5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
88 #include "capture-wpcap.h"
89 #include <wsutil/unicode-utils.h>
93 #include <sys/socket.h>
97 #ifdef NEED_INET_V6DEFS_H
98 # include "wsutil/inet_v6defs.h"
101 #include <wsutil/privileges.h>
103 #include "sync_pipe.h"
105 #include "capture_opts.h"
106 #include "capture_ifinfo.h"
107 #include "capture_sync.h"
109 #include "conditions.h"
110 #include "capture_stop_conditions.h"
112 #include "tempfile.h"
114 #include "wsutil/file_util.h"
117 * Get information about libpcap format from "wiretap/libpcap.h".
118 * XXX - can we just use pcap_open_offline() to read the pipe?
120 #include "wiretap/libpcap.h"
122 /**#define DEBUG_DUMPCAP**/
123 /**#define DEBUG_CHILD_DUMPCAP**/
125 #ifdef DEBUG_CHILD_DUMPCAP
126 FILE *debug_log; /* for logging debug messages to */
127 /* a file if DEBUG_CHILD_DUMPCAP */
135 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
137 static gchar *sig_pipe_name = NULL;
138 static HANDLE sig_pipe_handle = NULL;
139 static gboolean signal_pipe_check_running(void);
143 static GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
144 static GMutex *cap_pipe_read_mtx;
148 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
149 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
152 /** Stop a low-level capture (stops the capture child). */
153 static void capture_loop_stop(void);
155 #if !defined (__linux__)
156 #ifndef HAVE_PCAP_BREAKLOOP
158 * We don't have pcap_breakloop(), which is the only way to ensure that
159 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
160 * won't, if the call to read the next packet or batch of packets is
161 * is interrupted by a signal on UN*X, just go back and try again to
164 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
165 * the signal handler, set a flag to stop capturing; however, without
166 * a guarantee of that sort, we can't guarantee that we'll stop capturing
167 * if the read will be retried and won't time out if no packets arrive.
169 * Therefore, on at least some platforms, we work around the lack of
170 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
171 * to wait for packets to arrive, so that we're probably going to be
172 * blocked in the select() when the signal arrives, and can just bail
173 * out of the loop at that point.
175 * However, we don't want to that on BSD (because "select()" doesn't work
176 * correctly on BPF devices on at least some releases of some flavors of
177 * BSD), and we don't want to do it on Windows (because "select()" is
178 * something for sockets, not for arbitrary handles). (Note that "Windows"
179 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
180 * using WinPcap, not a UNIX libpcap.)
182 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
183 * on BSD times out even if no packets have arrived, so we'll eventually
184 * exit pcap_dispatch() with an indication that no packets have arrived,
185 * and will break out of the capture loop at that point.
187 * On Windows, we can't send a SIGINT to stop capturing, so none of this
188 * applies in any case.
190 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
191 * want to include it if it's not present on this platform, however.
193 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
194 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
196 # define MUST_DO_SELECT
197 # endif /* avoid select */
198 #endif /* HAVE_PCAP_BREAKLOOP */
200 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
201 * in pcap_dispatch(); on the other hand, select() works just fine there.
202 * Hence we use a select for that come what may.
204 #define MUST_DO_SELECT
207 /** init the capture filter */
210 INITFILTER_BAD_FILTER,
211 INITFILTER_OTHER_ERROR
212 } initfilter_status_t;
214 typedef struct _loop_data {
216 gboolean go; /* TRUE as long as we're supposed to keep capturing */
217 int err; /* if non-zero, error seen while capturing */
218 gint packet_count; /* Number of packets we have already captured */
219 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
220 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
222 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
225 /* pcap "input file" */
226 pcap_t *pcap_h; /* pcap handle */
227 gboolean pcap_err; /* TRUE if error from pcap */
228 #ifdef MUST_DO_SELECT
229 int pcap_fd; /* pcap file descriptor */
232 /* capture pipe (unix only "input file") */
233 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
234 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
235 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
237 HANDLE cap_pipe_h; /* The handle of the capture pipe */
239 int cap_pipe_fd; /* the file descriptor of the capture pipe */
241 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
242 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
244 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
245 #endif /* USE_THREADS */
246 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
247 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
249 STATE_EXPECT_REC_HDR,
254 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 guint32 autostop_files;
267 * Standard secondary message for unexpected errors.
269 static const char please_report[] =
270 "Please report this to the Wireshark developers.\n"
271 "(This is not a crash; please do not report it as such.)";
274 * This needs to be static, so that the SIGINT handler can clear the "go"
277 static loop_data global_ld;
281 * Timeout, in milliseconds, for reads from the stream of captured packets
282 * from a capture device.
284 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
285 * 64-bit applications, with sub-second timeouts not to work. The bug is
286 * fixed in 10.6.2 and re-broken in 10.6.3.
288 #if defined(__APPLE__) && defined(__LP64__)
289 static gboolean need_timeout_workaround;
291 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
293 #define CAP_READ_TIMEOUT 250
297 * Timeout, in microseconds, for reads from the stream of captured packets
298 * from a pipe. Pipes don't have the same problem that BPF devices do
299 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
300 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
301 * of the offending versions of Snow Leopard.
303 * XXX - why is it 100 for threaded capturing?
306 #define PIPE_READ_TIMEOUT 250000
308 #define PIPE_READ_TIMEOUT 100
310 static const char *cap_pipe_err_str;
313 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
314 const char *message, gpointer user_data _U_);
316 /* capture related options */
317 static capture_options global_capture_opts;
318 static gboolean quiet;
320 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
322 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
323 int err, gboolean is_close);
325 static void exit_main(int err) G_GNUC_NORETURN;
327 static void report_new_capture_file(const char *filename);
328 static void report_packet_count(int packet_count);
329 static void report_packet_drops(guint32 drops);
330 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
331 static void report_cfilter_error(const char *cfilter, const char *errmsg);
333 #define MSG_MAX_LENGTH 4096
336 print_usage(gboolean print_ver) {
344 "Dumpcap " VERSION "%s\n"
345 "Capture network packets and dump them into a libpcap file.\n"
346 "See http://www.wireshark.org for more information.\n",
347 wireshark_svnversion);
351 fprintf(output, "\nUsage: dumpcap [options] ...\n");
352 fprintf(output, "\n");
353 fprintf(output, "Capture interface:\n");
354 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
355 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
356 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
357 fprintf(output, " -p don't capture in promiscuous mode\n");
358 #ifdef HAVE_PCAP_CREATE
359 fprintf(output, " -I capture in monitor mode, if available\n");
361 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
362 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
364 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
365 fprintf(output, " -D print list of interfaces and exit\n");
366 fprintf(output, " -L print list of link-layer types of iface and exit\n");
367 #ifdef HAVE_BPF_IMAGE
368 fprintf(output, " -d print generated BPF code for capture filter\n");
370 fprintf(output, " -S print statistics for each interface once every second\n");
371 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
372 fprintf(output, "\n");
373 #ifdef HAVE_PCAP_REMOTE
374 fprintf(output, "\nRPCAP options:\n");
375 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
376 fprintf(output, " -u use UDP for RPCAP data transfer\n");
377 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
378 #ifdef HAVE_PCAP_SETSAMPLING
379 fprintf(output, " -m <sampling type> use packet sampling\n");
380 fprintf(output, " count:NUM - capture one packet of every NUM\n");
381 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
384 fprintf(output, "Stop conditions:\n");
385 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
386 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
387 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
388 fprintf(output, " files:NUM - stop after NUM files\n");
389 /*fprintf(output, "\n");*/
390 fprintf(output, "Output (files):\n");
391 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
392 fprintf(output, " -g enable group read access on the output file(s)\n");
393 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
394 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
395 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
396 fprintf(output, " -n use pcapng format instead of pcap\n");
397 /*fprintf(output, "\n");*/
398 fprintf(output, "Miscellaneous:\n");
399 fprintf(output, " -q don't report packet capture counts\n");
400 fprintf(output, " -v print version information and exit\n");
401 fprintf(output, " -h display this help and exit\n");
402 fprintf(output, "\n");
403 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
404 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
405 fprintf(output, "\n");
406 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
410 show_version(GString *comp_info_str, GString *runtime_info_str)
414 "Dumpcap " VERSION "%s\n"
419 "See http://www.wireshark.org for more information.\n",
420 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
424 * Print to the standard error. This is a command-line tool, so there's
425 * no need to pop up a console.
428 vfprintf_stderr(const char *fmt, va_list ap)
430 vfprintf(stderr, fmt, ap);
434 fprintf_stderr(const char *fmt, ...)
439 vfprintf_stderr(fmt, ap);
444 * Report an error in command-line arguments.
447 cmdarg_err(const char *fmt, ...)
453 /* Generate a 'special format' message back to parent */
455 msg = g_strdup_vprintf(fmt, ap);
456 sync_pipe_errmsg_to_parent(2, msg, "");
461 fprintf(stderr, "dumpcap: ");
462 vfprintf(stderr, fmt, ap);
463 fprintf(stderr, "\n");
469 * Report additional information for an error in command-line arguments.
472 cmdarg_err_cont(const char *fmt, ...)
479 msg = g_strdup_vprintf(fmt, ap);
480 sync_pipe_errmsg_to_parent(2, msg, "");
485 vfprintf(stderr, fmt, ap);
486 fprintf(stderr, "\n");
493 #if 0 /* Set to enable capability debugging */
494 /* see 'man cap_to_text()' for explanation of output */
495 /* '=' means 'all= ' ie: no capabilities */
496 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
498 print_caps(const char *pfx) {
499 cap_t caps = cap_get_proc();
500 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
501 "%s: EUID: %d Capabilities: %s", pfx,
502 geteuid(), cap_to_text(caps, NULL));
505 print_caps(const char *pfx _U_) {
510 relinquish_all_capabilities(void)
512 /* Drop any and all capabilities this process may have. */
513 /* Allowed whether or not process has any privileges. */
514 cap_t caps = cap_init(); /* all capabilities initialized to off */
515 print_caps("Pre-clear");
516 if (cap_set_proc(caps)) {
517 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
519 print_caps("Post-clear");
525 open_capture_device(capture_options *capture_opts,
526 char (*open_err_str)[PCAP_ERRBUF_SIZE])
529 #ifdef HAVE_PCAP_CREATE
532 #ifdef HAVE_PCAP_REMOTE
533 struct pcap_rmtauth auth;
536 /* Open the network interface to capture from it.
537 Some versions of libpcap may put warnings into the error buffer
538 if they succeed; to tell if that's happened, we have to clear
539 the error buffer, and check if it's still a null string. */
540 (*open_err_str)[0] = '\0';
541 #ifdef HAVE_PCAP_OPEN
543 * If we're opening a remote device, use pcap_open(); that's currently
544 * the only open routine that supports remote devices.
546 if (strncmp (capture_opts->iface, "rpcap://", 8) == 0) {
547 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
548 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
549 auth.username = capture_opts->auth_username;
550 auth.password = capture_opts->auth_password;
552 pcap_h = pcap_open(capture_opts->iface,
553 capture_opts->has_snaplen ? capture_opts->snaplen :
554 WTAP_MAX_PACKET_SIZE,
556 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
557 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
558 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
559 CAP_READ_TIMEOUT, &auth, *open_err_str);
561 #endif /* HAVE_PCAP_OPEN */
564 * If we're not opening a remote device, use pcap_create() and
565 * pcap_activate() if we have them, so that we can set the buffer
566 * size, otherwise use pcap_open_live().
568 #ifdef HAVE_PCAP_CREATE
569 pcap_h = pcap_create(capture_opts->iface, *open_err_str);
570 if (pcap_h != NULL) {
571 pcap_set_snaplen(pcap_h, capture_opts->has_snaplen ? capture_opts->snaplen : WTAP_MAX_PACKET_SIZE);
572 pcap_set_promisc(pcap_h, capture_opts->promisc_mode);
573 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
575 if (capture_opts->buffer_size > 1) {
576 pcap_set_buffer_size(pcap_h, capture_opts->buffer_size * 1024 * 1024);
578 if (capture_opts->monitor_mode)
579 pcap_set_rfmon(pcap_h, 1);
580 err = pcap_activate(pcap_h);
582 /* Failed to activate, set to NULL */
583 if (err == PCAP_ERROR)
584 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
586 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
592 pcap_h = pcap_open_live(capture_opts->iface,
593 capture_opts->has_snaplen ? capture_opts->snaplen :
594 WTAP_MAX_PACKET_SIZE,
595 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
600 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
601 /* to remove any suid privileges. */
602 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
603 /* (euid/egid have already previously been set to ruid/rgid. */
604 /* (See comment in main() for details) */
606 relinquish_special_privs_perm();
608 relinquish_all_capabilities();
615 get_capture_device_open_failure_messages(const char *open_err_str,
621 char *errmsg, size_t errmsg_len,
622 char *secondary_errmsg,
623 size_t secondary_errmsg_len)
625 const char *libpcap_warn;
626 static const char ppamsg[] = "can't find PPA for ";
628 /* If we got a "can't find PPA for X" message, warn the user (who
629 is running dumcap on HP-UX) that they don't have a version of
630 libpcap that properly handles HP-UX (libpcap 0.6.x and later
631 versions, which properly handle HP-UX, say "can't find /dev/dlpi
632 PPA for X" rather than "can't find PPA for X"). */
633 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
636 "You are running (T)Wireshark with a version of the libpcap library\n"
637 "that doesn't handle HP-UX network devices well; this means that\n"
638 "(T)Wireshark may not be able to capture packets.\n"
640 "To fix this, you should install libpcap 0.6.2, or a later version\n"
641 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
642 "packaged binary form from the Software Porting And Archive Centre\n"
643 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
644 "at the URL lists a number of mirror sites.";
647 g_snprintf(errmsg, (gulong) errmsg_len,
648 "The capture session could not be initiated (%s).", open_err_str);
650 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
651 "Please check to make sure you have sufficient permissions, and that you have "
652 "the proper interface or pipe specified.%s", libpcap_warn);
654 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
656 "Please check that \"%s\" is the proper interface.\n"
659 "Help can be found at:\n"
661 " http://wiki.wireshark.org/WinPcap\n"
662 " http://wiki.wireshark.org/CaptureSetup\n",
667 /* Set the data link type on a pcap. */
669 set_pcap_linktype(pcap_t *pcap_h, capture_options *capture_opts,
670 char *errmsg, size_t errmsg_len,
671 char *secondary_errmsg, size_t secondary_errmsg_len)
673 char *set_linktype_err_str;
675 if (capture_opts->linktype == -1)
676 return TRUE; /* just use the default */
677 #ifdef HAVE_PCAP_SET_DATALINK
678 if (pcap_set_datalink(pcap_h, capture_opts->linktype) == 0)
679 return TRUE; /* no error */
680 set_linktype_err_str = pcap_geterr(pcap_h);
682 /* Let them set it to the type it is; reject any other request. */
683 if (get_pcap_linktype(pcap_h, capture_opts->iface) == capture_opts->linktype)
684 return TRUE; /* no error */
685 set_linktype_err_str =
686 "That DLT isn't one of the DLTs supported by this device";
688 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
689 set_linktype_err_str);
691 * If the error isn't "XXX is not one of the DLTs supported by this device",
692 * tell the user to tell the Wireshark developers about it.
694 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
695 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
697 secondary_errmsg[0] = '\0';
702 compile_capture_filter(const char *iface, pcap_t *pcap_h,
703 struct bpf_program *fcode, char *cfilter)
705 bpf_u_int32 netnum, netmask;
706 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
708 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
710 * Well, we can't get the netmask for this interface; it's used
711 * only for filters that check for broadcast IP addresses, so
712 * we just punt and use 0. It might be nice to warn the user,
713 * but that's a pain in a GUI application, as it'd involve popping
714 * up a message box, and it's not clear how often this would make
715 * a difference (only filters that check for IP broadcast addresses
719 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
722 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
727 #ifdef HAVE_BPF_IMAGE
729 show_filter_code(capture_options *capture_opts)
732 gchar open_err_str[PCAP_ERRBUF_SIZE];
733 char errmsg[MSG_MAX_LENGTH+1];
734 char secondary_errmsg[MSG_MAX_LENGTH+1];
735 struct bpf_program fcode;
736 struct bpf_insn *insn;
739 pcap_h = open_capture_device(capture_opts, &open_err_str);
740 if (pcap_h == NULL) {
741 /* Open failed; get messages */
742 get_capture_device_open_failure_messages(open_err_str,
744 errmsg, sizeof errmsg,
746 sizeof secondary_errmsg);
747 /* And report them */
748 report_capture_error(errmsg, secondary_errmsg);
752 /* Set the link-layer type. */
753 if (!set_pcap_linktype(pcap_h, capture_opts, errmsg, sizeof errmsg,
754 secondary_errmsg, sizeof secondary_errmsg)) {
756 report_capture_error(errmsg, secondary_errmsg);
760 /* OK, try to compile the capture filter. */
761 if (!compile_capture_filter(capture_opts->iface, pcap_h, &fcode,
762 capture_opts->cfilter)) {
764 report_cfilter_error(capture_opts->cfilter, errmsg);
770 /* Let our parent know we succeeded. */
771 pipe_write_block(2, SP_SUCCESS, NULL);
774 /* Now print the filter code. */
775 insn = fcode.bf_insns;
777 for (i = 0; i < fcode.bf_len; insn++, i++)
778 printf("%s\n", bpf_image(insn, i));
784 * capture_interface_list() is expected to do the right thing to get
785 * a list of interfaces.
787 * In most of the programs in the Wireshark suite, "the right thing"
788 * is to run dumpcap and ask it for the list, because dumpcap may
789 * be the only program in the suite with enough privileges to get
792 * In dumpcap itself, however, we obviously can't run dumpcap to
793 * ask for the list. Therefore, our capture_interface_list() should
794 * just call get_interface_list().
797 capture_interface_list(int *err, char **err_str)
799 return get_interface_list(err, err_str);
803 * Get the data-link type for a libpcap device.
804 * This works around AIX 5.x's non-standard and incompatible-with-the-
805 * rest-of-the-universe libpcap.
808 get_pcap_linktype(pcap_t *pch, const char *devname
816 const char *ifacename;
819 linktype = pcap_datalink(pch);
823 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
824 * rather than DLT_ values for link-layer types; the ifType values
825 * for LAN devices are:
832 * and the ifType value for a loopback device is 24.
834 * The AIX names for LAN devices begin with:
841 * and the AIX names for loopback devices begin with "lo".
843 * (The difference between "Ethernet" and "802.3" is presumably
844 * whether packets have an Ethernet header, with a packet type,
845 * or an 802.3 header, with a packet length, followed by an 802.2
846 * header and possibly a SNAP header.)
848 * If the device name matches "linktype" interpreted as an ifType
849 * value, rather than as a DLT_ value, we will assume this is AIX's
850 * non-standard, incompatible libpcap, rather than a standard libpcap,
851 * and will map the link-layer type to the standard DLT_ value for
852 * that link-layer type, as that's what the rest of Wireshark expects.
854 * (This means the capture files won't be readable by a tcpdump
855 * linked with AIX's non-standard libpcap, but so it goes. They
856 * *will* be readable by standard versions of tcpdump, Wireshark,
859 * XXX - if we conclude we're using AIX libpcap, should we also
860 * set a flag to cause us to assume the time stamps are in
861 * seconds-and-nanoseconds form, and to convert them to
862 * seconds-and-microseconds form before processing them and
867 * Find the last component of the device name, which is the
870 ifacename = strchr(devname, '/');
871 if (ifacename == NULL)
874 /* See if it matches any of the LAN device names. */
875 if (strncmp(ifacename, "en", 2) == 0) {
878 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
882 } else if (strncmp(ifacename, "et", 2) == 0) {
885 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
886 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
891 } else if (strncmp(ifacename, "tr", 2) == 0) {
894 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
895 * DLT_IEEE802, which is what's used for Token Ring.
899 } else if (strncmp(ifacename, "fi", 2) == 0) {
900 if (linktype == 15) {
902 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
906 } else if (strncmp(ifacename, "lo", 2) == 0) {
907 if (linktype == 24) {
909 * That's the RFC 1573 value for "software loopback" devices; map it
910 * to DLT_NULL, which is what's used for loopback devices on BSD.
920 static data_link_info_t *
921 create_data_link_info(int dlt)
923 data_link_info_t *data_link_info;
926 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
927 data_link_info->dlt = dlt;
928 text = pcap_datalink_val_to_name(dlt);
930 data_link_info->name = g_strdup(text);
932 data_link_info->name = g_strdup_printf("DLT %d", dlt);
933 text = pcap_datalink_val_to_description(dlt);
935 data_link_info->description = g_strdup(text);
937 data_link_info->description = NULL;
938 return data_link_info;
942 * Get the capabilities of a network device.
944 static if_capabilities_t *
945 get_if_capabilities(const char *devname, gboolean monitor_mode
946 #ifndef HAVE_PCAP_CREATE
951 if_capabilities_t *caps;
952 char errbuf[PCAP_ERRBUF_SIZE];
954 #ifdef HAVE_PCAP_CREATE
958 #ifdef HAVE_PCAP_LIST_DATALINKS
962 data_link_info_t *data_link_info;
965 * Allocate the interface capabilities structure.
967 caps = g_malloc(sizeof *caps);
969 #ifdef HAVE_PCAP_OPEN
970 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
971 caps->can_set_rfmon = FALSE;
974 *err_str = g_strdup(errbuf);
978 #elif defined(HAVE_PCAP_CREATE)
979 pch = pcap_create(devname, errbuf);
982 *err_str = g_strdup(errbuf);
986 status = pcap_can_set_rfmon(pch);
989 if (status == PCAP_ERROR)
990 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
993 *err_str = g_strdup(pcap_statustostr(status));
999 caps->can_set_rfmon = FALSE;
1000 else if (status == 1) {
1001 caps->can_set_rfmon = TRUE;
1003 pcap_set_rfmon(pch, 1);
1005 if (err_str != NULL) {
1006 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1014 status = pcap_activate(pch);
1016 /* Error. We ignore warnings (status > 0). */
1017 if (err_str != NULL) {
1018 if (status == PCAP_ERROR)
1019 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1022 *err_str = g_strdup(pcap_statustostr(status));
1029 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1030 caps->can_set_rfmon = FALSE;
1032 if (err_str != NULL)
1033 *err_str = g_strdup(errbuf);
1038 deflt = get_pcap_linktype(pch, devname);
1039 #ifdef HAVE_PCAP_LIST_DATALINKS
1040 nlt = pcap_list_datalinks(pch, &linktypes);
1041 if (nlt == 0 || linktypes == NULL) {
1043 if (err_str != NULL)
1044 *err_str = NULL; /* an empty list doesn't mean an error */
1047 caps->data_link_types = NULL;
1048 for (i = 0; i < nlt; i++) {
1049 data_link_info = create_data_link_info(linktypes[i]);
1052 * XXX - for 802.11, make the most detailed 802.11
1053 * version the default, rather than the one the
1054 * device has as the default?
1056 if (linktypes[i] == deflt)
1057 caps->data_link_types = g_list_prepend(caps->data_link_types,
1060 caps->data_link_types = g_list_append(caps->data_link_types,
1063 #ifdef HAVE_PCAP_FREE_DATALINKS
1064 pcap_free_datalinks(linktypes);
1067 * In Windows, there's no guarantee that if you have a library
1068 * built with one version of the MSVC++ run-time library, and
1069 * it returns a pointer to allocated data, you can free that
1070 * data from a program linked with another version of the
1071 * MSVC++ run-time library.
1073 * This is not an issue on UN*X.
1075 * See the mail threads starting at
1077 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1081 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1084 #define xx_free free /* hack so checkAPIs doesn't complain */
1087 #endif /* HAVE_PCAP_FREE_DATALINKS */
1088 #else /* HAVE_PCAP_LIST_DATALINKS */
1090 data_link_info = create_data_link_info(deflt);
1091 caps->data_link_types = g_list_append(caps->data_link_types,
1093 #endif /* HAVE_PCAP_LIST_DATALINKS */
1097 if (err_str != NULL)
1102 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1104 print_machine_readable_interfaces(GList *if_list)
1111 char addr_str[ADDRSTRLEN];
1113 if (capture_child) {
1114 /* Let our parent know we succeeded. */
1115 pipe_write_block(2, SP_SUCCESS, NULL);
1118 i = 1; /* Interface id number */
1119 for (if_entry = g_list_first(if_list); if_entry != NULL;
1120 if_entry = g_list_next(if_entry)) {
1121 if_info = (if_info_t *)if_entry->data;
1122 printf("%d. %s", i++, if_info->name);
1125 * Print the contents of the if_entry struct in a parseable format.
1126 * Each if_entry element is tab-separated. Addresses are comma-
1129 /* XXX - Make sure our description doesn't contain a tab */
1130 if (if_info->description != NULL)
1131 printf("\t%s\t", if_info->description);
1135 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1136 addr = g_slist_next(addr)) {
1137 if (addr != g_slist_nth(if_info->addrs, 0))
1140 if_addr = (if_addr_t *)addr->data;
1141 switch(if_addr->ifat_type) {
1143 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1145 printf("%s", addr_str);
1147 printf("<unknown IPv4>");
1151 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1152 addr_str, ADDRSTRLEN)) {
1153 printf("%s", addr_str);
1155 printf("<unknown IPv6>");
1159 printf("<type unknown %u>", if_addr->ifat_type);
1163 if (if_info->loopback)
1164 printf("\tloopback");
1166 printf("\tnetwork");
1173 * If you change the machine-readable output format of this function,
1174 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1177 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1180 data_link_info_t *data_link_info;
1181 const gchar *desc_str;
1183 if (capture_child) {
1184 /* Let our parent know we succeeded. */
1185 pipe_write_block(2, SP_SUCCESS, NULL);
1188 if (caps->can_set_rfmon)
1192 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1193 lt_entry = g_list_next(lt_entry)) {
1194 data_link_info = (data_link_info_t *)lt_entry->data;
1195 if (data_link_info->description != NULL)
1196 desc_str = data_link_info->description;
1198 desc_str = "(not supported)";
1199 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1209 /* Print the number of packets captured for each interface until we're killed. */
1211 print_statistics_loop(gboolean machine_readable)
1213 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1219 char errbuf[PCAP_ERRBUF_SIZE];
1220 struct pcap_stat ps;
1222 if_list = get_interface_list(&err, &err_str);
1223 if (if_list == NULL) {
1225 case CANT_GET_INTERFACE_LIST:
1226 cmdarg_err("%s", err_str);
1230 case NO_INTERFACES_FOUND:
1231 cmdarg_err("There are no interfaces on which a capture can be done");
1237 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1238 if_info = (if_info_t *)if_entry->data;
1239 #ifdef HAVE_PCAP_OPEN
1240 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1242 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1246 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1247 if_stat->name = g_strdup(if_info->name);
1249 stat_list = g_list_append(stat_list, if_stat);
1254 cmdarg_err("There are no interfaces on which a capture can be done");
1258 if (capture_child) {
1259 /* Let our parent know we succeeded. */
1260 pipe_write_block(2, SP_SUCCESS, NULL);
1263 if (!machine_readable) {
1264 printf("%-15s %10s %10s\n", "Interface", "Received",
1268 global_ld.go = TRUE;
1269 while (global_ld.go) {
1270 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1271 if_stat = (if_stat_t *)stat_entry->data;
1272 pcap_stats(if_stat->pch, &ps);
1274 if (!machine_readable) {
1275 printf("%-15s %10u %10u\n", if_stat->name,
1276 ps.ps_recv, ps.ps_drop);
1278 printf("%s\t%u\t%u\n", if_stat->name,
1279 ps.ps_recv, ps.ps_drop);
1284 if (! global_ld.from_cap_pipe)
1291 /* XXX - Not reached. Should we look for 'q' in stdin? */
1292 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1293 if_stat = (if_stat_t *)stat_entry->data;
1294 pcap_close(if_stat->pch);
1295 g_free(if_stat->name);
1298 g_list_free(stat_list);
1299 free_interface_list(if_list);
1307 capture_cleanup_handler(DWORD dwCtrlType)
1309 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1310 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1311 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1312 like SIGTERM at least when the machine's shutting down.
1314 For now, if we're running as a command rather than a capture child,
1315 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1316 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1317 in that way on UN*X.
1319 If we're not running as a capture child, we might be running as
1320 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1321 user logs out. (XXX - can we explicitly check whether we're
1322 running as a service?) */
1324 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1325 "Console: Control signal");
1326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1327 "Console: Control signal, CtrlType: %u", dwCtrlType);
1329 /* Keep capture running if we're a service and a user logs off */
1330 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1331 capture_loop_stop();
1339 capture_cleanup_handler(int signum _U_)
1341 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1342 SIGTERM. We assume that if the user wanted it to keep running
1343 after they logged out, they'd have nohupped it. */
1345 /* Note: don't call g_log() in the signal handler: if we happened to be in
1346 * g_log() in process context when the signal came in, g_log will detect
1347 * the "recursion" and abort.
1350 capture_loop_stop();
1359 /* Don't print this if we're a capture child. */
1360 if (!capture_child) {
1362 /* Report the count only if we aren't printing a packet count
1363 as packets arrive. */
1364 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
1365 plurality(global_ld.packet_count, "", "s"));
1368 infoprint = FALSE; /* we just reported it */
1372 report_counts_siginfo(int signum _U_)
1374 int sav_errno = errno;
1376 /* If we've been told to delay printing, just set a flag asking
1377 that we print counts (if we're supposed to), otherwise print
1378 the count of packets captured (if we're supposed to). */
1385 #endif /* SIGINFO */
1387 static void exit_main(int status)
1390 /* Shutdown windows sockets */
1393 /* can be helpful for debugging */
1394 #ifdef DEBUG_DUMPCAP
1395 printf("Press any key\n");
1406 * If we were linked with libcap (not libpcap), make sure we have
1407 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1408 * (See comment in main() for details)
1411 relinquish_privs_except_capture(void)
1413 /* If 'started_with_special_privs' (ie: suid) then enable for
1414 * ourself the NET_ADMIN and NET_RAW capabilities and then
1415 * drop our suid privileges.
1417 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1418 * stuff we don't need (and shouldn't have).
1419 * CAP_NET_RAW: Packet capture (raw sockets).
1422 if (started_with_special_privs()) {
1423 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1424 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1426 cap_t caps = cap_init(); /* all capabilities initialized to off */
1428 print_caps("Pre drop, pre set");
1430 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1431 cmdarg_err("prctl() fail return: %s", strerror(errno));
1434 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1435 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1437 if (cap_set_proc(caps)) {
1438 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1440 print_caps("Pre drop, post set");
1442 relinquish_special_privs_perm();
1444 print_caps("Post drop, pre set");
1445 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1446 if (cap_set_proc(caps)) {
1447 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1449 print_caps("Post drop, post set");
1455 #endif /* HAVE_LIBCAP */
1457 /* Take care of byte order in the libpcap headers read from pipes.
1458 * (function taken from wiretap/libpcap.c) */
1460 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1463 /* Byte-swap the record header fields. */
1464 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1465 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1466 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1467 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1470 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1471 swapped, in order to match the BPF header layout.
1473 Unfortunately, some files were, according to a comment in the "libpcap"
1474 source, written with version 2.3 in their headers but without the
1475 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1476 would make no sense - we assume that we need to swap them. */
1477 if (hdr->version_major == 2 &&
1478 (hdr->version_minor < 3 ||
1479 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1482 temp = rechdr->orig_len;
1483 rechdr->orig_len = rechdr->incl_len;
1484 rechdr->incl_len = temp;
1490 * Thread function that reads from a pipe and pushes the data
1491 * to the main application thread.
1494 * XXX Right now we use async queues for basic signaling. The main thread
1495 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1496 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1497 * Iff the read is successful cap_pipe_read pushes an item onto
1498 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1499 * the queues themselves (yet).
1501 * We might want to move some of the cap_pipe_dispatch logic here so that
1502 * we can let cap_pipe_read run independently, queuing up multiple reads
1503 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1505 static void *cap_pipe_read(void *ld_ptr) {
1506 loop_data *ld = (loop_data *)ld_ptr;
1515 while (ld->cap_pipe_err == PIPOK) {
1516 g_async_queue_pop(cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1517 g_mutex_lock(cap_pipe_read_mtx);
1519 while (bytes_read < (int) ld->cap_pipe_bytes_to_read) {
1521 /* If we try to use read() on a named pipe on Windows with partial
1522 * data it appears to return EOF.
1524 res = ReadFile(ld->cap_pipe_h, ld->cap_pipe_buf+bytes_read,
1525 ld->cap_pipe_bytes_to_read - bytes_read,
1530 last_err = GetLastError();
1531 if (last_err == ERROR_MORE_DATA) {
1533 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1534 ld->cap_pipe_err = PIPEOF;
1538 ld->cap_pipe_err = PIPERR;
1541 } else if (b == 0 && ld->cap_pipe_bytes_to_read > 0) {
1542 ld->cap_pipe_err = PIPEOF;
1547 b = read(ld->cap_pipe_fd, ld->cap_pipe_buf+bytes_read,
1548 ld->cap_pipe_bytes_to_read - bytes_read);
1551 ld->cap_pipe_err = PIPEOF;
1555 ld->cap_pipe_err = PIPERR;
1564 ld->cap_pipe_bytes_read = bytes_read;
1565 if (ld->cap_pipe_bytes_read >= ld->cap_pipe_bytes_to_read) {
1566 g_async_queue_push(cap_pipe_done_q, ld->cap_pipe_buf); /* Any non-NULL value will do */
1568 g_mutex_unlock(cap_pipe_read_mtx);
1572 #endif /* USE_THREADS */
1574 /* Provide select() functionality for a single file descriptor
1575 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1577 * Returns the same values as select. If an error is returned,
1578 * the string cap_pipe_err_str should be used instead of errno.
1581 cap_pipe_select(int pipe_fd) {
1583 struct timeval timeout;
1586 cap_pipe_err_str = "Unknown error";
1589 FD_SET(pipe_fd, &rfds);
1591 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1592 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1594 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1596 cap_pipe_err_str = strerror(errno);
1601 /* Mimic pcap_open_live() for pipe captures
1603 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1604 * open it, and read the header.
1606 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1607 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1609 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1610 char *errmsg, int errmsgl)
1613 struct stat pipe_stat;
1614 struct sockaddr_un sa;
1617 unsigned int bytes_read;
1628 ld->cap_pipe_fd = -1;
1630 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
1632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1635 * XXX - this blocks until a pcap per-file header has been written to
1636 * the pipe, so it could block indefinitely.
1638 if (strcmp(pipename, "-") == 0) {
1640 fd = 0; /* read from stdin */
1642 ld->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1646 if (ws_stat(pipename, &pipe_stat) < 0) {
1647 if (errno == ENOENT || errno == ENOTDIR)
1648 ld->cap_pipe_err = PIPNEXIST;
1650 g_snprintf(errmsg, errmsgl,
1651 "The capture session could not be initiated "
1652 "due to error getting information on pipe/socket: %s", strerror(errno));
1653 ld->cap_pipe_err = PIPERR;
1657 if (S_ISFIFO(pipe_stat.st_mode)) {
1658 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1660 g_snprintf(errmsg, errmsgl,
1661 "The capture session could not be initiated "
1662 "due to error on pipe open: %s", strerror(errno));
1663 ld->cap_pipe_err = PIPERR;
1666 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1667 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1669 g_snprintf(errmsg, errmsgl,
1670 "The capture session could not be initiated "
1671 "due to error on socket create: %s", strerror(errno));
1672 ld->cap_pipe_err = PIPERR;
1675 sa.sun_family = AF_UNIX;
1677 * The Single UNIX Specification says:
1679 * The size of sun_path has intentionally been left undefined.
1680 * This is because different implementations use different sizes.
1681 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1682 * of 104. Since most implementations originate from BSD versions,
1683 * the size is typically in the range 92 to 108.
1685 * Applications should not assume a particular length for sun_path
1686 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1690 * The <sys/un.h> header shall define the sockaddr_un structure,
1691 * which shall include at least the following members:
1693 * sa_family_t sun_family Address family.
1694 * char sun_path[] Socket pathname.
1696 * so we assume that it's an array, with a specified size,
1697 * and that the size reflects the maximum path length.
1699 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1700 /* Path name too long */
1701 g_snprintf(errmsg, errmsgl,
1702 "The capture session coud not be initiated "
1703 "due to error on socket connect: Path name too long");
1704 ld->cap_pipe_err = PIPERR;
1707 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1709 g_snprintf(errmsg, errmsgl,
1710 "The capture session coud not be initiated "
1711 "due to error on socket connect: %s", strerror(errno));
1712 ld->cap_pipe_err = PIPERR;
1716 if (S_ISCHR(pipe_stat.st_mode)) {
1718 * Assume the user specified an interface on a system where
1719 * interfaces are in /dev. Pretend we haven't seen it.
1721 ld->cap_pipe_err = PIPNEXIST;
1724 g_snprintf(errmsg, errmsgl,
1725 "The capture session could not be initiated because\n"
1726 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1727 ld->cap_pipe_err = PIPERR;
1732 #define PIPE_STR "\\pipe\\"
1733 /* Under Windows, named pipes _must_ have the form
1734 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1736 pncopy = g_strdup(pipename);
1737 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1738 pos = strchr(pncopy + 3, '\\');
1739 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1746 g_snprintf(errmsg, errmsgl,
1747 "The capture session could not be initiated because\n"
1748 "\"%s\" is neither an interface nor a pipe", pipename);
1749 ld->cap_pipe_err = PIPNEXIST;
1753 /* Wait for the pipe to appear */
1755 ld->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1756 OPEN_EXISTING, 0, NULL);
1758 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE)
1761 if (GetLastError() != ERROR_PIPE_BUSY) {
1762 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1763 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1764 g_snprintf(errmsg, errmsgl,
1765 "The capture session on \"%s\" could not be started "
1766 "due to error on pipe open: %s (error %d)",
1767 pipename, utf_16to8(err_str), GetLastError());
1769 ld->cap_pipe_err = PIPERR;
1773 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1774 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1775 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1776 g_snprintf(errmsg, errmsgl,
1777 "The capture session on \"%s\" timed out during "
1778 "pipe open: %s (error %d)",
1779 pipename, utf_16to8(err_str), GetLastError());
1781 ld->cap_pipe_err = PIPERR;
1788 ld->from_cap_pipe = TRUE;
1791 /* read the pcap header */
1793 while (bytes_read < sizeof magic) {
1794 sel_ret = cap_pipe_select(fd);
1796 g_snprintf(errmsg, errmsgl,
1797 "Unexpected error from select: %s", strerror(errno));
1799 } else if (sel_ret > 0) {
1800 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1803 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1805 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1812 #else /* USE_THREADS */
1813 g_thread_create(&cap_pipe_read, ld, FALSE, NULL);
1815 ld->cap_pipe_buf = (char *) &magic;
1816 ld->cap_pipe_bytes_read = 0;
1817 ld->cap_pipe_bytes_to_read = sizeof(magic);
1818 /* We don't have to worry about cap_pipe_read_mtx here */
1819 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1820 g_async_queue_pop(cap_pipe_done_q);
1821 if (ld->cap_pipe_bytes_read <= 0) {
1822 if (ld->cap_pipe_bytes_read == 0)
1823 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1825 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1830 #endif /* USE_THREADS */
1834 /* Host that wrote it has our byte order, and was running
1835 a program using either standard or ss990417 libpcap. */
1836 ld->cap_pipe_byte_swapped = FALSE;
1837 ld->cap_pipe_modified = FALSE;
1839 case PCAP_MODIFIED_MAGIC:
1840 /* Host that wrote it has our byte order, but was running
1841 a program using either ss990915 or ss991029 libpcap. */
1842 ld->cap_pipe_byte_swapped = FALSE;
1843 ld->cap_pipe_modified = TRUE;
1845 case PCAP_SWAPPED_MAGIC:
1846 /* Host that wrote it has a byte order opposite to ours,
1847 and was running a program using either standard or
1848 ss990417 libpcap. */
1849 ld->cap_pipe_byte_swapped = TRUE;
1850 ld->cap_pipe_modified = FALSE;
1852 case PCAP_SWAPPED_MODIFIED_MAGIC:
1853 /* Host that wrote it out has a byte order opposite to
1854 ours, and was running a program using either ss990915
1855 or ss991029 libpcap. */
1856 ld->cap_pipe_byte_swapped = TRUE;
1857 ld->cap_pipe_modified = TRUE;
1860 /* Not a "libpcap" type we know about. */
1861 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1866 /* Read the rest of the header */
1868 while (bytes_read < sizeof(struct pcap_hdr)) {
1869 sel_ret = cap_pipe_select(fd);
1871 g_snprintf(errmsg, errmsgl,
1872 "Unexpected error from select: %s", strerror(errno));
1874 } else if (sel_ret > 0) {
1875 b = read(fd, ((char *)hdr)+bytes_read,
1876 sizeof(struct pcap_hdr) - bytes_read);
1879 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1881 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1888 #else /* USE_THREADS */
1889 ld->cap_pipe_buf = (char *) hdr;
1890 ld->cap_pipe_bytes_read = 0;
1891 ld->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1892 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1893 g_async_queue_pop(cap_pipe_done_q);
1894 if (ld->cap_pipe_bytes_read <= 0) {
1895 if (ld->cap_pipe_bytes_read == 0)
1896 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1898 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1902 #endif /* USE_THREADS */
1904 if (ld->cap_pipe_byte_swapped) {
1905 /* Byte-swap the header fields about which we care. */
1906 hdr->version_major = BSWAP16(hdr->version_major);
1907 hdr->version_minor = BSWAP16(hdr->version_minor);
1908 hdr->snaplen = BSWAP32(hdr->snaplen);
1909 hdr->network = BSWAP32(hdr->network);
1911 ld->linktype = hdr->network;
1913 if (hdr->version_major < 2) {
1914 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1918 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1919 ld->cap_pipe_err = PIPOK;
1921 ld->cap_pipe_fd = fd;
1926 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1927 ld->cap_pipe_err = PIPERR;
1930 ld->cap_pipe_fd = -1;
1937 /* We read one record from the pipe, take care of byte order in the record
1938 * header, write the record to the capture file, and update capture statistics. */
1940 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1942 struct pcap_pkthdr phdr;
1943 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1955 #ifdef LOG_CAPTURE_VERBOSE
1956 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1959 switch (ld->cap_pipe_state) {
1961 case STATE_EXPECT_REC_HDR:
1963 if (g_mutex_trylock(cap_pipe_read_mtx)) {
1966 ld->cap_pipe_state = STATE_READ_REC_HDR;
1967 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1968 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1969 ld->cap_pipe_bytes_read = 0;
1972 ld->cap_pipe_buf = (char *) &ld->cap_pipe_rechdr;
1973 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1974 g_mutex_unlock(cap_pipe_read_mtx);
1979 case STATE_READ_REC_HDR:
1981 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1982 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1985 result = PD_PIPE_EOF;
1987 result = PD_PIPE_ERR;
1990 ld->cap_pipe_bytes_read += b;
1991 #else /* USE_THREADS */
1992 g_get_current_time(&wait_time);
1993 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
1994 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
1995 if (ld->cap_pipe_err == PIPEOF) {
1996 result = PD_PIPE_EOF;
1998 } else if (ld->cap_pipe_err == PIPERR) {
1999 result = PD_PIPE_ERR;
2005 #endif /* USE_THREADS */
2006 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2008 result = PD_REC_HDR_READ;
2011 case STATE_EXPECT_DATA:
2013 if (g_mutex_trylock(cap_pipe_read_mtx)) {
2016 ld->cap_pipe_state = STATE_READ_DATA;
2017 ld->cap_pipe_bytes_to_read = ld->cap_pipe_rechdr.hdr.incl_len;
2018 ld->cap_pipe_bytes_read = 0;
2021 ld->cap_pipe_buf = (char *) data;
2022 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
2023 g_mutex_unlock(cap_pipe_read_mtx);
2028 case STATE_READ_DATA:
2030 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
2031 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
2034 result = PD_PIPE_EOF;
2036 result = PD_PIPE_ERR;
2039 ld->cap_pipe_bytes_read += b;
2040 #else /* USE_THREADS */
2041 g_get_current_time(&wait_time);
2042 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2043 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2044 if (ld->cap_pipe_err == PIPEOF) {
2045 result = PD_PIPE_EOF;
2047 } else if (ld->cap_pipe_err == PIPERR) {
2048 result = PD_PIPE_ERR;
2054 #endif /* USE_THREADS */
2055 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2057 result = PD_DATA_READ;
2061 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2064 } /* switch (ld->cap_pipe_state) */
2067 * We've now read as much data as we were expecting, so process it.
2071 case PD_REC_HDR_READ:
2072 /* We've read the header. Take care of byte order. */
2073 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
2074 &ld->cap_pipe_rechdr.hdr);
2075 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2076 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2077 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
2080 ld->cap_pipe_state = STATE_EXPECT_DATA;
2084 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2085 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
2086 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
2087 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
2088 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
2090 capture_loop_packet_cb((u_char *)ld, &phdr, data);
2092 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
2096 ld->cap_pipe_err = PIPEOF;
2101 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2102 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2103 g_snprintf(errmsg, errmsgl,
2104 "Error reading from pipe: %s (error %d)",
2105 utf_16to8(err_str), GetLastError());
2108 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2116 ld->cap_pipe_err = PIPERR;
2117 /* Return here rather than inside the switch to prevent GCC warning */
2122 /** Open the capture input file (pcap or capture pipe).
2123 * Returns TRUE if it succeeds, FALSE otherwise. */
2125 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2126 char *errmsg, size_t errmsg_len,
2127 char *secondary_errmsg, size_t secondary_errmsg_len)
2129 gchar open_err_str[PCAP_ERRBUF_SIZE];
2130 gchar *sync_msg_str;
2133 gchar *sync_secondary_msg_str;
2134 WORD wVersionRequested;
2138 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
2141 /* XXX - opening Winsock on tshark? */
2143 /* Initialize Windows Socket if we are in a WIN32 OS
2144 This needs to be done before querying the interface for network/netmask */
2146 /* XXX - do we really require 1.1 or earlier?
2147 Are there any versions that support only 2.0 or higher? */
2148 wVersionRequested = MAKEWORD(1, 1);
2149 err = WSAStartup(wVersionRequested, &wsaData);
2153 case WSASYSNOTREADY:
2154 g_snprintf(errmsg, (gulong) errmsg_len,
2155 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2158 case WSAVERNOTSUPPORTED:
2159 g_snprintf(errmsg, (gulong) errmsg_len,
2160 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2161 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2164 case WSAEINPROGRESS:
2165 g_snprintf(errmsg, (gulong) errmsg_len,
2166 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2170 g_snprintf(errmsg, (gulong) errmsg_len,
2171 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2175 g_snprintf(errmsg, (gulong) errmsg_len,
2176 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2180 g_snprintf(errmsg, (gulong) errmsg_len,
2181 "Couldn't initialize Windows Sockets: error %d", err);
2184 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2189 ld->pcap_h = open_capture_device(capture_opts, &open_err_str);
2191 if (ld->pcap_h != NULL) {
2192 /* we've opened "iface" as a network device */
2194 /* try to set the capture buffer size */
2195 if (capture_opts->buffer_size > 1 &&
2196 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
2197 sync_secondary_msg_str = g_strdup_printf(
2198 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2199 "the default of 1MB will be used.\n"
2201 "Nonetheless, the capture is started.\n",
2202 capture_opts->buffer_size);
2203 report_capture_error("Couldn't set the capture buffer size!",
2204 sync_secondary_msg_str);
2205 g_free(sync_secondary_msg_str);
2209 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
2210 if ((capture_opts->sampling_method != CAPTURE_SAMP_NONE) &&
2211 (strncmp (capture_opts->iface, "rpcap://", 8) == 0))
2213 struct pcap_samp *samp;
2215 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
2217 switch (capture_opts->sampling_method)
2219 case CAPTURE_SAMP_BY_COUNT:
2220 samp->method = PCAP_SAMP_1_EVERY_N;
2223 case CAPTURE_SAMP_BY_TIMER:
2224 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2228 sync_msg_str = g_strdup_printf(
2229 "Unknown sampling method %d specified,\n"
2230 "continue without packet sampling",
2231 capture_opts->sampling_method);
2232 report_capture_error("Couldn't set the capture "
2233 "sampling", sync_msg_str);
2234 g_free(sync_msg_str);
2236 samp->value = capture_opts->sampling_param;
2240 report_capture_error("Couldn't set the capture sampling",
2241 "Cannot get packet sampling data structure");
2247 /* setting the data link type only works on real interfaces */
2248 if (!set_pcap_linktype(ld->pcap_h, capture_opts, errmsg, errmsg_len,
2249 secondary_errmsg, secondary_errmsg_len))
2251 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
2253 /* We couldn't open "iface" as a network device. */
2254 /* Try to open it as a pipe */
2255 cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
2258 if (ld->cap_pipe_fd == -1) {
2260 if (ld->cap_pipe_h == INVALID_HANDLE_VALUE) {
2263 if (ld->cap_pipe_err == PIPNEXIST) {
2264 /* Pipe doesn't exist, so output message for interface */
2265 get_capture_device_open_failure_messages(open_err_str,
2266 capture_opts->iface,
2270 secondary_errmsg_len);
2273 * Else pipe (or file) does exist and cap_pipe_open_live() has
2278 /* cap_pipe_open_live() succeeded; don't want
2279 error message from pcap_open_live() */
2280 open_err_str[0] = '\0';
2283 /* XXX - will this work for tshark? */
2284 #ifdef MUST_DO_SELECT
2285 if (!ld->from_cap_pipe) {
2286 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2287 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
2289 ld->pcap_fd = pcap_fileno(ld->pcap_h);
2294 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2295 returned a warning; print it, but keep capturing. */
2296 if (open_err_str[0] != '\0') {
2297 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2298 report_capture_error(sync_msg_str, "");
2299 g_free(sync_msg_str);
2305 /* close the capture input file (pcap or capture pipe) */
2306 static void capture_loop_close_input(loop_data *ld) {
2308 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2310 /* if open, close the capture pipe "input file" */
2312 if (ld->cap_pipe_fd >= 0) {
2313 g_assert(ld->from_cap_pipe);
2314 ws_close(ld->cap_pipe_fd);
2315 ld->cap_pipe_fd = 0;
2318 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE) {
2319 CloseHandle(ld->cap_pipe_h);
2320 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
2324 /* if open, close the pcap "input file" */
2325 if(ld->pcap_h != NULL) {
2326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)ld->pcap_h);
2327 g_assert(!ld->from_cap_pipe);
2328 pcap_close(ld->pcap_h);
2335 /* Shut down windows sockets */
2341 /* init the capture filter */
2342 static initfilter_status_t
2343 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2344 gchar * iface, gchar * cfilter)
2346 struct bpf_program fcode;
2348 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2350 /* capture filters only work on real interfaces */
2351 if (cfilter && !from_cap_pipe) {
2352 /* A capture filter was specified; set it up. */
2353 if (!compile_capture_filter(iface, pcap_h, &fcode, cfilter)) {
2354 /* Treat this specially - our caller might try to compile this
2355 as a display filter and, if that succeeds, warn the user that
2356 the display and capture filter syntaxes are different. */
2357 return INITFILTER_BAD_FILTER;
2359 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2360 #ifdef HAVE_PCAP_FREECODE
2361 pcap_freecode(&fcode);
2363 return INITFILTER_OTHER_ERROR;
2365 #ifdef HAVE_PCAP_FREECODE
2366 pcap_freecode(&fcode);
2370 return INITFILTER_NO_ERROR;
2374 /* set up to write to the already-opened capture output file/files */
2376 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len) {
2380 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2383 if (ld->from_cap_pipe) {
2384 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
2387 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
2390 /* Set up to write to the capture file. */
2391 if (capture_opts->multi_files_on) {
2392 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2394 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2397 gboolean successful;
2399 ld->bytes_written = 0;
2400 if (capture_opts->use_pcapng) {
2403 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2404 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err) &&
2405 libpcap_write_interface_description_block(ld->pdh, capture_opts->iface, capture_opts->cfilter, ld->linktype, ld->file_snaplen, &ld->bytes_written, &err);
2407 successful = libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
2408 &ld->bytes_written, &err);
2416 if (ld->pdh == NULL) {
2417 /* We couldn't set up to write to the capture file. */
2418 /* XXX - use cf_open_error_message from tshark instead? */
2421 case WTAP_ERR_CANT_OPEN:
2422 g_snprintf(errmsg, errmsg_len, "The file to which the capture would be saved"
2423 " couldn't be created for some unknown reason.");
2426 case WTAP_ERR_SHORT_WRITE:
2427 g_snprintf(errmsg, errmsg_len, "A full header couldn't be written to the file"
2428 " to which the capture would be saved.");
2433 g_snprintf(errmsg, errmsg_len,
2434 "The file to which the capture would be"
2435 " saved (\"%s\") could not be opened: Error %d.",
2436 capture_opts->save_file, err);
2438 g_snprintf(errmsg, errmsg_len,
2439 "The file to which the capture would be"
2440 " saved (\"%s\") could not be opened: %s.",
2441 capture_opts->save_file, strerror(err));
2453 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
2455 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2457 if (capture_opts->multi_files_on) {
2458 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2460 if (capture_opts->use_pcapng) {
2461 libpcap_write_interface_statistics_block(ld->pdh, 0, ld->pcap_h, &ld->bytes_written, err_close);
2463 return libpcap_dump_close(ld->pdh, err_close);
2467 /* dispatch incoming packets (pcap or capture pipe)
2469 * Waits for incoming packets to be available, and calls pcap_dispatch()
2470 * to cause them to be processed.
2472 * Returns the number of packets which were processed.
2474 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2475 * packet-batching behaviour does not cause packets to get held back
2479 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
2480 char *errmsg, int errmsg_len)
2483 gint packet_count_before;
2484 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2489 packet_count_before = ld->packet_count;
2490 if (ld->from_cap_pipe) {
2491 /* dispatch from capture pipe */
2492 #ifdef LOG_CAPTURE_VERBOSE
2493 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2496 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
2499 if (sel_ret < 0 && errno != EINTR) {
2500 g_snprintf(errmsg, errmsg_len,
2501 "Unexpected error from select: %s", strerror(errno));
2502 report_capture_error(errmsg, please_report);
2507 * "select()" says we can read from the pipe without blocking
2509 #endif /* USE_THREADS */
2510 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
2520 /* dispatch from pcap */
2521 #ifdef MUST_DO_SELECT
2523 * If we have "pcap_get_selectable_fd()", we use it to get the
2524 * descriptor on which to select; if that's -1, it means there
2525 * is no descriptor on which you can do a "select()" (perhaps
2526 * because you're capturing on a special device, and that device's
2527 * driver unfortunately doesn't support "select()", in which case
2528 * we don't do the select - which means it might not be possible
2529 * to stop a capture until a packet arrives. If that's unacceptable,
2530 * plead with whoever supplies the software for that device to add
2531 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2532 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2533 * later, so it can use pcap_breakloop().
2535 #ifdef LOG_CAPTURE_VERBOSE
2536 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2538 if (ld->pcap_fd != -1) {
2539 sel_ret = cap_pipe_select(ld->pcap_fd);
2542 * "select()" says we can read from it without blocking; go for
2545 * We don't have pcap_breakloop(), so we only process one packet
2546 * per pcap_dispatch() call, to allow a signal to stop the
2547 * processing immediately, rather than processing all packets
2548 * in a batch before quitting.
2550 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
2554 /* Error, rather than pcap_breakloop(). */
2555 ld->pcap_err = TRUE;
2557 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2560 if (sel_ret < 0 && errno != EINTR) {
2561 g_snprintf(errmsg, errmsg_len,
2562 "Unexpected error from select: %s", strerror(errno));
2563 report_capture_error(errmsg, please_report);
2569 #endif /* MUST_DO_SELECT */
2571 /* dispatch from pcap without select */
2573 #ifdef LOG_CAPTURE_VERBOSE
2574 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2578 * On Windows, we don't support asynchronously telling a process to
2579 * stop capturing; instead, we check for an indication on a pipe
2580 * after processing packets. We therefore process only one packet
2581 * at a time, so that we can check the pipe after every packet.
2583 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
2585 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
2589 /* Error, rather than pcap_breakloop(). */
2590 ld->pcap_err = TRUE;
2592 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2594 #else /* pcap_next_ex */
2595 #ifdef LOG_CAPTURE_VERBOSE
2596 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2598 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2601 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2602 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2603 * This should be fixed in the WinPcap 4.0 alpha release.
2605 * For reference, an example remote interface:
2606 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2609 /* emulate dispatch from pcap */
2612 struct pcap_pkthdr *pkt_header;
2617 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
2618 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
2621 ld->pcap_err = TRUE;
2625 #endif /* pcap_next_ex */
2629 #ifdef LOG_CAPTURE_VERBOSE
2630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2633 return ld->packet_count - packet_count_before;
2637 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2638 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2640 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2641 char *errmsg, int errmsg_len) {
2644 gchar *capfile_name;
2645 gboolean is_tempfile;
2650 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2651 (capture_opts->save_file) ? capture_opts->save_file : "");
2653 if (capture_opts->save_file != NULL) {
2654 /* We return to the caller while the capture is in progress.
2655 * Therefore we need to take a copy of save_file in
2656 * case the caller destroys it after we return.
2658 capfile_name = g_strdup(capture_opts->save_file);
2660 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2661 if (capture_opts->multi_files_on) {
2662 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2663 g_snprintf(errmsg, errmsg_len,
2664 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2665 g_free(capfile_name);
2668 if (strcmp(capfile_name, "-") == 0) {
2669 /* write to stdout */
2672 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2673 _setmode(1, O_BINARY);
2676 } /* if (...output_to_pipe ... */
2679 if (capture_opts->multi_files_on) {
2680 /* ringbuffer is enabled */
2681 *save_file_fd = ringbuf_init(capfile_name,
2682 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2683 capture_opts->group_read_access);
2685 /* we need the ringbuf name */
2686 if(*save_file_fd != -1) {
2687 g_free(capfile_name);
2688 capfile_name = g_strdup(ringbuf_current_filename());
2691 /* Try to open/create the specified file for use as a capture buffer. */
2692 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2693 (capture_opts->group_read_access) ? 0640 : 0600);
2696 is_tempfile = FALSE;
2698 /* Choose a random name for the temporary capture buffer */
2699 *save_file_fd = create_tempfile(&tmpname, "wireshark");
2700 capfile_name = g_strdup(tmpname);
2704 /* did we fail to open the output file? */
2705 if (*save_file_fd == -1) {
2707 g_snprintf(errmsg, errmsg_len,
2708 "The temporary file to which the capture would be saved (\"%s\") "
2709 "could not be opened: %s.", capfile_name, strerror(errno));
2711 if (capture_opts->multi_files_on) {
2712 ringbuf_error_cleanup();
2715 g_snprintf(errmsg, errmsg_len,
2716 "The file to which the capture would be saved (\"%s\") "
2717 "could not be opened: %s.", capfile_name,
2720 g_free(capfile_name);
2724 if(capture_opts->save_file != NULL) {
2725 g_free(capture_opts->save_file);
2727 capture_opts->save_file = capfile_name;
2728 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2729 "g_free(capfile_name)". */
2731 ret = fchown(*save_file_fd, capture_opts->owner, capture_opts->group);
2739 #define TIME_GET() GetTickCount()
2741 #define TIME_GET() time(NULL)
2744 /* Do the work of handling either the file size or file duration capture
2745 conditions being reached, and switching files or stopping. */
2747 do_file_switch_or_stop(capture_options *capture_opts,
2748 condition *cnd_autostop_files,
2749 condition *cnd_autostop_size,
2750 condition *cnd_file_duration)
2752 if (capture_opts->multi_files_on) {
2753 if (cnd_autostop_files != NULL &&
2754 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2755 /* no files left: stop here */
2756 global_ld.go = FALSE;
2760 /* Switch to the next ringbuffer file */
2761 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2762 &global_ld.save_file_fd, &global_ld.err)) {
2763 gboolean successful;
2768 /* File switch succeeded: reset the conditions */
2769 global_ld.bytes_written = 0;
2770 if (capture_opts->use_pcapng) {
2773 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2774 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &global_ld.bytes_written, &global_ld.err) &&
2775 libpcap_write_interface_description_block(global_ld.pdh, capture_opts->iface, capture_opts->cfilter, global_ld.linktype, global_ld.file_snaplen, &global_ld.bytes_written, &global_ld.err);
2777 successful = libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2778 &global_ld.bytes_written, &global_ld.err);
2781 fclose(global_ld.pdh);
2782 global_ld.pdh = NULL;
2783 global_ld.go = FALSE;
2786 if(cnd_autostop_size)
2787 cnd_reset(cnd_autostop_size);
2788 if(cnd_file_duration)
2789 cnd_reset(cnd_file_duration);
2790 libpcap_dump_flush(global_ld.pdh, NULL);
2792 report_packet_count(global_ld.inpkts_to_sync_pipe);
2793 global_ld.inpkts_to_sync_pipe = 0;
2794 report_new_capture_file(capture_opts->save_file);
2797 ret = fchown(global_ld.save_file_fd, capture_opts->owner, capture_opts->group);
2800 /* File switch failed: stop here */
2801 global_ld.go = FALSE;
2805 /* single file, stop now */
2806 global_ld.go = FALSE;
2812 /* Do the low-level work of a capture.
2813 Returns TRUE if it succeeds, FALSE otherwise. */
2815 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
2817 time_t upd_time, cur_time;
2821 condition *cnd_file_duration = NULL;
2822 condition *cnd_autostop_files = NULL;
2823 condition *cnd_autostop_size = NULL;
2824 condition *cnd_autostop_duration = NULL;
2827 gboolean cfilter_error = FALSE;
2828 char errmsg[MSG_MAX_LENGTH+1];
2829 char secondary_errmsg[MSG_MAX_LENGTH+1];
2832 *secondary_errmsg = '\0';
2834 /* init the loop data */
2835 global_ld.go = TRUE;
2836 global_ld.packet_count = 0;
2838 global_ld.report_packet_count = FALSE;
2840 if (capture_opts->has_autostop_packets)
2841 global_ld.packet_max = capture_opts->autostop_packets;
2843 global_ld.packet_max = 0; /* no limit */
2844 global_ld.inpkts_to_sync_pipe = 0;
2845 global_ld.err = 0; /* no error seen yet */
2846 global_ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
2847 global_ld.pcap_err = FALSE;
2848 global_ld.from_cap_pipe = FALSE;
2849 global_ld.pdh = NULL;
2851 global_ld.cap_pipe_fd = -1;
2853 global_ld.cap_pipe_h = INVALID_HANDLE_VALUE;
2855 #ifdef MUST_DO_SELECT
2856 global_ld.pcap_fd = 0;
2858 global_ld.autostop_files = 0;
2859 global_ld.save_file_fd = -1;
2861 /* We haven't yet gotten the capture statistics. */
2862 *stats_known = FALSE;
2864 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
2865 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
2867 /* open the "input file" from network interface or capture pipe */
2868 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
2869 secondary_errmsg, sizeof(secondary_errmsg))) {
2873 /* init the input filter from the network interface (capture pipe will do nothing) */
2874 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
2875 capture_opts->iface,
2876 capture_opts->cfilter)) {
2878 case INITFILTER_NO_ERROR:
2881 case INITFILTER_BAD_FILTER:
2882 cfilter_error = TRUE;
2883 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
2886 case INITFILTER_OTHER_ERROR:
2887 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
2888 pcap_geterr(global_ld.pcap_h));
2889 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
2893 /* If we're supposed to write to a capture file, open it for output
2894 (temporary/specified name/ringbuffer) */
2895 if (capture_opts->saving_to_file) {
2896 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
2897 errmsg, sizeof(errmsg))) {
2901 /* set up to write to the already-opened capture output file/files */
2902 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
2907 /* XXX - capture SIGTERM and close the capture, in case we're on a
2908 Linux 2.0[.x] system and you have to explicitly close the capture
2909 stream in order to turn promiscuous mode off? We need to do that
2910 in other places as well - and I don't think that works all the
2911 time in any case, due to libpcap bugs. */
2913 /* Well, we should be able to start capturing.
2915 Sync out the capture file, so the header makes it to the file system,
2916 and send a "capture started successfully and capture file created"
2917 message to our parent so that they'll open the capture file and
2918 update its windows to indicate that we have a live capture in
2920 libpcap_dump_flush(global_ld.pdh, NULL);
2921 report_new_capture_file(capture_opts->save_file);
2924 /* initialize capture stop (and alike) conditions */
2925 init_capture_stop_conditions();
2926 /* create stop conditions */
2927 if (capture_opts->has_autostop_filesize)
2929 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
2930 if (capture_opts->has_autostop_duration)
2931 cnd_autostop_duration =
2932 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
2934 if (capture_opts->multi_files_on) {
2935 if (capture_opts->has_file_duration)
2937 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
2939 if (capture_opts->has_autostop_files)
2940 cnd_autostop_files =
2941 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
2944 /* init the time values */
2945 start_time = TIME_GET();
2946 upd_time = TIME_GET();
2948 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
2950 /* WOW, everything is prepared! */
2951 /* please fasten your seat belts, we will enter now the actual capture loop */
2952 while (global_ld.go) {
2953 /* dispatch incoming packets */
2954 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
2958 /* Were we asked to print packet counts by the SIGINFO handler? */
2959 if (global_ld.report_packet_count) {
2960 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
2961 plurality(global_ld.packet_count, "", "s"));
2962 global_ld.report_packet_count = FALSE;
2967 /* any news from our parent (signal pipe)? -> just stop the capture */
2968 if (!signal_pipe_check_running()) {
2969 global_ld.go = FALSE;
2974 global_ld.inpkts_to_sync_pipe += inpkts;
2976 /* check capture size condition */
2977 if (cnd_autostop_size != NULL &&
2978 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
2979 /* Capture size limit reached, do we have another file? */
2980 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
2981 cnd_autostop_size, cnd_file_duration))
2983 } /* cnd_autostop_size */
2984 if (capture_opts->output_to_pipe) {
2985 libpcap_dump_flush(global_ld.pdh, NULL);
2989 /* Only update once a second (Win32: 500ms) so as not to overload slow
2990 * displays. This also prevents too much context-switching between the
2991 * dumpcap and wireshark processes */
2992 cur_time = TIME_GET();
2994 if ( (cur_time - upd_time) > 500) {
2996 if (cur_time - upd_time > 0) {
2998 upd_time = cur_time;
3000 /*if (pcap_stats(pch, stats) >= 0) {
3001 *stats_known = TRUE;
3004 /* Let the parent process know. */
3005 if (global_ld.inpkts_to_sync_pipe) {
3007 libpcap_dump_flush(global_ld.pdh, NULL);
3009 /* Send our parent a message saying we've written out
3010 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3012 report_packet_count(global_ld.inpkts_to_sync_pipe);
3014 global_ld.inpkts_to_sync_pipe = 0;
3017 /* check capture duration condition */
3018 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3019 /* The maximum capture time has elapsed; stop the capture. */
3020 global_ld.go = FALSE;
3024 /* check capture file duration condition */
3025 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3026 /* duration limit reached, do we have another file? */
3027 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3028 cnd_autostop_size, cnd_file_duration))
3030 } /* cnd_file_duration */
3033 } /* while (global_ld.go) */
3035 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3037 /* delete stop conditions */
3038 if (cnd_file_duration != NULL)
3039 cnd_delete(cnd_file_duration);
3040 if (cnd_autostop_files != NULL)
3041 cnd_delete(cnd_autostop_files);
3042 if (cnd_autostop_size != NULL)
3043 cnd_delete(cnd_autostop_size);
3044 if (cnd_autostop_duration != NULL)
3045 cnd_delete(cnd_autostop_duration);
3047 /* did we had a pcap (input) error? */
3048 if (global_ld.pcap_err) {
3049 /* On Linux, if an interface goes down while you're capturing on it,
3050 you'll get a "recvfrom: Network is down" error (ENETDOWN).
3051 (At least you will if strerror() doesn't show a local translation
3054 On FreeBSD and OS X, if a network adapter disappears while
3055 you're capturing on it, you'll get a "read: Device not configured"
3056 error (ENXIO). (See previous parenthetical note.)
3058 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3060 These should *not* be reported to the Wireshark developers. */
3063 cap_err_str = pcap_geterr(global_ld.pcap_h);
3064 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3065 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3066 strcmp(cap_err_str, "read: I/O error") == 0) {
3067 report_capture_error("The network adapter on which the capture was being done "
3068 "is no longer running; the capture has stopped.",
3071 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3073 report_capture_error(errmsg, please_report);
3076 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
3077 report_capture_error(errmsg, "");
3079 /* did we had an error while capturing? */
3080 if (global_ld.err == 0) {
3083 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3084 global_ld.err, FALSE);
3085 report_capture_error(errmsg, please_report);
3089 if (capture_opts->saving_to_file) {
3090 /* close the wiretap (output) file */
3091 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3095 /* there might be packets not yet notified to the parent */
3096 /* (do this after closing the file, so all packets are already flushed) */
3097 if(global_ld.inpkts_to_sync_pipe) {
3099 report_packet_count(global_ld.inpkts_to_sync_pipe);
3100 global_ld.inpkts_to_sync_pipe = 0;
3103 /* If we've displayed a message about a write error, there's no point
3104 in displaying another message about an error on close. */
3105 if (!close_ok && write_ok) {
3106 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3108 report_capture_error(errmsg, "");
3112 * XXX We exhibit different behaviour between normal mode and sync mode
3113 * when the pipe is stdin and not already at EOF. If we're a child, the
3114 * parent's stdin isn't closed, so if the user starts another capture,
3115 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3116 * will say "Unrecognized libpcap format". On the other hand, in normal
3117 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3120 /* get packet drop statistics from pcap */
3121 if(global_ld.pcap_h != NULL) {
3122 g_assert(!global_ld.from_cap_pipe);
3123 /* Get the capture statistics, so we know how many packets were
3125 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
3126 *stats_known = TRUE;
3127 /* Let the parent process know. */
3128 report_packet_drops(stats->ps_drop);
3130 g_snprintf(errmsg, sizeof(errmsg),
3131 "Can't get packet-drop statistics: %s",
3132 pcap_geterr(global_ld.pcap_h));
3133 report_capture_error(errmsg, please_report);
3137 /* close the input file (pcap or capture pipe) */
3138 capture_loop_close_input(&global_ld);
3140 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3142 /* ok, if the write and the close were successful. */
3143 return write_ok && close_ok;
3146 if (capture_opts->multi_files_on) {
3147 /* cleanup ringbuffer */
3148 ringbuf_error_cleanup();
3150 /* We can't use the save file, and we have no FILE * for the stream
3151 to close in order to close it, so close the FD directly. */
3152 if(global_ld.save_file_fd != -1) {
3153 ws_close(global_ld.save_file_fd);
3156 /* We couldn't even start the capture, so get rid of the capture
3158 if(capture_opts->save_file != NULL) {
3159 ws_unlink(capture_opts->save_file);
3160 g_free(capture_opts->save_file);
3163 capture_opts->save_file = NULL;
3165 report_cfilter_error(capture_opts->cfilter, errmsg);
3167 report_capture_error(errmsg, secondary_errmsg);
3169 /* close the input file (pcap or cap_pipe) */
3170 capture_loop_close_input(&global_ld);
3172 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3178 static void capture_loop_stop(void)
3180 #ifdef HAVE_PCAP_BREAKLOOP
3181 if(global_ld.pcap_h != NULL)
3182 pcap_breakloop(global_ld.pcap_h);
3184 global_ld.go = FALSE;
3189 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3190 int err, gboolean is_close)
3195 g_snprintf(errmsg, errmsglen,
3196 "Not all the packets could be written to the file"
3197 " to which the capture was being saved\n"
3198 "(\"%s\") because there is no space left on the file system\n"
3199 "on which that file resides.",
3205 g_snprintf(errmsg, errmsglen,
3206 "Not all the packets could be written to the file"
3207 " to which the capture was being saved\n"
3208 "(\"%s\") because you are too close to, or over,"
3209 " your disk quota\n"
3210 "on the file system on which that file resides.",
3215 case WTAP_ERR_CANT_CLOSE:
3216 g_snprintf(errmsg, errmsglen,
3217 "The file to which the capture was being saved"
3218 " couldn't be closed for some unknown reason.");
3221 case WTAP_ERR_SHORT_WRITE:
3222 g_snprintf(errmsg, errmsglen,
3223 "Not all the packets could be written to the file"
3224 " to which the capture was being saved\n"
3231 g_snprintf(errmsg, errmsglen,
3232 "The file to which the capture was being saved\n"
3233 "(\"%s\") could not be closed: %s.",
3234 fname, wtap_strerror(err));
3236 g_snprintf(errmsg, errmsglen,
3237 "An error occurred while writing to the file"
3238 " to which the capture was being saved\n"
3240 fname, wtap_strerror(err));
3247 /* one packet was captured, process it */
3249 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3252 loop_data *ld = (loop_data *) (void *) user;
3255 /* We may be called multiple times from pcap_dispatch(); if we've set
3256 the "stop capturing" flag, ignore this packet, as we're not
3257 supposed to be saving any more packets. */
3262 gboolean successful;
3263 /* We're supposed to write the packet to a file; do so.
3264 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3265 "ld->err" to the error. */
3266 if (global_capture_opts.use_pcapng) {
3267 successful = libpcap_write_enhanced_packet_block(ld->pdh, phdr, 0, pd, &ld->bytes_written, &err);
3269 successful = libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err);
3276 /* if the user told us to stop after x packets, do we already have enough? */
3277 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
3286 /* And now our feature presentation... [ fade to music ] */
3288 main(int argc, char *argv[])
3291 gboolean arg_error = FALSE;
3296 struct sigaction action, oldaction;
3299 gboolean start_capture = TRUE;
3300 gboolean stats_known;
3301 struct pcap_stat stats;
3302 GLogLevelFlags log_flags;
3303 gboolean list_interfaces = FALSE;
3304 gboolean list_link_layer_types = FALSE;
3305 #ifdef HAVE_BPF_IMAGE
3306 gboolean print_bpf_code = FALSE;
3308 gboolean machine_readable = FALSE;
3309 gboolean print_statistics = FALSE;
3310 int status, run_once_args = 0;
3312 #if defined(__APPLE__) && defined(__LP64__)
3313 struct utsname osinfo;
3318 * Initialize our DLL search path. MUST be called before LoadLibrary
3321 ws_init_dll_search_path();
3324 #ifdef HAVE_PCAP_REMOTE
3325 #define OPTSTRING_A "A:"
3326 #define OPTSTRING_r "r"
3327 #define OPTSTRING_u "u"
3329 #define OPTSTRING_A ""
3330 #define OPTSTRING_r ""
3331 #define OPTSTRING_u ""
3334 #ifdef HAVE_PCAP_SETSAMPLING
3335 #define OPTSTRING_m "m:"
3337 #define OPTSTRING_m ""
3340 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3341 #define OPTSTRING_B "B:"
3343 #define OPTSTRING_B ""
3344 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3346 #ifdef HAVE_PCAP_CREATE
3347 #define OPTSTRING_I "I"
3349 #define OPTSTRING_I ""
3352 #ifdef HAVE_BPF_IMAGE
3353 #define OPTSTRING_d "d"
3355 #define OPTSTRING_d ""
3358 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:" OPTSTRING_u "vw:y:Z:"
3360 #ifdef DEBUG_CHILD_DUMPCAP
3361 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3362 fprintf (stderr, "Unable to open debug log file !\n");
3367 #if defined(__APPLE__) && defined(__LP64__)
3369 * Is this Mac OS X 10.6.x, other than 10.6.2? If so, we need a bug
3370 * workaround - timeouts less than 1 second don't work with libpcap
3371 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3372 * and re-introduced in 10.6.3. We don't know whether it'll be fixed
3373 * again in a later 10.6.x release; we'll assume that it'll be fixed
3374 * in any future major releases.)
3376 if (uname(&osinfo) == 0) {
3378 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3379 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3380 * number of 10.0.0, not 10.1.0 - go figure).
3382 if (strncmp(osinfo.release, "10.", 3) == 0) {
3384 * OK, it's Snow Leopard - which version?
3386 if (strcmp(osinfo.release, "10.2.0") != 0) {
3388 need_timeout_workaround = TRUE;
3395 * Determine if dumpcap is being requested to run in a special
3396 * capture_child mode by going thru the command line args to see if
3397 * a -Z is present. (-Z is a hidden option).
3399 * The primary result of running in capture_child mode is that
3400 * all messages sent out on stderr are in a special type/len/string
3401 * format to allow message processing by type. These messages include
3402 * error messages if dumpcap fails to start the operation it was
3403 * requested to do, as well as various "status" messages which are sent
3404 * when an actual capture is in progress, and a "success" message sent
3405 * if dumpcap was requested to perform an operation other than a
3408 * Capture_child mode would normally be requested by a parent process
3409 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3410 * to which dumpcap stderr has been redirected. It might also have
3411 * another pipe to obtain dumpcap stdout output; for operations other
3412 * than a capture, that information is formatted specially for easier
3413 * parsing by the parent process.
3415 * Capture_child mode needs to be determined immediately upon
3416 * startup so that any messages generated by dumpcap in this mode
3417 * (eg: during initialization) will be formatted properly.
3420 for (i=1; i<argc; i++) {
3421 if (strcmp("-Z", argv[i]) == 0) {
3422 capture_child = TRUE;
3423 machine_readable = TRUE; /* request machine-readable output */
3425 /* set output pipe to binary mode, to avoid ugly text conversions */
3426 _setmode(2, O_BINARY);
3431 /* The default_log_handler will use stdout, which makes trouble in */
3432 /* capture child mode, as it uses stdout for it's sync_pipe. */
3433 /* So: the filtering is done in the console_log_handler and not here.*/
3434 /* We set the log handlers right up front to make sure that any log */
3435 /* messages when running as child will be sent back to the parent */
3436 /* with the correct format. */
3440 G_LOG_LEVEL_CRITICAL|
3441 G_LOG_LEVEL_WARNING|
3442 G_LOG_LEVEL_MESSAGE|
3445 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3447 g_log_set_handler(NULL,
3449 console_log_handler, NULL /* user_data */);
3450 g_log_set_handler(LOG_DOMAIN_MAIN,
3452 console_log_handler, NULL /* user_data */);
3453 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3455 console_log_handler, NULL /* user_data */);
3456 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3458 console_log_handler, NULL /* user_data */);
3461 /* Load wpcap if possible. Do this before collecting the run-time version information */
3464 /* ... and also load the packet.dll from wpcap */
3465 /* XXX - currently not required, may change later. */
3466 /*wpcap_packet_load();*/
3468 /* Start windows sockets */
3469 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3471 /* Set handler for Ctrl+C key */
3472 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3474 /* Prepare to read from a pipe */
3475 if (!g_thread_supported ())
3476 g_thread_init (NULL);
3477 cap_pipe_pending_q = g_async_queue_new();
3478 cap_pipe_done_q = g_async_queue_new();
3479 cap_pipe_read_mtx = g_mutex_new();
3482 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3484 action.sa_handler = capture_cleanup_handler;
3486 * Arrange that system calls not get restarted, because when
3487 * our signal handler returns we don't want to restart
3488 * a call that was waiting for packets to arrive.
3490 action.sa_flags = 0;
3491 sigemptyset(&action.sa_mask);
3492 sigaction(SIGTERM, &action, NULL);
3493 sigaction(SIGINT, &action, NULL);
3494 sigaction(SIGPIPE, &action, NULL);
3495 sigaction(SIGHUP, NULL, &oldaction);
3496 if (oldaction.sa_handler == SIG_DFL)
3497 sigaction(SIGHUP, &action, NULL);
3500 /* Catch SIGINFO and, if we get it and we're capturing in
3501 quiet mode, report the number of packets we've captured. */
3502 action.sa_handler = report_counts_siginfo;
3503 action.sa_flags = SA_RESTART;
3504 sigemptyset(&action.sa_mask);
3505 sigaction(SIGINFO, &action, NULL);
3506 #endif /* SIGINFO */
3509 /* ----------------------------------------------------------------- */
3510 /* Privilege and capability handling */
3512 /* 1. Running not as root or suid root; no special capabilities. */
3515 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3518 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3520 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3521 /* capabilities; Drop all other capabilities; */
3522 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3523 /* else: after pcap_open_live() in capture_loop_open_input() */
3524 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3525 /* (Note: this means that the process, although logged in */
3526 /* as root, does not have various permissions such as the */
3527 /* ability to bypass file access permissions). */
3528 /* XXX: Should we just leave capabilities alone in this case */
3529 /* so that user gets expected effect that root can do */
3532 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3534 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3535 /* else: after pcap_open_live() in capture_loop_open_input() */
3536 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3537 /* pcap_open_live). */
3539 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3541 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3542 /* capabilities; Drop all other capabilities; */
3543 /* Drop suid privileges (euid=ruid); */
3544 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3545 /* else: after pcap_open_live() in capture_loop_open_input() */
3546 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3548 /* XXX: For some Linux versions/distros with capabilities */
3549 /* a 'normal' process with any capabilities cannot be */
3550 /* 'killed' (signaled) from another (same uid) non-privileged */
3552 /* For example: If (non-suid) Wireshark forks a */
3553 /* child suid dumpcap which acts as described here (case 5), */
3554 /* Wireshark will be unable to kill (signal) the child */
3555 /* dumpcap process until the capabilities have been dropped */
3556 /* (after pcap_open_live()). */
3557 /* This behaviour will apparently be changed in the kernel */
3558 /* to allow the kill (signal) in this case. */
3559 /* See the following for details: */
3560 /* http://www.mail-archive.com/ [wrapped] */
3561 /* linux-security-module@vger.kernel.org/msg02913.html */
3563 /* It is therefore conceivable that if dumpcap somehow hangs */
3564 /* in pcap_open_live or before that wireshark will not */
3565 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3566 /* In this case, exiting wireshark will kill the child */
3567 /* dumpcap process. */
3569 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3570 /* capabilities; Using libcap. Note: capset cmd (which see) */
3571 /* used to assign capabilities to file. */
3573 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3574 /* else: after pcap_open_live() in capture_loop_open_input() */
3575 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3577 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3578 /* longer required (similar to capture). */
3580 /* ----------------------------------------------------------------- */
3582 init_process_policies();
3585 /* If 'started with special privileges' (and using libcap) */
3586 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3587 /* Set euid/egid = ruid/rgid to remove suid privileges */
3588 relinquish_privs_except_capture();
3591 /* Set the initial values in the capture options. This might be overwritten
3592 by the command line parameters. */
3593 capture_opts_init(&global_capture_opts, NULL);
3595 /* Default to capturing the entire packet. */
3596 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3598 /* We always save to a file - if no file was specified, we save to a
3600 global_capture_opts.saving_to_file = TRUE;
3601 global_capture_opts.has_ring_num_files = TRUE;
3603 /* Now get our args */
3604 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3606 case 'h': /* Print help and exit */
3610 case 'v': /* Show version and exit */
3612 GString *comp_info_str;
3613 GString *runtime_info_str;
3614 /* Assemble the compile-time version information string */
3615 comp_info_str = g_string_new("Compiled ");
3616 get_compiled_version_info(comp_info_str, NULL, NULL);
3618 /* Assemble the run-time version information string */
3619 runtime_info_str = g_string_new("Running ");
3620 get_runtime_version_info(runtime_info_str, NULL);
3621 show_version(comp_info_str, runtime_info_str);
3622 g_string_free(comp_info_str, TRUE);
3623 g_string_free(runtime_info_str, TRUE);
3627 /*** capture option specific ***/
3628 case 'a': /* autostop criteria */
3629 case 'b': /* Ringbuffer option */
3630 case 'c': /* Capture x packets */
3631 case 'f': /* capture filter */
3632 case 'i': /* Use interface x */
3633 case 'n': /* Use pcapng format */
3634 case 'p': /* Don't capture in promiscuous mode */
3635 case 's': /* Set the snapshot (capture) length */
3636 case 'w': /* Write to capture file x */
3637 case 'g': /* enable group read accesson file(s) */
3638 case 'y': /* Set the pcap data link type */
3639 #ifdef HAVE_PCAP_REMOTE
3640 case 'u': /* Use UDP for data transfer */
3641 case 'r': /* Capture own RPCAP traffic too */
3642 case 'A': /* Authentication */
3644 #ifdef HAVE_PCAP_SETSAMPLING
3645 case 'm': /* Sampling */
3647 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3648 case 'B': /* Buffer size */
3649 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3650 #ifdef HAVE_PCAP_CREATE
3651 case 'I': /* Monitor mode */
3653 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
3658 /*** hidden option: Wireshark child mode (using binary output messages) ***/
3660 capture_child = TRUE;
3662 /* set output pipe to binary mode, to avoid ugly text conversions */
3663 _setmode(2, O_BINARY);
3665 * optarg = the control ID, aka the PPID, currently used for the
3668 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
3669 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
3670 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
3671 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
3673 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
3674 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3675 "Signal pipe: Unable to open %s. Dead parent?",
3683 case 'q': /* Quiet */
3687 /*** all non capture option specific ***/
3688 case 'D': /* Print a list of capture devices and exit */
3689 list_interfaces = TRUE;
3692 case 'L': /* Print list of link-layer types and exit */
3693 list_link_layer_types = TRUE;
3696 #ifdef HAVE_BPF_IMAGE
3697 case 'd': /* Print BPF code for capture filter and exit */
3698 print_bpf_code = TRUE;
3702 case 'S': /* Print interface statistics once a second */
3703 print_statistics = TRUE;
3706 case 'M': /* For -D, -L, and -S, print machine-readable output */
3707 machine_readable = TRUE;
3710 case '?': /* Bad flag - print usage message */
3711 cmdarg_err("Invalid Option: %s", argv[optind-1]);
3719 /* user specified file name as regular command-line argument */
3720 /* XXX - use it as the capture file name (or something else)? */
3727 * Extra command line arguments were specified; complain.
3728 * XXX - interpret as capture filter, as tcpdump and tshark do?
3730 cmdarg_err("Invalid argument: %s", argv[0]);
3739 if (run_once_args > 1) {
3740 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
3742 } else if (run_once_args == 1) {
3743 /* We're supposed to print some information, rather than
3744 to capture traffic; did they specify a ring buffer option? */
3745 if (global_capture_opts.multi_files_on) {
3746 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
3750 /* We're supposed to capture traffic; was the ring buffer option
3751 specified and, if so, does it make sense? */
3752 if (global_capture_opts.multi_files_on) {
3753 /* Ring buffer works only under certain conditions:
3754 a) ring buffer does not work with temporary files;
3755 b) it makes no sense to enable the ring buffer if the maximum
3756 file size is set to "infinite". */
3757 if (global_capture_opts.save_file == NULL) {
3758 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
3759 global_capture_opts.multi_files_on = FALSE;
3761 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
3762 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
3763 /* XXX - this must be redesigned as the conditions changed */
3764 /* global_capture_opts.multi_files_on = FALSE;*/
3770 * "-D" requires no interface to be selected; it's supposed to list
3773 if (list_interfaces) {
3774 /* Get the list of interfaces */
3779 if_list = capture_interface_list(&err, &err_str);
3780 if (if_list == NULL) {
3782 case CANT_GET_INTERFACE_LIST:
3783 cmdarg_err("%s", err_str);
3788 case NO_INTERFACES_FOUND:
3790 * If we're being run by another program, just give them
3791 * an empty list of interfaces, don't report this as
3792 * an error; that lets them decide whether to report
3793 * this as an error or not.
3795 if (!machine_readable) {
3796 cmdarg_err("There are no interfaces on which a capture can be done");
3803 if (machine_readable) /* tab-separated values to stdout */
3804 print_machine_readable_interfaces(if_list);
3806 capture_opts_print_interfaces(if_list);
3807 free_interface_list(if_list);
3812 * "-S" requires no interface to be selected; it gives statistics
3813 * for all interfaces.
3815 if (print_statistics) {
3816 status = print_statistics_loop(machine_readable);
3821 * "-L", "-d", and capturing act on a particular interface, so we have to
3822 * have an interface; if none was specified, pick a default.
3824 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
3825 /* cmdarg_err() already called .... */
3829 /* Let the user know what interface was chosen. */
3830 /* get_interface_descriptive_name() is not available! */
3831 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
3833 if (list_link_layer_types) {
3834 /* Get the list of link-layer types for the capture device. */
3835 if_capabilities_t *caps;
3838 caps = get_if_capabilities(global_capture_opts.iface,
3839 global_capture_opts.monitor_mode, &err_str);
3841 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
3842 "Please check to make sure you have sufficient permissions, and that\n"
3843 "you have the proper interface or pipe specified.", global_capture_opts.iface, err_str);
3847 if (caps->data_link_types == NULL) {
3848 cmdarg_err("The capture device \"%s\" has no data link types.", global_capture_opts.iface);
3851 if (machine_readable) /* tab-separated values to stdout */
3852 print_machine_readable_if_capabilities(caps);
3854 capture_opts_print_if_capabilities(caps,
3855 global_capture_opts.monitor_mode);
3856 free_if_capabilities(caps);
3860 /* We're supposed to do a capture, or print the BPF code for a filter.
3861 Process the snapshot length, as that affects the generated BPF code. */
3862 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
3864 #ifdef HAVE_BPF_IMAGE
3865 if (print_bpf_code) {
3866 show_filter_code(&global_capture_opts);
3871 /* We're supposed to do a capture. Process the ring buffer arguments. */
3872 capture_opts_trim_ring_num_files(&global_capture_opts);
3874 /* Now start the capture. */
3876 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
3880 /* capture failed */
3887 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
3888 const char *message, gpointer user_data _U_)
3895 /* ignore log message, if log_level isn't interesting */
3896 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3897 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
3902 /* create a "timestamp" */
3904 today = localtime(&curr);
3906 switch(log_level & G_LOG_LEVEL_MASK) {
3907 case G_LOG_LEVEL_ERROR:
3910 case G_LOG_LEVEL_CRITICAL:
3913 case G_LOG_LEVEL_WARNING:
3916 case G_LOG_LEVEL_MESSAGE:
3919 case G_LOG_LEVEL_INFO:
3922 case G_LOG_LEVEL_DEBUG:
3926 fprintf(stderr, "unknown log_level %u\n", log_level);
3928 g_assert_not_reached();
3931 /* Generate the output message */
3932 if(log_level & G_LOG_LEVEL_MESSAGE) {
3933 /* normal user messages without additional infos */
3934 msg = g_strdup_printf("%s\n", message);
3936 /* info/debug messages with additional infos */
3937 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
3938 today->tm_hour, today->tm_min, today->tm_sec,
3939 log_domain != NULL ? log_domain : "",
3943 /* DEBUG & INFO msgs (if we're debugging today) */
3944 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3945 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3946 #ifdef DEBUG_DUMPCAP
3947 fprintf(stderr, "%s", msg);
3950 #ifdef DEBUG_CHILD_DUMPCAP
3951 fprintf(debug_log, "%s", msg);
3959 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
3960 /* to parent especially formatted if dumpcap running as child. */
3961 if (capture_child) {
3962 sync_pipe_errmsg_to_parent(2, msg, "");
3964 fprintf(stderr, "%s", msg);
3971 /****************************************************************************************************************/
3972 /* indication report routines */
3976 report_packet_count(int packet_count)
3978 char tmp[SP_DECISIZE+1+1];
3979 static int count = 0;
3982 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
3983 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
3984 pipe_write_block(2, SP_PACKET_COUNT, tmp);
3986 count += packet_count;
3987 fprintf(stderr, "\rPackets: %u ", count);
3988 /* stderr could be line buffered */
3994 report_new_capture_file(const char *filename)
3997 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
3998 pipe_write_block(2, SP_FILE, filename);
4002 * Prevent a SIGINFO handler from writing to the standard error
4003 * while we're doing so; instead, have it just set a flag telling
4004 * us to print that information when we're done.
4007 #endif /* SIGINFO */
4008 fprintf(stderr, "File: %s\n", filename);
4009 /* stderr could be line buffered */
4014 * Allow SIGINFO handlers to write.
4019 * If a SIGINFO handler asked us to write out capture counts, do so.
4023 #endif /* SIGINFO */
4028 report_cfilter_error(const char *cfilter, const char *errmsg)
4030 if (capture_child) {
4031 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4032 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4035 "Invalid capture filter: \"%s\"!\n"
4037 "That string isn't a valid capture filter (%s).\n"
4038 "See the User's Guide for a description of the capture filter syntax.\n",
4044 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4047 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4048 "Primary Error: %s", error_msg);
4049 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4050 "Secondary Error: %s", secondary_error_msg);
4051 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4053 fprintf(stderr, "%s\n", error_msg);
4054 if (secondary_error_msg[0] != '\0')
4055 fprintf(stderr, "%s\n", secondary_error_msg);
4060 report_packet_drops(guint32 drops)
4062 char tmp[SP_DECISIZE+1+1];
4064 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4067 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets dropped: %s", tmp);
4068 pipe_write_block(2, SP_DROPS, tmp);
4070 fprintf(stderr, "Packets dropped: %s\n", tmp);
4071 /* stderr could be line buffered */
4077 /****************************************************************************************************************/
4078 /* signal_pipe handling */
4083 signal_pipe_check_running(void)
4085 /* any news from our parent? -> just stop the capture */
4089 /* if we are running standalone, no check required */
4090 if(!capture_child) {
4094 if(!sig_pipe_name || !sig_pipe_handle) {
4095 /* This shouldn't happen */
4096 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4097 "Signal pipe: No name or handle");
4102 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4103 * at this point. Should we check to see if the parent is still alive,
4104 * e.g. by using OpenProcess?
4107 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4109 if(!result || avail > 0) {
4110 /* peek failed or some bytes really available */
4111 /* (if not piping from stdin this would fail) */
4112 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4113 "Signal pipe: Stop capture: %s", sig_pipe_name);
4114 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4115 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4116 sig_pipe_handle, result, avail);
4119 /* pipe ok and no bytes available */
4126 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4131 * indent-tabs-mode: nil
4134 * vi: set shiftwidth=4 tabstop=8 expandtab
4135 * :indentSize=4:tabSize=8:noTabs=true: