6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
40 #include <epan/address.h>
41 #include <epan/addr_resolv.h>
42 #include <epan/strutil.h>
47 * Collect command-line arguments as a string consisting of the arguments,
48 * separated by spaces.
51 get_args_as_string(int argc, char **argv, int optindex)
58 * Find out how long the string will be.
61 for (i = optindex; i < argc; i++) {
62 len += (int) strlen(argv[i]);
63 len++; /* space, or '\0' if this is the last argument */
67 * Allocate the buffer for the string.
69 argstring = (char *)g_malloc(len);
72 * Now construct the string.
77 g_strlcat(argstring, argv[i], len);
81 g_strlcat(argstring, " ", len);
86 /* Compute the difference between two seconds/microseconds time stamps. */
88 compute_timestamp_diff(gint *diffsec, gint *diffusec,
89 guint32 sec1, guint32 usec1, guint32 sec2, guint32 usec2)
92 /* The seconds part of the first time is the same as the seconds
93 part of the second time, so if the microseconds part of the first
94 time is less than the microseconds part of the second time, the
95 first time is before the second time. The microseconds part of
96 the delta should just be the difference between the microseconds
97 part of the first time and the microseconds part of the second
98 time; don't adjust the seconds part of the delta, as it's OK if
99 the microseconds part is negative. */
101 *diffsec = sec1 - sec2;
102 *diffusec = usec1 - usec2;
103 } else if (sec1 <= sec2) {
104 /* The seconds part of the first time is less than the seconds part
105 of the second time, so the first time is before the second time.
107 Both the "seconds" and "microseconds" value of the delta
108 should have the same sign, so if the difference between the
109 microseconds values would be *positive*, subtract 1,000,000
110 from it, and add one to the seconds value. */
111 *diffsec = sec1 - sec2;
112 if (usec2 >= usec1) {
113 *diffusec = usec1 - usec2;
115 *diffusec = (usec1 - 1000000) - usec2;
119 /* Oh, good, we're not caught in a chronosynclastic infindibulum. */
120 *diffsec = sec1 - sec2;
121 if (usec2 <= usec1) {
122 *diffusec = usec1 - usec2;
124 *diffusec = (usec1 + 1000000) - usec2;
130 /* Remove any %<interface_name> from an IP address. */
131 char *sanitize_filter_ip(char *hostname) {
135 ret = g_strdup(hostname);
139 end = strchr(ret, '%');
145 /* Try to figure out if we're remotely connected, e.g. via ssh or
146 Terminal Server, and create a capture filter that matches aspects of the
147 connection. We match the following environment variables:
149 SSH_CONNECTION (ssh): <remote IP> <remote port> <local IP> <local port>
150 SSH_CLIENT (ssh): <remote IP> <remote port> <local port>
151 REMOTEHOST (tcsh, others?): <remote name>
152 DISPLAY (x11): [remote name]:<display num>
153 SESSIONNAME (terminal server): <remote name>
156 const gchar *get_conn_cfilter(void) {
157 static GString *filter_str = NULL;
158 gchar *env, **tokens;
159 char *lastp, *lastc, *p;
160 char *pprotocol = NULL;
161 char *phostname = NULL;
165 if (filter_str == NULL) {
166 filter_str = g_string_new("");
168 if ((env = getenv("SSH_CONNECTION")) != NULL) {
169 tokens = g_strsplit(env, " ", 4);
171 remip = sanitize_filter_ip(tokens[0]);
172 locip = sanitize_filter_ip(tokens[2]);
173 g_string_printf(filter_str, "not (tcp port %s and %s host %s "
174 "and tcp port %s and %s host %s)", tokens[1], host_ip_af(remip), remip,
175 tokens[3], host_ip_af(locip), locip);
178 return filter_str->str;
180 } else if ((env = getenv("SSH_CLIENT")) != NULL) {
181 tokens = g_strsplit(env, " ", 3);
182 remip = sanitize_filter_ip(tokens[2]);
183 g_string_printf(filter_str, "not (tcp port %s and %s host %s "
184 "and tcp port %s)", tokens[1], host_ip_af(remip), tokens[0], remip);
186 return filter_str->str;
187 } else if ((env = getenv("REMOTEHOST")) != NULL) {
188 /* FreeBSD 7.0 sets REMOTEHOST to an empty string */
189 if (g_ascii_strcasecmp(env, "localhost") == 0 ||
190 strcmp(env, "127.0.0.1") == 0 ||
191 strcmp(env, "") == 0) {
194 remip = sanitize_filter_ip(env);
195 g_string_printf(filter_str, "not %s host %s", host_ip_af(remip), remip);
197 return filter_str->str;
198 } else if ((env = getenv("DISPLAY")) != NULL) {
200 * This mirrors what _X11TransConnectDisplay() does.
201 * Note that, on some systems, the hostname can
202 * begin with "/", which means that it's a pathname
203 * of a UNIX domain socket to connect to.
205 * The comments mirror those in _X11TransConnectDisplay(),
208 * Display names may be of the following format:
210 * [protoco./] [hostname] : [:] displaynumber [.screennumber]
212 * A string with exactly two colons separating hostname
213 * from the display indicates a DECnet style name. Colons
214 * in the hostname may occur if an IPv6 numeric address
215 * is used as the hostname. An IPv6 numeric address may
216 * also end in a double colon, so three colons in a row
217 * indicates an IPv6 address ending in :: followed by
218 * :display. To make it easier for people to read, an
219 * IPv6 numeric address hostname may be surrounded by []
220 * in a similar fashion to the IPv6 numeric address URL
221 * syntax defined by IETF RFC 2732.
223 * If no hostname and no protocol is specified, the string
224 * is interpreted as the most efficient local connection
225 * to a server on the same machine. This is usually:
229 * o UNIX domain socket
230 * o TCP to local host.
236 * Step 0, find the protocol. This is delimited by
237 * the optional slash ('/').
239 for (lastp = p; *p != '\0' && *p != ':' && *p != '/'; p++)
242 return ""; /* must have a colon */
244 if (p != lastp && *p != ':') { /* protocol given? */
249 if (p - lastp != 3 || g_ascii_strncasecmp(lastp, "tcp", 3) != 0)
250 return ""; /* not TCP */
251 p++; /* skip the '/' */
253 p = env; /* reset the pointer in
254 case no protocol was given */
257 * Step 1, find the hostname. This is delimited either by
258 * one colon, or two colons in the case of DECnet (DECnet
259 * Phase V allows a single colon in the hostname). (See
260 * note above regarding IPv6 numeric addresses with
261 * triple colons or [] brackets.)
265 for (; *p != '\0'; p++)
270 return ""; /* must have a colon */
272 if ((lastp != lastc) && (*(lastc - 1) == ':')
273 && (((lastc - 1) == lastp) || (*(lastc - 2) != ':'))) {
274 /* DECnet display specified */
277 hostlen = lastc - lastp;
280 return ""; /* no hostname supplied */
282 phostname = (char *)g_malloc(hostlen + 1);
283 memcpy(phostname, lastp, hostlen);
284 phostname[hostlen] = '\0';
286 if (pprotocol == NULL) {
288 * No protocol was explicitly specified, so it
289 * could be a local connection over a transport
292 * Does the host name refer to the local host?
293 * If so, the connection would probably be a
296 * XXX - compare against our host name?
297 * _X11TransConnectDisplay() does.
299 if (g_ascii_strcasecmp(phostname, "localhost") == 0 ||
300 strcmp(phostname, "127.0.0.1") == 0) {
306 * A host name of "unix" (case-sensitive) also
307 * causes a local connection.
309 if (strcmp(phostname, "unix") == 0) {
315 * Does the host name begin with "/"? If so,
316 * it's presumed to be the pathname of a
317 * UNIX domain socket.
319 if (phostname[0] == '/') {
325 g_string_printf(filter_str, "not %s host %s",
326 host_ip_af(phostname), phostname);
328 return filter_str->str;
329 } else if ((env = getenv("SESSIONNAME")) != NULL) {
330 /* Apparently the KB article at
331 * http://technet2.microsoft.com/WindowsServer/en/library/6caf87bf-3d70-4801-9485-87e9ec3df0171033.mspx?mfr=true
332 * is incorrect. There are _plenty_ of cases where CLIENTNAME
333 * and SESSIONNAME are set outside of a Terminal Terver session.
334 * It looks like Terminal Server sets SESSIONNAME to RDP-TCP#<number>
335 * for "real" sessions.
337 * XXX - There's a better way to do this described at
338 * http://www.microsoft.com/technet/archive/termsrv/maintain/featusability/tsrvapi.mspx?mfr=true
340 if (g_ascii_strncasecmp(env, "rdp", 3) == 0) {
341 g_string_printf(filter_str, "not tcp port 3389");
342 return filter_str->str;