2005-11-28 08:54:52 +00:00
|
|
|
/* dumpcap.c
|
|
|
|
|
*
|
2006-05-21 05:12:17 +00:00
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
2005-11-28 08:54:52 +00:00
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
2018-02-07 12:26:45 +01:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
2005-11-28 08:54:52 +00:00
|
|
|
*/
|
|
|
|
|
|
2014-08-22 22:13:05 +01:00
|
|
|
#include <config.h>
|
2021-06-08 02:46:52 +01:00
|
|
|
#define WS_LOG_DOMAIN LOG_DOMAIN_CAPCHILD
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2009-08-27 02:53:13 +00:00
|
|
|
#include <stdio.h>
|
2005-11-28 08:54:52 +00:00
|
|
|
#include <glib.h>
|
|
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
2024-01-18 10:09:46 +01:00
|
|
|
#include <ws_exit_codes.h>
|
|
|
|
|
|
2018-05-16 12:51:45 -07:00
|
|
|
#include <sys/types.h>
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2012-06-18 21:50:59 +00:00
|
|
|
#ifdef HAVE_NETINET_IN_H
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2021-07-26 17:22:36 +01:00
|
|
|
#include <wsutil/ws_getopt.h>
|
2013-07-24 20:42:39 +00:00
|
|
|
|
2009-11-26 04:17:18 +00:00
|
|
|
#if defined(__APPLE__) && defined(__LP64__)
|
|
|
|
|
#include <sys/utsname.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2007-11-21 22:49:02 +00:00
|
|
|
#include <signal.h>
|
2008-02-16 02:39:58 +00:00
|
|
|
#include <errno.h>
|
2007-11-21 22:49:02 +00:00
|
|
|
|
2024-12-02 17:12:34 -08:00
|
|
|
#include <wsutil/application_flavor.h>
|
2024-05-22 20:52:28 +10:00
|
|
|
#include <wsutil/array.h>
|
2023-02-06 22:46:45 +00:00
|
|
|
#include <wsutil/cmdarg_err.h>
|
2024-11-09 02:30:23 -05:00
|
|
|
#include <wsutil/report_message.h>
|
|
|
|
|
#include <wsutil/failure_message_simple.h>
|
2016-09-05 15:45:21 +02:00
|
|
|
#include <wsutil/strtoi.h>
|
2018-12-12 02:53:08 -08:00
|
|
|
#include <cli_main.h>
|
2023-02-06 21:57:51 +00:00
|
|
|
#include <wsutil/version_info.h>
|
2013-01-15 21:54:41 +00:00
|
|
|
|
2019-05-01 18:46:23 -07:00
|
|
|
#include <wsutil/socket.h>
|
2021-06-08 02:46:52 +01:00
|
|
|
#include <wsutil/wslog.h>
|
2022-02-09 14:32:28 +00:00
|
|
|
#include <wsutil/file_util.h>
|
2019-05-01 18:46:23 -07:00
|
|
|
|
2007-11-20 16:53:01 +00:00
|
|
|
#ifdef HAVE_LIBCAP
|
|
|
|
|
# include <sys/prctl.h>
|
|
|
|
|
# include <sys/capability.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-11-28 08:54:52 +00:00
|
|
|
#include "ringbuffer.h"
|
|
|
|
|
|
2021-03-24 22:09:19 +00:00
|
|
|
#include "capture/capture_ifinfo.h"
|
|
|
|
|
#include "capture/capture-pcap-util.h"
|
|
|
|
|
#include "capture/capture-pcap-util-int.h"
|
2011-12-29 21:59:24 +00:00
|
|
|
#ifdef _WIN32
|
2021-03-24 22:09:19 +00:00
|
|
|
#include "capture/capture-wpcap.h"
|
2011-12-29 21:59:24 +00:00
|
|
|
#endif /* _WIN32 */
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2016-03-24 13:00:07 -07:00
|
|
|
#include "writecap/pcapio.h"
|
2010-03-04 07:19:43 +00:00
|
|
|
|
2010-03-13 00:29:30 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
|
#include <sys/un.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2023-02-06 22:50:32 +00:00
|
|
|
#include <wsutil/clopts_common.h>
|
2008-06-30 17:16:29 +00:00
|
|
|
#include <wsutil/privileges.h>
|
2007-11-20 16:53:01 +00:00
|
|
|
|
2006-04-03 01:56:53 +00:00
|
|
|
#include "sync_pipe.h"
|
|
|
|
|
|
2024-11-30 15:39:04 -08:00
|
|
|
#include "ui/capture_opts.h"
|
2021-03-24 22:09:19 +00:00
|
|
|
#include <capture/capture_session.h>
|
|
|
|
|
#include <capture/capture_sync.h>
|
2005-12-04 02:04:18 +00:00
|
|
|
|
2013-06-26 01:14:35 +00:00
|
|
|
#include "wsutil/tempfile.h"
|
2008-05-22 15:46:27 +00:00
|
|
|
#include "wsutil/file_util.h"
|
2016-09-22 13:23:37 +02:00
|
|
|
#include "wsutil/cpu_info.h"
|
2014-06-21 11:01:19 -07:00
|
|
|
#include "wsutil/os_version_info.h"
|
2015-11-04 00:45:54 -08:00
|
|
|
#include "wsutil/str_util.h"
|
2016-02-10 09:11:12 +00:00
|
|
|
#include "wsutil/inet_addr.h"
|
2017-12-16 14:15:28 -08:00
|
|
|
#include "wsutil/time_util.h"
|
2019-03-23 21:02:47 -07:00
|
|
|
#include "wsutil/please_report_bug.h"
|
2021-03-23 16:41:54 +01:00
|
|
|
#include "wsutil/glib-compat.h"
|
2023-11-21 08:31:26 -05:00
|
|
|
#include <wsutil/json_dumper.h>
|
2021-06-18 19:21:42 +01:00
|
|
|
#include <wsutil/ws_assert.h>
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2021-03-24 22:09:19 +00:00
|
|
|
#include "capture/ws80211_utils.h"
|
2012-06-24 19:45:49 +00:00
|
|
|
|
2015-04-10 19:04:22 +02:00
|
|
|
#include "extcap.h"
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/*
|
|
|
|
|
* Get information about libpcap format from "wiretap/libpcap.h".
|
2016-07-09 00:07:52 -07:00
|
|
|
* Get information about pcapng format from "wiretap/pcapng_module.h".
|
2008-02-16 02:39:58 +00:00
|
|
|
* XXX - can we just use pcap_open_offline() to read the pipe?
|
|
|
|
|
*/
|
|
|
|
|
#include "wiretap/libpcap.h"
|
2016-07-09 00:07:52 -07:00
|
|
|
#include "wiretap/pcapng_module.h"
|
2017-11-22 11:05:48 -08:00
|
|
|
#include "wiretap/pcapng.h"
|
2005-11-28 08:54:52 +00:00
|
|
|
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
/*
|
2023-12-31 20:08:05 -05:00
|
|
|
* Define these for extra logging. Note that when dumpcap is spawned as
|
|
|
|
|
* a child process, logs are sent to the parent via the sync pipe.
|
|
|
|
|
* The parent will pass along the Capchild domain log level settings,
|
|
|
|
|
* so "--log-debug Capchild" or "--log-level debug" can be used to get
|
|
|
|
|
* debugging from dumpcap sent to the parent.
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
*/
|
2023-12-31 20:08:05 -05:00
|
|
|
//#define DEBUG_DUMPCAP /* Waits for keypress on quitting on Windows */
|
|
|
|
|
//#define DEBUG_CHILD_DUMPCAP /* Writes logs to file */
|
2008-02-23 19:59:38 +00:00
|
|
|
|
2011-05-16 19:56:27 +00:00
|
|
|
#ifdef _WIN32
|
2019-05-01 16:02:27 -07:00
|
|
|
#include "wsutil/win32-utils.h"
|
2025-03-14 17:07:45 -04:00
|
|
|
#include "wsutil/console_win32.h"
|
2011-05-16 19:56:27 +00:00
|
|
|
#ifdef DEBUG_DUMPCAP
|
|
|
|
|
#include <conio.h> /* _getch() */
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-02-23 19:59:38 +00:00
|
|
|
#ifdef DEBUG_CHILD_DUMPCAP
|
2008-02-25 20:43:03 +00:00
|
|
|
FILE *debug_log; /* for logging debug messages to */
|
2008-02-23 19:59:38 +00:00
|
|
|
/* a file if DEBUG_CHILD_DUMPCAP */
|
|
|
|
|
/* is defined */
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
#include <stdarg.h> /* va_copy */
|
|
|
|
|
#endif
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2011-05-16 21:56:12 +00:00
|
|
|
static GAsyncQueue *pcap_queue;
|
2024-07-08 00:26:01 -04:00
|
|
|
static int64_t pcap_queue_bytes;
|
|
|
|
|
static int64_t pcap_queue_packets;
|
|
|
|
|
static int64_t pcap_queue_byte_limit;
|
|
|
|
|
static int64_t pcap_queue_packet_limit;
|
2011-05-16 21:56:12 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool capture_child; /* false: standalone call, true: this is an Wireshark capture child */
|
2024-04-02 14:37:13 +02:00
|
|
|
static const char *report_capture_filename; /* capture child file name */
|
2007-10-26 16:32:28 +00:00
|
|
|
#ifdef _WIN32
|
2024-07-08 00:26:01 -04:00
|
|
|
static char *sig_pipe_name;
|
2024-04-02 14:37:13 +02:00
|
|
|
static HANDLE sig_pipe_handle;
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool signal_pipe_check_running(void);
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2023-12-28 20:18:38 -05:00
|
|
|
static int sync_pipe_fd = 2;
|
2009-08-26 23:16:37 +00:00
|
|
|
|
2024-10-02 09:31:30 -04:00
|
|
|
#if defined (ENABLE_ASAN) || defined (ENABLE_LSAN)
|
2023-03-13 07:29:15 -04:00
|
|
|
/* This has public visibility so that if compiled with shared libasan (the
|
|
|
|
|
* gcc default) function interposition occurs.
|
|
|
|
|
*/
|
|
|
|
|
WS_DLL_PUBLIC int
|
|
|
|
|
__lsan_is_turned_off(void)
|
|
|
|
|
{
|
|
|
|
|
/* If we're in capture child mode, don't run a LSan report and
|
|
|
|
|
* send it to stderr, because it isn't properly formatted for
|
|
|
|
|
* the sync pipe.
|
|
|
|
|
* We could, if debugging variables are set, send the reports
|
|
|
|
|
* elsewhere instead, by calling __sanitizer_set_report_path()
|
|
|
|
|
* or __sanitizer_set_report_fd()
|
|
|
|
|
*/
|
|
|
|
|
if (capture_child) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
#ifdef HAVE_LIBCAP
|
|
|
|
|
/* LSan dies with a fatal error without explanation if it can't ptrace.
|
|
|
|
|
* Normally, the "dumpable" attribute (which also controls ptracing)
|
|
|
|
|
* is set to 1 (SUID_DUMP_USER, process is dumpable.) However, it is
|
|
|
|
|
* reset to the current value in /proc/sys/fs/suid_dumpable in the
|
|
|
|
|
* following circumstances: euid/egid changes, fsuid/fsgid changes,
|
|
|
|
|
* execve of a setuid or setgid program that changes the euid or egid,
|
|
|
|
|
* execve of a program with capabilities exceeding those already
|
|
|
|
|
* permitted for the process.
|
|
|
|
|
*
|
|
|
|
|
* Unless we're running as root, one of those applies to dumpcap.
|
|
|
|
|
*
|
|
|
|
|
* The default value of /proc/sys/fs/suid_dumpable is 0, SUID_DUMP_DISABLE.
|
|
|
|
|
* In such a case, LeakSanitizer temporarily sets the value to 1 to
|
|
|
|
|
* allow ptracing, and then sets it back to 0.
|
|
|
|
|
*
|
|
|
|
|
* Another possible value, used by Ubuntu, Fedora, etc., is 2,
|
|
|
|
|
* which creates dumps readable by root only. For security reasons,
|
|
|
|
|
* unprivileged programs are not allowed to change the value to 2.
|
|
|
|
|
* (See https://nvd.nist.gov/vuln/detail/CVE-2006-2451 )
|
|
|
|
|
*
|
|
|
|
|
* LSan does not check for the value 2 and change dumpable to 1 in that
|
|
|
|
|
* case, possibly because if it did it could not change it back to 2
|
|
|
|
|
* and would have to either leave the process dumpable or change it to 0.
|
|
|
|
|
*
|
|
|
|
|
* The usual way to control the family of sanitizers is through environment
|
|
|
|
|
* variables. However, complicating things, changing the dumpable attribute
|
|
|
|
|
* to 0 or 2 changes the ownership of files in /proc/[pid] (including
|
|
|
|
|
* /proc/self ) to root:root, in particular /proc/[pid]/environ, and so
|
|
|
|
|
* ASAN_OPTIONS=detect_leaks=0 has no effect. (Unless the process has
|
|
|
|
|
* CAP_SYS_PTRACE, which allows tracing of any process, but that's also
|
|
|
|
|
* a security risk and we'll have dropped that with other privileges.)
|
|
|
|
|
*
|
|
|
|
|
* So if prctl(PR_GET_DUMPABLE) returns 2, we know that the process will
|
|
|
|
|
* die with a fatal error if it attempts to run LSan, so don't.
|
|
|
|
|
*
|
|
|
|
|
* See proc(5), prctl(2), ptrace(2), and
|
|
|
|
|
* https://github.com/google/sanitizers/issues/1306
|
|
|
|
|
* https://github.com/llvm/llvm-project/issues/55944
|
|
|
|
|
*/
|
|
|
|
|
if (prctl(PR_GET_DUMPABLE) == 2) {
|
|
|
|
|
ws_debug("Not running LeakSanitizer because /proc/sys/fs/suid_dumpable is 2");
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
WS_DLL_PUBLIC const char*
|
|
|
|
|
__asan_default_options(void)
|
|
|
|
|
{
|
|
|
|
|
/* By default don't override our exit code if there's a leak or error.
|
|
|
|
|
* We particularly don't want to do this if running as a capture child,
|
|
|
|
|
* because capture/capture_sync doesn't expect the ASan exit codes.
|
|
|
|
|
*/
|
|
|
|
|
return "exitcode=0";
|
|
|
|
|
}
|
2024-10-02 09:31:30 -04:00
|
|
|
|
|
|
|
|
WS_DLL_PUBLIC const char*
|
|
|
|
|
__lsan_default_options(void)
|
|
|
|
|
{
|
|
|
|
|
/* By default don't override our exit code if there's a leak or error.
|
|
|
|
|
* We particularly don't want to do this if running as a capture child,
|
|
|
|
|
* because capture/capture_sync doesn't expect the LSan exit codes.
|
|
|
|
|
*/
|
|
|
|
|
return "exitcode=0";
|
|
|
|
|
}
|
2023-03-13 07:29:15 -04:00
|
|
|
#endif
|
|
|
|
|
|
2010-05-26 00:19:27 +00:00
|
|
|
#ifdef SIGINFO
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool infodelay; /* if true, don't print capture info in SIGINFO handler */
|
|
|
|
|
static bool infoprint; /* if true, print capture info after clearing infodelay */
|
2010-05-26 00:19:27 +00:00
|
|
|
#endif /* SIGINFO */
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/** Stop a low-level capture (stops the capture child). */
|
|
|
|
|
static void capture_loop_stop(void);
|
2024-07-08 00:26:01 -04:00
|
|
|
/** Close a pipe, or socket if \a from_socket is true */
|
|
|
|
|
static void cap_pipe_close(int pipe_fd, bool from_socket);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2020-03-12 13:16:24 -07:00
|
|
|
#if defined (__linux__)
|
2008-02-16 02:39:58 +00:00
|
|
|
/* whatever the deal with pcap_breakloop, linux doesn't support timeouts
|
|
|
|
|
* in pcap_dispatch(); on the other hand, select() works just fine there.
|
|
|
|
|
* Hence we use a select for that come what may.
|
2013-08-22 17:36:30 +00:00
|
|
|
*
|
|
|
|
|
* XXX - with TPACKET_V1 and TPACKET_V2, it currently uses select()
|
|
|
|
|
* internally, and, with TPACKET_V3, once that's supported, it'll
|
|
|
|
|
* support timeouts, at least as I understand the way the code works.
|
2008-02-16 02:39:58 +00:00
|
|
|
*/
|
|
|
|
|
#define MUST_DO_SELECT
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/** init the capture filter */
|
|
|
|
|
typedef enum {
|
2011-03-21 16:57:11 +00:00
|
|
|
INITFILTER_NO_ERROR,
|
|
|
|
|
INITFILTER_BAD_FILTER,
|
|
|
|
|
INITFILTER_OTHER_ERROR
|
2008-02-16 02:39:58 +00:00
|
|
|
} initfilter_status_t;
|
|
|
|
|
|
2013-03-03 17:14:19 +00:00
|
|
|
typedef enum {
|
|
|
|
|
STATE_EXPECT_REC_HDR,
|
|
|
|
|
STATE_READ_REC_HDR,
|
|
|
|
|
STATE_EXPECT_DATA,
|
|
|
|
|
STATE_READ_DATA
|
|
|
|
|
} cap_pipe_state_t;
|
2013-06-27 17:10:50 +00:00
|
|
|
|
2013-07-15 15:51:45 +00:00
|
|
|
typedef enum {
|
|
|
|
|
PIPOK,
|
|
|
|
|
PIPEOF,
|
|
|
|
|
PIPERR,
|
|
|
|
|
PIPNEXIST
|
2013-03-03 17:14:19 +00:00
|
|
|
} cap_pipe_err_t;
|
2013-06-27 17:10:50 +00:00
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
typedef struct _pcap_pipe_info {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool byte_swapped; /**< true if data in the pipe is byte swapped. */
|
2018-10-17 17:59:07 +00:00
|
|
|
struct pcap_hdr hdr; /**< Pcap header when capturing from a pipe */
|
|
|
|
|
struct pcaprec_modified_hdr rechdr; /**< Pcap record header when capturing from a pipe */
|
2017-11-22 11:05:48 -08:00
|
|
|
} pcap_pipe_info_t;
|
|
|
|
|
|
|
|
|
|
typedef struct _pcapng_pipe_info {
|
2019-05-23 10:24:02 +02:00
|
|
|
pcapng_block_header_t bh; /**< Pcapng general block header when capturing from a pipe */
|
2018-10-08 13:25:36 -07:00
|
|
|
GArray *src_iface_to_global; /**< Int array mapping local IDB numbers to global_ld.interface_data */
|
2025-03-24 09:24:14 -04:00
|
|
|
bool byte_swapped; /**< true if data in the pipe is byte swapped. */
|
2017-11-22 11:05:48 -08:00
|
|
|
} pcapng_pipe_info_t;
|
|
|
|
|
|
|
|
|
|
struct _loop_data; /* forward declaration so we can use it in the cap_pipe_dispatch function pointer */
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
/*
|
|
|
|
|
* A source of packets from which we're capturing.
|
|
|
|
|
*/
|
|
|
|
|
typedef struct _capture_src {
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t received;
|
|
|
|
|
uint32_t dropped;
|
|
|
|
|
uint32_t flushed;
|
2012-11-25 18:35:41 +00:00
|
|
|
pcap_t *pcap_h;
|
2008-02-16 02:39:58 +00:00
|
|
|
#ifdef MUST_DO_SELECT
|
2013-01-22 08:28:46 +00:00
|
|
|
int pcap_fd; /**< pcap file descriptor */
|
2012-11-25 18:35:41 +00:00
|
|
|
#endif
|
2024-07-08 00:26:01 -04:00
|
|
|
bool pcap_err;
|
|
|
|
|
unsigned interface_id;
|
|
|
|
|
unsigned idb_id; /**< If from_pcapng is false, the output IDB interface ID. Otherwise the mapping in src_iface_to_global is used. */
|
2012-11-25 18:35:41 +00:00
|
|
|
GThread *tid;
|
|
|
|
|
int snaplen;
|
|
|
|
|
int linktype;
|
2024-07-08 00:26:01 -04:00
|
|
|
bool ts_nsec; /**< true if we're using nanosecond precision. */
|
2013-01-22 08:28:46 +00:00
|
|
|
/**< capture pipe (unix only "input file") */
|
2024-07-08 00:26:01 -04:00
|
|
|
bool from_cap_pipe; /**< true if we are capturing data from a capture pipe */
|
|
|
|
|
bool from_cap_socket; /**< true if we're capturing from socket */
|
|
|
|
|
bool from_pcapng; /**< true if we're capturing from pcapng format */
|
2017-11-22 11:05:48 -08:00
|
|
|
union {
|
|
|
|
|
pcap_pipe_info_t pcap; /**< Pcap info when capturing from a pipe */
|
|
|
|
|
pcapng_pipe_info_t pcapng; /**< Pcapng info when capturing from a pipe */
|
|
|
|
|
} cap_pipe_info;
|
2009-08-26 23:16:37 +00:00
|
|
|
#ifdef _WIN32
|
2013-01-22 08:28:46 +00:00
|
|
|
HANDLE cap_pipe_h; /**< The handle of the capture pipe */
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2013-01-22 08:28:46 +00:00
|
|
|
int cap_pipe_fd; /**< the file descriptor of the capture pipe */
|
2024-07-08 00:26:01 -04:00
|
|
|
bool cap_pipe_modified; /**< true if data in the pipe uses modified pcap headers */
|
2017-06-04 12:15:34 -07:00
|
|
|
char * cap_pipe_databuf; /**< Pointer to the data buffer we've allocated */
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
size_t cap_pipe_databuf_size; /**< Current size of the data buffer */
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned cap_pipe_max_pkt_size; /**< Maximum packet size allowed */
|
2011-11-07 23:42:53 +00:00
|
|
|
#if defined(_WIN32)
|
2017-06-04 12:15:34 -07:00
|
|
|
char * cap_pipe_buf; /**< Pointer to the buffer we read into */
|
2013-01-22 08:28:46 +00:00
|
|
|
DWORD cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
|
|
|
|
|
DWORD cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
|
2012-12-26 15:02:32 +00:00
|
|
|
#else
|
2013-01-22 08:28:46 +00:00
|
|
|
size_t cap_pipe_bytes_to_read; /**< Used by cap_pipe_dispatch */
|
|
|
|
|
size_t cap_pipe_bytes_read; /**< Used by cap_pipe_dispatch */
|
2012-12-26 15:02:32 +00:00
|
|
|
#endif
|
2018-12-30 18:58:54 -08:00
|
|
|
int (*cap_pipe_dispatch)(struct _loop_data *, struct _capture_src *, char *, size_t);
|
2013-03-03 17:14:19 +00:00
|
|
|
cap_pipe_state_t cap_pipe_state;
|
|
|
|
|
cap_pipe_err_t cap_pipe_err;
|
|
|
|
|
|
2011-11-07 23:42:53 +00:00
|
|
|
#if defined(_WIN32)
|
2012-11-25 18:35:41 +00:00
|
|
|
GMutex *cap_pipe_read_mtx;
|
|
|
|
|
GAsyncQueue *cap_pipe_pending_q, *cap_pipe_done_q;
|
2011-05-15 22:54:52 +00:00
|
|
|
#endif
|
2017-03-05 18:11:22 -08:00
|
|
|
} capture_src;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
typedef struct _saved_idb {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool deleted;
|
|
|
|
|
unsigned interface_id; /* capture_src->interface_id for the associated SHB */
|
|
|
|
|
uint8_t *idb; /* If non-NULL, IDB read from capture_src. This is an interface specified on the command line otherwise. */
|
|
|
|
|
unsigned idb_len;
|
2018-10-08 13:25:36 -07:00
|
|
|
} saved_idb_t;
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
/*
|
|
|
|
|
* Global capture loop state.
|
|
|
|
|
*/
|
2011-05-15 22:54:52 +00:00
|
|
|
typedef struct _loop_data {
|
|
|
|
|
/* common */
|
2024-07-08 00:26:01 -04:00
|
|
|
bool go; /**< true as long as we're supposed to keep capturing */
|
2017-03-05 18:11:22 -08:00
|
|
|
int err; /**< if non-zero, error seen while capturing */
|
2024-07-08 00:26:01 -04:00
|
|
|
int packets_captured; /**< Number of packets we have already captured */
|
|
|
|
|
unsigned inpkts_to_sync_pipe; /**< Packets not already send out to the sync_pipe */
|
2011-05-15 22:54:52 +00:00
|
|
|
#ifdef SIGINFO
|
2024-07-08 00:26:01 -04:00
|
|
|
bool report_packet_count; /**< Set by SIGINFO handler; print packet count */
|
2011-05-15 22:54:52 +00:00
|
|
|
#endif
|
2017-03-05 18:11:22 -08:00
|
|
|
GArray *pcaps; /**< Array of capture_src's on which we're capturing */
|
2024-07-08 00:26:01 -04:00
|
|
|
bool pcapng_passthrough; /**< We have one source and it's pcapng. Pass its SHB and IDBs through. */
|
|
|
|
|
uint8_t *saved_shb; /**< SHB to write when we have one pcapng input */
|
2018-10-08 13:25:36 -07:00
|
|
|
GArray *saved_idbs; /**< Array of saved_idb_t, written when we have a new section or output file. */
|
|
|
|
|
GRWLock saved_shb_idb_lock; /**< Saved IDB RW mutex */
|
2011-03-21 16:57:11 +00:00
|
|
|
/* output file(s) */
|
2025-01-21 09:47:46 -05:00
|
|
|
pcapio_writer* pdh;
|
2012-11-25 18:35:41 +00:00
|
|
|
int save_file_fd;
|
2024-07-08 00:26:01 -04:00
|
|
|
uint64_t bytes_written; /**< Bytes written for the current file. */
|
2018-10-31 10:03:04 +01:00
|
|
|
/* autostop conditions */
|
|
|
|
|
int packets_written; /**< Packets written for the current file. */
|
|
|
|
|
int file_count;
|
|
|
|
|
/* ring buffer conditions */
|
|
|
|
|
GTimer *file_duration_timer;
|
|
|
|
|
time_t next_interval_time;
|
|
|
|
|
int interval_s;
|
2008-02-16 02:39:58 +00:00
|
|
|
} loop_data;
|
|
|
|
|
|
2011-06-23 18:54:07 +00:00
|
|
|
typedef struct _pcap_queue_element {
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src;
|
2017-11-22 11:05:48 -08:00
|
|
|
union {
|
|
|
|
|
struct pcap_pkthdr phdr;
|
2019-05-23 10:24:02 +02:00
|
|
|
pcapng_block_header_t bh;
|
2017-11-22 11:05:48 -08:00
|
|
|
} u;
|
2024-06-17 18:40:41 +02:00
|
|
|
uint8_t *pd;
|
2011-06-23 18:54:07 +00:00
|
|
|
} pcap_queue_element;
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/*
|
2009-09-13 17:46:10 +00:00
|
|
|
* This needs to be static, so that the SIGINT handler can clear the "go"
|
2018-10-08 13:25:36 -07:00
|
|
|
* flag and for saved_shb_idb_lock.
|
2008-02-16 02:39:58 +00:00
|
|
|
*/
|
2008-06-23 21:22:11 +00:00
|
|
|
static loop_data global_ld;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
/*
|
2010-09-30 01:01:25 +00:00
|
|
|
* Timeout, in milliseconds, for reads from the stream of captured packets
|
|
|
|
|
* from a capture device.
|
2009-11-26 04:17:18 +00:00
|
|
|
*
|
|
|
|
|
* A bug in Mac OS X 10.6 and 10.6.1 causes calls to pcap_open_live(), in
|
|
|
|
|
* 64-bit applications, with sub-second timeouts not to work. The bug is
|
2010-11-11 07:34:12 +00:00
|
|
|
* fixed in 10.6.2, re-broken in 10.6.3, and again fixed in 10.6.5.
|
2008-02-16 02:39:58 +00:00
|
|
|
*/
|
2009-08-31 19:13:50 +00:00
|
|
|
#if defined(__APPLE__) && defined(__LP64__)
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool need_timeout_workaround;
|
2009-11-26 04:17:18 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
#define CAP_READ_TIMEOUT (need_timeout_workaround ? 1000 : 250)
|
2009-08-31 19:13:50 +00:00
|
|
|
#else
|
2011-03-21 16:57:11 +00:00
|
|
|
#define CAP_READ_TIMEOUT 250
|
2009-08-31 19:13:50 +00:00
|
|
|
#endif
|
2009-11-26 04:17:18 +00:00
|
|
|
|
2009-08-26 23:16:37 +00:00
|
|
|
/*
|
2010-09-30 01:01:25 +00:00
|
|
|
* Timeout, in microseconds, for reads from the stream of captured packets
|
2010-09-30 01:40:03 +00:00
|
|
|
* from a pipe. Pipes don't have the same problem that BPF devices do
|
2017-04-05 12:15:27 -07:00
|
|
|
* in Mac OS X 10.6, 10.6.1, 10.6.3, and 10.6.4, so we always use a timeout
|
2010-09-30 01:40:03 +00:00
|
|
|
* of 250ms, i.e. the same value as CAP_READ_TIMEOUT when not on one
|
|
|
|
|
* of the offending versions of Snow Leopard.
|
2010-11-18 17:29:02 +00:00
|
|
|
*
|
|
|
|
|
* On Windows this value is converted to milliseconds and passed to
|
|
|
|
|
* WaitForSingleObject. If it's less than 1000 WaitForSingleObject
|
|
|
|
|
* will return immediately.
|
2009-08-26 23:16:37 +00:00
|
|
|
*/
|
2011-11-07 23:42:53 +00:00
|
|
|
#if defined(_WIN32)
|
2010-11-17 23:51:31 +00:00
|
|
|
#define PIPE_READ_TIMEOUT 100000
|
2011-07-16 12:45:47 +00:00
|
|
|
#else
|
|
|
|
|
#define PIPE_READ_TIMEOUT 250000
|
2010-09-30 01:01:25 +00:00
|
|
|
#endif
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-05-16 21:56:12 +00:00
|
|
|
#define WRITER_THREAD_TIMEOUT 100000 /* usecs */
|
|
|
|
|
|
2005-11-28 08:54:52 +00:00
|
|
|
static void
|
2021-06-14 19:53:59 +01:00
|
|
|
dumpcap_log_writer(const char *domain, enum ws_log_level level,
|
2022-01-04 01:23:10 +00:00
|
|
|
const char *file, long line, const char *func,
|
2023-09-02 13:55:34 +01:00
|
|
|
const char *fatal_msg, ws_log_manifest_t *mft,
|
2021-06-14 19:53:59 +01:00
|
|
|
const char *user_format, va_list user_ap,
|
2021-06-10 22:13:11 +01:00
|
|
|
void *user_data);
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2005-12-15 00:45:29 +00:00
|
|
|
/* capture related options */
|
2008-02-16 02:39:58 +00:00
|
|
|
static capture_options global_capture_opts;
|
2024-04-02 14:37:13 +02:00
|
|
|
static GPtrArray *capture_comments;
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool quiet;
|
|
|
|
|
static bool really_quiet;
|
|
|
|
|
static bool use_threads;
|
|
|
|
|
static uint64_t start_time;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-06-17 18:40:41 +02:00
|
|
|
static void capture_loop_write_packet_cb(uint8_t *pcap_src_p, const struct pcap_pkthdr *phdr,
|
|
|
|
|
const uint8_t *pd);
|
|
|
|
|
static void capture_loop_queue_packet_cb(uint8_t *pcap_src_p, const struct pcap_pkthdr *phdr,
|
|
|
|
|
const uint8_t *pd);
|
|
|
|
|
static void capture_loop_write_pcapng_cb(capture_src *pcap_src, const pcapng_block_header_t *bh, uint8_t *pd);
|
|
|
|
|
static void capture_loop_queue_pcapng_cb(capture_src *pcap_src, const pcapng_block_header_t *bh, uint8_t *pd);
|
2018-05-12 13:42:38 -07:00
|
|
|
static void capture_loop_get_errmsg(char *errmsg, size_t errmsglen,
|
|
|
|
|
char *secondary_errmsg,
|
|
|
|
|
size_t secondary_errmsglen,
|
|
|
|
|
const char *fname, int err,
|
2024-07-08 00:26:01 -04:00
|
|
|
bool is_close);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
static void report_new_capture_file(const char *filename);
|
2012-09-09 13:57:43 +00:00
|
|
|
static void report_packet_count(unsigned int packet_count);
|
2024-07-08 00:26:01 -04:00
|
|
|
static void report_packet_drops(uint32_t received, uint32_t pcap_drops, uint32_t drops, uint32_t flushed, uint32_t ps_ifdrop, char *name);
|
2008-02-16 02:39:58 +00:00
|
|
|
static void report_capture_error(const char *error_msg, const char *secondary_error_msg);
|
2024-07-08 00:26:01 -04:00
|
|
|
static void report_cfilter_error(capture_options *capture_opts, unsigned i, const char *errmsg);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2010-07-13 23:26:07 +00:00
|
|
|
#define MSG_MAX_LENGTH 4096
|
|
|
|
|
|
2005-11-28 08:54:52 +00:00
|
|
|
static void
|
2014-07-02 19:29:21 -07:00
|
|
|
print_usage(FILE *output)
|
2011-03-21 16:57:11 +00:00
|
|
|
{
|
|
|
|
|
fprintf(output, "\nUsage: dumpcap [options] ...\n");
|
|
|
|
|
fprintf(output, "\n");
|
|
|
|
|
fprintf(output, "Capture interface:\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -i <interface>, --interface <interface>\n");
|
2024-11-29 14:44:46 -08:00
|
|
|
fprintf(output, " name or idx of interface (def: first non-loopback)\n"
|
2024-07-03 14:24:53 -07:00
|
|
|
#ifdef HAVE_PCAP_REMOTE
|
2012-06-08 13:55:14 +00:00
|
|
|
" or for remote capturing, use one of these formats:\n"
|
|
|
|
|
" rpcap://<host>/<interface>\n"
|
2024-07-03 14:24:53 -07:00
|
|
|
#else
|
|
|
|
|
" or for remote capturing, use this format:\n"
|
|
|
|
|
#endif
|
2012-06-08 13:55:14 +00:00
|
|
|
" TCP@<host>:<port>\n");
|
2021-03-24 23:36:29 -07:00
|
|
|
fprintf(output, " --ifname <name> name to use in the capture file for a pipe from which\n");
|
|
|
|
|
fprintf(output, " we're capturing\n");
|
|
|
|
|
fprintf(output, " --ifdescr <description>\n");
|
|
|
|
|
fprintf(output, " description to use in the capture file for a pipe\n");
|
|
|
|
|
fprintf(output, " from which we're capturing\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -s <snaplen>, --snapshot-length <snaplen>\n");
|
|
|
|
|
fprintf(output, " packet snapshot length (def: appropriate maximum)\n");
|
|
|
|
|
fprintf(output, " -p, --no-promiscuous-mode\n");
|
|
|
|
|
fprintf(output, " don't capture in promiscuous mode\n");
|
|
|
|
|
fprintf(output, " -I, --monitor-mode capture in monitor mode, if available\n");
|
|
|
|
|
fprintf(output, " -B <buffer size>, --buffer-size <buffer size>\n");
|
|
|
|
|
fprintf(output, " size of kernel buffer in MiB (def: %dMiB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
|
|
|
|
|
fprintf(output, " -y <link type>, --linktype <link type>\n");
|
|
|
|
|
fprintf(output, " link layer type (def: first appropriate)\n");
|
2017-08-07 16:38:52 +02:00
|
|
|
fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -D, --list-interfaces print list of interfaces and exit\n");
|
|
|
|
|
fprintf(output, " -L, --list-data-link-types\n");
|
|
|
|
|
fprintf(output, " print list of link-layer types of iface and exit\n");
|
2017-08-07 16:38:52 +02:00
|
|
|
fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
|
2024-11-29 00:05:00 -08:00
|
|
|
fprintf(output, " --update-interval interval between updates with new packets, in milliseconds (def: %dms)\n", DEFAULT_UPDATE_INTERVAL);
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " -d print generated BPF code for capture filter\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -k <freq>,[<type>],[<center_freq1>],[<center_freq2>]\n");
|
|
|
|
|
fprintf(output, " set channel on wifi interface\n");
|
2011-09-27 18:19:23 +00:00
|
|
|
fprintf(output, " -S print statistics for each interface once per second\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " -M for -D, -L, and -S, produce machine-readable output\n");
|
|
|
|
|
fprintf(output, "\n");
|
2007-12-04 11:19:29 +00:00
|
|
|
#ifdef HAVE_PCAP_REMOTE
|
2011-09-27 18:19:23 +00:00
|
|
|
fprintf(output, "RPCAP options:\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " -r don't ignore own RPCAP traffic in capture\n");
|
|
|
|
|
fprintf(output, " -u use UDP for RPCAP data transfer\n");
|
|
|
|
|
fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
|
2007-12-04 11:19:29 +00:00
|
|
|
#ifdef HAVE_PCAP_SETSAMPLING
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " -m <sampling type> use packet sampling\n");
|
|
|
|
|
fprintf(output, " count:NUM - capture one packet of every NUM\n");
|
|
|
|
|
fprintf(output, " timer:NUM - capture no more than 1 packet in NUM ms\n");
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
fprintf(output, "Stop conditions:\n");
|
|
|
|
|
fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -a <autostop cond.> ..., --autostop <autostop cond.> ...\n");
|
|
|
|
|
fprintf(output, " duration:NUM - stop after NUM seconds\n");
|
2018-10-31 11:34:35 +01:00
|
|
|
fprintf(output, " filesize:NUM - stop this file after NUM kB\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " files:NUM - stop after NUM files\n");
|
2018-10-31 10:03:04 +01:00
|
|
|
fprintf(output, " packets:NUM - stop after NUM packets\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
/*fprintf(output, "\n");*/
|
|
|
|
|
fprintf(output, "Output (files):\n");
|
|
|
|
|
fprintf(output, " -w <filename> name of file to save (def: tempfile)\n");
|
|
|
|
|
fprintf(output, " -g enable group read access on the output file(s)\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>\n");
|
|
|
|
|
fprintf(output, " duration:NUM - switch to next file after NUM secs\n");
|
2018-10-31 11:34:35 +01:00
|
|
|
fprintf(output, " filesize:NUM - switch to next file after NUM kB\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
|
2018-10-31 10:03:04 +01:00
|
|
|
fprintf(output, " packets:NUM - ringbuffer: replace after NUM packets\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " interval:NUM - switch to next file when the time is\n");
|
|
|
|
|
fprintf(output, " an exact multiple of NUM secs\n");
|
2020-07-29 09:36:19 -04:00
|
|
|
fprintf(output, " printname:FILE - print filename to FILE when written\n");
|
|
|
|
|
fprintf(output, " (can use 'stdout' or 'stderr')\n");
|
2025-02-20 20:54:29 -05:00
|
|
|
fprintf(output, " -F output file type (default: pcapng)\n");
|
|
|
|
|
fprintf(output, " an empty \"-F\" option will list the file types\n");
|
2012-01-23 07:48:53 +00:00
|
|
|
fprintf(output, " -n use pcapng format instead of pcap (default)\n");
|
|
|
|
|
fprintf(output, " -P use libpcap format instead of pcapng\n");
|
2025-02-20 20:54:29 -05:00
|
|
|
|
2013-07-27 16:25:08 +00:00
|
|
|
fprintf(output, " --capture-comment <comment>\n");
|
|
|
|
|
fprintf(output, " add a capture comment to the output file\n");
|
|
|
|
|
fprintf(output, " (only for pcapng)\n");
|
2022-02-09 14:32:28 +00:00
|
|
|
fprintf(output, " --temp-dir <directory> write temporary files to this directory\n");
|
|
|
|
|
fprintf(output, " (default: %s)\n", g_get_tmp_dir());
|
2011-09-27 18:19:23 +00:00
|
|
|
fprintf(output, "\n");
|
2021-06-15 22:50:46 +01:00
|
|
|
|
|
|
|
|
ws_log_print_usage(output);
|
2021-12-26 09:35:37 -08:00
|
|
|
fprintf(output, "\n");
|
2021-06-15 22:50:46 +01:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, "Miscellaneous:\n");
|
2013-03-10 11:57:40 +00:00
|
|
|
fprintf(output, " -N <packet_limit> maximum number of packets buffered within dumpcap\n");
|
2013-07-29 15:45:36 +00:00
|
|
|
fprintf(output, " -C <byte_limit> maximum number of bytes used for buffering packets\n");
|
|
|
|
|
fprintf(output, " within dumpcap\n");
|
2011-05-16 21:56:12 +00:00
|
|
|
fprintf(output, " -t use a separate thread per interface\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, " -q don't report packet capture counts\n");
|
2025-02-20 20:54:29 -05:00
|
|
|
fprintf(output, " -Q suppress all non-error status messages to stderr\n");
|
2024-12-02 17:12:34 -08:00
|
|
|
fprintf(output, " --application-flavor <flavor>\n");
|
|
|
|
|
fprintf(output, " set the application flavor\n");
|
2019-11-29 22:10:31 +01:00
|
|
|
fprintf(output, " -v, --version print version information and exit\n");
|
|
|
|
|
fprintf(output, " -h, --help display this help and exit\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, "\n");
|
2013-08-23 05:21:25 +00:00
|
|
|
#ifdef __linux__
|
2018-01-08 01:22:53 -05:00
|
|
|
fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
|
|
|
|
|
fprintf(output, "You might want to enable it by executing:\n");
|
|
|
|
|
fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
|
|
|
|
|
fprintf(output, "Note that this can make your system less secure!\n");
|
2013-08-23 05:21:25 +00:00
|
|
|
fprintf(output, "\n");
|
|
|
|
|
#endif
|
2012-01-23 07:48:53 +00:00
|
|
|
fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
|
2012-06-08 13:55:14 +00:00
|
|
|
fprintf(output, "\"Capture packets from interface eth0 until 60s passed into output.pcapng\"\n");
|
2011-03-21 16:57:11 +00:00
|
|
|
fprintf(output, "\n");
|
|
|
|
|
fprintf(output, "Use Ctrl-C to stop capturing at any time.\n");
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Report an error in command-line arguments.
|
2014-06-29 14:37:21 -07:00
|
|
|
* If we're a capture child, send a message back to the parent, otherwise
|
|
|
|
|
* just print it.
|
2005-11-28 08:54:52 +00:00
|
|
|
*/
|
2014-06-29 14:37:21 -07:00
|
|
|
static void
|
|
|
|
|
dumpcap_cmdarg_err(const char *fmt, va_list ap)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2025-04-24 15:57:40 +00:00
|
|
|
if ((capture_child) && (sync_pipe_fd > 0)) {
|
2024-07-08 00:26:01 -04:00
|
|
|
char *msg;
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Generate a 'special format' message back to parent */
|
2021-12-18 18:48:20 +00:00
|
|
|
msg = ws_strdup_vprintf(fmt, ap);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, msg, "");
|
2011-03-21 16:57:11 +00:00
|
|
|
g_free(msg);
|
|
|
|
|
} else {
|
|
|
|
|
fprintf(stderr, "dumpcap: ");
|
|
|
|
|
vfprintf(stderr, fmt, ap);
|
|
|
|
|
fprintf(stderr, "\n");
|
|
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Report additional information for an error in command-line arguments.
|
2014-06-29 14:37:21 -07:00
|
|
|
* If we're a capture child, send a message back to the parent, otherwise
|
|
|
|
|
* just print it.
|
2005-11-28 08:54:52 +00:00
|
|
|
*/
|
2014-06-29 14:37:21 -07:00
|
|
|
static void
|
|
|
|
|
dumpcap_cmdarg_err_cont(const char *fmt, va_list ap)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2025-04-24 15:57:40 +00:00
|
|
|
if ((capture_child) && (sync_pipe_fd > 0)) {
|
2024-07-08 00:26:01 -04:00
|
|
|
char *msg;
|
2021-12-18 18:48:20 +00:00
|
|
|
msg = ws_strdup_vprintf(fmt, ap);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, msg, "");
|
2011-03-21 16:57:11 +00:00
|
|
|
g_free(msg);
|
|
|
|
|
} else {
|
|
|
|
|
vfprintf(stderr, fmt, ap);
|
|
|
|
|
fprintf(stderr, "\n");
|
|
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
2010-07-14 02:14:54 +00:00
|
|
|
#ifdef HAVE_LIBCAP
|
2010-07-14 04:31:52 +00:00
|
|
|
static void
|
|
|
|
|
/* see 'man cap_to_text()' for explanation of output */
|
|
|
|
|
/* '=' means 'all= ' ie: no capabilities */
|
|
|
|
|
/* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
|
|
|
|
|
/* .... */
|
|
|
|
|
print_caps(const char *pfx) {
|
2024-06-12 08:51:30 -04:00
|
|
|
if (ws_log_msg_is_active(WS_LOG_DOMAIN, LOG_LEVEL_NOISY)) {
|
|
|
|
|
cap_t caps = cap_get_proc();
|
|
|
|
|
char *caps_text = cap_to_text(caps, NULL);
|
|
|
|
|
ws_noisy("%s: EUID: %d Capabilities: %s", pfx, geteuid(), caps_text);
|
|
|
|
|
cap_free(caps_text);
|
|
|
|
|
cap_free(caps);
|
|
|
|
|
}
|
2010-07-14 04:31:52 +00:00
|
|
|
}
|
|
|
|
|
|
2010-07-14 02:14:54 +00:00
|
|
|
static void
|
|
|
|
|
relinquish_all_capabilities(void)
|
|
|
|
|
{
|
|
|
|
|
/* Drop any and all capabilities this process may have. */
|
|
|
|
|
/* Allowed whether or not process has any privileges. */
|
|
|
|
|
cap_t caps = cap_init(); /* all capabilities initialized to off */
|
|
|
|
|
print_caps("Pre-clear");
|
|
|
|
|
if (cap_set_proc(caps)) {
|
2011-06-28 09:00:11 +00:00
|
|
|
cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
|
2010-07-14 02:14:54 +00:00
|
|
|
}
|
|
|
|
|
print_caps("Post-clear");
|
|
|
|
|
cap_free(caps);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-06-09 23:39:12 -07:00
|
|
|
static void
|
2021-06-23 01:42:14 -07:00
|
|
|
get_capture_device_open_failure_messages(cap_device_open_status open_status,
|
|
|
|
|
const char *open_status_str,
|
2018-06-09 23:39:12 -07:00
|
|
|
const char *iface,
|
|
|
|
|
char *errmsg, size_t errmsg_len,
|
|
|
|
|
char *secondary_errmsg,
|
|
|
|
|
size_t secondary_errmsg_len)
|
|
|
|
|
{
|
2023-04-20 00:36:47 -07:00
|
|
|
switch (open_status) {
|
|
|
|
|
|
|
|
|
|
case CAP_DEVICE_OPEN_ERROR_NO_SUCH_DEVICE:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2023-04-20 00:36:47 -07:00
|
|
|
"There is no device named \"%s\".\n(%s)",
|
|
|
|
|
iface, open_status_str);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case CAP_DEVICE_OPEN_ERROR_RFMON_NOTSUP:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2023-04-20 00:36:47 -07:00
|
|
|
"Capturing in monitor mode is not supported on device \"%s\".\n(%s)",
|
|
|
|
|
iface, open_status_str);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case CAP_DEVICE_OPEN_ERROR_PERM_DENIED:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2023-04-20 00:36:47 -07:00
|
|
|
"You do not have permission to capture on device \"%s\".\n(%s)",
|
|
|
|
|
iface, open_status_str);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case CAP_DEVICE_OPEN_ERROR_IFACE_NOT_UP:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2023-04-20 00:36:47 -07:00
|
|
|
"Device \"%s\" is not up.\n(%s)",
|
|
|
|
|
iface, open_status_str);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case CAP_DEVICE_OPEN_ERROR_PROMISC_PERM_DENIED:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2023-04-20 00:36:47 -07:00
|
|
|
"You do not have permission to capture in promiscuous mode on device \"%s\".\n(%s)",
|
|
|
|
|
iface, open_status_str);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case CAP_DEVICE_OPEN_ERROR_OTHER:
|
|
|
|
|
default:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2023-04-20 00:36:47 -07:00
|
|
|
"The capture session could not be initiated on capture device \"%s\".\n(%s)",
|
|
|
|
|
iface, open_status_str);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsg_len, "%s",
|
2021-06-23 01:42:14 -07:00
|
|
|
get_pcap_failure_secondary_error_message(open_status, open_status_str));
|
2010-07-13 23:26:07 +00:00
|
|
|
}
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2010-07-13 23:26:07 +00:00
|
|
|
compile_capture_filter(const char *iface, pcap_t *pcap_h,
|
2011-06-15 20:21:45 +00:00
|
|
|
struct bpf_program *fcode, const char *cfilter)
|
2010-07-13 23:26:07 +00:00
|
|
|
{
|
2011-03-21 16:57:11 +00:00
|
|
|
bpf_u_int32 netnum, netmask;
|
2024-07-08 00:26:01 -04:00
|
|
|
char lookup_net_err_str[PCAP_ERRBUF_SIZE];
|
2010-07-13 23:26:07 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (pcap_lookupnet(iface, &netnum, &netmask, lookup_net_err_str) < 0) {
|
|
|
|
|
/*
|
|
|
|
|
* Well, we can't get the netmask for this interface; it's used
|
|
|
|
|
* only for filters that check for broadcast IP addresses, so
|
|
|
|
|
* we just punt and use 0. It might be nice to warn the user,
|
|
|
|
|
* but that's a pain in a GUI application, as it'd involve popping
|
|
|
|
|
* up a message box, and it's not clear how often this would make
|
|
|
|
|
* a difference (only filters that check for IP broadcast addresses
|
|
|
|
|
* use the netmask).
|
|
|
|
|
*/
|
|
|
|
|
/*cmdarg_err(
|
|
|
|
|
"Warning: Couldn't obtain netmask info (%s).", lookup_net_err_str);*/
|
|
|
|
|
netmask = 0;
|
|
|
|
|
}
|
2011-06-15 21:22:30 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Sigh. Older versions of libpcap don't properly declare the
|
|
|
|
|
* third argument to pcap_compile() as a const pointer. Cast
|
|
|
|
|
* away the warning.
|
|
|
|
|
*/
|
2015-02-19 16:05:49 -08:00
|
|
|
DIAG_OFF(cast-qual)
|
2011-06-15 21:22:30 +00:00
|
|
|
if (pcap_compile(pcap_h, fcode, (char *)cfilter, 1, netmask) < 0)
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2015-02-19 16:05:49 -08:00
|
|
|
DIAG_ON(cast-qual)
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2010-07-13 23:26:07 +00:00
|
|
|
}
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2010-07-13 23:26:07 +00:00
|
|
|
show_filter_code(capture_options *capture_opts)
|
|
|
|
|
{
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_options *interface_opts;
|
2011-03-21 16:57:11 +00:00
|
|
|
pcap_t *pcap_h;
|
2021-06-23 01:42:14 -07:00
|
|
|
cap_device_open_status open_status;
|
2024-07-08 00:26:01 -04:00
|
|
|
char open_status_str[PCAP_ERRBUF_SIZE];
|
2011-03-21 16:57:11 +00:00
|
|
|
char errmsg[MSG_MAX_LENGTH+1];
|
|
|
|
|
char secondary_errmsg[MSG_MAX_LENGTH+1];
|
|
|
|
|
struct bpf_program fcode;
|
|
|
|
|
struct bpf_insn *insn;
|
|
|
|
|
u_int i;
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned j;
|
2011-05-13 11:28:51 +00:00
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
for (j = 0; j < capture_opts->ifaces->len; j++) {
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(capture_opts->ifaces, interface_options, j);
|
|
|
|
|
pcap_h = open_capture_device(capture_opts, interface_opts,
|
2021-06-23 01:42:14 -07:00
|
|
|
CAP_READ_TIMEOUT, &open_status, &open_status_str);
|
2011-05-13 11:28:51 +00:00
|
|
|
if (pcap_h == NULL) {
|
|
|
|
|
/* Open failed; get messages */
|
2021-06-23 01:42:14 -07:00
|
|
|
get_capture_device_open_failure_messages(open_status, open_status_str,
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts->name,
|
2011-05-13 11:28:51 +00:00
|
|
|
errmsg, sizeof errmsg,
|
|
|
|
|
secondary_errmsg,
|
|
|
|
|
sizeof secondary_errmsg);
|
|
|
|
|
/* And report them */
|
|
|
|
|
report_capture_error(errmsg, secondary_errmsg);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-05-13 11:28:51 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2011-05-13 11:28:51 +00:00
|
|
|
/* Set the link-layer type. */
|
2017-08-25 11:27:38 +02:00
|
|
|
if (!set_pcap_datalink(pcap_h, interface_opts->linktype, interface_opts->name,
|
2011-05-15 22:54:52 +00:00
|
|
|
errmsg, sizeof errmsg,
|
2011-05-13 11:28:51 +00:00
|
|
|
secondary_errmsg, sizeof secondary_errmsg)) {
|
|
|
|
|
pcap_close(pcap_h);
|
|
|
|
|
report_capture_error(errmsg, secondary_errmsg);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-05-13 11:28:51 +00:00
|
|
|
}
|
2010-07-13 23:26:07 +00:00
|
|
|
|
2011-05-13 11:28:51 +00:00
|
|
|
/* OK, try to compile the capture filter. */
|
2017-08-25 11:27:38 +02:00
|
|
|
if (!compile_capture_filter(interface_opts->name, pcap_h, &fcode,
|
|
|
|
|
interface_opts->cfilter)) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_h));
|
2011-05-13 11:28:51 +00:00
|
|
|
pcap_close(pcap_h);
|
2011-06-27 11:30:39 +00:00
|
|
|
report_cfilter_error(capture_opts, j, errmsg);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-05-13 11:28:51 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
pcap_close(pcap_h);
|
2010-07-14 00:50:25 +00:00
|
|
|
|
2011-05-13 11:28:51 +00:00
|
|
|
/* Now print the filter code. */
|
|
|
|
|
insn = fcode.bf_insns;
|
2010-07-13 23:26:07 +00:00
|
|
|
|
2011-05-13 11:28:51 +00:00
|
|
|
for (i = 0; i < fcode.bf_len; insn++, i++)
|
|
|
|
|
printf("%s\n", bpf_image(insn, i));
|
|
|
|
|
}
|
2011-05-19 20:48:58 +00:00
|
|
|
/* If not using libcap: we now can now set euid/egid to ruid/rgid */
|
|
|
|
|
/* to remove any suid privileges. */
|
|
|
|
|
/* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
|
|
|
|
|
/* (euid/egid have already previously been set to ruid/rgid. */
|
|
|
|
|
/* (See comment in main() for details) */
|
2024-10-02 08:50:36 -04:00
|
|
|
/* XXX - On Linux, if we're capturing on a mac80211 device and enabling */
|
|
|
|
|
/* rfmon via libpcap with libnl support, that creates a new monitor mode */
|
|
|
|
|
/* device that libpcap will attempt to delete when capture is done. That */
|
|
|
|
|
/* will fail with EPERM because we dropped privileges. */
|
2011-05-19 20:48:58 +00:00
|
|
|
#ifndef HAVE_LIBCAP
|
|
|
|
|
relinquish_special_privs_perm();
|
|
|
|
|
#else
|
|
|
|
|
relinquish_all_capabilities();
|
|
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
if (capture_child) {
|
|
|
|
|
/* Let our parent know we succeeded. */
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2010-07-13 23:26:07 +00:00
|
|
|
}
|
|
|
|
|
|
2023-12-15 06:18:39 -05:00
|
|
|
static void
|
|
|
|
|
print_machine_readable_if_capabilities(json_dumper *dumper, if_capabilities_t *caps, int queries);
|
|
|
|
|
|
From Mike Garratt:
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
2012-11-19 20:07:27 +00:00
|
|
|
/*
|
2012-11-25 18:35:41 +00:00
|
|
|
* Output a machine readable list of the interfaces
|
From Mike Garratt:
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
2012-11-19 20:07:27 +00:00
|
|
|
* This list is retrieved by the sync_interface_list_open() function
|
2012-11-25 18:35:41 +00:00
|
|
|
* The actual output of this function can be viewed with the command "dumpcap -D -Z none"
|
From Mike Garratt:
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
2012-11-19 20:07:27 +00:00
|
|
|
*/
|
2023-12-13 09:07:22 -05:00
|
|
|
static int
|
2023-12-18 10:34:39 -05:00
|
|
|
print_machine_readable_interfaces(GList *if_list, int caps_queries, bool print_statistics)
|
2010-05-07 19:24:32 +00:00
|
|
|
{
|
|
|
|
|
GList *if_entry;
|
|
|
|
|
if_info_t *if_info;
|
|
|
|
|
GSList *addr;
|
|
|
|
|
if_addr_t *if_addr;
|
2017-10-26 08:51:55 +01:00
|
|
|
char addr_str[WS_INET6_ADDRSTRLEN];
|
2023-12-13 09:07:22 -05:00
|
|
|
int status;
|
2010-05-07 19:24:32 +00:00
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper dumper = {
|
2023-12-18 10:34:39 -05:00
|
|
|
.output_string = g_string_new(NULL),
|
2023-12-13 09:07:22 -05:00
|
|
|
.flags = JSON_DUMPER_FLAGS_NO_DEBUG,
|
|
|
|
|
// Don't abort on failure
|
|
|
|
|
};
|
|
|
|
|
json_dumper_begin_array(&dumper);
|
2010-05-17 18:40:23 +00:00
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
/*
|
|
|
|
|
* Print the contents of the if_entry struct in a parseable format (JSON)
|
|
|
|
|
*/
|
2010-05-07 19:24:32 +00:00
|
|
|
for (if_entry = g_list_first(if_list); if_entry != NULL;
|
|
|
|
|
if_entry = g_list_next(if_entry)) {
|
|
|
|
|
if_info = (if_info_t *)if_entry->data;
|
|
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_begin_object(&dumper);
|
|
|
|
|
json_dumper_set_member_name(&dumper, if_info->name);
|
2012-11-25 18:35:41 +00:00
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_begin_object(&dumper);
|
|
|
|
|
|
|
|
|
|
json_dumper_set_member_name(&dumper, "friendly_name");
|
|
|
|
|
json_dumper_value_string(&dumper, if_info->friendly_name);
|
|
|
|
|
|
|
|
|
|
json_dumper_set_member_name(&dumper, "vendor_description");
|
|
|
|
|
json_dumper_value_string(&dumper, if_info->vendor_description);
|
2010-05-07 19:24:32 +00:00
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_set_member_name(&dumper, "type");
|
|
|
|
|
json_dumper_value_anyf(&dumper, "%i", if_info->type);
|
2013-05-22 01:19:18 +00:00
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_set_member_name(&dumper, "addrs");
|
|
|
|
|
|
|
|
|
|
json_dumper_begin_array(&dumper);
|
2012-11-25 18:35:41 +00:00
|
|
|
for (addr = g_slist_nth(if_info->addrs, 0); addr != NULL;
|
2010-05-07 19:24:32 +00:00
|
|
|
addr = g_slist_next(addr)) {
|
|
|
|
|
|
|
|
|
|
if_addr = (if_addr_t *)addr->data;
|
|
|
|
|
switch(if_addr->ifat_type) {
|
|
|
|
|
case IF_AT_IPv4:
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_value_string(&dumper, ws_inet_ntop4(&if_addr->addr.ip4_addr, addr_str, sizeof(addr_str)));
|
2010-05-07 19:24:32 +00:00
|
|
|
break;
|
|
|
|
|
case IF_AT_IPv6:
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_value_string(&dumper, ws_inet_ntop6(&if_addr->addr.ip6_addr, addr_str, sizeof(addr_str)));
|
2010-05-07 19:24:32 +00:00
|
|
|
break;
|
|
|
|
|
default:
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_value_anyf(&dumper, "<type unknown %i>", if_addr->ifat_type);
|
2010-05-07 19:24:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_end_array(&dumper);
|
2010-05-07 19:24:32 +00:00
|
|
|
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_set_member_name(&dumper, "loopback");
|
|
|
|
|
json_dumper_value_anyf(&dumper, "%s", if_info->loopback ? "true" : "false");
|
|
|
|
|
|
|
|
|
|
json_dumper_set_member_name(&dumper, "extcap");
|
|
|
|
|
json_dumper_value_string(&dumper, if_info->extcap);
|
|
|
|
|
|
2023-12-15 06:18:39 -05:00
|
|
|
if (if_info->caps && caps_queries) {
|
|
|
|
|
json_dumper_set_member_name(&dumper, "caps");
|
|
|
|
|
json_dumper_begin_object(&dumper);
|
|
|
|
|
print_machine_readable_if_capabilities(&dumper, if_info->caps, caps_queries);
|
|
|
|
|
json_dumper_end_object(&dumper);
|
|
|
|
|
}
|
2023-12-13 09:07:22 -05:00
|
|
|
json_dumper_end_object(&dumper);
|
|
|
|
|
json_dumper_end_object(&dumper);
|
|
|
|
|
}
|
|
|
|
|
json_dumper_end_array(&dumper);
|
|
|
|
|
if (json_dumper_finish(&dumper)) {
|
|
|
|
|
status = 0;
|
|
|
|
|
if (capture_child) {
|
2023-12-18 10:34:39 -05:00
|
|
|
if (print_statistics) {
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_IFACE_LIST, dumper.output_string->str);
|
2023-12-18 10:34:39 -05:00
|
|
|
} else {
|
|
|
|
|
/* Let our parent know we succeeded. */
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
|
2023-12-18 10:34:39 -05:00
|
|
|
printf("%s", dumper.output_string->str);
|
|
|
|
|
}
|
2024-06-10 11:41:32 -04:00
|
|
|
} else {
|
|
|
|
|
printf("%s", dumper.output_string->str);
|
2023-12-13 09:07:22 -05:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
status = 2;
|
|
|
|
|
if (capture_child) {
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, "Unexpected JSON error", "");
|
2024-06-10 11:41:32 -04:00
|
|
|
} else {
|
|
|
|
|
cmdarg_err("Unexpected JSON error");
|
2023-12-13 09:07:22 -05:00
|
|
|
}
|
2010-05-07 19:24:32 +00:00
|
|
|
}
|
2023-12-18 10:34:39 -05:00
|
|
|
g_string_free(dumper.output_string, TRUE);
|
2023-12-13 09:07:22 -05:00
|
|
|
return status;
|
2010-05-07 19:24:32 +00:00
|
|
|
}
|
|
|
|
|
|
2010-05-07 08:06:25 +00:00
|
|
|
/*
|
|
|
|
|
* If you change the machine-readable output format of this function,
|
2010-05-13 17:37:39 +00:00
|
|
|
* you MUST update capture_ifinfo.c:capture_get_if_capabilities() accordingly!
|
2010-05-07 08:06:25 +00:00
|
|
|
*/
|
|
|
|
|
static void
|
2023-11-21 08:31:26 -05:00
|
|
|
print_machine_readable_if_capabilities(json_dumper *dumper, if_capabilities_t *caps, int queries)
|
2010-05-07 08:06:25 +00:00
|
|
|
{
|
2017-08-07 16:38:52 +02:00
|
|
|
GList *lt_entry, *ts_entry;
|
2024-07-08 00:26:01 -04:00
|
|
|
const char *desc_str;
|
2010-05-07 08:06:25 +00:00
|
|
|
|
2023-12-15 06:18:39 -05:00
|
|
|
json_dumper_set_member_name(dumper, "status");
|
|
|
|
|
json_dumper_value_anyf(dumper, "%i", caps->status);
|
|
|
|
|
if (caps->primary_msg) {
|
|
|
|
|
json_dumper_set_member_name(dumper, "primary_msg");
|
|
|
|
|
json_dumper_value_string(dumper, caps->primary_msg);
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-07 16:38:52 +02:00
|
|
|
if (queries & CAPS_QUERY_LINK_TYPES) {
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_set_member_name(dumper, "rfmon");
|
|
|
|
|
json_dumper_value_anyf(dumper, "%s", caps->can_set_rfmon ? "true" : "false");
|
|
|
|
|
json_dumper_set_member_name(dumper, "data_link_types");
|
|
|
|
|
json_dumper_begin_array(dumper);
|
2017-08-07 16:38:52 +02:00
|
|
|
for (lt_entry = caps->data_link_types; lt_entry != NULL;
|
|
|
|
|
lt_entry = g_list_next(lt_entry)) {
|
|
|
|
|
data_link_info_t *data_link_info = (data_link_info_t *)lt_entry->data;
|
|
|
|
|
if (data_link_info->description != NULL)
|
|
|
|
|
desc_str = data_link_info->description;
|
|
|
|
|
else
|
|
|
|
|
desc_str = "(not supported)";
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_begin_object(dumper);
|
|
|
|
|
json_dumper_set_member_name(dumper, "dlt");
|
|
|
|
|
json_dumper_value_anyf(dumper, "%d", data_link_info->dlt);
|
|
|
|
|
json_dumper_set_member_name(dumper, "name");
|
|
|
|
|
json_dumper_value_string(dumper, data_link_info->name);
|
|
|
|
|
json_dumper_set_member_name(dumper, "description");
|
|
|
|
|
json_dumper_value_string(dumper, desc_str);
|
|
|
|
|
json_dumper_end_object(dumper);
|
2017-08-07 16:38:52 +02:00
|
|
|
}
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_end_array(dumper);
|
2023-12-14 06:13:04 -05:00
|
|
|
|
|
|
|
|
json_dumper_set_member_name(dumper, "data_link_types_rfmon");
|
|
|
|
|
json_dumper_begin_array(dumper);
|
|
|
|
|
for (lt_entry = caps->data_link_types_rfmon; lt_entry != NULL;
|
|
|
|
|
lt_entry = g_list_next(lt_entry)) {
|
|
|
|
|
data_link_info_t *data_link_info = (data_link_info_t *)lt_entry->data;
|
|
|
|
|
if (data_link_info->description != NULL)
|
|
|
|
|
desc_str = data_link_info->description;
|
|
|
|
|
else
|
|
|
|
|
desc_str = "(not supported)";
|
|
|
|
|
json_dumper_begin_object(dumper);
|
|
|
|
|
json_dumper_set_member_name(dumper, "dlt");
|
|
|
|
|
json_dumper_value_anyf(dumper, "%d", data_link_info->dlt);
|
|
|
|
|
json_dumper_set_member_name(dumper, "name");
|
|
|
|
|
json_dumper_value_string(dumper, data_link_info->name);
|
|
|
|
|
json_dumper_set_member_name(dumper, "description");
|
|
|
|
|
json_dumper_value_string(dumper, desc_str);
|
|
|
|
|
json_dumper_end_object(dumper);
|
|
|
|
|
}
|
|
|
|
|
json_dumper_end_array(dumper);
|
2017-08-07 16:38:52 +02:00
|
|
|
}
|
|
|
|
|
if (queries & CAPS_QUERY_TIMESTAMP_TYPES) {
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_set_member_name(dumper, "timestamp_types");
|
|
|
|
|
json_dumper_begin_array(dumper);
|
2017-08-07 16:38:52 +02:00
|
|
|
for (ts_entry = caps->timestamp_types; ts_entry != NULL;
|
|
|
|
|
ts_entry = g_list_next(ts_entry)) {
|
|
|
|
|
timestamp_info_t *timestamp = (timestamp_info_t *)ts_entry->data;
|
|
|
|
|
if (timestamp->description != NULL)
|
|
|
|
|
desc_str = timestamp->description;
|
|
|
|
|
else
|
|
|
|
|
desc_str = "(none)";
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_begin_object(dumper);
|
|
|
|
|
json_dumper_set_member_name(dumper, "name");
|
|
|
|
|
json_dumper_value_string(dumper, timestamp->name);
|
|
|
|
|
json_dumper_set_member_name(dumper, "description");
|
|
|
|
|
json_dumper_value_string(dumper, desc_str);
|
|
|
|
|
json_dumper_end_object(dumper);
|
2017-08-07 16:38:52 +02:00
|
|
|
}
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_end_array(dumper);
|
2010-05-07 08:06:25 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-06-20 00:09:47 +00:00
|
|
|
typedef struct {
|
|
|
|
|
char *name;
|
|
|
|
|
pcap_t *pch;
|
|
|
|
|
} if_stat_t;
|
|
|
|
|
|
|
|
|
|
/* Print the number of packets captured for each interface until we're killed. */
|
|
|
|
|
static int
|
2024-07-08 00:26:01 -04:00
|
|
|
print_statistics_loop(bool machine_readable)
|
2008-06-20 00:09:47 +00:00
|
|
|
{
|
|
|
|
|
GList *if_list, *if_entry, *stat_list = NULL, *stat_entry;
|
|
|
|
|
if_info_t *if_info;
|
|
|
|
|
if_stat_t *if_stat;
|
|
|
|
|
int err;
|
2024-07-08 00:26:01 -04:00
|
|
|
char *err_str;
|
2008-06-20 00:09:47 +00:00
|
|
|
pcap_t *pch;
|
|
|
|
|
char errbuf[PCAP_ERRBUF_SIZE];
|
|
|
|
|
struct pcap_stat ps;
|
|
|
|
|
|
|
|
|
|
if_list = get_interface_list(&err, &err_str);
|
|
|
|
|
if (if_list == NULL) {
|
2024-01-18 10:09:46 +01:00
|
|
|
if (err == 0) {
|
2014-07-22 16:53:18 -07:00
|
|
|
cmdarg_err("There are no interfaces on which a capture can be done");
|
2024-01-18 10:09:46 +01:00
|
|
|
err = WS_EXIT_NO_INTERFACES;
|
|
|
|
|
}
|
2014-07-22 16:53:18 -07:00
|
|
|
else {
|
2008-06-20 00:09:47 +00:00
|
|
|
cmdarg_err("%s", err_str);
|
|
|
|
|
g_free(err_str);
|
|
|
|
|
}
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (if_entry = g_list_first(if_list); if_entry != NULL; if_entry = g_list_next(if_entry)) {
|
2010-03-01 23:43:47 +00:00
|
|
|
if_info = (if_info_t *)if_entry->data;
|
2015-02-02 10:37:17 +01:00
|
|
|
|
|
|
|
|
#ifdef __linux__
|
|
|
|
|
/* On Linux nf* interfaces don't collect stats properly and don't allows multiple
|
|
|
|
|
* connections. We avoid collecting stats on them.
|
|
|
|
|
*/
|
|
|
|
|
if (!strncmp(if_info->name, "nf", 2)) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("Skipping interface %s for stats", if_info->name);
|
2015-02-02 10:37:17 +01:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-06-20 00:09:47 +00:00
|
|
|
#ifdef HAVE_PCAP_OPEN
|
Work around stub routines in macOS 14 (Sonoma) libpcap.
Some routines that are built only if libpcap 1.10.x is built with remote
capture support, but that are unconditionally declared in pcap/pcap.h,
now have stub implementations in macOS 14 that always fail and set the
error string to "not supported". (This was probably done because those
routines are now declared as "weakly linked symbols":
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/WeakLinking.html
om macOS 14.)
This means CMakeLists.txt finds them when you build on Sonoma, so we end
up calling them.
The only place where we didn't arrange that we *only* use them if the
device name begins with rpcap://, indicating that it's a remote-capture
URL, was the code in dumpcap that produces packet counts for the
sparklines in the Wireshark main screen. That meant that all opens
failed, and dumpcap reported that failure to Wireshark, so no sparklines
were drawn. Check for rpcap:// in that case as well, and use
pcap_open_live() if it's not present.
For all code that calls the routines in question, if the any of the
routines in question fail, check for an error string of "not supported",
and replace it with "Remote capture not supported", so as to make the
cause of failure clearer.
Fixes #19349.
2023-09-23 00:36:03 -07:00
|
|
|
/*
|
|
|
|
|
* If we're opening a remote device, use pcap_open(); that's currently
|
|
|
|
|
* the only open routine that supports remote devices.
|
|
|
|
|
*/
|
|
|
|
|
if (strncmp(if_info->name, "rpcap://", 8) == 0)
|
|
|
|
|
pch = pcap_open(if_info->name, MIN_PACKET_SIZE, 0, 0, NULL, errbuf);
|
|
|
|
|
else
|
2008-06-20 00:09:47 +00:00
|
|
|
#endif
|
Work around stub routines in macOS 14 (Sonoma) libpcap.
Some routines that are built only if libpcap 1.10.x is built with remote
capture support, but that are unconditionally declared in pcap/pcap.h,
now have stub implementations in macOS 14 that always fail and set the
error string to "not supported". (This was probably done because those
routines are now declared as "weakly linked symbols":
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/WeakLinking.html
om macOS 14.)
This means CMakeLists.txt finds them when you build on Sonoma, so we end
up calling them.
The only place where we didn't arrange that we *only* use them if the
device name begins with rpcap://, indicating that it's a remote-capture
URL, was the code in dumpcap that produces packet counts for the
sparklines in the Wireshark main screen. That meant that all opens
failed, and dumpcap reported that failure to Wireshark, so no sparklines
were drawn. Check for rpcap:// in that case as well, and use
pcap_open_live() if it's not present.
For all code that calls the routines in question, if the any of the
routines in question fail, check for an error string of "not supported",
and replace it with "Remote capture not supported", so as to make the
cause of failure clearer.
Fixes #19349.
2023-09-23 00:36:03 -07:00
|
|
|
pch = pcap_open_live(if_info->name, MIN_PACKET_SIZE, 0, 0, errbuf);
|
2008-06-20 00:09:47 +00:00
|
|
|
|
|
|
|
|
if (pch) {
|
2020-12-20 21:30:28 -05:00
|
|
|
if_stat = g_new(if_stat_t, 1);
|
2008-06-20 00:09:47 +00:00
|
|
|
if_stat->name = g_strdup(if_info->name);
|
|
|
|
|
if_stat->pch = pch;
|
|
|
|
|
stat_list = g_list_append(stat_list, if_stat);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!stat_list) {
|
|
|
|
|
cmdarg_err("There are no interfaces on which a capture can be done");
|
|
|
|
|
return 2;
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-18 00:20:30 +00:00
|
|
|
if (capture_child) {
|
|
|
|
|
/* Let our parent know we succeeded. */
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
|
2010-05-18 00:20:30 +00:00
|
|
|
}
|
2010-05-17 18:40:23 +00:00
|
|
|
|
2008-06-20 00:09:47 +00:00
|
|
|
if (!machine_readable) {
|
|
|
|
|
printf("%-15s %10s %10s\n", "Interface", "Received",
|
|
|
|
|
"Dropped");
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = true;
|
2008-06-23 21:22:11 +00:00
|
|
|
while (global_ld.go) {
|
2008-06-20 00:09:47 +00:00
|
|
|
for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
|
2010-03-01 23:43:47 +00:00
|
|
|
if_stat = (if_stat_t *)stat_entry->data;
|
2023-12-07 01:42:38 -08:00
|
|
|
/* XXX - what if this fails? */
|
|
|
|
|
if (pcap_stats(if_stat->pch, &ps) == 0) {
|
|
|
|
|
if (!machine_readable) {
|
|
|
|
|
printf("%-15s %10u %10u\n", if_stat->name,
|
|
|
|
|
ps.ps_recv, ps.ps_drop);
|
|
|
|
|
} else {
|
|
|
|
|
printf("%s\t%u\t%u\n", if_stat->name,
|
|
|
|
|
ps.ps_recv, ps.ps_drop);
|
|
|
|
|
fflush(stdout);
|
|
|
|
|
}
|
2008-06-20 00:09:47 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#ifdef _WIN32
|
2013-08-25 22:41:54 +00:00
|
|
|
/* If we have a dummy signal pipe check it */
|
|
|
|
|
if (!signal_pipe_check_running()) {
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2013-08-25 22:41:54 +00:00
|
|
|
}
|
2011-05-15 23:41:21 +00:00
|
|
|
Sleep(1 * 1000);
|
2008-06-20 00:09:47 +00:00
|
|
|
#else
|
|
|
|
|
sleep(1);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* XXX - Not reached. Should we look for 'q' in stdin? */
|
|
|
|
|
for (stat_entry = g_list_first(stat_list); stat_entry != NULL; stat_entry = g_list_next(stat_entry)) {
|
2010-03-01 23:43:47 +00:00
|
|
|
if_stat = (if_stat_t *)stat_entry->data;
|
2008-06-20 00:09:47 +00:00
|
|
|
pcap_close(if_stat->pch);
|
|
|
|
|
g_free(if_stat->name);
|
|
|
|
|
g_free(if_stat);
|
|
|
|
|
}
|
|
|
|
|
g_list_free(stat_list);
|
|
|
|
|
free_interface_list(if_list);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2005-11-28 08:54:52 +00:00
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
2007-11-21 22:49:02 +00:00
|
|
|
static BOOL WINAPI
|
2009-09-13 17:46:10 +00:00
|
|
|
capture_cleanup_handler(DWORD dwCtrlType)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2007-11-21 22:49:02 +00:00
|
|
|
/* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
|
|
|
|
|
Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
|
|
|
|
|
is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
|
|
|
|
|
like SIGTERM at least when the machine's shutting down.
|
|
|
|
|
|
|
|
|
|
For now, if we're running as a command rather than a capture child,
|
|
|
|
|
we handle all but CTRL_LOGOFF_EVENT as indications that we should
|
|
|
|
|
clean up and quit, just as we handle SIGINT, SIGHUP, and SIGTERM
|
|
|
|
|
in that way on UN*X.
|
|
|
|
|
|
|
|
|
|
If we're not running as a capture child, we might be running as
|
|
|
|
|
a service; ignore CTRL_LOGOFF_EVENT, so we keep running after the
|
|
|
|
|
user logs out. (XXX - can we explicitly check whether we're
|
|
|
|
|
running as a service?) */
|
|
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Console: Control signal");
|
|
|
|
|
ws_debug("Console: Control signal, CtrlType: %lu", dwCtrlType);
|
2006-10-20 06:24:56 +00:00
|
|
|
|
|
|
|
|
/* Keep capture running if we're a service and a user logs off */
|
|
|
|
|
if (capture_child || (dwCtrlType != CTRL_LOGOFF_EVENT)) {
|
|
|
|
|
capture_loop_stop();
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2006-10-20 06:24:56 +00:00
|
|
|
} else {
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2006-10-20 06:24:56 +00:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
2007-11-21 22:49:02 +00:00
|
|
|
#else
|
|
|
|
|
static void
|
2011-05-26 23:20:35 +00:00
|
|
|
capture_cleanup_handler(int signum _U_)
|
2007-11-21 22:49:02 +00:00
|
|
|
{
|
|
|
|
|
/* On UN*X, we cleanly shut down the capture on SIGINT, SIGHUP, and
|
|
|
|
|
SIGTERM. We assume that if the user wanted it to keep running
|
|
|
|
|
after they logged out, they'd have nohupped it. */
|
|
|
|
|
|
|
|
|
|
capture_loop_stop();
|
|
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
#endif
|
|
|
|
|
|
2010-05-26 00:19:27 +00:00
|
|
|
|
|
|
|
|
static void
|
2024-07-08 00:26:01 -04:00
|
|
|
report_capture_count(bool reportit)
|
2010-05-26 00:19:27 +00:00
|
|
|
{
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Don't print this if we're a capture child. */
|
2011-05-26 14:33:55 +00:00
|
|
|
if (!capture_child && reportit) {
|
2018-10-31 10:03:04 +01:00
|
|
|
fprintf(stderr, "\rPackets captured: %d\n", global_ld.packets_captured);
|
2011-05-26 14:33:55 +00:00
|
|
|
/* stderr could be line buffered */
|
|
|
|
|
fflush(stderr);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2011-02-24 19:26:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef SIGINFO
|
|
|
|
|
static void
|
|
|
|
|
report_counts_for_siginfo(void)
|
|
|
|
|
{
|
2011-05-26 14:33:55 +00:00
|
|
|
report_capture_count(quiet);
|
2024-07-08 00:26:01 -04:00
|
|
|
infoprint = false; /* we just reported it */
|
2010-05-26 00:19:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
report_counts_siginfo(int signum _U_)
|
|
|
|
|
{
|
2011-03-21 16:57:11 +00:00
|
|
|
int sav_errno = errno;
|
|
|
|
|
|
|
|
|
|
/* If we've been told to delay printing, just set a flag asking
|
|
|
|
|
that we print counts (if we're supposed to), otherwise print
|
|
|
|
|
the count of packets captured (if we're supposed to). */
|
|
|
|
|
if (infodelay)
|
2024-07-08 00:26:01 -04:00
|
|
|
infoprint = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
else
|
|
|
|
|
report_counts_for_siginfo();
|
|
|
|
|
errno = sav_errno;
|
2010-05-26 00:19:27 +00:00
|
|
|
}
|
|
|
|
|
#endif /* SIGINFO */
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
static void
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main(void)
|
2005-12-31 10:51:15 +00:00
|
|
|
{
|
2019-05-01 18:46:23 -07:00
|
|
|
ws_cleanup_sockets();
|
2005-12-01 20:19:30 +00:00
|
|
|
|
2019-05-01 18:46:23 -07:00
|
|
|
#ifdef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
/* can be helpful for debugging */
|
2006-02-11 23:25:11 +00:00
|
|
|
#ifdef DEBUG_DUMPCAP
|
2011-03-21 16:57:11 +00:00
|
|
|
printf("Press any key\n");
|
|
|
|
|
_getch();
|
2006-02-11 23:25:11 +00:00
|
|
|
#endif
|
|
|
|
|
|
2006-04-03 00:52:59 +00:00
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
|
2019-01-25 17:04:33 +01:00
|
|
|
if (ringbuf_is_initialized()) {
|
|
|
|
|
/* save_file is managed by ringbuffer, be sure to release the memory and
|
|
|
|
|
* avoid capture_opts_cleanup from double-freeing 'save_file'. */
|
|
|
|
|
ringbuf_free();
|
|
|
|
|
global_capture_opts.save_file = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-25 10:16:35 +01:00
|
|
|
capture_opts_cleanup(&global_capture_opts);
|
2005-12-01 20:19:30 +00:00
|
|
|
}
|
|
|
|
|
|
2007-11-20 16:53:01 +00:00
|
|
|
#ifdef HAVE_LIBCAP
|
|
|
|
|
/*
|
2012-10-03 15:42:41 +00:00
|
|
|
* If we were linked with libcap (not related to libpcap), make sure we have
|
2007-11-20 16:53:01 +00:00
|
|
|
* CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
|
2008-03-22 19:04:26 +00:00
|
|
|
* (See comment in main() for details)
|
2007-11-20 16:53:01 +00:00
|
|
|
*/
|
2008-02-16 02:39:58 +00:00
|
|
|
static void
|
2007-11-20 16:53:01 +00:00
|
|
|
relinquish_privs_except_capture(void)
|
|
|
|
|
{
|
2024-06-12 09:43:38 -04:00
|
|
|
/*
|
|
|
|
|
* Drop any capabilities other than NET_ADMIN and NET_RAW:
|
2008-03-22 19:04:26 +00:00
|
|
|
*
|
|
|
|
|
* CAP_NET_ADMIN: Promiscuous mode and a truckload of other
|
2007-11-20 16:53:01 +00:00
|
|
|
* stuff we don't need (and shouldn't have).
|
|
|
|
|
* CAP_NET_RAW: Packet capture (raw sockets).
|
2024-06-12 09:43:38 -04:00
|
|
|
*
|
|
|
|
|
* If 'started_with_special_privs' (ie: suid) then drop our
|
|
|
|
|
* suid privileges.
|
2007-11-20 16:53:01 +00:00
|
|
|
*/
|
|
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
cap_t current_caps = cap_get_proc();
|
|
|
|
|
print_caps("Pre set");
|
2008-03-22 19:04:26 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
cap_t caps = cap_init(); /* all capabilities initialized to off */
|
2008-03-22 19:04:26 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
/*
|
|
|
|
|
* We can only set capabilities that are in the permitted set.
|
|
|
|
|
* If the real or effective user ID is 0 (root), then the file
|
|
|
|
|
* inherited and permitted sets are ignored, and our permitted
|
|
|
|
|
* set should be all ones - unless the effective ID is 0, the
|
|
|
|
|
* real ID is not zero, and the binary has file capabilities,
|
|
|
|
|
* in which case the permitted set is only that of the file.
|
|
|
|
|
* (E.g., set-user-ID-root + file capabilities.)
|
|
|
|
|
*
|
|
|
|
|
* If one or more of the euid, ruid, and saved set user ID are
|
|
|
|
|
* all zero and all change to nonzero, then all capabilities are
|
|
|
|
|
* cleared from the permitted, effective, and ambient sets.
|
|
|
|
|
* PR_SET_KEEPCAPS causes the permitted set to be retained, so
|
|
|
|
|
* we can relinquish our changed user ID.
|
|
|
|
|
*
|
|
|
|
|
* All capabilities are always cleared from the effective set
|
|
|
|
|
* when the euid is changed from 0 to nonzero.
|
|
|
|
|
*
|
|
|
|
|
* See capabilities(7).
|
|
|
|
|
*/
|
|
|
|
|
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
|
|
|
|
|
cmdarg_err("prctl() fail return: %s", g_strerror(errno));
|
|
|
|
|
}
|
2008-03-22 19:04:26 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
if (started_with_special_privs()) {
|
|
|
|
|
relinquish_special_privs_perm();
|
|
|
|
|
}
|
2007-11-20 16:53:01 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
/*
|
|
|
|
|
* If cap_set_proc() fails, it leaves the capabilities unchanged.
|
|
|
|
|
* So the only way to guarantee that we've dropped all other
|
|
|
|
|
* capabilities is to ensure that cap_set_proc() succeeds.
|
|
|
|
|
* One option might be to exit if cap_set_proc() fails - but some
|
|
|
|
|
* captures will work with CAP_NET_RAW but not CAP_NET_ADMIN.
|
|
|
|
|
*/
|
2007-11-20 16:53:01 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
cap_value_t cap_list[1] = { CAP_NET_ADMIN };
|
|
|
|
|
int cl_len = array_length(cap_list);
|
|
|
|
|
cap_flag_value_t value;
|
2007-11-20 16:53:01 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
cap_get_flag(current_caps, cap_list[0], CAP_PERMITTED, &value);
|
2007-11-20 16:53:01 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
if (value != CAP_SET) {
|
|
|
|
|
// XXX - Should we warn here? Some captures will still work.
|
|
|
|
|
}
|
|
|
|
|
cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, value);
|
|
|
|
|
// XXX - Do we really need CAP_INHERITABLE?
|
|
|
|
|
cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, value);
|
|
|
|
|
cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, value);
|
2008-03-22 19:04:26 +00:00
|
|
|
|
2024-06-12 09:43:38 -04:00
|
|
|
cap_list[0] = CAP_NET_RAW;
|
|
|
|
|
cap_get_flag(current_caps, cap_list[0], CAP_PERMITTED, &value);
|
|
|
|
|
|
|
|
|
|
if (value != CAP_SET) {
|
|
|
|
|
// XXX - Should we warn here?
|
2007-11-20 16:53:01 +00:00
|
|
|
}
|
2024-06-12 09:43:38 -04:00
|
|
|
cap_set_flag(caps, CAP_PERMITTED, cl_len, cap_list, value);
|
|
|
|
|
// XXX - Do we really need CAP_INHERITABLE?
|
|
|
|
|
cap_set_flag(caps, CAP_INHERITABLE, cl_len, cap_list, value);
|
|
|
|
|
cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, value);
|
|
|
|
|
|
|
|
|
|
if (cap_set_proc(caps)) {
|
|
|
|
|
/*
|
|
|
|
|
* This shouldn't happen, we're only trying to set capabilities
|
|
|
|
|
* already in the permitted set.
|
|
|
|
|
*/
|
|
|
|
|
cmdarg_err("cap_set_proc() fail return: %s", g_strerror(errno));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
print_caps("Post set");
|
|
|
|
|
|
|
|
|
|
cap_free(current_caps);
|
|
|
|
|
cap_free(caps);
|
2008-03-22 19:04:26 +00:00
|
|
|
}
|
|
|
|
|
|
2007-11-20 16:53:01 +00:00
|
|
|
#endif /* HAVE_LIBCAP */
|
|
|
|
|
|
dumpcap: map DLT_ values from libpcap or piped pcap headers to LINKTYPE_s.
For most link-layer header types, the DLT_ value and the LINKTYPE_ value
are the same.
For some DLT_s for which the values are *not* the same on all OSes, or
which weren't defined on some OSes, that's not the case, because, in
order to have a *single* link-layer type value to use in capture files
on *all* platforms, so that the link-layer type is the same no matter
what OS it was captured on, new values were assigned for LINKTYPE_s.
(That's why LINKTYPE_s were created in the first place.)
Therefore, we should map DLT_ values obtained from libpcap to the
corresponding LINKTYPE_ values before using the value in a pcap header
or a pcapng Interface Description Block.
Furthermore, since a pcap or pcapng file being piped to dumpcap might
have been generated by a program that doesn't do DLT_ to LINKTYPE_
mapping (the libpcap from tcpdump.org has done so for many years now,
but OpenBSD's libpcap doesn't), we map them for pcap files as well.
(pcapng files require that we not just blindly copy the pcapng file.
Other things, such as byte-swapped pcapng files, may also require that;
this needs to be looked into.)
Fixes #19230.
2023-08-12 13:45:16 -07:00
|
|
|
/* Map DLT_ values, as returned by pcap_datalink(), to LINKTYPE_ values,
|
|
|
|
|
as are written to capture files.
|
|
|
|
|
|
|
|
|
|
Most of the time, a DLT_ value and the corresponding LINKYPE_ value
|
|
|
|
|
are the same, but there are some cases, where a numeric value as
|
|
|
|
|
a DLT_ doesn't uniquely identify a particular link-layer header type,
|
|
|
|
|
where they differ, so that the values in files *do* identify
|
|
|
|
|
particular link-layer header types. */
|
|
|
|
|
|
|
|
|
|
/* LINKTYPE_ values that don't match corresponding DLT_ values on
|
|
|
|
|
all platforms. */
|
|
|
|
|
#define LINKTYPE_ATM_RFC1483 100
|
|
|
|
|
#define LINKTYPE_RAW 101
|
|
|
|
|
#define LINKTYPE_SLIP_BSDOS 102
|
|
|
|
|
#define LINKTYPE_PPP_BSDOS 103
|
|
|
|
|
#define LINKTYPE_C_HDLC 104
|
|
|
|
|
#define LINKTYPE_IEEE802_11 105
|
|
|
|
|
#define LINKTYPE_ATM_CLIP 106
|
|
|
|
|
#define LINKTYPE_FRELAY 107
|
|
|
|
|
#define LINKTYPE_LOOP 108
|
|
|
|
|
#define LINKTYPE_ENC 109
|
|
|
|
|
#define LINKTYPE_NETBSD_HDLC 112
|
|
|
|
|
#define LINKTYPE_PFSYNC 246
|
|
|
|
|
#define LINKTYPE_PKTAP 258
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
dlt_to_linktype(int dlt)
|
|
|
|
|
{
|
|
|
|
|
/* DLT_NULL through DLT_FDDI have the same numeric value on
|
|
|
|
|
all platforms, so the corresponding LINKTYPE_s have the
|
|
|
|
|
same numeric values. */
|
|
|
|
|
if (dlt >= DLT_NULL && dlt <= DLT_FDDI)
|
|
|
|
|
return (dlt);
|
|
|
|
|
|
|
|
|
|
#if defined(DLT_PFSYNC) && DLT_PFSYNC != LINKTYPE_PFSYNC
|
|
|
|
|
/* DLT_PFSYNC has a value on several platforms that's in the
|
|
|
|
|
non-matching range, a value on FreeBSD that's in the high
|
|
|
|
|
matching range and that's *not* equal to LINKTYPE_PFSYNC,
|
|
|
|
|
and has a value on the rmaining platforms that's equal
|
|
|
|
|
to LINKTYPE_PFSYNC, which is in the high matching range.
|
|
|
|
|
|
|
|
|
|
Map it to LINKTYPE_PFSYNC if it's not equal to LINKTYPE_PFSYNC. */
|
|
|
|
|
if (dlt == DLT_PFSYNC)
|
|
|
|
|
return (LINKTYPE_PFSYNC);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* DLT_PKTAP is defined as DLT_USER2 - which is in the high
|
|
|
|
|
matching range - on Darwin because Apple used DLT_USER2
|
|
|
|
|
on systems that users ran, not just as an internal thing.
|
|
|
|
|
|
|
|
|
|
We map it to LINKTYPE_PKTAP if it's not equal to LINKTYPE_PKTAP
|
|
|
|
|
so that DLT_PKTAP captures from Apple machines can be read by
|
|
|
|
|
software that either doesn't handle DLT_USER2 or that handles it
|
|
|
|
|
as something other than Apple PKTAP. */
|
|
|
|
|
#if defined(DLT_PKTAP) && DLT_PKTAP != LINKTYPE_PKTAP
|
|
|
|
|
if (dlt == DLT_PKTAP)
|
|
|
|
|
return (LINKTYPE_PKTAP);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* For all other DLT_s with values beyond 104, the value
|
|
|
|
|
of the corresponding LINKTYPE_ is the same. */
|
|
|
|
|
if (dlt >= 104)
|
|
|
|
|
return (dlt);
|
|
|
|
|
|
|
|
|
|
/* These DLT_ values have different values on different
|
|
|
|
|
platforms, so we assigned them LINKTYPE_ values just
|
|
|
|
|
below the lower bound of the high matchig range;
|
|
|
|
|
those values should never be equal to any DLT_
|
|
|
|
|
values, so that should avoid collisions.
|
|
|
|
|
|
|
|
|
|
That way, for example, "raw IP" packets will have
|
|
|
|
|
LINKTYPE_RAW as the code in all savefiles for
|
|
|
|
|
which the code that writes them maps to that
|
2023-09-26 00:26:25 -04:00
|
|
|
value, regardless of the platform on which they
|
dumpcap: map DLT_ values from libpcap or piped pcap headers to LINKTYPE_s.
For most link-layer header types, the DLT_ value and the LINKTYPE_ value
are the same.
For some DLT_s for which the values are *not* the same on all OSes, or
which weren't defined on some OSes, that's not the case, because, in
order to have a *single* link-layer type value to use in capture files
on *all* platforms, so that the link-layer type is the same no matter
what OS it was captured on, new values were assigned for LINKTYPE_s.
(That's why LINKTYPE_s were created in the first place.)
Therefore, we should map DLT_ values obtained from libpcap to the
corresponding LINKTYPE_ values before using the value in a pcap header
or a pcapng Interface Description Block.
Furthermore, since a pcap or pcapng file being piped to dumpcap might
have been generated by a program that doesn't do DLT_ to LINKTYPE_
mapping (the libpcap from tcpdump.org has done so for many years now,
but OpenBSD's libpcap doesn't), we map them for pcap files as well.
(pcapng files require that we not just blindly copy the pcapng file.
Other things, such as byte-swapped pcapng files, may also require that;
this needs to be looked into.)
Fixes #19230.
2023-08-12 13:45:16 -07:00
|
|
|
were written, so they should be readable on all
|
|
|
|
|
platforms without having to determine on which
|
|
|
|
|
platform they were written.
|
|
|
|
|
|
|
|
|
|
We map the DLT_ values on this platform, whatever
|
|
|
|
|
it might be, to the corresponding LINKTYPE_ values. */
|
|
|
|
|
#ifdef DLT_ATM_RFC1483
|
|
|
|
|
if (dlt == DLT_ATM_RFC1483)
|
|
|
|
|
return (LINKTYPE_ATM_RFC1483);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef DLT_RAW
|
|
|
|
|
if (dlt == DLT_RAW)
|
|
|
|
|
return (LINKTYPE_RAW);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef DLT_SLIP_BSDOS
|
|
|
|
|
if (dlt == DLT_SLIP_BSDOS)
|
|
|
|
|
return (LINKTYPE_SLIP_BSDOS);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef DLT_PPP_BSDOS
|
|
|
|
|
if (dlt == DLT_PPP_BSDOS)
|
|
|
|
|
return (LINKTYPE_PPP_BSDOS);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* These DLT_ values were originally defined on some platform,
|
|
|
|
|
and weren't defined on other platforms.
|
|
|
|
|
|
|
|
|
|
At least some of those values, on at least one platform,
|
|
|
|
|
collide with the values of other DLT_s on other platforms,
|
|
|
|
|
e.g. DLT_LOOP, so we don't just define them, on all
|
|
|
|
|
platforms, as having the same value as on the original
|
|
|
|
|
platform.
|
|
|
|
|
|
|
|
|
|
Therefore, we assigned new LINKTYPE_ values to them, and,
|
|
|
|
|
on the platforms where they weren't originally defined,
|
|
|
|
|
define the DLT_s to have the same value as the corresponding
|
|
|
|
|
LINKTYPE_.
|
|
|
|
|
|
|
|
|
|
This means that, for capture files with the original
|
|
|
|
|
platform's DLT_ value rather than the LINKTYPE_ value
|
|
|
|
|
as a link-layer type, we will recognize those types
|
|
|
|
|
on that platform, but not on other platforms. */
|
|
|
|
|
#ifdef DLT_FR
|
|
|
|
|
/* BSD/OS Frame Relay */
|
|
|
|
|
if (dlt == DLT_FR)
|
|
|
|
|
return (LINKTYPE_FRELAY);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(DLT_HDLC) && DLT_HDLC != LINKTYPE_NETBSD_HDLC
|
|
|
|
|
/* NetBSD HDLC */
|
|
|
|
|
if (dlt == DLT_HDLC)
|
|
|
|
|
return (LINKTYPE_NETBSD_HDLC);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(DLT_C_HDLC) && DLT_C_HDLC != LINKTYPE_C_HDLC
|
|
|
|
|
/* BSD/OS Cisco HDLC */
|
|
|
|
|
if (dlt == DLT_C_HDLC)
|
|
|
|
|
return (LINKTYPE_C_HDLC);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(DLT_LOOP) && DLT_LOOP != LINKTYPE_LOOP
|
|
|
|
|
/* OpenBSD DLT_LOOP */
|
|
|
|
|
if (dlt == DLT_LOOP)
|
|
|
|
|
return (LINKTYPE_LOOP);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(DLT_ENC) && DLT_ENC != LINKTYPE_ENC
|
|
|
|
|
/* OpenBSD DLT_ENC */
|
|
|
|
|
if (dlt == DLT_ENC)
|
|
|
|
|
return (LINKTYPE_ENC);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* These DLT_ values are not on all platforms, but, so far,
|
|
|
|
|
there don't appear to be any platforms that define
|
|
|
|
|
other DLT_s with those values; we map them to
|
|
|
|
|
different LINKTYPE_ values anyway, just in case. */
|
|
|
|
|
#ifdef DLT_ATM_CLIP
|
|
|
|
|
/* Linux ATM Classical IP */
|
|
|
|
|
if (dlt == DLT_ATM_CLIP)
|
|
|
|
|
return (LINKTYPE_ATM_CLIP);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Treat all other DLT_s as having the same value as the
|
|
|
|
|
corresponding LINKTYPE_. */
|
|
|
|
|
return (dlt);
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/* Take care of byte order in the libpcap headers read from pipes.
|
|
|
|
|
* (function taken from wiretap/libpcap.c) */
|
|
|
|
|
static void
|
2024-07-08 00:26:01 -04:00
|
|
|
cap_pipe_adjust_pcap_header(bool byte_swapped, struct pcap_hdr *hdr, struct pcaprec_hdr *rechdr)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2011-03-21 16:57:11 +00:00
|
|
|
if (byte_swapped) {
|
|
|
|
|
/* Byte-swap the record header fields. */
|
2013-11-29 19:21:20 +00:00
|
|
|
rechdr->ts_sec = GUINT32_SWAP_LE_BE(rechdr->ts_sec);
|
|
|
|
|
rechdr->ts_usec = GUINT32_SWAP_LE_BE(rechdr->ts_usec);
|
|
|
|
|
rechdr->incl_len = GUINT32_SWAP_LE_BE(rechdr->incl_len);
|
|
|
|
|
rechdr->orig_len = GUINT32_SWAP_LE_BE(rechdr->orig_len);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* In file format version 2.3, the "incl_len" and "orig_len" fields were
|
|
|
|
|
swapped, in order to match the BPF header layout.
|
|
|
|
|
|
|
|
|
|
Unfortunately, some files were, according to a comment in the "libpcap"
|
|
|
|
|
source, written with version 2.3 in their headers but without the
|
|
|
|
|
interchanged fields, so if "incl_len" is greater than "orig_len" - which
|
|
|
|
|
would make no sense - we assume that we need to swap them. */
|
|
|
|
|
if (hdr->version_major == 2 &&
|
|
|
|
|
(hdr->version_minor < 3 ||
|
|
|
|
|
(hdr->version_minor == 3 && rechdr->incl_len > rechdr->orig_len))) {
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t temp;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
temp = rechdr->orig_len;
|
|
|
|
|
rechdr->orig_len = rechdr->incl_len;
|
|
|
|
|
rechdr->incl_len = temp;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2012-06-08 11:54:26 +00:00
|
|
|
/* Wrapper: distinguish between recv/read if we're reading on Windows,
|
|
|
|
|
* or just read().
|
|
|
|
|
*/
|
2012-12-26 05:57:06 +00:00
|
|
|
static ssize_t
|
2024-07-08 00:26:01 -04:00
|
|
|
cap_pipe_read(int pipe_fd, char *buf, size_t sz, bool from_socket _U_)
|
2012-06-08 11:54:26 +00:00
|
|
|
{
|
|
|
|
|
#ifdef _WIN32
|
2017-03-05 18:30:43 -08:00
|
|
|
if (from_socket) {
|
|
|
|
|
return recv(pipe_fd, buf, (int)sz, 0);
|
|
|
|
|
} else {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#else
|
2017-03-05 18:30:43 -08:00
|
|
|
return ws_read(pipe_fd, buf, sz);
|
2012-06-08 11:54:26 +00:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-07 23:42:53 +00:00
|
|
|
#if defined(_WIN32)
|
2009-08-26 23:16:37 +00:00
|
|
|
/*
|
|
|
|
|
* Thread function that reads from a pipe and pushes the data
|
|
|
|
|
* to the main application thread.
|
|
|
|
|
*/
|
|
|
|
|
/*
|
|
|
|
|
* XXX Right now we use async queues for basic signaling. The main thread
|
|
|
|
|
* sets cap_pipe_buf and cap_bytes_to_read, then pushes an item onto
|
|
|
|
|
* cap_pipe_pending_q which triggers a read in the cap_pipe_read thread.
|
|
|
|
|
* Iff the read is successful cap_pipe_read pushes an item onto
|
|
|
|
|
* cap_pipe_done_q, otherwise an error is signaled. No data is passed in
|
|
|
|
|
* the queues themselves (yet).
|
2009-09-08 18:02:43 +00:00
|
|
|
*
|
2009-08-26 23:16:37 +00:00
|
|
|
* We might want to move some of the cap_pipe_dispatch logic here so that
|
2012-06-08 11:54:26 +00:00
|
|
|
* we can let cap_thread_read run independently, queuing up multiple reads
|
2009-08-26 23:16:37 +00:00
|
|
|
* for the main thread (and possibly get rid of cap_pipe_read_mtx).
|
|
|
|
|
*/
|
2012-06-08 11:54:26 +00:00
|
|
|
static void *cap_thread_read(void *arg)
|
2011-03-21 16:57:11 +00:00
|
|
|
{
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src;
|
2009-08-26 23:16:37 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
BOOL res;
|
2017-12-04 21:57:08 +01:00
|
|
|
DWORD last_err, bytes_read;
|
2009-08-26 23:16:37 +00:00
|
|
|
#else /* _WIN32 */
|
2012-12-26 15:02:32 +00:00
|
|
|
size_t bytes_read;
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = (capture_src *)arg;
|
|
|
|
|
while (pcap_src->cap_pipe_err == PIPOK) {
|
|
|
|
|
g_async_queue_pop(pcap_src->cap_pipe_pending_q); /* Wait for our cue (ahem) from the main thread */
|
|
|
|
|
g_mutex_lock(pcap_src->cap_pipe_read_mtx);
|
2009-08-26 23:16:37 +00:00
|
|
|
bytes_read = 0;
|
2017-03-05 18:11:22 -08:00
|
|
|
while (bytes_read < pcap_src->cap_pipe_bytes_to_read) {
|
|
|
|
|
if ((pcap_src->from_cap_socket)
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifndef _WIN32
|
|
|
|
|
|| 1
|
|
|
|
|
#endif
|
|
|
|
|
)
|
|
|
|
|
{
|
2018-09-28 12:02:42 -07:00
|
|
|
ssize_t b;
|
2017-03-05 18:11:22 -08:00
|
|
|
b = cap_pipe_read(pcap_src->cap_pipe_fd, pcap_src->cap_pipe_buf+bytes_read,
|
|
|
|
|
pcap_src->cap_pipe_bytes_to_read - bytes_read, pcap_src->from_cap_socket);
|
2012-06-08 11:54:26 +00:00
|
|
|
if (b <= 0) {
|
|
|
|
|
if (b == 0) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
2012-06-08 11:54:26 +00:00
|
|
|
bytes_read = 0;
|
|
|
|
|
break;
|
|
|
|
|
} else {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2012-06-08 11:54:26 +00:00
|
|
|
bytes_read = -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2021-12-20 02:33:15 +00:00
|
|
|
bytes_read += (DWORD)b;
|
2012-06-08 11:54:26 +00:00
|
|
|
}
|
|
|
|
|
}
|
2009-08-26 23:16:37 +00:00
|
|
|
#ifdef _WIN32
|
2012-06-08 11:54:26 +00:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* If we try to use read() on a named pipe on Windows with partial
|
|
|
|
|
* data it appears to return EOF.
|
|
|
|
|
*/
|
2018-09-28 12:02:42 -07:00
|
|
|
DWORD b;
|
2017-03-05 18:11:22 -08:00
|
|
|
res = ReadFile(pcap_src->cap_pipe_h, pcap_src->cap_pipe_buf+bytes_read,
|
|
|
|
|
pcap_src->cap_pipe_bytes_to_read - bytes_read,
|
2012-06-08 11:54:26 +00:00
|
|
|
&b, NULL);
|
|
|
|
|
|
|
|
|
|
bytes_read += b;
|
|
|
|
|
if (!res) {
|
|
|
|
|
last_err = GetLastError();
|
|
|
|
|
if (last_err == ERROR_MORE_DATA) {
|
|
|
|
|
continue;
|
|
|
|
|
} else if (last_err == ERROR_HANDLE_EOF || last_err == ERROR_BROKEN_PIPE || last_err == ERROR_PIPE_NOT_CONNECTED) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
2012-06-08 11:54:26 +00:00
|
|
|
bytes_read = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2012-06-08 11:54:26 +00:00
|
|
|
bytes_read = -1;
|
|
|
|
|
break;
|
2017-03-05 18:11:22 -08:00
|
|
|
} else if (b == 0 && pcap_src->cap_pipe_bytes_to_read > 0) {
|
|
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
2012-06-08 11:54:26 +00:00
|
|
|
bytes_read = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif /*_WIN32 */
|
|
|
|
|
}
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_read = bytes_read;
|
|
|
|
|
if (pcap_src->cap_pipe_bytes_read >= pcap_src->cap_pipe_bytes_to_read) {
|
|
|
|
|
g_async_queue_push(pcap_src->cap_pipe_done_q, pcap_src->cap_pipe_buf); /* Any non-NULL value will do */
|
2009-08-26 23:16:37 +00:00
|
|
|
}
|
2017-03-05 18:11:22 -08:00
|
|
|
g_mutex_unlock(pcap_src->cap_pipe_read_mtx);
|
2009-08-26 23:16:37 +00:00
|
|
|
}
|
2019-04-20 09:42:51 +02:00
|
|
|
/* Post to queue if we didn't read enough data as the main thread waits for the message */
|
|
|
|
|
g_mutex_lock(pcap_src->cap_pipe_read_mtx);
|
|
|
|
|
if (pcap_src->cap_pipe_bytes_read < pcap_src->cap_pipe_bytes_to_read) {
|
2020-11-22 04:02:26 -08:00
|
|
|
/* There's still more of the record to read. */
|
2019-04-20 09:42:51 +02:00
|
|
|
g_async_queue_push(pcap_src->cap_pipe_done_q, pcap_src->cap_pipe_buf); /* Any non-NULL value will do */
|
|
|
|
|
}
|
|
|
|
|
g_mutex_unlock(pcap_src->cap_pipe_read_mtx);
|
2009-08-26 23:16:37 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
2020-11-22 04:02:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do a blocking read from a pipe within the main thread, by pushing
|
|
|
|
|
* the read onto the pipe queue and then popping it off that queue;
|
|
|
|
|
* the pipe will block until the pushed read completes.
|
|
|
|
|
*
|
|
|
|
|
* We do it with another thread because we can't use select() on
|
|
|
|
|
* pipes on Windows, as we can on UN*Xes, we can only use it on
|
|
|
|
|
* sockets.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
pipe_read_sync(capture_src *pcap_src, void *buf, DWORD nbytes)
|
|
|
|
|
{
|
|
|
|
|
pcap_src->cap_pipe_buf = (char *) buf;
|
|
|
|
|
pcap_src->cap_pipe_bytes_read = 0;
|
|
|
|
|
pcap_src->cap_pipe_bytes_to_read = nbytes;
|
|
|
|
|
/* We don't have to worry about cap_pipe_read_mtx here */
|
|
|
|
|
g_async_queue_push(pcap_src->cap_pipe_pending_q, pcap_src->cap_pipe_buf);
|
|
|
|
|
g_async_queue_pop(pcap_src->cap_pipe_done_q);
|
|
|
|
|
}
|
2011-07-16 12:45:47 +00:00
|
|
|
#endif
|
2009-08-26 23:16:37 +00:00
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/* Provide select() functionality for a single file descriptor
|
2009-08-26 23:16:37 +00:00
|
|
|
* on UNIX/POSIX. Windows uses cap_pipe_read via a thread.
|
2008-02-16 02:39:58 +00:00
|
|
|
*
|
2011-06-13 15:28:37 +00:00
|
|
|
* Returns the same values as select.
|
2008-02-16 02:39:58 +00:00
|
|
|
*/
|
|
|
|
|
static int
|
2011-03-21 16:57:11 +00:00
|
|
|
cap_pipe_select(int pipe_fd)
|
|
|
|
|
{
|
|
|
|
|
fd_set rfds;
|
|
|
|
|
struct timeval timeout;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
FD_ZERO(&rfds);
|
|
|
|
|
FD_SET(pipe_fd, &rfds);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
timeout.tv_sec = PIPE_READ_TIMEOUT / 1000000;
|
|
|
|
|
timeout.tv_usec = PIPE_READ_TIMEOUT % 1000000;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-06-13 15:28:37 +00:00
|
|
|
return select(pipe_fd+1, &rfds, NULL, NULL, &timeout);
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
|
|
|
|
|
#define DEF_TCP_PORT 19000
|
|
|
|
|
|
|
|
|
|
static int
|
2018-12-30 18:58:54 -08:00
|
|
|
cap_open_socket(char *pipename, capture_src *pcap_src, char *errmsg, size_t errmsgl)
|
2012-06-08 11:54:26 +00:00
|
|
|
{
|
2019-11-07 23:11:00 +00:00
|
|
|
struct sockaddr_storage sa;
|
Pass an address-family-appropriate socket length to connect().
Some UN*Xes (4.4-lite-derived, such as the obscure, little-known macOS,
FreeBSD, NetBSD, OpenBSD, and DragonFly BSD) have a length field in the
socket address structure.
That was originally done for OSI address support; unlike most transport
addresses, such as IPv4 (and IPv6) addresses, where the size of the
address is fixed, the size of an OSI transport layer address is *not*
fixed, so it cannot be inferred from the address type.
With the dropping of OSI support, that field is no longer necessary in
userland. System calls that take a socket address argument also take an
address length argument; in newer (all?) versions of the {macOS,
FreeBSD, NetBSD, OpenBSD, DragonFly BSD} kernel, the system call code
sets the length field in the kernel's copy of the address to the address
length field value.
However, that means that you have to pass in the appropriate length; if
you have a sockaddr_storage that might contain an IPv4 address or an
IPv6 address, connect() (and bind()) calls should use the IPv4 address
size for IPv4 addresses and the IPv6 address size for IPv6 addresses,
otherwise, at least on macOS, the call fails.
In cap_open_socket(), report socket() and connect() errors separately,
to make it easier to determine where TCP@ captures fail, if they do
fail. (That's how I got here in the first place.)
2020-11-14 22:51:58 -08:00
|
|
|
socklen_t sa_len;
|
2017-03-05 18:30:43 -08:00
|
|
|
int fd;
|
|
|
|
|
|
2019-11-07 23:11:00 +00:00
|
|
|
/* Skip the initial "TCP@" in the pipename. */
|
|
|
|
|
if (ws_socket_ptoa(&sa, pipename + 4, DEF_TCP_PORT) < 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2019-11-07 23:11:00 +00:00
|
|
|
"The capture session could not be initiated because"
|
|
|
|
|
"\"%s\" is not a valid socket specification", pipename);
|
|
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
return -1;
|
2017-03-05 18:30:43 -08:00
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
|
Pass an address-family-appropriate socket length to connect().
Some UN*Xes (4.4-lite-derived, such as the obscure, little-known macOS,
FreeBSD, NetBSD, OpenBSD, and DragonFly BSD) have a length field in the
socket address structure.
That was originally done for OSI address support; unlike most transport
addresses, such as IPv4 (and IPv6) addresses, where the size of the
address is fixed, the size of an OSI transport layer address is *not*
fixed, so it cannot be inferred from the address type.
With the dropping of OSI support, that field is no longer necessary in
userland. System calls that take a socket address argument also take an
address length argument; in newer (all?) versions of the {macOS,
FreeBSD, NetBSD, OpenBSD, DragonFly BSD} kernel, the system call code
sets the length field in the kernel's copy of the address to the address
length field value.
However, that means that you have to pass in the appropriate length; if
you have a sockaddr_storage that might contain an IPv4 address or an
IPv6 address, connect() (and bind()) calls should use the IPv4 address
size for IPv4 addresses and the IPv6 address size for IPv6 addresses,
otherwise, at least on macOS, the call fails.
In cap_open_socket(), report socket() and connect() errors separately,
to make it easier to determine where TCP@ captures fail, if they do
fail. (That's how I got here in the first place.)
2020-11-14 22:51:58 -08:00
|
|
|
if ((fd = (int)socket(sa.ss_family, SOCK_STREAM, 0)) < 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
Pass an address-family-appropriate socket length to connect().
Some UN*Xes (4.4-lite-derived, such as the obscure, little-known macOS,
FreeBSD, NetBSD, OpenBSD, and DragonFly BSD) have a length field in the
socket address structure.
That was originally done for OSI address support; unlike most transport
addresses, such as IPv4 (and IPv6) addresses, where the size of the
address is fixed, the size of an OSI transport layer address is *not*
fixed, so it cannot be inferred from the address type.
With the dropping of OSI support, that field is no longer necessary in
userland. System calls that take a socket address argument also take an
address length argument; in newer (all?) versions of the {macOS,
FreeBSD, NetBSD, OpenBSD, DragonFly BSD} kernel, the system call code
sets the length field in the kernel's copy of the address to the address
length field value.
However, that means that you have to pass in the appropriate length; if
you have a sockaddr_storage that might contain an IPv4 address or an
IPv6 address, connect() (and bind()) calls should use the IPv4 address
size for IPv4 addresses and the IPv6 address size for IPv6 addresses,
otherwise, at least on macOS, the call fails.
In cap_open_socket(), report socket() and connect() errors separately,
to make it easier to determine where TCP@ captures fail, if they do
fail. (That's how I got here in the first place.)
2020-11-14 22:51:58 -08:00
|
|
|
"The capture session could not be initiated because"
|
|
|
|
|
" the socket couldn't be created due to the socket error: \n"
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
" %s", win32strerror(WSAGetLastError()));
|
|
|
|
|
#else
|
|
|
|
|
" %d: %s", errno, g_strerror(errno));
|
|
|
|
|
#endif
|
|
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (sa.ss_family == AF_INET6)
|
|
|
|
|
sa_len = sizeof(struct sockaddr_in6);
|
|
|
|
|
else
|
|
|
|
|
sa_len = sizeof(struct sockaddr_in);
|
|
|
|
|
if (connect(fd, (struct sockaddr *)&sa, sa_len) < 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
Pass an address-family-appropriate socket length to connect().
Some UN*Xes (4.4-lite-derived, such as the obscure, little-known macOS,
FreeBSD, NetBSD, OpenBSD, and DragonFly BSD) have a length field in the
socket address structure.
That was originally done for OSI address support; unlike most transport
addresses, such as IPv4 (and IPv6) addresses, where the size of the
address is fixed, the size of an OSI transport layer address is *not*
fixed, so it cannot be inferred from the address type.
With the dropping of OSI support, that field is no longer necessary in
userland. System calls that take a socket address argument also take an
address length argument; in newer (all?) versions of the {macOS,
FreeBSD, NetBSD, OpenBSD, DragonFly BSD} kernel, the system call code
sets the length field in the kernel's copy of the address to the address
length field value.
However, that means that you have to pass in the appropriate length; if
you have a sockaddr_storage that might contain an IPv4 address or an
IPv6 address, connect() (and bind()) calls should use the IPv4 address
size for IPv4 addresses and the IPv6 address size for IPv6 addresses,
otherwise, at least on macOS, the call fails.
In cap_open_socket(), report socket() and connect() errors separately,
to make it easier to determine where TCP@ captures fail, if they do
fail. (That's how I got here in the first place.)
2020-11-14 22:51:58 -08:00
|
|
|
"The capture session could not be initiated because"
|
|
|
|
|
" the socket couldn't be connected due to the socket error: \n"
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
2019-05-02 09:25:11 -07:00
|
|
|
" %s", win32strerror(WSAGetLastError()));
|
2012-06-08 11:54:26 +00:00
|
|
|
#else
|
2017-03-05 18:30:43 -08:00
|
|
|
" %d: %s", errno, g_strerror(errno));
|
2011-07-15 14:31:27 +00:00
|
|
|
#endif
|
2017-03-05 18:30:43 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2012-06-09 03:36:15 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
cap_pipe_close(fd, true);
|
2017-03-05 18:30:43 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->from_cap_socket = true;
|
2017-03-05 18:30:43 -08:00
|
|
|
return fd;
|
2012-06-08 11:54:26 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2012-06-08 11:54:26 +00:00
|
|
|
/* Wrapper: distinguish between closesocket on Windows; use ws_close
|
|
|
|
|
* otherwise.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2024-07-08 00:26:01 -04:00
|
|
|
cap_pipe_close(int pipe_fd, bool from_socket)
|
2012-06-08 11:54:26 +00:00
|
|
|
{
|
|
|
|
|
#ifdef _WIN32
|
2017-03-05 18:30:43 -08:00
|
|
|
if (from_socket) {
|
|
|
|
|
closesocket(pipe_fd);
|
|
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#else
|
2018-11-13 14:52:14 -08:00
|
|
|
(void) from_socket; /* Mark unused, similar to Q_UNUSED */
|
2017-03-05 18:30:43 -08:00
|
|
|
ws_close(pipe_fd);
|
2012-06-08 11:54:26 +00:00
|
|
|
#endif
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2020-11-25 11:25:10 -08:00
|
|
|
/** Read bytes from a capture source, which is assumed to be a pipe or
|
|
|
|
|
* socket.
|
2018-11-14 11:44:47 -08:00
|
|
|
*
|
|
|
|
|
* Returns -1, or the number of bytes read similar to read(2).
|
|
|
|
|
* Sets pcap_src->cap_pipe_err on error or EOF.
|
|
|
|
|
*/
|
|
|
|
|
static ssize_t
|
2018-12-30 18:58:54 -08:00
|
|
|
cap_pipe_read_data_bytes(capture_src *pcap_src, char *errmsg, size_t errmsgl)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
|
|
|
|
int sel_ret;
|
|
|
|
|
int fd = pcap_src->cap_pipe_fd;
|
|
|
|
|
#ifdef _WIN32
|
2017-12-04 21:57:08 +01:00
|
|
|
DWORD sz, bytes_read = 0;
|
2017-11-22 11:05:48 -08:00
|
|
|
#else /* _WIN32 */
|
2018-11-14 11:44:47 -08:00
|
|
|
ssize_t sz, bytes_read = 0;
|
2017-11-22 11:05:48 -08:00
|
|
|
#endif /* _WIN32 */
|
2017-12-04 21:57:08 +01:00
|
|
|
ssize_t b;
|
|
|
|
|
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("cap_pipe_read_data_bytes read %lu of %lu",
|
2018-09-28 12:02:42 -07:00
|
|
|
pcap_src->cap_pipe_bytes_read, pcap_src->cap_pipe_bytes_to_read);
|
|
|
|
|
#endif
|
2017-11-22 11:05:48 -08:00
|
|
|
sz = pcap_src->cap_pipe_bytes_to_read - pcap_src->cap_pipe_bytes_read;
|
|
|
|
|
while (bytes_read < sz) {
|
|
|
|
|
if (fd == -1) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl, "Invalid file descriptor.");
|
2018-11-14 11:44:47 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPNEXIST;
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sel_ret = cap_pipe_select(fd);
|
|
|
|
|
if (sel_ret < 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Unexpected error from select: %s.", g_strerror(errno));
|
2018-11-14 11:44:47 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
} else if (sel_ret > 0) {
|
|
|
|
|
b = cap_pipe_read(fd, pcap_src->cap_pipe_databuf+pcap_src->cap_pipe_bytes_read+bytes_read,
|
|
|
|
|
sz-bytes_read, pcap_src->from_cap_socket);
|
|
|
|
|
if (b <= 0) {
|
2018-11-14 11:44:47 -08:00
|
|
|
if (b == 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"End of file reading from pipe or socket.");
|
2018-11-14 11:44:47 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
|
|
|
|
} else {
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef _WIN32
|
2020-11-25 11:25:10 -08:00
|
|
|
/*
|
|
|
|
|
* On Windows, we only do this for sockets.
|
|
|
|
|
*/
|
2019-05-02 09:25:11 -07:00
|
|
|
DWORD lastError = WSAGetLastError();
|
2018-09-28 12:02:42 -07:00
|
|
|
errno = lastError;
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"Error reading from pipe or socket: %s.",
|
2019-05-02 09:25:11 -07:00
|
|
|
win32strerror(lastError));
|
2018-09-28 12:02:42 -07:00
|
|
|
#else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"Error reading from pipe or socket: %s.",
|
2018-12-30 18:58:54 -08:00
|
|
|
g_strerror(errno));
|
2018-09-28 12:02:42 -07:00
|
|
|
#endif
|
2018-11-14 11:44:47 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2018-09-28 12:02:42 -07:00
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
2021-12-20 02:33:15 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
bytes_read += (DWORD)b;
|
|
|
|
|
#else
|
2017-11-22 11:05:48 -08:00
|
|
|
bytes_read += b;
|
2021-12-20 02:33:15 +00:00
|
|
|
#endif
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
pcap_src->cap_pipe_bytes_read += bytes_read;
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("cap_pipe_read_data_bytes read %lu of %lu",
|
2018-09-28 12:02:42 -07:00
|
|
|
pcap_src->cap_pipe_bytes_read, pcap_src->cap_pipe_bytes_to_read);
|
|
|
|
|
#endif
|
2018-11-14 11:44:47 -08:00
|
|
|
return bytes_read;
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Some forward declarations for breaking up cap_pipe_open_live for pcap and pcapng formats */
|
2018-12-30 18:58:54 -08:00
|
|
|
static void pcap_pipe_open_live(int fd, capture_src *pcap_src,
|
|
|
|
|
struct pcap_hdr *hdr,
|
2018-12-30 20:39:10 -08:00
|
|
|
char *errmsg, size_t errmsgl,
|
|
|
|
|
char *secondary_errmsg, size_t secondary_errmsgl);
|
2018-12-30 18:58:54 -08:00
|
|
|
static void pcapng_pipe_open_live(int fd, capture_src *pcap_src,
|
|
|
|
|
char *errmsg, size_t errmsgl);
|
|
|
|
|
static int pcapng_pipe_dispatch(loop_data *ld, capture_src *pcap_src,
|
|
|
|
|
char *errmsg, size_t errmsgl);
|
2017-11-22 11:05:48 -08:00
|
|
|
|
2018-12-30 20:39:10 -08:00
|
|
|
/* For problems that are probably Not Our Fault. */
|
|
|
|
|
static char not_our_bug[] =
|
|
|
|
|
"Please report this to the developers of the program writing to the pipe.";
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/* Mimic pcap_open_live() for pipe captures
|
2010-03-13 00:29:30 +00:00
|
|
|
|
|
|
|
|
* We check if "pipename" is "-" (stdin), a AF_UNIX socket, or a FIFO,
|
|
|
|
|
* open it, and read the header.
|
|
|
|
|
*
|
2008-02-16 02:39:58 +00:00
|
|
|
* N.B. : we can't read the libpcap formats used in RedHat 6.1 or SuSE 6.3
|
|
|
|
|
* because we can't seek on pipes (see wiretap/libpcap.c for details) */
|
2009-08-26 23:16:37 +00:00
|
|
|
static void
|
2011-05-15 22:54:52 +00:00
|
|
|
cap_pipe_open_live(char *pipename,
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src,
|
2017-11-22 11:05:48 -08:00
|
|
|
void *hdr,
|
2018-12-30 20:39:10 -08:00
|
|
|
char *errmsg, size_t errmsgl,
|
|
|
|
|
char *secondary_errmsg, size_t secondary_errmsgl)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
|
|
|
|
#ifndef _WIN32
|
2012-11-25 18:35:41 +00:00
|
|
|
ws_statb64 pipe_stat;
|
2011-03-21 16:57:11 +00:00
|
|
|
struct sockaddr_un sa;
|
2009-08-26 23:16:37 +00:00
|
|
|
#else /* _WIN32 */
|
2024-07-22 13:03:52 +02:00
|
|
|
uintptr_t extcap_pipe_handle;
|
2015-04-10 19:04:22 +02:00
|
|
|
#endif
|
2024-07-08 00:26:01 -04:00
|
|
|
bool extcap_pipe = false;
|
2012-12-26 05:57:06 +00:00
|
|
|
ssize_t b;
|
2014-02-25 11:25:47 -05:00
|
|
|
int fd = -1, sel_ret;
|
2012-12-26 05:57:06 +00:00
|
|
|
size_t bytes_read;
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t magic = 0;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_fd = -1;
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_h = INVALID_HANDLE_VALUE;
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2015-04-10 19:04:22 +02:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("cap_pipe_open_live: %s", pipename);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* XXX - this blocks until a pcap per-file header has been written to
|
|
|
|
|
* the pipe, so it could block indefinitely.
|
|
|
|
|
*/
|
|
|
|
|
if (strcmp(pipename, "-") == 0) {
|
2009-08-26 23:16:37 +00:00
|
|
|
#ifndef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
fd = 0; /* read from stdin */
|
2009-08-26 23:16:37 +00:00
|
|
|
#else /* _WIN32 */
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_h = GetStdHandle(STD_INPUT_HANDLE);
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif /* _WIN32 */
|
2012-06-08 11:54:26 +00:00
|
|
|
} else if (!strncmp(pipename, "TCP@", 4)) {
|
2017-03-05 18:11:22 -08:00
|
|
|
if ((fd = cap_open_socket(pipename, pcap_src, errmsg, errmsgl)) < 0) {
|
2012-06-08 11:54:26 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2010-03-13 00:29:30 +00:00
|
|
|
} else {
|
2011-03-21 16:57:11 +00:00
|
|
|
#ifndef _WIN32
|
2017-09-04 20:02:00 +02:00
|
|
|
if ( g_strrstr(pipename, EXTCAP_PIPE_PREFIX) != NULL )
|
2024-07-08 00:26:01 -04:00
|
|
|
extcap_pipe = true;
|
2016-01-04 18:32:39 +01:00
|
|
|
|
2011-04-10 20:59:10 +00:00
|
|
|
if (ws_stat64(pipename, &pipe_stat) < 0) {
|
2011-03-21 16:57:11 +00:00
|
|
|
if (errno == ENOENT || errno == ENOTDIR)
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPNEXIST;
|
2011-03-21 16:57:11 +00:00
|
|
|
else {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2011-03-21 16:57:11 +00:00
|
|
|
"The capture session could not be initiated "
|
2020-11-25 10:41:05 -08:00
|
|
|
"due to error getting information on pipe or socket: %s.", g_strerror(errno));
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
if (S_ISFIFO(pipe_stat.st_mode)) {
|
|
|
|
|
fd = ws_open(pipename, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
|
|
|
|
|
if (fd == -1) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2011-03-21 16:57:11 +00:00
|
|
|
"The capture session could not be initiated "
|
2016-07-09 00:07:52 -07:00
|
|
|
"due to error on pipe open: %s.", g_strerror(errno));
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
} else if (S_ISSOCK(pipe_stat.st_mode)) {
|
|
|
|
|
fd = socket(AF_UNIX, SOCK_STREAM, 0);
|
|
|
|
|
if (fd == -1) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2011-03-21 16:57:11 +00:00
|
|
|
"The capture session could not be initiated "
|
2016-07-09 00:07:52 -07:00
|
|
|
"due to error on socket create: %s.", g_strerror(errno));
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
sa.sun_family = AF_UNIX;
|
|
|
|
|
/*
|
|
|
|
|
* The Single UNIX Specification says:
|
|
|
|
|
*
|
|
|
|
|
* The size of sun_path has intentionally been left undefined.
|
|
|
|
|
* This is because different implementations use different sizes.
|
|
|
|
|
* For example, 4.3 BSD uses a size of 108, and 4.4 BSD uses a size
|
|
|
|
|
* of 104. Since most implementations originate from BSD versions,
|
|
|
|
|
* the size is typically in the range 92 to 108.
|
|
|
|
|
*
|
|
|
|
|
* Applications should not assume a particular length for sun_path
|
|
|
|
|
* or assume that it can hold {_POSIX_PATH_MAX} bytes (256).
|
|
|
|
|
*
|
|
|
|
|
* It also says
|
|
|
|
|
*
|
|
|
|
|
* The <sys/un.h> header shall define the sockaddr_un structure,
|
|
|
|
|
* which shall include at least the following members:
|
|
|
|
|
*
|
|
|
|
|
* sa_family_t sun_family Address family.
|
|
|
|
|
* char sun_path[] Socket pathname.
|
|
|
|
|
*
|
|
|
|
|
* so we assume that it's an array, with a specified size,
|
|
|
|
|
* and that the size reflects the maximum path length.
|
|
|
|
|
*/
|
|
|
|
|
if (g_strlcpy(sa.sun_path, pipename, sizeof sa.sun_path) > sizeof sa.sun_path) {
|
|
|
|
|
/* Path name too long */
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2023-09-26 00:26:25 -04:00
|
|
|
"The capture session could not be initiated "
|
2016-07-09 00:07:52 -07:00
|
|
|
"due to error on socket connect: Path name too long.");
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2012-05-25 01:32:26 +00:00
|
|
|
ws_close(fd);
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
b = connect(fd, (struct sockaddr *)&sa, sizeof sa);
|
|
|
|
|
if (b == -1) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2023-09-26 00:26:25 -04:00
|
|
|
"The capture session could not be initiated "
|
2016-07-09 00:07:52 -07:00
|
|
|
"due to error on socket connect: %s.", g_strerror(errno));
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2012-05-25 01:32:26 +00:00
|
|
|
ws_close(fd);
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (S_ISCHR(pipe_stat.st_mode)) {
|
|
|
|
|
/*
|
|
|
|
|
* Assume the user specified an interface on a system where
|
|
|
|
|
* interfaces are in /dev. Pretend we haven't seen it.
|
|
|
|
|
*/
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPNEXIST;
|
2012-12-23 09:54:05 +00:00
|
|
|
} else {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2011-03-21 16:57:11 +00:00
|
|
|
"The capture session could not be initiated because\n"
|
2016-07-09 00:07:52 -07:00
|
|
|
"\"%s\" is neither an interface nor a socket nor a pipe.", pipename);
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
2016-01-04 18:32:39 +01:00
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
#else /* _WIN32 */
|
2021-12-19 23:12:36 +00:00
|
|
|
if (sscanf(pipename, EXTCAP_PIPE_PREFIX "%" SCNuPTR, &extcap_pipe_handle) == 1)
|
2019-09-11 16:46:00 +02:00
|
|
|
{
|
|
|
|
|
/* The client is already connected to extcap pipe.
|
|
|
|
|
* We have inherited the handle from parent process.
|
|
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
extcap_pipe = true;
|
2019-09-11 16:46:00 +02:00
|
|
|
pcap_src->cap_pipe_h = (HANDLE)extcap_pipe_handle;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2019-09-11 16:46:00 +02:00
|
|
|
else
|
|
|
|
|
{
|
2023-12-07 19:58:21 -05:00
|
|
|
if (!win32_is_pipe_name(pipename)) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2019-09-11 16:46:00 +02:00
|
|
|
"The capture session could not be initiated because\n"
|
|
|
|
|
"\"%s\" is neither an interface nor a pipe.", pipename);
|
|
|
|
|
pcap_src->cap_pipe_err = PIPNEXIST;
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2019-09-11 16:46:00 +02:00
|
|
|
/* Wait for the pipe to appear */
|
|
|
|
|
while (1) {
|
|
|
|
|
pcap_src->cap_pipe_h = CreateFile(utf_8to16(pipename), GENERIC_READ, 0, NULL,
|
|
|
|
|
OPEN_EXISTING, 0, NULL);
|
|
|
|
|
|
|
|
|
|
if (pcap_src->cap_pipe_h != INVALID_HANDLE_VALUE)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
if (GetLastError() != ERROR_PIPE_BUSY) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2019-09-11 16:46:00 +02:00
|
|
|
"The capture session on \"%s\" could not be started "
|
|
|
|
|
"due to error on pipe open: %s.",
|
|
|
|
|
pipename, win32strerror(GetLastError()));
|
|
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!WaitNamedPipe(utf_8to16(pipename), 30 * 1000)) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2019-09-11 16:46:00 +02:00
|
|
|
"The capture session on \"%s\" timed out during "
|
|
|
|
|
"pipe open: %s.",
|
|
|
|
|
pipename, win32strerror(GetLastError()));
|
|
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif /* _WIN32 */
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->from_cap_pipe = true;
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We start with a 2KB buffer for packet data, which should be
|
|
|
|
|
* large enough for most regular network packets. We increase it,
|
|
|
|
|
* up to the maximum size we allow, as necessary.
|
|
|
|
|
*/
|
2018-09-28 12:02:42 -07:00
|
|
|
pcap_src->cap_pipe_databuf = (char*)g_malloc(2048);
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
pcap_src->cap_pipe_databuf_size = 2048;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* Read the first 4 bytes of data from the pipe.
|
|
|
|
|
*
|
|
|
|
|
* If a pcap file is being written to it, that will be
|
|
|
|
|
* the pcap magic number.
|
|
|
|
|
*
|
|
|
|
|
* If a pcapng file is being written to it, that will be
|
|
|
|
|
* the block type of the initial SHB.
|
|
|
|
|
*/
|
2013-03-19 05:09:37 +00:00
|
|
|
#ifdef _WIN32
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* On UN*X, we can use select() on pipes or sockets.
|
|
|
|
|
*
|
|
|
|
|
* On Windows, we can only use it on sockets; to do non-blocking
|
|
|
|
|
* reads from pipes, we currently do reads in a separate thread
|
|
|
|
|
* and use GLib asynchronous queues from the main thread to start
|
|
|
|
|
* read operations and to wait for them to complete.
|
|
|
|
|
*/
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->from_cap_socket)
|
2012-06-08 11:54:26 +00:00
|
|
|
#endif
|
2013-03-19 05:09:37 +00:00
|
|
|
{
|
2012-12-23 09:54:05 +00:00
|
|
|
bytes_read = 0;
|
|
|
|
|
while (bytes_read < sizeof magic) {
|
|
|
|
|
sel_ret = cap_pipe_select(fd);
|
|
|
|
|
if (sel_ret < 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Unexpected error from select: %s.",
|
|
|
|
|
g_strerror(errno));
|
2012-12-23 09:54:05 +00:00
|
|
|
goto error;
|
|
|
|
|
} else if (sel_ret > 0) {
|
2012-12-26 05:57:06 +00:00
|
|
|
b = cap_pipe_read(fd, ((char *)&magic)+bytes_read,
|
|
|
|
|
sizeof magic-bytes_read,
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->from_cap_socket);
|
2016-01-04 18:32:39 +01:00
|
|
|
/* jump messaging, if extcap had an error, stderr will provide the correct message */
|
|
|
|
|
if (extcap_pipe && b <= 0)
|
|
|
|
|
goto error;
|
2018-01-06 21:39:26 +01:00
|
|
|
|
2012-12-23 09:54:05 +00:00
|
|
|
if (b <= 0) {
|
|
|
|
|
if (b == 0)
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"End of file on pipe magic during open.");
|
2012-12-23 09:54:05 +00:00
|
|
|
else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Error on pipe magic during open: %s.",
|
2012-12-23 09:54:05 +00:00
|
|
|
g_strerror(errno));
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
bytes_read += b;
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-06-21 13:23:45 +00:00
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
else {
|
2020-11-22 04:02:26 -08:00
|
|
|
/* Create a thread to read from this pipe */
|
2017-03-05 18:11:22 -08:00
|
|
|
g_thread_new("cap_pipe_open_live", &cap_thread_read, pcap_src);
|
2012-12-23 09:54:05 +00:00
|
|
|
|
2020-11-22 04:02:26 -08:00
|
|
|
pipe_read_sync(pcap_src, &magic, sizeof(magic));
|
2016-01-04 18:32:39 +01:00
|
|
|
/* jump messaging, if extcap had an error, stderr will provide the correct message */
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read <= 0 && extcap_pipe)
|
2016-01-04 18:32:39 +01:00
|
|
|
goto error;
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read <= 0) {
|
|
|
|
|
if (pcap_src->cap_pipe_bytes_read == 0)
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"End of file on pipe magic during open.");
|
2012-12-23 09:54:05 +00:00
|
|
|
else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Error on pipe magic during open: %s.",
|
2012-12-23 09:54:05 +00:00
|
|
|
g_strerror(errno));
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
2011-07-16 12:45:47 +00:00
|
|
|
#endif
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
switch (magic) {
|
|
|
|
|
case PCAP_MAGIC:
|
2012-03-10 00:24:42 +00:00
|
|
|
case PCAP_NSEC_MAGIC:
|
2020-11-22 04:02:26 -08:00
|
|
|
/* This is a pcap file.
|
|
|
|
|
The host that wrote it has our byte order, and was running
|
2011-03-21 16:57:11 +00:00
|
|
|
a program using either standard or ss990417 libpcap. */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->cap_pipe_info.pcap.byte_swapped = false;
|
|
|
|
|
pcap_src->cap_pipe_modified = false;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->ts_nsec = magic == PCAP_NSEC_MAGIC;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
case PCAP_MODIFIED_MAGIC:
|
2020-11-22 04:02:26 -08:00
|
|
|
/* This is a pcap file.
|
|
|
|
|
The host that wrote it has our byte order, but was running
|
2011-03-21 16:57:11 +00:00
|
|
|
a program using either ss990915 or ss991029 libpcap. */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->cap_pipe_info.pcap.byte_swapped = false;
|
|
|
|
|
pcap_src->cap_pipe_modified = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
case PCAP_SWAPPED_MAGIC:
|
2012-03-10 00:24:42 +00:00
|
|
|
case PCAP_SWAPPED_NSEC_MAGIC:
|
2020-11-22 04:02:26 -08:00
|
|
|
/* This is a pcap file.
|
|
|
|
|
The host that wrote it has a byte order opposite to ours,
|
2011-03-21 16:57:11 +00:00
|
|
|
and was running a program using either standard or
|
|
|
|
|
ss990417 libpcap. */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->cap_pipe_info.pcap.byte_swapped = true;
|
|
|
|
|
pcap_src->cap_pipe_modified = false;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->ts_nsec = magic == PCAP_SWAPPED_NSEC_MAGIC;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
case PCAP_SWAPPED_MODIFIED_MAGIC:
|
2020-11-22 04:02:26 -08:00
|
|
|
/* This is a pcap file.
|
|
|
|
|
The host that wrote it out has a byte order opposite to
|
2011-03-21 16:57:11 +00:00
|
|
|
ours, and was running a program using either ss990915
|
|
|
|
|
or ss991029 libpcap. */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->cap_pipe_info.pcap.byte_swapped = true;
|
|
|
|
|
pcap_src->cap_pipe_modified = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
2016-07-09 00:07:52 -07:00
|
|
|
case BLOCK_TYPE_SHB:
|
2020-11-22 04:02:26 -08:00
|
|
|
/* This is a pcapng file. */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->from_pcapng = true;
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_dispatch = pcapng_pipe_dispatch;
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->cap_pipe_info.pcapng.src_iface_to_global = g_array_new(FALSE, FALSE, sizeof(uint32_t));
|
|
|
|
|
global_capture_opts.use_pcapng = true; /* we can only output in pcapng format */
|
2020-11-22 04:02:26 -08:00
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
default:
|
2020-11-22 04:02:26 -08:00
|
|
|
/* Not a pcapng file, and either not a pcap type we know about
|
|
|
|
|
or not a pcap file, either. */
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2022-12-10 17:49:59 -08:00
|
|
|
"File type is neither a supported pcap nor pcapng format. (magic = 0x%08x)", magic);
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsgl, "%s",
|
2018-12-30 20:39:10 -08:00
|
|
|
not_our_bug);
|
2011-03-21 16:57:11 +00:00
|
|
|
goto error;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2020-11-25 12:43:00 -08:00
|
|
|
if (pcap_src->from_pcapng)
|
|
|
|
|
pcapng_pipe_open_live(fd, pcap_src, errmsg, errmsgl);
|
|
|
|
|
else
|
|
|
|
|
pcap_pipe_open_live(fd, pcap_src, (struct pcap_hdr *) hdr, errmsg, errmsgl,
|
|
|
|
|
secondary_errmsg, secondary_errmsgl);
|
|
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
error:
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("cap_pipe_open_live: error %s", errmsg);
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
cap_pipe_close(fd, pcap_src->from_cap_socket);
|
|
|
|
|
pcap_src->cap_pipe_fd = -1;
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
pcap_src->cap_pipe_h = INVALID_HANDLE_VALUE;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* Read the part of the pcap file header that follows the magic
|
|
|
|
|
* number (we've already read the magic number).
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
static void
|
|
|
|
|
pcap_pipe_open_live(int fd,
|
|
|
|
|
capture_src *pcap_src,
|
|
|
|
|
struct pcap_hdr *hdr,
|
2018-12-30 20:39:10 -08:00
|
|
|
char *errmsg, size_t errmsgl,
|
|
|
|
|
char *secondary_errmsg, size_t secondary_errmsgl)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
|
|
|
|
size_t bytes_read;
|
|
|
|
|
ssize_t b;
|
|
|
|
|
int sel_ret;
|
2020-11-22 04:02:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We're reading from a pcap file. We've already read the magic
|
|
|
|
|
* number; read the rest of the header.
|
|
|
|
|
*
|
|
|
|
|
* (Note that struct pcap_hdr is a structure for the part of a
|
|
|
|
|
* pcap file header *following the magic number*; it does not
|
|
|
|
|
* include the magic number itself.)
|
|
|
|
|
*/
|
2013-03-19 05:09:37 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->from_cap_socket)
|
2012-06-08 11:54:26 +00:00
|
|
|
#endif
|
2013-03-19 05:09:37 +00:00
|
|
|
{
|
2020-11-22 04:02:26 -08:00
|
|
|
/* Keep reading until we get the rest of the header. */
|
2012-12-23 09:54:05 +00:00
|
|
|
bytes_read = 0;
|
|
|
|
|
while (bytes_read < sizeof(struct pcap_hdr)) {
|
|
|
|
|
sel_ret = cap_pipe_select(fd);
|
|
|
|
|
if (sel_ret < 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Unexpected error from select: %s.",
|
|
|
|
|
g_strerror(errno));
|
2012-12-23 09:54:05 +00:00
|
|
|
goto error;
|
|
|
|
|
} else if (sel_ret > 0) {
|
|
|
|
|
b = cap_pipe_read(fd, ((char *)hdr)+bytes_read,
|
2012-12-26 05:57:06 +00:00
|
|
|
sizeof(struct pcap_hdr) - bytes_read,
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->from_cap_socket);
|
2012-12-23 09:54:05 +00:00
|
|
|
if (b <= 0) {
|
|
|
|
|
if (b == 0)
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"End of file on pipe header during open.");
|
2012-12-23 09:54:05 +00:00
|
|
|
else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Error on pipe header during open: %s.",
|
2012-12-23 09:54:05 +00:00
|
|
|
g_strerror(errno));
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsgl,
|
2018-12-30 20:39:10 -08:00
|
|
|
"%s", not_our_bug);
|
2012-12-23 09:54:05 +00:00
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
bytes_read += b;
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
else {
|
2020-11-22 04:02:26 -08:00
|
|
|
pipe_read_sync(pcap_src, hdr, sizeof(struct pcap_hdr));
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read <= 0) {
|
|
|
|
|
if (pcap_src->cap_pipe_bytes_read == 0)
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"End of file on pipe header during open.");
|
2012-12-23 09:54:05 +00:00
|
|
|
else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Error on pipe header header during open: %s.",
|
2012-12-23 09:54:05 +00:00
|
|
|
g_strerror(errno));
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsgl, "%s",
|
2018-12-30 20:39:10 -08:00
|
|
|
not_our_bug);
|
2012-12-23 09:54:05 +00:00
|
|
|
goto error;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
2011-07-16 12:45:47 +00:00
|
|
|
#endif
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2018-10-17 17:59:07 +00:00
|
|
|
if (pcap_src->cap_pipe_info.pcap.byte_swapped) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Byte-swap the header fields about which we care. */
|
2013-11-29 19:21:20 +00:00
|
|
|
hdr->version_major = GUINT16_SWAP_LE_BE(hdr->version_major);
|
|
|
|
|
hdr->version_minor = GUINT16_SWAP_LE_BE(hdr->version_minor);
|
|
|
|
|
hdr->snaplen = GUINT32_SWAP_LE_BE(hdr->snaplen);
|
|
|
|
|
hdr->network = GUINT32_SWAP_LE_BE(hdr->network);
|
2025-03-24 09:24:14 -04:00
|
|
|
|
|
|
|
|
/* XXX - There are some link-layer types, like Linux USB or Linux SLL
|
|
|
|
|
* carrying CAN bus, that have metadata fields in host byte order in
|
|
|
|
|
* the packet data. We don't byte-swap those currently, but should.
|
|
|
|
|
* Fail with an error on those link-layer types?
|
|
|
|
|
*/
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
dumpcap: map DLT_ values from libpcap or piped pcap headers to LINKTYPE_s.
For most link-layer header types, the DLT_ value and the LINKTYPE_ value
are the same.
For some DLT_s for which the values are *not* the same on all OSes, or
which weren't defined on some OSes, that's not the case, because, in
order to have a *single* link-layer type value to use in capture files
on *all* platforms, so that the link-layer type is the same no matter
what OS it was captured on, new values were assigned for LINKTYPE_s.
(That's why LINKTYPE_s were created in the first place.)
Therefore, we should map DLT_ values obtained from libpcap to the
corresponding LINKTYPE_ values before using the value in a pcap header
or a pcapng Interface Description Block.
Furthermore, since a pcap or pcapng file being piped to dumpcap might
have been generated by a program that doesn't do DLT_ to LINKTYPE_
mapping (the libpcap from tcpdump.org has done so for many years now,
but OpenBSD's libpcap doesn't), we map them for pcap files as well.
(pcapng files require that we not just blindly copy the pcapng file.
Other things, such as byte-swapped pcapng files, may also require that;
this needs to be looked into.)
Fixes #19230.
2023-08-12 13:45:16 -07:00
|
|
|
/*
|
|
|
|
|
* The link-layer header type field of the pcap header is
|
|
|
|
|
* probably a LINKTYPE_ value, as the vast majority of
|
|
|
|
|
* LINKTYPE_ values and their corresponding DLT_ values
|
|
|
|
|
* are the same.
|
|
|
|
|
*
|
|
|
|
|
* However, in case the file was written by a program
|
|
|
|
|
* that used a DLT_ value, rather than a LINKTYPE_ value,
|
|
|
|
|
* in one of the cases where the two differ, use dlt_to_linktype()
|
|
|
|
|
* to map to a LINKTYPE_ value, just as we use it to map
|
|
|
|
|
* the result of pcap_datalink() to a LINKTYPE_ value.
|
|
|
|
|
*/
|
|
|
|
|
pcap_src->linktype = dlt_to_linktype(hdr->network);
|
2019-08-19 21:16:46 -07:00
|
|
|
/* Pick the appropriate maximum packet size for the link type */
|
|
|
|
|
switch (pcap_src->linktype) {
|
|
|
|
|
|
|
|
|
|
case 231: /* DLT_DBUS */
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
pcap_src->cap_pipe_max_pkt_size = WTAP_MAX_PACKET_SIZE_DBUS;
|
2019-08-19 21:16:46 -07:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 279: /* DLT_EBHSCR */
|
2019-01-15 14:38:09 +01:00
|
|
|
pcap_src->cap_pipe_max_pkt_size = WTAP_MAX_PACKET_SIZE_EBHSCR;
|
2019-08-19 21:16:46 -07:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case 249: /* DLT_USBPCAP */
|
|
|
|
|
pcap_src->cap_pipe_max_pkt_size = WTAP_MAX_PACKET_SIZE_USBPCAP;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
pcap_src->cap_pipe_max_pkt_size = WTAP_MAX_PACKET_SIZE_STANDARD;
|
2019-08-19 21:16:46 -07:00
|
|
|
break;
|
2019-01-15 14:38:09 +01:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
if (hdr->version_major < 2) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 20:39:10 -08:00
|
|
|
"The old pcap format version %d.%d is not supported.",
|
2017-11-22 11:05:48 -08:00
|
|
|
hdr->version_major, hdr->version_minor);
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsgl, "%s",
|
2018-12-30 20:39:10 -08:00
|
|
|
not_our_bug);
|
2011-03-21 16:57:11 +00:00
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_fd = fd;
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
error:
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcap_pipe_open_live: error %s", errmsg);
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
cap_pipe_close(fd, pcap_src->from_cap_socket);
|
|
|
|
|
pcap_src->cap_pipe_fd = -1;
|
2017-01-30 12:52:35 -08:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_h = INVALID_HANDLE_VALUE;
|
2017-01-30 12:52:35 -08:00
|
|
|
#endif
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
2020-11-24 23:43:33 -08:00
|
|
|
* Synchronously read the fixed portion of the pcapng section header block
|
2020-11-22 04:02:26 -08:00
|
|
|
* (we've already read the pcapng block header).
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
static int
|
|
|
|
|
pcapng_read_shb(capture_src *pcap_src,
|
|
|
|
|
char *errmsg,
|
2018-12-30 18:58:54 -08:00
|
|
|
size_t errmsgl)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
2019-05-23 10:24:02 +02:00
|
|
|
pcapng_section_header_block_t shb;
|
2017-11-22 11:05:48 -08:00
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
if (pcap_src->from_cap_socket)
|
|
|
|
|
#endif
|
|
|
|
|
{
|
2019-05-23 10:24:02 +02:00
|
|
|
pcap_src->cap_pipe_bytes_to_read = sizeof(pcapng_block_header_t) + sizeof(pcapng_section_header_block_t);
|
2018-11-14 11:44:47 -08:00
|
|
|
if (cap_pipe_read_data_bytes(pcap_src, errmsg, errmsgl) < 0) {
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
else {
|
2020-11-22 04:02:26 -08:00
|
|
|
pipe_read_sync(pcap_src, pcap_src->cap_pipe_databuf + sizeof(pcapng_block_header_t),
|
|
|
|
|
sizeof(pcapng_section_header_block_t));
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read <= 0) {
|
|
|
|
|
if (pcap_src->cap_pipe_bytes_read == 0)
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"End of file reading from pipe or socket.");
|
2020-11-25 11:25:10 -08:00
|
|
|
else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"Error reading from pipe or socket: %s.",
|
2020-11-25 11:25:10 -08:00
|
|
|
g_strerror(errno));
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
2018-10-04 18:09:28 -07:00
|
|
|
/* Continuing with STATE_EXPECT_DATA requires reading into cap_pipe_databuf at offset cap_pipe_bytes_read */
|
2019-05-23 10:24:02 +02:00
|
|
|
pcap_src->cap_pipe_bytes_read = sizeof(pcapng_block_header_t) + sizeof(pcapng_section_header_block_t);
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
#endif
|
2019-05-23 10:24:02 +02:00
|
|
|
memcpy(&shb, pcap_src->cap_pipe_databuf + sizeof(pcapng_block_header_t), sizeof(pcapng_section_header_block_t));
|
2018-10-08 13:25:36 -07:00
|
|
|
switch (shb.magic)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
|
|
|
|
case PCAPNG_MAGIC:
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng SHB MAGIC");
|
2025-03-24 09:24:14 -04:00
|
|
|
pcap_src->cap_pipe_info.pcapng.byte_swapped = false;
|
2017-11-22 11:05:48 -08:00
|
|
|
break;
|
|
|
|
|
case PCAPNG_SWAPPED_MAGIC:
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng SHB SWAPPED MAGIC");
|
2018-10-17 17:59:07 +00:00
|
|
|
#if G_BYTE_ORDER == G_BIG_ENDIAN
|
|
|
|
|
#define OUR_ENDIAN "big"
|
|
|
|
|
#define IFACE_ENDIAN "little"
|
|
|
|
|
#else
|
|
|
|
|
#define OUR_ENDIAN "little"
|
|
|
|
|
#define IFACE_ENDIAN "big"
|
|
|
|
|
#endif
|
2025-03-24 09:24:14 -04:00
|
|
|
if (!global_ld.pcapng_passthrough) {
|
|
|
|
|
/* Dumpcap is generating its own SHB and IDBs, which will have the
|
|
|
|
|
* opposite endianness of this source SHB. To handle this, we'd have
|
|
|
|
|
* to byte swap various elements (including in other block types);
|
|
|
|
|
* we don't do that for pcapng yet.
|
|
|
|
|
*
|
|
|
|
|
* We also might have to byte-swap some fields in the packet data,
|
|
|
|
|
* at least for link-layer types like Linux USB or Linux SLL
|
|
|
|
|
* carrying CAN bus that have metadata fields in host byte order.
|
|
|
|
|
*
|
|
|
|
|
* XXX - If *all* the input pcapng SHBs are the opposite byte order
|
|
|
|
|
* of the host, we could generate an opposite byte order SHB and
|
|
|
|
|
* IDBs. It still wouldn't handle the mixed case.
|
|
|
|
|
*/
|
|
|
|
|
snprintf(errmsg, errmsgl,
|
|
|
|
|
"Interface %u is " IFACE_ENDIAN " endian but we're " OUR_ENDIAN " endian.",
|
|
|
|
|
pcap_src->interface_id);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
/* Remember that this pipe's current section is byte swapped; we're
|
|
|
|
|
* passing everything through, but still need to swap the block total
|
|
|
|
|
* length and, for other block types, the block type, to read correctly.
|
|
|
|
|
*/
|
|
|
|
|
pcap_src->cap_pipe_info.pcapng.byte_swapped = true;
|
|
|
|
|
pcapng_block_header_t *bh = &pcap_src->cap_pipe_info.pcapng.bh;
|
|
|
|
|
bh->block_total_length = GUINT32_SWAP_LE_BE(bh->block_total_length);
|
|
|
|
|
break;
|
2017-11-22 11:05:48 -08:00
|
|
|
default:
|
|
|
|
|
/* Not a pcapng type we know about, or not pcapng at all. */
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"Unrecognized pcapng format or not pcapng data.");
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pcap_src->cap_pipe_max_pkt_size = WTAP_MAX_PACKET_SIZE_STANDARD;
|
|
|
|
|
|
2018-10-04 18:09:28 -07:00
|
|
|
/* Setup state to capture any options following the section header block */
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_EXPECT_DATA;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
/*
|
dumpcap: map DLT_ values from libpcap or piped pcap headers to LINKTYPE_s.
For most link-layer header types, the DLT_ value and the LINKTYPE_ value
are the same.
For some DLT_s for which the values are *not* the same on all OSes, or
which weren't defined on some OSes, that's not the case, because, in
order to have a *single* link-layer type value to use in capture files
on *all* platforms, so that the link-layer type is the same no matter
what OS it was captured on, new values were assigned for LINKTYPE_s.
(That's why LINKTYPE_s were created in the first place.)
Therefore, we should map DLT_ values obtained from libpcap to the
corresponding LINKTYPE_ values before using the value in a pcap header
or a pcapng Interface Description Block.
Furthermore, since a pcap or pcapng file being piped to dumpcap might
have been generated by a program that doesn't do DLT_ to LINKTYPE_
mapping (the libpcap from tcpdump.org has done so for many years now,
but OpenBSD's libpcap doesn't), we map them for pcap files as well.
(pcapng files require that we not just blindly copy the pcapng file.
Other things, such as byte-swapped pcapng files, may also require that;
this needs to be looked into.)
Fixes #19230.
2023-08-12 13:45:16 -07:00
|
|
|
* Save IDB blocks for playback whenever we change output files, and
|
|
|
|
|
* fix LINKTYPE_ values that are really platform-dependent DLT_ values.
|
2018-10-08 13:25:36 -07:00
|
|
|
* Rewrite EPB and ISB interface IDs.
|
|
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2024-06-17 18:40:41 +02:00
|
|
|
pcapng_adjust_block(capture_src *pcap_src, const pcapng_block_header_t *bh, uint8_t *pd)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
2018-10-08 13:25:36 -07:00
|
|
|
switch(bh->block_type) {
|
|
|
|
|
case BLOCK_TYPE_SHB:
|
|
|
|
|
{
|
2018-11-26 13:55:32 -08:00
|
|
|
if (global_ld.pcapng_passthrough) {
|
2018-10-08 13:25:36 -07:00
|
|
|
/*
|
|
|
|
|
* We have a single pcapng input. We pass the SHB through when
|
|
|
|
|
* writing a single output file and for the first ring buffer
|
|
|
|
|
* file. We need to save it for the second and subsequent ring
|
|
|
|
|
* buffer files.
|
|
|
|
|
*/
|
2018-11-26 13:55:32 -08:00
|
|
|
g_free(global_ld.saved_shb);
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.saved_shb = (uint8_t *) g_memdup2(pd, bh->block_total_length);
|
2017-11-22 11:05:48 -08:00
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
/*
|
|
|
|
|
* We're dealing with one section at a time, so we can (and must)
|
|
|
|
|
* get rid of our old IDBs.
|
|
|
|
|
*/
|
2018-11-26 13:55:32 -08:00
|
|
|
for (unsigned i = 0; i < global_ld.saved_idbs->len; i++) {
|
|
|
|
|
saved_idb_t *idb_source = &g_array_index(global_ld.saved_idbs, saved_idb_t, i);
|
2018-10-08 13:25:36 -07:00
|
|
|
g_free(idb_source->idb);
|
|
|
|
|
}
|
2018-11-26 13:55:32 -08:00
|
|
|
g_array_set_size(global_ld.saved_idbs, 0);
|
2018-10-08 13:25:36 -07:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* We have a new SHB from this capture source. We need to keep
|
|
|
|
|
* global_ld.saved_idbs intact, so we mark IDBs we previously
|
|
|
|
|
* collected from this source as deleted.
|
|
|
|
|
*/
|
|
|
|
|
for (unsigned i = 0; i < pcap_src->cap_pipe_info.pcapng.src_iface_to_global->len; i++) {
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t iface_id = g_array_index(pcap_src->cap_pipe_info.pcapng.src_iface_to_global, uint32_t, i);
|
2018-11-26 13:55:32 -08:00
|
|
|
saved_idb_t *idb_source = &g_array_index(global_ld.saved_idbs, saved_idb_t, iface_id);
|
2021-06-18 19:21:42 +01:00
|
|
|
ws_assert(idb_source->interface_id == pcap_src->interface_id);
|
2018-10-08 13:25:36 -07:00
|
|
|
g_free(idb_source->idb);
|
|
|
|
|
memset(idb_source, 0, sizeof(saved_idb_t));
|
2024-07-08 00:26:01 -04:00
|
|
|
idb_source->deleted = true;
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: deleted pcapng IDB %u", G_STRFUNC, iface_id);
|
2018-10-08 13:25:36 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
g_array_set_size(pcap_src->cap_pipe_info.pcapng.src_iface_to_global, 0);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case BLOCK_TYPE_IDB:
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Always gather IDBs. We can remove them or mark them as deleted
|
|
|
|
|
* when we get a new SHB.
|
|
|
|
|
*/
|
|
|
|
|
saved_idb_t idb_source = { 0 };
|
|
|
|
|
idb_source.interface_id = pcap_src->interface_id;
|
|
|
|
|
idb_source.idb_len = bh->block_total_length;
|
2024-07-08 00:26:01 -04:00
|
|
|
idb_source.idb = (uint8_t *) g_memdup2(pd, idb_source.idb_len);
|
2018-11-26 13:55:32 -08:00
|
|
|
g_array_append_val(global_ld.saved_idbs, idb_source);
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t iface_id = global_ld.saved_idbs->len - 1;
|
2018-10-08 13:25:36 -07:00
|
|
|
g_array_append_val(pcap_src->cap_pipe_info.pcapng.src_iface_to_global, iface_id);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: mapped pcapng IDB %u -> %u from source %u",
|
2018-10-08 13:25:36 -07:00
|
|
|
G_STRFUNC, pcap_src->cap_pipe_info.pcapng.src_iface_to_global->len - 1, iface_id, pcap_src->interface_id);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case BLOCK_TYPE_EPB:
|
|
|
|
|
case BLOCK_TYPE_ISB:
|
|
|
|
|
{
|
2018-11-26 13:55:32 -08:00
|
|
|
if (global_ld.pcapng_passthrough) {
|
2018-10-08 13:25:36 -07:00
|
|
|
/* Our input and output interface IDs are the same. */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
/* The interface ID is the first 32-bit field after the BH for both EPBs and ISBs. */
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t iface_id;
|
2019-05-23 10:24:02 +02:00
|
|
|
memcpy(&iface_id, pd + sizeof(pcapng_block_header_t), 4);
|
2018-10-08 13:25:36 -07:00
|
|
|
if (iface_id < pcap_src->cap_pipe_info.pcapng.src_iface_to_global->len) {
|
2019-05-23 10:24:02 +02:00
|
|
|
memcpy(pd + sizeof(pcapng_block_header_t),
|
2024-07-08 00:26:01 -04:00
|
|
|
&g_array_index(pcap_src->cap_pipe_info.pcapng.src_iface_to_global, uint32_t, iface_id), 4);
|
2018-10-08 13:25:36 -07:00
|
|
|
} else {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: pcapng EPB or ISB interface id %u > max %u", G_STRFUNC, iface_id, pcap_src->cap_pipe_info.pcapng.src_iface_to_global->len);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2018-10-08 13:25:36 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
|
2024-04-17 16:20:50 -07:00
|
|
|
/*
|
|
|
|
|
* Return true if the block contains packet, event, or log data. Return false otherwise.
|
|
|
|
|
*/
|
|
|
|
|
static bool is_data_block(uint32_t block_type)
|
|
|
|
|
{
|
2025-05-28 10:17:43 -04:00
|
|
|
/* This should be the negation of get_block_type_internal in
|
|
|
|
|
* wiretap/pcapng.c, but dumpcap doesn't link with wiretap, and
|
|
|
|
|
* wouldn't know about blocks registered by plugins without running
|
|
|
|
|
* the registration routines.
|
|
|
|
|
*
|
|
|
|
|
* This is used for reporting packet counts. It affects autostop
|
|
|
|
|
* and file switching conditions, and is also reported via the
|
|
|
|
|
* sync pipe in capture child mode. In capture child mode, if the
|
|
|
|
|
* count reported is too small (i.e., false is returned for blocks
|
|
|
|
|
* that pcapng_read returns to the caller), then the parent process
|
|
|
|
|
* lags behind (and can report a "No packets captured error."). If
|
|
|
|
|
* the count reported is too large, then some parents (e.g. tshark)
|
|
|
|
|
* abort the capture because wtap_read will return an error.
|
|
|
|
|
*
|
|
|
|
|
* This errs on the side of returning false for unknown block types.
|
|
|
|
|
*/
|
2024-04-17 16:20:50 -07:00
|
|
|
switch (block_type) {
|
|
|
|
|
case BLOCK_TYPE_PB:
|
|
|
|
|
case BLOCK_TYPE_EPB:
|
|
|
|
|
case BLOCK_TYPE_SPB:
|
2025-05-28 10:17:43 -04:00
|
|
|
case BLOCK_TYPE_CB_COPY:
|
|
|
|
|
case BLOCK_TYPE_CB_NO_COPY:
|
2024-04-17 16:20:50 -07:00
|
|
|
case BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT:
|
|
|
|
|
case BLOCK_TYPE_SYSDIG_EVENT:
|
|
|
|
|
case BLOCK_TYPE_SYSDIG_EVENT_V2:
|
|
|
|
|
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
|
|
|
|
|
return true;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* Read the part of the initial pcapng SHB following the block type
|
|
|
|
|
* (we've already read the block type).
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
static void
|
|
|
|
|
pcapng_pipe_open_live(int fd,
|
|
|
|
|
capture_src *pcap_src,
|
|
|
|
|
char *errmsg,
|
2018-12-30 18:58:54 -08:00
|
|
|
size_t errmsgl)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t type = BLOCK_TYPE_SHB;
|
2019-05-23 10:24:02 +02:00
|
|
|
pcapng_block_header_t *bh = &pcap_src->cap_pipe_info.pcapng.bh;
|
2017-11-22 11:05:48 -08:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_open_live: fd %d", fd);
|
2020-11-22 04:02:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* A pcapng block begins with the block type followed by the block
|
|
|
|
|
* total length; we've already read the block type, now read the
|
|
|
|
|
* block length.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
#ifdef _WIN32
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* On UN*X, we can use select() on pipes or sockets.
|
|
|
|
|
*
|
|
|
|
|
* On Windows, we can only use it on sockets; to do non-blocking
|
|
|
|
|
* reads from pipes, we currently do reads in a separate thread
|
|
|
|
|
* and use GLib asynchronous queues from the main thread to start
|
|
|
|
|
* read operations and to wait for them to complete.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcap_src->from_cap_socket)
|
|
|
|
|
#endif
|
|
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
memcpy(pcap_src->cap_pipe_databuf, &type, sizeof(uint32_t));
|
|
|
|
|
pcap_src->cap_pipe_bytes_read = sizeof(uint32_t);
|
2019-05-23 10:24:02 +02:00
|
|
|
pcap_src->cap_pipe_bytes_to_read = sizeof(pcapng_block_header_t);
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_fd = fd;
|
2018-11-14 11:44:47 -08:00
|
|
|
if (cap_pipe_read_data_bytes(pcap_src, errmsg, errmsgl) < 0) {
|
2017-11-22 11:05:48 -08:00
|
|
|
goto error;
|
|
|
|
|
}
|
2019-05-23 10:24:02 +02:00
|
|
|
memcpy(bh, pcap_src->cap_pipe_databuf, sizeof(pcapng_block_header_t));
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
else {
|
|
|
|
|
g_thread_new("cap_pipe_open_live", &cap_thread_read, pcap_src);
|
|
|
|
|
|
|
|
|
|
bh->block_type = type;
|
2020-11-22 04:02:26 -08:00
|
|
|
pipe_read_sync(pcap_src, &bh->block_total_length,
|
|
|
|
|
sizeof(bh->block_total_length));
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read <= 0) {
|
|
|
|
|
if (pcap_src->cap_pipe_bytes_read == 0)
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"End of file reading from pipe or socket.");
|
2020-11-25 11:25:10 -08:00
|
|
|
else
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"Error reading from pipe or socket: %s.",
|
2020-11-25 11:25:10 -08:00
|
|
|
g_strerror(errno));
|
2017-11-22 11:05:48 -08:00
|
|
|
goto error;
|
|
|
|
|
}
|
2019-05-23 10:24:02 +02:00
|
|
|
pcap_src->cap_pipe_bytes_read = sizeof(pcapng_block_header_t);
|
|
|
|
|
memcpy(pcap_src->cap_pipe_databuf, bh, sizeof(pcapng_block_header_t));
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_fd = fd;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2020-11-25 10:41:05 -08:00
|
|
|
if ((bh->block_total_length & 0x03) != 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"block_total_length read from pipe is %u, which is not a multiple of 4.",
|
|
|
|
|
bh->block_total_length);
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcapng_read_shb(pcap_src, errmsg, errmsgl)) {
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
error:
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_open_live: error %s", errmsg);
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
cap_pipe_close(fd, pcap_src->from_cap_socket);
|
|
|
|
|
pcap_src->cap_pipe_fd = -1;
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
pcap_src->cap_pipe_h = INVALID_HANDLE_VALUE;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
/* We read one record from the pipe, take care of byte order in the record
|
|
|
|
|
* header, write the record to the capture file, and update capture statistics. */
|
|
|
|
|
static int
|
2018-12-30 18:58:54 -08:00
|
|
|
pcap_pipe_dispatch(loop_data *ld, capture_src *pcap_src, char *errmsg, size_t errmsgl)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2012-11-25 18:35:41 +00:00
|
|
|
struct pcap_pkthdr phdr;
|
2011-03-21 16:57:11 +00:00
|
|
|
enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
|
|
|
|
|
PD_ERR } result;
|
2011-11-07 23:42:53 +00:00
|
|
|
#ifdef _WIN32
|
2024-07-08 00:26:01 -04:00
|
|
|
void * q_status;
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2012-12-26 05:57:06 +00:00
|
|
|
ssize_t b;
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned new_bufsize;
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_pipe_info_t *pcap_info = &pcap_src->cap_pipe_info.pcap;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcap_pipe_dispatch");
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
switch (pcap_src->cap_pipe_state) {
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case STATE_EXPECT_REC_HDR:
|
2011-11-07 23:42:53 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
if (g_mutex_trylock(pcap_src->cap_pipe_read_mtx)) {
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_READ_REC_HDR;
|
|
|
|
|
pcap_src->cap_pipe_bytes_to_read = pcap_src->cap_pipe_modified ?
|
2011-03-21 16:57:11 +00:00
|
|
|
sizeof(struct pcaprec_modified_hdr) : sizeof(struct pcaprec_hdr);
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_read = 0;
|
2009-08-26 23:16:37 +00:00
|
|
|
|
2011-11-07 23:42:53 +00:00
|
|
|
#ifdef _WIN32
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_buf = (char *) &pcap_info->rechdr;
|
2017-03-05 18:11:22 -08:00
|
|
|
g_async_queue_push(pcap_src->cap_pipe_pending_q, pcap_src->cap_pipe_buf);
|
|
|
|
|
g_mutex_unlock(pcap_src->cap_pipe_read_mtx);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Fall through */
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case STATE_READ_REC_HDR:
|
2013-03-19 05:09:37 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->from_cap_socket)
|
2012-06-08 11:54:26 +00:00
|
|
|
#endif
|
2013-03-19 05:09:37 +00:00
|
|
|
{
|
2017-11-22 11:05:48 -08:00
|
|
|
b = cap_pipe_read(pcap_src->cap_pipe_fd, ((char *)&pcap_info->rechdr)+pcap_src->cap_pipe_bytes_read,
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_to_read - pcap_src->cap_pipe_bytes_read, pcap_src->from_cap_socket);
|
2012-12-23 06:52:50 +00:00
|
|
|
if (b <= 0) {
|
|
|
|
|
if (b == 0)
|
|
|
|
|
result = PD_PIPE_EOF;
|
|
|
|
|
else
|
|
|
|
|
result = PD_PIPE_ERR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2021-12-20 02:33:15 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
pcap_src->cap_pipe_bytes_read += (DWORD)b;
|
|
|
|
|
#else
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_read += b;
|
2021-12-20 02:33:15 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
2012-12-23 06:52:50 +00:00
|
|
|
else {
|
2017-03-05 18:11:22 -08:00
|
|
|
q_status = g_async_queue_timeout_pop(pcap_src->cap_pipe_done_q, PIPE_READ_TIMEOUT);
|
|
|
|
|
if (pcap_src->cap_pipe_err == PIPEOF) {
|
2012-12-23 06:52:50 +00:00
|
|
|
result = PD_PIPE_EOF;
|
|
|
|
|
break;
|
2017-03-05 18:11:22 -08:00
|
|
|
} else if (pcap_src->cap_pipe_err == PIPERR) {
|
2012-12-23 06:52:50 +00:00
|
|
|
result = PD_PIPE_ERR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (!q_status) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2011-07-16 12:45:47 +00:00
|
|
|
#endif
|
2020-11-22 04:02:26 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read < pcap_src->cap_pipe_bytes_to_read) {
|
|
|
|
|
/* There's still more of the pcap packet header to read. */
|
2011-03-21 16:57:11 +00:00
|
|
|
return 0;
|
2020-11-22 04:02:26 -08:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
result = PD_REC_HDR_READ;
|
|
|
|
|
break;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case STATE_EXPECT_DATA:
|
2011-11-07 23:42:53 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
if (g_mutex_trylock(pcap_src->cap_pipe_read_mtx)) {
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_READ_DATA;
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_bytes_to_read = pcap_info->rechdr.hdr.incl_len;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_read = 0;
|
2009-08-26 23:16:37 +00:00
|
|
|
|
2011-11-07 23:42:53 +00:00
|
|
|
#ifdef _WIN32
|
2017-06-04 12:15:34 -07:00
|
|
|
pcap_src->cap_pipe_buf = pcap_src->cap_pipe_databuf;
|
2017-03-05 18:11:22 -08:00
|
|
|
g_async_queue_push(pcap_src->cap_pipe_pending_q, pcap_src->cap_pipe_buf);
|
|
|
|
|
g_mutex_unlock(pcap_src->cap_pipe_read_mtx);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Fall through */
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case STATE_READ_DATA:
|
2013-03-19 05:09:37 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->from_cap_socket)
|
2012-06-08 11:54:26 +00:00
|
|
|
#endif
|
2013-03-19 05:09:37 +00:00
|
|
|
{
|
2017-03-05 18:11:22 -08:00
|
|
|
b = cap_pipe_read(pcap_src->cap_pipe_fd,
|
2017-06-04 12:15:34 -07:00
|
|
|
pcap_src->cap_pipe_databuf+pcap_src->cap_pipe_bytes_read,
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_to_read - pcap_src->cap_pipe_bytes_read,
|
|
|
|
|
pcap_src->from_cap_socket);
|
2012-12-23 06:52:50 +00:00
|
|
|
if (b <= 0) {
|
|
|
|
|
if (b == 0)
|
|
|
|
|
result = PD_PIPE_EOF;
|
|
|
|
|
else
|
|
|
|
|
result = PD_PIPE_ERR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2021-12-20 02:33:15 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
pcap_src->cap_pipe_bytes_read += (DWORD)b;
|
|
|
|
|
#else
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_bytes_read += b;
|
2021-12-20 02:33:15 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
2012-12-23 06:52:50 +00:00
|
|
|
else {
|
2012-06-08 11:54:26 +00:00
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
q_status = g_async_queue_timeout_pop(pcap_src->cap_pipe_done_q, PIPE_READ_TIMEOUT);
|
|
|
|
|
if (pcap_src->cap_pipe_err == PIPEOF) {
|
2012-12-23 06:52:50 +00:00
|
|
|
result = PD_PIPE_EOF;
|
|
|
|
|
break;
|
2017-03-05 18:11:22 -08:00
|
|
|
} else if (pcap_src->cap_pipe_err == PIPERR) {
|
2012-12-23 06:52:50 +00:00
|
|
|
result = PD_PIPE_ERR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (!q_status) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2013-03-19 05:09:37 +00:00
|
|
|
#endif /* _WIN32 */
|
2020-11-22 04:02:26 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read < pcap_src->cap_pipe_bytes_to_read) {
|
|
|
|
|
/* There's still more of the pcap packet data to read. */
|
2011-03-21 16:57:11 +00:00
|
|
|
return 0;
|
2020-11-22 04:02:26 -08:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
result = PD_DATA_READ;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"pcap_pipe_dispatch: invalid state");
|
2011-03-21 16:57:11 +00:00
|
|
|
result = PD_ERR;
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
} /* switch (pcap_src->cap_pipe_state) */
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We've now read as much data as we were expecting, so process it.
|
|
|
|
|
*/
|
|
|
|
|
switch (result) {
|
|
|
|
|
|
|
|
|
|
case PD_REC_HDR_READ:
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* We've read the packet header, so we know the captured length,
|
|
|
|
|
* and thus the number of packet data bytes. Take care of byte order.
|
|
|
|
|
*/
|
2018-10-17 17:59:07 +00:00
|
|
|
cap_pipe_adjust_pcap_header(pcap_src->cap_pipe_info.pcap.byte_swapped, &pcap_info->hdr,
|
2017-11-22 11:05:48 -08:00
|
|
|
&pcap_info->rechdr.hdr);
|
|
|
|
|
if (pcap_info->rechdr.hdr.incl_len > pcap_src->cap_pipe_max_pkt_size) {
|
2017-06-29 22:44:08 +02:00
|
|
|
/*
|
|
|
|
|
* The record contains more data than the advertised/allowed in the
|
|
|
|
|
* pcap header, do not try to read more data (do not change to
|
|
|
|
|
* STATE_EXPECT_DATA) as that would not fit in the buffer and
|
|
|
|
|
* instead stop with an error.
|
|
|
|
|
*/
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl, "Frame %u too long (%d bytes)",
|
2018-10-31 10:03:04 +01:00
|
|
|
ld->packets_captured+1, pcap_info->rechdr.hdr.incl_len);
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2011-07-06 16:22:11 +00:00
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcap_info->rechdr.hdr.incl_len > pcap_src->cap_pipe_databuf_size) {
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
/*
|
|
|
|
|
* Grow the buffer to the packet size, rounded up to a power of
|
|
|
|
|
* 2.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
new_bufsize = pcap_info->rechdr.hdr.incl_len;
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
/*
|
2019-07-27 21:20:27 -07:00
|
|
|
* https://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
*/
|
|
|
|
|
new_bufsize--;
|
|
|
|
|
new_bufsize |= new_bufsize >> 1;
|
|
|
|
|
new_bufsize |= new_bufsize >> 2;
|
|
|
|
|
new_bufsize |= new_bufsize >> 4;
|
|
|
|
|
new_bufsize |= new_bufsize >> 8;
|
|
|
|
|
new_bufsize |= new_bufsize >> 16;
|
|
|
|
|
new_bufsize++;
|
2018-09-28 12:02:42 -07:00
|
|
|
pcap_src->cap_pipe_databuf = (char*)g_realloc(pcap_src->cap_pipe_databuf, new_bufsize);
|
Allow bigger snapshot lengths for D-Bus captures.
Use WTAP_MAX_PACKET_SIZE_STANDARD, set to 256KB, for everything except
for D-Bus captures. Use WTAP_MAX_PACKET_SIZE_DBUS, set to 128MB, for
them, because that's the largest possible D-Bus message size. See
https://bugs.freedesktop.org/show_bug.cgi?id=100220
for an example of the problems caused by limiting the snapshot length to
256KB for D-Bus.
Have a snapshot length of 0 in a capture_file structure mean "there is
no snapshot length for the file"; we don't need the has_snap field in
that case, a value of 0 mean "no, we don't have a snapshot length".
In dumpcap, start out with a pipe buffer size of 2KB, and grow it as
necessary. When checking for a too-big packet from a pipe, check
against the appropriate maximum - 128MB for DLT_DBUS, 256KB for
everything else.
Change-Id: Ib2ce7a0cf37b971fbc0318024fd011e18add8b20
Reviewed-on: https://code.wireshark.org/review/21952
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2017-06-04 18:58:40 -07:00
|
|
|
pcap_src->cap_pipe_databuf_size = new_bufsize;
|
|
|
|
|
}
|
2017-06-29 22:44:08 +02:00
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcap_info->rechdr.hdr.incl_len) {
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* The record has some data following the header, try
|
|
|
|
|
* to read it next time.
|
|
|
|
|
*/
|
2017-06-29 22:44:08 +02:00
|
|
|
pcap_src->cap_pipe_state = STATE_EXPECT_DATA;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* No data following the record header? Then no more data needs to be
|
|
|
|
|
* read and we will fallthrough and emit an empty packet.
|
|
|
|
|
*/
|
2017-03-05 19:38:07 +01:00
|
|
|
/* FALLTHROUGH */
|
2020-11-22 04:02:26 -08:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case PD_DATA_READ:
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* We've read the full contents of the packet record.
|
|
|
|
|
* Fill in a "struct pcap_pkthdr", and process the packet.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
phdr.ts.tv_sec = pcap_info->rechdr.hdr.ts_sec;
|
|
|
|
|
phdr.ts.tv_usec = pcap_info->rechdr.hdr.ts_usec;
|
|
|
|
|
phdr.caplen = pcap_info->rechdr.hdr.incl_len;
|
|
|
|
|
phdr.len = pcap_info->rechdr.hdr.orig_len;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-05-16 21:56:12 +00:00
|
|
|
if (use_threads) {
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_queue_packet_cb((uint8_t *)pcap_src, &phdr, pcap_src->cap_pipe_databuf);
|
2011-05-16 21:56:12 +00:00
|
|
|
} else {
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_write_packet_cb((uint8_t *)pcap_src, &phdr, pcap_src->cap_pipe_databuf);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2020-11-22 04:02:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now we want to read the next packet's header.
|
|
|
|
|
*/
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_EXPECT_REC_HDR;
|
2011-03-21 16:57:11 +00:00
|
|
|
return 1;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case PD_PIPE_EOF:
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
2011-03-21 16:57:11 +00:00
|
|
|
return -1;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case PD_PIPE_ERR:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
|
2009-08-26 23:16:37 +00:00
|
|
|
#ifdef _WIN32
|
2019-05-02 09:25:11 -07:00
|
|
|
win32strerror(GetLastError()));
|
2009-08-26 23:16:37 +00:00
|
|
|
#else
|
2011-06-28 09:00:11 +00:00
|
|
|
g_strerror(errno));
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Fall through */
|
|
|
|
|
case PD_ERR:
|
|
|
|
|
break;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Return here rather than inside the switch to prevent GCC warning */
|
|
|
|
|
return -1;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
static int
|
2018-12-30 18:58:54 -08:00
|
|
|
pcapng_pipe_dispatch(loop_data *ld, capture_src *pcap_src, char *errmsg, size_t errmsgl)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
|
|
|
|
enum { PD_REC_HDR_READ, PD_DATA_READ, PD_PIPE_EOF, PD_PIPE_ERR,
|
|
|
|
|
PD_ERR } result;
|
|
|
|
|
#ifdef _WIN32
|
2024-07-08 00:26:01 -04:00
|
|
|
void * q_status;
|
2017-11-22 11:05:48 -08:00
|
|
|
#endif
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned new_bufsize;
|
2019-05-23 10:24:02 +02:00
|
|
|
pcapng_block_header_t *bh = &pcap_src->cap_pipe_info.pcapng.bh;
|
2017-11-22 11:05:48 -08:00
|
|
|
|
|
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_dispatch");
|
2017-11-22 11:05:48 -08:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
switch (pcap_src->cap_pipe_state) {
|
|
|
|
|
|
|
|
|
|
case STATE_EXPECT_REC_HDR:
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_dispatch STATE_EXPECT_REC_HDR");
|
2018-09-28 12:02:42 -07:00
|
|
|
#endif
|
2017-11-22 11:05:48 -08:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
if (g_mutex_trylock(pcap_src->cap_pipe_read_mtx)) {
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
pcap_src->cap_pipe_state = STATE_READ_REC_HDR;
|
2019-05-23 10:24:02 +02:00
|
|
|
pcap_src->cap_pipe_bytes_to_read = sizeof(pcapng_block_header_t);
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_bytes_read = 0;
|
|
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
2018-10-04 18:09:28 -07:00
|
|
|
if (!pcap_src->from_cap_socket) {
|
|
|
|
|
pcap_src->cap_pipe_buf = pcap_src->cap_pipe_databuf;
|
|
|
|
|
g_async_queue_push(pcap_src->cap_pipe_pending_q, pcap_src->cap_pipe_buf);
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
g_mutex_unlock(pcap_src->cap_pipe_read_mtx);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
/* Fall through */
|
|
|
|
|
|
|
|
|
|
case STATE_READ_REC_HDR:
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_dispatch STATE_READ_REC_HDR");
|
2018-09-28 12:02:42 -07:00
|
|
|
#endif
|
2017-11-22 11:05:48 -08:00
|
|
|
#ifdef _WIN32
|
2018-09-28 12:02:42 -07:00
|
|
|
if (pcap_src->from_cap_socket) {
|
2017-11-22 11:05:48 -08:00
|
|
|
#endif
|
2018-11-14 11:44:47 -08:00
|
|
|
if (cap_pipe_read_data_bytes(pcap_src, errmsg, errmsgl) < 0) {
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
#ifdef _WIN32
|
2018-09-28 12:02:42 -07:00
|
|
|
} else {
|
2017-11-22 11:05:48 -08:00
|
|
|
q_status = g_async_queue_timeout_pop(pcap_src->cap_pipe_done_q, PIPE_READ_TIMEOUT);
|
|
|
|
|
if (pcap_src->cap_pipe_err == PIPEOF) {
|
|
|
|
|
result = PD_PIPE_EOF;
|
|
|
|
|
break;
|
|
|
|
|
} else if (pcap_src->cap_pipe_err == PIPERR) {
|
|
|
|
|
result = PD_PIPE_ERR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (!q_status) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2018-11-14 11:44:47 -08:00
|
|
|
if (pcap_src->cap_pipe_bytes_read < pcap_src->cap_pipe_bytes_to_read) {
|
2020-11-22 04:02:26 -08:00
|
|
|
/* There's still more of the pcapng block header to read. */
|
2017-11-22 11:05:48 -08:00
|
|
|
return 0;
|
2018-11-14 11:44:47 -08:00
|
|
|
}
|
2019-05-23 10:24:02 +02:00
|
|
|
memcpy(bh, pcap_src->cap_pipe_databuf, sizeof(pcapng_block_header_t));
|
2017-11-22 11:05:48 -08:00
|
|
|
result = PD_REC_HDR_READ;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case STATE_EXPECT_DATA:
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_dispatch STATE_EXPECT_DATA");
|
2018-09-28 12:02:42 -07:00
|
|
|
#endif
|
2017-11-22 11:05:48 -08:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
if (g_mutex_trylock(pcap_src->cap_pipe_read_mtx)) {
|
|
|
|
|
#endif
|
|
|
|
|
pcap_src->cap_pipe_state = STATE_READ_DATA;
|
|
|
|
|
pcap_src->cap_pipe_bytes_to_read = bh->block_total_length;
|
|
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
2018-10-04 18:09:28 -07:00
|
|
|
if (!pcap_src->from_cap_socket) {
|
|
|
|
|
pcap_src->cap_pipe_bytes_to_read -= pcap_src->cap_pipe_bytes_read;
|
|
|
|
|
pcap_src->cap_pipe_buf = pcap_src->cap_pipe_databuf + pcap_src->cap_pipe_bytes_read;
|
|
|
|
|
pcap_src->cap_pipe_bytes_read = 0;
|
|
|
|
|
g_async_queue_push(pcap_src->cap_pipe_pending_q, pcap_src->cap_pipe_buf);
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
g_mutex_unlock(pcap_src->cap_pipe_read_mtx);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
/* Fall through */
|
|
|
|
|
|
|
|
|
|
case STATE_READ_DATA:
|
2018-09-28 12:02:42 -07:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("pcapng_pipe_dispatch STATE_READ_DATA");
|
2018-09-28 12:02:42 -07:00
|
|
|
#endif
|
2017-11-22 11:05:48 -08:00
|
|
|
#ifdef _WIN32
|
2018-09-28 12:02:42 -07:00
|
|
|
if (pcap_src->from_cap_socket) {
|
2017-11-22 11:05:48 -08:00
|
|
|
#endif
|
2018-11-14 11:44:47 -08:00
|
|
|
if (cap_pipe_read_data_bytes(pcap_src, errmsg, errmsgl) < 0) {
|
2017-11-22 11:05:48 -08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
#ifdef _WIN32
|
2018-09-28 12:02:42 -07:00
|
|
|
} else {
|
2017-11-22 11:05:48 -08:00
|
|
|
|
|
|
|
|
q_status = g_async_queue_timeout_pop(pcap_src->cap_pipe_done_q, PIPE_READ_TIMEOUT);
|
|
|
|
|
if (pcap_src->cap_pipe_err == PIPEOF) {
|
|
|
|
|
result = PD_PIPE_EOF;
|
|
|
|
|
break;
|
|
|
|
|
} else if (pcap_src->cap_pipe_err == PIPERR) {
|
|
|
|
|
result = PD_PIPE_ERR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (!q_status) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif /* _WIN32 */
|
2018-10-04 18:09:28 -07:00
|
|
|
if (pcap_src->cap_pipe_bytes_read < pcap_src->cap_pipe_bytes_to_read) {
|
2020-11-22 04:02:26 -08:00
|
|
|
/* There's still more of the pcap block contents to read. */
|
2018-10-04 18:09:28 -07:00
|
|
|
return 0;
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
result = PD_DATA_READ;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"pcapng_pipe_dispatch: invalid state");
|
2017-11-22 11:05:48 -08:00
|
|
|
result = PD_ERR;
|
|
|
|
|
|
|
|
|
|
} /* switch (pcap_src->cap_pipe_state) */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We've now read as much data as we were expecting, so process it.
|
|
|
|
|
*/
|
|
|
|
|
switch (result) {
|
|
|
|
|
|
|
|
|
|
case PD_REC_HDR_READ:
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* We've read the pcapng block header, so we know the block type
|
|
|
|
|
* and length.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
if (bh->block_type == BLOCK_TYPE_SHB) {
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* We need to read the fixed portion of the SHB before to
|
|
|
|
|
* get the endianness before we can interpret the block length.
|
|
|
|
|
* (The block type of the SHB is byte-order-independent, so that
|
|
|
|
|
* an SHB can be recognized before we know the endianness of
|
|
|
|
|
* the section.)
|
|
|
|
|
*
|
|
|
|
|
* Continue the read process.
|
|
|
|
|
*/
|
2025-03-24 08:13:27 -04:00
|
|
|
if (pcapng_read_shb(pcap_src, errmsg, errmsgl)) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2025-03-24 09:24:14 -04:00
|
|
|
if (pcap_src->cap_pipe_info.pcapng.byte_swapped) {
|
|
|
|
|
bh->block_type = GUINT32_SWAP_LE_BE(bh->block_type);
|
|
|
|
|
bh->block_total_length = GUINT32_SWAP_LE_BE(bh->block_total_length);
|
|
|
|
|
}
|
2020-11-25 10:41:05 -08:00
|
|
|
if ((bh->block_total_length & 0x03) != 0) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2020-11-25 10:41:05 -08:00
|
|
|
"Total length of pcapng block read from pipe is %u, which is not a multiple of 4.",
|
|
|
|
|
bh->block_total_length);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2024-04-17 16:20:50 -07:00
|
|
|
if (is_data_block(bh->block_type) && bh->block_total_length > pcap_src->cap_pipe_max_pkt_size) {
|
2017-11-22 11:05:48 -08:00
|
|
|
/*
|
|
|
|
|
* The record contains more data than the advertised/allowed in the
|
|
|
|
|
* pcapng header, do not try to read more data (do not change to
|
|
|
|
|
* STATE_EXPECT_DATA) as that would not fit in the buffer and
|
|
|
|
|
* instead stop with an error.
|
|
|
|
|
*/
|
2024-04-17 16:20:50 -07:00
|
|
|
snprintf(errmsg, errmsgl, "Block %u type 0x%08x too long (%d bytes)",
|
|
|
|
|
ld->packets_captured+1, bh->block_type, bh->block_total_length);
|
2017-11-22 11:05:48 -08:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bh->block_total_length > pcap_src->cap_pipe_databuf_size) {
|
|
|
|
|
/*
|
|
|
|
|
* Grow the buffer to the packet size, rounded up to a power of
|
|
|
|
|
* 2.
|
|
|
|
|
*/
|
|
|
|
|
new_bufsize = bh->block_total_length;
|
|
|
|
|
/*
|
2019-07-27 21:20:27 -07:00
|
|
|
* https://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2
|
2017-11-22 11:05:48 -08:00
|
|
|
*/
|
|
|
|
|
new_bufsize--;
|
|
|
|
|
new_bufsize |= new_bufsize >> 1;
|
|
|
|
|
new_bufsize |= new_bufsize >> 2;
|
|
|
|
|
new_bufsize |= new_bufsize >> 4;
|
|
|
|
|
new_bufsize |= new_bufsize >> 8;
|
|
|
|
|
new_bufsize |= new_bufsize >> 16;
|
|
|
|
|
new_bufsize++;
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->cap_pipe_databuf = (unsigned char*)g_realloc(pcap_src->cap_pipe_databuf, new_bufsize);
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_databuf_size = new_bufsize;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* The record always has at least the block total length following the header */
|
2024-07-08 00:26:01 -04:00
|
|
|
if (bh->block_total_length < sizeof(pcapng_block_header_t)+sizeof(uint32_t)) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl,
|
2018-12-30 18:58:54 -08:00
|
|
|
"malformed pcapng block_total_length < minimum");
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2020-11-22 04:02:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now we want to read the block contents.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_EXPECT_DATA;
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
case PD_DATA_READ:
|
2020-11-22 04:02:26 -08:00
|
|
|
/*
|
|
|
|
|
* We've read the full contents of the block.
|
|
|
|
|
* Process the block.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
if (use_threads) {
|
|
|
|
|
capture_loop_queue_pcapng_cb(pcap_src, bh, pcap_src->cap_pipe_databuf);
|
|
|
|
|
} else {
|
|
|
|
|
capture_loop_write_pcapng_cb(pcap_src, bh, pcap_src->cap_pipe_databuf);
|
|
|
|
|
}
|
2020-11-22 04:02:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now we want to read the next block's header.
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_EXPECT_REC_HDR;
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
case PD_PIPE_EOF:
|
|
|
|
|
pcap_src->cap_pipe_err = PIPEOF;
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
case PD_PIPE_ERR:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsgl, "Error reading from pipe: %s",
|
2017-11-22 11:05:48 -08:00
|
|
|
#ifdef _WIN32
|
2019-05-02 09:25:11 -07:00
|
|
|
win32strerror(GetLastError()));
|
2017-11-22 11:05:48 -08:00
|
|
|
#else
|
|
|
|
|
g_strerror(errno));
|
|
|
|
|
#endif
|
|
|
|
|
/* Fall through */
|
|
|
|
|
case PD_ERR:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pcap_src->cap_pipe_err = PIPERR;
|
|
|
|
|
/* Return here rather than inside the switch to prevent GCC warning */
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2020-11-25 11:58:26 -08:00
|
|
|
/** Open the capture input sources; each one is either a pcap device,
|
|
|
|
|
* a capture pipe, or a capture socket.
|
2024-07-08 00:26:01 -04:00
|
|
|
* Returns true if it succeeds, false otherwise. */
|
|
|
|
|
static bool
|
2008-02-16 02:39:58 +00:00
|
|
|
capture_loop_open_input(capture_options *capture_opts, loop_data *ld,
|
|
|
|
|
char *errmsg, size_t errmsg_len,
|
|
|
|
|
char *secondary_errmsg, size_t secondary_errmsg_len)
|
|
|
|
|
{
|
2021-06-23 01:42:14 -07:00
|
|
|
cap_device_open_status open_status;
|
2024-07-08 00:26:01 -04:00
|
|
|
char open_status_str[PCAP_ERRBUF_SIZE];
|
|
|
|
|
char *sync_msg_str;
|
2018-06-09 23:39:12 -07:00
|
|
|
interface_options *interface_opts;
|
|
|
|
|
capture_src *pcap_src;
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned i;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2025-03-24 09:24:14 -04:00
|
|
|
if (capture_opts->ifaces->len > 1) {
|
|
|
|
|
/* If we have more than one input, then we're definitely not passing
|
|
|
|
|
* blocks through. Setting it here will cause pcapng_read_shb to fail
|
|
|
|
|
* on a SHB of endianness opposite our host, since we don't handle
|
|
|
|
|
* byte swapping the data in each block.
|
|
|
|
|
*/
|
|
|
|
|
ld->pcapng_passthrough = false;
|
|
|
|
|
|
|
|
|
|
if (use_threads == false) {
|
|
|
|
|
snprintf(errmsg, errmsg_len,
|
|
|
|
|
"Using threads is required for capturing on multiple interfaces.");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
|
|
|
|
|
2025-03-24 09:24:14 -04:00
|
|
|
unsigned pcapng_src_count = 0;
|
2011-05-15 22:54:52 +00:00
|
|
|
for (i = 0; i < capture_opts->ifaces->len; i++) {
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
|
2020-12-20 21:30:28 -05:00
|
|
|
pcap_src = g_new0(capture_src, 1);
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src == NULL) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2011-05-26 18:12:41 +00:00
|
|
|
"Could not allocate memory.");
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-05-26 18:12:41 +00:00
|
|
|
}
|
2018-10-08 13:25:36 -07:00
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
#ifdef MUST_DO_SELECT
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->pcap_fd = -1;
|
|
|
|
|
#endif
|
|
|
|
|
pcap_src->interface_id = i;
|
|
|
|
|
pcap_src->linktype = -1;
|
2008-02-16 02:39:58 +00:00
|
|
|
#ifdef _WIN32
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_h = INVALID_HANDLE_VALUE;
|
2011-05-15 22:54:52 +00:00
|
|
|
#endif
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_fd = -1;
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->cap_pipe_dispatch = pcap_pipe_dispatch;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->cap_pipe_state = STATE_EXPECT_REC_HDR;
|
|
|
|
|
pcap_src->cap_pipe_err = PIPOK;
|
2011-11-07 23:42:53 +00:00
|
|
|
#ifdef _WIN32
|
2020-12-22 14:24:09 -05:00
|
|
|
pcap_src->cap_pipe_read_mtx = g_new(GMutex, 1);
|
2017-03-05 18:11:22 -08:00
|
|
|
g_mutex_init(pcap_src->cap_pipe_read_mtx);
|
|
|
|
|
pcap_src->cap_pipe_pending_q = g_async_queue_new();
|
|
|
|
|
pcap_src->cap_pipe_done_q = g_async_queue_new();
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
2017-03-05 18:11:22 -08:00
|
|
|
g_array_append_val(ld->pcaps, pcap_src);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_open_input : %s", interface_opts->name);
|
2017-08-25 11:27:38 +02:00
|
|
|
pcap_src->pcap_h = open_capture_device(capture_opts, interface_opts,
|
2021-06-23 01:42:14 -07:00
|
|
|
CAP_READ_TIMEOUT, &open_status, &open_status_str);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->pcap_h != NULL) {
|
2011-05-15 22:54:52 +00:00
|
|
|
/* we've opened "iface" as a network device */
|
2014-09-28 16:28:36 -07:00
|
|
|
|
|
|
|
|
/* Find out if we're getting nanosecond-precision time stamps */
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->ts_nsec = have_high_resolution_timestamp(pcap_src->pcap_h);
|
2014-09-28 16:28:36 -07:00
|
|
|
|
2011-05-16 14:12:35 +00:00
|
|
|
#if defined(HAVE_PCAP_SETSAMPLING)
|
2017-08-25 11:27:38 +02:00
|
|
|
if (interface_opts->sampling_method != CAPTURE_SAMP_NONE) {
|
2011-05-15 22:54:52 +00:00
|
|
|
struct pcap_samp *samp;
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
if ((samp = pcap_setsampling(pcap_src->pcap_h)) != NULL) {
|
2017-08-25 11:27:38 +02:00
|
|
|
switch (interface_opts->sampling_method) {
|
2011-05-15 22:54:52 +00:00
|
|
|
case CAPTURE_SAMP_BY_COUNT:
|
|
|
|
|
samp->method = PCAP_SAMP_1_EVERY_N;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case CAPTURE_SAMP_BY_TIMER:
|
|
|
|
|
samp->method = PCAP_SAMP_FIRST_AFTER_N_MS;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
2021-12-18 18:48:20 +00:00
|
|
|
sync_msg_str = ws_strdup_printf(
|
2011-05-15 22:54:52 +00:00
|
|
|
"Unknown sampling method %d specified,\n"
|
|
|
|
|
"continue without packet sampling",
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts->sampling_method);
|
2011-05-15 22:54:52 +00:00
|
|
|
report_capture_error("Couldn't set the capture "
|
|
|
|
|
"sampling", sync_msg_str);
|
|
|
|
|
g_free(sync_msg_str);
|
|
|
|
|
}
|
2017-08-25 11:27:38 +02:00
|
|
|
samp->value = interface_opts->sampling_param;
|
2011-05-15 22:54:52 +00:00
|
|
|
} else {
|
|
|
|
|
report_capture_error("Couldn't set the capture sampling",
|
|
|
|
|
"Cannot get packet sampling data structure");
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
|
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
/* setting the data link type only works on real interfaces */
|
2017-08-25 11:27:38 +02:00
|
|
|
if (!set_pcap_datalink(pcap_src->pcap_h, interface_opts->linktype,
|
|
|
|
|
interface_opts->name,
|
2011-05-15 22:54:52 +00:00
|
|
|
errmsg, errmsg_len,
|
|
|
|
|
secondary_errmsg, secondary_errmsg_len)) {
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
dumpcap: map DLT_ values from libpcap or piped pcap headers to LINKTYPE_s.
For most link-layer header types, the DLT_ value and the LINKTYPE_ value
are the same.
For some DLT_s for which the values are *not* the same on all OSes, or
which weren't defined on some OSes, that's not the case, because, in
order to have a *single* link-layer type value to use in capture files
on *all* platforms, so that the link-layer type is the same no matter
what OS it was captured on, new values were assigned for LINKTYPE_s.
(That's why LINKTYPE_s were created in the first place.)
Therefore, we should map DLT_ values obtained from libpcap to the
corresponding LINKTYPE_ values before using the value in a pcap header
or a pcapng Interface Description Block.
Furthermore, since a pcap or pcapng file being piped to dumpcap might
have been generated by a program that doesn't do DLT_ to LINKTYPE_
mapping (the libpcap from tcpdump.org has done so for many years now,
but OpenBSD's libpcap doesn't), we map them for pcap files as well.
(pcapng files require that we not just blindly copy the pcapng file.
Other things, such as byte-swapped pcapng files, may also require that;
this needs to be looked into.)
Fixes #19230.
2023-08-12 13:45:16 -07:00
|
|
|
pcap_src->linktype = dlt_to_linktype(get_pcap_datalink(pcap_src->pcap_h, interface_opts->name));
|
2011-05-15 22:54:52 +00:00
|
|
|
} else {
|
|
|
|
|
/* We couldn't open "iface" as a network device. */
|
|
|
|
|
/* Try to open it as a pipe */
|
2024-07-08 00:26:01 -04:00
|
|
|
bool pipe_err = false;
|
2018-12-30 20:39:10 -08:00
|
|
|
cap_pipe_open_live(interface_opts->name, pcap_src,
|
|
|
|
|
&pcap_src->cap_pipe_info.pcap.hdr,
|
|
|
|
|
errmsg, errmsg_len,
|
|
|
|
|
secondary_errmsg, secondary_errmsg_len);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2018-10-04 18:09:28 -07:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
if (pcap_src->from_cap_socket) {
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2018-10-04 18:09:28 -07:00
|
|
|
if (pcap_src->cap_pipe_fd == -1) {
|
2024-07-08 00:26:01 -04:00
|
|
|
pipe_err = true;
|
2018-10-04 18:09:28 -07:00
|
|
|
}
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
} else {
|
|
|
|
|
if (pcap_src->cap_pipe_h == INVALID_HANDLE_VALUE) {
|
2024-07-08 00:26:01 -04:00
|
|
|
pipe_err = true;
|
2018-10-04 18:09:28 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if (pipe_err) {
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->cap_pipe_err == PIPNEXIST) {
|
2016-01-07 00:26:12 -08:00
|
|
|
/*
|
|
|
|
|
* We tried opening as an interface, and that failed,
|
|
|
|
|
* so we tried to open it as a pipe, but the pipe
|
|
|
|
|
* doesn't exist. Report the error message for
|
|
|
|
|
* the interface.
|
|
|
|
|
*/
|
2021-06-23 01:42:14 -07:00
|
|
|
get_capture_device_open_failure_messages(open_status,
|
|
|
|
|
open_status_str,
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts->name,
|
2011-03-21 16:57:11 +00:00
|
|
|
errmsg,
|
|
|
|
|
errmsg_len,
|
|
|
|
|
secondary_errmsg,
|
|
|
|
|
secondary_errmsg_len);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Else pipe (or file) does exist and cap_pipe_open_live() has
|
|
|
|
|
* filled in errmsg
|
|
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-05-15 22:54:52 +00:00
|
|
|
} else {
|
2021-06-23 01:42:14 -07:00
|
|
|
/*
|
|
|
|
|
* We tried opening as an interface, and that failed,
|
|
|
|
|
* so we tried to open it as a pipe, and that succeeded.
|
|
|
|
|
*/
|
|
|
|
|
open_status = CAP_DEVICE_OPEN_NO_ERR;
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
/* XXX - will this work for tshark? */
|
|
|
|
|
#ifdef MUST_DO_SELECT
|
2017-03-05 18:11:22 -08:00
|
|
|
if (!pcap_src->from_cap_pipe) {
|
|
|
|
|
pcap_src->pcap_fd = pcap_get_selectable_fd(pcap_src->pcap_h);
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
|
|
|
|
|
2021-06-23 01:42:14 -07:00
|
|
|
/* Is "open_status" something other than CAP_DEVICE_OPEN_NO_ERR?
|
|
|
|
|
If so, "open_capture_device()" returned a warning; print it,
|
|
|
|
|
but keep capturing. */
|
|
|
|
|
if (open_status != CAP_DEVICE_OPEN_NO_ERR) {
|
2021-12-18 18:48:20 +00:00
|
|
|
sync_msg_str = ws_strdup_printf("%s.", open_status_str);
|
2011-05-15 22:54:52 +00:00
|
|
|
report_capture_error(sync_msg_str, "");
|
|
|
|
|
g_free(sync_msg_str);
|
|
|
|
|
}
|
2018-10-08 13:25:36 -07:00
|
|
|
if (pcap_src->from_pcapng) {
|
dumpcap: Don't write fake IDBs for pcapng interfaces
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix #19080
2023-05-17 19:19:02 -04:00
|
|
|
/*
|
|
|
|
|
* We will use the IDBs from the source (but rewrite the
|
|
|
|
|
* interface IDs if there's more than one source.)
|
|
|
|
|
*/
|
2018-10-08 13:25:36 -07:00
|
|
|
pcapng_src_count++;
|
dumpcap: Don't write fake IDBs for pcapng interfaces
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix #19080
2023-05-17 19:19:02 -04:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* Add our pcapng interface entry.
|
|
|
|
|
*/
|
2025-03-24 09:24:14 -04:00
|
|
|
ld->pcapng_passthrough = false;
|
dumpcap: Don't write fake IDBs for pcapng interfaces
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix #19080
2023-05-17 19:19:02 -04:00
|
|
|
saved_idb_t idb_source = { 0 };
|
|
|
|
|
idb_source.interface_id = i;
|
|
|
|
|
g_rw_lock_writer_lock (&ld->saved_shb_idb_lock);
|
|
|
|
|
pcap_src->idb_id = global_ld.saved_idbs->len;
|
|
|
|
|
g_array_append_val(global_ld.saved_idbs, idb_source);
|
|
|
|
|
g_rw_lock_writer_unlock (&ld->saved_shb_idb_lock);
|
|
|
|
|
ws_debug("%s: saved capture_opts %u to IDB %u",
|
|
|
|
|
G_STRFUNC, i, pcap_src->idb_id);
|
2018-10-08 13:25:36 -07:00
|
|
|
}
|
|
|
|
|
}
|
2020-11-25 11:58:26 -08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Are we capturing from one source that is providing pcapng
|
|
|
|
|
* information?
|
|
|
|
|
*/
|
2018-10-08 13:25:36 -07:00
|
|
|
if (capture_opts->ifaces->len == 1 && pcapng_src_count == 1) {
|
2020-11-25 11:58:26 -08:00
|
|
|
/*
|
|
|
|
|
* Yes; pass through SHBs and IDBs from the source, rather
|
|
|
|
|
* than generating our own.
|
|
|
|
|
*/
|
2018-10-08 13:25:36 -07:00
|
|
|
g_rw_lock_writer_lock (&ld->saved_shb_idb_lock);
|
2025-03-24 09:24:14 -04:00
|
|
|
ws_assert(global_ld.pcapng_passthrough == true);
|
dumpcap: Don't write fake IDBs for pcapng interfaces
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix #19080
2023-05-17 19:19:02 -04:00
|
|
|
ws_assert(global_ld.saved_idbs->len == 0);
|
|
|
|
|
ws_debug("%s: Pass through SHBs and IDBs directly", G_STRFUNC);
|
2018-10-08 13:25:36 -07:00
|
|
|
g_rw_lock_writer_unlock (&ld->saved_shb_idb_lock);
|
2025-03-24 09:24:14 -04:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* No; that means we'll generate our own SHB and IDBs. If the source
|
|
|
|
|
* is a pipe with byte order different than our own, we'll have to
|
|
|
|
|
* byte swap various elements; we don't do that for pcapng yet.
|
|
|
|
|
*/
|
|
|
|
|
ws_assert(global_ld.pcapng_passthrough == false);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-05-19 20:48:58 +00:00
|
|
|
/* If not using libcap: we now can now set euid/egid to ruid/rgid */
|
|
|
|
|
/* to remove any suid privileges. */
|
|
|
|
|
/* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
|
|
|
|
|
/* (euid/egid have already previously been set to ruid/rgid. */
|
|
|
|
|
/* (See comment in main() for details) */
|
|
|
|
|
#ifndef HAVE_LIBCAP
|
|
|
|
|
relinquish_special_privs_perm();
|
|
|
|
|
#else
|
|
|
|
|
relinquish_all_capabilities();
|
|
|
|
|
#endif
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* close the capture input file (pcap or capture pipe) */
|
2011-03-21 16:57:11 +00:00
|
|
|
static void capture_loop_close_input(loop_data *ld)
|
|
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned i;
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src;
|
2011-05-15 22:54:52 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_close_input");
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
for (i = 0; i < ld->pcaps->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(ld->pcaps, capture_src *, i);
|
2017-06-04 12:15:34 -07:00
|
|
|
/* Pipe, or capture device? */
|
|
|
|
|
if (pcap_src->from_cap_pipe) {
|
|
|
|
|
/* Pipe. If open, close the capture pipe "input file". */
|
|
|
|
|
if (pcap_src->cap_pipe_fd >= 0) {
|
|
|
|
|
cap_pipe_close(pcap_src->cap_pipe_fd, pcap_src->from_cap_socket);
|
|
|
|
|
pcap_src->cap_pipe_fd = -1;
|
|
|
|
|
}
|
2012-06-08 11:54:26 +00:00
|
|
|
#ifdef _WIN32
|
2017-06-04 12:15:34 -07:00
|
|
|
if (pcap_src->cap_pipe_h != INVALID_HANDLE_VALUE) {
|
|
|
|
|
CloseHandle(pcap_src->cap_pipe_h);
|
|
|
|
|
pcap_src->cap_pipe_h = INVALID_HANDLE_VALUE;
|
|
|
|
|
}
|
2009-08-26 23:16:37 +00:00
|
|
|
#endif
|
2017-06-04 12:15:34 -07:00
|
|
|
if (pcap_src->cap_pipe_databuf != NULL) {
|
|
|
|
|
/* Free the buffer. */
|
|
|
|
|
g_free(pcap_src->cap_pipe_databuf);
|
|
|
|
|
pcap_src->cap_pipe_databuf = NULL;
|
|
|
|
|
}
|
2017-11-22 11:05:48 -08:00
|
|
|
if (pcap_src->from_pcapng) {
|
2018-10-08 13:25:36 -07:00
|
|
|
g_array_free(pcap_src->cap_pipe_info.pcapng.src_iface_to_global, TRUE);
|
|
|
|
|
pcap_src->cap_pipe_info.pcapng.src_iface_to_global = NULL;
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
2018-05-12 13:42:38 -07:00
|
|
|
} else {
|
|
|
|
|
/* Capture device. If open, close the pcap_t. */
|
2017-06-04 12:15:34 -07:00
|
|
|
if (pcap_src->pcap_h != NULL) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_close_input: closing %p", (void *)pcap_src->pcap_h);
|
2017-06-04 12:15:34 -07:00
|
|
|
pcap_close(pcap_src->pcap_h);
|
|
|
|
|
pcap_src->pcap_h = NULL;
|
|
|
|
|
}
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
ld->go = false;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* init the capture filter */
|
|
|
|
|
static initfilter_status_t
|
2024-07-08 00:26:01 -04:00
|
|
|
capture_loop_init_filter(pcap_t *pcap_h, bool from_cap_pipe,
|
|
|
|
|
const char * name, const char * cfilter)
|
2010-07-13 23:26:07 +00:00
|
|
|
{
|
2011-03-21 16:57:11 +00:00
|
|
|
struct bpf_program fcode;
|
|
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_init_filter: %s", cfilter);
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* capture filters only work on real interfaces */
|
|
|
|
|
if (cfilter && !from_cap_pipe) {
|
|
|
|
|
/* A capture filter was specified; set it up. */
|
2011-05-13 11:28:51 +00:00
|
|
|
if (!compile_capture_filter(name, pcap_h, &fcode, cfilter)) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Treat this specially - our caller might try to compile this
|
|
|
|
|
as a display filter and, if that succeeds, warn the user that
|
|
|
|
|
the display and capture filter syntaxes are different. */
|
|
|
|
|
return INITFILTER_BAD_FILTER;
|
|
|
|
|
}
|
|
|
|
|
if (pcap_setfilter(pcap_h, &fcode) < 0) {
|
|
|
|
|
pcap_freecode(&fcode);
|
|
|
|
|
return INITFILTER_OTHER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
pcap_freecode(&fcode);
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
return INITFILTER_NO_ERROR;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
/*
|
|
|
|
|
* Write the dumpcap pcapng SHB and IDBs if needed.
|
|
|
|
|
* Called from capture_loop_init_output and do_file_switch_or_stop.
|
|
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2020-11-25 00:43:43 -08:00
|
|
|
capture_loop_init_pcapng_output(capture_options *capture_opts, loop_data *ld,
|
|
|
|
|
int *err)
|
2018-10-08 13:25:36 -07:00
|
|
|
{
|
|
|
|
|
g_rw_lock_reader_lock (&ld->saved_shb_idb_lock);
|
|
|
|
|
|
|
|
|
|
if (ld->pcapng_passthrough && !ld->saved_shb) {
|
|
|
|
|
/* We have a single pcapng capture interface and this is the first or only output file. */
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: skipping dumpcap SHB and IDBs in favor of source", G_STRFUNC);
|
2018-10-08 13:25:36 -07:00
|
|
|
g_rw_lock_reader_unlock (&ld->saved_shb_idb_lock);
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2018-10-08 13:25:36 -07:00
|
|
|
}
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
bool successful = true;
|
2018-10-08 13:25:36 -07:00
|
|
|
GString *os_info_str = g_string_new("");
|
|
|
|
|
|
2020-11-25 00:43:43 -08:00
|
|
|
*err = 0;
|
2018-10-08 13:25:36 -07:00
|
|
|
get_os_version_info(os_info_str);
|
|
|
|
|
|
|
|
|
|
if (ld->saved_shb) {
|
|
|
|
|
/* We have a single pcapng capture interface and multiple output files. */
|
|
|
|
|
|
2019-05-23 10:24:02 +02:00
|
|
|
pcapng_block_header_t bh;
|
2018-10-08 13:25:36 -07:00
|
|
|
|
2019-05-23 10:24:02 +02:00
|
|
|
memcpy(&bh, ld->saved_shb, sizeof(pcapng_block_header_t));
|
2018-10-08 13:25:36 -07:00
|
|
|
|
2025-04-30 12:59:00 -04:00
|
|
|
ws_assert(global_ld.pcapng_passthrough);
|
|
|
|
|
capture_src *pcap_src = g_array_index(ld->pcaps, capture_src *, 0);
|
|
|
|
|
if (pcap_src->cap_pipe_info.pcapng.byte_swapped) {
|
|
|
|
|
bh.block_total_length = GUINT32_SWAP_LE_BE(bh.block_total_length);
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-25 00:43:43 -08:00
|
|
|
successful = pcapng_write_block(ld->pdh, ld->saved_shb, bh.block_total_length, &ld->bytes_written, err);
|
2018-10-08 13:25:36 -07:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: wrote saved passthrough SHB %d", G_STRFUNC, successful);
|
2018-10-08 13:25:36 -07:00
|
|
|
} else {
|
|
|
|
|
GString *cpu_info_str = g_string_new("");
|
|
|
|
|
get_cpu_info(cpu_info_str);
|
|
|
|
|
|
2018-12-18 23:47:33 +01:00
|
|
|
successful = pcapng_write_section_header_block(ld->pdh,
|
Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.
This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.
Support writing multiple comments in dumpcap when capturing.
These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.
Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).
Update the man pages:
- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-14 22:16:30 -07:00
|
|
|
capture_comments, /* Comments */
|
2018-10-08 13:25:36 -07:00
|
|
|
cpu_info_str->str, /* HW */
|
|
|
|
|
os_info_str->str, /* OS */
|
2018-12-12 18:16:15 -08:00
|
|
|
get_appname_and_version(),
|
2018-10-08 13:25:36 -07:00
|
|
|
-1, /* section_length */
|
|
|
|
|
&ld->bytes_written,
|
2020-11-25 00:43:43 -08:00
|
|
|
err);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: wrote dumpcap SHB %d", G_STRFUNC, successful);
|
2018-10-08 13:25:36 -07:00
|
|
|
g_string_free(cpu_info_str, TRUE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (unsigned i = 0; successful && (i < ld->saved_idbs->len); i++) {
|
|
|
|
|
saved_idb_t idb_source = g_array_index(ld->saved_idbs, saved_idb_t, i);
|
|
|
|
|
if (idb_source.deleted) {
|
|
|
|
|
/*
|
|
|
|
|
* Our interface is out of scope. Suppose we're writing multiple
|
|
|
|
|
* files and a source switches sections. We currently write dummy
|
|
|
|
|
* IDBs like so:
|
|
|
|
|
*
|
|
|
|
|
* File 1: IDB0, IDB1, IDB2
|
|
|
|
|
* [ The source of IDBs 1 and 2 writes an SHB with two new IDBs ]
|
|
|
|
|
* [ We switch output files ]
|
|
|
|
|
* File 2: IDB0, dummy IDB, dummy IDB, IDB3, IDB4
|
|
|
|
|
*
|
|
|
|
|
* It might make more sense to write the original data so that
|
|
|
|
|
* so that our IDB lists are more consistent across files.
|
|
|
|
|
*/
|
|
|
|
|
successful = pcapng_write_interface_description_block(global_ld.pdh,
|
|
|
|
|
"Interface went out of scope", /* OPT_COMMENT 1 */
|
|
|
|
|
"dummy", /* IDB_NAME 2 */
|
|
|
|
|
"Dumpcap dummy interface", /* IDB_DESCRIPTION 3 */
|
|
|
|
|
NULL, /* IDB_FILTER 11 */
|
|
|
|
|
os_info_str->str, /* IDB_OS 12 */
|
2020-03-27 20:08:33 -07:00
|
|
|
NULL, /* IDB_HARDWARE 15 */
|
2018-10-08 13:25:36 -07:00
|
|
|
-1,
|
|
|
|
|
0,
|
|
|
|
|
&(global_ld.bytes_written),
|
|
|
|
|
0, /* IDB_IF_SPEED 8 */
|
|
|
|
|
6, /* IDB_TSRESOL 9 */
|
|
|
|
|
&global_ld.err);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: skipping deleted pcapng IDB %u", G_STRFUNC, i);
|
2018-10-08 13:25:36 -07:00
|
|
|
} else if (idb_source.idb && idb_source.idb_len) {
|
2020-11-25 00:43:43 -08:00
|
|
|
successful = pcapng_write_block(global_ld.pdh, idb_source.idb, idb_source.idb_len, &ld->bytes_written, err);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: wrote pcapng IDB %d", G_STRFUNC, successful);
|
2018-10-08 13:25:36 -07:00
|
|
|
} else if (idb_source.interface_id < capture_opts->ifaces->len) {
|
|
|
|
|
unsigned if_id = idb_source.interface_id;
|
|
|
|
|
interface_options *interface_opts = &g_array_index(capture_opts->ifaces, interface_options, if_id);
|
|
|
|
|
capture_src *pcap_src = g_array_index(ld->pcaps, capture_src *, if_id);
|
|
|
|
|
if (pcap_src->from_cap_pipe) {
|
|
|
|
|
pcap_src->snaplen = pcap_src->cap_pipe_info.pcap.hdr.snaplen;
|
|
|
|
|
} else {
|
|
|
|
|
pcap_src->snaplen = pcap_snapshot(pcap_src->pcap_h);
|
|
|
|
|
}
|
|
|
|
|
successful = pcapng_write_interface_description_block(global_ld.pdh,
|
2021-03-24 23:36:29 -07:00
|
|
|
NULL, /* OPT_COMMENT 1 */
|
|
|
|
|
(interface_opts->ifname != NULL) ? interface_opts->ifname : interface_opts->name, /* IDB_NAME 2 */
|
2018-10-08 13:25:36 -07:00
|
|
|
interface_opts->descr, /* IDB_DESCRIPTION 3 */
|
|
|
|
|
interface_opts->cfilter, /* IDB_FILTER 11 */
|
|
|
|
|
os_info_str->str, /* IDB_OS 12 */
|
2020-03-27 20:08:33 -07:00
|
|
|
interface_opts->hardware, /* IDB_HARDWARE 15 */
|
2018-10-08 13:25:36 -07:00
|
|
|
pcap_src->linktype,
|
|
|
|
|
pcap_src->snaplen,
|
|
|
|
|
&(global_ld.bytes_written),
|
|
|
|
|
0, /* IDB_IF_SPEED 8 */
|
|
|
|
|
pcap_src->ts_nsec ? 9 : 6, /* IDB_TSRESOL 9 */
|
|
|
|
|
&global_ld.err);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: wrote capture_opts IDB %d: %d", G_STRFUNC, if_id, successful);
|
2018-10-08 13:25:36 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
g_rw_lock_reader_unlock (&ld->saved_shb_idb_lock);
|
|
|
|
|
|
|
|
|
|
g_string_free(os_info_str, TRUE);
|
|
|
|
|
|
|
|
|
|
return successful;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
/* set up to write to the already-opened capture output file/files */
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2011-03-21 16:57:11 +00:00
|
|
|
capture_loop_init_output(capture_options *capture_opts, loop_data *ld, char *errmsg, int errmsg_len)
|
|
|
|
|
{
|
2020-05-20 10:34:32 -07:00
|
|
|
int err = 0;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_init_output");
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
if ((capture_opts->use_pcapng == false) &&
|
2011-05-15 22:54:52 +00:00
|
|
|
(capture_opts->ifaces->len > 1)) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2014-09-24 14:06:23 -07:00
|
|
|
"Using PCAPNG is required for capturing on multiple interfaces. Use the -n option.");
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2009-04-27 08:11:10 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* Set up to write to the capture file. */
|
|
|
|
|
if (capture_opts->multi_files_on) {
|
|
|
|
|
ld->pdh = ringbuf_init_libpcap_fdopen(&err);
|
|
|
|
|
} else {
|
2025-01-21 09:47:46 -05:00
|
|
|
ld->pdh = writecap_fdopen(ld->save_file_fd, wtap_name_to_compression_type(capture_opts->compress_type), &err);
|
2009-04-26 15:51:25 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
if (ld->pdh) {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool successful;
|
2011-03-21 16:57:11 +00:00
|
|
|
if (capture_opts->use_pcapng) {
|
2020-11-25 00:43:43 -08:00
|
|
|
successful = capture_loop_init_pcapng_output(capture_opts, ld, &err);
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
2018-10-08 13:25:36 -07:00
|
|
|
capture_src *pcap_src;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(ld->pcaps, capture_src *, 0);
|
|
|
|
|
if (pcap_src->from_cap_pipe) {
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->snaplen = pcap_src->cap_pipe_info.pcap.hdr.snaplen;
|
2011-05-15 22:54:52 +00:00
|
|
|
} else {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->snaplen = pcap_snapshot(pcap_src->pcap_h);
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2017-03-05 18:11:22 -08:00
|
|
|
successful = libpcap_write_file_header(ld->pdh, pcap_src->linktype, pcap_src->snaplen,
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_src->ts_nsec, &ld->bytes_written, &err);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
if (!successful) {
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_close(ld->pdh, NULL);
|
2011-03-21 16:57:11 +00:00
|
|
|
ld->pdh = NULL;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (ld->pdh == NULL) {
|
|
|
|
|
/* We couldn't set up to write to the capture file. */
|
|
|
|
|
/* XXX - use cf_open_error_message from tshark instead? */
|
2019-05-10 18:52:44 +02:00
|
|
|
if (err < 0) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2019-05-10 18:52:44 +02:00
|
|
|
"The file to which the capture would be"
|
|
|
|
|
" saved (\"%s\") could not be opened: Error %d.",
|
|
|
|
|
capture_opts->save_file, err);
|
|
|
|
|
} else {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2019-05-10 18:52:44 +02:00
|
|
|
"The file to which the capture would be"
|
|
|
|
|
" saved (\"%s\") could not be opened: %s.",
|
|
|
|
|
capture_opts->save_file, g_strerror(err));
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2011-03-21 16:57:11 +00:00
|
|
|
capture_loop_close_output(capture_options *capture_opts, loop_data *ld, int *err_close)
|
|
|
|
|
{
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
unsigned int i;
|
|
|
|
|
capture_src *pcap_src;
|
2024-07-08 00:26:01 -04:00
|
|
|
uint64_t end_time = create_timestamp();
|
|
|
|
|
bool success;
|
2011-05-15 22:54:52 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_close_output");
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (capture_opts->multi_files_on) {
|
|
|
|
|
return ringbuf_libpcap_dump_close(&capture_opts->save_file, err_close);
|
|
|
|
|
} else {
|
|
|
|
|
if (capture_opts->use_pcapng) {
|
2011-05-15 22:54:52 +00:00
|
|
|
for (i = 0; i < global_ld.pcaps->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
|
|
|
|
if (!pcap_src->from_cap_pipe) {
|
2024-07-08 00:26:01 -04:00
|
|
|
uint64_t isb_ifrecv, isb_ifdrop;
|
2012-04-25 20:50:38 +00:00
|
|
|
struct pcap_stat stats;
|
|
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_stats(pcap_src->pcap_h, &stats) >= 0) {
|
|
|
|
|
isb_ifrecv = pcap_src->received;
|
|
|
|
|
isb_ifdrop = stats.ps_drop + pcap_src->dropped + pcap_src->flushed;
|
2012-04-25 20:50:38 +00:00
|
|
|
} else {
|
2024-07-08 00:26:01 -04:00
|
|
|
isb_ifrecv = UINT64_MAX;
|
|
|
|
|
isb_ifdrop = UINT64_MAX;
|
2012-04-25 20:50:38 +00:00
|
|
|
}
|
2013-09-29 20:53:13 +00:00
|
|
|
pcapng_write_interface_statistics_block(ld->pdh,
|
|
|
|
|
i,
|
|
|
|
|
&ld->bytes_written,
|
|
|
|
|
"Counters provided by dumpcap",
|
|
|
|
|
start_time,
|
|
|
|
|
end_time,
|
|
|
|
|
isb_ifrecv,
|
|
|
|
|
isb_ifdrop,
|
|
|
|
|
err_close);
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2025-01-21 09:47:46 -05:00
|
|
|
success = writecap_close(ld->pdh, err_close);
|
2019-01-03 15:51:56 +01:00
|
|
|
return success;
|
2009-04-27 08:11:10 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* dispatch incoming packets (pcap or capture pipe)
|
|
|
|
|
*
|
|
|
|
|
* Waits for incoming packets to be available, and calls pcap_dispatch()
|
|
|
|
|
* to cause them to be processed.
|
|
|
|
|
*
|
|
|
|
|
* Returns the number of packets which were processed.
|
|
|
|
|
*
|
|
|
|
|
* Times out (returning zero) after CAP_READ_TIMEOUT ms; this ensures that the
|
|
|
|
|
* packet-batching behaviour does not cause packets to get held back
|
|
|
|
|
* indefinitely.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2011-05-16 21:56:12 +00:00
|
|
|
capture_loop_dispatch(loop_data *ld,
|
2017-03-05 18:11:22 -08:00
|
|
|
char *errmsg, int errmsg_len, capture_src *pcap_src)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2018-10-04 18:09:28 -07:00
|
|
|
int inpkts = 0;
|
2024-07-08 00:26:01 -04:00
|
|
|
int packet_count_before;
|
2012-11-25 18:35:41 +00:00
|
|
|
int sel_ret;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2018-10-31 10:03:04 +01:00
|
|
|
packet_count_before = ld->packets_captured;
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->from_cap_pipe) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* dispatch from capture pipe */
|
2008-02-16 02:39:58 +00:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_dispatch: from capture pipe");
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
2018-10-04 18:09:28 -07:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
if (pcap_src->from_cap_socket) {
|
|
|
|
|
#endif
|
|
|
|
|
sel_ret = cap_pipe_select(pcap_src->cap_pipe_fd);
|
|
|
|
|
if (sel_ret <= 0) {
|
|
|
|
|
if (sel_ret < 0 && errno != EINTR) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2018-10-04 18:09:28 -07:00
|
|
|
"Unexpected error from select: %s", g_strerror(errno));
|
2019-03-23 21:02:47 -07:00
|
|
|
report_capture_error(errmsg, please_report_bug());
|
2024-07-08 00:26:01 -04:00
|
|
|
ld->go = false;
|
2018-10-04 18:09:28 -07:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2018-10-04 18:09:28 -07:00
|
|
|
#ifdef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
2018-10-04 18:09:28 -07:00
|
|
|
/* Windows does not have select() for pipes. */
|
|
|
|
|
/* Proceed with _dispatch() which waits for cap_pipe_done_q
|
|
|
|
|
* notification from cap_thread_read() when ReadFile() on
|
|
|
|
|
* the pipe has read enough bytes. */
|
|
|
|
|
sel_ret = 1;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
if (sel_ret > 0) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* "select()" says we can read from the pipe without blocking
|
|
|
|
|
*/
|
2017-11-22 11:05:48 -08:00
|
|
|
inpkts = pcap_src->cap_pipe_dispatch(ld, pcap_src, errmsg, errmsg_len);
|
2011-03-21 16:57:11 +00:00
|
|
|
if (inpkts < 0) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("%s: src %u pipe reached EOF or err, rcv: %u drop: %u flush: %u",
|
2018-11-13 14:52:14 -08:00
|
|
|
G_STRFUNC, pcap_src->interface_id, pcap_src->received, pcap_src->dropped, pcap_src->flushed);
|
2021-06-18 19:21:42 +01:00
|
|
|
ws_assert(pcap_src->cap_pipe_err != PIPOK);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* dispatch from pcap */
|
2008-02-16 02:39:58 +00:00
|
|
|
#ifdef MUST_DO_SELECT
|
|
|
|
|
/*
|
2011-03-21 16:57:11 +00:00
|
|
|
* If we have "pcap_get_selectable_fd()", we use it to get the
|
|
|
|
|
* descriptor on which to select; if that's -1, it means there
|
|
|
|
|
* is no descriptor on which you can do a "select()" (perhaps
|
|
|
|
|
* because you're capturing on a special device, and that device's
|
|
|
|
|
* driver unfortunately doesn't support "select()", in which case
|
|
|
|
|
* we don't do the select - which means it might not be possible
|
|
|
|
|
* to stop a capture until a packet arrives. If that's unacceptable,
|
|
|
|
|
* plead with whoever supplies the software for that device to add
|
|
|
|
|
* "select()" support, or upgrade to libpcap 0.8.1 or later, and
|
|
|
|
|
* rebuild Wireshark or get a version built with libpcap 0.8.1 or
|
|
|
|
|
* later, so it can use pcap_breakloop().
|
2008-02-16 02:39:58 +00:00
|
|
|
*/
|
2011-03-21 16:57:11 +00:00
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_dispatch: from pcap_dispatch with select");
|
2011-03-21 16:57:11 +00:00
|
|
|
#endif
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_src->pcap_fd != -1) {
|
|
|
|
|
sel_ret = cap_pipe_select(pcap_src->pcap_fd);
|
2011-03-21 16:57:11 +00:00
|
|
|
if (sel_ret > 0) {
|
|
|
|
|
/*
|
|
|
|
|
* "select()" says we can read from it without blocking; go for
|
|
|
|
|
* it.
|
|
|
|
|
*
|
|
|
|
|
* We don't have pcap_breakloop(), so we only process one packet
|
|
|
|
|
* per pcap_dispatch() call, to allow a signal to stop the
|
|
|
|
|
* processing immediately, rather than processing all packets
|
|
|
|
|
* in a batch before quitting.
|
|
|
|
|
*/
|
2011-05-21 00:10:57 +00:00
|
|
|
if (use_threads) {
|
2024-06-17 18:40:41 +02:00
|
|
|
inpkts = pcap_dispatch(pcap_src->pcap_h, 1, capture_loop_queue_packet_cb, (uint8_t *)pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
} else {
|
2024-06-17 18:40:41 +02:00
|
|
|
inpkts = pcap_dispatch(pcap_src->pcap_h, 1, capture_loop_write_packet_cb, (uint8_t *)pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
if (inpkts < 0) {
|
|
|
|
|
if (inpkts == -1) {
|
|
|
|
|
/* Error, rather than pcap_breakloop(). */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->pcap_err = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
ld->go = false; /* error or pcap_breakloop() - stop capturing */
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (sel_ret < 0 && errno != EINTR) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2011-06-28 09:00:11 +00:00
|
|
|
"Unexpected error from select: %s", g_strerror(errno));
|
2019-03-23 21:02:47 -07:00
|
|
|
report_capture_error(errmsg, please_report_bug());
|
2024-07-08 00:26:01 -04:00
|
|
|
ld->go = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2009-08-22 22:49:59 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
else
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif /* MUST_DO_SELECT */
|
2011-03-21 16:57:11 +00:00
|
|
|
{
|
|
|
|
|
/* dispatch from pcap without select */
|
2008-02-16 02:39:58 +00:00
|
|
|
#if 1
|
|
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_dispatch: from pcap_dispatch");
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
|
|
|
|
#ifdef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* On Windows, we don't support asynchronously telling a process to
|
|
|
|
|
* stop capturing; instead, we check for an indication on a pipe
|
|
|
|
|
* after processing packets. We therefore process only one packet
|
|
|
|
|
* at a time, so that we can check the pipe after every packet.
|
|
|
|
|
*/
|
2011-05-21 00:10:57 +00:00
|
|
|
if (use_threads) {
|
2024-06-17 18:40:41 +02:00
|
|
|
inpkts = pcap_dispatch(pcap_src->pcap_h, 1, capture_loop_queue_packet_cb, (uint8_t *)pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
} else {
|
2024-06-17 18:40:41 +02:00
|
|
|
inpkts = pcap_dispatch(pcap_src->pcap_h, 1, capture_loop_write_packet_cb, (uint8_t *)pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#else
|
2011-05-21 00:10:57 +00:00
|
|
|
if (use_threads) {
|
2024-06-17 18:40:41 +02:00
|
|
|
inpkts = pcap_dispatch(pcap_src->pcap_h, -1, capture_loop_queue_packet_cb, (uint8_t *)pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
} else {
|
2024-06-17 18:40:41 +02:00
|
|
|
inpkts = pcap_dispatch(pcap_src->pcap_h, -1, capture_loop_write_packet_cb, (uint8_t *)pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
if (inpkts < 0) {
|
|
|
|
|
if (inpkts == -1) {
|
|
|
|
|
/* Error, rather than pcap_breakloop(). */
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->pcap_err = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
ld->go = false; /* error or pcap_breakloop() - stop capturing */
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#else /* pcap_next_ex */
|
|
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_dispatch: from pcap_next_ex");
|
2011-03-21 16:57:11 +00:00
|
|
|
#endif
|
|
|
|
|
/* XXX - this is currently unused, as there is some confusion with pcap_next_ex() vs. pcap_dispatch() */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* WinPcap's remote capturing feature doesn't work with pcap_dispatch(),
|
2020-10-02 19:17:00 -07:00
|
|
|
* see https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/WinPcapRemote
|
2011-03-21 16:57:11 +00:00
|
|
|
* This should be fixed in the WinPcap 4.0 alpha release.
|
|
|
|
|
*
|
|
|
|
|
* For reference, an example remote interface:
|
|
|
|
|
* rpcap://[1.2.3.4]/\Device\NPF_{39993D68-7C9B-4439-A329-F2D888DA7C5C}
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* emulate dispatch from pcap */
|
|
|
|
|
{
|
|
|
|
|
int in;
|
|
|
|
|
struct pcap_pkthdr *pkt_header;
|
2024-06-17 18:40:41 +02:00
|
|
|
uint8_t *pkt_data;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
in = 0;
|
|
|
|
|
while(ld->go &&
|
2017-03-05 18:11:22 -08:00
|
|
|
(in = pcap_next_ex(pcap_src->pcap_h, &pkt_header, &pkt_data)) == 1) {
|
2011-05-16 21:56:12 +00:00
|
|
|
if (use_threads) {
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_queue_packet_cb((uint8_t *)pcap_src, pkt_header, pkt_data);
|
2011-05-16 21:56:12 +00:00
|
|
|
} else {
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_write_packet_cb((uint8_t *)pcap_src, pkt_header, pkt_data);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2012-11-25 18:35:41 +00:00
|
|
|
if (in < 0) {
|
2024-07-08 00:26:01 -04:00
|
|
|
pcap_src->pcap_err = true;
|
|
|
|
|
ld->go = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif /* pcap_next_ex */
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef LOG_CAPTURE_VERBOSE
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_dispatch: %d new packet%s", inpkts, plurality(inpkts, "", "s"));
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
|
|
|
|
|
2018-10-31 10:03:04 +01:00
|
|
|
return ld->packets_captured - packet_count_before;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2010-11-16 15:37:37 +00:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
/* Isolate the Universally Unique Identifier from the interface. Basically, we
|
2011-05-05 20:46:02 +00:00
|
|
|
* want to grab only the characters between the '{' and '}' delimiters.
|
|
|
|
|
*
|
2010-11-16 15:37:37 +00:00
|
|
|
* Returns a GString that must be freed with g_string_free(). */
|
2011-03-21 16:57:11 +00:00
|
|
|
static GString *
|
|
|
|
|
isolate_uuid(const char *iface)
|
2010-11-16 15:37:37 +00:00
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
char *ptr;
|
2010-11-16 15:37:37 +00:00
|
|
|
GString *gstr;
|
|
|
|
|
|
|
|
|
|
ptr = strchr(iface, '{');
|
|
|
|
|
if (ptr == NULL)
|
|
|
|
|
return g_string_new(iface);
|
|
|
|
|
gstr = g_string_new(ptr + 1);
|
|
|
|
|
|
|
|
|
|
ptr = strchr(gstr->str, '}');
|
|
|
|
|
if (ptr == NULL)
|
|
|
|
|
return gstr;
|
|
|
|
|
|
|
|
|
|
gstr = g_string_truncate(gstr, ptr - gstr->str);
|
|
|
|
|
return gstr;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
/* open the output file (temporary/specified name/ringbuffer/named pipe/stdout) */
|
2024-07-08 00:26:01 -04:00
|
|
|
/* Returns true if the file opened successfully, false otherwise. */
|
|
|
|
|
static bool
|
2008-02-16 02:39:58 +00:00
|
|
|
capture_loop_open_output(capture_options *capture_opts, int *save_file_fd,
|
2011-03-21 16:57:11 +00:00
|
|
|
char *errmsg, int errmsg_len)
|
|
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
char *capfile_name = NULL;
|
|
|
|
|
char *prefix, *suffix;
|
|
|
|
|
bool is_tempfile;
|
2019-09-01 14:37:38 -04:00
|
|
|
GError *err_tempfile = NULL;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_open_output: %s",
|
2011-05-15 22:54:52 +00:00
|
|
|
(capture_opts->save_file) ? capture_opts->save_file : "(not specified)");
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
if (capture_opts->save_file != NULL) {
|
|
|
|
|
/* We return to the caller while the capture is in progress.
|
|
|
|
|
* Therefore we need to take a copy of save_file in
|
|
|
|
|
* case the caller destroys it after we return.
|
|
|
|
|
*/
|
|
|
|
|
capfile_name = g_strdup(capture_opts->save_file);
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
if (capture_opts->output_to_pipe == true) { /* either "-" or named pipe */
|
2011-03-21 16:57:11 +00:00
|
|
|
if (capture_opts->multi_files_on) {
|
|
|
|
|
/* ringbuffer is enabled; that doesn't work with standard output or a named pipe */
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2011-03-21 16:57:11 +00:00
|
|
|
"Ring buffer requested, but capture is being written to standard output or to a named pipe.");
|
|
|
|
|
g_free(capfile_name);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
if (strcmp(capfile_name, "-") == 0) {
|
|
|
|
|
/* write to stdout */
|
|
|
|
|
*save_file_fd = 1;
|
2008-02-16 02:39:58 +00:00
|
|
|
#ifdef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
/* set output pipe to binary mode to avoid Windows text-mode processing (eg: for CR/LF) */
|
|
|
|
|
_setmode(1, O_BINARY);
|
|
|
|
|
#endif
|
2017-11-16 20:23:33 -08:00
|
|
|
} else {
|
|
|
|
|
/* Try to open the specified FIFO for use as a capture buffer.
|
|
|
|
|
Do *not* create it if it doesn't exist. There's nothing
|
|
|
|
|
to truncate. If we need to read it, We Have A Problem. */
|
|
|
|
|
*save_file_fd = ws_open(capfile_name, O_WRONLY|O_BINARY, 0);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
} /* if (...output_to_pipe ... */
|
|
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
if (capture_opts->multi_files_on) {
|
|
|
|
|
/* ringbuffer is enabled */
|
|
|
|
|
*save_file_fd = ringbuf_init(capfile_name,
|
|
|
|
|
(capture_opts->has_ring_num_files) ? capture_opts->ring_num_files : 0,
|
2020-08-09 12:12:24 +09:00
|
|
|
capture_opts->group_read_access,
|
2021-08-23 19:42:04 +03:00
|
|
|
capture_opts->compress_type,
|
|
|
|
|
capture_opts->has_nametimenum);
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2019-01-25 17:04:33 +01:00
|
|
|
/* capfile_name is unused as the ringbuffer provides its own filename. */
|
2012-11-25 18:35:41 +00:00
|
|
|
if (*save_file_fd != -1) {
|
2011-03-21 16:57:11 +00:00
|
|
|
g_free(capfile_name);
|
2019-01-25 17:04:33 +01:00
|
|
|
capfile_name = NULL;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2020-07-29 09:36:19 -04:00
|
|
|
if (capture_opts->print_file_names) {
|
|
|
|
|
if (!ringbuf_set_print_name(capture_opts->print_name_to, NULL)) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len, "Could not write filenames to %s: %s.\n",
|
2020-07-29 09:36:19 -04:00
|
|
|
capture_opts->print_name_to,
|
|
|
|
|
g_strerror(errno));
|
|
|
|
|
g_free(capfile_name);
|
|
|
|
|
ringbuf_error_cleanup();
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2020-07-29 09:36:19 -04:00
|
|
|
}
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
|
|
|
|
/* Try to open/create the specified file for use as a capture buffer. */
|
2017-11-16 21:31:48 -08:00
|
|
|
*save_file_fd = ws_open(capfile_name, O_WRONLY|O_BINARY|O_TRUNC|O_CREAT,
|
2011-03-21 16:57:11 +00:00
|
|
|
(capture_opts->group_read_access) ? 0640 : 0600);
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
is_tempfile = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
|
|
|
|
/* Choose a random name for the temporary capture buffer */
|
2011-05-21 20:57:00 +00:00
|
|
|
if (global_capture_opts.ifaces->len > 1) {
|
2018-08-11 20:48:01 -07:00
|
|
|
/*
|
|
|
|
|
* More than one interface; just use the number of interfaces
|
2018-08-11 21:12:45 -07:00
|
|
|
* to generate the temporary file name prefix.
|
2018-08-11 20:48:01 -07:00
|
|
|
*/
|
2021-12-18 18:48:20 +00:00
|
|
|
prefix = ws_strdup_printf("wireshark_%d_interfaces", global_capture_opts.ifaces->len);
|
2011-05-21 20:57:00 +00:00
|
|
|
} else {
|
2018-08-11 21:12:45 -07:00
|
|
|
/*
|
2018-08-12 20:32:01 -07:00
|
|
|
* One interface; use its description, if it has one, to generate
|
|
|
|
|
* the temporary file name, otherwise use its name.
|
2018-08-11 21:12:45 -07:00
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
char *basename;
|
2018-08-12 20:32:01 -07:00
|
|
|
const interface_options *interface_opts;
|
|
|
|
|
|
|
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, 0);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Do we have a description?
|
|
|
|
|
*/
|
|
|
|
|
if (interface_opts->descr) {
|
|
|
|
|
/*
|
|
|
|
|
* Yes - use it.
|
|
|
|
|
*
|
|
|
|
|
* Strip off any stuff we shouldn't use in the file name,
|
|
|
|
|
* by getting the last component of what would be a file
|
|
|
|
|
* name.
|
|
|
|
|
*/
|
|
|
|
|
basename = g_path_get_basename(interface_opts->descr);
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* No - use the name.
|
|
|
|
|
*
|
|
|
|
|
* Strip off any stuff we shouldn't use in the file name,
|
|
|
|
|
* by getting the last component of what would be a file
|
|
|
|
|
* name.
|
|
|
|
|
*/
|
|
|
|
|
basename = g_path_get_basename(interface_opts->name);
|
2010-11-16 15:37:37 +00:00
|
|
|
#ifdef _WIN32
|
2018-08-12 20:32:01 -07:00
|
|
|
/*
|
|
|
|
|
* This is Windows, where we might have an ugly GUID-based
|
|
|
|
|
* interface name.
|
|
|
|
|
*
|
|
|
|
|
* If it's an ugly GUID-based name, use the generic portion
|
|
|
|
|
* of the interface GUID to form the basis of the filename.
|
|
|
|
|
*/
|
|
|
|
|
if (strncmp("NPF_{", basename, 5) == 0) {
|
|
|
|
|
/*
|
|
|
|
|
* We have a GUID-based name; extract the GUID digits
|
|
|
|
|
* as the basis of the filename.
|
|
|
|
|
*/
|
|
|
|
|
GString *iface;
|
|
|
|
|
iface = isolate_uuid(basename);
|
|
|
|
|
g_free(basename);
|
|
|
|
|
basename = g_strdup(iface->str);
|
|
|
|
|
g_string_free(iface, TRUE);
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
#endif
|
2018-08-12 20:32:01 -07:00
|
|
|
}
|
|
|
|
|
/* generate the temp file name prefix */
|
2018-08-11 20:43:00 -07:00
|
|
|
prefix = g_strconcat("wireshark_", basename, NULL);
|
2011-08-07 18:15:45 +00:00
|
|
|
g_free(basename);
|
2011-05-21 20:57:00 +00:00
|
|
|
}
|
2018-08-11 20:48:01 -07:00
|
|
|
|
|
|
|
|
/* Generate the appropriate suffix. */
|
2018-08-11 20:43:00 -07:00
|
|
|
if (capture_opts->use_pcapng) {
|
|
|
|
|
suffix = ".pcapng";
|
|
|
|
|
} else {
|
|
|
|
|
suffix = ".pcap";
|
|
|
|
|
}
|
2025-01-21 09:47:46 -05:00
|
|
|
const char* compression_suffix = wtap_compression_type_extension(wtap_name_to_compression_type(capture_opts->compress_type));
|
|
|
|
|
/* If not compressed, compression_suffix is NULL and g_strjoin
|
|
|
|
|
* handles the string list terminating early correctly.
|
|
|
|
|
*/
|
|
|
|
|
suffix = g_strjoin(".", suffix, compression_suffix, NULL);
|
2022-02-09 14:32:28 +00:00
|
|
|
*save_file_fd = create_tempfile(capture_opts->temp_dir, &capfile_name, prefix, suffix, &err_tempfile);
|
2011-03-21 16:57:11 +00:00
|
|
|
g_free(prefix);
|
2025-01-21 09:47:46 -05:00
|
|
|
g_free(suffix);
|
2024-07-08 00:26:01 -04:00
|
|
|
is_tempfile = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* did we fail to open the output file? */
|
|
|
|
|
if (*save_file_fd == -1) {
|
|
|
|
|
if (is_tempfile) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2022-01-19 08:05:10 -05:00
|
|
|
"The temporary file to which the capture would be saved "
|
|
|
|
|
"could not be opened: %s.", err_tempfile->message);
|
2019-09-01 14:37:38 -04:00
|
|
|
g_error_free(err_tempfile);
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
|
|
|
|
if (capture_opts->multi_files_on) {
|
2019-01-25 17:04:33 +01:00
|
|
|
/* Ensures that the ringbuffer is not used. This ensures that
|
|
|
|
|
* !ringbuf_is_initialized() is equivalent to
|
|
|
|
|
* capture_opts->save_file not being part of ringbuffer. */
|
2011-03-21 16:57:11 +00:00
|
|
|
ringbuf_error_cleanup();
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, errmsg_len,
|
2011-03-21 16:57:11 +00:00
|
|
|
"The file to which the capture would be saved (\"%s\") "
|
|
|
|
|
"could not be opened: %s.", capfile_name,
|
2011-06-28 09:00:11 +00:00
|
|
|
g_strerror(errno));
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
g_free(capfile_name);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2019-01-25 17:04:33 +01:00
|
|
|
g_free(capture_opts->save_file);
|
|
|
|
|
if (!is_tempfile && capture_opts->multi_files_on) {
|
|
|
|
|
/* In ringbuffer mode, save_file points to a filename from ringbuffer.c.
|
|
|
|
|
* capfile_name was already freed before. */
|
|
|
|
|
capture_opts->save_file = (char *)ringbuf_current_filename();
|
|
|
|
|
} else {
|
|
|
|
|
/* capture_opts_cleanup will g_free(capture_opts->save_file). */
|
|
|
|
|
capture_opts->save_file = capfile_name;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-10-31 11:34:35 +01:00
|
|
|
static time_t get_next_time_interval(int interval_s) {
|
|
|
|
|
time_t next_time = time(NULL);
|
|
|
|
|
next_time -= next_time % interval_s;
|
|
|
|
|
next_time += interval_s;
|
|
|
|
|
return next_time;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2010-05-25 20:14:22 +00:00
|
|
|
/* Do the work of handling either the file size or file duration capture
|
|
|
|
|
conditions being reached, and switching files or stopping. */
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2018-10-31 10:03:04 +01:00
|
|
|
do_file_switch_or_stop(capture_options *capture_opts)
|
2010-05-25 20:14:22 +00:00
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
bool successful;
|
2011-05-15 22:54:52 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (capture_opts->multi_files_on) {
|
2018-10-31 10:03:04 +01:00
|
|
|
if (capture_opts->has_autostop_files &&
|
|
|
|
|
++global_ld.file_count >= capture_opts->autostop_files) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* no files left: stop here */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
|
|
|
|
return false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Switch to the next ringbuffer file */
|
|
|
|
|
if (ringbuf_switch_file(&global_ld.pdh, &capture_opts->save_file,
|
|
|
|
|
&global_ld.save_file_fd, &global_ld.err)) {
|
|
|
|
|
|
|
|
|
|
/* File switch succeeded: reset the conditions */
|
|
|
|
|
global_ld.bytes_written = 0;
|
2018-10-31 10:03:04 +01:00
|
|
|
global_ld.packets_written = 0;
|
2018-10-08 13:25:36 -07:00
|
|
|
if (capture_opts->use_pcapng) {
|
2020-11-25 00:43:43 -08:00
|
|
|
successful = capture_loop_init_pcapng_output(capture_opts, &global_ld, &global_ld.err);
|
2017-11-22 11:05:48 -08:00
|
|
|
} else {
|
2018-10-08 13:25:36 -07:00
|
|
|
capture_src *pcap_src;
|
|
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, 0);
|
|
|
|
|
successful = libpcap_write_file_header(global_ld.pdh, pcap_src->linktype, pcap_src->snaplen,
|
|
|
|
|
pcap_src->ts_nsec, &global_ld.bytes_written, &global_ld.err);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2018-10-08 13:25:36 -07:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (!successful) {
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_close(global_ld.pdh, NULL);
|
2011-03-21 16:57:11 +00:00
|
|
|
global_ld.pdh = NULL;
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
|
|
|
|
return false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2018-10-31 10:03:04 +01:00
|
|
|
if (global_ld.file_duration_timer) {
|
|
|
|
|
g_timer_reset(global_ld.file_duration_timer);
|
2018-10-31 11:34:35 +01:00
|
|
|
}
|
2018-10-31 10:03:04 +01:00
|
|
|
if (global_ld.next_interval_time) {
|
|
|
|
|
global_ld.next_interval_time = get_next_time_interval(global_ld.interval_s);
|
2018-10-31 11:34:35 +01:00
|
|
|
}
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2021-10-13 17:18:50 -07:00
|
|
|
if (global_ld.inpkts_to_sync_pipe) {
|
|
|
|
|
if (!quiet)
|
|
|
|
|
report_packet_count(global_ld.inpkts_to_sync_pipe);
|
|
|
|
|
global_ld.inpkts_to_sync_pipe = 0;
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
report_new_capture_file(capture_opts->save_file);
|
|
|
|
|
} else {
|
|
|
|
|
/* File switch failed: stop here */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
|
|
|
|
return false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* single file, stop now */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
|
|
|
|
return false;
|
2010-05-25 20:14:22 +00:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2010-05-25 20:14:22 +00:00
|
|
|
}
|
|
|
|
|
|
2011-05-16 21:56:12 +00:00
|
|
|
static void *
|
|
|
|
|
pcap_read_handler(void* arg)
|
|
|
|
|
{
|
2018-11-13 14:52:14 -08:00
|
|
|
capture_src *pcap_src = (capture_src *)arg;
|
2017-03-05 18:11:22 -08:00
|
|
|
char errmsg[MSG_MAX_LENGTH+1];
|
2011-05-16 21:56:12 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Started thread for interface %d.", pcap_src->interface_id);
|
2011-05-16 21:56:12 +00:00
|
|
|
|
2018-11-13 14:52:14 -08:00
|
|
|
/* If this is a pipe input it might finish early. */
|
|
|
|
|
while (global_ld.go && pcap_src->cap_pipe_err == PIPOK) {
|
2011-05-16 21:56:12 +00:00
|
|
|
/* dispatch incoming packets */
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_loop_dispatch(&global_ld, errmsg, sizeof(errmsg), pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2018-11-13 14:52:14 -08:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Stopped thread for interface %d.", pcap_src->interface_id);
|
2011-05-16 21:56:12 +00:00
|
|
|
g_thread_exit(NULL);
|
|
|
|
|
return (NULL);
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-13 10:40:55 -08:00
|
|
|
/* Try to pop an item off the packet queue and if it exists, write it */
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2018-11-13 10:40:55 -08:00
|
|
|
capture_loop_dequeue_packet(void) {
|
|
|
|
|
pcap_queue_element *queue_element;
|
|
|
|
|
|
|
|
|
|
g_async_queue_lock(pcap_queue);
|
|
|
|
|
queue_element = (pcap_queue_element *)g_async_queue_timeout_pop_unlocked(pcap_queue, WRITER_THREAD_TIMEOUT);
|
|
|
|
|
if (queue_element) {
|
|
|
|
|
if (queue_element->pcap_src->from_pcapng) {
|
|
|
|
|
pcap_queue_bytes -= queue_element->u.bh.block_total_length;
|
|
|
|
|
} else {
|
|
|
|
|
pcap_queue_bytes -= queue_element->u.phdr.caplen;
|
|
|
|
|
}
|
|
|
|
|
pcap_queue_packets -= 1;
|
|
|
|
|
}
|
|
|
|
|
g_async_queue_unlock(pcap_queue);
|
|
|
|
|
if (queue_element) {
|
|
|
|
|
if (queue_element->pcap_src->from_pcapng) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Dequeued a block of type 0x%08x of length %d captured on interface %d.",
|
2018-11-13 10:40:55 -08:00
|
|
|
queue_element->u.bh.block_type, queue_element->u.bh.block_total_length,
|
|
|
|
|
queue_element->pcap_src->interface_id);
|
|
|
|
|
|
|
|
|
|
capture_loop_write_pcapng_cb(queue_element->pcap_src,
|
|
|
|
|
&queue_element->u.bh,
|
|
|
|
|
queue_element->pd);
|
|
|
|
|
} else {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Dequeued a packet of length %d captured on interface %d.",
|
2018-11-13 10:40:55 -08:00
|
|
|
queue_element->u.phdr.caplen, queue_element->pcap_src->interface_id);
|
|
|
|
|
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_write_packet_cb((uint8_t *) queue_element->pcap_src,
|
2018-11-13 10:40:55 -08:00
|
|
|
&queue_element->u.phdr,
|
|
|
|
|
queue_element->pd);
|
|
|
|
|
}
|
|
|
|
|
g_free(queue_element->pd);
|
|
|
|
|
g_free(queue_element);
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2018-11-13 10:40:55 -08:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2018-11-13 10:40:55 -08:00
|
|
|
}
|
|
|
|
|
|
2021-02-08 22:33:18 -08:00
|
|
|
/*
|
|
|
|
|
* Note: this code will never be run on any OS other than Windows.
|
2021-10-22 15:00:16 -07:00
|
|
|
*
|
|
|
|
|
* We keep the arguments in case there's something in the future
|
|
|
|
|
* that needs to be reported as an NPCAP bug.
|
2021-02-08 22:33:18 -08:00
|
|
|
*/
|
|
|
|
|
static char *
|
2021-10-22 15:00:16 -07:00
|
|
|
handle_npcap_bug(char *adapter_name _U_, char *cap_err_str _U_)
|
2021-02-08 22:33:18 -08:00
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
bool have_npcap = false;
|
2022-02-24 17:07:45 +00:00
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
|
|
|
|
have_npcap = caplibs_have_npcap();
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if (!have_npcap) {
|
2021-02-09 11:38:51 -08:00
|
|
|
/*
|
2024-11-24 23:47:56 +10:00
|
|
|
* We're not using Npcap, so don't recommend a user
|
2021-02-09 11:38:51 -08:00
|
|
|
* file a bug against Npcap.
|
|
|
|
|
*/
|
|
|
|
|
return g_strdup("");
|
|
|
|
|
}
|
2022-02-24 17:07:45 +00:00
|
|
|
|
|
|
|
|
return ws_strdup_printf("If you have not removed that adapter, this "
|
2021-10-22 15:00:16 -07:00
|
|
|
"is probably a known issue in Npcap resulting from "
|
|
|
|
|
"the behavior of the Windows networking stack. "
|
|
|
|
|
"Work is being done in Npcap to improve the "
|
|
|
|
|
"handling of this issue; it does not need to "
|
|
|
|
|
"be reported as a Wireshark or Npcap bug.");
|
2021-02-08 22:33:18 -08:00
|
|
|
}
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
/* Do the low-level work of a capture.
|
2024-07-08 00:26:01 -04:00
|
|
|
Returns true if it succeeds, false otherwise. */
|
|
|
|
|
static bool
|
|
|
|
|
capture_loop_start(capture_options *capture_opts, bool *stats_known, struct pcap_stat *stats)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2015-09-02 14:35:37 -07:00
|
|
|
#ifdef _WIN32
|
2024-07-08 00:28:11 -04:00
|
|
|
ULONGLONG upd_time, cur_time; /* GetTickCount64() returns a "ULONGLONG" */
|
2011-05-05 20:46:02 +00:00
|
|
|
#else
|
2017-03-05 18:11:22 -08:00
|
|
|
struct timeval upd_time, cur_time;
|
|
|
|
|
#endif
|
|
|
|
|
int err_close;
|
|
|
|
|
int inpkts;
|
2018-10-31 11:34:35 +01:00
|
|
|
GTimer *autostop_duration_timer = NULL;
|
2024-07-08 00:26:01 -04:00
|
|
|
bool write_ok;
|
|
|
|
|
bool close_ok;
|
|
|
|
|
bool cfilter_error = false;
|
2017-03-05 18:11:22 -08:00
|
|
|
char errmsg[MSG_MAX_LENGTH+1];
|
|
|
|
|
char secondary_errmsg[MSG_MAX_LENGTH+1];
|
|
|
|
|
capture_src *pcap_src;
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_options *interface_opts;
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned i, error_index = 0;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
*errmsg = '\0';
|
|
|
|
|
*secondary_errmsg = '\0';
|
|
|
|
|
|
|
|
|
|
/* init the loop data */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = true;
|
2018-10-31 10:03:04 +01:00
|
|
|
global_ld.packets_captured = 0;
|
2010-05-26 00:19:27 +00:00
|
|
|
#ifdef SIGINFO
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.report_packet_count = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
#endif
|
|
|
|
|
global_ld.inpkts_to_sync_pipe = 0;
|
|
|
|
|
global_ld.err = 0; /* no error seen yet */
|
|
|
|
|
global_ld.pdh = NULL;
|
|
|
|
|
global_ld.save_file_fd = -1;
|
2018-10-31 10:03:04 +01:00
|
|
|
global_ld.file_count = 0;
|
|
|
|
|
global_ld.file_duration_timer = NULL;
|
|
|
|
|
global_ld.next_interval_time = 0;
|
|
|
|
|
global_ld.interval_s = 0;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* We haven't yet gotten the capture statistics. */
|
2024-07-08 00:26:01 -04:00
|
|
|
*stats_known = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Capture loop starting ...");
|
|
|
|
|
capture_opts_log(LOG_DOMAIN_CAPCHILD, LOG_LEVEL_DEBUG, capture_opts);
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* open the "input file" from network interface or capture pipe */
|
|
|
|
|
if (!capture_loop_open_input(capture_opts, &global_ld, errmsg, sizeof(errmsg),
|
|
|
|
|
secondary_errmsg, sizeof(secondary_errmsg))) {
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
2011-05-15 22:54:52 +00:00
|
|
|
for (i = 0; i < capture_opts->ifaces->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
|
2011-05-15 22:54:52 +00:00
|
|
|
/* init the input filter from the network interface (capture pipe will do nothing) */
|
2011-06-07 12:23:15 +00:00
|
|
|
/*
|
|
|
|
|
* When remote capturing WinPCap crashes when the capture filter
|
2012-03-03 16:17:20 +00:00
|
|
|
* is NULL. This might be a bug in WPCap. Therefore we provide an empty
|
2011-06-07 12:23:15 +00:00
|
|
|
* string.
|
|
|
|
|
*/
|
2017-03-05 18:11:22 -08:00
|
|
|
switch (capture_loop_init_filter(pcap_src->pcap_h, pcap_src->from_cap_pipe,
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts->name,
|
|
|
|
|
interface_opts->cfilter?interface_opts->cfilter:"")) {
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
case INITFILTER_NO_ERROR:
|
|
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
case INITFILTER_BAD_FILTER:
|
2024-07-08 00:26:01 -04:00
|
|
|
cfilter_error = true;
|
2011-06-27 11:30:39 +00:00
|
|
|
error_index = i;
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, sizeof(errmsg), "%s", pcap_geterr(pcap_src->pcap_h));
|
2011-05-15 22:54:52 +00:00
|
|
|
goto error;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2011-05-15 22:54:52 +00:00
|
|
|
case INITFILTER_OTHER_ERROR:
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, sizeof(errmsg), "Can't install filter (%s).",
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_geterr(pcap_src->pcap_h));
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(secondary_errmsg, sizeof(secondary_errmsg), "%s", please_report_bug());
|
2011-05-15 22:54:52 +00:00
|
|
|
goto error;
|
|
|
|
|
}
|
2010-05-26 00:19:27 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* If we're supposed to write to a capture file, open it for output
|
|
|
|
|
(temporary/specified name/ringbuffer) */
|
|
|
|
|
if (capture_opts->saving_to_file) {
|
|
|
|
|
if (!capture_loop_open_output(capture_opts, &global_ld.save_file_fd,
|
|
|
|
|
errmsg, sizeof(errmsg))) {
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* set up to write to the already-opened capture output file/files */
|
|
|
|
|
if (!capture_loop_init_output(capture_opts, &global_ld, errmsg,
|
|
|
|
|
sizeof(errmsg))) {
|
|
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* XXX - capture SIGTERM and close the capture, in case we're on a
|
|
|
|
|
Linux 2.0[.x] system and you have to explicitly close the capture
|
|
|
|
|
stream in order to turn promiscuous mode off? We need to do that
|
|
|
|
|
in other places as well - and I don't think that works all the
|
|
|
|
|
time in any case, due to libpcap bugs. */
|
|
|
|
|
|
|
|
|
|
/* Well, we should be able to start capturing.
|
|
|
|
|
|
|
|
|
|
Sync out the capture file, so the header makes it to the file system,
|
|
|
|
|
and send a "capture started successfully and capture file created"
|
|
|
|
|
message to our parent so that they'll open the capture file and
|
|
|
|
|
update its windows to indicate that we have a live capture in
|
|
|
|
|
progress. */
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2011-03-21 16:57:11 +00:00
|
|
|
report_new_capture_file(capture_opts->save_file);
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-31 11:34:35 +01:00
|
|
|
if (capture_opts->has_file_interval) {
|
2018-10-31 10:03:04 +01:00
|
|
|
global_ld.interval_s = capture_opts->file_interval;
|
|
|
|
|
global_ld.next_interval_time = get_next_time_interval(global_ld.interval_s);
|
2018-10-31 11:34:35 +01:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
/* create stop conditions */
|
2013-08-29 18:15:13 +00:00
|
|
|
if (capture_opts->has_autostop_filesize) {
|
Qt: Raise autostop filesize limit to 2 TB, enforce in the GUI
The variable used to control the autostop filesize (or filesize
at which to switch to the next file in multiple file mode) is a
32 bit unsigned integer, but it measures kB. Therefore we can easily
allow larger sizes. There is a small limitation because the QSpinBox
uses a signed integer (we could evade that by allowing larger sizes
only with MB or GB selected), but even with that, it's easy to support
2 TB, which is quite a bit larger.
We have large file support everywhere (tshark, Wireshark, libpcap,
etc.) so the size alone shouldn't be a problem. Such a very big
file might run into issues from being more than 2^31 frames in the
GUI (QTreeView uses an int for the number of rows) or 2^32 frames
viewed in tshark, but that would equally happen with *no* filesize
limit.
The autostop options, like the ring buffer options, must be greater
than zero. The GUI was only enforcing the latter. Set the minimums
for the spinboxes.
Also set maximums for the file size spinboxes, rather than popping up
a warning message when the user puts in a disallowed value. Change
the maximums depending on whether kB, MB, or GB are selected.
Fix the warning message (which shouldn't happen anymore), which was
incorrectly using binary prefixes even though the enforced maximum
value is actually a decimal/metric prefix.
Fix #5691
2024-05-30 18:41:03 -04:00
|
|
|
if (capture_opts->autostop_filesize > UINT32_C(2000000000)) {
|
|
|
|
|
capture_opts->autostop_filesize = UINT32_C(2000000000);
|
2013-08-29 18:15:13 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-10-31 11:34:35 +01:00
|
|
|
if (capture_opts->has_autostop_duration) {
|
|
|
|
|
autostop_duration_timer = g_timer_new();
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
if (capture_opts->multi_files_on) {
|
2018-10-31 11:34:35 +01:00
|
|
|
if (capture_opts->has_file_duration) {
|
2018-10-31 10:03:04 +01:00
|
|
|
global_ld.file_duration_timer = g_timer_new();
|
2018-10-31 11:34:35 +01:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* init the time values */
|
2015-09-02 14:35:37 -07:00
|
|
|
#ifdef _WIN32
|
2024-07-08 00:28:11 -04:00
|
|
|
upd_time = GetTickCount64();
|
2011-05-05 20:46:02 +00:00
|
|
|
#else
|
|
|
|
|
gettimeofday(&upd_time, NULL);
|
|
|
|
|
#endif
|
2012-02-23 12:57:17 +00:00
|
|
|
start_time = create_timestamp();
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Capture loop running.");
|
|
|
|
|
capture_opts_log(LOG_DOMAIN_CAPCHILD, LOG_LEVEL_DEBUG, capture_opts);
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* WOW, everything is prepared! */
|
|
|
|
|
/* please fasten your seat belts, we will enter now the actual capture loop */
|
2011-05-16 21:56:12 +00:00
|
|
|
if (use_threads) {
|
|
|
|
|
pcap_queue = g_async_queue_new();
|
2011-05-19 05:49:46 +00:00
|
|
|
pcap_queue_bytes = 0;
|
|
|
|
|
pcap_queue_packets = 0;
|
2011-05-16 21:56:12 +00:00
|
|
|
for (i = 0; i < global_ld.pcaps->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
2011-11-09 23:43:50 +00:00
|
|
|
/* XXX - Add an interface name here? */
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->tid = g_thread_new("Capture read", pcap_read_handler, pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
while (global_ld.go) {
|
|
|
|
|
/* dispatch incoming packets */
|
2011-05-16 21:56:12 +00:00
|
|
|
if (use_threads) {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool dequeued = capture_loop_dequeue_packet();
|
2011-05-16 21:56:12 +00:00
|
|
|
|
2018-11-13 10:40:55 -08:00
|
|
|
if (dequeued) {
|
2011-05-16 21:56:12 +00:00
|
|
|
inpkts = 1;
|
|
|
|
|
} else {
|
|
|
|
|
inpkts = 0;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, 0);
|
2011-05-16 21:56:12 +00:00
|
|
|
inpkts = capture_loop_dispatch(&global_ld, errmsg,
|
2017-03-05 18:11:22 -08:00
|
|
|
sizeof(errmsg), pcap_src);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2018-11-15 08:05:17 -08:00
|
|
|
if (inpkts == 0) {
|
|
|
|
|
/* Stop capturing if all of our sources are pipes and none of them are open. */
|
2024-07-08 00:26:01 -04:00
|
|
|
bool open_interfaces = false;
|
2018-11-15 08:05:17 -08:00
|
|
|
for (i = 0; i < global_ld.pcaps->len; i++) {
|
|
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
|
|
|
|
if (pcap_src->cap_pipe_err == PIPOK) {
|
|
|
|
|
/* True for both non-pipes and open pipes. */
|
2024-07-08 00:26:01 -04:00
|
|
|
open_interfaces = true;
|
2018-11-15 08:05:17 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!open_interfaces) {
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2018-11-13 14:52:14 -08:00
|
|
|
}
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
#ifdef SIGINFO
|
|
|
|
|
/* Were we asked to print packet counts by the SIGINFO handler? */
|
|
|
|
|
if (global_ld.report_packet_count) {
|
2018-10-31 10:03:04 +01:00
|
|
|
fprintf(stderr, "%u packet%s captured\n", global_ld.packets_captured,
|
|
|
|
|
plurality(global_ld.packets_captured, "", "s"));
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.report_packet_count = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2010-05-26 00:19:27 +00:00
|
|
|
#endif
|
|
|
|
|
|
2008-02-16 02:39:58 +00:00
|
|
|
#ifdef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
/* any news from our parent (signal pipe)? -> just stop the capture */
|
|
|
|
|
if (!signal_pipe_check_running()) {
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (inpkts > 0) {
|
|
|
|
|
if (capture_opts->output_to_pipe) {
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
} /* inpkts */
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2023-03-08 22:15:21 -05:00
|
|
|
/* Only update after an interval so as not to overload slow displays.
|
2011-05-05 20:46:02 +00:00
|
|
|
* This also prevents too much context-switching between the dumpcap
|
|
|
|
|
* and wireshark processes.
|
2023-03-08 22:15:21 -05:00
|
|
|
* XXX: Should we send updates sooner if there have been lots of
|
|
|
|
|
* packets we haven't notified the parent about, such as on fast links?
|
2011-05-05 21:41:51 +00:00
|
|
|
*/
|
2015-09-02 14:35:37 -07:00
|
|
|
#ifdef _WIN32
|
2024-07-08 00:28:11 -04:00
|
|
|
cur_time = GetTickCount64();
|
|
|
|
|
if ((cur_time - upd_time) > capture_opts->update_interval)
|
2008-02-16 02:39:58 +00:00
|
|
|
#else
|
2011-05-05 21:41:51 +00:00
|
|
|
gettimeofday(&cur_time, NULL);
|
2024-07-08 00:26:01 -04:00
|
|
|
if (((uint64_t)cur_time.tv_sec * 1000000 + cur_time.tv_usec) >
|
|
|
|
|
((uint64_t)upd_time.tv_sec * 1000000 + upd_time.tv_usec + capture_opts->update_interval*1000))
|
2008-02-16 02:39:58 +00:00
|
|
|
#endif
|
2018-09-28 12:02:42 -07:00
|
|
|
{
|
2011-05-05 20:46:02 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
upd_time = cur_time;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
#if 0
|
|
|
|
|
if (pcap_stats(pch, stats) >= 0) {
|
2024-07-08 00:26:01 -04:00
|
|
|
*stats_known = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
/* Let the parent process know. */
|
|
|
|
|
if (global_ld.inpkts_to_sync_pipe) {
|
|
|
|
|
/* do sync here */
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Send our parent a message saying we've written out
|
|
|
|
|
"global_ld.inpkts_to_sync_pipe" packets to the capture file. */
|
|
|
|
|
if (!quiet)
|
|
|
|
|
report_packet_count(global_ld.inpkts_to_sync_pipe);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
global_ld.inpkts_to_sync_pipe = 0;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* check capture duration condition */
|
2018-10-31 11:34:35 +01:00
|
|
|
if (autostop_duration_timer != NULL && g_timer_elapsed(autostop_duration_timer, NULL) >= capture_opts->autostop_duration) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* The maximum capture time has elapsed; stop the capture. */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* check capture file duration condition */
|
2018-10-31 10:03:04 +01:00
|
|
|
if (global_ld.file_duration_timer != NULL && g_timer_elapsed(global_ld.file_duration_timer, NULL) >= capture_opts->file_duration) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* duration limit reached, do we have another file? */
|
2018-10-31 10:03:04 +01:00
|
|
|
if (!do_file_switch_or_stop(capture_opts))
|
2011-03-21 16:57:11 +00:00
|
|
|
continue;
|
|
|
|
|
} /* cnd_file_duration */
|
2017-06-27 22:04:33 +02:00
|
|
|
|
|
|
|
|
/* check capture file interval condition */
|
2018-10-31 10:03:04 +01:00
|
|
|
if (global_ld.interval_s && time(NULL) >= global_ld.next_interval_time) {
|
2017-06-27 22:04:33 +02:00
|
|
|
/* end of interval reached, do we have another file? */
|
2018-10-31 10:03:04 +01:00
|
|
|
if (!do_file_switch_or_stop(capture_opts))
|
2017-06-27 22:04:33 +02:00
|
|
|
continue;
|
|
|
|
|
} /* cnd_file_interval */
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Capture loop stopping ...");
|
2011-05-16 21:56:12 +00:00
|
|
|
if (use_threads) {
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < global_ld.pcaps->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Waiting for thread of interface %u...", pcap_src->interface_id);
|
2017-03-05 18:11:22 -08:00
|
|
|
g_thread_join(pcap_src->tid);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Thread of interface %u terminated.", pcap_src->interface_id);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2011-05-19 05:49:46 +00:00
|
|
|
while (1) {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool dequeued = capture_loop_dequeue_packet();
|
2018-11-13 10:40:55 -08:00
|
|
|
if (!dequeued) {
|
2011-05-19 05:49:46 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2011-05-16 21:56:12 +00:00
|
|
|
if (capture_opts->output_to_pipe) {
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* delete stop conditions */
|
2018-10-31 10:03:04 +01:00
|
|
|
if (global_ld.file_duration_timer != NULL)
|
|
|
|
|
g_timer_destroy(global_ld.file_duration_timer);
|
2018-10-31 11:34:35 +01:00
|
|
|
if (autostop_duration_timer != NULL)
|
|
|
|
|
g_timer_destroy(autostop_duration_timer);
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2011-05-26 14:33:55 +00:00
|
|
|
/* did we have a pcap (input) error? */
|
2011-05-15 22:54:52 +00:00
|
|
|
for (i = 0; i < capture_opts->ifaces->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
|
|
|
|
if (pcap_src->pcap_err) {
|
2011-05-15 22:54:52 +00:00
|
|
|
/* On Linux, if an interface goes down while you're capturing on it,
|
2019-06-30 15:58:22 -07:00
|
|
|
you'll get "recvfrom: Network is down".
|
2011-06-28 09:00:11 +00:00
|
|
|
(At least you will if g_strerror() doesn't show a local translation
|
2011-05-15 22:54:52 +00:00
|
|
|
of the error.)
|
|
|
|
|
|
2019-07-01 00:12:40 -07:00
|
|
|
Newer versions of libpcap maps that to just
|
|
|
|
|
"The interface went down".
|
|
|
|
|
|
2017-04-22 15:39:24 -07:00
|
|
|
On FreeBSD, DragonFly BSD, and macOS, if a network adapter
|
2019-06-30 15:58:22 -07:00
|
|
|
disappears while you're capturing on it, you'll get
|
2017-04-22 15:39:24 -07:00
|
|
|
"read: Device not configured" error (ENXIO). (See previous
|
|
|
|
|
parenthetical note.)
|
2011-05-15 22:54:52 +00:00
|
|
|
|
|
|
|
|
On OpenBSD, you get "read: I/O error" (EIO) in the same case.
|
|
|
|
|
|
2019-06-30 15:58:22 -07:00
|
|
|
With WinPcap and Npcap, you'll get
|
2021-02-08 00:40:36 -08:00
|
|
|
"read error: PacketReceivePacket failed" or
|
|
|
|
|
"PacketReceivePacket error: The device has been removed. (1617)".
|
2019-06-30 15:58:22 -07:00
|
|
|
|
|
|
|
|
Newer versions of libpcap map some or all of those to just
|
2021-02-08 13:10:54 -08:00
|
|
|
"The interface disappeared" or something beginning with
|
2019-07-01 00:12:40 -07:00
|
|
|
"The interface disappeared".
|
2019-06-30 15:58:22 -07:00
|
|
|
|
2021-02-08 13:10:54 -08:00
|
|
|
These should *not* be reported to the Wireshark developers,
|
|
|
|
|
although, with Npcap, "The interface disappeared" messages
|
|
|
|
|
should perhaps be reported to the Npcap developers, at least
|
|
|
|
|
until errors of that sort that shouldn't happen are fixed,
|
|
|
|
|
if that's possible. */
|
2011-05-15 22:54:52 +00:00
|
|
|
char *cap_err_str;
|
2021-02-08 12:35:43 -08:00
|
|
|
char *primary_msg;
|
2021-02-08 13:10:54 -08:00
|
|
|
char *secondary_msg;
|
2011-05-15 22:54:52 +00:00
|
|
|
|
2021-02-08 12:35:43 -08:00
|
|
|
interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
|
2017-03-05 18:11:22 -08:00
|
|
|
cap_err_str = pcap_geterr(pcap_src->pcap_h);
|
2019-06-30 15:58:22 -07:00
|
|
|
if (strcmp(cap_err_str, "The interface went down") == 0 ||
|
2019-07-01 00:12:40 -07:00
|
|
|
strcmp(cap_err_str, "recvfrom: Network is down") == 0) {
|
2021-12-18 18:48:20 +00:00
|
|
|
primary_msg = ws_strdup_printf("The network adapter \"%s\" "
|
2021-02-08 12:35:43 -08:00
|
|
|
"is no longer running; the "
|
|
|
|
|
"capture has stopped.",
|
2021-02-08 15:16:33 -08:00
|
|
|
interface_opts->display_name);
|
2021-02-08 13:10:54 -08:00
|
|
|
secondary_msg = g_strdup("");
|
2019-07-01 00:12:40 -07:00
|
|
|
} else if (strcmp(cap_err_str, "The interface disappeared") == 0 ||
|
|
|
|
|
strcmp(cap_err_str, "read: Device not configured") == 0 ||
|
|
|
|
|
strcmp(cap_err_str, "read: I/O error") == 0 ||
|
|
|
|
|
strcmp(cap_err_str, "read error: PacketReceivePacket failed") == 0) {
|
2021-12-18 18:48:20 +00:00
|
|
|
primary_msg = ws_strdup_printf("The network adapter \"%s\" "
|
2021-02-08 12:35:43 -08:00
|
|
|
"is no longer attached; the "
|
|
|
|
|
"capture has stopped.",
|
2021-02-08 15:16:33 -08:00
|
|
|
interface_opts->display_name);
|
2021-02-08 13:10:54 -08:00
|
|
|
secondary_msg = g_strdup("");
|
|
|
|
|
} else if (g_str_has_prefix(cap_err_str, "The interface disappeared ")) {
|
|
|
|
|
/*
|
|
|
|
|
* Npcap, if it picks up a recent commit to libpcap, will
|
|
|
|
|
* report an error *beginning* with "The interface
|
|
|
|
|
* disappeared", with the name of the Windows status code,
|
|
|
|
|
* and the corresponding NT status code, after it.
|
|
|
|
|
*
|
|
|
|
|
* Those should be reported as Npcap issues.
|
|
|
|
|
*/
|
2021-12-18 18:48:20 +00:00
|
|
|
primary_msg = ws_strdup_printf("The network adapter \"%s\" "
|
2021-02-08 13:10:54 -08:00
|
|
|
"is no longer attached; the "
|
|
|
|
|
"capture has stopped.",
|
2021-02-08 15:16:33 -08:00
|
|
|
interface_opts->display_name);
|
2021-10-22 15:00:16 -07:00
|
|
|
secondary_msg = handle_npcap_bug(interface_opts->display_name,
|
|
|
|
|
cap_err_str);
|
2021-02-07 22:51:44 -08:00
|
|
|
} else if (g_str_has_prefix(cap_err_str, "PacketReceivePacket error:") &&
|
|
|
|
|
g_str_has_suffix(cap_err_str, "(1617)")) {
|
|
|
|
|
/*
|
|
|
|
|
* "PacketReceivePacket error: {message in arbitrary language} (1617)",
|
|
|
|
|
* which is ERROR_DEVICE_REMOVED.
|
|
|
|
|
*
|
|
|
|
|
* Current libpcap/Npcap treat ERROR_GEN_FAILURE as
|
|
|
|
|
* "the device is no longer attached"; users are also
|
|
|
|
|
* getting ERROR_DEVICE_REMOVED.
|
|
|
|
|
*
|
|
|
|
|
* For now, some users appear to be getg ERROR_DEVICE_REMOVED
|
|
|
|
|
* in cases where the device *wasn't* removed, so tell
|
|
|
|
|
* them to report this as an Npcap issue; I seem to
|
|
|
|
|
* remember some discussion between Daniel and somebody
|
|
|
|
|
* at Microsoft about the Windows 10 network stack setup/
|
|
|
|
|
* teardown code being modified to try to prevent those
|
|
|
|
|
* sort of problems popping up, but I can't find that
|
|
|
|
|
* discussion.
|
|
|
|
|
*/
|
2021-12-18 18:48:20 +00:00
|
|
|
primary_msg = ws_strdup_printf("The network adapter \"%s\" "
|
2021-02-08 12:35:43 -08:00
|
|
|
"is no longer attached; the "
|
|
|
|
|
"capture has stopped.",
|
2021-02-08 15:16:33 -08:00
|
|
|
interface_opts->display_name);
|
2021-10-22 15:00:16 -07:00
|
|
|
secondary_msg = handle_npcap_bug(interface_opts->display_name,
|
|
|
|
|
"The interface disappeared (error code ERROR_DEVICE_REMOVED/STATUS_DEVICE_REMOVED)");
|
2023-12-30 21:58:01 -08:00
|
|
|
} else if (strcmp(cap_err_str, "The other host terminated the connection.") == 0 ||
|
|
|
|
|
g_str_has_prefix(cap_err_str, "Is the server properly installed?")) {
|
|
|
|
|
/*
|
|
|
|
|
* Networking error for a remote capture.
|
|
|
|
|
*/
|
2021-02-08 12:35:43 -08:00
|
|
|
primary_msg = g_strdup(cap_err_str);
|
2021-02-08 13:10:54 -08:00
|
|
|
secondary_msg = g_strdup("This may be a problem with the "
|
|
|
|
|
"remote host on which you are "
|
|
|
|
|
"capturing packets.");
|
2011-05-15 22:54:52 +00:00
|
|
|
} else {
|
2021-12-18 18:48:20 +00:00
|
|
|
primary_msg = ws_strdup_printf("Error while capturing packets: %s",
|
2021-02-08 12:35:43 -08:00
|
|
|
cap_err_str);
|
2021-02-08 13:10:54 -08:00
|
|
|
secondary_msg = g_strdup(please_report_bug());
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2021-02-08 12:35:43 -08:00
|
|
|
report_capture_error(primary_msg, secondary_msg);
|
|
|
|
|
g_free(primary_msg);
|
2021-02-08 13:10:54 -08:00
|
|
|
g_free(secondary_msg);
|
2011-05-15 22:54:52 +00:00
|
|
|
break;
|
2017-03-05 18:11:22 -08:00
|
|
|
} else if (pcap_src->from_cap_pipe && pcap_src->cap_pipe_err == PIPERR) {
|
2011-05-15 22:54:52 +00:00
|
|
|
report_capture_error(errmsg, "");
|
|
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* did we have an output error while capturing? */
|
|
|
|
|
if (global_ld.err == 0) {
|
2024-07-08 00:26:01 -04:00
|
|
|
write_ok = true;
|
2008-02-16 02:39:58 +00:00
|
|
|
} else {
|
2018-05-12 13:42:38 -07:00
|
|
|
capture_loop_get_errmsg(errmsg, sizeof(errmsg), secondary_errmsg,
|
|
|
|
|
sizeof(secondary_errmsg),
|
2024-07-08 00:26:01 -04:00
|
|
|
capture_opts->save_file, global_ld.err, false);
|
2018-05-12 13:42:38 -07:00
|
|
|
report_capture_error(errmsg, secondary_errmsg);
|
2024-07-08 00:26:01 -04:00
|
|
|
write_ok = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (capture_opts->saving_to_file) {
|
|
|
|
|
/* close the output file */
|
|
|
|
|
close_ok = capture_loop_close_output(capture_opts, &global_ld, &err_close);
|
|
|
|
|
} else
|
2024-07-08 00:26:01 -04:00
|
|
|
close_ok = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* there might be packets not yet notified to the parent */
|
|
|
|
|
/* (do this after closing the file, so all packets are already flushed) */
|
2012-11-25 18:35:41 +00:00
|
|
|
if (global_ld.inpkts_to_sync_pipe) {
|
2011-03-21 16:57:11 +00:00
|
|
|
if (!quiet)
|
|
|
|
|
report_packet_count(global_ld.inpkts_to_sync_pipe);
|
|
|
|
|
global_ld.inpkts_to_sync_pipe = 0;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* If we've displayed a message about a write error, there's no point
|
|
|
|
|
in displaying another message about an error on close. */
|
|
|
|
|
if (!close_ok && write_ok) {
|
2018-05-12 13:42:38 -07:00
|
|
|
capture_loop_get_errmsg(errmsg, sizeof(errmsg), secondary_errmsg,
|
|
|
|
|
sizeof(secondary_errmsg),
|
2024-07-08 00:26:01 -04:00
|
|
|
capture_opts->save_file, err_close, true);
|
2018-05-12 13:42:38 -07:00
|
|
|
report_capture_error(errmsg, secondary_errmsg);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* XXX We exhibit different behaviour between normal mode and sync mode
|
|
|
|
|
* when the pipe is stdin and not already at EOF. If we're a child, the
|
|
|
|
|
* parent's stdin isn't closed, so if the user starts another capture,
|
|
|
|
|
* cap_pipe_open_live() will very likely not see the expected magic bytes and
|
|
|
|
|
* will say "Unrecognized libpcap format". On the other hand, in normal
|
|
|
|
|
* mode, cap_pipe_open_live() will say "End of file on pipe during open".
|
|
|
|
|
*/
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-06-07 20:56:42 -04:00
|
|
|
report_capture_count(!really_quiet);
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* get packet drop statistics from pcap */
|
2011-05-15 22:54:52 +00:00
|
|
|
for (i = 0; i < capture_opts->ifaces->len; i++) {
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t received;
|
|
|
|
|
uint32_t pcap_dropped = 0;
|
2011-05-26 19:22:16 +00:00
|
|
|
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
|
2017-03-05 18:11:22 -08:00
|
|
|
received = pcap_src->received;
|
|
|
|
|
if (pcap_src->pcap_h != NULL) {
|
2021-06-18 19:21:42 +01:00
|
|
|
ws_assert(!pcap_src->from_cap_pipe);
|
2011-05-15 22:54:52 +00:00
|
|
|
/* Get the capture statistics, so we know how many packets were dropped. */
|
2017-03-05 18:11:22 -08:00
|
|
|
if (pcap_stats(pcap_src->pcap_h, stats) >= 0) {
|
2024-07-08 00:26:01 -04:00
|
|
|
*stats_known = true;
|
2011-05-15 22:54:52 +00:00
|
|
|
/* Let the parent process know. */
|
2013-03-10 11:57:40 +00:00
|
|
|
pcap_dropped += stats->ps_drop;
|
2011-05-15 22:54:52 +00:00
|
|
|
} else {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(errmsg, sizeof(errmsg),
|
2011-05-15 22:54:52 +00:00
|
|
|
"Can't get packet-drop statistics: %s",
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_geterr(pcap_src->pcap_h));
|
2019-03-23 21:02:47 -07:00
|
|
|
report_capture_error(errmsg, please_report_bug());
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2018-08-12 20:32:01 -07:00
|
|
|
report_packet_drops(received, pcap_dropped, pcap_src->dropped, pcap_src->flushed, stats->ps_ifdrop, interface_opts->display_name);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* close the input file (pcap or capture pipe) */
|
|
|
|
|
capture_loop_close_input(&global_ld);
|
|
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Capture loop stopped.");
|
2011-03-21 16:57:11 +00:00
|
|
|
|
|
|
|
|
/* ok, if the write and the close were successful. */
|
|
|
|
|
return write_ok && close_ok;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
error:
|
2011-03-21 16:57:11 +00:00
|
|
|
if (capture_opts->multi_files_on) {
|
|
|
|
|
/* cleanup ringbuffer */
|
|
|
|
|
ringbuf_error_cleanup();
|
|
|
|
|
} else {
|
|
|
|
|
/* We can't use the save file, and we have no FILE * for the stream
|
|
|
|
|
to close in order to close it, so close the FD directly. */
|
2011-05-15 22:54:52 +00:00
|
|
|
if (global_ld.save_file_fd != -1) {
|
2011-03-21 16:57:11 +00:00
|
|
|
ws_close(global_ld.save_file_fd);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* We couldn't even start the capture, so get rid of the capture
|
|
|
|
|
file. */
|
2011-05-15 22:54:52 +00:00
|
|
|
if (capture_opts->save_file != NULL) {
|
2011-03-21 16:57:11 +00:00
|
|
|
ws_unlink(capture_opts->save_file);
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
if (cfilter_error)
|
2011-06-27 11:30:39 +00:00
|
|
|
report_cfilter_error(capture_opts, error_index, errmsg);
|
2011-03-21 16:57:11 +00:00
|
|
|
else
|
|
|
|
|
report_capture_error(errmsg, secondary_errmsg);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* close the input file (pcap or cap_pipe) */
|
|
|
|
|
capture_loop_close_input(&global_ld);
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Capture loop stopped with error");
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2012-11-25 18:35:41 +00:00
|
|
|
static void
|
|
|
|
|
capture_loop_stop(void)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned i;
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src;
|
2011-05-15 22:54:52 +00:00
|
|
|
|
2011-05-28 12:48:21 +00:00
|
|
|
for (i = 0; i < global_ld.pcaps->len; i++) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src = g_array_index(global_ld.pcaps, capture_src *, i);
|
|
|
|
|
if (pcap_src->pcap_h != NULL)
|
|
|
|
|
pcap_breakloop(pcap_src->pcap_h);
|
2011-05-15 22:54:52 +00:00
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2018-05-12 13:42:38 -07:00
|
|
|
capture_loop_get_errmsg(char *errmsg, size_t errmsglen, char *secondary_errmsg,
|
|
|
|
|
size_t secondary_errmsglen, const char *fname,
|
2024-07-08 00:26:01 -04:00
|
|
|
int err, bool is_close)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2018-05-12 13:42:38 -07:00
|
|
|
static const char find_space[] =
|
|
|
|
|
"You will need to free up space on that file system"
|
|
|
|
|
" or put the capture file on a different file system.";
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
switch (err) {
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
case ENOSPC:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsglen,
|
2011-03-21 16:57:11 +00:00
|
|
|
"Not all the packets could be written to the file"
|
|
|
|
|
" to which the capture was being saved\n"
|
|
|
|
|
"(\"%s\") because there is no space left on the file system\n"
|
|
|
|
|
"on which that file resides.",
|
|
|
|
|
fname);
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsglen, "%s", find_space);
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
|
|
|
|
#ifdef EDQUOT
|
2011-03-21 16:57:11 +00:00
|
|
|
case EDQUOT:
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsglen,
|
2011-03-21 16:57:11 +00:00
|
|
|
"Not all the packets could be written to the file"
|
|
|
|
|
" to which the capture was being saved\n"
|
|
|
|
|
"(\"%s\") because you are too close to, or over,"
|
|
|
|
|
" your disk quota\n"
|
|
|
|
|
"on the file system on which that file resides.",
|
|
|
|
|
fname);
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsglen, "%s", find_space);
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
if (is_close) {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsglen,
|
2011-03-21 16:57:11 +00:00
|
|
|
"The file to which the capture was being saved\n"
|
|
|
|
|
"(\"%s\") could not be closed: %s.",
|
2011-06-28 09:00:11 +00:00
|
|
|
fname, g_strerror(err));
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(errmsg, errmsglen,
|
2011-03-21 16:57:11 +00:00
|
|
|
"An error occurred while writing to the file"
|
|
|
|
|
" to which the capture was being saved\n"
|
|
|
|
|
"(\"%s\"): %s.",
|
2011-06-28 09:00:11 +00:00
|
|
|
fname, g_strerror(err));
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2023-06-18 16:07:35 -07:00
|
|
|
snprintf(secondary_errmsg, secondary_errmsglen,
|
2019-03-23 21:02:47 -07:00
|
|
|
"%s", please_report_bug());
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-09 13:58:03 -07:00
|
|
|
/*
|
|
|
|
|
* We wrote one packet. Update some statistics and check if we've met any
|
|
|
|
|
* autostop or ring buffer conditions.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
capture_loop_wrote_one_packet(capture_src *pcap_src) {
|
|
|
|
|
global_ld.packets_captured++;
|
|
|
|
|
global_ld.packets_written++;
|
2021-10-13 17:18:50 -07:00
|
|
|
global_ld.inpkts_to_sync_pipe++;
|
|
|
|
|
|
2021-03-13 18:28:14 -06:00
|
|
|
if (!use_threads) {
|
|
|
|
|
pcap_src->received++;
|
|
|
|
|
}
|
2018-11-09 13:58:03 -07:00
|
|
|
|
2022-02-11 01:54:53 +00:00
|
|
|
/* check -c NUM */
|
2018-11-09 13:58:03 -07:00
|
|
|
if (global_capture_opts.has_autostop_packets && global_ld.packets_captured >= global_capture_opts.autostop_packets) {
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2018-11-09 13:58:03 -07:00
|
|
|
return;
|
|
|
|
|
}
|
2022-02-11 01:54:53 +00:00
|
|
|
/* check -a packets:NUM (treat like -c NUM) */
|
|
|
|
|
if (global_capture_opts.has_autostop_written_packets && global_ld.packets_captured >= global_capture_opts.autostop_written_packets) {
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2022-02-11 01:54:53 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2018-11-09 13:58:03 -07:00
|
|
|
/* check -b packets:NUM */
|
|
|
|
|
if (global_capture_opts.has_file_packets && global_ld.packets_written >= global_capture_opts.file_packets) {
|
|
|
|
|
do_file_switch_or_stop(&global_capture_opts);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
/* check -a filesize:NUM */
|
|
|
|
|
if (global_capture_opts.has_autostop_filesize &&
|
|
|
|
|
global_capture_opts.autostop_filesize > 0 &&
|
|
|
|
|
global_ld.bytes_written / 1000 >= global_capture_opts.autostop_filesize) {
|
|
|
|
|
/* Capture size limit reached, do we have another file? */
|
|
|
|
|
do_file_switch_or_stop(&global_capture_opts);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
/* one pcapng block was captured, process it */
|
|
|
|
|
static void
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_write_pcapng_cb(capture_src *pcap_src, const pcapng_block_header_t *bh, uint8_t *pd)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
|
2018-11-09 19:03:07 -08:00
|
|
|
/*
|
|
|
|
|
* This should never be called if we're not writing pcapng.
|
|
|
|
|
*/
|
2021-06-18 19:21:42 +01:00
|
|
|
ws_assert(global_capture_opts.use_pcapng);
|
2018-11-09 19:03:07 -08:00
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
/* We may be called multiple times from pcap_dispatch(); if we've set
|
|
|
|
|
the "stop capturing" flag, ignore this packet, as we're not
|
|
|
|
|
supposed to be saving any more packets. */
|
|
|
|
|
if (!global_ld.go) {
|
|
|
|
|
pcap_src->flushed++;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-26 13:55:32 -08:00
|
|
|
if (!pcapng_adjust_block(pcap_src, bh, pd)) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("%s failed to adjust pcapng block.", G_STRFUNC);
|
2021-06-18 19:21:42 +01:00
|
|
|
ws_assert_not_reached();
|
2018-11-26 13:55:32 -08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
if (bh->block_type == BLOCK_TYPE_SHB && !global_ld.pcapng_passthrough) {
|
|
|
|
|
/*
|
|
|
|
|
* capture_loop_init_pcapng_output should've handled this. We need
|
|
|
|
|
* to write ISBs when they're initially read so we shouldn't skip
|
|
|
|
|
* them here.
|
|
|
|
|
*/
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
if (global_ld.pdh) {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool successful;
|
2017-11-22 11:05:48 -08:00
|
|
|
|
|
|
|
|
/* We're supposed to write the packet to a file; do so.
|
2024-07-08 00:26:01 -04:00
|
|
|
If this fails, set "ld->go" to false, to stop the capture, and set
|
2017-11-22 11:05:48 -08:00
|
|
|
"ld->err" to the error. */
|
|
|
|
|
successful = pcapng_write_block(global_ld.pdh,
|
|
|
|
|
pd,
|
|
|
|
|
bh->block_total_length,
|
|
|
|
|
&global_ld.bytes_written, &err);
|
|
|
|
|
|
2025-01-21 09:47:46 -05:00
|
|
|
writecap_flush(global_ld.pdh, NULL);
|
2017-11-22 11:05:48 -08:00
|
|
|
if (!successful) {
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2017-11-22 11:05:48 -08:00
|
|
|
global_ld.err = err;
|
|
|
|
|
pcap_src->dropped++;
|
2024-04-17 16:20:50 -07:00
|
|
|
} else if (is_data_block(bh->block_type)) {
|
2022-03-19 19:31:03 -07:00
|
|
|
/* Count packets for block types that should be dissected, i.e. ones that show up in the packet list. */
|
2024-05-10 10:31:26 -07:00
|
|
|
ws_debug("Wrote a pcapng block type 0x%04x of length %d captured on interface %u.",
|
2018-10-08 13:25:36 -07:00
|
|
|
bh->block_type, bh->block_total_length, pcap_src->interface_id);
|
2018-11-09 13:58:03 -07:00
|
|
|
capture_loop_wrote_one_packet(pcap_src);
|
2021-09-09 15:53:27 -07:00
|
|
|
} else if (bh->block_type == BLOCK_TYPE_SHB && report_capture_filename) {
|
2023-12-31 20:08:05 -05:00
|
|
|
ws_debug("Sending SP_FILE on first SHB");
|
2021-09-09 15:53:27 -07:00
|
|
|
/* SHB is now ready for capture parent to read on SP_FILE message */
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_FILE, report_capture_filename);
|
2021-09-09 15:53:27 -07:00
|
|
|
report_capture_filename = NULL;
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
/* one pcap packet was captured, process it */
|
2008-02-16 02:39:58 +00:00
|
|
|
static void
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_write_packet_cb(uint8_t *pcap_src_p, const struct pcap_pkthdr *phdr,
|
|
|
|
|
const uint8_t *pd)
|
2008-02-16 02:39:58 +00:00
|
|
|
{
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src = (capture_src *) (void *) pcap_src_p;
|
|
|
|
|
int err;
|
2024-07-08 00:26:01 -04:00
|
|
|
unsigned ts_mul = pcap_src->ts_nsec ? 1000000000 : 1000000;
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("capture_loop_write_packet_cb");
|
2018-09-28 12:02:42 -07:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* We may be called multiple times from pcap_dispatch(); if we've set
|
|
|
|
|
the "stop capturing" flag, ignore this packet, as we're not
|
|
|
|
|
supposed to be saving any more packets. */
|
2012-07-25 07:08:20 +00:00
|
|
|
if (!global_ld.go) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->flushed++;
|
2011-03-21 16:57:11 +00:00
|
|
|
return;
|
2012-07-25 07:08:20 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
|
2011-05-16 21:56:12 +00:00
|
|
|
if (global_ld.pdh) {
|
2024-07-08 00:26:01 -04:00
|
|
|
bool successful;
|
2011-05-16 00:19:47 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* We're supposed to write the packet to a file; do so.
|
2024-07-08 00:26:01 -04:00
|
|
|
If this fails, set "ld->go" to false, to stop the capture, and set
|
2011-03-21 16:57:11 +00:00
|
|
|
"ld->err" to the error. */
|
|
|
|
|
if (global_capture_opts.use_pcapng) {
|
2013-09-29 20:53:13 +00:00
|
|
|
successful = pcapng_write_enhanced_packet_block(global_ld.pdh,
|
|
|
|
|
NULL,
|
2024-07-08 00:26:01 -04:00
|
|
|
phdr->ts.tv_sec, (int32_t)phdr->ts.tv_usec,
|
2013-09-29 20:53:13 +00:00
|
|
|
phdr->caplen, phdr->len,
|
dumpcap: Don't write fake IDBs for pcapng interfaces
When we have multiple capture sources, for each one that is a pcapng
source and supplies its own IDBs, don't create a fake IDB with invalid
linktype WTAP_ENCAP_UNKNOWN and write it to the output file.
Instead, use the IDBs from the source, remapping them as necessary.
For non-pcapng sources, store the output IDB interface ID and write
EPBs using that, since now the input interface ID and the output
interface ID are not necessarily the same, if some of the other
sources are not pcapng.
Update the capture tests that use multiple FIFO sources, because now we
don't add two extra IDBs, one for each FIFO. Instead there are
3 * 11 == 33 total IDBs.
This prevents some various incompatibilites in Wireshark and other
tools when a file has interfaces of more than one link type, and also
has IDBs with an illegal WTAP_ENCAP_UNKNOWN link type.
Fix #19080
2023-05-17 19:19:02 -04:00
|
|
|
pcap_src->idb_id,
|
2013-09-29 20:53:13 +00:00
|
|
|
ts_mul,
|
|
|
|
|
pd, 0,
|
|
|
|
|
&global_ld.bytes_written, &err);
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
2013-09-29 20:26:25 +00:00
|
|
|
successful = libpcap_write_packet(global_ld.pdh,
|
2024-07-08 00:26:01 -04:00
|
|
|
phdr->ts.tv_sec, (int32_t)phdr->ts.tv_usec,
|
2012-12-20 15:20:10 +00:00
|
|
|
phdr->caplen, phdr->len,
|
|
|
|
|
pd,
|
|
|
|
|
&global_ld.bytes_written, &err);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
if (!successful) {
|
2024-07-08 00:26:01 -04:00
|
|
|
global_ld.go = false;
|
2011-05-16 21:56:12 +00:00
|
|
|
global_ld.err = err;
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->dropped++;
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
2023-12-31 20:08:05 -05:00
|
|
|
ws_debug("Wrote a pcap packet of length %d captured on interface %u.",
|
2017-03-05 18:11:22 -08:00
|
|
|
phdr->caplen, pcap_src->interface_id);
|
2018-11-09 13:58:03 -07:00
|
|
|
capture_loop_wrote_one_packet(pcap_src);
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2009-04-27 08:11:10 +00:00
|
|
|
}
|
2008-02-16 02:39:58 +00:00
|
|
|
}
|
|
|
|
|
|
2011-05-16 21:56:12 +00:00
|
|
|
/* one packet was captured, queue it */
|
|
|
|
|
static void
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_queue_packet_cb(uint8_t *pcap_src_p, const struct pcap_pkthdr *phdr,
|
|
|
|
|
const uint8_t *pd)
|
2011-05-16 21:56:12 +00:00
|
|
|
{
|
2017-03-05 18:11:22 -08:00
|
|
|
capture_src *pcap_src = (capture_src *) (void *) pcap_src_p;
|
2011-05-16 21:56:12 +00:00
|
|
|
pcap_queue_element *queue_element;
|
2024-07-08 00:26:01 -04:00
|
|
|
bool limit_reached;
|
2011-05-16 21:56:12 +00:00
|
|
|
|
|
|
|
|
/* We may be called multiple times from pcap_dispatch(); if we've set
|
|
|
|
|
the "stop capturing" flag, ignore this packet, as we're not
|
|
|
|
|
supposed to be saving any more packets. */
|
2012-04-25 17:43:44 +00:00
|
|
|
if (!global_ld.go) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->flushed++;
|
2011-05-16 21:56:12 +00:00
|
|
|
return;
|
2012-04-25 17:43:44 +00:00
|
|
|
}
|
2011-05-16 21:56:12 +00:00
|
|
|
|
2020-12-20 21:30:28 -05:00
|
|
|
queue_element = g_new(pcap_queue_element, 1);
|
2011-05-19 05:49:46 +00:00
|
|
|
if (queue_element == NULL) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->dropped++;
|
2011-05-26 19:22:16 +00:00
|
|
|
return;
|
2011-05-19 05:49:46 +00:00
|
|
|
}
|
2017-03-05 18:11:22 -08:00
|
|
|
queue_element->pcap_src = pcap_src;
|
2017-11-22 11:05:48 -08:00
|
|
|
queue_element->u.phdr = *phdr;
|
2024-06-17 18:40:41 +02:00
|
|
|
queue_element->pd = (uint8_t *)g_malloc(phdr->caplen);
|
2011-05-19 05:49:46 +00:00
|
|
|
if (queue_element->pd == NULL) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->dropped++;
|
2011-05-19 05:49:46 +00:00
|
|
|
g_free(queue_element);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2011-05-16 21:56:12 +00:00
|
|
|
memcpy(queue_element->pd, pd, phdr->caplen);
|
2011-05-19 05:49:46 +00:00
|
|
|
g_async_queue_lock(pcap_queue);
|
2013-03-10 11:57:40 +00:00
|
|
|
if (((pcap_queue_byte_limit == 0) || (pcap_queue_bytes < pcap_queue_byte_limit)) &&
|
|
|
|
|
((pcap_queue_packet_limit == 0) || (pcap_queue_packets < pcap_queue_packet_limit))) {
|
2024-07-08 00:26:01 -04:00
|
|
|
limit_reached = false;
|
2011-05-19 05:49:46 +00:00
|
|
|
g_async_queue_push_unlocked(pcap_queue, queue_element);
|
|
|
|
|
pcap_queue_bytes += phdr->caplen;
|
|
|
|
|
pcap_queue_packets += 1;
|
|
|
|
|
} else {
|
2024-07-08 00:26:01 -04:00
|
|
|
limit_reached = true;
|
2011-05-19 05:49:46 +00:00
|
|
|
}
|
|
|
|
|
g_async_queue_unlock(pcap_queue);
|
|
|
|
|
if (limit_reached) {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->dropped++;
|
2011-05-19 05:49:46 +00:00
|
|
|
g_free(queue_element->pd);
|
|
|
|
|
g_free(queue_element);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Dropped a packet of length %d captured on interface %u.",
|
2017-03-05 18:11:22 -08:00
|
|
|
phdr->caplen, pcap_src->interface_id);
|
2011-05-19 05:49:46 +00:00
|
|
|
} else {
|
2017-03-05 18:11:22 -08:00
|
|
|
pcap_src->received++;
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Queued a packet of length %d captured on interface %u.",
|
2017-03-05 18:11:22 -08:00
|
|
|
phdr->caplen, pcap_src->interface_id);
|
2011-05-19 05:49:46 +00:00
|
|
|
}
|
|
|
|
|
/* I don't want to hold the mutex over the debug output. So the
|
|
|
|
|
output may be wrong */
|
2021-12-17 20:05:19 +00:00
|
|
|
ws_info("Queue size is now %" PRId64 " bytes (%" PRId64 " packets)",
|
2011-05-19 05:49:46 +00:00
|
|
|
pcap_queue_bytes, pcap_queue_packets);
|
2011-05-16 21:56:12 +00:00
|
|
|
}
|
2005-12-01 20:19:30 +00:00
|
|
|
|
2017-11-22 11:05:48 -08:00
|
|
|
/* one pcapng block was captured, queue it */
|
|
|
|
|
static void
|
2024-06-17 18:40:41 +02:00
|
|
|
capture_loop_queue_pcapng_cb(capture_src *pcap_src, const pcapng_block_header_t *bh, uint8_t *pd)
|
2017-11-22 11:05:48 -08:00
|
|
|
{
|
|
|
|
|
pcap_queue_element *queue_element;
|
2024-07-08 00:26:01 -04:00
|
|
|
bool limit_reached;
|
2017-11-22 11:05:48 -08:00
|
|
|
|
|
|
|
|
/* We may be called multiple times from pcap_dispatch(); if we've set
|
|
|
|
|
the "stop capturing" flag, ignore this packet, as we're not
|
|
|
|
|
supposed to be saving any more packets. */
|
|
|
|
|
if (!global_ld.go) {
|
|
|
|
|
pcap_src->flushed++;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-20 21:30:28 -05:00
|
|
|
queue_element = g_new(pcap_queue_element, 1);
|
2017-11-22 11:05:48 -08:00
|
|
|
if (queue_element == NULL) {
|
|
|
|
|
pcap_src->dropped++;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
queue_element->pcap_src = pcap_src;
|
|
|
|
|
queue_element->u.bh = *bh;
|
2024-06-17 18:40:41 +02:00
|
|
|
queue_element->pd = (uint8_t *)g_malloc(bh->block_total_length);
|
2017-11-22 11:05:48 -08:00
|
|
|
if (queue_element->pd == NULL) {
|
|
|
|
|
pcap_src->dropped++;
|
|
|
|
|
g_free(queue_element);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
memcpy(queue_element->pd, pd, bh->block_total_length);
|
|
|
|
|
g_async_queue_lock(pcap_queue);
|
|
|
|
|
if (((pcap_queue_byte_limit == 0) || (pcap_queue_bytes < pcap_queue_byte_limit)) &&
|
|
|
|
|
((pcap_queue_packet_limit == 0) || (pcap_queue_packets < pcap_queue_packet_limit))) {
|
2024-07-08 00:26:01 -04:00
|
|
|
limit_reached = false;
|
2017-11-22 11:05:48 -08:00
|
|
|
g_async_queue_push_unlocked(pcap_queue, queue_element);
|
|
|
|
|
pcap_queue_bytes += bh->block_total_length;
|
|
|
|
|
pcap_queue_packets += 1;
|
|
|
|
|
} else {
|
2024-07-08 00:26:01 -04:00
|
|
|
limit_reached = true;
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
g_async_queue_unlock(pcap_queue);
|
|
|
|
|
if (limit_reached) {
|
|
|
|
|
pcap_src->dropped++;
|
|
|
|
|
g_free(queue_element->pd);
|
|
|
|
|
g_free(queue_element);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Dropped a packet of length %d captured on interface %u.",
|
2017-11-22 11:05:48 -08:00
|
|
|
bh->block_total_length, pcap_src->interface_id);
|
|
|
|
|
} else {
|
|
|
|
|
pcap_src->received++;
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Queued a block of type 0x%08x of length %d captured on interface %u.",
|
2018-10-08 13:25:36 -07:00
|
|
|
bh->block_type, bh->block_total_length, pcap_src->interface_id);
|
2017-11-22 11:05:48 -08:00
|
|
|
}
|
|
|
|
|
/* I don't want to hold the mutex over the debug output. So the
|
|
|
|
|
output may be wrong */
|
2021-12-17 20:05:19 +00:00
|
|
|
ws_info("Queue size is now %" PRId64 " bytes (%" PRId64 " packets)",
|
2017-11-22 11:05:48 -08:00
|
|
|
pcap_queue_bytes, pcap_queue_packets);
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-24 19:45:49 +00:00
|
|
|
static int
|
|
|
|
|
set_80211_channel(const char *iface, const char *opt)
|
|
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t freq = 0;
|
2016-02-07 00:40:51 +01:00
|
|
|
int type = -1;
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t center_freq1 = 0;
|
|
|
|
|
uint32_t center_freq2 = 0;
|
2016-02-07 00:40:51 +01:00
|
|
|
int args;
|
2016-09-05 15:45:21 +02:00
|
|
|
int ret = 0;
|
2024-07-08 00:26:01 -04:00
|
|
|
char **options = NULL;
|
2012-11-25 18:35:41 +00:00
|
|
|
|
2016-02-07 00:40:51 +01:00
|
|
|
options = g_strsplit_set(opt, ",", 4);
|
2020-04-01 13:06:00 -07:00
|
|
|
for (args = 0; options[args]; args++)
|
|
|
|
|
;
|
|
|
|
|
|
|
|
|
|
ret = ws80211_init();
|
|
|
|
|
if (ret != WS80211_INIT_OK) {
|
|
|
|
|
if (ret == WS80211_INIT_NOT_SUPPORTED)
|
|
|
|
|
cmdarg_err("Setting 802.11 channels is not supported on this platform");
|
|
|
|
|
else
|
|
|
|
|
cmdarg_err("Failed to init ws80211: %s", g_strerror(abs(ret)));
|
|
|
|
|
ret = 2;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2012-06-24 19:45:49 +00:00
|
|
|
|
|
|
|
|
if (options[0])
|
2025-04-18 13:10:42 -04:00
|
|
|
if (!get_nonzero_uint32(options[0], "802.11 channel frequency", &freq)) {
|
|
|
|
|
ret = EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2012-06-24 19:45:49 +00:00
|
|
|
|
2016-02-07 00:40:51 +01:00
|
|
|
if (args >= 1 && options[1]) {
|
2012-06-24 19:45:49 +00:00
|
|
|
type = ws80211_str_to_chan_type(options[1]);
|
|
|
|
|
if (type == -1) {
|
2016-09-05 13:45:35 -07:00
|
|
|
cmdarg_err("\"%s\" is not a valid 802.11 channel type", options[1]);
|
2012-06-24 19:45:49 +00:00
|
|
|
ret = EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-02-07 00:40:51 +01:00
|
|
|
|
|
|
|
|
if (args >= 2 && options[2])
|
2025-04-18 13:10:42 -04:00
|
|
|
if (!get_nonzero_uint32(options[2], "VHT center frequency", ¢er_freq1)) {
|
|
|
|
|
ret = EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2016-02-07 00:40:51 +01:00
|
|
|
|
|
|
|
|
if (args >= 3 && options[3])
|
2025-04-18 13:10:42 -04:00
|
|
|
if (!get_nonzero_uint32(options[3], "VHT center frequency 2", ¢er_freq2)) {
|
|
|
|
|
ret = EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2012-06-24 19:45:49 +00:00
|
|
|
|
2016-02-07 00:40:51 +01:00
|
|
|
ret = ws80211_set_freq(iface, freq, type, center_freq1, center_freq2);
|
2012-06-24 19:45:49 +00:00
|
|
|
|
|
|
|
|
if (ret) {
|
|
|
|
|
cmdarg_err("%d: Failed to set channel: %s\n", abs(ret), g_strerror(abs(ret)));
|
|
|
|
|
ret = 2;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (capture_child)
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
|
2012-06-24 19:45:49 +00:00
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
g_strfreev(options);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2014-07-03 01:45:32 -07:00
|
|
|
static void
|
2022-02-24 13:27:08 +00:00
|
|
|
gather_dumpcap_compiled_info(feature_list l)
|
2014-07-03 01:45:32 -07:00
|
|
|
{
|
2014-08-05 16:10:44 -04:00
|
|
|
/* Capture libraries */
|
2022-02-24 13:27:08 +00:00
|
|
|
gather_caplibs_compile_info(l);
|
2014-07-03 01:45:32 -07:00
|
|
|
}
|
|
|
|
|
|
2014-06-23 14:55:56 -07:00
|
|
|
static void
|
2022-02-24 13:27:08 +00:00
|
|
|
gather_dumpcap_runtime_info(feature_list l)
|
2014-06-23 14:55:56 -07:00
|
|
|
{
|
2014-07-04 00:24:02 -07:00
|
|
|
/* Capture libraries */
|
2022-02-24 13:27:08 +00:00
|
|
|
gather_caplibs_runtime_info(l);
|
2014-06-23 14:55:56 -07:00
|
|
|
}
|
|
|
|
|
|
2024-12-02 17:12:34 -08:00
|
|
|
#define LONGOPT_IFNAME LONGOPT_BASE_APPLICATION+1
|
|
|
|
|
#define LONGOPT_IFDESCR LONGOPT_BASE_APPLICATION+2
|
|
|
|
|
#define LONGOPT_CAPTURE_COMMENT LONGOPT_BASE_APPLICATION+3
|
|
|
|
|
#define LONGOPT_APPLICATION_FLAVOR LONGOPT_BASE_APPLICATION+4
|
2023-12-28 20:18:38 -05:00
|
|
|
#ifdef _WIN32
|
2024-12-02 17:12:34 -08:00
|
|
|
#define LONGOPT_SIGNAL_PIPE LONGOPT_BASE_APPLICATION+5
|
2023-12-28 20:18:38 -05:00
|
|
|
#endif
|
2021-03-24 23:36:29 -07:00
|
|
|
|
2005-11-28 08:54:52 +00:00
|
|
|
/* And now our feature presentation... [ fade to music ] */
|
2018-12-12 02:53:08 -08:00
|
|
|
int
|
2018-12-26 18:10:12 +01:00
|
|
|
main(int argc, char *argv[])
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2019-05-01 18:46:23 -07:00
|
|
|
char *err_msg;
|
2012-11-25 18:35:41 +00:00
|
|
|
int opt;
|
2021-09-29 18:32:28 +01:00
|
|
|
static const struct ws_option long_options[] = {
|
|
|
|
|
{"help", ws_no_argument, NULL, 'h'},
|
|
|
|
|
{"version", ws_no_argument, NULL, 'v'},
|
2014-06-20 14:51:10 -07:00
|
|
|
LONGOPT_CAPTURE_COMMON
|
2025-04-28 13:30:46 +00:00
|
|
|
LONGOPT_WSLOG
|
2021-09-29 18:32:28 +01:00
|
|
|
{"ifname", ws_required_argument, NULL, LONGOPT_IFNAME},
|
|
|
|
|
{"ifdescr", ws_required_argument, NULL, LONGOPT_IFDESCR},
|
|
|
|
|
{"capture-comment", ws_required_argument, NULL, LONGOPT_CAPTURE_COMMENT},
|
2024-12-02 17:12:34 -08:00
|
|
|
{"application-flavor", ws_required_argument, NULL, LONGOPT_APPLICATION_FLAVOR},
|
2023-12-28 20:18:38 -05:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
{"signal-pipe", ws_required_argument, NULL, LONGOPT_SIGNAL_PIPE},
|
|
|
|
|
#endif
|
2013-07-27 16:25:08 +00:00
|
|
|
{0, 0, 0, 0 }
|
|
|
|
|
};
|
|
|
|
|
|
2025-04-28 13:30:46 +00:00
|
|
|
#ifdef HAVE_PCAP_REMOTE
|
|
|
|
|
#define OPTSTRING_r "r"
|
|
|
|
|
#define OPTSTRING_u "u"
|
|
|
|
|
#else
|
|
|
|
|
#define OPTSTRING_r
|
|
|
|
|
#define OPTSTRING_u
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_PCAP_SETSAMPLING
|
|
|
|
|
#define OPTSTRING_m "m:"
|
|
|
|
|
#else
|
|
|
|
|
#define OPTSTRING_m
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#define OPTSTRING OPTSTRING_CAPTURE_COMMON "C:dghk:" OPTSTRING_m "MN:nPqQ" OPTSTRING_r "St" OPTSTRING_u "vw:Z:"
|
|
|
|
|
static const char optstring[] = OPTSTRING;
|
|
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
bool arg_error = false;
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2019-05-01 16:02:27 -07:00
|
|
|
#ifndef _WIN32
|
2012-11-25 18:35:41 +00:00
|
|
|
struct sigaction action, oldaction;
|
2007-11-21 22:49:02 +00:00
|
|
|
#endif
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2024-07-08 00:26:01 -04:00
|
|
|
bool stats_known;
|
2019-03-11 19:12:14 +02:00
|
|
|
struct pcap_stat stats = {0};
|
2024-07-08 00:26:01 -04:00
|
|
|
bool list_interfaces = false;
|
2017-08-07 16:38:52 +02:00
|
|
|
int caps_queries = 0;
|
2024-07-08 00:26:01 -04:00
|
|
|
bool print_bpf_code = false;
|
|
|
|
|
bool set_chan = false;
|
|
|
|
|
char *set_chan_arg = NULL;
|
|
|
|
|
bool machine_readable = false;
|
|
|
|
|
bool print_statistics = false;
|
2012-11-25 18:35:41 +00:00
|
|
|
int status, run_once_args = 0;
|
2024-07-08 00:26:01 -04:00
|
|
|
int i;
|
|
|
|
|
unsigned j;
|
2009-11-26 04:17:18 +00:00
|
|
|
#if defined(__APPLE__) && defined(__LP64__)
|
2012-11-25 18:35:41 +00:00
|
|
|
struct utsname osinfo;
|
2009-11-26 04:17:18 +00:00
|
|
|
#endif
|
2012-11-25 18:35:41 +00:00
|
|
|
GString *str;
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2024-11-28 14:04:14 -08:00
|
|
|
/* Set the program name. */
|
|
|
|
|
g_set_prgname("dumpcap");
|
|
|
|
|
|
2021-06-24 21:20:25 +01:00
|
|
|
/*
|
|
|
|
|
* Determine if dumpcap is being requested to run in a special
|
|
|
|
|
* capture_child mode by going thru the command line args to see if
|
|
|
|
|
* a -Z is present. (-Z is a hidden option).
|
|
|
|
|
*
|
|
|
|
|
* The primary result of running in capture_child mode is that
|
|
|
|
|
* all messages sent out on stderr are in a special type/len/string
|
|
|
|
|
* format to allow message processing by type. These messages include
|
|
|
|
|
* error messages if dumpcap fails to start the operation it was
|
|
|
|
|
* requested to do, as well as various "status" messages which are sent
|
|
|
|
|
* when an actual capture is in progress, and a "success" message sent
|
|
|
|
|
* if dumpcap was requested to perform an operation other than a
|
|
|
|
|
* capture.
|
|
|
|
|
*
|
|
|
|
|
* Capture_child mode would normally be requested by a parent process
|
|
|
|
|
* which invokes dumpcap and obtains dumpcap stderr output via a pipe
|
|
|
|
|
* to which dumpcap stderr has been redirected. It might also have
|
|
|
|
|
* another pipe to obtain dumpcap stdout output; for operations other
|
|
|
|
|
* than a capture, that information is formatted specially for easier
|
|
|
|
|
* parsing by the parent process.
|
|
|
|
|
*
|
|
|
|
|
* Capture_child mode needs to be determined immediately upon
|
|
|
|
|
* startup so that any messages generated by dumpcap in this mode
|
|
|
|
|
* (eg: during initialization) will be formatted properly.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
for (i=1; i<argc; i++) {
|
|
|
|
|
if (strcmp("-Z", argv[i]) == 0) {
|
2024-07-08 00:26:01 -04:00
|
|
|
capture_child = true;
|
|
|
|
|
machine_readable = true; /* request machine-readable output */
|
2023-12-28 20:18:38 -05:00
|
|
|
i++;
|
|
|
|
|
if (i >= argc) {
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2023-12-28 20:18:38 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strcmp(argv[i], SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
|
|
|
|
|
// get_positive_int calls cmdarg_err
|
|
|
|
|
if (!ws_strtoi(argv[i], NULL, &sync_pipe_fd) || sync_pipe_fd <= 0) {
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2023-12-28 20:18:38 -05:00
|
|
|
}
|
2021-06-24 21:20:25 +01:00
|
|
|
#ifdef _WIN32
|
2023-12-28 20:18:38 -05:00
|
|
|
/* On UN*X the fd is the same when we fork + exec.
|
|
|
|
|
* On Windows the HANDLE value is the same for inherited
|
|
|
|
|
* handles in the child process and the parent, although
|
|
|
|
|
* not necessarily the fd value from _open_osfhandle.
|
|
|
|
|
* https://learn.microsoft.com/en-us/windows/win32/procthread/inheritance
|
|
|
|
|
* Also, "64-bit versions of Windows use 32-bit handles for
|
|
|
|
|
* interoperability... only the lower 32 bits are significant,
|
|
|
|
|
* so it is safe to truncate... or sign-extend the handle."
|
|
|
|
|
* https://learn.microsoft.com/en-us/windows/win32/winprog64/interprocess-communication
|
|
|
|
|
*/
|
|
|
|
|
/* set output pipe to binary mode, avoid ugly text conversions */
|
|
|
|
|
sync_pipe_fd = _open_osfhandle( (intptr_t) sync_pipe_fd, _O_BINARY);
|
2021-06-24 21:20:25 +01:00
|
|
|
#endif
|
2023-12-28 20:18:38 -05:00
|
|
|
}
|
2021-06-24 21:20:25 +01:00
|
|
|
}
|
|
|
|
|
}
|
2021-06-08 02:46:52 +01:00
|
|
|
|
2014-06-29 14:37:21 -07:00
|
|
|
cmdarg_err_init(dumpcap_cmdarg_err, dumpcap_cmdarg_err_cont);
|
|
|
|
|
|
2021-06-24 21:20:25 +01:00
|
|
|
/* Initialize log handler early so we can have proper logging during startup. */
|
2024-11-28 14:04:14 -08:00
|
|
|
ws_log_init_with_writer(dumpcap_log_writer, vcmdarg_err);
|
2021-06-24 21:20:25 +01:00
|
|
|
|
2025-03-14 17:07:45 -04:00
|
|
|
#ifdef _WIN32
|
|
|
|
|
/* If running as a capture child, under no circumstances attempt to wait
|
|
|
|
|
* for the user to press a key before detaching from a console. */
|
|
|
|
|
if (capture_child) {
|
|
|
|
|
set_console_wait(false);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2021-06-19 19:44:58 +01:00
|
|
|
/* Early logging command-line initialization. */
|
2025-04-28 13:30:46 +00:00
|
|
|
ws_log_parse_args(&argc, argv, optstring, long_options, vcmdarg_err, WS_EXIT_INVALID_OPTION);
|
2021-06-08 02:46:52 +01:00
|
|
|
|
2023-12-31 20:08:05 -05:00
|
|
|
#if DEBUG_CHILD_DUMPCAP
|
|
|
|
|
/* Assume that if we're specially compiled with dumpcap debugging
|
|
|
|
|
* then we want maximum debugging.
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
*/
|
|
|
|
|
if (capture_child) {
|
2023-12-31 20:08:05 -05:00
|
|
|
ws_log_set_level(LOG_LEVEL_NOISY);
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((debug_log = ws_fopen("dumpcap_debug_log.tmp","w")) == NULL) {
|
|
|
|
|
fprintf (stderr, "Unable to open debug log file .\n");
|
|
|
|
|
exit (1);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2022-10-06 18:41:17 +01:00
|
|
|
ws_noisy("Finished log init and parsing command line log arguments");
|
|
|
|
|
|
2011-01-06 23:28:58 +00:00
|
|
|
#ifdef _WIN32
|
2013-02-20 01:19:42 +00:00
|
|
|
create_app_running_mutex();
|
2011-01-06 23:28:58 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* Initialize our DLL search path. MUST be called before LoadLibrary
|
|
|
|
|
* or g_module_open.
|
|
|
|
|
*/
|
|
|
|
|
ws_init_dll_search_path();
|
2019-10-06 19:44:59 +02:00
|
|
|
|
|
|
|
|
/* Load wpcap if possible. Do this before collecting the run-time version information */
|
|
|
|
|
load_wpcap();
|
2010-08-25 00:20:50 +00:00
|
|
|
#endif
|
2010-08-24 23:39:29 +00:00
|
|
|
|
2019-10-06 19:44:59 +02:00
|
|
|
/* Initialize the version information. */
|
2022-02-24 13:27:08 +00:00
|
|
|
ws_init_version_info("Dumpcap", gather_dumpcap_compiled_info,
|
|
|
|
|
gather_dumpcap_runtime_info);
|
2019-10-06 19:44:59 +02:00
|
|
|
|
2009-11-26 04:17:18 +00:00
|
|
|
#if defined(__APPLE__) && defined(__LP64__)
|
|
|
|
|
/*
|
2011-03-21 16:57:11 +00:00
|
|
|
* Is this Mac OS X 10.6.0, 10.6.1, 10.6.3, or 10.6.4? If so, we need
|
|
|
|
|
* a bug workaround - timeouts less than 1 second don't work with libpcap
|
|
|
|
|
* in 64-bit code. (The bug was introduced in 10.6, fixed in 10.6.2,
|
|
|
|
|
* re-introduced in 10.6.3, not fixed in 10.6.4, and fixed in 10.6.5.
|
|
|
|
|
* The problem is extremely unlikely to be reintroduced in a future
|
|
|
|
|
* release.)
|
|
|
|
|
*/
|
|
|
|
|
if (uname(&osinfo) == 0) {
|
|
|
|
|
/*
|
2017-04-05 12:15:27 -07:00
|
|
|
* {Mac} OS X/macOS 10.x uses Darwin {x+4}.0.0; 10.x.y uses Darwin
|
2011-03-21 16:57:11 +00:00
|
|
|
* {x+4}.y.0 (except that 10.6.1 appears to have a uname version
|
|
|
|
|
* number of 10.0.0, not 10.1.0 - go figure).
|
|
|
|
|
*/
|
|
|
|
|
if (strcmp(osinfo.release, "10.0.0") == 0 || /* 10.6, 10.6.1 */
|
|
|
|
|
strcmp(osinfo.release, "10.3.0") == 0 || /* 10.6.3 */
|
|
|
|
|
strcmp(osinfo.release, "10.4.0") == 0) /* 10.6.4 */
|
2024-07-08 00:26:01 -04:00
|
|
|
need_timeout_workaround = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-10-08 13:25:36 -07:00
|
|
|
/* Initialize the pcaps list and IDBs */
|
2017-03-05 18:11:22 -08:00
|
|
|
global_ld.pcaps = g_array_new(FALSE, FALSE, sizeof(capture_src *));
|
2025-03-24 09:24:14 -04:00
|
|
|
/* Assume, for now, that there will be only one input, which is pcapng. */
|
|
|
|
|
global_ld.pcapng_passthrough = true;
|
2018-10-08 13:25:36 -07:00
|
|
|
global_ld.saved_shb = NULL;
|
|
|
|
|
global_ld.saved_idbs = g_array_new(FALSE, TRUE, sizeof(saved_idb_t));
|
2011-05-27 06:52:32 +00:00
|
|
|
|
2019-05-01 18:46:23 -07:00
|
|
|
err_msg = ws_init_sockets();
|
|
|
|
|
if (err_msg != NULL)
|
2017-03-26 18:46:13 -04:00
|
|
|
{
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_log(LOG_DOMAIN_CAPCHILD, LOG_LEVEL_ERROR,
|
2019-05-01 18:46:23 -07:00
|
|
|
"ERROR: %s", err_msg);
|
|
|
|
|
g_free(err_msg);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_log(LOG_DOMAIN_CAPCHILD, LOG_LEVEL_ERROR,
|
2019-05-01 18:46:23 -07:00
|
|
|
"%s", please_report_bug());
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return EXIT_FAILURE;
|
2017-03-26 18:46:13 -04:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2019-05-01 18:46:23 -07:00
|
|
|
#ifdef _WIN32
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Set handler for Ctrl+C key */
|
2024-07-08 00:26:01 -04:00
|
|
|
SetConsoleCtrlHandler(capture_cleanup_handler, true);
|
2007-11-21 22:49:02 +00:00
|
|
|
#else
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Catch SIGINT and SIGTERM and, if we get either of them, clean up
|
2012-05-18 04:06:35 +00:00
|
|
|
and exit. Do the same with SIGPIPE, in case, for example,
|
|
|
|
|
we're writing to our standard output and it's a pipe.
|
|
|
|
|
Do the same with SIGHUP if it's not being ignored (if we're
|
|
|
|
|
being run under nohup, it might be ignored, in which case we
|
|
|
|
|
should leave it ignored).
|
|
|
|
|
|
|
|
|
|
XXX - apparently, Coverity complained that part of action
|
|
|
|
|
wasn't initialized. Perhaps it's running on Linux, where
|
|
|
|
|
struct sigaction has an ignored "sa_restorer" element and
|
|
|
|
|
where "sa_handler" and "sa_sigaction" might not be two
|
|
|
|
|
members of a union. */
|
|
|
|
|
memset(&action, 0, sizeof(action));
|
2011-03-21 16:57:11 +00:00
|
|
|
action.sa_handler = capture_cleanup_handler;
|
|
|
|
|
/*
|
|
|
|
|
* Arrange that system calls not get restarted, because when
|
|
|
|
|
* our signal handler returns we don't want to restart
|
|
|
|
|
* a call that was waiting for packets to arrive.
|
|
|
|
|
*/
|
|
|
|
|
action.sa_flags = 0;
|
|
|
|
|
sigemptyset(&action.sa_mask);
|
|
|
|
|
sigaction(SIGTERM, &action, NULL);
|
|
|
|
|
sigaction(SIGINT, &action, NULL);
|
|
|
|
|
sigaction(SIGPIPE, &action, NULL);
|
|
|
|
|
sigaction(SIGHUP, NULL, &oldaction);
|
|
|
|
|
if (oldaction.sa_handler == SIG_DFL)
|
|
|
|
|
sigaction(SIGHUP, &action, NULL);
|
2010-05-26 00:19:27 +00:00
|
|
|
|
|
|
|
|
#ifdef SIGINFO
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Catch SIGINFO and, if we get it and we're capturing in
|
|
|
|
|
quiet mode, report the number of packets we've captured. */
|
|
|
|
|
action.sa_handler = report_counts_siginfo;
|
|
|
|
|
action.sa_flags = SA_RESTART;
|
|
|
|
|
sigemptyset(&action.sa_mask);
|
|
|
|
|
sigaction(SIGINFO, &action, NULL);
|
2010-05-26 00:19:27 +00:00
|
|
|
#endif /* SIGINFO */
|
2005-11-28 08:54:52 +00:00
|
|
|
#endif /* _WIN32 */
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* ----------------------------------------------------------------- */
|
|
|
|
|
/* Privilege and capability handling */
|
|
|
|
|
/* Cases: */
|
|
|
|
|
/* 1. Running not as root or suid root; no special capabilities. */
|
|
|
|
|
/* Action: none */
|
|
|
|
|
/* */
|
|
|
|
|
/* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
|
|
|
|
|
/* Action: none */
|
|
|
|
|
/* */
|
|
|
|
|
/* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
|
|
|
|
|
/* Action: */
|
|
|
|
|
/* - Near start of program: Enable NET_RAW and NET_ADMIN */
|
|
|
|
|
/* capabilities; Drop all other capabilities; */
|
|
|
|
|
/* - If not -w (ie: doing -S or -D, etc) run to completion; */
|
|
|
|
|
/* else: after pcap_open_live() in capture_loop_open_input() */
|
|
|
|
|
/* drop all capabilities (NET_RAW and NET_ADMIN); */
|
|
|
|
|
/* (Note: this means that the process, although logged in */
|
|
|
|
|
/* as root, does not have various permissions such as the */
|
|
|
|
|
/* ability to bypass file access permissions). */
|
|
|
|
|
/* XXX: Should we just leave capabilities alone in this case */
|
|
|
|
|
/* so that user gets expected effect that root can do */
|
|
|
|
|
/* anything ?? */
|
|
|
|
|
/* */
|
|
|
|
|
/* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
|
|
|
|
|
/* Action: */
|
|
|
|
|
/* - If not -w (ie: doing -S or -D, etc) run to completion; */
|
|
|
|
|
/* else: after pcap_open_live() in capture_loop_open_input() */
|
|
|
|
|
/* drop suid root (set euid=ruid).(ie: keep suid until after */
|
|
|
|
|
/* pcap_open_live). */
|
|
|
|
|
/* */
|
|
|
|
|
/* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
|
|
|
|
|
/* Action: */
|
|
|
|
|
/* - Near start of program: Enable NET_RAW and NET_ADMIN */
|
|
|
|
|
/* capabilities; Drop all other capabilities; */
|
|
|
|
|
/* Drop suid privileges (euid=ruid); */
|
|
|
|
|
/* - If not -w (ie: doing -S or -D, etc) run to completion; */
|
|
|
|
|
/* else: after pcap_open_live() in capture_loop_open_input() */
|
|
|
|
|
/* drop all capabilities (NET_RAW and NET_ADMIN). */
|
|
|
|
|
/* */
|
|
|
|
|
/* XXX: For some Linux versions/distros with capabilities */
|
|
|
|
|
/* a 'normal' process with any capabilities cannot be */
|
|
|
|
|
/* 'killed' (signaled) from another (same uid) non-privileged */
|
|
|
|
|
/* process. */
|
|
|
|
|
/* For example: If (non-suid) Wireshark forks a */
|
|
|
|
|
/* child suid dumpcap which acts as described here (case 5), */
|
|
|
|
|
/* Wireshark will be unable to kill (signal) the child */
|
|
|
|
|
/* dumpcap process until the capabilities have been dropped */
|
|
|
|
|
/* (after pcap_open_live()). */
|
|
|
|
|
/* This behaviour will apparently be changed in the kernel */
|
|
|
|
|
/* to allow the kill (signal) in this case. */
|
|
|
|
|
/* See the following for details: */
|
2015-03-10 10:46:50 -07:00
|
|
|
/* https://www.mail-archive.com/ [wrapped] */
|
2011-03-21 16:57:11 +00:00
|
|
|
/* linux-security-module@vger.kernel.org/msg02913.html */
|
|
|
|
|
/* */
|
|
|
|
|
/* It is therefore conceivable that if dumpcap somehow hangs */
|
|
|
|
|
/* in pcap_open_live or before that wireshark will not */
|
|
|
|
|
/* be able to stop dumpcap using a signal (INT, TERM, etc). */
|
|
|
|
|
/* In this case, exiting wireshark will kill the child */
|
|
|
|
|
/* dumpcap process. */
|
|
|
|
|
/* */
|
|
|
|
|
/* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
|
|
|
|
|
/* capabilities; Using libcap. Note: capset cmd (which see) */
|
|
|
|
|
/* used to assign capabilities to file. */
|
|
|
|
|
/* Action: */
|
|
|
|
|
/* - If not -w (ie: doing -S or -D, etc) run to completion; */
|
|
|
|
|
/* else: after pcap_open_live() in capture_loop_open_input() */
|
|
|
|
|
/* drop all capabilities (NET_RAW and NET_ADMIN) */
|
|
|
|
|
/* */
|
|
|
|
|
/* ToDo: -S (stats) should drop privileges/capabilities when no */
|
|
|
|
|
/* longer required (similar to capture). */
|
|
|
|
|
/* */
|
|
|
|
|
/* ----------------------------------------------------------------- */
|
|
|
|
|
|
|
|
|
|
init_process_policies();
|
2008-03-22 19:04:26 +00:00
|
|
|
|
2008-02-16 03:18:36 +00:00
|
|
|
#ifdef HAVE_LIBCAP
|
2011-03-21 16:57:11 +00:00
|
|
|
/* If 'started with special privileges' (and using libcap) */
|
|
|
|
|
/* Set to keep only NET_RAW and NET_ADMIN capabilities; */
|
|
|
|
|
/* Set euid/egid = ruid/rgid to remove suid privileges */
|
|
|
|
|
relinquish_privs_except_capture();
|
|
|
|
|
#endif
|
|
|
|
|
|
2024-11-09 02:30:23 -05:00
|
|
|
init_report_failure_message_simple("dumpcap");
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Set the initial values in the capture options. This might be overwritten
|
|
|
|
|
by the command line parameters. */
|
2023-08-27 23:44:14 -07:00
|
|
|
capture_opts_init(&global_capture_opts, get_interface_list);
|
2011-03-21 16:57:11 +00:00
|
|
|
/* We always save to a file - if no file was specified, we save to a
|
|
|
|
|
temporary file. */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_capture_opts.saving_to_file = true;
|
|
|
|
|
global_capture_opts.has_ring_num_files = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2014-06-20 12:18:48 -07:00
|
|
|
/* Pass on capture_child mode for capture_opts */
|
|
|
|
|
global_capture_opts.capture_child = capture_child;
|
2013-06-04 04:36:19 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Now get our args */
|
2025-04-28 13:30:46 +00:00
|
|
|
while ((opt = ws_getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
|
2011-03-21 16:57:11 +00:00
|
|
|
switch (opt) {
|
|
|
|
|
case 'h': /* Print help and exit */
|
2018-12-12 18:16:15 -08:00
|
|
|
show_help_header("Capture network packets and dump them into a pcapng or pcap file.");
|
2014-07-02 19:29:21 -07:00
|
|
|
print_usage(stdout);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return EXIT_SUCCESS;
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'v': /* Show version and exit */
|
2018-12-12 18:16:15 -08:00
|
|
|
show_version();
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return EXIT_SUCCESS;
|
2024-12-02 17:12:34 -08:00
|
|
|
case LONGOPT_APPLICATION_FLAVOR:
|
|
|
|
|
set_application_flavor(application_name_to_flavor(ws_optarg));
|
|
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
/*** capture option specific ***/
|
|
|
|
|
case 'a': /* autostop criteria */
|
|
|
|
|
case 'b': /* Ringbuffer option */
|
|
|
|
|
case 'c': /* Capture x packets */
|
|
|
|
|
case 'f': /* capture filter */
|
2024-06-06 10:56:10 -04:00
|
|
|
case 'F': /* capture file type */
|
2012-12-12 03:25:35 +00:00
|
|
|
case 'g': /* enable group read access on file(s) */
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'i': /* Use interface x */
|
2017-08-07 16:38:52 +02:00
|
|
|
case LONGOPT_SET_TSTAMP_TYPE: /* Set capture timestamp type */
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'n': /* Use pcapng format */
|
|
|
|
|
case 'p': /* Don't capture in promiscuous mode */
|
2011-06-17 17:52:31 +00:00
|
|
|
case 'P': /* Use pcap format */
|
2011-03-21 16:57:11 +00:00
|
|
|
case 's': /* Set the snapshot (capture) length */
|
|
|
|
|
case 'w': /* Write to capture file x */
|
|
|
|
|
case 'y': /* Set the pcap data link type */
|
2007-12-04 11:19:29 +00:00
|
|
|
#ifdef HAVE_PCAP_REMOTE
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'u': /* Use UDP for data transfer */
|
|
|
|
|
case 'r': /* Capture own RPCAP traffic too */
|
|
|
|
|
case 'A': /* Authentication */
|
2007-12-04 11:19:29 +00:00
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_PCAP_SETSAMPLING
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'm': /* Sampling */
|
2007-12-04 11:19:29 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'B': /* Buffer size */
|
|
|
|
|
case 'I': /* Monitor mode */
|
2020-08-09 12:12:24 +09:00
|
|
|
case LONGOPT_COMPRESS_TYPE: /* compress type */
|
2022-02-09 14:32:28 +00:00
|
|
|
case LONGOPT_CAPTURE_TMPDIR: /* capture temp directory */
|
2023-03-08 22:15:21 -05:00
|
|
|
case LONGOPT_UPDATE_INTERVAL: /* sync pipe update interval */
|
2021-07-26 17:22:36 +01:00
|
|
|
status = capture_opts_add_opt(&global_capture_opts, opt, ws_optarg);
|
2012-11-25 18:35:41 +00:00
|
|
|
if (status != 0) {
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return status;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
/*** hidden option: Wireshark child mode (using binary output messages) ***/
|
2021-03-24 23:36:29 -07:00
|
|
|
case LONGOPT_IFNAME:
|
|
|
|
|
if (global_capture_opts.ifaces->len > 0) {
|
|
|
|
|
interface_options *interface_opts;
|
|
|
|
|
|
|
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, global_capture_opts.ifaces->len - 1);
|
2021-07-26 17:22:36 +01:00
|
|
|
interface_opts->ifname = g_strdup(ws_optarg);
|
2021-03-24 23:36:29 -07:00
|
|
|
} else {
|
|
|
|
|
cmdarg_err("--ifname must be specified after a -i option");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2021-03-24 23:36:29 -07:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case LONGOPT_IFDESCR:
|
|
|
|
|
if (global_capture_opts.ifaces->len > 0) {
|
|
|
|
|
interface_options *interface_opts;
|
|
|
|
|
|
|
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, global_capture_opts.ifaces->len - 1);
|
2021-07-26 17:22:36 +01:00
|
|
|
interface_opts->descr = g_strdup(ws_optarg);
|
2021-03-24 23:36:29 -07:00
|
|
|
} else {
|
|
|
|
|
cmdarg_err("--ifdescr must be specified after a -i option");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2021-03-24 23:36:29 -07:00
|
|
|
}
|
|
|
|
|
break;
|
Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.
This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.
Support writing multiple comments in dumpcap when capturing.
These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.
Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).
Update the man pages:
- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-14 22:16:30 -07:00
|
|
|
case LONGOPT_CAPTURE_COMMENT: /* capture comment */
|
|
|
|
|
if (capture_comments == NULL) {
|
|
|
|
|
capture_comments = g_ptr_array_new_with_free_func(g_free);
|
|
|
|
|
}
|
2021-07-26 17:22:36 +01:00
|
|
|
g_ptr_array_add(capture_comments, g_strdup(ws_optarg));
|
Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.
This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.
Support writing multiple comments in dumpcap when capturing.
These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.
Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).
Update the man pages:
- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-14 22:16:30 -07:00
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'Z':
|
2024-07-08 00:26:01 -04:00
|
|
|
capture_child = true;
|
2023-12-28 20:18:38 -05:00
|
|
|
/*
|
|
|
|
|
* Handled above
|
|
|
|
|
*/
|
|
|
|
|
break;
|
2006-03-13 00:30:51 +00:00
|
|
|
#ifdef _WIN32
|
2023-12-28 20:18:38 -05:00
|
|
|
case LONGOPT_SIGNAL_PIPE:
|
|
|
|
|
if (!capture_child) {
|
|
|
|
|
/* We have already checked for -Z at the very beginning. */
|
|
|
|
|
cmdarg_err("--signal-pipe may only be specified with -Z");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2023-12-28 20:18:38 -05:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
2021-07-26 17:22:36 +01:00
|
|
|
* ws_optarg = the control ID, aka the PPID, currently used for the
|
2011-03-21 16:57:11 +00:00
|
|
|
* signal pipe name.
|
|
|
|
|
*/
|
2021-07-26 17:22:36 +01:00
|
|
|
if (strcmp(ws_optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
|
2021-12-18 18:48:20 +00:00
|
|
|
sig_pipe_name = ws_strdup_printf(SIGNAL_PIPE_FORMAT, ws_optarg);
|
2011-03-21 16:57:11 +00:00
|
|
|
sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
|
|
|
|
|
GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
|
|
|
|
|
|
|
|
|
|
if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Signal pipe: Unable to open %s. Dead parent?",
|
2011-03-21 16:57:11 +00:00
|
|
|
sig_pipe_name);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
2023-12-28 20:18:38 -05:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'q': /* Quiet */
|
2024-07-08 00:26:01 -04:00
|
|
|
quiet = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
2024-06-07 20:56:42 -04:00
|
|
|
case 'Q': /* Really quiet */
|
2024-07-08 00:26:01 -04:00
|
|
|
quiet = true;
|
|
|
|
|
really_quiet = true;
|
2024-06-07 20:56:42 -04:00
|
|
|
break;
|
2011-05-16 21:56:12 +00:00
|
|
|
case 't':
|
2024-07-08 00:26:01 -04:00
|
|
|
use_threads = true;
|
2011-05-16 21:56:12 +00:00
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
/*** all non capture option specific ***/
|
|
|
|
|
case 'D': /* Print a list of capture devices and exit */
|
2023-12-18 10:34:39 -05:00
|
|
|
if (!list_interfaces && !caps_queries & !print_statistics) {
|
2015-03-17 13:11:12 -07:00
|
|
|
run_once_args++;
|
|
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
list_interfaces = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
case 'L': /* Print list of link-layer types and exit */
|
2023-12-18 10:34:39 -05:00
|
|
|
if (!list_interfaces && !caps_queries & !print_statistics) {
|
2015-03-17 13:11:12 -07:00
|
|
|
run_once_args++;
|
|
|
|
|
}
|
2023-12-15 06:18:39 -05:00
|
|
|
caps_queries |= CAPS_QUERY_LINK_TYPES;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
2017-08-07 16:38:52 +02:00
|
|
|
case LONGOPT_LIST_TSTAMP_TYPES:
|
2023-12-18 10:34:39 -05:00
|
|
|
if (!list_interfaces && !caps_queries & !print_statistics) {
|
2023-12-15 06:18:39 -05:00
|
|
|
run_once_args++;
|
|
|
|
|
}
|
|
|
|
|
caps_queries |= CAPS_QUERY_TIMESTAMP_TYPES;
|
|
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'd': /* Print BPF code for capture filter and exit */
|
2015-03-17 13:11:12 -07:00
|
|
|
if (!print_bpf_code) {
|
2024-07-08 00:26:01 -04:00
|
|
|
print_bpf_code = true;
|
2015-03-17 13:11:12 -07:00
|
|
|
run_once_args++;
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
case 'S': /* Print interface statistics once a second */
|
2023-12-18 10:34:39 -05:00
|
|
|
if (!list_interfaces && !caps_queries & !print_statistics) {
|
2015-03-17 13:11:12 -07:00
|
|
|
run_once_args++;
|
|
|
|
|
}
|
2024-07-08 00:26:01 -04:00
|
|
|
print_statistics = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
2012-06-24 19:45:49 +00:00
|
|
|
case 'k': /* Set wireless channel */
|
2015-03-17 13:11:12 -07:00
|
|
|
if (!set_chan) {
|
2024-07-08 00:26:01 -04:00
|
|
|
set_chan = true;
|
2021-07-26 17:22:36 +01:00
|
|
|
set_chan_arg = ws_optarg;
|
2015-03-17 13:11:12 -07:00
|
|
|
run_once_args++;
|
|
|
|
|
} else {
|
|
|
|
|
cmdarg_err("Only one -k flag may be specified");
|
2024-07-08 00:26:01 -04:00
|
|
|
arg_error = true;
|
2015-03-17 13:11:12 -07:00
|
|
|
}
|
|
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
case 'M': /* For -D, -L, and -S, print machine-readable output */
|
2024-07-08 00:26:01 -04:00
|
|
|
machine_readable = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
2013-03-10 11:57:40 +00:00
|
|
|
case 'C':
|
2025-04-18 13:10:42 -04:00
|
|
|
if (!get_positive_int64(ws_optarg, "byte_limit", &pcap_queue_byte_limit))
|
|
|
|
|
arg_error = true;
|
2013-03-10 11:57:40 +00:00
|
|
|
break;
|
|
|
|
|
case 'N':
|
2025-04-18 13:10:42 -04:00
|
|
|
if (!get_positive_int64(ws_optarg, "packet_limit", &pcap_queue_packet_limit))
|
|
|
|
|
arg_error = true;
|
2013-03-10 11:57:40 +00:00
|
|
|
break;
|
2011-03-21 16:57:11 +00:00
|
|
|
default:
|
2025-04-28 13:30:46 +00:00
|
|
|
/* wslog arguments are okay */
|
|
|
|
|
if (ws_log_is_wslog_arg(opt))
|
|
|
|
|
break;
|
|
|
|
|
|
2021-07-26 17:22:36 +01:00
|
|
|
cmdarg_err("Invalid Option: %s", argv[ws_optind-1]);
|
2011-08-29 21:36:48 +00:00
|
|
|
/* FALLTHROUGH */
|
2011-05-31 14:45:55 +00:00
|
|
|
case '?': /* Bad flag - print usage message */
|
2024-07-08 00:26:01 -04:00
|
|
|
arg_error = true;
|
2011-03-21 16:57:11 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-05-31 14:45:55 +00:00
|
|
|
if (!arg_error) {
|
2021-07-26 17:22:36 +01:00
|
|
|
argc -= ws_optind;
|
|
|
|
|
argv += ws_optind;
|
2011-05-31 14:45:55 +00:00
|
|
|
if (argc >= 1) {
|
|
|
|
|
/* user specified file name as regular command-line argument */
|
|
|
|
|
/* XXX - use it as the capture file name (or something else)? */
|
|
|
|
|
argc--;
|
|
|
|
|
argv++;
|
|
|
|
|
}
|
|
|
|
|
if (argc != 0) {
|
|
|
|
|
/*
|
|
|
|
|
* Extra command line arguments were specified; complain.
|
|
|
|
|
* XXX - interpret as capture filter, as tcpdump and tshark do?
|
|
|
|
|
*/
|
|
|
|
|
cmdarg_err("Invalid argument: %s", argv[0]);
|
2024-07-08 00:26:01 -04:00
|
|
|
arg_error = true;
|
2011-05-31 14:45:55 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
2013-03-10 11:57:40 +00:00
|
|
|
if ((pcap_queue_byte_limit > 0) || (pcap_queue_packet_limit > 0)) {
|
2024-07-08 00:26:01 -04:00
|
|
|
use_threads = true;
|
2013-03-10 11:57:40 +00:00
|
|
|
}
|
|
|
|
|
if ((pcap_queue_byte_limit == 0) && (pcap_queue_packet_limit == 0)) {
|
|
|
|
|
/* Use some default if the user hasn't specified some */
|
|
|
|
|
/* XXX: Are these defaults good enough? */
|
|
|
|
|
pcap_queue_byte_limit = 1000 * 1000;
|
|
|
|
|
pcap_queue_packet_limit = 1000;
|
|
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
if (arg_error) {
|
2024-06-06 10:56:10 -04:00
|
|
|
if (ws_optopt == 'F') {
|
|
|
|
|
capture_opts_list_file_types();
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2024-06-06 10:56:10 -04:00
|
|
|
}
|
2014-07-02 19:29:21 -07:00
|
|
|
print_usage(stderr);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (run_once_args > 1) {
|
2017-08-07 16:38:52 +02:00
|
|
|
cmdarg_err("Only one of -D, -L, -d, -k or -S may be supplied.");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2011-03-21 16:57:11 +00:00
|
|
|
} else if (run_once_args == 1) {
|
|
|
|
|
/* We're supposed to print some information, rather than
|
|
|
|
|
to capture traffic; did they specify a ring buffer option? */
|
|
|
|
|
if (global_capture_opts.multi_files_on) {
|
|
|
|
|
cmdarg_err("Ring buffer requested, but a capture isn't being done.");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2008-03-22 19:04:26 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
} else {
|
2011-05-21 18:51:25 +00:00
|
|
|
/* We're supposed to capture traffic; */
|
2013-07-27 16:16:57 +00:00
|
|
|
|
2013-07-27 16:48:06 +00:00
|
|
|
/* Are we capturing on multiple interface? If so, use threads and pcapng. */
|
|
|
|
|
if (global_capture_opts.ifaces->len > 1) {
|
2024-07-08 00:26:01 -04:00
|
|
|
use_threads = true;
|
|
|
|
|
global_capture_opts.use_pcapng = true;
|
2013-07-27 16:48:06 +00:00
|
|
|
}
|
|
|
|
|
|
Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.
This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.
Support writing multiple comments in dumpcap when capturing.
These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.
Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).
Update the man pages:
- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-14 22:16:30 -07:00
|
|
|
if (capture_comments &&
|
2013-07-27 16:16:57 +00:00
|
|
|
(!global_capture_opts.use_pcapng || global_capture_opts.multi_files_on)) {
|
Clean up handling of --capture-comment.
Don't store the comments in a capture_options structure, because that's
available only if we're being built with capture support, and
--capture-comment can be used in TShark when reading a capture file and
writing another capture file, with no live capture taking place.
This means we don't handle that option in capture_opts_add_opt(); handle
it in the programs that support it.
Support writing multiple comments in dumpcap when capturing.
These changes also fix builds without pcap, and makes --capture-comment
work in Wireshark when a capture is started from the command line with
-k.
Update the help messages to indicate that --capture-comment adds a
capture comment, it doesn't change any comment (much less "the" comment,
as there isn't necessarily a single comment).
Update the man pages:
- not to presume that only pcapng files support file comments (even if
that's true now, it might not be true in the future);
- to note that multiple instances of --capture-comment are supported,
and that multiple comments will be written, whether capturing or reading
one file and writing another;
- clarify that Wireshark doesn't *discard* SHB comments other than the
first one, even though it only displays the first one;
2021-07-14 22:16:30 -07:00
|
|
|
/* XXX - for ringbuffer, should we apply the comments to each file? */
|
|
|
|
|
cmdarg_err("Capture comments can only be set if we capture into a single pcapng file.");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2013-07-27 16:16:57 +00:00
|
|
|
}
|
|
|
|
|
|
2011-05-21 18:51:25 +00:00
|
|
|
/* Was the ring buffer option specified and, if so, does it make sense? */
|
2011-03-21 16:57:11 +00:00
|
|
|
if (global_capture_opts.multi_files_on) {
|
|
|
|
|
/* Ring buffer works only under certain conditions:
|
|
|
|
|
a) ring buffer does not work with temporary files;
|
|
|
|
|
b) it makes no sense to enable the ring buffer if the maximum
|
|
|
|
|
file size is set to "infinite". */
|
|
|
|
|
if (global_capture_opts.save_file == NULL) {
|
|
|
|
|
cmdarg_err("Ring buffer requested, but capture isn't being saved to a permanent file.");
|
2024-07-08 00:26:01 -04:00
|
|
|
global_capture_opts.multi_files_on = false;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2017-06-27 22:04:33 +02:00
|
|
|
if (!global_capture_opts.has_autostop_filesize &&
|
|
|
|
|
!global_capture_opts.has_file_duration &&
|
2018-10-31 10:03:04 +01:00
|
|
|
!global_capture_opts.has_file_interval &&
|
|
|
|
|
!global_capture_opts.has_file_packets) {
|
|
|
|
|
cmdarg_err("Ring buffer requested, but no maximum capture file size, duration "
|
|
|
|
|
"interval, or packets were specified.");
|
2011-03-21 16:57:11 +00:00
|
|
|
#if 0
|
|
|
|
|
/* XXX - this must be redesigned as the conditions changed */
|
2024-07-08 00:26:01 -04:00
|
|
|
global_capture_opts.multi_files_on = false;
|
2006-03-13 00:30:51 +00:00
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2017-06-27 22:04:33 +02:00
|
|
|
if (global_capture_opts.has_file_duration && global_capture_opts.has_file_interval) {
|
|
|
|
|
cmdarg_err("Ring buffer file duration and interval can't be used at the same time.");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
2017-06-27 22:04:33 +02:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* "-D" requires no interface to be selected; it's supposed to list
|
|
|
|
|
* all interfaces.
|
|
|
|
|
*/
|
|
|
|
|
if (list_interfaces) {
|
|
|
|
|
/* Get the list of interfaces */
|
2012-11-25 18:35:41 +00:00
|
|
|
GList *if_list;
|
|
|
|
|
int err;
|
2024-07-08 00:26:01 -04:00
|
|
|
char *err_str;
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2023-08-27 23:44:14 -07:00
|
|
|
if_list = get_interface_list(&err, &err_str);
|
2011-03-21 16:57:11 +00:00
|
|
|
if (if_list == NULL) {
|
2014-07-22 16:53:18 -07:00
|
|
|
if (err == 0) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* If we're being run by another program, just give them
|
|
|
|
|
* an empty list of interfaces, don't report this as
|
|
|
|
|
* an error; that lets them decide whether to report
|
|
|
|
|
* this as an error or not.
|
|
|
|
|
*/
|
|
|
|
|
if (!machine_readable) {
|
|
|
|
|
cmdarg_err("There are no interfaces on which a capture can be done");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_INTERFACE;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2014-07-22 16:53:18 -07:00
|
|
|
} else {
|
|
|
|
|
cmdarg_err("%s", err_str);
|
|
|
|
|
g_free(err_str);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_INTERFACE;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-15 06:18:39 -05:00
|
|
|
if (!machine_readable) {
|
2023-12-13 09:07:22 -05:00
|
|
|
status = 0;
|
2011-03-21 16:57:11 +00:00
|
|
|
capture_opts_print_interfaces(if_list);
|
2023-12-13 09:07:22 -05:00
|
|
|
}
|
2023-12-15 06:18:39 -05:00
|
|
|
|
|
|
|
|
if (caps_queries) {
|
|
|
|
|
if_info_t *if_info;
|
|
|
|
|
interface_options *interface_opts;
|
|
|
|
|
cap_device_open_status open_status;
|
2024-07-08 00:26:01 -04:00
|
|
|
char *open_status_str;
|
2023-12-15 06:18:39 -05:00
|
|
|
for (GList *if_entry = if_list; if_entry != NULL; if_entry = g_list_next(if_entry)) {
|
|
|
|
|
if_info = (if_info_t *)if_entry->data;
|
|
|
|
|
|
2024-09-28 11:07:30 -04:00
|
|
|
/*
|
|
|
|
|
* XXX - If on the command line we had the options -i <interface> -I,
|
|
|
|
|
* we should retrieve the link-types for the interface in monitor mode.
|
|
|
|
|
* We've already copied that information to global_capture_opts, but
|
|
|
|
|
* the below statement wipes it away.
|
|
|
|
|
*/
|
2023-12-15 06:18:39 -05:00
|
|
|
interface_opts = interface_opts_from_if_info(&global_capture_opts, if_info);
|
|
|
|
|
|
|
|
|
|
if_info->caps = get_if_capabilities(interface_opts, &open_status, &open_status_str);
|
|
|
|
|
|
|
|
|
|
if (!machine_readable) {
|
|
|
|
|
if (if_info->caps == NULL) {
|
|
|
|
|
cmdarg_err("The capabilities of the capture device "
|
|
|
|
|
"\"%s\" could not be obtained (%s).\n%s",
|
|
|
|
|
interface_opts->name, open_status_str,
|
|
|
|
|
get_pcap_failure_secondary_error_message(open_status, open_status_str));
|
|
|
|
|
g_free(open_status_str);
|
|
|
|
|
/* Break after one error, as when printing selected
|
|
|
|
|
* interface capabilities. (XXX: We could print all
|
|
|
|
|
* the primary status strings, and only the unique
|
|
|
|
|
* set of secondary messages / suggestions; printing
|
|
|
|
|
* the same long secondary error is a lot.)
|
|
|
|
|
*/
|
|
|
|
|
interface_opts_free(interface_opts);
|
|
|
|
|
g_free(interface_opts);
|
|
|
|
|
break;
|
|
|
|
|
} else {
|
|
|
|
|
status = capture_opts_print_if_capabilities(if_info->caps, interface_opts, caps_queries);
|
|
|
|
|
if (status != 0) {
|
|
|
|
|
interface_opts_free(interface_opts);
|
|
|
|
|
g_free(interface_opts);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (if_info->caps == NULL) {
|
|
|
|
|
if_info->caps = g_new0(if_capabilities_t, 1);
|
|
|
|
|
if_info->caps->primary_msg = open_status_str;
|
2024-09-29 08:50:22 -04:00
|
|
|
if_info->caps->secondary_msg = get_pcap_failure_secondary_error_message(open_status, open_status_str);
|
2023-12-15 06:18:39 -05:00
|
|
|
}
|
|
|
|
|
if_info->caps->status = open_status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interface_opts_free(interface_opts);
|
|
|
|
|
g_free(interface_opts);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (machine_readable) {
|
2023-12-18 10:34:39 -05:00
|
|
|
status = print_machine_readable_interfaces(if_list, caps_queries, print_statistics);
|
2023-12-15 06:18:39 -05:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
free_interface_list(if_list);
|
2023-12-18 10:34:39 -05:00
|
|
|
if (!print_statistics) {
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return status;
|
2023-12-18 10:34:39 -05:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2005-11-28 08:54:52 +00:00
|
|
|
/*
|
2011-03-21 16:57:11 +00:00
|
|
|
* "-S" requires no interface to be selected; it gives statistics
|
|
|
|
|
* for all interfaces.
|
2005-11-28 08:54:52 +00:00
|
|
|
*/
|
2011-03-21 16:57:11 +00:00
|
|
|
if (print_statistics) {
|
|
|
|
|
status = print_statistics_loop(machine_readable);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return status;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2010-05-07 19:24:32 +00:00
|
|
|
|
2012-06-24 19:45:49 +00:00
|
|
|
if (set_chan) {
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_options *interface_opts;
|
2012-06-24 19:45:49 +00:00
|
|
|
|
|
|
|
|
if (global_capture_opts.ifaces->len != 1) {
|
|
|
|
|
cmdarg_err("Need one interface");
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_INTERFACE;
|
2012-06-24 19:45:49 +00:00
|
|
|
}
|
|
|
|
|
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, 0);
|
|
|
|
|
status = set_80211_channel(interface_opts->name, set_chan_arg);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return status;
|
2012-06-24 19:45:49 +00:00
|
|
|
}
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/*
|
|
|
|
|
* "-L", "-d", and capturing act on a particular interface, so we have to
|
|
|
|
|
* have an interface; if none was specified, pick a default.
|
|
|
|
|
*/
|
2013-05-22 04:49:31 +00:00
|
|
|
status = capture_opts_default_iface_if_necessary(&global_capture_opts, NULL);
|
2012-11-21 17:14:54 +00:00
|
|
|
if (status != 0) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* cmdarg_err() already called .... */
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return status;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
|
|
|
|
|
2017-08-07 16:38:52 +02:00
|
|
|
if (caps_queries) {
|
|
|
|
|
/* Get the list of link-layer and/or timestamp types for the capture device. */
|
2015-03-17 13:35:55 -07:00
|
|
|
if_capabilities_t *caps;
|
2021-06-23 01:42:14 -07:00
|
|
|
cap_device_open_status open_status;
|
2024-07-08 00:26:01 -04:00
|
|
|
char *open_status_str;
|
|
|
|
|
unsigned ii;
|
2015-03-17 13:35:55 -07:00
|
|
|
|
2023-11-21 08:31:26 -05:00
|
|
|
if (machine_readable) {
|
|
|
|
|
json_dumper dumper = {
|
|
|
|
|
.output_file = stdout,
|
|
|
|
|
.flags = JSON_DUMPER_FLAGS_NO_DEBUG,
|
|
|
|
|
// Don't abort on failure
|
|
|
|
|
};
|
|
|
|
|
json_dumper_begin_array(&dumper);
|
|
|
|
|
for (ii = 0; ii < global_capture_opts.ifaces->len; ii++) {
|
|
|
|
|
interface_options *interface_opts;
|
|
|
|
|
|
|
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, ii);
|
2015-03-17 13:35:55 -07:00
|
|
|
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_begin_object(&dumper);
|
|
|
|
|
json_dumper_set_member_name(&dumper, interface_opts->name);
|
2015-03-17 13:35:55 -07:00
|
|
|
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_begin_object(&dumper);
|
|
|
|
|
|
|
|
|
|
open_status = CAP_DEVICE_OPEN_NO_ERR;
|
|
|
|
|
caps = get_if_capabilities(interface_opts, &open_status, &open_status_str);
|
|
|
|
|
if (caps == NULL) {
|
2023-12-15 06:18:39 -05:00
|
|
|
json_dumper_set_member_name(&dumper, "status");
|
|
|
|
|
json_dumper_value_anyf(&dumper, "%i", open_status);
|
2023-11-21 08:31:26 -05:00
|
|
|
json_dumper_set_member_name(&dumper, "primary_msg");
|
|
|
|
|
json_dumper_value_string(&dumper, open_status_str);
|
|
|
|
|
g_free(open_status_str);
|
|
|
|
|
} else {
|
2023-12-15 06:18:39 -05:00
|
|
|
caps->status = open_status;
|
2023-11-21 08:31:26 -05:00
|
|
|
print_machine_readable_if_capabilities(&dumper, caps, caps_queries);
|
|
|
|
|
free_if_capabilities(caps);
|
|
|
|
|
}
|
|
|
|
|
json_dumper_end_object(&dumper);
|
|
|
|
|
json_dumper_end_object(&dumper);
|
|
|
|
|
}
|
|
|
|
|
json_dumper_end_array(&dumper);
|
|
|
|
|
if (json_dumper_finish(&dumper)) {
|
|
|
|
|
status = 0;
|
2021-03-05 04:09:47 +00:00
|
|
|
if (capture_child) {
|
2023-11-21 08:31:26 -05:00
|
|
|
/* Let our parent know we succeeded. */
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_SUCCESS, NULL);
|
2021-03-05 04:09:47 +00:00
|
|
|
}
|
2023-11-21 08:31:26 -05:00
|
|
|
} else {
|
|
|
|
|
status = 2;
|
|
|
|
|
if (capture_child) {
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, "Unexpected JSON error", "");
|
2021-03-05 04:09:47 +00:00
|
|
|
}
|
2015-03-17 13:35:55 -07:00
|
|
|
}
|
2023-11-21 08:31:26 -05:00
|
|
|
} else {
|
|
|
|
|
for (ii = 0; ii < global_capture_opts.ifaces->len; ii++) {
|
|
|
|
|
interface_options *interface_opts;
|
|
|
|
|
|
|
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, ii);
|
|
|
|
|
|
|
|
|
|
caps = get_if_capabilities(interface_opts, &open_status, &open_status_str);
|
|
|
|
|
if (caps == NULL) {
|
|
|
|
|
if (capture_child) {
|
|
|
|
|
char *error_msg = ws_strdup_printf("The capabilities of the capture device "
|
|
|
|
|
"\"%s\" could not be obtained (%s)",
|
|
|
|
|
interface_opts->name, open_status_str);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, error_msg,
|
2023-11-21 08:31:26 -05:00
|
|
|
get_pcap_failure_secondary_error_message(open_status, open_status_str));
|
|
|
|
|
g_free(error_msg);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
cmdarg_err("The capabilities of the capture device "
|
|
|
|
|
"\"%s\" could not be obtained (%s).\n%s",
|
|
|
|
|
interface_opts->name, open_status_str,
|
|
|
|
|
get_pcap_failure_secondary_error_message(open_status, open_status_str));
|
|
|
|
|
}
|
|
|
|
|
g_free(open_status_str);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_INTERFACE;
|
2023-11-21 08:31:26 -05:00
|
|
|
}
|
2017-08-07 16:38:52 +02:00
|
|
|
|
2015-03-17 13:35:55 -07:00
|
|
|
/* XXX: We might want to print also the interface name */
|
2021-04-13 23:14:09 -07:00
|
|
|
status = capture_opts_print_if_capabilities(caps,
|
|
|
|
|
interface_opts,
|
|
|
|
|
caps_queries);
|
2023-11-21 08:31:26 -05:00
|
|
|
free_if_capabilities(caps);
|
|
|
|
|
if (status != 0)
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-03-17 13:35:55 -07:00
|
|
|
}
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return status;
|
2015-03-17 13:35:55 -07:00
|
|
|
}
|
|
|
|
|
|
2017-08-07 16:38:52 +02:00
|
|
|
for (j = 0; j < global_capture_opts.ifaces->len; j++) {
|
|
|
|
|
interface_options *interface_opts;
|
|
|
|
|
|
|
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, j);
|
|
|
|
|
if (interface_opts->timestamp_type) {
|
|
|
|
|
interface_opts->timestamp_type_id = pcap_tstamp_type_name_to_val(interface_opts->timestamp_type);
|
|
|
|
|
if (interface_opts->timestamp_type_id < 0) {
|
|
|
|
|
cmdarg_err("Invalid argument to option: --time-stamp-type=%s", interface_opts->timestamp_type);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return WS_EXIT_INVALID_OPTION;
|
|
|
|
|
|
2017-08-07 16:38:52 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-17 13:35:55 -07:00
|
|
|
/* We're supposed to do a capture, or print the BPF code for a filter. */
|
|
|
|
|
|
2011-05-12 19:25:44 +00:00
|
|
|
/* Let the user know what interfaces were chosen. */
|
2011-11-22 19:07:49 +00:00
|
|
|
if (capture_child) {
|
|
|
|
|
for (j = 0; j < global_capture_opts.ifaces->len; j++) {
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_options *interface_opts;
|
2011-11-22 19:07:49 +00:00
|
|
|
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, j);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("Interface: %s\n", interface_opts->name);
|
2011-11-22 19:07:49 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
str = g_string_new("");
|
|
|
|
|
#ifdef _WIN32
|
From Mike Garratt:
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
2012-11-19 20:07:27 +00:00
|
|
|
if (global_capture_opts.ifaces->len < 2)
|
2011-11-22 19:07:49 +00:00
|
|
|
#else
|
2012-11-25 18:35:41 +00:00
|
|
|
if (global_capture_opts.ifaces->len < 4)
|
2011-11-22 19:07:49 +00:00
|
|
|
#endif
|
From Mike Garratt:
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
2012-11-19 20:07:27 +00:00
|
|
|
{
|
2011-11-22 19:07:49 +00:00
|
|
|
for (j = 0; j < global_capture_opts.ifaces->len; j++) {
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_options *interface_opts;
|
2011-11-22 19:07:49 +00:00
|
|
|
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, j);
|
2011-11-22 19:07:49 +00:00
|
|
|
if (j > 0) {
|
|
|
|
|
if (global_capture_opts.ifaces->len > 2) {
|
|
|
|
|
g_string_append_printf(str, ",");
|
|
|
|
|
}
|
|
|
|
|
g_string_append_printf(str, " ");
|
|
|
|
|
if (j == global_capture_opts.ifaces->len - 1) {
|
|
|
|
|
g_string_append_printf(str, "and ");
|
|
|
|
|
}
|
2012-11-25 18:35:41 +00:00
|
|
|
}
|
2021-03-24 23:36:29 -07:00
|
|
|
if (interface_opts->ifname != NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* Re-generate the display name based on the strins
|
|
|
|
|
* we were handed.
|
|
|
|
|
*/
|
|
|
|
|
g_free(interface_opts->display_name);
|
|
|
|
|
if (interface_opts->descr != NULL) {
|
|
|
|
|
#ifdef _WIN32
|
2021-12-18 18:48:20 +00:00
|
|
|
interface_opts->display_name = ws_strdup_printf("%s",
|
2021-03-24 23:36:29 -07:00
|
|
|
interface_opts->descr);
|
|
|
|
|
#else
|
2021-12-18 18:48:20 +00:00
|
|
|
interface_opts->display_name = ws_strdup_printf("%s: %s",
|
2021-03-24 23:36:29 -07:00
|
|
|
interface_opts->descr, interface_opts->ifname);
|
|
|
|
|
#endif
|
|
|
|
|
} else {
|
2021-12-18 18:48:20 +00:00
|
|
|
interface_opts->display_name = ws_strdup_printf("%s",
|
2021-03-24 23:36:29 -07:00
|
|
|
interface_opts->ifname);
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-08-12 20:32:01 -07:00
|
|
|
g_string_append_printf(str, "'%s'", interface_opts->display_name);
|
2011-11-22 19:07:49 +00:00
|
|
|
}
|
2011-11-22 10:08:26 +00:00
|
|
|
} else {
|
2011-11-22 19:07:49 +00:00
|
|
|
g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
|
|
|
|
|
}
|
2024-06-07 20:56:42 -04:00
|
|
|
if (!really_quiet)
|
|
|
|
|
fprintf(stderr, "Capturing on %s\n", str->str);
|
2011-11-22 19:07:49 +00:00
|
|
|
g_string_free(str, TRUE);
|
2011-05-12 19:25:44 +00:00
|
|
|
}
|
2011-03-21 16:57:11 +00:00
|
|
|
|
2015-03-17 13:35:55 -07:00
|
|
|
/* Process the snapshot length, as that affects the generated BPF code. */
|
2011-03-21 16:57:11 +00:00
|
|
|
capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
|
2010-07-13 23:26:07 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
if (print_bpf_code) {
|
|
|
|
|
show_filter_code(&global_capture_opts);
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return EXIT_SUCCESS;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2010-07-13 23:26:07 +00:00
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* We're supposed to do a capture. Process the ring buffer arguments. */
|
|
|
|
|
capture_opts_trim_ring_num_files(&global_capture_opts);
|
2005-11-28 08:54:52 +00:00
|
|
|
|
From Mike Garratt:
Friendly Names for interfaces on Windows
Notes on the changes the patch covers:
* if_info_t struct: addition of friendly_name
* Dumpcap Interface list format changes:
+ Win32: "dumpcap -D" shows friendly_name in place of descript if known
+ All: machine interface "dumpcap -D -Z none" includes friendly_name in the
list in addition to the existing parameters
* interface_options struct: addition of console_display_name
+ When an interface name is displayed in a console, it will typically be the
console_display_name (instead of name).
+ console_display_name is used as the basis of the autogenerated temp
filenames
+ console_display_name is typically set to the friendly_name if known,
otherwise it is set to the interface name
* Enhancements to capture_opts_add_iface_opt() (the function which process -i
options).
+ Can now specify the interface using its name and friendly_name
+ Interface name matching is case insenstive
+ Name matching first attempts exact matching, then falls back to prefix
matching
(e.g. dumpcap -i local)
+ Validates interface names, instead of blindly sending them off to
winpcap/libpcap
+ Interface specification by number is still supported.
* capture_opts_trim_iface() has been refactored:
+ Instead of repeating a decent chunk of the cost in
capture_opts_add_iface_opt(), it calls capture_opts_trim_iface() to specify the
interface.
* introduction of capture_win_ifnames.[ch] (windows only code)
+ Implements static function GetInterfaceFriendlyNameFromDeviceGuid() - a
windows version independant function to convert an interface guid into its
friendly name. Uses published api functions on windows vista and higher, but
falls back to unpublished API functions on older windows releases.
+ void get_windows_interface_friendlyname(/* IN */ char
*interface_devicename, /* OUT */char **interface_friendlyname); - extracts the
GUID from the interface_devicename, then uses
GetInterfaceFriendlyNameFromDeviceGuid() to do the resolution
* Auto temp filename generation:
+ Now uses wireshark_pcapng_* or wireshark_pcap_* depending on file format
+ Basis temp filename format on console_display_name
+ Win32: if console_display_name is a windows interface guid, extracts
numbers from GUID here (instead of in interface option processing)
GUI CHANGES:
* Dialog that displays when you click the "Manage Interfaces" button (within
Capture Options dialog) has been renamed from "Add new interfaces" to
"Interface Management"
* ui/gtk/capture_dlg.c: new_interfaces_w variable renamed to
interface_management_w
* Win32: Local Interfaces tab on Interface Management dialog, shows includes
friendly name as far left column
* Interface Management dialog defaults to larger size on win32 - so it fits
without resizing local interfaces tab
* Interface Management dialog now saves preferences when you click the apply
button (local hidden interfaces was not persisting across restarts)
* Tweaks: "Interface Details" dialog (Interface list->Capture Interfaces ->
Details):
+ "Friendly Name" renamed to "NDIS Friendly Name"
+ Added "OS Friendly Name" to the top of the list
* Win32: The "Capture Interfaces" dialog now shows the friendly name instead of
device guid
* Welcome screen:
+ The height of the interface list scrollbox dynamically adjusts & updates to
the number visible interfaces.
Up to 10 interfaces can be listed without a scroll bar, the minimum height
is for 2 interfaces.
+ Win32: now shows just the Friendly Name if known - in place of
"Interfacename_Guid:(Description)"
svn path=/trunk/; revision=46083
2012-11-19 20:07:27 +00:00
|
|
|
/* flush stderr prior to starting the main capture loop */
|
|
|
|
|
fflush(stderr);
|
|
|
|
|
|
2011-03-21 16:57:11 +00:00
|
|
|
/* Now start the capture. */
|
2024-07-08 00:26:01 -04:00
|
|
|
if (capture_loop_start(&global_capture_opts, &stats_known, &stats) == true) {
|
2011-03-21 16:57:11 +00:00
|
|
|
/* capture ok */
|
2025-04-21 12:19:40 -04:00
|
|
|
exit_main();
|
|
|
|
|
return EXIT_SUCCESS;
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2025-04-21 12:19:40 -04:00
|
|
|
|
|
|
|
|
/* capture failed */
|
|
|
|
|
exit_main();
|
|
|
|
|
return EXIT_FAILURE;
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2021-06-14 19:53:59 +01:00
|
|
|
dumpcap_log_writer(const char *domain, enum ws_log_level level,
|
2023-04-08 14:13:39 +01:00
|
|
|
const char *file, long line, const char *func,
|
2023-09-02 13:55:34 +01:00
|
|
|
const char *fatal_msg _U_,
|
|
|
|
|
ws_log_manifest_t *mft,
|
2023-04-08 14:13:39 +01:00
|
|
|
const char *user_format, va_list user_ap,
|
|
|
|
|
void *user_data _U_)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2023-12-31 16:38:37 -05:00
|
|
|
if (ws_log_msg_is_active(domain, level)) {
|
|
|
|
|
/* log messages go to stderr or */
|
|
|
|
|
/* to parent especially formatted if dumpcap running as child. */
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
#ifdef DEBUG_CHILD_DUMPCAP
|
|
|
|
|
va_list user_ap_copy;
|
|
|
|
|
va_copy(user_ap_copy, user_ap);
|
2008-02-23 19:59:38 +00:00
|
|
|
#endif
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
if (capture_child) {
|
2023-12-31 16:38:37 -05:00
|
|
|
/* Format the log mesage as the numeric level, followed
|
|
|
|
|
* by a colon and then a string matching the standard log
|
|
|
|
|
* string. In the future perhaps we serialize file, line,
|
|
|
|
|
* and func (which can be NULL) instead.
|
|
|
|
|
*/
|
|
|
|
|
GString *msg = g_string_new(NULL);
|
|
|
|
|
g_string_append_printf(msg, "%u:", level);
|
|
|
|
|
if (file != NULL) {
|
|
|
|
|
g_string_append_printf(msg, "%s", file);
|
|
|
|
|
if (line >= 0) {
|
|
|
|
|
g_string_append_printf(msg, ":%ld", line);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
g_string_append(msg, " --");
|
|
|
|
|
if (func != NULL) {
|
|
|
|
|
g_string_append_printf(msg, " %s():", func);
|
|
|
|
|
}
|
|
|
|
|
g_string_append_c(msg, ' ');
|
|
|
|
|
g_string_append_vprintf(msg, user_format, user_ap);
|
|
|
|
|
|
|
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_LOG_MSG, msg->str);
|
|
|
|
|
g_string_free(msg, TRUE);
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
} else {
|
2023-09-17 07:51:51 -04:00
|
|
|
ws_log_console_writer(domain, level, file, line, func, mft, user_format, user_ap);
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
}
|
2008-02-23 19:59:38 +00:00
|
|
|
#ifdef DEBUG_CHILD_DUMPCAP
|
2023-09-17 07:51:51 -04:00
|
|
|
ws_log_file_writer(debug_log, domain, level, file, line, func, mft, user_format, user_ap_copy);
|
dumpcap: Make debugging compile again
Commit e921b804d0174b2bb5a118df8b454c0dc2e69369 removed the
user data parameter from logging, so remove it here.
Explain how the debugging defines work.
If DEBUG_DUMPCAP is defined and dumpcap is a capture child, don't send
logs to stderr with normal formatting, because that will be connected to
the sync pipe. Don't send them to stdout either, because that can be
connected to a data pipe (e.g., for retrieving interface information.)
Instead, send it to stderr with the special formatting so that the
parent recognizes it.
Use va_copy if both DEBUG_DUMPCAP and DEBUG_CHILD_DUMPCAP are defined,
avoiding undefined behavior that can lead to segfaults.
Set the log level to DEBUG when running as a capture child if the
DEBUG defines are set, because sync_pipe_start doesn't pass along
log level information. If you turned on the extra #define, you
presumably want to debug.
If logging to a file, open the file before any log messages.
Get rid of a check for the log level being below the default level.
It's either redundant of a check already done in ws_log_full, or it
prevents logs from being shown when dumpcap is run standalone with
logging options.
2023-03-08 09:25:51 -05:00
|
|
|
va_end(user_ap_copy);
|
|
|
|
|
#endif
|
2011-03-21 16:57:11 +00:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
2006-02-17 02:18:48 +00:00
|
|
|
|
2005-12-04 02:04:18 +00:00
|
|
|
/****************************************************************************************************************/
|
2006-04-03 01:56:53 +00:00
|
|
|
/* indication report routines */
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2005-12-13 22:48:58 +00:00
|
|
|
|
2010-05-26 00:19:27 +00:00
|
|
|
static void
|
2012-09-09 13:57:43 +00:00
|
|
|
report_packet_count(unsigned int packet_count)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2012-09-09 13:57:43 +00:00
|
|
|
static unsigned int count = 0;
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2012-11-25 18:35:41 +00:00
|
|
|
if (capture_child) {
|
2023-08-26 14:58:08 -07:00
|
|
|
ws_debug("Packets: %u", packet_count);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_uint_msg(sync_pipe_fd, SP_PACKET_COUNT, packet_count);
|
2006-02-17 02:18:48 +00:00
|
|
|
} else {
|
2006-02-10 01:18:24 +00:00
|
|
|
count += packet_count;
|
2006-02-17 02:18:48 +00:00
|
|
|
fprintf(stderr, "\rPackets: %u ", count);
|
2006-02-10 01:18:24 +00:00
|
|
|
/* stderr could be line buffered */
|
|
|
|
|
fflush(stderr);
|
|
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
2011-05-26 14:33:55 +00:00
|
|
|
static void
|
2006-04-03 01:56:53 +00:00
|
|
|
report_new_capture_file(const char *filename)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2012-11-25 18:35:41 +00:00
|
|
|
if (capture_child) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("File: %s", filename);
|
2021-09-09 15:53:27 -07:00
|
|
|
if (global_ld.pcapng_passthrough) {
|
|
|
|
|
/* Save filename for sending SP_FILE to capture parent after SHB is passed-through */
|
2023-12-31 20:08:05 -05:00
|
|
|
ws_debug("Delaying SP_FILE until first SHB");
|
2021-09-09 15:53:27 -07:00
|
|
|
report_capture_filename = filename;
|
|
|
|
|
} else {
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_FILE, filename);
|
2021-09-09 15:53:27 -07:00
|
|
|
}
|
2007-02-19 20:25:56 +00:00
|
|
|
} else {
|
2010-05-26 00:19:27 +00:00
|
|
|
#ifdef SIGINFO
|
|
|
|
|
/*
|
|
|
|
|
* Prevent a SIGINFO handler from writing to the standard error
|
|
|
|
|
* while we're doing so; instead, have it just set a flag telling
|
|
|
|
|
* us to print that information when we're done.
|
|
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
infodelay = true;
|
2010-05-26 00:19:27 +00:00
|
|
|
#endif /* SIGINFO */
|
2024-06-07 20:56:42 -04:00
|
|
|
if (!really_quiet) {
|
|
|
|
|
fprintf(stderr, "File: %s\n", filename);
|
|
|
|
|
/* stderr could be line buffered */
|
|
|
|
|
fflush(stderr);
|
|
|
|
|
}
|
2010-05-26 00:19:27 +00:00
|
|
|
|
|
|
|
|
#ifdef SIGINFO
|
|
|
|
|
/*
|
|
|
|
|
* Allow SIGINFO handlers to write.
|
|
|
|
|
*/
|
2024-07-08 00:26:01 -04:00
|
|
|
infodelay = false;
|
2010-05-26 00:19:27 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If a SIGINFO handler asked us to write out capture counts, do so.
|
|
|
|
|
*/
|
|
|
|
|
if (infoprint)
|
2011-02-24 19:26:38 +00:00
|
|
|
report_counts_for_siginfo();
|
2010-05-26 00:19:27 +00:00
|
|
|
#endif /* SIGINFO */
|
2006-03-05 03:14:16 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-05-26 14:33:55 +00:00
|
|
|
static void
|
2024-07-08 00:26:01 -04:00
|
|
|
report_cfilter_error(capture_options *capture_opts, unsigned i, const char *errmsg)
|
2006-03-05 03:14:16 +00:00
|
|
|
{
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_options *interface_opts;
|
2011-06-27 12:13:15 +00:00
|
|
|
char tmp[MSG_MAX_LENGTH+1+6];
|
2011-06-27 11:30:39 +00:00
|
|
|
|
|
|
|
|
if (i < capture_opts->ifaces->len) {
|
|
|
|
|
if (capture_child) {
|
2021-12-17 20:05:19 +00:00
|
|
|
snprintf(tmp, sizeof(tmp), "%u:%s", i, errmsg);
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("Capture filter error: %s", errmsg);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_BAD_FILTER, tmp);
|
2011-06-27 11:30:39 +00:00
|
|
|
} else {
|
2011-06-27 16:09:49 +00:00
|
|
|
/*
|
|
|
|
|
* clopts_step_invalid_capfilter in test/suite-clopts.sh MUST match
|
|
|
|
|
* the error message below.
|
|
|
|
|
*/
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
|
2011-11-22 10:08:26 +00:00
|
|
|
cmdarg_err(
|
2014-09-24 14:06:23 -07:00
|
|
|
"Invalid capture filter \"%s\" for interface '%s'.\n"
|
2011-06-27 11:30:39 +00:00
|
|
|
"\n"
|
|
|
|
|
"That string isn't a valid capture filter (%s).\n"
|
2011-11-22 10:08:26 +00:00
|
|
|
"See the User's Guide for a description of the capture filter syntax.",
|
2017-08-25 11:27:38 +02:00
|
|
|
interface_opts->cfilter, interface_opts->name, errmsg);
|
2011-06-27 11:30:39 +00:00
|
|
|
}
|
2006-02-17 02:18:48 +00:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
2011-05-26 14:33:55 +00:00
|
|
|
static void
|
2006-04-03 01:56:53 +00:00
|
|
|
report_capture_error(const char *error_msg, const char *secondary_error_msg)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2012-11-25 18:35:41 +00:00
|
|
|
if (capture_child) {
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("Primary Error: %s", error_msg);
|
|
|
|
|
ws_debug("Secondary Error: %s", secondary_error_msg);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_errmsgs_to_parent(sync_pipe_fd, error_msg, secondary_error_msg);
|
2007-02-19 20:25:56 +00:00
|
|
|
} else {
|
2011-11-22 10:08:26 +00:00
|
|
|
cmdarg_err("%s", error_msg);
|
2010-07-14 04:30:37 +00:00
|
|
|
if (secondary_error_msg[0] != '\0')
|
2011-11-22 10:08:26 +00:00
|
|
|
cmdarg_err_cont("%s", secondary_error_msg);
|
2006-02-17 02:18:48 +00:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
2011-05-26 14:33:55 +00:00
|
|
|
static void
|
2024-07-08 00:26:01 -04:00
|
|
|
report_packet_drops(uint32_t received, uint32_t pcap_drops, uint32_t drops, uint32_t flushed, uint32_t ps_ifdrop, char *name)
|
2005-11-28 08:54:52 +00:00
|
|
|
{
|
2024-07-08 00:26:01 -04:00
|
|
|
uint32_t total_drops = pcap_drops + drops + flushed;
|
2005-11-28 08:54:52 +00:00
|
|
|
|
2012-11-25 18:35:41 +00:00
|
|
|
if (capture_child) {
|
2021-12-18 18:48:20 +00:00
|
|
|
char* tmp = ws_strdup_printf("%u:%s", total_drops, name);
|
2018-12-27 11:34:09 -05:00
|
|
|
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_debug("Packets received/dropped on interface '%s': %u/%u (pcap:%u/dumpcap:%u/flushed:%u/ps_ifdrop:%u)",
|
2013-11-04 19:38:20 +00:00
|
|
|
name, received, total_drops, pcap_drops, drops, flushed, ps_ifdrop);
|
2023-12-28 20:18:38 -05:00
|
|
|
sync_pipe_write_string_msg(sync_pipe_fd, SP_DROPS, tmp);
|
2018-12-27 11:34:09 -05:00
|
|
|
g_free(tmp);
|
2007-02-19 20:25:56 +00:00
|
|
|
} else {
|
2024-06-07 20:56:42 -04:00
|
|
|
if (!really_quiet) {
|
|
|
|
|
fprintf(stderr,
|
|
|
|
|
"Packets received/dropped on interface '%s': %u/%u (pcap:%u/dumpcap:%u/flushed:%u/ps_ifdrop:%u) (%.1f%%)\n",
|
|
|
|
|
name, received, total_drops, pcap_drops, drops, flushed, ps_ifdrop,
|
|
|
|
|
received ? 100.0 * received / (received + total_drops) : 0.0);
|
|
|
|
|
/* stderr could be line buffered */
|
|
|
|
|
fflush(stderr);
|
|
|
|
|
}
|
2006-02-17 02:18:48 +00:00
|
|
|
}
|
2005-11-28 08:54:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2012-10-03 15:42:41 +00:00
|
|
|
/************************************************************************************************/
|
2006-02-17 02:18:48 +00:00
|
|
|
/* signal_pipe handling */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
2024-07-08 00:26:01 -04:00
|
|
|
static bool
|
2006-02-17 02:18:48 +00:00
|
|
|
signal_pipe_check_running(void)
|
|
|
|
|
{
|
2007-10-26 16:32:28 +00:00
|
|
|
/* any news from our parent? -> just stop the capture */
|
2012-11-25 18:35:41 +00:00
|
|
|
DWORD avail = 0;
|
2024-07-08 00:26:01 -04:00
|
|
|
bool result;
|
2006-02-17 02:18:48 +00:00
|
|
|
|
|
|
|
|
/* if we are running standalone, no check required */
|
2012-11-25 18:35:41 +00:00
|
|
|
if (!capture_child) {
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2006-02-17 02:18:48 +00:00
|
|
|
}
|
|
|
|
|
|
2012-11-25 18:35:41 +00:00
|
|
|
if (!sig_pipe_name || !sig_pipe_handle) {
|
2007-10-26 16:32:28 +00:00
|
|
|
/* This shouldn't happen */
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Signal pipe: No name or handle");
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2007-10-26 16:32:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* XXX - We should have the process ID of the parent (from the "-Z" flag)
|
|
|
|
|
* at this point. Should we check to see if the parent is still alive,
|
|
|
|
|
* e.g. by using OpenProcess?
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
result = PeekNamedPipe(sig_pipe_handle, NULL, 0, NULL, &avail, NULL);
|
2006-02-17 02:18:48 +00:00
|
|
|
|
2012-11-25 18:35:41 +00:00
|
|
|
if (!result || avail > 0) {
|
2006-02-17 02:18:48 +00:00
|
|
|
/* peek failed or some bytes really available */
|
|
|
|
|
/* (if not piping from stdin this would fail) */
|
2021-06-08 02:46:52 +01:00
|
|
|
ws_info("Signal pipe: Stop capture: %s", sig_pipe_name);
|
|
|
|
|
ws_debug("Signal pipe: %s (%p) result: %u avail: %lu", sig_pipe_name,
|
2007-10-26 16:32:28 +00:00
|
|
|
sig_pipe_handle, result, avail);
|
2024-07-08 00:26:01 -04:00
|
|
|
return false;
|
2006-02-17 02:18:48 +00:00
|
|
|
} else {
|
|
|
|
|
/* pipe ok and no bytes available */
|
2024-07-08 00:26:01 -04:00
|
|
|
return true;
|
2006-02-17 02:18:48 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2009-08-26 23:16:37 +00:00
|
|
|
|
|
|
|
|
/*
|
2015-03-10 10:46:50 -07:00
|
|
|
* Editor modelines - https://www.wireshark.org/tools/modelines.html
|
2009-08-26 23:16:37 +00:00
|
|
|
*
|
|
|
|
|
* Local variables:
|
|
|
|
|
* c-basic-offset: 4
|
|
|
|
|
* tab-width: 8
|
|
|
|
|
* indent-tabs-mode: nil
|
|
|
|
|
* End:
|
|
|
|
|
*
|
2011-09-21 16:44:10 +00:00
|
|
|
* vi: set shiftwidth=4 tabstop=8 expandtab:
|
2009-08-26 23:16:37 +00:00
|
|
|
* :indentSize=4:tabSize=8:noTabs=true:
|
|
|
|
|
*/
|
