5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 #include <stdlib.h> /* for exit() */
34 #ifdef HAVE_SYS_TYPES_H
35 # include <sys/types.h>
38 #ifdef HAVE_SYS_STAT_H
39 # include <sys/stat.h>
62 # include <sys/prctl.h>
63 # include <sys/capability.h>
67 #include "ringbuffer.h"
68 #include "clopts_common.h"
69 #include "cmdarg_err.h"
70 #include "version_info.h"
75 #include "capture-pcap-util.h"
78 #include "capture-wpcap.h"
82 #include <wsutil/unicode-utils.h>
85 #include <wsutil/privileges.h>
87 #include "sync_pipe.h"
89 #include "capture_opts.h"
90 #include "capture_sync.h"
92 #include "conditions.h"
93 #include "capture_stop_conditions.h"
97 #include "wsutil/file_util.h"
100 * Get information about libpcap format from "wiretap/libpcap.h".
101 * XXX - can we just use pcap_open_offline() to read the pipe?
103 #include "wiretap/libpcap.h"
105 /**#define DEBUG_DUMPCAP**/
106 /**#define DEBUG_CHILD_DUMPCAP**/
108 #ifdef DEBUG_CHILD_DUMPCAP
109 FILE *debug_log; /* for logging debug messages to */
110 /* a file if DEBUG_CHILD_DUMPCAP */
114 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
116 static gchar *sig_pipe_name = NULL;
117 static HANDLE sig_pipe_handle = NULL;
120 /** Stop a low-level capture (stops the capture child). */
121 static void capture_loop_stop(void);
123 #if !defined (__linux__)
124 #ifndef HAVE_PCAP_BREAKLOOP
126 * We don't have pcap_breakloop(), which is the only way to ensure that
127 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
128 * won't, if the call to read the next packet or batch of packets is
129 * is interrupted by a signal on UN*X, just go back and try again to
132 * On UN*X, we catch SIGUSR1 as a "stop capturing" signal, and, in
133 * the signal handler, set a flag to stop capturing; however, without
134 * a guarantee of that sort, we can't guarantee that we'll stop capturing
135 * if the read will be retried and won't time out if no packets arrive.
137 * Therefore, on at least some platforms, we work around the lack of
138 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
139 * to wait for packets to arrive, so that we're probably going to be
140 * blocked in the select() when the signal arrives, and can just bail
141 * out of the loop at that point.
143 * However, we don't want to that on BSD (because "select()" doesn't work
144 * correctly on BPF devices on at least some releases of some flavors of
145 * BSD), and we don't want to do it on Windows (because "select()" is
146 * something for sockets, not for arbitrary handles). (Note that "Windows"
147 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
148 * using WinPcap, not a UNIX libpcap.)
150 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
151 * on BSD times out even if no packets have arrived, so we'll eventually
152 * exit pcap_dispatch() with an indication that no packets have arrived,
153 * and will break out of the capture loop at that point.
155 * On Windows, we can't send a SIGUSR1 to stop capturing, so none of this
156 * applies in any case.
158 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
159 * want to include it if it's not present on this platform, however.
161 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
162 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
164 # define MUST_DO_SELECT
165 # endif /* avoid select */
166 #endif /* HAVE_PCAP_BREAKLOOP */
168 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
169 * in pcap_dispatch(); on the other hand, select() works just fine there.
170 * Hence we use a select for that come what may.
172 #define MUST_DO_SELECT
175 /** init the capture filter */
178 INITFILTER_BAD_FILTER,
179 INITFILTER_OTHER_ERROR
180 } initfilter_status_t;
182 typedef struct _loop_data {
184 gboolean go; /* TRUE as long as we're supposed to keep capturing */
185 int err; /* if non-zero, error seen while capturing */
186 gint packet_count; /* Number of packets we have already captured */
187 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
189 /* pcap "input file" */
190 pcap_t *pcap_h; /* pcap handle */
191 gboolean pcap_err; /* TRUE if error from pcap */
192 #ifdef MUST_DO_SELECT
193 int pcap_fd; /* pcap file descriptor */
196 /* capture pipe (unix only "input file") */
197 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
198 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
199 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
200 int cap_pipe_fd; /* the file descriptor of the capture pipe */
201 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
202 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
203 unsigned int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
204 unsigned int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
206 STATE_EXPECT_REC_HDR,
211 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
223 * Standard secondary message for unexpected errors.
225 static const char please_report[] =
226 "Please report this to the Wireshark developers.\n"
227 "(This is not a crash; please do not report it as such.)";
230 * This needs to be static, so that the SIGUSR1 handler can clear the "go"
233 static loop_data global_ld;
237 * Timeout, in milliseconds, for reads from the stream of captured packets.
239 #define CAP_READ_TIMEOUT 250
240 static char *cap_pipe_err_str;
243 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
244 const char *message, gpointer user_data _U_);
246 /* capture related options */
247 static capture_options global_capture_opts;
249 static void capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
251 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
252 int err, gboolean is_close);
256 static void exit_main(int err) __attribute__ ((noreturn));
258 static void exit_main(int err);
261 static void report_new_capture_file(const char *filename);
262 static void report_packet_count(int packet_count);
263 static void report_packet_drops(guint32 drops);
264 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
265 static void report_cfilter_error(const char *cfilter, const char *errmsg);
268 static gboolean signal_pipe_check_running(void);
272 print_usage(gboolean print_ver) {
280 "Dumpcap " VERSION "%s\n"
281 "Capture network packets and dump them into a libpcap file.\n"
282 "See http://www.wireshark.org for more information.\n",
283 wireshark_svnversion);
287 fprintf(output, "\nUsage: dumpcap [options] ...\n");
288 fprintf(output, "\n");
289 fprintf(output, "Capture interface:\n");
290 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
291 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
292 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
293 fprintf(output, " -p don't capture in promiscuous mode\n");
295 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
297 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
298 fprintf(output, " -D print list of interfaces and exit\n");
299 fprintf(output, " -L print list of link-layer types of iface and exit\n");
300 fprintf(output, " -S print statistics for each interface once every second\n");
301 fprintf(output, " -M for -D, -L, and -S produce machine-readable output\n");
302 fprintf(output, "\n");
303 #ifdef HAVE_PCAP_REMOTE
304 fprintf(output, "\nRPCAP options:\n");
305 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
306 fprintf(output, " -u use UDP for RPCAP data transfer\n");
307 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
308 #ifdef HAVE_PCAP_SETSAMPLING
309 fprintf(output, " -m <sampling type> use packet sampling\n");
310 fprintf(output, " count:NUM - capture one packet of every NUM\n");
311 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
314 fprintf(output, "Stop conditions:\n");
315 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
316 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
317 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
318 fprintf(output, " files:NUM - stop after NUM files\n");
319 /*fprintf(output, "\n");*/
320 fprintf(output, "Output (files):\n");
321 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
322 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
323 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
324 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
325 /*fprintf(output, "\n");*/
326 fprintf(output, "Miscellaneous:\n");
327 fprintf(output, " -v print version information and exit\n");
328 fprintf(output, " -h display this help and exit\n");
329 fprintf(output, "\n");
330 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcap\n");
331 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcap\"\n");
332 fprintf(output, "\n");
333 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
337 show_version(GString *comp_info_str, GString *runtime_info_str)
341 "Dumpcap " VERSION "%s\n"
346 "See http://www.wireshark.org for more information.\n",
347 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
351 * Report an error in command-line arguments.
354 cmdarg_err(const char *fmt, ...)
360 /* Generate a 'special format' message back to parent */
362 msg = g_strdup_vprintf(fmt, ap);
363 sync_pipe_errmsg_to_parent(2, msg, "");
368 fprintf(stderr, "dumpcap: ");
369 vfprintf(stderr, fmt, ap);
370 fprintf(stderr, "\n");
376 * Report additional information for an error in command-line arguments.
379 cmdarg_err_cont(const char *fmt, ...)
386 msg = g_strdup_vprintf(fmt, ap);
387 sync_pipe_errmsg_to_parent(2, msg, "");
392 vfprintf(stderr, fmt, ap);
393 fprintf(stderr, "\n");
403 /* Print the number of packets captured for each interface until we're killed. */
405 print_statistics_loop(gboolean machine_readable)
407 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
413 char errbuf[PCAP_ERRBUF_SIZE];
416 struct sigaction act;
419 if_list = get_interface_list(&err, &err_str);
420 if (if_list == NULL) {
422 case CANT_GET_INTERFACE_LIST:
423 cmdarg_err("%s", err_str);
427 case NO_INTERFACES_FOUND:
428 cmdarg_err("There are no interfaces on which a capture can be done");
434 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
435 if_info = if_entry->data;
436 #ifdef HAVE_PCAP_OPEN
437 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
439 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
443 if_stat = g_malloc(sizeof(if_stat_t));
444 if_stat->name = g_strdup(if_info->name);
446 stat_list = g_list_append(stat_list, if_stat);
451 cmdarg_err("There are no interfaces on which a capture can be done");
455 if (!machine_readable) {
456 printf("%-15s %10s %10s\n", "Interface", "Received",
461 /* handle SIGPIPE signal to default action */
462 act.sa_handler = SIG_DFL;
463 sigemptyset(&act.sa_mask);
464 act.sa_flags = SA_RESTART;
465 sigaction(SIGPIPE,&act,NULL);
469 while (global_ld.go) {
470 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
471 if_stat = stat_entry->data;
472 pcap_stats(if_stat->pch, &ps);
474 if (!machine_readable) {
475 printf("%-15s %10u %10u\n", if_stat->name,
476 ps.ps_recv, ps.ps_drop);
478 printf("%s\t%u\t%u\n", if_stat->name,
479 ps.ps_recv, ps.ps_drop);
490 /* XXX - Not reached. Should we look for 'q' in stdin? */
491 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
492 if_stat = stat_entry->data;
493 pcap_close(if_stat->pch);
494 g_free(if_stat->name);
497 g_list_free(stat_list);
498 free_interface_list(if_list);
506 capture_cleanup(DWORD dwCtrlType)
508 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
509 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
510 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
511 like SIGTERM at least when the machine's shutting down.
513 For now, if we're running as a command rather than a capture child,
514 we handle all but CTRL_LOGOFF_EVENT as indications that we should
515 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
518 If we're not running as a capture child, we might be running as
519 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
520 user logs out. (XXX - can we explicitly check whether we're
521 running as a service?) */
523 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
524 "Console: Control signal");
525 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
526 "Console: Control signal, CtrlType: %u", dwCtrlType);
528 /* Keep capture running if we're a service and a user logs off */
529 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
538 capture_cleanup(int signum)
540 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
541 SIGTERM. We assume that if the user wanted it to keep running
542 after they logged out, they'd have nohupped it. */
544 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
546 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
547 "Console: Signal, signal value: %u", signum);
553 static void exit_main(int status)
556 /* Shutdown windows sockets */
559 /* can be helpful for debugging */
561 printf("Press any key\n");
572 * If we were linked with libcap (not libpcap), make sure we have
573 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
574 * (See comment in main() for details)
578 #if 0 /* Set to enable capability debugging */
579 /* see 'man cap_to_text()' for explanation of output */
580 /* '=' means 'all= ' ie: no capabilities */
581 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
583 print_caps(char *pfx) {
584 cap_t caps = cap_get_proc();
585 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
586 "%s: EUID: %d Capabilities: %s", pfx,
587 geteuid(), cap_to_text(caps, NULL));
590 print_caps(char *pfx _U_) {
595 relinquish_privs_except_capture(void)
597 /* If 'started_with_special_privs' (ie: suid) then enable for
598 * ourself the NET_ADMIN and NET_RAW capabilities and then
599 * drop our suid privileges.
601 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
602 * stuff we don't need (and shouldn't have).
603 * CAP_NET_RAW: Packet capture (raw sockets).
606 if (started_with_special_privs()) {
607 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
608 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
610 cap_t caps = cap_init(); /* all capabilities initialized to off */
612 print_caps("Pre drop, pre set");
614 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
615 cmdarg_err("prctl() fail return: %s", strerror(errno));
618 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
619 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
621 if (cap_set_proc(caps)) {
622 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
624 print_caps("Pre drop, post set");
626 relinquish_special_privs_perm();
628 print_caps("Post drop, pre set");
629 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
630 if (cap_set_proc(caps)) {
631 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
633 print_caps("Post drop, post set");
641 relinquish_all_capabilities()
643 /* Drop any and all capabilities this process may have. */
644 /* Allowed whether or not process has any privileges. */
645 cap_t caps = cap_init(); /* all capabilities initialized to off */
646 print_caps("Pre-clear");
647 if (cap_set_proc(caps)) {
648 cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
650 print_caps("Post-clear");
654 #endif /* HAVE_LIBCAP */
656 /* Take care of byte order in the libpcap headers read from pipes.
657 * (function taken from wiretap/libpcap.c) */
659 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
662 /* Byte-swap the record header fields. */
663 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
664 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
665 rechdr->incl_len = BSWAP32(rechdr->incl_len);
666 rechdr->orig_len = BSWAP32(rechdr->orig_len);
669 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
670 swapped, in order to match the BPF header layout.
672 Unfortunately, some files were, according to a comment in the "libpcap"
673 source, written with version 2.3 in their headers but without the
674 interchanged fields, so if "incl_len" is greater than "orig_len" - which
675 would make no sense - we assume that we need to swap them. */
676 if (hdr->version_major == 2 &&
677 (hdr->version_minor < 3 ||
678 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
681 temp = rechdr->orig_len;
682 rechdr->orig_len = rechdr->incl_len;
683 rechdr->incl_len = temp;
687 /* Provide select() functionality for a single file descriptor
688 * on both UNIX/POSIX and Windows.
690 * The Windows version calls WaitForSingleObject instead of
693 * Returns the same values as select. If an error is returned,
694 * the string cap_pipe_err_str should be used instead of errno.
697 cap_pipe_select(int pipe_fd) {
700 struct timeval timeout, *pto;
703 cap_pipe_err_str = "Unknown error";
706 FD_SET(pipe_fd, &rfds);
709 timeout.tv_usec = CAP_READ_TIMEOUT * 1000;
712 sel_ret = select(pipe_fd+1, &rfds, NULL, NULL, pto);
714 cap_pipe_err_str = strerror(errno);
718 /* XXX - Should we just use file handles exclusively under Windows?
719 * Otherwise we have to convert between file handles and file descriptors
720 * here and when we open a named pipe.
722 HANDLE hPipe = (HANDLE) _get_osfhandle(pipe_fd);
726 if (hPipe == INVALID_HANDLE_VALUE) {
727 cap_pipe_err_str = "Could not open standard input";
731 cap_pipe_err_str = "Unknown error";
733 wait_ret = WaitForSingleObject(hPipe, CAP_READ_TIMEOUT);
735 /* XXX - This probably isn't correct */
744 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
745 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
746 cap_pipe_err_str = utf_16to8(err_str);
750 g_assert_not_reached();
757 /* Mimic pcap_open_live() for pipe captures
758 * We check if "pipename" is "-" (stdin) or a FIFO, open it, and read the
760 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
761 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
763 cap_pipe_open_live(char *pipename, struct pcap_hdr *hdr, loop_data *ld,
764 char *errmsg, int errmsgl)
767 struct stat pipe_stat;
779 unsigned int bytes_read;
781 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
784 * XXX (T)Wireshark blocks until we return
786 if (strcmp(pipename, "-") == 0) {
787 fd = 0; /* read from stdin */
790 * This is needed to set the stdin pipe into binary mode, otherwise
791 * CR/LF are mangled...
793 _setmode(0, _O_BINARY);
797 if (ws_stat(pipename, &pipe_stat) < 0) {
798 if (errno == ENOENT || errno == ENOTDIR)
799 ld->cap_pipe_err = PIPNEXIST;
801 g_snprintf(errmsg, errmsgl,
802 "The capture session could not be initiated "
803 "due to error on pipe: %s", strerror(errno));
804 ld->cap_pipe_err = PIPERR;
808 if (! S_ISFIFO(pipe_stat.st_mode)) {
809 if (S_ISCHR(pipe_stat.st_mode)) {
811 * Assume the user specified an interface on a system where
812 * interfaces are in /dev. Pretend we haven't seen it.
814 ld->cap_pipe_err = PIPNEXIST;
817 g_snprintf(errmsg, errmsgl,
818 "The capture session could not be initiated because\n"
819 "\"%s\" is neither an interface nor a pipe", pipename);
820 ld->cap_pipe_err = PIPERR;
824 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
826 g_snprintf(errmsg, errmsgl,
827 "The capture session could not be initiated "
828 "due to error on pipe open: %s", strerror(errno));
829 ld->cap_pipe_err = PIPERR;
833 #define PIPE_STR "\\pipe\\"
834 /* Under Windows, named pipes _must_ have the form
835 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
837 pncopy = g_strdup(pipename);
838 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
839 pos = strchr(pncopy + 3, '\\');
840 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
847 g_snprintf(errmsg, errmsgl,
848 "The capture session could not be initiated because\n"
849 "\"%s\" is neither an interface nor a pipe", pipename);
850 ld->cap_pipe_err = PIPNEXIST;
854 /* Wait for the pipe to appear */
856 hPipe = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
857 OPEN_EXISTING, 0, NULL);
859 if (hPipe != INVALID_HANDLE_VALUE)
862 if (GetLastError() != ERROR_PIPE_BUSY) {
863 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
864 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
865 g_snprintf(errmsg, errmsgl,
866 "The capture session on \"%s\" could not be initiated "
867 "due to error on pipe open: pipe busy: %s (error %d)",
868 pipename, utf_16to8(err_str), GetLastError());
870 ld->cap_pipe_err = PIPERR;
874 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
875 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
876 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
877 g_snprintf(errmsg, errmsgl,
878 "The capture session could not be initiated "
879 "due to error on named pipe open: %s (error %d)",
880 utf_16to8(err_str), GetLastError());
882 ld->cap_pipe_err = PIPERR;
887 fd = _open_osfhandle((long) hPipe, _O_RDONLY);
889 g_snprintf(errmsg, errmsgl,
890 "The capture session could not be initiated "
891 "due to error on pipe open: %s", strerror(errno));
892 ld->cap_pipe_err = PIPERR;
898 ld->from_cap_pipe = TRUE;
900 /* read the pcap header */
902 while (bytes_read < sizeof magic) {
903 sel_ret = cap_pipe_select(fd);
905 g_snprintf(errmsg, errmsgl,
906 "Unexpected error from select: %s", strerror(errno));
908 } else if (sel_ret > 0) {
909 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
912 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
914 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
924 /* Host that wrote it has our byte order, and was running
925 a program using either standard or ss990417 libpcap. */
926 ld->cap_pipe_byte_swapped = FALSE;
927 ld->cap_pipe_modified = FALSE;
929 case PCAP_MODIFIED_MAGIC:
930 /* Host that wrote it has our byte order, but was running
931 a program using either ss990915 or ss991029 libpcap. */
932 ld->cap_pipe_byte_swapped = FALSE;
933 ld->cap_pipe_modified = TRUE;
935 case PCAP_SWAPPED_MAGIC:
936 /* Host that wrote it has a byte order opposite to ours,
937 and was running a program using either standard or
939 ld->cap_pipe_byte_swapped = TRUE;
940 ld->cap_pipe_modified = FALSE;
942 case PCAP_SWAPPED_MODIFIED_MAGIC:
943 /* Host that wrote it out has a byte order opposite to
944 ours, and was running a program using either ss990915
945 or ss991029 libpcap. */
946 ld->cap_pipe_byte_swapped = TRUE;
947 ld->cap_pipe_modified = TRUE;
950 /* Not a "libpcap" type we know about. */
951 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
955 /* Read the rest of the header */
957 while (bytes_read < sizeof(struct pcap_hdr)) {
958 sel_ret = cap_pipe_select(fd);
960 g_snprintf(errmsg, errmsgl,
961 "Unexpected error from select: %s", strerror(errno));
963 } else if (sel_ret > 0) {
964 b = read(fd, ((char *)hdr)+bytes_read,
965 sizeof(struct pcap_hdr) - bytes_read);
968 g_snprintf(errmsg, errmsgl, "End of file on pipe during open");
970 g_snprintf(errmsg, errmsgl, "Error on pipe during open: %s",
978 if (ld->cap_pipe_byte_swapped) {
979 /* Byte-swap the header fields about which we care. */
980 hdr->version_major = BSWAP16(hdr->version_major);
981 hdr->version_minor = BSWAP16(hdr->version_minor);
982 hdr->snaplen = BSWAP32(hdr->snaplen);
983 hdr->network = BSWAP32(hdr->network);
985 ld->linktype = hdr->network;
987 if (hdr->version_major < 2) {
988 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
992 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
993 ld->cap_pipe_err = PIPOK;
997 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
998 ld->cap_pipe_err = PIPERR;
1005 /* We read one record from the pipe, take care of byte order in the record
1006 * header, write the record to the capture file, and update capture statistics. */
1008 cap_pipe_dispatch(loop_data *ld, guchar *data, char *errmsg, int errmsgl)
1010 struct pcap_pkthdr phdr;
1012 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
1016 #ifdef LOG_CAPTURE_VERBOSE
1017 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
1020 switch (ld->cap_pipe_state) {
1022 case STATE_EXPECT_REC_HDR:
1023 ld->cap_pipe_bytes_to_read = ld->cap_pipe_modified ?
1024 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
1025 ld->cap_pipe_bytes_read = 0;
1026 ld->cap_pipe_state = STATE_READ_REC_HDR;
1029 case STATE_READ_REC_HDR:
1030 b = read(ld->cap_pipe_fd, ((char *)&ld->cap_pipe_rechdr)+ld->cap_pipe_bytes_read,
1031 ld->cap_pipe_bytes_to_read - ld->cap_pipe_bytes_read);
1034 result = PD_PIPE_EOF;
1036 result = PD_PIPE_ERR;
1039 if ((ld->cap_pipe_bytes_read += b) < ld->cap_pipe_bytes_to_read)
1041 result = PD_REC_HDR_READ;
1044 case STATE_EXPECT_DATA:
1045 ld->cap_pipe_bytes_read = 0;
1046 ld->cap_pipe_state = STATE_READ_DATA;
1049 case STATE_READ_DATA:
1050 b = read(ld->cap_pipe_fd, data+ld->cap_pipe_bytes_read,
1051 ld->cap_pipe_rechdr.hdr.incl_len - ld->cap_pipe_bytes_read);
1054 result = PD_PIPE_EOF;
1056 result = PD_PIPE_ERR;
1059 if ((ld->cap_pipe_bytes_read += b) < ld->cap_pipe_rechdr.hdr.incl_len)
1061 result = PD_DATA_READ;
1065 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
1068 } /* switch (ld->cap_pipe_state) */
1071 * We've now read as much data as we were expecting, so process it.
1075 case PD_REC_HDR_READ:
1076 /* We've read the header. Take care of byte order. */
1077 cap_pipe_adjust_header(ld->cap_pipe_byte_swapped, &ld->cap_pipe_hdr,
1078 &ld->cap_pipe_rechdr.hdr);
1079 if (ld->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
1080 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
1081 ld->packet_count+1, ld->cap_pipe_rechdr.hdr.incl_len);
1084 ld->cap_pipe_state = STATE_EXPECT_DATA;
1088 /* Fill in a "struct pcap_pkthdr", and process the packet. */
1089 phdr.ts.tv_sec = ld->cap_pipe_rechdr.hdr.ts_sec;
1090 phdr.ts.tv_usec = ld->cap_pipe_rechdr.hdr.ts_usec;
1091 phdr.caplen = ld->cap_pipe_rechdr.hdr.incl_len;
1092 phdr.len = ld->cap_pipe_rechdr.hdr.orig_len;
1094 capture_loop_packet_cb((u_char *)ld, &phdr, data);
1096 ld->cap_pipe_state = STATE_EXPECT_REC_HDR;
1100 ld->cap_pipe_err = PIPEOF;
1104 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
1111 ld->cap_pipe_err = PIPERR;
1112 /* Return here rather than inside the switch to prevent GCC warning */
1117 /** Open the capture input file (pcap or capture pipe).
1118 * Returns TRUE if it succeeds, FALSE otherwise. */
1120 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
1121 char *errmsg, size_t errmsg_len,
1122 char *secondary_errmsg, size_t secondary_errmsg_len)
1124 gchar open_err_str[PCAP_ERRBUF_SIZE];
1125 gchar *sync_msg_str;
1126 static const char ppamsg[] = "can't find PPA for ";
1127 const char *set_linktype_err_str;
1128 const char *libpcap_warn;
1130 gchar *sync_secondary_msg_str;
1132 WORD wVersionRequested;
1135 #ifdef HAVE_PCAP_REMOTE
1136 struct pcap_rmtauth auth;
1140 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", capture_opts->iface);
1143 /* XXX - opening Winsock on tshark? */
1145 /* Initialize Windows Socket if we are in a WIN32 OS
1146 This needs to be done before querying the interface for network/netmask */
1148 /* XXX - do we really require 1.1 or earlier?
1149 Are there any versions that support only 2.0 or higher? */
1150 wVersionRequested = MAKEWORD(1, 1);
1151 err = WSAStartup(wVersionRequested, &wsaData);
1155 case WSASYSNOTREADY:
1156 g_snprintf(errmsg, (gulong) errmsg_len,
1157 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
1160 case WSAVERNOTSUPPORTED:
1161 g_snprintf(errmsg, (gulong) errmsg_len,
1162 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
1163 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
1166 case WSAEINPROGRESS:
1167 g_snprintf(errmsg, (gulong) errmsg_len,
1168 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
1172 g_snprintf(errmsg, (gulong) errmsg_len,
1173 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
1177 g_snprintf(errmsg, (gulong) errmsg_len,
1178 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
1182 g_snprintf(errmsg, (gulong) errmsg_len,
1183 "Couldn't initialize Windows Sockets: error %d", err);
1186 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
1191 /* Open the network interface to capture from it.
1192 Some versions of libpcap may put warnings into the error buffer
1193 if they succeed; to tell if that's happened, we have to clear
1194 the error buffer, and check if it's still a null string. */
1195 open_err_str[0] = '\0';
1196 #ifdef HAVE_PCAP_OPEN
1197 auth.type = capture_opts->auth_type == CAPTURE_AUTH_PWD ?
1198 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
1199 auth.username = capture_opts->auth_username;
1200 auth.password = capture_opts->auth_password;
1202 ld->pcap_h = pcap_open(capture_opts->iface,
1203 capture_opts->has_snaplen ? capture_opts->snaplen :
1204 WTAP_MAX_PACKET_SIZE,
1206 (capture_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
1207 (capture_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
1208 (capture_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
1209 CAP_READ_TIMEOUT, &auth, open_err_str);
1211 ld->pcap_h = pcap_open_live(capture_opts->iface,
1212 capture_opts->has_snaplen ? capture_opts->snaplen :
1213 WTAP_MAX_PACKET_SIZE,
1214 capture_opts->promisc_mode, CAP_READ_TIMEOUT,
1218 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
1219 /* to remove any suid privileges. */
1220 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
1221 /* (euid/egid have already previously been set to ruid/rgid. */
1222 /* (See comment in main() for details) */
1224 relinquish_special_privs_perm();
1226 relinquish_all_capabilities();
1229 if (ld->pcap_h != NULL) {
1230 /* we've opened "iface" as a network device */
1232 /* try to set the capture buffer size */
1233 if (capture_opts->buffer_size > 1 &&
1234 pcap_setbuff(ld->pcap_h, capture_opts->buffer_size * 1024 * 1024) != 0) {
1235 sync_secondary_msg_str = g_strdup_printf(
1236 "The capture buffer size of %luMB seems to be too high for your machine,\n"
1237 "the default of 1MB will be used.\n"
1239 "Nonetheless, the capture is started.\n",
1240 capture_opts->buffer_size);
1241 report_capture_error("Couldn't set the capture buffer size!",
1242 sync_secondary_msg_str);
1243 g_free(sync_secondary_msg_str);
1247 #if defined(HAVE_PCAP_REMOTE) && defined(HAVE_PCAP_SETSAMPLING)
1248 if (capture_opts->sampling_method != CAPTURE_SAMP_NONE)
1250 struct pcap_samp *samp;
1252 if ((samp = pcap_setsampling(ld->pcap_h)) != NULL)
1254 switch (capture_opts->sampling_method)
1256 case CAPTURE_SAMP_BY_COUNT:
1257 samp->method = PCAP_SAMP_1_EVERY_N;
1260 case CAPTURE_SAMP_BY_TIMER:
1261 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
1265 sync_msg_str = g_strdup_printf(
1266 "Unknown sampling method %d specified,\n"
1267 "continue without packet sampling",
1268 capture_opts->sampling_method);
1269 report_capture_error("Couldn't set the capture "
1270 "sampling", sync_msg_str);
1271 g_free(sync_msg_str);
1273 samp->value = capture_opts->sampling_param;
1277 report_capture_error("Couldn't set the capture sampling",
1278 "Cannot get packet sampling data structure");
1284 /* setting the data link type only works on real interfaces */
1285 if (capture_opts->linktype != -1) {
1286 set_linktype_err_str = set_pcap_linktype(ld->pcap_h, capture_opts->iface,
1287 capture_opts->linktype);
1288 if (set_linktype_err_str != NULL) {
1289 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
1290 set_linktype_err_str);
1291 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
1295 ld->linktype = get_pcap_linktype(ld->pcap_h, capture_opts->iface);
1297 /* We couldn't open "iface" as a network device. */
1298 /* Try to open it as a pipe */
1299 ld->cap_pipe_fd = cap_pipe_open_live(capture_opts->iface, &ld->cap_pipe_hdr, ld, errmsg, (int) errmsg_len);
1301 if (ld->cap_pipe_fd == -1) {
1303 if (ld->cap_pipe_err == PIPNEXIST) {
1304 /* Pipe doesn't exist, so output message for interface */
1306 /* If we got a "can't find PPA for X" message, warn the user (who
1307 is running (T)Wireshark on HP-UX) that they don't have a version
1308 of libpcap that properly handles HP-UX (libpcap 0.6.x and later
1309 versions, which properly handle HP-UX, say "can't find /dev/dlpi
1310 PPA for X" rather than "can't find PPA for X"). */
1311 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
1314 "You are running (T)Wireshark with a version of the libpcap library\n"
1315 "that doesn't handle HP-UX network devices well; this means that\n"
1316 "(T)Wireshark may not be able to capture packets.\n"
1318 "To fix this, you should install libpcap 0.6.2, or a later version\n"
1319 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
1320 "packaged binary form from the Software Porting And Archive Centre\n"
1321 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
1322 "at the URL lists a number of mirror sites.";
1325 g_snprintf(errmsg, (gulong) errmsg_len,
1326 "The capture session could not be initiated (%s).", open_err_str);
1328 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
1329 "Please check to make sure you have sufficient permissions, and that you have "
1330 "the proper interface or pipe specified.%s", libpcap_warn);
1332 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
1334 "Please check that \"%s\" is the proper interface.\n"
1337 "Help can be found at:\n"
1339 " http://wiki.wireshark.org/WinPcap\n"
1340 " http://wiki.wireshark.org/CaptureSetup\n",
1341 capture_opts->iface);
1345 * Else pipe (or file) does exist and cap_pipe_open_live() has
1350 /* cap_pipe_open_live() succeeded; don't want
1351 error message from pcap_open_live() */
1352 open_err_str[0] = '\0';
1355 /* XXX - will this work for tshark? */
1356 #ifdef MUST_DO_SELECT
1357 if (!ld->from_cap_pipe) {
1358 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
1359 ld->pcap_fd = pcap_get_selectable_fd(ld->pcap_h);
1361 ld->pcap_fd = pcap_fileno(ld->pcap_h);
1366 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
1367 returned a warning; print it, but keep capturing. */
1368 if (open_err_str[0] != '\0') {
1369 sync_msg_str = g_strdup_printf("%s.", open_err_str);
1370 report_capture_error(sync_msg_str, "");
1371 g_free(sync_msg_str);
1378 /* close the capture input file (pcap or capture pipe) */
1379 static void capture_loop_close_input(loop_data *ld) {
1381 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
1383 /* if open, close the capture pipe "input file" */
1384 if (ld->cap_pipe_fd >= 0) {
1385 g_assert(ld->from_cap_pipe);
1386 ws_close(ld->cap_pipe_fd);
1387 ld->cap_pipe_fd = 0;
1390 /* if open, close the pcap "input file" */
1391 if(ld->pcap_h != NULL) {
1392 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", ld->pcap_h);
1393 g_assert(!ld->from_cap_pipe);
1394 pcap_close(ld->pcap_h);
1401 /* Shut down windows sockets */
1407 /* init the capture filter */
1408 static initfilter_status_t
1409 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe, gchar * iface, gchar * cfilter) {
1410 bpf_u_int32 netnum, netmask;
1411 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
1412 struct bpf_program fcode;
1415 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
1417 /* capture filters only work on real interfaces */
1418 if (cfilter && !from_cap_pipe) {
1419 /* A capture filter was specified; set it up. */
1420 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
1422 * Well, we can't get the netmask for this interface; it's used
1423 * only for filters that check for broadcast IP addresses, so
1424 * we just punt and use 0. It might be nice to warn the user,
1425 * but that's a pain in a GUI application, as it'd involve popping
1426 * up a message box, and it's not clear how often this would make
1427 * a difference (only filters that check for IP broadcast addresses
1431 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
1434 if (pcap_compile(pcap_h, &fcode, cfilter, 1, netmask) < 0) {
1435 /* Treat this specially - our caller might try to compile this
1436 as a display filter and, if that succeeds, warn the user that
1437 the display and capture filter syntaxes are different. */
1438 return INITFILTER_BAD_FILTER;
1440 if (pcap_setfilter(pcap_h, &fcode) < 0) {
1441 #ifdef HAVE_PCAP_FREECODE
1442 pcap_freecode(&fcode);
1444 return INITFILTER_OTHER_ERROR;
1446 #ifdef HAVE_PCAP_FREECODE
1447 pcap_freecode(&fcode);
1451 return INITFILTER_NO_ERROR;
1455 /* set up to write to the already-opened capture output file/files */
1457 capture_loop_init_output(capture_options *capture_opts, int save_file_fd, loop_data *ld, char *errmsg, int errmsg_len) {
1461 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
1464 if (ld->from_cap_pipe) {
1465 ld->file_snaplen = ld->cap_pipe_hdr.snaplen;
1468 ld->file_snaplen = pcap_snapshot(ld->pcap_h);
1471 /* Set up to write to the capture file. */
1472 if (capture_opts->multi_files_on) {
1473 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
1475 ld->pdh = libpcap_fdopen(save_file_fd, &err);
1478 ld->bytes_written = 0;
1479 if (!libpcap_write_file_header(ld->pdh, ld->linktype, ld->file_snaplen,
1480 &ld->bytes_written, &err)) {
1486 if (ld->pdh == NULL) {
1487 /* We couldn't set up to write to the capture file. */
1488 /* XXX - use cf_open_error_message from tshark instead? */
1491 case WTAP_ERR_CANT_OPEN:
1492 g_snprintf(errmsg, errmsg_len, "The file to which the capture would be saved"
1493 " couldn't be created for some unknown reason.");
1496 case WTAP_ERR_SHORT_WRITE:
1497 g_snprintf(errmsg, errmsg_len, "A full header couldn't be written to the file"
1498 " to which the capture would be saved.");
1503 g_snprintf(errmsg, errmsg_len,
1504 "The file to which the capture would be"
1505 " saved (\"%s\") could not be opened: Error %d.",
1506 capture_opts->save_file, err);
1508 g_snprintf(errmsg, errmsg_len,
1509 "The file to which the capture would be"
1510 " saved (\"%s\") could not be opened: %s.",
1511 capture_opts->save_file, strerror(err));
1523 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close) {
1525 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
1527 if (capture_opts->multi_files_on) {
1528 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
1530 return libpcap_dump_close(ld->pdh, err_close);
1534 /* dispatch incoming packets (pcap or capture pipe)
1536 * Waits for incoming packets to be available, and calls pcap_dispatch()
1537 * to cause them to be processed.
1539 * Returns the number of packets which were processed.
1541 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
1542 * packet-batching behaviour does not cause packets to get held back
1546 capture_loop_dispatch(capture_options *capture_opts _U_, loop_data *ld,
1547 char *errmsg, int errmsg_len)
1551 gint packet_count_before;
1552 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
1554 packet_count_before = ld->packet_count;
1555 if (ld->from_cap_pipe) {
1556 /* dispatch from capture pipe */
1557 #ifdef LOG_CAPTURE_VERBOSE
1558 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
1560 sel_ret = cap_pipe_select(ld->cap_pipe_fd);
1563 if (sel_ret < 0 && errno != EINTR) {
1564 g_snprintf(errmsg, errmsg_len,
1565 "Unexpected error from select: %s", strerror(errno));
1566 report_capture_error(errmsg, please_report);
1571 * "select()" says we can read from the pipe without blocking
1573 inpkts = cap_pipe_dispatch(ld, pcap_data, errmsg, errmsg_len);
1581 /* dispatch from pcap */
1582 #ifdef MUST_DO_SELECT
1584 * If we have "pcap_get_selectable_fd()", we use it to get the
1585 * descriptor on which to select; if that's -1, it means there
1586 * is no descriptor on which you can do a "select()" (perhaps
1587 * because you're capturing on a special device, and that device's
1588 * driver unfortunately doesn't support "select()", in which case
1589 * we don't do the select - which means it might not be possible
1590 * to stop a capture until a packet arrives. If that's unacceptable,
1591 * plead with whoever supplies the software for that device to add
1592 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
1593 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
1594 * later, so it can use pcap_breakloop().
1596 #ifdef LOG_CAPTURE_VERBOSE
1597 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
1599 if (ld->pcap_fd != -1) {
1600 sel_ret = cap_pipe_select(ld->pcap_fd);
1603 * "select()" says we can read from it without blocking; go for
1606 * We don't have pcap_breakloop(), so we only process one packet
1607 * per pcap_dispatch() call, to allow a signal to stop the
1608 * processing immediately, rather than processing all packets
1609 * in a batch before quitting.
1611 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb,
1614 ld->pcap_err = TRUE;
1615 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
1618 if (sel_ret < 0 && errno != EINTR) {
1619 g_snprintf(errmsg, errmsg_len,
1620 "Unexpected error from select: %s", strerror(errno));
1621 report_capture_error(errmsg, please_report);
1627 #endif /* MUST_DO_SELECT */
1629 /* dispatch from pcap without select */
1631 #ifdef LOG_CAPTURE_VERBOSE
1632 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
1636 * On Windows, we don't support asynchronously telling a process to
1637 * stop capturing; instead, we check for an indication on a pipe
1638 * after processing packets. We therefore process only one packet
1639 * at a time, so that we can check the pipe after every packet.
1641 inpkts = pcap_dispatch(ld->pcap_h, 1, capture_loop_packet_cb, (u_char *) ld);
1643 inpkts = pcap_dispatch(ld->pcap_h, -1, capture_loop_packet_cb, (u_char *) ld);
1647 /* Error, rather than pcap_breakloop(). */
1648 ld->pcap_err = TRUE;
1650 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
1652 #else /* pcap_next_ex */
1653 #ifdef LOG_CAPTURE_VERBOSE
1654 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
1656 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
1659 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
1660 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
1661 * This should be fixed in the WinPcap 4.0 alpha release.
1663 * For reference, an example remote interface:
1664 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
1667 /* emulate dispatch from pcap */
1670 struct pcap_pkthdr *pkt_header;
1675 (in = pcap_next_ex(ld->pcap_h, &pkt_header, &pkt_data)) == 1)
1676 capture_loop_packet_cb( (u_char *) ld, pkt_header, pkt_data);
1679 ld->pcap_err = TRUE;
1683 #endif /* pcap_next_ex */
1687 #ifdef LOG_CAPTURE_VERBOSE
1688 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
1691 return ld->packet_count - packet_count_before;
1695 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
1696 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
1698 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
1699 char *errmsg, int errmsg_len) {
1701 char tmpname[128+1];
1702 gchar *capfile_name;
1703 gboolean is_tempfile;
1708 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
1709 (capture_opts->save_file) ? capture_opts->save_file : "");
1711 if (capture_opts->save_file != NULL) {
1712 /* We return to the caller while the capture is in progress.
1713 * Therefore we need to take a copy of save_file in
1714 * case the caller destroys it after we return.
1716 capfile_name = g_strdup(capture_opts->save_file);
1718 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
1719 if (capture_opts->multi_files_on) {
1720 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
1721 g_snprintf(errmsg, errmsg_len,
1722 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
1723 g_free(capfile_name);
1726 if (strcmp(capfile_name, "-") == 0) {
1727 /* write to stdout */
1730 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
1731 _setmode(1, O_BINARY);
1734 } /* if (...output_to_pipe ... */
1737 if (capture_opts->multi_files_on) {
1738 /* ringbuffer is enabled */
1739 *save_file_fd = ringbuf_init(capfile_name,
1740 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0);
1742 /* we need the ringbuf name */
1743 if(*save_file_fd != -1) {
1744 g_free(capfile_name);
1745 capfile_name = g_strdup(ringbuf_current_filename());
1748 /* Try to open/create the specified file for use as a capture buffer. */
1749 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
1753 is_tempfile = FALSE;
1755 /* Choose a random name for the temporary capture buffer */
1756 *save_file_fd = create_tempfile(tmpname, sizeof tmpname, "wireshark");
1757 capfile_name = g_strdup(tmpname);
1761 /* did we fail to open the output file? */
1762 if (*save_file_fd == -1) {
1764 g_snprintf(errmsg, errmsg_len,
1765 "The temporary file to which the capture would be saved (\"%s\") "
1766 "could not be opened: %s.", capfile_name, strerror(errno));
1768 if (capture_opts->multi_files_on) {
1769 ringbuf_error_cleanup();
1772 g_snprintf(errmsg, errmsg_len,
1773 "The file to which the capture would be saved (\"%s\") "
1774 "could not be opened: %s.", capfile_name,
1777 g_free(capfile_name);
1781 if(capture_opts->save_file != NULL) {
1782 g_free(capture_opts->save_file);
1784 capture_opts->save_file = capfile_name;
1785 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
1786 "g_free(capfile_name)". */
1788 ret = fchown(*save_file_fd, capture_opts->owner, capture_opts->group);
1796 capture_loop_stop_signal_handler(int signo _U_)
1798 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Signal: Stop capture");
1799 capture_loop_stop();
1803 #define TIME_GET() GetTickCount()
1805 #define TIME_GET() time(NULL)
1808 /* Do the low-level work of a capture.
1809 Returns TRUE if it succeeds, FALSE otherwise. */
1811 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
1814 struct sigaction act;
1816 time_t upd_time, cur_time;
1820 gint inpkts_to_sync_pipe = 0; /* packets not already send out to the sync_pipe */
1821 condition *cnd_file_duration = NULL;
1822 condition *cnd_autostop_files = NULL;
1823 condition *cnd_autostop_size = NULL;
1824 condition *cnd_autostop_duration = NULL;
1825 guint32 autostop_files = 0;
1828 gboolean cfilter_error = FALSE;
1829 #define MSG_MAX_LENGTH 4096
1830 char errmsg[MSG_MAX_LENGTH+1];
1831 char secondary_errmsg[MSG_MAX_LENGTH+1];
1832 int save_file_fd = -1;
1835 *secondary_errmsg = '\0';
1837 /* init the loop data */
1838 global_ld.go = TRUE;
1839 global_ld.packet_count = 0;
1840 if (capture_opts->has_autostop_packets)
1841 global_ld.packet_max = capture_opts->autostop_packets;
1843 global_ld.packet_max = 0; /* no limit */
1844 global_ld.err = 0; /* no error seen yet */
1845 global_ld.wtap_linktype = WTAP_ENCAP_UNKNOWN;
1846 global_ld.pcap_err = FALSE;
1847 global_ld.from_cap_pipe = FALSE;
1848 global_ld.pdh = NULL;
1849 global_ld.cap_pipe_fd = -1;
1850 #ifdef MUST_DO_SELECT
1851 global_ld.pcap_fd = 0;
1854 /* We haven't yet gotten the capture statistics. */
1855 *stats_known = FALSE;
1859 * Catch SIGUSR1, so that we exit cleanly if the parent process
1860 * kills us with it due to the user selecting "Capture->Stop".
1862 act.sa_handler = capture_loop_stop_signal_handler;
1864 * Arrange that system calls not get restarted, because when
1865 * our signal handler returns we don't want to restart
1866 * a call that was waiting for packets to arrive.
1869 sigemptyset(&act.sa_mask);
1870 sigaction(SIGUSR1, &act, NULL);
1873 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
1874 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
1876 /* open the "input file" from network interface or capture pipe */
1877 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
1878 secondary_errmsg, sizeof(secondary_errmsg))) {
1882 /* init the input filter from the network interface (capture pipe will do nothing) */
1883 switch (capture_loop_init_filter(global_ld.pcap_h, global_ld.from_cap_pipe,
1884 capture_opts->iface,
1885 capture_opts->cfilter)) {
1887 case INITFILTER_NO_ERROR:
1890 case INITFILTER_BAD_FILTER:
1891 cfilter_error = TRUE;
1892 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(global_ld.pcap_h));
1895 case INITFILTER_OTHER_ERROR:
1896 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
1897 pcap_geterr(global_ld.pcap_h));
1898 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
1902 /* If we're supposed to write to a capture file, open it for output
1903 (temporary/specified name/ringbuffer) */
1904 if (capture_opts->saving_to_file) {
1905 if (!capture_loop_open_output(capture_opts, &save_file_fd, errmsg, sizeof(errmsg))) {
1909 /* set up to write to the already-opened capture output file/files */
1910 if (!capture_loop_init_output(capture_opts, save_file_fd, &global_ld,
1911 errmsg, sizeof(errmsg))) {
1915 /* XXX - capture SIGTERM and close the capture, in case we're on a
1916 Linux 2.0[.x] system and you have to explicitly close the capture
1917 stream in order to turn promiscuous mode off? We need to do that
1918 in other places as well - and I don't think that works all the
1919 time in any case, due to libpcap bugs. */
1921 /* Well, we should be able to start capturing.
1923 Sync out the capture file, so the header makes it to the file system,
1924 and send a "capture started successfully and capture file created"
1925 message to our parent so that they'll open the capture file and
1926 update its windows to indicate that we have a live capture in
1928 libpcap_dump_flush(global_ld.pdh, NULL);
1929 report_new_capture_file(capture_opts->save_file);
1932 /* initialize capture stop (and alike) conditions */
1933 init_capture_stop_conditions();
1934 /* create stop conditions */
1935 if (capture_opts->has_autostop_filesize)
1937 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
1938 if (capture_opts->has_autostop_duration)
1939 cnd_autostop_duration =
1940 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
1942 if (capture_opts->multi_files_on) {
1943 if (capture_opts->has_file_duration)
1945 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
1947 if (capture_opts->has_autostop_files)
1948 cnd_autostop_files =
1949 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
1952 /* init the time values */
1953 start_time = TIME_GET();
1954 upd_time = TIME_GET();
1956 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
1958 /* WOW, everything is prepared! */
1959 /* please fasten your seat belts, we will enter now the actual capture loop */
1960 while (global_ld.go) {
1961 /* dispatch incoming packets */
1962 inpkts = capture_loop_dispatch(capture_opts, &global_ld, errmsg,
1966 /* any news from our parent (signal pipe)? -> just stop the capture */
1967 if (!signal_pipe_check_running()) {
1968 global_ld.go = FALSE;
1973 inpkts_to_sync_pipe += inpkts;
1975 /* check capture size condition */
1976 if (cnd_autostop_size != NULL &&
1977 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)){
1978 /* Capture size limit reached, do we have another file? */
1979 if (capture_opts->multi_files_on) {
1980 if (cnd_autostop_files != NULL &&
1981 cnd_eval(cnd_autostop_files, ++autostop_files)) {
1982 /* no files left: stop here */
1983 global_ld.go = FALSE;
1987 /* Switch to the next ringbuffer file */
1988 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
1989 &save_file_fd, &global_ld.err)) {
1990 /* File switch succeeded: reset the conditions */
1991 global_ld.bytes_written = 0;
1992 if (!libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
1993 &global_ld.bytes_written, &global_ld.err)) {
1994 fclose(global_ld.pdh);
1995 global_ld.pdh = NULL;
1996 global_ld.go = FALSE;
1999 cnd_reset(cnd_autostop_size);
2000 if (cnd_file_duration) {
2001 cnd_reset(cnd_file_duration);
2003 libpcap_dump_flush(global_ld.pdh, NULL);
2004 report_packet_count(inpkts_to_sync_pipe);
2005 inpkts_to_sync_pipe = 0;
2006 report_new_capture_file(capture_opts->save_file);
2008 /* File switch failed: stop here */
2009 global_ld.go = FALSE;
2013 /* single file, stop now */
2014 global_ld.go = FALSE;
2017 } /* cnd_autostop_size */
2018 if (capture_opts->output_to_pipe) {
2019 libpcap_dump_flush(global_ld.pdh, NULL);
2023 /* Only update once a second (Win32: 500ms) so as not to overload slow
2024 * displays. This also prevents too much context-switching between the
2025 * dumpcap and wireshark processes */
2026 cur_time = TIME_GET();
2028 if ( (cur_time - upd_time) > 500) {
2030 if (cur_time - upd_time > 0) {
2032 upd_time = cur_time;
2034 /*if (pcap_stats(pch, stats) >= 0) {
2035 *stats_known = TRUE;
2038 /* Let the parent process know. */
2039 if (inpkts_to_sync_pipe) {
2041 libpcap_dump_flush(global_ld.pdh, NULL);
2043 /* Send our parent a message saying we've written out "inpkts_to_sync_pipe"
2044 packets to the capture file. */
2045 report_packet_count(inpkts_to_sync_pipe);
2047 inpkts_to_sync_pipe = 0;
2050 /* check capture duration condition */
2051 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
2052 /* The maximum capture time has elapsed; stop the capture. */
2053 global_ld.go = FALSE;
2057 /* check capture file duration condition */
2058 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
2059 /* duration limit reached, do we have another file? */
2060 if (capture_opts->multi_files_on) {
2061 if (cnd_autostop_files != NULL &&
2062 cnd_eval(cnd_autostop_files, ++autostop_files)) {
2063 /* no files left: stop here */
2064 global_ld.go = FALSE;
2068 /* Switch to the next ringbuffer file */
2069 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
2070 &save_file_fd, &global_ld.err)) {
2071 /* file switch succeeded: reset the conditions */
2072 global_ld.bytes_written = 0;
2073 if (!libpcap_write_file_header(global_ld.pdh, global_ld.linktype, global_ld.file_snaplen,
2074 &global_ld.bytes_written, &global_ld.err)) {
2075 fclose(global_ld.pdh);
2076 global_ld.pdh = NULL;
2077 global_ld.go = FALSE;
2080 cnd_reset(cnd_file_duration);
2081 if(cnd_autostop_size)
2082 cnd_reset(cnd_autostop_size);
2083 libpcap_dump_flush(global_ld.pdh, NULL);
2084 report_packet_count(inpkts_to_sync_pipe);
2085 inpkts_to_sync_pipe = 0;
2086 report_new_capture_file(capture_opts->save_file);
2088 /* File switch failed: stop here */
2089 global_ld.go = FALSE;
2093 /* single file, stop now */
2094 global_ld.go = FALSE;
2097 } /* cnd_file_duration */
2100 } /* while (global_ld.go) */
2102 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
2104 /* delete stop conditions */
2105 if (cnd_file_duration != NULL)
2106 cnd_delete(cnd_file_duration);
2107 if (cnd_autostop_files != NULL)
2108 cnd_delete(cnd_autostop_files);
2109 if (cnd_autostop_size != NULL)
2110 cnd_delete(cnd_autostop_size);
2111 if (cnd_autostop_duration != NULL)
2112 cnd_delete(cnd_autostop_duration);
2114 /* did we had a pcap (input) error? */
2115 if (global_ld.pcap_err) {
2116 /* On Linux, if an interface goes down while you're capturing on it,
2117 you'll get a "recvfrom: Network is down" error (ENETDOWN).
2118 (At least you will if strerror() doesn't show a local translation
2121 On FreeBSD and OS X, if a network adapter disappears while
2122 you're capturing on it, you'll get a "read: Device not configured"
2123 error (ENXIO). (See previous parenthetical note.)
2125 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
2127 These should *not* be reported to the Wireshark developers. */
2130 cap_err_str = pcap_geterr(global_ld.pcap_h);
2131 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
2132 strcmp(cap_err_str, "read: Device not configured") == 0 ||
2133 strcmp(cap_err_str, "read: I/O error") == 0) {
2134 report_capture_error("The network adapter on which the capture was being done "
2135 "is no longer running; the capture has stopped.",
2138 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
2140 report_capture_error(errmsg, please_report);
2143 else if (global_ld.from_cap_pipe && global_ld.cap_pipe_err == PIPERR)
2144 report_capture_error(errmsg, "");
2146 /* did we had an error while capturing? */
2147 if (global_ld.err == 0) {
2150 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
2151 global_ld.err, FALSE);
2152 report_capture_error(errmsg, please_report);
2156 if (capture_opts->saving_to_file) {
2157 /* close the wiretap (output) file */
2158 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
2162 /* there might be packets not yet notified to the parent */
2163 /* (do this after closing the file, so all packets are already flushed) */
2164 if(inpkts_to_sync_pipe) {
2165 report_packet_count(inpkts_to_sync_pipe);
2166 inpkts_to_sync_pipe = 0;
2169 /* If we've displayed a message about a write error, there's no point
2170 in displaying another message about an error on close. */
2171 if (!close_ok && write_ok) {
2172 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
2174 report_capture_error(errmsg, "");
2178 * XXX We exhibit different behaviour between normal mode and sync mode
2179 * when the pipe is stdin and not already at EOF. If we're a child, the
2180 * parent's stdin isn't closed, so if the user starts another capture,
2181 * cap_pipe_open_live() will very likely not see the expected magic bytes and
2182 * will say "Unrecognized libpcap format". On the other hand, in normal
2183 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
2186 /* get packet drop statistics from pcap */
2187 if(global_ld.pcap_h != NULL) {
2188 g_assert(!global_ld.from_cap_pipe);
2189 /* Get the capture statistics, so we know how many packets were
2191 if (pcap_stats(global_ld.pcap_h, stats) >= 0) {
2192 *stats_known = TRUE;
2193 /* Let the parent process know. */
2194 report_packet_drops(stats->ps_drop);
2196 g_snprintf(errmsg, sizeof(errmsg),
2197 "Can't get packet-drop statistics: %s",
2198 pcap_geterr(global_ld.pcap_h));
2199 report_capture_error(errmsg, please_report);
2203 /* close the input file (pcap or capture pipe) */
2204 capture_loop_close_input(&global_ld);
2206 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
2208 /* ok, if the write and the close were successful. */
2209 return write_ok && close_ok;
2212 if (capture_opts->multi_files_on) {
2213 /* cleanup ringbuffer */
2214 ringbuf_error_cleanup();
2216 /* We can't use the save file, and we have no FILE * for the stream
2217 to close in order to close it, so close the FD directly. */
2218 if(save_file_fd != -1) {
2219 ws_close(save_file_fd);
2222 /* We couldn't even start the capture, so get rid of the capture
2224 if(capture_opts->save_file != NULL) {
2225 ws_unlink(capture_opts->save_file);
2226 g_free(capture_opts->save_file);
2229 capture_opts->save_file = NULL;
2231 report_cfilter_error(capture_opts->cfilter, errmsg);
2233 report_capture_error(errmsg, secondary_errmsg);
2235 /* close the input file (pcap or cap_pipe) */
2236 capture_loop_close_input(&global_ld);
2238 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
2244 static void capture_loop_stop(void)
2246 #ifdef HAVE_PCAP_BREAKLOOP
2247 if(global_ld.pcap_h != NULL)
2248 pcap_breakloop(global_ld.pcap_h);
2250 global_ld.go = FALSE;
2255 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
2256 int err, gboolean is_close)
2261 g_snprintf(errmsg, errmsglen,
2262 "Not all the packets could be written to the file"
2263 " to which the capture was being saved\n"
2264 "(\"%s\") because there is no space left on the file system\n"
2265 "on which that file resides.",
2271 g_snprintf(errmsg, errmsglen,
2272 "Not all the packets could be written to the file"
2273 " to which the capture was being saved\n"
2274 "(\"%s\") because you are too close to, or over,"
2275 " your disk quota\n"
2276 "on the file system on which that file resides.",
2281 case WTAP_ERR_CANT_CLOSE:
2282 g_snprintf(errmsg, errmsglen,
2283 "The file to which the capture was being saved"
2284 " couldn't be closed for some unknown reason.");
2287 case WTAP_ERR_SHORT_WRITE:
2288 g_snprintf(errmsg, errmsglen,
2289 "Not all the packets could be written to the file"
2290 " to which the capture was being saved\n"
2297 g_snprintf(errmsg, errmsglen,
2298 "The file to which the capture was being saved\n"
2299 "(\"%s\") could not be closed: %s.",
2300 fname, wtap_strerror(err));
2302 g_snprintf(errmsg, errmsglen,
2303 "An error occurred while writing to the file"
2304 " to which the capture was being saved\n"
2306 fname, wtap_strerror(err));
2313 /* one packet was captured, process it */
2315 capture_loop_packet_cb(u_char *user, const struct pcap_pkthdr *phdr,
2318 loop_data *ld = (void *) user;
2321 /* We may be called multiple times from pcap_dispatch(); if we've set
2322 the "stop capturing" flag, ignore this packet, as we're not
2323 supposed to be saving any more packets. */
2328 /* We're supposed to write the packet to a file; do so.
2329 If this fails, set "ld->go" to FALSE, to stop the capture, and set
2330 "ld->err" to the error. */
2331 if (!libpcap_write_packet(ld->pdh, phdr, pd, &ld->bytes_written, &err)) {
2336 /* if the user told us to stop after x packets, do we already have enough? */
2337 if ((ld->packet_max > 0) && (ld->packet_count >= ld->packet_max))
2346 /* And now our feature presentation... [ fade to music ] */
2348 main(int argc, char *argv[])
2351 extern char *optarg;
2352 gboolean arg_error = FALSE;
2357 struct sigaction action, oldaction;
2360 gboolean start_capture = TRUE;
2361 gboolean stats_known;
2362 struct pcap_stat stats;
2363 GLogLevelFlags log_flags;
2364 gboolean list_interfaces = FALSE;
2365 gboolean list_link_layer_types = FALSE;
2366 gboolean machine_readable = FALSE;
2367 gboolean print_statistics = FALSE;
2368 int status, run_once_args = 0;
2371 #ifdef HAVE_PCAP_REMOTE
2372 #define OPTSTRING_INIT "a:A:b:c:Df:hi:Lm:MprSs:uvw:y:Z:"
2374 #define OPTSTRING_INIT "a:b:c:Df:hi:LMpSs:vw:y:Z:"
2378 #define OPTSTRING_WIN32 "B:"
2380 #define OPTSTRING_WIN32 ""
2383 char optstring[sizeof(OPTSTRING_INIT) + sizeof(OPTSTRING_WIN32) - 1] =
2384 OPTSTRING_INIT OPTSTRING_WIN32;
2386 #ifdef DEBUG_CHILD_DUMPCAP
2387 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
2388 fprintf (stderr, "Unable to open debug log file !\n");
2393 /* Determine if dumpcap is being requested to run in a special */
2394 /* capture_child mode by going thru the command line args to see if */
2395 /* a -Z is present. (-Z is a hidden option). */
2396 /* The primary result of running in capture_child mode is that */
2397 /* all messages sent out on stderr are in a special type/len/string */
2398 /* format to allow message processing by type. */
2399 /* These messages include various 'status' messages which are sent */
2400 /* when an actual capture is in progress. Capture_child mode */
2401 /* would normally be requested by a parent process which invokes */
2402 /* dumpcap and obtains dumpcap stderr output via a pipe to which */
2403 /* dumpcap stderr has been redirected. */
2404 /* Capture_child mode needs to be determined immediately upon */
2405 /* startup so that any messages generated by dumpcap in this mode */
2406 /* (eg: during initialization) will be formatted properly. */
2408 for (i=1; i<argc; i++) {
2409 if (strcmp("-Z", argv[i]) == 0) {
2410 capture_child = TRUE;
2412 /* set output pipe to binary mode, to avoid ugly text conversions */
2413 _setmode(2, O_BINARY);
2418 /* The default_log_handler will use stdout, which makes trouble in */
2419 /* capture child mode, as it uses stdout for it's sync_pipe. */
2420 /* So: the filtering is done in the console_log_handler and not here.*/
2421 /* We set the log handlers right up front to make sure that any log */
2422 /* messages when running as child will be sent back to the parent */
2423 /* with the correct format. */
2427 G_LOG_LEVEL_CRITICAL|
2428 G_LOG_LEVEL_WARNING|
2429 G_LOG_LEVEL_MESSAGE|
2432 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
2434 g_log_set_handler(NULL,
2436 console_log_handler, NULL /* user_data */);
2437 g_log_set_handler(LOG_DOMAIN_MAIN,
2439 console_log_handler, NULL /* user_data */);
2440 g_log_set_handler(LOG_DOMAIN_CAPTURE,
2442 console_log_handler, NULL /* user_data */);
2443 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
2445 console_log_handler, NULL /* user_data */);
2448 /* Load wpcap if possible. Do this before collecting the run-time version information */
2451 /* ... and also load the packet.dll from wpcap */
2452 /* XXX - currently not required, may change later. */
2453 /*wpcap_packet_load();*/
2455 /* Start windows sockets */
2456 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
2458 /* Set handler for Ctrl+C key */
2459 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2461 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
2463 action.sa_handler = capture_cleanup;
2464 action.sa_flags = 0;
2465 sigemptyset(&action.sa_mask);
2466 sigaction(SIGTERM, &action, NULL);
2467 sigaction(SIGINT, &action, NULL);
2468 sigaction(SIGHUP, NULL, &oldaction);
2469 if (oldaction.sa_handler == SIG_DFL)
2470 sigaction(SIGHUP, &action, NULL);
2473 /* ----------------------------------------------------------------- */
2474 /* Privilege and capability handling */
2476 /* 1. Running not as root or suid root; no special capabilities. */
2479 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
2482 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
2484 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
2485 /* capabilities; Drop all other capabilities; */
2486 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
2487 /* else: after pcap_open_live() in capture_loop_open_input() */
2488 /* drop all capabilities (NET_RAW and NET_ADMIN); */
2489 /* (Note: this means that the process, although logged in */
2490 /* as root, does not have various permissions such as the */
2491 /* ability to bypass file access permissions). */
2492 /* XXX: Should we just leave capabilities alone in this case */
2493 /* so that user gets expected effect that root can do */
2496 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
2498 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
2499 /* else: after pcap_open_live() in capture_loop_open_input() */
2500 /* drop suid root (set euid=ruid).(ie: keep suid until after */
2501 /* pcap_open_live). */
2503 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
2505 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
2506 /* capabilities; Drop all other capabilities; */
2507 /* Drop suid privileges (euid=ruid); */
2508 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
2509 /* else: after pcap_open_live() in capture_loop_open_input() */
2510 /* drop all capabilities (NET_RAW and NET_ADMIN). */
2512 /* XXX: For some Linux versions/distros with capabilities */
2513 /* a 'normal' process with any capabilities cannot be */
2514 /* 'killed' (signaled) from another (same uid) non-privileged */
2516 /* For example: If (non-suid) Wireshark forks a */
2517 /* child suid dumpcap which acts as described here (case 5), */
2518 /* Wireshark will be unable to kill (signal) the child */
2519 /* dumpcap process until the capabilities have been dropped */
2520 /* (after pcap_open_live()). */
2521 /* This behaviour will apparently be changed in the kernel */
2522 /* to allow the kill (signal) in this case. */
2523 /* See the following for details: */
2524 /* http://www.mail-archive.com/ [wrapped] */
2525 /* linux-security-module@vger.kernel.org/msg02913.html */
2527 /* It is therefore conceivable that if dumpcap somehow hangs */
2528 /* in pcap_open_live or before that wireshark will not */
2529 /* be able to stop dumpcap using a signal (USR1, TERM, etc). */
2530 /* In this case, exiting wireshark will kill the child */
2531 /* dumpcap process. */
2533 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
2534 /* capabilities; Using libcap. Note: capset cmd (which see) */
2535 /* used to assign capabilities to file. */
2537 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
2538 /* else: after pcap_open_live() in capture_loop_open_input() */
2539 /* drop all capabilities (NET_RAW and NET_ADMIN) */
2541 /* ToDo: -S (stats) should drop privileges/capabilities when no */
2542 /* longer required (similar to capture). */
2544 /* ----------------------------------------------------------------- */
2546 get_credential_info();
2549 /* If 'started with special privileges' (and using libcap) */
2550 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
2551 /* Set euid/egid = ruid/rgid to remove suid privileges */
2552 relinquish_privs_except_capture();
2555 /* Set the initial values in the capture options. This might be overwritten
2556 by the command line parameters. */
2557 capture_opts_init(&global_capture_opts, NULL);
2559 /* Default to capturing the entire packet. */
2560 global_capture_opts.snaplen = WTAP_MAX_PACKET_SIZE;
2562 /* We always save to a file - if no file was specified, we save to a
2564 global_capture_opts.saving_to_file = TRUE;
2565 global_capture_opts.has_ring_num_files = TRUE;
2567 /* Now get our args */
2568 while ((opt = getopt(argc, argv, optstring)) != -1) {
2570 case 'h': /* Print help and exit */
2574 case 'v': /* Show version and exit */
2576 GString *comp_info_str;
2577 GString *runtime_info_str;
2578 /* Assemble the compile-time version information string */
2579 comp_info_str = g_string_new("Compiled ");
2580 get_compiled_version_info(comp_info_str, NULL);
2582 /* Assemble the run-time version information string */
2583 runtime_info_str = g_string_new("Running ");
2584 get_runtime_version_info(runtime_info_str, NULL);
2585 show_version(comp_info_str, runtime_info_str);
2586 g_string_free(comp_info_str, TRUE);
2587 g_string_free(runtime_info_str, TRUE);
2591 /*** capture option specific ***/
2592 case 'a': /* autostop criteria */
2593 case 'b': /* Ringbuffer option */
2594 case 'c': /* Capture x packets */
2595 case 'f': /* capture filter */
2596 case 'i': /* Use interface x */
2597 case 'p': /* Don't capture in promiscuous mode */
2598 case 's': /* Set the snapshot (capture) length */
2599 case 'w': /* Write to capture file x */
2600 case 'y': /* Set the pcap data link type */
2601 #ifdef HAVE_PCAP_REMOTE
2602 case 'u': /* Use UDP for data transfer */
2603 case 'r': /* Capture own RPCAP traffic too */
2604 case 'A': /* Authentication */
2606 #ifdef HAVE_PCAP_SETSAMPLING
2607 case 'm': /* Sampling */
2610 case 'B': /* Buffer size */
2612 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
2617 /*** hidden option: Wireshark child mode (using binary output messages) ***/
2619 capture_child = TRUE;
2621 /* set output pipe to binary mode, to avoid ugly text conversions */
2622 _setmode(2, O_BINARY);
2624 * optarg = the control ID, aka the PPID, currently used for the
2627 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
2628 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
2629 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
2630 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
2632 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
2633 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
2634 "Signal pipe: Unable to open %s. Dead parent?",
2642 /*** all non capture option specific ***/
2643 case 'D': /* Print a list of capture devices and exit */
2644 list_interfaces = TRUE;
2647 case 'L': /* Print list of link-layer types and exit */
2648 list_link_layer_types = TRUE;
2651 case 'S': /* Print interface statistics once a second */
2652 print_statistics = TRUE;
2655 case 'M': /* For -D and -L, print machine-readable output */
2656 machine_readable = TRUE;
2659 case '?': /* Bad flag - print usage message */
2660 cmdarg_err("Invalid Option: %s", argv[optind-1]);
2668 /* user specified file name as regular command-line argument */
2669 /* XXX - use it as the capture file name (or something else)? */
2676 * Extra command line arguments were specified; complain.
2677 * XXX - interpret as capture filter, as tcpdump and tshark do?
2679 cmdarg_err("Invalid argument: %s", argv[0]);
2688 if (run_once_args > 1) {
2689 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
2691 } else if (list_link_layer_types) {
2692 /* We're supposed to list the link-layer types for an interface;
2693 did the user also specify a capture file to be read? */
2694 /* No - did they specify a ring buffer option? */
2695 if (global_capture_opts.multi_files_on) {
2696 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
2700 /* No - was the ring buffer option specified and, if so, does it make
2702 if (global_capture_opts.multi_files_on) {
2703 /* Ring buffer works only under certain conditions:
2704 a) ring buffer does not work with temporary files;
2705 b) it makes no sense to enable the ring buffer if the maximum
2706 file size is set to "infinite". */
2707 if (global_capture_opts.save_file == NULL) {
2708 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
2709 global_capture_opts.multi_files_on = FALSE;
2711 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
2712 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
2713 /* XXX - this must be redesigned as the conditions changed */
2714 /* global_capture_opts.multi_files_on = FALSE;*/
2719 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
2720 /* cmdarg_err() already called .... */
2724 /* Let the user know what interface was chosen. */
2725 /* get_interface_descriptive_name() is not available! */
2726 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n", global_capture_opts.iface);
2728 if (list_interfaces) {
2729 status = capture_opts_list_interfaces(machine_readable);
2731 } else if (list_link_layer_types) {
2732 status = capture_opts_list_link_layer_types(&global_capture_opts, machine_readable);
2734 } else if (print_statistics) {
2735 status = print_statistics_loop(machine_readable);
2739 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2740 capture_opts_trim_ring_num_files(&global_capture_opts);
2742 /* Now start the capture. */
2744 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
2748 /* capture failed */
2755 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
2756 const char *message, gpointer user_data _U_)
2763 /* ignore log message, if log_level isn't interesting */
2764 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
2765 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
2770 /* create a "timestamp" */
2772 today = localtime(&curr);
2774 switch(log_level & G_LOG_LEVEL_MASK) {
2775 case G_LOG_LEVEL_ERROR:
2778 case G_LOG_LEVEL_CRITICAL:
2781 case G_LOG_LEVEL_WARNING:
2784 case G_LOG_LEVEL_MESSAGE:
2787 case G_LOG_LEVEL_INFO:
2790 case G_LOG_LEVEL_DEBUG:
2794 fprintf(stderr, "unknown log_level %u\n", log_level);
2796 g_assert_not_reached();
2799 /* Generate the output message */
2800 if(log_level & G_LOG_LEVEL_MESSAGE) {
2801 /* normal user messages without additional infos */
2802 msg = g_strdup_printf("%s\n", message);
2804 /* info/debug messages with additional infos */
2805 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
2806 today->tm_hour, today->tm_min, today->tm_sec,
2807 log_domain != NULL ? log_domain : "",
2811 /* DEBUG & INFO msgs (if we're debugging today) */
2812 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
2813 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
2814 #ifdef DEBUG_DUMPCAP
2815 fprintf(stderr, "%s", msg);
2818 #ifdef DEBUG_CHILD_DUMPCAP
2819 fprintf(debug_log, "%s", msg);
2827 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
2828 /* to parent especially formatted if dumpcap running as child. */
2829 if (capture_child) {
2830 sync_pipe_errmsg_to_parent(2, msg, "");
2832 fprintf(stderr, "%s", msg);
2839 /****************************************************************************************************************/
2840 /* indication report routines */
2844 report_packet_count(int packet_count)
2846 char tmp[SP_DECISIZE+1+1];
2847 static int count = 0;
2850 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
2851 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
2852 pipe_write_block(2, SP_PACKET_COUNT, tmp);
2854 count += packet_count;
2855 fprintf(stderr, "\rPackets: %u ", count);
2856 /* stderr could be line buffered */
2862 report_new_capture_file(const char *filename)
2865 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
2866 pipe_write_block(2, SP_FILE, filename);
2868 fprintf(stderr, "File: %s\n", filename);
2869 /* stderr could be line buffered */
2875 report_cfilter_error(const char *cfilter, const char *errmsg)
2877 if (capture_child) {
2878 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
2879 pipe_write_block(2, SP_BAD_FILTER, errmsg);
2882 "Invalid capture filter: \"%s\"!\n"
2884 "That string isn't a valid capture filter (%s).\n"
2885 "See the User's Guide for a description of the capture filter syntax.\n",
2891 report_capture_error(const char *error_msg, const char *secondary_error_msg)
2894 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
2895 "Primary Error: %s", error_msg);
2896 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
2897 "Secondary Error: %s", secondary_error_msg);
2898 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
2900 fprintf(stderr, "%s\n%s\n", error_msg, secondary_error_msg);
2905 report_packet_drops(guint32 drops)
2907 char tmp[SP_DECISIZE+1+1];
2909 g_snprintf(tmp, sizeof(tmp), "%u", drops);
2912 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets dropped: %s", tmp);
2913 pipe_write_block(2, SP_DROPS, tmp);
2915 fprintf(stderr, "Packets dropped: %s\n", tmp);
2916 /* stderr could be line buffered */
2922 /****************************************************************************************************************/
2923 /* signal_pipe handling */
2928 signal_pipe_check_running(void)
2930 /* any news from our parent? -> just stop the capture */
2934 /* if we are running standalone, no check required */
2935 if(!capture_child) {
2939 if(!sig_pipe_name || !sig_pipe_handle) {
2940 /* This shouldn't happen */
2941 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
2942 "Signal pipe: No name or handle");
2947 * XXX - We should have the process ID of the parent (from the "-Z" flag)
2948 * at this point. Should we check to see if the parent is still alive,
2949 * e.g. by using OpenProcess?
2952 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
2954 if(!result || avail > 0) {
2955 /* peek failed or some bytes really available */
2956 /* (if not piping from stdin this would fail) */
2957 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
2958 "Signal pipe: Stop capture: %s", sig_pipe_name);
2959 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
2960 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
2961 sig_pipe_handle, result, avail);
2964 /* pipe ok and no bytes available */