5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
63 #include "wsutil/wsgetopt.h"
71 # include <sys/prctl.h>
72 # include <sys/capability.h>
75 #include "ringbuffer.h"
76 #include "clopts_common.h"
77 #include "console_io.h"
78 #include "cmdarg_err.h"
79 #include "version_info.h"
81 #include "capture-pcap-util.h"
83 #include "capture-wpcap.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
128 #include <conio.h> /* _getch() */
132 #ifdef DEBUG_CHILD_DUMPCAP
133 FILE *debug_log; /* for logging debug messages to */
134 /* a file if DEBUG_CHILD_DUMPCAP */
138 static GAsyncQueue *pcap_queue;
139 static gint64 pcap_queue_bytes;
140 static gint64 pcap_queue_packets;
141 static gint64 pcap_queue_byte_limit = 1024 * 1024;
142 static gint64 pcap_queue_packet_limit = 1000;
144 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
146 static gchar *sig_pipe_name = NULL;
147 static HANDLE sig_pipe_handle = NULL;
148 static gboolean signal_pipe_check_running(void);
152 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
153 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
156 /** Stop a low-level capture (stops the capture child). */
157 static void capture_loop_stop(void);
159 #if !defined (__linux__)
160 #ifndef HAVE_PCAP_BREAKLOOP
162 * We don't have pcap_breakloop(), which is the only way to ensure that
163 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
164 * won't, if the call to read the next packet or batch of packets is
165 * is interrupted by a signal on UN*X, just go back and try again to
168 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
169 * the signal handler, set a flag to stop capturing; however, without
170 * a guarantee of that sort, we can't guarantee that we'll stop capturing
171 * if the read will be retried and won't time out if no packets arrive.
173 * Therefore, on at least some platforms, we work around the lack of
174 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
175 * to wait for packets to arrive, so that we're probably going to be
176 * blocked in the select() when the signal arrives, and can just bail
177 * out of the loop at that point.
179 * However, we don't want to do that on BSD (because "select()" doesn't work
180 * correctly on BPF devices on at least some releases of some flavors of
181 * BSD), and we don't want to do it on Windows (because "select()" is
182 * something for sockets, not for arbitrary handles). (Note that "Windows"
183 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
184 * using WinPcap, not a UNIX libpcap.)
186 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
187 * on BSD times out even if no packets have arrived, so we'll eventually
188 * exit pcap_dispatch() with an indication that no packets have arrived,
189 * and will break out of the capture loop at that point.
191 * On Windows, we can't send a SIGINT to stop capturing, so none of this
192 * applies in any case.
194 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
195 * want to include it if it's not present on this platform, however.
197 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
198 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
200 # define MUST_DO_SELECT
201 # endif /* avoid select */
202 #endif /* HAVE_PCAP_BREAKLOOP */
204 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
205 * in pcap_dispatch(); on the other hand, select() works just fine there.
206 * Hence we use a select for that come what may.
208 #define MUST_DO_SELECT
211 /** init the capture filter */
214 INITFILTER_BAD_FILTER,
215 INITFILTER_OTHER_ERROR
216 } initfilter_status_t;
218 typedef struct _pcap_options {
222 #ifdef MUST_DO_SELECT
223 int pcap_fd; /* pcap file descriptor */
230 /* capture pipe (unix only "input file") */
231 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
232 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
233 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
235 HANDLE cap_pipe_h; /* The handle of the capture pipe */
237 int cap_pipe_fd; /* the file descriptor of the capture pipe */
239 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
240 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
242 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
244 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
245 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
247 STATE_EXPECT_REC_HDR,
252 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
254 GMutex *cap_pipe_read_mtx;
255 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
259 typedef struct _loop_data {
261 gboolean go; /* TRUE as long as we're supposed to keep capturing */
262 int err; /* if non-zero, error seen while capturing */
263 gint packet_count; /* Number of packets we have already captured */
264 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
265 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
267 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
274 guint32 autostop_files;
277 typedef struct _pcap_queue_element {
278 pcap_options *pcap_opts;
279 struct pcap_pkthdr phdr;
281 } pcap_queue_element;
284 * Standard secondary message for unexpected errors.
286 static const char please_report[] =
287 "Please report this to the Wireshark developers.\n"
288 "(This is not a crash; please do not report it as such.)";
291 * This needs to be static, so that the SIGINT handler can clear the "go"
294 static loop_data global_ld;
298 * Timeout, in milliseconds, for reads from the stream of captured packets
299 * from a capture device.
301 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
302 * 64-bit applications, with sub-second timeouts not to work. The bug is
303 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
305 #if defined(__APPLE__) && defined(__LP64__)
306 static gboolean need_timeout_workaround;
308 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
310 #define CAP_READ_TIMEOUT 250
314 * Timeout, in microseconds, for reads from the stream of captured packets
315 * from a pipe. Pipes don't have the same problem that BPF devices do
316 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
317 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
318 * of the offending versions of Snow Leopard.
320 * On Windows this value is converted to milliseconds and passed to
321 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
322 * will return immediately.
325 #define PIPE_READ_TIMEOUT 100000
327 #define PIPE_READ_TIMEOUT 250000
330 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
333 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
334 const char *message, gpointer user_data _U_);
336 /* capture related options */
337 static capture_options global_capture_opts;
338 static gboolean quiet = FALSE;
339 static gboolean use_threads = FALSE;
340 static guint64 start_time;
342 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
344 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
346 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
347 int err, gboolean is_close);
349 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
351 static void report_new_capture_file(const char *filename);
352 static void report_packet_count(int packet_count);
353 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
354 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
355 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
357 #define MSG_MAX_LENGTH 4096
359 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
361 create_timestamp(void) {
371 * Current time, represented as 100-nanosecond intervals since
372 * January 1, 1601, 00:00:00 UTC.
374 * I think DWORD might be signed, so cast both parts of "now"
375 * to guint32 so that the sign bit doesn't get treated specially.
377 GetSystemTimeAsFileTime(&now);
378 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
379 (guint32)now.dwLowDateTime;
382 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
388 * Subtract difference, in microseconds, between January 1, 1601
389 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
391 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
394 * Current time, represented as seconds and microseconds since
395 * January 1, 1970, 00:00:00 UTC.
397 gettimeofday(&now, NULL);
400 * Convert to delta in microseconds.
402 timestamp = (guint64)(now.tv_sec) * 1000000 +
403 (guint64)(now.tv_usec);
409 print_usage(gboolean print_ver)
416 "Dumpcap " VERSION "%s\n"
417 "Capture network packets and dump them into a pcapng file.\n"
418 "See http://www.wireshark.org for more information.\n",
419 wireshark_svnversion);
423 fprintf(output, "\nUsage: dumpcap [options] ...\n");
424 fprintf(output, "\n");
425 fprintf(output, "Capture interface:\n");
426 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
427 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
428 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
429 fprintf(output, " -p don't capture in promiscuous mode\n");
430 #ifdef HAVE_PCAP_CREATE
431 fprintf(output, " -I capture in monitor mode, if available\n");
433 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
434 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
436 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
437 fprintf(output, " -D print list of interfaces and exit\n");
438 fprintf(output, " -L print list of link-layer types of iface and exit\n");
439 #ifdef HAVE_BPF_IMAGE
440 fprintf(output, " -d print generated BPF code for capture filter\n");
442 fprintf(output, " -S print statistics for each interface once per second\n");
443 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
444 fprintf(output, "\n");
445 #ifdef HAVE_PCAP_REMOTE
446 fprintf(output, "RPCAP options:\n");
447 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
448 fprintf(output, " -u use UDP for RPCAP data transfer\n");
449 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
450 #ifdef HAVE_PCAP_SETSAMPLING
451 fprintf(output, " -m <sampling type> use packet sampling\n");
452 fprintf(output, " count:NUM - capture one packet of every NUM\n");
453 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
456 fprintf(output, "Stop conditions:\n");
457 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
458 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
459 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
460 fprintf(output, " files:NUM - stop after NUM files\n");
461 /*fprintf(output, "\n");*/
462 fprintf(output, "Output (files):\n");
463 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
464 fprintf(output, " -g enable group read access on the output file(s)\n");
465 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
466 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
467 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
468 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
469 fprintf(output, " -P use libpcap format instead of pcapng\n");
470 fprintf(output, "\n");
471 fprintf(output, "Miscellaneous:\n");
472 fprintf(output, " -t use a separate thread per interface\n");
473 fprintf(output, " -q don't report packet capture counts\n");
474 fprintf(output, " -v print version information and exit\n");
475 fprintf(output, " -h display this help and exit\n");
476 fprintf(output, "\n");
477 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
478 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcapng\"\n");
479 fprintf(output, "\n");
480 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
484 show_version(GString *comp_info_str, GString *runtime_info_str)
487 "Dumpcap " VERSION "%s\n"
492 "See http://www.wireshark.org for more information.\n",
493 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
497 * Print to the standard error. This is a command-line tool, so there's
498 * no need to pop up a console.
501 vfprintf_stderr(const char *fmt, va_list ap)
503 vfprintf(stderr, fmt, ap);
507 fprintf_stderr(const char *fmt, ...)
512 vfprintf_stderr(fmt, ap);
517 * Report an error in command-line arguments.
520 cmdarg_err(const char *fmt, ...)
526 /* Generate a 'special format' message back to parent */
528 msg = g_strdup_vprintf(fmt, ap);
529 sync_pipe_errmsg_to_parent(2, msg, "");
534 fprintf(stderr, "dumpcap: ");
535 vfprintf(stderr, fmt, ap);
536 fprintf(stderr, "\n");
542 * Report additional information for an error in command-line arguments.
545 cmdarg_err_cont(const char *fmt, ...)
552 msg = g_strdup_vprintf(fmt, ap);
553 sync_pipe_errmsg_to_parent(2, msg, "");
558 vfprintf(stderr, fmt, ap);
559 fprintf(stderr, "\n");
566 #if 0 /* Set to enable capability debugging */
567 /* see 'man cap_to_text()' for explanation of output */
568 /* '=' means 'all= ' ie: no capabilities */
569 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
571 print_caps(const char *pfx) {
572 cap_t caps = cap_get_proc();
573 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
574 "%s: EUID: %d Capabilities: %s", pfx,
575 geteuid(), cap_to_text(caps, NULL));
578 print_caps(const char *pfx _U_) {
583 relinquish_all_capabilities(void)
585 /* Drop any and all capabilities this process may have. */
586 /* Allowed whether or not process has any privileges. */
587 cap_t caps = cap_init(); /* all capabilities initialized to off */
588 print_caps("Pre-clear");
589 if (cap_set_proc(caps)) {
590 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
592 print_caps("Post-clear");
598 open_capture_device(interface_options *interface_opts,
599 char (*open_err_str)[PCAP_ERRBUF_SIZE])
602 #ifdef HAVE_PCAP_CREATE
605 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
606 struct pcap_rmtauth auth;
609 /* Open the network interface to capture from it.
610 Some versions of libpcap may put warnings into the error buffer
611 if they succeed; to tell if that's happened, we have to clear
612 the error buffer, and check if it's still a null string. */
613 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
614 (*open_err_str)[0] = '\0';
615 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
617 * If we're opening a remote device, use pcap_open(); that's currently
618 * the only open routine that supports remote devices.
620 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
621 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
622 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
623 auth.username = interface_opts->auth_username;
624 auth.password = interface_opts->auth_password;
626 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
627 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
628 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
629 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
630 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
632 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
633 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
634 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
635 CAP_READ_TIMEOUT, &auth, *open_err_str);
636 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
637 "pcap_open() returned %p.", (void *)pcap_h);
642 * If we're not opening a remote device, use pcap_create() and
643 * pcap_activate() if we have them, so that we can set the buffer
644 * size, otherwise use pcap_open_live().
646 #ifdef HAVE_PCAP_CREATE
647 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
648 "Calling pcap_create() using %s.", interface_opts->name);
649 pcap_h = pcap_create(interface_opts->name, *open_err_str);
650 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
651 "pcap_create() returned %p.", (void *)pcap_h);
652 if (pcap_h != NULL) {
653 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
654 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
655 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
656 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
657 "Calling pcap_set_snaplen() with promisc_mode %d.", interface_opts->promisc_mode);
658 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
659 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
661 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
662 "buffersize %d.", interface_opts->buffer_size);
663 if (interface_opts->buffer_size > 1) {
664 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
666 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
667 "monitor_mode %d.", interface_opts->monitor_mode);
668 if (interface_opts->monitor_mode)
669 pcap_set_rfmon(pcap_h, 1);
670 err = pcap_activate(pcap_h);
671 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
672 "pcap_activate() returned %d.", err);
674 /* Failed to activate, set to NULL */
675 if (err == PCAP_ERROR)
676 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
678 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
684 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
685 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
686 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
687 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
688 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
690 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
691 "pcap_open_live() returned %p.", (void *)pcap_h);
694 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
699 get_capture_device_open_failure_messages(const char *open_err_str,
705 char *errmsg, size_t errmsg_len,
706 char *secondary_errmsg,
707 size_t secondary_errmsg_len)
709 const char *libpcap_warn;
710 static const char ppamsg[] = "can't find PPA for ";
712 /* If we got a "can't find PPA for X" message, warn the user (who
713 is running dumcap on HP-UX) that they don't have a version of
714 libpcap that properly handles HP-UX (libpcap 0.6.x and later
715 versions, which properly handle HP-UX, say "can't find /dev/dlpi
716 PPA for X" rather than "can't find PPA for X"). */
717 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
720 "You are running (T)Wireshark with a version of the libpcap library\n"
721 "that doesn't handle HP-UX network devices well; this means that\n"
722 "(T)Wireshark may not be able to capture packets.\n"
724 "To fix this, you should install libpcap 0.6.2, or a later version\n"
725 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
726 "packaged binary form from the Software Porting And Archive Centre\n"
727 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
728 "at the URL lists a number of mirror sites.";
731 g_snprintf(errmsg, (gulong) errmsg_len,
732 "The capture session could not be initiated (%s).", open_err_str);
735 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
737 "In order to capture packets, WinPcap must be installed; see\n"
739 " http://www.winpcap.org/\n"
743 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
747 " http://winpcap.cs.pu.edu.tw/\n"
749 "for a downloadable version of WinPcap and for instructions on how to install\n"
752 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
754 "Please check that \"%s\" is the proper interface.\n"
757 "Help can be found at:\n"
759 " http://wiki.wireshark.org/WinPcap\n"
760 " http://wiki.wireshark.org/CaptureSetup\n",
764 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
765 "Please check to make sure you have sufficient permissions, and that you have "
766 "the proper interface or pipe specified.%s", libpcap_warn);
770 /* Set the data link type on a pcap. */
772 set_pcap_linktype(pcap_t *pcap_h, int linktype,
773 #ifdef HAVE_PCAP_SET_DATALINK
778 char *errmsg, size_t errmsg_len,
779 char *secondary_errmsg, size_t secondary_errmsg_len)
781 char *set_linktype_err_str;
784 return TRUE; /* just use the default */
785 #ifdef HAVE_PCAP_SET_DATALINK
786 if (pcap_set_datalink(pcap_h, linktype) == 0)
787 return TRUE; /* no error */
788 set_linktype_err_str = pcap_geterr(pcap_h);
790 /* Let them set it to the type it is; reject any other request. */
791 if (get_pcap_linktype(pcap_h, name) == linktype)
792 return TRUE; /* no error */
793 set_linktype_err_str =
794 "That DLT isn't one of the DLTs supported by this device";
796 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
797 set_linktype_err_str);
799 * If the error isn't "XXX is not one of the DLTs supported by this device",
800 * tell the user to tell the Wireshark developers about it.
802 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
803 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
805 secondary_errmsg[0] = '\0';
810 compile_capture_filter(const char *iface, pcap_t *pcap_h,
811 struct bpf_program *fcode, const char *cfilter)
813 bpf_u_int32 netnum, netmask;
814 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
816 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
818 * Well, we can't get the netmask for this interface; it's used
819 * only for filters that check for broadcast IP addresses, so
820 * we just punt and use 0. It might be nice to warn the user,
821 * but that's a pain in a GUI application, as it'd involve popping
822 * up a message box, and it's not clear how often this would make
823 * a difference (only filters that check for IP broadcast addresses
827 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
832 * Sigh. Older versions of libpcap don't properly declare the
833 * third argument to pcap_compile() as a const pointer. Cast
836 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
841 #ifdef HAVE_BPF_IMAGE
843 show_filter_code(capture_options *capture_opts)
845 interface_options interface_opts;
847 gchar open_err_str[PCAP_ERRBUF_SIZE];
848 char errmsg[MSG_MAX_LENGTH+1];
849 char secondary_errmsg[MSG_MAX_LENGTH+1];
850 struct bpf_program fcode;
851 struct bpf_insn *insn;
855 for (j = 0; j < capture_opts->ifaces->len; j++) {
856 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
857 pcap_h = open_capture_device(&interface_opts, &open_err_str);
858 if (pcap_h == NULL) {
859 /* Open failed; get messages */
860 get_capture_device_open_failure_messages(open_err_str,
862 errmsg, sizeof errmsg,
864 sizeof secondary_errmsg);
865 /* And report them */
866 report_capture_error(errmsg, secondary_errmsg);
870 /* Set the link-layer type. */
871 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
872 errmsg, sizeof errmsg,
873 secondary_errmsg, sizeof secondary_errmsg)) {
875 report_capture_error(errmsg, secondary_errmsg);
879 /* OK, try to compile the capture filter. */
880 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
881 interface_opts.cfilter)) {
883 report_cfilter_error(capture_opts, j, errmsg);
888 /* Now print the filter code. */
889 insn = fcode.bf_insns;
891 for (i = 0; i < fcode.bf_len; insn++, i++)
892 printf("%s\n", bpf_image(insn, i));
894 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
895 /* to remove any suid privileges. */
896 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
897 /* (euid/egid have already previously been set to ruid/rgid. */
898 /* (See comment in main() for details) */
900 relinquish_special_privs_perm();
902 relinquish_all_capabilities();
905 /* Let our parent know we succeeded. */
906 pipe_write_block(2, SP_SUCCESS, NULL);
913 * capture_interface_list() is expected to do the right thing to get
914 * a list of interfaces.
916 * In most of the programs in the Wireshark suite, "the right thing"
917 * is to run dumpcap and ask it for the list, because dumpcap may
918 * be the only program in the suite with enough privileges to get
921 * In dumpcap itself, however, we obviously can't run dumpcap to
922 * ask for the list. Therefore, our capture_interface_list() should
923 * just call get_interface_list().
926 capture_interface_list(int *err, char **err_str)
928 return get_interface_list(err, err_str);
932 * Get the data-link type for a libpcap device.
933 * This works around AIX 5.x's non-standard and incompatible-with-the-
934 * rest-of-the-universe libpcap.
937 get_pcap_linktype(pcap_t *pch, const char *devname
945 const char *ifacename;
948 linktype = pcap_datalink(pch);
952 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
953 * rather than DLT_ values for link-layer types; the ifType values
954 * for LAN devices are:
961 * and the ifType value for a loopback device is 24.
963 * The AIX names for LAN devices begin with:
970 * and the AIX names for loopback devices begin with "lo".
972 * (The difference between "Ethernet" and "802.3" is presumably
973 * whether packets have an Ethernet header, with a packet type,
974 * or an 802.3 header, with a packet length, followed by an 802.2
975 * header and possibly a SNAP header.)
977 * If the device name matches "linktype" interpreted as an ifType
978 * value, rather than as a DLT_ value, we will assume this is AIX's
979 * non-standard, incompatible libpcap, rather than a standard libpcap,
980 * and will map the link-layer type to the standard DLT_ value for
981 * that link-layer type, as that's what the rest of Wireshark expects.
983 * (This means the capture files won't be readable by a tcpdump
984 * linked with AIX's non-standard libpcap, but so it goes. They
985 * *will* be readable by standard versions of tcpdump, Wireshark,
988 * XXX - if we conclude we're using AIX libpcap, should we also
989 * set a flag to cause us to assume the time stamps are in
990 * seconds-and-nanoseconds form, and to convert them to
991 * seconds-and-microseconds form before processing them and
996 * Find the last component of the device name, which is the
999 ifacename = strchr(devname, '/');
1000 if (ifacename == NULL)
1001 ifacename = devname;
1003 /* See if it matches any of the LAN device names. */
1004 if (strncmp(ifacename, "en", 2) == 0) {
1005 if (linktype == 6) {
1007 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1011 } else if (strncmp(ifacename, "et", 2) == 0) {
1012 if (linktype == 7) {
1014 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1015 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1020 } else if (strncmp(ifacename, "tr", 2) == 0) {
1021 if (linktype == 9) {
1023 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1024 * DLT_IEEE802, which is what's used for Token Ring.
1028 } else if (strncmp(ifacename, "fi", 2) == 0) {
1029 if (linktype == 15) {
1031 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1035 } else if (strncmp(ifacename, "lo", 2) == 0) {
1036 if (linktype == 24) {
1038 * That's the RFC 1573 value for "software loopback" devices; map it
1039 * to DLT_NULL, which is what's used for loopback devices on BSD.
1049 static data_link_info_t *
1050 create_data_link_info(int dlt)
1052 data_link_info_t *data_link_info;
1055 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1056 data_link_info->dlt = dlt;
1057 text = pcap_datalink_val_to_name(dlt);
1059 data_link_info->name = g_strdup(text);
1061 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1062 text = pcap_datalink_val_to_description(dlt);
1064 data_link_info->description = g_strdup(text);
1066 data_link_info->description = NULL;
1067 return data_link_info;
1071 * Get the capabilities of a network device.
1073 static if_capabilities_t *
1074 get_if_capabilities(const char *devname, gboolean monitor_mode
1075 #ifndef HAVE_PCAP_CREATE
1080 if_capabilities_t *caps;
1081 char errbuf[PCAP_ERRBUF_SIZE];
1083 #ifdef HAVE_PCAP_CREATE
1087 #ifdef HAVE_PCAP_LIST_DATALINKS
1091 data_link_info_t *data_link_info;
1094 * Allocate the interface capabilities structure.
1096 caps = g_malloc(sizeof *caps);
1098 #ifdef HAVE_PCAP_OPEN
1099 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1100 caps->can_set_rfmon = FALSE;
1102 if (err_str != NULL)
1103 *err_str = g_strdup(errbuf);
1107 #elif defined(HAVE_PCAP_CREATE)
1108 pch = pcap_create(devname, errbuf);
1110 if (err_str != NULL)
1111 *err_str = g_strdup(errbuf);
1115 status = pcap_can_set_rfmon(pch);
1118 if (status == PCAP_ERROR)
1119 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1122 *err_str = g_strdup(pcap_statustostr(status));
1128 caps->can_set_rfmon = FALSE;
1129 else if (status == 1) {
1130 caps->can_set_rfmon = TRUE;
1132 pcap_set_rfmon(pch, 1);
1134 if (err_str != NULL) {
1135 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1143 status = pcap_activate(pch);
1145 /* Error. We ignore warnings (status > 0). */
1146 if (err_str != NULL) {
1147 if (status == PCAP_ERROR)
1148 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1151 *err_str = g_strdup(pcap_statustostr(status));
1158 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1159 caps->can_set_rfmon = FALSE;
1161 if (err_str != NULL)
1162 *err_str = g_strdup(errbuf);
1167 deflt = get_pcap_linktype(pch, devname);
1168 #ifdef HAVE_PCAP_LIST_DATALINKS
1169 nlt = pcap_list_datalinks(pch, &linktypes);
1170 if (nlt == 0 || linktypes == NULL) {
1172 if (err_str != NULL)
1173 *err_str = NULL; /* an empty list doesn't mean an error */
1176 caps->data_link_types = NULL;
1177 for (i = 0; i < nlt; i++) {
1178 data_link_info = create_data_link_info(linktypes[i]);
1181 * XXX - for 802.11, make the most detailed 802.11
1182 * version the default, rather than the one the
1183 * device has as the default?
1185 if (linktypes[i] == deflt)
1186 caps->data_link_types = g_list_prepend(caps->data_link_types,
1189 caps->data_link_types = g_list_append(caps->data_link_types,
1192 #ifdef HAVE_PCAP_FREE_DATALINKS
1193 pcap_free_datalinks(linktypes);
1196 * In Windows, there's no guarantee that if you have a library
1197 * built with one version of the MSVC++ run-time library, and
1198 * it returns a pointer to allocated data, you can free that
1199 * data from a program linked with another version of the
1200 * MSVC++ run-time library.
1202 * This is not an issue on UN*X.
1204 * See the mail threads starting at
1206 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1210 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1213 #define xx_free free /* hack so checkAPIs doesn't complain */
1216 #endif /* HAVE_PCAP_FREE_DATALINKS */
1217 #else /* HAVE_PCAP_LIST_DATALINKS */
1219 data_link_info = create_data_link_info(deflt);
1220 caps->data_link_types = g_list_append(caps->data_link_types,
1222 #endif /* HAVE_PCAP_LIST_DATALINKS */
1226 if (err_str != NULL)
1231 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1233 print_machine_readable_interfaces(GList *if_list)
1240 char addr_str[ADDRSTRLEN];
1242 if (capture_child) {
1243 /* Let our parent know we succeeded. */
1244 pipe_write_block(2, SP_SUCCESS, NULL);
1247 i = 1; /* Interface id number */
1248 for (if_entry = g_list_first(if_list); if_entry != NULL;
1249 if_entry = g_list_next(if_entry)) {
1250 if_info = (if_info_t *)if_entry->data;
1251 printf("%d. %s", i++, if_info->name);
1254 * Print the contents of the if_entry struct in a parseable format.
1255 * Each if_entry element is tab-separated. Addresses are comma-
1258 /* XXX - Make sure our description doesn't contain a tab */
1259 if (if_info->description != NULL)
1260 printf("\t%s\t", if_info->description);
1264 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1265 addr = g_slist_next(addr)) {
1266 if (addr != g_slist_nth(if_info->addrs, 0))
1269 if_addr = (if_addr_t *)addr->data;
1270 switch(if_addr->ifat_type) {
1272 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1274 printf("%s", addr_str);
1276 printf("<unknown IPv4>");
1280 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1281 addr_str, ADDRSTRLEN)) {
1282 printf("%s", addr_str);
1284 printf("<unknown IPv6>");
1288 printf("<type unknown %u>", if_addr->ifat_type);
1292 if (if_info->loopback)
1293 printf("\tloopback");
1295 printf("\tnetwork");
1302 * If you change the machine-readable output format of this function,
1303 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1306 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1309 data_link_info_t *data_link_info;
1310 const gchar *desc_str;
1312 if (capture_child) {
1313 /* Let our parent know we succeeded. */
1314 pipe_write_block(2, SP_SUCCESS, NULL);
1317 if (caps->can_set_rfmon)
1321 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1322 lt_entry = g_list_next(lt_entry)) {
1323 data_link_info = (data_link_info_t *)lt_entry->data;
1324 if (data_link_info->description != NULL)
1325 desc_str = data_link_info->description;
1327 desc_str = "(not supported)";
1328 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1338 /* Print the number of packets captured for each interface until we're killed. */
1340 print_statistics_loop(gboolean machine_readable)
1342 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1348 char errbuf[PCAP_ERRBUF_SIZE];
1349 struct pcap_stat ps;
1351 if_list = get_interface_list(&err, &err_str);
1352 if (if_list == NULL) {
1354 case CANT_GET_INTERFACE_LIST:
1355 case DONT_HAVE_PCAP:
1356 cmdarg_err("%s", err_str);
1360 case NO_INTERFACES_FOUND:
1361 cmdarg_err("There are no interfaces on which a capture can be done");
1367 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1368 if_info = (if_info_t *)if_entry->data;
1369 #ifdef HAVE_PCAP_OPEN
1370 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1372 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1376 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1377 if_stat->name = g_strdup(if_info->name);
1379 stat_list = g_list_append(stat_list, if_stat);
1384 cmdarg_err("There are no interfaces on which a capture can be done");
1388 if (capture_child) {
1389 /* Let our parent know we succeeded. */
1390 pipe_write_block(2, SP_SUCCESS, NULL);
1393 if (!machine_readable) {
1394 printf("%-15s %10s %10s\n", "Interface", "Received",
1398 global_ld.go = TRUE;
1399 while (global_ld.go) {
1400 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1401 if_stat = (if_stat_t *)stat_entry->data;
1402 pcap_stats(if_stat->pch, &ps);
1404 if (!machine_readable) {
1405 printf("%-15s %10u %10u\n", if_stat->name,
1406 ps.ps_recv, ps.ps_drop);
1408 printf("%s\t%u\t%u\n", if_stat->name,
1409 ps.ps_recv, ps.ps_drop);
1420 /* XXX - Not reached. Should we look for 'q' in stdin? */
1421 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1422 if_stat = (if_stat_t *)stat_entry->data;
1423 pcap_close(if_stat->pch);
1424 g_free(if_stat->name);
1427 g_list_free(stat_list);
1428 free_interface_list(if_list);
1436 capture_cleanup_handler(DWORD dwCtrlType)
1438 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1439 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1440 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1441 like SIGTERM at least when the machine's shutting down.
1443 For now, if we're running as a command rather than a capture child,
1444 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1445 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1446 in that way on UN*X.
1448 If we're not running as a capture child, we might be running as
1449 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1450 user logs out. (XXX - can we explicitly check whether we're
1451 running as a service?) */
1453 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1454 "Console: Control signal");
1455 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1456 "Console: Control signal, CtrlType: %u", dwCtrlType);
1458 /* Keep capture running if we're a service and a user logs off */
1459 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1460 capture_loop_stop();
1468 capture_cleanup_handler(int signum _U_)
1470 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1471 SIGTERM. We assume that if the user wanted it to keep running
1472 after they logged out, they'd have nohupped it. */
1474 /* Note: don't call g_log() in the signal handler: if we happened to be in
1475 * g_log() in process context when the signal came in, g_log will detect
1476 * the "recursion" and abort.
1479 capture_loop_stop();
1485 report_capture_count(gboolean reportit)
1487 /* Don't print this if we're a capture child. */
1488 if (!capture_child && reportit) {
1489 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1490 /* stderr could be line buffered */
1498 report_counts_for_siginfo(void)
1500 report_capture_count(quiet);
1501 infoprint = FALSE; /* we just reported it */
1505 report_counts_siginfo(int signum _U_)
1507 int sav_errno = errno;
1509 /* If we've been told to delay printing, just set a flag asking
1510 that we print counts (if we're supposed to), otherwise print
1511 the count of packets captured (if we're supposed to). */
1515 report_counts_for_siginfo();
1518 #endif /* SIGINFO */
1521 exit_main(int status)
1524 /* Shutdown windows sockets */
1527 /* can be helpful for debugging */
1528 #ifdef DEBUG_DUMPCAP
1529 printf("Press any key\n");
1540 * If we were linked with libcap (not libpcap), make sure we have
1541 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1542 * (See comment in main() for details)
1545 relinquish_privs_except_capture(void)
1547 /* If 'started_with_special_privs' (ie: suid) then enable for
1548 * ourself the NET_ADMIN and NET_RAW capabilities and then
1549 * drop our suid privileges.
1551 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1552 * stuff we don't need (and shouldn't have).
1553 * CAP_NET_RAW: Packet capture (raw sockets).
1556 if (started_with_special_privs()) {
1557 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1558 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1560 cap_t caps = cap_init(); /* all capabilities initialized to off */
1562 print_caps("Pre drop, pre set");
1564 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1565 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1568 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1569 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1571 if (cap_set_proc(caps)) {
1572 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1574 print_caps("Pre drop, post set");
1576 relinquish_special_privs_perm();
1578 print_caps("Post drop, pre set");
1579 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1580 if (cap_set_proc(caps)) {
1581 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1583 print_caps("Post drop, post set");
1589 #endif /* HAVE_LIBCAP */
1591 /* Take care of byte order in the libpcap headers read from pipes.
1592 * (function taken from wiretap/libpcap.c) */
1594 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1597 /* Byte-swap the record header fields. */
1598 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1599 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1600 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1601 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1604 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1605 swapped, in order to match the BPF header layout.
1607 Unfortunately, some files were, according to a comment in the "libpcap"
1608 source, written with version 2.3 in their headers but without the
1609 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1610 would make no sense - we assume that we need to swap them. */
1611 if (hdr->version_major == 2 &&
1612 (hdr->version_minor < 3 ||
1613 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1616 temp = rechdr->orig_len;
1617 rechdr->orig_len = rechdr->incl_len;
1618 rechdr->incl_len = temp;
1624 * Thread function that reads from a pipe and pushes the data
1625 * to the main application thread.
1628 * XXX Right now we use async queues for basic signaling. The main thread
1629 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1630 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1631 * Iff the read is successful cap_pipe_read pushes an item onto
1632 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1633 * the queues themselves (yet).
1635 * We might want to move some of the cap_pipe_dispatch logic here so that
1636 * we can let cap_pipe_read run independently, queuing up multiple reads
1637 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1639 static void *cap_pipe_read(void *arg)
1641 pcap_options *pcap_opts;
1650 pcap_opts = (pcap_options *)arg;
1651 while (pcap_opts->cap_pipe_err == PIPOK) {
1652 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1653 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1655 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1657 /* If we try to use read() on a named pipe on Windows with partial
1658 * data it appears to return EOF.
1660 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1661 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1666 last_err = GetLastError();
1667 if (last_err == ERROR_MORE_DATA) {
1669 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1670 pcap_opts->cap_pipe_err = PIPEOF;
1674 pcap_opts->cap_pipe_err = PIPERR;
1677 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1678 pcap_opts->cap_pipe_err = PIPEOF;
1683 b = read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1684 pcap_opts->cap_pipe_bytes_to_read - bytes_read);
1687 pcap_opts->cap_pipe_err = PIPEOF;
1691 pcap_opts->cap_pipe_err = PIPERR;
1700 pcap_opts->cap_pipe_bytes_read = bytes_read;
1701 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1702 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1704 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1710 #if !defined(_WIN32) || defined(MUST_DO_SELECT)
1711 /* Provide select() functionality for a single file descriptor
1712 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1714 * Returns the same values as select.
1717 cap_pipe_select(int pipe_fd)
1720 struct timeval timeout;
1723 FD_SET(pipe_fd, &rfds);
1725 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1726 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1728 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1733 /* Mimic pcap_open_live() for pipe captures
1735 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1736 * open it, and read the header.
1738 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1739 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1741 cap_pipe_open_live(char *pipename,
1742 pcap_options *pcap_opts,
1743 struct pcap_hdr *hdr,
1744 char *errmsg, int errmsgl)
1747 ws_statb64 pipe_stat;
1748 struct sockaddr_un sa;
1759 unsigned int bytes_read;
1764 pcap_opts->cap_pipe_fd = -1;
1766 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1768 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1771 * XXX - this blocks until a pcap per-file header has been written to
1772 * the pipe, so it could block indefinitely.
1774 if (strcmp(pipename, "-") == 0) {
1776 fd = 0; /* read from stdin */
1778 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1782 if (ws_stat64(pipename, &pipe_stat) < 0) {
1783 if (errno == ENOENT || errno == ENOTDIR)
1784 pcap_opts->cap_pipe_err = PIPNEXIST;
1786 g_snprintf(errmsg, errmsgl,
1787 "The capture session could not be initiated "
1788 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1789 pcap_opts->cap_pipe_err = PIPERR;
1793 if (S_ISFIFO(pipe_stat.st_mode)) {
1794 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1796 g_snprintf(errmsg, errmsgl,
1797 "The capture session could not be initiated "
1798 "due to error on pipe open: %s", g_strerror(errno));
1799 pcap_opts->cap_pipe_err = PIPERR;
1802 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1803 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1805 g_snprintf(errmsg, errmsgl,
1806 "The capture session could not be initiated "
1807 "due to error on socket create: %s", g_strerror(errno));
1808 pcap_opts->cap_pipe_err = PIPERR;
1811 sa.sun_family = AF_UNIX;
1813 * The Single UNIX Specification says:
1815 * The size of sun_path has intentionally been left undefined.
1816 * This is because different implementations use different sizes.
1817 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1818 * of 104. Since most implementations originate from BSD versions,
1819 * the size is typically in the range 92 to 108.
1821 * Applications should not assume a particular length for sun_path
1822 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1826 * The <sys/un.h> header shall define the sockaddr_un structure,
1827 * which shall include at least the following members:
1829 * sa_family_t sun_family Address family.
1830 * char sun_path[] Socket pathname.
1832 * so we assume that it's an array, with a specified size,
1833 * and that the size reflects the maximum path length.
1835 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1836 /* Path name too long */
1837 g_snprintf(errmsg, errmsgl,
1838 "The capture session coud not be initiated "
1839 "due to error on socket connect: Path name too long");
1840 pcap_opts->cap_pipe_err = PIPERR;
1843 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1845 g_snprintf(errmsg, errmsgl,
1846 "The capture session coud not be initiated "
1847 "due to error on socket connect: %s", g_strerror(errno));
1848 pcap_opts->cap_pipe_err = PIPERR;
1852 if (S_ISCHR(pipe_stat.st_mode)) {
1854 * Assume the user specified an interface on a system where
1855 * interfaces are in /dev. Pretend we haven't seen it.
1857 pcap_opts->cap_pipe_err = PIPNEXIST;
1860 g_snprintf(errmsg, errmsgl,
1861 "The capture session could not be initiated because\n"
1862 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1863 pcap_opts->cap_pipe_err = PIPERR;
1868 #define PIPE_STR "\\pipe\\"
1869 /* Under Windows, named pipes _must_ have the form
1870 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1872 pncopy = g_strdup(pipename);
1873 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1874 pos = strchr(pncopy + 3, '\\');
1875 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1882 g_snprintf(errmsg, errmsgl,
1883 "The capture session could not be initiated because\n"
1884 "\"%s\" is neither an interface nor a pipe", pipename);
1885 pcap_opts->cap_pipe_err = PIPNEXIST;
1889 /* Wait for the pipe to appear */
1891 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1892 OPEN_EXISTING, 0, NULL);
1894 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1897 if (GetLastError() != ERROR_PIPE_BUSY) {
1898 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1899 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1900 g_snprintf(errmsg, errmsgl,
1901 "The capture session on \"%s\" could not be started "
1902 "due to error on pipe open: %s (error %d)",
1903 pipename, utf_16to8(err_str), GetLastError());
1905 pcap_opts->cap_pipe_err = PIPERR;
1909 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1910 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1911 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1912 g_snprintf(errmsg, errmsgl,
1913 "The capture session on \"%s\" timed out during "
1914 "pipe open: %s (error %d)",
1915 pipename, utf_16to8(err_str), GetLastError());
1917 pcap_opts->cap_pipe_err = PIPERR;
1924 pcap_opts->from_cap_pipe = TRUE;
1927 /* read the pcap header */
1929 while (bytes_read < sizeof magic) {
1930 sel_ret = cap_pipe_select(fd);
1932 g_snprintf(errmsg, errmsgl,
1933 "Unexpected error from select: %s", g_strerror(errno));
1935 } else if (sel_ret > 0) {
1936 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1939 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1941 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1949 g_thread_create(&cap_pipe_read, pcap_opts, FALSE, NULL);
1951 pcap_opts->cap_pipe_buf = (char *) &magic;
1952 pcap_opts->cap_pipe_bytes_read = 0;
1953 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1954 /* We don't have to worry about cap_pipe_read_mtx here */
1955 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1956 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1957 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1958 if (pcap_opts->cap_pipe_bytes_read == 0)
1959 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1961 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1970 /* Host that wrote it has our byte order, and was running
1971 a program using either standard or ss990417 libpcap. */
1972 pcap_opts->cap_pipe_byte_swapped = FALSE;
1973 pcap_opts->cap_pipe_modified = FALSE;
1975 case PCAP_MODIFIED_MAGIC:
1976 /* Host that wrote it has our byte order, but was running
1977 a program using either ss990915 or ss991029 libpcap. */
1978 pcap_opts->cap_pipe_byte_swapped = FALSE;
1979 pcap_opts->cap_pipe_modified = TRUE;
1981 case PCAP_SWAPPED_MAGIC:
1982 /* Host that wrote it has a byte order opposite to ours,
1983 and was running a program using either standard or
1984 ss990417 libpcap. */
1985 pcap_opts->cap_pipe_byte_swapped = TRUE;
1986 pcap_opts->cap_pipe_modified = FALSE;
1988 case PCAP_SWAPPED_MODIFIED_MAGIC:
1989 /* Host that wrote it out has a byte order opposite to
1990 ours, and was running a program using either ss990915
1991 or ss991029 libpcap. */
1992 pcap_opts->cap_pipe_byte_swapped = TRUE;
1993 pcap_opts->cap_pipe_modified = TRUE;
1996 /* Not a "libpcap" type we know about. */
1997 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2002 /* Read the rest of the header */
2004 while (bytes_read < sizeof(struct pcap_hdr)) {
2005 sel_ret = cap_pipe_select(fd);
2007 g_snprintf(errmsg, errmsgl,
2008 "Unexpected error from select: %s", g_strerror(errno));
2010 } else if (sel_ret > 0) {
2011 b = read(fd, ((char *)hdr)+bytes_read,
2012 sizeof(struct pcap_hdr) - bytes_read);
2015 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2017 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2025 pcap_opts->cap_pipe_buf = (char *) hdr;
2026 pcap_opts->cap_pipe_bytes_read = 0;
2027 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2028 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2029 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2030 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2031 if (pcap_opts->cap_pipe_bytes_read == 0)
2032 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2034 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2040 if (pcap_opts->cap_pipe_byte_swapped) {
2041 /* Byte-swap the header fields about which we care. */
2042 hdr->version_major = BSWAP16(hdr->version_major);
2043 hdr->version_minor = BSWAP16(hdr->version_minor);
2044 hdr->snaplen = BSWAP32(hdr->snaplen);
2045 hdr->network = BSWAP32(hdr->network);
2047 pcap_opts->linktype = hdr->network;
2049 if (hdr->version_major < 2) {
2050 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2054 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2055 pcap_opts->cap_pipe_err = PIPOK;
2057 pcap_opts->cap_pipe_fd = fd;
2062 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2063 pcap_opts->cap_pipe_err = PIPERR;
2066 pcap_opts->cap_pipe_fd = -1;
2073 /* We read one record from the pipe, take care of byte order in the record
2074 * header, write the record to the capture file, and update capture statistics. */
2076 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2078 struct pcap_pkthdr phdr;
2079 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2091 #ifdef LOG_CAPTURE_VERBOSE
2092 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2095 switch (pcap_opts->cap_pipe_state) {
2097 case STATE_EXPECT_REC_HDR:
2099 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2102 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2103 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2104 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2105 pcap_opts->cap_pipe_bytes_read = 0;
2108 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2109 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2110 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2115 case STATE_READ_REC_HDR:
2117 b = read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2118 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2121 result = PD_PIPE_EOF;
2123 result = PD_PIPE_ERR;
2126 pcap_opts->cap_pipe_bytes_read += b;
2128 g_get_current_time(&wait_time);
2129 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2130 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2131 if (pcap_opts->cap_pipe_err == PIPEOF) {
2132 result = PD_PIPE_EOF;
2134 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2135 result = PD_PIPE_ERR;
2142 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2144 result = PD_REC_HDR_READ;
2147 case STATE_EXPECT_DATA:
2149 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2152 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2153 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2154 pcap_opts->cap_pipe_bytes_read = 0;
2157 pcap_opts->cap_pipe_buf = (char *) data;
2158 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2159 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2164 case STATE_READ_DATA:
2166 b = read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2167 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2170 result = PD_PIPE_EOF;
2172 result = PD_PIPE_ERR;
2175 pcap_opts->cap_pipe_bytes_read += b;
2177 g_get_current_time(&wait_time);
2178 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2179 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2180 if (pcap_opts->cap_pipe_err == PIPEOF) {
2181 result = PD_PIPE_EOF;
2183 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2184 result = PD_PIPE_ERR;
2191 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2193 result = PD_DATA_READ;
2197 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2200 } /* switch (ld->cap_pipe_state) */
2203 * We've now read as much data as we were expecting, so process it.
2207 case PD_REC_HDR_READ:
2208 /* We've read the header. Take care of byte order. */
2209 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2210 &pcap_opts->cap_pipe_rechdr.hdr);
2211 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2212 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2213 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2217 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2218 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2221 /* no data to read? fall through */
2224 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2225 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2226 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2227 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2228 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2231 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2233 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2235 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2239 pcap_opts->cap_pipe_err = PIPEOF;
2244 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2245 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2246 g_snprintf(errmsg, errmsgl,
2247 "Error reading from pipe: %s (error %d)",
2248 utf_16to8(err_str), GetLastError());
2251 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2259 pcap_opts->cap_pipe_err = PIPERR;
2260 /* Return here rather than inside the switch to prevent GCC warning */
2265 /** Open the capture input file (pcap or capture pipe).
2266 * Returns TRUE if it succeeds, FALSE otherwise. */
2268 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2269 char *errmsg, size_t errmsg_len,
2270 char *secondary_errmsg, size_t secondary_errmsg_len)
2272 gchar open_err_str[PCAP_ERRBUF_SIZE];
2273 gchar *sync_msg_str;
2274 interface_options interface_opts;
2275 pcap_options *pcap_opts;
2279 gchar *sync_secondary_msg_str;
2280 WORD wVersionRequested;
2284 /* XXX - opening Winsock on tshark? */
2286 /* Initialize Windows Socket if we are in a WIN32 OS
2287 This needs to be done before querying the interface for network/netmask */
2289 /* XXX - do we really require 1.1 or earlier?
2290 Are there any versions that support only 2.0 or higher? */
2291 wVersionRequested = MAKEWORD(1, 1);
2292 err = WSAStartup(wVersionRequested, &wsaData);
2296 case WSASYSNOTREADY:
2297 g_snprintf(errmsg, (gulong) errmsg_len,
2298 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2301 case WSAVERNOTSUPPORTED:
2302 g_snprintf(errmsg, (gulong) errmsg_len,
2303 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2304 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2307 case WSAEINPROGRESS:
2308 g_snprintf(errmsg, (gulong) errmsg_len,
2309 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2313 g_snprintf(errmsg, (gulong) errmsg_len,
2314 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2318 g_snprintf(errmsg, (gulong) errmsg_len,
2319 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2323 g_snprintf(errmsg, (gulong) errmsg_len,
2324 "Couldn't initialize Windows Sockets: error %d", err);
2327 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2331 if ((use_threads == FALSE) &&
2332 (capture_opts->ifaces->len > 1)) {
2333 g_snprintf(errmsg, (gulong) errmsg_len,
2334 "Using threads is required for capturing on mulitple interfaces!");
2338 for (i = 0; i < capture_opts->ifaces->len; i++) {
2339 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2340 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2341 if (pcap_opts == NULL) {
2342 g_snprintf(errmsg, (gulong) errmsg_len,
2343 "Could not allocate memory.");
2346 pcap_opts->received = 0;
2347 pcap_opts->dropped = 0;
2348 pcap_opts->pcap_h = NULL;
2349 #ifdef MUST_DO_SELECT
2350 pcap_opts->pcap_fd = -1;
2352 pcap_opts->pcap_err = FALSE;
2353 pcap_opts->interface_id = i;
2354 pcap_opts->tid = NULL;
2355 pcap_opts->snaplen = 0;
2356 pcap_opts->linktype = -1;
2357 pcap_opts->from_cap_pipe = FALSE;
2358 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2359 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2361 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2363 pcap_opts->cap_pipe_fd = -1;
2365 pcap_opts->cap_pipe_modified = FALSE;
2366 pcap_opts->cap_pipe_byte_swapped = FALSE;
2368 pcap_opts->cap_pipe_buf = NULL;
2370 pcap_opts->cap_pipe_bytes_to_read = 0;
2371 pcap_opts->cap_pipe_bytes_read = 0;
2372 pcap_opts->cap_pipe_state = 0;
2373 pcap_opts->cap_pipe_err = PIPOK;
2375 #if GLIB_CHECK_VERSION(2,31,0)
2376 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2377 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2379 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2381 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2382 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2384 g_array_append_val(ld->pcaps, pcap_opts);
2386 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2387 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2389 if (pcap_opts->pcap_h != NULL) {
2390 /* we've opened "iface" as a network device */
2392 /* try to set the capture buffer size */
2393 if (interface_opts.buffer_size > 1 &&
2394 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2395 sync_secondary_msg_str = g_strdup_printf(
2396 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2397 "the default of 1MB will be used.\n"
2399 "Nonetheless, the capture is started.\n",
2400 interface_opts.buffer_size);
2401 report_capture_error("Couldn't set the capture buffer size!",
2402 sync_secondary_msg_str);
2403 g_free(sync_secondary_msg_str);
2407 #if defined(HAVE_PCAP_SETSAMPLING)
2408 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2409 struct pcap_samp *samp;
2411 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2412 switch (interface_opts.sampling_method) {
2413 case CAPTURE_SAMP_BY_COUNT:
2414 samp->method = PCAP_SAMP_1_EVERY_N;
2417 case CAPTURE_SAMP_BY_TIMER:
2418 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2422 sync_msg_str = g_strdup_printf(
2423 "Unknown sampling method %d specified,\n"
2424 "continue without packet sampling",
2425 interface_opts.sampling_method);
2426 report_capture_error("Couldn't set the capture "
2427 "sampling", sync_msg_str);
2428 g_free(sync_msg_str);
2430 samp->value = interface_opts.sampling_param;
2432 report_capture_error("Couldn't set the capture sampling",
2433 "Cannot get packet sampling data structure");
2438 /* setting the data link type only works on real interfaces */
2439 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2441 secondary_errmsg, secondary_errmsg_len)) {
2444 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2446 /* We couldn't open "iface" as a network device. */
2447 /* Try to open it as a pipe */
2448 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2451 if (pcap_opts->cap_pipe_fd == -1) {
2453 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2455 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2456 /* Pipe doesn't exist, so output message for interface */
2457 get_capture_device_open_failure_messages(open_err_str,
2458 interface_opts.name,
2462 secondary_errmsg_len);
2465 * Else pipe (or file) does exist and cap_pipe_open_live() has
2470 /* cap_pipe_open_live() succeeded; don't want
2471 error message from pcap_open_live() */
2472 open_err_str[0] = '\0';
2476 /* XXX - will this work for tshark? */
2477 #ifdef MUST_DO_SELECT
2478 if (!pcap_opts->from_cap_pipe) {
2479 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2480 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2482 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2487 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2488 returned a warning; print it, but keep capturing. */
2489 if (open_err_str[0] != '\0') {
2490 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2491 report_capture_error(sync_msg_str, "");
2492 g_free(sync_msg_str);
2494 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2495 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2498 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2499 /* to remove any suid privileges. */
2500 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2501 /* (euid/egid have already previously been set to ruid/rgid. */
2502 /* (See comment in main() for details) */
2504 relinquish_special_privs_perm();
2506 relinquish_all_capabilities();
2511 /* close the capture input file (pcap or capture pipe) */
2512 static void capture_loop_close_input(loop_data *ld)
2515 pcap_options *pcap_opts;
2517 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2519 for (i = 0; i < ld->pcaps->len; i++) {
2520 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2521 /* if open, close the capture pipe "input file" */
2523 if (pcap_opts->cap_pipe_fd >= 0) {
2524 g_assert(pcap_opts->from_cap_pipe);
2525 ws_close(pcap_opts->cap_pipe_fd);
2526 pcap_opts->cap_pipe_fd = -1;
2529 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2530 CloseHandle(pcap_opts->cap_pipe_h);
2531 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2534 /* if open, close the pcap "input file" */
2535 if (pcap_opts->pcap_h != NULL) {
2536 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2537 pcap_close(pcap_opts->pcap_h);
2538 pcap_opts->pcap_h = NULL;
2545 /* Shut down windows sockets */
2551 /* init the capture filter */
2552 static initfilter_status_t
2553 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2554 const gchar * name, const gchar * cfilter)
2556 struct bpf_program fcode;
2558 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2560 /* capture filters only work on real interfaces */
2561 if (cfilter && !from_cap_pipe) {
2562 /* A capture filter was specified; set it up. */
2563 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2564 /* Treat this specially - our caller might try to compile this
2565 as a display filter and, if that succeeds, warn the user that
2566 the display and capture filter syntaxes are different. */
2567 return INITFILTER_BAD_FILTER;
2569 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2570 #ifdef HAVE_PCAP_FREECODE
2571 pcap_freecode(&fcode);
2573 return INITFILTER_OTHER_ERROR;
2575 #ifdef HAVE_PCAP_FREECODE
2576 pcap_freecode(&fcode);
2580 return INITFILTER_NO_ERROR;
2584 /* set up to write to the already-opened capture output file/files */
2586 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2590 pcap_options *pcap_opts;
2591 interface_options interface_opts;
2592 gboolean successful;
2594 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2596 if ((capture_opts->use_pcapng == FALSE) &&
2597 (capture_opts->ifaces->len > 1)) {
2598 g_snprintf(errmsg, errmsg_len,
2599 "Using PCAPNG is required for capturing on mulitple interfaces! Use the -n option.");
2603 /* Set up to write to the capture file. */
2604 if (capture_opts->multi_files_on) {
2605 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2607 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2610 if (capture_opts->use_pcapng) {
2612 GString *os_info_str;
2614 os_info_str = g_string_new("");
2615 get_os_version_info(os_info_str);
2617 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2618 successful = libpcap_write_session_header_block(ld->pdh,
2621 os_info_str->str, /* OS*/
2623 -1, /* section_length */
2627 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2628 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2629 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2630 if (pcap_opts->from_cap_pipe) {
2631 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2633 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2635 successful = libpcap_write_interface_description_block(global_ld.pdh,
2636 NULL, /* OPT_COMMENT 1 */
2637 interface_opts.name, /* IDB_NAME 2 */
2638 NULL, /* IDB_DESCRIPTION 3 */
2639 interface_opts.cfilter?interface_opts.cfilter:"", /* IDB_FILTER 11 */
2640 os_info_str->str, /* IDB_OS 12 */
2641 pcap_opts->linktype,
2643 &(global_ld.bytes_written),
2644 0, /* IDB_IF_SPEED 8 */
2645 0, /* IDB_TSRESOL 9 */
2649 g_string_free(os_info_str, TRUE);
2652 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2653 if (pcap_opts->from_cap_pipe) {
2654 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2656 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2658 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2659 &ld->bytes_written, &err);
2667 if (ld->pdh == NULL) {
2668 /* We couldn't set up to write to the capture file. */
2669 /* XXX - use cf_open_error_message from tshark instead? */
2674 g_snprintf(errmsg, errmsg_len,
2675 "The file to which the capture would be"
2676 " saved (\"%s\") could not be opened: Error %d.",
2677 capture_opts->save_file, err);
2679 g_snprintf(errmsg, errmsg_len,
2680 "The file to which the capture would be"
2681 " saved (\"%s\") could not be opened: %s.",
2682 capture_opts->save_file, g_strerror(err));
2694 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2698 pcap_options *pcap_opts;
2699 guint64 end_time = create_timestamp();
2701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2703 if (capture_opts->multi_files_on) {
2704 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2706 if (capture_opts->use_pcapng) {
2707 for (i = 0; i < global_ld.pcaps->len; i++) {
2708 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2709 if (!pcap_opts->from_cap_pipe) {
2710 libpcap_write_interface_statistics_block(ld->pdh,
2714 "Counters provided by libpcap",
2721 return libpcap_dump_close(ld->pdh, err_close);
2725 /* dispatch incoming packets (pcap or capture pipe)
2727 * Waits for incoming packets to be available, and calls pcap_dispatch()
2728 * to cause them to be processed.
2730 * Returns the number of packets which were processed.
2732 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2733 * packet-batching behaviour does not cause packets to get held back
2737 capture_loop_dispatch(loop_data *ld,
2738 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2741 gint packet_count_before;
2742 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2747 packet_count_before = ld->packet_count;
2748 if (pcap_opts->from_cap_pipe) {
2749 /* dispatch from capture pipe */
2750 #ifdef LOG_CAPTURE_VERBOSE
2751 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2754 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2756 if (sel_ret < 0 && errno != EINTR) {
2757 g_snprintf(errmsg, errmsg_len,
2758 "Unexpected error from select: %s", g_strerror(errno));
2759 report_capture_error(errmsg, please_report);
2764 * "select()" says we can read from the pipe without blocking
2767 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2777 /* dispatch from pcap */
2778 #ifdef MUST_DO_SELECT
2780 * If we have "pcap_get_selectable_fd()", we use it to get the
2781 * descriptor on which to select; if that's -1, it means there
2782 * is no descriptor on which you can do a "select()" (perhaps
2783 * because you're capturing on a special device, and that device's
2784 * driver unfortunately doesn't support "select()", in which case
2785 * we don't do the select - which means it might not be possible
2786 * to stop a capture until a packet arrives. If that's unacceptable,
2787 * plead with whoever supplies the software for that device to add
2788 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2789 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2790 * later, so it can use pcap_breakloop().
2792 #ifdef LOG_CAPTURE_VERBOSE
2793 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2795 if (pcap_opts->pcap_fd != -1) {
2796 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2799 * "select()" says we can read from it without blocking; go for
2802 * We don't have pcap_breakloop(), so we only process one packet
2803 * per pcap_dispatch() call, to allow a signal to stop the
2804 * processing immediately, rather than processing all packets
2805 * in a batch before quitting.
2808 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2810 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2814 /* Error, rather than pcap_breakloop(). */
2815 pcap_opts->pcap_err = TRUE;
2817 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2820 if (sel_ret < 0 && errno != EINTR) {
2821 g_snprintf(errmsg, errmsg_len,
2822 "Unexpected error from select: %s", g_strerror(errno));
2823 report_capture_error(errmsg, please_report);
2829 #endif /* MUST_DO_SELECT */
2831 /* dispatch from pcap without select */
2833 #ifdef LOG_CAPTURE_VERBOSE
2834 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2838 * On Windows, we don't support asynchronously telling a process to
2839 * stop capturing; instead, we check for an indication on a pipe
2840 * after processing packets. We therefore process only one packet
2841 * at a time, so that we can check the pipe after every packet.
2844 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2846 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2850 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2852 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2857 /* Error, rather than pcap_breakloop(). */
2858 pcap_opts->pcap_err = TRUE;
2860 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2862 #else /* pcap_next_ex */
2863 #ifdef LOG_CAPTURE_VERBOSE
2864 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2866 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2869 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2870 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2871 * This should be fixed in the WinPcap 4.0 alpha release.
2873 * For reference, an example remote interface:
2874 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2877 /* emulate dispatch from pcap */
2880 struct pcap_pkthdr *pkt_header;
2885 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2887 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2889 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2894 pcap_opts->pcap_err = TRUE;
2898 #endif /* pcap_next_ex */
2902 #ifdef LOG_CAPTURE_VERBOSE
2903 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2906 return ld->packet_count - packet_count_before;
2910 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2911 * want to grab only the characters between the '{' and '}' delimiters.
2913 * Returns a GString that must be freed with g_string_free(). */
2915 isolate_uuid(const char *iface)
2920 ptr = strchr(iface, '{');
2922 return g_string_new(iface);
2923 gstr = g_string_new(ptr + 1);
2925 ptr = strchr(gstr->str, '}');
2929 gstr = g_string_truncate(gstr, ptr - gstr->str);
2934 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2935 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2937 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2938 char *errmsg, int errmsg_len)
2941 gchar *capfile_name;
2943 gboolean is_tempfile;
2945 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2946 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2948 if (capture_opts->save_file != NULL) {
2949 /* We return to the caller while the capture is in progress.
2950 * Therefore we need to take a copy of save_file in
2951 * case the caller destroys it after we return.
2953 capfile_name = g_strdup(capture_opts->save_file);
2955 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2956 if (capture_opts->multi_files_on) {
2957 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
2958 g_snprintf(errmsg, errmsg_len,
2959 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
2960 g_free(capfile_name);
2963 if (strcmp(capfile_name, "-") == 0) {
2964 /* write to stdout */
2967 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
2968 _setmode(1, O_BINARY);
2971 } /* if (...output_to_pipe ... */
2974 if (capture_opts->multi_files_on) {
2975 /* ringbuffer is enabled */
2976 *save_file_fd = ringbuf_init(capfile_name,
2977 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
2978 capture_opts->group_read_access);
2980 /* we need the ringbuf name */
2981 if(*save_file_fd != -1) {
2982 g_free(capfile_name);
2983 capfile_name = g_strdup(ringbuf_current_filename());
2986 /* Try to open/create the specified file for use as a capture buffer. */
2987 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
2988 (capture_opts->group_read_access) ? 0640 : 0600);
2991 is_tempfile = FALSE;
2993 /* Choose a random name for the temporary capture buffer */
2994 if (global_capture_opts.ifaces->len > 1) {
2995 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3000 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3001 basename = g_path_get_basename(iface->str);
3002 g_string_free(iface, TRUE);
3004 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3006 prefix = g_strconcat("wireshark_", basename, NULL);
3009 *save_file_fd = create_tempfile(&tmpname, prefix);
3011 capfile_name = g_strdup(tmpname);
3015 /* did we fail to open the output file? */
3016 if (*save_file_fd == -1) {
3018 g_snprintf(errmsg, errmsg_len,
3019 "The temporary file to which the capture would be saved (\"%s\") "
3020 "could not be opened: %s.", capfile_name, g_strerror(errno));
3022 if (capture_opts->multi_files_on) {
3023 ringbuf_error_cleanup();
3026 g_snprintf(errmsg, errmsg_len,
3027 "The file to which the capture would be saved (\"%s\") "
3028 "could not be opened: %s.", capfile_name,
3031 g_free(capfile_name);
3035 if(capture_opts->save_file != NULL) {
3036 g_free(capture_opts->save_file);
3038 capture_opts->save_file = capfile_name;
3039 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3040 "g_free(capfile_name)". */
3046 /* Do the work of handling either the file size or file duration capture
3047 conditions being reached, and switching files or stopping. */
3049 do_file_switch_or_stop(capture_options *capture_opts,
3050 condition *cnd_autostop_files,
3051 condition *cnd_autostop_size,
3052 condition *cnd_file_duration)
3055 pcap_options *pcap_opts;
3056 interface_options interface_opts;
3057 gboolean successful;
3059 if (capture_opts->multi_files_on) {
3060 if (cnd_autostop_files != NULL &&
3061 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3062 /* no files left: stop here */
3063 global_ld.go = FALSE;
3067 /* Switch to the next ringbuffer file */
3068 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3069 &global_ld.save_file_fd, &global_ld.err)) {
3071 /* File switch succeeded: reset the conditions */
3072 global_ld.bytes_written = 0;
3073 if (capture_opts->use_pcapng) {
3075 GString *os_info_str;
3077 os_info_str = g_string_new("");
3078 get_os_version_info(os_info_str);
3080 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3081 successful = libpcap_write_session_header_block(global_ld.pdh,
3084 os_info_str->str, /* OS */
3086 -1, /* section_length */
3087 &(global_ld.bytes_written),
3090 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3091 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3092 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3093 successful = libpcap_write_interface_description_block(global_ld.pdh,
3094 NULL, /* OPT_COMMENT 1 */
3095 interface_opts.name, /* IDB_NAME 2 */
3096 NULL, /* IDB_DESCRIPTION 3 */
3097 interface_opts.cfilter?interface_opts.cfilter:"", /* IDB_FILTER 11 */
3098 os_info_str->str, /* IDB_OS 12 */
3099 pcap_opts->linktype,
3101 &(global_ld.bytes_written),
3102 0, /* IDB_IF_SPEED 8 */
3103 0, /* IDB_TSRESOL 9 */
3107 g_string_free(os_info_str, TRUE);
3110 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3111 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3112 &global_ld.bytes_written, &global_ld.err);
3115 fclose(global_ld.pdh);
3116 global_ld.pdh = NULL;
3117 global_ld.go = FALSE;
3120 if (cnd_autostop_size)
3121 cnd_reset(cnd_autostop_size);
3122 if (cnd_file_duration)
3123 cnd_reset(cnd_file_duration);
3124 libpcap_dump_flush(global_ld.pdh, NULL);
3126 report_packet_count(global_ld.inpkts_to_sync_pipe);
3127 global_ld.inpkts_to_sync_pipe = 0;
3128 report_new_capture_file(capture_opts->save_file);
3130 /* File switch failed: stop here */
3131 global_ld.go = FALSE;
3135 /* single file, stop now */
3136 global_ld.go = FALSE;
3143 pcap_read_handler(void* arg)
3145 pcap_options *pcap_opts;
3146 char errmsg[MSG_MAX_LENGTH+1];
3148 pcap_opts = (pcap_options *)arg;
3150 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3151 pcap_opts->interface_id);
3153 while (global_ld.go) {
3154 /* dispatch incoming packets */
3155 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3157 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3158 pcap_opts->interface_id);
3159 g_thread_exit(NULL);
3163 /* Do the low-level work of a capture.
3164 Returns TRUE if it succeeds, FALSE otherwise. */
3166 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3169 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3171 struct timeval upd_time, cur_time;
3175 condition *cnd_file_duration = NULL;
3176 condition *cnd_autostop_files = NULL;
3177 condition *cnd_autostop_size = NULL;
3178 condition *cnd_autostop_duration = NULL;
3181 gboolean cfilter_error = FALSE;
3182 char errmsg[MSG_MAX_LENGTH+1];
3183 char secondary_errmsg[MSG_MAX_LENGTH+1];
3184 pcap_options *pcap_opts;
3185 interface_options interface_opts;
3186 guint i, error_index = 0;
3189 *secondary_errmsg = '\0';
3191 /* init the loop data */
3192 global_ld.go = TRUE;
3193 global_ld.packet_count = 0;
3195 global_ld.report_packet_count = FALSE;
3197 if (capture_opts->has_autostop_packets)
3198 global_ld.packet_max = capture_opts->autostop_packets;
3200 global_ld.packet_max = 0; /* no limit */
3201 global_ld.inpkts_to_sync_pipe = 0;
3202 global_ld.err = 0; /* no error seen yet */
3203 global_ld.pdh = NULL;
3204 global_ld.autostop_files = 0;
3205 global_ld.save_file_fd = -1;
3207 /* We haven't yet gotten the capture statistics. */
3208 *stats_known = FALSE;
3210 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3211 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3213 /* open the "input file" from network interface or capture pipe */
3214 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3215 secondary_errmsg, sizeof(secondary_errmsg))) {
3218 for (i = 0; i < capture_opts->ifaces->len; i++) {
3219 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3220 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3221 /* init the input filter from the network interface (capture pipe will do nothing) */
3223 * When remote capturing WinPCap crashes when the capture filter
3224 * is NULL. This might be a bug in WPCap. Therefore we provide an emtpy
3227 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3228 interface_opts.name,
3229 interface_opts.cfilter?interface_opts.cfilter:"")) {
3231 case INITFILTER_NO_ERROR:
3234 case INITFILTER_BAD_FILTER:
3235 cfilter_error = TRUE;
3237 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3240 case INITFILTER_OTHER_ERROR:
3241 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3242 pcap_geterr(pcap_opts->pcap_h));
3243 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3248 /* If we're supposed to write to a capture file, open it for output
3249 (temporary/specified name/ringbuffer) */
3250 if (capture_opts->saving_to_file) {
3251 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3252 errmsg, sizeof(errmsg))) {
3256 /* set up to write to the already-opened capture output file/files */
3257 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3262 /* XXX - capture SIGTERM and close the capture, in case we're on a
3263 Linux 2.0[.x] system and you have to explicitly close the capture
3264 stream in order to turn promiscuous mode off? We need to do that
3265 in other places as well - and I don't think that works all the
3266 time in any case, due to libpcap bugs. */
3268 /* Well, we should be able to start capturing.
3270 Sync out the capture file, so the header makes it to the file system,
3271 and send a "capture started successfully and capture file created"
3272 message to our parent so that they'll open the capture file and
3273 update its windows to indicate that we have a live capture in
3275 libpcap_dump_flush(global_ld.pdh, NULL);
3276 report_new_capture_file(capture_opts->save_file);
3279 /* initialize capture stop (and alike) conditions */
3280 init_capture_stop_conditions();
3281 /* create stop conditions */
3282 if (capture_opts->has_autostop_filesize)
3284 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3285 if (capture_opts->has_autostop_duration)
3286 cnd_autostop_duration =
3287 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3289 if (capture_opts->multi_files_on) {
3290 if (capture_opts->has_file_duration)
3292 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3294 if (capture_opts->has_autostop_files)
3295 cnd_autostop_files =
3296 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3299 /* init the time values */
3301 upd_time = GetTickCount();
3303 gettimeofday(&upd_time, NULL);
3305 start_time = create_timestamp();
3306 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3308 /* WOW, everything is prepared! */
3309 /* please fasten your seat belts, we will enter now the actual capture loop */
3311 pcap_queue = g_async_queue_new();
3312 pcap_queue_bytes = 0;
3313 pcap_queue_packets = 0;
3314 for (i = 0; i < global_ld.pcaps->len; i++) {
3315 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3316 #if GLIB_CHECK_VERSION(2,31,0)
3317 /* XXX - Add an interface name here? */
3318 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3320 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3324 while (global_ld.go) {
3325 /* dispatch incoming packets */
3327 GTimeVal write_thread_time;
3328 pcap_queue_element *queue_element;
3330 g_get_current_time(&write_thread_time);
3331 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3332 g_async_queue_lock(pcap_queue);
3333 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3334 if (queue_element) {
3335 pcap_queue_bytes -= queue_element->phdr.caplen;
3336 pcap_queue_packets -= 1;
3338 g_async_queue_unlock(pcap_queue);
3339 if (queue_element) {
3340 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3341 "Dequeued a packet of length %d captured on interface %d.",
3342 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3344 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3345 &queue_element->phdr,
3347 g_free(queue_element->pd);
3348 g_free(queue_element);
3354 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3355 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3356 sizeof(errmsg), pcap_opts);
3359 /* Were we asked to print packet counts by the SIGINFO handler? */
3360 if (global_ld.report_packet_count) {
3361 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3362 plurality(global_ld.packet_count, "", "s"));
3363 global_ld.report_packet_count = FALSE;
3368 /* any news from our parent (signal pipe)? -> just stop the capture */
3369 if (!signal_pipe_check_running()) {
3370 global_ld.go = FALSE;
3375 global_ld.inpkts_to_sync_pipe += inpkts;
3377 /* check capture size condition */
3378 if (cnd_autostop_size != NULL &&
3379 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3380 /* Capture size limit reached, do we have another file? */
3381 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3382 cnd_autostop_size, cnd_file_duration))
3384 } /* cnd_autostop_size */
3385 if (capture_opts->output_to_pipe) {
3386 libpcap_dump_flush(global_ld.pdh, NULL);
3390 /* Only update once every 500ms so as not to overload slow displays.
3391 * This also prevents too much context-switching between the dumpcap
3392 * and wireshark processes.
3394 #define DUMPCAP_UPD_TIME 500
3397 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3398 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3400 gettimeofday(&cur_time, NULL);
3401 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3402 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3405 upd_time = cur_time;
3408 if (pcap_stats(pch, stats) >= 0) {
3409 *stats_known = TRUE;
3412 /* Let the parent process know. */
3413 if (global_ld.inpkts_to_sync_pipe) {
3415 libpcap_dump_flush(global_ld.pdh, NULL);
3417 /* Send our parent a message saying we've written out
3418 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3420 report_packet_count(global_ld.inpkts_to_sync_pipe);
3422 global_ld.inpkts_to_sync_pipe = 0;
3425 /* check capture duration condition */
3426 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3427 /* The maximum capture time has elapsed; stop the capture. */
3428 global_ld.go = FALSE;
3432 /* check capture file duration condition */
3433 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3434 /* duration limit reached, do we have another file? */
3435 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3436 cnd_autostop_size, cnd_file_duration))
3438 } /* cnd_file_duration */
3442 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3444 pcap_queue_element *queue_element;
3446 for (i = 0; i < global_ld.pcaps->len; i++) {
3447 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3448 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3449 pcap_opts->interface_id);
3450 g_thread_join(pcap_opts->tid);
3451 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3452 pcap_opts->interface_id);
3455 g_async_queue_lock(pcap_queue);
3456 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3457 if (queue_element) {
3458 pcap_queue_bytes -= queue_element->phdr.caplen;
3459 pcap_queue_packets -= 1;
3461 g_async_queue_unlock(pcap_queue);
3462 if (queue_element == NULL) {
3465 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3466 "Dequeued a packet of length %d captured on interface %d.",
3467 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3468 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3469 &queue_element->phdr,
3471 g_free(queue_element->pd);
3472 g_free(queue_element);
3473 global_ld.inpkts_to_sync_pipe += 1;
3474 if (capture_opts->output_to_pipe) {
3475 libpcap_dump_flush(global_ld.pdh, NULL);
3481 /* delete stop conditions */
3482 if (cnd_file_duration != NULL)
3483 cnd_delete(cnd_file_duration);
3484 if (cnd_autostop_files != NULL)
3485 cnd_delete(cnd_autostop_files);
3486 if (cnd_autostop_size != NULL)
3487 cnd_delete(cnd_autostop_size);
3488 if (cnd_autostop_duration != NULL)
3489 cnd_delete(cnd_autostop_duration);
3491 /* did we have a pcap (input) error? */
3492 for (i = 0; i < capture_opts->ifaces->len; i++) {
3493 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3494 if (pcap_opts->pcap_err) {
3495 /* On Linux, if an interface goes down while you're capturing on it,
3496 you'll get a "recvfrom: Network is down" or
3497 "The interface went down" error (ENETDOWN).
3498 (At least you will if g_strerror() doesn't show a local translation
3501 On FreeBSD and OS X, if a network adapter disappears while
3502 you're capturing on it, you'll get a "read: Device not configured"
3503 error (ENXIO). (See previous parenthetical note.)
3505 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3507 These should *not* be reported to the Wireshark developers. */
3510 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3511 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3512 strcmp(cap_err_str, "The interface went down") == 0 ||
3513 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3514 strcmp(cap_err_str, "read: I/O error") == 0 ||
3515 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3516 report_capture_error("The network adapter on which the capture was being done "
3517 "is no longer running; the capture has stopped.",
3520 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3522 report_capture_error(errmsg, please_report);
3525 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3526 report_capture_error(errmsg, "");
3530 /* did we have an output error while capturing? */
3531 if (global_ld.err == 0) {
3534 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3535 global_ld.err, FALSE);
3536 report_capture_error(errmsg, please_report);
3540 if (capture_opts->saving_to_file) {
3541 /* close the output file */
3542 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3546 /* there might be packets not yet notified to the parent */
3547 /* (do this after closing the file, so all packets are already flushed) */
3548 if(global_ld.inpkts_to_sync_pipe) {
3550 report_packet_count(global_ld.inpkts_to_sync_pipe);
3551 global_ld.inpkts_to_sync_pipe = 0;
3554 /* If we've displayed a message about a write error, there's no point
3555 in displaying another message about an error on close. */
3556 if (!close_ok && write_ok) {
3557 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3559 report_capture_error(errmsg, "");
3563 * XXX We exhibit different behaviour between normal mode and sync mode
3564 * when the pipe is stdin and not already at EOF. If we're a child, the
3565 * parent's stdin isn't closed, so if the user starts another capture,
3566 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3567 * will say "Unrecognized libpcap format". On the other hand, in normal
3568 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3571 report_capture_count(TRUE);
3573 /* get packet drop statistics from pcap */
3574 for (i = 0; i < capture_opts->ifaces->len; i++) {
3578 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3579 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3580 received = pcap_opts->received;
3581 dropped = pcap_opts->dropped;
3582 if (pcap_opts->pcap_h != NULL) {
3583 g_assert(!pcap_opts->from_cap_pipe);
3584 /* Get the capture statistics, so we know how many packets were dropped. */
3585 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3586 *stats_known = TRUE;
3587 /* Let the parent process know. */
3588 dropped += stats->ps_drop;
3590 g_snprintf(errmsg, sizeof(errmsg),
3591 "Can't get packet-drop statistics: %s",
3592 pcap_geterr(pcap_opts->pcap_h));
3593 report_capture_error(errmsg, please_report);
3596 report_packet_drops(received, dropped, interface_opts.name);
3599 /* close the input file (pcap or capture pipe) */
3600 capture_loop_close_input(&global_ld);
3602 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3604 /* ok, if the write and the close were successful. */
3605 return write_ok && close_ok;
3608 if (capture_opts->multi_files_on) {
3609 /* cleanup ringbuffer */
3610 ringbuf_error_cleanup();
3612 /* We can't use the save file, and we have no FILE * for the stream
3613 to close in order to close it, so close the FD directly. */
3614 if (global_ld.save_file_fd != -1) {
3615 ws_close(global_ld.save_file_fd);
3618 /* We couldn't even start the capture, so get rid of the capture
3620 if (capture_opts->save_file != NULL) {
3621 ws_unlink(capture_opts->save_file);
3622 g_free(capture_opts->save_file);
3625 capture_opts->save_file = NULL;
3627 report_cfilter_error(capture_opts, error_index, errmsg);
3629 report_capture_error(errmsg, secondary_errmsg);
3631 /* close the input file (pcap or cap_pipe) */
3632 capture_loop_close_input(&global_ld);
3634 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3640 static void capture_loop_stop(void)
3642 #ifdef HAVE_PCAP_BREAKLOOP
3644 pcap_options *pcap_opts;
3646 for (i = 0; i < global_ld.pcaps->len; i++) {
3647 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3648 if (pcap_opts->pcap_h != NULL)
3649 pcap_breakloop(pcap_opts->pcap_h);
3652 global_ld.go = FALSE;
3657 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3658 int err, gboolean is_close)
3663 g_snprintf(errmsg, errmsglen,
3664 "Not all the packets could be written to the file"
3665 " to which the capture was being saved\n"
3666 "(\"%s\") because there is no space left on the file system\n"
3667 "on which that file resides.",
3673 g_snprintf(errmsg, errmsglen,
3674 "Not all the packets could be written to the file"
3675 " to which the capture was being saved\n"
3676 "(\"%s\") because you are too close to, or over,"
3677 " your disk quota\n"
3678 "on the file system on which that file resides.",
3685 g_snprintf(errmsg, errmsglen,
3686 "The file to which the capture was being saved\n"
3687 "(\"%s\") could not be closed: %s.",
3688 fname, g_strerror(err));
3690 g_snprintf(errmsg, errmsglen,
3691 "An error occurred while writing to the file"
3692 " to which the capture was being saved\n"
3694 fname, g_strerror(err));
3701 /* one packet was captured, process it */
3703 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3706 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3709 /* We may be called multiple times from pcap_dispatch(); if we've set
3710 the "stop capturing" flag, ignore this packet, as we're not
3711 supposed to be saving any more packets. */
3715 if (global_ld.pdh) {
3716 gboolean successful;
3718 /* We're supposed to write the packet to a file; do so.
3719 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3720 "ld->err" to the error. */
3721 if (global_capture_opts.use_pcapng) {
3722 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, pd, &global_ld.bytes_written, &err);
3724 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3727 global_ld.go = FALSE;
3728 global_ld.err = err;
3730 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3731 "Wrote a packet of length %d captured on interface %u.",
3732 phdr->caplen, pcap_opts->interface_id);
3733 global_ld.packet_count++;
3734 pcap_opts->received++;
3735 /* if the user told us to stop after x packets, do we already have enough? */
3736 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3737 global_ld.go = FALSE;
3743 /* one packet was captured, queue it */
3745 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3748 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3749 pcap_queue_element *queue_element;
3750 gboolean limit_reached;
3752 /* We may be called multiple times from pcap_dispatch(); if we've set
3753 the "stop capturing" flag, ignore this packet, as we're not
3754 supposed to be saving any more packets. */
3758 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3759 if (queue_element == NULL) {
3760 pcap_opts->dropped++;
3763 queue_element->pcap_opts = pcap_opts;
3764 queue_element->phdr = *phdr;
3765 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3766 if (queue_element->pd == NULL) {
3767 pcap_opts->dropped++;
3768 g_free(queue_element);
3771 memcpy(queue_element->pd, pd, phdr->caplen);
3772 g_async_queue_lock(pcap_queue);
3773 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3774 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3775 limit_reached = FALSE;
3776 g_async_queue_push_unlocked(pcap_queue, queue_element);
3777 pcap_queue_bytes += phdr->caplen;
3778 pcap_queue_packets += 1;
3780 limit_reached = TRUE;
3782 g_async_queue_unlock(pcap_queue);
3783 if (limit_reached) {
3784 pcap_opts->dropped++;
3785 g_free(queue_element->pd);
3786 g_free(queue_element);
3787 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3788 "Dropped a packet of length %d captured on interface %u.",
3789 phdr->caplen, pcap_opts->interface_id);
3791 pcap_opts->received++;
3792 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3793 "Queued a packet of length %d captured on interface %u.",
3794 phdr->caplen, pcap_opts->interface_id);
3796 /* I don't want to hold the mutex over the debug output. So the
3797 output may be wrong */
3798 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3799 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3800 pcap_queue_bytes, pcap_queue_packets);
3803 /* And now our feature presentation... [ fade to music ] */
3805 main(int argc, char *argv[])
3808 gboolean arg_error = FALSE;
3813 struct sigaction action, oldaction;
3816 gboolean start_capture = TRUE;
3817 gboolean stats_known;
3818 struct pcap_stat stats;
3819 GLogLevelFlags log_flags;
3820 gboolean list_interfaces = FALSE;
3821 gboolean list_link_layer_types = FALSE;
3822 #ifdef HAVE_BPF_IMAGE
3823 gboolean print_bpf_code = FALSE;
3825 gboolean machine_readable = FALSE;
3826 gboolean print_statistics = FALSE;
3827 int status, run_once_args = 0;
3830 #if defined(__APPLE__) && defined(__LP64__)
3831 struct utsname osinfo;
3836 arg_list_utf_16to8(argc, argv);
3841 * Initialize our DLL search path. MUST be called before LoadLibrary
3844 ws_init_dll_search_path();
3847 #ifdef HAVE_PCAP_REMOTE
3848 #define OPTSTRING_A "A:"
3849 #define OPTSTRING_r "r"
3850 #define OPTSTRING_u "u"
3852 #define OPTSTRING_A ""
3853 #define OPTSTRING_r ""
3854 #define OPTSTRING_u ""
3857 #ifdef HAVE_PCAP_SETSAMPLING
3858 #define OPTSTRING_m "m:"
3860 #define OPTSTRING_m ""
3863 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3864 #define OPTSTRING_B "B:"
3866 #define OPTSTRING_B ""
3867 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3869 #ifdef HAVE_PCAP_CREATE
3870 #define OPTSTRING_I "I"
3872 #define OPTSTRING_I ""
3875 #ifdef HAVE_BPF_IMAGE
3876 #define OPTSTRING_d "d"
3878 #define OPTSTRING_d ""
3881 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
3883 #ifdef DEBUG_CHILD_DUMPCAP
3884 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3885 fprintf (stderr, "Unable to open debug log file !\n");
3890 #if defined(__APPLE__) && defined(__LP64__)
3892 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3893 * a bug workaround - timeouts less than 1 second don't work with libpcap
3894 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3895 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3896 * The problem is extremely unlikely to be reintroduced in a future
3899 if (uname(&osinfo) == 0) {
3901 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3902 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3903 * number of 10.0.0, not 10.1.0 - go figure).
3905 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3906 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3907 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3908 need_timeout_workaround = TRUE;
3913 * Determine if dumpcap is being requested to run in a special
3914 * capture_child mode by going thru the command line args to see if
3915 * a -Z is present. (-Z is a hidden option).
3917 * The primary result of running in capture_child mode is that
3918 * all messages sent out on stderr are in a special type/len/string
3919 * format to allow message processing by type. These messages include
3920 * error messages if dumpcap fails to start the operation it was
3921 * requested to do, as well as various "status" messages which are sent
3922 * when an actual capture is in progress, and a "success" message sent
3923 * if dumpcap was requested to perform an operation other than a
3926 * Capture_child mode would normally be requested by a parent process
3927 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3928 * to which dumpcap stderr has been redirected. It might also have
3929 * another pipe to obtain dumpcap stdout output; for operations other
3930 * than a capture, that information is formatted specially for easier
3931 * parsing by the parent process.
3933 * Capture_child mode needs to be determined immediately upon
3934 * startup so that any messages generated by dumpcap in this mode
3935 * (eg: during initialization) will be formatted properly.
3938 for (i=1; i<argc; i++) {
3939 if (strcmp("-Z", argv[i]) == 0) {
3940 capture_child = TRUE;
3941 machine_readable = TRUE; /* request machine-readable output */
3943 /* set output pipe to binary mode, to avoid ugly text conversions */
3944 _setmode(2, O_BINARY);
3949 /* The default_log_handler will use stdout, which makes trouble in */
3950 /* capture child mode, as it uses stdout for it's sync_pipe. */
3951 /* So: the filtering is done in the console_log_handler and not here.*/
3952 /* We set the log handlers right up front to make sure that any log */
3953 /* messages when running as child will be sent back to the parent */
3954 /* with the correct format. */
3958 G_LOG_LEVEL_CRITICAL|
3959 G_LOG_LEVEL_WARNING|
3960 G_LOG_LEVEL_MESSAGE|
3963 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
3965 g_log_set_handler(NULL,
3967 console_log_handler, NULL /* user_data */);
3968 g_log_set_handler(LOG_DOMAIN_MAIN,
3970 console_log_handler, NULL /* user_data */);
3971 g_log_set_handler(LOG_DOMAIN_CAPTURE,
3973 console_log_handler, NULL /* user_data */);
3974 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
3976 console_log_handler, NULL /* user_data */);
3978 /* Initialize the pcaps list */
3979 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
3981 #if !GLIB_CHECK_VERSION(2,31,0)
3982 /* Initialize the thread system */
3983 g_thread_init(NULL);
3987 /* Load wpcap if possible. Do this before collecting the run-time version information */
3990 /* ... and also load the packet.dll from wpcap */
3991 /* XXX - currently not required, may change later. */
3992 /*wpcap_packet_load();*/
3994 /* Start windows sockets */
3995 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
3997 /* Set handler for Ctrl+C key */
3998 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4000 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4002 action.sa_handler = capture_cleanup_handler;
4004 * Arrange that system calls not get restarted, because when
4005 * our signal handler returns we don't want to restart
4006 * a call that was waiting for packets to arrive.
4008 action.sa_flags = 0;
4009 sigemptyset(&action.sa_mask);
4010 sigaction(SIGTERM, &action, NULL);
4011 sigaction(SIGINT, &action, NULL);
4012 sigaction(SIGPIPE, &action, NULL);
4013 sigaction(SIGHUP, NULL, &oldaction);
4014 if (oldaction.sa_handler == SIG_DFL)
4015 sigaction(SIGHUP, &action, NULL);
4018 /* Catch SIGINFO and, if we get it and we're capturing in
4019 quiet mode, report the number of packets we've captured. */
4020 action.sa_handler = report_counts_siginfo;
4021 action.sa_flags = SA_RESTART;
4022 sigemptyset(&action.sa_mask);
4023 sigaction(SIGINFO, &action, NULL);
4024 #endif /* SIGINFO */
4027 /* ----------------------------------------------------------------- */
4028 /* Privilege and capability handling */
4030 /* 1. Running not as root or suid root; no special capabilities. */
4033 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4036 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4038 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4039 /* capabilities; Drop all other capabilities; */
4040 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4041 /* else: after pcap_open_live() in capture_loop_open_input() */
4042 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4043 /* (Note: this means that the process, although logged in */
4044 /* as root, does not have various permissions such as the */
4045 /* ability to bypass file access permissions). */
4046 /* XXX: Should we just leave capabilities alone in this case */
4047 /* so that user gets expected effect that root can do */
4050 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4052 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4053 /* else: after pcap_open_live() in capture_loop_open_input() */
4054 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4055 /* pcap_open_live). */
4057 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4059 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4060 /* capabilities; Drop all other capabilities; */
4061 /* Drop suid privileges (euid=ruid); */
4062 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4063 /* else: after pcap_open_live() in capture_loop_open_input() */
4064 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4066 /* XXX: For some Linux versions/distros with capabilities */
4067 /* a 'normal' process with any capabilities cannot be */
4068 /* 'killed' (signaled) from another (same uid) non-privileged */
4070 /* For example: If (non-suid) Wireshark forks a */
4071 /* child suid dumpcap which acts as described here (case 5), */
4072 /* Wireshark will be unable to kill (signal) the child */
4073 /* dumpcap process until the capabilities have been dropped */
4074 /* (after pcap_open_live()). */
4075 /* This behaviour will apparently be changed in the kernel */
4076 /* to allow the kill (signal) in this case. */
4077 /* See the following for details: */
4078 /* http://www.mail-archive.com/ [wrapped] */
4079 /* linux-security-module@vger.kernel.org/msg02913.html */
4081 /* It is therefore conceivable that if dumpcap somehow hangs */
4082 /* in pcap_open_live or before that wireshark will not */
4083 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4084 /* In this case, exiting wireshark will kill the child */
4085 /* dumpcap process. */
4087 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4088 /* capabilities; Using libcap. Note: capset cmd (which see) */
4089 /* used to assign capabilities to file. */
4091 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4092 /* else: after pcap_open_live() in capture_loop_open_input() */
4093 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4095 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4096 /* longer required (similar to capture). */
4098 /* ----------------------------------------------------------------- */
4100 init_process_policies();
4103 /* If 'started with special privileges' (and using libcap) */
4104 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4105 /* Set euid/egid = ruid/rgid to remove suid privileges */
4106 relinquish_privs_except_capture();
4109 /* Set the initial values in the capture options. This might be overwritten
4110 by the command line parameters. */
4111 capture_opts_init(&global_capture_opts, NULL);
4113 /* We always save to a file - if no file was specified, we save to a
4115 global_capture_opts.saving_to_file = TRUE;
4116 global_capture_opts.has_ring_num_files = TRUE;
4118 /* Now get our args */
4119 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4121 case 'h': /* Print help and exit */
4125 case 'v': /* Show version and exit */
4127 GString *comp_info_str;
4128 GString *runtime_info_str;
4129 /* Assemble the compile-time version information string */
4130 comp_info_str = g_string_new("Compiled ");
4131 get_compiled_version_info(comp_info_str, NULL, NULL);
4133 /* Assemble the run-time version information string */
4134 runtime_info_str = g_string_new("Running ");
4135 get_runtime_version_info(runtime_info_str, NULL);
4136 show_version(comp_info_str, runtime_info_str);
4137 g_string_free(comp_info_str, TRUE);
4138 g_string_free(runtime_info_str, TRUE);
4142 /*** capture option specific ***/
4143 case 'a': /* autostop criteria */
4144 case 'b': /* Ringbuffer option */
4145 case 'c': /* Capture x packets */
4146 case 'f': /* capture filter */
4147 case 'i': /* Use interface x */
4148 case 'n': /* Use pcapng format */
4149 case 'p': /* Don't capture in promiscuous mode */
4150 case 'P': /* Use pcap format */
4151 case 's': /* Set the snapshot (capture) length */
4152 case 'w': /* Write to capture file x */
4153 case 'g': /* enable group read accesson file(s) */
4154 case 'y': /* Set the pcap data link type */
4155 #ifdef HAVE_PCAP_REMOTE
4156 case 'u': /* Use UDP for data transfer */
4157 case 'r': /* Capture own RPCAP traffic too */
4158 case 'A': /* Authentication */
4160 #ifdef HAVE_PCAP_SETSAMPLING
4161 case 'm': /* Sampling */
4163 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4164 case 'B': /* Buffer size */
4165 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4166 #ifdef HAVE_PCAP_CREATE
4167 case 'I': /* Monitor mode */
4169 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4174 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4176 capture_child = TRUE;
4178 /* set output pipe to binary mode, to avoid ugly text conversions */
4179 _setmode(2, O_BINARY);
4181 * optarg = the control ID, aka the PPID, currently used for the
4184 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4185 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4186 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4187 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4189 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4190 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4191 "Signal pipe: Unable to open %s. Dead parent?",
4199 case 'q': /* Quiet */
4205 /*** all non capture option specific ***/
4206 case 'D': /* Print a list of capture devices and exit */
4207 list_interfaces = TRUE;
4210 case 'L': /* Print list of link-layer types and exit */
4211 list_link_layer_types = TRUE;
4214 #ifdef HAVE_BPF_IMAGE
4215 case 'd': /* Print BPF code for capture filter and exit */
4216 print_bpf_code = TRUE;
4220 case 'S': /* Print interface statistics once a second */
4221 print_statistics = TRUE;
4224 case 'M': /* For -D, -L, and -S, print machine-readable output */
4225 machine_readable = TRUE;
4228 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4230 case '?': /* Bad flag - print usage message */
4239 /* user specified file name as regular command-line argument */
4240 /* XXX - use it as the capture file name (or something else)? */
4246 * Extra command line arguments were specified; complain.
4247 * XXX - interpret as capture filter, as tcpdump and tshark do?
4249 cmdarg_err("Invalid argument: %s", argv[0]);
4259 if (run_once_args > 1) {
4260 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4262 } else if (run_once_args == 1) {
4263 /* We're supposed to print some information, rather than
4264 to capture traffic; did they specify a ring buffer option? */
4265 if (global_capture_opts.multi_files_on) {
4266 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4270 /* We're supposed to capture traffic; */
4271 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4272 if (global_capture_opts.ifaces->len > 1) {
4274 global_capture_opts.use_pcapng = TRUE;
4276 /* Was the ring buffer option specified and, if so, does it make sense? */
4277 if (global_capture_opts.multi_files_on) {
4278 /* Ring buffer works only under certain conditions:
4279 a) ring buffer does not work with temporary files;
4280 b) it makes no sense to enable the ring buffer if the maximum
4281 file size is set to "infinite". */
4282 if (global_capture_opts.save_file == NULL) {
4283 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4284 global_capture_opts.multi_files_on = FALSE;
4286 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4287 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4289 /* XXX - this must be redesigned as the conditions changed */
4290 global_capture_opts.multi_files_on = FALSE;
4297 * "-D" requires no interface to be selected; it's supposed to list
4300 if (list_interfaces) {
4301 /* Get the list of interfaces */
4306 if_list = capture_interface_list(&err, &err_str);
4307 if (if_list == NULL) {
4309 case CANT_GET_INTERFACE_LIST:
4310 case DONT_HAVE_PCAP:
4311 cmdarg_err("%s", err_str);
4316 case NO_INTERFACES_FOUND:
4318 * If we're being run by another program, just give them
4319 * an empty list of interfaces, don't report this as
4320 * an error; that lets them decide whether to report
4321 * this as an error or not.
4323 if (!machine_readable) {
4324 cmdarg_err("There are no interfaces on which a capture can be done");
4331 if (machine_readable) /* tab-separated values to stdout */
4332 print_machine_readable_interfaces(if_list);
4334 capture_opts_print_interfaces(if_list);
4335 free_interface_list(if_list);
4340 * "-S" requires no interface to be selected; it gives statistics
4341 * for all interfaces.
4343 if (print_statistics) {
4344 status = print_statistics_loop(machine_readable);
4349 * "-L", "-d", and capturing act on a particular interface, so we have to
4350 * have an interface; if none was specified, pick a default.
4352 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4353 /* cmdarg_err() already called .... */
4357 /* Let the user know what interfaces were chosen. */
4358 /* get_interface_descriptive_name() is not available! */
4359 if (capture_child) {
4360 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4361 interface_options interface_opts;
4363 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4364 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4365 interface_opts.name);
4368 str = g_string_new("");
4370 if (global_capture_opts.ifaces->len < 2) {
4372 if (global_capture_opts.ifaces->len < 4) {
4374 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4375 interface_options interface_opts;
4377 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4379 if (global_capture_opts.ifaces->len > 2) {
4380 g_string_append_printf(str, ",");
4382 g_string_append_printf(str, " ");
4383 if (j == global_capture_opts.ifaces->len - 1) {
4384 g_string_append_printf(str, "and ");
4387 g_string_append_printf(str, "%s", interface_opts.name);
4390 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4392 fprintf(stderr, "Capturing on %s\n", str->str);
4393 g_string_free(str, TRUE);
4396 if (list_link_layer_types) {
4397 /* Get the list of link-layer types for the capture device. */
4398 if_capabilities_t *caps;
4402 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4403 interface_options interface_opts;
4405 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4406 caps = get_if_capabilities(interface_opts.name,
4407 interface_opts.monitor_mode, &err_str);
4409 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4410 "Please check to make sure you have sufficient permissions, and that\n"
4411 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4415 if (caps->data_link_types == NULL) {
4416 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4419 if (machine_readable) /* tab-separated values to stdout */
4420 /* XXX: We need to change the format and adopt consumers */
4421 print_machine_readable_if_capabilities(caps);
4423 /* XXX: We might want to print also the interface name */
4424 capture_opts_print_if_capabilities(caps, interface_opts.name,
4425 interface_opts.monitor_mode);
4426 free_if_capabilities(caps);
4431 /* We're supposed to do a capture, or print the BPF code for a filter.
4432 Process the snapshot length, as that affects the generated BPF code. */
4433 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4435 #ifdef HAVE_BPF_IMAGE
4436 if (print_bpf_code) {
4437 show_filter_code(&global_capture_opts);
4442 /* We're supposed to do a capture. Process the ring buffer arguments. */
4443 capture_opts_trim_ring_num_files(&global_capture_opts);
4445 /* Now start the capture. */
4447 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4451 /* capture failed */
4454 return 0; /* never here, make compiler happy */
4459 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4460 const char *message, gpointer user_data _U_)
4467 /* ignore log message, if log_level isn't interesting */
4468 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4469 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4474 /* create a "timestamp" */
4476 today = localtime(&curr);
4478 switch(log_level & G_LOG_LEVEL_MASK) {
4479 case G_LOG_LEVEL_ERROR:
4482 case G_LOG_LEVEL_CRITICAL:
4485 case G_LOG_LEVEL_WARNING:
4488 case G_LOG_LEVEL_MESSAGE:
4491 case G_LOG_LEVEL_INFO:
4494 case G_LOG_LEVEL_DEBUG:
4498 fprintf(stderr, "unknown log_level %u\n", log_level);
4500 g_assert_not_reached();
4503 /* Generate the output message */
4504 if(log_level & G_LOG_LEVEL_MESSAGE) {
4505 /* normal user messages without additional infos */
4506 msg = g_strdup_printf("%s\n", message);
4508 /* info/debug messages with additional infos */
4509 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4510 today->tm_hour, today->tm_min, today->tm_sec,
4511 log_domain != NULL ? log_domain : "",
4515 /* DEBUG & INFO msgs (if we're debugging today) */
4516 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4517 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4518 #ifdef DEBUG_DUMPCAP
4519 fprintf(stderr, "%s", msg);
4522 #ifdef DEBUG_CHILD_DUMPCAP
4523 fprintf(debug_log, "%s", msg);
4531 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4532 /* to parent especially formatted if dumpcap running as child. */
4533 if (capture_child) {
4534 sync_pipe_errmsg_to_parent(2, msg, "");
4536 fprintf(stderr, "%s", msg);
4543 /****************************************************************************************************************/
4544 /* indication report routines */
4548 report_packet_count(int packet_count)
4550 char tmp[SP_DECISIZE+1+1];
4551 static int count = 0;
4554 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4555 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4556 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4558 count += packet_count;
4559 fprintf(stderr, "\rPackets: %u ", count);
4560 /* stderr could be line buffered */
4566 report_new_capture_file(const char *filename)
4569 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4570 pipe_write_block(2, SP_FILE, filename);
4574 * Prevent a SIGINFO handler from writing to the standard error
4575 * while we're doing so; instead, have it just set a flag telling
4576 * us to print that information when we're done.
4579 #endif /* SIGINFO */
4580 fprintf(stderr, "File: %s\n", filename);
4581 /* stderr could be line buffered */
4586 * Allow SIGINFO handlers to write.
4591 * If a SIGINFO handler asked us to write out capture counts, do so.
4594 report_counts_for_siginfo();
4595 #endif /* SIGINFO */
4600 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4602 interface_options interface_opts;
4603 char tmp[MSG_MAX_LENGTH+1+6];
4605 if (i < capture_opts->ifaces->len) {
4606 if (capture_child) {
4607 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4608 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4609 pipe_write_block(2, SP_BAD_FILTER, tmp);
4612 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4613 * the error message below.
4615 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4617 "Invalid capture filter: \"%s\" for interface %s!\n"
4619 "That string isn't a valid capture filter (%s).\n"
4620 "See the User's Guide for a description of the capture filter syntax.",
4621 interface_opts.cfilter, interface_opts.name, errmsg);
4627 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4631 "Primary Error: %s", error_msg);
4632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4633 "Secondary Error: %s", secondary_error_msg);
4634 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4636 cmdarg_err("%s", error_msg);
4637 if (secondary_error_msg[0] != '\0')
4638 cmdarg_err_cont("%s", secondary_error_msg);
4643 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4645 char tmp[SP_DECISIZE+1+1];
4647 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4650 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4651 "Packets received/dropped on interface %s: %u/%u",
4652 name, received, drops);
4653 /* XXX: Need to provide interface id, changes to consumers required. */
4654 pipe_write_block(2, SP_DROPS, tmp);
4657 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4658 name, received, drops,
4659 received ? 100.0 * received / (received + drops) : 0.0);
4660 /* stderr could be line buffered */
4666 /****************************************************************************************************************/
4667 /* signal_pipe handling */
4672 signal_pipe_check_running(void)
4674 /* any news from our parent? -> just stop the capture */
4678 /* if we are running standalone, no check required */
4679 if(!capture_child) {
4683 if(!sig_pipe_name || !sig_pipe_handle) {
4684 /* This shouldn't happen */
4685 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4686 "Signal pipe: No name or handle");
4691 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4692 * at this point. Should we check to see if the parent is still alive,
4693 * e.g. by using OpenProcess?
4696 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4698 if(!result || avail > 0) {
4699 /* peek failed or some bytes really available */
4700 /* (if not piping from stdin this would fail) */
4701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4702 "Signal pipe: Stop capture: %s", sig_pipe_name);
4703 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4704 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4705 sig_pipe_handle, result, avail);
4708 /* pipe ok and no bytes available */
4715 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4720 * indent-tabs-mode: nil
4723 * vi: set shiftwidth=4 tabstop=8 expandtab:
4724 * :indentSize=4:tabSize=8:noTabs=true:
git.samba.org / obnox / wireshark / wip.git / blob