1 /* 2 * pcap-linux.c: Packet capture interface to the Linux kernel 3 * 4 * Copyright (c) 2000 Torsten Landschoff <torsten (at) debian.org> 5 * Sebastian Krahmer <krahmer (at) cs.uni-potsdam.de> 6 * 7 * License: BSD 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 3. The names of the authors may not be used to endorse or promote 20 * products derived from this software without specific prior 21 * written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 26 * 27 * Modifications: Added PACKET_MMAP support 28 * Paolo Abeni <paolo.abeni (at) email.it> 29 * Added TPACKET_V3 support 30 * Gabor Tatarka <gabor.tatarka (at) ericsson.com> 31 * 32 * based on previous works of: 33 * Simon Patarin <patarin (at) cs.unibo.it> 34 * Phil Wood <cpw (at) lanl.gov> 35 * 36 * Monitor-mode support for mac80211 includes code taken from the iw 37 * command; the copyright notice for that code is 38 * 39 * Copyright (c) 2007, 2008 Johannes Berg 40 * Copyright (c) 2007 Andy Lutomirski 41 * Copyright (c) 2007 Mike Kershaw 42 * Copyright (c) 2008 Gbor Stefanik 43 * 44 * All rights reserved. 45 * 46 * Redistribution and use in source and binary forms, with or without 47 * modification, are permitted provided that the following conditions 48 * are met: 49 * 1. Redistributions of source code must retain the above copyright 50 * notice, this list of conditions and the following disclaimer. 51 * 2. Redistributions in binary form must reproduce the above copyright 52 * notice, this list of conditions and the following disclaimer in the 53 * documentation and/or other materials provided with the distribution. 54 * 3. The name of the author may not be used to endorse or promote products 55 * derived from this software without specific prior written permission. 56 * 57 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 58 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 59 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 60 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 61 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 62 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 63 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 64 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 65 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 66 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 67 * SUCH DAMAGE. 68 */ 69 70 /* 71 * Known problems with 2.0[.x] kernels: 72 * 73 * - The loopback device gives every packet twice; on 2.2[.x] kernels, 74 * if we use PF_PACKET, we can filter out the transmitted version 75 * of the packet by using data in the "sockaddr_ll" returned by 76 * "recvfrom()", but, on 2.0[.x] kernels, we have to use 77 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 78 * "sockaddr_pkt" which doesn't give us enough information to let 79 * us do that. 80 * 81 * - We have to set the interface's IFF_PROMISC flag ourselves, if 82 * we're to run in promiscuous mode, which means we have to turn 83 * it off ourselves when we're done; the kernel doesn't keep track 84 * of how many sockets are listening promiscuously, which means 85 * it won't get turned off automatically when no sockets are 86 * listening promiscuously. We catch "pcap_close()" and, for 87 * interfaces we put into promiscuous mode, take them out of 88 * promiscuous mode - which isn't necessarily the right thing to 89 * do, if another socket also requested promiscuous mode between 90 * the time when we opened the socket and the time when we close 91 * the socket. 92 * 93 * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()" 94 * return the amount of data that you could have read, rather than 95 * the amount that was returned, so we can't just allocate a buffer 96 * whose size is the snapshot length and pass the snapshot length 97 * as the byte count, and also pass MSG_TRUNC, so that the return 98 * value tells us how long the packet was on the wire. 99 * 100 * This means that, if we want to get the actual size of the packet, 101 * so we can return it in the "len" field of the packet header, 102 * we have to read the entire packet, not just the part that fits 103 * within the snapshot length, and thus waste CPU time copying data 104 * from the kernel that our caller won't see. 105 * 106 * We have to get the actual size, and supply it in "len", because 107 * otherwise, the IP dissector in tcpdump, for example, will complain 108 * about "truncated-ip", as the packet will appear to have been 109 * shorter, on the wire, than the IP header said it should have been. 110 */ 111 112 113 #define _GNU_SOURCE 114 115 #ifdef HAVE_CONFIG_H 116 #include "config.h" 117 #endif 118 119 #include <errno.h> 120 #include <stdio.h> 121 #include <stdlib.h> 122 #include <ctype.h> 123 #include <unistd.h> 124 #include <fcntl.h> 125 #include <string.h> 126 #include <limits.h> 127 #include <sys/stat.h> 128 #include <sys/socket.h> 129 #include <sys/ioctl.h> 130 #include <sys/utsname.h> 131 #include <sys/mman.h> 132 #include <linux/if.h> 133 #include <linux/if_packet.h> 134 #include <linux/sockios.h> 135 #include <netinet/in.h> 136 #include <linux/if_ether.h> 137 #include <net/if_arp.h> 138 #include <poll.h> 139 #include <dirent.h> 140 141 #include "pcap-int.h" 142 #include "pcap/sll.h" 143 #include "pcap/vlan.h" 144 145 /* 146 * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET 147 * sockets rather than SOCK_PACKET sockets. 148 * 149 * To use them, we include <linux/if_packet.h> rather than 150 * <netpacket/packet.h>; we do so because 151 * 152 * some Linux distributions (e.g., Slackware 4.0) have 2.2 or 153 * later kernels and libc5, and don't provide a <netpacket/packet.h> 154 * file; 155 * 156 * not all versions of glibc2 have a <netpacket/packet.h> file 157 * that defines stuff needed for some of the 2.4-or-later-kernel 158 * features, so if the system has a 2.4 or later kernel, we 159 * still can't use those features. 160 * 161 * We're already including a number of other <linux/XXX.h> headers, and 162 * this code is Linux-specific (no other OS has PF_PACKET sockets as 163 * a raw packet capture mechanism), so it's not as if you gain any 164 * useful portability by using <netpacket/packet.h> 165 * 166 * XXX - should we just include <linux/if_packet.h> even if PF_PACKET 167 * isn't defined? It only defines one data structure in 2.0.x, so 168 * it shouldn't cause any problems. 169 */ 170 #ifdef PF_PACKET 171 # include <linux/if_packet.h> 172 173 /* 174 * On at least some Linux distributions (for example, Red Hat 5.2), 175 * there's no <netpacket/packet.h> file, but PF_PACKET is defined if 176 * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 177 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 178 * the PACKET_xxx stuff. 179 * 180 * So we check whether PACKET_HOST is defined, and assume that we have 181 * PF_PACKET sockets only if it is defined. 182 */ 183 # ifdef PACKET_HOST 184 # define HAVE_PF_PACKET_SOCKETS 185 # ifdef PACKET_AUXDATA 186 # define HAVE_PACKET_AUXDATA 187 # endif /* PACKET_AUXDATA */ 188 # endif /* PACKET_HOST */ 189 190 191 /* check for memory mapped access avaibility. We assume every needed 192 * struct is defined if the macro TPACKET_HDRLEN is defined, because it 193 * uses many ring related structs and macros */ 194 # ifdef PCAP_SUPPORT_PACKET_RING 195 # ifdef TPACKET_HDRLEN 196 # define HAVE_PACKET_RING 197 # ifdef TPACKET3_HDRLEN 198 # define HAVE_TPACKET3 199 # endif /* TPACKET3_HDRLEN */ 200 # ifdef TPACKET2_HDRLEN 201 # define HAVE_TPACKET2 202 # else /* TPACKET2_HDRLEN */ 203 # define TPACKET_V1 0 /* Old kernel with only V1, so no TPACKET_Vn defined */ 204 # endif /* TPACKET2_HDRLEN */ 205 # endif /* TPACKET_HDRLEN */ 206 # endif /* PCAP_SUPPORT_PACKET_RING */ 207 #endif /* PF_PACKET */ 208 209 #ifdef SO_ATTACH_FILTER 210 #include <linux/types.h> 211 #include <linux/filter.h> 212 #endif 213 214 #ifdef HAVE_LINUX_NET_TSTAMP_H 215 #include <linux/net_tstamp.h> 216 #endif 217 218 #ifdef HAVE_LINUX_SOCKIOS_H 219 #include <linux/sockios.h> 220 #endif 221 222 #ifdef HAVE_LINUX_IF_BONDING_H 223 #include <linux/if_bonding.h> 224 #endif 225 226 /* 227 * Got Wireless Extensions? 228 */ 229 #ifdef HAVE_LINUX_WIRELESS_H 230 #include <linux/wireless.h> 231 #endif /* HAVE_LINUX_WIRELESS_H */ 232 233 /* 234 * Got libnl? 235 */ 236 #ifdef HAVE_LIBNL 237 #include <linux/nl80211.h> 238 239 #include <netlink/genl/genl.h> 240 #include <netlink/genl/family.h> 241 #include <netlink/genl/ctrl.h> 242 #include <netlink/msg.h> 243 #include <netlink/attr.h> 244 #endif /* HAVE_LIBNL */ 245 246 /* 247 * Got ethtool support? 248 */ 249 #ifdef HAVE_LINUX_ETHTOOL_H 250 #include <linux/ethtool.h> 251 #endif 252 253 #ifndef HAVE_SOCKLEN_T 254 typedef int socklen_t; 255 #endif 256 257 #ifndef MSG_TRUNC 258 /* 259 * This is being compiled on a system that lacks MSG_TRUNC; define it 260 * with the value it has in the 2.2 and later kernels, so that, on 261 * those kernels, when we pass it in the flags argument to "recvfrom()" 262 * we're passing the right value and thus get the MSG_TRUNC behavior 263 * we want. (We don't get that behavior on 2.0[.x] kernels, because 264 * they didn't support MSG_TRUNC.) 265 */ 266 #define MSG_TRUNC 0x20 267 #endif 268 269 #ifndef SOL_PACKET 270 /* 271 * This is being compiled on a system that lacks SOL_PACKET; define it 272 * with the value it has in the 2.2 and later kernels, so that we can 273 * set promiscuous mode in the good modern way rather than the old 274 * 2.0-kernel crappy way. 275 */ 276 #define SOL_PACKET 263 277 #endif 278 279 #define MAX_LINKHEADER_SIZE 256 280 281 /* 282 * When capturing on all interfaces we use this as the buffer size. 283 * Should be bigger then all MTUs that occur in real life. 284 * 64kB should be enough for now. 285 */ 286 #define BIGGER_THAN_ALL_MTUS (64*1024) 287 288 /* 289 * Private data for capturing on Linux SOCK_PACKET or PF_PACKET sockets. 290 */ 291 struct pcap_linux { 292 u_int packets_read; /* count of packets read with recvfrom() */ 293 long proc_dropped; /* packets reported dropped by /proc/net/dev */ 294 struct pcap_stat stat; 295 296 char *device; /* device name */ 297 int filter_in_userland; /* must filter in userland */ 298 int blocks_to_filter_in_userland; 299 int must_do_on_close; /* stuff we must do when we close */ 300 int timeout; /* timeout for buffering */ 301 int sock_packet; /* using Linux 2.0 compatible interface */ 302 int cooked; /* using SOCK_DGRAM rather than SOCK_RAW */ 303 int ifindex; /* interface index of device we're bound to */ 304 int lo_ifindex; /* interface index of the loopback device */ 305 bpf_u_int32 oldmode; /* mode to restore when turning monitor mode off */ 306 char *mondevice; /* mac80211 monitor device we created */ 307 u_char *mmapbuf; /* memory-mapped region pointer */ 308 size_t mmapbuflen; /* size of region */ 309 int vlan_offset; /* offset at which to insert vlan tags; if -1, don't insert */ 310 u_int tp_version; /* version of tpacket_hdr for mmaped ring */ 311 u_int tp_hdrlen; /* hdrlen of tpacket_hdr for mmaped ring */ 312 u_char *oneshot_buffer; /* buffer for copy of packet */ 313 #ifdef HAVE_TPACKET3 314 unsigned char *current_packet; /* Current packet within the TPACKET_V3 block. Move to next block if NULL. */ 315 int packets_left; /* Unhandled packets left within the block from previous call to pcap_read_linux_mmap_v3 in case of TPACKET_V3. */ 316 #endif 317 }; 318 319 /* 320 * Stuff to do when we close. 321 */ 322 #define MUST_CLEAR_PROMISC 0x00000001 /* clear promiscuous mode */ 323 #define MUST_CLEAR_RFMON 0x00000002 /* clear rfmon (monitor) mode */ 324 #define MUST_DELETE_MONIF 0x00000004 /* delete monitor-mode interface */ 325 326 /* 327 * Prototypes for internal functions and methods. 328 */ 329 static void map_arphrd_to_dlt(pcap_t *, int, int, const char *, int); 330 #ifdef HAVE_PF_PACKET_SOCKETS 331 static short int map_packet_type_to_sll_type(short int); 332 #endif 333 static int pcap_activate_linux(pcap_t *); 334 static int activate_old(pcap_t *); 335 static int activate_new(pcap_t *); 336 static int activate_mmap(pcap_t *, int *); 337 static int pcap_can_set_rfmon_linux(pcap_t *); 338 static int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *); 339 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 340 static int pcap_inject_linux(pcap_t *, const void *, size_t); 341 static int pcap_stats_linux(pcap_t *, struct pcap_stat *); 342 static int pcap_setfilter_linux(pcap_t *, struct bpf_program *); 343 static int pcap_setdirection_linux(pcap_t *, pcap_direction_t); 344 static int pcap_set_datalink_linux(pcap_t *, int); 345 static void pcap_cleanup_linux(pcap_t *); 346 347 /* 348 * This is what the header structure looks like in a 64-bit kernel; 349 * we use this, rather than struct tpacket_hdr, if we're using 350 * TPACKET_V1 in 32-bit code running on a 64-bit kernel. 351 */ 352 struct tpacket_hdr_64 { 353 uint64_t tp_status; 354 unsigned int tp_len; 355 unsigned int tp_snaplen; 356 unsigned short tp_mac; 357 unsigned short tp_net; 358 unsigned int tp_sec; 359 unsigned int tp_usec; 360 }; 361 362 /* 363 * We use this internally as the tpacket version for TPACKET_V1 in 364 * 32-bit code on a 64-bit kernel. 365 */ 366 #define TPACKET_V1_64 99 367 368 union thdr { 369 struct tpacket_hdr *h1; 370 struct tpacket_hdr_64 *h1_64; 371 #ifdef HAVE_TPACKET2 372 struct tpacket2_hdr *h2; 373 #endif 374 #ifdef HAVE_TPACKET3 375 struct tpacket_block_desc *h3; 376 #endif 377 void *raw; 378 }; 379 380 #ifdef HAVE_PACKET_RING 381 #define RING_GET_FRAME(h) (((union thdr **)h->buffer)[h->offset]) 382 383 static void destroy_ring(pcap_t *handle); 384 static int create_ring(pcap_t *handle, int *status); 385 static int prepare_tpacket_socket(pcap_t *handle); 386 static void pcap_cleanup_linux_mmap(pcap_t *); 387 static int pcap_read_linux_mmap_v1(pcap_t *, int, pcap_handler , u_char *); 388 static int pcap_read_linux_mmap_v1_64(pcap_t *, int, pcap_handler , u_char *); 389 #ifdef HAVE_TPACKET2 390 static int pcap_read_linux_mmap_v2(pcap_t *, int, pcap_handler , u_char *); 391 #endif 392 #ifdef HAVE_TPACKET3 393 static int pcap_read_linux_mmap_v3(pcap_t *, int, pcap_handler , u_char *); 394 #endif 395 static int pcap_setfilter_linux_mmap(pcap_t *, struct bpf_program *); 396 static int pcap_setnonblock_mmap(pcap_t *p, int nonblock, char *errbuf); 397 static int pcap_getnonblock_mmap(pcap_t *p, char *errbuf); 398 static void pcap_oneshot_mmap(u_char *user, const struct pcap_pkthdr *h, 399 const u_char *bytes); 400 #endif 401 402 #ifdef TP_STATUS_VLAN_TPID_VALID 403 # define VLAN_TPID(hdr, hv) (((hv)->tp_vlan_tpid || ((hdr)->tp_status & TP_STATUS_VLAN_TPID_VALID)) ? (hv)->tp_vlan_tpid : ETH_P_8021Q) 404 #else 405 # define VLAN_TPID(hdr, hv) ETH_P_8021Q 406 #endif 407 408 /* 409 * Wrap some ioctl calls 410 */ 411 #ifdef HAVE_PF_PACKET_SOCKETS 412 static int iface_get_id(int fd, const char *device, char *ebuf); 413 #endif /* HAVE_PF_PACKET_SOCKETS */ 414 static int iface_get_mtu(int fd, const char *device, char *ebuf); 415 static int iface_get_arptype(int fd, const char *device, char *ebuf); 416 #ifdef HAVE_PF_PACKET_SOCKETS 417 static int iface_bind(int fd, int ifindex, char *ebuf); 418 #ifdef IW_MODE_MONITOR 419 static int has_wext(int sock_fd, const char *device, char *ebuf); 420 #endif /* IW_MODE_MONITOR */ 421 static int enter_rfmon_mode(pcap_t *handle, int sock_fd, 422 const char *device); 423 #endif /* HAVE_PF_PACKET_SOCKETS */ 424 #if defined(HAVE_LINUX_NET_TSTAMP_H) && defined(PACKET_TIMESTAMP) 425 static int iface_ethtool_get_ts_info(pcap_t *handle, char *ebuf); 426 #endif 427 #ifdef HAVE_PACKET_RING 428 static int iface_get_offload(pcap_t *handle); 429 #endif 430 static int iface_bind_old(int fd, const char *device, char *ebuf); 431 432 #ifdef SO_ATTACH_FILTER 433 static int fix_program(pcap_t *handle, struct sock_fprog *fcode, 434 int is_mapped); 435 static int fix_offset(struct bpf_insn *p); 436 static int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode); 437 static int reset_kernel_filter(pcap_t *handle); 438 439 static struct sock_filter total_insn 440 = BPF_STMT(BPF_RET | BPF_K, 0); 441 static struct sock_fprog total_fcode 442 = { 1, &total_insn }; 443 #endif /* SO_ATTACH_FILTER */ 444 445 pcap_t * 446 pcap_create_interface(const char *device, char *ebuf) 447 { 448 pcap_t *handle; 449 450 handle = pcap_create_common(device, ebuf, sizeof (struct pcap_linux)); 451 if (handle == NULL) 452 return NULL; 453 454 handle->activate_op = pcap_activate_linux; 455 handle->can_set_rfmon_op = pcap_can_set_rfmon_linux; 456 457 #if defined(HAVE_LINUX_NET_TSTAMP_H) && defined(PACKET_TIMESTAMP) 458 /* 459 * See what time stamp types we support. 460 */ 461 if (iface_ethtool_get_ts_info(handle, ebuf) == -1) { 462 free(handle); 463 return NULL; 464 } 465 #endif 466 467 #if defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) 468 /* 469 * We claim that we support microsecond and nanosecond time 470 * stamps. 471 * 472 * XXX - with adapter-supplied time stamps, can we choose 473 * microsecond or nanosecond time stamps on arbitrary 474 * adapters? 475 */ 476 handle->tstamp_precision_count = 2; 477 handle->tstamp_precision_list = malloc(2 * sizeof(u_int)); 478 if (handle->tstamp_precision_list == NULL) { 479 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 480 pcap_strerror(errno)); 481 if (handle->tstamp_type_list != NULL) 482 free(handle->tstamp_type_list); 483 free(handle); 484 return NULL; 485 } 486 handle->tstamp_precision_list[0] = PCAP_TSTAMP_PRECISION_MICRO; 487 handle->tstamp_precision_list[1] = PCAP_TSTAMP_PRECISION_NANO; 488 #endif /* defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) */ 489 490 return handle; 491 } 492 493 #ifdef HAVE_LIBNL 494 /* 495 * If interface {if} is a mac80211 driver, the file 496 * /sys/class/net/{if}/phy80211 is a symlink to 497 * /sys/class/ieee80211/{phydev}, for some {phydev}. 498 * 499 * On Fedora 9, with a 2.6.26.3-29 kernel, my Zydas stick, at 500 * least, has a "wmaster0" device and a "wlan0" device; the 501 * latter is the one with the IP address. Both show up in 502 * "tcpdump -D" output. Capturing on the wmaster0 device 503 * captures with 802.11 headers. 504 * 505 * airmon-ng searches through /sys/class/net for devices named 506 * monN, starting with mon0; as soon as one *doesn't* exist, 507 * it chooses that as the monitor device name. If the "iw" 508 * command exists, it does "iw dev {if} interface add {monif} 509 * type monitor", where {monif} is the monitor device. It 510 * then (sigh) sleeps .1 second, and then configures the 511 * device up. Otherwise, if /sys/class/ieee80211/{phydev}/add_iface 512 * is a file, it writes {mondev}, without a newline, to that file, 513 * and again (sigh) sleeps .1 second, and then iwconfig's that 514 * device into monitor mode and configures it up. Otherwise, 515 * you can't do monitor mode. 516 * 517 * All these devices are "glued" together by having the 518 * /sys/class/net/{device}/phy80211 links pointing to the same 519 * place, so, given a wmaster, wlan, or mon device, you can 520 * find the other devices by looking for devices with 521 * the same phy80211 link. 522 * 523 * To turn monitor mode off, delete the monitor interface, 524 * either with "iw dev {monif} interface del" or by sending 525 * {monif}, with no NL, down /sys/class/ieee80211/{phydev}/remove_iface 526 * 527 * Note: if you try to create a monitor device named "monN", and 528 * there's already a "monN" device, it fails, as least with 529 * the netlink interface (which is what iw uses), with a return 530 * value of -ENFILE. (Return values are negative errnos.) We 531 * could probably use that to find an unused device. 532 * 533 * Yes, you can have multiple monitor devices for a given 534 * physical device. 535 */ 536 537 /* 538 * Is this a mac80211 device? If so, fill in the physical device path and 539 * return 1; if not, return 0. On an error, fill in handle->errbuf and 540 * return PCAP_ERROR. 541 */ 542 static int 543 get_mac80211_phydev(pcap_t *handle, const char *device, char *phydev_path, 544 size_t phydev_max_pathlen) 545 { 546 char *pathstr; 547 ssize_t bytes_read; 548 549 /* 550 * Generate the path string for the symlink to the physical device. 551 */ 552 if (asprintf(&pathstr, "/sys/class/net/%s/phy80211", device) == -1) { 553 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 554 "%s: Can't generate path name string for /sys/class/net device", 555 device); 556 return PCAP_ERROR; 557 } 558 bytes_read = readlink(pathstr, phydev_path, phydev_max_pathlen); 559 if (bytes_read == -1) { 560 if (errno == ENOENT || errno == EINVAL) { 561 /* 562 * Doesn't exist, or not a symlink; assume that 563 * means it's not a mac80211 device. 564 */ 565 free(pathstr); 566 return 0; 567 } 568 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 569 "%s: Can't readlink %s: %s", device, pathstr, 570 strerror(errno)); 571 free(pathstr); 572 return PCAP_ERROR; 573 } 574 free(pathstr); 575 phydev_path[bytes_read] = '\0'; 576 return 1; 577 } 578 579 #ifdef HAVE_LIBNL_SOCKETS 580 #define get_nl_errmsg nl_geterror 581 #else 582 /* libnl 2.x compatibility code */ 583 584 #define nl_sock nl_handle 585 586 static inline struct nl_handle * 587 nl_socket_alloc(void) 588 { 589 return nl_handle_alloc(); 590 } 591 592 static inline void 593 nl_socket_free(struct nl_handle *h) 594 { 595 nl_handle_destroy(h); 596 } 597 598 #define get_nl_errmsg strerror 599 600 static inline int 601 __genl_ctrl_alloc_cache(struct nl_handle *h, struct nl_cache **cache) 602 { 603 struct nl_cache *tmp = genl_ctrl_alloc_cache(h); 604 if (!tmp) 605 return -ENOMEM; 606 *cache = tmp; 607 return 0; 608 } 609 #define genl_ctrl_alloc_cache __genl_ctrl_alloc_cache 610 #endif /* !HAVE_LIBNL_SOCKETS */ 611 612 struct nl80211_state { 613 struct nl_sock *nl_sock; 614 struct nl_cache *nl_cache; 615 struct genl_family *nl80211; 616 }; 617 618 static int 619 nl80211_init(pcap_t *handle, struct nl80211_state *state, const char *device) 620 { 621 int err; 622 623 state->nl_sock = nl_socket_alloc(); 624 if (!state->nl_sock) { 625 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 626 "%s: failed to allocate netlink handle", device); 627 return PCAP_ERROR; 628 } 629 630 if (genl_connect(state->nl_sock)) { 631 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 632 "%s: failed to connect to generic netlink", device); 633 goto out_handle_destroy; 634 } 635 636 err = genl_ctrl_alloc_cache(state->nl_sock, &state->nl_cache); 637 if (err < 0) { 638 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 639 "%s: failed to allocate generic netlink cache: %s", 640 device, get_nl_errmsg(-err)); 641 goto out_handle_destroy; 642 } 643 644 state->nl80211 = genl_ctrl_search_by_name(state->nl_cache, "nl80211"); 645 if (!state->nl80211) { 646 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 647 "%s: nl80211 not found", device); 648 goto out_cache_free; 649 } 650 651 return 0; 652 653 out_cache_free: 654 nl_cache_free(state->nl_cache); 655 out_handle_destroy: 656 nl_socket_free(state->nl_sock); 657 return PCAP_ERROR; 658 } 659 660 static void 661 nl80211_cleanup(struct nl80211_state *state) 662 { 663 genl_family_put(state->nl80211); 664 nl_cache_free(state->nl_cache); 665 nl_socket_free(state->nl_sock); 666 } 667 668 static int 669 add_mon_if(pcap_t *handle, int sock_fd, struct nl80211_state *state, 670 const char *device, const char *mondevice) 671 { 672 int ifindex; 673 struct nl_msg *msg; 674 int err; 675 676 ifindex = iface_get_id(sock_fd, device, handle->errbuf); 677 if (ifindex == -1) 678 return PCAP_ERROR; 679 680 msg = nlmsg_alloc(); 681 if (!msg) { 682 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 683 "%s: failed to allocate netlink msg", device); 684 return PCAP_ERROR; 685 } 686 687 genlmsg_put(msg, 0, 0, genl_family_get_id(state->nl80211), 0, 688 0, NL80211_CMD_NEW_INTERFACE, 0); 689 NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, ifindex); 690 NLA_PUT_STRING(msg, NL80211_ATTR_IFNAME, mondevice); 691 NLA_PUT_U32(msg, NL80211_ATTR_IFTYPE, NL80211_IFTYPE_MONITOR); 692 693 err = nl_send_auto_complete(state->nl_sock, msg); 694 if (err < 0) { 695 #if defined HAVE_LIBNL_NLE 696 if (err == -NLE_FAILURE) { 697 #else 698 if (err == -ENFILE) { 699 #endif 700 /* 701 * Device not available; our caller should just 702 * keep trying. (libnl 2.x maps ENFILE to 703 * NLE_FAILURE; it can also map other errors 704 * to that, but there's not much we can do 705 * about that.) 706 */ 707 nlmsg_free(msg); 708 return 0; 709 } else { 710 /* 711 * Real failure, not just "that device is not 712 * available. 713 */ 714 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 715 "%s: nl_send_auto_complete failed adding %s interface: %s", 716 device, mondevice, get_nl_errmsg(-err)); 717 nlmsg_free(msg); 718 return PCAP_ERROR; 719 } 720 } 721 err = nl_wait_for_ack(state->nl_sock); 722 if (err < 0) { 723 #if defined HAVE_LIBNL_NLE 724 if (err == -NLE_FAILURE) { 725 #else 726 if (err == -ENFILE) { 727 #endif 728 /* 729 * Device not available; our caller should just 730 * keep trying. (libnl 2.x maps ENFILE to 731 * NLE_FAILURE; it can also map other errors 732 * to that, but there's not much we can do 733 * about that.) 734 */ 735 nlmsg_free(msg); 736 return 0; 737 } else { 738 /* 739 * Real failure, not just "that device is not 740 * available. 741 */ 742 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 743 "%s: nl_wait_for_ack failed adding %s interface: %s", 744 device, mondevice, get_nl_errmsg(-err)); 745 nlmsg_free(msg); 746 return PCAP_ERROR; 747 } 748 } 749 750 /* 751 * Success. 752 */ 753 nlmsg_free(msg); 754 return 1; 755 756 nla_put_failure: 757 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 758 "%s: nl_put failed adding %s interface", 759 device, mondevice); 760 nlmsg_free(msg); 761 return PCAP_ERROR; 762 } 763 764 static int 765 del_mon_if(pcap_t *handle, int sock_fd, struct nl80211_state *state, 766 const char *device, const char *mondevice) 767 { 768 int ifindex; 769 struct nl_msg *msg; 770 int err; 771 772 ifindex = iface_get_id(sock_fd, mondevice, handle->errbuf); 773 if (ifindex == -1) 774 return PCAP_ERROR; 775 776 msg = nlmsg_alloc(); 777 if (!msg) { 778 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 779 "%s: failed to allocate netlink msg", device); 780 return PCAP_ERROR; 781 } 782 783 genlmsg_put(msg, 0, 0, genl_family_get_id(state->nl80211), 0, 784 0, NL80211_CMD_DEL_INTERFACE, 0); 785 NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, ifindex); 786 787 err = nl_send_auto_complete(state->nl_sock, msg); 788 if (err < 0) { 789 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 790 "%s: nl_send_auto_complete failed deleting %s interface: %s", 791 device, mondevice, get_nl_errmsg(-err)); 792 nlmsg_free(msg); 793 return PCAP_ERROR; 794 } 795 err = nl_wait_for_ack(state->nl_sock); 796 if (err < 0) { 797 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 798 "%s: nl_wait_for_ack failed adding %s interface: %s", 799 device, mondevice, get_nl_errmsg(-err)); 800 nlmsg_free(msg); 801 return PCAP_ERROR; 802 } 803 804 /* 805 * Success. 806 */ 807 nlmsg_free(msg); 808 return 1; 809 810 nla_put_failure: 811 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 812 "%s: nl_put failed deleting %s interface", 813 device, mondevice); 814 nlmsg_free(msg); 815 return PCAP_ERROR; 816 } 817 818 static int 819 enter_rfmon_mode_mac80211(pcap_t *handle, int sock_fd, const char *device) 820 { 821 struct pcap_linux *handlep = handle->priv; 822 int ret; 823 char phydev_path[PATH_MAX+1]; 824 struct nl80211_state nlstate; 825 struct ifreq ifr; 826 u_int n; 827 828 /* 829 * Is this a mac80211 device? 830 */ 831 ret = get_mac80211_phydev(handle, device, phydev_path, PATH_MAX); 832 if (ret < 0) 833 return ret; /* error */ 834 if (ret == 0) 835 return 0; /* no error, but not mac80211 device */ 836 837 /* 838 * XXX - is this already a monN device? 839 * If so, we're done. 840 * Is that determined by old Wireless Extensions ioctls? 841 */ 842 843 /* 844 * OK, it's apparently a mac80211 device. 845 * Try to find an unused monN device for it. 846 */ 847 ret = nl80211_init(handle, &nlstate, device); 848 if (ret != 0) 849 return ret; 850 for (n = 0; n < UINT_MAX; n++) { 851 /* 852 * Try mon{n}. 853 */ 854 char mondevice[3+10+1]; /* mon{UINT_MAX}\0 */ 855 856 snprintf(mondevice, sizeof mondevice, "mon%u", n); 857 ret = add_mon_if(handle, sock_fd, &nlstate, device, mondevice); 858 if (ret == 1) { 859 handlep->mondevice = strdup(mondevice); 860 goto added; 861 } 862 if (ret < 0) { 863 /* 864 * Hard failure. Just return ret; handle->errbuf 865 * has already been set. 866 */ 867 nl80211_cleanup(&nlstate); 868 return ret; 869 } 870 } 871 872 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 873 "%s: No free monN interfaces", device); 874 nl80211_cleanup(&nlstate); 875 return PCAP_ERROR; 876 877 added: 878 879 #if 0 880 /* 881 * Sleep for .1 seconds. 882 */ 883 delay.tv_sec = 0; 884 delay.tv_nsec = 500000000; 885 nanosleep(&delay, NULL); 886 #endif 887 888 /* 889 * If we haven't already done so, arrange to have 890 * "pcap_close_all()" called when we exit. 891 */ 892 if (!pcap_do_addexit(handle)) { 893 /* 894 * "atexit()" failed; don't put the interface 895 * in rfmon mode, just give up. 896 */ 897 return PCAP_ERROR_RFMON_NOTSUP; 898 } 899 900 /* 901 * Now configure the monitor interface up. 902 */ 903 memset(&ifr, 0, sizeof(ifr)); 904 strlcpy(ifr.ifr_name, handlep->mondevice, sizeof(ifr.ifr_name)); 905 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) { 906 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 907 "%s: Can't get flags for %s: %s", device, 908 handlep->mondevice, strerror(errno)); 909 del_mon_if(handle, sock_fd, &nlstate, device, 910 handlep->mondevice); 911 nl80211_cleanup(&nlstate); 912 return PCAP_ERROR; 913 } 914 ifr.ifr_flags |= IFF_UP|IFF_RUNNING; 915 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) { 916 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 917 "%s: Can't set flags for %s: %s", device, 918 handlep->mondevice, strerror(errno)); 919 del_mon_if(handle, sock_fd, &nlstate, device, 920 handlep->mondevice); 921 nl80211_cleanup(&nlstate); 922 return PCAP_ERROR; 923 } 924 925 /* 926 * Success. Clean up the libnl state. 927 */ 928 nl80211_cleanup(&nlstate); 929 930 /* 931 * Note that we have to delete the monitor device when we close 932 * the handle. 933 */ 934 handlep->must_do_on_close |= MUST_DELETE_MONIF; 935 936 /* 937 * Add this to the list of pcaps to close when we exit. 938 */ 939 pcap_add_to_pcaps_to_close(handle); 940 941 return 1; 942 } 943 #endif /* HAVE_LIBNL */ 944 945 #ifdef IW_MODE_MONITOR 946 /* 947 * Bonding devices mishandle unknown ioctls; they fail with ENODEV 948 * rather than ENOTSUP, EOPNOTSUPP, or ENOTTY, so Wireless Extensions 949 * will fail with ENODEV if we try to do them on a bonding device, 950 * making us return a "no such device" indication rather than just 951 * saying "no Wireless Extensions". 952 * 953 * So we check for bonding devices, if we can, before trying those 954 * ioctls, by trying a bonding device information query ioctl to see 955 * whether it succeeds. 956 */ 957 static int 958 is_bonding_device(int fd, const char *device) 959 { 960 #if defined(BOND_INFO_QUERY_OLD) || defined(SIOCBONDINFOQUERY) 961 struct ifreq ifr; 962 ifbond ifb; 963 964 memset(&ifr, 0, sizeof ifr); 965 strlcpy(ifr.ifr_name, device, sizeof ifr.ifr_name); 966 memset(&ifb, 0, sizeof ifb); 967 ifr.ifr_data = (caddr_t)&ifb; 968 #ifdef SIOCBONDINFOQUERY 969 if (ioctl(fd, SIOCBONDINFOQUERY, &ifr) == 0) 970 #else /* SIOCBONDINFOQUERY */ 971 if (ioctl(fd, BOND_INFO_QUERY_OLD, &ifr) == 0) 972 #endif /* SIOCBONDINFOQUERY */ 973 return 1; /* success, so it's a bonding device */ 974 #endif /* defined(BOND_INFO_QUERY_OLD) || defined(SIOCBONDINFOQUERY) */ 975 976 return 0; /* no, it's not a bonding device */ 977 } 978 #endif /* IW_MODE_MONITOR */ 979 980 static int 981 pcap_can_set_rfmon_linux(pcap_t *handle) 982 { 983 #ifdef HAVE_LIBNL 984 char phydev_path[PATH_MAX+1]; 985 int ret; 986 #endif 987 #ifdef IW_MODE_MONITOR 988 int sock_fd; 989 struct iwreq ireq; 990 #endif 991 992 if (strcmp(handle->opt.source, "any") == 0) { 993 /* 994 * Monitor mode makes no sense on the "any" device. 995 */ 996 return 0; 997 } 998 999 #ifdef HAVE_LIBNL 1000 /* 1001 * Bleah. There doesn't seem to be a way to ask a mac80211 1002 * device, through libnl, whether it supports monitor mode; 1003 * we'll just check whether the device appears to be a 1004 * mac80211 device and, if so, assume the device supports 1005 * monitor mode. 1006 * 1007 * wmaster devices don't appear to support the Wireless 1008 * Extensions, but we can create a mon device for a 1009 * wmaster device, so we don't bother checking whether 1010 * a mac80211 device supports the Wireless Extensions. 1011 */ 1012 ret = get_mac80211_phydev(handle, handle->opt.source, phydev_path, 1013 PATH_MAX); 1014 if (ret < 0) 1015 return ret; /* error */ 1016 if (ret == 1) 1017 return 1; /* mac80211 device */ 1018 #endif 1019 1020 #ifdef IW_MODE_MONITOR 1021 /* 1022 * Bleah. There doesn't appear to be an ioctl to use to ask 1023 * whether a device supports monitor mode; we'll just do 1024 * SIOCGIWMODE and, if it succeeds, assume the device supports 1025 * monitor mode. 1026 * 1027 * Open a socket on which to attempt to get the mode. 1028 * (We assume that if we have Wireless Extensions support 1029 * we also have PF_PACKET support.) 1030 */ 1031 sock_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); 1032 if (sock_fd == -1) { 1033 (void)snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1034 "socket: %s", pcap_strerror(errno)); 1035 return PCAP_ERROR; 1036 } 1037 1038 if (is_bonding_device(sock_fd, handle->opt.source)) { 1039 /* It's a bonding device, so don't even try. */ 1040 close(sock_fd); 1041 return 0; 1042 } 1043 1044 /* 1045 * Attempt to get the current mode. 1046 */ 1047 strlcpy(ireq.ifr_ifrn.ifrn_name, handle->opt.source, 1048 sizeof ireq.ifr_ifrn.ifrn_name); 1049 if (ioctl(sock_fd, SIOCGIWMODE, &ireq) != -1) { 1050 /* 1051 * Well, we got the mode; assume we can set it. 1052 */ 1053 close(sock_fd); 1054 return 1; 1055 } 1056 if (errno == ENODEV) { 1057 /* The device doesn't even exist. */ 1058 (void)snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1059 "SIOCGIWMODE failed: %s", pcap_strerror(errno)); 1060 close(sock_fd); 1061 return PCAP_ERROR_NO_SUCH_DEVICE; 1062 } 1063 close(sock_fd); 1064 #endif 1065 return 0; 1066 } 1067 1068 /* 1069 * Grabs the number of dropped packets by the interface from /proc/net/dev. 1070 * 1071 * XXX - what about /sys/class/net/{interface name}/rx_*? There are 1072 * individual devices giving, in ASCII, various rx_ and tx_ statistics. 1073 * 1074 * Or can we get them in binary form from netlink? 1075 */ 1076 static long int 1077 linux_if_drops(const char * if_name) 1078 { 1079 char buffer[512]; 1080 char * bufptr; 1081 FILE * file; 1082 int field_to_convert = 3, if_name_sz = strlen(if_name); 1083 long int dropped_pkts = 0; 1084 1085 file = fopen("/proc/net/dev", "r"); 1086 if (!file) 1087 return 0; 1088 1089 while (!dropped_pkts && fgets( buffer, sizeof(buffer), file )) 1090 { 1091 /* search for 'bytes' -- if its in there, then 1092 that means we need to grab the fourth field. otherwise 1093 grab the third field. */ 1094 if (field_to_convert != 4 && strstr(buffer, "bytes")) 1095 { 1096 field_to_convert = 4; 1097 continue; 1098 } 1099 1100 /* find iface and make sure it actually matches -- space before the name and : after it */ 1101 if ((bufptr = strstr(buffer, if_name)) && 1102 (bufptr == buffer || *(bufptr-1) == ' ') && 1103 *(bufptr + if_name_sz) == ':') 1104 { 1105 bufptr = bufptr + if_name_sz + 1; 1106 1107 /* grab the nth field from it */ 1108 while( --field_to_convert && *bufptr != '\0') 1109 { 1110 while (*bufptr != '\0' && *(bufptr++) == ' '); 1111 while (*bufptr != '\0' && *(bufptr++) != ' '); 1112 } 1113 1114 /* get rid of any final spaces */ 1115 while (*bufptr != '\0' && *bufptr == ' ') bufptr++; 1116 1117 if (*bufptr != '\0') 1118 dropped_pkts = strtol(bufptr, NULL, 10); 1119 1120 break; 1121 } 1122 } 1123 1124 fclose(file); 1125 return dropped_pkts; 1126 } 1127 1128 1129 /* 1130 * With older kernels promiscuous mode is kind of interesting because we 1131 * have to reset the interface before exiting. The problem can't really 1132 * be solved without some daemon taking care of managing usage counts. 1133 * If we put the interface into promiscuous mode, we set a flag indicating 1134 * that we must take it out of that mode when the interface is closed, 1135 * and, when closing the interface, if that flag is set we take it out 1136 * of promiscuous mode. 1137 * 1138 * Even with newer kernels, we have the same issue with rfmon mode. 1139 */ 1140 1141 static void pcap_cleanup_linux( pcap_t *handle ) 1142 { 1143 struct pcap_linux *handlep = handle->priv; 1144 struct ifreq ifr; 1145 #ifdef HAVE_LIBNL 1146 struct nl80211_state nlstate; 1147 int ret; 1148 #endif /* HAVE_LIBNL */ 1149 #ifdef IW_MODE_MONITOR 1150 int oldflags; 1151 struct iwreq ireq; 1152 #endif /* IW_MODE_MONITOR */ 1153 1154 if (handlep->must_do_on_close != 0) { 1155 /* 1156 * There's something we have to do when closing this 1157 * pcap_t. 1158 */ 1159 if (handlep->must_do_on_close & MUST_CLEAR_PROMISC) { 1160 /* 1161 * We put the interface into promiscuous mode; 1162 * take it out of promiscuous mode. 1163 * 1164 * XXX - if somebody else wants it in promiscuous 1165 * mode, this code cannot know that, so it'll take 1166 * it out of promiscuous mode. That's not fixable 1167 * in 2.0[.x] kernels. 1168 */ 1169 memset(&ifr, 0, sizeof(ifr)); 1170 strlcpy(ifr.ifr_name, handlep->device, 1171 sizeof(ifr.ifr_name)); 1172 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 1173 fprintf(stderr, 1174 "Can't restore interface %s flags (SIOCGIFFLAGS failed: %s).\n" 1175 "Please adjust manually.\n" 1176 "Hint: This can't happen with Linux >= 2.2.0.\n", 1177 handlep->device, strerror(errno)); 1178 } else { 1179 if (ifr.ifr_flags & IFF_PROMISC) { 1180 /* 1181 * Promiscuous mode is currently on; 1182 * turn it off. 1183 */ 1184 ifr.ifr_flags &= ~IFF_PROMISC; 1185 if (ioctl(handle->fd, SIOCSIFFLAGS, 1186 &ifr) == -1) { 1187 fprintf(stderr, 1188 "Can't restore interface %s flags (SIOCSIFFLAGS failed: %s).\n" 1189 "Please adjust manually.\n" 1190 "Hint: This can't happen with Linux >= 2.2.0.\n", 1191 handlep->device, 1192 strerror(errno)); 1193 } 1194 } 1195 } 1196 } 1197 1198 #ifdef HAVE_LIBNL 1199 if (handlep->must_do_on_close & MUST_DELETE_MONIF) { 1200 ret = nl80211_init(handle, &nlstate, handlep->device); 1201 if (ret >= 0) { 1202 ret = del_mon_if(handle, handle->fd, &nlstate, 1203 handlep->device, handlep->mondevice); 1204 nl80211_cleanup(&nlstate); 1205 } 1206 if (ret < 0) { 1207 fprintf(stderr, 1208 "Can't delete monitor interface %s (%s).\n" 1209 "Please delete manually.\n", 1210 handlep->mondevice, handle->errbuf); 1211 } 1212 } 1213 #endif /* HAVE_LIBNL */ 1214 1215 #ifdef IW_MODE_MONITOR 1216 if (handlep->must_do_on_close & MUST_CLEAR_RFMON) { 1217 /* 1218 * We put the interface into rfmon mode; 1219 * take it out of rfmon mode. 1220 * 1221 * XXX - if somebody else wants it in rfmon 1222 * mode, this code cannot know that, so it'll take 1223 * it out of rfmon mode. 1224 */ 1225 1226 /* 1227 * First, take the interface down if it's up; 1228 * otherwise, we might get EBUSY. 1229 * If we get errors, just drive on and print 1230 * a warning if we can't restore the mode. 1231 */ 1232 oldflags = 0; 1233 memset(&ifr, 0, sizeof(ifr)); 1234 strlcpy(ifr.ifr_name, handlep->device, 1235 sizeof(ifr.ifr_name)); 1236 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) != -1) { 1237 if (ifr.ifr_flags & IFF_UP) { 1238 oldflags = ifr.ifr_flags; 1239 ifr.ifr_flags &= ~IFF_UP; 1240 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) 1241 oldflags = 0; /* didn't set, don't restore */ 1242 } 1243 } 1244 1245 /* 1246 * Now restore the mode. 1247 */ 1248 strlcpy(ireq.ifr_ifrn.ifrn_name, handlep->device, 1249 sizeof ireq.ifr_ifrn.ifrn_name); 1250 ireq.u.mode = handlep->oldmode; 1251 if (ioctl(handle->fd, SIOCSIWMODE, &ireq) == -1) { 1252 /* 1253 * Scientist, you've failed. 1254 */ 1255 fprintf(stderr, 1256 "Can't restore interface %s wireless mode (SIOCSIWMODE failed: %s).\n" 1257 "Please adjust manually.\n", 1258 handlep->device, strerror(errno)); 1259 } 1260 1261 /* 1262 * Now bring the interface back up if we brought 1263 * it down. 1264 */ 1265 if (oldflags != 0) { 1266 ifr.ifr_flags = oldflags; 1267 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 1268 fprintf(stderr, 1269 "Can't bring interface %s back up (SIOCSIFFLAGS failed: %s).\n" 1270 "Please adjust manually.\n", 1271 handlep->device, strerror(errno)); 1272 } 1273 } 1274 } 1275 #endif /* IW_MODE_MONITOR */ 1276 1277 /* 1278 * Take this pcap out of the list of pcaps for which we 1279 * have to take the interface out of some mode. 1280 */ 1281 pcap_remove_from_pcaps_to_close(handle); 1282 } 1283 1284 if (handlep->mondevice != NULL) { 1285 free(handlep->mondevice); 1286 handlep->mondevice = NULL; 1287 } 1288 if (handlep->device != NULL) { 1289 free(handlep->device); 1290 handlep->device = NULL; 1291 } 1292 pcap_cleanup_live_common(handle); 1293 } 1294 1295 /* 1296 * Get a handle for a live capture from the given device. You can 1297 * pass NULL as device to get all packages (without link level 1298 * information of course). If you pass 1 as promisc the interface 1299 * will be set to promiscous mode (XXX: I think this usage should 1300 * be deprecated and functions be added to select that later allow 1301 * modification of that values -- Torsten). 1302 */ 1303 static int 1304 pcap_activate_linux(pcap_t *handle) 1305 { 1306 struct pcap_linux *handlep = handle->priv; 1307 const char *device; 1308 struct ifreq ifr; 1309 int status = 0; 1310 int ret; 1311 1312 device = handle->opt.source; 1313 1314 /* 1315 * Make sure the name we were handed will fit into the ioctls we 1316 * might perform on the device; if not, return a "No such device" 1317 * indication, as the Linux kernel shouldn't support creating 1318 * a device whose name won't fit into those ioctls. 1319 * 1320 * "Will fit" means "will fit, complete with a null terminator", 1321 * so if the length, which does *not* include the null terminator, 1322 * is greater than *or equal to* the size of the field into which 1323 * we'll be copying it, that won't fit. 1324 */ 1325 if (strlen(device) >= sizeof(ifr.ifr_name)) { 1326 status = PCAP_ERROR_NO_SUCH_DEVICE; 1327 goto fail; 1328 } 1329 1330 handle->inject_op = pcap_inject_linux; 1331 handle->setfilter_op = pcap_setfilter_linux; 1332 handle->setdirection_op = pcap_setdirection_linux; 1333 handle->set_datalink_op = pcap_set_datalink_linux; 1334 handle->getnonblock_op = pcap_getnonblock_fd; 1335 handle->setnonblock_op = pcap_setnonblock_fd; 1336 handle->cleanup_op = pcap_cleanup_linux; 1337 handle->read_op = pcap_read_linux; 1338 handle->stats_op = pcap_stats_linux; 1339 1340 /* 1341 * The "any" device is a special device which causes us not 1342 * to bind to a particular device and thus to look at all 1343 * devices. 1344 */ 1345 if (strcmp(device, "any") == 0) { 1346 if (handle->opt.promisc) { 1347 handle->opt.promisc = 0; 1348 /* Just a warning. */ 1349 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1350 "Promiscuous mode not supported on the \"any\" device"); 1351 status = PCAP_WARNING_PROMISC_NOTSUP; 1352 } 1353 } 1354 1355 handlep->device = strdup(device); 1356 if (handlep->device == NULL) { 1357 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s", 1358 pcap_strerror(errno) ); 1359 return PCAP_ERROR; 1360 } 1361 1362 /* copy timeout value */ 1363 handlep->timeout = handle->opt.timeout; 1364 1365 /* 1366 * If we're in promiscuous mode, then we probably want 1367 * to see when the interface drops packets too, so get an 1368 * initial count from /proc/net/dev 1369 */ 1370 if (handle->opt.promisc) 1371 handlep->proc_dropped = linux_if_drops(handlep->device); 1372 1373 /* 1374 * Current Linux kernels use the protocol family PF_PACKET to 1375 * allow direct access to all packets on the network while 1376 * older kernels had a special socket type SOCK_PACKET to 1377 * implement this feature. 1378 * While this old implementation is kind of obsolete we need 1379 * to be compatible with older kernels for a while so we are 1380 * trying both methods with the newer method preferred. 1381 */ 1382 ret = activate_new(handle); 1383 if (ret < 0) { 1384 /* 1385 * Fatal error with the new way; just fail. 1386 * ret has the error return; if it's PCAP_ERROR, 1387 * handle->errbuf has been set appropriately. 1388 */ 1389 status = ret; 1390 goto fail; 1391 } 1392 if (ret == 1) { 1393 /* 1394 * Success. 1395 * Try to use memory-mapped access. 1396 */ 1397 switch (activate_mmap(handle, &status)) { 1398 1399 case 1: 1400 /* 1401 * We succeeded. status has been 1402 * set to the status to return, 1403 * which might be 0, or might be 1404 * a PCAP_WARNING_ value. 1405 */ 1406 return status; 1407 1408 case 0: 1409 /* 1410 * Kernel doesn't support it - just continue 1411 * with non-memory-mapped access. 1412 */ 1413 break; 1414 1415 case -1: 1416 /* 1417 * We failed to set up to use it, or the kernel 1418 * supports it, but we failed to enable it. 1419 * ret has been set to the error status to 1420 * return and, if it's PCAP_ERROR, handle->errbuf 1421 * contains the error message. 1422 */ 1423 status = ret; 1424 goto fail; 1425 } 1426 } 1427 else if (ret == 0) { 1428 /* Non-fatal error; try old way */ 1429 if ((ret = activate_old(handle)) != 1) { 1430 /* 1431 * Both methods to open the packet socket failed. 1432 * Tidy up and report our failure (handle->errbuf 1433 * is expected to be set by the functions above). 1434 */ 1435 status = ret; 1436 goto fail; 1437 } 1438 } 1439 1440 /* 1441 * We set up the socket, but not with memory-mapped access. 1442 */ 1443 if (handle->opt.buffer_size != 0) { 1444 /* 1445 * Set the socket buffer size to the specified value. 1446 */ 1447 if (setsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF, 1448 &handle->opt.buffer_size, 1449 sizeof(handle->opt.buffer_size)) == -1) { 1450 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1451 "SO_RCVBUF: %s", pcap_strerror(errno)); 1452 status = PCAP_ERROR; 1453 goto fail; 1454 } 1455 } 1456 1457 /* Allocate the buffer */ 1458 1459 handle->buffer = malloc(handle->bufsize + handle->offset); 1460 if (!handle->buffer) { 1461 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1462 "malloc: %s", pcap_strerror(errno)); 1463 status = PCAP_ERROR; 1464 goto fail; 1465 } 1466 1467 /* 1468 * "handle->fd" is a socket, so "select()" and "poll()" 1469 * should work on it. 1470 */ 1471 handle->selectable_fd = handle->fd; 1472 1473 return status; 1474 1475 fail: 1476 pcap_cleanup_linux(handle); 1477 return status; 1478 } 1479 1480 /* 1481 * Read at most max_packets from the capture stream and call the callback 1482 * for each of them. Returns the number of packets handled or -1 if an 1483 * error occured. 1484 */ 1485 static int 1486 pcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 1487 { 1488 /* 1489 * Currently, on Linux only one packet is delivered per read, 1490 * so we don't loop. 1491 */ 1492 return pcap_read_packet(handle, callback, user); 1493 } 1494 1495 static int 1496 pcap_set_datalink_linux(pcap_t *handle, int dlt) 1497 { 1498 handle->linktype = dlt; 1499 return 0; 1500 } 1501 1502 /* 1503 * linux_check_direction() 1504 * 1505 * Do checks based on packet direction. 1506 */ 1507 static inline int 1508 linux_check_direction(const pcap_t *handle, const struct sockaddr_ll *sll) 1509 { 1510 struct pcap_linux *handlep = handle->priv; 1511 1512 if (sll->sll_pkttype == PACKET_OUTGOING) { 1513 /* 1514 * Outgoing packet. 1515 * If this is from the loopback device, reject it; 1516 * we'll see the packet as an incoming packet as well, 1517 * and we don't want to see it twice. 1518 */ 1519 if (sll->sll_ifindex == handlep->lo_ifindex) 1520 return 0; 1521 1522 /* 1523 * If the user only wants incoming packets, reject it. 1524 */ 1525 if (handle->direction == PCAP_D_IN) 1526 return 0; 1527 } else { 1528 /* 1529 * Incoming packet. 1530 * If the user only wants outgoing packets, reject it. 1531 */ 1532 if (handle->direction == PCAP_D_OUT) 1533 return 0; 1534 } 1535 return 1; 1536 } 1537 1538 /* 1539 * Read a packet from the socket calling the handler provided by 1540 * the user. Returns the number of packets received or -1 if an 1541 * error occured. 1542 */ 1543 static int 1544 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 1545 { 1546 struct pcap_linux *handlep = handle->priv; 1547 u_char *bp; 1548 int offset; 1549 #ifdef HAVE_PF_PACKET_SOCKETS 1550 struct sockaddr_ll from; 1551 struct sll_header *hdrp; 1552 #else 1553 struct sockaddr from; 1554 #endif 1555 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 1556 struct iovec iov; 1557 struct msghdr msg; 1558 struct cmsghdr *cmsg; 1559 union { 1560 struct cmsghdr cmsg; 1561 char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))]; 1562 } cmsg_buf; 1563 #else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 1564 socklen_t fromlen; 1565 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 1566 int packet_len, caplen; 1567 struct pcap_pkthdr pcap_header; 1568 1569 struct bpf_aux_data aux_data; 1570 #ifdef HAVE_PF_PACKET_SOCKETS 1571 /* 1572 * If this is a cooked device, leave extra room for a 1573 * fake packet header. 1574 */ 1575 if (handlep->cooked) 1576 offset = SLL_HDR_LEN; 1577 else 1578 offset = 0; 1579 #else 1580 /* 1581 * This system doesn't have PF_PACKET sockets, so it doesn't 1582 * support cooked devices. 1583 */ 1584 offset = 0; 1585 #endif 1586 1587 /* 1588 * Receive a single packet from the kernel. 1589 * We ignore EINTR, as that might just be due to a signal 1590 * being delivered - if the signal should interrupt the 1591 * loop, the signal handler should call pcap_breakloop() 1592 * to set handle->break_loop (we ignore it on other 1593 * platforms as well). 1594 * We also ignore ENETDOWN, so that we can continue to 1595 * capture traffic if the interface goes down and comes 1596 * back up again; comments in the kernel indicate that 1597 * we'll just block waiting for packets if we try to 1598 * receive from a socket that delivered ENETDOWN, and, 1599 * if we're using a memory-mapped buffer, we won't even 1600 * get notified of "network down" events. 1601 */ 1602 bp = handle->buffer + handle->offset; 1603 1604 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 1605 msg.msg_name = &from; 1606 msg.msg_namelen = sizeof(from); 1607 msg.msg_iov = &iov; 1608 msg.msg_iovlen = 1; 1609 msg.msg_control = &cmsg_buf; 1610 msg.msg_controllen = sizeof(cmsg_buf); 1611 msg.msg_flags = 0; 1612 1613 iov.iov_len = handle->bufsize - offset; 1614 iov.iov_base = bp + offset; 1615 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 1616 1617 do { 1618 /* 1619 * Has "pcap_breakloop()" been called? 1620 */ 1621 if (handle->break_loop) { 1622 /* 1623 * Yes - clear the flag that indicates that it has, 1624 * and return PCAP_ERROR_BREAK as an indication that 1625 * we were told to break out of the loop. 1626 */ 1627 handle->break_loop = 0; 1628 return PCAP_ERROR_BREAK; 1629 } 1630 1631 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 1632 packet_len = recvmsg(handle->fd, &msg, MSG_TRUNC); 1633 #else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 1634 fromlen = sizeof(from); 1635 packet_len = recvfrom( 1636 handle->fd, bp + offset, 1637 handle->bufsize - offset, MSG_TRUNC, 1638 (struct sockaddr *) &from, &fromlen); 1639 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 1640 } while (packet_len == -1 && errno == EINTR); 1641 1642 /* Check if an error occured */ 1643 1644 if (packet_len == -1) { 1645 switch (errno) { 1646 1647 case EAGAIN: 1648 return 0; /* no packet there */ 1649 1650 case ENETDOWN: 1651 /* 1652 * The device on which we're capturing went away. 1653 * 1654 * XXX - we should really return 1655 * PCAP_ERROR_IFACE_NOT_UP, but pcap_dispatch() 1656 * etc. aren't defined to return that. 1657 */ 1658 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1659 "The interface went down"); 1660 return PCAP_ERROR; 1661 1662 default: 1663 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1664 "recvfrom: %s", pcap_strerror(errno)); 1665 return PCAP_ERROR; 1666 } 1667 } 1668 1669 #ifdef HAVE_PF_PACKET_SOCKETS 1670 if (!handlep->sock_packet) { 1671 /* 1672 * Unfortunately, there is a window between socket() and 1673 * bind() where the kernel may queue packets from any 1674 * interface. If we're bound to a particular interface, 1675 * discard packets not from that interface. 1676 * 1677 * (If socket filters are supported, we could do the 1678 * same thing we do when changing the filter; however, 1679 * that won't handle packet sockets without socket 1680 * filter support, and it's a bit more complicated. 1681 * It would save some instructions per packet, however.) 1682 */ 1683 if (handlep->ifindex != -1 && 1684 from.sll_ifindex != handlep->ifindex) 1685 return 0; 1686 1687 /* 1688 * Do checks based on packet direction. 1689 * We can only do this if we're using PF_PACKET; the 1690 * address returned for SOCK_PACKET is a "sockaddr_pkt" 1691 * which lacks the relevant packet type information. 1692 */ 1693 if (!linux_check_direction(handle, &from)) 1694 return 0; 1695 } 1696 #endif 1697 1698 #ifdef HAVE_PF_PACKET_SOCKETS 1699 /* 1700 * If this is a cooked device, fill in the fake packet header. 1701 */ 1702 if (handlep->cooked) { 1703 /* 1704 * Add the length of the fake header to the length 1705 * of packet data we read. 1706 */ 1707 packet_len += SLL_HDR_LEN; 1708 1709 hdrp = (struct sll_header *)bp; 1710 hdrp->sll_pkttype = map_packet_type_to_sll_type(from.sll_pkttype); 1711 hdrp->sll_hatype = htons(from.sll_hatype); 1712 hdrp->sll_halen = htons(from.sll_halen); 1713 memcpy(hdrp->sll_addr, from.sll_addr, 1714 (from.sll_halen > SLL_ADDRLEN) ? 1715 SLL_ADDRLEN : 1716 from.sll_halen); 1717 hdrp->sll_protocol = from.sll_protocol; 1718 } 1719 1720 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 1721 if (handlep->vlan_offset != -1) { 1722 for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { 1723 struct tpacket_auxdata *aux; 1724 unsigned int len; 1725 struct vlan_tag *tag; 1726 1727 if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct tpacket_auxdata)) || 1728 cmsg->cmsg_level != SOL_PACKET || 1729 cmsg->cmsg_type != PACKET_AUXDATA) 1730 continue; 1731 1732 aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg); 1733 #if defined(TP_STATUS_VLAN_VALID) 1734 if ((aux->tp_vlan_tci == 0) && !(aux->tp_status & TP_STATUS_VLAN_VALID)) 1735 #else 1736 if (aux->tp_vlan_tci == 0) /* this is ambigious but without the 1737 TP_STATUS_VLAN_VALID flag, there is 1738 nothing that we can do */ 1739 #endif 1740 continue; 1741 1742 len = packet_len > iov.iov_len ? iov.iov_len : packet_len; 1743 if (len < (unsigned int) handlep->vlan_offset) 1744 break; 1745 1746 bp -= VLAN_TAG_LEN; 1747 memmove(bp, bp + VLAN_TAG_LEN, handlep->vlan_offset); 1748 1749 tag = (struct vlan_tag *)(bp + handlep->vlan_offset); 1750 tag->vlan_tpid = htons(VLAN_TPID(aux, aux)); 1751 tag->vlan_tci = htons(aux->tp_vlan_tci); 1752 1753 /* store vlan tci to bpf_aux_data struct for userland bpf filter */ 1754 #if defined(TP_STATUS_VLAN_VALID) 1755 aux_data.vlan_tag = htons(aux->tp_vlan_tci) & 0x0fff; 1756 aux_data.vlan_tag_present = (aux->tp_status & TP_STATUS_VLAN_VALID); 1757 #endif 1758 packet_len += VLAN_TAG_LEN; 1759 } 1760 } 1761 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 1762 #endif /* HAVE_PF_PACKET_SOCKETS */ 1763 1764 /* 1765 * XXX: According to the kernel source we should get the real 1766 * packet len if calling recvfrom with MSG_TRUNC set. It does 1767 * not seem to work here :(, but it is supported by this code 1768 * anyway. 1769 * To be honest the code RELIES on that feature so this is really 1770 * broken with 2.2.x kernels. 1771 * I spend a day to figure out what's going on and I found out 1772 * that the following is happening: 1773 * 1774 * The packet comes from a random interface and the packet_rcv 1775 * hook is called with a clone of the packet. That code inserts 1776 * the packet into the receive queue of the packet socket. 1777 * If a filter is attached to that socket that filter is run 1778 * first - and there lies the problem. The default filter always 1779 * cuts the packet at the snaplen: 1780 * 1781 * # tcpdump -d 1782 * (000) ret #68 1783 * 1784 * So the packet filter cuts down the packet. The recvfrom call 1785 * says "hey, it's only 68 bytes, it fits into the buffer" with 1786 * the result that we don't get the real packet length. This 1787 * is valid at least until kernel 2.2.17pre6. 1788 * 1789 * We currently handle this by making a copy of the filter 1790 * program, fixing all "ret" instructions with non-zero 1791 * operands to have an operand of MAXIMUM_SNAPLEN so that the 1792 * filter doesn't truncate the packet, and supplying that modified 1793 * filter to the kernel. 1794 */ 1795 1796 caplen = packet_len; 1797 if (caplen > handle->snapshot) 1798 caplen = handle->snapshot; 1799 1800 /* Run the packet filter if not using kernel filter */ 1801 if (handlep->filter_in_userland && handle->fcode.bf_insns) { 1802 if (bpf_filter_with_aux_data(handle->fcode.bf_insns, bp, 1803 packet_len, caplen, &aux_data) == 0) { 1804 /* rejected by filter */ 1805 return 0; 1806 } 1807 } 1808 1809 /* Fill in our own header data */ 1810 1811 /* get timestamp for this packet */ 1812 #if defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) 1813 if (handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) { 1814 if (ioctl(handle->fd, SIOCGSTAMPNS, &pcap_header.ts) == -1) { 1815 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1816 "SIOCGSTAMPNS: %s", pcap_strerror(errno)); 1817 return PCAP_ERROR; 1818 } 1819 } else 1820 #endif 1821 { 1822 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 1823 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1824 "SIOCGSTAMP: %s", pcap_strerror(errno)); 1825 return PCAP_ERROR; 1826 } 1827 } 1828 1829 pcap_header.caplen = caplen; 1830 pcap_header.len = packet_len; 1831 1832 /* 1833 * Count the packet. 1834 * 1835 * Arguably, we should count them before we check the filter, 1836 * as on many other platforms "ps_recv" counts packets 1837 * handed to the filter rather than packets that passed 1838 * the filter, but if filtering is done in the kernel, we 1839 * can't get a count of packets that passed the filter, 1840 * and that would mean the meaning of "ps_recv" wouldn't 1841 * be the same on all Linux systems. 1842 * 1843 * XXX - it's not the same on all systems in any case; 1844 * ideally, we should have a "get the statistics" call 1845 * that supplies more counts and indicates which of them 1846 * it supplies, so that we supply a count of packets 1847 * handed to the filter only on platforms where that 1848 * information is available. 1849 * 1850 * We count them here even if we can get the packet count 1851 * from the kernel, as we can only determine at run time 1852 * whether we'll be able to get it from the kernel (if 1853 * HAVE_TPACKET_STATS isn't defined, we can't get it from 1854 * the kernel, but if it is defined, the library might 1855 * have been built with a 2.4 or later kernel, but we 1856 * might be running on a 2.2[.x] kernel without Alexey 1857 * Kuznetzov's turbopacket patches, and thus the kernel 1858 * might not be able to supply those statistics). We 1859 * could, I guess, try, when opening the socket, to get 1860 * the statistics, and if we can not increment the count 1861 * here, but it's not clear that always incrementing 1862 * the count is more expensive than always testing a flag 1863 * in memory. 1864 * 1865 * We keep the count in "handlep->packets_read", and use that 1866 * for "ps_recv" if we can't get the statistics from the kernel. 1867 * We do that because, if we *can* get the statistics from 1868 * the kernel, we use "handlep->stat.ps_recv" and 1869 * "handlep->stat.ps_drop" as running counts, as reading the 1870 * statistics from the kernel resets the kernel statistics, 1871 * and if we directly increment "handlep->stat.ps_recv" here, 1872 * that means it will count packets *twice* on systems where 1873 * we can get kernel statistics - once here, and once in 1874 * pcap_stats_linux(). 1875 */ 1876 handlep->packets_read++; 1877 1878 /* Call the user supplied callback function */ 1879 callback(userdata, &pcap_header, bp); 1880 1881 return 1; 1882 } 1883 1884 static int 1885 pcap_inject_linux(pcap_t *handle, const void *buf, size_t size) 1886 { 1887 struct pcap_linux *handlep = handle->priv; 1888 int ret; 1889 1890 #ifdef HAVE_PF_PACKET_SOCKETS 1891 if (!handlep->sock_packet) { 1892 /* PF_PACKET socket */ 1893 if (handlep->ifindex == -1) { 1894 /* 1895 * We don't support sending on the "any" device. 1896 */ 1897 strlcpy(handle->errbuf, 1898 "Sending packets isn't supported on the \"any\" device", 1899 PCAP_ERRBUF_SIZE); 1900 return (-1); 1901 } 1902 1903 if (handlep->cooked) { 1904 /* 1905 * We don't support sending on the "any" device. 1906 * 1907 * XXX - how do you send on a bound cooked-mode 1908 * socket? 1909 * Is a "sendto()" required there? 1910 */ 1911 strlcpy(handle->errbuf, 1912 "Sending packets isn't supported in cooked mode", 1913 PCAP_ERRBUF_SIZE); 1914 return (-1); 1915 } 1916 } 1917 #endif 1918 1919 ret = send(handle->fd, buf, size, 0); 1920 if (ret == -1) { 1921 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 1922 pcap_strerror(errno)); 1923 return (-1); 1924 } 1925 return (ret); 1926 } 1927 1928 /* 1929 * Get the statistics for the given packet capture handle. 1930 * Reports the number of dropped packets iff the kernel supports 1931 * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later 1932 * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket 1933 * patches); otherwise, that information isn't available, and we lie 1934 * and report 0 as the count of dropped packets. 1935 */ 1936 static int 1937 pcap_stats_linux(pcap_t *handle, struct pcap_stat *stats) 1938 { 1939 struct pcap_linux *handlep = handle->priv; 1940 #ifdef HAVE_TPACKET_STATS 1941 #ifdef HAVE_TPACKET3 1942 /* 1943 * For sockets using TPACKET_V1 or TPACKET_V2, the extra 1944 * stuff at the end of a struct tpacket_stats_v3 will not 1945 * be filled in, and we don't look at it so this is OK even 1946 * for those sockets. In addition, the PF_PACKET socket 1947 * code in the kernel only uses the length parameter to 1948 * compute how much data to copy out and to indicate how 1949 * much data was copied out, so it's OK to base it on the 1950 * size of a struct tpacket_stats. 1951 * 1952 * XXX - it's probably OK, in fact, to just use a 1953 * struct tpacket_stats for V3 sockets, as we don't 1954 * care about the tp_freeze_q_cnt stat. 1955 */ 1956 struct tpacket_stats_v3 kstats; 1957 #else /* HAVE_TPACKET3 */ 1958 struct tpacket_stats kstats; 1959 #endif /* HAVE_TPACKET3 */ 1960 socklen_t len = sizeof (struct tpacket_stats); 1961 #endif /* HAVE_TPACKET_STATS */ 1962 1963 long if_dropped = 0; 1964 1965 /* 1966 * To fill in ps_ifdrop, we parse /proc/net/dev for the number 1967 */ 1968 if (handle->opt.promisc) 1969 { 1970 if_dropped = handlep->proc_dropped; 1971 handlep->proc_dropped = linux_if_drops(handlep->device); 1972 handlep->stat.ps_ifdrop += (handlep->proc_dropped - if_dropped); 1973 } 1974 1975 #ifdef HAVE_TPACKET_STATS 1976 /* 1977 * Try to get the packet counts from the kernel. 1978 */ 1979 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, 1980 &kstats, &len) > -1) { 1981 /* 1982 * On systems where the PACKET_STATISTICS "getsockopt()" 1983 * argument is supported on PF_PACKET sockets: 1984 * 1985 * "ps_recv" counts only packets that *passed* the 1986 * filter, not packets that didn't pass the filter. 1987 * This includes packets later dropped because we 1988 * ran out of buffer space. 1989 * 1990 * "ps_drop" counts packets dropped because we ran 1991 * out of buffer space. It doesn't count packets 1992 * dropped by the interface driver. It counts only 1993 * packets that passed the filter. 1994 * 1995 * See above for ps_ifdrop. 1996 * 1997 * Both statistics include packets not yet read from 1998 * the kernel by libpcap, and thus not yet seen by 1999 * the application. 2000 * 2001 * In "linux/net/packet/af_packet.c", at least in the 2002 * 2.4.9 kernel, "tp_packets" is incremented for every 2003 * packet that passes the packet filter *and* is 2004 * successfully queued on the socket; "tp_drops" is 2005 * incremented for every packet dropped because there's 2006 * not enough free space in the socket buffer. 2007 * 2008 * When the statistics are returned for a PACKET_STATISTICS 2009 * "getsockopt()" call, "tp_drops" is added to "tp_packets", 2010 * so that "tp_packets" counts all packets handed to 2011 * the PF_PACKET socket, including packets dropped because 2012 * there wasn't room on the socket buffer - but not 2013 * including packets that didn't pass the filter. 2014 * 2015 * In the BSD BPF, the count of received packets is 2016 * incremented for every packet handed to BPF, regardless 2017 * of whether it passed the filter. 2018 * 2019 * We can't make "pcap_stats()" work the same on both 2020 * platforms, but the best approximation is to return 2021 * "tp_packets" as the count of packets and "tp_drops" 2022 * as the count of drops. 2023 * 2024 * Keep a running total because each call to 2025 * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, .... 2026 * resets the counters to zero. 2027 */ 2028 handlep->stat.ps_recv += kstats.tp_packets; 2029 handlep->stat.ps_drop += kstats.tp_drops; 2030 *stats = handlep->stat; 2031 return 0; 2032 } 2033 else 2034 { 2035 /* 2036 * If the error was EOPNOTSUPP, fall through, so that 2037 * if you build the library on a system with 2038 * "struct tpacket_stats" and run it on a system 2039 * that doesn't, it works as it does if the library 2040 * is built on a system without "struct tpacket_stats". 2041 */ 2042 if (errno != EOPNOTSUPP) { 2043 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2044 "pcap_stats: %s", pcap_strerror(errno)); 2045 return -1; 2046 } 2047 } 2048 #endif 2049 /* 2050 * On systems where the PACKET_STATISTICS "getsockopt()" argument 2051 * is not supported on PF_PACKET sockets: 2052 * 2053 * "ps_recv" counts only packets that *passed* the filter, 2054 * not packets that didn't pass the filter. It does not 2055 * count packets dropped because we ran out of buffer 2056 * space. 2057 * 2058 * "ps_drop" is not supported. 2059 * 2060 * "ps_ifdrop" is supported. It will return the number 2061 * of drops the interface reports in /proc/net/dev, 2062 * if that is available. 2063 * 2064 * "ps_recv" doesn't include packets not yet read from 2065 * the kernel by libpcap. 2066 * 2067 * We maintain the count of packets processed by libpcap in 2068 * "handlep->packets_read", for reasons described in the comment 2069 * at the end of pcap_read_packet(). We have no idea how many 2070 * packets were dropped by the kernel buffers -- but we know 2071 * how many the interface dropped, so we can return that. 2072 */ 2073 2074 stats->ps_recv = handlep->packets_read; 2075 stats->ps_drop = 0; 2076 stats->ps_ifdrop = handlep->stat.ps_ifdrop; 2077 return 0; 2078 } 2079 2080 static int 2081 add_linux_if(pcap_if_t **devlistp, const char *ifname, int fd, char *errbuf) 2082 { 2083 const char *p; 2084 char name[512]; /* XXX - pick a size */ 2085 char *q, *saveq; 2086 struct ifreq ifrflags; 2087 2088 /* 2089 * Get the interface name. 2090 */ 2091 p = ifname; 2092 q = &name[0]; 2093 while (*p != '\0' && isascii(*p) && !isspace(*p)) { 2094 if (*p == ':') { 2095 /* 2096 * This could be the separator between a 2097 * name and an alias number, or it could be 2098 * the separator between a name with no 2099 * alias number and the next field. 2100 * 2101 * If there's a colon after digits, it 2102 * separates the name and the alias number, 2103 * otherwise it separates the name and the 2104 * next field. 2105 */ 2106 saveq = q; 2107 while (isascii(*p) && isdigit(*p)) 2108 *q++ = *p++; 2109 if (*p != ':') { 2110 /* 2111 * That was the next field, 2112 * not the alias number. 2113 */ 2114 q = saveq; 2115 } 2116 break; 2117 } else 2118 *q++ = *p++; 2119 } 2120 *q = '\0'; 2121 2122 /* 2123 * Get the flags for this interface. 2124 */ 2125 strlcpy(ifrflags.ifr_name, name, sizeof(ifrflags.ifr_name)); 2126 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifrflags) < 0) { 2127 if (errno == ENXIO || errno == ENODEV) 2128 return (0); /* device doesn't actually exist - ignore it */ 2129 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2130 "SIOCGIFFLAGS: %.*s: %s", 2131 (int)sizeof(ifrflags.ifr_name), 2132 ifrflags.ifr_name, 2133 pcap_strerror(errno)); 2134 return (-1); 2135 } 2136 2137 /* 2138 * Add an entry for this interface, with no addresses. 2139 */ 2140 if (pcap_add_if(devlistp, name, ifrflags.ifr_flags, NULL, 2141 errbuf) == -1) { 2142 /* 2143 * Failure. 2144 */ 2145 return (-1); 2146 } 2147 2148 return (0); 2149 } 2150 2151 /* 2152 * Get from "/sys/class/net" all interfaces listed there; if they're 2153 * already in the list of interfaces we have, that won't add another 2154 * instance, but if they're not, that'll add them. 2155 * 2156 * We don't bother getting any addresses for them; it appears you can't 2157 * use SIOCGIFADDR on Linux to get IPv6 addresses for interfaces, and, 2158 * although some other types of addresses can be fetched with SIOCGIFADDR, 2159 * we don't bother with them for now. 2160 * 2161 * We also don't fail if we couldn't open "/sys/class/net"; we just leave 2162 * the list of interfaces as is, and return 0, so that we can try 2163 * scanning /proc/net/dev. 2164 * 2165 * Otherwise, we return 1 if we don't get an error and -1 if we do. 2166 */ 2167 static int 2168 scan_sys_class_net(pcap_if_t **devlistp, char *errbuf) 2169 { 2170 DIR *sys_class_net_d; 2171 int fd; 2172 struct dirent *ent; 2173 char subsystem_path[PATH_MAX+1]; 2174 struct stat statb; 2175 int ret = 1; 2176 2177 sys_class_net_d = opendir("/sys/class/net"); 2178 if (sys_class_net_d == NULL) { 2179 /* 2180 * Don't fail if it doesn't exist at all. 2181 */ 2182 if (errno == ENOENT) 2183 return (0); 2184 2185 /* 2186 * Fail if we got some other error. 2187 */ 2188 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2189 "Can't open /sys/class/net: %s", pcap_strerror(errno)); 2190 return (-1); 2191 } 2192 2193 /* 2194 * Create a socket from which to fetch interface information. 2195 */ 2196 fd = socket(AF_INET, SOCK_DGRAM, 0); 2197 if (fd < 0) { 2198 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2199 "socket: %s", pcap_strerror(errno)); 2200 (void)closedir(sys_class_net_d); 2201 return (-1); 2202 } 2203 2204 for (;;) { 2205 errno = 0; 2206 ent = readdir(sys_class_net_d); 2207 if (ent == NULL) { 2208 /* 2209 * Error or EOF; if errno != 0, it's an error. 2210 */ 2211 break; 2212 } 2213 2214 /* 2215 * Ignore "." and "..". 2216 */ 2217 if (strcmp(ent->d_name, ".") == 0 || 2218 strcmp(ent->d_name, "..") == 0) 2219 continue; 2220 2221 /* 2222 * Ignore plain files; they do not have subdirectories 2223 * and thus have no attributes. 2224 */ 2225 if (ent->d_type == DT_REG) 2226 continue; 2227 2228 /* 2229 * Is there an "ifindex" file under that name? 2230 * (We don't care whether it's a directory or 2231 * a symlink; older kernels have directories 2232 * for devices, newer kernels have symlinks to 2233 * directories.) 2234 */ 2235 snprintf(subsystem_path, sizeof subsystem_path, 2236 "/sys/class/net/%s/ifindex", ent->d_name); 2237 if (lstat(subsystem_path, &statb) != 0) { 2238 /* 2239 * Stat failed. Either there was an error 2240 * other than ENOENT, and we don't know if 2241 * this is an interface, or it's ENOENT, 2242 * and either some part of "/sys/class/net/{if}" 2243 * disappeared, in which case it probably means 2244 * the interface disappeared, or there's no 2245 * "ifindex" file, which means it's not a 2246 * network interface. 2247 */ 2248 continue; 2249 } 2250 2251 /* 2252 * Attempt to add the interface. 2253 */ 2254 if (add_linux_if(devlistp, &ent->d_name[0], fd, errbuf) == -1) { 2255 /* Fail. */ 2256 ret = -1; 2257 break; 2258 } 2259 } 2260 if (ret != -1) { 2261 /* 2262 * Well, we didn't fail for any other reason; did we 2263 * fail due to an error reading the directory? 2264 */ 2265 if (errno != 0) { 2266 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2267 "Error reading /sys/class/net: %s", 2268 pcap_strerror(errno)); 2269 ret = -1; 2270 } 2271 } 2272 2273 (void)close(fd); 2274 (void)closedir(sys_class_net_d); 2275 return (ret); 2276 } 2277 2278 /* 2279 * Get from "/proc/net/dev" all interfaces listed there; if they're 2280 * already in the list of interfaces we have, that won't add another 2281 * instance, but if they're not, that'll add them. 2282 * 2283 * See comments from scan_sys_class_net(). 2284 */ 2285 static int 2286 scan_proc_net_dev(pcap_if_t **devlistp, char *errbuf) 2287 { 2288 FILE *proc_net_f; 2289 int fd; 2290 char linebuf[512]; 2291 int linenum; 2292 char *p; 2293 int ret = 0; 2294 2295 proc_net_f = fopen("/proc/net/dev", "r"); 2296 if (proc_net_f == NULL) { 2297 /* 2298 * Don't fail if it doesn't exist at all. 2299 */ 2300 if (errno == ENOENT) 2301 return (0); 2302 2303 /* 2304 * Fail if we got some other error. 2305 */ 2306 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2307 "Can't open /proc/net/dev: %s", pcap_strerror(errno)); 2308 return (-1); 2309 } 2310 2311 /* 2312 * Create a socket from which to fetch interface information. 2313 */ 2314 fd = socket(AF_INET, SOCK_DGRAM, 0); 2315 if (fd < 0) { 2316 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2317 "socket: %s", pcap_strerror(errno)); 2318 (void)fclose(proc_net_f); 2319 return (-1); 2320 } 2321 2322 for (linenum = 1; 2323 fgets(linebuf, sizeof linebuf, proc_net_f) != NULL; linenum++) { 2324 /* 2325 * Skip the first two lines - they're headers. 2326 */ 2327 if (linenum <= 2) 2328 continue; 2329 2330 p = &linebuf[0]; 2331 2332 /* 2333 * Skip leading white space. 2334 */ 2335 while (*p != '\0' && isascii(*p) && isspace(*p)) 2336 p++; 2337 if (*p == '\0' || *p == '\n') 2338 continue; /* blank line */ 2339 2340 /* 2341 * Attempt to add the interface. 2342 */ 2343 if (add_linux_if(devlistp, p, fd, errbuf) == -1) { 2344 /* Fail. */ 2345 ret = -1; 2346 break; 2347 } 2348 } 2349 if (ret != -1) { 2350 /* 2351 * Well, we didn't fail for any other reason; did we 2352 * fail due to an error reading the file? 2353 */ 2354 if (ferror(proc_net_f)) { 2355 (void)snprintf(errbuf, PCAP_ERRBUF_SIZE, 2356 "Error reading /proc/net/dev: %s", 2357 pcap_strerror(errno)); 2358 ret = -1; 2359 } 2360 } 2361 2362 (void)close(fd); 2363 (void)fclose(proc_net_f); 2364 return (ret); 2365 } 2366 2367 /* 2368 * Description string for the "any" device. 2369 */ 2370 static const char any_descr[] = "Pseudo-device that captures on all interfaces"; 2371 2372 int 2373 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 2374 { 2375 int ret; 2376 2377 /* 2378 * Read "/sys/class/net", and add to the list of interfaces all 2379 * interfaces listed there that we don't already have, because, 2380 * on Linux, SIOCGIFCONF reports only interfaces with IPv4 addresses, 2381 * and even getifaddrs() won't return information about 2382 * interfaces with no addresses, so you need to read "/sys/class/net" 2383 * to get the names of the rest of the interfaces. 2384 */ 2385 ret = scan_sys_class_net(alldevsp, errbuf); 2386 if (ret == -1) 2387 return (-1); /* failed */ 2388 if (ret == 0) { 2389 /* 2390 * No /sys/class/net; try reading /proc/net/dev instead. 2391 */ 2392 if (scan_proc_net_dev(alldevsp, errbuf) == -1) 2393 return (-1); 2394 } 2395 2396 /* 2397 * Add the "any" device. 2398 */ 2399 if (pcap_add_if(alldevsp, "any", IFF_UP|IFF_RUNNING, 2400 any_descr, errbuf) < 0) 2401 return (-1); 2402 2403 return (0); 2404 } 2405 2406 /* 2407 * Attach the given BPF code to the packet capture device. 2408 */ 2409 static int 2410 pcap_setfilter_linux_common(pcap_t *handle, struct bpf_program *filter, 2411 int is_mmapped) 2412 { 2413 struct pcap_linux *handlep; 2414 #ifdef SO_ATTACH_FILTER 2415 struct sock_fprog fcode; 2416 int can_filter_in_kernel; 2417 int err = 0; 2418 #endif 2419 2420 if (!handle) 2421 return -1; 2422 if (!filter) { 2423 strlcpy(handle->errbuf, "setfilter: No filter specified", 2424 PCAP_ERRBUF_SIZE); 2425 return -1; 2426 } 2427 2428 handlep = handle->priv; 2429 2430 /* Make our private copy of the filter */ 2431 2432 if (install_bpf_program(handle, filter) < 0) 2433 /* install_bpf_program() filled in errbuf */ 2434 return -1; 2435 2436 /* 2437 * Run user level packet filter by default. Will be overriden if 2438 * installing a kernel filter succeeds. 2439 */ 2440 handlep->filter_in_userland = 1; 2441 2442 /* Install kernel level filter if possible */ 2443 2444 #ifdef SO_ATTACH_FILTER 2445 #ifdef USHRT_MAX 2446 if (handle->fcode.bf_len > USHRT_MAX) { 2447 /* 2448 * fcode.len is an unsigned short for current kernel. 2449 * I have yet to see BPF-Code with that much 2450 * instructions but still it is possible. So for the 2451 * sake of correctness I added this check. 2452 */ 2453 fprintf(stderr, "Warning: Filter too complex for kernel\n"); 2454 fcode.len = 0; 2455 fcode.filter = NULL; 2456 can_filter_in_kernel = 0; 2457 } else 2458 #endif /* USHRT_MAX */ 2459 { 2460 /* 2461 * Oh joy, the Linux kernel uses struct sock_fprog instead 2462 * of struct bpf_program and of course the length field is 2463 * of different size. Pointed out by Sebastian 2464 * 2465 * Oh, and we also need to fix it up so that all "ret" 2466 * instructions with non-zero operands have MAXIMUM_SNAPLEN 2467 * as the operand if we're not capturing in memory-mapped 2468 * mode, and so that, if we're in cooked mode, all memory- 2469 * reference instructions use special magic offsets in 2470 * references to the link-layer header and assume that the 2471 * link-layer payload begins at 0; "fix_program()" will do 2472 * that. 2473 */ 2474 switch (fix_program(handle, &fcode, is_mmapped)) { 2475 2476 case -1: 2477 default: 2478 /* 2479 * Fatal error; just quit. 2480 * (The "default" case shouldn't happen; we 2481 * return -1 for that reason.) 2482 */ 2483 return -1; 2484 2485 case 0: 2486 /* 2487 * The program performed checks that we can't make 2488 * work in the kernel. 2489 */ 2490 can_filter_in_kernel = 0; 2491 break; 2492 2493 case 1: 2494 /* 2495 * We have a filter that'll work in the kernel. 2496 */ 2497 can_filter_in_kernel = 1; 2498 break; 2499 } 2500 } 2501 2502 /* 2503 * NOTE: at this point, we've set both the "len" and "filter" 2504 * fields of "fcode". As of the 2.6.32.4 kernel, at least, 2505 * those are the only members of the "sock_fprog" structure, 2506 * so we initialize every member of that structure. 2507 * 2508 * If there is anything in "fcode" that is not initialized, 2509 * it is either a field added in a later kernel, or it's 2510 * padding. 2511 * 2512 * If a new field is added, this code needs to be updated 2513 * to set it correctly. 2514 * 2515 * If there are no other fields, then: 2516 * 2517 * if the Linux kernel looks at the padding, it's 2518 * buggy; 2519 * 2520 * if the Linux kernel doesn't look at the padding, 2521 * then if some tool complains that we're passing 2522 * uninitialized data to the kernel, then the tool 2523 * is buggy and needs to understand that it's just 2524 * padding. 2525 */ 2526 if (can_filter_in_kernel) { 2527 if ((err = set_kernel_filter(handle, &fcode)) == 0) 2528 { 2529 /* 2530 * Installation succeded - using kernel filter, 2531 * so userland filtering not needed. 2532 */ 2533 handlep->filter_in_userland = 0; 2534 } 2535 else if (err == -1) /* Non-fatal error */ 2536 { 2537 /* 2538 * Print a warning if we weren't able to install 2539 * the filter for a reason other than "this kernel 2540 * isn't configured to support socket filters. 2541 */ 2542 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 2543 fprintf(stderr, 2544 "Warning: Kernel filter failed: %s\n", 2545 pcap_strerror(errno)); 2546 } 2547 } 2548 } 2549 2550 /* 2551 * If we're not using the kernel filter, get rid of any kernel 2552 * filter that might've been there before, e.g. because the 2553 * previous filter could work in the kernel, or because some other 2554 * code attached a filter to the socket by some means other than 2555 * calling "pcap_setfilter()". Otherwise, the kernel filter may 2556 * filter out packets that would pass the new userland filter. 2557 */ 2558 if (handlep->filter_in_userland) { 2559 if (reset_kernel_filter(handle) == -1) { 2560 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2561 "can't remove kernel filter: %s", 2562 pcap_strerror(errno)); 2563 err = -2; /* fatal error */ 2564 } 2565 } 2566 2567 /* 2568 * Free up the copy of the filter that was made by "fix_program()". 2569 */ 2570 if (fcode.filter != NULL) 2571 free(fcode.filter); 2572 2573 if (err == -2) 2574 /* Fatal error */ 2575 return -1; 2576 #endif /* SO_ATTACH_FILTER */ 2577 2578 return 0; 2579 } 2580 2581 static int 2582 pcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter) 2583 { 2584 return pcap_setfilter_linux_common(handle, filter, 0); 2585 } 2586 2587 2588 /* 2589 * Set direction flag: Which packets do we accept on a forwarding 2590 * single device? IN, OUT or both? 2591 */ 2592 static int 2593 pcap_setdirection_linux(pcap_t *handle, pcap_direction_t d) 2594 { 2595 #ifdef HAVE_PF_PACKET_SOCKETS 2596 struct pcap_linux *handlep = handle->priv; 2597 2598 if (!handlep->sock_packet) { 2599 handle->direction = d; 2600 return 0; 2601 } 2602 #endif 2603 /* 2604 * We're not using PF_PACKET sockets, so we can't determine 2605 * the direction of the packet. 2606 */ 2607 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2608 "Setting direction is not supported on SOCK_PACKET sockets"); 2609 return -1; 2610 } 2611 2612 #ifdef HAVE_PF_PACKET_SOCKETS 2613 /* 2614 * Map the PACKET_ value to a LINUX_SLL_ value; we 2615 * want the same numerical value to be used in 2616 * the link-layer header even if the numerical values 2617 * for the PACKET_ #defines change, so that programs 2618 * that look at the packet type field will always be 2619 * able to handle DLT_LINUX_SLL captures. 2620 */ 2621 static short int 2622 map_packet_type_to_sll_type(short int sll_pkttype) 2623 { 2624 switch (sll_pkttype) { 2625 2626 case PACKET_HOST: 2627 return htons(LINUX_SLL_HOST); 2628 2629 case PACKET_BROADCAST: 2630 return htons(LINUX_SLL_BROADCAST); 2631 2632 case PACKET_MULTICAST: 2633 return htons(LINUX_SLL_MULTICAST); 2634 2635 case PACKET_OTHERHOST: 2636 return htons(LINUX_SLL_OTHERHOST); 2637 2638 case PACKET_OUTGOING: 2639 return htons(LINUX_SLL_OUTGOING); 2640 2641 default: 2642 return -1; 2643 } 2644 } 2645 #endif 2646 2647 static int 2648 is_wifi(int sock_fd 2649 #ifndef IW_MODE_MONITOR 2650 _U_ 2651 #endif 2652 , const char *device) 2653 { 2654 char *pathstr; 2655 struct stat statb; 2656 #ifdef IW_MODE_MONITOR 2657 char errbuf[PCAP_ERRBUF_SIZE]; 2658 #endif 2659 2660 /* 2661 * See if there's a sysfs wireless directory for it. 2662 * If so, it's a wireless interface. 2663 */ 2664 if (asprintf(&pathstr, "/sys/class/net/%s/wireless", device) == -1) { 2665 /* 2666 * Just give up here. 2667 */ 2668 return 0; 2669 } 2670 if (stat(pathstr, &statb) == 0) { 2671 free(pathstr); 2672 return 1; 2673 } 2674 free(pathstr); 2675 2676 #ifdef IW_MODE_MONITOR 2677 /* 2678 * OK, maybe it's not wireless, or maybe this kernel doesn't 2679 * support sysfs. Try the wireless extensions. 2680 */ 2681 if (has_wext(sock_fd, device, errbuf) == 1) { 2682 /* 2683 * It supports the wireless extensions, so it's a Wi-Fi 2684 * device. 2685 */ 2686 return 1; 2687 } 2688 #endif 2689 return 0; 2690 } 2691 2692 /* 2693 * Linux uses the ARP hardware type to identify the type of an 2694 * interface. pcap uses the DLT_xxx constants for this. This 2695 * function takes a pointer to a "pcap_t", and an ARPHRD_xxx 2696 * constant, as arguments, and sets "handle->linktype" to the 2697 * appropriate DLT_XXX constant and sets "handle->offset" to 2698 * the appropriate value (to make "handle->offset" plus link-layer 2699 * header length be a multiple of 4, so that the link-layer payload 2700 * will be aligned on a 4-byte boundary when capturing packets). 2701 * (If the offset isn't set here, it'll be 0; add code as appropriate 2702 * for cases where it shouldn't be 0.) 2703 * 2704 * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture 2705 * in cooked mode; otherwise, we can't use cooked mode, so we have 2706 * to pick some type that works in raw mode, or fail. 2707 * 2708 * Sets the link type to -1 if unable to map the type. 2709 */ 2710 static void map_arphrd_to_dlt(pcap_t *handle, int sock_fd, int arptype, 2711 const char *device, int cooked_ok) 2712 { 2713 static const char cdma_rmnet[] = "cdma_rmnet"; 2714 2715 switch (arptype) { 2716 2717 case ARPHRD_ETHER: 2718 /* 2719 * For various annoying reasons having to do with DHCP 2720 * software, some versions of Android give the mobile- 2721 * phone-network interface an ARPHRD_ value of 2722 * ARPHRD_ETHER, even though the packets supplied by 2723 * that interface have no link-layer header, and begin 2724 * with an IP header, so that the ARPHRD_ value should 2725 * be ARPHRD_NONE. 2726 * 2727 * Detect those devices by checking the device name, and 2728 * use DLT_RAW for them. 2729 */ 2730 if (strncmp(device, cdma_rmnet, sizeof cdma_rmnet - 1) == 0) { 2731 handle->linktype = DLT_RAW; 2732 return; 2733 } 2734 2735 /* 2736 * Is this a real Ethernet device? If so, give it a 2737 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 2738 * that an application can let you choose it, in case you're 2739 * capturing DOCSIS traffic that a Cisco Cable Modem 2740 * Termination System is putting out onto an Ethernet (it 2741 * doesn't put an Ethernet header onto the wire, it puts raw 2742 * DOCSIS frames out on the wire inside the low-level 2743 * Ethernet framing). 2744 * 2745 * XXX - are there any other sorts of "fake Ethernet" that 2746 * have ARPHRD_ETHER but that shouldn't offer DLT_DOCSIS as 2747 * a Cisco CMTS won't put traffic onto it or get traffic 2748 * bridged onto it? ISDN is handled in "activate_new()", 2749 * as we fall back on cooked mode there, and we use 2750 * is_wifi() to check for 802.11 devices; are there any 2751 * others? 2752 */ 2753 if (!is_wifi(sock_fd, device)) { 2754 /* 2755 * It's not a Wi-Fi device; offer DOCSIS. 2756 */ 2757 handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 2758 /* 2759 * If that fails, just leave the list empty. 2760 */ 2761 if (handle->dlt_list != NULL) { 2762 handle->dlt_list[0] = DLT_EN10MB; 2763 handle->dlt_list[1] = DLT_DOCSIS; 2764 handle->dlt_count = 2; 2765 } 2766 } 2767 /* FALLTHROUGH */ 2768 2769 case ARPHRD_METRICOM: 2770 case ARPHRD_LOOPBACK: 2771 handle->linktype = DLT_EN10MB; 2772 handle->offset = 2; 2773 break; 2774 2775 case ARPHRD_EETHER: 2776 handle->linktype = DLT_EN3MB; 2777 break; 2778 2779 case ARPHRD_AX25: 2780 handle->linktype = DLT_AX25_KISS; 2781 break; 2782 2783 case ARPHRD_PRONET: 2784 handle->linktype = DLT_PRONET; 2785 break; 2786 2787 case ARPHRD_CHAOS: 2788 handle->linktype = DLT_CHAOS; 2789 break; 2790 #ifndef ARPHRD_CAN 2791 #define ARPHRD_CAN 280 2792 #endif 2793 case ARPHRD_CAN: 2794 handle->linktype = DLT_CAN_SOCKETCAN; 2795 break; 2796 2797 #ifndef ARPHRD_IEEE802_TR 2798 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 2799 #endif 2800 case ARPHRD_IEEE802_TR: 2801 case ARPHRD_IEEE802: 2802 handle->linktype = DLT_IEEE802; 2803 handle->offset = 2; 2804 break; 2805 2806 case ARPHRD_ARCNET: 2807 handle->linktype = DLT_ARCNET_LINUX; 2808 break; 2809 2810 #ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ 2811 #define ARPHRD_FDDI 774 2812 #endif 2813 case ARPHRD_FDDI: 2814 handle->linktype = DLT_FDDI; 2815 handle->offset = 3; 2816 break; 2817 2818 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 2819 #define ARPHRD_ATM 19 2820 #endif 2821 case ARPHRD_ATM: 2822 /* 2823 * The Classical IP implementation in ATM for Linux 2824 * supports both what RFC 1483 calls "LLC Encapsulation", 2825 * in which each packet has an LLC header, possibly 2826 * with a SNAP header as well, prepended to it, and 2827 * what RFC 1483 calls "VC Based Multiplexing", in which 2828 * different virtual circuits carry different network 2829 * layer protocols, and no header is prepended to packets. 2830 * 2831 * They both have an ARPHRD_ type of ARPHRD_ATM, so 2832 * you can't use the ARPHRD_ type to find out whether 2833 * captured packets will have an LLC header, and, 2834 * while there's a socket ioctl to *set* the encapsulation 2835 * type, there's no ioctl to *get* the encapsulation type. 2836 * 2837 * This means that 2838 * 2839 * programs that dissect Linux Classical IP frames 2840 * would have to check for an LLC header and, 2841 * depending on whether they see one or not, dissect 2842 * the frame as LLC-encapsulated or as raw IP (I 2843 * don't know whether there's any traffic other than 2844 * IP that would show up on the socket, or whether 2845 * there's any support for IPv6 in the Linux 2846 * Classical IP code); 2847 * 2848 * filter expressions would have to compile into 2849 * code that checks for an LLC header and does 2850 * the right thing. 2851 * 2852 * Both of those are a nuisance - and, at least on systems 2853 * that support PF_PACKET sockets, we don't have to put 2854 * up with those nuisances; instead, we can just capture 2855 * in cooked mode. That's what we'll do, if we can. 2856 * Otherwise, we'll just fail. 2857 */ 2858 if (cooked_ok) 2859 handle->linktype = DLT_LINUX_SLL; 2860 else 2861 handle->linktype = -1; 2862 break; 2863 2864 #ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ 2865 #define ARPHRD_IEEE80211 801 2866 #endif 2867 case ARPHRD_IEEE80211: 2868 handle->linktype = DLT_IEEE802_11; 2869 break; 2870 2871 #ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ 2872 #define ARPHRD_IEEE80211_PRISM 802 2873 #endif 2874 case ARPHRD_IEEE80211_PRISM: 2875 handle->linktype = DLT_PRISM_HEADER; 2876 break; 2877 2878 #ifndef ARPHRD_IEEE80211_RADIOTAP /* new */ 2879 #define ARPHRD_IEEE80211_RADIOTAP 803 2880 #endif 2881 case ARPHRD_IEEE80211_RADIOTAP: 2882 handle->linktype = DLT_IEEE802_11_RADIO; 2883 break; 2884 2885 case ARPHRD_PPP: 2886 /* 2887 * Some PPP code in the kernel supplies no link-layer 2888 * header whatsoever to PF_PACKET sockets; other PPP 2889 * code supplies PPP link-layer headers ("syncppp.c"); 2890 * some PPP code might supply random link-layer 2891 * headers (PPP over ISDN - there's code in Ethereal, 2892 * for example, to cope with PPP-over-ISDN captures 2893 * with which the Ethereal developers have had to cope, 2894 * heuristically trying to determine which of the 2895 * oddball link-layer headers particular packets have). 2896 * 2897 * As such, we just punt, and run all PPP interfaces 2898 * in cooked mode, if we can; otherwise, we just treat 2899 * it as DLT_RAW, for now - if somebody needs to capture, 2900 * on a 2.0[.x] kernel, on PPP devices that supply a 2901 * link-layer header, they'll have to add code here to 2902 * map to the appropriate DLT_ type (possibly adding a 2903 * new DLT_ type, if necessary). 2904 */ 2905 if (cooked_ok) 2906 handle->linktype = DLT_LINUX_SLL; 2907 else { 2908 /* 2909 * XXX - handle ISDN types here? We can't fall 2910 * back on cooked sockets, so we'd have to 2911 * figure out from the device name what type of 2912 * link-layer encapsulation it's using, and map 2913 * that to an appropriate DLT_ value, meaning 2914 * we'd map "isdnN" devices to DLT_RAW (they 2915 * supply raw IP packets with no link-layer 2916 * header) and "isdY" devices to a new DLT_I4L_IP 2917 * type that has only an Ethernet packet type as 2918 * a link-layer header. 2919 * 2920 * But sometimes we seem to get random crap 2921 * in the link-layer header when capturing on 2922 * ISDN devices.... 2923 */ 2924 handle->linktype = DLT_RAW; 2925 } 2926 break; 2927 2928 #ifndef ARPHRD_CISCO 2929 #define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */ 2930 #endif 2931 case ARPHRD_CISCO: 2932 handle->linktype = DLT_C_HDLC; 2933 break; 2934 2935 /* Not sure if this is correct for all tunnels, but it 2936 * works for CIPE */ 2937 case ARPHRD_TUNNEL: 2938 #ifndef ARPHRD_SIT 2939 #define ARPHRD_SIT 776 /* From Linux 2.2.13 */ 2940 #endif 2941 case ARPHRD_SIT: 2942 case ARPHRD_CSLIP: 2943 case ARPHRD_SLIP6: 2944 case ARPHRD_CSLIP6: 2945 case ARPHRD_ADAPT: 2946 case ARPHRD_SLIP: 2947 #ifndef ARPHRD_RAWHDLC 2948 #define ARPHRD_RAWHDLC 518 2949 #endif 2950 case ARPHRD_RAWHDLC: 2951 #ifndef ARPHRD_DLCI 2952 #define ARPHRD_DLCI 15 2953 #endif 2954 case ARPHRD_DLCI: 2955 /* 2956 * XXX - should some of those be mapped to DLT_LINUX_SLL 2957 * instead? Should we just map all of them to DLT_LINUX_SLL? 2958 */ 2959 handle->linktype = DLT_RAW; 2960 break; 2961 2962 #ifndef ARPHRD_FRAD 2963 #define ARPHRD_FRAD 770 2964 #endif 2965 case ARPHRD_FRAD: 2966 handle->linktype = DLT_FRELAY; 2967 break; 2968 2969 case ARPHRD_LOCALTLK: 2970 handle->linktype = DLT_LTALK; 2971 break; 2972 2973 case 18: 2974 /* 2975 * RFC 4338 defines an encapsulation for IP and ARP 2976 * packets that's compatible with the RFC 2625 2977 * encapsulation, but that uses a different ARP 2978 * hardware type and hardware addresses. That 2979 * ARP hardware type is 18; Linux doesn't define 2980 * any ARPHRD_ value as 18, but if it ever officially 2981 * supports RFC 4338-style IP-over-FC, it should define 2982 * one. 2983 * 2984 * For now, we map it to DLT_IP_OVER_FC, in the hopes 2985 * that this will encourage its use in the future, 2986 * should Linux ever officially support RFC 4338-style 2987 * IP-over-FC. 2988 */ 2989 handle->linktype = DLT_IP_OVER_FC; 2990 break; 2991 2992 #ifndef ARPHRD_FCPP 2993 #define ARPHRD_FCPP 784 2994 #endif 2995 case ARPHRD_FCPP: 2996 #ifndef ARPHRD_FCAL 2997 #define ARPHRD_FCAL 785 2998 #endif 2999 case ARPHRD_FCAL: 3000 #ifndef ARPHRD_FCPL 3001 #define ARPHRD_FCPL 786 3002 #endif 3003 case ARPHRD_FCPL: 3004 #ifndef ARPHRD_FCFABRIC 3005 #define ARPHRD_FCFABRIC 787 3006 #endif 3007 case ARPHRD_FCFABRIC: 3008 /* 3009 * Back in 2002, Donald Lee at Cray wanted a DLT_ for 3010 * IP-over-FC: 3011 * 3012 * http://www.mail-archive.com/tcpdump-workers@sandelman.ottawa.on.ca/msg01043.html 3013 * 3014 * and one was assigned. 3015 * 3016 * In a later private discussion (spun off from a message 3017 * on the ethereal-users list) on how to get that DLT_ 3018 * value in libpcap on Linux, I ended up deciding that 3019 * the best thing to do would be to have him tweak the 3020 * driver to set the ARPHRD_ value to some ARPHRD_FCxx 3021 * type, and map all those types to DLT_IP_OVER_FC: 3022 * 3023 * I've checked into the libpcap and tcpdump CVS tree 3024 * support for DLT_IP_OVER_FC. In order to use that, 3025 * you'd have to modify your modified driver to return 3026 * one of the ARPHRD_FCxxx types, in "fcLINUXfcp.c" - 3027 * change it to set "dev->type" to ARPHRD_FCFABRIC, for 3028 * example (the exact value doesn't matter, it can be 3029 * any of ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL, or 3030 * ARPHRD_FCFABRIC). 3031 * 3032 * 11 years later, Christian Svensson wanted to map 3033 * various ARPHRD_ values to DLT_FC_2 and 3034 * DLT_FC_2_WITH_FRAME_DELIMS for raw Fibre Channel 3035 * frames: 3036 * 3037 * https://github.com/mcr/libpcap/pull/29 3038 * 3039 * There doesn't seem to be any network drivers that uses 3040 * any of the ARPHRD_FC* values for IP-over-FC, and 3041 * it's not exactly clear what the "Dummy types for non 3042 * ARP hardware" are supposed to mean (link-layer 3043 * header type? Physical network type?), so it's 3044 * not exactly clear why the ARPHRD_FC* types exist 3045 * in the first place. 3046 * 3047 * For now, we map them to DLT_FC_2, and provide an 3048 * option of DLT_FC_2_WITH_FRAME_DELIMS, as well as 3049 * DLT_IP_OVER_FC just in case there's some old 3050 * driver out there that uses one of those types for 3051 * IP-over-FC on which somebody wants to capture 3052 * packets. 3053 */ 3054 handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 3055 /* 3056 * If that fails, just leave the list empty. 3057 */ 3058 if (handle->dlt_list != NULL) { 3059 handle->dlt_list[0] = DLT_FC_2; 3060 handle->dlt_list[1] = DLT_FC_2_WITH_FRAME_DELIMS; 3061 handle->dlt_list[2] = DLT_IP_OVER_FC; 3062 handle->dlt_count = 3; 3063 } 3064 handle->linktype = DLT_FC_2; 3065 break; 3066 3067 #ifndef ARPHRD_IRDA 3068 #define ARPHRD_IRDA 783 3069 #endif 3070 case ARPHRD_IRDA: 3071 /* Don't expect IP packet out of this interfaces... */ 3072 handle->linktype = DLT_LINUX_IRDA; 3073 /* We need to save packet direction for IrDA decoding, 3074 * so let's use "Linux-cooked" mode. Jean II 3075 * 3076 * XXX - this is handled in activate_new(). */ 3077 //handlep->cooked = 1; 3078 break; 3079 3080 /* ARPHRD_LAPD is unofficial and randomly allocated, if reallocation 3081 * is needed, please report it to <daniele (at) orlandi.com> */ 3082 #ifndef ARPHRD_LAPD 3083 #define ARPHRD_LAPD 8445 3084 #endif 3085 case ARPHRD_LAPD: 3086 /* Don't expect IP packet out of this interfaces... */ 3087 handle->linktype = DLT_LINUX_LAPD; 3088 break; 3089 3090 #ifndef ARPHRD_NONE 3091 #define ARPHRD_NONE 0xFFFE 3092 #endif 3093 case ARPHRD_NONE: 3094 /* 3095 * No link-layer header; packets are just IP 3096 * packets, so use DLT_RAW. 3097 */ 3098 handle->linktype = DLT_RAW; 3099 break; 3100 3101 #ifndef ARPHRD_IEEE802154 3102 #define ARPHRD_IEEE802154 804 3103 #endif 3104 case ARPHRD_IEEE802154: 3105 handle->linktype = DLT_IEEE802_15_4_NOFCS; 3106 break; 3107 3108 #ifndef ARPHRD_NETLINK 3109 #define ARPHRD_NETLINK 824 3110 #endif 3111 case ARPHRD_NETLINK: 3112 handle->linktype = DLT_NETLINK; 3113 /* 3114 * We need to use cooked mode, so that in sll_protocol we 3115 * pick up the netlink protocol type such as NETLINK_ROUTE, 3116 * NETLINK_GENERIC, NETLINK_FIB_LOOKUP, etc. 3117 * 3118 * XXX - this is handled in activate_new(). 3119 */ 3120 //handlep->cooked = 1; 3121 break; 3122 3123 default: 3124 handle->linktype = -1; 3125 break; 3126 } 3127 } 3128 3129 /* ===== Functions to interface to the newer kernels ================== */ 3130 3131 /* 3132 * Try to open a packet socket using the new kernel PF_PACKET interface. 3133 * Returns 1 on success, 0 on an error that means the new interface isn't 3134 * present (so the old SOCK_PACKET interface should be tried), and a 3135 * PCAP_ERROR_ value on an error that means that the old mechanism won't 3136 * work either (so it shouldn't be tried). 3137 */ 3138 static int 3139 activate_new(pcap_t *handle) 3140 { 3141 #ifdef HAVE_PF_PACKET_SOCKETS 3142 struct pcap_linux *handlep = handle->priv; 3143 const char *device = handle->opt.source; 3144 int is_any_device = (strcmp(device, "any") == 0); 3145 int sock_fd = -1, arptype; 3146 #ifdef HAVE_PACKET_AUXDATA 3147 int val; 3148 #endif 3149 int err = 0; 3150 struct packet_mreq mr; 3151 #ifdef SO_BPF_EXTENSIONS 3152 int bpf_extensions; 3153 socklen_t len = sizeof(bpf_extensions); 3154 #endif 3155 3156 /* 3157 * Open a socket with protocol family packet. If the 3158 * "any" device was specified, we open a SOCK_DGRAM 3159 * socket for the cooked interface, otherwise we first 3160 * try a SOCK_RAW socket for the raw interface. 3161 */ 3162 sock_fd = is_any_device ? 3163 socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)) : 3164 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); 3165 3166 if (sock_fd == -1) { 3167 if (errno == EINVAL || errno == EAFNOSUPPORT) { 3168 /* 3169 * We don't support PF_PACKET/SOCK_whatever 3170 * sockets; try the old mechanism. 3171 */ 3172 return 0; 3173 } 3174 3175 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "socket: %s", 3176 pcap_strerror(errno) ); 3177 if (errno == EPERM || errno == EACCES) { 3178 /* 3179 * You don't have permission to open the 3180 * socket. 3181 */ 3182 return PCAP_ERROR_PERM_DENIED; 3183 } else { 3184 /* 3185 * Other error. 3186 */ 3187 return PCAP_ERROR; 3188 } 3189 } 3190 3191 /* It seems the kernel supports the new interface. */ 3192 handlep->sock_packet = 0; 3193 3194 /* 3195 * Get the interface index of the loopback device. 3196 * If the attempt fails, don't fail, just set the 3197 * "handlep->lo_ifindex" to -1. 3198 * 3199 * XXX - can there be more than one device that loops 3200 * packets back, i.e. devices other than "lo"? If so, 3201 * we'd need to find them all, and have an array of 3202 * indices for them, and check all of them in 3203 * "pcap_read_packet()". 3204 */ 3205 handlep->lo_ifindex = iface_get_id(sock_fd, "lo", handle->errbuf); 3206 3207 /* 3208 * Default value for offset to align link-layer payload 3209 * on a 4-byte boundary. 3210 */ 3211 handle->offset = 0; 3212 3213 /* 3214 * What kind of frames do we have to deal with? Fall back 3215 * to cooked mode if we have an unknown interface type 3216 * or a type we know doesn't work well in raw mode. 3217 */ 3218 if (!is_any_device) { 3219 /* Assume for now we don't need cooked mode. */ 3220 handlep->cooked = 0; 3221 3222 if (handle->opt.rfmon) { 3223 /* 3224 * We were asked to turn on monitor mode. 3225 * Do so before we get the link-layer type, 3226 * because entering monitor mode could change 3227 * the link-layer type. 3228 */ 3229 err = enter_rfmon_mode(handle, sock_fd, device); 3230 if (err < 0) { 3231 /* Hard failure */ 3232 close(sock_fd); 3233 return err; 3234 } 3235 if (err == 0) { 3236 /* 3237 * Nothing worked for turning monitor mode 3238 * on. 3239 */ 3240 close(sock_fd); 3241 return PCAP_ERROR_RFMON_NOTSUP; 3242 } 3243 3244 /* 3245 * Either monitor mode has been turned on for 3246 * the device, or we've been given a different 3247 * device to open for monitor mode. If we've 3248 * been given a different device, use it. 3249 */ 3250 if (handlep->mondevice != NULL) 3251 device = handlep->mondevice; 3252 } 3253 arptype = iface_get_arptype(sock_fd, device, handle->errbuf); 3254 if (arptype < 0) { 3255 close(sock_fd); 3256 return arptype; 3257 } 3258 map_arphrd_to_dlt(handle, sock_fd, arptype, device, 1); 3259 if (handle->linktype == -1 || 3260 handle->linktype == DLT_LINUX_SLL || 3261 handle->linktype == DLT_LINUX_IRDA || 3262 handle->linktype == DLT_LINUX_LAPD || 3263 handle->linktype == DLT_NETLINK || 3264 (handle->linktype == DLT_EN10MB && 3265 (strncmp("isdn", device, 4) == 0 || 3266 strncmp("isdY", device, 4) == 0))) { 3267 /* 3268 * Unknown interface type (-1), or a 3269 * device we explicitly chose to run 3270 * in cooked mode (e.g., PPP devices), 3271 * or an ISDN device (whose link-layer 3272 * type we can only determine by using 3273 * APIs that may be different on different 3274 * kernels) - reopen in cooked mode. 3275 */ 3276 if (close(sock_fd) == -1) { 3277 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3278 "close: %s", pcap_strerror(errno)); 3279 return PCAP_ERROR; 3280 } 3281 sock_fd = socket(PF_PACKET, SOCK_DGRAM, 3282 htons(ETH_P_ALL)); 3283 if (sock_fd == -1) { 3284 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3285 "socket: %s", pcap_strerror(errno)); 3286 if (errno == EPERM || errno == EACCES) { 3287 /* 3288 * You don't have permission to 3289 * open the socket. 3290 */ 3291 return PCAP_ERROR_PERM_DENIED; 3292 } else { 3293 /* 3294 * Other error. 3295 */ 3296 return PCAP_ERROR; 3297 } 3298 } 3299 handlep->cooked = 1; 3300 3301 /* 3302 * Get rid of any link-layer type list 3303 * we allocated - this only supports cooked 3304 * capture. 3305 */ 3306 if (handle->dlt_list != NULL) { 3307 free(handle->dlt_list); 3308 handle->dlt_list = NULL; 3309 handle->dlt_count = 0; 3310 } 3311 3312 if (handle->linktype == -1) { 3313 /* 3314 * Warn that we're falling back on 3315 * cooked mode; we may want to 3316 * update "map_arphrd_to_dlt()" 3317 * to handle the new type. 3318 */ 3319 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3320 "arptype %d not " 3321 "supported by libpcap - " 3322 "falling back to cooked " 3323 "socket", 3324 arptype); 3325 } 3326 3327 /* 3328 * IrDA capture is not a real "cooked" capture, 3329 * it's IrLAP frames, not IP packets. The 3330 * same applies to LAPD capture. 3331 */ 3332 if (handle->linktype != DLT_LINUX_IRDA && 3333 handle->linktype != DLT_LINUX_LAPD && 3334 handle->linktype != DLT_NETLINK) 3335 handle->linktype = DLT_LINUX_SLL; 3336 } 3337 3338 handlep->ifindex = iface_get_id(sock_fd, device, 3339 handle->errbuf); 3340 if (handlep->ifindex == -1) { 3341 close(sock_fd); 3342 return PCAP_ERROR; 3343 } 3344 3345 if ((err = iface_bind(sock_fd, handlep->ifindex, 3346 handle->errbuf)) != 1) { 3347 close(sock_fd); 3348 if (err < 0) 3349 return err; 3350 else 3351 return 0; /* try old mechanism */ 3352 } 3353 } else { 3354 /* 3355 * The "any" device. 3356 */ 3357 if (handle->opt.rfmon) { 3358 /* 3359 * It doesn't support monitor mode. 3360 */ 3361 close(sock_fd); 3362 return PCAP_ERROR_RFMON_NOTSUP; 3363 } 3364 3365 /* 3366 * It uses cooked mode. 3367 */ 3368 handlep->cooked = 1; 3369 handle->linktype = DLT_LINUX_SLL; 3370 3371 /* 3372 * We're not bound to a device. 3373 * For now, we're using this as an indication 3374 * that we can't transmit; stop doing that only 3375 * if we figure out how to transmit in cooked 3376 * mode. 3377 */ 3378 handlep->ifindex = -1; 3379 } 3380 3381 /* 3382 * Select promiscuous mode on if "promisc" is set. 3383 * 3384 * Do not turn allmulti mode on if we don't select 3385 * promiscuous mode - on some devices (e.g., Orinoco 3386 * wireless interfaces), allmulti mode isn't supported 3387 * and the driver implements it by turning promiscuous 3388 * mode on, and that screws up the operation of the 3389 * card as a normal networking interface, and on no 3390 * other platform I know of does starting a non- 3391 * promiscuous capture affect which multicast packets 3392 * are received by the interface. 3393 */ 3394 3395 /* 3396 * Hmm, how can we set promiscuous mode on all interfaces? 3397 * I am not sure if that is possible at all. For now, we 3398 * silently ignore attempts to turn promiscuous mode on 3399 * for the "any" device (so you don't have to explicitly 3400 * disable it in programs such as tcpdump). 3401 */ 3402 3403 if (!is_any_device && handle->opt.promisc) { 3404 memset(&mr, 0, sizeof(mr)); 3405 mr.mr_ifindex = handlep->ifindex; 3406 mr.mr_type = PACKET_MR_PROMISC; 3407 if (setsockopt(sock_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, 3408 &mr, sizeof(mr)) == -1) { 3409 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3410 "setsockopt: %s", pcap_strerror(errno)); 3411 close(sock_fd); 3412 return PCAP_ERROR; 3413 } 3414 } 3415 3416 /* Enable auxillary data if supported and reserve room for 3417 * reconstructing VLAN headers. */ 3418 #ifdef HAVE_PACKET_AUXDATA 3419 val = 1; 3420 if (setsockopt(sock_fd, SOL_PACKET, PACKET_AUXDATA, &val, 3421 sizeof(val)) == -1 && errno != ENOPROTOOPT) { 3422 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3423 "setsockopt: %s", pcap_strerror(errno)); 3424 close(sock_fd); 3425 return PCAP_ERROR; 3426 } 3427 handle->offset += VLAN_TAG_LEN; 3428 #endif /* HAVE_PACKET_AUXDATA */ 3429 3430 /* 3431 * This is a 2.2[.x] or later kernel (we know that 3432 * because we're not using a SOCK_PACKET socket - 3433 * PF_PACKET is supported only in 2.2 and later 3434 * kernels). 3435 * 3436 * We can safely pass "recvfrom()" a byte count 3437 * based on the snapshot length. 3438 * 3439 * If we're in cooked mode, make the snapshot length 3440 * large enough to hold a "cooked mode" header plus 3441 * 1 byte of packet data (so we don't pass a byte 3442 * count of 0 to "recvfrom()"). 3443 */ 3444 if (handlep->cooked) { 3445 if (handle->snapshot < SLL_HDR_LEN + 1) 3446 handle->snapshot = SLL_HDR_LEN + 1; 3447 } 3448 handle->bufsize = handle->snapshot; 3449 3450 /* 3451 * Set the offset at which to insert VLAN tags. 3452 */ 3453 switch (handle->linktype) { 3454 3455 case DLT_EN10MB: 3456 handlep->vlan_offset = 2 * ETH_ALEN; 3457 break; 3458 3459 case DLT_LINUX_SLL: 3460 handlep->vlan_offset = 14; 3461 break; 3462 3463 default: 3464 handlep->vlan_offset = -1; /* unknown */ 3465 break; 3466 } 3467 3468 #if defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) 3469 if (handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) { 3470 int nsec_tstamps = 1; 3471 3472 if (setsockopt(sock_fd, SOL_SOCKET, SO_TIMESTAMPNS, &nsec_tstamps, sizeof(nsec_tstamps)) < 0) { 3473 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "setsockopt: unable to set SO_TIMESTAMPNS"); 3474 close(sock_fd); 3475 return PCAP_ERROR; 3476 } 3477 } 3478 #endif /* defined(SIOCGSTAMPNS) && defined(SO_TIMESTAMPNS) */ 3479 3480 /* 3481 * We've succeeded. Save the socket FD in the pcap structure. 3482 */ 3483 handle->fd = sock_fd; 3484 3485 #ifdef SO_BPF_EXTENSIONS 3486 /* 3487 * Can we generate special code for VLAN checks? 3488 * (XXX - what if we need the special code but it's not supported 3489 * by the OS? Is that possible?) 3490 */ 3491 if (getsockopt(sock_fd, SOL_SOCKET, SO_BPF_EXTENSIONS, 3492 &bpf_extensions, &len) == 0) { 3493 if (bpf_extensions >= SKF_AD_VLAN_TAG_PRESENT) { 3494 /* 3495 * Yes, we can. Request that we do so. 3496 */ 3497 handle->bpf_codegen_flags |= BPF_SPECIAL_VLAN_HANDLING; 3498 } 3499 } 3500 #endif /* SO_BPF_EXTENSIONS */ 3501 3502 return 1; 3503 #else /* HAVE_PF_PACKET_SOCKETS */ 3504 strlcpy(ebuf, 3505 "New packet capturing interface not supported by build " 3506 "environment", PCAP_ERRBUF_SIZE); 3507 return 0; 3508 #endif /* HAVE_PF_PACKET_SOCKETS */ 3509 } 3510 3511 #ifdef HAVE_PACKET_RING 3512 /* 3513 * Attempt to activate with memory-mapped access. 3514 * 3515 * On success, returns 1, and sets *status to 0 if there are no warnings 3516 * or to a PCAP_WARNING_ code if there is a warning. 3517 * 3518 * On failure due to lack of support for memory-mapped capture, returns 3519 * 0. 3520 * 3521 * On error, returns -1, and sets *status to the appropriate error code; 3522 * if that is PCAP_ERROR, sets handle->errbuf to the appropriate message. 3523 */ 3524 static int 3525 activate_mmap(pcap_t *handle, int *status) 3526 { 3527 struct pcap_linux *handlep = handle->priv; 3528 int ret; 3529 3530 /* 3531 * Attempt to allocate a buffer to hold the contents of one 3532 * packet, for use by the oneshot callback. 3533 */ 3534 handlep->oneshot_buffer = malloc(handle->snapshot); 3535 if (handlep->oneshot_buffer == NULL) { 3536 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3537 "can't allocate oneshot buffer: %s", 3538 pcap_strerror(errno)); 3539 *status = PCAP_ERROR; 3540 return -1; 3541 } 3542 3543 if (handle->opt.buffer_size == 0) { 3544 /* by default request 2M for the ring buffer */ 3545 handle->opt.buffer_size = 2*1024*1024; 3546 } 3547 ret = prepare_tpacket_socket(handle); 3548 if (ret == -1) { 3549 free(handlep->oneshot_buffer); 3550 *status = PCAP_ERROR; 3551 return ret; 3552 } 3553 ret = create_ring(handle, status); 3554 if (ret == 0) { 3555 /* 3556 * We don't support memory-mapped capture; our caller 3557 * will fall back on reading from the socket. 3558 */ 3559 free(handlep->oneshot_buffer); 3560 return 0; 3561 } 3562 if (ret == -1) { 3563 /* 3564 * Error attempting to enable memory-mapped capture; 3565 * fail. create_ring() has set *status. 3566 */ 3567 free(handlep->oneshot_buffer); 3568 return -1; 3569 } 3570 3571 /* 3572 * Success. *status has been set either to 0 if there are no 3573 * warnings or to a PCAP_WARNING_ value if there is a warning. 3574 * 3575 * Override some defaults and inherit the other fields from 3576 * activate_new. 3577 * handle->offset is used to get the current position into the rx ring. 3578 * handle->cc is used to store the ring size. 3579 */ 3580 3581 switch (handlep->tp_version) { 3582 case TPACKET_V1: 3583 handle->read_op = pcap_read_linux_mmap_v1; 3584 break; 3585 case TPACKET_V1_64: 3586 handle->read_op = pcap_read_linux_mmap_v1_64; 3587 break; 3588 #ifdef HAVE_TPACKET2 3589 case TPACKET_V2: 3590 handle->read_op = pcap_read_linux_mmap_v2; 3591 break; 3592 #endif 3593 #ifdef HAVE_TPACKET3 3594 case TPACKET_V3: 3595 handle->read_op = pcap_read_linux_mmap_v3; 3596 break; 3597 #endif 3598 } 3599 handle->cleanup_op = pcap_cleanup_linux_mmap; 3600 handle->setfilter_op = pcap_setfilter_linux_mmap; 3601 handle->setnonblock_op = pcap_setnonblock_mmap; 3602 handle->getnonblock_op = pcap_getnonblock_mmap; 3603 handle->oneshot_callback = pcap_oneshot_mmap; 3604 handle->selectable_fd = handle->fd; 3605 return 1; 3606 } 3607 #else /* HAVE_PACKET_RING */ 3608 static int 3609 activate_mmap(pcap_t *handle _U_, int *status _U_) 3610 { 3611 return 0; 3612 } 3613 #endif /* HAVE_PACKET_RING */ 3614 3615 #ifdef HAVE_PACKET_RING 3616 3617 #if defined(HAVE_TPACKET2) || defined(HAVE_TPACKET3) 3618 /* 3619 * Attempt to set the socket to the specified version of the memory-mapped 3620 * header. 3621 * 3622 * Return 0 if we succeed; return 1 if we fail because that version isn't 3623 * supported; return -1 on any other error, and set handle->errbuf. 3624 */ 3625 static int 3626 init_tpacket(pcap_t *handle, int version, const char *version_str) 3627 { 3628 struct pcap_linux *handlep = handle->priv; 3629 int val = version; 3630 socklen_t len = sizeof(val); 3631 3632 /* 3633 * Probe whether kernel supports the specified TPACKET version; 3634 * this also gets the length of the header for that version. 3635 */ 3636 if (getsockopt(handle->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) { 3637 if (errno == ENOPROTOOPT || errno == EINVAL) 3638 return 1; /* no */ 3639 3640 /* Failed to even find out; this is a fatal error. */ 3641 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3642 "can't get %s header len on packet socket: %s", 3643 version_str, 3644 pcap_strerror(errno)); 3645 return -1; 3646 } 3647 handlep->tp_hdrlen = val; 3648 3649 val = version; 3650 if (setsockopt(handle->fd, SOL_PACKET, PACKET_VERSION, &val, 3651 sizeof(val)) < 0) { 3652 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3653 "can't activate %s on packet socket: %s", 3654 version_str, 3655 pcap_strerror(errno)); 3656 return -1; 3657 } 3658 handlep->tp_version = version; 3659 3660 /* Reserve space for VLAN tag reconstruction */ 3661 val = VLAN_TAG_LEN; 3662 if (setsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE, &val, 3663 sizeof(val)) < 0) { 3664 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3665 "can't set up reserve on packet socket: %s", 3666 pcap_strerror(errno)); 3667 return -1; 3668 } 3669 3670 return 0; 3671 } 3672 #endif /* defined HAVE_TPACKET2 || defined HAVE_TPACKET3 */ 3673 3674 /* 3675 * If the instruction set for which we're compiling has both 32-bit 3676 * and 64-bit versions, and Linux support for the 64-bit version 3677 * predates TPACKET_V2, define ISA_64_BIT as the .machine value 3678 * you get from uname() for the 64-bit version. Otherwise, leave 3679 * it undefined. (This includes ARM, which has a 64-bit version, 3680 * but Linux support for it appeared well after TPACKET_V2 support 3681 * did, so there should never be a case where 32-bit ARM code is 3682 * running o a 64-bit kernel that only supports TPACKET_V1.) 3683 * 3684 * If we've omitted your favorite such architecture, please contribute 3685 * a patch. (No patch is needed for architectures that are 32-bit-only 3686 * or for which Linux has no support for 32-bit userland - or for which, 3687 * as noted, 64-bit support appeared in Linux after TPACKET_V2 support 3688 * did.) 3689 */ 3690 #if defined(__i386__) 3691 #define ISA_64_BIT "x86_64" 3692 #elif defined(__ppc__) 3693 #define ISA_64_BIT "ppc64" 3694 #elif defined(__sparc__) 3695 #define ISA_64_BIT "sparc64" 3696 #elif defined(__s390__) 3697 #define ISA_64_BIT "s390x" 3698 #elif defined(__mips__) 3699 #define ISA_64_BIT "mips64" 3700 #elif defined(__hppa__) 3701 #define ISA_64_BIT "parisc64" 3702 #endif 3703 3704 /* 3705 * Attempt to set the socket to version 3 of the memory-mapped header and, 3706 * if that fails because version 3 isn't supported, attempt to fall 3707 * back to version 2. If version 2 isn't supported, just leave it at 3708 * version 1. 3709 * 3710 * Return 1 if we succeed or if we fail because neither version 2 nor 3 is 3711 * supported; return -1 on any other error, and set handle->errbuf. 3712 */ 3713 static int 3714 prepare_tpacket_socket(pcap_t *handle) 3715 { 3716 struct pcap_linux *handlep = handle->priv; 3717 #if defined(HAVE_TPACKET2) || defined(HAVE_TPACKET3) 3718 int ret; 3719 #endif 3720 3721 #ifdef HAVE_TPACKET3 3722 /* 3723 * Try setting the version to TPACKET_V3. 3724 * 3725 * The only mode in which buffering is done on PF_PACKET 3726 * sockets, so that packets might not be delivered 3727 * immediately, is TPACKET_V3 mode. 3728 * 3729 * The buffering cannot be disabled in that mode, so 3730 * if the user has requested immediate mode, we don't 3731 * use TPACKET_V3. 3732 */ 3733 if (!handle->opt.immediate) { 3734 ret = init_tpacket(handle, TPACKET_V3, "TPACKET_V3"); 3735 if (ret == 0) { 3736 /* 3737 * Success. 3738 */ 3739 return 1; 3740 } 3741 if (ret == -1) { 3742 /* 3743 * We failed for some reason other than "the 3744 * kernel doesn't support TPACKET_V3". 3745 */ 3746 return -1; 3747 } 3748 } 3749 #endif /* HAVE_TPACKET3 */ 3750 3751 #ifdef HAVE_TPACKET2 3752 /* 3753 * Try setting the version to TPACKET_V2. 3754 */ 3755 ret = init_tpacket(handle, TPACKET_V2, "TPACKET_V2"); 3756 if (ret == 0) { 3757 /* 3758 * Success. 3759 */ 3760 return 1; 3761 } 3762 if (ret == -1) { 3763 /* 3764 * We failed for some reason other than "the 3765 * kernel doesn't support TPACKET_V2". 3766 */ 3767 return -1; 3768 } 3769 #endif /* HAVE_TPACKET2 */ 3770 3771 /* 3772 * OK, we're using TPACKET_V1, as that's all the kernel supports. 3773 */ 3774 handlep->tp_version = TPACKET_V1; 3775 handlep->tp_hdrlen = sizeof(struct tpacket_hdr); 3776 3777 #ifdef ISA_64_BIT 3778 /* 3779 * 32-bit userspace + 64-bit kernel + TPACKET_V1 are not compatible with 3780 * each other due to platform-dependent data type size differences. 3781 * 3782 * If we have a 32-bit userland and a 64-bit kernel, use an 3783 * internally-defined TPACKET_V1_64, with which we use a 64-bit 3784 * version of the data structures. 3785 */ 3786 if (sizeof(long) == 4) { 3787 /* 3788 * This is 32-bit code. 3789 */ 3790 struct utsname utsname; 3791 3792 if (uname(&utsname) == -1) { 3793 /* 3794 * Failed. 3795 */ 3796 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3797 "uname failed: %s", pcap_strerror(errno)); 3798 return -1; 3799 } 3800 if (strcmp(utsname.machine, ISA_64_BIT) == 0) { 3801 /* 3802 * uname() tells us the machine is 64-bit, 3803 * so we presumably have a 64-bit kernel. 3804 * 3805 * XXX - this presumes that uname() won't lie 3806 * in 32-bit code and claim that the machine 3807 * has the 32-bit version of the ISA. 3808 */ 3809 handlep->tp_version = TPACKET_V1_64; 3810 handlep->tp_hdrlen = sizeof(struct tpacket_hdr_64); 3811 } 3812 } 3813 #endif 3814 3815 return 1; 3816 } 3817 3818 /* 3819 * Attempt to set up memory-mapped access. 3820 * 3821 * On success, returns 1, and sets *status to 0 if there are no warnings 3822 * or to a PCAP_WARNING_ code if there is a warning. 3823 * 3824 * On failure due to lack of support for memory-mapped capture, returns 3825 * 0. 3826 * 3827 * On error, returns -1, and sets *status to the appropriate error code; 3828 * if that is PCAP_ERROR, sets handle->errbuf to the appropriate message. 3829 */ 3830 static int 3831 create_ring(pcap_t *handle, int *status) 3832 { 3833 struct pcap_linux *handlep = handle->priv; 3834 unsigned i, j, frames_per_block; 3835 #ifdef HAVE_TPACKET3 3836 /* 3837 * For sockets using TPACKET_V1 or TPACKET_V2, the extra 3838 * stuff at the end of a struct tpacket_req3 will be 3839 * ignored, so this is OK even for those sockets. 3840 */ 3841 struct tpacket_req3 req; 3842 #else 3843 struct tpacket_req req; 3844 #endif 3845 socklen_t len; 3846 unsigned int sk_type, tp_reserve, maclen, tp_hdrlen, netoff, macoff; 3847 unsigned int frame_size; 3848 3849 /* 3850 * Start out assuming no warnings or errors. 3851 */ 3852 *status = 0; 3853 3854 switch (handlep->tp_version) { 3855 3856 case TPACKET_V1: 3857 case TPACKET_V1_64: 3858 #ifdef HAVE_TPACKET2 3859 case TPACKET_V2: 3860 #endif 3861 /* Note that with large snapshot length (say 64K, which is 3862 * the default for recent versions of tcpdump, the value that 3863 * "-s 0" has given for a long time with tcpdump, and the 3864 * default in Wireshark/TShark/dumpcap), if we use the snapshot 3865 * length to calculate the frame length, only a few frames 3866 * will be available in the ring even with pretty 3867 * large ring size (and a lot of memory will be unused). 3868 * 3869 * Ideally, we should choose a frame length based on the 3870 * minimum of the specified snapshot length and the maximum 3871 * packet size. That's not as easy as it sounds; consider, 3872 * for example, an 802.11 interface in monitor mode, where 3873 * the frame would include a radiotap header, where the 3874 * maximum radiotap header length is device-dependent. 3875 * 3876 * So, for now, we just do this for Ethernet devices, where 3877 * there's no metadata header, and the link-layer header is 3878 * fixed length. We can get the maximum packet size by 3879 * adding 18, the Ethernet header length plus the CRC length 3880 * (just in case we happen to get the CRC in the packet), to 3881 * the MTU of the interface; we fetch the MTU in the hopes 3882 * that it reflects support for jumbo frames. (Even if the 3883 * interface is just being used for passive snooping, the 3884 * driver might set the size of buffers in the receive ring 3885 * based on the MTU, so that the MTU limits the maximum size 3886 * of packets that we can receive.) 3887 * 3888 * We don't do that if segmentation/fragmentation or receive 3889 * offload are enabled, so we don't get rudely surprised by 3890 * "packets" bigger than the MTU. */ 3891 frame_size = handle->snapshot; 3892 if (handle->linktype == DLT_EN10MB) { 3893 int mtu; 3894 int offload; 3895 3896 offload = iface_get_offload(handle); 3897 if (offload == -1) { 3898 *status = PCAP_ERROR; 3899 return -1; 3900 } 3901 if (!offload) { 3902 mtu = iface_get_mtu(handle->fd, handle->opt.source, 3903 handle->errbuf); 3904 if (mtu == -1) { 3905 *status = PCAP_ERROR; 3906 return -1; 3907 } 3908 if (frame_size > mtu + 18) 3909 frame_size = mtu + 18; 3910 } 3911 } 3912 3913 /* NOTE: calculus matching those in tpacket_rcv() 3914 * in linux-2.6/net/packet/af_packet.c 3915 */ 3916 len = sizeof(sk_type); 3917 if (getsockopt(handle->fd, SOL_SOCKET, SO_TYPE, &sk_type, 3918 &len) < 0) { 3919 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3920 "getsockopt: %s", pcap_strerror(errno)); 3921 *status = PCAP_ERROR; 3922 return -1; 3923 } 3924 #ifdef PACKET_RESERVE 3925 len = sizeof(tp_reserve); 3926 if (getsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE, 3927 &tp_reserve, &len) < 0) { 3928 if (errno != ENOPROTOOPT) { 3929 /* 3930 * ENOPROTOOPT means "kernel doesn't support 3931 * PACKET_RESERVE", in which case we fall back 3932 * as best we can. 3933 */ 3934 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3935 "getsockopt: %s", pcap_strerror(errno)); 3936 *status = PCAP_ERROR; 3937 return -1; 3938 } 3939 tp_reserve = 0; /* older kernel, reserve not supported */ 3940 } 3941 #else 3942 tp_reserve = 0; /* older kernel, reserve not supported */ 3943 #endif 3944 maclen = (sk_type == SOCK_DGRAM) ? 0 : MAX_LINKHEADER_SIZE; 3945 /* XXX: in the kernel maclen is calculated from 3946 * LL_ALLOCATED_SPACE(dev) and vnet_hdr.hdr_len 3947 * in: packet_snd() in linux-2.6/net/packet/af_packet.c 3948 * then packet_alloc_skb() in linux-2.6/net/packet/af_packet.c 3949 * then sock_alloc_send_pskb() in linux-2.6/net/core/sock.c 3950 * but I see no way to get those sizes in userspace, 3951 * like for instance with an ifreq ioctl(); 3952 * the best thing I've found so far is MAX_HEADER in 3953 * the kernel part of linux-2.6/include/linux/netdevice.h 3954 * which goes up to 128+48=176; since pcap-linux.c 3955 * defines a MAX_LINKHEADER_SIZE of 256 which is 3956 * greater than that, let's use it.. maybe is it even 3957 * large enough to directly replace macoff.. 3958 */ 3959 tp_hdrlen = TPACKET_ALIGN(handlep->tp_hdrlen) + sizeof(struct sockaddr_ll) ; 3960 netoff = TPACKET_ALIGN(tp_hdrlen + (maclen < 16 ? 16 : maclen)) + tp_reserve; 3961 /* NOTE: AFAICS tp_reserve may break the TPACKET_ALIGN 3962 * of netoff, which contradicts 3963 * linux-2.6/Documentation/networking/packet_mmap.txt 3964 * documenting that: 3965 * "- Gap, chosen so that packet data (Start+tp_net) 3966 * aligns to TPACKET_ALIGNMENT=16" 3967 */ 3968 /* NOTE: in linux-2.6/include/linux/skbuff.h: 3969 * "CPUs often take a performance hit 3970 * when accessing unaligned memory locations" 3971 */ 3972 macoff = netoff - maclen; 3973 req.tp_frame_size = TPACKET_ALIGN(macoff + frame_size); 3974 req.tp_frame_nr = handle->opt.buffer_size/req.tp_frame_size; 3975 break; 3976 3977 #ifdef HAVE_TPACKET3 3978 case TPACKET_V3: 3979 /* The "frames" for this are actually buffers that 3980 * contain multiple variable-sized frames. 3981 * 3982 * We pick a "frame" size of 128K to leave enough 3983 * room for at least one reasonably-sized packet 3984 * in the "frame". */ 3985 req.tp_frame_size = MAXIMUM_SNAPLEN; 3986 req.tp_frame_nr = handle->opt.buffer_size/req.tp_frame_size; 3987 break; 3988 #endif 3989 default: 3990 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3991 "Internal error: unknown TPACKET_ value %u", 3992 handlep->tp_version); 3993 *status = PCAP_ERROR; 3994 return -1; 3995 } 3996 3997 /* compute the minumum block size that will handle this frame. 3998 * The block has to be page size aligned. 3999 * The max block size allowed by the kernel is arch-dependent and 4000 * it's not explicitly checked here. */ 4001 req.tp_block_size = getpagesize(); 4002 while (req.tp_block_size < req.tp_frame_size) 4003 req.tp_block_size <<= 1; 4004 4005 frames_per_block = req.tp_block_size/req.tp_frame_size; 4006 4007 /* 4008 * PACKET_TIMESTAMP was added after linux/net_tstamp.h was, 4009 * so we check for PACKET_TIMESTAMP. We check for 4010 * linux/net_tstamp.h just in case a system somehow has 4011 * PACKET_TIMESTAMP but not linux/net_tstamp.h; that might 4012 * be unnecessary. 4013 * 4014 * SIOCSHWTSTAMP was introduced in the patch that introduced 4015 * linux/net_tstamp.h, so we don't bother checking whether 4016 * SIOCSHWTSTAMP is defined (if your Linux system has 4017 * linux/net_tstamp.h but doesn't define SIOCSHWTSTAMP, your 4018 * Linux system is badly broken). 4019 */ 4020 #if defined(HAVE_LINUX_NET_TSTAMP_H) && defined(PACKET_TIMESTAMP) 4021 /* 4022 * If we were told to do so, ask the kernel and the driver 4023 * to use hardware timestamps. 4024 * 4025 * Hardware timestamps are only supported with mmapped 4026 * captures. 4027 */ 4028 if (handle->opt.tstamp_type == PCAP_TSTAMP_ADAPTER || 4029 handle->opt.tstamp_type == PCAP_TSTAMP_ADAPTER_UNSYNCED) { 4030 struct hwtstamp_config hwconfig; 4031 struct ifreq ifr; 4032 int timesource; 4033 4034 /* 4035 * Ask for hardware time stamps on all packets, 4036 * including transmitted packets. 4037 */ 4038 memset(&hwconfig, 0, sizeof(hwconfig)); 4039 hwconfig.tx_type = HWTSTAMP_TX_ON; 4040 hwconfig.rx_filter = HWTSTAMP_FILTER_ALL; 4041 4042 memset(&ifr, 0, sizeof(ifr)); 4043 strlcpy(ifr.ifr_name, handle->opt.source, sizeof(ifr.ifr_name)); 4044 ifr.ifr_data = (void *)&hwconfig; 4045 4046 if (ioctl(handle->fd, SIOCSHWTSTAMP, &ifr) < 0) { 4047 switch (errno) { 4048 4049 case EPERM: 4050 /* 4051 * Treat this as an error, as the 4052 * user should try to run this 4053 * with the appropriate privileges - 4054 * and, if they can't, shouldn't 4055 * try requesting hardware time stamps. 4056 */ 4057 *status = PCAP_ERROR_PERM_DENIED; 4058 return -1; 4059 4060 case EOPNOTSUPP: 4061 /* 4062 * Treat this as a warning, as the 4063 * only way to fix the warning is to 4064 * get an adapter that supports hardware 4065 * time stamps. We'll just fall back 4066 * on the standard host time stamps. 4067 */ 4068 *status = PCAP_WARNING_TSTAMP_TYPE_NOTSUP; 4069 break; 4070 4071 default: 4072 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4073 "SIOCSHWTSTAMP failed: %s", 4074 pcap_strerror(errno)); 4075 *status = PCAP_ERROR; 4076 return -1; 4077 } 4078 } else { 4079 /* 4080 * Well, that worked. Now specify the type of 4081 * hardware time stamp we want for this 4082 * socket. 4083 */ 4084 if (handle->opt.tstamp_type == PCAP_TSTAMP_ADAPTER) { 4085 /* 4086 * Hardware timestamp, synchronized 4087 * with the system clock. 4088 */ 4089 timesource = SOF_TIMESTAMPING_SYS_HARDWARE; 4090 } else { 4091 /* 4092 * PCAP_TSTAMP_ADAPTER_UNSYNCED - hardware 4093 * timestamp, not synchronized with the 4094 * system clock. 4095 */ 4096 timesource = SOF_TIMESTAMPING_RAW_HARDWARE; 4097 } 4098 if (setsockopt(handle->fd, SOL_PACKET, PACKET_TIMESTAMP, 4099 (void *)×ource, sizeof(timesource))) { 4100 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4101 "can't set PACKET_TIMESTAMP: %s", 4102 pcap_strerror(errno)); 4103 *status = PCAP_ERROR; 4104 return -1; 4105 } 4106 } 4107 } 4108 #endif /* HAVE_LINUX_NET_TSTAMP_H && PACKET_TIMESTAMP */ 4109 4110 /* ask the kernel to create the ring */ 4111 retry: 4112 req.tp_block_nr = req.tp_frame_nr / frames_per_block; 4113 4114 /* req.tp_frame_nr is requested to match frames_per_block*req.tp_block_nr */ 4115 req.tp_frame_nr = req.tp_block_nr * frames_per_block; 4116 4117 #ifdef HAVE_TPACKET3 4118 /* timeout value to retire block - use the configured buffering timeout, or default if <0. */ 4119 req.tp_retire_blk_tov = (handlep->timeout>=0)?handlep->timeout:0; 4120 /* private data not used */ 4121 req.tp_sizeof_priv = 0; 4122 /* Rx ring - feature request bits - none (rxhash will not be filled) */ 4123 req.tp_feature_req_word = 0; 4124 #endif 4125 4126 if (setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, 4127 (void *) &req, sizeof(req))) { 4128 if ((errno == ENOMEM) && (req.tp_block_nr > 1)) { 4129 /* 4130 * Memory failure; try to reduce the requested ring 4131 * size. 4132 * 4133 * We used to reduce this by half -- do 5% instead. 4134 * That may result in more iterations and a longer 4135 * startup, but the user will be much happier with 4136 * the resulting buffer size. 4137 */ 4138 if (req.tp_frame_nr < 20) 4139 req.tp_frame_nr -= 1; 4140 else 4141 req.tp_frame_nr -= req.tp_frame_nr/20; 4142 goto retry; 4143 } 4144 if (errno == ENOPROTOOPT) { 4145 /* 4146 * We don't have ring buffer support in this kernel. 4147 */ 4148 return 0; 4149 } 4150 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4151 "can't create rx ring on packet socket: %s", 4152 pcap_strerror(errno)); 4153 *status = PCAP_ERROR; 4154 return -1; 4155 } 4156 4157 /* memory map the rx ring */ 4158 handlep->mmapbuflen = req.tp_block_nr * req.tp_block_size; 4159 handlep->mmapbuf = mmap(0, handlep->mmapbuflen, 4160 PROT_READ|PROT_WRITE, MAP_SHARED, handle->fd, 0); 4161 if (handlep->mmapbuf == MAP_FAILED) { 4162 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4163 "can't mmap rx ring: %s", pcap_strerror(errno)); 4164 4165 /* clear the allocated ring on error*/ 4166 destroy_ring(handle); 4167 *status = PCAP_ERROR; 4168 return -1; 4169 } 4170 4171 /* allocate a ring for each frame header pointer*/ 4172 handle->cc = req.tp_frame_nr; 4173 handle->buffer = malloc(handle->cc * sizeof(union thdr *)); 4174 if (!handle->buffer) { 4175 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4176 "can't allocate ring of frame headers: %s", 4177 pcap_strerror(errno)); 4178 4179 destroy_ring(handle); 4180 *status = PCAP_ERROR; 4181 return -1; 4182 } 4183 4184 /* fill the header ring with proper frame ptr*/ 4185 handle->offset = 0; 4186 for (i=0; i<req.tp_block_nr; ++i) { 4187 void *base = &handlep->mmapbuf[i*req.tp_block_size]; 4188 for (j=0; j<frames_per_block; ++j, ++handle->offset) { 4189 RING_GET_FRAME(handle) = base; 4190 base += req.tp_frame_size; 4191 } 4192 } 4193 4194 handle->bufsize = req.tp_frame_size; 4195 handle->offset = 0; 4196 return 1; 4197 } 4198 4199 /* free all ring related resources*/ 4200 static void 4201 destroy_ring(pcap_t *handle) 4202 { 4203 struct pcap_linux *handlep = handle->priv; 4204 4205 /* tell the kernel to destroy the ring*/ 4206 struct tpacket_req req; 4207 memset(&req, 0, sizeof(req)); 4208 /* do not test for setsockopt failure, as we can't recover from any error */ 4209 (void)setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, 4210 (void *) &req, sizeof(req)); 4211 4212 /* if ring is mapped, unmap it*/ 4213 if (handlep->mmapbuf) { 4214 /* do not test for mmap failure, as we can't recover from any error */ 4215 (void)munmap(handlep->mmapbuf, handlep->mmapbuflen); 4216 handlep->mmapbuf = NULL; 4217 } 4218 } 4219 4220 /* 4221 * Special one-shot callback, used for pcap_next() and pcap_next_ex(), 4222 * for Linux mmapped capture. 4223 * 4224 * The problem is that pcap_next() and pcap_next_ex() expect the packet 4225 * data handed to the callback to be valid after the callback returns, 4226 * but pcap_read_linux_mmap() has to release that packet as soon as 4227 * the callback returns (otherwise, the kernel thinks there's still 4228 * at least one unprocessed packet available in the ring, so a select() 4229 * will immediately return indicating that there's data to process), so, 4230 * in the callback, we have to make a copy of the packet. 4231 * 4232 * Yes, this means that, if the capture is using the ring buffer, using 4233 * pcap_next() or pcap_next_ex() requires more copies than using 4234 * pcap_loop() or pcap_dispatch(). If that bothers you, don't use 4235 * pcap_next() or pcap_next_ex(). 4236 */ 4237 static void 4238 pcap_oneshot_mmap(u_char *user, const struct pcap_pkthdr *h, 4239 const u_char *bytes) 4240 { 4241 struct oneshot_userdata *sp = (struct oneshot_userdata *)user; 4242 pcap_t *handle = sp->pd; 4243 struct pcap_linux *handlep = handle->priv; 4244 4245 *sp->hdr = *h; 4246 memcpy(handlep->oneshot_buffer, bytes, h->caplen); 4247 *sp->pkt = handlep->oneshot_buffer; 4248 } 4249 4250 static void 4251 pcap_cleanup_linux_mmap( pcap_t *handle ) 4252 { 4253 struct pcap_linux *handlep = handle->priv; 4254 4255 destroy_ring(handle); 4256 if (handlep->oneshot_buffer != NULL) { 4257 free(handlep->oneshot_buffer); 4258 handlep->oneshot_buffer = NULL; 4259 } 4260 pcap_cleanup_linux(handle); 4261 } 4262 4263 4264 static int 4265 pcap_getnonblock_mmap(pcap_t *p, char *errbuf) 4266 { 4267 struct pcap_linux *handlep = p->priv; 4268 4269 /* use negative value of timeout to indicate non blocking ops */ 4270 return (handlep->timeout<0); 4271 } 4272 4273 static int 4274 pcap_setnonblock_mmap(pcap_t *p, int nonblock, char *errbuf) 4275 { 4276 struct pcap_linux *handlep = p->priv; 4277 4278 /* 4279 * Set the file descriptor to non-blocking mode, as we use 4280 * it for sending packets. 4281 */ 4282 if (pcap_setnonblock_fd(p, nonblock, errbuf) == -1) 4283 return -1; 4284 4285 /* 4286 * Map each value to their corresponding negation to 4287 * preserve the timeout value provided with pcap_set_timeout. 4288 */ 4289 if (nonblock) { 4290 if (handlep->timeout >= 0) { 4291 /* 4292 * Indicate that we're switching to 4293 * non-blocking mode. 4294 */ 4295 handlep->timeout = ~handlep->timeout; 4296 } 4297 } else { 4298 if (handlep->timeout < 0) { 4299 handlep->timeout = ~handlep->timeout; 4300 } 4301 } 4302 return 0; 4303 } 4304 4305 static inline union thdr * 4306 pcap_get_ring_frame(pcap_t *handle, int status) 4307 { 4308 struct pcap_linux *handlep = handle->priv; 4309 union thdr h; 4310 4311 h.raw = RING_GET_FRAME(handle); 4312 switch (handlep->tp_version) { 4313 case TPACKET_V1: 4314 if (status != (h.h1->tp_status ? TP_STATUS_USER : 4315 TP_STATUS_KERNEL)) 4316 return NULL; 4317 break; 4318 case TPACKET_V1_64: 4319 if (status != (h.h1_64->tp_status ? TP_STATUS_USER : 4320 TP_STATUS_KERNEL)) 4321 return NULL; 4322 break; 4323 #ifdef HAVE_TPACKET2 4324 case TPACKET_V2: 4325 if (status != (h.h2->tp_status ? TP_STATUS_USER : 4326 TP_STATUS_KERNEL)) 4327 return NULL; 4328 break; 4329 #endif 4330 #ifdef HAVE_TPACKET3 4331 case TPACKET_V3: 4332 if (status != (h.h3->hdr.bh1.block_status ? TP_STATUS_USER : 4333 TP_STATUS_KERNEL)) 4334 return NULL; 4335 break; 4336 #endif 4337 } 4338 return h.raw; 4339 } 4340 4341 #ifndef POLLRDHUP 4342 #define POLLRDHUP 0 4343 #endif 4344 4345 /* wait for frames availability.*/ 4346 static int pcap_wait_for_frames_mmap(pcap_t *handle) 4347 { 4348 if (!pcap_get_ring_frame(handle, TP_STATUS_USER)) { 4349 struct pcap_linux *handlep = handle->priv; 4350 int timeout; 4351 char c; 4352 struct pollfd pollinfo; 4353 int ret; 4354 4355 pollinfo.fd = handle->fd; 4356 pollinfo.events = POLLIN; 4357 4358 if (handlep->timeout == 0) { 4359 #ifdef HAVE_TPACKET3 4360 /* 4361 * XXX - due to a set of (mis)features in the 4362 * TPACKET_V3 kernel code, blocking forever with 4363 * a TPACKET_V3 socket can, if few packets 4364 * are arriving and passing the socket filter, 4365 * cause most packets to be dropped. See 4366 * libpcap issue #335 for the full painful 4367 * story. The workaround is to have poll() 4368 * time out very quickly, so we grab the 4369 * frames handed to us, and return them to 4370 * the kernel, ASAP. 4371 * 4372 * If those issues are ever fixed, we might 4373 * want to check the kernel version and block 4374 * forever with TPACKET_V3 if we're running 4375 * with a kernel that has the fix. 4376 */ 4377 if (handlep->tp_version == TPACKET_V3) 4378 timeout = 1; /* don't block for very long */ 4379 else 4380 #endif 4381 timeout = -1; /* block forever */ 4382 } else if (handlep->timeout > 0) 4383 timeout = handlep->timeout; /* block for that amount of time */ 4384 else 4385 timeout = 0; /* non-blocking mode - poll to pick up errors */ 4386 do { 4387 ret = poll(&pollinfo, 1, timeout); 4388 if (ret < 0 && errno != EINTR) { 4389 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4390 "can't poll on packet socket: %s", 4391 pcap_strerror(errno)); 4392 return PCAP_ERROR; 4393 } else if (ret > 0 && 4394 (pollinfo.revents & (POLLHUP|POLLRDHUP|POLLERR|POLLNVAL))) { 4395 /* 4396 * There's some indication other than 4397 * "you can read on this descriptor" on 4398 * the descriptor. 4399 */ 4400 if (pollinfo.revents & (POLLHUP | POLLRDHUP)) { 4401 snprintf(handle->errbuf, 4402 PCAP_ERRBUF_SIZE, 4403 "Hangup on packet socket"); 4404 return PCAP_ERROR; 4405 } 4406 if (pollinfo.revents & POLLERR) { 4407 /* 4408 * A recv() will give us the 4409 * actual error code. 4410 * 4411 * XXX - make the socket non-blocking? 4412 */ 4413 if (recv(handle->fd, &c, sizeof c, 4414 MSG_PEEK) != -1) 4415 continue; /* what, no error? */ 4416 if (errno == ENETDOWN) { 4417 /* 4418 * The device on which we're 4419 * capturing went away. 4420 * 4421 * XXX - we should really return 4422 * PCAP_ERROR_IFACE_NOT_UP, 4423 * but pcap_dispatch() etc. 4424 * aren't defined to return 4425 * that. 4426 */ 4427 snprintf(handle->errbuf, 4428 PCAP_ERRBUF_SIZE, 4429 "The interface went down"); 4430 } else { 4431 snprintf(handle->errbuf, 4432 PCAP_ERRBUF_SIZE, 4433 "Error condition on packet socket: %s", 4434 strerror(errno)); 4435 } 4436 return PCAP_ERROR; 4437 } 4438 if (pollinfo.revents & POLLNVAL) { 4439 snprintf(handle->errbuf, 4440 PCAP_ERRBUF_SIZE, 4441 "Invalid polling request on packet socket"); 4442 return PCAP_ERROR; 4443 } 4444 } 4445 /* check for break loop condition on interrupted syscall*/ 4446 if (handle->break_loop) { 4447 handle->break_loop = 0; 4448 return PCAP_ERROR_BREAK; 4449 } 4450 } while (ret < 0); 4451 } 4452 return 0; 4453 } 4454 4455 /* handle a single memory mapped packet */ 4456 static int pcap_handle_packet_mmap( 4457 pcap_t *handle, 4458 pcap_handler callback, 4459 u_char *user, 4460 unsigned char *frame, 4461 unsigned int tp_len, 4462 unsigned int tp_mac, 4463 unsigned int tp_snaplen, 4464 unsigned int tp_sec, 4465 unsigned int tp_usec, 4466 int tp_vlan_tci_valid, 4467 __u16 tp_vlan_tci, 4468 __u16 tp_vlan_tpid) 4469 { 4470 struct pcap_linux *handlep = handle->priv; 4471 unsigned char *bp; 4472 struct sockaddr_ll *sll; 4473 struct pcap_pkthdr pcaphdr; 4474 4475 /* perform sanity check on internal offset. */ 4476 if (tp_mac + tp_snaplen > handle->bufsize) { 4477 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4478 "corrupted frame on kernel ring mac " 4479 "offset %u + caplen %u > frame len %d", 4480 tp_mac, tp_snaplen, handle->bufsize); 4481 return -1; 4482 } 4483 4484 /* run filter on received packet 4485 * If the kernel filtering is enabled we need to run the 4486 * filter until all the frames present into the ring 4487 * at filter creation time are processed. 4488 * In this case, blocks_to_filter_in_userland is used 4489 * as a counter for the packet we need to filter. 4490 * Note: alternatively it could be possible to stop applying 4491 * the filter when the ring became empty, but it can possibly 4492 * happen a lot later... */ 4493 bp = frame + tp_mac; 4494 4495 /* if required build in place the sll header*/ 4496 sll = (void *)frame + TPACKET_ALIGN(handlep->tp_hdrlen); 4497 if (handlep->cooked) { 4498 struct sll_header *hdrp; 4499 4500 /* 4501 * The kernel should have left us with enough 4502 * space for an sll header; back up the packet 4503 * data pointer into that space, as that'll be 4504 * the beginning of the packet we pass to the 4505 * callback. 4506 */ 4507 bp -= SLL_HDR_LEN; 4508 4509 /* 4510 * Let's make sure that's past the end of 4511 * the tpacket header, i.e. >= 4512 * ((u_char *)thdr + TPACKET_HDRLEN), so we 4513 * don't step on the header when we construct 4514 * the sll header. 4515 */ 4516 if (bp < (u_char *)frame + 4517 TPACKET_ALIGN(handlep->tp_hdrlen) + 4518 sizeof(struct sockaddr_ll)) { 4519 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 4520 "cooked-mode frame doesn't have room for sll header"); 4521 return -1; 4522 } 4523 4524 /* 4525 * OK, that worked; construct the sll header. 4526 */ 4527 hdrp = (struct sll_header *)bp; 4528 hdrp->sll_pkttype = map_packet_type_to_sll_type( 4529 sll->sll_pkttype); 4530 hdrp->sll_hatype = htons(sll->sll_hatype); 4531 hdrp->sll_halen = htons(sll->sll_halen); 4532 memcpy(hdrp->sll_addr, sll->sll_addr, SLL_ADDRLEN); 4533 hdrp->sll_protocol = sll->sll_protocol; 4534 } 4535 4536 if (handlep->filter_in_userland && handle->fcode.bf_insns) { 4537 struct bpf_aux_data aux_data; 4538 4539 aux_data.vlan_tag = tp_vlan_tci & 0x0fff; 4540 aux_data.vlan_tag_present = tp_vlan_tci_valid; 4541 4542 if (bpf_filter_with_aux_data(handle->fcode.bf_insns, bp, 4543 tp_len, tp_snaplen, &aux_data) == 0) 4544 return 0; 4545 } 4546 4547 if (!linux_check_direction(handle, sll)) 4548 return 0; 4549 4550 /* get required packet info from ring header */ 4551 pcaphdr.ts.tv_sec = tp_sec; 4552 pcaphdr.ts.tv_usec = tp_usec; 4553 pcaphdr.caplen = tp_snaplen; 4554 pcaphdr.len = tp_len; 4555 4556 /* if required build in place the sll header*/ 4557 if (handlep->cooked) { 4558 /* update packet len */ 4559 pcaphdr.caplen += SLL_HDR_LEN; 4560 pcaphdr.len += SLL_HDR_LEN; 4561 } 4562 4563 #if defined(HAVE_TPACKET2) || defined(HAVE_TPACKET3) 4564 if (tp_vlan_tci_valid && 4565 handlep->vlan_offset != -1 && 4566 tp_snaplen >= (unsigned int) handlep->vlan_offset) 4567 { 4568 struct vlan_tag *tag; 4569 4570 bp -= VLAN_TAG_LEN; 4571 memmove(bp, bp + VLAN_TAG_LEN, handlep->vlan_offset); 4572 4573 tag = (struct vlan_tag *)(bp + handlep->vlan_offset); 4574 tag->vlan_tpid = htons(tp_vlan_tpid); 4575 tag->vlan_tci = htons(tp_vlan_tci); 4576 4577 pcaphdr.caplen += VLAN_TAG_LEN; 4578 pcaphdr.len += VLAN_TAG_LEN; 4579 } 4580 #endif 4581 4582 /* 4583 * The only way to tell the kernel to cut off the 4584 * packet at a snapshot length is with a filter program; 4585 * if there's no filter program, the kernel won't cut 4586 * the packet off. 4587 * 4588 * Trim the snapshot length to be no longer than the 4589 * specified snapshot length. 4590 */ 4591 if (pcaphdr.caplen > handle->snapshot) 4592 pcaphdr.caplen = handle->snapshot; 4593 4594 /* pass the packet to the user */ 4595 callback(user, &pcaphdr, bp); 4596 4597 return 1; 4598 } 4599 4600 static int 4601 pcap_read_linux_mmap_v1(pcap_t *handle, int max_packets, pcap_handler callback, 4602 u_char *user) 4603 { 4604 struct pcap_linux *handlep = handle->priv; 4605 int pkts = 0; 4606 int ret; 4607 4608 /* wait for frames availability.*/ 4609 ret = pcap_wait_for_frames_mmap(handle); 4610 if (ret) { 4611 return ret; 4612 } 4613 4614 /* non-positive values of max_packets are used to require all 4615 * packets currently available in the ring */ 4616 while ((pkts < max_packets) || PACKET_COUNT_IS_UNLIMITED(max_packets)) { 4617 union thdr h; 4618 4619 h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 4620 if (!h.raw) 4621 break; 4622 4623 ret = pcap_handle_packet_mmap( 4624 handle, 4625 callback, 4626 user, 4627 h.raw, 4628 h.h1->tp_len, 4629 h.h1->tp_mac, 4630 h.h1->tp_snaplen, 4631 h.h1->tp_sec, 4632 h.h1->tp_usec, 4633 0, 4634 0, 4635 0); 4636 if (ret == 1) { 4637 pkts++; 4638 handlep->packets_read++; 4639 } else if (ret < 0) { 4640 return ret; 4641 } 4642 4643 /* 4644 * Hand this block back to the kernel, and, if we're 4645 * counting blocks that need to be filtered in userland 4646 * after having been filtered by the kernel, count 4647 * the one we've just processed. 4648 */ 4649 h.h1->tp_status = TP_STATUS_KERNEL; 4650 if (handlep->blocks_to_filter_in_userland > 0) { 4651 handlep->blocks_to_filter_in_userland--; 4652 if (handlep->blocks_to_filter_in_userland == 0) { 4653 /* 4654 * No more blocks need to be filtered 4655 * in userland. 4656 */ 4657 handlep->filter_in_userland = 0; 4658 } 4659 } 4660 4661 /* next block */ 4662 if (++handle->offset >= handle->cc) 4663 handle->offset = 0; 4664 4665 /* check for break loop condition*/ 4666 if (handle->break_loop) { 4667 handle->break_loop = 0; 4668 return PCAP_ERROR_BREAK; 4669 } 4670 } 4671 return pkts; 4672 } 4673 4674 static int 4675 pcap_read_linux_mmap_v1_64(pcap_t *handle, int max_packets, pcap_handler callback, 4676 u_char *user) 4677 { 4678 struct pcap_linux *handlep = handle->priv; 4679 int pkts = 0; 4680 int ret; 4681 4682 /* wait for frames availability.*/ 4683 ret = pcap_wait_for_frames_mmap(handle); 4684 if (ret) { 4685 return ret; 4686 } 4687 4688 /* non-positive values of max_packets are used to require all 4689 * packets currently available in the ring */ 4690 while ((pkts < max_packets) || PACKET_COUNT_IS_UNLIMITED(max_packets)) { 4691 union thdr h; 4692 4693 h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 4694 if (!h.raw) 4695 break; 4696 4697 ret = pcap_handle_packet_mmap( 4698 handle, 4699 callback, 4700 user, 4701 h.raw, 4702 h.h1_64->tp_len, 4703 h.h1_64->tp_mac, 4704 h.h1_64->tp_snaplen, 4705 h.h1_64->tp_sec, 4706 h.h1_64->tp_usec, 4707 0, 4708 0, 4709 0); 4710 if (ret == 1) { 4711 pkts++; 4712 handlep->packets_read++; 4713 } else if (ret < 0) { 4714 return ret; 4715 } 4716 4717 /* 4718 * Hand this block back to the kernel, and, if we're 4719 * counting blocks that need to be filtered in userland 4720 * after having been filtered by the kernel, count 4721 * the one we've just processed. 4722 */ 4723 h.h1_64->tp_status = TP_STATUS_KERNEL; 4724 if (handlep->blocks_to_filter_in_userland > 0) { 4725 handlep->blocks_to_filter_in_userland--; 4726 if (handlep->blocks_to_filter_in_userland == 0) { 4727 /* 4728 * No more blocks need to be filtered 4729 * in userland. 4730 */ 4731 handlep->filter_in_userland = 0; 4732 } 4733 } 4734 4735 /* next block */ 4736 if (++handle->offset >= handle->cc) 4737 handle->offset = 0; 4738 4739 /* check for break loop condition*/ 4740 if (handle->break_loop) { 4741 handle->break_loop = 0; 4742 return PCAP_ERROR_BREAK; 4743 } 4744 } 4745 return pkts; 4746 } 4747 4748 #ifdef HAVE_TPACKET2 4749 static int 4750 pcap_read_linux_mmap_v2(pcap_t *handle, int max_packets, pcap_handler callback, 4751 u_char *user) 4752 { 4753 struct pcap_linux *handlep = handle->priv; 4754 int pkts = 0; 4755 int ret; 4756 4757 /* wait for frames availability.*/ 4758 ret = pcap_wait_for_frames_mmap(handle); 4759 if (ret) { 4760 return ret; 4761 } 4762 4763 /* non-positive values of max_packets are used to require all 4764 * packets currently available in the ring */ 4765 while ((pkts < max_packets) || PACKET_COUNT_IS_UNLIMITED(max_packets)) { 4766 union thdr h; 4767 4768 h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 4769 if (!h.raw) 4770 break; 4771 4772 ret = pcap_handle_packet_mmap( 4773 handle, 4774 callback, 4775 user, 4776 h.raw, 4777 h.h2->tp_len, 4778 h.h2->tp_mac, 4779 h.h2->tp_snaplen, 4780 h.h2->tp_sec, 4781 handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO ? h.h2->tp_nsec : h.h2->tp_nsec / 1000, 4782 #if defined(TP_STATUS_VLAN_VALID) 4783 (h.h2->tp_vlan_tci || (h.h2->tp_status & TP_STATUS_VLAN_VALID)), 4784 #else 4785 h.h2->tp_vlan_tci != 0, 4786 #endif 4787 h.h2->tp_vlan_tci, 4788 VLAN_TPID(h.h2, h.h2)); 4789 if (ret == 1) { 4790 pkts++; 4791 handlep->packets_read++; 4792 } else if (ret < 0) { 4793 return ret; 4794 } 4795 4796 /* 4797 * Hand this block back to the kernel, and, if we're 4798 * counting blocks that need to be filtered in userland 4799 * after having been filtered by the kernel, count 4800 * the one we've just processed. 4801 */ 4802 h.h2->tp_status = TP_STATUS_KERNEL; 4803 if (handlep->blocks_to_filter_in_userland > 0) { 4804 handlep->blocks_to_filter_in_userland--; 4805 if (handlep->blocks_to_filter_in_userland == 0) { 4806 /* 4807 * No more blocks need to be filtered 4808 * in userland. 4809 */ 4810 handlep->filter_in_userland = 0; 4811 } 4812 } 4813 4814 /* next block */ 4815 if (++handle->offset >= handle->cc) 4816 handle->offset = 0; 4817 4818 /* check for break loop condition*/ 4819 if (handle->break_loop) { 4820 handle->break_loop = 0; 4821 return PCAP_ERROR_BREAK; 4822 } 4823 } 4824 return pkts; 4825 } 4826 #endif /* HAVE_TPACKET2 */ 4827 4828 #ifdef HAVE_TPACKET3 4829 static int 4830 pcap_read_linux_mmap_v3(pcap_t *handle, int max_packets, pcap_handler callback, 4831 u_char *user) 4832 { 4833 struct pcap_linux *handlep = handle->priv; 4834 union thdr h; 4835 int pkts = 0; 4836 int ret; 4837 4838 again: 4839 if (handlep->current_packet == NULL) { 4840 /* wait for frames availability.*/ 4841 ret = pcap_wait_for_frames_mmap(handle); 4842 if (ret) { 4843 return ret; 4844 } 4845 } 4846 h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 4847 if (!h.raw) { 4848 if (pkts == 0 && handlep->timeout == 0) { 4849 /* Block until we see a packet. */ 4850 goto again; 4851 } 4852 return pkts; 4853 } 4854 4855 /* non-positive values of max_packets are used to require all 4856 * packets currently available in the ring */ 4857 while ((pkts < max_packets) || PACKET_COUNT_IS_UNLIMITED(max_packets)) { 4858 if (handlep->current_packet == NULL) { 4859 h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 4860 if (!h.raw) 4861 break; 4862 4863 handlep->current_packet = h.raw + h.h3->hdr.bh1.offset_to_first_pkt; 4864 handlep->packets_left = h.h3->hdr.bh1.num_pkts; 4865 } 4866 int packets_to_read = handlep->packets_left; 4867 4868 if (!PACKET_COUNT_IS_UNLIMITED(max_packets) && packets_to_read > max_packets) { 4869 packets_to_read = max_packets; 4870 } 4871 4872 while(packets_to_read--) { 4873 struct tpacket3_hdr* tp3_hdr = (struct tpacket3_hdr*) handlep->current_packet; 4874 ret = pcap_handle_packet_mmap( 4875 handle, 4876 callback, 4877 user, 4878 handlep->current_packet, 4879 tp3_hdr->tp_len, 4880 tp3_hdr->tp_mac, 4881 tp3_hdr->tp_snaplen, 4882 tp3_hdr->tp_sec, 4883 handle->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO ? tp3_hdr->tp_nsec : tp3_hdr->tp_nsec / 1000, 4884 #if defined(TP_STATUS_VLAN_VALID) 4885 (tp3_hdr->hv1.tp_vlan_tci || (tp3_hdr->tp_status & TP_STATUS_VLAN_VALID)), 4886 #else 4887 tp3_hdr->hv1.tp_vlan_tci != 0, 4888 #endif 4889 tp3_hdr->hv1.tp_vlan_tci, 4890 VLAN_TPID(tp3_hdr, &tp3_hdr->hv1)); 4891 if (ret == 1) { 4892 pkts++; 4893 handlep->packets_read++; 4894 } else if (ret < 0) { 4895 handlep->current_packet = NULL; 4896 return ret; 4897 } 4898 handlep->current_packet += tp3_hdr->tp_next_offset; 4899 handlep->packets_left--; 4900 } 4901 4902 if (handlep->packets_left <= 0) { 4903 /* 4904 * Hand this block back to the kernel, and, if 4905 * we're counting blocks that need to be 4906 * filtered in userland after having been 4907 * filtered by the kernel, count the one we've 4908 * just processed. 4909 */ 4910 h.h3->hdr.bh1.block_status = TP_STATUS_KERNEL; 4911 if (handlep->blocks_to_filter_in_userland > 0) { 4912 handlep->blocks_to_filter_in_userland--; 4913 if (handlep->blocks_to_filter_in_userland == 0) { 4914 /* 4915 * No more blocks need to be filtered 4916 * in userland. 4917 */ 4918 handlep->filter_in_userland = 0; 4919 } 4920 } 4921 4922 /* next block */ 4923 if (++handle->offset >= handle->cc) 4924 handle->offset = 0; 4925 4926 handlep->current_packet = NULL; 4927 } 4928 4929 /* check for break loop condition*/ 4930 if (handle->break_loop) { 4931 handle->break_loop = 0; 4932 return PCAP_ERROR_BREAK; 4933 } 4934 } 4935 if (pkts == 0 && handlep->timeout == 0) { 4936 /* Block until we see a packet. */ 4937 goto again; 4938 } 4939 return pkts; 4940 } 4941 #endif /* HAVE_TPACKET3 */ 4942 4943 static int 4944 pcap_setfilter_linux_mmap(pcap_t *handle, struct bpf_program *filter) 4945 { 4946 struct pcap_linux *handlep = handle->priv; 4947 int n, offset; 4948 int ret; 4949 4950 /* 4951 * Don't rewrite "ret" instructions; we don't need to, as 4952 * we're not reading packets with recvmsg(), and we don't 4953 * want to, as, by not rewriting them, the kernel can avoid 4954 * copying extra data. 4955 */ 4956 ret = pcap_setfilter_linux_common(handle, filter, 1); 4957 if (ret < 0) 4958 return ret; 4959 4960 /* 4961 * If we're filtering in userland, there's nothing to do; 4962 * the new filter will be used for the next packet. 4963 */ 4964 if (handlep->filter_in_userland) 4965 return ret; 4966 4967 /* 4968 * We're filtering in the kernel; the packets present in 4969 * all blocks currently in the ring were already filtered 4970 * by the old filter, and so will need to be filtered in 4971 * userland by the new filter. 4972 * 4973 * Get an upper bound for the number of such blocks; first, 4974 * walk the ring backward and count the free blocks. 4975 */ 4976 offset = handle->offset; 4977 if (--handle->offset < 0) 4978 handle->offset = handle->cc - 1; 4979 for (n=0; n < handle->cc; ++n) { 4980 if (--handle->offset < 0) 4981 handle->offset = handle->cc - 1; 4982 if (!pcap_get_ring_frame(handle, TP_STATUS_KERNEL)) 4983 break; 4984 } 4985 4986 /* 4987 * If we found free blocks, decrement the count of free 4988 * blocks by 1, just in case we lost a race with another 4989 * thread of control that was adding a packet while 4990 * we were counting and that had run the filter before 4991 * we changed it. 4992 * 4993 * XXX - could there be more than one block added in 4994 * this fashion? 4995 * 4996 * XXX - is there a way to avoid that race, e.g. somehow 4997 * wait for all packets that passed the old filter to 4998 * be added to the ring? 4999 */ 5000 if (n != 0) 5001 n--; 5002 5003 /* be careful to not change current ring position */ 5004 handle->offset = offset; 5005 5006 /* 5007 * Set the count of blocks worth of packets to filter 5008 * in userland to the total number of blocks in the 5009 * ring minus the number of free blocks we found, and 5010 * turn on userland filtering. (The count of blocks 5011 * worth of packets to filter in userland is guaranteed 5012 * not to be zero - n, above, couldn't be set to a 5013 * value > handle->cc, and if it were equal to 5014 * handle->cc, it wouldn't be zero, and thus would 5015 * be decremented to handle->cc - 1.) 5016 */ 5017 handlep->blocks_to_filter_in_userland = handle->cc - n; 5018 handlep->filter_in_userland = 1; 5019 return ret; 5020 } 5021 5022 #endif /* HAVE_PACKET_RING */ 5023 5024 5025 #ifdef HAVE_PF_PACKET_SOCKETS 5026 /* 5027 * Return the index of the given device name. Fill ebuf and return 5028 * -1 on failure. 5029 */ 5030 static int 5031 iface_get_id(int fd, const char *device, char *ebuf) 5032 { 5033 struct ifreq ifr; 5034 5035 memset(&ifr, 0, sizeof(ifr)); 5036 strlcpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 5037 5038 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 5039 snprintf(ebuf, PCAP_ERRBUF_SIZE, 5040 "SIOCGIFINDEX: %s", pcap_strerror(errno)); 5041 return -1; 5042 } 5043 5044 return ifr.ifr_ifindex; 5045 } 5046 5047 /* 5048 * Bind the socket associated with FD to the given device. 5049 * Return 1 on success, 0 if we should try a SOCK_PACKET socket, 5050 * or a PCAP_ERROR_ value on a hard error. 5051 */ 5052 static int 5053 iface_bind(int fd, int ifindex, char *ebuf) 5054 { 5055 struct sockaddr_ll sll; 5056 int err; 5057 socklen_t errlen = sizeof(err); 5058 5059 memset(&sll, 0, sizeof(sll)); 5060 sll.sll_family = AF_PACKET; 5061 sll.sll_ifindex = ifindex; 5062 sll.sll_protocol = htons(ETH_P_ALL); 5063 5064 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 5065 if (errno == ENETDOWN) { 5066 /* 5067 * Return a "network down" indication, so that 5068 * the application can report that rather than 5069 * saying we had a mysterious failure and 5070 * suggest that they report a problem to the 5071 * libpcap developers. 5072 */ 5073 return PCAP_ERROR_IFACE_NOT_UP; 5074 } else { 5075 snprintf(ebuf, PCAP_ERRBUF_SIZE, 5076 "bind: %s", pcap_strerror(errno)); 5077 return PCAP_ERROR; 5078 } 5079 } 5080 5081 /* Any pending errors, e.g., network is down? */ 5082 5083 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 5084 snprintf(ebuf, PCAP_ERRBUF_SIZE, 5085 "getsockopt: %s", pcap_strerror(errno)); 5086 return 0; 5087 } 5088 5089 if (err == ENETDOWN) { 5090 /* 5091 * Return a "network down" indication, so that 5092 * the application can report that rather than 5093 * saying we had a mysterious failure and 5094 * suggest that they report a problem to the 5095 * libpcap developers. 5096 */ 5097 return PCAP_ERROR_IFACE_NOT_UP; 5098 } else if (err > 0) { 5099 snprintf(ebuf, PCAP_ERRBUF_SIZE, 5100 "bind: %s", pcap_strerror(err)); 5101 return 0; 5102 } 5103 5104 return 1; 5105 } 5106 5107 #ifdef IW_MODE_MONITOR 5108 /* 5109 * Check whether the device supports the Wireless Extensions. 5110 * Returns 1 if it does, 0 if it doesn't, PCAP_ERROR_NO_SUCH_DEVICE 5111 * if the device doesn't even exist. 5112 */ 5113 static int 5114 has_wext(int sock_fd, const char *device, char *ebuf) 5115 { 5116 struct iwreq ireq; 5117 5118 if (is_bonding_device(sock_fd, device)) 5119 return 0; /* bonding device, so don't even try */ 5120 5121 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5122 sizeof ireq.ifr_ifrn.ifrn_name); 5123 if (ioctl(sock_fd, SIOCGIWNAME, &ireq) >= 0) 5124 return 1; /* yes */ 5125 snprintf(ebuf, PCAP_ERRBUF_SIZE, 5126 "%s: SIOCGIWNAME: %s", device, pcap_strerror(errno)); 5127 if (errno == ENODEV) 5128 return PCAP_ERROR_NO_SUCH_DEVICE; 5129 return 0; 5130 } 5131 5132 /* 5133 * Per me si va ne la citta dolente, 5134 * Per me si va ne l'etterno dolore, 5135 * ... 5136 * Lasciate ogne speranza, voi ch'intrate. 5137 * 5138 * XXX - airmon-ng does special stuff with the Orinoco driver and the 5139 * wlan-ng driver. 5140 */ 5141 typedef enum { 5142 MONITOR_WEXT, 5143 MONITOR_HOSTAP, 5144 MONITOR_PRISM, 5145 MONITOR_PRISM54, 5146 MONITOR_ACX100, 5147 MONITOR_RT2500, 5148 MONITOR_RT2570, 5149 MONITOR_RT73, 5150 MONITOR_RTL8XXX 5151 } monitor_type; 5152 5153 /* 5154 * Use the Wireless Extensions, if we have them, to try to turn monitor mode 5155 * on if it's not already on. 5156 * 5157 * Returns 1 on success, 0 if we don't support the Wireless Extensions 5158 * on this device, or a PCAP_ERROR_ value if we do support them but 5159 * we weren't able to turn monitor mode on. 5160 */ 5161 static int 5162 enter_rfmon_mode_wext(pcap_t *handle, int sock_fd, const char *device) 5163 { 5164 /* 5165 * XXX - at least some adapters require non-Wireless Extensions 5166 * mechanisms to turn monitor mode on. 5167 * 5168 * Atheros cards might require that a separate "monitor virtual access 5169 * point" be created, with later versions of the madwifi driver. 5170 * airmon-ng does "wlanconfig ath create wlandev {if} wlanmode 5171 * monitor -bssid", which apparently spits out a line "athN" 5172 * where "athN" is the monitor mode device. To leave monitor 5173 * mode, it destroys the monitor mode device. 5174 * 5175 * Some Intel Centrino adapters might require private ioctls to get 5176 * radio headers; the ipw2200 and ipw3945 drivers allow you to 5177 * configure a separate "rtapN" interface to capture in monitor 5178 * mode without preventing the adapter from operating normally. 5179 * (airmon-ng doesn't appear to use that, though.) 5180 * 5181 * It would be Truly Wonderful if mac80211 and nl80211 cleaned this 5182 * up, and if all drivers were converted to mac80211 drivers. 5183 * 5184 * If interface {if} is a mac80211 driver, the file 5185 * /sys/class/net/{if}/phy80211 is a symlink to 5186 * /sys/class/ieee80211/{phydev}, for some {phydev}. 5187 * 5188 * On Fedora 9, with a 2.6.26.3-29 kernel, my Zydas stick, at 5189 * least, has a "wmaster0" device and a "wlan0" device; the 5190 * latter is the one with the IP address. Both show up in 5191 * "tcpdump -D" output. Capturing on the wmaster0 device 5192 * captures with 802.11 headers. 5193 * 5194 * airmon-ng searches through /sys/class/net for devices named 5195 * monN, starting with mon0; as soon as one *doesn't* exist, 5196 * it chooses that as the monitor device name. If the "iw" 5197 * command exists, it does "iw dev {if} interface add {monif} 5198 * type monitor", where {monif} is the monitor device. It 5199 * then (sigh) sleeps .1 second, and then configures the 5200 * device up. Otherwise, if /sys/class/ieee80211/{phydev}/add_iface 5201 * is a file, it writes {mondev}, without a newline, to that file, 5202 * and again (sigh) sleeps .1 second, and then iwconfig's that 5203 * device into monitor mode and configures it up. Otherwise, 5204 * you can't do monitor mode. 5205 * 5206 * All these devices are "glued" together by having the 5207 * /sys/class/net/{device}/phy80211 links pointing to the same 5208 * place, so, given a wmaster, wlan, or mon device, you can 5209 * find the other devices by looking for devices with 5210 * the same phy80211 link. 5211 * 5212 * To turn monitor mode off, delete the monitor interface, 5213 * either with "iw dev {monif} interface del" or by sending 5214 * {monif}, with no NL, down /sys/class/ieee80211/{phydev}/remove_iface 5215 * 5216 * Note: if you try to create a monitor device named "monN", and 5217 * there's already a "monN" device, it fails, as least with 5218 * the netlink interface (which is what iw uses), with a return 5219 * value of -ENFILE. (Return values are negative errnos.) We 5220 * could probably use that to find an unused device. 5221 */ 5222 struct pcap_linux *handlep = handle->priv; 5223 int err; 5224 struct iwreq ireq; 5225 struct iw_priv_args *priv; 5226 monitor_type montype; 5227 int i; 5228 __u32 cmd; 5229 struct ifreq ifr; 5230 int oldflags; 5231 int args[2]; 5232 int channel; 5233 5234 /* 5235 * Does this device *support* the Wireless Extensions? 5236 */ 5237 err = has_wext(sock_fd, device, handle->errbuf); 5238 if (err <= 0) 5239 return err; /* either it doesn't or the device doesn't even exist */ 5240 /* 5241 * Start out assuming we have no private extensions to control 5242 * radio metadata. 5243 */ 5244 montype = MONITOR_WEXT; 5245 cmd = 0; 5246 5247 /* 5248 * Try to get all the Wireless Extensions private ioctls 5249 * supported by this device. 5250 * 5251 * First, get the size of the buffer we need, by supplying no 5252 * buffer and a length of 0. If the device supports private 5253 * ioctls, it should return E2BIG, with ireq.u.data.length set 5254 * to the length we need. If it doesn't support them, it should 5255 * return EOPNOTSUPP. 5256 */ 5257 memset(&ireq, 0, sizeof ireq); 5258 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5259 sizeof ireq.ifr_ifrn.ifrn_name); 5260 ireq.u.data.pointer = (void *)args; 5261 ireq.u.data.length = 0; 5262 ireq.u.data.flags = 0; 5263 if (ioctl(sock_fd, SIOCGIWPRIV, &ireq) != -1) { 5264 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5265 "%s: SIOCGIWPRIV with a zero-length buffer didn't fail!", 5266 device); 5267 return PCAP_ERROR; 5268 } 5269 if (errno != EOPNOTSUPP) { 5270 /* 5271 * OK, it's not as if there are no private ioctls. 5272 */ 5273 if (errno != E2BIG) { 5274 /* 5275 * Failed. 5276 */ 5277 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5278 "%s: SIOCGIWPRIV: %s", device, 5279 pcap_strerror(errno)); 5280 return PCAP_ERROR; 5281 } 5282 5283 /* 5284 * OK, try to get the list of private ioctls. 5285 */ 5286 priv = malloc(ireq.u.data.length * sizeof (struct iw_priv_args)); 5287 if (priv == NULL) { 5288 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5289 "malloc: %s", pcap_strerror(errno)); 5290 return PCAP_ERROR; 5291 } 5292 ireq.u.data.pointer = (void *)priv; 5293 if (ioctl(sock_fd, SIOCGIWPRIV, &ireq) == -1) { 5294 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5295 "%s: SIOCGIWPRIV: %s", device, 5296 pcap_strerror(errno)); 5297 free(priv); 5298 return PCAP_ERROR; 5299 } 5300 5301 /* 5302 * Look for private ioctls to turn monitor mode on or, if 5303 * monitor mode is on, to set the header type. 5304 */ 5305 for (i = 0; i < ireq.u.data.length; i++) { 5306 if (strcmp(priv[i].name, "monitor_type") == 0) { 5307 /* 5308 * Hostap driver, use this one. 5309 * Set monitor mode first. 5310 * You can set it to 0 to get DLT_IEEE80211, 5311 * 1 to get DLT_PRISM, 2 to get 5312 * DLT_IEEE80211_RADIO_AVS, and, with more 5313 * recent versions of the driver, 3 to get 5314 * DLT_IEEE80211_RADIO. 5315 */ 5316 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 5317 break; 5318 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 5319 break; 5320 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 5321 break; 5322 montype = MONITOR_HOSTAP; 5323 cmd = priv[i].cmd; 5324 break; 5325 } 5326 if (strcmp(priv[i].name, "set_prismhdr") == 0) { 5327 /* 5328 * Prism54 driver, use this one. 5329 * Set monitor mode first. 5330 * You can set it to 2 to get DLT_IEEE80211 5331 * or 3 or get DLT_PRISM. 5332 */ 5333 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 5334 break; 5335 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 5336 break; 5337 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 5338 break; 5339 montype = MONITOR_PRISM54; 5340 cmd = priv[i].cmd; 5341 break; 5342 } 5343 if (strcmp(priv[i].name, "forceprismheader") == 0) { 5344 /* 5345 * RT2570 driver, use this one. 5346 * Do this after turning monitor mode on. 5347 * You can set it to 1 to get DLT_PRISM or 2 5348 * to get DLT_IEEE80211. 5349 */ 5350 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 5351 break; 5352 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 5353 break; 5354 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 5355 break; 5356 montype = MONITOR_RT2570; 5357 cmd = priv[i].cmd; 5358 break; 5359 } 5360 if (strcmp(priv[i].name, "forceprism") == 0) { 5361 /* 5362 * RT73 driver, use this one. 5363 * Do this after turning monitor mode on. 5364 * Its argument is a *string*; you can 5365 * set it to "1" to get DLT_PRISM or "2" 5366 * to get DLT_IEEE80211. 5367 */ 5368 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_CHAR) 5369 break; 5370 if (priv[i].set_args & IW_PRIV_SIZE_FIXED) 5371 break; 5372 montype = MONITOR_RT73; 5373 cmd = priv[i].cmd; 5374 break; 5375 } 5376 if (strcmp(priv[i].name, "prismhdr") == 0) { 5377 /* 5378 * One of the RTL8xxx drivers, use this one. 5379 * It can only be done after monitor mode 5380 * has been turned on. You can set it to 1 5381 * to get DLT_PRISM or 0 to get DLT_IEEE80211. 5382 */ 5383 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 5384 break; 5385 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 5386 break; 5387 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 5388 break; 5389 montype = MONITOR_RTL8XXX; 5390 cmd = priv[i].cmd; 5391 break; 5392 } 5393 if (strcmp(priv[i].name, "rfmontx") == 0) { 5394 /* 5395 * RT2500 or RT61 driver, use this one. 5396 * It has one one-byte parameter; set 5397 * u.data.length to 1 and u.data.pointer to 5398 * point to the parameter. 5399 * It doesn't itself turn monitor mode on. 5400 * You can set it to 1 to allow transmitting 5401 * in monitor mode(?) and get DLT_IEEE80211, 5402 * or set it to 0 to disallow transmitting in 5403 * monitor mode(?) and get DLT_PRISM. 5404 */ 5405 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 5406 break; 5407 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 2) 5408 break; 5409 montype = MONITOR_RT2500; 5410 cmd = priv[i].cmd; 5411 break; 5412 } 5413 if (strcmp(priv[i].name, "monitor") == 0) { 5414 /* 5415 * Either ACX100 or hostap, use this one. 5416 * It turns monitor mode on. 5417 * If it takes two arguments, it's ACX100; 5418 * the first argument is 1 for DLT_PRISM 5419 * or 2 for DLT_IEEE80211, and the second 5420 * argument is the channel on which to 5421 * run. If it takes one argument, it's 5422 * HostAP, and the argument is 2 for 5423 * DLT_IEEE80211 and 3 for DLT_PRISM. 5424 * 5425 * If we see this, we don't quit, as this 5426 * might be a version of the hostap driver 5427 * that also supports "monitor_type". 5428 */ 5429 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 5430 break; 5431 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 5432 break; 5433 switch (priv[i].set_args & IW_PRIV_SIZE_MASK) { 5434 5435 case 1: 5436 montype = MONITOR_PRISM; 5437 cmd = priv[i].cmd; 5438 break; 5439 5440 case 2: 5441 montype = MONITOR_ACX100; 5442 cmd = priv[i].cmd; 5443 break; 5444 5445 default: 5446 break; 5447 } 5448 } 5449 } 5450 free(priv); 5451 } 5452 5453 /* 5454 * XXX - ipw3945? islism? 5455 */ 5456 5457 /* 5458 * Get the old mode. 5459 */ 5460 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5461 sizeof ireq.ifr_ifrn.ifrn_name); 5462 if (ioctl(sock_fd, SIOCGIWMODE, &ireq) == -1) { 5463 /* 5464 * We probably won't be able to set the mode, either. 5465 */ 5466 return PCAP_ERROR_RFMON_NOTSUP; 5467 } 5468 5469 /* 5470 * Is it currently in monitor mode? 5471 */ 5472 if (ireq.u.mode == IW_MODE_MONITOR) { 5473 /* 5474 * Yes. Just leave things as they are. 5475 * We don't offer multiple link-layer types, as 5476 * changing the link-layer type out from under 5477 * somebody else capturing in monitor mode would 5478 * be considered rude. 5479 */ 5480 return 1; 5481 } 5482 /* 5483 * No. We have to put the adapter into rfmon mode. 5484 */ 5485 5486 /* 5487 * If we haven't already done so, arrange to have 5488 * "pcap_close_all()" called when we exit. 5489 */ 5490 if (!pcap_do_addexit(handle)) { 5491 /* 5492 * "atexit()" failed; don't put the interface 5493 * in rfmon mode, just give up. 5494 */ 5495 return PCAP_ERROR_RFMON_NOTSUP; 5496 } 5497 5498 /* 5499 * Save the old mode. 5500 */ 5501 handlep->oldmode = ireq.u.mode; 5502 5503 /* 5504 * Put the adapter in rfmon mode. How we do this depends 5505 * on whether we have a special private ioctl or not. 5506 */ 5507 if (montype == MONITOR_PRISM) { 5508 /* 5509 * We have the "monitor" private ioctl, but none of 5510 * the other private ioctls. Use this, and select 5511 * the Prism header. 5512 * 5513 * If it fails, just fall back on SIOCSIWMODE. 5514 */ 5515 memset(&ireq, 0, sizeof ireq); 5516 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5517 sizeof ireq.ifr_ifrn.ifrn_name); 5518 ireq.u.data.length = 1; /* 1 argument */ 5519 args[0] = 3; /* request Prism header */ 5520 memcpy(ireq.u.name, args, sizeof (int)); 5521 if (ioctl(sock_fd, cmd, &ireq) != -1) { 5522 /* 5523 * Success. 5524 * Note that we have to put the old mode back 5525 * when we close the device. 5526 */ 5527 handlep->must_do_on_close |= MUST_CLEAR_RFMON; 5528 5529 /* 5530 * Add this to the list of pcaps to close 5531 * when we exit. 5532 */ 5533 pcap_add_to_pcaps_to_close(handle); 5534 5535 return 1; 5536 } 5537 5538 /* 5539 * Failure. Fall back on SIOCSIWMODE. 5540 */ 5541 } 5542 5543 /* 5544 * First, take the interface down if it's up; otherwise, we 5545 * might get EBUSY. 5546 */ 5547 memset(&ifr, 0, sizeof(ifr)); 5548 strlcpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 5549 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) { 5550 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5551 "%s: Can't get flags: %s", device, strerror(errno)); 5552 return PCAP_ERROR; 5553 } 5554 oldflags = 0; 5555 if (ifr.ifr_flags & IFF_UP) { 5556 oldflags = ifr.ifr_flags; 5557 ifr.ifr_flags &= ~IFF_UP; 5558 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) { 5559 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5560 "%s: Can't set flags: %s", device, strerror(errno)); 5561 return PCAP_ERROR; 5562 } 5563 } 5564 5565 /* 5566 * Then turn monitor mode on. 5567 */ 5568 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5569 sizeof ireq.ifr_ifrn.ifrn_name); 5570 ireq.u.mode = IW_MODE_MONITOR; 5571 if (ioctl(sock_fd, SIOCSIWMODE, &ireq) == -1) { 5572 /* 5573 * Scientist, you've failed. 5574 * Bring the interface back up if we shut it down. 5575 */ 5576 ifr.ifr_flags = oldflags; 5577 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) { 5578 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5579 "%s: Can't set flags: %s", device, strerror(errno)); 5580 return PCAP_ERROR; 5581 } 5582 return PCAP_ERROR_RFMON_NOTSUP; 5583 } 5584 5585 /* 5586 * XXX - airmon-ng does "iwconfig {if} key off" after setting 5587 * monitor mode and setting the channel, and then does 5588 * "iwconfig up". 5589 */ 5590 5591 /* 5592 * Now select the appropriate radio header. 5593 */ 5594 switch (montype) { 5595 5596 case MONITOR_WEXT: 5597 /* 5598 * We don't have any private ioctl to set the header. 5599 */ 5600 break; 5601 5602 case MONITOR_HOSTAP: 5603 /* 5604 * Try to select the radiotap header. 5605 */ 5606 memset(&ireq, 0, sizeof ireq); 5607 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5608 sizeof ireq.ifr_ifrn.ifrn_name); 5609 args[0] = 3; /* request radiotap header */ 5610 memcpy(ireq.u.name, args, sizeof (int)); 5611 if (ioctl(sock_fd, cmd, &ireq) != -1) 5612 break; /* success */ 5613 5614 /* 5615 * That failed. Try to select the AVS header. 5616 */ 5617 memset(&ireq, 0, sizeof ireq); 5618 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5619 sizeof ireq.ifr_ifrn.ifrn_name); 5620 args[0] = 2; /* request AVS header */ 5621 memcpy(ireq.u.name, args, sizeof (int)); 5622 if (ioctl(sock_fd, cmd, &ireq) != -1) 5623 break; /* success */ 5624 5625 /* 5626 * That failed. Try to select the Prism header. 5627 */ 5628 memset(&ireq, 0, sizeof ireq); 5629 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5630 sizeof ireq.ifr_ifrn.ifrn_name); 5631 args[0] = 1; /* request Prism header */ 5632 memcpy(ireq.u.name, args, sizeof (int)); 5633 ioctl(sock_fd, cmd, &ireq); 5634 break; 5635 5636 case MONITOR_PRISM: 5637 /* 5638 * The private ioctl failed. 5639 */ 5640 break; 5641 5642 case MONITOR_PRISM54: 5643 /* 5644 * Select the Prism header. 5645 */ 5646 memset(&ireq, 0, sizeof ireq); 5647 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5648 sizeof ireq.ifr_ifrn.ifrn_name); 5649 args[0] = 3; /* request Prism header */ 5650 memcpy(ireq.u.name, args, sizeof (int)); 5651 ioctl(sock_fd, cmd, &ireq); 5652 break; 5653 5654 case MONITOR_ACX100: 5655 /* 5656 * Get the current channel. 5657 */ 5658 memset(&ireq, 0, sizeof ireq); 5659 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5660 sizeof ireq.ifr_ifrn.ifrn_name); 5661 if (ioctl(sock_fd, SIOCGIWFREQ, &ireq) == -1) { 5662 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5663 "%s: SIOCGIWFREQ: %s", device, 5664 pcap_strerror(errno)); 5665 return PCAP_ERROR; 5666 } 5667 channel = ireq.u.freq.m; 5668 5669 /* 5670 * Select the Prism header, and set the channel to the 5671 * current value. 5672 */ 5673 memset(&ireq, 0, sizeof ireq); 5674 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5675 sizeof ireq.ifr_ifrn.ifrn_name); 5676 args[0] = 1; /* request Prism header */ 5677 args[1] = channel; /* set channel */ 5678 memcpy(ireq.u.name, args, 2*sizeof (int)); 5679 ioctl(sock_fd, cmd, &ireq); 5680 break; 5681 5682 case MONITOR_RT2500: 5683 /* 5684 * Disallow transmission - that turns on the 5685 * Prism header. 5686 */ 5687 memset(&ireq, 0, sizeof ireq); 5688 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5689 sizeof ireq.ifr_ifrn.ifrn_name); 5690 args[0] = 0; /* disallow transmitting */ 5691 memcpy(ireq.u.name, args, sizeof (int)); 5692 ioctl(sock_fd, cmd, &ireq); 5693 break; 5694 5695 case MONITOR_RT2570: 5696 /* 5697 * Force the Prism header. 5698 */ 5699 memset(&ireq, 0, sizeof ireq); 5700 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5701 sizeof ireq.ifr_ifrn.ifrn_name); 5702 args[0] = 1; /* request Prism header */ 5703 memcpy(ireq.u.name, args, sizeof (int)); 5704 ioctl(sock_fd, cmd, &ireq); 5705 break; 5706 5707 case MONITOR_RT73: 5708 /* 5709 * Force the Prism header. 5710 */ 5711 memset(&ireq, 0, sizeof ireq); 5712 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5713 sizeof ireq.ifr_ifrn.ifrn_name); 5714 ireq.u.data.length = 1; /* 1 argument */ 5715 ireq.u.data.pointer = "1"; 5716 ireq.u.data.flags = 0; 5717 ioctl(sock_fd, cmd, &ireq); 5718 break; 5719 5720 case MONITOR_RTL8XXX: 5721 /* 5722 * Force the Prism header. 5723 */ 5724 memset(&ireq, 0, sizeof ireq); 5725 strlcpy(ireq.ifr_ifrn.ifrn_name, device, 5726 sizeof ireq.ifr_ifrn.ifrn_name); 5727 args[0] = 1; /* request Prism header */ 5728 memcpy(ireq.u.name, args, sizeof (int)); 5729 ioctl(sock_fd, cmd, &ireq); 5730 break; 5731 } 5732 5733 /* 5734 * Now bring the interface back up if we brought it down. 5735 */ 5736 if (oldflags != 0) { 5737 ifr.ifr_flags = oldflags; 5738 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) { 5739 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5740 "%s: Can't set flags: %s", device, strerror(errno)); 5741 5742 /* 5743 * At least try to restore the old mode on the 5744 * interface. 5745 */ 5746 if (ioctl(handle->fd, SIOCSIWMODE, &ireq) == -1) { 5747 /* 5748 * Scientist, you've failed. 5749 */ 5750 fprintf(stderr, 5751 "Can't restore interface wireless mode (SIOCSIWMODE failed: %s).\n" 5752 "Please adjust manually.\n", 5753 strerror(errno)); 5754 } 5755 return PCAP_ERROR; 5756 } 5757 } 5758 5759 /* 5760 * Note that we have to put the old mode back when we 5761 * close the device. 5762 */ 5763 handlep->must_do_on_close |= MUST_CLEAR_RFMON; 5764 5765 /* 5766 * Add this to the list of pcaps to close when we exit. 5767 */ 5768 pcap_add_to_pcaps_to_close(handle); 5769 5770 return 1; 5771 } 5772 #endif /* IW_MODE_MONITOR */ 5773 5774 /* 5775 * Try various mechanisms to enter monitor mode. 5776 */ 5777 static int 5778 enter_rfmon_mode(pcap_t *handle, int sock_fd, const char *device) 5779 { 5780 #if defined(HAVE_LIBNL) || defined(IW_MODE_MONITOR) 5781 int ret; 5782 #endif 5783 5784 #ifdef HAVE_LIBNL 5785 ret = enter_rfmon_mode_mac80211(handle, sock_fd, device); 5786 if (ret < 0) 5787 return ret; /* error attempting to do so */ 5788 if (ret == 1) 5789 return 1; /* success */ 5790 #endif /* HAVE_LIBNL */ 5791 5792 #ifdef IW_MODE_MONITOR 5793 ret = enter_rfmon_mode_wext(handle, sock_fd, device); 5794 if (ret < 0) 5795 return ret; /* error attempting to do so */ 5796 if (ret == 1) 5797 return 1; /* success */ 5798 #endif /* IW_MODE_MONITOR */ 5799 5800 /* 5801 * Either none of the mechanisms we know about work or none 5802 * of those mechanisms are available, so we can't do monitor 5803 * mode. 5804 */ 5805 return 0; 5806 } 5807 5808 #if defined(HAVE_LINUX_NET_TSTAMP_H) && defined(PACKET_TIMESTAMP) 5809 /* 5810 * Map SOF_TIMESTAMPING_ values to PCAP_TSTAMP_ values. 5811 */ 5812 static const struct { 5813 int soft_timestamping_val; 5814 int pcap_tstamp_val; 5815 } sof_ts_type_map[3] = { 5816 { SOF_TIMESTAMPING_SOFTWARE, PCAP_TSTAMP_HOST }, 5817 { SOF_TIMESTAMPING_SYS_HARDWARE, PCAP_TSTAMP_ADAPTER }, 5818 { SOF_TIMESTAMPING_RAW_HARDWARE, PCAP_TSTAMP_ADAPTER_UNSYNCED } 5819 }; 5820 #define NUM_SOF_TIMESTAMPING_TYPES (sizeof sof_ts_type_map / sizeof sof_ts_type_map[0]) 5821 5822 static void 5823 iface_set_default_ts_types(pcap_t *handle) 5824 { 5825 int i; 5826 5827 handle->tstamp_type_count = NUM_SOF_TIMESTAMPING_TYPES; 5828 handle->tstamp_type_list = malloc(NUM_SOF_TIMESTAMPING_TYPES * sizeof(u_int)); 5829 for (i = 0; i < NUM_SOF_TIMESTAMPING_TYPES; i++) 5830 handle->tstamp_type_list[i] = sof_ts_type_map[i].pcap_tstamp_val; 5831 } 5832 5833 #ifdef ETHTOOL_GET_TS_INFO 5834 /* 5835 * Get a list of time stamping capabilities. 5836 */ 5837 static int 5838 iface_ethtool_get_ts_info(pcap_t *handle, char *ebuf) 5839 { 5840 int fd; 5841 struct ifreq ifr; 5842 struct ethtool_ts_info info; 5843 int num_ts_types; 5844 int i, j; 5845 5846 /* 5847 * This doesn't apply to the "any" device; you have to ask 5848 * specific devices for their capabilities, so just default 5849 * to saying we support all of them. 5850 */ 5851 if (strcmp(handle->opt.source, "any") == 0) { 5852 iface_set_default_ts_types(handle); 5853 return 0; 5854 } 5855 5856 /* 5857 * Create a socket from which to fetch time stamping capabilities. 5858 */ 5859 fd = socket(AF_INET, SOCK_DGRAM, 0); 5860 if (fd < 0) { 5861 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 5862 "socket for SIOCETHTOOL(ETHTOOL_GET_TS_INFO): %s", pcap_strerror(errno)); 5863 return -1; 5864 } 5865 5866 memset(&ifr, 0, sizeof(ifr)); 5867 strlcpy(ifr.ifr_name, handle->opt.source, sizeof(ifr.ifr_name)); 5868 memset(&info, 0, sizeof(info)); 5869 info.cmd = ETHTOOL_GET_TS_INFO; 5870 ifr.ifr_data = (caddr_t)&info; 5871 if (ioctl(fd, SIOCETHTOOL, &ifr) == -1) { 5872 close(fd); 5873 if (errno == EOPNOTSUPP || errno == EINVAL) { 5874 /* 5875 * OK, let's just return all the possible time 5876 * stamping types. 5877 */ 5878 iface_set_default_ts_types(handle); 5879 return 0; 5880 } 5881 snprintf(ebuf, PCAP_ERRBUF_SIZE, 5882 "%s: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: %s", handle->opt.source, 5883 strerror(errno)); 5884 return -1; 5885 } 5886 close(fd); 5887 5888 num_ts_types = 0; 5889 for (i = 0; i < NUM_SOF_TIMESTAMPING_TYPES; i++) { 5890 if (info.so_timestamping & sof_ts_type_map[i].soft_timestamping_val) 5891 num_ts_types++; 5892 } 5893 handle->tstamp_type_count = num_ts_types; 5894 if (num_ts_types != 0) { 5895 handle->tstamp_type_list = malloc(num_ts_types * sizeof(u_int)); 5896 for (i = 0, j = 0; i < NUM_SOF_TIMESTAMPING_TYPES; i++) { 5897 if (info.so_timestamping & sof_ts_type_map[i].soft_timestamping_val) { 5898 handle->tstamp_type_list[j] = sof_ts_type_map[i].pcap_tstamp_val; 5899 j++; 5900 } 5901 } 5902 } else 5903 handle->tstamp_type_list = NULL; 5904 5905 return 0; 5906 } 5907 #else /* ETHTOOL_GET_TS_INFO */ 5908 static int 5909 iface_ethtool_get_ts_info(pcap_t *handle, char *ebuf _U_) 5910 { 5911 /* 5912 * We don't have an ioctl to use to ask what's supported, 5913 * so say we support everything. 5914 */ 5915 iface_set_default_ts_types(handle); 5916 return 0; 5917 } 5918 #endif /* ETHTOOL_GET_TS_INFO */ 5919 5920 #endif /* defined(HAVE_LINUX_NET_TSTAMP_H) && defined(PACKET_TIMESTAMP) */ 5921 5922 #ifdef HAVE_PACKET_RING 5923 /* 5924 * Find out if we have any form of fragmentation/reassembly offloading. 5925 * 5926 * We do so using SIOCETHTOOL checking for various types of offloading; 5927 * if SIOCETHTOOL isn't defined, or we don't have any #defines for any 5928 * of the types of offloading, there's nothing we can do to check, so 5929 * we just say "no, we don't". 5930 */ 5931 #if defined(SIOCETHTOOL) && (defined(ETHTOOL_GTSO) || defined(ETHTOOL_GUFO) || defined(ETHTOOL_GGSO) || defined(ETHTOOL_GFLAGS) || defined(ETHTOOL_GGRO)) 5932 static int 5933 iface_ethtool_flag_ioctl(pcap_t *handle, int cmd, const char *cmdname) 5934 { 5935 struct ifreq ifr; 5936 struct ethtool_value eval; 5937 5938 memset(&ifr, 0, sizeof(ifr)); 5939 strlcpy(ifr.ifr_name, handle->opt.source, sizeof(ifr.ifr_name)); 5940 eval.cmd = cmd; 5941 eval.data = 0; 5942 ifr.ifr_data = (caddr_t)&eval; 5943 if (ioctl(handle->fd, SIOCETHTOOL, &ifr) == -1) { 5944 if (errno == EOPNOTSUPP || errno == EINVAL) { 5945 /* 5946 * OK, let's just return 0, which, in our 5947 * case, either means "no, what we're asking 5948 * about is not enabled" or "all the flags 5949 * are clear (i.e., nothing is enabled)". 5950 */ 5951 return 0; 5952 } 5953 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 5954 "%s: SIOCETHTOOL(%s) ioctl failed: %s", handle->opt.source, 5955 cmdname, strerror(errno)); 5956 return -1; 5957 } 5958 return eval.data; 5959 } 5960 5961 static int 5962 iface_get_offload(pcap_t *handle) 5963 { 5964 int ret; 5965 5966 #ifdef ETHTOOL_GTSO 5967 ret = iface_ethtool_flag_ioctl(handle, ETHTOOL_GTSO, "ETHTOOL_GTSO"); 5968 if (ret == -1) 5969 return -1; 5970 if (ret) 5971 return 1; /* TCP segmentation offloading on */ 5972 #endif 5973 5974 #ifdef ETHTOOL_GUFO 5975 ret = iface_ethtool_flag_ioctl(handle, ETHTOOL_GUFO, "ETHTOOL_GUFO"); 5976 if (ret == -1) 5977 return -1; 5978 if (ret) 5979 return 1; /* UDP fragmentation offloading on */ 5980 #endif 5981 5982 #ifdef ETHTOOL_GGSO 5983 /* 5984 * XXX - will this cause large unsegmented packets to be 5985 * handed to PF_PACKET sockets on transmission? If not, 5986 * this need not be checked. 5987 */ 5988 ret = iface_ethtool_flag_ioctl(handle, ETHTOOL_GGSO, "ETHTOOL_GGSO"); 5989 if (ret == -1) 5990 return -1; 5991 if (ret) 5992 return 1; /* generic segmentation offloading on */ 5993 #endif 5994 5995 #ifdef ETHTOOL_GFLAGS 5996 ret = iface_ethtool_flag_ioctl(handle, ETHTOOL_GFLAGS, "ETHTOOL_GFLAGS"); 5997 if (ret == -1) 5998 return -1; 5999 if (ret & ETH_FLAG_LRO) 6000 return 1; /* large receive offloading on */ 6001 #endif 6002 6003 #ifdef ETHTOOL_GGRO 6004 /* 6005 * XXX - will this cause large reassembled packets to be 6006 * handed to PF_PACKET sockets on receipt? If not, 6007 * this need not be checked. 6008 */ 6009 ret = iface_ethtool_flag_ioctl(handle, ETHTOOL_GGRO, "ETHTOOL_GGRO"); 6010 if (ret == -1) 6011 return -1; 6012 if (ret) 6013 return 1; /* generic (large) receive offloading on */ 6014 #endif 6015 6016 return 0; 6017 } 6018 #else /* SIOCETHTOOL */ 6019 static int 6020 iface_get_offload(pcap_t *handle _U_) 6021 { 6022 /* 6023 * XXX - do we need to get this information if we don't 6024 * have the ethtool ioctls? If so, how do we do that? 6025 */ 6026 return 0; 6027 } 6028 #endif /* SIOCETHTOOL */ 6029 6030 #endif /* HAVE_PACKET_RING */ 6031 6032 #endif /* HAVE_PF_PACKET_SOCKETS */ 6033 6034 /* ===== Functions to interface to the older kernels ================== */ 6035 6036 /* 6037 * Try to open a packet socket using the old kernel interface. 6038 * Returns 1 on success and a PCAP_ERROR_ value on an error. 6039 */ 6040 static int 6041 activate_old(pcap_t *handle) 6042 { 6043 struct pcap_linux *handlep = handle->priv; 6044 int arptype; 6045 struct ifreq ifr; 6046 const char *device = handle->opt.source; 6047 struct utsname utsname; 6048 int mtu; 6049 6050 /* Open the socket */ 6051 6052 handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 6053 if (handle->fd == -1) { 6054 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6055 "socket: %s", pcap_strerror(errno)); 6056 if (errno == EPERM || errno == EACCES) { 6057 /* 6058 * You don't have permission to open the 6059 * socket. 6060 */ 6061 return PCAP_ERROR_PERM_DENIED; 6062 } else { 6063 /* 6064 * Other error. 6065 */ 6066 return PCAP_ERROR; 6067 } 6068 } 6069 6070 /* It worked - we are using the old interface */ 6071 handlep->sock_packet = 1; 6072 6073 /* ...which means we get the link-layer header. */ 6074 handlep->cooked = 0; 6075 6076 /* Bind to the given device */ 6077 6078 if (strcmp(device, "any") == 0) { 6079 strlcpy(handle->errbuf, "pcap_activate: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 6080 PCAP_ERRBUF_SIZE); 6081 return PCAP_ERROR; 6082 } 6083 if (iface_bind_old(handle->fd, device, handle->errbuf) == -1) 6084 return PCAP_ERROR; 6085 6086 /* 6087 * Try to get the link-layer type. 6088 */ 6089 arptype = iface_get_arptype(handle->fd, device, handle->errbuf); 6090 if (arptype < 0) 6091 return PCAP_ERROR; 6092 6093 /* 6094 * Try to find the DLT_ type corresponding to that 6095 * link-layer type. 6096 */ 6097 map_arphrd_to_dlt(handle, handle->fd, arptype, device, 0); 6098 if (handle->linktype == -1) { 6099 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6100 "unknown arptype %d", arptype); 6101 return PCAP_ERROR; 6102 } 6103 6104 /* Go to promisc mode if requested */ 6105 6106 if (handle->opt.promisc) { 6107 memset(&ifr, 0, sizeof(ifr)); 6108 strlcpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 6109 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 6110 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6111 "SIOCGIFFLAGS: %s", pcap_strerror(errno)); 6112 return PCAP_ERROR; 6113 } 6114 if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 6115 /* 6116 * Promiscuous mode isn't currently on, 6117 * so turn it on, and remember that 6118 * we should turn it off when the 6119 * pcap_t is closed. 6120 */ 6121 6122 /* 6123 * If we haven't already done so, arrange 6124 * to have "pcap_close_all()" called when 6125 * we exit. 6126 */ 6127 if (!pcap_do_addexit(handle)) { 6128 /* 6129 * "atexit()" failed; don't put 6130 * the interface in promiscuous 6131 * mode, just give up. 6132 */ 6133 return PCAP_ERROR; 6134 } 6135 6136 ifr.ifr_flags |= IFF_PROMISC; 6137 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 6138 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6139 "SIOCSIFFLAGS: %s", 6140 pcap_strerror(errno)); 6141 return PCAP_ERROR; 6142 } 6143 handlep->must_do_on_close |= MUST_CLEAR_PROMISC; 6144 6145 /* 6146 * Add this to the list of pcaps 6147 * to close when we exit. 6148 */ 6149 pcap_add_to_pcaps_to_close(handle); 6150 } 6151 } 6152 6153 /* 6154 * Compute the buffer size. 6155 * 6156 * We're using SOCK_PACKET, so this might be a 2.0[.x] 6157 * kernel, and might require special handling - check. 6158 */ 6159 if (uname(&utsname) < 0 || 6160 strncmp(utsname.release, "2.0", 3) == 0) { 6161 /* 6162 * Either we couldn't find out what kernel release 6163 * this is, or it's a 2.0[.x] kernel. 6164 * 6165 * In the 2.0[.x] kernel, a "recvfrom()" on 6166 * a SOCK_PACKET socket, with MSG_TRUNC set, will 6167 * return the number of bytes read, so if we pass 6168 * a length based on the snapshot length, it'll 6169 * return the number of bytes from the packet 6170 * copied to userland, not the actual length 6171 * of the packet. 6172 * 6173 * This means that, for example, the IP dissector 6174 * in tcpdump will get handed a packet length less 6175 * than the length in the IP header, and will 6176 * complain about "truncated-ip". 6177 * 6178 * So we don't bother trying to copy from the 6179 * kernel only the bytes in which we're interested, 6180 * but instead copy them all, just as the older 6181 * versions of libpcap for Linux did. 6182 * 6183 * The buffer therefore needs to be big enough to 6184 * hold the largest packet we can get from this 6185 * device. Unfortunately, we can't get the MRU 6186 * of the network; we can only get the MTU. The 6187 * MTU may be too small, in which case a packet larger 6188 * than the buffer size will be truncated *and* we 6189 * won't get the actual packet size. 6190 * 6191 * However, if the snapshot length is larger than 6192 * the buffer size based on the MTU, we use the 6193 * snapshot length as the buffer size, instead; 6194 * this means that with a sufficiently large snapshot 6195 * length we won't artificially truncate packets 6196 * to the MTU-based size. 6197 * 6198 * This mess just one of many problems with packet 6199 * capture on 2.0[.x] kernels; you really want a 6200 * 2.2[.x] or later kernel if you want packet capture 6201 * to work well. 6202 */ 6203 mtu = iface_get_mtu(handle->fd, device, handle->errbuf); 6204 if (mtu == -1) 6205 return PCAP_ERROR; 6206 handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 6207 if (handle->bufsize < handle->snapshot) 6208 handle->bufsize = handle->snapshot; 6209 } else { 6210 /* 6211 * This is a 2.2[.x] or later kernel. 6212 * 6213 * We can safely pass "recvfrom()" a byte count 6214 * based on the snapshot length. 6215 */ 6216 handle->bufsize = handle->snapshot; 6217 } 6218 6219 /* 6220 * Default value for offset to align link-layer payload 6221 * on a 4-byte boundary. 6222 */ 6223 handle->offset = 0; 6224 6225 /* 6226 * SOCK_PACKET sockets don't supply information from 6227 * stripped VLAN tags. 6228 */ 6229 handlep->vlan_offset = -1; /* unknown */ 6230 6231 return 1; 6232 } 6233 6234 /* 6235 * Bind the socket associated with FD to the given device using the 6236 * interface of the old kernels. 6237 */ 6238 static int 6239 iface_bind_old(int fd, const char *device, char *ebuf) 6240 { 6241 struct sockaddr saddr; 6242 int err; 6243 socklen_t errlen = sizeof(err); 6244 6245 memset(&saddr, 0, sizeof(saddr)); 6246 strlcpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 6247 if (bind(fd, &saddr, sizeof(saddr)) == -1) { 6248 snprintf(ebuf, PCAP_ERRBUF_SIZE, 6249 "bind: %s", pcap_strerror(errno)); 6250 return -1; 6251 } 6252 6253 /* Any pending errors, e.g., network is down? */ 6254 6255 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 6256 snprintf(ebuf, PCAP_ERRBUF_SIZE, 6257 "getsockopt: %s", pcap_strerror(errno)); 6258 return -1; 6259 } 6260 6261 if (err > 0) { 6262 snprintf(ebuf, PCAP_ERRBUF_SIZE, 6263 "bind: %s", pcap_strerror(err)); 6264 return -1; 6265 } 6266 6267 return 0; 6268 } 6269 6270 6271 /* ===== System calls available on all supported kernels ============== */ 6272 6273 /* 6274 * Query the kernel for the MTU of the given interface. 6275 */ 6276 static int 6277 iface_get_mtu(int fd, const char *device, char *ebuf) 6278 { 6279 struct ifreq ifr; 6280 6281 if (!device) 6282 return BIGGER_THAN_ALL_MTUS; 6283 6284 memset(&ifr, 0, sizeof(ifr)); 6285 strlcpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 6286 6287 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 6288 snprintf(ebuf, PCAP_ERRBUF_SIZE, 6289 "SIOCGIFMTU: %s", pcap_strerror(errno)); 6290 return -1; 6291 } 6292 6293 return ifr.ifr_mtu; 6294 } 6295 6296 /* 6297 * Get the hardware type of the given interface as ARPHRD_xxx constant. 6298 */ 6299 static int 6300 iface_get_arptype(int fd, const char *device, char *ebuf) 6301 { 6302 struct ifreq ifr; 6303 6304 memset(&ifr, 0, sizeof(ifr)); 6305 strlcpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 6306 6307 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 6308 snprintf(ebuf, PCAP_ERRBUF_SIZE, 6309 "SIOCGIFHWADDR: %s", pcap_strerror(errno)); 6310 if (errno == ENODEV) { 6311 /* 6312 * No such device. 6313 */ 6314 return PCAP_ERROR_NO_SUCH_DEVICE; 6315 } 6316 return PCAP_ERROR; 6317 } 6318 6319 return ifr.ifr_hwaddr.sa_family; 6320 } 6321 6322 #ifdef SO_ATTACH_FILTER 6323 static int 6324 fix_program(pcap_t *handle, struct sock_fprog *fcode, int is_mmapped) 6325 { 6326 struct pcap_linux *handlep = handle->priv; 6327 size_t prog_size; 6328 register int i; 6329 register struct bpf_insn *p; 6330 struct bpf_insn *f; 6331 int len; 6332 6333 /* 6334 * Make a copy of the filter, and modify that copy if 6335 * necessary. 6336 */ 6337 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 6338 len = handle->fcode.bf_len; 6339 f = (struct bpf_insn *)malloc(prog_size); 6340 if (f == NULL) { 6341 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6342 "malloc: %s", pcap_strerror(errno)); 6343 return -1; 6344 } 6345 memcpy(f, handle->fcode.bf_insns, prog_size); 6346 fcode->len = len; 6347 fcode->filter = (struct sock_filter *) f; 6348 6349 for (i = 0; i < len; ++i) { 6350 p = &f[i]; 6351 /* 6352 * What type of instruction is this? 6353 */ 6354 switch (BPF_CLASS(p->code)) { 6355 6356 case BPF_RET: 6357 /* 6358 * It's a return instruction; are we capturing 6359 * in memory-mapped mode? 6360 */ 6361 if (!is_mmapped) { 6362 /* 6363 * No; is the snapshot length a constant, 6364 * rather than the contents of the 6365 * accumulator? 6366 */ 6367 if (BPF_MODE(p->code) == BPF_K) { 6368 /* 6369 * Yes - if the value to be returned, 6370 * i.e. the snapshot length, is 6371 * anything other than 0, make it 6372 * MAXIMUM_SNAPLEN, so that the packet 6373 * is truncated by "recvfrom()", 6374 * not by the filter. 6375 * 6376 * XXX - there's nothing we can 6377 * easily do if it's getting the 6378 * value from the accumulator; we'd 6379 * have to insert code to force 6380 * non-zero values to be 6381 * MAXIMUM_SNAPLEN. 6382 */ 6383 if (p->k != 0) 6384 p->k = MAXIMUM_SNAPLEN; 6385 } 6386 } 6387 break; 6388 6389 case BPF_LD: 6390 case BPF_LDX: 6391 /* 6392 * It's a load instruction; is it loading 6393 * from the packet? 6394 */ 6395 switch (BPF_MODE(p->code)) { 6396 6397 case BPF_ABS: 6398 case BPF_IND: 6399 case BPF_MSH: 6400 /* 6401 * Yes; are we in cooked mode? 6402 */ 6403 if (handlep->cooked) { 6404 /* 6405 * Yes, so we need to fix this 6406 * instruction. 6407 */ 6408 if (fix_offset(p) < 0) { 6409 /* 6410 * We failed to do so. 6411 * Return 0, so our caller 6412 * knows to punt to userland. 6413 */ 6414 return 0; 6415 } 6416 } 6417 break; 6418 } 6419 break; 6420 } 6421 } 6422 return 1; /* we succeeded */ 6423 } 6424 6425 static int 6426 fix_offset(struct bpf_insn *p) 6427 { 6428 /* 6429 * What's the offset? 6430 */ 6431 if (p->k >= SLL_HDR_LEN) { 6432 /* 6433 * It's within the link-layer payload; that starts at an 6434 * offset of 0, as far as the kernel packet filter is 6435 * concerned, so subtract the length of the link-layer 6436 * header. 6437 */ 6438 p->k -= SLL_HDR_LEN; 6439 } else if (p->k == 0) { 6440 /* 6441 * It's the packet type field; map it to the special magic 6442 * kernel offset for that field. 6443 */ 6444 p->k = SKF_AD_OFF + SKF_AD_PKTTYPE; 6445 } else if (p->k == 14) { 6446 /* 6447 * It's the protocol field; map it to the special magic 6448 * kernel offset for that field. 6449 */ 6450 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 6451 } else if ((bpf_int32)(p->k) > 0) { 6452 /* 6453 * It's within the header, but it's not one of those 6454 * fields; we can't do that in the kernel, so punt 6455 * to userland. 6456 */ 6457 return -1; 6458 } 6459 return 0; 6460 } 6461 6462 static int 6463 set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) 6464 { 6465 int total_filter_on = 0; 6466 int save_mode; 6467 int ret; 6468 int save_errno; 6469 6470 /* 6471 * The socket filter code doesn't discard all packets queued 6472 * up on the socket when the filter is changed; this means 6473 * that packets that don't match the new filter may show up 6474 * after the new filter is put onto the socket, if those 6475 * packets haven't yet been read. 6476 * 6477 * This means, for example, that if you do a tcpdump capture 6478 * with a filter, the first few packets in the capture might 6479 * be packets that wouldn't have passed the filter. 6480 * 6481 * We therefore discard all packets queued up on the socket 6482 * when setting a kernel filter. (This isn't an issue for 6483 * userland filters, as the userland filtering is done after 6484 * packets are queued up.) 6485 * 6486 * To flush those packets, we put the socket in read-only mode, 6487 * and read packets from the socket until there are no more to 6488 * read. 6489 * 6490 * In order to keep that from being an infinite loop - i.e., 6491 * to keep more packets from arriving while we're draining 6492 * the queue - we put the "total filter", which is a filter 6493 * that rejects all packets, onto the socket before draining 6494 * the queue. 6495 * 6496 * This code deliberately ignores any errors, so that you may 6497 * get bogus packets if an error occurs, rather than having 6498 * the filtering done in userland even if it could have been 6499 * done in the kernel. 6500 */ 6501 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 6502 &total_fcode, sizeof(total_fcode)) == 0) { 6503 char drain[1]; 6504 6505 /* 6506 * Note that we've put the total filter onto the socket. 6507 */ 6508 total_filter_on = 1; 6509 6510 /* 6511 * Save the socket's current mode, and put it in 6512 * non-blocking mode; we drain it by reading packets 6513 * until we get an error (which is normally a 6514 * "nothing more to be read" error). 6515 */ 6516 save_mode = fcntl(handle->fd, F_GETFL, 0); 6517 if (save_mode == -1) { 6518 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6519 "can't get FD flags when changing filter: %s", 6520 pcap_strerror(errno)); 6521 return -2; 6522 } 6523 if (fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) < 0) { 6524 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6525 "can't set nonblocking mode when changing filter: %s", 6526 pcap_strerror(errno)); 6527 return -2; 6528 } 6529 while (recv(handle->fd, &drain, sizeof drain, MSG_TRUNC) >= 0) 6530 ; 6531 save_errno = errno; 6532 if (save_errno != EAGAIN) { 6533 /* 6534 * Fatal error. 6535 * 6536 * If we can't restore the mode or reset the 6537 * kernel filter, there's nothing we can do. 6538 */ 6539 (void)fcntl(handle->fd, F_SETFL, save_mode); 6540 (void)reset_kernel_filter(handle); 6541 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6542 "recv failed when changing filter: %s", 6543 pcap_strerror(save_errno)); 6544 return -2; 6545 } 6546 if (fcntl(handle->fd, F_SETFL, save_mode) == -1) { 6547 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6548 "can't restore FD flags when changing filter: %s", 6549 pcap_strerror(save_errno)); 6550 return -2; 6551 } 6552 } 6553 6554 /* 6555 * Now attach the new filter. 6556 */ 6557 ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 6558 fcode, sizeof(*fcode)); 6559 if (ret == -1 && total_filter_on) { 6560 /* 6561 * Well, we couldn't set that filter on the socket, 6562 * but we could set the total filter on the socket. 6563 * 6564 * This could, for example, mean that the filter was 6565 * too big to put into the kernel, so we'll have to 6566 * filter in userland; in any case, we'll be doing 6567 * filtering in userland, so we need to remove the 6568 * total filter so we see packets. 6569 */ 6570 save_errno = errno; 6571 6572 /* 6573 * If this fails, we're really screwed; we have the 6574 * total filter on the socket, and it won't come off. 6575 * Report it as a fatal error. 6576 */ 6577 if (reset_kernel_filter(handle) == -1) { 6578 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 6579 "can't remove kernel total filter: %s", 6580 pcap_strerror(errno)); 6581 return -2; /* fatal error */ 6582 } 6583 6584 errno = save_errno; 6585 } 6586 return ret; 6587 } 6588 6589 static int 6590 reset_kernel_filter(pcap_t *handle) 6591 { 6592 /* 6593 * setsockopt() barfs unless it get a dummy parameter. 6594 * valgrind whines unless the value is initialized, 6595 * as it has no idea that setsockopt() ignores its 6596 * parameter. 6597 */ 6598 int dummy = 0; 6599 6600 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, 6601 &dummy, sizeof(dummy)); 6602 } 6603 #endif 6604
