1 /* $OpenBSD: pcap.c,v 1.24 2018/06/03 10:29:28 sthen Exp $ */
2
3 /*
4 * Copyright (c) 1993, 1994, 1995, 1996, 1997, 1998
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by the Computer Systems
18 * Engineering Group at Lawrence Berkeley Laboratory.
19 * 4. Neither the name of the University nor of the Laboratory may be used
20 * to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include <sys/types.h>
37
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <unistd.h>
42 #include <errno.h>
43 #include <fcntl.h>
44
45 #ifdef HAVE_OS_PROTO_H
46 #include "os-proto.h"
47 #endif
48
49 #include "pcap-int.h"
50
51 static const char pcap_version_string[] = "OpenBSD libpcap";
52
53 int
pcap_dispatch(pcap_t * p,int cnt,pcap_handler callback,u_char * user)54 pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
55 {
56
57 if (p->sf.rfile != NULL)
58 return (pcap_offline_read(p, cnt, callback, user));
59 return (pcap_read(p, cnt, callback, user));
60 }
61
62 int
pcap_loop(pcap_t * p,int cnt,pcap_handler callback,u_char * user)63 pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
64 {
65 int n;
66
67 for (;;) {
68 if (p->sf.rfile != NULL)
69 n = pcap_offline_read(p, cnt, callback, user);
70 else {
71 /*
72 * XXX keep reading until we get something
73 * (or an error occurs)
74 */
75 do {
76 n = pcap_read(p, cnt, callback, user);
77 } while (n == 0);
78 }
79 if (n <= 0)
80 return (n);
81 if (cnt > 0) {
82 cnt -= n;
83 if (cnt <= 0)
84 return (0);
85 }
86 }
87 }
88
89 struct singleton {
90 struct pcap_pkthdr *hdr;
91 const u_char *pkt;
92 };
93
94
95 static void
pcap_oneshot(u_char * userData,const struct pcap_pkthdr * h,const u_char * pkt)96 pcap_oneshot(u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
97 {
98 struct singleton *sp = (struct singleton *)userData;
99 *sp->hdr = *h;
100 sp->pkt = pkt;
101 }
102
103 const u_char *
pcap_next(pcap_t * p,struct pcap_pkthdr * h)104 pcap_next(pcap_t *p, struct pcap_pkthdr *h)
105 {
106 struct singleton s;
107
108 s.hdr = h;
109 if (pcap_dispatch(p, 1, pcap_oneshot, (u_char*)&s) <= 0)
110 return (0);
111 return (s.pkt);
112 }
113
114 struct pkt_for_fakecallback {
115 struct pcap_pkthdr *hdr;
116 const u_char **pkt;
117 };
118
119 static void
pcap_fakecallback(u_char * userData,const struct pcap_pkthdr * h,const u_char * pkt)120 pcap_fakecallback(u_char *userData, const struct pcap_pkthdr *h,
121 const u_char *pkt)
122 {
123 struct pkt_for_fakecallback *sp = (struct pkt_for_fakecallback *)userData;
124
125 *sp->hdr = *h;
126 *sp->pkt = pkt;
127 }
128
129 int
pcap_next_ex(pcap_t * p,struct pcap_pkthdr ** pkt_header,const u_char ** pkt_data)130 pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
131 const u_char **pkt_data)
132 {
133 struct pkt_for_fakecallback s;
134
135 s.hdr = &p->pcap_header;
136 s.pkt = pkt_data;
137
138 /* Saves a pointer to the packet headers */
139 *pkt_header= &p->pcap_header;
140
141 if (p->sf.rfile != NULL) {
142 int status;
143
144 /* We are on an offline capture */
145 status = pcap_offline_read(p, 1, pcap_fakecallback,
146 (u_char *)&s);
147
148 /*
149 * Return codes for pcap_offline_read() are:
150 * - 0: EOF
151 * - -1: error
152 * - >1: OK
153 * The first one ('0') conflicts with the return code of
154 * 0 from pcap_read() meaning "no packets arrived before
155 * the timeout expired", so we map it to -2 so you can
156 * distinguish between an EOF from a savefile and a
157 * "no packets arrived before the timeout expired, try
158 * again" from a live capture.
159 */
160 if (status == 0)
161 return (-2);
162 else
163 return (status);
164 }
165
166 /*
167 * Return codes for pcap_read() are:
168 * - 0: timeout
169 * - -1: error
170 * - -2: loop was broken out of with pcap_breakloop()
171 * - >1: OK
172 * The first one ('0') conflicts with the return code of 0 from
173 * pcap_offline_read() meaning "end of file".
174 */
175 return (pcap_read(p, 1, pcap_fakecallback, (u_char *)&s));
176 }
177
178 int
pcap_check_activated(pcap_t * p)179 pcap_check_activated(pcap_t *p)
180 {
181 if (p->activated) {
182 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't perform "
183 " operation on activated capture");
184 return -1;
185 }
186 return 0;
187 }
188
189 int
pcap_set_snaplen(pcap_t * p,int snaplen)190 pcap_set_snaplen(pcap_t *p, int snaplen)
191 {
192 if (pcap_check_activated(p))
193 return PCAP_ERROR_ACTIVATED;
194 p->snapshot = snaplen;
195 return 0;
196 }
197
198 int
pcap_set_promisc(pcap_t * p,int promisc)199 pcap_set_promisc(pcap_t *p, int promisc)
200 {
201 if (pcap_check_activated(p))
202 return PCAP_ERROR_ACTIVATED;
203 p->opt.promisc = promisc;
204 return 0;
205 }
206
207 int
pcap_set_rfmon(pcap_t * p,int rfmon)208 pcap_set_rfmon(pcap_t *p, int rfmon)
209 {
210 if (pcap_check_activated(p))
211 return PCAP_ERROR_ACTIVATED;
212 p->opt.rfmon = rfmon;
213 return 0;
214 }
215
216 int
pcap_set_timeout(pcap_t * p,int timeout_ms)217 pcap_set_timeout(pcap_t *p, int timeout_ms)
218 {
219 if (pcap_check_activated(p))
220 return PCAP_ERROR_ACTIVATED;
221 p->md.timeout = timeout_ms;
222 return 0;
223 }
224
225 int
pcap_set_immediate_mode(pcap_t * p,int immediate)226 pcap_set_immediate_mode(pcap_t *p, int immediate)
227 {
228 if (pcap_check_activated(p))
229 return PCAP_ERROR_ACTIVATED;
230 p->opt.immediate = immediate;
231 return 0;
232 }
233
234 int
pcap_set_buffer_size(pcap_t * p,int buffer_size)235 pcap_set_buffer_size(pcap_t *p, int buffer_size)
236 {
237 if (pcap_check_activated(p))
238 return PCAP_ERROR_ACTIVATED;
239 p->opt.buffer_size = buffer_size;
240 return 0;
241 }
242
243 /*
244 * Force the loop in "pcap_read()" or "pcap_read_offline()" to terminate.
245 */
246 void
pcap_breakloop(pcap_t * p)247 pcap_breakloop(pcap_t *p)
248 {
249 p->break_loop = 1;
250 }
251
252 int
pcap_datalink(pcap_t * p)253 pcap_datalink(pcap_t *p)
254 {
255 return (p->linktype);
256 }
257
258 int
pcap_list_datalinks(pcap_t * p,int ** dlt_buffer)259 pcap_list_datalinks(pcap_t *p, int **dlt_buffer)
260 {
261 if (p->dlt_count == 0) {
262 /*
263 * We couldn't fetch the list of DLTs, which means
264 * this platform doesn't support changing the
265 * DLT for an interface. Return a list of DLTs
266 * containing only the DLT this device supports.
267 */
268 *dlt_buffer = malloc(sizeof(**dlt_buffer));
269 if (*dlt_buffer == NULL) {
270 (void)snprintf(p->errbuf, sizeof(p->errbuf),
271 "malloc: %s", pcap_strerror(errno));
272 return (-1);
273 }
274 **dlt_buffer = p->linktype;
275 return (1);
276 } else {
277 *dlt_buffer = reallocarray(NULL, sizeof(**dlt_buffer),
278 p->dlt_count);
279 if (*dlt_buffer == NULL) {
280 (void)snprintf(p->errbuf, sizeof(p->errbuf),
281 "malloc: %s", pcap_strerror(errno));
282 return (-1);
283 }
284 (void)memcpy(*dlt_buffer, p->dlt_list,
285 sizeof(**dlt_buffer) * p->dlt_count);
286 return (p->dlt_count);
287 }
288 }
289
290 /*
291 * In Windows, you might have a library built with one version of the
292 * C runtime library and an application built with another version of
293 * the C runtime library, which means that the library might use one
294 * version of malloc() and free() and the application might use another
295 * version of malloc() and free(). If so, that means something
296 * allocated by the library cannot be freed by the application, so we
297 * need to have a pcap_free_datalinks() routine to free up the list
298 * allocated by pcap_list_datalinks(), even though it's just a wrapper
299 * around free().
300 */
301 void
pcap_free_datalinks(int * dlt_list)302 pcap_free_datalinks(int *dlt_list)
303 {
304 free(dlt_list);
305 }
306
307 struct dlt_choice {
308 const char *name;
309 const char *description;
310 int dlt;
311 };
312
313 static struct dlt_choice dlts[] = {
314 #define DLT_CHOICE(code, description) { #code, description, code }
315 DLT_CHOICE(DLT_NULL, "no link-layer encapsulation"),
316 DLT_CHOICE(DLT_EN10MB, "Ethernet (10Mb)"),
317 DLT_CHOICE(DLT_EN3MB, "Experimental Ethernet (3Mb)"),
318 DLT_CHOICE(DLT_AX25, "Amateur Radio AX.25"),
319 DLT_CHOICE(DLT_PRONET, "Proteon ProNET Token Ring"),
320 DLT_CHOICE(DLT_CHAOS, "Chaos"),
321 DLT_CHOICE(DLT_IEEE802, "IEEE 802 Networks"),
322 DLT_CHOICE(DLT_ARCNET, "ARCNET"),
323 DLT_CHOICE(DLT_SLIP, "Serial Line IP"),
324 DLT_CHOICE(DLT_PPP, "Point-to-point Protocol"),
325 DLT_CHOICE(DLT_PPP_SERIAL, "PPP over serial"),
326 DLT_CHOICE(DLT_FDDI, "FDDI"),
327 DLT_CHOICE(DLT_ATM_RFC1483, "LLC/SNAP encapsulated atm"),
328 DLT_CHOICE(DLT_LOOP, "loopback type (af header)"),
329 DLT_CHOICE(DLT_ENC, "IPSEC enc type (af header, spi, flags)"),
330 DLT_CHOICE(DLT_RAW, "raw IP"),
331 DLT_CHOICE(DLT_SLIP_BSDOS, "BSD/OS Serial Line IP"),
332 DLT_CHOICE(DLT_PPP_BSDOS, "BSD/OS Point-to-point Protocol"),
333 DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),
334 DLT_CHOICE(DLT_PPP_ETHER, "PPP over Ethernet; session only w/o ether header"),
335 DLT_CHOICE(DLT_IEEE802_11, "IEEE 802.11 wireless"),
336 DLT_CHOICE(DLT_PFLOG, "Packet filter logging, by pcap people"),
337 DLT_CHOICE(DLT_IEEE802_11_RADIO, "IEEE 802.11 plus WLAN header"),
338 DLT_CHOICE(DLT_OPENFLOW, "OpenFlow"),
339 DLT_CHOICE(DLT_USBPCAP, "USB"),
340 #undef DLT_CHOICE
341 { NULL, NULL, -1}
342 };
343
344 int
pcap_datalink_name_to_val(const char * name)345 pcap_datalink_name_to_val(const char *name)
346 {
347 int i;
348
349 for (i = 0; dlts[i].name != NULL; i++) {
350 /* Skip leading "DLT_" */
351 if (strcasecmp(dlts[i].name + 4, name) == 0)
352 return (dlts[i].dlt);
353 }
354 return (-1);
355 }
356
357 const char *
pcap_datalink_val_to_name(int dlt)358 pcap_datalink_val_to_name(int dlt)
359 {
360 int i;
361
362 for (i = 0; dlts[i].name != NULL; i++) {
363 if (dlts[i].dlt == dlt)
364 return (dlts[i].name + 4); /* Skip leading "DLT_" */
365 }
366 return (NULL);
367 }
368
369 const char *
pcap_datalink_val_to_description(int dlt)370 pcap_datalink_val_to_description(int dlt)
371 {
372 int i;
373
374 for (i = 0; dlts[i].name != NULL; i++) {
375 if (dlts[i].dlt == dlt)
376 return (dlts[i].description);
377 }
378 return (NULL);
379 }
380
381 int
pcap_snapshot(pcap_t * p)382 pcap_snapshot(pcap_t *p)
383 {
384 return (p->snapshot);
385 }
386
387 int
pcap_is_swapped(pcap_t * p)388 pcap_is_swapped(pcap_t *p)
389 {
390 return (p->sf.swapped);
391 }
392
393 int
pcap_major_version(pcap_t * p)394 pcap_major_version(pcap_t *p)
395 {
396 return (p->sf.version_major);
397 }
398
399 int
pcap_minor_version(pcap_t * p)400 pcap_minor_version(pcap_t *p)
401 {
402 return (p->sf.version_minor);
403 }
404
405 FILE *
pcap_file(pcap_t * p)406 pcap_file(pcap_t *p)
407 {
408 return (p->sf.rfile);
409 }
410
411 int
pcap_fileno(pcap_t * p)412 pcap_fileno(pcap_t *p)
413 {
414 return (p->fd);
415 }
416
417 void
pcap_perror(pcap_t * p,const char * prefix)418 pcap_perror(pcap_t *p, const char *prefix)
419 {
420 fprintf(stderr, "%s: %s\n", prefix, p->errbuf);
421 }
422
423 int
pcap_get_selectable_fd(pcap_t * p)424 pcap_get_selectable_fd(pcap_t *p)
425 {
426 return (p->fd);
427 }
428
429 char *
pcap_geterr(pcap_t * p)430 pcap_geterr(pcap_t *p)
431 {
432 return (p->errbuf);
433 }
434
435 int
pcap_getnonblock(pcap_t * p,char * errbuf)436 pcap_getnonblock(pcap_t *p, char *errbuf)
437 {
438 int fdflags;
439
440 fdflags = fcntl(p->fd, F_GETFL);
441 if (fdflags == -1) {
442 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s",
443 pcap_strerror(errno));
444 return (-1);
445 }
446 if (fdflags & O_NONBLOCK)
447 return (1);
448 else
449 return (0);
450 }
451
452 int
pcap_setnonblock(pcap_t * p,int nonblock,char * errbuf)453 pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf)
454 {
455 int fdflags;
456
457 fdflags = fcntl(p->fd, F_GETFL);
458 if (fdflags == -1) {
459 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s",
460 pcap_strerror(errno));
461 return (-1);
462 }
463 if (nonblock)
464 fdflags |= O_NONBLOCK;
465 else
466 fdflags &= ~O_NONBLOCK;
467 if (fcntl(p->fd, F_SETFL, fdflags) == -1) {
468 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_SETFL: %s",
469 pcap_strerror(errno));
470 return (-1);
471 }
472 return (0);
473 }
474
475 /*
476 * Generate error strings for PCAP_ERROR_ and PCAP_WARNING_ values.
477 */
478 const char *
pcap_statustostr(int errnum)479 pcap_statustostr(int errnum)
480 {
481 static char ebuf[15+10+1];
482
483 switch (errnum) {
484
485 case PCAP_WARNING:
486 return("Generic warning");
487
488 case PCAP_WARNING_TSTAMP_TYPE_NOTSUP:
489 return ("That type of time stamp is not supported by that device");
490
491 case PCAP_WARNING_PROMISC_NOTSUP:
492 return ("That device doesn't support promiscuous mode");
493
494 case PCAP_ERROR:
495 return("Generic error");
496
497 case PCAP_ERROR_BREAK:
498 return("Loop terminated by pcap_breakloop");
499
500 case PCAP_ERROR_NOT_ACTIVATED:
501 return("The pcap_t has not been activated");
502
503 case PCAP_ERROR_ACTIVATED:
504 return ("The setting can't be changed after the pcap_t is activated");
505
506 case PCAP_ERROR_NO_SUCH_DEVICE:
507 return ("No such device exists");
508
509 case PCAP_ERROR_RFMON_NOTSUP:
510 return ("That device doesn't support monitor mode");
511
512 case PCAP_ERROR_NOT_RFMON:
513 return ("That operation is supported only in monitor mode");
514
515 case PCAP_ERROR_PERM_DENIED:
516 return ("You don't have permission to capture on that device");
517
518 case PCAP_ERROR_IFACE_NOT_UP:
519 return ("That device is not up");
520
521 case PCAP_ERROR_CANTSET_TSTAMP_TYPE:
522 return ("That device doesn't support setting the time stamp type");
523
524 case PCAP_ERROR_PROMISC_PERM_DENIED:
525 return ("You don't have permission to capture in promiscuous mode on that device");
526 }
527 (void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum);
528 return(ebuf);
529 }
530
531 /*
532 * Not all systems have strerror().
533 */
534 const char *
pcap_strerror(int errnum)535 pcap_strerror(int errnum)
536 {
537 #ifdef HAVE_STRERROR
538 return (strerror(errnum));
539 #else
540 extern int sys_nerr;
541 extern const char *const sys_errlist[];
542 static char ebuf[20];
543
544 if ((unsigned int)errnum < sys_nerr)
545 return ((char *)sys_errlist[errnum]);
546 (void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum);
547 return(ebuf);
548 #endif
549 }
550
551 /*
552 * On some platforms, we need to clean up promiscuous or monitor mode
553 * when we close a device - and we want that to happen even if the
554 * application just exits without explicitl closing devices.
555 * On those platforms, we need to register a "close all the pcaps"
556 * routine to be called when we exit, and need to maintain a list of
557 * pcaps that need to be closed to clean up modes.
558 *
559 * XXX - not thread-safe.
560 */
561
562 /*
563 * List of pcaps on which we've done something that needs to be
564 * cleaned up.
565 * If there are any such pcaps, we arrange to call "pcap_close_all()"
566 * when we exit, and have it close all of them.
567 */
568 static struct pcap *pcaps_to_close;
569
570 /*
571 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
572 * be called on exit.
573 */
574 static int did_atexit;
575
576 static void
pcap_close_all(void)577 pcap_close_all(void)
578 {
579 struct pcap *handle;
580
581 while ((handle = pcaps_to_close) != NULL)
582 pcap_close(handle);
583 }
584
585 int
pcap_do_addexit(pcap_t * p)586 pcap_do_addexit(pcap_t *p)
587 {
588 /*
589 * If we haven't already done so, arrange to have
590 * "pcap_close_all()" called when we exit.
591 */
592 if (!did_atexit) {
593 if (atexit(pcap_close_all) == -1) {
594 /*
595 * "atexit()" failed; let our caller know.
596 */
597 (void)strlcpy(p->errbuf, "atexit failed",
598 PCAP_ERRBUF_SIZE);
599 return (0);
600 }
601 did_atexit = 1;
602 }
603 return (1);
604 }
605
606 void
pcap_add_to_pcaps_to_close(pcap_t * p)607 pcap_add_to_pcaps_to_close(pcap_t *p)
608 {
609 p->md.next = pcaps_to_close;
610 pcaps_to_close = p;
611 }
612
613 void
pcap_remove_from_pcaps_to_close(pcap_t * p)614 pcap_remove_from_pcaps_to_close(pcap_t *p)
615 {
616 pcap_t *pc, *prevpc;
617
618 for (pc = pcaps_to_close, prevpc = NULL; pc != NULL;
619 prevpc = pc, pc = pc->md.next) {
620 if (pc == p) {
621 /*
622 * Found it. Remove it from the list.
623 */
624 if (prevpc == NULL) {
625 /*
626 * It was at the head of the list.
627 */
628 pcaps_to_close = pc->md.next;
629 } else {
630 /*
631 * It was in the middle of the list.
632 */
633 prevpc->md.next = pc->md.next;
634 }
635 break;
636 }
637 }
638 }
639
640 pcap_t *
pcap_open_dead(int linktype,int snaplen)641 pcap_open_dead(int linktype, int snaplen)
642 {
643 pcap_t *p;
644
645 p = calloc(1, sizeof(*p));
646 if (p == NULL)
647 return NULL;
648 p->snapshot = snaplen;
649 p->linktype = linktype;
650 p->fd = -1;
651 return p;
652 }
653
654 /*
655 * Given a BPF program, a pcap_pkthdr structure for a packet, and the raw
656 * data for the packet, check whether the packet passes the filter.
657 * Returns the return value of the filter program, which will be zero if
658 * the packet doesn't pass and non-zero if the packet does pass.
659 */
660 int
pcap_offline_filter(const struct bpf_program * fp,const struct pcap_pkthdr * h,const u_char * pkt)661 pcap_offline_filter(const struct bpf_program *fp, const struct pcap_pkthdr *h,
662 const u_char *pkt)
663 {
664 struct bpf_insn *fcode = fp->bf_insns;
665
666 if (fcode != NULL)
667 return (bpf_filter(fcode, pkt, h->len, h->caplen));
668 else
669 return (0);
670 }
671
672 const char *
pcap_lib_version(void)673 pcap_lib_version(void)
674 {
675 return (pcap_version_string);
676 }
677
678