than "the kernel doesn't support memory-mapped access to PF_PACKET
sockets", treat that as an error. If it fails for that reason, don't
leave gunk behind in the pcap_t's error buffer.
Clean up the error messages a bit (the result of strerror() suffices; we
don't need the numeric value of errno, nor do we need the file
descriptor number of the socket on which we're working).
before using that member.
Don't define variables if we aren't going to use them.
If we have an unknown tpacket version (this "can't happen"), return an
error.
pcap-linux: fix invalid rcvbuf size
Libpcap issues a SO_RCVBUF when the buffer size if unspecified (zero).
The intention is to set it when its *not* zero.
Similar to PACKET_AUXDATA for non-mmaped sockets, the VLAN TCI is
present in a new member of struct tpacket2_hdr. Use it to reconstruct
the VLAN header when necessary.
The tpacket_hdr is not clean for 64 bit kernel/32 bit userspace and
is not extendable because the struct sockaddr_ll following it is
expected at a fixed offset.
Linux 2.6.27-rc supports a new tpacket frame header that removes these
two limitations. Convert the mmap ring support to support both formats
and probe for availability of the new version.
VLAN packets sent over devices supporting VLAN tagging/stripping in
hardware don't have a VLAN header when they are received on packet
sockets. The VLAN TCI is available through the PACKET_AUXDATA cmsg,
reconstruct the entire header when necessary.
isn't up, so applications can report that differently from a generic
error (the latter could mean there's a bug somewhere in libpcap).
When capturing on a device without mmap on Linux, ignore ENETDOWN, so
that we can continue to capture traffic if the interface goes down and
comes back up again; comments in the kernel indicate that we'll just
block waiting for packets if we try to receive from a socket that
delivered ENETDOWN, and, if we're using a memory-mapped buffer, we won't
even get notified of "network down" events.
used to clean up after a failed pcap_activate() call. Convert the
existing close_op routines to cleanup_op routines, and use them to clean
up; rename pcap_close_common() to pcap_cleanup_live_common(), and use it
directly if there's no platform-dependent cleanup needed. That means we
don't have to write the same cleanup code twice (and possibly forget
stuff in the version done on a failed pcap_activate() call).
Have the cleanup routines do whatever is necessary to indicate that
cleanup has been done, and not do any particular cleaning up if it's
already been done (i.e., don't free something if the pointer to it is
null and null out the pointer once it's been freed, don't close an FD if
it's -1 and set it to -1 once it's been closed, etc.).
For device types/platforms where we don't support monitor mode, check
for it and return PCAP_ERROR_RFMON_NOTSUP - but do so after we've
checked whether we can open the device, so we return "no such device" or
"permission denied" rather than "that device doesn't support monitor
mode" if we can't open the device in the first place.
Fix a comment.
know that..."; currently, only pcap_activate() returns them, but we
might want some more warning returns for some other calls, such as the
ones that set filters. It's a little cleaner than "clear out the error
message buffer and, if it's not empty after a successful return, it has
a warning", and a little cleaner than spewing a warning to the standard
error (as that might not be visible to the user if they're running a GUI
application).
that often means "sorry, this platform requires you to run as root or to
somehow tweak the system to give you capture privileges", and
applications might want to explain that in a way that does a better job
of letting the user know what they have to do.
Try to return or PCAP_ERROR_PERM_DENIED for open errors, rather than
just returning PCAP_ERROR, so that the application can, if it chooses,
try to explain the error better (as those two errors are the ones that
don't mean "there's probably some obscure OS or libpcap problem", but
mean, instead, "you made an error" or "you need to get permission to
capture").
Check for monitor mode *after* checking whether the device exists in the
first place; a non-existent device doesn't support monitor mode, but
that's because it doesn't, well, exist, and the latter would be a more
meaningful error.
Have pcap_open_live() supply an error message for return values other
than PCAP_ERROR, PCAP_ERROR_NO_SUCH_DEVICE, and PCAP_ERROR_PERM_DENIED -
those all supply error strings (PCAP_ERROR because it's for various OS
problems that might require debugging, and the other two because there
might be multiple causes).
captures, set the socket buffer size to the value specified by
pcap_set_buffer_size() if a value was set.
Clean up if memory buffer allocation fails on Linux.
handle" routine, an 'activate a pcap_t handle" routine, and some "set
the properties of the pcap_t handle" routines, so that, for example, the
buffer size can be set on a BPF device before the device is bound to an
interface.
Add additional routines to set monitor mode, and make at least an
initial attempt at supporting that on Linux, *BSD, and Mac OS X 10.4 and
10.5. (Very much "initial" for Linux, which is a twisty little maze of
wireless drivers, many different.)
Have a "timeout" member of the pcap_md structure on all platforms, use
that on Windows instead of the "timeout" member of the pcap_t structure,
and get rid of the "timeout" member of that structure.
newline in them.
If we're in cooked mode, the packet pointer argument we pass to the callback
should point to the beginning of the constructed sll header, not to the
packet data itself. While we're at it, have a paranoid check to make
sure that we were given enough space to construct the sll header, so we
don't stomp on the tpacket header.
don't have PF_PACKET support; #ifdef it out.
Move the code to compute the buffer size into live_open_new() and
live_open_old(), as it's dependent on the mechanism being used; there's
little code shared between the two variants.
move it into pcap-sita.c, and make --with-sita set the pcap type to
"sita", so we build pcap-sita.c instead of, rather than in addition to,
pcap-linux.c.
Use "bpf_u_int32" rather than "ulong" in the SITA code, as it's intended
to be 32 bits long (the "l" in "htonl()" and "ntohl()" is historical -
they work on 32-bit quantities, and the "l" dates back to the days when
32-bit processors were a bit newer and 16-bit Unix was more common).
Those changes also, at least in theory, makes the SITA support work on
other Unix-compatible platforms; note that in README.sita.
Clean up pcap-sita.c, making routines no longer called outside it
static, folding trivial wrappers, and fixing various warnings.
Put the routines used by fad-sita.c and defined by pcap-sita.c into
pcap-sita.h. Remove from pcap-sita.h the files that are now static to
pcap-sita.c. Include pcap-sita.h in both fad-sita.c and pcap-sita.c, so
that we do cross-file prototype checking.
Clean up some comments.
Protect all references to the USB stuff from the common Linux code with
PCAP_SUPPORT_USB, just as references to the Bluetooth code are protected
with PCAP_SUPPORT_BT.
source directory and the target include directory, and have include
files at the top-level directory to include those headers, for backwards
compatibility.
Update the FILES and INSTALL.txt files to reflect current reality.
packets that didn't arrive on that interface, so packets from other
interfaces that get onto the socket queue before we bind the socket to
the interface don't get supplied to the application (binding the socket
doesn't discard incoming packets).
"getsockopt()" argument, return those statistics, rather than falling
through and returning the statistics the way we would if
PACKET_STATISTICS weren't supported.
packets, only sent packets, or all packets be accepted, with an
implementation for Linux.
Add an implementation for BPF platforms that support BIOCSSEESENT.
at least on 2.2 and later kernels; the socket is bound (except for
sending on the "any" device, which we don't support), so a destination
address isn't necessary.
Generate the right error string for attempts to send on the "any"
device, and also disallow sends if we're in cooked mode.
In the Linux kernel the packet statistics are zeroed during each retrieval.
In contrast, on FreeBSD, the packet statistics are retrived using
ioctl(BIOCGSTATS):
The patch adds a static variable to pcap_stats_linux() which
holds a running total of the packet statistics so that the behaviour
of pcap_stats() on Linux matches the behaviour of FreeBSD.
devices, offer DLT_DOCSIS as one of the choices of link-layer type, and
support setting that type as meaning just "set libpcap's notion of the
link-layer type to DLT_DOCSIS" without telling the driver to use
DLT_DOCSIS.
support Linux Frame Relay ARPHRD_FRAD as Frame Relay with an FR
header;
support Linux Frame Relay ARPHRD_DLCI in cooked mode;
current Linux kernels use the name ARPHRD_CISCO for Cisco HDLC
(513).
reading packets from a pcap_t, and make "pcap_read()" call it. That
removes the last place where we have to check for a pcap_t that refers
to a DAG card rather than a live capture, so get rid of the "is_dag" flag.
handles setting a filter for a pcap_t. Have "pcap_setfilter()" call it,
rather than being a per-platform function. The per-platform functions
don't need to check for an offline capture any more, as they're not
called for an offline capture (and the ones that just call
"install_bpf_program()" don't need to exist at all).
getting statistics for a pcap_t. Have "pcap_stats()" call it, rather
than being a per-platform function; have stats routines for non-live
pcap_t's that return an error.
the platform-dependent part of closing a pcap_t (and the
live-vs-savefile part as well, so that function must close the file
descriptor and free up any buffers allocated).
In the Digital UNIX support, add in a check for a memory allocation
failure.
with some interfaces (see bug 599857 in the SourceForge list of libpcap
bugs), and, even if it doesn't cause problems, it's different from
what's done on other platforms.
which supplies different headers from BSD ARCNET, and fixes to the
ARCNET code generator (the protocol ID field is 1 byte, so the values
for it shouldn't be byte-swapped).
Whitespace cleanups.
The "NetBSD-style" ARCNET headers are used in other BSDs as well, so
just call them "BSD-style".
argument to "pcap_open_live()" a "const" pointer.
Constify some additional device name arguments, and update the man page
to reflect some arguments that were already consts.
Young <dyoung@ojctech.com>, with some minor changes by Jason R. Thorpe
<thorpej@netbsd.org>, and further changes by me to support it on BPF
systems lacking BIOCGDLTLIST and other platforms lacking an equivalent
feature.
Update Jason Thorpe's e-mail address (Zembu is going away, if it hasn't
done so already).
Add APIs to map DLT names to DLT values and vice versa.
new 2.2-or-later kernel, with PF_PACKET sockets including SOL_PACKET,
but with an older version of the C library whose headers don't define
SOL_PACKET.
On those systems, define SOL_PACKET to have the value it has in the
2.2.0 kernel; this means we can get rid of the "#ifdef
SOL_PACKET"/#endif stuff wrapped around the code to turn promiscuous
mode on or off (we don't want that #ifdeffed out, as if it's absent we
won't pay attention to the "promiscuous mode" flag argument to
"pcap_open_live()").
1. During termination processing set up by atexit() under a 2.0.x
kernel, if a socket had been previously closed and the handle freed
due to an error, pcap_close_all() and pcap_close_linux() would
nevertheless try to work with these structures and then crash.
pcap_close_linux() is now called directly when necessary during
error processing.
2. atexit() could get called more than once because the did_atexit
flag wasn't being set.
3. If iface_get_arptype() returns an error because the ioctl() call
failed (probably due to "no such device"), live_open_new() now
returns a fatal error to pcap_open_live() and the call to
live_open_old() is short-circuited.
4. Applications using libpcap would appear to listen on an interface
that was down.
a. iface_bind() and iface_bind_old() now check for pending errors
after bind(). In turn, pcap_open_live() now returns an error
status if there was a pending error after bind().
b. After draining the socket, set_kernel_filter() now checks to see
if the error was the expected EAGAIN and returns a fatal error
to pcap_setfilter() if not. In turn, pcap_setfilter() now
returns an error status if there was a network error.
5. pcap_setfilter() was putting an error message into errbuf after a
failed call to install_bpf_program(). This was unnecessary since
install_bpf_program() puts its own error message into errbuf.
return DLT_LINUX_SLL or not, and, if that flag is false, for those
interface types where we'd used DLT_LINUX_SLL, pick a DLT_ type that
works as well as possible in raw mode, or fail.
Pass 1 as that flag if we're using a PF_PACKET socket; pass 0 as that
flag if we're using a PF_INET/SOCK_PACKET socket.
For PF_INET/SOCK_PACKET sockets, try to get the link-layer type and map
it to a DLT_ value *before* turning promiscuous mode on, so that we
don't try to put the interface into promiscuous mode unless we know we
can handle its link-layer type (and thus that we can use the interface).
ARPHRD_IEEE80211_PRISM, for sniffing on Prism II-based 802.11 interfaces
and getting the special Prism header, so we should map it to
DLT_PRISM_HEADER.
Don't subtract "tp_drops" from "tp_packets" - "ps_recv", on BSD,
at least, includes packets dropped due to lack of buffer space,
so it should do so on Linux as well.
The "len" argument to "getsockopt()" is a value-result
parameter, initially containing the size of the buffer being
supplied; set it before the call.
Catch "getsockopt()" errors and, if it's an error other than
EOPNOTSUPP, return an error.
didn't handle; fix the code to do so.
Remove the word "Warning" from the warning - tcpdump will add it when it
prints the warning, as will Ethereal and Tethereal.
Add a new "pcap_findalldevs()" routine to get a list of all
interfaces that can be opened with "pcap_open_live()", and a
"pcap_freealldevs()" routine to free the list.
Make "pcap_lookupdev()" use it, which also arranges that it will
not return a device that cannot be opened by "pcap_open_live()".
Allow the "any" device to be opened, on Linux, with "promisc"
non-zero; ignore the request for promiscuity, and return a
warning message indicating that promiscuous mode isn't supported
on the "any" device.
Document "pcap_findalldevs()" and "pcap_lookupdev()", and clean up some
items in the libpcap man page.
packets before the network-layer header; we already deal with that in
tcpdump, and we could probably try to deal with that in the code
generator, but it's less of a pain to just punt to DLT_LINUX_SLL.
"pcap_setfilter()" if we're not using a kernel filter, in case a
previous call to "pcap_setfilter()" had succeeded in adding a kernel
filter, as if we're doing userland filtering we need to get rid of all
kernel filters that might discard packets that'd pass the userland
filter.
packets queued up on the socket when we set a kernel filter on the
socket, so that if there are any queue-up packets that wouldn't have
passed the new filter, we don't see them. (Some other packet capture
mechanisms do this automatically; this prevents tcpdump, for example,
from showing or saving, when run with a filter, some packets that
wouldn't have passed the filter.)
XXX - do we have to do this on any other platforms?
Choose whether to compile in the code to modify filter programs for use
in the kernel, and to flush queued-up packet and set a kernel filter, on
whether SO_ATTACH_FILTER is defined (i.e., on whether we have kernel
filter support in our build environment), rather than on whether
HAVE_PF_PACKET_SOCKETS is defined (i.e., on whether we have PF_PACKET
support in our build environment), as we choose whether to *use* that
code based on whether SO_ATTACH_FILTER is defined.
the pointer to the beginning of the link-layer header; never use just
"handle->buffer", as, if "handle->offset" is non-zero (as is the case
with many link-layer types, including Ethernet), "handle->buffer"
doesn't point to the beginning of the link-layer header.
compiled on a system that doesn't have it, it'll use it on systems that
do have it.
On systems with MSG_TRUNC support (i.e., 2.2 and later kernels), there's
no need to read in the entire packet in order to find out how large it
is, so just allocate a buffer big enough for a snapshot length's worth
of data, and just read that much data.
There's no need for a "readlen" member of the "pcap_md" structure, as
the byte count to "recvfrom()" is just the "bufsize" member of the
"pcap_t" structure.
that we don't have almost-duplicate code in "live_open_old()" and
"live_open_new()". This fixes a bug wherein "live_open_new()" wasn't
making the buffer size the maximum of "enough to hold packets of the MTU
obtained from the socket" and "the snapshot length" (for some reason,
"recvfrom()" was copying more data than the MTU obtained from the
socket).
guy