1 /* 2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * packet filter subroutines for tcpdump 22 * Extraction/creation by Jeffrey Mogul, DECWRL 23 */ 24 25 #ifndef lint 26 static const char rcsid[] _U_ = 27 "@(#) $Header: /tcpdump/master/libpcap/pcap-pf.c,v 1.97 2008-04-14 20:40:58 guy Exp $ (LBL)"; 28 #endif 29 30 #ifdef HAVE_CONFIG_H 31 #include "config.h" 32 #endif 33 34 #include <sys/types.h> 35 #include <sys/time.h> 36 #include <sys/timeb.h> 37 #include <sys/socket.h> 38 #include <sys/file.h> 39 #include <sys/ioctl.h> 40 #include <net/pfilt.h> 41 42 struct mbuf; 43 struct rtentry; 44 #include <net/if.h> 45 46 #include <netinet/in.h> 47 #include <netinet/in_systm.h> 48 #include <netinet/ip.h> 49 #include <netinet/if_ether.h> 50 #include <netinet/ip_var.h> 51 #include <netinet/udp.h> 52 #include <netinet/udp_var.h> 53 #include <netinet/tcp.h> 54 #include <netinet/tcpip.h> 55 56 #include <ctype.h> 57 #include <errno.h> 58 #include <netdb.h> 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 #include <unistd.h> 63 64 /* 65 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the 66 * native OS version, as we need various BPF ioctls from it. 67 */ 68 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 69 #include <net/bpf.h> 70 71 #include "pcap-int.h" 72 73 #ifdef HAVE_OS_PROTO_H 74 #include "os-proto.h" 75 #endif 76 77 /* 78 * FDDI packets are padded to make everything line up on a nice boundary. 79 */ 80 #define PCAP_FDDIPAD 3 81 82 /* 83 * Private data for capturing on Ultrix and DEC OSF/1^WDigital UNIX^W^W 84 * Tru64 UNIX packetfilter devices. 85 */ 86 struct pcap_pf { 87 int filtering_in_kernel; /* using kernel filter */ 88 u_long TotPkts; /* can't oflow for 79 hrs on ether */ 89 u_long TotAccepted; /* count accepted by filter */ 90 u_long TotDrops; /* count of dropped packets */ 91 long TotMissed; /* missed by i/f during this run */ 92 long OrigMissed; /* missed by i/f before this run */ 93 }; 94 95 static int pcap_setfilter_pf(pcap_t *, struct bpf_program *); 96 97 /* 98 * BUFSPACE is the size in bytes of the packet read buffer. Most tcpdump 99 * applications aren't going to need more than 200 bytes of packet header 100 * and the read shouldn't return more packets than packetfilter's internal 101 * queue limit (bounded at 256). 102 */ 103 #define BUFSPACE (200 * 256) 104 105 static int 106 pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user) 107 { 108 struct pcap_pf *pf = pc->priv; 109 register u_char *p, *bp; 110 register int cc, n, buflen, inc; 111 register struct enstamp *sp; 112 #ifdef LBL_ALIGN 113 struct enstamp stamp; 114 #endif 115 register int pad; 116 117 again: 118 cc = pc->cc; 119 if (cc == 0) { 120 cc = read(pc->fd, (char *)pc->buffer + pc->offset, pc->bufsize); 121 if (cc < 0) { 122 if (errno == EWOULDBLOCK) 123 return (0); 124 if (errno == EINVAL && 125 lseek(pc->fd, 0L, SEEK_CUR) + pc->bufsize < 0) { 126 /* 127 * Due to a kernel bug, after 2^31 bytes, 128 * the kernel file offset overflows and 129 * read fails with EINVAL. The lseek() 130 * to 0 will fix things. 131 */ 132 (void)lseek(pc->fd, 0L, SEEK_SET); 133 goto again; 134 } 135 snprintf(pc->errbuf, sizeof(pc->errbuf), "pf read: %s", 136 pcap_strerror(errno)); 137 return (-1); 138 } 139 bp = pc->buffer + pc->offset; 140 } else 141 bp = pc->bp; 142 /* 143 * Loop through each packet. 144 */ 145 n = 0; 146 pad = pc->fddipad; 147 while (cc > 0) { 148 /* 149 * Has "pcap_breakloop()" been called? 150 * If so, return immediately - if we haven't read any 151 * packets, clear the flag and return -2 to indicate 152 * that we were told to break out of the loop, otherwise 153 * leave the flag set, so that the *next* call will break 154 * out of the loop without having read any packets, and 155 * return the number of packets we've processed so far. 156 */ 157 if (pc->break_loop) { 158 if (n == 0) { 159 pc->break_loop = 0; 160 return (-2); 161 } else { 162 pc->cc = cc; 163 pc->bp = bp; 164 return (n); 165 } 166 } 167 if (cc < sizeof(*sp)) { 168 snprintf(pc->errbuf, sizeof(pc->errbuf), 169 "pf short read (%d)", cc); 170 return (-1); 171 } 172 #ifdef LBL_ALIGN 173 if ((long)bp & 3) { 174 sp = &stamp; 175 memcpy((char *)sp, (char *)bp, sizeof(*sp)); 176 } else 177 #endif 178 sp = (struct enstamp *)bp; 179 if (sp->ens_stamplen != sizeof(*sp)) { 180 snprintf(pc->errbuf, sizeof(pc->errbuf), 181 "pf short stamplen (%d)", 182 sp->ens_stamplen); 183 return (-1); 184 } 185 186 p = bp + sp->ens_stamplen; 187 buflen = sp->ens_count; 188 if (buflen > pc->snapshot) 189 buflen = pc->snapshot; 190 191 /* Calculate inc before possible pad update */ 192 inc = ENALIGN(buflen + sp->ens_stamplen); 193 cc -= inc; 194 bp += inc; 195 pf->TotPkts++; 196 pf->TotDrops += sp->ens_dropped; 197 pf->TotMissed = sp->ens_ifoverflows; 198 if (pf->OrigMissed < 0) 199 pf->OrigMissed = pf->TotMissed; 200 201 /* 202 * Short-circuit evaluation: if using BPF filter 203 * in kernel, no need to do it now - we already know 204 * the packet passed the filter. 205 * 206 * Note: the filter code was generated assuming 207 * that pc->fddipad was the amount of padding 208 * before the header, as that's what's required 209 * in the kernel, so we run the filter before 210 * skipping that padding. 211 */ 212 if (pf->filtering_in_kernel || 213 bpf_filter(pc->fcode.bf_insns, p, sp->ens_count, buflen)) { 214 struct pcap_pkthdr h; 215 pf->TotAccepted++; 216 h.ts = sp->ens_tstamp; 217 h.len = sp->ens_count - pad; 218 p += pad; 219 buflen -= pad; 220 h.caplen = buflen; 221 (*callback)(user, &h, p); 222 if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) { 223 pc->cc = cc; 224 pc->bp = bp; 225 return (n); 226 } 227 } 228 } 229 pc->cc = 0; 230 return (n); 231 } 232 233 static int 234 pcap_inject_pf(pcap_t *p, const void *buf, size_t size) 235 { 236 int ret; 237 238 ret = write(p->fd, buf, size); 239 if (ret == -1) { 240 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 241 pcap_strerror(errno)); 242 return (-1); 243 } 244 return (ret); 245 } 246 247 static int 248 pcap_stats_pf(pcap_t *p, struct pcap_stat *ps) 249 { 250 struct pcap_pf *pf = p->priv; 251 252 /* 253 * If packet filtering is being done in the kernel: 254 * 255 * "ps_recv" counts only packets that passed the filter. 256 * This does not include packets dropped because we 257 * ran out of buffer space. (XXX - perhaps it should, 258 * by adding "ps_drop" to "ps_recv", for compatibility 259 * with some other platforms. On the other hand, on 260 * some platforms "ps_recv" counts only packets that 261 * passed the filter, and on others it counts packets 262 * that didn't pass the filter....) 263 * 264 * "ps_drop" counts packets that passed the kernel filter 265 * (if any) but were dropped because the input queue was 266 * full. 267 * 268 * "ps_ifdrop" counts packets dropped by the network 269 * inteface (regardless of whether they would have passed 270 * the input filter, of course). 271 * 272 * If packet filtering is not being done in the kernel: 273 * 274 * "ps_recv" counts only packets that passed the filter. 275 * 276 * "ps_drop" counts packets that were dropped because the 277 * input queue was full, regardless of whether they passed 278 * the userland filter. 279 * 280 * "ps_ifdrop" counts packets dropped by the network 281 * inteface (regardless of whether they would have passed 282 * the input filter, of course). 283 * 284 * These statistics don't include packets not yet read from 285 * the kernel by libpcap, but they may include packets not 286 * yet read from libpcap by the application. 287 */ 288 ps->ps_recv = pf->TotAccepted; 289 ps->ps_drop = pf->TotDrops; 290 ps->ps_ifdrop = pf->TotMissed - pf->OrigMissed; 291 return (0); 292 } 293 294 /* 295 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably 296 * don't get DLT_DOCSIS defined. 297 */ 298 #ifndef DLT_DOCSIS 299 #define DLT_DOCSIS 143 300 #endif 301 302 static int 303 pcap_activate_pf(pcap_t *p) 304 { 305 struct pcap_pf *pf = p->priv; 306 short enmode; 307 int backlog = -1; /* request the most */ 308 struct enfilter Filter; 309 struct endevp devparams; 310 311 /* 312 * Initially try a read/write open (to allow the inject 313 * method to work). If that fails due to permission 314 * issues, fall back to read-only. This allows a 315 * non-root user to be granted specific access to pcap 316 * capabilities via file permissions. 317 * 318 * XXX - we should have an API that has a flag that 319 * controls whether to open read-only or read-write, 320 * so that denial of permission to send (or inability 321 * to send, if sending packets isn't supported on 322 * the device in question) can be indicated at open 323 * time. 324 * 325 * XXX - we assume here that "pfopen()" does not, in fact, modify 326 * its argument, even though it takes a "char *" rather than a 327 * "const char *" as its first argument. That appears to be 328 * the case, at least on Digital UNIX 4.0. 329 */ 330 p->fd = pfopen(p->opt.source, O_RDWR); 331 if (p->fd == -1 && errno == EACCES) 332 p->fd = pfopen(p->opt.source, O_RDONLY); 333 if (p->fd < 0) { 334 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "pf open: %s: %s\n\ 335 your system may not be properly configured; see the packetfilter(4) man page\n", 336 p->opt.source, pcap_strerror(errno)); 337 goto bad; 338 } 339 pf->OrigMissed = -1; 340 enmode = ENTSTAMP|ENNONEXCL; 341 if (!p->opt.immediate) 342 enmode |= ENBATCH; 343 if (p->opt.promisc) 344 enmode |= ENPROMISC; 345 if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) { 346 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "EIOCMBIS: %s", 347 pcap_strerror(errno)); 348 goto bad; 349 } 350 #ifdef ENCOPYALL 351 /* Try to set COPYALL mode so that we see packets to ourself */ 352 enmode = ENCOPYALL; 353 (void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */ 354 #endif 355 /* set the backlog */ 356 if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) { 357 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "EIOCSETW: %s", 358 pcap_strerror(errno)); 359 goto bad; 360 } 361 /* discover interface type */ 362 if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) { 363 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "EIOCDEVP: %s", 364 pcap_strerror(errno)); 365 goto bad; 366 } 367 /* HACK: to compile prior to Ultrix 4.2 */ 368 #ifndef ENDT_FDDI 369 #define ENDT_FDDI 4 370 #endif 371 switch (devparams.end_dev_type) { 372 373 case ENDT_10MB: 374 p->linktype = DLT_EN10MB; 375 p->offset = 2; 376 /* 377 * This is (presumably) a real Ethernet capture; give it a 378 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 379 * that an application can let you choose it, in case you're 380 * capturing DOCSIS traffic that a Cisco Cable Modem 381 * Termination System is putting out onto an Ethernet (it 382 * doesn't put an Ethernet header onto the wire, it puts raw 383 * DOCSIS frames out on the wire inside the low-level 384 * Ethernet framing). 385 */ 386 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 387 /* 388 * If that fails, just leave the list empty. 389 */ 390 if (p->dlt_list != NULL) { 391 p->dlt_list[0] = DLT_EN10MB; 392 p->dlt_list[1] = DLT_DOCSIS; 393 p->dlt_count = 2; 394 } 395 break; 396 397 case ENDT_FDDI: 398 p->linktype = DLT_FDDI; 399 break; 400 401 #ifdef ENDT_SLIP 402 case ENDT_SLIP: 403 p->linktype = DLT_SLIP; 404 break; 405 #endif 406 407 #ifdef ENDT_PPP 408 case ENDT_PPP: 409 p->linktype = DLT_PPP; 410 break; 411 #endif 412 413 #ifdef ENDT_LOOPBACK 414 case ENDT_LOOPBACK: 415 /* 416 * It appears to use Ethernet framing, at least on 417 * Digital UNIX 4.0. 418 */ 419 p->linktype = DLT_EN10MB; 420 p->offset = 2; 421 break; 422 #endif 423 424 #ifdef ENDT_TRN 425 case ENDT_TRN: 426 p->linktype = DLT_IEEE802; 427 break; 428 #endif 429 430 default: 431 /* 432 * XXX - what about ENDT_IEEE802? The pfilt.h header 433 * file calls this "IEEE 802 networks (non-Ethernet)", 434 * but that doesn't specify a specific link layer type; 435 * it could be 802.4, or 802.5 (except that 802.5 is 436 * ENDT_TRN), or 802.6, or 802.11, or.... That's why 437 * DLT_IEEE802 was hijacked to mean Token Ring in various 438 * BSDs, and why we went along with that hijacking. 439 * 440 * XXX - what about ENDT_HDLC and ENDT_NULL? 441 * Presumably, as ENDT_OTHER is just "Miscellaneous 442 * framing", there's not much we can do, as that 443 * doesn't specify a particular type of header. 444 */ 445 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 446 "unknown data-link type %u", devparams.end_dev_type); 447 goto bad; 448 } 449 /* set truncation */ 450 if (p->linktype == DLT_FDDI) { 451 p->fddipad = PCAP_FDDIPAD; 452 453 /* packetfilter includes the padding in the snapshot */ 454 p->snapshot += PCAP_FDDIPAD; 455 } else 456 p->fddipad = 0; 457 if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&p->snapshot) < 0) { 458 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "EIOCTRUNCATE: %s", 459 pcap_strerror(errno)); 460 goto bad; 461 } 462 /* accept all packets */ 463 memset(&Filter, 0, sizeof(Filter)); 464 Filter.enf_Priority = 37; /* anything > 2 */ 465 Filter.enf_FilterLen = 0; /* means "always true" */ 466 if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) { 467 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "EIOCSETF: %s", 468 pcap_strerror(errno)); 469 goto bad; 470 } 471 472 if (p->opt.timeout != 0) { 473 struct timeval timeout; 474 timeout.tv_sec = p->opt.timeout / 1000; 475 timeout.tv_usec = (p->opt.timeout * 1000) % 1000000; 476 if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) { 477 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "EIOCSRTIMEOUT: %s", 478 pcap_strerror(errno)); 479 goto bad; 480 } 481 } 482 483 p->bufsize = BUFSPACE; 484 p->buffer = (u_char*)malloc(p->bufsize + p->offset); 485 if (p->buffer == NULL) { 486 strlcpy(p->errbuf, pcap_strerror(errno), PCAP_ERRBUF_SIZE); 487 goto bad; 488 } 489 490 /* 491 * "select()" and "poll()" work on packetfilter devices. 492 */ 493 p->selectable_fd = p->fd; 494 495 p->read_op = pcap_read_pf; 496 p->inject_op = pcap_inject_pf; 497 p->setfilter_op = pcap_setfilter_pf; 498 p->setdirection_op = NULL; /* Not implemented. */ 499 p->set_datalink_op = NULL; /* can't change data link type */ 500 p->getnonblock_op = pcap_getnonblock_fd; 501 p->setnonblock_op = pcap_setnonblock_fd; 502 p->stats_op = pcap_stats_pf; 503 504 return (0); 505 bad: 506 pcap_cleanup_live_common(p); 507 return (PCAP_ERROR); 508 } 509 510 pcap_t * 511 pcap_create_interface(const char *device, char *ebuf) 512 { 513 pcap_t *p; 514 515 p = pcap_create_common(device, ebuf, sizeof (struct pcap_pf)); 516 if (p == NULL) 517 return (NULL); 518 519 p->activate_op = pcap_activate_pf; 520 return (p); 521 } 522 523 int 524 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 525 { 526 return (0); 527 } 528 529 static int 530 pcap_setfilter_pf(pcap_t *p, struct bpf_program *fp) 531 { 532 struct pcap_pf *pf = p->priv; 533 struct bpf_version bv; 534 535 /* 536 * See if BIOCVERSION works. If not, we assume the kernel doesn't 537 * support BPF-style filters (it's not documented in the bpf(7) 538 * or packetfiler(7) man pages, but the code used to fail if 539 * BIOCSETF worked but BIOCVERSION didn't, and I've seen it do 540 * kernel filtering in DU 4.0, so presumably BIOCVERSION works 541 * there, at least). 542 */ 543 if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) >= 0) { 544 /* 545 * OK, we have the version of the BPF interpreter; 546 * is it the same major version as us, and the same 547 * or better minor version? 548 */ 549 if (bv.bv_major == BPF_MAJOR_VERSION && 550 bv.bv_minor >= BPF_MINOR_VERSION) { 551 /* 552 * Yes. Try to install the filter. 553 */ 554 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) { 555 snprintf(p->errbuf, sizeof(p->errbuf), 556 "BIOCSETF: %s", pcap_strerror(errno)); 557 return (-1); 558 } 559 560 /* 561 * OK, that succeeded. We're doing filtering in 562 * the kernel. (We assume we don't have a 563 * userland filter installed - that'd require 564 * a previous version check to have failed but 565 * this one to succeed.) 566 * 567 * XXX - this message should be supplied to the 568 * application as a warning of some sort, 569 * except that if it's a GUI application, it's 570 * not clear that it should be displayed in 571 * a window to annoy the user. 572 */ 573 fprintf(stderr, "tcpdump: Using kernel BPF filter\n"); 574 pf->filtering_in_kernel = 1; 575 576 /* 577 * Discard any previously-received packets, 578 * as they might have passed whatever filter 579 * was formerly in effect, but might not pass 580 * this filter (BIOCSETF discards packets buffered 581 * in the kernel, so you can lose packets in any 582 * case). 583 */ 584 p->cc = 0; 585 return (0); 586 } 587 588 /* 589 * We can't use the kernel's BPF interpreter; don't give 590 * up, just log a message and be inefficient. 591 * 592 * XXX - this should really be supplied to the application 593 * as a warning of some sort. 594 */ 595 fprintf(stderr, 596 "tcpdump: Requires BPF language %d.%d or higher; kernel is %d.%d\n", 597 BPF_MAJOR_VERSION, BPF_MINOR_VERSION, 598 bv.bv_major, bv.bv_minor); 599 } 600 601 /* 602 * We couldn't do filtering in the kernel; do it in userland. 603 */ 604 if (install_bpf_program(p, fp) < 0) 605 return (-1); 606 607 /* 608 * XXX - this message should be supplied by the application as 609 * a warning of some sort. 610 */ 611 fprintf(stderr, "tcpdump: Filtering in user process\n"); 612 pf->filtering_in_kernel = 0; 613 return (0); 614 } 615
