1 /* -*- Mode: c; tab-width: 8; indent-tabs-mode: 1; c-basic-offset: 8; -*- */ 2 /* 3 * Copyright (c) 1993, 1994, 1995, 1996, 1997 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. All advertising materials mentioning features or use of this software 15 * must display the following acknowledgement: 16 * This product includes software developed by the Computer Systems 17 * Engineering Group at Lawrence Berkeley Laboratory. 18 * 4. Neither the name of the University nor of the Laboratory may be used 19 * to endorse or promote products derived from this software without 20 * specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 /* 36 * Remote packet capture mechanisms and extensions from WinPcap: 37 * 38 * Copyright (c) 2002 - 2003 39 * NetGroup, Politecnico di Torino (Italy) 40 * All rights reserved. 41 * 42 * Redistribution and use in source and binary forms, with or without 43 * modification, are permitted provided that the following conditions 44 * are met: 45 * 46 * 1. Redistributions of source code must retain the above copyright 47 * notice, this list of conditions and the following disclaimer. 48 * 2. Redistributions in binary form must reproduce the above copyright 49 * notice, this list of conditions and the following disclaimer in the 50 * documentation and/or other materials provided with the distribution. 51 * 3. Neither the name of the Politecnico di Torino nor the names of its 52 * contributors may be used to endorse or promote products derived from 53 * this software without specific prior written permission. 54 * 55 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 56 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 57 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 58 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 59 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 60 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 61 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 62 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 63 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 64 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 65 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 66 * 67 */ 68 69 #ifndef lib_pcap_pcap_h 70 #define lib_pcap_pcap_h 71 72 #include <pcap/funcattrs.h> 73 74 #include <pcap/pcap-inttypes.h> 75 76 #if defined(_WIN32) 77 #include <winsock2.h> /* u_int, u_char etc. */ 78 #include <io.h> /* _get_osfhandle() */ 79 #elif defined(MSDOS) 80 #include <sys/types.h> /* u_int, u_char etc. */ 81 #include <sys/socket.h> 82 #else /* UN*X */ 83 #include <sys/types.h> /* u_int, u_char etc. */ 84 #include <sys/time.h> 85 #endif /* _WIN32/MSDOS/UN*X */ 86 87 #include <pcap/socket.h> /* for SOCKET, as the active-mode rpcap APIs use it */ 88 89 #ifndef PCAP_DONT_INCLUDE_PCAP_BPF_H 90 #include <pcap/bpf.h> 91 #endif 92 93 #include <stdio.h> 94 95 #ifdef __cplusplus 96 extern "C" { 97 #endif 98 99 /* 100 * Version number of the current version of the pcap file format. 101 * 102 * NOTE: this is *NOT* the version number of the libpcap library. 103 * To fetch the version information for the version of libpcap 104 * you're using, use pcap_lib_version(). 105 */ 106 #define PCAP_VERSION_MAJOR 2 107 #define PCAP_VERSION_MINOR 4 108 109 #define PCAP_ERRBUF_SIZE 256 110 111 /* 112 * Compatibility for systems that have a bpf.h that 113 * predates the bpf typedefs for 64-bit support. 114 */ 115 #if BPF_RELEASE - 0 < 199406 116 typedef int bpf_int32; 117 typedef u_int bpf_u_int32; 118 #endif 119 120 typedef struct pcap pcap_t; 121 typedef struct pcap_dumper pcap_dumper_t; 122 typedef struct pcap_if pcap_if_t; 123 typedef struct pcap_addr pcap_addr_t; 124 125 /* 126 * The first record in the file contains saved values for some 127 * of the flags used in the printout phases of tcpdump. 128 * Many fields here are 32 bit ints so compilers won't insert unwanted 129 * padding; these files need to be interchangeable across architectures. 130 * 131 * Do not change the layout of this structure, in any way (this includes 132 * changes that only affect the length of fields in this structure). 133 * 134 * Also, do not change the interpretation of any of the members of this 135 * structure, in any way (this includes using values other than 136 * LINKTYPE_ values, as defined in "savefile.c", in the "linktype" 137 * field). 138 * 139 * Instead: 140 * 141 * introduce a new structure for the new format, if the layout 142 * of the structure changed; 143 * 144 * send mail to "tcpdump-workers@lists.tcpdump.org", requesting 145 * a new magic number for your new capture file format, and, when 146 * you get the new magic number, put it in "savefile.c"; 147 * 148 * use that magic number for save files with the changed file 149 * header; 150 * 151 * make the code in "savefile.c" capable of reading files with 152 * the old file header as well as files with the new file header 153 * (using the magic number to determine the header format). 154 * 155 * Then supply the changes by forking the branch at 156 * 157 * https://github.com/the-tcpdump-group/libpcap/issues 158 * 159 * and issuing a pull request, so that future versions of libpcap and 160 * programs that use it (such as tcpdump) will be able to read your new 161 * capture file format. 162 */ 163 struct pcap_file_header { 164 bpf_u_int32 magic; 165 u_short version_major; 166 u_short version_minor; 167 bpf_int32 thiszone; /* gmt to local correction */ 168 bpf_u_int32 sigfigs; /* accuracy of timestamps */ 169 bpf_u_int32 snaplen; /* max length saved portion of each pkt */ 170 bpf_u_int32 linktype; /* data link type (LINKTYPE_*) */ 171 }; 172 173 /* 174 * Macros for the value returned by pcap_datalink_ext(). 175 * 176 * If LT_FCS_LENGTH_PRESENT(x) is true, the LT_FCS_LENGTH(x) macro 177 * gives the FCS length of packets in the capture. 178 */ 179 #define LT_FCS_LENGTH_PRESENT(x) ((x) & 0x04000000) 180 #define LT_FCS_LENGTH(x) (((x) & 0xF0000000) >> 28) 181 #define LT_FCS_DATALINK_EXT(x) ((((x) & 0xF) << 28) | 0x04000000) 182 183 typedef enum { 184 PCAP_D_INOUT = 0, 185 PCAP_D_IN, 186 PCAP_D_OUT 187 } pcap_direction_t; 188 189 /* 190 * Generic per-packet information, as supplied by libpcap. 191 * 192 * The time stamp can and should be a "struct timeval", regardless of 193 * whether your system supports 32-bit tv_sec in "struct timeval", 194 * 64-bit tv_sec in "struct timeval", or both if it supports both 32-bit 195 * and 64-bit applications. The on-disk format of savefiles uses 32-bit 196 * tv_sec (and tv_usec); this structure is irrelevant to that. 32-bit 197 * and 64-bit versions of libpcap, even if they're on the same platform, 198 * should supply the appropriate version of "struct timeval", even if 199 * that's not what the underlying packet capture mechanism supplies. 200 */ 201 struct pcap_pkthdr { 202 struct timeval ts; /* time stamp */ 203 bpf_u_int32 caplen; /* length of portion present */ 204 bpf_u_int32 len; /* length this packet (off wire) */ 205 }; 206 207 /* 208 * As returned by the pcap_stats() 209 */ 210 struct pcap_stat { 211 u_int ps_recv; /* number of packets received */ 212 u_int ps_drop; /* number of packets dropped */ 213 u_int ps_ifdrop; /* drops by interface -- only supported on some platforms */ 214 #ifdef _WIN32 215 u_int ps_capt; /* number of packets that reach the application */ 216 u_int ps_sent; /* number of packets sent by the server on the network */ 217 u_int ps_netdrop; /* number of packets lost on the network */ 218 #endif /* _WIN32 */ 219 }; 220 221 #ifdef MSDOS 222 /* 223 * As returned by the pcap_stats_ex() 224 */ 225 struct pcap_stat_ex { 226 u_long rx_packets; /* total packets received */ 227 u_long tx_packets; /* total packets transmitted */ 228 u_long rx_bytes; /* total bytes received */ 229 u_long tx_bytes; /* total bytes transmitted */ 230 u_long rx_errors; /* bad packets received */ 231 u_long tx_errors; /* packet transmit problems */ 232 u_long rx_dropped; /* no space in Rx buffers */ 233 u_long tx_dropped; /* no space available for Tx */ 234 u_long multicast; /* multicast packets received */ 235 u_long collisions; 236 237 /* detailed rx_errors: */ 238 u_long rx_length_errors; 239 u_long rx_over_errors; /* receiver ring buff overflow */ 240 u_long rx_crc_errors; /* recv'd pkt with crc error */ 241 u_long rx_frame_errors; /* recv'd frame alignment error */ 242 u_long rx_fifo_errors; /* recv'r fifo overrun */ 243 u_long rx_missed_errors; /* recv'r missed packet */ 244 245 /* detailed tx_errors */ 246 u_long tx_aborted_errors; 247 u_long tx_carrier_errors; 248 u_long tx_fifo_errors; 249 u_long tx_heartbeat_errors; 250 u_long tx_window_errors; 251 }; 252 #endif 253 254 /* 255 * Item in a list of interfaces. 256 */ 257 struct pcap_if { 258 struct pcap_if *next; 259 char *name; /* name to hand to "pcap_open_live()" */ 260 char *description; /* textual description of interface, or NULL */ 261 struct pcap_addr *addresses; 262 bpf_u_int32 flags; /* PCAP_IF_ interface flags */ 263 }; 264 265 #define PCAP_IF_LOOPBACK 0x00000001 /* interface is loopback */ 266 #define PCAP_IF_UP 0x00000002 /* interface is up */ 267 #define PCAP_IF_RUNNING 0x00000004 /* interface is running */ 268 #define PCAP_IF_WIRELESS 0x00000008 /* interface is wireless (*NOT* necessarily Wi-Fi!) */ 269 #define PCAP_IF_CONNECTION_STATUS 0x00000030 /* connection status: */ 270 #define PCAP_IF_CONNECTION_STATUS_UNKNOWN 0x00000000 /* unknown */ 271 #define PCAP_IF_CONNECTION_STATUS_CONNECTED 0x00000010 /* connected */ 272 #define PCAP_IF_CONNECTION_STATUS_DISCONNECTED 0x00000020 /* disconnected */ 273 #define PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE 0x00000030 /* not applicable */ 274 275 /* 276 * Representation of an interface address. 277 */ 278 struct pcap_addr { 279 struct pcap_addr *next; 280 struct sockaddr *addr; /* address */ 281 struct sockaddr *netmask; /* netmask for that address */ 282 struct sockaddr *broadaddr; /* broadcast address for that address */ 283 struct sockaddr *dstaddr; /* P2P destination address for that address */ 284 }; 285 286 typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *, 287 const u_char *); 288 289 /* 290 * Error codes for the pcap API. 291 * These will all be negative, so you can check for the success or 292 * failure of a call that returns these codes by checking for a 293 * negative value. 294 */ 295 #define PCAP_ERROR -1 /* generic error code */ 296 #define PCAP_ERROR_BREAK -2 /* loop terminated by pcap_breakloop */ 297 #define PCAP_ERROR_NOT_ACTIVATED -3 /* the capture needs to be activated */ 298 #define PCAP_ERROR_ACTIVATED -4 /* the operation can't be performed on already activated captures */ 299 #define PCAP_ERROR_NO_SUCH_DEVICE -5 /* no such device exists */ 300 #define PCAP_ERROR_RFMON_NOTSUP -6 /* this device doesn't support rfmon (monitor) mode */ 301 #define PCAP_ERROR_NOT_RFMON -7 /* operation supported only in monitor mode */ 302 #define PCAP_ERROR_PERM_DENIED -8 /* no permission to open the device */ 303 #define PCAP_ERROR_IFACE_NOT_UP -9 /* interface isn't up */ 304 #define PCAP_ERROR_CANTSET_TSTAMP_TYPE -10 /* this device doesn't support setting the time stamp type */ 305 #define PCAP_ERROR_PROMISC_PERM_DENIED -11 /* you don't have permission to capture in promiscuous mode */ 306 #define PCAP_ERROR_TSTAMP_PRECISION_NOTSUP -12 /* the requested time stamp precision is not supported */ 307 308 /* 309 * Warning codes for the pcap API. 310 * These will all be positive and non-zero, so they won't look like 311 * errors. 312 */ 313 #define PCAP_WARNING 1 /* generic warning code */ 314 #define PCAP_WARNING_PROMISC_NOTSUP 2 /* this device doesn't support promiscuous mode */ 315 #define PCAP_WARNING_TSTAMP_TYPE_NOTSUP 3 /* the requested time stamp type is not supported */ 316 317 /* 318 * Value to pass to pcap_compile() as the netmask if you don't know what 319 * the netmask is. 320 */ 321 #define PCAP_NETMASK_UNKNOWN 0xffffffff 322 323 /* 324 * We're deprecating pcap_lookupdev() for various reasons (not 325 * thread-safe, can behave weirdly with WinPcap). Callers 326 * should use pcap_findalldevs() and use the first device. 327 */ 328 PCAP_API char *pcap_lookupdev(char *) 329 PCAP_DEPRECATED(pcap_lookupdev, "use 'pcap_findalldevs' and use the first device"); 330 331 PCAP_API int pcap_lookupnet(const char *, bpf_u_int32 *, bpf_u_int32 *, char *); 332 333 PCAP_API pcap_t *pcap_create(const char *, char *); 334 PCAP_API int pcap_set_snaplen(pcap_t *, int); 335 PCAP_API int pcap_set_promisc(pcap_t *, int); 336 PCAP_API int pcap_can_set_rfmon(pcap_t *); 337 PCAP_API int pcap_set_rfmon(pcap_t *, int); 338 PCAP_API int pcap_set_timeout(pcap_t *, int); 339 PCAP_API int pcap_set_tstamp_type(pcap_t *, int); 340 PCAP_API int pcap_set_immediate_mode(pcap_t *, int); 341 PCAP_API int pcap_set_buffer_size(pcap_t *, int); 342 PCAP_API int pcap_set_tstamp_precision(pcap_t *, int); 343 PCAP_API int pcap_get_tstamp_precision(pcap_t *); 344 PCAP_API int pcap_activate(pcap_t *); 345 346 PCAP_API int pcap_list_tstamp_types(pcap_t *, int **); 347 PCAP_API void pcap_free_tstamp_types(int *); 348 PCAP_API int pcap_tstamp_type_name_to_val(const char *); 349 PCAP_API const char *pcap_tstamp_type_val_to_name(int); 350 PCAP_API const char *pcap_tstamp_type_val_to_description(int); 351 352 #ifdef __linux__ 353 PCAP_API int pcap_set_protocol_linux(pcap_t *, int); 354 #endif 355 356 /* 357 * Time stamp types. 358 * Not all systems and interfaces will necessarily support all of these. 359 * 360 * A system that supports PCAP_TSTAMP_HOST is offering time stamps 361 * provided by the host machine, rather than by the capture device, 362 * but not committing to any characteristics of the time stamp; 363 * it will not offer any of the PCAP_TSTAMP_HOST_ subtypes. 364 * 365 * PCAP_TSTAMP_HOST_LOWPREC is a time stamp, provided by the host machine, 366 * that's low-precision but relatively cheap to fetch; it's normally done 367 * using the system clock, so it's normally synchronized with times you'd 368 * fetch from system calls. 369 * 370 * PCAP_TSTAMP_HOST_HIPREC is a time stamp, provided by the host machine, 371 * that's high-precision; it might be more expensive to fetch. It might 372 * or might not be synchronized with the system clock, and might have 373 * problems with time stamps for packets received on different CPUs, 374 * depending on the platform. 375 * 376 * PCAP_TSTAMP_ADAPTER is a high-precision time stamp supplied by the 377 * capture device; it's synchronized with the system clock. 378 * 379 * PCAP_TSTAMP_ADAPTER_UNSYNCED is a high-precision time stamp supplied by 380 * the capture device; it's not synchronized with the system clock. 381 * 382 * Note that time stamps synchronized with the system clock can go 383 * backwards, as the system clock can go backwards. If a clock is 384 * not in sync with the system clock, that could be because the 385 * system clock isn't keeping accurate time, because the other 386 * clock isn't keeping accurate time, or both. 387 * 388 * Note that host-provided time stamps generally correspond to the 389 * time when the time-stamping code sees the packet; this could 390 * be some unknown amount of time after the first or last bit of 391 * the packet is received by the network adapter, due to batching 392 * of interrupts for packet arrival, queueing delays, etc.. 393 */ 394 #define PCAP_TSTAMP_HOST 0 /* host-provided, unknown characteristics */ 395 #define PCAP_TSTAMP_HOST_LOWPREC 1 /* host-provided, low precision */ 396 #define PCAP_TSTAMP_HOST_HIPREC 2 /* host-provided, high precision */ 397 #define PCAP_TSTAMP_ADAPTER 3 /* device-provided, synced with the system clock */ 398 #define PCAP_TSTAMP_ADAPTER_UNSYNCED 4 /* device-provided, not synced with the system clock */ 399 400 /* 401 * Time stamp resolution types. 402 * Not all systems and interfaces will necessarily support all of these 403 * resolutions when doing live captures; all of them can be requested 404 * when reading a savefile. 405 */ 406 #define PCAP_TSTAMP_PRECISION_MICRO 0 /* use timestamps with microsecond precision, default */ 407 #define PCAP_TSTAMP_PRECISION_NANO 1 /* use timestamps with nanosecond precision */ 408 409 PCAP_API pcap_t *pcap_open_live(const char *, int, int, int, char *); 410 PCAP_API pcap_t *pcap_open_dead(int, int); 411 PCAP_API pcap_t *pcap_open_dead_with_tstamp_precision(int, int, u_int); 412 PCAP_API pcap_t *pcap_open_offline_with_tstamp_precision(const char *, u_int, char *); 413 PCAP_API pcap_t *pcap_open_offline(const char *, char *); 414 #ifdef _WIN32 415 PCAP_API pcap_t *pcap_hopen_offline_with_tstamp_precision(intptr_t, u_int, char *); 416 PCAP_API pcap_t *pcap_hopen_offline(intptr_t, char *); 417 /* 418 * If we're building libpcap, these are internal routines in savefile.c, 419 * so we must not define them as macros. 420 * 421 * If we're not building libpcap, given that the version of the C runtime 422 * with which libpcap was built might be different from the version 423 * of the C runtime with which an application using libpcap was built, 424 * and that a FILE structure may differ between the two versions of the 425 * C runtime, calls to _fileno() must use the version of _fileno() in 426 * the C runtime used to open the FILE *, not the version in the C 427 * runtime with which libpcap was built. (Maybe once the Universal CRT 428 * rules the world, this will cease to be a problem.) 429 */ 430 #ifndef BUILDING_PCAP 431 #define pcap_fopen_offline_with_tstamp_precision(f,p,b) \ 432 pcap_hopen_offline_with_tstamp_precision(_get_osfhandle(_fileno(f)), p, b) 433 #define pcap_fopen_offline(f,b) \ 434 pcap_hopen_offline(_get_osfhandle(_fileno(f)), b) 435 #endif 436 #else /*_WIN32*/ 437 PCAP_API pcap_t *pcap_fopen_offline_with_tstamp_precision(FILE *, u_int, char *); 438 PCAP_API pcap_t *pcap_fopen_offline(FILE *, char *); 439 #endif /*_WIN32*/ 440 441 PCAP_API void pcap_close(pcap_t *); 442 PCAP_API int pcap_loop(pcap_t *, int, pcap_handler, u_char *); 443 PCAP_API int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *); 444 PCAP_API const u_char *pcap_next(pcap_t *, struct pcap_pkthdr *); 445 PCAP_API int pcap_next_ex(pcap_t *, struct pcap_pkthdr **, const u_char **); 446 PCAP_API void pcap_breakloop(pcap_t *); 447 PCAP_API int pcap_stats(pcap_t *, struct pcap_stat *); 448 PCAP_API int pcap_setfilter(pcap_t *, struct bpf_program *); 449 PCAP_API int pcap_setdirection(pcap_t *, pcap_direction_t); 450 PCAP_API int pcap_getnonblock(pcap_t *, char *); 451 PCAP_API int pcap_setnonblock(pcap_t *, int, char *); 452 PCAP_API int pcap_inject(pcap_t *, const void *, size_t); 453 PCAP_API int pcap_sendpacket(pcap_t *, const u_char *, int); 454 PCAP_API const char *pcap_statustostr(int); 455 PCAP_API const char *pcap_strerror(int); 456 PCAP_API char *pcap_geterr(pcap_t *); 457 PCAP_API void pcap_perror(pcap_t *, const char *); 458 PCAP_API int pcap_compile(pcap_t *, struct bpf_program *, const char *, int, 459 bpf_u_int32); 460 PCAP_API int pcap_compile_nopcap(int, int, struct bpf_program *, 461 const char *, int, bpf_u_int32); 462 PCAP_API void pcap_freecode(struct bpf_program *); 463 PCAP_API int pcap_offline_filter(const struct bpf_program *, 464 const struct pcap_pkthdr *, const u_char *); 465 PCAP_API int pcap_datalink(pcap_t *); 466 PCAP_API int pcap_datalink_ext(pcap_t *); 467 PCAP_API int pcap_list_datalinks(pcap_t *, int **); 468 PCAP_API int pcap_set_datalink(pcap_t *, int); 469 PCAP_API void pcap_free_datalinks(int *); 470 PCAP_API int pcap_datalink_name_to_val(const char *); 471 PCAP_API const char *pcap_datalink_val_to_name(int); 472 PCAP_API const char *pcap_datalink_val_to_description(int); 473 PCAP_API const char *pcap_datalink_val_to_description_or_dlt(int); 474 PCAP_API int pcap_snapshot(pcap_t *); 475 PCAP_API int pcap_is_swapped(pcap_t *); 476 PCAP_API int pcap_major_version(pcap_t *); 477 PCAP_API int pcap_minor_version(pcap_t *); 478 PCAP_API int pcap_bufsize(pcap_t *); 479 480 /* XXX */ 481 PCAP_API FILE *pcap_file(pcap_t *); 482 PCAP_API int pcap_fileno(pcap_t *); 483 484 #ifdef _WIN32 485 PCAP_API int pcap_wsockinit(void); 486 #endif 487 488 PCAP_API pcap_dumper_t *pcap_dump_open(pcap_t *, const char *); 489 #ifdef _WIN32 490 PCAP_API pcap_dumper_t *pcap_dump_hopen(pcap_t *, intptr_t); 491 /* 492 * If we're building libpcap, this is an internal routine in sf-pcap.c, so 493 * we must not define it as a macro. 494 * 495 * If we're not building libpcap, given that the version of the C runtime 496 * with which libpcap was built might be different from the version 497 * of the C runtime with which an application using libpcap was built, 498 * and that a FILE structure may differ between the two versions of the 499 * C runtime, calls to _fileno() must use the version of _fileno() in 500 * the C runtime used to open the FILE *, not the version in the C 501 * runtime with which libpcap was built. (Maybe once the Universal CRT 502 * rules the world, this will cease to be a problem.) 503 */ 504 #ifndef BUILDING_PCAP 505 #define pcap_dump_fopen(p,f) \ 506 pcap_dump_hopen(p, _get_osfhandle(_fileno(f))) 507 #endif 508 #else /*_WIN32*/ 509 PCAP_API pcap_dumper_t *pcap_dump_fopen(pcap_t *, FILE *fp); 510 #endif /*_WIN32*/ 511 PCAP_API pcap_dumper_t *pcap_dump_open_append(pcap_t *, const char *); 512 PCAP_API FILE *pcap_dump_file(pcap_dumper_t *); 513 PCAP_API long pcap_dump_ftell(pcap_dumper_t *); 514 PCAP_API int64_t pcap_dump_ftell64(pcap_dumper_t *); 515 PCAP_API int pcap_dump_flush(pcap_dumper_t *); 516 PCAP_API void pcap_dump_close(pcap_dumper_t *); 517 PCAP_API void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *); 518 519 PCAP_API int pcap_findalldevs(pcap_if_t **, char *); 520 PCAP_API void pcap_freealldevs(pcap_if_t *); 521 522 /* 523 * We return a pointer to the version string, rather than exporting the 524 * version string directly. 525 * 526 * On at least some UNIXes, if you import data from a shared library into 527 * an program, the data is bound into the program binary, so if the string 528 * in the version of the library with which the program was linked isn't 529 * the same as the string in the version of the library with which the 530 * program is being run, various undesirable things may happen (warnings, 531 * the string being the one from the version of the library with which the 532 * program was linked, or even weirder things, such as the string being the 533 * one from the library but being truncated). 534 * 535 * On Windows, the string is constructed at run time. 536 */ 537 PCAP_API const char *pcap_lib_version(void); 538 539 /* 540 * On at least some versions of NetBSD and QNX, we don't want to declare 541 * bpf_filter() here, as it's also be declared in <net/bpf.h>, with a 542 * different signature, but, on other BSD-flavored UN*Xes, it's not 543 * declared in <net/bpf.h>, so we *do* want to declare it here, so it's 544 * declared when we build pcap-bpf.c. 545 */ 546 #if !defined(__NetBSD__) && !defined(__QNX__) 547 PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int); 548 #endif 549 PCAP_API int bpf_validate(const struct bpf_insn *f, int len); 550 PCAP_API char *bpf_image(const struct bpf_insn *, int); 551 PCAP_API void bpf_dump(const struct bpf_program *, int); 552 553 #if defined(_WIN32) 554 555 /* 556 * Win32 definitions 557 */ 558 559 /*! 560 \brief A queue of raw packets that will be sent to the network with pcap_sendqueue_transmit(). 561 */ 562 struct pcap_send_queue 563 { 564 u_int maxlen; /* Maximum size of the queue, in bytes. This 565 variable contains the size of the buffer field. */ 566 u_int len; /* Current size of the queue, in bytes. */ 567 char *buffer; /* Buffer containing the packets to be sent. */ 568 }; 569 570 typedef struct pcap_send_queue pcap_send_queue; 571 572 /*! 573 \brief This typedef is a support for the pcap_get_airpcap_handle() function 574 */ 575 #if !defined(AIRPCAP_HANDLE__EAE405F5_0171_9592_B3C2_C19EC426AD34__DEFINED_) 576 #define AIRPCAP_HANDLE__EAE405F5_0171_9592_B3C2_C19EC426AD34__DEFINED_ 577 typedef struct _AirpcapHandle *PAirpcapHandle; 578 #endif 579 580 PCAP_API int pcap_setbuff(pcap_t *p, int dim); 581 PCAP_API int pcap_setmode(pcap_t *p, int mode); 582 PCAP_API int pcap_setmintocopy(pcap_t *p, int size); 583 584 PCAP_API HANDLE pcap_getevent(pcap_t *p); 585 586 PCAP_API int pcap_oid_get_request(pcap_t *, bpf_u_int32, void *, size_t *); 587 PCAP_API int pcap_oid_set_request(pcap_t *, bpf_u_int32, const void *, size_t *); 588 589 PCAP_API pcap_send_queue* pcap_sendqueue_alloc(u_int memsize); 590 591 PCAP_API void pcap_sendqueue_destroy(pcap_send_queue* queue); 592 593 PCAP_API int pcap_sendqueue_queue(pcap_send_queue* queue, const struct pcap_pkthdr *pkt_header, const u_char *pkt_data); 594 595 PCAP_API u_int pcap_sendqueue_transmit(pcap_t *p, pcap_send_queue* queue, int sync); 596 597 PCAP_API struct pcap_stat *pcap_stats_ex(pcap_t *p, int *pcap_stat_size); 598 599 PCAP_API int pcap_setuserbuffer(pcap_t *p, int size); 600 601 PCAP_API int pcap_live_dump(pcap_t *p, char *filename, int maxsize, int maxpacks); 602 603 PCAP_API int pcap_live_dump_ended(pcap_t *p, int sync); 604 605 PCAP_API int pcap_start_oem(char* err_str, int flags); 606 607 PCAP_API PAirpcapHandle pcap_get_airpcap_handle(pcap_t *p); 608 609 #define MODE_CAPT 0 610 #define MODE_STAT 1 611 #define MODE_MON 2 612 613 #elif defined(MSDOS) 614 615 /* 616 * MS-DOS definitions 617 */ 618 619 PCAP_API int pcap_stats_ex (pcap_t *, struct pcap_stat_ex *); 620 PCAP_API void pcap_set_wait (pcap_t *p, void (*yield)(void), int wait); 621 PCAP_API u_long pcap_mac_packets (void); 622 623 #else /* UN*X */ 624 625 /* 626 * UN*X definitions 627 */ 628 629 PCAP_API int pcap_get_selectable_fd(pcap_t *); 630 PCAP_API struct timeval *pcap_get_required_select_timeout(pcap_t *); 631 632 #endif /* _WIN32/MSDOS/UN*X */ 633 634 #if 0 /* Remote capture is disabled on FreeBSD */ 635 /* 636 * Remote capture definitions. 637 * 638 * These routines are only present if libpcap has been configured to 639 * include remote capture support. 640 */ 641 642 /* 643 * The maximum buffer size in which address, port, interface names are kept. 644 * 645 * In case the adapter name or such is larger than this value, it is truncated. 646 * This is not used by the user; however it must be aware that an hostname / interface 647 * name longer than this value will be truncated. 648 */ 649 #define PCAP_BUF_SIZE 1024 650 651 /* 652 * The type of input source, passed to pcap_open(). 653 */ 654 #define PCAP_SRC_FILE 2 /* local savefile */ 655 #define PCAP_SRC_IFLOCAL 3 /* local network interface */ 656 #define PCAP_SRC_IFREMOTE 4 /* interface on a remote host, using RPCAP */ 657 658 /* 659 * The formats allowed by pcap_open() are the following: 660 * - file://path_and_filename [opens a local file] 661 * - rpcap://devicename [opens the selected device devices available on the local host, without using the RPCAP protocol] 662 * - rpcap://host/devicename [opens the selected device available on a remote host] 663 * - rpcap://host:port/devicename [opens the selected device available on a remote host, using a non-standard port for RPCAP] 664 * - adaptername [to open a local adapter; kept for compability, but it is strongly discouraged] 665 * - (NULL) [to open the first local adapter; kept for compability, but it is strongly discouraged] 666 * 667 * The formats allowed by the pcap_findalldevs_ex() are the following: 668 * - file://folder/ [lists all the files in the given folder] 669 * - rpcap:// [lists all local adapters] 670 * - rpcap://host:port/ [lists the devices available on a remote host] 671 * 672 * Referring to the 'host' and 'port' parameters, they can be either numeric or literal. Since 673 * IPv6 is fully supported, these are the allowed formats: 674 * 675 * - host (literal): e.g. host.foo.bar 676 * - host (numeric IPv4): e.g. 10.11.12.13 677 * - host (numeric IPv4, IPv6 style): e.g. [10.11.12.13] 678 * - host (numeric IPv6): e.g. [1:2:3::4] 679 * - port: can be either numeric (e.g. '80') or literal (e.g. 'http') 680 * 681 * Here you find some allowed examples: 682 * - rpcap://host.foo.bar/devicename [everything literal, no port number] 683 * - rpcap://host.foo.bar:1234/devicename [everything literal, with port number] 684 * - rpcap://10.11.12.13/devicename [IPv4 numeric, no port number] 685 * - rpcap://10.11.12.13:1234/devicename [IPv4 numeric, with port number] 686 * - rpcap://[10.11.12.13]:1234/devicename [IPv4 numeric with IPv6 format, with port number] 687 * - rpcap://[1:2:3::4]/devicename [IPv6 numeric, no port number] 688 * - rpcap://[1:2:3::4]:1234/devicename [IPv6 numeric, with port number] 689 * - rpcap://[1:2:3::4]:http/devicename [IPv6 numeric, with literal port number] 690 */ 691 692 /* 693 * URL schemes for capture source. 694 */ 695 /* 696 * This string indicates that the user wants to open a capture from a 697 * local file. 698 */ 699 #define PCAP_SRC_FILE_STRING "file://" 700 /* 701 * This string indicates that the user wants to open a capture from a 702 * network interface. This string does not necessarily involve the use 703 * of the RPCAP protocol. If the interface required resides on the local 704 * host, the RPCAP protocol is not involved and the local functions are used. 705 */ 706 #define PCAP_SRC_IF_STRING "rpcap://" 707 708 /* 709 * Flags to pass to pcap_open(). 710 */ 711 712 /* 713 * Specifies whether promiscuous mode is to be used. 714 */ 715 #define PCAP_OPENFLAG_PROMISCUOUS 0x00000001 716 717 /* 718 * Specifies, for an RPCAP capture, whether the data transfer (in 719 * case of a remote capture) has to be done with UDP protocol. 720 * 721 * If it is '1' if you want a UDP data connection, '0' if you want 722 * a TCP data connection; control connection is always TCP-based. 723 * A UDP connection is much lighter, but it does not guarantee that all 724 * the captured packets arrive to the client workstation. Moreover, 725 * it could be harmful in case of network congestion. 726 * This flag is meaningless if the source is not a remote interface. 727 * In that case, it is simply ignored. 728 */ 729 #define PCAP_OPENFLAG_DATATX_UDP 0x00000002 730 731 /* 732 * Specifies wheether the remote probe will capture its own generated 733 * traffic. 734 * 735 * In case the remote probe uses the same interface to capture traffic 736 * and to send data back to the caller, the captured traffic includes 737 * the RPCAP traffic as well. If this flag is turned on, the RPCAP 738 * traffic is excluded from the capture, so that the trace returned 739 * back to the collector is does not include this traffic. 740 * 741 * Has no effect on local interfaces or savefiles. 742 */ 743 #define PCAP_OPENFLAG_NOCAPTURE_RPCAP 0x00000004 744 745 /* 746 * Specifies whether the local adapter will capture its own generated traffic. 747 * 748 * This flag tells the underlying capture driver to drop the packets 749 * that were sent by itself. This is useful when building applications 750 * such as bridges that should ignore the traffic they just sent. 751 * 752 * Supported only on Windows. 753 */ 754 #define PCAP_OPENFLAG_NOCAPTURE_LOCAL 0x00000008 755 756 /* 757 * This flag configures the adapter for maximum responsiveness. 758 * 759 * In presence of a large value for nbytes, WinPcap waits for the arrival 760 * of several packets before copying the data to the user. This guarantees 761 * a low number of system calls, i.e. lower processor usage, i.e. better 762 * performance, which is good for applications like sniffers. If the user 763 * sets the PCAP_OPENFLAG_MAX_RESPONSIVENESS flag, the capture driver will 764 * copy the packets as soon as the application is ready to receive them. 765 * This is suggested for real time applications (such as, for example, 766 * a bridge) that need the best responsiveness. 767 * 768 * The equivalent with pcap_create()/pcap_activate() is "immediate mode". 769 */ 770 #define PCAP_OPENFLAG_MAX_RESPONSIVENESS 0x00000010 771 772 /* 773 * Remote authentication methods. 774 * These are used in the 'type' member of the pcap_rmtauth structure. 775 */ 776 777 /* 778 * NULL authentication. 779 * 780 * The 'NULL' authentication has to be equal to 'zero', so that old 781 * applications can just put every field of struct pcap_rmtauth to zero, 782 * and it does work. 783 */ 784 #define RPCAP_RMTAUTH_NULL 0 785 /* 786 * Username/password authentication. 787 * 788 * With this type of authentication, the RPCAP protocol will use the username/ 789 * password provided to authenticate the user on the remote machine. If the 790 * authentication is successful (and the user has the right to open network 791 * devices) the RPCAP connection will continue; otherwise it will be dropped. 792 * 793 * *******NOTE********: the username and password are sent over the network 794 * to the capture server *IN CLEAR TEXT*. Don't use this on a network 795 * that you don't completely control! (And be *really* careful in your 796 * definition of "completely"!) 797 */ 798 #define RPCAP_RMTAUTH_PWD 1 799 800 /* 801 * This structure keeps the information needed to autheticate the user 802 * on a remote machine. 803 * 804 * The remote machine can either grant or refuse the access according 805 * to the information provided. 806 * In case the NULL authentication is required, both 'username' and 807 * 'password' can be NULL pointers. 808 * 809 * This structure is meaningless if the source is not a remote interface; 810 * in that case, the functions which requires such a structure can accept 811 * a NULL pointer as well. 812 */ 813 struct pcap_rmtauth 814 { 815 /* 816 * \brief Type of the authentication required. 817 * 818 * In order to provide maximum flexibility, we can support different types 819 * of authentication based on the value of this 'type' variable. The currently 820 * supported authentication methods are defined into the 821 * \link remote_auth_methods Remote Authentication Methods Section\endlink. 822 */ 823 int type; 824 /* 825 * \brief Zero-terminated string containing the username that has to be 826 * used on the remote machine for authentication. 827 * 828 * This field is meaningless in case of the RPCAP_RMTAUTH_NULL authentication 829 * and it can be NULL. 830 */ 831 char *username; 832 /* 833 * \brief Zero-terminated string containing the password that has to be 834 * used on the remote machine for authentication. 835 * 836 * This field is meaningless in case of the RPCAP_RMTAUTH_NULL authentication 837 * and it can be NULL. 838 */ 839 char *password; 840 }; 841 842 /* 843 * This routine can open a savefile, a local device, or a device on 844 * a remote machine running an RPCAP server. 845 * 846 * For opening a savefile, the pcap_open_offline routines can be used, 847 * and will work just as well; code using them will work on more 848 * platforms than code using pcap_open() to open savefiles. 849 * 850 * For opening a local device, pcap_open_live() can be used; it supports 851 * most of the capabilities that pcap_open() supports, and code using it 852 * will work on more platforms than code using pcap_open(). pcap_create() 853 * and pcap_activate() can also be used; they support all capabilities 854 * that pcap_open() supports, except for the Windows-only 855 * PCAP_OPENFLAG_NOCAPTURE_LOCAL, and support additional capabilities. 856 * 857 * For opening a remote capture, pcap_open() is currently the only 858 * API available. 859 */ 860 PCAP_API pcap_t *pcap_open(const char *source, int snaplen, int flags, 861 int read_timeout, struct pcap_rmtauth *auth, char *errbuf); 862 PCAP_API int pcap_createsrcstr(char *source, int type, const char *host, 863 const char *port, const char *name, char *errbuf); 864 PCAP_API int pcap_parsesrcstr(const char *source, int *type, char *host, 865 char *port, char *name, char *errbuf); 866 867 /* 868 * This routine can scan a directory for savefiles, list local capture 869 * devices, or list capture devices on a remote machine running an RPCAP 870 * server. 871 * 872 * For scanning for savefiles, it can be used on both UN*X systems and 873 * Windows systems; for each directory entry it sees, it tries to open 874 * the file as a savefile using pcap_open_offline(), and only includes 875 * it in the list of files if the open succeeds, so it filters out 876 * files for which the user doesn't have read permission, as well as 877 * files that aren't valid savefiles readable by libpcap. 878 * 879 * For listing local capture devices, it's just a wrapper around 880 * pcap_findalldevs(); code using pcap_findalldevs() will work on more 881 * platforms than code using pcap_findalldevs_ex(). 882 * 883 * For listing remote capture devices, pcap_findalldevs_ex() is currently 884 * the only API available. 885 */ 886 PCAP_API int pcap_findalldevs_ex(const char *source, 887 struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf); 888 889 /* 890 * Sampling methods. 891 * 892 * These allow pcap_loop(), pcap_dispatch(), pcap_next(), and pcap_next_ex() 893 * to see only a sample of packets, rather than all packets. 894 * 895 * Currently, they work only on Windows local captures. 896 */ 897 898 /* 899 * Specifies that no sampling is to be done on the current capture. 900 * 901 * In this case, no sampling algorithms are applied to the current capture. 902 */ 903 #define PCAP_SAMP_NOSAMP 0 904 905 /* 906 * Specifies that only 1 out of N packets must be returned to the user. 907 * 908 * In this case, the 'value' field of the 'pcap_samp' structure indicates the 909 * number of packets (minus 1) that must be discarded before one packet got 910 * accepted. 911 * In other words, if 'value = 10', the first packet is returned to the 912 * caller, while the following 9 are discarded. 913 */ 914 #define PCAP_SAMP_1_EVERY_N 1 915 916 /* 917 * Specifies that we have to return 1 packet every N milliseconds. 918 * 919 * In this case, the 'value' field of the 'pcap_samp' structure indicates 920 * the 'waiting time' in milliseconds before one packet got accepted. 921 * In other words, if 'value = 10', the first packet is returned to the 922 * caller; the next returned one will be the first packet that arrives 923 * when 10ms have elapsed. 924 */ 925 #define PCAP_SAMP_FIRST_AFTER_N_MS 2 926 927 /* 928 * This structure defines the information related to sampling. 929 * 930 * In case the sampling is requested, the capturing device should read 931 * only a subset of the packets coming from the source. The returned packets 932 * depend on the sampling parameters. 933 * 934 * WARNING: The sampling process is applied *after* the filtering process. 935 * In other words, packets are filtered first, then the sampling process 936 * selects a subset of the 'filtered' packets and it returns them to the 937 * caller. 938 */ 939 struct pcap_samp 940 { 941 /* 942 * Method used for sampling; see above. 943 */ 944 int method; 945 946 /* 947 * This value depends on the sampling method defined. 948 * For its meaning, see above. 949 */ 950 int value; 951 }; 952 953 /* 954 * New functions. 955 */ 956 PCAP_API struct pcap_samp *pcap_setsampling(pcap_t *p); 957 958 /* 959 * RPCAP active mode. 960 */ 961 962 /* Maximum length of an host name (needed for the RPCAP active mode) */ 963 #define RPCAP_HOSTLIST_SIZE 1024 964 965 PCAP_API SOCKET pcap_remoteact_accept(const char *address, const char *port, 966 const char *hostlist, char *connectinghost, 967 struct pcap_rmtauth *auth, char *errbuf); 968 PCAP_API int pcap_remoteact_list(char *hostlist, char sep, int size, 969 char *errbuf); 970 PCAP_API int pcap_remoteact_close(const char *host, char *errbuf); 971 PCAP_API void pcap_remoteact_cleanup(void); 972 #endif /* Remote capture is disabled on FreeBSD */ 973 974 #ifdef __cplusplus 975 } 976 #endif 977 978 #endif /* lib_pcap_pcap_h */ 979