5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
88 #include "capture-wpcap.h"
89 #include <wsutil/unicode-utils.h>
93 #include <sys/socket.h>
97 #ifdef NEED_INET_V6DEFS_H
98 # include "wsutil/inet_v6defs.h"
101 #include <wsutil/privileges.h>
103 #include "sync_pipe.h"
105 #include "capture_opts.h"
106 #include "capture_ifinfo.h"
107 #include "capture_sync.h"
109 #include "conditions.h"
110 #include "capture_stop_conditions.h"
112 #include "tempfile.h"
114 #include "wsutil/file_util.h"
117 * Get information about libpcap format from "wiretap/libpcap.h".
118 * XXX - can we just use pcap_open_offline() to read the pipe?
120 #include "wiretap/libpcap.h"
122 /**#define DEBUG_DUMPCAP**/
123 /**#define DEBUG_CHILD_DUMPCAP**/
125 #ifdef DEBUG_CHILD_DUMPCAP
126 FILE *debug_log; /* for logging debug messages to */
127 /* a file if DEBUG_CHILD_DUMPCAP */
135 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
137 static gchar *sig_pipe_name = NULL;
138 static HANDLE sig_pipe_handle = NULL;
139 static gboolean signal_pipe_check_running(void);
143 static GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
144 static GMutex *cap_pipe_read_mtx;
148 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
149 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
152 /** Stop a low-level capture (stops the capture child). */
153 static void capture_loop_stop(void);
155 #if !defined (__linux__)
156 #ifndef HAVE_PCAP_BREAKLOOP
158 * We don't have pcap_breakloop(), which is the only way to ensure that
159 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
160 * won't, if the call to read the next packet or batch of packets is
161 * is interrupted by a signal on UN*X, just go back and try again to
164 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
165 * the signal handler, set a flag to stop capturing; however, without
166 * a guarantee of that sort, we can't guarantee that we'll stop capturing
167 * if the read will be retried and won't time out if no packets arrive.
169 * Therefore, on at least some platforms, we work around the lack of
170 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
171 * to wait for packets to arrive, so that we're probably going to be
172 * blocked in the select() when the signal arrives, and can just bail
173 * out of the loop at that point.
175 * However, we don't want to that on BSD (because "select()" doesn't work
176 * correctly on BPF devices on at least some releases of some flavors of
177 * BSD), and we don't want to do it on Windows (because "select()" is
178 * something for sockets, not for arbitrary handles). (Note that "Windows"
179 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
180 * using WinPcap, not a UNIX libpcap.)
182 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
183 * on BSD times out even if no packets have arrived, so we'll eventually
184 * exit pcap_dispatch() with an indication that no packets have arrived,
185 * and will break out of the capture loop at that point.
187 * On Windows, we can't send a SIGINT to stop capturing, so none of this
188 * applies in any case.
190 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
191 * want to include it if it's not present on this platform, however.
193 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
194 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
196 # define MUST_DO_SELECT
197 # endif /* avoid select */
198 #endif /* HAVE_PCAP_BREAKLOOP */
200 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
201 * in pcap_dispatch(); on the other hand, select() works just fine there.
202 * Hence we use a select for that come what may.
204 #define MUST_DO_SELECT
207 /** init the capture filter */
210 INITFILTER_BAD_FILTER,
211 INITFILTER_OTHER_ERROR
212 } initfilter_status_t;
214 typedef struct _loop_data {
216 gboolean go; /* TRUE as long as we're supposed to keep capturing */
217 int err; /* if non-zero, error seen while capturing */
218 gint packet_count; /* Number of packets we have already captured */
219 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
220 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
222 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
225 /* pcap "input file" */
226 pcap_t *pcap_h; /* pcap handle */
227 gboolean pcap_err; /* TRUE if error from pcap */
228 #ifdef MUST_DO_SELECT
229 int pcap_fd; /* pcap file descriptor */
232 /* capture pipe (unix only "input file") */
233 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
234 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
235 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
237 HANDLE cap_pipe_h; /* The handle of the capture pipe */
239 int cap_pipe_fd; /* the file descriptor of the capture pipe */
241 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
242 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
244 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
245 #endif /* USE_THREADS */
246 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
247 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
249 STATE_EXPECT_REC_HDR,
254 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 guint32 autostop_files;
267 * Standard secondary message for unexpected errors.
269 static const char please_report[] =
270 "Please report this to the Wireshark developers.\n"
271 "(This is not a crash; please do not report it as such.)";
274 * This needs to be static, so that the SIGINT handler can clear the "go"
277 static loop_data global_ld;
281 * Timeout, in milliseconds, for reads from the stream of captured packets
282 * from a capture device.
284 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
285 * 64-bit applications, with sub-second timeouts not to work. The bug is
286 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
288 #if defined(__APPLE__) && defined(__LP64__)
289 static gboolean need_timeout_workaround;
291 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
293 #define CAP_READ_TIMEOUT 250
297 * Timeout, in microseconds, for reads from the stream of captured packets
298 * from a pipe. Pipes don't have the same problem that BPF devices do
299 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
300 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
301 * of the offending versions of Snow Leopard.
303 * On Windows this value is converted to milliseconds and passed to
304 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
305 * will return immediately.
308 #define PIPE_READ_TIMEOUT 250000
310 #define PIPE_READ_TIMEOUT 100000
312 static const char *cap_pipe_err_str;
315 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
316 const char *message, gpointer user_data _U_);
318 /* capture related options */
319 static capture_options global_capture_opts;
320 static gboolean quiet;
322 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
324 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
325 int err, gboolean is_close);
327 static void exit_main(int err) G_GNUC_NORETURN;
329 static void report_new_capture_file(const char *filename);
330 static void report_packet_count(int packet_count);
331 static void report_packet_drops(guint32 drops);
332 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
333 static void report_cfilter_error(const char *cfilter, const char *errmsg);
335 #define MSG_MAX_LENGTH 4096
338 print_usage(gboolean print_ver) {
346 "Dumpcap " VERSION "%s\n"
347 "Capture network packets and dump them into a libpcap file.\n"
348 "See http://www.wireshark.org for more information.\n",
349 wireshark_svnversion);
353 fprintf(output, "\nUsage: dumpcap [options] ...\n");
354 fprintf(output, "\n");
355 fprintf(output, "Capture interface:\n");
356 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
357 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
358 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
359 fprintf(output, " -p don't capture in promiscuous mode\n");
360 #ifdef HAVE_PCAP_CREATE
361 fprintf(output, " -I capture in monitor mode, if available\n");
363 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
364 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
366 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
367 fprintf(output, " -D print list of interfaces and exit\n");
368 fprintf(output, " -L print list of link-layer types of iface and exit\n");
369 #ifdef HAVE_BPF_IMAGE
370 fprintf(output, " -d print generated BPF code for capture filter\n");
372 fprintf(output, " -S print statistics for each interface once every second\n");
373 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
374 fprintf(output, "\n");
375 #ifdef HAVE_PCAP_REMOTE
376 fprintf(output, "\nRPCAP options:\n");
377 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
378 fprintf(output, " -u use UDP for RPCAP data transfer\n");
379 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
380 #ifdef HAVE_PCAP_SETSAMPLING
381 fprintf(output, " -m <sampling type> use packet sampling\n");
382 fprintf(output, " count:NUM - capture one packet of every NUM\n");
383 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
386 fprintf(output, "Stop conditions:\n");
387 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
388 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
389 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
390 fprintf(output, " files:NUM - stop after NUM files\n");
391 /*fprintf(output, "\n");*/
392 fprintf(output, "Output (files):\n");
393 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
394 fprintf(output, " -g enable group read access on the output file(s)\n");
395 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
396 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
397 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
398 fprintf(output, " -n use pcapng format instead of pcap\n");
399 /*fprintf(output, "\n");*/
400 fprintf(output, "Miscellaneous:\n");
401 fprintf(output, " -q don't report packet capture counts\n");
402 fprintf(output, " -v print version information and exit\n");
403 fprintf(output, " -h display this help and exit\n");
404 fprintf(output, "\n");
405 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
406 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
407 fprintf(output, "\n");
408 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
412 show_version(GString *comp_info_str, GString *runtime_info_str)
416 "Dumpcap " VERSION "%s\n"
421 "See http://www.wireshark.org for more information.\n",
422 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
426 * Print to the standard error. This is a command-line tool, so there's
427 * no need to pop up a console.
430 vfprintf_stderr(const char *fmt, va_list ap)
432 vfprintf(stderr, fmt, ap);
436 fprintf_stderr(const char *fmt, ...)
441 vfprintf_stderr(fmt, ap);
446 * Report an error in command-line arguments.
449 cmdarg_err(const char *fmt, ...)
455 /* Generate a 'special format' message back to parent */
457 msg = g_strdup_vprintf(fmt, ap);
458 sync_pipe_errmsg_to_parent(2, msg, "");
463 fprintf(stderr, "dumpcap: ");
464 vfprintf(stderr, fmt, ap);
465 fprintf(stderr, "\n");
471 * Report additional information for an error in command-line arguments.
474 cmdarg_err_cont(const char *fmt, ...)
481 msg = g_strdup_vprintf(fmt, ap);
482 sync_pipe_errmsg_to_parent(2, msg, "");
487 vfprintf(stderr, fmt, ap);
488 fprintf(stderr, "\n");
495 #if 0 /* Set to enable capability debugging */
496 /* see 'man cap_to_text()' for explanation of output */
497 /* '=' means 'all= ' ie: no capabilities */
498 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
500 print_caps(const char *pfx) {
501 cap_t caps = cap_get_proc();
502 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
503 "%s: EUID: %d Capabilities: %s", pfx,
504 geteuid(), cap_to_text(caps, NULL));
507 print_caps(const char *pfx _U_) {
512 relinquish_all_capabilities(void)
514 /* Drop any and all capabilities this process may have. */
515 /* Allowed whether or not process has any privileges. */
516 cap_t caps = cap_init(); /* all capabilities initialized to off */
517 print_caps("Pre-clear");
518 if (cap_set_proc(caps)) {
519 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
521 print_caps("Post-clear");
527 open_capture_device(capture_options *capture_opts,
528 char (*open_err_str)[PCAP_ERRBUF_SIZE])
531 #ifdef HAVE_PCAP_CREATE
534 #ifdef HAVE_PCAP_REMOTE
535 struct pcap_rmtauth auth;
538 /* Open the network interface to capture from it.
539 Some versions of libpcap may put warnings into the error buffer
540 if they succeed; to tell if that's happened, we have to clear
541 the error buffer, and check if it's still a null string. */
542 (*open_err_str)[0] = '\0';
543 #ifdef HAVE_PCAP_OPEN
545 * If we're opening a remote device, use pcap_open(); that's currently
546 * the only open routine that supports remote devices.
548 if (strncmp (capture_opts->iface, "rpcap://", 8) == 0) {
549 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
550 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
551 auth.username = capture_opts->auth_username;
552 auth.password = capture_opts->auth_password;
554 pcap_h = pcap_open(capture_opts->iface,
555 capture_opts->has_snaplen ? capture_opts->snaplen :
556 WTAP_MAX_PACKET_SIZE,
558 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
559 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
560 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
561 CAP_READ_TIMEOUT, &auth, *open_err_str);
563 #endif /* HAVE_PCAP_OPEN */
566 * If we're not opening a remote device, use pcap_create() and
567 * pcap_activate() if we have them, so that we can set the buffer
568 * size, otherwise use pcap_open_live().
570 #ifdef HAVE_PCAP_CREATE
571 pcap_h = pcap_create(capture_opts->iface, *open_err_str);
572 if (pcap_h != NULL) {
573 pcap_set_snaplen(pcap_h, capture_opts->has_snaplen ? capture_opts->snaplen : WTAP_MAX_PACKET_SIZE);
574 pcap_set_promisc(pcap_h, capture_opts->promisc_mode);
575 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
577 if (capture_opts->buffer_size > 1) {
578 pcap_set_buffer_size(pcap_h, capture_opts->buffer_size * 1024 * 1024);
580 if (capture_opts->monitor_mode)
581 pcap_set_rfmon(pcap_h, 1);
582 err = pcap_activate(pcap_h);
584 /* Failed to activate, set to NULL */
585 if (err == PCAP_ERROR)
586 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
588 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
594 pcap_h = pcap_open_live(capture_opts->iface,
595 capture_opts->has_snaplen ? capture_opts->snaplen :
596 WTAP_MAX_PACKET_SIZE,
597 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
602 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
603 /* to remove any suid privileges. */
604 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
605 /* (euid/egid have already previously been set to ruid/rgid. */
606 /* (See comment in main() for details) */
608 relinquish_special_privs_perm();
610 relinquish_all_capabilities();
617 get_capture_device_open_failure_messages(const char *open_err_str,
623 char *errmsg, size_t errmsg_len,
624 char *secondary_errmsg,
625 size_t secondary_errmsg_len)
627 const char *libpcap_warn;
628 static const char ppamsg[] = "can't find PPA for ";
630 /* If we got a "can't find PPA for X" message, warn the user (who
631 is running dumcap on HP-UX) that they don't have a version of
632 libpcap that properly handles HP-UX (libpcap 0.6.x and later
633 versions, which properly handle HP-UX, say "can't find /dev/dlpi
634 PPA for X" rather than "can't find PPA for X"). */
635 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
638 "You are running (T)Wireshark with a version of the libpcap library\n"
639 "that doesn't handle HP-UX network devices well; this means that\n"
640 "(T)Wireshark may not be able to capture packets.\n"
642 "To fix this, you should install libpcap 0.6.2, or a later version\n"
643 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
644 "packaged binary form from the Software Porting And Archive Centre\n"
645 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
646 "at the URL lists a number of mirror sites.";
649 g_snprintf(errmsg, (gulong) errmsg_len,
650 "The capture session could not be initiated (%s).", open_err_str);
652 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
653 "Please check to make sure you have sufficient permissions, and that you have "
654 "the proper interface or pipe specified.%s", libpcap_warn);
656 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
658 "Please check that \"%s\" is the proper interface.\n"
661 "Help can be found at:\n"
663 " http://wiki.wireshark.org/WinPcap\n"
664 " http://wiki.wireshark.org/CaptureSetup\n",
669 /* Set the data link type on a pcap. */
671 set_pcap_linktype(pcap_t *pcap_h, capture_options *capture_opts,
672 char *errmsg, size_t errmsg_len,
673 char *secondary_errmsg, size_t secondary_errmsg_len)
675 char *set_linktype_err_str;
677 if (capture_opts->linktype == -1)
678 return TRUE; /* just use the default */
679 #ifdef HAVE_PCAP_SET_DATALINK
680 if (pcap_set_datalink(pcap_h, capture_opts->linktype) == 0)
681 return TRUE; /* no error */
682 set_linktype_err_str = pcap_geterr(pcap_h);
684 /* Let them set it to the type it is; reject any other request. */
685 if (get_pcap_linktype(pcap_h, capture_opts->iface) == capture_opts->linktype)
686 return TRUE; /* no error */
687 set_linktype_err_str =
688 "That DLT isn't one of the DLTs supported by this device";
690 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
691 set_linktype_err_str);
693 * If the error isn't "XXX is not one of the DLTs supported by this device",
694 * tell the user to tell the Wireshark developers about it.
696 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
697 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
699 secondary_errmsg[0] = '\0';
704 compile_capture_filter(const char *iface, pcap_t *pcap_h,
705 struct bpf_program *fcode, char *cfilter)
707 bpf_u_int32 netnum, netmask;
708 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
710 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
712 * Well, we can't get the netmask for this interface; it's used
713 * only for filters that check for broadcast IP addresses, so
714 * we just punt and use 0. It might be nice to warn the user,
715 * but that's a pain in a GUI application, as it'd involve popping
716 * up a message box, and it's not clear how often this would make
717 * a difference (only filters that check for IP broadcast addresses
721 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
724 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
729 #ifdef HAVE_BPF_IMAGE
731 show_filter_code(capture_options *capture_opts)
734 gchar open_err_str[PCAP_ERRBUF_SIZE];
735 char errmsg[MSG_MAX_LENGTH+1];
736 char secondary_errmsg[MSG_MAX_LENGTH+1];
737 struct bpf_program fcode;
738 struct bpf_insn *insn;
741 pcap_h = open_capture_device(capture_opts, &open_err_str);
742 if (pcap_h == NULL) {
743 /* Open failed; get messages */
744 get_capture_device_open_failure_messages(open_err_str,
746 errmsg, sizeof errmsg,
748 sizeof secondary_errmsg);
749 /* And report them */
750 report_capture_error(errmsg, secondary_errmsg);
754 /* Set the link-layer type. */
755 if (!set_pcap_linktype(pcap_h, capture_opts, errmsg, sizeof errmsg,
756 secondary_errmsg, sizeof secondary_errmsg)) {
758 report_capture_error(errmsg, secondary_errmsg);
762 /* OK, try to compile the capture filter. */
763 if (!compile_capture_filter(capture_opts->iface, pcap_h, &fcode,
764 capture_opts->cfilter)) {
766 report_cfilter_error(capture_opts->cfilter, errmsg);
772 /* Let our parent know we succeeded. */
773 pipe_write_block(2, SP_SUCCESS, NULL);
776 /* Now print the filter code. */
777 insn = fcode.bf_insns;
779 for (i = 0; i < fcode.bf_len; insn++, i++)
780 printf("%s\n", bpf_image(insn, i));
786 * capture_interface_list() is expected to do the right thing to get
787 * a list of interfaces.
789 * In most of the programs in the Wireshark suite, "the right thing"
790 * is to run dumpcap and ask it for the list, because dumpcap may
791 * be the only program in the suite with enough privileges to get
794 * In dumpcap itself, however, we obviously can't run dumpcap to
795 * ask for the list. Therefore, our capture_interface_list() should
796 * just call get_interface_list().
799 capture_interface_list(int *err, char **err_str)
801 return get_interface_list(err, err_str);
805 * Get the data-link type for a libpcap device.
806 * This works around AIX 5.x's non-standard and incompatible-with-the-
807 * rest-of-the-universe libpcap.
810 get_pcap_linktype(pcap_t *pch, const char *devname
818 const char *ifacename;
821 linktype = pcap_datalink(pch);
825 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
826 * rather than DLT_ values for link-layer types; the ifType values
827 * for LAN devices are:
834 * and the ifType value for a loopback device is 24.
836 * The AIX names for LAN devices begin with:
843 * and the AIX names for loopback devices begin with "lo".
845 * (The difference between "Ethernet" and "802.3" is presumably
846 * whether packets have an Ethernet header, with a packet type,
847 * or an 802.3 header, with a packet length, followed by an 802.2
848 * header and possibly a SNAP header.)
850 * If the device name matches "linktype" interpreted as an ifType
851 * value, rather than as a DLT_ value, we will assume this is AIX's
852 * non-standard, incompatible libpcap, rather than a standard libpcap,
853 * and will map the link-layer type to the standard DLT_ value for
854 * that link-layer type, as that's what the rest of Wireshark expects.
856 * (This means the capture files won't be readable by a tcpdump
857 * linked with AIX's non-standard libpcap, but so it goes. They
858 * *will* be readable by standard versions of tcpdump, Wireshark,
861 * XXX - if we conclude we're using AIX libpcap, should we also
862 * set a flag to cause us to assume the time stamps are in
863 * seconds-and-nanoseconds form, and to convert them to
864 * seconds-and-microseconds form before processing them and
869 * Find the last component of the device name, which is the
872 ifacename = strchr(devname, '/');
873 if (ifacename == NULL)
876 /* See if it matches any of the LAN device names. */
877 if (strncmp(ifacename, "en", 2) == 0) {
880 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
884 } else if (strncmp(ifacename, "et", 2) == 0) {
887 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
888 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
893 } else if (strncmp(ifacename, "tr", 2) == 0) {
896 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
897 * DLT_IEEE802, which is what's used for Token Ring.
901 } else if (strncmp(ifacename, "fi", 2) == 0) {
902 if (linktype == 15) {
904 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
908 } else if (strncmp(ifacename, "lo", 2) == 0) {
909 if (linktype == 24) {
911 * That's the RFC 1573 value for "software loopback" devices; map it
912 * to DLT_NULL, which is what's used for loopback devices on BSD.
922 static data_link_info_t *
923 create_data_link_info(int dlt)
925 data_link_info_t *data_link_info;
928 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
929 data_link_info->dlt = dlt;
930 text = pcap_datalink_val_to_name(dlt);
932 data_link_info->name = g_strdup(text);
934 data_link_info->name = g_strdup_printf("DLT %d", dlt);
935 text = pcap_datalink_val_to_description(dlt);
937 data_link_info->description = g_strdup(text);
939 data_link_info->description = NULL;
940 return data_link_info;
944 * Get the capabilities of a network device.
946 static if_capabilities_t *
947 get_if_capabilities(const char *devname, gboolean monitor_mode
948 #ifndef HAVE_PCAP_CREATE
953 if_capabilities_t *caps;
954 char errbuf[PCAP_ERRBUF_SIZE];
956 #ifdef HAVE_PCAP_CREATE
960 #ifdef HAVE_PCAP_LIST_DATALINKS
964 data_link_info_t *data_link_info;
967 * Allocate the interface capabilities structure.
969 caps = g_malloc(sizeof *caps);
971 #ifdef HAVE_PCAP_OPEN
972 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
973 caps->can_set_rfmon = FALSE;
976 *err_str = g_strdup(errbuf);
980 #elif defined(HAVE_PCAP_CREATE)
981 pch = pcap_create(devname, errbuf);
984 *err_str = g_strdup(errbuf);
988 status = pcap_can_set_rfmon(pch);
991 if (status == PCAP_ERROR)
992 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
995 *err_str = g_strdup(pcap_statustostr(status));
1001 caps->can_set_rfmon = FALSE;
1002 else if (status == 1) {
1003 caps->can_set_rfmon = TRUE;
1005 pcap_set_rfmon(pch, 1);
1007 if (err_str != NULL) {
1008 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1016 status = pcap_activate(pch);
1018 /* Error. We ignore warnings (status > 0). */
1019 if (err_str != NULL) {
1020 if (status == PCAP_ERROR)
1021 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1024 *err_str = g_strdup(pcap_statustostr(status));
1031 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1032 caps->can_set_rfmon = FALSE;
1034 if (err_str != NULL)
1035 *err_str = g_strdup(errbuf);
1040 deflt = get_pcap_linktype(pch, devname);
1041 #ifdef HAVE_PCAP_LIST_DATALINKS
1042 nlt = pcap_list_datalinks(pch, &linktypes);
1043 if (nlt == 0 || linktypes == NULL) {
1045 if (err_str != NULL)
1046 *err_str = NULL; /* an empty list doesn't mean an error */
1049 caps->data_link_types = NULL;
1050 for (i = 0; i < nlt; i++) {
1051 data_link_info = create_data_link_info(linktypes[i]);
1054 * XXX - for 802.11, make the most detailed 802.11
1055 * version the default, rather than the one the
1056 * device has as the default?
1058 if (linktypes[i] == deflt)
1059 caps->data_link_types = g_list_prepend(caps->data_link_types,
1062 caps->data_link_types = g_list_append(caps->data_link_types,
1065 #ifdef HAVE_PCAP_FREE_DATALINKS
1066 pcap_free_datalinks(linktypes);
1069 * In Windows, there's no guarantee that if you have a library
1070 * built with one version of the MSVC++ run-time library, and
1071 * it returns a pointer to allocated data, you can free that
1072 * data from a program linked with another version of the
1073 * MSVC++ run-time library.
1075 * This is not an issue on UN*X.
1077 * See the mail threads starting at
1079 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1083 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1086 #define xx_free free /* hack so checkAPIs doesn't complain */
1089 #endif /* HAVE_PCAP_FREE_DATALINKS */
1090 #else /* HAVE_PCAP_LIST_DATALINKS */
1092 data_link_info = create_data_link_info(deflt);
1093 caps->data_link_types = g_list_append(caps->data_link_types,
1095 #endif /* HAVE_PCAP_LIST_DATALINKS */
1099 if (err_str != NULL)
1104 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1106 print_machine_readable_interfaces(GList *if_list)
1113 char addr_str[ADDRSTRLEN];
1115 if (capture_child) {
1116 /* Let our parent know we succeeded. */
1117 pipe_write_block(2, SP_SUCCESS, NULL);
1120 i = 1; /* Interface id number */
1121 for (if_entry = g_list_first(if_list); if_entry != NULL;
1122 if_entry = g_list_next(if_entry)) {
1123 if_info = (if_info_t *)if_entry->data;
1124 printf("%d. %s", i++, if_info->name);
1127 * Print the contents of the if_entry struct in a parseable format.
1128 * Each if_entry element is tab-separated. Addresses are comma-
1131 /* XXX - Make sure our description doesn't contain a tab */
1132 if (if_info->description != NULL)
1133 printf("\t%s\t", if_info->description);
1137 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1138 addr = g_slist_next(addr)) {
1139 if (addr != g_slist_nth(if_info->addrs, 0))
1142 if_addr = (if_addr_t *)addr->data;
1143 switch(if_addr->ifat_type) {
1145 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1147 printf("%s", addr_str);
1149 printf("<unknown IPv4>");
1153 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1154 addr_str, ADDRSTRLEN)) {
1155 printf("%s", addr_str);
1157 printf("<unknown IPv6>");
1161 printf("<type unknown %u>", if_addr->ifat_type);
1165 if (if_info->loopback)
1166 printf("\tloopback");
1168 printf("\tnetwork");
1175 * If you change the machine-readable output format of this function,
1176 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1179 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1182 data_link_info_t *data_link_info;
1183 const gchar *desc_str;
1185 if (capture_child) {
1186 /* Let our parent know we succeeded. */
1187 pipe_write_block(2, SP_SUCCESS, NULL);
1190 if (caps->can_set_rfmon)
1194 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1195 lt_entry = g_list_next(lt_entry)) {
1196 data_link_info = (data_link_info_t *)lt_entry->data;
1197 if (data_link_info->description != NULL)
1198 desc_str = data_link_info->description;
1200 desc_str = "(not supported)";
1201 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1211 /* Print the number of packets captured for each interface until we're killed. */
1213 print_statistics_loop(gboolean machine_readable)
1215 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1221 char errbuf[PCAP_ERRBUF_SIZE];
1222 struct pcap_stat ps;
1224 if_list = get_interface_list(&err, &err_str);
1225 if (if_list == NULL) {
1227 case CANT_GET_INTERFACE_LIST:
1228 cmdarg_err("%s", err_str);
1232 case NO_INTERFACES_FOUND:
1233 cmdarg_err("There are no interfaces on which a capture can be done");
1239 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1240 if_info = (if_info_t *)if_entry->data;
1241 #ifdef HAVE_PCAP_OPEN
1242 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1244 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1248 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1249 if_stat->name = g_strdup(if_info->name);
1251 stat_list = g_list_append(stat_list, if_stat);
1256 cmdarg_err("There are no interfaces on which a capture can be done");
1260 if (capture_child) {
1261 /* Let our parent know we succeeded. */
1262 pipe_write_block(2, SP_SUCCESS, NULL);
1265 if (!machine_readable) {
1266 printf("%-15s %10s %10s\n", "Interface", "Received",
1270 global_ld.go = TRUE;
1271 while (global_ld.go) {
1272 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1273 if_stat = (if_stat_t *)stat_entry->data;
1274 pcap_stats(if_stat->pch, &ps);
1276 if (!machine_readable) {
1277 printf("%-15s %10u %10u\n", if_stat->name,
1278 ps.ps_recv, ps.ps_drop);
1280 printf("%s\t%u\t%u\n", if_stat->name,
1281 ps.ps_recv, ps.ps_drop);
1286 if (! global_ld.from_cap_pipe)
1293 /* XXX - Not reached. Should we look for 'q' in stdin? */
1294 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1295 if_stat = (if_stat_t *)stat_entry->data;
1296 pcap_close(if_stat->pch);
1297 g_free(if_stat->name);
1300 g_list_free(stat_list);
1301 free_interface_list(if_list);
1309 capture_cleanup_handler(DWORD dwCtrlType)
1311 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1312 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1313 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1314 like SIGTERM at least when the machine's shutting down.
1316 For now, if we're running as a command rather than a capture child,
1317 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1318 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1319 in that way on UN*X.
1321 If we're not running as a capture child, we might be running as
1322 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1323 user logs out. (XXX - can we explicitly check whether we're
1324 running as a service?) */
1326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1327 "Console: Control signal");
1328 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1329 "Console: Control signal, CtrlType: %u", dwCtrlType);
1331 /* Keep capture running if we're a service and a user logs off */
1332 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1333 capture_loop_stop();
1341 capture_cleanup_handler(int signum _U_)
1343 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1344 SIGTERM. We assume that if the user wanted it to keep running
1345 after they logged out, they'd have nohupped it. */
1347 /* Note: don't call g_log() in the signal handler: if we happened to be in
1348 * g_log() in process context when the signal came in, g_log will detect
1349 * the "recursion" and abort.
1352 capture_loop_stop();
1361 /* Don't print this if we're a capture child. */
1362 if (!capture_child) {
1364 /* Report the count only if we aren't printing a packet count
1365 as packets arrive. */
1366 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
1367 plurality(global_ld.packet_count, "", "s"));
1370 infoprint = FALSE; /* we just reported it */
1374 report_counts_siginfo(int signum _U_)
1376 int sav_errno = errno;
1378 /* If we've been told to delay printing, just set a flag asking
1379 that we print counts (if we're supposed to), otherwise print
1380 the count of packets captured (if we're supposed to). */
1387 #endif /* SIGINFO */
1389 static void exit_main(int status)
1392 /* Shutdown windows sockets */
1395 /* can be helpful for debugging */
1396 #ifdef DEBUG_DUMPCAP
1397 printf("Press any key\n");
1408 * If we were linked with libcap (not libpcap), make sure we have
1409 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1410 * (See comment in main() for details)
1413 relinquish_privs_except_capture(void)
1415 /* If 'started_with_special_privs' (ie: suid) then enable for
1416 * ourself the NET_ADMIN and NET_RAW capabilities and then
1417 * drop our suid privileges.
1419 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1420 * stuff we don't need (and shouldn't have).
1421 * CAP_NET_RAW: Packet capture (raw sockets).
1424 if (started_with_special_privs()) {
1425 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1426 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1428 cap_t caps = cap_init(); /* all capabilities initialized to off */
1430 print_caps("Pre drop, pre set");
1432 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1433 cmdarg_err("prctl() fail return: %s", strerror(errno));
1436 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1437 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1439 if (cap_set_proc(caps)) {
1440 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1442 print_caps("Pre drop, post set");
1444 relinquish_special_privs_perm();
1446 print_caps("Post drop, pre set");
1447 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1448 if (cap_set_proc(caps)) {
1449 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1451 print_caps("Post drop, post set");
1457 #endif /* HAVE_LIBCAP */
1459 /* Take care of byte order in the libpcap headers read from pipes.
1460 * (function taken from wiretap/libpcap.c) */
1462 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1465 /* Byte-swap the record header fields. */
1466 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1467 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1468 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1469 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1472 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1473 swapped, in order to match the BPF header layout.
1475 Unfortunately, some files were, according to a comment in the "libpcap"
1476 source, written with version 2.3 in their headers but without the
1477 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1478 would make no sense - we assume that we need to swap them. */
1479 if (hdr->version_major == 2 &&
1480 (hdr->version_minor < 3 ||
1481 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1484 temp = rechdr->orig_len;
1485 rechdr->orig_len = rechdr->incl_len;
1486 rechdr->incl_len = temp;
1492 * Thread function that reads from a pipe and pushes the data
1493 * to the main application thread.
1496 * XXX Right now we use async queues for basic signaling. The main thread
1497 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1498 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1499 * Iff the read is successful cap_pipe_read pushes an item onto
1500 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1501 * the queues themselves (yet).
1503 * We might want to move some of the cap_pipe_dispatch logic here so that
1504 * we can let cap_pipe_read run independently, queuing up multiple reads
1505 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1507 static void *cap_pipe_read(void *ld_ptr) {
1508 loop_data *ld = (loop_data *)ld_ptr;
1517 while (ld->cap_pipe_err == PIPOK) {
1518 g_async_queue_pop(cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1519 g_mutex_lock(cap_pipe_read_mtx);
1521 while (bytes_read < (int) ld->cap_pipe_bytes_to_read) {
1523 /* If we try to use read() on a named pipe on Windows with partial
1524 * data it appears to return EOF.
1526 res = ReadFile(ld->cap_pipe_h, ld->cap_pipe_buf+bytes_read,
1527 ld->cap_pipe_bytes_to_read - bytes_read,
1532 last_err = GetLastError();
1533 if (last_err == ERROR_MORE_DATA) {
1535 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1536 ld->cap_pipe_err = PIPEOF;
1540 ld->cap_pipe_err = PIPERR;
1543 } else if (b == 0 && ld->cap_pipe_bytes_to_read > 0) {
1544 ld->cap_pipe_err = PIPEOF;
1549 b = read(ld->cap_pipe_fd, ld->cap_pipe_buf+bytes_read,
1550 ld->cap_pipe_bytes_to_read - bytes_read);
1553 ld->cap_pipe_err = PIPEOF;
1557 ld->cap_pipe_err = PIPERR;
1566 ld->cap_pipe_bytes_read = bytes_read;
1567 if (ld->cap_pipe_bytes_read >= ld->cap_pipe_bytes_to_read) {
1568 g_async_queue_push(cap_pipe_done_q, ld->cap_pipe_buf); /* Any non-NULL value will do */
1570 g_mutex_unlock(cap_pipe_read_mtx);
1574 #endif /* USE_THREADS */
1576 /* Provide select() functionality for a single file descriptor
1577 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1579 * Returns the same values as select. If an error is returned,
1580 * the string cap_pipe_err_str should be used instead of errno.
1583 cap_pipe_select(int pipe_fd) {
1585 struct timeval timeout;
1588 cap_pipe_err_str = "Unknown error";
1591 FD_SET(pipe_fd, &rfds);
1593 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1594 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1596 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1598 cap_pipe_err_str = strerror(errno);
1603 /* Mimic pcap_open_live() for pipe captures
1605 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1606 * open it, and read the header.
1608 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1609 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1611 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1612 char *errmsg, int errmsgl)
1615 struct stat pipe_stat;
1616 struct sockaddr_un sa;
1619 unsigned int bytes_read;
1630 ld->cap_pipe_fd = -1;
1632 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
1634 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1637 * XXX - this blocks until a pcap per-file header has been written to
1638 * the pipe, so it could block indefinitely.
1640 if (strcmp(pipename, "-") == 0) {
1642 fd = 0; /* read from stdin */
1644 ld->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1648 if (ws_stat(pipename, &pipe_stat) < 0) {
1649 if (errno == ENOENT || errno == ENOTDIR)
1650 ld->cap_pipe_err = PIPNEXIST;
1652 g_snprintf(errmsg, errmsgl,
1653 "The capture session could not be initiated "
1654 "due to error getting information on pipe/socket: %s", strerror(errno));
1655 ld->cap_pipe_err = PIPERR;
1659 if (S_ISFIFO(pipe_stat.st_mode)) {
1660 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1662 g_snprintf(errmsg, errmsgl,
1663 "The capture session could not be initiated "
1664 "due to error on pipe open: %s", strerror(errno));
1665 ld->cap_pipe_err = PIPERR;
1668 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1669 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1671 g_snprintf(errmsg, errmsgl,
1672 "The capture session could not be initiated "
1673 "due to error on socket create: %s", strerror(errno));
1674 ld->cap_pipe_err = PIPERR;
1677 sa.sun_family = AF_UNIX;
1679 * The Single UNIX Specification says:
1681 * The size of sun_path has intentionally been left undefined.
1682 * This is because different implementations use different sizes.
1683 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1684 * of 104. Since most implementations originate from BSD versions,
1685 * the size is typically in the range 92 to 108.
1687 * Applications should not assume a particular length for sun_path
1688 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1692 * The <sys/un.h> header shall define the sockaddr_un structure,
1693 * which shall include at least the following members:
1695 * sa_family_t sun_family Address family.
1696 * char sun_path[] Socket pathname.
1698 * so we assume that it's an array, with a specified size,
1699 * and that the size reflects the maximum path length.
1701 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1702 /* Path name too long */
1703 g_snprintf(errmsg, errmsgl,
1704 "The capture session coud not be initiated "
1705 "due to error on socket connect: Path name too long");
1706 ld->cap_pipe_err = PIPERR;
1709 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1711 g_snprintf(errmsg, errmsgl,
1712 "The capture session coud not be initiated "
1713 "due to error on socket connect: %s", strerror(errno));
1714 ld->cap_pipe_err = PIPERR;
1718 if (S_ISCHR(pipe_stat.st_mode)) {
1720 * Assume the user specified an interface on a system where
1721 * interfaces are in /dev. Pretend we haven't seen it.
1723 ld->cap_pipe_err = PIPNEXIST;
1726 g_snprintf(errmsg, errmsgl,
1727 "The capture session could not be initiated because\n"
1728 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1729 ld->cap_pipe_err = PIPERR;
1734 #define PIPE_STR "\\pipe\\"
1735 /* Under Windows, named pipes _must_ have the form
1736 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1738 pncopy = g_strdup(pipename);
1739 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1740 pos = strchr(pncopy + 3, '\\');
1741 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1748 g_snprintf(errmsg, errmsgl,
1749 "The capture session could not be initiated because\n"
1750 "\"%s\" is neither an interface nor a pipe", pipename);
1751 ld->cap_pipe_err = PIPNEXIST;
1755 /* Wait for the pipe to appear */
1757 ld->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1758 OPEN_EXISTING, 0, NULL);
1760 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE)
1763 if (GetLastError() != ERROR_PIPE_BUSY) {
1764 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1765 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1766 g_snprintf(errmsg, errmsgl,
1767 "The capture session on \"%s\" could not be started "
1768 "due to error on pipe open: %s (error %d)",
1769 pipename, utf_16to8(err_str), GetLastError());
1771 ld->cap_pipe_err = PIPERR;
1775 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1776 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1777 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1778 g_snprintf(errmsg, errmsgl,
1779 "The capture session on \"%s\" timed out during "
1780 "pipe open: %s (error %d)",
1781 pipename, utf_16to8(err_str), GetLastError());
1783 ld->cap_pipe_err = PIPERR;
1790 ld->from_cap_pipe = TRUE;
1793 /* read the pcap header */
1795 while (bytes_read < sizeof magic) {
1796 sel_ret = cap_pipe_select(fd);
1798 g_snprintf(errmsg, errmsgl,
1799 "Unexpected error from select: %s", strerror(errno));
1801 } else if (sel_ret > 0) {
1802 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1805 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1807 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1814 #else /* USE_THREADS */
1815 g_thread_create(&cap_pipe_read, ld, FALSE, NULL);
1817 ld->cap_pipe_buf = (char *) &magic;
1818 ld->cap_pipe_bytes_read = 0;
1819 ld->cap_pipe_bytes_to_read = sizeof(magic);
1820 /* We don't have to worry about cap_pipe_read_mtx here */
1821 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1822 g_async_queue_pop(cap_pipe_done_q);
1823 if (ld->cap_pipe_bytes_read <= 0) {
1824 if (ld->cap_pipe_bytes_read == 0)
1825 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1827 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1832 #endif /* USE_THREADS */
1836 /* Host that wrote it has our byte order, and was running
1837 a program using either standard or ss990417 libpcap. */
1838 ld->cap_pipe_byte_swapped = FALSE;
1839 ld->cap_pipe_modified = FALSE;
1841 case PCAP_MODIFIED_MAGIC:
1842 /* Host that wrote it has our byte order, but was running
1843 a program using either ss990915 or ss991029 libpcap. */
1844 ld->cap_pipe_byte_swapped = FALSE;
1845 ld->cap_pipe_modified = TRUE;
1847 case PCAP_SWAPPED_MAGIC:
1848 /* Host that wrote it has a byte order opposite to ours,
1849 and was running a program using either standard or
1850 ss990417 libpcap. */
1851 ld->cap_pipe_byte_swapped = TRUE;
1852 ld->cap_pipe_modified = FALSE;
1854 case PCAP_SWAPPED_MODIFIED_MAGIC:
1855 /* Host that wrote it out has a byte order opposite to
1856 ours, and was running a program using either ss990915
1857 or ss991029 libpcap. */
1858 ld->cap_pipe_byte_swapped = TRUE;
1859 ld->cap_pipe_modified = TRUE;
1862 /* Not a "libpcap" type we know about. */
1863 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1868 /* Read the rest of the header */
1870 while (bytes_read < sizeof(struct pcap_hdr)) {
1871 sel_ret = cap_pipe_select(fd);
1873 g_snprintf(errmsg, errmsgl,
1874 "Unexpected error from select: %s", strerror(errno));
1876 } else if (sel_ret > 0) {
1877 b = read(fd, ((char *)hdr)+bytes_read,
1878 sizeof(struct pcap_hdr) - bytes_read);
1881 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1883 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1890 #else /* USE_THREADS */
1891 ld->cap_pipe_buf = (char *) hdr;
1892 ld->cap_pipe_bytes_read = 0;
1893 ld->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1894 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1895 g_async_queue_pop(cap_pipe_done_q);
1896 if (ld->cap_pipe_bytes_read <= 0) {
1897 if (ld->cap_pipe_bytes_read == 0)
1898 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1900 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1904 #endif /* USE_THREADS */
1906 if (ld->cap_pipe_byte_swapped) {
1907 /* Byte-swap the header fields about which we care. */
1908 hdr->version_major = BSWAP16(hdr->version_major);
1909 hdr->version_minor = BSWAP16(hdr->version_minor);
1910 hdr->snaplen = BSWAP32(hdr->snaplen);
1911 hdr->network = BSWAP32(hdr->network);
1913 ld->linktype = hdr->network;
1915 if (hdr->version_major < 2) {
1916 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1920 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1921 ld->cap_pipe_err = PIPOK;
1923 ld->cap_pipe_fd = fd;
1928 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1929 ld->cap_pipe_err = PIPERR;
1932 ld->cap_pipe_fd = -1;
1939 /* We read one record from the pipe, take care of byte order in the record
1940 * header, write the record to the capture file, and update capture statistics. */
1942 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1944 struct pcap_pkthdr phdr;
1945 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1957 #ifdef LOG_CAPTURE_VERBOSE
1958 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1961 switch (ld->cap_pipe_state) {
1963 case STATE_EXPECT_REC_HDR:
1965 if (g_mutex_trylock(cap_pipe_read_mtx)) {
1968 ld->cap_pipe_state = STATE_READ_REC_HDR;
1969 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1970 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1971 ld->cap_pipe_bytes_read = 0;
1974 ld->cap_pipe_buf = (char *) &ld->cap_pipe_rechdr;
1975 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1976 g_mutex_unlock(cap_pipe_read_mtx);
1981 case STATE_READ_REC_HDR:
1983 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1984 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1987 result = PD_PIPE_EOF;
1989 result = PD_PIPE_ERR;
1992 ld->cap_pipe_bytes_read += b;
1993 #else /* USE_THREADS */
1994 g_get_current_time(&wait_time);
1995 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
1996 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
1997 if (ld->cap_pipe_err == PIPEOF) {
1998 result = PD_PIPE_EOF;
2000 } else if (ld->cap_pipe_err == PIPERR) {
2001 result = PD_PIPE_ERR;
2007 #endif /* USE_THREADS */
2008 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2010 result = PD_REC_HDR_READ;
2013 case STATE_EXPECT_DATA:
2015 if (g_mutex_trylock(cap_pipe_read_mtx)) {
2018 ld->cap_pipe_state = STATE_READ_DATA;
2019 ld->cap_pipe_bytes_to_read = ld->cap_pipe_rechdr.hdr.incl_len;
2020 ld->cap_pipe_bytes_read = 0;
2023 ld->cap_pipe_buf = (char *) data;
2024 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
2025 g_mutex_unlock(cap_pipe_read_mtx);
2030 case STATE_READ_DATA:
2032 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
2033 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
2036 result = PD_PIPE_EOF;
2038 result = PD_PIPE_ERR;
2041 ld->cap_pipe_bytes_read += b;
2042 #else /* USE_THREADS */
2043 g_get_current_time(&wait_time);
2044 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2045 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2046 if (ld->cap_pipe_err == PIPEOF) {
2047 result = PD_PIPE_EOF;
2049 } else if (ld->cap_pipe_err == PIPERR) {
2050 result = PD_PIPE_ERR;
2056 #endif /* USE_THREADS */
2057 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2059 result = PD_DATA_READ;
2063 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2066 } /* switch (ld->cap_pipe_state) */
2069 * We've now read as much data as we were expecting, so process it.
2073 case PD_REC_HDR_READ:
2074 /* We've read the header. Take care of byte order. */
2075 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
2076 &ld->cap_pipe_rechdr.hdr);
2077 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2078 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2079 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
2082 ld->cap_pipe_state = STATE_EXPECT_DATA;
2086 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2087 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
2088 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
2089 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
2090 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
2092 capture_loop_packet_cb((u_char *)ld, &phdr, data);
2094 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
2098 ld->cap_pipe_err = PIPEOF;
2103 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2104 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2105 g_snprintf(errmsg, errmsgl,
2106 "Error reading from pipe: %s (error %d)",
2107 utf_16to8(err_str), GetLastError());
2110 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2118 ld->cap_pipe_err = PIPERR;
2119 /* Return here rather than inside the switch to prevent GCC warning */
2124 /** Open the capture input file (pcap or capture pipe).
2125 * Returns TRUE if it succeeds, FALSE otherwise. */
2127 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2128 char *errmsg, size_t errmsg_len,
2129 char *secondary_errmsg, size_t secondary_errmsg_len)
2131 gchar open_err_str[PCAP_ERRBUF_SIZE];
2132 gchar *sync_msg_str;
2135 gchar *sync_secondary_msg_str;
2136 WORD wVersionRequested;
2140 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
2143 /* XXX - opening Winsock on tshark? */
2145 /* Initialize Windows Socket if we are in a WIN32 OS
2146 This needs to be done before querying the interface for network/netmask */
2148 /* XXX - do we really require 1.1 or earlier?
2149 Are there any versions that support only 2.0 or higher? */
2150 wVersionRequested = MAKEWORD(1, 1);
2151 err = WSAStartup(wVersionRequested, &wsaData);
2155 case WSASYSNOTREADY:
2156 g_snprintf(errmsg, (gulong) errmsg_len,
2157 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2160 case WSAVERNOTSUPPORTED:
2161 g_snprintf(errmsg, (gulong) errmsg_len,
2162 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2163 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2166 case WSAEINPROGRESS:
2167 g_snprintf(errmsg, (gulong) errmsg_len,
2168 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2172 g_snprintf(errmsg, (gulong) errmsg_len,
2173 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2177 g_snprintf(errmsg, (gulong) errmsg_len,
2178 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2182 g_snprintf(errmsg, (gulong) errmsg_len,
2183 "Couldn't initialize Windows Sockets: error %d", err);
2186 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2191 ld->pcap_h = open_capture_device(capture_opts, &open_err_str);
2193 if (ld->pcap_h != NULL) {
2194 /* we've opened "iface" as a network device */
2196 /* try to set the capture buffer size */
2197 if (capture_opts->buffer_size > 1 &&
2198 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
2199 sync_secondary_msg_str = g_strdup_printf(
2200 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2201 "the default of 1MB will be used.\n"
2203 "Nonetheless, the capture is started.\n",
2204 capture_opts->buffer_size);
2205 report_capture_error("Couldn't set the capture buffer size!",
2206 sync_secondary_msg_str);
2207 g_free(sync_secondary_msg_str);
2211 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
2212 if ((capture_opts->sampling_method != CAPTURE_SAMP_NONE) &&
2213 (strncmp (capture_opts->iface, "rpcap://", 8) == 0))
2215 struct pcap_samp *samp;
2217 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
2219 switch (capture_opts->sampling_method)
2221 case CAPTURE_SAMP_BY_COUNT:
2222 samp->method = PCAP_SAMP_1_EVERY_N;
2225 case CAPTURE_SAMP_BY_TIMER:
2226 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2230 sync_msg_str = g_strdup_printf(
2231 "Unknown sampling method %d specified,\n"
2232 "continue without packet sampling",
2233 capture_opts->sampling_method);
2234 report_capture_error("Couldn't set the capture "
2235 "sampling", sync_msg_str);
2236 g_free(sync_msg_str);
2238 samp->value = capture_opts->sampling_param;
2242 report_capture_error("Couldn't set the capture sampling",
2243 "Cannot get packet sampling data structure");
2249 /* setting the data link type only works on real interfaces */
2250 if (!set_pcap_linktype(ld->pcap_h, capture_opts, errmsg, errmsg_len,
2251 secondary_errmsg, secondary_errmsg_len))
2253 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
2255 /* We couldn't open "iface" as a network device. */
2256 /* Try to open it as a pipe */
2257 cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
2260 if (ld->cap_pipe_fd == -1) {
2262 if (ld->cap_pipe_h == INVALID_HANDLE_VALUE) {
2265 if (ld->cap_pipe_err == PIPNEXIST) {
2266 /* Pipe doesn't exist, so output message for interface */
2267 get_capture_device_open_failure_messages(open_err_str,
2268 capture_opts->iface,
2272 secondary_errmsg_len);
2275 * Else pipe (or file) does exist and cap_pipe_open_live() has
2280 /* cap_pipe_open_live() succeeded; don't want
2281 error message from pcap_open_live() */
2282 open_err_str[0] = '\0';
2285 /* XXX - will this work for tshark? */
2286 #ifdef MUST_DO_SELECT
2287 if (!ld->from_cap_pipe) {
2288 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2289 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
2291 ld->pcap_fd = pcap_fileno(ld->pcap_h);
2296 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2297 returned a warning; print it, but keep capturing. */
2298 if (open_err_str[0] != '\0') {
2299 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2300 report_capture_error(sync_msg_str, "");
2301 g_free(sync_msg_str);
2307 /* close the capture input file (pcap or capture pipe) */
2308 static void capture_loop_close_input(loop_data *ld) {
2310 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2312 /* if open, close the capture pipe "input file" */
2314 if (ld->cap_pipe_fd >= 0) {
2315 g_assert(ld->from_cap_pipe);
2316 ws_close(ld->cap_pipe_fd);
2317 ld->cap_pipe_fd = 0;
2320 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE) {
2321 CloseHandle(ld->cap_pipe_h);
2322 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
2326 /* if open, close the pcap "input file" */
2327 if(ld->pcap_h != NULL) {
2328 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)ld->pcap_h);
2329 g_assert(!ld->from_cap_pipe);
2330 pcap_close(ld->pcap_h);
2337 /* Shut down windows sockets */
2343 /* init the capture filter */
2344 static initfilter_status_t
2345 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2346 gchar * iface, gchar * cfilter)
2348 struct bpf_program fcode;
2350 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2352 /* capture filters only work on real interfaces */
2353 if (cfilter && !from_cap_pipe) {
2354 /* A capture filter was specified; set it up. */
2355 if (!compile_capture_filter(iface, pcap_h, &fcode, cfilter)) {
2356 /* Treat this specially - our caller might try to compile this
2357 as a display filter and, if that succeeds, warn the user that
2358 the display and capture filter syntaxes are different. */
2359 return INITFILTER_BAD_FILTER;
2361 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2362 #ifdef HAVE_PCAP_FREECODE
2363 pcap_freecode(&fcode);
2365 return INITFILTER_OTHER_ERROR;
2367 #ifdef HAVE_PCAP_FREECODE
2368 pcap_freecode(&fcode);
2372 return INITFILTER_NO_ERROR;
2376 /* set up to write to the already-opened capture output file/files */
2378 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
2382 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2385 if (ld->from_cap_pipe) {
2386 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
2389 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
2392 /* Set up to write to the capture file. */
2393 if (capture_opts->multi_files_on) {
2394 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2396 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2399 gboolean successful;
2401 ld->bytes_written = 0;
2402 if (capture_opts->use_pcapng) {
2405 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2406 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err) &&
2407 libpcap_write_interface_description_block(ld->pdh, capture_opts->iface, capture_opts->cfilter, ld->linktype, ld->file_snaplen, &ld->bytes_written, &err);
2409 successful = libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
2410 &ld->bytes_written, &err);
2418 if (ld->pdh == NULL) {
2419 /* We couldn't set up to write to the capture file. */
2420 /* XXX - use cf_open_error_message from tshark instead? */
2423 case WTAP_ERR_CANT_OPEN:
2424 g_snprintf(errmsg, errmsg_len, "The file to which the capture would be saved"
2425 " couldn't be created for some unknown reason.");
2428 case WTAP_ERR_SHORT_WRITE:
2429 g_snprintf(errmsg, errmsg_len, "A full header couldn't be written to the file"
2430 " to which the capture would be saved.");
2435 g_snprintf(errmsg, errmsg_len,
2436 "The file to which the capture would be"
2437 " saved (\"%s\") could not be opened: Error %d.",
2438 capture_opts->save_file, err);
2440 g_snprintf(errmsg, errmsg_len,
2441 "The file to which the capture would be"
2442 " saved (\"%s\") could not be opened: %s.",
2443 capture_opts->save_file, strerror(err));
2455 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
2457 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2459 if (capture_opts->multi_files_on) {
2460 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2462 if (capture_opts->use_pcapng) {
2463 libpcap_write_interface_statistics_block(ld->pdh, 0, ld->pcap_h, &ld->bytes_written, err_close);
2465 return libpcap_dump_close(ld->pdh, err_close);
2469 /* dispatch incoming packets (pcap or capture pipe)
2471 * Waits for incoming packets to be available, and calls pcap_dispatch()
2472 * to cause them to be processed.
2474 * Returns the number of packets which were processed.
2476 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2477 * packet-batching behaviour does not cause packets to get held back
2481 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
2482 char *errmsg, int errmsg_len)
2485 gint packet_count_before;
2486 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2491 packet_count_before = ld->packet_count;
2492 if (ld->from_cap_pipe) {
2493 /* dispatch from capture pipe */
2494 #ifdef LOG_CAPTURE_VERBOSE
2495 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2498 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
2501 if (sel_ret < 0 && errno != EINTR) {
2502 g_snprintf(errmsg, errmsg_len,
2503 "Unexpected error from select: %s", strerror(errno));
2504 report_capture_error(errmsg, please_report);
2509 * "select()" says we can read from the pipe without blocking
2511 #endif /* USE_THREADS */
2512 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
2522 /* dispatch from pcap */
2523 #ifdef MUST_DO_SELECT
2525 * If we have "pcap_get_selectable_fd()", we use it to get the
2526 * descriptor on which to select; if that's -1, it means there
2527 * is no descriptor on which you can do a "select()" (perhaps
2528 * because you're capturing on a special device, and that device's
2529 * driver unfortunately doesn't support "select()", in which case
2530 * we don't do the select - which means it might not be possible
2531 * to stop a capture until a packet arrives. If that's unacceptable,
2532 * plead with whoever supplies the software for that device to add
2533 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2534 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2535 * later, so it can use pcap_breakloop().
2537 #ifdef LOG_CAPTURE_VERBOSE
2538 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2540 if (ld->pcap_fd != -1) {
2541 sel_ret = cap_pipe_select(ld->pcap_fd);
2544 * "select()" says we can read from it without blocking; go for
2547 * We don't have pcap_breakloop(), so we only process one packet
2548 * per pcap_dispatch() call, to allow a signal to stop the
2549 * processing immediately, rather than processing all packets
2550 * in a batch before quitting.
2552 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
2556 /* Error, rather than pcap_breakloop(). */
2557 ld->pcap_err = TRUE;
2559 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2562 if (sel_ret < 0 && errno != EINTR) {
2563 g_snprintf(errmsg, errmsg_len,
2564 "Unexpected error from select: %s", strerror(errno));
2565 report_capture_error(errmsg, please_report);
2571 #endif /* MUST_DO_SELECT */
2573 /* dispatch from pcap without select */
2575 #ifdef LOG_CAPTURE_VERBOSE
2576 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2580 * On Windows, we don't support asynchronously telling a process to
2581 * stop capturing; instead, we check for an indication on a pipe
2582 * after processing packets. We therefore process only one packet
2583 * at a time, so that we can check the pipe after every packet.
2585 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
2587 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
2591 /* Error, rather than pcap_breakloop(). */
2592 ld->pcap_err = TRUE;
2594 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2596 #else /* pcap_next_ex */
2597 #ifdef LOG_CAPTURE_VERBOSE
2598 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2600 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2603 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2604 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2605 * This should be fixed in the WinPcap 4.0 alpha release.
2607 * For reference, an example remote interface:
2608 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2611 /* emulate dispatch from pcap */
2614 struct pcap_pkthdr *pkt_header;
2619 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
2620 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
2623 ld->pcap_err = TRUE;
2627 #endif /* pcap_next_ex */
2631 #ifdef LOG_CAPTURE_VERBOSE
2632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2635 return ld->packet_count - packet_count_before;
2639 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2640 * want to grab only the characters between the '{' and '}' delimiters.
2642 * Returns a GString that must be freed with g_string_free(). */
2643 static GString *isolate_uuid(const char *iface)
2648 ptr = strchr(iface, '{');
2650 return g_string_new(iface);
2651 gstr = g_string_new(ptr + 1);
2653 ptr = strchr(gstr->str, '}');
2657 gstr = g_string_truncate(gstr, ptr - gstr->str);
2662 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2663 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2665 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2666 char *errmsg, int errmsg_len) {
2669 gchar *capfile_name;
2671 gboolean is_tempfile;
2676 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2677 (capture_opts->save_file) ? capture_opts->save_file : "");
2679 if (capture_opts->save_file != NULL) {
2680 /* We return to the caller while the capture is in progress.
2681 * Therefore we need to take a copy of save_file in
2682 * case the caller destroys it after we return.
2684 capfile_name = g_strdup(capture_opts->save_file);
2686 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2687 if (capture_opts->multi_files_on) {
2688 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2689 g_snprintf(errmsg, errmsg_len,
2690 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2691 g_free(capfile_name);
2694 if (strcmp(capfile_name, "-") == 0) {
2695 /* write to stdout */
2698 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2699 _setmode(1, O_BINARY);
2702 } /* if (...output_to_pipe ... */
2705 if (capture_opts->multi_files_on) {
2706 /* ringbuffer is enabled */
2707 *save_file_fd = ringbuf_init(capfile_name,
2708 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2709 capture_opts->group_read_access);
2711 /* we need the ringbuf name */
2712 if(*save_file_fd != -1) {
2713 g_free(capfile_name);
2714 capfile_name = g_strdup(ringbuf_current_filename());
2717 /* Try to open/create the specified file for use as a capture buffer. */
2718 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2719 (capture_opts->group_read_access) ? 0640 : 0600);
2722 is_tempfile = FALSE;
2724 /* Choose a random name for the temporary capture buffer */
2728 iface = isolate_uuid(capture_opts->iface);
2729 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2730 g_string_free(iface, TRUE);
2732 prefix = g_strconcat("wireshark_", g_basename(capture_opts->iface), NULL);
2734 *save_file_fd = create_tempfile(&tmpname, prefix);
2736 capfile_name = g_strdup(tmpname);
2740 /* did we fail to open the output file? */
2741 if (*save_file_fd == -1) {
2743 g_snprintf(errmsg, errmsg_len,
2744 "The temporary file to which the capture would be saved (\"%s\") "
2745 "could not be opened: %s.", capfile_name, strerror(errno));
2747 if (capture_opts->multi_files_on) {
2748 ringbuf_error_cleanup();
2751 g_snprintf(errmsg, errmsg_len,
2752 "The file to which the capture would be saved (\"%s\") "
2753 "could not be opened: %s.", capfile_name,
2756 g_free(capfile_name);
2760 if(capture_opts->save_file != NULL) {
2761 g_free(capture_opts->save_file);
2763 capture_opts->save_file = capfile_name;
2764 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2765 "g_free(capfile_name)". */
2767 ret = fchown(*save_file_fd, capture_opts->owner, capture_opts->group);
2775 #define TIME_GET() GetTickCount()
2777 #define TIME_GET() time(NULL)
2780 /* Do the work of handling either the file size or file duration capture
2781 conditions being reached, and switching files or stopping. */
2783 do_file_switch_or_stop(capture_options *capture_opts,
2784 condition *cnd_autostop_files,
2785 condition *cnd_autostop_size,
2786 condition *cnd_file_duration)
2788 if (capture_opts->multi_files_on) {
2789 if (cnd_autostop_files != NULL &&
2790 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2791 /* no files left: stop here */
2792 global_ld.go = FALSE;
2796 /* Switch to the next ringbuffer file */
2797 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2798 &global_ld.save_file_fd, &global_ld.err)) {
2799 gboolean successful;
2804 /* File switch succeeded: reset the conditions */
2805 global_ld.bytes_written = 0;
2806 if (capture_opts->use_pcapng) {
2809 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2810 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &global_ld.bytes_written, &global_ld.err) &&
2811 libpcap_write_interface_description_block(global_ld.pdh, capture_opts->iface, capture_opts->cfilter, global_ld.linktype, global_ld.file_snaplen, &global_ld.bytes_written, &global_ld.err);
2813 successful = libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2814 &global_ld.bytes_written, &global_ld.err);
2817 fclose(global_ld.pdh);
2818 global_ld.pdh = NULL;
2819 global_ld.go = FALSE;
2822 if(cnd_autostop_size)
2823 cnd_reset(cnd_autostop_size);
2824 if(cnd_file_duration)
2825 cnd_reset(cnd_file_duration);
2826 libpcap_dump_flush(global_ld.pdh, NULL);
2828 report_packet_count(global_ld.inpkts_to_sync_pipe);
2829 global_ld.inpkts_to_sync_pipe = 0;
2830 report_new_capture_file(capture_opts->save_file);
2833 ret = fchown(global_ld.save_file_fd, capture_opts->owner, capture_opts->group);
2836 /* File switch failed: stop here */
2837 global_ld.go = FALSE;
2841 /* single file, stop now */
2842 global_ld.go = FALSE;
2848 /* Do the low-level work of a capture.
2849 Returns TRUE if it succeeds, FALSE otherwise. */
2851 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
2853 time_t upd_time, cur_time;
2857 condition *cnd_file_duration = NULL;
2858 condition *cnd_autostop_files = NULL;
2859 condition *cnd_autostop_size = NULL;
2860 condition *cnd_autostop_duration = NULL;
2863 gboolean cfilter_error = FALSE;
2864 char errmsg[MSG_MAX_LENGTH+1];
2865 char secondary_errmsg[MSG_MAX_LENGTH+1];
2868 *secondary_errmsg = '\0';
2870 /* init the loop data */
2871 global_ld.go = TRUE;
2872 global_ld.packet_count = 0;
2874 global_ld.report_packet_count = FALSE;
2876 if (capture_opts->has_autostop_packets)
2877 global_ld.packet_max = capture_opts->autostop_packets;
2879 global_ld.packet_max = 0; /* no limit */
2880 global_ld.inpkts_to_sync_pipe = 0;
2881 global_ld.err = 0; /* no error seen yet */
2882 global_ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
2883 global_ld.pcap_err = FALSE;
2884 global_ld.from_cap_pipe = FALSE;
2885 global_ld.pdh = NULL;
2887 global_ld.cap_pipe_fd = -1;
2889 global_ld.cap_pipe_h = INVALID_HANDLE_VALUE;
2891 #ifdef MUST_DO_SELECT
2892 global_ld.pcap_fd = 0;
2894 global_ld.autostop_files = 0;
2895 global_ld.save_file_fd = -1;
2897 /* We haven't yet gotten the capture statistics. */
2898 *stats_known = FALSE;
2900 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
2901 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
2903 /* open the "input file" from network interface or capture pipe */
2904 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
2905 secondary_errmsg, sizeof(secondary_errmsg))) {
2909 /* init the input filter from the network interface (capture pipe will do nothing) */
2910 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
2911 capture_opts->iface,
2912 capture_opts->cfilter)) {
2914 case INITFILTER_NO_ERROR:
2917 case INITFILTER_BAD_FILTER:
2918 cfilter_error = TRUE;
2919 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
2922 case INITFILTER_OTHER_ERROR:
2923 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
2924 pcap_geterr(global_ld.pcap_h));
2925 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
2929 /* If we're supposed to write to a capture file, open it for output
2930 (temporary/specified name/ringbuffer) */
2931 if (capture_opts->saving_to_file) {
2932 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
2933 errmsg, sizeof(errmsg))) {
2937 /* set up to write to the already-opened capture output file/files */
2938 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
2943 /* XXX - capture SIGTERM and close the capture, in case we're on a
2944 Linux 2.0[.x] system and you have to explicitly close the capture
2945 stream in order to turn promiscuous mode off? We need to do that
2946 in other places as well - and I don't think that works all the
2947 time in any case, due to libpcap bugs. */
2949 /* Well, we should be able to start capturing.
2951 Sync out the capture file, so the header makes it to the file system,
2952 and send a "capture started successfully and capture file created"
2953 message to our parent so that they'll open the capture file and
2954 update its windows to indicate that we have a live capture in
2956 libpcap_dump_flush(global_ld.pdh, NULL);
2957 report_new_capture_file(capture_opts->save_file);
2960 /* initialize capture stop (and alike) conditions */
2961 init_capture_stop_conditions();
2962 /* create stop conditions */
2963 if (capture_opts->has_autostop_filesize)
2965 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
2966 if (capture_opts->has_autostop_duration)
2967 cnd_autostop_duration =
2968 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
2970 if (capture_opts->multi_files_on) {
2971 if (capture_opts->has_file_duration)
2973 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
2975 if (capture_opts->has_autostop_files)
2976 cnd_autostop_files =
2977 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
2980 /* init the time values */
2981 start_time = TIME_GET();
2982 upd_time = TIME_GET();
2984 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
2986 /* WOW, everything is prepared! */
2987 /* please fasten your seat belts, we will enter now the actual capture loop */
2988 while (global_ld.go) {
2989 /* dispatch incoming packets */
2990 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
2994 /* Were we asked to print packet counts by the SIGINFO handler? */
2995 if (global_ld.report_packet_count) {
2996 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
2997 plurality(global_ld.packet_count, "", "s"));
2998 global_ld.report_packet_count = FALSE;
3003 /* any news from our parent (signal pipe)? -> just stop the capture */
3004 if (!signal_pipe_check_running()) {
3005 global_ld.go = FALSE;
3010 global_ld.inpkts_to_sync_pipe += inpkts;
3012 /* check capture size condition */
3013 if (cnd_autostop_size != NULL &&
3014 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3015 /* Capture size limit reached, do we have another file? */
3016 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3017 cnd_autostop_size, cnd_file_duration))
3019 } /* cnd_autostop_size */
3020 if (capture_opts->output_to_pipe) {
3021 libpcap_dump_flush(global_ld.pdh, NULL);
3025 /* Only update once a second (Win32: 500ms) so as not to overload slow
3026 * displays. This also prevents too much context-switching between the
3027 * dumpcap and wireshark processes */
3028 cur_time = TIME_GET();
3030 if ( (cur_time - upd_time) > 500) {
3032 if (cur_time - upd_time > 0) {
3034 upd_time = cur_time;
3036 /*if (pcap_stats(pch, stats) >= 0) {
3037 *stats_known = TRUE;
3040 /* Let the parent process know. */
3041 if (global_ld.inpkts_to_sync_pipe) {
3043 libpcap_dump_flush(global_ld.pdh, NULL);
3045 /* Send our parent a message saying we've written out
3046 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3048 report_packet_count(global_ld.inpkts_to_sync_pipe);
3050 global_ld.inpkts_to_sync_pipe = 0;
3053 /* check capture duration condition */
3054 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3055 /* The maximum capture time has elapsed; stop the capture. */
3056 global_ld.go = FALSE;
3060 /* check capture file duration condition */
3061 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3062 /* duration limit reached, do we have another file? */
3063 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3064 cnd_autostop_size, cnd_file_duration))
3066 } /* cnd_file_duration */
3069 } /* while (global_ld.go) */
3071 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3073 /* delete stop conditions */
3074 if (cnd_file_duration != NULL)
3075 cnd_delete(cnd_file_duration);
3076 if (cnd_autostop_files != NULL)
3077 cnd_delete(cnd_autostop_files);
3078 if (cnd_autostop_size != NULL)
3079 cnd_delete(cnd_autostop_size);
3080 if (cnd_autostop_duration != NULL)
3081 cnd_delete(cnd_autostop_duration);
3083 /* did we had a pcap (input) error? */
3084 if (global_ld.pcap_err) {
3085 /* On Linux, if an interface goes down while you're capturing on it,
3086 you'll get a "recvfrom: Network is down" error (ENETDOWN).
3087 (At least you will if strerror() doesn't show a local translation
3090 On FreeBSD and OS X, if a network adapter disappears while
3091 you're capturing on it, you'll get a "read: Device not configured"
3092 error (ENXIO). (See previous parenthetical note.)
3094 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3096 These should *not* be reported to the Wireshark developers. */
3099 cap_err_str = pcap_geterr(global_ld.pcap_h);
3100 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3101 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3102 strcmp(cap_err_str, "read: I/O error") == 0 ||
3103 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3104 report_capture_error("The network adapter on which the capture was being done "
3105 "is no longer running; the capture has stopped.",
3108 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3110 report_capture_error(errmsg, please_report);
3113 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
3114 report_capture_error(errmsg, "");
3116 /* did we had an error while capturing? */
3117 if (global_ld.err == 0) {
3120 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3121 global_ld.err, FALSE);
3122 report_capture_error(errmsg, please_report);
3126 if (capture_opts->saving_to_file) {
3127 /* close the wiretap (output) file */
3128 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3132 /* there might be packets not yet notified to the parent */
3133 /* (do this after closing the file, so all packets are already flushed) */
3134 if(global_ld.inpkts_to_sync_pipe) {
3136 report_packet_count(global_ld.inpkts_to_sync_pipe);
3137 global_ld.inpkts_to_sync_pipe = 0;
3140 /* If we've displayed a message about a write error, there's no point
3141 in displaying another message about an error on close. */
3142 if (!close_ok && write_ok) {
3143 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3145 report_capture_error(errmsg, "");
3149 * XXX We exhibit different behaviour between normal mode and sync mode
3150 * when the pipe is stdin and not already at EOF. If we're a child, the
3151 * parent's stdin isn't closed, so if the user starts another capture,
3152 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3153 * will say "Unrecognized libpcap format". On the other hand, in normal
3154 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3157 /* get packet drop statistics from pcap */
3158 if(global_ld.pcap_h != NULL) {
3159 g_assert(!global_ld.from_cap_pipe);
3160 /* Get the capture statistics, so we know how many packets were
3162 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
3163 *stats_known = TRUE;
3164 /* Let the parent process know. */
3165 report_packet_drops(stats->ps_drop);
3167 g_snprintf(errmsg, sizeof(errmsg),
3168 "Can't get packet-drop statistics: %s",
3169 pcap_geterr(global_ld.pcap_h));
3170 report_capture_error(errmsg, please_report);
3174 /* close the input file (pcap or capture pipe) */
3175 capture_loop_close_input(&global_ld);
3177 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3179 /* ok, if the write and the close were successful. */
3180 return write_ok && close_ok;
3183 if (capture_opts->multi_files_on) {
3184 /* cleanup ringbuffer */
3185 ringbuf_error_cleanup();
3187 /* We can't use the save file, and we have no FILE * for the stream
3188 to close in order to close it, so close the FD directly. */
3189 if(global_ld.save_file_fd != -1) {
3190 ws_close(global_ld.save_file_fd);
3193 /* We couldn't even start the capture, so get rid of the capture
3195 if(capture_opts->save_file != NULL) {
3196 ws_unlink(capture_opts->save_file);
3197 g_free(capture_opts->save_file);
3200 capture_opts->save_file = NULL;
3202 report_cfilter_error(capture_opts->cfilter, errmsg);
3204 report_capture_error(errmsg, secondary_errmsg);
3206 /* close the input file (pcap or cap_pipe) */
3207 capture_loop_close_input(&global_ld);
3209 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3215 static void capture_loop_stop(void)
3217 #ifdef HAVE_PCAP_BREAKLOOP
3218 if(global_ld.pcap_h != NULL)
3219 pcap_breakloop(global_ld.pcap_h);
3221 global_ld.go = FALSE;
3226 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3227 int err, gboolean is_close)
3232 g_snprintf(errmsg, errmsglen,
3233 "Not all the packets could be written to the file"
3234 " to which the capture was being saved\n"
3235 "(\"%s\") because there is no space left on the file system\n"
3236 "on which that file resides.",
3242 g_snprintf(errmsg, errmsglen,
3243 "Not all the packets could be written to the file"
3244 " to which the capture was being saved\n"
3245 "(\"%s\") because you are too close to, or over,"
3246 " your disk quota\n"
3247 "on the file system on which that file resides.",
3252 case WTAP_ERR_CANT_CLOSE:
3253 g_snprintf(errmsg, errmsglen,
3254 "The file to which the capture was being saved"
3255 " couldn't be closed for some unknown reason.");
3258 case WTAP_ERR_SHORT_WRITE:
3259 g_snprintf(errmsg, errmsglen,
3260 "Not all the packets could be written to the file"
3261 " to which the capture was being saved\n"
3268 g_snprintf(errmsg, errmsglen,
3269 "The file to which the capture was being saved\n"
3270 "(\"%s\") could not be closed: %s.",
3271 fname, wtap_strerror(err));
3273 g_snprintf(errmsg, errmsglen,
3274 "An error occurred while writing to the file"
3275 " to which the capture was being saved\n"
3277 fname, wtap_strerror(err));
3284 /* one packet was captured, process it */
3286 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3289 loop_data *ld = (loop_data *) (void *) user;
3292 /* We may be called multiple times from pcap_dispatch(); if we've set
3293 the "stop capturing" flag, ignore this packet, as we're not
3294 supposed to be saving any more packets. */
3299 gboolean successful;
3300 /* We're supposed to write the packet to a file; do so.
3301 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3302 "ld->err" to the error. */
3303 if (global_capture_opts.use_pcapng) {
3304 successful = libpcap_write_enhanced_packet_block(ld->pdh, phdr, 0, pd, &ld->bytes_written, &err);
3306 successful = libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err);
3313 /* if the user told us to stop after x packets, do we already have enough? */
3314 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
3323 /* And now our feature presentation... [ fade to music ] */
3325 main(int argc, char *argv[])
3328 gboolean arg_error = FALSE;
3333 struct sigaction action, oldaction;
3336 gboolean start_capture = TRUE;
3337 gboolean stats_known;
3338 struct pcap_stat stats;
3339 GLogLevelFlags log_flags;
3340 gboolean list_interfaces = FALSE;
3341 gboolean list_link_layer_types = FALSE;
3342 #ifdef HAVE_BPF_IMAGE
3343 gboolean print_bpf_code = FALSE;
3345 gboolean machine_readable = FALSE;
3346 gboolean print_statistics = FALSE;
3347 int status, run_once_args = 0;
3349 #if defined(__APPLE__) && defined(__LP64__)
3350 struct utsname osinfo;
3355 * Initialize our DLL search path. MUST be called before LoadLibrary
3358 ws_init_dll_search_path();
3361 #ifdef HAVE_PCAP_REMOTE
3362 #define OPTSTRING_A "A:"
3363 #define OPTSTRING_r "r"
3364 #define OPTSTRING_u "u"
3366 #define OPTSTRING_A ""
3367 #define OPTSTRING_r ""
3368 #define OPTSTRING_u ""
3371 #ifdef HAVE_PCAP_SETSAMPLING
3372 #define OPTSTRING_m "m:"
3374 #define OPTSTRING_m ""
3377 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3378 #define OPTSTRING_B "B:"
3380 #define OPTSTRING_B ""
3381 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3383 #ifdef HAVE_PCAP_CREATE
3384 #define OPTSTRING_I "I"
3386 #define OPTSTRING_I ""
3389 #ifdef HAVE_BPF_IMAGE
3390 #define OPTSTRING_d "d"
3392 #define OPTSTRING_d ""
3395 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:" OPTSTRING_u "vw:y:Z:"
3397 #ifdef DEBUG_CHILD_DUMPCAP
3398 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3399 fprintf (stderr, "Unable to open debug log file !\n");
3404 #if defined(__APPLE__) && defined(__LP64__)
3406 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3407 * a bug workaround - timeouts less than 1 second don't work with libpcap
3408 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3409 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3410 * The problem is extremely unlikely to be reintroduced in a future
3413 if (uname(&osinfo) == 0) {
3415 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3416 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3417 * number of 10.0.0, not 10.1.0 - go figure).
3419 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3420 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3421 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3422 need_timeout_workaround = TRUE;
3427 * Determine if dumpcap is being requested to run in a special
3428 * capture_child mode by going thru the command line args to see if
3429 * a -Z is present. (-Z is a hidden option).
3431 * The primary result of running in capture_child mode is that
3432 * all messages sent out on stderr are in a special type/len/string
3433 * format to allow message processing by type. These messages include
3434 * error messages if dumpcap fails to start the operation it was
3435 * requested to do, as well as various "status" messages which are sent
3436 * when an actual capture is in progress, and a "success" message sent
3437 * if dumpcap was requested to perform an operation other than a
3440 * Capture_child mode would normally be requested by a parent process
3441 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3442 * to which dumpcap stderr has been redirected. It might also have
3443 * another pipe to obtain dumpcap stdout output; for operations other
3444 * than a capture, that information is formatted specially for easier
3445 * parsing by the parent process.
3447 * Capture_child mode needs to be determined immediately upon
3448 * startup so that any messages generated by dumpcap in this mode
3449 * (eg: during initialization) will be formatted properly.
3452 for (i=1; i<argc; i++) {
3453 if (strcmp("-Z", argv[i]) == 0) {
3454 capture_child = TRUE;
3455 machine_readable = TRUE; /* request machine-readable output */
3457 /* set output pipe to binary mode, to avoid ugly text conversions */
3458 _setmode(2, O_BINARY);
3463 /* The default_log_handler will use stdout, which makes trouble in */
3464 /* capture child mode, as it uses stdout for it's sync_pipe. */
3465 /* So: the filtering is done in the console_log_handler and not here.*/
3466 /* We set the log handlers right up front to make sure that any log */
3467 /* messages when running as child will be sent back to the parent */
3468 /* with the correct format. */
3472 G_LOG_LEVEL_CRITICAL|
3473 G_LOG_LEVEL_WARNING|
3474 G_LOG_LEVEL_MESSAGE|
3477 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3479 g_log_set_handler(NULL,
3481 console_log_handler, NULL /* user_data */);
3482 g_log_set_handler(LOG_DOMAIN_MAIN,
3484 console_log_handler, NULL /* user_data */);
3485 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3487 console_log_handler, NULL /* user_data */);
3488 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3490 console_log_handler, NULL /* user_data */);
3493 /* Load wpcap if possible. Do this before collecting the run-time version information */
3496 /* ... and also load the packet.dll from wpcap */
3497 /* XXX - currently not required, may change later. */
3498 /*wpcap_packet_load();*/
3500 /* Start windows sockets */
3501 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3503 /* Set handler for Ctrl+C key */
3504 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3506 /* Prepare to read from a pipe */
3507 if (!g_thread_supported ())
3508 g_thread_init (NULL);
3509 cap_pipe_pending_q = g_async_queue_new();
3510 cap_pipe_done_q = g_async_queue_new();
3511 cap_pipe_read_mtx = g_mutex_new();
3514 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3516 action.sa_handler = capture_cleanup_handler;
3518 * Arrange that system calls not get restarted, because when
3519 * our signal handler returns we don't want to restart
3520 * a call that was waiting for packets to arrive.
3522 action.sa_flags = 0;
3523 sigemptyset(&action.sa_mask);
3524 sigaction(SIGTERM, &action, NULL);
3525 sigaction(SIGINT, &action, NULL);
3526 sigaction(SIGPIPE, &action, NULL);
3527 sigaction(SIGHUP, NULL, &oldaction);
3528 if (oldaction.sa_handler == SIG_DFL)
3529 sigaction(SIGHUP, &action, NULL);
3532 /* Catch SIGINFO and, if we get it and we're capturing in
3533 quiet mode, report the number of packets we've captured. */
3534 action.sa_handler = report_counts_siginfo;
3535 action.sa_flags = SA_RESTART;
3536 sigemptyset(&action.sa_mask);
3537 sigaction(SIGINFO, &action, NULL);
3538 #endif /* SIGINFO */
3541 /* ----------------------------------------------------------------- */
3542 /* Privilege and capability handling */
3544 /* 1. Running not as root or suid root; no special capabilities. */
3547 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3550 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3552 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3553 /* capabilities; Drop all other capabilities; */
3554 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3555 /* else: after pcap_open_live() in capture_loop_open_input() */
3556 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3557 /* (Note: this means that the process, although logged in */
3558 /* as root, does not have various permissions such as the */
3559 /* ability to bypass file access permissions). */
3560 /* XXX: Should we just leave capabilities alone in this case */
3561 /* so that user gets expected effect that root can do */
3564 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3566 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3567 /* else: after pcap_open_live() in capture_loop_open_input() */
3568 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3569 /* pcap_open_live). */
3571 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3573 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3574 /* capabilities; Drop all other capabilities; */
3575 /* Drop suid privileges (euid=ruid); */
3576 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3577 /* else: after pcap_open_live() in capture_loop_open_input() */
3578 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3580 /* XXX: For some Linux versions/distros with capabilities */
3581 /* a 'normal' process with any capabilities cannot be */
3582 /* 'killed' (signaled) from another (same uid) non-privileged */
3584 /* For example: If (non-suid) Wireshark forks a */
3585 /* child suid dumpcap which acts as described here (case 5), */
3586 /* Wireshark will be unable to kill (signal) the child */
3587 /* dumpcap process until the capabilities have been dropped */
3588 /* (after pcap_open_live()). */
3589 /* This behaviour will apparently be changed in the kernel */
3590 /* to allow the kill (signal) in this case. */
3591 /* See the following for details: */
3592 /* http://www.mail-archive.com/ [wrapped] */
3593 /* linux-security-module@vger.kernel.org/msg02913.html */
3595 /* It is therefore conceivable that if dumpcap somehow hangs */
3596 /* in pcap_open_live or before that wireshark will not */
3597 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3598 /* In this case, exiting wireshark will kill the child */
3599 /* dumpcap process. */
3601 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3602 /* capabilities; Using libcap. Note: capset cmd (which see) */
3603 /* used to assign capabilities to file. */
3605 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3606 /* else: after pcap_open_live() in capture_loop_open_input() */
3607 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3609 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3610 /* longer required (similar to capture). */
3612 /* ----------------------------------------------------------------- */
3614 init_process_policies();
3617 /* If 'started with special privileges' (and using libcap) */
3618 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3619 /* Set euid/egid = ruid/rgid to remove suid privileges */
3620 relinquish_privs_except_capture();
3623 /* Set the initial values in the capture options. This might be overwritten
3624 by the command line parameters. */
3625 capture_opts_init(&global_capture_opts, NULL);
3627 /* Default to capturing the entire packet. */
3628 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3630 /* We always save to a file - if no file was specified, we save to a
3632 global_capture_opts.saving_to_file = TRUE;
3633 global_capture_opts.has_ring_num_files = TRUE;
3635 /* Now get our args */
3636 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3638 case 'h': /* Print help and exit */
3642 case 'v': /* Show version and exit */
3644 GString *comp_info_str;
3645 GString *runtime_info_str;
3646 /* Assemble the compile-time version information string */
3647 comp_info_str = g_string_new("Compiled ");
3648 get_compiled_version_info(comp_info_str, NULL, NULL);
3650 /* Assemble the run-time version information string */
3651 runtime_info_str = g_string_new("Running ");
3652 get_runtime_version_info(runtime_info_str, NULL);
3653 show_version(comp_info_str, runtime_info_str);
3654 g_string_free(comp_info_str, TRUE);
3655 g_string_free(runtime_info_str, TRUE);
3659 /*** capture option specific ***/
3660 case 'a': /* autostop criteria */
3661 case 'b': /* Ringbuffer option */
3662 case 'c': /* Capture x packets */
3663 case 'f': /* capture filter */
3664 case 'i': /* Use interface x */
3665 case 'n': /* Use pcapng format */
3666 case 'p': /* Don't capture in promiscuous mode */
3667 case 's': /* Set the snapshot (capture) length */
3668 case 'w': /* Write to capture file x */
3669 case 'g': /* enable group read accesson file(s) */
3670 case 'y': /* Set the pcap data link type */
3671 #ifdef HAVE_PCAP_REMOTE
3672 case 'u': /* Use UDP for data transfer */
3673 case 'r': /* Capture own RPCAP traffic too */
3674 case 'A': /* Authentication */
3676 #ifdef HAVE_PCAP_SETSAMPLING
3677 case 'm': /* Sampling */
3679 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3680 case 'B': /* Buffer size */
3681 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3682 #ifdef HAVE_PCAP_CREATE
3683 case 'I': /* Monitor mode */
3685 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
3690 /*** hidden option: Wireshark child mode (using binary output messages) ***/
3692 capture_child = TRUE;
3694 /* set output pipe to binary mode, to avoid ugly text conversions */
3695 _setmode(2, O_BINARY);
3697 * optarg = the control ID, aka the PPID, currently used for the
3700 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
3701 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
3702 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
3703 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
3705 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
3706 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3707 "Signal pipe: Unable to open %s. Dead parent?",
3715 case 'q': /* Quiet */
3719 /*** all non capture option specific ***/
3720 case 'D': /* Print a list of capture devices and exit */
3721 list_interfaces = TRUE;
3724 case 'L': /* Print list of link-layer types and exit */
3725 list_link_layer_types = TRUE;
3728 #ifdef HAVE_BPF_IMAGE
3729 case 'd': /* Print BPF code for capture filter and exit */
3730 print_bpf_code = TRUE;
3734 case 'S': /* Print interface statistics once a second */
3735 print_statistics = TRUE;
3738 case 'M': /* For -D, -L, and -S, print machine-readable output */
3739 machine_readable = TRUE;
3742 case '?': /* Bad flag - print usage message */
3743 cmdarg_err("Invalid Option: %s", argv[optind-1]);
3751 /* user specified file name as regular command-line argument */
3752 /* XXX - use it as the capture file name (or something else)? */
3759 * Extra command line arguments were specified; complain.
3760 * XXX - interpret as capture filter, as tcpdump and tshark do?
3762 cmdarg_err("Invalid argument: %s", argv[0]);
3771 if (run_once_args > 1) {
3772 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
3774 } else if (run_once_args == 1) {
3775 /* We're supposed to print some information, rather than
3776 to capture traffic; did they specify a ring buffer option? */
3777 if (global_capture_opts.multi_files_on) {
3778 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
3782 /* We're supposed to capture traffic; was the ring buffer option
3783 specified and, if so, does it make sense? */
3784 if (global_capture_opts.multi_files_on) {
3785 /* Ring buffer works only under certain conditions:
3786 a) ring buffer does not work with temporary files;
3787 b) it makes no sense to enable the ring buffer if the maximum
3788 file size is set to "infinite". */
3789 if (global_capture_opts.save_file == NULL) {
3790 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
3791 global_capture_opts.multi_files_on = FALSE;
3793 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
3794 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
3795 /* XXX - this must be redesigned as the conditions changed */
3796 /* global_capture_opts.multi_files_on = FALSE;*/
3802 * "-D" requires no interface to be selected; it's supposed to list
3805 if (list_interfaces) {
3806 /* Get the list of interfaces */
3811 if_list = capture_interface_list(&err, &err_str);
3812 if (if_list == NULL) {
3814 case CANT_GET_INTERFACE_LIST:
3815 cmdarg_err("%s", err_str);
3820 case NO_INTERFACES_FOUND:
3822 * If we're being run by another program, just give them
3823 * an empty list of interfaces, don't report this as
3824 * an error; that lets them decide whether to report
3825 * this as an error or not.
3827 if (!machine_readable) {
3828 cmdarg_err("There are no interfaces on which a capture can be done");
3835 if (machine_readable) /* tab-separated values to stdout */
3836 print_machine_readable_interfaces(if_list);
3838 capture_opts_print_interfaces(if_list);
3839 free_interface_list(if_list);
3844 * "-S" requires no interface to be selected; it gives statistics
3845 * for all interfaces.
3847 if (print_statistics) {
3848 status = print_statistics_loop(machine_readable);
3853 * "-L", "-d", and capturing act on a particular interface, so we have to
3854 * have an interface; if none was specified, pick a default.
3856 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
3857 /* cmdarg_err() already called .... */
3861 /* Let the user know what interface was chosen. */
3862 /* get_interface_descriptive_name() is not available! */
3863 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
3865 if (list_link_layer_types) {
3866 /* Get the list of link-layer types for the capture device. */
3867 if_capabilities_t *caps;
3870 caps = get_if_capabilities(global_capture_opts.iface,
3871 global_capture_opts.monitor_mode, &err_str);
3873 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
3874 "Please check to make sure you have sufficient permissions, and that\n"
3875 "you have the proper interface or pipe specified.", global_capture_opts.iface, err_str);
3879 if (caps->data_link_types == NULL) {
3880 cmdarg_err("The capture device \"%s\" has no data link types.", global_capture_opts.iface);
3883 if (machine_readable) /* tab-separated values to stdout */
3884 print_machine_readable_if_capabilities(caps);
3886 capture_opts_print_if_capabilities(caps,
3887 global_capture_opts.monitor_mode);
3888 free_if_capabilities(caps);
3892 /* We're supposed to do a capture, or print the BPF code for a filter.
3893 Process the snapshot length, as that affects the generated BPF code. */
3894 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
3896 #ifdef HAVE_BPF_IMAGE
3897 if (print_bpf_code) {
3898 show_filter_code(&global_capture_opts);
3903 /* We're supposed to do a capture. Process the ring buffer arguments. */
3904 capture_opts_trim_ring_num_files(&global_capture_opts);
3906 /* Now start the capture. */
3908 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
3912 /* capture failed */
3919 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
3920 const char *message, gpointer user_data _U_)
3927 /* ignore log message, if log_level isn't interesting */
3928 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3929 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
3934 /* create a "timestamp" */
3936 today = localtime(&curr);
3938 switch(log_level & G_LOG_LEVEL_MASK) {
3939 case G_LOG_LEVEL_ERROR:
3942 case G_LOG_LEVEL_CRITICAL:
3945 case G_LOG_LEVEL_WARNING:
3948 case G_LOG_LEVEL_MESSAGE:
3951 case G_LOG_LEVEL_INFO:
3954 case G_LOG_LEVEL_DEBUG:
3958 fprintf(stderr, "unknown log_level %u\n", log_level);
3960 g_assert_not_reached();
3963 /* Generate the output message */
3964 if(log_level & G_LOG_LEVEL_MESSAGE) {
3965 /* normal user messages without additional infos */
3966 msg = g_strdup_printf("%s\n", message);
3968 /* info/debug messages with additional infos */
3969 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
3970 today->tm_hour, today->tm_min, today->tm_sec,
3971 log_domain != NULL ? log_domain : "",
3975 /* DEBUG & INFO msgs (if we're debugging today) */
3976 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3977 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3978 #ifdef DEBUG_DUMPCAP
3979 fprintf(stderr, "%s", msg);
3982 #ifdef DEBUG_CHILD_DUMPCAP
3983 fprintf(debug_log, "%s", msg);
3991 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
3992 /* to parent especially formatted if dumpcap running as child. */
3993 if (capture_child) {
3994 sync_pipe_errmsg_to_parent(2, msg, "");
3996 fprintf(stderr, "%s", msg);
4003 /****************************************************************************************************************/
4004 /* indication report routines */
4008 report_packet_count(int packet_count)
4010 char tmp[SP_DECISIZE+1+1];
4011 static int count = 0;
4014 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4015 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4016 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4018 count += packet_count;
4019 fprintf(stderr, "\rPackets: %u ", count);
4020 /* stderr could be line buffered */
4026 report_new_capture_file(const char *filename)
4029 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4030 pipe_write_block(2, SP_FILE, filename);
4034 * Prevent a SIGINFO handler from writing to the standard error
4035 * while we're doing so; instead, have it just set a flag telling
4036 * us to print that information when we're done.
4039 #endif /* SIGINFO */
4040 fprintf(stderr, "File: %s\n", filename);
4041 /* stderr could be line buffered */
4046 * Allow SIGINFO handlers to write.
4051 * If a SIGINFO handler asked us to write out capture counts, do so.
4055 #endif /* SIGINFO */
4060 report_cfilter_error(const char *cfilter, const char *errmsg)
4062 if (capture_child) {
4063 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4064 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4067 "Invalid capture filter: \"%s\"!\n"
4069 "That string isn't a valid capture filter (%s).\n"
4070 "See the User's Guide for a description of the capture filter syntax.\n",
4076 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4079 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4080 "Primary Error: %s", error_msg);
4081 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4082 "Secondary Error: %s", secondary_error_msg);
4083 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4085 fprintf(stderr, "%s\n", error_msg);
4086 if (secondary_error_msg[0] != '\0')
4087 fprintf(stderr, "%s\n", secondary_error_msg);
4092 report_packet_drops(guint32 drops)
4094 char tmp[SP_DECISIZE+1+1];
4096 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4099 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets dropped: %s", tmp);
4100 pipe_write_block(2, SP_DROPS, tmp);
4102 fprintf(stderr, "Packets dropped: %s\n", tmp);
4103 /* stderr could be line buffered */
4109 /****************************************************************************************************************/
4110 /* signal_pipe handling */
4115 signal_pipe_check_running(void)
4117 /* any news from our parent? -> just stop the capture */
4121 /* if we are running standalone, no check required */
4122 if(!capture_child) {
4126 if(!sig_pipe_name || !sig_pipe_handle) {
4127 /* This shouldn't happen */
4128 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4129 "Signal pipe: No name or handle");
4134 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4135 * at this point. Should we check to see if the parent is still alive,
4136 * e.g. by using OpenProcess?
4139 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4141 if(!result || avail > 0) {
4142 /* peek failed or some bytes really available */
4143 /* (if not piping from stdin this would fail) */
4144 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4145 "Signal pipe: Stop capture: %s", sig_pipe_name);
4146 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4147 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4148 sig_pipe_handle, result, avail);
4151 /* pipe ok and no bytes available */
4158 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4163 * indent-tabs-mode: nil
4166 * vi: set shiftwidth=4 tabstop=8 expandtab
4167 * :indentSize=4:tabSize=8:noTabs=true: