2 * Routines for packet capture windows
4 * $Id: capture.c,v 1.204 2003/01/23 06:57:35 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 #ifdef HAVE_SYS_STAT_H
32 # include <sys/stat.h>
35 #ifdef HAVE_SYS_WAIT_H
36 # include <sys/wait.h>
41 * Define various POSIX macros (and, in the case of WCOREDUMP, non-POSIX
42 * macros) on UNIX systems that don't have them.
45 # define WIFEXITED(status) (((status) & 0177) == 0)
48 # define WIFSTOPPED(status) (((status) & 0177) == 0177)
51 # define WIFSIGNALED(status) (!WIFSTOPPED(status) && !WIFEXITED(status))
54 # define WEXITSTATUS(status) ((status) >> 8)
57 # define WTERMSIG(status) ((status) & 0177)
60 # define WCOREDUMP(status) ((status) & 0200)
63 # define WSTOPSIG(status) ((status) >> 8)
87 #ifdef HAVE_SYS_SOCKET_H
88 #include <sys/socket.h>
91 #ifdef HAVE_SYS_IOCTL_H
92 #include <sys/ioctl.h>
100 #ifdef NEED_SNPRINTF_H
101 # include "snprintf.h"
105 #include <process.h> /* For spawning child process */
109 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
110 * want to include it if it's not present on this platform, however.
112 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__) || defined(__APPLE__)
116 #endif /* defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__) || defined(__APPLE__) */
119 * We don't want to do a "select()" on the pcap_t's file descriptor on
120 * BSD (because "select()" doesn't work correctly on BPF devices on at
121 * least some releases of some flavors of BSD), and we don't want to do
122 * it on Windows (because "select()" is something for sockets, not for
123 * arbitrary handles).
125 * We *do* want to do it on other platforms, as, on other platforms (with
126 * the possible exception of Ultrix and Digital UNIX), the read timeout
127 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
128 * will block until packets arrive, causing the UI to hang.
130 #if !defined(BSD) && !defined(_WIN32)
131 # define MUST_DO_SELECT
134 #include <epan/packet.h>
138 #include "pcap-util.h"
139 #include "simple_dialog.h"
142 #include "conditions.h"
143 #include "capture_stop_conditions.h"
144 #include "ringbuffer.h"
146 #include "wiretap/libpcap.h"
147 #include "wiretap/wtap.h"
148 #include "wiretap/wtap-capture.h"
150 #include "packet-atalk.h"
151 #include "packet-atm.h"
152 #include "packet-clip.h"
153 #include "packet-eth.h"
154 #include "packet-fddi.h"
155 #include "packet-null.h"
156 #include "packet-ppp.h"
157 #include "packet-raw.h"
158 #include "packet-sll.h"
159 #include "packet-tr.h"
160 #include "packet-ieee80211.h"
161 #include "packet-chdlc.h"
162 #include "packet-prism.h"
163 #include "packet-ipfc.h"
164 #include "packet-arcnet.h"
167 #include "capture-wpcap.h"
173 capture_options capture_opts;
175 static int sync_pipe[2]; /* used to sync father */
176 enum PIPES { READ, WRITE }; /* Constants 0 and 1 for READ and WRITE */
177 int quit_after_cap; /* Makes a "capture only mode". Implies -k */
178 gboolean capture_child; /* if this is the child for "-S" */
179 static int fork_child = -1; /* If not -1, in parent, process ID of child */
180 static guint cap_input_id;
183 * Indications sent out on the sync pipe.
185 #define SP_CAPSTART ';' /* capture start message */
186 #define SP_PACKET_COUNT '*' /* followed by count of packets captured since last message */
187 #define SP_ERROR_MSG '!' /* followed by length of error message that follows */
188 #define SP_DROPS '#' /* followed by count of packets dropped in capture */
191 static guint cap_timer_id;
192 static int cap_timer_cb(gpointer); /* Win32 kludge to check for pipe input */
195 static void cap_file_input_cb(gpointer, gint, GdkInputCondition);
196 static void wait_for_child(gboolean);
198 static char *signame(int);
200 static void capture_delete_cb(GtkWidget *, GdkEvent *, gpointer);
201 static void capture_stop_cb(GtkWidget *, gpointer);
202 static void capture_pcap_cb(guchar *, const struct pcap_pkthdr *,
204 static void get_capture_file_io_error(char *, int, const char *, int, gboolean);
205 static void popup_errmsg(const char *);
206 static void send_errmsg_to_parent(const char *);
207 static float pct(gint, gint);
208 static void stop_capture(int signo);
210 typedef struct _loop_data {
211 gboolean go; /* TRUE as long as we're supposed to keep capturing */
212 gint max; /* Number of packets we're supposed to capture - 0 means infinite */
213 int err; /* if non-zero, error seen while capturing */
216 gboolean pcap_err; /* TRUE if error from pcap */
217 gboolean from_pipe; /* TRUE if we are capturing data from a pipe */
218 packet_counts counts;
221 gboolean modified; /* TRUE if data in the pipe uses modified pcap headers */
222 gboolean byte_swapped; /* TRUE if data in the pipe is byte swapped */
223 unsigned int bytes_to_read, bytes_read; /* Used by pipe_dispatch */
225 STATE_EXPECT_REC_HDR, STATE_READ_REC_HDR,
226 STATE_EXPECT_DATA, STATE_READ_DATA
229 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } pipe_err;
234 static void adjust_header(loop_data *, struct pcap_hdr *, struct pcaprec_hdr *);
235 static int pipe_open_live(char *, struct pcap_hdr *, loop_data *, char *, int);
236 static int pipe_dispatch(int, loop_data *, struct pcap_hdr *, \
237 struct pcaprec_modified_hdr *, guchar *, char *, int);
240 /* Win32 needs the O_BINARY flag for open() */
246 /* Win32 needs a handle to the child capture process */
250 /* Add a string pointer to a NULL-terminated array of string pointers. */
252 add_arg(char **args, int *argc, char *arg)
254 /* Grow the array; "*argc" currently contains the number of string
255 pointers, *not* counting the NULL pointer at the end, so we have
256 to add 2 in order to get the new size of the array, including the
257 new pointer and the terminating NULL pointer. */
258 args = g_realloc(args, (*argc + 2) * sizeof (char *));
260 /* Stuff the pointer into the penultimate element of the array, which
261 is the one at the index specified by "*argc". */
264 /* Now bump the count. */
267 /* We overwrite the NULL pointer; put it back right after the
275 /* Given a string, return a pointer to a quote-encapsulated version of
276 the string, so we can pass it as an argument with "spawnvp" even
277 if it contains blanks. */
279 quote_encapsulate(const char *string)
281 char *encapsulated_string;
283 encapsulated_string = g_new(char, strlen(string) + 3);
284 sprintf(encapsulated_string, "\"%s\"", string);
285 return encapsulated_string;
289 /* Open a specified file, or create a temporary file, and start a capture
290 to the file in question. */
292 do_capture(const char *save_file)
295 gboolean is_tempfile;
301 int capture_succeeded;
302 gboolean stats_known;
303 struct pcap_stat stats;
306 if (save_file != NULL) {
307 /* If the Sync option is set, we return to the caller while the capture
308 * is in progress. Therefore we need to take a copy of save_file in
309 * case the caller destroys it after we return.
311 capfile_name = g_strdup(save_file);
312 if (capture_opts.ringbuffer_on) {
313 /* ringbuffer is enabled */
314 cfile.save_file_fd = ringbuf_init(capfile_name,
315 capture_opts.ringbuffer_num_files);
317 /* Try to open/create the specified file for use as a capture buffer. */
318 cfile.save_file_fd = open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
323 /* Choose a random name for the capture buffer */
324 cfile.save_file_fd = create_tempfile(tmpname, sizeof tmpname, "ether");
325 capfile_name = g_strdup(tmpname);
328 if (cfile.save_file_fd == -1) {
330 simple_dialog(ESD_TYPE_CRIT, NULL,
331 "The temporary file to which the capture would be saved (\"%s\")"
332 "could not be opened: %s.", capfile_name, strerror(errno));
334 if (capture_opts.ringbuffer_on) {
335 ringbuf_error_cleanup();
337 simple_dialog(ESD_TYPE_CRIT, NULL,
338 file_open_error_message(errno, TRUE, WTAP_FILE_PCAP), capfile_name);
340 g_free(capfile_name);
343 close_cap_file(&cfile);
344 g_assert(cfile.save_file == NULL);
345 cfile.save_file = capfile_name;
346 /* cfile.save_file is "g_free"ed below, which is equivalent to
347 "g_free(capfile_name)". */
349 if (capture_opts.sync_mode) { /* do the capture in a child process */
351 char scount[24]; /* need a constant for len of numbers */
352 char sautostop_filesize[24]; /* need a constant for len of numbers */
353 char sautostop_duration[24]; /* need a constant for len of numbers */
354 char save_file_fd[24];
360 char sync_pipe_fd[24];
365 /* Allocate the string pointer array with enough space for the
366 terminating NULL pointer. */
368 argv = g_malloc(sizeof (char *));
371 /* Now add those arguments used on all platforms. */
372 argv = add_arg(argv, &argc, CHILD_NAME);
374 argv = add_arg(argv, &argc, "-i");
375 argv = add_arg(argv, &argc, cfile.iface);
377 argv = add_arg(argv, &argc, "-w");
378 argv = add_arg(argv, &argc, cfile.save_file);
380 argv = add_arg(argv, &argc, "-W");
381 sprintf(save_file_fd,"%d",cfile.save_file_fd); /* in lieu of itoa */
382 argv = add_arg(argv, &argc, save_file_fd);
384 if (capture_opts.has_autostop_count) {
385 argv = add_arg(argv, &argc, "-c");
386 sprintf(scount,"%d",capture_opts.autostop_count);
387 argv = add_arg(argv, &argc, scount);
390 if (capture_opts.has_snaplen) {
391 argv = add_arg(argv, &argc, "-s");
392 sprintf(ssnap,"%d",capture_opts.snaplen);
393 argv = add_arg(argv, &argc, ssnap);
396 if (capture_opts.has_autostop_filesize) {
397 argv = add_arg(argv, &argc, "-a");
398 sprintf(sautostop_filesize,"filesize:%d",capture_opts.autostop_filesize);
399 argv = add_arg(argv, &argc, sautostop_filesize);
402 if (capture_opts.has_autostop_duration) {
403 argv = add_arg(argv, &argc, "-a");
404 sprintf(sautostop_duration,"duration:%d",capture_opts.autostop_duration);
405 argv = add_arg(argv, &argc, sautostop_duration);
408 if (!capture_opts.promisc_mode)
409 argv = add_arg(argv, &argc, "-p");
412 /* Create a pipe for the child process */
414 if(_pipe(sync_pipe, 512, O_BINARY) < 0) {
415 /* Couldn't create the pipe between parent and child. */
417 unlink(cfile.save_file);
418 g_free(cfile.save_file);
419 cfile.save_file = NULL;
420 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create sync pipe: %s",
425 /* Convert font name to a quote-encapsulated string and pass to child */
426 argv = add_arg(argv, &argc, "-m");
427 fontstring = quote_encapsulate(prefs.gui_font_name);
428 argv = add_arg(argv, &argc, fontstring);
430 /* Convert pipe write handle to a string and pass to child */
431 argv = add_arg(argv, &argc, "-Z");
432 itoa(sync_pipe[WRITE], sync_pipe_fd, 10);
433 argv = add_arg(argv, &argc, sync_pipe_fd);
435 /* Convert filter string to a quote delimited string and pass to child */
437 if (cfile.cfilter != NULL && strlen(cfile.cfilter) != 0) {
438 argv = add_arg(argv, &argc, "-f");
439 filterstring = quote_encapsulate(cfile.cfilter);
440 argv = add_arg(argv, &argc, filterstring);
444 fork_child = spawnvp(_P_NOWAIT, ethereal_path, argv);
447 g_free(filterstring);
449 /* Keep a copy for later evaluation by _cwait() */
450 child_process = fork_child;
452 signal(SIGCHLD, SIG_IGN);
453 if (pipe(sync_pipe) < 0) {
454 /* Couldn't create the pipe between parent and child. */
456 unlink(cfile.save_file);
457 g_free(cfile.save_file);
458 cfile.save_file = NULL;
459 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create sync pipe: %s",
464 argv = add_arg(argv, &argc, "-m");
465 argv = add_arg(argv, &argc, prefs.gui_font_name);
467 if (cfile.cfilter != NULL && strlen(cfile.cfilter) != 0) {
468 argv = add_arg(argv, &argc, "-f");
469 argv = add_arg(argv, &argc, cfile.cfilter);
472 if ((fork_child = fork()) == 0) {
474 * Child process - run Ethereal with the right arguments to make
475 * it just pop up the live capture dialog box and capture with
476 * the specified capture parameters, writing to the specified file.
478 * args: -i interface specification
480 * -W file descriptor to write
481 * -c count to capture
484 * -f "filter expression"
487 dup(sync_pipe[WRITE]);
488 close(sync_pipe[READ]);
489 execvp(ethereal_path, argv);
490 snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
491 ethereal_path, strerror(errno));
492 send_errmsg_to_parent(errmsg);
494 /* Exit with "_exit()", so that we don't close the connection
495 to the X server (and cause stuff buffered up by our parent but
496 not yet sent to be sent, as that stuff should only be sent by
502 /* Parent process - read messages from the child process over the
504 g_free(argv); /* free up arg array */
506 /* Close the write side of the pipe, so that only the child has it
507 open, and thus it completely closes, and thus returns to us
508 an EOF indication, if the child closes it (either deliberately
509 or by exiting abnormally). */
510 close(sync_pipe[WRITE]);
512 /* Close the save file FD, as we won't be using it - we'll be opening
513 it and reading the save file through Wiretap. */
514 close(cfile.save_file_fd);
516 if (fork_child == -1) {
517 /* We couldn't even create the child process. */
519 close(sync_pipe[READ]);
520 unlink(cfile.save_file);
521 g_free(cfile.save_file);
522 cfile.save_file = NULL;
523 simple_dialog(ESD_TYPE_CRIT, NULL, "Couldn't create child process: %s",
528 /* Read a byte count from "sync_pipe[READ]", terminated with a
529 colon; if the count is 0, the child process created the
530 capture file and we should start reading from it, otherwise
531 the capture couldn't start and the count is a count of bytes
532 of error message, and we should display the message. */
535 i = read(sync_pipe[READ], &c, 1);
537 /* EOF - the child process died.
538 Close the read side of the sync pipe, remove the capture file,
539 and report the failure. */
540 close(sync_pipe[READ]);
541 unlink(cfile.save_file);
542 g_free(cfile.save_file);
543 cfile.save_file = NULL;
544 wait_for_child(TRUE);
547 if (c == SP_CAPSTART || c == SP_ERROR_MSG)
550 /* Child process handed us crap.
551 Close the read side of the sync pipe, remove the capture file,
552 and report the failure. */
553 close(sync_pipe[READ]);
554 unlink(cfile.save_file);
555 g_free(cfile.save_file);
556 cfile.save_file = NULL;
557 simple_dialog(ESD_TYPE_WARN, NULL,
558 "Capture child process sent us a bad message");
561 byte_count = byte_count*10 + c - '0';
563 if (c == SP_CAPSTART) {
564 /* Success. Open the capture file, and set up to read it. */
565 err = start_tail_cap_file(cfile.save_file, is_tempfile, &cfile);
567 /* We were able to open and set up to read the capture file;
568 arrange that our callback be called whenever it's possible
569 to read from the sync pipe, so that it's called when
570 the child process wants to tell us something. */
572 /* Tricky to use pipes in win9x, as no concept of wait. NT can
573 do this but that doesn't cover all win32 platforms. GTK can do
574 this but doesn't seem to work over processes. Attempt to do
575 something similar here, start a timer and check for data on every
577 cap_timer_id = gtk_timeout_add(1000, cap_timer_cb, NULL);
579 cap_input_id = gtk_input_add_full(sync_pipe[READ],
580 GDK_INPUT_READ|GDK_INPUT_EXCEPTION,
587 /* We weren't able to open the capture file; user has been
588 alerted. Close the sync pipe. */
590 close(sync_pipe[READ]);
592 /* Don't unlink the save file - leave it around, for debugging
594 g_free(cfile.save_file);
595 cfile.save_file = NULL;
598 /* Failure - the child process sent us a message indicating
599 what the problem was. */
600 if (byte_count == 0) {
601 /* Zero-length message? */
602 simple_dialog(ESD_TYPE_WARN, NULL,
603 "Capture child process failed, but its error message was empty.");
605 msg = g_malloc(byte_count + 1);
607 simple_dialog(ESD_TYPE_WARN, NULL,
608 "Capture child process failed, but its error message was too big.");
610 i = read(sync_pipe[READ], msg, byte_count);
611 msg[byte_count] = '\0';
613 simple_dialog(ESD_TYPE_WARN, NULL,
614 "Capture child process failed: Error %s reading its error message.",
617 simple_dialog(ESD_TYPE_WARN, NULL,
618 "Capture child process failed: EOF reading its error message.");
619 wait_for_child(FALSE);
621 simple_dialog(ESD_TYPE_CRIT, NULL, msg);
625 /* Close the sync pipe. */
626 close(sync_pipe[READ]);
628 /* Get rid of the save file - the capture never started. */
629 unlink(cfile.save_file);
630 g_free(cfile.save_file);
631 cfile.save_file = NULL;
636 capture_succeeded = capture(&stats_known, &stats);
637 if (quit_after_cap) {
638 /* DON'T unlink the save file. Presumably someone wants it. */
641 if (capture_succeeded) {
642 /* Capture succeeded; read in the capture file. */
643 if ((err = open_cap_file(cfile.save_file, is_tempfile, &cfile)) == 0) {
644 /* Set the read filter to NULL. */
647 /* Get the packet-drop statistics.
649 XXX - there are currently no packet-drop statistics stored
650 in libpcap captures, and that's what we're reading.
652 At some point, we will add support in Wiretap to return
653 packet-drop statistics for capture file formats that store it,
654 and will make "read_cap_file()" get those statistics from
655 Wiretap. We clear the statistics (marking them as "not known")
656 in "open_cap_file()", and "read_cap_file()" will only fetch
657 them and mark them as known if Wiretap supplies them, so if
658 we get the statistics now, after calling "open_cap_file()" but
659 before calling "read_cap_file()", the values we store will
660 be used by "read_cap_file()".
662 If a future libpcap capture file format stores the statistics,
663 we'll put them into the capture file that we write, and will
664 thus not have to set them here - "read_cap_file()" will get
665 them from the file and use them. */
667 cfile.drops_known = TRUE;
669 /* XXX - on some systems, libpcap doesn't bother filling in
670 "ps_ifdrop" - it doesn't even set it to zero - so we don't
671 bother looking at it.
673 Ideally, libpcap would have an interface that gave us
674 several statistics - perhaps including various interface
675 error statistics - and would tell us which of them it
676 supplies, allowing us to display only the ones it does. */
677 cfile.drops = stats.ps_drop;
679 switch (read_cap_file(&cfile, &err)) {
683 /* Just because we got an error, that doesn't mean we were unable
684 to read any of the file; we handle what we could get from the
689 /* Exit by leaving the main loop, so that any quit functions
690 we registered get called. */
691 if (gtk_main_level() > 0)
697 /* We're not doing a capture any more, so we don't have a save
699 if (capture_opts.ringbuffer_on) {
702 g_free(cfile.save_file);
704 cfile.save_file = NULL;
709 /* The timer has expired, see if there's stuff to read from the pipe,
710 if so call the cap_file_input_cb */
712 cap_timer_cb(gpointer data)
716 gboolean result, result1;
719 /* Oddly enough although Named pipes don't work on win9x,
720 PeekNamedPipe does !!! */
721 handle = (HANDLE) _get_osfhandle (sync_pipe[READ]);
722 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
724 /* Get the child process exit status */
725 result1 = GetExitCodeProcess((HANDLE)child_process, &childstatus);
727 /* If the Peek returned an error, or there are bytes to be read
728 or the childwatcher thread has terminated then call the normal
730 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
732 /* avoid reentrancy problems and stack overflow */
733 gtk_timeout_remove(cap_timer_id);
735 /* And call the real handler */
736 cap_file_input_cb((gpointer) &cfile, 0, 0);
738 /* Return false so that the timer is not run again */
742 /* No data so let timer run again */
748 /* There's stuff to read from the sync pipe, meaning the child has sent
749 us a message, or the sync pipe has closed, meaning the child has
750 closed it (perhaps because it exited). */
752 cap_file_input_cb(gpointer data, gint source _U_,
753 GdkInputCondition condition _U_)
755 capture_file *cf = (capture_file *)data;
757 char buffer[BUFSIZE+1], *p = buffer, *q = buffer, *msg, *r;
758 int nread, msglen, chars_to_copy;
763 /* avoid reentrancy problems and stack overflow */
764 gtk_input_remove(cap_input_id);
767 if ((nread = read(sync_pipe[READ], buffer, BUFSIZE)) <= 0) {
768 /* The child has closed the sync pipe, meaning it's not going to be
769 capturing any more packets. Pick up its exit status, and
770 complain if it did anything other than exit with status 0. */
771 wait_for_child(FALSE);
773 /* Read what remains of the capture file, and finish the capture.
774 XXX - do something if this fails? */
775 switch (finish_tail_cap_file(cf, &err)) {
779 /* Just because we got an error, that doesn't mean we were unable
780 to read any of the file; we handle what we could get from the
785 /* Exit by leaving the main loop, so that any quit functions
786 we registered get called. */
791 /* We're not doing a capture any more, so we don't have a save
793 g_free(cf->save_file);
794 cf->save_file = NULL;
799 buffer[nread] = '\0';
802 /* look for (possibly multiple) indications */
804 case SP_PACKET_COUNT :
811 cf->drops_known = TRUE;
823 /* Read the entire message.
824 XXX - if the child hasn't sent it all yet, this could cause us
825 to hang until they do. */
826 msg = g_malloc(msglen + 1);
828 while (msglen != 0) {
831 if ((nread = read(sync_pipe[READ], buffer, BUFSIZE)) <= 0)
836 chars_to_copy = MIN(msglen, nread);
837 memcpy(r, q, chars_to_copy);
840 nread -= chars_to_copy;
841 msglen -= chars_to_copy;
844 simple_dialog(ESD_TYPE_CRIT, NULL, msg);
854 /* Read from the capture file the number of records the child told us
856 XXX - do something if this fails? */
857 switch (continue_tail_cap_file(cf, to_read, &err)) {
861 /* Just because we got an error, that doesn't mean we were unable
862 to read any of the file; we handle what we could get from the
865 XXX - abort on a read error? */
869 /* Kill the child capture process; the user wants to exit, and we
870 shouldn't just leave it running. */
874 kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
879 /* restore pipe handler */
881 cap_timer_id = gtk_timeout_add(1000, cap_timer_cb, NULL);
883 cap_input_id = gtk_input_add_full (sync_pipe[READ],
884 GDK_INPUT_READ|GDK_INPUT_EXCEPTION,
893 wait_for_child(gboolean always_report)
898 /* XXX - analyze the wait stuatus and display more information
899 in the dialog box? */
900 if (_cwait(&wstatus, child_process, _WAIT_CHILD) == -1) {
901 simple_dialog(ESD_TYPE_WARN, NULL, "Child capture process stopped unexpectedly");
904 if (wait(&wstatus) != -1) {
905 if (WIFEXITED(wstatus)) {
906 /* The child exited; display its exit status, if it's not zero,
907 and even if it's zero if "always_report" is true. */
908 if (always_report || WEXITSTATUS(wstatus) != 0) {
909 simple_dialog(ESD_TYPE_WARN, NULL,
910 "Child capture process exited: exit status %d",
911 WEXITSTATUS(wstatus));
913 } else if (WIFSTOPPED(wstatus)) {
914 /* It stopped, rather than exiting. "Should not happen." */
915 simple_dialog(ESD_TYPE_WARN, NULL,
916 "Child capture process stopped: %s",
917 signame(WSTOPSIG(wstatus)));
918 } else if (WIFSIGNALED(wstatus)) {
919 /* It died with a signal. */
920 simple_dialog(ESD_TYPE_WARN, NULL,
921 "Child capture process died: %s%s",
922 signame(WTERMSIG(wstatus)),
923 WCOREDUMP(wstatus) ? " - core dumped" : "");
925 /* What? It had to either have exited, or stopped, or died with
926 a signal; what happened here? */
927 simple_dialog(ESD_TYPE_WARN, NULL,
928 "Child capture process died: wait status %#o", wstatus);
932 /* No more child process. */
942 static char sigmsg_buf[6+1+3+1];
951 sigmsg = "Interrupted";
959 sigmsg = "Illegal instruction";
963 sigmsg = "Trace trap";
971 sigmsg = "Arithmetic exception";
979 sigmsg = "Bus error";
983 sigmsg = "Segmentation violation";
986 /* http://metalab.unc.edu/pub/Linux/docs/HOWTO/GCC-HOWTO
987 Linux is POSIX compliant. These are not POSIX-defined signals ---
988 ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990), paragraph B.3.3.1.1 sez:
990 ``The signals SIGBUS, SIGEMT, SIGIOT, SIGTRAP, and SIGSYS
991 were omitted from POSIX.1 because their behavior is
992 implementation dependent and could not be adequately catego-
993 rized. Conforming implementations may deliver these sig-
994 nals, but must document the circumstances under which they
995 are delivered and note any restrictions concerning their
998 So we only check for SIGSYS on those systems that happen to
999 implement them (a system can be POSIX-compliant and implement
1000 them, it's just that POSIX doesn't *require* a POSIX-compliant
1001 system to implement them).
1006 sigmsg = "Bad system call";
1011 sigmsg = "Broken pipe";
1015 sigmsg = "Alarm clock";
1019 sigmsg = "Terminated";
1023 sprintf(sigmsg_buf, "Signal %d", sig);
1024 sigmsg = sigmsg_buf;
1032 * Timeout, in milliseconds, for reads from the stream of captured packets.
1034 #define CAP_READ_TIMEOUT 250
1037 /* Take care of byte order in the libpcap headers read from pipes.
1038 * (function taken from wiretap/libpcap.c) */
1040 adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1042 if (ld->byte_swapped) {
1043 /* Byte-swap the record header fields. */
1044 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1045 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1046 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1047 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1050 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1051 swapped, in order to match the BPF header layout.
1053 Unfortunately, some files were, according to a comment in the "libpcap"
1054 source, written with version 2.3 in their headers but without the
1055 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1056 would make no sense - we assume that we need to swap them. */
1057 if (hdr->version_major == 2 &&
1058 (hdr->version_minor < 3 ||
1059 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1062 temp = rechdr->orig_len;
1063 rechdr->orig_len = rechdr->incl_len;
1064 rechdr->incl_len = temp;
1068 /* Mimic pcap_open_live() for pipe captures
1069 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
1071 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1072 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1074 pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1075 char *errmsg, int errmsgl)
1077 struct stat pipe_stat;
1081 unsigned int bytes_read;
1083 struct timeval timeout;
1086 * XXX Ethereal blocks until we return
1088 if (strcmp(pipename, "-") == 0)
1089 fd = 0; /* read from stdin */
1091 if (stat(pipename, &pipe_stat) < 0) {
1092 if (errno == ENOENT || errno == ENOTDIR)
1093 ld->pipe_err = PIPNEXIST;
1095 snprintf(errmsg, errmsgl,
1096 "The capture session could not be initiated "
1097 "due to error on pipe: %s", strerror(errno));
1098 ld->pipe_err = PIPERR;
1102 if (! S_ISFIFO(pipe_stat.st_mode)) {
1103 if (S_ISCHR(pipe_stat.st_mode)) {
1105 * Assume the user specified an interface on a system where
1106 * interfaces are in /dev. Pretend we haven't seen it.
1108 ld->pipe_err = PIPNEXIST;
1110 snprintf(errmsg, errmsgl,
1111 "The capture session could not be initiated because\n"
1112 "\"%s\" is neither an interface nor a pipe", pipename);
1113 ld->pipe_err = PIPERR;
1117 fd = open(pipename, O_RDONLY | O_NONBLOCK);
1119 snprintf(errmsg, errmsgl,
1120 "The capture session could not be initiated "
1121 "due to error on pipe open: %s", strerror(errno));
1122 ld->pipe_err = PIPERR;
1127 ld->from_pipe = TRUE;
1129 /* read the pcap header */
1132 while (bytes_read < sizeof magic) {
1135 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1136 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
1138 snprintf(errmsg, errmsgl,
1139 "Unexpected error from select: %s", strerror(errno));
1141 } else if (sel_ret > 0) {
1142 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1145 snprintf(errmsg, errmsgl, "End of file on pipe during open");
1147 snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
1157 /* Host that wrote it has our byte order, and was running
1158 a program using either standard or ss990417 libpcap. */
1159 ld->byte_swapped = FALSE;
1160 ld->modified = FALSE;
1162 case PCAP_MODIFIED_MAGIC:
1163 /* Host that wrote it has our byte order, but was running
1164 a program using either ss990915 or ss991029 libpcap. */
1165 ld->byte_swapped = FALSE;
1166 ld->modified = TRUE;
1168 case PCAP_SWAPPED_MAGIC:
1169 /* Host that wrote it has a byte order opposite to ours,
1170 and was running a program using either standard or
1171 ss990417 libpcap. */
1172 ld->byte_swapped = TRUE;
1173 ld->modified = FALSE;
1175 case PCAP_SWAPPED_MODIFIED_MAGIC:
1176 /* Host that wrote it out has a byte order opposite to
1177 ours, and was running a program using either ss990915
1178 or ss991029 libpcap. */
1179 ld->byte_swapped = TRUE;
1180 ld->modified = TRUE;
1183 /* Not a "libpcap" type we know about. */
1184 snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1188 /* Read the rest of the header */
1190 while (bytes_read < sizeof(struct pcap_hdr)) {
1193 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1194 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
1196 snprintf(errmsg, errmsgl,
1197 "Unexpected error from select: %s", strerror(errno));
1199 } else if (sel_ret > 0) {
1200 b = read(fd, ((char *)hdr)+bytes_read,
1201 sizeof(struct pcap_hdr) - bytes_read);
1204 snprintf(errmsg, errmsgl, "End of file on pipe during open");
1206 snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
1214 if (ld->byte_swapped) {
1215 /* Byte-swap the header fields about which we care. */
1216 hdr->version_major = BSWAP16(hdr->version_major);
1217 hdr->version_minor = BSWAP16(hdr->version_minor);
1218 hdr->snaplen = BSWAP32(hdr->snaplen);
1219 hdr->network = BSWAP32(hdr->network);
1222 if (hdr->version_major < 2) {
1223 snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1227 ld->pipe_state = STATE_EXPECT_REC_HDR;
1228 ld->pipe_err = PIPOK;
1232 ld->pipe_err = PIPERR;
1238 /* We read one record from the pipe, take care of byte order in the record
1239 * header, write the record in the capture file, and update capture statistics. */
1242 pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr,
1243 struct pcaprec_modified_hdr *rechdr, guchar *data,
1244 char *errmsg, int errmsgl)
1246 struct pcap_pkthdr phdr;
1248 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1251 switch (ld->pipe_state) {
1253 case STATE_EXPECT_REC_HDR:
1254 ld->bytes_to_read = ld->modified ?
1255 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1257 ld->pipe_state = STATE_READ_REC_HDR;
1260 case STATE_READ_REC_HDR:
1261 b = read(fd, ((char *)rechdr)+ld->bytes_read,
1262 ld->bytes_to_read - ld->bytes_read);
1265 result = PD_PIPE_EOF;
1267 result = PD_PIPE_ERR;
1270 if ((ld->bytes_read += b) < ld->bytes_to_read)
1272 result = PD_REC_HDR_READ;
1275 case STATE_EXPECT_DATA:
1277 ld->pipe_state = STATE_READ_DATA;
1280 case STATE_READ_DATA:
1281 b = read(fd, data+ld->bytes_read, rechdr->hdr.incl_len - ld->bytes_read);
1284 result = PD_PIPE_EOF;
1286 result = PD_PIPE_ERR;
1289 if ((ld->bytes_read += b) < rechdr->hdr.incl_len)
1291 result = PD_DATA_READ;
1295 snprintf(errmsg, errmsgl, "pipe_dispatch: invalid state");
1298 } /* switch (ld->pipe_state) */
1301 * We've now read as much data as we were expecting, so process it.
1305 case PD_REC_HDR_READ:
1306 /* We've read the header. Take care of byte order. */
1307 adjust_header(ld, hdr, &rechdr->hdr);
1308 if (rechdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1309 snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
1310 ld->counts.total+1, rechdr->hdr.incl_len);
1313 ld->pipe_state = STATE_EXPECT_DATA;
1317 /* Fill in a "struct pcap_pkthdr", and process the packet. */
1318 phdr.ts.tv_sec = rechdr->hdr.ts_sec;
1319 phdr.ts.tv_usec = rechdr->hdr.ts_usec;
1320 phdr.caplen = rechdr->hdr.incl_len;
1321 phdr.len = rechdr->hdr.orig_len;
1323 capture_pcap_cb((guchar *)ld, &phdr, data);
1325 ld->pipe_state = STATE_EXPECT_REC_HDR;
1329 ld->pipe_err = PIPEOF;
1333 snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
1340 ld->pipe_err = PIPERR;
1341 /* Return here rather than inside the switch to prevent GCC warning */
1347 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
1350 static loop_data ld;
1352 /* Do the low-level work of a capture.
1353 Returns TRUE if it succeeds, FALSE otherwise. */
1355 capture(gboolean *stats_known, struct pcap_stat *stats)
1357 GtkWidget *cap_w, *main_vb, *stop_bt, *counts_tb;
1358 GtkWidget *counts_fr, *running_tb, *running_label, *running_time;
1362 gchar open_err_str[PCAP_ERRBUF_SIZE];
1363 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
1364 gchar label_str[64];
1365 bpf_u_int32 netnum, netmask;
1366 struct bpf_program fcode;
1367 time_t upd_time, cur_time;
1370 condition *cnd_stop_capturesize = NULL;
1371 condition *cnd_stop_timeout = NULL;
1373 static const char capstart_msg = SP_CAPSTART;
1374 char errmsg[4096+1];
1378 struct timeval timeout;
1382 GtkWidget *label, *value, *percent;
1384 { "Total", &ld.counts.total, NULL, NULL, NULL },
1385 { "SCTP", &ld.counts.sctp, NULL, NULL, NULL },
1386 { "TCP", &ld.counts.tcp, NULL, NULL, NULL },
1387 { "UDP", &ld.counts.udp, NULL, NULL, NULL },
1388 { "ICMP", &ld.counts.icmp, NULL, NULL, NULL },
1389 { "ARP", &ld.counts.arp, NULL, NULL, NULL },
1390 { "OSPF", &ld.counts.ospf, NULL, NULL, NULL },
1391 { "GRE", &ld.counts.gre, NULL, NULL, NULL },
1392 { "NetBIOS", &ld.counts.netbios, NULL, NULL, NULL },
1393 { "IPX", &ld.counts.ipx, NULL, NULL, NULL },
1394 { "VINES", &ld.counts.vines, NULL, NULL, NULL },
1395 { "Other", &ld.counts.other, NULL, NULL, NULL }
1398 #define N_COUNTS (sizeof counts / sizeof counts[0])
1401 WORD wVersionRequested;
1404 static const char ppamsg[] = "can't find PPA for ";
1408 struct pcap_hdr hdr;
1409 struct pcaprec_modified_hdr rechdr;
1410 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
1412 #ifdef MUST_DO_SELECT
1416 /* Size of buffer to hold decimal representation of
1417 signed/unsigned 64-bit int */
1420 /* Initialize Windows Socket if we are in a WIN32 OS
1421 This needs to be done before querying the interface for network/netmask */
1423 wVersionRequested = MAKEWORD( 1, 1 );
1424 err = WSAStartup( wVersionRequested, &wsaData );
1426 snprintf(errmsg, sizeof errmsg,
1427 "Couldn't initialize Windows Sockets.");
1434 ld.counts.total = 0;
1435 if (capture_opts.has_autostop_count)
1436 ld.max = capture_opts.autostop_count;
1438 ld.max = 0; /* no limit */
1439 ld.err = 0; /* no error seen yet */
1440 ld.linktype = WTAP_ENCAP_UNKNOWN;
1441 ld.pcap_err = FALSE;
1442 ld.from_pipe = FALSE;
1443 ld.sync_packets = 0;
1451 ld.counts.netbios = 0;
1452 ld.counts.vines = 0;
1453 ld.counts.other = 0;
1457 /* We haven't yet gotten the capture statistics. */
1458 *stats_known = FALSE;
1460 /* Open the network interface to capture from it.
1461 Some versions of libpcap may put warnings into the error buffer
1462 if they succeed; to tell if that's happened, we have to clear
1463 the error buffer, and check if it's still a null string. */
1464 open_err_str[0] = '\0';
1465 pch = pcap_open_live(cfile.iface,
1466 capture_opts.has_snaplen ? capture_opts.snaplen :
1467 WTAP_MAX_PACKET_SIZE,
1468 capture_opts.promisc_mode, CAP_READ_TIMEOUT,
1472 /* We couldn't open "cfile.iface" as a network device. */
1474 /* On Windows, we don't support capturing on pipes, so we give up.
1475 If this is a child process that does the capturing in sync
1476 mode or fork mode, it shouldn't do any UI stuff until we pop up the
1477 capture-progress window, and, since we couldn't start the
1478 capture, we haven't popped it up. */
1479 if (!capture_child) {
1480 while (gtk_events_pending()) gtk_main_iteration();
1483 /* On Win32 OSes, the capture devices are probably available to all
1484 users; don't warn about permissions problems.
1486 Do, however, warn that WAN devices aren't supported. */
1487 snprintf(errmsg, sizeof errmsg,
1488 "The capture session could not be initiated (%s).\n"
1489 "Please check that you have the proper interface specified.\n"
1491 "Note that the driver Ethereal uses for packet capture on Windows doesn't\n"
1492 "support capturing on PPP/WAN interfaces in Windows NT/2000/XP/.NET Server.\n",
1496 /* try to open cfile.iface as a pipe */
1497 pipe_fd = pipe_open_live(cfile.iface, &hdr, &ld, errmsg, sizeof errmsg);
1499 if (pipe_fd == -1) {
1501 /* If this is a child process that does the capturing in sync
1502 * mode or fork mode, it shouldn't do any UI stuff until we pop up the
1503 * capture-progress window, and, since we couldn't start the
1504 * capture, we haven't popped it up.
1506 if (!capture_child) {
1507 while (gtk_events_pending()) gtk_main_iteration();
1510 if (ld.pipe_err == PIPNEXIST) {
1511 /* Pipe doesn't exist, so output message for interface */
1513 /* If we got a "can't find PPA for XXX" message, warn the user (who
1514 is running Ethereal on HP-UX) that they don't have a version
1515 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
1516 versions, which properly handle HP-UX, say "can't find /dev/dlpi
1517 PPA for XXX" rather than "can't find PPA for XXX"). */
1518 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
1521 "You are running Ethereal with a version of the libpcap library\n"
1522 "that doesn't handle HP-UX network devices well; this means that\n"
1523 "Ethereal may not be able to capture packets.\n"
1525 "To fix this, you should install libpcap 0.6.2, or a later version\n"
1526 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
1527 "packaged binary form from the Software Porting And Archive Centre\n"
1528 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
1529 "at the URL lists a number of mirror sites.";
1532 snprintf(errmsg, sizeof errmsg,
1533 "The capture session could not be initiated (%s).\n"
1534 "Please check to make sure you have sufficient permissions, and that\n"
1535 "you have the proper interface or pipe specified.%s", open_err_str,
1539 * Else pipe (or file) does exist and pipe_open_live() has
1544 /* pipe_open_live() succeeded; don't want
1545 error message from pcap_open_live() */
1546 open_err_str[0] = '\0';
1550 /* capture filters only work on real interfaces */
1551 if (cfile.cfilter && !ld.from_pipe) {
1552 /* A capture filter was specified; set it up. */
1553 if (pcap_lookupnet(cfile.iface, &netnum, &netmask, lookup_net_err_str) < 0) {
1555 * Well, we can't get the netmask for this interface; it's used
1556 * only for filters that check for broadcast IP addresses, so
1557 * we just punt and use 0. It might be nice to warn the user,
1558 * but that's a pain in a GUI application, as it'd involve popping
1559 * up a message box, and it's not clear how often this would make
1560 * a difference (only filters that check for IP broadcast addresses
1565 if (pcap_compile(pch, &fcode, cfile.cfilter, 1, netmask) < 0) {
1566 snprintf(errmsg, sizeof errmsg, "Unable to parse filter string (%s).",
1570 if (pcap_setfilter(pch, &fcode) < 0) {
1571 snprintf(errmsg, sizeof errmsg, "Can't install filter (%s).",
1577 /* Set up to write to the capture file. */
1580 pcap_encap = hdr.network;
1581 file_snaplen = hdr.snaplen;
1585 pcap_encap = get_pcap_linktype(pch, cfile.iface);
1586 file_snaplen = pcap_snapshot(pch);
1588 ld.linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
1589 if (ld.linktype == WTAP_ENCAP_UNKNOWN) {
1590 snprintf(errmsg, sizeof errmsg,
1591 "The network you're capturing from is of a type"
1592 " that Ethereal doesn't support (data link type %d).", pcap_encap);
1595 if (capture_opts.ringbuffer_on) {
1596 ld.pdh = ringbuf_init_wtap_dump_fdopen(WTAP_FILE_PCAP, ld.linktype,
1597 file_snaplen, &err);
1599 ld.pdh = wtap_dump_fdopen(cfile.save_file_fd, WTAP_FILE_PCAP,
1600 ld.linktype, file_snaplen, &err);
1603 if (ld.pdh == NULL) {
1604 /* We couldn't set up to write to the capture file. */
1607 case WTAP_ERR_CANT_OPEN:
1608 strcpy(errmsg, "The file to which the capture would be saved"
1609 " couldn't be created for some unknown reason.");
1612 case WTAP_ERR_SHORT_WRITE:
1613 strcpy(errmsg, "A full header couldn't be written to the file"
1614 " to which the capture would be saved.");
1619 snprintf(errmsg, sizeof(errmsg),
1620 "The file to which the capture would be"
1621 " saved (\"%s\") could not be opened: Error %d.",
1622 cfile.save_file, err);
1624 snprintf(errmsg, sizeof(errmsg),
1625 "The file to which the capture would be"
1626 " saved (\"%s\") could not be opened: %s.",
1627 cfile.save_file, strerror(err));
1634 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
1635 returned a warning; print it, but keep capturing. */
1636 if (open_err_str[0] != '\0')
1637 g_warning("%s.", open_err_str);
1639 /* XXX - capture SIGTERM and close the capture, in case we're on a
1640 Linux 2.0[.x] system and you have to explicitly close the capture
1641 stream in order to turn promiscuous mode off? We need to do that
1642 in other places as well - and I don't think that works all the
1643 time in any case, due to libpcap bugs. */
1645 if (capture_child) {
1646 /* Well, we should be able to start capturing.
1648 This is the child process for a sync mode capture, so sync out
1649 the capture file, so the header makes it to the file system,
1650 and send a "capture started successfully and capture file created"
1651 message to our parent so that they'll open the capture file and
1652 update its windows to indicate that we have a live capture in
1654 fflush(wtap_dump_file(ld.pdh));
1655 write(1, &capstart_msg, 1);
1658 cap_w = gtk_window_new(GTK_WINDOW_TOPLEVEL);
1659 gtk_window_set_title(GTK_WINDOW(cap_w), "Ethereal: Capture");
1660 gtk_window_set_modal(GTK_WINDOW(cap_w), TRUE);
1662 /* Container for capture display widgets */
1663 main_vb = gtk_vbox_new(FALSE, 1);
1664 gtk_container_border_width(GTK_CONTAINER(main_vb), 5);
1665 gtk_container_add(GTK_CONTAINER(cap_w), main_vb);
1666 gtk_widget_show(main_vb);
1668 counts_fr = gtk_frame_new("Captured Frames");
1669 gtk_box_pack_start(GTK_BOX(main_vb), counts_fr, FALSE, FALSE, 3);
1670 gtk_widget_show(counts_fr);
1672 /* Individual statistic elements */
1673 counts_tb = gtk_table_new(N_COUNTS, 3, TRUE);
1674 gtk_container_add(GTK_CONTAINER(counts_fr), counts_tb);
1675 gtk_container_border_width(GTK_CONTAINER(counts_tb), 5);
1676 gtk_widget_show(counts_tb);
1678 for (i = 0; i < N_COUNTS; i++) {
1679 counts[i].label = gtk_label_new(counts[i].title);
1680 gtk_misc_set_alignment(GTK_MISC(counts[i].label), 0.0f, 0.0f);
1682 counts[i].value = gtk_label_new("0");
1683 gtk_misc_set_alignment(GTK_MISC(counts[i].value), 0.0f, 0.0f);
1685 counts[i].percent = gtk_label_new("0.0%");
1686 gtk_misc_set_alignment(GTK_MISC(counts[i].percent), 0.0f, 0.0f);
1688 gtk_table_attach_defaults(GTK_TABLE(counts_tb),
1689 counts[i].label, 0, 1, i, i + 1);
1691 gtk_table_attach(GTK_TABLE(counts_tb),
1693 1, 2, i, i + 1, 0, 0, 5, 0);
1695 gtk_table_attach_defaults(GTK_TABLE(counts_tb),
1696 counts[i].percent, 2, 3, i, i + 1);
1698 gtk_widget_show(counts[i].label);
1699 gtk_widget_show(counts[i].value);
1700 gtk_widget_show(counts[i].percent);
1704 running_tb = gtk_table_new(1, 3, TRUE);
1705 gtk_box_pack_start(GTK_BOX(main_vb), running_tb, FALSE, FALSE, 3);
1706 gtk_widget_show(running_tb);
1708 running_label = gtk_label_new("Running");
1709 gtk_misc_set_alignment(GTK_MISC(running_label), 0.0f, 0.0f);
1710 gtk_widget_show(running_label);
1711 gtk_table_attach_defaults(GTK_TABLE(running_tb),
1712 running_label, 0, 1, 0, 1);
1714 running_time = gtk_label_new("00:00:00");
1715 gtk_misc_set_alignment(GTK_MISC(running_time), 0.0f, 0.0f);
1716 gtk_widget_show(running_time);
1717 gtk_table_attach(GTK_TABLE(running_tb),
1719 1, 2, 0, 1, 0, 0, 5, 0);
1721 /* allow user to either click a stop button, or the close button on
1722 the window to stop a capture in progress. */
1723 stop_bt = gtk_button_new_with_label ("Stop");
1724 gtk_signal_connect(GTK_OBJECT(stop_bt), "clicked",
1725 GTK_SIGNAL_FUNC(capture_stop_cb), (gpointer) &ld);
1726 gtk_signal_connect(GTK_OBJECT(cap_w), "delete_event",
1727 GTK_SIGNAL_FUNC(capture_delete_cb), (gpointer) &ld);
1728 gtk_box_pack_start(GTK_BOX(main_vb), stop_bt, FALSE, FALSE, 3);
1729 GTK_WIDGET_SET_FLAGS(stop_bt, GTK_CAN_DEFAULT);
1730 gtk_widget_grab_default(stop_bt);
1731 GTK_WIDGET_SET_FLAGS(stop_bt, GTK_CAN_DEFAULT);
1732 gtk_widget_grab_default(stop_bt);
1733 gtk_widget_show(stop_bt);
1735 gtk_widget_show(cap_w);
1737 start_time = time(NULL);
1738 upd_time = time(NULL);
1739 #ifdef MUST_DO_SELECT
1740 if (!ld.from_pipe) pcap_fd = pcap_fileno(pch);
1745 * Catch SIGUSR1, so that we exit cleanly if the parent process
1746 * kills us with it due to the user selecting "Capture->Stop".
1749 signal(SIGUSR1, stop_capture);
1751 /* initialize capture stop conditions */
1752 init_capture_stop_conditions();
1753 /* create stop conditions */
1754 if (capture_opts.has_autostop_filesize)
1755 cnd_stop_capturesize =
1756 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts.autostop_filesize * 1000);
1757 if (capture_opts.has_autostop_duration)
1759 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts.autostop_duration);
1762 while (gtk_events_pending()) gtk_main_iteration();
1767 FD_SET(pipe_fd, &set1);
1769 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1770 sel_ret = select(pipe_fd+1, &set1, NULL, NULL, &timeout);
1773 if (sel_ret < 0 && errno != EINTR) {
1774 snprintf(errmsg, sizeof(errmsg),
1775 "Unexpected error from select: %s", strerror(errno));
1776 popup_errmsg(errmsg);
1781 * "select()" says we can read from the pipe without blocking
1783 inpkts = pipe_dispatch(pipe_fd, &ld, &hdr, &rechdr, pcap_data,
1784 errmsg, sizeof errmsg);
1793 #ifdef MUST_DO_SELECT
1795 * Sigh. The semantics of the read timeout argument to
1796 * "pcap_open_live()" aren't particularly well specified by
1797 * the "pcap" man page - at least with the BSD BPF code, the
1798 * intent appears to be, at least in part, a way of cutting
1799 * down the number of reads done on a capture, by blocking
1800 * until the buffer fills or a timer expires - and the Linux
1801 * libpcap doesn't actually support it, so we can't use it
1802 * to break out of the "pcap_dispatch()" every 1/4 of a second
1803 * or so. Linux's libpcap is not the only libpcap that doesn't
1804 * support the read timeout.
1806 * Furthermore, at least on Solaris, the bufmod STREAMS module's
1807 * read timeout won't go off if no data has arrived, i.e. it cannot
1808 * be used to guarantee that a read from a DLPI stream will return
1809 * within a specified amount of time regardless of whether any
1810 * data arrives or not.
1812 * Thus, on all platforms other than BSD, we do a "select()" on the
1813 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
1814 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
1816 * "select()", on BPF devices, doesn't work as you might expect;
1817 * at least on some versions of some flavors of BSD, the timer
1818 * doesn't start until a read is done, so it won't expire if
1819 * only a "select()" or "poll()" is posted.
1822 FD_SET(pcap_fd, &set1);
1824 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
1825 sel_ret = select(pcap_fd+1, &set1, NULL, NULL, &timeout);
1828 * "select()" says we can read from it without blocking; go for
1831 inpkts = pcap_dispatch(pch, 1, capture_pcap_cb, (guchar *) &ld);
1838 if (sel_ret < 0 && errno != EINTR) {
1839 snprintf(errmsg, sizeof(errmsg),
1840 "Unexpected error from select: %s", strerror(errno));
1841 popup_errmsg(errmsg);
1846 inpkts = pcap_dispatch(pch, 1, capture_pcap_cb, (guchar *) &ld);
1855 ld.sync_packets += inpkts;
1856 /* check capture stop conditons */
1857 if (cnd_stop_capturesize != NULL && cnd_eval(cnd_stop_capturesize,
1858 (guint32)wtap_get_bytes_dumped(ld.pdh))){
1859 /* Capture file reached its maximum size. */
1860 if (capture_opts.ringbuffer_on) {
1861 /* Switch to the next ringbuffer file */
1862 if (ringbuf_switch_file(&cfile, &ld.pdh, &ld.err)) {
1863 /* File switch succeeded: reset the condition */
1864 cnd_reset(cnd_stop_capturesize);
1866 /* File switch failed: stop here */
1871 /* no ringbuffer - just stop */
1877 /* Only update once a second so as not to overload slow displays */
1878 cur_time = time(NULL);
1879 if (cur_time > upd_time) {
1880 upd_time = cur_time;
1882 /* calculate and display running time */
1883 cur_time -= start_time;
1884 snprintf(label_str, sizeof(label_str), "%02ld:%02ld:%02ld",
1885 (long)(cur_time/3600), (long)((cur_time%3600)/60),
1886 (long)(cur_time%60));
1887 gtk_label_set(GTK_LABEL(running_time), label_str);
1889 if (ld.sync_packets) {
1891 for (i = 0; i < N_COUNTS; i++) {
1892 snprintf(label_str, sizeof(label_str), "%d",
1893 *counts[i].value_ptr);
1895 gtk_label_set(GTK_LABEL(counts[i].value), label_str);
1897 snprintf(label_str, sizeof(label_str), "(%.1f%%)",
1898 pct(*counts[i].value_ptr, ld.counts.total));
1900 gtk_label_set(GTK_LABEL(counts[i].percent), label_str);
1903 /* do sync here, too */
1904 fflush(wtap_dump_file(ld.pdh));
1906 if (capture_child) {
1907 /* This is the child process for a sync mode capture, so send
1908 our parent a message saying we've written out "ld.sync_packets"
1909 packets to the capture file. */
1910 char tmp[DECISIZE+1+1];
1911 sprintf(tmp, "%d%c", ld.sync_packets, SP_PACKET_COUNT);
1912 write(1, tmp, strlen(tmp));
1915 ld.sync_packets = 0;
1919 if (cnd_stop_timeout != NULL && cnd_eval(cnd_stop_timeout)) {
1920 /* The specified capture time has elapsed; stop the capture. */
1924 } /* while (ld.go) */
1926 /* delete stop conditions */
1927 if (cnd_stop_capturesize != NULL)
1928 cnd_delete(cnd_stop_capturesize);
1929 if (cnd_stop_timeout != NULL)
1930 cnd_delete(cnd_stop_timeout);
1933 snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
1935 popup_errmsg(errmsg);
1939 } else if (ld.from_pipe && ld.pipe_err == PIPERR)
1940 popup_errmsg(errmsg);
1946 get_capture_file_io_error(errmsg, sizeof(errmsg), cfile.save_file, ld.err,
1948 popup_errmsg(errmsg);
1952 if (capture_opts.ringbuffer_on) {
1953 close_ok = ringbuf_wtap_dump_close(&cfile, &err);
1955 close_ok = wtap_dump_close(ld.pdh, &err);
1957 /* If we've displayed a message about a write error, there's no point
1958 in displaying another message about an error on close. */
1959 if (!close_ok && write_ok) {
1960 get_capture_file_io_error(errmsg, sizeof(errmsg), cfile.save_file, err,
1962 popup_errmsg(errmsg);
1964 /* Set write_ok to mean the write and the close were successful. */
1965 write_ok = (write_ok && close_ok);
1969 * XXX We exhibit different behaviour between normal mode and sync mode
1970 * when the pipe is stdin and not already at EOF. If we're a child, the
1971 * parent's stdin isn't closed, so if the user starts another capture,
1972 * pipe_open_live() will very likely not see the expected magic bytes and
1973 * will say "Unrecognized libpcap format". On the other hand, in normal
1974 * mode, pipe_open_live() will say "End of file on pipe during open".
1976 if (ld.from_pipe && pipe_fd >= 0)
1981 /* Get the capture statistics, so we know how many packets were
1983 if (pcap_stats(pch, stats) >= 0) {
1984 *stats_known = TRUE;
1985 if (capture_child) {
1986 /* Let the parent process know. */
1987 char tmp[DECISIZE+1+1];
1988 sprintf(tmp, "%d%c", stats->ps_drop, SP_DROPS);
1989 write(1, tmp, strlen(tmp));
1992 snprintf(errmsg, sizeof(errmsg),
1993 "Can't get packet-drop statistics: %s",
1995 popup_errmsg(errmsg);
2001 /* Shut down windows sockets */
2005 gtk_grab_remove(GTK_WIDGET(cap_w));
2006 gtk_widget_destroy(GTK_WIDGET(cap_w));
2011 if (capture_opts.ringbuffer_on) {
2012 /* cleanup ringbuffer */
2013 ringbuf_error_cleanup();
2015 /* We can't use the save file, and we have no wtap_dump stream
2016 to close in order to close it, so close the FD directly. */
2017 close(cfile.save_file_fd);
2019 /* We couldn't even start the capture, so get rid of the capture
2021 unlink(cfile.save_file); /* silently ignore error */
2022 g_free(cfile.save_file);
2024 cfile.save_file = NULL;
2025 popup_errmsg(errmsg);
2042 get_capture_file_io_error(char *errmsg, int errmsglen, const char *fname,
2043 int err, gboolean is_close)
2048 snprintf(errmsg, errmsglen,
2049 "Not all the packets could be written to the file"
2050 " to which the capture was being saved\n"
2051 "(\"%s\") because there is no space left on the file system\n"
2052 "on which that file resides.",
2058 snprintf(errmsg, errmsglen,
2059 "Not all the packets could be written to the file"
2060 " to which the capture was being saved\n"
2061 "(\"%s\") because you are too close to, or over,"
2062 " your disk quota\n"
2063 "on the file system on which that file resides.",
2068 case WTAP_ERR_CANT_CLOSE:
2069 snprintf(errmsg, errmsglen,
2070 "The file to which the capture was being saved"
2071 " couldn't be closed for some unknown reason.");
2074 case WTAP_ERR_SHORT_WRITE:
2075 snprintf(errmsg, errmsglen,
2076 "Not all the packets could be written to the file"
2077 " to which the capture was being saved\n"
2084 snprintf(errmsg, errmsglen,
2085 "The file to which the capture was being saved\n"
2086 "(\"%s\") could not be closed: %s.",
2087 fname, wtap_strerror(err));
2089 snprintf(errmsg, errmsglen,
2090 "An error occurred while writing to the file"
2091 " to which the capture was being saved\n"
2093 fname, wtap_strerror(err));
2100 popup_errmsg(const char *errmsg)
2102 if (capture_child) {
2103 /* This is the child process for a sync mode capture.
2104 Send the error message to our parent, so they can display a
2105 dialog box containing it. */
2106 send_errmsg_to_parent(errmsg);
2108 /* Display the dialog box ourselves; there's no parent. */
2109 simple_dialog(ESD_TYPE_CRIT, NULL, "%s", errmsg);
2114 send_errmsg_to_parent(const char *errmsg)
2116 int msglen = strlen(errmsg);
2117 char lenbuf[DECISIZE+1+1];
2119 sprintf(lenbuf, "%u%c", msglen, SP_ERROR_MSG);
2120 write(1, lenbuf, strlen(lenbuf));
2121 write(1, errmsg, msglen);
2125 pct(gint num, gint denom) {
2127 return (float) num * 100.0 / (float) denom;
2134 stop_capture(int signo _U_)
2140 capture_delete_cb(GtkWidget *w _U_, GdkEvent *event _U_, gpointer data) {
2141 capture_stop_cb(NULL, data);
2145 capture_stop_cb(GtkWidget *w _U_, gpointer data) {
2146 loop_data *ld = (loop_data *) data;
2155 * XXX - find some way of signaling the child in Win32.
2158 if (fork_child != -1)
2159 kill(fork_child, SIGUSR1);
2164 kill_capture_child(void)
2167 * XXX - find some way of signaling the child in Win32.
2170 if (fork_child != -1)
2171 kill(fork_child, SIGTERM); /* SIGTERM so it can clean up if necessary */
2176 capture_pcap_cb(guchar *user, const struct pcap_pkthdr *phdr,
2179 struct wtap_pkthdr whdr;
2180 union wtap_pseudo_header pseudo_header;
2181 loop_data *ld = (loop_data *) user;
2184 if ((++ld->counts.total >= ld->max) && (ld->max > 0))
2189 /* Convert from libpcap to Wiretap format.
2190 If that fails, set "ld->go" to FALSE, to stop the capture, and set
2191 "ld->err" to the error. */
2192 pd = wtap_process_pcap_packet(ld->linktype, phdr, pd, &pseudo_header,
2201 /* We're supposed to write the packet to a file; do so.
2202 If this fails, set "ld->go" to FALSE, to stop the capture, and set
2203 "ld->err" to the error. */
2204 if (!wtap_dump(ld->pdh, &whdr, &pseudo_header, pd, &err)) {
2210 switch (ld->linktype) {
2211 case WTAP_ENCAP_ETHERNET:
2212 capture_eth(pd, 0, whdr.caplen, &ld->counts);
2214 case WTAP_ENCAP_FDDI:
2215 case WTAP_ENCAP_FDDI_BITSWAPPED:
2216 capture_fddi(pd, whdr.caplen, &ld->counts);
2218 case WTAP_ENCAP_PRISM_HEADER:
2219 capture_prism(pd, 0, whdr.caplen, &ld->counts);
2221 case WTAP_ENCAP_TOKEN_RING:
2222 capture_tr(pd, 0, whdr.caplen, &ld->counts);
2224 case WTAP_ENCAP_NULL:
2225 capture_null(pd, whdr.caplen, &ld->counts);
2227 case WTAP_ENCAP_PPP:
2228 capture_ppp_hdlc(pd, 0, whdr.caplen, &ld->counts);
2230 case WTAP_ENCAP_RAW_IP:
2231 capture_raw(pd, whdr.caplen, &ld->counts);
2233 case WTAP_ENCAP_SLL:
2234 capture_sll(pd, whdr.caplen, &ld->counts);
2236 case WTAP_ENCAP_LINUX_ATM_CLIP:
2237 capture_clip(pd, whdr.caplen, &ld->counts);
2239 case WTAP_ENCAP_IEEE_802_11:
2240 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
2241 capture_ieee80211(pd, 0, whdr.caplen, &ld->counts);
2243 case WTAP_ENCAP_CHDLC:
2244 capture_chdlc(pd, 0, whdr.caplen, &ld->counts);
2246 case WTAP_ENCAP_LOCALTALK:
2247 capture_llap(&ld->counts);
2249 case WTAP_ENCAP_ATM_PDUS:
2250 capture_atm(&pseudo_header, pd, whdr.caplen, &ld->counts);
2252 case WTAP_ENCAP_IP_OVER_FC:
2253 capture_ipfc(pd, whdr.caplen, &ld->counts);
2255 case WTAP_ENCAP_ARCNET:
2256 capture_arcnet(pd, whdr.caplen, &ld->counts, FALSE);
2258 case WTAP_ENCAP_ARCNET_LINUX:
2259 capture_arcnet(pd, whdr.caplen, &ld->counts, TRUE);
2261 /* XXX - some ATM drivers on FreeBSD might prepend a 4-byte ATM
2262 pseudo-header to DLT_ATM_RFC1483, with LLC header following;
2263 we might have to implement that at some point. */
2267 #endif /* HAVE_LIBPCAP */