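/* $OpenBSD: pcap.c,v 1.19 2016/04/06 08:02:56 jasper Exp $ */

/*
 * Copyright (c) 1993, 1994, 1995, 1996, 1997, 1998
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by the Computer Systems
 * Engineering Group at Lawrence Berkeley Laboratory.
 * 4. Neither the name of the University nor of the Laboratory may be used
 * to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/types.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>

#ifdef HAVE_OS_PROTO_H
#include "os-proto.h"
#endif

#include "pcap-int.h"

static const char pcap_version_string[] = "OpenBSD libpcap";

/*
 * Read packets from p and hand each one to callback.  A handle with a
 * savefile attached (p->sf.rfile != NULL) is served by pcap_offline_read(),
 * any other handle by pcap_read(); cnt, callback and user are forwarded
 * untouched and the reader's return value is returned as is.
 */
int
pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{

	if (p->sf.rfile != NULL)
		return (pcap_offline_read(p, cnt, callback, user));
	return (pcap_read(p, cnt, callback, user));
}

/*
 * Keep reading from p until the reader reports a value <= 0 or, when
 * cnt > 0, until at least cnt packets have been processed.
 *
 * Returns the reader's value when it is <= 0, and 0 once the requested
 * count has been consumed.  With cnt <= 0 the loop only ends on a reader
 * return <= 0.
 */
int
pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
	int n;

	for (;;) {
		if (p->sf.rfile != NULL)
			n = pcap_offline_read(p, cnt, callback, user);
		else {
			/*
			 * XXX keep reading until we get something
			 * (or an error occurs)
			 */
			do {
				n = pcap_read(p, cnt, callback, user);
			} while (n == 0);
		}
		if (n <= 0)
			return (n);
		if (cnt > 0) {
			/* n packets were delivered; stop once cnt is used up. */
			cnt -= n;
			if (cnt <= 0)
				return (0);
		}
	}
}

/* Carrier used by pcap_next() to get one packet back out of a callback. */
struct singleton {
	struct pcap_pkthdr *hdr;	/* caller's header, filled by copy */
	const u_char *pkt;		/* packet data pointer from the reader */
};


/*
 * Callback for pcap_next(): copy the packet header into the caller's
 * structure and remember the data pointer.  userData must point to a
 * struct singleton whose hdr member is a valid, writable header.
 */
static void
pcap_oneshot(u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
{
	struct singleton *sp = (struct singleton *)userData;

	*sp->hdr = *h;
	sp->pkt = pkt;
}

/*
 * Fetch a single packet through pcap_dispatch().
 *
 * h receives a copy of the packet header and must not be NULL, because
 * the callback writes through it unconditionally.  Returns the data
 * pointer the reader handed to the callback, or NULL when pcap_dispatch()
 * returned <= 0 (the individual causes cannot be told apart here).
 * NOTE(review): the returned pointer is not copied; its lifetime is
 * whatever the reader guarantees for callback data - confirm before
 * holding on to it across further reads.
 */
const u_char *
pcap_next(pcap_t *p, struct pcap_pkthdr *h)
{
	struct singleton s;

	s.hdr = h;
	if (pcap_dispatch(p, 1, pcap_oneshot, (u_char*)&s) <= 0)
		return (NULL);
	return (s.pkt);
}

/* Carrier used by pcap_next_ex() to get one packet back out of a callback. */
struct pkt_for_fakecallback {
	struct pcap_pkthdr *hdr;	/* header storage inside the pcap_t */
	const u_char **pkt;		/* where to store the data pointer */
};

/*
 * Callback for pcap_next_ex(): copy the header into the storage named by
 * userData and store the data pointer through the caller's pkt pointer.
 */
static void
pcap_fakecallback(u_char *userData, const struct pcap_pkthdr *h,
    const u_char *pkt)
{
	struct pkt_for_fakecallback *sp = (struct pkt_for_fakecallback *)userData;

	*sp->hdr = *h;
	*sp->pkt = pkt;
}

/*
 * Read one packet and report status separately from the data.
 *
 * *pkt_header is always pointed at p->pcap_header, even when no packet is
 * delivered, so callers must look at the return value before using it.
 * *pkt_data is only written when the reader invokes the callback.
 *
 * Returns the reader's status, except that a 0 from pcap_offline_read()
 * (end of savefile) is reported as -2.
 */
int
pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
    const u_char **pkt_data)
{
	struct pkt_for_fakecallback s;

	s.hdr = &p->pcap_header;
	s.pkt = pkt_data;

	/* Saves a pointer to the packet headers */
	*pkt_header= &p->pcap_header;

	if (p->sf.rfile != NULL) {
		int status;

		/* We are on an offline capture */
		status = pcap_offline_read(p, 1, pcap_fakecallback,
		    (u_char *)&s);

		/*
		 * Return codes for pcap_offline_read() are:
		 *   -  0: EOF
		 *   - -1: error
		 *   - >0: OK
		 * The first one ('0') conflicts with the return code of
		 * 0 from pcap_read() meaning "no packets arrived before
		 * the timeout expired", so we map it to -2 so you can
		 * distinguish between an EOF from a savefile and a
		 * "no packets arrived before the timeout expired, try
		 * again" from a live capture.
		 */
		if (status == 0)
			return (-2);
		else
			return (status);
	}

	/*
	 * Return codes for pcap_read() are:
	 *   -  0: timeout
	 *   - -1: error
	 *   - -2: loop was broken out of with pcap_breakloop()
	 *   - >0: OK
	 * The first one ('0') conflicts with the return code of 0 from
	 * pcap_offline_read() meaning "end of file".
	 */
	return (pcap_read(p, 1, pcap_fakecallback, (u_char *)&s));
}

/*
 * Guard for the pcap_set_*() routines: returns -1 and fills p->errbuf
 * when the handle is already activated, 0 otherwise.
 */
int
pcap_check_activated(pcap_t *p)
{
	if (p->activated) {
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't perform "
		    " operation on activated capture");
		return -1;
	}
	return 0;
}

/*
 * Record the snapshot length for a not-yet-activated handle.
 * Returns 0, or PCAP_ERROR_ACTIVATED if the handle is already active.
 * NOTE(review): snaplen is stored as given; no range check is visible
 * here, so a zero or negative value relies on validation elsewhere
 * (presumably at activation) - confirm.
 */
int
pcap_set_snaplen(pcap_t *p, int snaplen)
{
	if (pcap_check_activated(p))
		return PCAP_ERROR_ACTIVATED;
	p->snapshot = snaplen;
	return 0;
}

/*
 * Record the promiscuous-mode request for a not-yet-activated handle.
 * Returns 0, or PCAP_ERROR_ACTIVATED if the handle is already active.
 */
int
pcap_set_promisc(pcap_t *p, int promisc)
{
	if (pcap_check_activated(p))
		return PCAP_ERROR_ACTIVATED;
	p->opt.promisc = promisc;
	return 0;
}

/*
 * Record the monitor-mode request for a not-yet-activated handle.
 * Returns 0, or PCAP_ERROR_ACTIVATED if the handle is already active.
 */
int
pcap_set_rfmon(pcap_t *p, int rfmon)
{
	if (pcap_check_activated(p))
		return PCAP_ERROR_ACTIVATED;
	p->opt.rfmon = rfmon;
	return 0;
}

/*
 * Record the read timeout (milliseconds, going by the parameter name)
 * for a not-yet-activated handle.
 * Returns 0, or PCAP_ERROR_ACTIVATED if the handle is already active.
 */
int
pcap_set_timeout(pcap_t *p, int timeout_ms)
{
	if (pcap_check_activated(p))
		return PCAP_ERROR_ACTIVATED;
	p->md.timeout = timeout_ms;
	return 0;
}

/*
 * Record the requested capture buffer size for a not-yet-activated handle.
 * Returns 0, or PCAP_ERROR_ACTIVATED if the handle is already active.
 * NOTE(review): buffer_size is a signed int stored without a range check;
 * whoever later turns it into an allocation or ioctl argument has to
 * reject zero and negative values - confirm that this happens.
 */
int
pcap_set_buffer_size(pcap_t *p, int buffer_size)
{
	if (pcap_check_activated(p))
		return PCAP_ERROR_ACTIVATED;
	p->opt.buffer_size = buffer_size;
	return 0;
}

/*
 * Force the loop in "pcap_read()" or "pcap_offline_read()" to terminate.
 * Only sets p->break_loop; the readers are expected to test it.
 */
void
pcap_breakloop(pcap_t *p)
{
	p->break_loop = 1;
}

/* Return the link-layer type recorded in the handle. */
int
pcap_datalink(pcap_t *p)
{
	return (p->linktype);
}

/*
 * Allocate a list of the DLTs available on p and store it in *dlt_buffer.
 *
 * Returns the number of entries, or -1 with p->errbuf set when the
 * allocation fails (in which case *dlt_buffer is NULL).  The list is
 * owned by the caller and is released with pcap_free_datalinks().
 */
int
pcap_list_datalinks(pcap_t *p, int **dlt_buffer)
{
	if (p->dlt_count == 0) {
		/*
		 * We couldn't fetch the list of DLTs, which means
		 * this platform doesn't support changing the
		 * DLT for an interface.  Return a list of DLTs
		 * containing only the DLT this device supports.
		 */
		*dlt_buffer = malloc(sizeof(**dlt_buffer));
		if (*dlt_buffer == NULL) {
			(void)snprintf(p->errbuf, sizeof(p->errbuf),
			    "malloc: %s", pcap_strerror(errno));
			return (-1);
		}
		**dlt_buffer = p->linktype;
		return (1);
	} else {
		/*
		 * reallocarray() rejects a size * count product that would
		 * overflow, so the same product in the memcpy() below is
		 * known to fit once the allocation has succeeded.
		 */
		*dlt_buffer = reallocarray(NULL, sizeof(**dlt_buffer),
		    p->dlt_count);
		if (*dlt_buffer == NULL) {
			(void)snprintf(p->errbuf, sizeof(p->errbuf),
			    "malloc: %s", pcap_strerror(errno));
			return (-1);
		}
		(void)memcpy(*dlt_buffer, p->dlt_list,
		    sizeof(**dlt_buffer) * p->dlt_count);
		return (p->dlt_count);
	}
}

/*
 * In Windows, you might have a library built with one version of the
 * C runtime library and an application built with another version of
 * the C runtime library, which means that the library might use one
 * version of malloc() and free() and the application might use another
 * version of malloc() and free().  If so, that means something
 * allocated by the library cannot be freed by the application, so we
 * need to have a pcap_free_datalinks() routine to free up the list
 * allocated by pcap_list_datalinks(), even though it's just a wrapper
 * around free().
 */
void
pcap_free_datalinks(int *dlt_list)
{
	free(dlt_list);
}

/* One row of the DLT name/description table. */
struct dlt_choice {
	const char *name;		/* "DLT_xxx", stringified constant */
	const char *description;	/* human-readable description */
	int dlt;			/* numeric DLT_ value */
};

/*
 * Table of known link types, terminated by a NULL name.  It is only ever
 * read, so it is const and can live in read-only data.  Every name is
 * produced by stringifying a DLT_ constant, which is what lets the lookup
 * routines skip the first four characters.
 */
static const struct dlt_choice dlts[] = {
#define DLT_CHOICE(code, description) { #code, description, code }
	DLT_CHOICE(DLT_NULL, "no link-layer encapsulation"),
	DLT_CHOICE(DLT_EN10MB, "Ethernet (10Mb)"),
	DLT_CHOICE(DLT_EN3MB, "Experimental Ethernet (3Mb)"),
	DLT_CHOICE(DLT_AX25, "Amateur Radio AX.25"),
	DLT_CHOICE(DLT_PRONET, "Proteon ProNET Token Ring"),
	DLT_CHOICE(DLT_CHAOS, "Chaos"),
	DLT_CHOICE(DLT_IEEE802, "IEEE 802 Networks"),
	DLT_CHOICE(DLT_ARCNET, "ARCNET"),
	DLT_CHOICE(DLT_SLIP, "Serial Line IP"),
	DLT_CHOICE(DLT_PPP, "Point-to-point Protocol"),
	DLT_CHOICE(DLT_FDDI, "FDDI"),
	DLT_CHOICE(DLT_ATM_RFC1483, "LLC/SNAP encapsulated atm"),
	DLT_CHOICE(DLT_LOOP, "loopback type (af header)"),
	DLT_CHOICE(DLT_ENC, "IPSEC enc type (af header, spi, flags)"),
	DLT_CHOICE(DLT_RAW, "raw IP"),
	DLT_CHOICE(DLT_SLIP_BSDOS, "BSD/OS Serial Line IP"),
	DLT_CHOICE(DLT_PPP_BSDOS, "BSD/OS Point-to-point Protocol"),
	DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),
	DLT_CHOICE(DLT_PPP_ETHER, "PPP over Ethernet; session only w/o ether header"),
	DLT_CHOICE(DLT_IEEE802_11, "IEEE 802.11 wireless"),
	DLT_CHOICE(DLT_PFLOG, "Packet filter logging, by pcap people"),
	DLT_CHOICE(DLT_IEEE802_11_RADIO, "IEEE 802.11 plus WLAN header"),
#undef DLT_CHOICE
	{ NULL, NULL, -1}
};

/*
 * Map a link-type name without its "DLT_" prefix (compared without regard
 * to case) to the numeric DLT value.  Returns -1 when the name is NULL or
 * not in the table.
 */
int
pcap_datalink_name_to_val(const char *name)
{
	int i;

	/* strcasecmp() on a null pointer is undefined; treat it as unknown. */
	if (name == NULL)
		return (-1);

	for (i = 0; dlts[i].name != NULL; i++) {
		/* Skip leading "DLT_" */
		if (strcasecmp(dlts[i].name + 4, name) == 0)
			return (dlts[i].dlt);
	}
	return (-1);
}

/*
 * Map a numeric DLT value to its name without the "DLT_" prefix.
 * Returns NULL for a value that is not in the table; the string belongs
 * to the library and must not be freed.
 */
const char *
pcap_datalink_val_to_name(int dlt)
{
	int i;

	for (i = 0; dlts[i].name != NULL; i++) {
		if (dlts[i].dlt == dlt)
			return (dlts[i].name + 4); /* Skip leading "DLT_" */
	}
	return (NULL);
}

/*
 * Map a numeric DLT value to its description string.
 * Returns NULL for a value that is not in the table.
 */
const char *
pcap_datalink_val_to_description(int dlt)
{
	int i;

	for (i = 0; dlts[i].name != NULL; i++) {
		if (dlts[i].dlt == dlt)
			return (dlts[i].description);
	}
	return (NULL);
}

/* Return the snapshot length recorded in the handle. */
int
pcap_snapshot(pcap_t *p)
{
	return (p->snapshot);
}

/* Return the savefile's "swapped" flag (p->sf.swapped). */
int
pcap_is_swapped(pcap_t *p)
{
	return (p->sf.swapped);
}

/* Return the major version recorded for the savefile. */
int
pcap_major_version(pcap_t *p)
{
	return (p->sf.version_major);
}

/* Return the minor version recorded for the savefile. */
int
pcap_minor_version(pcap_t *p)
{
	return (p->sf.version_minor);
}

/* Return the savefile stream; NULL when the handle has no savefile. */
FILE *
pcap_file(pcap_t *p)
{
	return (p->sf.rfile);
}

/* Return the descriptor stored in the handle (pcap_open_dead() sets -1). */
int
pcap_fileno(pcap_t *p)
{
	return (p->fd);
}

/*
 * Print "prefix: <last error>" to stderr.  Both strings go through a
 * fixed "%s" format, so their contents are never interpreted as a format.
 */
void
pcap_perror(pcap_t *p, char *prefix)
{
	fprintf(stderr, "%s: %s\n", prefix, p->errbuf);
}

/* Return the descriptor stored in the handle, same value as pcap_fileno(). */
int
pcap_get_selectable_fd(pcap_t *p)
{
	return (p->fd);
}

/*
 * Return the handle's error buffer.  This is the buffer itself, not a
 * copy, so a later failing call on the same handle overwrites it.
 */
char *
pcap_geterr(pcap_t *p)
{
	return (p->errbuf);
}

/*
 * Mirror the message just written to p->errbuf into the caller-supplied
 * errbuf.  errbuf may be NULL or may be p->errbuf itself, in which case
 * nothing is copied.
 * NOTE(review): assumes errbuf holds at least PCAP_ERRBUF_SIZE bytes, the
 * size used for error buffers throughout this file - confirm for callers.
 */
static void
pcap_copy_errbuf(pcap_t *p, char *errbuf)
{
	if (errbuf != NULL && errbuf != p->errbuf)
		(void)strlcpy(errbuf, p->errbuf, PCAP_ERRBUF_SIZE);
}

/*
 * Report whether the handle's descriptor is in non-blocking mode.
 *
 * Returns 1 or 0, or -1 when fcntl() fails.  On failure the message is
 * written to p->errbuf and also copied to errbuf, so a caller that prints
 * the buffer it passed in does not print stale or uninitialized text.
 */
int
pcap_getnonblock(pcap_t *p, char *errbuf)
{
	int fdflags;

	fdflags = fcntl(p->fd, F_GETFL);
	if (fdflags == -1) {
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s",
		    pcap_strerror(errno));
		pcap_copy_errbuf(p, errbuf);
		return (-1);
	}
	if (fdflags & O_NONBLOCK)
		return (1);
	else
		return (0);
}

/*
 * Switch the handle's descriptor into (nonblock != 0) or out of
 * (nonblock == 0) non-blocking mode, leaving the other file status flags
 * as they were.
 *
 * Returns 0 on success, -1 when either fcntl() call fails.  On failure
 * the message is written to p->errbuf and also copied to errbuf.
 */
int
pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf)
{
	int fdflags;

	fdflags = fcntl(p->fd, F_GETFL);
	if (fdflags == -1) {
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s",
		    pcap_strerror(errno));
		pcap_copy_errbuf(p, errbuf);
		return (-1);
	}
	if (nonblock)
		fdflags |= O_NONBLOCK;
	else
		fdflags &= ~O_NONBLOCK;
	if (fcntl(p->fd, F_SETFL, fdflags) == -1) {
		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_SETFL: %s",
		    pcap_strerror(errno));
		pcap_copy_errbuf(p, errbuf);
		return (-1);
	}
	return (0);
}

/*
 * Generate error strings for PCAP_ERROR_ and PCAP_WARNING_ values.
 *
 * Known values return a string literal.  Anything else is formatted into
 * a static buffer, so that result is overwritten by the next such call
 * and the fallback path is not safe to use from several threads at once.
 */
const char *
pcap_statustostr(int errnum)
{
	/*
	 * "Unknown error: " is 15 characters and a formatted int needs up
	 * to 11 (sign plus ten digits), plus the terminating NUL.
	 */
	static char ebuf[15+11+1];

	switch (errnum) {

	case PCAP_WARNING:
		return("Generic warning");

	case PCAP_WARNING_TSTAMP_TYPE_NOTSUP:
		return ("That type of time stamp is not supported by that device");

	case PCAP_WARNING_PROMISC_NOTSUP:
		return ("That device doesn't support promiscuous mode");

	case PCAP_ERROR:
		return("Generic error");

	case PCAP_ERROR_BREAK:
		return("Loop terminated by pcap_breakloop");

	case PCAP_ERROR_NOT_ACTIVATED:
		return("The pcap_t has not been activated");

	case PCAP_ERROR_ACTIVATED:
		return ("The setting can't be changed after the pcap_t is activated");

	case PCAP_ERROR_NO_SUCH_DEVICE:
		return ("No such device exists");

	case PCAP_ERROR_RFMON_NOTSUP:
		return ("That device doesn't support monitor mode");

	case PCAP_ERROR_NOT_RFMON:
		return ("That operation is supported only in monitor mode");

	case PCAP_ERROR_PERM_DENIED:
		return ("You don't have permission to capture on that device");

	case PCAP_ERROR_IFACE_NOT_UP:
		return ("That device is not up");

	case PCAP_ERROR_CANTSET_TSTAMP_TYPE:
		return ("That device doesn't support setting the time stamp type");

	case PCAP_ERROR_PROMISC_PERM_DENIED:
		return ("You don't have permission to capture in promiscuous mode on that device");
	}
	(void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum);
	return(ebuf);
}

/*
 * Not all systems have strerror().
 *
 * Without HAVE_STRERROR the message comes from sys_errlist[], and values
 * outside the table are formatted into a static buffer that the next
 * such call overwrites.
 */
char *
pcap_strerror(int errnum)
{
#ifdef HAVE_STRERROR
	return (strerror(errnum));
#else
	extern int sys_nerr;
	extern const char *const sys_errlist[];
	/* 15 for "Unknown error: ", up to 11 for the int, 1 for the NUL. */
	static char ebuf[15+11+1];

	/* The unsigned cast makes a negative errnum fail the bound check. */
	if ((unsigned int)errnum < sys_nerr)
		return ((char *)sys_errlist[errnum]);
	(void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum);
	return(ebuf);
#endif
}

/*
 * On some platforms, we need to clean up promiscuous or monitor mode
 * when we close a device - and we want that to happen even if the
 * application just exits without explicitly closing devices.
 * On those platforms, we need to register a "close all the pcaps"
 * routine to be called when we exit, and need to maintain a list of
 * pcaps that need to be closed to clean up modes.
 *
 * XXX - not thread-safe.
 */

/*
 * List of pcaps on which we've done something that needs to be
 * cleaned up.
 * If there are any such pcaps, we arrange to call "pcap_close_all()"
 * when we exit, and have it close all of them.
 */
static struct pcap *pcaps_to_close;

/*
 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
 * be called on exit.
 */
static int did_atexit;

/*
 * atexit() handler: close every handle still on pcaps_to_close.
 * NOTE(review): the loop re-reads the list head each time, so it only
 * terminates if pcap_close() unlinks the handle (presumably through
 * pcap_remove_from_pcaps_to_close()) - confirm.
 */
static void
pcap_close_all(void)
{
	struct pcap *handle;

	while ((handle = pcaps_to_close) != NULL)
		pcap_close(handle);
}

/*
 * Make sure pcap_close_all() is registered with atexit(), once per
 * process.  Returns 1 on success, 0 with p->errbuf set on failure.
 */
int
pcap_do_addexit(pcap_t *p)
{
	/*
	 * If we haven't already done so, arrange to have
	 * "pcap_close_all()" called when we exit.
	 */
	if (!did_atexit) {
		/*
		 * atexit() reports failure with any non-zero value, not
		 * specifically -1, so test against zero.
		 */
		if (atexit(pcap_close_all) != 0) {
			/*
			 * "atexit()" failed; let our caller know.
			 */
			(void)strlcpy(p->errbuf, "atexit failed",
			    PCAP_ERRBUF_SIZE);
			return (0);
		}
		did_atexit = 1;
	}
	return (1);
}

/* Push p onto the head of the close-at-exit list. */
void
pcap_add_to_pcaps_to_close(pcap_t *p)
{
	p->md.next = pcaps_to_close;
	pcaps_to_close = p;
}

/*
 * Unlink p from the close-at-exit list.  A handle that is not on the
 * list is left alone.
 */
void
pcap_remove_from_pcaps_to_close(pcap_t *p)
{
	pcap_t *pc, *prevpc;

	for (pc = pcaps_to_close, prevpc = NULL; pc != NULL;
	    prevpc = pc, pc = pc->md.next) {
		if (pc == p) {
			/*
			 * Found it.  Remove it from the list.
			 */
			if (prevpc == NULL) {
				/*
				 * It was at the head of the list.
				 */
				pcaps_to_close = pc->md.next;
			} else {
				/*
				 * It was in the middle of the list.
				 */
				prevpc->md.next = pc->md.next;
			}
			break;
		}
	}
}

/*
 * Create a handle that is not attached to any device or savefile.
 * Every field is zero except the snapshot length, the link type and the
 * descriptor, which is -1.  Returns NULL when the allocation fails.
 */
pcap_t *
pcap_open_dead(int linktype, int snaplen)
{
	pcap_t *p;

	p = calloc(1, sizeof(*p));
	if (p == NULL)
		return NULL;
	p->snapshot = snaplen;
	p->linktype = linktype;
	p->fd = -1;
	return p;
}

/*
 * Given a BPF program, a pcap_pkthdr structure for a packet, and the raw
 * data for the packet, check whether the packet passes the filter.
 * Returns the return value of the filter program, which will be zero if
 * the packet doesn't pass and non-zero if the packet does pass.
 *
 * A program with no instructions (bf_insns == NULL) rejects every packet.
 * NOTE(review): h->len and h->caplen are handed to bpf_filter() as they
 * are; when the header comes from an untrusted capture file the caller
 * has to make sure caplen does not exceed the bytes actually present at
 * pkt - confirm at the call sites.
 */
int
pcap_offline_filter(const struct bpf_program *fp, const struct pcap_pkthdr *h,
    const u_char *pkt)
{
	struct bpf_insn *fcode = fp->bf_insns;

	if (fcode != NULL)
		return (bpf_filter(fcode, pkt, h->len, h->caplen));
	else
		return (0);
}

/* Return the library's version string. */
const char *
pcap_lib_version(void)
{
	return (pcap_version_string);
}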