2 * The actual capturing loop, getting packets and storing it
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 * Capture loop (internal interface).
30 * It will open the input and output files, capture the packets,
31 * change ringbuffer output files while capturing and close all files again.
33 * The input file can be a network interface or capture pipe (unix only).
34 * The output file can be a single or a ringbuffer file handled by wiretap.
54 #ifdef HAVE_SYS_TYPES_H
55 # include <sys/types.h>
58 #ifdef HAVE_SYS_STAT_H
59 # include <sys/stat.h>
69 #include <epan/packet.h>
71 #include "capture_sync.h"
72 #include "pcap-util.h"
74 #include "simple_dialog.h"
75 #include "conditions.h"
76 #include "capture_stop_conditions.h"
77 #include "ringbuffer.h"
79 #include "wiretap/libpcap.h"
80 #include "wiretap/wtap.h"
81 #include "wiretap/wtap-capture.h"
83 #include <epan/prefs.h>
84 /* XXX - try to remove this later */
86 /* XXX - try to remove this later */
88 #include "alert_box.h"
92 #include <epan/dissectors/packet-ap1394.h>
93 #include <epan/dissectors/packet-atalk.h>
94 #include <epan/dissectors/packet-atm.h>
95 #include <epan/dissectors/packet-clip.h>
96 #include <epan/dissectors/packet-eth.h>
97 #include <epan/dissectors/packet-fddi.h>
98 #include <epan/dissectors/packet-fr.h>
99 #include <epan/dissectors/packet-null.h>
100 #include <epan/dissectors/packet-ppp.h>
101 #include <epan/dissectors/packet-raw.h>
102 #include <epan/dissectors/packet-sll.h>
103 #include <epan/dissectors/packet-tr.h>
104 #include <epan/dissectors/packet-ieee80211.h>
105 #include <epan/dissectors/packet-chdlc.h>
106 #include <epan/dissectors/packet-prism.h>
107 #include <epan/dissectors/packet-ipfc.h>
108 #include <epan/dissectors/packet-arcnet.h>
110 /* Win32 needs the O_BINARY flag for open() */
118 * We don't want to do a "select()" on the pcap_t's file descriptor on
119 * BSD (because "select()" doesn't work correctly on BPF devices on at
120 * least some releases of some flavors of BSD), and we don't want to do
121 * it on Windows (because "select()" is something for sockets, not for
122 * arbitrary handles). (Note that "Windows" here includes Cygwin;
123 * even in its pretend-it's-UNIX environment, we're using WinPcap, not
126 * We *do* want to do it on other platforms, as, on other platforms (with
127 * the possible exception of Ultrix and Digital UNIX), the read timeout
128 * doesn't expire if no packets have arrived, so a "pcap_dispatch()" call
129 * will block until packets arrive, causing the UI to hang.
131 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
132 * want to include it if it's not present on this platform, however.
134 #if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
135 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
137 # define MUST_DO_SELECT
141 typedef struct _loop_data {
143 gboolean go; /* TRUE as long as we're supposed to keep capturing */
144 int err; /* if non-zero, error seen while capturing */
145 gint packets_max; /* Number of packets we're supposed to capture - 0 means infinite */
146 gint packets_sync_pipe; /* packets not already send out to the sync_pipe */
147 packet_counts counts; /* several packet type counters */
149 /* pcap "input file" */
150 pcap_t *pcap_h; /* pcap handle */
151 gboolean pcap_err; /* TRUE if error from pcap */
152 #ifdef MUST_DO_SELECT
153 int pcap_fd; /* pcap file descriptor */
156 /* capture pipe (unix only "input file") */
157 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
159 struct pcap_hdr cap_pipe_hdr;
160 struct pcaprec_modified_hdr cap_pipe_rechdr;
161 int cap_pipe_fd; /* the file descriptor of the capture pipe */
162 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
163 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
164 unsigned int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
165 unsigned int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
167 STATE_EXPECT_REC_HDR,
173 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
176 /* wiretap (output file) */
177 wtap_dumper *wtap_pdh;
184 * Timeout, in milliseconds, for reads from the stream of captured packets.
186 #define CAP_READ_TIMEOUT 250
188 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
190 static void capture_loop_popup_errmsg(capture_options *capture_opts, const char *errmsg);
191 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
192 int err, gboolean is_close);
197 /* Take care of byte order in the libpcap headers read from pipes.
198 * (function taken from wiretap/libpcap.c) */
200 cap_pipe_adjust_header(loop_data *ld, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
202 if (ld->cap_pipe_byte_swapped) {
203 /* Byte-swap the record header fields. */
204 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
205 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
206 rechdr->incl_len = BSWAP32(rechdr->incl_len);
207 rechdr->orig_len = BSWAP32(rechdr->orig_len);
210 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
211 swapped, in order to match the BPF header layout.
213 Unfortunately, some files were, according to a comment in the "libpcap"
214 source, written with version 2.3 in their headers but without the
215 interchanged fields, so if "incl_len" is greater than "orig_len" - which
216 would make no sense - we assume that we need to swap them. */
217 if (hdr->version_major == 2 &&
218 (hdr->version_minor < 3 ||
219 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
222 temp = rechdr->orig_len;
223 rechdr->orig_len = rechdr->incl_len;
224 rechdr->incl_len = temp;
228 /* Mimic pcap_open_live() for pipe captures
229 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
231 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
232 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
234 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
235 char *errmsg, int errmsgl)
237 struct stat pipe_stat;
241 unsigned int bytes_read;
243 struct timeval timeout;
246 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
249 * XXX Ethereal blocks until we return
251 if (strcmp(pipename, "-") == 0)
252 fd = 0; /* read from stdin */
254 if (stat(pipename, &pipe_stat) < 0) {
255 if (errno == ENOENT || errno == ENOTDIR)
256 ld->cap_pipe_err = PIPNEXIST;
258 g_snprintf(errmsg, errmsgl,
259 "The capture session could not be initiated "
260 "due to error on pipe: %s", strerror(errno));
261 ld->cap_pipe_err = PIPERR;
265 if (! S_ISFIFO(pipe_stat.st_mode)) {
266 if (S_ISCHR(pipe_stat.st_mode)) {
268 * Assume the user specified an interface on a system where
269 * interfaces are in /dev. Pretend we haven't seen it.
271 ld->cap_pipe_err = PIPNEXIST;
273 g_snprintf(errmsg, errmsgl,
274 "The capture session could not be initiated because\n"
275 "\"%s\" is neither an interface nor a pipe", pipename);
276 ld->cap_pipe_err = PIPERR;
280 fd = open(pipename, O_RDONLY | O_NONBLOCK);
282 g_snprintf(errmsg, errmsgl,
283 "The capture session could not be initiated "
284 "due to error on pipe open: %s", strerror(errno));
285 ld->cap_pipe_err = PIPERR;
290 ld->from_cap_pipe = TRUE;
292 /* read the pcap header */
295 while (bytes_read < sizeof magic) {
298 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
299 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
301 g_snprintf(errmsg, errmsgl,
302 "Unexpected error from select: %s", strerror(errno));
304 } else if (sel_ret > 0) {
305 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
308 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
310 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
320 /* Host that wrote it has our byte order, and was running
321 a program using either standard or ss990417 libpcap. */
322 ld->cap_pipe_byte_swapped = FALSE;
323 ld->cap_pipe_modified = FALSE;
325 case PCAP_MODIFIED_MAGIC:
326 /* Host that wrote it has our byte order, but was running
327 a program using either ss990915 or ss991029 libpcap. */
328 ld->cap_pipe_byte_swapped = FALSE;
329 ld->cap_pipe_modified = TRUE;
331 case PCAP_SWAPPED_MAGIC:
332 /* Host that wrote it has a byte order opposite to ours,
333 and was running a program using either standard or
335 ld->cap_pipe_byte_swapped = TRUE;
336 ld->cap_pipe_modified = FALSE;
338 case PCAP_SWAPPED_MODIFIED_MAGIC:
339 /* Host that wrote it out has a byte order opposite to
340 ours, and was running a program using either ss990915
341 or ss991029 libpcap. */
342 ld->cap_pipe_byte_swapped = TRUE;
343 ld->cap_pipe_modified = TRUE;
346 /* Not a "libpcap" type we know about. */
347 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
351 /* Read the rest of the header */
353 while (bytes_read < sizeof(struct pcap_hdr)) {
356 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
357 sel_ret = select(fd+1, &rfds, NULL, NULL, &timeout);
359 g_snprintf(errmsg, errmsgl,
360 "Unexpected error from select: %s", strerror(errno));
362 } else if (sel_ret > 0) {
363 b = read(fd, ((char *)hdr)+bytes_read,
364 sizeof(struct pcap_hdr) - bytes_read);
367 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
369 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
377 if (ld->cap_pipe_byte_swapped) {
378 /* Byte-swap the header fields about which we care. */
379 hdr->version_major = BSWAP16(hdr->version_major);
380 hdr->version_minor = BSWAP16(hdr->version_minor);
381 hdr->snaplen = BSWAP32(hdr->snaplen);
382 hdr->network = BSWAP32(hdr->network);
385 if (hdr->version_major < 2) {
386 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
390 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
391 ld->cap_pipe_err = PIPOK;
395 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
396 ld->cap_pipe_err = PIPERR;
403 /* We read one record from the pipe, take care of byte order in the record
404 * header, write the record to the capture file, and update capture statistics. */
406 cap_pipe_dispatch(int fd, loop_data *ld, struct pcap_hdr *hdr,
407 struct pcaprec_modified_hdr *rechdr, guchar *data,
408 char *errmsg, int errmsgl)
410 struct pcap_pkthdr phdr;
412 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
416 #ifdef LOG_CAPTURE_VERBOSE
417 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
420 switch (ld->cap_pipe_state) {
422 case STATE_EXPECT_REC_HDR:
423 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
424 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
425 ld->cap_pipe_bytes_read = 0;
426 ld->cap_pipe_state = STATE_READ_REC_HDR;
429 case STATE_READ_REC_HDR:
430 b = read(fd, ((char *)rechdr)+ld->cap_pipe_bytes_read,
431 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
434 result = PD_PIPE_EOF;
436 result = PD_PIPE_ERR;
439 if ((ld->cap_pipe_bytes_read += b) < ld->cap_pipe_bytes_to_read)
441 result = PD_REC_HDR_READ;
444 case STATE_EXPECT_DATA:
445 ld->cap_pipe_bytes_read = 0;
446 ld->cap_pipe_state = STATE_READ_DATA;
449 case STATE_READ_DATA:
450 b = read(fd, data+ld->cap_pipe_bytes_read, rechdr->hdr.incl_len - ld->cap_pipe_bytes_read);
453 result = PD_PIPE_EOF;
455 result = PD_PIPE_ERR;
458 if ((ld->cap_pipe_bytes_read += b) < rechdr->hdr.incl_len)
460 result = PD_DATA_READ;
464 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
467 } /* switch (ld->cap_pipe_state) */
470 * We've now read as much data as we were expecting, so process it.
474 case PD_REC_HDR_READ:
475 /* We've read the header. Take care of byte order. */
476 cap_pipe_adjust_header(ld, hdr, &rechdr->hdr);
477 if (rechdr->hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
478 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
479 ld->counts.total+1, rechdr->hdr.incl_len);
482 ld->cap_pipe_state = STATE_EXPECT_DATA;
486 /* Fill in a "struct pcap_pkthdr", and process the packet. */
487 phdr.ts.tv_sec = rechdr->hdr.ts_sec;
488 phdr.ts.tv_usec = rechdr->hdr.ts_usec;
489 phdr.caplen = rechdr->hdr.incl_len;
490 phdr.len = rechdr->hdr.orig_len;
492 capture_loop_packet_cb((u_char *)ld, &phdr, data);
494 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
498 ld->cap_pipe_err = PIPEOF;
502 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
509 ld->cap_pipe_err = PIPERR;
510 /* Return here rather than inside the switch to prevent GCC warning */
513 #endif /* not _WIN32 */
516 /* open the capture input file (pcap or capture pipe) */
517 static int capture_loop_open_input(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
518 gchar open_err_str[PCAP_ERRBUF_SIZE];
519 const char *set_linktype_err_str;
522 WORD wVersionRequested;
525 static const char ppamsg[] = "can't find PPA for ";
526 const char *libpcap_warn;
530 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
532 /* Initialize Windows Socket if we are in a WIN32 OS
533 This needs to be done before querying the interface for network/netmask */
535 /* XXX - do we really require 1.1 or earlier?
536 Are there any versions that support only 2.0 or higher? */
537 wVersionRequested = MAKEWORD(1, 1);
538 err = WSAStartup(wVersionRequested, &wsaData);
543 g_snprintf(errmsg, errmsg_len,
544 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
547 case WSAVERNOTSUPPORTED:
548 g_snprintf(errmsg, errmsg_len,
549 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
550 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
554 g_snprintf(errmsg, errmsg_len,
555 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
559 g_snprintf(errmsg, errmsg_len,
560 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
564 g_snprintf(errmsg, errmsg_len,
565 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
569 g_snprintf(errmsg, errmsg_len,
570 "Couldn't initialize Windows Sockets: error %d", err);
577 /* Open the network interface to capture from it.
578 Some versions of libpcap may put warnings into the error buffer
579 if they succeed; to tell if that's happened, we have to clear
580 the error buffer, and check if it's still a null string. */
581 open_err_str[0] = '\0';
582 ld->pcap_h = pcap_open_live(capture_opts->iface,
583 capture_opts->has_snaplen ? capture_opts->snaplen :
584 WTAP_MAX_PACKET_SIZE,
585 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
588 if (ld->pcap_h != NULL) {
589 /* we've opened "iface" as a network device */
591 /* try to set the capture buffer size */
592 if (pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
593 simple_dialog(ESD_TYPE_INFO, ESD_BTN_OK,
594 "%sCouldn't set the capture buffer size!%s\n"
596 "The capture buffer size of %luMB seems to be too high for your machine,\n"
597 "the default of 1MB will be used.\n"
599 "Nonetheless, the capture is started.\n",
600 simple_dialog_primary_start(), simple_dialog_primary_end(), capture_opts->buffer_size);
604 /* setting the data link type only works on real interfaces */
605 if (capture_opts->linktype != -1) {
606 set_linktype_err_str = set_pcap_linktype(ld->pcap_h, capture_opts->iface,
607 capture_opts->linktype);
608 if (set_linktype_err_str != NULL) {
609 g_snprintf(errmsg, errmsg_len, "Unable to set data link type (%s).",
610 set_linktype_err_str);
615 /* We couldn't open "iface" as a network device. */
617 /* On Windows, we don't support capturing on pipes, so we give up. */
619 /* On Win32 OSes, the capture devices are probably available to all
620 users; don't warn about permissions problems.
622 Do, however, warn that WAN devices aren't supported. */
623 g_snprintf(errmsg, errmsg_len,
624 "%sThe capture session could not be initiated!%s\n"
628 "Please check that you have the proper interface specified.\n"
630 "Help can be found at: http://wiki.ethereal.com/CaptureSetup\n"
632 "Note that version 3.0 of WinPcap, and earlier versions of WinPcap, don't\n"
633 "support capturing on PPP/WAN interfaces on Windows NT 4.0 / 2000 / XP /\n"
635 "WinPcap 3.1 has support for it on Windows 2000 / XP / Server 2003, but has no\n"
636 "support for it on Windows NT 4.0 or Windows Vista (Beta 1).",
637 simple_dialog_primary_start(), simple_dialog_primary_end(),
641 /* try to open iface as a pipe */
642 ld->cap_pipe_fd = cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, errmsg_len);
644 if (ld->cap_pipe_fd == -1) {
646 if (ld->cap_pipe_err == PIPNEXIST) {
647 /* Pipe doesn't exist, so output message for interface */
649 /* If we got a "can't find PPA for XXX" message, warn the user (who
650 is running Ethereal on HP-UX) that they don't have a version
651 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
652 versions, which properly handle HP-UX, say "can't find /dev/dlpi
653 PPA for XXX" rather than "can't find PPA for XXX"). */
654 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
657 "You are running Ethereal with a version of the libpcap library\n"
658 "that doesn't handle HP-UX network devices well; this means that\n"
659 "Ethereal may not be able to capture packets.\n"
661 "To fix this, you should install libpcap 0.6.2, or a later version\n"
662 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
663 "packaged binary form from the Software Porting And Archive Centre\n"
664 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
665 "at the URL lists a number of mirror sites.";
668 g_snprintf(errmsg, errmsg_len,
669 "The capture session could not be initiated (%s).\n"
670 "Please check to make sure you have sufficient permissions, and that\n"
671 "you have the proper interface or pipe specified.%s", open_err_str,
675 * Else pipe (or file) does exist and cap_pipe_open_live() has
680 /* cap_pipe_open_live() succeeded; don't want
681 error message from pcap_open_live() */
682 open_err_str[0] = '\0';
686 #ifdef MUST_DO_SELECT
687 if (!ld->from_cap_pipe) {
688 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
689 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
691 ld->pcap_fd = pcap_fileno(ld->pcap_h);
696 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
697 returned a warning; print it, but keep capturing. */
698 if (open_err_str[0] != '\0')
699 g_warning("%s.", open_err_str);
705 /* open the capture input file (pcap or capture pipe) */
706 static void capture_loop_close_input(loop_data *ld) {
708 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
711 /* if open, close the capture pipe "input file" */
712 if (ld->cap_pipe_fd >= 0) {
713 g_assert(ld->from_cap_pipe);
714 close(ld->cap_pipe_fd);
718 /* if open, close the pcap "input file" */
719 if(ld->pcap_h != NULL) {
720 g_assert(!ld->from_cap_pipe);
721 pcap_close(ld->pcap_h);
725 /* Shut down windows sockets */
731 /* init the capture filter */
732 static int capture_loop_init_filter(loop_data *ld, const gchar * iface, gchar * cfilter, char *errmsg, int errmsg_len) {
733 bpf_u_int32 netnum, netmask;
734 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
735 struct bpf_program fcode;
738 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
740 /* capture filters only work on real interfaces */
741 if (cfilter && !ld->from_cap_pipe) {
742 /* A capture filter was specified; set it up. */
743 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
745 * Well, we can't get the netmask for this interface; it's used
746 * only for filters that check for broadcast IP addresses, so
747 * we just punt and use 0. It might be nice to warn the user,
748 * but that's a pain in a GUI application, as it'd involve popping
749 * up a message box, and it's not clear how often this would make
750 * a difference (only filters that check for IP broadcast addresses
755 if (pcap_compile(ld->pcap_h, &fcode, cfilter, 1, netmask) < 0) {
756 dfilter_t *rfcode = NULL;
757 /* filter string invalid, did the user tried a display filter? */
758 if (dfilter_compile(cfilter, &rfcode) && rfcode != NULL) {
759 g_snprintf(errmsg, errmsg_len,
760 "%sInvalid capture filter: \"%s\"!%s\n"
762 "That string looks like a valid display filter; however, it isn't a valid\n"
763 "capture filter (%s).\n"
765 "Note that display filters and capture filters don't have the same syntax,\n"
766 "so you can't use most display filter expressions as capture filters.\n"
768 "See the help for a description of the capture filter syntax.",
769 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
770 pcap_geterr(ld->pcap_h));
771 dfilter_free(rfcode);
773 g_snprintf(errmsg, errmsg_len,
774 "%sInvalid capture filter: \"%s\"!%s\n"
776 "That string isn't a valid capture filter (%s).\n"
777 "See the help for a description of the capture filter syntax.",
778 simple_dialog_primary_start(), cfilter, simple_dialog_primary_end(),
779 pcap_geterr(ld->pcap_h));
783 if (pcap_setfilter(ld->pcap_h, &fcode) < 0) {
784 g_snprintf(errmsg, errmsg_len, "Can't install filter (%s).",
785 pcap_geterr(ld->pcap_h));
786 #ifdef HAVE_PCAP_FREECODE
787 pcap_freecode(&fcode);
791 #ifdef HAVE_PCAP_FREECODE
792 pcap_freecode(&fcode);
800 /* open the wiretap part of the capture output file */
801 static int capture_loop_init_wiretap_output(capture_options *capture_opts, int save_file_fd, loop_data *ld, char *errmsg, int errmsg_len) {
807 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_wiretap_output");
809 /* get packet encapsulation type and snaplen */
811 if (ld->from_cap_pipe) {
812 pcap_encap = ld->cap_pipe_hdr.network;
813 file_snaplen = ld->cap_pipe_hdr.snaplen;
817 pcap_encap = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
818 file_snaplen = pcap_snapshot(ld->pcap_h);
821 /* Set up to write to the capture file. */
822 ld->wtap_linktype = wtap_pcap_encap_to_wtap_encap(pcap_encap);
823 if (ld->wtap_linktype == WTAP_ENCAP_UNKNOWN) {
824 g_snprintf(errmsg, errmsg_len,
825 "The network you're capturing from is of a type"
826 " that Ethereal doesn't support (data link type %d).", pcap_encap);
829 if (capture_opts->multi_files_on) {
830 ld->wtap_pdh = ringbuf_init_wtap_dump_fdopen(WTAP_FILE_PCAP, ld->wtap_linktype,
833 ld->wtap_pdh = wtap_dump_fdopen(save_file_fd, WTAP_FILE_PCAP,
834 ld->wtap_linktype, file_snaplen, FALSE /* compressed */, &err);
837 if (ld->wtap_pdh == NULL) {
838 /* We couldn't set up to write to the capture file. */
841 case WTAP_ERR_CANT_OPEN:
842 strcpy(errmsg, "The file to which the capture would be saved"
843 " couldn't be created for some unknown reason.");
846 case WTAP_ERR_SHORT_WRITE:
847 strcpy(errmsg, "A full header couldn't be written to the file"
848 " to which the capture would be saved.");
853 g_snprintf(errmsg, errmsg_len,
854 "The file to which the capture would be"
855 " saved (\"%s\") could not be opened: Error %d.",
856 capture_opts->save_file, err);
858 g_snprintf(errmsg, errmsg_len,
859 "The file to which the capture would be"
860 " saved (\"%s\") could not be opened: %s.",
861 capture_opts->save_file, strerror(err));
872 static gboolean capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
874 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
876 if (capture_opts->multi_files_on) {
877 return ringbuf_wtap_dump_close(&capture_opts->save_file, err_close);
879 return wtap_dump_close(ld->wtap_pdh, err_close);
883 /* dispatch incoming packets (pcap or capture pipe) */
885 capture_loop_dispatch(capture_options *capture_opts, loop_data *ld,
886 char *errmsg, int errmsg_len) {
890 struct timeval timeout;
892 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
896 if (ld->from_cap_pipe) {
897 /* dispatch from capture pipe */
898 #ifdef LOG_CAPTURE_VERBOSE
899 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
902 FD_SET(ld->cap_pipe_fd, &set1);
904 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
905 sel_ret = select(ld->cap_pipe_fd+1, &set1, NULL, NULL, &timeout);
908 if (sel_ret < 0 && errno != EINTR) {
909 g_snprintf(errmsg, errmsg_len,
910 "Unexpected error from select: %s", strerror(errno));
911 capture_loop_popup_errmsg(capture_opts, errmsg);
916 * "select()" says we can read from the pipe without blocking
918 inpkts = cap_pipe_dispatch(ld->cap_pipe_fd, ld, &ld->cap_pipe_hdr, &ld->cap_pipe_rechdr, pcap_data,
928 /* dispatch from pcap */
929 #ifdef MUST_DO_SELECT
931 * Sigh. The semantics of the read timeout argument to
932 * "pcap_open_live()" aren't particularly well specified by
933 * the "pcap" man page - at least with the BSD BPF code, the
934 * intent appears to be, at least in part, a way of cutting
935 * down the number of reads done on a capture, by blocking
936 * until the buffer fills or a timer expires - and the Linux
937 * libpcap doesn't actually support it, so we can't use it
938 * to break out of the "pcap_dispatch()" every 1/4 of a second
939 * or so. Linux's libpcap is not the only libpcap that doesn't
940 * support the read timeout.
942 * Furthermore, at least on Solaris, the bufmod STREAMS module's
943 * read timeout won't go off if no data has arrived, i.e. it cannot
944 * be used to guarantee that a read from a DLPI stream will return
945 * within a specified amount of time regardless of whether any
946 * data arrives or not.
948 * Thus, on all platforms other than BSD, we do a "select()" on the
949 * file descriptor for the capture, with a timeout of CAP_READ_TIMEOUT
950 * milliseconds, or CAP_READ_TIMEOUT*1000 microseconds.
952 * "select()", on BPF devices, doesn't work as you might expect;
953 * at least on some versions of some flavors of BSD, the timer
954 * doesn't start until a read is done, so it won't expire if
955 * only a "select()" or "poll()" is posted.
957 * If we have "pcap_get_selectable_fd()", we use it to get the
958 * descriptor on which to select; if that's -1, it means there
959 * is no descriptor on which you can do a "select()" (perhaps
960 * because you're capturing on a special device, and that device's
961 * driver unfortunately doesn't support "select()", in which case
962 * we don't do the select - which means Ethereal might block,
963 * unable to accept user input, until a packet arrives. If
964 * that's unacceptable, plead with whoever supplies the software
965 * for that device to add "select()" support.
967 #ifdef LOG_CAPTURE_VERBOSE
968 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
970 if (ld->pcap_fd != -1) {
972 FD_SET(ld->pcap_fd, &set1);
974 timeout.tv_usec = CAP_READ_TIMEOUT*1000;
975 sel_ret = select(ld->pcap_fd+1, &set1, NULL, NULL, &timeout);
978 * "select()" says we can read from it without blocking; go for
981 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *)ld);
988 if (sel_ret < 0 && errno != EINTR) {
989 g_snprintf(errmsg, errmsg_len,
990 "Unexpected error from select: %s", strerror(errno));
991 capture_loop_popup_errmsg(capture_opts, errmsg);
997 #endif /* MUST_DO_SELECT */
999 /* dispatch from pcap without select */
1001 #ifdef LOG_CAPTURE_VERBOSE
1002 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
1004 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
1006 ld->pcap_err = TRUE;
1011 #ifdef LOG_CAPTURE_VERBOSE
1012 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
1014 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
1016 /* WinPcap's remote capturing feature doesn't work, see http://wiki.ethereal.com/CaptureSetup_2fWinPcapRemote */
1017 /* for reference, an example remote interface: rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C} */
1019 /* emulate dispatch from pcap */
1021 struct pcap_pkthdr *pkt_header;
1025 while( (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1) {
1026 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
1031 ld->pcap_err = TRUE;
1040 #ifdef LOG_CAPTURE_VERBOSE
1041 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
1048 /* open the output file (temporary/specified name/ringbuffer) */
1049 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
1051 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
1052 char *errmsg, int errmsg_len) {
1054 char tmpname[128+1];
1055 gchar *capfile_name;
1056 gboolean is_tempfile;
1059 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
1060 (capture_opts->save_file) ? capture_opts->save_file : "");
1062 if (capture_opts->save_file != NULL) {
1063 /* We return to the caller while the capture is in progress.
1064 * Therefore we need to take a copy of save_file in
1065 * case the caller destroys it after we return.
1067 capfile_name = g_strdup(capture_opts->save_file);
1068 if (capture_opts->multi_files_on) {
1069 /* ringbuffer is enabled */
1070 *save_file_fd = ringbuf_init(capfile_name,
1071 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0);
1073 /* we need the ringbuf name */
1074 if(*save_file_fd != -1) {
1075 g_free(capfile_name);
1076 capfile_name = g_strdup(ringbuf_current_filename());
1079 /* Try to open/create the specified file for use as a capture buffer. */
1080 *save_file_fd = open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
1083 is_tempfile = FALSE;
1085 /* Choose a random name for the temporary capture buffer */
1086 *save_file_fd = create_tempfile(tmpname, sizeof tmpname, "ether");
1087 capfile_name = g_strdup(tmpname);
1091 /* did we fail to open the output file? */
1092 if (*save_file_fd == -1) {
1094 g_snprintf(errmsg, errmsg_len,
1095 "The temporary file to which the capture would be saved (\"%s\") "
1096 "could not be opened: %s.", capfile_name, strerror(errno));
1098 if (capture_opts->multi_files_on) {
1099 ringbuf_error_cleanup();
1102 g_snprintf(errmsg, errmsg_len,
1103 "The file to which the capture would be saved (\"%s\") "
1104 "could not be opened: %s.", capfile_name,
1107 /*open_failure_alert_box(capfile_name, errno, TRUE);*/
1109 g_free(capfile_name);
1113 if(capture_opts->save_file != NULL) {
1114 g_free(capture_opts->save_file);
1116 capture_opts->save_file = capfile_name;
1117 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
1118 "g_free(capfile_name)". */
1126 capture_loop_stop_signal_handler(int signo _U_)
1128 capture_loop_stop();
1133 #define TIME_GET() GetTickCount()
1135 #define TIME_GET() time(NULL)
1139 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
1142 static loop_data ld;
1144 /* Do the low-level work of a capture.
1145 Returns TRUE if it succeeds, FALSE otherwise. */
1147 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
1149 time_t upd_time, cur_time;
1151 int err_close, inpkts;
1152 condition *cnd_file_duration = NULL;
1153 condition *cnd_autostop_files = NULL;
1154 condition *cnd_autostop_size = NULL;
1155 condition *cnd_autostop_duration = NULL;
1156 guint32 autostop_files = 0;
1159 capture_info capture_ui;
1160 char errmsg[4096+1];
1164 /* init the loop data */
1166 if (capture_opts->has_autostop_packets)
1167 ld.packets_max = capture_opts->autostop_packets;
1169 ld.packets_max = 0; /* no limit */
1170 ld.err = 0; /* no error seen yet */
1171 ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
1172 ld.pcap_err = FALSE;
1173 ld.from_cap_pipe = FALSE;
1174 ld.packets_sync_pipe = 0;
1175 ld.counts.total = 0;
1183 ld.counts.netbios = 0;
1184 ld.counts.vines = 0;
1185 ld.counts.other = 0;
1189 ld.cap_pipe_fd = -1;
1191 #ifdef MUST_DO_SELECT
1197 * Catch SIGUSR1, so that we exit cleanly if the parent process
1198 * kills us with it due to the user selecting "Capture->Stop".
1200 signal(SIGUSR1, capture_loop_stop_signal_handler);
1203 /* We haven't yet gotten the capture statistics. */
1204 *stats_known = FALSE;
1206 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child starting ...");
1207 #ifdef LOG_CAPTURE_VERBOSE
1208 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
1211 /* open the output file (temporary/specified name/ringbuffer) */
1212 if (!capture_loop_open_output(capture_opts, &save_file_fd, errmsg, sizeof(errmsg))) {
1216 /* open the "input file" from network interface or capture pipe */
1217 if (!capture_loop_open_input(capture_opts, &ld, errmsg, sizeof(errmsg))) {
1221 /* init the input filter from the network interface (capture pipe will do nothing) */
1222 if (!capture_loop_init_filter(&ld, capture_opts->iface, capture_opts->cfilter, errmsg, sizeof(errmsg))) {
1226 /* open the wiretap part of the output file (the output file is already open) */
1227 if (!capture_loop_init_wiretap_output(capture_opts, save_file_fd, &ld, errmsg, sizeof(errmsg))) {
1231 /* XXX - capture SIGTERM and close the capture, in case we're on a
1232 Linux 2.0[.x] system and you have to explicitly close the capture
1233 stream in order to turn promiscuous mode off? We need to do that
1234 in other places as well - and I don't think that works all the
1235 time in any case, due to libpcap bugs. */
1237 /* Well, we should be able to start capturing.
1239 Sync out the capture file, so the header makes it to the file system,
1240 and send a "capture started successfully and capture file created"
1241 message to our parent so that they'll open the capture file and
1242 update its windows to indicate that we have a live capture in
1244 wtap_dump_flush(ld.wtap_pdh);
1245 sync_pipe_filename_to_parent(capture_opts->save_file);
1247 /* initialize capture stop (and alike) conditions */
1248 init_capture_stop_conditions();
1249 /* create stop conditions */
1250 if (capture_opts->has_autostop_filesize)
1252 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize);
1253 if (capture_opts->has_autostop_duration)
1254 cnd_autostop_duration =
1255 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
1257 if (capture_opts->multi_files_on) {
1258 if (capture_opts->has_file_duration)
1260 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
1262 if (capture_opts->has_autostop_files)
1263 cnd_autostop_files =
1264 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
1267 /* start capture info dialog */
1268 if(capture_opts->show_info) {
1269 capture_ui.callback_data = &ld;
1270 capture_ui.counts = &ld.counts;
1271 capture_info_create(&capture_ui, capture_opts->iface);
1274 /* init the time values */
1275 start_time = TIME_GET();
1276 upd_time = TIME_GET();
1279 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child running!");
1281 /* WOW, everything is prepared! */
1282 /* please fasten your seat belts, we will enter now the actual capture loop */
1284 main_window_update();
1286 /* dispatch incoming packets */
1287 inpkts = capture_loop_dispatch(capture_opts, &ld, errmsg, sizeof(errmsg));
1289 main_window_update();
1292 /* some news from our parent (signal pipe)? -> just stop the capture */
1299 handle = (HANDLE) _get_osfhandle (0);
1300 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
1302 if(!result || avail > 0) {
1304 /*g_warning("loop closing");*/
1310 ld.packets_sync_pipe += inpkts;
1312 /* check capture size condition */
1313 if (cnd_autostop_size != NULL && cnd_eval(cnd_autostop_size,
1314 (guint32)wtap_get_bytes_dumped(ld.wtap_pdh))){
1315 /* Capture size limit reached, do we have another file? */
1316 if (capture_opts->multi_files_on) {
1317 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1318 /* no files left: stop here */
1323 /* Switch to the next ringbuffer file */
1324 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &save_file_fd, &ld.err)) {
1325 /* File switch succeeded: reset the conditions */
1326 cnd_reset(cnd_autostop_size);
1327 if (cnd_file_duration) {
1328 cnd_reset(cnd_file_duration);
1330 wtap_dump_flush(ld.wtap_pdh);
1331 sync_pipe_filename_to_parent(capture_opts->save_file);
1333 /* File switch failed: stop here */
1338 /* single file, stop now */
1342 } /* cnd_autostop_size */
1345 /* Only update once a second so as not to overload slow displays */
1346 cur_time = TIME_GET();
1348 if ( (cur_time - upd_time) > 500) {
1350 if (cur_time - upd_time > 0) {
1352 upd_time = cur_time;
1354 /*if (pcap_stats(pch, stats) >= 0) {
1355 *stats_known = TRUE;
1358 /* calculate and display running time */
1359 if(capture_opts->show_info) {
1360 cur_time -= start_time;
1362 capture_ui.running_time = cur_time / 1000;
1364 capture_ui.running_time = cur_time;
1366 capture_ui.new_packets = ld.packets_sync_pipe;
1367 capture_info_update(&capture_ui);
1370 /* Let the parent process know. */
1371 if (ld.packets_sync_pipe) {
1373 wtap_dump_flush(ld.wtap_pdh);
1375 /* Send our parent a message saying we've written out "ld.sync_packets"
1376 packets to the capture file. */
1377 sync_pipe_packet_count_to_parent(ld.packets_sync_pipe);
1379 ld.packets_sync_pipe = 0;
1382 /* check capture duration condition */
1383 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
1384 /* The maximum capture time has elapsed; stop the capture. */
1389 /* check capture file duration condition */
1390 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
1391 /* duration limit reached, do we have another file? */
1392 if (capture_opts->multi_files_on) {
1393 if (cnd_autostop_files != NULL && cnd_eval(cnd_autostop_files, ++autostop_files)) {
1394 /* no files left: stop here */
1399 /* Switch to the next ringbuffer file */
1400 if (ringbuf_switch_file(&ld.wtap_pdh, &capture_opts->save_file, &save_file_fd, &ld.err)) {
1401 /* file switch succeeded: reset the conditions */
1402 cnd_reset(cnd_file_duration);
1403 if(cnd_autostop_size)
1404 cnd_reset(cnd_autostop_size);
1405 wtap_dump_flush(ld.wtap_pdh);
1406 sync_pipe_filename_to_parent(capture_opts->save_file);
1408 /* File switch failed: stop here */
1413 /* single file, stop now */
1417 } /* cnd_file_duration */
1420 } /* while (ld.go) */
1422 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child stopping ...");
1424 /* close capture info dialog */
1425 if(capture_opts->show_info) {
1426 capture_info_destroy(&capture_ui);
1429 /* delete stop conditions */
1430 if (cnd_file_duration != NULL)
1431 cnd_delete(cnd_file_duration);
1432 if (cnd_autostop_files != NULL)
1433 cnd_delete(cnd_autostop_files);
1434 if (cnd_autostop_size != NULL)
1435 cnd_delete(cnd_autostop_size);
1436 if (cnd_autostop_duration != NULL)
1437 cnd_delete(cnd_autostop_duration);
1439 /* did we had a pcap (input) error? */
1441 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
1442 pcap_geterr(ld.pcap_h));
1443 capture_loop_popup_errmsg(capture_opts, errmsg);
1446 else if (ld.from_cap_pipe && ld.cap_pipe_err == PIPERR)
1447 capture_loop_popup_errmsg(capture_opts, errmsg);
1450 /* did we had an error while capturing? */
1454 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, ld.err,
1456 capture_loop_popup_errmsg(capture_opts, errmsg);
1460 /* close the wiretap (output) file */
1461 close_ok = capture_loop_close_output(capture_opts, &ld, &err_close);
1463 /* If we've displayed a message about a write error, there's no point
1464 in displaying another message about an error on close. */
1465 if (!close_ok && write_ok) {
1466 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
1468 capture_loop_popup_errmsg(capture_opts, errmsg);
1472 * XXX We exhibit different behaviour between normal mode and sync mode
1473 * when the pipe is stdin and not already at EOF. If we're a child, the
1474 * parent's stdin isn't closed, so if the user starts another capture,
1475 * cap_pipe_open_live() will very likely not see the expected magic bytes and
1476 * will say "Unrecognized libpcap format". On the other hand, in normal
1477 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
1480 /* get packet drop statistics from pcap */
1481 if(ld.pcap_h != NULL) {
1482 g_assert(!ld.from_cap_pipe);
1483 /* Get the capture statistics, so we know how many packets were
1485 if (pcap_stats(ld.pcap_h, stats) >= 0) {
1486 *stats_known = TRUE;
1487 /* Let the parent process know. */
1488 sync_pipe_drops_to_parent(stats->ps_drop);
1490 g_snprintf(errmsg, sizeof(errmsg),
1491 "Can't get packet-drop statistics: %s",
1492 pcap_geterr(ld.pcap_h));
1493 capture_loop_popup_errmsg(capture_opts, errmsg);
1497 /* close the input file (pcap or capture pipe) */
1498 capture_loop_close_input(&ld);
1500 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child stopped!");
1502 /* ok, if the write and the close were successful. */
1503 return write_ok && close_ok;
1506 if (capture_opts->multi_files_on) {
1507 /* cleanup ringbuffer */
1508 ringbuf_error_cleanup();
1510 /* We can't use the save file, and we have no wtap_dump stream
1511 to close in order to close it, so close the FD directly. */
1512 close(save_file_fd);
1514 /* We couldn't even start the capture, so get rid of the capture
1516 unlink(capture_opts->save_file); /* silently ignore error */
1517 g_free(capture_opts->save_file);
1519 capture_opts->save_file = NULL;
1520 capture_loop_popup_errmsg(capture_opts, errmsg);
1522 /* close the input file (pcap or cap_pipe) */
1523 capture_loop_close_input(&ld);
1525 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture child stopped with error");
1531 void capture_loop_stop(void)
1538 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
1539 int err, gboolean is_close)
1544 g_snprintf(errmsg, errmsglen,
1545 "Not all the packets could be written to the file"
1546 " to which the capture was being saved\n"
1547 "(\"%s\") because there is no space left on the file system\n"
1548 "on which that file resides.",
1554 g_snprintf(errmsg, errmsglen,
1555 "Not all the packets could be written to the file"
1556 " to which the capture was being saved\n"
1557 "(\"%s\") because you are too close to, or over,"
1558 " your disk quota\n"
1559 "on the file system on which that file resides.",
1564 case WTAP_ERR_CANT_CLOSE:
1565 g_snprintf(errmsg, errmsglen,
1566 "The file to which the capture was being saved"
1567 " couldn't be closed for some unknown reason.");
1570 case WTAP_ERR_SHORT_WRITE:
1571 g_snprintf(errmsg, errmsglen,
1572 "Not all the packets could be written to the file"
1573 " to which the capture was being saved\n"
1580 g_snprintf(errmsg, errmsglen,
1581 "The file to which the capture was being saved\n"
1582 "(\"%s\") could not be closed: %s.",
1583 fname, wtap_strerror(err));
1585 g_snprintf(errmsg, errmsglen,
1586 "An error occurred while writing to the file"
1587 " to which the capture was being saved\n"
1589 fname, wtap_strerror(err));
1596 capture_loop_popup_errmsg(capture_options *capture_opts _U_, const char *errmsg)
1598 /* Send the error message to our parent, so they can display a
1599 dialog box containing it. */
1600 sync_pipe_errmsg_to_parent(errmsg);
1604 /* one packet was captured, process it */
1606 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
1609 struct wtap_pkthdr whdr;
1610 union wtap_pseudo_header pseudo_header;
1611 loop_data *ld = (loop_data *) user;
1614 /* if the user told us to stop after x packets, do we have enough? */
1616 if ((ld->packets_max > 0) && (ld->counts.total >= ld->packets_max))
1621 /* Convert from libpcap to Wiretap format.
1622 If that fails, set "ld->go" to FALSE, to stop the capture, and set
1623 "ld->err" to the error. */
1624 pd = wtap_process_pcap_packet(ld->wtap_linktype, phdr, pd, &pseudo_header,
1633 /* We're supposed to write the packet to a file; do so.
1634 If this fails, set "ld->go" to FALSE, to stop the capture, and set
1635 "ld->err" to the error. */
1636 if (!wtap_dump(ld->wtap_pdh, &whdr, &pseudo_header, pd, &err)) {
1642 switch (ld->wtap_linktype) {
1643 case WTAP_ENCAP_ETHERNET:
1644 capture_eth(pd, 0, whdr.caplen, &ld->counts);
1646 case WTAP_ENCAP_FDDI:
1647 case WTAP_ENCAP_FDDI_BITSWAPPED:
1648 capture_fddi(pd, whdr.caplen, &ld->counts);
1650 case WTAP_ENCAP_PRISM_HEADER:
1651 capture_prism(pd, 0, whdr.caplen, &ld->counts);
1653 case WTAP_ENCAP_TOKEN_RING:
1654 capture_tr(pd, 0, whdr.caplen, &ld->counts);
1656 case WTAP_ENCAP_NULL:
1657 capture_null(pd, whdr.caplen, &ld->counts);
1659 case WTAP_ENCAP_PPP:
1660 capture_ppp_hdlc(pd, 0, whdr.caplen, &ld->counts);
1662 case WTAP_ENCAP_RAW_IP:
1663 capture_raw(pd, whdr.caplen, &ld->counts);
1665 case WTAP_ENCAP_SLL:
1666 capture_sll(pd, whdr.caplen, &ld->counts);
1668 case WTAP_ENCAP_LINUX_ATM_CLIP:
1669 capture_clip(pd, whdr.caplen, &ld->counts);
1671 case WTAP_ENCAP_IEEE_802_11:
1672 case WTAP_ENCAP_IEEE_802_11_WITH_RADIO:
1673 capture_ieee80211(pd, 0, whdr.caplen, &ld->counts);
1675 case WTAP_ENCAP_CHDLC:
1676 capture_chdlc(pd, 0, whdr.caplen, &ld->counts);
1678 case WTAP_ENCAP_LOCALTALK:
1679 capture_llap(&ld->counts);
1681 case WTAP_ENCAP_ATM_PDUS:
1682 capture_atm(&pseudo_header, pd, whdr.caplen, &ld->counts);
1684 case WTAP_ENCAP_IP_OVER_FC:
1685 capture_ipfc(pd, whdr.caplen, &ld->counts);
1687 case WTAP_ENCAP_ARCNET:
1688 capture_arcnet(pd, whdr.caplen, &ld->counts, FALSE, TRUE);
1690 case WTAP_ENCAP_ARCNET_LINUX:
1691 capture_arcnet(pd, whdr.caplen, &ld->counts, TRUE, FALSE);
1693 case WTAP_ENCAP_APPLE_IP_OVER_IEEE1394:
1694 capture_ap1394(pd, 0, whdr.caplen, &ld->counts);
1696 case WTAP_ENCAP_FRELAY:
1697 case WTAP_ENCAP_FRELAY_WITH_PHDR:
1698 capture_fr(pd, 0, whdr.caplen, &ld->counts);
1700 /* XXX - some ATM drivers on FreeBSD might prepend a 4-byte ATM
1701 pseudo-header to DLT_ATM_RFC1483, with LLC header following;
1702 we might have to implement that at some point. */
1706 #endif /* HAVE_LIBPCAP */