1 /* 2 * pcap-linux.c: Packet capture interface to the Linux kernel 3 * 4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org> 5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de> 6 * 7 * License: BSD 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 3. The names of the authors may not be used to endorse or promote 20 * products derived from this software without specific prior 21 * written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 26 */ 27 #ifndef lint 28 static const char rcsid[] = 29 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.51.2.3 2001/01/18 03:59:56 guy Exp $ (LBL)"; 30 #endif 31 32 /* 33 * Known problems with 2.0[.x] kernels: 34 * 35 * - The loopback device gives every packet twice; on 2.2[.x] kernels, 36 * if we use PF_PACKET, we can filter out the transmitted version 37 * of the packet by using data in the "sockaddr_ll" returned by 38 * "recvfrom()", but, on 2.0[.x] kernels, we have to use 39 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 40 * "sockaddr_pkt" which doesn't give us enough information to let 41 * us do that. 42 * 43 * - We have to set the interface's IFF_PROMISC flag ourselves, if 44 * we're to run in promiscuous mode, which means we have to turn 45 * it off ourselves when we're done; the kernel doesn't keep track 46 * of how many sockets are listening promiscuously, which means 47 * it won't get turned off automatically when no sockets are 48 * listening promiscuously. We catch "pcap_close()" and, for 49 * interfaces we put into promiscuous mode, take them out of 50 * promiscuous mode - which isn't necessarily the right thing to 51 * do, if another socket also requested promiscuous mode between 52 * the time when we opened the socket and the time when we close 53 * the socket. 54 */ 55 56 57 #ifdef HAVE_CONFIG_H 58 #include "config.h" 59 #endif 60 61 #include "pcap-int.h" 62 #include "sll.h" 63 64 #include <errno.h> 65 #include <stdlib.h> 66 #include <unistd.h> 67 #include <fcntl.h> 68 #include <string.h> 69 #include <sys/socket.h> 70 #include <sys/ioctl.h> 71 #include <sys/utsname.h> 72 #include <net/if.h> 73 #include <netinet/in.h> 74 #include <linux/if_ether.h> 75 #include <net/if_arp.h> 76 77 #ifdef HAVE_NETPACKET_PACKET_H 78 # include <netpacket/packet.h> 79 80 /* 81 * We assume this means we really do have PF_PACKET sockets. 82 */ 83 # define HAVE_PF_PACKET_SOCKETS 84 #else 85 /* 86 * Oh, joy. Some Linux distributions have 2.2 or later kernels and 87 * libc5. On at least one of those systems (Slackware 4.0), it 88 * appears that "/usr/include/sys/socket.h" includes <linux/socket.h>, 89 * which means it picks up all the AF_, PF_, and SO_ definitions 90 * appropriate for the current kernel; however, it also appears that 91 * they did not see fit to provide a "/usr/include/netpacket/packet.h" 92 * file. 93 * 94 * However, you should be able to get the right definitions by including 95 * <linux/if_packet.h>. 96 * 97 * So if this system has PF_PACKET defined but doesn't have the 98 * <netpacket/packet.h> header file, we include <linux/if_packet.h> 99 * instead. 100 */ 101 # ifdef PF_PACKET 102 # include <linux/if_packet.h> 103 104 /* 105 * However, on at least some Linux distributions (for example, Red Hat 106 * 5.2), there's no <netpacket/packet.h> file, but PF_PACKET is defined 107 * if you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 108 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 109 * the PACKET_xxx stuff. 110 * 111 * So we check whether PACKET_HOST is defined, and assume that we have 112 * PF_PACKET sockets only if it is defined. 113 */ 114 # ifdef PACKET_HOST 115 # define HAVE_PF_PACKET_SOCKETS 116 # endif /* PACKET_HOST */ 117 # endif /* PF_PACKET */ 118 #endif /* HAVE_NETPACKET_PACKET_H */ 119 120 #ifdef SO_ATTACH_FILTER 121 #include <linux/types.h> 122 #include <linux/filter.h> 123 #endif 124 125 #ifndef __GLIBC__ 126 typedef int socklen_t; 127 #endif 128 129 #ifndef MSG_TRUNC 130 #define MSG_TRUNC 0 131 #endif 132 133 #define MAX_LINKHEADER_SIZE 256 134 135 /* 136 * When capturing on all interfaces we use this as the buffer size. 137 * Should be bigger then all MTUs that occur in real life. 138 * 64kB should be enough for now. 139 */ 140 #define BIGGER_THAN_ALL_MTUS (64*1024) 141 142 /* 143 * Prototypes for internal functions 144 */ 145 static int map_arphrd_to_dlt(int arptype ); 146 static int live_open_old(pcap_t *, char *, int, int, char *); 147 static int live_open_new(pcap_t *, char *, int, int, char *); 148 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 149 150 /* 151 * Wrap some ioctl calls 152 */ 153 #ifdef HAVE_PF_PACKET_SOCKETS 154 static int iface_get_id(int fd, const char *device, char *ebuf); 155 #endif 156 static int iface_get_mtu(int fd, const char *device, char *ebuf); 157 static int iface_get_arptype(int fd, const char *device, char *ebuf); 158 #ifdef HAVE_PF_PACKET_SOCKETS 159 static int iface_bind(int fd, int ifindex, char *ebuf); 160 #endif 161 static int iface_bind_old(int fd, const char *device, char *ebuf); 162 163 #ifdef SO_ATTACH_FILTER 164 static int fix_program(pcap_t *handle, struct sock_fprog *fcode); 165 static int fix_offset(struct bpf_insn *p); 166 #endif 167 168 /* 169 * Get a handle for a live capture from the given device. You can 170 * pass NULL as device to get all packages (without link level 171 * information of course). If you pass 1 as promisc the interface 172 * will be set to promiscous mode (XXX: I think this usage should 173 * be deprecated and functions be added to select that later allow 174 * modification of that values -- Torsten). 175 * 176 * See also pcap(3). 177 */ 178 pcap_t * 179 pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf) 180 { 181 /* Allocate a handle for this session. */ 182 183 pcap_t *handle = malloc(sizeof(*handle)); 184 if (handle == NULL) { 185 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 186 pcap_strerror(errno)); 187 return NULL; 188 } 189 190 /* Initialize some components of the pcap structure. */ 191 192 memset(handle, 0, sizeof(*handle)); 193 handle->snapshot = snaplen; 194 handle->md.timeout = to_ms; 195 196 /* 197 * NULL and "any" are special devices which give us the hint to 198 * monitor all devices. 199 */ 200 if (!device || strcmp(device, "any") == 0) { 201 device = NULL; 202 handle->md.device = strdup("any"); 203 } else 204 handle->md.device = strdup(device); 205 206 if (handle->md.device == NULL) { 207 snprintf(ebuf, PCAP_ERRBUF_SIZE, "strdup: %s", 208 pcap_strerror(errno) ); 209 free(handle); 210 return NULL; 211 } 212 213 /* 214 * Current Linux kernels use the protocol family PF_PACKET to 215 * allow direct access to all packets on the network while 216 * older kernels had a special socket type SOCK_PACKET to 217 * implement this feature. 218 * While this old implementation is kind of obsolete we need 219 * to be compatible with older kernels for a while so we are 220 * trying both methods with the newer method preferred. 221 */ 222 223 if (! (live_open_new(handle, device, promisc, to_ms, ebuf) || 224 live_open_old(handle, device, promisc, to_ms, ebuf)) ) 225 { 226 /* 227 * Both methods to open the packet socket failed. Tidy 228 * up and report our failure (ebuf is expected to be 229 * set by the functions above). 230 */ 231 232 free(handle->md.device); 233 free(handle); 234 return NULL; 235 } 236 237 return handle; 238 } 239 240 /* 241 * Read at most max_packets from the capture stream and call the callback 242 * for each of them. Returns the number of packets handled or -1 if an 243 * error occured. 244 */ 245 int 246 pcap_read(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 247 { 248 /* 249 * Currently, on Linux only one packet is delivered per read, 250 * so we don't loop. 251 */ 252 return pcap_read_packet(handle, callback, user); 253 } 254 255 /* 256 * Read a packet from the socket calling the handler provided by 257 * the user. Returns the number of packets received or -1 if an 258 * error occured. 259 */ 260 static int 261 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 262 { 263 int offset; 264 #ifdef HAVE_PF_PACKET_SOCKETS 265 struct sockaddr_ll from; 266 struct sll_header *hdrp; 267 #else 268 struct sockaddr from; 269 #endif 270 socklen_t fromlen; 271 int packet_len, caplen; 272 struct pcap_pkthdr pcap_header; 273 274 #ifdef HAVE_PF_PACKET_SOCKETS 275 /* 276 * If this is a cooked device, leave extra room for a 277 * fake packet header. 278 */ 279 if (handle->md.cooked) 280 offset = SLL_HDR_LEN; 281 else 282 offset = 0; 283 #else 284 /* 285 * This system doesn't have PF_PACKET sockets, so it doesn't 286 * support cooked devices. 287 */ 288 offset = 0; 289 #endif 290 291 /* Receive a single packet from the kernel */ 292 293 do { 294 fromlen = sizeof(from); 295 packet_len = recvfrom( 296 handle->fd, handle->buffer + offset + handle->offset, 297 handle->md.readlen - offset, MSG_TRUNC, 298 (struct sockaddr *) &from, &fromlen); 299 } while (packet_len == -1 && errno == EINTR); 300 301 /* Check if an error occured */ 302 303 if (packet_len == -1) { 304 if (errno == EAGAIN) 305 return 0; /* no packet there */ 306 else { 307 snprintf(handle->errbuf, sizeof(handle->errbuf), 308 "recvfrom: %s", pcap_strerror(errno)); 309 return -1; 310 } 311 } 312 313 #ifdef HAVE_PF_PACKET_SOCKETS 314 /* 315 * If this is from the loopback device, reject outgoing packets; 316 * we'll see the packet as an incoming packet as well, and 317 * we don't want to see it twice. 318 * 319 * We can only do this if we're using PF_PACKET; the address 320 * returned for SOCK_PACKET is a "sockaddr_pkt" which lacks 321 * the relevant packet type information. 322 */ 323 if (!handle->md.sock_packet && 324 from.sll_ifindex == handle->md.lo_ifindex && 325 from.sll_pkttype == PACKET_OUTGOING) 326 return 0; 327 #endif 328 329 #ifdef HAVE_PF_PACKET_SOCKETS 330 /* 331 * If this is a cooked device, fill in the fake packet header. 332 */ 333 if (handle->md.cooked) { 334 /* 335 * Add the length of the fake header to the length 336 * of packet data we read. 337 */ 338 packet_len += SLL_HDR_LEN; 339 340 hdrp = (struct sll_header *)handle->buffer; 341 342 /* 343 * Map the PACKET_ value to a LINUX_SLL_ value; we 344 * want the same numerical value to be used in 345 * the link-layer header even if the numerical values 346 * for the PACKET_ #defines change, so that programs 347 * that look at the packet type field will always be 348 * able to handle DLT_LINUX_SLL captures. 349 */ 350 switch (from.sll_pkttype) { 351 352 case PACKET_HOST: 353 hdrp->sll_pkttype = htons(LINUX_SLL_HOST); 354 break; 355 356 case PACKET_BROADCAST: 357 hdrp->sll_pkttype = htons(LINUX_SLL_BROADCAST); 358 break; 359 360 case PACKET_MULTICAST: 361 hdrp->sll_pkttype = htons(LINUX_SLL_MULTICAST); 362 break; 363 364 case PACKET_OTHERHOST: 365 hdrp->sll_pkttype = htons(LINUX_SLL_OTHERHOST); 366 break; 367 368 case PACKET_OUTGOING: 369 hdrp->sll_pkttype = htons(LINUX_SLL_OUTGOING); 370 break; 371 372 default: 373 hdrp->sll_pkttype = -1; 374 break; 375 } 376 377 hdrp->sll_hatype = htons(from.sll_hatype); 378 hdrp->sll_halen = htons(from.sll_halen); 379 memcpy(hdrp->sll_addr, from.sll_addr, 380 (from.sll_halen > SLL_ADDRLEN) ? 381 SLL_ADDRLEN : 382 from.sll_halen); 383 hdrp->sll_protocol = from.sll_protocol; 384 } 385 #endif 386 387 /* 388 * XXX: According to the kernel source we should get the real 389 * packet len if calling recvfrom with MSG_TRUNC set. It does 390 * not seem to work here :(, but it is supported by this code 391 * anyway. 392 * To be honest the code RELIES on that feature so this is really 393 * broken with 2.2.x kernels. 394 * I spend a day to figure out what's going on and I found out 395 * that the following is happening: 396 * 397 * The packet comes from a random interface and the packet_rcv 398 * hook is called with a clone of the packet. That code inserts 399 * the packet into the receive queue of the packet socket. 400 * If a filter is attached to that socket that filter is run 401 * first - and there lies the problem. The default filter always 402 * cuts the packet at the snaplen: 403 * 404 * # tcpdump -d 405 * (000) ret #68 406 * 407 * So the packet filter cuts down the packet. The recvfrom call 408 * says "hey, it's only 68 bytes, it fits into the buffer" with 409 * the result that we don't get the real packet length. This 410 * is valid at least until kernel 2.2.17pre6. 411 * 412 * We currently handle this by making a copy of the filter 413 * program, fixing all "ret" instructions with non-zero 414 * operands to have an operand of 65535 so that the filter 415 * doesn't truncate the packet, and supplying that modified 416 * filter to the kernel. 417 */ 418 419 caplen = packet_len; 420 if (caplen > handle->snapshot) 421 caplen = handle->snapshot; 422 423 /* Run the packet filter if not using kernel filter */ 424 if (!handle->md.use_bpf && handle->fcode.bf_insns) { 425 if (bpf_filter(handle->fcode.bf_insns, handle->buffer, 426 packet_len, caplen) == 0) 427 { 428 /* rejected by filter */ 429 return 0; 430 } 431 } 432 433 /* Fill in our own header data */ 434 435 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 436 snprintf(handle->errbuf, sizeof(handle->errbuf), 437 "ioctl: %s", pcap_strerror(errno)); 438 return -1; 439 } 440 pcap_header.caplen = caplen; 441 pcap_header.len = packet_len; 442 443 /* Call the user supplied callback function */ 444 handle->md.stat.ps_recv++; 445 callback(userdata, &pcap_header, handle->buffer + handle->offset); 446 447 return 1; 448 } 449 450 /* 451 * Get the statistics for the given packet capture handle. 452 * FIXME: Currently does not report the number of dropped packets. 453 */ 454 int 455 pcap_stats(pcap_t *handle, struct pcap_stat *stats) 456 { 457 *stats = handle->md.stat; 458 return 0; 459 } 460 461 /* 462 * Attach the given BPF code to the packet capture device. 463 */ 464 int 465 pcap_setfilter(pcap_t *handle, struct bpf_program *filter) 466 { 467 #ifdef SO_ATTACH_FILTER 468 struct sock_fprog fcode; 469 int can_filter_in_kernel; 470 #endif 471 472 if (!handle) 473 return -1; 474 if (!filter) { 475 strncpy(handle->errbuf, "setfilter: No filter specified", 476 sizeof(handle->errbuf)); 477 return -1; 478 } 479 480 /* Make our private copy of the filter */ 481 482 if (install_bpf_program(handle, filter) < 0) { 483 snprintf(handle->errbuf, sizeof(handle->errbuf), 484 "malloc: %s", pcap_strerror(errno)); 485 return -1; 486 } 487 488 /* 489 * Run user level packet filter by default. Will be overriden if 490 * installing a kernel filter succeeds. 491 */ 492 handle->md.use_bpf = 0; 493 494 /* 495 * If we're reading from a savefile, don't try to install 496 * a kernel filter. 497 */ 498 if (handle->sf.rfile != NULL) 499 return 0; 500 501 /* Install kernel level filter if possible */ 502 503 #ifdef SO_ATTACH_FILTER 504 #ifdef USHRT_MAX 505 if (handle->fcode.bf_len > USHRT_MAX) { 506 /* 507 * fcode.len is an unsigned short for current kernel. 508 * I have yet to see BPF-Code with that much 509 * instructions but still it is possible. So for the 510 * sake of correctness I added this check. 511 */ 512 fprintf(stderr, "Warning: Filter too complex for kernel\n"); 513 fcode.filter = NULL; 514 can_filter_in_kernel = 0; 515 } else 516 #endif /* USHRT_MAX */ 517 { 518 /* 519 * Oh joy, the Linux kernel uses struct sock_fprog instead 520 * of struct bpf_program and of course the length field is 521 * of different size. Pointed out by Sebastian 522 * 523 * Oh, and we also need to fix it up so that all "ret" 524 * instructions with non-zero operands have 65535 as the 525 * operand, and so that, if we're in cooked mode, all 526 * memory-reference instructions use special magic offsets 527 * in references to the link-layer header and assume that 528 * the link-layer payload begins at 0; "fix_program()" 529 * will do that. 530 */ 531 switch (fix_program(handle, &fcode)) { 532 533 case -1: 534 default: 535 /* 536 * Fatal error; just quit. 537 * (The "default" case shouldn't happen; we 538 * return -1 for that reason.) 539 */ 540 return -1; 541 542 case 0: 543 /* 544 * The program performed checks that we can't make 545 * work in the kernel. 546 */ 547 can_filter_in_kernel = 0; 548 break; 549 550 case 1: 551 /* 552 * We have a filter that'll work in the kernel. 553 */ 554 can_filter_in_kernel = 1; 555 break; 556 } 557 } 558 559 if (can_filter_in_kernel) { 560 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 561 &fcode, sizeof(fcode)) == 0) 562 { 563 /* Installation succeded - using kernel filter. */ 564 handle->md.use_bpf = 1; 565 } 566 else 567 { 568 /* 569 * Print a warning if we weren't able to install 570 * the filter for a reason other than "this kernel 571 * isn't configured to support socket filters. 572 */ 573 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 574 fprintf(stderr, 575 "Warning: Kernel filter failed: %s\n", 576 pcap_strerror(errno)); 577 } 578 } 579 } 580 581 /* 582 * Free up the copy of the filter that was made by "fix_program()". 583 */ 584 if (fcode.filter != NULL) 585 free(fcode.filter); 586 #endif /* SO_ATTACH_FILTER */ 587 588 return 0; 589 } 590 591 /* 592 * Linux uses the ARP hardware type to identify the type of an 593 * interface. pcap uses the DLT_xxx constants for this. This 594 * function maps the ARPHRD_xxx constant to an appropriate 595 * DLT_xxx constant. 596 * 597 * Returns -1 if unable to map the type; we print a message and, 598 * if we're using PF_PACKET/SOCK_RAW rather than PF_INET/SOCK_PACKET, 599 * we fall back on using PF_PACKET/SOCK_DGRAM. 600 */ 601 static int map_arphrd_to_dlt(int arptype) 602 { 603 switch (arptype) { 604 case ARPHRD_ETHER: 605 case ARPHRD_METRICOM: 606 case ARPHRD_LOOPBACK: return DLT_EN10MB; 607 case ARPHRD_EETHER: return DLT_EN3MB; 608 case ARPHRD_AX25: return DLT_AX25; 609 case ARPHRD_PRONET: return DLT_PRONET; 610 case ARPHRD_CHAOS: return DLT_CHAOS; 611 #ifndef ARPHRD_IEEE802_TR 612 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 613 #endif 614 case ARPHRD_IEEE802_TR: 615 case ARPHRD_IEEE802: return DLT_IEEE802; 616 case ARPHRD_ARCNET: return DLT_ARCNET; 617 case ARPHRD_FDDI: return DLT_FDDI; 618 619 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 620 #define ARPHRD_ATM 19 621 #endif 622 case ARPHRD_ATM: return DLT_ATM_CLIP; 623 624 case ARPHRD_PPP: 625 /* Not sure if this is correct for all tunnels, but it 626 * works for CIPE */ 627 case ARPHRD_TUNNEL: 628 #ifndef ARPHRD_SIT 629 #define ARPHRD_SIT 776 /* From Linux 2.2.14 */ 630 #endif 631 case ARPHRD_SIT: 632 case ARPHRD_CSLIP: 633 case ARPHRD_SLIP6: 634 case ARPHRD_CSLIP6: 635 case ARPHRD_SLIP: return DLT_RAW; 636 } 637 638 return -1; 639 } 640 641 /* ===== Functions to interface to the newer kernels ================== */ 642 643 /* 644 * Try to open a packet socket using the new kernel interface. 645 * Returns 0 on failure. 646 * FIXME: 0 uses to mean success (Sebastian) 647 */ 648 static int 649 live_open_new(pcap_t *handle, char *device, int promisc, 650 int to_ms, char *ebuf) 651 { 652 #ifdef HAVE_PF_PACKET_SOCKETS 653 int sock_fd = -1, device_id, mtu, arptype; 654 struct packet_mreq mr; 655 656 /* One shot loop used for error handling - bail out with break */ 657 658 do { 659 /* 660 * Open a socket with protocol family packet. If a device is 661 * given we try to open it in raw mode otherwise we use 662 * the cooked interface. 663 */ 664 sock_fd = device ? 665 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) 666 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); 667 668 if (sock_fd == -1) { 669 snprintf(ebuf, PCAP_ERRBUF_SIZE, "socket: %s", 670 pcap_strerror(errno) ); 671 break; 672 } 673 674 /* It seems the kernel supports the new interface. */ 675 handle->md.sock_packet = 0; 676 677 /* 678 * Get the interface index of the loopback device. 679 * If the attempt fails, don't fail, just set the 680 * "md.lo_ifindex" to -1. 681 * 682 * XXX - can there be more than one device that loops 683 * packets back, i.e. devices other than "lo"? If so, 684 * we'd need to find them all, and have an array of 685 * indices for them, and check all of them in 686 * "pcap_read_packet()". 687 */ 688 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", ebuf); 689 690 /* 691 * What kind of frames do we have to deal with? Fall back 692 * to cooked mode if we have an unknown interface type. 693 */ 694 695 if (device) { 696 /* Assume for now we don't need cooked mode. */ 697 handle->md.cooked = 0; 698 699 arptype = iface_get_arptype(sock_fd, device, ebuf); 700 if (arptype == -1) 701 break; 702 handle->linktype = map_arphrd_to_dlt(arptype); 703 if (handle->linktype == -1 || 704 (handle->linktype == DLT_EN10MB && 705 (strncmp("isdn", device, 4) == 0 || 706 strncmp("isdY", device, 4) == 0)) || 707 (handle->linktype == DLT_RAW && 708 (strncmp("ippp", device, 4) == 0))) { 709 /* 710 * Unknown interface type (-1), or an ISDN 711 * device (whose link-layer type we 712 * can only determine by using APIs 713 * that may be different on different 714 * kernels) - reopen in cooked mode. 715 * 716 * XXX - do that with DLT_RAW as well? 717 */ 718 if (close(sock_fd) == -1) { 719 snprintf(ebuf, PCAP_ERRBUF_SIZE, 720 "close: %s", pcap_strerror(errno)); 721 break; 722 } 723 sock_fd = socket(PF_PACKET, SOCK_DGRAM, 724 htons(ETH_P_ALL)); 725 if (sock_fd == -1) { 726 snprintf(ebuf, PCAP_ERRBUF_SIZE, 727 "socket: %s", pcap_strerror(errno)); 728 break; 729 } 730 handle->md.cooked = 1; 731 732 if (handle->linktype == -1) { 733 /* 734 * Warn that we're falling back on 735 * cooked mode; we may want to 736 * update "map_arphrd_to_dlt()" 737 * to handle the new type. 738 */ 739 fprintf(stderr, 740 "Warning: arptype %d not " 741 "supported by libpcap - " 742 "falling back to cooked " 743 "socket\n", 744 arptype); 745 } 746 handle->linktype = DLT_LINUX_SLL; 747 } 748 749 device_id = iface_get_id(sock_fd, device, ebuf); 750 if (device_id == -1) 751 break; 752 753 if (iface_bind(sock_fd, device_id, ebuf) == -1) 754 break; 755 } else { 756 /* 757 * This is cooked mode. 758 */ 759 handle->md.cooked = 1; 760 handle->linktype = DLT_LINUX_SLL; 761 762 /* 763 * XXX - squelch GCC complaints about 764 * uninitialized variables; if we can't 765 * select promiscuous mode on all interfaces, 766 * we should move the code below into the 767 * "if (device)" branch of the "if" and 768 * get rid of the next statement. 769 */ 770 device_id = -1; 771 } 772 773 /* Select promiscuous mode on/off */ 774 775 #ifdef SOL_PACKET 776 /* 777 * Hmm, how can we set promiscuous mode on all interfaces? 778 * I am not sure if that is possible at all. 779 */ 780 781 if (device) { 782 memset(&mr, 0, sizeof(mr)); 783 mr.mr_ifindex = device_id; 784 mr.mr_type = promisc ? 785 PACKET_MR_PROMISC : PACKET_MR_ALLMULTI; 786 if (setsockopt(sock_fd, SOL_PACKET, 787 PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) == -1) 788 { 789 snprintf(ebuf, PCAP_ERRBUF_SIZE, 790 "setsockopt: %s", pcap_strerror(errno)); 791 break; 792 } 793 } 794 #endif 795 796 /* Compute the buffersize */ 797 798 mtu = iface_get_mtu(sock_fd, device, ebuf); 799 if (mtu == -1) 800 break; 801 handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 802 803 /* Fill in the pcap structure */ 804 805 handle->fd = sock_fd; 806 handle->offset = 0; 807 808 handle->buffer = malloc(handle->bufsize); 809 if (!handle->buffer) { 810 snprintf(ebuf, PCAP_ERRBUF_SIZE, 811 "malloc: %s", pcap_strerror(errno)); 812 break; 813 } 814 815 /* 816 * This is a 2.2 or later kernel, as it has PF_PACKET; 817 * "recvfrom()", when passed the MSG_TRUNC flag, will 818 * return the actual length of the packet, not the 819 * number of bytes from the packet copied to userland, 820 * so we can safely pass it a byte count based on the 821 * snapshot length. 822 */ 823 handle->md.readlen = handle->snapshot; 824 return 1; 825 826 } while(0); 827 828 if (sock_fd != -1) 829 close(sock_fd); 830 return 0; 831 #else 832 strncpy(ebuf, 833 "New packet capturing interface not supported by build " 834 "environment", PCAP_ERRBUF_SIZE); 835 return 0; 836 #endif 837 } 838 839 #ifdef HAVE_PF_PACKET_SOCKETS 840 /* 841 * Return the index of the given device name. Fill ebuf and return 842 * -1 on failure. 843 */ 844 static int 845 iface_get_id(int fd, const char *device, char *ebuf) 846 { 847 struct ifreq ifr; 848 849 memset(&ifr, 0, sizeof(ifr)); 850 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 851 852 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 853 snprintf(ebuf, PCAP_ERRBUF_SIZE, 854 "ioctl: %s", pcap_strerror(errno)); 855 return -1; 856 } 857 858 return ifr.ifr_ifindex; 859 } 860 861 /* 862 * Bind the socket associated with FD to the given device. 863 */ 864 static int 865 iface_bind(int fd, int ifindex, char *ebuf) 866 { 867 struct sockaddr_ll sll; 868 869 memset(&sll, 0, sizeof(sll)); 870 sll.sll_family = AF_PACKET; 871 sll.sll_ifindex = ifindex; 872 sll.sll_protocol = htons(ETH_P_ALL); 873 874 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 875 snprintf(ebuf, PCAP_ERRBUF_SIZE, 876 "bind: %s", pcap_strerror(errno)); 877 return -1; 878 } 879 880 return 0; 881 } 882 883 #endif 884 885 886 /* ===== Functions to interface to the older kernels ================== */ 887 888 /* 889 * With older kernels promiscuous mode is kind of interesting because we 890 * have to reset the interface before exiting. The problem can't really 891 * be solved without some daemon taking care of managing usage counts. 892 * If we put the interface into promiscuous mode, we set a flag indicating 893 * that we must take it out of that mode when the interface is closed, 894 * and, when closing the interface, if that flag is set we take it out 895 * of promiscuous mode. 896 */ 897 898 /* 899 * List of pcaps for which we turned promiscuous mode on by hand. 900 * If there are any such pcaps, we arrange to call "pcap_close_all()" 901 * when we exit, and have it close all of them to turn promiscuous mode 902 * off. 903 */ 904 static struct pcap *pcaps_to_close; 905 906 /* 907 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to 908 * be called on exit. 909 */ 910 static int did_atexit; 911 912 static void pcap_close_all(void) 913 { 914 struct pcap *handle; 915 916 while ((handle = pcaps_to_close) != NULL) 917 pcap_close(handle); 918 } 919 920 void pcap_close_linux( pcap_t *handle ) 921 { 922 struct pcap *p, *prevp; 923 struct ifreq ifr; 924 925 if (handle->md.clear_promisc) { 926 /* 927 * We put the interface into promiscuous mode; take 928 * it out of promiscuous mode. 929 * 930 * XXX - if somebody else wants it in promiscuous mode, 931 * this code cannot know that, so it'll take it out 932 * of promiscuous mode. That's not fixable in 2.0[.x] 933 * kernels. 934 */ 935 memset(&ifr, 0, sizeof(ifr)); 936 strncpy(ifr.ifr_name, handle->md.device, sizeof(ifr.ifr_name)); 937 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 938 fprintf(stderr, 939 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" 940 "Please adjust manually.\n" 941 "Hint: This can't happen with Linux >= 2.2.0.\n", 942 strerror(errno)); 943 } else { 944 if (ifr.ifr_flags & IFF_PROMISC) { 945 /* 946 * Promiscuous mode is currently on; turn it 947 * off. 948 */ 949 ifr.ifr_flags &= ~IFF_PROMISC; 950 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 951 fprintf(stderr, 952 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" 953 "Please adjust manually.\n" 954 "Hint: This can't happen with Linux >= 2.2.0.\n", 955 strerror(errno)); 956 } 957 } 958 } 959 960 /* 961 * Take this pcap out of the list of pcaps for which we 962 * have to take the interface out of promiscuous mode. 963 */ 964 for (p = pcaps_to_close, prevp = NULL; p != NULL; 965 prevp = p, p = p->md.next) { 966 if (p == handle) { 967 /* 968 * Found it. Remove it from the list. 969 */ 970 if (prevp == NULL) { 971 /* 972 * It was at the head of the list. 973 */ 974 pcaps_to_close = p->md.next; 975 } else { 976 /* 977 * It was in the middle of the list. 978 */ 979 prevp->md.next = p->md.next; 980 } 981 break; 982 } 983 } 984 } 985 if (handle->md.device != NULL) 986 free(handle->md.device); 987 } 988 989 /* 990 * Try to open a packet socket using the old kernel interface. 991 * Returns 0 on failure. 992 * FIXME: 0 uses to mean success (Sebastian) 993 */ 994 static int 995 live_open_old(pcap_t *handle, char *device, int promisc, 996 int to_ms, char *ebuf) 997 { 998 int sock_fd = -1, mtu, arptype; 999 struct utsname utsname; 1000 struct ifreq ifr; 1001 1002 do { 1003 /* Open the socket */ 1004 1005 sock_fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 1006 if (sock_fd == -1) { 1007 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1008 "socket: %s", pcap_strerror(errno)); 1009 break; 1010 } 1011 1012 /* It worked - we are using the old interface */ 1013 handle->md.sock_packet = 1; 1014 1015 /* ...which means we get the link-layer header. */ 1016 handle->md.cooked = 0; 1017 1018 /* Bind to the given device */ 1019 1020 if (!device) { 1021 strncpy(ebuf, "pcap_open_live: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 1022 PCAP_ERRBUF_SIZE); 1023 break; 1024 } 1025 if (iface_bind_old(sock_fd, device, ebuf) == -1) 1026 break; 1027 1028 /* Go to promisc mode */ 1029 if (promisc) { 1030 memset(&ifr, 0, sizeof(ifr)); 1031 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 1032 if (ioctl(sock_fd, SIOCGIFFLAGS, &ifr) == -1) { 1033 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1034 "ioctl: %s", pcap_strerror(errno)); 1035 break; 1036 } 1037 if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 1038 /* 1039 * Promiscuous mode isn't currently on, 1040 * so turn it on, and remember that 1041 * we should turn it off when the 1042 * pcap_t is closed. 1043 */ 1044 1045 /* 1046 * If we haven't already done so, arrange 1047 * to have "pcap_close_all()" called when 1048 * we exit. 1049 */ 1050 if (!did_atexit) { 1051 if (atexit(pcap_close_all) == -1) { 1052 /* 1053 * "atexit()" failed; don't 1054 * put the interface in 1055 * promiscuous mode, just 1056 * give up. 1057 */ 1058 strncpy(ebuf, "atexit failed", 1059 PCAP_ERRBUF_SIZE); 1060 break; 1061 } 1062 } 1063 1064 ifr.ifr_flags |= IFF_PROMISC; 1065 if (ioctl(sock_fd, SIOCSIFFLAGS, &ifr) == -1) { 1066 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1067 "ioctl: %s", 1068 pcap_strerror(errno)); 1069 break; 1070 } 1071 handle->md.clear_promisc = 1; 1072 1073 /* 1074 * Add this to the list of pcaps 1075 * to close when we exit. 1076 */ 1077 handle->md.next = pcaps_to_close; 1078 pcaps_to_close = handle; 1079 } 1080 } 1081 1082 /* Compute the buffersize */ 1083 1084 mtu = iface_get_mtu(sock_fd, device, ebuf); 1085 if (mtu == -1) 1086 break; 1087 handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 1088 if (handle->bufsize < handle->snapshot) 1089 handle->bufsize = handle->snapshot; 1090 1091 /* All done - fill in the pcap handle */ 1092 1093 arptype = iface_get_arptype(sock_fd, device, ebuf); 1094 if (arptype == -1) 1095 break; 1096 1097 handle->fd = sock_fd; 1098 handle->offset = 0; 1099 handle->linktype = map_arphrd_to_dlt(arptype); 1100 /* 1101 * XXX - handle ISDN types here? We can't fall back on 1102 * cooked sockets, so we'd have to figure out from the 1103 * device name what type of link-layer encapsulation 1104 * it's using, and map that to an appropriate DLT_ 1105 * value, meaning we'd map "isdnN" devices to DLT_RAW 1106 * (they supply raw IP packets with no link-layer 1107 * header) and "isdY" devices to a new DLT_I4L_IP 1108 * type that has only an Ethernet packet type as 1109 * a link-layer header. 1110 */ 1111 if (handle->linktype == -1) { 1112 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1113 "interface type of %s not supported", device); 1114 break; 1115 } 1116 handle->buffer = malloc(handle->bufsize); 1117 if (!handle->buffer) { 1118 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1119 "malloc: %s", pcap_strerror(errno)); 1120 break; 1121 } 1122 1123 /* 1124 * This might be a 2.0[.x] kernel - check. 1125 */ 1126 if (uname(&utsname) < 0 || 1127 strncmp(utsname.release, "2.0", 3) == 0) { 1128 /* 1129 * Either we couldn't find out what kernel release 1130 * this is, or it's a 2.0[.x] kernel. 1131 * 1132 * In the 2.0[.x] kernel, a "recvfrom()" on 1133 * a SOCK_PACKET socket, with MSG_TRUNC set, will 1134 * return the number of bytes read, so if we pass 1135 * a length based on the snapshot length, it'll 1136 * return the number of bytes from the packet 1137 * copied to userland, not the actual length 1138 * of the packet. 1139 * 1140 * This means that, for example, the IP dissector 1141 * in tcpdump will get handed a packet length less 1142 * than the length in the IP header, and will 1143 * complain about "truncated-ip". 1144 * 1145 * So we don't bother trying to copy from the 1146 * kernel only the bytes in which we're interested, 1147 * but instead copy them all, just as the older 1148 * versions of libpcap for Linux did. 1149 * 1150 * Just one of many problems with packet capture 1151 * on 2.0[.x] kernels; you really want a 2.2[.x] 1152 * or later kernel if you want packet capture to 1153 * work well. 1154 */ 1155 handle->md.readlen = handle->bufsize; 1156 } else { 1157 /* 1158 * This is a 2.2[.x] or later kernel (although 1159 * why we're using SOCK_PACKET on such a system 1160 * is unknown to me). 1161 * 1162 * We can safely pass "recvfrom()" a byte count 1163 * based on the snapshot length. 1164 */ 1165 handle->md.readlen = handle->snapshot; 1166 } 1167 return 1; 1168 1169 } while (0); 1170 1171 if (sock_fd != -1) 1172 close(sock_fd); 1173 return 0; 1174 } 1175 1176 /* 1177 * Bind the socket associated with FD to the given device using the 1178 * interface of the old kernels. 1179 */ 1180 static int 1181 iface_bind_old(int fd, const char *device, char *ebuf) 1182 { 1183 struct sockaddr saddr; 1184 1185 memset(&saddr, 0, sizeof(saddr)); 1186 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 1187 if (bind(fd, &saddr, sizeof(saddr)) == -1) { 1188 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1189 "bind: %s", pcap_strerror(errno)); 1190 return -1; 1191 } 1192 1193 return 0; 1194 } 1195 1196 1197 /* ===== System calls available on all supported kernels ============== */ 1198 1199 /* 1200 * Query the kernel for the MTU of the given interface. 1201 */ 1202 static int 1203 iface_get_mtu(int fd, const char *device, char *ebuf) 1204 { 1205 struct ifreq ifr; 1206 1207 if (!device) 1208 return BIGGER_THAN_ALL_MTUS; 1209 1210 memset(&ifr, 0, sizeof(ifr)); 1211 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 1212 1213 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 1214 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1215 "ioctl: %s", pcap_strerror(errno)); 1216 return -1; 1217 } 1218 1219 return ifr.ifr_mtu; 1220 } 1221 1222 /* 1223 * Get the hardware type of the given interface as ARPHRD_xxx constant. 1224 */ 1225 static int 1226 iface_get_arptype(int fd, const char *device, char *ebuf) 1227 { 1228 struct ifreq ifr; 1229 1230 memset(&ifr, 0, sizeof(ifr)); 1231 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 1232 1233 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 1234 snprintf(ebuf, PCAP_ERRBUF_SIZE, 1235 "ioctl: %s", pcap_strerror(errno)); 1236 return -1; 1237 } 1238 1239 return ifr.ifr_hwaddr.sa_family; 1240 } 1241 1242 #ifdef HAVE_PF_PACKET_SOCKETS 1243 static int 1244 fix_program(pcap_t *handle, struct sock_fprog *fcode) 1245 { 1246 size_t prog_size; 1247 register int i; 1248 register struct bpf_insn *p; 1249 struct bpf_insn *f; 1250 int len; 1251 1252 /* 1253 * Make a copy of the filter, and modify that copy if 1254 * necessary. 1255 */ 1256 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 1257 len = handle->fcode.bf_len; 1258 f = (struct bpf_insn *)malloc(prog_size); 1259 if (f == NULL) { 1260 snprintf(handle->errbuf, sizeof(handle->errbuf), 1261 "malloc: %s", pcap_strerror(errno)); 1262 return -1; 1263 } 1264 memcpy(f, handle->fcode.bf_insns, prog_size); 1265 fcode->len = len; 1266 fcode->filter = (struct sock_filter *) f; 1267 1268 for (i = 0; i < len; ++i) { 1269 p = &f[i]; 1270 /* 1271 * What type of instruction is this? 1272 */ 1273 switch (BPF_CLASS(p->code)) { 1274 1275 case BPF_RET: 1276 /* 1277 * It's a return instruction; is the snapshot 1278 * length a constant, rather than the contents 1279 * of the accumulator? 1280 */ 1281 if (BPF_MODE(p->code) == BPF_K) { 1282 /* 1283 * Yes - if the value to be returned, 1284 * i.e. the snapshot length, is anything 1285 * other than 0, make it 65535, so that 1286 * the packet is truncated by "recvfrom()", 1287 * not by the filter. 1288 * 1289 * XXX - there's nothing we can easily do 1290 * if it's getting the value from the 1291 * accumulator; we'd have to insert 1292 * code to force non-zero values to be 1293 * 65535. 1294 */ 1295 if (p->k != 0) 1296 p->k = 65535; 1297 } 1298 break; 1299 1300 case BPF_LD: 1301 case BPF_LDX: 1302 /* 1303 * It's a load instruction; is it loading 1304 * from the packet? 1305 */ 1306 switch (BPF_MODE(p->code)) { 1307 1308 case BPF_ABS: 1309 case BPF_IND: 1310 case BPF_MSH: 1311 /* 1312 * Yes; are we in cooked mode? 1313 */ 1314 if (handle->md.cooked) { 1315 /* 1316 * Yes, so we need to fix this 1317 * instruction. 1318 */ 1319 if (fix_offset(p) < 0) { 1320 /* 1321 * We failed to do so. 1322 * Return 0, so our caller 1323 * knows to punt to userland. 1324 */ 1325 return 0; 1326 } 1327 } 1328 break; 1329 } 1330 break; 1331 } 1332 } 1333 return 1; /* we succeeded */ 1334 } 1335 1336 static int 1337 fix_offset(struct bpf_insn *p) 1338 { 1339 /* 1340 * What's the offset? 1341 */ 1342 if (p->k >= SLL_HDR_LEN) { 1343 /* 1344 * It's within the link-layer payload; that starts at an 1345 * offset of 0, as far as the kernel packet filter is 1346 * concerned, so subtract the length of the link-layer 1347 * header. 1348 */ 1349 p->k -= SLL_HDR_LEN; 1350 } else if (p->k == 14) { 1351 /* 1352 * It's the protocol field; map it to the special magic 1353 * kernel offset for that field. 1354 */ 1355 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 1356 } else { 1357 /* 1358 * It's within the header, but it's not one of those 1359 * fields; we can't do that in the kernel, so punt 1360 * to userland. 1361 */ 1362 return -1; 1363 } 1364 return 0; 1365 } 1366 #endif 1367