1 /* 2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Support for splitting captures into multiple files with a maximum 22 * file size: 23 * 24 * Copyright (c) 2001 25 * Seth Webster <swebster@sst.ll.mit.edu> 26 */ 27 28 /* 29 * tcpdump - dump traffic on a network 30 * 31 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory. 32 * Mercilessly hacked and occasionally improved since then via the 33 * combined efforts of Van, Steve McCanne and Craig Leres of LBL. 34 */ 35 36 #ifdef HAVE_CONFIG_H 37 #include <config.h> 38 #endif 39 40 /* 41 * Some older versions of Mac OS X may ship pcap.h from libpcap 0.6 with a 42 * libpcap based on 0.8. That means it has pcap_findalldevs() but the 43 * header doesn't define pcap_if_t, meaning that we can't actually *use* 44 * pcap_findalldevs(). 45 */ 46 #ifdef HAVE_PCAP_FINDALLDEVS 47 #ifndef HAVE_PCAP_IF_T 48 #undef HAVE_PCAP_FINDALLDEVS 49 #endif 50 #endif 51 52 #include "netdissect-stdinc.h" 53 54 /* 55 * This must appear after including netdissect-stdinc.h, so that _U_ is 56 * defined. 57 */ 58 #ifndef lint 59 static const char copyright[] _U_ = 60 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\ 61 The Regents of the University of California. All rights reserved.\n"; 62 #endif 63 64 #include <sys/stat.h> 65 66 #ifdef HAVE_FCNTL_H 67 #include <fcntl.h> 68 #endif 69 70 #ifdef HAVE_LIBCRYPTO 71 #include <openssl/crypto.h> 72 #endif 73 74 #ifdef HAVE_GETOPT_LONG 75 #include <getopt.h> 76 #else 77 #include "missing/getopt_long.h" 78 #endif 79 /* Capsicum-specific code requires macros from <net/bpf.h>, which will fail 80 * to compile if <pcap.h> has already been included; including the headers 81 * in the opposite order works fine. For the most part anyway, because in 82 * FreeBSD <pcap/pcap.h> declares bpf_dump() instead of <net/bpf.h>. Thus 83 * interface.h takes care of it later to avoid a compiler warning. 84 */ 85 #ifdef HAVE_CAPSICUM 86 #include <sys/capsicum.h> 87 #include <sys/ioccom.h> 88 #include <net/bpf.h> 89 #include <libgen.h> 90 #ifdef HAVE_CASPER 91 #include <libcasper.h> 92 #include <casper/cap_dns.h> 93 #include <sys/nv.h> 94 #endif /* HAVE_CASPER */ 95 #endif /* HAVE_CAPSICUM */ 96 #ifdef HAVE_PCAP_OPEN 97 /* 98 * We found pcap_open() in the capture library, so we'll be using 99 * the remote capture APIs; define PCAP_REMOTE before we include pcap.h, 100 * so we get those APIs declared, and the types and #defines that they 101 * use defined. 102 * 103 * WinPcap's headers require that PCAP_REMOTE be defined in order to get 104 * remote-capture APIs declared and types and #defines that they use 105 * defined. 106 * 107 * (Versions of libpcap with those APIs, and thus Npcap, which is based on 108 * those versions of libpcap, don't require it.) 109 */ 110 #define HAVE_REMOTE 111 #endif 112 #include <pcap.h> 113 #include <signal.h> 114 #include <stdio.h> 115 #include <stdarg.h> 116 #include <stdlib.h> 117 #include <string.h> 118 #include <limits.h> 119 #ifdef _WIN32 120 #include <windows.h> 121 #else 122 #include <sys/time.h> 123 #include <sys/wait.h> 124 #include <sys/resource.h> 125 #include <pwd.h> 126 #include <grp.h> 127 #endif /* _WIN32 */ 128 129 /* 130 * Pathname separator. 131 * Use this in pathnames, but do *not* use it in URLs. 132 */ 133 #ifdef _WIN32 134 #define PATH_SEPARATOR '\\' 135 #else 136 #define PATH_SEPARATOR '/' 137 #endif 138 139 /* capabilities convenience library */ 140 /* If a code depends on HAVE_LIBCAP_NG, it depends also on HAVE_CAP_NG_H. 141 * If HAVE_CAP_NG_H is not defined, undefine HAVE_LIBCAP_NG. 142 * Thus, the later tests are done only on HAVE_LIBCAP_NG. 143 */ 144 #ifdef HAVE_LIBCAP_NG 145 #ifdef HAVE_CAP_NG_H 146 #include <cap-ng.h> 147 #else 148 #undef HAVE_LIBCAP_NG 149 #endif /* HAVE_CAP_NG_H */ 150 #endif /* HAVE_LIBCAP_NG */ 151 152 #ifdef __FreeBSD__ 153 #include <sys/sysctl.h> 154 #endif /* __FreeBSD__ */ 155 156 #include "netdissect-stdinc.h" 157 #include "netdissect.h" 158 #include "interface.h" 159 #include "addrtoname.h" 160 #include "machdep.h" 161 #include "pcap-missing.h" 162 #include "ascii_strcasecmp.h" 163 164 #include "print.h" 165 166 #include "diag-control.h" 167 168 #include "fptype.h" 169 170 #ifndef PATH_MAX 171 #define PATH_MAX 1024 172 #endif 173 174 #if defined(SIGINFO) 175 #define SIGNAL_REQ_INFO SIGINFO 176 #elif defined(SIGUSR1) 177 #define SIGNAL_REQ_INFO SIGUSR1 178 #endif 179 180 #if defined(HAVE_PCAP_DUMP_FLUSH) && defined(SIGUSR2) 181 #define SIGNAL_FLUSH_PCAP SIGUSR2 182 #endif 183 184 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 185 static int Bflag; /* buffer size */ 186 #endif 187 #ifdef HAVE_PCAP_DUMP_FTELL64 188 static int64_t Cflag; /* rotate dump files after this many bytes */ 189 #else 190 static long Cflag; /* rotate dump files after this many bytes */ 191 #endif 192 static int Cflag_count; /* Keep track of which file number we're writing */ 193 #ifdef HAVE_PCAP_FINDALLDEVS 194 static int Dflag; /* list available devices and exit */ 195 #endif 196 #ifdef HAVE_PCAP_FINDALLDEVS_EX 197 static char *remote_interfaces_source; /* list available devices from this source and exit */ 198 #endif 199 200 /* 201 * This is exported because, in some versions of libpcap, if libpcap 202 * is built with optimizer debugging code (which is *NOT* the default 203 * configuration!), the library *imports*(!) a variable named dflag, 204 * under the expectation that tcpdump is exporting it, to govern 205 * how much debugging information to print when optimizing 206 * the generated BPF code. 207 * 208 * This is a horrible hack; newer versions of libpcap don't import 209 * dflag but, instead, *if* built with optimizer debugging code, 210 * *export* a routine to set that flag. 211 */ 212 extern int dflag; 213 int dflag; /* print filter code */ 214 static int Gflag; /* rotate dump files after this many seconds */ 215 static int Gflag_count; /* number of files created with Gflag rotation */ 216 static time_t Gflag_time; /* The last time_t the dump file was rotated. */ 217 static int Lflag; /* list available data link types and exit */ 218 static int Iflag; /* rfmon (monitor) mode */ 219 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 220 static int Jflag; /* list available time stamp types */ 221 static int jflag = -1; /* packet time stamp source */ 222 #endif 223 static int lflag; /* line-buffered output */ 224 static int pflag; /* don't go promiscuous */ 225 #ifdef HAVE_PCAP_SETDIRECTION 226 static int Qflag = -1; /* restrict captured packet by send/receive direction */ 227 #endif 228 #ifdef HAVE_PCAP_DUMP_FLUSH 229 static int Uflag; /* "unbuffered" output of dump files */ 230 #endif 231 static int Wflag; /* recycle output files after this number of files */ 232 static int WflagChars; 233 static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */ 234 static int timeout = 1000; /* default timeout = 1000 ms = 1 s */ 235 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 236 static int immediate_mode; 237 #endif 238 static int count_mode; 239 240 static int infodelay; 241 static int infoprint; 242 243 char *program_name; 244 245 /* 246 * #ifdef HAVE_CASPER 247 * cap_channel_t *capdns; 248 * #endif 249 */ 250 251 /* Forwards */ 252 static NORETURN void error(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 253 static void warning(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 254 static NORETURN void exit_tcpdump(int); 255 static void (*setsignal (int sig, void (*func)(int)))(int); 256 static void cleanup(int); 257 static void child_cleanup(int); 258 static void print_version(FILE *); 259 static void print_usage(FILE *); 260 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 261 static NORETURN void show_tstamp_types_and_exit(pcap_t *, const char *device); 262 #endif 263 static NORETURN void show_dlts_and_exit(pcap_t *, const char *device); 264 #ifdef HAVE_PCAP_FINDALLDEVS 265 static NORETURN void show_devices_and_exit(void); 266 #endif 267 #ifdef HAVE_PCAP_FINDALLDEVS_EX 268 static NORETURN void show_remote_devices_and_exit(void); 269 #endif 270 271 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 272 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *); 273 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 274 static void droproot(const char *, const char *); 275 276 #ifdef SIGNAL_REQ_INFO 277 static void requestinfo(int); 278 #endif 279 280 #ifdef SIGNAL_FLUSH_PCAP 281 static void flushpcap(int); 282 #endif 283 284 #ifdef _WIN32 285 static HANDLE timer_handle = INVALID_HANDLE_VALUE; 286 static void CALLBACK verbose_stats_dump(PVOID param, BOOLEAN timer_fired); 287 #else /* _WIN32 */ 288 static void verbose_stats_dump(int sig); 289 #endif /* _WIN32 */ 290 291 static void info(int); 292 static u_int packets_captured; 293 294 #ifdef HAVE_PCAP_FINDALLDEVS 295 static const struct tok status_flags[] = { 296 #ifdef PCAP_IF_UP 297 { PCAP_IF_UP, "Up" }, 298 #endif 299 #ifdef PCAP_IF_RUNNING 300 { PCAP_IF_RUNNING, "Running" }, 301 #endif 302 { PCAP_IF_LOOPBACK, "Loopback" }, 303 #ifdef PCAP_IF_WIRELESS 304 { PCAP_IF_WIRELESS, "Wireless" }, 305 #endif 306 { 0, NULL } 307 }; 308 #endif 309 310 static pcap_t *pd; 311 static pcap_dumper_t *pdd = NULL; 312 313 static int supports_monitor_mode; 314 315 extern int optind; 316 extern int opterr; 317 extern char *optarg; 318 319 struct dump_info { 320 char *WFileName; 321 char *CurrentFileName; 322 pcap_t *pd; 323 pcap_dumper_t *pdd; 324 netdissect_options *ndo; 325 #ifdef HAVE_CAPSICUM 326 int dirfd; 327 #endif 328 }; 329 330 #if defined(HAVE_PCAP_SET_PARSER_DEBUG) 331 /* 332 * We have pcap_set_parser_debug() in libpcap; declare it (it's not declared 333 * by any libpcap header, because it's a special hack, only available if 334 * libpcap was configured to include it, and only intended for use by 335 * libpcap developers trying to debug the parser for filter expressions). 336 */ 337 #ifdef _WIN32 338 __declspec(dllimport) 339 #else /* _WIN32 */ 340 extern 341 #endif /* _WIN32 */ 342 void pcap_set_parser_debug(int); 343 #elif defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG) 344 /* 345 * We don't have pcap_set_parser_debug() in libpcap, but we do have 346 * pcap_debug or yydebug. Make a local version of pcap_set_parser_debug() 347 * to set the flag, and define HAVE_PCAP_SET_PARSER_DEBUG. 348 */ 349 static void 350 pcap_set_parser_debug(int value) 351 { 352 #ifdef HAVE_PCAP_DEBUG 353 extern int pcap_debug; 354 355 pcap_debug = value; 356 #else /* HAVE_PCAP_DEBUG */ 357 extern int yydebug; 358 359 yydebug = value; 360 #endif /* HAVE_PCAP_DEBUG */ 361 } 362 363 #define HAVE_PCAP_SET_PARSER_DEBUG 364 #endif 365 366 #if defined(HAVE_PCAP_SET_OPTIMIZER_DEBUG) 367 /* 368 * We have pcap_set_optimizer_debug() in libpcap; declare it (it's not declared 369 * by any libpcap header, because it's a special hack, only available if 370 * libpcap was configured to include it, and only intended for use by 371 * libpcap developers trying to debug the optimizer for filter expressions). 372 */ 373 #ifdef _WIN32 374 __declspec(dllimport) 375 #else /* _WIN32 */ 376 extern 377 #endif /* _WIN32 */ 378 void pcap_set_optimizer_debug(int); 379 #endif 380 381 /* VARARGS */ 382 static void 383 error(const char *fmt, ...) 384 { 385 va_list ap; 386 387 (void)fprintf(stderr, "%s: ", program_name); 388 va_start(ap, fmt); 389 (void)vfprintf(stderr, fmt, ap); 390 va_end(ap); 391 if (*fmt) { 392 fmt += strlen(fmt); 393 if (fmt[-1] != '\n') 394 (void)fputc('\n', stderr); 395 } 396 exit_tcpdump(S_ERR_HOST_PROGRAM); 397 /* NOTREACHED */ 398 } 399 400 /* VARARGS */ 401 static void 402 warning(const char *fmt, ...) 403 { 404 va_list ap; 405 406 (void)fprintf(stderr, "%s: WARNING: ", program_name); 407 va_start(ap, fmt); 408 (void)vfprintf(stderr, fmt, ap); 409 va_end(ap); 410 if (*fmt) { 411 fmt += strlen(fmt); 412 if (fmt[-1] != '\n') 413 (void)fputc('\n', stderr); 414 } 415 } 416 417 static void 418 exit_tcpdump(int status) 419 { 420 nd_cleanup(); 421 exit(status); 422 } 423 424 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 425 static void 426 show_tstamp_types_and_exit(pcap_t *pc, const char *device) 427 { 428 int n_tstamp_types; 429 int *tstamp_types = 0; 430 const char *tstamp_type_name; 431 int i; 432 433 n_tstamp_types = pcap_list_tstamp_types(pc, &tstamp_types); 434 if (n_tstamp_types < 0) 435 error("%s", pcap_geterr(pc)); 436 437 if (n_tstamp_types == 0) { 438 fprintf(stderr, "Time stamp type cannot be set for %s\n", 439 device); 440 exit_tcpdump(S_SUCCESS); 441 } 442 fprintf(stderr, "Time stamp types for %s (use option -j to set):\n", 443 device); 444 for (i = 0; i < n_tstamp_types; i++) { 445 tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]); 446 if (tstamp_type_name != NULL) { 447 (void) fprintf(stderr, " %s (%s)\n", tstamp_type_name, 448 pcap_tstamp_type_val_to_description(tstamp_types[i])); 449 } else { 450 (void) fprintf(stderr, " %d\n", tstamp_types[i]); 451 } 452 } 453 pcap_free_tstamp_types(tstamp_types); 454 exit_tcpdump(S_SUCCESS); 455 } 456 #endif 457 458 static void 459 show_dlts_and_exit(pcap_t *pc, const char *device) 460 { 461 int n_dlts, i; 462 int *dlts = 0; 463 const char *dlt_name; 464 465 n_dlts = pcap_list_datalinks(pc, &dlts); 466 if (n_dlts < 0) 467 error("%s", pcap_geterr(pc)); 468 else if (n_dlts == 0 || !dlts) 469 error("No data link types."); 470 471 /* 472 * If the interface is known to support monitor mode, indicate 473 * whether these are the data link types available when not in 474 * monitor mode, if -I wasn't specified, or when in monitor mode, 475 * when -I was specified (the link-layer types available in 476 * monitor mode might be different from the ones available when 477 * not in monitor mode). 478 */ 479 if (supports_monitor_mode) 480 (void) fprintf(stderr, "Data link types for %s %s (use option -y to set):\n", 481 device, 482 Iflag ? "when in monitor mode" : "when not in monitor mode"); 483 else 484 (void) fprintf(stderr, "Data link types for %s (use option -y to set):\n", 485 device); 486 487 for (i = 0; i < n_dlts; i++) { 488 dlt_name = pcap_datalink_val_to_name(dlts[i]); 489 if (dlt_name != NULL) { 490 (void) fprintf(stderr, " %s (%s)", dlt_name, 491 pcap_datalink_val_to_description(dlts[i])); 492 493 /* 494 * OK, does tcpdump handle that type? 495 */ 496 if (!has_printer(dlts[i])) 497 (void) fprintf(stderr, " (printing not supported)"); 498 fprintf(stderr, "\n"); 499 } else { 500 (void) fprintf(stderr, " DLT %d (printing not supported)\n", 501 dlts[i]); 502 } 503 } 504 #ifdef HAVE_PCAP_FREE_DATALINKS 505 pcap_free_datalinks(dlts); 506 #endif 507 exit_tcpdump(S_SUCCESS); 508 } 509 510 #ifdef HAVE_PCAP_FINDALLDEVS 511 static void 512 show_devices_and_exit(void) 513 { 514 pcap_if_t *dev, *devlist; 515 char ebuf[PCAP_ERRBUF_SIZE]; 516 int i; 517 518 if (pcap_findalldevs(&devlist, ebuf) < 0) 519 error("%s", ebuf); 520 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 521 printf("%d.%s", i+1, dev->name); 522 if (dev->description != NULL) 523 printf(" (%s)", dev->description); 524 if (dev->flags != 0) { 525 printf(" ["); 526 printf("%s", bittok2str(status_flags, "none", dev->flags)); 527 #ifdef PCAP_IF_WIRELESS 528 if (dev->flags & PCAP_IF_WIRELESS) { 529 switch (dev->flags & PCAP_IF_CONNECTION_STATUS) { 530 531 case PCAP_IF_CONNECTION_STATUS_UNKNOWN: 532 printf(", Association status unknown"); 533 break; 534 535 case PCAP_IF_CONNECTION_STATUS_CONNECTED: 536 printf(", Associated"); 537 break; 538 539 case PCAP_IF_CONNECTION_STATUS_DISCONNECTED: 540 printf(", Not associated"); 541 break; 542 543 case PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE: 544 break; 545 } 546 } else { 547 switch (dev->flags & PCAP_IF_CONNECTION_STATUS) { 548 549 case PCAP_IF_CONNECTION_STATUS_UNKNOWN: 550 printf(", Connection status unknown"); 551 break; 552 553 case PCAP_IF_CONNECTION_STATUS_CONNECTED: 554 printf(", Connected"); 555 break; 556 557 case PCAP_IF_CONNECTION_STATUS_DISCONNECTED: 558 printf(", Disconnected"); 559 break; 560 561 case PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE: 562 break; 563 } 564 } 565 #endif 566 printf("]"); 567 } 568 printf("\n"); 569 } 570 pcap_freealldevs(devlist); 571 exit_tcpdump(S_SUCCESS); 572 } 573 #endif /* HAVE_PCAP_FINDALLDEVS */ 574 575 #ifdef HAVE_PCAP_FINDALLDEVS_EX 576 static void 577 show_remote_devices_and_exit(void) 578 { 579 pcap_if_t *dev, *devlist; 580 char ebuf[PCAP_ERRBUF_SIZE]; 581 int i; 582 583 if (pcap_findalldevs_ex(remote_interfaces_source, NULL, &devlist, 584 ebuf) < 0) 585 error("%s", ebuf); 586 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 587 printf("%d.%s", i+1, dev->name); 588 if (dev->description != NULL) 589 printf(" (%s)", dev->description); 590 if (dev->flags != 0) 591 printf(" [%s]", bittok2str(status_flags, "none", dev->flags)); 592 printf("\n"); 593 } 594 pcap_freealldevs(devlist); 595 exit_tcpdump(S_SUCCESS); 596 } 597 #endif /* HAVE_PCAP_FINDALLDEVS */ 598 599 /* 600 * Short options. 601 * 602 * Note that there we use all letters for short options except for g, k, 603 * o, and P, and those are used by other versions of tcpdump, and we should 604 * only use them for the same purposes that the other versions of tcpdump 605 * use them: 606 * 607 * macOS tcpdump uses -g to force non--v output for IP to be on one 608 * line, making it more "g"repable; 609 * 610 * macOS tcpdump uses -k to specify that packet comments in pcapng files 611 * should be printed; 612 * 613 * OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done 614 * for hosts sending TCP SYN packets; 615 * 616 * macOS tcpdump uses -P to indicate that -w should write pcapng rather 617 * than pcap files. 618 * 619 * macOS tcpdump also uses -Q to specify expressions that match packet 620 * metadata, including but not limited to the packet direction. 621 * The expression syntax is different from a simple "in|out|inout", 622 * and those expressions aren't accepted by macOS tcpdump, but the 623 * equivalents would be "in" = "dir=in", "out" = "dir=out", and 624 * "inout" = "dir=in or dir=out", and the parser could conceivably 625 * special-case "in", "out", and "inout" as expressions for backwards 626 * compatibility, so all is not (yet) lost. 627 */ 628 629 /* 630 * Set up flags that might or might not be supported depending on the 631 * version of libpcap we're using. 632 */ 633 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 634 #define B_FLAG "B:" 635 #define B_FLAG_USAGE " [ -B size ]" 636 #else /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 637 #define B_FLAG 638 #define B_FLAG_USAGE 639 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 640 641 #ifdef HAVE_PCAP_FINDALLDEVS 642 #define D_FLAG "D" 643 #else 644 #define D_FLAG 645 #endif 646 647 #ifdef HAVE_PCAP_CREATE 648 #define I_FLAG "I" 649 #else /* HAVE_PCAP_CREATE */ 650 #define I_FLAG 651 #endif /* HAVE_PCAP_CREATE */ 652 653 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 654 #define j_FLAG "j:" 655 #define j_FLAG_USAGE " [ -j tstamptype ]" 656 #define J_FLAG "J" 657 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 658 #define j_FLAG 659 #define j_FLAG_USAGE 660 #define J_FLAG 661 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 662 663 #ifdef USE_LIBSMI 664 #define m_FLAG_USAGE "[ -m module ] ..." 665 #endif 666 667 #ifdef HAVE_PCAP_SETDIRECTION 668 #define Q_FLAG "Q:" 669 #define Q_FLAG_USAGE " [ -Q in|out|inout ]" 670 #else 671 #define Q_FLAG 672 #define Q_FLAG_USAGE 673 #endif 674 675 #ifdef HAVE_PCAP_DUMP_FLUSH 676 #define U_FLAG "U" 677 #else 678 #define U_FLAG 679 #endif 680 681 #define SHORTOPTS "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpq" Q_FLAG "r:s:StT:u" U_FLAG "vV:w:W:xXy:Yz:Z:#" 682 683 /* 684 * Long options. 685 * 686 * We do not currently have long options corresponding to all short 687 * options; we should probably pick appropriate option names for them. 688 * 689 * However, the short options where the number of times the option is 690 * specified matters, such as -v and -d and -t, should probably not 691 * just map to a long option, as saying 692 * 693 * tcpdump --verbose --verbose 694 * 695 * doesn't make sense; it should be --verbosity={N} or something such 696 * as that. 697 * 698 * For long options with no corresponding short options, we define values 699 * outside the range of ASCII graphic characters, make that the last 700 * component of the entry for the long option, and have a case for that 701 * option in the switch statement. 702 */ 703 #define OPTION_VERSION 128 704 #define OPTION_TSTAMP_PRECISION 129 705 #define OPTION_IMMEDIATE_MODE 130 706 #define OPTION_PRINT 131 707 #define OPTION_LIST_REMOTE_INTERFACES 132 708 #define OPTION_TSTAMP_MICRO 133 709 #define OPTION_TSTAMP_NANO 134 710 #define OPTION_FP_TYPE 135 711 #define OPTION_COUNT 136 712 713 static const struct option longopts[] = { 714 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 715 { "buffer-size", required_argument, NULL, 'B' }, 716 #endif 717 { "list-interfaces", no_argument, NULL, 'D' }, 718 #ifdef HAVE_PCAP_FINDALLDEVS_EX 719 { "list-remote-interfaces", required_argument, NULL, OPTION_LIST_REMOTE_INTERFACES }, 720 #endif 721 { "help", no_argument, NULL, 'h' }, 722 { "interface", required_argument, NULL, 'i' }, 723 #ifdef HAVE_PCAP_CREATE 724 { "monitor-mode", no_argument, NULL, 'I' }, 725 #endif 726 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 727 { "time-stamp-type", required_argument, NULL, 'j' }, 728 { "list-time-stamp-types", no_argument, NULL, 'J' }, 729 #endif 730 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 731 { "micro", no_argument, NULL, OPTION_TSTAMP_MICRO}, 732 { "nano", no_argument, NULL, OPTION_TSTAMP_NANO}, 733 { "time-stamp-precision", required_argument, NULL, OPTION_TSTAMP_PRECISION}, 734 #endif 735 { "dont-verify-checksums", no_argument, NULL, 'K' }, 736 { "list-data-link-types", no_argument, NULL, 'L' }, 737 { "no-optimize", no_argument, NULL, 'O' }, 738 { "no-promiscuous-mode", no_argument, NULL, 'p' }, 739 #ifdef HAVE_PCAP_SETDIRECTION 740 { "direction", required_argument, NULL, 'Q' }, 741 #endif 742 { "snapshot-length", required_argument, NULL, 's' }, 743 { "absolute-tcp-sequence-numbers", no_argument, NULL, 'S' }, 744 #ifdef HAVE_PCAP_DUMP_FLUSH 745 { "packet-buffered", no_argument, NULL, 'U' }, 746 #endif 747 { "linktype", required_argument, NULL, 'y' }, 748 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 749 { "immediate-mode", no_argument, NULL, OPTION_IMMEDIATE_MODE }, 750 #endif 751 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 752 { "debug-filter-parser", no_argument, NULL, 'Y' }, 753 #endif 754 { "relinquish-privileges", required_argument, NULL, 'Z' }, 755 { "count", no_argument, NULL, OPTION_COUNT }, 756 { "fp-type", no_argument, NULL, OPTION_FP_TYPE }, 757 { "number", no_argument, NULL, '#' }, 758 { "print", no_argument, NULL, OPTION_PRINT }, 759 { "version", no_argument, NULL, OPTION_VERSION }, 760 { NULL, 0, NULL, 0 } 761 }; 762 763 #ifdef HAVE_PCAP_FINDALLDEVS_EX 764 #define LIST_REMOTE_INTERFACES_USAGE "[ --list-remote-interfaces remote-source ]" 765 #else 766 #define LIST_REMOTE_INTERFACES_USAGE 767 #endif 768 769 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 770 #define IMMEDIATE_MODE_USAGE " [ --immediate-mode ]" 771 #else 772 #define IMMEDIATE_MODE_USAGE "" 773 #endif 774 775 #ifndef _WIN32 776 /* Drop root privileges and chroot if necessary */ 777 static void 778 droproot(const char *username, const char *chroot_dir) 779 { 780 struct passwd *pw = NULL; 781 782 if (chroot_dir && !username) 783 error("Chroot without dropping root is insecure"); 784 785 pw = getpwnam(username); 786 if (pw) { 787 if (chroot_dir) { 788 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) 789 error("Couldn't chroot/chdir to '%.64s': %s", 790 chroot_dir, pcap_strerror(errno)); 791 } 792 #ifdef HAVE_LIBCAP_NG 793 { 794 int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG); 795 if (ret < 0) 796 error("capng_change_id(): return %d\n", ret); 797 else 798 fprintf(stderr, "dropped privs to %s\n", username); 799 } 800 #else 801 if (initgroups(pw->pw_name, pw->pw_gid) != 0 || 802 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) 803 error("Couldn't change to '%.32s' uid=%lu gid=%lu: %s", 804 username, 805 (unsigned long)pw->pw_uid, 806 (unsigned long)pw->pw_gid, 807 pcap_strerror(errno)); 808 else { 809 fprintf(stderr, "dropped privs to %s\n", username); 810 } 811 #endif /* HAVE_LIBCAP_NG */ 812 } else 813 error("Couldn't find user '%.32s'", username); 814 #ifdef HAVE_LIBCAP_NG 815 /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */ 816 DIAG_OFF_ASSIGN_ENUM 817 capng_updatev( 818 CAPNG_DROP, 819 CAPNG_EFFECTIVE | CAPNG_PERMITTED, 820 CAP_SETUID, 821 CAP_SETGID, 822 CAP_SYS_CHROOT, 823 -1); 824 DIAG_ON_ASSIGN_ENUM 825 capng_apply(CAPNG_SELECT_BOTH); 826 #endif /* HAVE_LIBCAP_NG */ 827 828 } 829 #endif /* _WIN32 */ 830 831 static int 832 getWflagChars(int x) 833 { 834 int c = 0; 835 836 x -= 1; 837 while (x > 0) { 838 c += 1; 839 x /= 10; 840 } 841 842 return c; 843 } 844 845 846 static void 847 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars) 848 { 849 char *filename = malloc(PATH_MAX + 1); 850 if (filename == NULL) 851 error("%s: malloc", __func__); 852 if (strlen(orig_name) == 0) 853 error("an empty string is not a valid file name"); 854 855 /* Process with strftime if Gflag is set. */ 856 if (Gflag != 0) { 857 struct tm *local_tm; 858 859 /* Convert Gflag_time to a usable format */ 860 if ((local_tm = localtime(&Gflag_time)) == NULL) { 861 error("%s: localtime", __func__); 862 } 863 864 /* There's no good way to detect an error in strftime since a return 865 * value of 0 isn't necessarily failure; if orig_name is an empty 866 * string, the formatted string will be empty. 867 * 868 * However, the C90 standard says that, if there *is* a 869 * buffer overflow, the content of the buffer is undefined, 870 * so we must check for a buffer overflow. 871 * 872 * So we check above for an empty orig_name, and only call 873 * strftime() if it's non-empty, in which case the return 874 * value will only be 0 if the formatted date doesn't fit 875 * in the buffer. 876 * 877 * (We check above because, even if we don't use -G, we 878 * want a better error message than "tcpdump: : No such 879 * file or directory" for this case.) 880 */ 881 if (strftime(filename, PATH_MAX, orig_name, local_tm) == 0) { 882 error("%s: strftime", __func__); 883 } 884 } else { 885 strncpy(filename, orig_name, PATH_MAX); 886 } 887 888 if (cnt == 0 && max_chars == 0) 889 strncpy(buffer, filename, PATH_MAX + 1); 890 else 891 if (snprintf(buffer, PATH_MAX + 1, "%s%0*d", filename, max_chars, cnt) > PATH_MAX) 892 /* Report an error if the filename is too large */ 893 error("too many output files or filename is too long (> %d)", PATH_MAX); 894 free(filename); 895 } 896 897 static char * 898 get_next_file(FILE *VFile, char *ptr) 899 { 900 char *ret; 901 size_t len; 902 903 ret = fgets(ptr, PATH_MAX, VFile); 904 if (!ret) 905 return NULL; 906 907 len = strlen (ptr); 908 if (len > 0 && ptr[len - 1] == '\n') 909 ptr[len - 1] = '\0'; 910 911 return ret; 912 } 913 914 #ifdef HAVE_CASPER 915 static cap_channel_t * 916 capdns_setup(void) 917 { 918 cap_channel_t *capcas, *capdnsloc; 919 const char *types[1]; 920 int families[2]; 921 922 capcas = cap_init(); 923 if (capcas == NULL) 924 error("unable to create casper process"); 925 capdnsloc = cap_service_open(capcas, "system.dns"); 926 /* Casper capability no longer needed. */ 927 cap_close(capcas); 928 if (capdnsloc == NULL) 929 error("unable to open system.dns service"); 930 /* Limit system.dns to reverse DNS lookups. */ 931 types[0] = "ADDR2NAME"; 932 if (cap_dns_type_limit(capdnsloc, types, 1) < 0) 933 error("unable to limit access to system.dns service"); 934 families[0] = AF_INET; 935 families[1] = AF_INET6; 936 if (cap_dns_family_limit(capdnsloc, families, 2) < 0) 937 error("unable to limit access to system.dns service"); 938 939 return (capdnsloc); 940 } 941 #endif /* HAVE_CASPER */ 942 943 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 944 static int 945 tstamp_precision_from_string(const char *precision) 946 { 947 if (strncmp(precision, "nano", strlen("nano")) == 0) 948 return PCAP_TSTAMP_PRECISION_NANO; 949 950 if (strncmp(precision, "micro", strlen("micro")) == 0) 951 return PCAP_TSTAMP_PRECISION_MICRO; 952 953 return -EINVAL; 954 } 955 956 static const char * 957 tstamp_precision_to_string(int precision) 958 { 959 switch (precision) { 960 961 case PCAP_TSTAMP_PRECISION_MICRO: 962 return "micro"; 963 964 case PCAP_TSTAMP_PRECISION_NANO: 965 return "nano"; 966 967 default: 968 return "unknown"; 969 } 970 } 971 #endif 972 973 #ifdef HAVE_CAPSICUM 974 /* 975 * Ensure that, on a dump file's descriptor, we have all the rights 976 * necessary to make the standard I/O library work with an fdopen()ed 977 * FILE * from that descriptor. 978 * 979 * A long time ago in a galaxy far, far away, AT&T decided that, instead 980 * of providing separate APIs for getting and setting the FD_ flags on a 981 * descriptor, getting and setting the O_ flags on a descriptor, and 982 * locking files, they'd throw them all into a kitchen-sink fcntl() call 983 * along the lines of ioctl(), the fact that ioctl() operations are 984 * largely specific to particular character devices but fcntl() operations 985 * are either generic to all descriptors or generic to all descriptors for 986 * regular files nonwithstanding. 987 * 988 * The Capsicum people decided that fine-grained control of descriptor 989 * operations was required, so that you need to grant permission for 990 * reading, writing, seeking, and fcntl-ing. The latter, courtesy of 991 * AT&T's decision, means that "fcntl-ing" isn't a thing, but a motley 992 * collection of things, so there are *individual* fcntls for which 993 * permission needs to be granted. 994 * 995 * The FreeBSD standard I/O people implemented some optimizations that 996 * requires that the standard I/O routines be able to determine whether 997 * the descriptor for the FILE * is open append-only or not; as that 998 * descriptor could have come from an open() rather than an fopen(), 999 * that requires that it be able to do an F_GETFL fcntl() to read 1000 * the O_ flags. 1001 * 1002 * Tcpdump uses ftell() to determine how much data has been written 1003 * to a file in order to, when used with -C, determine when it's time 1004 * to rotate capture files. ftell() therefore needs to do an lseek() 1005 * to find out the file offset and must, thanks to the aforementioned 1006 * optimization, also know whether the descriptor is open append-only 1007 * or not. 1008 * 1009 * The net result of all the above is that we need to grant CAP_SEEK, 1010 * CAP_WRITE, and CAP_FCNTL with the CAP_FCNTL_GETFL subcapability. 1011 * 1012 * Perhaps this is the universe's way of saying that either 1013 * 1014 * 1) there needs to be an fopenat() call and a pcap_dump_openat() call 1015 * using it, so that Capsicum-capable tcpdump wouldn't need to do 1016 * an fdopen() 1017 * 1018 * or 1019 * 1020 * 2) there needs to be a cap_fdopen() call in the FreeBSD standard 1021 * I/O library that knows what rights are needed by the standard 1022 * I/O library, based on the open mode, and assigns them, perhaps 1023 * with an additional argument indicating, for example, whether 1024 * seeking should be allowed, so that tcpdump doesn't need to know 1025 * what the standard I/O library happens to require this week. 1026 */ 1027 static void 1028 set_dumper_capsicum_rights(pcap_dumper_t *p) 1029 { 1030 int fd = fileno(pcap_dump_file(p)); 1031 cap_rights_t rights; 1032 1033 cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL); 1034 if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) { 1035 error("unable to limit dump descriptor"); 1036 } 1037 if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) { 1038 error("unable to limit dump descriptor fcntls"); 1039 } 1040 } 1041 #endif 1042 1043 /* 1044 * Copy arg vector into a new buffer, concatenating arguments with spaces. 1045 */ 1046 static char * 1047 copy_argv(char **argv) 1048 { 1049 char **p; 1050 size_t len = 0; 1051 char *buf; 1052 char *src, *dst; 1053 1054 p = argv; 1055 if (*p == NULL) 1056 return 0; 1057 1058 while (*p) 1059 len += strlen(*p++) + 1; 1060 1061 buf = (char *)malloc(len); 1062 if (buf == NULL) 1063 error("%s: malloc", __func__); 1064 1065 p = argv; 1066 dst = buf; 1067 while ((src = *p++) != NULL) { 1068 while ((*dst++ = *src++) != '\0') 1069 ; 1070 dst[-1] = ' '; 1071 } 1072 dst[-1] = '\0'; 1073 1074 return buf; 1075 } 1076 1077 /* 1078 * On Windows, we need to open the file in binary mode, so that 1079 * we get all the bytes specified by the size we get from "fstat()". 1080 * On UNIX, that's not necessary. O_BINARY is defined on Windows; 1081 * we define it as 0 if it's not defined, so it does nothing. 1082 */ 1083 #ifndef O_BINARY 1084 #define O_BINARY 0 1085 #endif 1086 1087 static char * 1088 read_infile(char *fname) 1089 { 1090 int i, fd; 1091 ssize_t cc; 1092 char *cp; 1093 our_statb buf; 1094 1095 fd = open(fname, O_RDONLY|O_BINARY); 1096 if (fd < 0) 1097 error("can't open %s: %s", fname, pcap_strerror(errno)); 1098 1099 if (our_fstat(fd, &buf) < 0) 1100 error("can't stat %s: %s", fname, pcap_strerror(errno)); 1101 1102 /* 1103 * Reject files whose size doesn't fit into an int; a filter 1104 * *that* large will probably be too big. 1105 */ 1106 if (buf.st_size > INT_MAX) 1107 error("%s is too large", fname); 1108 1109 cp = malloc((u_int)buf.st_size + 1); 1110 if (cp == NULL) 1111 error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, 1112 fname, pcap_strerror(errno)); 1113 cc = read(fd, cp, (u_int)buf.st_size); 1114 if (cc < 0) 1115 error("read %s: %s", fname, pcap_strerror(errno)); 1116 if (cc != buf.st_size) 1117 error("short read %s (%d != %d)", fname, (int) cc, 1118 (int)buf.st_size); 1119 1120 close(fd); 1121 /* replace "# comment" with spaces */ 1122 for (i = 0; i < cc; i++) { 1123 if (cp[i] == '#') 1124 while (i < cc && cp[i] != '\n') 1125 cp[i++] = ' '; 1126 } 1127 cp[cc] = '\0'; 1128 return (cp); 1129 } 1130 1131 #ifdef HAVE_PCAP_FINDALLDEVS 1132 static long 1133 parse_interface_number(const char *device) 1134 { 1135 const char *p; 1136 long devnum; 1137 char *end; 1138 1139 /* 1140 * Search for a colon, terminating any scheme at the beginning 1141 * of the device. 1142 */ 1143 p = strchr(device, ':'); 1144 if (p != NULL) { 1145 /* 1146 * We found it. Is it followed by "//"? 1147 */ 1148 p++; /* skip the : */ 1149 if (strncmp(p, "//", 2) == 0) { 1150 /* 1151 * Yes. Search for the next /, at the end of the 1152 * authority part of the URL. 1153 */ 1154 p += 2; /* skip the // */ 1155 p = strchr(p, '/'); 1156 if (p != NULL) { 1157 /* 1158 * OK, past the / is the path. 1159 */ 1160 device = p + 1; 1161 } 1162 } 1163 } 1164 devnum = strtol(device, &end, 10); 1165 if (device != end && *end == '\0') { 1166 /* 1167 * It's all-numeric, but is it a valid number? 1168 */ 1169 if (devnum <= 0) { 1170 /* 1171 * No, it's not an ordinal. 1172 */ 1173 error("Invalid adapter index"); 1174 } 1175 return (devnum); 1176 } else { 1177 /* 1178 * It's not all-numeric; return -1, so our caller 1179 * knows that. 1180 */ 1181 return (-1); 1182 } 1183 } 1184 1185 static char * 1186 find_interface_by_number(const char *url 1187 #ifndef HAVE_PCAP_FINDALLDEVS_EX 1188 _U_ 1189 #endif 1190 , long devnum) 1191 { 1192 pcap_if_t *dev, *devlist; 1193 long i; 1194 char ebuf[PCAP_ERRBUF_SIZE]; 1195 char *device; 1196 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1197 const char *endp; 1198 char *host_url; 1199 #endif 1200 int status; 1201 1202 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1203 /* 1204 * Search for a colon, terminating any scheme at the beginning 1205 * of the URL. 1206 */ 1207 endp = strchr(url, ':'); 1208 if (endp != NULL) { 1209 /* 1210 * We found it. Is it followed by "//"? 1211 */ 1212 endp++; /* skip the : */ 1213 if (strncmp(endp, "//", 2) == 0) { 1214 /* 1215 * Yes. Search for the next /, at the end of the 1216 * authority part of the URL. 1217 */ 1218 endp += 2; /* skip the // */ 1219 endp = strchr(endp, '/'); 1220 } else 1221 endp = NULL; 1222 } 1223 if (endp != NULL) { 1224 /* 1225 * OK, everything from device to endp is a URL to hand 1226 * to pcap_findalldevs_ex(). 1227 */ 1228 endp++; /* Include the trailing / in the URL; pcap_findalldevs_ex() requires it */ 1229 host_url = malloc(endp - url + 1); 1230 if (host_url == NULL && (endp - url + 1) > 0) 1231 error("Invalid allocation for host"); 1232 1233 memcpy(host_url, url, endp - url); 1234 host_url[endp - url] = '\0'; 1235 status = pcap_findalldevs_ex(host_url, NULL, &devlist, ebuf); 1236 free(host_url); 1237 } else 1238 #endif 1239 status = pcap_findalldevs(&devlist, ebuf); 1240 if (status < 0) 1241 error("%s", ebuf); 1242 /* 1243 * Look for the devnum-th entry in the list of devices (1-based). 1244 */ 1245 for (i = 0, dev = devlist; i < devnum-1 && dev != NULL; 1246 i++, dev = dev->next) 1247 ; 1248 if (dev == NULL) 1249 error("Invalid adapter index"); 1250 device = strdup(dev->name); 1251 pcap_freealldevs(devlist); 1252 return (device); 1253 } 1254 #endif 1255 1256 #ifdef HAVE_PCAP_OPEN 1257 /* 1258 * Prefixes for rpcap URLs. 1259 */ 1260 static char rpcap_prefix[] = "rpcap://"; 1261 static char rpcap_ssl_prefix[] = "rpcaps://"; 1262 #endif 1263 1264 static pcap_t * 1265 open_interface(const char *device, netdissect_options *ndo, char *ebuf) 1266 { 1267 pcap_t *pc; 1268 #ifdef HAVE_PCAP_CREATE 1269 int status; 1270 char *cp; 1271 #endif 1272 1273 #ifdef HAVE_PCAP_OPEN 1274 /* 1275 * Is this an rpcap URL? 1276 */ 1277 if (strncmp(device, rpcap_prefix, sizeof(rpcap_prefix) - 1) == 0 || 1278 strncmp(device, rpcap_ssl_prefix, sizeof(rpcap_ssl_prefix) - 1) == 0) { 1279 /* 1280 * Yes. Open it with pcap_open(). 1281 */ 1282 *ebuf = '\0'; 1283 pc = pcap_open(device, ndo->ndo_snaplen, 1284 pflag ? 0 : PCAP_OPENFLAG_PROMISCUOUS, timeout, NULL, 1285 ebuf); 1286 if (pc == NULL) { 1287 /* 1288 * If this failed with "No such device" or "The system 1289 * cannot find the device specified", that means 1290 * the interface doesn't exist; return NULL, so that 1291 * the caller can see whether the device name is 1292 * actually an interface index. 1293 */ 1294 if (strstr(ebuf, "No such device") != NULL || 1295 strstr(ebuf, "The system cannot find the device specified") != NULL) 1296 return (NULL); 1297 error("%s", ebuf); 1298 } 1299 if (*ebuf) 1300 warning("%s", ebuf); 1301 return (pc); 1302 } 1303 #endif /* HAVE_PCAP_OPEN */ 1304 1305 #ifdef HAVE_PCAP_CREATE 1306 pc = pcap_create(device, ebuf); 1307 if (pc == NULL) { 1308 /* 1309 * If this failed with "No such device", that means 1310 * the interface doesn't exist; return NULL, so that 1311 * the caller can see whether the device name is 1312 * actually an interface index. 1313 */ 1314 if (strstr(ebuf, "No such device") != NULL) 1315 return (NULL); 1316 error("%s", ebuf); 1317 } 1318 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1319 if (Jflag) 1320 show_tstamp_types_and_exit(pc, device); 1321 #endif 1322 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1323 status = pcap_set_tstamp_precision(pc, ndo->ndo_tstamp_precision); 1324 if (status != 0) 1325 error("%s: Can't set %ssecond time stamp precision: %s", 1326 device, 1327 tstamp_precision_to_string(ndo->ndo_tstamp_precision), 1328 pcap_statustostr(status)); 1329 #endif 1330 1331 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1332 if (immediate_mode) { 1333 status = pcap_set_immediate_mode(pc, 1); 1334 if (status != 0) 1335 error("%s: Can't set immediate mode: %s", 1336 device, pcap_statustostr(status)); 1337 } 1338 #endif 1339 /* 1340 * Is this an interface that supports monitor mode? 1341 */ 1342 if (pcap_can_set_rfmon(pc) == 1) 1343 supports_monitor_mode = 1; 1344 else 1345 supports_monitor_mode = 0; 1346 if (ndo->ndo_snaplen != 0) { 1347 /* 1348 * A snapshot length was explicitly specified; 1349 * use it. 1350 */ 1351 status = pcap_set_snaplen(pc, ndo->ndo_snaplen); 1352 if (status != 0) 1353 error("%s: Can't set snapshot length: %s", 1354 device, pcap_statustostr(status)); 1355 } 1356 status = pcap_set_promisc(pc, !pflag); 1357 if (status != 0) 1358 error("%s: Can't set promiscuous mode: %s", 1359 device, pcap_statustostr(status)); 1360 if (Iflag) { 1361 status = pcap_set_rfmon(pc, 1); 1362 if (status != 0) 1363 error("%s: Can't set monitor mode: %s", 1364 device, pcap_statustostr(status)); 1365 } 1366 status = pcap_set_timeout(pc, timeout); 1367 if (status != 0) 1368 error("%s: pcap_set_timeout failed: %s", 1369 device, pcap_statustostr(status)); 1370 if (Bflag != 0) { 1371 status = pcap_set_buffer_size(pc, Bflag); 1372 if (status != 0) 1373 error("%s: Can't set buffer size: %s", 1374 device, pcap_statustostr(status)); 1375 } 1376 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1377 if (jflag != -1) { 1378 status = pcap_set_tstamp_type(pc, jflag); 1379 if (status < 0) 1380 error("%s: Can't set time stamp type: %s", 1381 device, pcap_statustostr(status)); 1382 else if (status > 0) 1383 warning("When trying to set timestamp type '%s' on %s: %s", 1384 pcap_tstamp_type_val_to_name(jflag), device, 1385 pcap_statustostr(status)); 1386 } 1387 #endif 1388 status = pcap_activate(pc); 1389 if (status < 0) { 1390 /* 1391 * pcap_activate() failed. 1392 */ 1393 cp = pcap_geterr(pc); 1394 if (status == PCAP_ERROR) 1395 error("%s", cp); 1396 else if (status == PCAP_ERROR_NO_SUCH_DEVICE) { 1397 /* 1398 * Return an error for our caller to handle. 1399 */ 1400 snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s\n(%s)", 1401 device, pcap_statustostr(status), cp); 1402 } else if (status == PCAP_ERROR_PERM_DENIED && *cp != '\0') 1403 error("%s: %s\n(%s)", device, 1404 pcap_statustostr(status), cp); 1405 #ifdef __FreeBSD__ 1406 else if (status == PCAP_ERROR_RFMON_NOTSUP && 1407 strncmp(device, "wlan", 4) == 0) { 1408 char parent[8], newdev[8]; 1409 char sysctl[32]; 1410 size_t s = sizeof(parent); 1411 1412 snprintf(sysctl, sizeof(sysctl), 1413 "net.wlan.%d.%%parent", atoi(device + 4)); 1414 sysctlbyname(sysctl, parent, &s, NULL, 0); 1415 strlcpy(newdev, device, sizeof(newdev)); 1416 /* Suggest a new wlan device. */ 1417 /* FIXME: incrementing the index this way is not going to work well 1418 * when the index is 9 or greater but the only consequence in this 1419 * specific case would be an error message that looks a bit odd. 1420 */ 1421 newdev[strlen(newdev)-1]++; 1422 error("%s is not a monitor mode VAP\n" 1423 "To create a new monitor mode VAP use:\n" 1424 " ifconfig %s create wlandev %s wlanmode monitor\n" 1425 "and use %s as the tcpdump interface", 1426 device, newdev, parent, newdev); 1427 } 1428 #endif 1429 else 1430 error("%s: %s", device, 1431 pcap_statustostr(status)); 1432 pcap_close(pc); 1433 return (NULL); 1434 } else if (status > 0) { 1435 /* 1436 * pcap_activate() succeeded, but it's warning us 1437 * of a problem it had. 1438 */ 1439 cp = pcap_geterr(pc); 1440 if (status == PCAP_WARNING) 1441 warning("%s", cp); 1442 else if (status == PCAP_WARNING_PROMISC_NOTSUP && 1443 *cp != '\0') 1444 warning("%s: %s\n(%s)", device, 1445 pcap_statustostr(status), cp); 1446 else 1447 warning("%s: %s", device, 1448 pcap_statustostr(status)); 1449 } 1450 #ifdef HAVE_PCAP_SETDIRECTION 1451 if (Qflag != -1) { 1452 status = pcap_setdirection(pc, Qflag); 1453 if (status != 0) 1454 error("%s: pcap_setdirection() failed: %s", 1455 device, pcap_geterr(pc)); 1456 } 1457 #endif /* HAVE_PCAP_SETDIRECTION */ 1458 #else /* HAVE_PCAP_CREATE */ 1459 *ebuf = '\0'; 1460 /* 1461 * If no snapshot length was specified, or a length of 0 was 1462 * specified, default to 256KB. 1463 */ 1464 if (ndo->ndo_snaplen == 0) 1465 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 1466 pc = pcap_open_live(device, ndo->ndo_snaplen, !pflag, timeout, ebuf); 1467 if (pc == NULL) { 1468 /* 1469 * If this failed with "No such device", that means 1470 * the interface doesn't exist; return NULL, so that 1471 * the caller can see whether the device name is 1472 * actually an interface index. 1473 */ 1474 if (strstr(ebuf, "No such device") != NULL) 1475 return (NULL); 1476 error("%s", ebuf); 1477 } 1478 if (*ebuf) 1479 warning("%s", ebuf); 1480 #endif /* HAVE_PCAP_CREATE */ 1481 1482 return (pc); 1483 } 1484 1485 int 1486 main(int argc, char **argv) 1487 { 1488 int cnt, op, i; 1489 bpf_u_int32 localnet = 0, netmask = 0; 1490 char *cp, *infile, *cmdbuf, *device, *RFileName, *VFileName, *WFileName; 1491 char *endp; 1492 pcap_handler callback; 1493 int dlt; 1494 const char *dlt_name; 1495 struct bpf_program fcode; 1496 #ifndef _WIN32 1497 void (*oldhandler)(int); 1498 #endif 1499 struct dump_info dumpinfo; 1500 u_char *pcap_userdata; 1501 char ebuf[PCAP_ERRBUF_SIZE]; 1502 char VFileLine[PATH_MAX + 1]; 1503 const char *username = NULL; 1504 #ifndef _WIN32 1505 const char *chroot_dir = NULL; 1506 #endif 1507 char *ret = NULL; 1508 char *end; 1509 #ifdef HAVE_PCAP_FINDALLDEVS 1510 pcap_if_t *devlist; 1511 long devnum; 1512 #endif 1513 int status; 1514 FILE *VFile; 1515 #ifdef HAVE_CAPSICUM 1516 cap_rights_t rights; 1517 int cansandbox; 1518 #endif /* HAVE_CAPSICUM */ 1519 int Oflag = 1; /* run filter code optimizer */ 1520 int yflag_dlt = -1; 1521 const char *yflag_dlt_name = NULL; 1522 int print = 0; 1523 1524 netdissect_options Ndo; 1525 netdissect_options *ndo = &Ndo; 1526 1527 /* 1528 * Initialize the netdissect code. 1529 */ 1530 if (nd_init(ebuf, sizeof(ebuf)) == -1) 1531 error("%s", ebuf); 1532 1533 memset(ndo, 0, sizeof(*ndo)); 1534 ndo_set_function_pointers(ndo); 1535 1536 cnt = -1; 1537 device = NULL; 1538 infile = NULL; 1539 RFileName = NULL; 1540 VFileName = NULL; 1541 VFile = NULL; 1542 WFileName = NULL; 1543 dlt = -1; 1544 if ((cp = strrchr(argv[0], PATH_SEPARATOR)) != NULL) 1545 ndo->program_name = program_name = cp + 1; 1546 else 1547 ndo->program_name = program_name = argv[0]; 1548 1549 #if defined(HAVE_PCAP_WSOCKINIT) 1550 if (pcap_wsockinit() != 0) 1551 error("Attempting to initialize Winsock failed"); 1552 #elif defined(HAVE_WSOCKINIT) 1553 if (wsockinit() != 0) 1554 error("Attempting to initialize Winsock failed"); 1555 #endif 1556 1557 /* 1558 * On platforms where the CPU doesn't support unaligned loads, 1559 * force unaligned accesses to abort with SIGBUS, rather than 1560 * being fixed up (slowly) by the OS kernel; on those platforms, 1561 * misaligned accesses are bugs, and we want tcpdump to crash so 1562 * that the bugs are reported. 1563 */ 1564 if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0) 1565 error("%s", ebuf); 1566 1567 while ( 1568 (op = getopt_long(argc, argv, SHORTOPTS, longopts, NULL)) != -1) 1569 switch (op) { 1570 1571 case 'a': 1572 /* compatibility for old -a */ 1573 break; 1574 1575 case 'A': 1576 ++ndo->ndo_Aflag; 1577 break; 1578 1579 case 'b': 1580 ++ndo->ndo_bflag; 1581 break; 1582 1583 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 1584 case 'B': 1585 Bflag = atoi(optarg)*1024; 1586 if (Bflag <= 0) 1587 error("invalid packet buffer size %s", optarg); 1588 break; 1589 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 1590 1591 case 'c': 1592 cnt = atoi(optarg); 1593 if (cnt <= 0) 1594 error("invalid packet count %s", optarg); 1595 break; 1596 1597 case 'C': 1598 errno = 0; 1599 #ifdef HAVE_PCAP_DUMP_FTELL64 1600 Cflag = strtoint64_t(optarg, &endp, 10); 1601 #else 1602 Cflag = strtol(optarg, &endp, 10); 1603 #endif 1604 if (endp == optarg || *endp != '\0' || errno != 0 1605 || Cflag <= 0) 1606 error("invalid file size %s", optarg); 1607 /* 1608 * Will multiplying it by 1000000 overflow? 1609 */ 1610 #ifdef HAVE_PCAP_DUMP_FTELL64 1611 if (Cflag > INT64_T_CONSTANT(0x7fffffffffffffff) / 1000000) 1612 #else 1613 if (Cflag > LONG_MAX / 1000000) 1614 #endif 1615 error("file size %s is too large", optarg); 1616 Cflag *= 1000000; 1617 break; 1618 1619 case 'd': 1620 ++dflag; 1621 break; 1622 1623 #ifdef HAVE_PCAP_FINDALLDEVS 1624 case 'D': 1625 Dflag++; 1626 break; 1627 #endif 1628 1629 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1630 case OPTION_LIST_REMOTE_INTERFACES: 1631 remote_interfaces_source = optarg; 1632 break; 1633 #endif 1634 1635 case 'L': 1636 Lflag++; 1637 break; 1638 1639 case 'e': 1640 ++ndo->ndo_eflag; 1641 break; 1642 1643 case 'E': 1644 #ifndef HAVE_LIBCRYPTO 1645 warning("crypto code not compiled in"); 1646 #endif 1647 ndo->ndo_espsecret = optarg; 1648 break; 1649 1650 case 'f': 1651 ++ndo->ndo_fflag; 1652 break; 1653 1654 case 'F': 1655 infile = optarg; 1656 break; 1657 1658 case 'G': 1659 Gflag = atoi(optarg); 1660 if (Gflag < 0) 1661 error("invalid number of seconds %s", optarg); 1662 1663 /* We will create one file initially. */ 1664 Gflag_count = 0; 1665 1666 /* Grab the current time for rotation use. */ 1667 if ((Gflag_time = time(NULL)) == (time_t)-1) { 1668 error("%s: can't get current time: %s", 1669 __func__, pcap_strerror(errno)); 1670 } 1671 break; 1672 1673 case 'h': 1674 print_usage(stdout); 1675 exit_tcpdump(S_SUCCESS); 1676 break; 1677 1678 case 'H': 1679 ++ndo->ndo_Hflag; 1680 break; 1681 1682 case 'i': 1683 device = optarg; 1684 break; 1685 1686 #ifdef HAVE_PCAP_CREATE 1687 case 'I': 1688 ++Iflag; 1689 break; 1690 #endif /* HAVE_PCAP_CREATE */ 1691 1692 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1693 case 'j': 1694 jflag = pcap_tstamp_type_name_to_val(optarg); 1695 if (jflag < 0) 1696 error("invalid time stamp type %s", optarg); 1697 break; 1698 1699 case 'J': 1700 Jflag++; 1701 break; 1702 #endif 1703 1704 case 'l': 1705 #ifdef _WIN32 1706 /* 1707 * _IOLBF is the same as _IOFBF in Microsoft's C 1708 * libraries; the only alternative they offer 1709 * is _IONBF. 1710 * 1711 * XXX - this should really be checking for MSVC++, 1712 * not _WIN32, if, for example, MinGW has its own 1713 * C library that is more UNIX-compatible. 1714 */ 1715 setvbuf(stdout, NULL, _IONBF, 0); 1716 #else /* _WIN32 */ 1717 #ifdef HAVE_SETLINEBUF 1718 setlinebuf(stdout); 1719 #else 1720 setvbuf(stdout, NULL, _IOLBF, 0); 1721 #endif 1722 #endif /* _WIN32 */ 1723 lflag = 1; 1724 break; 1725 1726 case 'K': 1727 ++ndo->ndo_Kflag; 1728 break; 1729 1730 case 'm': 1731 if (nd_have_smi_support()) { 1732 if (nd_load_smi_module(optarg, ebuf, sizeof(ebuf)) == -1) 1733 error("%s", ebuf); 1734 } else { 1735 (void)fprintf(stderr, "%s: ignoring option `-m %s' ", 1736 program_name, optarg); 1737 (void)fprintf(stderr, "(no libsmi support)\n"); 1738 } 1739 break; 1740 1741 case 'M': 1742 /* TCP-MD5 shared secret */ 1743 #ifndef HAVE_LIBCRYPTO 1744 warning("crypto code not compiled in"); 1745 #endif 1746 ndo->ndo_sigsecret = optarg; 1747 break; 1748 1749 case 'n': 1750 ++ndo->ndo_nflag; 1751 break; 1752 1753 case 'N': 1754 ++ndo->ndo_Nflag; 1755 break; 1756 1757 case 'O': 1758 Oflag = 0; 1759 break; 1760 1761 case 'p': 1762 ++pflag; 1763 break; 1764 1765 case 'q': 1766 ++ndo->ndo_qflag; 1767 ++ndo->ndo_suppress_default_print; 1768 break; 1769 1770 #ifdef HAVE_PCAP_SETDIRECTION 1771 case 'Q': 1772 if (ascii_strcasecmp(optarg, "in") == 0) 1773 Qflag = PCAP_D_IN; 1774 else if (ascii_strcasecmp(optarg, "out") == 0) 1775 Qflag = PCAP_D_OUT; 1776 else if (ascii_strcasecmp(optarg, "inout") == 0) 1777 Qflag = PCAP_D_INOUT; 1778 else 1779 error("unknown capture direction `%s'", optarg); 1780 break; 1781 #endif /* HAVE_PCAP_SETDIRECTION */ 1782 1783 case 'r': 1784 RFileName = optarg; 1785 break; 1786 1787 case 's': 1788 ndo->ndo_snaplen = (int)strtol(optarg, &end, 0); 1789 if (optarg == end || *end != '\0' 1790 || ndo->ndo_snaplen < 0 || ndo->ndo_snaplen > MAXIMUM_SNAPLEN) 1791 error("invalid snaplen %s (must be >= 0 and <= %d)", 1792 optarg, MAXIMUM_SNAPLEN); 1793 break; 1794 1795 case 'S': 1796 ++ndo->ndo_Sflag; 1797 break; 1798 1799 case 't': 1800 ++ndo->ndo_tflag; 1801 break; 1802 1803 case 'T': 1804 if (ascii_strcasecmp(optarg, "vat") == 0) 1805 ndo->ndo_packettype = PT_VAT; 1806 else if (ascii_strcasecmp(optarg, "wb") == 0) 1807 ndo->ndo_packettype = PT_WB; 1808 else if (ascii_strcasecmp(optarg, "rpc") == 0) 1809 ndo->ndo_packettype = PT_RPC; 1810 else if (ascii_strcasecmp(optarg, "rtp") == 0) 1811 ndo->ndo_packettype = PT_RTP; 1812 else if (ascii_strcasecmp(optarg, "rtcp") == 0) 1813 ndo->ndo_packettype = PT_RTCP; 1814 else if (ascii_strcasecmp(optarg, "snmp") == 0) 1815 ndo->ndo_packettype = PT_SNMP; 1816 else if (ascii_strcasecmp(optarg, "cnfp") == 0) 1817 ndo->ndo_packettype = PT_CNFP; 1818 else if (ascii_strcasecmp(optarg, "tftp") == 0) 1819 ndo->ndo_packettype = PT_TFTP; 1820 else if (ascii_strcasecmp(optarg, "aodv") == 0) 1821 ndo->ndo_packettype = PT_AODV; 1822 else if (ascii_strcasecmp(optarg, "carp") == 0) 1823 ndo->ndo_packettype = PT_CARP; 1824 else if (ascii_strcasecmp(optarg, "radius") == 0) 1825 ndo->ndo_packettype = PT_RADIUS; 1826 else if (ascii_strcasecmp(optarg, "zmtp1") == 0) 1827 ndo->ndo_packettype = PT_ZMTP1; 1828 else if (ascii_strcasecmp(optarg, "vxlan") == 0) 1829 ndo->ndo_packettype = PT_VXLAN; 1830 else if (ascii_strcasecmp(optarg, "pgm") == 0) 1831 ndo->ndo_packettype = PT_PGM; 1832 else if (ascii_strcasecmp(optarg, "pgm_zmtp1") == 0) 1833 ndo->ndo_packettype = PT_PGM_ZMTP1; 1834 else if (ascii_strcasecmp(optarg, "lmp") == 0) 1835 ndo->ndo_packettype = PT_LMP; 1836 else if (ascii_strcasecmp(optarg, "resp") == 0) 1837 ndo->ndo_packettype = PT_RESP; 1838 else if (ascii_strcasecmp(optarg, "ptp") == 0) 1839 ndo->ndo_packettype = PT_PTP; 1840 else if (ascii_strcasecmp(optarg, "someip") == 0) 1841 ndo->ndo_packettype = PT_SOMEIP; 1842 else if (ascii_strcasecmp(optarg, "domain") == 0) 1843 ndo->ndo_packettype = PT_DOMAIN; 1844 else 1845 error("unknown packet type `%s'", optarg); 1846 break; 1847 1848 case 'u': 1849 ++ndo->ndo_uflag; 1850 break; 1851 1852 #ifdef HAVE_PCAP_DUMP_FLUSH 1853 case 'U': 1854 ++Uflag; 1855 break; 1856 #endif 1857 1858 case 'v': 1859 ++ndo->ndo_vflag; 1860 break; 1861 1862 case 'V': 1863 VFileName = optarg; 1864 break; 1865 1866 case 'w': 1867 WFileName = optarg; 1868 break; 1869 1870 case 'W': 1871 Wflag = atoi(optarg); 1872 if (Wflag <= 0) 1873 error("invalid number of output files %s", optarg); 1874 WflagChars = getWflagChars(Wflag); 1875 break; 1876 1877 case 'x': 1878 ++ndo->ndo_xflag; 1879 ++ndo->ndo_suppress_default_print; 1880 break; 1881 1882 case 'X': 1883 ++ndo->ndo_Xflag; 1884 ++ndo->ndo_suppress_default_print; 1885 break; 1886 1887 case 'y': 1888 yflag_dlt_name = optarg; 1889 yflag_dlt = 1890 pcap_datalink_name_to_val(yflag_dlt_name); 1891 if (yflag_dlt < 0) 1892 error("invalid data link type %s", yflag_dlt_name); 1893 break; 1894 1895 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 1896 case 'Y': 1897 { 1898 /* Undocumented flag */ 1899 pcap_set_parser_debug(1); 1900 } 1901 break; 1902 #endif 1903 case 'z': 1904 zflag = optarg; 1905 break; 1906 1907 case 'Z': 1908 username = optarg; 1909 break; 1910 1911 case '#': 1912 ndo->ndo_packet_number = 1; 1913 break; 1914 1915 case OPTION_VERSION: 1916 print_version(stdout); 1917 exit_tcpdump(S_SUCCESS); 1918 break; 1919 1920 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1921 case OPTION_TSTAMP_PRECISION: 1922 ndo->ndo_tstamp_precision = tstamp_precision_from_string(optarg); 1923 if (ndo->ndo_tstamp_precision < 0) 1924 error("unsupported time stamp precision"); 1925 break; 1926 #endif 1927 1928 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1929 case OPTION_IMMEDIATE_MODE: 1930 immediate_mode = 1; 1931 break; 1932 #endif 1933 1934 case OPTION_PRINT: 1935 print = 1; 1936 break; 1937 1938 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1939 case OPTION_TSTAMP_MICRO: 1940 ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO; 1941 break; 1942 1943 case OPTION_TSTAMP_NANO: 1944 ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_NANO; 1945 break; 1946 #endif 1947 1948 case OPTION_FP_TYPE: 1949 /* 1950 * Print out the type of floating-point arithmetic 1951 * we're doing; it's probably IEEE, unless somebody 1952 * tries to run this on a VAX, but the precision 1953 * may differ (e.g., it might be 32-bit, 64-bit, 1954 * or 80-bit). 1955 */ 1956 float_type_check(0x4e93312d); 1957 return 0; 1958 1959 case OPTION_COUNT: 1960 count_mode = 1; 1961 break; 1962 1963 default: 1964 print_usage(stderr); 1965 exit_tcpdump(S_ERR_HOST_PROGRAM); 1966 /* NOTREACHED */ 1967 } 1968 1969 #ifdef HAVE_PCAP_FINDALLDEVS 1970 if (Dflag) 1971 show_devices_and_exit(); 1972 #endif 1973 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1974 if (remote_interfaces_source != NULL) 1975 show_remote_devices_and_exit(); 1976 #endif 1977 1978 #if defined(DLT_LINUX_SLL2) && defined(HAVE_PCAP_SET_DATALINK) 1979 /* Set default linktype DLT_LINUX_SLL2 when capturing on the "any" device */ 1980 if (device != NULL && 1981 strncmp (device, "any", strlen("any")) == 0 1982 && yflag_dlt == -1) 1983 yflag_dlt = DLT_LINUX_SLL2; 1984 #endif 1985 1986 switch (ndo->ndo_tflag) { 1987 1988 case 0: /* Default */ 1989 case 1: /* No time stamp */ 1990 case 2: /* Unix timeval style */ 1991 case 3: /* Microseconds/nanoseconds since previous packet */ 1992 case 4: /* Date + Default */ 1993 case 5: /* Microseconds/nanoseconds since first packet */ 1994 break; 1995 1996 default: /* Not supported */ 1997 error("only -t, -tt, -ttt, -tttt and -ttttt are supported"); 1998 break; 1999 } 2000 2001 if (ndo->ndo_fflag != 0 && (VFileName != NULL || RFileName != NULL)) 2002 error("-f can not be used with -V or -r"); 2003 2004 if (VFileName != NULL && RFileName != NULL) 2005 error("-V and -r are mutually exclusive."); 2006 2007 /* 2008 * If we're printing dissected packets to the standard output, 2009 * and either the standard output is a terminal or we're doing 2010 * "line" buffering, set the capture timeout to .1 second rather 2011 * than 1 second, as the user's probably expecting to see packets 2012 * pop up immediately shortly after they arrive. 2013 * 2014 * XXX - would there be some value appropriate for all cases, 2015 * based on, say, the buffer size and packet input rate? 2016 */ 2017 if ((WFileName == NULL || print) && (isatty(1) || lflag)) 2018 timeout = 100; 2019 2020 #ifdef WITH_CHROOT 2021 /* if run as root, prepare for chrooting */ 2022 if (getuid() == 0 || geteuid() == 0) { 2023 /* future extensibility for cmd-line arguments */ 2024 if (!chroot_dir) 2025 chroot_dir = WITH_CHROOT; 2026 } 2027 #endif 2028 2029 #ifdef WITH_USER 2030 /* if run as root, prepare for dropping root privileges */ 2031 if (getuid() == 0 || geteuid() == 0) { 2032 /* Run with '-Z root' to restore old behaviour */ 2033 if (!username) 2034 username = WITH_USER; 2035 } 2036 #endif 2037 2038 if (RFileName != NULL || VFileName != NULL) { 2039 /* 2040 * If RFileName is non-null, it's the pathname of a 2041 * savefile to read. If VFileName is non-null, it's 2042 * the pathname of a file containing a list of pathnames 2043 * (one per line) of savefiles to read. 2044 * 2045 * In either case, we're reading a savefile, not doing 2046 * a live capture. 2047 */ 2048 #ifndef _WIN32 2049 /* 2050 * We don't need network access, so relinquish any set-UID 2051 * or set-GID privileges we have (if any). 2052 * 2053 * We do *not* want set-UID privileges when opening a 2054 * trace file, as that might let the user read other 2055 * people's trace files (especially if we're set-UID 2056 * root). 2057 */ 2058 if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ) 2059 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 2060 #endif /* _WIN32 */ 2061 if (VFileName != NULL) { 2062 if (VFileName[0] == '-' && VFileName[1] == '\0') 2063 VFile = stdin; 2064 else 2065 VFile = fopen(VFileName, "r"); 2066 2067 if (VFile == NULL) 2068 error("Unable to open file: %s\n", pcap_strerror(errno)); 2069 2070 ret = get_next_file(VFile, VFileLine); 2071 if (!ret) 2072 error("Nothing in %s\n", VFileName); 2073 RFileName = VFileLine; 2074 } 2075 2076 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 2077 pd = pcap_open_offline_with_tstamp_precision(RFileName, 2078 ndo->ndo_tstamp_precision, ebuf); 2079 #else 2080 pd = pcap_open_offline(RFileName, ebuf); 2081 #endif 2082 2083 if (pd == NULL) 2084 error("%s", ebuf); 2085 #ifdef HAVE_CAPSICUM 2086 cap_rights_init(&rights, CAP_READ); 2087 if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 && 2088 errno != ENOSYS) { 2089 error("unable to limit pcap descriptor"); 2090 } 2091 #endif 2092 dlt = pcap_datalink(pd); 2093 dlt_name = pcap_datalink_val_to_name(dlt); 2094 fprintf(stderr, "reading from file %s", RFileName); 2095 if (dlt_name == NULL) { 2096 fprintf(stderr, ", link-type %u", dlt); 2097 } else { 2098 fprintf(stderr, ", link-type %s (%s)", dlt_name, 2099 pcap_datalink_val_to_description(dlt)); 2100 } 2101 fprintf(stderr, ", snapshot length %d\n", pcap_snapshot(pd)); 2102 #ifdef DLT_LINUX_SLL2 2103 if (dlt == DLT_LINUX_SLL2) 2104 fprintf(stderr, "Warning: interface names might be incorrect\n"); 2105 #endif 2106 } else if (dflag && !device) { 2107 int dump_dlt = DLT_EN10MB; 2108 /* 2109 * We're dumping the compiled code without an explicit 2110 * device specification. (If a device is specified, we 2111 * definitely want to open it to use the DLT of that device.) 2112 * Either default to DLT_EN10MB with a warning, or use 2113 * the user-specified value if supplied. 2114 */ 2115 /* 2116 * If no snapshot length was specified, or a length of 0 was 2117 * specified, default to 256KB. 2118 */ 2119 if (ndo->ndo_snaplen == 0) 2120 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 2121 /* 2122 * If a DLT was specified with the -y flag, use that instead. 2123 */ 2124 if (yflag_dlt != -1) 2125 dump_dlt = yflag_dlt; 2126 else 2127 fprintf(stderr, "Warning: assuming Ethernet\n"); 2128 pd = pcap_open_dead(dump_dlt, ndo->ndo_snaplen); 2129 } else { 2130 /* 2131 * We're doing a live capture. 2132 */ 2133 if (device == NULL) { 2134 /* 2135 * No interface was specified. Pick one. 2136 */ 2137 #ifdef HAVE_PCAP_FINDALLDEVS 2138 /* 2139 * Find the list of interfaces, and pick 2140 * the first interface. 2141 */ 2142 if (pcap_findalldevs(&devlist, ebuf) == -1) 2143 error("%s", ebuf); 2144 if (devlist == NULL) 2145 error("no interfaces available for capture"); 2146 device = strdup(devlist->name); 2147 pcap_freealldevs(devlist); 2148 #else /* HAVE_PCAP_FINDALLDEVS */ 2149 /* 2150 * Use whatever interface pcap_lookupdev() 2151 * chooses. 2152 */ 2153 device = pcap_lookupdev(ebuf); 2154 if (device == NULL) 2155 error("%s", ebuf); 2156 #endif 2157 } 2158 2159 /* 2160 * Try to open the interface with the specified name. 2161 */ 2162 pd = open_interface(device, ndo, ebuf); 2163 if (pd == NULL) { 2164 /* 2165 * That failed. If we can get a list of 2166 * interfaces, and the interface name 2167 * is purely numeric, try to use it as 2168 * a 1-based index in the list of 2169 * interfaces. 2170 */ 2171 #ifdef HAVE_PCAP_FINDALLDEVS 2172 devnum = parse_interface_number(device); 2173 if (devnum == -1) { 2174 /* 2175 * It's not a number; just report 2176 * the open error and fail. 2177 */ 2178 error("%s", ebuf); 2179 } 2180 2181 /* 2182 * OK, it's a number; try to find the 2183 * interface with that index, and try 2184 * to open it. 2185 * 2186 * find_interface_by_number() exits if it 2187 * couldn't be found. 2188 */ 2189 device = find_interface_by_number(device, devnum); 2190 pd = open_interface(device, ndo, ebuf); 2191 if (pd == NULL) 2192 error("%s", ebuf); 2193 #else /* HAVE_PCAP_FINDALLDEVS */ 2194 /* 2195 * We can't get a list of interfaces; just 2196 * fail. 2197 */ 2198 error("%s", ebuf); 2199 #endif /* HAVE_PCAP_FINDALLDEVS */ 2200 } 2201 2202 /* 2203 * Let user own process after capture device has 2204 * been opened. 2205 */ 2206 #ifndef _WIN32 2207 if (setgid(getgid()) != 0 || setuid(getuid()) != 0) 2208 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 2209 #endif /* _WIN32 */ 2210 #if !defined(HAVE_PCAP_CREATE) && defined(_WIN32) 2211 if(Bflag != 0) 2212 if(pcap_setbuff(pd, Bflag)==-1){ 2213 error("%s", pcap_geterr(pd)); 2214 } 2215 #endif /* !defined(HAVE_PCAP_CREATE) && defined(_WIN32) */ 2216 if (Lflag) 2217 show_dlts_and_exit(pd, device); 2218 if (yflag_dlt >= 0) { 2219 #ifdef HAVE_PCAP_SET_DATALINK 2220 if (pcap_set_datalink(pd, yflag_dlt) < 0) 2221 error("%s", pcap_geterr(pd)); 2222 #else 2223 /* 2224 * We don't actually support changing the 2225 * data link type, so we only let them 2226 * set it to what it already is. 2227 */ 2228 if (yflag_dlt != pcap_datalink(pd)) { 2229 error("%s is not one of the DLTs supported by this device\n", 2230 yflag_dlt_name); 2231 } 2232 #endif 2233 (void)fprintf(stderr, "%s: data link type %s\n", 2234 program_name, 2235 pcap_datalink_val_to_name(yflag_dlt)); 2236 (void)fflush(stderr); 2237 } 2238 i = pcap_snapshot(pd); 2239 if (ndo->ndo_snaplen < i) { 2240 if (ndo->ndo_snaplen != 0) 2241 warning("snaplen raised from %d to %d", ndo->ndo_snaplen, i); 2242 ndo->ndo_snaplen = i; 2243 } else if (ndo->ndo_snaplen > i) { 2244 warning("snaplen lowered from %d to %d", ndo->ndo_snaplen, i); 2245 ndo->ndo_snaplen = i; 2246 } 2247 if(ndo->ndo_fflag != 0) { 2248 if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) { 2249 warning("foreign (-f) flag used but: %s", ebuf); 2250 } 2251 } 2252 2253 } 2254 if (infile) 2255 cmdbuf = read_infile(infile); 2256 else 2257 cmdbuf = copy_argv(&argv[optind]); 2258 2259 #ifdef HAVE_PCAP_SET_OPTIMIZER_DEBUG 2260 pcap_set_optimizer_debug(dflag); 2261 #endif 2262 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2263 error("%s", pcap_geterr(pd)); 2264 if (dflag) { 2265 bpf_dump(&fcode, dflag); 2266 pcap_close(pd); 2267 free(cmdbuf); 2268 pcap_freecode(&fcode); 2269 exit_tcpdump(S_SUCCESS); 2270 } 2271 2272 #ifdef HAVE_CASPER 2273 if (!ndo->ndo_nflag) 2274 capdns = capdns_setup(); 2275 #endif /* HAVE_CASPER */ 2276 2277 init_print(ndo, localnet, netmask); 2278 2279 #ifndef _WIN32 2280 (void)setsignal(SIGPIPE, cleanup); 2281 (void)setsignal(SIGTERM, cleanup); 2282 #endif /* _WIN32 */ 2283 (void)setsignal(SIGINT, cleanup); 2284 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2285 (void)setsignal(SIGCHLD, child_cleanup); 2286 #endif 2287 /* Cooperate with nohup(1) */ 2288 #ifndef _WIN32 2289 if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL) 2290 (void)setsignal(SIGHUP, oldhandler); 2291 #endif /* _WIN32 */ 2292 2293 #ifndef _WIN32 2294 /* 2295 * If a user name was specified with "-Z", attempt to switch to 2296 * that user's UID. This would probably be used with sudo, 2297 * to allow tcpdump to be run in a special restricted 2298 * account (if you just want to allow users to open capture 2299 * devices, and can't just give users that permission, 2300 * you'd make tcpdump set-UID or set-GID). 2301 * 2302 * Tcpdump doesn't necessarily write only to one savefile; 2303 * the general only way to allow a -Z instance to write to 2304 * savefiles as the user under whose UID it's run, rather 2305 * than as the user specified with -Z, would thus be to switch 2306 * to the original user ID before opening a capture file and 2307 * then switch back to the -Z user ID after opening the savefile. 2308 * Switching to the -Z user ID only after opening the first 2309 * savefile doesn't handle the general case. 2310 */ 2311 2312 if (getuid() == 0 || geteuid() == 0) { 2313 #ifdef HAVE_LIBCAP_NG 2314 /* Initialize capng */ 2315 capng_clear(CAPNG_SELECT_BOTH); 2316 if (username) { 2317 DIAG_OFF_ASSIGN_ENUM 2318 capng_updatev( 2319 CAPNG_ADD, 2320 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2321 CAP_SETUID, 2322 CAP_SETGID, 2323 -1); 2324 DIAG_ON_ASSIGN_ENUM 2325 } 2326 if (chroot_dir) { 2327 DIAG_OFF_ASSIGN_ENUM 2328 capng_update( 2329 CAPNG_ADD, 2330 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2331 CAP_SYS_CHROOT 2332 ); 2333 DIAG_ON_ASSIGN_ENUM 2334 } 2335 2336 if (WFileName) { 2337 DIAG_OFF_ASSIGN_ENUM 2338 capng_update( 2339 CAPNG_ADD, 2340 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2341 CAP_DAC_OVERRIDE 2342 ); 2343 DIAG_ON_ASSIGN_ENUM 2344 } 2345 capng_apply(CAPNG_SELECT_BOTH); 2346 #endif /* HAVE_LIBCAP_NG */ 2347 if (username || chroot_dir) 2348 droproot(username, chroot_dir); 2349 2350 } 2351 #endif /* _WIN32 */ 2352 2353 if (pcap_setfilter(pd, &fcode) < 0) 2354 error("%s", pcap_geterr(pd)); 2355 #ifdef HAVE_CAPSICUM 2356 if (RFileName == NULL && VFileName == NULL && pcap_fileno(pd) != -1) { 2357 static const unsigned long cmds[] = { BIOCGSTATS, BIOCROTZBUF }; 2358 2359 /* 2360 * The various libpcap devices use a combination of 2361 * read (bpf), ioctl (bpf, netmap), poll (netmap) 2362 * so we add the relevant access rights. 2363 */ 2364 cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT); 2365 if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 && 2366 errno != ENOSYS) { 2367 error("unable to limit pcap descriptor"); 2368 } 2369 if (cap_ioctls_limit(pcap_fileno(pd), cmds, 2370 sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) { 2371 error("unable to limit ioctls on pcap descriptor"); 2372 } 2373 } 2374 #endif 2375 if (WFileName) { 2376 /* Do not exceed the default PATH_MAX for files. */ 2377 dumpinfo.CurrentFileName = (char *)malloc(PATH_MAX + 1); 2378 2379 if (dumpinfo.CurrentFileName == NULL) 2380 error("malloc of dumpinfo.CurrentFileName"); 2381 2382 /* We do not need numbering for dumpfiles if Cflag isn't set. */ 2383 if (Cflag != 0) 2384 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars); 2385 else 2386 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0); 2387 2388 pdd = pcap_dump_open(pd, dumpinfo.CurrentFileName); 2389 #ifdef HAVE_LIBCAP_NG 2390 /* Give up CAP_DAC_OVERRIDE capability. 2391 * Only allow it to be restored if the -C or -G flag have been 2392 * set since we may need to create more files later on. 2393 */ 2394 capng_update( 2395 CAPNG_DROP, 2396 (Cflag || Gflag ? 0 : CAPNG_PERMITTED) 2397 | CAPNG_EFFECTIVE, 2398 CAP_DAC_OVERRIDE 2399 ); 2400 capng_apply(CAPNG_SELECT_BOTH); 2401 #endif /* HAVE_LIBCAP_NG */ 2402 if (pdd == NULL) 2403 error("%s", pcap_geterr(pd)); 2404 #ifdef HAVE_CAPSICUM 2405 set_dumper_capsicum_rights(pdd); 2406 #endif 2407 if (Cflag != 0 || Gflag != 0) { 2408 #ifdef HAVE_CAPSICUM 2409 /* 2410 * basename() and dirname() may modify their input buffer 2411 * and they do since FreeBSD 12.0, but they didn't before. 2412 * Hence use the return value only, but always assume the 2413 * input buffer has been modified and would need to be 2414 * reset before the next use. 2415 */ 2416 char *WFileName_copy; 2417 2418 if ((WFileName_copy = strdup(WFileName)) == NULL) { 2419 error("Unable to allocate memory for file %s", 2420 WFileName); 2421 } 2422 DIAG_OFF_C11_EXTENSIONS 2423 dumpinfo.WFileName = strdup(basename(WFileName_copy)); 2424 DIAG_ON_C11_EXTENSIONS 2425 if (dumpinfo.WFileName == NULL) { 2426 error("Unable to allocate memory for file %s", 2427 WFileName); 2428 } 2429 free(WFileName_copy); 2430 2431 if ((WFileName_copy = strdup(WFileName)) == NULL) { 2432 error("Unable to allocate memory for file %s", 2433 WFileName); 2434 } 2435 DIAG_OFF_C11_EXTENSIONS 2436 char *WFileName_dirname = dirname(WFileName_copy); 2437 DIAG_ON_C11_EXTENSIONS 2438 dumpinfo.dirfd = open(WFileName_dirname, 2439 O_DIRECTORY | O_RDONLY); 2440 if (dumpinfo.dirfd < 0) { 2441 error("unable to open directory %s", 2442 WFileName_dirname); 2443 } 2444 free(WFileName_dirname); 2445 free(WFileName_copy); 2446 2447 cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, 2448 CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE); 2449 if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 && 2450 errno != ENOSYS) { 2451 error("unable to limit directory rights"); 2452 } 2453 if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 && 2454 errno != ENOSYS) { 2455 error("unable to limit dump descriptor fcntls"); 2456 } 2457 #else /* !HAVE_CAPSICUM */ 2458 dumpinfo.WFileName = WFileName; 2459 #endif 2460 callback = dump_packet_and_trunc; 2461 dumpinfo.pd = pd; 2462 dumpinfo.pdd = pdd; 2463 pcap_userdata = (u_char *)&dumpinfo; 2464 } else { 2465 callback = dump_packet; 2466 dumpinfo.WFileName = WFileName; 2467 dumpinfo.pd = pd; 2468 dumpinfo.pdd = pdd; 2469 pcap_userdata = (u_char *)&dumpinfo; 2470 } 2471 if (print) { 2472 dlt = pcap_datalink(pd); 2473 ndo->ndo_if_printer = get_if_printer(dlt); 2474 dumpinfo.ndo = ndo; 2475 } else 2476 dumpinfo.ndo = NULL; 2477 2478 #ifdef HAVE_PCAP_DUMP_FLUSH 2479 if (Uflag) 2480 pcap_dump_flush(pdd); 2481 #endif 2482 } else { 2483 dlt = pcap_datalink(pd); 2484 ndo->ndo_if_printer = get_if_printer(dlt); 2485 callback = print_packet; 2486 pcap_userdata = (u_char *)ndo; 2487 } 2488 2489 #ifdef SIGNAL_REQ_INFO 2490 /* 2491 * We can't get statistics when reading from a file rather 2492 * than capturing from a device. 2493 */ 2494 if (RFileName == NULL) 2495 (void)setsignal(SIGNAL_REQ_INFO, requestinfo); 2496 #endif 2497 #ifdef SIGNAL_FLUSH_PCAP 2498 (void)setsignal(SIGNAL_FLUSH_PCAP, flushpcap); 2499 #endif 2500 2501 if (ndo->ndo_vflag > 0 && WFileName && RFileName == NULL && !print) { 2502 /* 2503 * When capturing to a file, if "--print" wasn't specified, 2504 *"-v" means tcpdump should, once per second, 2505 * "v"erbosely report the number of packets captured. 2506 * Except when reading from a file, because -r, -w and -v 2507 * together used to make a corner case, in which pcap_loop() 2508 * errored due to EINTR (see GH #155 for details). 2509 */ 2510 #ifdef _WIN32 2511 /* 2512 * https://blogs.msdn.microsoft.com/oldnewthing/20151230-00/?p=92741 2513 * 2514 * suggests that this dates back to W2K. 2515 * 2516 * I don't know what a "long wait" is, but we'll assume 2517 * that printing the stats could be a "long wait". 2518 */ 2519 CreateTimerQueueTimer(&timer_handle, NULL, 2520 verbose_stats_dump, NULL, 1000, 1000, 2521 WT_EXECUTEDEFAULT|WT_EXECUTELONGFUNCTION); 2522 setvbuf(stderr, NULL, _IONBF, 0); 2523 #else /* _WIN32 */ 2524 /* 2525 * Assume this is UN*X, and that it has setitimer(); that 2526 * dates back to UNIX 95. 2527 */ 2528 struct itimerval timer; 2529 (void)setsignal(SIGALRM, verbose_stats_dump); 2530 timer.it_interval.tv_sec = 1; 2531 timer.it_interval.tv_usec = 0; 2532 timer.it_value.tv_sec = 1; 2533 timer.it_value.tv_usec = 1; 2534 setitimer(ITIMER_REAL, &timer, NULL); 2535 #endif /* _WIN32 */ 2536 } 2537 2538 if (RFileName == NULL) { 2539 /* 2540 * Live capture (if -V was specified, we set RFileName 2541 * to a file from the -V file). Print a message to 2542 * the standard error on UN*X. 2543 */ 2544 if (!ndo->ndo_vflag && !WFileName) { 2545 (void)fprintf(stderr, 2546 "%s: verbose output suppressed, use -v[v]... for full protocol decode\n", 2547 program_name); 2548 } else 2549 (void)fprintf(stderr, "%s: ", program_name); 2550 dlt = pcap_datalink(pd); 2551 dlt_name = pcap_datalink_val_to_name(dlt); 2552 (void)fprintf(stderr, "listening on %s", device); 2553 if (dlt_name == NULL) { 2554 (void)fprintf(stderr, ", link-type %u", dlt); 2555 } else { 2556 (void)fprintf(stderr, ", link-type %s (%s)", dlt_name, 2557 pcap_datalink_val_to_description(dlt)); 2558 } 2559 (void)fprintf(stderr, ", snapshot length %d bytes\n", ndo->ndo_snaplen); 2560 (void)fflush(stderr); 2561 } 2562 2563 #ifdef HAVE_CAPSICUM 2564 cansandbox = (VFileName == NULL && zflag == NULL && 2565 ndo->ndo_espsecret == NULL); 2566 #ifdef HAVE_CASPER 2567 cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL)); 2568 #else 2569 cansandbox = (cansandbox && ndo->ndo_nflag); 2570 #endif /* HAVE_CASPER */ 2571 cansandbox = (cansandbox && (pcap_fileno(pd) != -1 || 2572 RFileName != NULL)); 2573 2574 if (cansandbox && cap_enter() < 0 && errno != ENOSYS) 2575 error("unable to enter the capability mode"); 2576 #endif /* HAVE_CAPSICUM */ 2577 2578 do { 2579 status = pcap_loop(pd, cnt, callback, pcap_userdata); 2580 if (WFileName == NULL) { 2581 /* 2582 * We're printing packets. Flush the printed output, 2583 * so it doesn't get intermingled with error output. 2584 */ 2585 if (status == -2) { 2586 /* 2587 * We got interrupted, so perhaps we didn't 2588 * manage to finish a line we were printing. 2589 * Print an extra newline, just in case. 2590 */ 2591 putchar('\n'); 2592 } 2593 (void)fflush(stdout); 2594 } 2595 if (status == -2) { 2596 /* 2597 * We got interrupted. If we are reading multiple 2598 * files (via -V) set these so that we stop. 2599 */ 2600 VFileName = NULL; 2601 ret = NULL; 2602 } 2603 if (status == -1) { 2604 /* 2605 * Error. Report it. 2606 */ 2607 (void)fprintf(stderr, "%s: pcap_loop: %s\n", 2608 program_name, pcap_geterr(pd)); 2609 } 2610 if (RFileName == NULL) { 2611 /* 2612 * We're doing a live capture. Report the capture 2613 * statistics. 2614 */ 2615 info(1); 2616 } 2617 pcap_close(pd); 2618 if (VFileName != NULL) { 2619 ret = get_next_file(VFile, VFileLine); 2620 if (ret) { 2621 int new_dlt; 2622 2623 RFileName = VFileLine; 2624 pd = pcap_open_offline(RFileName, ebuf); 2625 if (pd == NULL) 2626 error("%s", ebuf); 2627 #ifdef HAVE_CAPSICUM 2628 cap_rights_init(&rights, CAP_READ); 2629 if (cap_rights_limit(fileno(pcap_file(pd)), 2630 &rights) < 0 && errno != ENOSYS) { 2631 error("unable to limit pcap descriptor"); 2632 } 2633 #endif 2634 new_dlt = pcap_datalink(pd); 2635 if (new_dlt != dlt) { 2636 /* 2637 * The new file has a different 2638 * link-layer header type from the 2639 * previous one. 2640 */ 2641 if (WFileName != NULL) { 2642 /* 2643 * We're writing raw packets 2644 * that match the filter to 2645 * a pcap file. pcap files 2646 * don't support multiple 2647 * different link-layer 2648 * header types, so we fail 2649 * here. 2650 */ 2651 error("%s: new dlt does not match original", RFileName); 2652 } 2653 2654 /* 2655 * We're printing the decoded packets; 2656 * switch to the new DLT. 2657 * 2658 * To do that, we need to change 2659 * the printer, change the DLT name, 2660 * and recompile the filter with 2661 * the new DLT. 2662 */ 2663 dlt = new_dlt; 2664 ndo->ndo_if_printer = get_if_printer(dlt); 2665 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2666 error("%s", pcap_geterr(pd)); 2667 } 2668 2669 /* 2670 * Set the filter on the new file. 2671 */ 2672 if (pcap_setfilter(pd, &fcode) < 0) 2673 error("%s", pcap_geterr(pd)); 2674 2675 /* 2676 * Report the new file. 2677 */ 2678 dlt_name = pcap_datalink_val_to_name(dlt); 2679 fprintf(stderr, "reading from file %s", RFileName); 2680 if (dlt_name == NULL) { 2681 fprintf(stderr, ", link-type %u", dlt); 2682 } else { 2683 fprintf(stderr, ", link-type %s (%s)", 2684 dlt_name, 2685 pcap_datalink_val_to_description(dlt)); 2686 } 2687 fprintf(stderr, ", snapshot length %d\n", pcap_snapshot(pd)); 2688 } 2689 } 2690 } 2691 while (ret != NULL); 2692 2693 if (count_mode && RFileName != NULL) 2694 fprintf(stdout, "%u packet%s\n", packets_captured, 2695 PLURAL_SUFFIX(packets_captured)); 2696 2697 free(cmdbuf); 2698 pcap_freecode(&fcode); 2699 exit_tcpdump(status == -1 ? S_ERR_HOST_PROGRAM : S_SUCCESS); 2700 } 2701 2702 /* 2703 * Catch a signal. 2704 */ 2705 static void 2706 (*setsignal (int sig, void (*func)(int)))(int) 2707 { 2708 #ifdef _WIN32 2709 return (signal(sig, func)); 2710 #else 2711 struct sigaction old, new; 2712 2713 memset(&new, 0, sizeof(new)); 2714 new.sa_handler = func; 2715 if ((sig == SIGCHLD) 2716 # ifdef SIGNAL_REQ_INFO 2717 || (sig == SIGNAL_REQ_INFO) 2718 # endif 2719 # ifdef SIGNAL_FLUSH_PCAP 2720 || (sig == SIGNAL_FLUSH_PCAP) 2721 # endif 2722 ) 2723 new.sa_flags = SA_RESTART; 2724 if (sigaction(sig, &new, &old) < 0) 2725 return (SIG_ERR); 2726 return (old.sa_handler); 2727 #endif 2728 } 2729 2730 /* make a clean exit on interrupts */ 2731 static void 2732 cleanup(int signo _U_) 2733 { 2734 #ifdef _WIN32 2735 if (timer_handle != INVALID_HANDLE_VALUE) { 2736 DeleteTimerQueueTimer(NULL, timer_handle, NULL); 2737 CloseHandle(timer_handle); 2738 timer_handle = INVALID_HANDLE_VALUE; 2739 } 2740 #else /* _WIN32 */ 2741 struct itimerval timer; 2742 2743 timer.it_interval.tv_sec = 0; 2744 timer.it_interval.tv_usec = 0; 2745 timer.it_value.tv_sec = 0; 2746 timer.it_value.tv_usec = 0; 2747 setitimer(ITIMER_REAL, &timer, NULL); 2748 #endif /* _WIN32 */ 2749 2750 #ifdef HAVE_PCAP_BREAKLOOP 2751 /* 2752 * We have "pcap_breakloop()"; use it, so that we do as little 2753 * as possible in the signal handler (it's probably not safe 2754 * to do anything with standard I/O streams in a signal handler - 2755 * the ANSI C standard doesn't say it is). 2756 */ 2757 pcap_breakloop(pd); 2758 #else 2759 /* 2760 * We don't have "pcap_breakloop()"; this isn't safe, but 2761 * it's the best we can do. Print the summary if we're 2762 * not reading from a savefile - i.e., if we're doing a 2763 * live capture - and exit. 2764 */ 2765 if (pd != NULL && pcap_file(pd) == NULL) { 2766 /* 2767 * We got interrupted, so perhaps we didn't 2768 * manage to finish a line we were printing. 2769 * Print an extra newline, just in case. 2770 */ 2771 putchar('\n'); 2772 (void)fflush(stdout); 2773 info(1); 2774 } 2775 exit_tcpdump(S_SUCCESS); 2776 #endif 2777 } 2778 2779 /* 2780 On windows, we do not use a fork, so we do not care less about 2781 waiting a child processes to die 2782 */ 2783 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2784 static void 2785 child_cleanup(int signo _U_) 2786 { 2787 wait(NULL); 2788 } 2789 #endif /* HAVE_FORK && HAVE_VFORK */ 2790 2791 static void 2792 info(int verbose) 2793 { 2794 struct pcap_stat stats; 2795 2796 /* 2797 * Older versions of libpcap didn't set ps_ifdrop on some 2798 * platforms; initialize it to 0 to handle that. 2799 */ 2800 stats.ps_ifdrop = 0; 2801 if (pcap_stats(pd, &stats) < 0) { 2802 (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd)); 2803 infoprint = 0; 2804 return; 2805 } 2806 2807 if (!verbose) 2808 fprintf(stderr, "%s: ", program_name); 2809 2810 (void)fprintf(stderr, "%u packet%s captured", packets_captured, 2811 PLURAL_SUFFIX(packets_captured)); 2812 if (!verbose) 2813 fputs(", ", stderr); 2814 else 2815 putc('\n', stderr); 2816 (void)fprintf(stderr, "%u packet%s received by filter", stats.ps_recv, 2817 PLURAL_SUFFIX(stats.ps_recv)); 2818 if (!verbose) 2819 fputs(", ", stderr); 2820 else 2821 putc('\n', stderr); 2822 (void)fprintf(stderr, "%u packet%s dropped by kernel", stats.ps_drop, 2823 PLURAL_SUFFIX(stats.ps_drop)); 2824 if (stats.ps_ifdrop != 0) { 2825 if (!verbose) 2826 fputs(", ", stderr); 2827 else 2828 putc('\n', stderr); 2829 (void)fprintf(stderr, "%u packet%s dropped by interface\n", 2830 stats.ps_ifdrop, PLURAL_SUFFIX(stats.ps_ifdrop)); 2831 } else 2832 putc('\n', stderr); 2833 infoprint = 0; 2834 } 2835 2836 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2837 #ifdef HAVE_FORK 2838 #define fork_subprocess() fork() 2839 #else 2840 #define fork_subprocess() vfork() 2841 #endif 2842 static void 2843 compress_savefile(const char *filename) 2844 { 2845 pid_t child; 2846 2847 child = fork_subprocess(); 2848 if (child == -1) { 2849 fprintf(stderr, 2850 "compress_savefile: fork failed: %s\n", 2851 pcap_strerror(errno)); 2852 return; 2853 } 2854 if (child != 0) { 2855 /* Parent process. */ 2856 return; 2857 } 2858 2859 /* 2860 * Child process. 2861 * Set to lowest priority so that this doesn't disturb the capture. 2862 */ 2863 #ifdef NZERO 2864 setpriority(PRIO_PROCESS, 0, NZERO - 1); 2865 #else 2866 setpriority(PRIO_PROCESS, 0, 19); 2867 #endif 2868 if (execlp(zflag, zflag, filename, (char *)NULL) == -1) 2869 fprintf(stderr, 2870 "compress_savefile: execlp(%s, %s) failed: %s\n", 2871 zflag, 2872 filename, 2873 pcap_strerror(errno)); 2874 #ifdef HAVE_FORK 2875 exit(S_ERR_HOST_PROGRAM); 2876 #else 2877 _exit(S_ERR_HOST_PROGRAM); 2878 #endif 2879 } 2880 #else /* HAVE_FORK && HAVE_VFORK */ 2881 static void 2882 compress_savefile(const char *filename) 2883 { 2884 fprintf(stderr, 2885 "compress_savefile failed. Functionality not implemented under your system\n"); 2886 } 2887 #endif /* HAVE_FORK && HAVE_VFORK */ 2888 2889 static void 2890 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 2891 { 2892 struct dump_info *dump_info; 2893 2894 ++packets_captured; 2895 2896 ++infodelay; 2897 2898 dump_info = (struct dump_info *)user; 2899 2900 /* 2901 * XXX - this won't force the file to rotate on the specified time 2902 * boundary, but it will rotate on the first packet received after the 2903 * specified Gflag number of seconds. Note: if a Gflag time boundary 2904 * and a Cflag size boundary coincide, the time rotation will occur 2905 * first thereby cancelling the Cflag boundary (since the file should 2906 * be 0). 2907 */ 2908 if (Gflag != 0) { 2909 /* Check if it is time to rotate */ 2910 time_t t; 2911 2912 /* Get the current time */ 2913 if ((t = time(NULL)) == (time_t)-1) { 2914 error("%s: can't get current_time: %s", 2915 __func__, pcap_strerror(errno)); 2916 } 2917 2918 2919 /* If the time is greater than the specified window, rotate */ 2920 if (t - Gflag_time >= Gflag) { 2921 #ifdef HAVE_CAPSICUM 2922 FILE *fp; 2923 int fd; 2924 #endif 2925 2926 /* Update the Gflag_time */ 2927 Gflag_time = t; 2928 /* Update Gflag_count */ 2929 Gflag_count++; 2930 /* 2931 * Close the current file and open a new one. 2932 */ 2933 pcap_dump_close(dump_info->pdd); 2934 2935 /* 2936 * Compress the file we just closed, if the user asked for it 2937 */ 2938 if (zflag != NULL) 2939 compress_savefile(dump_info->CurrentFileName); 2940 2941 /* 2942 * Check to see if we've exceeded the Wflag (when 2943 * not using Cflag). 2944 */ 2945 if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) { 2946 (void)fprintf(stderr, "Maximum file limit reached: %d\n", 2947 Wflag); 2948 info(1); 2949 exit_tcpdump(S_SUCCESS); 2950 /* NOTREACHED */ 2951 } 2952 if (dump_info->CurrentFileName != NULL) 2953 free(dump_info->CurrentFileName); 2954 /* Allocate space for max filename + \0. */ 2955 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 2956 if (dump_info->CurrentFileName == NULL) 2957 error("dump_packet_and_trunc: malloc"); 2958 /* 2959 * Gflag was set otherwise we wouldn't be here. Reset the count 2960 * so multiple files would end with 1,2,3 in the filename. 2961 * The counting is handled with the -C flow after this. 2962 */ 2963 Cflag_count = 0; 2964 2965 /* 2966 * This is always the first file in the Cflag 2967 * rotation: e.g. 0 2968 * We also don't need numbering if Cflag is not set. 2969 */ 2970 if (Cflag != 0) 2971 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 2972 WflagChars); 2973 else 2974 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0); 2975 2976 #ifdef HAVE_LIBCAP_NG 2977 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2978 capng_apply(CAPNG_SELECT_BOTH); 2979 #endif /* HAVE_LIBCAP_NG */ 2980 #ifdef HAVE_CAPSICUM 2981 fd = openat(dump_info->dirfd, 2982 dump_info->CurrentFileName, 2983 O_CREAT | O_WRONLY | O_TRUNC, 0644); 2984 if (fd < 0) { 2985 error("unable to open file %s", 2986 dump_info->CurrentFileName); 2987 } 2988 fp = fdopen(fd, "w"); 2989 if (fp == NULL) { 2990 error("unable to fdopen file %s", 2991 dump_info->CurrentFileName); 2992 } 2993 dump_info->pdd = pcap_dump_fopen(dump_info->pd, fp); 2994 #else /* !HAVE_CAPSICUM */ 2995 dump_info->pdd = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 2996 #endif 2997 #ifdef HAVE_LIBCAP_NG 2998 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 2999 capng_apply(CAPNG_SELECT_BOTH); 3000 #endif /* HAVE_LIBCAP_NG */ 3001 if (dump_info->pdd == NULL) 3002 error("%s", pcap_geterr(pd)); 3003 #ifdef HAVE_CAPSICUM 3004 set_dumper_capsicum_rights(dump_info->pdd); 3005 #endif 3006 } 3007 } 3008 3009 /* 3010 * XXX - this won't prevent capture files from getting 3011 * larger than Cflag - the last packet written to the 3012 * file could put it over Cflag. 3013 */ 3014 if (Cflag != 0) { 3015 #ifdef HAVE_PCAP_DUMP_FTELL64 3016 int64_t size = pcap_dump_ftell64(dump_info->pdd); 3017 #else 3018 /* 3019 * XXX - this only handles a Cflag value > 2^31-1 on 3020 * LP64 platforms; to handle ILP32 (32-bit UN*X and 3021 * Windows) or LLP64 (64-bit Windows) would require 3022 * a version of libpcap with pcap_dump_ftell64(). 3023 */ 3024 long size = pcap_dump_ftell(dump_info->pdd); 3025 #endif 3026 3027 if (size == -1) 3028 error("ftell fails on output file"); 3029 if (size > Cflag) { 3030 #ifdef HAVE_CAPSICUM 3031 FILE *fp; 3032 int fd; 3033 #endif 3034 3035 /* 3036 * Close the current file and open a new one. 3037 */ 3038 pcap_dump_close(dump_info->pdd); 3039 3040 /* 3041 * Compress the file we just closed, if the user 3042 * asked for it. 3043 */ 3044 if (zflag != NULL) 3045 compress_savefile(dump_info->CurrentFileName); 3046 3047 Cflag_count++; 3048 if (Wflag > 0) { 3049 if (Cflag_count >= Wflag) 3050 Cflag_count = 0; 3051 } 3052 if (dump_info->CurrentFileName != NULL) 3053 free(dump_info->CurrentFileName); 3054 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 3055 if (dump_info->CurrentFileName == NULL) 3056 error("%s: malloc", __func__); 3057 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars); 3058 #ifdef HAVE_LIBCAP_NG 3059 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3060 capng_apply(CAPNG_SELECT_BOTH); 3061 #endif /* HAVE_LIBCAP_NG */ 3062 #ifdef HAVE_CAPSICUM 3063 fd = openat(dump_info->dirfd, dump_info->CurrentFileName, 3064 O_CREAT | O_WRONLY | O_TRUNC, 0644); 3065 if (fd < 0) { 3066 error("unable to open file %s", 3067 dump_info->CurrentFileName); 3068 } 3069 fp = fdopen(fd, "w"); 3070 if (fp == NULL) { 3071 error("unable to fdopen file %s", 3072 dump_info->CurrentFileName); 3073 } 3074 dump_info->pdd = pcap_dump_fopen(dump_info->pd, fp); 3075 #else /* !HAVE_CAPSICUM */ 3076 dump_info->pdd = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 3077 #endif 3078 #ifdef HAVE_LIBCAP_NG 3079 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3080 capng_apply(CAPNG_SELECT_BOTH); 3081 #endif /* HAVE_LIBCAP_NG */ 3082 if (dump_info->pdd == NULL) 3083 error("%s", pcap_geterr(pd)); 3084 #ifdef HAVE_CAPSICUM 3085 set_dumper_capsicum_rights(dump_info->pdd); 3086 #endif 3087 } 3088 } 3089 3090 pcap_dump((u_char *)dump_info->pdd, h, sp); 3091 #ifdef HAVE_PCAP_DUMP_FLUSH 3092 if (Uflag) 3093 pcap_dump_flush(dump_info->pdd); 3094 #endif 3095 3096 if (dump_info->ndo != NULL) 3097 pretty_print_packet(dump_info->ndo, h, sp, packets_captured); 3098 3099 --infodelay; 3100 if (infoprint) 3101 info(0); 3102 } 3103 3104 static void 3105 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 3106 { 3107 struct dump_info *dump_info; 3108 3109 ++packets_captured; 3110 3111 ++infodelay; 3112 3113 dump_info = (struct dump_info *)user; 3114 3115 pcap_dump((u_char *)dump_info->pdd, h, sp); 3116 #ifdef HAVE_PCAP_DUMP_FLUSH 3117 if (Uflag) 3118 pcap_dump_flush(dump_info->pdd); 3119 #endif 3120 3121 if (dump_info->ndo != NULL) 3122 pretty_print_packet(dump_info->ndo, h, sp, packets_captured); 3123 3124 --infodelay; 3125 if (infoprint) 3126 info(0); 3127 } 3128 3129 static void 3130 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 3131 { 3132 ++packets_captured; 3133 3134 ++infodelay; 3135 3136 if (!count_mode) 3137 pretty_print_packet((netdissect_options *)user, h, sp, packets_captured); 3138 3139 --infodelay; 3140 if (infoprint) 3141 info(0); 3142 } 3143 3144 #ifdef SIGNAL_REQ_INFO 3145 static void 3146 requestinfo(int signo _U_) 3147 { 3148 if (infodelay) 3149 ++infoprint; 3150 else 3151 info(0); 3152 } 3153 #endif 3154 3155 #ifdef SIGNAL_FLUSH_PCAP 3156 static void 3157 flushpcap(int signo _U_) 3158 { 3159 if (pdd != NULL) 3160 pcap_dump_flush(pdd); 3161 } 3162 #endif 3163 3164 static void 3165 print_packets_captured (void) 3166 { 3167 static u_int prev_packets_captured, first = 1; 3168 3169 if (infodelay == 0 && (first || packets_captured != prev_packets_captured)) { 3170 fprintf(stderr, "Got %u\r", packets_captured); 3171 first = 0; 3172 prev_packets_captured = packets_captured; 3173 } 3174 } 3175 3176 /* 3177 * Called once each second in verbose mode while dumping to file 3178 */ 3179 #ifdef _WIN32 3180 static void CALLBACK verbose_stats_dump(PVOID param _U_, 3181 BOOLEAN timer_fired _U_) 3182 { 3183 print_packets_captured(); 3184 } 3185 #else /* _WIN32 */ 3186 static void verbose_stats_dump(int sig _U_) 3187 { 3188 print_packets_captured(); 3189 } 3190 #endif /* _WIN32 */ 3191 3192 DIAG_OFF_DEPRECATION 3193 static void 3194 print_version(FILE *f) 3195 { 3196 #ifndef HAVE_PCAP_LIB_VERSION 3197 #ifdef HAVE_PCAP_VERSION 3198 extern char pcap_version[]; 3199 #else /* HAVE_PCAP_VERSION */ 3200 static char pcap_version[] = "unknown"; 3201 #endif /* HAVE_PCAP_VERSION */ 3202 #endif /* HAVE_PCAP_LIB_VERSION */ 3203 const char *smi_version_string; 3204 3205 (void)fprintf(f, "%s version " PACKAGE_VERSION "\n", program_name); 3206 #ifdef HAVE_PCAP_LIB_VERSION 3207 (void)fprintf(f, "%s\n", pcap_lib_version()); 3208 #else /* HAVE_PCAP_LIB_VERSION */ 3209 (void)fprintf(f, "libpcap version %s\n", pcap_version); 3210 #endif /* HAVE_PCAP_LIB_VERSION */ 3211 3212 #if defined(HAVE_LIBCRYPTO) && defined(SSLEAY_VERSION) 3213 (void)fprintf (f, "%s\n", SSLeay_version(SSLEAY_VERSION)); 3214 #endif 3215 3216 smi_version_string = nd_smi_version_string(); 3217 if (smi_version_string != NULL) 3218 (void)fprintf (f, "SMI-library: %s\n", smi_version_string); 3219 3220 #if defined(__SANITIZE_ADDRESS__) 3221 (void)fprintf (f, "Compiled with AddressSanitizer/GCC.\n"); 3222 #elif defined(__has_feature) 3223 # if __has_feature(address_sanitizer) 3224 (void)fprintf (f, "Compiled with AddressSanitizer/Clang.\n"); 3225 # elif __has_feature(memory_sanitizer) 3226 (void)fprintf (f, "Compiled with MemorySanitizer/Clang.\n"); 3227 # endif 3228 #endif /* __SANITIZE_ADDRESS__ or __has_feature */ 3229 } 3230 DIAG_ON_DEPRECATION 3231 3232 static void 3233 print_usage(FILE *f) 3234 { 3235 print_version(f); 3236 (void)fprintf(f, 3237 "Usage: %s [-Abd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqStu" U_FLAG "vxX#]" B_FLAG_USAGE " [ -c count ] [--count]\n", program_name); 3238 (void)fprintf(f, 3239 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n"); 3240 (void)fprintf(f, 3241 "\t\t[ -i interface ]" IMMEDIATE_MODE_USAGE j_FLAG_USAGE "\n"); 3242 #ifdef HAVE_PCAP_FINDALLDEVS_EX 3243 (void)fprintf(f, 3244 "\t\t" LIST_REMOTE_INTERFACES_USAGE "\n"); 3245 #endif 3246 #ifdef USE_LIBSMI 3247 (void)fprintf(f, 3248 "\t\t" m_FLAG_USAGE "\n"); 3249 #endif 3250 (void)fprintf(f, 3251 "\t\t[ -M secret ] [ --number ] [ --print ]" Q_FLAG_USAGE "\n"); 3252 (void)fprintf(f, 3253 "\t\t[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]\n"); 3254 (void)fprintf(f, 3255 "\t\t[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]\n"); 3256 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 3257 (void)fprintf(f, 3258 "\t\t[ --time-stamp-precision precision ] [ --micro ] [ --nano ]\n"); 3259 #endif 3260 (void)fprintf(f, 3261 "\t\t[ -z postrotate-command ] [ -Z user ] [ expression ]\n"); 3262 } 3263