5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
126 #ifdef DEBUG_CHILD_DUMPCAP
127 FILE *debug_log; /* for logging debug messages to */
128 /* a file if DEBUG_CHILD_DUMPCAP */
136 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
138 static gchar *sig_pipe_name = NULL;
139 static HANDLE sig_pipe_handle = NULL;
140 static gboolean signal_pipe_check_running(void);
144 static GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
145 static GMutex *cap_pipe_read_mtx;
149 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
150 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
153 /** Stop a low-level capture (stops the capture child). */
154 static void capture_loop_stop(void);
156 #if !defined (__linux__)
157 #ifndef HAVE_PCAP_BREAKLOOP
159 * We don't have pcap_breakloop(), which is the only way to ensure that
160 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
161 * won't, if the call to read the next packet or batch of packets is
162 * is interrupted by a signal on UN*X, just go back and try again to
165 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
166 * the signal handler, set a flag to stop capturing; however, without
167 * a guarantee of that sort, we can't guarantee that we'll stop capturing
168 * if the read will be retried and won't time out if no packets arrive.
170 * Therefore, on at least some platforms, we work around the lack of
171 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
172 * to wait for packets to arrive, so that we're probably going to be
173 * blocked in the select() when the signal arrives, and can just bail
174 * out of the loop at that point.
176 * However, we don't want to do that on BSD (because "select()" doesn't work
177 * correctly on BPF devices on at least some releases of some flavors of
178 * BSD), and we don't want to do it on Windows (because "select()" is
179 * something for sockets, not for arbitrary handles). (Note that "Windows"
180 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
181 * using WinPcap, not a UNIX libpcap.)
183 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
184 * on BSD times out even if no packets have arrived, so we'll eventually
185 * exit pcap_dispatch() with an indication that no packets have arrived,
186 * and will break out of the capture loop at that point.
188 * On Windows, we can't send a SIGINT to stop capturing, so none of this
189 * applies in any case.
191 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
192 * want to include it if it's not present on this platform, however.
194 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
195 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
197 # define MUST_DO_SELECT
198 # endif /* avoid select */
199 #endif /* HAVE_PCAP_BREAKLOOP */
201 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
202 * in pcap_dispatch(); on the other hand, select() works just fine there.
203 * Hence we use a select for that come what may.
205 #define MUST_DO_SELECT
208 /** init the capture filter */
211 INITFILTER_BAD_FILTER,
212 INITFILTER_OTHER_ERROR
213 } initfilter_status_t;
215 typedef struct _loop_data {
217 gboolean go; /* TRUE as long as we're supposed to keep capturing */
218 int err; /* if non-zero, error seen while capturing */
219 gint packet_count; /* Number of packets we have already captured */
220 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
221 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
223 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
226 /* pcap "input file" */
227 pcap_t *pcap_h; /* pcap handle */
228 gboolean pcap_err; /* TRUE if error from pcap */
229 #ifdef MUST_DO_SELECT
230 int pcap_fd; /* pcap file descriptor */
233 /* capture pipe (unix only "input file") */
234 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
235 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
236 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
238 HANDLE cap_pipe_h; /* The handle of the capture pipe */
240 int cap_pipe_fd; /* the file descriptor of the capture pipe */
242 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
243 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
245 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
246 #endif /* USE_THREADS */
247 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
248 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
250 STATE_EXPECT_REC_HDR,
255 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 guint32 autostop_files;
267 * Standard secondary message for unexpected errors.
269 static const char please_report[] =
270 "Please report this to the Wireshark developers.\n"
271 "(This is not a crash; please do not report it as such.)";
274 * This needs to be static, so that the SIGINT handler can clear the "go"
277 static loop_data global_ld;
281 * Timeout, in milliseconds, for reads from the stream of captured packets
282 * from a capture device.
284 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
285 * 64-bit applications, with sub-second timeouts not to work. The bug is
286 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
288 #if defined(__APPLE__) && defined(__LP64__)
289 static gboolean need_timeout_workaround;
291 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
293 #define CAP_READ_TIMEOUT 250
297 * Timeout, in microseconds, for reads from the stream of captured packets
298 * from a pipe. Pipes don't have the same problem that BPF devices do
299 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
300 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
301 * of the offending versions of Snow Leopard.
303 * On Windows this value is converted to milliseconds and passed to
304 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
305 * will return immediately.
308 #define PIPE_READ_TIMEOUT 250000
310 #define PIPE_READ_TIMEOUT 100000
312 static const char *cap_pipe_err_str;
315 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
316 const char *message, gpointer user_data _U_);
318 /* capture related options */
319 static capture_options global_capture_opts;
320 static gboolean quiet = FALSE;
322 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
324 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
325 int err, gboolean is_close);
327 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
329 static void report_new_capture_file(const char *filename);
330 static void report_packet_count(int packet_count);
331 static void report_packet_drops(guint32 drops);
332 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
333 static void report_cfilter_error(const char *cfilter, const char *errmsg);
335 #define MSG_MAX_LENGTH 4096
338 print_usage(gboolean print_ver)
345 "Dumpcap " VERSION "%s\n"
346 "Capture network packets and dump them into a libpcap file.\n"
347 "See http://www.wireshark.org for more information.\n",
348 wireshark_svnversion);
352 fprintf(output, "\nUsage: dumpcap [options] ...\n");
353 fprintf(output, "\n");
354 fprintf(output, "Capture interface:\n");
355 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
356 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
357 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
358 fprintf(output, " -p don't capture in promiscuous mode\n");
359 #ifdef HAVE_PCAP_CREATE
360 fprintf(output, " -I capture in monitor mode, if available\n");
362 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
363 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
365 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
366 fprintf(output, " -D print list of interfaces and exit\n");
367 fprintf(output, " -L print list of link-layer types of iface and exit\n");
368 #ifdef HAVE_BPF_IMAGE
369 fprintf(output, " -d print generated BPF code for capture filter\n");
371 fprintf(output, " -S print statistics for each interface once every second\n");
372 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
373 fprintf(output, "\n");
374 #ifdef HAVE_PCAP_REMOTE
375 fprintf(output, "\nRPCAP options:\n");
376 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
377 fprintf(output, " -u use UDP for RPCAP data transfer\n");
378 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
379 #ifdef HAVE_PCAP_SETSAMPLING
380 fprintf(output, " -m <sampling type> use packet sampling\n");
381 fprintf(output, " count:NUM - capture one packet of every NUM\n");
382 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
385 fprintf(output, "Stop conditions:\n");
386 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
387 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
388 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
389 fprintf(output, " files:NUM - stop after NUM files\n");
390 /*fprintf(output, "\n");*/
391 fprintf(output, "Output (files):\n");
392 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
393 fprintf(output, " -g enable group read access on the output file(s)\n");
394 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
395 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
396 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
397 fprintf(output, " -n use pcapng format instead of pcap\n");
398 /*fprintf(output, "\n");*/
399 fprintf(output, "Miscellaneous:\n");
400 fprintf(output, " -q don't report packet capture counts\n");
401 fprintf(output, " -v print version information and exit\n");
402 fprintf(output, " -h display this help and exit\n");
403 fprintf(output, "\n");
404 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
405 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
406 fprintf(output, "\n");
407 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
411 show_version(GString *comp_info_str, GString *runtime_info_str)
414 "Dumpcap " VERSION "%s\n"
419 "See http://www.wireshark.org for more information.\n",
420 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
424 * Print to the standard error. This is a command-line tool, so there's
425 * no need to pop up a console.
428 vfprintf_stderr(const char *fmt, va_list ap)
430 vfprintf(stderr, fmt, ap);
434 fprintf_stderr(const char *fmt, ...)
439 vfprintf_stderr(fmt, ap);
444 * Report an error in command-line arguments.
447 cmdarg_err(const char *fmt, ...)
453 /* Generate a 'special format' message back to parent */
455 msg = g_strdup_vprintf(fmt, ap);
456 sync_pipe_errmsg_to_parent(2, msg, "");
461 fprintf(stderr, "dumpcap: ");
462 vfprintf(stderr, fmt, ap);
463 fprintf(stderr, "\n");
469 * Report additional information for an error in command-line arguments.
472 cmdarg_err_cont(const char *fmt, ...)
479 msg = g_strdup_vprintf(fmt, ap);
480 sync_pipe_errmsg_to_parent(2, msg, "");
485 vfprintf(stderr, fmt, ap);
486 fprintf(stderr, "\n");
493 #if 0 /* Set to enable capability debugging */
494 /* see 'man cap_to_text()' for explanation of output */
495 /* '=' means 'all= ' ie: no capabilities */
496 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
498 print_caps(const char *pfx) {
499 cap_t caps = cap_get_proc();
500 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
501 "%s: EUID: %d Capabilities: %s", pfx,
502 geteuid(), cap_to_text(caps, NULL));
505 print_caps(const char *pfx _U_) {
510 relinquish_all_capabilities(void)
512 /* Drop any and all capabilities this process may have. */
513 /* Allowed whether or not process has any privileges. */
514 cap_t caps = cap_init(); /* all capabilities initialized to off */
515 print_caps("Pre-clear");
516 if (cap_set_proc(caps)) {
517 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
519 print_caps("Post-clear");
525 open_capture_device(capture_options *capture_opts,
526 char (*open_err_str)[PCAP_ERRBUF_SIZE])
529 #ifdef HAVE_PCAP_CREATE
532 #ifdef HAVE_PCAP_REMOTE
533 struct pcap_rmtauth auth;
536 /* Open the network interface to capture from it.
537 Some versions of libpcap may put warnings into the error buffer
538 if they succeed; to tell if that's happened, we have to clear
539 the error buffer, and check if it's still a null string. */
540 (*open_err_str)[0] = '\0';
541 #ifdef HAVE_PCAP_OPEN
543 * If we're opening a remote device, use pcap_open(); that's currently
544 * the only open routine that supports remote devices.
546 if (strncmp (capture_opts->iface, "rpcap://", 8) == 0) {
547 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
548 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
549 auth.username = capture_opts->auth_username;
550 auth.password = capture_opts->auth_password;
552 pcap_h = pcap_open(capture_opts->iface,
553 capture_opts->has_snaplen ? capture_opts->snaplen :
554 WTAP_MAX_PACKET_SIZE,
556 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
557 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
558 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
559 CAP_READ_TIMEOUT, &auth, *open_err_str);
561 #endif /* HAVE_PCAP_OPEN */
564 * If we're not opening a remote device, use pcap_create() and
565 * pcap_activate() if we have them, so that we can set the buffer
566 * size, otherwise use pcap_open_live().
568 #ifdef HAVE_PCAP_CREATE
569 pcap_h = pcap_create(capture_opts->iface, *open_err_str);
570 if (pcap_h != NULL) {
571 pcap_set_snaplen(pcap_h, capture_opts->has_snaplen ? capture_opts->snaplen : WTAP_MAX_PACKET_SIZE);
572 pcap_set_promisc(pcap_h, capture_opts->promisc_mode);
573 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
575 if (capture_opts->buffer_size > 1) {
576 pcap_set_buffer_size(pcap_h, capture_opts->buffer_size * 1024 * 1024);
578 if (capture_opts->monitor_mode)
579 pcap_set_rfmon(pcap_h, 1);
580 err = pcap_activate(pcap_h);
582 /* Failed to activate, set to NULL */
583 if (err == PCAP_ERROR)
584 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
586 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
592 pcap_h = pcap_open_live(capture_opts->iface,
593 capture_opts->has_snaplen ? capture_opts->snaplen :
594 WTAP_MAX_PACKET_SIZE,
595 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
600 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
601 /* to remove any suid privileges. */
602 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
603 /* (euid/egid have already previously been set to ruid/rgid. */
604 /* (See comment in main() for details) */
606 relinquish_special_privs_perm();
608 relinquish_all_capabilities();
615 get_capture_device_open_failure_messages(const char *open_err_str,
621 char *errmsg, size_t errmsg_len,
622 char *secondary_errmsg,
623 size_t secondary_errmsg_len)
625 const char *libpcap_warn;
626 static const char ppamsg[] = "can't find PPA for ";
628 /* If we got a "can't find PPA for X" message, warn the user (who
629 is running dumcap on HP-UX) that they don't have a version of
630 libpcap that properly handles HP-UX (libpcap 0.6.x and later
631 versions, which properly handle HP-UX, say "can't find /dev/dlpi
632 PPA for X" rather than "can't find PPA for X"). */
633 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
636 "You are running (T)Wireshark with a version of the libpcap library\n"
637 "that doesn't handle HP-UX network devices well; this means that\n"
638 "(T)Wireshark may not be able to capture packets.\n"
640 "To fix this, you should install libpcap 0.6.2, or a later version\n"
641 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
642 "packaged binary form from the Software Porting And Archive Centre\n"
643 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
644 "at the URL lists a number of mirror sites.";
647 g_snprintf(errmsg, (gulong) errmsg_len,
648 "The capture session could not be initiated (%s).", open_err_str);
650 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
651 "Please check to make sure you have sufficient permissions, and that you have "
652 "the proper interface or pipe specified.%s", libpcap_warn);
654 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
656 "Please check that \"%s\" is the proper interface.\n"
659 "Help can be found at:\n"
661 " http://wiki.wireshark.org/WinPcap\n"
662 " http://wiki.wireshark.org/CaptureSetup\n",
667 /* Set the data link type on a pcap. */
669 set_pcap_linktype(pcap_t *pcap_h, capture_options *capture_opts,
670 char *errmsg, size_t errmsg_len,
671 char *secondary_errmsg, size_t secondary_errmsg_len)
673 char *set_linktype_err_str;
675 if (capture_opts->linktype == -1)
676 return TRUE; /* just use the default */
677 #ifdef HAVE_PCAP_SET_DATALINK
678 if (pcap_set_datalink(pcap_h, capture_opts->linktype) == 0)
679 return TRUE; /* no error */
680 set_linktype_err_str = pcap_geterr(pcap_h);
682 /* Let them set it to the type it is; reject any other request. */
683 if (get_pcap_linktype(pcap_h, capture_opts->iface) == capture_opts->linktype)
684 return TRUE; /* no error */
685 set_linktype_err_str =
686 "That DLT isn't one of the DLTs supported by this device";
688 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
689 set_linktype_err_str);
691 * If the error isn't "XXX is not one of the DLTs supported by this device",
692 * tell the user to tell the Wireshark developers about it.
694 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
695 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
697 secondary_errmsg[0] = '\0';
702 compile_capture_filter(const char *iface, pcap_t *pcap_h,
703 struct bpf_program *fcode, char *cfilter)
705 bpf_u_int32 netnum, netmask;
706 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
708 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
710 * Well, we can't get the netmask for this interface; it's used
711 * only for filters that check for broadcast IP addresses, so
712 * we just punt and use 0. It might be nice to warn the user,
713 * but that's a pain in a GUI application, as it'd involve popping
714 * up a message box, and it's not clear how often this would make
715 * a difference (only filters that check for IP broadcast addresses
719 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
722 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
727 #ifdef HAVE_BPF_IMAGE
729 show_filter_code(capture_options *capture_opts)
732 gchar open_err_str[PCAP_ERRBUF_SIZE];
733 char errmsg[MSG_MAX_LENGTH+1];
734 char secondary_errmsg[MSG_MAX_LENGTH+1];
735 struct bpf_program fcode;
736 struct bpf_insn *insn;
739 pcap_h = open_capture_device(capture_opts, &open_err_str);
740 if (pcap_h == NULL) {
741 /* Open failed; get messages */
742 get_capture_device_open_failure_messages(open_err_str,
744 errmsg, sizeof errmsg,
746 sizeof secondary_errmsg);
747 /* And report them */
748 report_capture_error(errmsg, secondary_errmsg);
752 /* Set the link-layer type. */
753 if (!set_pcap_linktype(pcap_h, capture_opts, errmsg, sizeof errmsg,
754 secondary_errmsg, sizeof secondary_errmsg)) {
756 report_capture_error(errmsg, secondary_errmsg);
760 /* OK, try to compile the capture filter. */
761 if (!compile_capture_filter(capture_opts->iface, pcap_h, &fcode,
762 capture_opts->cfilter)) {
764 report_cfilter_error(capture_opts->cfilter, errmsg);
770 /* Let our parent know we succeeded. */
771 pipe_write_block(2, SP_SUCCESS, NULL);
774 /* Now print the filter code. */
775 insn = fcode.bf_insns;
777 for (i = 0; i < fcode.bf_len; insn++, i++)
778 printf("%s\n", bpf_image(insn, i));
784 * capture_interface_list() is expected to do the right thing to get
785 * a list of interfaces.
787 * In most of the programs in the Wireshark suite, "the right thing"
788 * is to run dumpcap and ask it for the list, because dumpcap may
789 * be the only program in the suite with enough privileges to get
792 * In dumpcap itself, however, we obviously can't run dumpcap to
793 * ask for the list. Therefore, our capture_interface_list() should
794 * just call get_interface_list().
797 capture_interface_list(int *err, char **err_str)
799 return get_interface_list(err, err_str);
803 * Get the data-link type for a libpcap device.
804 * This works around AIX 5.x's non-standard and incompatible-with-the-
805 * rest-of-the-universe libpcap.
808 get_pcap_linktype(pcap_t *pch, const char *devname
816 const char *ifacename;
819 linktype = pcap_datalink(pch);
823 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
824 * rather than DLT_ values for link-layer types; the ifType values
825 * for LAN devices are:
832 * and the ifType value for a loopback device is 24.
834 * The AIX names for LAN devices begin with:
841 * and the AIX names for loopback devices begin with "lo".
843 * (The difference between "Ethernet" and "802.3" is presumably
844 * whether packets have an Ethernet header, with a packet type,
845 * or an 802.3 header, with a packet length, followed by an 802.2
846 * header and possibly a SNAP header.)
848 * If the device name matches "linktype" interpreted as an ifType
849 * value, rather than as a DLT_ value, we will assume this is AIX's
850 * non-standard, incompatible libpcap, rather than a standard libpcap,
851 * and will map the link-layer type to the standard DLT_ value for
852 * that link-layer type, as that's what the rest of Wireshark expects.
854 * (This means the capture files won't be readable by a tcpdump
855 * linked with AIX's non-standard libpcap, but so it goes. They
856 * *will* be readable by standard versions of tcpdump, Wireshark,
859 * XXX - if we conclude we're using AIX libpcap, should we also
860 * set a flag to cause us to assume the time stamps are in
861 * seconds-and-nanoseconds form, and to convert them to
862 * seconds-and-microseconds form before processing them and
867 * Find the last component of the device name, which is the
870 ifacename = strchr(devname, '/');
871 if (ifacename == NULL)
874 /* See if it matches any of the LAN device names. */
875 if (strncmp(ifacename, "en", 2) == 0) {
878 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
882 } else if (strncmp(ifacename, "et", 2) == 0) {
885 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
886 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
891 } else if (strncmp(ifacename, "tr", 2) == 0) {
894 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
895 * DLT_IEEE802, which is what's used for Token Ring.
899 } else if (strncmp(ifacename, "fi", 2) == 0) {
900 if (linktype == 15) {
902 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
906 } else if (strncmp(ifacename, "lo", 2) == 0) {
907 if (linktype == 24) {
909 * That's the RFC 1573 value for "software loopback" devices; map it
910 * to DLT_NULL, which is what's used for loopback devices on BSD.
920 static data_link_info_t *
921 create_data_link_info(int dlt)
923 data_link_info_t *data_link_info;
926 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
927 data_link_info->dlt = dlt;
928 text = pcap_datalink_val_to_name(dlt);
930 data_link_info->name = g_strdup(text);
932 data_link_info->name = g_strdup_printf("DLT %d", dlt);
933 text = pcap_datalink_val_to_description(dlt);
935 data_link_info->description = g_strdup(text);
937 data_link_info->description = NULL;
938 return data_link_info;
942 * Get the capabilities of a network device.
944 static if_capabilities_t *
945 get_if_capabilities(const char *devname, gboolean monitor_mode
946 #ifndef HAVE_PCAP_CREATE
951 if_capabilities_t *caps;
952 char errbuf[PCAP_ERRBUF_SIZE];
954 #ifdef HAVE_PCAP_CREATE
958 #ifdef HAVE_PCAP_LIST_DATALINKS
962 data_link_info_t *data_link_info;
965 * Allocate the interface capabilities structure.
967 caps = g_malloc(sizeof *caps);
969 #ifdef HAVE_PCAP_OPEN
970 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
971 caps->can_set_rfmon = FALSE;
974 *err_str = g_strdup(errbuf);
978 #elif defined(HAVE_PCAP_CREATE)
979 pch = pcap_create(devname, errbuf);
982 *err_str = g_strdup(errbuf);
986 status = pcap_can_set_rfmon(pch);
989 if (status == PCAP_ERROR)
990 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
993 *err_str = g_strdup(pcap_statustostr(status));
999 caps->can_set_rfmon = FALSE;
1000 else if (status == 1) {
1001 caps->can_set_rfmon = TRUE;
1003 pcap_set_rfmon(pch, 1);
1005 if (err_str != NULL) {
1006 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1014 status = pcap_activate(pch);
1016 /* Error. We ignore warnings (status > 0). */
1017 if (err_str != NULL) {
1018 if (status == PCAP_ERROR)
1019 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1022 *err_str = g_strdup(pcap_statustostr(status));
1029 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1030 caps->can_set_rfmon = FALSE;
1032 if (err_str != NULL)
1033 *err_str = g_strdup(errbuf);
1038 deflt = get_pcap_linktype(pch, devname);
1039 #ifdef HAVE_PCAP_LIST_DATALINKS
1040 nlt = pcap_list_datalinks(pch, &linktypes);
1041 if (nlt == 0 || linktypes == NULL) {
1043 if (err_str != NULL)
1044 *err_str = NULL; /* an empty list doesn't mean an error */
1047 caps->data_link_types = NULL;
1048 for (i = 0; i < nlt; i++) {
1049 data_link_info = create_data_link_info(linktypes[i]);
1052 * XXX - for 802.11, make the most detailed 802.11
1053 * version the default, rather than the one the
1054 * device has as the default?
1056 if (linktypes[i] == deflt)
1057 caps->data_link_types = g_list_prepend(caps->data_link_types,
1060 caps->data_link_types = g_list_append(caps->data_link_types,
1063 #ifdef HAVE_PCAP_FREE_DATALINKS
1064 pcap_free_datalinks(linktypes);
1067 * In Windows, there's no guarantee that if you have a library
1068 * built with one version of the MSVC++ run-time library, and
1069 * it returns a pointer to allocated data, you can free that
1070 * data from a program linked with another version of the
1071 * MSVC++ run-time library.
1073 * This is not an issue on UN*X.
1075 * See the mail threads starting at
1077 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1081 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1084 #define xx_free free /* hack so checkAPIs doesn't complain */
1087 #endif /* HAVE_PCAP_FREE_DATALINKS */
1088 #else /* HAVE_PCAP_LIST_DATALINKS */
1090 data_link_info = create_data_link_info(deflt);
1091 caps->data_link_types = g_list_append(caps->data_link_types,
1093 #endif /* HAVE_PCAP_LIST_DATALINKS */
1097 if (err_str != NULL)
1102 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1104 print_machine_readable_interfaces(GList *if_list)
1111 char addr_str[ADDRSTRLEN];
1113 if (capture_child) {
1114 /* Let our parent know we succeeded. */
1115 pipe_write_block(2, SP_SUCCESS, NULL);
1118 i = 1; /* Interface id number */
1119 for (if_entry = g_list_first(if_list); if_entry != NULL;
1120 if_entry = g_list_next(if_entry)) {
1121 if_info = (if_info_t *)if_entry->data;
1122 printf("%d. %s", i++, if_info->name);
1125 * Print the contents of the if_entry struct in a parseable format.
1126 * Each if_entry element is tab-separated. Addresses are comma-
1129 /* XXX - Make sure our description doesn't contain a tab */
1130 if (if_info->description != NULL)
1131 printf("\t%s\t", if_info->description);
1135 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1136 addr = g_slist_next(addr)) {
1137 if (addr != g_slist_nth(if_info->addrs, 0))
1140 if_addr = (if_addr_t *)addr->data;
1141 switch(if_addr->ifat_type) {
1143 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1145 printf("%s", addr_str);
1147 printf("<unknown IPv4>");
1151 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1152 addr_str, ADDRSTRLEN)) {
1153 printf("%s", addr_str);
1155 printf("<unknown IPv6>");
1159 printf("<type unknown %u>", if_addr->ifat_type);
1163 if (if_info->loopback)
1164 printf("\tloopback");
1166 printf("\tnetwork");
1173 * If you change the machine-readable output format of this function,
1174 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1177 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1180 data_link_info_t *data_link_info;
1181 const gchar *desc_str;
1183 if (capture_child) {
1184 /* Let our parent know we succeeded. */
1185 pipe_write_block(2, SP_SUCCESS, NULL);
1188 if (caps->can_set_rfmon)
1192 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1193 lt_entry = g_list_next(lt_entry)) {
1194 data_link_info = (data_link_info_t *)lt_entry->data;
1195 if (data_link_info->description != NULL)
1196 desc_str = data_link_info->description;
1198 desc_str = "(not supported)";
1199 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1209 /* Print the number of packets captured for each interface until we're killed. */
1211 print_statistics_loop(gboolean machine_readable)
1213 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1219 char errbuf[PCAP_ERRBUF_SIZE];
1220 struct pcap_stat ps;
1222 if_list = get_interface_list(&err, &err_str);
1223 if (if_list == NULL) {
1225 case CANT_GET_INTERFACE_LIST:
1226 cmdarg_err("%s", err_str);
1230 case NO_INTERFACES_FOUND:
1231 cmdarg_err("There are no interfaces on which a capture can be done");
1237 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1238 if_info = (if_info_t *)if_entry->data;
1239 #ifdef HAVE_PCAP_OPEN
1240 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1242 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1246 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1247 if_stat->name = g_strdup(if_info->name);
1249 stat_list = g_list_append(stat_list, if_stat);
1254 cmdarg_err("There are no interfaces on which a capture can be done");
1258 if (capture_child) {
1259 /* Let our parent know we succeeded. */
1260 pipe_write_block(2, SP_SUCCESS, NULL);
1263 if (!machine_readable) {
1264 printf("%-15s %10s %10s\n", "Interface", "Received",
1268 global_ld.go = TRUE;
1269 while (global_ld.go) {
1270 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1271 if_stat = (if_stat_t *)stat_entry->data;
1272 pcap_stats(if_stat->pch, &ps);
1274 if (!machine_readable) {
1275 printf("%-15s %10u %10u\n", if_stat->name,
1276 ps.ps_recv, ps.ps_drop);
1278 printf("%s\t%u\t%u\n", if_stat->name,
1279 ps.ps_recv, ps.ps_drop);
1284 if (! global_ld.from_cap_pipe)
1291 /* XXX - Not reached. Should we look for 'q' in stdin? */
1292 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1293 if_stat = (if_stat_t *)stat_entry->data;
1294 pcap_close(if_stat->pch);
1295 g_free(if_stat->name);
1298 g_list_free(stat_list);
1299 free_interface_list(if_list);
1307 capture_cleanup_handler(DWORD dwCtrlType)
1309 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1310 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1311 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1312 like SIGTERM at least when the machine's shutting down.
1314 For now, if we're running as a command rather than a capture child,
1315 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1316 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1317 in that way on UN*X.
1319 If we're not running as a capture child, we might be running as
1320 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1321 user logs out. (XXX - can we explicitly check whether we're
1322 running as a service?) */
1324 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1325 "Console: Control signal");
1326 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1327 "Console: Control signal, CtrlType: %u", dwCtrlType);
1329 /* Keep capture running if we're a service and a user logs off */
1330 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1331 capture_loop_stop();
1339 capture_cleanup_handler(int signum _U_)
1341 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1342 SIGTERM. We assume that if the user wanted it to keep running
1343 after they logged out, they'd have nohupped it. */
1345 /* Note: don't call g_log() in the signal handler: if we happened to be in
1346 * g_log() in process context when the signal came in, g_log will detect
1347 * the "recursion" and abort.
1350 capture_loop_stop();
1356 report_capture_count(void)
1358 /* Don't print this if we're a capture child. */
1359 if (!capture_child) {
1361 /* Report the count only if we aren't printing a packet count
1362 as packets arrive. */
1363 fprintf(stderr, "Packets captured: %u\n", global_ld.packet_count);
1364 /* stderr could be line buffered */
1373 report_counts_for_siginfo(void)
1375 report_capture_count();
1376 infoprint = FALSE; /* we just reported it */
1380 report_counts_siginfo(int signum _U_)
1382 int sav_errno = errno;
1384 /* If we've been told to delay printing, just set a flag asking
1385 that we print counts (if we're supposed to), otherwise print
1386 the count of packets captured (if we're supposed to). */
1390 report_counts_for_siginfo();
1393 #endif /* SIGINFO */
1396 exit_main(int status)
1399 /* Shutdown windows sockets */
1402 /* can be helpful for debugging */
1403 #ifdef DEBUG_DUMPCAP
1404 printf("Press any key\n");
1415 * If we were linked with libcap (not libpcap), make sure we have
1416 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1417 * (See comment in main() for details)
1420 relinquish_privs_except_capture(void)
1422 /* If 'started_with_special_privs' (ie: suid) then enable for
1423 * ourself the NET_ADMIN and NET_RAW capabilities and then
1424 * drop our suid privileges.
1426 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1427 * stuff we don't need (and shouldn't have).
1428 * CAP_NET_RAW: Packet capture (raw sockets).
1431 if (started_with_special_privs()) {
1432 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1433 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1435 cap_t caps = cap_init(); /* all capabilities initialized to off */
1437 print_caps("Pre drop, pre set");
1439 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1440 cmdarg_err("prctl() fail return: %s", strerror(errno));
1443 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1444 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1446 if (cap_set_proc(caps)) {
1447 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1449 print_caps("Pre drop, post set");
1451 relinquish_special_privs_perm();
1453 print_caps("Post drop, pre set");
1454 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1455 if (cap_set_proc(caps)) {
1456 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1458 print_caps("Post drop, post set");
1464 #endif /* HAVE_LIBCAP */
1466 /* Take care of byte order in the libpcap headers read from pipes.
1467 * (function taken from wiretap/libpcap.c) */
1469 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1472 /* Byte-swap the record header fields. */
1473 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1474 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1475 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1476 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1479 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1480 swapped, in order to match the BPF header layout.
1482 Unfortunately, some files were, according to a comment in the "libpcap"
1483 source, written with version 2.3 in their headers but without the
1484 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1485 would make no sense - we assume that we need to swap them. */
1486 if (hdr->version_major == 2 &&
1487 (hdr->version_minor < 3 ||
1488 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1491 temp = rechdr->orig_len;
1492 rechdr->orig_len = rechdr->incl_len;
1493 rechdr->incl_len = temp;
1499 * Thread function that reads from a pipe and pushes the data
1500 * to the main application thread.
1503 * XXX Right now we use async queues for basic signaling. The main thread
1504 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1505 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1506 * Iff the read is successful cap_pipe_read pushes an item onto
1507 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1508 * the queues themselves (yet).
1510 * We might want to move some of the cap_pipe_dispatch logic here so that
1511 * we can let cap_pipe_read run independently, queuing up multiple reads
1512 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1514 static void *cap_pipe_read(void *ld_ptr)
1516 loop_data *ld = (loop_data *)ld_ptr;
1525 while (ld->cap_pipe_err == PIPOK) {
1526 g_async_queue_pop(cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1527 g_mutex_lock(cap_pipe_read_mtx);
1529 while (bytes_read < (int) ld->cap_pipe_bytes_to_read) {
1531 /* If we try to use read() on a named pipe on Windows with partial
1532 * data it appears to return EOF.
1534 res = ReadFile(ld->cap_pipe_h, ld->cap_pipe_buf+bytes_read,
1535 ld->cap_pipe_bytes_to_read - bytes_read,
1540 last_err = GetLastError();
1541 if (last_err == ERROR_MORE_DATA) {
1543 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1544 ld->cap_pipe_err = PIPEOF;
1548 ld->cap_pipe_err = PIPERR;
1551 } else if (b == 0 && ld->cap_pipe_bytes_to_read > 0) {
1552 ld->cap_pipe_err = PIPEOF;
1557 b = read(ld->cap_pipe_fd, ld->cap_pipe_buf+bytes_read,
1558 ld->cap_pipe_bytes_to_read - bytes_read);
1561 ld->cap_pipe_err = PIPEOF;
1565 ld->cap_pipe_err = PIPERR;
1574 ld->cap_pipe_bytes_read = bytes_read;
1575 if (ld->cap_pipe_bytes_read >= ld->cap_pipe_bytes_to_read) {
1576 g_async_queue_push(cap_pipe_done_q, ld->cap_pipe_buf); /* Any non-NULL value will do */
1578 g_mutex_unlock(cap_pipe_read_mtx);
1582 #endif /* USE_THREADS */
1584 /* Provide select() functionality for a single file descriptor
1585 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1587 * Returns the same values as select. If an error is returned,
1588 * the string cap_pipe_err_str should be used instead of errno.
1591 cap_pipe_select(int pipe_fd)
1594 struct timeval timeout;
1597 cap_pipe_err_str = "Unknown error";
1600 FD_SET(pipe_fd, &rfds);
1602 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1603 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1605 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1607 cap_pipe_err_str = strerror(errno);
1612 /* Mimic pcap_open_live() for pipe captures
1614 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1615 * open it, and read the header.
1617 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1618 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1620 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
1621 char *errmsg, int errmsgl)
1624 ws_statb64 pipe_stat;
1625 struct sockaddr_un sa;
1628 unsigned int bytes_read;
1639 ld->cap_pipe_fd = -1;
1641 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
1643 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1646 * XXX - this blocks until a pcap per-file header has been written to
1647 * the pipe, so it could block indefinitely.
1649 if (strcmp(pipename, "-") == 0) {
1651 fd = 0; /* read from stdin */
1653 ld->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1657 if (ws_stat64(pipename, &pipe_stat) < 0) {
1658 if (errno == ENOENT || errno == ENOTDIR)
1659 ld->cap_pipe_err = PIPNEXIST;
1661 g_snprintf(errmsg, errmsgl,
1662 "The capture session could not be initiated "
1663 "due to error getting information on pipe/socket: %s", strerror(errno));
1664 ld->cap_pipe_err = PIPERR;
1668 if (S_ISFIFO(pipe_stat.st_mode)) {
1669 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1671 g_snprintf(errmsg, errmsgl,
1672 "The capture session could not be initiated "
1673 "due to error on pipe open: %s", strerror(errno));
1674 ld->cap_pipe_err = PIPERR;
1677 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1678 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1680 g_snprintf(errmsg, errmsgl,
1681 "The capture session could not be initiated "
1682 "due to error on socket create: %s", strerror(errno));
1683 ld->cap_pipe_err = PIPERR;
1686 sa.sun_family = AF_UNIX;
1688 * The Single UNIX Specification says:
1690 * The size of sun_path has intentionally been left undefined.
1691 * This is because different implementations use different sizes.
1692 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1693 * of 104. Since most implementations originate from BSD versions,
1694 * the size is typically in the range 92 to 108.
1696 * Applications should not assume a particular length for sun_path
1697 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1701 * The <sys/un.h> header shall define the sockaddr_un structure,
1702 * which shall include at least the following members:
1704 * sa_family_t sun_family Address family.
1705 * char sun_path[] Socket pathname.
1707 * so we assume that it's an array, with a specified size,
1708 * and that the size reflects the maximum path length.
1710 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1711 /* Path name too long */
1712 g_snprintf(errmsg, errmsgl,
1713 "The capture session coud not be initiated "
1714 "due to error on socket connect: Path name too long");
1715 ld->cap_pipe_err = PIPERR;
1718 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1720 g_snprintf(errmsg, errmsgl,
1721 "The capture session coud not be initiated "
1722 "due to error on socket connect: %s", strerror(errno));
1723 ld->cap_pipe_err = PIPERR;
1727 if (S_ISCHR(pipe_stat.st_mode)) {
1729 * Assume the user specified an interface on a system where
1730 * interfaces are in /dev. Pretend we haven't seen it.
1732 ld->cap_pipe_err = PIPNEXIST;
1735 g_snprintf(errmsg, errmsgl,
1736 "The capture session could not be initiated because\n"
1737 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1738 ld->cap_pipe_err = PIPERR;
1743 #define PIPE_STR "\\pipe\\"
1744 /* Under Windows, named pipes _must_ have the form
1745 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1747 pncopy = g_strdup(pipename);
1748 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1749 pos = strchr(pncopy + 3, '\\');
1750 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1757 g_snprintf(errmsg, errmsgl,
1758 "The capture session could not be initiated because\n"
1759 "\"%s\" is neither an interface nor a pipe", pipename);
1760 ld->cap_pipe_err = PIPNEXIST;
1764 /* Wait for the pipe to appear */
1766 ld->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1767 OPEN_EXISTING, 0, NULL);
1769 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE)
1772 if (GetLastError() != ERROR_PIPE_BUSY) {
1773 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1774 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1775 g_snprintf(errmsg, errmsgl,
1776 "The capture session on \"%s\" could not be started "
1777 "due to error on pipe open: %s (error %d)",
1778 pipename, utf_16to8(err_str), GetLastError());
1780 ld->cap_pipe_err = PIPERR;
1784 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1785 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1786 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1787 g_snprintf(errmsg, errmsgl,
1788 "The capture session on \"%s\" timed out during "
1789 "pipe open: %s (error %d)",
1790 pipename, utf_16to8(err_str), GetLastError());
1792 ld->cap_pipe_err = PIPERR;
1799 ld->from_cap_pipe = TRUE;
1802 /* read the pcap header */
1804 while (bytes_read < sizeof magic) {
1805 sel_ret = cap_pipe_select(fd);
1807 g_snprintf(errmsg, errmsgl,
1808 "Unexpected error from select: %s", strerror(errno));
1810 } else if (sel_ret > 0) {
1811 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1814 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1816 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1823 #else /* USE_THREADS */
1824 g_thread_create(&cap_pipe_read, ld, FALSE, NULL);
1826 ld->cap_pipe_buf = (char *) &magic;
1827 ld->cap_pipe_bytes_read = 0;
1828 ld->cap_pipe_bytes_to_read = sizeof(magic);
1829 /* We don't have to worry about cap_pipe_read_mtx here */
1830 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1831 g_async_queue_pop(cap_pipe_done_q);
1832 if (ld->cap_pipe_bytes_read <= 0) {
1833 if (ld->cap_pipe_bytes_read == 0)
1834 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1836 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1841 #endif /* USE_THREADS */
1845 /* Host that wrote it has our byte order, and was running
1846 a program using either standard or ss990417 libpcap. */
1847 ld->cap_pipe_byte_swapped = FALSE;
1848 ld->cap_pipe_modified = FALSE;
1850 case PCAP_MODIFIED_MAGIC:
1851 /* Host that wrote it has our byte order, but was running
1852 a program using either ss990915 or ss991029 libpcap. */
1853 ld->cap_pipe_byte_swapped = FALSE;
1854 ld->cap_pipe_modified = TRUE;
1856 case PCAP_SWAPPED_MAGIC:
1857 /* Host that wrote it has a byte order opposite to ours,
1858 and was running a program using either standard or
1859 ss990417 libpcap. */
1860 ld->cap_pipe_byte_swapped = TRUE;
1861 ld->cap_pipe_modified = FALSE;
1863 case PCAP_SWAPPED_MODIFIED_MAGIC:
1864 /* Host that wrote it out has a byte order opposite to
1865 ours, and was running a program using either ss990915
1866 or ss991029 libpcap. */
1867 ld->cap_pipe_byte_swapped = TRUE;
1868 ld->cap_pipe_modified = TRUE;
1871 /* Not a "libpcap" type we know about. */
1872 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1877 /* Read the rest of the header */
1879 while (bytes_read < sizeof(struct pcap_hdr)) {
1880 sel_ret = cap_pipe_select(fd);
1882 g_snprintf(errmsg, errmsgl,
1883 "Unexpected error from select: %s", strerror(errno));
1885 } else if (sel_ret > 0) {
1886 b = read(fd, ((char *)hdr)+bytes_read,
1887 sizeof(struct pcap_hdr) - bytes_read);
1890 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1892 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1899 #else /* USE_THREADS */
1900 ld->cap_pipe_buf = (char *) hdr;
1901 ld->cap_pipe_bytes_read = 0;
1902 ld->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1903 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1904 g_async_queue_pop(cap_pipe_done_q);
1905 if (ld->cap_pipe_bytes_read <= 0) {
1906 if (ld->cap_pipe_bytes_read == 0)
1907 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1909 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1913 #endif /* USE_THREADS */
1915 if (ld->cap_pipe_byte_swapped) {
1916 /* Byte-swap the header fields about which we care. */
1917 hdr->version_major = BSWAP16(hdr->version_major);
1918 hdr->version_minor = BSWAP16(hdr->version_minor);
1919 hdr->snaplen = BSWAP32(hdr->snaplen);
1920 hdr->network = BSWAP32(hdr->network);
1922 ld->linktype = hdr->network;
1924 if (hdr->version_major < 2) {
1925 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1929 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1930 ld->cap_pipe_err = PIPOK;
1932 ld->cap_pipe_fd = fd;
1937 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1938 ld->cap_pipe_err = PIPERR;
1941 ld->cap_pipe_fd = -1;
1948 /* We read one record from the pipe, take care of byte order in the record
1949 * header, write the record to the capture file, and update capture statistics. */
1951 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1953 struct pcap_pkthdr phdr;
1954 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1966 #ifdef LOG_CAPTURE_VERBOSE
1967 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1970 switch (ld->cap_pipe_state) {
1972 case STATE_EXPECT_REC_HDR:
1974 if (g_mutex_trylock(cap_pipe_read_mtx)) {
1977 ld->cap_pipe_state = STATE_READ_REC_HDR;
1978 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1979 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1980 ld->cap_pipe_bytes_read = 0;
1983 ld->cap_pipe_buf = (char *) &ld->cap_pipe_rechdr;
1984 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
1985 g_mutex_unlock(cap_pipe_read_mtx);
1990 case STATE_READ_REC_HDR:
1992 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1993 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1996 result = PD_PIPE_EOF;
1998 result = PD_PIPE_ERR;
2001 ld->cap_pipe_bytes_read += b;
2002 #else /* USE_THREADS */
2003 g_get_current_time(&wait_time);
2004 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2005 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2006 if (ld->cap_pipe_err == PIPEOF) {
2007 result = PD_PIPE_EOF;
2009 } else if (ld->cap_pipe_err == PIPERR) {
2010 result = PD_PIPE_ERR;
2016 #endif /* USE_THREADS */
2017 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2019 result = PD_REC_HDR_READ;
2022 case STATE_EXPECT_DATA:
2024 if (g_mutex_trylock(cap_pipe_read_mtx)) {
2027 ld->cap_pipe_state = STATE_READ_DATA;
2028 ld->cap_pipe_bytes_to_read = ld->cap_pipe_rechdr.hdr.incl_len;
2029 ld->cap_pipe_bytes_read = 0;
2032 ld->cap_pipe_buf = (char *) data;
2033 g_async_queue_push(cap_pipe_pending_q, ld->cap_pipe_buf);
2034 g_mutex_unlock(cap_pipe_read_mtx);
2039 case STATE_READ_DATA:
2041 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
2042 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
2045 result = PD_PIPE_EOF;
2047 result = PD_PIPE_ERR;
2050 ld->cap_pipe_bytes_read += b;
2051 #else /* USE_THREADS */
2052 g_get_current_time(&wait_time);
2053 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2054 q_status = g_async_queue_timed_pop(cap_pipe_done_q, &wait_time);
2055 if (ld->cap_pipe_err == PIPEOF) {
2056 result = PD_PIPE_EOF;
2058 } else if (ld->cap_pipe_err == PIPERR) {
2059 result = PD_PIPE_ERR;
2065 #endif /* USE_THREADS */
2066 if ((ld->cap_pipe_bytes_read) < ld->cap_pipe_bytes_to_read)
2068 result = PD_DATA_READ;
2072 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2075 } /* switch (ld->cap_pipe_state) */
2078 * We've now read as much data as we were expecting, so process it.
2082 case PD_REC_HDR_READ:
2083 /* We've read the header. Take care of byte order. */
2084 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
2085 &ld->cap_pipe_rechdr.hdr);
2086 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2087 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2088 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
2091 ld->cap_pipe_state = STATE_EXPECT_DATA;
2095 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2096 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
2097 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
2098 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
2099 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
2101 capture_loop_packet_cb((u_char *)ld, &phdr, data);
2103 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
2107 ld->cap_pipe_err = PIPEOF;
2112 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2113 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2114 g_snprintf(errmsg, errmsgl,
2115 "Error reading from pipe: %s (error %d)",
2116 utf_16to8(err_str), GetLastError());
2119 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2127 ld->cap_pipe_err = PIPERR;
2128 /* Return here rather than inside the switch to prevent GCC warning */
2133 /** Open the capture input file (pcap or capture pipe).
2134 * Returns TRUE if it succeeds, FALSE otherwise. */
2136 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2137 char *errmsg, size_t errmsg_len,
2138 char *secondary_errmsg, size_t secondary_errmsg_len)
2140 gchar open_err_str[PCAP_ERRBUF_SIZE];
2141 gchar *sync_msg_str;
2144 gchar *sync_secondary_msg_str;
2145 WORD wVersionRequested;
2149 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
2152 /* XXX - opening Winsock on tshark? */
2154 /* Initialize Windows Socket if we are in a WIN32 OS
2155 This needs to be done before querying the interface for network/netmask */
2157 /* XXX - do we really require 1.1 or earlier?
2158 Are there any versions that support only 2.0 or higher? */
2159 wVersionRequested = MAKEWORD(1, 1);
2160 err = WSAStartup(wVersionRequested, &wsaData);
2164 case WSASYSNOTREADY:
2165 g_snprintf(errmsg, (gulong) errmsg_len,
2166 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2169 case WSAVERNOTSUPPORTED:
2170 g_snprintf(errmsg, (gulong) errmsg_len,
2171 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2172 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2175 case WSAEINPROGRESS:
2176 g_snprintf(errmsg, (gulong) errmsg_len,
2177 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2181 g_snprintf(errmsg, (gulong) errmsg_len,
2182 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2186 g_snprintf(errmsg, (gulong) errmsg_len,
2187 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2191 g_snprintf(errmsg, (gulong) errmsg_len,
2192 "Couldn't initialize Windows Sockets: error %d", err);
2195 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2200 ld->pcap_h = open_capture_device(capture_opts, &open_err_str);
2202 if (ld->pcap_h != NULL) {
2203 /* we've opened "iface" as a network device */
2205 /* try to set the capture buffer size */
2206 if (capture_opts->buffer_size > 1 &&
2207 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
2208 sync_secondary_msg_str = g_strdup_printf(
2209 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2210 "the default of 1MB will be used.\n"
2212 "Nonetheless, the capture is started.\n",
2213 capture_opts->buffer_size);
2214 report_capture_error("Couldn't set the capture buffer size!",
2215 sync_secondary_msg_str);
2216 g_free(sync_secondary_msg_str);
2220 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
2221 if ((capture_opts->sampling_method != CAPTURE_SAMP_NONE) &&
2222 (strncmp (capture_opts->iface, "rpcap://", 8) == 0))
2224 struct pcap_samp *samp;
2226 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
2228 switch (capture_opts->sampling_method)
2230 case CAPTURE_SAMP_BY_COUNT:
2231 samp->method = PCAP_SAMP_1_EVERY_N;
2234 case CAPTURE_SAMP_BY_TIMER:
2235 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2239 sync_msg_str = g_strdup_printf(
2240 "Unknown sampling method %d specified,\n"
2241 "continue without packet sampling",
2242 capture_opts->sampling_method);
2243 report_capture_error("Couldn't set the capture "
2244 "sampling", sync_msg_str);
2245 g_free(sync_msg_str);
2247 samp->value = capture_opts->sampling_param;
2251 report_capture_error("Couldn't set the capture sampling",
2252 "Cannot get packet sampling data structure");
2258 /* setting the data link type only works on real interfaces */
2259 if (!set_pcap_linktype(ld->pcap_h, capture_opts, errmsg, errmsg_len,
2260 secondary_errmsg, secondary_errmsg_len))
2262 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
2264 /* We couldn't open "iface" as a network device. */
2265 /* Try to open it as a pipe */
2266 cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
2269 if (ld->cap_pipe_fd == -1)
2271 if (ld->cap_pipe_h == INVALID_HANDLE_VALUE)
2274 if (ld->cap_pipe_err == PIPNEXIST) {
2275 /* Pipe doesn't exist, so output message for interface */
2276 get_capture_device_open_failure_messages(open_err_str,
2277 capture_opts->iface,
2281 secondary_errmsg_len);
2284 * Else pipe (or file) does exist and cap_pipe_open_live() has
2289 /* cap_pipe_open_live() succeeded; don't want
2290 error message from pcap_open_live() */
2291 open_err_str[0] = '\0';
2294 /* XXX - will this work for tshark? */
2295 #ifdef MUST_DO_SELECT
2296 if (!ld->from_cap_pipe) {
2297 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2298 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
2300 ld->pcap_fd = pcap_fileno(ld->pcap_h);
2305 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2306 returned a warning; print it, but keep capturing. */
2307 if (open_err_str[0] != '\0') {
2308 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2309 report_capture_error(sync_msg_str, "");
2310 g_free(sync_msg_str);
2316 /* close the capture input file (pcap or capture pipe) */
2317 static void capture_loop_close_input(loop_data *ld)
2319 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2321 /* if open, close the capture pipe "input file" */
2323 if (ld->cap_pipe_fd >= 0) {
2324 g_assert(ld->from_cap_pipe);
2325 ws_close(ld->cap_pipe_fd);
2326 ld->cap_pipe_fd = 0;
2329 if (ld->cap_pipe_h != INVALID_HANDLE_VALUE) {
2330 CloseHandle(ld->cap_pipe_h);
2331 ld->cap_pipe_h = INVALID_HANDLE_VALUE;
2335 /* if open, close the pcap "input file" */
2336 if(ld->pcap_h != NULL) {
2337 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)ld->pcap_h);
2338 g_assert(!ld->from_cap_pipe);
2339 pcap_close(ld->pcap_h);
2346 /* Shut down windows sockets */
2352 /* init the capture filter */
2353 static initfilter_status_t
2354 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2355 gchar * iface, gchar * cfilter)
2357 struct bpf_program fcode;
2359 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2361 /* capture filters only work on real interfaces */
2362 if (cfilter && !from_cap_pipe) {
2363 /* A capture filter was specified; set it up. */
2364 if (!compile_capture_filter(iface, pcap_h, &fcode, cfilter)) {
2365 /* Treat this specially - our caller might try to compile this
2366 as a display filter and, if that succeeds, warn the user that
2367 the display and capture filter syntaxes are different. */
2368 return INITFILTER_BAD_FILTER;
2370 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2371 #ifdef HAVE_PCAP_FREECODE
2372 pcap_freecode(&fcode);
2374 return INITFILTER_OTHER_ERROR;
2376 #ifdef HAVE_PCAP_FREECODE
2377 pcap_freecode(&fcode);
2381 return INITFILTER_NO_ERROR;
2385 /* set up to write to the already-opened capture output file/files */
2387 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2391 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2394 if (ld->from_cap_pipe) {
2395 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
2398 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
2401 /* Set up to write to the capture file. */
2402 if (capture_opts->multi_files_on) {
2403 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2405 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2408 gboolean successful;
2410 ld->bytes_written = 0;
2411 if (capture_opts->use_pcapng) {
2414 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2415 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err) &&
2416 libpcap_write_interface_description_block(ld->pdh, capture_opts->iface, capture_opts->cfilter, ld->linktype, ld->file_snaplen, &ld->bytes_written, &err);
2418 successful = libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
2419 &ld->bytes_written, &err);
2427 if (ld->pdh == NULL) {
2428 /* We couldn't set up to write to the capture file. */
2429 /* XXX - use cf_open_error_message from tshark instead? */
2434 g_snprintf(errmsg, errmsg_len,
2435 "The file to which the capture would be"
2436 " saved (\"%s\") could not be opened: Error %d.",
2437 capture_opts->save_file, err);
2439 g_snprintf(errmsg, errmsg_len,
2440 "The file to which the capture would be"
2441 " saved (\"%s\") could not be opened: %s.",
2442 capture_opts->save_file, strerror(err));
2454 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2457 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2459 if (capture_opts->multi_files_on) {
2460 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2462 if (capture_opts->use_pcapng) {
2463 libpcap_write_interface_statistics_block(ld->pdh, 0, ld->pcap_h, &ld->bytes_written, err_close);
2465 return libpcap_dump_close(ld->pdh, err_close);
2469 /* dispatch incoming packets (pcap or capture pipe)
2471 * Waits for incoming packets to be available, and calls pcap_dispatch()
2472 * to cause them to be processed.
2474 * Returns the number of packets which were processed.
2476 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2477 * packet-batching behaviour does not cause packets to get held back
2481 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
2482 char *errmsg, int errmsg_len)
2485 gint packet_count_before;
2486 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2491 packet_count_before = ld->packet_count;
2492 if (ld->from_cap_pipe) {
2493 /* dispatch from capture pipe */
2494 #ifdef LOG_CAPTURE_VERBOSE
2495 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2498 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
2500 if (sel_ret < 0 && errno != EINTR) {
2501 g_snprintf(errmsg, errmsg_len,
2502 "Unexpected error from select: %s", strerror(errno));
2503 report_capture_error(errmsg, please_report);
2508 * "select()" says we can read from the pipe without blocking
2510 #endif /* USE_THREADS */
2511 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
2521 /* dispatch from pcap */
2522 #ifdef MUST_DO_SELECT
2524 * If we have "pcap_get_selectable_fd()", we use it to get the
2525 * descriptor on which to select; if that's -1, it means there
2526 * is no descriptor on which you can do a "select()" (perhaps
2527 * because you're capturing on a special device, and that device's
2528 * driver unfortunately doesn't support "select()", in which case
2529 * we don't do the select - which means it might not be possible
2530 * to stop a capture until a packet arrives. If that's unacceptable,
2531 * plead with whoever supplies the software for that device to add
2532 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2533 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2534 * later, so it can use pcap_breakloop().
2536 #ifdef LOG_CAPTURE_VERBOSE
2537 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2539 if (ld->pcap_fd != -1) {
2540 sel_ret = cap_pipe_select(ld->pcap_fd);
2543 * "select()" says we can read from it without blocking; go for
2546 * We don't have pcap_breakloop(), so we only process one packet
2547 * per pcap_dispatch() call, to allow a signal to stop the
2548 * processing immediately, rather than processing all packets
2549 * in a batch before quitting.
2551 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
2555 /* Error, rather than pcap_breakloop(). */
2556 ld->pcap_err = TRUE;
2558 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2561 if (sel_ret < 0 && errno != EINTR) {
2562 g_snprintf(errmsg, errmsg_len,
2563 "Unexpected error from select: %s", strerror(errno));
2564 report_capture_error(errmsg, please_report);
2570 #endif /* MUST_DO_SELECT */
2572 /* dispatch from pcap without select */
2574 #ifdef LOG_CAPTURE_VERBOSE
2575 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2579 * On Windows, we don't support asynchronously telling a process to
2580 * stop capturing; instead, we check for an indication on a pipe
2581 * after processing packets. We therefore process only one packet
2582 * at a time, so that we can check the pipe after every packet.
2584 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
2586 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
2590 /* Error, rather than pcap_breakloop(). */
2591 ld->pcap_err = TRUE;
2593 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2595 #else /* pcap_next_ex */
2596 #ifdef LOG_CAPTURE_VERBOSE
2597 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2599 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2602 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2603 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2604 * This should be fixed in the WinPcap 4.0 alpha release.
2606 * For reference, an example remote interface:
2607 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2610 /* emulate dispatch from pcap */
2613 struct pcap_pkthdr *pkt_header;
2618 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
2619 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
2622 ld->pcap_err = TRUE;
2626 #endif /* pcap_next_ex */
2630 #ifdef LOG_CAPTURE_VERBOSE
2631 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2634 return ld->packet_count - packet_count_before;
2638 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2639 * want to grab only the characters between the '{' and '}' delimiters.
2641 * Returns a GString that must be freed with g_string_free(). */
2643 isolate_uuid(const char *iface)
2648 ptr = strchr(iface, '{');
2650 return g_string_new(iface);
2651 gstr = g_string_new(ptr + 1);
2653 ptr = strchr(gstr->str, '}');
2657 gstr = g_string_truncate(gstr, ptr - gstr->str);
2662 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2663 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2665 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2666 char *errmsg, int errmsg_len)
2669 gchar *capfile_name;
2671 gboolean is_tempfile;
2673 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2674 (capture_opts->save_file) ? capture_opts->save_file : "");
2676 if (capture_opts->save_file != NULL) {
2677 /* We return to the caller while the capture is in progress.
2678 * Therefore we need to take a copy of save_file in
2679 * case the caller destroys it after we return.
2681 capfile_name = g_strdup(capture_opts->save_file);
2683 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2684 if (capture_opts->multi_files_on) {
2685 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2686 g_snprintf(errmsg, errmsg_len,
2687 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2688 g_free(capfile_name);
2691 if (strcmp(capfile_name, "-") == 0) {
2692 /* write to stdout */
2695 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2696 _setmode(1, O_BINARY);
2699 } /* if (...output_to_pipe ... */
2702 if (capture_opts->multi_files_on) {
2703 /* ringbuffer is enabled */
2704 *save_file_fd = ringbuf_init(capfile_name,
2705 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2706 capture_opts->group_read_access);
2708 /* we need the ringbuf name */
2709 if(*save_file_fd != -1) {
2710 g_free(capfile_name);
2711 capfile_name = g_strdup(ringbuf_current_filename());
2714 /* Try to open/create the specified file for use as a capture buffer. */
2715 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2716 (capture_opts->group_read_access) ? 0640 : 0600);
2719 is_tempfile = FALSE;
2721 /* Choose a random name for the temporary capture buffer */
2725 iface = isolate_uuid(capture_opts->iface);
2726 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2727 g_string_free(iface, TRUE);
2729 prefix = g_strconcat("wireshark_", g_basename(capture_opts->iface), NULL);
2731 *save_file_fd = create_tempfile(&tmpname, prefix);
2733 capfile_name = g_strdup(tmpname);
2737 /* did we fail to open the output file? */
2738 if (*save_file_fd == -1) {
2740 g_snprintf(errmsg, errmsg_len,
2741 "The temporary file to which the capture would be saved (\"%s\") "
2742 "could not be opened: %s.", capfile_name, strerror(errno));
2744 if (capture_opts->multi_files_on) {
2745 ringbuf_error_cleanup();
2748 g_snprintf(errmsg, errmsg_len,
2749 "The file to which the capture would be saved (\"%s\") "
2750 "could not be opened: %s.", capfile_name,
2753 g_free(capfile_name);
2757 if(capture_opts->save_file != NULL) {
2758 g_free(capture_opts->save_file);
2760 capture_opts->save_file = capfile_name;
2761 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2762 "g_free(capfile_name)". */
2769 #define TIME_GET() GetTickCount()
2771 #define TIME_GET() time(NULL)
2774 /* Do the work of handling either the file size or file duration capture
2775 conditions being reached, and switching files or stopping. */
2777 do_file_switch_or_stop(capture_options *capture_opts,
2778 condition *cnd_autostop_files,
2779 condition *cnd_autostop_size,
2780 condition *cnd_file_duration)
2782 if (capture_opts->multi_files_on) {
2783 if (cnd_autostop_files != NULL &&
2784 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2785 /* no files left: stop here */
2786 global_ld.go = FALSE;
2790 /* Switch to the next ringbuffer file */
2791 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2792 &global_ld.save_file_fd, &global_ld.err)) {
2793 gboolean successful;
2795 /* File switch succeeded: reset the conditions */
2796 global_ld.bytes_written = 0;
2797 if (capture_opts->use_pcapng) {
2800 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2801 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &global_ld.bytes_written, &global_ld.err) &&
2802 libpcap_write_interface_description_block(global_ld.pdh, capture_opts->iface, capture_opts->cfilter, global_ld.linktype, global_ld.file_snaplen, &global_ld.bytes_written, &global_ld.err);
2804 successful = libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2805 &global_ld.bytes_written, &global_ld.err);
2808 fclose(global_ld.pdh);
2809 global_ld.pdh = NULL;
2810 global_ld.go = FALSE;
2813 if(cnd_autostop_size)
2814 cnd_reset(cnd_autostop_size);
2815 if(cnd_file_duration)
2816 cnd_reset(cnd_file_duration);
2817 libpcap_dump_flush(global_ld.pdh, NULL);
2819 report_packet_count(global_ld.inpkts_to_sync_pipe);
2820 global_ld.inpkts_to_sync_pipe = 0;
2821 report_new_capture_file(capture_opts->save_file);
2823 /* File switch failed: stop here */
2824 global_ld.go = FALSE;
2828 /* single file, stop now */
2829 global_ld.go = FALSE;
2835 /* Do the low-level work of a capture.
2836 Returns TRUE if it succeeds, FALSE otherwise. */
2838 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
2840 time_t upd_time, cur_time;
2843 condition *cnd_file_duration = NULL;
2844 condition *cnd_autostop_files = NULL;
2845 condition *cnd_autostop_size = NULL;
2846 condition *cnd_autostop_duration = NULL;
2849 gboolean cfilter_error = FALSE;
2850 char errmsg[MSG_MAX_LENGTH+1];
2851 char secondary_errmsg[MSG_MAX_LENGTH+1];
2854 *secondary_errmsg = '\0';
2856 /* init the loop data */
2857 global_ld.go = TRUE;
2858 global_ld.packet_count = 0;
2860 global_ld.report_packet_count = FALSE;
2862 if (capture_opts->has_autostop_packets)
2863 global_ld.packet_max = capture_opts->autostop_packets;
2865 global_ld.packet_max = 0; /* no limit */
2866 global_ld.inpkts_to_sync_pipe = 0;
2867 global_ld.err = 0; /* no error seen yet */
2868 global_ld.pcap_err = FALSE;
2869 global_ld.from_cap_pipe = FALSE;
2870 global_ld.pdh = NULL;
2872 global_ld.cap_pipe_fd = -1;
2874 global_ld.cap_pipe_h = INVALID_HANDLE_VALUE;
2876 #ifdef MUST_DO_SELECT
2877 global_ld.pcap_fd = 0;
2879 global_ld.autostop_files = 0;
2880 global_ld.save_file_fd = -1;
2882 /* We haven't yet gotten the capture statistics. */
2883 *stats_known = FALSE;
2885 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
2886 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
2888 /* open the "input file" from network interface or capture pipe */
2889 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
2890 secondary_errmsg, sizeof(secondary_errmsg))) {
2894 /* init the input filter from the network interface (capture pipe will do nothing) */
2895 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
2896 capture_opts->iface,
2897 capture_opts->cfilter)) {
2899 case INITFILTER_NO_ERROR:
2902 case INITFILTER_BAD_FILTER:
2903 cfilter_error = TRUE;
2904 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
2907 case INITFILTER_OTHER_ERROR:
2908 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
2909 pcap_geterr(global_ld.pcap_h));
2910 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
2914 /* If we're supposed to write to a capture file, open it for output
2915 (temporary/specified name/ringbuffer) */
2916 if (capture_opts->saving_to_file) {
2917 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
2918 errmsg, sizeof(errmsg))) {
2922 /* set up to write to the already-opened capture output file/files */
2923 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
2928 /* XXX - capture SIGTERM and close the capture, in case we're on a
2929 Linux 2.0[.x] system and you have to explicitly close the capture
2930 stream in order to turn promiscuous mode off? We need to do that
2931 in other places as well - and I don't think that works all the
2932 time in any case, due to libpcap bugs. */
2934 /* Well, we should be able to start capturing.
2936 Sync out the capture file, so the header makes it to the file system,
2937 and send a "capture started successfully and capture file created"
2938 message to our parent so that they'll open the capture file and
2939 update its windows to indicate that we have a live capture in
2941 libpcap_dump_flush(global_ld.pdh, NULL);
2942 report_new_capture_file(capture_opts->save_file);
2945 /* initialize capture stop (and alike) conditions */
2946 init_capture_stop_conditions();
2947 /* create stop conditions */
2948 if (capture_opts->has_autostop_filesize)
2950 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
2951 if (capture_opts->has_autostop_duration)
2952 cnd_autostop_duration =
2953 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
2955 if (capture_opts->multi_files_on) {
2956 if (capture_opts->has_file_duration)
2958 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
2960 if (capture_opts->has_autostop_files)
2961 cnd_autostop_files =
2962 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
2965 /* init the time values */
2966 upd_time = TIME_GET();
2968 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
2970 /* WOW, everything is prepared! */
2971 /* please fasten your seat belts, we will enter now the actual capture loop */
2972 while (global_ld.go) {
2973 /* dispatch incoming packets */
2974 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
2978 /* Were we asked to print packet counts by the SIGINFO handler? */
2979 if (global_ld.report_packet_count) {
2980 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
2981 plurality(global_ld.packet_count, "", "s"));
2982 global_ld.report_packet_count = FALSE;
2987 /* any news from our parent (signal pipe)? -> just stop the capture */
2988 if (!signal_pipe_check_running()) {
2989 global_ld.go = FALSE;
2994 global_ld.inpkts_to_sync_pipe += inpkts;
2996 /* check capture size condition */
2997 if (cnd_autostop_size != NULL &&
2998 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
2999 /* Capture size limit reached, do we have another file? */
3000 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3001 cnd_autostop_size, cnd_file_duration))
3003 } /* cnd_autostop_size */
3004 if (capture_opts->output_to_pipe) {
3005 libpcap_dump_flush(global_ld.pdh, NULL);
3009 /* Only update once a second (Win32: 500ms) so as not to overload slow
3010 * displays. This also prevents too much context-switching between the
3011 * dumpcap and wireshark processes */
3013 #define DUMPCAP_UPD_TIME 500
3015 #define DUMPCAP_UPD_TIME 0
3017 cur_time = TIME_GET();
3018 if ( (cur_time - upd_time) > DUMPCAP_UPD_TIME) {
3019 upd_time = cur_time;
3022 if (pcap_stats(pch, stats) >= 0) {
3023 *stats_known = TRUE;
3026 /* Let the parent process know. */
3027 if (global_ld.inpkts_to_sync_pipe) {
3029 libpcap_dump_flush(global_ld.pdh, NULL);
3031 /* Send our parent a message saying we've written out
3032 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3034 report_packet_count(global_ld.inpkts_to_sync_pipe);
3036 global_ld.inpkts_to_sync_pipe = 0;
3039 /* check capture duration condition */
3040 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3041 /* The maximum capture time has elapsed; stop the capture. */
3042 global_ld.go = FALSE;
3046 /* check capture file duration condition */
3047 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3048 /* duration limit reached, do we have another file? */
3049 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3050 cnd_autostop_size, cnd_file_duration))
3052 } /* cnd_file_duration */
3055 } /* while (global_ld.go) */
3057 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3059 /* delete stop conditions */
3060 if (cnd_file_duration != NULL)
3061 cnd_delete(cnd_file_duration);
3062 if (cnd_autostop_files != NULL)
3063 cnd_delete(cnd_autostop_files);
3064 if (cnd_autostop_size != NULL)
3065 cnd_delete(cnd_autostop_size);
3066 if (cnd_autostop_duration != NULL)
3067 cnd_delete(cnd_autostop_duration);
3069 /* did we had a pcap (input) error? */
3070 if (global_ld.pcap_err) {
3071 /* On Linux, if an interface goes down while you're capturing on it,
3072 you'll get a "recvfrom: Network is down" or
3073 "The interface went down" error (ENETDOWN).
3074 (At least you will if strerror() doesn't show a local translation
3077 On FreeBSD and OS X, if a network adapter disappears while
3078 you're capturing on it, you'll get a "read: Device not configured"
3079 error (ENXIO). (See previous parenthetical note.)
3081 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3083 These should *not* be reported to the Wireshark developers. */
3086 cap_err_str = pcap_geterr(global_ld.pcap_h);
3087 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3088 strcmp(cap_err_str, "The interface went down") == 0 ||
3089 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3090 strcmp(cap_err_str, "read: I/O error") == 0 ||
3091 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3092 report_capture_error("The network adapter on which the capture was being done "
3093 "is no longer running; the capture has stopped.",
3096 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3098 report_capture_error(errmsg, please_report);
3101 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
3102 report_capture_error(errmsg, "");
3104 /* did we have an output error while capturing? */
3105 if (global_ld.err == 0) {
3108 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3109 global_ld.err, FALSE);
3110 report_capture_error(errmsg, please_report);
3114 if (capture_opts->saving_to_file) {
3115 /* close the output file */
3116 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3120 /* there might be packets not yet notified to the parent */
3121 /* (do this after closing the file, so all packets are already flushed) */
3122 if(global_ld.inpkts_to_sync_pipe) {
3124 report_packet_count(global_ld.inpkts_to_sync_pipe);
3125 global_ld.inpkts_to_sync_pipe = 0;
3128 /* If we've displayed a message about a write error, there's no point
3129 in displaying another message about an error on close. */
3130 if (!close_ok && write_ok) {
3131 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3133 report_capture_error(errmsg, "");
3137 * XXX We exhibit different behaviour between normal mode and sync mode
3138 * when the pipe is stdin and not already at EOF. If we're a child, the
3139 * parent's stdin isn't closed, so if the user starts another capture,
3140 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3141 * will say "Unrecognized libpcap format". On the other hand, in normal
3142 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3145 report_capture_count(); /* print final capture count only if (quiet && !capture_child) */
3147 /* get packet drop statistics from pcap */
3148 if(global_ld.pcap_h != NULL) {
3149 g_assert(!global_ld.from_cap_pipe);
3150 /* Get the capture statistics, so we know how many packets were
3152 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
3153 *stats_known = TRUE;
3154 /* Let the parent process know. */
3155 report_packet_drops(stats->ps_drop);
3157 g_snprintf(errmsg, sizeof(errmsg),
3158 "Can't get packet-drop statistics: %s",
3159 pcap_geterr(global_ld.pcap_h));
3160 report_capture_error(errmsg, please_report);
3164 /* close the input file (pcap or capture pipe) */
3165 capture_loop_close_input(&global_ld);
3167 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3169 /* ok, if the write and the close were successful. */
3170 return write_ok && close_ok;
3173 if (capture_opts->multi_files_on) {
3174 /* cleanup ringbuffer */
3175 ringbuf_error_cleanup();
3177 /* We can't use the save file, and we have no FILE * for the stream
3178 to close in order to close it, so close the FD directly. */
3179 if(global_ld.save_file_fd != -1) {
3180 ws_close(global_ld.save_file_fd);
3183 /* We couldn't even start the capture, so get rid of the capture
3185 if(capture_opts->save_file != NULL) {
3186 ws_unlink(capture_opts->save_file);
3187 g_free(capture_opts->save_file);
3190 capture_opts->save_file = NULL;
3192 report_cfilter_error(capture_opts->cfilter, errmsg);
3194 report_capture_error(errmsg, secondary_errmsg);
3196 /* close the input file (pcap or cap_pipe) */
3197 capture_loop_close_input(&global_ld);
3199 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3205 static void capture_loop_stop(void)
3207 #ifdef HAVE_PCAP_BREAKLOOP
3208 if(global_ld.pcap_h != NULL)
3209 pcap_breakloop(global_ld.pcap_h);
3211 global_ld.go = FALSE;
3216 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3217 int err, gboolean is_close)
3222 g_snprintf(errmsg, errmsglen,
3223 "Not all the packets could be written to the file"
3224 " to which the capture was being saved\n"
3225 "(\"%s\") because there is no space left on the file system\n"
3226 "on which that file resides.",
3232 g_snprintf(errmsg, errmsglen,
3233 "Not all the packets could be written to the file"
3234 " to which the capture was being saved\n"
3235 "(\"%s\") because you are too close to, or over,"
3236 " your disk quota\n"
3237 "on the file system on which that file resides.",
3244 g_snprintf(errmsg, errmsglen,
3245 "The file to which the capture was being saved\n"
3246 "(\"%s\") could not be closed: %s.",
3247 fname, strerror(err));
3249 g_snprintf(errmsg, errmsglen,
3250 "An error occurred while writing to the file"
3251 " to which the capture was being saved\n"
3253 fname, strerror(err));
3260 /* one packet was captured, process it */
3262 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3265 loop_data *ld = (loop_data *) (void *) user;
3268 /* We may be called multiple times from pcap_dispatch(); if we've set
3269 the "stop capturing" flag, ignore this packet, as we're not
3270 supposed to be saving any more packets. */
3275 gboolean successful;
3276 /* We're supposed to write the packet to a file; do so.
3277 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3278 "ld->err" to the error. */
3279 if (global_capture_opts.use_pcapng) {
3280 successful = libpcap_write_enhanced_packet_block(ld->pdh, phdr, 0, pd, &ld->bytes_written, &err);
3282 successful = libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err);
3289 /* if the user told us to stop after x packets, do we already have enough? */
3290 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
3299 /* And now our feature presentation... [ fade to music ] */
3301 main(int argc, char *argv[])
3304 gboolean arg_error = FALSE;
3311 struct sigaction action, oldaction;
3314 gboolean start_capture = TRUE;
3315 gboolean stats_known;
3316 struct pcap_stat stats;
3317 GLogLevelFlags log_flags;
3318 gboolean list_interfaces = FALSE;
3319 gboolean list_link_layer_types = FALSE;
3320 #ifdef HAVE_BPF_IMAGE
3321 gboolean print_bpf_code = FALSE;
3323 gboolean machine_readable = FALSE;
3324 gboolean print_statistics = FALSE;
3325 int status, run_once_args = 0;
3327 #if defined(__APPLE__) && defined(__LP64__)
3328 struct utsname osinfo;
3332 /* Convert our arg list to UTF-8. */
3333 wc_argv = CommandLineToArgvW(GetCommandLineW(), &wc_argc);
3334 if (wc_argv && wc_argc == argc) {
3335 for (i = 0; i < argc; i++) {
3336 argv[i] = g_utf16_to_utf8(wc_argv[i], -1, NULL, NULL, NULL);
3338 } /* XXX else bail because something is horribly, horribly wrong? */
3343 * Initialize our DLL search path. MUST be called before LoadLibrary
3346 ws_init_dll_search_path();
3349 #ifdef HAVE_PCAP_REMOTE
3350 #define OPTSTRING_A "A:"
3351 #define OPTSTRING_r "r"
3352 #define OPTSTRING_u "u"
3354 #define OPTSTRING_A ""
3355 #define OPTSTRING_r ""
3356 #define OPTSTRING_u ""
3359 #ifdef HAVE_PCAP_SETSAMPLING
3360 #define OPTSTRING_m "m:"
3362 #define OPTSTRING_m ""
3365 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3366 #define OPTSTRING_B "B:"
3368 #define OPTSTRING_B ""
3369 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3371 #ifdef HAVE_PCAP_CREATE
3372 #define OPTSTRING_I "I"
3374 #define OPTSTRING_I ""
3377 #ifdef HAVE_BPF_IMAGE
3378 #define OPTSTRING_d "d"
3380 #define OPTSTRING_d ""
3383 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:" OPTSTRING_u "vw:y:Z:"
3385 #ifdef DEBUG_CHILD_DUMPCAP
3386 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3387 fprintf (stderr, "Unable to open debug log file !\n");
3392 #if defined(__APPLE__) && defined(__LP64__)
3394 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3395 * a bug workaround - timeouts less than 1 second don't work with libpcap
3396 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3397 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3398 * The problem is extremely unlikely to be reintroduced in a future
3401 if (uname(&osinfo) == 0) {
3403 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3404 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3405 * number of 10.0.0, not 10.1.0 - go figure).
3407 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3408 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3409 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3410 need_timeout_workaround = TRUE;
3415 * Determine if dumpcap is being requested to run in a special
3416 * capture_child mode by going thru the command line args to see if
3417 * a -Z is present. (-Z is a hidden option).
3419 * The primary result of running in capture_child mode is that
3420 * all messages sent out on stderr are in a special type/len/string
3421 * format to allow message processing by type. These messages include
3422 * error messages if dumpcap fails to start the operation it was
3423 * requested to do, as well as various "status" messages which are sent
3424 * when an actual capture is in progress, and a "success" message sent
3425 * if dumpcap was requested to perform an operation other than a
3428 * Capture_child mode would normally be requested by a parent process
3429 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3430 * to which dumpcap stderr has been redirected. It might also have
3431 * another pipe to obtain dumpcap stdout output; for operations other
3432 * than a capture, that information is formatted specially for easier
3433 * parsing by the parent process.
3435 * Capture_child mode needs to be determined immediately upon
3436 * startup so that any messages generated by dumpcap in this mode
3437 * (eg: during initialization) will be formatted properly.
3440 for (i=1; i<argc; i++) {
3441 if (strcmp("-Z", argv[i]) == 0) {
3442 capture_child = TRUE;
3443 machine_readable = TRUE; /* request machine-readable output */
3445 /* set output pipe to binary mode, to avoid ugly text conversions */
3446 _setmode(2, O_BINARY);
3451 /* The default_log_handler will use stdout, which makes trouble in */
3452 /* capture child mode, as it uses stdout for it's sync_pipe. */
3453 /* So: the filtering is done in the console_log_handler and not here.*/
3454 /* We set the log handlers right up front to make sure that any log */
3455 /* messages when running as child will be sent back to the parent */
3456 /* with the correct format. */
3460 G_LOG_LEVEL_CRITICAL|
3461 G_LOG_LEVEL_WARNING|
3462 G_LOG_LEVEL_MESSAGE|
3465 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3467 g_log_set_handler(NULL,
3469 console_log_handler, NULL /* user_data */);
3470 g_log_set_handler(LOG_DOMAIN_MAIN,
3472 console_log_handler, NULL /* user_data */);
3473 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3475 console_log_handler, NULL /* user_data */);
3476 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3478 console_log_handler, NULL /* user_data */);
3481 /* Load wpcap if possible. Do this before collecting the run-time version information */
3484 /* ... and also load the packet.dll from wpcap */
3485 /* XXX - currently not required, may change later. */
3486 /*wpcap_packet_load();*/
3488 /* Start windows sockets */
3489 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3491 /* Set handler for Ctrl+C key */
3492 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3494 /* Prepare to read from a pipe */
3495 if (!g_thread_supported ())
3496 g_thread_init (NULL);
3497 cap_pipe_pending_q = g_async_queue_new();
3498 cap_pipe_done_q = g_async_queue_new();
3499 cap_pipe_read_mtx = g_mutex_new();
3502 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3504 action.sa_handler = capture_cleanup_handler;
3506 * Arrange that system calls not get restarted, because when
3507 * our signal handler returns we don't want to restart
3508 * a call that was waiting for packets to arrive.
3510 action.sa_flags = 0;
3511 sigemptyset(&action.sa_mask);
3512 sigaction(SIGTERM, &action, NULL);
3513 sigaction(SIGINT, &action, NULL);
3514 sigaction(SIGPIPE, &action, NULL);
3515 sigaction(SIGHUP, NULL, &oldaction);
3516 if (oldaction.sa_handler == SIG_DFL)
3517 sigaction(SIGHUP, &action, NULL);
3520 /* Catch SIGINFO and, if we get it and we're capturing in
3521 quiet mode, report the number of packets we've captured. */
3522 action.sa_handler = report_counts_siginfo;
3523 action.sa_flags = SA_RESTART;
3524 sigemptyset(&action.sa_mask);
3525 sigaction(SIGINFO, &action, NULL);
3526 #endif /* SIGINFO */
3529 /* ----------------------------------------------------------------- */
3530 /* Privilege and capability handling */
3532 /* 1. Running not as root or suid root; no special capabilities. */
3535 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3538 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3540 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3541 /* capabilities; Drop all other capabilities; */
3542 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3543 /* else: after pcap_open_live() in capture_loop_open_input() */
3544 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3545 /* (Note: this means that the process, although logged in */
3546 /* as root, does not have various permissions such as the */
3547 /* ability to bypass file access permissions). */
3548 /* XXX: Should we just leave capabilities alone in this case */
3549 /* so that user gets expected effect that root can do */
3552 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3554 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3555 /* else: after pcap_open_live() in capture_loop_open_input() */
3556 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3557 /* pcap_open_live). */
3559 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3561 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3562 /* capabilities; Drop all other capabilities; */
3563 /* Drop suid privileges (euid=ruid); */
3564 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3565 /* else: after pcap_open_live() in capture_loop_open_input() */
3566 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3568 /* XXX: For some Linux versions/distros with capabilities */
3569 /* a 'normal' process with any capabilities cannot be */
3570 /* 'killed' (signaled) from another (same uid) non-privileged */
3572 /* For example: If (non-suid) Wireshark forks a */
3573 /* child suid dumpcap which acts as described here (case 5), */
3574 /* Wireshark will be unable to kill (signal) the child */
3575 /* dumpcap process until the capabilities have been dropped */
3576 /* (after pcap_open_live()). */
3577 /* This behaviour will apparently be changed in the kernel */
3578 /* to allow the kill (signal) in this case. */
3579 /* See the following for details: */
3580 /* http://www.mail-archive.com/ [wrapped] */
3581 /* linux-security-module@vger.kernel.org/msg02913.html */
3583 /* It is therefore conceivable that if dumpcap somehow hangs */
3584 /* in pcap_open_live or before that wireshark will not */
3585 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3586 /* In this case, exiting wireshark will kill the child */
3587 /* dumpcap process. */
3589 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3590 /* capabilities; Using libcap. Note: capset cmd (which see) */
3591 /* used to assign capabilities to file. */
3593 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3594 /* else: after pcap_open_live() in capture_loop_open_input() */
3595 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3597 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3598 /* longer required (similar to capture). */
3600 /* ----------------------------------------------------------------- */
3602 init_process_policies();
3605 /* If 'started with special privileges' (and using libcap) */
3606 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3607 /* Set euid/egid = ruid/rgid to remove suid privileges */
3608 relinquish_privs_except_capture();
3611 /* Set the initial values in the capture options. This might be overwritten
3612 by the command line parameters. */
3613 capture_opts_init(&global_capture_opts, NULL);
3615 /* Default to capturing the entire packet. */
3616 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3618 /* We always save to a file - if no file was specified, we save to a
3620 global_capture_opts.saving_to_file = TRUE;
3621 global_capture_opts.has_ring_num_files = TRUE;
3623 /* Now get our args */
3624 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3626 case 'h': /* Print help and exit */
3630 case 'v': /* Show version and exit */
3632 GString *comp_info_str;
3633 GString *runtime_info_str;
3634 /* Assemble the compile-time version information string */
3635 comp_info_str = g_string_new("Compiled ");
3636 get_compiled_version_info(comp_info_str, NULL, NULL);
3638 /* Assemble the run-time version information string */
3639 runtime_info_str = g_string_new("Running ");
3640 get_runtime_version_info(runtime_info_str, NULL);
3641 show_version(comp_info_str, runtime_info_str);
3642 g_string_free(comp_info_str, TRUE);
3643 g_string_free(runtime_info_str, TRUE);
3647 /*** capture option specific ***/
3648 case 'a': /* autostop criteria */
3649 case 'b': /* Ringbuffer option */
3650 case 'c': /* Capture x packets */
3651 case 'f': /* capture filter */
3652 case 'i': /* Use interface x */
3653 case 'n': /* Use pcapng format */
3654 case 'p': /* Don't capture in promiscuous mode */
3655 case 's': /* Set the snapshot (capture) length */
3656 case 'w': /* Write to capture file x */
3657 case 'g': /* enable group read accesson file(s) */
3658 case 'y': /* Set the pcap data link type */
3659 #ifdef HAVE_PCAP_REMOTE
3660 case 'u': /* Use UDP for data transfer */
3661 case 'r': /* Capture own RPCAP traffic too */
3662 case 'A': /* Authentication */
3664 #ifdef HAVE_PCAP_SETSAMPLING
3665 case 'm': /* Sampling */
3667 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3668 case 'B': /* Buffer size */
3669 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3670 #ifdef HAVE_PCAP_CREATE
3671 case 'I': /* Monitor mode */
3673 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
3678 /*** hidden option: Wireshark child mode (using binary output messages) ***/
3680 capture_child = TRUE;
3682 /* set output pipe to binary mode, to avoid ugly text conversions */
3683 _setmode(2, O_BINARY);
3685 * optarg = the control ID, aka the PPID, currently used for the
3688 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
3689 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
3690 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
3691 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
3693 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
3694 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3695 "Signal pipe: Unable to open %s. Dead parent?",
3703 case 'q': /* Quiet */
3707 /*** all non capture option specific ***/
3708 case 'D': /* Print a list of capture devices and exit */
3709 list_interfaces = TRUE;
3712 case 'L': /* Print list of link-layer types and exit */
3713 list_link_layer_types = TRUE;
3716 #ifdef HAVE_BPF_IMAGE
3717 case 'd': /* Print BPF code for capture filter and exit */
3718 print_bpf_code = TRUE;
3722 case 'S': /* Print interface statistics once a second */
3723 print_statistics = TRUE;
3726 case 'M': /* For -D, -L, and -S, print machine-readable output */
3727 machine_readable = TRUE;
3730 case '?': /* Bad flag - print usage message */
3731 cmdarg_err("Invalid Option: %s", argv[optind-1]);
3739 /* user specified file name as regular command-line argument */
3740 /* XXX - use it as the capture file name (or something else)? */
3747 * Extra command line arguments were specified; complain.
3748 * XXX - interpret as capture filter, as tcpdump and tshark do?
3750 cmdarg_err("Invalid argument: %s", argv[0]);
3759 if (run_once_args > 1) {
3760 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
3762 } else if (run_once_args == 1) {
3763 /* We're supposed to print some information, rather than
3764 to capture traffic; did they specify a ring buffer option? */
3765 if (global_capture_opts.multi_files_on) {
3766 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
3770 /* We're supposed to capture traffic; was the ring buffer option
3771 specified and, if so, does it make sense? */
3772 if (global_capture_opts.multi_files_on) {
3773 /* Ring buffer works only under certain conditions:
3774 a) ring buffer does not work with temporary files;
3775 b) it makes no sense to enable the ring buffer if the maximum
3776 file size is set to "infinite". */
3777 if (global_capture_opts.save_file == NULL) {
3778 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
3779 global_capture_opts.multi_files_on = FALSE;
3781 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
3782 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
3784 /* XXX - this must be redesigned as the conditions changed */
3785 global_capture_opts.multi_files_on = FALSE;
3792 * "-D" requires no interface to be selected; it's supposed to list
3795 if (list_interfaces) {
3796 /* Get the list of interfaces */
3801 if_list = capture_interface_list(&err, &err_str);
3802 if (if_list == NULL) {
3804 case CANT_GET_INTERFACE_LIST:
3805 cmdarg_err("%s", err_str);
3810 case NO_INTERFACES_FOUND:
3812 * If we're being run by another program, just give them
3813 * an empty list of interfaces, don't report this as
3814 * an error; that lets them decide whether to report
3815 * this as an error or not.
3817 if (!machine_readable) {
3818 cmdarg_err("There are no interfaces on which a capture can be done");
3825 if (machine_readable) /* tab-separated values to stdout */
3826 print_machine_readable_interfaces(if_list);
3828 capture_opts_print_interfaces(if_list);
3829 free_interface_list(if_list);
3834 * "-S" requires no interface to be selected; it gives statistics
3835 * for all interfaces.
3837 if (print_statistics) {
3838 status = print_statistics_loop(machine_readable);
3843 * "-L", "-d", and capturing act on a particular interface, so we have to
3844 * have an interface; if none was specified, pick a default.
3846 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
3847 /* cmdarg_err() already called .... */
3851 /* Let the user know what interface was chosen. */
3852 /* get_interface_descriptive_name() is not available! */
3853 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
3855 if (list_link_layer_types) {
3856 /* Get the list of link-layer types for the capture device. */
3857 if_capabilities_t *caps;
3860 caps = get_if_capabilities(global_capture_opts.iface,
3861 global_capture_opts.monitor_mode, &err_str);
3863 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
3864 "Please check to make sure you have sufficient permissions, and that\n"
3865 "you have the proper interface or pipe specified.", global_capture_opts.iface, err_str);
3869 if (caps->data_link_types == NULL) {
3870 cmdarg_err("The capture device \"%s\" has no data link types.", global_capture_opts.iface);
3873 if (machine_readable) /* tab-separated values to stdout */
3874 print_machine_readable_if_capabilities(caps);
3876 capture_opts_print_if_capabilities(caps,
3877 global_capture_opts.monitor_mode);
3878 free_if_capabilities(caps);
3882 /* We're supposed to do a capture, or print the BPF code for a filter.
3883 Process the snapshot length, as that affects the generated BPF code. */
3884 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
3886 #ifdef HAVE_BPF_IMAGE
3887 if (print_bpf_code) {
3888 show_filter_code(&global_capture_opts);
3893 /* We're supposed to do a capture. Process the ring buffer arguments. */
3894 capture_opts_trim_ring_num_files(&global_capture_opts);
3896 /* Now start the capture. */
3898 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
3902 /* capture failed */
3909 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
3910 const char *message, gpointer user_data _U_)
3917 /* ignore log message, if log_level isn't interesting */
3918 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3919 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
3924 /* create a "timestamp" */
3926 today = localtime(&curr);
3928 switch(log_level & G_LOG_LEVEL_MASK) {
3929 case G_LOG_LEVEL_ERROR:
3932 case G_LOG_LEVEL_CRITICAL:
3935 case G_LOG_LEVEL_WARNING:
3938 case G_LOG_LEVEL_MESSAGE:
3941 case G_LOG_LEVEL_INFO:
3944 case G_LOG_LEVEL_DEBUG:
3948 fprintf(stderr, "unknown log_level %u\n", log_level);
3950 g_assert_not_reached();
3953 /* Generate the output message */
3954 if(log_level & G_LOG_LEVEL_MESSAGE) {
3955 /* normal user messages without additional infos */
3956 msg = g_strdup_printf("%s\n", message);
3958 /* info/debug messages with additional infos */
3959 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
3960 today->tm_hour, today->tm_min, today->tm_sec,
3961 log_domain != NULL ? log_domain : "",
3965 /* DEBUG & INFO msgs (if we're debugging today) */
3966 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
3967 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
3968 #ifdef DEBUG_DUMPCAP
3969 fprintf(stderr, "%s", msg);
3972 #ifdef DEBUG_CHILD_DUMPCAP
3973 fprintf(debug_log, "%s", msg);
3981 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
3982 /* to parent especially formatted if dumpcap running as child. */
3983 if (capture_child) {
3984 sync_pipe_errmsg_to_parent(2, msg, "");
3986 fprintf(stderr, "%s", msg);
3993 /****************************************************************************************************************/
3994 /* indication report routines */
3998 report_packet_count(int packet_count)
4000 char tmp[SP_DECISIZE+1+1];
4001 static int count = 0;
4004 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4005 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4006 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4008 count += packet_count;
4009 fprintf(stderr, "\rPackets: %u ", count);
4010 /* stderr could be line buffered */
4016 report_new_capture_file(const char *filename)
4019 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4020 pipe_write_block(2, SP_FILE, filename);
4024 * Prevent a SIGINFO handler from writing to the standard error
4025 * while we're doing so; instead, have it just set a flag telling
4026 * us to print that information when we're done.
4029 #endif /* SIGINFO */
4030 fprintf(stderr, "File: %s\n", filename);
4031 /* stderr could be line buffered */
4036 * Allow SIGINFO handlers to write.
4041 * If a SIGINFO handler asked us to write out capture counts, do so.
4044 report_counts_for_siginfo();
4045 #endif /* SIGINFO */
4050 report_cfilter_error(const char *cfilter, const char *errmsg)
4052 if (capture_child) {
4053 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4054 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4057 "Invalid capture filter: \"%s\"!\n"
4059 "That string isn't a valid capture filter (%s).\n"
4060 "See the User's Guide for a description of the capture filter syntax.\n",
4066 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4069 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4070 "Primary Error: %s", error_msg);
4071 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4072 "Secondary Error: %s", secondary_error_msg);
4073 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4075 fprintf(stderr, "%s\n", error_msg);
4076 if (secondary_error_msg[0] != '\0')
4077 fprintf(stderr, "%s\n", secondary_error_msg);
4082 report_packet_drops(guint32 drops)
4084 char tmp[SP_DECISIZE+1+1];
4086 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4089 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets dropped: %s", tmp);
4090 pipe_write_block(2, SP_DROPS, tmp);
4092 fprintf(stderr, "Packets dropped: %s\n", tmp);
4093 /* stderr could be line buffered */
4099 /****************************************************************************************************************/
4100 /* signal_pipe handling */
4105 signal_pipe_check_running(void)
4107 /* any news from our parent? -> just stop the capture */
4111 /* if we are running standalone, no check required */
4112 if(!capture_child) {
4116 if(!sig_pipe_name || !sig_pipe_handle) {
4117 /* This shouldn't happen */
4118 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4119 "Signal pipe: No name or handle");
4124 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4125 * at this point. Should we check to see if the parent is still alive,
4126 * e.g. by using OpenProcess?
4129 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4131 if(!result || avail > 0) {
4132 /* peek failed or some bytes really available */
4133 /* (if not piping from stdin this would fail) */
4134 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4135 "Signal pipe: Stop capture: %s", sig_pipe_name);
4136 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4137 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4138 sig_pipe_handle, result, avail);
4141 /* pipe ok and no bytes available */
4148 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4153 * indent-tabs-mode: nil
4156 * vi: set shiftwidth=4 tabstop=8 expandtab
4157 * :indentSize=4:tabSize=8:noTabs=true: