5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include <stdlib.h> /* for exit() */
33 #ifdef HAVE_SYS_TYPES_H
34 # include <sys/types.h>
37 #ifdef HAVE_SYS_SOCKET_H
38 #include <sys/socket.h>
41 #ifdef HAVE_NETINET_IN_H
42 #include <netinet/in.h>
45 #ifdef HAVE_SYS_STAT_H
46 # include <sys/stat.h>
57 #ifdef HAVE_ARPA_INET_H
58 #include <arpa/inet.h>
61 #if defined(__APPLE__) && defined(__LP64__)
62 #include <sys/utsname.h>
69 #include "wsutil/wsgetopt.h"
77 # include <sys/prctl.h>
78 # include <sys/capability.h>
81 #include "ringbuffer.h"
82 #include "clopts_common.h"
83 #include "console_io.h"
84 #include "cmdarg_err.h"
85 #include "version_info.h"
87 #include "capture-pcap-util.h"
89 #include "capture-wpcap.h"
95 #include "capture-wpcap.h"
96 #include <wsutil/unicode-utils.h>
103 #ifdef NEED_INET_V6DEFS_H
104 # include "wsutil/inet_v6defs.h"
107 #include <wsutil/privileges.h>
109 #include "sync_pipe.h"
111 #include "capture_opts.h"
112 #include "capture_ifinfo.h"
113 #include "capture_sync.h"
115 #include "conditions.h"
116 #include "capture_stop_conditions.h"
118 #include "tempfile.h"
120 #include "wsutil/file_util.h"
122 #include "ws80211_utils.h"
125 * Get information about libpcap format from "wiretap/libpcap.h".
126 * XXX - can we just use pcap_open_offline() to read the pipe?
128 #include "wiretap/libpcap.h"
130 /**#define DEBUG_DUMPCAP**/
131 /**#define DEBUG_CHILD_DUMPCAP**/
135 #include <conio.h> /* _getch() */
139 #ifdef DEBUG_CHILD_DUMPCAP
140 FILE *debug_log; /* for logging debug messages to */
141 /* a file if DEBUG_CHILD_DUMPCAP */
145 static GAsyncQueue *pcap_queue;
146 static gint64 pcap_queue_bytes;
147 static gint64 pcap_queue_packets;
148 static gint64 pcap_queue_byte_limit = 1024 * 1024;
149 static gint64 pcap_queue_packet_limit = 1000;
151 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
153 static gchar *sig_pipe_name = NULL;
154 static HANDLE sig_pipe_handle = NULL;
155 static gboolean signal_pipe_check_running(void);
159 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
160 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
163 /** Stop a low-level capture (stops the capture child). */
164 static void capture_loop_stop(void);
165 /** Close a pipe, or socket if \a from_socket is TRUE */
166 static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_);
168 #if !defined (__linux__)
169 #ifndef HAVE_PCAP_BREAKLOOP
171 * We don't have pcap_breakloop(), which is the only way to ensure that
172 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
173 * won't, if the call to read the next packet or batch of packets is
174 * is interrupted by a signal on UN*X, just go back and try again to
177 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
178 * the signal handler, set a flag to stop capturing; however, without
179 * a guarantee of that sort, we can't guarantee that we'll stop capturing
180 * if the read will be retried and won't time out if no packets arrive.
182 * Therefore, on at least some platforms, we work around the lack of
183 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
184 * to wait for packets to arrive, so that we're probably going to be
185 * blocked in the select() when the signal arrives, and can just bail
186 * out of the loop at that point.
188 * However, we don't want to do that on BSD (because "select()" doesn't work
189 * correctly on BPF devices on at least some releases of some flavors of
190 * BSD), and we don't want to do it on Windows (because "select()" is
191 * something for sockets, not for arbitrary handles). (Note that "Windows"
192 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
193 * using WinPcap, not a UNIX libpcap.)
195 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
196 * on BSD times out even if no packets have arrived, so we'll eventually
197 * exit pcap_dispatch() with an indication that no packets have arrived,
198 * and will break out of the capture loop at that point.
200 * On Windows, we can't send a SIGINT to stop capturing, so none of this
201 * applies in any case.
203 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
204 * want to include it if it's not present on this platform, however.
206 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
207 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
209 # define MUST_DO_SELECT
210 # endif /* avoid select */
211 #endif /* HAVE_PCAP_BREAKLOOP */
213 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
214 * in pcap_dispatch(); on the other hand, select() works just fine there.
215 * Hence we use a select for that come what may.
217 #define MUST_DO_SELECT
220 /** init the capture filter */
223 INITFILTER_BAD_FILTER,
224 INITFILTER_OTHER_ERROR
225 } initfilter_status_t;
227 typedef struct _pcap_options {
231 #ifdef MUST_DO_SELECT
232 int pcap_fd; /* pcap file descriptor */
239 gboolean ts_nsec; /* TRUE if we're using nanosecond precision. */
240 /* capture pipe (unix only "input file") */
241 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
242 gboolean from_cap_socket; /* TRUE if we're capturing from socket */
243 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
244 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
246 HANDLE cap_pipe_h; /* The handle of the capture pipe */
248 int cap_pipe_fd; /* the file descriptor of the capture pipe */
249 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
250 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
252 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
254 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
255 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
257 STATE_EXPECT_REC_HDR,
262 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
264 GMutex *cap_pipe_read_mtx;
265 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
269 typedef struct _loop_data {
271 gboolean go; /* TRUE as long as we're supposed to keep capturing */
272 int err; /* if non-zero, error seen while capturing */
273 gint packet_count; /* Number of packets we have already captured */
274 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
275 guint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
277 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
284 guint32 autostop_files;
287 typedef struct _pcap_queue_element {
288 pcap_options *pcap_opts;
289 struct pcap_pkthdr phdr;
291 } pcap_queue_element;
294 * Standard secondary message for unexpected errors.
296 static const char please_report[] =
297 "Please report this to the Wireshark developers.\n"
298 "(This is not a crash; please do not report it as such.)";
301 * This needs to be static, so that the SIGINT handler can clear the "go"
304 static loop_data global_ld;
308 * Timeout, in milliseconds, for reads from the stream of captured packets
309 * from a capture device.
311 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
312 * 64-bit applications, with sub-second timeouts not to work. The bug is
313 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
315 #if defined(__APPLE__) && defined(__LP64__)
316 static gboolean need_timeout_workaround;
318 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
320 #define CAP_READ_TIMEOUT 250
324 * Timeout, in microseconds, for reads from the stream of captured packets
325 * from a pipe. Pipes don't have the same problem that BPF devices do
326 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
327 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
328 * of the offending versions of Snow Leopard.
330 * On Windows this value is converted to milliseconds and passed to
331 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
332 * will return immediately.
335 #define PIPE_READ_TIMEOUT 100000
337 #define PIPE_READ_TIMEOUT 250000
340 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
343 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
344 const char *message, gpointer user_data _U_);
346 /* capture related options */
347 static capture_options global_capture_opts;
348 static gboolean quiet = FALSE;
349 static gboolean use_threads = FALSE;
350 static guint64 start_time;
352 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
354 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
356 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
357 int err, gboolean is_close);
359 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
361 static void report_new_capture_file(const char *filename);
362 static void report_packet_count(unsigned int packet_count);
363 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
364 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
365 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
367 #define MSG_MAX_LENGTH 4096
369 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
371 create_timestamp(void) {
381 * Current time, represented as 100-nanosecond intervals since
382 * January 1, 1601, 00:00:00 UTC.
384 * I think DWORD might be signed, so cast both parts of "now"
385 * to guint32 so that the sign bit doesn't get treated specially.
387 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
388 * might want to use instead.
390 GetSystemTimeAsFileTime(&now);
391 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
392 (guint32)now.dwLowDateTime;
395 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
401 * Subtract difference, in microseconds, between January 1, 1601
402 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
404 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
407 * Current time, represented as seconds and microseconds since
408 * January 1, 1970, 00:00:00 UTC.
410 gettimeofday(&now, NULL);
413 * Convert to delta in microseconds.
415 timestamp = (guint64)(now.tv_sec) * 1000000 +
416 (guint64)(now.tv_usec);
422 print_usage(gboolean print_ver)
429 "Dumpcap " VERSION "%s\n"
430 "Capture network packets and dump them into a pcapng file.\n"
431 "See http://www.wireshark.org for more information.\n",
432 wireshark_svnversion);
436 fprintf(output, "\nUsage: dumpcap [options] ...\n");
437 fprintf(output, "\n");
438 fprintf(output, "Capture interface:\n");
439 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback),\n"
440 " or for remote capturing, use one of these formats:\n"
441 " rpcap://<host>/<interface>\n"
442 " TCP@<host>:<port>\n");
443 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
444 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
445 fprintf(output, " -p don't capture in promiscuous mode\n");
446 #ifdef HAVE_PCAP_CREATE
447 fprintf(output, " -I capture in monitor mode, if available\n");
449 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
450 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
452 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
453 fprintf(output, " -D print list of interfaces and exit\n");
454 fprintf(output, " -L print list of link-layer types of iface and exit\n");
455 #ifdef HAVE_BPF_IMAGE
456 fprintf(output, " -d print generated BPF code for capture filter\n");
458 fprintf(output, " -k set channel on wifi interface <freq>,[<type>]\n");
459 fprintf(output, " -S print statistics for each interface once per second\n");
460 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
461 fprintf(output, "\n");
462 #ifdef HAVE_PCAP_REMOTE
463 fprintf(output, "RPCAP options:\n");
464 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
465 fprintf(output, " -u use UDP for RPCAP data transfer\n");
466 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
467 #ifdef HAVE_PCAP_SETSAMPLING
468 fprintf(output, " -m <sampling type> use packet sampling\n");
469 fprintf(output, " count:NUM - capture one packet of every NUM\n");
470 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
473 fprintf(output, "Stop conditions:\n");
474 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
475 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
476 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
477 fprintf(output, " files:NUM - stop after NUM files\n");
478 /*fprintf(output, "\n");*/
479 fprintf(output, "Output (files):\n");
480 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
481 fprintf(output, " -g enable group read access on the output file(s)\n");
482 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
483 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
484 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
485 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
486 fprintf(output, " -P use libpcap format instead of pcapng\n");
487 fprintf(output, "\n");
488 fprintf(output, "Miscellaneous:\n");
489 fprintf(output, " -t use a separate thread per interface\n");
490 fprintf(output, " -q don't report packet capture counts\n");
491 fprintf(output, " -v print version information and exit\n");
492 fprintf(output, " -h display this help and exit\n");
493 fprintf(output, "\n");
494 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
495 fprintf(output, "\"Capture packets from interface eth0 until 60s passed into output.pcapng\"\n");
496 fprintf(output, "\n");
497 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
501 show_version(GString *comp_info_str, GString *runtime_info_str)
504 "Dumpcap " VERSION "%s\n"
509 "See http://www.wireshark.org for more information.\n",
510 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
514 * Print to the standard error. This is a command-line tool, so there's
515 * no need to pop up a console.
518 vfprintf_stderr(const char *fmt, va_list ap)
520 vfprintf(stderr, fmt, ap);
524 fprintf_stderr(const char *fmt, ...)
529 vfprintf_stderr(fmt, ap);
534 * Report an error in command-line arguments.
537 cmdarg_err(const char *fmt, ...)
543 /* Generate a 'special format' message back to parent */
545 msg = g_strdup_vprintf(fmt, ap);
546 sync_pipe_errmsg_to_parent(2, msg, "");
551 fprintf(stderr, "dumpcap: ");
552 vfprintf(stderr, fmt, ap);
553 fprintf(stderr, "\n");
559 * Report additional information for an error in command-line arguments.
562 cmdarg_err_cont(const char *fmt, ...)
569 msg = g_strdup_vprintf(fmt, ap);
570 sync_pipe_errmsg_to_parent(2, msg, "");
575 vfprintf(stderr, fmt, ap);
576 fprintf(stderr, "\n");
583 #if 0 /* Set to enable capability debugging */
584 /* see 'man cap_to_text()' for explanation of output */
585 /* '=' means 'all= ' ie: no capabilities */
586 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
588 print_caps(const char *pfx) {
589 cap_t caps = cap_get_proc();
590 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
591 "%s: EUID: %d Capabilities: %s", pfx,
592 geteuid(), cap_to_text(caps, NULL));
595 print_caps(const char *pfx _U_) {
600 relinquish_all_capabilities(void)
602 /* Drop any and all capabilities this process may have. */
603 /* Allowed whether or not process has any privileges. */
604 cap_t caps = cap_init(); /* all capabilities initialized to off */
605 print_caps("Pre-clear");
606 if (cap_set_proc(caps)) {
607 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
609 print_caps("Post-clear");
615 open_capture_device(interface_options *interface_opts,
616 char (*open_err_str)[PCAP_ERRBUF_SIZE])
619 #ifdef HAVE_PCAP_CREATE
622 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
623 struct pcap_rmtauth auth;
626 /* Open the network interface to capture from it.
627 Some versions of libpcap may put warnings into the error buffer
628 if they succeed; to tell if that's happened, we have to clear
629 the error buffer, and check if it's still a null string. */
630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
631 (*open_err_str)[0] = '\0';
632 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
634 * If we're opening a remote device, use pcap_open(); that's currently
635 * the only open routine that supports remote devices.
637 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
638 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
639 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
640 auth.username = interface_opts->auth_username;
641 auth.password = interface_opts->auth_password;
643 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
644 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
645 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
646 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
647 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
649 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
650 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
651 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
652 CAP_READ_TIMEOUT, &auth, *open_err_str);
653 if (pcap_h == NULL) {
654 /* Error - did pcap actually supply an error message? */
655 if ((*open_err_str)[0] == '\0') {
656 /* Work around known WinPcap bug wherein no error message is
657 filled in on a failure to open an rpcap: URL. */
658 g_strlcpy(*open_err_str,
659 "Unknown error (pcap bug; actual error cause not reported)",
660 sizeof *open_err_str);
663 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
664 "pcap_open() returned %p.", (void *)pcap_h);
669 * If we're not opening a remote device, use pcap_create() and
670 * pcap_activate() if we have them, so that we can set the buffer
671 * size, otherwise use pcap_open_live().
673 #ifdef HAVE_PCAP_CREATE
674 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
675 "Calling pcap_create() using %s.", interface_opts->name);
676 pcap_h = pcap_create(interface_opts->name, *open_err_str);
677 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
678 "pcap_create() returned %p.", (void *)pcap_h);
679 if (pcap_h != NULL) {
680 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
681 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
682 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
683 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
684 "Calling pcap_set_promisc() with promisc_mode %d.", interface_opts->promisc_mode);
685 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
686 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
688 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
689 "buffersize %d.", interface_opts->buffer_size);
690 if (interface_opts->buffer_size != 0) {
691 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
693 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
694 "monitor_mode %d.", interface_opts->monitor_mode);
695 if (interface_opts->monitor_mode)
696 pcap_set_rfmon(pcap_h, 1);
697 err = pcap_activate(pcap_h);
698 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
699 "pcap_activate() returned %d.", err);
701 /* Failed to activate, set to NULL */
702 if (err == PCAP_ERROR)
703 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
705 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
711 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
712 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
713 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
714 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
715 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
717 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
718 "pcap_open_live() returned %p.", (void *)pcap_h);
721 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
726 get_capture_device_open_failure_messages(const char *open_err_str,
732 char *errmsg, size_t errmsg_len,
733 char *secondary_errmsg,
734 size_t secondary_errmsg_len)
737 const char *libpcap_warn;
738 static const char ppamsg[] = "can't find PPA for ";
741 g_snprintf(errmsg, (gulong) errmsg_len,
742 "The capture session could not be initiated (%s).", open_err_str);
745 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
747 "In order to capture packets, WinPcap must be installed; see\n"
749 " http://www.winpcap.org/\n"
753 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
757 " http://winpcap.cs.pu.edu.tw/\n"
759 "for a downloadable version of WinPcap and for instructions on how to install\n"
762 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
764 "Please check that \"%s\" is the proper interface.\n"
767 "Help can be found at:\n"
769 " http://wiki.wireshark.org/WinPcap\n"
770 " http://wiki.wireshark.org/CaptureSetup\n",
774 /* If we got a "can't find PPA for X" message, warn the user (who
775 is running dumpcap on HP-UX) that they don't have a version of
776 libpcap that properly handles HP-UX (libpcap 0.6.x and later
777 versions, which properly handle HP-UX, say "can't find /dev/dlpi
778 PPA for X" rather than "can't find PPA for X"). */
779 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
782 "You are running (T)Wireshark with a version of the libpcap library\n"
783 "that doesn't handle HP-UX network devices well; this means that\n"
784 "(T)Wireshark may not be able to capture packets.\n"
786 "To fix this, you should install libpcap 0.6.2, or a later version\n"
787 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
788 "packaged binary form from the Software Porting And Archive Centre\n"
789 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
790 "at the URL lists a number of mirror sites.";
794 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
795 "Please check to make sure you have sufficient permissions, and that you have "
796 "the proper interface or pipe specified.%s", libpcap_warn);
800 /* Set the data link type on a pcap. */
802 set_pcap_linktype(pcap_t *pcap_h, int linktype,
803 #ifdef HAVE_PCAP_SET_DATALINK
808 char *errmsg, size_t errmsg_len,
809 char *secondary_errmsg, size_t secondary_errmsg_len)
811 char *set_linktype_err_str;
814 return TRUE; /* just use the default */
815 #ifdef HAVE_PCAP_SET_DATALINK
816 if (pcap_set_datalink(pcap_h, linktype) == 0)
817 return TRUE; /* no error */
818 set_linktype_err_str = pcap_geterr(pcap_h);
820 /* Let them set it to the type it is; reject any other request. */
821 if (get_pcap_linktype(pcap_h, name) == linktype)
822 return TRUE; /* no error */
823 set_linktype_err_str =
824 "That DLT isn't one of the DLTs supported by this device";
826 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
827 set_linktype_err_str);
829 * If the error isn't "XXX is not one of the DLTs supported by this device",
830 * tell the user to tell the Wireshark developers about it.
832 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
833 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
835 secondary_errmsg[0] = '\0';
840 compile_capture_filter(const char *iface, pcap_t *pcap_h,
841 struct bpf_program *fcode, const char *cfilter)
843 bpf_u_int32 netnum, netmask;
844 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
846 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
848 * Well, we can't get the netmask for this interface; it's used
849 * only for filters that check for broadcast IP addresses, so
850 * we just punt and use 0. It might be nice to warn the user,
851 * but that's a pain in a GUI application, as it'd involve popping
852 * up a message box, and it's not clear how often this would make
853 * a difference (only filters that check for IP broadcast addresses
857 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
862 * Sigh. Older versions of libpcap don't properly declare the
863 * third argument to pcap_compile() as a const pointer. Cast
866 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
871 #ifdef HAVE_BPF_IMAGE
873 show_filter_code(capture_options *capture_opts)
875 interface_options interface_opts;
877 gchar open_err_str[PCAP_ERRBUF_SIZE];
878 char errmsg[MSG_MAX_LENGTH+1];
879 char secondary_errmsg[MSG_MAX_LENGTH+1];
880 struct bpf_program fcode;
881 struct bpf_insn *insn;
885 for (j = 0; j < capture_opts->ifaces->len; j++) {
886 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
887 pcap_h = open_capture_device(&interface_opts, &open_err_str);
888 if (pcap_h == NULL) {
889 /* Open failed; get messages */
890 get_capture_device_open_failure_messages(open_err_str,
892 errmsg, sizeof errmsg,
894 sizeof secondary_errmsg);
895 /* And report them */
896 report_capture_error(errmsg, secondary_errmsg);
900 /* Set the link-layer type. */
901 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
902 errmsg, sizeof errmsg,
903 secondary_errmsg, sizeof secondary_errmsg)) {
905 report_capture_error(errmsg, secondary_errmsg);
909 /* OK, try to compile the capture filter. */
910 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
911 interface_opts.cfilter)) {
913 report_cfilter_error(capture_opts, j, errmsg);
918 /* Now print the filter code. */
919 insn = fcode.bf_insns;
921 for (i = 0; i < fcode.bf_len; insn++, i++)
922 printf("%s\n", bpf_image(insn, i));
924 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
925 /* to remove any suid privileges. */
926 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
927 /* (euid/egid have already previously been set to ruid/rgid. */
928 /* (See comment in main() for details) */
930 relinquish_special_privs_perm();
932 relinquish_all_capabilities();
935 /* Let our parent know we succeeded. */
936 pipe_write_block(2, SP_SUCCESS, NULL);
943 * capture_interface_list() is expected to do the right thing to get
944 * a list of interfaces.
946 * In most of the programs in the Wireshark suite, "the right thing"
947 * is to run dumpcap and ask it for the list, because dumpcap may
948 * be the only program in the suite with enough privileges to get
951 * In dumpcap itself, however, we obviously can't run dumpcap to
952 * ask for the list. Therefore, our capture_interface_list() should
953 * just call get_interface_list().
956 capture_interface_list(int *err, char **err_str)
958 return get_interface_list(err, err_str);
962 * Get the data-link type for a libpcap device.
963 * This works around AIX 5.x's non-standard and incompatible-with-the-
964 * rest-of-the-universe libpcap.
967 get_pcap_linktype(pcap_t *pch, const char *devname
975 const char *ifacename;
978 linktype = pcap_datalink(pch);
982 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
983 * rather than DLT_ values for link-layer types; the ifType values
984 * for LAN devices are:
991 * and the ifType value for a loopback device is 24.
993 * The AIX names for LAN devices begin with:
1000 * and the AIX names for loopback devices begin with "lo".
1002 * (The difference between "Ethernet" and "802.3" is presumably
1003 * whether packets have an Ethernet header, with a packet type,
1004 * or an 802.3 header, with a packet length, followed by an 802.2
1005 * header and possibly a SNAP header.)
1007 * If the device name matches "linktype" interpreted as an ifType
1008 * value, rather than as a DLT_ value, we will assume this is AIX's
1009 * non-standard, incompatible libpcap, rather than a standard libpcap,
1010 * and will map the link-layer type to the standard DLT_ value for
1011 * that link-layer type, as that's what the rest of Wireshark expects.
1013 * (This means the capture files won't be readable by a tcpdump
1014 * linked with AIX's non-standard libpcap, but so it goes. They
1015 * *will* be readable by standard versions of tcpdump, Wireshark,
1018 * XXX - if we conclude we're using AIX libpcap, should we also
1019 * set a flag to cause us to assume the time stamps are in
1020 * seconds-and-nanoseconds form, and to convert them to
1021 * seconds-and-microseconds form before processing them and
1026 * Find the last component of the device name, which is the
1029 ifacename = strchr(devname, '/');
1030 if (ifacename == NULL)
1031 ifacename = devname;
1033 /* See if it matches any of the LAN device names. */
1034 if (strncmp(ifacename, "en", 2) == 0) {
1035 if (linktype == 6) {
1037 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1041 } else if (strncmp(ifacename, "et", 2) == 0) {
1042 if (linktype == 7) {
1044 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1045 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1050 } else if (strncmp(ifacename, "tr", 2) == 0) {
1051 if (linktype == 9) {
1053 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1054 * DLT_IEEE802, which is what's used for Token Ring.
1058 } else if (strncmp(ifacename, "fi", 2) == 0) {
1059 if (linktype == 15) {
1061 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1065 } else if (strncmp(ifacename, "lo", 2) == 0) {
1066 if (linktype == 24) {
1068 * That's the RFC 1573 value for "software loopback" devices; map it
1069 * to DLT_NULL, which is what's used for loopback devices on BSD.
1079 static data_link_info_t *
1080 create_data_link_info(int dlt)
1082 data_link_info_t *data_link_info;
1085 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1086 data_link_info->dlt = dlt;
1087 text = pcap_datalink_val_to_name(dlt);
1089 data_link_info->name = g_strdup(text);
1091 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1092 text = pcap_datalink_val_to_description(dlt);
1094 data_link_info->description = g_strdup(text);
1096 data_link_info->description = NULL;
1097 return data_link_info;
1101 * Get the capabilities of a network device.
1103 static if_capabilities_t *
1104 get_if_capabilities(const char *devname, gboolean monitor_mode
1105 #ifndef HAVE_PCAP_CREATE
1110 if_capabilities_t *caps;
1111 char errbuf[PCAP_ERRBUF_SIZE];
1113 #ifdef HAVE_PCAP_CREATE
1117 #ifdef HAVE_PCAP_LIST_DATALINKS
1121 data_link_info_t *data_link_info;
1124 * Allocate the interface capabilities structure.
1126 caps = g_malloc(sizeof *caps);
1129 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1130 * wherein, when an open with an rpcap: URL fails, the error
1131 * message for the error is not copied to errbuf and whatever
1132 * on-the-stack junk is in errbuf is treated as the error
1135 * To work around that (and any other bugs of that sort, we
1136 * initialize errbuf to an empty string. If we get an error
1137 * and the string is empty, we report it as an unknown error.
1138 * (If we *don't* get an error, and the string is *non*-empty,
1139 * that could be a warning returned, such as "can't turn
1140 * promiscuous mode on"; we currently don't do so.)
1143 #ifdef HAVE_PCAP_OPEN
1144 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1145 caps->can_set_rfmon = FALSE;
1147 if (err_str != NULL)
1148 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1152 #elif defined(HAVE_PCAP_CREATE)
1153 pch = pcap_create(devname, errbuf);
1155 if (err_str != NULL)
1156 *err_str = g_strdup(errbuf);
1160 status = pcap_can_set_rfmon(pch);
1163 if (status == PCAP_ERROR)
1164 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1167 *err_str = g_strdup(pcap_statustostr(status));
1173 caps->can_set_rfmon = FALSE;
1174 else if (status == 1) {
1175 caps->can_set_rfmon = TRUE;
1177 pcap_set_rfmon(pch, 1);
1179 if (err_str != NULL) {
1180 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1188 status = pcap_activate(pch);
1190 /* Error. We ignore warnings (status > 0). */
1191 if (err_str != NULL) {
1192 if (status == PCAP_ERROR)
1193 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1196 *err_str = g_strdup(pcap_statustostr(status));
1203 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1204 caps->can_set_rfmon = FALSE;
1206 if (err_str != NULL)
1207 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1212 deflt = get_pcap_linktype(pch, devname);
1213 #ifdef HAVE_PCAP_LIST_DATALINKS
1214 nlt = pcap_list_datalinks(pch, &linktypes);
1215 if (nlt == 0 || linktypes == NULL) {
1217 if (err_str != NULL)
1218 *err_str = NULL; /* an empty list doesn't mean an error */
1222 caps->data_link_types = NULL;
1223 for (i = 0; i < nlt; i++) {
1224 data_link_info = create_data_link_info(linktypes[i]);
1227 * XXX - for 802.11, make the most detailed 802.11
1228 * version the default, rather than the one the
1229 * device has as the default?
1231 if (linktypes[i] == deflt)
1232 caps->data_link_types = g_list_prepend(caps->data_link_types,
1235 caps->data_link_types = g_list_append(caps->data_link_types,
1238 #ifdef HAVE_PCAP_FREE_DATALINKS
1239 pcap_free_datalinks(linktypes);
1242 * In Windows, there's no guarantee that if you have a library
1243 * built with one version of the MSVC++ run-time library, and
1244 * it returns a pointer to allocated data, you can free that
1245 * data from a program linked with another version of the
1246 * MSVC++ run-time library.
1248 * This is not an issue on UN*X.
1250 * See the mail threads starting at
1252 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1256 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1259 #define xx_free free /* hack so checkAPIs doesn't complain */
1262 #endif /* HAVE_PCAP_FREE_DATALINKS */
1263 #else /* HAVE_PCAP_LIST_DATALINKS */
1265 data_link_info = create_data_link_info(deflt);
1266 caps->data_link_types = g_list_append(caps->data_link_types,
1268 #endif /* HAVE_PCAP_LIST_DATALINKS */
1272 if (err_str != NULL)
1277 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1279 * Output a machine readable list of the interfaces
1280 * This list is retrieved by the sync_interface_list_open() function
1281 * The actual output of this function can be viewed with the command "dumpcap -D -Z none"
1284 print_machine_readable_interfaces(GList *if_list)
1291 char addr_str[ADDRSTRLEN];
1293 if (capture_child) {
1294 /* Let our parent know we succeeded. */
1295 pipe_write_block(2, SP_SUCCESS, NULL);
1298 i = 1; /* Interface id number */
1299 for (if_entry = g_list_first(if_list); if_entry != NULL;
1300 if_entry = g_list_next(if_entry)) {
1301 if_info = (if_info_t *)if_entry->data;
1302 printf("%d. %s", i++, if_info->name);
1305 * Print the contents of the if_entry struct in a parseable format.
1306 * Each if_entry element is tab-separated. Addresses are comma-
1309 /* XXX - Make sure our description doesn't contain a tab */
1310 if (if_info->description != NULL)
1311 printf("\t%s\t", if_info->description);
1315 if (if_info->friendly_name != NULL)
1316 printf("%s\t", if_info->friendly_name);
1320 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1321 addr = g_slist_next(addr)) {
1322 if (addr != g_slist_nth(if_info->addrs, 0))
1325 if_addr = (if_addr_t *)addr->data;
1326 switch(if_addr->ifat_type) {
1328 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1330 printf("%s", addr_str);
1332 printf("<unknown IPv4>");
1336 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1337 addr_str, ADDRSTRLEN)) {
1338 printf("%s", addr_str);
1340 printf("<unknown IPv6>");
1344 printf("<type unknown %u>", if_addr->ifat_type);
1348 if (if_info->loopback)
1349 printf("\tloopback");
1351 printf("\tnetwork");
1358 * If you change the machine-readable output format of this function,
1359 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1362 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1365 data_link_info_t *data_link_info;
1366 const gchar *desc_str;
1368 if (capture_child) {
1369 /* Let our parent know we succeeded. */
1370 pipe_write_block(2, SP_SUCCESS, NULL);
1373 if (caps->can_set_rfmon)
1377 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1378 lt_entry = g_list_next(lt_entry)) {
1379 data_link_info = (data_link_info_t *)lt_entry->data;
1380 if (data_link_info->description != NULL)
1381 desc_str = data_link_info->description;
1383 desc_str = "(not supported)";
1384 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1394 /* Print the number of packets captured for each interface until we're killed. */
1396 print_statistics_loop(gboolean machine_readable)
1398 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1404 char errbuf[PCAP_ERRBUF_SIZE];
1405 struct pcap_stat ps;
1407 if_list = get_interface_list(&err, &err_str);
1408 if (if_list == NULL) {
1410 case CANT_GET_INTERFACE_LIST:
1411 case DONT_HAVE_PCAP:
1412 cmdarg_err("%s", err_str);
1416 case NO_INTERFACES_FOUND:
1417 cmdarg_err("There are no interfaces on which a capture can be done");
1423 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1424 if_info = (if_info_t *)if_entry->data;
1425 #ifdef HAVE_PCAP_OPEN
1426 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1428 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1432 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1433 if_stat->name = g_strdup(if_info->name);
1435 stat_list = g_list_append(stat_list, if_stat);
1440 cmdarg_err("There are no interfaces on which a capture can be done");
1444 if (capture_child) {
1445 /* Let our parent know we succeeded. */
1446 pipe_write_block(2, SP_SUCCESS, NULL);
1449 if (!machine_readable) {
1450 printf("%-15s %10s %10s\n", "Interface", "Received",
1454 global_ld.go = TRUE;
1455 while (global_ld.go) {
1456 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1457 if_stat = (if_stat_t *)stat_entry->data;
1458 pcap_stats(if_stat->pch, &ps);
1460 if (!machine_readable) {
1461 printf("%-15s %10u %10u\n", if_stat->name,
1462 ps.ps_recv, ps.ps_drop);
1464 printf("%s\t%u\t%u\n", if_stat->name,
1465 ps.ps_recv, ps.ps_drop);
1476 /* XXX - Not reached. Should we look for 'q' in stdin? */
1477 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1478 if_stat = (if_stat_t *)stat_entry->data;
1479 pcap_close(if_stat->pch);
1480 g_free(if_stat->name);
1483 g_list_free(stat_list);
1484 free_interface_list(if_list);
1492 capture_cleanup_handler(DWORD dwCtrlType)
1494 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1495 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1496 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1497 like SIGTERM at least when the machine's shutting down.
1499 For now, if we're running as a command rather than a capture child,
1500 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1501 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1502 in that way on UN*X.
1504 If we're not running as a capture child, we might be running as
1505 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1506 user logs out. (XXX - can we explicitly check whether we're
1507 running as a service?) */
1509 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1510 "Console: Control signal");
1511 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1512 "Console: Control signal, CtrlType: %u", dwCtrlType);
1514 /* Keep capture running if we're a service and a user logs off */
1515 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1516 capture_loop_stop();
1524 capture_cleanup_handler(int signum _U_)
1526 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1527 SIGTERM. We assume that if the user wanted it to keep running
1528 after they logged out, they'd have nohupped it. */
1530 /* Note: don't call g_log() in the signal handler: if we happened to be in
1531 * g_log() in process context when the signal came in, g_log will detect
1532 * the "recursion" and abort.
1535 capture_loop_stop();
1541 report_capture_count(gboolean reportit)
1543 /* Don't print this if we're a capture child. */
1544 if (!capture_child && reportit) {
1545 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1546 /* stderr could be line buffered */
1554 report_counts_for_siginfo(void)
1556 report_capture_count(quiet);
1557 infoprint = FALSE; /* we just reported it */
1561 report_counts_siginfo(int signum _U_)
1563 int sav_errno = errno;
1565 /* If we've been told to delay printing, just set a flag asking
1566 that we print counts (if we're supposed to), otherwise print
1567 the count of packets captured (if we're supposed to). */
1571 report_counts_for_siginfo();
1574 #endif /* SIGINFO */
1577 exit_main(int status)
1580 /* Shutdown windows sockets */
1583 /* can be helpful for debugging */
1584 #ifdef DEBUG_DUMPCAP
1585 printf("Press any key\n");
1596 * If we were linked with libcap (not related to libpcap), make sure we have
1597 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1598 * (See comment in main() for details)
1601 relinquish_privs_except_capture(void)
1603 /* If 'started_with_special_privs' (ie: suid) then enable for
1604 * ourself the NET_ADMIN and NET_RAW capabilities and then
1605 * drop our suid privileges.
1607 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1608 * stuff we don't need (and shouldn't have).
1609 * CAP_NET_RAW: Packet capture (raw sockets).
1612 if (started_with_special_privs()) {
1613 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1614 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1616 cap_t caps = cap_init(); /* all capabilities initialized to off */
1618 print_caps("Pre drop, pre set");
1620 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1621 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1624 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1625 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1627 if (cap_set_proc(caps)) {
1628 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1630 print_caps("Pre drop, post set");
1632 relinquish_special_privs_perm();
1634 print_caps("Post drop, pre set");
1635 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1636 if (cap_set_proc(caps)) {
1637 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1639 print_caps("Post drop, post set");
1645 #endif /* HAVE_LIBCAP */
1647 /* Take care of byte order in the libpcap headers read from pipes.
1648 * (function taken from wiretap/libpcap.c) */
1650 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1653 /* Byte-swap the record header fields. */
1654 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1655 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1656 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1657 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1660 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1661 swapped, in order to match the BPF header layout.
1663 Unfortunately, some files were, according to a comment in the "libpcap"
1664 source, written with version 2.3 in their headers but without the
1665 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1666 would make no sense - we assume that we need to swap them. */
1667 if (hdr->version_major == 2 &&
1668 (hdr->version_minor < 3 ||
1669 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1672 temp = rechdr->orig_len;
1673 rechdr->orig_len = rechdr->incl_len;
1674 rechdr->incl_len = temp;
1678 /* Wrapper: distinguish between recv/read if we're reading on Windows,
1682 cap_pipe_read(int pipe_fd, char *buf, size_t sz, gboolean from_socket _U_)
1686 return recv(pipe_fd, buf, (int)sz, 0);
1691 return ws_read(pipe_fd, buf, sz);
1697 * Thread function that reads from a pipe and pushes the data
1698 * to the main application thread.
1701 * XXX Right now we use async queues for basic signaling. The main thread
1702 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1703 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1704 * Iff the read is successful cap_pipe_read pushes an item onto
1705 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1706 * the queues themselves (yet).
1708 * We might want to move some of the cap_pipe_dispatch logic here so that
1709 * we can let cap_thread_read run independently, queuing up multiple reads
1710 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1712 static void *cap_thread_read(void *arg)
1714 pcap_options *pcap_opts;
1723 pcap_opts = (pcap_options *)arg;
1724 while (pcap_opts->cap_pipe_err == PIPOK) {
1725 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1726 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1728 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1729 if ((pcap_opts->from_cap_socket)
1735 b = cap_pipe_read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1736 pcap_opts->cap_pipe_bytes_to_read - bytes_read, pcap_opts->from_cap_socket);
1739 pcap_opts->cap_pipe_err = PIPEOF;
1743 pcap_opts->cap_pipe_err = PIPERR;
1754 /* If we try to use read() on a named pipe on Windows with partial
1755 * data it appears to return EOF.
1757 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1758 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1763 last_err = GetLastError();
1764 if (last_err == ERROR_MORE_DATA) {
1766 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1767 pcap_opts->cap_pipe_err = PIPEOF;
1771 pcap_opts->cap_pipe_err = PIPERR;
1774 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1775 pcap_opts->cap_pipe_err = PIPEOF;
1782 pcap_opts->cap_pipe_bytes_read = bytes_read;
1783 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1784 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1786 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1792 /* Provide select() functionality for a single file descriptor
1793 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1795 * Returns the same values as select.
1798 cap_pipe_select(int pipe_fd)
1801 struct timeval timeout;
1804 FD_SET(pipe_fd, &rfds);
1806 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1807 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1809 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1812 #define DEF_TCP_PORT 19000
1815 cap_open_socket(char *pipename, pcap_options *pcap_opts, char *errmsg, int errmsgl)
1817 char *sockname = pipename + 4;
1818 struct sockaddr_in sa;
1825 memset(&sa, 0, sizeof(sa));
1827 p = strchr(sockname, ':');
1829 len = strlen(sockname);
1830 port = DEF_TCP_PORT;
1834 port = strtoul(p + 1, &p, 10);
1835 if (*p || port > 65535) {
1844 strncpy(buf, sockname, len);
1846 if (!inet_pton(AF_INET, buf, &sa.sin_addr)) {
1850 sa.sin_family = AF_INET;
1851 sa.sin_port = htons((u_short)port);
1853 if (((fd = (int)socket(AF_INET, SOCK_STREAM, 0)) < 0) ||
1854 (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)) {
1856 LPTSTR errorText = NULL;
1859 lastError = WSAGetLastError();
1860 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM |
1861 FORMAT_MESSAGE_ALLOCATE_BUFFER |
1862 FORMAT_MESSAGE_IGNORE_INSERTS,
1863 NULL, lastError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
1864 (LPTSTR)&errorText, 0, NULL);
1866 g_snprintf(errmsg, errmsgl,
1867 "The capture session could not be initiated due to the socket error: \n"
1869 " %d: %S", lastError, errorText ? (char *)errorText : "Unknown");
1871 LocalFree(errorText);
1873 " %d: %s", errno, strerror(errno));
1875 pcap_opts->cap_pipe_err = PIPERR;
1878 cap_pipe_close(fd, TRUE);
1882 pcap_opts->from_cap_socket = TRUE;
1886 g_snprintf(errmsg, errmsgl,
1887 "The capture session could not be initiated because\n"
1888 "\"%s\" is not a valid socket specification", pipename);
1889 pcap_opts->cap_pipe_err = PIPERR;
1893 /* Wrapper: distinguish between closesocket on Windows; use ws_close
1897 cap_pipe_close(int pipe_fd, gboolean from_socket _U_)
1901 closesocket(pipe_fd);
1908 /* Mimic pcap_open_live() for pipe captures
1910 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1911 * open it, and read the header.
1913 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1914 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1916 cap_pipe_open_live(char *pipename,
1917 pcap_options *pcap_opts,
1918 struct pcap_hdr *hdr,
1919 char *errmsg, int errmsgl)
1922 ws_statb64 pipe_stat;
1923 struct sockaddr_un sa;
1929 unsigned int bytes_read;
1932 pcap_opts->cap_pipe_fd = -1;
1934 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1936 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1939 * XXX - this blocks until a pcap per-file header has been written to
1940 * the pipe, so it could block indefinitely.
1942 if (strcmp(pipename, "-") == 0) {
1944 fd = 0; /* read from stdin */
1946 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1948 } else if (!strncmp(pipename, "TCP@", 4)) {
1949 if ((fd = cap_open_socket(pipename, pcap_opts, errmsg, errmsgl)) < 0) {
1954 if (ws_stat64(pipename, &pipe_stat) < 0) {
1955 if (errno == ENOENT || errno == ENOTDIR)
1956 pcap_opts->cap_pipe_err = PIPNEXIST;
1958 g_snprintf(errmsg, errmsgl,
1959 "The capture session could not be initiated "
1960 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1961 pcap_opts->cap_pipe_err = PIPERR;
1965 if (S_ISFIFO(pipe_stat.st_mode)) {
1966 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1968 g_snprintf(errmsg, errmsgl,
1969 "The capture session could not be initiated "
1970 "due to error on pipe open: %s", g_strerror(errno));
1971 pcap_opts->cap_pipe_err = PIPERR;
1974 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1975 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1977 g_snprintf(errmsg, errmsgl,
1978 "The capture session could not be initiated "
1979 "due to error on socket create: %s", g_strerror(errno));
1980 pcap_opts->cap_pipe_err = PIPERR;
1983 sa.sun_family = AF_UNIX;
1985 * The Single UNIX Specification says:
1987 * The size of sun_path has intentionally been left undefined.
1988 * This is because different implementations use different sizes.
1989 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1990 * of 104. Since most implementations originate from BSD versions,
1991 * the size is typically in the range 92 to 108.
1993 * Applications should not assume a particular length for sun_path
1994 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1998 * The <sys/un.h> header shall define the sockaddr_un structure,
1999 * which shall include at least the following members:
2001 * sa_family_t sun_family Address family.
2002 * char sun_path[] Socket pathname.
2004 * so we assume that it's an array, with a specified size,
2005 * and that the size reflects the maximum path length.
2007 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
2008 /* Path name too long */
2009 g_snprintf(errmsg, errmsgl,
2010 "The capture session coud not be initiated "
2011 "due to error on socket connect: Path name too long");
2012 pcap_opts->cap_pipe_err = PIPERR;
2016 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
2018 g_snprintf(errmsg, errmsgl,
2019 "The capture session coud not be initiated "
2020 "due to error on socket connect: %s", g_strerror(errno));
2021 pcap_opts->cap_pipe_err = PIPERR;
2026 if (S_ISCHR(pipe_stat.st_mode)) {
2028 * Assume the user specified an interface on a system where
2029 * interfaces are in /dev. Pretend we haven't seen it.
2031 pcap_opts->cap_pipe_err = PIPNEXIST;
2034 g_snprintf(errmsg, errmsgl,
2035 "The capture session could not be initiated because\n"
2036 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
2037 pcap_opts->cap_pipe_err = PIPERR;
2042 #define PIPE_STR "\\pipe\\"
2043 /* Under Windows, named pipes _must_ have the form
2044 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
2046 pncopy = g_strdup(pipename);
2047 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
2048 pos = strchr(pncopy + 3, '\\');
2049 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
2056 g_snprintf(errmsg, errmsgl,
2057 "The capture session could not be initiated because\n"
2058 "\"%s\" is neither an interface nor a pipe", pipename);
2059 pcap_opts->cap_pipe_err = PIPNEXIST;
2063 /* Wait for the pipe to appear */
2065 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
2066 OPEN_EXISTING, 0, NULL);
2068 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
2071 if (GetLastError() != ERROR_PIPE_BUSY) {
2072 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2073 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2074 g_snprintf(errmsg, errmsgl,
2075 "The capture session on \"%s\" could not be started "
2076 "due to error on pipe open: %s (error %d)",
2077 pipename, utf_16to8(err_str), GetLastError());
2079 pcap_opts->cap_pipe_err = PIPERR;
2083 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
2084 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2085 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2086 g_snprintf(errmsg, errmsgl,
2087 "The capture session on \"%s\" timed out during "
2088 "pipe open: %s (error %d)",
2089 pipename, utf_16to8(err_str), GetLastError());
2091 pcap_opts->cap_pipe_err = PIPERR;
2098 pcap_opts->from_cap_pipe = TRUE;
2100 if ((pcap_opts->from_cap_socket)
2106 /* read the pcap header */
2108 while (bytes_read < sizeof magic) {
2109 sel_ret = cap_pipe_select(fd);
2111 g_snprintf(errmsg, errmsgl,
2112 "Unexpected error from select: %s", g_strerror(errno));
2114 } else if (sel_ret > 0) {
2115 b = cap_pipe_read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read, pcap_opts->from_cap_socket);
2118 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2120 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2130 g_thread_create(&cap_thread_read, pcap_opts, FALSE, NULL);
2132 pcap_opts->cap_pipe_buf = (char *) &magic;
2133 pcap_opts->cap_pipe_bytes_read = 0;
2134 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
2135 /* We don't have to worry about cap_pipe_read_mtx here */
2136 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2137 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2138 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2139 if (pcap_opts->cap_pipe_bytes_read == 0)
2140 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
2142 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
2151 case PCAP_NSEC_MAGIC:
2152 /* Host that wrote it has our byte order, and was running
2153 a program using either standard or ss990417 libpcap. */
2154 pcap_opts->cap_pipe_byte_swapped = FALSE;
2155 pcap_opts->cap_pipe_modified = FALSE;
2156 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
2158 case PCAP_MODIFIED_MAGIC:
2159 /* Host that wrote it has our byte order, but was running
2160 a program using either ss990915 or ss991029 libpcap. */
2161 pcap_opts->cap_pipe_byte_swapped = FALSE;
2162 pcap_opts->cap_pipe_modified = TRUE;
2164 case PCAP_SWAPPED_MAGIC:
2165 case PCAP_SWAPPED_NSEC_MAGIC:
2166 /* Host that wrote it has a byte order opposite to ours,
2167 and was running a program using either standard or
2168 ss990417 libpcap. */
2169 pcap_opts->cap_pipe_byte_swapped = TRUE;
2170 pcap_opts->cap_pipe_modified = FALSE;
2171 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
2173 case PCAP_SWAPPED_MODIFIED_MAGIC:
2174 /* Host that wrote it out has a byte order opposite to
2175 ours, and was running a program using either ss990915
2176 or ss991029 libpcap. */
2177 pcap_opts->cap_pipe_byte_swapped = TRUE;
2178 pcap_opts->cap_pipe_modified = TRUE;
2181 /* Not a "libpcap" type we know about. */
2182 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2186 if ((pcap_opts->from_cap_socket)
2192 /* Read the rest of the header */
2194 while (bytes_read < sizeof(struct pcap_hdr)) {
2195 sel_ret = cap_pipe_select(fd);
2197 g_snprintf(errmsg, errmsgl,
2198 "Unexpected error from select: %s", g_strerror(errno));
2200 } else if (sel_ret > 0) {
2201 b = cap_pipe_read(fd, ((char *)hdr)+bytes_read,
2202 sizeof(struct pcap_hdr) - bytes_read, pcap_opts->from_cap_socket);
2205 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2207 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2217 pcap_opts->cap_pipe_buf = (char *) hdr;
2218 pcap_opts->cap_pipe_bytes_read = 0;
2219 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2220 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2221 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2222 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2223 if (pcap_opts->cap_pipe_bytes_read == 0)
2224 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2226 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2233 if (pcap_opts->cap_pipe_byte_swapped) {
2234 /* Byte-swap the header fields about which we care. */
2235 hdr->version_major = BSWAP16(hdr->version_major);
2236 hdr->version_minor = BSWAP16(hdr->version_minor);
2237 hdr->snaplen = BSWAP32(hdr->snaplen);
2238 hdr->network = BSWAP32(hdr->network);
2240 pcap_opts->linktype = hdr->network;
2242 if (hdr->version_major < 2) {
2243 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2247 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2248 pcap_opts->cap_pipe_err = PIPOK;
2249 pcap_opts->cap_pipe_fd = fd;
2253 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2254 pcap_opts->cap_pipe_err = PIPERR;
2255 cap_pipe_close(fd, pcap_opts->from_cap_socket);
2256 pcap_opts->cap_pipe_fd = -1;
2262 /* We read one record from the pipe, take care of byte order in the record
2263 * header, write the record to the capture file, and update capture statistics. */
2265 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2267 struct pcap_pkthdr phdr;
2268 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2271 #if !GLIB_CHECK_VERSION(2,31,18)
2279 #ifdef LOG_CAPTURE_VERBOSE
2280 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2283 switch (pcap_opts->cap_pipe_state) {
2285 case STATE_EXPECT_REC_HDR:
2287 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2290 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2291 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2292 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2293 pcap_opts->cap_pipe_bytes_read = 0;
2296 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2297 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2298 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2303 case STATE_READ_REC_HDR:
2304 if ((pcap_opts->from_cap_socket)
2310 b = cap_pipe_read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2311 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
2314 result = PD_PIPE_EOF;
2316 result = PD_PIPE_ERR;
2319 pcap_opts->cap_pipe_bytes_read += b;
2324 #if GLIB_CHECK_VERSION(2,31,18)
2325 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2327 g_get_current_time(&wait_time);
2328 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2329 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2331 if (pcap_opts->cap_pipe_err == PIPEOF) {
2332 result = PD_PIPE_EOF;
2334 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2335 result = PD_PIPE_ERR;
2343 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2345 result = PD_REC_HDR_READ;
2348 case STATE_EXPECT_DATA:
2350 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2353 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2354 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2355 pcap_opts->cap_pipe_bytes_read = 0;
2358 pcap_opts->cap_pipe_buf = (char *) data;
2359 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2360 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2365 case STATE_READ_DATA:
2366 if ((pcap_opts->from_cap_socket)
2372 b = cap_pipe_read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2373 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read, pcap_opts->from_cap_socket);
2376 result = PD_PIPE_EOF;
2378 result = PD_PIPE_ERR;
2381 pcap_opts->cap_pipe_bytes_read += b;
2387 #if GLIB_CHECK_VERSION(2,31,18)
2388 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2390 g_get_current_time(&wait_time);
2391 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2392 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2394 if (pcap_opts->cap_pipe_err == PIPEOF) {
2395 result = PD_PIPE_EOF;
2397 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2398 result = PD_PIPE_ERR;
2406 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2408 result = PD_DATA_READ;
2412 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2415 } /* switch (pcap_opts->cap_pipe_state) */
2418 * We've now read as much data as we were expecting, so process it.
2422 case PD_REC_HDR_READ:
2423 /* We've read the header. Take care of byte order. */
2424 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2425 &pcap_opts->cap_pipe_rechdr.hdr);
2426 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2427 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2428 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2432 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2433 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2436 /* no data to read? fall through */
2439 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2440 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2441 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2442 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2443 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2446 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2448 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2450 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2454 pcap_opts->cap_pipe_err = PIPEOF;
2459 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
2460 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2461 g_snprintf(errmsg, errmsgl,
2462 "Error reading from pipe: %s (error %d)",
2463 utf_16to8(err_str), GetLastError());
2466 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2474 pcap_opts->cap_pipe_err = PIPERR;
2475 /* Return here rather than inside the switch to prevent GCC warning */
2480 /** Open the capture input file (pcap or capture pipe).
2481 * Returns TRUE if it succeeds, FALSE otherwise. */
2483 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2484 char *errmsg, size_t errmsg_len,
2485 char *secondary_errmsg, size_t secondary_errmsg_len)
2487 gchar open_err_str[PCAP_ERRBUF_SIZE];
2488 gchar *sync_msg_str;
2489 interface_options interface_opts;
2490 pcap_options *pcap_opts;
2494 gchar *sync_secondary_msg_str;
2495 WORD wVersionRequested;
2499 /* XXX - opening Winsock on tshark? */
2501 /* Initialize Windows Socket if we are in a WIN32 OS
2502 This needs to be done before querying the interface for network/netmask */
2504 /* XXX - do we really require 1.1 or earlier?
2505 Are there any versions that support only 2.0 or higher? */
2506 wVersionRequested = MAKEWORD(1, 1);
2507 err = WSAStartup(wVersionRequested, &wsaData);
2511 case WSASYSNOTREADY:
2512 g_snprintf(errmsg, (gulong) errmsg_len,
2513 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2516 case WSAVERNOTSUPPORTED:
2517 g_snprintf(errmsg, (gulong) errmsg_len,
2518 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2519 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2522 case WSAEINPROGRESS:
2523 g_snprintf(errmsg, (gulong) errmsg_len,
2524 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2528 g_snprintf(errmsg, (gulong) errmsg_len,
2529 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2533 g_snprintf(errmsg, (gulong) errmsg_len,
2534 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2538 g_snprintf(errmsg, (gulong) errmsg_len,
2539 "Couldn't initialize Windows Sockets: error %d", err);
2542 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2546 if ((use_threads == FALSE) &&
2547 (capture_opts->ifaces->len > 1)) {
2548 g_snprintf(errmsg, (gulong) errmsg_len,
2549 "Using threads is required for capturing on multiple interfaces!");
2553 for (i = 0; i < capture_opts->ifaces->len; i++) {
2554 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2555 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2556 if (pcap_opts == NULL) {
2557 g_snprintf(errmsg, (gulong) errmsg_len,
2558 "Could not allocate memory.");
2561 pcap_opts->received = 0;
2562 pcap_opts->dropped = 0;
2563 pcap_opts->pcap_h = NULL;
2564 #ifdef MUST_DO_SELECT
2565 pcap_opts->pcap_fd = -1;
2567 pcap_opts->pcap_err = FALSE;
2568 pcap_opts->interface_id = i;
2569 pcap_opts->tid = NULL;
2570 pcap_opts->snaplen = 0;
2571 pcap_opts->linktype = -1;
2572 pcap_opts->ts_nsec = FALSE;
2573 pcap_opts->from_cap_pipe = FALSE;
2574 pcap_opts->from_cap_socket = FALSE;
2575 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2576 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2578 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2580 pcap_opts->cap_pipe_fd = -1;
2581 pcap_opts->cap_pipe_modified = FALSE;
2582 pcap_opts->cap_pipe_byte_swapped = FALSE;
2584 pcap_opts->cap_pipe_buf = NULL;
2586 pcap_opts->cap_pipe_bytes_to_read = 0;
2587 pcap_opts->cap_pipe_bytes_read = 0;
2588 pcap_opts->cap_pipe_state = 0;
2589 pcap_opts->cap_pipe_err = PIPOK;
2591 #if GLIB_CHECK_VERSION(2,31,0)
2592 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2593 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2595 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2597 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2598 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2600 g_array_append_val(ld->pcaps, pcap_opts);
2602 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2603 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2605 if (pcap_opts->pcap_h != NULL) {
2606 /* we've opened "iface" as a network device */
2608 /* try to set the capture buffer size */
2609 if (interface_opts.buffer_size > 1 &&
2610 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2611 sync_secondary_msg_str = g_strdup_printf(
2612 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2613 "the default of 1MB will be used.\n"
2615 "Nonetheless, the capture is started.\n",
2616 interface_opts.buffer_size);
2617 report_capture_error("Couldn't set the capture buffer size!",
2618 sync_secondary_msg_str);
2619 g_free(sync_secondary_msg_str);
2623 #if defined(HAVE_PCAP_SETSAMPLING)
2624 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2625 struct pcap_samp *samp;
2627 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2628 switch (interface_opts.sampling_method) {
2629 case CAPTURE_SAMP_BY_COUNT:
2630 samp->method = PCAP_SAMP_1_EVERY_N;
2633 case CAPTURE_SAMP_BY_TIMER:
2634 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2638 sync_msg_str = g_strdup_printf(
2639 "Unknown sampling method %d specified,\n"
2640 "continue without packet sampling",
2641 interface_opts.sampling_method);
2642 report_capture_error("Couldn't set the capture "
2643 "sampling", sync_msg_str);
2644 g_free(sync_msg_str);
2646 samp->value = interface_opts.sampling_param;
2648 report_capture_error("Couldn't set the capture sampling",
2649 "Cannot get packet sampling data structure");
2654 /* setting the data link type only works on real interfaces */
2655 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2657 secondary_errmsg, secondary_errmsg_len)) {
2660 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2662 /* We couldn't open "iface" as a network device. */
2663 /* Try to open it as a pipe */
2664 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2667 if (pcap_opts->cap_pipe_fd == -1) {
2669 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2671 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2672 /* Pipe doesn't exist, so output message for interface */
2673 get_capture_device_open_failure_messages(open_err_str,
2674 interface_opts.name,
2678 secondary_errmsg_len);
2681 * Else pipe (or file) does exist and cap_pipe_open_live() has
2686 /* cap_pipe_open_live() succeeded; don't want
2687 error message from pcap_open_live() */
2688 open_err_str[0] = '\0';
2692 /* XXX - will this work for tshark? */
2693 #ifdef MUST_DO_SELECT
2694 if (!pcap_opts->from_cap_pipe) {
2695 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2696 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2698 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2703 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2704 returned a warning; print it, but keep capturing. */
2705 if (open_err_str[0] != '\0') {
2706 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2707 report_capture_error(sync_msg_str, "");
2708 g_free(sync_msg_str);
2710 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2711 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2714 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2715 /* to remove any suid privileges. */
2716 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2717 /* (euid/egid have already previously been set to ruid/rgid. */
2718 /* (See comment in main() for details) */
2720 relinquish_special_privs_perm();
2722 relinquish_all_capabilities();
2727 /* close the capture input file (pcap or capture pipe) */
2728 static void capture_loop_close_input(loop_data *ld)
2731 pcap_options *pcap_opts;
2733 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2735 for (i = 0; i < ld->pcaps->len; i++) {
2736 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2737 /* if open, close the capture pipe "input file" */
2738 if (pcap_opts->cap_pipe_fd >= 0) {
2739 g_assert(pcap_opts->from_cap_pipe);
2740 cap_pipe_close(pcap_opts->cap_pipe_fd, pcap_opts->from_cap_socket);
2741 pcap_opts->cap_pipe_fd = -1;
2744 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2745 CloseHandle(pcap_opts->cap_pipe_h);
2746 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2749 /* if open, close the pcap "input file" */
2750 if (pcap_opts->pcap_h != NULL) {
2751 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2752 pcap_close(pcap_opts->pcap_h);
2753 pcap_opts->pcap_h = NULL;
2760 /* Shut down windows sockets */
2766 /* init the capture filter */
2767 static initfilter_status_t
2768 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2769 const gchar * name, const gchar * cfilter)
2771 struct bpf_program fcode;
2773 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2775 /* capture filters only work on real interfaces */
2776 if (cfilter && !from_cap_pipe) {
2777 /* A capture filter was specified; set it up. */
2778 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2779 /* Treat this specially - our caller might try to compile this
2780 as a display filter and, if that succeeds, warn the user that
2781 the display and capture filter syntaxes are different. */
2782 return INITFILTER_BAD_FILTER;
2784 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2785 #ifdef HAVE_PCAP_FREECODE
2786 pcap_freecode(&fcode);
2788 return INITFILTER_OTHER_ERROR;
2790 #ifdef HAVE_PCAP_FREECODE
2791 pcap_freecode(&fcode);
2795 return INITFILTER_NO_ERROR;
2799 /* set up to write to the already-opened capture output file/files */
2801 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2805 pcap_options *pcap_opts;
2806 interface_options interface_opts;
2807 gboolean successful;
2809 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2811 if ((capture_opts->use_pcapng == FALSE) &&
2812 (capture_opts->ifaces->len > 1)) {
2813 g_snprintf(errmsg, errmsg_len,
2814 "Using PCAPNG is required for capturing on multiple interfaces! Use the -n option.");
2818 /* Set up to write to the capture file. */
2819 if (capture_opts->multi_files_on) {
2820 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2822 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2825 if (capture_opts->use_pcapng) {
2827 GString *os_info_str;
2829 os_info_str = g_string_new("");
2830 get_os_version_info(os_info_str);
2832 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2833 successful = libpcap_write_session_header_block(ld->pdh,
2836 os_info_str->str, /* OS*/
2838 -1, /* section_length */
2842 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2843 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2844 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2845 if (pcap_opts->from_cap_pipe) {
2846 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2848 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2850 successful = libpcap_write_interface_description_block(global_ld.pdh,
2851 NULL, /* OPT_COMMENT 1 */
2852 interface_opts.name, /* IDB_NAME 2 */
2853 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2854 interface_opts.cfilter, /* IDB_FILTER 11 */
2855 os_info_str->str, /* IDB_OS 12 */
2856 pcap_opts->linktype,
2858 &(global_ld.bytes_written),
2859 0, /* IDB_IF_SPEED 8 */
2860 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2864 g_string_free(os_info_str, TRUE);
2867 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2868 if (pcap_opts->from_cap_pipe) {
2869 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2871 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2873 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2874 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2882 if (ld->pdh == NULL) {
2883 /* We couldn't set up to write to the capture file. */
2884 /* XXX - use cf_open_error_message from tshark instead? */
2889 g_snprintf(errmsg, errmsg_len,
2890 "The file to which the capture would be"
2891 " saved (\"%s\") could not be opened: Error %d.",
2892 capture_opts->save_file, err);
2894 g_snprintf(errmsg, errmsg_len,
2895 "The file to which the capture would be"
2896 " saved (\"%s\") could not be opened: %s.",
2897 capture_opts->save_file, g_strerror(err));
2909 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2913 pcap_options *pcap_opts;
2914 guint64 end_time = create_timestamp();
2916 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2918 if (capture_opts->multi_files_on) {
2919 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2921 if (capture_opts->use_pcapng) {
2922 for (i = 0; i < global_ld.pcaps->len; i++) {
2923 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2924 if (!pcap_opts->from_cap_pipe) {
2925 guint64 isb_ifrecv, isb_ifdrop;
2926 struct pcap_stat stats;
2928 if (pcap_stats(pcap_opts->pcap_h, &stats) >= 0) {
2929 isb_ifrecv = pcap_opts->received;
2930 isb_ifdrop = stats.ps_drop + pcap_opts->dropped;
2932 isb_ifrecv = G_MAXUINT64;
2933 isb_ifdrop = G_MAXUINT64;
2935 libpcap_write_interface_statistics_block(ld->pdh,
2938 "Counters provided by dumpcap",
2947 return libpcap_dump_close(ld->pdh, err_close);
2951 /* dispatch incoming packets (pcap or capture pipe)
2953 * Waits for incoming packets to be available, and calls pcap_dispatch()
2954 * to cause them to be processed.
2956 * Returns the number of packets which were processed.
2958 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2959 * packet-batching behaviour does not cause packets to get held back
2963 capture_loop_dispatch(loop_data *ld,
2964 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2967 gint packet_count_before;
2968 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2973 packet_count_before = ld->packet_count;
2974 if (pcap_opts->from_cap_pipe) {
2975 /* dispatch from capture pipe */
2976 #ifdef LOG_CAPTURE_VERBOSE
2977 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2980 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2982 if (sel_ret < 0 && errno != EINTR) {
2983 g_snprintf(errmsg, errmsg_len,
2984 "Unexpected error from select: %s", g_strerror(errno));
2985 report_capture_error(errmsg, please_report);
2990 * "select()" says we can read from the pipe without blocking
2993 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
3003 /* dispatch from pcap */
3004 #ifdef MUST_DO_SELECT
3006 * If we have "pcap_get_selectable_fd()", we use it to get the
3007 * descriptor on which to select; if that's -1, it means there
3008 * is no descriptor on which you can do a "select()" (perhaps
3009 * because you're capturing on a special device, and that device's
3010 * driver unfortunately doesn't support "select()", in which case
3011 * we don't do the select - which means it might not be possible
3012 * to stop a capture until a packet arrives. If that's unacceptable,
3013 * plead with whoever supplies the software for that device to add
3014 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
3015 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
3016 * later, so it can use pcap_breakloop().
3018 #ifdef LOG_CAPTURE_VERBOSE
3019 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
3021 if (pcap_opts->pcap_fd != -1) {
3022 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
3025 * "select()" says we can read from it without blocking; go for
3028 * We don't have pcap_breakloop(), so we only process one packet
3029 * per pcap_dispatch() call, to allow a signal to stop the
3030 * processing immediately, rather than processing all packets
3031 * in a batch before quitting.
3034 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3036 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3040 /* Error, rather than pcap_breakloop(). */
3041 pcap_opts->pcap_err = TRUE;
3043 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3046 if (sel_ret < 0 && errno != EINTR) {
3047 g_snprintf(errmsg, errmsg_len,
3048 "Unexpected error from select: %s", g_strerror(errno));
3049 report_capture_error(errmsg, please_report);
3055 #endif /* MUST_DO_SELECT */
3057 /* dispatch from pcap without select */
3059 #ifdef LOG_CAPTURE_VERBOSE
3060 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
3064 * On Windows, we don't support asynchronously telling a process to
3065 * stop capturing; instead, we check for an indication on a pipe
3066 * after processing packets. We therefore process only one packet
3067 * at a time, so that we can check the pipe after every packet.
3070 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3072 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3076 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
3078 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
3083 /* Error, rather than pcap_breakloop(). */
3084 pcap_opts->pcap_err = TRUE;
3086 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
3088 #else /* pcap_next_ex */
3089 #ifdef LOG_CAPTURE_VERBOSE
3090 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
3092 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
3095 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
3096 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
3097 * This should be fixed in the WinPcap 4.0 alpha release.
3099 * For reference, an example remote interface:
3100 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
3103 /* emulate dispatch from pcap */
3106 struct pcap_pkthdr *pkt_header;
3111 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
3113 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3115 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
3120 pcap_opts->pcap_err = TRUE;
3124 #endif /* pcap_next_ex */
3128 #ifdef LOG_CAPTURE_VERBOSE
3129 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
3132 return ld->packet_count - packet_count_before;
3136 /* Isolate the Universally Unique Identifier from the interface. Basically, we
3137 * want to grab only the characters between the '{' and '}' delimiters.
3139 * Returns a GString that must be freed with g_string_free(). */
3141 isolate_uuid(const char *iface)
3146 ptr = strchr(iface, '{');
3148 return g_string_new(iface);
3149 gstr = g_string_new(ptr + 1);
3151 ptr = strchr(gstr->str, '}');
3155 gstr = g_string_truncate(gstr, ptr - gstr->str);
3160 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
3161 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
3163 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
3164 char *errmsg, int errmsg_len)
3167 gchar *capfile_name;
3169 gboolean is_tempfile;
3171 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
3172 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
3174 if (capture_opts->save_file != NULL) {
3175 /* We return to the caller while the capture is in progress.
3176 * Therefore we need to take a copy of save_file in
3177 * case the caller destroys it after we return.
3179 capfile_name = g_strdup(capture_opts->save_file);
3181 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
3182 if (capture_opts->multi_files_on) {
3183 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
3184 g_snprintf(errmsg, errmsg_len,
3185 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
3186 g_free(capfile_name);
3189 if (strcmp(capfile_name, "-") == 0) {
3190 /* write to stdout */
3193 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
3194 _setmode(1, O_BINARY);
3197 } /* if (...output_to_pipe ... */
3200 if (capture_opts->multi_files_on) {
3201 /* ringbuffer is enabled */
3202 *save_file_fd = ringbuf_init(capfile_name,
3203 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
3204 capture_opts->group_read_access);
3206 /* we need the ringbuf name */
3207 if(*save_file_fd != -1) {
3208 g_free(capfile_name);
3209 capfile_name = g_strdup(ringbuf_current_filename());
3212 /* Try to open/create the specified file for use as a capture buffer. */
3213 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
3214 (capture_opts->group_read_access) ? 0640 : 0600);
3217 is_tempfile = FALSE;
3219 /* Choose a random name for the temporary capture buffer */
3220 if (global_capture_opts.ifaces->len > 1) {
3221 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3224 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).console_display_name);
3226 /* use the generic portion of the interface guid to form the basis of the filename */
3227 if(strncmp("NPF_{", basename, 5)==0)
3229 /* we have a windows guid style device name, extract the guid digits as the basis of the filename */
3231 iface = isolate_uuid(basename);
3233 basename = g_strdup(iface->str);
3234 g_string_free(iface, TRUE);
3237 /* generate the temp file name prefix...
3238 * It would be nice if we could specify a pcapng/pcap filename suffix,
3239 * create_tempfile() however currently uses mkstemp() which doesn't allow this - one day perhaps*/
3240 if (capture_opts->use_pcapng) {
3241 prefix = g_strconcat("wireshark_pcapng_", basename, NULL);
3243 prefix = g_strconcat("wireshark_pcap_", basename, NULL);
3247 *save_file_fd = create_tempfile(&tmpname, prefix);
3249 capfile_name = g_strdup(tmpname);
3253 /* did we fail to open the output file? */
3254 if (*save_file_fd == -1) {
3256 g_snprintf(errmsg, errmsg_len,
3257 "The temporary file to which the capture would be saved (\"%s\") "
3258 "could not be opened: %s.", capfile_name, g_strerror(errno));
3260 if (capture_opts->multi_files_on) {
3261 ringbuf_error_cleanup();
3264 g_snprintf(errmsg, errmsg_len,
3265 "The file to which the capture would be saved (\"%s\") "
3266 "could not be opened: %s.", capfile_name,
3269 g_free(capfile_name);
3273 if(capture_opts->save_file != NULL) {
3274 g_free(capture_opts->save_file);
3276 capture_opts->save_file = capfile_name;
3277 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3278 "g_free(capfile_name)". */
3284 /* Do the work of handling either the file size or file duration capture
3285 conditions being reached, and switching files or stopping. */
3287 do_file_switch_or_stop(capture_options *capture_opts,
3288 condition *cnd_autostop_files,
3289 condition *cnd_autostop_size,
3290 condition *cnd_file_duration)
3293 pcap_options *pcap_opts;
3294 interface_options interface_opts;
3295 gboolean successful;
3297 if (capture_opts->multi_files_on) {
3298 if (cnd_autostop_files != NULL &&
3299 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3300 /* no files left: stop here */
3301 global_ld.go = FALSE;
3305 /* Switch to the next ringbuffer file */
3306 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3307 &global_ld.save_file_fd, &global_ld.err)) {
3309 /* File switch succeeded: reset the conditions */
3310 global_ld.bytes_written = 0;
3311 if (capture_opts->use_pcapng) {
3313 GString *os_info_str;
3315 os_info_str = g_string_new("");
3316 get_os_version_info(os_info_str);
3318 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3319 successful = libpcap_write_session_header_block(global_ld.pdh,
3322 os_info_str->str, /* OS */
3324 -1, /* section_length */
3325 &(global_ld.bytes_written),
3328 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3329 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3330 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3331 successful = libpcap_write_interface_description_block(global_ld.pdh,
3332 NULL, /* OPT_COMMENT 1 */
3333 interface_opts.name, /* IDB_NAME 2 */
3334 interface_opts.descr, /* IDB_DESCRIPTION 3 */
3335 interface_opts.cfilter, /* IDB_FILTER 11 */
3336 os_info_str->str, /* IDB_OS 12 */
3337 pcap_opts->linktype,
3339 &(global_ld.bytes_written),
3340 0, /* IDB_IF_SPEED 8 */
3341 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
3345 g_string_free(os_info_str, TRUE);
3348 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3349 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3350 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
3353 fclose(global_ld.pdh);
3354 global_ld.pdh = NULL;
3355 global_ld.go = FALSE;
3358 if (cnd_autostop_size)
3359 cnd_reset(cnd_autostop_size);
3360 if (cnd_file_duration)
3361 cnd_reset(cnd_file_duration);
3362 libpcap_dump_flush(global_ld.pdh, NULL);
3364 report_packet_count(global_ld.inpkts_to_sync_pipe);
3365 global_ld.inpkts_to_sync_pipe = 0;
3366 report_new_capture_file(capture_opts->save_file);
3368 /* File switch failed: stop here */
3369 global_ld.go = FALSE;
3373 /* single file, stop now */
3374 global_ld.go = FALSE;
3381 pcap_read_handler(void* arg)
3383 pcap_options *pcap_opts;
3384 char errmsg[MSG_MAX_LENGTH+1];
3386 pcap_opts = (pcap_options *)arg;
3388 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3389 pcap_opts->interface_id);
3391 while (global_ld.go) {
3392 /* dispatch incoming packets */
3393 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3395 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3396 pcap_opts->interface_id);
3397 g_thread_exit(NULL);
3401 /* Do the low-level work of a capture.
3402 Returns TRUE if it succeeds, FALSE otherwise. */
3404 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3407 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3409 struct timeval upd_time, cur_time;
3413 condition *cnd_file_duration = NULL;
3414 condition *cnd_autostop_files = NULL;
3415 condition *cnd_autostop_size = NULL;
3416 condition *cnd_autostop_duration = NULL;
3419 gboolean cfilter_error = FALSE;
3420 char errmsg[MSG_MAX_LENGTH+1];
3421 char secondary_errmsg[MSG_MAX_LENGTH+1];
3422 pcap_options *pcap_opts;
3423 interface_options interface_opts;
3424 guint i, error_index = 0;
3427 *secondary_errmsg = '\0';
3429 /* init the loop data */
3430 global_ld.go = TRUE;
3431 global_ld.packet_count = 0;
3433 global_ld.report_packet_count = FALSE;
3435 if (capture_opts->has_autostop_packets)
3436 global_ld.packet_max = capture_opts->autostop_packets;
3438 global_ld.packet_max = 0; /* no limit */
3439 global_ld.inpkts_to_sync_pipe = 0;
3440 global_ld.err = 0; /* no error seen yet */
3441 global_ld.pdh = NULL;
3442 global_ld.autostop_files = 0;
3443 global_ld.save_file_fd = -1;
3445 /* We haven't yet gotten the capture statistics. */
3446 *stats_known = FALSE;
3448 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3449 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3451 /* open the "input file" from network interface or capture pipe */
3452 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3453 secondary_errmsg, sizeof(secondary_errmsg))) {
3456 for (i = 0; i < capture_opts->ifaces->len; i++) {
3457 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3458 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3459 /* init the input filter from the network interface (capture pipe will do nothing) */
3461 * When remote capturing WinPCap crashes when the capture filter
3462 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3465 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3466 interface_opts.name,
3467 interface_opts.cfilter?interface_opts.cfilter:"")) {
3469 case INITFILTER_NO_ERROR:
3472 case INITFILTER_BAD_FILTER:
3473 cfilter_error = TRUE;
3475 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3478 case INITFILTER_OTHER_ERROR:
3479 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3480 pcap_geterr(pcap_opts->pcap_h));
3481 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3486 /* If we're supposed to write to a capture file, open it for output
3487 (temporary/specified name/ringbuffer) */
3488 if (capture_opts->saving_to_file) {
3489 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3490 errmsg, sizeof(errmsg))) {
3494 /* set up to write to the already-opened capture output file/files */
3495 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3500 /* XXX - capture SIGTERM and close the capture, in case we're on a
3501 Linux 2.0[.x] system and you have to explicitly close the capture
3502 stream in order to turn promiscuous mode off? We need to do that
3503 in other places as well - and I don't think that works all the
3504 time in any case, due to libpcap bugs. */
3506 /* Well, we should be able to start capturing.
3508 Sync out the capture file, so the header makes it to the file system,
3509 and send a "capture started successfully and capture file created"
3510 message to our parent so that they'll open the capture file and
3511 update its windows to indicate that we have a live capture in
3513 libpcap_dump_flush(global_ld.pdh, NULL);
3514 report_new_capture_file(capture_opts->save_file);
3517 /* initialize capture stop (and alike) conditions */
3518 init_capture_stop_conditions();
3519 /* create stop conditions */
3520 if (capture_opts->has_autostop_filesize)
3522 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3523 if (capture_opts->has_autostop_duration)
3524 cnd_autostop_duration =
3525 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3527 if (capture_opts->multi_files_on) {
3528 if (capture_opts->has_file_duration)
3530 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3532 if (capture_opts->has_autostop_files)
3533 cnd_autostop_files =
3534 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3537 /* init the time values */
3539 upd_time = GetTickCount();
3541 gettimeofday(&upd_time, NULL);
3543 start_time = create_timestamp();
3544 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3546 /* WOW, everything is prepared! */
3547 /* please fasten your seat belts, we will enter now the actual capture loop */
3549 pcap_queue = g_async_queue_new();
3550 pcap_queue_bytes = 0;
3551 pcap_queue_packets = 0;
3552 for (i = 0; i < global_ld.pcaps->len; i++) {
3553 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3554 #if GLIB_CHECK_VERSION(2,31,0)
3555 /* XXX - Add an interface name here? */
3556 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3558 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3562 while (global_ld.go) {
3563 /* dispatch incoming packets */
3565 pcap_queue_element *queue_element;
3566 #if GLIB_CHECK_VERSION(2,31,18)
3568 g_async_queue_lock(pcap_queue);
3569 queue_element = g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3571 GTimeVal write_thread_time;
3573 g_get_current_time(&write_thread_time);
3574 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3575 g_async_queue_lock(pcap_queue);
3576 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3578 if (queue_element) {
3579 pcap_queue_bytes -= queue_element->phdr.caplen;
3580 pcap_queue_packets -= 1;
3582 g_async_queue_unlock(pcap_queue);
3583 if (queue_element) {
3584 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3585 "Dequeued a packet of length %d captured on interface %d.",
3586 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3588 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3589 &queue_element->phdr,
3591 g_free(queue_element->pd);
3592 g_free(queue_element);
3598 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3599 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3600 sizeof(errmsg), pcap_opts);
3603 /* Were we asked to print packet counts by the SIGINFO handler? */
3604 if (global_ld.report_packet_count) {
3605 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3606 plurality(global_ld.packet_count, "", "s"));
3607 global_ld.report_packet_count = FALSE;
3612 /* any news from our parent (signal pipe)? -> just stop the capture */
3613 if (!signal_pipe_check_running()) {
3614 global_ld.go = FALSE;
3619 global_ld.inpkts_to_sync_pipe += inpkts;
3621 /* check capture size condition */
3622 if (cnd_autostop_size != NULL &&
3623 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3624 /* Capture size limit reached, do we have another file? */
3625 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3626 cnd_autostop_size, cnd_file_duration))
3628 } /* cnd_autostop_size */
3629 if (capture_opts->output_to_pipe) {
3630 libpcap_dump_flush(global_ld.pdh, NULL);
3634 /* Only update once every 500ms so as not to overload slow displays.
3635 * This also prevents too much context-switching between the dumpcap
3636 * and wireshark processes.
3638 #define DUMPCAP_UPD_TIME 500
3641 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3642 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3644 gettimeofday(&cur_time, NULL);
3645 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3646 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3649 upd_time = cur_time;
3652 if (pcap_stats(pch, stats) >= 0) {
3653 *stats_known = TRUE;
3656 /* Let the parent process know. */
3657 if (global_ld.inpkts_to_sync_pipe) {
3659 libpcap_dump_flush(global_ld.pdh, NULL);
3661 /* Send our parent a message saying we've written out
3662 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3664 report_packet_count(global_ld.inpkts_to_sync_pipe);
3666 global_ld.inpkts_to_sync_pipe = 0;
3669 /* check capture duration condition */
3670 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3671 /* The maximum capture time has elapsed; stop the capture. */
3672 global_ld.go = FALSE;
3676 /* check capture file duration condition */
3677 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3678 /* duration limit reached, do we have another file? */
3679 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3680 cnd_autostop_size, cnd_file_duration))
3682 } /* cnd_file_duration */
3686 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3688 pcap_queue_element *queue_element;
3690 for (i = 0; i < global_ld.pcaps->len; i++) {
3691 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3692 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3693 pcap_opts->interface_id);
3694 g_thread_join(pcap_opts->tid);
3695 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3696 pcap_opts->interface_id);
3699 g_async_queue_lock(pcap_queue);
3700 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3701 if (queue_element) {
3702 pcap_queue_bytes -= queue_element->phdr.caplen;
3703 pcap_queue_packets -= 1;
3705 g_async_queue_unlock(pcap_queue);
3706 if (queue_element == NULL) {
3709 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3710 "Dequeued a packet of length %d captured on interface %d.",
3711 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3712 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3713 &queue_element->phdr,
3715 g_free(queue_element->pd);
3716 g_free(queue_element);
3717 global_ld.inpkts_to_sync_pipe += 1;
3718 if (capture_opts->output_to_pipe) {
3719 libpcap_dump_flush(global_ld.pdh, NULL);
3725 /* delete stop conditions */
3726 if (cnd_file_duration != NULL)
3727 cnd_delete(cnd_file_duration);
3728 if (cnd_autostop_files != NULL)
3729 cnd_delete(cnd_autostop_files);
3730 if (cnd_autostop_size != NULL)
3731 cnd_delete(cnd_autostop_size);
3732 if (cnd_autostop_duration != NULL)
3733 cnd_delete(cnd_autostop_duration);
3735 /* did we have a pcap (input) error? */
3736 for (i = 0; i < capture_opts->ifaces->len; i++) {
3737 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3738 if (pcap_opts->pcap_err) {
3739 /* On Linux, if an interface goes down while you're capturing on it,
3740 you'll get a "recvfrom: Network is down" or
3741 "The interface went down" error (ENETDOWN).
3742 (At least you will if g_strerror() doesn't show a local translation
3745 On FreeBSD and OS X, if a network adapter disappears while
3746 you're capturing on it, you'll get a "read: Device not configured"
3747 error (ENXIO). (See previous parenthetical note.)
3749 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3751 These should *not* be reported to the Wireshark developers. */
3754 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3755 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3756 strcmp(cap_err_str, "The interface went down") == 0 ||
3757 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3758 strcmp(cap_err_str, "read: I/O error") == 0 ||
3759 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3760 report_capture_error("The network adapter on which the capture was being done "
3761 "is no longer running; the capture has stopped.",
3764 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3766 report_capture_error(errmsg, please_report);
3769 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3770 report_capture_error(errmsg, "");
3774 /* did we have an output error while capturing? */
3775 if (global_ld.err == 0) {
3778 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3779 global_ld.err, FALSE);
3780 report_capture_error(errmsg, please_report);
3784 if (capture_opts->saving_to_file) {
3785 /* close the output file */
3786 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3790 /* there might be packets not yet notified to the parent */
3791 /* (do this after closing the file, so all packets are already flushed) */
3792 if(global_ld.inpkts_to_sync_pipe) {
3794 report_packet_count(global_ld.inpkts_to_sync_pipe);
3795 global_ld.inpkts_to_sync_pipe = 0;
3798 /* If we've displayed a message about a write error, there's no point
3799 in displaying another message about an error on close. */
3800 if (!close_ok && write_ok) {
3801 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3803 report_capture_error(errmsg, "");
3807 * XXX We exhibit different behaviour between normal mode and sync mode
3808 * when the pipe is stdin and not already at EOF. If we're a child, the
3809 * parent's stdin isn't closed, so if the user starts another capture,
3810 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3811 * will say "Unrecognized libpcap format". On the other hand, in normal
3812 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3815 report_capture_count(TRUE);
3817 /* get packet drop statistics from pcap */
3818 for (i = 0; i < capture_opts->ifaces->len; i++) {
3822 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3823 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3824 received = pcap_opts->received;
3825 dropped = pcap_opts->dropped;
3826 if (pcap_opts->pcap_h != NULL) {
3827 g_assert(!pcap_opts->from_cap_pipe);
3828 /* Get the capture statistics, so we know how many packets were dropped. */
3829 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3830 *stats_known = TRUE;
3831 /* Let the parent process know. */
3832 dropped += stats->ps_drop;
3834 g_snprintf(errmsg, sizeof(errmsg),
3835 "Can't get packet-drop statistics: %s",
3836 pcap_geterr(pcap_opts->pcap_h));
3837 report_capture_error(errmsg, please_report);
3840 report_packet_drops(received, dropped, interface_opts.console_display_name);
3843 /* close the input file (pcap or capture pipe) */
3844 capture_loop_close_input(&global_ld);
3846 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3848 /* ok, if the write and the close were successful. */
3849 return write_ok && close_ok;
3852 if (capture_opts->multi_files_on) {
3853 /* cleanup ringbuffer */
3854 ringbuf_error_cleanup();
3856 /* We can't use the save file, and we have no FILE * for the stream
3857 to close in order to close it, so close the FD directly. */
3858 if (global_ld.save_file_fd != -1) {
3859 ws_close(global_ld.save_file_fd);
3862 /* We couldn't even start the capture, so get rid of the capture
3864 if (capture_opts->save_file != NULL) {
3865 ws_unlink(capture_opts->save_file);
3866 g_free(capture_opts->save_file);
3869 capture_opts->save_file = NULL;
3871 report_cfilter_error(capture_opts, error_index, errmsg);
3873 report_capture_error(errmsg, secondary_errmsg);
3875 /* close the input file (pcap or cap_pipe) */
3876 capture_loop_close_input(&global_ld);
3878 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3884 static void capture_loop_stop(void)
3886 #ifdef HAVE_PCAP_BREAKLOOP
3888 pcap_options *pcap_opts;
3890 for (i = 0; i < global_ld.pcaps->len; i++) {
3891 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3892 if (pcap_opts->pcap_h != NULL)
3893 pcap_breakloop(pcap_opts->pcap_h);
3896 global_ld.go = FALSE;
3901 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3902 int err, gboolean is_close)
3907 g_snprintf(errmsg, errmsglen,
3908 "Not all the packets could be written to the file"
3909 " to which the capture was being saved\n"
3910 "(\"%s\") because there is no space left on the file system\n"
3911 "on which that file resides.",
3917 g_snprintf(errmsg, errmsglen,
3918 "Not all the packets could be written to the file"
3919 " to which the capture was being saved\n"
3920 "(\"%s\") because you are too close to, or over,"
3921 " your disk quota\n"
3922 "on the file system on which that file resides.",
3929 g_snprintf(errmsg, errmsglen,
3930 "The file to which the capture was being saved\n"
3931 "(\"%s\") could not be closed: %s.",
3932 fname, g_strerror(err));
3934 g_snprintf(errmsg, errmsglen,
3935 "An error occurred while writing to the file"
3936 " to which the capture was being saved\n"
3938 fname, g_strerror(err));
3945 /* one packet was captured, process it */
3947 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3950 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3952 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3954 /* We may be called multiple times from pcap_dispatch(); if we've set
3955 the "stop capturing" flag, ignore this packet, as we're not
3956 supposed to be saving any more packets. */
3957 if (!global_ld.go) {
3958 pcap_opts->dropped++;
3962 if (global_ld.pdh) {
3963 gboolean successful;
3965 /* We're supposed to write the packet to a file; do so.
3966 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3967 "ld->err" to the error. */
3968 if (global_capture_opts.use_pcapng) {
3969 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, ts_mul, pd, &global_ld.bytes_written, &err);
3971 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3974 global_ld.go = FALSE;
3975 global_ld.err = err;
3976 pcap_opts->dropped++;
3978 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3979 "Wrote a packet of length %d captured on interface %u.",
3980 phdr->caplen, pcap_opts->interface_id);
3981 global_ld.packet_count++;
3982 pcap_opts->received++;
3983 /* if the user told us to stop after x packets, do we already have enough? */
3984 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3985 global_ld.go = FALSE;
3991 /* one packet was captured, queue it */
3993 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3996 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3997 pcap_queue_element *queue_element;
3998 gboolean limit_reached;
4000 /* We may be called multiple times from pcap_dispatch(); if we've set
4001 the "stop capturing" flag, ignore this packet, as we're not
4002 supposed to be saving any more packets. */
4003 if (!global_ld.go) {
4004 pcap_opts->dropped++;
4008 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
4009 if (queue_element == NULL) {
4010 pcap_opts->dropped++;
4013 queue_element->pcap_opts = pcap_opts;
4014 queue_element->phdr = *phdr;
4015 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
4016 if (queue_element->pd == NULL) {
4017 pcap_opts->dropped++;
4018 g_free(queue_element);
4021 memcpy(queue_element->pd, pd, phdr->caplen);
4022 g_async_queue_lock(pcap_queue);
4023 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
4024 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
4025 limit_reached = FALSE;
4026 g_async_queue_push_unlocked(pcap_queue, queue_element);
4027 pcap_queue_bytes += phdr->caplen;
4028 pcap_queue_packets += 1;
4030 limit_reached = TRUE;
4032 g_async_queue_unlock(pcap_queue);
4033 if (limit_reached) {
4034 pcap_opts->dropped++;
4035 g_free(queue_element->pd);
4036 g_free(queue_element);
4037 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4038 "Dropped a packet of length %d captured on interface %u.",
4039 phdr->caplen, pcap_opts->interface_id);
4041 pcap_opts->received++;
4042 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4043 "Queued a packet of length %d captured on interface %u.",
4044 phdr->caplen, pcap_opts->interface_id);
4046 /* I don't want to hold the mutex over the debug output. So the
4047 output may be wrong */
4048 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4049 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
4050 pcap_queue_bytes, pcap_queue_packets);
4054 set_80211_channel(const char *iface, const char *opt)
4056 int freq = 0, type, ret;
4057 gchar **options = NULL;
4058 options = g_strsplit_set(opt, ",", 2);
4061 freq = atoi(options[0]);
4064 type = ws80211_str_to_chan_type(options[1]);
4073 ret = ws80211_init();
4075 cmdarg_err("%d: Failed to init ws80211: %s\n", abs(ret), g_strerror(abs(ret)));
4079 ret = ws80211_set_freq(iface, freq, type);
4082 cmdarg_err("%d: Failed to set channel: %s\n", abs(ret), g_strerror(abs(ret)));
4088 pipe_write_block(2, SP_SUCCESS, NULL);
4092 g_strfreev(options);
4096 /* And now our feature presentation... [ fade to music ] */
4098 main(int argc, char *argv[])
4101 gboolean arg_error = FALSE;
4106 struct sigaction action, oldaction;
4109 gboolean start_capture = TRUE;
4110 gboolean stats_known;
4111 struct pcap_stat stats;
4112 GLogLevelFlags log_flags;
4113 gboolean list_interfaces = FALSE;
4114 gboolean list_link_layer_types = FALSE;
4115 #ifdef HAVE_BPF_IMAGE
4116 gboolean print_bpf_code = FALSE;
4118 gboolean set_chan = FALSE;
4119 gchar *set_chan_arg = NULL;
4120 gboolean machine_readable = FALSE;
4121 gboolean print_statistics = FALSE;
4122 int status, run_once_args = 0;
4125 #if defined(__APPLE__) && defined(__LP64__)
4126 struct utsname osinfo;
4131 arg_list_utf_16to8(argc, argv);
4136 * Initialize our DLL search path. MUST be called before LoadLibrary
4139 ws_init_dll_search_path();
4142 #ifdef HAVE_PCAP_REMOTE
4143 #define OPTSTRING_A "A:"
4144 #define OPTSTRING_r "r"
4145 #define OPTSTRING_u "u"
4147 #define OPTSTRING_A ""
4148 #define OPTSTRING_r ""
4149 #define OPTSTRING_u ""
4152 #ifdef HAVE_PCAP_SETSAMPLING
4153 #define OPTSTRING_m "m:"
4155 #define OPTSTRING_m ""
4158 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4159 #define OPTSTRING_B "B:"
4161 #define OPTSTRING_B ""
4162 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4164 #ifdef HAVE_PCAP_CREATE
4165 #define OPTSTRING_I "I"
4167 #define OPTSTRING_I ""
4170 #ifdef HAVE_BPF_IMAGE
4171 #define OPTSTRING_d "d"
4173 #define OPTSTRING_d ""
4176 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "k:L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
4178 #ifdef DEBUG_CHILD_DUMPCAP
4179 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
4180 fprintf (stderr, "Unable to open debug log file !\n");
4185 #if defined(__APPLE__) && defined(__LP64__)
4187 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
4188 * a bug workaround - timeouts less than 1 second don't work with libpcap
4189 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
4190 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
4191 * The problem is extremely unlikely to be reintroduced in a future
4194 if (uname(&osinfo) == 0) {
4196 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
4197 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
4198 * number of 10.0.0, not 10.1.0 - go figure).
4200 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
4201 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
4202 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
4203 need_timeout_workaround = TRUE;
4208 * Determine if dumpcap is being requested to run in a special
4209 * capture_child mode by going thru the command line args to see if
4210 * a -Z is present. (-Z is a hidden option).
4212 * The primary result of running in capture_child mode is that
4213 * all messages sent out on stderr are in a special type/len/string
4214 * format to allow message processing by type. These messages include
4215 * error messages if dumpcap fails to start the operation it was
4216 * requested to do, as well as various "status" messages which are sent
4217 * when an actual capture is in progress, and a "success" message sent
4218 * if dumpcap was requested to perform an operation other than a
4221 * Capture_child mode would normally be requested by a parent process
4222 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
4223 * to which dumpcap stderr has been redirected. It might also have
4224 * another pipe to obtain dumpcap stdout output; for operations other
4225 * than a capture, that information is formatted specially for easier
4226 * parsing by the parent process.
4228 * Capture_child mode needs to be determined immediately upon
4229 * startup so that any messages generated by dumpcap in this mode
4230 * (eg: during initialization) will be formatted properly.
4233 for (i=1; i<argc; i++) {
4234 if (strcmp("-Z", argv[i]) == 0) {
4235 capture_child = TRUE;
4236 machine_readable = TRUE; /* request machine-readable output */
4238 /* set output pipe to binary mode, to avoid ugly text conversions */
4239 _setmode(2, O_BINARY);
4244 /* The default_log_handler will use stdout, which makes trouble in */
4245 /* capture child mode, as it uses stdout for it's sync_pipe. */
4246 /* So: the filtering is done in the console_log_handler and not here.*/
4247 /* We set the log handlers right up front to make sure that any log */
4248 /* messages when running as child will be sent back to the parent */
4249 /* with the correct format. */
4253 G_LOG_LEVEL_CRITICAL|
4254 G_LOG_LEVEL_WARNING|
4255 G_LOG_LEVEL_MESSAGE|
4258 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
4260 g_log_set_handler(NULL,
4262 console_log_handler, NULL /* user_data */);
4263 g_log_set_handler(LOG_DOMAIN_MAIN,
4265 console_log_handler, NULL /* user_data */);
4266 g_log_set_handler(LOG_DOMAIN_CAPTURE,
4268 console_log_handler, NULL /* user_data */);
4269 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
4271 console_log_handler, NULL /* user_data */);
4273 /* Initialize the pcaps list */
4274 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
4276 #if !GLIB_CHECK_VERSION(2,31,0)
4277 /* Initialize the thread system */
4278 g_thread_init(NULL);
4282 /* Load wpcap if possible. Do this before collecting the run-time version information */
4285 /* ... and also load the packet.dll from wpcap */
4286 /* XXX - currently not required, may change later. */
4287 /*wpcap_packet_load();*/
4289 /* Start windows sockets */
4290 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
4292 /* Set handler for Ctrl+C key */
4293 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4295 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4296 and exit. Do the same with SIGPIPE, in case, for example,
4297 we're writing to our standard output and it's a pipe.
4298 Do the same with SIGHUP if it's not being ignored (if we're
4299 being run under nohup, it might be ignored, in which case we
4300 should leave it ignored).
4302 XXX - apparently, Coverity complained that part of action
4303 wasn't initialized. Perhaps it's running on Linux, where
4304 struct sigaction has an ignored "sa_restorer" element and
4305 where "sa_handler" and "sa_sigaction" might not be two
4306 members of a union. */
4307 memset(&action, 0, sizeof(action));
4308 action.sa_handler = capture_cleanup_handler;
4310 * Arrange that system calls not get restarted, because when
4311 * our signal handler returns we don't want to restart
4312 * a call that was waiting for packets to arrive.
4314 action.sa_flags = 0;
4315 sigemptyset(&action.sa_mask);
4316 sigaction(SIGTERM, &action, NULL);
4317 sigaction(SIGINT, &action, NULL);
4318 sigaction(SIGPIPE, &action, NULL);
4319 sigaction(SIGHUP, NULL, &oldaction);
4320 if (oldaction.sa_handler == SIG_DFL)
4321 sigaction(SIGHUP, &action, NULL);
4324 /* Catch SIGINFO and, if we get it and we're capturing in
4325 quiet mode, report the number of packets we've captured. */
4326 action.sa_handler = report_counts_siginfo;
4327 action.sa_flags = SA_RESTART;
4328 sigemptyset(&action.sa_mask);
4329 sigaction(SIGINFO, &action, NULL);
4330 #endif /* SIGINFO */
4333 /* ----------------------------------------------------------------- */
4334 /* Privilege and capability handling */
4336 /* 1. Running not as root or suid root; no special capabilities. */
4339 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4342 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4344 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4345 /* capabilities; Drop all other capabilities; */
4346 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4347 /* else: after pcap_open_live() in capture_loop_open_input() */
4348 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4349 /* (Note: this means that the process, although logged in */
4350 /* as root, does not have various permissions such as the */
4351 /* ability to bypass file access permissions). */
4352 /* XXX: Should we just leave capabilities alone in this case */
4353 /* so that user gets expected effect that root can do */
4356 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4358 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4359 /* else: after pcap_open_live() in capture_loop_open_input() */
4360 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4361 /* pcap_open_live). */
4363 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4365 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4366 /* capabilities; Drop all other capabilities; */
4367 /* Drop suid privileges (euid=ruid); */
4368 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4369 /* else: after pcap_open_live() in capture_loop_open_input() */
4370 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4372 /* XXX: For some Linux versions/distros with capabilities */
4373 /* a 'normal' process with any capabilities cannot be */
4374 /* 'killed' (signaled) from another (same uid) non-privileged */
4376 /* For example: If (non-suid) Wireshark forks a */
4377 /* child suid dumpcap which acts as described here (case 5), */
4378 /* Wireshark will be unable to kill (signal) the child */
4379 /* dumpcap process until the capabilities have been dropped */
4380 /* (after pcap_open_live()). */
4381 /* This behaviour will apparently be changed in the kernel */
4382 /* to allow the kill (signal) in this case. */
4383 /* See the following for details: */
4384 /* http://www.mail-archive.com/ [wrapped] */
4385 /* linux-security-module@vger.kernel.org/msg02913.html */
4387 /* It is therefore conceivable that if dumpcap somehow hangs */
4388 /* in pcap_open_live or before that wireshark will not */
4389 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4390 /* In this case, exiting wireshark will kill the child */
4391 /* dumpcap process. */
4393 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4394 /* capabilities; Using libcap. Note: capset cmd (which see) */
4395 /* used to assign capabilities to file. */
4397 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4398 /* else: after pcap_open_live() in capture_loop_open_input() */
4399 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4401 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4402 /* longer required (similar to capture). */
4404 /* ----------------------------------------------------------------- */
4406 init_process_policies();
4409 /* If 'started with special privileges' (and using libcap) */
4410 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4411 /* Set euid/egid = ruid/rgid to remove suid privileges */
4412 relinquish_privs_except_capture();
4415 /* Set the initial values in the capture options. This might be overwritten
4416 by the command line parameters. */
4417 capture_opts_init(&global_capture_opts, NULL);
4419 /* We always save to a file - if no file was specified, we save to a
4421 global_capture_opts.saving_to_file = TRUE;
4422 global_capture_opts.has_ring_num_files = TRUE;
4424 /* Now get our args */
4425 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4427 case 'h': /* Print help and exit */
4431 case 'v': /* Show version and exit */
4433 GString *comp_info_str;
4434 GString *runtime_info_str;
4435 /* Assemble the compile-time version information string */
4436 comp_info_str = g_string_new("Compiled ");
4437 get_compiled_version_info(comp_info_str, NULL, NULL);
4439 /* Assemble the run-time version information string */
4440 runtime_info_str = g_string_new("Running ");
4441 get_runtime_version_info(runtime_info_str, NULL);
4442 show_version(comp_info_str, runtime_info_str);
4443 g_string_free(comp_info_str, TRUE);
4444 g_string_free(runtime_info_str, TRUE);
4448 /*** capture option specific ***/
4449 case 'a': /* autostop criteria */
4450 case 'b': /* Ringbuffer option */
4451 case 'c': /* Capture x packets */
4452 case 'f': /* capture filter */
4453 case 'i': /* Use interface x */
4454 case 'n': /* Use pcapng format */
4455 case 'p': /* Don't capture in promiscuous mode */
4456 case 'P': /* Use pcap format */
4457 case 's': /* Set the snapshot (capture) length */
4458 case 'w': /* Write to capture file x */
4459 case 'g': /* enable group read accesson file(s) */
4460 case 'y': /* Set the pcap data link type */
4461 #ifdef HAVE_PCAP_REMOTE
4462 case 'u': /* Use UDP for data transfer */
4463 case 'r': /* Capture own RPCAP traffic too */
4464 case 'A': /* Authentication */
4466 #ifdef HAVE_PCAP_SETSAMPLING
4467 case 'm': /* Sampling */
4469 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4470 case 'B': /* Buffer size */
4471 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4472 #ifdef HAVE_PCAP_CREATE
4473 case 'I': /* Monitor mode */
4475 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4480 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4482 capture_child = TRUE;
4484 /* set output pipe to binary mode, to avoid ugly text conversions */
4485 _setmode(2, O_BINARY);
4487 * optarg = the control ID, aka the PPID, currently used for the
4490 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4491 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4492 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4493 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4495 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4496 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4497 "Signal pipe: Unable to open %s. Dead parent?",
4505 case 'q': /* Quiet */
4511 /*** all non capture option specific ***/
4512 case 'D': /* Print a list of capture devices and exit */
4513 list_interfaces = TRUE;
4516 case 'L': /* Print list of link-layer types and exit */
4517 list_link_layer_types = TRUE;
4520 #ifdef HAVE_BPF_IMAGE
4521 case 'd': /* Print BPF code for capture filter and exit */
4522 print_bpf_code = TRUE;
4526 case 'S': /* Print interface statistics once a second */
4527 print_statistics = TRUE;
4530 case 'k': /* Set wireless channel */
4532 set_chan_arg = optarg;
4535 case 'M': /* For -D, -L, and -S, print machine-readable output */
4536 machine_readable = TRUE;
4539 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4541 case '?': /* Bad flag - print usage message */
4550 /* user specified file name as regular command-line argument */
4551 /* XXX - use it as the capture file name (or something else)? */
4557 * Extra command line arguments were specified; complain.
4558 * XXX - interpret as capture filter, as tcpdump and tshark do?
4560 cmdarg_err("Invalid argument: %s", argv[0]);
4570 if (run_once_args > 1) {
4571 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4573 } else if (run_once_args == 1) {
4574 /* We're supposed to print some information, rather than
4575 to capture traffic; did they specify a ring buffer option? */
4576 if (global_capture_opts.multi_files_on) {
4577 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4581 /* We're supposed to capture traffic; */
4582 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4583 if (global_capture_opts.ifaces->len > 1) {
4585 global_capture_opts.use_pcapng = TRUE;
4587 /* Was the ring buffer option specified and, if so, does it make sense? */
4588 if (global_capture_opts.multi_files_on) {
4589 /* Ring buffer works only under certain conditions:
4590 a) ring buffer does not work with temporary files;
4591 b) it makes no sense to enable the ring buffer if the maximum
4592 file size is set to "infinite". */
4593 if (global_capture_opts.save_file == NULL) {
4594 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4595 global_capture_opts.multi_files_on = FALSE;
4597 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4598 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4600 /* XXX - this must be redesigned as the conditions changed */
4601 global_capture_opts.multi_files_on = FALSE;
4608 * "-D" requires no interface to be selected; it's supposed to list
4611 if (list_interfaces) {
4612 /* Get the list of interfaces */
4617 if_list = capture_interface_list(&err, &err_str);
4618 if (if_list == NULL) {
4620 case CANT_GET_INTERFACE_LIST:
4621 case DONT_HAVE_PCAP:
4622 cmdarg_err("%s", err_str);
4627 case NO_INTERFACES_FOUND:
4629 * If we're being run by another program, just give them
4630 * an empty list of interfaces, don't report this as
4631 * an error; that lets them decide whether to report
4632 * this as an error or not.
4634 if (!machine_readable) {
4635 cmdarg_err("There are no interfaces on which a capture can be done");
4642 if (machine_readable) /* tab-separated values to stdout */
4643 print_machine_readable_interfaces(if_list);
4645 capture_opts_print_interfaces(if_list);
4646 free_interface_list(if_list);
4651 * "-S" requires no interface to be selected; it gives statistics
4652 * for all interfaces.
4654 if (print_statistics) {
4655 status = print_statistics_loop(machine_readable);
4660 interface_options interface_opts;
4662 if (global_capture_opts.ifaces->len != 1) {
4663 cmdarg_err("Need one interface");
4667 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, 0);
4668 status = set_80211_channel(interface_opts.name, set_chan_arg);
4673 * "-L", "-d", and capturing act on a particular interface, so we have to
4674 * have an interface; if none was specified, pick a default.
4676 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4677 /* cmdarg_err() already called .... */
4681 /* Let the user know what interfaces were chosen. */
4682 if (capture_child) {
4683 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4684 interface_options interface_opts;
4686 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4687 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4688 interface_opts.name);
4691 str = g_string_new("");
4693 if (global_capture_opts.ifaces->len < 2)
4695 if (global_capture_opts.ifaces->len < 4)
4698 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4699 interface_options interface_opts;
4701 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4703 if (global_capture_opts.ifaces->len > 2) {
4704 g_string_append_printf(str, ",");
4706 g_string_append_printf(str, " ");
4707 if (j == global_capture_opts.ifaces->len - 1) {
4708 g_string_append_printf(str, "and ");
4711 g_string_append_printf(str, "'%s'", interface_opts.console_display_name);
4714 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4716 fprintf(stderr, "Capturing on %s\n", str->str);
4717 g_string_free(str, TRUE);
4720 if (list_link_layer_types) {
4721 /* Get the list of link-layer types for the capture device. */
4722 if_capabilities_t *caps;
4726 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4727 interface_options interface_opts;
4729 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4730 caps = get_if_capabilities(interface_opts.name,
4731 interface_opts.monitor_mode, &err_str);
4733 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4734 "Please check to make sure you have sufficient permissions, and that\n"
4735 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4739 if (caps->data_link_types == NULL) {
4740 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4743 if (machine_readable) /* tab-separated values to stdout */
4744 /* XXX: We need to change the format and adopt consumers */
4745 print_machine_readable_if_capabilities(caps);
4747 /* XXX: We might want to print also the interface name */
4748 capture_opts_print_if_capabilities(caps, interface_opts.name,
4749 interface_opts.monitor_mode);
4750 free_if_capabilities(caps);
4755 /* We're supposed to do a capture, or print the BPF code for a filter.
4756 Process the snapshot length, as that affects the generated BPF code. */
4757 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4759 #ifdef HAVE_BPF_IMAGE
4760 if (print_bpf_code) {
4761 show_filter_code(&global_capture_opts);
4766 /* We're supposed to do a capture. Process the ring buffer arguments. */
4767 capture_opts_trim_ring_num_files(&global_capture_opts);
4769 /* flush stderr prior to starting the main capture loop */
4772 /* Now start the capture. */
4774 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4778 /* capture failed */
4781 return 0; /* never here, make compiler happy */
4786 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4787 const char *message, gpointer user_data _U_)
4794 /* ignore log message, if log_level isn't interesting */
4795 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4796 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4801 /* create a "timestamp" */
4803 today = localtime(&curr);
4805 switch(log_level & G_LOG_LEVEL_MASK) {
4806 case G_LOG_LEVEL_ERROR:
4809 case G_LOG_LEVEL_CRITICAL:
4812 case G_LOG_LEVEL_WARNING:
4815 case G_LOG_LEVEL_MESSAGE:
4818 case G_LOG_LEVEL_INFO:
4821 case G_LOG_LEVEL_DEBUG:
4825 fprintf(stderr, "unknown log_level %u\n", log_level);
4827 g_assert_not_reached();
4830 /* Generate the output message */
4831 if(log_level & G_LOG_LEVEL_MESSAGE) {
4832 /* normal user messages without additional infos */
4833 msg = g_strdup_printf("%s\n", message);
4835 /* info/debug messages with additional infos */
4836 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4837 today->tm_hour, today->tm_min, today->tm_sec,
4838 log_domain != NULL ? log_domain : "",
4842 /* DEBUG & INFO msgs (if we're debugging today) */
4843 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4844 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4845 #ifdef DEBUG_DUMPCAP
4846 fprintf(stderr, "%s", msg);
4849 #ifdef DEBUG_CHILD_DUMPCAP
4850 fprintf(debug_log, "%s", msg);
4858 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4859 /* to parent especially formatted if dumpcap running as child. */
4860 if (capture_child) {
4861 sync_pipe_errmsg_to_parent(2, msg, "");
4863 fprintf(stderr, "%s", msg);
4870 /****************************************************************************************************************/
4871 /* indication report routines */
4875 report_packet_count(unsigned int packet_count)
4877 char tmp[SP_DECISIZE+1+1];
4878 static unsigned int count = 0;
4881 g_snprintf(tmp, sizeof(tmp), "%u", packet_count);
4882 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4883 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4885 count += packet_count;
4886 fprintf(stderr, "\rPackets: %u ", count);
4887 /* stderr could be line buffered */
4893 report_new_capture_file(const char *filename)
4896 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4897 pipe_write_block(2, SP_FILE, filename);
4901 * Prevent a SIGINFO handler from writing to the standard error
4902 * while we're doing so; instead, have it just set a flag telling
4903 * us to print that information when we're done.
4906 #endif /* SIGINFO */
4907 fprintf(stderr, "File: %s\n", filename);
4908 /* stderr could be line buffered */
4913 * Allow SIGINFO handlers to write.
4918 * If a SIGINFO handler asked us to write out capture counts, do so.
4921 report_counts_for_siginfo();
4922 #endif /* SIGINFO */
4927 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4929 interface_options interface_opts;
4930 char tmp[MSG_MAX_LENGTH+1+6];
4932 if (i < capture_opts->ifaces->len) {
4933 if (capture_child) {
4934 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4935 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4936 pipe_write_block(2, SP_BAD_FILTER, tmp);
4939 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4940 * the error message below.
4942 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4944 "Invalid capture filter \"%s\" for interface %s!\n"
4946 "That string isn't a valid capture filter (%s).\n"
4947 "See the User's Guide for a description of the capture filter syntax.",
4948 interface_opts.cfilter, interface_opts.name, errmsg);
4954 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4957 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4958 "Primary Error: %s", error_msg);
4959 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4960 "Secondary Error: %s", secondary_error_msg);
4961 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4963 cmdarg_err("%s", error_msg);
4964 if (secondary_error_msg[0] != '\0')
4965 cmdarg_err_cont("%s", secondary_error_msg);
4970 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4972 char tmp[SP_DECISIZE+1+1];
4974 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4977 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4978 "Packets received/dropped on interface %s: %u/%u",
4979 name, received, drops);
4980 /* XXX: Need to provide interface id, changes to consumers required. */
4981 pipe_write_block(2, SP_DROPS, tmp);
4984 "Packets received/dropped on interface '%s': %u/%u (%.1f%%)\n",
4985 name, received, drops,
4986 received ? 100.0 * received / (received + drops) : 0.0);
4987 /* stderr could be line buffered */
4993 /************************************************************************************************/
4994 /* signal_pipe handling */
4999 signal_pipe_check_running(void)
5001 /* any news from our parent? -> just stop the capture */
5005 /* if we are running standalone, no check required */
5006 if(!capture_child) {
5010 if(!sig_pipe_name || !sig_pipe_handle) {
5011 /* This shouldn't happen */
5012 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
5013 "Signal pipe: No name or handle");
5018 * XXX - We should have the process ID of the parent (from the "-Z" flag)
5019 * at this point. Should we check to see if the parent is still alive,
5020 * e.g. by using OpenProcess?
5023 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
5025 if(!result || avail > 0) {
5026 /* peek failed or some bytes really available */
5027 /* (if not piping from stdin this would fail) */
5028 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
5029 "Signal pipe: Stop capture: %s", sig_pipe_name);
5030 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
5031 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
5032 sig_pipe_handle, result, avail);
5035 /* pipe ok and no bytes available */
5042 * Editor modelines - http://www.wireshark.org/tools/modelines.html
5047 * indent-tabs-mode: nil
5050 * vi: set shiftwidth=4 tabstop=8 expandtab:
5051 * :indentSize=4:tabSize=8:noTabs=true: