1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1997 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 */ 21 22 #ifdef HAVE_CONFIG_H 23 #include <config.h> 24 #endif 25 26 #include <sys/param.h> 27 #include <sys/file.h> 28 #include <sys/ioctl.h> 29 #include <sys/socket.h> 30 #include <sys/time.h> 31 32 #include <net/raw.h> 33 #include <net/if.h> 34 35 #include <netinet/in.h> 36 #include <netinet/in_systm.h> 37 #include <netinet/ip.h> 38 #include <netinet/if_ether.h> 39 #include <netinet/ip_var.h> 40 #include <netinet/udp.h> 41 #include <netinet/udp_var.h> 42 #include <netinet/tcp.h> 43 #include <netinet/tcpip.h> 44 45 #include <errno.h> 46 #include <stdio.h> 47 #include <stdlib.h> 48 #include <string.h> 49 #include <unistd.h> 50 51 #include "pcap-int.h" 52 53 #ifdef HAVE_OS_PROTO_H 54 #include "os-proto.h" 55 #endif 56 57 /* 58 * Private data for capturing on snoop devices. 59 */ 60 struct pcap_snoop { 61 struct pcap_stat stat; 62 }; 63 64 static int 65 pcap_read_snoop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 66 { 67 struct pcap_snoop *psn = p->priv; 68 int cc; 69 register struct snoopheader *sh; 70 register u_int datalen; 71 register u_int caplen; 72 register u_char *cp; 73 74 again: 75 /* 76 * Has "pcap_breakloop()" been called? 77 */ 78 if (p->break_loop) { 79 /* 80 * Yes - clear the flag that indicates that it 81 * has, and return -2 to indicate that we were 82 * told to break out of the loop. 83 */ 84 p->break_loop = 0; 85 return (-2); 86 } 87 cc = read(p->fd, (char *)p->buffer, p->bufsize); 88 if (cc < 0) { 89 /* Don't choke when we get ptraced */ 90 switch (errno) { 91 92 case EINTR: 93 goto again; 94 95 case EWOULDBLOCK: 96 return (0); /* XXX */ 97 } 98 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf), 99 errno, "read"); 100 return (-1); 101 } 102 sh = (struct snoopheader *)p->buffer; 103 datalen = sh->snoop_packetlen; 104 105 /* 106 * XXX - Sigh, snoop_packetlen is a 16 bit quantity. If we 107 * got a short length, but read a full sized snoop pakcet, 108 * assume we overflowed and add back the 64K... 109 */ 110 if (cc == (p->snapshot + sizeof(struct snoopheader)) && 111 (datalen < p->snapshot)) 112 datalen += (64 * 1024); 113 114 caplen = (datalen < p->snapshot) ? datalen : p->snapshot; 115 cp = (u_char *)(sh + 1) + p->offset; /* XXX */ 116 117 /* 118 * XXX unfortunately snoop loopback isn't exactly like 119 * BSD's. The address family is encoded in the first 2 120 * bytes rather than the first 4 bytes! Luckily the last 121 * two snoop loopback bytes are zeroed. 122 */ 123 if (p->linktype == DLT_NULL && *((short *)(cp + 2)) == 0) { 124 u_int *uip = (u_int *)cp; 125 *uip >>= 16; 126 } 127 128 if (p->fcode.bf_insns == NULL || 129 pcap_filter(p->fcode.bf_insns, cp, datalen, caplen)) { 130 struct pcap_pkthdr h; 131 ++psn->stat.ps_recv; 132 h.ts.tv_sec = sh->snoop_timestamp.tv_sec; 133 h.ts.tv_usec = sh->snoop_timestamp.tv_usec; 134 h.len = datalen; 135 h.caplen = caplen; 136 (*callback)(user, &h, cp); 137 return (1); 138 } 139 return (0); 140 } 141 142 static int 143 pcap_inject_snoop(pcap_t *p, const void *buf, int size) 144 { 145 int ret; 146 147 /* 148 * XXX - libnet overwrites the source address with what I 149 * presume is the interface's address; is that required? 150 */ 151 ret = write(p->fd, buf, size); 152 if (ret == -1) { 153 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 154 errno, "send"); 155 return (-1); 156 } 157 return (ret); 158 } 159 160 static int 161 pcap_stats_snoop(pcap_t *p, struct pcap_stat *ps) 162 { 163 struct pcap_snoop *psn = p->priv; 164 register struct rawstats *rs; 165 struct rawstats rawstats; 166 167 rs = &rawstats; 168 memset(rs, 0, sizeof(*rs)); 169 if (ioctl(p->fd, SIOCRAWSTATS, (char *)rs) < 0) { 170 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf), 171 errno, "SIOCRAWSTATS"); 172 return (-1); 173 } 174 175 /* 176 * "ifdrops" are those dropped by the network interface 177 * due to resource shortages or hardware errors. 178 * 179 * "sbdrops" are those dropped due to socket buffer limits. 180 * 181 * As filter is done in userland, "sbdrops" counts packets 182 * regardless of whether they would've passed the filter. 183 * 184 * XXX - does this count *all* Snoop or Drain sockets, 185 * rather than just this socket? If not, why does it have 186 * both Snoop and Drain statistics? 187 */ 188 psn->stat.ps_drop = 189 rs->rs_snoop.ss_ifdrops + rs->rs_snoop.ss_sbdrops + 190 rs->rs_drain.ds_ifdrops + rs->rs_drain.ds_sbdrops; 191 192 /* 193 * "ps_recv" counts only packets that passed the filter. 194 * As filtering is done in userland, this does not include 195 * packets dropped because we ran out of buffer space. 196 */ 197 *ps = psn->stat; 198 return (0); 199 } 200 201 /* XXX can't disable promiscuous */ 202 static int 203 pcap_activate_snoop(pcap_t *p) 204 { 205 int fd; 206 struct sockaddr_raw sr; 207 struct snoopfilter sf; 208 u_int v; 209 int ll_hdrlen; 210 int snooplen; 211 struct ifreq ifr; 212 213 fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP); 214 if (fd < 0) { 215 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 216 errno, "snoop socket"); 217 goto bad; 218 } 219 p->fd = fd; 220 memset(&sr, 0, sizeof(sr)); 221 sr.sr_family = AF_RAW; 222 (void)strncpy(sr.sr_ifname, p->opt.device, sizeof(sr.sr_ifname)); 223 if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) { 224 /* 225 * XXX - there's probably a particular bind error that 226 * means "there's no such device" and a particular bind 227 * error that means "that device doesn't support snoop"; 228 * they might be the same error, if they both end up 229 * meaning "snoop doesn't know about that device". 230 */ 231 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 232 errno, "snoop bind"); 233 goto bad; 234 } 235 memset(&sf, 0, sizeof(sf)); 236 if (ioctl(fd, SIOCADDSNOOP, &sf) < 0) { 237 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 238 errno, "SIOCADDSNOOP"); 239 goto bad; 240 } 241 if (p->opt.buffer_size != 0) 242 v = p->opt.buffer_size; 243 else 244 v = 64 * 1024; /* default to 64K buffer size */ 245 (void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (char *)&v, sizeof(v)); 246 /* 247 * XXX hack - map device name to link layer type 248 */ 249 if (strncmp("et", p->opt.device, 2) == 0 || /* Challenge 10 Mbit */ 250 strncmp("ec", p->opt.device, 2) == 0 || /* Indigo/Indy 10 Mbit, 251 O2 10/100 */ 252 strncmp("ef", p->opt.device, 2) == 0 || /* O200/2000 10/100 Mbit */ 253 strncmp("eg", p->opt.device, 2) == 0 || /* Octane/O2xxx/O3xxx Gigabit */ 254 strncmp("gfe", p->opt.device, 3) == 0 || /* GIO 100 Mbit */ 255 strncmp("fxp", p->opt.device, 3) == 0 || /* Challenge VME Enet */ 256 strncmp("ep", p->opt.device, 2) == 0 || /* Challenge 8x10 Mbit EPLEX */ 257 strncmp("vfe", p->opt.device, 3) == 0 || /* Challenge VME 100Mbit */ 258 strncmp("fa", p->opt.device, 2) == 0 || 259 strncmp("qaa", p->opt.device, 3) == 0 || 260 strncmp("cip", p->opt.device, 3) == 0 || 261 strncmp("el", p->opt.device, 2) == 0) { 262 p->linktype = DLT_EN10MB; 263 p->offset = RAW_HDRPAD(sizeof(struct ether_header)); 264 ll_hdrlen = sizeof(struct ether_header); 265 /* 266 * This is (presumably) a real Ethernet capture; give it a 267 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so 268 * that an application can let you choose it, in case you're 269 * capturing DOCSIS traffic that a Cisco Cable Modem 270 * Termination System is putting out onto an Ethernet (it 271 * doesn't put an Ethernet header onto the wire, it puts raw 272 * DOCSIS frames out on the wire inside the low-level 273 * Ethernet framing). 274 * 275 * XXX - are there any sorts of "fake Ethernet" that have 276 * Ethernet link-layer headers but that *shouldn't offer 277 * DLT_DOCSIS as a Cisco CMTS won't put traffic onto it 278 * or get traffic bridged onto it? "el" is for ATM LANE 279 * Ethernet devices, so that might be the case for them; 280 * the same applies for "qaa" classical IP devices. If 281 * "fa" devices are for FORE SPANS, that'd apply to them 282 * as well; what are "cip" devices - some other ATM 283 * Classical IP devices? 284 */ 285 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 286 /* 287 * If that fails, just leave the list empty. 288 */ 289 if (p->dlt_list != NULL) { 290 p->dlt_list[0] = DLT_EN10MB; 291 p->dlt_list[1] = DLT_DOCSIS; 292 p->dlt_count = 2; 293 } 294 } else if (strncmp("ipg", p->opt.device, 3) == 0 || 295 strncmp("rns", p->opt.device, 3) == 0 || /* O2/200/2000 FDDI */ 296 strncmp("xpi", p->opt.device, 3) == 0) { 297 p->linktype = DLT_FDDI; 298 p->offset = 3; /* XXX yeah? */ 299 ll_hdrlen = 13; 300 } else if (strncmp("ppp", p->opt.device, 3) == 0) { 301 p->linktype = DLT_RAW; 302 ll_hdrlen = 0; /* DLT_RAW meaning "no PPP header, just the IP packet"? */ 303 } else if (strncmp("qfa", p->opt.device, 3) == 0) { 304 p->linktype = DLT_IP_OVER_FC; 305 ll_hdrlen = 24; 306 } else if (strncmp("pl", p->opt.device, 2) == 0) { 307 p->linktype = DLT_RAW; 308 ll_hdrlen = 0; /* Cray UNICOS/mp pseudo link */ 309 } else if (strncmp("lo", p->opt.device, 2) == 0) { 310 p->linktype = DLT_NULL; 311 ll_hdrlen = 4; 312 } else { 313 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 314 "snoop: unknown physical layer type"); 315 goto bad; 316 } 317 318 if (p->opt.rfmon) { 319 /* 320 * No monitor mode on Irix (no Wi-Fi devices on 321 * hardware supported by Irix). 322 */ 323 return (PCAP_ERROR_RFMON_NOTSUP); 324 } 325 326 /* 327 * Turn a negative snapshot value (invalid), a snapshot value of 328 * 0 (unspecified), or a value bigger than the normal maximum 329 * value, into the maximum allowed value. 330 * 331 * If some application really *needs* a bigger snapshot 332 * length, we should just increase MAXIMUM_SNAPLEN. 333 */ 334 if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN) 335 p->snapshot = MAXIMUM_SNAPLEN; 336 337 #ifdef SIOCGIFMTU 338 /* 339 * XXX - IRIX appears to give you an error if you try to set the 340 * capture length to be greater than the MTU, so let's try to get 341 * the MTU first and, if that succeeds, trim the snap length 342 * to be no greater than the MTU. 343 */ 344 (void)strncpy(ifr.ifr_name, p->opt.device, sizeof(ifr.ifr_name)); 345 if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) { 346 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 347 errno, "SIOCGIFMTU"); 348 goto bad; 349 } 350 /* 351 * OK, we got it. 352 * 353 * XXX - some versions of IRIX 6.5 define "ifr_mtu" and have an 354 * "ifru_metric" member of the "ifr_ifru" union in an "ifreq" 355 * structure, others don't. 356 * 357 * I've no idea what's going on, so, if "ifr_mtu" isn't defined, 358 * we define it as "ifr_metric", as using that field appears to 359 * work on the versions that lack "ifr_mtu" (and, on those that 360 * don't lack it, "ifru_metric" and "ifru_mtu" are both "int" 361 * members of the "ifr_ifru" union, which suggests that they 362 * may be interchangeable in this case). 363 */ 364 #ifndef ifr_mtu 365 #define ifr_mtu ifr_metric 366 #endif 367 if (p->snapshot > ifr.ifr_mtu + ll_hdrlen) 368 p->snapshot = ifr.ifr_mtu + ll_hdrlen; 369 #endif 370 371 /* 372 * The argument to SIOCSNOOPLEN is the number of link-layer 373 * payload bytes to capture - it doesn't count link-layer 374 * header bytes. 375 */ 376 snooplen = p->snapshot - ll_hdrlen; 377 if (snooplen < 0) 378 snooplen = 0; 379 if (ioctl(fd, SIOCSNOOPLEN, &snooplen) < 0) { 380 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 381 errno, "SIOCSNOOPLEN"); 382 goto bad; 383 } 384 v = 1; 385 if (ioctl(fd, SIOCSNOOPING, &v) < 0) { 386 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 387 errno, "SIOCSNOOPING"); 388 goto bad; 389 } 390 391 p->bufsize = 4096; /* XXX */ 392 p->buffer = malloc(p->bufsize); 393 if (p->buffer == NULL) { 394 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 395 errno, "malloc"); 396 goto bad; 397 } 398 399 /* 400 * "p->fd" is a socket, so "select()" should work on it. 401 */ 402 p->selectable_fd = p->fd; 403 404 p->read_op = pcap_read_snoop; 405 p->inject_op = pcap_inject_snoop; 406 p->setfilter_op = install_bpf_program; /* no kernel filtering */ 407 p->setdirection_op = NULL; /* Not implemented. */ 408 p->set_datalink_op = NULL; /* can't change data link type */ 409 p->getnonblock_op = pcap_getnonblock_fd; 410 p->setnonblock_op = pcap_setnonblock_fd; 411 p->stats_op = pcap_stats_snoop; 412 413 return (0); 414 bad: 415 pcap_cleanup_live_common(p); 416 return (PCAP_ERROR); 417 } 418 419 pcap_t * 420 pcap_create_interface(const char *device _U_, char *ebuf) 421 { 422 pcap_t *p; 423 424 p = PCAP_CREATE_COMMON(ebuf, struct pcap_snoop); 425 if (p == NULL) 426 return (NULL); 427 428 p->activate_op = pcap_activate_snoop; 429 return (p); 430 } 431 432 /* 433 * XXX - there's probably a particular bind error that means "that device 434 * doesn't support snoop"; if so, we should try a bind and use that. 435 */ 436 static int 437 can_be_bound(const char *name _U_) 438 { 439 return (1); 440 } 441 442 static int 443 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_) 444 { 445 /* 446 * Nothing we can do. 447 * XXX - is there a way to find out whether an adapter has 448 * something plugged into it? 449 */ 450 return (0); 451 } 452 453 int 454 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf) 455 { 456 return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound, 457 get_if_flags)); 458 } 459 460 /* 461 * Libpcap version string. 462 */ 463 const char * 464 pcap_lib_version(void) 465 { 466 return (PCAP_VERSION_STRING); 467 } 468