2 * Utility routines for packet capture
4 * $Id: pcap-util.c,v 1.5 2002/04/01 03:55:44 guy Exp $
6 * Ethereal - Network traffic analyzer
7 * By Gerald Combs <gerald@ethereal.com>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
42 #ifdef HAVE_SYS_TYPES_H
43 #include <sys/types.h>
46 #ifdef HAVE_SYS_SOCKET_H
47 #include <sys/socket.h>
50 #ifdef HAVE_SYS_IOCTL_H
51 #include <sys/ioctl.h>
60 #ifdef HAVE_SYS_SOCKIO_H
61 # include <sys/sockio.h>
67 #include "capture-wpcap.h"
70 #include "pcap-util.h"
73 * Get the data-link type for a libpcap device.
74 * This works around AIX 5.x's non-standard and incompatible-with-the-
75 * rest-of-the-universe libpcap.
/*
 * NOTE(review): fragmentary listing - the gutter numbers skip lines (78 to
 * 89, and so on), so the return type, the local declarations, the closing
 * braces and the statements that assign the mapped DLT_ values are not
 * visible here.
 *
 * From the visible lines: reads the link-layer type with pcap_datalink()
 * and then compares the start of the interface name against the AIX LAN
 * device prefixes (en, et, tr, fi) to decide whether linktype should be
 * read as an RFC 1573 ifType value, as the comments below describe.
 */
78 get_pcap_linktype(pcap_t *pch, char *devname
89 linktype = pcap_datalink(pch);
93 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
94 * rather than DLT_ values for link-layer types; the ifType values
95 * for LAN devices are:
102 * The AIX names for LAN devices begin with:
109 * (The difference between "Ethernet" and "802.3" is presumably
110 * whether packets have an Ethernet header, with a packet type,
111 * or an 802.3 header, with a packet length, followed by an 802.2
112 * header and possibly a SNAP header.)
114 * If the device name matches "linktype" interpreted as an ifType
115 * value, rather than as a DLT_ value, we will assume this is AIX's
116 * non-standard, incompatible libpcap, rather than a standard libpcap,
117 * and will map the link-layer type to the standard DLT_ value for
118 * that link-layer type, as that's what the rest of Ethereal expects.
120 * (This means the capture files won't be readable by a tcpdump
121 * linked with AIX's non-standard libpcap, but so it goes. They
122 * *will* be readable by standard versions of tcpdump, Ethereal,
125 * XXX - if we conclude we're using AIX libpcap, should we also
126 * set a flag to cause us to assume the time stamps are in
127 * seconds-and-nanoseconds form, and to convert them to
128 * seconds-and-microseconds form before processing them and
133 * Find the last component of the device name, which is the
/*
 * NOTE(review): strchr() returns the FIRST slash, while the comment above
 * asks for the last component (strrchr() would give the last slash). The
 * returned pointer also still points at the slash itself, so the
 * two-character prefix tests below would not match a path-style name
 * unless it is advanced by one - confirm against the lines this listing
 * omits.
 * The fallback assigns devnames, but the parameter visible in the
 * signature is devname; no devnames declaration is visible here.
 */
136 ifacename = strchr(devname, '/');
137 if (ifacename == NULL)
138 ifacename = devnames;
140 /* See if it matches any of the LAN device names. */
141 if (strncmp(ifacename, "en", 2) == 0) {
144 * That's the RFC 1573 value for Ethernet; map it
149 } else if (strncmp(ifacename, "et", 2) == 0) {
152 * That's the RFC 1573 value for 802.3; map it to
154 * (libpcap, tcpdump, Ethereal, etc. don't care if
155 * it's Ethernet or 802.3.)
/*
 * NOTE(review): this strncmp() call and the one in the fi branch below pass
 * only two arguments; the en and et branches above pass a length of 2.
 * strncmp() takes three arguments, so these two branches would not compile
 * as shown - presumably this code sits in a rarely built AIX-only section.
 */
159 } else if (strncmp(ifacename, "tr") == 0) {
162 * That's the RFC 1573 value for 802.5 (Token Ring);
163 * map it to DLT_IEEE802, which is what's used for
168 } else if (strncmp(ifacename, "fi") == 0) {
169 if (linktype == 15) {
171 * That's the RFC 1573 value for FDDI; map it to
183 * If the ability to capture packets is added to Wiretap, these
184 * routines should be moved to the Wiretap source (with
185 * "get_interface_list()" and "free_interface_list()" renamed to
186 * "wtap_get_interface_list()" and "wtap_free_interface_list()",
187 * and modified to use Wiretap routines to attempt to open the
191 struct search_user_data {
197 search_for_if_cb(gpointer data, gpointer user_data);
200 free_if_cb(gpointer data, gpointer user_data);
/*
 * NOTE(review): fragmentary listing - the gutter numbers skip lines, so the
 * return type, several declarations, braces and the return statements of
 * this function are not visible here.
 *
 * From the visible lines: enumerates interfaces with the SIOCGIFCONF ioctl,
 * skips names that start with dummy or contain a colon and names already on
 * the list, fetches the flags with SIOCGIFFLAGS and skips interfaces that
 * are not IFF_UP, tries pcap_open_live() on each candidate, keeps loopback
 * interfaces at the end of the list, and finally tries the any device.
 * Error codes are stored through err (NO_INTERFACES_FOUND,
 * CANT_GET_INTERFACE_LIST) and error text is written into err_str.
 */
204 get_interface_list(int *err, char *err_str)
207 gint nonloopback_pos = 0;
208 struct ifreq *ifr, *last;
210 struct ifreq ifrflags;
211 int sock = socket(AF_INET, SOCK_DGRAM, 0);
212 struct search_user_data user_data;
/*
 * NOTE(review): sprintf() puts no bound on what is written into err_str.
 * The same buffer is handed to pcap_open_live() as its error buffer further
 * down, so it is presumably PCAP_ERRBUF_SIZE bytes - confirm against the
 * callers. The strerror() text here, and the interface name in the
 * SIOCGIFFLAGS message below, are variable length; snprintf() or
 * g_snprintf() with the buffer size would bound the write.
 */
218 sprintf(err_str, "Error opening socket: %s",
224 * This code came from: W. Richard Stevens: "UNIX Network Programming",
225 * Networking APIs: Sockets and XTI, Vol 1, page 434.
/*
 * Start with room for 100 entries; the visible loop lines repeat the ioctl
 * with a buffer grown by 10 entries until the returned length stops
 * changing between two calls.
 */
228 len = 100 * sizeof(struct ifreq);
233 memset (buf, 0, len);
234 if (ioctl(sock, SIOCGIFCONF, &ifc) < 0) {
235 if (errno != EINVAL || lastlen != 0) {
237 "SIOCGIFCONF ioctl error getting list of interfaces: %s",
242 if ((unsigned) ifc.ifc_len < sizeof(struct ifreq)) {
244 "SIOCGIFCONF ioctl gave too small return buffer");
247 if (ifc.ifc_len == lastlen)
248 break; /* success, len has not changed */
249 lastlen = ifc.ifc_len;
251 len += 10 * sizeof(struct ifreq); /* increment */
/* last is one past the end of the data the ioctl returned. */
254 ifr = (struct ifreq *) ifc.ifc_req;
255 last = (struct ifreq *) ((char *) ifr + ifc.ifc_len);
258 * Skip addresses that begin with "dummy", or that include
259 * a ":" (the latter are Solaris virtuals).
/*
 * NOTE(review): strchr() here, and strcmp(), g_strdup() and the %s format
 * further down, all treat ifr_name as a NUL-terminated string. ifr_name is
 * a fixed-size array; a name that fills it completely has no terminator -
 * presumably the kernel never returns one that long, confirm per platform.
 */
261 if (strncmp(ifr->ifr_name, "dummy", 5) == 0 ||
262 strchr(ifr->ifr_name, ':') != NULL)
266 * If we already have this interface name on the list,
267 * don't add it (SIOCGIFCONF returns, at least on
268 * BSD-flavored systems, one entry per interface *address*;
269 * if an interface has multiple addresses, we get multiple
272 user_data.name = ifr->ifr_name;
273 user_data.found = FALSE;
274 g_list_foreach(il, search_for_if_cb, &user_data);
279 * Get the interface flags.
/*
 * NOTE(review): strncpy() with the full destination size does not add a
 * terminator when the source fills the field. The memset() above zeroes
 * ifrflags first, so the copy is terminated for every shorter name.
 */
281 memset(&ifrflags, 0, sizeof ifrflags);
282 strncpy(ifrflags.ifr_name, ifr->ifr_name,
283 sizeof ifrflags.ifr_name);
284 if (ioctl(sock, SIOCGIFFLAGS, (char *)&ifrflags) < 0) {
/*
 * NOTE(review): unbounded sprintf() into err_str again; this message
 * carries both the interface name and the strerror() text.
 */
287 sprintf(err_str, "SIOCGIFFLAGS error getting flags for interface %s: %s",
288 ifr->ifr_name, strerror(errno));
293 * Skip interfaces that aren't up.
295 if (!(ifrflags.ifr_flags & IFF_UP))
299 * Skip interfaces that we can't open with "libpcap".
300 * Open with the minimum packet size - it appears that the
301 * IRIX SIOCSNOOPLEN "ioctl" may fail if the capture length
302 * supplied is too large, rather than just truncating it.
304 pch = pcap_open_live(ifr->ifr_name, MIN_PACKET_SIZE, 0, 0,
311 * If it's a loopback interface, add it at the end of the
312 * list, otherwise add it after the last non-loopback
313 * interface, so all loopback interfaces go at the end - we
314 * don't want a loopback interface to be the default capture
315 * device unless there are no non-loopback devices.
/* Each list entry is a g_strdup() copy of the name, owned by the list. */
317 if ((ifrflags.ifr_flags & IFF_LOOPBACK) ||
318 strncmp(ifr->ifr_name, "lo", 2) == 0)
319 il = g_list_insert(il, g_strdup(ifr->ifr_name), -1);
321 il = g_list_insert(il, g_strdup(ifr->ifr_name),
324 * Insert the next non-loopback interface after this
/*
 * Step to the next entry: the first form sizes the step from sa_len, the
 * second uses a fixed sizeof(struct ifreq). The preprocessor condition that
 * selects between them is not visible in this listing.
 */
332 ifr = (struct ifreq *) ((char *) ifr +
333 (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_addr) ?
334 ifr->ifr_addr.sa_len : sizeof(ifr->ifr_addr)) +
337 ifr = (struct ifreq *) ((char *) ifr + sizeof(struct ifreq));
343 * OK, maybe we have support for the "any" device, to do a cooked
344 * capture on all interfaces at once.
345 * Try opening it and, if that succeeds, add it to the end of
346 * the list of interfaces.
348 pch = pcap_open_live("any", MIN_PACKET_SIZE, 0, 0, err_str);
351 * It worked; we can use the "any" device.
353 il = g_list_insert(il, g_strdup("any"), -1);
363 * No interfaces found.
365 *err = NO_INTERFACES_FOUND;
/* Failure path: release the entries collected so far before reporting. */
371 g_list_foreach(il, free_if_cb, NULL);
376 *err = CANT_GET_INTERFACE_LIST;
/*
 * g_list_foreach() callback used by get_interface_list() to detect
 * duplicates: data is one list entry (an interface name string) and
 * user_data points to a struct search_user_data. Sets found to TRUE when
 * the entry equals the name being searched for; found is never reset here,
 * so the caller clears it before each search.
 */
381 search_for_if_cb(gpointer data, gpointer user_data)
383 struct search_user_data *search_user_data = user_data;
385 if (strcmp((char *)data, search_user_data->name) == 0)
386 search_user_data->found = TRUE;
/*
 * NOTE(review): fragmentary listing - the gutter numbers skip lines, so the
 * declarations (names, win95names, desc, newname, i, j, desc_pos), the
 * branch condition and the loop structure are not visible here.
 *
 * Windows variant of get_interface_list(). From the visible lines: takes
 * the adapter list returned by pcap_lookupdev(), locates the description
 * block that follows the double-NUL after the names, and appends one
 * g_strdup() copy of newname to the list per adapter, handling the wide
 * (NT) and 8-bit (Windows 95/98) layouts separately.
 */
390 get_interface_list(int *err, char *err_str) {
397 /* On Windows pcap_lookupdev is implemented by calling
398 * PacketGetAdapterNames. According to the documentation I can find
399 * (http://winpcap.polito.it/docs/dll.htm#PacketGetAdapterNames)
402 * On Windows 95x, pcap_lookupdev returns an ASCII string with the
403 * names of the adapters separated by a single ASCII "\0", a double
404 * "\0", followed by the descriptions of the adapters separated by a
405 * single ASCII "\0" . The string is terminated by a double "\0".
407 * On Windows NTx, pcap_lookupdev returns the names of the adapters,
408 * in UNICODE format, separated by a single UNICODE "\0" (i.e. 2
409 * ASCII "\0"), a double UNICODE "\0", followed by the descriptions
410 * of the adapters, in ASCII format, separated by a single ASCII
411 * "\0" . The string is terminated by a double ASCII "\0".
413 names = (wchar_t *)pcap_lookupdev(err_str);
421 /* If names[0] is less than 256 it means the first byte is 0
422 This implies that we are using unicode characters */
/*
 * NOTE(review): this scan for the double terminator has no length bound; it
 * relies entirely on the buffer from pcap_lookupdev() being laid out as
 * described above. It also reads the element at desc_pos - 1, which is one
 * before the start of the buffer if desc_pos begins at 0 - the initial
 * value is not visible in this listing, confirm. The same applies to the
 * 8-bit scan over win95names further down.
 */
423 while(*(names+desc_pos) || *(names+desc_pos-1))
425 desc_pos++; /* Step over the extra '\0' */
426 desc = (char*)(names + desc_pos); /* cast *after* addition */
/*
 * NOTE(review): the copies into newname below (name, then description) are
 * driven only by the terminators in the source data. The declaration of
 * newname and any check of j against its size are not visible in this
 * listing; if newname is a fixed-size array, a long adapter name or
 * description would write past its end - confirm and bound j. The
 * wide-to-narrow assignment also keeps only the low bits of each character.
 */
431 while (names[i] != 0)
432 newname[j++] = names[i++];
440 newname[j++] = *desc++;
445 il = g_list_append(il, g_strdup(newname));
449 /* Otherwise we are in Windows 95/98 and using ascii(8 bit)
451 win95names=(char *)names;
452 while(*(win95names+desc_pos) || *(win95names+desc_pos-1))
454 desc_pos++; /* Step over the extra '\0' */
455 desc = win95names + desc_pos;
/* NOTE(review): same unbounded copy into newname as in the wide branch. */
460 while (win95names[i] != 0)
461 newname[j++] = win95names[i++];
463 if (win95names[i] == 0)
468 newname[j++] = *desc++;
472 il = g_list_append(il, g_strdup(newname));
481 free_if_cb(gpointer data, gpointer user_data _U_)
/*
 * Frees the interface-name strings held in if_list, walking the list from
 * the head until it is empty.
 *
 * NOTE(review): g_list_remove_link() unlinks the node and returns the new
 * head but does not free the node itself, and no other call releasing it is
 * visible between these lines, so each GList node appears to leak. Passing
 * the removed node to g_list_free_1(), or freeing the data in one pass and
 * then calling g_list_free() on the whole list, would release the nodes.
 */
487 free_interface_list(GList *if_list)
489 while (if_list != NULL) {
490 g_free(if_list->data);
491 if_list = g_list_remove_link(if_list, if_list);
495 #endif /* HAVE_LIBPCAP */