// FIXME this is kind of a mess, all options need to be double-check for // backward compatibility int descriptor_set_tsmode(struct radclock *handle, pcap_t *p_handle, int kmode) { u_int bd_tstamp; bd_tstamp = 0; switch (handle->kernel_version) { case 0: case 1: if (ioctl(pcap_fileno(p_handle), BIOCSRADCLOCKTSMODE, (caddr_t)&kmode) == -1) { logger(LOG_ERR, "Setting capture mode failed"); return (1); } break; case 2: case 3: /* No more Faircompare mode in kernel version 2, it is identical to * SYSCLOCK */ switch (kmode) { case RADCLOCK_TSMODE_SYSCLOCK: case RADCLOCK_TSMODE_FAIRCOMPARE: bd_tstamp = BPF_T_MICROTIME; break; case RADCLOCK_TSMODE_RADCLOCK: // TODO this is not very clean, need to do better management of // the format flag bd_tstamp = BPF_T_FFCOUNTER; // bd_tstamp = BPF_T_FFCOUNTER | BPF_T_FFCLOCK; // bd_tstamp = BPF_T_MICROTIME | BPF_T_FFCLOCK | BPF_T_MONOTONIC; break; default: logger(LOG_ERR, "descriptor_set_tsmode: Unknown timestamping mode."); return (1); } if (ioctl(pcap_fileno(p_handle), BIOCSTSTAMP, (caddr_t)&bd_tstamp) == -1) { logger(LOG_ERR, "Setting capture mode failed: %s", strerror(errno)); return (1); } break; default: logger(LOG_ERR, "Unknown kernel version"); return (1); } return (0); }
/* * a simple pcap test program, bridge between two interfaces. */ int main(int argc, char **argv) { pcap_t *p0, *p1; int burst = 1024; struct pollfd pollfd[2]; fprintf(stderr, "%s %s built %s %s\n", argv[0], version, __DATE__, __TIME__); while (argc > 1 && !strcmp(argv[1], "-v")) { verbose++; argv++; argc--; } if (argc < 3 || argc > 4 || !strcmp(argv[1], argv[2])) { D("Usage: %s IFNAME1 IFNAME2 [BURST]", argv[0]); return (1); } if (argc > 3) burst = atoi(argv[3]); p0 = pcap_open_live(argv[1], 0, 1, 100, NULL); p1 = pcap_open_live(argv[2], 0, 1, 100, NULL); D("%s", version); D("open returns %p %p", p0, p1); if (!p0 || !p1) return(1); bzero(pollfd, sizeof(pollfd)); pollfd[0].fd = pcap_fileno(p0); pollfd[1].fd = pcap_fileno(p1); pollfd[0].events = pollfd[1].events = POLLIN; for (;;) { /* do i need to reset ? */ pollfd[0].revents = pollfd[1].revents = 0; int ret = poll(pollfd, 2, 1000); if (ret <= 0 || verbose) D("poll %s [0] ev %x %x [1] ev %x %x", ret <= 0 ? "timeout" : "ok", pollfd[0].events, pollfd[0].revents, pollfd[1].events, pollfd[1].revents); if (ret < 0) continue; if (pollfd[0].revents & POLLIN) pcap_dispatch(p0, burst, do_send, (void *)p1); if (pollfd[1].revents & POLLIN) pcap_dispatch(p1, burst, do_send, (void *)p0); } return (0); }
int pcap_ex_immediate(pcap_t *pcap) { #ifdef _WIN32 return pcap_setmintocopy(pcap, 1); #elif defined BIOCIMMEDIATE int n = 1; return ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n); #else /* XXX On OSX Yosemite (10.10.3) BIOCIMMEDIATE is not defined) */ int n = 1; return ioctl(pcap_fileno(pcap), _IOW('B',112, u_int), &n); #endif }
struct pcap_port * pcap_open(struct pcap_port *pcap_port) { char errbuf[PCAP_ERRBUF_SIZE]; struct pcap_drv *pcap_drv = pcap_port->drv; pcap_t *pcap = NULL; pcap = pcap_open_live(pcap_port->name, PCAP_SNAPLEN, true/*promisc*/, -1/*to_ms*/, errbuf); if (pcap == NULL) { logger_log(pcap_drv->logger, LOG_ERR, "Unable to open device %s: %s.", pcap_port->name, errbuf); return NULL; } if(pcap_setnonblock(pcap, true, errbuf) != 0) { logger_log(pcap_drv->logger, LOG_ERR, "Unable to set device to promisc %s: %s.", pcap_port->name, errbuf); return NULL; } if(pcap_setdirection(pcap, PCAP_D_IN) != 0) { logger_log(pcap_drv->logger, LOG_ERR, "Unable to set device direction %s: %s.", pcap_port->name, pcap_geterr(pcap)); return NULL; } pcap_port->pcap = pcap; pcap_port->fd = pcap_fileno(pcap); pcap_port->watcher = malloc(sizeof(ev_io)); pcap_port->watcher->data = pcap_port; ev_io_init(pcap_port->watcher, event_loop_packet_in_cb, pcap_port->fd, EV_READ); pcap_port_fill(pcap_port); return pcap_port; }
int init_pcap(void) { hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf); if (hpcap == NULL) { logmsg(LOG_ERR, "Failed to initialize: %s", errbuf); return (-1); } if (pcap_datalink(hpcap) != DLT_PFLOG) { logmsg(LOG_ERR, "Invalid datalink type"); pcap_close(hpcap); hpcap = NULL; return (-1); } set_pcap_filter(); cur_snaplen = snaplen = pcap_snapshot(hpcap); /* lock */ if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) { logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno)); return (-1); } return (0); }
static int l2_packet_init_libpcap(struct l2_packet_data *l2, unsigned short protocol) { bpf_u_int32 pcap_maskp, pcap_netp; char pcap_filter[200], pcap_err[PCAP_ERRBUF_SIZE]; struct bpf_program pcap_fp; pcap_lookupnet(l2->ifname, &pcap_netp, &pcap_maskp, pcap_err); l2->pcap = pcap_open_live(l2->ifname, 2500, 0, 10, pcap_err); if (l2->pcap == NULL) { fprintf(stderr, "pcap_open_live: %s\n", pcap_err); fprintf(stderr, "ifname='%s'\n", l2->ifname); return -1; } if (pcap_datalink(l2->pcap) != DLT_EN10MB && pcap_set_datalink(l2->pcap, DLT_EN10MB) < 0) { fprintf(stderr, "pcap_set_datalink(DLT_EN10MB): %s\n", pcap_geterr(l2->pcap)); return -1; } os_snprintf(pcap_filter, sizeof(pcap_filter), "not ether src " MACSTR " and " "( ether dst " MACSTR " or ether dst " MACSTR " ) and " "ether proto 0x%x", MAC2STR(l2->own_addr), /* do not receive own packets */ MAC2STR(l2->own_addr), MAC2STR(pae_group_addr), protocol); if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) { fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap)); return -1; } if (pcap_setfilter(l2->pcap, &pcap_fp) < 0) { fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(l2->pcap)); return -1; } pcap_freecode(&pcap_fp); #ifndef __sun__ /* * When libpcap uses BPF we must enable "immediate mode" to * receive frames right away; otherwise the system may * buffer them for us. */ { unsigned int on = 1; if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) { fprintf(stderr, "%s: cannot enable immediate mode on " "interface %s: %s\n", __func__, l2->ifname, strerror(errno)); /* XXX should we fail? */ } } #endif /* __sun__ */ eloop_register_read_sock(pcap_get_selectable_fd(l2->pcap), l2_packet_receive, l2, l2->pcap); return 0; }
static struct recv_handler *HpingRecvGetHandler(struct recv_handler *ra, int len, char *ifname, Tcl_Interp *interp) { int i; #if (!defined OSTYPE_LINUX) && (!defined __sun__) int on = 1; #endif for (i = 0; i < len; i++) { if (!ra[i].rh_ifname[0]) break; if (!strcmp(ra[i].rh_ifname, ifname)) return ra+i; } /* Not found, need to open it */ if (i == len) { /* XXX: with hping setfilter this is broken */ /* All the slots are full, make space at the end */ HpingRecvCloseHandler(ra+(len-1)); i--; } /* Open a new handler */ ra[i].rh_pcapfp = pcap_open_live(ifname, 99999, 0, 1, ra[i].rh_pcap_errbuf); if (ra[i].rh_pcapfp == NULL) return NULL; #if (!defined OSTYPE_LINUX) && (!defined __sun__) /* Return the packets to userspace as fast as possible */ if (ioctl(pcap_fileno(ra[i].rh_pcapfp), BIOCIMMEDIATE, &on) == -1) { /* XXX non-critical error */ } #endif strlcpy(ra[i].rh_ifname, ifname, HPING_IFNAME_LEN); ra[i].rh_interp = NULL; ra[i].rh_linkhdrsize = dltype_to_lhs(pcap_datalink(ra[i].rh_pcapfp)); return ra+i; }
static PyObject * p_fileno (PyObject *self, PyObject *args) { pcap_t * ppcap; if (!PyArg_ParseTuple(args, "l", (long int*)&ppcap)) return NULL; int rv = pcap_fileno(ppcap); return Py_BuildValue("i", rv); }
/* Open an Ethernet interface using PCAP */ static pcap_t *nio_ethernet_open(char *device) { char pcap_errbuf[PCAP_ERRBUF_SIZE]; pcap_t *p; #ifndef CYGWIN /* Timeout is 10ms */ if (!(p = pcap_open_live(device, 65535, TRUE, 10, pcap_errbuf))) goto pcap_error; pcap_setdirection(p, PCAP_D_INOUT); #ifdef BIOCFEEDBACK { int on = 1; ioctl(pcap_fileno(p), BIOCFEEDBACK, &on); } #endif #else p = pcap_open(device, 65535, PCAP_OPENFLAG_PROMISCUOUS | PCAP_OPENFLAG_NOCAPTURE_LOCAL | PCAP_OPENFLAG_MAX_RESPONSIVENESS | PCAP_OPENFLAG_NOCAPTURE_RPCAP, 10, NULL, pcap_errbuf); if (!p) goto pcap_error; #endif return p; pcap_error: fprintf(stderr, "nio_ethernet_open: unable to open device '%s' ""with PCAP (%s)\n", device, pcap_errbuf); return NULL; }
pcap_t * pcap_open(char *device) { char ebuf[PCAP_ERRBUF_SIZE]; pcap_t *pcap; if (device == NULL) { if ((device = pcap_lookupdev(ebuf)) == NULL) return (NULL); } if ((pcap = pcap_open_live(device, 31337, 0, 10, ebuf)) == NULL) return (NULL); #ifdef BSD { int n = 1; if (ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n) < 0) { pcap_close(pcap); return (NULL); } } #endif return (pcap); }
static void add_device(orchids_t *ctx, mod_entry_t *mod, config_directive_t *dir) { /* dev: the network device to open capd: a packet capture descriptor */ int fd; char* dev; char errbuf[PCAP_ERRBUF_SIZE]=""; pcap_t* capd = NULL; dev = dir->args; DebugLog(DF_MOD, DS_INFO, "Add 802.11 listen device %s\n", dev); capd = pcap_open_live(dev, 65535, 1, 1, errbuf); if ( strlen(errbuf) != 0 ) { DebugLog(DF_MOD, DS_ERROR, "pcap_open_live error: %s\n", errbuf); return; } pcap_setnonblock(capd, 1, NULL); fd = pcap_fileno(capd); datalink_type = pcap_datalink(capd); add_input_descriptor(ctx, mod, wifi_callback, fd, capd); }
static mrb_value capture(mrb_state *mrb, mrb_value self) { struct capture_object *cap; int nfd; cap = (struct capture_object *)mrb_get_datatype(mrb, self, &mrb_pcap_type); cap->mrb = mrb; if (pcap_file(cap->pcap) != NULL) { mrb_raise(mrb, E_RUNTIME_ERROR, "pcap file not supported"); } else { int fd = pcap_fileno(cap->pcap); fd_set rset; FD_ZERO(&rset); do { FD_SET(fd, &rset); nfd = select(fd+1, &rset, NULL, NULL, NULL); if (nfd != 0) { pcap_dispatch(cap->pcap, 1, handler, (u_char *)cap); break; } else { continue; } } while (1); } return cap->cap_data; }
static u32 regen_pfds(struct pollfd* pfds, struct api_client** ctable) { u32 i, count = 2; pfds[0].fd = pcap_fileno(pt); pfds[0].events = (POLLIN | POLLERR | POLLHUP); DEBUG("[#] Recomputing pollfd data, pcap_fd = %d.\n", pfds[0].fd); if (!api_sock) return 1; pfds[1].fd = api_fd; pfds[1].events = (POLLIN | POLLERR | POLLHUP); for (i = 0; i < api_max_conn; i++) { if (api_cl[i].fd == -1) continue; ctable[count] = api_cl + i; /* If we haven't received a complete query yet, wait for POLLIN. Otherwise, we want to write stuff. */ if (api_cl[i].in_off < sizeof(struct p0f_api_query)) pfds[count].events = (POLLIN | POLLERR | POLLHUP); else pfds[count].events = (POLLOUT | POLLERR | POLLHUP); pfds[count++].fd = api_cl[i].fd; } return count; }
static int parse_dhcp_replies(pcap_t *pc, int max_timeout, uint32_t dhcp_xid) { struct pcap_pkthdr pc_hdr; fd_set read_set; int status, pcap_fd, timed_out; struct timeval timeout; uint8_t *packet; struct libnet_ethernet_hdr *eth_hdr; struct libnet_ipv4_hdr *ip_hdr; struct libnet_udp_hdr *udp_hdr; struct libnet_dhcpv4_hdr *dhcp_hdr; timeout.tv_sec = max_timeout; timeout.tv_usec = 0; pcap_fd = pcap_fileno(pc); FD_ZERO(&read_set); FD_SET(pcap_fd, &read_set); for (timed_out = 0; !timed_out;) { status = select(pcap_fd + 1, &read_set, 0, 0, &timeout); switch (status) { case -1: fprintf(stderr, "select() %s\n", strerror(errno)); exit(EXIT_FAILURE); case 0: timed_out = 1; continue; default: if (FD_ISSET(pcap_fd, &read_set) == 0) { timed_out = 1; continue; } } packet = (uint8_t *) pcap_next(pc, &pc_hdr); if (packet == NULL) { continue; } eth_hdr = (struct libnet_ethernet_hdr *)(packet); ip_hdr = (struct libnet_ipv4_hdr *)(packet + sizeof(struct libnet_ethernet_hdr)); udp_hdr = (struct libnet_udp_hdr *)(packet + sizeof(struct libnet_ethernet_hdr) + sizeof(struct libnet_ipv4_hdr)); dhcp_hdr = (struct libnet_dhcpv4_hdr *)(packet + sizeof(struct libnet_ethernet_hdr) + sizeof(struct libnet_ipv4_hdr) + sizeof(struct libnet_udp_hdr)); if (ntohl(dhcp_hdr->dhcp_xid) != dhcp_xid) { continue; } printf("\n"); dump_dhcp_packet(dhcp_hdr); } }
/* * Open either interface specified by "dev" or pcap file specified by * "capfile". Optionally apply filter "bpf_prog" */ static void setup_packet_capture(struct pcap **pcap, char *dev, char *capfile, char *bpf_prog) { char ebuf[PCAP_ERRBUF_SIZE]; struct bpf_program prog_c; /* Open pcap */ if (dev != NULL) { if ((*pcap = pcap_open_live(dev, LIBPCAP_SNAPLEN, 1, 0, ebuf)) == NULL) { fprintf(stderr, "pcap_open_live: %s\n", ebuf); exit(1); } } else { if ((*pcap = pcap_open_offline(capfile, ebuf)) == NULL) { fprintf(stderr, "pcap_open_offline(%s): %s\n", capfile, ebuf); exit(1); } } /* XXX - check datalink */ /* Attach BPF filter, if specified */ if (bpf_prog != NULL) { if (pcap_compile(*pcap, &prog_c, bpf_prog, 1, 0) == -1) { fprintf(stderr, "pcap_compile(\"%s\"): %s\n", bpf_prog, pcap_geterr(*pcap)); exit(1); } if (pcap_setfilter(*pcap, &prog_c) == -1) { fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(*pcap)); exit(1); } } #ifdef BIOCLOCK /* * If we are reading from an device (not a file), then * lock the underlying BPF device to prevent changes in the * unprivileged child */ if (dev != NULL && ioctl(pcap_fileno(*pcap), BIOCLOCK) < 0) { fprintf(stderr, "ioctl(BIOCLOCK) failed: %s\n", strerror(errno)); exit(1); } #endif }
static void arpd_init(char *dev, int naddresses, char **addresses) { struct bpf_program fcode; char filter[1024], ebuf[PCAP_ERRBUF_SIZE], *dst; intf_t *intf; dst = arpd_expandips(naddresses, addresses); if ((arpd_arp = arp_open()) == NULL) err(1, "arp_open"); if ((intf = intf_open()) == NULL) err(1, "intf_open"); if (dev == NULL) { if ((dev = pcap_lookupdev(ebuf)) == NULL) errx(1, "pcap_lookupdev: %s", ebuf); } arpd_ifent.intf_len = sizeof(arpd_ifent); strncpy(arpd_ifent.intf_name, dev, sizeof(arpd_ifent.intf_name) - 1); arpd_ifent.intf_name[sizeof(arpd_ifent.intf_name) - 1] = '\0'; if (intf_get(intf, &arpd_ifent) < 0) err(1, "intf_get"); if (arpd_ifent.intf_addr.addr_type != ADDR_TYPE_IP || arpd_ifent.intf_link_addr.addr_type != ADDR_TYPE_ETH) errx(1, "bad interface configuration: not IP or Ethernet"); arpd_ifent.intf_addr.addr_bits = IP_ADDR_BITS; snprintf(filter, sizeof(filter), "arp %s%s%s and not ether src %s", dst ? "and (" : "", dst ? dst : "", dst ? ")" : "", addr_ntoa(&arpd_ifent.intf_link_addr)); if ((arpd_pcap = pcap_open_live(dev, 128, 0, 500, ebuf)) == NULL) errx(1, "pcap_open_live: %s", ebuf); if (pcap_compile(arpd_pcap, &fcode, filter, 1, 0) < 0 || pcap_setfilter(arpd_pcap, &fcode) < 0) errx(1, "bad pcap filter: %s", pcap_geterr(arpd_pcap)); #if defined(BSD) && defined(BIOCIMMEDIATE) { int on = 1; if (ioctl(pcap_fileno(arpd_pcap), BIOCIMMEDIATE, &on) < 0) err(1, "BIOCIMMEDIATE"); } #endif if ((arpd_eth = eth_open(dev)) == NULL) errx(1, "eth_open"); #ifndef LOG_PERROR #define LOG_PERROR 0 #endif openlog("arpd", LOG_PERROR|LOG_PID|LOG_CONS, LOG_DAEMON); syslog(LOG_INFO, "listening on %s: %s", dev, filter); }
void reader_libpcapfile_opened() { int dlt_to_linktype(int dlt); pcapFileHeader.linktype = dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap); pcapFileHeader.snaplen = pcap_snapshot(pcap); offlineFile = pcap_file(pcap); if (config.bpf) { struct bpf_program bpf; if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) { LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap)); exit(1); } if (pcap_setfilter(pcap, &bpf) == -1) { LOG("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap)); exit(1); } } int t; for (t = 0; t < MOLOCH_FILTER_MAX; t++) { if (config.bpfsNum[t]) { int i; if (bpf_programs[t]) { for (i = 0; i < config.bpfsNum[t]; i++) { pcap_freecode(&bpf_programs[t][i]); } } else { bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program)); } for (i = 0; i < config.bpfsNum[t]; i++) { if (pcap_compile(pcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) { LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(pcap)); exit(1); } } moloch_reader_should_filter = reader_libpcapfile_should_filter; } } if (config.flushBetween) moloch_session_flush(); offlinePcapName = strdup(offlinePcapFilename); int fd = pcap_fileno(pcap); if (fd == -1) { g_timeout_add(0, reader_libpcapfile_read, NULL); } else { moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL); } }
int pcap_ex_immediate(pcap_t *pcap) { #ifdef BIOCIMMEDIATE int n = 1; return ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n); #else return (0); #endif }
static void HpingRecvCloseHandler(struct recv_handler *ra) { ra->rh_ifname[0] = '\0'; if (ra->rh_interp != NULL) { Tcl_DeleteFileHandler(pcap_fileno(ra->rh_pcapfp)); Tcl_DecrRefCount(ra->rh_handlerscript); } pcap_close(ra->rh_pcapfp); ra->rh_interp = NULL; }
int pcap_ex_fileno(pcap_t *pcap) { #ifdef _WIN32 /* XXX - how to handle savefiles? */ return ((int)pcap_getevent(pcap)); #else FILE *f = pcap_file(pcap); if (f != NULL) return (fileno(f)); return (pcap_fileno(pcap)); #endif /* !_WIN32 */ }
int util_preparepcap(pcap_t *pdev, char *errorbuf) { int pfd=-1, param=0; pfd=pcap_fileno(pdev); /* if its not a savefile then ioctl it (not always needed) */ if (pfd) { param=1; if (ioctl(pfd, BIOCIMMEDIATE, ¶m) < 0) { ;/* failure here is not always bad */ } } return 1; }
int pcap_ex_immediate(pcap_t *pcap) { #ifdef BIOCIMMEDIATE int n = 1; return ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n); #elif defined _WIN32 return pcap_setmintocopy(pcap, 1); #else return (0); #endif }
int launch_config(struct event_base* base) { bpf_u_int32 netaddr = 0, mask = 0; struct bpf_program filter; char errbuf[PCAP_ERRBUF_SIZE]; memset(errbuf, 0, PCAP_ERRBUF_SIZE); struct config* config_node = config; while (config_node) { struct module* mod = config_node->modules; while (mod) { pre_capture_function* precapture_func = dlsym(mod->mod_handle, "preCapture"); if ((precapture_func && precapture_func(base, config_node->interface, mod->context)) || precapture_func == NULL) { if (offline_file) { if ((mod->pcap_handle = pcap_open_offline(offline_file, errbuf)) == NULL) { fprintf(stderr, "ERROR: %s\n", errbuf); exit(1); } } else { if ((mod->pcap_handle = pcap_open_live(config_node->interface, BUFSIZ, 0, 512, errbuf)) == NULL) { fprintf(stderr, "ERROR: %s\n", errbuf); exit(1); } else if (pcap_lookupnet(config_node->interface, &netaddr, &mask, errbuf) == -1) { fprintf(stderr, "ERROR: %s\n", errbuf); exit(1); } } } pcaprule_function* rule_func = dlsym(mod->mod_handle, "getPcapRule"); if (rule_func == NULL) { fprintf(stderr, "ERROR: %s\n", dlerror()); exit(1); } else if (pcap_compile(mod->pcap_handle, &filter, rule_func(mod->context), 1, mask) == -1) { fprintf(stderr, "ERROR: %s\n", pcap_geterr(mod->pcap_handle)); exit(1); } else if (pcap_setfilter(mod->pcap_handle, &filter) == -1) { fprintf(stderr, "ERROR: %s\n", pcap_geterr(mod->pcap_handle)); exit(1); } else { if (offline_file) { pcap_callback(0, 0, mod); } else { struct event* ev = event_new(base, pcap_fileno(mod->pcap_handle), EV_READ|EV_PERSIST, pcap_callback, mod); event_add(ev, NULL); } } mod = mod->next; } config_node = config_node->next; } return 1; };
/* XXX - hrr, this sux */ void pcap_ex_setup(pcap_t *pcap) { #ifdef _WIN32 SetConsoleCtrlHandler(__pcap_ex_ctrl, TRUE); #else #if 0 int fd, n; fd = pcap_fileno(pcap); n = fcntl(fd, F_GETFL, 0) | O_NONBLOCK; fcntl(fd, F_SETFL, n); #endif signal(SIGINT, __pcap_ex_signal); #endif }
int init_pcap(void) { struct bpf_program bpfp; char filter[PCAPFSIZ] = "ip and port 25 and action pass " "and tcp[13]&0x12=0x2"; #ifdef __FreeBSD__ if(!use_pf) { strncpy(filter,"ip and port 25 and tcp[13]&0x12=0x2",sizeof(filter)); } #endif if ((hpcap = pcap_open_live(pflogif, PCAPSNAP, 1, PCAPTIMO, errbuf)) == NULL) { logmsg(LOG_ERR, "Failed to initialize: %s", errbuf); return (-1); } if ((use_pf && pcap_datalink(hpcap) != DLT_PFLOG) || (!use_pf && pcap_datalink(hpcap)!=DLT_NULL)) { logmsg(LOG_ERR, "Invalid datalink type"); pcap_close(hpcap); hpcap = NULL; return (-1); } if (networkif != NULL) { strlcat(filter, " and on ", PCAPFSIZ); strlcat(filter, networkif, PCAPFSIZ); } if (pcap_compile(hpcap, &bpfp, filter, PCAPOPTZ, 0) == -1 || pcap_setfilter(hpcap, &bpfp) == -1) { logmsg(LOG_ERR, "%s", pcap_geterr(hpcap)); return (-1); } pcap_freecode(&bpfp); #ifdef BIOCLOCK if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) { logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno)); return (-1); } #endif return (0); }
/* return codes: 1 = pkt, 0 = timeout, -1 = error, -2 = EOF */ int pcap_ex_next(pcap_t *pcap, struct pcap_pkthdr **hdr, u_char **pkt) { #ifdef _WIN32 if (__pcap_ex_gotsig) { __pcap_ex_gotsig = 0; return (-1); } return (pcap_next_ex(pcap, hdr, pkt)); #else static u_char *__pkt; static struct pcap_pkthdr __hdr; struct timeval tv = { 1, 0 }; fd_set rfds; int fd, n; fd = pcap_fileno(pcap); for (;;) { if (__pcap_ex_gotsig) { __pcap_ex_gotsig = 0; return (-1); } if ((__pkt = (u_char *) pcap_next(pcap, &__hdr)) == NULL ) { #ifdef HAVE_PCAP_FILE if (pcap_file(pcap) != NULL) #else if (pcap->sf.rfile != NULL ) #endif return (-2); FD_ZERO(&rfds); FD_SET(fd, &rfds); n = select(fd + 1, &rfds, NULL, NULL, &tv); if (n <= 0) return (n); } else break; } *pkt = __pkt; *hdr = &__hdr; return (1); #endif }
void Mod_fw_start_log_capture(FW_handle_T handle) { struct fw_handle *fwh = handle->fwh; struct bpf_program bpfp; char *pflog_if, *net_if; char errbuf[PCAP_ERRBUF_SIZE]; char filter[PCAPFSIZ] = "ip and port 25 and action pass " "and tcp[13]&0x12=0x2"; pflog_if = Config_get_str(handle->config, "pflog_if", "firewall", PFLOG_IF); net_if = Config_get_str(handle->config, "net_if", "firewall", NULL); if((fwh->pcap_handle = pcap_open_live(pflog_if, PCAPSNAP, 1, PCAPTIMO, errbuf)) == NULL) { i_critical("failed to initialize: %s", errbuf); } if(pcap_datalink(fwh->pcap_handle) != DLT_PFLOG) { pcap_close(fwh->pcap_handle); fwh->pcap_handle = NULL; i_critical("invalid datalink type"); } if(net_if != NULL) { sstrncat(filter, " and on ", PCAPFSIZ); sstrncat(filter, net_if, PCAPFSIZ); } if((pcap_compile(fwh->pcap_handle, &bpfp, filter, PCAPOPTZ, 0) == -1) || (pcap_setfilter(fwh->pcap_handle, &bpfp) == -1)) { i_critical("%s", pcap_geterr(fwh->pcap_handle)); } pcap_freecode(&bpfp); #ifdef BIOCLOCK if(ioctl(pcap_fileno(fwh->pcap_handle), BIOCLOCK) < 0) { i_critical("BIOCLOCK: %s", strerror(errno)); } #endif fwh->entries = List_create(destroy_log_entry); }
/* return codes: 1 = pkt, 0 = timeout, -1 = error, -2 = EOF */ int pcap_ex_next(pcap_t *pcap, struct pcap_pkthdr *hdr, u_char **pkt) { #ifdef _WIN32 struct pcap_pkthdr *hdrp; int ret; if (__pcap_ex_gotsig) { __pcap_ex_gotsig = 0; return (-1); } ret = pcap_next_ex(pcap, &hdrp, pkt); if (hdrp && hdr) *hdr = *hdrp; return ret; #else static u_char *__pkt; struct timeval tv = { 1, 0 }; fd_set rfds; int fd, n; fd = pcap_fileno(pcap); for (;;) { if (__pcap_ex_gotsig) { __pcap_ex_gotsig = 0; return (-1); } if ((__pkt = (u_char *)pcap_next(pcap, hdr)) == NULL) { if (pcap_file(pcap) != NULL) return (-2); FD_ZERO(&rfds); FD_SET(fd, &rfds); n = select(fd + 1, &rfds, NULL, NULL, &tv); if (n <= 0) return (n); } else break; } *pkt = __pkt; return (1); #endif }
void Pcap_run(DMC * dns_callback, IPC * ip_callback) { dns_message_callback = dns_callback; ip_message_callback = ip_callback; gettimeofday(&start_ts, NULL); finish_ts.tv_sec = ((start_ts.tv_sec / 60) + 1) * 60; finish_ts.tv_usec = 0; while (last_ts.tv_sec < finish_ts.tv_sec) { fd_set *R = Pcap_select(&pcap_fdset, 0, 250000); if (NULL == R) { gettimeofday(&last_ts, NULL); } else { int i; for (i = 0; i < n_pcap; i++) if (FD_ISSET(pcap_fileno(pcap[i]), &pcap_fdset)) pcap_dispatch(pcap[i], 50, handle_pcap, NULL); } } }
int open_pcap() { int on; on = 1; /* no warning if BIOCIMMEDIATE will not be compiled */ if (opt_debug) printf("DEBUG: pcap_open_live(%s, 99999, 0, 1, %p)\n", ifname, errbuf); pcapfp = pcap_open_live(ifname, 99999, 0, 1, errbuf); if (pcapfp == NULL) { printf("[open_pcap] pcap_open_live: %s\n", errbuf); return -1; } #if (!defined OSTYPE_LINUX) && (!defined __sun__) /* Return the packets to userspace as fast as possible */ if (ioctl(pcap_fileno(pcapfp), BIOCIMMEDIATE, &on) == -1) perror("[open_pcap] ioctl(... BIOCIMMEDIATE ...)"); #endif return 0; }