1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1998 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * $FreeBSD$ 22 */ 23 #ifndef lint 24 static const char rcsid[] _U_ = 25 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.86.2.12 2007/06/15 17:57:27 guy Exp $ (LBL)"; 26 #endif 27 28 #ifdef HAVE_CONFIG_H 29 #include "config.h" 30 #endif 31 32 #include <sys/param.h> /* optionally get BSD define */ 33 #include <sys/mman.h> 34 #include <sys/time.h> 35 #include <sys/timeb.h> 36 #include <sys/socket.h> 37 #include <sys/file.h> 38 #include <sys/ioctl.h> 39 #include <sys/utsname.h> 40 41 #include <net/if.h> 42 43 #ifdef _AIX 44 45 /* 46 * Make "pcap.h" not include "pcap-bpf.h"; we are going to include the 47 * native OS version, as we need "struct bpf_config" from it. 48 */ 49 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 50 51 #include <sys/types.h> 52 53 /* 54 * Prevent bpf.h from redefining the DLT_ values to their 55 * IFT_ values, as we're going to return the standard libpcap 56 * values, not IBM's non-standard IFT_ values. 57 */ 58 #undef _AIX 59 #include <net/bpf.h> 60 #define _AIX 61 62 #include <net/if_types.h> /* for IFT_ values */ 63 #include <sys/sysconfig.h> 64 #include <sys/device.h> 65 #include <sys/cfgodm.h> 66 #include <cf.h> 67 68 #ifdef __64BIT__ 69 #define domakedev makedev64 70 #define getmajor major64 71 #define bpf_hdr bpf_hdr32 72 #else /* __64BIT__ */ 73 #define domakedev makedev 74 #define getmajor major 75 #endif /* __64BIT__ */ 76 77 #define BPF_NAME "bpf" 78 #define BPF_MINORS 4 79 #define DRIVER_PATH "/usr/lib/drivers" 80 #define BPF_NODE "/dev/bpf" 81 static int bpfloadedflag = 0; 82 static int odmlockid = 0; 83 84 #else /* _AIX */ 85 86 #include <net/bpf.h> 87 88 #endif /* _AIX */ 89 90 #ifdef BIOCSETBUFMODE 91 #include <machine/atomic.h> 92 #endif 93 94 #include <ctype.h> 95 #include <errno.h> 96 #include <netdb.h> 97 #include <stdio.h> 98 #include <stdlib.h> 99 #include <string.h> 100 #include <unistd.h> 101 102 #include "pcap-int.h" 103 104 #ifdef HAVE_DAG_API 105 #include "pcap-dag.h" 106 #endif /* HAVE_DAG_API */ 107 108 #ifdef HAVE_OS_PROTO_H 109 #include "os-proto.h" 110 #endif 111 112 #include "gencode.h" /* for "no_optimize" */ 113 114 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp); 115 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t); 116 static int pcap_set_datalink_bpf(pcap_t *p, int dlt); 117 118 static int 119 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps) 120 { 121 struct bpf_stat s; 122 123 /* 124 * "ps_recv" counts packets handed to the filter, not packets 125 * that passed the filter. This includes packets later dropped 126 * because we ran out of buffer space. 127 * 128 * "ps_drop" counts packets dropped inside the BPF device 129 * because we ran out of buffer space. It doesn't count 130 * packets dropped by the interface driver. It counts 131 * only packets that passed the filter. 132 * 133 * Both statistics include packets not yet read from the kernel 134 * by libpcap, and thus not yet seen by the application. 135 */ 136 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) { 137 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s", 138 pcap_strerror(errno)); 139 return (-1); 140 } 141 142 ps->ps_recv = s.bs_recv; 143 ps->ps_drop = s.bs_drop; 144 return (0); 145 } 146 147 #ifdef BIOCGETBUFMODE 148 /* 149 * Zero-copy BPF buffer routines to check for and acknowledge BPF data in 150 * shared memory buffers. 151 * 152 * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer, 153 * and set up p->buffer and cc to reflect one if available. Notice that if 154 * there was no prior buffer, we select zbuf1 as this will be the first 155 * buffer filled for a fresh BPF session. 156 */ 157 static int 158 pcap_next_zbuf_shm(pcap_t *p, int *cc) 159 { 160 struct bpf_zbuf_header *bzh; 161 162 if (p->zbuffer == p->zbuf2 || p->zbuffer == NULL) { 163 bzh = (struct bpf_zbuf_header *)p->zbuf1; 164 if (bzh->bzh_user_gen != 165 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 166 p->bzh = bzh; 167 p->zbuffer = (u_char *)p->zbuf1; 168 p->buffer = p->zbuffer + sizeof(*bzh); 169 *cc = bzh->bzh_kernel_len; 170 return (1); 171 } 172 } else if (p->zbuffer == p->zbuf1) { 173 bzh = (struct bpf_zbuf_header *)p->zbuf2; 174 if (bzh->bzh_user_gen != 175 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 176 p->bzh = bzh; 177 p->zbuffer = (u_char *)p->zbuf2; 178 p->buffer = p->zbuffer + sizeof(*bzh); 179 *cc = bzh->bzh_kernel_len; 180 return (1); 181 } 182 } 183 *cc = 0; 184 return (0); 185 } 186 187 /* 188 * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using 189 * select() for data or a timeout, and possibly force rotation of the buffer 190 * in the event we time out or are in immediate mode. Invoke the shared 191 * memory check before doing system calls in order to avoid doing avoidable 192 * work. 193 */ 194 static int 195 pcap_next_zbuf(pcap_t *p, int *cc) 196 { 197 struct bpf_zbuf bz; 198 struct timeval tv; 199 struct timespec cur; 200 fd_set r_set; 201 int data, r; 202 int tmout, expire; 203 204 #define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000)) 205 /* 206 * Start out by seeing whether anything is waiting by checking the 207 * next shared memory buffer for data. 208 */ 209 data = pcap_next_zbuf_shm(p, cc); 210 if (data) 211 return (data); 212 /* 213 * If a previous sleep was interrupted due to signal delivery, make 214 * sure that the timeout gets adjusted accordingly. This requires 215 * that we analyze when the timeout should be been expired, and 216 * subtract the current time from that. If after this operation, 217 * our timeout is less then or equal to zero, handle it like a 218 * regular timeout. 219 */ 220 tmout = p->to_ms; 221 if (tmout) 222 (void) clock_gettime(CLOCK_MONOTONIC, &cur); 223 if (p->interrupted && p->to_ms) { 224 expire = TSTOMILLI(&p->firstsel) + p->to_ms; 225 tmout = expire - TSTOMILLI(&cur); 226 #undef TSTOMILLI 227 if (tmout <= 0) { 228 p->interrupted = 0; 229 data = pcap_next_zbuf_shm(p, cc); 230 if (data) 231 return (data); 232 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 233 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 234 "BIOCROTZBUF: %s", strerror(errno)); 235 return (-1); 236 } 237 return (pcap_next_zbuf_shm(p, cc)); 238 } 239 } 240 /* 241 * No data in the buffer, so must use select() to wait for data or 242 * the next timeout. 243 */ 244 FD_ZERO(&r_set); 245 FD_SET(p->fd, &r_set); 246 if (tmout != 0) { 247 tv.tv_sec = tmout / 1000; 248 tv.tv_usec = (tmout * 1000) % 1000000; 249 } 250 r = select(p->fd + 1, &r_set, NULL, NULL, p->to_ms != 0 ? &tv : 251 NULL); 252 if (r < 0 && errno == EINTR) { 253 if (!p->interrupted && p->to_ms) { 254 p->interrupted = 1; 255 p->firstsel = cur; 256 } 257 return (0); 258 } else if (r < 0) { 259 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 260 "select: %s", strerror(errno)); 261 return (-1); 262 } 263 p->interrupted = 0; 264 /* 265 * Check again for data, which may exist now that we've either been 266 * woken up as a result of data or timed out. Try the "there's data" 267 * case first since it doesn't require a system call. 268 */ 269 data = pcap_next_zbuf_shm(p, cc); 270 if (data) 271 return (data); 272 273 /* 274 * Try forcing a buffer rotation to dislodge timed out or immediate 275 * data. 276 */ 277 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 278 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 279 "BIOCROTZBUF: %s", strerror(errno)); 280 return (-1); 281 } 282 return (pcap_next_zbuf_shm(p, cc)); 283 } 284 285 /* 286 * Notify kernel that we are done with the buffer. We don't reset zbuffer so 287 * that we know which buffer to use next time around. 288 */ 289 static int 290 pcap_ack_zbuf(pcap_t *p) 291 { 292 293 atomic_store_rel_int(&p->bzh->bzh_user_gen, p->bzh->bzh_kernel_gen); 294 p->bzh = NULL; 295 p->buffer = NULL; 296 return (0); 297 } 298 #endif 299 300 static int 301 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 302 { 303 int cc; 304 int n = 0; 305 register u_char *bp, *ep; 306 u_char *datap; 307 struct bpf_insn *fcode; 308 #ifdef BIOCSETBUFMODE 309 int i; 310 #endif 311 #ifdef PCAP_FDDIPAD 312 register int pad; 313 #endif 314 315 fcode = p->md.use_bpf ? NULL : p->fcode.bf_insns; 316 again: 317 /* 318 * Has "pcap_breakloop()" been called? 319 */ 320 if (p->break_loop) { 321 /* 322 * Yes - clear the flag that indicates that it 323 * has, and return -2 to indicate that we were 324 * told to break out of the loop. 325 */ 326 p->break_loop = 0; 327 return (-2); 328 } 329 cc = p->cc; 330 if (p->cc == 0) { 331 /* 332 * When reading without zero-copy from a file descriptor, we 333 * use a single buffer and return a length of data in the 334 * buffer. With zero-copy, we update the p->buffer pointer 335 * to point at whatever underlying buffer contains the next 336 * data and update cc to reflect the data found in the 337 * buffer. 338 */ 339 #ifdef BIOCSETBUFMODE 340 if (p->zerocopy) { 341 if (p->buffer != NULL) 342 pcap_ack_zbuf(p); 343 i = pcap_next_zbuf(p, &cc); 344 if (i == 0) 345 goto again; 346 if (i < 0) 347 return (-1); 348 } else 349 #endif 350 cc = read(p->fd, (char *)p->buffer, p->bufsize); 351 352 if (cc < 0) { 353 /* Don't choke when we get ptraced */ 354 switch (errno) { 355 356 case EINTR: 357 goto again; 358 359 #ifdef _AIX 360 case EFAULT: 361 /* 362 * Sigh. More AIX wonderfulness. 363 * 364 * For some unknown reason the uiomove() 365 * operation in the bpf kernel extension 366 * used to copy the buffer into user 367 * space sometimes returns EFAULT. I have 368 * no idea why this is the case given that 369 * a kernel debugger shows the user buffer 370 * is correct. This problem appears to 371 * be mostly mitigated by the memset of 372 * the buffer before it is first used. 373 * Very strange.... Shaun Clowes 374 * 375 * In any case this means that we shouldn't 376 * treat EFAULT as a fatal error; as we 377 * don't have an API for returning 378 * a "some packets were dropped since 379 * the last packet you saw" indication, 380 * we just ignore EFAULT and keep reading. 381 */ 382 goto again; 383 #endif 384 385 case EWOULDBLOCK: 386 return (0); 387 #if defined(sun) && !defined(BSD) 388 /* 389 * Due to a SunOS bug, after 2^31 bytes, the kernel 390 * file offset overflows and read fails with EINVAL. 391 * The lseek() to 0 will fix things. 392 */ 393 case EINVAL: 394 if (lseek(p->fd, 0L, SEEK_CUR) + 395 p->bufsize < 0) { 396 (void)lseek(p->fd, 0L, SEEK_SET); 397 goto again; 398 } 399 /* fall through */ 400 #endif 401 } 402 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s", 403 pcap_strerror(errno)); 404 return (-1); 405 } 406 bp = p->buffer; 407 } else 408 bp = p->bp; 409 410 /* 411 * Loop through each packet. 412 */ 413 #define bhp ((struct bpf_hdr *)bp) 414 ep = bp + cc; 415 #ifdef PCAP_FDDIPAD 416 pad = p->fddipad; 417 #endif 418 while (bp < ep) { 419 register int caplen, hdrlen; 420 421 /* 422 * Has "pcap_breakloop()" been called? 423 * If so, return immediately - if we haven't read any 424 * packets, clear the flag and return -2 to indicate 425 * that we were told to break out of the loop, otherwise 426 * leave the flag set, so that the *next* call will break 427 * out of the loop without having read any packets, and 428 * return the number of packets we've processed so far. 429 */ 430 if (p->break_loop) { 431 if (n == 0) { 432 p->break_loop = 0; 433 return (-2); 434 } else { 435 p->bp = bp; 436 p->cc = ep - bp; 437 return (n); 438 } 439 } 440 441 caplen = bhp->bh_caplen; 442 hdrlen = bhp->bh_hdrlen; 443 datap = bp + hdrlen; 444 /* 445 * Short-circuit evaluation: if using BPF filter 446 * in kernel, no need to do it now. 447 * 448 #ifdef PCAP_FDDIPAD 449 * Note: the filter code was generated assuming 450 * that p->fddipad was the amount of padding 451 * before the header, as that's what's required 452 * in the kernel, so we run the filter before 453 * skipping that padding. 454 #endif 455 */ 456 if (fcode == NULL || 457 bpf_filter(fcode, datap, bhp->bh_datalen, caplen)) { 458 struct pcap_pkthdr pkthdr; 459 460 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec; 461 #ifdef _AIX 462 /* 463 * AIX's BPF returns seconds/nanoseconds time 464 * stamps, not seconds/microseconds time stamps. 465 */ 466 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000; 467 #else 468 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec; 469 #endif 470 #ifdef PCAP_FDDIPAD 471 if (caplen > pad) 472 pkthdr.caplen = caplen - pad; 473 else 474 pkthdr.caplen = 0; 475 if (bhp->bh_datalen > pad) 476 pkthdr.len = bhp->bh_datalen - pad; 477 else 478 pkthdr.len = 0; 479 datap += pad; 480 #else 481 pkthdr.caplen = caplen; 482 pkthdr.len = bhp->bh_datalen; 483 #endif 484 (*callback)(user, &pkthdr, datap); 485 bp += BPF_WORDALIGN(caplen + hdrlen); 486 if (++n >= cnt && cnt > 0) { 487 p->bp = bp; 488 p->cc = ep - bp; 489 return (n); 490 } 491 } else { 492 /* 493 * Skip this packet. 494 */ 495 bp += BPF_WORDALIGN(caplen + hdrlen); 496 } 497 } 498 #undef bhp 499 p->cc = 0; 500 return (n); 501 } 502 503 static int 504 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size) 505 { 506 int ret; 507 508 ret = write(p->fd, buf, size); 509 #ifdef __APPLE__ 510 if (ret == -1 && errno == EAFNOSUPPORT) { 511 /* 512 * In Mac OS X, there's a bug wherein setting the 513 * BIOCSHDRCMPLT flag causes writes to fail; see, 514 * for example: 515 * 516 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch 517 * 518 * So, if, on OS X, we get EAFNOSUPPORT from the write, we 519 * assume it's due to that bug, and turn off that flag 520 * and try again. If we succeed, it either means that 521 * somebody applied the fix from that URL, or other patches 522 * for that bug from 523 * 524 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/ 525 * 526 * and are running a Darwin kernel with those fixes, or 527 * that Apple fixed the problem in some OS X release. 528 */ 529 u_int spoof_eth_src = 0; 530 531 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 532 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 533 "send: can't turn off BIOCSHDRCMPLT: %s", 534 pcap_strerror(errno)); 535 return (-1); 536 } 537 538 /* 539 * Now try the write again. 540 */ 541 ret = write(p->fd, buf, size); 542 } 543 #endif /* __APPLE__ */ 544 if (ret == -1) { 545 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 546 pcap_strerror(errno)); 547 return (-1); 548 } 549 return (ret); 550 } 551 552 #ifdef _AIX 553 static int 554 bpf_odminit(char *errbuf) 555 { 556 char *errstr; 557 558 if (odm_initialize() == -1) { 559 if (odm_err_msg(odmerrno, &errstr) == -1) 560 errstr = "Unknown error"; 561 snprintf(errbuf, PCAP_ERRBUF_SIZE, 562 "bpf_load: odm_initialize failed: %s", 563 errstr); 564 return (-1); 565 } 566 567 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) { 568 if (odm_err_msg(odmerrno, &errstr) == -1) 569 errstr = "Unknown error"; 570 snprintf(errbuf, PCAP_ERRBUF_SIZE, 571 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s", 572 errstr); 573 return (-1); 574 } 575 576 return (0); 577 } 578 579 static int 580 bpf_odmcleanup(char *errbuf) 581 { 582 char *errstr; 583 584 if (odm_unlock(odmlockid) == -1) { 585 if (odm_err_msg(odmerrno, &errstr) == -1) 586 errstr = "Unknown error"; 587 snprintf(errbuf, PCAP_ERRBUF_SIZE, 588 "bpf_load: odm_unlock failed: %s", 589 errstr); 590 return (-1); 591 } 592 593 if (odm_terminate() == -1) { 594 if (odm_err_msg(odmerrno, &errstr) == -1) 595 errstr = "Unknown error"; 596 snprintf(errbuf, PCAP_ERRBUF_SIZE, 597 "bpf_load: odm_terminate failed: %s", 598 errstr); 599 return (-1); 600 } 601 602 return (0); 603 } 604 605 static int 606 bpf_load(char *errbuf) 607 { 608 long major; 609 int *minors; 610 int numminors, i, rc; 611 char buf[1024]; 612 struct stat sbuf; 613 struct bpf_config cfg_bpf; 614 struct cfg_load cfg_ld; 615 struct cfg_kmod cfg_km; 616 617 /* 618 * This is very very close to what happens in the real implementation 619 * but I've fixed some (unlikely) bug situations. 620 */ 621 if (bpfloadedflag) 622 return (0); 623 624 if (bpf_odminit(errbuf) != 0) 625 return (-1); 626 627 major = genmajor(BPF_NAME); 628 if (major == -1) { 629 snprintf(errbuf, PCAP_ERRBUF_SIZE, 630 "bpf_load: genmajor failed: %s", pcap_strerror(errno)); 631 return (-1); 632 } 633 634 minors = getminor(major, &numminors, BPF_NAME); 635 if (!minors) { 636 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1); 637 if (!minors) { 638 snprintf(errbuf, PCAP_ERRBUF_SIZE, 639 "bpf_load: genminor failed: %s", 640 pcap_strerror(errno)); 641 return (-1); 642 } 643 } 644 645 if (bpf_odmcleanup(errbuf)) 646 return (-1); 647 648 rc = stat(BPF_NODE "0", &sbuf); 649 if (rc == -1 && errno != ENOENT) { 650 snprintf(errbuf, PCAP_ERRBUF_SIZE, 651 "bpf_load: can't stat %s: %s", 652 BPF_NODE "0", pcap_strerror(errno)); 653 return (-1); 654 } 655 656 if (rc == -1 || getmajor(sbuf.st_rdev) != major) { 657 for (i = 0; i < BPF_MINORS; i++) { 658 sprintf(buf, "%s%d", BPF_NODE, i); 659 unlink(buf); 660 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) { 661 snprintf(errbuf, PCAP_ERRBUF_SIZE, 662 "bpf_load: can't mknod %s: %s", 663 buf, pcap_strerror(errno)); 664 return (-1); 665 } 666 } 667 } 668 669 /* Check if the driver is loaded */ 670 memset(&cfg_ld, 0x0, sizeof(cfg_ld)); 671 cfg_ld.path = buf; 672 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME); 673 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) || 674 (cfg_ld.kmid == 0)) { 675 /* Driver isn't loaded, load it now */ 676 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) { 677 snprintf(errbuf, PCAP_ERRBUF_SIZE, 678 "bpf_load: could not load driver: %s", 679 strerror(errno)); 680 return (-1); 681 } 682 } 683 684 /* Configure the driver */ 685 cfg_km.cmd = CFG_INIT; 686 cfg_km.kmid = cfg_ld.kmid; 687 cfg_km.mdilen = sizeof(cfg_bpf); 688 cfg_km.mdiptr = (void *)&cfg_bpf; 689 for (i = 0; i < BPF_MINORS; i++) { 690 cfg_bpf.devno = domakedev(major, i); 691 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) { 692 snprintf(errbuf, PCAP_ERRBUF_SIZE, 693 "bpf_load: could not configure driver: %s", 694 strerror(errno)); 695 return (-1); 696 } 697 } 698 699 bpfloadedflag = 1; 700 701 return (0); 702 } 703 #endif 704 705 static inline int 706 bpf_open(pcap_t *p, char *errbuf) 707 { 708 int fd; 709 #ifdef HAVE_CLONING_BPF 710 static const char device[] = "/dev/bpf"; 711 #else 712 int n = 0; 713 char device[sizeof "/dev/bpf0000000000"]; 714 #endif 715 716 #ifdef _AIX 717 /* 718 * Load the bpf driver, if it isn't already loaded, 719 * and create the BPF device entries, if they don't 720 * already exist. 721 */ 722 if (bpf_load(errbuf) == -1) 723 return (-1); 724 #endif 725 726 #ifdef HAVE_CLONING_BPF 727 if ((fd = open(device, O_RDWR)) == -1 && 728 (errno != EACCES || (fd = open(device, O_RDONLY)) == -1)) 729 snprintf(errbuf, PCAP_ERRBUF_SIZE, 730 "(cannot open device) %s: %s", device, pcap_strerror(errno)); 731 #else 732 /* 733 * Go through all the minors and find one that isn't in use. 734 */ 735 do { 736 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++); 737 /* 738 * Initially try a read/write open (to allow the inject 739 * method to work). If that fails due to permission 740 * issues, fall back to read-only. This allows a 741 * non-root user to be granted specific access to pcap 742 * capabilities via file permissions. 743 * 744 * XXX - we should have an API that has a flag that 745 * controls whether to open read-only or read-write, 746 * so that denial of permission to send (or inability 747 * to send, if sending packets isn't supported on 748 * the device in question) can be indicated at open 749 * time. 750 */ 751 fd = open(device, O_RDWR); 752 if (fd == -1 && errno == EACCES) 753 fd = open(device, O_RDONLY); 754 } while (fd < 0 && errno == EBUSY); 755 756 /* 757 * XXX better message for all minors used 758 */ 759 if (fd < 0) 760 snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s", 761 device, pcap_strerror(errno)); 762 #endif 763 764 return (fd); 765 } 766 767 /* 768 * We include the OS's <net/bpf.h>, not our "pcap-bpf.h", so we probably 769 * don't get DLT_DOCSIS defined. 770 */ 771 #ifndef DLT_DOCSIS 772 #define DLT_DOCSIS 143 773 #endif 774 775 pcap_t * 776 pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, 777 char *ebuf) 778 { 779 int fd; 780 struct ifreq ifr; 781 struct bpf_version bv; 782 #ifdef BIOCGDLTLIST 783 struct bpf_dltlist bdl; 784 #endif 785 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 786 u_int spoof_eth_src = 1; 787 #endif 788 u_int v; 789 pcap_t *p; 790 struct bpf_insn total_insn; 791 struct bpf_program total_prog; 792 struct utsname osinfo; 793 #ifdef BIOCSETBUFMODE 794 struct bpf_zbuf bz; 795 u_int bufmode, zbufmax; 796 #endif 797 798 #ifdef HAVE_DAG_API 799 if (strstr(device, "dag")) { 800 return dag_open_live(device, snaplen, promisc, to_ms, ebuf); 801 } 802 #endif /* HAVE_DAG_API */ 803 804 #ifdef BIOCGDLTLIST 805 memset(&bdl, 0, sizeof(bdl)); 806 #endif 807 808 p = (pcap_t *)malloc(sizeof(*p)); 809 if (p == NULL) { 810 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 811 pcap_strerror(errno)); 812 return (NULL); 813 } 814 memset(p, 0, sizeof(*p)); 815 fd = bpf_open(p, ebuf); 816 if (fd < 0) 817 goto bad; 818 819 p->fd = fd; 820 p->snapshot = snaplen; 821 822 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 823 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s", 824 pcap_strerror(errno)); 825 goto bad; 826 } 827 if (bv.bv_major != BPF_MAJOR_VERSION || 828 bv.bv_minor < BPF_MINOR_VERSION) { 829 snprintf(ebuf, PCAP_ERRBUF_SIZE, 830 "kernel bpf filter out of date"); 831 goto bad; 832 } 833 834 #ifdef BIOCSETBUFMODE 835 /* 836 * If the BPF extension to set buffer mode is present, try setting 837 * the mode to zero-copy. If that fails, use regular buffering. If 838 * it succeeds but other setup fails, return an error to the user. 839 */ 840 bufmode = BPF_BUFMODE_ZBUF; 841 if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) { 842 p->zerocopy = 1; 843 844 /* 845 * How to pick a buffer size: first, query the maximum buffer 846 * size supported by zero-copy. This also lets us quickly 847 * determine whether the kernel generally supports zero-copy. 848 * Then, query the default buffer size, which reflects kernel 849 * policy for a desired default. Round to the nearest page 850 * size. 851 */ 852 if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) { 853 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGETZMAX: %s", 854 pcap_strerror(errno)); 855 goto bad; 856 } 857 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768) 858 v = 32768; 859 #ifndef roundup 860 #define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */ 861 #endif 862 p->zbufsize = roundup(v, getpagesize()); 863 if (p->zbufsize > zbufmax) 864 p->zbufsize = zbufmax; 865 p->zbuf1 = mmap(NULL, p->zbufsize, PROT_READ | PROT_WRITE, 866 MAP_ANON, -1, 0); 867 p->zbuf2 = mmap(NULL, p->zbufsize, PROT_READ | PROT_WRITE, 868 MAP_ANON, -1, 0); 869 if (p->zbuf1 == MAP_FAILED || p->zbuf2 == MAP_FAILED) { 870 snprintf(ebuf, PCAP_ERRBUF_SIZE, "mmap: %s", 871 pcap_strerror(errno)); 872 goto bad; 873 } 874 bzero(&bz, sizeof(bz)); 875 bz.bz_bufa = p->zbuf1; 876 bz.bz_bufb = p->zbuf2; 877 bz.bz_buflen = p->zbufsize; 878 if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) { 879 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETZBUF: %s", 880 pcap_strerror(errno)); 881 goto bad; 882 } 883 (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 884 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 885 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 886 device, pcap_strerror(errno)); 887 goto bad; 888 } 889 v = p->zbufsize - sizeof(struct bpf_zbuf_header); 890 } else { 891 #endif 892 893 /* 894 * Try finding a good size for the buffer; 32768 may be too 895 * big, so keep cutting it in half until we find a size 896 * that works, or run out of sizes to try. If the default 897 * is larger, don't make it smaller. 898 * 899 * XXX - there should be a user-accessible hook to set the 900 * initial buffer size. 901 */ 902 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768) 903 v = 32768; 904 for ( ; v != 0; v >>= 1) { 905 /* Ignore the return value - this is because the call 906 * fails on BPF systems that don't have kernel 907 * malloc. And if the call fails, it's no big deal, 908 * we just continue to use the standard buffer size. 909 */ 910 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); 911 912 (void)strncpy(ifr.ifr_name, device, 913 sizeof(ifr.ifr_name)); 914 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0) 915 break; /* that size worked; we're done */ 916 917 if (errno != ENOBUFS) { 918 snprintf(ebuf, PCAP_ERRBUF_SIZE, 919 "BIOCSETIF: %s: %s", 920 device, pcap_strerror(errno)); 921 goto bad; 922 } 923 } 924 925 if (v == 0) { 926 snprintf(ebuf, PCAP_ERRBUF_SIZE, 927 "BIOCSBLEN: %s: No buffer size worked", device); 928 goto bad; 929 } 930 #ifdef BIOCSETBUFMODE 931 } 932 #endif 933 934 /* Get the data link layer type. */ 935 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) { 936 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s", 937 pcap_strerror(errno)); 938 goto bad; 939 } 940 #ifdef _AIX 941 /* 942 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT. 943 */ 944 switch (v) { 945 946 case IFT_ETHER: 947 case IFT_ISO88023: 948 v = DLT_EN10MB; 949 break; 950 951 case IFT_FDDI: 952 v = DLT_FDDI; 953 break; 954 955 case IFT_ISO88025: 956 v = DLT_IEEE802; 957 break; 958 959 case IFT_LOOP: 960 v = DLT_NULL; 961 break; 962 963 default: 964 /* 965 * We don't know what to map this to yet. 966 */ 967 snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %u", 968 v); 969 goto bad; 970 } 971 #endif 972 #if _BSDI_VERSION - 0 >= 199510 973 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */ 974 switch (v) { 975 976 case DLT_SLIP: 977 v = DLT_SLIP_BSDOS; 978 break; 979 980 case DLT_PPP: 981 v = DLT_PPP_BSDOS; 982 break; 983 984 case 11: /*DLT_FR*/ 985 v = DLT_FRELAY; 986 break; 987 988 case 12: /*DLT_C_HDLC*/ 989 v = DLT_CHDLC; 990 break; 991 } 992 #endif 993 #ifdef PCAP_FDDIPAD 994 if (v == DLT_FDDI) 995 p->fddipad = PCAP_FDDIPAD; 996 else 997 p->fddipad = 0; 998 #endif 999 p->linktype = v; 1000 1001 #ifdef BIOCGDLTLIST 1002 /* 1003 * We know the default link type -- now determine all the DLTs 1004 * this interface supports. If this fails with EINVAL, it's 1005 * not fatal; we just don't get to use the feature later. 1006 */ 1007 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) == 0) { 1008 u_int i; 1009 int is_ethernet; 1010 1011 bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * (bdl.bfl_len + 1)); 1012 if (bdl.bfl_list == NULL) { 1013 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 1014 pcap_strerror(errno)); 1015 goto bad; 1016 } 1017 1018 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) < 0) { 1019 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 1020 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 1021 free(bdl.bfl_list); 1022 goto bad; 1023 } 1024 1025 /* 1026 * OK, for real Ethernet devices, add DLT_DOCSIS to the 1027 * list, so that an application can let you choose it, 1028 * in case you're capturing DOCSIS traffic that a Cisco 1029 * Cable Modem Termination System is putting out onto 1030 * an Ethernet (it doesn't put an Ethernet header onto 1031 * the wire, it puts raw DOCSIS frames out on the wire 1032 * inside the low-level Ethernet framing). 1033 * 1034 * A "real Ethernet device" is defined here as a device 1035 * that has a link-layer type of DLT_EN10MB and that has 1036 * no alternate link-layer types; that's done to exclude 1037 * 802.11 interfaces (which might or might not be the 1038 * right thing to do, but I suspect it is - Ethernet <-> 1039 * 802.11 bridges would probably badly mishandle frames 1040 * that don't have Ethernet headers). 1041 */ 1042 if (p->linktype == DLT_EN10MB) { 1043 is_ethernet = 1; 1044 for (i = 0; i < bdl.bfl_len; i++) { 1045 if (bdl.bfl_list[i] != DLT_EN10MB) { 1046 is_ethernet = 0; 1047 break; 1048 } 1049 } 1050 if (is_ethernet) { 1051 /* 1052 * We reserved one more slot at the end of 1053 * the list. 1054 */ 1055 bdl.bfl_list[bdl.bfl_len] = DLT_DOCSIS; 1056 bdl.bfl_len++; 1057 } 1058 } 1059 p->dlt_count = bdl.bfl_len; 1060 p->dlt_list = bdl.bfl_list; 1061 } else { 1062 if (errno != EINVAL) { 1063 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 1064 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 1065 goto bad; 1066 } 1067 } 1068 #endif 1069 1070 /* 1071 * If this is an Ethernet device, and we don't have a DLT_ list, 1072 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give 1073 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to 1074 * do, but there's not much we can do about that without finding 1075 * some other way of determining whether it's an Ethernet or 802.11 1076 * device.) 1077 */ 1078 if (p->linktype == DLT_EN10MB && p->dlt_count == 0) { 1079 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1080 /* 1081 * If that fails, just leave the list empty. 1082 */ 1083 if (p->dlt_list != NULL) { 1084 p->dlt_list[0] = DLT_EN10MB; 1085 p->dlt_list[1] = DLT_DOCSIS; 1086 p->dlt_count = 2; 1087 } 1088 } 1089 1090 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 1091 /* 1092 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so 1093 * the link-layer source address isn't forcibly overwritten. 1094 * (Should we ignore errors? Should we do this only if 1095 * we're open for writing?) 1096 * 1097 * XXX - I seem to remember some packet-sending bug in some 1098 * BSDs - check CVS log for "bpf.c"? 1099 */ 1100 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 1101 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 1102 "BIOCSHDRCMPLT: %s", pcap_strerror(errno)); 1103 goto bad; 1104 } 1105 #endif 1106 /* set timeout */ 1107 p->to_ms = to_ms; 1108 if (to_ms != 0 && !p->zerocopy) { 1109 /* 1110 * XXX - is this seconds/nanoseconds in AIX? 1111 * (Treating it as such doesn't fix the timeout 1112 * problem described below.) 1113 */ 1114 struct timeval to; 1115 to.tv_sec = to_ms / 1000; 1116 to.tv_usec = (to_ms * 1000) % 1000000; 1117 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) { 1118 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s", 1119 pcap_strerror(errno)); 1120 goto bad; 1121 } 1122 } 1123 #ifdef BIOCSETBUFMODE 1124 p->timeout = to_ms; 1125 #endif 1126 1127 #ifdef _AIX 1128 #ifdef BIOCIMMEDIATE 1129 /* 1130 * Darren Reed notes that 1131 * 1132 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the 1133 * timeout appears to be ignored and it waits until the buffer 1134 * is filled before returning. The result of not having it 1135 * set is almost worse than useless if your BPF filter 1136 * is reducing things to only a few packets (i.e. one every 1137 * second or so). 1138 * 1139 * so we turn BIOCIMMEDIATE mode on if this is AIX. 1140 * 1141 * We don't turn it on for other platforms, as that means we 1142 * get woken up for every packet, which may not be what we want; 1143 * in the Winter 1993 USENIX paper on BPF, they say: 1144 * 1145 * Since a process might want to look at every packet on a 1146 * network and the time between packets can be only a few 1147 * microseconds, it is not possible to do a read system call 1148 * per packet and BPF must collect the data from several 1149 * packets and return it as a unit when the monitoring 1150 * application does a read. 1151 * 1152 * which I infer is the reason for the timeout - it means we 1153 * wait that amount of time, in the hopes that more packets 1154 * will arrive and we'll get them all with one read. 1155 * 1156 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other 1157 * BSDs) causes the timeout to be ignored. 1158 * 1159 * On the other hand, some platforms (e.g., Linux) don't support 1160 * timeouts, they just hand stuff to you as soon as it arrives; 1161 * if that doesn't cause a problem on those platforms, it may 1162 * be OK to have BIOCIMMEDIATE mode on BSD as well. 1163 * 1164 * (Note, though, that applications may depend on the read 1165 * completing, even if no packets have arrived, when the timeout 1166 * expires, e.g. GUI applications that have to check for input 1167 * while waiting for packets to arrive; a non-zero timeout 1168 * prevents "select()" from working right on FreeBSD and 1169 * possibly other BSDs, as the timer doesn't start until a 1170 * "read()" is done, so the timer isn't in effect if the 1171 * application is blocked on a "select()", and the "select()" 1172 * doesn't get woken up for a BPF device until the buffer 1173 * fills up.) 1174 */ 1175 v = 1; 1176 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) { 1177 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s", 1178 pcap_strerror(errno)); 1179 goto bad; 1180 } 1181 #endif /* BIOCIMMEDIATE */ 1182 #endif /* _AIX */ 1183 1184 if (promisc) { 1185 /* set promiscuous mode, okay if it fails */ 1186 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) { 1187 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s", 1188 pcap_strerror(errno)); 1189 } 1190 } 1191 1192 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) { 1193 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s", 1194 pcap_strerror(errno)); 1195 goto bad; 1196 } 1197 p->bufsize = v; 1198 #ifdef BIOCSETBUFMODE 1199 if (!p->zerocopy) { 1200 #endif 1201 p->buffer = (u_char *)malloc(p->bufsize); 1202 if (p->buffer == NULL) { 1203 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 1204 pcap_strerror(errno)); 1205 goto bad; 1206 } 1207 #ifdef _AIX 1208 /* For some strange reason this seems to prevent the EFAULT 1209 * problems we have experienced from AIX BPF. */ 1210 memset(p->buffer, 0x0, p->bufsize); 1211 #endif 1212 #ifdef BIOCSETBUFMODE 1213 } 1214 #endif 1215 1216 /* 1217 * If there's no filter program installed, there's 1218 * no indication to the kernel of what the snapshot 1219 * length should be, so no snapshotting is done. 1220 * 1221 * Therefore, when we open the device, we install 1222 * an "accept everything" filter with the specified 1223 * snapshot length. 1224 */ 1225 total_insn.code = (u_short)(BPF_RET | BPF_K); 1226 total_insn.jt = 0; 1227 total_insn.jf = 0; 1228 total_insn.k = snaplen; 1229 1230 total_prog.bf_len = 1; 1231 total_prog.bf_insns = &total_insn; 1232 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) { 1233 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 1234 pcap_strerror(errno)); 1235 goto bad; 1236 } 1237 1238 /* 1239 * On most BPF platforms, either you can do a "select()" or 1240 * "poll()" on a BPF file descriptor and it works correctly, 1241 * or you can do it and it will return "readable" if the 1242 * hold buffer is full but not if the timeout expires *and* 1243 * a non-blocking read will, if the hold buffer is empty 1244 * but the store buffer isn't empty, rotate the buffers 1245 * and return what packets are available. 1246 * 1247 * In the latter case, the fact that a non-blocking read 1248 * will give you the available packets means you can work 1249 * around the failure of "select()" and "poll()" to wake up 1250 * and return "readable" when the timeout expires by using 1251 * the timeout as the "select()" or "poll()" timeout, putting 1252 * the BPF descriptor into non-blocking mode, and read from 1253 * it regardless of whether "select()" reports it as readable 1254 * or not. 1255 * 1256 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()" 1257 * won't wake up and return "readable" if the timer expires 1258 * and non-blocking reads return EWOULDBLOCK if the hold 1259 * buffer is empty, even if the store buffer is non-empty. 1260 * 1261 * This means the workaround in question won't work. 1262 * 1263 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd" 1264 * to -1, which means "sorry, you can't use 'select()' or 'poll()' 1265 * here". On all other BPF platforms, we set it to the FD for 1266 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking 1267 * read will, if the hold buffer is empty and the store buffer 1268 * isn't empty, rotate the buffers and return what packets are 1269 * there (and in sufficiently recent versions of OpenBSD 1270 * "select()" and "poll()" should work correctly). 1271 * 1272 * XXX - what about AIX? 1273 */ 1274 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */ 1275 if (uname(&osinfo) == 0) { 1276 /* 1277 * We can check what OS this is. 1278 */ 1279 if (strcmp(osinfo.sysname, "FreeBSD") == 0) { 1280 if (strncmp(osinfo.release, "4.3-", 4) == 0 || 1281 strncmp(osinfo.release, "4.4-", 4) == 0) 1282 p->selectable_fd = -1; 1283 } 1284 } 1285 1286 p->read_op = pcap_read_bpf; 1287 p->inject_op = pcap_inject_bpf; 1288 p->setfilter_op = pcap_setfilter_bpf; 1289 p->setdirection_op = pcap_setdirection_bpf; 1290 p->set_datalink_op = pcap_set_datalink_bpf; 1291 p->getnonblock_op = pcap_getnonblock_fd; 1292 p->setnonblock_op = pcap_setnonblock_fd; 1293 p->stats_op = pcap_stats_bpf; 1294 p->close_op = pcap_close_common; 1295 1296 return (p); 1297 bad: 1298 1299 (void)close(fd); 1300 #ifdef BIOCSETBUFMODE 1301 /* 1302 * In zero-copy mode, p->buffer is just a pointer into one of the two 1303 * memory-mapped buffers, so no need to free it. 1304 */ 1305 if (p->zerocopy) { 1306 if (p->zbuf1 != MAP_FAILED && p->zbuf1 != NULL) 1307 munmap(p->zbuf1, p->zbufsize); 1308 if (p->zbuf2 != MAP_FAILED && p->zbuf2 != NULL) 1309 munmap(p->zbuf2, p->zbufsize); 1310 } else 1311 #endif 1312 if (p->buffer != NULL) 1313 free(p->buffer); 1314 if (p->dlt_list != NULL) 1315 free(p->dlt_list); 1316 free(p); 1317 return (NULL); 1318 } 1319 1320 int 1321 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 1322 { 1323 #ifdef HAVE_DAG_API 1324 if (dag_platform_finddevs(alldevsp, errbuf) < 0) 1325 return (-1); 1326 #endif /* HAVE_DAG_API */ 1327 1328 return (0); 1329 } 1330 1331 static int 1332 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp) 1333 { 1334 /* 1335 * It looks that BPF code generated by gen_protochain() is not 1336 * compatible with some of kernel BPF code (for example BSD/OS 3.1). 1337 * Take a safer side for now. 1338 */ 1339 if (no_optimize) { 1340 /* 1341 * XXX - what if we already have a filter in the kernel? 1342 */ 1343 if (install_bpf_program(p, fp) < 0) 1344 return (-1); 1345 p->md.use_bpf = 0; /* filtering in userland */ 1346 return (0); 1347 } 1348 1349 /* 1350 * Free any user-mode filter we might happen to have installed. 1351 */ 1352 pcap_freecode(&p->fcode); 1353 1354 /* 1355 * Try to install the kernel filter. 1356 */ 1357 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) { 1358 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 1359 pcap_strerror(errno)); 1360 return (-1); 1361 } 1362 p->md.use_bpf = 1; /* filtering in the kernel */ 1363 1364 /* 1365 * Discard any previously-received packets, as they might have 1366 * passed whatever filter was formerly in effect, but might 1367 * not pass this filter (BIOCSETF discards packets buffered 1368 * in the kernel, so you can lose packets in any case). 1369 */ 1370 p->cc = 0; 1371 return (0); 1372 } 1373 1374 /* 1375 * Set direction flag: Which packets do we accept on a forwarding 1376 * single device? IN, OUT or both? 1377 */ 1378 static int 1379 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d) 1380 { 1381 #if defined(BIOCSDIRECTION) 1382 u_int direction; 1383 1384 direction = (d == PCAP_D_IN) ? BPF_D_IN : 1385 ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT); 1386 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) { 1387 (void) snprintf(p->errbuf, sizeof(p->errbuf), 1388 "Cannot set direction to %s: %s", 1389 (d == PCAP_D_IN) ? "PCAP_D_IN" : 1390 ((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"), 1391 strerror(errno)); 1392 return (-1); 1393 } 1394 return (0); 1395 #elif defined(BIOCSSEESENT) 1396 u_int seesent; 1397 1398 /* 1399 * We don't support PCAP_D_OUT. 1400 */ 1401 if (d == PCAP_D_OUT) { 1402 snprintf(p->errbuf, sizeof(p->errbuf), 1403 "Setting direction to PCAP_D_OUT is not supported on BPF"); 1404 return -1; 1405 } 1406 1407 seesent = (d == PCAP_D_INOUT); 1408 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) { 1409 (void) snprintf(p->errbuf, sizeof(p->errbuf), 1410 "Cannot set direction to %s: %s", 1411 (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN", 1412 strerror(errno)); 1413 return (-1); 1414 } 1415 return (0); 1416 #else 1417 (void) snprintf(p->errbuf, sizeof(p->errbuf), 1418 "This system doesn't support BIOCSSEESENT, so the direction can't be set"); 1419 return (-1); 1420 #endif 1421 } 1422 1423 static int 1424 pcap_set_datalink_bpf(pcap_t *p, int dlt) 1425 { 1426 #ifdef BIOCSDLT 1427 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) { 1428 (void) snprintf(p->errbuf, sizeof(p->errbuf), 1429 "Cannot set DLT %d: %s", dlt, strerror(errno)); 1430 return (-1); 1431 } 1432 #endif 1433 return (0); 1434 } 1435