2 * The actual capturing loop, getting packets and storing it
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 * Capture loop (internal interface).
30 * It will open the input and output files, capture the packets,
31 * change ringbuffer output files while capturing and close all files again.
33 * The input file can be a network interface or capture pipe (unix only).
34 * The output file can be a single or a ringbuffer file handled by wiretap.
54 #ifdef HAVE_SYS_TYPES_H
55 # include <sys/types.h>
58 #ifdef HAVE_SYS_STAT_H
59 # include <sys/stat.h>
69 #include <epan/packet.h>
71 #include "capture_sync.h"
72 #include "pcap-util.h"
74 #include "simple_dialog.h"
75 #include "conditions.h"
76 #include "capture_stop_conditions.h"
77 #include "ringbuffer.h"
79 #include "wiretap/libpcap.h"
80 #include "wiretap/wtap.h"
81 #include "wiretap/wtap-capture.h"
83 #include <epan/prefs.h>
84 /* XXX - try to remove this later */
86 /* XXX - try to remove this later */
88 #include "alert_box.h"
92 #include <epan/dissectors/packet-ap1394.h>
93 #include <epan/dissectors/packet-atalk.h>
94 #include <epan/dissectors/packet-atm.h>
95 #include <epan/dissectors/packet-clip.h>
96 #include <epan/dissectors/packet-eth.h>
97 #include <epan/dissectors/packet-fddi.h>
98 #include <epan/dissectors/packet-fr.h>
99 #include <epan/dissectors/packet-null.h>
100 #include <epan/dissectors/packet-ppp.h>
101 #include <epan/dissectors/packet-raw.h>
102 #include <epan/dissectors/packet-sll.h>
103 #include <epan/dissectors/packet-tr.h>
104 #include <epan/dissectors/packet-ieee80211.h>
105 #include <epan/dissectors/packet-chdlc.h>
106 #include <epan/dissectors/packet-prism.h>
107 #include <epan/dissectors/packet-ipfc.h>
108 #include <epan/dissectors/packet-arcnet.h>
110 /* Win32 needs the O_BINARY flag for open() */
118 * We don't want to do a "select()" on the pcap_t's file descriptor on
119 * BSD (because "select()" doesn't work correctly on BPF devices on at
120 * least some releases of some flavors of BSD), and we don't want to do
121 * it on Windows (because "select()" is something for sockets, not for
122 * arbitrary handles). (Note that "Windows" here includes Cygwin;
123 * even in its pretend-it's-UNIX environment, we're using WinPcap, not
126 * We *do* want to do it on other platforms, as, on other platforms (with
127 * the possible exception of Ultrix and Digital UNIX), the read timeout
128 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
129 * will block until packets arrive, causing the UI to hang.
131 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
132 * want to include it if it's not present on this platform, however.
134 #if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
135 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
137 # define MUST_DO_SELECT
141 typedef struct _loop_data {
143 gboolean go; /* TRUE as long as we're supposed to keep capturing */
144 int err; /* if non-zero, error seen while capturing */
145 gint packets_max; /* Number of packets we're supposed to capture - 0 means infinite */
146 gint packets_sync_pipe; /* packets not already send out to the sync_pipe */
147 packet_counts counts; /* several packet type counters */
149 /* pcap "input file" */
150 pcap_t *pcap_h; /* pcap handle */
151 gboolean pcap_err; /* TRUE if error from pcap */
152 #ifdef MUST_DO_SELECT
153 int pcap_fd; /* pcap file descriptor */
156 /* capture pipe (unix only "input file") */
157 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
159 struct pcap_hdr cap_pipe_hdr;
160 struct pcaprec_modified_hdr cap_pipe_rechdr;
161 int cap_pipe_fd; /* the file descriptor of the capture pipe */
162 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
163 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
164 unsigned int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
165 unsigned int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
167 STATE_EXPECT_REC_HDR,
173 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
176 /* wiretap (output file) */
177 wtap_dumper *wtap_pdh;
184 * Timeout, in milliseconds, for reads from the stream of captured packets.
186 #define CAP_READ_TIMEOUT 250
188 static void capture_loop_packet_cb(guchar *user, const struct pcap_pkthdr *phdr,
190 static void capture_loop_popup_errmsg(capture_options *capture_opts, const char *errmsg);
191 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
192 int err, gboolean is_close);
197 /* Take care of byte order in the libpcap headers read from pipes.
198 * (function taken from wiretap/libpcap.c) */
200 cap_pipe_adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
202 if (ld->cap_pipe_byte_swapped) {
203 /* Byte-swap the record header fields. */
204 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
205 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
206 rechdr->incl_len = BSWAP32(rechdr->incl_len);
207 rechdr->orig_len = BSWAP32(rechdr->orig_len);
210 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
211 swapped, in order to match the BPF header layout.
213 Unfortunately, some files were, according to a comment in the "libpcap"
214 source, written with version 2.3 in their headers but without the
215 interchanged fields, so if "incl_len" is greater than "orig_len" - which
216 would make no sense - we assume that we need to swap them. */
217 if (hdr->version_major == 2 &&
218 (hdr->version_minor < 3 ||
219 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
222 temp = rechdr->orig_len;
223 rechdr->orig_len = rechdr->incl_len;
224 rechdr->incl_len = temp;
228 /* Mimic pcap_open_live() for pipe captures
229 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
231 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
232 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
234 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
235 char *errmsg, int errmsgl)
237 struct stat pipe_stat;
241 unsigned int bytes_read;
243 struct timeval timeout;
246 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
249 * XXX Ethereal blocks until we return
251 if (strcmp(pipename, "-") == 0)
252 fd = 0; /* read from stdin */
254 if (stat(pipename, &pipe_stat) < 0) {
255 if (errno == ENOENT || errno == ENOTDIR)
256 ld->cap_pipe_err = PIPNEXIST;
258 g_snprintf(errmsg, errmsgl,
259 "The capture session could not be initiated "
260 "due to error on pipe: %s", strerror(errno));
261 ld->cap_pipe_err = PIPERR;
265 if (! S_ISFIFO(pipe_stat.st_mode)) {
266 if (S_ISCHR(pipe_stat.st_mode)) {
268 * Assume the user specified an interface on a system where
269 * interfaces are in /dev. Pretend we haven't seen it.
271 ld->cap_pipe_err = PIPNEXIST;
273 g_snprintf(errmsg, errmsgl,
274 "The capture session could not be initiated because\n"
275 "\"%s\" is neither an interface nor a pipe", pipename);
276 ld->cap_pipe_err = PIPERR;
280 fd = open(pipename, O_RDONLY | O_NONBLOCK);
282 g_snprintf(errmsg, errmsgl,
283 "The capture session could not be initiated "
284 "due to error on pipe open: %s", strerror(errno));
285 ld->cap_pipe_err = PIPERR;
290 ld->from_cap_pipe = TRUE;
292 /* read the pcap header */
295 while (bytes_read < sizeof magic) {
298 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
299 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
301 g_snprintf(errmsg, errmsgl,
302 "Unexpected error from select: %s", strerror(errno));
304 } else if (sel_ret > 0) {
305 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
308 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
310 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
320 /* Host that wrote it has our byte order, and was running
321 a program using either standard or ss990417 libpcap. */
322 ld->cap_pipe_byte_swapped = FALSE;
323 ld->cap_pipe_modified = FALSE;
325 case PCAP_MODIFIED_MAGIC:
326 /* Host that wrote it has our byte order, but was running
327 a program using either ss990915 or ss991029 libpcap. */
328 ld->cap_pipe_byte_swapped = FALSE;
329 ld->cap_pipe_modified = TRUE;
331 case PCAP_SWAPPED_MAGIC:
332 /* Host that wrote it has a byte order opposite to ours,
333 and was running a program using either standard or
335 ld->cap_pipe_byte_swapped = TRUE;
336 ld->cap_pipe_modified = FALSE;
338 case PCAP_SWAPPED_MODIFIED_MAGIC:
339 /* Host that wrote it out has a byte order opposite to
340 ours, and was running a program using either ss990915
341 or ss991029 libpcap. */
342 ld->cap_pipe_byte_swapped = TRUE;
343 ld->cap_pipe_modified = TRUE;
346 /* Not a "libpcap" type we know about. */
347 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
351 /* Read the rest of the header */
353 while (bytes_read < sizeof(struct pcap_hdr)) {
356 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
357 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
359 g_snprintf(errmsg, errmsgl,
360 "Unexpected error from select: %s", strerror(errno));
362 } else if (sel_ret > 0) {
363 b = read(fd, ((char *)hdr)+bytes_read,
364 sizeof(struct pcap_hdr) - bytes_read);
367 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
369 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
377 if (ld->cap_pipe_byte_swapped) {
378 /* Byte-swap the header fields about which we care. */
379 hdr->version_major = BSWAP16(hdr->version_major);
380 hdr->version_minor = BSWAP16(hdr->version_minor);
381 hdr->snaplen = BSWAP32(hdr->snaplen);
382 hdr->network = BSWAP32(hdr->network);
385 if (hdr->version_major < 2) {
386 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
390 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
391 ld->cap_pipe_err = PIPOK;
395 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
396 ld->cap_pipe_err = PIPERR;
403 /* We read one record from the pipe, take care of byte order in the record
404 * header, write the record to the capture file, and update capture statistics. */
406 cap_pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr,
407 struct pcaprec_modified_hdr *rechdr, guchar *data,
408 char *errmsg, int errmsgl)
410 struct pcap_pkthdr phdr;
412 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
416 #ifdef LOG_CAPTURE_VERBOSE
417 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
420 switch (ld->cap_pipe_state) {
422 case STATE_EXPECT_REC_HDR:
423 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
424 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
425 ld->cap_pipe_bytes_read = 0;
426 ld->cap_pipe_state = STATE_READ_REC_HDR;
429 case STATE_READ_REC_HDR:
430 b = read(fd, ((char *)rechdr)+ld->cap_pipe_bytes_read,
431 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
434 result = PD_PIPE_EOF;
436 result = PD_PIPE_ERR;
439 if ((ld->cap_pipe_bytes_read += b) < ld->cap_pipe_bytes_to_read)
441 result = PD_REC_HDR_READ;
444 case STATE_EXPECT_DATA:
445 ld->cap_pipe_bytes_read = 0;
446 ld->cap_pipe_state = STATE_READ_DATA;
449 case STATE_READ_DATA:
450 b = read(fd, data+ld->cap_pipe_bytes_read, rechdr->hdr.incl_len - ld->cap_pipe_bytes_read);
453 result = PD_PIPE_EOF;
455 result = PD_PIPE_ERR;
458 if ((ld->cap_pipe_bytes_read += b) < rechdr->hdr.incl_len)
460 result = PD_DATA_READ;
464 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
467 } /* switch (ld->cap_pipe_state) */
470 * We've now read as much data as we were expecting, so process it.
474 case PD_REC_HDR_READ:
475 /* We've read the header. Take care of byte order. */
476 cap_pipe_adjust_header(ld, hdr, &rechdr->hdr);
477 if (rechdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
478 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
479 ld->counts.total+1, rechdr->hdr.incl_len);
482 ld->cap_pipe_state = STATE_EXPECT_DATA;
486 /* Fill in a "struct pcap_pkthdr", and process the packet. */
487 phdr.ts.tv_sec = rechdr->hdr.ts_sec;
488 phdr.ts.tv_usec = rechdr->hdr.ts_usec;
489 phdr.caplen = rechdr->hdr.incl_len;
490 phdr.len = rechdr->hdr.orig_len;
492 capture_loop_packet_cb((guchar *)ld, &phdr, data);
494 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
498 ld->cap_pipe_err = PIPEOF;
502 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
509 ld->cap_pipe_err = PIPERR;
510 /* Return here rather than inside the switch to prevent GCC warning */
513 #endif /* not _WIN32 */
516 /* open the capture input file (pcap or capture pipe) */
517 static int capture_loop_open_input(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
518 gchar open_err_str[PCAP_ERRBUF_SIZE];
519 const char *set_linktype_err_str;
522 WORD wVersionRequested;
525 static const char ppamsg[] = "can't find PPA for ";
526 const char *libpcap_warn;
530 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
532 /* Initialize Windows Socket if we are in a WIN32 OS
533 This needs to be done before querying the interface for network/netmask */
535 /* XXX - do we really require 1.1 or earlier?
536 Are there any versions that support only 2.0 or higher? */
537 wVersionRequested = MAKEWORD(1, 1);
538 err = WSAStartup(wVersionRequested, &wsaData);
543 g_snprintf(errmsg, errmsg_len,
544 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
547 case WSAVERNOTSUPPORTED:
548 g_snprintf(errmsg, errmsg_len,
549 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
550 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
554 g_snprintf(errmsg, errmsg_len,
555 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
559 g_snprintf(errmsg, errmsg_len,
560 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
564 g_snprintf(errmsg, errmsg_len,
565 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
569 g_snprintf(errmsg, errmsg_len,
570 "Couldn't initialize Windows Sockets: error %d", err);
577 /* Open the network interface to capture from it.
578 Some versions of libpcap may put warnings into the error buffer
579 if they succeed; to tell if that's happened, we have to clear
580 the error buffer, and check if it's still a null string. */
581 open_err_str[0] = '\0';
582 ld->pcap_h = pcap_open_live(capture_opts->iface,
583 capture_opts->has_snaplen ? capture_opts->snaplen :
584 WTAP_MAX_PACKET_SIZE,
585 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
588 if (ld->pcap_h != NULL) {
589 /* we've opened "iface" as a network device */
591 /* try to set the capture buffer size */
592 if (pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
593 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
594 "%sCouldn't set the capture buffer size!%s\n"
596 "The capture buffer size of %luMB seems to be too high for your machine,\n"
597 "the default of 1MB will be used.\n"
599 "Nonetheless, the capture is started.\n",
600 simple_dialog_primary_start(), simple_dialog_primary_end(), capture_opts->buffer_size);
604 /* setting the data link type only works on real interfaces */
605 if (capture_opts->linktype != -1) {
606 set_linktype_err_str = set_pcap_linktype(ld->pcap_h, capture_opts->iface,
607 capture_opts->linktype);
608 if (set_linktype_err_str != NULL) {
609 g_snprintf(errmsg, errmsg_len, "Unable to set data link type (%s).",
610 set_linktype_err_str);
615 /* We couldn't open "iface" as a network device. */
617 /* On Windows, we don't support capturing on pipes, so we give up. */
619 /* On Win32 OSes, the capture devices are probably available to all
620 users; don't warn about permissions problems.
622 Do, however, warn that WAN devices aren't supported. */
623 g_snprintf(errmsg, errmsg_len,
624 "%sThe capture session could not be initiated!%s\n"
628 "Please check that you have the proper interface specified.\n"
630 "Note that version 3.0 of WinPcap, and earlier versions of WinPcap, don't\n"
631 "support capturing on PPP/WAN interfaces in Windows NT 4.0 / 2000 / XP / Server 2003.\n"
633 "WinPcap 3.1 has experimental support for it on Windows 2000 / XP / Server 2003,\n"
634 "but has no support for it on Windows NT 4.0. WinPcap 3.1 is currently in beta,\n"
635 "so using it might introduce bugs not present in WinPcap 3.0; you should report\n"
636 "all problems you see to the WinPcap developers, so they can try to fix\n"
637 "them before the final WinPcap 3.1 release.",
638 simple_dialog_primary_start(), simple_dialog_primary_end(),
642 /* try to open iface as a pipe */
643 ld->cap_pipe_fd = cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, errmsg_len);
645 if (ld->cap_pipe_fd == -1) {
647 if (ld->cap_pipe_err == PIPNEXIST) {
648 /* Pipe doesn't exist, so output message for interface */
650 /* If we got a "can't find PPA for XXX" message, warn the user (who
651 is running Ethereal on HP-UX) that they don't have a version
652 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
653 versions, which properly handle HP-UX, say "can't find /dev/dlpi
654 PPA for XXX" rather than "can't find PPA for XXX"). */
655 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
658 "You are running Ethereal with a version of the libpcap library\n"
659 "that doesn't handle HP-UX network devices well; this means that\n"
660 "Ethereal may not be able to capture packets.\n"
662 "To fix this, you should install libpcap 0.6.2, or a later version\n"
663 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
664 "packaged binary form from the Software Porting And Archive Centre\n"
665 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
666 "at the URL lists a number of mirror sites.";
669 g_snprintf(errmsg, errmsg_len,
670 "The capture session could not be initiated (%s).\n"
671 "Please check to make sure you have sufficient permissions, and that\n"
672 "you have the proper interface or pipe specified.%s", open_err_str,
676 * Else pipe (or file) does exist and cap_pipe_open_live() has
681 /* cap_pipe_open_live() succeeded; don't want
682 error message from pcap_open_live() */
683 open_err_str[0] = '\0';
687 #ifdef MUST_DO_SELECT
688 if (!ld->from_cap_pipe) {
689 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
690 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
692 ld->pcap_fd = pcap_fileno(ld->pcap_h);
697 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
698 returned a warning; print it, but keep capturing. */
699 if (open_err_str[0] != '\0')
700 g_warning("%s.", open_err_str);
706 /* open the capture input file (pcap or capture pipe) */
707 static void capture_loop_close_input(loop_data *ld) {
709 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
712 /* if open, close the capture pipe "input file" */
713 if (ld->cap_pipe_fd >= 0) {
714 g_assert(ld->from_cap_pipe);
715 close(ld->cap_pipe_fd);
719 /* if open, close the pcap "input file" */
720 if(ld->pcap_h != NULL) {
721 g_assert(!ld->from_cap_pipe);
722 pcap_close(ld->pcap_h);
726 /* Shut down windows sockets */
732 /* init the capture filter */
733 static int capture_loop_init_filter(loop_data *ld, const gchar * iface, gchar * cfilter, char *errmsg, int errmsg_len) {
734 bpf_u_int32 netnum, netmask;
735 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
736 struct bpf_program fcode;
739 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
741 /* capture filters only work on real interfaces */
742 if (cfilter && !ld->from_cap_pipe) {
743 /* A capture filter was specified; set it up. */
744 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
746 * Well, we can't get the netmask for this interface; it's used
747 * only for filters that check for broadcast IP addresses, so
748 * we just punt and use 0. It might be nice to warn the user,
749 * but that's a pain in a GUI application, as it'd involve popping
750 * up a message box, and it's not clear how often this would make
751 * a difference (only filters that check for IP broadcast addresses
756 if (pcap_compile(ld->pcap_h, &fcode, cfilter, 1, netmask) < 0) {
757 dfilter_t *rfcode = NULL;
758 /* filter string invalid, did the user tried a display filter? */
759 if (dfilter_compile(cfilter, &rfcode) && rfcode != NULL) {
760 g_snprintf(errmsg, errmsg_len,
761 "%sInvalid capture filter: \"%s\"!%s\n"
763 "That string looks like a valid display filter; however, it isn't a valid\n"
764 "capture filter (%s).\n"
766 "Note that display filters and capture filters don't have the same syntax,\n"
767 "so you can't use most display filter expressions as capture filters.\n"
769 "See the help for a description of the capture filter syntax.",
770 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
771 pcap_geterr(ld->pcap_h));
772 dfilter_free(rfcode);
774 g_snprintf(errmsg, errmsg_len,
775 "%sInvalid capture filter: \"%s\"!%s\n"
777 "That string isn't a valid capture filter (%s).\n"
778 "See the help for a description of the capture filter syntax.",
779 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
780 pcap_geterr(ld->pcap_h));
784 if (pcap_setfilter(ld->pcap_h, &fcode) < 0) {
785 g_snprintf(errmsg, errmsg_len, "Can't install filter (%s).",
786 pcap_geterr(ld->pcap_h));
787 #ifdef HAVE_PCAP_FREECODE
788 pcap_freecode(&fcode);
792 #ifdef HAVE_PCAP_FREECODE
793 pcap_freecode(&fcode);
801 /* open the wiretap part of the capture output file */
802 static int capture_loop_init_wiretap_output(capture_options *capture_opts, int save_file_fd, loop_data *ld, char *errmsg, int errmsg_len) {
808 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_wiretap_output");
810 /* get packet encapsulation type and snaplen */
812 if (ld->from_cap_pipe) {
813 pcap_encap = ld->cap_pipe_hdr.network;
814 file_snaplen = ld->cap_pipe_hdr.snaplen;
818 pcap_encap = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
819 file_snaplen = pcap_snapshot(ld->pcap_h);
822 /* Set up to write to the capture file. */
823 ld->wtap_linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
824 if (ld->wtap_linktype == WTAP_ENCAP_UNKNOWN) {
825 g_snprintf(errmsg, errmsg_len,
826 "The network you're capturing from is of a type"
827 " that Ethereal doesn't support (data link type %d).", pcap_encap);
830 if (capture_opts->multi_files_on) {
831 ld->wtap_pdh = ringbuf_init_wtap_dump_fdopen(WTAP_FILE_PCAP, ld->wtap_linktype,
834 ld->wtap_pdh = wtap_dump_fdopen(save_file_fd, WTAP_FILE_PCAP,
835 ld->wtap_linktype, file_snaplen, &err);
838 if (ld->wtap_pdh == NULL) {
839 /* We couldn't set up to write to the capture file. */
842 case WTAP_ERR_CANT_OPEN:
843 strcpy(errmsg, "The file to which the capture would be saved"
844 " couldn't be created for some unknown reason.");
847 case WTAP_ERR_SHORT_WRITE:
848 strcpy(errmsg, "A full header couldn't be written to the file"
849 " to which the capture would be saved.");
854 g_snprintf(errmsg, errmsg_len,
855 "The file to which the capture would be"
856 " saved (\"%s\") could not be opened: Error %d.",
857 capture_opts->save_file, err);
859 g_snprintf(errmsg, errmsg_len,
860 "The file to which the capture would be"
861 " saved (\"%s\") could not be opened: %s.",
862 capture_opts->save_file, strerror(err));
873 static gboolean capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
875 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
877 if (capture_opts->multi_files_on) {
878 return ringbuf_wtap_dump_close(&capture_opts->save_file, err_close);
880 return wtap_dump_close(ld->wtap_pdh, err_close);
884 /* dispatch incoming packets (pcap or capture pipe) */
886 capture_loop_dispatch(capture_options *capture_opts, loop_data *ld,
887 char *errmsg, int errmsg_len) {
891 struct timeval timeout;
893 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
897 if (ld->from_cap_pipe) {
898 /* dispatch from capture pipe */
899 #ifdef LOG_CAPTURE_VERBOSE
900 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
903 FD_SET(ld->cap_pipe_fd, &set1);
905 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
906 sel_ret = select(ld->cap_pipe_fd+1, &set1, NULL, NULL, &timeout);
909 if (sel_ret < 0 && errno != EINTR) {
910 g_snprintf(errmsg, errmsg_len,
911 "Unexpected error from select: %s", strerror(errno));
912 capture_loop_popup_errmsg(capture_opts, errmsg);
917 * "select()" says we can read from the pipe without blocking
919 inpkts = cap_pipe_dispatch(ld->cap_pipe_fd, ld, &ld->cap_pipe_hdr, &ld->cap_pipe_rechdr, pcap_data,
929 /* dispatch from pcap */
930 #ifdef MUST_DO_SELECT
932 * Sigh. The semantics of the read timeout argument to
933 * "pcap_open_live()" aren't particularly well specified by
934 * the "pcap" man page - at least with the BSD BPF code, the
935 * intent appears to be, at least in part, a way of cutting
936 * down the number of reads done on a capture, by blocking
937 * until the buffer fills or a timer expires - and the Linux
938 * libpcap doesn't actually support it, so we can't use it
939 * to break out of the "pcap_dispatch()" every 1/4 of a second
940 * or so. Linux's libpcap is not the only libpcap that doesn't
941 * support the read timeout.
943 * Furthermore, at least on Solaris, the bufmod STREAMS module's
944 * read timeout won't go off if no data has arrived, i.e. it cannot
945 * be used to guarantee that a read from a DLPI stream will return
946 * within a specified amount of time regardless of whether any
947 * data arrives or not.
949 * Thus, on all platforms other than BSD, we do a "select()" on the
950 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
951 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
953 * "select()", on BPF devices, doesn't work as you might expect;
954 * at least on some versions of some flavors of BSD, the timer
955 * doesn't start until a read is done, so it won't expire if
956 * only a "select()" or "poll()" is posted.
958 * If we have "pcap_get_selectable_fd()", we use it to get the
959 * descriptor on which to select; if that's -1, it means there
960 * is no descriptor on which you can do a "select()" (perhaps
961 * because you're capturing on a special device, and that device's
962 * driver unfortunately doesn't support "select()", in which case
963 * we don't do the select - which means Ethereal might block,
964 * unable to accept user input, until a packet arrives. If
965 * that's unacceptable, plead with whoever supplies the software
966 * for that device to add "select()" support.
968 #ifdef LOG_CAPTURE_VERBOSE
969 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
971 if (ld->pcap_fd != -1) {
973 FD_SET(ld->pcap_fd, &set1);
975 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
976 sel_ret = select(ld->pcap_fd+1, &set1, NULL, NULL, &timeout);
979 * "select()" says we can read from it without blocking; go for
982 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (gchar *)ld);
989 if (sel_ret < 0 && errno != EINTR) {
990 g_snprintf(errmsg, errmsg_len,
991 "Unexpected error from select: %s", strerror(errno));
992 capture_loop_popup_errmsg(capture_opts, errmsg);
998 #endif /* MUST_DO_SELECT */
1000 /* dispatch from pcap without select */
1002 #ifdef LOG_CAPTURE_VERBOSE
1003 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
1005 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (gchar *) ld);
1007 ld->pcap_err = TRUE;
1012 #ifdef LOG_CAPTURE_VERBOSE
1013 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
1015 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
1017 /* WinPcap's remote capturing feature doesn't work, see http://wiki.ethereal.com/CaptureSetup_2fWinPcapRemote */
1018 /* for reference, an example remote interface: rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C} */
1020 /* emulate dispatch from pcap */
1022 struct pcap_pkthdr *pkt_header;
1026 while( (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1) {
1027 capture_loop_packet_cb( (gchar *) ld, pkt_header, pkt_data);
1032 ld->pcap_err = TRUE;
1041 #ifdef LOG_CAPTURE_VERBOSE
1042 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
1049 /* open the output file (temporary/specified name/ringbuffer) */
1050 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
1052 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
1053 char *errmsg, int errmsg_len) {
1055 char tmpname[128+1];
1056 gchar *capfile_name;
1057 gboolean is_tempfile;
1060 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
1061 (capture_opts->save_file) ? capture_opts->save_file : "");
1063 if (capture_opts->save_file != NULL) {
1064 /* We return to the caller while the capture is in progress.
1065 * Therefore we need to take a copy of save_file in
1066 * case the caller destroys it after we return.
1068 capfile_name = g_strdup(capture_opts->save_file);
1069 if (capture_opts->multi_files_on) {
1070 /* ringbuffer is enabled */
1071 *save_file_fd = ringbuf_init(capfile_name,
1072 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0);
1074 /* we need the ringbuf name */
1075 if(*save_file_fd != -1) {
1076 g_free(capfile_name);
1077 capfile_name = g_strdup(ringbuf_current_filename());
1080 /* Try to open/create the specified file for use as a capture buffer. */
1081 *save_file_fd = open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
1084 is_tempfile = FALSE;
1086 /* Choose a random name for the temporary capture buffer */
1087 *save_file_fd = create_tempfile(tmpname, sizeof tmpname, "ether");
1088 capfile_name = g_strdup(tmpname);
1092 /* did we fail to open the output file? */
1093 if (*save_file_fd == -1) {
1095 g_snprintf(errmsg, errmsg_len,
1096 "The temporary file to which the capture would be saved (\"%s\") "
1097 "could not be opened: %s.", capfile_name, strerror(errno));
1099 if (capture_opts->multi_files_on) {
1100 ringbuf_error_cleanup();
1103 g_snprintf(errmsg, errmsg_len,
1104 "The file to which the capture would be saved (\"%s\") "
1105 "could not be opened: %s.", capfile_name,
1108 /*open_failure_alert_box(capfile_name, errno, TRUE);*/
1110 g_free(capfile_name);
1114 if(capture_opts->save_file != NULL) {
1115 g_free(capture_opts->save_file);
1117 capture_opts->save_file = capfile_name;
1118 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
1119 "g_free(capfile_name)". */
1127 capture_loop_stop_signal_handler(int signo _U_)
1129 capture_loop_stop();
1134 #define TIME_GET() GetTickCount()
1136 #define TIME_GET() time(NULL)
1140 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
1143 static loop_data ld;
1145 /* Do the low-level work of a capture.
1146 Returns TRUE if it succeeds, FALSE otherwise. */
1148 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
1150 time_t upd_time, cur_time;
1152 int err_close, inpkts;
1153 condition *cnd_file_duration = NULL;
1154 condition *cnd_autostop_files = NULL;
1155 condition *cnd_autostop_size = NULL;
1156 condition *cnd_autostop_duration = NULL;
1157 guint32 autostop_files = 0;
1160 capture_info capture_ui;
1161 char errmsg[4096+1];
1165 /* init the loop data */
1167 if (capture_opts->has_autostop_packets)
1168 ld.packets_max = capture_opts->autostop_packets;
1170 ld.packets_max = 0; /* no limit */
1171 ld.err = 0; /* no error seen yet */
1172 ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
1173 ld.pcap_err = FALSE;
1174 ld.from_cap_pipe = FALSE;
1175 ld.packets_sync_pipe = 0;
1176 ld.counts.total = 0;
1184 ld.counts.netbios = 0;
1185 ld.counts.vines = 0;
1186 ld.counts.other = 0;
1190 ld.cap_pipe_fd = -1;
1192 #ifdef MUST_DO_SELECT
1198 * Catch SIGUSR1, so that we exit cleanly if the parent process
1199 * kills us with it due to the user selecting "Capture->Stop".
1201 signal(SIGUSR1, capture_loop_stop_signal_handler);
1204 /* We haven't yet gotten the capture statistics. */
1205 *stats_known = FALSE;
1207 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child starting ...");
1208 #ifdef LOG_CAPTURE_VERBOSE
1209 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
1212 /* open the output file (temporary/specified name/ringbuffer) */
1213 if (!capture_loop_open_output(capture_opts, &save_file_fd, errmsg, sizeof(errmsg))) {
1217 /* open the "input file" from network interface or capture pipe */
1218 if (!capture_loop_open_input(capture_opts, &ld, errmsg, sizeof(errmsg))) {
1222 /* init the input filter from the network interface (capture pipe will do nothing) */
1223 if (!capture_loop_init_filter(&ld, capture_opts->iface, capture_opts->cfilter, errmsg, sizeof(errmsg))) {
1227 /* open the wiretap part of the output file (the output file is already open) */
1228 if (!capture_loop_init_wiretap_output(capture_opts, save_file_fd, &ld, errmsg, sizeof(errmsg))) {
1232 /* XXX - capture SIGTERM and close the capture, in case we're on a
1233 Linux 2.0[.x] system and you have to explicitly close the capture
1234 stream in order to turn promiscuous mode off? We need to do that
1235 in other places as well - and I don't think that works all the
1236 time in any case, due to libpcap bugs. */
1238 /* Well, we should be able to start capturing.
1240 Sync out the capture file, so the header makes it to the file system,
1241 and send a "capture started successfully and capture file created"
1242 message to our parent so that they'll open the capture file and
1243 update its windows to indicate that we have a live capture in
1245 fflush(wtap_dump_file(ld.wtap_pdh));
1246 sync_pipe_filename_to_parent(capture_opts->save_file);
1248 /* initialize capture stop (and alike) conditions */
1249 init_capture_stop_conditions();
1250 /* create stop conditions */
1251 if (capture_opts->has_autostop_filesize)
1253 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize);
1254 if (capture_opts->has_autostop_duration)
1255 cnd_autostop_duration =
1256 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
1258 if (capture_opts->multi_files_on) {
1259 if (capture_opts->has_file_duration)
1261 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
1263 if (capture_opts->has_autostop_files)
1264 cnd_autostop_files =
1265 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
1268 /* start capture info dialog */
1269 if(capture_opts->show_info) {
1270 capture_ui.callback_data = &ld;
1271 capture_ui.counts = &ld.counts;
1272 capture_info_create(&capture_ui, capture_opts->iface);
1275 /* init the time values */
1276 start_time = TIME_GET();
1277 upd_time = TIME_GET();
1280 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child running!");
1282 /* WOW, everything is prepared! */
1283 /* please fasten your seat belts, we will enter now the actual capture loop */
1285 main_window_update();
1287 /* dispatch incoming packets */
1288 inpkts = capture_loop_dispatch(capture_opts, &ld, errmsg, sizeof(errmsg));
1290 main_window_update();
1293 /* some news from our parent (signal pipe)? -> just stop the capture */
1300 handle = (HANDLE) _get_osfhandle (0);
1301 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
1303 if(!result || avail > 0) {
1305 /*g_warning("loop closing");*/
1311 ld.packets_sync_pipe += inpkts;
1313 /* check capture size condition */
1314 if (cnd_autostop_size != NULL && cnd_eval(cnd_autostop_size,
1315 (guint32)wtap_get_bytes_dumped(ld.wtap_pdh))){
1316 /* Capture size limit reached, do we have another file? */
1317 if (capture_opts->multi_files_on) {
1318 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1319 /* no files left: stop here */
1324 /* Switch to the next ringbuffer file */
1325 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &save_file_fd, &ld.err)) {
1326 /* File switch succeeded: reset the conditions */
1327 cnd_reset(cnd_autostop_size);
1328 if (cnd_file_duration) {
1329 cnd_reset(cnd_file_duration);
1331 fflush(wtap_dump_file(ld.wtap_pdh));
1332 sync_pipe_filename_to_parent(capture_opts->save_file);
1334 /* File switch failed: stop here */
1339 /* single file, stop now */
1343 } /* cnd_autostop_size */
1346 /* Only update once a second so as not to overload slow displays */
1347 cur_time = TIME_GET();
1349 if ( (cur_time - upd_time) > 500) {
1351 if (cur_time - upd_time > 0) {
1353 upd_time = cur_time;
1355 /*if (pcap_stats(pch, stats) >= 0) {
1356 *stats_known = TRUE;
1359 /* calculate and display running time */
1360 if(capture_opts->show_info) {
1361 cur_time -= start_time;
1363 capture_ui.running_time = cur_time / 1000;
1365 capture_ui.running_time = cur_time;
1367 capture_ui.new_packets = ld.packets_sync_pipe;
1368 capture_info_update(&capture_ui);
1371 /* Let the parent process know. */
1372 if (ld.packets_sync_pipe) {
1374 fflush(wtap_dump_file(ld.wtap_pdh));
1376 /* Send our parent a message saying we've written out "ld.sync_packets"
1377 packets to the capture file. */
1378 sync_pipe_packet_count_to_parent(ld.packets_sync_pipe);
1380 ld.packets_sync_pipe = 0;
1383 /* check capture duration condition */
1384 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
1385 /* The maximum capture time has elapsed; stop the capture. */
1390 /* check capture file duration condition */
1391 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
1392 /* duration limit reached, do we have another file? */
1393 if (capture_opts->multi_files_on) {
1394 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1395 /* no files left: stop here */
1400 /* Switch to the next ringbuffer file */
1401 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &save_file_fd, &ld.err)) {
1402 /* file switch succeeded: reset the conditions */
1403 cnd_reset(cnd_file_duration);
1404 if(cnd_autostop_size)
1405 cnd_reset(cnd_autostop_size);
1406 fflush(wtap_dump_file(ld.wtap_pdh));
1407 sync_pipe_filename_to_parent(capture_opts->save_file);
1409 /* File switch failed: stop here */
1414 /* single file, stop now */
1418 } /* cnd_file_duration */
1421 } /* while (ld.go) */
1423 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child stopping ...");
1425 /* close capture info dialog */
1426 if(capture_opts->show_info) {
1427 capture_info_destroy(&capture_ui);
1430 /* delete stop conditions */
1431 if (cnd_file_duration != NULL)
1432 cnd_delete(cnd_file_duration);
1433 if (cnd_autostop_files != NULL)
1434 cnd_delete(cnd_autostop_files);
1435 if (cnd_autostop_size != NULL)
1436 cnd_delete(cnd_autostop_size);
1437 if (cnd_autostop_duration != NULL)
1438 cnd_delete(cnd_autostop_duration);
1440 /* did we had a pcap (input) error? */
1442 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
1443 pcap_geterr(ld.pcap_h));
1444 capture_loop_popup_errmsg(capture_opts, errmsg);
1447 else if (ld.from_cap_pipe && ld.cap_pipe_err == PIPERR)
1448 capture_loop_popup_errmsg(capture_opts, errmsg);
1451 /* did we had an error while capturing? */
1455 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, ld.err,
1457 capture_loop_popup_errmsg(capture_opts, errmsg);
1461 /* close the wiretap (output) file */
1462 close_ok = capture_loop_close_output(capture_opts, &ld, &err_close);
1464 /* If we've displayed a message about a write error, there's no point
1465 in displaying another message about an error on close. */
1466 if (!close_ok && write_ok) {
1467 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
1469 capture_loop_popup_errmsg(capture_opts, errmsg);
1473 * XXX We exhibit different behaviour between normal mode and sync mode
1474 * when the pipe is stdin and not already at EOF. If we're a child, the
1475 * parent's stdin isn't closed, so if the user starts another capture,
1476 * cap_pipe_open_live() will very likely not see the expected magic bytes and
1477 * will say "Unrecognized libpcap format". On the other hand, in normal
1478 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
1481 /* get packet drop statistics from pcap */
1482 if(ld.pcap_h != NULL) {
1483 g_assert(!ld.from_cap_pipe);
1484 /* Get the capture statistics, so we know how many packets were
1486 if (pcap_stats(ld.pcap_h, stats) >= 0) {
1487 *stats_known = TRUE;
1488 /* Let the parent process know. */
1489 sync_pipe_drops_to_parent(stats->ps_drop);
1491 g_snprintf(errmsg, sizeof(errmsg),
1492 "Can't get packet-drop statistics: %s",
1493 pcap_geterr(ld.pcap_h));
1494 capture_loop_popup_errmsg(capture_opts, errmsg);
1498 /* close the input file (pcap or capture pipe) */
1499 capture_loop_close_input(&ld);
1501 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child stopped!");
1503 /* ok, if the write and the close were successful. */
1504 return write_ok && close_ok;
1507 if (capture_opts->multi_files_on) {
1508 /* cleanup ringbuffer */
1509 ringbuf_error_cleanup();
1511 /* We can't use the save file, and we have no wtap_dump stream
1512 to close in order to close it, so close the FD directly. */
1513 close(save_file_fd);
1515 /* We couldn't even start the capture, so get rid of the capture
1517 unlink(capture_opts->save_file); /* silently ignore error */
1518 g_free(capture_opts->save_file);
1520 capture_opts->save_file = NULL;
1521 capture_loop_popup_errmsg(capture_opts, errmsg);
1523 /* close the input file (pcap or cap_pipe) */
1524 capture_loop_close_input(&ld);
1526 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child stopped with error");
1532 void capture_loop_stop(void)
1539 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
1540 int err, gboolean is_close)
1545 g_snprintf(errmsg, errmsglen,
1546 "Not all the packets could be written to the file"
1547 " to which the capture was being saved\n"
1548 "(\"%s\") because there is no space left on the file system\n"
1549 "on which that file resides.",
1555 g_snprintf(errmsg, errmsglen,
1556 "Not all the packets could be written to the file"
1557 " to which the capture was being saved\n"
1558 "(\"%s\") because you are too close to, or over,"
1559 " your disk quota\n"
1560 "on the file system on which that file resides.",
1565 case WTAP_ERR_CANT_CLOSE:
1566 g_snprintf(errmsg, errmsglen,
1567 "The file to which the capture was being saved"
1568 " couldn't be closed for some unknown reason.");
1571 case WTAP_ERR_SHORT_WRITE:
1572 g_snprintf(errmsg, errmsglen,
1573 "Not all the packets could be written to the file"
1574 " to which the capture was being saved\n"
1581 g_snprintf(errmsg, errmsglen,
1582 "The file to which the capture was being saved\n"
1583 "(\"%s\") could not be closed: %s.",
1584 fname, wtap_strerror(err));
1586 g_snprintf(errmsg, errmsglen,
1587 "An error occurred while writing to the file"
1588 " to which the capture was being saved\n"
1590 fname, wtap_strerror(err));
1597 capture_loop_popup_errmsg(capture_options *capture_opts _U_, const char *errmsg)
1599 /* Send the error message to our parent, so they can display a
1600 dialog box containing it. */
1601 sync_pipe_errmsg_to_parent(errmsg);
1605 /* one packet was captured, process it */
1607 capture_loop_packet_cb(guchar *user, const struct pcap_pkthdr *phdr,
1610 struct wtap_pkthdr whdr;
1611 union wtap_pseudo_header pseudo_header;
1612 loop_data *ld = (loop_data *) user;
1615 /* if the user told us to stop after x packets, do we have enough? */
1617 if ((ld->packets_max > 0) && (ld->counts.total >= ld->packets_max))
1622 /* Convert from libpcap to Wiretap format.
1623 If that fails, set "ld->go" to FALSE, to stop the capture, and set
1624 "ld->err" to the error. */
1625 pd = wtap_process_pcap_packet(ld->wtap_linktype, phdr, pd, &pseudo_header,
1634 /* We're supposed to write the packet to a file; do so.
1635 If this fails, set "ld->go" to FALSE, to stop the capture, and set
1636 "ld->err" to the error. */
1637 if (!wtap_dump(ld->wtap_pdh, &whdr, &pseudo_header, pd, &err)) {
1643 switch (ld->wtap_linktype) {
1644 case WTAP_ENCAP_ETHERNET:
1645 capture_eth(pd, 0, whdr.caplen, &ld->counts);
1647 case WTAP_ENCAP_FDDI:
1648 case WTAP_ENCAP_FDDI_BITSWAPPED:
1649 capture_fddi(pd, whdr.caplen, &ld->counts);
1651 case WTAP_ENCAP_PRISM_HEADER:
1652 capture_prism(pd, 0, whdr.caplen, &ld->counts);
1654 case WTAP_ENCAP_TOKEN_RING:
1655 capture_tr(pd, 0, whdr.caplen, &ld->counts);
1657 case WTAP_ENCAP_NULL:
1658 capture_null(pd, whdr.caplen, &ld->counts);
1660 case WTAP_ENCAP_PPP:
1661 capture_ppp_hdlc(pd, 0, whdr.caplen, &ld->counts);
1663 case WTAP_ENCAP_RAW_IP:
1664 capture_raw(pd, whdr.caplen, &ld->counts);
1666 case WTAP_ENCAP_SLL:
1667 capture_sll(pd, whdr.caplen, &ld->counts);
1669 case WTAP_ENCAP_LINUX_ATM_CLIP:
1670 capture_clip(pd, whdr.caplen, &ld->counts);
1672 case WTAP_ENCAP_IEEE_802_11:
1673 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1674 capture_ieee80211(pd, 0, whdr.caplen, &ld->counts);
1676 case WTAP_ENCAP_CHDLC:
1677 capture_chdlc(pd, 0, whdr.caplen, &ld->counts);
1679 case WTAP_ENCAP_LOCALTALK:
1680 capture_llap(&ld->counts);
1682 case WTAP_ENCAP_ATM_PDUS:
1683 capture_atm(&pseudo_header, pd, whdr.caplen, &ld->counts);
1685 case WTAP_ENCAP_IP_OVER_FC:
1686 capture_ipfc(pd, whdr.caplen, &ld->counts);
1688 case WTAP_ENCAP_ARCNET:
1689 capture_arcnet(pd, whdr.caplen, &ld->counts, FALSE, TRUE);
1691 case WTAP_ENCAP_ARCNET_LINUX:
1692 capture_arcnet(pd, whdr.caplen, &ld->counts, TRUE, FALSE);
1694 case WTAP_ENCAP_APPLE_IP_OVER_IEEE1394:
1695 capture_ap1394(pd, 0, whdr.caplen, &ld->counts);
1697 case WTAP_ENCAP_FRELAY:
1698 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1699 capture_fr(pd, 0, whdr.caplen, &ld->counts);
1701 /* XXX - some ATM drivers on FreeBSD might prepend a 4-byte ATM
1702 pseudo-header to DLT_ATM_RFC1483, with LLC header following;
1703 we might have to implement that at some point. */
1707 #endif /* HAVE_LIBPCAP */