caller destroys it after we return.
310 capfile_name = g_strdup(save_file);
311 if (capture_opts.ringbuffer_on) {
312 /* ringbuffer is enabled */
313 cfile.save_file_fd = ringbuf_init(capfile_name,
314 capture_opts.ringbuffer_num_files);
316 /* Try to open/create the specified file for use as a capture buffer. */
317 cfile.save_file_fd = open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
322 /* Choose a random name for the capture buffer */
323 cfile.save_file_fd = create_tempfile(tmpname, sizeof tmpname, "ether");
324 capfile_name = g_strdup(tmpname);
327 if (cfile.save_file_fd == -1) {
329 simple_dialog(ESD_TYPE_CRIT, NULL,
330 "The temporary file to which the capture would be saved (\"%s\")"
331 "could not be opened: %s.", capfile_name, strerror(errno));
333 if (capture_opts.ringbuffer_on) {
334 ringbuf_error_cleanup();
336 simple_dialog(ESD_TYPE_CRIT, NULL,
337 file_open_error_message(errno, TRUE, WTAP_FILE_PCAP), capfile_name);
339 g_free(capfile_name);
342 close_cap_file(&cfile);
343 g_assert(cfile.save_file == NULL);
344 cfile.save_file = capfile_name;
345 /* cfile.save_file is "g_free"ed below, which is equivalent to
346 "g_free(capfile_name)". */
348 if (capture_opts.sync_mode) { /* do the capture in a child process */
350 char scount[24]; /* need a constant for len of numbers */
351 char sautostop_filesize[24]; /* need a constant for len of numbers */
352 char sautostop_duration[24]; /* need a constant for len of numbers */
353 char save_file_fd[24];
359 char sync_pipe_fd[24];
364 /* Allocate the string pointer array with enough space for the
365 terminating NULL pointer. */
367 argv = g_malloc(sizeof (char *));
370 /* Now add those arguments used on all platforms. */
371 argv = add_arg(argv, &argc, CHILD_NAME);
373 argv = add_arg(argv, &argc, "-i");
374 argv = add_arg(argv, &argc, cfile.iface);
376 argv = add_arg(argv, &argc, "-w");
377 argv = add_arg(argv, &argc, cfile.save_file);
379 argv = add_arg(argv, &argc, "-W");
380 sprintf(save_file_fd,"%d",cfile.save_file_fd); /* in lieu of itoa */
381 argv = add_arg(argv, &argc, save_file_fd);
383 if (capture_opts.has_autostop_count) {
384 argv = add_arg(argv, &argc, "-c");
385 sprintf(scount,"%d",capture_opts.autostop_count);
386 argv = add_arg(argv, &argc, scount);
389 if (capture_opts.has_snaplen) {
390 argv = add_arg(argv, &argc, "-s");
391 sprintf(ssnap,"%d",capture_opts.snaplen);
392 argv = add_arg(argv, &argc, ssnap);
395 if (capture_opts.has_autostop_filesize) {
396 argv = add_arg(argv, &argc, "-a");
397 sprintf(sautostop_filesize,"filesize:%d",capture_opts.autostop_filesize);
398 argv = add_arg(argv, &argc, sautostop_filesize);
401 if (capture_opts.has_autostop_duration) {
402 argv = add_arg(argv, &argc, "-a");
403 sprintf(sautostop_duration,"duration:%d",capture_opts.autostop_duration);
404 argv = add_arg(argv, &argc, sautostop_duration);
407 if (!capture_opts.promisc_mode)
408 argv = add_arg(argv, &argc, "-p");
411 /* Create a pipe for the child process */
413 if(_pipe(sync_pipe, 512, O_BINARY) < 0) {
414 /* Couldn't create the pipe between parent and child. */
416 unlink(cfile.save_file);
417 g_free(cfile.save_file);
418 cfile.save_file = NULL;
419 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create sync pipe: %s",
424 /* Convert font name to a quote-encapsulated string and pass to child */
425 argv = add_arg(argv, &argc, "-m");
426 fontstring = quote_encapsulate(prefs.gui_font_name);
427 argv = add_arg(argv, &argc, fontstring);
429 /* Convert pipe write handle to a string and pass to child */
430 argv = add_arg(argv, &argc, "-Z");
431 itoa(sync_pipe[WRITE], sync_pipe_fd, 10);
432 argv = add_arg(argv, &argc, sync_pipe_fd);
434 /* Convert filter string to a quote delimited string and pass to child */
436 if (cfile.cfilter != NULL && strlen(cfile.cfilter) != 0) {
437 argv = add_arg(argv, &argc, "-f");
438 filterstring = quote_encapsulate(cfile.cfilter);
439 argv = add_arg(argv, &argc, filterstring);
443 fork_child = spawnvp(_P_NOWAIT, ethereal_path, argv);
446 g_free(filterstring);
448 /* Keep a copy for later evaluation by _cwait() */
449 child_process = fork_child;
451 signal(SIGCHLD, SIG_IGN);
452 if (pipe(sync_pipe) < 0) {
453 /* Couldn't create the pipe between parent and child. */
455 unlink(cfile.save_file);
456 g_free(cfile.save_file);
457 cfile.save_file = NULL;
458 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create sync pipe: %s",
463 argv = add_arg(argv, &argc, "-m");
464 argv = add_arg(argv, &argc, prefs.gui_font_name);
466 if (cfile.cfilter != NULL && strlen(cfile.cfilter) != 0) {
467 argv = add_arg(argv, &argc, "-f");
468 argv = add_arg(argv, &argc, cfile.cfilter);
471 if ((fork_child = fork()) == 0) {
473 * Child process - run Ethereal with the right arguments to make
474 * it just pop up the live capture dialog box and capture with
475 * the specified capture parameters, writing to the specified file.
477 * args: -i interface specification
479 * -W file descriptor to write
480 * -c count to capture
483 * -f "filter expression"
486 dup(sync_pipe[WRITE]);
487 close(sync_pipe[READ]);
488 execvp(ethereal_path, argv);
489 snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
490 ethereal_path, strerror(errno));
491 send_errmsg_to_parent(errmsg);
493 /* Exit with "_exit()", so that we don't close the connection
494 to the X server (and cause stuff buffered up by our parent but
495 not yet sent to be sent, as that stuff should only be sent by
501 /* Parent process - read messages from the child process over the
503 g_free(argv); /* free up arg array */
505 /* Close the write side of the pipe, so that only the child has it
506 open, and thus it completely closes, and thus returns to us
507 an EOF indication, if the child closes it (either deliberately
508 or by exiting abnormally). */
509 close(sync_pipe[WRITE]);
511 /* Close the save file FD, as we won't be using it - we'll be opening
512 it and reading the save file through Wiretap. */
513 close(cfile.save_file_fd);
515 if (fork_child == -1) {
516 /* We couldn't even create the child process. */
518 close(sync_pipe[READ]);
519 unlink(cfile.save_file);
520 g_free(cfile.save_file);
521 cfile.save_file = NULL;
522 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create child process: %s",
527 /* Read a byte count from "sync_pipe[READ]", terminated with a
528 colon; if the count is 0, the child process created the
529 capture file and we should start reading from it, otherwise
530 the capture couldn't start and the count is a count of bytes
531 of error message, and we should display the message. */
534 i = read(sync_pipe[READ], &c, 1);
536 /* EOF - the child process died.
537 Close the read side of the sync pipe, remove the capture file,
538 and report the failure. */
539 close(sync_pipe[READ]);
540 unlink(cfile.save_file);
541 g_free(cfile.save_file);
542 cfile.save_file = NULL;
543 wait_for_child(TRUE);
546 if (c == SP_CAPSTART || c == SP_ERROR_MSG)
549 /* Child process handed us crap.
550 Close the read side of the sync pipe, remove the capture file,
551 and report the failure. */
552 close(sync_pipe[READ]);
553 unlink(cfile.save_file);
554 g_free(cfile.save_file);
555 cfile.save_file = NULL;
556 simple_dialog(ESD_TYPE_WARN, NULL,
557 "Capture child process sent us a bad message");
560 byte_count = byte_count*10 + c - '0';
562 if (c == SP_CAPSTART) {
563 /* Success. Open the capture file, and set up to read it. */
564 err = start_tail_cap_file(cfile.save_file, is_tempfile, &cfile);
566 /* We were able to open and set up to read the capture file;
567 arrange that our callback be called whenever it's possible
568 to read from the sync pipe, so that it's called when
569 the child process wants to tell us something. */
571 /* Tricky to use pipes in win9x, as no concept of wait. NT can
572 do this but that doesn't cover all win32 platforms. GTK can do
573 this but doesn't seem to work over processes. Attempt to do
574 something similar here, start a timer and check for data on every
576 cap_timer_id = gtk_timeout_add(1000, cap_timer_cb, NULL);
578 cap_input_id = gtk_input_add_full(sync_pipe[READ],
579 GDK_INPUT_READ|GDK_INPUT_EXCEPTION,
586 /* We weren't able to open the capture file; user has been
587 alerted. Close the sync pipe. */
589 close(sync_pipe[READ]);
591 /* Don't unlink the save file - leave it around, for debugging
593 g_free(cfile.save_file);
594 cfile.save_file = NULL;
597 /* Failure - the child process sent us a message indicating
598 what the problem was. */
599 if (byte_count == 0) {
600 /* Zero-length message? */
601 simple_dialog(ESD_TYPE_WARN, NULL,
602 "Capture child process failed, but its error message was empty.");
604 msg = g_malloc(byte_count + 1);
606 simple_dialog(ESD_TYPE_WARN, NULL,
607 "Capture child process failed, but its error message was too big.");
609 i = read(sync_pipe[READ], msg, byte_count);
610 msg[byte_count] = '\0';
612 simple_dialog(ESD_TYPE_WARN, NULL,
613 "Capture child process failed: Error %s reading its error message.",
616 simple_dialog(ESD_TYPE_WARN, NULL,
617 "Capture child process failed: EOF reading its error message.");
618 wait_for_child(FALSE);
620 simple_dialog(ESD_TYPE_CRIT, NULL, msg);
624 /* Close the sync pipe. */
625 close(sync_pipe[READ]);
627 /* Get rid of the save file - the capture never started. */
628 unlink(cfile.save_file);
629 g_free(cfile.save_file);
630 cfile.save_file = NULL;
635 capture_succeeded = capture(&stats_known, &stats);
636 if (quit_after_cap) {
637 /* DON'T unlink the save file. Presumably someone wants it. */
640 if (capture_succeeded) {
641 /* Capture succeeded; read in the capture file. */
642 if ((err = open_cap_file(cfile.save_file, is_tempfile, &cfile)) == 0) {
643 /* Set the read filter to NULL. */
646 /* Get the packet-drop statistics.
648 XXX - there are currently no packet-drop statistics stored
649 in libpcap captures, and that's what we're reading.
651 At some point, we will add support in Wiretap to return
652 packet-drop statistics for capture file formats that store it,
653 and will make "read_cap_file()" get those statistics from
654 Wiretap. We clear the statistics (marking them as "not known")
655 in "open_cap_file()", and "read_cap_file()" will only fetch
656 them and mark them as known if Wiretap supplies them, so if
657 we get the statistics now, after calling "open_cap_file()" but
658 before calling "read_cap_file()", the values we store will
659 be used by "read_cap_file()".
661 If a future libpcap capture file format stores the statistics,
662 we'll put them into the capture file that we write, and will
663 thus not have to set them here - "read_cap_file()" will get
664 them from the file and use them. */
666 cfile.drops_known = TRUE;
668 /* XXX - on some systems, libpcap doesn't bother filling in
669 "ps_ifdrop" - it doesn't even set it to zero - so we don't
670 bother looking at it.
672 Ideally, libpcap would have an interface that gave us
673 several statistics - perhaps including various interface
674 error statistics - and would tell us which of them it
675 supplies, allowing us to display only the ones it does. */
676 cfile.drops = stats.ps_drop;
678 switch (read_cap_file(&cfile, &err)) {
682 /* Just because we got an error, that doesn't mean we were unable
683 to read any of the file; we handle what we could get from the
688 /* Exit by leaving the main loop, so that any quit functions
689 we registered get called. */
690 if (gtk_main_level() > 0)
696 /* We're not doing a capture any more, so we don't have a save
698 if (capture_opts.ringbuffer_on) {
701 g_free(cfile.save_file);
703 cfile.save_file = NULL;
708 /* The timer has expired, see if there's stuff to read from the pipe,
709 if so call the cap_file_input_cb */
711 cap_timer_cb(gpointer data)
715 gboolean result, result1;
718 /* Oddly enough although Named pipes don't work on win9x,
719 PeekNamedPipe does !!! */
720 handle = (HANDLE) _get_osfhandle (sync_pipe[READ]);
721 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
723 /* Get the child process exit status */
724 result1 = GetExitCodeProcess((HANDLE)child_process, &childstatus);
726 /* If the Peek returned an error, or there are bytes to be read
727 or the childwatcher thread has terminated then call the normal
729 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
731 /* avoid reentrancy problems and stack overflow */
732 gtk_timeout_remove(cap_timer_id);
734 /* And call the real handler */
735 cap_file_input_cb((gpointer) &cfile, 0, 0);
737 /* Return false so that the timer is not run again */
741 /* No data so let timer run again */
747 /* There's stuff to read from the sync pipe, meaning the child has sent
748 us a message, or the sync pipe has closed, meaning the child has
749 closed it (perhaps because it exited). */
751 cap_file_input_cb(gpointer data, gint source _U_,
752 GdkInputCondition condition _U_)
754 capture_file *cf = (capture_file *)data;
756 char buffer[BUFSIZE+1], *p = buffer, *q = buffer, *msg, *r;
757 int nread, msglen, chars_to_copy;
762 /* avoid reentrancy problems and stack overflow */
763 gtk_input_remove(cap_input_id);
766 if ((nread = read(sync_pipe[READ], buffer, BUFSIZE)) <= 0) {
767 /* The child has closed the sync pipe, meaning it's not going to be
768 capturing any more packets. Pick up its exit status, and
769 complain if it did anything other than exit with status 0. */
770 wait_for_child(FALSE);
772 /* Read what remains of the capture file, and finish the capture.
773 XXX - do something if this fails? */
774 switch (finish_tail_cap_file(cf, &err)) {
778 /* Just because we got an error, that doesn't mean we were unable
779 to read any of the file; we handle what we could get from the
784 /* Exit by leaving the main loop, so that any quit functions
785 we registered get called. */
790 /* We're not doing a capture any more, so we don't have a save
792 g_free(cf->save_file);
793 cf->save_file = NULL;
798 buffer[nread] = '\0';
801 /* look for (possibly multiple) indications */
803 case SP_PACKET_COUNT :
810 cf->drops_known = TRUE;
822 /* Read the entire message.
823 XXX - if the child hasn't sent it all yet, this could cause us
824 to hang until they do. */
825 msg = g_malloc(msglen + 1);
827 while (msglen != 0) {
830 if ((nread = read(sync_pipe[READ], buffer, BUFSIZE)) <= 0)
835 chars_to_copy = MIN(msglen, nread);
836 memcpy(r, q, chars_to_copy);
839 nread -= chars_to_copy;
840 msglen -= chars_to_copy;
843 simple_dialog(ESD_TYPE_CRIT, NULL, msg);
853 /* Read from the capture file the number of records the child told us
855 XXX - do something if this fails? */
856 switch (continue_tail_cap_file(cf, to_read, &err)) {
860 /* Just because we got an error, that doesn't mean we were unable
861 to read any of the file; we handle what we could get from the
864 XXX - abort on a read error? */
868 /* Kill the child capture process; the user wants to exit, and we
869 shouldn't just leave it running. */
873 kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
878 /* restore pipe handler */
880 cap_timer_id = gtk_timeout_add(1000, cap_timer_cb, NULL);
882 cap_input_id = gtk_input_add_full (sync_pipe[READ],
883 GDK_INPUT_READ|GDK_INPUT_EXCEPTION,
892 wait_for_child(gboolean always_report)
897 /* XXX - analyze the wait stuatus and display more information
898 in the dialog box? */
899 if (_cwait(&wstatus, child_process, _WAIT_CHILD) == -1) {
900 simple_dialog(ESD_TYPE_WARN, NULL, "Child capture process stopped unexpectedly");
903 if (wait(&wstatus) != -1) {
904 if (WIFEXITED(wstatus)) {
905 /* The child exited; display its exit status, if it's not zero,
906 and even if it's zero if "always_report" is true. */
907 if (always_report || WEXITSTATUS(wstatus) != 0) {
908 simple_dialog(ESD_TYPE_WARN, NULL,
909 "Child capture process exited: exit status %d",
910 WEXITSTATUS(wstatus));
912 } else if (WIFSTOPPED(wstatus)) {
913 /* It stopped, rather than exiting. "Should not happen." */
914 simple_dialog(ESD_TYPE_WARN, NULL,
915 "Child capture process stopped: %s",
916 signame(WSTOPSIG(wstatus)));
917 } else if (WIFSIGNALED(wstatus)) {
918 /* It died with a signal. */
919 simple_dialog(ESD_TYPE_WARN, NULL,
920 "Child capture process died: %s%s",
921 signame(WTERMSIG(wstatus)),
922 WCOREDUMP(wstatus) ? " - core dumped" : "");
924 /* What? It had to either have exited, or stopped, or died with
925 a signal; what happened here? */
926 simple_dialog(ESD_TYPE_WARN, NULL,
927 "Child capture process died: wait status %#o", wstatus);
931 /* No more child process. */
941 static char sigmsg_buf[6+1+3+1];
950 sigmsg = "Interrupted";
958 sigmsg = "Illegal instruction";
962 sigmsg = "Trace trap";
970 sigmsg = "Arithmetic exception";
978 sigmsg = "Bus error";
982 sigmsg = "Segmentation violation";
985 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
986 Linux is POSIX compliant. These are not POSIX-defined signals ---
987 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
989 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
990 were omitted from POSIX.1 because their behavior is
991 implementation dependent and could not be adequately catego-
992 rized. Conforming implementations may deliver these sig-
993 nals, but must document the circumstances under which they
994 are delivered and note any restrictions concerning their
997 So we only check for SIGSYS on those systems that happen to
998 implement them (a system can be POSIX-compliant and implement
999 them, it's just that POSIX doesn't *require* a POSIX-compliant
1000 system to implement them).
1005 sigmsg = "Bad system call";
1010 sigmsg = "Broken pipe";
1014 sigmsg = "Alarm clock";
1018 sigmsg = "Terminated";
1022 sprintf(sigmsg_buf, "Signal %d", sig);
1023 sigmsg = sigmsg_buf;
1031 * Timeout, in milliseconds, for reads from the stream of captured packets.
1033 #define CAP_READ_TIMEOUT 250
1036 /* Take care of byte order in the libpcap headers read from pipes.
1037 * (function taken from wiretap/libpcap.c) */
1039 adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1041 if (ld->byte_swapped) {
1042 /* Byte-swap the record header fields. */
1043 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1044 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1045 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1046 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1049 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1050 swapped, in order to match the BPF header layout.
1052 Unfortunately, some files were, according to a comment in the "libpcap"
1053 source, written with version 2.3 in their headers but without the
1054 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1055 would make no sense - we assume that we need to swap them. */
1056 if (hdr->version_major == 2 &&
1057 (hdr->version_minor < 3 ||
1058 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1061 temp = rechdr->orig_len;
1062 rechdr->orig_len = rechdr->incl_len;
1063 rechdr->incl_len = temp;
1067 /* Mimic pcap_open_live() for pipe captures
1068 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
1070 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1071 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1073 pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1074 char *errmsg, int errmsgl)
1076 struct stat pipe_stat;
1080 unsigned int bytes_read;
1082 struct timeval timeout;
1085 * XXX Ethereal blocks until we return
1087 if (strcmp(pipename, "-") == 0)
1088 fd = 0; /* read from stdin */
1090 if (stat(pipename, &pipe_stat) < 0) {
1091 if (errno == ENOENT || errno == ENOTDIR)
1092 ld->pipe_err = PIPNEXIST;
1094 snprintf(errmsg, errmsgl,
1095 "The capture session could not be initiated "
1096 "due to error on pipe: %s", strerror(errno));
1097 ld->pipe_err = PIPERR;
1101 if (! S_ISFIFO(pipe_stat.st_mode)) {
1102 if (S_ISCHR(pipe_stat.st_mode)) {
1104 * Assume the user specified an interface on a system where
1105 * interfaces are in /dev. Pretend we haven't seen it.
1107 ld->pipe_err = PIPNEXIST;
1109 snprintf(errmsg, errmsgl,
1110 "The capture session could not be initiated because\n"
1111 "\"%s\" is neither an interface nor a pipe", pipename);
1112 ld->pipe_err = PIPERR;
1116 fd = open(pipename, O_RDONLY | O_NONBLOCK);
1118 snprintf(errmsg, errmsgl,
1119 "The capture session could not be initiated "
1120 "due to error on pipe open: %s", strerror(errno));
1121 ld->pipe_err = PIPERR;
1126 ld->from_pipe = TRUE;
1128 /* read the pcap header */
1131 while (bytes_read < sizeof magic) {
1134 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1135 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
1137 snprintf(errmsg, errmsgl,
1138 "Unexpected error from select: %s", strerror(errno));
1140 } else if (sel_ret > 0) {
1141 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1144 snprintf(errmsg, errmsgl, "End of file on pipe during open");
1146 snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
1156 /* Host that wrote it has our byte order, and was running
1157 a program using either standard or ss990417 libpcap. */
1158 ld->byte_swapped = FALSE;
1159 ld->modified = FALSE;
1161 case PCAP_MODIFIED_MAGIC:
1162 /* Host that wrote it has our byte order, but was running
1163 a program using either ss990915 or ss991029 libpcap. */
1164 ld->byte_swapped = FALSE;
1165 ld->modified = TRUE;
1167 case PCAP_SWAPPED_MAGIC:
1168 /* Host that wrote it has a byte order opposite to ours,
1169 and was running a program using either standard or
1170 ss990417 libpcap. */
1171 ld->byte_swapped = TRUE;
1172 ld->modified = FALSE;
1174 case PCAP_SWAPPED_MODIFIED_MAGIC:
1175 /* Host that wrote it out has a byte order opposite to
1176 ours, and was running a program using either ss990915
1177 or ss991029 libpcap. */
1178 ld->byte_swapped = TRUE;
1179 ld->modified = TRUE;
1182 /* Not a "libpcap" type we know about. */
1183 snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1187 /* Read the rest of the header */
1189 while (bytes_read < sizeof(struct pcap_hdr)) {
1192 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1193 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
1195 snprintf(errmsg, errmsgl,
1196 "Unexpected error from select: %s", strerror(errno));
1198 } else if (sel_ret > 0) {
1199 b = read(fd, ((char *)hdr)+bytes_read,
1200 sizeof(struct pcap_hdr) - bytes_read);
1203 snprintf(errmsg, errmsgl, "End of file on pipe during open");
1205 snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
1213 if (ld->byte_swapped) {
1214 /* Byte-swap the header fields about which we care. */
1215 hdr->version_major = BSWAP16(hdr->version_major);
1216 hdr->version_minor = BSWAP16(hdr->version_minor);
1217 hdr->snaplen = BSWAP32(hdr->snaplen);
1218 hdr->network = BSWAP32(hdr->network);
1221 if (hdr->version_major < 2) {
1222 snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1226 ld->pipe_state = STATE_EXPECT_REC_HDR;
1227 ld->pipe_err = PIPOK;
1231 ld->pipe_err = PIPERR;
1237 /* We read one record from the pipe, take care of byte order in the record
1238 * header, write the record in the capture file, and update capture statistics. */
1241 pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr,
1242 struct pcaprec_modified_hdr *rechdr, guchar *data,
1243 char *errmsg, int errmsgl)
1245 struct pcap_pkthdr phdr;
1247 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1250 switch (ld->pipe_state) {
1252 case STATE_EXPECT_REC_HDR:
1253 ld->bytes_to_read = ld->modified ?
1254 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1256 ld->pipe_state = STATE_READ_REC_HDR;
1259 case STATE_READ_REC_HDR:
1260 b = read(fd, ((char *)rechdr)+ld->bytes_read,
1261 ld->bytes_to_read - ld->bytes_read);
1264 result = PD_PIPE_EOF;
1266 result = PD_PIPE_ERR;
1269 if ((ld->bytes_read += b) < ld->bytes_to_read)
1271 result = PD_REC_HDR_READ;
1274 case STATE_EXPECT_DATA:
1276 ld->pipe_state = STATE_READ_DATA;
1279 case STATE_READ_DATA:
1280 b = read(fd, data+ld->bytes_read, rechdr->hdr.incl_len - ld->bytes_read);
1283 result = PD_PIPE_EOF;
1285 result = PD_PIPE_ERR;
1288 if ((ld->bytes_read += b) < rechdr->hdr.incl_len)
1290 result = PD_DATA_READ;
1294 snprintf(errmsg, errmsgl, "pipe_dispatch: invalid state");
1297 } /* switch (ld->pipe_state) */
1300 * We've now read as much data as we were expecting, so process it.
1304 case PD_REC_HDR_READ:
1305 /* We've read the header. Take care of byte order. */
1306 adjust_header(ld, hdr, &rechdr->hdr);
1307 if (rechdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1308 snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
1309 ld->counts.total+1, rechdr->hdr.incl_len);
1312 ld->pipe_state = STATE_EXPECT_DATA;
1316 /* Fill in a "struct pcap_pkthdr", and process the packet. */
1317 phdr.ts.tv_sec = rechdr->hdr.ts_sec;
1318 phdr.ts.tv_usec = rechdr->hdr.ts_usec;
1319 phdr.caplen = rechdr->hdr.incl_len;
1320 phdr.len = rechdr->hdr.orig_len;
1322 capture_pcap_cb((guchar *)ld, &phdr, data);
1324 ld->pipe_state = STATE_EXPECT_REC_HDR;
1328 ld->pipe_err = PIPEOF;
1332 snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
1339 ld->pipe_err = PIPERR;
1340 /* Return here rather than inside the switch to prevent GCC warning */
1346 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
1349 static loop_data ld;
1351 /* Do the low-level work of a capture.
1352 Returns TRUE if it succeeds, FALSE otherwise. */
1354 capture(gboolean *stats_known, struct pcap_stat *stats)
1356 GtkWidget *cap_w, *main_vb, *stop_bt, *counts_tb;
1357 GtkWidget *counts_fr, *running_tb, *running_label, *running_time;
1361 gchar open_err_str[PCAP_ERRBUF_SIZE];
1362 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
1363 gchar label_str[64];
1364 bpf_u_int32 netnum, netmask;
1365 struct bpf_program fcode;
1366 time_t upd_time, cur_time;
1369 condition *cnd_stop_capturesize = NULL;
1370 condition *cnd_stop_timeout = NULL;
1372 static const char capstart_msg = SP_CAPSTART;
1373 char errmsg[4096+1];
1377 struct timeval timeout;
1381 GtkWidget *label, *value, *percent;
1383 { "Total", &ld.counts.total, NULL, NULL, NULL },
1384 { "SCTP", &ld.counts.sctp, NULL, NULL, NULL },
1385 { "TCP", &ld.counts.tcp, NULL, NULL, NULL },
1386 { "UDP", &ld.counts.udp, NULL, NULL, NULL },
1387 { "ICMP", &ld.counts.icmp, NULL, NULL, NULL },
1388 { "ARP", &ld.counts.arp, NULL, NULL, NULL },
1389 { "OSPF", &ld.counts.ospf, NULL, NULL, NULL },
1390 { "GRE", &ld.counts.gre, NULL, NULL, NULL },
1391 { "NetBIOS", &ld.counts.netbios, NULL, NULL, NULL },
1392 { "IPX", &ld.counts.ipx, NULL, NULL, NULL },
1393 { "VINES", &ld.counts.vines, NULL, NULL, NULL },
1394 { "Other", &ld.counts.other, NULL, NULL, NULL }
1397 #define N_COUNTS (sizeof counts / sizeof counts[0])
1400 WORD wVersionRequested;
1403 static const char ppamsg[] = "can't find PPA for ";
1407 struct pcap_hdr hdr;
1408 struct pcaprec_modified_hdr rechdr;
1409 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
1411 #ifdef MUST_DO_SELECT
1415 /* Size of buffer to hold decimal representation of
1416 signed/unsigned 64-bit int */
1419 /* Initialize Windows Socket if we are in a WIN32 OS
1420 This needs to be done before querying the interface for network/netmask */
1422 wVersionRequested = MAKEWORD( 1, 1 );
1423 err = WSAStartup( wVersionRequested, &wsaData );
1425 snprintf(errmsg, sizeof errmsg,
1426 "Couldn't initialize Windows Sockets.");
1433 ld.counts.total = 0;
1434 if (capture_opts.has_autostop_count)
1435 ld.max = capture_opts.autostop_count;
1437 ld.max = 0; /* no limit */
1438 ld.err = 0; /* no error seen yet */
1439 ld.linktype = WTAP_ENCAP_UNKNOWN;
1440 ld.pcap_err = FALSE;
1441 ld.from_pipe = FALSE;
1442 ld.sync_packets = 0;
1450 ld.counts.netbios = 0;
1451 ld.counts.vines = 0;
1452 ld.counts.other = 0;
1456 /* We haven't yet gotten the capture statistics. */
1457 *stats_known = FALSE;
1459 /* Open the network interface to capture from it.
1460 Some versions of libpcap may put warnings into the error buffer
1461 if they succeed; to tell if that's happened, we have to clear
1462 the error buffer, and check if it's still a null string. */
1463 open_err_str[0] = '\0';
1464 pch = pcap_open_live(cfile.iface,
1465 capture_opts.has_snaplen ? capture_opts.snaplen :
1466 WTAP_MAX_PACKET_SIZE,
1467 capture_opts.promisc_mode, CAP_READ_TIMEOUT,
1471 /* We couldn't open "cfile.iface" as a network device. */
1473 /* On Windows, we don't support capturing on pipes, so we give up.
1474 If this is a child process that does the capturing in sync
1475 mode or fork mode, it shouldn't do any UI stuff until we pop up the
1476 capture-progress window, and, since we couldn't start the
1477 capture, we haven't popped it up. */
1478 if (!capture_child) {
1479 while (gtk_events_pending()) gtk_main_iteration();
1482 /* On Win32 OSes, the capture devices are probably available to all
1483 users; don't warn about permissions problems.
1485 Do, however, warn that WAN devices aren't supported. */
1486 snprintf(errmsg, sizeof errmsg,
1487 "The capture session could not be initiated (%s).\n"
1488 "Please check that you have the proper interface specified.\n"
1490 "Note that the driver Ethereal uses for packet capture on Windows doesn't\n"
1491 "support capturing on PPP/WAN interfaces in Windows NT/2000/XP/.NET Server.\n",
1495 /* try to open cfile.iface as a pipe */
1496 pipe_fd = pipe_open_live(cfile.iface, &hdr, &ld, errmsg, sizeof errmsg);
1498 if (pipe_fd == -1) {
1500 /* If this is a child process that does the capturing in sync
1501 * mode or fork mode, it shouldn't do any UI stuff until we pop up the
1502 * capture-progress window, and, since we couldn't start the
1503 * capture, we haven't popped it up.
1505 if (!capture_child) {
1506 while (gtk_events_pending()) gtk_main_iteration();
1509 if (ld.pipe_err == PIPNEXIST) {
1510 /* Pipe doesn't exist, so output message for interface */
1512 /* If we got a "can't find PPA for XXX" message, warn the user (who
1513 is running Ethereal on HP-UX) that they don't have a version
1514 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
1515 versions, which properly handle HP-UX, say "can't find /dev/dlpi
1516 PPA for XXX" rather than "can't find PPA for XXX"). */
1517 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
1520 "You are running Ethereal with a version of the libpcap library\n"
1521 "that doesn't handle HP-UX network devices well; this means that\n"
1522 "Ethereal may not be able to capture packets.\n"
1524 "To fix this, you should install libpcap 0.6.2, or a later version\n"
1525 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
1526 "packaged binary form from the Software Porting And Archive Centre\n"
1527 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
1528 "at the URL lists a number of mirror sites.";
1531 snprintf(errmsg, sizeof errmsg,
1532 "The capture session could not be initiated (%s).\n"
1533 "Please check to make sure you have sufficient permissions, and that\n"
1534 "you have the proper interface or pipe specified.%s", open_err_str,
1538 * Else pipe (or file) does exist and pipe_open_live() has
1543 /* pipe_open_live() succeeded; don't want
1544 error message from pcap_open_live() */
1545 open_err_str[0] = '\0';
1549 /* capture filters only work on real interfaces */
1550 if (cfile.cfilter && !ld.from_pipe) {
1551 /* A capture filter was specified; set it up. */
1552 if (pcap_lookupnet(cfile.iface, &netnum, &netmask, lookup_net_err_str) < 0) {
1554 * Well, we can't get the netmask for this interface; it's used
1555 * only for filters that check for broadcast IP addresses, so
1556 * we just punt and use 0. It might be nice to warn the user,
1557 * but that's a pain in a GUI application, as it'd involve popping
1558 * up a message box, and it's not clear how often this would make
1559 * a difference (only filters that check for IP broadcast addresses
1564 if (pcap_compile(pch, &fcode, cfile.cfilter, 1, netmask) < 0) {
1565 snprintf(errmsg, sizeof errmsg, "Unable to parse filter string (%s).",
1569 if (pcap_setfilter(pch, &fcode) < 0) {
1570 snprintf(errmsg, sizeof errmsg, "Can't install filter (%s).",
1576 /* Set up to write to the capture file. */
1579 pcap_encap = hdr.network;
1580 file_snaplen = hdr.snaplen;
1584 pcap_encap = get_pcap_linktype(pch, cfile.iface);
1585 file_snaplen = pcap_snapshot(pch);
1587 ld.linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
1588 if (ld.linktype == WTAP_ENCAP_UNKNOWN) {
1589 snprintf(errmsg, sizeof errmsg,
1590 "The network you're capturing from is of a type"
1591 " that Ethereal doesn't support (data link type %d).", pcap_encap);
1594 if (capture_opts.ringbuffer_on) {
1595 ld.pdh = ringbuf_init_wtap_dump_fdopen(WTAP_FILE_PCAP, ld.linktype,
1596 file_snaplen, &err);
1598 ld.pdh = wtap_dump_fdopen(cfile.save_file_fd, WTAP_FILE_PCAP,
1599 ld.linktype, file_snaplen, &err);
1602 if (ld.pdh == NULL) {
1603 /* We couldn't set up to write to the capture file. */
1606 case WTAP_ERR_CANT_OPEN:
1607 strcpy(errmsg, "The file to which the capture would be saved"
1608 " couldn't be created for some unknown reason.");
1611 case WTAP_ERR_SHORT_WRITE:
1612 strcpy(errmsg, "A full header couldn't be written to the file"
1613 " to which the capture would be saved.");
1618 snprintf(errmsg, sizeof(errmsg),
1619 "The file to which the capture would be"
1620 " saved (\"%s\") could not be opened: Error %d.",
1621 cfile.save_file, err);
1623 snprintf(errmsg, sizeof(errmsg),
1624 "The file to which the capture would be"
1625 " saved (\"%s\") could not be opened: %s.",
1626 cfile.save_file, strerror(err));
1633 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
1634 returned a warning; print it, but keep capturing. */
1635 if (open_err_str[0] != '\0')
1636 g_warning("%s.", open_err_str);
1638 /* XXX - capture SIGTERM and close the capture, in case we're on a
1639 Linux 2.0[.x] system and you have to explicitly close the capture
1640 stream in order to turn promiscuous mode off? We need to do that
1641 in other places as well - and I don't think that works all the
1642 time in any case, due to libpcap bugs. */
1644 if (capture_child) {
1645 /* Well, we should be able to start capturing.
1647 This is the child process for a sync mode capture, so sync out
1648 the capture file, so the header makes it to the file system,
1649 and send a "capture started successfully and capture file created"
1650 message to our parent so that they'll open the capture file and
1651 update its windows to indicate that we have a live capture in
1653 fflush(wtap_dump_file(ld.pdh));
1654 write(1, &capstart_msg, 1);
1657 cap_w = gtk_window_new(GTK_WINDOW_TOPLEVEL);
1658 gtk_window_set_title(GTK_WINDOW(cap_w), "Ethereal: Capture");
1659 gtk_window_set_modal(GTK_WINDOW(cap_w), TRUE);
1661 /* Container for capture display widgets */
1662 main_vb = gtk_vbox_new(FALSE, 1);
1663 gtk_container_border_width(GTK_CONTAINER(main_vb), 5);
1664 gtk_container_add(GTK_CONTAINER(cap_w), main_vb);
1665 gtk_widget_show(main_vb);
1667 counts_fr = gtk_frame_new("Captured Frames");
1668 gtk_box_pack_start(GTK_BOX(main_vb), counts_fr, FALSE, FALSE, 3);
1669 gtk_widget_show(counts_fr);
1671 /* Individual statistic elements */
1672 counts_tb = gtk_table_new(N_COUNTS, 3, TRUE);
1673 gtk_container_add(GTK_CONTAINER(counts_fr), counts_tb);
1674 gtk_container_border_width(GTK_CONTAINER(counts_tb), 5);
1675 gtk_widget_show(counts_tb);
1677 for (i = 0; i < N_COUNTS; i++) {
1678 counts[i].label = gtk_label_new(counts[i].title);
1679 gtk_misc_set_alignment(GTK_MISC(counts[i].label), 0.0f, 0.0f);
1681 counts[i].value = gtk_label_new("0");
1682 gtk_misc_set_alignment(GTK_MISC(counts[i].value), 0.0f, 0.0f);
1684 counts[i].percent = gtk_label_new("0.0%");
1685 gtk_misc_set_alignment(GTK_MISC(counts[i].percent), 0.0f, 0.0f);
1687 gtk_table_attach_defaults(GTK_TABLE(counts_tb),
1688 counts[i].label, 0, 1, i, i + 1);
1690 gtk_table_attach(GTK_TABLE(counts_tb),
1692 1, 2, i, i + 1, 0, 0, 5, 0);
1694 gtk_table_attach_defaults(GTK_TABLE(counts_tb),
1695 counts[i].percent, 2, 3, i, i + 1);
1697 gtk_widget_show(counts[i].label);
1698 gtk_widget_show(counts[i].value);
1699 gtk_widget_show(counts[i].percent);
1703 running_tb = gtk_table_new(1, 3, TRUE);
1704 gtk_box_pack_start(GTK_BOX(main_vb), running_tb, FALSE, FALSE, 3);
1705 gtk_widget_show(running_tb);
1707 running_label = gtk_label_new("Running");
1708 gtk_misc_set_alignment(GTK_MISC(running_label), 0.0f, 0.0f);
1709 gtk_widget_show(running_label);
1710 gtk_table_attach_defaults(GTK_TABLE(running_tb),
1711 running_label, 0, 1, 0, 1);
1713 running_time = gtk_label_new("00:00:00");
1714 gtk_misc_set_alignment(GTK_MISC(running_time), 0.0f, 0.0f);
1715 gtk_widget_show(running_time);
1716 gtk_table_attach(GTK_TABLE(running_tb),
1718 1, 2, 0, 1, 0, 0, 5, 0);
1720 /* allow user to either click a stop button, or the close button on
1721 the window to stop a capture in progress. */
1722 stop_bt = gtk_button_new_with_label ("Stop");
1723 gtk_signal_connect(GTK_OBJECT(stop_bt), "clicked",
1724 GTK_SIGNAL_FUNC(capture_stop_cb), (gpointer) &ld);
1725 gtk_signal_connect(GTK_OBJECT(cap_w), "delete_event",
1726 GTK_SIGNAL_FUNC(capture_delete_cb), (gpointer) &ld);
1727 gtk_box_pack_start(GTK_BOX(main_vb), stop_bt, FALSE, FALSE, 3);
1728 GTK_WIDGET_SET_FLAGS(stop_bt, GTK_CAN_DEFAULT);
1729 gtk_widget_grab_default(stop_bt);
1730 GTK_WIDGET_SET_FLAGS(stop_bt, GTK_CAN_DEFAULT);
1731 gtk_widget_grab_default(stop_bt);
1732 gtk_widget_show(stop_bt);
1734 gtk_widget_show(cap_w);
1736 start_time = time(NULL);
1737 upd_time = time(NULL);
1738 #ifdef MUST_DO_SELECT
1739 if (!ld.from_pipe) pcap_fd = pcap_fileno(pch);
1744 * Catch SIGUSR1, so that we exit cleanly if the parent process
1745 * kills us with it due to the user selecting "Capture->Stop".
1748 signal(SIGUSR1, stop_capture);
1750 /* initialize capture stop conditions */
1751 init_capture_stop_conditions();
1752 /* create stop conditions */
1753 if (capture_opts.has_autostop_filesize)
1754 cnd_stop_capturesize =
1755 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts.autostop_filesize * 1000);
1756 if (capture_opts.has_autostop_duration)
1758 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts.autostop_duration);
1761 while (gtk_events_pending()) gtk_main_iteration();
1766 FD_SET(pipe_fd, &set1);
1768 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1769 sel_ret = select(pipe_fd+1, &set1, NULL, NULL, &timeout);
1772 if (sel_ret < 0 && errno != EINTR) {
1773 snprintf(errmsg, sizeof(errmsg),
1774 "Unexpected error from select: %s", strerror(errno));
1775 popup_errmsg(errmsg);
1780 * "select()" says we can read from the pipe without blocking
1782 inpkts = pipe_dispatch(pipe_fd, &ld, &hdr, &rechdr, pcap_data,
1783 errmsg, sizeof errmsg);
1792 #ifdef MUST_DO_SELECT
1794 * Sigh. The semantics of the read timeout argument to
1795 * "pcap_open_live()" aren't particularly well specified by
1796 * the "pcap" man page - at least with the BSD BPF code, the
1797 * intent appears to be, at least in part, a way of cutting
1798 * down the number of reads done on a capture, by blocking
1799 * until the buffer fills or a timer expires - and the Linux
1800 * libpcap doesn't actually support it, so we can't use it
1801 * to break out of the "pcap_dispatch()" every 1/4 of a second
1802 * or so. Linux's libpcap is not the only libpcap that doesn't
1803 * support the read timeout.
1805 * Furthermore, at least on Solaris, the bufmod STREAMS module's
1806 * read timeout won't go off if no data has arrived, i.e. it cannot
1807 * be used to guarantee that a read from a DLPI stream will return
1808 * within a specified amount of time regardless of whether any
1809 * data arrives or not.
1811 * Thus, on all platforms other than BSD, we do a "select()" on the
1812 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
1813 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
1815 * "select()", on BPF devices, doesn't work as you might expect;
1816 * at least on some versions of some flavors of BSD, the timer
1817 * doesn't start until a read is done, so it won't expire if
1818 * only a "select()" or "poll()" is posted.
1821 FD_SET(pcap_fd, &set1);
1823 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1824 sel_ret = select(pcap_fd+1, &set1, NULL, NULL, &timeout);
1827 * "select()" says we can read from it without blocking; go for
1830 inpkts = pcap_dispatch(pch, 1, capture_pcap_cb, (guchar *) &ld);
1837 if (sel_ret < 0 && errno != EINTR) {
1838 snprintf(errmsg, sizeof(errmsg),
1839 "Unexpected error from select: %s", strerror(errno));
1840 popup_errmsg(errmsg);
1845 inpkts = pcap_dispatch(pch, 1, capture_pcap_cb, (guchar *) &ld);
1854 ld.sync_packets += inpkts;
1855 /* check capture stop conditons */
1856 if (cnd_stop_capturesize != NULL && cnd_eval(cnd_stop_capturesize,
1857 (guint32)wtap_get_bytes_dumped(ld.pdh))){
1858 /* Capture file reached its maximum size. */
1859 if (capture_opts.ringbuffer_on) {
1860 /* Switch to the next ringbuffer file */
1861 if (ringbuf_switch_file(&cfile, &ld.pdh, &ld.err)) {
1862 /* File switch succeeded: reset the condition */
1863 cnd_reset(cnd_stop_capturesize);
1865 /* File switch failed: stop here */
1870 /* no ringbuffer - just stop */
1876 /* Only update once a second so as not to overload slow displays */
1877 cur_time = time(NULL);
1878 if (cur_time > upd_time) {
1879 upd_time = cur_time;
1881 /* calculate and display running time */
1882 cur_time -= start_time;
1883 snprintf(label_str, sizeof(label_str), "%02ld:%02ld:%02ld",
1884 (long)(cur_time/3600), (long)((cur_time%3600)/60),
1885 (long)(cur_time%60));
1886 gtk_label_set(GTK_LABEL(running_time), label_str);
1888 if (ld.sync_packets) {
1890 for (i = 0; i < N_COUNTS; i++) {
1891 snprintf(label_str, sizeof(label_str), "%d",
1892 *counts[i].value_ptr);
1894 gtk_label_set(GTK_LABEL(counts[i].value), label_str);
1896 snprintf(label_str, sizeof(label_str), "(%.1f%%)",
1897 pct(*counts[i].value_ptr, ld.counts.total));
1899 gtk_label_set(GTK_LABEL(counts[i].percent), label_str);
1902 /* do sync here, too */
1903 fflush(wtap_dump_file(ld.pdh));
1905 if (capture_child) {
1906 /* This is the child process for a sync mode capture, so send
1907 our parent a message saying we've written out "ld.sync_packets"
1908 packets to the capture file. */
1909 char tmp[DECISIZE+1+1];
1910 sprintf(tmp, "%d%c", ld.sync_packets, SP_PACKET_COUNT);
1911 write(1, tmp, strlen(tmp));
1914 ld.sync_packets = 0;
1918 if (cnd_stop_timeout != NULL && cnd_eval(cnd_stop_timeout)) {
1919 /* The specified capture time has elapsed; stop the capture. */
1923 } /* while (ld.go) */
1925 /* delete stop conditions */
1926 if (cnd_stop_capturesize != NULL)
1927 cnd_delete(cnd_stop_capturesize);
1928 if (cnd_stop_timeout != NULL)
1929 cnd_delete(cnd_stop_timeout);
1932 snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
1934 popup_errmsg(errmsg);
1938 } else if (ld.from_pipe && ld.pipe_err == PIPERR)
1939 popup_errmsg(errmsg);
1945 get_capture_file_io_error(errmsg, sizeof(errmsg), cfile.save_file, ld.err,
1947 popup_errmsg(errmsg);
1951 if (capture_opts.ringbuffer_on) {
1952 close_ok = ringbuf_wtap_dump_close(&cfile, &err);
1954 close_ok = wtap_dump_close(ld.pdh, &err);
1956 /* If we've displayed a message about a write error, there's no point
1957 in displaying another message about an error on close. */
1958 if (!close_ok && write_ok) {
1959 get_capture_file_io_error(errmsg, sizeof(errmsg), cfile.save_file, err,
1961 popup_errmsg(errmsg);
1963 /* Set write_ok to mean the write and the close were successful. */
1964 write_ok = (write_ok && close_ok);
1968 * XXX We exhibit different behaviour between normal mode and sync mode
1969 * when the pipe is stdin and not already at EOF. If we're a child, the
1970 * parent's stdin isn't closed, so if the user starts another capture,
1971 * pipe_open_live() will very likely not see the expected magic bytes and
1972 * will say "Unrecognized libpcap format". On the other hand, in normal
1973 * mode, pipe_open_live() will say "End of file on pipe during open".
1975 if (ld.from_pipe && pipe_fd >= 0)
1980 /* Get the capture statistics, so we know how many packets were
1982 if (pcap_stats(pch, stats) >= 0) {
1983 *stats_known = TRUE;
1984 if (capture_child) {
1985 /* Let the parent process know. */
1986 char tmp[DECISIZE+1+1];
1987 sprintf(tmp, "%d%c", stats->ps_drop, SP_DROPS);
1988 write(1, tmp, strlen(tmp));
1991 snprintf(errmsg, sizeof(errmsg),
1992 "Can't get packet-drop statistics: %s",
1994 popup_errmsg(errmsg);
2000 /* Shut down windows sockets */
2004 gtk_grab_remove(GTK_WIDGET(cap_w));
2005 gtk_widget_destroy(GTK_WIDGET(cap_w));
2010 if (capture_opts.ringbuffer_on) {
2011 /* cleanup ringbuffer */
2012 ringbuf_error_cleanup();
2014 /* We can't use the save file, and we have no wtap_dump stream
2015 to close in order to close it, so close the FD directly. */
2016 close(cfile.save_file_fd);
2018 /* We couldn't even start the capture, so get rid of the capture
2020 unlink(cfile.save_file); /* silently ignore error */
2021 g_free(cfile.save_file);
2023 cfile.save_file = NULL;
2024 popup_errmsg(errmsg);
2041 get_capture_file_io_error(char *errmsg, int errmsglen, const char *fname,
2042 int err, gboolean is_close)
2047 snprintf(errmsg, errmsglen,
2048 "Not all the packets could be written to the file"
2049 " to which the capture was being saved\n"
2050 "(\"%s\") because there is no space left on the file system\n"
2051 "on which that file resides.",
2057 snprintf(errmsg, errmsglen,
2058 "Not all the packets could be written to the file"
2059 " to which the capture was being saved\n"
2060 "(\"%s\") because you are too close to, or over,"
2061 " your disk quota\n"
2062 "on the file system on which that file resides.",
2067 case WTAP_ERR_CANT_CLOSE:
2068 snprintf(errmsg, errmsglen,
2069 "The file to which the capture was being saved"
2070 " couldn't be closed for some unknown reason.");
2073 case WTAP_ERR_SHORT_WRITE:
2074 snprintf(errmsg, errmsglen,
2075 "Not all the packets could be written to the file"
2076 " to which the capture was being saved\n"
2083 snprintf(errmsg, errmsglen,
2084 "The file to which the capture was being saved\n"
2085 "(\"%s\") could not be closed: %s.",
2086 fname, wtap_strerror(err));
2088 snprintf(errmsg, errmsglen,
2089 "An error occurred while writing to the file"
2090 " to which the capture was being saved\n"
2092 fname, wtap_strerror(err));
2099 popup_errmsg(const char *errmsg)
2101 if (capture_child) {
2102 /* This is the child process for a sync mode capture.
2103 Send the error message to our parent, so they can display a
2104 dialog box containing it. */
2105 send_errmsg_to_parent(errmsg);
2107 /* Display the dialog box ourselves; there's no parent. */
2108 simple_dialog(ESD_TYPE_CRIT, NULL, "%s", errmsg);
2113 send_errmsg_to_parent(const char *errmsg)
2115 int msglen = strlen(errmsg);
2116 char lenbuf[DECISIZE+1+1];
2118 sprintf(lenbuf, "%u%c", msglen, SP_ERROR_MSG);
2119 write(1, lenbuf, strlen(lenbuf));
2120 write(1, errmsg, msglen);
2124 pct(gint num, gint denom) {
2126 return (float) num * 100.0 / (float) denom;
2133 stop_capture(int signo _U_)
2139 capture_delete_cb(GtkWidget *w _U_, GdkEvent *event _U_, gpointer data) {
2140 capture_stop_cb(NULL, data);
2144 capture_stop_cb(GtkWidget *w _U_, gpointer data) {
2145 loop_data *ld = (loop_data *) data;
2154 * XXX - find some way of signaling the child in Win32.
2157 if (fork_child != -1)
2158 kill(fork_child, SIGUSR1);
2163 kill_capture_child(void)
2166 * XXX - find some way of signaling the child in Win32.
2169 if (fork_child != -1)
2170 kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
2175 capture_pcap_cb(guchar *user, const struct pcap_pkthdr *phdr,
2178 struct wtap_pkthdr whdr;
2179 union wtap_pseudo_header pseudo_header;
2180 loop_data *ld = (loop_data *) user;
2183 if ((++ld->counts.total >= ld->max) && (ld->max > 0))
2188 /* Convert from libpcap to Wiretap format.
2189 If that fails, set "ld->go" to FALSE, to stop the capture, and set
2190 "ld->err" to the error. */
2191 pd = wtap_process_pcap_packet(ld->linktype, phdr, pd, &pseudo_header,
2200 /* We're supposed to write the packet to a file; do so.
2201 If this fails, set "ld->go" to FALSE, to stop the capture, and set
2202 "ld->err" to the error. */
2203 if (!wtap_dump(ld->pdh, &whdr, &pseudo_header, pd, &err)) {
2209 switch (ld->linktype) {
2210 case WTAP_ENCAP_ETHERNET:
2211 capture_eth(pd, 0, whdr.caplen, &ld->counts);
2213 case WTAP_ENCAP_FDDI:
2214 case WTAP_ENCAP_FDDI_BITSWAPPED:
2215 capture_fddi(pd, whdr.caplen, &ld->counts);
2217 case WTAP_ENCAP_PRISM_HEADER:
2218 capture_prism(pd, 0, whdr.caplen, &ld->counts);
2220 case WTAP_ENCAP_TOKEN_RING:
2221 capture_tr(pd, 0, whdr.caplen, &ld->counts);
2223 case WTAP_ENCAP_NULL:
2224 capture_null(pd, whdr.caplen, &ld->counts);
2226 case WTAP_ENCAP_PPP:
2227 capture_ppp_hdlc(pd, 0, whdr.caplen, &ld->counts);
2229 case WTAP_ENCAP_RAW_IP:
2230 capture_raw(pd, whdr.caplen, &ld->counts);
2232 case WTAP_ENCAP_SLL:
2233 capture_sll(pd, whdr.caplen, &ld->counts);
2235 case WTAP_ENCAP_LINUX_ATM_CLIP:
2236 capture_clip(pd, whdr.caplen, &ld->counts);
2238 case WTAP_ENCAP_IEEE_802_11:
2239 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
2240 capture_ieee80211(pd, 0, whdr.caplen, &ld->counts);
2242 case WTAP_ENCAP_CHDLC:
2243 capture_chdlc(pd, 0, whdr.caplen, &ld->counts);
2245 case WTAP_ENCAP_LOCALTALK:
2246 capture_llap(&ld->counts);
2248 case WTAP_ENCAP_ATM_SNIFFER:
2249 capture_atm(&pseudo_header, pd, whdr.caplen, &ld->counts);
2251 case WTAP_ENCAP_IP_OVER_FC:
2252 capture_ipfc(pd, whdr.caplen, &ld->counts);
2254 /* XXX - some ATM drivers on FreeBSD might prepend a 4-byte ATM
2255 pseudo-header to DLT_ATM_RFC1483, with LLC header following;
2256 we might have to implement that at some point. */
2260 #endif /* HAVE_LIBPCAP */