2 * The actual capturing loop, getting packets and storing it
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 * Capture loop (internal interface).
30 * It will open the input and output files, capture the packets,
31 * change ringbuffer output files while capturing and close all files again.
33 * The input file can be a network interface or capture pipe (unix only).
34 * The output file can be a single or a ringbuffer file handled by wiretap.
54 #ifdef HAVE_SYS_TYPES_H
55 # include <sys/types.h>
58 #ifdef HAVE_SYS_STAT_H
59 # include <sys/stat.h>
69 #include <epan/packet.h>
71 #include "capture_sync.h"
72 #include "pcap-util.h"
74 #include "simple_dialog.h"
75 #include "conditions.h"
76 #include "capture_stop_conditions.h"
77 #include "ringbuffer.h"
79 #include "wiretap/libpcap.h"
80 #include "wiretap/wtap.h"
81 #include "wiretap/wtap-capture.h"
83 #include <epan/prefs.h>
84 /* XXX - try to remove this later */
86 /* XXX - try to remove this later */
89 #include <epan/dissectors/packet-ap1394.h>
90 #include <epan/dissectors/packet-atalk.h>
91 #include <epan/dissectors/packet-atm.h>
92 #include <epan/dissectors/packet-clip.h>
93 #include <epan/dissectors/packet-eth.h>
94 #include <epan/dissectors/packet-fddi.h>
95 #include <epan/dissectors/packet-fr.h>
96 #include <epan/dissectors/packet-null.h>
97 #include <epan/dissectors/packet-ppp.h>
98 #include <epan/dissectors/packet-raw.h>
99 #include <epan/dissectors/packet-sll.h>
100 #include <epan/dissectors/packet-tr.h>
101 #include <epan/dissectors/packet-ieee80211.h>
102 #include <epan/dissectors/packet-chdlc.h>
103 #include <epan/dissectors/packet-prism.h>
104 #include <epan/dissectors/packet-ipfc.h>
105 #include <epan/dissectors/packet-arcnet.h>
111 * We don't want to do a "select()" on the pcap_t's file descriptor on
112 * BSD (because "select()" doesn't work correctly on BPF devices on at
113 * least some releases of some flavors of BSD), and we don't want to do
114 * it on Windows (because "select()" is something for sockets, not for
115 * arbitrary handles). (Note that "Windows" here includes Cygwin;
116 * even in its pretend-it's-UNIX environment, we're using WinPcap, not
119 * We *do* want to do it on other platforms, as, on other platforms (with
120 * the possible exception of Ultrix and Digital UNIX), the read timeout
121 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
122 * will block until packets arrive, causing the UI to hang.
124 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
125 * want to include it if it's not present on this platform, however.
127 #if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
128 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
130 # define MUST_DO_SELECT
134 typedef struct _loop_data {
136 gboolean go; /* TRUE as long as we're supposed to keep capturing */
137 int err; /* if non-zero, error seen while capturing */
138 gint packets_max; /* Number of packets we're supposed to capture - 0 means infinite */
139 gint packets_sync_pipe; /* packets not already send out to the sync_pipe */
140 packet_counts counts; /* several packet type counters */
142 /* pcap "input file" */
143 pcap_t *pcap_h; /* pcap handle */
144 gboolean pcap_err; /* TRUE if error from pcap */
145 #ifdef MUST_DO_SELECT
146 int pcap_fd; /* pcap file descriptor */
149 /* capture pipe (unix only "input file") */
150 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
152 struct pcap_hdr cap_pipe_hdr;
153 int cap_pipe_fd; /* the file descriptor of the capture pipe */
154 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
155 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
156 unsigned int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
157 unsigned int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
159 STATE_EXPECT_REC_HDR,
165 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
168 /* wiretap (output file) */
169 wtap_dumper *wtap_pdh;
176 * Timeout, in milliseconds, for reads from the stream of captured packets.
178 #define CAP_READ_TIMEOUT 250
180 static void capture_loop_packet_cb(guchar *user, const struct pcap_pkthdr *phdr,
182 static void capture_loop_popup_errmsg(capture_options *capture_opts, const char *errmsg);
183 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
184 int err, gboolean is_close);
189 /* Take care of byte order in the libpcap headers read from pipes.
190 * (function taken from wiretap/libpcap.c) */
192 cap_pipe_adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
194 if (ld->cap_pipe_byte_swapped) {
195 /* Byte-swap the record header fields. */
196 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
197 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
198 rechdr->incl_len = BSWAP32(rechdr->incl_len);
199 rechdr->orig_len = BSWAP32(rechdr->orig_len);
202 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
203 swapped, in order to match the BPF header layout.
205 Unfortunately, some files were, according to a comment in the "libpcap"
206 source, written with version 2.3 in their headers but without the
207 interchanged fields, so if "incl_len" is greater than "orig_len" - which
208 would make no sense - we assume that we need to swap them. */
209 if (hdr->version_major == 2 &&
210 (hdr->version_minor < 3 ||
211 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
214 temp = rechdr->orig_len;
215 rechdr->orig_len = rechdr->incl_len;
216 rechdr->incl_len = temp;
220 /* Mimic pcap_open_live() for pipe captures
221 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
223 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
224 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
226 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
227 char *errmsg, int errmsgl)
229 struct stat pipe_stat;
233 unsigned int bytes_read;
235 struct timeval timeout;
238 * XXX Ethereal blocks until we return
240 if (strcmp(pipename, "-") == 0)
241 fd = 0; /* read from stdin */
243 if (stat(pipename, &pipe_stat) < 0) {
244 if (errno == ENOENT || errno == ENOTDIR)
245 ld->cap_pipe_err = PIPNEXIST;
247 g_snprintf(errmsg, errmsgl,
248 "The capture session could not be initiated "
249 "due to error on pipe: %s", strerror(errno));
250 ld->cap_pipe_err = PIPERR;
254 if (! S_ISFIFO(pipe_stat.st_mode)) {
255 if (S_ISCHR(pipe_stat.st_mode)) {
257 * Assume the user specified an interface on a system where
258 * interfaces are in /dev. Pretend we haven't seen it.
260 ld->cap_pipe_err = PIPNEXIST;
262 g_snprintf(errmsg, errmsgl,
263 "The capture session could not be initiated because\n"
264 "\"%s\" is neither an interface nor a pipe", pipename);
265 ld->cap_pipe_err = PIPERR;
269 fd = open(pipename, O_RDONLY | O_NONBLOCK);
271 g_snprintf(errmsg, errmsgl,
272 "The capture session could not be initiated "
273 "due to error on pipe open: %s", strerror(errno));
274 ld->cap_pipe_err = PIPERR;
279 ld->from_cap_pipe = TRUE;
281 /* read the pcap header */
284 while (bytes_read < sizeof magic) {
287 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
288 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
290 g_snprintf(errmsg, errmsgl,
291 "Unexpected error from select: %s", strerror(errno));
293 } else if (sel_ret > 0) {
294 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
297 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
299 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
309 /* Host that wrote it has our byte order, and was running
310 a program using either standard or ss990417 libpcap. */
311 ld->cap_pipe_byte_swapped = FALSE;
312 ld->cap_pipe_modified = FALSE;
314 case PCAP_MODIFIED_MAGIC:
315 /* Host that wrote it has our byte order, but was running
316 a program using either ss990915 or ss991029 libpcap. */
317 ld->cap_pipe_byte_swapped = FALSE;
318 ld->cap_pipe_modified = TRUE;
320 case PCAP_SWAPPED_MAGIC:
321 /* Host that wrote it has a byte order opposite to ours,
322 and was running a program using either standard or
324 ld->cap_pipe_byte_swapped = TRUE;
325 ld->cap_pipe_modified = FALSE;
327 case PCAP_SWAPPED_MODIFIED_MAGIC:
328 /* Host that wrote it out has a byte order opposite to
329 ours, and was running a program using either ss990915
330 or ss991029 libpcap. */
331 ld->cap_pipe_byte_swapped = TRUE;
332 ld->cap_pipe_modified = TRUE;
335 /* Not a "libpcap" type we know about. */
336 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
340 /* Read the rest of the header */
342 while (bytes_read < sizeof(struct pcap_hdr)) {
345 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
346 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
348 g_snprintf(errmsg, errmsgl,
349 "Unexpected error from select: %s", strerror(errno));
351 } else if (sel_ret > 0) {
352 b = read(fd, ((char *)hdr)+bytes_read,
353 sizeof(struct pcap_hdr) - bytes_read);
356 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
358 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
366 if (ld->cap_pipe_byte_swapped) {
367 /* Byte-swap the header fields about which we care. */
368 hdr->version_major = BSWAP16(hdr->version_major);
369 hdr->version_minor = BSWAP16(hdr->version_minor);
370 hdr->snaplen = BSWAP32(hdr->snaplen);
371 hdr->network = BSWAP32(hdr->network);
374 if (hdr->version_major < 2) {
375 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
379 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
380 ld->cap_pipe_err = PIPOK;
384 ld->cap_pipe_err = PIPERR;
391 /* We read one record from the pipe, take care of byte order in the record
392 * header, write the record to the capture file, and update capture statistics. */
394 cap_pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr,
395 struct pcaprec_modified_hdr *rechdr, guchar *data,
396 char *errmsg, int errmsgl)
398 struct pcap_pkthdr phdr;
400 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
403 switch (ld->cap_pipe_state) {
405 case STATE_EXPECT_REC_HDR:
406 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
407 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
408 ld->cap_pipe_bytes_read = 0;
409 ld->cap_pipe_state = STATE_READ_REC_HDR;
412 case STATE_READ_REC_HDR:
413 b = read(fd, ((char *)rechdr)+ld->cap_pipe_bytes_read,
414 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
417 result = PD_PIPE_EOF;
419 result = PD_PIPE_ERR;
422 if ((ld->cap_pipe_bytes_read += b) < ld->cap_pipe_bytes_to_read)
424 result = PD_REC_HDR_READ;
427 case STATE_EXPECT_DATA:
428 ld->cap_pipe_bytes_read = 0;
429 ld->cap_pipe_state = STATE_READ_DATA;
432 case STATE_READ_DATA:
433 b = read(fd, data+ld->cap_pipe_bytes_read, rechdr->hdr.incl_len - ld->cap_pipe_bytes_read);
436 result = PD_PIPE_EOF;
438 result = PD_PIPE_ERR;
441 if ((ld->cap_pipe_bytes_read += b) < rechdr->hdr.incl_len)
443 result = PD_DATA_READ;
447 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
450 } /* switch (ld->cap_pipe_state) */
453 * We've now read as much data as we were expecting, so process it.
457 case PD_REC_HDR_READ:
458 /* We've read the header. Take care of byte order. */
459 cap_pipe_adjust_header(ld, hdr, &rechdr->hdr);
460 if (rechdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
461 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
462 ld->counts.total+1, rechdr->hdr.incl_len);
465 ld->cap_pipe_state = STATE_EXPECT_DATA;
469 /* Fill in a "struct pcap_pkthdr", and process the packet. */
470 phdr.ts.tv_sec = rechdr->hdr.ts_sec;
471 phdr.ts.tv_usec = rechdr->hdr.ts_usec;
472 phdr.caplen = rechdr->hdr.incl_len;
473 phdr.len = rechdr->hdr.orig_len;
475 capture_loop_packet_cb((guchar *)ld, &phdr, data);
477 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
481 ld->cap_pipe_err = PIPEOF;
485 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
492 ld->cap_pipe_err = PIPERR;
493 /* Return here rather than inside the switch to prevent GCC warning */
496 #endif /* not _WIN32 */
499 /* open the capture input file (pcap or capture pipe) */
500 static int capture_loop_open_input(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
501 gchar open_err_str[PCAP_ERRBUF_SIZE];
502 const char *set_linktype_err_str;
505 WORD wVersionRequested;
508 static const char ppamsg[] = "can't find PPA for ";
512 /* Initialize Windows Socket if we are in a WIN32 OS
513 This needs to be done before querying the interface for network/netmask */
515 /* XXX - do we really require 1.1 or earlier?
516 Are there any versions that support only 2.0 or higher? */
517 wVersionRequested = MAKEWORD(1, 1);
518 err = WSAStartup(wVersionRequested, &wsaData);
523 g_snprintf(errmsg, errmsg_len,
524 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
527 case WSAVERNOTSUPPORTED:
528 g_snprintf(errmsg, errmsg_len,
529 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
530 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
534 g_snprintf(errmsg, errmsg_len,
535 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
539 g_snprintf(errmsg, errmsg_len,
540 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
544 g_snprintf(errmsg, errmsg_len,
545 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
549 g_snprintf(errmsg, errmsg_len,
550 "Couldn't initialize Windows Sockets: error %d", err);
557 /* Open the network interface to capture from it.
558 Some versions of libpcap may put warnings into the error buffer
559 if they succeed; to tell if that's happened, we have to clear
560 the error buffer, and check if it's still a null string. */
561 open_err_str[0] = '\0';
562 ld->pcap_h = pcap_open_live(capture_opts->iface,
563 capture_opts->has_snaplen ? capture_opts->snaplen :
564 WTAP_MAX_PACKET_SIZE,
565 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
568 if (ld->pcap_h != NULL) {
569 /* we've opened "iface" as a network device */
571 /* try to set the capture buffer size */
572 if (pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
573 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
574 "%sCouldn't set the capture buffer size!%s\n"
576 "The capture buffer size of %luMB seems to be too high for your machine,\n"
577 "the default of 1MB will be used.\n"
579 "Nonetheless, the capture is started.\n",
580 simple_dialog_primary_start(), simple_dialog_primary_end(), capture_opts->buffer_size);
584 /* setting the data link type only works on real interfaces */
585 if (capture_opts->linktype != -1) {
586 set_linktype_err_str = set_pcap_linktype(ld->pcap_h, capture_opts->iface,
587 capture_opts->linktype);
588 if (set_linktype_err_str != NULL) {
589 g_snprintf(errmsg, errmsg_len, "Unable to set data link type (%s).",
590 set_linktype_err_str);
595 /* We couldn't open "iface" as a network device. */
597 /* On Windows, we don't support capturing on pipes, so we give up.
598 If this is a child process that does the capturing in sync
599 mode or fork mode, it shouldn't do any UI stuff until we pop up the
600 capture-progress window, and, since we couldn't start the
601 capture, we haven't popped it up. */
602 if (!capture_opts->capture_child) {
603 main_window_update();
606 /* On Win32 OSes, the capture devices are probably available to all
607 users; don't warn about permissions problems.
609 Do, however, warn that WAN devices aren't supported. */
610 g_snprintf(errmsg, errmsg_len,
611 "The capture session could not be initiated (%s).\n"
612 "Please check that you have the proper interface specified.\n"
614 "Note that version 3.0 of WinPcap, and earlier versions of WinPcap, don't\n"
615 "support capturing on PPP/WAN interfaces in Windows NT 4.0, Windows 2000,\n"
616 "Windows XP, or Windows Server 2003. WinPcap 3.1 has experimental support\n"
617 "for it on Windows 2000, Windows XP, and Windows Server 2003, but has no\n"
618 "support for it on Windows NT 4.0. WinPcap 3.1 is currently in beta, so\n"
619 "using it might introduce bugs not present in WinPcap 3.0; you should report\n"
620 "all problems you see to the WinPcap developers, so they can try to fix\n"
621 "them before the final WinPcap 3.1 release.",
625 /* try to open iface as a pipe */
626 ld->cap_pipe_fd = cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, errmsg_len);
628 if (ld->cap_pipe_fd == -1) {
630 /* If this is a child process that does the capturing in sync
631 * mode or fork mode, it shouldn't do any UI stuff until we pop up the
632 * capture-progress window, and, since we couldn't start the
633 * capture, we haven't popped it up.
635 if (!capture_opts->capture_child) {
636 main_window_update();
639 if (ld->cap_pipe_err == PIPNEXIST) {
640 /* Pipe doesn't exist, so output message for interface */
642 /* If we got a "can't find PPA for XXX" message, warn the user (who
643 is running Ethereal on HP-UX) that they don't have a version
644 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
645 versions, which properly handle HP-UX, say "can't find /dev/dlpi
646 PPA for XXX" rather than "can't find PPA for XXX"). */
647 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
650 "You are running Ethereal with a version of the libpcap library\n"
651 "that doesn't handle HP-UX network devices well; this means that\n"
652 "Ethereal may not be able to capture packets.\n"
654 "To fix this, you should install libpcap 0.6.2, or a later version\n"
655 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
656 "packaged binary form from the Software Porting And Archive Centre\n"
657 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
658 "at the URL lists a number of mirror sites.";
661 g_snprintf(errmsg, errmsg_len,
662 "The capture session could not be initiated (%s).\n"
663 "Please check to make sure you have sufficient permissions, and that\n"
664 "you have the proper interface or pipe specified.%s", open_err_str,
668 * Else pipe (or file) does exist and cap_pipe_open_live() has
673 /* cap_pipe_open_live() succeeded; don't want
674 error message from pcap_open_live() */
675 open_err_str[0] = '\0';
679 #ifdef MUST_DO_SELECT
680 if (!ld->from_cap_pipe) ld->pcap_fd = pcap_fileno(ld->pcap_h);
683 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
684 returned a warning; print it, but keep capturing. */
685 if (open_err_str[0] != '\0')
686 g_warning("%s.", open_err_str);
692 /* open the capture input file (pcap or capture pipe) */
693 static void capture_loop_close_input(loop_data *ld) {
695 /* if open, close the capture pipe "input file" */
696 if (ld->cap_pipe_fd >= 0) {
697 g_assert(ld->from_cap_pipe);
698 close(ld->cap_pipe_fd);
702 /* if open, close the pcap "input file" */
703 if(ld->pcap_h != NULL) {
704 g_assert(!ld->from_cap_pipe);
705 pcap_close(ld->pcap_h);
709 /* Shut down windows sockets */
715 /* init the capture filter */
716 static int capture_loop_init_filter(loop_data *ld, const gchar * iface, gchar * cfilter, char *errmsg, int errmsg_len) {
717 bpf_u_int32 netnum, netmask;
718 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
719 struct bpf_program fcode;
721 /* capture filters only work on real interfaces */
722 if (cfilter && !ld->from_cap_pipe) {
723 /* A capture filter was specified; set it up. */
724 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
726 * Well, we can't get the netmask for this interface; it's used
727 * only for filters that check for broadcast IP addresses, so
728 * we just punt and use 0. It might be nice to warn the user,
729 * but that's a pain in a GUI application, as it'd involve popping
730 * up a message box, and it's not clear how often this would make
731 * a difference (only filters that check for IP broadcast addresses
736 if (pcap_compile(ld->pcap_h, &fcode, cfilter, 1, netmask) < 0) {
737 dfilter_t *rfcode = NULL;
738 /* filter string invalid, did the user tried a display filter? */
739 if (dfilter_compile(cfilter, &rfcode) && rfcode != NULL) {
740 g_snprintf(errmsg, errmsg_len,
741 "%sInvalid capture filter: \"%s\"!%s\n"
743 "That string looks like a valid display filter; however, it isn't a valid\n"
744 "capture filter (%s).\n"
746 "Note that display filters and capture filters don't have the same syntax,\n"
747 "so you can't use most display filter expressions as capture filters.\n"
749 "See the help for a description of the capture filter syntax.",
750 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
751 pcap_geterr(ld->pcap_h));
752 dfilter_free(rfcode);
754 g_snprintf(errmsg, errmsg_len,
755 "%sInvalid capture filter: \"%s\"!%s\n"
757 "That string isn't a valid capture filter (%s).\n"
758 "See the help for a description of the capture filter syntax.",
759 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
760 pcap_geterr(ld->pcap_h));
764 if (pcap_setfilter(ld->pcap_h, &fcode) < 0) {
765 g_snprintf(errmsg, errmsg_len, "Can't install filter (%s).",
766 pcap_geterr(ld->pcap_h));
775 /* open the wiretap part of the capture output file */
776 static int capture_loop_open_wiretap_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
782 /* get packet encapsulation type and snaplen */
784 if (ld->from_cap_pipe) {
785 pcap_encap = ld->cap_pipe_hdr.network;
786 file_snaplen = ld->cap_pipe_hdr.snaplen;
790 pcap_encap = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
791 file_snaplen = pcap_snapshot(ld->pcap_h);
794 /* Set up to write to the capture file. */
795 ld->wtap_linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
796 if (ld->wtap_linktype == WTAP_ENCAP_UNKNOWN) {
797 g_snprintf(errmsg, errmsg_len,
798 "The network you're capturing from is of a type"
799 " that Ethereal doesn't support (data link type %d).", pcap_encap);
802 if (capture_opts->multi_files_on) {
803 ld->wtap_pdh = ringbuf_init_wtap_dump_fdopen(WTAP_FILE_PCAP, ld->wtap_linktype,
806 ld->wtap_pdh = wtap_dump_fdopen(capture_opts->save_file_fd, WTAP_FILE_PCAP,
807 ld->wtap_linktype, file_snaplen, &err);
810 if (ld->wtap_pdh == NULL) {
811 /* We couldn't set up to write to the capture file. */
814 case WTAP_ERR_CANT_OPEN:
815 strcpy(errmsg, "The file to which the capture would be saved"
816 " couldn't be created for some unknown reason.");
819 case WTAP_ERR_SHORT_WRITE:
820 strcpy(errmsg, "A full header couldn't be written to the file"
821 " to which the capture would be saved.");
826 g_snprintf(errmsg, errmsg_len,
827 "The file to which the capture would be"
828 " saved (\"%s\") could not be opened: Error %d.",
829 capture_opts->save_file, err);
831 g_snprintf(errmsg, errmsg_len,
832 "The file to which the capture would be"
833 " saved (\"%s\") could not be opened: %s.",
834 capture_opts->save_file, strerror(err));
845 static gboolean capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
846 if (capture_opts->multi_files_on) {
847 return ringbuf_wtap_dump_close(&capture_opts->save_file, err_close);
849 return wtap_dump_close(ld->wtap_pdh, err_close);
853 /* dispatch incoming packets (pcap or capture pipe) */
855 capture_loop_dispatch(capture_options *capture_opts, loop_data *ld,
856 char *errmsg, int errmsg_len) {
860 struct timeval timeout;
862 struct pcaprec_modified_hdr rechdr;
863 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
867 /* dispatch from capture pipe */
868 if (ld->from_cap_pipe) {
870 FD_SET(ld->cap_pipe_fd, &set1);
872 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
873 sel_ret = select(ld->cap_pipe_fd+1, &set1, NULL, NULL, &timeout);
876 if (sel_ret < 0 && errno != EINTR) {
877 g_snprintf(errmsg, errmsg_len,
878 "Unexpected error from select: %s", strerror(errno));
879 capture_loop_popup_errmsg(capture_opts, errmsg);
884 * "select()" says we can read from the pipe without blocking
886 inpkts = cap_pipe_dispatch(ld->cap_pipe_fd, ld, &ld->cap_pipe_hdr, &rechdr, pcap_data,
896 /* dispatch from pcap using select */
897 #ifdef MUST_DO_SELECT
899 * Sigh. The semantics of the read timeout argument to
900 * "pcap_open_live()" aren't particularly well specified by
901 * the "pcap" man page - at least with the BSD BPF code, the
902 * intent appears to be, at least in part, a way of cutting
903 * down the number of reads done on a capture, by blocking
904 * until the buffer fills or a timer expires - and the Linux
905 * libpcap doesn't actually support it, so we can't use it
906 * to break out of the "pcap_dispatch()" every 1/4 of a second
907 * or so. Linux's libpcap is not the only libpcap that doesn't
908 * support the read timeout.
910 * Furthermore, at least on Solaris, the bufmod STREAMS module's
911 * read timeout won't go off if no data has arrived, i.e. it cannot
912 * be used to guarantee that a read from a DLPI stream will return
913 * within a specified amount of time regardless of whether any
914 * data arrives or not.
916 * Thus, on all platforms other than BSD, we do a "select()" on the
917 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
918 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
920 * "select()", on BPF devices, doesn't work as you might expect;
921 * at least on some versions of some flavors of BSD, the timer
922 * doesn't start until a read is done, so it won't expire if
923 * only a "select()" or "poll()" is posted.
926 FD_SET(ld->pcap_fd, &set1);
928 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
929 sel_ret = select(ld->pcap_fd+1, &set1, NULL, NULL, &timeout);
932 * "select()" says we can read from it without blocking; go for
935 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (gchar *)ld);
942 if (sel_ret < 0 && errno != EINTR) {
943 g_snprintf(errmsg, errmsg_len,
944 "Unexpected error from select: %s", strerror(errno));
945 capture_loop_popup_errmsg(capture_opts, errmsg);
950 /* dispatch from pcap without select */
951 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (gchar *) ld);
956 #endif /* MUST_DO_SELECT */
964 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
969 /* Do the low-level work of a capture.
970 Returns TRUE if it succeeds, FALSE otherwise. */
972 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
974 time_t upd_time, cur_time;
976 int err_close, inpkts;
977 condition *cnd_file_duration = NULL;
978 condition *cnd_autostop_files = NULL;
979 condition *cnd_autostop_size = NULL;
980 condition *cnd_autostop_duration = NULL;
981 guint32 autostop_files = 0;
984 capture_info capture_ui;
987 gboolean show_info = capture_opts->show_info || !capture_opts->sync_mode;
990 /* init the loop data */
992 if (capture_opts->has_autostop_packets)
993 ld.packets_max = capture_opts->autostop_packets;
995 ld.packets_max = 0; /* no limit */
996 ld.err = 0; /* no error seen yet */
997 ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
999 ld.from_cap_pipe = FALSE;
1000 ld.packets_sync_pipe = 0;
1001 ld.counts.total = 0;
1009 ld.counts.netbios = 0;
1010 ld.counts.vines = 0;
1011 ld.counts.other = 0;
1015 ld.cap_pipe_fd = -1;
1017 #ifdef MUST_DO_SELECT
1021 /* We haven't yet gotten the capture statistics. */
1022 *stats_known = FALSE;
1025 /* open the "input file" from network interface or capture pipe */
1026 if (!capture_loop_open_input(capture_opts, &ld, errmsg, sizeof(errmsg))) {
1030 /* init the input filter from the network interface (capture pipe will do nothing) */
1031 if (!capture_loop_init_filter(&ld, capture_opts->iface, capture_opts->cfilter, errmsg, sizeof(errmsg))) {
1035 /* open the wiretap part of the output file (the output file is already open) */
1036 if (!capture_loop_open_wiretap_output(capture_opts, &ld, errmsg, sizeof(errmsg))) {
1040 /* XXX - capture SIGTERM and close the capture, in case we're on a
1041 Linux 2.0[.x] system and you have to explicitly close the capture
1042 stream in order to turn promiscuous mode off? We need to do that
1043 in other places as well - and I don't think that works all the
1044 time in any case, due to libpcap bugs. */
1046 if (capture_opts->capture_child) {
1047 /* Well, we should be able to start capturing.
1049 This is the child process for a sync mode capture, so sync out
1050 the capture file, so the header makes it to the file system,
1051 and send a "capture started successfully and capture file created"
1052 message to our parent so that they'll open the capture file and
1053 update its windows to indicate that we have a live capture in
1055 fflush(wtap_dump_file(ld.wtap_pdh));
1056 sync_pipe_capstart_to_parent();
1057 sync_pipe_filename_to_parent(capture_opts->save_file);
1060 /* initialize capture stop (and alike) conditions */
1061 init_capture_stop_conditions();
1062 /* create stop conditions */
1063 if (capture_opts->has_autostop_filesize)
1065 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize);
1066 if (capture_opts->has_autostop_duration)
1067 cnd_autostop_duration =
1068 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
1070 if (capture_opts->multi_files_on) {
1071 if (capture_opts->has_file_duration)
1073 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
1075 if (capture_opts->has_autostop_files)
1076 cnd_autostop_files =
1077 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
1080 /* start capture info dialog */
1082 capture_ui.callback_data = &ld;
1083 capture_ui.counts = &ld.counts;
1084 capture_info_create(&capture_ui, capture_opts->iface);
1087 /* init the time values */
1088 start_time = time(NULL);
1089 upd_time = time(NULL);
1091 /* WOW, everything is prepared! */
1092 /* please fasten your seat belts, we will enter now the actual capture loop */
1094 main_window_update();
1096 /* dispatch incoming packets */
1097 inpkts = capture_loop_dispatch(capture_opts, &ld, errmsg, sizeof(errmsg));
1100 ld.packets_sync_pipe += inpkts;
1102 /* check capture size condition */
1103 if (cnd_autostop_size != NULL && cnd_eval(cnd_autostop_size,
1104 (guint32)wtap_get_bytes_dumped(ld.wtap_pdh))){
1105 /* Capture size limit reached, do we have another file? */
1106 if (capture_opts->multi_files_on) {
1107 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1108 /* no files left: stop here */
1113 /* Switch to the next ringbuffer file */
1114 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &capture_opts->save_file_fd, &ld.err)) {
1115 /* File switch succeeded: reset the conditions */
1116 cnd_reset(cnd_autostop_size);
1117 if (cnd_file_duration) {
1118 cnd_reset(cnd_file_duration);
1121 /* File switch failed: stop here */
1126 /* single file, stop now */
1130 } /* cnd_autostop_size */
1133 /* Only update once a second so as not to overload slow displays */
1134 cur_time = time(NULL);
1135 if (cur_time > upd_time) {
1136 upd_time = cur_time;
1138 /*if (pcap_stats(pch, stats) >= 0) {
1139 *stats_known = TRUE;
1142 /* calculate and display running time */
1144 cur_time -= start_time;
1145 capture_ui.running_time = cur_time;
1146 capture_ui.new_packets = ld.packets_sync_pipe;
1147 capture_info_update(&capture_ui);
1150 /* Let the parent process know. */
1151 if (ld.packets_sync_pipe) {
1153 fflush(wtap_dump_file(ld.wtap_pdh));
1155 if (capture_opts->capture_child) {
1156 /* This is the child process for a sync mode capture, so send
1157 our parent a message saying we've written out "ld.sync_packets"
1158 packets to the capture file. */
1159 sync_pipe_packet_count_to_parent(ld.packets_sync_pipe);
1162 ld.packets_sync_pipe = 0;
1165 /* check capture duration condition */
1166 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
1167 /* The maximum capture time has elapsed; stop the capture. */
1172 /* check capture file duration condition */
1173 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
1174 /* duration limit reached, do we have another file? */
1175 if (capture_opts->multi_files_on) {
1176 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1177 /* no files left: stop here */
1182 /* Switch to the next ringbuffer file */
1183 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &capture_opts->save_file_fd, &ld.err)) {
1184 /* file switch succeeded: reset the conditions */
1185 cnd_reset(cnd_file_duration);
1186 if(cnd_autostop_size)
1187 cnd_reset(cnd_autostop_size);
1189 /* File switch failed: stop here */
1194 /* single file, stop now */
1198 } /* cnd_file_duration */
1201 } /* while (ld.go) */
1203 /* close capture info dialog */
1205 capture_info_destroy(&capture_ui);
1208 /* delete stop conditions */
1209 if (cnd_file_duration != NULL)
1210 cnd_delete(cnd_file_duration);
1211 if (cnd_autostop_files != NULL)
1212 cnd_delete(cnd_autostop_files);
1213 if (cnd_autostop_size != NULL)
1214 cnd_delete(cnd_autostop_size);
1215 if (cnd_autostop_duration != NULL)
1216 cnd_delete(cnd_autostop_duration);
1218 /* did we had a pcap (input) error? */
1220 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
1221 pcap_geterr(ld.pcap_h));
1222 capture_loop_popup_errmsg(capture_opts, errmsg);
1225 else if (ld.from_cap_pipe && ld.cap_pipe_err == PIPERR)
1226 capture_loop_popup_errmsg(capture_opts, errmsg);
1229 /* did we had an error while capturing? */
1233 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, ld.err,
1235 capture_loop_popup_errmsg(capture_opts, errmsg);
1239 /* close the wiretap (output) file */
1240 close_ok = capture_loop_close_output(capture_opts, &ld, &err_close);
1242 /* If we've displayed a message about a write error, there's no point
1243 in displaying another message about an error on close. */
1244 if (!close_ok && write_ok) {
1245 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
1247 capture_loop_popup_errmsg(capture_opts, errmsg);
1251 * XXX We exhibit different behaviour between normal mode and sync mode
1252 * when the pipe is stdin and not already at EOF. If we're a child, the
1253 * parent's stdin isn't closed, so if the user starts another capture,
1254 * cap_pipe_open_live() will very likely not see the expected magic bytes and
1255 * will say "Unrecognized libpcap format". On the other hand, in normal
1256 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
1259 /* get packet drop statistics from pcap */
1260 if(ld.pcap_h != NULL) {
1261 g_assert(!ld.from_cap_pipe);
1262 /* Get the capture statistics, so we know how many packets were
1264 if (pcap_stats(ld.pcap_h, stats) >= 0) {
1265 *stats_known = TRUE;
1266 if (capture_opts->capture_child) {
1267 /* Let the parent process know. */
1268 sync_pipe_drops_to_parent(stats->ps_drop);
1271 g_snprintf(errmsg, sizeof(errmsg),
1272 "Can't get packet-drop statistics: %s",
1273 pcap_geterr(ld.pcap_h));
1274 capture_loop_popup_errmsg(capture_opts, errmsg);
1278 /* close the input file (pcap or capture pipe) */
1279 capture_loop_close_input(&ld);
1281 /* ok, if the write and the close were successful. */
1282 return write_ok && close_ok;
1285 if (capture_opts->multi_files_on) {
1286 /* cleanup ringbuffer */
1287 ringbuf_error_cleanup();
1289 /* We can't use the save file, and we have no wtap_dump stream
1290 to close in order to close it, so close the FD directly. */
1291 close(capture_opts->save_file_fd);
1293 /* We couldn't even start the capture, so get rid of the capture
1295 unlink(capture_opts->save_file); /* silently ignore error */
1296 g_free(capture_opts->save_file);
1298 capture_opts->save_file = NULL;
1299 capture_loop_popup_errmsg(capture_opts, errmsg);
1301 /* close the input file (pcap or cap_pipe) */
1302 capture_loop_close_input(&ld);
1308 void capture_loop_stop(void)
1315 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
1316 int err, gboolean is_close)
1321 g_snprintf(errmsg, errmsglen,
1322 "Not all the packets could be written to the file"
1323 " to which the capture was being saved\n"
1324 "(\"%s\") because there is no space left on the file system\n"
1325 "on which that file resides.",
1331 g_snprintf(errmsg, errmsglen,
1332 "Not all the packets could be written to the file"
1333 " to which the capture was being saved\n"
1334 "(\"%s\") because you are too close to, or over,"
1335 " your disk quota\n"
1336 "on the file system on which that file resides.",
1341 case WTAP_ERR_CANT_CLOSE:
1342 g_snprintf(errmsg, errmsglen,
1343 "The file to which the capture was being saved"
1344 " couldn't be closed for some unknown reason.");
1347 case WTAP_ERR_SHORT_WRITE:
1348 g_snprintf(errmsg, errmsglen,
1349 "Not all the packets could be written to the file"
1350 " to which the capture was being saved\n"
1357 g_snprintf(errmsg, errmsglen,
1358 "The file to which the capture was being saved\n"
1359 "(\"%s\") could not be closed: %s.",
1360 fname, wtap_strerror(err));
1362 g_snprintf(errmsg, errmsglen,
1363 "An error occurred while writing to the file"
1364 " to which the capture was being saved\n"
1366 fname, wtap_strerror(err));
1373 capture_loop_popup_errmsg(capture_options *capture_opts, const char *errmsg)
1375 if (capture_opts->capture_child) {
1376 /* This is the child process for a sync mode capture.
1377 Send the error message to our parent, so they can display a
1378 dialog box containing it. */
1379 sync_pipe_errmsg_to_parent(errmsg);
1381 /* Display the dialog box ourselves; there's no parent. */
1382 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK, "%s", errmsg);
1387 /* one packet was captured, process it */
1389 capture_loop_packet_cb(guchar *user, const struct pcap_pkthdr *phdr,
1392 struct wtap_pkthdr whdr;
1393 union wtap_pseudo_header pseudo_header;
1394 loop_data *ld = (loop_data *) user;
1397 /* if the user told us to stop after x packets, do we have enough? */
1399 if ((ld->packets_max > 0) && (ld->counts.total >= ld->packets_max))
1404 /* Convert from libpcap to Wiretap format.
1405 If that fails, set "ld->go" to FALSE, to stop the capture, and set
1406 "ld->err" to the error. */
1407 pd = wtap_process_pcap_packet(ld->wtap_linktype, phdr, pd, &pseudo_header,
1416 /* We're supposed to write the packet to a file; do so.
1417 If this fails, set "ld->go" to FALSE, to stop the capture, and set
1418 "ld->err" to the error. */
1419 if (!wtap_dump(ld->wtap_pdh, &whdr, &pseudo_header, pd, &err)) {
1425 switch (ld->wtap_linktype) {
1426 case WTAP_ENCAP_ETHERNET:
1427 capture_eth(pd, 0, whdr.caplen, &ld->counts);
1429 case WTAP_ENCAP_FDDI:
1430 case WTAP_ENCAP_FDDI_BITSWAPPED:
1431 capture_fddi(pd, whdr.caplen, &ld->counts);
1433 case WTAP_ENCAP_PRISM_HEADER:
1434 capture_prism(pd, 0, whdr.caplen, &ld->counts);
1436 case WTAP_ENCAP_TOKEN_RING:
1437 capture_tr(pd, 0, whdr.caplen, &ld->counts);
1439 case WTAP_ENCAP_NULL:
1440 capture_null(pd, whdr.caplen, &ld->counts);
1442 case WTAP_ENCAP_PPP:
1443 capture_ppp_hdlc(pd, 0, whdr.caplen, &ld->counts);
1445 case WTAP_ENCAP_RAW_IP:
1446 capture_raw(pd, whdr.caplen, &ld->counts);
1448 case WTAP_ENCAP_SLL:
1449 capture_sll(pd, whdr.caplen, &ld->counts);
1451 case WTAP_ENCAP_LINUX_ATM_CLIP:
1452 capture_clip(pd, whdr.caplen, &ld->counts);
1454 case WTAP_ENCAP_IEEE_802_11:
1455 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1456 capture_ieee80211(pd, 0, whdr.caplen, &ld->counts);
1458 case WTAP_ENCAP_CHDLC:
1459 capture_chdlc(pd, 0, whdr.caplen, &ld->counts);
1461 case WTAP_ENCAP_LOCALTALK:
1462 capture_llap(&ld->counts);
1464 case WTAP_ENCAP_ATM_PDUS:
1465 capture_atm(&pseudo_header, pd, whdr.caplen, &ld->counts);
1467 case WTAP_ENCAP_IP_OVER_FC:
1468 capture_ipfc(pd, whdr.caplen, &ld->counts);
1470 case WTAP_ENCAP_ARCNET:
1471 capture_arcnet(pd, whdr.caplen, &ld->counts, FALSE, TRUE);
1473 case WTAP_ENCAP_ARCNET_LINUX:
1474 capture_arcnet(pd, whdr.caplen, &ld->counts, TRUE, FALSE);
1476 case WTAP_ENCAP_APPLE_IP_OVER_IEEE1394:
1477 capture_ap1394(pd, 0, whdr.caplen, &ld->counts);
1479 case WTAP_ENCAP_FRELAY:
1480 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1481 capture_fr(pd, 0, whdr.caplen, &ld->counts);
1483 /* XXX - some ATM drivers on FreeBSD might prepend a 4-byte ATM
1484 pseudo-header to DLT_ATM_RFC1483, with LLC header following;
1485 we might have to implement that at some point. */
1489 #endif /* HAVE_LIBPCAP */