xref: /freebsd/contrib/tcpdump/tcpdump.c (revision 2830819497fb2deae3dd71574592ace55f2fbdba)
1 /*
2  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * Support for splitting captures into multiple files with a maximum
22  * file size:
23  *
24  * Copyright (c) 2001
25  *	Seth Webster <swebster@sst.ll.mit.edu>
26  */
27 
28 #ifndef lint
29 static const char copyright[] _U_ =
30     "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\
31 The Regents of the University of California.  All rights reserved.\n";
32 #endif
33 
34 /* $FreeBSD$ */
35 
36 /*
37  * tcpdump - monitor tcp/ip traffic on an ethernet.
38  *
39  * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory.
40  * Mercilessly hacked and occasionally improved since then via the
41  * combined efforts of Van, Steve McCanne and Craig Leres of LBL.
42  */
43 
44 #ifdef HAVE_CONFIG_H
45 #include "config.h"
46 #endif
47 
48 /*
49  * Mac OS X may ship pcap.h from libpcap 0.6 with a libpcap based on
50  * 0.8.  That means it has pcap_findalldevs() but the header doesn't
51  * define pcap_if_t, meaning that we can't actually *use* pcap_findalldevs().
52  */
53 #ifdef HAVE_PCAP_FINDALLDEVS
54 #ifndef HAVE_PCAP_IF_T
55 #undef HAVE_PCAP_FINDALLDEVS
56 #endif
57 #endif
58 
59 #include <tcpdump-stdinc.h>
60 
61 #ifdef WIN32
62 #include "w32_fzs.h"
63 extern int strcasecmp (const char *__s1, const char *__s2);
64 extern int SIZE_BUF;
65 #define off_t long
66 #define uint UINT
67 #endif /* WIN32 */
68 
69 #ifdef USE_LIBSMI
70 #include <smi.h>
71 #endif
72 
73 #ifdef HAVE_LIBCRYPTO
74 #include <openssl/crypto.h>
75 #endif
76 
77 #ifdef HAVE_GETOPT_LONG
78 #include <getopt.h>
79 #else
80 #include "getopt_long.h"
81 #endif
82 /* Capsicum-specific code requires macros from <net/bpf.h>, which will fail
83  * to compile if <pcap.h> has already been included; including the headers
84  * in the opposite order works fine.
85  */
86 #ifdef __FreeBSD__
87 #include <sys/capsicum.h>
88 #include <sys/sysctl.h>
89 #endif /* __FreeBSD__ */
90 #ifdef HAVE_CAPSICUM
91 #include <libcapsicum.h>
92 #include <libcapsicum_dns.h>
93 #include <libcapsicum_service.h>
94 #include <sys/nv.h>
95 #include <sys/capability.h>
96 #include <sys/ioccom.h>
97 #include <net/bpf.h>
98 #include <fcntl.h>
99 #include <libgen.h>
100 #endif	/* HAVE_CAPSICUM */
101 #include <pcap.h>
102 #include <signal.h>
103 #include <stdio.h>
104 #include <stdlib.h>
105 #include <string.h>
106 #include <limits.h>
107 #ifndef WIN32
108 #include <sys/wait.h>
109 #include <sys/resource.h>
110 #include <pwd.h>
111 #include <grp.h>
112 #endif /* WIN32 */
113 
114 /* capabilities convenience library */
115 /* If a code depends on HAVE_LIBCAP_NG, it depends also on HAVE_CAP_NG_H.
116  * If HAVE_CAP_NG_H is not defined, undefine HAVE_LIBCAP_NG.
117  * Thus, the later tests are done only on HAVE_LIBCAP_NG.
118  */
119 #ifdef HAVE_LIBCAP_NG
120 #ifdef HAVE_CAP_NG_H
121 #include <cap-ng.h>
122 #else
123 #undef HAVE_LIBCAP_NG
124 #endif /* HAVE_CAP_NG_H */
125 #endif /* HAVE_LIBCAP_NG */
126 
127 #include "netdissect.h"
128 #include "interface.h"
129 #include "addrtoname.h"
130 #include "machdep.h"
131 #include "setsignal.h"
132 #include "gmt2local.h"
133 #include "pcap-missing.h"
134 
135 #ifndef PATH_MAX
136 #define PATH_MAX 1024
137 #endif
138 
139 #ifdef SIGINFO
140 #define SIGNAL_REQ_INFO SIGINFO
141 #elif SIGUSR1
142 #define SIGNAL_REQ_INFO SIGUSR1
143 #endif
144 
145 netdissect_options Gndo;
146 netdissect_options *gndo = &Gndo;
147 
148 static int Dflag;			/* list available devices and exit */
149 static int dflag;			/* print filter code */
150 static int Lflag;			/* list available data link types and exit */
151 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
152 static int Jflag;			/* list available time stamp types */
153 #endif
154 #ifdef HAVE_PCAP_SETDIRECTION
155 int Qflag = -1;				/* restrict captured packet by send/receive direction */
156 #endif
157 static char *zflag = NULL;		/* compress each savefile using a specified command (like gzip or bzip2) */
158 
159 static int infodelay;
160 static int infoprint;
161 
162 char *program_name;
163 
164 #ifdef HAVE_CAPSICUM
165 cap_channel_t *capdns;
166 #endif
167 
168 int32_t thiszone;		/* seconds offset from gmt to local time */
169 
170 /* Forwards */
171 static RETSIGTYPE cleanup(int);
172 static RETSIGTYPE child_cleanup(int);
173 static void print_version(void);
174 static void print_usage(void);
175 static void show_dlts_and_exit(const char *device, pcap_t *pd) __attribute__((noreturn));
176 
177 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
178 static void ndo_default_print(netdissect_options *, const u_char *, u_int);
179 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *);
180 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
181 static void droproot(const char *, const char *);
182 static void ndo_error(netdissect_options *ndo, const char *fmt, ...)
183      __attribute__((noreturn))
184 #ifdef __ATTRIBUTE___FORMAT_OK
185      __attribute__((format (printf, 2, 3)))
186 #endif /* __ATTRIBUTE___FORMAT_OK */
187     ;
188 static void ndo_warning(netdissect_options *ndo, const char *fmt, ...)
189 #ifdef __ATTRIBUTE___FORMAT_OK
190      __attribute__((format (printf, 2, 3)))
191 #endif /* __ATTRIBUTE___FORMAT_OK */
192     ;
193 
194 #ifdef SIGNAL_REQ_INFO
195 RETSIGTYPE requestinfo(int);
196 #endif
197 
198 #if defined(USE_WIN32_MM_TIMER)
199   #include <MMsystem.h>
200   static UINT timer_id;
201   static void CALLBACK verbose_stats_dump(UINT, UINT, DWORD_PTR, DWORD_PTR, DWORD_PTR);
202 #elif defined(HAVE_ALARM)
203   static void verbose_stats_dump(int sig);
204 #endif
205 
206 static void info(int);
207 static u_int packets_captured;
208 
209 struct printer {
210         if_printer f;
211 	int type;
212 };
213 
214 
215 struct ndo_printer {
216         if_ndo_printer f;
217 	int type;
218 };
219 
220 
221 static const struct printer printers[] = {
222 	{ NULL,			0 },
223 };
224 
225 static const struct ndo_printer ndo_printers[] = {
226 	{ ether_if_print,	DLT_EN10MB },
227 #ifdef DLT_IPNET
228 	{ ipnet_if_print,	DLT_IPNET },
229 #endif
230 #ifdef DLT_IEEE802_15_4
231 	{ ieee802_15_4_if_print, DLT_IEEE802_15_4 },
232 #endif
233 #ifdef DLT_IEEE802_15_4_NOFCS
234 	{ ieee802_15_4_if_print, DLT_IEEE802_15_4_NOFCS },
235 #endif
236 #ifdef DLT_PPI
237 	{ ppi_if_print,		DLT_PPI },
238 #endif
239 #ifdef DLT_NETANALYZER
240 	{ netanalyzer_if_print, DLT_NETANALYZER },
241 #endif
242 #ifdef DLT_NETANALYZER_TRANSPARENT
243 	{ netanalyzer_transparent_if_print, DLT_NETANALYZER_TRANSPARENT },
244 #endif
245 #if defined(DLT_NFLOG) && defined(HAVE_PCAP_NFLOG_H)
246 	{ nflog_if_print,	DLT_NFLOG},
247 #endif
248 #ifdef DLT_CIP
249 	{ cip_if_print,         DLT_CIP },
250 #endif
251 #ifdef DLT_ATM_CLIP
252 	{ cip_if_print,		DLT_ATM_CLIP },
253 #endif
254 #ifdef DLT_IP_OVER_FC
255 	{ ipfc_if_print,	DLT_IP_OVER_FC },
256 #endif
257 	{ null_if_print,	DLT_NULL },
258 #ifdef DLT_LOOP
259 	{ null_if_print,	DLT_LOOP },
260 #endif
261 #ifdef DLT_APPLE_IP_OVER_IEEE1394
262 	{ ap1394_if_print,	DLT_APPLE_IP_OVER_IEEE1394 },
263 #endif
264 #if defined(DLT_BLUETOOTH_HCI_H4_WITH_PHDR) && defined(HAVE_PCAP_BLUETOOTH_H)
265 	{ bt_if_print,		DLT_BLUETOOTH_HCI_H4_WITH_PHDR},
266 #endif
267 #ifdef DLT_LANE8023
268 	{ lane_if_print,        DLT_LANE8023 },
269 #endif
270 	{ arcnet_if_print,	DLT_ARCNET },
271 #ifdef DLT_ARCNET_LINUX
272 	{ arcnet_linux_if_print, DLT_ARCNET_LINUX },
273 #endif
274 	{ raw_if_print,		DLT_RAW },
275 #ifdef DLT_IPV4
276 	{ raw_if_print,		DLT_IPV4 },
277 #endif
278 #ifdef DLT_IPV6
279 	{ raw_if_print,		DLT_IPV6 },
280 #endif
281 #ifdef HAVE_PCAP_USB_H
282 #ifdef DLT_USB_LINUX
283 	{ usb_linux_48_byte_print, DLT_USB_LINUX},
284 #endif /* DLT_USB_LINUX */
285 #ifdef DLT_USB_LINUX_MMAPPED
286 	{ usb_linux_64_byte_print, DLT_USB_LINUX_MMAPPED},
287 #endif /* DLT_USB_LINUX_MMAPPED */
288 #endif /* HAVE_PCAP_USB_H */
289 #ifdef DLT_SYMANTEC_FIREWALL
290 	{ symantec_if_print,	DLT_SYMANTEC_FIREWALL },
291 #endif
292 #ifdef DLT_C_HDLC
293 	{ chdlc_if_print,	DLT_C_HDLC },
294 #endif
295 #ifdef DLT_HDLC
296 	{ chdlc_if_print,	DLT_HDLC },
297 #endif
298 #ifdef DLT_PPP_ETHER
299 	{ pppoe_if_print,	DLT_PPP_ETHER },
300 #endif
301 #if defined(DLT_PFLOG) && defined(HAVE_NET_PFVAR_H)
302 	{ pflog_if_print,	DLT_PFLOG },
303 #endif
304 	{ token_if_print,	DLT_IEEE802 },
305 	{ fddi_if_print,	DLT_FDDI },
306 #ifdef DLT_LINUX_SLL
307 	{ sll_if_print,		DLT_LINUX_SLL },
308 #endif
309 #ifdef DLT_FR
310 	{ fr_if_print,		DLT_FR },
311 #endif
312 #ifdef DLT_FRELAY
313 	{ fr_if_print,		DLT_FRELAY },
314 #endif
315 #ifdef DLT_MFR
316 	{ mfr_if_print,		DLT_MFR },
317 #endif
318 	{ atm_if_print,		DLT_ATM_RFC1483 },
319 #ifdef DLT_SUNATM
320 	{ sunatm_if_print,	DLT_SUNATM },
321 #endif
322 #ifdef DLT_ENC
323 	{ enc_if_print,		DLT_ENC },
324 #endif
325 	{ sl_if_print,		DLT_SLIP },
326 #ifdef DLT_SLIP_BSDOS
327 	{ sl_bsdos_if_print,	DLT_SLIP_BSDOS },
328 #endif
329 #ifdef DLT_LTALK
330 	{ ltalk_if_print,	DLT_LTALK },
331 #endif
332 #ifdef DLT_JUNIPER_ATM1
333 	{ juniper_atm1_print,	DLT_JUNIPER_ATM1 },
334 #endif
335 #ifdef DLT_JUNIPER_ATM2
336 	{ juniper_atm2_print,	DLT_JUNIPER_ATM2 },
337 #endif
338 #ifdef DLT_JUNIPER_MFR
339 	{ juniper_mfr_print,	DLT_JUNIPER_MFR },
340 #endif
341 #ifdef DLT_JUNIPER_MLFR
342 	{ juniper_mlfr_print,	DLT_JUNIPER_MLFR },
343 #endif
344 #ifdef DLT_JUNIPER_MLPPP
345 	{ juniper_mlppp_print,	DLT_JUNIPER_MLPPP },
346 #endif
347 #ifdef DLT_JUNIPER_PPPOE
348 	{ juniper_pppoe_print,	DLT_JUNIPER_PPPOE },
349 #endif
350 #ifdef DLT_JUNIPER_PPPOE_ATM
351 	{ juniper_pppoe_atm_print, DLT_JUNIPER_PPPOE_ATM },
352 #endif
353 #ifdef DLT_JUNIPER_GGSN
354 	{ juniper_ggsn_print,	DLT_JUNIPER_GGSN },
355 #endif
356 #ifdef DLT_JUNIPER_ES
357 	{ juniper_es_print,	DLT_JUNIPER_ES },
358 #endif
359 #ifdef DLT_JUNIPER_MONITOR
360 	{ juniper_monitor_print, DLT_JUNIPER_MONITOR },
361 #endif
362 #ifdef DLT_JUNIPER_SERVICES
363 	{ juniper_services_print, DLT_JUNIPER_SERVICES },
364 #endif
365 #ifdef DLT_JUNIPER_ETHER
366 	{ juniper_ether_print,	DLT_JUNIPER_ETHER },
367 #endif
368 #ifdef DLT_JUNIPER_PPP
369 	{ juniper_ppp_print,	DLT_JUNIPER_PPP },
370 #endif
371 #ifdef DLT_JUNIPER_FRELAY
372 	{ juniper_frelay_print,	DLT_JUNIPER_FRELAY },
373 #endif
374 #ifdef DLT_JUNIPER_CHDLC
375 	{ juniper_chdlc_print,	DLT_JUNIPER_CHDLC },
376 #endif
377 #ifdef DLT_PKTAP
378 	{ pktap_if_print,	DLT_PKTAP },
379 #endif
380 #ifdef DLT_IEEE802_11_RADIO
381 	{ ieee802_11_radio_if_print,	DLT_IEEE802_11_RADIO },
382 #endif
383 #ifdef DLT_IEEE802_11
384 	{ ieee802_11_if_print,	DLT_IEEE802_11},
385 #endif
386 #ifdef DLT_IEEE802_11_RADIO_AVS
387 	{ ieee802_11_radio_avs_if_print,	DLT_IEEE802_11_RADIO_AVS },
388 #endif
389 #ifdef DLT_PRISM_HEADER
390 	{ prism_if_print,	DLT_PRISM_HEADER },
391 #endif
392 	{ ppp_if_print,		DLT_PPP },
393 #ifdef DLT_PPP_WITHDIRECTION
394 	{ ppp_if_print,		DLT_PPP_WITHDIRECTION },
395 #endif
396 #ifdef DLT_PPP_BSDOS
397 	{ ppp_bsdos_if_print,	DLT_PPP_BSDOS },
398 #endif
399 #ifdef DLT_PPP_SERIAL
400 	{ ppp_hdlc_if_print,	DLT_PPP_SERIAL },
401 #endif
402 	{ NULL,			0 },
403 };
404 
405 static const struct tok status_flags[] = {
406 #ifdef PCAP_IF_UP
407 	{ PCAP_IF_UP,       "Up"       },
408 #endif
409 #ifdef PCAP_IF_RUNNING
410 	{ PCAP_IF_RUNNING,  "Running"  },
411 #endif
412 	{ PCAP_IF_LOOPBACK, "Loopback" },
413 	{ 0, NULL }
414 };
415 
416 if_printer
417 lookup_printer(int type)
418 {
419 	const struct printer *p;
420 
421 	for (p = printers; p->f; ++p)
422 		if (type == p->type)
423 			return p->f;
424 
425 	return NULL;
426 	/* NOTREACHED */
427 }
428 
429 if_ndo_printer
430 lookup_ndo_printer(int type)
431 {
432 	const struct ndo_printer *p;
433 
434 	for (p = ndo_printers; p->f; ++p)
435 		if (type == p->type)
436 			return p->f;
437 
438 #if defined(DLT_USER2) && defined(DLT_PKTAP)
439 	/*
440 	 * Apple incorrectly chose to use DLT_USER2 for their PKTAP
441 	 * header.
442 	 *
443 	 * We map DLT_PKTAP, whether it's DLT_USER2 as it is on Darwin-
444 	 * based OSes or the same value as LINKTYPE_PKTAP as it is on
445 	 * other OSes, to LINKTYPE_PKTAP, so files written with
446 	 * this version of libpcap for a DLT_PKTAP capture have a link-
447 	 * layer header type of LINKTYPE_PKTAP.
448 	 *
449 	 * However, files written on OS X Mavericks for a DLT_PKTAP
450 	 * capture have a link-layer header type of LINKTYPE_USER2.
451 	 * If we don't have a printer for DLT_USER2, and type is
452 	 * DLT_USER2, we look up the printer for DLT_PKTAP and use
453 	 * that.
454 	 */
455 	if (type == DLT_USER2) {
456 		for (p = ndo_printers; p->f; ++p)
457 			if (DLT_PKTAP == p->type)
458 				return p->f;
459 	}
460 #endif
461 
462 	return NULL;
463 	/* NOTREACHED */
464 }
465 
466 static pcap_t *pd;
467 
468 static int supports_monitor_mode;
469 
470 extern int optind;
471 extern int opterr;
472 extern char *optarg;
473 
474 struct print_info {
475         netdissect_options *ndo;
476         union {
477                 if_printer     printer;
478                 if_ndo_printer ndo_printer;
479         } p;
480         int ndo_type;
481 };
482 
483 struct dump_info {
484 	char	*WFileName;
485 	char	*CurrentFileName;
486 	pcap_t	*pd;
487 	pcap_dumper_t *p;
488 #ifdef HAVE_CAPSICUM
489 	int	dirfd;
490 #endif
491 };
492 
493 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
494 static void
495 show_tstamp_types_and_exit(const char *device, pcap_t *pd)
496 {
497 	int n_tstamp_types;
498 	int *tstamp_types = 0;
499 	const char *tstamp_type_name;
500 	int i;
501 
502 	n_tstamp_types = pcap_list_tstamp_types(pd, &tstamp_types);
503 	if (n_tstamp_types < 0)
504 		error("%s", pcap_geterr(pd));
505 
506 	if (n_tstamp_types == 0) {
507 		fprintf(stderr, "Time stamp type cannot be set for %s\n",
508 		    device);
509 		exit(0);
510 	}
511 	fprintf(stderr, "Time stamp types for %s (use option -j to set):\n",
512 	    device);
513 	for (i = 0; i < n_tstamp_types; i++) {
514 		tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]);
515 		if (tstamp_type_name != NULL) {
516 			(void) fprintf(stderr, "  %s (%s)\n", tstamp_type_name,
517 			    pcap_tstamp_type_val_to_description(tstamp_types[i]));
518 		} else {
519 			(void) fprintf(stderr, "  %d\n", tstamp_types[i]);
520 		}
521 	}
522 	pcap_free_tstamp_types(tstamp_types);
523 	exit(0);
524 }
525 #endif
526 
527 static void
528 show_dlts_and_exit(const char *device, pcap_t *pd)
529 {
530 	int n_dlts;
531 	int *dlts = 0;
532 	const char *dlt_name;
533 
534 	n_dlts = pcap_list_datalinks(pd, &dlts);
535 	if (n_dlts < 0)
536 		error("%s", pcap_geterr(pd));
537 	else if (n_dlts == 0 || !dlts)
538 		error("No data link types.");
539 
540 	/*
541 	 * If the interface is known to support monitor mode, indicate
542 	 * whether these are the data link types available when not in
543 	 * monitor mode, if -I wasn't specified, or when in monitor mode,
544 	 * when -I was specified (the link-layer types available in
545 	 * monitor mode might be different from the ones available when
546 	 * not in monitor mode).
547 	 */
548 	if (supports_monitor_mode)
549 		(void) fprintf(stderr, "Data link types for %s %s (use option -y to set):\n",
550 		    device,
551 		    Iflag ? "when in monitor mode" : "when not in monitor mode");
552 	else
553 		(void) fprintf(stderr, "Data link types for %s (use option -y to set):\n",
554 		    device);
555 
556 	while (--n_dlts >= 0) {
557 		dlt_name = pcap_datalink_val_to_name(dlts[n_dlts]);
558 		if (dlt_name != NULL) {
559 			(void) fprintf(stderr, "  %s (%s)", dlt_name,
560 			    pcap_datalink_val_to_description(dlts[n_dlts]));
561 
562 			/*
563 			 * OK, does tcpdump handle that type?
564 			 */
565 			if (lookup_printer(dlts[n_dlts]) == NULL
566                             && lookup_ndo_printer(dlts[n_dlts]) == NULL)
567 				(void) fprintf(stderr, " (printing not supported)");
568 			fprintf(stderr, "\n");
569 		} else {
570 			(void) fprintf(stderr, "  DLT %d (printing not supported)\n",
571 			    dlts[n_dlts]);
572 		}
573 	}
574 #ifdef HAVE_PCAP_FREE_DATALINKS
575 	pcap_free_datalinks(dlts);
576 #endif
577 	exit(0);
578 }
579 
580 #ifdef HAVE_PCAP_FINDALLDEVS
581 static void
582 show_devices_and_exit (void)
583 {
584 	pcap_if_t *devpointer;
585 	char ebuf[PCAP_ERRBUF_SIZE];
586 	int i;
587 
588 	if (pcap_findalldevs(&devpointer, ebuf) < 0)
589 		error("%s", ebuf);
590 	else {
591 		for (i = 0; devpointer != NULL; i++) {
592 			printf("%d.%s", i+1, devpointer->name);
593 			if (devpointer->description != NULL)
594 				printf(" (%s)", devpointer->description);
595 			if (devpointer->flags != 0)
596 				printf(" [%s]", bittok2str(status_flags, "none", devpointer->flags));
597 			printf("\n");
598 			devpointer = devpointer->next;
599 		}
600 	}
601 	exit(0);
602 }
603 #endif /* HAVE_PCAP_FINDALLDEVS */
604 
605 /*
606  * Short options.
607  *
608  * Note that there we use all letters for short options except for g, k,
609  * o, and P, and those are used by other versions of tcpdump, and we should
610  * only use them for the same purposes that the other versions of tcpdump
611  * use them:
612  *
613  * OS X tcpdump uses -g to force non--v output for IP to be on one
614  * line, making it more "g"repable;
615  *
616  * OS X tcpdump uses -k tospecify that packet comments in pcap-ng files
617  * should be printed;
618  *
619  * OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done
620  * for hosts sending TCP SYN packets;
621  *
622  * OS X tcpdump uses -P to indicate that -w should write pcap-ng rather
623  * than pcap files.
624  *
625  * OS X tcpdump also uses -Q to specify expressions that match packet
626  * metadata, including but not limited to the packet direction.
627  * The expression syntax is different from a simple "in|out|inout",
628  * and those expressions aren't accepted by OS X tcpdump, but the
629  * equivalents would be "in" = "dir=in", "out" = "dir=out", and
630  * "inout" = "dir=in or dir=out", and the parser could conceivably
631  * special-case "in", "out", and "inout" as expressions for backwards
632  * compatibility, so all is not (yet) lost.
633  */
634 
635 /*
636  * Set up flags that might or might not be supported depending on the
637  * version of libpcap we're using.
638  */
639 #if defined(HAVE_PCAP_CREATE) || defined(WIN32)
640 #define B_FLAG		"B:"
641 #define B_FLAG_USAGE	" [ -B size ]"
642 #else /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */
643 #define B_FLAG
644 #define B_FLAG_USAGE
645 #endif /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */
646 
647 #ifdef HAVE_PCAP_CREATE
648 #define I_FLAG		"I"
649 #else /* HAVE_PCAP_CREATE */
650 #define I_FLAG
651 #endif /* HAVE_PCAP_CREATE */
652 
653 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
654 #define j_FLAG		"j:"
655 #define j_FLAG_USAGE	" [ -j tstamptype ]"
656 #define J_FLAG		"J"
657 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */
658 #define j_FLAG
659 #define j_FLAG_USAGE
660 #define J_FLAG
661 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */
662 
663 #ifdef HAVE_PCAP_FINDALLDEVS
664 #define D_FLAG	"D"
665 #else
666 #define D_FLAG
667 #endif
668 
669 #ifdef HAVE_PCAP_DUMP_FLUSH
670 #define U_FLAG	"U"
671 #else
672 #define U_FLAG
673 #endif
674 
675 #ifdef HAVE_PCAP_SETDIRECTION
676 #define Q_FLAG "Q:"
677 #else
678 #define Q_FLAG
679 #endif
680 
681 #define SHORTOPTS "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpq" Q_FLAG "r:Rs:StT:u" U_FLAG "vV:w:W:xXy:Yz:Z:#"
682 
683 /*
684  * Long options.
685  *
686  * We do not currently have long options corresponding to all short
687  * options; we should probably pick appropriate option names for them.
688  *
689  * However, the short options where the number of times the option is
690  * specified matters, such as -v and -d and -t, should probably not
691  * just map to a long option, as saying
692  *
693  *  tcpdump --verbose --verbose
694  *
695  * doesn't make sense; it should be --verbosity={N} or something such
696  * as that.
697  *
698  * For long options with no corresponding short options, we define values
699  * outside the range of ASCII graphic characters, make that the last
700  * component of the entry for the long option, and have a case for that
701  * option in the switch statement.
702  */
703 #define OPTION_VERSION		128
704 #define OPTION_TSTAMP_PRECISION	129
705 #define OPTION_IMMEDIATE_MODE	130
706 
707 static const struct option longopts[] = {
708 #if defined(HAVE_PCAP_CREATE) || defined(WIN32)
709 	{ "buffer-size", required_argument, NULL, 'B' },
710 #endif
711 	{ "list-interfaces", no_argument, NULL, 'D' },
712 	{ "help", no_argument, NULL, 'h' },
713 	{ "interface", required_argument, NULL, 'i' },
714 #ifdef HAVE_PCAP_CREATE
715 	{ "monitor-mode", no_argument, NULL, 'I' },
716 #endif
717 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
718 	{ "time-stamp-type", required_argument, NULL, 'j' },
719 	{ "list-time-stamp-types", no_argument, NULL, 'J' },
720 #endif
721 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
722 	{ "time-stamp-precision", required_argument, NULL, OPTION_TSTAMP_PRECISION},
723 #endif
724 	{ "dont-verify-checksums", no_argument, NULL, 'K' },
725 	{ "list-data-link-types", no_argument, NULL, 'L' },
726 	{ "no-optimize", no_argument, NULL, 'O' },
727 	{ "no-promiscuous-mode", no_argument, NULL, 'p' },
728 #ifdef HAVE_PCAP_SETDIRECTION
729 	{ "direction", required_argument, NULL, 'Q' },
730 #endif
731 	{ "snapshot-length", required_argument, NULL, 's' },
732 	{ "absolute-tcp-sequence-numbers", no_argument, NULL, 'S' },
733 #ifdef HAVE_PCAP_DUMP_FLUSH
734 	{ "packet-buffered", no_argument, NULL, 'U' },
735 #endif
736 	{ "linktype", required_argument, NULL, 'y' },
737 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
738 	{ "immediate-mode", no_argument, NULL, OPTION_IMMEDIATE_MODE },
739 #endif
740 #if defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG)
741 	{ "debug-filter-parser", no_argument, NULL, 'Y' },
742 #endif
743 	{ "relinquish-privileges", required_argument, NULL, 'Z' },
744 	{ "number", no_argument, NULL, '#' },
745 	{ "version", no_argument, NULL, OPTION_VERSION },
746 	{ NULL, 0, NULL, 0 }
747 };
748 
749 #ifndef WIN32
750 /* Drop root privileges and chroot if necessary */
751 static void
752 droproot(const char *username, const char *chroot_dir)
753 {
754 	struct passwd *pw = NULL;
755 
756 	if (chroot_dir && !username) {
757 		fprintf(stderr, "tcpdump: Chroot without dropping root is insecure\n");
758 		exit(1);
759 	}
760 
761 	pw = getpwnam(username);
762 	if (pw) {
763 		if (chroot_dir) {
764 			if (chroot(chroot_dir) != 0 || chdir ("/") != 0) {
765 				fprintf(stderr, "tcpdump: Couldn't chroot/chdir to '%.64s': %s\n",
766 				    chroot_dir, pcap_strerror(errno));
767 				exit(1);
768 			}
769 		}
770 #ifdef HAVE_LIBCAP_NG
771 		int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
772 		if (ret < 0) {
773 			fprintf(stderr, "error : ret %d\n", ret);
774 		}
775 		else {
776 			fprintf(stderr, "dropped privs to %s\n", username);
777 		}
778 #else
779 		if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
780 		    setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
781 			fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n",
782 			    username,
783 			    (unsigned long)pw->pw_uid,
784 			    (unsigned long)pw->pw_gid,
785 			    pcap_strerror(errno));
786 			exit(1);
787 		}
788 		else {
789 			fprintf(stderr, "dropped privs to %s\n", username);
790 		}
791 #endif /* HAVE_LIBCAP_NG */
792 	}
793 	else {
794 		fprintf(stderr, "tcpdump: Couldn't find user '%.32s'\n",
795 		    username);
796 		exit(1);
797 	}
798 #ifdef HAVE_LIBCAP_NG
799 	/* We don't need CAP_SETUID and CAP_SETGID any more. */
800 	capng_updatev(
801 		CAPNG_DROP,
802 		CAPNG_EFFECTIVE | CAPNG_PERMITTED,
803 		CAP_SETUID,
804 		CAP_SETGID,
805 		-1);
806 	capng_apply(CAPNG_SELECT_BOTH);
807 #endif /* HAVE_LIBCAP_NG */
808 
809 }
810 #endif /* WIN32 */
811 
812 static int
813 getWflagChars(int x)
814 {
815 	int c = 0;
816 
817 	x -= 1;
818 	while (x > 0) {
819 		c += 1;
820 		x /= 10;
821 	}
822 
823 	return c;
824 }
825 
826 
827 static void
828 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars)
829 {
830         char *filename = malloc(PATH_MAX + 1);
831         if (filename == NULL)
832             error("Makefilename: malloc");
833 
834         /* Process with strftime if Gflag is set. */
835         if (Gflag != 0) {
836           struct tm *local_tm;
837 
838           /* Convert Gflag_time to a usable format */
839           if ((local_tm = localtime(&Gflag_time)) == NULL) {
840                   error("MakeTimedFilename: localtime");
841           }
842 
843           /* There's no good way to detect an error in strftime since a return
844            * value of 0 isn't necessarily failure.
845            */
846           strftime(filename, PATH_MAX, orig_name, local_tm);
847         } else {
848           strncpy(filename, orig_name, PATH_MAX);
849         }
850 
851 	if (cnt == 0 && max_chars == 0)
852 		strncpy(buffer, filename, PATH_MAX + 1);
853 	else
854 		if (snprintf(buffer, PATH_MAX + 1, "%s%0*d", filename, max_chars, cnt) > PATH_MAX)
855                   /* Report an error if the filename is too large */
856                   error("too many output files or filename is too long (> %d)", PATH_MAX);
857         free(filename);
858 }
859 
860 static int tcpdump_printf(netdissect_options *ndo _U_,
861 			  const char *fmt, ...)
862 {
863 
864   va_list args;
865   int ret;
866 
867   va_start(args, fmt);
868   ret=vfprintf(stdout, fmt, args);
869   va_end(args);
870 
871   return ret;
872 }
873 
874 static struct print_info
875 get_print_info(int type)
876 {
877 	struct print_info printinfo;
878 
879 	printinfo.ndo_type = 1;
880 	printinfo.ndo = gndo;
881 	printinfo.p.ndo_printer = lookup_ndo_printer(type);
882 	if (printinfo.p.ndo_printer == NULL) {
883 		printinfo.p.printer = lookup_printer(type);
884 		printinfo.ndo_type = 0;
885 		if (printinfo.p.printer == NULL) {
886 			gndo->ndo_dltname = pcap_datalink_val_to_name(type);
887 			if (gndo->ndo_dltname != NULL)
888 				error("packet printing is not supported for link type %s: use -w",
889 				      gndo->ndo_dltname);
890 			else
891 				error("packet printing is not supported for link type %d: use -w", type);
892 		}
893 	}
894 	return (printinfo);
895 }
896 
897 static char *
898 get_next_file(FILE *VFile, char *ptr)
899 {
900 	char *ret;
901 
902 	ret = fgets(ptr, PATH_MAX, VFile);
903 	if (!ret)
904 		return NULL;
905 
906 	if (ptr[strlen(ptr) - 1] == '\n')
907 		ptr[strlen(ptr) - 1] = '\0';
908 
909 	return ret;
910 }
911 
912 #ifdef HAVE_CAPSICUM
913 static cap_channel_t *
914 capdns_setup(void)
915 {
916 	cap_channel_t *capcas, *capdnsloc;
917 	const char *types[1];
918 	int families[2];
919 
920 	capcas = cap_init();
921 	if (capcas == NULL) {
922 		warning("unable to contact casperd");
923 		return (NULL);
924 	}
925 	capdnsloc = cap_service_open(capcas, "system.dns");
926 	/* Casper capability no longer needed. */
927 	cap_close(capcas);
928 	if (capdnsloc == NULL)
929 		error("unable to open system.dns service");
930 	/* Limit system.dns to reverse DNS lookups. */
931 	types[0] = "ADDR";
932 	if (cap_dns_type_limit(capdnsloc, types, 1) < 0)
933 		error("unable to limit access to system.dns service");
934 	families[0] = AF_INET;
935 	families[1] = AF_INET6;
936 	if (cap_dns_family_limit(capdnsloc, families, 2) < 0)
937 		error("unable to limit access to system.dns service");
938 
939 	return (capdnsloc);
940 }
941 #endif	/* HAVE_CAPSICUM */
942 
943 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
944 static int
945 tstamp_precision_from_string(const char *precision)
946 {
947 	if (strncmp(precision, "nano", strlen("nano")) == 0)
948 		return PCAP_TSTAMP_PRECISION_NANO;
949 
950 	if (strncmp(precision, "micro", strlen("micro")) == 0)
951 		return PCAP_TSTAMP_PRECISION_MICRO;
952 
953 	return -EINVAL;
954 }
955 
956 static const char *
957 tstamp_precision_to_string(int precision)
958 {
959 	switch (precision) {
960 
961 	case PCAP_TSTAMP_PRECISION_MICRO:
962 		return "micro";
963 
964 	case PCAP_TSTAMP_PRECISION_NANO:
965 		return "nano";
966 
967 	default:
968 		return "unknown";
969 	}
970 }
971 #endif
972 
973 #ifdef HAVE_CAPSICUM
974 /*
975  * Ensure that, on a dump file's descriptor, we have all the rights
976  * necessary to make the standard I/O library work with an fdopen()ed
977  * FILE * from that descriptor.
978  *
979  * A long time ago, in a galaxy far far away, AT&T decided that, instead
980  * of providing separate APIs for getting and setting the FD_ flags on a
981  * descriptor, getting and setting the O_ flags on a descriptor, and
982  * locking files, they'd throw them all into a kitchen-sink fcntl() call
983  * along the lines of ioctl(), the fact that ioctl() operations are
984  * largely specific to particular character devices but fcntl() operations
985  * are either generic to all descriptors or generic to all descriptors for
986  * regular files nonwithstanding.
987  *
988  * The Capsicum people decided that fine-grained control of descriptor
989  * operations was required, so that you need to grant permission for
990  * reading, writing, seeking, and fcntl-ing.  The latter, courtesy of
991  * AT&T's decision, means that "fcntl-ing" isn't a thing, but a motley
992  * collection of things, so there are *individual* fcntls for which
993  * permission needs to be granted.
994  *
995  * The FreeBSD standard I/O people implemented some optimizations that
996  * requires that the standard I/O routines be able to determine whether
997  * the descriptor for the FILE * is open append-only or not; as that
998  * descriptor could have come from an open() rather than an fopen(),
999  * that requires that it be able to do an F_GETFL fcntl() to read
1000  * the O_ flags.
1001  *
1002  * Tcpdump uses ftell() to determine how much data has been written
1003  * to a file in order to, when used with -C, determine when it's time
1004  * to rotate capture files.  ftell() therefore needs to do an lseek()
1005  * to find out the file offset and must, thanks to the aforementioned
1006  * optimization, also know whether the descriptor is open append-only
1007  * or not.
1008  *
1009  * The net result of all the above is that we need to grant CAP_SEEK,
1010  * CAP_WRITE, and CAP_FCNTL with the CAP_FCNTL_GETFL subcapability.
1011  *
1012  * Perhaps this is the universe's way of saying that either
1013  *
1014  *	1) there needs to be an fopenat() call and a pcap_dump_openat() call
1015  *	   using it, so that Capsicum-capable tcpdump wouldn't need to do
1016  *	   an fdopen()
1017  *
1018  * or
1019  *
1020  *	2) there needs to be a cap_fdopen() call in the FreeBSD standard
1021  *	   I/O library that knows what rights are needed by the standard
1022  *	   I/O library, based on the open mode, and assigns them, perhaps
1023  *	   with an additional argument indicating, for example, whether
1024  *	   seeking should be allowed, so that tcpdump doesn't need to know
1025  *	   what the standard I/O library happens to require this week.
1026  */
1027 static void
1028 set_dumper_capsicum_rights(pcap_dumper_t *p)
1029 {
1030 	int fd = fileno(pcap_dump_file(p));
1031 	cap_rights_t rights;
1032 
1033 	cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL);
1034 	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
1035 		error("unable to limit dump descriptor");
1036 	}
1037 	if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
1038 		error("unable to limit dump descriptor fcntls");
1039 	}
1040 }
1041 #endif
1042 
1043 int
1044 main(int argc, char **argv)
1045 {
1046 	register int cnt, op, i;
1047 	bpf_u_int32 localnet =0 , netmask = 0;
1048 	register char *cp, *infile, *cmdbuf, *device, *RFileName, *VFileName, *WFileName;
1049 	pcap_handler callback;
1050 	int type;
1051 	int dlt;
1052 	int new_dlt;
1053 	const char *dlt_name;
1054 	struct bpf_program fcode;
1055 #ifndef WIN32
1056 	RETSIGTYPE (*oldhandler)(int);
1057 #endif
1058 	struct print_info printinfo;
1059 	struct dump_info dumpinfo;
1060 	u_char *pcap_userdata;
1061 	char ebuf[PCAP_ERRBUF_SIZE];
1062 	char VFileLine[PATH_MAX + 1];
1063 	char *username = NULL;
1064 	char *chroot_dir = NULL;
1065 	char *ret = NULL;
1066 	char *end;
1067 #ifdef HAVE_PCAP_FINDALLDEVS
1068 	pcap_if_t *devpointer;
1069 	int devnum;
1070 #endif
1071 	int status;
1072 	FILE *VFile;
1073 #ifdef HAVE_CAPSICUM
1074 	cap_rights_t rights;
1075 #endif	/* HAVE_CAPSICUM */
1076 	int cansandbox;
1077 
1078 #ifdef WIN32
1079 	if(wsockinit() != 0) return 1;
1080 #endif /* WIN32 */
1081 
1082 	jflag=-1;	/* not set */
1083         gndo->ndo_Oflag=1;
1084 	gndo->ndo_Rflag=1;
1085 	gndo->ndo_dlt=-1;
1086 	gndo->ndo_default_print=ndo_default_print;
1087 	gndo->ndo_printf=tcpdump_printf;
1088 	gndo->ndo_error=ndo_error;
1089 	gndo->ndo_warning=ndo_warning;
1090 	gndo->ndo_snaplen = DEFAULT_SNAPLEN;
1091 	gndo->ndo_immediate = 0;
1092 
1093 	cnt = -1;
1094 	device = NULL;
1095 	infile = NULL;
1096 	RFileName = NULL;
1097 	VFileName = NULL;
1098 	VFile = NULL;
1099 	WFileName = NULL;
1100 	dlt = -1;
1101 	if ((cp = strrchr(argv[0], '/')) != NULL)
1102 		program_name = cp + 1;
1103 	else
1104 		program_name = argv[0];
1105 
1106 	/*
1107 	 * On platforms where the CPU doesn't support unaligned loads,
1108 	 * force unaligned accesses to abort with SIGBUS, rather than
1109 	 * being fixed up (slowly) by the OS kernel; on those platforms,
1110 	 * misaligned accesses are bugs, and we want tcpdump to crash so
1111 	 * that the bugs are reported.
1112 	 */
1113 	if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0)
1114 		error("%s", ebuf);
1115 
1116 #ifdef USE_LIBSMI
1117 	smiInit("tcpdump");
1118 #endif
1119 
1120 	while (
1121 	    (op = getopt_long(argc, argv, SHORTOPTS, longopts, NULL)) != -1)
1122 		switch (op) {
1123 
1124 		case 'a':
1125 			/* compatibility for old -a */
1126 			break;
1127 
1128 		case 'A':
1129 			++Aflag;
1130 			break;
1131 
1132 		case 'b':
1133 			++bflag;
1134 			break;
1135 
1136 #if defined(HAVE_PCAP_CREATE) || defined(WIN32)
1137 		case 'B':
1138 			Bflag = atoi(optarg)*1024;
1139 			if (Bflag <= 0)
1140 				error("invalid packet buffer size %s", optarg);
1141 			break;
1142 #endif /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */
1143 
1144 		case 'c':
1145 			cnt = atoi(optarg);
1146 			if (cnt <= 0)
1147 				error("invalid packet count %s", optarg);
1148 			break;
1149 
1150 		case 'C':
1151 			Cflag = atoi(optarg) * 1000000;
1152 			if (Cflag < 0)
1153 				error("invalid file size %s", optarg);
1154 			break;
1155 
1156 		case 'd':
1157 			++dflag;
1158 			break;
1159 
1160 		case 'D':
1161 			Dflag++;
1162 			break;
1163 
1164 		case 'L':
1165 			Lflag++;
1166 			break;
1167 
1168 		case 'e':
1169 			++eflag;
1170 			break;
1171 
1172 		case 'E':
1173 #ifndef HAVE_LIBCRYPTO
1174 			warning("crypto code not compiled in");
1175 #endif
1176 			gndo->ndo_espsecret = optarg;
1177 			break;
1178 
1179 		case 'f':
1180 			++fflag;
1181 			break;
1182 
1183 		case 'F':
1184 			infile = optarg;
1185 			break;
1186 
1187 		case 'G':
1188 			Gflag = atoi(optarg);
1189 			if (Gflag < 0)
1190 				error("invalid number of seconds %s", optarg);
1191 
1192                         /* We will create one file initially. */
1193                         Gflag_count = 0;
1194 
1195 			/* Grab the current time for rotation use. */
1196 			if ((Gflag_time = time(NULL)) == (time_t)-1) {
1197 				error("main: can't get current time: %s",
1198 				    pcap_strerror(errno));
1199 			}
1200 			break;
1201 
1202 		case 'h':
1203 			print_usage();
1204 			exit(0);
1205 			break;
1206 
1207 		case 'H':
1208 			++Hflag;
1209 			break;
1210 
1211 		case 'i':
1212 			if (optarg[0] == '0' && optarg[1] == 0)
1213 				error("Invalid adapter index");
1214 
1215 #ifdef HAVE_PCAP_FINDALLDEVS
1216 			/*
1217 			 * If the argument is a number, treat it as
1218 			 * an index into the list of adapters, as
1219 			 * printed by "tcpdump -D".
1220 			 *
1221 			 * This should be OK on UNIX systems, as interfaces
1222 			 * shouldn't have names that begin with digits.
1223 			 * It can be useful on Windows, where more than
1224 			 * one interface can have the same name.
1225 			 */
1226 			devnum = strtol(optarg, &end, 10);
1227 			if (optarg != end && *end == '\0') {
1228 				if (devnum < 0)
1229 					error("Invalid adapter index");
1230 
1231 				if (pcap_findalldevs(&devpointer, ebuf) < 0)
1232 					error("%s", ebuf);
1233 				else {
1234 					/*
1235 					 * Look for the devnum-th entry
1236 					 * in the list of devices
1237 					 * (1-based).
1238 					 */
1239 					for (i = 0;
1240 					    i < devnum-1 && devpointer != NULL;
1241 					    i++, devpointer = devpointer->next)
1242 						;
1243 					if (devpointer == NULL)
1244 						error("Invalid adapter index");
1245 				}
1246 				device = devpointer->name;
1247 				break;
1248 			}
1249 #endif /* HAVE_PCAP_FINDALLDEVS */
1250 			device = optarg;
1251 			break;
1252 
1253 #ifdef HAVE_PCAP_CREATE
1254 		case 'I':
1255 			++Iflag;
1256 			break;
1257 #endif /* HAVE_PCAP_CREATE */
1258 
1259 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1260 		case 'j':
1261 			jflag = pcap_tstamp_type_name_to_val(optarg);
1262 			if (jflag < 0)
1263 				error("invalid time stamp type %s", optarg);
1264 			break;
1265 
1266 		case 'J':
1267 			Jflag++;
1268 			break;
1269 #endif
1270 
1271 		case 'l':
1272 #ifdef WIN32
1273 			/*
1274 			 * _IOLBF is the same as _IOFBF in Microsoft's C
1275 			 * libraries; the only alternative they offer
1276 			 * is _IONBF.
1277 			 *
1278 			 * XXX - this should really be checking for MSVC++,
1279 			 * not WIN32, if, for example, MinGW has its own
1280 			 * C library that is more UNIX-compatible.
1281 			 */
1282 			setvbuf(stdout, NULL, _IONBF, 0);
1283 #else /* WIN32 */
1284 #ifdef HAVE_SETLINEBUF
1285 			setlinebuf(stdout);
1286 #else
1287 			setvbuf(stdout, NULL, _IOLBF, 0);
1288 #endif
1289 #endif /* WIN32 */
1290 			break;
1291 
1292 		case 'K':
1293 			++Kflag;
1294 			break;
1295 
1296 		case 'm':
1297 #ifdef USE_LIBSMI
1298 			if (smiLoadModule(optarg) == 0) {
1299 				error("could not load MIB module %s", optarg);
1300 			}
1301 			sflag = 1;
1302 #else
1303 			(void)fprintf(stderr, "%s: ignoring option `-m %s' ",
1304 				      program_name, optarg);
1305 			(void)fprintf(stderr, "(no libsmi support)\n");
1306 #endif
1307 			break;
1308 
1309 		case 'M':
1310 			/* TCP-MD5 shared secret */
1311 #ifndef HAVE_LIBCRYPTO
1312 			warning("crypto code not compiled in");
1313 #endif
1314 			sigsecret = optarg;
1315 			break;
1316 
1317 		case 'n':
1318 			++nflag;
1319 			break;
1320 
1321 		case 'N':
1322 			++Nflag;
1323 			break;
1324 
1325 		case 'O':
1326 			Oflag = 0;
1327 			break;
1328 
1329 		case 'p':
1330 			++pflag;
1331 			break;
1332 
1333 		case 'q':
1334 			++qflag;
1335 			++suppress_default_print;
1336 			break;
1337 
1338 #ifdef HAVE_PCAP_SETDIRECTION
1339 		case 'Q':
1340 			if (strcasecmp(optarg, "in") == 0)
1341 				Qflag = PCAP_D_IN;
1342 			else if (strcasecmp(optarg, "out") == 0)
1343 				Qflag = PCAP_D_OUT;
1344 			else if (strcasecmp(optarg, "inout") == 0)
1345 				Qflag = PCAP_D_INOUT;
1346 			else
1347 				error("unknown capture direction `%s'", optarg);
1348 			break;
1349 #endif /* HAVE_PCAP_SETDIRECTION */
1350 
1351 		case 'r':
1352 			RFileName = optarg;
1353 			break;
1354 
1355 		case 'R':
1356 			Rflag = 0;
1357 			break;
1358 
1359 		case 's':
1360 			snaplen = strtol(optarg, &end, 0);
1361 			if (optarg == end || *end != '\0'
1362 			    || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN)
1363 				error("invalid snaplen %s", optarg);
1364 			else if (snaplen == 0)
1365 				snaplen = MAXIMUM_SNAPLEN;
1366 			break;
1367 
1368 		case 'S':
1369 			++Sflag;
1370 			break;
1371 
1372 		case 't':
1373 			++tflag;
1374 			break;
1375 
1376 		case 'T':
1377 			if (strcasecmp(optarg, "vat") == 0)
1378 				packettype = PT_VAT;
1379 			else if (strcasecmp(optarg, "wb") == 0)
1380 				packettype = PT_WB;
1381 			else if (strcasecmp(optarg, "rpc") == 0)
1382 				packettype = PT_RPC;
1383 			else if (strcasecmp(optarg, "rtp") == 0)
1384 				packettype = PT_RTP;
1385 			else if (strcasecmp(optarg, "rtcp") == 0)
1386 				packettype = PT_RTCP;
1387 			else if (strcasecmp(optarg, "snmp") == 0)
1388 				packettype = PT_SNMP;
1389 			else if (strcasecmp(optarg, "cnfp") == 0)
1390 				packettype = PT_CNFP;
1391 			else if (strcasecmp(optarg, "tftp") == 0)
1392 				packettype = PT_TFTP;
1393 			else if (strcasecmp(optarg, "aodv") == 0)
1394 				packettype = PT_AODV;
1395 			else if (strcasecmp(optarg, "carp") == 0)
1396 				packettype = PT_CARP;
1397 			else if (strcasecmp(optarg, "radius") == 0)
1398 				packettype = PT_RADIUS;
1399 			else if (strcasecmp(optarg, "zmtp1") == 0)
1400 				packettype = PT_ZMTP1;
1401 			else if (strcasecmp(optarg, "vxlan") == 0)
1402 				packettype = PT_VXLAN;
1403 			else if (strcasecmp(optarg, "pgm") == 0)
1404 				packettype = PT_PGM;
1405 			else if (strcasecmp(optarg, "pgm_zmtp1") == 0)
1406 				packettype = PT_PGM_ZMTP1;
1407 			else if (strcasecmp(optarg, "lmp") == 0)
1408 				packettype = PT_LMP;
1409 			else
1410 				error("unknown packet type `%s'", optarg);
1411 			break;
1412 
1413 		case 'u':
1414 			++uflag;
1415 			break;
1416 
1417 #ifdef HAVE_PCAP_DUMP_FLUSH
1418 		case 'U':
1419 			++Uflag;
1420 			break;
1421 #endif
1422 
1423 		case 'v':
1424 			++vflag;
1425 			break;
1426 
1427 		case 'V':
1428 			VFileName = optarg;
1429 			break;
1430 
1431 		case 'w':
1432 			WFileName = optarg;
1433 			break;
1434 
1435 		case 'W':
1436 			Wflag = atoi(optarg);
1437 			if (Wflag < 0)
1438 				error("invalid number of output files %s", optarg);
1439 			WflagChars = getWflagChars(Wflag);
1440 			break;
1441 
1442 		case 'x':
1443 			++xflag;
1444 			++suppress_default_print;
1445 			break;
1446 
1447 		case 'X':
1448 			++Xflag;
1449 			++suppress_default_print;
1450 			break;
1451 
1452 		case 'y':
1453 			gndo->ndo_dltname = optarg;
1454 			gndo->ndo_dlt =
1455 			  pcap_datalink_name_to_val(gndo->ndo_dltname);
1456 			if (gndo->ndo_dlt < 0)
1457 				error("invalid data link type %s", gndo->ndo_dltname);
1458 			break;
1459 
1460 #if defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG)
1461 		case 'Y':
1462 			{
1463 			/* Undocumented flag */
1464 #ifdef HAVE_PCAP_DEBUG
1465 			extern int pcap_debug;
1466 			pcap_debug = 1;
1467 #else
1468 			extern int yydebug;
1469 			yydebug = 1;
1470 #endif
1471 			}
1472 			break;
1473 #endif
1474 		case 'z':
1475 			zflag = strdup(optarg);
1476 			break;
1477 
1478 		case 'Z':
1479 			username = strdup(optarg);
1480 			break;
1481 
1482 		case '#':
1483 			gndo->ndo_packet_number = 1;
1484 			break;
1485 
1486 		case OPTION_VERSION:
1487 			print_version();
1488 			exit(0);
1489 			break;
1490 
1491 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1492 		case OPTION_TSTAMP_PRECISION:
1493 			gndo->ndo_tstamp_precision = tstamp_precision_from_string(optarg);
1494 			if (gndo->ndo_tstamp_precision < 0)
1495 				error("unsupported time stamp precision");
1496 			break;
1497 #endif
1498 
1499 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
1500 		case OPTION_IMMEDIATE_MODE:
1501 			gndo->ndo_immediate = 1;
1502 			break;
1503 #endif
1504 
1505 		default:
1506 			print_usage();
1507 			exit(1);
1508 			/* NOTREACHED */
1509 		}
1510 
1511 #ifdef HAVE_PCAP_FINDALLDEVS
1512 	if (Dflag)
1513 		show_devices_and_exit();
1514 #endif
1515 
1516 	switch (tflag) {
1517 
1518 	case 0: /* Default */
1519 	case 4: /* Default + Date*/
1520 		thiszone = gmt2local(0);
1521 		break;
1522 
1523 	case 1: /* No time stamp */
1524 	case 2: /* Unix timeval style */
1525 	case 3: /* Microseconds since previous packet */
1526         case 5: /* Microseconds since first packet */
1527 		break;
1528 
1529 	default: /* Not supported */
1530 		error("only -t, -tt, -ttt, -tttt and -ttttt are supported");
1531 		break;
1532 	}
1533 
1534 	if (fflag != 0 && (VFileName != NULL || RFileName != NULL))
1535 		error("-f can not be used with -V or -r");
1536 
1537 	if (VFileName != NULL && RFileName != NULL)
1538 		error("-V and -r are mutually exclusive.");
1539 
1540 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
1541 	/*
1542 	 * If we're printing dissected packets to the standard output
1543 	 * rather than saving raw packets to a file, and the standard
1544 	 * output is a terminal, use immediate mode, as the user's
1545 	 * probably expecting to see packets pop up immediately.
1546 	 */
1547 	if (WFileName == NULL && isatty(1))
1548 		gndo->ndo_immediate = 1;
1549 #endif
1550 
1551 #ifdef WITH_CHROOT
1552 	/* if run as root, prepare for chrooting */
1553 	if (getuid() == 0 || geteuid() == 0) {
1554 		/* future extensibility for cmd-line arguments */
1555 		if (!chroot_dir)
1556 			chroot_dir = WITH_CHROOT;
1557 	}
1558 #endif
1559 
1560 #ifdef WITH_USER
1561 	/* if run as root, prepare for dropping root privileges */
1562 	if (getuid() == 0 || geteuid() == 0) {
1563 		/* Run with '-Z root' to restore old behaviour */
1564 		if (!username)
1565 			username = WITH_USER;
1566 	}
1567 #endif
1568 
1569 	if (RFileName != NULL || VFileName != NULL) {
1570 		/*
1571 		 * If RFileName is non-null, it's the pathname of a
1572 		 * savefile to read.  If VFileName is non-null, it's
1573 		 * the pathname of a file containing a list of pathnames
1574 		 * (one per line) of savefiles to read.
1575 		 *
1576 		 * In either case, we're reading a savefile, not doing
1577 		 * a live capture.
1578 		 */
1579 #ifndef WIN32
1580 		/*
1581 		 * We don't need network access, so relinquish any set-UID
1582 		 * or set-GID privileges we have (if any).
1583 		 *
1584 		 * We do *not* want set-UID privileges when opening a
1585 		 * trace file, as that might let the user read other
1586 		 * people's trace files (especially if we're set-UID
1587 		 * root).
1588 		 */
1589 		if (setgid(getgid()) != 0 || setuid(getuid()) != 0 )
1590 			fprintf(stderr, "Warning: setgid/setuid failed !\n");
1591 #endif /* WIN32 */
1592 		if (VFileName != NULL) {
1593 			if (VFileName[0] == '-' && VFileName[1] == '\0')
1594 				VFile = stdin;
1595 			else
1596 				VFile = fopen(VFileName, "r");
1597 
1598 			if (VFile == NULL)
1599 				error("Unable to open file: %s\n", strerror(errno));
1600 
1601 			ret = get_next_file(VFile, VFileLine);
1602 			if (!ret)
1603 				error("Nothing in %s\n", VFileName);
1604 			RFileName = VFileLine;
1605 		}
1606 
1607 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1608 		pd = pcap_open_offline_with_tstamp_precision(RFileName,
1609 		    gndo->ndo_tstamp_precision, ebuf);
1610 #else
1611 		pd = pcap_open_offline(RFileName, ebuf);
1612 #endif
1613 
1614 		if (pd == NULL)
1615 			error("%s", ebuf);
1616 #ifdef HAVE_CAPSICUM
1617 		cap_rights_init(&rights, CAP_READ);
1618 		if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 &&
1619 		    errno != ENOSYS) {
1620 			error("unable to limit pcap descriptor");
1621 		}
1622 #endif
1623 		dlt = pcap_datalink(pd);
1624 		dlt_name = pcap_datalink_val_to_name(dlt);
1625 		if (dlt_name == NULL) {
1626 			fprintf(stderr, "reading from file %s, link-type %u\n",
1627 			    RFileName, dlt);
1628 		} else {
1629 			fprintf(stderr,
1630 			    "reading from file %s, link-type %s (%s)\n",
1631 			    RFileName, dlt_name,
1632 			    pcap_datalink_val_to_description(dlt));
1633 		}
1634 	} else {
1635 		/*
1636 		 * We're doing a live capture.
1637 		 */
1638 		if (device == NULL) {
1639 			device = pcap_lookupdev(ebuf);
1640 			if (device == NULL)
1641 				error("%s", ebuf);
1642 		}
1643 #ifdef WIN32
1644 		/*
1645 		 * Print a message to the standard error on Windows.
1646 		 * XXX - why do it here, with a different message?
1647 		 */
1648 		if(strlen(device) == 1)	/* we assume that an ASCII string is always longer than 1 char */
1649 		{						/* a Unicode string has a \0 as second byte (so strlen() is 1) */
1650 			fprintf(stderr, "%s: listening on %ws\n", program_name, device);
1651 		}
1652 		else
1653 		{
1654 			fprintf(stderr, "%s: listening on %s\n", program_name, device);
1655 		}
1656 
1657 		fflush(stderr);
1658 #endif /* WIN32 */
1659 #ifdef HAVE_PCAP_CREATE
1660 		pd = pcap_create(device, ebuf);
1661 		if (pd == NULL)
1662 			error("%s", ebuf);
1663 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1664 		if (Jflag)
1665 			show_tstamp_types_and_exit(device, pd);
1666 #endif
1667 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
1668 		status = pcap_set_tstamp_precision(pd, gndo->ndo_tstamp_precision);
1669 		if (status != 0)
1670 			error("%s: Can't set %ssecond time stamp precision: %s",
1671 				device,
1672 				tstamp_precision_to_string(gndo->ndo_tstamp_precision),
1673 				pcap_statustostr(status));
1674 #endif
1675 
1676 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
1677 		if (gndo->ndo_immediate) {
1678 			status = pcap_set_immediate_mode(pd, 1);
1679 			if (status != 0)
1680 				error("%s: Can't set immediate mode: %s",
1681 				device,
1682 				pcap_statustostr(status));
1683 		}
1684 #endif
1685 		/*
1686 		 * Is this an interface that supports monitor mode?
1687 		 */
1688 		if (pcap_can_set_rfmon(pd) == 1)
1689 			supports_monitor_mode = 1;
1690 		else
1691 			supports_monitor_mode = 0;
1692 		status = pcap_set_snaplen(pd, snaplen);
1693 		if (status != 0)
1694 			error("%s: Can't set snapshot length: %s",
1695 			    device, pcap_statustostr(status));
1696 		status = pcap_set_promisc(pd, !pflag);
1697 		if (status != 0)
1698 			error("%s: Can't set promiscuous mode: %s",
1699 			    device, pcap_statustostr(status));
1700 		if (Iflag) {
1701 			status = pcap_set_rfmon(pd, 1);
1702 			if (status != 0)
1703 				error("%s: Can't set monitor mode: %s",
1704 				    device, pcap_statustostr(status));
1705 		}
1706 		status = pcap_set_timeout(pd, 1000);
1707 		if (status != 0)
1708 			error("%s: pcap_set_timeout failed: %s",
1709 			    device, pcap_statustostr(status));
1710 		if (Bflag != 0) {
1711 			status = pcap_set_buffer_size(pd, Bflag);
1712 			if (status != 0)
1713 				error("%s: Can't set buffer size: %s",
1714 				    device, pcap_statustostr(status));
1715 		}
1716 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE
1717                 if (jflag != -1) {
1718 			status = pcap_set_tstamp_type(pd, jflag);
1719 			if (status < 0)
1720 				error("%s: Can't set time stamp type: %s",
1721 			              device, pcap_statustostr(status));
1722 		}
1723 #endif
1724 		status = pcap_activate(pd);
1725 		if (status < 0) {
1726 			/*
1727 			 * pcap_activate() failed.
1728 			 */
1729 			cp = pcap_geterr(pd);
1730 			if (status == PCAP_ERROR)
1731 				error("%s", cp);
1732 			else if ((status == PCAP_ERROR_NO_SUCH_DEVICE ||
1733 			          status == PCAP_ERROR_PERM_DENIED) &&
1734 			         *cp != '\0')
1735 				error("%s: %s\n(%s)", device,
1736 				    pcap_statustostr(status), cp);
1737 #ifdef __FreeBSD__
1738 			else if (status == PCAP_ERROR_RFMON_NOTSUP &&
1739 			    strncmp(device, "wlan", 4) == 0) {
1740 				char parent[8], newdev[8];
1741 				char sysctl[32];
1742 				size_t s = sizeof(parent);
1743 
1744 				snprintf(sysctl, sizeof(sysctl),
1745 				    "net.wlan.%d.%%parent", atoi(device + 4));
1746 				sysctlbyname(sysctl, parent, &s, NULL, 0);
1747 				strlcpy(newdev, device, sizeof(newdev));
1748 				/* Suggest a new wlan device. */
1749 				newdev[strlen(newdev)-1]++;
1750 				error("%s is not a monitor mode VAP\n"
1751 				    "To create a new monitor mode VAP use:\n"
1752 				    "  ifconfig %s create wlandev %s wlanmode "
1753 				    "monitor\nand use %s as the tcpdump "
1754 				    "interface", device, newdev, parent,
1755 				    newdev);
1756 			}
1757 #endif
1758 			else
1759 				error("%s: %s", device,
1760 				    pcap_statustostr(status));
1761 		} else if (status > 0) {
1762 			/*
1763 			 * pcap_activate() succeeded, but it's warning us
1764 			 * of a problem it had.
1765 			 */
1766 			cp = pcap_geterr(pd);
1767 			if (status == PCAP_WARNING)
1768 				warning("%s", cp);
1769 			else if (status == PCAP_WARNING_PROMISC_NOTSUP &&
1770 			         *cp != '\0')
1771 				warning("%s: %s\n(%s)", device,
1772 				    pcap_statustostr(status), cp);
1773 			else
1774 				warning("%s: %s", device,
1775 				    pcap_statustostr(status));
1776 		}
1777 #ifdef HAVE_PCAP_SETDIRECTION
1778 		if (Qflag != -1) {
1779 			status = pcap_setdirection(pd, Qflag);
1780 			if (status != 0)
1781 				error("%s: pcap_setdirection() failed: %s",
1782 				      device,  pcap_geterr(pd));
1783 		}
1784 #endif /* HAVE_PCAP_SETDIRECTION */
1785 #else
1786 		*ebuf = '\0';
1787 		pd = pcap_open_live(device, snaplen, !pflag, 1000, ebuf);
1788 		if (pd == NULL)
1789 			error("%s", ebuf);
1790 		else if (*ebuf)
1791 			warning("%s", ebuf);
1792 #endif /* HAVE_PCAP_CREATE */
1793 		/*
1794 		 * Let user own process after socket has been opened.
1795 		 */
1796 #ifndef WIN32
1797 		if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
1798 			fprintf(stderr, "Warning: setgid/setuid failed !\n");
1799 #endif /* WIN32 */
1800 #if !defined(HAVE_PCAP_CREATE) && defined(WIN32)
1801 		if(Bflag != 0)
1802 			if(pcap_setbuff(pd, Bflag)==-1){
1803 				error("%s", pcap_geterr(pd));
1804 			}
1805 #endif /* !defined(HAVE_PCAP_CREATE) && defined(WIN32) */
1806 		if (Lflag)
1807 			show_dlts_and_exit(device, pd);
1808 		if (gndo->ndo_dlt >= 0) {
1809 #ifdef HAVE_PCAP_SET_DATALINK
1810 			if (pcap_set_datalink(pd, gndo->ndo_dlt) < 0)
1811 				error("%s", pcap_geterr(pd));
1812 #else
1813 			/*
1814 			 * We don't actually support changing the
1815 			 * data link type, so we only let them
1816 			 * set it to what it already is.
1817 			 */
1818 			if (gndo->ndo_dlt != pcap_datalink(pd)) {
1819 				error("%s is not one of the DLTs supported by this device\n",
1820 				      gndo->ndo_dltname);
1821 			}
1822 #endif
1823 			(void)fprintf(stderr, "%s: data link type %s\n",
1824 				      program_name, gndo->ndo_dltname);
1825 			(void)fflush(stderr);
1826 		}
1827 		i = pcap_snapshot(pd);
1828 		if (snaplen < i) {
1829 			warning("snaplen raised from %d to %d", snaplen, i);
1830 			snaplen = i;
1831 		}
1832                 if(fflag != 0) {
1833                         if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) {
1834                                 warning("foreign (-f) flag used but: %s", ebuf);
1835                         }
1836                 }
1837 
1838 	}
1839 	if (infile)
1840 		cmdbuf = read_infile(infile);
1841 	else
1842 		cmdbuf = copy_argv(&argv[optind]);
1843 
1844 	if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0)
1845 		error("%s", pcap_geterr(pd));
1846 	if (dflag) {
1847 		bpf_dump(&fcode, dflag);
1848 		pcap_close(pd);
1849 		free(cmdbuf);
1850 		exit(0);
1851 	}
1852 
1853 #ifdef HAVE_CAPSICUM
1854 	if (!nflag)
1855 		capdns = capdns_setup();
1856 #endif	/* HAVE_CAPSICUM */
1857 
1858 	init_addrtoname(gndo, localnet, netmask);
1859         init_checksum();
1860 
1861 #ifndef WIN32
1862 	(void)setsignal(SIGPIPE, cleanup);
1863 	(void)setsignal(SIGTERM, cleanup);
1864 	(void)setsignal(SIGINT, cleanup);
1865 #endif /* WIN32 */
1866 #if defined(HAVE_FORK) || defined(HAVE_VFORK)
1867 	(void)setsignal(SIGCHLD, child_cleanup);
1868 #endif
1869 	/* Cooperate with nohup(1) */
1870 #ifndef WIN32
1871 	if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
1872 		(void)setsignal(SIGHUP, oldhandler);
1873 #endif /* WIN32 */
1874 
1875 #ifndef WIN32
1876 	/*
1877 	 * If a user name was specified with "-Z", attempt to switch to
1878 	 * that user's UID.  This would probably be used with sudo,
1879 	 * to allow tcpdump to be run in a special restricted
1880 	 * account (if you just want to allow users to open capture
1881 	 * devices, and can't just give users that permission,
1882 	 * you'd make tcpdump set-UID or set-GID).
1883 	 *
1884 	 * Tcpdump doesn't necessarily write only to one savefile;
1885 	 * the general only way to allow a -Z instance to write to
1886 	 * savefiles as the user under whose UID it's run, rather
1887 	 * than as the user specified with -Z, would thus be to switch
1888 	 * to the original user ID before opening a capture file and
1889 	 * then switch back to the -Z user ID after opening the savefile.
1890 	 * Switching to the -Z user ID only after opening the first
1891 	 * savefile doesn't handle the general case.
1892 	 */
1893 
1894 	if (getuid() == 0 || geteuid() == 0) {
1895 #ifdef HAVE_LIBCAP_NG
1896 		/* Initialize capng */
1897 		capng_clear(CAPNG_SELECT_BOTH);
1898 		if (username) {
1899 			capng_updatev(
1900 				CAPNG_ADD,
1901 				CAPNG_PERMITTED | CAPNG_EFFECTIVE,
1902 				CAP_SETUID,
1903 				CAP_SETGID,
1904 				-1);
1905 		}
1906 
1907 		if (WFileName) {
1908 			capng_update(
1909 				CAPNG_ADD,
1910 				CAPNG_PERMITTED | CAPNG_EFFECTIVE,
1911 				CAP_DAC_OVERRIDE
1912 				);
1913 		}
1914 		capng_apply(CAPNG_SELECT_BOTH);
1915 #endif /* HAVE_LIBCAP_NG */
1916 		if (username || chroot_dir)
1917 			droproot(username, chroot_dir);
1918 
1919 	}
1920 #endif /* WIN32 */
1921 
1922 	if (pcap_setfilter(pd, &fcode) < 0)
1923 		error("%s", pcap_geterr(pd));
1924 #ifdef HAVE_CAPSICUM
1925 	if (RFileName == NULL && VFileName == NULL) {
1926 		static const unsigned long cmds[] = { BIOCGSTATS };
1927 
1928 		/*
1929 		 * The various libpcap devices use a combination of
1930 		 * read (bpf), ioctl (bpf, netmap), poll (netmap).
1931 		 * Grant the relevant access rights, sorted by name.
1932 		 */
1933 		cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ);
1934 		if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 &&
1935 		    errno != ENOSYS) {
1936 			error("unable to limit pcap descriptor");
1937 		}
1938 		if (cap_ioctls_limit(pcap_fileno(pd), cmds,
1939 		    sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) {
1940 			error("unable to limit ioctls on pcap descriptor");
1941 		}
1942 	}
1943 #endif
1944 	if (WFileName) {
1945 		pcap_dumper_t *p;
1946 		/* Do not exceed the default PATH_MAX for files. */
1947 		dumpinfo.CurrentFileName = (char *)malloc(PATH_MAX + 1);
1948 
1949 		if (dumpinfo.CurrentFileName == NULL)
1950 			error("malloc of dumpinfo.CurrentFileName");
1951 
1952 		/* We do not need numbering for dumpfiles if Cflag isn't set. */
1953 		if (Cflag != 0)
1954 		  MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars);
1955 		else
1956 		  MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);
1957 
1958 		p = pcap_dump_open(pd, dumpinfo.CurrentFileName);
1959 #ifdef HAVE_LIBCAP_NG
1960 		/* Give up CAP_DAC_OVERRIDE capability.
1961 		 * Only allow it to be restored if the -C or -G flag have been
1962 		 * set since we may need to create more files later on.
1963 		 */
1964 		capng_update(
1965 			CAPNG_DROP,
1966 			(Cflag || Gflag ? 0 : CAPNG_PERMITTED)
1967 				| CAPNG_EFFECTIVE,
1968 			CAP_DAC_OVERRIDE
1969 			);
1970 		capng_apply(CAPNG_SELECT_BOTH);
1971 #endif /* HAVE_LIBCAP_NG */
1972 		if (p == NULL)
1973 			error("%s", pcap_geterr(pd));
1974 #ifdef HAVE_CAPSICUM
1975 		set_dumper_capsicum_rights(p);
1976 #endif
1977 		if (Cflag != 0 || Gflag != 0) {
1978 #ifdef HAVE_CAPSICUM
1979 			dumpinfo.WFileName = strdup(basename(WFileName));
1980 			dumpinfo.dirfd = open(dirname(WFileName),
1981 			    O_DIRECTORY | O_RDONLY);
1982 			if (dumpinfo.dirfd < 0) {
1983 				error("unable to open directory %s",
1984 				    dirname(WFileName));
1985 			}
1986 			cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL,
1987 			    CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE);
1988 			if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 &&
1989 			    errno != ENOSYS) {
1990 				error("unable to limit directory rights");
1991 			}
1992 			if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 &&
1993 			    errno != ENOSYS) {
1994 				error("unable to limit dump descriptor fcntls");
1995 			}
1996 #else	/* !HAVE_CAPSICUM */
1997 			dumpinfo.WFileName = WFileName;
1998 #endif
1999 			callback = dump_packet_and_trunc;
2000 			dumpinfo.pd = pd;
2001 			dumpinfo.p = p;
2002 			pcap_userdata = (u_char *)&dumpinfo;
2003 		} else {
2004 			callback = dump_packet;
2005 			pcap_userdata = (u_char *)p;
2006 		}
2007 #ifdef HAVE_PCAP_DUMP_FLUSH
2008 		if (Uflag)
2009 			pcap_dump_flush(p);
2010 #endif
2011 	} else {
2012 		type = pcap_datalink(pd);
2013 		printinfo = get_print_info(type);
2014 		callback = print_packet;
2015 		pcap_userdata = (u_char *)&printinfo;
2016 	}
2017 
2018 #ifdef SIGNAL_REQ_INFO
2019 	/*
2020 	 * We can't get statistics when reading from a file rather
2021 	 * than capturing from a device.
2022 	 */
2023 	if (RFileName == NULL)
2024 		(void)setsignal(SIGNAL_REQ_INFO, requestinfo);
2025 #endif
2026 
2027 	if (vflag > 0 && WFileName) {
2028 		/*
2029 		 * When capturing to a file, "-v" means tcpdump should,
2030 		 * every 10 secodns, "v"erbosely report the number of
2031 		 * packets captured.
2032 		 */
2033 #ifdef USE_WIN32_MM_TIMER
2034 		/* call verbose_stats_dump() each 1000 +/-100msec */
2035 		timer_id = timeSetEvent(1000, 100, verbose_stats_dump, 0, TIME_PERIODIC);
2036 		setvbuf(stderr, NULL, _IONBF, 0);
2037 #elif defined(HAVE_ALARM)
2038 		(void)setsignal(SIGALRM, verbose_stats_dump);
2039 		alarm(1);
2040 #endif
2041 	}
2042 
2043 #ifndef WIN32
2044 	if (RFileName == NULL) {
2045 		/*
2046 		 * Live capture (if -V was specified, we set RFileName
2047 		 * to a file from the -V file).  Print a message to
2048 		 * the standard error on UN*X.
2049 		 */
2050 		if (!vflag && !WFileName) {
2051 			(void)fprintf(stderr,
2052 			    "%s: verbose output suppressed, use -v or -vv for full protocol decode\n",
2053 			    program_name);
2054 		} else
2055 			(void)fprintf(stderr, "%s: ", program_name);
2056 		dlt = pcap_datalink(pd);
2057 		dlt_name = pcap_datalink_val_to_name(dlt);
2058 		if (dlt_name == NULL) {
2059 			(void)fprintf(stderr, "listening on %s, link-type %u, capture size %u bytes\n",
2060 			    device, dlt, snaplen);
2061 		} else {
2062 			(void)fprintf(stderr, "listening on %s, link-type %s (%s), capture size %u bytes\n",
2063 			    device, dlt_name,
2064 			    pcap_datalink_val_to_description(dlt), snaplen);
2065 		}
2066 		(void)fflush(stderr);
2067 	}
2068 #endif /* WIN32 */
2069 
2070 #ifdef __FreeBSD__
2071 	cansandbox = (VFileName == NULL && zflag == NULL);
2072 #ifdef HAVE_CAPSICUM
2073 	cansandbox = (cansandbox && (nflag || capdns != NULL));
2074 #else
2075 	cansandbox = (cansandbox && nflag);
2076 #endif
2077 	if (cansandbox && cap_enter() < 0 && errno != ENOSYS)
2078 		error("unable to enter the capability mode");
2079 #endif	/* __FreeBSD__ */
2080 
2081 	do {
2082 		status = pcap_loop(pd, cnt, callback, pcap_userdata);
2083 		if (WFileName == NULL) {
2084 			/*
2085 			 * We're printing packets.  Flush the printed output,
2086 			 * so it doesn't get intermingled with error output.
2087 			 */
2088 			if (status == -2) {
2089 				/*
2090 				 * We got interrupted, so perhaps we didn't
2091 				 * manage to finish a line we were printing.
2092 				 * Print an extra newline, just in case.
2093 				 */
2094 				putchar('\n');
2095 			}
2096 			(void)fflush(stdout);
2097 		}
2098                 if (status == -2) {
2099 			/*
2100 			 * We got interrupted. If we are reading multiple
2101 			 * files (via -V) set these so that we stop.
2102 			 */
2103 			VFileName = NULL;
2104 			ret = NULL;
2105 		}
2106 		if (status == -1) {
2107 			/*
2108 			 * Error.  Report it.
2109 			 */
2110 			(void)fprintf(stderr, "%s: pcap_loop: %s\n",
2111 			    program_name, pcap_geterr(pd));
2112 		}
2113 		if (RFileName == NULL) {
2114 			/*
2115 			 * We're doing a live capture.  Report the capture
2116 			 * statistics.
2117 			 */
2118 			info(1);
2119 		}
2120 		pcap_close(pd);
2121 		if (VFileName != NULL) {
2122 			ret = get_next_file(VFile, VFileLine);
2123 			if (ret) {
2124 				RFileName = VFileLine;
2125 				pd = pcap_open_offline(RFileName, ebuf);
2126 				if (pd == NULL)
2127 					error("%s", ebuf);
2128 #ifdef HAVE_CAPSICUM
2129 				cap_rights_init(&rights, CAP_READ);
2130 				if (cap_rights_limit(fileno(pcap_file(pd)),
2131 				    &rights) < 0 && errno != ENOSYS) {
2132 					error("unable to limit pcap descriptor");
2133 				}
2134 #endif
2135 				new_dlt = pcap_datalink(pd);
2136 				if (WFileName && new_dlt != dlt)
2137 					error("%s: new dlt does not match original", RFileName);
2138 				printinfo = get_print_info(new_dlt);
2139 				dlt_name = pcap_datalink_val_to_name(new_dlt);
2140 				if (dlt_name == NULL) {
2141 					fprintf(stderr, "reading from file %s, link-type %u\n",
2142 					RFileName, new_dlt);
2143 				} else {
2144 					fprintf(stderr,
2145 					"reading from file %s, link-type %s (%s)\n",
2146 					RFileName, dlt_name,
2147 					pcap_datalink_val_to_description(new_dlt));
2148 				}
2149 				if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0)
2150 					error("%s", pcap_geterr(pd));
2151 				if (pcap_setfilter(pd, &fcode) < 0)
2152 					error("%s", pcap_geterr(pd));
2153 			}
2154 		}
2155 	}
2156 	while (ret != NULL);
2157 
2158 	free(cmdbuf);
2159 	exit(status == -1 ? 1 : 0);
2160 }
2161 
2162 /* make a clean exit on interrupts */
2163 static RETSIGTYPE
2164 cleanup(int signo _U_)
2165 {
2166 #ifdef USE_WIN32_MM_TIMER
2167 	if (timer_id)
2168 		timeKillEvent(timer_id);
2169 	timer_id = 0;
2170 #elif defined(HAVE_ALARM)
2171 	alarm(0);
2172 #endif
2173 
2174 #ifdef HAVE_PCAP_BREAKLOOP
2175 	/*
2176 	 * We have "pcap_breakloop()"; use it, so that we do as little
2177 	 * as possible in the signal handler (it's probably not safe
2178 	 * to do anything with standard I/O streams in a signal handler -
2179 	 * the ANSI C standard doesn't say it is).
2180 	 */
2181 	pcap_breakloop(pd);
2182 #else
2183 	/*
2184 	 * We don't have "pcap_breakloop()"; this isn't safe, but
2185 	 * it's the best we can do.  Print the summary if we're
2186 	 * not reading from a savefile - i.e., if we're doing a
2187 	 * live capture - and exit.
2188 	 */
2189 	if (pd != NULL && pcap_file(pd) == NULL) {
2190 		/*
2191 		 * We got interrupted, so perhaps we didn't
2192 		 * manage to finish a line we were printing.
2193 		 * Print an extra newline, just in case.
2194 		 */
2195 		putchar('\n');
2196 		(void)fflush(stdout);
2197 		info(1);
2198 	}
2199 	exit(0);
2200 #endif
2201 }
2202 
2203 /*
2204   On windows, we do not use a fork, so we do not care less about
2205   waiting a child processes to die
2206  */
2207 #if defined(HAVE_FORK) || defined(HAVE_VFORK)
2208 static RETSIGTYPE
2209 child_cleanup(int signo _U_)
2210 {
2211   wait(NULL);
2212 }
2213 #endif /* HAVE_FORK && HAVE_VFORK */
2214 
2215 static void
2216 info(register int verbose)
2217 {
2218 	struct pcap_stat stat;
2219 
2220 	/*
2221 	 * Older versions of libpcap didn't set ps_ifdrop on some
2222 	 * platforms; initialize it to 0 to handle that.
2223 	 */
2224 	stat.ps_ifdrop = 0;
2225 	if (pcap_stats(pd, &stat) < 0) {
2226 		(void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd));
2227 		infoprint = 0;
2228 		return;
2229 	}
2230 
2231 	if (!verbose)
2232 		fprintf(stderr, "%s: ", program_name);
2233 
2234 	(void)fprintf(stderr, "%u packet%s captured", packets_captured,
2235 	    PLURAL_SUFFIX(packets_captured));
2236 	if (!verbose)
2237 		fputs(", ", stderr);
2238 	else
2239 		putc('\n', stderr);
2240 	(void)fprintf(stderr, "%u packet%s received by filter", stat.ps_recv,
2241 	    PLURAL_SUFFIX(stat.ps_recv));
2242 	if (!verbose)
2243 		fputs(", ", stderr);
2244 	else
2245 		putc('\n', stderr);
2246 	(void)fprintf(stderr, "%u packet%s dropped by kernel", stat.ps_drop,
2247 	    PLURAL_SUFFIX(stat.ps_drop));
2248 	if (stat.ps_ifdrop != 0) {
2249 		if (!verbose)
2250 			fputs(", ", stderr);
2251 		else
2252 			putc('\n', stderr);
2253 		(void)fprintf(stderr, "%u packet%s dropped by interface\n",
2254 		    stat.ps_ifdrop, PLURAL_SUFFIX(stat.ps_ifdrop));
2255 	} else
2256 		putc('\n', stderr);
2257 	infoprint = 0;
2258 }
2259 
2260 #if defined(HAVE_FORK) || defined(HAVE_VFORK)
2261 static void
2262 compress_savefile(const char *filename)
2263 {
2264 # ifdef HAVE_FORK
2265 	if (fork())
2266 # else
2267 	if (vfork())
2268 # endif
2269 		return;
2270 	/*
2271 	 * Set to lowest priority so that this doesn't disturb the capture
2272 	 */
2273 #ifdef NZERO
2274 	setpriority(PRIO_PROCESS, 0, NZERO - 1);
2275 #else
2276 	setpriority(PRIO_PROCESS, 0, 19);
2277 #endif
2278 	if (execlp(zflag, zflag, filename, (char *)NULL) == -1)
2279 		fprintf(stderr,
2280 			"compress_savefile:execlp(%s, %s): %s\n",
2281 			zflag,
2282 			filename,
2283 			strerror(errno));
2284 # ifdef HAVE_FORK
2285 	exit(1);
2286 # else
2287 	_exit(1);
2288 # endif
2289 }
2290 #else  /* HAVE_FORK && HAVE_VFORK */
2291 static void
2292 compress_savefile(const char *filename)
2293 {
2294 	fprintf(stderr,
2295 		"compress_savefile failed. Functionality not implemented under your system\n");
2296 }
2297 #endif /* HAVE_FORK && HAVE_VFORK */
2298 
2299 static void
2300 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
2301 {
2302 	struct dump_info *dump_info;
2303 
2304 	++packets_captured;
2305 
2306 	++infodelay;
2307 
2308 	dump_info = (struct dump_info *)user;
2309 
2310 	/*
2311 	 * XXX - this won't force the file to rotate on the specified time
2312 	 * boundary, but it will rotate on the first packet received after the
2313 	 * specified Gflag number of seconds. Note: if a Gflag time boundary
2314 	 * and a Cflag size boundary coincide, the time rotation will occur
2315 	 * first thereby cancelling the Cflag boundary (since the file should
2316 	 * be 0).
2317 	 */
2318 	if (Gflag != 0) {
2319 		/* Check if it is time to rotate */
2320 		time_t t;
2321 
2322 		/* Get the current time */
2323 		if ((t = time(NULL)) == (time_t)-1) {
2324 			error("dump_and_trunc_packet: can't get current_time: %s",
2325 			    pcap_strerror(errno));
2326 		}
2327 
2328 
2329 		/* If the time is greater than the specified window, rotate */
2330 		if (t - Gflag_time >= Gflag) {
2331 #ifdef HAVE_CAPSICUM
2332 			FILE *fp;
2333 			int fd;
2334 #endif
2335 
2336 			/* Update the Gflag_time */
2337 			Gflag_time = t;
2338 			/* Update Gflag_count */
2339 			Gflag_count++;
2340 			/*
2341 			 * Close the current file and open a new one.
2342 			 */
2343 			pcap_dump_close(dump_info->p);
2344 
2345 			/*
2346 			 * Compress the file we just closed, if the user asked for it
2347 			 */
2348 			if (zflag != NULL)
2349 				compress_savefile(dump_info->CurrentFileName);
2350 
2351 			/*
2352 			 * Check to see if we've exceeded the Wflag (when
2353 			 * not using Cflag).
2354 			 */
2355 			if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) {
2356 				(void)fprintf(stderr, "Maximum file limit reached: %d\n",
2357 				    Wflag);
2358 				exit(0);
2359 				/* NOTREACHED */
2360 			}
2361 			if (dump_info->CurrentFileName != NULL)
2362 				free(dump_info->CurrentFileName);
2363 			/* Allocate space for max filename + \0. */
2364 			dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1);
2365 			if (dump_info->CurrentFileName == NULL)
2366 				error("dump_packet_and_trunc: malloc");
2367 			/*
2368 			 * Gflag was set otherwise we wouldn't be here. Reset the count
2369 			 * so multiple files would end with 1,2,3 in the filename.
2370 			 * The counting is handled with the -C flow after this.
2371 			 */
2372 			Cflag_count = 0;
2373 
2374 			/*
2375 			 * This is always the first file in the Cflag
2376 			 * rotation: e.g. 0
2377 			 * We also don't need numbering if Cflag is not set.
2378 			 */
2379 			if (Cflag != 0)
2380 				MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0,
2381 				    WflagChars);
2382 			else
2383 				MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0);
2384 
2385 #ifdef HAVE_LIBCAP_NG
2386 			capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2387 			capng_apply(CAPNG_SELECT_BOTH);
2388 #endif /* HAVE_LIBCAP_NG */
2389 #ifdef HAVE_CAPSICUM
2390 			fd = openat(dump_info->dirfd,
2391 			    dump_info->CurrentFileName,
2392 			    O_CREAT | O_WRONLY | O_TRUNC, 0644);
2393 			if (fd < 0) {
2394 				error("unable to open file %s",
2395 				    dump_info->CurrentFileName);
2396 			}
2397 			fp = fdopen(fd, "w");
2398 			if (fp == NULL) {
2399 				error("unable to fdopen file %s",
2400 				    dump_info->CurrentFileName);
2401 			}
2402 			dump_info->p = pcap_dump_fopen(dump_info->pd, fp);
2403 #else	/* !HAVE_CAPSICUM */
2404 			dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName);
2405 #endif
2406 #ifdef HAVE_LIBCAP_NG
2407 			capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2408 			capng_apply(CAPNG_SELECT_BOTH);
2409 #endif /* HAVE_LIBCAP_NG */
2410 			if (dump_info->p == NULL)
2411 				error("%s", pcap_geterr(pd));
2412 #ifdef HAVE_CAPSICUM
2413 			set_dumper_capsicum_rights(dump_info->p);
2414 #endif
2415 		}
2416 	}
2417 
2418 	/*
2419 	 * XXX - this won't prevent capture files from getting
2420 	 * larger than Cflag - the last packet written to the
2421 	 * file could put it over Cflag.
2422 	 */
2423 	if (Cflag != 0) {
2424 		long size = pcap_dump_ftell(dump_info->p);
2425 
2426 		if (size == -1)
2427 			error("ftell fails on output file");
2428 		if (size > Cflag) {
2429 #ifdef HAVE_CAPSICUM
2430 			FILE *fp;
2431 			int fd;
2432 #endif
2433 
2434 			/*
2435 			 * Close the current file and open a new one.
2436 			 */
2437 			pcap_dump_close(dump_info->p);
2438 
2439 			/*
2440 			 * Compress the file we just closed, if the user
2441 			 * asked for it.
2442 			 */
2443 			if (zflag != NULL)
2444 				compress_savefile(dump_info->CurrentFileName);
2445 
2446 			Cflag_count++;
2447 			if (Wflag > 0) {
2448 				if (Cflag_count >= Wflag)
2449 					Cflag_count = 0;
2450 			}
2451 			if (dump_info->CurrentFileName != NULL)
2452 				free(dump_info->CurrentFileName);
2453 			dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1);
2454 			if (dump_info->CurrentFileName == NULL)
2455 				error("dump_packet_and_trunc: malloc");
2456 			MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars);
2457 #ifdef HAVE_LIBCAP_NG
2458 			capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2459 			capng_apply(CAPNG_SELECT_BOTH);
2460 #endif /* HAVE_LIBCAP_NG */
2461 #ifdef HAVE_CAPSICUM
2462 			fd = openat(dump_info->dirfd, dump_info->CurrentFileName,
2463 			    O_CREAT | O_WRONLY | O_TRUNC, 0644);
2464 			if (fd < 0) {
2465 				error("unable to open file %s",
2466 				    dump_info->CurrentFileName);
2467 			}
2468 			fp = fdopen(fd, "w");
2469 			if (fp == NULL) {
2470 				error("unable to fdopen file %s",
2471 				    dump_info->CurrentFileName);
2472 			}
2473 			dump_info->p = pcap_dump_fopen(dump_info->pd, fp);
2474 #else	/* !HAVE_CAPSICUM */
2475 			dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName);
2476 #endif
2477 #ifdef HAVE_LIBCAP_NG
2478 			capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
2479 			capng_apply(CAPNG_SELECT_BOTH);
2480 #endif /* HAVE_LIBCAP_NG */
2481 			if (dump_info->p == NULL)
2482 				error("%s", pcap_geterr(pd));
2483 #ifdef HAVE_CAPSICUM
2484 			set_dumper_capsicum_rights(dump_info->p);
2485 #endif
2486 		}
2487 	}
2488 
2489 	pcap_dump((u_char *)dump_info->p, h, sp);
2490 #ifdef HAVE_PCAP_DUMP_FLUSH
2491 	if (Uflag)
2492 		pcap_dump_flush(dump_info->p);
2493 #endif
2494 
2495 	--infodelay;
2496 	if (infoprint)
2497 		info(0);
2498 }
2499 
2500 static void
2501 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
2502 {
2503 	++packets_captured;
2504 
2505 	++infodelay;
2506 
2507 	pcap_dump(user, h, sp);
2508 #ifdef HAVE_PCAP_DUMP_FLUSH
2509 	if (Uflag)
2510 		pcap_dump_flush((pcap_dumper_t *)user);
2511 #endif
2512 
2513 	--infodelay;
2514 	if (infoprint)
2515 		info(0);
2516 }
2517 
2518 static void
2519 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
2520 {
2521 	struct print_info *print_info;
2522 	u_int hdrlen;
2523         netdissect_options *ndo;
2524 
2525 	++packets_captured;
2526 
2527 	++infodelay;
2528 
2529 	print_info = (struct print_info *)user;
2530         ndo = print_info->ndo;
2531 
2532 	if(ndo->ndo_packet_number)
2533 		ND_PRINT((ndo, "%5u  ", packets_captured));
2534 
2535 	ts_print(ndo, &h->ts);
2536 
2537 	/*
2538 	 * Some printers want to check that they're not walking off the
2539 	 * end of the packet.
2540 	 * Rather than pass it all the way down, we set this member
2541 	 * of the netdissect_options structure.
2542 	 */
2543 	ndo->ndo_snapend = sp + h->caplen;
2544 
2545         if(print_info->ndo_type) {
2546                 hdrlen = (*print_info->p.ndo_printer)(print_info->ndo, h, sp);
2547         } else {
2548                 hdrlen = (*print_info->p.printer)(h, sp);
2549         }
2550 
2551 	/*
2552 	 * Restore the original snapend, as a printer might have
2553 	 * changed it.
2554 	 */
2555 	ndo->ndo_snapend = sp + h->caplen;
2556 	if (ndo->ndo_Xflag) {
2557 		/*
2558 		 * Print the raw packet data in hex and ASCII.
2559 		 */
2560 		if (ndo->ndo_Xflag > 1) {
2561 			/*
2562 			 * Include the link-layer header.
2563 			 */
2564 			hex_and_ascii_print(ndo, "\n\t", sp, h->caplen);
2565 		} else {
2566 			/*
2567 			 * Don't include the link-layer header - and if
2568 			 * we have nothing past the link-layer header,
2569 			 * print nothing.
2570 			 */
2571 			if (h->caplen > hdrlen)
2572 				hex_and_ascii_print(ndo, "\n\t", sp + hdrlen,
2573 				    h->caplen - hdrlen);
2574 		}
2575 	} else if (ndo->ndo_xflag) {
2576 		/*
2577 		 * Print the raw packet data in hex.
2578 		 */
2579 		if (ndo->ndo_xflag > 1) {
2580 			/*
2581 			 * Include the link-layer header.
2582 			 */
2583                         hex_print(ndo, "\n\t", sp, h->caplen);
2584 		} else {
2585 			/*
2586 			 * Don't include the link-layer header - and if
2587 			 * we have nothing past the link-layer header,
2588 			 * print nothing.
2589 			 */
2590 			if (h->caplen > hdrlen)
2591 				hex_print(ndo, "\n\t", sp + hdrlen,
2592                                           h->caplen - hdrlen);
2593 		}
2594 	} else if (ndo->ndo_Aflag) {
2595 		/*
2596 		 * Print the raw packet data in ASCII.
2597 		 */
2598 		if (ndo->ndo_Aflag > 1) {
2599 			/*
2600 			 * Include the link-layer header.
2601 			 */
2602 			ascii_print(ndo, sp, h->caplen);
2603 		} else {
2604 			/*
2605 			 * Don't include the link-layer header - and if
2606 			 * we have nothing past the link-layer header,
2607 			 * print nothing.
2608 			 */
2609 			if (h->caplen > hdrlen)
2610 				ascii_print(ndo, sp + hdrlen, h->caplen - hdrlen);
2611 		}
2612 	}
2613 
2614 	putchar('\n');
2615 
2616 	--infodelay;
2617 	if (infoprint)
2618 		info(0);
2619 }
2620 
2621 #ifdef WIN32
2622 	/*
2623 	 * XXX - there should really be libpcap calls to get the version
2624 	 * number as a string (the string would be generated from #defines
2625 	 * at run time, so that it's not generated from string constants
2626 	 * in the library, as, on many UNIX systems, those constants would
2627 	 * be statically linked into the application executable image, and
2628 	 * would thus reflect the version of libpcap on the system on
2629 	 * which the application was *linked*, not the system on which it's
2630 	 * *running*.
2631 	 *
2632 	 * That routine should be documented, unlike the "version[]"
2633 	 * string, so that UNIX vendors providing their own libpcaps
2634 	 * don't omit it (as a couple of vendors have...).
2635 	 *
2636 	 * Packet.dll should perhaps also export a routine to return the
2637 	 * version number of the Packet.dll code, to supply the
2638 	 * "Wpcap_version" information on Windows.
2639 	 */
2640 	char WDversion[]="current-git.tcpdump.org";
2641 #if !defined(HAVE_GENERATED_VERSION)
2642 	char version[]="current-git.tcpdump.org";
2643 #endif
2644 	char pcap_version[]="current-git.tcpdump.org";
2645 	char Wpcap_version[]="3.1";
2646 #endif
2647 
2648 /*
2649  * By default, print the specified data out in hex and ASCII.
2650  */
2651 static void
2652 ndo_default_print(netdissect_options *ndo, const u_char *bp, u_int length)
2653 {
2654 	hex_and_ascii_print(ndo, "\n\t", bp, length); /* pass on lf and indentation string */
2655 }
2656 
2657 void
2658 default_print(const u_char *bp, u_int length)
2659 {
2660 	ndo_default_print(gndo, bp, length);
2661 }
2662 
2663 #ifdef SIGNAL_REQ_INFO
2664 RETSIGTYPE requestinfo(int signo _U_)
2665 {
2666 	if (infodelay)
2667 		++infoprint;
2668 	else
2669 		info(0);
2670 }
2671 #endif
2672 
2673 /*
2674  * Called once each second in verbose mode while dumping to file
2675  */
2676 #ifdef USE_WIN32_MM_TIMER
2677 void CALLBACK verbose_stats_dump (UINT timer_id _U_, UINT msg _U_, DWORD_PTR arg _U_,
2678 				  DWORD_PTR dw1 _U_, DWORD_PTR dw2 _U_)
2679 {
2680 	struct pcap_stat stat;
2681 
2682 	if (infodelay == 0 && pcap_stats(pd, &stat) >= 0)
2683 		fprintf(stderr, "Got %u\r", packets_captured);
2684 }
2685 #elif defined(HAVE_ALARM)
2686 static void verbose_stats_dump(int sig _U_)
2687 {
2688 	struct pcap_stat stat;
2689 
2690 	if (infodelay == 0 && pcap_stats(pd, &stat) >= 0)
2691 		fprintf(stderr, "Got %u\r", packets_captured);
2692 	alarm(1);
2693 }
2694 #endif
2695 
2696 USES_APPLE_DEPRECATED_API
2697 static void
2698 print_version(void)
2699 {
2700 	extern char version[];
2701 #ifndef HAVE_PCAP_LIB_VERSION
2702 #if defined(WIN32) || defined(HAVE_PCAP_VERSION)
2703 	extern char pcap_version[];
2704 #else /* defined(WIN32) || defined(HAVE_PCAP_VERSION) */
2705 	static char pcap_version[] = "unknown";
2706 #endif /* defined(WIN32) || defined(HAVE_PCAP_VERSION) */
2707 #endif /* HAVE_PCAP_LIB_VERSION */
2708 
2709 #ifdef HAVE_PCAP_LIB_VERSION
2710 #ifdef WIN32
2711 	(void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version);
2712 #else /* WIN32 */
2713 	(void)fprintf(stderr, "%s version %s\n", program_name, version);
2714 #endif /* WIN32 */
2715 	(void)fprintf(stderr, "%s\n",pcap_lib_version());
2716 #else /* HAVE_PCAP_LIB_VERSION */
2717 #ifdef WIN32
2718 	(void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version);
2719 	(void)fprintf(stderr, "WinPcap version %s, based on libpcap version %s\n",Wpcap_version, pcap_version);
2720 #else /* WIN32 */
2721 	(void)fprintf(stderr, "%s version %s\n", program_name, version);
2722 	(void)fprintf(stderr, "libpcap version %s\n", pcap_version);
2723 #endif /* WIN32 */
2724 #endif /* HAVE_PCAP_LIB_VERSION */
2725 
2726 #if defined(HAVE_LIBCRYPTO) && defined(SSLEAY_VERSION)
2727 	(void)fprintf (stderr, "%s\n", SSLeay_version(SSLEAY_VERSION));
2728 #endif
2729 
2730 #ifdef USE_LIBSMI
2731 	(void)fprintf (stderr, "SMI-library: %s\n", smi_version_string);
2732 #endif
2733 }
2734 USES_APPLE_RST
2735 
2736 static void
2737 print_usage(void)
2738 {
2739 	print_version();
2740 	(void)fprintf(stderr,
2741 "Usage: %s [-aAbd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqRStu" U_FLAG "vxX#]" B_FLAG_USAGE " [ -c count ]\n", program_name);
2742 	(void)fprintf(stderr,
2743 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n");
2744 	(void)fprintf(stderr,
2745 "\t\t[ -i interface ]" j_FLAG_USAGE " [ -M secret ] [ --number ]\n");
2746 #ifdef HAVE_PCAP_SETDIRECTION
2747 	(void)fprintf(stderr,
2748 "\t\t[ -Q in|out|inout ]\n");
2749 #endif
2750 	(void)fprintf(stderr,
2751 "\t\t[ -r file ] [ -s snaplen ] ");
2752 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
2753 	(void)fprintf(stderr, "[ --time-stamp-precision precision ]\n");
2754 	(void)fprintf(stderr,
2755 "\t\t");
2756 #endif
2757 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
2758 	(void)fprintf(stderr, "[ --immediate-mode ] ");
2759 #endif
2760 	(void)fprintf(stderr, "[ -T type ] [ --version ] [ -V file ]\n");
2761 	(void)fprintf(stderr,
2762 "\t\t[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z command ]\n");
2763 	(void)fprintf(stderr,
2764 "\t\t[ -Z user ] [ expression ]\n");
2765 }
2766 
2767 
2768 
2769 /* VARARGS */
2770 static void
2771 ndo_error(netdissect_options *ndo _U_, const char *fmt, ...)
2772 {
2773 	va_list ap;
2774 
2775 	(void)fprintf(stderr, "%s: ", program_name);
2776 	va_start(ap, fmt);
2777 	(void)vfprintf(stderr, fmt, ap);
2778 	va_end(ap);
2779 	if (*fmt) {
2780 		fmt += strlen(fmt);
2781 		if (fmt[-1] != '\n')
2782 			(void)fputc('\n', stderr);
2783 	}
2784 	exit(1);
2785 	/* NOTREACHED */
2786 }
2787 
2788 /* VARARGS */
2789 static void
2790 ndo_warning(netdissect_options *ndo _U_, const char *fmt, ...)
2791 {
2792 	va_list ap;
2793 
2794 	(void)fprintf(stderr, "%s: WARNING: ", program_name);
2795 	va_start(ap, fmt);
2796 	(void)vfprintf(stderr, fmt, ap);
2797 	va_end(ap);
2798 	if (*fmt) {
2799 		fmt += strlen(fmt);
2800 		if (fmt[-1] != '\n')
2801 			(void)fputc('\n', stderr);
2802 	}
2803 }
2804 /*
2805  * Local Variables:
2806  * c-style: whitesmith
2807  * c-basic-offset: 8
2808  * End:
2809  */
2810