1 /* 2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Support for splitting captures into multiple files with a maximum 22 * file size: 23 * 24 * Copyright (c) 2001 25 * Seth Webster <swebster (at) sst.ll.mit.edu> 26 */ 27 28 #ifndef lint 29 static const char copyright[] _U_ = 30 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\ 31 The Regents of the University of California. All rights reserved.\n"; 32 #endif 33 34 /* 35 * tcpdump - dump traffic on a network 36 * 37 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory. 38 * Mercilessly hacked and occasionally improved since then via the 39 * combined efforts of Van, Steve McCanne and Craig Leres of LBL. 40 */ 41 42 #ifdef HAVE_CONFIG_H 43 #include "config.h" 44 #endif 45 46 /* 47 * Mac OS X may ship pcap.h from libpcap 0.6 with a libpcap based on 48 * 0.8. That means it has pcap_findalldevs() but the header doesn't 49 * define pcap_if_t, meaning that we can't actually *use* pcap_findalldevs(). 50 */ 51 #ifdef HAVE_PCAP_FINDALLDEVS 52 #ifndef HAVE_PCAP_IF_T 53 #undef HAVE_PCAP_FINDALLDEVS 54 #endif 55 #endif 56 57 #include <netdissect-stdinc.h> 58 59 #include <sys/stat.h> 60 61 #ifdef HAVE_FCNTL_H 62 #include <fcntl.h> 63 #endif 64 65 #ifdef HAVE_LIBCRYPTO 66 #include <openssl/crypto.h> 67 #endif 68 69 #ifdef HAVE_GETOPT_LONG 70 #include <getopt.h> 71 #else 72 #include "getopt_long.h" 73 #endif 74 /* Capsicum-specific code requires macros from <net/bpf.h>, which will fail 75 * to compile if <pcap.h> has already been included; including the headers 76 * in the opposite order works fine. 77 */ 78 #ifdef HAVE_CAPSICUM 79 #include <sys/capability.h> 80 #include <sys/ioccom.h> 81 #include <net/bpf.h> 82 #include <libgen.h> 83 #endif /* HAVE_CAPSICUM */ 84 #include <pcap.h> 85 #include <signal.h> 86 #include <stdio.h> 87 #include <stdarg.h> 88 #include <stdlib.h> 89 #include <string.h> 90 #include <limits.h> 91 #ifndef _WIN32 92 #include <sys/wait.h> 93 #include <sys/resource.h> 94 #include <pwd.h> 95 #include <grp.h> 96 #endif /* _WIN32 */ 97 98 /* capabilities convenience library */ 99 /* If a code depends on HAVE_LIBCAP_NG, it depends also on HAVE_CAP_NG_H. 100 * If HAVE_CAP_NG_H is not defined, undefine HAVE_LIBCAP_NG. 101 * Thus, the later tests are done only on HAVE_LIBCAP_NG. 102 */ 103 #ifdef HAVE_LIBCAP_NG 104 #ifdef HAVE_CAP_NG_H 105 #include <cap-ng.h> 106 #else 107 #undef HAVE_LIBCAP_NG 108 #endif /* HAVE_CAP_NG_H */ 109 #endif /* HAVE_LIBCAP_NG */ 110 111 #include "netdissect.h" 112 #include "interface.h" 113 #include "addrtoname.h" 114 #include "machdep.h" 115 #include "setsignal.h" 116 #include "gmt2local.h" 117 #include "pcap-missing.h" 118 #include "ascii_strcasecmp.h" 119 120 #include "print.h" 121 122 #ifndef PATH_MAX 123 #define PATH_MAX 1024 124 #endif 125 126 #ifdef SIGINFO 127 #define SIGNAL_REQ_INFO SIGINFO 128 #elif SIGUSR1 129 #define SIGNAL_REQ_INFO SIGUSR1 130 #endif 131 132 static int Bflag; /* buffer size */ 133 static long Cflag; /* rotate dump files after this many bytes */ 134 static int Cflag_count; /* Keep track of which file number we're writing */ 135 static int Dflag; /* list available devices and exit */ 136 /* 137 * This is exported because, in some versions of libpcap, if libpcap 138 * is built with optimizer debugging code (which is *NOT* the default 139 * configuration!), the library *imports*(!) a variable named dflag, 140 * under the expectation that tcpdump is exporting it, to govern 141 * how much debugging information to print when optimizing 142 * the generated BPF code. 143 * 144 * This is a horrible hack; newer versions of libpcap don't import 145 * dflag but, instead, *if* built with optimizer debugging code, 146 * *export* a routine to set that flag. 147 */ 148 int dflag; /* print filter code */ 149 static int Gflag; /* rotate dump files after this many seconds */ 150 static int Gflag_count; /* number of files created with Gflag rotation */ 151 static time_t Gflag_time; /* The last time_t the dump file was rotated. */ 152 static int Lflag; /* list available data link types and exit */ 153 static int Iflag; /* rfmon (monitor) mode */ 154 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 155 static int Jflag; /* list available time stamp types */ 156 #endif 157 static int jflag = -1; /* packet time stamp source */ 158 static int pflag; /* don't go promiscuous */ 159 #ifdef HAVE_PCAP_SETDIRECTION 160 static int Qflag = -1; /* restrict captured packet by send/receive direction */ 161 #endif 162 static int Uflag; /* "unbuffered" output of dump files */ 163 static int Wflag; /* recycle output files after this number of files */ 164 static int WflagChars; 165 static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */ 166 static int immediate_mode; 167 168 static int infodelay; 169 static int infoprint; 170 171 char *program_name; 172 173 /* Forwards */ 174 static void error(FORMAT_STRING(const char *), ...) NORETURN PRINTFLIKE(1, 2); 175 static void warning(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 176 static void exit_tcpdump(int) NORETURN; 177 static RETSIGTYPE cleanup(int); 178 static RETSIGTYPE child_cleanup(int); 179 static void print_version(void); 180 static void print_usage(void); 181 static void show_tstamp_types_and_exit(pcap_t *, const char *device) NORETURN; 182 static void show_dlts_and_exit(pcap_t *, const char *device) NORETURN; 183 #ifdef HAVE_PCAP_FINDALLDEVS 184 static void show_devices_and_exit (void) NORETURN; 185 #endif 186 187 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 188 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *); 189 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 190 static void droproot(const char *, const char *); 191 192 #ifdef SIGNAL_REQ_INFO 193 RETSIGTYPE requestinfo(int); 194 #endif 195 196 #if defined(USE_WIN32_MM_TIMER) 197 #include <MMsystem.h> 198 static UINT timer_id; 199 static void CALLBACK verbose_stats_dump(UINT, UINT, DWORD_PTR, DWORD_PTR, DWORD_PTR); 200 #elif defined(HAVE_ALARM) 201 static void verbose_stats_dump(int sig); 202 #endif 203 204 static void info(int); 205 static u_int packets_captured; 206 207 #ifdef HAVE_PCAP_FINDALLDEVS 208 static const struct tok status_flags[] = { 209 #ifdef PCAP_IF_UP 210 { PCAP_IF_UP, "Up" }, 211 #endif 212 #ifdef PCAP_IF_RUNNING 213 { PCAP_IF_RUNNING, "Running" }, 214 #endif 215 { PCAP_IF_LOOPBACK, "Loopback" }, 216 { 0, NULL } 217 }; 218 #endif 219 220 static pcap_t *pd; 221 222 static int supports_monitor_mode; 223 224 extern int optind; 225 extern int opterr; 226 extern char *optarg; 227 228 struct dump_info { 229 char *WFileName; 230 char *CurrentFileName; 231 pcap_t *pd; 232 pcap_dumper_t *p; 233 #ifdef HAVE_CAPSICUM 234 int dirfd; 235 #endif 236 }; 237 238 #if defined(HAVE_PCAP_SET_PARSER_DEBUG) 239 /* 240 * We have pcap_set_parser_debug() in libpcap; declare it (it's not declared 241 * by any libpcap header, because it's a special hack, only available if 242 * libpcap was configured to include it, and only intended for use by 243 * libpcap developers trying to debug the parser for filter expressions). 244 */ 245 #ifdef _WIN32 246 __declspec(dllimport) 247 #else /* _WIN32 */ 248 extern 249 #endif /* _WIN32 */ 250 void pcap_set_parser_debug(int); 251 #elif defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG) 252 /* 253 * We don't have pcap_set_parser_debug() in libpcap, but we do have 254 * pcap_debug or yydebug. Make a local version of pcap_set_parser_debug() 255 * to set the flag, and define HAVE_PCAP_SET_PARSER_DEBUG. 256 */ 257 static void 258 pcap_set_parser_debug(int value) 259 { 260 #ifdef HAVE_PCAP_DEBUG 261 extern int pcap_debug; 262 263 pcap_debug = value; 264 #else /* HAVE_PCAP_DEBUG */ 265 extern int yydebug; 266 267 yydebug = value; 268 #endif /* HAVE_PCAP_DEBUG */ 269 } 270 271 #define HAVE_PCAP_SET_PARSER_DEBUG 272 #endif 273 274 #if defined(HAVE_PCAP_SET_OPTIMIZER_DEBUG) 275 /* 276 * We have pcap_set_optimizer_debug() in libpcap; declare it (it's not declared 277 * by any libpcap header, because it's a special hack, only available if 278 * libpcap was configured to include it, and only intended for use by 279 * libpcap developers trying to debug the optimizer for filter expressions). 280 */ 281 #ifdef _WIN32 282 __declspec(dllimport) 283 #else /* _WIN32 */ 284 extern 285 #endif /* _WIN32 */ 286 void pcap_set_optimizer_debug(int); 287 #endif 288 289 /* VARARGS */ 290 static void 291 error(const char *fmt, ...) 292 { 293 va_list ap; 294 295 (void)fprintf(stderr, "%s: ", program_name); 296 va_start(ap, fmt); 297 (void)vfprintf(stderr, fmt, ap); 298 va_end(ap); 299 if (*fmt) { 300 fmt += strlen(fmt); 301 if (fmt[-1] != '\n') 302 (void)fputc('\n', stderr); 303 } 304 exit_tcpdump(1); 305 /* NOTREACHED */ 306 } 307 308 /* VARARGS */ 309 static void 310 warning(const char *fmt, ...) 311 { 312 va_list ap; 313 314 (void)fprintf(stderr, "%s: WARNING: ", program_name); 315 va_start(ap, fmt); 316 (void)vfprintf(stderr, fmt, ap); 317 va_end(ap); 318 if (*fmt) { 319 fmt += strlen(fmt); 320 if (fmt[-1] != '\n') 321 (void)fputc('\n', stderr); 322 } 323 } 324 325 static void 326 exit_tcpdump(int status) 327 { 328 nd_cleanup(); 329 exit(status); 330 } 331 332 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 333 static void 334 show_tstamp_types_and_exit(pcap_t *pc, const char *device) 335 { 336 int n_tstamp_types; 337 int *tstamp_types = 0; 338 const char *tstamp_type_name; 339 int i; 340 341 n_tstamp_types = pcap_list_tstamp_types(pc, &tstamp_types); 342 if (n_tstamp_types < 0) 343 error("%s", pcap_geterr(pc)); 344 345 if (n_tstamp_types == 0) { 346 fprintf(stderr, "Time stamp type cannot be set for %s\n", 347 device); 348 exit_tcpdump(0); 349 } 350 fprintf(stderr, "Time stamp types for %s (use option -j to set):\n", 351 device); 352 for (i = 0; i < n_tstamp_types; i++) { 353 tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]); 354 if (tstamp_type_name != NULL) { 355 (void) fprintf(stderr, " %s (%s)\n", tstamp_type_name, 356 pcap_tstamp_type_val_to_description(tstamp_types[i])); 357 } else { 358 (void) fprintf(stderr, " %d\n", tstamp_types[i]); 359 } 360 } 361 pcap_free_tstamp_types(tstamp_types); 362 exit_tcpdump(0); 363 } 364 #endif 365 366 static void 367 show_dlts_and_exit(pcap_t *pc, const char *device) 368 { 369 int n_dlts, i; 370 int *dlts = 0; 371 const char *dlt_name; 372 373 n_dlts = pcap_list_datalinks(pc, &dlts); 374 if (n_dlts < 0) 375 error("%s", pcap_geterr(pc)); 376 else if (n_dlts == 0 || !dlts) 377 error("No data link types."); 378 379 /* 380 * If the interface is known to support monitor mode, indicate 381 * whether these are the data link types available when not in 382 * monitor mode, if -I wasn't specified, or when in monitor mode, 383 * when -I was specified (the link-layer types available in 384 * monitor mode might be different from the ones available when 385 * not in monitor mode). 386 */ 387 if (supports_monitor_mode) 388 (void) fprintf(stderr, "Data link types for %s %s (use option -y to set):\n", 389 device, 390 Iflag ? "when in monitor mode" : "when not in monitor mode"); 391 else 392 (void) fprintf(stderr, "Data link types for %s (use option -y to set):\n", 393 device); 394 395 for (i = 0; i < n_dlts; i++) { 396 dlt_name = pcap_datalink_val_to_name(dlts[i]); 397 if (dlt_name != NULL) { 398 (void) fprintf(stderr, " %s (%s)", dlt_name, 399 pcap_datalink_val_to_description(dlts[i])); 400 401 /* 402 * OK, does tcpdump handle that type? 403 */ 404 if (!has_printer(dlts[i])) 405 (void) fprintf(stderr, " (printing not supported)"); 406 fprintf(stderr, "\n"); 407 } else { 408 (void) fprintf(stderr, " DLT %d (printing not supported)\n", 409 dlts[i]); 410 } 411 } 412 #ifdef HAVE_PCAP_FREE_DATALINKS 413 pcap_free_datalinks(dlts); 414 #endif 415 exit_tcpdump(0); 416 } 417 418 #ifdef HAVE_PCAP_FINDALLDEVS 419 static void 420 show_devices_and_exit (void) 421 { 422 pcap_if_t *dev, *devlist; 423 char ebuf[PCAP_ERRBUF_SIZE]; 424 int i; 425 426 if (pcap_findalldevs(&devlist, ebuf) < 0) 427 error("%s", ebuf); 428 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 429 printf("%d.%s", i+1, dev->name); 430 if (dev->description != NULL) 431 printf(" (%s)", dev->description); 432 if (dev->flags != 0) 433 printf(" [%s]", bittok2str(status_flags, "none", dev->flags)); 434 printf("\n"); 435 } 436 pcap_freealldevs(devlist); 437 exit_tcpdump(0); 438 } 439 #endif /* HAVE_PCAP_FINDALLDEVS */ 440 441 /* 442 * Short options. 443 * 444 * Note that there we use all letters for short options except for g, k, 445 * o, and P, and those are used by other versions of tcpdump, and we should 446 * only use them for the same purposes that the other versions of tcpdump 447 * use them: 448 * 449 * OS X tcpdump uses -g to force non--v output for IP to be on one 450 * line, making it more "g"repable; 451 * 452 * OS X tcpdump uses -k to specify that packet comments in pcap-ng files 453 * should be printed; 454 * 455 * OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done 456 * for hosts sending TCP SYN packets; 457 * 458 * OS X tcpdump uses -P to indicate that -w should write pcap-ng rather 459 * than pcap files. 460 * 461 * OS X tcpdump also uses -Q to specify expressions that match packet 462 * metadata, including but not limited to the packet direction. 463 * The expression syntax is different from a simple "in|out|inout", 464 * and those expressions aren't accepted by OS X tcpdump, but the 465 * equivalents would be "in" = "dir=in", "out" = "dir=out", and 466 * "inout" = "dir=in or dir=out", and the parser could conceivably 467 * special-case "in", "out", and "inout" as expressions for backwards 468 * compatibility, so all is not (yet) lost. 469 */ 470 471 /* 472 * Set up flags that might or might not be supported depending on the 473 * version of libpcap we're using. 474 */ 475 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 476 #define B_FLAG "B:" 477 #define B_FLAG_USAGE " [ -B size ]" 478 #else /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 479 #define B_FLAG 480 #define B_FLAG_USAGE 481 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 482 483 #ifdef HAVE_PCAP_CREATE 484 #define I_FLAG "I" 485 #else /* HAVE_PCAP_CREATE */ 486 #define I_FLAG 487 #endif /* HAVE_PCAP_CREATE */ 488 489 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 490 #define j_FLAG "j:" 491 #define j_FLAG_USAGE " [ -j tstamptype ]" 492 #define J_FLAG "J" 493 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 494 #define j_FLAG 495 #define j_FLAG_USAGE 496 #define J_FLAG 497 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 498 499 #ifdef HAVE_PCAP_FINDALLDEVS 500 #define D_FLAG "D" 501 #else 502 #define D_FLAG 503 #endif 504 505 #ifdef HAVE_PCAP_DUMP_FLUSH 506 #define U_FLAG "U" 507 #else 508 #define U_FLAG 509 #endif 510 511 #ifdef HAVE_PCAP_SETDIRECTION 512 #define Q_FLAG "Q:" 513 #else 514 #define Q_FLAG 515 #endif 516 517 #define SHORTOPTS "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpq" Q_FLAG "r:s:StT:u" U_FLAG "vV:w:W:xXy:Yz:Z:#" 518 519 /* 520 * Long options. 521 * 522 * We do not currently have long options corresponding to all short 523 * options; we should probably pick appropriate option names for them. 524 * 525 * However, the short options where the number of times the option is 526 * specified matters, such as -v and -d and -t, should probably not 527 * just map to a long option, as saying 528 * 529 * tcpdump --verbose --verbose 530 * 531 * doesn't make sense; it should be --verbosity={N} or something such 532 * as that. 533 * 534 * For long options with no corresponding short options, we define values 535 * outside the range of ASCII graphic characters, make that the last 536 * component of the entry for the long option, and have a case for that 537 * option in the switch statement. 538 */ 539 #define OPTION_VERSION 128 540 #define OPTION_TSTAMP_PRECISION 129 541 #define OPTION_IMMEDIATE_MODE 130 542 543 static const struct option longopts[] = { 544 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 545 { "buffer-size", required_argument, NULL, 'B' }, 546 #endif 547 { "list-interfaces", no_argument, NULL, 'D' }, 548 { "help", no_argument, NULL, 'h' }, 549 { "interface", required_argument, NULL, 'i' }, 550 #ifdef HAVE_PCAP_CREATE 551 { "monitor-mode", no_argument, NULL, 'I' }, 552 #endif 553 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 554 { "time-stamp-type", required_argument, NULL, 'j' }, 555 { "list-time-stamp-types", no_argument, NULL, 'J' }, 556 #endif 557 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 558 { "time-stamp-precision", required_argument, NULL, OPTION_TSTAMP_PRECISION}, 559 #endif 560 { "dont-verify-checksums", no_argument, NULL, 'K' }, 561 { "list-data-link-types", no_argument, NULL, 'L' }, 562 { "no-optimize", no_argument, NULL, 'O' }, 563 { "no-promiscuous-mode", no_argument, NULL, 'p' }, 564 #ifdef HAVE_PCAP_SETDIRECTION 565 { "direction", required_argument, NULL, 'Q' }, 566 #endif 567 { "snapshot-length", required_argument, NULL, 's' }, 568 { "absolute-tcp-sequence-numbers", no_argument, NULL, 'S' }, 569 #ifdef HAVE_PCAP_DUMP_FLUSH 570 { "packet-buffered", no_argument, NULL, 'U' }, 571 #endif 572 { "linktype", required_argument, NULL, 'y' }, 573 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 574 { "immediate-mode", no_argument, NULL, OPTION_IMMEDIATE_MODE }, 575 #endif 576 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 577 { "debug-filter-parser", no_argument, NULL, 'Y' }, 578 #endif 579 { "relinquish-privileges", required_argument, NULL, 'Z' }, 580 { "number", no_argument, NULL, '#' }, 581 { "version", no_argument, NULL, OPTION_VERSION }, 582 { NULL, 0, NULL, 0 } 583 }; 584 585 #ifndef _WIN32 586 /* Drop root privileges and chroot if necessary */ 587 static void 588 droproot(const char *username, const char *chroot_dir) 589 { 590 struct passwd *pw = NULL; 591 592 if (chroot_dir && !username) { 593 fprintf(stderr, "%s: Chroot without dropping root is insecure\n", 594 program_name); 595 exit_tcpdump(1); 596 } 597 598 pw = getpwnam(username); 599 if (pw) { 600 if (chroot_dir) { 601 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) { 602 fprintf(stderr, "%s: Couldn't chroot/chdir to '%.64s': %s\n", 603 program_name, chroot_dir, pcap_strerror(errno)); 604 exit_tcpdump(1); 605 } 606 } 607 #ifdef HAVE_LIBCAP_NG 608 { 609 int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG); 610 if (ret < 0) { 611 fprintf(stderr, "error : ret %d\n", ret); 612 } else { 613 fprintf(stderr, "dropped privs to %s\n", username); 614 } 615 } 616 #else 617 if (initgroups(pw->pw_name, pw->pw_gid) != 0 || 618 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) { 619 fprintf(stderr, "%s: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n", 620 program_name, username, 621 (unsigned long)pw->pw_uid, 622 (unsigned long)pw->pw_gid, 623 pcap_strerror(errno)); 624 exit_tcpdump(1); 625 } 626 else { 627 fprintf(stderr, "dropped privs to %s\n", username); 628 } 629 #endif /* HAVE_LIBCAP_NG */ 630 } 631 else { 632 fprintf(stderr, "%s: Couldn't find user '%.32s'\n", 633 program_name, username); 634 exit_tcpdump(1); 635 } 636 #ifdef HAVE_LIBCAP_NG 637 /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */ 638 capng_updatev( 639 CAPNG_DROP, 640 CAPNG_EFFECTIVE | CAPNG_PERMITTED, 641 CAP_SETUID, 642 CAP_SETGID, 643 CAP_SYS_CHROOT, 644 -1); 645 capng_apply(CAPNG_SELECT_BOTH); 646 #endif /* HAVE_LIBCAP_NG */ 647 648 } 649 #endif /* _WIN32 */ 650 651 static int 652 getWflagChars(int x) 653 { 654 int c = 0; 655 656 x -= 1; 657 while (x > 0) { 658 c += 1; 659 x /= 10; 660 } 661 662 return c; 663 } 664 665 666 static void 667 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars) 668 { 669 char *filename = malloc(PATH_MAX + 1); 670 if (filename == NULL) 671 error("Makefilename: malloc"); 672 673 /* Process with strftime if Gflag is set. */ 674 if (Gflag != 0) { 675 struct tm *local_tm; 676 677 /* Convert Gflag_time to a usable format */ 678 if ((local_tm = localtime(&Gflag_time)) == NULL) { 679 error("MakeTimedFilename: localtime"); 680 } 681 682 /* There's no good way to detect an error in strftime since a return 683 * value of 0 isn't necessarily failure. 684 */ 685 strftime(filename, PATH_MAX, orig_name, local_tm); 686 } else { 687 strncpy(filename, orig_name, PATH_MAX); 688 } 689 690 if (cnt == 0 && max_chars == 0) 691 strncpy(buffer, filename, PATH_MAX + 1); 692 else 693 if (snprintf(buffer, PATH_MAX + 1, "%s%0*d", filename, max_chars, cnt) > PATH_MAX) 694 /* Report an error if the filename is too large */ 695 error("too many output files or filename is too long (> %d)", PATH_MAX); 696 free(filename); 697 } 698 699 static char * 700 get_next_file(FILE *VFile, char *ptr) 701 { 702 char *ret; 703 704 ret = fgets(ptr, PATH_MAX, VFile); 705 if (!ret) 706 return NULL; 707 708 if (ptr[strlen(ptr) - 1] == '\n') 709 ptr[strlen(ptr) - 1] = '\0'; 710 711 return ret; 712 } 713 714 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 715 static int 716 tstamp_precision_from_string(const char *precision) 717 { 718 if (strncmp(precision, "nano", strlen("nano")) == 0) 719 return PCAP_TSTAMP_PRECISION_NANO; 720 721 if (strncmp(precision, "micro", strlen("micro")) == 0) 722 return PCAP_TSTAMP_PRECISION_MICRO; 723 724 return -EINVAL; 725 } 726 727 static const char * 728 tstamp_precision_to_string(int precision) 729 { 730 switch (precision) { 731 732 case PCAP_TSTAMP_PRECISION_MICRO: 733 return "micro"; 734 735 case PCAP_TSTAMP_PRECISION_NANO: 736 return "nano"; 737 738 default: 739 return "unknown"; 740 } 741 } 742 #endif 743 744 #ifdef HAVE_CAPSICUM 745 /* 746 * Ensure that, on a dump file's descriptor, we have all the rights 747 * necessary to make the standard I/O library work with an fdopen()ed 748 * FILE * from that descriptor. 749 * 750 * A long time ago, in a galaxy far far away, AT&T decided that, instead 751 * of providing separate APIs for getting and setting the FD_ flags on a 752 * descriptor, getting and setting the O_ flags on a descriptor, and 753 * locking files, they'd throw them all into a kitchen-sink fcntl() call 754 * along the lines of ioctl(), the fact that ioctl() operations are 755 * largely specific to particular character devices but fcntl() operations 756 * are either generic to all descriptors or generic to all descriptors for 757 * regular files nonwithstanding. 758 * 759 * The Capsicum people decided that fine-grained control of descriptor 760 * operations was required, so that you need to grant permission for 761 * reading, writing, seeking, and fcntl-ing. The latter, courtesy of 762 * AT&T's decision, means that "fcntl-ing" isn't a thing, but a motley 763 * collection of things, so there are *individual* fcntls for which 764 * permission needs to be granted. 765 * 766 * The FreeBSD standard I/O people implemented some optimizations that 767 * requires that the standard I/O routines be able to determine whether 768 * the descriptor for the FILE * is open append-only or not; as that 769 * descriptor could have come from an open() rather than an fopen(), 770 * that requires that it be able to do an F_GETFL fcntl() to read 771 * the O_ flags. 772 * 773 * Tcpdump uses ftell() to determine how much data has been written 774 * to a file in order to, when used with -C, determine when it's time 775 * to rotate capture files. ftell() therefore needs to do an lseek() 776 * to find out the file offset and must, thanks to the aforementioned 777 * optimization, also know whether the descriptor is open append-only 778 * or not. 779 * 780 * The net result of all the above is that we need to grant CAP_SEEK, 781 * CAP_WRITE, and CAP_FCNTL with the CAP_FCNTL_GETFL subcapability. 782 * 783 * Perhaps this is the universe's way of saying that either 784 * 785 * 1) there needs to be an fopenat() call and a pcap_dump_openat() call 786 * using it, so that Capsicum-capable tcpdump wouldn't need to do 787 * an fdopen() 788 * 789 * or 790 * 791 * 2) there needs to be a cap_fdopen() call in the FreeBSD standard 792 * I/O library that knows what rights are needed by the standard 793 * I/O library, based on the open mode, and assigns them, perhaps 794 * with an additional argument indicating, for example, whether 795 * seeking should be allowed, so that tcpdump doesn't need to know 796 * what the standard I/O library happens to require this week. 797 */ 798 static void 799 set_dumper_capsicum_rights(pcap_dumper_t *p) 800 { 801 int fd = fileno(pcap_dump_file(p)); 802 cap_rights_t rights; 803 804 cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL); 805 if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) { 806 error("unable to limit dump descriptor"); 807 } 808 if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) { 809 error("unable to limit dump descriptor fcntls"); 810 } 811 } 812 #endif 813 814 /* 815 * Copy arg vector into a new buffer, concatenating arguments with spaces. 816 */ 817 static char * 818 copy_argv(register char **argv) 819 { 820 register char **p; 821 register u_int len = 0; 822 char *buf; 823 char *src, *dst; 824 825 p = argv; 826 if (*p == NULL) 827 return 0; 828 829 while (*p) 830 len += strlen(*p++) + 1; 831 832 buf = (char *)malloc(len); 833 if (buf == NULL) 834 error("copy_argv: malloc"); 835 836 p = argv; 837 dst = buf; 838 while ((src = *p++) != NULL) { 839 while ((*dst++ = *src++) != '\0') 840 ; 841 dst[-1] = ' '; 842 } 843 dst[-1] = '\0'; 844 845 return buf; 846 } 847 848 /* 849 * On Windows, we need to open the file in binary mode, so that 850 * we get all the bytes specified by the size we get from "fstat()". 851 * On UNIX, that's not necessary. O_BINARY is defined on Windows; 852 * we define it as 0 if it's not defined, so it does nothing. 853 */ 854 #ifndef O_BINARY 855 #define O_BINARY 0 856 #endif 857 858 static char * 859 read_infile(char *fname) 860 { 861 register int i, fd, cc; 862 register char *cp; 863 struct stat buf; 864 865 fd = open(fname, O_RDONLY|O_BINARY); 866 if (fd < 0) 867 error("can't open %s: %s", fname, pcap_strerror(errno)); 868 869 if (fstat(fd, &buf) < 0) 870 error("can't stat %s: %s", fname, pcap_strerror(errno)); 871 872 cp = malloc((u_int)buf.st_size + 1); 873 if (cp == NULL) 874 error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, 875 fname, pcap_strerror(errno)); 876 cc = read(fd, cp, (u_int)buf.st_size); 877 if (cc < 0) 878 error("read %s: %s", fname, pcap_strerror(errno)); 879 if (cc != buf.st_size) 880 error("short read %s (%d != %d)", fname, cc, (int)buf.st_size); 881 882 close(fd); 883 /* replace "# comment" with spaces */ 884 for (i = 0; i < cc; i++) { 885 if (cp[i] == '#') 886 while (i < cc && cp[i] != '\n') 887 cp[i++] = ' '; 888 } 889 cp[cc] = '\0'; 890 return (cp); 891 } 892 893 #ifdef HAVE_PCAP_FINDALLDEVS 894 static long 895 parse_interface_number(const char *device) 896 { 897 long devnum; 898 char *end; 899 900 devnum = strtol(device, &end, 10); 901 if (device != end && *end == '\0') { 902 /* 903 * It's all-numeric, but is it a valid number? 904 */ 905 if (devnum <= 0) { 906 /* 907 * No, it's not an ordinal. 908 */ 909 error("Invalid adapter index"); 910 } 911 return (devnum); 912 } else { 913 /* 914 * It's not all-numeric; return -1, so our caller 915 * knows that. 916 */ 917 return (-1); 918 } 919 } 920 921 static char * 922 find_interface_by_number(long devnum) 923 { 924 pcap_if_t *dev, *devlist; 925 long i; 926 char ebuf[PCAP_ERRBUF_SIZE]; 927 char *device; 928 929 if (pcap_findalldevs(&devlist, ebuf) < 0) 930 error("%s", ebuf); 931 /* 932 * Look for the devnum-th entry in the list of devices (1-based). 933 */ 934 for (i = 0, dev = devlist; i < devnum-1 && dev != NULL; 935 i++, dev = dev->next) 936 ; 937 if (dev == NULL) 938 error("Invalid adapter index"); 939 device = strdup(dev->name); 940 pcap_freealldevs(devlist); 941 return (device); 942 } 943 #endif 944 945 static pcap_t * 946 open_interface(const char *device, netdissect_options *ndo, char *ebuf) 947 { 948 pcap_t *pc; 949 #ifdef HAVE_PCAP_CREATE 950 int status; 951 char *cp; 952 #endif 953 954 #ifdef HAVE_PCAP_CREATE 955 pc = pcap_create(device, ebuf); 956 if (pc == NULL) { 957 /* 958 * If this failed with "No such device", that means 959 * the interface doesn't exist; return NULL, so that 960 * the caller can see whether the device name is 961 * actually an interface index. 962 */ 963 if (strstr(ebuf, "No such device") != NULL) 964 return (NULL); 965 error("%s", ebuf); 966 } 967 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 968 if (Jflag) 969 show_tstamp_types_and_exit(pc, device); 970 #endif 971 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 972 status = pcap_set_tstamp_precision(pc, ndo->ndo_tstamp_precision); 973 if (status != 0) 974 error("%s: Can't set %ssecond time stamp precision: %s", 975 device, 976 tstamp_precision_to_string(ndo->ndo_tstamp_precision), 977 pcap_statustostr(status)); 978 #endif 979 980 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 981 if (immediate_mode) { 982 status = pcap_set_immediate_mode(pc, 1); 983 if (status != 0) 984 error("%s: Can't set immediate mode: %s", 985 device, 986 pcap_statustostr(status)); 987 } 988 #endif 989 /* 990 * Is this an interface that supports monitor mode? 991 */ 992 if (pcap_can_set_rfmon(pc) == 1) 993 supports_monitor_mode = 1; 994 else 995 supports_monitor_mode = 0; 996 status = pcap_set_snaplen(pc, ndo->ndo_snaplen); 997 if (status != 0) 998 error("%s: Can't set snapshot length: %s", 999 device, pcap_statustostr(status)); 1000 status = pcap_set_promisc(pc, !pflag); 1001 if (status != 0) 1002 error("%s: Can't set promiscuous mode: %s", 1003 device, pcap_statustostr(status)); 1004 if (Iflag) { 1005 status = pcap_set_rfmon(pc, 1); 1006 if (status != 0) 1007 error("%s: Can't set monitor mode: %s", 1008 device, pcap_statustostr(status)); 1009 } 1010 status = pcap_set_timeout(pc, 1000); 1011 if (status != 0) 1012 error("%s: pcap_set_timeout failed: %s", 1013 device, pcap_statustostr(status)); 1014 if (Bflag != 0) { 1015 status = pcap_set_buffer_size(pc, Bflag); 1016 if (status != 0) 1017 error("%s: Can't set buffer size: %s", 1018 device, pcap_statustostr(status)); 1019 } 1020 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1021 if (jflag != -1) { 1022 status = pcap_set_tstamp_type(pc, jflag); 1023 if (status < 0) 1024 error("%s: Can't set time stamp type: %s", 1025 device, pcap_statustostr(status)); 1026 } 1027 #endif 1028 status = pcap_activate(pc); 1029 if (status < 0) { 1030 /* 1031 * pcap_activate() failed. 1032 */ 1033 cp = pcap_geterr(pc); 1034 if (status == PCAP_ERROR) 1035 error("%s", cp); 1036 else if (status == PCAP_ERROR_NO_SUCH_DEVICE) { 1037 /* 1038 * Return an error for our caller to handle. 1039 */ 1040 snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s\n(%s)", 1041 device, pcap_statustostr(status), cp); 1042 pcap_close(pc); 1043 return (NULL); 1044 } else if (status == PCAP_ERROR_PERM_DENIED && *cp != '\0') 1045 error("%s: %s\n(%s)", device, 1046 pcap_statustostr(status), cp); 1047 else 1048 error("%s: %s", device, 1049 pcap_statustostr(status)); 1050 } else if (status > 0) { 1051 /* 1052 * pcap_activate() succeeded, but it's warning us 1053 * of a problem it had. 1054 */ 1055 cp = pcap_geterr(pc); 1056 if (status == PCAP_WARNING) 1057 warning("%s", cp); 1058 else if (status == PCAP_WARNING_PROMISC_NOTSUP && 1059 *cp != '\0') 1060 warning("%s: %s\n(%s)", device, 1061 pcap_statustostr(status), cp); 1062 else 1063 warning("%s: %s", device, 1064 pcap_statustostr(status)); 1065 } 1066 #ifdef HAVE_PCAP_SETDIRECTION 1067 if (Qflag != -1) { 1068 status = pcap_setdirection(pc, Qflag); 1069 if (status != 0) 1070 error("%s: pcap_setdirection() failed: %s", 1071 device, pcap_geterr(pc)); 1072 } 1073 #endif /* HAVE_PCAP_SETDIRECTION */ 1074 #else /* HAVE_PCAP_CREATE */ 1075 *ebuf = '\0'; 1076 pc = pcap_open_live(device, ndo->ndo_snaplen, !pflag, 1000, ebuf); 1077 if (pc == NULL) { 1078 /* 1079 * If this failed with "No such device", that means 1080 * the interface doesn't exist; return NULL, so that 1081 * the caller can see whether the device name is 1082 * actually an interface index. 1083 */ 1084 if (strstr(ebuf, "No such device") != NULL) 1085 return (NULL); 1086 error("%s", ebuf); 1087 } 1088 if (*ebuf) 1089 warning("%s", ebuf); 1090 #endif /* HAVE_PCAP_CREATE */ 1091 1092 return (pc); 1093 } 1094 1095 int 1096 main(int argc, char **argv) 1097 { 1098 register int cnt, op, i; 1099 bpf_u_int32 localnet =0 , netmask = 0; 1100 int timezone_offset = 0; 1101 register char *cp, *infile, *cmdbuf, *device, *RFileName, *VFileName, *WFileName; 1102 pcap_handler callback; 1103 int dlt; 1104 const char *dlt_name; 1105 struct bpf_program fcode; 1106 #ifndef _WIN32 1107 RETSIGTYPE (*oldhandler)(int); 1108 #endif 1109 struct dump_info dumpinfo; 1110 u_char *pcap_userdata; 1111 char ebuf[PCAP_ERRBUF_SIZE]; 1112 char VFileLine[PATH_MAX + 1]; 1113 char *username = NULL; 1114 char *chroot_dir = NULL; 1115 char *ret = NULL; 1116 char *end; 1117 #ifdef HAVE_PCAP_FINDALLDEVS 1118 pcap_if_t *devlist; 1119 long devnum; 1120 #endif 1121 int status; 1122 FILE *VFile; 1123 #ifdef HAVE_CAPSICUM 1124 cap_rights_t rights; 1125 int cansandbox; 1126 #endif /* HAVE_CAPSICUM */ 1127 int Oflag = 1; /* run filter code optimizer */ 1128 int yflag_dlt = -1; 1129 const char *yflag_dlt_name = NULL; 1130 1131 netdissect_options Ndo; 1132 netdissect_options *ndo = &Ndo; 1133 1134 /* 1135 * Initialize the netdissect code. 1136 */ 1137 if (nd_init(ebuf, sizeof ebuf) == -1) 1138 error("%s", ebuf); 1139 1140 memset(ndo, 0, sizeof(*ndo)); 1141 ndo_set_function_pointers(ndo); 1142 ndo->ndo_snaplen = DEFAULT_SNAPLEN; 1143 1144 cnt = -1; 1145 device = NULL; 1146 infile = NULL; 1147 RFileName = NULL; 1148 VFileName = NULL; 1149 VFile = NULL; 1150 WFileName = NULL; 1151 dlt = -1; 1152 if ((cp = strrchr(argv[0], '/')) != NULL) 1153 ndo->program_name = program_name = cp + 1; 1154 else 1155 ndo->program_name = program_name = argv[0]; 1156 1157 #ifdef _WIN32 1158 if (pcap_wsockinit() != 0) 1159 error("Attempting to initialize Winsock failed"); 1160 #endif /* _WIN32 */ 1161 1162 /* 1163 * On platforms where the CPU doesn't support unaligned loads, 1164 * force unaligned accesses to abort with SIGBUS, rather than 1165 * being fixed up (slowly) by the OS kernel; on those platforms, 1166 * misaligned accesses are bugs, and we want tcpdump to crash so 1167 * that the bugs are reported. 1168 */ 1169 if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0) 1170 error("%s", ebuf); 1171 1172 while ( 1173 (op = getopt_long(argc, argv, SHORTOPTS, longopts, NULL)) != -1) 1174 switch (op) { 1175 1176 case 'a': 1177 /* compatibility for old -a */ 1178 break; 1179 1180 case 'A': 1181 ++ndo->ndo_Aflag; 1182 break; 1183 1184 case 'b': 1185 ++ndo->ndo_bflag; 1186 break; 1187 1188 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 1189 case 'B': 1190 Bflag = atoi(optarg)*1024; 1191 if (Bflag <= 0) 1192 error("invalid packet buffer size %s", optarg); 1193 break; 1194 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 1195 1196 case 'c': 1197 cnt = atoi(optarg); 1198 if (cnt <= 0) 1199 error("invalid packet count %s", optarg); 1200 break; 1201 1202 case 'C': 1203 Cflag = atoi(optarg) * 1000000; 1204 if (Cflag <= 0) 1205 error("invalid file size %s", optarg); 1206 break; 1207 1208 case 'd': 1209 ++dflag; 1210 break; 1211 1212 case 'D': 1213 Dflag++; 1214 break; 1215 1216 case 'L': 1217 Lflag++; 1218 break; 1219 1220 case 'e': 1221 ++ndo->ndo_eflag; 1222 break; 1223 1224 case 'E': 1225 #ifndef HAVE_LIBCRYPTO 1226 warning("crypto code not compiled in"); 1227 #endif 1228 ndo->ndo_espsecret = optarg; 1229 break; 1230 1231 case 'f': 1232 ++ndo->ndo_fflag; 1233 break; 1234 1235 case 'F': 1236 infile = optarg; 1237 break; 1238 1239 case 'G': 1240 Gflag = atoi(optarg); 1241 if (Gflag < 0) 1242 error("invalid number of seconds %s", optarg); 1243 1244 /* We will create one file initially. */ 1245 Gflag_count = 0; 1246 1247 /* Grab the current time for rotation use. */ 1248 if ((Gflag_time = time(NULL)) == (time_t)-1) { 1249 error("main: can't get current time: %s", 1250 pcap_strerror(errno)); 1251 } 1252 break; 1253 1254 case 'h': 1255 print_usage(); 1256 exit_tcpdump(0); 1257 break; 1258 1259 case 'H': 1260 ++ndo->ndo_Hflag; 1261 break; 1262 1263 case 'i': 1264 device = optarg; 1265 break; 1266 1267 #ifdef HAVE_PCAP_CREATE 1268 case 'I': 1269 ++Iflag; 1270 break; 1271 #endif /* HAVE_PCAP_CREATE */ 1272 1273 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1274 case 'j': 1275 jflag = pcap_tstamp_type_name_to_val(optarg); 1276 if (jflag < 0) 1277 error("invalid time stamp type %s", optarg); 1278 break; 1279 1280 case 'J': 1281 Jflag++; 1282 break; 1283 #endif 1284 1285 case 'l': 1286 #ifdef _WIN32 1287 /* 1288 * _IOLBF is the same as _IOFBF in Microsoft's C 1289 * libraries; the only alternative they offer 1290 * is _IONBF. 1291 * 1292 * XXX - this should really be checking for MSVC++, 1293 * not _WIN32, if, for example, MinGW has its own 1294 * C library that is more UNIX-compatible. 1295 */ 1296 setvbuf(stdout, NULL, _IONBF, 0); 1297 #else /* _WIN32 */ 1298 #ifdef HAVE_SETLINEBUF 1299 setlinebuf(stdout); 1300 #else 1301 setvbuf(stdout, NULL, _IOLBF, 0); 1302 #endif 1303 #endif /* _WIN32 */ 1304 break; 1305 1306 case 'K': 1307 ++ndo->ndo_Kflag; 1308 break; 1309 1310 case 'm': 1311 if (nd_have_smi_support()) { 1312 if (nd_load_smi_module(optarg, ebuf, sizeof ebuf) == -1) 1313 error("%s", ebuf); 1314 } else { 1315 (void)fprintf(stderr, "%s: ignoring option `-m %s' ", 1316 program_name, optarg); 1317 (void)fprintf(stderr, "(no libsmi support)\n"); 1318 } 1319 break; 1320 1321 case 'M': 1322 /* TCP-MD5 shared secret */ 1323 #ifndef HAVE_LIBCRYPTO 1324 warning("crypto code not compiled in"); 1325 #endif 1326 ndo->ndo_sigsecret = optarg; 1327 break; 1328 1329 case 'n': 1330 ++ndo->ndo_nflag; 1331 break; 1332 1333 case 'N': 1334 ++ndo->ndo_Nflag; 1335 break; 1336 1337 case 'O': 1338 Oflag = 0; 1339 break; 1340 1341 case 'p': 1342 ++pflag; 1343 break; 1344 1345 case 'q': 1346 ++ndo->ndo_qflag; 1347 ++ndo->ndo_suppress_default_print; 1348 break; 1349 1350 #ifdef HAVE_PCAP_SETDIRECTION 1351 case 'Q': 1352 if (ascii_strcasecmp(optarg, "in") == 0) 1353 Qflag = PCAP_D_IN; 1354 else if (ascii_strcasecmp(optarg, "out") == 0) 1355 Qflag = PCAP_D_OUT; 1356 else if (ascii_strcasecmp(optarg, "inout") == 0) 1357 Qflag = PCAP_D_INOUT; 1358 else 1359 error("unknown capture direction `%s'", optarg); 1360 break; 1361 #endif /* HAVE_PCAP_SETDIRECTION */ 1362 1363 case 'r': 1364 RFileName = optarg; 1365 break; 1366 1367 case 's': 1368 ndo->ndo_snaplen = strtol(optarg, &end, 0); 1369 if (optarg == end || *end != '\0' 1370 || ndo->ndo_snaplen < 0 || ndo->ndo_snaplen > MAXIMUM_SNAPLEN) 1371 error("invalid snaplen %s", optarg); 1372 else if (ndo->ndo_snaplen == 0) 1373 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 1374 break; 1375 1376 case 'S': 1377 ++ndo->ndo_Sflag; 1378 break; 1379 1380 case 't': 1381 ++ndo->ndo_tflag; 1382 break; 1383 1384 case 'T': 1385 if (ascii_strcasecmp(optarg, "vat") == 0) 1386 ndo->ndo_packettype = PT_VAT; 1387 else if (ascii_strcasecmp(optarg, "wb") == 0) 1388 ndo->ndo_packettype = PT_WB; 1389 else if (ascii_strcasecmp(optarg, "rpc") == 0) 1390 ndo->ndo_packettype = PT_RPC; 1391 else if (ascii_strcasecmp(optarg, "rtp") == 0) 1392 ndo->ndo_packettype = PT_RTP; 1393 else if (ascii_strcasecmp(optarg, "rtcp") == 0) 1394 ndo->ndo_packettype = PT_RTCP; 1395 else if (ascii_strcasecmp(optarg, "snmp") == 0) 1396 ndo->ndo_packettype = PT_SNMP; 1397 else if (ascii_strcasecmp(optarg, "cnfp") == 0) 1398 ndo->ndo_packettype = PT_CNFP; 1399 else if (ascii_strcasecmp(optarg, "tftp") == 0) 1400 ndo->ndo_packettype = PT_TFTP; 1401 else if (ascii_strcasecmp(optarg, "aodv") == 0) 1402 ndo->ndo_packettype = PT_AODV; 1403 else if (ascii_strcasecmp(optarg, "carp") == 0) 1404 ndo->ndo_packettype = PT_CARP; 1405 else if (ascii_strcasecmp(optarg, "radius") == 0) 1406 ndo->ndo_packettype = PT_RADIUS; 1407 else if (ascii_strcasecmp(optarg, "zmtp1") == 0) 1408 ndo->ndo_packettype = PT_ZMTP1; 1409 else if (ascii_strcasecmp(optarg, "vxlan") == 0) 1410 ndo->ndo_packettype = PT_VXLAN; 1411 else if (ascii_strcasecmp(optarg, "pgm") == 0) 1412 ndo->ndo_packettype = PT_PGM; 1413 else if (ascii_strcasecmp(optarg, "pgm_zmtp1") == 0) 1414 ndo->ndo_packettype = PT_PGM_ZMTP1; 1415 else if (ascii_strcasecmp(optarg, "lmp") == 0) 1416 ndo->ndo_packettype = PT_LMP; 1417 else if (ascii_strcasecmp(optarg, "resp") == 0) 1418 ndo->ndo_packettype = PT_RESP; 1419 else 1420 error("unknown packet type `%s'", optarg); 1421 break; 1422 1423 case 'u': 1424 ++ndo->ndo_uflag; 1425 break; 1426 1427 #ifdef HAVE_PCAP_DUMP_FLUSH 1428 case 'U': 1429 ++Uflag; 1430 break; 1431 #endif 1432 1433 case 'v': 1434 ++ndo->ndo_vflag; 1435 break; 1436 1437 case 'V': 1438 VFileName = optarg; 1439 break; 1440 1441 case 'w': 1442 WFileName = optarg; 1443 break; 1444 1445 case 'W': 1446 Wflag = atoi(optarg); 1447 if (Wflag <= 0) 1448 error("invalid number of output files %s", optarg); 1449 WflagChars = getWflagChars(Wflag); 1450 break; 1451 1452 case 'x': 1453 ++ndo->ndo_xflag; 1454 ++ndo->ndo_suppress_default_print; 1455 break; 1456 1457 case 'X': 1458 ++ndo->ndo_Xflag; 1459 ++ndo->ndo_suppress_default_print; 1460 break; 1461 1462 case 'y': 1463 yflag_dlt_name = optarg; 1464 yflag_dlt = 1465 pcap_datalink_name_to_val(yflag_dlt_name); 1466 if (yflag_dlt < 0) 1467 error("invalid data link type %s", yflag_dlt_name); 1468 break; 1469 1470 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 1471 case 'Y': 1472 { 1473 /* Undocumented flag */ 1474 pcap_set_parser_debug(1); 1475 } 1476 break; 1477 #endif 1478 case 'z': 1479 zflag = optarg; 1480 break; 1481 1482 case 'Z': 1483 username = optarg; 1484 break; 1485 1486 case '#': 1487 ndo->ndo_packet_number = 1; 1488 break; 1489 1490 case OPTION_VERSION: 1491 print_version(); 1492 exit_tcpdump(0); 1493 break; 1494 1495 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1496 case OPTION_TSTAMP_PRECISION: 1497 ndo->ndo_tstamp_precision = tstamp_precision_from_string(optarg); 1498 if (ndo->ndo_tstamp_precision < 0) 1499 error("unsupported time stamp precision"); 1500 break; 1501 #endif 1502 1503 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1504 case OPTION_IMMEDIATE_MODE: 1505 immediate_mode = 1; 1506 break; 1507 #endif 1508 1509 default: 1510 print_usage(); 1511 exit_tcpdump(1); 1512 /* NOTREACHED */ 1513 } 1514 1515 #ifdef HAVE_PCAP_FINDALLDEVS 1516 if (Dflag) 1517 show_devices_and_exit(); 1518 #endif 1519 1520 switch (ndo->ndo_tflag) { 1521 1522 case 0: /* Default */ 1523 case 4: /* Default + Date*/ 1524 timezone_offset = gmt2local(0); 1525 break; 1526 1527 case 1: /* No time stamp */ 1528 case 2: /* Unix timeval style */ 1529 case 3: /* Microseconds since previous packet */ 1530 case 5: /* Microseconds since first packet */ 1531 break; 1532 1533 default: /* Not supported */ 1534 error("only -t, -tt, -ttt, -tttt and -ttttt are supported"); 1535 break; 1536 } 1537 1538 if (ndo->ndo_fflag != 0 && (VFileName != NULL || RFileName != NULL)) 1539 error("-f can not be used with -V or -r"); 1540 1541 if (VFileName != NULL && RFileName != NULL) 1542 error("-V and -r are mutually exclusive."); 1543 1544 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1545 /* 1546 * If we're printing dissected packets to the standard output 1547 * rather than saving raw packets to a file, and the standard 1548 * output is a terminal, use immediate mode, as the user's 1549 * probably expecting to see packets pop up immediately. 1550 */ 1551 if (WFileName == NULL && isatty(1)) 1552 immediate_mode = 1; 1553 #endif 1554 1555 #ifdef WITH_CHROOT 1556 /* if run as root, prepare for chrooting */ 1557 if (getuid() == 0 || geteuid() == 0) { 1558 /* future extensibility for cmd-line arguments */ 1559 if (!chroot_dir) 1560 chroot_dir = WITH_CHROOT; 1561 } 1562 #endif 1563 1564 #ifdef WITH_USER 1565 /* if run as root, prepare for dropping root privileges */ 1566 if (getuid() == 0 || geteuid() == 0) { 1567 /* Run with '-Z root' to restore old behaviour */ 1568 if (!username) 1569 username = WITH_USER; 1570 } 1571 #endif 1572 1573 if (RFileName != NULL || VFileName != NULL) { 1574 /* 1575 * If RFileName is non-null, it's the pathname of a 1576 * savefile to read. If VFileName is non-null, it's 1577 * the pathname of a file containing a list of pathnames 1578 * (one per line) of savefiles to read. 1579 * 1580 * In either case, we're reading a savefile, not doing 1581 * a live capture. 1582 */ 1583 #ifndef _WIN32 1584 /* 1585 * We don't need network access, so relinquish any set-UID 1586 * or set-GID privileges we have (if any). 1587 * 1588 * We do *not* want set-UID privileges when opening a 1589 * trace file, as that might let the user read other 1590 * people's trace files (especially if we're set-UID 1591 * root). 1592 */ 1593 if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ) 1594 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 1595 #endif /* _WIN32 */ 1596 if (VFileName != NULL) { 1597 if (VFileName[0] == '-' && VFileName[1] == '\0') 1598 VFile = stdin; 1599 else 1600 VFile = fopen(VFileName, "r"); 1601 1602 if (VFile == NULL) 1603 error("Unable to open file: %s\n", pcap_strerror(errno)); 1604 1605 ret = get_next_file(VFile, VFileLine); 1606 if (!ret) 1607 error("Nothing in %s\n", VFileName); 1608 RFileName = VFileLine; 1609 } 1610 1611 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1612 pd = pcap_open_offline_with_tstamp_precision(RFileName, 1613 ndo->ndo_tstamp_precision, ebuf); 1614 #else 1615 pd = pcap_open_offline(RFileName, ebuf); 1616 #endif 1617 1618 if (pd == NULL) 1619 error("%s", ebuf); 1620 #ifdef HAVE_CAPSICUM 1621 cap_rights_init(&rights, CAP_READ); 1622 if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 && 1623 errno != ENOSYS) { 1624 error("unable to limit pcap descriptor"); 1625 } 1626 #endif 1627 dlt = pcap_datalink(pd); 1628 dlt_name = pcap_datalink_val_to_name(dlt); 1629 if (dlt_name == NULL) { 1630 fprintf(stderr, "reading from file %s, link-type %u\n", 1631 RFileName, dlt); 1632 } else { 1633 fprintf(stderr, 1634 "reading from file %s, link-type %s (%s)\n", 1635 RFileName, dlt_name, 1636 pcap_datalink_val_to_description(dlt)); 1637 } 1638 } else { 1639 /* 1640 * We're doing a live capture. 1641 */ 1642 if (device == NULL) { 1643 /* 1644 * No interface was specified. Pick one. 1645 */ 1646 #ifdef HAVE_PCAP_FINDALLDEVS 1647 /* 1648 * Find the list of interfaces, and pick 1649 * the first interface. 1650 */ 1651 if (pcap_findalldevs(&devlist, ebuf) >= 0 && 1652 devlist != NULL) { 1653 device = strdup(devlist->name); 1654 pcap_freealldevs(devlist); 1655 } 1656 #else /* HAVE_PCAP_FINDALLDEVS */ 1657 /* 1658 * Use whatever interface pcap_lookupdev() 1659 * chooses. 1660 */ 1661 device = pcap_lookupdev(ebuf); 1662 #endif 1663 if (device == NULL) 1664 error("%s", ebuf); 1665 } 1666 1667 /* 1668 * Try to open the interface with the specified name. 1669 */ 1670 pd = open_interface(device, ndo, ebuf); 1671 if (pd == NULL) { 1672 /* 1673 * That failed. If we can get a list of 1674 * interfaces, and the interface name 1675 * is purely numeric, try to use it as 1676 * a 1-based index in the list of 1677 * interfaces. 1678 */ 1679 #ifdef HAVE_PCAP_FINDALLDEVS 1680 devnum = parse_interface_number(device); 1681 if (devnum == -1) { 1682 /* 1683 * It's not a number; just report 1684 * the open error and fail. 1685 */ 1686 error("%s", ebuf); 1687 } 1688 1689 /* 1690 * OK, it's a number; try to find the 1691 * interface with that index, and try 1692 * to open it. 1693 * 1694 * find_interface_by_number() exits if it 1695 * couldn't be found. 1696 */ 1697 device = find_interface_by_number(devnum); 1698 pd = open_interface(device, ndo, ebuf); 1699 if (pd == NULL) 1700 error("%s", ebuf); 1701 #else /* HAVE_PCAP_FINDALLDEVS */ 1702 /* 1703 * We can't get a list of interfaces; just 1704 * fail. 1705 */ 1706 error("%s", ebuf); 1707 #endif /* HAVE_PCAP_FINDALLDEVS */ 1708 } 1709 1710 /* 1711 * Let user own process after socket has been opened. 1712 */ 1713 #ifndef _WIN32 1714 if (setgid(getgid()) != 0 || setuid(getuid()) != 0) 1715 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 1716 #endif /* _WIN32 */ 1717 #if !defined(HAVE_PCAP_CREATE) && defined(_WIN32) 1718 if(Bflag != 0) 1719 if(pcap_setbuff(pd, Bflag)==-1){ 1720 error("%s", pcap_geterr(pd)); 1721 } 1722 #endif /* !defined(HAVE_PCAP_CREATE) && defined(_WIN32) */ 1723 if (Lflag) 1724 show_dlts_and_exit(pd, device); 1725 if (yflag_dlt >= 0) { 1726 #ifdef HAVE_PCAP_SET_DATALINK 1727 if (pcap_set_datalink(pd, yflag_dlt) < 0) 1728 error("%s", pcap_geterr(pd)); 1729 #else 1730 /* 1731 * We don't actually support changing the 1732 * data link type, so we only let them 1733 * set it to what it already is. 1734 */ 1735 if (yflag_dlt != pcap_datalink(pd)) { 1736 error("%s is not one of the DLTs supported by this device\n", 1737 yflag_dlt_name); 1738 } 1739 #endif 1740 (void)fprintf(stderr, "%s: data link type %s\n", 1741 program_name, yflag_dlt_name); 1742 (void)fflush(stderr); 1743 } 1744 i = pcap_snapshot(pd); 1745 if (ndo->ndo_snaplen < i) { 1746 warning("snaplen raised from %d to %d", ndo->ndo_snaplen, i); 1747 ndo->ndo_snaplen = i; 1748 } 1749 if(ndo->ndo_fflag != 0) { 1750 if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) { 1751 warning("foreign (-f) flag used but: %s", ebuf); 1752 } 1753 } 1754 1755 } 1756 if (infile) 1757 cmdbuf = read_infile(infile); 1758 else 1759 cmdbuf = copy_argv(&argv[optind]); 1760 1761 #ifdef HAVE_PCAP_SET_OPTIMIZER_DEBUG 1762 pcap_set_optimizer_debug(dflag); 1763 #endif 1764 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 1765 error("%s", pcap_geterr(pd)); 1766 if (dflag) { 1767 bpf_dump(&fcode, dflag); 1768 pcap_close(pd); 1769 free(cmdbuf); 1770 pcap_freecode(&fcode); 1771 exit_tcpdump(0); 1772 } 1773 init_print(ndo, localnet, netmask, timezone_offset); 1774 1775 #ifndef _WIN32 1776 (void)setsignal(SIGPIPE, cleanup); 1777 (void)setsignal(SIGTERM, cleanup); 1778 (void)setsignal(SIGINT, cleanup); 1779 #endif /* _WIN32 */ 1780 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 1781 (void)setsignal(SIGCHLD, child_cleanup); 1782 #endif 1783 /* Cooperate with nohup(1) */ 1784 #ifndef _WIN32 1785 if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL) 1786 (void)setsignal(SIGHUP, oldhandler); 1787 #endif /* _WIN32 */ 1788 1789 #ifndef _WIN32 1790 /* 1791 * If a user name was specified with "-Z", attempt to switch to 1792 * that user's UID. This would probably be used with sudo, 1793 * to allow tcpdump to be run in a special restricted 1794 * account (if you just want to allow users to open capture 1795 * devices, and can't just give users that permission, 1796 * you'd make tcpdump set-UID or set-GID). 1797 * 1798 * Tcpdump doesn't necessarily write only to one savefile; 1799 * the general only way to allow a -Z instance to write to 1800 * savefiles as the user under whose UID it's run, rather 1801 * than as the user specified with -Z, would thus be to switch 1802 * to the original user ID before opening a capture file and 1803 * then switch back to the -Z user ID after opening the savefile. 1804 * Switching to the -Z user ID only after opening the first 1805 * savefile doesn't handle the general case. 1806 */ 1807 1808 if (getuid() == 0 || geteuid() == 0) { 1809 #ifdef HAVE_LIBCAP_NG 1810 /* Initialize capng */ 1811 capng_clear(CAPNG_SELECT_BOTH); 1812 if (username) { 1813 capng_updatev( 1814 CAPNG_ADD, 1815 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 1816 CAP_SETUID, 1817 CAP_SETGID, 1818 -1); 1819 } 1820 if (chroot_dir) { 1821 capng_update( 1822 CAPNG_ADD, 1823 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 1824 CAP_SYS_CHROOT 1825 ); 1826 } 1827 1828 if (WFileName) { 1829 capng_update( 1830 CAPNG_ADD, 1831 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 1832 CAP_DAC_OVERRIDE 1833 ); 1834 } 1835 capng_apply(CAPNG_SELECT_BOTH); 1836 #endif /* HAVE_LIBCAP_NG */ 1837 if (username || chroot_dir) 1838 droproot(username, chroot_dir); 1839 1840 } 1841 #endif /* _WIN32 */ 1842 1843 if (pcap_setfilter(pd, &fcode) < 0) 1844 error("%s", pcap_geterr(pd)); 1845 #ifdef HAVE_CAPSICUM 1846 if (RFileName == NULL && VFileName == NULL) { 1847 static const unsigned long cmds[] = { BIOCGSTATS, BIOCROTZBUF }; 1848 1849 /* 1850 * The various libpcap devices use a combination of 1851 * read (bpf), ioctl (bpf, netmap), poll (netmap) 1852 * so we add the relevant access rights. 1853 */ 1854 cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT); 1855 if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 && 1856 errno != ENOSYS) { 1857 error("unable to limit pcap descriptor"); 1858 } 1859 if (cap_ioctls_limit(pcap_fileno(pd), cmds, 1860 sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) { 1861 error("unable to limit ioctls on pcap descriptor"); 1862 } 1863 } 1864 #endif 1865 if (WFileName) { 1866 pcap_dumper_t *p; 1867 /* Do not exceed the default PATH_MAX for files. */ 1868 dumpinfo.CurrentFileName = (char *)malloc(PATH_MAX + 1); 1869 1870 if (dumpinfo.CurrentFileName == NULL) 1871 error("malloc of dumpinfo.CurrentFileName"); 1872 1873 /* We do not need numbering for dumpfiles if Cflag isn't set. */ 1874 if (Cflag != 0) 1875 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars); 1876 else 1877 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0); 1878 1879 p = pcap_dump_open(pd, dumpinfo.CurrentFileName); 1880 #ifdef HAVE_LIBCAP_NG 1881 /* Give up CAP_DAC_OVERRIDE capability. 1882 * Only allow it to be restored if the -C or -G flag have been 1883 * set since we may need to create more files later on. 1884 */ 1885 capng_update( 1886 CAPNG_DROP, 1887 (Cflag || Gflag ? 0 : CAPNG_PERMITTED) 1888 | CAPNG_EFFECTIVE, 1889 CAP_DAC_OVERRIDE 1890 ); 1891 capng_apply(CAPNG_SELECT_BOTH); 1892 #endif /* HAVE_LIBCAP_NG */ 1893 if (p == NULL) 1894 error("%s", pcap_geterr(pd)); 1895 #ifdef HAVE_CAPSICUM 1896 set_dumper_capsicum_rights(p); 1897 #endif 1898 if (Cflag != 0 || Gflag != 0) { 1899 #ifdef HAVE_CAPSICUM 1900 dumpinfo.WFileName = strdup(basename(WFileName)); 1901 if (dumpinfo.WFileName == NULL) { 1902 error("Unable to allocate memory for file %s", 1903 WFileName); 1904 } 1905 dumpinfo.dirfd = open(dirname(WFileName), 1906 O_DIRECTORY | O_RDONLY); 1907 if (dumpinfo.dirfd < 0) { 1908 error("unable to open directory %s", 1909 dirname(WFileName)); 1910 } 1911 cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, 1912 CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE); 1913 if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 && 1914 errno != ENOSYS) { 1915 error("unable to limit directory rights"); 1916 } 1917 if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 && 1918 errno != ENOSYS) { 1919 error("unable to limit dump descriptor fcntls"); 1920 } 1921 #else /* !HAVE_CAPSICUM */ 1922 dumpinfo.WFileName = WFileName; 1923 #endif 1924 callback = dump_packet_and_trunc; 1925 dumpinfo.pd = pd; 1926 dumpinfo.p = p; 1927 pcap_userdata = (u_char *)&dumpinfo; 1928 } else { 1929 callback = dump_packet; 1930 pcap_userdata = (u_char *)p; 1931 } 1932 #ifdef HAVE_PCAP_DUMP_FLUSH 1933 if (Uflag) 1934 pcap_dump_flush(p); 1935 #endif 1936 } else { 1937 dlt = pcap_datalink(pd); 1938 ndo->ndo_if_printer = get_if_printer(ndo, dlt); 1939 callback = print_packet; 1940 pcap_userdata = (u_char *)ndo; 1941 } 1942 1943 #ifdef SIGNAL_REQ_INFO 1944 /* 1945 * We can't get statistics when reading from a file rather 1946 * than capturing from a device. 1947 */ 1948 if (RFileName == NULL) 1949 (void)setsignal(SIGNAL_REQ_INFO, requestinfo); 1950 #endif 1951 1952 if (ndo->ndo_vflag > 0 && WFileName) { 1953 /* 1954 * When capturing to a file, "-v" means tcpdump should, 1955 * every 10 seconds, "v"erbosely report the number of 1956 * packets captured. 1957 */ 1958 #ifdef USE_WIN32_MM_TIMER 1959 /* call verbose_stats_dump() each 1000 +/-100msec */ 1960 timer_id = timeSetEvent(1000, 100, verbose_stats_dump, 0, TIME_PERIODIC); 1961 setvbuf(stderr, NULL, _IONBF, 0); 1962 #elif defined(HAVE_ALARM) 1963 (void)setsignal(SIGALRM, verbose_stats_dump); 1964 alarm(1); 1965 #endif 1966 } 1967 1968 if (RFileName == NULL) { 1969 /* 1970 * Live capture (if -V was specified, we set RFileName 1971 * to a file from the -V file). Print a message to 1972 * the standard error on UN*X. 1973 */ 1974 if (!ndo->ndo_vflag && !WFileName) { 1975 (void)fprintf(stderr, 1976 "%s: verbose output suppressed, use -v or -vv for full protocol decode\n", 1977 program_name); 1978 } else 1979 (void)fprintf(stderr, "%s: ", program_name); 1980 dlt = pcap_datalink(pd); 1981 dlt_name = pcap_datalink_val_to_name(dlt); 1982 if (dlt_name == NULL) { 1983 (void)fprintf(stderr, "listening on %s, link-type %u, capture size %u bytes\n", 1984 device, dlt, ndo->ndo_snaplen); 1985 } else { 1986 (void)fprintf(stderr, "listening on %s, link-type %s (%s), capture size %u bytes\n", 1987 device, dlt_name, 1988 pcap_datalink_val_to_description(dlt), ndo->ndo_snaplen); 1989 } 1990 (void)fflush(stderr); 1991 } 1992 1993 #ifdef HAVE_CAPSICUM 1994 cansandbox = (ndo->ndo_nflag && VFileName == NULL && zflag == NULL); 1995 if (cansandbox && cap_enter() < 0 && errno != ENOSYS) 1996 error("unable to enter the capability mode"); 1997 #endif /* HAVE_CAPSICUM */ 1998 1999 do { 2000 status = pcap_loop(pd, cnt, callback, pcap_userdata); 2001 if (WFileName == NULL) { 2002 /* 2003 * We're printing packets. Flush the printed output, 2004 * so it doesn't get intermingled with error output. 2005 */ 2006 if (status == -2) { 2007 /* 2008 * We got interrupted, so perhaps we didn't 2009 * manage to finish a line we were printing. 2010 * Print an extra newline, just in case. 2011 */ 2012 putchar('\n'); 2013 } 2014 (void)fflush(stdout); 2015 } 2016 if (status == -2) { 2017 /* 2018 * We got interrupted. If we are reading multiple 2019 * files (via -V) set these so that we stop. 2020 */ 2021 VFileName = NULL; 2022 ret = NULL; 2023 } 2024 if (status == -1) { 2025 /* 2026 * Error. Report it. 2027 */ 2028 (void)fprintf(stderr, "%s: pcap_loop: %s\n", 2029 program_name, pcap_geterr(pd)); 2030 } 2031 if (RFileName == NULL) { 2032 /* 2033 * We're doing a live capture. Report the capture 2034 * statistics. 2035 */ 2036 info(1); 2037 } 2038 pcap_close(pd); 2039 if (VFileName != NULL) { 2040 ret = get_next_file(VFile, VFileLine); 2041 if (ret) { 2042 int new_dlt; 2043 2044 RFileName = VFileLine; 2045 pd = pcap_open_offline(RFileName, ebuf); 2046 if (pd == NULL) 2047 error("%s", ebuf); 2048 #ifdef HAVE_CAPSICUM 2049 cap_rights_init(&rights, CAP_READ); 2050 if (cap_rights_limit(fileno(pcap_file(pd)), 2051 &rights) < 0 && errno != ENOSYS) { 2052 error("unable to limit pcap descriptor"); 2053 } 2054 #endif 2055 new_dlt = pcap_datalink(pd); 2056 if (new_dlt != dlt) { 2057 /* 2058 * The new file has a different 2059 * link-layer header type from the 2060 * previous one. 2061 */ 2062 if (WFileName != NULL) { 2063 /* 2064 * We're writing raw packets 2065 * that match the filter to 2066 * a pcap file. pcap files 2067 * don't support multiple 2068 * different link-layer 2069 * header types, so we fail 2070 * here. 2071 */ 2072 error("%s: new dlt does not match original", RFileName); 2073 } 2074 2075 /* 2076 * We're printing the decoded packets; 2077 * switch to the new DLT. 2078 * 2079 * To do that, we need to change 2080 * the printer, change the DLT name, 2081 * and recompile the filter with 2082 * the new DLT. 2083 */ 2084 dlt = new_dlt; 2085 ndo->ndo_if_printer = get_if_printer(ndo, dlt); 2086 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2087 error("%s", pcap_geterr(pd)); 2088 } 2089 2090 /* 2091 * Set the filter on the new file. 2092 */ 2093 if (pcap_setfilter(pd, &fcode) < 0) 2094 error("%s", pcap_geterr(pd)); 2095 2096 /* 2097 * Report the new file. 2098 */ 2099 dlt_name = pcap_datalink_val_to_name(dlt); 2100 if (dlt_name == NULL) { 2101 fprintf(stderr, "reading from file %s, link-type %u\n", 2102 RFileName, dlt); 2103 } else { 2104 fprintf(stderr, 2105 "reading from file %s, link-type %s (%s)\n", 2106 RFileName, dlt_name, 2107 pcap_datalink_val_to_description(dlt)); 2108 } 2109 } 2110 } 2111 } 2112 while (ret != NULL); 2113 2114 free(cmdbuf); 2115 pcap_freecode(&fcode); 2116 exit_tcpdump(status == -1 ? 1 : 0); 2117 } 2118 2119 /* make a clean exit on interrupts */ 2120 static RETSIGTYPE 2121 cleanup(int signo _U_) 2122 { 2123 #ifdef USE_WIN32_MM_TIMER 2124 if (timer_id) 2125 timeKillEvent(timer_id); 2126 timer_id = 0; 2127 #elif defined(HAVE_ALARM) 2128 alarm(0); 2129 #endif 2130 2131 #ifdef HAVE_PCAP_BREAKLOOP 2132 /* 2133 * We have "pcap_breakloop()"; use it, so that we do as little 2134 * as possible in the signal handler (it's probably not safe 2135 * to do anything with standard I/O streams in a signal handler - 2136 * the ANSI C standard doesn't say it is). 2137 */ 2138 pcap_breakloop(pd); 2139 #else 2140 /* 2141 * We don't have "pcap_breakloop()"; this isn't safe, but 2142 * it's the best we can do. Print the summary if we're 2143 * not reading from a savefile - i.e., if we're doing a 2144 * live capture - and exit. 2145 */ 2146 if (pd != NULL && pcap_file(pd) == NULL) { 2147 /* 2148 * We got interrupted, so perhaps we didn't 2149 * manage to finish a line we were printing. 2150 * Print an extra newline, just in case. 2151 */ 2152 putchar('\n'); 2153 (void)fflush(stdout); 2154 info(1); 2155 } 2156 exit_tcpdump(0); 2157 #endif 2158 } 2159 2160 /* 2161 On windows, we do not use a fork, so we do not care less about 2162 waiting a child processes to die 2163 */ 2164 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2165 static RETSIGTYPE 2166 child_cleanup(int signo _U_) 2167 { 2168 wait(NULL); 2169 } 2170 #endif /* HAVE_FORK && HAVE_VFORK */ 2171 2172 static void 2173 info(register int verbose) 2174 { 2175 struct pcap_stat stats; 2176 2177 /* 2178 * Older versions of libpcap didn't set ps_ifdrop on some 2179 * platforms; initialize it to 0 to handle that. 2180 */ 2181 stats.ps_ifdrop = 0; 2182 if (pcap_stats(pd, &stats) < 0) { 2183 (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd)); 2184 infoprint = 0; 2185 return; 2186 } 2187 2188 if (!verbose) 2189 fprintf(stderr, "%s: ", program_name); 2190 2191 (void)fprintf(stderr, "%u packet%s captured", packets_captured, 2192 PLURAL_SUFFIX(packets_captured)); 2193 if (!verbose) 2194 fputs(", ", stderr); 2195 else 2196 putc('\n', stderr); 2197 (void)fprintf(stderr, "%u packet%s received by filter", stats.ps_recv, 2198 PLURAL_SUFFIX(stats.ps_recv)); 2199 if (!verbose) 2200 fputs(", ", stderr); 2201 else 2202 putc('\n', stderr); 2203 (void)fprintf(stderr, "%u packet%s dropped by kernel", stats.ps_drop, 2204 PLURAL_SUFFIX(stats.ps_drop)); 2205 if (stats.ps_ifdrop != 0) { 2206 if (!verbose) 2207 fputs(", ", stderr); 2208 else 2209 putc('\n', stderr); 2210 (void)fprintf(stderr, "%u packet%s dropped by interface\n", 2211 stats.ps_ifdrop, PLURAL_SUFFIX(stats.ps_ifdrop)); 2212 } else 2213 putc('\n', stderr); 2214 infoprint = 0; 2215 } 2216 2217 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2218 #ifdef HAVE_FORK 2219 #define fork_subprocess() fork() 2220 #else 2221 #define fork_subprocess() vfork() 2222 #endif 2223 static void 2224 compress_savefile(const char *filename) 2225 { 2226 pid_t child; 2227 2228 child = fork_subprocess(); 2229 if (child == -1) { 2230 fprintf(stderr, 2231 "compress_savefile: fork failed: %s\n", 2232 pcap_strerror(errno)); 2233 return; 2234 } 2235 if (child != 0) { 2236 /* Parent process. */ 2237 return; 2238 } 2239 2240 /* 2241 * Child process. 2242 * Set to lowest priority so that this doesn't disturb the capture. 2243 */ 2244 #ifdef NZERO 2245 setpriority(PRIO_PROCESS, 0, NZERO - 1); 2246 #else 2247 setpriority(PRIO_PROCESS, 0, 19); 2248 #endif 2249 if (execlp(zflag, zflag, filename, (char *)NULL) == -1) 2250 fprintf(stderr, 2251 "compress_savefile: execlp(%s, %s) failed: %s\n", 2252 zflag, 2253 filename, 2254 pcap_strerror(errno)); 2255 #ifdef HAVE_FORK 2256 exit(1); 2257 #else 2258 _exit(1); 2259 #endif 2260 } 2261 #else /* HAVE_FORK && HAVE_VFORK */ 2262 static void 2263 compress_savefile(const char *filename) 2264 { 2265 fprintf(stderr, 2266 "compress_savefile failed. Functionality not implemented under your system\n"); 2267 } 2268 #endif /* HAVE_FORK && HAVE_VFORK */ 2269 2270 static void 2271 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 2272 { 2273 struct dump_info *dump_info; 2274 2275 ++packets_captured; 2276 2277 ++infodelay; 2278 2279 dump_info = (struct dump_info *)user; 2280 2281 /* 2282 * XXX - this won't force the file to rotate on the specified time 2283 * boundary, but it will rotate on the first packet received after the 2284 * specified Gflag number of seconds. Note: if a Gflag time boundary 2285 * and a Cflag size boundary coincide, the time rotation will occur 2286 * first thereby cancelling the Cflag boundary (since the file should 2287 * be 0). 2288 */ 2289 if (Gflag != 0) { 2290 /* Check if it is time to rotate */ 2291 time_t t; 2292 2293 /* Get the current time */ 2294 if ((t = time(NULL)) == (time_t)-1) { 2295 error("dump_and_trunc_packet: can't get current_time: %s", 2296 pcap_strerror(errno)); 2297 } 2298 2299 2300 /* If the time is greater than the specified window, rotate */ 2301 if (t - Gflag_time >= Gflag) { 2302 #ifdef HAVE_CAPSICUM 2303 FILE *fp; 2304 int fd; 2305 #endif 2306 2307 /* Update the Gflag_time */ 2308 Gflag_time = t; 2309 /* Update Gflag_count */ 2310 Gflag_count++; 2311 /* 2312 * Close the current file and open a new one. 2313 */ 2314 pcap_dump_close(dump_info->p); 2315 2316 /* 2317 * Compress the file we just closed, if the user asked for it 2318 */ 2319 if (zflag != NULL) 2320 compress_savefile(dump_info->CurrentFileName); 2321 2322 /* 2323 * Check to see if we've exceeded the Wflag (when 2324 * not using Cflag). 2325 */ 2326 if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) { 2327 (void)fprintf(stderr, "Maximum file limit reached: %d\n", 2328 Wflag); 2329 info(1); 2330 exit_tcpdump(0); 2331 /* NOTREACHED */ 2332 } 2333 if (dump_info->CurrentFileName != NULL) 2334 free(dump_info->CurrentFileName); 2335 /* Allocate space for max filename + \0. */ 2336 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 2337 if (dump_info->CurrentFileName == NULL) 2338 error("dump_packet_and_trunc: malloc"); 2339 /* 2340 * Gflag was set otherwise we wouldn't be here. Reset the count 2341 * so multiple files would end with 1,2,3 in the filename. 2342 * The counting is handled with the -C flow after this. 2343 */ 2344 Cflag_count = 0; 2345 2346 /* 2347 * This is always the first file in the Cflag 2348 * rotation: e.g. 0 2349 * We also don't need numbering if Cflag is not set. 2350 */ 2351 if (Cflag != 0) 2352 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 2353 WflagChars); 2354 else 2355 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0); 2356 2357 #ifdef HAVE_LIBCAP_NG 2358 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2359 capng_apply(CAPNG_SELECT_BOTH); 2360 #endif /* HAVE_LIBCAP_NG */ 2361 #ifdef HAVE_CAPSICUM 2362 fd = openat(dump_info->dirfd, 2363 dump_info->CurrentFileName, 2364 O_CREAT | O_WRONLY | O_TRUNC, 0644); 2365 if (fd < 0) { 2366 error("unable to open file %s", 2367 dump_info->CurrentFileName); 2368 } 2369 fp = fdopen(fd, "w"); 2370 if (fp == NULL) { 2371 error("unable to fdopen file %s", 2372 dump_info->CurrentFileName); 2373 } 2374 dump_info->p = pcap_dump_fopen(dump_info->pd, fp); 2375 #else /* !HAVE_CAPSICUM */ 2376 dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 2377 #endif 2378 #ifdef HAVE_LIBCAP_NG 2379 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2380 capng_apply(CAPNG_SELECT_BOTH); 2381 #endif /* HAVE_LIBCAP_NG */ 2382 if (dump_info->p == NULL) 2383 error("%s", pcap_geterr(pd)); 2384 #ifdef HAVE_CAPSICUM 2385 set_dumper_capsicum_rights(dump_info->p); 2386 #endif 2387 } 2388 } 2389 2390 /* 2391 * XXX - this won't prevent capture files from getting 2392 * larger than Cflag - the last packet written to the 2393 * file could put it over Cflag. 2394 */ 2395 if (Cflag != 0) { 2396 long size = pcap_dump_ftell(dump_info->p); 2397 2398 if (size == -1) 2399 error("ftell fails on output file"); 2400 if (size > Cflag) { 2401 #ifdef HAVE_CAPSICUM 2402 FILE *fp; 2403 int fd; 2404 #endif 2405 2406 /* 2407 * Close the current file and open a new one. 2408 */ 2409 pcap_dump_close(dump_info->p); 2410 2411 /* 2412 * Compress the file we just closed, if the user 2413 * asked for it. 2414 */ 2415 if (zflag != NULL) 2416 compress_savefile(dump_info->CurrentFileName); 2417 2418 Cflag_count++; 2419 if (Wflag > 0) { 2420 if (Cflag_count >= Wflag) 2421 Cflag_count = 0; 2422 } 2423 if (dump_info->CurrentFileName != NULL) 2424 free(dump_info->CurrentFileName); 2425 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 2426 if (dump_info->CurrentFileName == NULL) 2427 error("dump_packet_and_trunc: malloc"); 2428 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars); 2429 #ifdef HAVE_LIBCAP_NG 2430 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2431 capng_apply(CAPNG_SELECT_BOTH); 2432 #endif /* HAVE_LIBCAP_NG */ 2433 #ifdef HAVE_CAPSICUM 2434 fd = openat(dump_info->dirfd, dump_info->CurrentFileName, 2435 O_CREAT | O_WRONLY | O_TRUNC, 0644); 2436 if (fd < 0) { 2437 error("unable to open file %s", 2438 dump_info->CurrentFileName); 2439 } 2440 fp = fdopen(fd, "w"); 2441 if (fp == NULL) { 2442 error("unable to fdopen file %s", 2443 dump_info->CurrentFileName); 2444 } 2445 dump_info->p = pcap_dump_fopen(dump_info->pd, fp); 2446 #else /* !HAVE_CAPSICUM */ 2447 dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 2448 #endif 2449 #ifdef HAVE_LIBCAP_NG 2450 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2451 capng_apply(CAPNG_SELECT_BOTH); 2452 #endif /* HAVE_LIBCAP_NG */ 2453 if (dump_info->p == NULL) 2454 error("%s", pcap_geterr(pd)); 2455 #ifdef HAVE_CAPSICUM 2456 set_dumper_capsicum_rights(dump_info->p); 2457 #endif 2458 } 2459 } 2460 2461 pcap_dump((u_char *)dump_info->p, h, sp); 2462 #ifdef HAVE_PCAP_DUMP_FLUSH 2463 if (Uflag) 2464 pcap_dump_flush(dump_info->p); 2465 #endif 2466 2467 --infodelay; 2468 if (infoprint) 2469 info(0); 2470 } 2471 2472 static void 2473 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 2474 { 2475 ++packets_captured; 2476 2477 ++infodelay; 2478 2479 pcap_dump(user, h, sp); 2480 #ifdef HAVE_PCAP_DUMP_FLUSH 2481 if (Uflag) 2482 pcap_dump_flush((pcap_dumper_t *)user); 2483 #endif 2484 2485 --infodelay; 2486 if (infoprint) 2487 info(0); 2488 } 2489 2490 static void 2491 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 2492 { 2493 ++packets_captured; 2494 2495 ++infodelay; 2496 2497 pretty_print_packet((netdissect_options *)user, h, sp, packets_captured); 2498 2499 --infodelay; 2500 if (infoprint) 2501 info(0); 2502 } 2503 2504 #ifdef _WIN32 2505 /* 2506 * XXX - there should really be libpcap calls to get the version 2507 * number as a string (the string would be generated from #defines 2508 * at run time, so that it's not generated from string constants 2509 * in the library, as, on many UNIX systems, those constants would 2510 * be statically linked into the application executable image, and 2511 * would thus reflect the version of libpcap on the system on 2512 * which the application was *linked*, not the system on which it's 2513 * *running*. 2514 * 2515 * That routine should be documented, unlike the "version[]" 2516 * string, so that UNIX vendors providing their own libpcaps 2517 * don't omit it (as a couple of vendors have...). 2518 * 2519 * Packet.dll should perhaps also export a routine to return the 2520 * version number of the Packet.dll code, to supply the 2521 * "Wpcap_version" information on Windows. 2522 */ 2523 char WDversion[]="current-git.tcpdump.org"; 2524 #if !defined(HAVE_GENERATED_VERSION) 2525 char version[]="current-git.tcpdump.org"; 2526 #endif 2527 char pcap_version[]="current-git.tcpdump.org"; 2528 char Wpcap_version[]="3.1"; 2529 #endif 2530 2531 #ifdef SIGNAL_REQ_INFO 2532 RETSIGTYPE requestinfo(int signo _U_) 2533 { 2534 if (infodelay) 2535 ++infoprint; 2536 else 2537 info(0); 2538 } 2539 #endif 2540 2541 /* 2542 * Called once each second in verbose mode while dumping to file 2543 */ 2544 #ifdef USE_WIN32_MM_TIMER 2545 void CALLBACK verbose_stats_dump (UINT timer_id _U_, UINT msg _U_, DWORD_PTR arg _U_, 2546 DWORD_PTR dw1 _U_, DWORD_PTR dw2 _U_) 2547 { 2548 if (infodelay == 0) 2549 fprintf(stderr, "Got %u\r", packets_captured); 2550 } 2551 #elif defined(HAVE_ALARM) 2552 static void verbose_stats_dump(int sig _U_) 2553 { 2554 if (infodelay == 0) 2555 fprintf(stderr, "Got %u\r", packets_captured); 2556 alarm(1); 2557 } 2558 #endif 2559 2560 USES_APPLE_DEPRECATED_API 2561 static void 2562 print_version(void) 2563 { 2564 extern char version[]; 2565 #ifndef HAVE_PCAP_LIB_VERSION 2566 #if defined(_WIN32) || defined(HAVE_PCAP_VERSION) 2567 extern char pcap_version[]; 2568 #else /* defined(_WIN32) || defined(HAVE_PCAP_VERSION) */ 2569 static char pcap_version[] = "unknown"; 2570 #endif /* defined(_WIN32) || defined(HAVE_PCAP_VERSION) */ 2571 #endif /* HAVE_PCAP_LIB_VERSION */ 2572 const char *smi_version_string; 2573 2574 #ifdef HAVE_PCAP_LIB_VERSION 2575 #ifdef _WIN32 2576 (void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version); 2577 #else /* _WIN32 */ 2578 (void)fprintf(stderr, "%s version %s\n", program_name, version); 2579 #endif /* _WIN32 */ 2580 (void)fprintf(stderr, "%s\n",pcap_lib_version()); 2581 #else /* HAVE_PCAP_LIB_VERSION */ 2582 #ifdef _WIN32 2583 (void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version); 2584 (void)fprintf(stderr, "WinPcap version %s, based on libpcap version %s\n",Wpcap_version, pcap_version); 2585 #else /* _WIN32 */ 2586 (void)fprintf(stderr, "%s version %s\n", program_name, version); 2587 (void)fprintf(stderr, "libpcap version %s\n", pcap_version); 2588 #endif /* _WIN32 */ 2589 #endif /* HAVE_PCAP_LIB_VERSION */ 2590 2591 #if defined(HAVE_LIBCRYPTO) && defined(SSLEAY_VERSION) 2592 (void)fprintf (stderr, "%s\n", SSLeay_version(SSLEAY_VERSION)); 2593 #endif 2594 2595 smi_version_string = nd_smi_version_string(); 2596 if (smi_version_string != NULL) 2597 (void)fprintf (stderr, "SMI-library: %s\n", smi_version_string); 2598 2599 #if defined(__SANITIZE_ADDRESS__) 2600 (void)fprintf (stderr, "Compiled with AddressSanitizer/GCC.\n"); 2601 #elif defined(__has_feature) 2602 # if __has_feature(address_sanitizer) 2603 (void)fprintf (stderr, "Compiled with AddressSanitizer/CLang.\n"); 2604 # endif 2605 #endif /* __SANITIZE_ADDRESS__ or __has_feature */ 2606 } 2607 USES_APPLE_RST 2608 2609 static void 2610 print_usage(void) 2611 { 2612 print_version(); 2613 (void)fprintf(stderr, 2614 "Usage: %s [-aAbd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqStu" U_FLAG "vxX#]" B_FLAG_USAGE " [ -c count ]\n", program_name); 2615 (void)fprintf(stderr, 2616 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n"); 2617 (void)fprintf(stderr, 2618 "\t\t[ -i interface ]" j_FLAG_USAGE " [ -M secret ] [ --number ]\n"); 2619 #ifdef HAVE_PCAP_SETDIRECTION 2620 (void)fprintf(stderr, 2621 "\t\t[ -Q in|out|inout ]\n"); 2622 #endif 2623 (void)fprintf(stderr, 2624 "\t\t[ -r file ] [ -s snaplen ] "); 2625 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 2626 (void)fprintf(stderr, "[ --time-stamp-precision precision ]\n"); 2627 (void)fprintf(stderr, 2628 "\t\t"); 2629 #endif 2630 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 2631 (void)fprintf(stderr, "[ --immediate-mode ] "); 2632 #endif 2633 (void)fprintf(stderr, "[ -T type ] [ --version ] [ -V file ]\n"); 2634 (void)fprintf(stderr, 2635 "\t\t[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]\n"); 2636 (void)fprintf(stderr, 2637 "\t\t[ -Z user ] [ expression ]\n"); 2638 } 2639 /* 2640 * Local Variables: 2641 * c-style: whitesmith 2642 * c-basic-offset: 8 2643 * End: 2644 */ 2645
