// FIXME this is kind of a mess, all options need to be double-check for
// backward compatibility
int
descriptor_set_tsmode(struct radclock *handle, pcap_t *p_handle, int kmode)
{
u_int bd_tstamp;
bd_tstamp = 0;
switch (handle->kernel_version) {
case 0:
case 1:
if (ioctl(pcap_fileno(p_handle), BIOCSRADCLOCKTSMODE, (caddr_t)&kmode) == -1) {
logger(LOG_ERR, "Setting capture mode failed");
return (1);
}
break;
case 2:
case 3:
/* No more Faircompare mode in kernel version 2, it is identical to
* SYSCLOCK
*/
switch (kmode) {
case RADCLOCK_TSMODE_SYSCLOCK:
case RADCLOCK_TSMODE_FAIRCOMPARE:
bd_tstamp = BPF_T_MICROTIME;
break;
case RADCLOCK_TSMODE_RADCLOCK:
// TODO this is not very clean, need to do better management of
// the format flag
bd_tstamp = BPF_T_FFCOUNTER;
// bd_tstamp = BPF_T_FFCOUNTER | BPF_T_FFCLOCK;
// bd_tstamp = BPF_T_MICROTIME | BPF_T_FFCLOCK | BPF_T_MONOTONIC;
break;
default:
logger(LOG_ERR, "descriptor_set_tsmode: Unknown timestamping mode.");
return (1);
}
if (ioctl(pcap_fileno(p_handle), BIOCSTSTAMP, (caddr_t)&bd_tstamp) == -1) {
logger(LOG_ERR, "Setting capture mode failed: %s", strerror(errno));
return (1);
}
break;
default:
logger(LOG_ERR, "Unknown kernel version");
return (1);
}
return (0);
}
/*
* a simple pcap test program, bridge between two interfaces.
*/
int
main(int argc, char **argv)
{
pcap_t *p0, *p1;
int burst = 1024;
struct pollfd pollfd[2];
fprintf(stderr, "%s %s built %s %s\n",
argv[0], version, __DATE__, __TIME__);
while (argc > 1 && !strcmp(argv[1], "-v")) {
verbose++;
argv++;
argc--;
}
if (argc < 3 || argc > 4 || !strcmp(argv[1], argv[2])) {
D("Usage: %s IFNAME1 IFNAME2 [BURST]", argv[0]);
return (1);
}
if (argc > 3)
burst = atoi(argv[3]);
p0 = pcap_open_live(argv[1], 0, 1, 100, NULL);
p1 = pcap_open_live(argv[2], 0, 1, 100, NULL);
D("%s", version);
D("open returns %p %p", p0, p1);
if (!p0 || !p1)
return(1);
bzero(pollfd, sizeof(pollfd));
pollfd[0].fd = pcap_fileno(p0);
pollfd[1].fd = pcap_fileno(p1);
pollfd[0].events = pollfd[1].events = POLLIN;
for (;;) {
/* do i need to reset ? */
pollfd[0].revents = pollfd[1].revents = 0;
int ret = poll(pollfd, 2, 1000);
if (ret <= 0 || verbose)
D("poll %s [0] ev %x %x [1] ev %x %x",
ret <= 0 ? "timeout" : "ok",
pollfd[0].events,
pollfd[0].revents,
pollfd[1].events,
pollfd[1].revents);
if (ret < 0)
continue;
if (pollfd[0].revents & POLLIN)
pcap_dispatch(p0, burst, do_send, (void *)p1);
if (pollfd[1].revents & POLLIN)
pcap_dispatch(p1, burst, do_send, (void *)p0);
}
return (0);
}
int
pcap_ex_immediate(pcap_t *pcap)
{
#ifdef _WIN32
return pcap_setmintocopy(pcap, 1);
#elif defined BIOCIMMEDIATE
int n = 1;
return ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n);
#else /* XXX On OSX Yosemite (10.10.3) BIOCIMMEDIATE is not defined) */
int n = 1;
return ioctl(pcap_fileno(pcap), _IOW('B',112, u_int), &n);
#endif
}
struct pcap_port *
pcap_open(struct pcap_port *pcap_port) {
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_drv *pcap_drv = pcap_port->drv;
pcap_t *pcap = NULL;
pcap = pcap_open_live(pcap_port->name, PCAP_SNAPLEN, true/*promisc*/, -1/*to_ms*/, errbuf);
if (pcap == NULL) {
logger_log(pcap_drv->logger, LOG_ERR, "Unable to open device %s: %s.", pcap_port->name, errbuf);
return NULL;
}
if(pcap_setnonblock(pcap, true, errbuf) != 0) {
logger_log(pcap_drv->logger, LOG_ERR, "Unable to set device to promisc %s: %s.", pcap_port->name, errbuf);
return NULL;
}
if(pcap_setdirection(pcap, PCAP_D_IN) != 0) {
logger_log(pcap_drv->logger, LOG_ERR, "Unable to set device direction %s: %s.", pcap_port->name, pcap_geterr(pcap));
return NULL;
}
pcap_port->pcap = pcap;
pcap_port->fd = pcap_fileno(pcap);
pcap_port->watcher = malloc(sizeof(ev_io));
pcap_port->watcher->data = pcap_port;
ev_io_init(pcap_port->watcher, event_loop_packet_in_cb, pcap_port->fd, EV_READ);
pcap_port_fill(pcap_port);
return pcap_port;
}
int
init_pcap(void)
{
hpcap = pcap_open_live(interface, snaplen, 1, PCAP_TO_MS, errbuf);
if (hpcap == NULL) {
logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
return (-1);
}
if (pcap_datalink(hpcap) != DLT_PFLOG) {
logmsg(LOG_ERR, "Invalid datalink type");
pcap_close(hpcap);
hpcap = NULL;
return (-1);
}
set_pcap_filter();
cur_snaplen = snaplen = pcap_snapshot(hpcap);
/* lock */
if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
return (-1);
}
return (0);
}
static int l2_packet_init_libpcap(struct l2_packet_data *l2,
unsigned short protocol)
{
bpf_u_int32 pcap_maskp, pcap_netp;
char pcap_filter[200], pcap_err[PCAP_ERRBUF_SIZE];
struct bpf_program pcap_fp;
pcap_lookupnet(l2->ifname, &pcap_netp, &pcap_maskp, pcap_err);
l2->pcap = pcap_open_live(l2->ifname, 2500, 0, 10, pcap_err);
if (l2->pcap == NULL) {
fprintf(stderr, "pcap_open_live: %s\n", pcap_err);
fprintf(stderr, "ifname='%s'\n", l2->ifname);
return -1;
}
if (pcap_datalink(l2->pcap) != DLT_EN10MB &&
pcap_set_datalink(l2->pcap, DLT_EN10MB) < 0) {
fprintf(stderr, "pcap_set_datalink(DLT_EN10MB): %s\n",
pcap_geterr(l2->pcap));
return -1;
}
os_snprintf(pcap_filter, sizeof(pcap_filter),
"not ether src " MACSTR " and "
"( ether dst " MACSTR " or ether dst " MACSTR " ) and "
"ether proto 0x%x",
MAC2STR(l2->own_addr), /* do not receive own packets */
MAC2STR(l2->own_addr), MAC2STR(pae_group_addr),
protocol);
if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) {
fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap));
return -1;
}
if (pcap_setfilter(l2->pcap, &pcap_fp) < 0) {
fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(l2->pcap));
return -1;
}
pcap_freecode(&pcap_fp);
#ifndef __sun__
/*
* When libpcap uses BPF we must enable "immediate mode" to
* receive frames right away; otherwise the system may
* buffer them for us.
*/
{
unsigned int on = 1;
if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) {
fprintf(stderr, "%s: cannot enable immediate mode on "
"interface %s: %s\n",
__func__, l2->ifname, strerror(errno));
/* XXX should we fail? */
}
}
#endif /* __sun__ */
eloop_register_read_sock(pcap_get_selectable_fd(l2->pcap),
l2_packet_receive, l2, l2->pcap);
return 0;
}
static struct recv_handler *HpingRecvGetHandler(struct recv_handler *ra, int len, char *ifname, Tcl_Interp *interp)
{
int i;
#if (!defined OSTYPE_LINUX) && (!defined __sun__)
int on = 1;
#endif
for (i = 0; i < len; i++) {
if (!ra[i].rh_ifname[0])
break;
if (!strcmp(ra[i].rh_ifname, ifname))
return ra+i;
}
/* Not found, need to open it */
if (i == len) {
/* XXX: with hping setfilter this is broken */
/* All the slots are full, make space at the end */
HpingRecvCloseHandler(ra+(len-1));
i--;
}
/* Open a new handler */
ra[i].rh_pcapfp = pcap_open_live(ifname, 99999, 0, 1, ra[i].rh_pcap_errbuf);
if (ra[i].rh_pcapfp == NULL)
return NULL;
#if (!defined OSTYPE_LINUX) && (!defined __sun__)
/* Return the packets to userspace as fast as possible */
if (ioctl(pcap_fileno(ra[i].rh_pcapfp), BIOCIMMEDIATE, &on) == -1) {
/* XXX non-critical error */
}
#endif
strlcpy(ra[i].rh_ifname, ifname, HPING_IFNAME_LEN);
ra[i].rh_interp = NULL;
ra[i].rh_linkhdrsize = dltype_to_lhs(pcap_datalink(ra[i].rh_pcapfp));
return ra+i;
}
static PyObject * p_fileno (PyObject *self, PyObject *args)
{
pcap_t * ppcap;
if (!PyArg_ParseTuple(args, "l", (long int*)&ppcap)) return NULL;
int rv = pcap_fileno(ppcap);
return Py_BuildValue("i", rv);
}
/* Open an Ethernet interface using PCAP */
static pcap_t *nio_ethernet_open(char *device)
{
char pcap_errbuf[PCAP_ERRBUF_SIZE];
pcap_t *p;
#ifndef CYGWIN
/* Timeout is 10ms */
if (!(p = pcap_open_live(device, 65535, TRUE, 10, pcap_errbuf)))
goto pcap_error;
pcap_setdirection(p, PCAP_D_INOUT);
#ifdef BIOCFEEDBACK
{
int on = 1;
ioctl(pcap_fileno(p), BIOCFEEDBACK, &on);
}
#endif
#else
p = pcap_open(device, 65535,
PCAP_OPENFLAG_PROMISCUOUS |
PCAP_OPENFLAG_NOCAPTURE_LOCAL |
PCAP_OPENFLAG_MAX_RESPONSIVENESS |
PCAP_OPENFLAG_NOCAPTURE_RPCAP,
10, NULL, pcap_errbuf);
if (!p)
goto pcap_error;
#endif
return p;
pcap_error:
fprintf(stderr, "nio_ethernet_open: unable to open device '%s' ""with PCAP (%s)\n", device, pcap_errbuf);
return NULL;
}
pcap_t *
pcap_open(char *device)
{
char ebuf[PCAP_ERRBUF_SIZE];
pcap_t *pcap;
if (device == NULL) {
if ((device = pcap_lookupdev(ebuf)) == NULL)
return (NULL);
}
if ((pcap = pcap_open_live(device, 31337, 0, 10, ebuf)) == NULL)
return (NULL);
#ifdef BSD
{
int n = 1;
if (ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n) < 0) {
pcap_close(pcap);
return (NULL);
}
}
#endif
return (pcap);
}
static void
add_device(orchids_t *ctx, mod_entry_t *mod, config_directive_t *dir)
{
/* dev: the network device to open
capd: a packet capture descriptor
*/
int fd;
char* dev;
char errbuf[PCAP_ERRBUF_SIZE]="";
pcap_t* capd = NULL;
dev = dir->args;
DebugLog(DF_MOD, DS_INFO, "Add 802.11 listen device %s\n", dev);
capd = pcap_open_live(dev, 65535, 1, 1, errbuf);
if ( strlen(errbuf) != 0 ) {
DebugLog(DF_MOD, DS_ERROR, "pcap_open_live error: %s\n", errbuf);
return;
}
pcap_setnonblock(capd, 1, NULL);
fd = pcap_fileno(capd);
datalink_type = pcap_datalink(capd);
add_input_descriptor(ctx, mod, wifi_callback, fd, capd);
}
static mrb_value
capture(mrb_state *mrb, mrb_value self)
{
struct capture_object *cap;
int nfd;
cap = (struct capture_object *)mrb_get_datatype(mrb, self, &mrb_pcap_type);
cap->mrb = mrb;
if (pcap_file(cap->pcap) != NULL) {
mrb_raise(mrb, E_RUNTIME_ERROR, "pcap file not supported");
} else {
int fd = pcap_fileno(cap->pcap);
fd_set rset;
FD_ZERO(&rset);
do {
FD_SET(fd, &rset);
nfd = select(fd+1, &rset, NULL, NULL, NULL);
if (nfd != 0) {
pcap_dispatch(cap->pcap, 1, handler, (u_char *)cap);
break;
} else {
continue;
}
} while (1);
}
return cap->cap_data;
}
static u32 regen_pfds(struct pollfd* pfds, struct api_client** ctable) {
u32 i, count = 2;
pfds[0].fd = pcap_fileno(pt);
pfds[0].events = (POLLIN | POLLERR | POLLHUP);
DEBUG("[#] Recomputing pollfd data, pcap_fd = %d.\n", pfds[0].fd);
if (!api_sock) return 1;
pfds[1].fd = api_fd;
pfds[1].events = (POLLIN | POLLERR | POLLHUP);
for (i = 0; i < api_max_conn; i++) {
if (api_cl[i].fd == -1) continue;
ctable[count] = api_cl + i;
/* If we haven't received a complete query yet, wait for POLLIN.
Otherwise, we want to write stuff. */
if (api_cl[i].in_off < sizeof(struct p0f_api_query))
pfds[count].events = (POLLIN | POLLERR | POLLHUP);
else
pfds[count].events = (POLLOUT | POLLERR | POLLHUP);
pfds[count++].fd = api_cl[i].fd;
}
return count;
}
static int parse_dhcp_replies(pcap_t *pc, int max_timeout, uint32_t dhcp_xid)
{
struct pcap_pkthdr pc_hdr;
fd_set read_set;
int status, pcap_fd, timed_out;
struct timeval timeout;
uint8_t *packet;
struct libnet_ethernet_hdr *eth_hdr;
struct libnet_ipv4_hdr *ip_hdr;
struct libnet_udp_hdr *udp_hdr;
struct libnet_dhcpv4_hdr *dhcp_hdr;
timeout.tv_sec = max_timeout;
timeout.tv_usec = 0;
pcap_fd = pcap_fileno(pc);
FD_ZERO(&read_set);
FD_SET(pcap_fd, &read_set);
for (timed_out = 0; !timed_out;) {
status = select(pcap_fd + 1, &read_set, 0, 0, &timeout);
switch (status) {
case -1:
fprintf(stderr, "select() %s\n", strerror(errno));
exit(EXIT_FAILURE);
case 0:
timed_out = 1;
continue;
default:
if (FD_ISSET(pcap_fd, &read_set) == 0) {
timed_out = 1;
continue;
}
}
packet = (uint8_t *) pcap_next(pc, &pc_hdr);
if (packet == NULL) {
continue;
}
eth_hdr = (struct libnet_ethernet_hdr *)(packet);
ip_hdr = (struct libnet_ipv4_hdr *)(packet +
sizeof(struct libnet_ethernet_hdr));
udp_hdr = (struct libnet_udp_hdr *)(packet +
sizeof(struct libnet_ethernet_hdr) +
sizeof(struct libnet_ipv4_hdr));
dhcp_hdr = (struct libnet_dhcpv4_hdr *)(packet +
sizeof(struct libnet_ethernet_hdr) +
sizeof(struct libnet_ipv4_hdr) +
sizeof(struct libnet_udp_hdr));
if (ntohl(dhcp_hdr->dhcp_xid) != dhcp_xid) {
continue;
}
printf("\n");
dump_dhcp_packet(dhcp_hdr);
}
}
/*
* Open either interface specified by "dev" or pcap file specified by
* "capfile". Optionally apply filter "bpf_prog"
*/
static void
setup_packet_capture(struct pcap **pcap, char *dev,
char *capfile, char *bpf_prog)
{
char ebuf[PCAP_ERRBUF_SIZE];
struct bpf_program prog_c;
/* Open pcap */
if (dev != NULL)
{
if ((*pcap = pcap_open_live(dev, LIBPCAP_SNAPLEN,
1, 0, ebuf)) == NULL)
{
fprintf(stderr, "pcap_open_live: %s\n", ebuf);
exit(1);
}
}
else
{
if ((*pcap = pcap_open_offline(capfile, ebuf)) == NULL)
{
fprintf(stderr, "pcap_open_offline(%s): %s\n",
capfile, ebuf);
exit(1);
}
}
/* XXX - check datalink */
/* Attach BPF filter, if specified */
if (bpf_prog != NULL)
{
if (pcap_compile(*pcap, &prog_c, bpf_prog, 1, 0) == -1)
{
fprintf(stderr, "pcap_compile(\"%s\"): %s\n",
bpf_prog, pcap_geterr(*pcap));
exit(1);
}
if (pcap_setfilter(*pcap, &prog_c) == -1)
{
fprintf(stderr, "pcap_setfilter: %s\n",
pcap_geterr(*pcap));
exit(1);
}
}
#ifdef BIOCLOCK
/*
* If we are reading from an device (not a file), then
* lock the underlying BPF device to prevent changes in the
* unprivileged child
*/
if (dev != NULL && ioctl(pcap_fileno(*pcap), BIOCLOCK) < 0)
{
fprintf(stderr, "ioctl(BIOCLOCK) failed: %s\n",
strerror(errno));
exit(1);
}
#endif
}
static void
arpd_init(char *dev, int naddresses, char **addresses)
{
struct bpf_program fcode;
char filter[1024], ebuf[PCAP_ERRBUF_SIZE], *dst;
intf_t *intf;
dst = arpd_expandips(naddresses, addresses);
if ((arpd_arp = arp_open()) == NULL)
err(1, "arp_open");
if ((intf = intf_open()) == NULL)
err(1, "intf_open");
if (dev == NULL) {
if ((dev = pcap_lookupdev(ebuf)) == NULL)
errx(1, "pcap_lookupdev: %s", ebuf);
}
arpd_ifent.intf_len = sizeof(arpd_ifent);
strncpy(arpd_ifent.intf_name, dev, sizeof(arpd_ifent.intf_name) - 1);
arpd_ifent.intf_name[sizeof(arpd_ifent.intf_name) - 1] = '\0';
if (intf_get(intf, &arpd_ifent) < 0)
err(1, "intf_get");
if (arpd_ifent.intf_addr.addr_type != ADDR_TYPE_IP ||
arpd_ifent.intf_link_addr.addr_type != ADDR_TYPE_ETH)
errx(1, "bad interface configuration: not IP or Ethernet");
arpd_ifent.intf_addr.addr_bits = IP_ADDR_BITS;
snprintf(filter, sizeof(filter), "arp %s%s%s and not ether src %s",
dst ? "and (" : "", dst ? dst : "", dst ? ")" : "",
addr_ntoa(&arpd_ifent.intf_link_addr));
if ((arpd_pcap = pcap_open_live(dev, 128, 0, 500, ebuf)) == NULL)
errx(1, "pcap_open_live: %s", ebuf);
if (pcap_compile(arpd_pcap, &fcode, filter, 1, 0) < 0 ||
pcap_setfilter(arpd_pcap, &fcode) < 0)
errx(1, "bad pcap filter: %s", pcap_geterr(arpd_pcap));
#if defined(BSD) && defined(BIOCIMMEDIATE)
{
int on = 1;
if (ioctl(pcap_fileno(arpd_pcap), BIOCIMMEDIATE, &on) < 0)
err(1, "BIOCIMMEDIATE");
}
#endif
if ((arpd_eth = eth_open(dev)) == NULL)
errx(1, "eth_open");
#ifndef LOG_PERROR
#define LOG_PERROR 0
#endif
openlog("arpd", LOG_PERROR|LOG_PID|LOG_CONS, LOG_DAEMON);
syslog(LOG_INFO, "listening on %s: %s", dev, filter);
}
void reader_libpcapfile_opened()
{
int dlt_to_linktype(int dlt);
pcapFileHeader.linktype = dlt_to_linktype(pcap_datalink(pcap)) | pcap_datalink_ext(pcap);
pcapFileHeader.snaplen = pcap_snapshot(pcap);
offlineFile = pcap_file(pcap);
if (config.bpf) {
struct bpf_program bpf;
if (pcap_compile(pcap, &bpf, config.bpf, 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
exit(1);
}
if (pcap_setfilter(pcap, &bpf) == -1) {
LOG("ERROR - Couldn't set filter: '%s' with %s", config.bpf, pcap_geterr(pcap));
exit(1);
}
}
int t;
for (t = 0; t < MOLOCH_FILTER_MAX; t++) {
if (config.bpfsNum[t]) {
int i;
if (bpf_programs[t]) {
for (i = 0; i < config.bpfsNum[t]; i++) {
pcap_freecode(&bpf_programs[t][i]);
}
} else {
bpf_programs[t] = malloc(config.bpfsNum[t]*sizeof(struct bpf_program));
}
for (i = 0; i < config.bpfsNum[t]; i++) {
if (pcap_compile(pcap, &bpf_programs[t][i], config.bpfs[t][i], 1, PCAP_NETMASK_UNKNOWN) == -1) {
LOG("ERROR - Couldn't compile filter: '%s' with %s", config.bpfs[t][i], pcap_geterr(pcap));
exit(1);
}
}
moloch_reader_should_filter = reader_libpcapfile_should_filter;
}
}
if (config.flushBetween)
moloch_session_flush();
offlinePcapName = strdup(offlinePcapFilename);
int fd = pcap_fileno(pcap);
if (fd == -1) {
g_timeout_add(0, reader_libpcapfile_read, NULL);
} else {
moloch_watch_fd(fd, MOLOCH_GIO_READ_COND, reader_libpcapfile_read, NULL);
}
}
int pcap_ex_immediate(pcap_t *pcap)
{
#ifdef BIOCIMMEDIATE
int n = 1;
return ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n);
#else
return (0);
#endif
}
static void HpingRecvCloseHandler(struct recv_handler *ra)
{
ra->rh_ifname[0] = '\0';
if (ra->rh_interp != NULL) {
Tcl_DeleteFileHandler(pcap_fileno(ra->rh_pcapfp));
Tcl_DecrRefCount(ra->rh_handlerscript);
}
pcap_close(ra->rh_pcapfp);
ra->rh_interp = NULL;
}
int
pcap_ex_fileno(pcap_t *pcap)
{
#ifdef _WIN32
/* XXX - how to handle savefiles? */
return ((int)pcap_getevent(pcap));
#else
FILE *f = pcap_file(pcap);
if (f != NULL)
return (fileno(f));
return (pcap_fileno(pcap));
#endif /* !_WIN32 */
}
int util_preparepcap(pcap_t *pdev, char *errorbuf) {
int pfd=-1, param=0;
pfd=pcap_fileno(pdev);
/* if its not a savefile then ioctl it (not always needed) */
if (pfd) {
param=1;
if (ioctl(pfd, BIOCIMMEDIATE, ¶m) < 0) {
;/* failure here is not always bad */
}
}
return 1;
}
int
pcap_ex_immediate(pcap_t *pcap)
{
#ifdef BIOCIMMEDIATE
int n = 1;
return ioctl(pcap_fileno(pcap), BIOCIMMEDIATE, &n);
#elif defined _WIN32
return pcap_setmintocopy(pcap, 1);
#else
return (0);
#endif
}
int launch_config(struct event_base* base) {
bpf_u_int32 netaddr = 0, mask = 0;
struct bpf_program filter;
char errbuf[PCAP_ERRBUF_SIZE];
memset(errbuf, 0, PCAP_ERRBUF_SIZE);
struct config* config_node = config;
while (config_node) {
struct module* mod = config_node->modules;
while (mod) {
pre_capture_function* precapture_func = dlsym(mod->mod_handle, "preCapture");
if ((precapture_func && precapture_func(base, config_node->interface, mod->context)) || precapture_func == NULL) {
if (offline_file) {
if ((mod->pcap_handle = pcap_open_offline(offline_file, errbuf)) == NULL) {
fprintf(stderr, "ERROR: %s\n", errbuf);
exit(1);
}
} else {
if ((mod->pcap_handle = pcap_open_live(config_node->interface, BUFSIZ, 0, 512, errbuf)) == NULL) {
fprintf(stderr, "ERROR: %s\n", errbuf);
exit(1);
} else if (pcap_lookupnet(config_node->interface, &netaddr, &mask, errbuf) == -1) {
fprintf(stderr, "ERROR: %s\n", errbuf);
exit(1);
}
}
}
pcaprule_function* rule_func = dlsym(mod->mod_handle, "getPcapRule");
if (rule_func == NULL) {
fprintf(stderr, "ERROR: %s\n", dlerror());
exit(1);
} else if (pcap_compile(mod->pcap_handle, &filter, rule_func(mod->context), 1, mask) == -1) {
fprintf(stderr, "ERROR: %s\n", pcap_geterr(mod->pcap_handle));
exit(1);
} else if (pcap_setfilter(mod->pcap_handle, &filter) == -1) {
fprintf(stderr, "ERROR: %s\n", pcap_geterr(mod->pcap_handle));
exit(1);
} else {
if (offline_file) {
pcap_callback(0, 0, mod);
} else {
struct event* ev = event_new(base, pcap_fileno(mod->pcap_handle), EV_READ|EV_PERSIST, pcap_callback, mod);
event_add(ev, NULL);
}
}
mod = mod->next;
}
config_node = config_node->next;
}
return 1;
};
/* XXX - hrr, this sux */
void pcap_ex_setup(pcap_t *pcap)
{
#ifdef _WIN32
SetConsoleCtrlHandler(__pcap_ex_ctrl, TRUE);
#else
#if 0
int fd, n;
fd = pcap_fileno(pcap);
n = fcntl(fd, F_GETFL, 0) | O_NONBLOCK;
fcntl(fd, F_SETFL, n);
#endif
signal(SIGINT, __pcap_ex_signal);
#endif
}
int
init_pcap(void)
{
struct bpf_program bpfp;
char filter[PCAPFSIZ] = "ip and port 25 and action pass "
"and tcp[13]&0x12=0x2";
#ifdef __FreeBSD__
if(!use_pf) {
strncpy(filter,"ip and port 25 and tcp[13]&0x12=0x2",sizeof(filter));
}
#endif
if ((hpcap = pcap_open_live(pflogif, PCAPSNAP, 1, PCAPTIMO,
errbuf)) == NULL) {
logmsg(LOG_ERR, "Failed to initialize: %s", errbuf);
return (-1);
}
if ((use_pf && pcap_datalink(hpcap) != DLT_PFLOG) || (!use_pf && pcap_datalink(hpcap)!=DLT_NULL)) {
logmsg(LOG_ERR, "Invalid datalink type");
pcap_close(hpcap);
hpcap = NULL;
return (-1);
}
if (networkif != NULL) {
strlcat(filter, " and on ", PCAPFSIZ);
strlcat(filter, networkif, PCAPFSIZ);
}
if (pcap_compile(hpcap, &bpfp, filter, PCAPOPTZ, 0) == -1 ||
pcap_setfilter(hpcap, &bpfp) == -1) {
logmsg(LOG_ERR, "%s", pcap_geterr(hpcap));
return (-1);
}
pcap_freecode(&bpfp);
#ifdef BIOCLOCK
if (ioctl(pcap_fileno(hpcap), BIOCLOCK) < 0) {
logmsg(LOG_ERR, "BIOCLOCK: %s", strerror(errno));
return (-1);
}
#endif
return (0);
}
/* return codes: 1 = pkt, 0 = timeout, -1 = error, -2 = EOF */
int pcap_ex_next(pcap_t *pcap, struct pcap_pkthdr **hdr, u_char **pkt)
{
#ifdef _WIN32
if (__pcap_ex_gotsig)
{
__pcap_ex_gotsig = 0;
return (-1);
}
return (pcap_next_ex(pcap, hdr, pkt));
#else
static u_char *__pkt;
static struct pcap_pkthdr __hdr;
struct timeval tv =
{ 1, 0 };
fd_set rfds;
int fd, n;
fd = pcap_fileno(pcap);
for (;;)
{
if (__pcap_ex_gotsig)
{
__pcap_ex_gotsig = 0;
return (-1);
}
if ((__pkt = (u_char *) pcap_next(pcap, &__hdr)) == NULL )
{
#ifdef HAVE_PCAP_FILE
if (pcap_file(pcap) != NULL)
#else
if (pcap->sf.rfile != NULL )
#endif
return (-2);
FD_ZERO(&rfds);
FD_SET(fd, &rfds);
n = select(fd + 1, &rfds, NULL, NULL, &tv);
if (n <= 0)
return (n);
}
else
break;
}
*pkt = __pkt;
*hdr = &__hdr;
return (1);
#endif
}
void
Mod_fw_start_log_capture(FW_handle_T handle)
{
struct fw_handle *fwh = handle->fwh;
struct bpf_program bpfp;
char *pflog_if, *net_if;
char errbuf[PCAP_ERRBUF_SIZE];
char filter[PCAPFSIZ] = "ip and port 25 and action pass "
"and tcp[13]&0x12=0x2";
pflog_if = Config_get_str(handle->config, "pflog_if", "firewall",
PFLOG_IF);
net_if = Config_get_str(handle->config, "net_if", "firewall",
NULL);
if((fwh->pcap_handle = pcap_open_live(pflog_if, PCAPSNAP, 1, PCAPTIMO,
errbuf)) == NULL)
{
i_critical("failed to initialize: %s", errbuf);
}
if(pcap_datalink(fwh->pcap_handle) != DLT_PFLOG) {
pcap_close(fwh->pcap_handle);
fwh->pcap_handle = NULL;
i_critical("invalid datalink type");
}
if(net_if != NULL) {
sstrncat(filter, " and on ", PCAPFSIZ);
sstrncat(filter, net_if, PCAPFSIZ);
}
if((pcap_compile(fwh->pcap_handle, &bpfp, filter, PCAPOPTZ, 0) == -1)
|| (pcap_setfilter(fwh->pcap_handle, &bpfp) == -1))
{
i_critical("%s", pcap_geterr(fwh->pcap_handle));
}
pcap_freecode(&bpfp);
#ifdef BIOCLOCK
if(ioctl(pcap_fileno(fwh->pcap_handle), BIOCLOCK) < 0) {
i_critical("BIOCLOCK: %s", strerror(errno));
}
#endif
fwh->entries = List_create(destroy_log_entry);
}
/* return codes: 1 = pkt, 0 = timeout, -1 = error, -2 = EOF */
int
pcap_ex_next(pcap_t *pcap, struct pcap_pkthdr *hdr, u_char **pkt)
{
#ifdef _WIN32
struct pcap_pkthdr *hdrp;
int ret;
if (__pcap_ex_gotsig) {
__pcap_ex_gotsig = 0;
return (-1);
}
ret = pcap_next_ex(pcap, &hdrp, pkt);
if (hdrp && hdr)
*hdr = *hdrp;
return ret;
#else
static u_char *__pkt;
struct timeval tv = { 1, 0 };
fd_set rfds;
int fd, n;
fd = pcap_fileno(pcap);
for (;;) {
if (__pcap_ex_gotsig) {
__pcap_ex_gotsig = 0;
return (-1);
}
if ((__pkt = (u_char *)pcap_next(pcap, hdr)) == NULL) {
if (pcap_file(pcap) != NULL)
return (-2);
FD_ZERO(&rfds);
FD_SET(fd, &rfds);
n = select(fd + 1, &rfds, NULL, NULL, &tv);
if (n <= 0)
return (n);
} else
break;
}
*pkt = __pkt;
return (1);
#endif
}
void
Pcap_run(DMC * dns_callback, IPC * ip_callback)
{
dns_message_callback = dns_callback;
ip_message_callback = ip_callback;
gettimeofday(&start_ts, NULL);
finish_ts.tv_sec = ((start_ts.tv_sec / 60) + 1) * 60;
finish_ts.tv_usec = 0;
while (last_ts.tv_sec < finish_ts.tv_sec) {
fd_set *R = Pcap_select(&pcap_fdset, 0, 250000);
if (NULL == R) {
gettimeofday(&last_ts, NULL);
} else {
int i;
for (i = 0; i < n_pcap; i++)
if (FD_ISSET(pcap_fileno(pcap[i]), &pcap_fdset))
pcap_dispatch(pcap[i], 50, handle_pcap, NULL);
}
}
}
int open_pcap()
{
int on;
on = 1; /* no warning if BIOCIMMEDIATE will not be compiled */
if (opt_debug)
printf("DEBUG: pcap_open_live(%s, 99999, 0, 1, %p)\n",
ifname, errbuf);
pcapfp = pcap_open_live(ifname, 99999, 0, 1, errbuf);
if (pcapfp == NULL) {
printf("[open_pcap] pcap_open_live: %s\n", errbuf);
return -1;
}
#if (!defined OSTYPE_LINUX) && (!defined __sun__)
/* Return the packets to userspace as fast as possible */
if (ioctl(pcap_fileno(pcapfp), BIOCIMMEDIATE, &on) == -1)
perror("[open_pcap] ioctl(... BIOCIMMEDIATE ...)");
#endif
return 0;
}
