"struct rtentry" (in <net/if.h> on some systems, e.g. Digital UNIX 4.0,
there are prototypes for kernel functions that include "struct mbuf *"
and "struct rtentry *" arguments, and they are included even if you're
just user-mode code).
We don't need to include <netinet/if_ether.h> unless we have
"ether_hostton()", and we don't need to include <net/if.h> unless we're
including <netinet/if_ether.h>, and we don't need to define "struct
mbuf" or "struct rtentry" unless we're including <net/if.h>.
"struct rtentry" (in <net/if.h> on some systems, e.g. Digital UNIX 4.0,
there are prototypes for kernel functions that include "struct mbuf *"
and "struct rtentry *" arguments, and they are included even if you're
just user-mode code).
define a structure used by <pcap-namedb.h>, and include <sys/socket.h>
before <netdb.h>, as <sys/socket.h> is included to define a structure
used by <netdb.h> (only a pointer to the first structure is used in
<pcap-namedb.h>, and only a pointer to the second structure is used by
<netdb.h>, so code will compile no matter which order you include them
in, but it's a bit cleaner to include <sys/socket.h> before <netdb.h>
and to include <netdb.h> before <pcap-namedb.h>). Indicate why we're
including <netdb.h> and <sys/socket.h>.
define a structure used by <pcap-namedb.h> (only a pointer to the
structure is used in <pcap-namedb.h>, so code will compile no matter
which order you include them in, but it's a bit cleaner to include
<netdb.h> first). Indicate why we're including <netdb.h>.
snoopheader" is a "struct irix5_timeval" rather than a "struct timeval",
by copying the "tv_sec" and "tv_usec" members of that structure to the
time stamp in a "struct pcap_hdr".
read packets is "p->bufsize" bytes long, not MAXDLBUF bytes long
("p->bufsize" is set to (MAXDLBUF * sizeof sizeof(bpf_u_int32))), so
supply that as the "maxlen" value in the "data" argument to "getmsg()".
"struct timeval" - on Solaris 7 and 8, when compiling in LP64 or I32LPx
mode, it's a "struct timeval32" (presumably so that bufmod doesn't have
to worry about whether the stream is being read by a 32-bit program or a
64-bit program). Set the "struct timeval" "pkthdr.ts" by copying the
individual members rather than by doing a structure assignment.
1. During termination processing set up by atexit() under a 2.0.x
kernel, if a socket had been previously closed and the handle freed
due to an error, pcap_close_all() and pcap_close_linux() would
nevertheless try to work with these structures and then crash.
pcap_close_linux() is now called directly when necessary during
error processing.
2. atexit() could get called more than once because the did_atexit
flag wasn't being set.
3. If iface_get_arptype() returns an error because the ioctl() call
failed (probably due to "no such device"), live_open_new() now
returns a fatal error to pcap_open_live() and the call to
live_open_old() is short-circuited.
4. Applications using libpcap would appear to listen on an interface
that was down.
a. iface_bind() and iface_bind_old() now check for pending errors
after bind(). In turn, pcap_open_live() now returns an error
status if there was a pending error after bind().
b. After draining the socket, set_kernel_filter() now checks to see
if the error was the expected EAGAIN and returns a fatal error
to pcap_setfilter() if not. In turn, pcap_setfilter() now
returns an error status if there was a network error.
5. pcap_setfilter() was putting an error message into errbuf after a
failed call to install_bpf_program(). This was unnecessary since
install_bpf_program() puts its own error message into errbuf.
return DLT_LINUX_SLL or not, and, if that flag is false, for those
interface types where we'd used DLT_LINUX_SLL, pick a DLT_ type that
works as well as possible in raw mode, or fail.
Pass 1 as that flag if we're using a PF_PACKET socket; pass 0 as that
flag if we're using a PF_INET/SOCK_PACKET socket.
For PF_INET/SOCK_PACKET sockets, try to get the link-layer type and map
it to a DLT_ value *before* turning promiscuous mode on, so that we
don't try to put the interface into promiscuous mode unless we know we
can handle its link-layer type (and thus that we can use the interface).
ARPHRD_IEEE80211_PRISM, for sniffing on Prism II-based 802.11 interfaces
and getting the special Prism header, so we should map it to
DLT_PRISM_HEADER.
the file descriptor flags; there's no guarantee that it will actually
*affect* the file descriptor flags (consider a memory-mapped capture
mechanism such as the Linux 2.4 mechanism, where all "non-blocking mode"
means is "don't do a 'select()' or 'poll()' if there aren't any new
packets in the memory-mapped buffer") or, in fact, that there are file
descriptor flags to affect (consider WinPcap).
Don't subtract "tp_drops" from "tp_packets" - "ps_recv", on BSD,
at least, includes packets dropped due to lack of buffer space,
so it should do so on Linux as well.
The "len" argument to "getsockopt()" is a value-result
parameter, initially containing the size of the buffer being
supplied; set it before the call.
Catch "getsockopt()" errors and, if it's an error other than
EOPNOTSUPP, return an error.
the current state of non-blocking mode; this allows us to implement, for
example, memory-mapped capture devices, where "pcap_read()" uses
"select()" or "poll()" to wait for packets to arrive, and hide that
implementation detail from applications using this API
("pcap_setnonblock()" would set or clear a non-blocking mode flag in the
"pcap_t", and the "select()" or "poll()" would not be done if the
"pcap_t" is in non-blocking mode).
information plus 802.11 header (as per Tim Newsham's stuff) and for some
flavor of Aironet 802.11 link-layer header (as per Doug Ambrisko's
FreeBSD patches).
that there may be compile-time or run-time problems with the
workarounds, suggest that people send in a detailed report and fall back
on DLPI if they have those problems, and suggest that if they construct
fixes for the problems they send them to patches@tcpdump.org.
Fix the white space.
guy