1 /* 2 * Copyright (c) 1993, 1994, 1995, 1996, 1998 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 */ 21 #ifndef lint 22 static const char rcsid[] _U_ = 23 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.99.2.17 2008-09-16 18:43:02 guy Exp $ (LBL)"; 24 #endif 25 26 #ifdef HAVE_CONFIG_H 27 #include "config.h" 28 #endif 29 30 #include <sys/param.h> /* optionally get BSD define */ 31 #ifdef HAVE_ZEROCOPY_BPF 32 #include <sys/mman.h> 33 #endif 34 #include <sys/time.h> 35 #include <sys/timeb.h> 36 #include <sys/socket.h> 37 #include <sys/file.h> 38 #include <sys/ioctl.h> 39 #include <sys/utsname.h> 40 41 #ifdef HAVE_ZEROCOPY_BPF 42 #include <machine/atomic.h> 43 #endif 44 45 #include <net/if.h> 46 47 #ifdef _AIX 48 49 /* 50 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the 51 * native OS version, as we need "struct bpf_config" from it. 52 */ 53 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 54 55 #include <sys/types.h> 56 57 /* 58 * Prevent bpf.h from redefining the DLT_ values to their 59 * IFT_ values, as we're going to return the standard libpcap 60 * values, not IBM's non-standard IFT_ values. 61 */ 62 #undef _AIX 63 #include <net/bpf.h> 64 #define _AIX 65 66 #include <net/if_types.h> /* for IFT_ values */ 67 #include <sys/sysconfig.h> 68 #include <sys/device.h> 69 #include <sys/cfgodm.h> 70 #include <cf.h> 71 72 #ifdef __64BIT__ 73 #define domakedev makedev64 74 #define getmajor major64 75 #define bpf_hdr bpf_hdr32 76 #else /* __64BIT__ */ 77 #define domakedev makedev 78 #define getmajor major 79 #endif /* __64BIT__ */ 80 81 #define BPF_NAME "bpf" 82 #define BPF_MINORS 4 83 #define DRIVER_PATH "/usr/lib/drivers" 84 #define BPF_NODE "/dev/bpf" 85 static int bpfloadedflag = 0; 86 static int odmlockid = 0; 87 88 #else /* _AIX */ 89 90 #include <net/bpf.h> 91 92 #endif /* _AIX */ 93 94 #include <ctype.h> 95 #include <errno.h> 96 #include <netdb.h> 97 #include <stdio.h> 98 #include <stdlib.h> 99 #include <string.h> 100 #include <unistd.h> 101 102 #ifdef HAVE_NET_IF_MEDIA_H 103 # include <net/if_media.h> 104 #endif 105 106 #include "pcap-int.h" 107 108 #ifdef HAVE_DAG_API 109 #include "pcap-dag.h" 110 #endif /* HAVE_DAG_API */ 111 112 #ifdef HAVE_OS_PROTO_H 113 #include "os-proto.h" 114 #endif 115 116 #ifdef BIOCGDLTLIST 117 # if (defined(HAVE_NET_IF_MEDIA_H) && defined(IFM_IEEE80211)) && !defined(__APPLE__) 118 #define HAVE_BSD_IEEE80211 119 # endif 120 121 # if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) 122 static int find_802_11(struct bpf_dltlist *); 123 124 # ifdef HAVE_BSD_IEEE80211 125 static int monitor_mode(pcap_t *, int); 126 # endif 127 128 # if defined(__APPLE__) 129 static void remove_en(pcap_t *); 130 static void remove_802_11(pcap_t *); 131 # endif 132 133 # endif /* defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) */ 134 135 #endif /* BIOCGDLTLIST */ 136 137 /* 138 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably 139 * don't get DLT_DOCSIS defined. 140 */ 141 #ifndef DLT_DOCSIS 142 #define DLT_DOCSIS 143 143 #endif 144 145 /* 146 * On OS X, we don't even get any of the 802.11-plus-radio-header DLT_'s 147 * defined, even though some of them are used by various Airport drivers. 148 */ 149 #ifndef DLT_PRISM_HEADER 150 #define DLT_PRISM_HEADER 119 151 #endif 152 #ifndef DLT_AIRONET_HEADER 153 #define DLT_AIRONET_HEADER 120 154 #endif 155 #ifndef DLT_IEEE802_11_RADIO 156 #define DLT_IEEE802_11_RADIO 127 157 #endif 158 #ifndef DLT_IEEE802_11_RADIO_AVS 159 #define DLT_IEEE802_11_RADIO_AVS 163 160 #endif 161 162 static int pcap_can_set_rfmon_bpf(pcap_t *p); 163 static int pcap_activate_bpf(pcap_t *p); 164 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp); 165 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t); 166 static int pcap_set_datalink_bpf(pcap_t *p, int dlt); 167 168 #ifdef HAVE_ZEROCOPY_BPF 169 /* 170 * For zerocopy bpf, we need to override the setnonblock/getnonblock routines 171 * so we don't call select(2) if the pcap handle is in non-blocking mode. We 172 * preserve the timeout supplied by pcap_open functions to make sure it 173 * does not get clobbered if the pcap handle moves between blocking and non- 174 * blocking mode. 175 */ 176 static int 177 pcap_getnonblock_zbuf(pcap_t *p, char *errbuf) 178 { 179 /* 180 * Use a negative value for the timeout to represent that the 181 * pcap handle is in non-blocking mode. 182 */ 183 return (p->md.timeout < 0); 184 } 185 186 static int 187 pcap_setnonblock_zbuf(pcap_t *p, int nonblock, char *errbuf) 188 { 189 /* 190 * Map each value to the corresponding 2's complement, to 191 * preserve the timeout value provided with pcap_set_timeout. 192 * (from pcap-linux.c). 193 */ 194 if (nonblock) { 195 if (p->md.timeout > 0) 196 p->md.timeout = p->md.timeout * -1 - 1; 197 } else 198 if (p->md.timeout < 0) 199 p->md.timeout = (p->md.timeout + 1) * -1; 200 return (0); 201 } 202 203 /* 204 * Zero-copy specific close method. Un-map the shared buffers then call 205 * pcap_cleanup_live_common. 206 */ 207 static void 208 pcap_cleanup_zbuf(pcap_t *p) 209 { 210 /* 211 * Delete the mappings. Note that p->buffer gets initialized to one 212 * of the mmapped regions in this case, so do not try and free it 213 * directly; null it out so that pcap_cleanup_live_common() doesn't 214 * try to free it. 215 */ 216 if (p->md.zbuf1 != MAP_FAILED && p->md.zbuf1 != NULL) 217 (void) munmap(p->md.zbuf1, p->md.zbufsize); 218 if (p->md.zbuf2 != MAP_FAILED && p->md.zbuf2 != NULL) 219 (void) munmap(p->md.zbuf2, p->md.zbufsize); 220 p->buffer = NULL; 221 pcap_cleanup_live_common(p); 222 } 223 224 /* 225 * Zero-copy BPF buffer routines to check for and acknowledge BPF data in 226 * shared memory buffers. 227 * 228 * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer, 229 * and set up p->buffer and cc to reflect one if available. Notice that if 230 * there was no prior buffer, we select zbuf1 as this will be the first 231 * buffer filled for a fresh BPF session. 232 */ 233 static int 234 pcap_next_zbuf_shm(pcap_t *p, int *cc) 235 { 236 struct bpf_zbuf_header *bzh; 237 238 if (p->md.zbuffer == p->md.zbuf2 || p->md.zbuffer == NULL) { 239 bzh = (struct bpf_zbuf_header *)p->md.zbuf1; 240 if (bzh->bzh_user_gen != 241 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 242 p->md.bzh = bzh; 243 p->md.zbuffer = (u_char *)p->md.zbuf1; 244 p->buffer = p->md.zbuffer + sizeof(*bzh); 245 *cc = bzh->bzh_kernel_len; 246 return (1); 247 } 248 } else if (p->md.zbuffer == p->md.zbuf1) { 249 bzh = (struct bpf_zbuf_header *)p->md.zbuf2; 250 if (bzh->bzh_user_gen != 251 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 252 p->md.bzh = bzh; 253 p->md.zbuffer = (u_char *)p->md.zbuf2; 254 p->buffer = p->md.zbuffer + sizeof(*bzh); 255 *cc = bzh->bzh_kernel_len; 256 return (1); 257 } 258 } 259 *cc = 0; 260 return (0); 261 } 262 263 /* 264 * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using 265 * select() for data or a timeout, and possibly force rotation of the buffer 266 * in the event we time out or are in immediate mode. Invoke the shared 267 * memory check before doing system calls in order to avoid doing avoidable 268 * work. 269 */ 270 static int 271 pcap_next_zbuf(pcap_t *p, int *cc) 272 { 273 struct bpf_zbuf bz; 274 struct timeval tv; 275 struct timespec cur; 276 fd_set r_set; 277 int data, r; 278 int expire, tmout; 279 280 #define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000)) 281 /* 282 * Start out by seeing whether anything is waiting by checking the 283 * next shared memory buffer for data. 284 */ 285 data = pcap_next_zbuf_shm(p, cc); 286 if (data) 287 return (data); 288 /* 289 * If a previous sleep was interrupted due to signal delivery, make 290 * sure that the timeout gets adjusted accordingly. This requires 291 * that we analyze when the timeout should be been expired, and 292 * subtract the current time from that. If after this operation, 293 * our timeout is less then or equal to zero, handle it like a 294 * regular timeout. 295 */ 296 tmout = p->md.timeout; 297 if (tmout) 298 (void) clock_gettime(CLOCK_MONOTONIC, &cur); 299 if (p->md.interrupted && p->md.timeout) { 300 expire = TSTOMILLI(&p->md.firstsel) + p->md.timeout; 301 tmout = expire - TSTOMILLI(&cur); 302 #undef TSTOMILLI 303 if (tmout <= 0) { 304 p->md.interrupted = 0; 305 data = pcap_next_zbuf_shm(p, cc); 306 if (data) 307 return (data); 308 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 309 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 310 "BIOCROTZBUF: %s", strerror(errno)); 311 return (PCAP_ERROR); 312 } 313 return (pcap_next_zbuf_shm(p, cc)); 314 } 315 } 316 /* 317 * No data in the buffer, so must use select() to wait for data or 318 * the next timeout. Note that we only call select if the handle 319 * is in blocking mode. 320 */ 321 if (p->md.timeout >= 0) { 322 FD_ZERO(&r_set); 323 FD_SET(p->fd, &r_set); 324 if (tmout != 0) { 325 tv.tv_sec = tmout / 1000; 326 tv.tv_usec = (tmout * 1000) % 1000000; 327 } 328 r = select(p->fd + 1, &r_set, NULL, NULL, 329 p->md.timeout != 0 ? &tv : NULL); 330 if (r < 0 && errno == EINTR) { 331 if (!p->md.interrupted && p->md.timeout) { 332 p->md.interrupted = 1; 333 p->md.firstsel = cur; 334 } 335 return (0); 336 } else if (r < 0) { 337 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 338 "select: %s", strerror(errno)); 339 return (PCAP_ERROR); 340 } 341 } 342 p->md.interrupted = 0; 343 /* 344 * Check again for data, which may exist now that we've either been 345 * woken up as a result of data or timed out. Try the "there's data" 346 * case first since it doesn't require a system call. 347 */ 348 data = pcap_next_zbuf_shm(p, cc); 349 if (data) 350 return (data); 351 /* 352 * Try forcing a buffer rotation to dislodge timed out or immediate 353 * data. 354 */ 355 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 356 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 357 "BIOCROTZBUF: %s", strerror(errno)); 358 return (PCAP_ERROR); 359 } 360 return (pcap_next_zbuf_shm(p, cc)); 361 } 362 363 /* 364 * Notify kernel that we are done with the buffer. We don't reset zbuffer so 365 * that we know which buffer to use next time around. 366 */ 367 static int 368 pcap_ack_zbuf(pcap_t *p) 369 { 370 371 atomic_store_rel_int(&p->md.bzh->bzh_user_gen, 372 p->md.bzh->bzh_kernel_gen); 373 p->md.bzh = NULL; 374 p->buffer = NULL; 375 return (0); 376 } 377 #endif 378 379 pcap_t * 380 pcap_create(const char *device, char *ebuf) 381 { 382 pcap_t *p; 383 384 #ifdef HAVE_DAG_API 385 if (strstr(device, "dag")) 386 return (dag_create(device, ebuf)); 387 #endif /* HAVE_DAG_API */ 388 389 p = pcap_create_common(device, ebuf); 390 if (p == NULL) 391 return (NULL); 392 393 p->activate_op = pcap_activate_bpf; 394 p->can_set_rfmon_op = pcap_can_set_rfmon_bpf; 395 return (p); 396 } 397 398 static int 399 bpf_open(pcap_t *p) 400 { 401 int fd; 402 #ifdef HAVE_CLONING_BPF 403 static const char device[] = "/dev/bpf"; 404 #else 405 int n = 0; 406 char device[sizeof "/dev/bpf0000000000"]; 407 #endif 408 409 #ifdef _AIX 410 /* 411 * Load the bpf driver, if it isn't already loaded, 412 * and create the BPF device entries, if they don't 413 * already exist. 414 */ 415 if (bpf_load(p->errbuf) == PCAP_ERROR) 416 return (PCAP_ERROR); 417 #endif 418 419 #ifdef HAVE_CLONING_BPF 420 if ((fd = open(device, O_RDWR)) == -1 && 421 (errno != EACCES || (fd = open(device, O_RDONLY)) == -1)) { 422 if (errno == EACCES) 423 fd = PCAP_ERROR_PERM_DENIED; 424 else 425 fd = PCAP_ERROR; 426 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 427 "(cannot open device) %s: %s", device, pcap_strerror(errno)); 428 } 429 #else 430 /* 431 * Go through all the minors and find one that isn't in use. 432 */ 433 do { 434 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++); 435 /* 436 * Initially try a read/write open (to allow the inject 437 * method to work). If that fails due to permission 438 * issues, fall back to read-only. This allows a 439 * non-root user to be granted specific access to pcap 440 * capabilities via file permissions. 441 * 442 * XXX - we should have an API that has a flag that 443 * controls whether to open read-only or read-write, 444 * so that denial of permission to send (or inability 445 * to send, if sending packets isn't supported on 446 * the device in question) can be indicated at open 447 * time. 448 */ 449 fd = open(device, O_RDWR); 450 if (fd == -1 && errno == EACCES) 451 fd = open(device, O_RDONLY); 452 } while (fd < 0 && errno == EBUSY); 453 454 /* 455 * XXX better message for all minors used 456 */ 457 if (fd < 0) { 458 if (errno == EACCES) 459 fd = PCAP_ERROR_PERM_DENIED; 460 else 461 fd = PCAP_ERROR; 462 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s", 463 device, pcap_strerror(errno)); 464 } 465 #endif 466 467 return (fd); 468 } 469 470 #ifdef BIOCGDLTLIST 471 static int 472 get_dlt_list(int fd, int v, struct bpf_dltlist *bdlp, char *ebuf) 473 { 474 memset(bdlp, 0, sizeof(*bdlp)); 475 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) == 0) { 476 u_int i; 477 int is_ethernet; 478 479 bdlp->bfl_list = (u_int *) malloc(sizeof(u_int) * (bdlp->bfl_len + 1)); 480 if (bdlp->bfl_list == NULL) { 481 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s", 482 pcap_strerror(errno)); 483 return (PCAP_ERROR); 484 } 485 486 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) < 0) { 487 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 488 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 489 free(bdlp->bfl_list); 490 return (PCAP_ERROR); 491 } 492 493 /* 494 * OK, for real Ethernet devices, add DLT_DOCSIS to the 495 * list, so that an application can let you choose it, 496 * in case you're capturing DOCSIS traffic that a Cisco 497 * Cable Modem Termination System is putting out onto 498 * an Ethernet (it doesn't put an Ethernet header onto 499 * the wire, it puts raw DOCSIS frames out on the wire 500 * inside the low-level Ethernet framing). 501 * 502 * A "real Ethernet device" is defined here as a device 503 * that has a link-layer type of DLT_EN10MB and that has 504 * no alternate link-layer types; that's done to exclude 505 * 802.11 interfaces (which might or might not be the 506 * right thing to do, but I suspect it is - Ethernet <-> 507 * 802.11 bridges would probably badly mishandle frames 508 * that don't have Ethernet headers). 509 */ 510 if (v == DLT_EN10MB) { 511 is_ethernet = 1; 512 for (i = 0; i < bdlp->bfl_len; i++) { 513 if (bdlp->bfl_list[i] != DLT_EN10MB) { 514 is_ethernet = 0; 515 break; 516 } 517 } 518 if (is_ethernet) { 519 /* 520 * We reserved one more slot at the end of 521 * the list. 522 */ 523 bdlp->bfl_list[bdlp->bfl_len] = DLT_DOCSIS; 524 bdlp->bfl_len++; 525 } 526 } 527 } else { 528 /* 529 * EINVAL just means "we don't support this ioctl on 530 * this device"; don't treat it as an error. 531 */ 532 if (errno != EINVAL) { 533 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, 534 "BIOCGDLTLIST: %s", pcap_strerror(errno)); 535 return (PCAP_ERROR); 536 } 537 } 538 return (0); 539 } 540 #endif 541 542 static int 543 pcap_can_set_rfmon_bpf(pcap_t *p) 544 { 545 #if defined(__APPLE__) 546 struct utsname osinfo; 547 struct ifreq ifr; 548 int fd; 549 #ifdef BIOCGDLTLIST 550 struct bpf_dltlist bdl; 551 #endif 552 553 /* 554 * The joys of monitor mode on OS X. 555 * 556 * Prior to 10.4, it's not supported at all. 557 * 558 * In 10.4, if adapter enN supports monitor mode, there's a 559 * wltN adapter corresponding to it; you open it, instead of 560 * enN, to get monitor mode. You get whatever link-layer 561 * headers it supplies. 562 * 563 * In 10.5, and, we assume, later releases, if adapter enN 564 * supports monitor mode, it offers, among its selectable 565 * DLT_ values, values that let you get the 802.11 header; 566 * selecting one of those values puts the adapter into monitor 567 * mode (i.e., you can't get 802.11 headers except in monitor 568 * mode, and you can't get Ethernet headers in monitor mode). 569 */ 570 if (uname(&osinfo) == -1) { 571 /* 572 * Can't get the OS version; just say "no". 573 */ 574 return (0); 575 } 576 /* 577 * We assume osinfo.sysname is "Darwin", because 578 * __APPLE__ is defined. We just check the version. 579 */ 580 if (osinfo.release[0] < '8' && osinfo.release[1] == '.') { 581 /* 582 * 10.3 (Darwin 7.x) or earlier. 583 * Monitor mode not supported. 584 */ 585 return (0); 586 } 587 if (osinfo.release[0] == '8' && osinfo.release[1] == '.') { 588 /* 589 * 10.4 (Darwin 8.x). s/en/wlt/, and check 590 * whether the device exists. 591 */ 592 if (strncmp(p->opt.source, "en", 2) != 0) { 593 /* 594 * Not an enN device; no monitor mode. 595 */ 596 return (0); 597 } 598 fd = socket(AF_INET, SOCK_DGRAM, 0); 599 if (fd == -1) { 600 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 601 "socket: %s", pcap_strerror(errno)); 602 return (PCAP_ERROR); 603 } 604 strlcpy(ifr.ifr_name, "wlt", sizeof(ifr.ifr_name)); 605 strlcat(ifr.ifr_name, p->opt.source + 2, sizeof(ifr.ifr_name)); 606 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) { 607 /* 608 * No such device? 609 */ 610 close(fd); 611 return (0); 612 } 613 close(fd); 614 return (1); 615 } 616 617 #ifdef BIOCGDLTLIST 618 /* 619 * Everything else is 10.5 or later; for those, 620 * we just open the enN device, and check whether 621 * we have any 802.11 devices. 622 * 623 * First, open a BPF device. 624 */ 625 fd = bpf_open(p); 626 if (fd < 0) 627 return (fd); 628 629 /* 630 * Now bind to the device. 631 */ 632 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name)); 633 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 634 if (errno == ENETDOWN) { 635 /* 636 * Return a "network down" indication, so that 637 * the application can report that rather than 638 * saying we had a mysterious failure and 639 * suggest that they report a problem to the 640 * libpcap developers. 641 */ 642 close(fd); 643 return (PCAP_ERROR_IFACE_NOT_UP); 644 } else { 645 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 646 "BIOCSETIF: %s: %s", 647 p->opt.source, pcap_strerror(errno)); 648 close(fd); 649 return (PCAP_ERROR); 650 } 651 } 652 653 /* 654 * We know the default link type -- now determine all the DLTs 655 * this interface supports. If this fails with EINVAL, it's 656 * not fatal; we just don't get to use the feature later. 657 * (We don't care about DLT_DOCSIS, so we pass DLT_NULL 658 * as the default DLT for this adapter.) 659 */ 660 if (get_dlt_list(fd, DLT_NULL, &bdl, p->errbuf) == PCAP_ERROR) { 661 close(fd); 662 return (PCAP_ERROR); 663 } 664 if (find_802_11(&bdl) != -1) { 665 /* 666 * We have an 802.11 DLT, so we can set monitor mode. 667 */ 668 free(bdl.bfl_list); 669 close(fd); 670 return (1); 671 } 672 free(bdl.bfl_list); 673 #endif /* BIOCGDLTLIST */ 674 return (0); 675 #elif defined(HAVE_BSD_IEEE80211) 676 int ret; 677 678 ret = monitor_mode(p, 0); 679 if (ret == PCAP_ERROR_RFMON_NOTSUP) 680 return (0); /* not an error, just a "can't do" */ 681 if (ret == 0) 682 return (1); /* success */ 683 return (ret); 684 #else 685 return (0); 686 #endif 687 } 688 689 static int 690 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps) 691 { 692 struct bpf_stat s; 693 694 /* 695 * "ps_recv" counts packets handed to the filter, not packets 696 * that passed the filter. This includes packets later dropped 697 * because we ran out of buffer space. 698 * 699 * "ps_drop" counts packets dropped inside the BPF device 700 * because we ran out of buffer space. It doesn't count 701 * packets dropped by the interface driver. It counts 702 * only packets that passed the filter. 703 * 704 * Both statistics include packets not yet read from the kernel 705 * by libpcap, and thus not yet seen by the application. 706 */ 707 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) { 708 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s", 709 pcap_strerror(errno)); 710 return (PCAP_ERROR); 711 } 712 713 ps->ps_recv = s.bs_recv; 714 ps->ps_drop = s.bs_drop; 715 return (0); 716 } 717 718 static int 719 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 720 { 721 int cc; 722 int n = 0; 723 register u_char *bp, *ep; 724 u_char *datap; 725 #ifdef PCAP_FDDIPAD 726 register int pad; 727 #endif 728 #ifdef HAVE_ZEROCOPY_BPF 729 int i; 730 #endif 731 732 again: 733 /* 734 * Has "pcap_breakloop()" been called? 735 */ 736 if (p->break_loop) { 737 /* 738 * Yes - clear the flag that indicates that it 739 * has, and return PCAP_ERROR_BREAK to indicate 740 * that we were told to break out of the loop. 741 */ 742 p->break_loop = 0; 743 return (PCAP_ERROR_BREAK); 744 } 745 cc = p->cc; 746 if (p->cc == 0) { 747 /* 748 * When reading without zero-copy from a file descriptor, we 749 * use a single buffer and return a length of data in the 750 * buffer. With zero-copy, we update the p->buffer pointer 751 * to point at whatever underlying buffer contains the next 752 * data and update cc to reflect the data found in the 753 * buffer. 754 */ 755 #ifdef HAVE_ZEROCOPY_BPF 756 if (p->md.zerocopy) { 757 if (p->buffer != NULL) 758 pcap_ack_zbuf(p); 759 i = pcap_next_zbuf(p, &cc); 760 if (i == 0) 761 goto again; 762 if (i < 0) 763 return (PCAP_ERROR); 764 } else 765 #endif 766 { 767 cc = read(p->fd, (char *)p->buffer, p->bufsize); 768 } 769 if (cc < 0) { 770 /* Don't choke when we get ptraced */ 771 switch (errno) { 772 773 case EINTR: 774 goto again; 775 776 #ifdef _AIX 777 case EFAULT: 778 /* 779 * Sigh. More AIX wonderfulness. 780 * 781 * For some unknown reason the uiomove() 782 * operation in the bpf kernel extension 783 * used to copy the buffer into user 784 * space sometimes returns EFAULT. I have 785 * no idea why this is the case given that 786 * a kernel debugger shows the user buffer 787 * is correct. This problem appears to 788 * be mostly mitigated by the memset of 789 * the buffer before it is first used. 790 * Very strange.... Shaun Clowes 791 * 792 * In any case this means that we shouldn't 793 * treat EFAULT as a fatal error; as we 794 * don't have an API for returning 795 * a "some packets were dropped since 796 * the last packet you saw" indication, 797 * we just ignore EFAULT and keep reading. 798 */ 799 goto again; 800 #endif 801 802 case EWOULDBLOCK: 803 return (0); 804 #if defined(sun) && !defined(BSD) 805 /* 806 * Due to a SunOS bug, after 2^31 bytes, the kernel 807 * file offset overflows and read fails with EINVAL. 808 * The lseek() to 0 will fix things. 809 */ 810 case EINVAL: 811 if (lseek(p->fd, 0L, SEEK_CUR) + 812 p->bufsize < 0) { 813 (void)lseek(p->fd, 0L, SEEK_SET); 814 goto again; 815 } 816 /* fall through */ 817 #endif 818 } 819 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s", 820 pcap_strerror(errno)); 821 return (PCAP_ERROR); 822 } 823 bp = p->buffer; 824 } else 825 bp = p->bp; 826 827 /* 828 * Loop through each packet. 829 */ 830 #define bhp ((struct bpf_hdr *)bp) 831 ep = bp + cc; 832 #ifdef PCAP_FDDIPAD 833 pad = p->fddipad; 834 #endif 835 while (bp < ep) { 836 register int caplen, hdrlen; 837 838 /* 839 * Has "pcap_breakloop()" been called? 840 * If so, return immediately - if we haven't read any 841 * packets, clear the flag and return PCAP_ERROR_BREAK 842 * to indicate that we were told to break out of the loop, 843 * otherwise leave the flag set, so that the *next* call 844 * will break out of the loop without having read any 845 * packets, and return the number of packets we've 846 * processed so far. 847 */ 848 if (p->break_loop) { 849 if (n == 0) { 850 p->break_loop = 0; 851 return (PCAP_ERROR_BREAK); 852 } else { 853 p->bp = bp; 854 p->cc = ep - bp; 855 return (n); 856 } 857 } 858 859 caplen = bhp->bh_caplen; 860 hdrlen = bhp->bh_hdrlen; 861 datap = bp + hdrlen; 862 /* 863 * Short-circuit evaluation: if using BPF filter 864 * in kernel, no need to do it now - we already know 865 * the packet passed the filter. 866 * 867 #ifdef PCAP_FDDIPAD 868 * Note: the filter code was generated assuming 869 * that p->fddipad was the amount of padding 870 * before the header, as that's what's required 871 * in the kernel, so we run the filter before 872 * skipping that padding. 873 #endif 874 */ 875 if (p->md.use_bpf || 876 bpf_filter(p->fcode.bf_insns, datap, bhp->bh_datalen, caplen)) { 877 struct pcap_pkthdr pkthdr; 878 879 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec; 880 #ifdef _AIX 881 /* 882 * AIX's BPF returns seconds/nanoseconds time 883 * stamps, not seconds/microseconds time stamps. 884 */ 885 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000; 886 #else 887 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec; 888 #endif 889 #ifdef PCAP_FDDIPAD 890 if (caplen > pad) 891 pkthdr.caplen = caplen - pad; 892 else 893 pkthdr.caplen = 0; 894 if (bhp->bh_datalen > pad) 895 pkthdr.len = bhp->bh_datalen - pad; 896 else 897 pkthdr.len = 0; 898 datap += pad; 899 #else 900 pkthdr.caplen = caplen; 901 pkthdr.len = bhp->bh_datalen; 902 #endif 903 (*callback)(user, &pkthdr, datap); 904 bp += BPF_WORDALIGN(caplen + hdrlen); 905 if (++n >= cnt && cnt > 0) { 906 p->bp = bp; 907 p->cc = ep - bp; 908 return (n); 909 } 910 } else { 911 /* 912 * Skip this packet. 913 */ 914 bp += BPF_WORDALIGN(caplen + hdrlen); 915 } 916 } 917 #undef bhp 918 p->cc = 0; 919 return (n); 920 } 921 922 static int 923 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size) 924 { 925 int ret; 926 927 ret = write(p->fd, buf, size); 928 #ifdef __APPLE__ 929 if (ret == -1 && errno == EAFNOSUPPORT) { 930 /* 931 * In Mac OS X, there's a bug wherein setting the 932 * BIOCSHDRCMPLT flag causes writes to fail; see, 933 * for example: 934 * 935 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch 936 * 937 * So, if, on OS X, we get EAFNOSUPPORT from the write, we 938 * assume it's due to that bug, and turn off that flag 939 * and try again. If we succeed, it either means that 940 * somebody applied the fix from that URL, or other patches 941 * for that bug from 942 * 943 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/ 944 * 945 * and are running a Darwin kernel with those fixes, or 946 * that Apple fixed the problem in some OS X release. 947 */ 948 u_int spoof_eth_src = 0; 949 950 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 951 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 952 "send: can't turn off BIOCSHDRCMPLT: %s", 953 pcap_strerror(errno)); 954 return (PCAP_ERROR); 955 } 956 957 /* 958 * Now try the write again. 959 */ 960 ret = write(p->fd, buf, size); 961 } 962 #endif /* __APPLE__ */ 963 if (ret == -1) { 964 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s", 965 pcap_strerror(errno)); 966 return (PCAP_ERROR); 967 } 968 return (ret); 969 } 970 971 #ifdef _AIX 972 static int 973 bpf_odminit(char *errbuf) 974 { 975 char *errstr; 976 977 if (odm_initialize() == -1) { 978 if (odm_err_msg(odmerrno, &errstr) == -1) 979 errstr = "Unknown error"; 980 snprintf(errbuf, PCAP_ERRBUF_SIZE, 981 "bpf_load: odm_initialize failed: %s", 982 errstr); 983 return (PCAP_ERROR); 984 } 985 986 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) { 987 if (odm_err_msg(odmerrno, &errstr) == -1) 988 errstr = "Unknown error"; 989 snprintf(errbuf, PCAP_ERRBUF_SIZE, 990 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s", 991 errstr); 992 return (PCAP_ERROR); 993 } 994 995 return (0); 996 } 997 998 static int 999 bpf_odmcleanup(char *errbuf) 1000 { 1001 char *errstr; 1002 1003 if (odm_unlock(odmlockid) == -1) { 1004 if (odm_err_msg(odmerrno, &errstr) == -1) 1005 errstr = "Unknown error"; 1006 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1007 "bpf_load: odm_unlock failed: %s", 1008 errstr); 1009 return (PCAP_ERROR); 1010 } 1011 1012 if (odm_terminate() == -1) { 1013 if (odm_err_msg(odmerrno, &errstr) == -1) 1014 errstr = "Unknown error"; 1015 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1016 "bpf_load: odm_terminate failed: %s", 1017 errstr); 1018 return (PCAP_ERROR); 1019 } 1020 1021 return (0); 1022 } 1023 1024 static int 1025 bpf_load(char *errbuf) 1026 { 1027 long major; 1028 int *minors; 1029 int numminors, i, rc; 1030 char buf[1024]; 1031 struct stat sbuf; 1032 struct bpf_config cfg_bpf; 1033 struct cfg_load cfg_ld; 1034 struct cfg_kmod cfg_km; 1035 1036 /* 1037 * This is very very close to what happens in the real implementation 1038 * but I've fixed some (unlikely) bug situations. 1039 */ 1040 if (bpfloadedflag) 1041 return (0); 1042 1043 if (bpf_odminit(errbuf) == PCAP_ERROR) 1044 return (PCAP_ERROR); 1045 1046 major = genmajor(BPF_NAME); 1047 if (major == -1) { 1048 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1049 "bpf_load: genmajor failed: %s", pcap_strerror(errno)); 1050 return (PCAP_ERROR); 1051 } 1052 1053 minors = getminor(major, &numminors, BPF_NAME); 1054 if (!minors) { 1055 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1); 1056 if (!minors) { 1057 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1058 "bpf_load: genminor failed: %s", 1059 pcap_strerror(errno)); 1060 return (PCAP_ERROR); 1061 } 1062 } 1063 1064 if (bpf_odmcleanup(errbuf) == PCAP_ERROR) 1065 return (PCAP_ERROR); 1066 1067 rc = stat(BPF_NODE "0", &sbuf); 1068 if (rc == -1 && errno != ENOENT) { 1069 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1070 "bpf_load: can't stat %s: %s", 1071 BPF_NODE "0", pcap_strerror(errno)); 1072 return (PCAP_ERROR); 1073 } 1074 1075 if (rc == -1 || getmajor(sbuf.st_rdev) != major) { 1076 for (i = 0; i < BPF_MINORS; i++) { 1077 sprintf(buf, "%s%d", BPF_NODE, i); 1078 unlink(buf); 1079 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) { 1080 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1081 "bpf_load: can't mknod %s: %s", 1082 buf, pcap_strerror(errno)); 1083 return (PCAP_ERROR); 1084 } 1085 } 1086 } 1087 1088 /* Check if the driver is loaded */ 1089 memset(&cfg_ld, 0x0, sizeof(cfg_ld)); 1090 cfg_ld.path = buf; 1091 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME); 1092 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) || 1093 (cfg_ld.kmid == 0)) { 1094 /* Driver isn't loaded, load it now */ 1095 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) { 1096 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1097 "bpf_load: could not load driver: %s", 1098 strerror(errno)); 1099 return (PCAP_ERROR); 1100 } 1101 } 1102 1103 /* Configure the driver */ 1104 cfg_km.cmd = CFG_INIT; 1105 cfg_km.kmid = cfg_ld.kmid; 1106 cfg_km.mdilen = sizeof(cfg_bpf); 1107 cfg_km.mdiptr = (void *)&cfg_bpf; 1108 for (i = 0; i < BPF_MINORS; i++) { 1109 cfg_bpf.devno = domakedev(major, i); 1110 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) { 1111 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1112 "bpf_load: could not configure driver: %s", 1113 strerror(errno)); 1114 return (PCAP_ERROR); 1115 } 1116 } 1117 1118 bpfloadedflag = 1; 1119 1120 return (0); 1121 } 1122 #endif 1123 1124 /* 1125 * Turn off rfmon mode if necessary. 1126 */ 1127 static void 1128 pcap_cleanup_bpf(pcap_t *p) 1129 { 1130 #ifdef HAVE_BSD_IEEE80211 1131 int sock; 1132 struct ifmediareq req; 1133 struct ifreq ifr; 1134 #endif 1135 1136 if (p->md.must_clear != 0) { 1137 /* 1138 * There's something we have to do when closing this 1139 * pcap_t. 1140 */ 1141 #ifdef HAVE_BSD_IEEE80211 1142 if (p->md.must_clear & MUST_CLEAR_RFMON) { 1143 /* 1144 * We put the interface into rfmon mode; 1145 * take it out of rfmon mode. 1146 * 1147 * XXX - if somebody else wants it in rfmon 1148 * mode, this code cannot know that, so it'll take 1149 * it out of rfmon mode. 1150 */ 1151 sock = socket(AF_INET, SOCK_DGRAM, 0); 1152 if (sock == -1) { 1153 fprintf(stderr, 1154 "Can't restore interface flags (socket() failed: %s).\n" 1155 "Please adjust manually.\n", 1156 strerror(errno)); 1157 } else { 1158 memset(&req, 0, sizeof(req)); 1159 strncpy(req.ifm_name, p->md.device, 1160 sizeof(req.ifm_name)); 1161 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 1162 fprintf(stderr, 1163 "Can't restore interface flags (SIOCGIFMEDIA failed: %s).\n" 1164 "Please adjust manually.\n", 1165 strerror(errno)); 1166 } else { 1167 if (req.ifm_current & IFM_IEEE80211_MONITOR) { 1168 /* 1169 * Rfmon mode is currently on; 1170 * turn it off. 1171 */ 1172 memset(&ifr, 0, sizeof(ifr)); 1173 (void)strncpy(ifr.ifr_name, 1174 p->md.device, 1175 sizeof(ifr.ifr_name)); 1176 ifr.ifr_media = 1177 req.ifm_current & ~IFM_IEEE80211_MONITOR; 1178 if (ioctl(sock, SIOCSIFMEDIA, 1179 &ifr) == -1) { 1180 fprintf(stderr, 1181 "Can't restore interface flags (SIOCSIFMEDIA failed: %s).\n" 1182 "Please adjust manually.\n", 1183 strerror(errno)); 1184 } 1185 } 1186 } 1187 close(sock); 1188 } 1189 } 1190 #endif /* HAVE_BSD_IEEE80211 */ 1191 1192 /* 1193 * Take this pcap out of the list of pcaps for which we 1194 * have to take the interface out of some mode. 1195 */ 1196 pcap_remove_from_pcaps_to_close(p); 1197 p->md.must_clear = 0; 1198 } 1199 1200 #ifdef HAVE_ZEROCOPY_BPF 1201 /* 1202 * In zero-copy mode, p->buffer is just a pointer into one of the two 1203 * memory-mapped buffers, so no need to free it. 1204 */ 1205 if (p->md.zerocopy) { 1206 if (p->md.zbuf1 != MAP_FAILED && p->md.zbuf1 != NULL) 1207 munmap(p->md.zbuf1, p->md.zbufsize); 1208 if (p->md.zbuf2 != MAP_FAILED && p->md.zbuf2 != NULL) 1209 munmap(p->md.zbuf2, p->md.zbufsize); 1210 } 1211 #endif 1212 if (p->md.device != NULL) { 1213 free(p->md.device); 1214 p->md.device = NULL; 1215 } 1216 pcap_cleanup_live_common(p); 1217 } 1218 1219 static int 1220 check_setif_failure(pcap_t *p, int error) 1221 { 1222 #ifdef __APPLE__ 1223 int fd; 1224 struct ifreq ifr; 1225 int err; 1226 #endif 1227 1228 if (error == ENXIO) { 1229 /* 1230 * No such device exists. 1231 */ 1232 #ifdef __APPLE__ 1233 if (p->opt.rfmon && strncmp(p->opt.source, "wlt", 3) == 0) { 1234 /* 1235 * Monitor mode was requested, and we're trying 1236 * to open a "wltN" device. Assume that this 1237 * is 10.4 and that we were asked to open an 1238 * "enN" device; if that device exists, return 1239 * "monitor mode not supported on the device". 1240 */ 1241 fd = socket(AF_INET, SOCK_DGRAM, 0); 1242 if (fd != -1) { 1243 strlcpy(ifr.ifr_name, "en", 1244 sizeof(ifr.ifr_name)); 1245 strlcat(ifr.ifr_name, p->opt.source + 3, 1246 sizeof(ifr.ifr_name)); 1247 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) { 1248 /* 1249 * We assume this failed because 1250 * the underlying device doesn't 1251 * exist. 1252 */ 1253 err = PCAP_ERROR_NO_SUCH_DEVICE; 1254 strcpy(p->errbuf, ""); 1255 } else { 1256 /* 1257 * The underlying "enN" device 1258 * exists, but there's no 1259 * corresponding "wltN" device; 1260 * that means that the "enN" 1261 * device doesn't support 1262 * monitor mode, probably because 1263 * it's an Ethernet device rather 1264 * than a wireless device. 1265 */ 1266 err = PCAP_ERROR_RFMON_NOTSUP; 1267 } 1268 close(fd); 1269 } else { 1270 /* 1271 * We can't find out whether there's 1272 * an underlying "enN" device, so 1273 * just report "no such device". 1274 */ 1275 err = PCAP_ERROR_NO_SUCH_DEVICE; 1276 strcpy(p->errbuf, ""); 1277 } 1278 return (err); 1279 } 1280 #endif 1281 /* 1282 * No such device. 1283 */ 1284 strcpy(p->errbuf, ""); 1285 return (PCAP_ERROR_NO_SUCH_DEVICE); 1286 } else if (errno == ENETDOWN) { 1287 /* 1288 * Return a "network down" indication, so that 1289 * the application can report that rather than 1290 * saying we had a mysterious failure and 1291 * suggest that they report a problem to the 1292 * libpcap developers. 1293 */ 1294 return (PCAP_ERROR_IFACE_NOT_UP); 1295 } else { 1296 /* 1297 * Some other error; fill in the error string, and 1298 * return PCAP_ERROR. 1299 */ 1300 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 1301 p->opt.source, pcap_strerror(errno)); 1302 return (PCAP_ERROR); 1303 } 1304 } 1305 1306 static int 1307 pcap_activate_bpf(pcap_t *p) 1308 { 1309 int status = 0; 1310 int fd; 1311 struct ifreq ifr; 1312 struct bpf_version bv; 1313 #ifdef __APPLE__ 1314 int sockfd; 1315 char *wltdev = NULL; 1316 #endif 1317 #ifdef BIOCGDLTLIST 1318 struct bpf_dltlist bdl; 1319 #if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) 1320 int new_dlt; 1321 #endif 1322 #endif /* BIOCGDLTLIST */ 1323 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 1324 u_int spoof_eth_src = 1; 1325 #endif 1326 u_int v; 1327 struct bpf_insn total_insn; 1328 struct bpf_program total_prog; 1329 struct utsname osinfo; 1330 int have_osinfo = 0; 1331 #ifdef HAVE_ZEROCOPY_BPF 1332 struct bpf_zbuf bz; 1333 u_int bufmode, zbufmax; 1334 #endif 1335 1336 fd = bpf_open(p); 1337 if (fd < 0) { 1338 status = fd; 1339 goto bad; 1340 } 1341 1342 p->fd = fd; 1343 1344 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 1345 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s", 1346 pcap_strerror(errno)); 1347 status = PCAP_ERROR; 1348 goto bad; 1349 } 1350 if (bv.bv_major != BPF_MAJOR_VERSION || 1351 bv.bv_minor < BPF_MINOR_VERSION) { 1352 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1353 "kernel bpf filter out of date"); 1354 status = PCAP_ERROR; 1355 goto bad; 1356 } 1357 1358 p->md.device = strdup(p->opt.source); 1359 if (p->md.device == NULL) { 1360 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s", 1361 pcap_strerror(errno)); 1362 status = PCAP_ERROR; 1363 goto bad; 1364 } 1365 1366 /* 1367 * Attempt to find out the version of the OS on which we're running. 1368 */ 1369 if (uname(&osinfo) == 0) 1370 have_osinfo = 1; 1371 1372 #ifdef __APPLE__ 1373 /* 1374 * See comment in pcap_can_set_rfmon_bpf() for an explanation 1375 * of why we check the version number. 1376 */ 1377 if (p->opt.rfmon) { 1378 if (have_osinfo) { 1379 /* 1380 * We assume osinfo.sysname is "Darwin", because 1381 * __APPLE__ is defined. We just check the version. 1382 */ 1383 if (osinfo.release[0] < '8' && 1384 osinfo.release[1] == '.') { 1385 /* 1386 * 10.3 (Darwin 7.x) or earlier. 1387 */ 1388 status = PCAP_ERROR_RFMON_NOTSUP; 1389 goto bad; 1390 } 1391 if (osinfo.release[0] == '8' && 1392 osinfo.release[1] == '.') { 1393 /* 1394 * 10.4 (Darwin 8.x). s/en/wlt/ 1395 */ 1396 if (strncmp(p->opt.source, "en", 2) != 0) { 1397 /* 1398 * Not an enN device; check 1399 * whether the device even exists. 1400 */ 1401 sockfd = socket(AF_INET, SOCK_DGRAM, 0); 1402 if (sockfd != -1) { 1403 strlcpy(ifr.ifr_name, 1404 p->opt.source, 1405 sizeof(ifr.ifr_name)); 1406 if (ioctl(sockfd, SIOCGIFFLAGS, 1407 (char *)&ifr) < 0) { 1408 /* 1409 * We assume this 1410 * failed because 1411 * the underlying 1412 * device doesn't 1413 * exist. 1414 */ 1415 status = PCAP_ERROR_NO_SUCH_DEVICE; 1416 strcpy(p->errbuf, ""); 1417 } else 1418 status = PCAP_ERROR_RFMON_NOTSUP; 1419 close(sockfd); 1420 } else { 1421 /* 1422 * We can't find out whether 1423 * the device exists, so just 1424 * report "no such device". 1425 */ 1426 status = PCAP_ERROR_NO_SUCH_DEVICE; 1427 strcpy(p->errbuf, ""); 1428 } 1429 goto bad; 1430 } 1431 wltdev = malloc(strlen(p->opt.source) + 2); 1432 if (wltdev == NULL) { 1433 (void)snprintf(p->errbuf, 1434 PCAP_ERRBUF_SIZE, "malloc: %s", 1435 pcap_strerror(errno)); 1436 status = PCAP_ERROR; 1437 goto bad; 1438 } 1439 strcpy(wltdev, "wlt"); 1440 strcat(wltdev, p->opt.source + 2); 1441 free(p->opt.source); 1442 p->opt.source = wltdev; 1443 } 1444 /* 1445 * Everything else is 10.5 or later; for those, 1446 * we just open the enN device, and set the DLT. 1447 */ 1448 } 1449 } 1450 #endif /* __APPLE__ */ 1451 #ifdef HAVE_ZEROCOPY_BPF 1452 /* 1453 * If the BPF extension to set buffer mode is present, try setting 1454 * the mode to zero-copy. If that fails, use regular buffering. If 1455 * it succeeds but other setup fails, return an error to the user. 1456 */ 1457 bufmode = BPF_BUFMODE_ZBUF; 1458 if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) { 1459 /* 1460 * We have zerocopy BPF; use it. 1461 */ 1462 p->md.zerocopy = 1; 1463 1464 /* 1465 * Set the cleanup and set/get nonblocking mode ops 1466 * as appropriate for zero-copy mode. 1467 */ 1468 p->cleanup_op = pcap_cleanup_zbuf; 1469 p->setnonblock_op = pcap_setnonblock_zbuf; 1470 p->getnonblock_op = pcap_getnonblock_zbuf; 1471 1472 /* 1473 * How to pick a buffer size: first, query the maximum buffer 1474 * size supported by zero-copy. This also lets us quickly 1475 * determine whether the kernel generally supports zero-copy. 1476 * Then, if a buffer size was specified, use that, otherwise 1477 * query the default buffer size, which reflects kernel 1478 * policy for a desired default. Round to the nearest page 1479 * size. 1480 */ 1481 if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) { 1482 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGETZMAX: %s", 1483 pcap_strerror(errno)); 1484 goto bad; 1485 } 1486 1487 if (p->opt.buffer_size != 0) { 1488 /* 1489 * A buffer size was explicitly specified; use it. 1490 */ 1491 v = p->opt.buffer_size; 1492 } else { 1493 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || 1494 v < 32768) 1495 v = 32768; 1496 } 1497 #ifndef roundup 1498 #define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */ 1499 #endif 1500 p->md.zbufsize = roundup(v, getpagesize()); 1501 if (p->md.zbufsize > zbufmax) 1502 p->md.zbufsize = zbufmax; 1503 p->md.zbuf1 = mmap(NULL, p->md.zbufsize, PROT_READ | PROT_WRITE, 1504 MAP_ANON, -1, 0); 1505 p->md.zbuf2 = mmap(NULL, p->md.zbufsize, PROT_READ | PROT_WRITE, 1506 MAP_ANON, -1, 0); 1507 if (p->md.zbuf1 == MAP_FAILED || p->md.zbuf2 == MAP_FAILED) { 1508 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "mmap: %s", 1509 pcap_strerror(errno)); 1510 goto bad; 1511 } 1512 bzero(&bz, sizeof(bz)); 1513 bz.bz_bufa = p->md.zbuf1; 1514 bz.bz_bufb = p->md.zbuf2; 1515 bz.bz_buflen = p->md.zbufsize; 1516 if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) { 1517 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETZBUF: %s", 1518 pcap_strerror(errno)); 1519 goto bad; 1520 } 1521 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name)); 1522 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 1523 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s", 1524 p->opt.source, pcap_strerror(errno)); 1525 goto bad; 1526 } 1527 v = p->md.zbufsize - sizeof(struct bpf_zbuf_header); 1528 } else 1529 #endif 1530 { 1531 /* 1532 * We don't have zerocopy BPF. 1533 * Set the buffer size. 1534 */ 1535 if (p->opt.buffer_size != 0) { 1536 /* 1537 * A buffer size was explicitly specified; use it. 1538 */ 1539 if (ioctl(fd, BIOCSBLEN, 1540 (caddr_t)&p->opt.buffer_size) < 0) { 1541 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1542 "BIOCSBLEN: %s: %s", p->opt.source, 1543 pcap_strerror(errno)); 1544 status = PCAP_ERROR; 1545 goto bad; 1546 } 1547 1548 /* 1549 * Now bind to the device. 1550 */ 1551 (void)strncpy(ifr.ifr_name, p->opt.source, 1552 sizeof(ifr.ifr_name)); 1553 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) { 1554 status = check_setif_failure(p, errno); 1555 goto bad; 1556 } 1557 } else { 1558 /* 1559 * No buffer size was explicitly specified. 1560 * 1561 * Try finding a good size for the buffer; 32768 may 1562 * be too big, so keep cutting it in half until we 1563 * find a size that works, or run out of sizes to try. 1564 * If the default is larger, don't make it smaller. 1565 */ 1566 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || 1567 v < 32768) 1568 v = 32768; 1569 for ( ; v != 0; v >>= 1) { 1570 /* 1571 * Ignore the return value - this is because the 1572 * call fails on BPF systems that don't have 1573 * kernel malloc. And if the call fails, it's 1574 * no big deal, we just continue to use the 1575 * standard buffer size. 1576 */ 1577 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); 1578 1579 (void)strncpy(ifr.ifr_name, p->opt.source, 1580 sizeof(ifr.ifr_name)); 1581 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0) 1582 break; /* that size worked; we're done */ 1583 1584 if (errno != ENOBUFS) { 1585 status = check_setif_failure(p, errno); 1586 goto bad; 1587 } 1588 } 1589 1590 if (v == 0) { 1591 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1592 "BIOCSBLEN: %s: No buffer size worked", 1593 p->opt.source); 1594 status = PCAP_ERROR; 1595 goto bad; 1596 } 1597 } 1598 } 1599 1600 /* Get the data link layer type. */ 1601 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) { 1602 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s", 1603 pcap_strerror(errno)); 1604 status = PCAP_ERROR; 1605 goto bad; 1606 } 1607 1608 #ifdef _AIX 1609 /* 1610 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT. 1611 */ 1612 switch (v) { 1613 1614 case IFT_ETHER: 1615 case IFT_ISO88023: 1616 v = DLT_EN10MB; 1617 break; 1618 1619 case IFT_FDDI: 1620 v = DLT_FDDI; 1621 break; 1622 1623 case IFT_ISO88025: 1624 v = DLT_IEEE802; 1625 break; 1626 1627 case IFT_LOOP: 1628 v = DLT_NULL; 1629 break; 1630 1631 default: 1632 /* 1633 * We don't know what to map this to yet. 1634 */ 1635 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "unknown interface type %u", 1636 v); 1637 status = PCAP_ERROR; 1638 goto bad; 1639 } 1640 #endif 1641 #if _BSDI_VERSION - 0 >= 199510 1642 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */ 1643 switch (v) { 1644 1645 case DLT_SLIP: 1646 v = DLT_SLIP_BSDOS; 1647 break; 1648 1649 case DLT_PPP: 1650 v = DLT_PPP_BSDOS; 1651 break; 1652 1653 case 11: /*DLT_FR*/ 1654 v = DLT_FRELAY; 1655 break; 1656 1657 case 12: /*DLT_C_HDLC*/ 1658 v = DLT_CHDLC; 1659 break; 1660 } 1661 #endif 1662 1663 #ifdef BIOCGDLTLIST 1664 /* 1665 * We know the default link type -- now determine all the DLTs 1666 * this interface supports. If this fails with EINVAL, it's 1667 * not fatal; we just don't get to use the feature later. 1668 */ 1669 if (get_dlt_list(fd, v, &bdl, p->errbuf) == -1) { 1670 status = PCAP_ERROR; 1671 goto bad; 1672 } 1673 p->dlt_count = bdl.bfl_len; 1674 p->dlt_list = bdl.bfl_list; 1675 1676 #ifdef __APPLE__ 1677 /* 1678 * Monitor mode fun, continued. 1679 * 1680 * For 10.5 and, we're assuming, later releases, as noted above, 1681 * 802.1 adapters that support monitor mode offer both DLT_EN10MB, 1682 * DLT_IEEE802_11, and possibly some 802.11-plus-radio-information 1683 * DLT_ value. Choosing one of the 802.11 DLT_ values will turn 1684 * monitor mode on. 1685 * 1686 * Therefore, if the user asked for monitor mode, we filter out 1687 * the DLT_EN10MB value, as you can't get that in monitor mode, 1688 * and, if the user didn't ask for monitor mode, we filter out 1689 * the 802.11 DLT_ values, because selecting those will turn 1690 * monitor mode on. Then, for monitor mode, if an 802.11-plus- 1691 * radio DLT_ value is offered, we try to select that, otherwise 1692 * we try to select DLT_IEEE802_11. 1693 */ 1694 if (have_osinfo) { 1695 if (isdigit((unsigned)osinfo.release[0]) && 1696 (osinfo.release[0] == '9' || 1697 isdigit((unsigned)osinfo.release[1]))) { 1698 /* 1699 * 10.5 (Darwin 9.x), or later. 1700 */ 1701 new_dlt = find_802_11(&bdl); 1702 if (new_dlt != -1) { 1703 /* 1704 * We have at least one 802.11 DLT_ value, 1705 * so this is an 802.11 interface. 1706 * new_dlt is the best of the 802.11 1707 * DLT_ values in the list. 1708 */ 1709 if (p->opt.rfmon) { 1710 /* 1711 * Our caller wants monitor mode. 1712 * Purge DLT_EN10MB from the list 1713 * of link-layer types, as selecting 1714 * it will keep monitor mode off. 1715 */ 1716 remove_en(p); 1717 1718 /* 1719 * If the new mode we want isn't 1720 * the default mode, attempt to 1721 * select the new mode. 1722 */ 1723 if (new_dlt != v) { 1724 if (ioctl(p->fd, BIOCSDLT, 1725 &new_dlt) != -1) { 1726 /* 1727 * We succeeded; 1728 * make this the 1729 * new DLT_ value. 1730 */ 1731 v = new_dlt; 1732 } 1733 } 1734 } else { 1735 /* 1736 * Our caller doesn't want 1737 * monitor mode. Unless this 1738 * is being done by pcap_open_live(), 1739 * purge the 802.11 link-layer types 1740 * from the list, as selecting 1741 * one of them will turn monitor 1742 * mode on. 1743 */ 1744 if (!p->oldstyle) 1745 remove_802_11(p); 1746 } 1747 } else { 1748 if (p->opt.rfmon) { 1749 /* 1750 * The caller requested monitor 1751 * mode, but we have no 802.11 1752 * link-layer types, so they 1753 * can't have it. 1754 */ 1755 status = PCAP_ERROR_RFMON_NOTSUP; 1756 goto bad; 1757 } 1758 } 1759 } 1760 } 1761 #elif defined(HAVE_BSD_IEEE80211) 1762 /* 1763 * *BSD with the new 802.11 ioctls. 1764 * Do we want monitor mode? 1765 */ 1766 if (p->opt.rfmon) { 1767 /* 1768 * Try to put the interface into monitor mode. 1769 */ 1770 status = monitor_mode(p, 1); 1771 if (status != 0) { 1772 /* 1773 * We failed. 1774 */ 1775 goto bad; 1776 } 1777 1778 /* 1779 * We're in monitor mode. 1780 * Try to find the best 802.11 DLT_ value and, if we 1781 * succeed, try to switch to that mode if we're not 1782 * already in that mode. 1783 */ 1784 new_dlt = find_802_11(&bdl); 1785 if (new_dlt != -1) { 1786 /* 1787 * We have at least one 802.11 DLT_ value. 1788 * new_dlt is the best of the 802.11 1789 * DLT_ values in the list. 1790 * 1791 * If the new mode we want isn't the default mode, 1792 * attempt to select the new mode. 1793 */ 1794 if (new_dlt != v) { 1795 if (ioctl(p->fd, BIOCSDLT, &new_dlt) != -1) { 1796 /* 1797 * We succeeded; make this the 1798 * new DLT_ value. 1799 */ 1800 v = new_dlt; 1801 } 1802 } 1803 } 1804 } 1805 #endif /* various platforms */ 1806 #endif /* BIOCGDLTLIST */ 1807 1808 /* 1809 * If this is an Ethernet device, and we don't have a DLT_ list, 1810 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give 1811 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to 1812 * do, but there's not much we can do about that without finding 1813 * some other way of determining whether it's an Ethernet or 802.11 1814 * device.) 1815 */ 1816 if (v == DLT_EN10MB && p->dlt_count == 0) { 1817 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 1818 /* 1819 * If that fails, just leave the list empty. 1820 */ 1821 if (p->dlt_list != NULL) { 1822 p->dlt_list[0] = DLT_EN10MB; 1823 p->dlt_list[1] = DLT_DOCSIS; 1824 p->dlt_count = 2; 1825 } 1826 } 1827 #ifdef PCAP_FDDIPAD 1828 if (v == DLT_FDDI) 1829 p->fddipad = PCAP_FDDIPAD; 1830 else 1831 p->fddipad = 0; 1832 #endif 1833 p->linktype = v; 1834 1835 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 1836 /* 1837 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so 1838 * the link-layer source address isn't forcibly overwritten. 1839 * (Should we ignore errors? Should we do this only if 1840 * we're open for writing?) 1841 * 1842 * XXX - I seem to remember some packet-sending bug in some 1843 * BSDs - check CVS log for "bpf.c"? 1844 */ 1845 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 1846 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1847 "BIOCSHDRCMPLT: %s", pcap_strerror(errno)); 1848 status = PCAP_ERROR; 1849 goto bad; 1850 } 1851 #endif 1852 /* set timeout */ 1853 #ifdef HAVE_ZEROCOPY_BPF 1854 if (p->md.timeout != 0 && !p->md.zerocopy) { 1855 #else 1856 if (p->md.timeout) { 1857 #endif 1858 /* 1859 * XXX - is this seconds/nanoseconds in AIX? 1860 * (Treating it as such doesn't fix the timeout 1861 * problem described below.) 1862 */ 1863 struct timeval to; 1864 to.tv_sec = p->md.timeout / 1000; 1865 to.tv_usec = (p->md.timeout * 1000) % 1000000; 1866 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) { 1867 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s", 1868 pcap_strerror(errno)); 1869 status = PCAP_ERROR; 1870 goto bad; 1871 } 1872 } 1873 1874 #ifdef _AIX 1875 #ifdef BIOCIMMEDIATE 1876 /* 1877 * Darren Reed notes that 1878 * 1879 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the 1880 * timeout appears to be ignored and it waits until the buffer 1881 * is filled before returning. The result of not having it 1882 * set is almost worse than useless if your BPF filter 1883 * is reducing things to only a few packets (i.e. one every 1884 * second or so). 1885 * 1886 * so we turn BIOCIMMEDIATE mode on if this is AIX. 1887 * 1888 * We don't turn it on for other platforms, as that means we 1889 * get woken up for every packet, which may not be what we want; 1890 * in the Winter 1993 USENIX paper on BPF, they say: 1891 * 1892 * Since a process might want to look at every packet on a 1893 * network and the time between packets can be only a few 1894 * microseconds, it is not possible to do a read system call 1895 * per packet and BPF must collect the data from several 1896 * packets and return it as a unit when the monitoring 1897 * application does a read. 1898 * 1899 * which I infer is the reason for the timeout - it means we 1900 * wait that amount of time, in the hopes that more packets 1901 * will arrive and we'll get them all with one read. 1902 * 1903 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other 1904 * BSDs) causes the timeout to be ignored. 1905 * 1906 * On the other hand, some platforms (e.g., Linux) don't support 1907 * timeouts, they just hand stuff to you as soon as it arrives; 1908 * if that doesn't cause a problem on those platforms, it may 1909 * be OK to have BIOCIMMEDIATE mode on BSD as well. 1910 * 1911 * (Note, though, that applications may depend on the read 1912 * completing, even if no packets have arrived, when the timeout 1913 * expires, e.g. GUI applications that have to check for input 1914 * while waiting for packets to arrive; a non-zero timeout 1915 * prevents "select()" from working right on FreeBSD and 1916 * possibly other BSDs, as the timer doesn't start until a 1917 * "read()" is done, so the timer isn't in effect if the 1918 * application is blocked on a "select()", and the "select()" 1919 * doesn't get woken up for a BPF device until the buffer 1920 * fills up.) 1921 */ 1922 v = 1; 1923 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) { 1924 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s", 1925 pcap_strerror(errno)); 1926 status = PCAP_ERROR; 1927 goto bad; 1928 } 1929 #endif /* BIOCIMMEDIATE */ 1930 #endif /* _AIX */ 1931 1932 if (p->opt.promisc) { 1933 /* set promiscuous mode, just warn if it fails */ 1934 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) { 1935 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s", 1936 pcap_strerror(errno)); 1937 status = PCAP_WARNING_PROMISC_NOTSUP; 1938 } 1939 } 1940 1941 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) { 1942 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s", 1943 pcap_strerror(errno)); 1944 status = PCAP_ERROR; 1945 goto bad; 1946 } 1947 p->bufsize = v; 1948 #ifdef HAVE_ZEROCOPY_BPF 1949 if (!p->md.zerocopy) { 1950 #endif 1951 p->buffer = (u_char *)malloc(p->bufsize); 1952 if (p->buffer == NULL) { 1953 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", 1954 pcap_strerror(errno)); 1955 status = PCAP_ERROR; 1956 goto bad; 1957 } 1958 #ifdef _AIX 1959 /* For some strange reason this seems to prevent the EFAULT 1960 * problems we have experienced from AIX BPF. */ 1961 memset(p->buffer, 0x0, p->bufsize); 1962 #endif 1963 #ifdef HAVE_ZEROCOPY_BPF 1964 } 1965 #endif 1966 1967 /* 1968 * If there's no filter program installed, there's 1969 * no indication to the kernel of what the snapshot 1970 * length should be, so no snapshotting is done. 1971 * 1972 * Therefore, when we open the device, we install 1973 * an "accept everything" filter with the specified 1974 * snapshot length. 1975 */ 1976 total_insn.code = (u_short)(BPF_RET | BPF_K); 1977 total_insn.jt = 0; 1978 total_insn.jf = 0; 1979 total_insn.k = p->snapshot; 1980 1981 total_prog.bf_len = 1; 1982 total_prog.bf_insns = &total_insn; 1983 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) { 1984 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 1985 pcap_strerror(errno)); 1986 status = PCAP_ERROR; 1987 goto bad; 1988 } 1989 1990 /* 1991 * On most BPF platforms, either you can do a "select()" or 1992 * "poll()" on a BPF file descriptor and it works correctly, 1993 * or you can do it and it will return "readable" if the 1994 * hold buffer is full but not if the timeout expires *and* 1995 * a non-blocking read will, if the hold buffer is empty 1996 * but the store buffer isn't empty, rotate the buffers 1997 * and return what packets are available. 1998 * 1999 * In the latter case, the fact that a non-blocking read 2000 * will give you the available packets means you can work 2001 * around the failure of "select()" and "poll()" to wake up 2002 * and return "readable" when the timeout expires by using 2003 * the timeout as the "select()" or "poll()" timeout, putting 2004 * the BPF descriptor into non-blocking mode, and read from 2005 * it regardless of whether "select()" reports it as readable 2006 * or not. 2007 * 2008 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()" 2009 * won't wake up and return "readable" if the timer expires 2010 * and non-blocking reads return EWOULDBLOCK if the hold 2011 * buffer is empty, even if the store buffer is non-empty. 2012 * 2013 * This means the workaround in question won't work. 2014 * 2015 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd" 2016 * to -1, which means "sorry, you can't use 'select()' or 'poll()' 2017 * here". On all other BPF platforms, we set it to the FD for 2018 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking 2019 * read will, if the hold buffer is empty and the store buffer 2020 * isn't empty, rotate the buffers and return what packets are 2021 * there (and in sufficiently recent versions of OpenBSD 2022 * "select()" and "poll()" should work correctly). 2023 * 2024 * XXX - what about AIX? 2025 */ 2026 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */ 2027 if (have_osinfo) { 2028 /* 2029 * We can check what OS this is. 2030 */ 2031 if (strcmp(osinfo.sysname, "FreeBSD") == 0) { 2032 if (strncmp(osinfo.release, "4.3-", 4) == 0 || 2033 strncmp(osinfo.release, "4.4-", 4) == 0) 2034 p->selectable_fd = -1; 2035 } 2036 } 2037 2038 p->read_op = pcap_read_bpf; 2039 p->inject_op = pcap_inject_bpf; 2040 p->setfilter_op = pcap_setfilter_bpf; 2041 p->setdirection_op = pcap_setdirection_bpf; 2042 p->set_datalink_op = pcap_set_datalink_bpf; 2043 p->getnonblock_op = pcap_getnonblock_fd; 2044 p->setnonblock_op = pcap_setnonblock_fd; 2045 p->stats_op = pcap_stats_bpf; 2046 p->cleanup_op = pcap_cleanup_bpf; 2047 2048 return (status); 2049 bad: 2050 pcap_cleanup_bpf(p); 2051 return (status); 2052 } 2053 2054 int 2055 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf) 2056 { 2057 #ifdef HAVE_DAG_API 2058 if (dag_platform_finddevs(alldevsp, errbuf) < 0) 2059 return (-1); 2060 #endif /* HAVE_DAG_API */ 2061 2062 return (0); 2063 } 2064 2065 #ifdef HAVE_BSD_IEEE80211 2066 static int 2067 monitor_mode(pcap_t *p, int set) 2068 { 2069 int sock; 2070 struct ifmediareq req; 2071 int *media_list; 2072 int i; 2073 int can_do; 2074 struct ifreq ifr; 2075 2076 sock = socket(AF_INET, SOCK_DGRAM, 0); 2077 if (sock == -1) { 2078 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't open socket: %s", 2079 pcap_strerror(errno)); 2080 return (PCAP_ERROR); 2081 } 2082 2083 memset(&req, 0, sizeof req); 2084 strncpy(req.ifm_name, p->opt.source, sizeof req.ifm_name); 2085 2086 /* 2087 * Find out how many media types we have. 2088 */ 2089 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 2090 /* 2091 * Can't get the media types. 2092 */ 2093 if (errno == EINVAL) { 2094 /* 2095 * Interface doesn't support SIOC{G,S}IFMEDIA. 2096 */ 2097 close(sock); 2098 return (PCAP_ERROR_RFMON_NOTSUP); 2099 } 2100 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA 1: %s", 2101 pcap_strerror(errno)); 2102 close(sock); 2103 return (PCAP_ERROR); 2104 } 2105 if (req.ifm_count == 0) { 2106 /* 2107 * No media types. 2108 */ 2109 close(sock); 2110 return (PCAP_ERROR_RFMON_NOTSUP); 2111 } 2112 2113 /* 2114 * Allocate a buffer to hold all the media types, and 2115 * get the media types. 2116 */ 2117 media_list = malloc(req.ifm_count * sizeof(int)); 2118 if (media_list == NULL) { 2119 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s", 2120 pcap_strerror(errno)); 2121 close(sock); 2122 return (PCAP_ERROR); 2123 } 2124 req.ifm_ulist = media_list; 2125 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 2126 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA: %s", 2127 pcap_strerror(errno)); 2128 free(media_list); 2129 close(sock); 2130 return (PCAP_ERROR); 2131 } 2132 2133 /* 2134 * Look for an 802.11 "automatic" media type. 2135 * We assume that all 802.11 adapters have that media type, 2136 * and that it will carry the monitor mode supported flag. 2137 */ 2138 can_do = 0; 2139 for (i = 0; i < req.ifm_count; i++) { 2140 if (IFM_TYPE(media_list[i]) == IFM_IEEE80211 2141 && IFM_SUBTYPE(media_list[i]) == IFM_AUTO) { 2142 /* OK, does it do monitor mode? */ 2143 if (media_list[i] & IFM_IEEE80211_MONITOR) { 2144 can_do = 1; 2145 break; 2146 } 2147 } 2148 } 2149 free(media_list); 2150 if (!can_do) { 2151 /* 2152 * This adapter doesn't support monitor mode. 2153 */ 2154 close(sock); 2155 return (PCAP_ERROR_RFMON_NOTSUP); 2156 } 2157 2158 if (set) { 2159 /* 2160 * Don't just check whether we can enable monitor mode, 2161 * do so, if it's not already enabled. 2162 */ 2163 if ((req.ifm_current & IFM_IEEE80211_MONITOR) == 0) { 2164 /* 2165 * Monitor mode isn't currently on, so turn it on, 2166 * and remember that we should turn it off when the 2167 * pcap_t is closed. 2168 */ 2169 2170 /* 2171 * If we haven't already done so, arrange to have 2172 * "pcap_close_all()" called when we exit. 2173 */ 2174 if (!pcap_do_addexit(p)) { 2175 /* 2176 * "atexit()" failed; don't put the interface 2177 * in monitor mode, just give up. 2178 */ 2179 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2180 "atexit failed"); 2181 close(sock); 2182 return (PCAP_ERROR); 2183 } 2184 memset(&ifr, 0, sizeof(ifr)); 2185 (void)strncpy(ifr.ifr_name, p->opt.source, 2186 sizeof(ifr.ifr_name)); 2187 ifr.ifr_media = req.ifm_current | IFM_IEEE80211_MONITOR; 2188 if (ioctl(sock, SIOCSIFMEDIA, &ifr) == -1) { 2189 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2190 "SIOCSIFMEDIA: %s", pcap_strerror(errno)); 2191 close(sock); 2192 return (PCAP_ERROR); 2193 } 2194 2195 p->md.must_clear |= MUST_CLEAR_RFMON; 2196 2197 /* 2198 * Add this to the list of pcaps to close when we exit. 2199 */ 2200 pcap_add_to_pcaps_to_close(p); 2201 } 2202 } 2203 return (0); 2204 } 2205 #endif /* HAVE_BSD_IEEE80211 */ 2206 2207 #if defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) 2208 /* 2209 * Check whether we have any 802.11 link-layer types; return the best 2210 * of the 802.11 link-layer types if we find one, and return -1 2211 * otherwise. 2212 * 2213 * DLT_IEEE802_11_RADIO, with the radiotap header, is considered the 2214 * best 802.11 link-layer type; any of the other 802.11-plus-radio 2215 * headers are second-best; 802.11 with no radio information is 2216 * the least good. 2217 */ 2218 static int 2219 find_802_11(struct bpf_dltlist *bdlp) 2220 { 2221 int new_dlt; 2222 int i; 2223 2224 /* 2225 * Scan the list of DLT_ values, looking for 802.11 values, 2226 * and, if we find any, choose the best of them. 2227 */ 2228 new_dlt = -1; 2229 for (i = 0; i < bdlp->bfl_len; i++) { 2230 switch (bdlp->bfl_list[i]) { 2231 2232 case DLT_IEEE802_11: 2233 /* 2234 * 802.11, but no radio. 2235 * 2236 * Offer this, and select it as the new mode 2237 * unless we've already found an 802.11 2238 * header with radio information. 2239 */ 2240 if (new_dlt == -1) 2241 new_dlt = bdlp->bfl_list[i]; 2242 break; 2243 2244 case DLT_PRISM_HEADER: 2245 case DLT_AIRONET_HEADER: 2246 case DLT_IEEE802_11_RADIO_AVS: 2247 /* 2248 * 802.11 with radio, but not radiotap. 2249 * 2250 * Offer this, and select it as the new mode 2251 * unless we've already found the radiotap DLT_. 2252 */ 2253 if (new_dlt != DLT_IEEE802_11_RADIO) 2254 new_dlt = bdlp->bfl_list[i]; 2255 break; 2256 2257 case DLT_IEEE802_11_RADIO: 2258 /* 2259 * 802.11 with radiotap. 2260 * 2261 * Offer this, and select it as the new mode. 2262 */ 2263 new_dlt = bdlp->bfl_list[i]; 2264 break; 2265 2266 default: 2267 /* 2268 * Not 802.11. 2269 */ 2270 break; 2271 } 2272 } 2273 2274 return (new_dlt); 2275 } 2276 #endif /* defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) */ 2277 2278 #if defined(__APPLE__) && defined(BIOCGDLTLIST) 2279 /* 2280 * Remove DLT_EN10MB from the list of DLT_ values. 2281 */ 2282 static void 2283 remove_en(pcap_t *p) 2284 { 2285 int i, j; 2286 2287 /* 2288 * Scan the list of DLT_ values and discard DLT_EN10MB. 2289 */ 2290 j = 0; 2291 for (i = 0; i < p->dlt_count; i++) { 2292 switch (p->dlt_list[i]) { 2293 2294 case DLT_EN10MB: 2295 /* 2296 * Don't offer this one. 2297 */ 2298 continue; 2299 2300 default: 2301 /* 2302 * Just copy this mode over. 2303 */ 2304 break; 2305 } 2306 2307 /* 2308 * Copy this DLT_ value to its new position. 2309 */ 2310 p->dlt_list[j] = p->dlt_list[i]; 2311 j++; 2312 } 2313 2314 /* 2315 * Set the DLT_ count to the number of entries we copied. 2316 */ 2317 p->dlt_count = j; 2318 } 2319 2320 /* 2321 * Remove DLT_EN10MB from the list of DLT_ values, and look for the 2322 * best 802.11 link-layer type in that list and return it. 2323 * Radiotap is better than anything else; 802.11 with any other radio 2324 * header is better than 802.11 with no radio header. 2325 */ 2326 static void 2327 remove_802_11(pcap_t *p) 2328 { 2329 int i, j; 2330 2331 /* 2332 * Scan the list of DLT_ values and discard 802.11 values. 2333 */ 2334 j = 0; 2335 for (i = 0; i < p->dlt_count; i++) { 2336 switch (p->dlt_list[i]) { 2337 2338 case DLT_IEEE802_11: 2339 case DLT_PRISM_HEADER: 2340 case DLT_AIRONET_HEADER: 2341 case DLT_IEEE802_11_RADIO: 2342 case DLT_IEEE802_11_RADIO_AVS: 2343 /* 2344 * 802.11. Don't offer this one. 2345 */ 2346 continue; 2347 2348 default: 2349 /* 2350 * Just copy this mode over. 2351 */ 2352 break; 2353 } 2354 2355 /* 2356 * Copy this DLT_ value to its new position. 2357 */ 2358 p->dlt_list[j] = p->dlt_list[i]; 2359 j++; 2360 } 2361 2362 /* 2363 * Set the DLT_ count to the number of entries we copied. 2364 */ 2365 p->dlt_count = j; 2366 } 2367 #endif /* defined(__APPLE__) && defined(BIOCGDLTLIST) */ 2368 2369 static int 2370 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp) 2371 { 2372 /* 2373 * Free any user-mode filter we might happen to have installed. 2374 */ 2375 pcap_freecode(&p->fcode); 2376 2377 /* 2378 * Try to install the kernel filter. 2379 */ 2380 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) == 0) { 2381 /* 2382 * It worked. 2383 */ 2384 p->md.use_bpf = 1; /* filtering in the kernel */ 2385 2386 /* 2387 * Discard any previously-received packets, as they might 2388 * have passed whatever filter was formerly in effect, but 2389 * might not pass this filter (BIOCSETF discards packets 2390 * buffered in the kernel, so you can lose packets in any 2391 * case). 2392 */ 2393 p->cc = 0; 2394 return (0); 2395 } 2396 2397 /* 2398 * We failed. 2399 * 2400 * If it failed with EINVAL, that's probably because the program 2401 * is invalid or too big. Validate it ourselves; if we like it 2402 * (we currently allow backward branches, to support protochain), 2403 * run it in userland. (There's no notion of "too big" for 2404 * userland.) 2405 * 2406 * Otherwise, just give up. 2407 * XXX - if the copy of the program into the kernel failed, 2408 * we will get EINVAL rather than, say, EFAULT on at least 2409 * some kernels. 2410 */ 2411 if (errno != EINVAL) { 2412 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s", 2413 pcap_strerror(errno)); 2414 return (-1); 2415 } 2416 2417 /* 2418 * install_bpf_program() validates the program. 2419 * 2420 * XXX - what if we already have a filter in the kernel? 2421 */ 2422 if (install_bpf_program(p, fp) < 0) 2423 return (-1); 2424 p->md.use_bpf = 0; /* filtering in userland */ 2425 return (0); 2426 } 2427 2428 /* 2429 * Set direction flag: Which packets do we accept on a forwarding 2430 * single device? IN, OUT or both? 2431 */ 2432 static int 2433 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d) 2434 { 2435 #if defined(BIOCSDIRECTION) 2436 u_int direction; 2437 2438 direction = (d == PCAP_D_IN) ? BPF_D_IN : 2439 ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT); 2440 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) { 2441 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2442 "Cannot set direction to %s: %s", 2443 (d == PCAP_D_IN) ? "PCAP_D_IN" : 2444 ((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"), 2445 strerror(errno)); 2446 return (-1); 2447 } 2448 return (0); 2449 #elif defined(BIOCSSEESENT) 2450 u_int seesent; 2451 2452 /* 2453 * We don't support PCAP_D_OUT. 2454 */ 2455 if (d == PCAP_D_OUT) { 2456 snprintf(p->errbuf, sizeof(p->errbuf), 2457 "Setting direction to PCAP_D_OUT is not supported on BPF"); 2458 return -1; 2459 } 2460 2461 seesent = (d == PCAP_D_INOUT); 2462 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) { 2463 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2464 "Cannot set direction to %s: %s", 2465 (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN", 2466 strerror(errno)); 2467 return (-1); 2468 } 2469 return (0); 2470 #else 2471 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2472 "This system doesn't support BIOCSSEESENT, so the direction can't be set"); 2473 return (-1); 2474 #endif 2475 } 2476 2477 static int 2478 pcap_set_datalink_bpf(pcap_t *p, int dlt) 2479 { 2480 #ifdef BIOCSDLT 2481 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) { 2482 (void) snprintf(p->errbuf, sizeof(p->errbuf), 2483 "Cannot set DLT %d: %s", dlt, strerror(errno)); 2484 return (-1); 2485 } 2486 #endif 2487 return (0); 2488 } 2489