1 /* 2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Support for splitting captures into multiple files with a maximum 22 * file size: 23 * 24 * Copyright (c) 2001 25 * Seth Webster <swebster@sst.ll.mit.edu> 26 */ 27 28 /* 29 * tcpdump - dump traffic on a network 30 * 31 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory. 32 * Mercilessly hacked and occasionally improved since then via the 33 * combined efforts of Van, Steve McCanne and Craig Leres of LBL. 34 */ 35 36 #ifdef HAVE_CONFIG_H 37 #include <config.h> 38 #endif 39 40 /* 41 * Some older versions of Mac OS X may ship pcap.h from libpcap 0.6 with a 42 * libpcap based on 0.8. That means it has pcap_findalldevs() but the 43 * header doesn't define pcap_if_t, meaning that we can't actually *use* 44 * pcap_findalldevs(). 45 */ 46 #ifdef HAVE_PCAP_FINDALLDEVS 47 #ifndef HAVE_PCAP_IF_T 48 #undef HAVE_PCAP_FINDALLDEVS 49 #endif 50 #endif 51 52 #include "netdissect-stdinc.h" 53 54 /* 55 * This must appear after including netdissect-stdinc.h, so that _U_ is 56 * defined. 57 */ 58 #ifndef lint 59 static const char copyright[] _U_ = 60 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\ 61 The Regents of the University of California. All rights reserved.\n"; 62 #endif 63 64 #include <sys/stat.h> 65 66 #ifdef HAVE_FCNTL_H 67 #include <fcntl.h> 68 #endif 69 70 #ifdef HAVE_LIBCRYPTO 71 #include <openssl/crypto.h> 72 #endif 73 74 #ifdef HAVE_GETOPT_LONG 75 #include <getopt.h> 76 #else 77 #include "missing/getopt_long.h" 78 #endif 79 /* Capsicum-specific code requires macros from <net/bpf.h>, which will fail 80 * to compile if <pcap.h> has already been included; including the headers 81 * in the opposite order works fine. For the most part anyway, because in 82 * FreeBSD <pcap/pcap.h> declares bpf_dump() instead of <net/bpf.h>. Thus 83 * interface.h takes care of it later to avoid a compiler warning. 84 */ 85 #ifdef HAVE_CAPSICUM 86 #include <sys/capsicum.h> 87 #include <sys/ioccom.h> 88 #include <net/bpf.h> 89 #include <libgen.h> 90 #ifdef HAVE_CASPER 91 #include <libcasper.h> 92 #include <casper/cap_dns.h> 93 #include <sys/nv.h> 94 #endif /* HAVE_CASPER */ 95 #endif /* HAVE_CAPSICUM */ 96 #ifdef HAVE_PCAP_OPEN 97 /* 98 * We found pcap_open() in the capture library, so we'll be using 99 * the remote capture APIs; define PCAP_REMOTE before we include pcap.h, 100 * so we get those APIs declared, and the types and #defines that they 101 * use defined. 102 * 103 * WinPcap's headers require that PCAP_REMOTE be defined in order to get 104 * remote-capture APIs declared and types and #defines that they use 105 * defined. 106 * 107 * (Versions of libpcap with those APIs, and thus Npcap, which is based on 108 * those versions of libpcap, don't require it.) 109 */ 110 #define HAVE_REMOTE 111 #endif 112 #include <pcap.h> 113 #include <signal.h> 114 #include <stdio.h> 115 #include <stdarg.h> 116 #include <stdlib.h> 117 #include <string.h> 118 #include <limits.h> 119 #ifdef _WIN32 120 #include <windows.h> 121 #else 122 #include <sys/time.h> 123 #include <sys/wait.h> 124 #include <sys/resource.h> 125 #include <pwd.h> 126 #include <grp.h> 127 #endif /* _WIN32 */ 128 129 /* 130 * Pathname separator. 131 * Use this in pathnames, but do *not* use it in URLs. 132 */ 133 #ifdef _WIN32 134 #define PATH_SEPARATOR '\\' 135 #else 136 #define PATH_SEPARATOR '/' 137 #endif 138 139 /* capabilities convenience library */ 140 /* If a code depends on HAVE_LIBCAP_NG, it depends also on HAVE_CAP_NG_H. 141 * If HAVE_CAP_NG_H is not defined, undefine HAVE_LIBCAP_NG. 142 * Thus, the later tests are done only on HAVE_LIBCAP_NG. 143 */ 144 #ifdef HAVE_LIBCAP_NG 145 #ifdef HAVE_CAP_NG_H 146 #include <cap-ng.h> 147 #else 148 #undef HAVE_LIBCAP_NG 149 #endif /* HAVE_CAP_NG_H */ 150 #endif /* HAVE_LIBCAP_NG */ 151 152 #ifdef __FreeBSD__ 153 #include <sys/sysctl.h> 154 #endif /* __FreeBSD__ */ 155 156 #include "netdissect-stdinc.h" 157 #include "netdissect.h" 158 #include "interface.h" 159 #include "addrtoname.h" 160 #include "machdep.h" 161 #include "pcap-missing.h" 162 #include "ascii_strcasecmp.h" 163 164 #include "print.h" 165 166 #include "diag-control.h" 167 168 #include "fptype.h" 169 170 #ifndef PATH_MAX 171 #define PATH_MAX 1024 172 #endif 173 174 #if defined(SIGINFO) 175 #define SIGNAL_REQ_INFO SIGINFO 176 #elif defined(SIGUSR1) 177 #define SIGNAL_REQ_INFO SIGUSR1 178 #endif 179 180 #if defined(HAVE_PCAP_DUMP_FLUSH) && defined(SIGUSR2) 181 #define SIGNAL_FLUSH_PCAP SIGUSR2 182 #endif 183 184 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 185 static int Bflag; /* buffer size */ 186 #endif 187 #ifdef HAVE_PCAP_DUMP_FTELL64 188 static int64_t Cflag; /* rotate dump files after this many bytes */ 189 #else 190 static long Cflag; /* rotate dump files after this many bytes */ 191 #endif 192 static int Cflag_count; /* Keep track of which file number we're writing */ 193 #ifdef HAVE_PCAP_FINDALLDEVS 194 static int Dflag; /* list available devices and exit */ 195 #endif 196 #ifdef HAVE_PCAP_FINDALLDEVS_EX 197 static char *remote_interfaces_source; /* list available devices from this source and exit */ 198 #endif 199 200 /* 201 * This is exported because, in some versions of libpcap, if libpcap 202 * is built with optimizer debugging code (which is *NOT* the default 203 * configuration!), the library *imports*(!) a variable named dflag, 204 * under the expectation that tcpdump is exporting it, to govern 205 * how much debugging information to print when optimizing 206 * the generated BPF code. 207 * 208 * This is a horrible hack; newer versions of libpcap don't import 209 * dflag but, instead, *if* built with optimizer debugging code, 210 * *export* a routine to set that flag. 211 */ 212 extern int dflag; 213 int dflag; /* print filter code */ 214 static int Gflag; /* rotate dump files after this many seconds */ 215 static int Gflag_count; /* number of files created with Gflag rotation */ 216 static time_t Gflag_time; /* The last time_t the dump file was rotated. */ 217 static int Lflag; /* list available data link types and exit */ 218 static int Iflag; /* rfmon (monitor) mode */ 219 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 220 static int Jflag; /* list available time stamp types */ 221 static int jflag = -1; /* packet time stamp source */ 222 #endif 223 static int lflag; /* line-buffered output */ 224 static int pflag; /* don't go promiscuous */ 225 #ifdef HAVE_PCAP_SETDIRECTION 226 static int Qflag = -1; /* restrict captured packet by send/receive direction */ 227 #endif 228 #ifdef HAVE_PCAP_DUMP_FLUSH 229 static int Uflag; /* "unbuffered" output of dump files */ 230 #endif 231 static int Wflag; /* recycle output files after this number of files */ 232 static int WflagChars; 233 static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */ 234 static int timeout = 1000; /* default timeout = 1000 ms = 1 s */ 235 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 236 static int immediate_mode; 237 #endif 238 static int count_mode; 239 240 static int infodelay; 241 static int infoprint; 242 243 char *program_name; 244 245 /* 246 * #ifdef HAVE_CASPER 247 * cap_channel_t *capdns; 248 * #endif 249 */ 250 251 /* Forwards */ 252 static NORETURN void error(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 253 static void warning(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 254 static NORETURN void exit_tcpdump(int); 255 static void (*setsignal (int sig, void (*func)(int)))(int); 256 static void cleanup(int); 257 static void child_cleanup(int); 258 static void print_version(FILE *); 259 static void print_usage(FILE *); 260 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 261 static NORETURN void show_tstamp_types_and_exit(pcap_t *, const char *device); 262 #endif 263 static NORETURN void show_dlts_and_exit(pcap_t *, const char *device); 264 #ifdef HAVE_PCAP_FINDALLDEVS 265 static NORETURN void show_devices_and_exit(void); 266 #endif 267 #ifdef HAVE_PCAP_FINDALLDEVS_EX 268 static NORETURN void show_remote_devices_and_exit(void); 269 #endif 270 271 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 272 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *); 273 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 274 static void droproot(const char *, const char *); 275 276 #ifdef SIGNAL_REQ_INFO 277 static void requestinfo(int); 278 #endif 279 280 #ifdef SIGNAL_FLUSH_PCAP 281 static void flushpcap(int); 282 #endif 283 284 #ifdef _WIN32 285 static HANDLE timer_handle = INVALID_HANDLE_VALUE; 286 static void CALLBACK verbose_stats_dump(PVOID param, BOOLEAN timer_fired); 287 #else /* _WIN32 */ 288 static void verbose_stats_dump(int sig); 289 #endif /* _WIN32 */ 290 291 static void info(int); 292 static u_int packets_captured; 293 294 #ifdef HAVE_PCAP_FINDALLDEVS 295 static const struct tok status_flags[] = { 296 #ifdef PCAP_IF_UP 297 { PCAP_IF_UP, "Up" }, 298 #endif 299 #ifdef PCAP_IF_RUNNING 300 { PCAP_IF_RUNNING, "Running" }, 301 #endif 302 { PCAP_IF_LOOPBACK, "Loopback" }, 303 #ifdef PCAP_IF_WIRELESS 304 { PCAP_IF_WIRELESS, "Wireless" }, 305 #endif 306 { 0, NULL } 307 }; 308 #endif 309 310 static pcap_t *pd; 311 static pcap_dumper_t *pdd = NULL; 312 313 static int supports_monitor_mode; 314 315 extern int optind; 316 extern int opterr; 317 extern char *optarg; 318 319 struct dump_info { 320 char *WFileName; 321 char *CurrentFileName; 322 pcap_t *pd; 323 pcap_dumper_t *pdd; 324 netdissect_options *ndo; 325 #ifdef HAVE_CAPSICUM 326 int dirfd; 327 #endif 328 }; 329 330 #if defined(HAVE_PCAP_SET_PARSER_DEBUG) 331 /* 332 * We have pcap_set_parser_debug() in libpcap; declare it (it's not declared 333 * by any libpcap header, because it's a special hack, only available if 334 * libpcap was configured to include it, and only intended for use by 335 * libpcap developers trying to debug the parser for filter expressions). 336 */ 337 #ifdef _WIN32 338 __declspec(dllimport) 339 #else /* _WIN32 */ 340 extern 341 #endif /* _WIN32 */ 342 void pcap_set_parser_debug(int); 343 #elif defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG) 344 /* 345 * We don't have pcap_set_parser_debug() in libpcap, but we do have 346 * pcap_debug or yydebug. Make a local version of pcap_set_parser_debug() 347 * to set the flag, and define HAVE_PCAP_SET_PARSER_DEBUG. 348 */ 349 static void 350 pcap_set_parser_debug(int value) 351 { 352 #ifdef HAVE_PCAP_DEBUG 353 extern int pcap_debug; 354 355 pcap_debug = value; 356 #else /* HAVE_PCAP_DEBUG */ 357 extern int yydebug; 358 359 yydebug = value; 360 #endif /* HAVE_PCAP_DEBUG */ 361 } 362 363 #define HAVE_PCAP_SET_PARSER_DEBUG 364 #endif 365 366 #if defined(HAVE_PCAP_SET_OPTIMIZER_DEBUG) 367 /* 368 * We have pcap_set_optimizer_debug() in libpcap; declare it (it's not declared 369 * by any libpcap header, because it's a special hack, only available if 370 * libpcap was configured to include it, and only intended for use by 371 * libpcap developers trying to debug the optimizer for filter expressions). 372 */ 373 #ifdef _WIN32 374 __declspec(dllimport) 375 #else /* _WIN32 */ 376 extern 377 #endif /* _WIN32 */ 378 void pcap_set_optimizer_debug(int); 379 #endif 380 381 /* VARARGS */ 382 static void 383 error(const char *fmt, ...) 384 { 385 va_list ap; 386 387 (void)fprintf(stderr, "%s: ", program_name); 388 va_start(ap, fmt); 389 (void)vfprintf(stderr, fmt, ap); 390 va_end(ap); 391 if (*fmt) { 392 fmt += strlen(fmt); 393 if (fmt[-1] != '\n') 394 (void)fputc('\n', stderr); 395 } 396 exit_tcpdump(S_ERR_HOST_PROGRAM); 397 /* NOTREACHED */ 398 } 399 400 /* VARARGS */ 401 static void 402 warning(const char *fmt, ...) 403 { 404 va_list ap; 405 406 (void)fprintf(stderr, "%s: WARNING: ", program_name); 407 va_start(ap, fmt); 408 (void)vfprintf(stderr, fmt, ap); 409 va_end(ap); 410 if (*fmt) { 411 fmt += strlen(fmt); 412 if (fmt[-1] != '\n') 413 (void)fputc('\n', stderr); 414 } 415 } 416 417 static void 418 exit_tcpdump(int status) 419 { 420 nd_cleanup(); 421 exit(status); 422 } 423 424 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 425 static void 426 show_tstamp_types_and_exit(pcap_t *pc, const char *device) 427 { 428 int n_tstamp_types; 429 int *tstamp_types = 0; 430 const char *tstamp_type_name; 431 int i; 432 433 n_tstamp_types = pcap_list_tstamp_types(pc, &tstamp_types); 434 if (n_tstamp_types < 0) 435 error("%s", pcap_geterr(pc)); 436 437 if (n_tstamp_types == 0) { 438 fprintf(stderr, "Time stamp type cannot be set for %s\n", 439 device); 440 exit_tcpdump(S_SUCCESS); 441 } 442 fprintf(stderr, "Time stamp types for %s (use option -j to set):\n", 443 device); 444 for (i = 0; i < n_tstamp_types; i++) { 445 tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]); 446 if (tstamp_type_name != NULL) { 447 (void) fprintf(stderr, " %s (%s)\n", tstamp_type_name, 448 pcap_tstamp_type_val_to_description(tstamp_types[i])); 449 } else { 450 (void) fprintf(stderr, " %d\n", tstamp_types[i]); 451 } 452 } 453 pcap_free_tstamp_types(tstamp_types); 454 exit_tcpdump(S_SUCCESS); 455 } 456 #endif 457 458 static void 459 show_dlts_and_exit(pcap_t *pc, const char *device) 460 { 461 int n_dlts, i; 462 int *dlts = 0; 463 const char *dlt_name; 464 465 n_dlts = pcap_list_datalinks(pc, &dlts); 466 if (n_dlts < 0) 467 error("%s", pcap_geterr(pc)); 468 else if (n_dlts == 0 || !dlts) 469 error("No data link types."); 470 471 /* 472 * If the interface is known to support monitor mode, indicate 473 * whether these are the data link types available when not in 474 * monitor mode, if -I wasn't specified, or when in monitor mode, 475 * when -I was specified (the link-layer types available in 476 * monitor mode might be different from the ones available when 477 * not in monitor mode). 478 */ 479 if (supports_monitor_mode) 480 (void) fprintf(stderr, "Data link types for %s %s (use option -y to set):\n", 481 device, 482 Iflag ? "when in monitor mode" : "when not in monitor mode"); 483 else 484 (void) fprintf(stderr, "Data link types for %s (use option -y to set):\n", 485 device); 486 487 for (i = 0; i < n_dlts; i++) { 488 dlt_name = pcap_datalink_val_to_name(dlts[i]); 489 if (dlt_name != NULL) { 490 (void) fprintf(stderr, " %s (%s)", dlt_name, 491 pcap_datalink_val_to_description(dlts[i])); 492 493 /* 494 * OK, does tcpdump handle that type? 495 */ 496 if (!has_printer(dlts[i])) 497 (void) fprintf(stderr, " (printing not supported)"); 498 fprintf(stderr, "\n"); 499 } else { 500 (void) fprintf(stderr, " DLT %d (printing not supported)\n", 501 dlts[i]); 502 } 503 } 504 #ifdef HAVE_PCAP_FREE_DATALINKS 505 pcap_free_datalinks(dlts); 506 #endif 507 exit_tcpdump(S_SUCCESS); 508 } 509 510 #ifdef HAVE_PCAP_FINDALLDEVS 511 static void 512 show_devices_and_exit(void) 513 { 514 pcap_if_t *dev, *devlist; 515 char ebuf[PCAP_ERRBUF_SIZE]; 516 int i; 517 518 if (pcap_findalldevs(&devlist, ebuf) < 0) 519 error("%s", ebuf); 520 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 521 printf("%d.%s", i+1, dev->name); 522 if (dev->description != NULL) 523 printf(" (%s)", dev->description); 524 if (dev->flags != 0) { 525 printf(" ["); 526 printf("%s", bittok2str(status_flags, "none", dev->flags)); 527 #ifdef PCAP_IF_WIRELESS 528 if (dev->flags & PCAP_IF_WIRELESS) { 529 switch (dev->flags & PCAP_IF_CONNECTION_STATUS) { 530 531 case PCAP_IF_CONNECTION_STATUS_UNKNOWN: 532 printf(", Association status unknown"); 533 break; 534 535 case PCAP_IF_CONNECTION_STATUS_CONNECTED: 536 printf(", Associated"); 537 break; 538 539 case PCAP_IF_CONNECTION_STATUS_DISCONNECTED: 540 printf(", Not associated"); 541 break; 542 543 case PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE: 544 break; 545 } 546 } else { 547 switch (dev->flags & PCAP_IF_CONNECTION_STATUS) { 548 549 case PCAP_IF_CONNECTION_STATUS_UNKNOWN: 550 printf(", Connection status unknown"); 551 break; 552 553 case PCAP_IF_CONNECTION_STATUS_CONNECTED: 554 printf(", Connected"); 555 break; 556 557 case PCAP_IF_CONNECTION_STATUS_DISCONNECTED: 558 printf(", Disconnected"); 559 break; 560 561 case PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE: 562 break; 563 } 564 } 565 #endif 566 printf("]"); 567 } 568 printf("\n"); 569 } 570 pcap_freealldevs(devlist); 571 exit_tcpdump(S_SUCCESS); 572 } 573 #endif /* HAVE_PCAP_FINDALLDEVS */ 574 575 #ifdef HAVE_PCAP_FINDALLDEVS_EX 576 static void 577 show_remote_devices_and_exit(void) 578 { 579 pcap_if_t *dev, *devlist; 580 char ebuf[PCAP_ERRBUF_SIZE]; 581 int i; 582 583 if (pcap_findalldevs_ex(remote_interfaces_source, NULL, &devlist, 584 ebuf) < 0) 585 error("%s", ebuf); 586 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 587 printf("%d.%s", i+1, dev->name); 588 if (dev->description != NULL) 589 printf(" (%s)", dev->description); 590 if (dev->flags != 0) 591 printf(" [%s]", bittok2str(status_flags, "none", dev->flags)); 592 printf("\n"); 593 } 594 pcap_freealldevs(devlist); 595 exit_tcpdump(S_SUCCESS); 596 } 597 #endif /* HAVE_PCAP_FINDALLDEVS */ 598 599 /* 600 * Short options. 601 * 602 * Note that there we use all letters for short options except for g, k, 603 * o, and P, and those are used by other versions of tcpdump, and we should 604 * only use them for the same purposes that the other versions of tcpdump 605 * use them: 606 * 607 * macOS tcpdump uses -g to force non--v output for IP to be on one 608 * line, making it more "g"repable; 609 * 610 * macOS tcpdump uses -k to specify that packet comments in pcapng files 611 * should be printed; 612 * 613 * OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done 614 * for hosts sending TCP SYN packets; 615 * 616 * macOS tcpdump uses -P to indicate that -w should write pcapng rather 617 * than pcap files. 618 * 619 * macOS tcpdump also uses -Q to specify expressions that match packet 620 * metadata, including but not limited to the packet direction. 621 * The expression syntax is different from a simple "in|out|inout", 622 * and those expressions aren't accepted by macOS tcpdump, but the 623 * equivalents would be "in" = "dir=in", "out" = "dir=out", and 624 * "inout" = "dir=in or dir=out", and the parser could conceivably 625 * special-case "in", "out", and "inout" as expressions for backwards 626 * compatibility, so all is not (yet) lost. 627 */ 628 629 /* 630 * Set up flags that might or might not be supported depending on the 631 * version of libpcap we're using. 632 */ 633 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 634 #define B_FLAG "B:" 635 #define B_FLAG_USAGE " [ -B size ]" 636 #else /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 637 #define B_FLAG 638 #define B_FLAG_USAGE 639 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 640 641 #ifdef HAVE_PCAP_FINDALLDEVS 642 #define D_FLAG "D" 643 #else 644 #define D_FLAG 645 #endif 646 647 #ifdef HAVE_PCAP_CREATE 648 #define I_FLAG "I" 649 #else /* HAVE_PCAP_CREATE */ 650 #define I_FLAG 651 #endif /* HAVE_PCAP_CREATE */ 652 653 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 654 #define j_FLAG "j:" 655 #define j_FLAG_USAGE " [ -j tstamptype ]" 656 #define J_FLAG "J" 657 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 658 #define j_FLAG 659 #define j_FLAG_USAGE 660 #define J_FLAG 661 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 662 663 #ifdef USE_LIBSMI 664 #define m_FLAG_USAGE "[ -m module ] ..." 665 #endif 666 667 #ifdef HAVE_PCAP_SETDIRECTION 668 #define Q_FLAG "Q:" 669 #define Q_FLAG_USAGE " [ -Q in|out|inout ]" 670 #else 671 #define Q_FLAG 672 #define Q_FLAG_USAGE 673 #endif 674 675 #ifdef HAVE_PCAP_DUMP_FLUSH 676 #define U_FLAG "U" 677 #else 678 #define U_FLAG 679 #endif 680 681 #define SHORTOPTS "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpq" Q_FLAG "r:s:StT:u" U_FLAG "vV:w:W:xXy:Yz:Z:#" 682 683 /* 684 * Long options. 685 * 686 * We do not currently have long options corresponding to all short 687 * options; we should probably pick appropriate option names for them. 688 * 689 * However, the short options where the number of times the option is 690 * specified matters, such as -v and -d and -t, should probably not 691 * just map to a long option, as saying 692 * 693 * tcpdump --verbose --verbose 694 * 695 * doesn't make sense; it should be --verbosity={N} or something such 696 * as that. 697 * 698 * For long options with no corresponding short options, we define values 699 * outside the range of ASCII graphic characters, make that the last 700 * component of the entry for the long option, and have a case for that 701 * option in the switch statement. 702 */ 703 #define OPTION_VERSION 128 704 #define OPTION_TSTAMP_PRECISION 129 705 #define OPTION_IMMEDIATE_MODE 130 706 #define OPTION_PRINT 131 707 #define OPTION_LIST_REMOTE_INTERFACES 132 708 #define OPTION_TSTAMP_MICRO 133 709 #define OPTION_TSTAMP_NANO 134 710 #define OPTION_FP_TYPE 135 711 #define OPTION_COUNT 136 712 713 static const struct option longopts[] = { 714 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 715 { "buffer-size", required_argument, NULL, 'B' }, 716 #endif 717 { "list-interfaces", no_argument, NULL, 'D' }, 718 #ifdef HAVE_PCAP_FINDALLDEVS_EX 719 { "list-remote-interfaces", required_argument, NULL, OPTION_LIST_REMOTE_INTERFACES }, 720 #endif 721 { "help", no_argument, NULL, 'h' }, 722 { "interface", required_argument, NULL, 'i' }, 723 #ifdef HAVE_PCAP_CREATE 724 { "monitor-mode", no_argument, NULL, 'I' }, 725 #endif 726 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 727 { "time-stamp-type", required_argument, NULL, 'j' }, 728 { "list-time-stamp-types", no_argument, NULL, 'J' }, 729 #endif 730 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 731 { "micro", no_argument, NULL, OPTION_TSTAMP_MICRO}, 732 { "nano", no_argument, NULL, OPTION_TSTAMP_NANO}, 733 { "time-stamp-precision", required_argument, NULL, OPTION_TSTAMP_PRECISION}, 734 #endif 735 { "dont-verify-checksums", no_argument, NULL, 'K' }, 736 { "list-data-link-types", no_argument, NULL, 'L' }, 737 { "no-optimize", no_argument, NULL, 'O' }, 738 { "no-promiscuous-mode", no_argument, NULL, 'p' }, 739 #ifdef HAVE_PCAP_SETDIRECTION 740 { "direction", required_argument, NULL, 'Q' }, 741 #endif 742 { "snapshot-length", required_argument, NULL, 's' }, 743 { "absolute-tcp-sequence-numbers", no_argument, NULL, 'S' }, 744 #ifdef HAVE_PCAP_DUMP_FLUSH 745 { "packet-buffered", no_argument, NULL, 'U' }, 746 #endif 747 { "linktype", required_argument, NULL, 'y' }, 748 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 749 { "immediate-mode", no_argument, NULL, OPTION_IMMEDIATE_MODE }, 750 #endif 751 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 752 { "debug-filter-parser", no_argument, NULL, 'Y' }, 753 #endif 754 { "relinquish-privileges", required_argument, NULL, 'Z' }, 755 { "count", no_argument, NULL, OPTION_COUNT }, 756 { "fp-type", no_argument, NULL, OPTION_FP_TYPE }, 757 { "number", no_argument, NULL, '#' }, 758 { "print", no_argument, NULL, OPTION_PRINT }, 759 { "version", no_argument, NULL, OPTION_VERSION }, 760 { NULL, 0, NULL, 0 } 761 }; 762 763 #ifdef HAVE_PCAP_FINDALLDEVS_EX 764 #define LIST_REMOTE_INTERFACES_USAGE "[ --list-remote-interfaces remote-source ]" 765 #else 766 #define LIST_REMOTE_INTERFACES_USAGE 767 #endif 768 769 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 770 #define IMMEDIATE_MODE_USAGE " [ --immediate-mode ]" 771 #else 772 #define IMMEDIATE_MODE_USAGE "" 773 #endif 774 775 #ifndef _WIN32 776 /* Drop root privileges and chroot if necessary */ 777 static void 778 droproot(const char *username, const char *chroot_dir) 779 { 780 struct passwd *pw = NULL; 781 782 if (chroot_dir && !username) 783 error("Chroot without dropping root is insecure"); 784 785 pw = getpwnam(username); 786 if (pw) { 787 if (chroot_dir) { 788 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) 789 error("Couldn't chroot/chdir to '%.64s': %s", 790 chroot_dir, pcap_strerror(errno)); 791 } 792 #ifdef HAVE_LIBCAP_NG 793 { 794 int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG); 795 if (ret < 0) 796 error("capng_change_id(): return %d\n", ret); 797 else 798 fprintf(stderr, "dropped privs to %s\n", username); 799 } 800 #else 801 if (initgroups(pw->pw_name, pw->pw_gid) != 0 || 802 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) 803 error("Couldn't change to '%.32s' uid=%lu gid=%lu: %s", 804 username, 805 (unsigned long)pw->pw_uid, 806 (unsigned long)pw->pw_gid, 807 pcap_strerror(errno)); 808 else { 809 fprintf(stderr, "dropped privs to %s\n", username); 810 } 811 #endif /* HAVE_LIBCAP_NG */ 812 } else 813 error("Couldn't find user '%.32s'", username); 814 #ifdef HAVE_LIBCAP_NG 815 /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */ 816 DIAG_OFF_ASSIGN_ENUM 817 capng_updatev( 818 CAPNG_DROP, 819 CAPNG_EFFECTIVE | CAPNG_PERMITTED, 820 CAP_SETUID, 821 CAP_SETGID, 822 CAP_SYS_CHROOT, 823 -1); 824 DIAG_ON_ASSIGN_ENUM 825 capng_apply(CAPNG_SELECT_BOTH); 826 #endif /* HAVE_LIBCAP_NG */ 827 828 } 829 #endif /* _WIN32 */ 830 831 static int 832 getWflagChars(int x) 833 { 834 int c = 0; 835 836 x -= 1; 837 while (x > 0) { 838 c += 1; 839 x /= 10; 840 } 841 842 return c; 843 } 844 845 846 static void 847 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars) 848 { 849 char *filename = malloc(PATH_MAX + 1); 850 if (filename == NULL) 851 error("%s: malloc", __func__); 852 if (strlen(orig_name) == 0) 853 error("an empty string is not a valid file name"); 854 855 /* Process with strftime if Gflag is set. */ 856 if (Gflag != 0) { 857 struct tm *local_tm; 858 859 /* Convert Gflag_time to a usable format */ 860 if ((local_tm = localtime(&Gflag_time)) == NULL) { 861 error("%s: localtime", __func__); 862 } 863 864 /* There's no good way to detect an error in strftime since a return 865 * value of 0 isn't necessarily failure; if orig_name is an empty 866 * string, the formatted string will be empty. 867 * 868 * However, the C90 standard says that, if there *is* a 869 * buffer overflow, the content of the buffer is undefined, 870 * so we must check for a buffer overflow. 871 * 872 * So we check above for an empty orig_name, and only call 873 * strftime() if it's non-empty, in which case the return 874 * value will only be 0 if the formatted date doesn't fit 875 * in the buffer. 876 * 877 * (We check above because, even if we don't use -G, we 878 * want a better error message than "tcpdump: : No such 879 * file or directory" for this case.) 880 */ 881 if (strftime(filename, PATH_MAX, orig_name, local_tm) == 0) { 882 error("%s: strftime", __func__); 883 } 884 } else { 885 strncpy(filename, orig_name, PATH_MAX); 886 } 887 888 if (cnt == 0 && max_chars == 0) 889 strncpy(buffer, filename, PATH_MAX + 1); 890 else 891 if (snprintf(buffer, PATH_MAX + 1, "%s%0*d", filename, max_chars, cnt) > PATH_MAX) 892 /* Report an error if the filename is too large */ 893 error("too many output files or filename is too long (> %d)", PATH_MAX); 894 free(filename); 895 } 896 897 static char * 898 get_next_file(FILE *VFile, char *ptr) 899 { 900 char *ret; 901 size_t len; 902 903 ret = fgets(ptr, PATH_MAX, VFile); 904 if (!ret) 905 return NULL; 906 907 len = strlen (ptr); 908 if (len > 0 && ptr[len - 1] == '\n') 909 ptr[len - 1] = '\0'; 910 911 return ret; 912 } 913 914 #ifdef HAVE_CASPER 915 static cap_channel_t * 916 capdns_setup(void) 917 { 918 cap_channel_t *capcas, *capdnsloc; 919 const char *types[1]; 920 int families[2]; 921 922 capcas = cap_init(); 923 if (capcas == NULL) 924 error("unable to create casper process"); 925 capdnsloc = cap_service_open(capcas, "system.dns"); 926 /* Casper capability no longer needed. */ 927 cap_close(capcas); 928 if (capdnsloc == NULL) 929 error("unable to open system.dns service"); 930 /* Limit system.dns to reverse DNS lookups. */ 931 types[0] = "ADDR2NAME"; 932 if (cap_dns_type_limit(capdnsloc, types, 1) < 0) 933 error("unable to limit access to system.dns service"); 934 families[0] = AF_INET; 935 families[1] = AF_INET6; 936 if (cap_dns_family_limit(capdnsloc, families, 2) < 0) 937 error("unable to limit access to system.dns service"); 938 939 return (capdnsloc); 940 } 941 #endif /* HAVE_CASPER */ 942 943 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 944 static int 945 tstamp_precision_from_string(const char *precision) 946 { 947 if (strncmp(precision, "nano", strlen("nano")) == 0) 948 return PCAP_TSTAMP_PRECISION_NANO; 949 950 if (strncmp(precision, "micro", strlen("micro")) == 0) 951 return PCAP_TSTAMP_PRECISION_MICRO; 952 953 return -EINVAL; 954 } 955 956 static const char * 957 tstamp_precision_to_string(int precision) 958 { 959 switch (precision) { 960 961 case PCAP_TSTAMP_PRECISION_MICRO: 962 return "micro"; 963 964 case PCAP_TSTAMP_PRECISION_NANO: 965 return "nano"; 966 967 default: 968 return "unknown"; 969 } 970 } 971 #endif 972 973 #ifdef HAVE_CAPSICUM 974 /* 975 * Ensure that, on a dump file's descriptor, we have all the rights 976 * necessary to make the standard I/O library work with an fdopen()ed 977 * FILE * from that descriptor. 978 * 979 * A long time ago in a galaxy far, far away, AT&T decided that, instead 980 * of providing separate APIs for getting and setting the FD_ flags on a 981 * descriptor, getting and setting the O_ flags on a descriptor, and 982 * locking files, they'd throw them all into a kitchen-sink fcntl() call 983 * along the lines of ioctl(), the fact that ioctl() operations are 984 * largely specific to particular character devices but fcntl() operations 985 * are either generic to all descriptors or generic to all descriptors for 986 * regular files nonwithstanding. 987 * 988 * The Capsicum people decided that fine-grained control of descriptor 989 * operations was required, so that you need to grant permission for 990 * reading, writing, seeking, and fcntl-ing. The latter, courtesy of 991 * AT&T's decision, means that "fcntl-ing" isn't a thing, but a motley 992 * collection of things, so there are *individual* fcntls for which 993 * permission needs to be granted. 994 * 995 * The FreeBSD standard I/O people implemented some optimizations that 996 * requires that the standard I/O routines be able to determine whether 997 * the descriptor for the FILE * is open append-only or not; as that 998 * descriptor could have come from an open() rather than an fopen(), 999 * that requires that it be able to do an F_GETFL fcntl() to read 1000 * the O_ flags. 1001 * 1002 * Tcpdump uses ftell() to determine how much data has been written 1003 * to a file in order to, when used with -C, determine when it's time 1004 * to rotate capture files. ftell() therefore needs to do an lseek() 1005 * to find out the file offset and must, thanks to the aforementioned 1006 * optimization, also know whether the descriptor is open append-only 1007 * or not. 1008 * 1009 * The net result of all the above is that we need to grant CAP_SEEK, 1010 * CAP_WRITE, and CAP_FCNTL with the CAP_FCNTL_GETFL subcapability. 1011 * 1012 * Perhaps this is the universe's way of saying that either 1013 * 1014 * 1) there needs to be an fopenat() call and a pcap_dump_openat() call 1015 * using it, so that Capsicum-capable tcpdump wouldn't need to do 1016 * an fdopen() 1017 * 1018 * or 1019 * 1020 * 2) there needs to be a cap_fdopen() call in the FreeBSD standard 1021 * I/O library that knows what rights are needed by the standard 1022 * I/O library, based on the open mode, and assigns them, perhaps 1023 * with an additional argument indicating, for example, whether 1024 * seeking should be allowed, so that tcpdump doesn't need to know 1025 * what the standard I/O library happens to require this week. 1026 */ 1027 static void 1028 set_dumper_capsicum_rights(pcap_dumper_t *p) 1029 { 1030 int fd = fileno(pcap_dump_file(p)); 1031 cap_rights_t rights; 1032 1033 cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL); 1034 if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) { 1035 error("unable to limit dump descriptor"); 1036 } 1037 if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) { 1038 error("unable to limit dump descriptor fcntls"); 1039 } 1040 } 1041 #endif 1042 1043 /* 1044 * Copy arg vector into a new buffer, concatenating arguments with spaces. 1045 */ 1046 static char * 1047 copy_argv(char **argv) 1048 { 1049 char **p; 1050 size_t len = 0; 1051 char *buf; 1052 char *src, *dst; 1053 1054 p = argv; 1055 if (*p == NULL) 1056 return 0; 1057 1058 while (*p) 1059 len += strlen(*p++) + 1; 1060 1061 buf = (char *)malloc(len); 1062 if (buf == NULL) 1063 error("%s: malloc", __func__); 1064 1065 p = argv; 1066 dst = buf; 1067 while ((src = *p++) != NULL) { 1068 while ((*dst++ = *src++) != '\0') 1069 ; 1070 dst[-1] = ' '; 1071 } 1072 dst[-1] = '\0'; 1073 1074 return buf; 1075 } 1076 1077 /* 1078 * On Windows, we need to open the file in binary mode, so that 1079 * we get all the bytes specified by the size we get from "fstat()". 1080 * On UNIX, that's not necessary. O_BINARY is defined on Windows; 1081 * we define it as 0 if it's not defined, so it does nothing. 1082 */ 1083 #ifndef O_BINARY 1084 #define O_BINARY 0 1085 #endif 1086 1087 static char * 1088 read_infile(char *fname) 1089 { 1090 int i, fd; 1091 ssize_t cc; 1092 char *cp; 1093 our_statb buf; 1094 1095 fd = open(fname, O_RDONLY|O_BINARY); 1096 if (fd < 0) 1097 error("can't open %s: %s", fname, pcap_strerror(errno)); 1098 1099 if (our_fstat(fd, &buf) < 0) 1100 error("can't stat %s: %s", fname, pcap_strerror(errno)); 1101 1102 /* 1103 * Reject files whose size doesn't fit into an int; a filter 1104 * *that* large will probably be too big. 1105 */ 1106 if (buf.st_size > INT_MAX) 1107 error("%s is too large", fname); 1108 1109 cp = malloc((u_int)buf.st_size + 1); 1110 if (cp == NULL) 1111 error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, 1112 fname, pcap_strerror(errno)); 1113 cc = read(fd, cp, (u_int)buf.st_size); 1114 if (cc < 0) 1115 error("read %s: %s", fname, pcap_strerror(errno)); 1116 if (cc != buf.st_size) 1117 error("short read %s (%d != %d)", fname, (int) cc, 1118 (int)buf.st_size); 1119 1120 close(fd); 1121 /* replace "# comment" with spaces */ 1122 for (i = 0; i < cc; i++) { 1123 if (cp[i] == '#') 1124 while (i < cc && cp[i] != '\n') 1125 cp[i++] = ' '; 1126 } 1127 cp[cc] = '\0'; 1128 return (cp); 1129 } 1130 1131 #ifdef HAVE_PCAP_FINDALLDEVS 1132 static long 1133 parse_interface_number(const char *device) 1134 { 1135 const char *p; 1136 long devnum; 1137 char *end; 1138 1139 /* 1140 * Search for a colon, terminating any scheme at the beginning 1141 * of the device. 1142 */ 1143 p = strchr(device, ':'); 1144 if (p != NULL) { 1145 /* 1146 * We found it. Is it followed by "//"? 1147 */ 1148 p++; /* skip the : */ 1149 if (strncmp(p, "//", 2) == 0) { 1150 /* 1151 * Yes. Search for the next /, at the end of the 1152 * authority part of the URL. 1153 */ 1154 p += 2; /* skip the // */ 1155 p = strchr(p, '/'); 1156 if (p != NULL) { 1157 /* 1158 * OK, past the / is the path. 1159 */ 1160 device = p + 1; 1161 } 1162 } 1163 } 1164 devnum = strtol(device, &end, 10); 1165 if (device != end && *end == '\0') { 1166 /* 1167 * It's all-numeric, but is it a valid number? 1168 */ 1169 if (devnum <= 0) { 1170 /* 1171 * No, it's not an ordinal. 1172 */ 1173 error("Invalid adapter index"); 1174 } 1175 return (devnum); 1176 } else { 1177 /* 1178 * It's not all-numeric; return -1, so our caller 1179 * knows that. 1180 */ 1181 return (-1); 1182 } 1183 } 1184 1185 static char * 1186 find_interface_by_number(const char *url 1187 #ifndef HAVE_PCAP_FINDALLDEVS_EX 1188 _U_ 1189 #endif 1190 , long devnum) 1191 { 1192 pcap_if_t *dev, *devlist; 1193 long i; 1194 char ebuf[PCAP_ERRBUF_SIZE]; 1195 char *device; 1196 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1197 const char *endp; 1198 char *host_url; 1199 #endif 1200 int status; 1201 1202 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1203 /* 1204 * Search for a colon, terminating any scheme at the beginning 1205 * of the URL. 1206 */ 1207 endp = strchr(url, ':'); 1208 if (endp != NULL) { 1209 /* 1210 * We found it. Is it followed by "//"? 1211 */ 1212 endp++; /* skip the : */ 1213 if (strncmp(endp, "//", 2) == 0) { 1214 /* 1215 * Yes. Search for the next /, at the end of the 1216 * authority part of the URL. 1217 */ 1218 endp += 2; /* skip the // */ 1219 endp = strchr(endp, '/'); 1220 } else 1221 endp = NULL; 1222 } 1223 if (endp != NULL) { 1224 /* 1225 * OK, everything from device to endp is a URL to hand 1226 * to pcap_findalldevs_ex(). 1227 */ 1228 endp++; /* Include the trailing / in the URL; pcap_findalldevs_ex() requires it */ 1229 host_url = malloc(endp - url + 1); 1230 if (host_url == NULL && (endp - url + 1) > 0) 1231 error("Invalid allocation for host"); 1232 1233 memcpy(host_url, url, endp - url); 1234 host_url[endp - url] = '\0'; 1235 status = pcap_findalldevs_ex(host_url, NULL, &devlist, ebuf); 1236 free(host_url); 1237 } else 1238 #endif 1239 status = pcap_findalldevs(&devlist, ebuf); 1240 if (status < 0) 1241 error("%s", ebuf); 1242 /* 1243 * Look for the devnum-th entry in the list of devices (1-based). 1244 */ 1245 for (i = 0, dev = devlist; i < devnum-1 && dev != NULL; 1246 i++, dev = dev->next) 1247 ; 1248 if (dev == NULL) 1249 error("Invalid adapter index"); 1250 device = strdup(dev->name); 1251 pcap_freealldevs(devlist); 1252 return (device); 1253 } 1254 #endif 1255 1256 #ifdef HAVE_PCAP_OPEN 1257 /* 1258 * Prefixes for rpcap URLs. 1259 */ 1260 static char rpcap_prefix[] = "rpcap://"; 1261 static char rpcap_ssl_prefix[] = "rpcaps://"; 1262 #endif 1263 1264 static pcap_t * 1265 open_interface(const char *device, netdissect_options *ndo, char *ebuf) 1266 { 1267 pcap_t *pc; 1268 #ifdef HAVE_PCAP_CREATE 1269 int status; 1270 char *cp; 1271 #endif 1272 1273 #ifdef HAVE_PCAP_OPEN 1274 /* 1275 * Is this an rpcap URL? 1276 */ 1277 if (strncmp(device, rpcap_prefix, sizeof(rpcap_prefix) - 1) == 0 || 1278 strncmp(device, rpcap_ssl_prefix, sizeof(rpcap_ssl_prefix) - 1) == 0) { 1279 /* 1280 * Yes. Open it with pcap_open(). 1281 */ 1282 *ebuf = '\0'; 1283 pc = pcap_open(device, ndo->ndo_snaplen, 1284 pflag ? 0 : PCAP_OPENFLAG_PROMISCUOUS, timeout, NULL, 1285 ebuf); 1286 if (pc == NULL) { 1287 /* 1288 * If this failed with "No such device" or "The system 1289 * cannot find the device specified", that means 1290 * the interface doesn't exist; return NULL, so that 1291 * the caller can see whether the device name is 1292 * actually an interface index. 1293 */ 1294 if (strstr(ebuf, "No such device") != NULL || 1295 strstr(ebuf, "The system cannot find the device specified") != NULL) 1296 return (NULL); 1297 error("%s", ebuf); 1298 } 1299 if (*ebuf) 1300 warning("%s", ebuf); 1301 return (pc); 1302 } 1303 #endif /* HAVE_PCAP_OPEN */ 1304 1305 #ifdef HAVE_PCAP_CREATE 1306 pc = pcap_create(device, ebuf); 1307 if (pc == NULL) { 1308 /* 1309 * If this failed with "No such device", that means 1310 * the interface doesn't exist; return NULL, so that 1311 * the caller can see whether the device name is 1312 * actually an interface index. 1313 */ 1314 if (strstr(ebuf, "No such device") != NULL) 1315 return (NULL); 1316 error("%s", ebuf); 1317 } 1318 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1319 if (Jflag) 1320 show_tstamp_types_and_exit(pc, device); 1321 #endif 1322 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1323 status = pcap_set_tstamp_precision(pc, ndo->ndo_tstamp_precision); 1324 if (status != 0) 1325 error("%s: Can't set %ssecond time stamp precision: %s", 1326 device, 1327 tstamp_precision_to_string(ndo->ndo_tstamp_precision), 1328 pcap_statustostr(status)); 1329 #endif 1330 1331 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1332 if (immediate_mode) { 1333 status = pcap_set_immediate_mode(pc, 1); 1334 if (status != 0) 1335 error("%s: Can't set immediate mode: %s", 1336 device, pcap_statustostr(status)); 1337 } 1338 #endif 1339 /* 1340 * Is this an interface that supports monitor mode? 1341 */ 1342 if (pcap_can_set_rfmon(pc) == 1) 1343 supports_monitor_mode = 1; 1344 else 1345 supports_monitor_mode = 0; 1346 if (ndo->ndo_snaplen != 0) { 1347 /* 1348 * A snapshot length was explicitly specified; 1349 * use it. 1350 */ 1351 status = pcap_set_snaplen(pc, ndo->ndo_snaplen); 1352 if (status != 0) 1353 error("%s: Can't set snapshot length: %s", 1354 device, pcap_statustostr(status)); 1355 } 1356 status = pcap_set_promisc(pc, !pflag); 1357 if (status != 0) 1358 error("%s: Can't set promiscuous mode: %s", 1359 device, pcap_statustostr(status)); 1360 if (Iflag) { 1361 status = pcap_set_rfmon(pc, 1); 1362 if (status != 0) 1363 error("%s: Can't set monitor mode: %s", 1364 device, pcap_statustostr(status)); 1365 } 1366 status = pcap_set_timeout(pc, timeout); 1367 if (status != 0) 1368 error("%s: pcap_set_timeout failed: %s", 1369 device, pcap_statustostr(status)); 1370 if (Bflag != 0) { 1371 status = pcap_set_buffer_size(pc, Bflag); 1372 if (status != 0) 1373 error("%s: Can't set buffer size: %s", 1374 device, pcap_statustostr(status)); 1375 } 1376 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1377 if (jflag != -1) { 1378 status = pcap_set_tstamp_type(pc, jflag); 1379 if (status < 0) 1380 error("%s: Can't set time stamp type: %s", 1381 device, pcap_statustostr(status)); 1382 else if (status > 0) 1383 warning("When trying to set timestamp type '%s' on %s: %s", 1384 pcap_tstamp_type_val_to_name(jflag), device, 1385 pcap_statustostr(status)); 1386 } 1387 #endif 1388 status = pcap_activate(pc); 1389 if (status < 0) { 1390 /* 1391 * pcap_activate() failed. 1392 */ 1393 cp = pcap_geterr(pc); 1394 if (status == PCAP_ERROR) 1395 error("%s", cp); 1396 else if (status == PCAP_ERROR_NO_SUCH_DEVICE) { 1397 /* 1398 * Return an error for our caller to handle. 1399 */ 1400 snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s\n(%s)", 1401 device, pcap_statustostr(status), cp); 1402 } else if (status == PCAP_ERROR_PERM_DENIED && *cp != '\0') 1403 error("%s: %s\n(%s)", device, 1404 pcap_statustostr(status), cp); 1405 #ifdef __FreeBSD__ 1406 else if (status == PCAP_ERROR_RFMON_NOTSUP && 1407 strncmp(device, "wlan", 4) == 0) { 1408 char parent[8], newdev[8]; 1409 char sysctl[32]; 1410 size_t s = sizeof(parent); 1411 1412 snprintf(sysctl, sizeof(sysctl), 1413 "net.wlan.%d.%%parent", atoi(device + 4)); 1414 sysctlbyname(sysctl, parent, &s, NULL, 0); 1415 strlcpy(newdev, device, sizeof(newdev)); 1416 /* Suggest a new wlan device. */ 1417 /* FIXME: incrementing the index this way is not going to work well 1418 * when the index is 9 or greater but the only consequence in this 1419 * specific case would be an error message that looks a bit odd. 1420 */ 1421 newdev[strlen(newdev)-1]++; 1422 error("%s is not a monitor mode VAP\n" 1423 "To create a new monitor mode VAP use:\n" 1424 " ifconfig %s create wlandev %s wlanmode monitor\n" 1425 "and use %s as the tcpdump interface", 1426 device, newdev, parent, newdev); 1427 } 1428 #endif 1429 else 1430 error("%s: %s", device, 1431 pcap_statustostr(status)); 1432 pcap_close(pc); 1433 return (NULL); 1434 } else if (status > 0) { 1435 /* 1436 * pcap_activate() succeeded, but it's warning us 1437 * of a problem it had. 1438 */ 1439 cp = pcap_geterr(pc); 1440 if (status == PCAP_WARNING) 1441 warning("%s", cp); 1442 else if (status == PCAP_WARNING_PROMISC_NOTSUP && 1443 *cp != '\0') 1444 warning("%s: %s\n(%s)", device, 1445 pcap_statustostr(status), cp); 1446 else 1447 warning("%s: %s", device, 1448 pcap_statustostr(status)); 1449 } 1450 #ifdef HAVE_PCAP_SETDIRECTION 1451 if (Qflag != -1) { 1452 status = pcap_setdirection(pc, Qflag); 1453 if (status != 0) 1454 error("%s: pcap_setdirection() failed: %s", 1455 device, pcap_geterr(pc)); 1456 } 1457 #endif /* HAVE_PCAP_SETDIRECTION */ 1458 #else /* HAVE_PCAP_CREATE */ 1459 *ebuf = '\0'; 1460 /* 1461 * If no snapshot length was specified, or a length of 0 was 1462 * specified, default to 256KB. 1463 */ 1464 if (ndo->ndo_snaplen == 0) 1465 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 1466 pc = pcap_open_live(device, ndo->ndo_snaplen, !pflag, timeout, ebuf); 1467 if (pc == NULL) { 1468 /* 1469 * If this failed with "No such device", that means 1470 * the interface doesn't exist; return NULL, so that 1471 * the caller can see whether the device name is 1472 * actually an interface index. 1473 */ 1474 if (strstr(ebuf, "No such device") != NULL) 1475 return (NULL); 1476 error("%s", ebuf); 1477 } 1478 if (*ebuf) 1479 warning("%s", ebuf); 1480 #endif /* HAVE_PCAP_CREATE */ 1481 1482 return (pc); 1483 } 1484 1485 int 1486 main(int argc, char **argv) 1487 { 1488 int cnt, op, i; 1489 bpf_u_int32 localnet = 0, netmask = 0; 1490 char *cp, *infile, *cmdbuf, *device, *RFileName, *VFileName, *WFileName; 1491 char *endp; 1492 pcap_handler callback; 1493 int dlt; 1494 const char *dlt_name; 1495 struct bpf_program fcode; 1496 #ifndef _WIN32 1497 void (*oldhandler)(int); 1498 #endif 1499 struct dump_info dumpinfo; 1500 u_char *pcap_userdata; 1501 char ebuf[PCAP_ERRBUF_SIZE]; 1502 char VFileLine[PATH_MAX + 1]; 1503 const char *username = NULL; 1504 #ifndef _WIN32 1505 const char *chroot_dir = NULL; 1506 #endif 1507 char *ret = NULL; 1508 char *end; 1509 #ifdef HAVE_PCAP_FINDALLDEVS 1510 pcap_if_t *devlist; 1511 long devnum; 1512 #endif 1513 int status; 1514 FILE *VFile; 1515 #ifdef HAVE_CAPSICUM 1516 cap_rights_t rights; 1517 int cansandbox; 1518 #endif /* HAVE_CAPSICUM */ 1519 int Oflag = 1; /* run filter code optimizer */ 1520 int yflag_dlt = -1; 1521 const char *yflag_dlt_name = NULL; 1522 int print = 0; 1523 1524 netdissect_options Ndo; 1525 netdissect_options *ndo = &Ndo; 1526 1527 /* 1528 * Initialize the netdissect code. 1529 */ 1530 if (nd_init(ebuf, sizeof(ebuf)) == -1) 1531 error("%s", ebuf); 1532 1533 memset(ndo, 0, sizeof(*ndo)); 1534 ndo_set_function_pointers(ndo); 1535 1536 cnt = -1; 1537 device = NULL; 1538 infile = NULL; 1539 RFileName = NULL; 1540 VFileName = NULL; 1541 VFile = NULL; 1542 WFileName = NULL; 1543 dlt = -1; 1544 if ((cp = strrchr(argv[0], PATH_SEPARATOR)) != NULL) 1545 ndo->program_name = program_name = cp + 1; 1546 else 1547 ndo->program_name = program_name = argv[0]; 1548 1549 #if defined(HAVE_PCAP_WSOCKINIT) 1550 if (pcap_wsockinit() != 0) 1551 error("Attempting to initialize Winsock failed"); 1552 #elif defined(HAVE_WSOCKINIT) 1553 if (wsockinit() != 0) 1554 error("Attempting to initialize Winsock failed"); 1555 #endif 1556 1557 /* 1558 * On platforms where the CPU doesn't support unaligned loads, 1559 * force unaligned accesses to abort with SIGBUS, rather than 1560 * being fixed up (slowly) by the OS kernel; on those platforms, 1561 * misaligned accesses are bugs, and we want tcpdump to crash so 1562 * that the bugs are reported. 1563 */ 1564 if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0) 1565 error("%s", ebuf); 1566 1567 tzset(); 1568 1569 while ( 1570 (op = getopt_long(argc, argv, SHORTOPTS, longopts, NULL)) != -1) 1571 switch (op) { 1572 1573 case 'a': 1574 /* compatibility for old -a */ 1575 break; 1576 1577 case 'A': 1578 ++ndo->ndo_Aflag; 1579 break; 1580 1581 case 'b': 1582 ++ndo->ndo_bflag; 1583 break; 1584 1585 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 1586 case 'B': 1587 Bflag = atoi(optarg)*1024; 1588 if (Bflag <= 0) 1589 error("invalid packet buffer size %s", optarg); 1590 break; 1591 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 1592 1593 case 'c': 1594 cnt = atoi(optarg); 1595 if (cnt <= 0) 1596 error("invalid packet count %s", optarg); 1597 break; 1598 1599 case 'C': 1600 errno = 0; 1601 #ifdef HAVE_PCAP_DUMP_FTELL64 1602 Cflag = strtoint64_t(optarg, &endp, 10); 1603 #else 1604 Cflag = strtol(optarg, &endp, 10); 1605 #endif 1606 if (endp == optarg || *endp != '\0' || errno != 0 1607 || Cflag <= 0) 1608 error("invalid file size %s", optarg); 1609 /* 1610 * Will multiplying it by 1000000 overflow? 1611 */ 1612 #ifdef HAVE_PCAP_DUMP_FTELL64 1613 if (Cflag > INT64_T_CONSTANT(0x7fffffffffffffff) / 1000000) 1614 #else 1615 if (Cflag > LONG_MAX / 1000000) 1616 #endif 1617 error("file size %s is too large", optarg); 1618 Cflag *= 1000000; 1619 break; 1620 1621 case 'd': 1622 ++dflag; 1623 break; 1624 1625 #ifdef HAVE_PCAP_FINDALLDEVS 1626 case 'D': 1627 Dflag++; 1628 break; 1629 #endif 1630 1631 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1632 case OPTION_LIST_REMOTE_INTERFACES: 1633 remote_interfaces_source = optarg; 1634 break; 1635 #endif 1636 1637 case 'L': 1638 Lflag++; 1639 break; 1640 1641 case 'e': 1642 ++ndo->ndo_eflag; 1643 break; 1644 1645 case 'E': 1646 #ifndef HAVE_LIBCRYPTO 1647 warning("crypto code not compiled in"); 1648 #endif 1649 ndo->ndo_espsecret = optarg; 1650 break; 1651 1652 case 'f': 1653 ++ndo->ndo_fflag; 1654 break; 1655 1656 case 'F': 1657 infile = optarg; 1658 break; 1659 1660 case 'G': 1661 Gflag = atoi(optarg); 1662 if (Gflag < 0) 1663 error("invalid number of seconds %s", optarg); 1664 1665 /* We will create one file initially. */ 1666 Gflag_count = 0; 1667 1668 /* Grab the current time for rotation use. */ 1669 if ((Gflag_time = time(NULL)) == (time_t)-1) { 1670 error("%s: can't get current time: %s", 1671 __func__, pcap_strerror(errno)); 1672 } 1673 break; 1674 1675 case 'h': 1676 print_usage(stdout); 1677 exit_tcpdump(S_SUCCESS); 1678 break; 1679 1680 case 'H': 1681 ++ndo->ndo_Hflag; 1682 break; 1683 1684 case 'i': 1685 device = optarg; 1686 break; 1687 1688 #ifdef HAVE_PCAP_CREATE 1689 case 'I': 1690 ++Iflag; 1691 break; 1692 #endif /* HAVE_PCAP_CREATE */ 1693 1694 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1695 case 'j': 1696 jflag = pcap_tstamp_type_name_to_val(optarg); 1697 if (jflag < 0) 1698 error("invalid time stamp type %s", optarg); 1699 break; 1700 1701 case 'J': 1702 Jflag++; 1703 break; 1704 #endif 1705 1706 case 'l': 1707 #ifdef _WIN32 1708 /* 1709 * _IOLBF is the same as _IOFBF in Microsoft's C 1710 * libraries; the only alternative they offer 1711 * is _IONBF. 1712 * 1713 * XXX - this should really be checking for MSVC++, 1714 * not _WIN32, if, for example, MinGW has its own 1715 * C library that is more UNIX-compatible. 1716 */ 1717 setvbuf(stdout, NULL, _IONBF, 0); 1718 #else /* _WIN32 */ 1719 #ifdef HAVE_SETLINEBUF 1720 setlinebuf(stdout); 1721 #else 1722 setvbuf(stdout, NULL, _IOLBF, 0); 1723 #endif 1724 #endif /* _WIN32 */ 1725 lflag = 1; 1726 break; 1727 1728 case 'K': 1729 ++ndo->ndo_Kflag; 1730 break; 1731 1732 case 'm': 1733 if (nd_have_smi_support()) { 1734 if (nd_load_smi_module(optarg, ebuf, sizeof(ebuf)) == -1) 1735 error("%s", ebuf); 1736 } else { 1737 (void)fprintf(stderr, "%s: ignoring option `-m %s' ", 1738 program_name, optarg); 1739 (void)fprintf(stderr, "(no libsmi support)\n"); 1740 } 1741 break; 1742 1743 case 'M': 1744 /* TCP-MD5 shared secret */ 1745 #ifndef HAVE_LIBCRYPTO 1746 warning("crypto code not compiled in"); 1747 #endif 1748 ndo->ndo_sigsecret = optarg; 1749 break; 1750 1751 case 'n': 1752 ++ndo->ndo_nflag; 1753 break; 1754 1755 case 'N': 1756 ++ndo->ndo_Nflag; 1757 break; 1758 1759 case 'O': 1760 Oflag = 0; 1761 break; 1762 1763 case 'p': 1764 ++pflag; 1765 break; 1766 1767 case 'q': 1768 ++ndo->ndo_qflag; 1769 ++ndo->ndo_suppress_default_print; 1770 break; 1771 1772 #ifdef HAVE_PCAP_SETDIRECTION 1773 case 'Q': 1774 if (ascii_strcasecmp(optarg, "in") == 0) 1775 Qflag = PCAP_D_IN; 1776 else if (ascii_strcasecmp(optarg, "out") == 0) 1777 Qflag = PCAP_D_OUT; 1778 else if (ascii_strcasecmp(optarg, "inout") == 0) 1779 Qflag = PCAP_D_INOUT; 1780 else 1781 error("unknown capture direction `%s'", optarg); 1782 break; 1783 #endif /* HAVE_PCAP_SETDIRECTION */ 1784 1785 case 'r': 1786 RFileName = optarg; 1787 break; 1788 1789 case 's': 1790 ndo->ndo_snaplen = (int)strtol(optarg, &end, 0); 1791 if (optarg == end || *end != '\0' 1792 || ndo->ndo_snaplen < 0 || ndo->ndo_snaplen > MAXIMUM_SNAPLEN) 1793 error("invalid snaplen %s (must be >= 0 and <= %d)", 1794 optarg, MAXIMUM_SNAPLEN); 1795 break; 1796 1797 case 'S': 1798 ++ndo->ndo_Sflag; 1799 break; 1800 1801 case 't': 1802 ++ndo->ndo_tflag; 1803 break; 1804 1805 case 'T': 1806 if (ascii_strcasecmp(optarg, "vat") == 0) 1807 ndo->ndo_packettype = PT_VAT; 1808 else if (ascii_strcasecmp(optarg, "wb") == 0) 1809 ndo->ndo_packettype = PT_WB; 1810 else if (ascii_strcasecmp(optarg, "rpc") == 0) 1811 ndo->ndo_packettype = PT_RPC; 1812 else if (ascii_strcasecmp(optarg, "rtp") == 0) 1813 ndo->ndo_packettype = PT_RTP; 1814 else if (ascii_strcasecmp(optarg, "rtcp") == 0) 1815 ndo->ndo_packettype = PT_RTCP; 1816 else if (ascii_strcasecmp(optarg, "snmp") == 0) 1817 ndo->ndo_packettype = PT_SNMP; 1818 else if (ascii_strcasecmp(optarg, "cnfp") == 0) 1819 ndo->ndo_packettype = PT_CNFP; 1820 else if (ascii_strcasecmp(optarg, "tftp") == 0) 1821 ndo->ndo_packettype = PT_TFTP; 1822 else if (ascii_strcasecmp(optarg, "aodv") == 0) 1823 ndo->ndo_packettype = PT_AODV; 1824 else if (ascii_strcasecmp(optarg, "carp") == 0) 1825 ndo->ndo_packettype = PT_CARP; 1826 else if (ascii_strcasecmp(optarg, "radius") == 0) 1827 ndo->ndo_packettype = PT_RADIUS; 1828 else if (ascii_strcasecmp(optarg, "zmtp1") == 0) 1829 ndo->ndo_packettype = PT_ZMTP1; 1830 else if (ascii_strcasecmp(optarg, "vxlan") == 0) 1831 ndo->ndo_packettype = PT_VXLAN; 1832 else if (ascii_strcasecmp(optarg, "pgm") == 0) 1833 ndo->ndo_packettype = PT_PGM; 1834 else if (ascii_strcasecmp(optarg, "pgm_zmtp1") == 0) 1835 ndo->ndo_packettype = PT_PGM_ZMTP1; 1836 else if (ascii_strcasecmp(optarg, "lmp") == 0) 1837 ndo->ndo_packettype = PT_LMP; 1838 else if (ascii_strcasecmp(optarg, "resp") == 0) 1839 ndo->ndo_packettype = PT_RESP; 1840 else if (ascii_strcasecmp(optarg, "ptp") == 0) 1841 ndo->ndo_packettype = PT_PTP; 1842 else if (ascii_strcasecmp(optarg, "someip") == 0) 1843 ndo->ndo_packettype = PT_SOMEIP; 1844 else if (ascii_strcasecmp(optarg, "domain") == 0) 1845 ndo->ndo_packettype = PT_DOMAIN; 1846 else 1847 error("unknown packet type `%s'", optarg); 1848 break; 1849 1850 case 'u': 1851 ++ndo->ndo_uflag; 1852 break; 1853 1854 #ifdef HAVE_PCAP_DUMP_FLUSH 1855 case 'U': 1856 ++Uflag; 1857 break; 1858 #endif 1859 1860 case 'v': 1861 ++ndo->ndo_vflag; 1862 break; 1863 1864 case 'V': 1865 VFileName = optarg; 1866 break; 1867 1868 case 'w': 1869 WFileName = optarg; 1870 break; 1871 1872 case 'W': 1873 Wflag = atoi(optarg); 1874 if (Wflag <= 0) 1875 error("invalid number of output files %s", optarg); 1876 WflagChars = getWflagChars(Wflag); 1877 break; 1878 1879 case 'x': 1880 ++ndo->ndo_xflag; 1881 ++ndo->ndo_suppress_default_print; 1882 break; 1883 1884 case 'X': 1885 ++ndo->ndo_Xflag; 1886 ++ndo->ndo_suppress_default_print; 1887 break; 1888 1889 case 'y': 1890 yflag_dlt_name = optarg; 1891 yflag_dlt = 1892 pcap_datalink_name_to_val(yflag_dlt_name); 1893 if (yflag_dlt < 0) 1894 error("invalid data link type %s", yflag_dlt_name); 1895 break; 1896 1897 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 1898 case 'Y': 1899 { 1900 /* Undocumented flag */ 1901 pcap_set_parser_debug(1); 1902 } 1903 break; 1904 #endif 1905 case 'z': 1906 zflag = optarg; 1907 break; 1908 1909 case 'Z': 1910 username = optarg; 1911 break; 1912 1913 case '#': 1914 ndo->ndo_packet_number = 1; 1915 break; 1916 1917 case OPTION_VERSION: 1918 print_version(stdout); 1919 exit_tcpdump(S_SUCCESS); 1920 break; 1921 1922 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1923 case OPTION_TSTAMP_PRECISION: 1924 ndo->ndo_tstamp_precision = tstamp_precision_from_string(optarg); 1925 if (ndo->ndo_tstamp_precision < 0) 1926 error("unsupported time stamp precision"); 1927 break; 1928 #endif 1929 1930 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1931 case OPTION_IMMEDIATE_MODE: 1932 immediate_mode = 1; 1933 break; 1934 #endif 1935 1936 case OPTION_PRINT: 1937 print = 1; 1938 break; 1939 1940 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1941 case OPTION_TSTAMP_MICRO: 1942 ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO; 1943 break; 1944 1945 case OPTION_TSTAMP_NANO: 1946 ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_NANO; 1947 break; 1948 #endif 1949 1950 case OPTION_FP_TYPE: 1951 /* 1952 * Print out the type of floating-point arithmetic 1953 * we're doing; it's probably IEEE, unless somebody 1954 * tries to run this on a VAX, but the precision 1955 * may differ (e.g., it might be 32-bit, 64-bit, 1956 * or 80-bit). 1957 */ 1958 float_type_check(0x4e93312d); 1959 return 0; 1960 1961 case OPTION_COUNT: 1962 count_mode = 1; 1963 break; 1964 1965 default: 1966 print_usage(stderr); 1967 exit_tcpdump(S_ERR_HOST_PROGRAM); 1968 /* NOTREACHED */ 1969 } 1970 1971 #ifdef HAVE_PCAP_FINDALLDEVS 1972 if (Dflag) 1973 show_devices_and_exit(); 1974 #endif 1975 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1976 if (remote_interfaces_source != NULL) 1977 show_remote_devices_and_exit(); 1978 #endif 1979 1980 #if defined(DLT_LINUX_SLL2) && defined(HAVE_PCAP_SET_DATALINK) 1981 /* Set default linktype DLT_LINUX_SLL2 when capturing on the "any" device */ 1982 if (device != NULL && 1983 strncmp (device, "any", strlen("any")) == 0 1984 && yflag_dlt == -1) 1985 yflag_dlt = DLT_LINUX_SLL2; 1986 #endif 1987 1988 switch (ndo->ndo_tflag) { 1989 1990 case 0: /* Default */ 1991 case 1: /* No time stamp */ 1992 case 2: /* Unix timeval style */ 1993 case 3: /* Microseconds/nanoseconds since previous packet */ 1994 case 4: /* Date + Default */ 1995 case 5: /* Microseconds/nanoseconds since first packet */ 1996 break; 1997 1998 default: /* Not supported */ 1999 error("only -t, -tt, -ttt, -tttt and -ttttt are supported"); 2000 break; 2001 } 2002 2003 if (ndo->ndo_fflag != 0 && (VFileName != NULL || RFileName != NULL)) 2004 error("-f can not be used with -V or -r"); 2005 2006 if (VFileName != NULL && RFileName != NULL) 2007 error("-V and -r are mutually exclusive."); 2008 2009 /* 2010 * If we're printing dissected packets to the standard output, 2011 * and either the standard output is a terminal or we're doing 2012 * "line" buffering, set the capture timeout to .1 second rather 2013 * than 1 second, as the user's probably expecting to see packets 2014 * pop up immediately shortly after they arrive. 2015 * 2016 * XXX - would there be some value appropriate for all cases, 2017 * based on, say, the buffer size and packet input rate? 2018 */ 2019 if ((WFileName == NULL || print) && (isatty(1) || lflag)) 2020 timeout = 100; 2021 2022 #ifdef WITH_CHROOT 2023 /* if run as root, prepare for chrooting */ 2024 if (getuid() == 0 || geteuid() == 0) { 2025 /* future extensibility for cmd-line arguments */ 2026 if (!chroot_dir) 2027 chroot_dir = WITH_CHROOT; 2028 } 2029 #endif 2030 2031 #ifdef WITH_USER 2032 /* if run as root, prepare for dropping root privileges */ 2033 if (getuid() == 0 || geteuid() == 0) { 2034 /* Run with '-Z root' to restore old behaviour */ 2035 if (!username) 2036 username = WITH_USER; 2037 } 2038 #endif 2039 2040 if (RFileName != NULL || VFileName != NULL) { 2041 /* 2042 * If RFileName is non-null, it's the pathname of a 2043 * savefile to read. If VFileName is non-null, it's 2044 * the pathname of a file containing a list of pathnames 2045 * (one per line) of savefiles to read. 2046 * 2047 * In either case, we're reading a savefile, not doing 2048 * a live capture. 2049 */ 2050 #ifndef _WIN32 2051 /* 2052 * We don't need network access, so relinquish any set-UID 2053 * or set-GID privileges we have (if any). 2054 * 2055 * We do *not* want set-UID privileges when opening a 2056 * trace file, as that might let the user read other 2057 * people's trace files (especially if we're set-UID 2058 * root). 2059 */ 2060 if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ) 2061 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 2062 #endif /* _WIN32 */ 2063 if (VFileName != NULL) { 2064 if (VFileName[0] == '-' && VFileName[1] == '\0') 2065 VFile = stdin; 2066 else 2067 VFile = fopen(VFileName, "r"); 2068 2069 if (VFile == NULL) 2070 error("Unable to open file: %s\n", pcap_strerror(errno)); 2071 2072 ret = get_next_file(VFile, VFileLine); 2073 if (!ret) 2074 error("Nothing in %s\n", VFileName); 2075 RFileName = VFileLine; 2076 } 2077 2078 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 2079 pd = pcap_open_offline_with_tstamp_precision(RFileName, 2080 ndo->ndo_tstamp_precision, ebuf); 2081 #else 2082 pd = pcap_open_offline(RFileName, ebuf); 2083 #endif 2084 2085 if (pd == NULL) 2086 error("%s", ebuf); 2087 #ifdef HAVE_CAPSICUM 2088 cap_rights_init(&rights, CAP_READ); 2089 if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 && 2090 errno != ENOSYS) { 2091 error("unable to limit pcap descriptor"); 2092 } 2093 #endif 2094 dlt = pcap_datalink(pd); 2095 dlt_name = pcap_datalink_val_to_name(dlt); 2096 fprintf(stderr, "reading from file %s", RFileName); 2097 if (dlt_name == NULL) { 2098 fprintf(stderr, ", link-type %u", dlt); 2099 } else { 2100 fprintf(stderr, ", link-type %s (%s)", dlt_name, 2101 pcap_datalink_val_to_description(dlt)); 2102 } 2103 fprintf(stderr, ", snapshot length %d\n", pcap_snapshot(pd)); 2104 #ifdef DLT_LINUX_SLL2 2105 if (dlt == DLT_LINUX_SLL2) 2106 fprintf(stderr, "Warning: interface names might be incorrect\n"); 2107 #endif 2108 } else if (dflag && !device) { 2109 int dump_dlt = DLT_EN10MB; 2110 /* 2111 * We're dumping the compiled code without an explicit 2112 * device specification. (If a device is specified, we 2113 * definitely want to open it to use the DLT of that device.) 2114 * Either default to DLT_EN10MB with a warning, or use 2115 * the user-specified value if supplied. 2116 */ 2117 /* 2118 * If no snapshot length was specified, or a length of 0 was 2119 * specified, default to 256KB. 2120 */ 2121 if (ndo->ndo_snaplen == 0) 2122 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 2123 /* 2124 * If a DLT was specified with the -y flag, use that instead. 2125 */ 2126 if (yflag_dlt != -1) 2127 dump_dlt = yflag_dlt; 2128 else 2129 fprintf(stderr, "Warning: assuming Ethernet\n"); 2130 pd = pcap_open_dead(dump_dlt, ndo->ndo_snaplen); 2131 } else { 2132 /* 2133 * We're doing a live capture. 2134 */ 2135 if (device == NULL) { 2136 /* 2137 * No interface was specified. Pick one. 2138 */ 2139 #ifdef HAVE_PCAP_FINDALLDEVS 2140 /* 2141 * Find the list of interfaces, and pick 2142 * the first interface. 2143 */ 2144 if (pcap_findalldevs(&devlist, ebuf) == -1) 2145 error("%s", ebuf); 2146 if (devlist == NULL) 2147 error("no interfaces available for capture"); 2148 device = strdup(devlist->name); 2149 pcap_freealldevs(devlist); 2150 #else /* HAVE_PCAP_FINDALLDEVS */ 2151 /* 2152 * Use whatever interface pcap_lookupdev() 2153 * chooses. 2154 */ 2155 device = pcap_lookupdev(ebuf); 2156 if (device == NULL) 2157 error("%s", ebuf); 2158 #endif 2159 } 2160 2161 /* 2162 * Try to open the interface with the specified name. 2163 */ 2164 pd = open_interface(device, ndo, ebuf); 2165 if (pd == NULL) { 2166 /* 2167 * That failed. If we can get a list of 2168 * interfaces, and the interface name 2169 * is purely numeric, try to use it as 2170 * a 1-based index in the list of 2171 * interfaces. 2172 */ 2173 #ifdef HAVE_PCAP_FINDALLDEVS 2174 devnum = parse_interface_number(device); 2175 if (devnum == -1) { 2176 /* 2177 * It's not a number; just report 2178 * the open error and fail. 2179 */ 2180 error("%s", ebuf); 2181 } 2182 2183 /* 2184 * OK, it's a number; try to find the 2185 * interface with that index, and try 2186 * to open it. 2187 * 2188 * find_interface_by_number() exits if it 2189 * couldn't be found. 2190 */ 2191 device = find_interface_by_number(device, devnum); 2192 pd = open_interface(device, ndo, ebuf); 2193 if (pd == NULL) 2194 error("%s", ebuf); 2195 #else /* HAVE_PCAP_FINDALLDEVS */ 2196 /* 2197 * We can't get a list of interfaces; just 2198 * fail. 2199 */ 2200 error("%s", ebuf); 2201 #endif /* HAVE_PCAP_FINDALLDEVS */ 2202 } 2203 2204 /* 2205 * Let user own process after capture device has 2206 * been opened. 2207 */ 2208 #ifndef _WIN32 2209 if (setgid(getgid()) != 0 || setuid(getuid()) != 0) 2210 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 2211 #endif /* _WIN32 */ 2212 #if !defined(HAVE_PCAP_CREATE) && defined(_WIN32) 2213 if(Bflag != 0) 2214 if(pcap_setbuff(pd, Bflag)==-1){ 2215 error("%s", pcap_geterr(pd)); 2216 } 2217 #endif /* !defined(HAVE_PCAP_CREATE) && defined(_WIN32) */ 2218 if (Lflag) 2219 show_dlts_and_exit(pd, device); 2220 if (yflag_dlt >= 0) { 2221 #ifdef HAVE_PCAP_SET_DATALINK 2222 if (pcap_set_datalink(pd, yflag_dlt) < 0) 2223 error("%s", pcap_geterr(pd)); 2224 #else 2225 /* 2226 * We don't actually support changing the 2227 * data link type, so we only let them 2228 * set it to what it already is. 2229 */ 2230 if (yflag_dlt != pcap_datalink(pd)) { 2231 error("%s is not one of the DLTs supported by this device\n", 2232 yflag_dlt_name); 2233 } 2234 #endif 2235 (void)fprintf(stderr, "%s: data link type %s\n", 2236 program_name, 2237 pcap_datalink_val_to_name(yflag_dlt)); 2238 (void)fflush(stderr); 2239 } 2240 i = pcap_snapshot(pd); 2241 if (ndo->ndo_snaplen < i) { 2242 if (ndo->ndo_snaplen != 0) 2243 warning("snaplen raised from %d to %d", ndo->ndo_snaplen, i); 2244 ndo->ndo_snaplen = i; 2245 } else if (ndo->ndo_snaplen > i) { 2246 warning("snaplen lowered from %d to %d", ndo->ndo_snaplen, i); 2247 ndo->ndo_snaplen = i; 2248 } 2249 if(ndo->ndo_fflag != 0) { 2250 if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) { 2251 warning("foreign (-f) flag used but: %s", ebuf); 2252 } 2253 } 2254 2255 } 2256 if (infile) 2257 cmdbuf = read_infile(infile); 2258 else 2259 cmdbuf = copy_argv(&argv[optind]); 2260 2261 #ifdef HAVE_PCAP_SET_OPTIMIZER_DEBUG 2262 pcap_set_optimizer_debug(dflag); 2263 #endif 2264 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2265 error("%s", pcap_geterr(pd)); 2266 if (dflag) { 2267 bpf_dump(&fcode, dflag); 2268 pcap_close(pd); 2269 free(cmdbuf); 2270 pcap_freecode(&fcode); 2271 exit_tcpdump(S_SUCCESS); 2272 } 2273 2274 #ifdef HAVE_CASPER 2275 if (!ndo->ndo_nflag) 2276 capdns = capdns_setup(); 2277 #endif /* HAVE_CASPER */ 2278 2279 init_print(ndo, localnet, netmask); 2280 2281 #ifndef _WIN32 2282 (void)setsignal(SIGPIPE, cleanup); 2283 (void)setsignal(SIGTERM, cleanup); 2284 #endif /* _WIN32 */ 2285 (void)setsignal(SIGINT, cleanup); 2286 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2287 (void)setsignal(SIGCHLD, child_cleanup); 2288 #endif 2289 /* Cooperate with nohup(1) */ 2290 #ifndef _WIN32 2291 if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL) 2292 (void)setsignal(SIGHUP, oldhandler); 2293 #endif /* _WIN32 */ 2294 2295 #ifndef _WIN32 2296 /* 2297 * If a user name was specified with "-Z", attempt to switch to 2298 * that user's UID. This would probably be used with sudo, 2299 * to allow tcpdump to be run in a special restricted 2300 * account (if you just want to allow users to open capture 2301 * devices, and can't just give users that permission, 2302 * you'd make tcpdump set-UID or set-GID). 2303 * 2304 * Tcpdump doesn't necessarily write only to one savefile; 2305 * the general only way to allow a -Z instance to write to 2306 * savefiles as the user under whose UID it's run, rather 2307 * than as the user specified with -Z, would thus be to switch 2308 * to the original user ID before opening a capture file and 2309 * then switch back to the -Z user ID after opening the savefile. 2310 * Switching to the -Z user ID only after opening the first 2311 * savefile doesn't handle the general case. 2312 */ 2313 2314 if (getuid() == 0 || geteuid() == 0) { 2315 #ifdef HAVE_LIBCAP_NG 2316 /* Initialize capng */ 2317 capng_clear(CAPNG_SELECT_BOTH); 2318 if (username) { 2319 DIAG_OFF_ASSIGN_ENUM 2320 capng_updatev( 2321 CAPNG_ADD, 2322 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2323 CAP_SETUID, 2324 CAP_SETGID, 2325 -1); 2326 DIAG_ON_ASSIGN_ENUM 2327 } 2328 if (chroot_dir) { 2329 DIAG_OFF_ASSIGN_ENUM 2330 capng_update( 2331 CAPNG_ADD, 2332 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2333 CAP_SYS_CHROOT 2334 ); 2335 DIAG_ON_ASSIGN_ENUM 2336 } 2337 2338 if (WFileName) { 2339 DIAG_OFF_ASSIGN_ENUM 2340 capng_update( 2341 CAPNG_ADD, 2342 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2343 CAP_DAC_OVERRIDE 2344 ); 2345 DIAG_ON_ASSIGN_ENUM 2346 } 2347 capng_apply(CAPNG_SELECT_BOTH); 2348 #endif /* HAVE_LIBCAP_NG */ 2349 if (username || chroot_dir) 2350 droproot(username, chroot_dir); 2351 2352 } 2353 #endif /* _WIN32 */ 2354 2355 if (pcap_setfilter(pd, &fcode) < 0) 2356 error("%s", pcap_geterr(pd)); 2357 #ifdef HAVE_CAPSICUM 2358 if (RFileName == NULL && VFileName == NULL && pcap_fileno(pd) != -1) { 2359 static const unsigned long cmds[] = { BIOCGSTATS, BIOCROTZBUF }; 2360 2361 /* 2362 * The various libpcap devices use a combination of 2363 * read (bpf), ioctl (bpf, netmap), poll (netmap) 2364 * so we add the relevant access rights. 2365 */ 2366 cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT); 2367 if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 && 2368 errno != ENOSYS) { 2369 error("unable to limit pcap descriptor"); 2370 } 2371 if (cap_ioctls_limit(pcap_fileno(pd), cmds, 2372 sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) { 2373 error("unable to limit ioctls on pcap descriptor"); 2374 } 2375 } 2376 #endif 2377 if (WFileName) { 2378 /* Do not exceed the default PATH_MAX for files. */ 2379 dumpinfo.CurrentFileName = (char *)malloc(PATH_MAX + 1); 2380 2381 if (dumpinfo.CurrentFileName == NULL) 2382 error("malloc of dumpinfo.CurrentFileName"); 2383 2384 /* We do not need numbering for dumpfiles if Cflag isn't set. */ 2385 if (Cflag != 0) 2386 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars); 2387 else 2388 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0); 2389 2390 pdd = pcap_dump_open(pd, dumpinfo.CurrentFileName); 2391 #ifdef HAVE_LIBCAP_NG 2392 /* Give up CAP_DAC_OVERRIDE capability. 2393 * Only allow it to be restored if the -C or -G flag have been 2394 * set since we may need to create more files later on. 2395 */ 2396 capng_update( 2397 CAPNG_DROP, 2398 (Cflag || Gflag ? 0 : CAPNG_PERMITTED) 2399 | CAPNG_EFFECTIVE, 2400 CAP_DAC_OVERRIDE 2401 ); 2402 capng_apply(CAPNG_SELECT_BOTH); 2403 #endif /* HAVE_LIBCAP_NG */ 2404 if (pdd == NULL) 2405 error("%s", pcap_geterr(pd)); 2406 #ifdef HAVE_CAPSICUM 2407 set_dumper_capsicum_rights(pdd); 2408 #endif 2409 if (Cflag != 0 || Gflag != 0) { 2410 #ifdef HAVE_CAPSICUM 2411 /* 2412 * basename() and dirname() may modify their input buffer 2413 * and they do since FreeBSD 12.0, but they didn't before. 2414 * Hence use the return value only, but always assume the 2415 * input buffer has been modified and would need to be 2416 * reset before the next use. 2417 */ 2418 char *WFileName_copy; 2419 2420 if ((WFileName_copy = strdup(WFileName)) == NULL) { 2421 error("Unable to allocate memory for file %s", 2422 WFileName); 2423 } 2424 DIAG_OFF_C11_EXTENSIONS 2425 dumpinfo.WFileName = strdup(basename(WFileName_copy)); 2426 DIAG_ON_C11_EXTENSIONS 2427 if (dumpinfo.WFileName == NULL) { 2428 error("Unable to allocate memory for file %s", 2429 WFileName); 2430 } 2431 free(WFileName_copy); 2432 2433 if ((WFileName_copy = strdup(WFileName)) == NULL) { 2434 error("Unable to allocate memory for file %s", 2435 WFileName); 2436 } 2437 DIAG_OFF_C11_EXTENSIONS 2438 char *WFileName_dirname = dirname(WFileName_copy); 2439 DIAG_ON_C11_EXTENSIONS 2440 dumpinfo.dirfd = open(WFileName_dirname, 2441 O_DIRECTORY | O_RDONLY); 2442 if (dumpinfo.dirfd < 0) { 2443 error("unable to open directory %s", 2444 WFileName_dirname); 2445 } 2446 free(WFileName_dirname); 2447 free(WFileName_copy); 2448 2449 cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, 2450 CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE); 2451 if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 && 2452 errno != ENOSYS) { 2453 error("unable to limit directory rights"); 2454 } 2455 if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 && 2456 errno != ENOSYS) { 2457 error("unable to limit dump descriptor fcntls"); 2458 } 2459 #else /* !HAVE_CAPSICUM */ 2460 dumpinfo.WFileName = WFileName; 2461 #endif 2462 callback = dump_packet_and_trunc; 2463 dumpinfo.pd = pd; 2464 dumpinfo.pdd = pdd; 2465 pcap_userdata = (u_char *)&dumpinfo; 2466 } else { 2467 callback = dump_packet; 2468 dumpinfo.WFileName = WFileName; 2469 dumpinfo.pd = pd; 2470 dumpinfo.pdd = pdd; 2471 pcap_userdata = (u_char *)&dumpinfo; 2472 } 2473 if (print) { 2474 dlt = pcap_datalink(pd); 2475 ndo->ndo_if_printer = get_if_printer(dlt); 2476 dumpinfo.ndo = ndo; 2477 } else 2478 dumpinfo.ndo = NULL; 2479 2480 #ifdef HAVE_PCAP_DUMP_FLUSH 2481 if (Uflag) 2482 pcap_dump_flush(pdd); 2483 #endif 2484 } else { 2485 dlt = pcap_datalink(pd); 2486 ndo->ndo_if_printer = get_if_printer(dlt); 2487 callback = print_packet; 2488 pcap_userdata = (u_char *)ndo; 2489 } 2490 2491 #ifdef SIGNAL_REQ_INFO 2492 /* 2493 * We can't get statistics when reading from a file rather 2494 * than capturing from a device. 2495 */ 2496 if (RFileName == NULL) 2497 (void)setsignal(SIGNAL_REQ_INFO, requestinfo); 2498 #endif 2499 #ifdef SIGNAL_FLUSH_PCAP 2500 (void)setsignal(SIGNAL_FLUSH_PCAP, flushpcap); 2501 #endif 2502 2503 if (ndo->ndo_vflag > 0 && WFileName && RFileName == NULL && !print) { 2504 /* 2505 * When capturing to a file, if "--print" wasn't specified, 2506 *"-v" means tcpdump should, once per second, 2507 * "v"erbosely report the number of packets captured. 2508 * Except when reading from a file, because -r, -w and -v 2509 * together used to make a corner case, in which pcap_loop() 2510 * errored due to EINTR (see GH #155 for details). 2511 */ 2512 #ifdef _WIN32 2513 /* 2514 * https://blogs.msdn.microsoft.com/oldnewthing/20151230-00/?p=92741 2515 * 2516 * suggests that this dates back to W2K. 2517 * 2518 * I don't know what a "long wait" is, but we'll assume 2519 * that printing the stats could be a "long wait". 2520 */ 2521 CreateTimerQueueTimer(&timer_handle, NULL, 2522 verbose_stats_dump, NULL, 1000, 1000, 2523 WT_EXECUTEDEFAULT|WT_EXECUTELONGFUNCTION); 2524 setvbuf(stderr, NULL, _IONBF, 0); 2525 #else /* _WIN32 */ 2526 /* 2527 * Assume this is UN*X, and that it has setitimer(); that 2528 * dates back to UNIX 95. 2529 */ 2530 struct itimerval timer; 2531 (void)setsignal(SIGALRM, verbose_stats_dump); 2532 timer.it_interval.tv_sec = 1; 2533 timer.it_interval.tv_usec = 0; 2534 timer.it_value.tv_sec = 1; 2535 timer.it_value.tv_usec = 1; 2536 setitimer(ITIMER_REAL, &timer, NULL); 2537 #endif /* _WIN32 */ 2538 } 2539 2540 if (RFileName == NULL) { 2541 /* 2542 * Live capture (if -V was specified, we set RFileName 2543 * to a file from the -V file). Print a message to 2544 * the standard error on UN*X. 2545 */ 2546 if (!ndo->ndo_vflag && !WFileName) { 2547 (void)fprintf(stderr, 2548 "%s: verbose output suppressed, use -v[v]... for full protocol decode\n", 2549 program_name); 2550 } else 2551 (void)fprintf(stderr, "%s: ", program_name); 2552 dlt = pcap_datalink(pd); 2553 dlt_name = pcap_datalink_val_to_name(dlt); 2554 (void)fprintf(stderr, "listening on %s", device); 2555 if (dlt_name == NULL) { 2556 (void)fprintf(stderr, ", link-type %u", dlt); 2557 } else { 2558 (void)fprintf(stderr, ", link-type %s (%s)", dlt_name, 2559 pcap_datalink_val_to_description(dlt)); 2560 } 2561 (void)fprintf(stderr, ", snapshot length %d bytes\n", ndo->ndo_snaplen); 2562 (void)fflush(stderr); 2563 } 2564 2565 #ifdef HAVE_CAPSICUM 2566 cansandbox = (VFileName == NULL && zflag == NULL && 2567 ndo->ndo_espsecret == NULL); 2568 #ifdef HAVE_CASPER 2569 cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL)); 2570 #else 2571 cansandbox = (cansandbox && ndo->ndo_nflag); 2572 #endif /* HAVE_CASPER */ 2573 cansandbox = (cansandbox && (pcap_fileno(pd) != -1 || 2574 RFileName != NULL)); 2575 2576 if (cansandbox && cap_enter() < 0 && errno != ENOSYS) 2577 error("unable to enter the capability mode"); 2578 #endif /* HAVE_CAPSICUM */ 2579 2580 do { 2581 status = pcap_loop(pd, cnt, callback, pcap_userdata); 2582 if (WFileName == NULL) { 2583 /* 2584 * We're printing packets. Flush the printed output, 2585 * so it doesn't get intermingled with error output. 2586 */ 2587 if (status == -2) { 2588 /* 2589 * We got interrupted, so perhaps we didn't 2590 * manage to finish a line we were printing. 2591 * Print an extra newline, just in case. 2592 */ 2593 putchar('\n'); 2594 } 2595 (void)fflush(stdout); 2596 } 2597 if (status == -2) { 2598 /* 2599 * We got interrupted. If we are reading multiple 2600 * files (via -V) set these so that we stop. 2601 */ 2602 VFileName = NULL; 2603 ret = NULL; 2604 } 2605 if (status == -1) { 2606 /* 2607 * Error. Report it. 2608 */ 2609 (void)fprintf(stderr, "%s: pcap_loop: %s\n", 2610 program_name, pcap_geterr(pd)); 2611 } 2612 if (RFileName == NULL) { 2613 /* 2614 * We're doing a live capture. Report the capture 2615 * statistics. 2616 */ 2617 info(1); 2618 } 2619 pcap_close(pd); 2620 if (VFileName != NULL) { 2621 ret = get_next_file(VFile, VFileLine); 2622 if (ret) { 2623 int new_dlt; 2624 2625 RFileName = VFileLine; 2626 pd = pcap_open_offline(RFileName, ebuf); 2627 if (pd == NULL) 2628 error("%s", ebuf); 2629 #ifdef HAVE_CAPSICUM 2630 cap_rights_init(&rights, CAP_READ); 2631 if (cap_rights_limit(fileno(pcap_file(pd)), 2632 &rights) < 0 && errno != ENOSYS) { 2633 error("unable to limit pcap descriptor"); 2634 } 2635 #endif 2636 new_dlt = pcap_datalink(pd); 2637 if (new_dlt != dlt) { 2638 /* 2639 * The new file has a different 2640 * link-layer header type from the 2641 * previous one. 2642 */ 2643 if (WFileName != NULL) { 2644 /* 2645 * We're writing raw packets 2646 * that match the filter to 2647 * a pcap file. pcap files 2648 * don't support multiple 2649 * different link-layer 2650 * header types, so we fail 2651 * here. 2652 */ 2653 error("%s: new dlt does not match original", RFileName); 2654 } 2655 2656 /* 2657 * We're printing the decoded packets; 2658 * switch to the new DLT. 2659 * 2660 * To do that, we need to change 2661 * the printer, change the DLT name, 2662 * and recompile the filter with 2663 * the new DLT. 2664 */ 2665 dlt = new_dlt; 2666 ndo->ndo_if_printer = get_if_printer(dlt); 2667 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2668 error("%s", pcap_geterr(pd)); 2669 } 2670 2671 /* 2672 * Set the filter on the new file. 2673 */ 2674 if (pcap_setfilter(pd, &fcode) < 0) 2675 error("%s", pcap_geterr(pd)); 2676 2677 /* 2678 * Report the new file. 2679 */ 2680 dlt_name = pcap_datalink_val_to_name(dlt); 2681 fprintf(stderr, "reading from file %s", RFileName); 2682 if (dlt_name == NULL) { 2683 fprintf(stderr, ", link-type %u", dlt); 2684 } else { 2685 fprintf(stderr, ", link-type %s (%s)", 2686 dlt_name, 2687 pcap_datalink_val_to_description(dlt)); 2688 } 2689 fprintf(stderr, ", snapshot length %d\n", pcap_snapshot(pd)); 2690 } 2691 } 2692 } 2693 while (ret != NULL); 2694 2695 if (count_mode && RFileName != NULL) 2696 fprintf(stdout, "%u packet%s\n", packets_captured, 2697 PLURAL_SUFFIX(packets_captured)); 2698 2699 free(cmdbuf); 2700 pcap_freecode(&fcode); 2701 exit_tcpdump(status == -1 ? S_ERR_HOST_PROGRAM : S_SUCCESS); 2702 } 2703 2704 /* 2705 * Catch a signal. 2706 */ 2707 static void 2708 (*setsignal (int sig, void (*func)(int)))(int) 2709 { 2710 #ifdef _WIN32 2711 return (signal(sig, func)); 2712 #else 2713 struct sigaction old, new; 2714 2715 memset(&new, 0, sizeof(new)); 2716 new.sa_handler = func; 2717 if ((sig == SIGCHLD) 2718 # ifdef SIGNAL_REQ_INFO 2719 || (sig == SIGNAL_REQ_INFO) 2720 # endif 2721 # ifdef SIGNAL_FLUSH_PCAP 2722 || (sig == SIGNAL_FLUSH_PCAP) 2723 # endif 2724 ) 2725 new.sa_flags = SA_RESTART; 2726 if (sigaction(sig, &new, &old) < 0) 2727 return (SIG_ERR); 2728 return (old.sa_handler); 2729 #endif 2730 } 2731 2732 /* make a clean exit on interrupts */ 2733 static void 2734 cleanup(int signo _U_) 2735 { 2736 #ifdef _WIN32 2737 if (timer_handle != INVALID_HANDLE_VALUE) { 2738 DeleteTimerQueueTimer(NULL, timer_handle, NULL); 2739 CloseHandle(timer_handle); 2740 timer_handle = INVALID_HANDLE_VALUE; 2741 } 2742 #else /* _WIN32 */ 2743 struct itimerval timer; 2744 2745 timer.it_interval.tv_sec = 0; 2746 timer.it_interval.tv_usec = 0; 2747 timer.it_value.tv_sec = 0; 2748 timer.it_value.tv_usec = 0; 2749 setitimer(ITIMER_REAL, &timer, NULL); 2750 #endif /* _WIN32 */ 2751 2752 #ifdef HAVE_PCAP_BREAKLOOP 2753 /* 2754 * We have "pcap_breakloop()"; use it, so that we do as little 2755 * as possible in the signal handler (it's probably not safe 2756 * to do anything with standard I/O streams in a signal handler - 2757 * the ANSI C standard doesn't say it is). 2758 */ 2759 pcap_breakloop(pd); 2760 #else 2761 /* 2762 * We don't have "pcap_breakloop()"; this isn't safe, but 2763 * it's the best we can do. Print the summary if we're 2764 * not reading from a savefile - i.e., if we're doing a 2765 * live capture - and exit. 2766 */ 2767 if (pd != NULL && pcap_file(pd) == NULL) { 2768 /* 2769 * We got interrupted, so perhaps we didn't 2770 * manage to finish a line we were printing. 2771 * Print an extra newline, just in case. 2772 */ 2773 putchar('\n'); 2774 (void)fflush(stdout); 2775 info(1); 2776 } 2777 exit_tcpdump(S_SUCCESS); 2778 #endif 2779 } 2780 2781 /* 2782 On windows, we do not use a fork, so we do not care less about 2783 waiting a child processes to die 2784 */ 2785 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2786 static void 2787 child_cleanup(int signo _U_) 2788 { 2789 wait(NULL); 2790 } 2791 #endif /* HAVE_FORK && HAVE_VFORK */ 2792 2793 static void 2794 info(int verbose) 2795 { 2796 struct pcap_stat stats; 2797 2798 /* 2799 * Older versions of libpcap didn't set ps_ifdrop on some 2800 * platforms; initialize it to 0 to handle that. 2801 */ 2802 stats.ps_ifdrop = 0; 2803 if (pcap_stats(pd, &stats) < 0) { 2804 (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd)); 2805 infoprint = 0; 2806 return; 2807 } 2808 2809 if (!verbose) 2810 fprintf(stderr, "%s: ", program_name); 2811 2812 (void)fprintf(stderr, "%u packet%s captured", packets_captured, 2813 PLURAL_SUFFIX(packets_captured)); 2814 if (!verbose) 2815 fputs(", ", stderr); 2816 else 2817 putc('\n', stderr); 2818 (void)fprintf(stderr, "%u packet%s received by filter", stats.ps_recv, 2819 PLURAL_SUFFIX(stats.ps_recv)); 2820 if (!verbose) 2821 fputs(", ", stderr); 2822 else 2823 putc('\n', stderr); 2824 (void)fprintf(stderr, "%u packet%s dropped by kernel", stats.ps_drop, 2825 PLURAL_SUFFIX(stats.ps_drop)); 2826 if (stats.ps_ifdrop != 0) { 2827 if (!verbose) 2828 fputs(", ", stderr); 2829 else 2830 putc('\n', stderr); 2831 (void)fprintf(stderr, "%u packet%s dropped by interface\n", 2832 stats.ps_ifdrop, PLURAL_SUFFIX(stats.ps_ifdrop)); 2833 } else 2834 putc('\n', stderr); 2835 infoprint = 0; 2836 } 2837 2838 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2839 #ifdef HAVE_FORK 2840 #define fork_subprocess() fork() 2841 #else 2842 #define fork_subprocess() vfork() 2843 #endif 2844 static void 2845 compress_savefile(const char *filename) 2846 { 2847 pid_t child; 2848 2849 child = fork_subprocess(); 2850 if (child == -1) { 2851 fprintf(stderr, 2852 "compress_savefile: fork failed: %s\n", 2853 pcap_strerror(errno)); 2854 return; 2855 } 2856 if (child != 0) { 2857 /* Parent process. */ 2858 return; 2859 } 2860 2861 /* 2862 * Child process. 2863 * Set to lowest priority so that this doesn't disturb the capture. 2864 */ 2865 #ifdef NZERO 2866 setpriority(PRIO_PROCESS, 0, NZERO - 1); 2867 #else 2868 setpriority(PRIO_PROCESS, 0, 19); 2869 #endif 2870 if (execlp(zflag, zflag, filename, (char *)NULL) == -1) 2871 fprintf(stderr, 2872 "compress_savefile: execlp(%s, %s) failed: %s\n", 2873 zflag, 2874 filename, 2875 pcap_strerror(errno)); 2876 #ifdef HAVE_FORK 2877 exit(S_ERR_HOST_PROGRAM); 2878 #else 2879 _exit(S_ERR_HOST_PROGRAM); 2880 #endif 2881 } 2882 #else /* HAVE_FORK && HAVE_VFORK */ 2883 static void 2884 compress_savefile(const char *filename) 2885 { 2886 fprintf(stderr, 2887 "compress_savefile failed. Functionality not implemented under your system\n"); 2888 } 2889 #endif /* HAVE_FORK && HAVE_VFORK */ 2890 2891 static void 2892 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 2893 { 2894 struct dump_info *dump_info; 2895 2896 ++packets_captured; 2897 2898 ++infodelay; 2899 2900 dump_info = (struct dump_info *)user; 2901 2902 /* 2903 * XXX - this won't force the file to rotate on the specified time 2904 * boundary, but it will rotate on the first packet received after the 2905 * specified Gflag number of seconds. Note: if a Gflag time boundary 2906 * and a Cflag size boundary coincide, the time rotation will occur 2907 * first thereby cancelling the Cflag boundary (since the file should 2908 * be 0). 2909 */ 2910 if (Gflag != 0) { 2911 /* Check if it is time to rotate */ 2912 time_t t; 2913 2914 /* Get the current time */ 2915 if ((t = time(NULL)) == (time_t)-1) { 2916 error("%s: can't get current_time: %s", 2917 __func__, pcap_strerror(errno)); 2918 } 2919 2920 2921 /* If the time is greater than the specified window, rotate */ 2922 if (t - Gflag_time >= Gflag) { 2923 #ifdef HAVE_CAPSICUM 2924 FILE *fp; 2925 int fd; 2926 #endif 2927 2928 /* Update the Gflag_time */ 2929 Gflag_time = t; 2930 /* Update Gflag_count */ 2931 Gflag_count++; 2932 /* 2933 * Close the current file and open a new one. 2934 */ 2935 pcap_dump_close(dump_info->pdd); 2936 2937 /* 2938 * Compress the file we just closed, if the user asked for it 2939 */ 2940 if (zflag != NULL) 2941 compress_savefile(dump_info->CurrentFileName); 2942 2943 /* 2944 * Check to see if we've exceeded the Wflag (when 2945 * not using Cflag). 2946 */ 2947 if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) { 2948 (void)fprintf(stderr, "Maximum file limit reached: %d\n", 2949 Wflag); 2950 info(1); 2951 exit_tcpdump(S_SUCCESS); 2952 /* NOTREACHED */ 2953 } 2954 if (dump_info->CurrentFileName != NULL) 2955 free(dump_info->CurrentFileName); 2956 /* Allocate space for max filename + \0. */ 2957 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 2958 if (dump_info->CurrentFileName == NULL) 2959 error("dump_packet_and_trunc: malloc"); 2960 /* 2961 * Gflag was set otherwise we wouldn't be here. Reset the count 2962 * so multiple files would end with 1,2,3 in the filename. 2963 * The counting is handled with the -C flow after this. 2964 */ 2965 Cflag_count = 0; 2966 2967 /* 2968 * This is always the first file in the Cflag 2969 * rotation: e.g. 0 2970 * We also don't need numbering if Cflag is not set. 2971 */ 2972 if (Cflag != 0) 2973 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 2974 WflagChars); 2975 else 2976 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0); 2977 2978 #ifdef HAVE_LIBCAP_NG 2979 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2980 capng_apply(CAPNG_SELECT_BOTH); 2981 #endif /* HAVE_LIBCAP_NG */ 2982 #ifdef HAVE_CAPSICUM 2983 fd = openat(dump_info->dirfd, 2984 dump_info->CurrentFileName, 2985 O_CREAT | O_WRONLY | O_TRUNC, 0644); 2986 if (fd < 0) { 2987 error("unable to open file %s", 2988 dump_info->CurrentFileName); 2989 } 2990 fp = fdopen(fd, "w"); 2991 if (fp == NULL) { 2992 error("unable to fdopen file %s", 2993 dump_info->CurrentFileName); 2994 } 2995 dump_info->pdd = pcap_dump_fopen(dump_info->pd, fp); 2996 #else /* !HAVE_CAPSICUM */ 2997 dump_info->pdd = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 2998 #endif 2999 #ifdef HAVE_LIBCAP_NG 3000 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3001 capng_apply(CAPNG_SELECT_BOTH); 3002 #endif /* HAVE_LIBCAP_NG */ 3003 if (dump_info->pdd == NULL) 3004 error("%s", pcap_geterr(pd)); 3005 #ifdef HAVE_CAPSICUM 3006 set_dumper_capsicum_rights(dump_info->pdd); 3007 #endif 3008 } 3009 } 3010 3011 /* 3012 * XXX - this won't prevent capture files from getting 3013 * larger than Cflag - the last packet written to the 3014 * file could put it over Cflag. 3015 */ 3016 if (Cflag != 0) { 3017 #ifdef HAVE_PCAP_DUMP_FTELL64 3018 int64_t size = pcap_dump_ftell64(dump_info->pdd); 3019 #else 3020 /* 3021 * XXX - this only handles a Cflag value > 2^31-1 on 3022 * LP64 platforms; to handle ILP32 (32-bit UN*X and 3023 * Windows) or LLP64 (64-bit Windows) would require 3024 * a version of libpcap with pcap_dump_ftell64(). 3025 */ 3026 long size = pcap_dump_ftell(dump_info->pdd); 3027 #endif 3028 3029 if (size == -1) 3030 error("ftell fails on output file"); 3031 if (size > Cflag) { 3032 #ifdef HAVE_CAPSICUM 3033 FILE *fp; 3034 int fd; 3035 #endif 3036 3037 /* 3038 * Close the current file and open a new one. 3039 */ 3040 pcap_dump_close(dump_info->pdd); 3041 3042 /* 3043 * Compress the file we just closed, if the user 3044 * asked for it. 3045 */ 3046 if (zflag != NULL) 3047 compress_savefile(dump_info->CurrentFileName); 3048 3049 Cflag_count++; 3050 if (Wflag > 0) { 3051 if (Cflag_count >= Wflag) 3052 Cflag_count = 0; 3053 } 3054 if (dump_info->CurrentFileName != NULL) 3055 free(dump_info->CurrentFileName); 3056 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 3057 if (dump_info->CurrentFileName == NULL) 3058 error("%s: malloc", __func__); 3059 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars); 3060 #ifdef HAVE_LIBCAP_NG 3061 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3062 capng_apply(CAPNG_SELECT_BOTH); 3063 #endif /* HAVE_LIBCAP_NG */ 3064 #ifdef HAVE_CAPSICUM 3065 fd = openat(dump_info->dirfd, dump_info->CurrentFileName, 3066 O_CREAT | O_WRONLY | O_TRUNC, 0644); 3067 if (fd < 0) { 3068 error("unable to open file %s", 3069 dump_info->CurrentFileName); 3070 } 3071 fp = fdopen(fd, "w"); 3072 if (fp == NULL) { 3073 error("unable to fdopen file %s", 3074 dump_info->CurrentFileName); 3075 } 3076 dump_info->pdd = pcap_dump_fopen(dump_info->pd, fp); 3077 #else /* !HAVE_CAPSICUM */ 3078 dump_info->pdd = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 3079 #endif 3080 #ifdef HAVE_LIBCAP_NG 3081 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3082 capng_apply(CAPNG_SELECT_BOTH); 3083 #endif /* HAVE_LIBCAP_NG */ 3084 if (dump_info->pdd == NULL) 3085 error("%s", pcap_geterr(pd)); 3086 #ifdef HAVE_CAPSICUM 3087 set_dumper_capsicum_rights(dump_info->pdd); 3088 #endif 3089 } 3090 } 3091 3092 pcap_dump((u_char *)dump_info->pdd, h, sp); 3093 #ifdef HAVE_PCAP_DUMP_FLUSH 3094 if (Uflag) 3095 pcap_dump_flush(dump_info->pdd); 3096 #endif 3097 3098 if (dump_info->ndo != NULL) 3099 pretty_print_packet(dump_info->ndo, h, sp, packets_captured); 3100 3101 --infodelay; 3102 if (infoprint) 3103 info(0); 3104 } 3105 3106 static void 3107 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 3108 { 3109 struct dump_info *dump_info; 3110 3111 ++packets_captured; 3112 3113 ++infodelay; 3114 3115 dump_info = (struct dump_info *)user; 3116 3117 pcap_dump((u_char *)dump_info->pdd, h, sp); 3118 #ifdef HAVE_PCAP_DUMP_FLUSH 3119 if (Uflag) 3120 pcap_dump_flush(dump_info->pdd); 3121 #endif 3122 3123 if (dump_info->ndo != NULL) 3124 pretty_print_packet(dump_info->ndo, h, sp, packets_captured); 3125 3126 --infodelay; 3127 if (infoprint) 3128 info(0); 3129 } 3130 3131 static void 3132 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 3133 { 3134 ++packets_captured; 3135 3136 ++infodelay; 3137 3138 if (!count_mode) 3139 pretty_print_packet((netdissect_options *)user, h, sp, packets_captured); 3140 3141 --infodelay; 3142 if (infoprint) 3143 info(0); 3144 } 3145 3146 #ifdef SIGNAL_REQ_INFO 3147 static void 3148 requestinfo(int signo _U_) 3149 { 3150 if (infodelay) 3151 ++infoprint; 3152 else 3153 info(0); 3154 } 3155 #endif 3156 3157 #ifdef SIGNAL_FLUSH_PCAP 3158 static void 3159 flushpcap(int signo _U_) 3160 { 3161 if (pdd != NULL) 3162 pcap_dump_flush(pdd); 3163 } 3164 #endif 3165 3166 static void 3167 print_packets_captured (void) 3168 { 3169 static u_int prev_packets_captured, first = 1; 3170 3171 if (infodelay == 0 && (first || packets_captured != prev_packets_captured)) { 3172 fprintf(stderr, "Got %u\r", packets_captured); 3173 first = 0; 3174 prev_packets_captured = packets_captured; 3175 } 3176 } 3177 3178 /* 3179 * Called once each second in verbose mode while dumping to file 3180 */ 3181 #ifdef _WIN32 3182 static void CALLBACK verbose_stats_dump(PVOID param _U_, 3183 BOOLEAN timer_fired _U_) 3184 { 3185 print_packets_captured(); 3186 } 3187 #else /* _WIN32 */ 3188 static void verbose_stats_dump(int sig _U_) 3189 { 3190 print_packets_captured(); 3191 } 3192 #endif /* _WIN32 */ 3193 3194 DIAG_OFF_DEPRECATION 3195 static void 3196 print_version(FILE *f) 3197 { 3198 #ifndef HAVE_PCAP_LIB_VERSION 3199 #ifdef HAVE_PCAP_VERSION 3200 extern char pcap_version[]; 3201 #else /* HAVE_PCAP_VERSION */ 3202 static char pcap_version[] = "unknown"; 3203 #endif /* HAVE_PCAP_VERSION */ 3204 #endif /* HAVE_PCAP_LIB_VERSION */ 3205 const char *smi_version_string; 3206 3207 (void)fprintf(f, "%s version " PACKAGE_VERSION "\n", program_name); 3208 #ifdef HAVE_PCAP_LIB_VERSION 3209 (void)fprintf(f, "%s\n", pcap_lib_version()); 3210 #else /* HAVE_PCAP_LIB_VERSION */ 3211 (void)fprintf(f, "libpcap version %s\n", pcap_version); 3212 #endif /* HAVE_PCAP_LIB_VERSION */ 3213 3214 #if defined(HAVE_LIBCRYPTO) && defined(SSLEAY_VERSION) 3215 (void)fprintf (f, "%s\n", SSLeay_version(SSLEAY_VERSION)); 3216 #endif 3217 3218 smi_version_string = nd_smi_version_string(); 3219 if (smi_version_string != NULL) 3220 (void)fprintf (f, "SMI-library: %s\n", smi_version_string); 3221 3222 #if defined(__SANITIZE_ADDRESS__) 3223 (void)fprintf (f, "Compiled with AddressSanitizer/GCC.\n"); 3224 #elif defined(__has_feature) 3225 # if __has_feature(address_sanitizer) 3226 (void)fprintf (f, "Compiled with AddressSanitizer/Clang.\n"); 3227 # elif __has_feature(memory_sanitizer) 3228 (void)fprintf (f, "Compiled with MemorySanitizer/Clang.\n"); 3229 # endif 3230 #endif /* __SANITIZE_ADDRESS__ or __has_feature */ 3231 } 3232 DIAG_ON_DEPRECATION 3233 3234 static void 3235 print_usage(FILE *f) 3236 { 3237 print_version(f); 3238 (void)fprintf(f, 3239 "Usage: %s [-Abd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqStu" U_FLAG "vxX#]" B_FLAG_USAGE " [ -c count ] [--count]\n", program_name); 3240 (void)fprintf(f, 3241 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n"); 3242 (void)fprintf(f, 3243 "\t\t[ -i interface ]" IMMEDIATE_MODE_USAGE j_FLAG_USAGE "\n"); 3244 #ifdef HAVE_PCAP_FINDALLDEVS_EX 3245 (void)fprintf(f, 3246 "\t\t" LIST_REMOTE_INTERFACES_USAGE "\n"); 3247 #endif 3248 #ifdef USE_LIBSMI 3249 (void)fprintf(f, 3250 "\t\t" m_FLAG_USAGE "\n"); 3251 #endif 3252 (void)fprintf(f, 3253 "\t\t[ -M secret ] [ --number ] [ --print ]" Q_FLAG_USAGE "\n"); 3254 (void)fprintf(f, 3255 "\t\t[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]\n"); 3256 (void)fprintf(f, 3257 "\t\t[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]\n"); 3258 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 3259 (void)fprintf(f, 3260 "\t\t[ --time-stamp-precision precision ] [ --micro ] [ --nano ]\n"); 3261 #endif 3262 (void)fprintf(f, 3263 "\t\t[ -z postrotate-command ] [ -Z user ] [ expression ]\n"); 3264 } 3265