5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
88 #include "capture-wpcap.h"
89 #include <wsutil/unicode-utils.h>
93 #include <sys/socket.h>
97 #ifdef NEED_INET_V6DEFS_H
98 # include "wsutil/inet_v6defs.h"
101 #include <wsutil/privileges.h>
103 #include "sync_pipe.h"
105 #include "capture_opts.h"
106 #include "capture_ifinfo.h"
107 #include "capture_sync.h"
109 #include "conditions.h"
110 #include "capture_stop_conditions.h"
112 #include "tempfile.h"
114 #include "wsutil/file_util.h"
117 * Get information about libpcap format from "wiretap/libpcap.h".
118 * XXX - can we just use pcap_open_offline() to read the pipe?
120 #include "wiretap/libpcap.h"
122 /**#define DEBUG_DUMPCAP**/
123 /**#define DEBUG_CHILD_DUMPCAP**/
127 #include <conio.h> /* _getch() */
131 #ifdef DEBUG_CHILD_DUMPCAP
132 FILE *debug_log; /* for logging debug messages to */
133 /* a file if DEBUG_CHILD_DUMPCAP */
141 static GAsyncQueue *pcap_queue;
142 static gint64 pcap_queue_bytes;
143 static gint64 pcap_queue_packets;
144 static gint64 pcap_queue_byte_limit = 1024 * 1024;
145 static gint64 pcap_queue_packet_limit = 1000;
147 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
149 static gchar *sig_pipe_name = NULL;
150 static HANDLE sig_pipe_handle = NULL;
151 static gboolean signal_pipe_check_running(void);
155 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
156 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
159 /** Stop a low-level capture (stops the capture child). */
160 static void capture_loop_stop(void);
162 #if !defined (__linux__)
163 #ifndef HAVE_PCAP_BREAKLOOP
165 * We don't have pcap_breakloop(), which is the only way to ensure that
166 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
167 * won't, if the call to read the next packet or batch of packets is
168 * is interrupted by a signal on UN*X, just go back and try again to
171 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
172 * the signal handler, set a flag to stop capturing; however, without
173 * a guarantee of that sort, we can't guarantee that we'll stop capturing
174 * if the read will be retried and won't time out if no packets arrive.
176 * Therefore, on at least some platforms, we work around the lack of
177 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
178 * to wait for packets to arrive, so that we're probably going to be
179 * blocked in the select() when the signal arrives, and can just bail
180 * out of the loop at that point.
182 * However, we don't want to do that on BSD (because "select()" doesn't work
183 * correctly on BPF devices on at least some releases of some flavors of
184 * BSD), and we don't want to do it on Windows (because "select()" is
185 * something for sockets, not for arbitrary handles). (Note that "Windows"
186 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
187 * using WinPcap, not a UNIX libpcap.)
189 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
190 * on BSD times out even if no packets have arrived, so we'll eventually
191 * exit pcap_dispatch() with an indication that no packets have arrived,
192 * and will break out of the capture loop at that point.
194 * On Windows, we can't send a SIGINT to stop capturing, so none of this
195 * applies in any case.
197 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
198 * want to include it if it's not present on this platform, however.
200 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
201 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
203 # define MUST_DO_SELECT
204 # endif /* avoid select */
205 #endif /* HAVE_PCAP_BREAKLOOP */
207 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
208 * in pcap_dispatch(); on the other hand, select() works just fine there.
209 * Hence we use a select for that come what may.
211 #define MUST_DO_SELECT
214 /** init the capture filter */
217 INITFILTER_BAD_FILTER,
218 INITFILTER_OTHER_ERROR
219 } initfilter_status_t;
221 typedef struct _pcap_queue_element {
223 struct pcap_pkthdr phdr;
225 } pcap_queue_element;
227 typedef struct _pcap_options {
231 #ifdef MUST_DO_SELECT
232 int pcap_fd; /* pcap file descriptor */
239 /* capture pipe (unix only "input file") */
240 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
241 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
242 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
244 HANDLE cap_pipe_h; /* The handle of the capture pipe */
246 int cap_pipe_fd; /* the file descriptor of the capture pipe */
248 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
249 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
251 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
252 #endif /* USE_THREADS */
253 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
254 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
256 STATE_EXPECT_REC_HDR,
261 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 GMutex *cap_pipe_read_mtx;
264 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
268 typedef struct _loop_data {
270 gboolean go; /* TRUE as long as we're supposed to keep capturing */
271 int err; /* if non-zero, error seen while capturing */
272 gint packet_count; /* Number of packets we have already captured */
273 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
274 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
276 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
283 guint32 autostop_files;
287 * Standard secondary message for unexpected errors.
289 static const char please_report[] =
290 "Please report this to the Wireshark developers.\n"
291 "(This is not a crash; please do not report it as such.)";
294 * This needs to be static, so that the SIGINT handler can clear the "go"
297 static loop_data global_ld;
301 * Timeout, in milliseconds, for reads from the stream of captured packets
302 * from a capture device.
304 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
305 * 64-bit applications, with sub-second timeouts not to work. The bug is
306 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
308 #if defined(__APPLE__) && defined(__LP64__)
309 static gboolean need_timeout_workaround;
311 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
313 #define CAP_READ_TIMEOUT 250
317 * Timeout, in microseconds, for reads from the stream of captured packets
318 * from a pipe. Pipes don't have the same problem that BPF devices do
319 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
320 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
321 * of the offending versions of Snow Leopard.
323 * On Windows this value is converted to milliseconds and passed to
324 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
325 * will return immediately.
328 #define PIPE_READ_TIMEOUT 250000
330 #define PIPE_READ_TIMEOUT 100000
332 static const char *cap_pipe_err_str;
334 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
337 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
338 const char *message, gpointer user_data _U_);
340 /* capture related options */
341 static capture_options global_capture_opts;
342 static gboolean quiet = FALSE;
343 static gboolean use_threads = FALSE;
345 static void capture_loop_write_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
347 static void capture_loop_queue_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
349 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
350 int err, gboolean is_close);
352 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
354 static void report_new_capture_file(const char *filename);
355 static void report_packet_count(int packet_count);
356 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
357 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
358 static void report_cfilter_error(const char *cfilter, const char *errmsg);
360 #define MSG_MAX_LENGTH 4096
363 print_usage(gboolean print_ver)
370 "Dumpcap " VERSION "%s\n"
371 "Capture network packets and dump them into a libpcap file.\n"
372 "See http://www.wireshark.org for more information.\n",
373 wireshark_svnversion);
377 fprintf(output, "\nUsage: dumpcap [options] ...\n");
378 fprintf(output, "\n");
379 fprintf(output, "Capture interface:\n");
380 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
381 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
382 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
383 fprintf(output, " -p don't capture in promiscuous mode\n");
384 #ifdef HAVE_PCAP_CREATE
385 fprintf(output, " -I capture in monitor mode, if available\n");
387 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
388 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
390 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
391 fprintf(output, " -D print list of interfaces and exit\n");
392 fprintf(output, " -L print list of link-layer types of iface and exit\n");
393 #ifdef HAVE_BPF_IMAGE
394 fprintf(output, " -d print generated BPF code for capture filter\n");
396 fprintf(output, " -S print statistics for each interface once every second\n");
397 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
398 fprintf(output, "\n");
399 #ifdef HAVE_PCAP_REMOTE
400 fprintf(output, "\nRPCAP options:\n");
401 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
402 fprintf(output, " -u use UDP for RPCAP data transfer\n");
403 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
404 #ifdef HAVE_PCAP_SETSAMPLING
405 fprintf(output, " -m <sampling type> use packet sampling\n");
406 fprintf(output, " count:NUM - capture one packet of every NUM\n");
407 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
410 fprintf(output, "Stop conditions:\n");
411 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
412 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
413 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
414 fprintf(output, " files:NUM - stop after NUM files\n");
415 /*fprintf(output, "\n");*/
416 fprintf(output, "Output (files):\n");
417 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
418 fprintf(output, " -g enable group read access on the output file(s)\n");
419 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
420 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
421 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
422 fprintf(output, " -n use pcapng format instead of pcap\n");
423 /*fprintf(output, "\n");*/
424 fprintf(output, "Miscellaneous:\n");
425 fprintf(output, " -t use a separate thread per interface\n");
426 fprintf(output, " -q don't report packet capture counts\n");
427 fprintf(output, " -v print version information and exit\n");
428 fprintf(output, " -h display this help and exit\n");
429 fprintf(output, "\n");
430 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
431 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
432 fprintf(output, "\n");
433 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
437 show_version(GString *comp_info_str, GString *runtime_info_str)
440 "Dumpcap " VERSION "%s\n"
445 "See http://www.wireshark.org for more information.\n",
446 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
450 * Print to the standard error. This is a command-line tool, so there's
451 * no need to pop up a console.
454 vfprintf_stderr(const char *fmt, va_list ap)
456 vfprintf(stderr, fmt, ap);
460 fprintf_stderr(const char *fmt, ...)
465 vfprintf_stderr(fmt, ap);
470 * Report an error in command-line arguments.
473 cmdarg_err(const char *fmt, ...)
479 /* Generate a 'special format' message back to parent */
481 msg = g_strdup_vprintf(fmt, ap);
482 sync_pipe_errmsg_to_parent(2, msg, "");
487 fprintf(stderr, "dumpcap: ");
488 vfprintf(stderr, fmt, ap);
489 fprintf(stderr, "\n");
495 * Report additional information for an error in command-line arguments.
498 cmdarg_err_cont(const char *fmt, ...)
505 msg = g_strdup_vprintf(fmt, ap);
506 sync_pipe_errmsg_to_parent(2, msg, "");
511 vfprintf(stderr, fmt, ap);
512 fprintf(stderr, "\n");
519 #if 0 /* Set to enable capability debugging */
520 /* see 'man cap_to_text()' for explanation of output */
521 /* '=' means 'all= ' ie: no capabilities */
522 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
524 print_caps(const char *pfx) {
525 cap_t caps = cap_get_proc();
526 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
527 "%s: EUID: %d Capabilities: %s", pfx,
528 geteuid(), cap_to_text(caps, NULL));
531 print_caps(const char *pfx _U_) {
536 relinquish_all_capabilities(void)
538 /* Drop any and all capabilities this process may have. */
539 /* Allowed whether or not process has any privileges. */
540 cap_t caps = cap_init(); /* all capabilities initialized to off */
541 print_caps("Pre-clear");
542 if (cap_set_proc(caps)) {
543 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
545 print_caps("Post-clear");
551 open_capture_device(interface_options *interface_opts,
552 char (*open_err_str)[PCAP_ERRBUF_SIZE])
555 #ifdef HAVE_PCAP_CREATE
558 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
559 struct pcap_rmtauth auth;
562 /* Open the network interface to capture from it.
563 Some versions of libpcap may put warnings into the error buffer
564 if they succeed; to tell if that's happened, we have to clear
565 the error buffer, and check if it's still a null string. */
566 (*open_err_str)[0] = '\0';
567 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
569 * If we're opening a remote device, use pcap_open(); that's currently
570 * the only open routine that supports remote devices.
572 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
573 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
574 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
575 auth.username = interface_opts->auth_username;
576 auth.password = interface_opts->auth_password;
578 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
580 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
581 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
582 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
583 CAP_READ_TIMEOUT, &auth, *open_err_str);
588 * If we're not opening a remote device, use pcap_create() and
589 * pcap_activate() if we have them, so that we can set the buffer
590 * size, otherwise use pcap_open_live().
592 #ifdef HAVE_PCAP_CREATE
593 pcap_h = pcap_create(interface_opts->name, *open_err_str);
594 if (pcap_h != NULL) {
595 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
596 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
597 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
599 if (interface_opts->buffer_size > 1) {
600 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
602 if (interface_opts->monitor_mode)
603 pcap_set_rfmon(pcap_h, 1);
604 err = pcap_activate(pcap_h);
606 /* Failed to activate, set to NULL */
607 if (err == PCAP_ERROR)
608 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
610 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
616 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
617 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
625 get_capture_device_open_failure_messages(const char *open_err_str,
631 char *errmsg, size_t errmsg_len,
632 char *secondary_errmsg,
633 size_t secondary_errmsg_len)
635 const char *libpcap_warn;
636 static const char ppamsg[] = "can't find PPA for ";
638 /* If we got a "can't find PPA for X" message, warn the user (who
639 is running dumcap on HP-UX) that they don't have a version of
640 libpcap that properly handles HP-UX (libpcap 0.6.x and later
641 versions, which properly handle HP-UX, say "can't find /dev/dlpi
642 PPA for X" rather than "can't find PPA for X"). */
643 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
646 "You are running (T)Wireshark with a version of the libpcap library\n"
647 "that doesn't handle HP-UX network devices well; this means that\n"
648 "(T)Wireshark may not be able to capture packets.\n"
650 "To fix this, you should install libpcap 0.6.2, or a later version\n"
651 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
652 "packaged binary form from the Software Porting And Archive Centre\n"
653 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
654 "at the URL lists a number of mirror sites.";
657 g_snprintf(errmsg, (gulong) errmsg_len,
658 "The capture session could not be initiated (%s).", open_err_str);
660 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
661 "Please check to make sure you have sufficient permissions, and that you have "
662 "the proper interface or pipe specified.%s", libpcap_warn);
664 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
666 "Please check that \"%s\" is the proper interface.\n"
669 "Help can be found at:\n"
671 " http://wiki.wireshark.org/WinPcap\n"
672 " http://wiki.wireshark.org/CaptureSetup\n",
677 /* Set the data link type on a pcap. */
679 set_pcap_linktype(pcap_t *pcap_h, int linktype,
680 #ifdef HAVE_PCAP_SET_DATALINK
685 char *errmsg, size_t errmsg_len,
686 char *secondary_errmsg, size_t secondary_errmsg_len)
688 char *set_linktype_err_str;
691 return TRUE; /* just use the default */
692 #ifdef HAVE_PCAP_SET_DATALINK
693 if (pcap_set_datalink(pcap_h, linktype) == 0)
694 return TRUE; /* no error */
695 set_linktype_err_str = pcap_geterr(pcap_h);
697 /* Let them set it to the type it is; reject any other request. */
698 if (get_pcap_linktype(pcap_h, name) == linktype)
699 return TRUE; /* no error */
700 set_linktype_err_str =
701 "That DLT isn't one of the DLTs supported by this device";
703 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
704 set_linktype_err_str);
706 * If the error isn't "XXX is not one of the DLTs supported by this device",
707 * tell the user to tell the Wireshark developers about it.
709 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
710 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
712 secondary_errmsg[0] = '\0';
717 compile_capture_filter(const char *iface, pcap_t *pcap_h,
718 struct bpf_program *fcode, char *cfilter)
720 bpf_u_int32 netnum, netmask;
721 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
723 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
725 * Well, we can't get the netmask for this interface; it's used
726 * only for filters that check for broadcast IP addresses, so
727 * we just punt and use 0. It might be nice to warn the user,
728 * but that's a pain in a GUI application, as it'd involve popping
729 * up a message box, and it's not clear how often this would make
730 * a difference (only filters that check for IP broadcast addresses
734 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
737 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
742 #ifdef HAVE_BPF_IMAGE
744 show_filter_code(capture_options *capture_opts)
746 interface_options interface_opts;
748 gchar open_err_str[PCAP_ERRBUF_SIZE];
749 char errmsg[MSG_MAX_LENGTH+1];
750 char secondary_errmsg[MSG_MAX_LENGTH+1];
751 struct bpf_program fcode;
752 struct bpf_insn *insn;
756 for (j = 0; j < capture_opts->ifaces->len; j++) {
757 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
758 pcap_h = open_capture_device(&interface_opts, &open_err_str);
759 if (pcap_h == NULL) {
760 /* Open failed; get messages */
761 get_capture_device_open_failure_messages(open_err_str,
763 errmsg, sizeof errmsg,
765 sizeof secondary_errmsg);
766 /* And report them */
767 report_capture_error(errmsg, secondary_errmsg);
771 /* Set the link-layer type. */
772 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
773 errmsg, sizeof errmsg,
774 secondary_errmsg, sizeof secondary_errmsg)) {
776 report_capture_error(errmsg, secondary_errmsg);
780 /* OK, try to compile the capture filter. */
781 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
782 interface_opts.cfilter)) {
784 report_cfilter_error(interface_opts.cfilter, errmsg);
789 /* Now print the filter code. */
790 insn = fcode.bf_insns;
792 for (i = 0; i < fcode.bf_len; insn++, i++)
793 printf("%s\n", bpf_image(insn, i));
795 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
796 /* to remove any suid privileges. */
797 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
798 /* (euid/egid have already previously been set to ruid/rgid. */
799 /* (See comment in main() for details) */
801 relinquish_special_privs_perm();
803 relinquish_all_capabilities();
806 /* Let our parent know we succeeded. */
807 pipe_write_block(2, SP_SUCCESS, NULL);
814 * capture_interface_list() is expected to do the right thing to get
815 * a list of interfaces.
817 * In most of the programs in the Wireshark suite, "the right thing"
818 * is to run dumpcap and ask it for the list, because dumpcap may
819 * be the only program in the suite with enough privileges to get
822 * In dumpcap itself, however, we obviously can't run dumpcap to
823 * ask for the list. Therefore, our capture_interface_list() should
824 * just call get_interface_list().
827 capture_interface_list(int *err, char **err_str)
829 return get_interface_list(err, err_str);
833 * Get the data-link type for a libpcap device.
834 * This works around AIX 5.x's non-standard and incompatible-with-the-
835 * rest-of-the-universe libpcap.
838 get_pcap_linktype(pcap_t *pch, const char *devname
846 const char *ifacename;
849 linktype = pcap_datalink(pch);
853 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
854 * rather than DLT_ values for link-layer types; the ifType values
855 * for LAN devices are:
862 * and the ifType value for a loopback device is 24.
864 * The AIX names for LAN devices begin with:
871 * and the AIX names for loopback devices begin with "lo".
873 * (The difference between "Ethernet" and "802.3" is presumably
874 * whether packets have an Ethernet header, with a packet type,
875 * or an 802.3 header, with a packet length, followed by an 802.2
876 * header and possibly a SNAP header.)
878 * If the device name matches "linktype" interpreted as an ifType
879 * value, rather than as a DLT_ value, we will assume this is AIX's
880 * non-standard, incompatible libpcap, rather than a standard libpcap,
881 * and will map the link-layer type to the standard DLT_ value for
882 * that link-layer type, as that's what the rest of Wireshark expects.
884 * (This means the capture files won't be readable by a tcpdump
885 * linked with AIX's non-standard libpcap, but so it goes. They
886 * *will* be readable by standard versions of tcpdump, Wireshark,
889 * XXX - if we conclude we're using AIX libpcap, should we also
890 * set a flag to cause us to assume the time stamps are in
891 * seconds-and-nanoseconds form, and to convert them to
892 * seconds-and-microseconds form before processing them and
897 * Find the last component of the device name, which is the
900 ifacename = strchr(devname, '/');
901 if (ifacename == NULL)
904 /* See if it matches any of the LAN device names. */
905 if (strncmp(ifacename, "en", 2) == 0) {
908 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
912 } else if (strncmp(ifacename, "et", 2) == 0) {
915 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
916 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
921 } else if (strncmp(ifacename, "tr", 2) == 0) {
924 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
925 * DLT_IEEE802, which is what's used for Token Ring.
929 } else if (strncmp(ifacename, "fi", 2) == 0) {
930 if (linktype == 15) {
932 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
936 } else if (strncmp(ifacename, "lo", 2) == 0) {
937 if (linktype == 24) {
939 * That's the RFC 1573 value for "software loopback" devices; map it
940 * to DLT_NULL, which is what's used for loopback devices on BSD.
950 static data_link_info_t *
951 create_data_link_info(int dlt)
953 data_link_info_t *data_link_info;
956 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
957 data_link_info->dlt = dlt;
958 text = pcap_datalink_val_to_name(dlt);
960 data_link_info->name = g_strdup(text);
962 data_link_info->name = g_strdup_printf("DLT %d", dlt);
963 text = pcap_datalink_val_to_description(dlt);
965 data_link_info->description = g_strdup(text);
967 data_link_info->description = NULL;
968 return data_link_info;
972 * Get the capabilities of a network device.
974 static if_capabilities_t *
975 get_if_capabilities(const char *devname, gboolean monitor_mode
976 #ifndef HAVE_PCAP_CREATE
981 if_capabilities_t *caps;
982 char errbuf[PCAP_ERRBUF_SIZE];
984 #ifdef HAVE_PCAP_CREATE
988 #ifdef HAVE_PCAP_LIST_DATALINKS
992 data_link_info_t *data_link_info;
995 * Allocate the interface capabilities structure.
997 caps = g_malloc(sizeof *caps);
999 #ifdef HAVE_PCAP_OPEN
1000 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1001 caps->can_set_rfmon = FALSE;
1003 if (err_str != NULL)
1004 *err_str = g_strdup(errbuf);
1008 #elif defined(HAVE_PCAP_CREATE)
1009 pch = pcap_create(devname, errbuf);
1011 if (err_str != NULL)
1012 *err_str = g_strdup(errbuf);
1016 status = pcap_can_set_rfmon(pch);
1019 if (status == PCAP_ERROR)
1020 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1023 *err_str = g_strdup(pcap_statustostr(status));
1029 caps->can_set_rfmon = FALSE;
1030 else if (status == 1) {
1031 caps->can_set_rfmon = TRUE;
1033 pcap_set_rfmon(pch, 1);
1035 if (err_str != NULL) {
1036 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1044 status = pcap_activate(pch);
1046 /* Error. We ignore warnings (status > 0). */
1047 if (err_str != NULL) {
1048 if (status == PCAP_ERROR)
1049 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1052 *err_str = g_strdup(pcap_statustostr(status));
1059 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1060 caps->can_set_rfmon = FALSE;
1062 if (err_str != NULL)
1063 *err_str = g_strdup(errbuf);
1068 deflt = get_pcap_linktype(pch, devname);
1069 #ifdef HAVE_PCAP_LIST_DATALINKS
1070 nlt = pcap_list_datalinks(pch, &linktypes);
1071 if (nlt == 0 || linktypes == NULL) {
1073 if (err_str != NULL)
1074 *err_str = NULL; /* an empty list doesn't mean an error */
1077 caps->data_link_types = NULL;
1078 for (i = 0; i < nlt; i++) {
1079 data_link_info = create_data_link_info(linktypes[i]);
1082 * XXX - for 802.11, make the most detailed 802.11
1083 * version the default, rather than the one the
1084 * device has as the default?
1086 if (linktypes[i] == deflt)
1087 caps->data_link_types = g_list_prepend(caps->data_link_types,
1090 caps->data_link_types = g_list_append(caps->data_link_types,
1093 #ifdef HAVE_PCAP_FREE_DATALINKS
1094 pcap_free_datalinks(linktypes);
1097 * In Windows, there's no guarantee that if you have a library
1098 * built with one version of the MSVC++ run-time library, and
1099 * it returns a pointer to allocated data, you can free that
1100 * data from a program linked with another version of the
1101 * MSVC++ run-time library.
1103 * This is not an issue on UN*X.
1105 * See the mail threads starting at
1107 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1111 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1114 #define xx_free free /* hack so checkAPIs doesn't complain */
1117 #endif /* HAVE_PCAP_FREE_DATALINKS */
1118 #else /* HAVE_PCAP_LIST_DATALINKS */
1120 data_link_info = create_data_link_info(deflt);
1121 caps->data_link_types = g_list_append(caps->data_link_types,
1123 #endif /* HAVE_PCAP_LIST_DATALINKS */
1127 if (err_str != NULL)
1132 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1134 print_machine_readable_interfaces(GList *if_list)
1141 char addr_str[ADDRSTRLEN];
1143 if (capture_child) {
1144 /* Let our parent know we succeeded. */
1145 pipe_write_block(2, SP_SUCCESS, NULL);
1148 i = 1; /* Interface id number */
1149 for (if_entry = g_list_first(if_list); if_entry != NULL;
1150 if_entry = g_list_next(if_entry)) {
1151 if_info = (if_info_t *)if_entry->data;
1152 printf("%d. %s", i++, if_info->name);
1155 * Print the contents of the if_entry struct in a parseable format.
1156 * Each if_entry element is tab-separated. Addresses are comma-
1159 /* XXX - Make sure our description doesn't contain a tab */
1160 if (if_info->description != NULL)
1161 printf("\t%s\t", if_info->description);
1165 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1166 addr = g_slist_next(addr)) {
1167 if (addr != g_slist_nth(if_info->addrs, 0))
1170 if_addr = (if_addr_t *)addr->data;
1171 switch(if_addr->ifat_type) {
1173 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1175 printf("%s", addr_str);
1177 printf("<unknown IPv4>");
1181 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1182 addr_str, ADDRSTRLEN)) {
1183 printf("%s", addr_str);
1185 printf("<unknown IPv6>");
1189 printf("<type unknown %u>", if_addr->ifat_type);
1193 if (if_info->loopback)
1194 printf("\tloopback");
1196 printf("\tnetwork");
1203 * If you change the machine-readable output format of this function,
1204 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1207 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1210 data_link_info_t *data_link_info;
1211 const gchar *desc_str;
1213 if (capture_child) {
1214 /* Let our parent know we succeeded. */
1215 pipe_write_block(2, SP_SUCCESS, NULL);
1218 if (caps->can_set_rfmon)
1222 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1223 lt_entry = g_list_next(lt_entry)) {
1224 data_link_info = (data_link_info_t *)lt_entry->data;
1225 if (data_link_info->description != NULL)
1226 desc_str = data_link_info->description;
1228 desc_str = "(not supported)";
1229 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1239 /* Print the number of packets captured for each interface until we're killed. */
1241 print_statistics_loop(gboolean machine_readable)
1243 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1249 char errbuf[PCAP_ERRBUF_SIZE];
1250 struct pcap_stat ps;
1252 if_list = get_interface_list(&err, &err_str);
1253 if (if_list == NULL) {
1255 case CANT_GET_INTERFACE_LIST:
1256 cmdarg_err("%s", err_str);
1260 case NO_INTERFACES_FOUND:
1261 cmdarg_err("There are no interfaces on which a capture can be done");
1267 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1268 if_info = (if_info_t *)if_entry->data;
1269 #ifdef HAVE_PCAP_OPEN
1270 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1272 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1276 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1277 if_stat->name = g_strdup(if_info->name);
1279 stat_list = g_list_append(stat_list, if_stat);
1284 cmdarg_err("There are no interfaces on which a capture can be done");
1288 if (capture_child) {
1289 /* Let our parent know we succeeded. */
1290 pipe_write_block(2, SP_SUCCESS, NULL);
1293 if (!machine_readable) {
1294 printf("%-15s %10s %10s\n", "Interface", "Received",
1298 global_ld.go = TRUE;
1299 while (global_ld.go) {
1300 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1301 if_stat = (if_stat_t *)stat_entry->data;
1302 pcap_stats(if_stat->pch, &ps);
1304 if (!machine_readable) {
1305 printf("%-15s %10u %10u\n", if_stat->name,
1306 ps.ps_recv, ps.ps_drop);
1308 printf("%s\t%u\t%u\n", if_stat->name,
1309 ps.ps_recv, ps.ps_drop);
1320 /* XXX - Not reached. Should we look for 'q' in stdin? */
1321 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1322 if_stat = (if_stat_t *)stat_entry->data;
1323 pcap_close(if_stat->pch);
1324 g_free(if_stat->name);
1327 g_list_free(stat_list);
1328 free_interface_list(if_list);
1336 capture_cleanup_handler(DWORD dwCtrlType)
1338 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1339 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1340 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1341 like SIGTERM at least when the machine's shutting down.
1343 For now, if we're running as a command rather than a capture child,
1344 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1345 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1346 in that way on UN*X.
1348 If we're not running as a capture child, we might be running as
1349 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1350 user logs out. (XXX - can we explicitly check whether we're
1351 running as a service?) */
1353 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1354 "Console: Control signal");
1355 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1356 "Console: Control signal, CtrlType: %u", dwCtrlType);
1358 /* Keep capture running if we're a service and a user logs off */
1359 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1360 capture_loop_stop();
1368 capture_cleanup_handler(int signum _U_)
1370 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1371 SIGTERM. We assume that if the user wanted it to keep running
1372 after they logged out, they'd have nohupped it. */
1374 /* Note: don't call g_log() in the signal handler: if we happened to be in
1375 * g_log() in process context when the signal came in, g_log will detect
1376 * the "recursion" and abort.
1379 capture_loop_stop();
1385 report_capture_count(gboolean reportit)
1387 /* Don't print this if we're a capture child. */
1388 if (!capture_child && reportit) {
1389 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1390 /* stderr could be line buffered */
1398 report_counts_for_siginfo(void)
1400 report_capture_count(quiet);
1401 infoprint = FALSE; /* we just reported it */
1405 report_counts_siginfo(int signum _U_)
1407 int sav_errno = errno;
1409 /* If we've been told to delay printing, just set a flag asking
1410 that we print counts (if we're supposed to), otherwise print
1411 the count of packets captured (if we're supposed to). */
1415 report_counts_for_siginfo();
1418 #endif /* SIGINFO */
1421 exit_main(int status)
1424 /* Shutdown windows sockets */
1427 /* can be helpful for debugging */
1428 #ifdef DEBUG_DUMPCAP
1429 printf("Press any key\n");
1440 * If we were linked with libcap (not libpcap), make sure we have
1441 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1442 * (See comment in main() for details)
1445 relinquish_privs_except_capture(void)
1447 /* If 'started_with_special_privs' (ie: suid) then enable for
1448 * ourself the NET_ADMIN and NET_RAW capabilities and then
1449 * drop our suid privileges.
1451 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1452 * stuff we don't need (and shouldn't have).
1453 * CAP_NET_RAW: Packet capture (raw sockets).
1456 if (started_with_special_privs()) {
1457 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1458 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1460 cap_t caps = cap_init(); /* all capabilities initialized to off */
1462 print_caps("Pre drop, pre set");
1464 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1465 cmdarg_err("prctl() fail return: %s", strerror(errno));
1468 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1469 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1471 if (cap_set_proc(caps)) {
1472 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1474 print_caps("Pre drop, post set");
1476 relinquish_special_privs_perm();
1478 print_caps("Post drop, pre set");
1479 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1480 if (cap_set_proc(caps)) {
1481 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1483 print_caps("Post drop, post set");
1489 #endif /* HAVE_LIBCAP */
1491 /* Take care of byte order in the libpcap headers read from pipes.
1492 * (function taken from wiretap/libpcap.c) */
1494 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1497 /* Byte-swap the record header fields. */
1498 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1499 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1500 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1501 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1504 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1505 swapped, in order to match the BPF header layout.
1507 Unfortunately, some files were, according to a comment in the "libpcap"
1508 source, written with version 2.3 in their headers but without the
1509 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1510 would make no sense - we assume that we need to swap them. */
1511 if (hdr->version_major == 2 &&
1512 (hdr->version_minor < 3 ||
1513 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1516 temp = rechdr->orig_len;
1517 rechdr->orig_len = rechdr->incl_len;
1518 rechdr->incl_len = temp;
1524 * Thread function that reads from a pipe and pushes the data
1525 * to the main application thread.
1528 * XXX Right now we use async queues for basic signaling. The main thread
1529 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1530 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1531 * Iff the read is successful cap_pipe_read pushes an item onto
1532 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1533 * the queues themselves (yet).
1535 * We might want to move some of the cap_pipe_dispatch logic here so that
1536 * we can let cap_pipe_read run independently, queuing up multiple reads
1537 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1539 static void *cap_pipe_read(void *arg)
1541 pcap_options *pcap_opts;
1550 pcap_opts = (pcap_options *)arg;
1551 while (pcap_opts->cap_pipe_err == PIPOK) {
1552 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1553 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1555 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1557 /* If we try to use read() on a named pipe on Windows with partial
1558 * data it appears to return EOF.
1560 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1561 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1566 last_err = GetLastError();
1567 if (last_err == ERROR_MORE_DATA) {
1569 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1570 pcap_opts->cap_pipe_err = PIPEOF;
1574 pcap_opts->cap_pipe_err = PIPERR;
1577 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1578 pcap_opts->cap_pipe_err = PIPEOF;
1583 b = read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1584 pcap_opts->cap_pipe_bytes_to_read - bytes_read);
1587 pcap_opts->cap_pipe_err = PIPEOF;
1591 pcap_opts->cap_pipe_err = PIPERR;
1600 pcap_opts->cap_pipe_bytes_read = bytes_read;
1601 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1602 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1604 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1608 #endif /* USE_THREADS */
1610 /* Provide select() functionality for a single file descriptor
1611 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1613 * Returns the same values as select. If an error is returned,
1614 * the string cap_pipe_err_str should be used instead of errno.
1617 cap_pipe_select(int pipe_fd)
1620 struct timeval timeout;
1623 cap_pipe_err_str = "Unknown error";
1626 FD_SET(pipe_fd, &rfds);
1628 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1629 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1631 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1633 cap_pipe_err_str = strerror(errno);
1638 /* Mimic pcap_open_live() for pipe captures
1640 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1641 * open it, and read the header.
1643 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1644 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1646 cap_pipe_open_live(char *pipename,
1647 pcap_options *pcap_opts,
1648 struct pcap_hdr *hdr,
1649 char *errmsg, int errmsgl)
1652 ws_statb64 pipe_stat;
1653 struct sockaddr_un sa;
1664 unsigned int bytes_read;
1669 pcap_opts->cap_pipe_fd = -1;
1671 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1673 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1676 * XXX - this blocks until a pcap per-file header has been written to
1677 * the pipe, so it could block indefinitely.
1679 if (strcmp(pipename, "-") == 0) {
1681 fd = 0; /* read from stdin */
1683 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1687 if (ws_stat64(pipename, &pipe_stat) < 0) {
1688 if (errno == ENOENT || errno == ENOTDIR)
1689 pcap_opts->cap_pipe_err = PIPNEXIST;
1691 g_snprintf(errmsg, errmsgl,
1692 "The capture session could not be initiated "
1693 "due to error getting information on pipe/socket: %s", strerror(errno));
1694 pcap_opts->cap_pipe_err = PIPERR;
1698 if (S_ISFIFO(pipe_stat.st_mode)) {
1699 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1701 g_snprintf(errmsg, errmsgl,
1702 "The capture session could not be initiated "
1703 "due to error on pipe open: %s", strerror(errno));
1704 pcap_opts->cap_pipe_err = PIPERR;
1707 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1708 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1710 g_snprintf(errmsg, errmsgl,
1711 "The capture session could not be initiated "
1712 "due to error on socket create: %s", strerror(errno));
1713 pcap_opts->cap_pipe_err = PIPERR;
1716 sa.sun_family = AF_UNIX;
1718 * The Single UNIX Specification says:
1720 * The size of sun_path has intentionally been left undefined.
1721 * This is because different implementations use different sizes.
1722 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1723 * of 104. Since most implementations originate from BSD versions,
1724 * the size is typically in the range 92 to 108.
1726 * Applications should not assume a particular length for sun_path
1727 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1731 * The <sys/un.h> header shall define the sockaddr_un structure,
1732 * which shall include at least the following members:
1734 * sa_family_t sun_family Address family.
1735 * char sun_path[] Socket pathname.
1737 * so we assume that it's an array, with a specified size,
1738 * and that the size reflects the maximum path length.
1740 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1741 /* Path name too long */
1742 g_snprintf(errmsg, errmsgl,
1743 "The capture session coud not be initiated "
1744 "due to error on socket connect: Path name too long");
1745 pcap_opts->cap_pipe_err = PIPERR;
1748 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1750 g_snprintf(errmsg, errmsgl,
1751 "The capture session coud not be initiated "
1752 "due to error on socket connect: %s", strerror(errno));
1753 pcap_opts->cap_pipe_err = PIPERR;
1757 if (S_ISCHR(pipe_stat.st_mode)) {
1759 * Assume the user specified an interface on a system where
1760 * interfaces are in /dev. Pretend we haven't seen it.
1762 pcap_opts->cap_pipe_err = PIPNEXIST;
1765 g_snprintf(errmsg, errmsgl,
1766 "The capture session could not be initiated because\n"
1767 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1768 pcap_opts->cap_pipe_err = PIPERR;
1773 #define PIPE_STR "\\pipe\\"
1774 /* Under Windows, named pipes _must_ have the form
1775 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1777 pncopy = g_strdup(pipename);
1778 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1779 pos = strchr(pncopy + 3, '\\');
1780 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1787 g_snprintf(errmsg, errmsgl,
1788 "The capture session could not be initiated because\n"
1789 "\"%s\" is neither an interface nor a pipe", pipename);
1790 pcap_opts->cap_pipe_err = PIPNEXIST;
1794 /* Wait for the pipe to appear */
1796 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1797 OPEN_EXISTING, 0, NULL);
1799 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1802 if (GetLastError() != ERROR_PIPE_BUSY) {
1803 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1804 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1805 g_snprintf(errmsg, errmsgl,
1806 "The capture session on \"%s\" could not be started "
1807 "due to error on pipe open: %s (error %d)",
1808 pipename, utf_16to8(err_str), GetLastError());
1810 pcap_opts->cap_pipe_err = PIPERR;
1814 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1815 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1816 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1817 g_snprintf(errmsg, errmsgl,
1818 "The capture session on \"%s\" timed out during "
1819 "pipe open: %s (error %d)",
1820 pipename, utf_16to8(err_str), GetLastError());
1822 pcap_opts->cap_pipe_err = PIPERR;
1829 pcap_opts->from_cap_pipe = TRUE;
1832 /* read the pcap header */
1834 while (bytes_read < sizeof magic) {
1835 sel_ret = cap_pipe_select(fd);
1837 g_snprintf(errmsg, errmsgl,
1838 "Unexpected error from select: %s", strerror(errno));
1840 } else if (sel_ret > 0) {
1841 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1844 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1846 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1853 #else /* USE_THREADS */
1854 g_thread_create(&cap_pipe_read, pcap_opts, FALSE, NULL);
1856 pcap_opts->cap_pipe_buf = (char *) &magic;
1857 pcap_opts->cap_pipe_bytes_read = 0;
1858 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1859 /* We don't have to worry about cap_pipe_read_mtx here */
1860 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1861 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1862 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1863 if (pcap_opts->cap_pipe_bytes_read == 0)
1864 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1866 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1871 #endif /* USE_THREADS */
1875 /* Host that wrote it has our byte order, and was running
1876 a program using either standard or ss990417 libpcap. */
1877 pcap_opts->cap_pipe_byte_swapped = FALSE;
1878 pcap_opts->cap_pipe_modified = FALSE;
1880 case PCAP_MODIFIED_MAGIC:
1881 /* Host that wrote it has our byte order, but was running
1882 a program using either ss990915 or ss991029 libpcap. */
1883 pcap_opts->cap_pipe_byte_swapped = FALSE;
1884 pcap_opts->cap_pipe_modified = TRUE;
1886 case PCAP_SWAPPED_MAGIC:
1887 /* Host that wrote it has a byte order opposite to ours,
1888 and was running a program using either standard or
1889 ss990417 libpcap. */
1890 pcap_opts->cap_pipe_byte_swapped = TRUE;
1891 pcap_opts->cap_pipe_modified = FALSE;
1893 case PCAP_SWAPPED_MODIFIED_MAGIC:
1894 /* Host that wrote it out has a byte order opposite to
1895 ours, and was running a program using either ss990915
1896 or ss991029 libpcap. */
1897 pcap_opts->cap_pipe_byte_swapped = TRUE;
1898 pcap_opts->cap_pipe_modified = TRUE;
1901 /* Not a "libpcap" type we know about. */
1902 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1907 /* Read the rest of the header */
1909 while (bytes_read < sizeof(struct pcap_hdr)) {
1910 sel_ret = cap_pipe_select(fd);
1912 g_snprintf(errmsg, errmsgl,
1913 "Unexpected error from select: %s", strerror(errno));
1915 } else if (sel_ret > 0) {
1916 b = read(fd, ((char *)hdr)+bytes_read,
1917 sizeof(struct pcap_hdr) - bytes_read);
1920 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1922 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1929 #else /* USE_THREADS */
1930 pcap_opts->cap_pipe_buf = (char *) hdr;
1931 pcap_opts->cap_pipe_bytes_read = 0;
1932 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1933 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1934 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1935 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1936 if (pcap_opts->cap_pipe_bytes_read == 0)
1937 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1939 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1943 #endif /* USE_THREADS */
1945 if (pcap_opts->cap_pipe_byte_swapped) {
1946 /* Byte-swap the header fields about which we care. */
1947 hdr->version_major = BSWAP16(hdr->version_major);
1948 hdr->version_minor = BSWAP16(hdr->version_minor);
1949 hdr->snaplen = BSWAP32(hdr->snaplen);
1950 hdr->network = BSWAP32(hdr->network);
1952 pcap_opts->linktype = hdr->network;
1954 if (hdr->version_major < 2) {
1955 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1959 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
1960 pcap_opts->cap_pipe_err = PIPOK;
1962 pcap_opts->cap_pipe_fd = fd;
1967 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1968 pcap_opts->cap_pipe_err = PIPERR;
1971 pcap_opts->cap_pipe_fd = -1;
1978 /* We read one record from the pipe, take care of byte order in the record
1979 * header, write the record to the capture file, and update capture statistics. */
1981 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
1983 struct pcap_pkthdr phdr;
1984 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1996 #ifdef LOG_CAPTURE_VERBOSE
1997 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2000 switch (pcap_opts->cap_pipe_state) {
2002 case STATE_EXPECT_REC_HDR:
2004 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2007 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2008 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2009 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2010 pcap_opts->cap_pipe_bytes_read = 0;
2013 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2014 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2015 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2020 case STATE_READ_REC_HDR:
2022 b = read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2023 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2026 result = PD_PIPE_EOF;
2028 result = PD_PIPE_ERR;
2031 pcap_opts->cap_pipe_bytes_read += b;
2032 #else /* USE_THREADS */
2033 g_get_current_time(&wait_time);
2034 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2035 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2036 if (pcap_opts->cap_pipe_err == PIPEOF) {
2037 result = PD_PIPE_EOF;
2039 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2040 result = PD_PIPE_ERR;
2046 #endif /* USE_THREADS */
2047 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2049 result = PD_REC_HDR_READ;
2052 case STATE_EXPECT_DATA:
2054 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2057 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2058 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2059 pcap_opts->cap_pipe_bytes_read = 0;
2062 pcap_opts->cap_pipe_buf = (char *) data;
2063 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2064 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2069 case STATE_READ_DATA:
2071 b = read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2072 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2075 result = PD_PIPE_EOF;
2077 result = PD_PIPE_ERR;
2080 pcap_opts->cap_pipe_bytes_read += b;
2081 #else /* USE_THREADS */
2082 g_get_current_time(&wait_time);
2083 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2084 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2085 if (pcap_opts->cap_pipe_err == PIPEOF) {
2086 result = PD_PIPE_EOF;
2088 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2089 result = PD_PIPE_ERR;
2095 #endif /* USE_THREADS */
2096 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2098 result = PD_DATA_READ;
2102 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2105 } /* switch (ld->cap_pipe_state) */
2108 * We've now read as much data as we were expecting, so process it.
2112 case PD_REC_HDR_READ:
2113 /* We've read the header. Take care of byte order. */
2114 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2115 &pcap_opts->cap_pipe_rechdr.hdr);
2116 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2117 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2118 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2121 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2125 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2126 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2127 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2128 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2129 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2132 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2134 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2136 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2140 pcap_opts->cap_pipe_err = PIPEOF;
2145 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2146 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2147 g_snprintf(errmsg, errmsgl,
2148 "Error reading from pipe: %s (error %d)",
2149 utf_16to8(err_str), GetLastError());
2152 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2160 pcap_opts->cap_pipe_err = PIPERR;
2161 /* Return here rather than inside the switch to prevent GCC warning */
2166 /** Open the capture input file (pcap or capture pipe).
2167 * Returns TRUE if it succeeds, FALSE otherwise. */
2169 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2170 char *errmsg, size_t errmsg_len,
2171 char *secondary_errmsg, size_t secondary_errmsg_len)
2173 gchar open_err_str[PCAP_ERRBUF_SIZE];
2174 gchar *sync_msg_str;
2175 interface_options interface_opts;
2176 pcap_options *pcap_opts;
2180 gchar *sync_secondary_msg_str;
2181 WORD wVersionRequested;
2185 /* XXX - opening Winsock on tshark? */
2187 /* Initialize Windows Socket if we are in a WIN32 OS
2188 This needs to be done before querying the interface for network/netmask */
2190 /* XXX - do we really require 1.1 or earlier?
2191 Are there any versions that support only 2.0 or higher? */
2192 wVersionRequested = MAKEWORD(1, 1);
2193 err = WSAStartup(wVersionRequested, &wsaData);
2197 case WSASYSNOTREADY:
2198 g_snprintf(errmsg, (gulong) errmsg_len,
2199 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2202 case WSAVERNOTSUPPORTED:
2203 g_snprintf(errmsg, (gulong) errmsg_len,
2204 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2205 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2208 case WSAEINPROGRESS:
2209 g_snprintf(errmsg, (gulong) errmsg_len,
2210 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2214 g_snprintf(errmsg, (gulong) errmsg_len,
2215 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2219 g_snprintf(errmsg, (gulong) errmsg_len,
2220 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2224 g_snprintf(errmsg, (gulong) errmsg_len,
2225 "Couldn't initialize Windows Sockets: error %d", err);
2228 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2232 if ((use_threads == FALSE) &&
2233 (capture_opts->ifaces->len > 1)) {
2234 g_snprintf(errmsg, (gulong) errmsg_len,
2235 "Using threads is required for capturing on mulitple interfaces! Use the -t option.");
2239 for (i = 0; i < capture_opts->ifaces->len; i++) {
2240 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2241 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2242 if (pcap_opts == NULL) {
2243 g_snprintf(errmsg, (gulong) errmsg_len,
2244 "Could not allocate memory.");
2247 pcap_opts->received = 0;
2248 pcap_opts->dropped = 0;
2249 pcap_opts->pcap_h = NULL;
2250 #ifdef MUST_DO_SELECT
2251 pcap_opts->pcap_fd = -1;
2253 pcap_opts->pcap_err = FALSE;
2254 pcap_opts->interface_id = i;
2255 pcap_opts->tid = NULL;
2256 pcap_opts->snaplen = 0;
2257 pcap_opts->linktype = -1;
2258 pcap_opts->from_cap_pipe = FALSE;
2259 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2260 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2262 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2264 pcap_opts->cap_pipe_fd = -1;
2266 pcap_opts->cap_pipe_modified = FALSE;
2267 pcap_opts->cap_pipe_byte_swapped = FALSE;
2269 pcap_opts->cap_pipe_buf = NULL;
2270 #endif /* USE_THREADS */
2271 pcap_opts->cap_pipe_bytes_to_read = 0;
2272 pcap_opts->cap_pipe_bytes_read = 0;
2273 pcap_opts->cap_pipe_state = 0;
2274 pcap_opts->cap_pipe_err = PIPOK;
2276 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2277 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2278 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2280 g_array_append_val(ld->pcaps, pcap_opts);
2282 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2283 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2285 if (pcap_opts->pcap_h != NULL) {
2286 /* we've opened "iface" as a network device */
2288 /* try to set the capture buffer size */
2289 if (interface_opts.buffer_size > 1 &&
2290 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2291 sync_secondary_msg_str = g_strdup_printf(
2292 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2293 "the default of 1MB will be used.\n"
2295 "Nonetheless, the capture is started.\n",
2296 interface_opts.buffer_size);
2297 report_capture_error("Couldn't set the capture buffer size!",
2298 sync_secondary_msg_str);
2299 g_free(sync_secondary_msg_str);
2303 #if defined(HAVE_PCAP_SETSAMPLING)
2304 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2305 struct pcap_samp *samp;
2307 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2308 switch (interface_opts.sampling_method) {
2309 case CAPTURE_SAMP_BY_COUNT:
2310 samp->method = PCAP_SAMP_1_EVERY_N;
2313 case CAPTURE_SAMP_BY_TIMER:
2314 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2318 sync_msg_str = g_strdup_printf(
2319 "Unknown sampling method %d specified,\n"
2320 "continue without packet sampling",
2321 interface_opts.sampling_method);
2322 report_capture_error("Couldn't set the capture "
2323 "sampling", sync_msg_str);
2324 g_free(sync_msg_str);
2326 samp->value = interface_opts.sampling_param;
2328 report_capture_error("Couldn't set the capture sampling",
2329 "Cannot get packet sampling data structure");
2334 /* setting the data link type only works on real interfaces */
2335 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2337 secondary_errmsg, secondary_errmsg_len)) {
2340 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2342 /* We couldn't open "iface" as a network device. */
2343 /* Try to open it as a pipe */
2344 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2347 if (pcap_opts->cap_pipe_fd == -1) {
2349 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2351 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2352 /* Pipe doesn't exist, so output message for interface */
2353 get_capture_device_open_failure_messages(open_err_str,
2354 interface_opts.name,
2358 secondary_errmsg_len);
2361 * Else pipe (or file) does exist and cap_pipe_open_live() has
2366 /* cap_pipe_open_live() succeeded; don't want
2367 error message from pcap_open_live() */
2368 open_err_str[0] = '\0';
2372 /* XXX - will this work for tshark? */
2373 #ifdef MUST_DO_SELECT
2374 if (!pcap_opts->from_cap_pipe) {
2375 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2376 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2378 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2383 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2384 returned a warning; print it, but keep capturing. */
2385 if (open_err_str[0] != '\0') {
2386 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2387 report_capture_error(sync_msg_str, "");
2388 g_free(sync_msg_str);
2390 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2391 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2394 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2395 /* to remove any suid privileges. */
2396 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2397 /* (euid/egid have already previously been set to ruid/rgid. */
2398 /* (See comment in main() for details) */
2400 relinquish_special_privs_perm();
2402 relinquish_all_capabilities();
2407 /* close the capture input file (pcap or capture pipe) */
2408 static void capture_loop_close_input(loop_data *ld)
2411 pcap_options *pcap_opts;
2413 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2415 for (i = 0; i < ld->pcaps->len; i++) {
2416 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2417 /* if open, close the capture pipe "input file" */
2419 if (pcap_opts->cap_pipe_fd >= 0) {
2420 g_assert(pcap_opts->from_cap_pipe);
2421 ws_close(pcap_opts->cap_pipe_fd);
2422 pcap_opts->cap_pipe_fd = -1;
2425 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2426 CloseHandle(pcap_opts->cap_pipe_h);
2427 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2430 /* if open, close the pcap "input file" */
2431 if (pcap_opts->pcap_h != NULL) {
2432 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", pcap_opts->pcap_h);
2433 pcap_close(pcap_opts->pcap_h);
2434 pcap_opts->pcap_h = NULL;
2441 /* Shut down windows sockets */
2447 /* init the capture filter */
2448 static initfilter_status_t
2449 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2450 gchar * name, gchar * cfilter)
2452 struct bpf_program fcode;
2454 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2456 /* capture filters only work on real interfaces */
2457 if (cfilter && !from_cap_pipe) {
2458 /* A capture filter was specified; set it up. */
2459 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2460 /* Treat this specially - our caller might try to compile this
2461 as a display filter and, if that succeeds, warn the user that
2462 the display and capture filter syntaxes are different. */
2463 return INITFILTER_BAD_FILTER;
2465 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2466 #ifdef HAVE_PCAP_FREECODE
2467 pcap_freecode(&fcode);
2469 return INITFILTER_OTHER_ERROR;
2471 #ifdef HAVE_PCAP_FREECODE
2472 pcap_freecode(&fcode);
2476 return INITFILTER_NO_ERROR;
2480 /* set up to write to the already-opened capture output file/files */
2482 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2486 pcap_options *pcap_opts;
2487 interface_options interface_opts;
2488 gboolean successful;
2490 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2492 if ((capture_opts->use_pcapng == FALSE) &&
2493 (capture_opts->ifaces->len > 1)) {
2494 g_snprintf(errmsg, errmsg_len,
2495 "Using PCAPNG is required for capturing on mulitple interfaces! Use the -n option.");
2499 /* Set up to write to the capture file. */
2500 if (capture_opts->multi_files_on) {
2501 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2503 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2506 if (capture_opts->use_pcapng) {
2509 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2510 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err);
2511 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2512 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2513 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2514 if (pcap_opts->from_cap_pipe) {
2515 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2517 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2519 successful = libpcap_write_interface_description_block(ld->pdh,
2520 interface_opts.name,
2521 interface_opts.cfilter,
2522 pcap_opts->linktype,
2528 interface_opts = g_array_index(capture_opts->ifaces, interface_options, 0);
2529 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2530 if (pcap_opts->from_cap_pipe) {
2531 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2533 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2535 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2536 &ld->bytes_written, &err);
2544 if (ld->pdh == NULL) {
2545 /* We couldn't set up to write to the capture file. */
2546 /* XXX - use cf_open_error_message from tshark instead? */
2551 g_snprintf(errmsg, errmsg_len,
2552 "The file to which the capture would be"
2553 " saved (\"%s\") could not be opened: Error %d.",
2554 capture_opts->save_file, err);
2556 g_snprintf(errmsg, errmsg_len,
2557 "The file to which the capture would be"
2558 " saved (\"%s\") could not be opened: %s.",
2559 capture_opts->save_file, strerror(err));
2571 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2575 pcap_options *pcap_opts;
2577 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2579 if (capture_opts->multi_files_on) {
2580 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2582 if (capture_opts->use_pcapng) {
2583 for (i = 0; i < global_ld.pcaps->len; i++) {
2584 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2585 if (!pcap_opts->from_cap_pipe) {
2586 libpcap_write_interface_statistics_block(ld->pdh, i, pcap_opts->pcap_h, &ld->bytes_written, err_close);
2590 return libpcap_dump_close(ld->pdh, err_close);
2594 /* dispatch incoming packets (pcap or capture pipe)
2596 * Waits for incoming packets to be available, and calls pcap_dispatch()
2597 * to cause them to be processed.
2599 * Returns the number of packets which were processed.
2601 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2602 * packet-batching behaviour does not cause packets to get held back
2606 capture_loop_dispatch(loop_data *ld,
2607 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2610 gint packet_count_before;
2611 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2616 packet_count_before = ld->packet_count;
2617 if (pcap_opts->from_cap_pipe) {
2618 /* dispatch from capture pipe */
2619 #ifdef LOG_CAPTURE_VERBOSE
2620 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2623 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2625 if (sel_ret < 0 && errno != EINTR) {
2626 g_snprintf(errmsg, errmsg_len,
2627 "Unexpected error from select: %s", strerror(errno));
2628 report_capture_error(errmsg, please_report);
2633 * "select()" says we can read from the pipe without blocking
2635 #endif /* USE_THREADS */
2636 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2646 /* dispatch from pcap */
2647 #ifdef MUST_DO_SELECT
2649 * If we have "pcap_get_selectable_fd()", we use it to get the
2650 * descriptor on which to select; if that's -1, it means there
2651 * is no descriptor on which you can do a "select()" (perhaps
2652 * because you're capturing on a special device, and that device's
2653 * driver unfortunately doesn't support "select()", in which case
2654 * we don't do the select - which means it might not be possible
2655 * to stop a capture until a packet arrives. If that's unacceptable,
2656 * plead with whoever supplies the software for that device to add
2657 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2658 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2659 * later, so it can use pcap_breakloop().
2661 #ifdef LOG_CAPTURE_VERBOSE
2662 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2664 if (pcap_opts->pcap_fd != -1) {
2665 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2668 * "select()" says we can read from it without blocking; go for
2671 * We don't have pcap_breakloop(), so we only process one packet
2672 * per pcap_dispatch() call, to allow a signal to stop the
2673 * processing immediately, rather than processing all packets
2674 * in a batch before quitting.
2677 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2679 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2683 /* Error, rather than pcap_breakloop(). */
2684 pcap_opts->pcap_err = TRUE;
2686 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2689 if (sel_ret < 0 && errno != EINTR) {
2690 g_snprintf(errmsg, errmsg_len,
2691 "Unexpected error from select: %s", strerror(errno));
2692 report_capture_error(errmsg, please_report);
2698 #endif /* MUST_DO_SELECT */
2700 /* dispatch from pcap without select */
2702 #ifdef LOG_CAPTURE_VERBOSE
2703 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2707 * On Windows, we don't support asynchronously telling a process to
2708 * stop capturing; instead, we check for an indication on a pipe
2709 * after processing packets. We therefore process only one packet
2710 * at a time, so that we can check the pipe after every packet.
2713 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2715 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2719 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2721 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2726 /* Error, rather than pcap_breakloop(). */
2727 pcap_opts->pcap_err = TRUE;
2729 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2731 #else /* pcap_next_ex */
2732 #ifdef LOG_CAPTURE_VERBOSE
2733 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2735 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2738 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2739 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2740 * This should be fixed in the WinPcap 4.0 alpha release.
2742 * For reference, an example remote interface:
2743 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2746 /* emulate dispatch from pcap */
2749 struct pcap_pkthdr *pkt_header;
2754 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2756 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2758 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2763 pcap_opts->pcap_err = TRUE;
2767 #endif /* pcap_next_ex */
2771 #ifdef LOG_CAPTURE_VERBOSE
2772 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2775 return ld->packet_count - packet_count_before;
2779 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2780 * want to grab only the characters between the '{' and '}' delimiters.
2782 * Returns a GString that must be freed with g_string_free(). */
2784 isolate_uuid(const char *iface)
2789 ptr = strchr(iface, '{');
2791 return g_string_new(iface);
2792 gstr = g_string_new(ptr + 1);
2794 ptr = strchr(gstr->str, '}');
2798 gstr = g_string_truncate(gstr, ptr - gstr->str);
2803 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2804 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2806 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2807 char *errmsg, int errmsg_len)
2810 gchar *capfile_name;
2812 gboolean is_tempfile;
2814 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2815 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2817 if (capture_opts->save_file != NULL) {
2818 /* We return to the caller while the capture is in progress.
2819 * Therefore we need to take a copy of save_file in
2820 * case the caller destroys it after we return.
2822 capfile_name = g_strdup(capture_opts->save_file);
2824 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2825 if (capture_opts->multi_files_on) {
2826 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2827 g_snprintf(errmsg, errmsg_len,
2828 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2829 g_free(capfile_name);
2832 if (strcmp(capfile_name, "-") == 0) {
2833 /* write to stdout */
2836 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2837 _setmode(1, O_BINARY);
2840 } /* if (...output_to_pipe ... */
2843 if (capture_opts->multi_files_on) {
2844 /* ringbuffer is enabled */
2845 *save_file_fd = ringbuf_init(capfile_name,
2846 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2847 capture_opts->group_read_access);
2849 /* we need the ringbuf name */
2850 if(*save_file_fd != -1) {
2851 g_free(capfile_name);
2852 capfile_name = g_strdup(ringbuf_current_filename());
2855 /* Try to open/create the specified file for use as a capture buffer. */
2856 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2857 (capture_opts->group_read_access) ? 0640 : 0600);
2860 is_tempfile = FALSE;
2862 /* Choose a random name for the temporary capture buffer */
2863 if (global_capture_opts.ifaces->len > 1) {
2864 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
2869 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
2870 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2871 g_string_free(iface, TRUE);
2873 prefix = g_strconcat("wireshark_", g_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name), NULL);
2876 *save_file_fd = create_tempfile(&tmpname, prefix);
2878 capfile_name = g_strdup(tmpname);
2882 /* did we fail to open the output file? */
2883 if (*save_file_fd == -1) {
2885 g_snprintf(errmsg, errmsg_len,
2886 "The temporary file to which the capture would be saved (\"%s\") "
2887 "could not be opened: %s.", capfile_name, strerror(errno));
2889 if (capture_opts->multi_files_on) {
2890 ringbuf_error_cleanup();
2893 g_snprintf(errmsg, errmsg_len,
2894 "The file to which the capture would be saved (\"%s\") "
2895 "could not be opened: %s.", capfile_name,
2898 g_free(capfile_name);
2902 if(capture_opts->save_file != NULL) {
2903 g_free(capture_opts->save_file);
2905 capture_opts->save_file = capfile_name;
2906 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2907 "g_free(capfile_name)". */
2913 /* Do the work of handling either the file size or file duration capture
2914 conditions being reached, and switching files or stopping. */
2916 do_file_switch_or_stop(capture_options *capture_opts,
2917 condition *cnd_autostop_files,
2918 condition *cnd_autostop_size,
2919 condition *cnd_file_duration)
2922 pcap_options *pcap_opts;
2923 interface_options interface_opts;
2924 gboolean successful;
2926 if (capture_opts->multi_files_on) {
2927 if (cnd_autostop_files != NULL &&
2928 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2929 /* no files left: stop here */
2930 global_ld.go = FALSE;
2934 /* Switch to the next ringbuffer file */
2935 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2936 &global_ld.save_file_fd, &global_ld.err)) {
2938 /* File switch succeeded: reset the conditions */
2939 global_ld.bytes_written = 0;
2940 if (capture_opts->use_pcapng) {
2943 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2944 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &(global_ld.bytes_written), &global_ld.err);
2945 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2946 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2947 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2948 successful = libpcap_write_interface_description_block(global_ld.pdh,
2949 interface_opts.name,
2950 interface_opts.cfilter,
2951 pcap_opts->linktype,
2953 &(global_ld.bytes_written),
2957 interface_opts = g_array_index(capture_opts->ifaces, interface_options, 0);
2958 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
2959 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
2960 &global_ld.bytes_written, &global_ld.err);
2963 fclose(global_ld.pdh);
2964 global_ld.pdh = NULL;
2965 global_ld.go = FALSE;
2968 if (cnd_autostop_size)
2969 cnd_reset(cnd_autostop_size);
2970 if (cnd_file_duration)
2971 cnd_reset(cnd_file_duration);
2972 libpcap_dump_flush(global_ld.pdh, NULL);
2974 report_packet_count(global_ld.inpkts_to_sync_pipe);
2975 global_ld.inpkts_to_sync_pipe = 0;
2976 report_new_capture_file(capture_opts->save_file);
2978 /* File switch failed: stop here */
2979 global_ld.go = FALSE;
2983 /* single file, stop now */
2984 global_ld.go = FALSE;
2991 pcap_read_handler(void* arg)
2993 pcap_options *pcap_opts;
2994 char errmsg[MSG_MAX_LENGTH+1];
2996 pcap_opts = (pcap_options *)arg;
2998 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
2999 pcap_opts->interface_id);
3001 while (global_ld.go) {
3002 /* dispatch incoming packets */
3003 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3005 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3006 pcap_opts->interface_id);
3007 g_thread_exit(NULL);
3011 /* Do the low-level work of a capture.
3012 Returns TRUE if it succeeds, FALSE otherwise. */
3014 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3017 time_t upd_time, cur_time;
3019 struct timeval upd_time, cur_time;
3023 condition *cnd_file_duration = NULL;
3024 condition *cnd_autostop_files = NULL;
3025 condition *cnd_autostop_size = NULL;
3026 condition *cnd_autostop_duration = NULL;
3029 gboolean cfilter_error = FALSE;
3030 char errmsg[MSG_MAX_LENGTH+1];
3031 char secondary_errmsg[MSG_MAX_LENGTH+1];
3032 pcap_options *pcap_opts;
3033 interface_options interface_opts;
3036 interface_opts = capture_opts->default_options;
3038 *secondary_errmsg = '\0';
3040 /* init the loop data */
3041 global_ld.go = TRUE;
3042 global_ld.packet_count = 0;
3044 global_ld.report_packet_count = FALSE;
3046 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
3047 if (capture_opts->has_autostop_packets)
3048 global_ld.packet_max = capture_opts->autostop_packets;
3050 global_ld.packet_max = 0; /* no limit */
3051 global_ld.inpkts_to_sync_pipe = 0;
3052 global_ld.err = 0; /* no error seen yet */
3053 global_ld.pdh = NULL;
3054 global_ld.autostop_files = 0;
3055 global_ld.save_file_fd = -1;
3057 /* We haven't yet gotten the capture statistics. */
3058 *stats_known = FALSE;
3060 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3061 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3063 /* open the "input file" from network interface or capture pipe */
3064 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3065 secondary_errmsg, sizeof(secondary_errmsg))) {
3068 for (i = 0; i < capture_opts->ifaces->len; i++) {
3069 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3070 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3071 /* init the input filter from the network interface (capture pipe will do nothing) */
3072 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3073 interface_opts.name,
3074 interface_opts.cfilter)) {
3076 case INITFILTER_NO_ERROR:
3079 case INITFILTER_BAD_FILTER:
3080 cfilter_error = TRUE;
3081 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3084 case INITFILTER_OTHER_ERROR:
3085 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3086 pcap_geterr(pcap_opts->pcap_h));
3087 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3092 /* If we're supposed to write to a capture file, open it for output
3093 (temporary/specified name/ringbuffer) */
3094 if (capture_opts->saving_to_file) {
3095 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3096 errmsg, sizeof(errmsg))) {
3100 /* set up to write to the already-opened capture output file/files */
3101 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3106 /* XXX - capture SIGTERM and close the capture, in case we're on a
3107 Linux 2.0[.x] system and you have to explicitly close the capture
3108 stream in order to turn promiscuous mode off? We need to do that
3109 in other places as well - and I don't think that works all the
3110 time in any case, due to libpcap bugs. */
3112 /* Well, we should be able to start capturing.
3114 Sync out the capture file, so the header makes it to the file system,
3115 and send a "capture started successfully and capture file created"
3116 message to our parent so that they'll open the capture file and
3117 update its windows to indicate that we have a live capture in
3119 libpcap_dump_flush(global_ld.pdh, NULL);
3120 report_new_capture_file(capture_opts->save_file);
3123 /* initialize capture stop (and alike) conditions */
3124 init_capture_stop_conditions();
3125 /* create stop conditions */
3126 if (capture_opts->has_autostop_filesize)
3128 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3129 if (capture_opts->has_autostop_duration)
3130 cnd_autostop_duration =
3131 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3133 if (capture_opts->multi_files_on) {
3134 if (capture_opts->has_file_duration)
3136 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3138 if (capture_opts->has_autostop_files)
3139 cnd_autostop_files =
3140 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3143 /* init the time values */
3145 upd_time = GetTickCount();
3147 gettimeofday(&upd_time, NULL);
3150 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3152 /* WOW, everything is prepared! */
3153 /* please fasten your seat belts, we will enter now the actual capture loop */
3155 pcap_queue = g_async_queue_new();
3156 pcap_queue_bytes = 0;
3157 pcap_queue_packets = 0;
3158 for (i = 0; i < global_ld.pcaps->len; i++) {
3159 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3160 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3163 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3164 while (global_ld.go) {
3165 /* dispatch incoming packets */
3167 GTimeVal write_thread_time;
3168 pcap_queue_element *queue_element;
3170 g_get_current_time(&write_thread_time);
3171 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3172 g_async_queue_lock(pcap_queue);
3173 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3174 if (queue_element) {
3175 pcap_queue_bytes -= queue_element->phdr.caplen;
3176 pcap_queue_packets -= 1;
3178 g_async_queue_unlock(pcap_queue);
3179 if (queue_element) {
3180 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3181 "Dequeued a packet of length %d captured on interface %d.",
3182 queue_element->phdr.caplen, queue_element->interface_id);
3184 capture_loop_write_packet_cb((u_char *)&queue_element->interface_id,
3185 &queue_element->phdr,
3187 g_free(queue_element->pd);
3188 g_free(queue_element);
3194 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3195 sizeof(errmsg), pcap_opts);
3198 /* Were we asked to print packet counts by the SIGINFO handler? */
3199 if (global_ld.report_packet_count) {
3200 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3201 plurality(global_ld.packet_count, "", "s"));
3202 global_ld.report_packet_count = FALSE;
3207 /* any news from our parent (signal pipe)? -> just stop the capture */
3208 if (!signal_pipe_check_running()) {
3209 global_ld.go = FALSE;
3214 global_ld.inpkts_to_sync_pipe += inpkts;
3216 /* check capture size condition */
3217 if (cnd_autostop_size != NULL &&
3218 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3219 /* Capture size limit reached, do we have another file? */
3220 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3221 cnd_autostop_size, cnd_file_duration))
3223 } /* cnd_autostop_size */
3224 if (capture_opts->output_to_pipe) {
3225 libpcap_dump_flush(global_ld.pdh, NULL);
3229 /* Only update once every 500ms so as not to overload slow displays.
3230 * This also prevents too much context-switching between the dumpcap
3231 * and wireshark processes.
3233 #define DUMPCAP_UPD_TIME 500
3236 cur_time = GetTickCount();
3237 if ( (cur_time - upd_time) > DUMPCAP_UPD_TIME) {
3239 gettimeofday(&cur_time, NULL);
3240 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3241 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3244 upd_time = cur_time;
3247 if (pcap_stats(pch, stats) >= 0) {
3248 *stats_known = TRUE;
3251 /* Let the parent process know. */
3252 if (global_ld.inpkts_to_sync_pipe) {
3254 libpcap_dump_flush(global_ld.pdh, NULL);
3256 /* Send our parent a message saying we've written out
3257 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3259 report_packet_count(global_ld.inpkts_to_sync_pipe);
3261 global_ld.inpkts_to_sync_pipe = 0;
3264 /* check capture duration condition */
3265 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3266 /* The maximum capture time has elapsed; stop the capture. */
3267 global_ld.go = FALSE;
3271 /* check capture file duration condition */
3272 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3273 /* duration limit reached, do we have another file? */
3274 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3275 cnd_autostop_size, cnd_file_duration))
3277 } /* cnd_file_duration */
3281 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3283 pcap_queue_element *queue_element;
3285 for (i = 0; i < global_ld.pcaps->len; i++) {
3286 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3287 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3288 pcap_opts->interface_id);
3289 g_thread_join(pcap_opts->tid);
3290 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3291 pcap_opts->interface_id);
3294 g_async_queue_lock(pcap_queue);
3295 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3296 if (queue_element) {
3297 pcap_queue_bytes -= queue_element->phdr.caplen;
3298 pcap_queue_packets -= 1;
3300 g_async_queue_unlock(pcap_queue);
3301 if (queue_element == NULL) {
3304 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3305 "Dequeued a packet of length %d captured on interface %d.",
3306 queue_element->phdr.caplen, queue_element->interface_id);
3307 capture_loop_write_packet_cb((u_char *)&queue_element->interface_id,
3308 &queue_element->phdr,
3310 g_free(queue_element->pd);
3311 g_free(queue_element);
3312 global_ld.inpkts_to_sync_pipe += 1;
3313 if (capture_opts->output_to_pipe) {
3314 libpcap_dump_flush(global_ld.pdh, NULL);
3320 /* delete stop conditions */
3321 if (cnd_file_duration != NULL)
3322 cnd_delete(cnd_file_duration);
3323 if (cnd_autostop_files != NULL)
3324 cnd_delete(cnd_autostop_files);
3325 if (cnd_autostop_size != NULL)
3326 cnd_delete(cnd_autostop_size);
3327 if (cnd_autostop_duration != NULL)
3328 cnd_delete(cnd_autostop_duration);
3330 /* did we have a pcap (input) error? */
3331 for (i = 0; i < capture_opts->ifaces->len; i++) {
3332 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3333 if (pcap_opts->pcap_err) {
3334 /* On Linux, if an interface goes down while you're capturing on it,
3335 you'll get a "recvfrom: Network is down" or
3336 "The interface went down" error (ENETDOWN).
3337 (At least you will if strerror() doesn't show a local translation
3340 On FreeBSD and OS X, if a network adapter disappears while
3341 you're capturing on it, you'll get a "read: Device not configured"
3342 error (ENXIO). (See previous parenthetical note.)
3344 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3346 These should *not* be reported to the Wireshark developers. */
3349 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3350 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3351 strcmp(cap_err_str, "The interface went down") == 0 ||
3352 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3353 strcmp(cap_err_str, "read: I/O error") == 0 ||
3354 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3355 report_capture_error("The network adapter on which the capture was being done "
3356 "is no longer running; the capture has stopped.",
3359 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3361 report_capture_error(errmsg, please_report);
3364 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3365 report_capture_error(errmsg, "");
3369 /* did we have an output error while capturing? */
3370 if (global_ld.err == 0) {
3373 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3374 global_ld.err, FALSE);
3375 report_capture_error(errmsg, please_report);
3379 if (capture_opts->saving_to_file) {
3380 /* close the output file */
3381 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3385 /* there might be packets not yet notified to the parent */
3386 /* (do this after closing the file, so all packets are already flushed) */
3387 if(global_ld.inpkts_to_sync_pipe) {
3389 report_packet_count(global_ld.inpkts_to_sync_pipe);
3390 global_ld.inpkts_to_sync_pipe = 0;
3393 /* If we've displayed a message about a write error, there's no point
3394 in displaying another message about an error on close. */
3395 if (!close_ok && write_ok) {
3396 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3398 report_capture_error(errmsg, "");
3402 * XXX We exhibit different behaviour between normal mode and sync mode
3403 * when the pipe is stdin and not already at EOF. If we're a child, the
3404 * parent's stdin isn't closed, so if the user starts another capture,
3405 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3406 * will say "Unrecognized libpcap format". On the other hand, in normal
3407 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3410 report_capture_count(TRUE);
3412 /* get packet drop statistics from pcap */
3413 for (i = 0; i < capture_opts->ifaces->len; i++) {
3417 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3418 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3419 received = pcap_opts->received;
3420 dropped = pcap_opts->dropped;
3421 if (pcap_opts->pcap_h != NULL) {
3422 g_assert(!pcap_opts->from_cap_pipe);
3423 /* Get the capture statistics, so we know how many packets were dropped. */
3424 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3425 *stats_known = TRUE;
3426 /* Let the parent process know. */
3427 dropped += stats->ps_drop;
3429 g_snprintf(errmsg, sizeof(errmsg),
3430 "Can't get packet-drop statistics: %s",
3431 pcap_geterr(pcap_opts->pcap_h));
3432 report_capture_error(errmsg, please_report);
3435 report_packet_drops(received, dropped, interface_opts.name);
3438 /* close the input file (pcap or capture pipe) */
3439 capture_loop_close_input(&global_ld);
3441 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3443 /* ok, if the write and the close were successful. */
3444 return write_ok && close_ok;
3447 if (capture_opts->multi_files_on) {
3448 /* cleanup ringbuffer */
3449 ringbuf_error_cleanup();
3451 /* We can't use the save file, and we have no FILE * for the stream
3452 to close in order to close it, so close the FD directly. */
3453 if (global_ld.save_file_fd != -1) {
3454 ws_close(global_ld.save_file_fd);
3457 /* We couldn't even start the capture, so get rid of the capture
3459 if (capture_opts->save_file != NULL) {
3460 ws_unlink(capture_opts->save_file);
3461 g_free(capture_opts->save_file);
3464 capture_opts->save_file = NULL;
3466 report_cfilter_error(interface_opts.cfilter, errmsg);
3468 report_capture_error(errmsg, secondary_errmsg);
3470 /* close the input file (pcap or cap_pipe) */
3471 capture_loop_close_input(&global_ld);
3473 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3479 static void capture_loop_stop(void)
3481 #ifdef HAVE_PCAP_BREAKLOOP
3483 pcap_options *pcap_opts;
3485 if (global_ld.pcaps) {
3486 for (i = 0; i < global_ld.pcaps->len; i++) {
3487 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3488 if (pcap_opts->pcap_h != NULL)
3489 pcap_breakloop(pcap_opts->pcap_h);
3493 global_ld.go = FALSE;
3498 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3499 int err, gboolean is_close)
3504 g_snprintf(errmsg, errmsglen,
3505 "Not all the packets could be written to the file"
3506 " to which the capture was being saved\n"
3507 "(\"%s\") because there is no space left on the file system\n"
3508 "on which that file resides.",
3514 g_snprintf(errmsg, errmsglen,
3515 "Not all the packets could be written to the file"
3516 " to which the capture was being saved\n"
3517 "(\"%s\") because you are too close to, or over,"
3518 " your disk quota\n"
3519 "on the file system on which that file resides.",
3526 g_snprintf(errmsg, errmsglen,
3527 "The file to which the capture was being saved\n"
3528 "(\"%s\") could not be closed: %s.",
3529 fname, strerror(err));
3531 g_snprintf(errmsg, errmsglen,
3532 "An error occurred while writing to the file"
3533 " to which the capture was being saved\n"
3535 fname, strerror(err));
3542 /* one packet was captured, process it */
3544 capture_loop_write_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3547 pcap_options *pcap_opts;
3550 /* We may be called multiple times from pcap_dispatch(); if we've set
3551 the "stop capturing" flag, ignore this packet, as we're not
3552 supposed to be saving any more packets. */
3556 pcap_opts = (pcap_options *) (void *) user;
3557 if (global_ld.pdh) {
3558 gboolean successful;
3560 /* We're supposed to write the packet to a file; do so.
3561 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3562 "ld->err" to the error. */
3563 if (global_capture_opts.use_pcapng) {
3564 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, pd, &global_ld.bytes_written, &err);
3566 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3569 global_ld.go = FALSE;
3570 global_ld.err = err;
3572 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3573 "Wrote a packet of length %d captured on interface %u.",
3574 phdr->caplen, pcap_opts->interface_id);
3575 global_ld.packet_count++;
3576 pcap_opts->received++;
3577 /* if the user told us to stop after x packets, do we already have enough? */
3578 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3579 global_ld.go = FALSE;
3585 /* one packet was captured, queue it */
3587 capture_loop_queue_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3590 pcap_options *pcap_opts;
3591 pcap_queue_element *queue_element;
3592 gboolean limit_reached;
3594 /* We may be called multiple times from pcap_dispatch(); if we've set
3595 the "stop capturing" flag, ignore this packet, as we're not
3596 supposed to be saving any more packets. */
3600 pcap_opts = (pcap_options *) (void *) user;
3601 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3602 if (queue_element == NULL) {
3603 pcap_opts->dropped++;
3606 queue_element->interface_id = pcap_opts->interface_id;
3607 queue_element->phdr = *phdr;
3608 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3609 if (queue_element->pd == NULL) {
3610 pcap_opts->dropped++;
3611 g_free(queue_element);
3614 memcpy(queue_element->pd, pd, phdr->caplen);
3615 g_async_queue_lock(pcap_queue);
3616 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3617 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3618 limit_reached = FALSE;
3619 g_async_queue_push_unlocked(pcap_queue, queue_element);
3620 pcap_queue_bytes += phdr->caplen;
3621 pcap_queue_packets += 1;
3623 limit_reached = TRUE;
3625 g_async_queue_unlock(pcap_queue);
3626 if (limit_reached) {
3627 pcap_opts->dropped++;
3628 g_free(queue_element->pd);
3629 g_free(queue_element);
3630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3631 "Dropped a packet of length %d captured on interface %u.",
3632 phdr->caplen, pcap_opts->interface_id);
3634 pcap_opts->received++;
3635 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3636 "Queued a packet of length %d captured on interface %u.",
3637 phdr->caplen, pcap_opts->interface_id);
3639 /* I don't want to hold the mutex over the debug output. So the
3640 output may be wrong */
3641 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3642 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3643 pcap_queue_bytes, pcap_queue_packets);
3646 /* And now our feature presentation... [ fade to music ] */
3648 main(int argc, char *argv[])
3651 gboolean arg_error = FALSE;
3656 struct sigaction action, oldaction;
3659 gboolean start_capture = TRUE;
3660 gboolean stats_known;
3661 struct pcap_stat stats;
3662 GLogLevelFlags log_flags;
3663 gboolean list_interfaces = FALSE;
3664 gboolean list_link_layer_types = FALSE;
3665 #ifdef HAVE_BPF_IMAGE
3666 gboolean print_bpf_code = FALSE;
3668 gboolean machine_readable = FALSE;
3669 gboolean print_statistics = FALSE;
3670 int status, run_once_args = 0;
3673 #if defined(__APPLE__) && defined(__LP64__)
3674 struct utsname osinfo;
3678 arg_list_utf_16to8(argc, argv);
3683 * Initialize our DLL search path. MUST be called before LoadLibrary
3686 ws_init_dll_search_path();
3689 #ifdef HAVE_PCAP_REMOTE
3690 #define OPTSTRING_A "A:"
3691 #define OPTSTRING_r "r"
3692 #define OPTSTRING_u "u"
3694 #define OPTSTRING_A ""
3695 #define OPTSTRING_r ""
3696 #define OPTSTRING_u ""
3699 #ifdef HAVE_PCAP_SETSAMPLING
3700 #define OPTSTRING_m "m:"
3702 #define OPTSTRING_m ""
3705 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3706 #define OPTSTRING_B "B:"
3708 #define OPTSTRING_B ""
3709 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3711 #ifdef HAVE_PCAP_CREATE
3712 #define OPTSTRING_I "I"
3714 #define OPTSTRING_I ""
3717 #ifdef HAVE_BPF_IMAGE
3718 #define OPTSTRING_d "d"
3720 #define OPTSTRING_d ""
3723 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
3725 #ifdef DEBUG_CHILD_DUMPCAP
3726 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3727 fprintf (stderr, "Unable to open debug log file !\n");
3732 #if defined(__APPLE__) && defined(__LP64__)
3734 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3735 * a bug workaround - timeouts less than 1 second don't work with libpcap
3736 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3737 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3738 * The problem is extremely unlikely to be reintroduced in a future
3741 if (uname(&osinfo) == 0) {
3743 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3744 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3745 * number of 10.0.0, not 10.1.0 - go figure).
3747 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3748 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3749 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3750 need_timeout_workaround = TRUE;
3755 * Determine if dumpcap is being requested to run in a special
3756 * capture_child mode by going thru the command line args to see if
3757 * a -Z is present. (-Z is a hidden option).
3759 * The primary result of running in capture_child mode is that
3760 * all messages sent out on stderr are in a special type/len/string
3761 * format to allow message processing by type. These messages include
3762 * error messages if dumpcap fails to start the operation it was
3763 * requested to do, as well as various "status" messages which are sent
3764 * when an actual capture is in progress, and a "success" message sent
3765 * if dumpcap was requested to perform an operation other than a
3768 * Capture_child mode would normally be requested by a parent process
3769 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3770 * to which dumpcap stderr has been redirected. It might also have
3771 * another pipe to obtain dumpcap stdout output; for operations other
3772 * than a capture, that information is formatted specially for easier
3773 * parsing by the parent process.
3775 * Capture_child mode needs to be determined immediately upon
3776 * startup so that any messages generated by dumpcap in this mode
3777 * (eg: during initialization) will be formatted properly.
3780 for (i=1; i<argc; i++) {
3781 if (strcmp("-Z", argv[i]) == 0) {
3782 capture_child = TRUE;
3783 machine_readable = TRUE; /* request machine-readable output */
3785 /* set output pipe to binary mode, to avoid ugly text conversions */
3786 _setmode(2, O_BINARY);
3791 /* The default_log_handler will use stdout, which makes trouble in */
3792 /* capture child mode, as it uses stdout for it's sync_pipe. */
3793 /* So: the filtering is done in the console_log_handler and not here.*/
3794 /* We set the log handlers right up front to make sure that any log */
3795 /* messages when running as child will be sent back to the parent */
3796 /* with the correct format. */
3800 G_LOG_LEVEL_CRITICAL|
3801 G_LOG_LEVEL_WARNING|
3802 G_LOG_LEVEL_MESSAGE|
3805 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3807 g_log_set_handler(NULL,
3809 console_log_handler, NULL /* user_data */);
3810 g_log_set_handler(LOG_DOMAIN_MAIN,
3812 console_log_handler, NULL /* user_data */);
3813 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3815 console_log_handler, NULL /* user_data */);
3816 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3818 console_log_handler, NULL /* user_data */);
3820 /* Initialize the pcaps list */
3821 global_ld.pcaps = NULL;
3823 /* Initialize the thread system */
3824 if (!g_thread_supported())
3825 g_thread_init(NULL);
3827 /* Load wpcap if possible. Do this before collecting the run-time version information */
3830 /* ... and also load the packet.dll from wpcap */
3831 /* XXX - currently not required, may change later. */
3832 /*wpcap_packet_load();*/
3834 /* Start windows sockets */
3835 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3837 /* Set handler for Ctrl+C key */
3838 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3840 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3842 action.sa_handler = capture_cleanup_handler;
3844 * Arrange that system calls not get restarted, because when
3845 * our signal handler returns we don't want to restart
3846 * a call that was waiting for packets to arrive.
3848 action.sa_flags = 0;
3849 sigemptyset(&action.sa_mask);
3850 sigaction(SIGTERM, &action, NULL);
3851 sigaction(SIGINT, &action, NULL);
3852 sigaction(SIGPIPE, &action, NULL);
3853 sigaction(SIGHUP, NULL, &oldaction);
3854 if (oldaction.sa_handler == SIG_DFL)
3855 sigaction(SIGHUP, &action, NULL);
3858 /* Catch SIGINFO and, if we get it and we're capturing in
3859 quiet mode, report the number of packets we've captured. */
3860 action.sa_handler = report_counts_siginfo;
3861 action.sa_flags = SA_RESTART;
3862 sigemptyset(&action.sa_mask);
3863 sigaction(SIGINFO, &action, NULL);
3864 #endif /* SIGINFO */
3867 /* ----------------------------------------------------------------- */
3868 /* Privilege and capability handling */
3870 /* 1. Running not as root or suid root; no special capabilities. */
3873 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3876 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3878 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3879 /* capabilities; Drop all other capabilities; */
3880 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3881 /* else: after pcap_open_live() in capture_loop_open_input() */
3882 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3883 /* (Note: this means that the process, although logged in */
3884 /* as root, does not have various permissions such as the */
3885 /* ability to bypass file access permissions). */
3886 /* XXX: Should we just leave capabilities alone in this case */
3887 /* so that user gets expected effect that root can do */
3890 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3892 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3893 /* else: after pcap_open_live() in capture_loop_open_input() */
3894 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3895 /* pcap_open_live). */
3897 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3899 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3900 /* capabilities; Drop all other capabilities; */
3901 /* Drop suid privileges (euid=ruid); */
3902 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3903 /* else: after pcap_open_live() in capture_loop_open_input() */
3904 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3906 /* XXX: For some Linux versions/distros with capabilities */
3907 /* a 'normal' process with any capabilities cannot be */
3908 /* 'killed' (signaled) from another (same uid) non-privileged */
3910 /* For example: If (non-suid) Wireshark forks a */
3911 /* child suid dumpcap which acts as described here (case 5), */
3912 /* Wireshark will be unable to kill (signal) the child */
3913 /* dumpcap process until the capabilities have been dropped */
3914 /* (after pcap_open_live()). */
3915 /* This behaviour will apparently be changed in the kernel */
3916 /* to allow the kill (signal) in this case. */
3917 /* See the following for details: */
3918 /* http://www.mail-archive.com/ [wrapped] */
3919 /* linux-security-module@vger.kernel.org/msg02913.html */
3921 /* It is therefore conceivable that if dumpcap somehow hangs */
3922 /* in pcap_open_live or before that wireshark will not */
3923 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3924 /* In this case, exiting wireshark will kill the child */
3925 /* dumpcap process. */
3927 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3928 /* capabilities; Using libcap. Note: capset cmd (which see) */
3929 /* used to assign capabilities to file. */
3931 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3932 /* else: after pcap_open_live() in capture_loop_open_input() */
3933 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3935 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3936 /* longer required (similar to capture). */
3938 /* ----------------------------------------------------------------- */
3940 init_process_policies();
3943 /* If 'started with special privileges' (and using libcap) */
3944 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3945 /* Set euid/egid = ruid/rgid to remove suid privileges */
3946 relinquish_privs_except_capture();
3949 /* Set the initial values in the capture options. This might be overwritten
3950 by the command line parameters. */
3951 capture_opts_init(&global_capture_opts, NULL);
3953 /* Default to capturing the entire packet. */
3954 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3956 /* We always save to a file - if no file was specified, we save to a
3958 global_capture_opts.saving_to_file = TRUE;
3959 global_capture_opts.has_ring_num_files = TRUE;
3961 /* Now get our args */
3962 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3964 case 'h': /* Print help and exit */
3968 case 'v': /* Show version and exit */
3970 GString *comp_info_str;
3971 GString *runtime_info_str;
3972 /* Assemble the compile-time version information string */
3973 comp_info_str = g_string_new("Compiled ");
3974 get_compiled_version_info(comp_info_str, NULL, NULL);
3976 /* Assemble the run-time version information string */
3977 runtime_info_str = g_string_new("Running ");
3978 get_runtime_version_info(runtime_info_str, NULL);
3979 show_version(comp_info_str, runtime_info_str);
3980 g_string_free(comp_info_str, TRUE);
3981 g_string_free(runtime_info_str, TRUE);
3985 /*** capture option specific ***/
3986 case 'a': /* autostop criteria */
3987 case 'b': /* Ringbuffer option */
3988 case 'c': /* Capture x packets */
3989 case 'f': /* capture filter */
3990 case 'i': /* Use interface x */
3991 case 'n': /* Use pcapng format */
3992 case 'p': /* Don't capture in promiscuous mode */
3993 case 's': /* Set the snapshot (capture) length */
3994 case 'w': /* Write to capture file x */
3995 case 'g': /* enable group read accesson file(s) */
3996 case 'y': /* Set the pcap data link type */
3997 #ifdef HAVE_PCAP_REMOTE
3998 case 'u': /* Use UDP for data transfer */
3999 case 'r': /* Capture own RPCAP traffic too */
4000 case 'A': /* Authentication */
4002 #ifdef HAVE_PCAP_SETSAMPLING
4003 case 'm': /* Sampling */
4005 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4006 case 'B': /* Buffer size */
4007 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4008 #ifdef HAVE_PCAP_CREATE
4009 case 'I': /* Monitor mode */
4011 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4016 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4018 capture_child = TRUE;
4020 /* set output pipe to binary mode, to avoid ugly text conversions */
4021 _setmode(2, O_BINARY);
4023 * optarg = the control ID, aka the PPID, currently used for the
4026 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4027 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4028 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4029 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4031 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4032 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4033 "Signal pipe: Unable to open %s. Dead parent?",
4041 case 'q': /* Quiet */
4048 /*** all non capture option specific ***/
4049 case 'D': /* Print a list of capture devices and exit */
4050 list_interfaces = TRUE;
4053 case 'L': /* Print list of link-layer types and exit */
4054 list_link_layer_types = TRUE;
4057 #ifdef HAVE_BPF_IMAGE
4058 case 'd': /* Print BPF code for capture filter and exit */
4059 print_bpf_code = TRUE;
4063 case 'S': /* Print interface statistics once a second */
4064 print_statistics = TRUE;
4067 case 'M': /* For -D, -L, and -S, print machine-readable output */
4068 machine_readable = TRUE;
4071 case '?': /* Bad flag - print usage message */
4072 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4080 /* user specified file name as regular command-line argument */
4081 /* XXX - use it as the capture file name (or something else)? */
4088 * Extra command line arguments were specified; complain.
4089 * XXX - interpret as capture filter, as tcpdump and tshark do?
4091 cmdarg_err("Invalid argument: %s", argv[0]);
4100 if (run_once_args > 1) {
4101 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4103 } else if (run_once_args == 1) {
4104 /* We're supposed to print some information, rather than
4105 to capture traffic; did they specify a ring buffer option? */
4106 if (global_capture_opts.multi_files_on) {
4107 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4111 /* We're supposed to capture traffic; */
4112 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4113 if (global_capture_opts.ifaces->len > 1) {
4115 global_capture_opts.use_pcapng = TRUE;
4117 /* Was the ring buffer option specified and, if so, does it make sense? */
4118 if (global_capture_opts.multi_files_on) {
4119 /* Ring buffer works only under certain conditions:
4120 a) ring buffer does not work with temporary files;
4121 b) it makes no sense to enable the ring buffer if the maximum
4122 file size is set to "infinite". */
4123 if (global_capture_opts.save_file == NULL) {
4124 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4125 global_capture_opts.multi_files_on = FALSE;
4127 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4128 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4130 /* XXX - this must be redesigned as the conditions changed */
4131 global_capture_opts.multi_files_on = FALSE;
4138 * "-D" requires no interface to be selected; it's supposed to list
4141 if (list_interfaces) {
4142 /* Get the list of interfaces */
4147 if_list = capture_interface_list(&err, &err_str);
4148 if (if_list == NULL) {
4150 case CANT_GET_INTERFACE_LIST:
4151 cmdarg_err("%s", err_str);
4156 case NO_INTERFACES_FOUND:
4158 * If we're being run by another program, just give them
4159 * an empty list of interfaces, don't report this as
4160 * an error; that lets them decide whether to report
4161 * this as an error or not.
4163 if (!machine_readable) {
4164 cmdarg_err("There are no interfaces on which a capture can be done");
4171 if (machine_readable) /* tab-separated values to stdout */
4172 print_machine_readable_interfaces(if_list);
4174 capture_opts_print_interfaces(if_list);
4175 free_interface_list(if_list);
4180 * "-S" requires no interface to be selected; it gives statistics
4181 * for all interfaces.
4183 if (print_statistics) {
4184 status = print_statistics_loop(machine_readable);
4189 * "-L", "-d", and capturing act on a particular interface, so we have to
4190 * have an interface; if none was specified, pick a default.
4192 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4193 /* cmdarg_err() already called .... */
4197 /* Let the user know what interfaces were chosen. */
4198 /* get_interface_descriptive_name() is not available! */
4199 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4200 interface_options interface_opts;
4202 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4203 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s", interface_opts.name);
4206 if (list_link_layer_types) {
4207 /* Get the list of link-layer types for the capture device. */
4208 if_capabilities_t *caps;
4212 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4213 interface_options interface_opts;
4215 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4216 caps = get_if_capabilities(interface_opts.name,
4217 interface_opts.monitor_mode, &err_str);
4219 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4220 "Please check to make sure you have sufficient permissions, and that\n"
4221 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4225 if (caps->data_link_types == NULL) {
4226 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4229 if (machine_readable) /* tab-separated values to stdout */
4230 /* XXX: We need to change the format and adopt consumers */
4231 print_machine_readable_if_capabilities(caps);
4233 /* XXX: We might want to print also the interface name */
4234 capture_opts_print_if_capabilities(caps, interface_opts.name,
4235 interface_opts.monitor_mode);
4236 free_if_capabilities(caps);
4241 /* We're supposed to do a capture, or print the BPF code for a filter.
4242 Process the snapshot length, as that affects the generated BPF code. */
4243 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4245 #ifdef HAVE_BPF_IMAGE
4246 if (print_bpf_code) {
4247 show_filter_code(&global_capture_opts);
4252 /* We're supposed to do a capture. Process the ring buffer arguments. */
4253 capture_opts_trim_ring_num_files(&global_capture_opts);
4255 /* Now start the capture. */
4257 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4261 /* capture failed */
4264 return 0; /* never here, make compiler happy */
4269 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4270 const char *message, gpointer user_data _U_)
4277 /* ignore log message, if log_level isn't interesting */
4278 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4279 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4284 /* create a "timestamp" */
4286 today = localtime(&curr);
4288 switch(log_level & G_LOG_LEVEL_MASK) {
4289 case G_LOG_LEVEL_ERROR:
4292 case G_LOG_LEVEL_CRITICAL:
4295 case G_LOG_LEVEL_WARNING:
4298 case G_LOG_LEVEL_MESSAGE:
4301 case G_LOG_LEVEL_INFO:
4304 case G_LOG_LEVEL_DEBUG:
4308 fprintf(stderr, "unknown log_level %u\n", log_level);
4310 g_assert_not_reached();
4313 /* Generate the output message */
4314 if(log_level & G_LOG_LEVEL_MESSAGE) {
4315 /* normal user messages without additional infos */
4316 msg = g_strdup_printf("%s\n", message);
4318 /* info/debug messages with additional infos */
4319 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4320 today->tm_hour, today->tm_min, today->tm_sec,
4321 log_domain != NULL ? log_domain : "",
4325 /* DEBUG & INFO msgs (if we're debugging today) */
4326 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4327 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4328 #ifdef DEBUG_DUMPCAP
4329 fprintf(stderr, "%s", msg);
4332 #ifdef DEBUG_CHILD_DUMPCAP
4333 fprintf(debug_log, "%s", msg);
4341 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4342 /* to parent especially formatted if dumpcap running as child. */
4343 if (capture_child) {
4344 sync_pipe_errmsg_to_parent(2, msg, "");
4346 fprintf(stderr, "%s", msg);
4353 /****************************************************************************************************************/
4354 /* indication report routines */
4358 report_packet_count(int packet_count)
4360 char tmp[SP_DECISIZE+1+1];
4361 static int count = 0;
4364 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4365 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4366 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4368 count += packet_count;
4369 fprintf(stderr, "\rPackets: %u ", count);
4370 /* stderr could be line buffered */
4376 report_new_capture_file(const char *filename)
4379 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4380 pipe_write_block(2, SP_FILE, filename);
4384 * Prevent a SIGINFO handler from writing to the standard error
4385 * while we're doing so; instead, have it just set a flag telling
4386 * us to print that information when we're done.
4389 #endif /* SIGINFO */
4390 fprintf(stderr, "File: %s\n", filename);
4391 /* stderr could be line buffered */
4396 * Allow SIGINFO handlers to write.
4401 * If a SIGINFO handler asked us to write out capture counts, do so.
4404 report_counts_for_siginfo();
4405 #endif /* SIGINFO */
4410 report_cfilter_error(const char *cfilter, const char *errmsg)
4412 if (capture_child) {
4413 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4414 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4417 "Invalid capture filter: \"%s\"!\n"
4419 "That string isn't a valid capture filter (%s).\n"
4420 "See the User's Guide for a description of the capture filter syntax.\n",
4426 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4429 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4430 "Primary Error: %s", error_msg);
4431 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4432 "Secondary Error: %s", secondary_error_msg);
4433 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4435 fprintf(stderr, "%s\n", error_msg);
4436 if (secondary_error_msg[0] != '\0')
4437 fprintf(stderr, "%s\n", secondary_error_msg);
4442 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4444 char tmp[SP_DECISIZE+1+1];
4446 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4449 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4450 "Packets received/dropped on interface %s: %u/%u",
4451 name, received, drops);
4452 /* XXX: Need to provide interface id, changes to consumers required. */
4453 pipe_write_block(2, SP_DROPS, tmp);
4456 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4457 name, received, drops,
4458 received ? 100.0 * received / (received + drops) : 0.0);
4459 /* stderr could be line buffered */
4465 /****************************************************************************************************************/
4466 /* signal_pipe handling */
4471 signal_pipe_check_running(void)
4473 /* any news from our parent? -> just stop the capture */
4477 /* if we are running standalone, no check required */
4478 if(!capture_child) {
4482 if(!sig_pipe_name || !sig_pipe_handle) {
4483 /* This shouldn't happen */
4484 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4485 "Signal pipe: No name or handle");
4490 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4491 * at this point. Should we check to see if the parent is still alive,
4492 * e.g. by using OpenProcess?
4495 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4497 if(!result || avail > 0) {
4498 /* peek failed or some bytes really available */
4499 /* (if not piping from stdin this would fail) */
4500 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4501 "Signal pipe: Stop capture: %s", sig_pipe_name);
4502 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4503 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4504 sig_pipe_handle, result, avail);
4507 /* pipe ok and no bytes available */
4514 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4519 * indent-tabs-mode: nil
4522 * vi: set shiftwidth=4 tabstop=8 expandtab
4523 * :indentSize=4:tabSize=8:noTabs=true: