static inline int
bpf_open(pcap_t *p, char *errbuf)
{
int fd;
int n = 0;
char device[sizeof "/dev/bpf000"];
/*
* Go through all the minors and find one that isn't in use.
*/
do {
(void)sprintf(device, "/dev/bpf%d", n++);
fd = open(device, O_RDONLY);
} while (fd < 0 && errno == EBUSY);
/*
* XXX better message for all minors used
*/
if (fd < 0)
sprintf(errbuf, "%s: %s", device, pcap_strerror(errno));
return (fd);
}
static int
read_bytes(FILE *fp, void *buf, size_t bytes_to_read, int fail_on_eof,
char *errbuf)
{
size_t amt_read;
amt_read = fread(buf, 1, bytes_to_read, fp);
if (amt_read != bytes_to_read) {
if (ferror(fp)) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
if (amt_read == 0 && !fail_on_eof)
return (0); /* EOF */
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %lu bytes, only got %lu",
(unsigned long)bytes_to_read,
(unsigned long)amt_read);
}
return (-1);
}
return (1);
}
int
pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
{
pcap_if_t *devlist = NULL;
struct ifaddrs *ifap, *ifa;
struct sockaddr *broadaddr, *dstaddr;
int ret = 0;
/*
* Get the list of interface addresses.
*
* Note: this won't return information about interfaces
* with no addresses; are there any such interfaces
* that would be capable of receiving packets?
* (Interfaces incapable of receiving packets aren't
* very interesting from libpcap's point of view.)
*
* LAN interfaces will probably have link-layer
* addresses; I don't know whether all implementations
* of "getifaddrs()" now, or in the future, will return
* those.
*/
if (getifaddrs(&ifap) != 0) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"getifaddrs: %s", pcap_strerror(errno));
return (-1);
}
for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
/*
* Is this interface up?
*/
if (!(ifa->ifa_flags & IFF_UP)) {
/*
* No, so don't add it to the list.
*/
continue;
}
/*
* "ifa_broadaddr" may be non-null even on
* non-broadcast interfaces; "ifa_dstaddr"
* was, on at least one FreeBSD 4.1 system,
* non-null on a non-point-to-point
* interface.
*/
if (ifa->ifa_flags & IFF_BROADCAST)
broadaddr = ifa->ifa_broadaddr;
else
broadaddr = NULL;
if (ifa->ifa_flags & IFF_POINTOPOINT)
dstaddr = ifa->ifa_dstaddr;
else
dstaddr = NULL;
/*
* Add information for this address to the list.
*/
if (add_addr_to_iflist(&devlist, ifa->ifa_name,
ifa->ifa_flags, ifa->ifa_addr, ifa->ifa_netmask,
broadaddr, dstaddr, errbuf) < 0) {
ret = -1;
break;
}
}
freeifaddrs(ifap);
if (ret != -1) {
/*
* We haven't had any errors yet; add the "any" device,
* if we can open it.
*/
if (pcap_add_if(&devlist, "any", 0, any_descr, errbuf) < 0)
ret = -1;
}
if (ret == -1) {
/*
* We had an error; free the list we've been constructing.
*/
if (devlist != NULL) {
pcap_freealldevs(devlist);
devlist = NULL;
}
}
*alldevsp = devlist;
return (ret);
}
/*!
\brief It checks if the authentication credentials supplied by the user are valid.
This function is called each time the rpcap daemon starts a new serving thread.
It reads the authentication message from the network and it checks that the
user information are valid.
\param sockctrl: the socket if of the control connection.
\param nullAuthAllowed: '1' if the NULL authentication is allowed.
\param errbuf: a user-allocated buffer in which the error message (if one) has to be written.
\return '0' if everything is fine, '-1' if an unrecoverable error occurred.
The error message is returned in the 'errbuf' variable.
'-2' is returned in case the authentication failed or in case of a recoverable error (like
wrong version). In that case, 'errbuf' keeps the reason of the failure. This provides
a way to know that the connection does not have to be closed.
In case the message is a 'CLOSE' or an 'ERROR', it returns -3. The error can be due to a
connection refusal in active mode, since this host cannot be allowed to connect to the remote
peer.
*/
int daemon_checkauth(SOCKET sockctrl, int nullAuthAllowed, char *errbuf)
{
struct rpcap_header header; // RPCAP message general header
int retval; // generic return value
unsigned int nread; // number of bytes of the payload read from the socket
struct rpcap_auth auth; // RPCAP authentication header
char *string1, *string2; // two strings exchanged by the authentication message
unsigned int plen; // length of the payload
int retcode; // the value we have to return to the caller
if (sock_recv(sockctrl, (char *) &header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, errbuf, PCAP_ERRBUF_SIZE) == -1)
return -1;
plen= ntohl(header.plen);
retval= rpcap_checkmsg(errbuf, sockctrl, &header,
RPCAP_MSG_AUTH_REQ,
RPCAP_MSG_CLOSE,
0);
if (retval != RPCAP_MSG_AUTH_REQ)
{
switch (retval)
{
case -3: // Unrecoverable network error
return -1; // Do nothing; just exit; the error code is already into the errbuf
case -2: // The other endpoint send a message that is not allowed here
case -1: // The other endpoint has a version number that is not compatible with our
return -2;
case RPCAP_MSG_CLOSE:
{
// Check if all the data has been read; if not, discard the data in excess
if (ntohl(header.plen) )
{
if (sock_discard(sockctrl, ntohl(header.plen), NULL, 0) )
{
retcode= -1;
goto error;
}
}
return -3;
};
case RPCAP_MSG_ERROR:
return -3;
default:
{
SOCK_ASSERT("Internal error.", 1);
retcode= -2;
goto error;
};
}
}
// If it comes here, it means that we have an authentication request message
if ( (nread= sock_recv(sockctrl, (char *) &auth, sizeof(struct rpcap_auth), SOCK_RECEIVEALL_YES, errbuf, PCAP_ERRBUF_SIZE)) == -1)
{
retcode= -1;
goto error;
}
switch (ntohs(auth.type) )
{
case RPCAP_RMTAUTH_NULL:
{
if (!nullAuthAllowed)
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed; NULL autentication not permitted.");
retcode= -2;
goto error;
}
break;
}
case RPCAP_RMTAUTH_PWD:
{
int len1, len2;
len1= ntohs(auth.slen1);
len2= ntohs(auth.slen2);
string1= (char *) malloc (len1 + 1);
string2= (char *) malloc (len2 + 1);
if ( (string1 == NULL) || (string2 == NULL) )
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc() failed: %s", pcap_strerror(errno));
retcode= -1;
goto error;
}
if ( (nread+= sock_recv(sockctrl, string1, len1, SOCK_RECEIVEALL_YES, errbuf, PCAP_ERRBUF_SIZE)) == -1)
{
retcode= -1;
goto error;
}
if ( (nread+= sock_recv(sockctrl, string2, len2, SOCK_RECEIVEALL_YES, errbuf, PCAP_ERRBUF_SIZE)) == -1)
{
retcode= -1;
goto error;
}
string1[len1]= 0;
string2[len2]= 0;
if (daemon_AuthUserPwd(string1, string2, errbuf) )
{
retcode= -2;
goto error;
}
break;
}
default:
snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
retcode= -2;
goto error;
}
// Check if all the data has been read; if not, discard the data in excess
if (nread != plen)
{
if (sock_discard(sockctrl, plen - nread, NULL, 0) )
{
retcode= -1;
goto error;
}
}
rpcap_createhdr(&header, RPCAP_MSG_AUTH_REPLY, 0, 0);
// Send the ok message back
if ( sock_send(sockctrl, (char *) &header, sizeof (struct rpcap_header), errbuf, PCAP_ERRBUF_SIZE) == -1)
{
retcode= -1;
goto error;
}
return 0;
error:
// Check if all the data has been read; if not, discard the data in excess
if (nread != plen)
sock_discard(sockctrl, plen - nread, NULL, 0);
return retcode;
}
static int
add_addr_to_iflist(pcap_if_t **alldevs, char *name, u_int flags,
struct sockaddr *addr, struct sockaddr *netmask,
struct sockaddr *broadaddr, struct sockaddr *dstaddr, char *errbuf)
{
pcap_if_t *curdev;
pcap_addr_t *curaddr, *prevaddr, *nextaddr;
if (add_or_find_if(&curdev, alldevs, name, flags, NULL, errbuf) == -1) {
/*
* Error - give up.
*/
return (-1);
}
if (curdev == NULL) {
/*
* Device wasn't added because it can't be opened.
* Not a fatal error.
*/
return (0);
}
/*
* "curdev" is an entry for this interface; add an entry for this
* address to its list of addresses.
*
* Allocate the new entry and fill it in.
*/
curaddr = malloc(sizeof(pcap_addr_t));
if (curaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
return (-1);
}
curaddr->next = NULL;
if (addr != NULL) {
curaddr->addr = dup_sockaddr(addr);
if (curaddr->addr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->addr = NULL;
if (netmask != NULL) {
curaddr->netmask = dup_sockaddr(netmask);
if (curaddr->netmask == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->netmask = NULL;
if (broadaddr != NULL) {
curaddr->broadaddr = dup_sockaddr(broadaddr);
if (curaddr->broadaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->broadaddr = NULL;
if (dstaddr != NULL) {
curaddr->dstaddr = dup_sockaddr(dstaddr);
if (curaddr->dstaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->dstaddr = NULL;
/*
* Find the end of the list of addresses.
*/
for (prevaddr = curdev->addresses; prevaddr != NULL; prevaddr = nextaddr) {
nextaddr = prevaddr->next;
if (nextaddr == NULL) {
/*
* This is the end of the list.
*/
break;
}
}
if (prevaddr == NULL) {
/*
* The list was empty; this is the first member.
*/
curdev->addresses = curaddr;
} else {
/*
* "prevaddr" is the last member of the list; append
* this member to it.
*/
prevaddr->next = curaddr;
}
return (0);
}
static int
pcap_activate_dlpi(pcap_t *p)
{
#ifdef DL_HP_RAWDLS
struct pcap_dlpi *pd = p->priv;
#endif
int status = 0;
int retv;
register char *cp;
int ppa;
#ifdef HAVE_SOLARIS
int isatm = 0;
#endif
register dl_info_ack_t *infop;
#ifdef HAVE_SYS_BUFMOD_H
bpf_u_int32 ss;
#ifdef HAVE_SOLARIS
register char *release;
bpf_u_int32 osmajor, osminor, osmicro;
#endif
#endif
bpf_u_int32 buf[MAXDLBUF];
char dname[100];
#ifndef HAVE_DEV_DLPI
char dname2[100];
#endif
#ifdef HAVE_DEV_DLPI
/*
** Remove any "/dev/" on the front of the device.
*/
cp = strrchr(p->opt.source, '/');
if (cp == NULL)
strlcpy(dname, p->opt.source, sizeof(dname));
else
strlcpy(dname, cp + 1, sizeof(dname));
/*
* Split the device name into a device type name and a unit number;
* chop off the unit number, so "dname" is just a device type name.
*/
cp = split_dname(dname, &ppa, p->errbuf);
if (cp == NULL) {
status = PCAP_ERROR_NO_SUCH_DEVICE;
goto bad;
}
*cp = '\0';
/*
* Use "/dev/dlpi" as the device.
*
* XXX - HP's DLPI Programmer's Guide for HP-UX 11.00 says that
* the "dl_mjr_num" field is for the "major number of interface
* driver"; that's the major of "/dev/dlpi" on the system on
* which I tried this, but there may be DLPI devices that
* use a different driver, in which case we may need to
* search "/dev" for the appropriate device with that major
* device number, rather than hardwiring "/dev/dlpi".
*/
cp = "/dev/dlpi";
if ((p->fd = open(cp, O_RDWR)) < 0) {
if (errno == EPERM || errno == EACCES)
status = PCAP_ERROR_PERM_DENIED;
else
status = PCAP_ERROR;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"%s: %s", cp, pcap_strerror(errno));
goto bad;
}
#ifdef DL_HP_RAWDLS
/*
* XXX - HP-UX 10.20 and 11.xx don't appear to support sending and
* receiving packets on the same descriptor - you need separate
* descriptors for sending and receiving, bound to different SAPs.
*
* If the open fails, we just leave -1 in "pd->send_fd" and reject
* attempts to send packets, just as if, in pcap-bpf.c, we fail
* to open the BPF device for reading and writing, we just try
* to open it for reading only and, if that succeeds, just let
* the send attempts fail.
*/
pd->send_fd = open(cp, O_RDWR);
#endif
/*
* Get a table of all PPAs for that device, and search that
* table for the specified device type name and unit number.
*/
ppa = get_dlpi_ppa(p->fd, dname, ppa, p->errbuf);
if (ppa < 0) {
status = ppa;
goto bad;
}
#else
/*
* If the device name begins with "/", assume it begins with
* the pathname of the directory containing the device to open;
* otherwise, concatenate the device directory name and the
* device name.
*/
if (*p->opt.source == '/')
strlcpy(dname, p->opt.source, sizeof(dname));
else
snprintf(dname, sizeof(dname), "%s/%s", PCAP_DEV_PREFIX,
p->opt.source);
/*
* Get the unit number, and a pointer to the end of the device
* type name.
*/
cp = split_dname(dname, &ppa, p->errbuf);
if (cp == NULL) {
status = PCAP_ERROR_NO_SUCH_DEVICE;
goto bad;
}
/*
* Make a copy of the device pathname, and then remove the unit
* number from the device pathname.
*/
strlcpy(dname2, dname, sizeof(dname));
*cp = '\0';
/* Try device without unit number */
if ((p->fd = open(dname, O_RDWR)) < 0) {
if (errno != ENOENT) {
if (errno == EPERM || errno == EACCES)
status = PCAP_ERROR_PERM_DENIED;
else
status = PCAP_ERROR;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s", dname,
pcap_strerror(errno));
goto bad;
}
/* Try again with unit number */
if ((p->fd = open(dname2, O_RDWR)) < 0) {
if (errno == ENOENT) {
status = PCAP_ERROR_NO_SUCH_DEVICE;
/*
* We provide an error message even
* for this error, for diagnostic
* purposes (so that, for example,
* the app can show the message if the
* user requests it).
*
* In it, we just report "No DLPI device
* found" with the device name, so people
* don't get confused and think, for example,
* that if they can't capture on "lo0"
* on Solaris the fix is to change libpcap
* (or the application that uses it) to
* look for something other than "/dev/lo0",
* as the fix is to look for an operating
* system other than Solaris - you just
* *can't* capture on a loopback interface
* on Solaris, the lack of a DLPI device
* for the loopback interface is just a
* symptom of that inability.
*/
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"%s: No DLPI device found", p->opt.source);
} else {
if (errno == EPERM || errno == EACCES)
status = PCAP_ERROR_PERM_DENIED;
else
status = PCAP_ERROR;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "%s: %s",
dname2, pcap_strerror(errno));
}
goto bad;
}
/* XXX Assume unit zero */
ppa = 0;
}
#endif
/*
** Attach if "style 2" provider
*/
if (dlinforeq(p->fd, p->errbuf) < 0 ||
dlinfoack(p->fd, (char *)buf, p->errbuf) < 0) {
status = PCAP_ERROR;
goto bad;
}
infop = &(MAKE_DL_PRIMITIVES(buf))->info_ack;
#ifdef HAVE_SOLARIS
if (infop->dl_mac_type == DL_IPATM)
isatm = 1;
#endif
if (infop->dl_provider_style == DL_STYLE2) {
retv = dl_doattach(p->fd, ppa, p->errbuf);
if (retv < 0) {
status = retv;
goto bad;
}
#ifdef DL_HP_RAWDLS
if (pd->send_fd >= 0) {
retv = dl_doattach(pd->send_fd, ppa, p->errbuf);
if (retv < 0) {
status = retv;
goto bad;
}
}
#endif
}
if (p->opt.rfmon) {
/*
* This device exists, but we don't support monitor mode
* any platforms that support DLPI.
*/
status = PCAP_ERROR_RFMON_NOTSUP;
goto bad;
}
#ifdef HAVE_DLPI_PASSIVE
/*
* Enable Passive mode to be able to capture on aggregated link.
* Not supported in all Solaris versions.
*/
dlpassive(p->fd, p->errbuf);
#endif
/*
** Bind (defer if using HP-UX 9 or HP-UX 10.20 or later, totally
** skip if using SINIX)
*/
#if !defined(HAVE_HPUX9) && !defined(HAVE_HPUX10_20_OR_LATER) && !defined(sinix)
#ifdef _AIX
/*
** AIX.
** According to IBM's AIX Support Line, the dl_sap value
** should not be less than 0x600 (1536) for standard Ethernet.
** However, we seem to get DL_BADADDR - "DLSAP addr in improper
** format or invalid" - errors if we use 1537 on the "tr0"
** device, which, given that its name starts with "tr" and that
** it's IBM, probably means a Token Ring device. (Perhaps we
** need to use 1537 on "/dev/dlpi/en" because that device is for
** D/I/X Ethernet, the "SAP" is actually an Ethernet type, and
** it rejects invalid Ethernet types.)
**
** So if 1537 fails, we try 2, as Hyung Sik Yoon of IBM Korea
** says that works on Token Ring (he says that 0 does *not*
** work; perhaps that's considered an invalid LLC SAP value - I
** assume the SAP value in a DLPI bind is an LLC SAP for network
** types that use 802.2 LLC).
*/
if ((dlbindreq(p->fd, 1537, p->errbuf) < 0 &&
dlbindreq(p->fd, 2, p->errbuf) < 0) ||
dlbindack(p->fd, (char *)buf, p->errbuf, NULL) < 0) {
status = PCAP_ERROR;
goto bad;
}
#elif defined(DL_HP_RAWDLS)
/*
** HP-UX 10.0x and 10.1x.
*/
if (dl_dohpuxbind(p->fd, p->errbuf) < 0) {
status = PCAP_ERROR;
goto bad;
}
if (pd->send_fd >= 0) {
/*
** XXX - if this fails, just close send_fd and
** set it to -1, so that you can't send but can
** still receive?
*/
if (dl_dohpuxbind(pd->send_fd, p->errbuf) < 0) {
status = PCAP_ERROR;
goto bad;
}
}
#else /* neither AIX nor HP-UX */
/*
** Not Sinix, and neither AIX nor HP-UX - Solaris, and any other
** OS using DLPI.
**/
if (dlbindreq(p->fd, 0, p->errbuf) < 0 ||
dlbindack(p->fd, (char *)buf, p->errbuf, NULL) < 0) {
status = PCAP_ERROR;
goto bad;
}
#endif /* AIX vs. HP-UX vs. other */
#endif /* !HP-UX 9 and !HP-UX 10.20 or later and !SINIX */
#ifdef HAVE_SOLARIS
if (isatm) {
/*
** Have to turn on some special ATM promiscuous mode
** for SunATM.
** Do *NOT* turn regular promiscuous mode on; it doesn't
** help, and may break things.
*/
if (strioctl(p->fd, A_PROMISCON_REQ, 0, NULL) < 0) {
status = PCAP_ERROR;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"A_PROMISCON_REQ: %s", pcap_strerror(errno));
goto bad;
}
} else
#endif
if (p->opt.promisc) {
/*
** Enable promiscuous (not necessary on send FD)
*/
retv = dlpromiscon(p, DL_PROMISC_PHYS);
if (retv < 0) {
if (retv == PCAP_ERROR_PERM_DENIED)
status = PCAP_ERROR_PROMISC_PERM_DENIED;
else
status = retv;
goto bad;
}
/*
** Try to enable multicast (you would have thought
** promiscuous would be sufficient). (Skip if using
** HP-UX or SINIX) (Not necessary on send FD)
*/
#if !defined(__hpux) && !defined(sinix)
retv = dlpromiscon(p, DL_PROMISC_MULTI);
if (retv < 0)
status = PCAP_WARNING;
#endif
}
/*
** Try to enable SAP promiscuity (when not in promiscuous mode
** when using HP-UX, when not doing SunATM on Solaris, and never
** under SINIX) (Not necessary on send FD)
*/
#ifndef sinix
#if defined(__hpux)
/* HP-UX - only do this when not in promiscuous mode */
if (!p->opt.promisc) {
#elif defined(HAVE_SOLARIS)
/* Solaris - don't do this on SunATM devices */
if (!isatm) {
#else
/* Everything else (except for SINIX) - always do this */
{
#endif
retv = dlpromiscon(p, DL_PROMISC_SAP);
if (retv < 0) {
if (p->opt.promisc) {
/*
* Not fatal, since the DL_PROMISC_PHYS mode
* worked.
*
* Report it as a warning, however.
*/
status = PCAP_WARNING;
} else {
/*
* Fatal.
*/
status = retv;
goto bad;
}
}
}
#endif /* sinix */
/*
** HP-UX 9, and HP-UX 10.20 or later, must bind after setting
** promiscuous options.
*/
#if defined(HAVE_HPUX9) || defined(HAVE_HPUX10_20_OR_LATER)
if (dl_dohpuxbind(p->fd, p->errbuf) < 0) {
status = PCAP_ERROR;
goto bad;
}
/*
** We don't set promiscuous mode on the send FD, but we'll defer
** binding it anyway, just to keep the HP-UX 9/10.20 or later
** code together.
*/
if (pd->send_fd >= 0) {
/*
** XXX - if this fails, just close send_fd and
** set it to -1, so that you can't send but can
** still receive?
*/
if (dl_dohpuxbind(pd->send_fd, p->errbuf) < 0) {
status = PCAP_ERROR;
goto bad;
}
}
#endif
/*
** Determine link type
** XXX - get SAP length and address length as well, for use
** when sending packets.
*/
if (dlinforeq(p->fd, p->errbuf) < 0 ||
dlinfoack(p->fd, (char *)buf, p->errbuf) < 0) {
status = PCAP_ERROR;
goto bad;
}
infop = &(MAKE_DL_PRIMITIVES(buf))->info_ack;
if (pcap_process_mactype(p, infop->dl_mac_type) != 0) {
status = PCAP_ERROR;
goto bad;
}
#ifdef DLIOCRAW
/*
** This is a non standard SunOS hack to get the full raw link-layer
** header.
*/
if (strioctl(p->fd, DLIOCRAW, 0, NULL) < 0) {
status = PCAP_ERROR;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "DLIOCRAW: %s",
pcap_strerror(errno));
goto bad;
}
#endif
#ifdef HAVE_SYS_BUFMOD_H
ss = p->snapshot;
/*
** There is a bug in bufmod(7). When dealing with messages of
** less than snaplen size it strips data from the beginning not
** the end.
**
** This bug is fixed in 5.3.2. Also, there is a patch available.
** Ask for bugid 1149065.
*/
#ifdef HAVE_SOLARIS
release = get_release(&osmajor, &osminor, &osmicro);
if (osmajor == 5 && (osminor <= 2 || (osminor == 3 && osmicro < 2)) &&
getenv("BUFMOD_FIXED") == NULL) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"WARNING: bufmod is broken in SunOS %s; ignoring snaplen.",
release);
ss = 0;
status = PCAP_WARNING;
}
#endif
/* Push and configure bufmod. */
if (pcap_conf_bufmod(p, ss) != 0) {
status = PCAP_ERROR;
goto bad;
}
#endif
/*
** As the last operation flush the read side.
*/
if (ioctl(p->fd, I_FLUSH, FLUSHR) != 0) {
status = PCAP_ERROR;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "FLUSHR: %s",
pcap_strerror(errno));
goto bad;
}
/* Allocate data buffer. */
if (pcap_alloc_databuf(p) != 0) {
status = PCAP_ERROR;
goto bad;
}
/*
* Success.
*
* "p->fd" is an FD for a STREAMS device, so "select()" and
* "poll()" should work on it.
*/
p->selectable_fd = p->fd;
p->read_op = pcap_read_dlpi;
p->inject_op = pcap_inject_dlpi;
p->setfilter_op = install_bpf_program; /* no kernel filtering */
p->setdirection_op = NULL; /* Not implemented.*/
p->set_datalink_op = NULL; /* can't change data link type */
p->getnonblock_op = pcap_getnonblock_fd;
p->setnonblock_op = pcap_setnonblock_fd;
p->stats_op = pcap_stats_dlpi;
p->cleanup_op = pcap_cleanup_dlpi;
return (status);
bad:
pcap_cleanup_dlpi(p);
return (status);
}
/*
* Split a device name into a device type name and a unit number;
* return the a pointer to the beginning of the unit number, which
* is the end of the device type name, and set "*unitp" to the unit
* number.
*
* Returns NULL on error, and fills "ebuf" with an error message.
*/
static char *
split_dname(char *device, int *unitp, char *ebuf)
{
char *cp;
char *eos;
long unit;
/*
* Look for a number at the end of the device name string.
*/
cp = device + strlen(device) - 1;
if (*cp < '0' || *cp > '9') {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s missing unit number",
device);
return (NULL);
}
/* Digits at end of string are unit number */
while (cp-1 >= device && *(cp-1) >= '0' && *(cp-1) <= '9')
cp--;
errno = 0;
unit = strtol(cp, &eos, 10);
if (*eos != '\0') {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s bad unit number", device);
return (NULL);
}
if (errno == ERANGE || unit > INT_MAX) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s unit number too large",
device);
return (NULL);
}
if (unit < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s unit number is negative",
device);
return (NULL);
}
*unitp = (int)unit;
return (cp);
}
static int
dl_doattach(int fd, int ppa, char *ebuf)
{
dl_attach_req_t req;
bpf_u_int32 buf[MAXDLBUF];
int err;
req.dl_primitive = DL_ATTACH_REQ;
req.dl_ppa = ppa;
if (send_request(fd, (char *)&req, sizeof(req), "attach", ebuf) < 0)
return (PCAP_ERROR);
err = dlokack(fd, "attach", (char *)buf, ebuf);
if (err < 0)
return (err);
return (0);
}
static int
recv_ack(int fd, int size, const char *what, char *bufp, char *ebuf, int *uerror)
{
union DL_primitives *dlp;
struct strbuf ctl;
int flags;
ctl.maxlen = MAXDLBUF;
ctl.len = 0;
ctl.buf = bufp;
flags = 0;
if (getmsg(fd, &ctl, (struct strbuf*)NULL, &flags) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "recv_ack: %s getmsg: %s",
what, pcap_strerror(errno));
return (-1);
}
dlp = (union DL_primitives *) ctl.buf;
switch (dlp->dl_primitive) {
case DL_INFO_ACK:
case DL_BIND_ACK:
case DL_OK_ACK:
#ifdef DL_HP_PPA_ACK
case DL_HP_PPA_ACK:
#endif
/* These are OK */
break;
case DL_ERROR_ACK:
switch (dlp->error_ack.dl_errno) {
case DL_SYSERR:
if (uerror != NULL)
*uerror = dlp->error_ack.dl_unix_errno;
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"recv_ack: %s: UNIX error - %s",
what, pcap_strerror(dlp->error_ack.dl_unix_errno));
break;
default:
if (uerror != NULL)
*uerror = 0;
snprintf(ebuf, PCAP_ERRBUF_SIZE, "recv_ack: %s: %s",
what, dlstrerror(dlp->error_ack.dl_errno));
break;
}
return (-1);
default:
if (uerror != NULL)
*uerror = 0;
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"recv_ack: %s: Unexpected primitive ack %s",
what, dlprim(dlp->dl_primitive));
return (-1);
}
if (ctl.len < size) {
if (uerror != NULL)
*uerror = 0;
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"recv_ack: %s: Ack too small (%d < %d)",
what, ctl.len, size);
return (-1);
}
return (ctl.len);
}
static int
netfilter_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user)
{
struct pcap_netfilter *handlep = handle->priv;
const unsigned char *buf;
int count = 0;
int len;
/* ignore interrupt system call error */
do {
len = recv(handle->fd, handle->buffer, handle->bufsize, 0);
if (handle->break_loop) {
handle->break_loop = 0;
return -2;
}
} while ((len == -1) && (errno == EINTR));
if (len < 0) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "Can't receive packet %d:%s", errno, pcap_strerror(errno));
return -1;
}
buf = handle->buffer;
while (len >= NLMSG_SPACE(0)) {
const struct nlmsghdr *nlh = (const struct nlmsghdr *) buf;
u_int32_t msg_len;
nftype_t type = OTHER;
if (nlh->nlmsg_len < sizeof(struct nlmsghdr) || len < nlh->nlmsg_len) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "Message truncated: (got: %d) (nlmsg_len: %u)", len, nlh->nlmsg_len);
return -1;
}
if (NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_ULOG &&
NFNL_MSG_TYPE(nlh->nlmsg_type) == NFULNL_MSG_PACKET)
type = NFLOG;
if (NFNL_SUBSYS_ID(nlh->nlmsg_type) == NFNL_SUBSYS_QUEUE &&
NFNL_MSG_TYPE(nlh->nlmsg_type) == NFQNL_MSG_PACKET)
type = NFQUEUE;
if (type != OTHER) {
const unsigned char *payload = NULL;
struct pcap_pkthdr pkth;
const struct nfgenmsg *nfg;
int id = 0;
if (handle->linktype != DLT_NFLOG) {
const struct nfattr *payload_attr = NULL;
if (nlh->nlmsg_len < HDR_LENGTH) {
snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "Malformed message: (nlmsg_len: %u)", nlh->nlmsg_len);
return -1;
}
nfg = NLMSG_DATA(nlh);
if (nlh->nlmsg_len > HDR_LENGTH) {
struct nfattr *attr = NFM_NFA(nfg);
int attr_len = nlh->nlmsg_len - NLMSG_ALIGN(HDR_LENGTH);
while (NFA_OK(attr, attr_len)) {
if (type == NFQUEUE) {
switch (NFA_TYPE(attr)) {
case NFQA_PACKET_HDR:
{
const struct nfqnl_msg_packet_hdr *pkt_hdr = (const struct nfqnl_msg_packet_hdr *) NFA_DATA(attr);
id = ntohl(pkt_hdr->packet_id);
break;
}
case NFQA_PAYLOAD:
payload_attr = attr;
break;
}
} else if (type == NFLOG) {
switch (NFA_TYPE(attr)) {
case NFULA_PAYLOAD:
payload_attr = attr;
break;
}
}
attr = NFA_NEXT(attr, attr_len);
}
}
if (payload_attr) {
payload = NFA_DATA(payload_attr);
pkth.len = pkth.caplen = NFA_PAYLOAD(payload_attr);
}
} else {
payload = NLMSG_DATA(nlh);
pkth.caplen = pkth.len = nlh->nlmsg_len-NLMSG_ALIGN(sizeof(struct nlmsghdr));
}
if (payload) {
/* pkth.caplen = min (payload_len, handle->snapshot); */
gettimeofday(&pkth.ts, NULL);
if (handle->fcode.bf_insns == NULL ||
bpf_filter(handle->fcode.bf_insns, payload, pkth.len, pkth.caplen))
{
handlep->packets_read++;
callback(user, &pkth, payload);
count++;
}
}
if (type == NFQUEUE) {
/* XXX, possible responses: NF_DROP, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT, NF_STOP */
nfqueue_send_verdict(handle, ntohs(nfg->res_id), id, NF_ACCEPT);
}
}
msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
if (msg_len > len)
msg_len = len;
len -= msg_len;
buf += msg_len;
}
return count;
}
/*
* Determine ppa number that specifies ifname.
*
* If the "dl_hp_ppa_info_t" doesn't have a "dl_module_id_1" member,
* the code that's used here is the old code for HP-UX 10.x.
*
* However, HP-UX 10.20, at least, appears to have such a member
* in its "dl_hp_ppa_info_t" structure, so the new code is used.
* The new code didn't work on an old 10.20 system on which Rick
* Jones of HP tried it, but with later patches installed, it
* worked - it appears that the older system had those members but
* didn't put anything in them, so, if the search by name fails, we
* do the old search.
*
* Rick suggests that making sure your system is "up on the latest
* lancommon/DLPI/driver patches" is probably a good idea; it'd fix
* that problem, as well as allowing libpcap to see packets sent
* from the system on which the libpcap application is being run.
* (On 10.20, in addition to getting the latest patches, you need
* to turn the kernel "lanc_outbound_promisc_flag" flag on with ADB;
* a posting to "comp.sys.hp.hpux" at
*
* http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=558092266
*
* says that, to see the machine's outgoing traffic, you'd need to
* apply the right patches to your system, and also set that variable
* with:
echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
* which could be put in, for example, "/sbin/init.d/lan".
*
* Setting the variable is not necessary on HP-UX 11.x.
*/
static int
get_dlpi_ppa(register int fd, register const char *device, register int unit,
register char *ebuf)
{
register dl_hp_ppa_ack_t *ap;
register dl_hp_ppa_info_t *ipstart, *ip;
register int i;
char dname[100];
register u_long majdev;
struct stat statbuf;
dl_hp_ppa_req_t req;
char buf[MAXDLBUF];
char *ppa_data_buf;
dl_hp_ppa_ack_t *dlp;
struct strbuf ctl;
int flags;
int ppa;
memset((char *)&req, 0, sizeof(req));
req.dl_primitive = DL_HP_PPA_REQ;
memset((char *)buf, 0, sizeof(buf));
if (send_request(fd, (char *)&req, sizeof(req), "hpppa", ebuf) < 0)
return (PCAP_ERROR);
ctl.maxlen = DL_HP_PPA_ACK_SIZE;
ctl.len = 0;
ctl.buf = (char *)buf;
flags = 0;
/*
* DLPI may return a big chunk of data for a DL_HP_PPA_REQ. The normal
* recv_ack will fail because it set the maxlen to MAXDLBUF (8192)
* which is NOT big enough for a DL_HP_PPA_REQ.
*
* This causes libpcap applications to fail on a system with HP-APA
* installed.
*
* To figure out how big the returned data is, we first call getmsg
* to get the small head and peek at the head to get the actual data
* length, and then issue another getmsg to get the actual PPA data.
*/
/* get the head first */
if (getmsg(fd, &ctl, (struct strbuf *)NULL, &flags) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"get_dlpi_ppa: hpppa getmsg: %s", pcap_strerror(errno));
return (PCAP_ERROR);
}
dlp = (dl_hp_ppa_ack_t *)ctl.buf;
if (dlp->dl_primitive != DL_HP_PPA_ACK) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"get_dlpi_ppa: hpppa unexpected primitive ack 0x%x",
(bpf_u_int32)dlp->dl_primitive);
return (PCAP_ERROR);
}
if (ctl.len < DL_HP_PPA_ACK_SIZE) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"get_dlpi_ppa: hpppa ack too small (%d < %lu)",
ctl.len, (unsigned long)DL_HP_PPA_ACK_SIZE);
return (PCAP_ERROR);
}
/* allocate buffer */
if ((ppa_data_buf = (char *)malloc(dlp->dl_length)) == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"get_dlpi_ppa: hpppa malloc: %s", pcap_strerror(errno));
return (PCAP_ERROR);
}
ctl.maxlen = dlp->dl_length;
ctl.len = 0;
ctl.buf = (char *)ppa_data_buf;
/* get the data */
if (getmsg(fd, &ctl, (struct strbuf *)NULL, &flags) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"get_dlpi_ppa: hpppa getmsg: %s", pcap_strerror(errno));
free(ppa_data_buf);
return (PCAP_ERROR);
}
if (ctl.len < dlp->dl_length) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"get_dlpi_ppa: hpppa ack too small (%d < %lu)",
ctl.len, (unsigned long)dlp->dl_length);
free(ppa_data_buf);
return (PCAP_ERROR);
}
ap = (dl_hp_ppa_ack_t *)buf;
ipstart = (dl_hp_ppa_info_t *)ppa_data_buf;
ip = ipstart;
#ifdef HAVE_HP_PPA_INFO_T_DL_MODULE_ID_1
/*
* The "dl_hp_ppa_info_t" structure has a "dl_module_id_1"
* member that should, in theory, contain the part of the
* name for the device that comes before the unit number,
* and should also have a "dl_module_id_2" member that may
* contain an alternate name (e.g., I think Ethernet devices
* have both "lan", for "lanN", and "snap", for "snapN", with
* the former being for Ethernet packets and the latter being
* for 802.3/802.2 packets).
*
* Search for the device that has the specified name and
* instance number.
*/
for (i = 0; i < ap->dl_count; i++) {
if ((strcmp((const char *)ip->dl_module_id_1, device) == 0 ||
strcmp((const char *)ip->dl_module_id_2, device) == 0) &&
ip->dl_instance_num == unit)
break;
ip = (dl_hp_ppa_info_t *)((u_char *)ipstart + ip->dl_next_offset);
}
#else
/*
* We don't have that member, so the search is impossible; make it
* look as if the search failed.
*/
i = ap->dl_count;
#endif
if (i == ap->dl_count) {
/*
* Well, we didn't, or can't, find the device by name.
*
* HP-UX 10.20, whilst it has "dl_module_id_1" and
* "dl_module_id_2" fields in the "dl_hp_ppa_info_t",
* doesn't seem to fill them in unless the system is
* at a reasonably up-to-date patch level.
*
* Older HP-UX 10.x systems might not have those fields
* at all.
*
* Therefore, we'll search for the entry with the major
* device number of a device with the name "/dev/<dev><unit>",
* if such a device exists, as the old code did.
*/
snprintf(dname, sizeof(dname), "/dev/%s%d", device, unit);
if (stat(dname, &statbuf) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "stat: %s: %s",
dname, pcap_strerror(errno));
return (PCAP_ERROR);
}
majdev = major(statbuf.st_rdev);
ip = ipstart;
for (i = 0; i < ap->dl_count; i++) {
if (ip->dl_mjr_num == majdev &&
ip->dl_instance_num == unit)
break;
ip = (dl_hp_ppa_info_t *)((u_char *)ipstart + ip->dl_next_offset);
}
}
if (i == ap->dl_count) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"can't find /dev/dlpi PPA for %s%d", device, unit);
return (PCAP_ERROR_NO_SUCH_DEVICE);
}
if (ip->dl_hdw_state == HDW_DEAD) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"%s%d: hardware state: DOWN\n", device, unit);
free(ppa_data_buf);
return (PCAP_ERROR);
}
ppa = ip->dl_ppa;
free(ppa_data_buf);
return (ppa);
}
/*
* Check whether this is a pcap savefile and, if it is, extract the
* relevant information from the header.
*/
int
pcap_check_header(pcap_t *p, bpf_u_int32 magic, FILE *fp, char *errbuf)
{
struct pcap_file_header hdr;
size_t amt_read;
/*
* Check whether the first 4 bytes of the file are the magic
* number for a pcap savefile, or for a byte-swapped pcap
* savefile.
*/
if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC) {
magic = SWAPLONG(magic);
if (magic != TCPDUMP_MAGIC && magic != KUZNETZOV_TCPDUMP_MAGIC)
return (0); /* nope */
p->sf.swapped = 1;
}
/*
* They are. Put the magic number in the header, and read
* the rest of the header.
*/
hdr.magic = magic;
amt_read = fread(((char *)&hdr) + sizeof hdr.magic, 1,
sizeof(hdr) - sizeof(hdr.magic), fp);
if (amt_read != sizeof(hdr) - sizeof(hdr.magic)) {
if (ferror(fp)) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %lu file header bytes, only got %lu",
(unsigned long)sizeof(hdr),
(unsigned long)amt_read);
}
return (-1);
}
/*
* If it's a byte-swapped capture file, byte-swap the header.
*/
if (p->sf.swapped) {
hdr.version_major = SWAPSHORT(hdr.version_major);
hdr.version_minor = SWAPSHORT(hdr.version_minor);
hdr.thiszone = SWAPLONG(hdr.thiszone);
hdr.sigfigs = SWAPLONG(hdr.sigfigs);
hdr.snaplen = SWAPLONG(hdr.snaplen);
hdr.linktype = SWAPLONG(hdr.linktype);
}
if (hdr.version_major < PCAP_VERSION_MAJOR) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"archaic pcap savefile format");
return (-1);
}
p->sf.version_major = hdr.version_major;
p->sf.version_minor = hdr.version_minor;
p->tzoff = hdr.thiszone;
p->snapshot = hdr.snaplen;
p->linktype = linktype_to_dlt(LT_LINKTYPE(hdr.linktype));
p->linktype_ext = LT_LINKTYPE_EXT(hdr.linktype);
p->sf.next_packet_op = pcap_next_packet;
/*
* We interchanged the caplen and len fields at version 2.3,
* in order to match the bpf header layout. But unfortunately
* some files were written with version 2.3 in their headers
* but without the interchanged fields.
*
* In addition, DG/UX tcpdump writes out files with a version
* number of 543.0, and with the caplen and len fields in the
* pre-2.3 order.
*/
switch (hdr.version_major) {
case 2:
if (hdr.version_minor < 3)
p->sf.lengths_swapped = SWAPPED;
else if (hdr.version_minor == 3)
p->sf.lengths_swapped = MAYBE_SWAPPED;
else
p->sf.lengths_swapped = NOT_SWAPPED;
break;
case 543:
p->sf.lengths_swapped = SWAPPED;
break;
default:
p->sf.lengths_swapped = NOT_SWAPPED;
break;
}
if (magic == KUZNETZOV_TCPDUMP_MAGIC) {
/*
* XXX - the patch that's in some versions of libpcap
* changes the packet header but not the magic number,
* and some other versions with this magic number have
* some extra debugging information in the packet header;
* we'd have to use some hacks^H^H^H^H^Hheuristics to
* detect those variants.
*
* Ethereal does that, but it does so by trying to read
* the first two packets of the file with each of the
* record header formats. That currently means it seeks
* backwards and retries the reads, which doesn't work
* on pipes. We want to be able to read from a pipe, so
* that strategy won't work; we'd have to buffer some
* data ourselves and read from that buffer in order to
* make that work.
*/
p->sf.hdrsize = sizeof(struct pcap_sf_patched_pkthdr);
if (p->linktype == DLT_EN10MB) {
/*
* This capture might have been done in raw mode
* or cooked mode.
*
* If it was done in cooked mode, p->snapshot was
* passed to recvfrom() as the buffer size, meaning
* that the most packet data that would be copied
* would be p->snapshot. However, a faked Ethernet
* header would then have been added to it, so the
* most data that would be in a packet in the file
* would be p->snapshot + 14.
*
* We can't easily tell whether the capture was done
* in raw mode or cooked mode, so we'll assume it was
* cooked mode, and add 14 to the snapshot length.
* That means that, for a raw capture, the snapshot
* length will be misleading if you use it to figure
* out why a capture doesn't have all the packet data,
* but there's not much we can do to avoid that.
*/
p->snapshot += 14;
}
} else
p->sf.hdrsize = sizeof(struct pcap_sf_pkthdr);
/*
* Allocate a buffer for the packet data.
*/
p->bufsize = p->snapshot;
if (p->bufsize <= 0) {
/*
* Bogus snapshot length; use 64KiB as a fallback.
*/
p->bufsize = 65536;
}
p->buffer = malloc(p->bufsize);
if (p->buffer == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
return (-1);
}
return (1);
}
/*
* Read and return the next packet from the savefile. Return the header
* in hdr and a pointer to the contents in data. Return 0 on success, 1
* if there were no more packets, and -1 on an error.
*/
static int
pcap_next_packet(pcap_t *p, struct pcap_pkthdr *hdr, u_char **data)
{
struct pcap_sf_patched_pkthdr sf_hdr;
FILE *fp = p->sf.rfile;
size_t amt_read;
bpf_u_int32 t;
/*
* Read the packet header; the structure we use as a buffer
* is the longer structure for files generated by the patched
* libpcap, but if the file has the magic number for an
* unpatched libpcap we only read as many bytes as the regular
* header has.
*/
amt_read = fread(&sf_hdr, 1, p->sf.hdrsize, fp);
if (amt_read != p->sf.hdrsize) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
return (-1);
} else {
if (amt_read != 0) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %lu header bytes, only got %lu",
(unsigned long)p->sf.hdrsize,
(unsigned long)amt_read);
return (-1);
}
/* EOF */
return (1);
}
}
if (p->sf.swapped) {
/* these were written in opposite byte order */
hdr->caplen = SWAPLONG(sf_hdr.caplen);
hdr->len = SWAPLONG(sf_hdr.len);
hdr->ts.tv_sec = SWAPLONG(sf_hdr.ts.tv_sec);
hdr->ts.tv_usec = SWAPLONG(sf_hdr.ts.tv_usec);
} else {
hdr->caplen = sf_hdr.caplen;
hdr->len = sf_hdr.len;
hdr->ts.tv_sec = sf_hdr.ts.tv_sec;
hdr->ts.tv_usec = sf_hdr.ts.tv_usec;
}
/* Swap the caplen and len fields, if necessary. */
switch (p->sf.lengths_swapped) {
case NOT_SWAPPED:
break;
case MAYBE_SWAPPED:
if (hdr->caplen <= hdr->len) {
/*
* The captured length is <= the actual length,
* so presumably they weren't swapped.
*/
break;
}
/* FALLTHROUGH */
case SWAPPED:
t = hdr->caplen;
hdr->caplen = hdr->len;
hdr->len = t;
break;
}
if (hdr->caplen > p->bufsize) {
/*
* This can happen due to Solaris 2.3 systems tripping
* over the BUFMOD problem and not setting the snapshot
* correctly in the savefile header. If the caplen isn't
* grossly wrong, try to salvage.
*/
static u_char *tp = NULL;
static size_t tsize = 0;
if (hdr->caplen > 65535) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"bogus savefile header");
return (-1);
}
if (tsize < hdr->caplen) {
tsize = ((hdr->caplen + 1023) / 1024) * 1024;
if (tp != NULL)
free((u_char *)tp);
tp = (u_char *)malloc(tsize);
if (tp == NULL) {
tsize = 0;
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"BUFMOD hack malloc");
return (-1);
}
}
amt_read = fread((char *)tp, 1, hdr->caplen, fp);
if (amt_read != hdr->caplen) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %u captured bytes, only got %lu",
hdr->caplen, (unsigned long)amt_read);
}
return (-1);
}
/*
* We can only keep up to p->bufsize bytes. Since
* caplen > p->bufsize is exactly how we got here,
* we know we can only keep the first p->bufsize bytes
* and must drop the remainder. Adjust caplen accordingly,
* so we don't get confused later as to how many bytes we
* have to play with.
*/
hdr->caplen = p->bufsize;
memcpy(p->buffer, (char *)tp, p->bufsize);
} else {
/* read the packet itself */
amt_read = fread(p->buffer, 1, hdr->caplen, fp);
if (amt_read != hdr->caplen) {
if (ferror(fp)) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
} else {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"truncated dump file; tried to read %u captured bytes, only got %lu",
hdr->caplen, (unsigned long)amt_read);
}
return (-1);
}
}
*data = p->buffer;
if (p->sf.swapped) {
/*
* Convert pseudo-headers from the byte order of
* the host on which the file was saved to our
* byte order, as necessary.
*/
switch (p->linktype) {
case DLT_USB_LINUX:
swap_linux_usb_header(hdr, *data, 0);
break;
case DLT_USB_LINUX_MMAPPED:
swap_linux_usb_header(hdr, *data, 1);
break;
}
}
return (0);
}
static int
pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
{
struct pcap_pf *pf = pc->priv;
register u_char *p, *bp;
register int cc, n, buflen, inc;
register struct enstamp *sp;
#ifdef LBL_ALIGN
struct enstamp stamp;
#endif
register int pad;
again:
cc = pc->cc;
if (cc == 0) {
cc = read(pc->fd, (char *)pc->buffer + pc->offset, pc->bufsize);
if (cc < 0) {
if (errno == EWOULDBLOCK)
return (0);
if (errno == EINVAL &&
lseek(pc->fd, 0L, SEEK_CUR) + pc->bufsize < 0) {
/*
* Due to a kernel bug, after 2^31 bytes,
* the kernel file offset overflows and
* read fails with EINVAL. The lseek()
* to 0 will fix things.
*/
(void)lseek(pc->fd, 0L, SEEK_SET);
goto again;
}
snprintf(pc->errbuf, sizeof(pc->errbuf), "pf read: %s",
pcap_strerror(errno));
return (-1);
}
bp = (u_char *)pc->buffer + pc->offset;
} else
bp = pc->bp;
/*
* Loop through each packet.
*/
n = 0;
pad = pc->fddipad;
while (cc > 0) {
/*
* Has "pcap_breakloop()" been called?
* If so, return immediately - if we haven't read any
* packets, clear the flag and return -2 to indicate
* that we were told to break out of the loop, otherwise
* leave the flag set, so that the *next* call will break
* out of the loop without having read any packets, and
* return the number of packets we've processed so far.
*/
if (pc->break_loop) {
if (n == 0) {
pc->break_loop = 0;
return (-2);
} else {
pc->cc = cc;
pc->bp = bp;
return (n);
}
}
if (cc < sizeof(*sp)) {
snprintf(pc->errbuf, sizeof(pc->errbuf),
"pf short read (%d)", cc);
return (-1);
}
#ifdef LBL_ALIGN
if ((long)bp & 3) {
sp = &stamp;
memcpy((char *)sp, (char *)bp, sizeof(*sp));
} else
#endif
sp = (struct enstamp *)bp;
if (sp->ens_stamplen != sizeof(*sp)) {
snprintf(pc->errbuf, sizeof(pc->errbuf),
"pf short stamplen (%d)",
sp->ens_stamplen);
return (-1);
}
p = bp + sp->ens_stamplen;
buflen = sp->ens_count;
if (buflen > pc->snapshot)
buflen = pc->snapshot;
/* Calculate inc before possible pad update */
inc = ENALIGN(buflen + sp->ens_stamplen);
cc -= inc;
bp += inc;
pf->TotPkts++;
pf->TotDrops += sp->ens_dropped;
pf->TotMissed = sp->ens_ifoverflows;
if (pf->OrigMissed < 0)
pf->OrigMissed = pf->TotMissed;
/*
* Short-circuit evaluation: if using BPF filter
* in kernel, no need to do it now - we already know
* the packet passed the filter.
*
* Note: the filter code was generated assuming
* that pc->fddipad was the amount of padding
* before the header, as that's what's required
* in the kernel, so we run the filter before
* skipping that padding.
*/
if (pf->filtering_in_kernel ||
bpf_filter(pc->fcode.bf_insns, p, sp->ens_count, buflen)) {
struct pcap_pkthdr h;
pf->TotAccepted++;
h.ts = sp->ens_tstamp;
h.len = sp->ens_count - pad;
p += pad;
buflen -= pad;
h.caplen = buflen;
(*callback)(user, &h, p);
if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) {
pc->cc = cc;
pc->bp = bp;
return (n);
}
}
}
pc->cc = 0;
return (n);
}
static int process_client_data (char *errbuf) { /* returns: -1 = error, 0 = OK */
int chassis, geoslot;
unit_t *u;
pcap_if_t *iff, *prev_iff;
pcap_addr_t *addr, *prev_addr;
char *ptr;
int address_count;
struct sockaddr_in *s;
char *newname;
bpf_u_int32 interfaceType;
unsigned char flags;
prev_iff = 0;
for (chassis = 0; chassis <= MAX_CHASSIS; chassis++) {
for (geoslot = 0; geoslot <= MAX_GEOSLOT; geoslot++) { /* now loop over all the devices */
u = &units[chassis][geoslot];
empty_unit_iface(u);
ptr = u->imsg; /* point to the start of the msg for this IOP */
while (ptr < (u->imsg + u->len)) {
if ((iff = malloc(sizeof(pcap_if_t))) == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
memset((char *)iff, 0, sizeof(pcap_if_t)); /* bzero() is deprecated, replaced with memset() */
if (acn_if_list == 0) acn_if_list = iff; /* remember the head of the list */
if (prev_iff) prev_iff->next = iff; /* insert a forward link */
if (*ptr) { /* if there is a count for the name */
if ((iff->name = malloc(*ptr + 1)) == NULL) { /* get that amount of space */
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
memcpy(iff->name, (ptr + 1), *ptr); /* copy the name into the malloc'ed space */
*(iff->name + *ptr) = 0; /* and null terminate the string */
ptr += *ptr; /* now move the pointer forwards by the length of the count plus the length of the string */
}
ptr++;
if (*ptr) { /* if there is a count for the description */
if ((iff->description = malloc(*ptr + 1)) == NULL) { /* get that amount of space */
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
memcpy(iff->description, (ptr + 1), *ptr); /* copy the name into the malloc'ed space */
*(iff->description + *ptr) = 0; /* and null terminate the string */
ptr += *ptr; /* now move the pointer forwards by the length of the count plus the length of the string */
}
ptr++;
interfaceType = ntohl(*(bpf_u_int32 *)ptr);
ptr += 4; /* skip over the interface type */
flags = *ptr++;
if (flags) iff->flags = PCAP_IF_LOOPBACK; /* if this is a loopback style interface, lets mark it as such */
address_count = *ptr++;
prev_addr = 0;
while (address_count--) {
if ((addr = malloc(sizeof(pcap_addr_t))) == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
memset((char *)addr, 0, sizeof(pcap_addr_t)); /* bzero() is deprecated, replaced with memset() */
if (iff->addresses == 0) iff->addresses = addr;
if (prev_addr) prev_addr->next = addr; /* insert a forward link */
if (*ptr) { /* if there is a count for the address */
if ((s = malloc(sizeof(struct sockaddr_in))) == NULL) { /* get that amount of space */
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
memset((char *)s, 0, sizeof(struct sockaddr_in)); /* bzero() is deprecated, replaced with memset() */
addr->addr = (struct sockaddr *)s;
s->sin_family = AF_INET;
s->sin_addr.s_addr = *(bpf_u_int32 *)(ptr + 1); /* copy the address in */
ptr += *ptr; /* now move the pointer forwards according to the specified length of the address */
}
ptr++; /* then forwards one more for the 'length of the address' field */
if (*ptr) { /* process any netmask */
if ((s = malloc(sizeof(struct sockaddr_in))) == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
/* bzero() is deprecated, replaced with memset() */
memset((char *)s, 0, sizeof(struct sockaddr_in));
addr->netmask = (struct sockaddr *)s;
s->sin_family = AF_INET;
s->sin_addr.s_addr = *(bpf_u_int32*)(ptr + 1);
ptr += *ptr;
}
ptr++;
if (*ptr) { /* process any broadcast address */
if ((s = malloc(sizeof(struct sockaddr_in))) == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
/* bzero() is deprecated, replaced with memset() */
memset((char *)s, 0, sizeof(struct sockaddr_in));
addr->broadaddr = (struct sockaddr *)s;
s->sin_family = AF_INET;
s->sin_addr.s_addr = *(bpf_u_int32*)(ptr + 1);
ptr += *ptr;
}
ptr++;
if (*ptr) { /* process any destination address */
if ((s = malloc(sizeof(struct sockaddr_in))) == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", pcap_strerror(errno));
return -1;
}
/* bzero() is deprecated, replaced with memset() */
memset((char *)s, 0, sizeof(struct sockaddr_in));
addr->dstaddr = (struct sockaddr *)s;
s->sin_family = AF_INET;
s->sin_addr.s_addr = *(bpf_u_int32*)(ptr + 1);
ptr += *ptr;
}
ptr++;
prev_addr = addr;
}
prev_iff = iff;
newname = translate_IOP_to_pcap_name(u, iff->name, interfaceType); /* add a translation entry and get a point to the mangled name */
if ((iff->name = realloc(iff->name, strlen(newname) + 1)) == NULL) { /* we now re-write the name stored in the interface list */
snprintf(errbuf, PCAP_ERRBUF_SIZE, "realloc: %s", pcap_strerror(errno));
return -1;
}
strcpy(iff->name, newname); /* to this new name */
}
}
}
return 0;
}
/*
* Add an entry to the list of addresses for an interface.
* "curdev" is the entry for that interface.
*/
static int
add_addr_to_list(pcap_if_t *curdev, struct sockaddr *addr,
struct sockaddr *netmask, struct sockaddr *broadaddr,
struct sockaddr *dstaddr, char *errbuf)
{
pcap_addr_t *curaddr, *prevaddr, *nextaddr;
/*
* Allocate the new entry and fill it in.
*/
curaddr = (pcap_addr_t*)malloc(sizeof(pcap_addr_t));
if (curaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
return (-1);
}
curaddr->next = NULL;
if (addr != NULL) {
curaddr->addr = (struct sockaddr*)dup_sockaddr(addr, sizeof(struct sockaddr_storage));
if (curaddr->addr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->addr = NULL;
if (netmask != NULL) {
curaddr->netmask = (struct sockaddr*)dup_sockaddr(netmask, sizeof(struct sockaddr_storage));
if (curaddr->netmask == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->netmask = NULL;
if (broadaddr != NULL) {
curaddr->broadaddr = (struct sockaddr*)dup_sockaddr(broadaddr, sizeof(struct sockaddr_storage));
if (curaddr->broadaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->broadaddr = NULL;
if (dstaddr != NULL) {
curaddr->dstaddr = (struct sockaddr*)dup_sockaddr(dstaddr, sizeof(struct sockaddr_storage));
if (curaddr->dstaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->dstaddr = NULL;
/*
* Find the end of the list of addresses.
*/
for (prevaddr = curdev->addresses; prevaddr != NULL; prevaddr = nextaddr) {
nextaddr = prevaddr->next;
if (nextaddr == NULL) {
/*
* This is the end of the list.
*/
break;
}
}
if (prevaddr == NULL) {
/*
* The list was empty; this is the first member.
*/
curdev->addresses = curaddr;
} else {
/*
* "prevaddr" is the last member of the list; append
* this member to it.
*/
prevaddr->next = curaddr;
}
return (0);
}
pcap_t *
pcap_open_live(const char *device, int snaplen, int promisc, int to_ms,
char *ebuf)
{
register char *cp;
register pcap_t *p;
int ppa;
#ifdef HAVE_SOLARIS
int isatm = 0;
#endif
register dl_info_ack_t *infop;
#ifdef HAVE_SYS_BUFMOD_H
bpf_u_int32 ss, chunksize;
#ifdef HAVE_SOLARIS
register char *release;
bpf_u_int32 osmajor, osminor, osmicro;
#endif
#endif
bpf_u_int32 buf[MAXDLBUF];
char dname[100];
#ifndef HAVE_DEV_DLPI
char dname2[100];
#endif
p = (pcap_t *)malloc(sizeof(*p));
if (p == NULL) {
strlcpy(ebuf, pcap_strerror(errno), PCAP_ERRBUF_SIZE);
return (NULL);
}
memset(p, 0, sizeof(*p));
p->fd = -1; /* indicate that it hasn't been opened yet */
p->send_fd = -1;
#ifdef HAVE_DEV_DLPI
/*
** Remove any "/dev/" on the front of the device.
*/
cp = strrchr(device, '/');
if (cp == NULL)
strlcpy(dname, device, sizeof(dname));
else
strlcpy(dname, cp + 1, sizeof(dname));
/*
* Split the device name into a device type name and a unit number;
* chop off the unit number, so "dname" is just a device type name.
*/
cp = split_dname(dname, &ppa, ebuf);
if (cp == NULL)
goto bad;
*cp = '\0';
/*
* Use "/dev/dlpi" as the device.
*
* XXX - HP's DLPI Programmer's Guide for HP-UX 11.00 says that
* the "dl_mjr_num" field is for the "major number of interface
* driver"; that's the major of "/dev/dlpi" on the system on
* which I tried this, but there may be DLPI devices that
* use a different driver, in which case we may need to
* search "/dev" for the appropriate device with that major
* device number, rather than hardwiring "/dev/dlpi".
*/
cp = "/dev/dlpi";
if ((p->fd = open(cp, O_RDWR)) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"%s: %s", cp, pcap_strerror(errno));
goto bad;
}
#ifdef DL_HP_RAWDLS
/*
* XXX - HP-UX 10.20 and 11.xx don't appear to support sending and
* receiving packets on the same descriptor - you need separate
* descriptors for sending and receiving, bound to different SAPs.
*
* If the open fails, we just leave -1 in "p->send_fd" and reject
* attempts to send packets, just as if, in pcap-bpf.c, we fail
* to open the BPF device for reading and writing, we just try
* to open it for reading only and, if that succeeds, just let
* the send attempts fail.
*/
p->send_fd = open(cp, O_RDWR);
#endif
/*
* Get a table of all PPAs for that device, and search that
* table for the specified device type name and unit number.
*/
ppa = get_dlpi_ppa(p->fd, dname, ppa, ebuf);
if (ppa < 0)
goto bad;
#else
/*
* If the device name begins with "/", assume it begins with
* the pathname of the directory containing the device to open;
* otherwise, concatenate the device directory name and the
* device name.
*/
if (*device == '/')
strlcpy(dname, device, sizeof(dname));
else
snprintf(dname, sizeof(dname), "%s/%s", PCAP_DEV_PREFIX,
device);
/*
* Get the unit number, and a pointer to the end of the device
* type name.
*/
cp = split_dname(dname, &ppa, ebuf);
if (cp == NULL)
goto bad;
/*
* Make a copy of the device pathname, and then remove the unit
* number from the device pathname.
*/
strlcpy(dname2, dname, sizeof(dname));
*cp = '\0';
/* Try device without unit number */
if ((p->fd = open(dname, O_RDWR)) < 0) {
if (errno != ENOENT) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s", dname,
pcap_strerror(errno));
goto bad;
}
/* Try again with unit number */
if ((p->fd = open(dname2, O_RDWR)) < 0) {
if (errno == ENOENT) {
/*
* We just report "No DLPI device found"
* with the device name, so people don't
* get confused and think, for example,
* that if they can't capture on "lo0"
* on Solaris the fix is to change libpcap
* (or the application that uses it) to
* look for something other than "/dev/lo0",
* as the fix is to look for an operating
* system other than Solaris - you just
* *can't* capture on a loopback interface
* on Solaris, the lack of a DLPI device
* for the loopback interface is just a
* symptom of that inability.
*/
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"%s: No DLPI device found", device);
} else {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s",
dname2, pcap_strerror(errno));
}
goto bad;
}
/* XXX Assume unit zero */
ppa = 0;
}
#endif
p->snapshot = snaplen;
/*
** Attach if "style 2" provider
*/
if (dlinforeq(p->fd, ebuf) < 0 ||
dlinfoack(p->fd, (char *)buf, ebuf) < 0)
goto bad;
infop = &((union DL_primitives *)buf)->info_ack;
#ifdef HAVE_SOLARIS
if (infop->dl_mac_type == DL_IPATM)
isatm = 1;
#endif
if (infop->dl_provider_style == DL_STYLE2) {
if (dl_doattach(p->fd, ppa, ebuf) < 0)
goto bad;
#ifdef DL_HP_RAWDLS
if (p->send_fd >= 0) {
if (dl_doattach(p->send_fd, ppa, ebuf) < 0)
goto bad;
}
#endif
}
/*
** Bind (defer if using HP-UX 9 or HP-UX 10.20 or later, totally
** skip if using SINIX)
*/
#if !defined(HAVE_HPUX9) && !defined(HAVE_HPUX10_20_OR_LATER) && !defined(sinix)
#ifdef _AIX
/*
** AIX.
** According to IBM's AIX Support Line, the dl_sap value
** should not be less than 0x600 (1536) for standard Ethernet.
** However, we seem to get DL_BADADDR - "DLSAP addr in improper
** format or invalid" - errors if we use 1537 on the "tr0"
** device, which, given that its name starts with "tr" and that
** it's IBM, probably means a Token Ring device. (Perhaps we
** need to use 1537 on "/dev/dlpi/en" because that device is for
** D/I/X Ethernet, the "SAP" is actually an Ethernet type, and
** it rejects invalid Ethernet types.)
**
** So if 1537 fails, we try 2, as Hyung Sik Yoon of IBM Korea
** says that works on Token Ring (he says that 0 does *not*
** work; perhaps that's considered an invalid LLC SAP value - I
** assume the SAP value in a DLPI bind is an LLC SAP for network
** types that use 802.2 LLC).
*/
if ((dlbindreq(p->fd, 1537, ebuf) < 0 &&
dlbindreq(p->fd, 2, ebuf) < 0) ||
dlbindack(p->fd, (char *)buf, ebuf, NULL) < 0)
goto bad;
#elif defined(DL_HP_RAWDLS)
/*
** HP-UX 10.0x and 10.1x.
*/
if (dl_dohpuxbind(p->fd, ebuf) < 0)
goto bad;
if (p->send_fd >= 0) {
/*
** XXX - if this fails, just close send_fd and
** set it to -1, so that you can't send but can
** still receive?
*/
if (dl_dohpuxbind(p->send_fd, ebuf) < 0)
goto bad;
}
#else /* neither AIX nor HP-UX */
/*
** Not Sinix, and neither AIX nor HP-UX - Solaris, and any other
** OS using DLPI.
**/
if (dlbindreq(p->fd, 0, ebuf) < 0 ||
dlbindack(p->fd, (char *)buf, ebuf, NULL) < 0)
goto bad;
#endif /* AIX vs. HP-UX vs. other */
#endif /* !HP-UX 9 and !HP-UX 10.20 or later and !SINIX */
#ifdef HAVE_SOLARIS
if (isatm) {
/*
** Have to turn on some special ATM promiscuous mode
** for SunATM.
** Do *NOT* turn regular promiscuous mode on; it doesn't
** help, and may break things.
*/
if (strioctl(p->fd, A_PROMISCON_REQ, 0, NULL) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "A_PROMISCON_REQ: %s",
pcap_strerror(errno));
goto bad;
}
} else
#endif
if (promisc) {
/*
** Enable promiscuous (not necessary on send FD)
*/
if (dlpromisconreq(p->fd, DL_PROMISC_PHYS, ebuf) < 0 ||
dlokack(p->fd, "promisc_phys", (char *)buf, ebuf) < 0)
goto bad;
/*
** Try to enable multicast (you would have thought
** promiscuous would be sufficient). (Skip if using
** HP-UX or SINIX) (Not necessary on send FD)
*/
#if !defined(__hpux) && !defined(sinix)
if (dlpromisconreq(p->fd, DL_PROMISC_MULTI, ebuf) < 0 ||
dlokack(p->fd, "promisc_multi", (char *)buf, ebuf) < 0)
fprintf(stderr,
"WARNING: DL_PROMISC_MULTI failed (%s)\n", ebuf);
#endif
}
/*
** Try to enable SAP promiscuity (when not in promiscuous mode
** when using HP-UX, when not doing SunATM on Solaris, and never
** under SINIX) (Not necessary on send FD)
*/
#ifndef sinix
if (
#ifdef __hpux
!promisc &&
#endif
#ifdef HAVE_SOLARIS
!isatm &&
#endif
(dlpromisconreq(p->fd, DL_PROMISC_SAP, ebuf) < 0 ||
dlokack(p->fd, "promisc_sap", (char *)buf, ebuf) < 0)) {
/* Not fatal if promisc since the DL_PROMISC_PHYS worked */
if (promisc)
fprintf(stderr,
"WARNING: DL_PROMISC_SAP failed (%s)\n", ebuf);
else
goto bad;
}
#endif /* sinix */
/*
** HP-UX 9, and HP-UX 10.20 or later, must bind after setting
** promiscuous options.
*/
#if defined(HAVE_HPUX9) || defined(HAVE_HPUX10_20_OR_LATER)
if (dl_dohpuxbind(p->fd, ebuf) < 0)
goto bad;
/*
** We don't set promiscuous mode on the send FD, but we'll defer
** binding it anyway, just to keep the HP-UX 9/10.20 or later
** code together.
*/
if (p->send_fd >= 0) {
/*
** XXX - if this fails, just close send_fd and
** set it to -1, so that you can't send but can
** still receive?
*/
if (dl_dohpuxbind(p->send_fd, ebuf) < 0)
goto bad;
}
#endif
/*
** Determine link type
** XXX - get SAP length and address length as well, for use
** when sending packets.
*/
if (dlinforeq(p->fd, ebuf) < 0 ||
dlinfoack(p->fd, (char *)buf, ebuf) < 0)
goto bad;
infop = &((union DL_primitives *)buf)->info_ack;
switch (infop->dl_mac_type) {
case DL_CSMACD:
case DL_ETHER:
p->linktype = DLT_EN10MB;
p->offset = 2;
/*
* This is (presumably) a real Ethernet capture; give it a
* link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
* that an application can let you choose it, in case you're
* capturing DOCSIS traffic that a Cisco Cable Modem
* Termination System is putting out onto an Ethernet (it
* doesn't put an Ethernet header onto the wire, it puts raw
* DOCSIS frames out on the wire inside the low-level
* Ethernet framing).
*/
p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
/*
* If that fails, just leave the list empty.
*/
if (p->dlt_list != NULL) {
p->dlt_list[0] = DLT_EN10MB;
p->dlt_list[1] = DLT_DOCSIS;
p->dlt_count = 2;
}
break;
case DL_FDDI:
p->linktype = DLT_FDDI;
p->offset = 3;
break;
case DL_TPR:
/*
* XXX - what about DL_TPB? Is that Token Bus?
*/
p->linktype = DLT_IEEE802;
p->offset = 2;
break;
#ifdef HAVE_SOLARIS
case DL_IPATM:
p->linktype = DLT_SUNATM;
p->offset = 0; /* works for LANE and LLC encapsulation */
break;
#endif
default:
snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown mac type %lu",
(unsigned long)infop->dl_mac_type);
goto bad;
}
#ifdef DLIOCRAW
/*
** This is a non standard SunOS hack to get the full raw link-layer
** header.
*/
if (strioctl(p->fd, DLIOCRAW, 0, NULL) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "DLIOCRAW: %s",
pcap_strerror(errno));
goto bad;
}
#endif
#ifdef HAVE_SYS_BUFMOD_H
/*
** Another non standard call to get the data nicely buffered
*/
if (ioctl(p->fd, I_PUSH, "bufmod") != 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "I_PUSH bufmod: %s",
pcap_strerror(errno));
goto bad;
}
/*
** Now that the bufmod is pushed lets configure it.
**
** There is a bug in bufmod(7). When dealing with messages of
** less than snaplen size it strips data from the beginning not
** the end.
**
** This bug is supposed to be fixed in 5.3.2. Also, there is a
** patch available. Ask for bugid 1149065.
*/
ss = snaplen;
#ifdef HAVE_SOLARIS
release = get_release(&osmajor, &osminor, &osmicro);
if (osmajor == 5 && (osminor <= 2 || (osminor == 3 && osmicro < 2)) &&
getenv("BUFMOD_FIXED") == NULL) {
fprintf(stderr,
"WARNING: bufmod is broken in SunOS %s; ignoring snaplen.\n",
release);
ss = 0;
}
#endif
if (ss > 0 &&
strioctl(p->fd, SBIOCSSNAP, sizeof(ss), (char *)&ss) != 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "SBIOCSSNAP: %s",
pcap_strerror(errno));
goto bad;
}
/*
** Set up the bufmod timeout
*/
if (to_ms != 0) {
struct timeval to;
to.tv_sec = to_ms / 1000;
to.tv_usec = (to_ms * 1000) % 1000000;
if (strioctl(p->fd, SBIOCSTIME, sizeof(to), (char *)&to) != 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "SBIOCSTIME: %s",
pcap_strerror(errno));
goto bad;
}
}
/*
** Set the chunk length.
*/
chunksize = CHUNKSIZE;
if (strioctl(p->fd, SBIOCSCHUNK, sizeof(chunksize), (char *)&chunksize)
!= 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "SBIOCSCHUNKP: %s",
pcap_strerror(errno));
goto bad;
}
#endif
/*
** As the last operation flush the read side.
*/
if (ioctl(p->fd, I_FLUSH, FLUSHR) != 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "FLUSHR: %s",
pcap_strerror(errno));
goto bad;
}
/* Allocate data buffer */
p->bufsize = PKTBUFSIZE;
p->buffer = (u_char *)malloc(p->bufsize + p->offset);
if (p->buffer == NULL) {
strlcpy(ebuf, pcap_strerror(errno), PCAP_ERRBUF_SIZE);
goto bad;
}
/*
* "p->fd" is an FD for a STREAMS device, so "select()" and
* "poll()" should work on it.
*/
p->selectable_fd = p->fd;
p->read_op = pcap_read_dlpi;
p->inject_op = pcap_inject_dlpi;
p->setfilter_op = install_bpf_program; /* no kernel filtering */
p->setdirection_op = NULL; /* Not implemented.*/
p->set_datalink_op = NULL; /* can't change data link type */
p->getnonblock_op = pcap_getnonblock_fd;
p->setnonblock_op = pcap_setnonblock_fd;
p->stats_op = pcap_stats_dlpi;
p->close_op = pcap_close_dlpi;
return (p);
bad:
if (p->fd >= 0)
close(p->fd);
if (p->send_fd >= 0)
close(p->send_fd);
/*
* Get rid of any link-layer type list we allocated.
*/
if (p->dlt_list != NULL)
free(p->dlt_list);
free(p);
return (NULL);
}
static int
pcap_read_dlpi(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
register int cc, n, caplen, origlen;
register u_char *bp, *ep, *pk;
register struct bpf_insn *fcode;
#ifdef HAVE_SYS_BUFMOD_H
register struct sb_hdr *sbp;
#ifdef LBL_ALIGN
struct sb_hdr sbhdr;
#endif
#endif
int flags;
struct strbuf data;
struct pcap_pkthdr pkthdr;
flags = 0;
cc = p->cc;
if (cc == 0) {
data.buf = (char *)p->buffer + p->offset;
data.maxlen = p->bufsize;
data.len = 0;
do {
/*
* Has "pcap_breakloop()" been called?
*/
if (p->break_loop) {
/*
* Yes - clear the flag that indicates
* that it has, and return -2 to
* indicate that we were told to
* break out of the loop.
*/
p->break_loop = 0;
return (-2);
}
/*
* XXX - check for the DLPI primitive, which
* would be DL_HP_RAWDATA_IND on HP-UX
* if we're in raw mode?
*/
if (getmsg(p->fd, &ctl, &data, &flags) < 0) {
/* Don't choke when we get ptraced */
switch (errno) {
case EINTR:
cc = 0;
continue;
case EAGAIN:
return (0);
}
strlcpy(p->errbuf, pcap_strerror(errno),
sizeof(p->errbuf));
return (-1);
}
cc = data.len;
} while (cc == 0);
bp = p->buffer + p->offset;
} else
bp = p->bp;
/* Loop through packets */
fcode = p->fcode.bf_insns;
ep = bp + cc;
n = 0;
#ifdef HAVE_SYS_BUFMOD_H
while (bp < ep) {
/*
* Has "pcap_breakloop()" been called?
* If so, return immediately - if we haven't read any
* packets, clear the flag and return -2 to indicate
* that we were told to break out of the loop, otherwise
* leave the flag set, so that the *next* call will break
* out of the loop without having read any packets, and
* return the number of packets we've processed so far.
*/
if (p->break_loop) {
if (n == 0) {
p->break_loop = 0;
return (-2);
} else {
p->bp = bp;
p->cc = ep - bp;
return (n);
}
}
#ifdef LBL_ALIGN
if ((long)bp & 3) {
sbp = &sbhdr;
memcpy(sbp, bp, sizeof(*sbp));
} else
#endif
sbp = (struct sb_hdr *)bp;
p->md.stat.ps_drop = sbp->sbh_drops;
pk = bp + sizeof(*sbp);
bp += sbp->sbh_totlen;
origlen = sbp->sbh_origlen;
caplen = sbp->sbh_msglen;
#else
origlen = cc;
caplen = min(p->snapshot, cc);
pk = bp;
bp += caplen;
#endif
++p->md.stat.ps_recv;
if (bpf_filter(fcode, pk, origlen, caplen)) {
#ifdef HAVE_SYS_BUFMOD_H
pkthdr.ts.tv_sec = sbp->sbh_timestamp.tv_sec;
pkthdr.ts.tv_usec = sbp->sbh_timestamp.tv_usec;
#else
(void)gettimeofday(&pkthdr.ts, NULL);
#endif
pkthdr.len = origlen;
pkthdr.caplen = caplen;
/* Insure caplen does not exceed snapshot */
if (pkthdr.caplen > p->snapshot)
pkthdr.caplen = p->snapshot;
(*callback)(user, &pkthdr, pk);
if (++n >= cnt && cnt >= 0) {
p->cc = ep - bp;
p->bp = bp;
return (n);
}
}
#ifdef HAVE_SYS_BUFMOD_H
}
#endif
p->cc = 0;
return (n);
}
/*
* Get from "/proc/net/dev" all interfaces listed there; if they're
* already in the list of interfaces we have, that won't add another
* instance, but if they're not, that'll add them.
*
* We don't bother getting any addresses for them; it appears you can't
* use SIOCGIFADDR on Linux to get IPv6 addresses for interfaces, and,
* although some other types of addresses can be fetched with SIOCGIFADDR,
* we don't bother with them for now.
*
* We also don't fail if we couldn't open "/proc/net/dev"; we just leave
* the list of interfaces as is.
*/
static int
scan_proc_net_dev(pcap_if_t **devlistp, int fd, char *errbuf)
{
FILE *proc_net_f;
char linebuf[512];
int linenum;
unsigned char *p;
char name[512]; /* XXX - pick a size */
char *q, *saveq;
struct ifreq ifrflags;
int ret = 0;
proc_net_f = fopen("/proc/net/dev", "r");
if (proc_net_f == NULL)
return (0);
for (linenum = 1;
fgets(linebuf, sizeof linebuf, proc_net_f) != NULL; linenum++) {
/*
* Skip the first two lines - they're headers.
*/
if (linenum <= 2)
continue;
p = &linebuf[0];
/*
* Skip leading white space.
*/
while (*p != '\0' && isspace(*p))
p++;
if (*p == '\0' || *p == '\n')
continue; /* blank line */
/*
* Get the interface name.
*/
q = &name[0];
while (*p != '\0' && !isspace(*p)) {
if (*p == ':') {
/*
* This could be the separator between a
* name and an alias number, or it could be
* the separator between a name with no
* alias number and the next field.
*
* If there's a colon after digits, it
* separates the name and the alias number,
* otherwise it separates the name and the
* next field.
*/
saveq = q;
while (isdigit(*p))
*q++ = *p++;
if (*p != ':') {
/*
* That was the next field,
* not the alias number.
*/
q = saveq;
}
break;
} else
*q++ = *p++;
}
*q = '\0';
/*
* Get the flags for this interface, and skip it if
* it's not up.
*/
strncpy(ifrflags.ifr_name, name, sizeof(ifrflags.ifr_name));
if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) {
if (errno == ENXIO)
continue;
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFFLAGS: %.*s: %s",
(int)sizeof(ifrflags.ifr_name),
ifrflags.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
if (!(ifrflags.ifr_flags & IFF_UP))
continue;
/*
* Add an entry for this interface, with no addresses.
*/
if (pcap_add_if(devlistp, name, ifrflags.ifr_flags, NULL,
errbuf) == -1) {
/*
* Failure.
*/
ret = -1;
break;
}
}
if (ret != -1) {
/*
* Well, we didn't fail for any other reason; did we
* fail due to an error reading the file?
*/
if (ferror(proc_net_f)) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"Error reading /proc/net/dev: %s",
pcap_strerror(errno));
ret = -1;
}
}
(void)fclose(proc_net_f);
return (ret);
}
/*
* XXX reimplement pcap_open_live with privsep, this is the
* unprivileged part.
*/
pcap_t *
priv_pcap_live(const char *dev, int slen, int prom, int to_ms,
char *ebuf, u_int dlt, u_int dirfilt)
{
int fd, err;
struct bpf_version bv;
u_int v;
pcap_t *p;
if (priv_fd < 0)
errx(1, "%s: called from privileged portion", __func__);
if (dev == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "No interface specified");
return (NULL);
}
p = malloc(sizeof(*p));
if (p == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
pcap_strerror(errno));
return (NULL);
}
bzero(p, sizeof(*p));
write_command(priv_fd, PRIV_OPEN_BPF);
must_write(priv_fd, &slen, sizeof(int));
must_write(priv_fd, &prom, sizeof(int));
must_write(priv_fd, &dlt, sizeof(u_int));
must_write(priv_fd, &dirfilt, sizeof(u_int));
write_string(priv_fd, dev);
fd = receive_fd(priv_fd);
must_read(priv_fd, &err, sizeof(int));
if (fd < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"Failed to open bpf device for %s: %s",
dev, strerror(err));
goto bad;
}
/* fd is locked, can only use 'safe' ioctls */
if (ioctl(fd, BIOCVERSION, &bv) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
pcap_strerror(errno));
goto bad;
}
if (bv.bv_major != BPF_MAJOR_VERSION ||
bv.bv_minor < BPF_MINOR_VERSION) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"kernel bpf filter out of date");
goto bad;
}
p->fd = fd;
p->snapshot = slen;
/* Get the data link layer type. */
if (ioctl(fd, BIOCGDLT, &v) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
pcap_strerror(errno));
goto bad;
}
p->linktype = v;
/* XXX hack */
if (p->linktype == DLT_PFLOG && p->snapshot < 160)
p->snapshot = 160;
/* set timeout */
if (to_ms != 0) {
struct timeval to;
to.tv_sec = to_ms / 1000;
to.tv_usec = (to_ms * 1000) % 1000000;
if (ioctl(p->fd, BIOCSRTIMEOUT, &to) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
pcap_strerror(errno));
goto bad;
}
}
if (ioctl(fd, BIOCGBLEN, &v) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
pcap_strerror(errno));
goto bad;
}
p->bufsize = v;
p->buffer = malloc(p->bufsize);
if (p->buffer == NULL) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
pcap_strerror(errno));
goto bad;
}
return (p);
bad:
if (fd >= 0)
close(fd);
free(p);
return (NULL);
}
int
pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
{
pcap_if_t *devlist = NULL;
register int fd;
register struct ifreq *ifrp, *ifend, *ifnext;
int n;
struct ifconf ifc;
char *buf = NULL;
unsigned buf_size;
struct ifreq ifrflags, ifrnetmask, ifrbroadaddr, ifrdstaddr;
struct sockaddr *netmask, *broadaddr, *dstaddr;
int ret = 0;
/*
* Create a socket from which to fetch the list of interfaces.
*/
fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd < 0) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"socket: %s", pcap_strerror(errno));
return (-1);
}
/*
* Start with an 8K buffer, and keep growing the buffer until
* we get the entire interface list or fail to get it for some
* reason other than EINVAL (which is presumed here to mean
* "buffer is too small").
*/
buf_size = 8192;
for (;;) {
buf = malloc(buf_size);
if (buf == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
(void)close(fd);
return (-1);
}
ifc.ifc_len = buf_size;
ifc.ifc_buf = buf;
memset(buf, 0, buf_size);
if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0
&& errno != EINVAL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFCONF: %s", pcap_strerror(errno));
(void)close(fd);
free(buf);
return (-1);
}
if (ifc.ifc_len < buf_size)
break;
free(buf);
buf_size *= 2;
}
ifrp = (struct ifreq *)buf;
ifend = (struct ifreq *)(buf + ifc.ifc_len);
for (; ifrp < ifend; ifrp = ifnext) {
n = SA_LEN(&ifrp->ifr_addr) + sizeof(ifrp->ifr_name);
if (n < sizeof(*ifrp))
ifnext = ifrp + 1;
else
ifnext = (struct ifreq *)((char *)ifrp + n);
/*
* Get the flags for this interface, and skip it if it's
* not up.
*/
strncpy(ifrflags.ifr_name, ifrp->ifr_name,
sizeof(ifrflags.ifr_name));
if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) {
if (errno == ENXIO)
continue;
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFFLAGS: %.*s: %s",
(int)sizeof(ifrflags.ifr_name),
ifrflags.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
if (!(ifrflags.ifr_flags & IFF_UP))
continue;
/*
* Get the netmask for this address on this interface.
*/
strncpy(ifrnetmask.ifr_name, ifrp->ifr_name,
sizeof(ifrnetmask.ifr_name));
memcpy(&ifrnetmask.ifr_addr, &ifrp->ifr_addr,
sizeof(ifrnetmask.ifr_addr));
if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifrnetmask) < 0) {
if (errno == EADDRNOTAVAIL) {
/*
* Not available.
*/
netmask = NULL;
} else {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFNETMASK: %.*s: %s",
(int)sizeof(ifrnetmask.ifr_name),
ifrnetmask.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
} else
netmask = &ifrnetmask.ifr_addr;
/*
* Get the broadcast address for this address on this
* interface (if any).
*/
if (ifrflags.ifr_flags & IFF_BROADCAST) {
strncpy(ifrbroadaddr.ifr_name, ifrp->ifr_name,
sizeof(ifrbroadaddr.ifr_name));
memcpy(&ifrbroadaddr.ifr_addr, &ifrp->ifr_addr,
sizeof(ifrbroadaddr.ifr_addr));
if (ioctl(fd, SIOCGIFBRDADDR,
(char *)&ifrbroadaddr) < 0) {
if (errno == EADDRNOTAVAIL) {
/*
* Not available.
*/
broadaddr = NULL;
} else {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFBRDADDR: %.*s: %s",
(int)sizeof(ifrbroadaddr.ifr_name),
ifrbroadaddr.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
} else
broadaddr = &ifrbroadaddr.ifr_broadaddr;
} else {
/*
* Not a broadcast interface, so no broadcast
* address.
*/
broadaddr = NULL;
}
/*
* Get the destination address for this address on this
* interface (if any).
*/
if (ifrflags.ifr_flags & IFF_POINTOPOINT) {
strncpy(ifrdstaddr.ifr_name, ifrp->ifr_name,
sizeof(ifrdstaddr.ifr_name));
memcpy(&ifrdstaddr.ifr_addr, &ifrp->ifr_addr,
sizeof(ifrdstaddr.ifr_addr));
if (ioctl(fd, SIOCGIFDSTADDR,
(char *)&ifrdstaddr) < 0) {
if (errno == EADDRNOTAVAIL) {
/*
* Not available.
*/
dstaddr = NULL;
} else {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFDSTADDR: %.*s: %s",
(int)sizeof(ifrdstaddr.ifr_name),
ifrdstaddr.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
} else
dstaddr = &ifrdstaddr.ifr_dstaddr;
} else
dstaddr = NULL;
/*
* Add information for this address to the list.
*/
if (add_addr_to_iflist(&devlist, ifrp->ifr_name,
ifrflags.ifr_flags, &ifrp->ifr_addr,
netmask, broadaddr, dstaddr, errbuf) < 0) {
ret = -1;
break;
}
}
free(buf);
#ifdef HAVE_PROC_NET_DEV
if (ret != -1) {
/*
* We haven't had any errors yet; now read "/proc/net/dev",
* and add to the list of interfaces all interfaces listed
* there that we don't already have, because, on Linux,
* SIOCGIFCONF reports only interfaces with IPv4 addresses,
* so you need to read "/proc/net/dev" to get the names of
* the rest of the interfaces.
*/
ret = scan_proc_net_dev(&devlist, fd, errbuf);
}
#endif
(void)close(fd);
if (ret != -1) {
/*
* We haven't had any errors yet; add the "any" device,
* if we can open it.
*/
if (pcap_add_if(&devlist, "any", 0, any_descr, errbuf) < 0) {
/*
* Oops, we had a fatal error.
*/
ret = -1;
}
}
if (ret == -1) {
/*
* We had an error; free the list we've been constructing.
*/
if (devlist != NULL) {
pcap_freealldevs(devlist);
devlist = NULL;
}
}
*alldevsp = devlist;
return (ret);
}
pcap_t *
priv_pcap_offline(const char *fname, char *errbuf)
{
pcap_t *p;
FILE *fp = NULL;
struct pcap_file_header hdr;
int linklen, err;
if (priv_fd < 0)
errx(1, "%s: called from privileged portion", __func__);
p = malloc(sizeof(*p));
if (p == NULL) {
strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
return (NULL);
}
memset((char *)p, 0, sizeof(*p));
if (fname[0] == '-' && fname[1] == '\0') {
p->fd = -1;
fp = stdin;
} else {
write_command(priv_fd, PRIV_OPEN_DUMP);
p->fd = receive_fd(priv_fd);
must_read(priv_fd, &err, sizeof(int));
if (p->fd < 0) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"Failed to open input file %s: %s",
fname, strerror(err));
goto bad;
}
fp = fdopen(p->fd, "r");
if (fp == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", fname,
pcap_strerror(errno));
close(p->fd);
p->fd = -1;
goto bad;
}
}
if (fread((char *)&hdr, sizeof(hdr), 1, fp) != 1) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "fread: %s",
pcap_strerror(errno));
goto bad;
}
if (hdr.magic != TCPDUMP_MAGIC) {
if (swap32(hdr.magic) != TCPDUMP_MAGIC) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"bad dump file format");
goto bad;
}
p->sf.swapped = 1;
swap_hdr(&hdr);
}
if (hdr.version_major < PCAP_VERSION_MAJOR) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "archaic file format");
goto bad;
}
p->tzoff = hdr.thiszone;
p->snapshot = hdr.snaplen;
p->linktype = hdr.linktype;
p->sf.rfile = fp;
p->bufsize = hdr.snaplen;
/* Align link header as required for proper data alignment */
/* XXX should handle all types */
switch (p->linktype) {
case DLT_EN10MB:
linklen = 14;
break;
case DLT_FDDI:
linklen = 13 + 8; /* fddi_header + llc */
break;
case DLT_NULL:
default:
linklen = 0;
break;
}
if (p->bufsize < 0)
p->bufsize = BPF_MAXBUFSIZE;
p->sf.base = malloc(p->bufsize + BPF_ALIGNMENT);
if (p->sf.base == NULL) {
strlcpy(errbuf, "out of swap", PCAP_ERRBUF_SIZE);
goto bad;
}
p->buffer = p->sf.base + BPF_ALIGNMENT - (linklen % BPF_ALIGNMENT);
p->sf.version_major = hdr.version_major;
p->sf.version_minor = hdr.version_minor;
#ifdef PCAP_FDDIPAD
/* XXX what to do with this? */
/* XXX padding only needed for kernel fcode */
pcap_fddipad = 0;
#endif
return (p);
bad:
if (fp != NULL && p->fd != -1)
fclose(fp);
free(p);
return (NULL);
}
static int
recv_ack(int fd, int size, const char *what, char *bufp, char *ebuf, int *uerror)
{
union DL_primitives *dlp;
struct strbuf ctl;
int flags;
/*
* Clear out "*uerror", so it's only set for DL_ERROR_ACK/DL_SYSERR,
* making that the only place where EBUSY is treated specially.
*/
if (uerror != NULL)
*uerror = 0;
ctl.maxlen = MAXDLBUF;
ctl.len = 0;
ctl.buf = bufp;
flags = 0;
if (getmsg(fd, &ctl, (struct strbuf*)NULL, &flags) < 0) {
snprintf(ebuf, PCAP_ERRBUF_SIZE, "recv_ack: %s getmsg: %s",
what, pcap_strerror(errno));
return (PCAP_ERROR);
}
dlp = MAKE_DL_PRIMITIVES(ctl.buf);
switch (dlp->dl_primitive) {
case DL_INFO_ACK:
case DL_BIND_ACK:
case DL_OK_ACK:
#ifdef DL_HP_PPA_ACK
case DL_HP_PPA_ACK:
#endif
/* These are OK */
break;
case DL_ERROR_ACK:
switch (dlp->error_ack.dl_errno) {
case DL_SYSERR:
if (uerror != NULL)
*uerror = dlp->error_ack.dl_unix_errno;
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"recv_ack: %s: UNIX error - %s",
what, pcap_strerror(dlp->error_ack.dl_unix_errno));
if (dlp->error_ack.dl_unix_errno == EPERM ||
dlp->error_ack.dl_unix_errno == EACCES)
return (PCAP_ERROR_PERM_DENIED);
break;
default:
snprintf(ebuf, PCAP_ERRBUF_SIZE, "recv_ack: %s: %s",
what, dlstrerror(dlp->error_ack.dl_errno));
if (dlp->error_ack.dl_errno == DL_BADPPA)
return (PCAP_ERROR_NO_SUCH_DEVICE);
else if (dlp->error_ack.dl_errno == DL_ACCESS)
return (PCAP_ERROR_PERM_DENIED);
break;
}
return (PCAP_ERROR);
default:
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"recv_ack: %s: Unexpected primitive ack %s",
what, dlprim(dlp->dl_primitive));
return (PCAP_ERROR);
}
if (ctl.len < size) {
snprintf(ebuf, PCAP_ERRBUF_SIZE,
"recv_ack: %s: Ack too small (%d < %d)",
what, ctl.len, size);
return (PCAP_ERROR);
}
return (ctl.len);
}
/*
* Check whether this is a pcap-ng savefile and, if it is, extract the
* relevant information from the header.
*/
pcap_t *
pcap_ng_check_header(bpf_u_int32 magic, FILE *fp, u_int precision, char *errbuf,
int *err)
{
size_t amt_read;
bpf_u_int32 total_length;
bpf_u_int32 byte_order_magic;
struct block_header *bhdrp;
struct section_header_block *shbp;
pcap_t *p;
int swapped = 0;
struct pcap_ng_sf *ps;
int status;
struct block_cursor cursor;
struct interface_description_block *idbp;
/*
* Assume no read errors.
*/
*err = 0;
/*
* Check whether the first 4 bytes of the file are the block
* type for a pcap-ng savefile.
*/
if (magic != BT_SHB) {
/*
* XXX - check whether this looks like what the block
* type would be after being munged by mapping between
* UN*X and DOS/Windows text file format and, if it
* does, look for the byte-order magic number in
* the appropriate place and, if we find it, report
* this as possibly being a pcap-ng file transferred
* between UN*X and Windows in text file format?
*/
return (NULL); /* nope */
}
/*
* OK, they are. However, that's just \n\r\r\n, so it could,
* conceivably, be an ordinary text file.
*
* It could not, however, conceivably be any other type of
* capture file, so we can read the rest of the putative
* Section Header Block; put the block type in the common
* header, read the rest of the common header and the
* fixed-length portion of the SHB, and look for the byte-order
* magic value.
*/
amt_read = fread(&total_length, 1, sizeof(total_length), fp);
if (amt_read < sizeof(total_length)) {
if (ferror(fp)) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
*err = 1;
return (NULL); /* fail */
}
/*
* Possibly a weird short text file, so just say
* "not pcap-ng".
*/
return (NULL);
}
amt_read = fread(&byte_order_magic, 1, sizeof(byte_order_magic), fp);
if (amt_read < sizeof(byte_order_magic)) {
if (ferror(fp)) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"error reading dump file: %s",
pcap_strerror(errno));
*err = 1;
return (NULL); /* fail */
}
/*
* Possibly a weird short text file, so just say
* "not pcap-ng".
*/
return (NULL);
}
if (byte_order_magic != BYTE_ORDER_MAGIC) {
byte_order_magic = SWAPLONG(byte_order_magic);
if (byte_order_magic != BYTE_ORDER_MAGIC) {
/*
* Not a pcap-ng file.
*/
return (NULL);
}
swapped = 1;
total_length = SWAPLONG(total_length);
}
/*
* Check the sanity of the total length.
*/
if (total_length < sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"Section Header Block in pcap-ng dump file has a length of %u < %lu",
total_length,
(unsigned long)(sizeof(*bhdrp) + sizeof(*shbp) + sizeof(struct block_trailer)));
*err = 1;
return (NULL);
}
/*
* OK, this is a good pcap-ng file.
* Allocate a pcap_t for it.
*/
p = pcap_open_offline_common(errbuf, sizeof (struct pcap_ng_sf));
if (p == NULL) {
/* Allocation failed. */
*err = 1;
return (NULL);
}
p->swapped = swapped;
ps = p->priv;
/*
* What precision does the user want?
*/
switch (precision) {
case PCAP_TSTAMP_PRECISION_MICRO:
ps->user_tsresol = 1000000;
break;
case PCAP_TSTAMP_PRECISION_NANO:
ps->user_tsresol = 1000000000;
break;
default:
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"unknown time stamp resolution %u", precision);
free(p);
*err = 1;
return (NULL);
}
p->opt.tstamp_precision = precision;
/*
* Allocate a buffer into which to read blocks. We default to
* the maximum of:
*
* the total length of the SHB for which we read the header;
*
* 2K, which should be more than large enough for an Enhanced
* Packet Block containing a full-size Ethernet frame, and
* leaving room for some options.
*
* If we find a bigger block, we reallocate the buffer.
*/
p->bufsize = 2048;
if (p->bufsize < (int)total_length)
p->bufsize = total_length;
p->buffer = malloc(p->bufsize);
if (p->buffer == NULL) {
snprintf(errbuf, PCAP_ERRBUF_SIZE, "out of memory");
free(p);
*err = 1;
return (NULL);
}
/*
* Copy the stuff we've read to the buffer, and read the rest
* of the SHB.
*/
bhdrp = (struct block_header *)(void *)p->buffer;
shbp = (struct section_header_block *)(void *)(p->buffer + sizeof(struct block_header));
bhdrp->block_type = magic;
bhdrp->total_length = total_length;
shbp->byte_order_magic = byte_order_magic;
if (read_bytes(fp,
p->buffer + (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
total_length - (sizeof(magic) + sizeof(total_length) + sizeof(byte_order_magic)),
1, errbuf) == -1)
goto fail;
if (p->swapped) {
/*
* Byte-swap the fields we've read.
*/
shbp->major_version = SWAPSHORT((uint32_t)shbp->major_version);
shbp->minor_version = SWAPSHORT((uint32_t)shbp->minor_version);
/*
* XXX - we don't care about the section length.
*/
}
if (shbp->major_version != PCAP_NG_VERSION_MAJOR) {
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"unknown pcap-ng savefile major version number %u",
shbp->major_version);
goto fail;
}
p->version_major = shbp->major_version;
p->version_minor = shbp->minor_version;
/*
* Save the time stamp resolution the user requested.
*/
p->opt.tstamp_precision = precision;
/*
* Now start looking for an Interface Description Block.
*/
for (;;) {
/*
* Read the next block.
*/
status = read_block(fp, p, &cursor, errbuf);
if (status == 0) {
/* EOF - no IDB in this file */
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"the capture file has no Interface Description Blocks");
goto fail;
}
if (status == -1)
goto fail; /* error */
switch (cursor.block_type) {
case BT_IDB:
/*
* Get a pointer to the fixed-length portion of the
* IDB.
*/
idbp = get_from_block_data(&cursor, sizeof(*idbp),
errbuf);
if (idbp == NULL)
goto fail; /* error */
/*
* Byte-swap it if necessary.
*/
if (p->swapped) {
idbp->linktype = SWAPSHORT((uint16_t)idbp->linktype);
idbp->snaplen = SWAPLONG(idbp->snaplen);
}
/*
* Try to add this interface.
*/
if (!add_interface(p, &cursor, errbuf))
goto fail;
goto done;
case BT_EPB:
case BT_SPB:
case BT_PB:
/*
* Saw a packet before we saw any IDBs. That's
* not valid, as we don't know what link-layer
* encapsulation the packet has.
*/
snprintf(errbuf, PCAP_ERRBUF_SIZE,
"the capture file has a packet block before any Interface Description Blocks");
goto fail;
default:
/*
* Just ignore it.
*/
break;
}
}
done:
p->tzoff = 0; /* XXX - not used in pcap */
p->snapshot = idbp->snaplen;
p->linktype = linktype_to_dlt(idbp->linktype);
p->linktype_ext = 0;
p->next_packet_op = pcap_ng_next_packet;
p->cleanup_op = pcap_ng_cleanup;
return (p);
fail:
free(ps->ifaces);
free(p->buffer);
free(p);
*err = 1;
return (NULL);
}
static int
pcap_inject_dlpi(pcap_t *p, const void *buf, size_t size)
{
#ifdef DL_HP_RAWDLS
struct pcap_dlpi *pd = p->priv;
#endif
int ret;
#if defined(DLIOCRAW)
ret = write(p->fd, buf, size);
if (ret == -1) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
pcap_strerror(errno));
return (-1);
}
#elif defined(DL_HP_RAWDLS)
if (pd->send_fd < 0) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"send: Output FD couldn't be opened");
return (-1);
}
ret = dlrawdatareq(pd->send_fd, buf, size);
if (ret == -1) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
pcap_strerror(errno));
return (-1);
}
/*
* putmsg() returns either 0 or -1; it doesn't indicate how
* many bytes were written (presumably they were all written
* or none of them were written). OpenBSD's pcap_inject()
* returns the number of bytes written, so, for API compatibility,
* we return the number of bytes we were told to write.
*/
ret = size;
#else /* no raw mode */
/*
* XXX - this is a pain, because you might have to extract
* the address from the packet and use it in a DL_UNITDATA_REQ
* request. That would be dependent on the link-layer type.
*
* I also don't know what SAP you'd have to bind the descriptor
* to, or whether you'd need separate "receive" and "send" FDs,
* nor do I know whether you'd need different bindings for
* D/I/X Ethernet and 802.3, or for {FDDI,Token Ring} plus
* 802.2 and {FDDI,Token Ring} plus 802.2 plus SNAP.
*
* So, for now, we just return a "you can't send" indication,
* and leave it up to somebody with a DLPI-based system lacking
* both DLIOCRAW and DL_HP_RAWDLS to supply code to implement
* packet transmission on that system. If they do, they should
* send it to us - but should not send us code that assumes
* Ethernet; if the code doesn't work on non-Ethernet interfaces,
* it should check "p->linktype" and reject the send request if
* it's anything other than DLT_EN10MB.
*/
strlcpy(p->errbuf, "send: Not supported on this version of this OS",
PCAP_ERRBUF_SIZE);
ret = -1;
#endif /* raw mode */
return (ret);
}
/*
* XXX - on FreeBSDs that support it, should it get the sysctl named
* "dev.{adapter family name}.{adapter unit}.%desc" to get a description
* of the adapter? Note that "dev.an.0.%desc" is "Aironet PC4500/PC4800"
* with my Cisco 350 card, so the name isn't entirely descriptive. The
* "dev.an.0.%pnpinfo" has a better description, although one might argue
* that the problem is really a driver bug - if it can find out that it's
* a Cisco 340 or 350, rather than an old Aironet card, it should use
* that in the description.
*
* Do NetBSD, DragonflyBSD, or OpenBSD support this as well? FreeBSD
* and OpenBSD let you get a description, but it's not generated by the OS,
* it's set with another ioctl that ifconfig supports; we use that to get
* a description in FreeBSD and OpenBSD, but if there is no such
* description available, it still might be nice to get some description
* string based on the device type or something such as that.
*
* In OS X, the System Configuration framework can apparently return
* names in 10.4 and later.
*
* It also appears that freedesktop.org's HAL offers an "info.product"
* string, but the HAL specification says it "should not be used in any
* UI" and "subsystem/capability specific properties" should be used
* instead and, in any case, I think HAL is being deprecated in
* favor of other stuff such as DeviceKit. DeviceKit doesn't appear
* to have any obvious product information for devices, but maybe
* I haven't looked hard enough.
*
* Using the System Configuration framework, or HAL, or DeviceKit, or
* whatever, would require that libpcap applications be linked with
* the frameworks/libraries in question. That shouldn't be a problem
* for programs linking with the shared version of libpcap (unless
* you're running on AIX - which I think is the only UN*X that doesn't
* support linking a shared library with other libraries on which it
* depends, and having an executable linked only with the first shared
* library automatically pick up the other libraries when started -
* and using HAL or whatever). Programs linked with the static
* version of libpcap would have to use pcap-config with the --static
* flag in order to get the right linker flags in order to pick up
* the additional libraries/frameworks; those programs need that anyway
* for libpcap 1.1 and beyond on Linux, as, by default, it requires
* -lnl.
*
* Do any other UN*Xes, or desktop environments support getting a
* description?
*/
int
add_addr_to_iflist(pcap_if_t **alldevs, const char *name, u_int flags,
struct sockaddr *addr, size_t addr_size,
struct sockaddr *netmask, size_t netmask_size,
struct sockaddr *broadaddr, size_t broadaddr_size,
struct sockaddr *dstaddr, size_t dstaddr_size,
char *errbuf)
{
pcap_if_t *curdev;
char *description = NULL;
pcap_addr_t *curaddr, *prevaddr, *nextaddr;
#ifdef SIOCGIFDESCR
int s;
struct ifreq ifrdesc;
#ifndef IFDESCRSIZE
size_t descrlen = 64;
#else
size_t descrlen = IFDESCRSIZE;
#endif /* IFDESCRSIZE */
#endif /* SIOCGIFDESCR */
#ifdef SIOCGIFDESCR
/*
* Get the description for the interface.
*/
memset(&ifrdesc, 0, sizeof ifrdesc);
strlcpy(ifrdesc.ifr_name, name, sizeof ifrdesc.ifr_name);
s = socket(AF_INET, SOCK_DGRAM, 0);
if (s >= 0) {
#ifdef __FreeBSD__
/*
* On FreeBSD, if the buffer isn't big enough for the
* description, the ioctl succeeds, but the description
* isn't copied, ifr_buffer.length is set to the description
* length, and ifr_buffer.buffer is set to NULL.
*/
for (;;) {
free(description);
if ((description = malloc(descrlen)) != NULL) {
ifrdesc.ifr_buffer.buffer = description;
ifrdesc.ifr_buffer.length = descrlen;
if (ioctl(s, SIOCGIFDESCR, &ifrdesc) == 0) {
if (ifrdesc.ifr_buffer.buffer ==
description)
break;
else
descrlen = ifrdesc.ifr_buffer.length;
} else {
/*
* Failed to get interface description.
*/
free(description);
description = NULL;
break;
}
} else
break;
}
#else /* __FreeBSD__ */
/*
* The only other OS that currently supports
* SIOCGIFDESCR is OpenBSD, and it has no way
* to get the description length - it's clamped
* to a maximum of IFDESCRSIZE.
*/
if ((description = malloc(descrlen)) != NULL) {
ifrdesc.ifr_data = (caddr_t)description;
if (ioctl(s, SIOCGIFDESCR, &ifrdesc) != 0) {
/*
* Failed to get interface description.
*/
free(description);
description = NULL;
}
}
#endif /* __FreeBSD__ */
close(s);
if (description != NULL && strlen(description) == 0) {
free(description);
description = NULL;
}
}
#endif /* SIOCGIFDESCR */
if (add_or_find_if(&curdev, alldevs, name, flags, description,
errbuf) == -1) {
free(description);
/*
* Error - give up.
*/
return (-1);
}
free(description);
if (curdev == NULL) {
/*
* Device wasn't added because it can't be opened.
* Not a fatal error.
*/
return (0);
}
/*
* "curdev" is an entry for this interface; add an entry for this
* address to its list of addresses.
*
* Allocate the new entry and fill it in.
*/
curaddr = malloc(sizeof(pcap_addr_t));
if (curaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
return (-1);
}
curaddr->next = NULL;
if (addr != NULL) {
curaddr->addr = dup_sockaddr(addr, addr_size);
if (curaddr->addr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curaddr);
return (-1);
}
} else
curaddr->addr = NULL;
if (netmask != NULL) {
curaddr->netmask = dup_sockaddr(netmask, netmask_size);
if (curaddr->netmask == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
if (curaddr->addr != NULL)
free(curaddr->addr);
free(curaddr);
return (-1);
}
} else
curaddr->netmask = NULL;
if (broadaddr != NULL) {
curaddr->broadaddr = dup_sockaddr(broadaddr, broadaddr_size);
if (curaddr->broadaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
if (curaddr->netmask != NULL)
free(curaddr->netmask);
if (curaddr->addr != NULL)
free(curaddr->addr);
free(curaddr);
return (-1);
}
} else
curaddr->broadaddr = NULL;
if (dstaddr != NULL) {
curaddr->dstaddr = dup_sockaddr(dstaddr, dstaddr_size);
if (curaddr->dstaddr == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
if (curaddr->broadaddr != NULL)
free(curaddr->broadaddr);
if (curaddr->netmask != NULL)
free(curaddr->netmask);
if (curaddr->addr != NULL)
free(curaddr->addr);
free(curaddr);
return (-1);
}
} else
curaddr->dstaddr = NULL;
/*
* Find the end of the list of addresses.
*/
for (prevaddr = curdev->addresses; prevaddr != NULL; prevaddr = nextaddr) {
nextaddr = prevaddr->next;
if (nextaddr == NULL) {
/*
* This is the end of the list.
*/
break;
}
}
if (prevaddr == NULL) {
/*
* The list was empty; this is the first member.
*/
curdev->addresses = curaddr;
} else {
/*
* "prevaddr" is the last member of the list; append
* this member to it.
*/
prevaddr->next = curaddr;
}
return (0);
}
/*
* Get a list of all interfaces that are up and that we can open.
* Returns -1 on error, 0 otherwise.
* The list, as returned through "alldevsp", may be null if no interfaces
* were up and could be opened.
*
* This is the implementation used on platforms that have SIOCGIFCONF but
* don't have any other mechanism for getting a list of interfaces.
*
* XXX - or platforms that have other, better mechanisms but for which
* we don't yet have code to use that mechanism; I think there's a better
* way on Linux, for example, but if that better way is "getifaddrs()",
* we already have that.
*/
int
pcap_findalldevs_interfaces(pcap_if_t **alldevsp, char *errbuf)
{
pcap_if_t *devlist = NULL;
register int fd;
register struct ifreq *ifrp, *ifend, *ifnext;
int n;
struct ifconf ifc;
char *buf = NULL;
unsigned buf_size;
#if defined (HAVE_SOLARIS) || defined (HAVE_HPUX10_20_OR_LATER)
char *p, *q;
#endif
struct ifreq ifrflags, ifrnetmask, ifrbroadaddr, ifrdstaddr;
struct sockaddr *netmask, *broadaddr, *dstaddr;
size_t netmask_size, broadaddr_size, dstaddr_size;
int ret = 0;
/*
* Create a socket from which to fetch the list of interfaces.
*/
fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd < 0) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"socket: %s", pcap_strerror(errno));
return (-1);
}
/*
* Start with an 8K buffer, and keep growing the buffer until
* we have more than "sizeof(ifrp->ifr_name) + MAX_SA_LEN"
* bytes left over in the buffer or we fail to get the
* interface list for some reason other than EINVAL (which is
* presumed here to mean "buffer is too small").
*/
buf_size = 8192;
for (;;) {
buf = malloc(buf_size);
if (buf == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
(void)close(fd);
return (-1);
}
ifc.ifc_len = buf_size;
ifc.ifc_buf = buf;
memset(buf, 0, buf_size);
if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0
&& errno != EINVAL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFCONF: %s", pcap_strerror(errno));
(void)close(fd);
free(buf);
return (-1);
}
if (ifc.ifc_len < buf_size &&
(buf_size - ifc.ifc_len) > sizeof(ifrp->ifr_name) + MAX_SA_LEN)
break;
free(buf);
buf_size *= 2;
}
ifrp = (struct ifreq *)buf;
ifend = (struct ifreq *)(buf + ifc.ifc_len);
for (; ifrp < ifend; ifrp = ifnext) {
/*
* XXX - what if this isn't an IPv4 address? Can
* we still get the netmask, etc. with ioctls on
* an IPv4 socket?
*
* The answer is probably platform-dependent, and
* if the answer is "no" on more than one platform,
* the way you work around it is probably platform-
* dependent as well.
*/
n = SA_LEN(&ifrp->ifr_addr) + sizeof(ifrp->ifr_name);
if (n < sizeof(*ifrp))
ifnext = ifrp + 1;
else
ifnext = (struct ifreq *)((char *)ifrp + n);
/*
* XXX - The 32-bit compatibility layer for Linux on IA-64
* is slightly broken. It correctly converts the structures
* to and from kernel land from 64 bit to 32 bit but
* doesn't update ifc.ifc_len, leaving it larger than the
* amount really used. This means we read off the end
* of the buffer and encounter an interface with an
* "empty" name. Since this is highly unlikely to ever
* occur in a valid case we can just finish looking for
* interfaces if we see an empty name.
*/
if (!(*ifrp->ifr_name))
break;
/*
* Skip entries that begin with "dummy".
* XXX - what are these? Is this Linux-specific?
* Are there platforms on which we shouldn't do this?
*/
if (strncmp(ifrp->ifr_name, "dummy", 5) == 0)
continue;
/*
* Get the flags for this interface.
*/
strncpy(ifrflags.ifr_name, ifrp->ifr_name,
sizeof(ifrflags.ifr_name));
if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) {
if (errno == ENXIO)
continue;
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFFLAGS: %.*s: %s",
(int)sizeof(ifrflags.ifr_name),
ifrflags.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
/*
* Get the netmask for this address on this interface.
*/
strncpy(ifrnetmask.ifr_name, ifrp->ifr_name,
sizeof(ifrnetmask.ifr_name));
memcpy(&ifrnetmask.ifr_addr, &ifrp->ifr_addr,
sizeof(ifrnetmask.ifr_addr));
if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifrnetmask) < 0) {
if (errno == EADDRNOTAVAIL) {
/*
* Not available.
*/
netmask = NULL;
netmask_size = 0;
} else {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFNETMASK: %.*s: %s",
(int)sizeof(ifrnetmask.ifr_name),
ifrnetmask.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
} else {
netmask = &ifrnetmask.ifr_addr;
netmask_size = SA_LEN(netmask);
}
/*
* Get the broadcast address for this address on this
* interface (if any).
*/
if (ifrflags.ifr_flags & IFF_BROADCAST) {
strncpy(ifrbroadaddr.ifr_name, ifrp->ifr_name,
sizeof(ifrbroadaddr.ifr_name));
memcpy(&ifrbroadaddr.ifr_addr, &ifrp->ifr_addr,
sizeof(ifrbroadaddr.ifr_addr));
if (ioctl(fd, SIOCGIFBRDADDR,
(char *)&ifrbroadaddr) < 0) {
if (errno == EADDRNOTAVAIL) {
/*
* Not available.
*/
broadaddr = NULL;
broadaddr_size = 0;
} else {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFBRDADDR: %.*s: %s",
(int)sizeof(ifrbroadaddr.ifr_name),
ifrbroadaddr.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
} else {
broadaddr = &ifrbroadaddr.ifr_broadaddr;
broadaddr_size = SA_LEN(broadaddr);
}
} else {
/*
* Not a broadcast interface, so no broadcast
* address.
*/
broadaddr = NULL;
broadaddr_size = 0;
}
/*
* Get the destination address for this address on this
* interface (if any).
*/
if (ifrflags.ifr_flags & IFF_POINTOPOINT) {
strncpy(ifrdstaddr.ifr_name, ifrp->ifr_name,
sizeof(ifrdstaddr.ifr_name));
memcpy(&ifrdstaddr.ifr_addr, &ifrp->ifr_addr,
sizeof(ifrdstaddr.ifr_addr));
if (ioctl(fd, SIOCGIFDSTADDR,
(char *)&ifrdstaddr) < 0) {
if (errno == EADDRNOTAVAIL) {
/*
* Not available.
*/
dstaddr = NULL;
dstaddr_size = 0;
} else {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"SIOCGIFDSTADDR: %.*s: %s",
(int)sizeof(ifrdstaddr.ifr_name),
ifrdstaddr.ifr_name,
pcap_strerror(errno));
ret = -1;
break;
}
} else {
dstaddr = &ifrdstaddr.ifr_dstaddr;
dstaddr_size = SA_LEN(dstaddr);
}
} else {
/*
* Not a point-to-point interface, so no destination
* address.
*/
dstaddr = NULL;
dstaddr_size = 0;
}
#if defined (HAVE_SOLARIS) || defined (HAVE_HPUX10_20_OR_LATER)
/*
* If this entry has a colon followed by a number at
* the end, it's a logical interface. Those are just
* the way you assign multiple IP addresses to a real
* interface, so an entry for a logical interface should
* be treated like the entry for the real interface;
* we do that by stripping off the ":" and the number.
*/
p = strchr(ifrp->ifr_name, ':');
if (p != NULL) {
/*
* We have a ":"; is it followed by a number?
*/
q = p + 1;
while (isdigit((unsigned char)*q))
q++;
if (*q == '\0') {
/*
* All digits after the ":" until the end.
* Strip off the ":" and everything after
* it.
*/
*p = '\0';
}
}
#endif
/*
* Add information for this address to the list.
*/
if (add_addr_to_iflist(&devlist, ifrp->ifr_name,
ifrflags.ifr_flags, &ifrp->ifr_addr,
SA_LEN(&ifrp->ifr_addr), netmask, netmask_size,
broadaddr, broadaddr_size, dstaddr, dstaddr_size,
errbuf) < 0) {
ret = -1;
break;
}
}
free(buf);
(void)close(fd);
if (ret == -1) {
/*
* We had an error; free the list we've been constructing.
*/
if (devlist != NULL) {
pcap_freealldevs(devlist);
devlist = NULL;
}
}
*alldevsp = devlist;
return (ret);
}
int daemon_AuthUserPwd(char *username, char *password, char *errbuf)
{
#ifdef WIN32
/*
Warning: the user which launches the process must have the SE_TCB_NAME right.
This corresponds to have the "Act as part of the Operating System" turined on
(administrative tools, local security settings, local policies, user right assignment)
However, it seems to me that if you run it as a service, this right should be
provided by default.
*/
HANDLE Token;
if (LogonUser(username, ".", password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &Token) == 0)
{
int error;
error = GetLastError();
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, 0, errbuf,
PCAP_ERRBUF_SIZE, NULL);
return -1;
}
// This call should change the current thread to the selected user.
// I didn't test it.
if (ImpersonateLoggedOnUser(Token) == 0)
{
int error;
error = GetLastError();
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, 0, errbuf,
PCAP_ERRBUF_SIZE, NULL);
CloseHandle(Token);
return -1;
}
CloseHandle(Token);
return 0;
#else
/* Standard user authentication:
http://www.unixpapa.com/incnote/passwd.html
Problem: it is not able to merge the standard pwd file with the shadow one
Shadow user authentication:
http://www.tldp.org/HOWTO/Shadow-Password-HOWTO-8.html
Problem: the program must either (1) run as root, or (2) run as user, but it
must be owned by root and must be SUID root (chmod u+s rpcapd)
*/
struct passwd *user;
#ifdef linux
struct spwd *usersp;
#endif
// This call is needed to get the uid
if ((user= getpwnam(username)) == NULL)
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: no such user");
return -1;
}
#ifdef linux
// This call is needed to get the password; otherwise 'x' is returned
if ((usersp= getspnam(username)) == NULL)
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: no such user");
return -1;
}
if (strcmp(usersp->sp_pwdp, (char *) crypt(password, usersp->sp_pwdp) ) != 0)
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: password incorrect");
return -1;
}
#endif
#ifdef bsd
if (strcmp(user->pw_passwd, (char *) crypt(password, user->pw_passwd) ) != 0)
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication failed: password incorrect");
return -1;
}
#endif
if (setuid(user->pw_uid) )
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s", pcap_strerror(errno) );
return -1;
}
/* if (setgid(user->pw_gid) )
{
SOCK_ASSERT("setgid failed", 1);
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s", pcap_strerror(errno) );
return -1;
}
*/
return 0;
#endif
}
int
add_or_find_if(pcap_if_t **curdev_ret, pcap_if_t **alldevs, const char *name,
u_int flags, const char *description, char *errbuf)
{
pcap_t *p;
pcap_if_t *curdev, *prevdev, *nextdev;
int this_instance;
char open_errbuf[PCAP_ERRBUF_SIZE];
/*
* Is there already an entry in the list for this interface?
*/
for (curdev = *alldevs; curdev != NULL; curdev = curdev->next) {
if (strcmp(name, curdev->name) == 0)
break; /* yes, we found it */
}
if (curdev == NULL) {
/*
* No, we didn't find it.
*
* Can we open this interface for live capture?
*
* We do this check so that interfaces that are
* supplied by the interface enumeration mechanism
* we're using but that don't support packet capture
* aren't included in the list. Loopback interfaces
* on Solaris are an example of this; we don't just
* omit loopback interfaces on all platforms because
* you *can* capture on loopback interfaces on some
* OSes.
*
* On OS X, we don't do this check if the device
* name begins with "wlt"; at least some versions
* of OS X offer monitor mode capturing by having
* a separate "monitor mode" device for each wireless
* adapter, rather than by implementing the ioctls
* that {Free,Net,Open,DragonFly}BSD provide.
* Opening that device puts the adapter into monitor
* mode, which, at least for some adapters, causes
* them to deassociate from the network with which
* they're associated.
*
* Instead, we try to open the corresponding "en"
* device (so that we don't end up with, for users
* without sufficient privilege to open capture
* devices, a list of adapters that only includes
* the wlt devices).
*/
#ifdef __APPLE__
if (strncmp(name, "wlt", 3) == 0) {
char *en_name;
size_t en_name_len;
/*
* Try to allocate a buffer for the "en"
* device's name.
*/
en_name_len = strlen(name) - 1;
en_name = malloc(en_name_len + 1);
if (en_name == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
return (-1);
}
strcpy(en_name, "en");
strcat(en_name, name + 3);
p = pcap_open_live(en_name, 68, 0, 0, open_errbuf);
free(en_name);
} else
#endif /* __APPLE */
p = pcap_open_live(name, 68, 0, 0, open_errbuf);
if (p == NULL) {
/*
* No. Don't bother including it.
* Don't treat this as an error, though.
*/
*curdev_ret = NULL;
return (0);
}
pcap_close(p);
/*
* Yes, we can open it.
* Allocate a new entry.
*/
curdev = malloc(sizeof(pcap_if_t));
if (curdev == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
return (-1);
}
/*
* Fill in the entry.
*/
curdev->next = NULL;
curdev->name = strdup(name);
if (curdev->name == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curdev);
return (-1);
}
if (description != NULL) {
/*
* We have a description for this interface.
*/
curdev->description = strdup(description);
if (curdev->description == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
free(curdev->name);
free(curdev);
return (-1);
}
} else {
/*
* We don't.
*/
curdev->description = NULL;
}
curdev->addresses = NULL; /* list starts out as empty */
curdev->flags = 0;
if (ISLOOPBACK(name, flags))
curdev->flags |= PCAP_IF_LOOPBACK;
/*
* Add it to the list, in the appropriate location.
* First, get the instance number of this interface.
*/
this_instance = get_instance(name);
/*
* Now look for the last interface with an instance number
* less than or equal to the new interface's instance
* number - except that non-loopback interfaces are
* arbitrarily treated as having interface numbers less
* than those of loopback interfaces, so the loopback
* interfaces are put at the end of the list.
*
* We start with "prevdev" being NULL, meaning we're before
* the first element in the list.
*/
prevdev = NULL;
for (;;) {
/*
* Get the interface after this one.
*/
if (prevdev == NULL) {
/*
* The next element is the first element.
*/
nextdev = *alldevs;
} else
nextdev = prevdev->next;
/*
* Are we at the end of the list?
*/
if (nextdev == NULL) {
/*
* Yes - we have to put the new entry
* after "prevdev".
*/
break;
}
/*
* Is the new interface a non-loopback interface
* and the next interface a loopback interface?
*/
if (!(curdev->flags & PCAP_IF_LOOPBACK) &&
(nextdev->flags & PCAP_IF_LOOPBACK)) {
/*
* Yes, we should put the new entry
* before "nextdev", i.e. after "prevdev".
*/
break;
}
/*
* Is the new interface's instance number less
* than the next interface's instance number,
* and is it the case that the new interface is a
* non-loopback interface or the next interface is
* a loopback interface?
*
* (The goal of both loopback tests is to make
* sure that we never put a loopback interface
* before any non-loopback interface and that we
* always put a non-loopback interface before all
* loopback interfaces.)
*/
if (this_instance < get_instance(nextdev->name) &&
(!(curdev->flags & PCAP_IF_LOOPBACK) ||
(nextdev->flags & PCAP_IF_LOOPBACK))) {
/*
* Yes - we should put the new entry
* before "nextdev", i.e. after "prevdev".
*/
break;
}
prevdev = nextdev;
}
/*
* Insert before "nextdev".
*/
curdev->next = nextdev;
/*
* Insert after "prevdev" - unless "prevdev" is null,
* in which case this is the first interface.
*/
if (prevdev == NULL) {
/*
* This is the first interface. Pass back a
* pointer to it, and put "curdev" before
* "nextdev".
*/
*alldevs = curdev;
} else
prevdev->next = curdev;
}
*curdev_ret = curdev;
return (0);
}
/*
* Write stream error message to errbuf.
*/
static void
pcap_stream_err(const char *func, int err, char *errbuf)
{
snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", func, pcap_strerror(err));
}
/*
* Get a list of all interfaces that are up and that we can open.
* Returns -1 on error, 0 otherwise.
* The list, as returned through "alldevsp", may be null if no interfaces
* could be opened.
*/
int
pcap_findalldevs_interfaces(pcap_if_t **alldevsp, char *errbuf)
{
pcap_if_t *devlist = NULL;
struct ifaddrs *ifap, *ifa;
struct sockaddr *addr, *netmask, *broadaddr, *dstaddr;
size_t addr_size, broadaddr_size, dstaddr_size;
int ret = 0;
char *p, *q;
/*
* Get the list of interface addresses.
*
* Note: this won't return information about interfaces
* with no addresses, so, if a platform has interfaces
* with no interfaces on which traffic can be captured,
* we must check for those interfaces as well (see, for
* example, what's done on Linux).
*
* LAN interfaces will probably have link-layer
* addresses; I don't know whether all implementations
* of "getifaddrs()" now, or in the future, will return
* those.
*/
if (getifaddrs(&ifap) != 0) {
(void)pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
"getifaddrs: %s", pcap_strerror(errno));
return (-1);
}
for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
/*
* "ifa_addr" was apparently null on at least one
* interface on some system. Therefore, we supply
* the address and netmask only if "ifa_addr" is
* non-null (if there's no address, there's obviously
* no netmask).
*/
if (ifa->ifa_addr != NULL) {
addr = ifa->ifa_addr;
addr_size = SA_LEN(addr);
netmask = ifa->ifa_netmask;
} else {
addr = NULL;
addr_size = 0;
netmask = NULL;
}
/*
* Note that, on some platforms, ifa_broadaddr and
* ifa_dstaddr could be the same field (true on at
* least some versions of *BSD and OS X), so we
* can't just check whether the broadcast address
* is null and add it if so and check whether the
* destination address is null and add it if so.
*
* Therefore, we must also check the IFF_BROADCAST
* flag, and only add a broadcast address if it's
* set, and check the IFF_POINTTOPOINT flag, and
* only add a destination address if it's set (as
* per man page recommendations on some of those
* platforms).
*/
if (ifa->ifa_flags & IFF_BROADCAST &&
ifa->ifa_broadaddr != NULL) {
broadaddr = ifa->ifa_broadaddr;
broadaddr_size = SA_LEN(broadaddr);
} else {
broadaddr = NULL;
broadaddr_size = 0;
}
if (ifa->ifa_flags & IFF_POINTOPOINT &&
ifa->ifa_dstaddr != NULL) {
dstaddr = ifa->ifa_dstaddr;
dstaddr_size = SA_LEN(ifa->ifa_dstaddr);
} else {
dstaddr = NULL;
dstaddr_size = 0;
}
/*
* If this entry has a colon followed by a number at
* the end, we assume it's a logical interface. Those
* are just the way you assign multiple IP addresses to
* a real interface on Linux, so an entry for a logical
* interface should be treated like the entry for the
* real interface; we do that by stripping off the ":"
* and the number.
*
* XXX - should we do this only on Linux?
*/
p = strchr(ifa->ifa_name, ':');
if (p != NULL) {
/*
* We have a ":"; is it followed by a number?
*/
q = p + 1;
while (isdigit((unsigned char)*q))
q++;
if (*q == '\0') {
/*
* All digits after the ":" until the end.
* Strip off the ":" and everything after
* it.
*/
*p = '\0';
}
}
/*
* Add information for this address to the list.
*/
if (add_addr_to_iflist(&devlist, ifa->ifa_name,
if_flags_to_pcap_flags(ifa->ifa_name, ifa->ifa_flags),
addr, addr_size, netmask, addr_size,
broadaddr, broadaddr_size, dstaddr, dstaddr_size,
errbuf) < 0) {
ret = -1;
break;
}
}
freeifaddrs(ifap);
if (ret == -1) {
/*
* We had an error; free the list we've been constructing.
*/
if (devlist != NULL) {
pcap_freealldevs(devlist);
devlist = NULL;
}
}
*alldevsp = devlist;
return (ret);
}
static int
add_or_find_if(pcap_if_t **curdev_ret, pcap_if_t **alldevs, char *name,
u_int flags, const char *description, char *errbuf)
{
pcap_t *p;
pcap_if_t *curdev, *prevdev, *nextdev;
int this_instance;
/*
* Can we open this interface for live capture?
*/
p = pcap_open_live(name, 68, 0, 0, errbuf);
if (p == NULL) {
/*
* No. Don't bother including it.
* Don't treat this as an error, though.
*/
*curdev_ret = NULL;
return (0);
}
pcap_close(p);
/*
* Is there already an entry in the list for this interface?
*/
for (curdev = *alldevs; curdev != NULL; curdev = curdev->next) {
if (strcmp(name, curdev->name) == 0)
break; /* yes, we found it */
}
if (curdev == NULL) {
/*
* No, we didn't find it.
* Allocate a new entry.
*/
curdev = malloc(sizeof(pcap_if_t));
if (curdev == NULL) {
(void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
"malloc: %s", pcap_strerror(errno));
return (-1);
}
/*
* Fill in the entry.
*/
curdev->next = NULL;
curdev->name = malloc(strlen(name) + 1);
strcpy(curdev->name, name);
if (description != NULL) {
/*
* We have a description for this interface.
*/
curdev->description = malloc(strlen(description) + 1);
strcpy(curdev->description, description);
} else {
/*
* We don't.
*/
curdev->description = NULL;
}
curdev->addresses = NULL; /* list starts out as empty */
curdev->flags = 0;
if (ISLOOPBACK(name, flags))
curdev->flags |= PCAP_IF_LOOPBACK;
/*
* Add it to the list, in the appropriate location.
* First, get the instance number of this interface.
*/
this_instance = get_instance(name);
/*
* Now look for the last interface with an instance number
* less than or equal to the new interface's instance
* number - except that non-loopback interfaces are
* arbitrarily treated as having interface numbers less
* than those of loopback interfaces, so the loopback
* interfaces are put at the end of the list.
*
* We start with "prevdev" being NULL, meaning we're before
* the first element in the list.
*/
prevdev = NULL;
for (;;) {
/*
* Get the interface after this one.
*/
if (prevdev == NULL) {
/*
* The next element is the first element.
*/
nextdev = *alldevs;
} else
nextdev = prevdev->next;
/*
* Are we at the end of the list?
*/
if (nextdev == NULL) {
/*
* Yes - we have to put the new entry
* after "prevdev".
*/
break;
}
/*
* Is the new interface a non-loopback interface
* and the next interface a loopback interface?
*/
if (!(curdev->flags & PCAP_IF_LOOPBACK) &&
(nextdev->flags & PCAP_IF_LOOPBACK)) {
/*
* Yes, we should put the new entry
* before "nextdev", i.e. after "prevdev".
*/
break;
}
/*
* Is the new interface's instance number less
* than the next interface's instance number,
* and is it the case that the new interface is a
* non-loopback interface or the next interface is
* a loopback interface?
*
* (The goal of both loopback tests is to make
* sure that we never put a loopback interface
* before any non-loopback interface and that we
* always put a non-loopback interface before all
* loopback interfaces.)
*/
if (this_instance < get_instance(nextdev->name) &&
(!(curdev->flags & PCAP_IF_LOOPBACK) ||
(nextdev->flags & PCAP_IF_LOOPBACK))) {
/*
* Yes - we should put the new entry
* before "nextdev", i.e. after "prevdev".
*/
break;
}
prevdev = nextdev;
}
/*
* Insert before "nextdev".
*/
curdev->next = nextdev;
/*
* Insert after "prevdev" - unless "prevdev" is null,
* in which case this is the first interface.
*/
if (prevdev == NULL) {
/*
* This is the first interface. Pass back a
* pointer to it, and put "curdev" before
* "nextdev".
*/
*alldevs = curdev;
} else
prevdev->next = curdev;
}
*curdev_ret = curdev;
return (0);
}
