Home | History | Annotate | Download | only in libpcap
      1 /*
      2  * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
      3  * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
      4  * All rights reserved.
      5  *
      6  * Redistribution and use in source and binary forms, with or without
      7  * modification, are permitted provided that the following conditions
      8  * are met:
      9  *
     10  * 1. Redistributions of source code must retain the above copyright
     11  * notice, this list of conditions and the following disclaimer.
     12  * 2. Redistributions in binary form must reproduce the above copyright
     13  * notice, this list of conditions and the following disclaimer in the
     14  * documentation and/or other materials provided with the distribution.
     15  * 3. Neither the name of the Politecnico di Torino, CACE Technologies
     16  * nor the names of its contributors may be used to endorse or promote
     17  * products derived from this software without specific prior written
     18  * permission.
     19  *
     20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     22  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
     23  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
     24  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     25  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
     26  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     31  *
     32  */
     33 
     34 #ifndef __RPCAP_PROTOCOL_H__
     35 #define __RPCAP_PROTOCOL_H__
     36 
     37 #define RPCAP_DEFAULT_NETPORT "2002" /* Default port on which the RPCAP daemon is waiting for connections. */
     38 /* Default port on which the client workstation is waiting for connections in case of active mode. */
     39 #define RPCAP_DEFAULT_NETPORT_ACTIVE "2003"
     40 #define RPCAP_DEFAULT_NETADDR ""	/* Default network address on which the RPCAP daemon binds to. */
     41 
     42 /*
     43  * Minimum and maximum supported versions of the protocol.
     44  *
     45  * If new message types are added, the protocol version MUST be changed,
     46  * so that a client knows, from the negotiated protocol version, what
     47  * messages can be sent to the server.
     48  *
     49  * If the format of an existing message type is changed, the protocol
     50  * version MUST be changed, so that each side knows, from the negotiated
     51  * protocol version, what format should be used.
     52  *
     53  * The RPCAP_MSG_ERROR format MUST not change, as it's used to, among
     54  * other things, report "incorrect version number" errors, where, if
     55  * the format changed, the sender of the message might not know what
     56  * versions the recipient would understand, or might know a version
     57  * they support (the version number they sent) but might not know
     58  * the format of the message in that version.
     59  *
     60  * Other message versions SHOULD not change, as that would complicate
     61  * the process of interpreting the message, making it version-dependent.
     62  * Introducing a new message with a new format is preferable.
     63  *
     64  * Version negotiation is done as part of the authentication process:
     65  *
     66  * The client sends an authentication request, with the version number
     67  * in the request being the maximum version it supports.
     68  *
     69  * If the server supports that version, it attempts to authenticate the
     70  * client, and replies as appropriate, with the version number in the
     71  * reply being that version.
     72  *
     73  * If the server doesn't support that version because it's too large,
     74  * it replies with a RPCAP_MSG_ERROR message, with the maximum version
     75  * they support as the version number in the reply, and with the error
     76  * code being PCAP_ERR_WRONGVER.
     77  *
     78  * If the server doesn't support that version because it's too small,
     79  * it replies with a RPCAP_MSG_ERROR message, with that version as
     80  * the version number in the reply, and with the error code being
     81  * PCAP_ERR_WRONGVER.
     82  *
     83  * If the client supports that version, it retries the authentication
     84  * with that version and, if that fails for any reason, including
     85  * PCAP_ERR_WRONGVER, fails.  Otherwise, it fails, telling its caller
     86  * that there's no version that both support.
     87  *
     88  * This requires that the set of versions supported by a client or
     89  * server be a range of integers, with no gaps.  Thus:
     90  *
     91  * the client's version set is [Cmin, Cmax], with Cmin <= Cmax;
     92  *
     93  * the server's version set is [Smin, Smax], with Smin <= Smax;
     94  *
     95  * the client sends Cmax as the version number in the initial
     96  * authentication request;
     97  *
     98  * if the server doesn't support the version sent by the client,
     99  * either Smax < Cmax or Smin > Cmax (because the client sent Cmax
    100  * to the server, and the server doesn't support it);
    101  *
    102  * if Smax < Cmax:
    103  *
    104  *    the server sends Smax as the version number in the RPCAP_MSG_ERROR/
    105  *    PCAP_ERR_WRONGVER message - the client will accept this because
    106  *    Cmax != 0, as these numbers are unsigned, and this means that
    107  *    this isn't an old client that rejects all messages with a non-zero
    108  *    version number, it's a new client that accepts RPCAP_MSG_ERROR
    109  *    messages no matter what the version is;
    110  *
    111  *    if Smax >= Cmin, both the client and the server can use it, and
    112  *    the client retries with Smax;
    113  *
    114  *    if Smax < Cmin, there is no version the client and server can
    115  *    both support.
    116  *
    117  * if Smin > Cmax:
    118  *
    119  *    the server sends Cmax as the version number in the RPCAP_MSG_ERROR/
    120  *    PCAP_ERR_WRONGVER message - the client will accept this because
    121  *    Cmax is a valid client version number.
    122  *
    123  *    the client will retry with Cmax, get the same version failure,
    124  *    and report that there is no version the client and server can
    125  *    both support (as the version sets are disjoint).
    126  *
    127  * Old negotiation-unaware clients just send version 0 and, if they
    128  * get back PCAP_ERR_WRONGVER, treat it as a fatal error.  This
    129  * means they'll fail to talk to any server that can't handle
    130  * version 0, which is the appropriate thing to do, as they can
    131  * only use version 0.
    132  *
    133  * Old negotiation-unaware servers fail if they get a version other
    134  * than 0, sending back PCAP_ERR_WRONGVER with version 0, which is
    135  * the only version, and thus both the minimum and maximum version,
    136  * they support.  The client will either fail if it doesn't support
    137  * version 0, or will retry with version 0 and succeed, so it will
    138  * fail with servers that can't handle version 0 or will negotiate
    139  * version 0 with servers that can handle version 0.
    140  */
    141 #define RPCAP_MIN_VERSION 0
    142 #define RPCAP_MAX_VERSION 0
    143 
    144 /*
    145  * Version numbers are unsigned, so if RPCAP_MIN_VERSION is 0, they
    146  * are >= the minimum version, by definition; don't check against
    147  * RPCAP_MIN_VERSION, as you may get compiler warnings that the
    148  * comparison will always succeed.
    149  */
    150 #if RPCAP_MIN_VERSION == 0
    151 #define RPCAP_VERSION_IS_SUPPORTED(v)	((v) <= RPCAP_MAX_VERSION)
    152 #else
    153 #define RPCAP_VERSION_IS_SUPPORTED(v)	\
    154 	((v) >= RPCAP_MIN_VERSION && (v) <= RPCAP_MAX_VERSION)
    155 #endif
    156 
    157 /*
    158  * Separators used for the host list.
    159  *
    160  * It is used:
    161  * - by the rpcapd daemon, when you types a list of allowed connecting hosts
    162  * - by the rpcap client in active mode, when the client waits for incoming
    163  * connections from other hosts
    164  */
    165 #define RPCAP_HOSTLIST_SEP " ,;\n\r"
    166 
    167 /*********************************************************
    168  *                                                       *
    169  * Protocol messages formats                             *
    170  *                                                       *
    171  *********************************************************/
    172 /*
    173  * WARNING: This file defines some structures that are used to transfer
    174  * data on the network.
    175  * Note that your compiler MUST not insert padding into these structures
    176  * for better alignment.
    177  * These structures have been created in order to be correctly aligned to
    178  * a 32-bit boundary, but be careful in any case.
    179  */
    180 
    181 /*
    182  * WARNING: These typedefs MUST be of a specific size.
    183  * You might have to change them on your platform.
    184  *
    185  * XXX - use the C99 types?  Microsoft's newer versions of Visual Studio
    186  * support them.
    187  */
    188 typedef unsigned char uint8;	/* 8-bit unsigned integer */
    189 typedef unsigned short uint16;	/* 16-bit unsigned integer */
    190 typedef unsigned int uint32;	/* 32-bit unsigned integer */
    191 typedef int int32;		/* 32-bit signed integer */
    192 
    193 /* Common header for all the RPCAP messages */
    194 struct rpcap_header
    195 {
    196 	uint8 ver;	/* RPCAP version number */
    197 	uint8 type;	/* RPCAP message type (error, findalldevs, ...) */
    198 	uint16 value;	/* Message-dependent value (not always used) */
    199 	uint32 plen;	/* Length of the payload of this RPCAP message */
    200 };
    201 
    202 /* Format of the message for the interface description (findalldevs command) */
    203 struct rpcap_findalldevs_if
    204 {
    205 	uint16 namelen;	/* Length of the interface name */
    206 	uint16 desclen;	/* Length of the interface description */
    207 	uint32 flags;	/* Interface flags */
    208 	uint16 naddr;	/* Number of addresses */
    209 	uint16 dummy;	/* Must be zero */
    210 };
    211 
    212 /*
    213  * Format of an address as sent over the wire.
    214  *
    215  * Do *NOT* use struct sockaddr_storage, as the layout for that is
    216  * machine-dependent.
    217  *
    218  * RFC 2553 gives two sample layouts, both of which are 128 bytes long,
    219  * both of which are aligned on an 8-byte boundary, and both of which
    220  * have 2 bytes before the address data.
    221  *
    222  * However, one has a 2-byte address family value at the beginning
    223  * and the other has a 1-byte address length value and a 1-byte
    224  * address family value; this reflects the fact that the original
    225  * BSD sockaddr structure had a 2-byte address family value, which
    226  * was later changed to a 1-byte address length value and a 1-byte
    227  * address family value, when support for variable-length OSI
    228  * network-layer addresses was added.
    229  *
    230  * Furthermore, Solaris's struct sockaddr_storage is 256 bytes
    231  * long.
    232  *
    233  * This structure is supposed to be aligned on an 8-byte boundary;
    234  * the message header is 8 bytes long, so we don't have to do
    235  * anything to ensure it's aligned on that boundary within a packet,
    236  * so we just define it as 128 bytes long, with a 2-byte address
    237  * family.  (We only support IPv4 and IPv6 addresses, which are fixed-
    238  * length.)  That way, it's the same size as sockaddr_storage on
    239  * Windows, and it'll look like what an older Windows client will
    240  * expect.
    241  *
    242  * In addition, do *NOT* use the host's AF_ value for an address,
    243  * as the value for AF_INET6 is machine-dependent.  We use the
    244  * Windows value, so it'll look like what an older Windows client
    245  * will expect.
    246  *
    247  * (The Windows client is the only one that has been distributed
    248  * as a standard part of *pcap; UN*X clients are probably built
    249  * from source by the user or administrator, so they're in a
    250  * better position to upgrade an old client.  Therefore, we
    251  * try to make what goes over the wire look like what comes
    252  * from a Windows server.)
    253  */
    254 struct rpcap_sockaddr
    255 {
    256 	uint16	family;			/* Address family */
    257 	char	data[128-2];		/* Data */
    258 };
    259 
    260 /*
    261  * Format of an IPv4 address as sent over the wire.
    262  */
    263 #define RPCAP_AF_INET	2		/* Value on all OSes */
    264 struct rpcap_sockaddr_in
    265 {
    266 	uint16	family;			/* Address family */
    267 	uint16	port;			/* Port number */
    268 	uint32	addr;			/* IPv4 address */
    269 	uint8	zero[8];		/* Padding */
    270 };
    271 
    272 /*
    273  * Format of an IPv6 address as sent over the wire.
    274  */
    275 #define RPCAP_AF_INET6	23		/* Value on Windows */
    276 struct rpcap_sockaddr_in6
    277 {
    278 	uint16	family;			/* Address family */
    279 	uint16	port;			/* Port number */
    280 	uint32	flowinfo;		/* IPv6 flow information */
    281 	uint8	addr[16];		/* IPv6 address */
    282 	uint32	scope_id;		/* Scope zone index */
    283 };
    284 
    285 /* Format of the message for the address listing (findalldevs command) */
    286 struct rpcap_findalldevs_ifaddr
    287 {
    288 	struct rpcap_sockaddr addr;		/* Network address */
    289 	struct rpcap_sockaddr netmask;		/* Netmask for that address */
    290 	struct rpcap_sockaddr broadaddr;	/* Broadcast address for that address */
    291 	struct rpcap_sockaddr dstaddr;		/* P2P destination address for that address */
    292 };
    293 
    294 /*
    295  * \brief Format of the message of the connection opening reply (open command).
    296  *
    297  * This structure transfers over the network some of the values useful on the client side.
    298  */
    299 struct rpcap_openreply
    300 {
    301 	int32 linktype;	/* Link type */
    302 	int32 tzoff;	/* Timezone offset */
    303 };
    304 
    305 /* Format of the message that starts a remote capture (startcap command) */
    306 struct rpcap_startcapreq
    307 {
    308 	uint32 snaplen;		/* Length of the snapshot (number of bytes to capture for each packet) */
    309 	uint32 read_timeout;	/* Read timeout in milliseconds */
    310 	uint16 flags;		/* Flags (see RPCAP_STARTCAPREQ_FLAG_xxx) */
    311 	uint16 portdata;	/* Network port on which the client is waiting at (if 'serveropen') */
    312 };
    313 
    314 /* Format of the reply message that devoted to start a remote capture (startcap reply command) */
    315 struct rpcap_startcapreply
    316 {
    317 	int32 bufsize;		/* Size of the user buffer allocated by WinPcap; it can be different from the one we chose */
    318 	uint16 portdata;	/* Network port on which the server is waiting at (passive mode only) */
    319 	uint16 dummy;		/* Must be zero */
    320 };
    321 
    322 /*
    323  * \brief Format of the header which encapsulates captured packets when transmitted on the network.
    324  *
    325  * This message requires the general header as well, since we want to be able to exchange
    326  * more information across the network in the future (for example statistics, and kind like that).
    327  */
    328 struct rpcap_pkthdr
    329 {
    330 	uint32 timestamp_sec;	/* 'struct timeval' compatible, it represents the 'tv_sec' field */
    331 	uint32 timestamp_usec;	/* 'struct timeval' compatible, it represents the 'tv_usec' field */
    332 	uint32 caplen;		/* Length of portion present in the capture */
    333 	uint32 len;		/* Real length this packet (off wire) */
    334 	uint32 npkt;		/* Ordinal number of the packet (i.e. the first one captured has '1', the second one '2', etc) */
    335 };
    336 
    337 /* General header used for the pcap_setfilter() command; keeps just the number of BPF instructions */
    338 struct rpcap_filter
    339 {
    340 	uint16 filtertype;	/* type of the filter transferred (BPF instructions, ...) */
    341 	uint16 dummy;		/* Must be zero */
    342 	uint32 nitems;		/* Number of items contained into the filter (e.g. BPF instructions for BPF filters) */
    343 };
    344 
    345 /* Structure that keeps a single BPF instuction; it is repeated 'ninsn' times according to the 'rpcap_filterbpf' header */
    346 struct rpcap_filterbpf_insn
    347 {
    348 	uint16 code;	/* opcode of the instruction */
    349 	uint8 jt;	/* relative offset to jump to in case of 'true' */
    350 	uint8 jf;	/* relative offset to jump to in case of 'false' */
    351 	int32 k;	/* instruction-dependent value */
    352 };
    353 
    354 /* Structure that keeps the data required for the authentication on the remote host */
    355 struct rpcap_auth
    356 {
    357 	uint16 type;	/* Authentication type */
    358 	uint16 dummy;	/* Must be zero */
    359 	uint16 slen1;	/* Length of the first authentication item (e.g. username) */
    360 	uint16 slen2;	/* Length of the second authentication item (e.g. password) */
    361 };
    362 
    363 /* Structure that keeps the statistics about the number of packets captured, dropped, etc. */
    364 struct rpcap_stats
    365 {
    366 	uint32 ifrecv;		/* Packets received by the kernel filter (i.e. pcap_stats.ps_recv) */
    367 	uint32 ifdrop;		/* Packets dropped by the network interface (e.g. not enough buffers) (i.e. pcap_stats.ps_ifdrop) */
    368 	uint32 krnldrop;	/* Packets dropped by the kernel filter (i.e. pcap_stats.ps_drop) */
    369 	uint32 svrcapt;		/* Packets captured by the RPCAP daemon and sent on the network */
    370 };
    371 
    372 /* Structure that is needed to set sampling parameters */
    373 struct rpcap_sampling
    374 {
    375 	uint8 method;	/* Sampling method */
    376 	uint8 dummy1;	/* Must be zero */
    377 	uint16 dummy2;	/* Must be zero */
    378 	uint32 value;	/* Parameter related to the sampling method */
    379 };
    380 
    381 /* Messages field coding */
    382 #define RPCAP_MSG_IS_REPLY		0x080	/* Flag indicating a reply */
    383 
    384 #define RPCAP_MSG_ERROR			1	/* Message that keeps an error notification */
    385 #define RPCAP_MSG_FINDALLIF_REQ		2	/* Request to list all the remote interfaces */
    386 #define RPCAP_MSG_OPEN_REQ		3	/* Request to open a remote device */
    387 #define RPCAP_MSG_STARTCAP_REQ		4	/* Request to start a capture on a remote device */
    388 #define RPCAP_MSG_UPDATEFILTER_REQ	5	/* Send a compiled filter into the remote device */
    389 #define RPCAP_MSG_CLOSE			6	/* Close the connection with the remote peer */
    390 #define RPCAP_MSG_PACKET		7	/* This is a 'data' message, which carries a network packet */
    391 #define RPCAP_MSG_AUTH_REQ		8	/* Message that keeps the authentication parameters */
    392 #define RPCAP_MSG_STATS_REQ		9	/* It requires to have network statistics */
    393 #define RPCAP_MSG_ENDCAP_REQ		10	/* Stops the current capture, keeping the device open */
    394 #define RPCAP_MSG_SETSAMPLING_REQ	11	/* Set sampling parameters */
    395 
    396 #define RPCAP_MSG_FINDALLIF_REPLY	(RPCAP_MSG_FINDALLIF_REQ | RPCAP_MSG_IS_REPLY)		/* Keeps the list of all the remote interfaces */
    397 #define RPCAP_MSG_OPEN_REPLY		(RPCAP_MSG_OPEN_REQ | RPCAP_MSG_IS_REPLY)		/* The remote device has been opened correctly */
    398 #define RPCAP_MSG_STARTCAP_REPLY	(RPCAP_MSG_STARTCAP_REQ | RPCAP_MSG_IS_REPLY)		/* The capture is starting correctly */
    399 #define RPCAP_MSG_UPDATEFILTER_REPLY	(RPCAP_MSG_UPDATEFILTER_REQ | RPCAP_MSG_IS_REPLY)	/* The filter has been applied correctly on the remote device */
    400 #define RPCAP_MSG_AUTH_REPLY		(RPCAP_MSG_AUTH_REQ | RPCAP_MSG_IS_REPLY)		/* Sends a message that says 'ok, authorization successful' */
    401 #define RPCAP_MSG_STATS_REPLY		(RPCAP_MSG_STATS_REQ | RPCAP_MSG_IS_REPLY)		/* Message that keeps the network statistics */
    402 #define RPCAP_MSG_ENDCAP_REPLY		(RPCAP_MSG_ENDCAP_REQ | RPCAP_MSG_IS_REPLY)		/* Confirms that the capture stopped successfully */
    403 #define RPCAP_MSG_SETSAMPLING_REPLY	(RPCAP_MSG_SETSAMPLING_REQ | RPCAP_MSG_IS_REPLY)		/* Confirms that the capture stopped successfully */
    404 
    405 #define RPCAP_STARTCAPREQ_FLAG_PROMISC		0x00000001	/* Enables promiscuous mode (default: disabled) */
    406 #define RPCAP_STARTCAPREQ_FLAG_DGRAM		0x00000002	/* Use a datagram (i.e. UDP) connection for the data stream (default: use TCP)*/
    407 #define RPCAP_STARTCAPREQ_FLAG_SERVEROPEN	0x00000004	/* The server has to open the data connection toward the client */
    408 #define RPCAP_STARTCAPREQ_FLAG_INBOUND		0x00000008	/* Capture only inbound packets (take care: the flag has no effect with promiscuous enabled) */
    409 #define RPCAP_STARTCAPREQ_FLAG_OUTBOUND		0x00000010	/* Capture only outbound packets (take care: the flag has no effect with promiscuous enabled) */
    410 
    411 #define RPCAP_UPDATEFILTER_BPF 1			/* This code tells us that the filter is encoded with the BPF/NPF syntax */
    412 
    413 /* Network error codes */
    414 #define PCAP_ERR_NETW		1	/* Network error */
    415 #define PCAP_ERR_INITTIMEOUT	2	/* The RPCAP initial timeout has expired */
    416 #define PCAP_ERR_AUTH		3	/* Generic authentication error */
    417 #define PCAP_ERR_FINDALLIF	4	/* Generic findalldevs error */
    418 #define PCAP_ERR_NOREMOTEIF	5	/* The findalldevs was ok, but the remote end had no interfaces to list */
    419 #define PCAP_ERR_OPEN		6	/* Generic pcap_open error */
    420 #define PCAP_ERR_UPDATEFILTER	7	/* Generic updatefilter error */
    421 #define PCAP_ERR_GETSTATS	8	/* Generic pcap_stats error */
    422 #define PCAP_ERR_READEX		9	/* Generic pcap_next_ex error */
    423 #define PCAP_ERR_HOSTNOAUTH	10	/* The host is not authorized to connect to this server */
    424 #define PCAP_ERR_REMOTEACCEPT	11	/* Generic pcap_remoteaccept error */
    425 #define PCAP_ERR_STARTCAPTURE	12	/* Generic pcap_startcapture error */
    426 #define PCAP_ERR_ENDCAPTURE	13	/* Generic pcap_endcapture error */
    427 #define PCAP_ERR_RUNTIMETIMEOUT	14	/* The RPCAP run-time timeout has expired */
    428 #define PCAP_ERR_SETSAMPLING	15	/* Error during the settings of sampling parameters */
    429 #define PCAP_ERR_WRONGMSG	16	/* The other end endpoint sent a message which has not been recognized */
    430 #define PCAP_ERR_WRONGVER	17	/* The other end endpoint has a version number that is not compatible with our */
    431 
    432 /*
    433  * \brief Buffer used by socket functions to send-receive packets.
    434  * In case you plan to have messages larger than this value, you have to increase it.
    435  */
    436 #define RPCAP_NETBUF_SIZE 64000
    437 
    438 /*********************************************************
    439  *                                                       *
    440  * Routines used by the rpcap client and rpcap daemon    *
    441  *                                                       *
    442  *********************************************************/
    443 
    444 #include "sockutils.h"
    445 
    446 extern void rpcap_createhdr(struct rpcap_header *header, uint8 ver, uint8 type, uint16 value, uint32 length);
    447 extern const char *rpcap_msg_type_string(uint8 type);
    448 extern int rpcap_senderror(SOCKET sock, uint8 ver, uint16 errcode, const char *error, char *errbuf);
    449 
    450 #endif
    451