1 /* 2 * pcap-linux.c: Packet capture interface to the Linux kernel 3 * 4 * Copyright (c) 2000 Torsten Landschoff <torsten@debian.org> 5 * Sebastian Krahmer <krahmer@cs.uni-potsdam.de> 6 * 7 * License: BSD 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 3. The names of the authors may not be used to endorse or promote 20 * products derived from this software without specific prior 21 * written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 25 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 26 * 27 * Modifications: Added PACKET_MMAP support 28 * Paolo Abeni <paolo.abeni@email.it> 29 * 30 * based on previous works of: 31 * Simon Patarin <patarin@cs.unibo.it> 32 * Phil Wood <cpw@lanl.gov> 33 */ 34 35 #ifndef lint 36 static const char rcsid[] _U_ = 37 "@(#) $Header: /tcpdump/master/libpcap/pcap-linux.c,v 1.129.2.29 2008-10-28 00:50:39 guy Exp $ (LBL)"; 38 #endif 39 40 /* 41 * Known problems with 2.0[.x] kernels: 42 * 43 * - The loopback device gives every packet twice; on 2.2[.x] kernels, 44 * if we use PF_PACKET, we can filter out the transmitted version 45 * of the packet by using data in the "sockaddr_ll" returned by 46 * "recvfrom()", but, on 2.0[.x] kernels, we have to use 47 * PF_INET/SOCK_PACKET, which means "recvfrom()" supplies a 48 * "sockaddr_pkt" which doesn't give us enough information to let 49 * us do that. 50 * 51 * - We have to set the interface's IFF_PROMISC flag ourselves, if 52 * we're to run in promiscuous mode, which means we have to turn 53 * it off ourselves when we're done; the kernel doesn't keep track 54 * of how many sockets are listening promiscuously, which means 55 * it won't get turned off automatically when no sockets are 56 * listening promiscuously. We catch "pcap_close()" and, for 57 * interfaces we put into promiscuous mode, take them out of 58 * promiscuous mode - which isn't necessarily the right thing to 59 * do, if another socket also requested promiscuous mode between 60 * the time when we opened the socket and the time when we close 61 * the socket. 62 * 63 * - MSG_TRUNC isn't supported, so you can't specify that "recvfrom()" 64 * return the amount of data that you could have read, rather than 65 * the amount that was returned, so we can't just allocate a buffer 66 * whose size is the snapshot length and pass the snapshot length 67 * as the byte count, and also pass MSG_TRUNC, so that the return 68 * value tells us how long the packet was on the wire. 69 * 70 * This means that, if we want to get the actual size of the packet, 71 * so we can return it in the "len" field of the packet header, 72 * we have to read the entire packet, not just the part that fits 73 * within the snapshot length, and thus waste CPU time copying data 74 * from the kernel that our caller won't see. 75 * 76 * We have to get the actual size, and supply it in "len", because 77 * otherwise, the IP dissector in tcpdump, for example, will complain 78 * about "truncated-ip", as the packet will appear to have been 79 * shorter, on the wire, than the IP header said it should have been. 80 */ 81 82 83 #ifdef HAVE_CONFIG_H 84 #include "config.h" 85 #endif 86 87 #include <errno.h> 88 #include <stdlib.h> 89 #include <unistd.h> 90 #include <fcntl.h> 91 #include <string.h> 92 #include <sys/socket.h> 93 #include <sys/ioctl.h> 94 #include <sys/utsname.h> 95 #include <sys/mman.h> 96 #include <net/if.h> 97 #include <netinet/in.h> 98 #include <linux/if_ether.h> 99 #include <net/if_arp.h> 100 #include <poll.h> 101 102 /* 103 * Got Wireless Extensions? 104 */ 105 #ifdef HAVE_LINUX_WIRELESS_H 106 #include <linux/wireless.h> 107 #endif 108 109 #include "pcap-int.h" 110 #include "pcap/sll.h" 111 #include "pcap/vlan.h" 112 113 #ifdef HAVE_DAG_API 114 #include "pcap-dag.h" 115 #endif /* HAVE_DAG_API */ 116 117 #ifdef HAVE_SEPTEL_API 118 #include "pcap-septel.h" 119 #endif /* HAVE_SEPTEL_API */ 120 121 #ifdef PCAP_SUPPORT_USB 122 #include "pcap-usb-linux.h" 123 #endif 124 125 #ifdef PCAP_SUPPORT_BT 126 #include "pcap-bt-linux.h" 127 #endif 128 129 /* 130 * If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET 131 * sockets rather than SOCK_PACKET sockets. 132 * 133 * To use them, we include <linux/if_packet.h> rather than 134 * <netpacket/packet.h>; we do so because 135 * 136 * some Linux distributions (e.g., Slackware 4.0) have 2.2 or 137 * later kernels and libc5, and don't provide a <netpacket/packet.h> 138 * file; 139 * 140 * not all versions of glibc2 have a <netpacket/packet.h> file 141 * that defines stuff needed for some of the 2.4-or-later-kernel 142 * features, so if the system has a 2.4 or later kernel, we 143 * still can't use those features. 144 * 145 * We're already including a number of other <linux/XXX.h> headers, and 146 * this code is Linux-specific (no other OS has PF_PACKET sockets as 147 * a raw packet capture mechanism), so it's not as if you gain any 148 * useful portability by using <netpacket/packet.h> 149 * 150 * XXX - should we just include <linux/if_packet.h> even if PF_PACKET 151 * isn't defined? It only defines one data structure in 2.0.x, so 152 * it shouldn't cause any problems. 153 */ 154 #ifdef PF_PACKET 155 # include <linux/if_packet.h> 156 157 /* 158 * On at least some Linux distributions (for example, Red Hat 5.2), 159 * there's no <netpacket/packet.h> file, but PF_PACKET is defined if 160 * you include <sys/socket.h>, but <linux/if_packet.h> doesn't define 161 * any of the PF_PACKET stuff such as "struct sockaddr_ll" or any of 162 * the PACKET_xxx stuff. 163 * 164 * So we check whether PACKET_HOST is defined, and assume that we have 165 * PF_PACKET sockets only if it is defined. 166 */ 167 # ifdef PACKET_HOST 168 # define HAVE_PF_PACKET_SOCKETS 169 # ifdef PACKET_AUXDATA 170 # define HAVE_PACKET_AUXDATA 171 # endif /* PACKET_AUXDATA */ 172 # endif /* PACKET_HOST */ 173 174 175 /* check for memory mapped access avaibility. We assume every needed 176 * struct is defined if the macro TPACKET_HDRLEN is defined, because it 177 * uses many ring related structs and macros */ 178 # ifdef TPACKET_HDRLEN 179 # define HAVE_PACKET_RING 180 # ifdef TPACKET2_HDRLEN 181 # define HAVE_TPACKET2 182 # else 183 # define TPACKET_V1 0 184 # endif /* TPACKET2_HDRLEN */ 185 # endif /* TPACKET_HDRLEN */ 186 #endif /* PF_PACKET */ 187 188 #ifdef SO_ATTACH_FILTER 189 #include <linux/types.h> 190 #include <linux/filter.h> 191 #endif 192 193 #ifndef HAVE_SOCKLEN_T 194 typedef int socklen_t; 195 #endif 196 197 #ifndef MSG_TRUNC 198 /* 199 * This is being compiled on a system that lacks MSG_TRUNC; define it 200 * with the value it has in the 2.2 and later kernels, so that, on 201 * those kernels, when we pass it in the flags argument to "recvfrom()" 202 * we're passing the right value and thus get the MSG_TRUNC behavior 203 * we want. (We don't get that behavior on 2.0[.x] kernels, because 204 * they didn't support MSG_TRUNC.) 205 */ 206 #define MSG_TRUNC 0x20 207 #endif 208 209 #ifndef SOL_PACKET 210 /* 211 * This is being compiled on a system that lacks SOL_PACKET; define it 212 * with the value it has in the 2.2 and later kernels, so that we can 213 * set promiscuous mode in the good modern way rather than the old 214 * 2.0-kernel crappy way. 215 */ 216 #define SOL_PACKET 263 217 #endif 218 219 #define MAX_LINKHEADER_SIZE 256 220 221 /* 222 * When capturing on all interfaces we use this as the buffer size. 223 * Should be bigger then all MTUs that occur in real life. 224 * 64kB should be enough for now. 225 */ 226 #define BIGGER_THAN_ALL_MTUS (64*1024) 227 228 /* 229 * Prototypes for internal functions and methods. 230 */ 231 static void map_arphrd_to_dlt(pcap_t *, int, int); 232 #ifdef HAVE_PF_PACKET_SOCKETS 233 static short int map_packet_type_to_sll_type(short int); 234 #endif 235 static int pcap_activate_linux(pcap_t *); 236 static int activate_old(pcap_t *); 237 static int activate_new(pcap_t *); 238 static int activate_mmap(pcap_t *); 239 static int pcap_can_set_rfmon_linux(pcap_t *); 240 static int pcap_read_linux(pcap_t *, int, pcap_handler, u_char *); 241 static int pcap_read_packet(pcap_t *, pcap_handler, u_char *); 242 static int pcap_inject_linux(pcap_t *, const void *, size_t); 243 static int pcap_stats_linux(pcap_t *, struct pcap_stat *); 244 static int pcap_setfilter_linux(pcap_t *, struct bpf_program *); 245 static int pcap_setdirection_linux(pcap_t *, pcap_direction_t); 246 static void pcap_cleanup_linux(pcap_t *); 247 248 union thdr { 249 struct tpacket_hdr *h1; 250 struct tpacket2_hdr *h2; 251 void *raw; 252 }; 253 254 #ifdef HAVE_PACKET_RING 255 #define RING_GET_FRAME(h) (((union thdr **)h->buffer)[h->offset]) 256 257 static void destroy_ring(pcap_t *handle); 258 static int create_ring(pcap_t *handle); 259 static int prepare_tpacket_socket(pcap_t *handle); 260 static void pcap_cleanup_linux_mmap(pcap_t *); 261 static int pcap_read_linux_mmap(pcap_t *, int, pcap_handler , u_char *); 262 static int pcap_setfilter_linux_mmap(pcap_t *, struct bpf_program *); 263 static int pcap_setnonblock_mmap(pcap_t *p, int nonblock, char *errbuf); 264 static int pcap_getnonblock_mmap(pcap_t *p, char *errbuf); 265 #endif 266 267 /* 268 * Wrap some ioctl calls 269 */ 270 #ifdef HAVE_PF_PACKET_SOCKETS 271 static int iface_get_id(int fd, const char *device, char *ebuf); 272 #endif 273 static int iface_get_mtu(int fd, const char *device, char *ebuf); 274 static int iface_get_arptype(int fd, const char *device, char *ebuf); 275 #ifdef HAVE_PF_PACKET_SOCKETS 276 static int iface_bind(int fd, int ifindex, char *ebuf); 277 static int has_wext(int sock_fd, const char *device, char *ebuf); 278 static int enter_rfmon_mode_wext(pcap_t *handle, int sock_fd, 279 const char *device); 280 #endif 281 static int iface_bind_old(int fd, const char *device, char *ebuf); 282 283 #ifdef SO_ATTACH_FILTER 284 static int fix_program(pcap_t *handle, struct sock_fprog *fcode); 285 static int fix_offset(struct bpf_insn *p); 286 static int set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode); 287 static int reset_kernel_filter(pcap_t *handle); 288 289 static struct sock_filter total_insn 290 = BPF_STMT(BPF_RET | BPF_K, 0); 291 static struct sock_fprog total_fcode 292 = { 1, &total_insn }; 293 #endif 294 295 pcap_t * 296 pcap_create(const char *device, char *ebuf) 297 { 298 pcap_t *handle; 299 300 #ifdef HAVE_DAG_API 301 if (strstr(device, "dag")) { 302 return dag_create(device, ebuf); 303 } 304 #endif /* HAVE_DAG_API */ 305 306 #ifdef HAVE_SEPTEL_API 307 if (strstr(device, "septel")) { 308 return septel_create(device, ebuf); 309 } 310 #endif /* HAVE_SEPTEL_API */ 311 312 #ifdef PCAP_SUPPORT_BT 313 if (strstr(device, "bluetooth")) { 314 return bt_create(device, ebuf); 315 } 316 #endif 317 318 #ifdef PCAP_SUPPORT_USB 319 if (strstr(device, "usb")) { 320 return usb_create(device, ebuf); 321 } 322 #endif 323 324 handle = pcap_create_common(device, ebuf); 325 if (handle == NULL) 326 return NULL; 327 328 handle->activate_op = pcap_activate_linux; 329 handle->can_set_rfmon_op = pcap_can_set_rfmon_linux; 330 return handle; 331 } 332 333 static int 334 pcap_can_set_rfmon_linux(pcap_t *p) 335 { 336 #ifdef IW_MODE_MONITOR 337 int sock_fd; 338 struct iwreq ireq; 339 #endif 340 341 if (p->opt.source == NULL) { 342 /* 343 * This is equivalent to the "any" device, and we don't 344 * support monitor mode on it. 345 */ 346 return 0; 347 } 348 349 #ifdef IW_MODE_MONITOR 350 /* 351 * Bleah. There doesn't appear to be an ioctl to use to ask 352 * whether a device supports monitor mode; we'll just do 353 * SIOCGIWMODE and, if it succeeds, assume the device supports 354 * monitor mode. 355 * 356 * Open a socket on which to attempt to get the mode. 357 * (We assume that if we have Wireless Extensions support 358 * we also have PF_PACKET support.) 359 */ 360 sock_fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); 361 if (sock_fd == -1) { 362 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 363 "socket: %s", pcap_strerror(errno)); 364 return PCAP_ERROR; 365 } 366 367 /* 368 * Attempt to get the current mode. 369 */ 370 strncpy(ireq.ifr_ifrn.ifrn_name, p->opt.source, 371 sizeof ireq.ifr_ifrn.ifrn_name); 372 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 373 if (ioctl(sock_fd, SIOCGIWMODE, &ireq) != -1) { 374 /* 375 * Well, we got the mode; assume we can set it. 376 */ 377 close(sock_fd); 378 return 1; 379 } 380 if (errno == ENODEV) { 381 /* The device doesn't even exist. */ 382 close(sock_fd); 383 return PCAP_ERROR_NO_SUCH_DEVICE; 384 } 385 close(sock_fd); 386 #endif 387 return 0; 388 } 389 390 /* 391 * With older kernels promiscuous mode is kind of interesting because we 392 * have to reset the interface before exiting. The problem can't really 393 * be solved without some daemon taking care of managing usage counts. 394 * If we put the interface into promiscuous mode, we set a flag indicating 395 * that we must take it out of that mode when the interface is closed, 396 * and, when closing the interface, if that flag is set we take it out 397 * of promiscuous mode. 398 * 399 * Even with newer kernels, we have the same issue with rfmon mode. 400 */ 401 402 static void pcap_cleanup_linux( pcap_t *handle ) 403 { 404 struct ifreq ifr; 405 #ifdef IW_MODE_MONITOR 406 struct iwreq ireq; 407 #endif 408 409 if (handle->md.must_clear != 0) { 410 /* 411 * There's something we have to do when closing this 412 * pcap_t. 413 */ 414 if (handle->md.must_clear & MUST_CLEAR_PROMISC) { 415 /* 416 * We put the interface into promiscuous mode; 417 * take it out of promiscuous mode. 418 * 419 * XXX - if somebody else wants it in promiscuous 420 * mode, this code cannot know that, so it'll take 421 * it out of promiscuous mode. That's not fixable 422 * in 2.0[.x] kernels. 423 */ 424 memset(&ifr, 0, sizeof(ifr)); 425 strncpy(ifr.ifr_name, handle->md.device, 426 sizeof(ifr.ifr_name)); 427 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 428 fprintf(stderr, 429 "Can't restore interface flags (SIOCGIFFLAGS failed: %s).\n" 430 "Please adjust manually.\n" 431 "Hint: This can't happen with Linux >= 2.2.0.\n", 432 strerror(errno)); 433 } else { 434 if (ifr.ifr_flags & IFF_PROMISC) { 435 /* 436 * Promiscuous mode is currently on; 437 * turn it off. 438 */ 439 ifr.ifr_flags &= ~IFF_PROMISC; 440 if (ioctl(handle->fd, SIOCSIFFLAGS, 441 &ifr) == -1) { 442 fprintf(stderr, 443 "Can't restore interface flags (SIOCSIFFLAGS failed: %s).\n" 444 "Please adjust manually.\n" 445 "Hint: This can't happen with Linux >= 2.2.0.\n", 446 strerror(errno)); 447 } 448 } 449 } 450 } 451 452 #ifdef IW_MODE_MONITOR 453 if (handle->md.must_clear & MUST_CLEAR_RFMON) { 454 /* 455 * We put the interface into rfmon mode; 456 * take it out of rfmon mode. 457 * 458 * XXX - if somebody else wants it in rfmon 459 * mode, this code cannot know that, so it'll take 460 * it out of rfmon mode. 461 */ 462 strncpy(ireq.ifr_ifrn.ifrn_name, handle->md.device, 463 sizeof ireq.ifr_ifrn.ifrn_name); 464 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] 465 = 0; 466 ireq.u.mode = handle->md.oldmode; 467 if (ioctl(handle->fd, SIOCSIWMODE, &ireq) == -1) { 468 /* 469 * Scientist, you've failed. 470 */ 471 fprintf(stderr, 472 "Can't restore interface wireless mode (SIOCSIWMODE failed: %s).\n" 473 "Please adjust manually.\n", 474 strerror(errno)); 475 } 476 } 477 #endif 478 479 /* 480 * Take this pcap out of the list of pcaps for which we 481 * have to take the interface out of some mode. 482 */ 483 pcap_remove_from_pcaps_to_close(handle); 484 } 485 486 if (handle->md.device != NULL) { 487 free(handle->md.device); 488 handle->md.device = NULL; 489 } 490 pcap_cleanup_live_common(handle); 491 } 492 493 /* 494 * Get a handle for a live capture from the given device. You can 495 * pass NULL as device to get all packages (without link level 496 * information of course). If you pass 1 as promisc the interface 497 * will be set to promiscous mode (XXX: I think this usage should 498 * be deprecated and functions be added to select that later allow 499 * modification of that values -- Torsten). 500 */ 501 static int 502 pcap_activate_linux(pcap_t *handle) 503 { 504 const char *device; 505 int status = 0; 506 int activate_ok = 0; 507 508 device = handle->opt.source; 509 510 handle->inject_op = pcap_inject_linux; 511 handle->setfilter_op = pcap_setfilter_linux; 512 handle->setdirection_op = pcap_setdirection_linux; 513 handle->set_datalink_op = NULL; /* can't change data link type */ 514 handle->getnonblock_op = pcap_getnonblock_fd; 515 handle->setnonblock_op = pcap_setnonblock_fd; 516 handle->cleanup_op = pcap_cleanup_linux; 517 handle->read_op = pcap_read_linux; 518 handle->stats_op = pcap_stats_linux; 519 520 /* 521 * NULL and "any" are special devices which give us the hint to 522 * monitor all devices. 523 */ 524 if (!device || strcmp(device, "any") == 0) { 525 device = NULL; 526 handle->md.device = strdup("any"); 527 if (handle->opt.promisc) { 528 handle->opt.promisc = 0; 529 /* Just a warning. */ 530 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 531 "Promiscuous mode not supported on the \"any\" device"); 532 status = PCAP_WARNING_PROMISC_NOTSUP; 533 } 534 535 } else 536 handle->md.device = strdup(device); 537 538 if (handle->md.device == NULL) { 539 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s", 540 pcap_strerror(errno) ); 541 return PCAP_ERROR; 542 } 543 544 /* 545 * Current Linux kernels use the protocol family PF_PACKET to 546 * allow direct access to all packets on the network while 547 * older kernels had a special socket type SOCK_PACKET to 548 * implement this feature. 549 * While this old implementation is kind of obsolete we need 550 * to be compatible with older kernels for a while so we are 551 * trying both methods with the newer method preferred. 552 */ 553 554 if ((status = activate_new(handle)) == 1) { 555 activate_ok = 1; 556 /* 557 * Try to use memory-mapped access. 558 */ 559 if (activate_mmap(handle) == 1) 560 return 0; /* we succeeded; nothing more to do */ 561 } 562 else if (status == 0) { 563 /* Non-fatal error; try old way */ 564 if ((status = activate_old(handle)) == 1) 565 activate_ok = 1; 566 } 567 if (!activate_ok) { 568 /* 569 * Both methods to open the packet socket failed. Tidy 570 * up and report our failure (ebuf is expected to be 571 * set by the functions above). 572 */ 573 goto fail; 574 } 575 576 if (handle->opt.buffer_size != 0) { 577 /* 578 * Set the socket buffer size to the specified value. 579 */ 580 if (setsockopt(handle->fd, SOL_SOCKET, SO_RCVBUF, 581 &handle->opt.buffer_size, 582 sizeof(handle->opt.buffer_size)) == -1) { 583 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 584 "SO_RCVBUF: %s", pcap_strerror(errno)); 585 status = PCAP_ERROR; 586 goto fail; 587 } 588 } 589 590 /* Allocate the buffer */ 591 592 handle->buffer = malloc(handle->bufsize + handle->offset); 593 if (!handle->buffer) { 594 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 595 "malloc: %s", pcap_strerror(errno)); 596 status = PCAP_ERROR; 597 goto fail; 598 } 599 600 /* 601 * "handle->fd" is a socket, so "select()" and "poll()" 602 * should work on it. 603 */ 604 handle->selectable_fd = handle->fd; 605 606 return status; 607 608 fail: 609 pcap_cleanup_linux(handle); 610 return status; 611 } 612 613 /* 614 * Read at most max_packets from the capture stream and call the callback 615 * for each of them. Returns the number of packets handled or -1 if an 616 * error occured. 617 */ 618 static int 619 pcap_read_linux(pcap_t *handle, int max_packets, pcap_handler callback, u_char *user) 620 { 621 /* 622 * Currently, on Linux only one packet is delivered per read, 623 * so we don't loop. 624 */ 625 return pcap_read_packet(handle, callback, user); 626 } 627 628 /* 629 * Read a packet from the socket calling the handler provided by 630 * the user. Returns the number of packets received or -1 if an 631 * error occured. 632 */ 633 static int 634 pcap_read_packet(pcap_t *handle, pcap_handler callback, u_char *userdata) 635 { 636 u_char *bp; 637 int offset; 638 #ifdef HAVE_PF_PACKET_SOCKETS 639 struct sockaddr_ll from; 640 struct sll_header *hdrp; 641 #else 642 struct sockaddr from; 643 #endif 644 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 645 struct iovec iov; 646 struct msghdr msg; 647 struct cmsghdr *cmsg; 648 union { 649 struct cmsghdr cmsg; 650 char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))]; 651 } cmsg_buf; 652 #else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 653 socklen_t fromlen; 654 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 655 int packet_len, caplen; 656 struct pcap_pkthdr pcap_header; 657 658 #ifdef HAVE_PF_PACKET_SOCKETS 659 /* 660 * If this is a cooked device, leave extra room for a 661 * fake packet header. 662 */ 663 if (handle->md.cooked) 664 offset = SLL_HDR_LEN; 665 else 666 offset = 0; 667 #else 668 /* 669 * This system doesn't have PF_PACKET sockets, so it doesn't 670 * support cooked devices. 671 */ 672 offset = 0; 673 #endif 674 675 /* 676 * Receive a single packet from the kernel. 677 * We ignore EINTR, as that might just be due to a signal 678 * being delivered - if the signal should interrupt the 679 * loop, the signal handler should call pcap_breakloop() 680 * to set handle->break_loop (we ignore it on other 681 * platforms as well). 682 * We also ignore ENETDOWN, so that we can continue to 683 * capture traffic if the interface goes down and comes 684 * back up again; comments in the kernel indicate that 685 * we'll just block waiting for packets if we try to 686 * receive from a socket that delivered ENETDOWN, and, 687 * if we're using a memory-mapped buffer, we won't even 688 * get notified of "network down" events. 689 */ 690 bp = handle->buffer + handle->offset; 691 692 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 693 msg.msg_name = &from; 694 msg.msg_namelen = sizeof(from); 695 msg.msg_iov = &iov; 696 msg.msg_iovlen = 1; 697 msg.msg_control = &cmsg_buf; 698 msg.msg_controllen = sizeof(cmsg_buf); 699 msg.msg_flags = 0; 700 701 iov.iov_len = handle->bufsize - offset; 702 iov.iov_base = bp + offset; 703 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 704 705 do { 706 /* 707 * Has "pcap_breakloop()" been called? 708 */ 709 if (handle->break_loop) { 710 /* 711 * Yes - clear the flag that indicates that it 712 * has, and return -2 as an indication that we 713 * were told to break out of the loop. 714 */ 715 handle->break_loop = 0; 716 return -2; 717 } 718 719 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 720 packet_len = recvmsg(handle->fd, &msg, MSG_TRUNC); 721 #else /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 722 fromlen = sizeof(from); 723 packet_len = recvfrom( 724 handle->fd, bp + offset, 725 handle->bufsize - offset, MSG_TRUNC, 726 (struct sockaddr *) &from, &fromlen); 727 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 728 } while (packet_len == -1 && (errno == EINTR || errno == ENETDOWN)); 729 730 /* Check if an error occured */ 731 732 if (packet_len == -1) { 733 if (errno == EAGAIN) 734 return 0; /* no packet there */ 735 else { 736 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 737 "recvfrom: %s", pcap_strerror(errno)); 738 return -1; 739 } 740 } 741 742 #ifdef HAVE_PF_PACKET_SOCKETS 743 if (!handle->md.sock_packet) { 744 /* 745 * Unfortunately, there is a window between socket() and 746 * bind() where the kernel may queue packets from any 747 * interface. If we're bound to a particular interface, 748 * discard packets not from that interface. 749 * 750 * (If socket filters are supported, we could do the 751 * same thing we do when changing the filter; however, 752 * that won't handle packet sockets without socket 753 * filter support, and it's a bit more complicated. 754 * It would save some instructions per packet, however.) 755 */ 756 if (handle->md.ifindex != -1 && 757 from.sll_ifindex != handle->md.ifindex) 758 return 0; 759 760 /* 761 * Do checks based on packet direction. 762 * We can only do this if we're using PF_PACKET; the 763 * address returned for SOCK_PACKET is a "sockaddr_pkt" 764 * which lacks the relevant packet type information. 765 */ 766 if (from.sll_pkttype == PACKET_OUTGOING) { 767 /* 768 * Outgoing packet. 769 * If this is from the loopback device, reject it; 770 * we'll see the packet as an incoming packet as well, 771 * and we don't want to see it twice. 772 */ 773 if (from.sll_ifindex == handle->md.lo_ifindex) 774 return 0; 775 776 /* 777 * If the user only wants incoming packets, reject it. 778 */ 779 if (handle->direction == PCAP_D_IN) 780 return 0; 781 } else { 782 /* 783 * Incoming packet. 784 * If the user only wants outgoing packets, reject it. 785 */ 786 if (handle->direction == PCAP_D_OUT) 787 return 0; 788 } 789 } 790 #endif 791 792 #ifdef HAVE_PF_PACKET_SOCKETS 793 /* 794 * If this is a cooked device, fill in the fake packet header. 795 */ 796 if (handle->md.cooked) { 797 /* 798 * Add the length of the fake header to the length 799 * of packet data we read. 800 */ 801 packet_len += SLL_HDR_LEN; 802 803 hdrp = (struct sll_header *)bp; 804 hdrp->sll_pkttype = map_packet_type_to_sll_type(from.sll_pkttype); 805 hdrp->sll_hatype = htons(from.sll_hatype); 806 hdrp->sll_halen = htons(from.sll_halen); 807 memcpy(hdrp->sll_addr, from.sll_addr, 808 (from.sll_halen > SLL_ADDRLEN) ? 809 SLL_ADDRLEN : 810 from.sll_halen); 811 hdrp->sll_protocol = from.sll_protocol; 812 } 813 814 #if defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) 815 for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { 816 struct tpacket_auxdata *aux; 817 unsigned int len; 818 struct vlan_tag *tag; 819 820 if (cmsg->cmsg_len < CMSG_LEN(sizeof(struct tpacket_auxdata)) || 821 cmsg->cmsg_level != SOL_PACKET || 822 cmsg->cmsg_type != PACKET_AUXDATA) 823 continue; 824 825 aux = (struct tpacket_auxdata *)CMSG_DATA(cmsg); 826 if (aux->tp_vlan_tci == 0) 827 continue; 828 829 len = packet_len > iov.iov_len ? iov.iov_len : packet_len; 830 if (len < 2 * ETH_ALEN) 831 break; 832 833 bp -= VLAN_TAG_LEN; 834 memmove(bp, bp + VLAN_TAG_LEN, 2 * ETH_ALEN); 835 836 tag = (struct vlan_tag *)(bp + 2 * ETH_ALEN); 837 tag->vlan_tpid = htons(ETH_P_8021Q); 838 tag->vlan_tci = htons(aux->tp_vlan_tci); 839 840 packet_len += VLAN_TAG_LEN; 841 } 842 #endif /* defined(HAVE_PACKET_AUXDATA) && defined(HAVE_LINUX_TPACKET_AUXDATA_TP_VLAN_TCI) */ 843 #endif /* HAVE_PF_PACKET_SOCKETS */ 844 845 /* 846 * XXX: According to the kernel source we should get the real 847 * packet len if calling recvfrom with MSG_TRUNC set. It does 848 * not seem to work here :(, but it is supported by this code 849 * anyway. 850 * To be honest the code RELIES on that feature so this is really 851 * broken with 2.2.x kernels. 852 * I spend a day to figure out what's going on and I found out 853 * that the following is happening: 854 * 855 * The packet comes from a random interface and the packet_rcv 856 * hook is called with a clone of the packet. That code inserts 857 * the packet into the receive queue of the packet socket. 858 * If a filter is attached to that socket that filter is run 859 * first - and there lies the problem. The default filter always 860 * cuts the packet at the snaplen: 861 * 862 * # tcpdump -d 863 * (000) ret #68 864 * 865 * So the packet filter cuts down the packet. The recvfrom call 866 * says "hey, it's only 68 bytes, it fits into the buffer" with 867 * the result that we don't get the real packet length. This 868 * is valid at least until kernel 2.2.17pre6. 869 * 870 * We currently handle this by making a copy of the filter 871 * program, fixing all "ret" instructions with non-zero 872 * operands to have an operand of 65535 so that the filter 873 * doesn't truncate the packet, and supplying that modified 874 * filter to the kernel. 875 */ 876 877 caplen = packet_len; 878 if (caplen > handle->snapshot) 879 caplen = handle->snapshot; 880 881 /* Run the packet filter if not using kernel filter */ 882 if (!handle->md.use_bpf && handle->fcode.bf_insns) { 883 if (bpf_filter(handle->fcode.bf_insns, bp, 884 packet_len, caplen) == 0) 885 { 886 /* rejected by filter */ 887 return 0; 888 } 889 } 890 891 /* Fill in our own header data */ 892 893 if (ioctl(handle->fd, SIOCGSTAMP, &pcap_header.ts) == -1) { 894 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 895 "SIOCGSTAMP: %s", pcap_strerror(errno)); 896 return -1; 897 } 898 pcap_header.caplen = caplen; 899 pcap_header.len = packet_len; 900 901 /* 902 * Count the packet. 903 * 904 * Arguably, we should count them before we check the filter, 905 * as on many other platforms "ps_recv" counts packets 906 * handed to the filter rather than packets that passed 907 * the filter, but if filtering is done in the kernel, we 908 * can't get a count of packets that passed the filter, 909 * and that would mean the meaning of "ps_recv" wouldn't 910 * be the same on all Linux systems. 911 * 912 * XXX - it's not the same on all systems in any case; 913 * ideally, we should have a "get the statistics" call 914 * that supplies more counts and indicates which of them 915 * it supplies, so that we supply a count of packets 916 * handed to the filter only on platforms where that 917 * information is available. 918 * 919 * We count them here even if we can get the packet count 920 * from the kernel, as we can only determine at run time 921 * whether we'll be able to get it from the kernel (if 922 * HAVE_TPACKET_STATS isn't defined, we can't get it from 923 * the kernel, but if it is defined, the library might 924 * have been built with a 2.4 or later kernel, but we 925 * might be running on a 2.2[.x] kernel without Alexey 926 * Kuznetzov's turbopacket patches, and thus the kernel 927 * might not be able to supply those statistics). We 928 * could, I guess, try, when opening the socket, to get 929 * the statistics, and if we can not increment the count 930 * here, but it's not clear that always incrementing 931 * the count is more expensive than always testing a flag 932 * in memory. 933 * 934 * We keep the count in "md.packets_read", and use that for 935 * "ps_recv" if we can't get the statistics from the kernel. 936 * We do that because, if we *can* get the statistics from 937 * the kernel, we use "md.stat.ps_recv" and "md.stat.ps_drop" 938 * as running counts, as reading the statistics from the 939 * kernel resets the kernel statistics, and if we directly 940 * increment "md.stat.ps_recv" here, that means it will 941 * count packets *twice* on systems where we can get kernel 942 * statistics - once here, and once in pcap_stats_linux(). 943 */ 944 handle->md.packets_read++; 945 946 /* Call the user supplied callback function */ 947 callback(userdata, &pcap_header, bp); 948 949 return 1; 950 } 951 952 static int 953 pcap_inject_linux(pcap_t *handle, const void *buf, size_t size) 954 { 955 int ret; 956 957 #ifdef HAVE_PF_PACKET_SOCKETS 958 if (!handle->md.sock_packet) { 959 /* PF_PACKET socket */ 960 if (handle->md.ifindex == -1) { 961 /* 962 * We don't support sending on the "any" device. 963 */ 964 strlcpy(handle->errbuf, 965 "Sending packets isn't supported on the \"any\" device", 966 PCAP_ERRBUF_SIZE); 967 return (-1); 968 } 969 970 if (handle->md.cooked) { 971 /* 972 * We don't support sending on the "any" device. 973 * 974 * XXX - how do you send on a bound cooked-mode 975 * socket? 976 * Is a "sendto()" required there? 977 */ 978 strlcpy(handle->errbuf, 979 "Sending packets isn't supported in cooked mode", 980 PCAP_ERRBUF_SIZE); 981 return (-1); 982 } 983 } 984 #endif 985 986 ret = send(handle->fd, buf, size, 0); 987 if (ret == -1) { 988 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 989 pcap_strerror(errno)); 990 return (-1); 991 } 992 return (ret); 993 } 994 995 /* 996 * Get the statistics for the given packet capture handle. 997 * Reports the number of dropped packets iff the kernel supports 998 * the PACKET_STATISTICS "getsockopt()" argument (2.4 and later 999 * kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket 1000 * patches); otherwise, that information isn't available, and we lie 1001 * and report 0 as the count of dropped packets. 1002 */ 1003 static int 1004 pcap_stats_linux(pcap_t *handle, struct pcap_stat *stats) 1005 { 1006 #ifdef HAVE_TPACKET_STATS 1007 struct tpacket_stats kstats; 1008 socklen_t len = sizeof (struct tpacket_stats); 1009 #endif 1010 1011 #ifdef HAVE_TPACKET_STATS 1012 /* 1013 * Try to get the packet counts from the kernel. 1014 */ 1015 if (getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, 1016 &kstats, &len) > -1) { 1017 /* 1018 * On systems where the PACKET_STATISTICS "getsockopt()" 1019 * argument is supported on PF_PACKET sockets: 1020 * 1021 * "ps_recv" counts only packets that *passed* the 1022 * filter, not packets that didn't pass the filter. 1023 * This includes packets later dropped because we 1024 * ran out of buffer space. 1025 * 1026 * "ps_drop" counts packets dropped because we ran 1027 * out of buffer space. It doesn't count packets 1028 * dropped by the interface driver. It counts only 1029 * packets that passed the filter. 1030 * 1031 * Both statistics include packets not yet read from 1032 * the kernel by libpcap, and thus not yet seen by 1033 * the application. 1034 * 1035 * In "linux/net/packet/af_packet.c", at least in the 1036 * 2.4.9 kernel, "tp_packets" is incremented for every 1037 * packet that passes the packet filter *and* is 1038 * successfully queued on the socket; "tp_drops" is 1039 * incremented for every packet dropped because there's 1040 * not enough free space in the socket buffer. 1041 * 1042 * When the statistics are returned for a PACKET_STATISTICS 1043 * "getsockopt()" call, "tp_drops" is added to "tp_packets", 1044 * so that "tp_packets" counts all packets handed to 1045 * the PF_PACKET socket, including packets dropped because 1046 * there wasn't room on the socket buffer - but not 1047 * including packets that didn't pass the filter. 1048 * 1049 * In the BSD BPF, the count of received packets is 1050 * incremented for every packet handed to BPF, regardless 1051 * of whether it passed the filter. 1052 * 1053 * We can't make "pcap_stats()" work the same on both 1054 * platforms, but the best approximation is to return 1055 * "tp_packets" as the count of packets and "tp_drops" 1056 * as the count of drops. 1057 * 1058 * Keep a running total because each call to 1059 * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, .... 1060 * resets the counters to zero. 1061 */ 1062 handle->md.stat.ps_recv += kstats.tp_packets; 1063 handle->md.stat.ps_drop += kstats.tp_drops; 1064 *stats = handle->md.stat; 1065 return 0; 1066 } 1067 else 1068 { 1069 /* 1070 * If the error was EOPNOTSUPP, fall through, so that 1071 * if you build the library on a system with 1072 * "struct tpacket_stats" and run it on a system 1073 * that doesn't, it works as it does if the library 1074 * is built on a system without "struct tpacket_stats". 1075 */ 1076 if (errno != EOPNOTSUPP) { 1077 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1078 "pcap_stats: %s", pcap_strerror(errno)); 1079 return -1; 1080 } 1081 } 1082 #endif 1083 /* 1084 * On systems where the PACKET_STATISTICS "getsockopt()" argument 1085 * is not supported on PF_PACKET sockets: 1086 * 1087 * "ps_recv" counts only packets that *passed* the filter, 1088 * not packets that didn't pass the filter. It does not 1089 * count packets dropped because we ran out of buffer 1090 * space. 1091 * 1092 * "ps_drop" is not supported. 1093 * 1094 * "ps_recv" doesn't include packets not yet read from 1095 * the kernel by libpcap. 1096 * 1097 * We maintain the count of packets processed by libpcap in 1098 * "md.packets_read", for reasons described in the comment 1099 * at the end of pcap_read_packet(). We have no idea how many 1100 * packets were dropped. 1101 */ 1102 stats->ps_recv = handle->md.packets_read; 1103 stats->ps_drop = 0; 1104 return 0; 1105 } 1106 1107 /* 1108 * Description string for the "any" device. 1109 */ 1110 static const char any_descr[] = "Pseudo-device that captures on all interfaces"; 1111 1112 int 1113 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 1114 { 1115 if (pcap_add_if(alldevsp, "any", 0, any_descr, errbuf) < 0) 1116 return (-1); 1117 1118 #ifdef HAVE_DAG_API 1119 if (dag_platform_finddevs(alldevsp, errbuf) < 0) 1120 return (-1); 1121 #endif /* HAVE_DAG_API */ 1122 1123 #ifdef HAVE_SEPTEL_API 1124 if (septel_platform_finddevs(alldevsp, errbuf) < 0) 1125 return (-1); 1126 #endif /* HAVE_SEPTEL_API */ 1127 1128 #ifdef PCAP_SUPPORT_BT 1129 if (bt_platform_finddevs(alldevsp, errbuf) < 0) 1130 return (-1); 1131 #endif 1132 1133 #ifdef PCAP_SUPPORT_USB 1134 if (usb_platform_finddevs(alldevsp, errbuf) < 0) 1135 return (-1); 1136 #endif 1137 1138 return (0); 1139 } 1140 1141 /* 1142 * Attach the given BPF code to the packet capture device. 1143 */ 1144 static int 1145 pcap_setfilter_linux(pcap_t *handle, struct bpf_program *filter) 1146 { 1147 #ifdef SO_ATTACH_FILTER 1148 struct sock_fprog fcode; 1149 int can_filter_in_kernel; 1150 int err = 0; 1151 #endif 1152 1153 if (!handle) 1154 return -1; 1155 if (!filter) { 1156 strncpy(handle->errbuf, "setfilter: No filter specified", 1157 PCAP_ERRBUF_SIZE); 1158 return -1; 1159 } 1160 1161 /* Make our private copy of the filter */ 1162 1163 if (install_bpf_program(handle, filter) < 0) 1164 /* install_bpf_program() filled in errbuf */ 1165 return -1; 1166 1167 /* 1168 * Run user level packet filter by default. Will be overriden if 1169 * installing a kernel filter succeeds. 1170 */ 1171 handle->md.use_bpf = 0; 1172 1173 /* Install kernel level filter if possible */ 1174 1175 #ifdef SO_ATTACH_FILTER 1176 #ifdef USHRT_MAX 1177 if (handle->fcode.bf_len > USHRT_MAX) { 1178 /* 1179 * fcode.len is an unsigned short for current kernel. 1180 * I have yet to see BPF-Code with that much 1181 * instructions but still it is possible. So for the 1182 * sake of correctness I added this check. 1183 */ 1184 fprintf(stderr, "Warning: Filter too complex for kernel\n"); 1185 fcode.len = 0; 1186 fcode.filter = NULL; 1187 can_filter_in_kernel = 0; 1188 } else 1189 #endif /* USHRT_MAX */ 1190 { 1191 /* 1192 * Oh joy, the Linux kernel uses struct sock_fprog instead 1193 * of struct bpf_program and of course the length field is 1194 * of different size. Pointed out by Sebastian 1195 * 1196 * Oh, and we also need to fix it up so that all "ret" 1197 * instructions with non-zero operands have 65535 as the 1198 * operand, and so that, if we're in cooked mode, all 1199 * memory-reference instructions use special magic offsets 1200 * in references to the link-layer header and assume that 1201 * the link-layer payload begins at 0; "fix_program()" 1202 * will do that. 1203 */ 1204 switch (fix_program(handle, &fcode)) { 1205 1206 case -1: 1207 default: 1208 /* 1209 * Fatal error; just quit. 1210 * (The "default" case shouldn't happen; we 1211 * return -1 for that reason.) 1212 */ 1213 return -1; 1214 1215 case 0: 1216 /* 1217 * The program performed checks that we can't make 1218 * work in the kernel. 1219 */ 1220 can_filter_in_kernel = 0; 1221 break; 1222 1223 case 1: 1224 /* 1225 * We have a filter that'll work in the kernel. 1226 */ 1227 can_filter_in_kernel = 1; 1228 break; 1229 } 1230 } 1231 1232 if (can_filter_in_kernel) { 1233 if ((err = set_kernel_filter(handle, &fcode)) == 0) 1234 { 1235 /* Installation succeded - using kernel filter. */ 1236 handle->md.use_bpf = 1; 1237 } 1238 else if (err == -1) /* Non-fatal error */ 1239 { 1240 /* 1241 * Print a warning if we weren't able to install 1242 * the filter for a reason other than "this kernel 1243 * isn't configured to support socket filters. 1244 */ 1245 if (errno != ENOPROTOOPT && errno != EOPNOTSUPP) { 1246 fprintf(stderr, 1247 "Warning: Kernel filter failed: %s\n", 1248 pcap_strerror(errno)); 1249 } 1250 } 1251 } 1252 1253 /* 1254 * If we're not using the kernel filter, get rid of any kernel 1255 * filter that might've been there before, e.g. because the 1256 * previous filter could work in the kernel, or because some other 1257 * code attached a filter to the socket by some means other than 1258 * calling "pcap_setfilter()". Otherwise, the kernel filter may 1259 * filter out packets that would pass the new userland filter. 1260 */ 1261 if (!handle->md.use_bpf) 1262 reset_kernel_filter(handle); 1263 1264 /* 1265 * Free up the copy of the filter that was made by "fix_program()". 1266 */ 1267 if (fcode.filter != NULL) 1268 free(fcode.filter); 1269 1270 if (err == -2) 1271 /* Fatal error */ 1272 return -1; 1273 #endif /* SO_ATTACH_FILTER */ 1274 1275 return 0; 1276 } 1277 1278 /* 1279 * Set direction flag: Which packets do we accept on a forwarding 1280 * single device? IN, OUT or both? 1281 */ 1282 static int 1283 pcap_setdirection_linux(pcap_t *handle, pcap_direction_t d) 1284 { 1285 #ifdef HAVE_PF_PACKET_SOCKETS 1286 if (!handle->md.sock_packet) { 1287 handle->direction = d; 1288 return 0; 1289 } 1290 #endif 1291 /* 1292 * We're not using PF_PACKET sockets, so we can't determine 1293 * the direction of the packet. 1294 */ 1295 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1296 "Setting direction is not supported on SOCK_PACKET sockets"); 1297 return -1; 1298 } 1299 1300 1301 #ifdef HAVE_PF_PACKET_SOCKETS 1302 /* 1303 * Map the PACKET_ value to a LINUX_SLL_ value; we 1304 * want the same numerical value to be used in 1305 * the link-layer header even if the numerical values 1306 * for the PACKET_ #defines change, so that programs 1307 * that look at the packet type field will always be 1308 * able to handle DLT_LINUX_SLL captures. 1309 */ 1310 static short int 1311 map_packet_type_to_sll_type(short int sll_pkttype) 1312 { 1313 switch (sll_pkttype) { 1314 1315 case PACKET_HOST: 1316 return htons(LINUX_SLL_HOST); 1317 1318 case PACKET_BROADCAST: 1319 return htons(LINUX_SLL_BROADCAST); 1320 1321 case PACKET_MULTICAST: 1322 return htons(LINUX_SLL_MULTICAST); 1323 1324 case PACKET_OTHERHOST: 1325 return htons(LINUX_SLL_OTHERHOST); 1326 1327 case PACKET_OUTGOING: 1328 return htons(LINUX_SLL_OUTGOING); 1329 1330 default: 1331 return -1; 1332 } 1333 } 1334 #endif 1335 1336 /* 1337 * Linux uses the ARP hardware type to identify the type of an 1338 * interface. pcap uses the DLT_xxx constants for this. This 1339 * function takes a pointer to a "pcap_t", and an ARPHRD_xxx 1340 * constant, as arguments, and sets "handle->linktype" to the 1341 * appropriate DLT_XXX constant and sets "handle->offset" to 1342 * the appropriate value (to make "handle->offset" plus link-layer 1343 * header length be a multiple of 4, so that the link-layer payload 1344 * will be aligned on a 4-byte boundary when capturing packets). 1345 * (If the offset isn't set here, it'll be 0; add code as appropriate 1346 * for cases where it shouldn't be 0.) 1347 * 1348 * If "cooked_ok" is non-zero, we can use DLT_LINUX_SLL and capture 1349 * in cooked mode; otherwise, we can't use cooked mode, so we have 1350 * to pick some type that works in raw mode, or fail. 1351 * 1352 * Sets the link type to -1 if unable to map the type. 1353 */ 1354 static void map_arphrd_to_dlt(pcap_t *handle, int arptype, int cooked_ok) 1355 { 1356 switch (arptype) { 1357 1358 case ARPHRD_ETHER: 1359 /* 1360 * This is (presumably) a real Ethernet capture; give it a 1361 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 1362 * that an application can let you choose it, in case you're 1363 * capturing DOCSIS traffic that a Cisco Cable Modem 1364 * Termination System is putting out onto an Ethernet (it 1365 * doesn't put an Ethernet header onto the wire, it puts raw 1366 * DOCSIS frames out on the wire inside the low-level 1367 * Ethernet framing). 1368 * 1369 * XXX - are there any sorts of "fake Ethernet" that have 1370 * ARPHRD_ETHER but that *shouldn't offer DLT_DOCSIS as 1371 * a Cisco CMTS won't put traffic onto it or get traffic 1372 * bridged onto it? ISDN is handled in "activate_new()", 1373 * as we fall back on cooked mode there; are there any 1374 * others? 1375 */ 1376 handle->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1377 /* 1378 * If that fails, just leave the list empty. 1379 */ 1380 if (handle->dlt_list != NULL) { 1381 handle->dlt_list[0] = DLT_EN10MB; 1382 handle->dlt_list[1] = DLT_DOCSIS; 1383 handle->dlt_count = 2; 1384 } 1385 /* FALLTHROUGH */ 1386 1387 case ARPHRD_METRICOM: 1388 case ARPHRD_LOOPBACK: 1389 handle->linktype = DLT_EN10MB; 1390 handle->offset = 2; 1391 break; 1392 1393 case ARPHRD_EETHER: 1394 handle->linktype = DLT_EN3MB; 1395 break; 1396 1397 case ARPHRD_AX25: 1398 handle->linktype = DLT_AX25_KISS; 1399 break; 1400 1401 case ARPHRD_PRONET: 1402 handle->linktype = DLT_PRONET; 1403 break; 1404 1405 case ARPHRD_CHAOS: 1406 handle->linktype = DLT_CHAOS; 1407 break; 1408 1409 #ifndef ARPHRD_IEEE802_TR 1410 #define ARPHRD_IEEE802_TR 800 /* From Linux 2.4 */ 1411 #endif 1412 case ARPHRD_IEEE802_TR: 1413 case ARPHRD_IEEE802: 1414 handle->linktype = DLT_IEEE802; 1415 handle->offset = 2; 1416 break; 1417 1418 case ARPHRD_ARCNET: 1419 handle->linktype = DLT_ARCNET_LINUX; 1420 break; 1421 1422 #ifndef ARPHRD_FDDI /* From Linux 2.2.13 */ 1423 #define ARPHRD_FDDI 774 1424 #endif 1425 case ARPHRD_FDDI: 1426 handle->linktype = DLT_FDDI; 1427 handle->offset = 3; 1428 break; 1429 1430 #ifndef ARPHRD_ATM /* FIXME: How to #include this? */ 1431 #define ARPHRD_ATM 19 1432 #endif 1433 case ARPHRD_ATM: 1434 /* 1435 * The Classical IP implementation in ATM for Linux 1436 * supports both what RFC 1483 calls "LLC Encapsulation", 1437 * in which each packet has an LLC header, possibly 1438 * with a SNAP header as well, prepended to it, and 1439 * what RFC 1483 calls "VC Based Multiplexing", in which 1440 * different virtual circuits carry different network 1441 * layer protocols, and no header is prepended to packets. 1442 * 1443 * They both have an ARPHRD_ type of ARPHRD_ATM, so 1444 * you can't use the ARPHRD_ type to find out whether 1445 * captured packets will have an LLC header, and, 1446 * while there's a socket ioctl to *set* the encapsulation 1447 * type, there's no ioctl to *get* the encapsulation type. 1448 * 1449 * This means that 1450 * 1451 * programs that dissect Linux Classical IP frames 1452 * would have to check for an LLC header and, 1453 * depending on whether they see one or not, dissect 1454 * the frame as LLC-encapsulated or as raw IP (I 1455 * don't know whether there's any traffic other than 1456 * IP that would show up on the socket, or whether 1457 * there's any support for IPv6 in the Linux 1458 * Classical IP code); 1459 * 1460 * filter expressions would have to compile into 1461 * code that checks for an LLC header and does 1462 * the right thing. 1463 * 1464 * Both of those are a nuisance - and, at least on systems 1465 * that support PF_PACKET sockets, we don't have to put 1466 * up with those nuisances; instead, we can just capture 1467 * in cooked mode. That's what we'll do, if we can. 1468 * Otherwise, we'll just fail. 1469 */ 1470 if (cooked_ok) 1471 handle->linktype = DLT_LINUX_SLL; 1472 else 1473 handle->linktype = -1; 1474 break; 1475 1476 #ifndef ARPHRD_IEEE80211 /* From Linux 2.4.6 */ 1477 #define ARPHRD_IEEE80211 801 1478 #endif 1479 case ARPHRD_IEEE80211: 1480 handle->linktype = DLT_IEEE802_11; 1481 break; 1482 1483 #ifndef ARPHRD_IEEE80211_PRISM /* From Linux 2.4.18 */ 1484 #define ARPHRD_IEEE80211_PRISM 802 1485 #endif 1486 case ARPHRD_IEEE80211_PRISM: 1487 handle->linktype = DLT_PRISM_HEADER; 1488 break; 1489 1490 #ifndef ARPHRD_IEEE80211_RADIOTAP /* new */ 1491 #define ARPHRD_IEEE80211_RADIOTAP 803 1492 #endif 1493 case ARPHRD_IEEE80211_RADIOTAP: 1494 handle->linktype = DLT_IEEE802_11_RADIO; 1495 break; 1496 1497 case ARPHRD_PPP: 1498 /* 1499 * Some PPP code in the kernel supplies no link-layer 1500 * header whatsoever to PF_PACKET sockets; other PPP 1501 * code supplies PPP link-layer headers ("syncppp.c"); 1502 * some PPP code might supply random link-layer 1503 * headers (PPP over ISDN - there's code in Ethereal, 1504 * for example, to cope with PPP-over-ISDN captures 1505 * with which the Ethereal developers have had to cope, 1506 * heuristically trying to determine which of the 1507 * oddball link-layer headers particular packets have). 1508 * 1509 * As such, we just punt, and run all PPP interfaces 1510 * in cooked mode, if we can; otherwise, we just treat 1511 * it as DLT_RAW, for now - if somebody needs to capture, 1512 * on a 2.0[.x] kernel, on PPP devices that supply a 1513 * link-layer header, they'll have to add code here to 1514 * map to the appropriate DLT_ type (possibly adding a 1515 * new DLT_ type, if necessary). 1516 */ 1517 if (cooked_ok) 1518 handle->linktype = DLT_LINUX_SLL; 1519 else { 1520 /* 1521 * XXX - handle ISDN types here? We can't fall 1522 * back on cooked sockets, so we'd have to 1523 * figure out from the device name what type of 1524 * link-layer encapsulation it's using, and map 1525 * that to an appropriate DLT_ value, meaning 1526 * we'd map "isdnN" devices to DLT_RAW (they 1527 * supply raw IP packets with no link-layer 1528 * header) and "isdY" devices to a new DLT_I4L_IP 1529 * type that has only an Ethernet packet type as 1530 * a link-layer header. 1531 * 1532 * But sometimes we seem to get random crap 1533 * in the link-layer header when capturing on 1534 * ISDN devices.... 1535 */ 1536 handle->linktype = DLT_RAW; 1537 } 1538 break; 1539 1540 #ifndef ARPHRD_CISCO 1541 #define ARPHRD_CISCO 513 /* previously ARPHRD_HDLC */ 1542 #endif 1543 case ARPHRD_CISCO: 1544 handle->linktype = DLT_C_HDLC; 1545 break; 1546 1547 /* Not sure if this is correct for all tunnels, but it 1548 * works for CIPE */ 1549 case ARPHRD_TUNNEL: 1550 #ifndef ARPHRD_SIT 1551 #define ARPHRD_SIT 776 /* From Linux 2.2.13 */ 1552 #endif 1553 case ARPHRD_SIT: 1554 case ARPHRD_CSLIP: 1555 case ARPHRD_SLIP6: 1556 case ARPHRD_CSLIP6: 1557 case ARPHRD_ADAPT: 1558 case ARPHRD_SLIP: 1559 #ifndef ARPHRD_RAWHDLC 1560 #define ARPHRD_RAWHDLC 518 1561 #endif 1562 case ARPHRD_RAWHDLC: 1563 #ifndef ARPHRD_DLCI 1564 #define ARPHRD_DLCI 15 1565 #endif 1566 case ARPHRD_DLCI: 1567 /* 1568 * XXX - should some of those be mapped to DLT_LINUX_SLL 1569 * instead? Should we just map all of them to DLT_LINUX_SLL? 1570 */ 1571 handle->linktype = DLT_RAW; 1572 break; 1573 1574 #ifndef ARPHRD_FRAD 1575 #define ARPHRD_FRAD 770 1576 #endif 1577 case ARPHRD_FRAD: 1578 handle->linktype = DLT_FRELAY; 1579 break; 1580 1581 case ARPHRD_LOCALTLK: 1582 handle->linktype = DLT_LTALK; 1583 break; 1584 1585 #ifndef ARPHRD_FCPP 1586 #define ARPHRD_FCPP 784 1587 #endif 1588 case ARPHRD_FCPP: 1589 #ifndef ARPHRD_FCAL 1590 #define ARPHRD_FCAL 785 1591 #endif 1592 case ARPHRD_FCAL: 1593 #ifndef ARPHRD_FCPL 1594 #define ARPHRD_FCPL 786 1595 #endif 1596 case ARPHRD_FCPL: 1597 #ifndef ARPHRD_FCFABRIC 1598 #define ARPHRD_FCFABRIC 787 1599 #endif 1600 case ARPHRD_FCFABRIC: 1601 /* 1602 * We assume that those all mean RFC 2625 IP-over- 1603 * Fibre Channel, with the RFC 2625 header at 1604 * the beginning of the packet. 1605 */ 1606 handle->linktype = DLT_IP_OVER_FC; 1607 break; 1608 1609 #ifndef ARPHRD_IRDA 1610 #define ARPHRD_IRDA 783 1611 #endif 1612 case ARPHRD_IRDA: 1613 /* Don't expect IP packet out of this interfaces... */ 1614 handle->linktype = DLT_LINUX_IRDA; 1615 /* We need to save packet direction for IrDA decoding, 1616 * so let's use "Linux-cooked" mode. Jean II */ 1617 //handle->md.cooked = 1; 1618 break; 1619 1620 /* ARPHRD_LAPD is unofficial and randomly allocated, if reallocation 1621 * is needed, please report it to <daniele@orlandi.com> */ 1622 #ifndef ARPHRD_LAPD 1623 #define ARPHRD_LAPD 8445 1624 #endif 1625 case ARPHRD_LAPD: 1626 /* Don't expect IP packet out of this interfaces... */ 1627 handle->linktype = DLT_LINUX_LAPD; 1628 break; 1629 1630 #ifndef ARPHRD_NONE 1631 #define ARPHRD_NONE 0xFFFE 1632 #endif 1633 case ARPHRD_NONE: 1634 /* 1635 * No link-layer header; packets are just IP 1636 * packets, so use DLT_RAW. 1637 */ 1638 handle->linktype = DLT_RAW; 1639 break; 1640 1641 default: 1642 handle->linktype = -1; 1643 break; 1644 } 1645 } 1646 1647 /* ===== Functions to interface to the newer kernels ================== */ 1648 1649 /* 1650 * Try to open a packet socket using the new kernel PF_PACKET interface. 1651 * Returns 1 on success, 0 on an error that means the new interface isn't 1652 * present (so the old SOCK_PACKET interface should be tried), and a 1653 * PCAP_ERROR_ value on an error that means that the old mechanism won't 1654 * work either (so it shouldn't be tried). 1655 */ 1656 static int 1657 activate_new(pcap_t *handle) 1658 { 1659 #ifdef HAVE_PF_PACKET_SOCKETS 1660 int sock_fd = -1, arptype, val; 1661 int err = 0; 1662 struct packet_mreq mr; 1663 const char* device = handle->opt.source; 1664 1665 /* 1666 * Open a socket with protocol family packet. If a device is 1667 * given we try to open it in raw mode otherwise we use 1668 * the cooked interface. 1669 */ 1670 sock_fd = device ? 1671 socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) 1672 : socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); 1673 1674 if (sock_fd == -1) { 1675 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "socket: %s", 1676 pcap_strerror(errno) ); 1677 return 0; /* try old mechanism */ 1678 } 1679 1680 /* It seems the kernel supports the new interface. */ 1681 handle->md.sock_packet = 0; 1682 1683 /* 1684 * Get the interface index of the loopback device. 1685 * If the attempt fails, don't fail, just set the 1686 * "md.lo_ifindex" to -1. 1687 * 1688 * XXX - can there be more than one device that loops 1689 * packets back, i.e. devices other than "lo"? If so, 1690 * we'd need to find them all, and have an array of 1691 * indices for them, and check all of them in 1692 * "pcap_read_packet()". 1693 */ 1694 handle->md.lo_ifindex = iface_get_id(sock_fd, "lo", handle->errbuf); 1695 1696 /* 1697 * Default value for offset to align link-layer payload 1698 * on a 4-byte boundary. 1699 */ 1700 handle->offset = 0; 1701 1702 /* 1703 * What kind of frames do we have to deal with? Fall back 1704 * to cooked mode if we have an unknown interface type 1705 * or a type we know doesn't work well in raw mode. 1706 */ 1707 if (device) { 1708 /* Assume for now we don't need cooked mode. */ 1709 handle->md.cooked = 0; 1710 1711 if (handle->opt.rfmon) { 1712 /* 1713 * We were asked to turn on monitor mode. 1714 * Do so before we get the link-layer type, 1715 * because entering monitor mode could change 1716 * the link-layer type. 1717 */ 1718 err = enter_rfmon_mode_wext(handle, sock_fd, device); 1719 if (err < 0) { 1720 /* Hard failure */ 1721 close(sock_fd); 1722 return err; 1723 } 1724 if (err == 0) { 1725 /* 1726 * Nothing worked for turning monitor mode 1727 * on. 1728 */ 1729 close(sock_fd); 1730 return PCAP_ERROR_RFMON_NOTSUP; 1731 } 1732 } 1733 arptype = iface_get_arptype(sock_fd, device, handle->errbuf); 1734 if (arptype < 0) { 1735 close(sock_fd); 1736 return arptype; 1737 } 1738 map_arphrd_to_dlt(handle, arptype, 1); 1739 if (handle->linktype == -1 || 1740 handle->linktype == DLT_LINUX_SLL || 1741 handle->linktype == DLT_LINUX_IRDA || 1742 handle->linktype == DLT_LINUX_LAPD || 1743 (handle->linktype == DLT_EN10MB && 1744 (strncmp("isdn", device, 4) == 0 || 1745 strncmp("isdY", device, 4) == 0))) { 1746 /* 1747 * Unknown interface type (-1), or a 1748 * device we explicitly chose to run 1749 * in cooked mode (e.g., PPP devices), 1750 * or an ISDN device (whose link-layer 1751 * type we can only determine by using 1752 * APIs that may be different on different 1753 * kernels) - reopen in cooked mode. 1754 */ 1755 if (close(sock_fd) == -1) { 1756 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1757 "close: %s", pcap_strerror(errno)); 1758 return PCAP_ERROR; 1759 } 1760 sock_fd = socket(PF_PACKET, SOCK_DGRAM, 1761 htons(ETH_P_ALL)); 1762 if (sock_fd == -1) { 1763 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1764 "socket: %s", pcap_strerror(errno)); 1765 return PCAP_ERROR; 1766 } 1767 handle->md.cooked = 1; 1768 1769 /* 1770 * Get rid of any link-layer type list 1771 * we allocated - this only supports cooked 1772 * capture. 1773 */ 1774 if (handle->dlt_list != NULL) { 1775 free(handle->dlt_list); 1776 handle->dlt_list = NULL; 1777 handle->dlt_count = 0; 1778 } 1779 1780 if (handle->linktype == -1) { 1781 /* 1782 * Warn that we're falling back on 1783 * cooked mode; we may want to 1784 * update "map_arphrd_to_dlt()" 1785 * to handle the new type. 1786 */ 1787 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1788 "arptype %d not " 1789 "supported by libpcap - " 1790 "falling back to cooked " 1791 "socket", 1792 arptype); 1793 } 1794 1795 /* 1796 * IrDA capture is not a real "cooked" capture, 1797 * it's IrLAP frames, not IP packets. The 1798 * same applies to LAPD capture. 1799 */ 1800 if (handle->linktype != DLT_LINUX_IRDA && 1801 handle->linktype != DLT_LINUX_LAPD) 1802 handle->linktype = DLT_LINUX_SLL; 1803 } 1804 1805 handle->md.ifindex = iface_get_id(sock_fd, device, 1806 handle->errbuf); 1807 if (handle->md.ifindex == -1) { 1808 close(sock_fd); 1809 return PCAP_ERROR; 1810 } 1811 1812 if ((err = iface_bind(sock_fd, handle->md.ifindex, 1813 handle->errbuf)) != 1) { 1814 close(sock_fd); 1815 if (err < 0) 1816 return err; 1817 else 1818 return 0; /* try old mechanism */ 1819 } 1820 } else { 1821 /* 1822 * This is cooked mode. 1823 */ 1824 handle->md.cooked = 1; 1825 handle->linktype = DLT_LINUX_SLL; 1826 1827 /* 1828 * We're not bound to a device. 1829 * XXX - true? Or true only if we're using 1830 * the "any" device? 1831 * For now, we're using this as an indication 1832 * that we can't transmit; stop doing that only 1833 * if we figure out how to transmit in cooked 1834 * mode. 1835 */ 1836 handle->md.ifindex = -1; 1837 } 1838 1839 /* 1840 * Select promiscuous mode on if "promisc" is set. 1841 * 1842 * Do not turn allmulti mode on if we don't select 1843 * promiscuous mode - on some devices (e.g., Orinoco 1844 * wireless interfaces), allmulti mode isn't supported 1845 * and the driver implements it by turning promiscuous 1846 * mode on, and that screws up the operation of the 1847 * card as a normal networking interface, and on no 1848 * other platform I know of does starting a non- 1849 * promiscuous capture affect which multicast packets 1850 * are received by the interface. 1851 */ 1852 1853 /* 1854 * Hmm, how can we set promiscuous mode on all interfaces? 1855 * I am not sure if that is possible at all. 1856 */ 1857 1858 if (device && handle->opt.promisc) { 1859 memset(&mr, 0, sizeof(mr)); 1860 mr.mr_ifindex = handle->md.ifindex; 1861 mr.mr_type = PACKET_MR_PROMISC; 1862 if (setsockopt(sock_fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, 1863 &mr, sizeof(mr)) == -1) { 1864 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1865 "setsockopt: %s", pcap_strerror(errno)); 1866 close(sock_fd); 1867 return PCAP_ERROR; 1868 } 1869 } 1870 1871 /* Enable auxillary data if supported and reserve room for 1872 * reconstructing VLAN headers. */ 1873 #ifdef HAVE_PACKET_AUXDATA 1874 val = 1; 1875 if (setsockopt(sock_fd, SOL_PACKET, PACKET_AUXDATA, &val, 1876 sizeof(val)) == -1 && errno != ENOPROTOOPT) { 1877 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1878 "setsockopt: %s", pcap_strerror(errno)); 1879 close(sock_fd); 1880 return PCAP_ERROR; 1881 } 1882 handle->offset += VLAN_TAG_LEN; 1883 #endif /* HAVE_PACKET_AUXDATA */ 1884 1885 /* 1886 * This is a 2.2[.x] or later kernel (we know that 1887 * because we're not using a SOCK_PACKET socket - 1888 * PF_PACKET is supported only in 2.2 and later 1889 * kernels). 1890 * 1891 * We can safely pass "recvfrom()" a byte count 1892 * based on the snapshot length. 1893 * 1894 * If we're in cooked mode, make the snapshot length 1895 * large enough to hold a "cooked mode" header plus 1896 * 1 byte of packet data (so we don't pass a byte 1897 * count of 0 to "recvfrom()"). 1898 */ 1899 if (handle->md.cooked) { 1900 if (handle->snapshot < SLL_HDR_LEN + 1) 1901 handle->snapshot = SLL_HDR_LEN + 1; 1902 } 1903 handle->bufsize = handle->snapshot; 1904 1905 /* Save the socket FD in the pcap structure */ 1906 handle->fd = sock_fd; 1907 1908 return 1; 1909 #else 1910 strncpy(ebuf, 1911 "New packet capturing interface not supported by build " 1912 "environment", PCAP_ERRBUF_SIZE); 1913 return 0; 1914 #endif 1915 } 1916 1917 static int 1918 activate_mmap(pcap_t *handle) 1919 { 1920 #ifdef HAVE_PACKET_RING 1921 int ret; 1922 1923 if (handle->opt.buffer_size == 0) { 1924 /* by default request 2M for the ring buffer */ 1925 handle->opt.buffer_size = 2*1024*1024; 1926 } 1927 ret = prepare_tpacket_socket(handle); 1928 if (ret == 0) 1929 return ret; 1930 ret = create_ring(handle); 1931 if (ret == 0) 1932 return ret; 1933 1934 /* override some defaults and inherit the other fields from 1935 * activate_new 1936 * handle->offset is used to get the current position into the rx ring 1937 * handle->cc is used to store the ring size */ 1938 handle->read_op = pcap_read_linux_mmap; 1939 handle->cleanup_op = pcap_cleanup_linux_mmap; 1940 handle->setfilter_op = pcap_setfilter_linux_mmap; 1941 handle->setnonblock_op = pcap_setnonblock_mmap; 1942 handle->getnonblock_op = pcap_getnonblock_mmap; 1943 handle->selectable_fd = handle->fd; 1944 return 1; 1945 #else /* HAVE_PACKET_RING */ 1946 return 0; 1947 #endif /* HAVE_PACKET_RING */ 1948 } 1949 1950 #ifdef HAVE_PACKET_RING 1951 static int 1952 prepare_tpacket_socket(pcap_t *handle) 1953 { 1954 #ifdef HAVE_TPACKET2 1955 socklen_t len; 1956 int val; 1957 #endif 1958 1959 handle->md.tp_version = TPACKET_V1; 1960 handle->md.tp_hdrlen = sizeof(struct tpacket_hdr); 1961 1962 #ifdef HAVE_TPACKET2 1963 /* Probe whether kernel supports TPACKET_V2 */ 1964 val = TPACKET_V2; 1965 len = sizeof(val); 1966 if (getsockopt(handle->fd, SOL_PACKET, PACKET_HDRLEN, &val, &len) < 0) { 1967 if (errno == ENOPROTOOPT) 1968 return 1; 1969 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1970 "can't get TPACKET_V2 header len on socket %d: %d-%s", 1971 handle->fd, errno, pcap_strerror(errno)); 1972 return 0; 1973 } 1974 handle->md.tp_hdrlen = val; 1975 1976 val = TPACKET_V2; 1977 if (setsockopt(handle->fd, SOL_PACKET, PACKET_VERSION, &val, 1978 sizeof(val)) < 0) { 1979 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1980 "can't activate TPACKET_V2 on socket %d: %d-%s", 1981 handle->fd, errno, pcap_strerror(errno)); 1982 return 0; 1983 } 1984 handle->md.tp_version = TPACKET_V2; 1985 1986 /* Reserve space for VLAN tag reconstruction */ 1987 val = VLAN_TAG_LEN; 1988 if (setsockopt(handle->fd, SOL_PACKET, PACKET_RESERVE, &val, 1989 sizeof(val)) < 0) { 1990 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 1991 "can't set up reserve on socket %d: %d-%s", 1992 handle->fd, errno, pcap_strerror(errno)); 1993 return 0; 1994 } 1995 1996 #endif /* HAVE_TPACKET2 */ 1997 return 1; 1998 } 1999 2000 static void 2001 compute_ring_block(int frame_size, unsigned *block_size, unsigned *frames_per_block) 2002 { 2003 /* compute the minumum block size that will handle this frame. 2004 * The block has to be page size aligned. 2005 * The max block size allowed by the kernel is arch-dependent and 2006 * it's not explicitly checked here. */ 2007 *block_size = getpagesize(); 2008 while (*block_size < frame_size) 2009 *block_size <<= 1; 2010 2011 *frames_per_block = *block_size/frame_size; 2012 } 2013 2014 static int 2015 create_ring(pcap_t *handle) 2016 { 2017 unsigned i, j, ringsize, frames_per_block; 2018 struct tpacket_req req; 2019 2020 /* Note that with large snapshot (say 64K) only a few frames 2021 * will be available in the ring even with pretty large ring size 2022 * (and a lot of memory will be unused). 2023 * The snap len should be carefully chosen to achive best 2024 * performance */ 2025 req.tp_frame_size = TPACKET_ALIGN(handle->snapshot + 2026 TPACKET_ALIGN(handle->md.tp_hdrlen) + 2027 sizeof(struct sockaddr_ll)); 2028 req.tp_frame_nr = handle->opt.buffer_size/req.tp_frame_size; 2029 compute_ring_block(req.tp_frame_size, &req.tp_block_size, &frames_per_block); 2030 req.tp_block_nr = req.tp_frame_nr / frames_per_block; 2031 2032 /* req.tp_frame_nr is requested to match frames_per_block*req.tp_block_nr */ 2033 req.tp_frame_nr = req.tp_block_nr * frames_per_block; 2034 2035 /* ask the kernel to create the ring */ 2036 retry: 2037 if (setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, 2038 (void *) &req, sizeof(req))) { 2039 /* try to reduce requested ring size to prevent memory failure */ 2040 if ((errno == ENOMEM) && (req.tp_block_nr > 1)) { 2041 req.tp_frame_nr >>= 1; 2042 req.tp_block_nr = req.tp_frame_nr/frames_per_block; 2043 goto retry; 2044 } 2045 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "can't create rx ring on " 2046 "packet socket %d: %d-%s", handle->fd, errno, 2047 pcap_strerror(errno)); 2048 return 0; 2049 } 2050 2051 /* memory map the rx ring */ 2052 ringsize = req.tp_block_nr * req.tp_block_size; 2053 handle->bp = mmap(0, ringsize, PROT_READ| PROT_WRITE, MAP_SHARED, 2054 handle->fd, 0); 2055 if (handle->bp == MAP_FAILED) { 2056 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, "can't mmap rx ring: %d-%s", 2057 errno, pcap_strerror(errno)); 2058 2059 /* clear the allocated ring on error*/ 2060 destroy_ring(handle); 2061 return 0; 2062 } 2063 2064 /* allocate a ring for each frame header pointer*/ 2065 handle->cc = req.tp_frame_nr; 2066 handle->buffer = malloc(handle->cc * sizeof(union thdr *)); 2067 if (!handle->buffer) { 2068 destroy_ring(handle); 2069 return 0; 2070 } 2071 2072 /* fill the header ring with proper frame ptr*/ 2073 handle->offset = 0; 2074 for (i=0; i<req.tp_block_nr; ++i) { 2075 void *base = &handle->bp[i*req.tp_block_size]; 2076 for (j=0; j<frames_per_block; ++j, ++handle->offset) { 2077 RING_GET_FRAME(handle) = base; 2078 base += req.tp_frame_size; 2079 } 2080 } 2081 2082 handle->bufsize = req.tp_frame_size; 2083 handle->offset = 0; 2084 return 1; 2085 } 2086 2087 /* free all ring related resources*/ 2088 static void 2089 destroy_ring(pcap_t *handle) 2090 { 2091 /* tell the kernel to destroy the ring*/ 2092 struct tpacket_req req; 2093 memset(&req, 0, sizeof(req)); 2094 setsockopt(handle->fd, SOL_PACKET, PACKET_RX_RING, 2095 (void *) &req, sizeof(req)); 2096 2097 /* if ring is mapped, unmap it*/ 2098 if (handle->bp) { 2099 /* need to re-compute the ring size */ 2100 unsigned frames_per_block, block_size; 2101 compute_ring_block(handle->bufsize, &block_size, &frames_per_block); 2102 2103 /* do not perform sanity check here: we can't recover any error */ 2104 munmap(handle->bp, block_size * handle->cc / frames_per_block); 2105 handle->bp = 0; 2106 } 2107 } 2108 2109 static void 2110 pcap_cleanup_linux_mmap( pcap_t *handle ) 2111 { 2112 destroy_ring(handle); 2113 pcap_cleanup_linux(handle); 2114 } 2115 2116 2117 static int 2118 pcap_getnonblock_mmap(pcap_t *p, char *errbuf) 2119 { 2120 /* use negative value of timeout to indicate non blocking ops */ 2121 return (p->md.timeout<0); 2122 } 2123 2124 static int 2125 pcap_setnonblock_mmap(pcap_t *p, int nonblock, char *errbuf) 2126 { 2127 /* map each value to the corresponding 2's complement, to 2128 * preserve the timeout value provided with pcap_set_timeout */ 2129 if (nonblock) { 2130 if (p->md.timeout > 0) 2131 p->md.timeout = p->md.timeout*-1 - 1; 2132 } else 2133 if (p->md.timeout < 0) 2134 p->md.timeout = (p->md.timeout+1)*-1; 2135 return 0; 2136 } 2137 2138 static inline union thdr * 2139 pcap_get_ring_frame(pcap_t *handle, int status) 2140 { 2141 union thdr h; 2142 2143 h.raw = RING_GET_FRAME(handle); 2144 switch (handle->md.tp_version) { 2145 case TPACKET_V1: 2146 if (status != (h.h1->tp_status ? TP_STATUS_USER : 2147 TP_STATUS_KERNEL)) 2148 return NULL; 2149 break; 2150 #ifdef HAVE_TPACKET2 2151 case TPACKET_V2: 2152 if (status != (h.h2->tp_status ? TP_STATUS_USER : 2153 TP_STATUS_KERNEL)) 2154 return NULL; 2155 break; 2156 #endif 2157 } 2158 return h.raw; 2159 } 2160 2161 static int 2162 pcap_read_linux_mmap(pcap_t *handle, int max_packets, pcap_handler callback, 2163 u_char *user) 2164 { 2165 int pkts = 0; 2166 2167 /* wait for frames availability.*/ 2168 if ((handle->md.timeout >= 0) && 2169 !pcap_get_ring_frame(handle, TP_STATUS_USER)) { 2170 struct pollfd pollinfo; 2171 int ret; 2172 2173 pollinfo.fd = handle->fd; 2174 pollinfo.events = POLLIN; 2175 2176 do { 2177 /* poll() requires a negative timeout to wait forever */ 2178 ret = poll(&pollinfo, 1, (handle->md.timeout > 0)? 2179 handle->md.timeout: -1); 2180 if ((ret < 0) && (errno != EINTR)) { 2181 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2182 "can't poll on packet socket fd %d: %d-%s", 2183 handle->fd, errno, pcap_strerror(errno)); 2184 return -1; 2185 } 2186 /* check for break loop condition on interrupted syscall*/ 2187 if (handle->break_loop) { 2188 handle->break_loop = 0; 2189 return -2; 2190 } 2191 } while (ret < 0); 2192 } 2193 2194 /* non-positive values of max_packets are used to require all 2195 * packets currently available in the ring */ 2196 while ((pkts < max_packets) || (max_packets <= 0)) { 2197 int run_bpf; 2198 struct sockaddr_ll *sll; 2199 struct pcap_pkthdr pcaphdr; 2200 unsigned char *bp; 2201 union thdr h; 2202 unsigned int tp_len; 2203 unsigned int tp_mac; 2204 unsigned int tp_snaplen; 2205 unsigned int tp_sec; 2206 unsigned int tp_usec; 2207 2208 h.raw = pcap_get_ring_frame(handle, TP_STATUS_USER); 2209 if (!h.raw) 2210 break; 2211 2212 switch (handle->md.tp_version) { 2213 case TPACKET_V1: 2214 tp_len = h.h1->tp_len; 2215 tp_mac = h.h1->tp_mac; 2216 tp_snaplen = h.h1->tp_snaplen; 2217 tp_sec = h.h1->tp_sec; 2218 tp_usec = h.h1->tp_usec; 2219 break; 2220 #ifdef HAVE_TPACKET2 2221 case TPACKET_V2: 2222 tp_len = h.h2->tp_len; 2223 tp_mac = h.h2->tp_mac; 2224 tp_snaplen = h.h2->tp_snaplen; 2225 tp_sec = h.h2->tp_sec; 2226 tp_usec = h.h2->tp_nsec / 1000; 2227 break; 2228 #endif 2229 default: 2230 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2231 "unsupported tpacket version %d", 2232 handle->md.tp_version); 2233 return -1; 2234 } 2235 /* perform sanity check on internal offset. */ 2236 if (tp_mac + tp_snaplen > handle->bufsize) { 2237 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2238 "corrupted frame on kernel ring mac " 2239 "offset %d + caplen %d > frame len %d", 2240 tp_mac, tp_snaplen, handle->bufsize); 2241 return -1; 2242 } 2243 2244 /* run filter on received packet 2245 * If the kernel filtering is enabled we need to run the 2246 * filter until all the frames present into the ring 2247 * at filter creation time are processed. 2248 * In such case md.use_bpf is used as a counter for the 2249 * packet we need to filter. 2250 * Note: alternatively it could be possible to stop applying 2251 * the filter when the ring became empty, but it can possibly 2252 * happen a lot later... */ 2253 bp = (unsigned char*)h.raw + tp_mac; 2254 run_bpf = (!handle->md.use_bpf) || 2255 ((handle->md.use_bpf>1) && handle->md.use_bpf--); 2256 if (run_bpf && handle->fcode.bf_insns && 2257 (bpf_filter(handle->fcode.bf_insns, bp, 2258 tp_len, tp_snaplen) == 0)) 2259 goto skip; 2260 2261 /* check direction and interface index */ 2262 sll = (void *)h.raw + TPACKET_ALIGN(handle->md.tp_hdrlen); 2263 if ((sll->sll_ifindex == handle->md.lo_ifindex) && 2264 (sll->sll_pkttype == PACKET_OUTGOING)) 2265 goto skip; 2266 2267 /* get required packet info from ring header */ 2268 pcaphdr.ts.tv_sec = tp_sec; 2269 pcaphdr.ts.tv_usec = tp_usec; 2270 pcaphdr.caplen = tp_snaplen; 2271 pcaphdr.len = tp_len; 2272 2273 /* if required build in place the sll header*/ 2274 if (handle->md.cooked) { 2275 struct sll_header *hdrp; 2276 2277 /* 2278 * The kernel should have left us with enough 2279 * space for an sll header; back up the packet 2280 * data pointer into that space, as that'll be 2281 * the beginning of the packet we pass to the 2282 * callback. 2283 */ 2284 bp -= SLL_HDR_LEN; 2285 2286 /* 2287 * Let's make sure that's past the end of 2288 * the tpacket header, i.e. >= 2289 * ((u_char *)thdr + TPACKET_HDRLEN), so we 2290 * don't step on the header when we construct 2291 * the sll header. 2292 */ 2293 if (bp < (u_char *)h.raw + 2294 TPACKET_ALIGN(handle->md.tp_hdrlen) + 2295 sizeof(struct sockaddr_ll)) { 2296 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2297 "cooked-mode frame doesn't have room for sll header"); 2298 return -1; 2299 } 2300 2301 /* 2302 * OK, that worked; construct the sll header. 2303 */ 2304 hdrp = (struct sll_header *)bp; 2305 hdrp->sll_pkttype = map_packet_type_to_sll_type( 2306 sll->sll_pkttype); 2307 hdrp->sll_hatype = htons(sll->sll_hatype); 2308 hdrp->sll_halen = htons(sll->sll_halen); 2309 memcpy(hdrp->sll_addr, sll->sll_addr, SLL_ADDRLEN); 2310 hdrp->sll_protocol = sll->sll_protocol; 2311 2312 /* update packet len */ 2313 pcaphdr.caplen += SLL_HDR_LEN; 2314 pcaphdr.len += SLL_HDR_LEN; 2315 } 2316 2317 #ifdef HAVE_TPACKET2 2318 if (handle->md.tp_version == TPACKET_V2 && h.h2->tp_vlan_tci && 2319 tp_snaplen >= 2 * ETH_ALEN) { 2320 struct vlan_tag *tag; 2321 2322 bp -= VLAN_TAG_LEN; 2323 memmove(bp, bp + VLAN_TAG_LEN, 2 * ETH_ALEN); 2324 2325 tag = (struct vlan_tag *)(bp + 2 * ETH_ALEN); 2326 tag->vlan_tpid = htons(ETH_P_8021Q); 2327 tag->vlan_tci = htons(h.h2->tp_vlan_tci); 2328 2329 pcaphdr.caplen += VLAN_TAG_LEN; 2330 pcaphdr.len += VLAN_TAG_LEN; 2331 } 2332 #endif 2333 2334 /* pass the packet to the user */ 2335 pkts++; 2336 callback(user, &pcaphdr, bp); 2337 handle->md.packets_read++; 2338 2339 skip: 2340 /* next packet */ 2341 switch (handle->md.tp_version) { 2342 case TPACKET_V1: 2343 h.h1->tp_status = TP_STATUS_KERNEL; 2344 break; 2345 #ifdef HAVE_TPACKET2 2346 case TPACKET_V2: 2347 h.h2->tp_status = TP_STATUS_KERNEL; 2348 break; 2349 #endif 2350 } 2351 if (++handle->offset >= handle->cc) 2352 handle->offset = 0; 2353 2354 /* check for break loop condition*/ 2355 if (handle->break_loop) { 2356 handle->break_loop = 0; 2357 return -2; 2358 } 2359 } 2360 return pkts; 2361 } 2362 2363 static int 2364 pcap_setfilter_linux_mmap(pcap_t *handle, struct bpf_program *filter) 2365 { 2366 int n, offset; 2367 int ret = pcap_setfilter_linux(handle, filter); 2368 if (ret < 0) 2369 return ret; 2370 2371 /* if the kernel filter is enabled, we need to apply the filter on 2372 * all packets present into the ring. Get an upper bound of their number 2373 */ 2374 if (!handle->md.use_bpf) 2375 return ret; 2376 2377 /* walk the ring backward and count the free slot */ 2378 offset = handle->offset; 2379 if (--handle->offset < 0) 2380 handle->offset = handle->cc - 1; 2381 for (n=0; n < handle->cc; ++n) { 2382 if (--handle->offset < 0) 2383 handle->offset = handle->cc - 1; 2384 if (!pcap_get_ring_frame(handle, TP_STATUS_KERNEL)) 2385 break; 2386 } 2387 2388 /* be careful to not change current ring position */ 2389 handle->offset = offset; 2390 2391 /* store the number of packets currently present in the ring */ 2392 handle->md.use_bpf = 1 + (handle->cc - n); 2393 return ret; 2394 } 2395 2396 #endif /* HAVE_PACKET_RING */ 2397 2398 2399 #ifdef HAVE_PF_PACKET_SOCKETS 2400 /* 2401 * Return the index of the given device name. Fill ebuf and return 2402 * -1 on failure. 2403 */ 2404 static int 2405 iface_get_id(int fd, const char *device, char *ebuf) 2406 { 2407 struct ifreq ifr; 2408 2409 memset(&ifr, 0, sizeof(ifr)); 2410 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 2411 2412 if (ioctl(fd, SIOCGIFINDEX, &ifr) == -1) { 2413 snprintf(ebuf, PCAP_ERRBUF_SIZE, 2414 "SIOCGIFINDEX: %s", pcap_strerror(errno)); 2415 return -1; 2416 } 2417 2418 return ifr.ifr_ifindex; 2419 } 2420 2421 /* 2422 * Bind the socket associated with FD to the given device. 2423 * Return 1 on success, 0 if we should try a SOCK_PACKET socket, 2424 * or a PCAP_ERROR_ value on a hard error. 2425 */ 2426 static int 2427 iface_bind(int fd, int ifindex, char *ebuf) 2428 { 2429 struct sockaddr_ll sll; 2430 int err; 2431 socklen_t errlen = sizeof(err); 2432 2433 memset(&sll, 0, sizeof(sll)); 2434 sll.sll_family = AF_PACKET; 2435 sll.sll_ifindex = ifindex; 2436 sll.sll_protocol = htons(ETH_P_ALL); 2437 2438 if (bind(fd, (struct sockaddr *) &sll, sizeof(sll)) == -1) { 2439 if (errno == ENETDOWN) { 2440 /* 2441 * Return a "network down" indication, so that 2442 * the application can report that rather than 2443 * saying we had a mysterious failure and 2444 * suggest that they report a problem to the 2445 * libpcap developers. 2446 */ 2447 return PCAP_ERROR_IFACE_NOT_UP; 2448 } else { 2449 snprintf(ebuf, PCAP_ERRBUF_SIZE, 2450 "bind: %s", pcap_strerror(errno)); 2451 return PCAP_ERROR; 2452 } 2453 } 2454 2455 /* Any pending errors, e.g., network is down? */ 2456 2457 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 2458 snprintf(ebuf, PCAP_ERRBUF_SIZE, 2459 "getsockopt: %s", pcap_strerror(errno)); 2460 return 0; 2461 } 2462 2463 if (err == ENETDOWN) { 2464 /* 2465 * Return a "network down" indication, so that 2466 * the application can report that rather than 2467 * saying we had a mysterious failure and 2468 * suggest that they report a problem to the 2469 * libpcap developers. 2470 */ 2471 return PCAP_ERROR_IFACE_NOT_UP; 2472 } else if (err > 0) { 2473 snprintf(ebuf, PCAP_ERRBUF_SIZE, 2474 "bind: %s", pcap_strerror(err)); 2475 return 0; 2476 } 2477 2478 return 1; 2479 } 2480 2481 /* 2482 * Check whether the device supports the Wireless Extensions. 2483 * Returns 1 if it does, 0 if it doesn't, PCAP_ERROR_NO_SUCH_DEVICE 2484 * if the device doesn't even exist. 2485 */ 2486 static int 2487 has_wext(int sock_fd, const char *device, char *ebuf) 2488 { 2489 #ifdef IW_MODE_MONITOR 2490 struct iwreq ireq; 2491 2492 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2493 sizeof ireq.ifr_ifrn.ifrn_name); 2494 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2495 if (ioctl(sock_fd, SIOCGIWNAME, &ireq) >= 0) 2496 return 1; /* yes */ 2497 snprintf(ebuf, PCAP_ERRBUF_SIZE, 2498 "%s: SIOCGIWPRIV: %s", device, pcap_strerror(errno)); 2499 if (errno == ENODEV) 2500 return PCAP_ERROR_NO_SUCH_DEVICE; 2501 #endif 2502 return 0; 2503 } 2504 2505 /* 2506 * Per me si va ne la citta dolente, 2507 * Per me si va ne l'etterno dolore, 2508 * ... 2509 * Lasciate ogne speranza, voi ch'intrate. 2510 * 2511 * XXX - airmon-ng does special stuff with the Orinoco driver and the 2512 * wlan-ng driver. 2513 */ 2514 typedef enum { 2515 MONITOR_WEXT, 2516 MONITOR_HOSTAP, 2517 MONITOR_PRISM, 2518 MONITOR_PRISM54, 2519 MONITOR_ACX100, 2520 MONITOR_RT2500, 2521 MONITOR_RT2570, 2522 MONITOR_RT73, 2523 MONITOR_RTL8XXX 2524 } monitor_type; 2525 2526 /* 2527 * Use the Wireless Extensions, if we have them, to try to turn monitor mode 2528 * on if it's not already on. 2529 * 2530 * Returns 1 on success, 0 if we don't support the Wireless Extensions 2531 * on this device, or a PCAP_ERROR_ value if we do support them but 2532 * we weren't able to turn monitor mode on. 2533 */ 2534 static int 2535 enter_rfmon_mode_wext(pcap_t *handle, int sock_fd, const char *device) 2536 { 2537 #ifdef IW_MODE_MONITOR 2538 /* 2539 * XXX - at least some adapters require non-Wireless Extensions 2540 * mechanisms to turn monitor mode on. 2541 * 2542 * Atheros cards might require that a separate "monitor virtual access 2543 * point" be created, with later versions of the madwifi driver. 2544 * airmon-ng does "wlanconfig ath create wlandev {if} wlanmode 2545 * monitor -bssid", which apparently spits out a line "athN" 2546 * where "athN" is the monitor mode device. To leave monitor 2547 * mode, it destroys the monitor mode device. 2548 * 2549 * Some Intel Centrino adapters might require private ioctls to get 2550 * radio headers; the ipw2200 and ipw3945 drivers allow you to 2551 * configure a separate "rtapN" interface to capture in monitor 2552 * mode without preventing the adapter from operating normally. 2553 * (airmon-ng doesn't appear to use that, though.) 2554 * 2555 * It would be Truly Wonderful if mac80211 and nl80211 cleaned this 2556 * up, and if all drivers were converted to mac80211 drivers. 2557 * 2558 * If interface {if} is a mac80211 driver, the file 2559 * /sys/class/net/{if}/phy80211 is a symlink to 2560 * /sys/class/ieee80211/{phydev}, for some {phydev}. 2561 * 2562 * On Fedora 9, with a 2.6.26.3-29 kernel, my Zydas stick, at 2563 * least, has a "wmaster0" device and a "wlan0" device; the 2564 * latter is the one with the IP address. Both show up in 2565 * "tcpdump -D" output. Capturing on the wmaster0 device 2566 * captures with 802.11 headers. 2567 * 2568 * airmon-ng searches through /sys/class/net for devices named 2569 * monN, starting with mon0; as soon as one *doesn't* exist, 2570 * it chooses that as the monitor device name. If the "iw" 2571 * command exists, it does "iw dev {if} interface add {monif} 2572 * type monitor", where {monif} is the monitor device. It 2573 * then (sigh) sleeps .1 second, and then configures the 2574 * device up. Otherwise, if /sys/class/ieee80211/{phydev}/add_iface 2575 * is a file, it writes {mondev}, without a newline, to that file, 2576 * and again (sigh) sleeps .1 second, and then iwconfig's that 2577 * device into monitor mode and configures it up. Otherwise, 2578 * you can't do monitor mode. 2579 * 2580 * All these devices are "glued" together by having the 2581 * /sys/class/net/{device}/phy80211 links pointing to the same 2582 * place, so, given a wmaster, wlan, or mon device, you can 2583 * find the other devices by looking for devices with 2584 * the same phy80211 link. 2585 * 2586 * To turn monitor mode off, delete the monitor interface, 2587 * either with "iw dev {monif} interface del" or by sending 2588 * {monif}, with no NL, down /sys/class/ieee80211/{phydev}/remove_iface 2589 * 2590 * Note: if you try to create a monitor device named "monN", and 2591 * there's already a "monN" device, it fails, as least with 2592 * the netlink interface (which is what iw uses), with a return 2593 * value of -ENFILE. (Return values are negative errnos.) We 2594 * could probably use that to find an unused device. 2595 */ 2596 int err; 2597 struct iwreq ireq; 2598 struct iw_priv_args *priv; 2599 monitor_type montype; 2600 int i; 2601 __u32 cmd; 2602 int args[2]; 2603 int channel; 2604 2605 /* 2606 * Does this device *support* the Wireless Extensions? 2607 */ 2608 err = has_wext(sock_fd, device, handle->errbuf); 2609 if (err <= 0) 2610 return err; /* either it doesn't or the device doesn't even exist */ 2611 /* 2612 * Try to get all the Wireless Extensions private ioctls 2613 * supported by this device. 2614 * 2615 * First, get the size of the buffer we need, by supplying no 2616 * buffer and a length of 0. If the device supports private 2617 * ioctls, it should return E2BIG, with ireq.u.data.length set 2618 * to the length we need. If it doesn't support them, it should 2619 * return EOPNOTSUPP. 2620 */ 2621 memset(&ireq, 0, sizeof ireq); 2622 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2623 sizeof ireq.ifr_ifrn.ifrn_name); 2624 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2625 ireq.u.data.pointer = args; 2626 ireq.u.data.length = 0; 2627 ireq.u.data.flags = 0; 2628 if (ioctl(sock_fd, SIOCGIWPRIV, &ireq) != -1) { 2629 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2630 "%s: SIOCGIWPRIV with a zero-length buffer didn't fail!", 2631 device); 2632 return PCAP_ERROR; 2633 } 2634 if (errno == EOPNOTSUPP) { 2635 /* 2636 * No private ioctls, so we assume that there's only one 2637 * DLT_ for monitor mode. 2638 */ 2639 return 0; 2640 } 2641 if (errno != E2BIG) { 2642 /* 2643 * Failed. 2644 */ 2645 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2646 "%s: SIOCGIWPRIV: %s", device, pcap_strerror(errno)); 2647 return PCAP_ERROR; 2648 } 2649 priv = malloc(ireq.u.data.length * sizeof (struct iw_priv_args)); 2650 if (priv == NULL) { 2651 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2652 "malloc: %s", pcap_strerror(errno)); 2653 return PCAP_ERROR; 2654 } 2655 ireq.u.data.pointer = priv; 2656 if (ioctl(sock_fd, SIOCGIWPRIV, &ireq) == -1) { 2657 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2658 "%s: SIOCGIWPRIV: %s", device, pcap_strerror(errno)); 2659 free(priv); 2660 return PCAP_ERROR; 2661 } 2662 2663 /* 2664 * Look for private ioctls to turn monitor mode on or, if 2665 * monitor mode is on, to set the header type. 2666 */ 2667 montype = MONITOR_WEXT; 2668 cmd = 0; 2669 for (i = 0; i < ireq.u.data.length; i++) { 2670 if (strcmp(priv[i].name, "monitor_type") == 0) { 2671 /* 2672 * Hostap driver, use this one. 2673 * Set monitor mode first. 2674 * You can set it to 0 to get DLT_IEEE80211, 2675 * 1 to get DLT_PRISM, or 2 to get 2676 * DLT_IEEE80211_RADIO_AVS. 2677 */ 2678 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2679 break; 2680 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2681 break; 2682 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2683 break; 2684 montype = MONITOR_HOSTAP; 2685 cmd = priv[i].cmd; 2686 break; 2687 } 2688 if (strcmp(priv[i].name, "set_prismhdr") == 0) { 2689 /* 2690 * Prism54 driver, use this one. 2691 * Set monitor mode first. 2692 * You can set it to 2 to get DLT_IEEE80211 2693 * or 3 or get DLT_PRISM. 2694 */ 2695 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2696 break; 2697 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2698 break; 2699 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2700 break; 2701 montype = MONITOR_PRISM54; 2702 cmd = priv[i].cmd; 2703 break; 2704 } 2705 if (strcmp(priv[i].name, "forceprismheader") == 0) { 2706 /* 2707 * RT2570 driver, use this one. 2708 * Do this after turning monitor mode on. 2709 * You can set it to 1 to get DLT_PRISM or 2 2710 * to get DLT_IEEE80211. 2711 */ 2712 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2713 break; 2714 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2715 break; 2716 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2717 break; 2718 montype = MONITOR_RT2570; 2719 cmd = priv[i].cmd; 2720 break; 2721 } 2722 if (strcmp(priv[i].name, "forceprism") == 0) { 2723 /* 2724 * RT73 driver, use this one. 2725 * Do this after turning monitor mode on. 2726 * Its argument is a *string*; you can 2727 * set it to "1" to get DLT_PRISM or "2" 2728 * to get DLT_IEEE80211. 2729 */ 2730 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_CHAR) 2731 break; 2732 if (priv[i].set_args & IW_PRIV_SIZE_FIXED) 2733 break; 2734 montype = MONITOR_RT73; 2735 cmd = priv[i].cmd; 2736 break; 2737 } 2738 if (strcmp(priv[i].name, "prismhdr") == 0) { 2739 /* 2740 * One of the RTL8xxx drivers, use this one. 2741 * It can only be done after monitor mode 2742 * has been turned on. You can set it to 1 2743 * to get DLT_PRISM or 0 to get DLT_IEEE80211. 2744 */ 2745 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2746 break; 2747 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2748 break; 2749 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 1) 2750 break; 2751 montype = MONITOR_RTL8XXX; 2752 cmd = priv[i].cmd; 2753 break; 2754 } 2755 if (strcmp(priv[i].name, "rfmontx") == 0) { 2756 /* 2757 * RT2500 or RT61 driver, use this one. 2758 * It has one one-byte parameter; set 2759 * u.data.length to 1 and u.data.pointer to 2760 * point to the parameter. 2761 * It doesn't itself turn monitor mode on. 2762 * You can set it to 1 to allow transmitting 2763 * in monitor mode(?) and get DLT_IEEE80211, 2764 * or set it to 0 to disallow transmitting in 2765 * monitor mode(?) and get DLT_PRISM. 2766 */ 2767 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2768 break; 2769 if ((priv[i].set_args & IW_PRIV_SIZE_MASK) != 2) 2770 break; 2771 montype = MONITOR_RT2500; 2772 cmd = priv[i].cmd; 2773 break; 2774 } 2775 if (strcmp(priv[i].name, "monitor") == 0) { 2776 /* 2777 * Either ACX100 or hostap, use this one. 2778 * It turns monitor mode on. 2779 * If it takes two arguments, it's ACX100; 2780 * the first argument is 1 for DLT_PRISM 2781 * or 2 for DLT_IEEE80211, and the second 2782 * argument is the channel on which to 2783 * run. If it takes one argument, it's 2784 * HostAP, and the argument is 2 for 2785 * DLT_IEEE80211 and 3 for DLT_PRISM. 2786 * 2787 * If we see this, we don't quit, as this 2788 * might be a version of the hostap driver 2789 * that also supports "monitor_type". 2790 */ 2791 if ((priv[i].set_args & IW_PRIV_TYPE_MASK) != IW_PRIV_TYPE_INT) 2792 break; 2793 if (!(priv[i].set_args & IW_PRIV_SIZE_FIXED)) 2794 break; 2795 switch (priv[i].set_args & IW_PRIV_SIZE_MASK) { 2796 2797 case 1: 2798 montype = MONITOR_PRISM; 2799 cmd = priv[i].cmd; 2800 break; 2801 2802 case 2: 2803 montype = MONITOR_ACX100; 2804 cmd = priv[i].cmd; 2805 break; 2806 2807 default: 2808 break; 2809 } 2810 } 2811 } 2812 free(priv); 2813 2814 /* 2815 * XXX - ipw3945? islism? 2816 */ 2817 2818 /* 2819 * Get the old mode. 2820 */ 2821 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2822 sizeof ireq.ifr_ifrn.ifrn_name); 2823 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2824 if (ioctl(sock_fd, SIOCGIWMODE, &ireq) == -1) { 2825 /* 2826 * We probably won't be able to set the mode, either. 2827 */ 2828 return PCAP_ERROR_RFMON_NOTSUP; 2829 } 2830 2831 /* 2832 * Is it currently in monitor mode? 2833 */ 2834 if (ireq.u.mode == IW_MODE_MONITOR) { 2835 /* 2836 * Yes. Just leave things as they are. 2837 * We don't offer multiple link-layer types, as 2838 * changing the link-layer type out from under 2839 * somebody else capturing in monitor mode would 2840 * be considered rude. 2841 */ 2842 return 1; 2843 } 2844 /* 2845 * No. We have to put the adapter into rfmon mode. 2846 */ 2847 2848 /* 2849 * If we haven't already done so, arrange to have 2850 * "pcap_close_all()" called when we exit. 2851 */ 2852 if (!pcap_do_addexit(handle)) { 2853 /* 2854 * "atexit()" failed; don't put the interface 2855 * in rfmon mode, just give up. 2856 */ 2857 return PCAP_ERROR_RFMON_NOTSUP; 2858 } 2859 2860 /* 2861 * Save the old mode. 2862 */ 2863 handle->md.oldmode = ireq.u.mode; 2864 2865 /* 2866 * Put the adapter in rfmon mode. How we do this depends 2867 * on whether we have a special private ioctl or not. 2868 */ 2869 if (montype == MONITOR_PRISM) { 2870 /* 2871 * We have the "monitor" private ioctl, but none of 2872 * the other private ioctls. Use this, and select 2873 * the Prism header. 2874 * 2875 * If it fails, just fall back on SIOCSIWMODE. 2876 */ 2877 memset(&ireq, 0, sizeof ireq); 2878 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2879 sizeof ireq.ifr_ifrn.ifrn_name); 2880 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2881 ireq.u.data.length = 1; /* 1 argument */ 2882 args[0] = 3; /* request Prism header */ 2883 memcpy(ireq.u.name, args, IFNAMSIZ); 2884 if (ioctl(sock_fd, cmd, &ireq) != -1) { 2885 /* 2886 * Success. 2887 * Note that we have to put the old mode back 2888 * when we close the device. 2889 */ 2890 handle->md.must_clear |= MUST_CLEAR_RFMON; 2891 2892 /* 2893 * Add this to the list of pcaps to close 2894 * when we exit. 2895 */ 2896 pcap_add_to_pcaps_to_close(handle); 2897 2898 return 1; 2899 } 2900 2901 /* 2902 * Failure. Fall back on SIOCSIWMODE. 2903 */ 2904 } 2905 2906 /* 2907 * First, turn monitor mode on. 2908 */ 2909 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2910 sizeof ireq.ifr_ifrn.ifrn_name); 2911 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2912 ireq.u.mode = IW_MODE_MONITOR; 2913 if (ioctl(sock_fd, SIOCSIWMODE, &ireq) == -1) { 2914 /* 2915 * Scientist, you've failed. 2916 */ 2917 return PCAP_ERROR_RFMON_NOTSUP; 2918 } 2919 2920 /* 2921 * XXX - airmon-ng does "iwconfig {if} key off" after setting 2922 * monitor mode and setting the channel, and then does 2923 * "iwconfig up". 2924 */ 2925 2926 /* 2927 * Now select the appropriate radio header. 2928 */ 2929 switch (montype) { 2930 2931 case MONITOR_WEXT: 2932 /* 2933 * We don't have any private ioctl to set the header. 2934 */ 2935 break; 2936 2937 case MONITOR_HOSTAP: 2938 /* 2939 * Select the AVS header if we can, otherwise 2940 * select the Prism header. 2941 */ 2942 memset(&ireq, 0, sizeof ireq); 2943 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2944 sizeof ireq.ifr_ifrn.ifrn_name); 2945 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2946 args[0] = 2; /* request AVS header */ 2947 memcpy(ireq.u.name, args, sizeof (int)); 2948 if (ioctl(sock_fd, cmd, &ireq) == -1) { 2949 /* 2950 * Failure - try the Prism header. 2951 */ 2952 memset(&ireq, 0, sizeof ireq); 2953 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2954 sizeof ireq.ifr_ifrn.ifrn_name); 2955 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2956 args[0] = 1; /* request Prism header */ 2957 memcpy(ireq.u.name, args, sizeof (int)); 2958 ioctl(sock_fd, cmd, &ireq); 2959 } 2960 break; 2961 2962 case MONITOR_PRISM: 2963 /* 2964 * The private ioctl failed. 2965 */ 2966 break; 2967 2968 case MONITOR_PRISM54: 2969 /* 2970 * Select the Prism header. 2971 */ 2972 memset(&ireq, 0, sizeof ireq); 2973 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2974 sizeof ireq.ifr_ifrn.ifrn_name); 2975 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2976 args[0] = 3; /* request Prism header */ 2977 memcpy(ireq.u.name, args, sizeof (int)); 2978 ioctl(sock_fd, cmd, &ireq); 2979 break; 2980 2981 case MONITOR_ACX100: 2982 /* 2983 * Get the current channel. 2984 */ 2985 memset(&ireq, 0, sizeof ireq); 2986 strncpy(ireq.ifr_ifrn.ifrn_name, device, 2987 sizeof ireq.ifr_ifrn.ifrn_name); 2988 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 2989 if (ioctl(sock_fd, SIOCGIWFREQ, &ireq) == -1) { 2990 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 2991 "%s: SIOCGIWFREQ: %s", device, 2992 pcap_strerror(errno)); 2993 return PCAP_ERROR; 2994 } 2995 channel = ireq.u.freq.m; 2996 2997 /* 2998 * Select the Prism header, and set the channel to the 2999 * current value. 3000 */ 3001 memset(&ireq, 0, sizeof ireq); 3002 strncpy(ireq.ifr_ifrn.ifrn_name, device, 3003 sizeof ireq.ifr_ifrn.ifrn_name); 3004 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3005 args[0] = 1; /* request Prism header */ 3006 args[1] = channel; /* set channel */ 3007 memcpy(ireq.u.name, args, 2*sizeof (int)); 3008 ioctl(sock_fd, cmd, &ireq); 3009 break; 3010 3011 case MONITOR_RT2500: 3012 /* 3013 * Disallow transmission - that turns on the 3014 * Prism header. 3015 */ 3016 memset(&ireq, 0, sizeof ireq); 3017 strncpy(ireq.ifr_ifrn.ifrn_name, device, 3018 sizeof ireq.ifr_ifrn.ifrn_name); 3019 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3020 args[0] = 0; /* disallow transmitting */ 3021 memcpy(ireq.u.name, args, sizeof (int)); 3022 ioctl(sock_fd, cmd, &ireq); 3023 break; 3024 3025 case MONITOR_RT2570: 3026 /* 3027 * Force the Prism header. 3028 */ 3029 memset(&ireq, 0, sizeof ireq); 3030 strncpy(ireq.ifr_ifrn.ifrn_name, device, 3031 sizeof ireq.ifr_ifrn.ifrn_name); 3032 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3033 args[0] = 1; /* request Prism header */ 3034 memcpy(ireq.u.name, args, sizeof (int)); 3035 ioctl(sock_fd, cmd, &ireq); 3036 break; 3037 3038 case MONITOR_RT73: 3039 /* 3040 * Force the Prism header. 3041 */ 3042 memset(&ireq, 0, sizeof ireq); 3043 strncpy(ireq.ifr_ifrn.ifrn_name, device, 3044 sizeof ireq.ifr_ifrn.ifrn_name); 3045 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3046 ireq.u.data.length = 1; /* 1 argument */ 3047 ireq.u.data.pointer = "1"; 3048 ireq.u.data.flags = 0; 3049 ioctl(sock_fd, cmd, &ireq); 3050 break; 3051 3052 case MONITOR_RTL8XXX: 3053 /* 3054 * Force the Prism header. 3055 */ 3056 memset(&ireq, 0, sizeof ireq); 3057 strncpy(ireq.ifr_ifrn.ifrn_name, device, 3058 sizeof ireq.ifr_ifrn.ifrn_name); 3059 ireq.ifr_ifrn.ifrn_name[sizeof ireq.ifr_ifrn.ifrn_name - 1] = 0; 3060 args[0] = 1; /* request Prism header */ 3061 memcpy(ireq.u.name, args, sizeof (int)); 3062 ioctl(sock_fd, cmd, &ireq); 3063 break; 3064 } 3065 3066 /* 3067 * Note that we have to put the old mode back when we 3068 * close the device. 3069 */ 3070 handle->md.must_clear |= MUST_CLEAR_RFMON; 3071 3072 /* 3073 * Add this to the list of pcaps to close when we exit. 3074 */ 3075 pcap_add_to_pcaps_to_close(handle); 3076 3077 return 1; 3078 #else 3079 /* 3080 * We don't have the Wireless Extensions available, so we can't 3081 * do monitor mode. 3082 */ 3083 return 0; 3084 #endif 3085 } 3086 3087 #endif /* HAVE_PF_PACKET_SOCKETS */ 3088 3089 /* ===== Functions to interface to the older kernels ================== */ 3090 3091 /* 3092 * Try to open a packet socket using the old kernel interface. 3093 * Returns 1 on success and a PCAP_ERROR_ value on an error. 3094 */ 3095 static int 3096 activate_old(pcap_t *handle) 3097 { 3098 int arptype; 3099 struct ifreq ifr; 3100 const char *device = handle->opt.source; 3101 struct utsname utsname; 3102 int mtu; 3103 3104 /* Open the socket */ 3105 3106 handle->fd = socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)); 3107 if (handle->fd == -1) { 3108 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3109 "socket: %s", pcap_strerror(errno)); 3110 return PCAP_ERROR_PERM_DENIED; 3111 } 3112 3113 /* It worked - we are using the old interface */ 3114 handle->md.sock_packet = 1; 3115 3116 /* ...which means we get the link-layer header. */ 3117 handle->md.cooked = 0; 3118 3119 /* Bind to the given device */ 3120 3121 if (!device) { 3122 strncpy(handle->errbuf, "pcap_activate: The \"any\" device isn't supported on 2.0[.x]-kernel systems", 3123 PCAP_ERRBUF_SIZE); 3124 return PCAP_ERROR; 3125 } 3126 if (iface_bind_old(handle->fd, device, handle->errbuf) == -1) 3127 return PCAP_ERROR; 3128 3129 /* 3130 * Try to get the link-layer type. 3131 */ 3132 arptype = iface_get_arptype(handle->fd, device, handle->errbuf); 3133 if (arptype < 0) 3134 return PCAP_ERROR; 3135 3136 /* 3137 * Try to find the DLT_ type corresponding to that 3138 * link-layer type. 3139 */ 3140 map_arphrd_to_dlt(handle, arptype, 0); 3141 if (handle->linktype == -1) { 3142 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3143 "unknown arptype %d", arptype); 3144 return PCAP_ERROR; 3145 } 3146 3147 /* Go to promisc mode if requested */ 3148 3149 if (handle->opt.promisc) { 3150 memset(&ifr, 0, sizeof(ifr)); 3151 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 3152 if (ioctl(handle->fd, SIOCGIFFLAGS, &ifr) == -1) { 3153 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3154 "SIOCGIFFLAGS: %s", pcap_strerror(errno)); 3155 return PCAP_ERROR; 3156 } 3157 if ((ifr.ifr_flags & IFF_PROMISC) == 0) { 3158 /* 3159 * Promiscuous mode isn't currently on, 3160 * so turn it on, and remember that 3161 * we should turn it off when the 3162 * pcap_t is closed. 3163 */ 3164 3165 /* 3166 * If we haven't already done so, arrange 3167 * to have "pcap_close_all()" called when 3168 * we exit. 3169 */ 3170 if (!pcap_do_addexit(handle)) { 3171 /* 3172 * "atexit()" failed; don't put 3173 * the interface in promiscuous 3174 * mode, just give up. 3175 */ 3176 return PCAP_ERROR; 3177 } 3178 3179 ifr.ifr_flags |= IFF_PROMISC; 3180 if (ioctl(handle->fd, SIOCSIFFLAGS, &ifr) == -1) { 3181 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3182 "SIOCSIFFLAGS: %s", 3183 pcap_strerror(errno)); 3184 return PCAP_ERROR; 3185 } 3186 handle->md.must_clear |= MUST_CLEAR_PROMISC; 3187 3188 /* 3189 * Add this to the list of pcaps 3190 * to close when we exit. 3191 */ 3192 pcap_add_to_pcaps_to_close(handle); 3193 } 3194 } 3195 3196 /* 3197 * Compute the buffer size. 3198 * 3199 * We're using SOCK_PACKET, so this might be a 2.0[.x] 3200 * kernel, and might require special handling - check. 3201 */ 3202 if (uname(&utsname) < 0 || 3203 strncmp(utsname.release, "2.0", 3) == 0) { 3204 /* 3205 * Either we couldn't find out what kernel release 3206 * this is, or it's a 2.0[.x] kernel. 3207 * 3208 * In the 2.0[.x] kernel, a "recvfrom()" on 3209 * a SOCK_PACKET socket, with MSG_TRUNC set, will 3210 * return the number of bytes read, so if we pass 3211 * a length based on the snapshot length, it'll 3212 * return the number of bytes from the packet 3213 * copied to userland, not the actual length 3214 * of the packet. 3215 * 3216 * This means that, for example, the IP dissector 3217 * in tcpdump will get handed a packet length less 3218 * than the length in the IP header, and will 3219 * complain about "truncated-ip". 3220 * 3221 * So we don't bother trying to copy from the 3222 * kernel only the bytes in which we're interested, 3223 * but instead copy them all, just as the older 3224 * versions of libpcap for Linux did. 3225 * 3226 * The buffer therefore needs to be big enough to 3227 * hold the largest packet we can get from this 3228 * device. Unfortunately, we can't get the MRU 3229 * of the network; we can only get the MTU. The 3230 * MTU may be too small, in which case a packet larger 3231 * than the buffer size will be truncated *and* we 3232 * won't get the actual packet size. 3233 * 3234 * However, if the snapshot length is larger than 3235 * the buffer size based on the MTU, we use the 3236 * snapshot length as the buffer size, instead; 3237 * this means that with a sufficiently large snapshot 3238 * length we won't artificially truncate packets 3239 * to the MTU-based size. 3240 * 3241 * This mess just one of many problems with packet 3242 * capture on 2.0[.x] kernels; you really want a 3243 * 2.2[.x] or later kernel if you want packet capture 3244 * to work well. 3245 */ 3246 mtu = iface_get_mtu(handle->fd, device, handle->errbuf); 3247 if (mtu == -1) 3248 return PCAP_ERROR; 3249 handle->bufsize = MAX_LINKHEADER_SIZE + mtu; 3250 if (handle->bufsize < handle->snapshot) 3251 handle->bufsize = handle->snapshot; 3252 } else { 3253 /* 3254 * This is a 2.2[.x] or later kernel. 3255 * 3256 * We can safely pass "recvfrom()" a byte count 3257 * based on the snapshot length. 3258 */ 3259 handle->bufsize = handle->snapshot; 3260 } 3261 3262 /* 3263 * Default value for offset to align link-layer payload 3264 * on a 4-byte boundary. 3265 */ 3266 handle->offset = 0; 3267 3268 return 1; 3269 } 3270 3271 /* 3272 * Bind the socket associated with FD to the given device using the 3273 * interface of the old kernels. 3274 */ 3275 static int 3276 iface_bind_old(int fd, const char *device, char *ebuf) 3277 { 3278 struct sockaddr saddr; 3279 int err; 3280 socklen_t errlen = sizeof(err); 3281 3282 memset(&saddr, 0, sizeof(saddr)); 3283 strncpy(saddr.sa_data, device, sizeof(saddr.sa_data)); 3284 if (bind(fd, &saddr, sizeof(saddr)) == -1) { 3285 snprintf(ebuf, PCAP_ERRBUF_SIZE, 3286 "bind: %s", pcap_strerror(errno)); 3287 return -1; 3288 } 3289 3290 /* Any pending errors, e.g., network is down? */ 3291 3292 if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1) { 3293 snprintf(ebuf, PCAP_ERRBUF_SIZE, 3294 "getsockopt: %s", pcap_strerror(errno)); 3295 return -1; 3296 } 3297 3298 if (err > 0) { 3299 snprintf(ebuf, PCAP_ERRBUF_SIZE, 3300 "bind: %s", pcap_strerror(err)); 3301 return -1; 3302 } 3303 3304 return 0; 3305 } 3306 3307 3308 /* ===== System calls available on all supported kernels ============== */ 3309 3310 /* 3311 * Query the kernel for the MTU of the given interface. 3312 */ 3313 static int 3314 iface_get_mtu(int fd, const char *device, char *ebuf) 3315 { 3316 struct ifreq ifr; 3317 3318 if (!device) 3319 return BIGGER_THAN_ALL_MTUS; 3320 3321 memset(&ifr, 0, sizeof(ifr)); 3322 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 3323 3324 if (ioctl(fd, SIOCGIFMTU, &ifr) == -1) { 3325 snprintf(ebuf, PCAP_ERRBUF_SIZE, 3326 "SIOCGIFMTU: %s", pcap_strerror(errno)); 3327 return -1; 3328 } 3329 3330 return ifr.ifr_mtu; 3331 } 3332 3333 /* 3334 * Get the hardware type of the given interface as ARPHRD_xxx constant. 3335 */ 3336 static int 3337 iface_get_arptype(int fd, const char *device, char *ebuf) 3338 { 3339 struct ifreq ifr; 3340 3341 memset(&ifr, 0, sizeof(ifr)); 3342 strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); 3343 3344 if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) { 3345 snprintf(ebuf, PCAP_ERRBUF_SIZE, 3346 "SIOCGIFHWADDR: %s", pcap_strerror(errno)); 3347 if (errno == ENODEV) { 3348 /* 3349 * No such device. 3350 */ 3351 return PCAP_ERROR_NO_SUCH_DEVICE; 3352 } 3353 return PCAP_ERROR; 3354 } 3355 3356 return ifr.ifr_hwaddr.sa_family; 3357 } 3358 3359 #ifdef SO_ATTACH_FILTER 3360 static int 3361 fix_program(pcap_t *handle, struct sock_fprog *fcode) 3362 { 3363 size_t prog_size; 3364 register int i; 3365 register struct bpf_insn *p; 3366 struct bpf_insn *f; 3367 int len; 3368 3369 /* 3370 * Make a copy of the filter, and modify that copy if 3371 * necessary. 3372 */ 3373 prog_size = sizeof(*handle->fcode.bf_insns) * handle->fcode.bf_len; 3374 len = handle->fcode.bf_len; 3375 f = (struct bpf_insn *)malloc(prog_size); 3376 if (f == NULL) { 3377 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3378 "malloc: %s", pcap_strerror(errno)); 3379 return -1; 3380 } 3381 memcpy(f, handle->fcode.bf_insns, prog_size); 3382 fcode->len = len; 3383 fcode->filter = (struct sock_filter *) f; 3384 3385 for (i = 0; i < len; ++i) { 3386 p = &f[i]; 3387 /* 3388 * What type of instruction is this? 3389 */ 3390 switch (BPF_CLASS(p->code)) { 3391 3392 case BPF_RET: 3393 /* 3394 * It's a return instruction; is the snapshot 3395 * length a constant, rather than the contents 3396 * of the accumulator? 3397 */ 3398 if (BPF_MODE(p->code) == BPF_K) { 3399 /* 3400 * Yes - if the value to be returned, 3401 * i.e. the snapshot length, is anything 3402 * other than 0, make it 65535, so that 3403 * the packet is truncated by "recvfrom()", 3404 * not by the filter. 3405 * 3406 * XXX - there's nothing we can easily do 3407 * if it's getting the value from the 3408 * accumulator; we'd have to insert 3409 * code to force non-zero values to be 3410 * 65535. 3411 */ 3412 if (p->k != 0) 3413 p->k = 65535; 3414 } 3415 break; 3416 3417 case BPF_LD: 3418 case BPF_LDX: 3419 /* 3420 * It's a load instruction; is it loading 3421 * from the packet? 3422 */ 3423 switch (BPF_MODE(p->code)) { 3424 3425 case BPF_ABS: 3426 case BPF_IND: 3427 case BPF_MSH: 3428 /* 3429 * Yes; are we in cooked mode? 3430 */ 3431 if (handle->md.cooked) { 3432 /* 3433 * Yes, so we need to fix this 3434 * instruction. 3435 */ 3436 if (fix_offset(p) < 0) { 3437 /* 3438 * We failed to do so. 3439 * Return 0, so our caller 3440 * knows to punt to userland. 3441 */ 3442 return 0; 3443 } 3444 } 3445 break; 3446 } 3447 break; 3448 } 3449 } 3450 return 1; /* we succeeded */ 3451 } 3452 3453 static int 3454 fix_offset(struct bpf_insn *p) 3455 { 3456 /* 3457 * What's the offset? 3458 */ 3459 if (p->k >= SLL_HDR_LEN) { 3460 /* 3461 * It's within the link-layer payload; that starts at an 3462 * offset of 0, as far as the kernel packet filter is 3463 * concerned, so subtract the length of the link-layer 3464 * header. 3465 */ 3466 p->k -= SLL_HDR_LEN; 3467 } else if (p->k == 14) { 3468 /* 3469 * It's the protocol field; map it to the special magic 3470 * kernel offset for that field. 3471 */ 3472 p->k = SKF_AD_OFF + SKF_AD_PROTOCOL; 3473 } else { 3474 /* 3475 * It's within the header, but it's not one of those 3476 * fields; we can't do that in the kernel, so punt 3477 * to userland. 3478 */ 3479 return -1; 3480 } 3481 return 0; 3482 } 3483 3484 static int 3485 set_kernel_filter(pcap_t *handle, struct sock_fprog *fcode) 3486 { 3487 int total_filter_on = 0; 3488 int save_mode; 3489 int ret; 3490 int save_errno; 3491 3492 /* 3493 * The socket filter code doesn't discard all packets queued 3494 * up on the socket when the filter is changed; this means 3495 * that packets that don't match the new filter may show up 3496 * after the new filter is put onto the socket, if those 3497 * packets haven't yet been read. 3498 * 3499 * This means, for example, that if you do a tcpdump capture 3500 * with a filter, the first few packets in the capture might 3501 * be packets that wouldn't have passed the filter. 3502 * 3503 * We therefore discard all packets queued up on the socket 3504 * when setting a kernel filter. (This isn't an issue for 3505 * userland filters, as the userland filtering is done after 3506 * packets are queued up.) 3507 * 3508 * To flush those packets, we put the socket in read-only mode, 3509 * and read packets from the socket until there are no more to 3510 * read. 3511 * 3512 * In order to keep that from being an infinite loop - i.e., 3513 * to keep more packets from arriving while we're draining 3514 * the queue - we put the "total filter", which is a filter 3515 * that rejects all packets, onto the socket before draining 3516 * the queue. 3517 * 3518 * This code deliberately ignores any errors, so that you may 3519 * get bogus packets if an error occurs, rather than having 3520 * the filtering done in userland even if it could have been 3521 * done in the kernel. 3522 */ 3523 if (setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 3524 &total_fcode, sizeof(total_fcode)) == 0) { 3525 char drain[1]; 3526 3527 /* 3528 * Note that we've put the total filter onto the socket. 3529 */ 3530 total_filter_on = 1; 3531 3532 /* 3533 * Save the socket's current mode, and put it in 3534 * non-blocking mode; we drain it by reading packets 3535 * until we get an error (which is normally a 3536 * "nothing more to be read" error). 3537 */ 3538 save_mode = fcntl(handle->fd, F_GETFL, 0); 3539 if (save_mode != -1 && 3540 fcntl(handle->fd, F_SETFL, save_mode | O_NONBLOCK) >= 0) { 3541 while (recv(handle->fd, &drain, sizeof drain, 3542 MSG_TRUNC) >= 0) 3543 ; 3544 save_errno = errno; 3545 fcntl(handle->fd, F_SETFL, save_mode); 3546 if (save_errno != EAGAIN) { 3547 /* Fatal error */ 3548 reset_kernel_filter(handle); 3549 snprintf(handle->errbuf, PCAP_ERRBUF_SIZE, 3550 "recv: %s", pcap_strerror(save_errno)); 3551 return -2; 3552 } 3553 } 3554 } 3555 3556 /* 3557 * Now attach the new filter. 3558 */ 3559 ret = setsockopt(handle->fd, SOL_SOCKET, SO_ATTACH_FILTER, 3560 fcode, sizeof(*fcode)); 3561 if (ret == -1 && total_filter_on) { 3562 /* 3563 * Well, we couldn't set that filter on the socket, 3564 * but we could set the total filter on the socket. 3565 * 3566 * This could, for example, mean that the filter was 3567 * too big to put into the kernel, so we'll have to 3568 * filter in userland; in any case, we'll be doing 3569 * filtering in userland, so we need to remove the 3570 * total filter so we see packets. 3571 */ 3572 save_errno = errno; 3573 3574 /* 3575 * XXX - if this fails, we're really screwed; 3576 * we have the total filter on the socket, 3577 * and it won't come off. What do we do then? 3578 */ 3579 reset_kernel_filter(handle); 3580 3581 errno = save_errno; 3582 } 3583 return ret; 3584 } 3585 3586 static int 3587 reset_kernel_filter(pcap_t *handle) 3588 { 3589 /* 3590 * setsockopt() barfs unless it get a dummy parameter. 3591 * valgrind whines unless the value is initialized, 3592 * as it has no idea that setsockopt() ignores its 3593 * parameter. 3594 */ 3595 int dummy = 0; 3596 3597 return setsockopt(handle->fd, SOL_SOCKET, SO_DETACH_FILTER, 3598 &dummy, sizeof(dummy)); 3599 } 3600 #endif 3601