1 /* 2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy) 3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California) 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies 16 * nor the names of its contributors may be used to endorse or promote 17 * products derived from this software without specific prior written 18 * permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 * 32 */ 33 34 #ifdef HAVE_CONFIG_H 35 #include <config.h> 36 #endif 37 38 #include "ftmacros.h" 39 40 #include <string.h> /* for strlen(), ... */ 41 #include <stdlib.h> /* for malloc(), free(), ... */ 42 #include <stdarg.h> /* for functions with variable number of arguments */ 43 #include <errno.h> /* for the errno variable */ 44 #include "sockutils.h" 45 #include "pcap-int.h" 46 #include "rpcap-protocol.h" 47 #include "pcap-rpcap.h" 48 49 /* 50 * This file contains the pcap module for capturing from a remote machine's 51 * interfaces using the RPCAP protocol. 52 * 53 * WARNING: All the RPCAP functions that are allowed to return a buffer 54 * containing the error description can return max PCAP_ERRBUF_SIZE characters. 55 * However there is no guarantees that the string will be zero-terminated. 56 * Best practice is to define the errbuf variable as a char of size 57 * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end 58 * of the buffer. This will guarantee that no buffer overflows occur even 59 * if we use the printf() to show the error on the screen. 60 * 61 * XXX - actually, null-terminating the error string is part of the 62 * contract for the pcap API; if there's any place in the pcap code 63 * that doesn't guarantee null-termination, even at the expense of 64 * cutting the message short, that's a bug and needs to be fixed. 65 */ 66 67 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */ 68 #ifdef _WIN32 69 #define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */ 70 #endif 71 72 /* 73 * \brief Keeps a list of all the opened connections in the active mode. 74 * 75 * This structure defines a linked list of items that are needed to keep the info required to 76 * manage the active mode. 77 * In other words, when a new connection in active mode starts, this structure is updated so that 78 * it reflects the list of active mode connections currently opened. 79 * This structure is required by findalldevs() and open_remote() to see if they have to open a new 80 * control connection toward the host, or they already have a control connection in place. 81 */ 82 struct activehosts 83 { 84 struct sockaddr_storage host; 85 SOCKET sockctrl; 86 uint8 protocol_version; 87 struct activehosts *next; 88 }; 89 90 /* Keeps a list of all the opened connections in the active mode. */ 91 static struct activehosts *activeHosts; 92 93 /* 94 * Keeps the main socket identifier when we want to accept a new remote 95 * connection (active mode only). 96 * See the documentation of pcap_remoteact_accept() and 97 * pcap_remoteact_cleanup() for more details. 98 */ 99 static SOCKET sockmain; 100 101 /* 102 * Private data for capturing remotely using the rpcap protocol. 103 */ 104 struct pcap_rpcap { 105 /* 106 * This is '1' if we're the network client; it is needed by several 107 * functions (such as pcap_setfilter()) to know whether they have 108 * to use the socket or have to open the local adapter. 109 */ 110 int rmt_clientside; 111 112 SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */ 113 SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */ 114 int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */ 115 int rmt_capstarted; /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */ 116 char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */ 117 118 uint8 protocol_version; /* negotiated protocol version */ 119 120 unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */ 121 122 /* 123 * This keeps the number of packets that have been received by the 124 * application. 125 * 126 * Packets dropped by the kernel buffer are not counted in this 127 * variable. It is always equal to (TotAccepted - TotDrops), 128 * except for the case of remote capture, in which we have also 129 * packets in flight, i.e. that have been transmitted by the remote 130 * host, but that have not been received (yet) from the client. 131 * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a 132 * wrong result, since this number does not corresponds always to 133 * the number of packet received by the application. For this reason, 134 * in the remote capture we need another variable that takes into 135 * account of the number of packets actually received by the 136 * application. 137 */ 138 unsigned int TotCapt; 139 140 struct pcap_stat stat; 141 /* XXX */ 142 struct pcap *next; /* list of open pcaps that need stuff cleared on close */ 143 }; 144 145 /**************************************************** 146 * * 147 * Locally defined functions * 148 * * 149 ****************************************************/ 150 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode); 151 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog); 152 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog); 153 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog); 154 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter); 155 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog); 156 static int pcap_setsampling_remote(pcap_t *fp); 157 static int pcap_startcapture_remote(pcap_t *fp); 158 static int rpcap_sendauth(SOCKET sock, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf); 159 static int rpcap_recv_msg_header(SOCKET sock, struct rpcap_header *header, char *errbuf); 160 static int rpcap_check_msg_ver(SOCKET sock, uint8 expected_ver, struct rpcap_header *header, char *errbuf); 161 static int rpcap_check_msg_type(SOCKET sock, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf); 162 static int rpcap_process_msg_header(SOCKET sock, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf); 163 static int rpcap_recv(SOCKET sock, void *buffer, size_t toread, uint32 *plen, char *errbuf); 164 static void rpcap_msg_err(SOCKET sockctrl, uint32 plen, char *remote_errbuf); 165 static int rpcap_discard(SOCKET sock, uint32 len, char *errbuf); 166 static int rpcap_read_packet_msg(SOCKET sock, pcap_t *p, size_t size); 167 168 /**************************************************** 169 * * 170 * Function bodies * 171 * * 172 ****************************************************/ 173 174 /* 175 * This function translates (i.e. de-serializes) a 'rpcap_sockaddr' 176 * structure from the network byte order to a 'sockaddr_in" or 177 * 'sockaddr_in6' structure in the host byte order. 178 * 179 * It accepts an 'rpcap_sockaddr' structure as it is received from the 180 * network, and checks the address family field against various values 181 * to see whether it looks like an IPv4 address, an IPv6 address, or 182 * neither of those. It checks for multiple values in order to try 183 * to handle older rpcap daemons that sent the native OS's 'sockaddr_in' 184 * or 'sockaddr_in6' structures over the wire with some members 185 * byte-swapped, and to handle the fact that AF_INET6 has different 186 * values on different OSes. 187 * 188 * For IPv4 addresses, it converts the address family to host byte 189 * order from network byte order and puts it into the structure, 190 * sets the length if a sockaddr structure has a length, converts the 191 * port number to host byte order from network byte order and puts 192 * it into the structure, copies over the IPv4 address, and zeroes 193 * out the zero padding. 194 * 195 * For IPv6 addresses, it converts the address family to host byte 196 * order from network byte order and puts it into the structure, 197 * sets the length if a sockaddr structure has a length, converts the 198 * port number and flow information to host byte order from network 199 * byte order and puts them into the structure, copies over the IPv6 200 * address, and converts the scope ID to host byte order from network 201 * byte order and puts it into the structure. 202 * 203 * The function will allocate the 'sockaddrout' variable according to the 204 * address family in use. In case the address does not belong to the 205 * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a 206 * NULL pointer is returned. This usually happens because that address 207 * does not exist on the other host, or is of an address family other 208 * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage' 209 * structure containing all 'zero' values. 210 * 211 * Older RPCAPDs sent the addresses over the wire in the OS's native 212 * structure format. For most OSes, this looks like the over-the-wire 213 * format, but might have a different value for AF_INET6 than the value 214 * on the machine receiving the reply. For OSes with the newer BSD-style 215 * sockaddr structures, this has, instead of a 2-byte address family, 216 * a 1-byte structure length followed by a 1-byte address family. The 217 * RPCAPD code would put the address family in network byte order before 218 * sending it; that would set it to 0 on a little-endian machine, as 219 * htons() of any value between 1 and 255 would result in a value > 255, 220 * with its lower 8 bits zero, so putting that back into a 1-byte field 221 * would set it to 0. 222 * 223 * Therefore, for older RPCAPDs running on an OS with newer BSD-style 224 * sockaddr structures, the family field, if treated as a big-endian 225 * (network byte order) 16-bit field, would be: 226 * 227 * (length << 8) | family if sent by a big-endian machine 228 * (length << 8) if sent by a little-endian machine 229 * 230 * For current RPCAPDs, and for older RPCAPDs running on an OS with 231 * older BSD-style sockaddr structures, the family field, if treated 232 * as a big-endian 16-bit field, would just contain the family. 233 * 234 * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has 235 * to be de-serialized. 236 * 237 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain 238 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'. 239 * This variable will be allocated automatically inside this function. 240 * 241 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE) 242 * that will contain the error message (in case there is one). 243 * 244 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error 245 * can be only the fact that the malloc() failed to allocate memory. 246 * The error message is returned in the 'errbuf' variable, while the deserialized address 247 * is returned into the 'sockaddrout' variable. 248 * 249 * \warning This function supports only AF_INET and AF_INET6 address families. 250 * 251 * \warning The sockaddrout (if not NULL) must be deallocated by the user. 252 */ 253 254 /* 255 * Possible IPv4 family values other than the designated over-the-wire value, 256 * which is 2 (because everybody uses 2 for AF_INET4). 257 */ 258 #define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */ 259 #define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */ 260 #define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2) 261 #define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8) 262 263 /* 264 * Possible IPv6 family values other than the designated over-the-wire value, 265 * which is 23 (because that's what Windows uses, and most RPCAP servers 266 * out there are probably running Windows, as WinPcap includes the server 267 * but few if any UN*Xes build and ship it). 268 * 269 * The new BSD sockaddr structure format was in place before 4.4-Lite, so 270 * all the free-software BSDs use it. 271 */ 272 #define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */ 273 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */ 274 #define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */ 275 #define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8) 276 #define LINUX_AF_INET6 10 277 #define HPUX_AF_INET6 22 278 #define AIX_AF_INET6 24 279 #define SOLARIS_AF_INET6 26 280 281 static int 282 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf) 283 { 284 /* Warning: we support only AF_INET and AF_INET6 */ 285 switch (ntohs(sockaddrin->family)) 286 { 287 case RPCAP_AF_INET: 288 case NEW_BSD_AF_INET_BE: 289 case NEW_BSD_AF_INET_LE: 290 { 291 struct rpcap_sockaddr_in *sockaddrin_ipv4; 292 struct sockaddr_in *sockaddrout_ipv4; 293 294 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in)); 295 if ((*sockaddrout) == NULL) 296 { 297 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 298 errno, "malloc() failed"); 299 return -1; 300 } 301 sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin; 302 sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout); 303 sockaddrout_ipv4->sin_family = AF_INET; 304 sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port); 305 memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr)); 306 memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero)); 307 break; 308 } 309 310 #ifdef AF_INET6 311 case RPCAP_AF_INET6: 312 case NEW_BSD_AF_INET6_BSD_BE: 313 case NEW_BSD_AF_INET6_FREEBSD_BE: 314 case NEW_BSD_AF_INET6_DARWIN_BE: 315 case NEW_BSD_AF_INET6_LE: 316 case LINUX_AF_INET6: 317 case HPUX_AF_INET6: 318 case AIX_AF_INET6: 319 case SOLARIS_AF_INET6: 320 { 321 struct rpcap_sockaddr_in6 *sockaddrin_ipv6; 322 struct sockaddr_in6 *sockaddrout_ipv6; 323 324 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6)); 325 if ((*sockaddrout) == NULL) 326 { 327 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 328 errno, "malloc() failed"); 329 return -1; 330 } 331 sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin; 332 sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout); 333 sockaddrout_ipv6->sin6_family = AF_INET6; 334 sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port); 335 sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo); 336 memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr)); 337 sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id); 338 break; 339 } 340 #endif 341 342 default: 343 /* 344 * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't 345 * support AF_INET6, it's not AF_INET). 346 */ 347 *sockaddrout = NULL; 348 break; 349 } 350 return 0; 351 } 352 353 /* 354 * This function reads a packet from the network socket. It does not 355 * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence 356 * the "nocb" string into its name). 357 * 358 * This function is called by pcap_read_rpcap(). 359 * 360 * WARNING: By choice, this function does not make use of semaphores. A smarter 361 * implementation should put a semaphore into the data thread, and a signal will 362 * be raised as soon as there is data into the socket buffer. 363 * However this is complicated and it does not bring any advantages when reading 364 * from the network, in which network delays can be much more important than 365 * these optimizations. Therefore, we chose the following approach: 366 * - the 'timeout' chosen by the user is split in two (half on the server side, 367 * with the usual meaning, and half on the client side) 368 * - this function checks for packets; if there are no packets, it waits for 369 * timeout/2 and then it checks again. If packets are still missing, it returns, 370 * otherwise it reads packets. 371 */ 372 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data) 373 { 374 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */ 375 struct rpcap_header *header; /* general header according to the RPCAP format */ 376 struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */ 377 u_char *net_pkt_data; /* packet data from the message */ 378 uint32 plen; 379 int retval; /* generic return value */ 380 int msglen; 381 382 /* Structures needed for the select() call */ 383 struct timeval tv; /* maximum time the select() can block waiting for data */ 384 fd_set rfds; /* set of socket descriptors we have to check */ 385 386 /* 387 * Define the packet buffer timeout, to be used in the select() 388 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec 389 */ 390 tv.tv_sec = p->opt.timeout / 1000; 391 tv.tv_usec = (p->opt.timeout - tv.tv_sec * 1000) * 1000; 392 393 /* Watch out sockdata to see if it has input */ 394 FD_ZERO(&rfds); 395 396 /* 397 * 'fp->rmt_sockdata' has always to be set before calling the select(), 398 * since it is cleared by the select() 399 */ 400 FD_SET(pr->rmt_sockdata, &rfds); 401 402 retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv); 403 if (retval == -1) 404 { 405 #ifndef _WIN32 406 if (errno == EINTR) 407 { 408 /* Interrupted. */ 409 return 0; 410 } 411 #endif 412 sock_geterror("select(): ", p->errbuf, PCAP_ERRBUF_SIZE); 413 return -1; 414 } 415 416 /* There is no data waiting, so return '0' */ 417 if (retval == 0) 418 return 0; 419 420 /* 421 * We have to define 'header' as a pointer to a larger buffer, 422 * because in case of UDP we have to read all the message within a single call 423 */ 424 header = (struct rpcap_header *) p->buffer; 425 net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header)); 426 net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr); 427 428 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) 429 { 430 /* Read the entire message from the network */ 431 msglen = sock_recv_dgram(pr->rmt_sockdata, p->buffer, 432 p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE); 433 if (msglen == -1) 434 { 435 /* Network error. */ 436 return -1; 437 } 438 if (msglen == -3) 439 { 440 /* Interrupted receive. */ 441 return 0; 442 } 443 if ((size_t)msglen < sizeof(struct rpcap_header)) 444 { 445 /* 446 * Message is shorter than an rpcap header. 447 */ 448 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 449 "UDP packet message is shorter than an rpcap header"); 450 return -1; 451 } 452 plen = ntohl(header->plen); 453 if ((size_t)msglen < sizeof(struct rpcap_header) + plen) 454 { 455 /* 456 * Message is shorter than the header claims it 457 * is. 458 */ 459 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 460 "UDP packet message is shorter than its rpcap header claims"); 461 return -1; 462 } 463 } 464 else 465 { 466 int status; 467 468 if ((size_t)p->cc < sizeof(struct rpcap_header)) 469 { 470 /* 471 * We haven't read any of the packet header yet. 472 * The size we should get is the size of the 473 * packet header. 474 */ 475 status = rpcap_read_packet_msg(pr->rmt_sockdata, p, 476 sizeof(struct rpcap_header)); 477 if (status == -1) 478 { 479 /* Network error. */ 480 return -1; 481 } 482 if (status == -3) 483 { 484 /* Interrupted receive. */ 485 return 0; 486 } 487 } 488 489 /* 490 * We have the header, so we know how long the 491 * message payload is. The size we should get 492 * is the size of the packet header plus the 493 * size of the payload. 494 */ 495 plen = ntohl(header->plen); 496 if (plen > p->bufsize - sizeof(struct rpcap_header)) 497 { 498 /* 499 * This is bigger than the largest 500 * record we'd expect. (We do it by 501 * subtracting in order to avoid an 502 * overflow.) 503 */ 504 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 505 "Server sent us a message larger than the largest expected packet message"); 506 return -1; 507 } 508 status = rpcap_read_packet_msg(pr->rmt_sockdata, p, 509 sizeof(struct rpcap_header) + plen); 510 if (status == -1) 511 { 512 /* Network error. */ 513 return -1; 514 } 515 if (status == -3) 516 { 517 /* Interrupted receive. */ 518 return 0; 519 } 520 521 /* 522 * We have the entire message; reset the buffer pointer 523 * and count, as the next read should start a new 524 * message. 525 */ 526 p->bp = p->buffer; 527 p->cc = 0; 528 } 529 530 /* 531 * We have the entire message. 532 */ 533 header->plen = plen; 534 535 /* 536 * Did the server specify the version we negotiated? 537 */ 538 if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->protocol_version, 539 header, p->errbuf) == -1) 540 { 541 return 0; /* Return 'no packets received' */ 542 } 543 544 /* 545 * Is this a RPCAP_MSG_PACKET message? 546 */ 547 if (header->type != RPCAP_MSG_PACKET) 548 { 549 return 0; /* Return 'no packets received' */ 550 } 551 552 if (ntohl(net_pkt_header->caplen) > plen) 553 { 554 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 555 "Packet's captured data goes past the end of the received packet message."); 556 return -1; 557 } 558 559 /* Fill in packet header */ 560 pkt_header->caplen = ntohl(net_pkt_header->caplen); 561 pkt_header->len = ntohl(net_pkt_header->len); 562 pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec); 563 pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec); 564 565 /* Supply a pointer to the beginning of the packet data */ 566 *pkt_data = net_pkt_data; 567 568 /* 569 * I don't update the counter of the packets dropped by the network since we're using TCP, 570 * therefore no packets are dropped. Just update the number of packets received correctly 571 */ 572 pr->TotCapt++; 573 574 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) 575 { 576 unsigned int npkt; 577 578 /* We're using UDP, so we need to update the counter of the packets dropped by the network */ 579 npkt = ntohl(net_pkt_header->npkt); 580 581 if (pr->TotCapt != npkt) 582 { 583 pr->TotNetDrops += (npkt - pr->TotCapt); 584 pr->TotCapt = npkt; 585 } 586 } 587 588 /* Packet read successfully */ 589 return 1; 590 } 591 592 /* 593 * This function reads a packet from the network socket. 594 * 595 * This function relies on the pcap_read_nocb_remote to deliver packets. The 596 * difference, here, is that as soon as a packet is read, it is delivered 597 * to the application by means of a callback function. 598 */ 599 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 600 { 601 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */ 602 struct pcap_pkthdr pkt_header; 603 u_char *pkt_data; 604 int n = 0; 605 int ret; 606 607 /* 608 * If this is client-side, and we haven't already started 609 * the capture, start it now. 610 */ 611 if (pr->rmt_clientside) 612 { 613 /* We are on an remote capture */ 614 if (!pr->rmt_capstarted) 615 { 616 /* 617 * The capture isn't started yet, so try to 618 * start it. 619 */ 620 if (pcap_startcapture_remote(p)) 621 return -1; 622 } 623 } 624 625 while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt)) 626 { 627 /* 628 * Has "pcap_breakloop()" been called? 629 */ 630 if (p->break_loop) { 631 /* 632 * Yes - clear the flag that indicates that it 633 * has, and return PCAP_ERROR_BREAK to indicate 634 * that we were told to break out of the loop. 635 */ 636 p->break_loop = 0; 637 return (PCAP_ERROR_BREAK); 638 } 639 640 /* 641 * Read some packets. 642 */ 643 ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data); 644 if (ret == 1) 645 { 646 /* 647 * We got a packet. Hand it to the callback 648 * and count it so we can return the count. 649 */ 650 (*callback)(user, &pkt_header, pkt_data); 651 n++; 652 } 653 else if (ret == -1) 654 { 655 /* Error. */ 656 return ret; 657 } 658 else 659 { 660 /* 661 * No packet; this could mean that we timed 662 * out, or that we got interrupted, or that 663 * we got a bad packet. 664 * 665 * Were we told to break out of the loop? 666 */ 667 if (p->break_loop) { 668 /* 669 * Yes. 670 */ 671 p->break_loop = 0; 672 return (PCAP_ERROR_BREAK); 673 } 674 /* No - return the number of packets we've processed. */ 675 return n; 676 } 677 } 678 return n; 679 } 680 681 /* 682 * This function sends a CLOSE command to the capture server. 683 * 684 * It is called when the user calls pcap_close(). It sends a command 685 * to our peer that says 'ok, let's stop capturing'. 686 * 687 * WARNING: Since we're closing the connection, we do not check for errors. 688 */ 689 static void pcap_cleanup_rpcap(pcap_t *fp) 690 { 691 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 692 struct rpcap_header header; /* header of the RPCAP packet */ 693 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */ 694 int active = 0; /* active mode or not? */ 695 696 /* detect if we're in active mode */ 697 temp = activeHosts; 698 while (temp) 699 { 700 if (temp->sockctrl == pr->rmt_sockctrl) 701 { 702 active = 1; 703 break; 704 } 705 temp = temp->next; 706 } 707 708 if (!active) 709 { 710 rpcap_createhdr(&header, pr->protocol_version, 711 RPCAP_MSG_CLOSE, 0, 0); 712 713 /* 714 * Send the close request; don't report any errors, as 715 * we're closing this pcap_t, and have no place to report 716 * the error. No reply is sent to this message. 717 */ 718 (void)sock_send(pr->rmt_sockctrl, (char *)&header, 719 sizeof(struct rpcap_header), NULL, 0); 720 } 721 else 722 { 723 rpcap_createhdr(&header, pr->protocol_version, 724 RPCAP_MSG_ENDCAP_REQ, 0, 0); 725 726 /* 727 * Send the end capture request; don't report any errors, 728 * as we're closing this pcap_t, and have no place to 729 * report the error. 730 */ 731 if (sock_send(pr->rmt_sockctrl, (char *)&header, 732 sizeof(struct rpcap_header), NULL, 0) == 0) 733 { 734 /* 735 * Wait for the answer; don't report any errors, 736 * as we're closing this pcap_t, and have no 737 * place to report the error. 738 */ 739 if (rpcap_process_msg_header(pr->rmt_sockctrl, 740 pr->protocol_version, RPCAP_MSG_ENDCAP_REQ, 741 &header, NULL) == 0) 742 { 743 (void)rpcap_discard(pr->rmt_sockctrl, 744 header.plen, NULL); 745 } 746 } 747 } 748 749 if (pr->rmt_sockdata) 750 { 751 sock_close(pr->rmt_sockdata, NULL, 0); 752 pr->rmt_sockdata = 0; 753 } 754 755 if ((!active) && (pr->rmt_sockctrl)) 756 sock_close(pr->rmt_sockctrl, NULL, 0); 757 758 pr->rmt_sockctrl = 0; 759 760 if (pr->currentfilter) 761 { 762 free(pr->currentfilter); 763 pr->currentfilter = NULL; 764 } 765 766 /* To avoid inconsistencies in the number of sock_init() */ 767 sock_cleanup(); 768 } 769 770 /* 771 * This function retrieves network statistics from our peer; 772 * it provides only the standard statistics. 773 */ 774 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps) 775 { 776 struct pcap_stat *retval; 777 778 retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD); 779 780 if (retval) 781 return 0; 782 else 783 return -1; 784 } 785 786 #ifdef _WIN32 787 /* 788 * This function retrieves network statistics from our peer; 789 * it provides the additional statistics supported by pcap_stats_ex(). 790 */ 791 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size) 792 { 793 *pcap_stat_size = sizeof (p->stat); 794 795 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */ 796 return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX)); 797 } 798 #endif 799 800 /* 801 * This function retrieves network statistics from our peer. It 802 * is used by the two previous functions. 803 * 804 * It can be called in two modes: 805 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e., 806 * for pcap_stats()) 807 * - PCAP_STATS_EX: if we want extended statistics (i.e., for 808 * pcap_stats_ex()) 809 * 810 * This 'mode' parameter is needed because in pcap_stats() the variable that 811 * keeps the statistics is allocated by the user. On Windows, this structure 812 * has been extended in order to keep new stats. However, if the user has a 813 * smaller structure and it passes it to pcap_stats(), this function will 814 * try to fill in more data than the size of the structure, so that memory 815 * after the structure will be overwritten. 816 * 817 * So, we need to know it we have to copy just the standard fields, or the 818 * extended fields as well. 819 * 820 * In case we want to copy the extended fields as well, the problem of 821 * memory overflow no longer exists because the structure that's filled 822 * in is part of the pcap_t, so that it can be guaranteed to be large 823 * enough for the additional statistics. 824 * 825 * \param p: the pcap_t structure related to the current instance. 826 * 827 * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility 828 * with pcap_stat(), where the structure is allocated by the user. In case 829 * of pcap_stats_ex(), this structure and the function return value point 830 * to the same variable. 831 * 832 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX. 833 * 834 * \return The structure that keeps the statistics, or NULL in case of error. 835 * The error string is placed in the pcap_t structure. 836 */ 837 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode) 838 { 839 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */ 840 struct rpcap_header header; /* header of the RPCAP packet */ 841 struct rpcap_stats netstats; /* statistics sent on the network */ 842 uint32 plen; /* data remaining in the message */ 843 844 #ifdef _WIN32 845 if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX) 846 #else 847 if (mode != PCAP_STATS_STANDARD) 848 #endif 849 { 850 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 851 "Invalid stats mode %d", mode); 852 return NULL; 853 } 854 855 /* 856 * If the capture has not yet started, we cannot request statistics 857 * for the capture from our peer, so we return 0 for all statistics, 858 * as nothing's been seen yet. 859 */ 860 if (!pr->rmt_capstarted) 861 { 862 ps->ps_drop = 0; 863 ps->ps_ifdrop = 0; 864 ps->ps_recv = 0; 865 #ifdef _WIN32 866 if (mode == PCAP_STATS_EX) 867 { 868 ps->ps_capt = 0; 869 ps->ps_sent = 0; 870 ps->ps_netdrop = 0; 871 } 872 #endif /* _WIN32 */ 873 874 return ps; 875 } 876 877 rpcap_createhdr(&header, pr->protocol_version, 878 RPCAP_MSG_STATS_REQ, 0, 0); 879 880 /* Send the PCAP_STATS command */ 881 if (sock_send(pr->rmt_sockctrl, (char *)&header, 882 sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0) 883 return NULL; /* Unrecoverable network error */ 884 885 /* Receive and process the reply message header. */ 886 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version, 887 RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1) 888 return NULL; /* Error */ 889 890 plen = header.plen; 891 892 /* Read the reply body */ 893 if (rpcap_recv(pr->rmt_sockctrl, (char *)&netstats, 894 sizeof(struct rpcap_stats), &plen, p->errbuf) == -1) 895 goto error; 896 897 ps->ps_drop = ntohl(netstats.krnldrop); 898 ps->ps_ifdrop = ntohl(netstats.ifdrop); 899 ps->ps_recv = ntohl(netstats.ifrecv); 900 #ifdef _WIN32 901 if (mode == PCAP_STATS_EX) 902 { 903 ps->ps_capt = pr->TotCapt; 904 ps->ps_netdrop = pr->TotNetDrops; 905 ps->ps_sent = ntohl(netstats.svrcapt); 906 } 907 #endif /* _WIN32 */ 908 909 /* Discard the rest of the message. */ 910 if (rpcap_discard(pr->rmt_sockctrl, plen, p->errbuf) == -1) 911 goto error_nodiscard; 912 913 return ps; 914 915 error: 916 /* 917 * Discard the rest of the message. 918 * We already reported an error; if this gets an error, just 919 * drive on. 920 */ 921 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL); 922 923 error_nodiscard: 924 return NULL; 925 } 926 927 /* 928 * This function returns the entry in the list of active hosts for this 929 * active connection (active mode only), or NULL if there is no 930 * active connection or an error occurred. It is just for internal 931 * use. 932 * 933 * \param host: a string that keeps the host name of the host for which we 934 * want to get the socket ID for that active connection. 935 * 936 * \param error: a pointer to an int that is set to 1 if an error occurred 937 * and 0 otherwise. 938 * 939 * \param errbuf: a pointer to a user-allocated buffer (of size 940 * PCAP_ERRBUF_SIZE) that will contain the error message (in case 941 * there is one). 942 * 943 * \return the entry for this host in the list of active connections 944 * if found, NULL if it's not found or there's an error. 945 */ 946 static struct activehosts * 947 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf) 948 { 949 struct activehosts *temp; /* temp var needed to scan the host list chain */ 950 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */ 951 int retval; 952 953 /* retrieve the network address corresponding to 'host' */ 954 addrinfo = NULL; 955 memset(&hints, 0, sizeof(struct addrinfo)); 956 hints.ai_family = PF_UNSPEC; 957 hints.ai_socktype = SOCK_STREAM; 958 959 retval = getaddrinfo(host, "0", &hints, &addrinfo); 960 if (retval != 0) 961 { 962 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s", 963 gai_strerror(retval)); 964 *error = 1; 965 return NULL; 966 } 967 968 temp = activeHosts; 969 970 while (temp) 971 { 972 ai_next = addrinfo; 973 while (ai_next) 974 { 975 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0) 976 { 977 *error = 0; 978 freeaddrinfo(addrinfo); 979 return temp; 980 } 981 982 ai_next = ai_next->ai_next; 983 } 984 temp = temp->next; 985 } 986 987 if (addrinfo) 988 freeaddrinfo(addrinfo); 989 990 /* 991 * The host for which you want to get the socket ID does not have an 992 * active connection. 993 */ 994 *error = 0; 995 return NULL; 996 } 997 998 /* 999 * This function starts a remote capture. 1000 * 1001 * This function is required since the RPCAP protocol decouples the 'open' 1002 * from the 'start capture' functions. 1003 * This function takes all the parameters needed (which have been stored 1004 * into the pcap_t structure) and sends them to the server. 1005 * 1006 * \param fp: the pcap_t descriptor of the device currently open. 1007 * 1008 * \return '0' if everything is fine, '-1' otherwise. The error message 1009 * (if one) is returned into the 'errbuf' field of the pcap_t structure. 1010 */ 1011 static int pcap_startcapture_remote(pcap_t *fp) 1012 { 1013 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 1014 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */ 1015 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */ 1016 char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the data connection */ 1017 uint32 plen; 1018 int active = 0; /* '1' if we're in active mode */ 1019 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */ 1020 char host[INET6_ADDRSTRLEN + 1]; /* numeric name of the other host */ 1021 1022 /* socket-related variables*/ 1023 struct addrinfo hints; /* temp, needed to open a socket connection */ 1024 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */ 1025 SOCKET sockdata = 0; /* socket descriptor of the data connection */ 1026 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */ 1027 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */ 1028 int ai_family; /* temp, keeps the address family used by the control connection */ 1029 1030 /* RPCAP-related variables*/ 1031 struct rpcap_header header; /* header of the RPCAP packet */ 1032 struct rpcap_startcapreq *startcapreq; /* start capture request message */ 1033 struct rpcap_startcapreply startcapreply; /* start capture reply message */ 1034 1035 /* Variables related to the buffer setting */ 1036 int res; 1037 socklen_t itemp; 1038 int sockbufsize = 0; 1039 uint32 server_sockbufsize; 1040 1041 /* 1042 * Let's check if sampling has been required. 1043 * If so, let's set it first 1044 */ 1045 if (pcap_setsampling_remote(fp) != 0) 1046 return -1; 1047 1048 /* detect if we're in active mode */ 1049 temp = activeHosts; 1050 while (temp) 1051 { 1052 if (temp->sockctrl == pr->rmt_sockctrl) 1053 { 1054 active = 1; 1055 break; 1056 } 1057 temp = temp->next; 1058 } 1059 1060 addrinfo = NULL; 1061 1062 /* 1063 * Gets the complete sockaddr structure used in the ctrl connection 1064 * This is needed to get the address family of the control socket 1065 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct, 1066 * since the ctrl socket can already be open in case of active mode; 1067 * so I would have to call getpeername() anyway 1068 */ 1069 saddrlen = sizeof(struct sockaddr_storage); 1070 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1) 1071 { 1072 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1073 goto error_nodiscard; 1074 } 1075 ai_family = ((struct sockaddr_storage *) &saddr)->ss_family; 1076 1077 /* Get the numeric address of the remote host we are connected to */ 1078 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host, 1079 sizeof(host), NULL, 0, NI_NUMERICHOST)) 1080 { 1081 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1082 goto error_nodiscard; 1083 } 1084 1085 /* 1086 * Data connection is opened by the server toward the client if: 1087 * - we're using TCP, and the user wants us to be in active mode 1088 * - we're using UDP 1089 */ 1090 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)) 1091 { 1092 /* 1093 * We have to create a new socket to receive packets 1094 * We have to do that immediately, since we have to tell the other 1095 * end which network port we picked up 1096 */ 1097 memset(&hints, 0, sizeof(struct addrinfo)); 1098 /* TEMP addrinfo is NULL in case of active */ 1099 hints.ai_family = ai_family; /* Use the same address family of the control socket */ 1100 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM; 1101 hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */ 1102 1103 /* Let's the server pick up a free network port for us */ 1104 if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1) 1105 goto error_nodiscard; 1106 1107 if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER, 1108 1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) 1109 goto error_nodiscard; 1110 1111 /* addrinfo is no longer used */ 1112 freeaddrinfo(addrinfo); 1113 addrinfo = NULL; 1114 1115 /* get the complete sockaddr structure used in the data connection */ 1116 saddrlen = sizeof(struct sockaddr_storage); 1117 if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1) 1118 { 1119 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1120 goto error_nodiscard; 1121 } 1122 1123 /* Get the local port the system picked up */ 1124 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 1125 0, portdata, sizeof(portdata), NI_NUMERICSERV)) 1126 { 1127 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1128 goto error_nodiscard; 1129 } 1130 } 1131 1132 /* 1133 * Now it's time to start playing with the RPCAP protocol 1134 * RPCAP start capture command: create the request message 1135 */ 1136 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, 1137 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1138 goto error_nodiscard; 1139 1140 rpcap_createhdr((struct rpcap_header *) sendbuf, 1141 pr->protocol_version, RPCAP_MSG_STARTCAP_REQ, 0, 1142 sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn)); 1143 1144 /* Fill the structure needed to open an adapter remotely */ 1145 startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx]; 1146 1147 if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL, 1148 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1149 goto error_nodiscard; 1150 1151 memset(startcapreq, 0, sizeof(struct rpcap_startcapreq)); 1152 1153 /* By default, apply half the timeout on one side, half of the other */ 1154 fp->opt.timeout = fp->opt.timeout / 2; 1155 startcapreq->read_timeout = htonl(fp->opt.timeout); 1156 1157 /* portdata on the openreq is meaningful only if we're in active mode */ 1158 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)) 1159 { 1160 sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */ 1161 startcapreq->portdata = htons(startcapreq->portdata); 1162 } 1163 1164 startcapreq->snaplen = htonl(fp->snapshot); 1165 startcapreq->flags = 0; 1166 1167 if (pr->rmt_flags & PCAP_OPENFLAG_PROMISCUOUS) 1168 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC; 1169 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) 1170 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM; 1171 if (active) 1172 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN; 1173 1174 startcapreq->flags = htons(startcapreq->flags); 1175 1176 /* Pack the capture filter */ 1177 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode)) 1178 goto error_nodiscard; 1179 1180 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf, 1181 PCAP_ERRBUF_SIZE) < 0) 1182 goto error_nodiscard; 1183 1184 /* Receive and process the reply message header. */ 1185 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version, 1186 RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1) 1187 goto error_nodiscard; 1188 1189 plen = header.plen; 1190 1191 if (rpcap_recv(pr->rmt_sockctrl, (char *)&startcapreply, 1192 sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1) 1193 goto error; 1194 1195 /* 1196 * In case of UDP data stream, the connection is always opened by the daemon 1197 * So, this case is already covered by the code above. 1198 * Now, we have still to handle TCP connections, because: 1199 * - if we're in active mode, we have to wait for a remote connection 1200 * - if we're in passive more, we have to start a connection 1201 * 1202 * We have to do he job in two steps because in case we're opening a TCP connection, we have 1203 * to tell the port we're using to the remote side; in case we're accepting a TCP 1204 * connection, we have to wait this info from the remote side. 1205 */ 1206 if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)) 1207 { 1208 if (!active) 1209 { 1210 memset(&hints, 0, sizeof(struct addrinfo)); 1211 hints.ai_family = ai_family; /* Use the same address family of the control socket */ 1212 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM; 1213 pcap_snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata)); 1214 1215 /* Let's the server pick up a free network port for us */ 1216 if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1) 1217 goto error; 1218 1219 if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) 1220 goto error; 1221 1222 /* addrinfo is no longer used */ 1223 freeaddrinfo(addrinfo); 1224 addrinfo = NULL; 1225 } 1226 else 1227 { 1228 SOCKET socktemp; /* We need another socket, since we're going to accept() a connection */ 1229 1230 /* Connection creation */ 1231 saddrlen = sizeof(struct sockaddr_storage); 1232 1233 socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen); 1234 1235 if (socktemp == INVALID_SOCKET) 1236 { 1237 sock_geterror("accept(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1238 goto error; 1239 } 1240 1241 /* Now that I accepted the connection, the server socket is no longer needed */ 1242 sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE); 1243 sockdata = socktemp; 1244 } 1245 } 1246 1247 /* Let's save the socket of the data connection */ 1248 pr->rmt_sockdata = sockdata; 1249 1250 /* 1251 * Set the size of the socket buffer for the data socket. 1252 * It has the same size as the local capture buffer used 1253 * on the other side of the connection. 1254 */ 1255 server_sockbufsize = ntohl(startcapreply.bufsize); 1256 1257 /* Let's get the actual size of the socket buffer */ 1258 itemp = sizeof(sockbufsize); 1259 1260 res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp); 1261 if (res == -1) 1262 { 1263 sock_geterror("pcap_startcapture_remote()", fp->errbuf, PCAP_ERRBUF_SIZE); 1264 SOCK_DEBUG_MESSAGE(fp->errbuf); 1265 } 1266 1267 /* 1268 * Warning: on some kernels (e.g. Linux), the size of the user 1269 * buffer does not take into account the pcap_header and such, 1270 * and it is set equal to the snaplen. 1271 * 1272 * In my view, this is wrong (the meaning of the bufsize became 1273 * a bit strange). So, here bufsize is the whole size of the 1274 * user buffer. In case the bufsize returned is too small, 1275 * let's adjust it accordingly. 1276 */ 1277 if (server_sockbufsize <= (u_int) fp->snapshot) 1278 server_sockbufsize += sizeof(struct pcap_pkthdr); 1279 1280 /* if the current socket buffer is smaller than the desired one */ 1281 if ((u_int) sockbufsize < server_sockbufsize) 1282 { 1283 /* 1284 * Loop until the buffer size is OK or the original 1285 * socket buffer size is larger than this one. 1286 */ 1287 for (;;) 1288 { 1289 res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, 1290 (char *)&(server_sockbufsize), 1291 sizeof(server_sockbufsize)); 1292 1293 if (res == 0) 1294 break; 1295 1296 /* 1297 * If something goes wrong, halve the buffer size 1298 * (checking that it does not become smaller than 1299 * the current one). 1300 */ 1301 server_sockbufsize /= 2; 1302 1303 if ((u_int) sockbufsize >= server_sockbufsize) 1304 { 1305 server_sockbufsize = sockbufsize; 1306 break; 1307 } 1308 } 1309 } 1310 1311 /* 1312 * Let's allocate the packet; this is required in order to put 1313 * the packet somewhere when extracting data from the socket. 1314 * Since buffering has already been done in the socket buffer, 1315 * here we need just a buffer whose size is equal to the 1316 * largest possible packet message for the snapshot size, 1317 * namely the length of the message header plus the length 1318 * of the packet header plus the snapshot length. 1319 */ 1320 fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot; 1321 1322 fp->buffer = (u_char *)malloc(fp->bufsize); 1323 if (fp->buffer == NULL) 1324 { 1325 pcap_fmt_errmsg_for_errno(fp->errbuf, PCAP_ERRBUF_SIZE, 1326 errno, "malloc"); 1327 goto error; 1328 } 1329 1330 /* 1331 * The buffer is currently empty. 1332 */ 1333 fp->bp = fp->buffer; 1334 fp->cc = 0; 1335 1336 /* Discard the rest of the message. */ 1337 if (rpcap_discard(pr->rmt_sockctrl, plen, fp->errbuf) == -1) 1338 goto error_nodiscard; 1339 1340 /* 1341 * In case the user does not want to capture RPCAP packets, let's update the filter 1342 * We have to update it here (instead of sending it into the 'StartCapture' message 1343 * because when we generate the 'start capture' we do not know (yet) all the ports 1344 * we're currently using. 1345 */ 1346 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP) 1347 { 1348 struct bpf_program fcode; 1349 1350 if (pcap_createfilter_norpcappkt(fp, &fcode) == -1) 1351 goto error; 1352 1353 /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */ 1354 /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */ 1355 if (pcap_updatefilter_remote(fp, &fcode) == -1) 1356 goto error; 1357 1358 pcap_freecode(&fcode); 1359 } 1360 1361 pr->rmt_capstarted = 1; 1362 return 0; 1363 1364 error: 1365 /* 1366 * When the connection has been established, we have to close it. So, at the 1367 * beginning of this function, if an error occur we return immediately with 1368 * a return NULL; when the connection is established, we have to come here 1369 * ('goto error;') in order to close everything properly. 1370 */ 1371 1372 /* 1373 * Discard the rest of the message. 1374 * We already reported an error; if this gets an error, just 1375 * drive on. 1376 */ 1377 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL); 1378 1379 error_nodiscard: 1380 if ((sockdata) && (sockdata != -1)) /* we can be here because sockdata said 'error' */ 1381 sock_close(sockdata, NULL, 0); 1382 1383 if (!active) 1384 sock_close(pr->rmt_sockctrl, NULL, 0); 1385 1386 if (addrinfo != NULL) 1387 freeaddrinfo(addrinfo); 1388 1389 /* 1390 * We do not have to call pcap_close() here, because this function is always called 1391 * by the user in case something bad happens 1392 */ 1393 #if 0 1394 if (fp) 1395 { 1396 pcap_close(fp); 1397 fp= NULL; 1398 } 1399 #endif 1400 1401 return -1; 1402 } 1403 1404 /* 1405 * This function takes a bpf program and sends it to the other host. 1406 * 1407 * This function can be called in two cases: 1408 * - pcap_startcapture_remote() is called (we have to send the filter 1409 * along with the 'start capture' command) 1410 * - we want to udpate the filter during a capture (i.e. pcap_setfilter() 1411 * after the capture has been started) 1412 * 1413 * This function serializes the filter into the sending buffer ('sendbuf', 1414 * passed as a parameter) and return back. It does not send anything on 1415 * the network. 1416 * 1417 * \param fp: the pcap_t descriptor of the device currently opened. 1418 * 1419 * \param sendbuf: the buffer on which the serialized data has to copied. 1420 * 1421 * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer. 1422 * 1423 * \param prog: the bpf program we have to copy. 1424 * 1425 * \return '0' if everything is fine, '-1' otherwise. The error message (if one) 1426 * is returned into the 'errbuf' field of the pcap_t structure. 1427 */ 1428 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog) 1429 { 1430 struct rpcap_filter *filter; 1431 struct rpcap_filterbpf_insn *insn; 1432 struct bpf_insn *bf_insn; 1433 struct bpf_program fake_prog; /* To be used just in case the user forgot to set a filter */ 1434 unsigned int i; 1435 1436 if (prog->bf_len == 0) /* No filters have been specified; so, let's apply a "fake" filter */ 1437 { 1438 if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1) 1439 return -1; 1440 1441 prog = &fake_prog; 1442 } 1443 1444 filter = (struct rpcap_filter *) sendbuf; 1445 1446 if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx, 1447 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1448 return -1; 1449 1450 filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF); 1451 filter->nitems = htonl((int32)prog->bf_len); 1452 1453 if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn), 1454 NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1455 return -1; 1456 1457 insn = (struct rpcap_filterbpf_insn *) (filter + 1); 1458 bf_insn = prog->bf_insns; 1459 1460 for (i = 0; i < prog->bf_len; i++) 1461 { 1462 insn->code = htons(bf_insn->code); 1463 insn->jf = bf_insn->jf; 1464 insn->jt = bf_insn->jt; 1465 insn->k = htonl(bf_insn->k); 1466 1467 insn++; 1468 bf_insn++; 1469 } 1470 1471 return 0; 1472 } 1473 1474 /* 1475 * This function updates a filter on a remote host. 1476 * 1477 * It is called when the user wants to update a filter. 1478 * In case we're capturing from the network, it sends the filter to our 1479 * peer. 1480 * This function is *not* called automatically when the user calls 1481 * pcap_setfilter(). 1482 * There will be two cases: 1483 * - the capture has been started: in this case, pcap_setfilter_rpcap() 1484 * calls pcap_updatefilter_remote() 1485 * - the capture has not started yet: in this case, pcap_setfilter_rpcap() 1486 * stores the filter into the pcap_t structure, and then the filter is 1487 * sent with pcap_startcap(). 1488 * 1489 * WARNING This function *does not* clear the packet currently into the 1490 * buffers. Therefore, the user has to expect to receive some packets 1491 * that are related to the previous filter. If you want to discard all 1492 * the packets before applying a new filter, you have to close the 1493 * current capture session and start a new one. 1494 * 1495 * XXX - we really should have pcap_setfilter() always discard packets 1496 * received with the old filter, and have a separate pcap_setfilter_noflush() 1497 * function that doesn't discard any packets. 1498 */ 1499 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog) 1500 { 1501 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 1502 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */ 1503 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */ 1504 struct rpcap_header header; /* To keep the reply message */ 1505 1506 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx, 1507 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1508 return -1; 1509 1510 rpcap_createhdr((struct rpcap_header *) sendbuf, 1511 pr->protocol_version, RPCAP_MSG_UPDATEFILTER_REQ, 0, 1512 sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn)); 1513 1514 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog)) 1515 return -1; 1516 1517 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf, 1518 PCAP_ERRBUF_SIZE) < 0) 1519 return -1; 1520 1521 /* Receive and process the reply message header. */ 1522 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version, 1523 RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1) 1524 return -1; 1525 1526 /* 1527 * It shouldn't have any contents; discard it if it does. 1528 */ 1529 if (rpcap_discard(pr->rmt_sockctrl, header.plen, fp->errbuf) == -1) 1530 return -1; 1531 1532 return 0; 1533 } 1534 1535 static void 1536 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter) 1537 { 1538 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 1539 1540 /* 1541 * Check if: 1542 * - We are on an remote capture 1543 * - we do not want to capture RPCAP traffic 1544 * 1545 * If so, we have to save the current filter, because we have to 1546 * add some piece of stuff later 1547 */ 1548 if (pr->rmt_clientside && 1549 (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)) 1550 { 1551 if (pr->currentfilter) 1552 free(pr->currentfilter); 1553 1554 if (filter == NULL) 1555 filter = ""; 1556 1557 pr->currentfilter = strdup(filter); 1558 } 1559 } 1560 1561 /* 1562 * This function sends a filter to a remote host. 1563 * 1564 * This function is called when the user wants to set a filter. 1565 * It sends the filter to our peer. 1566 * This function is called automatically when the user calls pcap_setfilter(). 1567 * 1568 * Parameters and return values are exactly the same of pcap_setfilter(). 1569 */ 1570 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog) 1571 { 1572 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 1573 1574 if (!pr->rmt_capstarted) 1575 { 1576 /* copy filter into the pcap_t structure */ 1577 if (install_bpf_program(fp, prog) == -1) 1578 return -1; 1579 return 0; 1580 } 1581 1582 /* we have to update a filter during run-time */ 1583 if (pcap_updatefilter_remote(fp, prog)) 1584 return -1; 1585 1586 return 0; 1587 } 1588 1589 /* 1590 * This function updates the current filter in order not to capture rpcap 1591 * packets. 1592 * 1593 * This function is called *only* when the user wants exclude RPCAP packets 1594 * related to the current session from the captured packets. 1595 * 1596 * \return '0' if everything is fine, '-1' otherwise. The error message (if one) 1597 * is returned into the 'errbuf' field of the pcap_t structure. 1598 */ 1599 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog) 1600 { 1601 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 1602 int RetVal = 0; 1603 1604 /* We do not want to capture our RPCAP traffic. So, let's update the filter */ 1605 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP) 1606 { 1607 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */ 1608 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */ 1609 char myaddress[128]; 1610 char myctrlport[128]; 1611 char mydataport[128]; 1612 char peeraddress[128]; 1613 char peerctrlport[128]; 1614 char *newfilter; 1615 const int newstringsize = 1024; 1616 size_t currentfiltersize; 1617 1618 /* Get the name/port of our peer */ 1619 saddrlen = sizeof(struct sockaddr_storage); 1620 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1) 1621 { 1622 sock_geterror("getpeername(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1623 return -1; 1624 } 1625 1626 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress, 1627 sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV)) 1628 { 1629 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1630 return -1; 1631 } 1632 1633 /* We cannot check the data port, because this is available only in case of TCP sockets */ 1634 /* Get the name/port of the current host */ 1635 if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1) 1636 { 1637 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1638 return -1; 1639 } 1640 1641 /* Get the local port the system picked up */ 1642 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress, 1643 sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV)) 1644 { 1645 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1646 return -1; 1647 } 1648 1649 /* Let's now check the data port */ 1650 if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1) 1651 { 1652 sock_geterror("getsockname(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1653 return -1; 1654 } 1655 1656 /* Get the local port the system picked up */ 1657 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV)) 1658 { 1659 sock_geterror("getnameinfo(): ", fp->errbuf, PCAP_ERRBUF_SIZE); 1660 return -1; 1661 } 1662 1663 currentfiltersize = pr->currentfilter ? strlen(pr->currentfilter) : 0; 1664 1665 newfilter = (char *)malloc(currentfiltersize + newstringsize + 1); 1666 1667 if (currentfiltersize) 1668 { 1669 pcap_snprintf(newfilter, currentfiltersize + newstringsize, 1670 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)", 1671 pr->currentfilter, myaddress, peeraddress, myctrlport, peerctrlport, myaddress, peeraddress, mydataport); 1672 } 1673 else 1674 { 1675 pcap_snprintf(newfilter, currentfiltersize + newstringsize, 1676 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)", 1677 myaddress, peeraddress, myctrlport, peerctrlport, myaddress, peeraddress, mydataport); 1678 } 1679 1680 newfilter[currentfiltersize + newstringsize] = 0; 1681 1682 /* 1683 * This is only an hack to prevent the save_current_filter 1684 * routine, which will be called when we call pcap_compile(), 1685 * from saving the modified filter. 1686 */ 1687 pr->rmt_clientside = 0; 1688 1689 if (pcap_compile(fp, prog, newfilter, 1, 0) == -1) 1690 RetVal = -1; 1691 1692 /* Undo the hack. */ 1693 pr->rmt_clientside = 1; 1694 1695 free(newfilter); 1696 } 1697 1698 return RetVal; 1699 } 1700 1701 /* 1702 * This function sets sampling parameters in the remote host. 1703 * 1704 * It is called when the user wants to set activate sampling on the 1705 * remote host. 1706 * 1707 * Sampling parameters are defined into the 'pcap_t' structure. 1708 * 1709 * \param p: the pcap_t descriptor of the device currently opened. 1710 * 1711 * \return '0' if everything is OK, '-1' is something goes wrong. The 1712 * error message is returned in the 'errbuf' member of the pcap_t structure. 1713 */ 1714 static int pcap_setsampling_remote(pcap_t *fp) 1715 { 1716 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */ 1717 char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */ 1718 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */ 1719 struct rpcap_header header; /* To keep the reply message */ 1720 struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */ 1721 1722 /* If no samping is requested, return 'ok' */ 1723 if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP) 1724 return 0; 1725 1726 /* 1727 * Check for sampling parameters that don't fit in a message. 1728 * We'll let the server complain about invalid parameters 1729 * that do fit into the message. 1730 */ 1731 if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) { 1732 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE, 1733 "Invalid sampling method %d", fp->rmt_samp.method); 1734 return -1; 1735 } 1736 if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) { 1737 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE, 1738 "Invalid sampling value %d", fp->rmt_samp.value); 1739 return -1; 1740 } 1741 1742 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, 1743 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1744 return -1; 1745 1746 rpcap_createhdr((struct rpcap_header *) sendbuf, 1747 pr->protocol_version, RPCAP_MSG_SETSAMPLING_REQ, 0, 1748 sizeof(struct rpcap_sampling)); 1749 1750 /* Fill the structure needed to open an adapter remotely */ 1751 sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx]; 1752 1753 if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL, 1754 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE)) 1755 return -1; 1756 1757 memset(sampling_pars, 0, sizeof(struct rpcap_sampling)); 1758 1759 sampling_pars->method = (uint8)fp->rmt_samp.method; 1760 sampling_pars->value = (uint16)htonl(fp->rmt_samp.value); 1761 1762 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf, 1763 PCAP_ERRBUF_SIZE) < 0) 1764 return -1; 1765 1766 /* Receive and process the reply message header. */ 1767 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version, 1768 RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1) 1769 return -1; 1770 1771 /* 1772 * It shouldn't have any contents; discard it if it does. 1773 */ 1774 if (rpcap_discard(pr->rmt_sockctrl, header.plen, fp->errbuf) == -1) 1775 return -1; 1776 1777 return 0; 1778 } 1779 1780 /********************************************************* 1781 * * 1782 * Miscellaneous functions * 1783 * * 1784 *********************************************************/ 1785 1786 /* 1787 * This function performs authentication and protocol version 1788 * negotiation. It first tries to authenticate with the maximum 1789 * version we support and, if that fails with an "I don't support 1790 * that version" error from the server, and the version number in 1791 * the reply from the server is one we support, tries again with 1792 * that version. 1793 * 1794 * \param sock: the socket we are currently using. 1795 * 1796 * \param ver: pointer to variable holding protocol version number to send 1797 * and to set to the protocol version number in the reply. 1798 * 1799 * \param auth: authentication parameters that have to be sent. 1800 * 1801 * \param errbuf: a pointer to a user-allocated buffer (of size 1802 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there 1803 * is one). It could be a network problem or the fact that the authorization 1804 * failed. 1805 * 1806 * \return '0' if everything is fine, '-1' for an error. For errors, 1807 * an error message string is returned in the 'errbuf' variable. 1808 */ 1809 static int rpcap_doauth(SOCKET sockctrl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf) 1810 { 1811 int status; 1812 1813 /* 1814 * Send authentication to the remote machine. 1815 * 1816 * First try with the maximum version number we support. 1817 */ 1818 *ver = RPCAP_MAX_VERSION; 1819 status = rpcap_sendauth(sockctrl, ver, auth, errbuf); 1820 if (status == 0) 1821 { 1822 // 1823 // Success. 1824 // 1825 return 0; 1826 } 1827 if (status == -1) 1828 { 1829 /* Unrecoverable error. */ 1830 return -1; 1831 } 1832 1833 /* 1834 * The server doesn't support the version we used in the initial 1835 * message, and it sent us back a reply either with the maximum 1836 * version they do support, or with the version we sent, and we 1837 * support that version. *ver has been set to that version; try 1838 * authenticating again with that version. 1839 */ 1840 status = rpcap_sendauth(sockctrl, ver, auth, errbuf); 1841 if (status == 0) 1842 { 1843 // 1844 // Success. 1845 // 1846 return 0; 1847 } 1848 if (status == -1) 1849 { 1850 /* Unrecoverable error. */ 1851 return -1; 1852 } 1853 if (status == -2) 1854 { 1855 /* 1856 * The server doesn't support that version, which 1857 * means there is no version we both support, so 1858 * this is a fatal error. 1859 */ 1860 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The server doesn't support any protocol version that we support"); 1861 return -1; 1862 } 1863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "rpcap_sendauth() returned %d", status); 1864 return -1; 1865 } 1866 1867 /* 1868 * This function sends the authentication message. 1869 * 1870 * It sends the authentication parameters on the control socket. 1871 * It is required in order to open the connection with the other end party. 1872 * 1873 * \param sock: the socket we are currently using. 1874 * 1875 * \param ver: pointer to variable holding protocol version number to send 1876 * and to set to the protocol version number in the reply. 1877 * 1878 * \param auth: authentication parameters that have to be sent. 1879 * 1880 * \param errbuf: a pointer to a user-allocated buffer (of size 1881 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there 1882 * is one). It could be a network problem or the fact that the authorization 1883 * failed. 1884 * 1885 * \return '0' if everything is fine, '-2' if the server didn't reply with 1886 * the protocol version we requested but replied with a version we do 1887 * support, or '-1' for other errors. For errors, an error message string 1888 * is returned in the 'errbuf' variable. 1889 */ 1890 static int rpcap_sendauth(SOCKET sock, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf) 1891 { 1892 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */ 1893 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */ 1894 uint16 length; /* length of the payload of this message */ 1895 uint16 errcode; 1896 struct rpcap_auth *rpauth; 1897 uint16 auth_type; 1898 struct rpcap_header header; 1899 size_t str_length; 1900 1901 if (auth) 1902 { 1903 switch (auth->type) 1904 { 1905 case RPCAP_RMTAUTH_NULL: 1906 length = sizeof(struct rpcap_auth); 1907 break; 1908 1909 case RPCAP_RMTAUTH_PWD: 1910 length = sizeof(struct rpcap_auth); 1911 if (auth->username) 1912 { 1913 str_length = strlen(auth->username); 1914 if (str_length > 65535) 1915 { 1916 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)"); 1917 return -1; 1918 } 1919 length += (uint16)str_length; 1920 } 1921 if (auth->password) 1922 { 1923 str_length = strlen(auth->password); 1924 if (str_length > 65535) 1925 { 1926 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)"); 1927 return -1; 1928 } 1929 length += (uint16)str_length; 1930 } 1931 break; 1932 1933 default: 1934 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized."); 1935 return -1; 1936 } 1937 1938 auth_type = (uint16)auth->type; 1939 } 1940 else 1941 { 1942 auth_type = RPCAP_RMTAUTH_NULL; 1943 length = sizeof(struct rpcap_auth); 1944 } 1945 1946 1947 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, 1948 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE)) 1949 return -1; 1950 1951 rpcap_createhdr((struct rpcap_header *) sendbuf, *ver, 1952 RPCAP_MSG_AUTH_REQ, 0, length); 1953 1954 rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx]; 1955 1956 if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL, 1957 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE)) 1958 return -1; 1959 1960 memset(rpauth, 0, sizeof(struct rpcap_auth)); 1961 1962 rpauth->type = htons(auth_type); 1963 1964 if (auth_type == RPCAP_RMTAUTH_PWD) 1965 { 1966 if (auth->username) 1967 rpauth->slen1 = (uint16)strlen(auth->username); 1968 else 1969 rpauth->slen1 = 0; 1970 1971 if (sock_bufferize(auth->username, rpauth->slen1, sendbuf, 1972 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE)) 1973 return -1; 1974 1975 if (auth->password) 1976 rpauth->slen2 = (uint16)strlen(auth->password); 1977 else 1978 rpauth->slen2 = 0; 1979 1980 if (sock_bufferize(auth->password, rpauth->slen2, sendbuf, 1981 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE)) 1982 return -1; 1983 1984 rpauth->slen1 = htons(rpauth->slen1); 1985 rpauth->slen2 = htons(rpauth->slen2); 1986 } 1987 1988 if (sock_send(sock, sendbuf, sendbufidx, errbuf, PCAP_ERRBUF_SIZE) < 0) 1989 return -1; 1990 1991 /* Receive the reply */ 1992 if (rpcap_recv_msg_header(sock, &header, errbuf) == -1) 1993 return -1; 1994 1995 if (rpcap_check_msg_type(sock, RPCAP_MSG_AUTH_REQ, &header, 1996 &errcode, errbuf) == -1) 1997 { 1998 /* Error message - or something else, which is a protocol error. */ 1999 if (header.type == RPCAP_MSG_ERROR && 2000 errcode == PCAP_ERR_WRONGVER) 2001 { 2002 /* 2003 * The server didn't support the version we sent, 2004 * and replied with the maximum version it supports 2005 * if our version was too big or with the version 2006 * we sent if out version was too small. 2007 * 2008 * Do we also support it? 2009 */ 2010 if (!RPCAP_VERSION_IS_SUPPORTED(header.ver)) 2011 { 2012 /* 2013 * No, so there's no version we both support. 2014 * This is an unrecoverable error. 2015 */ 2016 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The server doesn't support any protocol version that we support"); 2017 return -1; 2018 } 2019 2020 /* 2021 * OK, use that version, and tell our caller to 2022 * try again. 2023 */ 2024 *ver = header.ver; 2025 return -2; 2026 } 2027 2028 /* 2029 * Other error - unrecoverable. 2030 */ 2031 return -1; 2032 } 2033 2034 /* 2035 * OK, it's an authentication reply, so they're OK with the 2036 * protocol version we sent. 2037 * 2038 * Discard the rest of it. 2039 */ 2040 if (rpcap_discard(sock, header.plen, errbuf) == -1) 2041 return -1; 2042 2043 return 0; 2044 } 2045 2046 /* We don't currently support non-blocking mode. */ 2047 static int 2048 pcap_getnonblock_rpcap(pcap_t *p) 2049 { 2050 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2051 "Non-blocking mode isn't supported for capturing remotely with rpcap"); 2052 return (-1); 2053 } 2054 2055 static int 2056 pcap_setnonblock_rpcap(pcap_t *p, int nonblock _U_) 2057 { 2058 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2059 "Non-blocking mode isn't supported for capturing remotely with rpcap"); 2060 return (-1); 2061 } 2062 2063 /* 2064 * This function opens a remote adapter by opening an RPCAP connection and 2065 * so on. 2066 * 2067 * It does the job of pcap_open_live() for a remote interface; it's called 2068 * by pcap_open() for remote interfaces. 2069 * 2070 * We do not start the capture until pcap_startcapture_remote() is called. 2071 * 2072 * This is because, when doing a remote capture, we cannot start capturing 2073 * data as soon as the 'open adapter' command is sent. Suppose the remote 2074 * adapter is already overloaded; if we start a capture (which, by default, 2075 * has a NULL filter) the new traffic can saturate the network. 2076 * 2077 * Instead, we want to "open" the adapter, then send a "start capture" 2078 * command only when we're ready to start the capture. 2079 * This function does this job: it sends an "open adapter" command 2080 * (according to the RPCAP protocol), but it does not start the capture. 2081 * 2082 * Since the other libpcap functions do not share this way of life, we 2083 * have to do some dirty things in order to make everything work. 2084 * 2085 * \param source: see pcap_open(). 2086 * \param snaplen: see pcap_open(). 2087 * \param flags: see pcap_open(). 2088 * \param read_timeout: see pcap_open(). 2089 * \param auth: see pcap_open(). 2090 * \param errbuf: see pcap_open(). 2091 * 2092 * \return a pcap_t pointer in case of success, NULL otherwise. In case of 2093 * success, the pcap_t pointer can be used as a parameter to the following 2094 * calls (pcap_compile() and so on). In case of problems, errbuf contains 2095 * a text explanation of error. 2096 * 2097 * WARNING: In case we call pcap_compile() and the capture has not yet 2098 * been started, the filter will be saved into the pcap_t structure, 2099 * and it will be sent to the other host later (when 2100 * pcap_startcapture_remote() is called). 2101 */ 2102 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf) 2103 { 2104 pcap_t *fp; 2105 char *source_str; 2106 struct pcap_rpcap *pr; /* structure used when doing a remote live capture */ 2107 char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE]; 2108 struct activehosts *activeconn; /* active connection, if there is one */ 2109 int error; /* '1' if rpcap_remoteact_getsock returned an error */ 2110 SOCKET sockctrl; 2111 uint8 protocol_version; /* negotiated protocol version */ 2112 int active; 2113 uint32 plen; 2114 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */ 2115 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */ 2116 int retval; /* store the return value of the functions */ 2117 2118 /* RPCAP-related variables */ 2119 struct rpcap_header header; /* header of the RPCAP packet */ 2120 struct rpcap_openreply openreply; /* open reply message */ 2121 2122 fp = pcap_create_common(errbuf, sizeof (struct pcap_rpcap)); 2123 if (fp == NULL) 2124 { 2125 return NULL; 2126 } 2127 source_str = strdup(source); 2128 if (source_str == NULL) { 2129 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 2130 errno, "malloc"); 2131 return NULL; 2132 } 2133 2134 /* 2135 * Turn a negative snapshot value (invalid), a snapshot value of 2136 * 0 (unspecified), or a value bigger than the normal maximum 2137 * value, into the maximum allowed value. 2138 * 2139 * If some application really *needs* a bigger snapshot 2140 * length, we should just increase MAXIMUM_SNAPLEN. 2141 * 2142 * XXX - should we leave this up to the remote server to 2143 * do? 2144 */ 2145 if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN) 2146 snaplen = MAXIMUM_SNAPLEN; 2147 2148 fp->opt.device = source_str; 2149 fp->snapshot = snaplen; 2150 fp->opt.timeout = read_timeout; 2151 pr = fp->priv; 2152 pr->rmt_flags = flags; 2153 2154 /* 2155 * determine the type of the source (NULL, file, local, remote) 2156 * You must have a valid source string even if we're in active mode, because otherwise 2157 * the call to the following function will fail. 2158 */ 2159 if (pcap_parsesrcstr(fp->opt.device, &retval, host, ctrlport, iface, errbuf) == -1) 2160 { 2161 pcap_close(fp); 2162 return NULL; 2163 } 2164 2165 if (retval != PCAP_SRC_IFREMOTE) 2166 { 2167 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "This function is able to open only remote interfaces"); 2168 pcap_close(fp); 2169 return NULL; 2170 } 2171 2172 /* 2173 * Warning: this call can be the first one called by the user. 2174 * For this reason, we have to initialize the WinSock support. 2175 */ 2176 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1) 2177 { 2178 pcap_close(fp); 2179 return NULL; 2180 } 2181 2182 /* Check for active mode */ 2183 activeconn = rpcap_remoteact_getsock(host, &error, errbuf); 2184 if (activeconn != NULL) 2185 { 2186 sockctrl = activeconn->sockctrl; 2187 protocol_version = activeconn->protocol_version; 2188 active = 1; 2189 } 2190 else 2191 { 2192 struct addrinfo hints; /* temp, needed to open a socket connection */ 2193 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */ 2194 2195 if (error) 2196 { 2197 /* 2198 * Call failed. 2199 */ 2200 pcap_close(fp); 2201 return NULL; 2202 } 2203 2204 /* 2205 * We're not in active mode; let's try to open a new 2206 * control connection. 2207 */ 2208 memset(&hints, 0, sizeof(struct addrinfo)); 2209 hints.ai_family = PF_UNSPEC; 2210 hints.ai_socktype = SOCK_STREAM; 2211 2212 if (ctrlport[0] == 0) 2213 { 2214 /* the user chose not to specify the port */ 2215 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) 2216 { 2217 pcap_close(fp); 2218 return NULL; 2219 } 2220 } 2221 else 2222 { 2223 if (sock_initaddress(host, ctrlport, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) 2224 { 2225 pcap_close(fp); 2226 return NULL; 2227 } 2228 } 2229 2230 if ((sockctrl = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) 2231 { 2232 freeaddrinfo(addrinfo); 2233 pcap_close(fp); 2234 return NULL; 2235 } 2236 2237 /* addrinfo is no longer used */ 2238 freeaddrinfo(addrinfo); 2239 2240 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1) 2241 { 2242 sock_close(sockctrl, NULL, 0); 2243 pcap_close(fp); 2244 return NULL; 2245 } 2246 active = 0; 2247 } 2248 2249 /* 2250 * Now it's time to start playing with the RPCAP protocol 2251 * RPCAP open command: create the request message 2252 */ 2253 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, 2254 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE)) 2255 goto error_nodiscard; 2256 2257 rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version, 2258 RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface)); 2259 2260 if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx, 2261 RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE)) 2262 goto error_nodiscard; 2263 2264 if (sock_send(sockctrl, sendbuf, sendbufidx, errbuf, 2265 PCAP_ERRBUF_SIZE) < 0) 2266 goto error_nodiscard; 2267 2268 /* Receive and process the reply message header. */ 2269 if (rpcap_process_msg_header(sockctrl, protocol_version, 2270 RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1) 2271 goto error_nodiscard; 2272 plen = header.plen; 2273 2274 /* Read the reply body */ 2275 if (rpcap_recv(sockctrl, (char *)&openreply, 2276 sizeof(struct rpcap_openreply), &plen, errbuf) == -1) 2277 goto error; 2278 2279 /* Discard the rest of the message, if there is any. */ 2280 if (rpcap_discard(pr->rmt_sockctrl, plen, errbuf) == -1) 2281 goto error_nodiscard; 2282 2283 /* Set proper fields into the pcap_t struct */ 2284 fp->linktype = ntohl(openreply.linktype); 2285 fp->tzoff = ntohl(openreply.tzoff); 2286 pr->rmt_sockctrl = sockctrl; 2287 pr->protocol_version = protocol_version; 2288 pr->rmt_clientside = 1; 2289 2290 /* This code is duplicated from the end of this function */ 2291 fp->read_op = pcap_read_rpcap; 2292 fp->save_current_filter_op = pcap_save_current_filter_rpcap; 2293 fp->setfilter_op = pcap_setfilter_rpcap; 2294 fp->getnonblock_op = pcap_getnonblock_rpcap; 2295 fp->setnonblock_op = pcap_setnonblock_rpcap; 2296 fp->stats_op = pcap_stats_rpcap; 2297 #ifdef _WIN32 2298 fp->stats_ex_op = pcap_stats_ex_rpcap; 2299 #endif 2300 fp->cleanup_op = pcap_cleanup_rpcap; 2301 2302 fp->activated = 1; 2303 return fp; 2304 2305 error: 2306 /* 2307 * When the connection has been established, we have to close it. So, at the 2308 * beginning of this function, if an error occur we return immediately with 2309 * a return NULL; when the connection is established, we have to come here 2310 * ('goto error;') in order to close everything properly. 2311 */ 2312 2313 /* 2314 * Discard the rest of the message. 2315 * We already reported an error; if this gets an error, just 2316 * drive on. 2317 */ 2318 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL); 2319 2320 error_nodiscard: 2321 if (!active) 2322 sock_close(sockctrl, NULL, 0); 2323 2324 pcap_close(fp); 2325 return NULL; 2326 } 2327 2328 /* String identifier to be used in the pcap_findalldevs_ex() */ 2329 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter" 2330 /* String identifier to be used in the pcap_findalldevs_ex() */ 2331 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node" 2332 2333 static void 2334 freeaddr(struct pcap_addr *addr) 2335 { 2336 free(addr->addr); 2337 free(addr->netmask); 2338 free(addr->broadaddr); 2339 free(addr->dstaddr); 2340 free(addr); 2341 } 2342 2343 int 2344 pcap_findalldevs_ex_remote(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf) 2345 { 2346 struct activehosts *activeconn; /* active connection, if there is one */ 2347 int error; /* '1' if rpcap_remoteact_getsock returned an error */ 2348 uint8 protocol_version; /* protocol version */ 2349 SOCKET sockctrl; /* socket descriptor of the control connection */ 2350 uint32 plen; 2351 struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */ 2352 int i, j; /* temp variables */ 2353 int nif; /* Number of interfaces listed */ 2354 int active; /* 'true' if we the other end-party is in active mode */ 2355 int type; 2356 char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE]; 2357 char tmpstring[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */ 2358 pcap_if_t *lastdev; /* Last device in the pcap_if_t list */ 2359 pcap_if_t *dev; /* Device we're adding to the pcap_if_t list */ 2360 2361 /* List starts out empty. */ 2362 (*alldevs) = NULL; 2363 lastdev = NULL; 2364 2365 /* Retrieve the needed data for getting adapter list */ 2366 if (pcap_parsesrcstr(source, &type, host, port, NULL, errbuf) == -1) 2367 return -1; 2368 2369 /* Warning: this call can be the first one called by the user. */ 2370 /* For this reason, we have to initialize the WinSock support. */ 2371 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1) 2372 return -1; 2373 2374 /* Check for active mode */ 2375 activeconn = rpcap_remoteact_getsock(host, &error, errbuf); 2376 if (activeconn != NULL) 2377 { 2378 sockctrl = activeconn->sockctrl; 2379 protocol_version = activeconn->protocol_version; 2380 active = 1; 2381 } 2382 else 2383 { 2384 struct addrinfo hints; /* temp variable needed to resolve hostnames into to socket representation */ 2385 struct addrinfo *addrinfo; /* temp variable needed to resolve hostnames into to socket representation */ 2386 2387 if (error) 2388 { 2389 /* 2390 * Call failed. 2391 */ 2392 return -1; 2393 } 2394 2395 /* 2396 * We're not in active mode; let's try to open a new 2397 * control connection. 2398 */ 2399 memset(&hints, 0, sizeof(struct addrinfo)); 2400 hints.ai_family = PF_UNSPEC; 2401 hints.ai_socktype = SOCK_STREAM; 2402 2403 if (port[0] == 0) 2404 { 2405 /* the user chose not to specify the port */ 2406 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) 2407 return -1; 2408 } 2409 else 2410 { 2411 if (sock_initaddress(host, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) 2412 return -1; 2413 } 2414 2415 if ((sockctrl = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) 2416 { 2417 freeaddrinfo(addrinfo); 2418 return -1; 2419 } 2420 2421 /* addrinfo is no longer used */ 2422 freeaddrinfo(addrinfo); 2423 addrinfo = NULL; 2424 2425 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1) 2426 { 2427 sock_close(sockctrl, NULL, 0); 2428 return -1; 2429 } 2430 active = 0; 2431 } 2432 2433 /* RPCAP findalldevs command */ 2434 rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ, 2435 0, 0); 2436 2437 if (sock_send(sockctrl, (char *)&header, sizeof(struct rpcap_header), 2438 errbuf, PCAP_ERRBUF_SIZE) < 0) 2439 goto error_nodiscard; 2440 2441 /* Receive and process the reply message header. */ 2442 if (rpcap_process_msg_header(sockctrl, protocol_version, 2443 RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1) 2444 goto error_nodiscard; 2445 2446 plen = header.plen; 2447 2448 /* read the number of interfaces */ 2449 nif = ntohs(header.value); 2450 2451 /* loop until all interfaces have been received */ 2452 for (i = 0; i < nif; i++) 2453 { 2454 struct rpcap_findalldevs_if findalldevs_if; 2455 char tmpstring2[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */ 2456 size_t stringlen; 2457 struct pcap_addr *addr, *prevaddr; 2458 2459 tmpstring2[PCAP_BUF_SIZE] = 0; 2460 2461 /* receive the findalldevs structure from remote host */ 2462 if (rpcap_recv(sockctrl, (char *)&findalldevs_if, 2463 sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1) 2464 goto error; 2465 2466 findalldevs_if.namelen = ntohs(findalldevs_if.namelen); 2467 findalldevs_if.desclen = ntohs(findalldevs_if.desclen); 2468 findalldevs_if.naddr = ntohs(findalldevs_if.naddr); 2469 2470 /* allocate the main structure */ 2471 dev = (pcap_if_t *)malloc(sizeof(pcap_if_t)); 2472 if (dev == NULL) 2473 { 2474 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 2475 errno, "malloc() failed"); 2476 goto error; 2477 } 2478 2479 /* Initialize the structure to 'zero' */ 2480 memset(dev, 0, sizeof(pcap_if_t)); 2481 2482 /* Append it to the list. */ 2483 if (lastdev == NULL) 2484 { 2485 /* 2486 * List is empty, so it's also the first device. 2487 */ 2488 *alldevs = dev; 2489 } 2490 else 2491 { 2492 /* 2493 * Append after the last device. 2494 */ 2495 lastdev->next = dev; 2496 } 2497 /* It's now the last device. */ 2498 lastdev = dev; 2499 2500 /* allocate mem for name and description */ 2501 if (findalldevs_if.namelen) 2502 { 2503 2504 if (findalldevs_if.namelen >= sizeof(tmpstring)) 2505 { 2506 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long"); 2507 goto error; 2508 } 2509 2510 /* Retrieve adapter name */ 2511 if (rpcap_recv(sockctrl, tmpstring, 2512 findalldevs_if.namelen, &plen, errbuf) == -1) 2513 goto error; 2514 2515 tmpstring[findalldevs_if.namelen] = 0; 2516 2517 /* Create the new device identifier */ 2518 if (pcap_createsrcstr(tmpstring2, PCAP_SRC_IFREMOTE, host, port, tmpstring, errbuf) == -1) 2519 return -1; 2520 2521 stringlen = strlen(tmpstring2); 2522 2523 dev->name = (char *)malloc(stringlen + 1); 2524 if (dev->name == NULL) 2525 { 2526 pcap_fmt_errmsg_for_errno(errbuf, 2527 PCAP_ERRBUF_SIZE, errno, "malloc() failed"); 2528 goto error; 2529 } 2530 2531 /* Copy the new device name into the correct memory location */ 2532 strlcpy(dev->name, tmpstring2, stringlen + 1); 2533 } 2534 2535 if (findalldevs_if.desclen) 2536 { 2537 if (findalldevs_if.desclen >= sizeof(tmpstring)) 2538 { 2539 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long"); 2540 goto error; 2541 } 2542 2543 /* Retrieve adapter description */ 2544 if (rpcap_recv(sockctrl, tmpstring, 2545 findalldevs_if.desclen, &plen, errbuf) == -1) 2546 goto error; 2547 2548 tmpstring[findalldevs_if.desclen] = 0; 2549 2550 pcap_snprintf(tmpstring2, sizeof(tmpstring2) - 1, "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER, 2551 tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host); 2552 2553 stringlen = strlen(tmpstring2); 2554 2555 dev->description = (char *)malloc(stringlen + 1); 2556 2557 if (dev->description == NULL) 2558 { 2559 pcap_fmt_errmsg_for_errno(errbuf, 2560 PCAP_ERRBUF_SIZE, errno, "malloc() failed"); 2561 goto error; 2562 } 2563 2564 /* Copy the new device description into the correct memory location */ 2565 strlcpy(dev->description, tmpstring2, stringlen + 1); 2566 } 2567 2568 dev->flags = ntohl(findalldevs_if.flags); 2569 2570 prevaddr = NULL; 2571 /* loop until all addresses have been received */ 2572 for (j = 0; j < findalldevs_if.naddr; j++) 2573 { 2574 struct rpcap_findalldevs_ifaddr ifaddr; 2575 2576 /* Retrieve the interface addresses */ 2577 if (rpcap_recv(sockctrl, (char *)&ifaddr, 2578 sizeof(struct rpcap_findalldevs_ifaddr), 2579 &plen, errbuf) == -1) 2580 goto error; 2581 2582 /* 2583 * Deserialize all the address components. 2584 */ 2585 addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr)); 2586 if (addr == NULL) 2587 { 2588 pcap_fmt_errmsg_for_errno(errbuf, 2589 PCAP_ERRBUF_SIZE, errno, "malloc() failed"); 2590 goto error; 2591 } 2592 addr->next = NULL; 2593 addr->addr = NULL; 2594 addr->netmask = NULL; 2595 addr->broadaddr = NULL; 2596 addr->dstaddr = NULL; 2597 2598 if (rpcap_deseraddr(&ifaddr.addr, 2599 (struct sockaddr_storage **) &addr->addr, errbuf) == -1) 2600 { 2601 freeaddr(addr); 2602 goto error; 2603 } 2604 if (rpcap_deseraddr(&ifaddr.netmask, 2605 (struct sockaddr_storage **) &addr->netmask, errbuf) == -1) 2606 { 2607 freeaddr(addr); 2608 goto error; 2609 } 2610 if (rpcap_deseraddr(&ifaddr.broadaddr, 2611 (struct sockaddr_storage **) &addr->broadaddr, errbuf) == -1) 2612 { 2613 freeaddr(addr); 2614 goto error; 2615 } 2616 if (rpcap_deseraddr(&ifaddr.dstaddr, 2617 (struct sockaddr_storage **) &addr->dstaddr, errbuf) == -1) 2618 { 2619 freeaddr(addr); 2620 goto error; 2621 } 2622 2623 if ((addr->addr == NULL) && (addr->netmask == NULL) && 2624 (addr->broadaddr == NULL) && (addr->dstaddr == NULL)) 2625 { 2626 /* 2627 * None of the addresses are IPv4 or IPv6 2628 * addresses, so throw this entry away. 2629 */ 2630 free(addr); 2631 } 2632 else 2633 { 2634 /* 2635 * Add this entry to the list. 2636 */ 2637 if (prevaddr == NULL) 2638 { 2639 dev->addresses = addr; 2640 } 2641 else 2642 { 2643 prevaddr->next = addr; 2644 } 2645 prevaddr = addr; 2646 } 2647 } 2648 } 2649 2650 /* Discard the rest of the message. */ 2651 if (rpcap_discard(sockctrl, plen, errbuf) == 1) 2652 goto error_nodiscard; 2653 2654 /* Control connection has to be closed only in case the remote machine is in passive mode */ 2655 if (!active) 2656 { 2657 /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */ 2658 if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE)) 2659 return -1; 2660 } 2661 2662 /* To avoid inconsistencies in the number of sock_init() */ 2663 sock_cleanup(); 2664 2665 return 0; 2666 2667 error: 2668 /* 2669 * In case there has been an error, I don't want to overwrite it with a new one 2670 * if the following call fails. I want to return always the original error. 2671 * 2672 * Take care: this connection can already be closed when we try to close it. 2673 * This happens because a previous error in the rpcapd, which requested to 2674 * closed the connection. In that case, we already recognized that into the 2675 * rpspck_isheaderok() and we already acknowledged the closing. 2676 * In that sense, this call is useless here (however it is needed in case 2677 * the client generates the error). 2678 * 2679 * Checks if all the data has been read; if not, discard the data in excess 2680 */ 2681 (void) rpcap_discard(sockctrl, plen, NULL); 2682 2683 error_nodiscard: 2684 /* Control connection has to be closed only in case the remote machine is in passive mode */ 2685 if (!active) 2686 sock_close(sockctrl, NULL, 0); 2687 2688 /* To avoid inconsistencies in the number of sock_init() */ 2689 sock_cleanup(); 2690 2691 /* Free whatever interfaces we've allocated. */ 2692 pcap_freealldevs(*alldevs); 2693 2694 return -1; 2695 } 2696 2697 /* 2698 * Active mode routines. 2699 * 2700 * The old libpcap API is somewhat ugly, and makes active mode difficult 2701 * to implement; we provide some APIs for it that work only with rpcap. 2702 */ 2703 2704 SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf) 2705 { 2706 /* socket-related variables */ 2707 struct addrinfo hints; /* temporary struct to keep settings needed to open the new socket */ 2708 struct addrinfo *addrinfo; /* keeps the addrinfo chain; required to open a new socket */ 2709 struct sockaddr_storage from; /* generic sockaddr_storage variable */ 2710 socklen_t fromlen; /* keeps the length of the sockaddr_storage variable */ 2711 SOCKET sockctrl; /* keeps the main socket identifier */ 2712 uint8 protocol_version; /* negotiated protocol version */ 2713 struct activehosts *temp, *prev; /* temp var needed to scan he host list chain */ 2714 2715 *connectinghost = 0; /* just in case */ 2716 2717 /* Prepare to open a new server socket */ 2718 memset(&hints, 0, sizeof(struct addrinfo)); 2719 /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6 */ 2720 hints.ai_family = AF_INET; /* PF_UNSPEC to have both IPv4 and IPv6 server */ 2721 hints.ai_flags = AI_PASSIVE; /* Ready to a bind() socket */ 2722 hints.ai_socktype = SOCK_STREAM; 2723 2724 /* Warning: this call can be the first one called by the user. */ 2725 /* For this reason, we have to initialize the WinSock support. */ 2726 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1) 2727 return (SOCKET)-1; 2728 2729 /* Do the work */ 2730 if ((port == NULL) || (port[0] == 0)) 2731 { 2732 if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) 2733 { 2734 SOCK_DEBUG_MESSAGE(errbuf); 2735 return (SOCKET)-2; 2736 } 2737 } 2738 else 2739 { 2740 if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1) 2741 { 2742 SOCK_DEBUG_MESSAGE(errbuf); 2743 return (SOCKET)-2; 2744 } 2745 } 2746 2747 2748 if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET) 2749 { 2750 SOCK_DEBUG_MESSAGE(errbuf); 2751 freeaddrinfo(addrinfo); 2752 return (SOCKET)-2; 2753 } 2754 freeaddrinfo(addrinfo); 2755 2756 /* Connection creation */ 2757 fromlen = sizeof(struct sockaddr_storage); 2758 2759 sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen); 2760 2761 /* We're not using sock_close, since we do not want to send a shutdown */ 2762 /* (which is not allowed on a non-connected socket) */ 2763 closesocket(sockmain); 2764 sockmain = 0; 2765 2766 if (sockctrl == INVALID_SOCKET) 2767 { 2768 sock_geterror("accept(): ", errbuf, PCAP_ERRBUF_SIZE); 2769 return (SOCKET)-2; 2770 } 2771 2772 /* Get the numeric for of the name of the connecting host */ 2773 if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST)) 2774 { 2775 sock_geterror("getnameinfo(): ", errbuf, PCAP_ERRBUF_SIZE); 2776 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL); 2777 sock_close(sockctrl, NULL, 0); 2778 return (SOCKET)-1; 2779 } 2780 2781 /* checks if the connecting host is among the ones allowed */ 2782 if (sock_check_hostlist((char *)hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0) 2783 { 2784 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL); 2785 sock_close(sockctrl, NULL, 0); 2786 return (SOCKET)-1; 2787 } 2788 2789 /* 2790 * Send authentication to the remote machine. 2791 */ 2792 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1) 2793 { 2794 /* Unrecoverable error. */ 2795 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL); 2796 sock_close(sockctrl, NULL, 0); 2797 return (SOCKET)-3; 2798 } 2799 2800 /* Checks that this host does not already have a cntrl connection in place */ 2801 2802 /* Initialize pointers */ 2803 temp = activeHosts; 2804 prev = NULL; 2805 2806 while (temp) 2807 { 2808 /* This host already has an active connection in place, so I don't have to update the host list */ 2809 if (sock_cmpaddr(&temp->host, &from) == 0) 2810 return sockctrl; 2811 2812 prev = temp; 2813 temp = temp->next; 2814 } 2815 2816 /* The host does not exist in the list; so I have to update the list */ 2817 if (prev) 2818 { 2819 prev->next = (struct activehosts *) malloc(sizeof(struct activehosts)); 2820 temp = prev->next; 2821 } 2822 else 2823 { 2824 activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts)); 2825 temp = activeHosts; 2826 } 2827 2828 if (temp == NULL) 2829 { 2830 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 2831 errno, "malloc() failed"); 2832 rpcap_senderror(sockctrl, protocol_version, PCAP_ERR_REMOTEACCEPT, errbuf, NULL); 2833 sock_close(sockctrl, NULL, 0); 2834 return (SOCKET)-1; 2835 } 2836 2837 memcpy(&temp->host, &from, fromlen); 2838 temp->sockctrl = sockctrl; 2839 temp->protocol_version = protocol_version; 2840 temp->next = NULL; 2841 2842 return sockctrl; 2843 } 2844 2845 int pcap_remoteact_close(const char *host, char *errbuf) 2846 { 2847 struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */ 2848 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */ 2849 int retval; 2850 2851 temp = activeHosts; 2852 prev = NULL; 2853 2854 /* retrieve the network address corresponding to 'host' */ 2855 addrinfo = NULL; 2856 memset(&hints, 0, sizeof(struct addrinfo)); 2857 hints.ai_family = PF_UNSPEC; 2858 hints.ai_socktype = SOCK_STREAM; 2859 2860 retval = getaddrinfo(host, "0", &hints, &addrinfo); 2861 if (retval != 0) 2862 { 2863 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s", gai_strerror(retval)); 2864 return -1; 2865 } 2866 2867 while (temp) 2868 { 2869 ai_next = addrinfo; 2870 while (ai_next) 2871 { 2872 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0) 2873 { 2874 struct rpcap_header header; 2875 int status = 0; 2876 2877 /* Close this connection */ 2878 rpcap_createhdr(&header, temp->protocol_version, 2879 RPCAP_MSG_CLOSE, 0, 0); 2880 2881 /* 2882 * Don't check for errors, since we're 2883 * just cleaning up. 2884 */ 2885 if (sock_send(temp->sockctrl, 2886 (char *)&header, 2887 sizeof(struct rpcap_header), errbuf, 2888 PCAP_ERRBUF_SIZE) < 0) 2889 { 2890 /* 2891 * Let that error be the one we 2892 * report. 2893 */ 2894 (void)sock_close(temp->sockctrl, NULL, 2895 0); 2896 status = -1; 2897 } 2898 else 2899 { 2900 if (sock_close(temp->sockctrl, errbuf, 2901 PCAP_ERRBUF_SIZE) == -1) 2902 status = -1; 2903 } 2904 2905 /* 2906 * Remove the host from the list of active 2907 * hosts. 2908 */ 2909 if (prev) 2910 prev->next = temp->next; 2911 else 2912 activeHosts = temp->next; 2913 2914 freeaddrinfo(addrinfo); 2915 2916 free(temp); 2917 2918 /* To avoid inconsistencies in the number of sock_init() */ 2919 sock_cleanup(); 2920 2921 return status; 2922 } 2923 2924 ai_next = ai_next->ai_next; 2925 } 2926 prev = temp; 2927 temp = temp->next; 2928 } 2929 2930 if (addrinfo) 2931 freeaddrinfo(addrinfo); 2932 2933 /* To avoid inconsistencies in the number of sock_init() */ 2934 sock_cleanup(); 2935 2936 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known"); 2937 return -1; 2938 } 2939 2940 void pcap_remoteact_cleanup(void) 2941 { 2942 /* Very dirty, but it works */ 2943 if (sockmain) 2944 { 2945 closesocket(sockmain); 2946 2947 /* To avoid inconsistencies in the number of sock_init() */ 2948 sock_cleanup(); 2949 } 2950 2951 } 2952 2953 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf) 2954 { 2955 struct activehosts *temp; /* temp var needed to scan the host list chain */ 2956 size_t len; 2957 char hoststr[RPCAP_HOSTLIST_SIZE + 1]; 2958 2959 temp = activeHosts; 2960 2961 len = 0; 2962 *hostlist = 0; 2963 2964 while (temp) 2965 { 2966 /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */ 2967 2968 /* Get the numeric form of the name of the connecting host */ 2969 if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr, 2970 RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1) 2971 /* if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */ 2972 /* RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */ 2973 { 2974 /* sock_geterror("getnameinfo(): ", errbuf, PCAP_ERRBUF_SIZE); */ 2975 return -1; 2976 } 2977 2978 len = len + strlen(hoststr) + 1 /* the separator */; 2979 2980 if ((size < 0) || (len >= (size_t)size)) 2981 { 2982 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep " 2983 "the hostnames for all the active connections"); 2984 return -1; 2985 } 2986 2987 strlcat(hostlist, hoststr, PCAP_ERRBUF_SIZE); 2988 hostlist[len - 1] = sep; 2989 hostlist[len] = 0; 2990 2991 temp = temp->next; 2992 } 2993 2994 return 0; 2995 } 2996 2997 /* 2998 * Receive the header of a message. 2999 */ 3000 static int rpcap_recv_msg_header(SOCKET sock, struct rpcap_header *header, char *errbuf) 3001 { 3002 int nrecv; 3003 3004 nrecv = sock_recv(sock, (char *) header, sizeof(struct rpcap_header), 3005 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, 3006 PCAP_ERRBUF_SIZE); 3007 if (nrecv == -1) 3008 { 3009 /* Network error. */ 3010 return -1; 3011 } 3012 header->plen = ntohl(header->plen); 3013 return 0; 3014 } 3015 3016 /* 3017 * Make sure the protocol version of a received message is what we were 3018 * expecting. 3019 */ 3020 static int rpcap_check_msg_ver(SOCKET sock, uint8 expected_ver, struct rpcap_header *header, char *errbuf) 3021 { 3022 /* 3023 * Did the server specify the version we negotiated? 3024 */ 3025 if (header->ver != expected_ver) 3026 { 3027 /* 3028 * Discard the rest of the message. 3029 */ 3030 if (rpcap_discard(sock, header->plen, errbuf) == -1) 3031 return -1; 3032 3033 /* 3034 * Tell our caller that it's not the negotiated version. 3035 */ 3036 if (errbuf != NULL) 3037 { 3038 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 3039 "Server sent us a message with version %u when we were expecting %u", 3040 header->ver, expected_ver); 3041 } 3042 return -1; 3043 } 3044 return 0; 3045 } 3046 3047 /* 3048 * Check the message type of a received message, which should either be 3049 * the expected message type or RPCAP_MSG_ERROR. 3050 */ 3051 static int rpcap_check_msg_type(SOCKET sock, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf) 3052 { 3053 const char *request_type_string; 3054 const char *msg_type_string; 3055 3056 /* 3057 * What type of message is it? 3058 */ 3059 if (header->type == RPCAP_MSG_ERROR) 3060 { 3061 /* 3062 * The server reported an error. 3063 * Hand that error back to our caller. 3064 */ 3065 *errcode = ntohs(header->value); 3066 rpcap_msg_err(sock, header->plen, errbuf); 3067 return -1; 3068 } 3069 3070 *errcode = 0; 3071 3072 /* 3073 * For a given request type value, the expected reply type value 3074 * is the request type value with ORed with RPCAP_MSG_IS_REPLY. 3075 */ 3076 if (header->type != (request_type | RPCAP_MSG_IS_REPLY)) 3077 { 3078 /* 3079 * This isn't a reply to the request we sent. 3080 */ 3081 3082 /* 3083 * Discard the rest of the message. 3084 */ 3085 if (rpcap_discard(sock, header->plen, errbuf) == -1) 3086 return -1; 3087 3088 /* 3089 * Tell our caller about it. 3090 */ 3091 request_type_string = rpcap_msg_type_string(request_type); 3092 msg_type_string = rpcap_msg_type_string(header->type); 3093 if (errbuf != NULL) 3094 { 3095 if (request_type_string == NULL) 3096 { 3097 /* This should not happen. */ 3098 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 3099 "rpcap_check_msg_type called for request message with type %u", 3100 request_type); 3101 return -1; 3102 } 3103 if (msg_type_string != NULL) 3104 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 3105 "%s message received in response to a %s message", 3106 msg_type_string, request_type_string); 3107 else 3108 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, 3109 "Message of unknown type %u message received in response to a %s request", 3110 header->type, request_type_string); 3111 } 3112 return -1; 3113 } 3114 3115 return 0; 3116 } 3117 3118 /* 3119 * Receive and process the header of a message. 3120 */ 3121 static int rpcap_process_msg_header(SOCKET sock, uint8 expected_ver, uint8 request_type, struct rpcap_header *header, char *errbuf) 3122 { 3123 uint16 errcode; 3124 3125 if (rpcap_recv_msg_header(sock, header, errbuf) == -1) 3126 { 3127 /* Network error. */ 3128 return -1; 3129 } 3130 3131 /* 3132 * Did the server specify the version we negotiated? 3133 */ 3134 if (rpcap_check_msg_ver(sock, expected_ver, header, errbuf) == -1) 3135 return -1; 3136 3137 /* 3138 * Check the message type. 3139 */ 3140 return rpcap_check_msg_type(sock, request_type, header, 3141 &errcode, errbuf); 3142 } 3143 3144 /* 3145 * Read data from a message. 3146 * If we're trying to read more data that remains, puts an error 3147 * message into errmsgbuf and returns -2. Otherwise, tries to read 3148 * the data and, if that succeeds, subtracts the amount read from 3149 * the number of bytes of data that remains. 3150 * Returns 0 on success, logs a message and returns -1 on a network 3151 * error. 3152 */ 3153 static int rpcap_recv(SOCKET sock, void *buffer, size_t toread, uint32 *plen, char *errbuf) 3154 { 3155 int nread; 3156 3157 if (toread > *plen) 3158 { 3159 /* The server sent us a bad message */ 3160 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short"); 3161 return -1; 3162 } 3163 nread = sock_recv(sock, buffer, toread, 3164 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE); 3165 if (nread == -1) 3166 { 3167 return -1; 3168 } 3169 *plen -= nread; 3170 return 0; 3171 } 3172 3173 /* 3174 * This handles the RPCAP_MSG_ERROR message. 3175 */ 3176 static void rpcap_msg_err(SOCKET sockctrl, uint32 plen, char *remote_errbuf) 3177 { 3178 char errbuf[PCAP_ERRBUF_SIZE]; 3179 3180 if (plen >= PCAP_ERRBUF_SIZE) 3181 { 3182 /* 3183 * Message is too long; just read as much of it as we 3184 * can into the buffer provided, and discard the rest. 3185 */ 3186 if (sock_recv(sockctrl, remote_errbuf, PCAP_ERRBUF_SIZE - 1, 3187 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, 3188 PCAP_ERRBUF_SIZE) == -1) 3189 { 3190 // Network error. 3191 pcap_snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf); 3192 return; 3193 } 3194 3195 /* 3196 * Null-terminate it. 3197 */ 3198 remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0'; 3199 3200 /* 3201 * Throw away the rest. 3202 */ 3203 (void)rpcap_discard(sockctrl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf); 3204 } 3205 else if (plen == 0) 3206 { 3207 /* Empty error string. */ 3208 remote_errbuf[0] = '\0'; 3209 } 3210 else 3211 { 3212 if (sock_recv(sockctrl, remote_errbuf, plen, 3213 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, 3214 PCAP_ERRBUF_SIZE) == -1) 3215 { 3216 // Network error. 3217 pcap_snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf); 3218 return; 3219 } 3220 3221 /* 3222 * Null-terminate it. 3223 */ 3224 remote_errbuf[plen] = '\0'; 3225 } 3226 } 3227 3228 /* 3229 * Discard data from a connection. 3230 * Mostly used to discard wrong-sized messages. 3231 * Returns 0 on success, logs a message and returns -1 on a network 3232 * error. 3233 */ 3234 static int rpcap_discard(SOCKET sock, uint32 len, char *errbuf) 3235 { 3236 if (len != 0) 3237 { 3238 if (sock_discard(sock, len, errbuf, PCAP_ERRBUF_SIZE) == -1) 3239 { 3240 // Network error. 3241 return -1; 3242 } 3243 } 3244 return 0; 3245 } 3246 3247 /* 3248 * Read bytes into the pcap_t's buffer until we have the specified 3249 * number of bytes read or we get an error or interrupt indication. 3250 */ 3251 static int rpcap_read_packet_msg(SOCKET sock, pcap_t *p, size_t size) 3252 { 3253 u_char *bp; 3254 int cc; 3255 int bytes_read; 3256 3257 bp = p->bp; 3258 cc = p->cc; 3259 3260 /* 3261 * Loop until we have the amount of data requested or we get 3262 * an error or interrupt. 3263 */ 3264 while ((size_t)cc < size) 3265 { 3266 /* 3267 * We haven't read all of the packet header yet. 3268 * Read what remains, which could be all of it. 3269 */ 3270 bytes_read = sock_recv(sock, bp, size - cc, 3271 SOCK_RECEIVEALL_NO|SOCK_EOF_IS_ERROR, p->errbuf, 3272 PCAP_ERRBUF_SIZE); 3273 if (bytes_read == -1) 3274 { 3275 /* 3276 * Network error. Update the read pointer and 3277 * byte count, and return an error indication. 3278 */ 3279 p->bp = bp; 3280 p->cc = cc; 3281 return -1; 3282 } 3283 if (bytes_read == -3) 3284 { 3285 /* 3286 * Interrupted receive. Update the read 3287 * pointer and byte count, and return 3288 * an interrupted indication. 3289 */ 3290 p->bp = bp; 3291 p->cc = cc; 3292 return -3; 3293 } 3294 if (bytes_read == 0) 3295 { 3296 /* 3297 * EOF - server terminated the connection. 3298 * Update the read pointer and byte count, and 3299 * return an error indication. 3300 */ 3301 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 3302 "The server terminated the connection."); 3303 return -1; 3304 } 3305 bp += bytes_read; 3306 cc += bytes_read; 3307 } 3308 p->bp = bp; 3309 p->cc = cc; 3310 return 0; 3311 } 3312
