5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 #include <stdlib.h> /* for exit() */
35 #ifdef HAVE_SYS_TYPES_H
36 # include <sys/types.h>
39 #ifdef HAVE_SYS_STAT_H
40 # include <sys/stat.h>
51 #ifdef HAVE_ARPA_INET_H
52 #include <arpa/inet.h>
55 #if defined(__APPLE__) && defined(__LP64__)
56 #include <sys/utsname.h>
63 #include "wsutil/wsgetopt.h"
71 # include <sys/prctl.h>
72 # include <sys/capability.h>
75 #include "ringbuffer.h"
76 #include "clopts_common.h"
77 #include "console_io.h"
78 #include "cmdarg_err.h"
79 #include "version_info.h"
81 #include "capture-pcap-util.h"
83 #include "capture-wpcap.h"
89 #include "capture-wpcap.h"
90 #include <wsutil/unicode-utils.h>
94 #include <sys/socket.h>
98 #ifdef NEED_INET_V6DEFS_H
99 # include "wsutil/inet_v6defs.h"
102 #include <wsutil/privileges.h>
104 #include "sync_pipe.h"
106 #include "capture_opts.h"
107 #include "capture_ifinfo.h"
108 #include "capture_sync.h"
110 #include "conditions.h"
111 #include "capture_stop_conditions.h"
113 #include "tempfile.h"
115 #include "wsutil/file_util.h"
118 * Get information about libpcap format from "wiretap/libpcap.h".
119 * XXX - can we just use pcap_open_offline() to read the pipe?
121 #include "wiretap/libpcap.h"
123 /**#define DEBUG_DUMPCAP**/
124 /**#define DEBUG_CHILD_DUMPCAP**/
128 #include <conio.h> /* _getch() */
132 #ifdef DEBUG_CHILD_DUMPCAP
133 FILE *debug_log; /* for logging debug messages to */
134 /* a file if DEBUG_CHILD_DUMPCAP */
138 static GAsyncQueue *pcap_queue;
139 static gint64 pcap_queue_bytes;
140 static gint64 pcap_queue_packets;
141 static gint64 pcap_queue_byte_limit = 1024 * 1024;
142 static gint64 pcap_queue_packet_limit = 1000;
144 static gboolean capture_child = FALSE; /* FALSE: standalone call, TRUE: this is an Wireshark capture child */
146 static gchar *sig_pipe_name = NULL;
147 static HANDLE sig_pipe_handle = NULL;
148 static gboolean signal_pipe_check_running(void);
152 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
153 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
156 /** Stop a low-level capture (stops the capture child). */
157 static void capture_loop_stop(void);
159 #if !defined (__linux__)
160 #ifndef HAVE_PCAP_BREAKLOOP
162 * We don't have pcap_breakloop(), which is the only way to ensure that
163 * pcap_dispatch(), pcap_loop(), or even pcap_next() or pcap_next_ex()
164 * won't, if the call to read the next packet or batch of packets is
165 * is interrupted by a signal on UN*X, just go back and try again to
168 * On UN*X, we catch SIGINT as a "stop capturing" signal, and, in
169 * the signal handler, set a flag to stop capturing; however, without
170 * a guarantee of that sort, we can't guarantee that we'll stop capturing
171 * if the read will be retried and won't time out if no packets arrive.
173 * Therefore, on at least some platforms, we work around the lack of
174 * pcap_breakloop() by doing a select() on the pcap_t's file descriptor
175 * to wait for packets to arrive, so that we're probably going to be
176 * blocked in the select() when the signal arrives, and can just bail
177 * out of the loop at that point.
179 * However, we don't want to do that on BSD (because "select()" doesn't work
180 * correctly on BPF devices on at least some releases of some flavors of
181 * BSD), and we don't want to do it on Windows (because "select()" is
182 * something for sockets, not for arbitrary handles). (Note that "Windows"
183 * here includes Cygwin; even in its pretend-it's-UNIX environment, we're
184 * using WinPcap, not a UNIX libpcap.)
186 * Fortunately, we don't need to do it on BSD, because the libpcap timeout
187 * on BSD times out even if no packets have arrived, so we'll eventually
188 * exit pcap_dispatch() with an indication that no packets have arrived,
189 * and will break out of the capture loop at that point.
191 * On Windows, we can't send a SIGINT to stop capturing, so none of this
192 * applies in any case.
194 * XXX - the various BSDs appear to define BSD in <sys/param.h>; we don't
195 * want to include it if it's not present on this platform, however.
197 # if !defined(__FreeBSD__) && !defined(__NetBSD__) && !defined(__OpenBSD__) && \
198 !defined(__bsdi__) && !defined(__APPLE__) && !defined(_WIN32) && \
200 # define MUST_DO_SELECT
201 # endif /* avoid select */
202 #endif /* HAVE_PCAP_BREAKLOOP */
204 /* whatever the deal with pcap_breakloop, linux doesn't support timeouts
205 * in pcap_dispatch(); on the other hand, select() works just fine there.
206 * Hence we use a select for that come what may.
208 #define MUST_DO_SELECT
211 /** init the capture filter */
214 INITFILTER_BAD_FILTER,
215 INITFILTER_OTHER_ERROR
216 } initfilter_status_t;
218 typedef struct _pcap_options {
222 #ifdef MUST_DO_SELECT
223 int pcap_fd; /* pcap file descriptor */
230 gboolean ts_nsec; /* TRUE if we're using nanosecond precision. */
231 /* capture pipe (unix only "input file") */
232 gboolean from_cap_pipe; /* TRUE if we are capturing data from a capture pipe */
233 struct pcap_hdr cap_pipe_hdr; /* Pcap header when capturing from a pipe */
234 struct pcaprec_modified_hdr cap_pipe_rechdr; /* Pcap record header when capturing from a pipe */
236 HANDLE cap_pipe_h; /* The handle of the capture pipe */
238 int cap_pipe_fd; /* the file descriptor of the capture pipe */
240 gboolean cap_pipe_modified; /* TRUE if data in the pipe uses modified pcap headers */
241 gboolean cap_pipe_byte_swapped; /* TRUE if data in the pipe is byte swapped */
243 char * cap_pipe_buf; /* Pointer to the data buffer we read into */
245 int cap_pipe_bytes_to_read;/* Used by cap_pipe_dispatch */
246 int cap_pipe_bytes_read; /* Used by cap_pipe_dispatch */
248 STATE_EXPECT_REC_HDR,
253 enum { PIPOK, PIPEOF, PIPERR, PIPNEXIST } cap_pipe_err;
255 GMutex *cap_pipe_read_mtx;
256 GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
260 typedef struct _loop_data {
262 gboolean go; /* TRUE as long as we're supposed to keep capturing */
263 int err; /* if non-zero, error seen while capturing */
264 gint packet_count; /* Number of packets we have already captured */
265 gint packet_max; /* Number of packets we're supposed to capture - 0 means infinite */
266 gint inpkts_to_sync_pipe; /* Packets not already send out to the sync_pipe */
268 gboolean report_packet_count; /* Set by SIGINFO handler; print packet count */
275 guint32 autostop_files;
278 typedef struct _pcap_queue_element {
279 pcap_options *pcap_opts;
280 struct pcap_pkthdr phdr;
282 } pcap_queue_element;
285 * Standard secondary message for unexpected errors.
287 static const char please_report[] =
288 "Please report this to the Wireshark developers.\n"
289 "(This is not a crash; please do not report it as such.)";
292 * This needs to be static, so that the SIGINT handler can clear the "go"
295 static loop_data global_ld;
299 * Timeout, in milliseconds, for reads from the stream of captured packets
300 * from a capture device.
302 * A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
303 * 64-bit applications, with sub-second timeouts not to work. The bug is
304 * fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
306 #if defined(__APPLE__) && defined(__LP64__)
307 static gboolean need_timeout_workaround;
309 #define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
311 #define CAP_READ_TIMEOUT 250
315 * Timeout, in microseconds, for reads from the stream of captured packets
316 * from a pipe. Pipes don't have the same problem that BPF devices do
317 * in OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
318 * of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
319 * of the offending versions of Snow Leopard.
321 * On Windows this value is converted to milliseconds and passed to
322 * WaitForSingleObject. If it's less than 1000 WaitForSingleObject
323 * will return immediately.
326 #define PIPE_READ_TIMEOUT 100000
328 #define PIPE_READ_TIMEOUT 250000
331 #define WRITER_THREAD_TIMEOUT 100000 /* usecs */
334 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
335 const char *message, gpointer user_data _U_);
337 /* capture related options */
338 static capture_options global_capture_opts;
339 static gboolean quiet = FALSE;
340 static gboolean use_threads = FALSE;
341 static guint64 start_time;
343 static void capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
345 static void capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
347 static void capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
348 int err, gboolean is_close);
350 static void WS_MSVC_NORETURN exit_main(int err) G_GNUC_NORETURN;
352 static void report_new_capture_file(const char *filename);
353 static void report_packet_count(int packet_count);
354 static void report_packet_drops(guint32 received, guint32 drops, gchar *name);
355 static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
356 static void report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg);
358 #define MSG_MAX_LENGTH 4096
360 /* Copied from pcapio.c libpcap_write_interface_statistics_block()*/
362 create_timestamp(void) {
372 * Current time, represented as 100-nanosecond intervals since
373 * January 1, 1601, 00:00:00 UTC.
375 * I think DWORD might be signed, so cast both parts of "now"
376 * to guint32 so that the sign bit doesn't get treated specially.
378 * Windows 8 provides GetSystemTimePreciseAsFileTime which we
379 * might want to use instead.
381 GetSystemTimeAsFileTime(&now);
382 timestamp = (((guint64)(guint32)now.dwHighDateTime) << 32) +
383 (guint32)now.dwLowDateTime;
386 * Convert to same thing but as 1-microsecond, i.e. 1000-nanosecond,
392 * Subtract difference, in microseconds, between January 1, 1601
393 * 00:00:00 UTC and January 1, 1970, 00:00:00 UTC.
395 timestamp -= G_GINT64_CONSTANT(11644473600000000U);
398 * Current time, represented as seconds and microseconds since
399 * January 1, 1970, 00:00:00 UTC.
401 gettimeofday(&now, NULL);
404 * Convert to delta in microseconds.
406 timestamp = (guint64)(now.tv_sec) * 1000000 +
407 (guint64)(now.tv_usec);
413 print_usage(gboolean print_ver)
420 "Dumpcap " VERSION "%s\n"
421 "Capture network packets and dump them into a pcapng file.\n"
422 "See http://www.wireshark.org for more information.\n",
423 wireshark_svnversion);
427 fprintf(output, "\nUsage: dumpcap [options] ...\n");
428 fprintf(output, "\n");
429 fprintf(output, "Capture interface:\n");
430 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
431 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
432 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
433 fprintf(output, " -p don't capture in promiscuous mode\n");
434 #ifdef HAVE_PCAP_CREATE
435 fprintf(output, " -I capture in monitor mode, if available\n");
437 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
438 fprintf(output, " -B <buffer size> size of kernel buffer (def: 1MB)\n");
440 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
441 fprintf(output, " -D print list of interfaces and exit\n");
442 fprintf(output, " -L print list of link-layer types of iface and exit\n");
443 #ifdef HAVE_BPF_IMAGE
444 fprintf(output, " -d print generated BPF code for capture filter\n");
446 fprintf(output, " -S print statistics for each interface once per second\n");
447 fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
448 fprintf(output, "\n");
449 #ifdef HAVE_PCAP_REMOTE
450 fprintf(output, "RPCAP options:\n");
451 fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
452 fprintf(output, " -u use UDP for RPCAP data transfer\n");
453 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
454 #ifdef HAVE_PCAP_SETSAMPLING
455 fprintf(output, " -m <sampling type> use packet sampling\n");
456 fprintf(output, " count:NUM - capture one packet of every NUM\n");
457 fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
460 fprintf(output, "Stop conditions:\n");
461 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
462 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
463 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
464 fprintf(output, " files:NUM - stop after NUM files\n");
465 /*fprintf(output, "\n");*/
466 fprintf(output, "Output (files):\n");
467 fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
468 fprintf(output, " -g enable group read access on the output file(s)\n");
469 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
470 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
471 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
472 fprintf(output, " -n use pcapng format instead of pcap (default)\n");
473 fprintf(output, " -P use libpcap format instead of pcapng\n");
474 fprintf(output, "\n");
475 fprintf(output, "Miscellaneous:\n");
476 fprintf(output, " -t use a separate thread per interface\n");
477 fprintf(output, " -q don't report packet capture counts\n");
478 fprintf(output, " -v print version information and exit\n");
479 fprintf(output, " -h display this help and exit\n");
480 fprintf(output, "\n");
481 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
482 fprintf(output, "\"Capture network packets from interface eth0 until 60s passed into output.pcapng\"\n");
483 fprintf(output, "\n");
484 fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
488 show_version(GString *comp_info_str, GString *runtime_info_str)
491 "Dumpcap " VERSION "%s\n"
496 "See http://www.wireshark.org for more information.\n",
497 wireshark_svnversion, get_copyright_info() ,comp_info_str->str, runtime_info_str->str);
501 * Print to the standard error. This is a command-line tool, so there's
502 * no need to pop up a console.
505 vfprintf_stderr(const char *fmt, va_list ap)
507 vfprintf(stderr, fmt, ap);
511 fprintf_stderr(const char *fmt, ...)
516 vfprintf_stderr(fmt, ap);
521 * Report an error in command-line arguments.
524 cmdarg_err(const char *fmt, ...)
530 /* Generate a 'special format' message back to parent */
532 msg = g_strdup_vprintf(fmt, ap);
533 sync_pipe_errmsg_to_parent(2, msg, "");
538 fprintf(stderr, "dumpcap: ");
539 vfprintf(stderr, fmt, ap);
540 fprintf(stderr, "\n");
546 * Report additional information for an error in command-line arguments.
549 cmdarg_err_cont(const char *fmt, ...)
556 msg = g_strdup_vprintf(fmt, ap);
557 sync_pipe_errmsg_to_parent(2, msg, "");
562 vfprintf(stderr, fmt, ap);
563 fprintf(stderr, "\n");
570 #if 0 /* Set to enable capability debugging */
571 /* see 'man cap_to_text()' for explanation of output */
572 /* '=' means 'all= ' ie: no capabilities */
573 /* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
575 print_caps(const char *pfx) {
576 cap_t caps = cap_get_proc();
577 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
578 "%s: EUID: %d Capabilities: %s", pfx,
579 geteuid(), cap_to_text(caps, NULL));
582 print_caps(const char *pfx _U_) {
587 relinquish_all_capabilities(void)
589 /* Drop any and all capabilities this process may have. */
590 /* Allowed whether or not process has any privileges. */
591 cap_t caps = cap_init(); /* all capabilities initialized to off */
592 print_caps("Pre-clear");
593 if (cap_set_proc(caps)) {
594 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
596 print_caps("Post-clear");
602 open_capture_device(interface_options *interface_opts,
603 char (*open_err_str)[PCAP_ERRBUF_SIZE])
606 #ifdef HAVE_PCAP_CREATE
609 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
610 struct pcap_rmtauth auth;
613 /* Open the network interface to capture from it.
614 Some versions of libpcap may put warnings into the error buffer
615 if they succeed; to tell if that's happened, we have to clear
616 the error buffer, and check if it's still a null string. */
617 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Entering open_capture_device().");
618 (*open_err_str)[0] = '\0';
619 #if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE)
621 * If we're opening a remote device, use pcap_open(); that's currently
622 * the only open routine that supports remote devices.
624 if (strncmp (interface_opts->name, "rpcap://", 8) == 0) {
625 auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ?
626 RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL;
627 auth.username = interface_opts->auth_username;
628 auth.password = interface_opts->auth_password;
630 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
631 "Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.",
632 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode,
633 interface_opts->datatx_udp, interface_opts->nocap_rpcap);
634 pcap_h = pcap_open(interface_opts->name, interface_opts->snaplen,
636 (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) |
637 (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) |
638 (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0),
639 CAP_READ_TIMEOUT, &auth, *open_err_str);
640 if ((*open_err_str)[0] == '\0') {
641 /* Work around known WinPcap bug wherein no error message is
642 filled in on a failure to open an rpcap: URL. */
643 g_strlcpy(*open_err_str,
644 "Unknown error (pcap bug; actual error cause not reported)",
645 sizeof *open_err_str);
647 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
648 "pcap_open() returned %p.", (void *)pcap_h);
653 * If we're not opening a remote device, use pcap_create() and
654 * pcap_activate() if we have them, so that we can set the buffer
655 * size, otherwise use pcap_open_live().
657 #ifdef HAVE_PCAP_CREATE
658 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
659 "Calling pcap_create() using %s.", interface_opts->name);
660 pcap_h = pcap_create(interface_opts->name, *open_err_str);
661 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
662 "pcap_create() returned %p.", (void *)pcap_h);
663 if (pcap_h != NULL) {
664 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
665 "Calling pcap_set_snaplen() with snaplen %d.", interface_opts->snaplen);
666 pcap_set_snaplen(pcap_h, interface_opts->snaplen);
667 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
668 "Calling pcap_set_promisc() with promisc_mode %d.", interface_opts->promisc_mode);
669 pcap_set_promisc(pcap_h, interface_opts->promisc_mode);
670 pcap_set_timeout(pcap_h, CAP_READ_TIMEOUT);
672 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
673 "buffersize %d.", interface_opts->buffer_size);
674 if (interface_opts->buffer_size > 1) {
675 pcap_set_buffer_size(pcap_h, interface_opts->buffer_size * 1024 * 1024);
677 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
678 "monitor_mode %d.", interface_opts->monitor_mode);
679 if (interface_opts->monitor_mode)
680 pcap_set_rfmon(pcap_h, 1);
681 err = pcap_activate(pcap_h);
682 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
683 "pcap_activate() returned %d.", err);
685 /* Failed to activate, set to NULL */
686 if (err == PCAP_ERROR)
687 g_strlcpy(*open_err_str, pcap_geterr(pcap_h), sizeof *open_err_str);
689 g_strlcpy(*open_err_str, pcap_statustostr(err), sizeof *open_err_str);
695 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
696 "pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.",
697 interface_opts->name, interface_opts->snaplen, interface_opts->promisc_mode);
698 pcap_h = pcap_open_live(interface_opts->name, interface_opts->snaplen,
699 interface_opts->promisc_mode, CAP_READ_TIMEOUT,
701 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
702 "pcap_open_live() returned %p.", (void *)pcap_h);
705 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name);
710 get_capture_device_open_failure_messages(const char *open_err_str,
716 char *errmsg, size_t errmsg_len,
717 char *secondary_errmsg,
718 size_t secondary_errmsg_len)
720 const char *libpcap_warn;
721 static const char ppamsg[] = "can't find PPA for ";
723 /* If we got a "can't find PPA for X" message, warn the user (who
724 is running dumpcap on HP-UX) that they don't have a version of
725 libpcap that properly handles HP-UX (libpcap 0.6.x and later
726 versions, which properly handle HP-UX, say "can't find /dev/dlpi
727 PPA for X" rather than "can't find PPA for X"). */
728 if (strncmp(open_err_str, ppamsg, sizeof ppamsg - 1) == 0)
731 "You are running (T)Wireshark with a version of the libpcap library\n"
732 "that doesn't handle HP-UX network devices well; this means that\n"
733 "(T)Wireshark may not be able to capture packets.\n"
735 "To fix this, you should install libpcap 0.6.2, or a later version\n"
736 "of libpcap, rather than libpcap 0.4 or 0.5.x. It is available in\n"
737 "packaged binary form from the Software Porting And Archive Centre\n"
738 "for HP-UX; the Centre is at http://hpux.connect.org.uk/ - the page\n"
739 "at the URL lists a number of mirror sites.";
742 g_snprintf(errmsg, (gulong) errmsg_len,
743 "The capture session could not be initiated (%s).", open_err_str);
746 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
748 "In order to capture packets, WinPcap must be installed; see\n"
750 " http://www.winpcap.org/\n"
754 " http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/\n"
758 " http://winpcap.cs.pu.edu.tw/\n"
760 "for a downloadable version of WinPcap and for instructions on how to install\n"
763 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
765 "Please check that \"%s\" is the proper interface.\n"
768 "Help can be found at:\n"
770 " http://wiki.wireshark.org/WinPcap\n"
771 " http://wiki.wireshark.org/CaptureSetup\n",
775 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len,
776 "Please check to make sure you have sufficient permissions, and that you have "
777 "the proper interface or pipe specified.%s", libpcap_warn);
781 /* Set the data link type on a pcap. */
783 set_pcap_linktype(pcap_t *pcap_h, int linktype,
784 #ifdef HAVE_PCAP_SET_DATALINK
789 char *errmsg, size_t errmsg_len,
790 char *secondary_errmsg, size_t secondary_errmsg_len)
792 char *set_linktype_err_str;
795 return TRUE; /* just use the default */
796 #ifdef HAVE_PCAP_SET_DATALINK
797 if (pcap_set_datalink(pcap_h, linktype) == 0)
798 return TRUE; /* no error */
799 set_linktype_err_str = pcap_geterr(pcap_h);
801 /* Let them set it to the type it is; reject any other request. */
802 if (get_pcap_linktype(pcap_h, name) == linktype)
803 return TRUE; /* no error */
804 set_linktype_err_str =
805 "That DLT isn't one of the DLTs supported by this device";
807 g_snprintf(errmsg, (gulong) errmsg_len, "Unable to set data link type (%s).",
808 set_linktype_err_str);
810 * If the error isn't "XXX is not one of the DLTs supported by this device",
811 * tell the user to tell the Wireshark developers about it.
813 if (strstr(set_linktype_err_str, "is not one of the DLTs supported by this device") == NULL)
814 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
816 secondary_errmsg[0] = '\0';
821 compile_capture_filter(const char *iface, pcap_t *pcap_h,
822 struct bpf_program *fcode, const char *cfilter)
824 bpf_u_int32 netnum, netmask;
825 gchar lookup_net_err_str[PCAP_ERRBUF_SIZE];
827 if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
829 * Well, we can't get the netmask for this interface; it's used
830 * only for filters that check for broadcast IP addresses, so
831 * we just punt and use 0. It might be nice to warn the user,
832 * but that's a pain in a GUI application, as it'd involve popping
833 * up a message box, and it's not clear how often this would make
834 * a difference (only filters that check for IP broadcast addresses
838 "Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
843 * Sigh. Older versions of libpcap don't properly declare the
844 * third argument to pcap_compile() as a const pointer. Cast
847 if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
852 #ifdef HAVE_BPF_IMAGE
854 show_filter_code(capture_options *capture_opts)
856 interface_options interface_opts;
858 gchar open_err_str[PCAP_ERRBUF_SIZE];
859 char errmsg[MSG_MAX_LENGTH+1];
860 char secondary_errmsg[MSG_MAX_LENGTH+1];
861 struct bpf_program fcode;
862 struct bpf_insn *insn;
866 for (j = 0; j < capture_opts->ifaces->len; j++) {
867 interface_opts = g_array_index(capture_opts->ifaces, interface_options, j);
868 pcap_h = open_capture_device(&interface_opts, &open_err_str);
869 if (pcap_h == NULL) {
870 /* Open failed; get messages */
871 get_capture_device_open_failure_messages(open_err_str,
873 errmsg, sizeof errmsg,
875 sizeof secondary_errmsg);
876 /* And report them */
877 report_capture_error(errmsg, secondary_errmsg);
881 /* Set the link-layer type. */
882 if (!set_pcap_linktype(pcap_h, interface_opts.linktype, interface_opts.name,
883 errmsg, sizeof errmsg,
884 secondary_errmsg, sizeof secondary_errmsg)) {
886 report_capture_error(errmsg, secondary_errmsg);
890 /* OK, try to compile the capture filter. */
891 if (!compile_capture_filter(interface_opts.name, pcap_h, &fcode,
892 interface_opts.cfilter)) {
894 report_cfilter_error(capture_opts, j, errmsg);
899 /* Now print the filter code. */
900 insn = fcode.bf_insns;
902 for (i = 0; i < fcode.bf_len; insn++, i++)
903 printf("%s\n", bpf_image(insn, i));
905 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
906 /* to remove any suid privileges. */
907 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
908 /* (euid/egid have already previously been set to ruid/rgid. */
909 /* (See comment in main() for details) */
911 relinquish_special_privs_perm();
913 relinquish_all_capabilities();
916 /* Let our parent know we succeeded. */
917 pipe_write_block(2, SP_SUCCESS, NULL);
924 * capture_interface_list() is expected to do the right thing to get
925 * a list of interfaces.
927 * In most of the programs in the Wireshark suite, "the right thing"
928 * is to run dumpcap and ask it for the list, because dumpcap may
929 * be the only program in the suite with enough privileges to get
932 * In dumpcap itself, however, we obviously can't run dumpcap to
933 * ask for the list. Therefore, our capture_interface_list() should
934 * just call get_interface_list().
937 capture_interface_list(int *err, char **err_str)
939 return get_interface_list(err, err_str);
943 * Get the data-link type for a libpcap device.
944 * This works around AIX 5.x's non-standard and incompatible-with-the-
945 * rest-of-the-universe libpcap.
948 get_pcap_linktype(pcap_t *pch, const char *devname
956 const char *ifacename;
959 linktype = pcap_datalink(pch);
963 * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values
964 * rather than DLT_ values for link-layer types; the ifType values
965 * for LAN devices are:
972 * and the ifType value for a loopback device is 24.
974 * The AIX names for LAN devices begin with:
981 * and the AIX names for loopback devices begin with "lo".
983 * (The difference between "Ethernet" and "802.3" is presumably
984 * whether packets have an Ethernet header, with a packet type,
985 * or an 802.3 header, with a packet length, followed by an 802.2
986 * header and possibly a SNAP header.)
988 * If the device name matches "linktype" interpreted as an ifType
989 * value, rather than as a DLT_ value, we will assume this is AIX's
990 * non-standard, incompatible libpcap, rather than a standard libpcap,
991 * and will map the link-layer type to the standard DLT_ value for
992 * that link-layer type, as that's what the rest of Wireshark expects.
994 * (This means the capture files won't be readable by a tcpdump
995 * linked with AIX's non-standard libpcap, but so it goes. They
996 * *will* be readable by standard versions of tcpdump, Wireshark,
999 * XXX - if we conclude we're using AIX libpcap, should we also
1000 * set a flag to cause us to assume the time stamps are in
1001 * seconds-and-nanoseconds form, and to convert them to
1002 * seconds-and-microseconds form before processing them and
1007 * Find the last component of the device name, which is the
1010 ifacename = strchr(devname, '/');
1011 if (ifacename == NULL)
1012 ifacename = devname;
1014 /* See if it matches any of the LAN device names. */
1015 if (strncmp(ifacename, "en", 2) == 0) {
1016 if (linktype == 6) {
1018 * That's the RFC 1573 value for Ethernet; map it to DLT_EN10MB.
1022 } else if (strncmp(ifacename, "et", 2) == 0) {
1023 if (linktype == 7) {
1025 * That's the RFC 1573 value for 802.3; map it to DLT_EN10MB.
1026 * (libpcap, tcpdump, Wireshark, etc. don't care if it's Ethernet
1031 } else if (strncmp(ifacename, "tr", 2) == 0) {
1032 if (linktype == 9) {
1034 * That's the RFC 1573 value for 802.5 (Token Ring); map it to
1035 * DLT_IEEE802, which is what's used for Token Ring.
1039 } else if (strncmp(ifacename, "fi", 2) == 0) {
1040 if (linktype == 15) {
1042 * That's the RFC 1573 value for FDDI; map it to DLT_FDDI.
1046 } else if (strncmp(ifacename, "lo", 2) == 0) {
1047 if (linktype == 24) {
1049 * That's the RFC 1573 value for "software loopback" devices; map it
1050 * to DLT_NULL, which is what's used for loopback devices on BSD.
1060 static data_link_info_t *
1061 create_data_link_info(int dlt)
1063 data_link_info_t *data_link_info;
1066 data_link_info = (data_link_info_t *)g_malloc(sizeof (data_link_info_t));
1067 data_link_info->dlt = dlt;
1068 text = pcap_datalink_val_to_name(dlt);
1070 data_link_info->name = g_strdup(text);
1072 data_link_info->name = g_strdup_printf("DLT %d", dlt);
1073 text = pcap_datalink_val_to_description(dlt);
1075 data_link_info->description = g_strdup(text);
1077 data_link_info->description = NULL;
1078 return data_link_info;
1082 * Get the capabilities of a network device.
1084 static if_capabilities_t *
1085 get_if_capabilities(const char *devname, gboolean monitor_mode
1086 #ifndef HAVE_PCAP_CREATE
1091 if_capabilities_t *caps;
1092 char errbuf[PCAP_ERRBUF_SIZE];
1094 #ifdef HAVE_PCAP_CREATE
1098 #ifdef HAVE_PCAP_LIST_DATALINKS
1102 data_link_info_t *data_link_info;
1105 * Allocate the interface capabilities structure.
1107 caps = g_malloc(sizeof *caps);
1110 * WinPcap 4.1.2, and possibly earlier versions, have a bug
1111 * wherein, when an open with an rpcap: URL fails, the error
1112 * message for the error is not copied to errbuf and whatever
1113 * on-the-stack junk is in errbuf is treated as the error
1116 * To work around that (and any other bugs of that sort, we
1117 * initialize errbuf to an empty string. If we get an error
1118 * and the string is empty, we report it as an unknown error.
1119 * (If we *don't* get an error, and the string is *non*-empty,
1120 * that could be a warning returned, such as "can't turn
1121 * promiscuous mode on"; we currently don't do so.)
1124 #ifdef HAVE_PCAP_OPEN
1125 pch = pcap_open(devname, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1126 caps->can_set_rfmon = FALSE;
1128 if (err_str != NULL)
1129 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1133 #elif defined(HAVE_PCAP_CREATE)
1134 pch = pcap_create(devname, errbuf);
1136 if (err_str != NULL)
1137 *err_str = g_strdup(errbuf);
1141 status = pcap_can_set_rfmon(pch);
1144 if (status == PCAP_ERROR)
1145 *err_str = g_strdup_printf("pcap_can_set_rfmon() failed: %s",
1148 *err_str = g_strdup(pcap_statustostr(status));
1154 caps->can_set_rfmon = FALSE;
1155 else if (status == 1) {
1156 caps->can_set_rfmon = TRUE;
1158 pcap_set_rfmon(pch, 1);
1160 if (err_str != NULL) {
1161 *err_str = g_strdup_printf("pcap_can_set_rfmon() returned %d",
1169 status = pcap_activate(pch);
1171 /* Error. We ignore warnings (status > 0). */
1172 if (err_str != NULL) {
1173 if (status == PCAP_ERROR)
1174 *err_str = g_strdup_printf("pcap_activate() failed: %s",
1177 *err_str = g_strdup(pcap_statustostr(status));
1184 pch = pcap_open_live(devname, MIN_PACKET_SIZE, 0, 0, errbuf);
1185 caps->can_set_rfmon = FALSE;
1187 if (err_str != NULL)
1188 *err_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf);
1193 deflt = get_pcap_linktype(pch, devname);
1194 #ifdef HAVE_PCAP_LIST_DATALINKS
1195 nlt = pcap_list_datalinks(pch, &linktypes);
1196 if (nlt == 0 || linktypes == NULL) {
1198 if (err_str != NULL)
1199 *err_str = NULL; /* an empty list doesn't mean an error */
1203 caps->data_link_types = NULL;
1204 for (i = 0; i < nlt; i++) {
1205 data_link_info = create_data_link_info(linktypes[i]);
1208 * XXX - for 802.11, make the most detailed 802.11
1209 * version the default, rather than the one the
1210 * device has as the default?
1212 if (linktypes[i] == deflt)
1213 caps->data_link_types = g_list_prepend(caps->data_link_types,
1216 caps->data_link_types = g_list_append(caps->data_link_types,
1219 #ifdef HAVE_PCAP_FREE_DATALINKS
1220 pcap_free_datalinks(linktypes);
1223 * In Windows, there's no guarantee that if you have a library
1224 * built with one version of the MSVC++ run-time library, and
1225 * it returns a pointer to allocated data, you can free that
1226 * data from a program linked with another version of the
1227 * MSVC++ run-time library.
1229 * This is not an issue on UN*X.
1231 * See the mail threads starting at
1233 * http://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html
1237 * http://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html
1240 #define xx_free free /* hack so checkAPIs doesn't complain */
1243 #endif /* HAVE_PCAP_FREE_DATALINKS */
1244 #else /* HAVE_PCAP_LIST_DATALINKS */
1246 data_link_info = create_data_link_info(deflt);
1247 caps->data_link_types = g_list_append(caps->data_link_types,
1249 #endif /* HAVE_PCAP_LIST_DATALINKS */
1253 if (err_str != NULL)
1258 #define ADDRSTRLEN 46 /* Covers IPv4 & IPv6 */
1260 print_machine_readable_interfaces(GList *if_list)
1267 char addr_str[ADDRSTRLEN];
1269 if (capture_child) {
1270 /* Let our parent know we succeeded. */
1271 pipe_write_block(2, SP_SUCCESS, NULL);
1274 i = 1; /* Interface id number */
1275 for (if_entry = g_list_first(if_list); if_entry != NULL;
1276 if_entry = g_list_next(if_entry)) {
1277 if_info = (if_info_t *)if_entry->data;
1278 printf("%d. %s", i++, if_info->name);
1281 * Print the contents of the if_entry struct in a parseable format.
1282 * Each if_entry element is tab-separated. Addresses are comma-
1285 /* XXX - Make sure our description doesn't contain a tab */
1286 if (if_info->description != NULL)
1287 printf("\t%s\t", if_info->description);
1291 for(addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
1292 addr = g_slist_next(addr)) {
1293 if (addr != g_slist_nth(if_info->addrs, 0))
1296 if_addr = (if_addr_t *)addr->data;
1297 switch(if_addr->ifat_type) {
1299 if (inet_ntop(AF_INET, &if_addr->addr.ip4_addr, addr_str,
1301 printf("%s", addr_str);
1303 printf("<unknown IPv4>");
1307 if (inet_ntop(AF_INET6, &if_addr->addr.ip6_addr,
1308 addr_str, ADDRSTRLEN)) {
1309 printf("%s", addr_str);
1311 printf("<unknown IPv6>");
1315 printf("<type unknown %u>", if_addr->ifat_type);
1319 if (if_info->loopback)
1320 printf("\tloopback");
1322 printf("\tnetwork");
1329 * If you change the machine-readable output format of this function,
1330 * you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
1333 print_machine_readable_if_capabilities(if_capabilities_t *caps)
1336 data_link_info_t *data_link_info;
1337 const gchar *desc_str;
1339 if (capture_child) {
1340 /* Let our parent know we succeeded. */
1341 pipe_write_block(2, SP_SUCCESS, NULL);
1344 if (caps->can_set_rfmon)
1348 for (lt_entry = caps->data_link_types; lt_entry != NULL;
1349 lt_entry = g_list_next(lt_entry)) {
1350 data_link_info = (data_link_info_t *)lt_entry->data;
1351 if (data_link_info->description != NULL)
1352 desc_str = data_link_info->description;
1354 desc_str = "(not supported)";
1355 printf("%d\t%s\t%s\n", data_link_info->dlt, data_link_info->name,
1365 /* Print the number of packets captured for each interface until we're killed. */
1367 print_statistics_loop(gboolean machine_readable)
1369 GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
1375 char errbuf[PCAP_ERRBUF_SIZE];
1376 struct pcap_stat ps;
1378 if_list = get_interface_list(&err, &err_str);
1379 if (if_list == NULL) {
1381 case CANT_GET_INTERFACE_LIST:
1382 case DONT_HAVE_PCAP:
1383 cmdarg_err("%s", err_str);
1387 case NO_INTERFACES_FOUND:
1388 cmdarg_err("There are no interfaces on which a capture can be done");
1394 for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
1395 if_info = (if_info_t *)if_entry->data;
1396 #ifdef HAVE_PCAP_OPEN
1397 pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
1399 pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
1403 if_stat = (if_stat_t *)g_malloc(sizeof(if_stat_t));
1404 if_stat->name = g_strdup(if_info->name);
1406 stat_list = g_list_append(stat_list, if_stat);
1411 cmdarg_err("There are no interfaces on which a capture can be done");
1415 if (capture_child) {
1416 /* Let our parent know we succeeded. */
1417 pipe_write_block(2, SP_SUCCESS, NULL);
1420 if (!machine_readable) {
1421 printf("%-15s %10s %10s\n", "Interface", "Received",
1425 global_ld.go = TRUE;
1426 while (global_ld.go) {
1427 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1428 if_stat = (if_stat_t *)stat_entry->data;
1429 pcap_stats(if_stat->pch, &ps);
1431 if (!machine_readable) {
1432 printf("%-15s %10u %10u\n", if_stat->name,
1433 ps.ps_recv, ps.ps_drop);
1435 printf("%s\t%u\t%u\n", if_stat->name,
1436 ps.ps_recv, ps.ps_drop);
1447 /* XXX - Not reached. Should we look for 'q' in stdin? */
1448 for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
1449 if_stat = (if_stat_t *)stat_entry->data;
1450 pcap_close(if_stat->pch);
1451 g_free(if_stat->name);
1454 g_list_free(stat_list);
1455 free_interface_list(if_list);
1463 capture_cleanup_handler(DWORD dwCtrlType)
1465 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
1466 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
1467 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
1468 like SIGTERM at least when the machine's shutting down.
1470 For now, if we're running as a command rather than a capture child,
1471 we handle all but CTRL_LOGOFF_EVENT as indications that we should
1472 clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
1473 in that way on UN*X.
1475 If we're not running as a capture child, we might be running as
1476 a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
1477 user logs out. (XXX - can we explicitly check whether we're
1478 running as a service?) */
1480 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
1481 "Console: Control signal");
1482 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
1483 "Console: Control signal, CtrlType: %u", dwCtrlType);
1485 /* Keep capture running if we're a service and a user logs off */
1486 if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
1487 capture_loop_stop();
1495 capture_cleanup_handler(int signum _U_)
1497 /* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
1498 SIGTERM. We assume that if the user wanted it to keep running
1499 after they logged out, they'd have nohupped it. */
1501 /* Note: don't call g_log() in the signal handler: if we happened to be in
1502 * g_log() in process context when the signal came in, g_log will detect
1503 * the "recursion" and abort.
1506 capture_loop_stop();
1512 report_capture_count(gboolean reportit)
1514 /* Don't print this if we're a capture child. */
1515 if (!capture_child && reportit) {
1516 fprintf(stderr, "\rPackets captured: %u\n", global_ld.packet_count);
1517 /* stderr could be line buffered */
1525 report_counts_for_siginfo(void)
1527 report_capture_count(quiet);
1528 infoprint = FALSE; /* we just reported it */
1532 report_counts_siginfo(int signum _U_)
1534 int sav_errno = errno;
1536 /* If we've been told to delay printing, just set a flag asking
1537 that we print counts (if we're supposed to), otherwise print
1538 the count of packets captured (if we're supposed to). */
1542 report_counts_for_siginfo();
1545 #endif /* SIGINFO */
1548 exit_main(int status)
1551 /* Shutdown windows sockets */
1554 /* can be helpful for debugging */
1555 #ifdef DEBUG_DUMPCAP
1556 printf("Press any key\n");
1567 * If we were linked with libcap (not libpcap), make sure we have
1568 * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
1569 * (See comment in main() for details)
1572 relinquish_privs_except_capture(void)
1574 /* If 'started_with_special_privs' (ie: suid) then enable for
1575 * ourself the NET_ADMIN and NET_RAW capabilities and then
1576 * drop our suid privileges.
1578 * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
1579 * stuff we don't need (and shouldn't have).
1580 * CAP_NET_RAW: Packet capture (raw sockets).
1583 if (started_with_special_privs()) {
1584 cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
1585 int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
1587 cap_t caps = cap_init(); /* all capabilities initialized to off */
1589 print_caps("Pre drop, pre set");
1591 if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
1592 cmdarg_err("prctl() fail return: %s", g_strerror(errno));
1595 cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, CAP_SET);
1596 cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, CAP_SET);
1598 if (cap_set_proc(caps)) {
1599 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1601 print_caps("Pre drop, post set");
1603 relinquish_special_privs_perm();
1605 print_caps("Post drop, pre set");
1606 cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
1607 if (cap_set_proc(caps)) {
1608 cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
1610 print_caps("Post drop, post set");
1616 #endif /* HAVE_LIBCAP */
1618 /* Take care of byte order in the libpcap headers read from pipes.
1619 * (function taken from wiretap/libpcap.c) */
1621 cap_pipe_adjust_header(gboolean byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
1624 /* Byte-swap the record header fields. */
1625 rechdr->ts_sec = BSWAP32(rechdr->ts_sec);
1626 rechdr->ts_usec = BSWAP32(rechdr->ts_usec);
1627 rechdr->incl_len = BSWAP32(rechdr->incl_len);
1628 rechdr->orig_len = BSWAP32(rechdr->orig_len);
1631 /* In file format version 2.3, the "incl_len" and "orig_len" fields were
1632 swapped, in order to match the BPF header layout.
1634 Unfortunately, some files were, according to a comment in the "libpcap"
1635 source, written with version 2.3 in their headers but without the
1636 interchanged fields, so if "incl_len" is greater than "orig_len" - which
1637 would make no sense - we assume that we need to swap them. */
1638 if (hdr->version_major == 2 &&
1639 (hdr->version_minor < 3 ||
1640 (hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
1643 temp = rechdr->orig_len;
1644 rechdr->orig_len = rechdr->incl_len;
1645 rechdr->incl_len = temp;
1651 * Thread function that reads from a pipe and pushes the data
1652 * to the main application thread.
1655 * XXX Right now we use async queues for basic signaling. The main thread
1656 * sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
1657 * cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
1658 * Iff the read is successful cap_pipe_read pushes an item onto
1659 * cap_pipe_done_q, otherwise an error is signaled. No data is passed in
1660 * the queues themselves (yet).
1662 * We might want to move some of the cap_pipe_dispatch logic here so that
1663 * we can let cap_pipe_read run independently, queuing up multiple reads
1664 * for the main thread (and possibly get rid of cap_pipe_read_mtx).
1666 static void *cap_pipe_read(void *arg)
1668 pcap_options *pcap_opts;
1677 pcap_opts = (pcap_options *)arg;
1678 while (pcap_opts->cap_pipe_err == PIPOK) {
1679 g_async_queue_pop(pcap_opts->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
1680 g_mutex_lock(pcap_opts->cap_pipe_read_mtx);
1682 while (bytes_read < (int) pcap_opts->cap_pipe_bytes_to_read) {
1684 /* If we try to use read() on a named pipe on Windows with partial
1685 * data it appears to return EOF.
1687 res = ReadFile(pcap_opts->cap_pipe_h, pcap_opts->cap_pipe_buf+bytes_read,
1688 pcap_opts->cap_pipe_bytes_to_read - bytes_read,
1693 last_err = GetLastError();
1694 if (last_err == ERROR_MORE_DATA) {
1696 } else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
1697 pcap_opts->cap_pipe_err = PIPEOF;
1701 pcap_opts->cap_pipe_err = PIPERR;
1704 } else if (b == 0 && pcap_opts->cap_pipe_bytes_to_read > 0) {
1705 pcap_opts->cap_pipe_err = PIPEOF;
1710 b = read(pcap_opts->cap_pipe_fd, pcap_opts->cap_pipe_buf+bytes_read,
1711 pcap_opts->cap_pipe_bytes_to_read - bytes_read);
1714 pcap_opts->cap_pipe_err = PIPEOF;
1718 pcap_opts->cap_pipe_err = PIPERR;
1727 pcap_opts->cap_pipe_bytes_read = bytes_read;
1728 if (pcap_opts->cap_pipe_bytes_read >= pcap_opts->cap_pipe_bytes_to_read) {
1729 g_async_queue_push(pcap_opts->cap_pipe_done_q, pcap_opts->cap_pipe_buf); /* Any non-NULL value will do */
1731 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
1737 #if !defined(_WIN32) || defined(MUST_DO_SELECT)
1738 /* Provide select() functionality for a single file descriptor
1739 * on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
1741 * Returns the same values as select.
1744 cap_pipe_select(int pipe_fd)
1747 struct timeval timeout;
1750 FD_SET(pipe_fd, &rfds);
1752 timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
1753 timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
1755 return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
1760 /* Mimic pcap_open_live() for pipe captures
1762 * We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
1763 * open it, and read the header.
1765 * N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
1766 * because we can't seek on pipes (see wiretap/libpcap.c for details) */
1768 cap_pipe_open_live(char *pipename,
1769 pcap_options *pcap_opts,
1770 struct pcap_hdr *hdr,
1771 char *errmsg, int errmsgl)
1774 ws_statb64 pipe_stat;
1775 struct sockaddr_un sa;
1786 unsigned int bytes_read;
1791 pcap_opts->cap_pipe_fd = -1;
1793 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
1795 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: %s", pipename);
1798 * XXX - this blocks until a pcap per-file header has been written to
1799 * the pipe, so it could block indefinitely.
1801 if (strcmp(pipename, "-") == 0) {
1803 fd = 0; /* read from stdin */
1805 pcap_opts->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
1809 if (ws_stat64(pipename, &pipe_stat) < 0) {
1810 if (errno == ENOENT || errno == ENOTDIR)
1811 pcap_opts->cap_pipe_err = PIPNEXIST;
1813 g_snprintf(errmsg, errmsgl,
1814 "The capture session could not be initiated "
1815 "due to error getting information on pipe/socket: %s", g_strerror(errno));
1816 pcap_opts->cap_pipe_err = PIPERR;
1820 if (S_ISFIFO(pipe_stat.st_mode)) {
1821 fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
1823 g_snprintf(errmsg, errmsgl,
1824 "The capture session could not be initiated "
1825 "due to error on pipe open: %s", g_strerror(errno));
1826 pcap_opts->cap_pipe_err = PIPERR;
1829 } else if (S_ISSOCK(pipe_stat.st_mode)) {
1830 fd = socket(AF_UNIX, SOCK_STREAM, 0);
1832 g_snprintf(errmsg, errmsgl,
1833 "The capture session could not be initiated "
1834 "due to error on socket create: %s", g_strerror(errno));
1835 pcap_opts->cap_pipe_err = PIPERR;
1838 sa.sun_family = AF_UNIX;
1840 * The Single UNIX Specification says:
1842 * The size of sun_path has intentionally been left undefined.
1843 * This is because different implementations use different sizes.
1844 * For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
1845 * of 104. Since most implementations originate from BSD versions,
1846 * the size is typically in the range 92 to 108.
1848 * Applications should not assume a particular length for sun_path
1849 * or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
1853 * The <sys/un.h> header shall define the sockaddr_un structure,
1854 * which shall include at least the following members:
1856 * sa_family_t sun_family Address family.
1857 * char sun_path[] Socket pathname.
1859 * so we assume that it's an array, with a specified size,
1860 * and that the size reflects the maximum path length.
1862 if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
1863 /* Path name too long */
1864 g_snprintf(errmsg, errmsgl,
1865 "The capture session coud not be initiated "
1866 "due to error on socket connect: Path name too long");
1867 pcap_opts->cap_pipe_err = PIPERR;
1870 b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
1872 g_snprintf(errmsg, errmsgl,
1873 "The capture session coud not be initiated "
1874 "due to error on socket connect: %s", g_strerror(errno));
1875 pcap_opts->cap_pipe_err = PIPERR;
1879 if (S_ISCHR(pipe_stat.st_mode)) {
1881 * Assume the user specified an interface on a system where
1882 * interfaces are in /dev. Pretend we haven't seen it.
1884 pcap_opts->cap_pipe_err = PIPNEXIST;
1887 g_snprintf(errmsg, errmsgl,
1888 "The capture session could not be initiated because\n"
1889 "\"%s\" is neither an interface nor a socket nor a pipe", pipename);
1890 pcap_opts->cap_pipe_err = PIPERR;
1895 #define PIPE_STR "\\pipe\\"
1896 /* Under Windows, named pipes _must_ have the form
1897 * "\\<server>\pipe\<pipename>". <server> may be "." for localhost.
1899 pncopy = g_strdup(pipename);
1900 if ( (pos=strstr(pncopy, "\\\\")) == pncopy) {
1901 pos = strchr(pncopy + 3, '\\');
1902 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
1909 g_snprintf(errmsg, errmsgl,
1910 "The capture session could not be initiated because\n"
1911 "\"%s\" is neither an interface nor a pipe", pipename);
1912 pcap_opts->cap_pipe_err = PIPNEXIST;
1916 /* Wait for the pipe to appear */
1918 pcap_opts->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
1919 OPEN_EXISTING, 0, NULL);
1921 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE)
1924 if (GetLastError() != ERROR_PIPE_BUSY) {
1925 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1926 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1927 g_snprintf(errmsg, errmsgl,
1928 "The capture session on \"%s\" could not be started "
1929 "due to error on pipe open: %s (error %d)",
1930 pipename, utf_16to8(err_str), GetLastError());
1932 pcap_opts->cap_pipe_err = PIPERR;
1936 if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
1937 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
1938 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
1939 g_snprintf(errmsg, errmsgl,
1940 "The capture session on \"%s\" timed out during "
1941 "pipe open: %s (error %d)",
1942 pipename, utf_16to8(err_str), GetLastError());
1944 pcap_opts->cap_pipe_err = PIPERR;
1951 pcap_opts->from_cap_pipe = TRUE;
1954 /* read the pcap header */
1956 while (bytes_read < sizeof magic) {
1957 sel_ret = cap_pipe_select(fd);
1959 g_snprintf(errmsg, errmsgl,
1960 "Unexpected error from select: %s", g_strerror(errno));
1962 } else if (sel_ret > 0) {
1963 b = read(fd, ((char *)&magic)+bytes_read, sizeof magic-bytes_read);
1966 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1968 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1976 g_thread_create(&cap_pipe_read, pcap_opts, FALSE, NULL);
1978 pcap_opts->cap_pipe_buf = (char *) &magic;
1979 pcap_opts->cap_pipe_bytes_read = 0;
1980 pcap_opts->cap_pipe_bytes_to_read = sizeof(magic);
1981 /* We don't have to worry about cap_pipe_read_mtx here */
1982 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
1983 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
1984 if (pcap_opts->cap_pipe_bytes_read <= 0) {
1985 if (pcap_opts->cap_pipe_bytes_read == 0)
1986 g_snprintf(errmsg, errmsgl, "End of file on pipe magic during open");
1988 g_snprintf(errmsg, errmsgl, "Error on pipe magic during open: %s",
1997 case PCAP_NSEC_MAGIC:
1998 /* Host that wrote it has our byte order, and was running
1999 a program using either standard or ss990417 libpcap. */
2000 pcap_opts->cap_pipe_byte_swapped = FALSE;
2001 pcap_opts->cap_pipe_modified = FALSE;
2002 pcap_opts->ts_nsec = magic == PCAP_NSEC_MAGIC;
2004 case PCAP_MODIFIED_MAGIC:
2005 /* Host that wrote it has our byte order, but was running
2006 a program using either ss990915 or ss991029 libpcap. */
2007 pcap_opts->cap_pipe_byte_swapped = FALSE;
2008 pcap_opts->cap_pipe_modified = TRUE;
2010 case PCAP_SWAPPED_MAGIC:
2011 case PCAP_SWAPPED_NSEC_MAGIC:
2012 /* Host that wrote it has a byte order opposite to ours,
2013 and was running a program using either standard or
2014 ss990417 libpcap. */
2015 pcap_opts->cap_pipe_byte_swapped = TRUE;
2016 pcap_opts->cap_pipe_modified = FALSE;
2017 pcap_opts->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
2019 case PCAP_SWAPPED_MODIFIED_MAGIC:
2020 /* Host that wrote it out has a byte order opposite to
2021 ours, and was running a program using either ss990915
2022 or ss991029 libpcap. */
2023 pcap_opts->cap_pipe_byte_swapped = TRUE;
2024 pcap_opts->cap_pipe_modified = TRUE;
2027 /* Not a "libpcap" type we know about. */
2028 g_snprintf(errmsg, errmsgl, "Unrecognized libpcap format");
2033 /* Read the rest of the header */
2035 while (bytes_read < sizeof(struct pcap_hdr)) {
2036 sel_ret = cap_pipe_select(fd);
2038 g_snprintf(errmsg, errmsgl,
2039 "Unexpected error from select: %s", g_strerror(errno));
2041 } else if (sel_ret > 0) {
2042 b = read(fd, ((char *)hdr)+bytes_read,
2043 sizeof(struct pcap_hdr) - bytes_read);
2046 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2048 g_snprintf(errmsg, errmsgl, "Error on pipe header during open: %s",
2056 pcap_opts->cap_pipe_buf = (char *) hdr;
2057 pcap_opts->cap_pipe_bytes_read = 0;
2058 pcap_opts->cap_pipe_bytes_to_read = sizeof(struct pcap_hdr);
2059 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2060 g_async_queue_pop(pcap_opts->cap_pipe_done_q);
2061 if (pcap_opts->cap_pipe_bytes_read <= 0) {
2062 if (pcap_opts->cap_pipe_bytes_read == 0)
2063 g_snprintf(errmsg, errmsgl, "End of file on pipe header during open");
2065 g_snprintf(errmsg, errmsgl, "Error on pipe header header during open: %s",
2071 if (pcap_opts->cap_pipe_byte_swapped) {
2072 /* Byte-swap the header fields about which we care. */
2073 hdr->version_major = BSWAP16(hdr->version_major);
2074 hdr->version_minor = BSWAP16(hdr->version_minor);
2075 hdr->snaplen = BSWAP32(hdr->snaplen);
2076 hdr->network = BSWAP32(hdr->network);
2078 pcap_opts->linktype = hdr->network;
2080 if (hdr->version_major < 2) {
2081 g_snprintf(errmsg, errmsgl, "Unable to read old libpcap format");
2085 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2086 pcap_opts->cap_pipe_err = PIPOK;
2088 pcap_opts->cap_pipe_fd = fd;
2093 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_open_live: error %s", errmsg);
2094 pcap_opts->cap_pipe_err = PIPERR;
2097 pcap_opts->cap_pipe_fd = -1;
2104 /* We read one record from the pipe, take care of byte order in the record
2105 * header, write the record to the capture file, and update capture statistics. */
2107 cap_pipe_dispatch(loop_data *ld, pcap_options *pcap_opts, guchar *data, char *errmsg, int errmsgl)
2109 struct pcap_pkthdr phdr;
2110 enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
2113 #if !GLIB_CHECK_VERSION(2,31,18)
2124 #ifdef LOG_CAPTURE_VERBOSE
2125 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "cap_pipe_dispatch");
2128 switch (pcap_opts->cap_pipe_state) {
2130 case STATE_EXPECT_REC_HDR:
2132 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2135 pcap_opts->cap_pipe_state = STATE_READ_REC_HDR;
2136 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_modified ?
2137 sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
2138 pcap_opts->cap_pipe_bytes_read = 0;
2141 pcap_opts->cap_pipe_buf = (char *) &pcap_opts->cap_pipe_rechdr;
2142 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2143 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2148 case STATE_READ_REC_HDR:
2150 b = read(pcap_opts->cap_pipe_fd, ((char *)&pcap_opts->cap_pipe_rechdr)+pcap_opts->cap_pipe_bytes_read,
2151 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2154 result = PD_PIPE_EOF;
2156 result = PD_PIPE_ERR;
2159 pcap_opts->cap_pipe_bytes_read += b;
2161 #if GLIB_CHECK_VERSION(2,31,18)
2162 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2164 g_get_current_time(&wait_time);
2165 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2166 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2168 if (pcap_opts->cap_pipe_err == PIPEOF) {
2169 result = PD_PIPE_EOF;
2171 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2172 result = PD_PIPE_ERR;
2179 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2181 result = PD_REC_HDR_READ;
2184 case STATE_EXPECT_DATA:
2186 if (g_mutex_trylock(pcap_opts->cap_pipe_read_mtx)) {
2189 pcap_opts->cap_pipe_state = STATE_READ_DATA;
2190 pcap_opts->cap_pipe_bytes_to_read = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2191 pcap_opts->cap_pipe_bytes_read = 0;
2194 pcap_opts->cap_pipe_buf = (char *) data;
2195 g_async_queue_push(pcap_opts->cap_pipe_pending_q, pcap_opts->cap_pipe_buf);
2196 g_mutex_unlock(pcap_opts->cap_pipe_read_mtx);
2201 case STATE_READ_DATA:
2203 b = read(pcap_opts->cap_pipe_fd, data+pcap_opts->cap_pipe_bytes_read,
2204 pcap_opts->cap_pipe_bytes_to_read - pcap_opts->cap_pipe_bytes_read);
2207 result = PD_PIPE_EOF;
2209 result = PD_PIPE_ERR;
2212 pcap_opts->cap_pipe_bytes_read += b;
2214 #if GLIB_CHECK_VERSION(2,31,18)
2215 q_status = g_async_queue_timeout_pop(pcap_opts->cap_pipe_done_q, PIPE_READ_TIMEOUT);
2217 g_get_current_time(&wait_time);
2218 g_time_val_add(&wait_time, PIPE_READ_TIMEOUT);
2219 q_status = g_async_queue_timed_pop(pcap_opts->cap_pipe_done_q, &wait_time);
2221 if (pcap_opts->cap_pipe_err == PIPEOF) {
2222 result = PD_PIPE_EOF;
2224 } else if (pcap_opts->cap_pipe_err == PIPERR) {
2225 result = PD_PIPE_ERR;
2232 if ((pcap_opts->cap_pipe_bytes_read) < pcap_opts->cap_pipe_bytes_to_read)
2234 result = PD_DATA_READ;
2238 g_snprintf(errmsg, errmsgl, "cap_pipe_dispatch: invalid state");
2241 } /* switch (pcap_opts->cap_pipe_state) */
2244 * We've now read as much data as we were expecting, so process it.
2248 case PD_REC_HDR_READ:
2249 /* We've read the header. Take care of byte order. */
2250 cap_pipe_adjust_header(pcap_opts->cap_pipe_byte_swapped, &pcap_opts->cap_pipe_hdr,
2251 &pcap_opts->cap_pipe_rechdr.hdr);
2252 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len > WTAP_MAX_PACKET_SIZE) {
2253 g_snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
2254 ld->packet_count+1, pcap_opts->cap_pipe_rechdr.hdr.incl_len);
2258 if (pcap_opts->cap_pipe_rechdr.hdr.incl_len) {
2259 pcap_opts->cap_pipe_state = STATE_EXPECT_DATA;
2262 /* no data to read? fall through */
2265 /* Fill in a "struct pcap_pkthdr", and process the packet. */
2266 phdr.ts.tv_sec = pcap_opts->cap_pipe_rechdr.hdr.ts_sec;
2267 phdr.ts.tv_usec = pcap_opts->cap_pipe_rechdr.hdr.ts_usec;
2268 phdr.caplen = pcap_opts->cap_pipe_rechdr.hdr.incl_len;
2269 phdr.len = pcap_opts->cap_pipe_rechdr.hdr.orig_len;
2272 capture_loop_queue_packet_cb((u_char *)pcap_opts, &phdr, data);
2274 capture_loop_write_packet_cb((u_char *)pcap_opts, &phdr, data);
2276 pcap_opts->cap_pipe_state = STATE_EXPECT_REC_HDR;
2280 pcap_opts->cap_pipe_err = PIPEOF;
2285 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER,
2286 NULL, GetLastError(), 0, (LPTSTR) &err_str, 0, NULL);
2287 g_snprintf(errmsg, errmsgl,
2288 "Error reading from pipe: %s (error %d)",
2289 utf_16to8(err_str), GetLastError());
2292 g_snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
2300 pcap_opts->cap_pipe_err = PIPERR;
2301 /* Return here rather than inside the switch to prevent GCC warning */
2306 /** Open the capture input file (pcap or capture pipe).
2307 * Returns TRUE if it succeeds, FALSE otherwise. */
2309 capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
2310 char *errmsg, size_t errmsg_len,
2311 char *secondary_errmsg, size_t secondary_errmsg_len)
2313 gchar open_err_str[PCAP_ERRBUF_SIZE];
2314 gchar *sync_msg_str;
2315 interface_options interface_opts;
2316 pcap_options *pcap_opts;
2320 gchar *sync_secondary_msg_str;
2321 WORD wVersionRequested;
2325 /* XXX - opening Winsock on tshark? */
2327 /* Initialize Windows Socket if we are in a WIN32 OS
2328 This needs to be done before querying the interface for network/netmask */
2330 /* XXX - do we really require 1.1 or earlier?
2331 Are there any versions that support only 2.0 or higher? */
2332 wVersionRequested = MAKEWORD(1, 1);
2333 err = WSAStartup(wVersionRequested, &wsaData);
2337 case WSASYSNOTREADY:
2338 g_snprintf(errmsg, (gulong) errmsg_len,
2339 "Couldn't initialize Windows Sockets: Network system not ready for network communication");
2342 case WSAVERNOTSUPPORTED:
2343 g_snprintf(errmsg, (gulong) errmsg_len,
2344 "Couldn't initialize Windows Sockets: Windows Sockets version %u.%u not supported",
2345 LOBYTE(wVersionRequested), HIBYTE(wVersionRequested));
2348 case WSAEINPROGRESS:
2349 g_snprintf(errmsg, (gulong) errmsg_len,
2350 "Couldn't initialize Windows Sockets: Blocking operation is in progress");
2354 g_snprintf(errmsg, (gulong) errmsg_len,
2355 "Couldn't initialize Windows Sockets: Limit on the number of tasks supported by this WinSock implementation has been reached");
2359 g_snprintf(errmsg, (gulong) errmsg_len,
2360 "Couldn't initialize Windows Sockets: Bad pointer passed to WSAStartup");
2364 g_snprintf(errmsg, (gulong) errmsg_len,
2365 "Couldn't initialize Windows Sockets: error %d", err);
2368 g_snprintf(secondary_errmsg, (gulong) secondary_errmsg_len, please_report);
2372 if ((use_threads == FALSE) &&
2373 (capture_opts->ifaces->len > 1)) {
2374 g_snprintf(errmsg, (gulong) errmsg_len,
2375 "Using threads is required for capturing on multiple interfaces!");
2379 for (i = 0; i < capture_opts->ifaces->len; i++) {
2380 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2381 pcap_opts = (pcap_options *)g_malloc(sizeof (pcap_options));
2382 if (pcap_opts == NULL) {
2383 g_snprintf(errmsg, (gulong) errmsg_len,
2384 "Could not allocate memory.");
2387 pcap_opts->received = 0;
2388 pcap_opts->dropped = 0;
2389 pcap_opts->pcap_h = NULL;
2390 #ifdef MUST_DO_SELECT
2391 pcap_opts->pcap_fd = -1;
2393 pcap_opts->pcap_err = FALSE;
2394 pcap_opts->interface_id = i;
2395 pcap_opts->tid = NULL;
2396 pcap_opts->snaplen = 0;
2397 pcap_opts->linktype = -1;
2398 pcap_opts->ts_nsec = FALSE;
2399 pcap_opts->from_cap_pipe = FALSE;
2400 memset(&pcap_opts->cap_pipe_hdr, 0, sizeof(struct pcap_hdr));
2401 memset(&pcap_opts->cap_pipe_rechdr, 0, sizeof(struct pcaprec_modified_hdr));
2403 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2405 pcap_opts->cap_pipe_fd = -1;
2407 pcap_opts->cap_pipe_modified = FALSE;
2408 pcap_opts->cap_pipe_byte_swapped = FALSE;
2410 pcap_opts->cap_pipe_buf = NULL;
2412 pcap_opts->cap_pipe_bytes_to_read = 0;
2413 pcap_opts->cap_pipe_bytes_read = 0;
2414 pcap_opts->cap_pipe_state = 0;
2415 pcap_opts->cap_pipe_err = PIPOK;
2417 #if GLIB_CHECK_VERSION(2,31,0)
2418 pcap_opts->cap_pipe_read_mtx = g_malloc(sizeof(GMutex));
2419 g_mutex_init(pcap_opts->cap_pipe_read_mtx);
2421 pcap_opts->cap_pipe_read_mtx = g_mutex_new();
2423 pcap_opts->cap_pipe_pending_q = g_async_queue_new();
2424 pcap_opts->cap_pipe_done_q = g_async_queue_new();
2426 g_array_append_val(ld->pcaps, pcap_opts);
2428 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_input : %s", interface_opts.name);
2429 pcap_opts->pcap_h = open_capture_device(&interface_opts, &open_err_str);
2431 if (pcap_opts->pcap_h != NULL) {
2432 /* we've opened "iface" as a network device */
2434 /* try to set the capture buffer size */
2435 if (interface_opts.buffer_size > 1 &&
2436 pcap_setbuff(pcap_opts->pcap_h, interface_opts.buffer_size * 1024 * 1024) != 0) {
2437 sync_secondary_msg_str = g_strdup_printf(
2438 "The capture buffer size of %dMB seems to be too high for your machine,\n"
2439 "the default of 1MB will be used.\n"
2441 "Nonetheless, the capture is started.\n",
2442 interface_opts.buffer_size);
2443 report_capture_error("Couldn't set the capture buffer size!",
2444 sync_secondary_msg_str);
2445 g_free(sync_secondary_msg_str);
2449 #if defined(HAVE_PCAP_SETSAMPLING)
2450 if (interface_opts.sampling_method != CAPTURE_SAMP_NONE) {
2451 struct pcap_samp *samp;
2453 if ((samp = pcap_setsampling(pcap_opts->pcap_h)) != NULL) {
2454 switch (interface_opts.sampling_method) {
2455 case CAPTURE_SAMP_BY_COUNT:
2456 samp->method = PCAP_SAMP_1_EVERY_N;
2459 case CAPTURE_SAMP_BY_TIMER:
2460 samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
2464 sync_msg_str = g_strdup_printf(
2465 "Unknown sampling method %d specified,\n"
2466 "continue without packet sampling",
2467 interface_opts.sampling_method);
2468 report_capture_error("Couldn't set the capture "
2469 "sampling", sync_msg_str);
2470 g_free(sync_msg_str);
2472 samp->value = interface_opts.sampling_param;
2474 report_capture_error("Couldn't set the capture sampling",
2475 "Cannot get packet sampling data structure");
2480 /* setting the data link type only works on real interfaces */
2481 if (!set_pcap_linktype(pcap_opts->pcap_h, interface_opts.linktype, interface_opts.name,
2483 secondary_errmsg, secondary_errmsg_len)) {
2486 pcap_opts->linktype = get_pcap_linktype(pcap_opts->pcap_h, interface_opts.name);
2488 /* We couldn't open "iface" as a network device. */
2489 /* Try to open it as a pipe */
2490 cap_pipe_open_live(interface_opts.name, pcap_opts, &pcap_opts->cap_pipe_hdr, errmsg, (int) errmsg_len);
2493 if (pcap_opts->cap_pipe_fd == -1) {
2495 if (pcap_opts->cap_pipe_h == INVALID_HANDLE_VALUE) {
2497 if (pcap_opts->cap_pipe_err == PIPNEXIST) {
2498 /* Pipe doesn't exist, so output message for interface */
2499 get_capture_device_open_failure_messages(open_err_str,
2500 interface_opts.name,
2504 secondary_errmsg_len);
2507 * Else pipe (or file) does exist and cap_pipe_open_live() has
2512 /* cap_pipe_open_live() succeeded; don't want
2513 error message from pcap_open_live() */
2514 open_err_str[0] = '\0';
2518 /* XXX - will this work for tshark? */
2519 #ifdef MUST_DO_SELECT
2520 if (!pcap_opts->from_cap_pipe) {
2521 #ifdef HAVE_PCAP_GET_SELECTABLE_FD
2522 pcap_opts->pcap_fd = pcap_get_selectable_fd(pcap_opts->pcap_h);
2524 pcap_opts->pcap_fd = pcap_fileno(pcap_opts->pcap_h);
2529 /* Does "open_err_str" contain a non-empty string? If so, "pcap_open_live()"
2530 returned a warning; print it, but keep capturing. */
2531 if (open_err_str[0] != '\0') {
2532 sync_msg_str = g_strdup_printf("%s.", open_err_str);
2533 report_capture_error(sync_msg_str, "");
2534 g_free(sync_msg_str);
2536 capture_opts->ifaces = g_array_remove_index(capture_opts->ifaces, i);
2537 g_array_insert_val(capture_opts->ifaces, i, interface_opts);
2540 /* If not using libcap: we now can now set euid/egid to ruid/rgid */
2541 /* to remove any suid privileges. */
2542 /* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
2543 /* (euid/egid have already previously been set to ruid/rgid. */
2544 /* (See comment in main() for details) */
2546 relinquish_special_privs_perm();
2548 relinquish_all_capabilities();
2553 /* close the capture input file (pcap or capture pipe) */
2554 static void capture_loop_close_input(loop_data *ld)
2557 pcap_options *pcap_opts;
2559 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input");
2561 for (i = 0; i < ld->pcaps->len; i++) {
2562 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2563 /* if open, close the capture pipe "input file" */
2565 if (pcap_opts->cap_pipe_fd >= 0) {
2566 g_assert(pcap_opts->from_cap_pipe);
2567 ws_close(pcap_opts->cap_pipe_fd);
2568 pcap_opts->cap_pipe_fd = -1;
2571 if (pcap_opts->cap_pipe_h != INVALID_HANDLE_VALUE) {
2572 CloseHandle(pcap_opts->cap_pipe_h);
2573 pcap_opts->cap_pipe_h = INVALID_HANDLE_VALUE;
2576 /* if open, close the pcap "input file" */
2577 if (pcap_opts->pcap_h != NULL) {
2578 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_input: closing %p", (void *)pcap_opts->pcap_h);
2579 pcap_close(pcap_opts->pcap_h);
2580 pcap_opts->pcap_h = NULL;
2587 /* Shut down windows sockets */
2593 /* init the capture filter */
2594 static initfilter_status_t
2595 capture_loop_init_filter(pcap_t *pcap_h, gboolean from_cap_pipe,
2596 const gchar * name, const gchar * cfilter)
2598 struct bpf_program fcode;
2600 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_filter: %s", cfilter);
2602 /* capture filters only work on real interfaces */
2603 if (cfilter && !from_cap_pipe) {
2604 /* A capture filter was specified; set it up. */
2605 if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
2606 /* Treat this specially - our caller might try to compile this
2607 as a display filter and, if that succeeds, warn the user that
2608 the display and capture filter syntaxes are different. */
2609 return INITFILTER_BAD_FILTER;
2611 if (pcap_setfilter(pcap_h, &fcode) < 0) {
2612 #ifdef HAVE_PCAP_FREECODE
2613 pcap_freecode(&fcode);
2615 return INITFILTER_OTHER_ERROR;
2617 #ifdef HAVE_PCAP_FREECODE
2618 pcap_freecode(&fcode);
2622 return INITFILTER_NO_ERROR;
2626 /* set up to write to the already-opened capture output file/files */
2628 capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
2632 pcap_options *pcap_opts;
2633 interface_options interface_opts;
2634 gboolean successful;
2636 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_init_output");
2638 if ((capture_opts->use_pcapng == FALSE) &&
2639 (capture_opts->ifaces->len > 1)) {
2640 g_snprintf(errmsg, errmsg_len,
2641 "Using PCAPNG is required for capturing on multiple interfaces! Use the -n option.");
2645 /* Set up to write to the capture file. */
2646 if (capture_opts->multi_files_on) {
2647 ld->pdh = ringbuf_init_libpcap_fdopen(&err);
2649 ld->pdh = libpcap_fdopen(ld->save_file_fd, &err);
2652 if (capture_opts->use_pcapng) {
2654 GString *os_info_str;
2656 os_info_str = g_string_new("");
2657 get_os_version_info(os_info_str);
2659 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
2660 successful = libpcap_write_session_header_block(ld->pdh,
2663 os_info_str->str, /* OS*/
2665 -1, /* section_length */
2669 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
2670 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2671 pcap_opts = g_array_index(ld->pcaps, pcap_options *, i);
2672 if (pcap_opts->from_cap_pipe) {
2673 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2675 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2677 successful = libpcap_write_interface_description_block(global_ld.pdh,
2678 NULL, /* OPT_COMMENT 1 */
2679 interface_opts.name, /* IDB_NAME 2 */
2680 interface_opts.descr, /* IDB_DESCRIPTION 3 */
2681 interface_opts.cfilter, /* IDB_FILTER 11 */
2682 os_info_str->str, /* IDB_OS 12 */
2683 pcap_opts->linktype,
2685 &(global_ld.bytes_written),
2686 0, /* IDB_IF_SPEED 8 */
2687 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
2691 g_string_free(os_info_str, TRUE);
2694 pcap_opts = g_array_index(ld->pcaps, pcap_options *, 0);
2695 if (pcap_opts->from_cap_pipe) {
2696 pcap_opts->snaplen = pcap_opts->cap_pipe_hdr.snaplen;
2698 pcap_opts->snaplen = pcap_snapshot(pcap_opts->pcap_h);
2700 successful = libpcap_write_file_header(ld->pdh, pcap_opts->linktype, pcap_opts->snaplen,
2701 pcap_opts->ts_nsec, &ld->bytes_written, &err);
2709 if (ld->pdh == NULL) {
2710 /* We couldn't set up to write to the capture file. */
2711 /* XXX - use cf_open_error_message from tshark instead? */
2716 g_snprintf(errmsg, errmsg_len,
2717 "The file to which the capture would be"
2718 " saved (\"%s\") could not be opened: Error %d.",
2719 capture_opts->save_file, err);
2721 g_snprintf(errmsg, errmsg_len,
2722 "The file to which the capture would be"
2723 " saved (\"%s\") could not be opened: %s.",
2724 capture_opts->save_file, g_strerror(err));
2736 capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
2740 pcap_options *pcap_opts;
2741 guint64 end_time = create_timestamp();
2743 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_close_output");
2745 if (capture_opts->multi_files_on) {
2746 return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
2748 if (capture_opts->use_pcapng) {
2749 for (i = 0; i < global_ld.pcaps->len; i++) {
2750 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
2751 if (!pcap_opts->from_cap_pipe) {
2752 libpcap_write_interface_statistics_block(ld->pdh,
2756 "Counters provided by libpcap",
2763 return libpcap_dump_close(ld->pdh, err_close);
2767 /* dispatch incoming packets (pcap or capture pipe)
2769 * Waits for incoming packets to be available, and calls pcap_dispatch()
2770 * to cause them to be processed.
2772 * Returns the number of packets which were processed.
2774 * Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
2775 * packet-batching behaviour does not cause packets to get held back
2779 capture_loop_dispatch(loop_data *ld,
2780 char *errmsg, int errmsg_len, pcap_options *pcap_opts)
2783 gint packet_count_before;
2784 guchar pcap_data[WTAP_MAX_PACKET_SIZE];
2789 packet_count_before = ld->packet_count;
2790 if (pcap_opts->from_cap_pipe) {
2791 /* dispatch from capture pipe */
2792 #ifdef LOG_CAPTURE_VERBOSE
2793 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from capture pipe");
2796 sel_ret = cap_pipe_select(pcap_opts->cap_pipe_fd);
2798 if (sel_ret < 0 && errno != EINTR) {
2799 g_snprintf(errmsg, errmsg_len,
2800 "Unexpected error from select: %s", g_strerror(errno));
2801 report_capture_error(errmsg, please_report);
2806 * "select()" says we can read from the pipe without blocking
2809 inpkts = cap_pipe_dispatch(ld, pcap_opts, pcap_data, errmsg, errmsg_len);
2819 /* dispatch from pcap */
2820 #ifdef MUST_DO_SELECT
2822 * If we have "pcap_get_selectable_fd()", we use it to get the
2823 * descriptor on which to select; if that's -1, it means there
2824 * is no descriptor on which you can do a "select()" (perhaps
2825 * because you're capturing on a special device, and that device's
2826 * driver unfortunately doesn't support "select()", in which case
2827 * we don't do the select - which means it might not be possible
2828 * to stop a capture until a packet arrives. If that's unacceptable,
2829 * plead with whoever supplies the software for that device to add
2830 * "select()" support, or upgrade to libpcap 0.8.1 or later, and
2831 * rebuild Wireshark or get a version built with libpcap 0.8.1 or
2832 * later, so it can use pcap_breakloop().
2834 #ifdef LOG_CAPTURE_VERBOSE
2835 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch with select");
2837 if (pcap_opts->pcap_fd != -1) {
2838 sel_ret = cap_pipe_select(pcap_opts->pcap_fd);
2841 * "select()" says we can read from it without blocking; go for
2844 * We don't have pcap_breakloop(), so we only process one packet
2845 * per pcap_dispatch() call, to allow a signal to stop the
2846 * processing immediately, rather than processing all packets
2847 * in a batch before quitting.
2850 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2852 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2856 /* Error, rather than pcap_breakloop(). */
2857 pcap_opts->pcap_err = TRUE;
2859 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2862 if (sel_ret < 0 && errno != EINTR) {
2863 g_snprintf(errmsg, errmsg_len,
2864 "Unexpected error from select: %s", g_strerror(errno));
2865 report_capture_error(errmsg, please_report);
2871 #endif /* MUST_DO_SELECT */
2873 /* dispatch from pcap without select */
2875 #ifdef LOG_CAPTURE_VERBOSE
2876 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_dispatch");
2880 * On Windows, we don't support asynchronously telling a process to
2881 * stop capturing; instead, we check for an indication on a pipe
2882 * after processing packets. We therefore process only one packet
2883 * at a time, so that we can check the pipe after every packet.
2886 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2888 inpkts = pcap_dispatch(pcap_opts->pcap_h, 1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2892 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_queue_packet_cb, (u_char *)pcap_opts);
2894 inpkts = pcap_dispatch(pcap_opts->pcap_h, -1, capture_loop_write_packet_cb, (u_char *)pcap_opts);
2899 /* Error, rather than pcap_breakloop(). */
2900 pcap_opts->pcap_err = TRUE;
2902 ld->go = FALSE; /* error or pcap_breakloop() - stop capturing */
2904 #else /* pcap_next_ex */
2905 #ifdef LOG_CAPTURE_VERBOSE
2906 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: from pcap_next_ex");
2908 /* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
2911 * WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
2912 * see http://wiki.wireshark.org/CaptureSetup_2fWinPcapRemote
2913 * This should be fixed in the WinPcap 4.0 alpha release.
2915 * For reference, an example remote interface:
2916 * rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
2919 /* emulate dispatch from pcap */
2922 struct pcap_pkthdr *pkt_header;
2927 (in = pcap_next_ex(pcap_opts->pcap_h, &pkt_header, &pkt_data)) == 1) {
2929 capture_loop_queue_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2931 capture_loop_write_packet_cb((u_char *)pcap_opts, pkt_header, pkt_data);
2936 pcap_opts->pcap_err = TRUE;
2940 #endif /* pcap_next_ex */
2944 #ifdef LOG_CAPTURE_VERBOSE
2945 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
2948 return ld->packet_count - packet_count_before;
2952 /* Isolate the Universally Unique Identifier from the interface. Basically, we
2953 * want to grab only the characters between the '{' and '}' delimiters.
2955 * Returns a GString that must be freed with g_string_free(). */
2957 isolate_uuid(const char *iface)
2962 ptr = strchr(iface, '{');
2964 return g_string_new(iface);
2965 gstr = g_string_new(ptr + 1);
2967 ptr = strchr(gstr->str, '}');
2971 gstr = g_string_truncate(gstr, ptr - gstr->str);
2976 /* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
2977 /* Returns TRUE if the file opened successfully, FALSE otherwise. */
2979 capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
2980 char *errmsg, int errmsg_len)
2983 gchar *capfile_name;
2985 gboolean is_tempfile;
2987 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "capture_loop_open_output: %s",
2988 (capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
2990 if (capture_opts->save_file != NULL) {
2991 /* We return to the caller while the capture is in progress.
2992 * Therefore we need to take a copy of save_file in
2993 * case the caller destroys it after we return.
2995 capfile_name = g_strdup(capture_opts->save_file);
2997 if (capture_opts->output_to_pipe == TRUE) { /* either "-" or named pipe */
2998 if (capture_opts->multi_files_on) {
2999 /* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
3000 g_snprintf(errmsg, errmsg_len,
3001 "Ring buffer requested, but capture is being written to standard output or to a named pipe.");
3002 g_free(capfile_name);
3005 if (strcmp(capfile_name, "-") == 0) {
3006 /* write to stdout */
3009 /* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
3010 _setmode(1, O_BINARY);
3013 } /* if (...output_to_pipe ... */
3016 if (capture_opts->multi_files_on) {
3017 /* ringbuffer is enabled */
3018 *save_file_fd = ringbuf_init(capfile_name,
3019 (capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
3020 capture_opts->group_read_access);
3022 /* we need the ringbuf name */
3023 if(*save_file_fd != -1) {
3024 g_free(capfile_name);
3025 capfile_name = g_strdup(ringbuf_current_filename());
3028 /* Try to open/create the specified file for use as a capture buffer. */
3029 *save_file_fd = ws_open(capfile_name, O_RDWR|O_BINARY|O_TRUNC|O_CREAT,
3030 (capture_opts->group_read_access) ? 0640 : 0600);
3033 is_tempfile = FALSE;
3035 /* Choose a random name for the temporary capture buffer */
3036 if (global_capture_opts.ifaces->len > 1) {
3037 prefix = g_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
3042 iface = isolate_uuid(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3043 basename = g_path_get_basename(iface->str);
3044 g_string_free(iface, TRUE);
3046 basename = g_path_get_basename(g_array_index(global_capture_opts.ifaces, interface_options, 0).name);
3048 prefix = g_strconcat("wireshark_", basename, NULL);
3051 *save_file_fd = create_tempfile(&tmpname, prefix);
3053 capfile_name = g_strdup(tmpname);
3057 /* did we fail to open the output file? */
3058 if (*save_file_fd == -1) {
3060 g_snprintf(errmsg, errmsg_len,
3061 "The temporary file to which the capture would be saved (\"%s\") "
3062 "could not be opened: %s.", capfile_name, g_strerror(errno));
3064 if (capture_opts->multi_files_on) {
3065 ringbuf_error_cleanup();
3068 g_snprintf(errmsg, errmsg_len,
3069 "The file to which the capture would be saved (\"%s\") "
3070 "could not be opened: %s.", capfile_name,
3073 g_free(capfile_name);
3077 if(capture_opts->save_file != NULL) {
3078 g_free(capture_opts->save_file);
3080 capture_opts->save_file = capfile_name;
3081 /* capture_opts.save_file is "g_free"ed later, which is equivalent to
3082 "g_free(capfile_name)". */
3088 /* Do the work of handling either the file size or file duration capture
3089 conditions being reached, and switching files or stopping. */
3091 do_file_switch_or_stop(capture_options *capture_opts,
3092 condition *cnd_autostop_files,
3093 condition *cnd_autostop_size,
3094 condition *cnd_file_duration)
3097 pcap_options *pcap_opts;
3098 interface_options interface_opts;
3099 gboolean successful;
3101 if (capture_opts->multi_files_on) {
3102 if (cnd_autostop_files != NULL &&
3103 cnd_eval(cnd_autostop_files, ++global_ld.autostop_files)) {
3104 /* no files left: stop here */
3105 global_ld.go = FALSE;
3109 /* Switch to the next ringbuffer file */
3110 if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
3111 &global_ld.save_file_fd, &global_ld.err)) {
3113 /* File switch succeeded: reset the conditions */
3114 global_ld.bytes_written = 0;
3115 if (capture_opts->use_pcapng) {
3117 GString *os_info_str;
3119 os_info_str = g_string_new("");
3120 get_os_version_info(os_info_str);
3122 g_snprintf(appname, sizeof(appname), "Dumpcap " VERSION "%s", wireshark_svnversion);
3123 successful = libpcap_write_session_header_block(global_ld.pdh,
3126 os_info_str->str, /* OS */
3128 -1, /* section_length */
3129 &(global_ld.bytes_written),
3132 for (i = 0; successful && (i < capture_opts->ifaces->len); i++) {
3133 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3134 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3135 successful = libpcap_write_interface_description_block(global_ld.pdh,
3136 NULL, /* OPT_COMMENT 1 */
3137 interface_opts.name, /* IDB_NAME 2 */
3138 interface_opts.descr, /* IDB_DESCRIPTION 3 */
3139 interface_opts.cfilter, /* IDB_FILTER 11 */
3140 os_info_str->str, /* IDB_OS 12 */
3141 pcap_opts->linktype,
3143 &(global_ld.bytes_written),
3144 0, /* IDB_IF_SPEED 8 */
3145 pcap_opts->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
3149 g_string_free(os_info_str, TRUE);
3152 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3153 successful = libpcap_write_file_header(global_ld.pdh, pcap_opts->linktype, pcap_opts->snaplen,
3154 pcap_opts->ts_nsec, &global_ld.bytes_written, &global_ld.err);
3157 fclose(global_ld.pdh);
3158 global_ld.pdh = NULL;
3159 global_ld.go = FALSE;
3162 if (cnd_autostop_size)
3163 cnd_reset(cnd_autostop_size);
3164 if (cnd_file_duration)
3165 cnd_reset(cnd_file_duration);
3166 libpcap_dump_flush(global_ld.pdh, NULL);
3168 report_packet_count(global_ld.inpkts_to_sync_pipe);
3169 global_ld.inpkts_to_sync_pipe = 0;
3170 report_new_capture_file(capture_opts->save_file);
3172 /* File switch failed: stop here */
3173 global_ld.go = FALSE;
3177 /* single file, stop now */
3178 global_ld.go = FALSE;
3185 pcap_read_handler(void* arg)
3187 pcap_options *pcap_opts;
3188 char errmsg[MSG_MAX_LENGTH+1];
3190 pcap_opts = (pcap_options *)arg;
3192 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Started thread for interface %d.",
3193 pcap_opts->interface_id);
3195 while (global_ld.go) {
3196 /* dispatch incoming packets */
3197 capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_opts);
3199 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Stopped thread for interface %d.",
3200 pcap_opts->interface_id);
3201 g_thread_exit(NULL);
3205 /* Do the low-level work of a capture.
3206 Returns TRUE if it succeeds, FALSE otherwise. */
3208 capture_loop_start(capture_options *capture_opts, gboolean *stats_known, struct pcap_stat *stats)
3211 DWORD upd_time, cur_time; /* GetTickCount() returns a "DWORD" (which is 'unsigned long') */
3213 struct timeval upd_time, cur_time;
3217 condition *cnd_file_duration = NULL;
3218 condition *cnd_autostop_files = NULL;
3219 condition *cnd_autostop_size = NULL;
3220 condition *cnd_autostop_duration = NULL;
3223 gboolean cfilter_error = FALSE;
3224 char errmsg[MSG_MAX_LENGTH+1];
3225 char secondary_errmsg[MSG_MAX_LENGTH+1];
3226 pcap_options *pcap_opts;
3227 interface_options interface_opts;
3228 guint i, error_index = 0;
3231 *secondary_errmsg = '\0';
3233 /* init the loop data */
3234 global_ld.go = TRUE;
3235 global_ld.packet_count = 0;
3237 global_ld.report_packet_count = FALSE;
3239 if (capture_opts->has_autostop_packets)
3240 global_ld.packet_max = capture_opts->autostop_packets;
3242 global_ld.packet_max = 0; /* no limit */
3243 global_ld.inpkts_to_sync_pipe = 0;
3244 global_ld.err = 0; /* no error seen yet */
3245 global_ld.pdh = NULL;
3246 global_ld.autostop_files = 0;
3247 global_ld.save_file_fd = -1;
3249 /* We haven't yet gotten the capture statistics. */
3250 *stats_known = FALSE;
3252 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop starting ...");
3253 capture_opts_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, capture_opts);
3255 /* open the "input file" from network interface or capture pipe */
3256 if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
3257 secondary_errmsg, sizeof(secondary_errmsg))) {
3260 for (i = 0; i < capture_opts->ifaces->len; i++) {
3261 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3262 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3263 /* init the input filter from the network interface (capture pipe will do nothing) */
3265 * When remote capturing WinPCap crashes when the capture filter
3266 * is NULL. This might be a bug in WPCap. Therefore we provide an empty
3269 switch (capture_loop_init_filter(pcap_opts->pcap_h, pcap_opts->from_cap_pipe,
3270 interface_opts.name,
3271 interface_opts.cfilter?interface_opts.cfilter:"")) {
3273 case INITFILTER_NO_ERROR:
3276 case INITFILTER_BAD_FILTER:
3277 cfilter_error = TRUE;
3279 g_snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_opts->pcap_h));
3282 case INITFILTER_OTHER_ERROR:
3283 g_snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
3284 pcap_geterr(pcap_opts->pcap_h));
3285 g_snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report);
3290 /* If we're supposed to write to a capture file, open it for output
3291 (temporary/specified name/ringbuffer) */
3292 if (capture_opts->saving_to_file) {
3293 if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
3294 errmsg, sizeof(errmsg))) {
3298 /* set up to write to the already-opened capture output file/files */
3299 if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
3304 /* XXX - capture SIGTERM and close the capture, in case we're on a
3305 Linux 2.0[.x] system and you have to explicitly close the capture
3306 stream in order to turn promiscuous mode off? We need to do that
3307 in other places as well - and I don't think that works all the
3308 time in any case, due to libpcap bugs. */
3310 /* Well, we should be able to start capturing.
3312 Sync out the capture file, so the header makes it to the file system,
3313 and send a "capture started successfully and capture file created"
3314 message to our parent so that they'll open the capture file and
3315 update its windows to indicate that we have a live capture in
3317 libpcap_dump_flush(global_ld.pdh, NULL);
3318 report_new_capture_file(capture_opts->save_file);
3321 /* initialize capture stop (and alike) conditions */
3322 init_capture_stop_conditions();
3323 /* create stop conditions */
3324 if (capture_opts->has_autostop_filesize)
3326 cnd_new(CND_CLASS_CAPTURESIZE,(long)capture_opts->autostop_filesize * 1024);
3327 if (capture_opts->has_autostop_duration)
3328 cnd_autostop_duration =
3329 cnd_new(CND_CLASS_TIMEOUT,(gint32)capture_opts->autostop_duration);
3331 if (capture_opts->multi_files_on) {
3332 if (capture_opts->has_file_duration)
3334 cnd_new(CND_CLASS_TIMEOUT, capture_opts->file_duration);
3336 if (capture_opts->has_autostop_files)
3337 cnd_autostop_files =
3338 cnd_new(CND_CLASS_CAPTURESIZE, capture_opts->autostop_files);
3341 /* init the time values */
3343 upd_time = GetTickCount();
3345 gettimeofday(&upd_time, NULL);
3347 start_time = create_timestamp();
3348 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop running!");
3350 /* WOW, everything is prepared! */
3351 /* please fasten your seat belts, we will enter now the actual capture loop */
3353 pcap_queue = g_async_queue_new();
3354 pcap_queue_bytes = 0;
3355 pcap_queue_packets = 0;
3356 for (i = 0; i < global_ld.pcaps->len; i++) {
3357 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3358 #if GLIB_CHECK_VERSION(2,31,0)
3359 /* XXX - Add an interface name here? */
3360 pcap_opts->tid = g_thread_new("Capture read", pcap_read_handler, pcap_opts);
3362 pcap_opts->tid = g_thread_create(pcap_read_handler, pcap_opts, TRUE, NULL);
3366 while (global_ld.go) {
3367 /* dispatch incoming packets */
3369 pcap_queue_element *queue_element;
3370 #if GLIB_CHECK_VERSION(2,31,18)
3372 g_async_queue_lock(pcap_queue);
3373 queue_element = g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
3375 GTimeVal write_thread_time;
3377 g_get_current_time(&write_thread_time);
3378 g_time_val_add(&write_thread_time, WRITER_THREAD_TIMEOUT);
3379 g_async_queue_lock(pcap_queue);
3380 queue_element = g_async_queue_timed_pop_unlocked(pcap_queue, &write_thread_time);
3382 if (queue_element) {
3383 pcap_queue_bytes -= queue_element->phdr.caplen;
3384 pcap_queue_packets -= 1;
3386 g_async_queue_unlock(pcap_queue);
3387 if (queue_element) {
3388 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3389 "Dequeued a packet of length %d captured on interface %d.",
3390 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3392 capture_loop_write_packet_cb((u_char *) queue_element->pcap_opts,
3393 &queue_element->phdr,
3395 g_free(queue_element->pd);
3396 g_free(queue_element);
3402 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, 0);
3403 inpkts = capture_loop_dispatch(&global_ld, errmsg,
3404 sizeof(errmsg), pcap_opts);
3407 /* Were we asked to print packet counts by the SIGINFO handler? */
3408 if (global_ld.report_packet_count) {
3409 fprintf(stderr, "%u packet%s captured\n", global_ld.packet_count,
3410 plurality(global_ld.packet_count, "", "s"));
3411 global_ld.report_packet_count = FALSE;
3416 /* any news from our parent (signal pipe)? -> just stop the capture */
3417 if (!signal_pipe_check_running()) {
3418 global_ld.go = FALSE;
3423 global_ld.inpkts_to_sync_pipe += inpkts;
3425 /* check capture size condition */
3426 if (cnd_autostop_size != NULL &&
3427 cnd_eval(cnd_autostop_size, (guint32)global_ld.bytes_written)) {
3428 /* Capture size limit reached, do we have another file? */
3429 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3430 cnd_autostop_size, cnd_file_duration))
3432 } /* cnd_autostop_size */
3433 if (capture_opts->output_to_pipe) {
3434 libpcap_dump_flush(global_ld.pdh, NULL);
3438 /* Only update once every 500ms so as not to overload slow displays.
3439 * This also prevents too much context-switching between the dumpcap
3440 * and wireshark processes.
3442 #define DUMPCAP_UPD_TIME 500
3445 cur_time = GetTickCount(); /* Note: wraps to 0 if sys runs for 49.7 days */
3446 if ((cur_time - upd_time) > DUMPCAP_UPD_TIME) { /* wrap just causes an extra update */
3448 gettimeofday(&cur_time, NULL);
3449 if ((cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
3450 (upd_time.tv_sec * 1000000 + upd_time.tv_usec + DUMPCAP_UPD_TIME*1000)) {
3453 upd_time = cur_time;
3456 if (pcap_stats(pch, stats) >= 0) {
3457 *stats_known = TRUE;
3460 /* Let the parent process know. */
3461 if (global_ld.inpkts_to_sync_pipe) {
3463 libpcap_dump_flush(global_ld.pdh, NULL);
3465 /* Send our parent a message saying we've written out
3466 "global_ld.inpkts_to_sync_pipe" packets to the capture file. */
3468 report_packet_count(global_ld.inpkts_to_sync_pipe);
3470 global_ld.inpkts_to_sync_pipe = 0;
3473 /* check capture duration condition */
3474 if (cnd_autostop_duration != NULL && cnd_eval(cnd_autostop_duration)) {
3475 /* The maximum capture time has elapsed; stop the capture. */
3476 global_ld.go = FALSE;
3480 /* check capture file duration condition */
3481 if (cnd_file_duration != NULL && cnd_eval(cnd_file_duration)) {
3482 /* duration limit reached, do we have another file? */
3483 if (!do_file_switch_or_stop(capture_opts, cnd_autostop_files,
3484 cnd_autostop_size, cnd_file_duration))
3486 } /* cnd_file_duration */
3490 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopping ...");
3492 pcap_queue_element *queue_element;
3494 for (i = 0; i < global_ld.pcaps->len; i++) {
3495 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3496 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Waiting for thread of interface %u...",
3497 pcap_opts->interface_id);
3498 g_thread_join(pcap_opts->tid);
3499 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Thread of interface %u terminated.",
3500 pcap_opts->interface_id);
3503 g_async_queue_lock(pcap_queue);
3504 queue_element = g_async_queue_try_pop_unlocked(pcap_queue);
3505 if (queue_element) {
3506 pcap_queue_bytes -= queue_element->phdr.caplen;
3507 pcap_queue_packets -= 1;
3509 g_async_queue_unlock(pcap_queue);
3510 if (queue_element == NULL) {
3513 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3514 "Dequeued a packet of length %d captured on interface %d.",
3515 queue_element->phdr.caplen, queue_element->pcap_opts->interface_id);
3516 capture_loop_write_packet_cb((u_char *)queue_element->pcap_opts,
3517 &queue_element->phdr,
3519 g_free(queue_element->pd);
3520 g_free(queue_element);
3521 global_ld.inpkts_to_sync_pipe += 1;
3522 if (capture_opts->output_to_pipe) {
3523 libpcap_dump_flush(global_ld.pdh, NULL);
3529 /* delete stop conditions */
3530 if (cnd_file_duration != NULL)
3531 cnd_delete(cnd_file_duration);
3532 if (cnd_autostop_files != NULL)
3533 cnd_delete(cnd_autostop_files);
3534 if (cnd_autostop_size != NULL)
3535 cnd_delete(cnd_autostop_size);
3536 if (cnd_autostop_duration != NULL)
3537 cnd_delete(cnd_autostop_duration);
3539 /* did we have a pcap (input) error? */
3540 for (i = 0; i < capture_opts->ifaces->len; i++) {
3541 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3542 if (pcap_opts->pcap_err) {
3543 /* On Linux, if an interface goes down while you're capturing on it,
3544 you'll get a "recvfrom: Network is down" or
3545 "The interface went down" error (ENETDOWN).
3546 (At least you will if g_strerror() doesn't show a local translation
3549 On FreeBSD and OS X, if a network adapter disappears while
3550 you're capturing on it, you'll get a "read: Device not configured"
3551 error (ENXIO). (See previous parenthetical note.)
3553 On OpenBSD, you get "read: I/O error" (EIO) in the same case.
3555 These should *not* be reported to the Wireshark developers. */
3558 cap_err_str = pcap_geterr(pcap_opts->pcap_h);
3559 if (strcmp(cap_err_str, "recvfrom: Network is down") == 0 ||
3560 strcmp(cap_err_str, "The interface went down") == 0 ||
3561 strcmp(cap_err_str, "read: Device not configured") == 0 ||
3562 strcmp(cap_err_str, "read: I/O error") == 0 ||
3563 strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
3564 report_capture_error("The network adapter on which the capture was being done "
3565 "is no longer running; the capture has stopped.",
3568 g_snprintf(errmsg, sizeof(errmsg), "Error while capturing packets: %s",
3570 report_capture_error(errmsg, please_report);
3573 } else if (pcap_opts->from_cap_pipe && pcap_opts->cap_pipe_err == PIPERR) {
3574 report_capture_error(errmsg, "");
3578 /* did we have an output error while capturing? */
3579 if (global_ld.err == 0) {
3582 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file,
3583 global_ld.err, FALSE);
3584 report_capture_error(errmsg, please_report);
3588 if (capture_opts->saving_to_file) {
3589 /* close the output file */
3590 close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
3594 /* there might be packets not yet notified to the parent */
3595 /* (do this after closing the file, so all packets are already flushed) */
3596 if(global_ld.inpkts_to_sync_pipe) {
3598 report_packet_count(global_ld.inpkts_to_sync_pipe);
3599 global_ld.inpkts_to_sync_pipe = 0;
3602 /* If we've displayed a message about a write error, there's no point
3603 in displaying another message about an error on close. */
3604 if (!close_ok && write_ok) {
3605 capture_loop_get_errmsg(errmsg, sizeof(errmsg), capture_opts->save_file, err_close,
3607 report_capture_error(errmsg, "");
3611 * XXX We exhibit different behaviour between normal mode and sync mode
3612 * when the pipe is stdin and not already at EOF. If we're a child, the
3613 * parent's stdin isn't closed, so if the user starts another capture,
3614 * cap_pipe_open_live() will very likely not see the expected magic bytes and
3615 * will say "Unrecognized libpcap format". On the other hand, in normal
3616 * mode, cap_pipe_open_live() will say "End of file on pipe during open".
3619 report_capture_count(TRUE);
3621 /* get packet drop statistics from pcap */
3622 for (i = 0; i < capture_opts->ifaces->len; i++) {
3626 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3627 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
3628 received = pcap_opts->received;
3629 dropped = pcap_opts->dropped;
3630 if (pcap_opts->pcap_h != NULL) {
3631 g_assert(!pcap_opts->from_cap_pipe);
3632 /* Get the capture statistics, so we know how many packets were dropped. */
3633 if (pcap_stats(pcap_opts->pcap_h, stats) >= 0) {
3634 *stats_known = TRUE;
3635 /* Let the parent process know. */
3636 dropped += stats->ps_drop;
3638 g_snprintf(errmsg, sizeof(errmsg),
3639 "Can't get packet-drop statistics: %s",
3640 pcap_geterr(pcap_opts->pcap_h));
3641 report_capture_error(errmsg, please_report);
3644 report_packet_drops(received, dropped, interface_opts.name);
3647 /* close the input file (pcap or capture pipe) */
3648 capture_loop_close_input(&global_ld);
3650 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped!");
3652 /* ok, if the write and the close were successful. */
3653 return write_ok && close_ok;
3656 if (capture_opts->multi_files_on) {
3657 /* cleanup ringbuffer */
3658 ringbuf_error_cleanup();
3660 /* We can't use the save file, and we have no FILE * for the stream
3661 to close in order to close it, so close the FD directly. */
3662 if (global_ld.save_file_fd != -1) {
3663 ws_close(global_ld.save_file_fd);
3666 /* We couldn't even start the capture, so get rid of the capture
3668 if (capture_opts->save_file != NULL) {
3669 ws_unlink(capture_opts->save_file);
3670 g_free(capture_opts->save_file);
3673 capture_opts->save_file = NULL;
3675 report_cfilter_error(capture_opts, error_index, errmsg);
3677 report_capture_error(errmsg, secondary_errmsg);
3679 /* close the input file (pcap or cap_pipe) */
3680 capture_loop_close_input(&global_ld);
3682 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO, "Capture loop stopped with error");
3688 static void capture_loop_stop(void)
3690 #ifdef HAVE_PCAP_BREAKLOOP
3692 pcap_options *pcap_opts;
3694 for (i = 0; i < global_ld.pcaps->len; i++) {
3695 pcap_opts = g_array_index(global_ld.pcaps, pcap_options *, i);
3696 if (pcap_opts->pcap_h != NULL)
3697 pcap_breakloop(pcap_opts->pcap_h);
3700 global_ld.go = FALSE;
3705 capture_loop_get_errmsg(char *errmsg, int errmsglen, const char *fname,
3706 int err, gboolean is_close)
3711 g_snprintf(errmsg, errmsglen,
3712 "Not all the packets could be written to the file"
3713 " to which the capture was being saved\n"
3714 "(\"%s\") because there is no space left on the file system\n"
3715 "on which that file resides.",
3721 g_snprintf(errmsg, errmsglen,
3722 "Not all the packets could be written to the file"
3723 " to which the capture was being saved\n"
3724 "(\"%s\") because you are too close to, or over,"
3725 " your disk quota\n"
3726 "on the file system on which that file resides.",
3733 g_snprintf(errmsg, errmsglen,
3734 "The file to which the capture was being saved\n"
3735 "(\"%s\") could not be closed: %s.",
3736 fname, g_strerror(err));
3738 g_snprintf(errmsg, errmsglen,
3739 "An error occurred while writing to the file"
3740 " to which the capture was being saved\n"
3742 fname, g_strerror(err));
3749 /* one packet was captured, process it */
3751 capture_loop_write_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3754 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3756 guint ts_mul = pcap_opts->ts_nsec ? 1000000000 : 1000000;
3758 /* We may be called multiple times from pcap_dispatch(); if we've set
3759 the "stop capturing" flag, ignore this packet, as we're not
3760 supposed to be saving any more packets. */
3764 if (global_ld.pdh) {
3765 gboolean successful;
3767 /* We're supposed to write the packet to a file; do so.
3768 If this fails, set "ld->go" to FALSE, to stop the capture, and set
3769 "ld->err" to the error. */
3770 if (global_capture_opts.use_pcapng) {
3771 successful = libpcap_write_enhanced_packet_block(global_ld.pdh, phdr, pcap_opts->interface_id, ts_mul, pd, &global_ld.bytes_written, &err);
3773 successful = libpcap_write_packet(global_ld.pdh, phdr, pd, &global_ld.bytes_written, &err);
3776 global_ld.go = FALSE;
3777 global_ld.err = err;
3779 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3780 "Wrote a packet of length %d captured on interface %u.",
3781 phdr->caplen, pcap_opts->interface_id);
3782 global_ld.packet_count++;
3783 /* if the user told us to stop after x packets, do we already have enough? */
3784 if ((global_ld.packet_max > 0) && (global_ld.packet_count >= global_ld.packet_max)) {
3785 global_ld.go = FALSE;
3791 /* one packet was captured, queue it */
3793 capture_loop_queue_packet_cb(u_char *pcap_opts_p, const struct pcap_pkthdr *phdr,
3796 pcap_options *pcap_opts = (pcap_options *) (void *) pcap_opts_p;
3797 pcap_queue_element *queue_element;
3798 gboolean limit_reached;
3800 /* We may be called multiple times from pcap_dispatch(); if we've set
3801 the "stop capturing" flag, ignore this packet, as we're not
3802 supposed to be saving any more packets. */
3803 if (!global_ld.go) {
3804 pcap_opts->dropped++;
3808 queue_element = (pcap_queue_element *)g_malloc(sizeof(pcap_queue_element));
3809 if (queue_element == NULL) {
3810 pcap_opts->dropped++;
3813 queue_element->pcap_opts = pcap_opts;
3814 queue_element->phdr = *phdr;
3815 queue_element->pd = (u_char *)g_malloc(phdr->caplen);
3816 if (queue_element->pd == NULL) {
3817 pcap_opts->dropped++;
3818 g_free(queue_element);
3821 memcpy(queue_element->pd, pd, phdr->caplen);
3822 g_async_queue_lock(pcap_queue);
3823 if (((pcap_queue_byte_limit > 0) && (pcap_queue_bytes < pcap_queue_byte_limit)) &&
3824 ((pcap_queue_packet_limit > 0) && (pcap_queue_packets < pcap_queue_packet_limit))) {
3825 limit_reached = FALSE;
3826 g_async_queue_push_unlocked(pcap_queue, queue_element);
3827 pcap_queue_bytes += phdr->caplen;
3828 pcap_queue_packets += 1;
3830 limit_reached = TRUE;
3832 g_async_queue_unlock(pcap_queue);
3833 if (limit_reached) {
3834 pcap_opts->dropped++;
3835 g_free(queue_element->pd);
3836 g_free(queue_element);
3837 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3838 "Dropped a packet of length %d captured on interface %u.",
3839 phdr->caplen, pcap_opts->interface_id);
3841 pcap_opts->received++;
3842 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3843 "Queued a packet of length %d captured on interface %u.",
3844 phdr->caplen, pcap_opts->interface_id);
3846 /* I don't want to hold the mutex over the debug output. So the
3847 output may be wrong */
3848 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
3849 "Queue size is now %" G_GINT64_MODIFIER "d bytes (%" G_GINT64_MODIFIER "d packets)",
3850 pcap_queue_bytes, pcap_queue_packets);
3853 /* And now our feature presentation... [ fade to music ] */
3855 main(int argc, char *argv[])
3858 gboolean arg_error = FALSE;
3863 struct sigaction action, oldaction;
3866 gboolean start_capture = TRUE;
3867 gboolean stats_known;
3868 struct pcap_stat stats;
3869 GLogLevelFlags log_flags;
3870 gboolean list_interfaces = FALSE;
3871 gboolean list_link_layer_types = FALSE;
3872 #ifdef HAVE_BPF_IMAGE
3873 gboolean print_bpf_code = FALSE;
3875 gboolean machine_readable = FALSE;
3876 gboolean print_statistics = FALSE;
3877 int status, run_once_args = 0;
3880 #if defined(__APPLE__) && defined(__LP64__)
3881 struct utsname osinfo;
3886 arg_list_utf_16to8(argc, argv);
3891 * Initialize our DLL search path. MUST be called before LoadLibrary
3894 ws_init_dll_search_path();
3897 #ifdef HAVE_PCAP_REMOTE
3898 #define OPTSTRING_A "A:"
3899 #define OPTSTRING_r "r"
3900 #define OPTSTRING_u "u"
3902 #define OPTSTRING_A ""
3903 #define OPTSTRING_r ""
3904 #define OPTSTRING_u ""
3907 #ifdef HAVE_PCAP_SETSAMPLING
3908 #define OPTSTRING_m "m:"
3910 #define OPTSTRING_m ""
3913 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
3914 #define OPTSTRING_B "B:"
3916 #define OPTSTRING_B ""
3917 #endif /* _WIN32 or HAVE_PCAP_CREATE */
3919 #ifdef HAVE_PCAP_CREATE
3920 #define OPTSTRING_I "I"
3922 #define OPTSTRING_I ""
3925 #ifdef HAVE_BPF_IMAGE
3926 #define OPTSTRING_d "d"
3928 #define OPTSTRING_d ""
3931 #define OPTSTRING "a:" OPTSTRING_A "b:" OPTSTRING_B "c:" OPTSTRING_d "Df:ghi:" OPTSTRING_I "L" OPTSTRING_m "MnpPq" OPTSTRING_r "Ss:t" OPTSTRING_u "vw:y:Z:"
3933 #ifdef DEBUG_CHILD_DUMPCAP
3934 if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
3935 fprintf (stderr, "Unable to open debug log file !\n");
3940 #if defined(__APPLE__) && defined(__LP64__)
3942 * Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
3943 * a bug workaround - timeouts less than 1 second don't work with libpcap
3944 * in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
3945 * re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
3946 * The problem is extremely unlikely to be reintroduced in a future
3949 if (uname(&osinfo) == 0) {
3951 * Mac OS X 10.x uses Darwin {x+4}.0.0. Mac OS X 10.x.y uses Darwin
3952 * {x+4}.y.0 (except that 10.6.1 appears to have a uname version
3953 * number of 10.0.0, not 10.1.0 - go figure).
3955 if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
3956 strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
3957 strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
3958 need_timeout_workaround = TRUE;
3963 * Determine if dumpcap is being requested to run in a special
3964 * capture_child mode by going thru the command line args to see if
3965 * a -Z is present. (-Z is a hidden option).
3967 * The primary result of running in capture_child mode is that
3968 * all messages sent out on stderr are in a special type/len/string
3969 * format to allow message processing by type. These messages include
3970 * error messages if dumpcap fails to start the operation it was
3971 * requested to do, as well as various "status" messages which are sent
3972 * when an actual capture is in progress, and a "success" message sent
3973 * if dumpcap was requested to perform an operation other than a
3976 * Capture_child mode would normally be requested by a parent process
3977 * which invokes dumpcap and obtains dumpcap stderr output via a pipe
3978 * to which dumpcap stderr has been redirected. It might also have
3979 * another pipe to obtain dumpcap stdout output; for operations other
3980 * than a capture, that information is formatted specially for easier
3981 * parsing by the parent process.
3983 * Capture_child mode needs to be determined immediately upon
3984 * startup so that any messages generated by dumpcap in this mode
3985 * (eg: during initialization) will be formatted properly.
3988 for (i=1; i<argc; i++) {
3989 if (strcmp("-Z", argv[i]) == 0) {
3990 capture_child = TRUE;
3991 machine_readable = TRUE; /* request machine-readable output */
3993 /* set output pipe to binary mode, to avoid ugly text conversions */
3994 _setmode(2, O_BINARY);
3999 /* The default_log_handler will use stdout, which makes trouble in */
4000 /* capture child mode, as it uses stdout for it's sync_pipe. */
4001 /* So: the filtering is done in the console_log_handler and not here.*/
4002 /* We set the log handlers right up front to make sure that any log */
4003 /* messages when running as child will be sent back to the parent */
4004 /* with the correct format. */
4008 G_LOG_LEVEL_CRITICAL|
4009 G_LOG_LEVEL_WARNING|
4010 G_LOG_LEVEL_MESSAGE|
4013 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
4015 g_log_set_handler(NULL,
4017 console_log_handler, NULL /* user_data */);
4018 g_log_set_handler(LOG_DOMAIN_MAIN,
4020 console_log_handler, NULL /* user_data */);
4021 g_log_set_handler(LOG_DOMAIN_CAPTURE,
4023 console_log_handler, NULL /* user_data */);
4024 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
4026 console_log_handler, NULL /* user_data */);
4028 /* Initialize the pcaps list */
4029 global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(pcap_options *));
4031 #if !GLIB_CHECK_VERSION(2,31,0)
4032 /* Initialize the thread system */
4033 g_thread_init(NULL);
4037 /* Load wpcap if possible. Do this before collecting the run-time version information */
4040 /* ... and also load the packet.dll from wpcap */
4041 /* XXX - currently not required, may change later. */
4042 /*wpcap_packet_load();*/
4044 /* Start windows sockets */
4045 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
4047 /* Set handler for Ctrl+C key */
4048 SetConsoleCtrlHandler(capture_cleanup_handler, TRUE);
4050 /* Catch SIGINT and SIGTERM and, if we get either of them, clean up
4052 action.sa_handler = capture_cleanup_handler;
4054 * Arrange that system calls not get restarted, because when
4055 * our signal handler returns we don't want to restart
4056 * a call that was waiting for packets to arrive.
4058 action.sa_flags = 0;
4059 sigemptyset(&action.sa_mask);
4060 sigaction(SIGTERM, &action, NULL);
4061 sigaction(SIGINT, &action, NULL);
4062 sigaction(SIGPIPE, &action, NULL);
4063 sigaction(SIGHUP, NULL, &oldaction);
4064 if (oldaction.sa_handler == SIG_DFL)
4065 sigaction(SIGHUP, &action, NULL);
4068 /* Catch SIGINFO and, if we get it and we're capturing in
4069 quiet mode, report the number of packets we've captured. */
4070 action.sa_handler = report_counts_siginfo;
4071 action.sa_flags = SA_RESTART;
4072 sigemptyset(&action.sa_mask);
4073 sigaction(SIGINFO, &action, NULL);
4074 #endif /* SIGINFO */
4077 /* ----------------------------------------------------------------- */
4078 /* Privilege and capability handling */
4080 /* 1. Running not as root or suid root; no special capabilities. */
4083 /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
4086 /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
4088 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4089 /* capabilities; Drop all other capabilities; */
4090 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4091 /* else: after pcap_open_live() in capture_loop_open_input() */
4092 /* drop all capabilities (NET_RAW and NET_ADMIN); */
4093 /* (Note: this means that the process, although logged in */
4094 /* as root, does not have various permissions such as the */
4095 /* ability to bypass file access permissions). */
4096 /* XXX: Should we just leave capabilities alone in this case */
4097 /* so that user gets expected effect that root can do */
4100 /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
4102 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4103 /* else: after pcap_open_live() in capture_loop_open_input() */
4104 /* drop suid root (set euid=ruid).(ie: keep suid until after */
4105 /* pcap_open_live). */
4107 /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
4109 /* - Near start of program: Enable NET_RAW and NET_ADMIN */
4110 /* capabilities; Drop all other capabilities; */
4111 /* Drop suid privileges (euid=ruid); */
4112 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4113 /* else: after pcap_open_live() in capture_loop_open_input() */
4114 /* drop all capabilities (NET_RAW and NET_ADMIN). */
4116 /* XXX: For some Linux versions/distros with capabilities */
4117 /* a 'normal' process with any capabilities cannot be */
4118 /* 'killed' (signaled) from another (same uid) non-privileged */
4120 /* For example: If (non-suid) Wireshark forks a */
4121 /* child suid dumpcap which acts as described here (case 5), */
4122 /* Wireshark will be unable to kill (signal) the child */
4123 /* dumpcap process until the capabilities have been dropped */
4124 /* (after pcap_open_live()). */
4125 /* This behaviour will apparently be changed in the kernel */
4126 /* to allow the kill (signal) in this case. */
4127 /* See the following for details: */
4128 /* http://www.mail-archive.com/ [wrapped] */
4129 /* linux-security-module@vger.kernel.org/msg02913.html */
4131 /* It is therefore conceivable that if dumpcap somehow hangs */
4132 /* in pcap_open_live or before that wireshark will not */
4133 /* be able to stop dumpcap using a signal (INT, TERM, etc). */
4134 /* In this case, exiting wireshark will kill the child */
4135 /* dumpcap process. */
4137 /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
4138 /* capabilities; Using libcap. Note: capset cmd (which see) */
4139 /* used to assign capabilities to file. */
4141 /* - If not -w (ie: doing -S or -D, etc) run to completion; */
4142 /* else: after pcap_open_live() in capture_loop_open_input() */
4143 /* drop all capabilities (NET_RAW and NET_ADMIN) */
4145 /* ToDo: -S (stats) should drop privileges/capabilities when no */
4146 /* longer required (similar to capture). */
4148 /* ----------------------------------------------------------------- */
4150 init_process_policies();
4153 /* If 'started with special privileges' (and using libcap) */
4154 /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
4155 /* Set euid/egid = ruid/rgid to remove suid privileges */
4156 relinquish_privs_except_capture();
4159 /* Set the initial values in the capture options. This might be overwritten
4160 by the command line parameters. */
4161 capture_opts_init(&global_capture_opts, NULL);
4163 /* We always save to a file - if no file was specified, we save to a
4165 global_capture_opts.saving_to_file = TRUE;
4166 global_capture_opts.has_ring_num_files = TRUE;
4168 /* Now get our args */
4169 while ((opt = getopt(argc, argv, OPTSTRING)) != -1) {
4171 case 'h': /* Print help and exit */
4175 case 'v': /* Show version and exit */
4177 GString *comp_info_str;
4178 GString *runtime_info_str;
4179 /* Assemble the compile-time version information string */
4180 comp_info_str = g_string_new("Compiled ");
4181 get_compiled_version_info(comp_info_str, NULL, NULL);
4183 /* Assemble the run-time version information string */
4184 runtime_info_str = g_string_new("Running ");
4185 get_runtime_version_info(runtime_info_str, NULL);
4186 show_version(comp_info_str, runtime_info_str);
4187 g_string_free(comp_info_str, TRUE);
4188 g_string_free(runtime_info_str, TRUE);
4192 /*** capture option specific ***/
4193 case 'a': /* autostop criteria */
4194 case 'b': /* Ringbuffer option */
4195 case 'c': /* Capture x packets */
4196 case 'f': /* capture filter */
4197 case 'i': /* Use interface x */
4198 case 'n': /* Use pcapng format */
4199 case 'p': /* Don't capture in promiscuous mode */
4200 case 'P': /* Use pcap format */
4201 case 's': /* Set the snapshot (capture) length */
4202 case 'w': /* Write to capture file x */
4203 case 'g': /* enable group read accesson file(s) */
4204 case 'y': /* Set the pcap data link type */
4205 #ifdef HAVE_PCAP_REMOTE
4206 case 'u': /* Use UDP for data transfer */
4207 case 'r': /* Capture own RPCAP traffic too */
4208 case 'A': /* Authentication */
4210 #ifdef HAVE_PCAP_SETSAMPLING
4211 case 'm': /* Sampling */
4213 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
4214 case 'B': /* Buffer size */
4215 #endif /* _WIN32 or HAVE_PCAP_CREATE */
4216 #ifdef HAVE_PCAP_CREATE
4217 case 'I': /* Monitor mode */
4219 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
4224 /*** hidden option: Wireshark child mode (using binary output messages) ***/
4226 capture_child = TRUE;
4228 /* set output pipe to binary mode, to avoid ugly text conversions */
4229 _setmode(2, O_BINARY);
4231 * optarg = the control ID, aka the PPID, currently used for the
4234 if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
4235 sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
4236 sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
4237 GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
4239 if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
4240 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4241 "Signal pipe: Unable to open %s. Dead parent?",
4249 case 'q': /* Quiet */
4255 /*** all non capture option specific ***/
4256 case 'D': /* Print a list of capture devices and exit */
4257 list_interfaces = TRUE;
4260 case 'L': /* Print list of link-layer types and exit */
4261 list_link_layer_types = TRUE;
4264 #ifdef HAVE_BPF_IMAGE
4265 case 'd': /* Print BPF code for capture filter and exit */
4266 print_bpf_code = TRUE;
4270 case 'S': /* Print interface statistics once a second */
4271 print_statistics = TRUE;
4274 case 'M': /* For -D, -L, and -S, print machine-readable output */
4275 machine_readable = TRUE;
4278 cmdarg_err("Invalid Option: %s", argv[optind-1]);
4280 case '?': /* Bad flag - print usage message */
4289 /* user specified file name as regular command-line argument */
4290 /* XXX - use it as the capture file name (or something else)? */
4296 * Extra command line arguments were specified; complain.
4297 * XXX - interpret as capture filter, as tcpdump and tshark do?
4299 cmdarg_err("Invalid argument: %s", argv[0]);
4309 if (run_once_args > 1) {
4310 cmdarg_err("Only one of -D, -L, or -S may be supplied.");
4312 } else if (run_once_args == 1) {
4313 /* We're supposed to print some information, rather than
4314 to capture traffic; did they specify a ring buffer option? */
4315 if (global_capture_opts.multi_files_on) {
4316 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
4320 /* We're supposed to capture traffic; */
4321 /* Are we capturing on multiple interface? If so, use threads and pcapng. */
4322 if (global_capture_opts.ifaces->len > 1) {
4324 global_capture_opts.use_pcapng = TRUE;
4326 /* Was the ring buffer option specified and, if so, does it make sense? */
4327 if (global_capture_opts.multi_files_on) {
4328 /* Ring buffer works only under certain conditions:
4329 a) ring buffer does not work with temporary files;
4330 b) it makes no sense to enable the ring buffer if the maximum
4331 file size is set to "infinite". */
4332 if (global_capture_opts.save_file == NULL) {
4333 cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
4334 global_capture_opts.multi_files_on = FALSE;
4336 if (!global_capture_opts.has_autostop_filesize && !global_capture_opts.has_file_duration) {
4337 cmdarg_err("Ring buffer requested, but no maximum capture file size or duration were specified.");
4339 /* XXX - this must be redesigned as the conditions changed */
4340 global_capture_opts.multi_files_on = FALSE;
4347 * "-D" requires no interface to be selected; it's supposed to list
4350 if (list_interfaces) {
4351 /* Get the list of interfaces */
4356 if_list = capture_interface_list(&err, &err_str);
4357 if (if_list == NULL) {
4359 case CANT_GET_INTERFACE_LIST:
4360 case DONT_HAVE_PCAP:
4361 cmdarg_err("%s", err_str);
4366 case NO_INTERFACES_FOUND:
4368 * If we're being run by another program, just give them
4369 * an empty list of interfaces, don't report this as
4370 * an error; that lets them decide whether to report
4371 * this as an error or not.
4373 if (!machine_readable) {
4374 cmdarg_err("There are no interfaces on which a capture can be done");
4381 if (machine_readable) /* tab-separated values to stdout */
4382 print_machine_readable_interfaces(if_list);
4384 capture_opts_print_interfaces(if_list);
4385 free_interface_list(if_list);
4390 * "-S" requires no interface to be selected; it gives statistics
4391 * for all interfaces.
4393 if (print_statistics) {
4394 status = print_statistics_loop(machine_readable);
4399 * "-L", "-d", and capturing act on a particular interface, so we have to
4400 * have an interface; if none was specified, pick a default.
4402 if (capture_opts_trim_iface(&global_capture_opts, NULL) == FALSE) {
4403 /* cmdarg_err() already called .... */
4407 /* Let the user know what interfaces were chosen. */
4408 /* get_interface_descriptive_name() is not available! */
4409 if (capture_child) {
4410 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4411 interface_options interface_opts;
4413 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4414 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Interface: %s\n",
4415 interface_opts.name);
4418 str = g_string_new("");
4420 if (global_capture_opts.ifaces->len < 2) {
4422 if (global_capture_opts.ifaces->len < 4) {
4424 for (j = 0; j < global_capture_opts.ifaces->len; j++) {
4425 interface_options interface_opts;
4427 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, j);
4429 if (global_capture_opts.ifaces->len > 2) {
4430 g_string_append_printf(str, ",");
4432 g_string_append_printf(str, " ");
4433 if (j == global_capture_opts.ifaces->len - 1) {
4434 g_string_append_printf(str, "and ");
4437 g_string_append_printf(str, "%s", interface_opts.name);
4440 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
4442 fprintf(stderr, "Capturing on %s\n", str->str);
4443 g_string_free(str, TRUE);
4446 if (list_link_layer_types) {
4447 /* Get the list of link-layer types for the capture device. */
4448 if_capabilities_t *caps;
4452 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
4453 interface_options interface_opts;
4455 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
4456 caps = get_if_capabilities(interface_opts.name,
4457 interface_opts.monitor_mode, &err_str);
4459 cmdarg_err("The capabilities of the capture device \"%s\" could not be obtained (%s).\n"
4460 "Please check to make sure you have sufficient permissions, and that\n"
4461 "you have the proper interface or pipe specified.", interface_opts.name, err_str);
4465 if (caps->data_link_types == NULL) {
4466 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
4469 if (machine_readable) /* tab-separated values to stdout */
4470 /* XXX: We need to change the format and adopt consumers */
4471 print_machine_readable_if_capabilities(caps);
4473 /* XXX: We might want to print also the interface name */
4474 capture_opts_print_if_capabilities(caps, interface_opts.name,
4475 interface_opts.monitor_mode);
4476 free_if_capabilities(caps);
4481 /* We're supposed to do a capture, or print the BPF code for a filter.
4482 Process the snapshot length, as that affects the generated BPF code. */
4483 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
4485 #ifdef HAVE_BPF_IMAGE
4486 if (print_bpf_code) {
4487 show_filter_code(&global_capture_opts);
4492 /* We're supposed to do a capture. Process the ring buffer arguments. */
4493 capture_opts_trim_ring_num_files(&global_capture_opts);
4495 /* Now start the capture. */
4497 if(capture_loop_start(&global_capture_opts, &stats_known, &stats) == TRUE) {
4501 /* capture failed */
4504 return 0; /* never here, make compiler happy */
4509 console_log_handler(const char *log_domain, GLogLevelFlags log_level,
4510 const char *message, gpointer user_data _U_)
4517 /* ignore log message, if log_level isn't interesting */
4518 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4519 #if !defined(DEBUG_DUMPCAP) && !defined(DEBUG_CHILD_DUMPCAP)
4524 /* create a "timestamp" */
4526 today = localtime(&curr);
4528 switch(log_level & G_LOG_LEVEL_MASK) {
4529 case G_LOG_LEVEL_ERROR:
4532 case G_LOG_LEVEL_CRITICAL:
4535 case G_LOG_LEVEL_WARNING:
4538 case G_LOG_LEVEL_MESSAGE:
4541 case G_LOG_LEVEL_INFO:
4544 case G_LOG_LEVEL_DEBUG:
4548 fprintf(stderr, "unknown log_level %u\n", log_level);
4550 g_assert_not_reached();
4553 /* Generate the output message */
4554 if(log_level & G_LOG_LEVEL_MESSAGE) {
4555 /* normal user messages without additional infos */
4556 msg = g_strdup_printf("%s\n", message);
4558 /* info/debug messages with additional infos */
4559 msg = g_strdup_printf("%02u:%02u:%02u %8s %s %s\n",
4560 today->tm_hour, today->tm_min, today->tm_sec,
4561 log_domain != NULL ? log_domain : "",
4565 /* DEBUG & INFO msgs (if we're debugging today) */
4566 #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
4567 if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
4568 #ifdef DEBUG_DUMPCAP
4569 fprintf(stderr, "%s", msg);
4572 #ifdef DEBUG_CHILD_DUMPCAP
4573 fprintf(debug_log, "%s", msg);
4581 /* ERROR, CRITICAL, WARNING, MESSAGE messages goto stderr or */
4582 /* to parent especially formatted if dumpcap running as child. */
4583 if (capture_child) {
4584 sync_pipe_errmsg_to_parent(2, msg, "");
4586 fprintf(stderr, "%s", msg);
4593 /****************************************************************************************************************/
4594 /* indication report routines */
4598 report_packet_count(int packet_count)
4600 char tmp[SP_DECISIZE+1+1];
4601 static int count = 0;
4604 g_snprintf(tmp, sizeof(tmp), "%d", packet_count);
4605 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Packets: %s", tmp);
4606 pipe_write_block(2, SP_PACKET_COUNT, tmp);
4608 count += packet_count;
4609 fprintf(stderr, "\rPackets: %u ", count);
4610 /* stderr could be line buffered */
4616 report_new_capture_file(const char *filename)
4619 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "File: %s", filename);
4620 pipe_write_block(2, SP_FILE, filename);
4624 * Prevent a SIGINFO handler from writing to the standard error
4625 * while we're doing so; instead, have it just set a flag telling
4626 * us to print that information when we're done.
4629 #endif /* SIGINFO */
4630 fprintf(stderr, "File: %s\n", filename);
4631 /* stderr could be line buffered */
4636 * Allow SIGINFO handlers to write.
4641 * If a SIGINFO handler asked us to write out capture counts, do so.
4644 report_counts_for_siginfo();
4645 #endif /* SIGINFO */
4650 report_cfilter_error(capture_options *capture_opts, guint i, const char *errmsg)
4652 interface_options interface_opts;
4653 char tmp[MSG_MAX_LENGTH+1+6];
4655 if (i < capture_opts->ifaces->len) {
4656 if (capture_child) {
4657 g_snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
4658 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "Capture filter error: %s", errmsg);
4659 pipe_write_block(2, SP_BAD_FILTER, tmp);
4662 * clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
4663 * the error message below.
4665 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
4667 "Invalid capture filter: \"%s\" for interface %s!\n"
4669 "That string isn't a valid capture filter (%s).\n"
4670 "See the User's Guide for a description of the capture filter syntax.",
4671 interface_opts.cfilter, interface_opts.name, errmsg);
4677 report_capture_error(const char *error_msg, const char *secondary_error_msg)
4680 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4681 "Primary Error: %s", error_msg);
4682 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4683 "Secondary Error: %s", secondary_error_msg);
4684 sync_pipe_errmsg_to_parent(2, error_msg, secondary_error_msg);
4686 cmdarg_err("%s", error_msg);
4687 if (secondary_error_msg[0] != '\0')
4688 cmdarg_err_cont("%s", secondary_error_msg);
4693 report_packet_drops(guint32 received, guint32 drops, gchar *name)
4695 char tmp[SP_DECISIZE+1+1];
4697 g_snprintf(tmp, sizeof(tmp), "%u", drops);
4700 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4701 "Packets received/dropped on interface %s: %u/%u",
4702 name, received, drops);
4703 /* XXX: Need to provide interface id, changes to consumers required. */
4704 pipe_write_block(2, SP_DROPS, tmp);
4707 "Packets received/dropped on interface %s: %u/%u (%.1f%%)\n",
4708 name, received, drops,
4709 received ? 100.0 * received / (received + drops) : 0.0);
4710 /* stderr could be line buffered */
4716 /****************************************************************************************************************/
4717 /* signal_pipe handling */
4722 signal_pipe_check_running(void)
4724 /* any news from our parent? -> just stop the capture */
4728 /* if we are running standalone, no check required */
4729 if(!capture_child) {
4733 if(!sig_pipe_name || !sig_pipe_handle) {
4734 /* This shouldn't happen */
4735 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4736 "Signal pipe: No name or handle");
4741 * XXX - We should have the process ID of the parent (from the "-Z" flag)
4742 * at this point. Should we check to see if the parent is still alive,
4743 * e.g. by using OpenProcess?
4746 result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
4748 if(!result || avail > 0) {
4749 /* peek failed or some bytes really available */
4750 /* (if not piping from stdin this would fail) */
4751 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
4752 "Signal pipe: Stop capture: %s", sig_pipe_name);
4753 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
4754 "Signal pipe: %s (%p) result: %u avail: %u", sig_pipe_name,
4755 sig_pipe_handle, result, avail);
4758 /* pipe ok and no bytes available */
4765 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4770 * indent-tabs-mode: nil
4773 * vi: set shiftwidth=4 tabstop=8 expandtab:
4774 * :indentSize=4:tabSize=8:noTabs=true: