1 /* $NetBSD: pcap-snoop.c,v 1.5 2018/09/03 15:26:43 christos Exp $ */
2
3 /*
4 * Copyright (c) 1993, 1994, 1995, 1996, 1997
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that: (1) source code distributions
9 * retain the above copyright notice and this paragraph in its entirety, (2)
10 * distributions including binary code include the above copyright notice and
11 * this paragraph in its entirety in the documentation or other materials
12 * provided with the distribution, and (3) all advertising materials mentioning
13 * features or use of this software display the following acknowledgement:
14 * ``This product includes software developed by the University of California,
15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16 * the University nor the names of its contributors may be used to endorse
17 * or promote products derived from this software without specific prior
18 * written permission.
19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 */
23
24 #include <sys/cdefs.h>
25 __RCSID("$NetBSD: pcap-snoop.c,v 1.5 2018/09/03 15:26:43 christos Exp $");
26
27 #ifdef HAVE_CONFIG_H
28 #include <config.h>
29 #endif
30
31 #include <sys/param.h>
32 #include <sys/file.h>
33 #include <sys/ioctl.h>
34 #include <sys/socket.h>
35 #include <sys/time.h>
36
37 #include <net/raw.h>
38 #include <net/if.h>
39
40 #include <netinet/in.h>
41 #include <netinet/in_systm.h>
42 #include <netinet/ip.h>
43 #include <netinet/if_ether.h>
44 #include <netinet/ip_var.h>
45 #include <netinet/udp.h>
46 #include <netinet/udp_var.h>
47 #include <netinet/tcp.h>
48 #include <netinet/tcpip.h>
49
50 #include <errno.h>
51 #include <stdio.h>
52 #include <stdlib.h>
53 #include <string.h>
54 #include <unistd.h>
55
56 #include "pcap-int.h"
57
58 #ifdef HAVE_OS_PROTO_H
59 #include "os-proto.h"
60 #endif
61
62 /*
63 * Private data for capturing on snoop devices.
64 */
65 struct pcap_snoop {
66 struct pcap_stat stat;
67 };
68
69 static int
pcap_read_snoop(pcap_t * p,int cnt,pcap_handler callback,u_char * user)70 pcap_read_snoop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
71 {
72 struct pcap_snoop *psn = p->priv;
73 int cc;
74 register struct snoopheader *sh;
75 register u_int datalen;
76 register u_int caplen;
77 register u_char *cp;
78
79 again:
80 /*
81 * Has "pcap_breakloop()" been called?
82 */
83 if (p->break_loop) {
84 /*
85 * Yes - clear the flag that indicates that it
86 * has, and return -2 to indicate that we were
87 * told to break out of the loop.
88 */
89 p->break_loop = 0;
90 return (-2);
91 }
92 cc = read(p->fd, (char *)p->buffer, p->bufsize);
93 if (cc < 0) {
94 /* Don't choke when we get ptraced */
95 switch (errno) {
96
97 case EINTR:
98 goto again;
99
100 case EWOULDBLOCK:
101 return (0); /* XXX */
102 }
103 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
104 errno, "read");
105 return (-1);
106 }
107 sh = (struct snoopheader *)p->buffer;
108 datalen = sh->snoop_packetlen;
109
110 /*
111 * XXX - Sigh, snoop_packetlen is a 16 bit quantity. If we
112 * got a short length, but read a full sized snoop pakcet,
113 * assume we overflowed and add back the 64K...
114 */
115 if (cc == (p->snapshot + sizeof(struct snoopheader)) &&
116 (datalen < p->snapshot))
117 datalen += (64 * 1024);
118
119 caplen = (datalen < p->snapshot) ? datalen : p->snapshot;
120 cp = (u_char *)(sh + 1) + p->offset; /* XXX */
121
122 /*
123 * XXX unfortunately snoop loopback isn't exactly like
124 * BSD's. The address family is encoded in the first 2
125 * bytes rather than the first 4 bytes! Luckily the last
126 * two snoop loopback bytes are zeroed.
127 */
128 if (p->linktype == DLT_NULL && *((short *)(cp + 2)) == 0) {
129 u_int *uip = (u_int *)cp;
130 *uip >>= 16;
131 }
132
133 if (p->fcode.bf_insns == NULL ||
134 bpf_filter(p->fcode.bf_insns, cp, datalen, caplen)) {
135 struct pcap_pkthdr h;
136 ++psn->stat.ps_recv;
137 h.ts.tv_sec = sh->snoop_timestamp.tv_sec;
138 h.ts.tv_usec = sh->snoop_timestamp.tv_usec;
139 h.len = datalen;
140 h.caplen = caplen;
141 (*callback)(user, &h, cp);
142 return (1);
143 }
144 return (0);
145 }
146
147 static int
pcap_inject_snoop(pcap_t * p,const void * buf,size_t size)148 pcap_inject_snoop(pcap_t *p, const void *buf, size_t size)
149 {
150 int ret;
151
152 /*
153 * XXX - libnet overwrites the source address with what I
154 * presume is the interface's address; is that required?
155 */
156 ret = write(p->fd, buf, size);
157 if (ret == -1) {
158 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
159 errno, "send");
160 return (-1);
161 }
162 return (ret);
163 }
164
165 static int
pcap_stats_snoop(pcap_t * p,struct pcap_stat * ps)166 pcap_stats_snoop(pcap_t *p, struct pcap_stat *ps)
167 {
168 struct pcap_snoop *psn = p->priv;
169 register struct rawstats *rs;
170 struct rawstats rawstats;
171
172 rs = &rawstats;
173 memset(rs, 0, sizeof(*rs));
174 if (ioctl(p->fd, SIOCRAWSTATS, (char *)rs) < 0) {
175 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
176 errno, "SIOCRAWSTATS");
177 return (-1);
178 }
179
180 /*
181 * "ifdrops" are those dropped by the network interface
182 * due to resource shortages or hardware errors.
183 *
184 * "sbdrops" are those dropped due to socket buffer limits.
185 *
186 * As filter is done in userland, "sbdrops" counts packets
187 * regardless of whether they would've passed the filter.
188 *
189 * XXX - does this count *all* Snoop or Drain sockets,
190 * rather than just this socket? If not, why does it have
191 * both Snoop and Drain statistics?
192 */
193 psn->stat.ps_drop =
194 rs->rs_snoop.ss_ifdrops + rs->rs_snoop.ss_sbdrops +
195 rs->rs_drain.ds_ifdrops + rs->rs_drain.ds_sbdrops;
196
197 /*
198 * "ps_recv" counts only packets that passed the filter.
199 * As filtering is done in userland, this does not include
200 * packets dropped because we ran out of buffer space.
201 */
202 *ps = psn->stat;
203 return (0);
204 }
205
206 /* XXX can't disable promiscuous */
207 static int
pcap_activate_snoop(pcap_t * p)208 pcap_activate_snoop(pcap_t *p)
209 {
210 int fd;
211 struct sockaddr_raw sr;
212 struct snoopfilter sf;
213 u_int v;
214 int ll_hdrlen;
215 int snooplen;
216 struct ifreq ifr;
217
218 fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP);
219 if (fd < 0) {
220 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
221 errno, "snoop socket");
222 goto bad;
223 }
224 p->fd = fd;
225 memset(&sr, 0, sizeof(sr));
226 sr.sr_family = AF_RAW;
227 (void)strncpy(sr.sr_ifname, p->opt.device, sizeof(sr.sr_ifname));
228 if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) {
229 /*
230 * XXX - there's probably a particular bind error that
231 * means "there's no such device" and a particular bind
232 * error that means "that device doesn't support snoop";
233 * they might be the same error, if they both end up
234 * meaning "snoop doesn't know about that device".
235 */
236 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
237 errno, "snoop bind");
238 goto bad;
239 }
240 memset(&sf, 0, sizeof(sf));
241 if (ioctl(fd, SIOCADDSNOOP, &sf) < 0) {
242 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
243 errno, "SIOCADDSNOOP");
244 goto bad;
245 }
246 if (p->opt.buffer_size != 0)
247 v = p->opt.buffer_size;
248 else
249 v = 64 * 1024; /* default to 64K buffer size */
250 (void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (char *)&v, sizeof(v));
251 /*
252 * XXX hack - map device name to link layer type
253 */
254 if (strncmp("et", p->opt.device, 2) == 0 || /* Challenge 10 Mbit */
255 strncmp("ec", p->opt.device, 2) == 0 || /* Indigo/Indy 10 Mbit,
256 O2 10/100 */
257 strncmp("ef", p->opt.device, 2) == 0 || /* O200/2000 10/100 Mbit */
258 strncmp("eg", p->opt.device, 2) == 0 || /* Octane/O2xxx/O3xxx Gigabit */
259 strncmp("gfe", p->opt.device, 3) == 0 || /* GIO 100 Mbit */
260 strncmp("fxp", p->opt.device, 3) == 0 || /* Challenge VME Enet */
261 strncmp("ep", p->opt.device, 2) == 0 || /* Challenge 8x10 Mbit EPLEX */
262 strncmp("vfe", p->opt.device, 3) == 0 || /* Challenge VME 100Mbit */
263 strncmp("fa", p->opt.device, 2) == 0 ||
264 strncmp("qaa", p->opt.device, 3) == 0 ||
265 strncmp("cip", p->opt.device, 3) == 0 ||
266 strncmp("el", p->opt.device, 2) == 0) {
267 p->linktype = DLT_EN10MB;
268 p->offset = RAW_HDRPAD(sizeof(struct ether_header));
269 ll_hdrlen = sizeof(struct ether_header);
270 /*
271 * This is (presumably) a real Ethernet capture; give it a
272 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
273 * that an application can let you choose it, in case you're
274 * capturing DOCSIS traffic that a Cisco Cable Modem
275 * Termination System is putting out onto an Ethernet (it
276 * doesn't put an Ethernet header onto the wire, it puts raw
277 * DOCSIS frames out on the wire inside the low-level
278 * Ethernet framing).
279 *
280 * XXX - are there any sorts of "fake Ethernet" that have
281 * Ethernet link-layer headers but that *shouldn't offer
282 * DLT_DOCSIS as a Cisco CMTS won't put traffic onto it
283 * or get traffic bridged onto it? "el" is for ATM LANE
284 * Ethernet devices, so that might be the case for them;
285 * the same applies for "qaa" classical IP devices. If
286 * "fa" devices are for FORE SPANS, that'd apply to them
287 * as well; what are "cip" devices - some other ATM
288 * Classical IP devices?
289 */
290 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
291 /*
292 * If that fails, just leave the list empty.
293 */
294 if (p->dlt_list != NULL) {
295 p->dlt_list[0] = DLT_EN10MB;
296 p->dlt_list[1] = DLT_DOCSIS;
297 p->dlt_count = 2;
298 }
299 } else if (strncmp("ipg", p->opt.device, 3) == 0 ||
300 strncmp("rns", p->opt.device, 3) == 0 || /* O2/200/2000 FDDI */
301 strncmp("xpi", p->opt.device, 3) == 0) {
302 p->linktype = DLT_FDDI;
303 p->offset = 3; /* XXX yeah? */
304 ll_hdrlen = 13;
305 } else if (strncmp("ppp", p->opt.device, 3) == 0) {
306 p->linktype = DLT_RAW;
307 ll_hdrlen = 0; /* DLT_RAW meaning "no PPP header, just the IP packet"? */
308 } else if (strncmp("qfa", p->opt.device, 3) == 0) {
309 p->linktype = DLT_IP_OVER_FC;
310 ll_hdrlen = 24;
311 } else if (strncmp("pl", p->opt.device, 2) == 0) {
312 p->linktype = DLT_RAW;
313 ll_hdrlen = 0; /* Cray UNICOS/mp pseudo link */
314 } else if (strncmp("lo", p->opt.device, 2) == 0) {
315 p->linktype = DLT_NULL;
316 ll_hdrlen = 4;
317 } else {
318 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
319 "snoop: unknown physical layer type");
320 goto bad;
321 }
322
323 if (p->opt.rfmon) {
324 /*
325 * No monitor mode on Irix (no Wi-Fi devices on
326 * hardware supported by Irix).
327 */
328 return (PCAP_ERROR_RFMON_NOTSUP);
329 }
330
331 /*
332 * Turn a negative snapshot value (invalid), a snapshot value of
333 * 0 (unspecified), or a value bigger than the normal maximum
334 * value, into the maximum allowed value.
335 *
336 * If some application really *needs* a bigger snapshot
337 * length, we should just increase MAXIMUM_SNAPLEN.
338 */
339 if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
340 p->snapshot = MAXIMUM_SNAPLEN;
341
342 #ifdef SIOCGIFMTU
343 /*
344 * XXX - IRIX appears to give you an error if you try to set the
345 * capture length to be greater than the MTU, so let's try to get
346 * the MTU first and, if that succeeds, trim the snap length
347 * to be no greater than the MTU.
348 */
349 (void)strncpy(ifr.ifr_name, p->opt.device, sizeof(ifr.ifr_name));
350 if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) {
351 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
352 errno, "SIOCGIFMTU");
353 goto bad;
354 }
355 /*
356 * OK, we got it.
357 *
358 * XXX - some versions of IRIX 6.5 define "ifr_mtu" and have an
359 * "ifru_metric" member of the "ifr_ifru" union in an "ifreq"
360 * structure, others don't.
361 *
362 * I've no idea what's going on, so, if "ifr_mtu" isn't defined,
363 * we define it as "ifr_metric", as using that field appears to
364 * work on the versions that lack "ifr_mtu" (and, on those that
365 * don't lack it, "ifru_metric" and "ifru_mtu" are both "int"
366 * members of the "ifr_ifru" union, which suggests that they
367 * may be interchangeable in this case).
368 */
369 #ifndef ifr_mtu
370 #define ifr_mtu ifr_metric
371 #endif
372 if (p->snapshot > ifr.ifr_mtu + ll_hdrlen)
373 p->snapshot = ifr.ifr_mtu + ll_hdrlen;
374 #endif
375
376 /*
377 * The argument to SIOCSNOOPLEN is the number of link-layer
378 * payload bytes to capture - it doesn't count link-layer
379 * header bytes.
380 */
381 snooplen = p->snapshot - ll_hdrlen;
382 if (snooplen < 0)
383 snooplen = 0;
384 if (ioctl(fd, SIOCSNOOPLEN, &snooplen) < 0) {
385 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
386 errno, "SIOCSNOOPLEN");
387 goto bad;
388 }
389 v = 1;
390 if (ioctl(fd, SIOCSNOOPING, &v) < 0) {
391 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
392 errno, "SIOCSNOOPING");
393 goto bad;
394 }
395
396 p->bufsize = 4096; /* XXX */
397 p->buffer = malloc(p->bufsize);
398 if (p->buffer == NULL) {
399 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
400 errno, "malloc");
401 goto bad;
402 }
403
404 /*
405 * "p->fd" is a socket, so "select()" should work on it.
406 */
407 p->selectable_fd = p->fd;
408
409 p->read_op = pcap_read_snoop;
410 p->inject_op = pcap_inject_snoop;
411 p->setfilter_op = install_bpf_program; /* no kernel filtering */
412 p->setdirection_op = NULL; /* Not implemented. */
413 p->set_datalink_op = NULL; /* can't change data link type */
414 p->getnonblock_op = pcap_getnonblock_fd;
415 p->setnonblock_op = pcap_setnonblock_fd;
416 p->stats_op = pcap_stats_snoop;
417
418 return (0);
419 bad:
420 pcap_cleanup_live_common(p);
421 return (PCAP_ERROR);
422 }
423
424 pcap_t *
pcap_create_interface(const char * device _U_,char * ebuf)425 pcap_create_interface(const char *device _U_, char *ebuf)
426 {
427 pcap_t *p;
428
429 p = pcap_create_common(ebuf, sizeof (struct pcap_snoop));
430 if (p == NULL)
431 return (NULL);
432
433 p->activate_op = pcap_activate_snoop;
434 return (p);
435 }
436
437 /*
438 * XXX - there's probably a particular bind error that means "that device
439 * doesn't support snoop"; if so, we should try a bind and use that.
440 */
441 static int
can_be_bound(const char * name _U_)442 can_be_bound(const char *name _U_)
443 {
444 return (1);
445 }
446
447 static int
get_if_flags(const char * name _U_,bpf_u_int32 * flags _U_,char * errbuf _U_)448 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
449 {
450 /*
451 * Nothing we can do.
452 * XXX - is there a way to find out whether an adapter has
453 * something plugged into it?
454 */
455 return (0);
456 }
457
458 int
pcap_platform_finddevs(pcap_if_list_t * devlistp,char * errbuf)459 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
460 {
461 return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound,
462 get_if_flags));
463 }
464
465 /*
466 * Libpcap version string.
467 */
468 const char *
pcap_lib_version(void)469 pcap_lib_version(void)
470 {
471 return (PCAP_VERSION_STRING);
472 }
473