5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
65 #include "wsutil/wsgetopt.h"
73 # include <sys/prctl.h>
74 # include <sys/capability.h>
77 #include "ringbuffer.h"
78 #include "clopts_common.h"
79 #include "console_io.h"
80 #include "cmdarg_err.h"
81 #include "version_info.h"
83 #include "capture-pcap-util.h"
88 #include "capture-wpcap.h"
89 #include <wsutil/unicode-utils.h>
93 #include <sys/socket.h>
97 #ifdef NEED_INET_V6DEFS_H
98 # include "wsutil/inet_v6defs.h"
101 #include <wsutil/privileges.h>
103 #include "sync_pipe.h"
105 #include "capture_opts.h"
106 #include "capture_ifinfo.h"
107 #include "capture_sync.h"
109 #include "conditions.h"
110 #include "capture_stop_conditions.h"
112 #include "tempfile.h"
114 #include "wsutil/file_util.h"
117 * Get information about libpcap format from "wiretap/libpcap.h".
118 * XXX - can we just use pcap_open_offline() to read the pipe?
120 #include "wiretap/libpcap.h"
122 /**#define DEBUG_DUMPCAP**/
123 /**#define DEBUG_CHILD_DUMPCAP**/
127 #include <conio.h> /* _getch() */
131 #ifdef DEBUG_CHILD_DUMPCAP
132 FILE *debug_log; /* for logging debug messages to */
133 /* a file if DEBUG_CHILD_DUMPCAP */
141 static GAsyncQueue *pcap_queue;
142 static gint64 pcap_queue_bytes;
143 static gint64 pcap_queue_packets;
144 static gint64 pcap_queue_byte_limit = 1024 * 1024;
145 static gint64 pcap_queue_packet_limit = 1000;
147 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
149 static gchar *sig_pipe_name = NULL;
150 static HANDLE sig_pipe_handle = NULL;
151 static gboolean signal_pipe_check_running(void);
155 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
156 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
159 /** Stop a low-level capture (stops the capture child). */
160 static void capture_loop_stop(void);
162 #if !defined (__linux__)
163 #ifndef HAVE_PCAP_BREAKLOOP
165 * We don't have pcap_breakloop(), which is the only way to ensure that
166 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
167 * won't, if the call to read the next packet or batch of packets is
168 * is interrupted by a signal on UN*X, just go back and try again to
171 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
172 * the signal handler, set a flag to stop capturing; however, without
173 * a guarantee of that sort, we can't guarantee that we'll stop capturing
174 * if the read will be retried and won't time out if no packets arrive.
176 * Therefore, on at least some platforms, we work around the lack of
177 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
178 * to wait for packets to arrive, so that we're probably going to be
179 * blocked in the select() when the signal arrives, and can just bail
180 * out of the loop at that point.
182 * However, we don't want to do that on BSD (because "select()" doesn't work
183 * correctly on BPF devices on at least some releases of some flavors of
184 * BSD), and we don't want to do it on Windows (because "select()" is
185 * something for sockets, not for arbitrary handles). (Note that "Windows"
186 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
187 * using WinPcap, not a UNIX libpcap.)
189 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
190 * on BSD times out even if no packets have arrived, so we'll eventually
191 * exit pcap_dispatch() with an indication that no packets have arrived,
192 * and will break out of the capture loop at that point.
194 * On Windows, we can't send a SIGINT to stop capturing, so none of this
195 * applies in any case.
197 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
198 * want to include it if it's not present on this platform, however.
200 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
201 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
203 # define MUST_DO_SELECT
204 # endif /* avoid select */
205 #endif /* HAVE_PCAP_BREAKLOOP */
207 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
208 * in pcap_dispatch(); on the other hand, select() works just fine there.
209 * Hence we use a select for that come what may.
211 #define MUST_DO_SELECT
214 /** init the capture filter */
217 INITFILTER_BAD_FILTER,
218 INITFILTER_OTHER_ERROR
219 } initfilter_status_t;
221 typedef struct _pcap_queue_element {
223 struct pcap_pkthdr phdr;
225 } pcap_queue_element;
227 typedef struct _pcap_options {
231 #ifdef MUST_DO_SELECT
232 int pcap_fd; /* pcap file descriptor */
239 /* capture pipe (unix only "input file") */
240 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
241 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
242 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
244 HANDLE cap_pipe_h; /* The handle of the capture pipe */
246 int cap_pipe_fd; /* the file descriptor of the capture pipe */
248 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
249 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
251 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
252 #endif /* USE_THREADS */
253 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
254 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
256 STATE_EXPECT_REC_HDR,
261 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
263 GMutex *cap_pipe_read_mtx;
264 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
268 typedef struct _loop_data {
270 gboolean go; /* TRUE as long as we're supposed to keep capturing */
271 int err; /* if non-zero, error seen while capturing */
272 gint packet_count; /* Number of packets we have already captured */
273 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
274 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
276 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
283 guint32 autostop_files;
287 * Standard secondary message for unexpected errors.
289 static const char please_report[] =
290 "Please report this to the Wireshark developers.\n"
291 "(This is not a crash; please do not report it as such.)";
294 * This needs to be static, so that the SIGINT handler can clear the "go"
297 static loop_data global_ld;
301 * Timeout, in milliseconds, for reads from the stream of captured packets
302 * from a capture device.
304 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
305 * 64-bit applications, with sub-second timeouts not to work. The bug is
306 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
308 #if defined(__APPLE__) && defined(__LP64__)
309 static gboolean need_timeout_workaround;
311 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
313 #define CAP_READ_TIMEOUT 250
317 * Timeout, in microseconds, for reads from the stream of captured packets
318 * from a pipe. Pipes don't have the same problem that BPF devices do
319 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
320 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
321 * of the offending versions of Snow Leopard.
323 * On Windows this value is converted to milliseconds and passed to
324 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
325 * will return immediately.
328 #define PIPE_READ_TIMEOUT 250000
330 #define PIPE_READ_TIMEOUT 100000
332 static const char *cap_pipe_err_str;
334 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
337 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
338 const char *message, gpointer user_data _U_);
340 /* capture related options */
341 static capture_options global_capture_opts;
342 static gboolean quiet = FALSE;
343 static gboolean use_threads = FALSE;
345 static void capture_loop_write_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
347 static void capture_loop_queue_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
349 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
350 int err, gboolean is_close);
352 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
354 static void report_new_capture_file(const char *filename);
355 static void report_packet_count(int packet_count);
356 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
357 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
358 static void report_cfilter_error(const char *cfilter, const char *errmsg);
360 #define MSG_MAX_LENGTH 4096
363 print_usage(gboolean print_ver)
370 "Dumpcap " VERSION "%s\n"
371 "Capture network packets and dump them into a libpcap file.\n"
372 "See http://www.wireshark.org for more information.\n",
373 wireshark_svnversion);
377 fprintf(output, "\nUsage: dumpcap [options] ...\n");
378 fprintf(output, "\n");
379 fprintf(output, "Capture interface:\n");
380 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
381 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
382 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
383 fprintf(output, " -p don't capture in promiscuous mode\n");
384 #ifdef HAVE_PCAP_CREATE
385 fprintf(output, " -I capture in monitor mode, if available\n");
387 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
388 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
390 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
391 fprintf(output, " -D print list of interfaces and exit\n");
392 fprintf(output, " -L print list of link-layer types of iface and exit\n");
393 #ifdef HAVE_BPF_IMAGE
394 fprintf(output, " -d print generated BPF code for capture filter\n");
396 fprintf(output, " -S print statistics for each interface once every second\n");
397 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
398 fprintf(output, "\n");
399 #ifdef HAVE_PCAP_REMOTE
400 fprintf(output, "\nRPCAP options:\n");
401 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
402 fprintf(output, " -u use UDP for RPCAP data transfer\n");
403 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
404 #ifdef HAVE_PCAP_SETSAMPLING
405 fprintf(output, " -m <sampling type> use packet sampling\n");
406 fprintf(output, " count:NUM - capture one packet of every NUM\n");
407 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
410 fprintf(output, "Stop conditions:\n");
411 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
412 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
413 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
414 fprintf(output, " files:NUM - stop after NUM files\n");
415 /*fprintf(output, "\n");*/
416 fprintf(output, "Output (files):\n");
417 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
418 fprintf(output, " -g enable group read access on the output file(s)\n");
419 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
420 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
421 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
422 fprintf(output, " -n use pcapng format instead of pcap\n");
423 /*fprintf(output, "\n");*/
424 fprintf(output, "Miscellaneous:\n");
425 fprintf(output, " -t use a separate thread per interface\n");
426 fprintf(output, " -q don't report packet capture counts\n");
427 fprintf(output, " -v print version information and exit\n");
428 fprintf(output, " -h display this help and exit\n");
429 fprintf(output, "\n");
430 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
431 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
432 fprintf(output, "\n");
433 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
437 show_version(GString *comp_info_str, GString *runtime_info_str)
440 "Dumpcap " VERSION "%s\n"
445 "See http://www.wireshark.org for more information.\n",
446 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
450 * Print to the standard error. This is a command-line tool, so there's
451 * no need to pop up a console.
454 vfprintf_stderr(const char *fmt, va_list ap)
456 vfprintf(stderr, fmt, ap);
460 fprintf_stderr(const char *fmt, ...)
465 vfprintf_stderr(fmt, ap);
470 * Report an error in command-line arguments.
473 cmdarg_err(const char *fmt, ...)
479 /* Generate a 'special format' message back to parent */
481 msg = g_strdup_vprintf(fmt, ap);
482 sync_pipe_errmsg_to_parent(2, msg, "");
487 fprintf(stderr, "dumpcap: ");
488 vfprintf(stderr, fmt, ap);
489 fprintf(stderr, "\n");
495 * Report additional information for an error in command-line arguments.
498 cmdarg_err_cont(const char *fmt, ...)
505 msg = g_strdup_vprintf(fmt, ap);
506 sync_pipe_errmsg_to_parent(2, msg, "");
511 vfprintf(stderr, fmt, ap);
512 fprintf(stderr, "\n");
519 #if 0 /* Set to enable capability debugging */
520 /* see 'man cap_to_text()' for explanation of output */
521 /* '=' means 'all= ' ie: no capabilities */
522 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
524 print_caps(const char *pfx) {
525 cap_t caps = cap_get_proc();
526 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
527 "%s: EUID: %d Capabilities: %s", pfx,
528 geteuid(), cap_to_text(caps, NULL));
531 print_caps(const char *pfx _U_) {
536 relinquish_all_capabilities(void)
538 /* Drop any and all capabilities this process may have. */
539 /* Allowed whether or not process has any privileges. */
540 cap_t caps = cap_init(); /* all capabilities initialized to off */
541 print_caps("Pre-clear");
542 if (cap_set_proc(caps)) {
543 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
545 print_caps("Post-clear");
551 open_capture_device(interface_options *interface_opts,
552 char (*open_err_str)[PCAP_ERRBUF_SIZE])
555 #ifdef HAVE_PCAP_CREATE
558 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
559 struct pcap_rmtauth auth;
562 /* Open the network interface to capture from it.
563 Some versions of libpcap may put warnings into the error buffer
564 if they succeed; to tell if that's happened, we have to clear
565 the error buffer, and check if it's still a null string. */
566 (*open_err_str)[0] = '\0';
567 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
569 * If we're opening a remote device, use pcap_open(); that's currently
570 * the only open routine that supports remote devices.
572 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
573 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
574 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
575 auth.username = interface_opts->auth_username;
576 auth.password = interface_opts->auth_password;
578 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
580 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
581 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
582 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
583 CAP_READ_TIMEOUT, &auth, *open_err_str);
588 * If we're not opening a remote device, use pcap_create() and
589 * pcap_activate() if we have them, so that we can set the buffer
590 * size, otherwise use pcap_open_live().
592 #ifdef HAVE_PCAP_CREATE
593 pcap_h = pcap_create(interface_opts->name, *open_err_str);
594 if (pcap_h != NULL) {
595 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
596 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
597 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
599 if (interface_opts->buffer_size > 1) {
600 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
602 if (interface_opts->monitor_mode)
603 pcap_set_rfmon(pcap_h, 1);
604 err = pcap_activate(pcap_h);
606 /* Failed to activate, set to NULL */
607 if (err == PCAP_ERROR)
608 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
610 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
616 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
617 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
625 get_capture_device_open_failure_messages(const char *open_err_str,
631 char *errmsg, size_t errmsg_len,
632 char *secondary_errmsg,
633 size_t secondary_errmsg_len)
635 const char *libpcap_warn;
636 static const char ppamsg[] = "can't find PPA for ";
638 /* If we got a "can't find PPA for X" message, warn the user (who
639 is running dumcap on HP-UX) that they don't have a version of
640 libpcap that properly handles HP-UX (libpcap 0.6.x and later
641 versions, which properly handle HP-UX, say "can't find /dev/dlpi
642 PPA for X" rather than "can't find PPA for X"). */
643 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
646 "You are running (T)Wireshark with a version of the libpcap library\n"
647 "that doesn't handle HP-UX network devices well; this means that\n"
648 "(T)Wireshark may not be able to capture packets.\n"
650 "To fix this, you should install libpcap 0.6.2, or a later version\n"
651 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
652 "packaged binary form from the Software Porting And Archive Centre\n"
653 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
654 "at the URL lists a number of mirror sites.";
657 g_snprintf(errmsg, (gulong) errmsg_len,
658 "The capture session could not be initiated (%s).", open_err_str);
660 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
661 "Please check to make sure you have sufficient permissions, and that you have "
662 "the proper interface or pipe specified.%s", libpcap_warn);
664 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
666 "Please check that \"%s\" is the proper interface.\n"
669 "Help can be found at:\n"
671 " http://wiki.wireshark.org/WinPcap\n"
672 " http://wiki.wireshark.org/CaptureSetup\n",
677 /* Set the data link type on a pcap. */
679 set_pcap_linktype(pcap_t *pcap_h, int linktype,
680 #ifdef HAVE_PCAP_SET_DATALINK
685 char *errmsg, size_t errmsg_len,
686 char *secondary_errmsg, size_t secondary_errmsg_len)
688 char *set_linktype_err_str;
691 return TRUE; /* just use the default */
692 #ifdef HAVE_PCAP_SET_DATALINK
693 if (pcap_set_datalink(pcap_h, linktype) == 0)
694 return TRUE; /* no error */
695 set_linktype_err_str = pcap_geterr(pcap_h);
697 /* Let them set it to the type it is; reject any other request. */
698 if (get_pcap_linktype(pcap_h, name) == linktype)
699 return TRUE; /* no error */
700 set_linktype_err_str =
701 "That DLT isn't one of the DLTs supported by this device";
703 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
704 set_linktype_err_str);
706 * If the error isn't "XXX is not one of the DLTs supported by this device",
707 * tell the user to tell the Wireshark developers about it.
709 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
710 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
712 secondary_errmsg[0] = '\0';
717 compile_capture_filter(const char *iface, pcap_t *pcap_h,
718 struct bpf_program *fcode, char *cfilter)
720 bpf_u_int32 netnum, netmask;
721 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
723 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
725 * Well, we can't get the netmask for this interface; it's used
726 * only for filters that check for broadcast IP addresses, so
727 * we just punt and use 0. It might be nice to warn the user,
728 * but that's a pain in a GUI application, as it'd involve popping
729 * up a message box, and it's not clear how often this would make
730 * a difference (only filters that check for IP broadcast addresses
734 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
737 if (pcap_compile(pcap_h, fcode, cfilter, 1, netmask) < 0)
742 #ifdef HAVE_BPF_IMAGE
744 show_filter_code(capture_options *capture_opts)
746 interface_options interface_opts;
748 gchar open_err_str[PCAP_ERRBUF_SIZE];
749 char errmsg[MSG_MAX_LENGTH+1];
750 char secondary_errmsg[MSG_MAX_LENGTH+1];
751 struct bpf_program fcode;
752 struct bpf_insn *insn;
756 for (j = 0; j < capture_opts->ifaces->len; j++) {
757 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
758 pcap_h = open_capture_device(&interface_opts, &open_err_str);
759 if (pcap_h == NULL) {
760 /* Open failed; get messages */
761 get_capture_device_open_failure_messages(open_err_str,
763 errmsg, sizeof errmsg,
765 sizeof secondary_errmsg);
766 /* And report them */
767 report_capture_error(errmsg, secondary_errmsg);
771 /* Set the link-layer type. */
772 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
773 errmsg, sizeof errmsg,
774 secondary_errmsg, sizeof secondary_errmsg)) {
776 report_capture_error(errmsg, secondary_errmsg);
780 /* OK, try to compile the capture filter. */
781 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
782 interface_opts.cfilter)) {
784 report_cfilter_error(interface_opts.cfilter, errmsg);
789 /* Now print the filter code. */
790 insn = fcode.bf_insns;
792 for (i = 0; i < fcode.bf_len; insn++, i++)
793 printf("%s\n", bpf_image(insn, i));
795 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
796 /* to remove any suid privileges. */
797 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
798 /* (euid/egid have already previously been set to ruid/rgid. */
799 /* (See comment in main() for details) */
801 relinquish_special_privs_perm();
803 relinquish_all_capabilities();
806 /* Let our parent know we succeeded. */
807 pipe_write_block(2, SP_SUCCESS, NULL);
814 * capture_interface_list() is expected to do the right thing to get
815 * a list of interfaces.
817 * In most of the programs in the Wireshark suite, "the right thing"
818 * is to run dumpcap and ask it for the list, because dumpcap may
819 * be the only program in the suite with enough privileges to get
822 * In dumpcap itself, however, we obviously can't run dumpcap to
823 * ask for the list. Therefore, our capture_interface_list() should
824 * just call get_interface_list().
827 capture_interface_list(int *err, char **err_str)
829 return get_interface_list(err, err_str);
833 * Get the data-link type for a libpcap device.
834 * This works around AIX 5.x's non-standard and incompatible-with-the-
835 * rest-of-the-universe libpcap.
838 get_pcap_linktype(pcap_t *pch, const char *devname
846 const char *ifacename;
849 linktype = pcap_datalink(pch);
853 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
854 * rather than DLT_ values for link-layer types; the ifType values
855 * for LAN devices are:
862 * and the ifType value for a loopback device is 24.
864 * The AIX names for LAN devices begin with:
871 * and the AIX names for loopback devices begin with "lo".
873 * (The difference between "Ethernet" and "802.3" is presumably
874 * whether packets have an Ethernet header, with a packet type,
875 * or an 802.3 header, with a packet length, followed by an 802.2
876 * header and possibly a SNAP header.)
878 * If the device name matches "linktype" interpreted as an ifType
879 * value, rather than as a DLT_ value, we will assume this is AIX's
880 * non-standard, incompatible libpcap, rather than a standard libpcap,
881 * and will map the link-layer type to the standard DLT_ value for
882 * that link-layer type, as that's what the rest of Wireshark expects.
884 * (This means the capture files won't be readable by a tcpdump
885 * linked with AIX's non-standard libpcap, but so it goes. They
886 * *will* be readable by standard versions of tcpdump, Wireshark,
889 * XXX - if we conclude we're using AIX libpcap, should we also
890 * set a flag to cause us to assume the time stamps are in
891 * seconds-and-nanoseconds form, and to convert them to
892 * seconds-and-microseconds form before processing them and
897 * Find the last component of the device name, which is the
900 ifacename = strchr(devname, '/');
901 if (ifacename == NULL)
904 /* See if it matches any of the LAN device names. */
905 if (strncmp(ifacename, "en", 2) == 0) {
908 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
912 } else if (strncmp(ifacename, "et", 2) == 0) {
915 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
916 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
921 } else if (strncmp(ifacename, "tr", 2) == 0) {
924 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
925 * DLT_IEEE802, which is what's used for Token Ring.
929 } else if (strncmp(ifacename, "fi", 2) == 0) {
930 if (linktype == 15) {
932 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
936 } else if (strncmp(ifacename, "lo", 2) == 0) {
937 if (linktype == 24) {
939 * That's the RFC 1573 value for "software loopback" devices; map it
940 * to DLT_NULL, which is what's used for loopback devices on BSD.
950 static data_link_info_t *
951 create_data_link_info(int dlt)
953 data_link_info_t *data_link_info;
956 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
957 data_link_info->dlt = dlt;
958 text = pcap_datalink_val_to_name(dlt);
960 data_link_info->name = g_strdup(text);
962 data_link_info->name = g_strdup_printf("DLT %d", dlt);
963 text = pcap_datalink_val_to_description(dlt);
965 data_link_info->description = g_strdup(text);
967 data_link_info->description = NULL;
968 return data_link_info;
972 * Get the capabilities of a network device.
974 static if_capabilities_t *
975 get_if_capabilities(const char *devname, gboolean monitor_mode
976 #ifndef HAVE_PCAP_CREATE
981 if_capabilities_t *caps;
982 char errbuf[PCAP_ERRBUF_SIZE];
984 #ifdef HAVE_PCAP_CREATE
988 #ifdef HAVE_PCAP_LIST_DATALINKS
992 data_link_info_t *data_link_info;
995 * Allocate the interface capabilities structure.
997 caps = g_malloc(sizeof *caps);
999 #ifdef HAVE_PCAP_OPEN
1000 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1001 caps->can_set_rfmon = FALSE;
1003 if (err_str != NULL)
1004 *err_str = g_strdup(errbuf);
1008 #elif defined(HAVE_PCAP_CREATE)
1009 pch = pcap_create(devname, errbuf);
1011 if (err_str != NULL)
1012 *err_str = g_strdup(errbuf);
1016 status = pcap_can_set_rfmon(pch);
1019 if (status == PCAP_ERROR)
1020 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1023 *err_str = g_strdup(pcap_statustostr(status));
1029 caps->can_set_rfmon = FALSE;
1030 else if (status == 1) {
1031 caps->can_set_rfmon = TRUE;
1033 pcap_set_rfmon(pch, 1);
1035 if (err_str != NULL) {
1036 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1044 status = pcap_activate(pch);
1046 /* Error. We ignore warnings (status > 0). */
1047 if (err_str != NULL) {
1048 if (status == PCAP_ERROR)
1049 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1052 *err_str = g_strdup(pcap_statustostr(status));
1059 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1060 caps->can_set_rfmon = FALSE;
1062 if (err_str != NULL)
1063 *err_str = g_strdup(errbuf);
1068 deflt = get_pcap_linktype(pch, devname);
1069 #ifdef HAVE_PCAP_LIST_DATALINKS
1070 nlt = pcap_list_datalinks(pch, &linktypes);
1071 if (nlt == 0 || linktypes == NULL) {
1073 if (err_str != NULL)
1074 *err_str = NULL; /* an empty list doesn't mean an error */
1077 caps->data_link_types = NULL;
1078 for (i = 0; i < nlt; i++) {
1079 data_link_info = create_data_link_info(linktypes[i]);
1082 * XXX - for 802.11, make the most detailed 802.11
1083 * version the default, rather than the one the
1084 * device has as the default?
1086 if (linktypes[i] == deflt)
1087 caps->data_link_types = g_list_prepend(caps->data_link_types,
1090 caps->data_link_types = g_list_append(caps->data_link_types,
1093 #ifdef HAVE_PCAP_FREE_DATALINKS
1094 pcap_free_datalinks(linktypes);
1097 * In Windows, there's no guarantee that if you have a library
1098 * built with one version of the MSVC++ run-time library, and
1099 * it returns a pointer to allocated data, you can free that
1100 * data from a program linked with another version of the
1101 * MSVC++ run-time library.
1103 * This is not an issue on UN*X.
1105 * See the mail threads starting at
1107 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1111 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1114 #define xx_free free /* hack so checkAPIs doesn't complain */
1117 #endif /* HAVE_PCAP_FREE_DATALINKS */
1118 #else /* HAVE_PCAP_LIST_DATALINKS */
1120 data_link_info = create_data_link_info(deflt);
1121 caps->data_link_types = g_list_append(caps->data_link_types,
1123 #endif /* HAVE_PCAP_LIST_DATALINKS */
1127 if (err_str != NULL)
1132 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1134 print_machine_readable_interfaces(GList *if_list)
1141 char addr_str[ADDRSTRLEN];
1143 if (capture_child) {
1144 /* Let our parent know we succeeded. */
1145 pipe_write_block(2, SP_SUCCESS, NULL);
1148 i = 1; /* Interface id number */
1149 for (if_entry = g_list_first(if_list); if_entry != NULL;
1150 if_entry = g_list_next(if_entry)) {
1151 if_info = (if_info_t *)if_entry->data;
1152 printf("%d. %s", i++, if_info->name);
1155 * Print the contents of the if_entry struct in a parseable format.
1156 * Each if_entry element is tab-separated. Addresses are comma-
1159 /* XXX - Make sure our description doesn't contain a tab */
1160 if (if_info->description != NULL)
1161 printf("\t%s\t", if_info->description);
1165 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1166 addr = g_slist_next(addr)) {
1167 if (addr != g_slist_nth(if_info->addrs, 0))
1170 if_addr = (if_addr_t *)addr->data;
1171 switch(if_addr->ifat_type) {
1173 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1175 printf("%s", addr_str);
1177 printf("<unknown IPv4>");
1181 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1182 addr_str, ADDRSTRLEN)) {
1183 printf("%s", addr_str);
1185 printf("<unknown IPv6>");
1189 printf("<type unknown %u>", if_addr->ifat_type);
1193 if (if_info->loopback)
1194 printf("\tloopback");
1196 printf("\tnetwork");
1203 * If you change the machine-readable output format of this function,
1204 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1207 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1210 data_link_info_t *data_link_info;
1211 const gchar *desc_str;
1213 if (capture_child) {
1214 /* Let our parent know we succeeded. */
1215 pipe_write_block(2, SP_SUCCESS, NULL);
1218 if (caps->can_set_rfmon)
1222 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1223 lt_entry = g_list_next(lt_entry)) {
1224 data_link_info = (data_link_info_t *)lt_entry->data;
1225 if (data_link_info->description != NULL)
1226 desc_str = data_link_info->description;
1228 desc_str = "(not supported)";
1229 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1239 /* Print the number of packets captured for each interface until we're killed. */
1241 print_statistics_loop(gboolean machine_readable)
1243 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1249 char errbuf[PCAP_ERRBUF_SIZE];
1250 struct pcap_stat ps;
1252 if_list = get_interface_list(&err, &err_str);
1253 if (if_list == NULL) {
1255 case CANT_GET_INTERFACE_LIST:
1256 cmdarg_err("%s", err_str);
1260 case NO_INTERFACES_FOUND:
1261 cmdarg_err("There are no interfaces on which a capture can be done");
1267 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1268 if_info = (if_info_t *)if_entry->data;
1269 #ifdef HAVE_PCAP_OPEN
1270 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1272 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1276 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1277 if_stat->name = g_strdup(if_info->name);
1279 stat_list = g_list_append(stat_list, if_stat);
1284 cmdarg_err("There are no interfaces on which a capture can be done");
1288 if (capture_child) {
1289 /* Let our parent know we succeeded. */
1290 pipe_write_block(2, SP_SUCCESS, NULL);
1293 if (!machine_readable) {
1294 printf("%-15s %10s %10s\n", "Interface", "Received",
1298 global_ld.go = TRUE;
1299 while (global_ld.go) {
1300 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1301 if_stat = (if_stat_t *)stat_entry->data;
1302 pcap_stats(if_stat->pch, &ps);
1304 if (!machine_readable) {
1305 printf("%-15s %10u %10u\n", if_stat->name,
1306 ps.ps_recv, ps.ps_drop);
1308 printf("%s\t%u\t%u\n", if_stat->name,
1309 ps.ps_recv, ps.ps_drop);
1320 /* XXX - Not reached. Should we look for 'q' in stdin? */
1321 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1322 if_stat = (if_stat_t *)stat_entry->data;
1323 pcap_close(if_stat->pch);
1324 g_free(if_stat->name);
1327 g_list_free(stat_list);
1328 free_interface_list(if_list);
1336 capture_cleanup_handler(DWORD dwCtrlType)
1338 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1339 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1340 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1341 like SIGTERM at least when the machine's shutting down.
1343 For now, if we're running as a command rather than a capture child,
1344 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1345 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1346 in that way on UN*X.
1348 If we're not running as a capture child, we might be running as
1349 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1350 user logs out. (XXX - can we explicitly check whether we're
1351 running as a service?) */
1353 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1354 "Console: Control signal");
1355 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1356 "Console: Control signal, CtrlType: %u", dwCtrlType);
1358 /* Keep capture running if we're a service and a user logs off */
1359 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1360 capture_loop_stop();
1368 capture_cleanup_handler(int signum _U_)
1370 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1371 SIGTERM. We assume that if the user wanted it to keep running
1372 after they logged out, they'd have nohupped it. */
1374 /* Note: don't call g_log() in the signal handler: if we happened to be in
1375 * g_log() in process context when the signal came in, g_log will detect
1376 * the "recursion" and abort.
1379 capture_loop_stop();
1385 report_capture_count(gboolean reportit)
1387 /* Don't print this if we're a capture child. */
1388 if (!capture_child && reportit) {
1389 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1390 /* stderr could be line buffered */
1398 report_counts_for_siginfo(void)
1400 report_capture_count(quiet);
1401 infoprint = FALSE; /* we just reported it */
1405 report_counts_siginfo(int signum _U_)
1407 int sav_errno = errno;
1409 /* If we've been told to delay printing, just set a flag asking
1410 that we print counts (if we're supposed to), otherwise print
1411 the count of packets captured (if we're supposed to). */
1415 report_counts_for_siginfo();
1418 #endif /* SIGINFO */
1421 exit_main(int status)
1424 /* Shutdown windows sockets */
1427 /* can be helpful for debugging */
1428 #ifdef DEBUG_DUMPCAP
1429 printf("Press any key\n");
1440 * If we were linked with libcap (not libpcap), make sure we have
1441 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1442 * (See comment in main() for details)
1445 relinquish_privs_except_capture(void)
1447 /* If 'started_with_special_privs' (ie: suid) then enable for
1448 * ourself the NET_ADMIN and NET_RAW capabilities and then
1449 * drop our suid privileges.
1451 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1452 * stuff we don't need (and shouldn't have).
1453 * CAP_NET_RAW: Packet capture (raw sockets).
1456 if (started_with_special_privs()) {
1457 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1458 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1460 cap_t caps = cap_init(); /* all capabilities initialized to off */
1462 print_caps("Pre drop, pre set");
1464 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1465 cmdarg_err("prctl() fail return: %s", strerror(errno));
1468 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1469 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1471 if (cap_set_proc(caps)) {
1472 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1474 print_caps("Pre drop, post set");
1476 relinquish_special_privs_perm();
1478 print_caps("Post drop, pre set");
1479 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1480 if (cap_set_proc(caps)) {
1481 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
1483 print_caps("Post drop, post set");
1489 #endif /* HAVE_LIBCAP */
1491 /* Take care of byte order in the libpcap headers read from pipes.
1492 * (function taken from wiretap/libpcap.c) */
1494 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1497 /* Byte-swap the record header fields. */
1498 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1499 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1500 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1501 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1504 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1505 swapped, in order to match the BPF header layout.
1507 Unfortunately, some files were, according to a comment in the "libpcap"
1508 source, written with version 2.3 in their headers but without the
1509 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1510 would make no sense - we assume that we need to swap them. */
1511 if (hdr->version_major == 2 &&
1512 (hdr->version_minor < 3 ||
1513 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1516 temp = rechdr->orig_len;
1517 rechdr->orig_len = rechdr->incl_len;
1518 rechdr->incl_len = temp;
1524 * Thread function that reads from a pipe and pushes the data
1525 * to the main application thread.
1528 * XXX Right now we use async queues for basic signaling. The main thread
1529 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1530 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1531 * Iff the read is successful cap_pipe_read pushes an item onto
1532 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1533 * the queues themselves (yet).
1535 * We might want to move some of the cap_pipe_dispatch logic here so that
1536 * we can let cap_pipe_read run independently, queuing up multiple reads
1537 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1539 static void *cap_pipe_read(void *arg)
1541 pcap_options *pcap_opts;
1550 pcap_opts = (pcap_options *)arg;
1551 while (pcap_opts->cap_pipe_err == PIPOK) {
1552 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1553 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1555 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1557 /* If we try to use read() on a named pipe on Windows with partial
1558 * data it appears to return EOF.
1560 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1561 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1566 last_err = GetLastError();
1567 if (last_err == ERROR_MORE_DATA) {
1569 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1570 pcap_opts->cap_pipe_err = PIPEOF;
1574 pcap_opts->cap_pipe_err = PIPERR;
1577 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1578 pcap_opts->cap_pipe_err = PIPEOF;
1583 b = read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1584 pcap_opts->cap_pipe_bytes_to_read - bytes_read);
1587 pcap_opts->cap_pipe_err = PIPEOF;
1591 pcap_opts->cap_pipe_err = PIPERR;
1600 pcap_opts->cap_pipe_bytes_read = bytes_read;
1601 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1602 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1604 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1608 #endif /* USE_THREADS */
1610 /* Provide select() functionality for a single file descriptor
1611 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1613 * Returns the same values as select. If an error is returned,
1614 * the string cap_pipe_err_str should be used instead of errno.
1617 cap_pipe_select(int pipe_fd)
1620 struct timeval timeout;
1623 cap_pipe_err_str = "Unknown error";
1626 FD_SET(pipe_fd, &rfds);
1628 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1629 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1631 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1633 cap_pipe_err_str = strerror(errno);
1638 /* Mimic pcap_open_live() for pipe captures
1640 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1641 * open it, and read the header.
1643 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1644 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1646 cap_pipe_open_live(char *pipename,
1647 pcap_options *pcap_opts,
1648 struct pcap_hdr *hdr,
1649 char *errmsg, int errmsgl)
1652 ws_statb64 pipe_stat;
1653 struct sockaddr_un sa;
1664 unsigned int bytes_read;
1669 pcap_opts->cap_pipe_fd = -1;
1671 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1673 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1676 * XXX - this blocks until a pcap per-file header has been written to
1677 * the pipe, so it could block indefinitely.
1679 if (strcmp(pipename, "-") == 0) {
1681 fd = 0; /* read from stdin */
1683 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1687 if (ws_stat64(pipename, &pipe_stat) < 0) {
1688 if (errno == ENOENT || errno == ENOTDIR)
1689 pcap_opts->cap_pipe_err = PIPNEXIST;
1691 g_snprintf(errmsg, errmsgl,
1692 "The capture session could not be initiated "
1693 "due to error getting information on pipe/socket: %s", strerror(errno));
1694 pcap_opts->cap_pipe_err = PIPERR;
1698 if (S_ISFIFO(pipe_stat.st_mode)) {
1699 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1701 g_snprintf(errmsg, errmsgl,
1702 "The capture session could not be initiated "
1703 "due to error on pipe open: %s", strerror(errno));
1704 pcap_opts->cap_pipe_err = PIPERR;
1707 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1708 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1710 g_snprintf(errmsg, errmsgl,
1711 "The capture session could not be initiated "
1712 "due to error on socket create: %s", strerror(errno));
1713 pcap_opts->cap_pipe_err = PIPERR;
1716 sa.sun_family = AF_UNIX;
1718 * The Single UNIX Specification says:
1720 * The size of sun_path has intentionally been left undefined.
1721 * This is because different implementations use different sizes.
1722 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1723 * of 104. Since most implementations originate from BSD versions,
1724 * the size is typically in the range 92 to 108.
1726 * Applications should not assume a particular length for sun_path
1727 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1731 * The <sys/un.h> header shall define the sockaddr_un structure,
1732 * which shall include at least the following members:
1734 * sa_family_t sun_family Address family.
1735 * char sun_path[] Socket pathname.
1737 * so we assume that it's an array, with a specified size,
1738 * and that the size reflects the maximum path length.
1740 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1741 /* Path name too long */
1742 g_snprintf(errmsg, errmsgl,
1743 "The capture session coud not be initiated "
1744 "due to error on socket connect: Path name too long");
1745 pcap_opts->cap_pipe_err = PIPERR;
1748 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1750 g_snprintf(errmsg, errmsgl,
1751 "The capture session coud not be initiated "
1752 "due to error on socket connect: %s", strerror(errno));
1753 pcap_opts->cap_pipe_err = PIPERR;
1757 if (S_ISCHR(pipe_stat.st_mode)) {
1759 * Assume the user specified an interface on a system where
1760 * interfaces are in /dev. Pretend we haven't seen it.
1762 pcap_opts->cap_pipe_err = PIPNEXIST;
1765 g_snprintf(errmsg, errmsgl,
1766 "The capture session could not be initiated because\n"
1767 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1768 pcap_opts->cap_pipe_err = PIPERR;
1773 #define PIPE_STR "\\pipe\\"
1774 /* Under Windows, named pipes _must_ have the form
1775 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1777 pncopy = g_strdup(pipename);
1778 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1779 pos = strchr(pncopy + 3, '\\');
1780 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1787 g_snprintf(errmsg, errmsgl,
1788 "The capture session could not be initiated because\n"
1789 "\"%s\" is neither an interface nor a pipe", pipename);
1790 pcap_opts->cap_pipe_err = PIPNEXIST;
1794 /* Wait for the pipe to appear */
1796 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1797 OPEN_EXISTING, 0, NULL);
1799 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1802 if (GetLastError() != ERROR_PIPE_BUSY) {
1803 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1804 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1805 g_snprintf(errmsg, errmsgl,
1806 "The capture session on \"%s\" could not be started "
1807 "due to error on pipe open: %s (error %d)",
1808 pipename, utf_16to8(err_str), GetLastError());
1810 pcap_opts->cap_pipe_err = PIPERR;
1814 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1815 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1816 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1817 g_snprintf(errmsg, errmsgl,
1818 "The capture session on \"%s\" timed out during "
1819 "pipe open: %s (error %d)",
1820 pipename, utf_16to8(err_str), GetLastError());
1822 pcap_opts->cap_pipe_err = PIPERR;
1829 pcap_opts->from_cap_pipe = TRUE;
1832 /* read the pcap header */
1834 while (bytes_read < sizeof magic) {
1835 sel_ret = cap_pipe_select(fd);
1837 g_snprintf(errmsg, errmsgl,
1838 "Unexpected error from select: %s", strerror(errno));
1840 } else if (sel_ret > 0) {
1841 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1844 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1846 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1853 #else /* USE_THREADS */
1854 g_thread_create(&cap_pipe_read, pcap_opts, FALSE, NULL);
1856 pcap_opts->cap_pipe_buf = (char *) &magic;
1857 pcap_opts->cap_pipe_bytes_read = 0;
1858 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1859 /* We don't have to worry about cap_pipe_read_mtx here */
1860 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1861 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1862 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1863 if (pcap_opts->cap_pipe_bytes_read == 0)
1864 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1866 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1871 #endif /* USE_THREADS */
1875 /* Host that wrote it has our byte order, and was running
1876 a program using either standard or ss990417 libpcap. */
1877 pcap_opts->cap_pipe_byte_swapped = FALSE;
1878 pcap_opts->cap_pipe_modified = FALSE;
1880 case PCAP_MODIFIED_MAGIC:
1881 /* Host that wrote it has our byte order, but was running
1882 a program using either ss990915 or ss991029 libpcap. */
1883 pcap_opts->cap_pipe_byte_swapped = FALSE;
1884 pcap_opts->cap_pipe_modified = TRUE;
1886 case PCAP_SWAPPED_MAGIC:
1887 /* Host that wrote it has a byte order opposite to ours,
1888 and was running a program using either standard or
1889 ss990417 libpcap. */
1890 pcap_opts->cap_pipe_byte_swapped = TRUE;
1891 pcap_opts->cap_pipe_modified = FALSE;
1893 case PCAP_SWAPPED_MODIFIED_MAGIC:
1894 /* Host that wrote it out has a byte order opposite to
1895 ours, and was running a program using either ss990915
1896 or ss991029 libpcap. */
1897 pcap_opts->cap_pipe_byte_swapped = TRUE;
1898 pcap_opts->cap_pipe_modified = TRUE;
1901 /* Not a "libpcap" type we know about. */
1902 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
1907 /* Read the rest of the header */
1909 while (bytes_read < sizeof(struct pcap_hdr)) {
1910 sel_ret = cap_pipe_select(fd);
1912 g_snprintf(errmsg, errmsgl,
1913 "Unexpected error from select: %s", strerror(errno));
1915 } else if (sel_ret > 0) {
1916 b = read(fd, ((char *)hdr)+bytes_read,
1917 sizeof(struct pcap_hdr) - bytes_read);
1920 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1922 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
1929 #else /* USE_THREADS */
1930 pcap_opts->cap_pipe_buf = (char *) hdr;
1931 pcap_opts->cap_pipe_bytes_read = 0;
1932 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
1933 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1934 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1935 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1936 if (pcap_opts->cap_pipe_bytes_read == 0)
1937 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
1939 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
1943 #endif /* USE_THREADS */
1945 if (pcap_opts->cap_pipe_byte_swapped) {
1946 /* Byte-swap the header fields about which we care. */
1947 hdr->version_major = BSWAP16(hdr->version_major);
1948 hdr->version_minor = BSWAP16(hdr->version_minor);
1949 hdr->snaplen = BSWAP32(hdr->snaplen);
1950 hdr->network = BSWAP32(hdr->network);
1952 pcap_opts->linktype = hdr->network;
1954 if (hdr->version_major < 2) {
1955 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
1959 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
1960 pcap_opts->cap_pipe_err = PIPOK;
1962 pcap_opts->cap_pipe_fd = fd;
1967 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
1968 pcap_opts->cap_pipe_err = PIPERR;
1971 pcap_opts->cap_pipe_fd = -1;
1978 /* We read one record from the pipe, take care of byte order in the record
1979 * header, write the record to the capture file, and update capture statistics. */
1981 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
1983 struct pcap_pkthdr phdr;
1984 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1996 #ifdef LOG_CAPTURE_VERBOSE
1997 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2000 switch (pcap_opts->cap_pipe_state) {
2002 case STATE_EXPECT_REC_HDR:
2004 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2007 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2008 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2009 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2010 pcap_opts->cap_pipe_bytes_read = 0;
2013 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2014 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2015 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2020 case STATE_READ_REC_HDR:
2022 b = read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2023 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2026 result = PD_PIPE_EOF;
2028 result = PD_PIPE_ERR;
2031 pcap_opts->cap_pipe_bytes_read += b;
2032 #else /* USE_THREADS */
2033 g_get_current_time(&wait_time);
2034 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2035 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2036 if (pcap_opts->cap_pipe_err == PIPEOF) {
2037 result = PD_PIPE_EOF;
2039 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2040 result = PD_PIPE_ERR;
2046 #endif /* USE_THREADS */
2047 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2049 result = PD_REC_HDR_READ;
2052 case STATE_EXPECT_DATA:
2054 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2057 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2058 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2059 pcap_opts->cap_pipe_bytes_read = 0;
2062 pcap_opts->cap_pipe_buf = (char *) data;
2063 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2064 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2069 case STATE_READ_DATA:
2071 b = read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2072 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2075 result = PD_PIPE_EOF;
2077 result = PD_PIPE_ERR;
2080 pcap_opts->cap_pipe_bytes_read += b;
2081 #else /* USE_THREADS */
2082 g_get_current_time(&wait_time);
2083 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2084 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2085 if (pcap_opts->cap_pipe_err == PIPEOF) {
2086 result = PD_PIPE_EOF;
2088 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2089 result = PD_PIPE_ERR;
2095 #endif /* USE_THREADS */
2096 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2098 result = PD_DATA_READ;
2102 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2105 } /* switch (ld->cap_pipe_state) */
2108 * We've now read as much data as we were expecting, so process it.
2112 case PD_REC_HDR_READ:
2113 /* We've read the header. Take care of byte order. */
2114 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2115 &pcap_opts->cap_pipe_rechdr.hdr);
2116 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2117 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2118 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2121 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2125 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2126 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2127 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2128 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2129 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2132 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2134 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2136 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2140 pcap_opts->cap_pipe_err = PIPEOF;
2145 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2146 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2147 g_snprintf(errmsg, errmsgl,
2148 "Error reading from pipe: %s (error %d)",
2149 utf_16to8(err_str), GetLastError());
2152 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2160 pcap_opts->cap_pipe_err = PIPERR;
2161 /* Return here rather than inside the switch to prevent GCC warning */
2166 /** Open the capture input file (pcap or capture pipe).
2167 * Returns TRUE if it succeeds, FALSE otherwise. */
2169 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2170 char *errmsg, size_t errmsg_len,
2171 char *secondary_errmsg, size_t secondary_errmsg_len)
2173 gchar open_err_str[PCAP_ERRBUF_SIZE];
2174 gchar *sync_msg_str;
2175 interface_options interface_opts;
2176 pcap_options *pcap_opts;
2180 gchar *sync_secondary_msg_str;
2181 WORD wVersionRequested;
2185 /* XXX - opening Winsock on tshark? */
2187 /* Initialize Windows Socket if we are in a WIN32 OS
2188 This needs to be done before querying the interface for network/netmask */
2190 /* XXX - do we really require 1.1 or earlier?
2191 Are there any versions that support only 2.0 or higher? */
2192 wVersionRequested = MAKEWORD(1, 1);
2193 err = WSAStartup(wVersionRequested, &wsaData);
2197 case WSASYSNOTREADY:
2198 g_snprintf(errmsg, (gulong) errmsg_len,
2199 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2202 case WSAVERNOTSUPPORTED:
2203 g_snprintf(errmsg, (gulong) errmsg_len,
2204 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2205 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2208 case WSAEINPROGRESS:
2209 g_snprintf(errmsg, (gulong) errmsg_len,
2210 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2214 g_snprintf(errmsg, (gulong) errmsg_len,
2215 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2219 g_snprintf(errmsg, (gulong) errmsg_len,
2220 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2224 g_snprintf(errmsg, (gulong) errmsg_len,
2225 "Couldn't initialize Windows Sockets: error %d", err);
2228 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2232 if ((use_threads == FALSE) &&
2233 (capture_opts->ifaces->len > 1)) {
2234 g_snprintf(errmsg, (gulong) errmsg_len,
2235 "Using threads is required for capturing on mulitple interfaces! Use the -t option.");
2239 for (i = 0; i < capture_opts->ifaces->len; i++) {
2240 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2241 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2242 if (pcap_opts == NULL) {
2243 g_snprintf(errmsg, (gulong) errmsg_len,
2244 "Could not allocate memory.");
2247 pcap_opts->received = 0;
2248 pcap_opts->dropped = 0;
2249 pcap_opts->pcap_h = NULL;
2250 #ifdef MUST_DO_SELECT
2251 pcap_opts->pcap_fd = -1;
2253 pcap_opts->pcap_err = FALSE;
2254 pcap_opts->interface_id = i;
2255 pcap_opts->tid = NULL;
2256 pcap_opts->snaplen = 0;
2257 pcap_opts->linktype = -1;
2258 pcap_opts->from_cap_pipe = FALSE;
2259 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2260 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2262 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2264 pcap_opts->cap_pipe_fd = -1;
2266 pcap_opts->cap_pipe_modified = FALSE;
2267 pcap_opts->cap_pipe_byte_swapped = FALSE;
2269 pcap_opts->cap_pipe_buf = NULL;
2270 #endif /* USE_THREADS */
2271 pcap_opts->cap_pipe_bytes_to_read = 0;
2272 pcap_opts->cap_pipe_bytes_read = 0;
2273 pcap_opts->cap_pipe_state = 0;
2274 pcap_opts->cap_pipe_err = PIPOK;
2276 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2277 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2278 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2280 g_array_append_val(ld->pcaps, pcap_opts);
2282 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2283 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2285 if (pcap_opts->pcap_h != NULL) {
2286 /* we've opened "iface" as a network device */
2288 /* try to set the capture buffer size */
2289 if (interface_opts.buffer_size > 1 &&
2290 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2291 sync_secondary_msg_str = g_strdup_printf(
2292 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2293 "the default of 1MB will be used.\n"
2295 "Nonetheless, the capture is started.\n",
2296 interface_opts.buffer_size);
2297 report_capture_error("Couldn't set the capture buffer size!",
2298 sync_secondary_msg_str);
2299 g_free(sync_secondary_msg_str);
2303 #if defined(HAVE_PCAP_SETSAMPLING)
2304 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2305 struct pcap_samp *samp;
2307 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2308 switch (interface_opts.sampling_method) {
2309 case CAPTURE_SAMP_BY_COUNT:
2310 samp->method = PCAP_SAMP_1_EVERY_N;
2313 case CAPTURE_SAMP_BY_TIMER:
2314 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2318 sync_msg_str = g_strdup_printf(
2319 "Unknown sampling method %d specified,\n"
2320 "continue without packet sampling",
2321 interface_opts.sampling_method);
2322 report_capture_error("Couldn't set the capture "
2323 "sampling", sync_msg_str);
2324 g_free(sync_msg_str);
2326 samp->value = interface_opts.sampling_param;
2328 report_capture_error("Couldn't set the capture sampling",
2329 "Cannot get packet sampling data structure");
2334 /* setting the data link type only works on real interfaces */
2335 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2337 secondary_errmsg, secondary_errmsg_len)) {
2340 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2342 /* We couldn't open "iface" as a network device. */
2343 /* Try to open it as a pipe */
2344 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2347 if (pcap_opts->cap_pipe_fd == -1) {
2349 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2351 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2352 /* Pipe doesn't exist, so output message for interface */
2353 get_capture_device_open_failure_messages(open_err_str,
2354 interface_opts.name,
2358 secondary_errmsg_len);
2361 * Else pipe (or file) does exist and cap_pipe_open_live() has
2366 /* cap_pipe_open_live() succeeded; don't want
2367 error message from pcap_open_live() */
2368 open_err_str[0] = '\0';
2372 /* XXX - will this work for tshark? */
2373 #ifdef MUST_DO_SELECT
2374 if (!pcap_opts->from_cap_pipe) {
2375 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2376 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2378 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2383 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2384 returned a warning; print it, but keep capturing. */
2385 if (open_err_str[0] != '\0') {
2386 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2387 report_capture_error(sync_msg_str, "");
2388 g_free(sync_msg_str);
2390 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2391 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2394 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2395 /* to remove any suid privileges. */
2396 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2397 /* (euid/egid have already previously been set to ruid/rgid. */
2398 /* (See comment in main() for details) */
2400 relinquish_special_privs_perm();
2402 relinquish_all_capabilities();
2407 /* close the capture input file (pcap or capture pipe) */
2408 static void capture_loop_close_input(loop_data *ld)
2411 pcap_options *pcap_opts;
2413 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2415 for (i = 0; i < ld->pcaps->len; i++) {
2416 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2417 /* if open, close the capture pipe "input file" */
2419 if (pcap_opts->cap_pipe_fd >= 0) {
2420 g_assert(pcap_opts->from_cap_pipe);
2421 ws_close(pcap_opts->cap_pipe_fd);
2422 pcap_opts->cap_pipe_fd = -1;
2425 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2426 CloseHandle(pcap_opts->cap_pipe_h);
2427 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2430 /* if open, close the pcap "input file" */
2431 if (pcap_opts->pcap_h != NULL) {
2432 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", pcap_opts->pcap_h);
2433 pcap_close(pcap_opts->pcap_h);
2434 pcap_opts->pcap_h = NULL;
2441 /* Shut down windows sockets */
2447 /* init the capture filter */
2448 static initfilter_status_t
2449 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2450 gchar * name, gchar * cfilter)
2452 struct bpf_program fcode;
2454 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2456 /* capture filters only work on real interfaces */
2457 if (cfilter && !from_cap_pipe) {
2458 /* A capture filter was specified; set it up. */
2459 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2460 /* Treat this specially - our caller might try to compile this
2461 as a display filter and, if that succeeds, warn the user that
2462 the display and capture filter syntaxes are different. */
2463 return INITFILTER_BAD_FILTER;
2465 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2466 #ifdef HAVE_PCAP_FREECODE
2467 pcap_freecode(&fcode);
2469 return INITFILTER_OTHER_ERROR;
2471 #ifdef HAVE_PCAP_FREECODE
2472 pcap_freecode(&fcode);
2476 return INITFILTER_NO_ERROR;
2480 /* set up to write to the already-opened capture output file/files */
2482 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2486 pcap_options *pcap_opts;
2487 interface_options interface_opts;
2488 gboolean successful;
2490 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2492 if ((capture_opts->use_pcapng == FALSE) &&
2493 (capture_opts->ifaces->len > 1)) {
2494 g_snprintf(errmsg, errmsg_len,
2495 "Using PCAPNG is required for capturing on mulitple interfaces! Use the -n option.");
2499 /* Set up to write to the capture file. */
2500 if (capture_opts->multi_files_on) {
2501 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2503 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2506 if (capture_opts->use_pcapng) {
2509 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2510 successful = libpcap_write_session_header_block(ld->pdh, appname, &ld->bytes_written, &err);
2511 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2512 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2513 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2514 if (pcap_opts->from_cap_pipe) {
2515 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2517 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2519 successful = libpcap_write_interface_description_block(ld->pdh,
2520 interface_opts.name,
2521 interface_opts.cfilter,
2522 pcap_opts->linktype,
2528 interface_opts = g_array_index(capture_opts->ifaces, interface_options, 0);
2529 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2530 if (pcap_opts->from_cap_pipe) {
2531 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2533 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2535 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2536 &ld->bytes_written, &err);
2544 if (ld->pdh == NULL) {
2545 /* We couldn't set up to write to the capture file. */
2546 /* XXX - use cf_open_error_message from tshark instead? */
2551 g_snprintf(errmsg, errmsg_len,
2552 "The file to which the capture would be"
2553 " saved (\"%s\") could not be opened: Error %d.",
2554 capture_opts->save_file, err);
2556 g_snprintf(errmsg, errmsg_len,
2557 "The file to which the capture would be"
2558 " saved (\"%s\") could not be opened: %s.",
2559 capture_opts->save_file, strerror(err));
2571 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2575 pcap_options *pcap_opts;
2577 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2579 if (capture_opts->multi_files_on) {
2580 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2582 if (capture_opts->use_pcapng) {
2583 for (i = 0; i < global_ld.pcaps->len; i++) {
2584 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2585 if (!pcap_opts->from_cap_pipe) {
2586 libpcap_write_interface_statistics_block(ld->pdh, i, pcap_opts->pcap_h, &ld->bytes_written, err_close);
2590 return libpcap_dump_close(ld->pdh, err_close);
2594 /* dispatch incoming packets (pcap or capture pipe)
2596 * Waits for incoming packets to be available, and calls pcap_dispatch()
2597 * to cause them to be processed.
2599 * Returns the number of packets which were processed.
2601 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2602 * packet-batching behaviour does not cause packets to get held back
2606 capture_loop_dispatch(loop_data *ld,
2607 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2610 gint packet_count_before;
2611 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2616 packet_count_before = ld->packet_count;
2617 if (pcap_opts->from_cap_pipe) {
2618 /* dispatch from capture pipe */
2619 #ifdef LOG_CAPTURE_VERBOSE
2620 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2623 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2625 if (sel_ret < 0 && errno != EINTR) {
2626 g_snprintf(errmsg, errmsg_len,
2627 "Unexpected error from select: %s", strerror(errno));
2628 report_capture_error(errmsg, please_report);
2633 * "select()" says we can read from the pipe without blocking
2635 #endif /* USE_THREADS */
2636 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2646 /* dispatch from pcap */
2647 #ifdef MUST_DO_SELECT
2649 * If we have "pcap_get_selectable_fd()", we use it to get the
2650 * descriptor on which to select; if that's -1, it means there
2651 * is no descriptor on which you can do a "select()" (perhaps
2652 * because you're capturing on a special device, and that device's
2653 * driver unfortunately doesn't support "select()", in which case
2654 * we don't do the select - which means it might not be possible
2655 * to stop a capture until a packet arrives. If that's unacceptable,
2656 * plead with whoever supplies the software for that device to add
2657 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2658 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2659 * later, so it can use pcap_breakloop().
2661 #ifdef LOG_CAPTURE_VERBOSE
2662 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2664 if (pcap_opts->pcap_fd != -1) {
2665 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2668 * "select()" says we can read from it without blocking; go for
2671 * We don't have pcap_breakloop(), so we only process one packet
2672 * per pcap_dispatch() call, to allow a signal to stop the
2673 * processing immediately, rather than processing all packets
2674 * in a batch before quitting.
2677 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2679 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2683 /* Error, rather than pcap_breakloop(). */
2684 pcap_opts->pcap_err = TRUE;
2686 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2689 if (sel_ret < 0 && errno != EINTR) {
2690 g_snprintf(errmsg, errmsg_len,
2691 "Unexpected error from select: %s", strerror(errno));
2692 report_capture_error(errmsg, please_report);
2698 #endif /* MUST_DO_SELECT */
2700 /* dispatch from pcap without select */
2702 #ifdef LOG_CAPTURE_VERBOSE
2703 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2707 * On Windows, we don't support asynchronously telling a process to
2708 * stop capturing; instead, we check for an indication on a pipe
2709 * after processing packets. We therefore process only one packet
2710 * at a time, so that we can check the pipe after every packet.
2713 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2715 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2719 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2721 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2726 /* Error, rather than pcap_breakloop(). */
2727 pcap_opts->pcap_err = TRUE;
2729 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2731 #else /* pcap_next_ex */
2732 #ifdef LOG_CAPTURE_VERBOSE
2733 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2735 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2738 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2739 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2740 * This should be fixed in the WinPcap 4.0 alpha release.
2742 * For reference, an example remote interface:
2743 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2746 /* emulate dispatch from pcap */
2749 struct pcap_pkthdr *pkt_header;
2754 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2756 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2758 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2763 pcap_opts->pcap_err = TRUE;
2767 #endif /* pcap_next_ex */
2771 #ifdef LOG_CAPTURE_VERBOSE
2772 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2775 return ld->packet_count - packet_count_before;
2779 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2780 * want to grab only the characters between the '{' and '}' delimiters.
2782 * Returns a GString that must be freed with g_string_free(). */
2784 isolate_uuid(const char *iface)
2789 ptr = strchr(iface, '{');
2791 return g_string_new(iface);
2792 gstr = g_string_new(ptr + 1);
2794 ptr = strchr(gstr->str, '}');
2798 gstr = g_string_truncate(gstr, ptr - gstr->str);
2803 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2804 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2806 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2807 char *errmsg, int errmsg_len)
2810 gchar *capfile_name;
2812 gboolean is_tempfile;
2814 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2815 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2817 if (capture_opts->save_file != NULL) {
2818 /* We return to the caller while the capture is in progress.
2819 * Therefore we need to take a copy of save_file in
2820 * case the caller destroys it after we return.
2822 capfile_name = g_strdup(capture_opts->save_file);
2824 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2825 if (capture_opts->multi_files_on) {
2826 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2827 g_snprintf(errmsg, errmsg_len,
2828 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2829 g_free(capfile_name);
2832 if (strcmp(capfile_name, "-") == 0) {
2833 /* write to stdout */
2836 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2837 _setmode(1, O_BINARY);
2840 } /* if (...output_to_pipe ... */
2843 if (capture_opts->multi_files_on) {
2844 /* ringbuffer is enabled */
2845 *save_file_fd = ringbuf_init(capfile_name,
2846 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2847 capture_opts->group_read_access);
2849 /* we need the ringbuf name */
2850 if(*save_file_fd != -1) {
2851 g_free(capfile_name);
2852 capfile_name = g_strdup(ringbuf_current_filename());
2855 /* Try to open/create the specified file for use as a capture buffer. */
2856 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2857 (capture_opts->group_read_access) ? 0640 : 0600);
2860 is_tempfile = FALSE;
2862 /* Choose a random name for the temporary capture buffer */
2863 if (global_capture_opts.ifaces->len > 1) {
2864 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
2869 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
2870 prefix = g_strconcat("wireshark_", g_basename(iface->str), NULL);
2871 g_string_free(iface, TRUE);
2873 prefix = g_strconcat("wireshark_", g_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name), NULL);
2876 *save_file_fd = create_tempfile(&tmpname, prefix);
2878 capfile_name = g_strdup(tmpname);
2882 /* did we fail to open the output file? */
2883 if (*save_file_fd == -1) {
2885 g_snprintf(errmsg, errmsg_len,
2886 "The temporary file to which the capture would be saved (\"%s\") "
2887 "could not be opened: %s.", capfile_name, strerror(errno));
2889 if (capture_opts->multi_files_on) {
2890 ringbuf_error_cleanup();
2893 g_snprintf(errmsg, errmsg_len,
2894 "The file to which the capture would be saved (\"%s\") "
2895 "could not be opened: %s.", capfile_name,
2898 g_free(capfile_name);
2902 if(capture_opts->save_file != NULL) {
2903 g_free(capture_opts->save_file);
2905 capture_opts->save_file = capfile_name;
2906 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
2907 "g_free(capfile_name)". */
2913 /* Do the work of handling either the file size or file duration capture
2914 conditions being reached, and switching files or stopping. */
2916 do_file_switch_or_stop(capture_options *capture_opts,
2917 condition *cnd_autostop_files,
2918 condition *cnd_autostop_size,
2919 condition *cnd_file_duration)
2922 pcap_options *pcap_opts;
2923 interface_options interface_opts;
2924 gboolean successful;
2926 if (capture_opts->multi_files_on) {
2927 if (cnd_autostop_files != NULL &&
2928 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
2929 /* no files left: stop here */
2930 global_ld.go = FALSE;
2934 /* Switch to the next ringbuffer file */
2935 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2936 &global_ld.save_file_fd, &global_ld.err)) {
2938 /* File switch succeeded: reset the conditions */
2939 global_ld.bytes_written = 0;
2940 if (capture_opts->use_pcapng) {
2943 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2944 successful = libpcap_write_session_header_block(global_ld.pdh, appname, &(global_ld.bytes_written), &global_ld.err);
2945 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2946 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2947 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2948 successful = libpcap_write_interface_description_block(global_ld.pdh,
2949 interface_opts.name,
2950 interface_opts.cfilter,
2951 pcap_opts->linktype,
2953 &(global_ld.bytes_written),
2957 interface_opts = g_array_index(capture_opts->ifaces, interface_options, 0);
2958 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
2959 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
2960 &global_ld.bytes_written, &global_ld.err);
2963 fclose(global_ld.pdh);
2964 global_ld.pdh = NULL;
2965 global_ld.go = FALSE;
2968 if (cnd_autostop_size)
2969 cnd_reset(cnd_autostop_size);
2970 if (cnd_file_duration)
2971 cnd_reset(cnd_file_duration);
2972 libpcap_dump_flush(global_ld.pdh, NULL);
2974 report_packet_count(global_ld.inpkts_to_sync_pipe);
2975 global_ld.inpkts_to_sync_pipe = 0;
2976 report_new_capture_file(capture_opts->save_file);
2978 /* File switch failed: stop here */
2979 global_ld.go = FALSE;
2983 /* single file, stop now */
2984 global_ld.go = FALSE;
2991 pcap_read_handler(void* arg)
2993 pcap_options *pcap_opts;
2994 char errmsg[MSG_MAX_LENGTH+1];
2996 pcap_opts = (pcap_options *)arg;
2998 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
2999 pcap_opts->interface_id);
3001 while (global_ld.go) {
3002 /* dispatch incoming packets */
3003 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3005 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3006 pcap_opts->interface_id);
3007 g_thread_exit(NULL);
3011 /* Do the low-level work of a capture.
3012 Returns TRUE if it succeeds, FALSE otherwise. */
3014 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3017 time_t upd_time, cur_time;
3019 struct timeval upd_time, cur_time;
3023 condition *cnd_file_duration = NULL;
3024 condition *cnd_autostop_files = NULL;
3025 condition *cnd_autostop_size = NULL;
3026 condition *cnd_autostop_duration = NULL;
3029 gboolean cfilter_error = FALSE;
3030 char errmsg[MSG_MAX_LENGTH+1];
3031 char secondary_errmsg[MSG_MAX_LENGTH+1];
3032 pcap_options *pcap_opts;
3033 interface_options interface_opts;
3036 interface_opts = capture_opts->default_options;
3038 *secondary_errmsg = '\0';
3040 /* init the loop data */
3041 global_ld.go = TRUE;
3042 global_ld.packet_count = 0;
3044 global_ld.report_packet_count = FALSE;
3046 if (capture_opts->has_autostop_packets)
3047 global_ld.packet_max = capture_opts->autostop_packets;
3049 global_ld.packet_max = 0; /* no limit */
3050 global_ld.inpkts_to_sync_pipe = 0;
3051 global_ld.err = 0; /* no error seen yet */
3052 global_ld.pdh = NULL;
3053 global_ld.autostop_files = 0;
3054 global_ld.save_file_fd = -1;
3056 /* We haven't yet gotten the capture statistics. */
3057 *stats_known = FALSE;
3059 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3060 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3062 /* open the "input file" from network interface or capture pipe */
3063 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3064 secondary_errmsg, sizeof(secondary_errmsg))) {
3067 for (i = 0; i < capture_opts->ifaces->len; i++) {
3068 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3069 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3070 /* init the input filter from the network interface (capture pipe will do nothing) */
3071 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3072 interface_opts.name,
3073 interface_opts.cfilter)) {
3075 case INITFILTER_NO_ERROR:
3078 case INITFILTER_BAD_FILTER:
3079 cfilter_error = TRUE;
3080 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3083 case INITFILTER_OTHER_ERROR:
3084 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3085 pcap_geterr(pcap_opts->pcap_h));
3086 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3091 /* If we're supposed to write to a capture file, open it for output
3092 (temporary/specified name/ringbuffer) */
3093 if (capture_opts->saving_to_file) {
3094 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3095 errmsg, sizeof(errmsg))) {
3099 /* set up to write to the already-opened capture output file/files */
3100 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3105 /* XXX - capture SIGTERM and close the capture, in case we're on a
3106 Linux 2.0[.x] system and you have to explicitly close the capture
3107 stream in order to turn promiscuous mode off? We need to do that
3108 in other places as well - and I don't think that works all the
3109 time in any case, due to libpcap bugs. */
3111 /* Well, we should be able to start capturing.
3113 Sync out the capture file, so the header makes it to the file system,
3114 and send a "capture started successfully and capture file created"
3115 message to our parent so that they'll open the capture file and
3116 update its windows to indicate that we have a live capture in
3118 libpcap_dump_flush(global_ld.pdh, NULL);
3119 report_new_capture_file(capture_opts->save_file);
3122 /* initialize capture stop (and alike) conditions */
3123 init_capture_stop_conditions();
3124 /* create stop conditions */
3125 if (capture_opts->has_autostop_filesize)
3127 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3128 if (capture_opts->has_autostop_duration)
3129 cnd_autostop_duration =
3130 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3132 if (capture_opts->multi_files_on) {
3133 if (capture_opts->has_file_duration)
3135 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3137 if (capture_opts->has_autostop_files)
3138 cnd_autostop_files =
3139 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3142 /* init the time values */
3144 upd_time = GetTickCount();
3146 gettimeofday(&upd_time, NULL);
3149 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3151 /* WOW, everything is prepared! */
3152 /* please fasten your seat belts, we will enter now the actual capture loop */
3154 pcap_queue = g_async_queue_new();
3155 pcap_queue_bytes = 0;
3156 pcap_queue_packets = 0;
3157 for (i = 0; i < global_ld.pcaps->len; i++) {
3158 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3159 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3162 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3163 while (global_ld.go) {
3164 /* dispatch incoming packets */
3166 GTimeVal write_thread_time;
3167 pcap_queue_element *queue_element;
3169 g_get_current_time(&write_thread_time);
3170 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3171 g_async_queue_lock(pcap_queue);
3172 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3173 if (queue_element) {
3174 pcap_queue_bytes -= queue_element->phdr.caplen;
3175 pcap_queue_packets -= 1;
3177 g_async_queue_unlock(pcap_queue);
3178 if (queue_element) {
3179 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3180 "Dequeued a packet of length %d captured on interface %d.",
3181 queue_element->phdr.caplen, queue_element->interface_id);
3183 capture_loop_write_packet_cb((u_char *)&queue_element->interface_id,
3184 &queue_element->phdr,
3186 g_free(queue_element->pd);
3187 g_free(queue_element);
3193 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3194 sizeof(errmsg), pcap_opts);
3197 /* Were we asked to print packet counts by the SIGINFO handler? */
3198 if (global_ld.report_packet_count) {
3199 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3200 plurality(global_ld.packet_count, "", "s"));
3201 global_ld.report_packet_count = FALSE;
3206 /* any news from our parent (signal pipe)? -> just stop the capture */
3207 if (!signal_pipe_check_running()) {
3208 global_ld.go = FALSE;
3213 global_ld.inpkts_to_sync_pipe += inpkts;
3215 /* check capture size condition */
3216 if (cnd_autostop_size != NULL &&
3217 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3218 /* Capture size limit reached, do we have another file? */
3219 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3220 cnd_autostop_size, cnd_file_duration))
3222 } /* cnd_autostop_size */
3223 if (capture_opts->output_to_pipe) {
3224 libpcap_dump_flush(global_ld.pdh, NULL);
3228 /* Only update once every 500ms so as not to overload slow displays.
3229 * This also prevents too much context-switching between the dumpcap
3230 * and wireshark processes.
3232 #define DUMPCAP_UPD_TIME 500
3235 cur_time = GetTickCount();
3236 if ( (cur_time - upd_time) > DUMPCAP_UPD_TIME) {
3238 gettimeofday(&cur_time, NULL);
3239 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3240 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3243 upd_time = cur_time;
3246 if (pcap_stats(pch, stats) >= 0) {
3247 *stats_known = TRUE;
3250 /* Let the parent process know. */
3251 if (global_ld.inpkts_to_sync_pipe) {
3253 libpcap_dump_flush(global_ld.pdh, NULL);
3255 /* Send our parent a message saying we've written out
3256 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3258 report_packet_count(global_ld.inpkts_to_sync_pipe);
3260 global_ld.inpkts_to_sync_pipe = 0;
3263 /* check capture duration condition */
3264 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3265 /* The maximum capture time has elapsed; stop the capture. */
3266 global_ld.go = FALSE;
3270 /* check capture file duration condition */
3271 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3272 /* duration limit reached, do we have another file? */
3273 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3274 cnd_autostop_size, cnd_file_duration))
3276 } /* cnd_file_duration */
3280 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3282 pcap_queue_element *queue_element;
3284 for (i = 0; i < global_ld.pcaps->len; i++) {
3285 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3286 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3287 pcap_opts->interface_id);
3288 g_thread_join(pcap_opts->tid);
3289 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3290 pcap_opts->interface_id);
3293 g_async_queue_lock(pcap_queue);
3294 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3295 if (queue_element) {
3296 pcap_queue_bytes -= queue_element->phdr.caplen;
3297 pcap_queue_packets -= 1;
3299 g_async_queue_unlock(pcap_queue);
3300 if (queue_element == NULL) {
3303 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3304 "Dequeued a packet of length %d captured on interface %d.",
3305 queue_element->phdr.caplen, queue_element->interface_id);
3306 capture_loop_write_packet_cb((u_char *)&queue_element->interface_id,
3307 &queue_element->phdr,
3309 g_free(queue_element->pd);
3310 g_free(queue_element);
3311 global_ld.inpkts_to_sync_pipe += 1;
3312 if (capture_opts->output_to_pipe) {
3313 libpcap_dump_flush(global_ld.pdh, NULL);
3319 /* delete stop conditions */
3320 if (cnd_file_duration != NULL)
3321 cnd_delete(cnd_file_duration);
3322 if (cnd_autostop_files != NULL)
3323 cnd_delete(cnd_autostop_files);
3324 if (cnd_autostop_size != NULL)
3325 cnd_delete(cnd_autostop_size);
3326 if (cnd_autostop_duration != NULL)
3327 cnd_delete(cnd_autostop_duration);
3329 /* did we have a pcap (input) error? */
3330 for (i = 0; i < capture_opts->ifaces->len; i++) {
3331 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3332 if (pcap_opts->pcap_err) {
3333 /* On Linux, if an interface goes down while you're capturing on it,
3334 you'll get a "recvfrom: Network is down" or
3335 "The interface went down" error (ENETDOWN).
3336 (At least you will if strerror() doesn't show a local translation
3339 On FreeBSD and OS X, if a network adapter disappears while
3340 you're capturing on it, you'll get a "read: Device not configured"
3341 error (ENXIO). (See previous parenthetical note.)
3343 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3345 These should *not* be reported to the Wireshark developers. */
3348 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3349 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3350 strcmp(cap_err_str, "The interface went down") == 0 ||
3351 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3352 strcmp(cap_err_str, "read: I/O error") == 0 ||
3353 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3354 report_capture_error("The network adapter on which the capture was being done "
3355 "is no longer running; the capture has stopped.",
3358 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3360 report_capture_error(errmsg, please_report);
3363 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3364 report_capture_error(errmsg, "");
3368 /* did we have an output error while capturing? */
3369 if (global_ld.err == 0) {
3372 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3373 global_ld.err, FALSE);
3374 report_capture_error(errmsg, please_report);
3378 if (capture_opts->saving_to_file) {
3379 /* close the output file */
3380 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3384 /* there might be packets not yet notified to the parent */
3385 /* (do this after closing the file, so all packets are already flushed) */
3386 if(global_ld.inpkts_to_sync_pipe) {
3388 report_packet_count(global_ld.inpkts_to_sync_pipe);
3389 global_ld.inpkts_to_sync_pipe = 0;
3392 /* If we've displayed a message about a write error, there's no point
3393 in displaying another message about an error on close. */
3394 if (!close_ok && write_ok) {
3395 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3397 report_capture_error(errmsg, "");
3401 * XXX We exhibit different behaviour between normal mode and sync mode
3402 * when the pipe is stdin and not already at EOF. If we're a child, the
3403 * parent's stdin isn't closed, so if the user starts another capture,
3404 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3405 * will say "Unrecognized libpcap format". On the other hand, in normal
3406 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3409 report_capture_count(TRUE);
3411 /* get packet drop statistics from pcap */
3412 for (i = 0; i < capture_opts->ifaces->len; i++) {
3416 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3417 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3418 received = pcap_opts->received;
3419 dropped = pcap_opts->dropped;
3420 if (pcap_opts->pcap_h != NULL) {
3421 g_assert(!pcap_opts->from_cap_pipe);
3422 /* Get the capture statistics, so we know how many packets were dropped. */
3423 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3424 *stats_known = TRUE;
3425 /* Let the parent process know. */
3426 dropped += stats->ps_drop;
3428 g_snprintf(errmsg, sizeof(errmsg),
3429 "Can't get packet-drop statistics: %s",
3430 pcap_geterr(pcap_opts->pcap_h));
3431 report_capture_error(errmsg, please_report);
3434 report_packet_drops(received, dropped, interface_opts.name);
3437 /* close the input file (pcap or capture pipe) */
3438 capture_loop_close_input(&global_ld);
3440 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3442 /* ok, if the write and the close were successful. */
3443 return write_ok && close_ok;
3446 if (capture_opts->multi_files_on) {
3447 /* cleanup ringbuffer */
3448 ringbuf_error_cleanup();
3450 /* We can't use the save file, and we have no FILE * for the stream
3451 to close in order to close it, so close the FD directly. */
3452 if (global_ld.save_file_fd != -1) {
3453 ws_close(global_ld.save_file_fd);
3456 /* We couldn't even start the capture, so get rid of the capture
3458 if (capture_opts->save_file != NULL) {
3459 ws_unlink(capture_opts->save_file);
3460 g_free(capture_opts->save_file);
3463 capture_opts->save_file = NULL;
3465 report_cfilter_error(interface_opts.cfilter, errmsg);
3467 report_capture_error(errmsg, secondary_errmsg);
3469 /* close the input file (pcap or cap_pipe) */
3470 capture_loop_close_input(&global_ld);
3472 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3478 static void capture_loop_stop(void)
3480 #ifdef HAVE_PCAP_BREAKLOOP
3482 pcap_options *pcap_opts;
3484 for (i = 0; i < global_ld.pcaps->len; i++) {
3485 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3486 if (pcap_opts->pcap_h != NULL)
3487 pcap_breakloop(pcap_opts->pcap_h);
3490 global_ld.go = FALSE;
3495 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3496 int err, gboolean is_close)
3501 g_snprintf(errmsg, errmsglen,
3502 "Not all the packets could be written to the file"
3503 " to which the capture was being saved\n"
3504 "(\"%s\") because there is no space left on the file system\n"
3505 "on which that file resides.",
3511 g_snprintf(errmsg, errmsglen,
3512 "Not all the packets could be written to the file"
3513 " to which the capture was being saved\n"
3514 "(\"%s\") because you are too close to, or over,"
3515 " your disk quota\n"
3516 "on the file system on which that file resides.",
3523 g_snprintf(errmsg, errmsglen,
3524 "The file to which the capture was being saved\n"
3525 "(\"%s\") could not be closed: %s.",
3526 fname, strerror(err));
3528 g_snprintf(errmsg, errmsglen,
3529 "An error occurred while writing to the file"
3530 " to which the capture was being saved\n"
3532 fname, strerror(err));
3539 /* one packet was captured, process it */
3541 capture_loop_write_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3544 pcap_options *pcap_opts;
3547 /* We may be called multiple times from pcap_dispatch(); if we've set
3548 the "stop capturing" flag, ignore this packet, as we're not
3549 supposed to be saving any more packets. */
3553 pcap_opts = (pcap_options *) (void *) user;
3554 if (global_ld.pdh) {
3555 gboolean successful;
3557 /* We're supposed to write the packet to a file; do so.
3558 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3559 "ld->err" to the error. */
3560 if (global_capture_opts.use_pcapng) {
3561 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, pd, &global_ld.bytes_written, &err);
3563 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3566 global_ld.go = FALSE;
3567 global_ld.err = err;
3569 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3570 "Wrote a packet of length %d captured on interface %u.",
3571 phdr->caplen, pcap_opts->interface_id);
3572 global_ld.packet_count++;
3573 pcap_opts->received++;
3574 /* if the user told us to stop after x packets, do we already have enough? */
3575 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3576 global_ld.go = FALSE;
3582 /* one packet was captured, queue it */
3584 capture_loop_queue_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
3587 pcap_options *pcap_opts;
3588 pcap_queue_element *queue_element;
3589 gboolean limit_reached;
3591 /* We may be called multiple times from pcap_dispatch(); if we've set
3592 the "stop capturing" flag, ignore this packet, as we're not
3593 supposed to be saving any more packets. */
3597 pcap_opts = (pcap_options *) (void *) user;
3598 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3599 if (queue_element == NULL) {
3600 pcap_opts->dropped++;
3603 queue_element->interface_id = pcap_opts->interface_id;
3604 queue_element->phdr = *phdr;
3605 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3606 if (queue_element->pd == NULL) {
3607 pcap_opts->dropped++;
3608 g_free(queue_element);
3611 memcpy(queue_element->pd, pd, phdr->caplen);
3612 g_async_queue_lock(pcap_queue);
3613 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3614 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3615 limit_reached = FALSE;
3616 g_async_queue_push_unlocked(pcap_queue, queue_element);
3617 pcap_queue_bytes += phdr->caplen;
3618 pcap_queue_packets += 1;
3620 limit_reached = TRUE;
3622 g_async_queue_unlock(pcap_queue);
3623 if (limit_reached) {
3624 pcap_opts->dropped++;
3625 g_free(queue_element->pd);
3626 g_free(queue_element);
3627 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3628 "Dropped a packet of length %d captured on interface %u.",
3629 phdr->caplen, pcap_opts->interface_id);
3631 pcap_opts->received++;
3632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3633 "Queued a packet of length %d captured on interface %u.",
3634 phdr->caplen, pcap_opts->interface_id);
3636 /* I don't want to hold the mutex over the debug output. So the
3637 output may be wrong */
3638 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3639 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3640 pcap_queue_bytes, pcap_queue_packets);
3643 /* And now our feature presentation... [ fade to music ] */
3645 main(int argc, char *argv[])
3648 gboolean arg_error = FALSE;
3653 struct sigaction action, oldaction;
3656 gboolean start_capture = TRUE;
3657 gboolean stats_known;
3658 struct pcap_stat stats;
3659 GLogLevelFlags log_flags;
3660 gboolean list_interfaces = FALSE;
3661 gboolean list_link_layer_types = FALSE;
3662 #ifdef HAVE_BPF_IMAGE
3663 gboolean print_bpf_code = FALSE;
3665 gboolean machine_readable = FALSE;
3666 gboolean print_statistics = FALSE;
3667 int status, run_once_args = 0;
3670 #if defined(__APPLE__) && defined(__LP64__)
3671 struct utsname osinfo;
3675 arg_list_utf_16to8(argc, argv);
3680 * Initialize our DLL search path. MUST be called before LoadLibrary
3683 ws_init_dll_search_path();
3686 #ifdef HAVE_PCAP_REMOTE
3687 #define OPTSTRING_A "A:"
3688 #define OPTSTRING_r "r"
3689 #define OPTSTRING_u "u"
3691 #define OPTSTRING_A ""
3692 #define OPTSTRING_r ""
3693 #define OPTSTRING_u ""
3696 #ifdef HAVE_PCAP_SETSAMPLING
3697 #define OPTSTRING_m "m:"
3699 #define OPTSTRING_m ""
3702 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3703 #define OPTSTRING_B "B:"
3705 #define OPTSTRING_B ""
3706 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3708 #ifdef HAVE_PCAP_CREATE
3709 #define OPTSTRING_I "I"
3711 #define OPTSTRING_I ""
3714 #ifdef HAVE_BPF_IMAGE
3715 #define OPTSTRING_d "d"
3717 #define OPTSTRING_d ""
3720 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "Mnpq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
3722 #ifdef DEBUG_CHILD_DUMPCAP
3723 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3724 fprintf (stderr, "Unable to open debug log file !\n");
3729 #if defined(__APPLE__) && defined(__LP64__)
3731 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3732 * a bug workaround - timeouts less than 1 second don't work with libpcap
3733 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3734 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3735 * The problem is extremely unlikely to be reintroduced in a future
3738 if (uname(&osinfo) == 0) {
3740 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3741 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3742 * number of 10.0.0, not 10.1.0 - go figure).
3744 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3745 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3746 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3747 need_timeout_workaround = TRUE;
3752 * Determine if dumpcap is being requested to run in a special
3753 * capture_child mode by going thru the command line args to see if
3754 * a -Z is present. (-Z is a hidden option).
3756 * The primary result of running in capture_child mode is that
3757 * all messages sent out on stderr are in a special type/len/string
3758 * format to allow message processing by type. These messages include
3759 * error messages if dumpcap fails to start the operation it was
3760 * requested to do, as well as various "status" messages which are sent
3761 * when an actual capture is in progress, and a "success" message sent
3762 * if dumpcap was requested to perform an operation other than a
3765 * Capture_child mode would normally be requested by a parent process
3766 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3767 * to which dumpcap stderr has been redirected. It might also have
3768 * another pipe to obtain dumpcap stdout output; for operations other
3769 * than a capture, that information is formatted specially for easier
3770 * parsing by the parent process.
3772 * Capture_child mode needs to be determined immediately upon
3773 * startup so that any messages generated by dumpcap in this mode
3774 * (eg: during initialization) will be formatted properly.
3777 for (i=1; i<argc; i++) {
3778 if (strcmp("-Z", argv[i]) == 0) {
3779 capture_child = TRUE;
3780 machine_readable = TRUE; /* request machine-readable output */
3782 /* set output pipe to binary mode, to avoid ugly text conversions */
3783 _setmode(2, O_BINARY);
3788 /* The default_log_handler will use stdout, which makes trouble in */
3789 /* capture child mode, as it uses stdout for it's sync_pipe. */
3790 /* So: the filtering is done in the console_log_handler and not here.*/
3791 /* We set the log handlers right up front to make sure that any log */
3792 /* messages when running as child will be sent back to the parent */
3793 /* with the correct format. */
3797 G_LOG_LEVEL_CRITICAL|
3798 G_LOG_LEVEL_WARNING|
3799 G_LOG_LEVEL_MESSAGE|
3802 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3804 g_log_set_handler(NULL,
3806 console_log_handler, NULL /* user_data */);
3807 g_log_set_handler(LOG_DOMAIN_MAIN,
3809 console_log_handler, NULL /* user_data */);
3810 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3812 console_log_handler, NULL /* user_data */);
3813 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3815 console_log_handler, NULL /* user_data */);
3817 /* Initialize the pcaps list */
3818 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
3820 /* Initialize the thread system */
3821 if (!g_thread_supported())
3822 g_thread_init(NULL);
3824 /* Load wpcap if possible. Do this before collecting the run-time version information */
3827 /* ... and also load the packet.dll from wpcap */
3828 /* XXX - currently not required, may change later. */
3829 /*wpcap_packet_load();*/
3831 /* Start windows sockets */
3832 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3834 /* Set handler for Ctrl+C key */
3835 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
3837 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
3839 action.sa_handler = capture_cleanup_handler;
3841 * Arrange that system calls not get restarted, because when
3842 * our signal handler returns we don't want to restart
3843 * a call that was waiting for packets to arrive.
3845 action.sa_flags = 0;
3846 sigemptyset(&action.sa_mask);
3847 sigaction(SIGTERM, &action, NULL);
3848 sigaction(SIGINT, &action, NULL);
3849 sigaction(SIGPIPE, &action, NULL);
3850 sigaction(SIGHUP, NULL, &oldaction);
3851 if (oldaction.sa_handler == SIG_DFL)
3852 sigaction(SIGHUP, &action, NULL);
3855 /* Catch SIGINFO and, if we get it and we're capturing in
3856 quiet mode, report the number of packets we've captured. */
3857 action.sa_handler = report_counts_siginfo;
3858 action.sa_flags = SA_RESTART;
3859 sigemptyset(&action.sa_mask);
3860 sigaction(SIGINFO, &action, NULL);
3861 #endif /* SIGINFO */
3864 /* ----------------------------------------------------------------- */
3865 /* Privilege and capability handling */
3867 /* 1. Running not as root or suid root; no special capabilities. */
3870 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
3873 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
3875 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3876 /* capabilities; Drop all other capabilities; */
3877 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3878 /* else: after pcap_open_live() in capture_loop_open_input() */
3879 /* drop all capabilities (NET_RAW and NET_ADMIN); */
3880 /* (Note: this means that the process, although logged in */
3881 /* as root, does not have various permissions such as the */
3882 /* ability to bypass file access permissions). */
3883 /* XXX: Should we just leave capabilities alone in this case */
3884 /* so that user gets expected effect that root can do */
3887 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
3889 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3890 /* else: after pcap_open_live() in capture_loop_open_input() */
3891 /* drop suid root (set euid=ruid).(ie: keep suid until after */
3892 /* pcap_open_live). */
3894 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
3896 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
3897 /* capabilities; Drop all other capabilities; */
3898 /* Drop suid privileges (euid=ruid); */
3899 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3900 /* else: after pcap_open_live() in capture_loop_open_input() */
3901 /* drop all capabilities (NET_RAW and NET_ADMIN). */
3903 /* XXX: For some Linux versions/distros with capabilities */
3904 /* a 'normal' process with any capabilities cannot be */
3905 /* 'killed' (signaled) from another (same uid) non-privileged */
3907 /* For example: If (non-suid) Wireshark forks a */
3908 /* child suid dumpcap which acts as described here (case 5), */
3909 /* Wireshark will be unable to kill (signal) the child */
3910 /* dumpcap process until the capabilities have been dropped */
3911 /* (after pcap_open_live()). */
3912 /* This behaviour will apparently be changed in the kernel */
3913 /* to allow the kill (signal) in this case. */
3914 /* See the following for details: */
3915 /* http://www.mail-archive.com/ [wrapped] */
3916 /* linux-security-module@vger.kernel.org/msg02913.html */
3918 /* It is therefore conceivable that if dumpcap somehow hangs */
3919 /* in pcap_open_live or before that wireshark will not */
3920 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
3921 /* In this case, exiting wireshark will kill the child */
3922 /* dumpcap process. */
3924 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
3925 /* capabilities; Using libcap. Note: capset cmd (which see) */
3926 /* used to assign capabilities to file. */
3928 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
3929 /* else: after pcap_open_live() in capture_loop_open_input() */
3930 /* drop all capabilities (NET_RAW and NET_ADMIN) */
3932 /* ToDo: -S (stats) should drop privileges/capabilities when no */
3933 /* longer required (similar to capture). */
3935 /* ----------------------------------------------------------------- */
3937 init_process_policies();
3940 /* If 'started with special privileges' (and using libcap) */
3941 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
3942 /* Set euid/egid = ruid/rgid to remove suid privileges */
3943 relinquish_privs_except_capture();
3946 /* Set the initial values in the capture options. This might be overwritten
3947 by the command line parameters. */
3948 capture_opts_init(&global_capture_opts, NULL);
3950 /* Default to capturing the entire packet. */
3951 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
3953 /* We always save to a file - if no file was specified, we save to a
3955 global_capture_opts.saving_to_file = TRUE;
3956 global_capture_opts.has_ring_num_files = TRUE;
3958 /* Now get our args */
3959 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
3961 case 'h': /* Print help and exit */
3965 case 'v': /* Show version and exit */
3967 GString *comp_info_str;
3968 GString *runtime_info_str;
3969 /* Assemble the compile-time version information string */
3970 comp_info_str = g_string_new("Compiled ");
3971 get_compiled_version_info(comp_info_str, NULL, NULL);
3973 /* Assemble the run-time version information string */
3974 runtime_info_str = g_string_new("Running ");
3975 get_runtime_version_info(runtime_info_str, NULL);
3976 show_version(comp_info_str, runtime_info_str);
3977 g_string_free(comp_info_str, TRUE);
3978 g_string_free(runtime_info_str, TRUE);
3982 /*** capture option specific ***/
3983 case 'a': /* autostop criteria */
3984 case 'b': /* Ringbuffer option */
3985 case 'c': /* Capture x packets */
3986 case 'f': /* capture filter */
3987 case 'i': /* Use interface x */
3988 case 'n': /* Use pcapng format */
3989 case 'p': /* Don't capture in promiscuous mode */
3990 case 's': /* Set the snapshot (capture) length */
3991 case 'w': /* Write to capture file x */
3992 case 'g': /* enable group read accesson file(s) */
3993 case 'y': /* Set the pcap data link type */
3994 #ifdef HAVE_PCAP_REMOTE
3995 case 'u': /* Use UDP for data transfer */
3996 case 'r': /* Capture own RPCAP traffic too */
3997 case 'A': /* Authentication */
3999 #ifdef HAVE_PCAP_SETSAMPLING
4000 case 'm': /* Sampling */
4002 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4003 case 'B': /* Buffer size */
4004 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4005 #ifdef HAVE_PCAP_CREATE
4006 case 'I': /* Monitor mode */
4008 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4013 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4015 capture_child = TRUE;
4017 /* set output pipe to binary mode, to avoid ugly text conversions */
4018 _setmode(2, O_BINARY);
4020 * optarg = the control ID, aka the PPID, currently used for the
4023 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4024 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4025 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4026 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4028 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4029 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4030 "Signal pipe: Unable to open %s. Dead parent?",
4038 case 'q': /* Quiet */
4045 /*** all non capture option specific ***/
4046 case 'D': /* Print a list of capture devices and exit */
4047 list_interfaces = TRUE;
4050 case 'L': /* Print list of link-layer types and exit */
4051 list_link_layer_types = TRUE;
4054 #ifdef HAVE_BPF_IMAGE
4055 case 'd': /* Print BPF code for capture filter and exit */
4056 print_bpf_code = TRUE;
4060 case 'S': /* Print interface statistics once a second */
4061 print_statistics = TRUE;
4064 case 'M': /* For -D, -L, and -S, print machine-readable output */
4065 machine_readable = TRUE;
4068 case '?': /* Bad flag - print usage message */
4069 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4077 /* user specified file name as regular command-line argument */
4078 /* XXX - use it as the capture file name (or something else)? */
4085 * Extra command line arguments were specified; complain.
4086 * XXX - interpret as capture filter, as tcpdump and tshark do?
4088 cmdarg_err("Invalid argument: %s", argv[0]);
4097 if (run_once_args > 1) {
4098 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4100 } else if (run_once_args == 1) {
4101 /* We're supposed to print some information, rather than
4102 to capture traffic; did they specify a ring buffer option? */
4103 if (global_capture_opts.multi_files_on) {
4104 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4108 /* We're supposed to capture traffic; */
4109 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4110 if (global_capture_opts.ifaces->len > 1) {
4112 global_capture_opts.use_pcapng = TRUE;
4114 /* Was the ring buffer option specified and, if so, does it make sense? */
4115 if (global_capture_opts.multi_files_on) {
4116 /* Ring buffer works only under certain conditions:
4117 a) ring buffer does not work with temporary files;
4118 b) it makes no sense to enable the ring buffer if the maximum
4119 file size is set to "infinite". */
4120 if (global_capture_opts.save_file == NULL) {
4121 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4122 global_capture_opts.multi_files_on = FALSE;
4124 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4125 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4127 /* XXX - this must be redesigned as the conditions changed */
4128 global_capture_opts.multi_files_on = FALSE;
4135 * "-D" requires no interface to be selected; it's supposed to list
4138 if (list_interfaces) {
4139 /* Get the list of interfaces */
4144 if_list = capture_interface_list(&err, &err_str);
4145 if (if_list == NULL) {
4147 case CANT_GET_INTERFACE_LIST:
4148 cmdarg_err("%s", err_str);
4153 case NO_INTERFACES_FOUND:
4155 * If we're being run by another program, just give them
4156 * an empty list of interfaces, don't report this as
4157 * an error; that lets them decide whether to report
4158 * this as an error or not.
4160 if (!machine_readable) {
4161 cmdarg_err("There are no interfaces on which a capture can be done");
4168 if (machine_readable) /* tab-separated values to stdout */
4169 print_machine_readable_interfaces(if_list);
4171 capture_opts_print_interfaces(if_list);
4172 free_interface_list(if_list);
4177 * "-S" requires no interface to be selected; it gives statistics
4178 * for all interfaces.
4180 if (print_statistics) {
4181 status = print_statistics_loop(machine_readable);
4186 * "-L", "-d", and capturing act on a particular interface, so we have to
4187 * have an interface; if none was specified, pick a default.
4189 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4190 /* cmdarg_err() already called .... */
4194 /* Let the user know what interfaces were chosen. */
4195 /* get_interface_descriptive_name() is not available! */
4196 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4197 interface_options interface_opts;
4199 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4200 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s", interface_opts.name);
4203 if (list_link_layer_types) {
4204 /* Get the list of link-layer types for the capture device. */
4205 if_capabilities_t *caps;
4209 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4210 interface_options interface_opts;
4212 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4213 caps = get_if_capabilities(interface_opts.name,
4214 interface_opts.monitor_mode, &err_str);
4216 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4217 "Please check to make sure you have sufficient permissions, and that\n"
4218 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4222 if (caps->data_link_types == NULL) {
4223 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4226 if (machine_readable) /* tab-separated values to stdout */
4227 /* XXX: We need to change the format and adopt consumers */
4228 print_machine_readable_if_capabilities(caps);
4230 /* XXX: We might want to print also the interface name */
4231 capture_opts_print_if_capabilities(caps, interface_opts.name,
4232 interface_opts.monitor_mode);
4233 free_if_capabilities(caps);
4238 /* We're supposed to do a capture, or print the BPF code for a filter.
4239 Process the snapshot length, as that affects the generated BPF code. */
4240 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4242 #ifdef HAVE_BPF_IMAGE
4243 if (print_bpf_code) {
4244 show_filter_code(&global_capture_opts);
4249 /* We're supposed to do a capture. Process the ring buffer arguments. */
4250 capture_opts_trim_ring_num_files(&global_capture_opts);
4252 /* Now start the capture. */
4254 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4258 /* capture failed */
4261 return 0; /* never here, make compiler happy */
4266 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4267 const char *message, gpointer user_data _U_)
4274 /* ignore log message, if log_level isn't interesting */
4275 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4276 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4281 /* create a "timestamp" */
4283 today = localtime(&curr);
4285 switch(log_level & G_LOG_LEVEL_MASK) {
4286 case G_LOG_LEVEL_ERROR:
4289 case G_LOG_LEVEL_CRITICAL:
4292 case G_LOG_LEVEL_WARNING:
4295 case G_LOG_LEVEL_MESSAGE:
4298 case G_LOG_LEVEL_INFO:
4301 case G_LOG_LEVEL_DEBUG:
4305 fprintf(stderr, "unknown log_level %u\n", log_level);
4307 g_assert_not_reached();
4310 /* Generate the output message */
4311 if(log_level & G_LOG_LEVEL_MESSAGE) {
4312 /* normal user messages without additional infos */
4313 msg = g_strdup_printf("%s\n", message);
4315 /* info/debug messages with additional infos */
4316 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4317 today->tm_hour, today->tm_min, today->tm_sec,
4318 log_domain != NULL ? log_domain : "",
4322 /* DEBUG & INFO msgs (if we're debugging today) */
4323 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4324 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4325 #ifdef DEBUG_DUMPCAP
4326 fprintf(stderr, "%s", msg);
4329 #ifdef DEBUG_CHILD_DUMPCAP
4330 fprintf(debug_log, "%s", msg);
4338 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4339 /* to parent especially formatted if dumpcap running as child. */
4340 if (capture_child) {
4341 sync_pipe_errmsg_to_parent(2, msg, "");
4343 fprintf(stderr, "%s", msg);
4350 /****************************************************************************************************************/
4351 /* indication report routines */
4355 report_packet_count(int packet_count)
4357 char tmp[SP_DECISIZE+1+1];
4358 static int count = 0;
4361 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4362 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4363 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4365 count += packet_count;
4366 fprintf(stderr, "\rPackets: %u ", count);
4367 /* stderr could be line buffered */
4373 report_new_capture_file(const char *filename)
4376 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4377 pipe_write_block(2, SP_FILE, filename);
4381 * Prevent a SIGINFO handler from writing to the standard error
4382 * while we're doing so; instead, have it just set a flag telling
4383 * us to print that information when we're done.
4386 #endif /* SIGINFO */
4387 fprintf(stderr, "File: %s\n", filename);
4388 /* stderr could be line buffered */
4393 * Allow SIGINFO handlers to write.
4398 * If a SIGINFO handler asked us to write out capture counts, do so.
4401 report_counts_for_siginfo();
4402 #endif /* SIGINFO */
4407 report_cfilter_error(const char *cfilter, const char *errmsg)
4409 if (capture_child) {
4410 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4411 pipe_write_block(2, SP_BAD_FILTER, errmsg);
4414 "Invalid capture filter: \"%s\"!\n"
4416 "That string isn't a valid capture filter (%s).\n"
4417 "See the User's Guide for a description of the capture filter syntax.\n",
4423 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4426 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4427 "Primary Error: %s", error_msg);
4428 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4429 "Secondary Error: %s", secondary_error_msg);
4430 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4432 fprintf(stderr, "%s\n", error_msg);
4433 if (secondary_error_msg[0] != '\0')
4434 fprintf(stderr, "%s\n", secondary_error_msg);
4439 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4441 char tmp[SP_DECISIZE+1+1];
4443 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4446 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4447 "Packets received/dropped on interface %s: %u/%u",
4448 name, received, drops);
4449 /* XXX: Need to provide interface id, changes to consumers required. */
4450 pipe_write_block(2, SP_DROPS, tmp);
4453 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4454 name, received, drops,
4455 received ? 100.0 * received / (received + drops) : 0.0);
4456 /* stderr could be line buffered */
4462 /****************************************************************************************************************/
4463 /* signal_pipe handling */
4468 signal_pipe_check_running(void)
4470 /* any news from our parent? -> just stop the capture */
4474 /* if we are running standalone, no check required */
4475 if(!capture_child) {
4479 if(!sig_pipe_name || !sig_pipe_handle) {
4480 /* This shouldn't happen */
4481 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4482 "Signal pipe: No name or handle");
4487 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4488 * at this point. Should we check to see if the parent is still alive,
4489 * e.g. by using OpenProcess?
4492 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4494 if(!result || avail > 0) {
4495 /* peek failed or some bytes really available */
4496 /* (if not piping from stdin this would fail) */
4497 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4498 "Signal pipe: Stop capture: %s", sig_pipe_name);
4499 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4500 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4501 sig_pipe_handle, result, avail);
4504 /* pipe ok and no bytes available */
4511 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4516 * indent-tabs-mode: nil
4519 * vi: set shiftwidth=4 tabstop=8 expandtab
4520 * :indentSize=4:tabSize=8:noTabs=true: