2 * Utility routines for packet capture
4 * $Id: pcap-util.c,v 1.17 2003/09/10 06:47:04 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
42 #ifdef HAVE_SYS_SOCKET_H
43 #include <sys/socket.h>
46 #ifdef HAVE_SYS_IOCTL_H
47 #include <sys/ioctl.h>
54 * Keep Digital UNIX happy when including <net/if.h>.
61 #ifdef HAVE_SYS_SOCKIO_H
62 # include <sys/sockio.h>
68 #include "capture-wpcap.h"
71 #include "pcap-util.h"
74 * Get the data-link type for a libpcap device.
75 * This works around AIX 5.x's non-standard and incompatible-with-the-
76 * rest-of-the-universe libpcap.
/*
 * get_pcap_linktype: reads the link-layer type with pcap_datalink() and,
 * per the comments below, remaps an AIX ifType value to the standard DLT_
 * value when the interface-name prefix and the numeric value agree.
 * NOTE(review): this listing omits lines; the notes added here describe
 * only what the visible lines show.
 */
79 get_pcap_linktype(pcap_t *pch, char *devname
90 linktype = pcap_datalink(pch);
94 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
95 * rather than DLT_ values for link-layer types; the ifType values
96 * for LAN devices are:
103 * and the ifType value for a loopback device is 24.
105 * The AIX names for LAN devices begin with:
112 * and the AIX names for loopback devices begin with "lo".
114 * (The difference between "Ethernet" and "802.3" is presumably
115 * whether packets have an Ethernet header, with a packet type,
116 * or an 802.3 header, with a packet length, followed by an 802.2
117 * header and possibly a SNAP header.)
119 * If the device name matches "linktype" interpreted as an ifType
120 * value, rather than as a DLT_ value, we will assume this is AIX's
121 * non-standard, incompatible libpcap, rather than a standard libpcap,
122 * and will map the link-layer type to the standard DLT_ value for
123 * that link-layer type, as that's what the rest of Ethereal expects.
125 * (This means the capture files won't be readable by a tcpdump
126 * linked with AIX's non-standard libpcap, but so it goes. They
127 * *will* be readable by standard versions of tcpdump, Ethereal,
130 * XXX - if we conclude we're using AIX libpcap, should we also
131 * set a flag to cause us to assume the time stamps are in
132 * seconds-and-nanoseconds form, and to convert them to
133 * seconds-and-microseconds form before processing them and
138 * Find the last component of the device name, which is the
/* NOTE(review): the comment above asks for the last path component, but
 * strchr() returns the first '/'; strrchr() would match the stated intent.
 * When a '/' is found, the visible lines leave ifacename pointing at the
 * slash itself, so the prefix tests below would compare against "/..." --
 * confirm against the omitted lines. */
141 ifacename = strchr(devname, '/');
142 if (ifacename == NULL)
/* NOTE(review): the parameter visible in the signature is "devname"; no
 * declaration of "devnames" appears in this listing. */
143 ifacename = devnames;
145 /* See if it matches any of the LAN device names. */
146 if (strncmp(ifacename, "en", 2) == 0) {
149 * That's the RFC 1573 value for Ethernet; map it
154 } else if (strncmp(ifacename, "et", 2) == 0) {
157 * That's the RFC 1573 value for 802.3; map it to
159 * (libpcap, tcpdump, Ethereal, etc. don't care if
160 * it's Ethernet or 802.3.)
/* NOTE(review): strncmp() takes a length argument; this call and the "fi"
 * and "lo" tests below pass only two arguments, unlike the "en" and "et"
 * tests above, which pass 2. */
164 } else if (strncmp(ifacename, "tr") == 0) {
167 * That's the RFC 1573 value for 802.5 (Token Ring);
168 * map it to DLT_IEEE802, which is what's used for
173 } else if (strncmp(ifacename, "fi") == 0) {
174 if (linktype == 15) {
176 * That's the RFC 1573 value for FDDI; map it to
181 } else if (strncmp(ifacename, "lo") == 0) {
182 if (linktype == 24) {
184 * That's the RFC 1573 value for "software loopback"
185 * devices; map it to DLT_NULL, which is what's used
186 * for loopback devices on BSD.
197 * If the ability to capture packets is added to Wiretap, these
198 * routines should be moved to the Wiretap source (with
199 * "get_interface_list()" and "free_interface_list()" renamed to
200 * "wtap_get_interface_list()" and "wtap_free_interface_list()",
201 * and modified to use Wiretap routines to attempt to open the
205 struct search_user_data {
211 search_for_if_cb(gpointer data, gpointer user_data);
214 free_if_cb(gpointer data, gpointer user_data);
/*
 * Builds one if_info_t list element. Both strings are copied with
 * g_strdup(), so the element owns its own copies and callers may pass
 * pointers into temporary buffers; a NULL description is stored as NULL.
 * The copies are released by free_if_cb().
 */
217 if_info_new(char *name, char *description)
221 if_info = g_malloc(sizeof (if_info_t));
222 if_info->name = g_strdup(name);
223 if (description == NULL)
224 if_info->description = NULL;
226 if_info->description = g_strdup(description);
/*
 * get_interface_list (SIOCGIFCONF variant): enumerates interfaces through
 * a datagram socket, skips "dummy", aliased, down and unopenable ones, and
 * builds a GList of if_info_t with loopback entries placed last.
 * err receives NO_INTERFACES_FOUND or CANT_GET_INTERFACE_LIST on the
 * failure paths visible below; err_str receives a formatted message.
 * NOTE(review): err_str arrives without a length. It is also handed to
 * pcap_open_live(), so it is presumably PCAP_ERRBUF_SIZE bytes -- TODO
 * confirm at the callers.
 */
232 get_interface_list(int *err, char *err_str)
235 gint nonloopback_pos = 0;
236 struct ifreq *ifr, *last;
238 struct ifreq ifrflags;
239 int sock = socket(AF_INET, SOCK_DGRAM, 0);
240 struct search_user_data user_data;
/* NOTE(review): sprintf() writes into err_str with no bound; a
 * length-limited formatter (snprintf or glib's g_snprintf) sized to the
 * caller's buffer would rule out an overrun if a message grows. The same
 * applies to the SIOCGIFFLAGS message further down. */
247 sprintf(err_str, "Error opening socket: %s",
253 * This code came from: W. Richard Stevens: "UNIX Network Programming",
254 * Networking APIs: Sockets and XTI, Vol 1, page 434.
/* Start with room for 100 entries; the visible lines below retry with a
 * buffer 10 entries larger until two consecutive calls report the same
 * ifc_len. */
257 len = 100 * sizeof(struct ifreq);
262 memset (buf, 0, len);
263 if (ioctl(sock, SIOCGIFCONF, &ifc) < 0) {
264 if (errno != EINVAL || lastlen != 0) {
266 "SIOCGIFCONF ioctl error getting list of interfaces: %s",
/* ifc_len is reported by the ioctl; reject a result too short to hold
 * even one struct ifreq before walking it. */
271 if ((unsigned) ifc.ifc_len < sizeof(struct ifreq)) {
273 "SIOCGIFCONF ioctl gave too small return buffer");
276 if (ifc.ifc_len == lastlen)
277 break; /* success, len has not changed */
278 lastlen = ifc.ifc_len;
280 len += 10 * sizeof(struct ifreq); /* increment */
/* "last" marks the end of the returned records and is derived from the
 * ioctl-reported ifc_len. */
283 ifr = (struct ifreq *) ifc.ifc_req;
284 last = (struct ifreq *) ((char *) ifr + ifc.ifc_len);
287 * Skip addresses that begin with "dummy", or that include
288 * a ":" (the latter are Solaris virtuals).
/* NOTE(review): strchr() here, and the "%s" and strcmp() uses of ifr_name
 * below, assume ifr_name is NUL-terminated; a name that fills the whole
 * field would not be -- confirm the platform guarantees a terminator. */
290 if (strncmp(ifr->ifr_name, "dummy", 5) == 0 ||
291 strchr(ifr->ifr_name, ':') != NULL)
295 * If we already have this interface name on the list,
296 * don't add it (SIOCGIFCONF returns, at least on
297 * BSD-flavored systems, one entry per interface *address*;
298 * if an interface has multiple addresses, we get multiple
/* "found" is cleared before every search because search_for_if_cb only
 * ever sets it. */
301 user_data.name = ifr->ifr_name;
302 user_data.found = FALSE;
303 g_list_foreach(il, search_for_if_cb, &user_data);
308 * Get the interface flags.
/* strncpy() with the full field size copies at most sizeof ifr_name bytes
 * and adds no terminator when the source fills the field; the memset
 * zero-fills the request struct first. */
310 memset(&ifrflags, 0, sizeof ifrflags);
311 strncpy(ifrflags.ifr_name, ifr->ifr_name,
312 sizeof ifrflags.ifr_name);
313 if (ioctl(sock, SIOCGIFFLAGS, (char *)&ifrflags) < 0) {
316 sprintf(err_str, "SIOCGIFFLAGS error getting flags for interface %s: %s",
317 ifr->ifr_name, strerror(errno));
322 * Skip interfaces that aren't up.
324 if (!(ifrflags.ifr_flags & IFF_UP))
328 * Skip interfaces that we can't open with "libpcap".
329 * Open with the minimum packet size - it appears that the
330 * IRIX SIOCSNOOPLEN "ioctl" may fail if the capture length
331 * supplied is too large, rather than just truncating it.
/* Openability probe: promiscuous mode is off (third argument 0).
 * NOTE(review): opening a live capture usually needs capture privileges,
 * so an unprivileged caller may see every interface skipped here; the
 * release of the probe handle is not among the visible lines -- confirm. */
333 pch = pcap_open_live(ifr->ifr_name, MIN_PACKET_SIZE, 0, 0,
340 * If it's a loopback interface, add it at the end of the
341 * list, otherwise add it after the last non-loopback
342 * interface, so all loopback interfaces go at the end - we
343 * don't want a loopback interface to be the default capture
344 * device unless there are no non-loopback devices.
346 if_info = if_info_new(ifr->ifr_name, NULL);
347 if ((ifrflags.ifr_flags & IFF_LOOPBACK) ||
348 strncmp(ifr->ifr_name, "lo", 2) == 0)
349 il = g_list_insert(il, if_info, -1);
351 il = g_list_insert(il, if_info, nonloopback_pos);
353 * Insert the next non-loopback interface after this
/* Advance to the next record. Where the sockaddr carries sa_len, a record
 * may be longer than sizeof(struct ifreq), so the stride uses the larger
 * of sa_len and sizeof(ifr_addr); the other variant steps by a fixed
 * sizeof(struct ifreq). */
361 ifr = (struct ifreq *) ((char *) ifr +
362 (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_addr) ?
363 ifr->ifr_addr.sa_len : sizeof(ifr->ifr_addr)) +
366 ifr = (struct ifreq *) ((char *) ifr + sizeof(struct ifreq));
372 * OK, maybe we have support for the "any" device, to do a cooked
373 * capture on all interfaces at once.
374 * Try opening it and, if that succeeds, add it to the end of
375 * the list of interfaces.
377 pch = pcap_open_live("any", MIN_PACKET_SIZE, 0, 0, err_str);
380 * It worked; we can use the "any" device.
382 if_info = if_info_new("any",
383 "Pseudo-device that captures on all interfaces");
384 il = g_list_insert(il, if_info, -1);
394 * No interfaces found.
396 *err = NO_INTERFACES_FOUND;
/* Failure path: release whatever was collected before reporting the error. */
402 free_interface_list(il);
405 *err = CANT_GET_INTERFACE_LIST;
/*
 * g_list_foreach() callback (see the call in get_interface_list): "data" is
 * a list element (if_info_t), "user_data" the struct search_user_data being
 * matched. Sets found to TRUE when the names are equal; it is never reset
 * here, so the caller clears it before each search.
 */
410 search_for_if_cb(gpointer data, gpointer user_data)
412 struct search_user_data *search_user_data = user_data;
413 if_info_t *if_info = data;
415 if (strcmp(if_info->name, search_user_data->name) == 0)
416 search_user_data->found = TRUE;
420 get_interface_list(int *err, char *err_str) {
424 char ascii_name[MAX_WIN_IF_NAME_LEN + 1];
425 char ascii_desc[MAX_WIN_IF_NAME_LEN + 1];
428 /* On Windows pcap_lookupdev is implemented by calling
429 * PacketGetAdapterNames. According to the documentation I can find
430 * (http://winpcap.polito.it/docs/dll.htm#PacketGetAdapterNames)
433 * On Windows OT (95, 98, Me), pcap_lookupdev returns a sequence of bytes
436 * a sequence of null-terminated ASCII strings (i.e., each one is
437 * terminated by a single 0 byte), giving the names of the interfaces;
439 * an empty ASCII string (i.e., a single 0 byte);
441 * a sequence of null-terminated ASCII strings, giving the
442 * descriptions of the interfaces;
444 * an empty ASCII string.
446 * On Windows NT (NT 4.0, W2K, WXP, W2K3, etc.), pcap_lookupdev returns
447 * a sequence of bytes consisting of:
449 * a sequence of null-terminated double-byte Unicode strings (i.e.,
450 * each one consists of a sequence of double-byte characters,
451 * terminated by a double-byte 0), giving the names of the interfaces;
453 * an empty Unicode string (i.e., a double 0 byte);
455 * a sequence of null-terminated ASCII strings, giving the
456 * descriptions of the interfaces;
458 * an empty ASCII string.
460 * The Nth string in the first sequence is the name of the Nth adapter;
461 * the Nth string in the second sequence is the description of the Nth
/* The buffer returned by pcap_lookupdev() is viewed as wide characters
 * first; the code below then chooses between the Unicode and the
 * ASCII layout described in the comment above.
 * NOTE(review): this listing omits lines; the notes added here describe
 * only what the visible lines show. */
465 names = (wchar_t *)pcap_lookupdev(err_str);
473 /* If names[0] is less than 256 it means the first byte is 0
474 This implies that we are using unicode characters */
/* Scan for the empty string that ends the name list.
 * NOTE(review): the loop reads index desc_pos-1, so desc_pos must start at
 * 1 or more (its initial value is not among the visible lines), and it
 * stops only at a double terminator: the walk is bounded by the contents
 * of the buffer returned by pcap_lookupdev(), not by a length. */
475 while(*(names+desc_pos) || *(names+desc_pos-1))
477 desc_pos++; /* Step over the extra '\0' */
478 desc = (char*)(names + desc_pos); /* cast *after* addition */
480 while (names[i] != 0)
483 * Copy the Unicode description to an ASCII
/* desc is a char pointer (see the cast above), so this copies bytes.
 * The store is limited to MAX_WIN_IF_NAME_LEN characters and ascii_desc
 * holds MAX_WIN_IF_NAME_LEN + 1, so the terminator below stays in bounds. */
488 if (j < MAX_WIN_IF_NAME_LEN)
489 ascii_desc[j++] = *desc;
492 ascii_desc[j] = '\0';
496 * Copy the Unicode name to an ASCII string.
/* NOTE(review): in the visible lines i advances only while
 * j < MAX_WIN_IF_NAME_LEN. Once j reaches the limit, names[i] stays
 * non-zero, so an adapter name of MAX_WIN_IF_NAME_LEN or more characters
 * would keep this loop from terminating unless the one omitted line
 * advances i. Advancing i on every iteration and storing only while j is
 * below the limit would truncate safely.
 * Each wchar_t is also narrowed to char without a range check, so
 * characters outside the 8-bit range are silently altered. */
499 while (names[i] != 0) {
500 if (j < MAX_WIN_IF_NAME_LEN)
501 ascii_name[j++] = names[i++];
503 ascii_name[j] = '\0';
/* if_info_new() duplicates both strings, so the stack buffers can be
 * reused for the next adapter. */
505 il = g_list_append(il,
506 if_info_new(ascii_name, ascii_desc));
510 /* Otherwise we are in Windows 95/98 and using ASCII
511 (8 bit) characters */
512 win95names=(char *)names;
/* Same terminator scan as the Unicode branch, byte-wise; the same
 * desc_pos-1 and double-terminator assumptions apply. */
513 while(*(win95names+desc_pos) || *(win95names+desc_pos-1))
515 desc_pos++; /* Step over the extra '\0' */
516 desc = win95names + desc_pos;
518 while (win95names[i] != '\0')
521 * "&win95names[i]" points to the current interface
522 * name, and "desc" points to that interface's
525 il = g_list_append(il,
526 if_info_new(&win95names[i], desc));
529 * Skip to the next description.
536 * Skip to the next name.
538 while (win95names[i] != 0)
547 * No interfaces found.
549 *err = NO_INTERFACES_FOUND;
/*
 * g_list_foreach() callback used by free_interface_list(): releases the
 * name and description strings that if_info_new() duplicated with g_strdup().
 * g_free() accepts NULL, so the description guard is not strictly needed.
 * user_data is not used here (presumably what the _U_ marker denotes).
 * NOTE(review): the release of the if_info_t record itself is not among the
 * visible lines -- confirm it is freed here.
 */
556 free_if_cb(gpointer data, gpointer user_data _U_)
558 if_info_t *if_info = data;
560 g_free(if_info->name);
561 if (if_info->description != NULL)
562 g_free(if_info->description);
/*
 * Frees an interface list such as the one built by get_interface_list():
 * first the payload of every element via free_if_cb, then the list nodes
 * with g_list_free(). The caller's pointer is stale afterwards and must
 * not be reused.
 */
566 free_interface_list(GList *if_list)
568 g_list_foreach(if_list, free_if_cb, NULL);
569 g_list_free(if_list);
572 #endif /* HAVE_LIBPCAP */