2 * The actual capturing loop, getting packets and storing it
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 * Capture loop (internal interface).
30 * It will open the input and output files, capture the packets,
31 * change ringbuffer output files while capturing and close all files again.
33 * The input file can be a network interface or capture pipe (unix only).
34 * The output file can be a single or a ringbuffer file handled by wiretap.
54 #ifdef HAVE_SYS_TYPES_H
55 # include <sys/types.h>
58 #ifdef HAVE_SYS_STAT_H
59 # include <sys/stat.h>
69 #include <epan/packet.h>
71 #include "capture_sync.h"
72 #include "pcap-util.h"
74 #include "simple_dialog.h"
75 #include "conditions.h"
76 #include "capture_stop_conditions.h"
77 #include "ringbuffer.h"
79 #include "wiretap/libpcap.h"
80 #include "wiretap/wtap.h"
81 #include "wiretap/wtap-capture.h"
83 #include <epan/prefs.h>
84 /* XXX - try to remove this later */
86 /* XXX - try to remove this later */
88 #include "alert_box.h"
91 #include <epan/dissectors/packet-ap1394.h>
92 #include <epan/dissectors/packet-atalk.h>
93 #include <epan/dissectors/packet-atm.h>
94 #include <epan/dissectors/packet-clip.h>
95 #include <epan/dissectors/packet-eth.h>
96 #include <epan/dissectors/packet-fddi.h>
97 #include <epan/dissectors/packet-fr.h>
98 #include <epan/dissectors/packet-null.h>
99 #include <epan/dissectors/packet-ppp.h>
100 #include <epan/dissectors/packet-raw.h>
101 #include <epan/dissectors/packet-sll.h>
102 #include <epan/dissectors/packet-tr.h>
103 #include <epan/dissectors/packet-ieee80211.h>
104 #include <epan/dissectors/packet-chdlc.h>
105 #include <epan/dissectors/packet-prism.h>
106 #include <epan/dissectors/packet-ipfc.h>
107 #include <epan/dissectors/packet-arcnet.h>
109 /* Win32 needs the O_BINARY flag for open() */
117 * We don't want to do a "select()" on the pcap_t's file descriptor on
118 * BSD (because "select()" doesn't work correctly on BPF devices on at
119 * least some releases of some flavors of BSD), and we don't want to do
120 * it on Windows (because "select()" is something for sockets, not for
121 * arbitrary handles). (Note that "Windows" here includes Cygwin;
122 * even in its pretend-it's-UNIX environment, we're using WinPcap, not
125 * We *do* want to do it on other platforms, as, on other platforms (with
126 * the possible exception of Ultrix and Digital UNIX), the read timeout
127 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
128 * will block until packets arrive, causing the UI to hang.
130 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
131 * want to include it if it's not present on this platform, however.
133 #if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
134 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
136 # define MUST_DO_SELECT
140 typedef struct _loop_data {
142 gboolean go; /* TRUE as long as we're supposed to keep capturing */
143 int err; /* if non-zero, error seen while capturing */
144 gint packets_max; /* Number of packets we're supposed to capture - 0 means infinite */
145 gint packets_sync_pipe; /* packets not already send out to the sync_pipe */
146 packet_counts counts; /* several packet type counters */
148 /* pcap "input file" */
149 pcap_t *pcap_h; /* pcap handle */
150 gboolean pcap_err; /* TRUE if error from pcap */
151 #ifdef MUST_DO_SELECT
152 int pcap_fd; /* pcap file descriptor */
155 /* capture pipe (unix only "input file") */
156 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
158 struct pcap_hdr cap_pipe_hdr;
159 int cap_pipe_fd; /* the file descriptor of the capture pipe */
160 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
161 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
162 unsigned int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
163 unsigned int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
165 STATE_EXPECT_REC_HDR,
171 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
174 /* wiretap (output file) */
175 wtap_dumper *wtap_pdh;
182 * Timeout, in milliseconds, for reads from the stream of captured packets.
184 #define CAP_READ_TIMEOUT 250
186 static void capture_loop_packet_cb(guchar *user, const struct pcap_pkthdr *phdr,
188 static void capture_loop_popup_errmsg(capture_options *capture_opts, const char *errmsg);
189 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
190 int err, gboolean is_close);
195 /* Take care of byte order in the libpcap headers read from pipes.
196 * (function taken from wiretap/libpcap.c) */
198 cap_pipe_adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
200 if (ld->cap_pipe_byte_swapped) {
201 /* Byte-swap the record header fields. */
202 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
203 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
204 rechdr->incl_len = BSWAP32(rechdr->incl_len);
205 rechdr->orig_len = BSWAP32(rechdr->orig_len);
208 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
209 swapped, in order to match the BPF header layout.
211 Unfortunately, some files were, according to a comment in the "libpcap"
212 source, written with version 2.3 in their headers but without the
213 interchanged fields, so if "incl_len" is greater than "orig_len" - which
214 would make no sense - we assume that we need to swap them. */
215 if (hdr->version_major == 2 &&
216 (hdr->version_minor < 3 ||
217 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
220 temp = rechdr->orig_len;
221 rechdr->orig_len = rechdr->incl_len;
222 rechdr->incl_len = temp;
226 /* Mimic pcap_open_live() for pipe captures
227 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
229 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
230 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
232 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
233 char *errmsg, int errmsgl)
235 struct stat pipe_stat;
239 unsigned int bytes_read;
241 struct timeval timeout;
244 * XXX Ethereal blocks until we return
246 if (strcmp(pipename, "-") == 0)
247 fd = 0; /* read from stdin */
249 if (stat(pipename, &pipe_stat) < 0) {
250 if (errno == ENOENT || errno == ENOTDIR)
251 ld->cap_pipe_err = PIPNEXIST;
253 g_snprintf(errmsg, errmsgl,
254 "The capture session could not be initiated "
255 "due to error on pipe: %s", strerror(errno));
256 ld->cap_pipe_err = PIPERR;
260 if (! S_ISFIFO(pipe_stat.st_mode)) {
261 if (S_ISCHR(pipe_stat.st_mode)) {
263 * Assume the user specified an interface on a system where
264 * interfaces are in /dev. Pretend we haven't seen it.
266 ld->cap_pipe_err = PIPNEXIST;
268 g_snprintf(errmsg, errmsgl,
269 "The capture session could not be initiated because\n"
270 "\"%s\" is neither an interface nor a pipe", pipename);
271 ld->cap_pipe_err = PIPERR;
275 fd = open(pipename, O_RDONLY | O_NONBLOCK);
277 g_snprintf(errmsg, errmsgl,
278 "The capture session could not be initiated "
279 "due to error on pipe open: %s", strerror(errno));
280 ld->cap_pipe_err = PIPERR;
285 ld->from_cap_pipe = TRUE;
287 /* read the pcap header */
290 while (bytes_read < sizeof magic) {
293 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
294 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
296 g_snprintf(errmsg, errmsgl,
297 "Unexpected error from select: %s", strerror(errno));
299 } else if (sel_ret > 0) {
300 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
303 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
305 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
315 /* Host that wrote it has our byte order, and was running
316 a program using either standard or ss990417 libpcap. */
317 ld->cap_pipe_byte_swapped = FALSE;
318 ld->cap_pipe_modified = FALSE;
320 case PCAP_MODIFIED_MAGIC:
321 /* Host that wrote it has our byte order, but was running
322 a program using either ss990915 or ss991029 libpcap. */
323 ld->cap_pipe_byte_swapped = FALSE;
324 ld->cap_pipe_modified = TRUE;
326 case PCAP_SWAPPED_MAGIC:
327 /* Host that wrote it has a byte order opposite to ours,
328 and was running a program using either standard or
330 ld->cap_pipe_byte_swapped = TRUE;
331 ld->cap_pipe_modified = FALSE;
333 case PCAP_SWAPPED_MODIFIED_MAGIC:
334 /* Host that wrote it out has a byte order opposite to
335 ours, and was running a program using either ss990915
336 or ss991029 libpcap. */
337 ld->cap_pipe_byte_swapped = TRUE;
338 ld->cap_pipe_modified = TRUE;
341 /* Not a "libpcap" type we know about. */
342 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
346 /* Read the rest of the header */
348 while (bytes_read < sizeof(struct pcap_hdr)) {
351 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
352 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
354 g_snprintf(errmsg, errmsgl,
355 "Unexpected error from select: %s", strerror(errno));
357 } else if (sel_ret > 0) {
358 b = read(fd, ((char *)hdr)+bytes_read,
359 sizeof(struct pcap_hdr) - bytes_read);
362 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
364 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
372 if (ld->cap_pipe_byte_swapped) {
373 /* Byte-swap the header fields about which we care. */
374 hdr->version_major = BSWAP16(hdr->version_major);
375 hdr->version_minor = BSWAP16(hdr->version_minor);
376 hdr->snaplen = BSWAP32(hdr->snaplen);
377 hdr->network = BSWAP32(hdr->network);
380 if (hdr->version_major < 2) {
381 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
385 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
386 ld->cap_pipe_err = PIPOK;
390 ld->cap_pipe_err = PIPERR;
397 /* We read one record from the pipe, take care of byte order in the record
398 * header, write the record to the capture file, and update capture statistics. */
400 cap_pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr,
401 struct pcaprec_modified_hdr *rechdr, guchar *data,
402 char *errmsg, int errmsgl)
404 struct pcap_pkthdr phdr;
406 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
409 switch (ld->cap_pipe_state) {
411 case STATE_EXPECT_REC_HDR:
412 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
413 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
414 ld->cap_pipe_bytes_read = 0;
415 ld->cap_pipe_state = STATE_READ_REC_HDR;
418 case STATE_READ_REC_HDR:
419 b = read(fd, ((char *)rechdr)+ld->cap_pipe_bytes_read,
420 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
423 result = PD_PIPE_EOF;
425 result = PD_PIPE_ERR;
428 if ((ld->cap_pipe_bytes_read += b) < ld->cap_pipe_bytes_to_read)
430 result = PD_REC_HDR_READ;
433 case STATE_EXPECT_DATA:
434 ld->cap_pipe_bytes_read = 0;
435 ld->cap_pipe_state = STATE_READ_DATA;
438 case STATE_READ_DATA:
439 b = read(fd, data+ld->cap_pipe_bytes_read, rechdr->hdr.incl_len - ld->cap_pipe_bytes_read);
442 result = PD_PIPE_EOF;
444 result = PD_PIPE_ERR;
447 if ((ld->cap_pipe_bytes_read += b) < rechdr->hdr.incl_len)
449 result = PD_DATA_READ;
453 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
456 } /* switch (ld->cap_pipe_state) */
459 * We've now read as much data as we were expecting, so process it.
463 case PD_REC_HDR_READ:
464 /* We've read the header. Take care of byte order. */
465 cap_pipe_adjust_header(ld, hdr, &rechdr->hdr);
466 if (rechdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
467 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
468 ld->counts.total+1, rechdr->hdr.incl_len);
471 ld->cap_pipe_state = STATE_EXPECT_DATA;
475 /* Fill in a "struct pcap_pkthdr", and process the packet. */
476 phdr.ts.tv_sec = rechdr->hdr.ts_sec;
477 phdr.ts.tv_usec = rechdr->hdr.ts_usec;
478 phdr.caplen = rechdr->hdr.incl_len;
479 phdr.len = rechdr->hdr.orig_len;
481 capture_loop_packet_cb((guchar *)ld, &phdr, data);
483 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
487 ld->cap_pipe_err = PIPEOF;
491 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
498 ld->cap_pipe_err = PIPERR;
499 /* Return here rather than inside the switch to prevent GCC warning */
502 #endif /* not _WIN32 */
505 /* open the capture input file (pcap or capture pipe) */
506 static int capture_loop_open_input(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
507 gchar open_err_str[PCAP_ERRBUF_SIZE];
508 const char *set_linktype_err_str;
511 WORD wVersionRequested;
514 static const char ppamsg[] = "can't find PPA for ";
518 /* Initialize Windows Socket if we are in a WIN32 OS
519 This needs to be done before querying the interface for network/netmask */
521 /* XXX - do we really require 1.1 or earlier?
522 Are there any versions that support only 2.0 or higher? */
523 wVersionRequested = MAKEWORD(1, 1);
524 err = WSAStartup(wVersionRequested, &wsaData);
529 g_snprintf(errmsg, errmsg_len,
530 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
533 case WSAVERNOTSUPPORTED:
534 g_snprintf(errmsg, errmsg_len,
535 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
536 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
540 g_snprintf(errmsg, errmsg_len,
541 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
545 g_snprintf(errmsg, errmsg_len,
546 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
550 g_snprintf(errmsg, errmsg_len,
551 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
555 g_snprintf(errmsg, errmsg_len,
556 "Couldn't initialize Windows Sockets: error %d", err);
563 /* Open the network interface to capture from it.
564 Some versions of libpcap may put warnings into the error buffer
565 if they succeed; to tell if that's happened, we have to clear
566 the error buffer, and check if it's still a null string. */
567 open_err_str[0] = '\0';
568 ld->pcap_h = pcap_open_live(capture_opts->iface,
569 capture_opts->has_snaplen ? capture_opts->snaplen :
570 WTAP_MAX_PACKET_SIZE,
571 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
574 if (ld->pcap_h != NULL) {
575 /* we've opened "iface" as a network device */
577 /* try to set the capture buffer size */
578 if (pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
579 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
580 "%sCouldn't set the capture buffer size!%s\n"
582 "The capture buffer size of %luMB seems to be too high for your machine,\n"
583 "the default of 1MB will be used.\n"
585 "Nonetheless, the capture is started.\n",
586 simple_dialog_primary_start(), simple_dialog_primary_end(), capture_opts->buffer_size);
590 /* setting the data link type only works on real interfaces */
591 if (capture_opts->linktype != -1) {
592 set_linktype_err_str = set_pcap_linktype(ld->pcap_h, capture_opts->iface,
593 capture_opts->linktype);
594 if (set_linktype_err_str != NULL) {
595 g_snprintf(errmsg, errmsg_len, "Unable to set data link type (%s).",
596 set_linktype_err_str);
601 /* We couldn't open "iface" as a network device. */
603 /* On Windows, we don't support capturing on pipes, so we give up. */
605 /* On Win32 OSes, the capture devices are probably available to all
606 users; don't warn about permissions problems.
608 Do, however, warn that WAN devices aren't supported. */
609 g_snprintf(errmsg, errmsg_len,
610 "The capture session could not be initiated (%s).\n"
611 "Please check that you have the proper interface specified.\n"
613 "Note that version 3.0 of WinPcap, and earlier versions of WinPcap, don't\n"
614 "support capturing on PPP/WAN interfaces in Windows NT 4.0, Windows 2000,\n"
615 "Windows XP, or Windows Server 2003. WinPcap 3.1 has experimental support\n"
616 "for it on Windows 2000, Windows XP, and Windows Server 2003, but has no\n"
617 "support for it on Windows NT 4.0. WinPcap 3.1 is currently in beta, so\n"
618 "using it might introduce bugs not present in WinPcap 3.0; you should report\n"
619 "all problems you see to the WinPcap developers, so they can try to fix\n"
620 "them before the final WinPcap 3.1 release.",
624 /* try to open iface as a pipe */
625 ld->cap_pipe_fd = cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, errmsg_len);
627 if (ld->cap_pipe_fd == -1) {
629 if (ld->cap_pipe_err == PIPNEXIST) {
630 /* Pipe doesn't exist, so output message for interface */
632 /* If we got a "can't find PPA for XXX" message, warn the user (who
633 is running Ethereal on HP-UX) that they don't have a version
634 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
635 versions, which properly handle HP-UX, say "can't find /dev/dlpi
636 PPA for XXX" rather than "can't find PPA for XXX"). */
637 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
640 "You are running Ethereal with a version of the libpcap library\n"
641 "that doesn't handle HP-UX network devices well; this means that\n"
642 "Ethereal may not be able to capture packets.\n"
644 "To fix this, you should install libpcap 0.6.2, or a later version\n"
645 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
646 "packaged binary form from the Software Porting And Archive Centre\n"
647 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
648 "at the URL lists a number of mirror sites.";
651 g_snprintf(errmsg, errmsg_len,
652 "The capture session could not be initiated (%s).\n"
653 "Please check to make sure you have sufficient permissions, and that\n"
654 "you have the proper interface or pipe specified.%s", open_err_str,
658 * Else pipe (or file) does exist and cap_pipe_open_live() has
663 /* cap_pipe_open_live() succeeded; don't want
664 error message from pcap_open_live() */
665 open_err_str[0] = '\0';
669 #ifdef MUST_DO_SELECT
670 if (!ld->from_cap_pipe) ld->pcap_fd = pcap_fileno(ld->pcap_h);
673 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
674 returned a warning; print it, but keep capturing. */
675 if (open_err_str[0] != '\0')
676 g_warning("%s.", open_err_str);
682 /* open the capture input file (pcap or capture pipe) */
683 static void capture_loop_close_input(loop_data *ld) {
685 /* if open, close the capture pipe "input file" */
686 if (ld->cap_pipe_fd >= 0) {
687 g_assert(ld->from_cap_pipe);
688 close(ld->cap_pipe_fd);
692 /* if open, close the pcap "input file" */
693 if(ld->pcap_h != NULL) {
694 g_assert(!ld->from_cap_pipe);
695 pcap_close(ld->pcap_h);
699 /* Shut down windows sockets */
705 /* init the capture filter */
706 static int capture_loop_init_filter(loop_data *ld, const gchar * iface, gchar * cfilter, char *errmsg, int errmsg_len) {
707 bpf_u_int32 netnum, netmask;
708 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
709 struct bpf_program fcode;
711 /* capture filters only work on real interfaces */
712 if (cfilter && !ld->from_cap_pipe) {
713 /* A capture filter was specified; set it up. */
714 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
716 * Well, we can't get the netmask for this interface; it's used
717 * only for filters that check for broadcast IP addresses, so
718 * we just punt and use 0. It might be nice to warn the user,
719 * but that's a pain in a GUI application, as it'd involve popping
720 * up a message box, and it's not clear how often this would make
721 * a difference (only filters that check for IP broadcast addresses
726 if (pcap_compile(ld->pcap_h, &fcode, cfilter, 1, netmask) < 0) {
727 dfilter_t *rfcode = NULL;
728 /* filter string invalid, did the user tried a display filter? */
729 if (dfilter_compile(cfilter, &rfcode) && rfcode != NULL) {
730 g_snprintf(errmsg, errmsg_len,
731 "%sInvalid capture filter: \"%s\"!%s\n"
733 "That string looks like a valid display filter; however, it isn't a valid\n"
734 "capture filter (%s).\n"
736 "Note that display filters and capture filters don't have the same syntax,\n"
737 "so you can't use most display filter expressions as capture filters.\n"
739 "See the help for a description of the capture filter syntax.",
740 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
741 pcap_geterr(ld->pcap_h));
742 dfilter_free(rfcode);
744 g_snprintf(errmsg, errmsg_len,
745 "%sInvalid capture filter: \"%s\"!%s\n"
747 "That string isn't a valid capture filter (%s).\n"
748 "See the help for a description of the capture filter syntax.",
749 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
750 pcap_geterr(ld->pcap_h));
754 if (pcap_setfilter(ld->pcap_h, &fcode) < 0) {
755 g_snprintf(errmsg, errmsg_len, "Can't install filter (%s).",
756 pcap_geterr(ld->pcap_h));
757 #ifdef HAVE_PCAP_FREECODE
758 pcap_freecode(&fcode);
762 #ifdef HAVE_PCAP_FREECODE
763 pcap_freecode(&fcode);
771 /* open the wiretap part of the capture output file */
772 static int capture_loop_open_wiretap_output(capture_options *capture_opts, int save_file_fd, loop_data *ld, char *errmsg, int errmsg_len) {
778 /* get packet encapsulation type and snaplen */
780 if (ld->from_cap_pipe) {
781 pcap_encap = ld->cap_pipe_hdr.network;
782 file_snaplen = ld->cap_pipe_hdr.snaplen;
786 pcap_encap = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
787 file_snaplen = pcap_snapshot(ld->pcap_h);
790 /* Set up to write to the capture file. */
791 ld->wtap_linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
792 if (ld->wtap_linktype == WTAP_ENCAP_UNKNOWN) {
793 g_snprintf(errmsg, errmsg_len,
794 "The network you're capturing from is of a type"
795 " that Ethereal doesn't support (data link type %d).", pcap_encap);
798 if (capture_opts->multi_files_on) {
799 ld->wtap_pdh = ringbuf_init_wtap_dump_fdopen(WTAP_FILE_PCAP, ld->wtap_linktype,
802 ld->wtap_pdh = wtap_dump_fdopen(save_file_fd, WTAP_FILE_PCAP,
803 ld->wtap_linktype, file_snaplen, &err);
806 if (ld->wtap_pdh == NULL) {
807 /* We couldn't set up to write to the capture file. */
810 case WTAP_ERR_CANT_OPEN:
811 strcpy(errmsg, "The file to which the capture would be saved"
812 " couldn't be created for some unknown reason.");
815 case WTAP_ERR_SHORT_WRITE:
816 strcpy(errmsg, "A full header couldn't be written to the file"
817 " to which the capture would be saved.");
822 g_snprintf(errmsg, errmsg_len,
823 "The file to which the capture would be"
824 " saved (\"%s\") could not be opened: Error %d.",
825 capture_opts->save_file, err);
827 g_snprintf(errmsg, errmsg_len,
828 "The file to which the capture would be"
829 " saved (\"%s\") could not be opened: %s.",
830 capture_opts->save_file, strerror(err));
841 static gboolean capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
842 if (capture_opts->multi_files_on) {
843 return ringbuf_wtap_dump_close(&capture_opts->save_file, err_close);
845 return wtap_dump_close(ld->wtap_pdh, err_close);
849 /* dispatch incoming packets (pcap or capture pipe) */
851 capture_loop_dispatch(capture_options *capture_opts, loop_data *ld,
852 char *errmsg, int errmsg_len) {
856 struct timeval timeout;
858 struct pcaprec_modified_hdr rechdr;
859 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
863 /* dispatch from capture pipe */
864 if (ld->from_cap_pipe) {
866 FD_SET(ld->cap_pipe_fd, &set1);
868 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
869 sel_ret = select(ld->cap_pipe_fd+1, &set1, NULL, NULL, &timeout);
872 if (sel_ret < 0 && errno != EINTR) {
873 g_snprintf(errmsg, errmsg_len,
874 "Unexpected error from select: %s", strerror(errno));
875 capture_loop_popup_errmsg(capture_opts, errmsg);
880 * "select()" says we can read from the pipe without blocking
882 inpkts = cap_pipe_dispatch(ld->cap_pipe_fd, ld, &ld->cap_pipe_hdr, &rechdr, pcap_data,
892 /* dispatch from pcap using select */
893 #ifdef MUST_DO_SELECT
895 * Sigh. The semantics of the read timeout argument to
896 * "pcap_open_live()" aren't particularly well specified by
897 * the "pcap" man page - at least with the BSD BPF code, the
898 * intent appears to be, at least in part, a way of cutting
899 * down the number of reads done on a capture, by blocking
900 * until the buffer fills or a timer expires - and the Linux
901 * libpcap doesn't actually support it, so we can't use it
902 * to break out of the "pcap_dispatch()" every 1/4 of a second
903 * or so. Linux's libpcap is not the only libpcap that doesn't
904 * support the read timeout.
906 * Furthermore, at least on Solaris, the bufmod STREAMS module's
907 * read timeout won't go off if no data has arrived, i.e. it cannot
908 * be used to guarantee that a read from a DLPI stream will return
909 * within a specified amount of time regardless of whether any
910 * data arrives or not.
912 * Thus, on all platforms other than BSD, we do a "select()" on the
913 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
914 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
916 * "select()", on BPF devices, doesn't work as you might expect;
917 * at least on some versions of some flavors of BSD, the timer
918 * doesn't start until a read is done, so it won't expire if
919 * only a "select()" or "poll()" is posted.
922 FD_SET(ld->pcap_fd, &set1);
924 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
925 sel_ret = select(ld->pcap_fd+1, &set1, NULL, NULL, &timeout);
928 * "select()" says we can read from it without blocking; go for
931 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (gchar *)ld);
938 if (sel_ret < 0 && errno != EINTR) {
939 g_snprintf(errmsg, errmsg_len,
940 "Unexpected error from select: %s", strerror(errno));
941 capture_loop_popup_errmsg(capture_opts, errmsg);
946 /* dispatch from pcap without select */
947 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (gchar *) ld);
952 #endif /* MUST_DO_SELECT */
959 /* open the output file (temporary/specified name/ringbuffer) */
960 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
962 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd) {
965 gboolean is_tempfile;
968 if (capture_opts->save_file != NULL) {
969 /* We return to the caller while the capture is in progress.
970 * Therefore we need to take a copy of save_file in
971 * case the caller destroys it after we return.
973 capfile_name = g_strdup(capture_opts->save_file);
974 if (capture_opts->multi_files_on) {
975 /* ringbuffer is enabled */
976 *save_file_fd = ringbuf_init(capfile_name,
977 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0);
979 /* we need the ringbuf name */
980 g_free(capfile_name);
981 capfile_name = g_strdup(ringbuf_current_filename());
983 /* Try to open/create the specified file for use as a capture buffer. */
984 *save_file_fd = open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
989 /* Choose a random name for the temporary capture buffer */
990 *save_file_fd = create_tempfile(tmpname, sizeof tmpname, "ether");
991 capfile_name = g_strdup(tmpname);
995 /* did we fail to open the output file? */
996 if (*save_file_fd == -1) {
998 simple_dialog(ESD_TYPE_ERROR, ESD_BTN_OK,
999 "The temporary file to which the capture would be saved (\"%s\") "
1000 "could not be opened: %s.", capfile_name, strerror(errno));
1002 if (capture_opts->multi_files_on) {
1003 ringbuf_error_cleanup();
1005 open_failure_alert_box(capfile_name, errno, TRUE);
1007 g_free(capfile_name);
1011 if(capture_opts->save_file != NULL) {
1012 g_free(capture_opts->save_file);
1014 capture_opts->save_file = capfile_name;
1015 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
1016 "g_free(capfile_name)". */
1024 capture_loop_stop_signal_handler(int signo _U_)
1026 capture_loop_stop();
1032 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
1035 static loop_data ld;
1037 /* Do the low-level work of a capture.
1038 Returns TRUE if it succeeds, FALSE otherwise. */
1040 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
1042 time_t upd_time, cur_time;
1044 int err_close, inpkts;
1045 condition *cnd_file_duration = NULL;
1046 condition *cnd_autostop_files = NULL;
1047 condition *cnd_autostop_size = NULL;
1048 condition *cnd_autostop_duration = NULL;
1049 guint32 autostop_files = 0;
1052 capture_info capture_ui;
1053 char errmsg[4096+1];
1057 /* init the loop data */
1059 if (capture_opts->has_autostop_packets)
1060 ld.packets_max = capture_opts->autostop_packets;
1062 ld.packets_max = 0; /* no limit */
1063 ld.err = 0; /* no error seen yet */
1064 ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
1065 ld.pcap_err = FALSE;
1066 ld.from_cap_pipe = FALSE;
1067 ld.packets_sync_pipe = 0;
1068 ld.counts.total = 0;
1076 ld.counts.netbios = 0;
1077 ld.counts.vines = 0;
1078 ld.counts.other = 0;
1082 ld.cap_pipe_fd = -1;
1084 #ifdef MUST_DO_SELECT
1090 * Catch SIGUSR1, so that we exit cleanly if the parent process
1091 * kills us with it due to the user selecting "Capture->Stop".
1093 signal(SIGUSR1, capture_loop_stop_signal_handler);
1096 /* We haven't yet gotten the capture statistics. */
1097 *stats_known = FALSE;
1099 /*g_warning("capture_loop_start");
1100 capture_opts_info(capture_opts);*/
1103 /* open the output file (temporary/specified name/ringbuffer) */
1104 if (!capture_loop_open_output(capture_opts, &save_file_fd)) {
1108 /* open the "input file" from network interface or capture pipe */
1109 if (!capture_loop_open_input(capture_opts, &ld, errmsg, sizeof(errmsg))) {
1113 /* init the input filter from the network interface (capture pipe will do nothing) */
1114 if (!capture_loop_init_filter(&ld, capture_opts->iface, capture_opts->cfilter, errmsg, sizeof(errmsg))) {
1118 /* open the wiretap part of the output file (the output file is already open) */
1119 if (!capture_loop_open_wiretap_output(capture_opts, save_file_fd, &ld, errmsg, sizeof(errmsg))) {
1123 /* XXX - capture SIGTERM and close the capture, in case we're on a
1124 Linux 2.0[.x] system and you have to explicitly close the capture
1125 stream in order to turn promiscuous mode off? We need to do that
1126 in other places as well - and I don't think that works all the
1127 time in any case, due to libpcap bugs. */
1129 /* Well, we should be able to start capturing.
1131 Sync out the capture file, so the header makes it to the file system,
1132 and send a "capture started successfully and capture file created"
1133 message to our parent so that they'll open the capture file and
1134 update its windows to indicate that we have a live capture in
1136 fflush(wtap_dump_file(ld.wtap_pdh));
1137 sync_pipe_capstart_to_parent();
1138 sync_pipe_filename_to_parent(capture_opts->save_file);
1140 /* initialize capture stop (and alike) conditions */
1141 init_capture_stop_conditions();
1142 /* create stop conditions */
1143 if (capture_opts->has_autostop_filesize)
1145 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize);
1146 if (capture_opts->has_autostop_duration)
1147 cnd_autostop_duration =
1148 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
1150 if (capture_opts->multi_files_on) {
1151 if (capture_opts->has_file_duration)
1153 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
1155 if (capture_opts->has_autostop_files)
1156 cnd_autostop_files =
1157 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
1160 /* start capture info dialog */
1161 if(capture_opts->show_info) {
1162 capture_ui.callback_data = &ld;
1163 capture_ui.counts = &ld.counts;
1164 capture_info_create(&capture_ui, capture_opts->iface);
1167 /* init the time values */
1168 start_time = time(NULL);
1169 upd_time = time(NULL);
1171 /* WOW, everything is prepared! */
1172 /* please fasten your seat belts, we will enter now the actual capture loop */
1174 main_window_update();
1176 /* dispatch incoming packets */
1177 inpkts = capture_loop_dispatch(capture_opts, &ld, errmsg, sizeof(errmsg));
1180 ld.packets_sync_pipe += inpkts;
1182 /* check capture size condition */
1183 if (cnd_autostop_size != NULL && cnd_eval(cnd_autostop_size,
1184 (guint32)wtap_get_bytes_dumped(ld.wtap_pdh))){
1185 /* Capture size limit reached, do we have another file? */
1186 if (capture_opts->multi_files_on) {
1187 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1188 /* no files left: stop here */
1193 /* Switch to the next ringbuffer file */
1194 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &save_file_fd, &ld.err)) {
1195 /* File switch succeeded: reset the conditions */
1196 cnd_reset(cnd_autostop_size);
1197 if (cnd_file_duration) {
1198 cnd_reset(cnd_file_duration);
1200 sync_pipe_filename_to_parent(capture_opts->save_file);
1202 /* File switch failed: stop here */
1207 /* single file, stop now */
1211 } /* cnd_autostop_size */
1214 /* Only update once a second so as not to overload slow displays */
1215 cur_time = time(NULL);
1216 if (cur_time > upd_time) {
1217 upd_time = cur_time;
1219 /*if (pcap_stats(pch, stats) >= 0) {
1220 *stats_known = TRUE;
1223 /* calculate and display running time */
1224 if(capture_opts->show_info) {
1225 cur_time -= start_time;
1226 capture_ui.running_time = cur_time;
1227 capture_ui.new_packets = ld.packets_sync_pipe;
1228 capture_info_update(&capture_ui);
1231 /* Let the parent process know. */
1232 if (ld.packets_sync_pipe) {
1234 fflush(wtap_dump_file(ld.wtap_pdh));
1236 /* Send our parent a message saying we've written out "ld.sync_packets"
1237 packets to the capture file. */
1238 sync_pipe_packet_count_to_parent(ld.packets_sync_pipe);
1240 ld.packets_sync_pipe = 0;
1243 /* check capture duration condition */
1244 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
1245 /* The maximum capture time has elapsed; stop the capture. */
1250 /* check capture file duration condition */
1251 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
1252 /* duration limit reached, do we have another file? */
1253 if (capture_opts->multi_files_on) {
1254 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1255 /* no files left: stop here */
1260 /* Switch to the next ringbuffer file */
1261 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &save_file_fd, &ld.err)) {
1262 /* file switch succeeded: reset the conditions */
1263 cnd_reset(cnd_file_duration);
1264 if(cnd_autostop_size)
1265 cnd_reset(cnd_autostop_size);
1266 sync_pipe_filename_to_parent(capture_opts->save_file);
1268 /* File switch failed: stop here */
1273 /* single file, stop now */
1277 } /* cnd_file_duration */
1280 } /* while (ld.go) */
1282 /* close capture info dialog */
1283 if(capture_opts->show_info) {
1284 capture_info_destroy(&capture_ui);
1287 /* delete stop conditions */
1288 if (cnd_file_duration != NULL)
1289 cnd_delete(cnd_file_duration);
1290 if (cnd_autostop_files != NULL)
1291 cnd_delete(cnd_autostop_files);
1292 if (cnd_autostop_size != NULL)
1293 cnd_delete(cnd_autostop_size);
1294 if (cnd_autostop_duration != NULL)
1295 cnd_delete(cnd_autostop_duration);
1297 /* did we had a pcap (input) error? */
1299 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
1300 pcap_geterr(ld.pcap_h));
1301 capture_loop_popup_errmsg(capture_opts, errmsg);
1304 else if (ld.from_cap_pipe && ld.cap_pipe_err == PIPERR)
1305 capture_loop_popup_errmsg(capture_opts, errmsg);
1308 /* did we had an error while capturing? */
1312 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, ld.err,
1314 capture_loop_popup_errmsg(capture_opts, errmsg);
1318 /* close the wiretap (output) file */
1319 close_ok = capture_loop_close_output(capture_opts, &ld, &err_close);
1321 /* If we've displayed a message about a write error, there's no point
1322 in displaying another message about an error on close. */
1323 if (!close_ok && write_ok) {
1324 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
1326 capture_loop_popup_errmsg(capture_opts, errmsg);
1330 * XXX We exhibit different behaviour between normal mode and sync mode
1331 * when the pipe is stdin and not already at EOF. If we're a child, the
1332 * parent's stdin isn't closed, so if the user starts another capture,
1333 * cap_pipe_open_live() will very likely not see the expected magic bytes and
1334 * will say "Unrecognized libpcap format". On the other hand, in normal
1335 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
1338 /* get packet drop statistics from pcap */
1339 if(ld.pcap_h != NULL) {
1340 g_assert(!ld.from_cap_pipe);
1341 /* Get the capture statistics, so we know how many packets were
1343 if (pcap_stats(ld.pcap_h, stats) >= 0) {
1344 *stats_known = TRUE;
1345 /* Let the parent process know. */
1346 sync_pipe_drops_to_parent(stats->ps_drop);
1348 g_snprintf(errmsg, sizeof(errmsg),
1349 "Can't get packet-drop statistics: %s",
1350 pcap_geterr(ld.pcap_h));
1351 capture_loop_popup_errmsg(capture_opts, errmsg);
1355 /* close the input file (pcap or capture pipe) */
1356 capture_loop_close_input(&ld);
1358 /* ok, if the write and the close were successful. */
1359 return write_ok && close_ok;
1362 if (capture_opts->multi_files_on) {
1363 /* cleanup ringbuffer */
1364 ringbuf_error_cleanup();
1366 /* We can't use the save file, and we have no wtap_dump stream
1367 to close in order to close it, so close the FD directly. */
1368 close(save_file_fd);
1370 /* We couldn't even start the capture, so get rid of the capture
1372 unlink(capture_opts->save_file); /* silently ignore error */
1373 g_free(capture_opts->save_file);
1375 capture_opts->save_file = NULL;
1376 capture_loop_popup_errmsg(capture_opts, errmsg);
1378 /* close the input file (pcap or cap_pipe) */
1379 capture_loop_close_input(&ld);
1385 void capture_loop_stop(void)
1392 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
1393 int err, gboolean is_close)
1398 g_snprintf(errmsg, errmsglen,
1399 "Not all the packets could be written to the file"
1400 " to which the capture was being saved\n"
1401 "(\"%s\") because there is no space left on the file system\n"
1402 "on which that file resides.",
1408 g_snprintf(errmsg, errmsglen,
1409 "Not all the packets could be written to the file"
1410 " to which the capture was being saved\n"
1411 "(\"%s\") because you are too close to, or over,"
1412 " your disk quota\n"
1413 "on the file system on which that file resides.",
1418 case WTAP_ERR_CANT_CLOSE:
1419 g_snprintf(errmsg, errmsglen,
1420 "The file to which the capture was being saved"
1421 " couldn't be closed for some unknown reason.");
1424 case WTAP_ERR_SHORT_WRITE:
1425 g_snprintf(errmsg, errmsglen,
1426 "Not all the packets could be written to the file"
1427 " to which the capture was being saved\n"
1434 g_snprintf(errmsg, errmsglen,
1435 "The file to which the capture was being saved\n"
1436 "(\"%s\") could not be closed: %s.",
1437 fname, wtap_strerror(err));
1439 g_snprintf(errmsg, errmsglen,
1440 "An error occurred while writing to the file"
1441 " to which the capture was being saved\n"
1443 fname, wtap_strerror(err));
1450 capture_loop_popup_errmsg(capture_options *capture_opts, const char *errmsg)
1452 /* Send the error message to our parent, so they can display a
1453 dialog box containing it. */
1454 sync_pipe_errmsg_to_parent(errmsg);
1458 /* one packet was captured, process it */
1460 capture_loop_packet_cb(guchar *user, const struct pcap_pkthdr *phdr,
1463 struct wtap_pkthdr whdr;
1464 union wtap_pseudo_header pseudo_header;
1465 loop_data *ld = (loop_data *) user;
1468 /* if the user told us to stop after x packets, do we have enough? */
1470 if ((ld->packets_max > 0) && (ld->counts.total >= ld->packets_max))
1475 /* Convert from libpcap to Wiretap format.
1476 If that fails, set "ld->go" to FALSE, to stop the capture, and set
1477 "ld->err" to the error. */
1478 pd = wtap_process_pcap_packet(ld->wtap_linktype, phdr, pd, &pseudo_header,
1487 /* We're supposed to write the packet to a file; do so.
1488 If this fails, set "ld->go" to FALSE, to stop the capture, and set
1489 "ld->err" to the error. */
1490 if (!wtap_dump(ld->wtap_pdh, &whdr, &pseudo_header, pd, &err)) {
1496 switch (ld->wtap_linktype) {
1497 case WTAP_ENCAP_ETHERNET:
1498 capture_eth(pd, 0, whdr.caplen, &ld->counts);
1500 case WTAP_ENCAP_FDDI:
1501 case WTAP_ENCAP_FDDI_BITSWAPPED:
1502 capture_fddi(pd, whdr.caplen, &ld->counts);
1504 case WTAP_ENCAP_PRISM_HEADER:
1505 capture_prism(pd, 0, whdr.caplen, &ld->counts);
1507 case WTAP_ENCAP_TOKEN_RING:
1508 capture_tr(pd, 0, whdr.caplen, &ld->counts);
1510 case WTAP_ENCAP_NULL:
1511 capture_null(pd, whdr.caplen, &ld->counts);
1513 case WTAP_ENCAP_PPP:
1514 capture_ppp_hdlc(pd, 0, whdr.caplen, &ld->counts);
1516 case WTAP_ENCAP_RAW_IP:
1517 capture_raw(pd, whdr.caplen, &ld->counts);
1519 case WTAP_ENCAP_SLL:
1520 capture_sll(pd, whdr.caplen, &ld->counts);
1522 case WTAP_ENCAP_LINUX_ATM_CLIP:
1523 capture_clip(pd, whdr.caplen, &ld->counts);
1525 case WTAP_ENCAP_IEEE_802_11:
1526 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1527 capture_ieee80211(pd, 0, whdr.caplen, &ld->counts);
1529 case WTAP_ENCAP_CHDLC:
1530 capture_chdlc(pd, 0, whdr.caplen, &ld->counts);
1532 case WTAP_ENCAP_LOCALTALK:
1533 capture_llap(&ld->counts);
1535 case WTAP_ENCAP_ATM_PDUS:
1536 capture_atm(&pseudo_header, pd, whdr.caplen, &ld->counts);
1538 case WTAP_ENCAP_IP_OVER_FC:
1539 capture_ipfc(pd, whdr.caplen, &ld->counts);
1541 case WTAP_ENCAP_ARCNET:
1542 capture_arcnet(pd, whdr.caplen, &ld->counts, FALSE, TRUE);
1544 case WTAP_ENCAP_ARCNET_LINUX:
1545 capture_arcnet(pd, whdr.caplen, &ld->counts, TRUE, FALSE);
1547 case WTAP_ENCAP_APPLE_IP_OVER_IEEE1394:
1548 capture_ap1394(pd, 0, whdr.caplen, &ld->counts);
1550 case WTAP_ENCAP_FRELAY:
1551 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1552 capture_fr(pd, 0, whdr.caplen, &ld->counts);
1554 /* XXX - some ATM drivers on FreeBSD might prepend a 4-byte ATM
1555 pseudo-header to DLT_ATM_RFC1483, with LLC header following;
1556 we might have to implement that at some point. */
1560 #endif /* HAVE_LIBPCAP */