1 /* $NetBSD: pcap-bpf.c,v 1.11 2023/08/17 15:18:12 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994, 1995, 1996, 1998 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that: (1) source code distributions 9 * retain the above copyright notice and this paragraph in its entirety, (2) 10 * distributions including binary code include the above copyright notice and 11 * this paragraph in its entirety in the documentation or other materials 12 * provided with the distribution, and (3) all advertising materials mentioning 13 * features or use of this software display the following acknowledgement: 14 * ``This product includes software developed by the University of California, 15 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 16 * the University nor the names of its contributors may be used to endorse 17 * or promote products derived from this software without specific prior 18 * written permission. 19 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 20 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 21 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 22 */ 23 24 #include <sys/cdefs.h> 25 __RCSID("$NetBSD: pcap-bpf.c,v 1.11 2023/08/17 15:18:12 christos Exp $"); 26 27 #ifdef HAVE_CONFIG_H 28 #include <config.h> 29 #endif 30 31 #include <sys/param.h> /* optionally get BSD define */ 32 #include <sys/socket.h> 33 #include <time.h> 34 /* 35 * <net/bpf.h> defines ioctls, but doesn't include <sys/ioccom.h>. 36 * 37 * We include <sys/ioctl.h> as it might be necessary to declare ioctl(); 38 * at least on *BSD and macOS, it also defines various SIOC ioctls - 39 * we could include <sys/sockio.h>, but if we're already including 40 * <sys/ioctl.h>, which includes <sys/sockio.h> on those platforms, 41 * there's not much point in doing so. 42 * 43 * If we have <sys/ioccom.h>, we include it as well, to handle systems 44 * such as Solaris which don't arrange to include <sys/ioccom.h> if you 45 * include <sys/ioctl.h> 46 */ 47 #include <sys/ioctl.h> 48 #ifdef HAVE_SYS_IOCCOM_H 49 #include <sys/ioccom.h> 50 #endif 51 #include <sys/utsname.h> 52 #ifdef __NetBSD__ 53 #include <paths.h> 54 #endif 55 56 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2) 57 /* 58 * Add support for capturing on FreeBSD usbusN interfaces. 59 */ 60 static const char usbus_prefix[] = "usbus"; 61 #define USBUS_PREFIX_LEN (sizeof(usbus_prefix) - 1) 62 #include <dirent.h> 63 #endif 64 65 #include <net/if.h> 66 67 #ifdef _AIX 68 69 /* 70 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the 71 * native OS version, as we need "struct bpf_config" from it. 72 */ 73 #define PCAP_DONT_INCLUDE_PCAP_BPF_H 74 75 #include <sys/types.h> 76 77 /* 78 * Prevent bpf.h from redefining the DLT_ values to their 79 * IFT_ values, as we're going to return the standard libpcap 80 * values, not IBM's non-standard IFT_ values. 81 */ 82 #undef _AIX 83 #include <net/bpf.h> 84 #define _AIX 85 86 /* 87 * If both BIOCROTZBUF and BPF_BUFMODE_ZBUF are defined, we have 88 * zero-copy BPF. 89 */ 90 #if defined(BIOCROTZBUF) && defined(BPF_BUFMODE_ZBUF) 91 #define HAVE_ZEROCOPY_BPF 92 #include <sys/mman.h> 93 #include <machine/atomic.h> 94 #endif 95 96 #include <net/if_types.h> /* for IFT_ values */ 97 #include <sys/sysconfig.h> 98 #include <sys/device.h> 99 #include <sys/cfgodm.h> 100 #include <cf.h> 101 102 #ifdef __64BIT__ 103 #define domakedev makedev64 104 #define getmajor major64 105 #define bpf_hdr bpf_hdr32 106 #else /* __64BIT__ */ 107 #define domakedev makedev 108 #define getmajor major 109 #endif /* __64BIT__ */ 110 111 #define BPF_NAME "bpf" 112 #define BPF_MINORS 4 113 #define DRIVER_PATH "/usr/lib/drivers" 114 #define BPF_NODE "/dev/bpf" 115 static int bpfloadedflag = 0; 116 static int odmlockid = 0; 117 118 static int bpf_load(char *errbuf); 119 120 #else /* _AIX */ 121 122 #include <net/bpf.h> 123 124 #endif /* _AIX */ 125 126 #include <fcntl.h> 127 #include <errno.h> 128 #include <netdb.h> 129 #include <stdio.h> 130 #include <stdlib.h> 131 #include <string.h> 132 #include <unistd.h> 133 134 #ifdef SIOCGIFMEDIA 135 # include <net/if_media.h> 136 #endif 137 138 #include "pcap-int.h" 139 140 #ifdef HAVE_OS_PROTO_H 141 #include "os-proto.h" 142 #endif 143 144 /* 145 * Later versions of NetBSD stick padding in front of FDDI frames 146 * to align the IP header on a 4-byte boundary. 147 */ 148 #if defined(__NetBSD__) && __NetBSD_Version__ > 106000000 149 #define PCAP_FDDIPAD 3 150 #endif 151 152 /* 153 * Private data for capturing on BPF devices. 154 */ 155 struct pcap_bpf { 156 #ifdef HAVE_ZEROCOPY_BPF 157 /* 158 * Zero-copy read buffer -- for zero-copy BPF. 'buffer' above will 159 * alternative between these two actual mmap'd buffers as required. 160 * As there is a header on the front size of the mmap'd buffer, only 161 * some of the buffer is exposed to libpcap as a whole via bufsize; 162 * zbufsize is the true size. zbuffer tracks the current zbuf 163 * associated with buffer so that it can be used to decide which the 164 * next buffer to read will be. 165 */ 166 u_char *zbuf1, *zbuf2, *zbuffer; 167 u_int zbufsize; 168 u_int zerocopy; 169 u_int interrupted; 170 struct timespec firstsel; 171 /* 172 * If there's currently a buffer being actively processed, then it is 173 * referenced here; 'buffer' is also pointed at it, but offset by the 174 * size of the header. 175 */ 176 struct bpf_zbuf_header *bzh; 177 int nonblock; /* true if in nonblocking mode */ 178 #endif /* HAVE_ZEROCOPY_BPF */ 179 180 char *device; /* device name */ 181 int filtering_in_kernel; /* using kernel filter */ 182 int must_do_on_close; /* stuff we must do when we close */ 183 }; 184 185 /* 186 * Stuff to do when we close. 187 */ 188 #define MUST_CLEAR_RFMON 0x00000001 /* clear rfmon (monitor) mode */ 189 #define MUST_DESTROY_USBUS 0x00000002 /* destroy usbusN interface */ 190 191 #ifdef BIOCGDLTLIST 192 # if (defined(HAVE_NET_IF_MEDIA_H) && defined(IFM_IEEE80211)) && !defined(__APPLE__) 193 #define HAVE_BSD_IEEE80211 194 195 /* 196 * The ifm_ulist member of a struct ifmediareq is an int * on most systems, 197 * but it's a uint64_t on newer versions of OpenBSD. 198 * 199 * We check this by checking whether IFM_GMASK is defined and > 2^32-1. 200 */ 201 # if defined(IFM_GMASK) && IFM_GMASK > 0xFFFFFFFF 202 # define IFM_ULIST_TYPE uint64_t 203 # else 204 # define IFM_ULIST_TYPE int 205 # endif 206 # endif 207 208 # if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) 209 static int find_802_11(struct bpf_dltlist *); 210 211 # ifdef HAVE_BSD_IEEE80211 212 static int monitor_mode(pcap_t *, int); 213 # endif 214 215 # if defined(__APPLE__) 216 static void remove_non_802_11(pcap_t *); 217 static void remove_802_11(pcap_t *); 218 # endif 219 220 # endif /* defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) */ 221 222 #endif /* BIOCGDLTLIST */ 223 224 #if defined(sun) && defined(LIFNAMSIZ) && defined(lifr_zoneid) 225 #include <zone.h> 226 #endif 227 228 /* 229 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably 230 * don't get DLT_DOCSIS defined. 231 */ 232 #ifndef DLT_DOCSIS 233 #define DLT_DOCSIS 143 234 #endif 235 236 /* 237 * In some versions of macOS, we might not even get any of the 238 * 802.11-plus-radio-header DLT_'s defined, even though some 239 * of them are used by various Airport drivers in those versions. 240 */ 241 #ifndef DLT_PRISM_HEADER 242 #define DLT_PRISM_HEADER 119 243 #endif 244 #ifndef DLT_AIRONET_HEADER 245 #define DLT_AIRONET_HEADER 120 246 #endif 247 #ifndef DLT_IEEE802_11_RADIO 248 #define DLT_IEEE802_11_RADIO 127 249 #endif 250 #ifndef DLT_IEEE802_11_RADIO_AVS 251 #define DLT_IEEE802_11_RADIO_AVS 163 252 #endif 253 254 static int pcap_can_set_rfmon_bpf(pcap_t *p); 255 static int pcap_activate_bpf(pcap_t *p); 256 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp); 257 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t); 258 static int pcap_set_datalink_bpf(pcap_t *p, int dlt); 259 260 /* 261 * For zerocopy bpf, the setnonblock/getnonblock routines need to modify 262 * pb->nonblock so we don't call select(2) if the pcap handle is in non- 263 * blocking mode. 264 */ 265 static int 266 pcap_getnonblock_bpf(pcap_t *p) 267 { 268 #ifdef HAVE_ZEROCOPY_BPF 269 struct pcap_bpf *pb = p->priv; 270 271 if (pb->zerocopy) 272 return (pb->nonblock); 273 #endif 274 return (pcap_getnonblock_fd(p)); 275 } 276 277 static int 278 pcap_setnonblock_bpf(pcap_t *p, int nonblock) 279 { 280 #ifdef HAVE_ZEROCOPY_BPF 281 struct pcap_bpf *pb = p->priv; 282 283 if (pb->zerocopy) { 284 pb->nonblock = nonblock; 285 return (0); 286 } 287 #endif 288 return (pcap_setnonblock_fd(p, nonblock)); 289 } 290 291 #ifdef HAVE_ZEROCOPY_BPF 292 /* 293 * Zero-copy BPF buffer routines to check for and acknowledge BPF data in 294 * shared memory buffers. 295 * 296 * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer, 297 * and set up p->buffer and cc to reflect one if available. Notice that if 298 * there was no prior buffer, we select zbuf1 as this will be the first 299 * buffer filled for a fresh BPF session. 300 */ 301 static int 302 pcap_next_zbuf_shm(pcap_t *p, int *cc) 303 { 304 struct pcap_bpf *pb = p->priv; 305 struct bpf_zbuf_header *bzh; 306 307 if (pb->zbuffer == pb->zbuf2 || pb->zbuffer == NULL) { 308 bzh = (struct bpf_zbuf_header *)pb->zbuf1; 309 if (bzh->bzh_user_gen != 310 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 311 pb->bzh = bzh; 312 pb->zbuffer = (u_char *)pb->zbuf1; 313 p->buffer = pb->zbuffer + sizeof(*bzh); 314 *cc = bzh->bzh_kernel_len; 315 return (1); 316 } 317 } else if (pb->zbuffer == pb->zbuf1) { 318 bzh = (struct bpf_zbuf_header *)pb->zbuf2; 319 if (bzh->bzh_user_gen != 320 atomic_load_acq_int(&bzh->bzh_kernel_gen)) { 321 pb->bzh = bzh; 322 pb->zbuffer = (u_char *)pb->zbuf2; 323 p->buffer = pb->zbuffer + sizeof(*bzh); 324 *cc = bzh->bzh_kernel_len; 325 return (1); 326 } 327 } 328 *cc = 0; 329 return (0); 330 } 331 332 /* 333 * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using 334 * select() for data or a timeout, and possibly force rotation of the buffer 335 * in the event we time out or are in immediate mode. Invoke the shared 336 * memory check before doing system calls in order to avoid doing avoidable 337 * work. 338 */ 339 static int 340 pcap_next_zbuf(pcap_t *p, int *cc) 341 { 342 struct pcap_bpf *pb = p->priv; 343 struct bpf_zbuf bz; 344 struct timeval tv; 345 struct timespec cur; 346 fd_set r_set; 347 int data, r; 348 int expire, tmout; 349 350 #define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000)) 351 /* 352 * Start out by seeing whether anything is waiting by checking the 353 * next shared memory buffer for data. 354 */ 355 data = pcap_next_zbuf_shm(p, cc); 356 if (data) 357 return (data); 358 /* 359 * If a previous sleep was interrupted due to signal delivery, make 360 * sure that the timeout gets adjusted accordingly. This requires 361 * that we analyze when the timeout should be been expired, and 362 * subtract the current time from that. If after this operation, 363 * our timeout is less then or equal to zero, handle it like a 364 * regular timeout. 365 */ 366 tmout = p->opt.timeout; 367 if (tmout) 368 (void) clock_gettime(CLOCK_MONOTONIC, &cur); 369 if (pb->interrupted && p->opt.timeout) { 370 expire = TSTOMILLI(&pb->firstsel) + p->opt.timeout; 371 tmout = expire - TSTOMILLI(&cur); 372 #undef TSTOMILLI 373 if (tmout <= 0) { 374 pb->interrupted = 0; 375 data = pcap_next_zbuf_shm(p, cc); 376 if (data) 377 return (data); 378 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 379 pcap_fmt_errmsg_for_errno(p->errbuf, 380 PCAP_ERRBUF_SIZE, errno, "BIOCROTZBUF"); 381 return (PCAP_ERROR); 382 } 383 return (pcap_next_zbuf_shm(p, cc)); 384 } 385 } 386 /* 387 * No data in the buffer, so must use select() to wait for data or 388 * the next timeout. Note that we only call select if the handle 389 * is in blocking mode. 390 */ 391 if (!pb->nonblock) { 392 FD_ZERO(&r_set); 393 FD_SET(p->fd, &r_set); 394 if (tmout != 0) { 395 tv.tv_sec = tmout / 1000; 396 tv.tv_usec = (tmout * 1000) % 1000000; 397 } 398 r = select(p->fd + 1, &r_set, NULL, NULL, 399 p->opt.timeout != 0 ? &tv : NULL); 400 if (r < 0 && errno == EINTR) { 401 if (!pb->interrupted && p->opt.timeout) { 402 pb->interrupted = 1; 403 pb->firstsel = cur; 404 } 405 return (0); 406 } else if (r < 0) { 407 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 408 errno, "select"); 409 return (PCAP_ERROR); 410 } 411 } 412 pb->interrupted = 0; 413 /* 414 * Check again for data, which may exist now that we've either been 415 * woken up as a result of data or timed out. Try the "there's data" 416 * case first since it doesn't require a system call. 417 */ 418 data = pcap_next_zbuf_shm(p, cc); 419 if (data) 420 return (data); 421 /* 422 * Try forcing a buffer rotation to dislodge timed out or immediate 423 * data. 424 */ 425 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) { 426 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 427 errno, "BIOCROTZBUF"); 428 return (PCAP_ERROR); 429 } 430 return (pcap_next_zbuf_shm(p, cc)); 431 } 432 433 /* 434 * Notify kernel that we are done with the buffer. We don't reset zbuffer so 435 * that we know which buffer to use next time around. 436 */ 437 static int 438 pcap_ack_zbuf(pcap_t *p) 439 { 440 struct pcap_bpf *pb = p->priv; 441 442 atomic_store_rel_int(&pb->bzh->bzh_user_gen, 443 pb->bzh->bzh_kernel_gen); 444 pb->bzh = NULL; 445 p->buffer = NULL; 446 return (0); 447 } 448 #endif /* HAVE_ZEROCOPY_BPF */ 449 450 pcap_t * 451 pcap_create_interface(const char *device _U_, char *ebuf) 452 { 453 pcap_t *p; 454 455 p = PCAP_CREATE_COMMON(ebuf, struct pcap_bpf); 456 if (p == NULL) 457 return (NULL); 458 459 p->activate_op = pcap_activate_bpf; 460 p->can_set_rfmon_op = pcap_can_set_rfmon_bpf; 461 #ifdef BIOCSTSTAMP 462 /* 463 * We claim that we support microsecond and nanosecond time 464 * stamps. 465 */ 466 p->tstamp_precision_list = malloc(2 * sizeof(u_int)); 467 if (p->tstamp_precision_list == NULL) { 468 pcap_fmt_errmsg_for_errno(ebuf, PCAP_ERRBUF_SIZE, errno, 469 "malloc"); 470 free(p); 471 return (NULL); 472 } 473 p->tstamp_precision_list[0] = PCAP_TSTAMP_PRECISION_MICRO; 474 p->tstamp_precision_list[1] = PCAP_TSTAMP_PRECISION_NANO; 475 p->tstamp_precision_count = 2; 476 #endif /* BIOCSTSTAMP */ 477 return (p); 478 } 479 480 /* 481 * On success, returns a file descriptor for a BPF device. 482 * On failure, returns a PCAP_ERROR_ value, and sets p->errbuf. 483 */ 484 static int 485 bpf_open(char *errbuf) 486 { 487 int fd = -1; 488 static const char cloning_device[] = "/dev/bpf"; 489 u_int n = 0; 490 char device[sizeof "/dev/bpf0000000000"]; 491 static int no_cloning_bpf = 0; 492 493 #ifdef _AIX 494 /* 495 * Load the bpf driver, if it isn't already loaded, 496 * and create the BPF device entries, if they don't 497 * already exist. 498 */ 499 if (bpf_load(errbuf) == PCAP_ERROR) 500 return (PCAP_ERROR); 501 #endif 502 503 /* 504 * First, unless we've already tried opening /dev/bpf and 505 * gotten ENOENT, try opening /dev/bpf. 506 * If it fails with ENOENT, remember that, so we don't try 507 * again, and try /dev/bpfN. 508 */ 509 if (!no_cloning_bpf && 510 (fd = open(cloning_device, O_RDWR)) == -1 && 511 ((errno != EACCES && errno != ENOENT) || 512 (fd = open(cloning_device, O_RDONLY)) == -1)) { 513 if (errno != ENOENT) { 514 if (errno == EACCES) { 515 fd = PCAP_ERROR_PERM_DENIED; 516 snprintf(errbuf, PCAP_ERRBUF_SIZE, 517 "Attempt to open %s failed - root privileges may be required", 518 cloning_device); 519 } else { 520 fd = PCAP_ERROR; 521 pcap_fmt_errmsg_for_errno(errbuf, 522 PCAP_ERRBUF_SIZE, errno, 523 "(cannot open device) %s", cloning_device); 524 } 525 return (fd); 526 } 527 no_cloning_bpf = 1; 528 } 529 530 if (no_cloning_bpf) { 531 /* 532 * We don't have /dev/bpf. 533 * Go through all the /dev/bpfN minors and find one 534 * that isn't in use. 535 */ 536 do { 537 (void)snprintf(device, sizeof(device), "/dev/bpf%u", n++); 538 /* 539 * Initially try a read/write open (to allow the inject 540 * method to work). If that fails due to permission 541 * issues, fall back to read-only. This allows a 542 * non-root user to be granted specific access to pcap 543 * capabilities via file permissions. 544 * 545 * XXX - we should have an API that has a flag that 546 * controls whether to open read-only or read-write, 547 * so that denial of permission to send (or inability 548 * to send, if sending packets isn't supported on 549 * the device in question) can be indicated at open 550 * time. 551 */ 552 fd = open(device, O_RDWR); 553 if (fd == -1 && errno == EACCES) 554 fd = open(device, O_RDONLY); 555 } while (fd < 0 && errno == EBUSY); 556 } 557 558 /* 559 * XXX better message for all minors used 560 */ 561 if (fd < 0) { 562 switch (errno) { 563 564 case ENOENT: 565 fd = PCAP_ERROR; 566 if (n == 1) { 567 /* 568 * /dev/bpf0 doesn't exist, which 569 * means we probably have no BPF 570 * devices. 571 */ 572 snprintf(errbuf, PCAP_ERRBUF_SIZE, 573 "(there are no BPF devices)"); 574 } else { 575 /* 576 * We got EBUSY on at least one 577 * BPF device, so we have BPF 578 * devices, but all the ones 579 * that exist are busy. 580 */ 581 snprintf(errbuf, PCAP_ERRBUF_SIZE, 582 "(all BPF devices are busy)"); 583 } 584 break; 585 586 case EACCES: 587 /* 588 * Got EACCES on the last device we tried, 589 * and EBUSY on all devices before that, 590 * if any. 591 */ 592 fd = PCAP_ERROR_PERM_DENIED; 593 snprintf(errbuf, PCAP_ERRBUF_SIZE, 594 "Attempt to open %s failed - root privileges may be required", 595 device); 596 break; 597 598 default: 599 /* 600 * Some other problem. 601 */ 602 fd = PCAP_ERROR; 603 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 604 errno, "(cannot open BPF device) %s", device); 605 break; 606 } 607 } 608 609 return (fd); 610 } 611 612 /* 613 * Bind a network adapter to a BPF device, given a descriptor for the 614 * BPF device and the name of the network adapter. 615 * 616 * Use BIOCSETLIF if available (meaning "on Solaris"), as it supports 617 * longer device names. 618 * 619 * If the name is longer than will fit, return PCAP_ERROR_NO_SUCH_DEVICE 620 * before trying to bind the interface, as there cannot be such a device. 621 * 622 * If the attempt succeeds, return BPF_BIND_SUCCEEDED. 623 * 624 * If the attempt fails: 625 * 626 * if it fails with ENXIO, return PCAP_ERROR_NO_SUCH_DEVICE, as 627 * the device doesn't exist; 628 * 629 * if it fails with ENETDOWN, return PCAP_ERROR_IFACE_NOT_UP, as 630 * the interface exists but isn't up and the OS doesn't allow 631 * binding to an interface that isn't up; 632 * 633 * if it fails with ENOBUFS, return BPF_BIND_BUFFER_TOO_BIG, and 634 * fill in an error message, as the buffer being requested is too 635 * large; 636 * 637 * otherwise, return PCAP_ERROR and fill in an error message. 638 */ 639 #define BPF_BIND_SUCCEEDED 0 640 #define BPF_BIND_BUFFER_TOO_BIG 1 641 642 static int 643 bpf_bind(int fd, const char *name, char *errbuf) 644 { 645 int status; 646 #ifdef LIFNAMSIZ 647 struct lifreq ifr; 648 649 if (strlen(name) >= sizeof(ifr.lifr_name)) { 650 /* The name is too long, so it can't possibly exist. */ 651 return (PCAP_ERROR_NO_SUCH_DEVICE); 652 } 653 (void)pcap_strlcpy(ifr.lifr_name, name, sizeof(ifr.lifr_name)); 654 status = ioctl(fd, BIOCSETLIF, (caddr_t)&ifr); 655 #else 656 struct ifreq ifr; 657 658 if (strlen(name) >= sizeof(ifr.ifr_name)) { 659 /* The name is too long, so it can't possibly exist. */ 660 return (PCAP_ERROR_NO_SUCH_DEVICE); 661 } 662 (void)pcap_strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); 663 status = ioctl(fd, BIOCSETIF, (caddr_t)&ifr); 664 #endif 665 666 if (status < 0) { 667 switch (errno) { 668 669 case ENXIO: 670 /* 671 * There's no such device. 672 * 673 * There's nothing more to say, so clear out the 674 * error message. 675 */ 676 errbuf[0] = '\0'; 677 return (PCAP_ERROR_NO_SUCH_DEVICE); 678 679 case ENETDOWN: 680 /* 681 * Return a "network down" indication, so that 682 * the application can report that rather than 683 * saying we had a mysterious failure and 684 * suggest that they report a problem to the 685 * libpcap developers. 686 */ 687 return (PCAP_ERROR_IFACE_NOT_UP); 688 689 case ENOBUFS: 690 /* 691 * The buffer size is too big. 692 * Return a special indication so that, if we're 693 * trying to crank the buffer size down, we know 694 * we have to continue; add an error message that 695 * tells the user what needs to be fixed. 696 */ 697 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 698 errno, "The requested buffer size for %s is too large", 699 name); 700 return (BPF_BIND_BUFFER_TOO_BIG); 701 702 default: 703 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 704 errno, "Binding interface %s to BPF device failed", 705 name); 706 return (PCAP_ERROR); 707 } 708 } 709 return (BPF_BIND_SUCCEEDED); 710 } 711 712 /* 713 * Open and bind to a device; used if we're not actually going to use 714 * the device, but are just testing whether it can be opened, or opening 715 * it to get information about it. 716 * 717 * Returns an error code on failure (always negative), and an FD for 718 * the now-bound BPF device on success (always non-negative). 719 */ 720 static int 721 bpf_open_and_bind(const char *name, char *errbuf) 722 { 723 int fd; 724 int status; 725 726 /* 727 * First, open a BPF device. 728 */ 729 fd = bpf_open(errbuf); 730 if (fd < 0) 731 return (fd); /* fd is the appropriate error code */ 732 733 /* 734 * Now bind to the device. 735 */ 736 status = bpf_bind(fd, name, errbuf); 737 if (status != BPF_BIND_SUCCEEDED) { 738 close(fd); 739 if (status == BPF_BIND_BUFFER_TOO_BIG) { 740 /* 741 * We didn't specify a buffer size, so 742 * this *really* shouldn't fail because 743 * there's no buffer space. Fail. 744 */ 745 return (PCAP_ERROR); 746 } 747 return (status); 748 } 749 750 /* 751 * Success. 752 */ 753 return (fd); 754 } 755 756 #ifdef __APPLE__ 757 static int 758 device_exists(int fd, const char *name, char *errbuf) 759 { 760 int status; 761 struct ifreq ifr; 762 763 if (strlen(name) >= sizeof(ifr.ifr_name)) { 764 /* The name is too long, so it can't possibly exist. */ 765 return (PCAP_ERROR_NO_SUCH_DEVICE); 766 } 767 (void)pcap_strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); 768 status = ioctl(fd, SIOCGIFFLAGS, (caddr_t)&ifr); 769 770 if (status < 0) { 771 if (errno == ENXIO || errno == EINVAL) { 772 /* 773 * macOS and *BSD return one of those two 774 * errors if the device doesn't exist. 775 * Don't fill in an error, as this is 776 * an "expected" condition. 777 */ 778 return (PCAP_ERROR_NO_SUCH_DEVICE); 779 } 780 781 /* 782 * Some other error - provide a message for it, as 783 * it's "unexpected". 784 */ 785 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, errno, 786 "Can't get interface flags on %s", name); 787 return (PCAP_ERROR); 788 } 789 790 /* 791 * The device exists. 792 */ 793 return (0); 794 } 795 #endif 796 797 #ifdef BIOCGDLTLIST 798 static int 799 get_dlt_list(int fd, int v, struct bpf_dltlist *bdlp, char *ebuf) 800 { 801 memset(bdlp, 0, sizeof(*bdlp)); 802 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) == 0) { 803 u_int i; 804 int is_ethernet; 805 806 bdlp->bfl_list = (u_int *) malloc(sizeof(u_int) * (bdlp->bfl_len + 1)); 807 if (bdlp->bfl_list == NULL) { 808 pcap_fmt_errmsg_for_errno(ebuf, PCAP_ERRBUF_SIZE, 809 errno, "malloc"); 810 return (PCAP_ERROR); 811 } 812 813 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) < 0) { 814 pcap_fmt_errmsg_for_errno(ebuf, PCAP_ERRBUF_SIZE, 815 errno, "BIOCGDLTLIST"); 816 free(bdlp->bfl_list); 817 return (PCAP_ERROR); 818 } 819 820 /* 821 * OK, for real Ethernet devices, add DLT_DOCSIS to the 822 * list, so that an application can let you choose it, 823 * in case you're capturing DOCSIS traffic that a Cisco 824 * Cable Modem Termination System is putting out onto 825 * an Ethernet (it doesn't put an Ethernet header onto 826 * the wire, it puts raw DOCSIS frames out on the wire 827 * inside the low-level Ethernet framing). 828 * 829 * A "real Ethernet device" is defined here as a device 830 * that has a link-layer type of DLT_EN10MB and that has 831 * no alternate link-layer types; that's done to exclude 832 * 802.11 interfaces (which might or might not be the 833 * right thing to do, but I suspect it is - Ethernet <-> 834 * 802.11 bridges would probably badly mishandle frames 835 * that don't have Ethernet headers). 836 * 837 * On Solaris with BPF, Ethernet devices also offer 838 * DLT_IPNET, so we, if DLT_IPNET is defined, we don't 839 * treat it as an indication that the device isn't an 840 * Ethernet. 841 */ 842 if (v == DLT_EN10MB) { 843 is_ethernet = 1; 844 for (i = 0; i < bdlp->bfl_len; i++) { 845 if (bdlp->bfl_list[i] != DLT_EN10MB 846 #ifdef DLT_IPNET 847 && bdlp->bfl_list[i] != DLT_IPNET 848 #endif 849 ) { 850 is_ethernet = 0; 851 break; 852 } 853 } 854 if (is_ethernet) { 855 /* 856 * We reserved one more slot at the end of 857 * the list. 858 */ 859 bdlp->bfl_list[bdlp->bfl_len] = DLT_DOCSIS; 860 bdlp->bfl_len++; 861 } 862 } 863 } else { 864 /* 865 * EINVAL just means "we don't support this ioctl on 866 * this device"; don't treat it as an error. 867 */ 868 if (errno != EINVAL) { 869 pcap_fmt_errmsg_for_errno(ebuf, PCAP_ERRBUF_SIZE, 870 errno, "BIOCGDLTLIST"); 871 return (PCAP_ERROR); 872 } 873 } 874 return (0); 875 } 876 #endif 877 878 #if defined(__APPLE__) 879 static int 880 pcap_can_set_rfmon_bpf(pcap_t *p) 881 { 882 struct utsname osinfo; 883 int fd; 884 #ifdef BIOCGDLTLIST 885 struct bpf_dltlist bdl; 886 int err; 887 #endif 888 889 /* 890 * The joys of monitor mode on Mac OS X/OS X/macOS. 891 * 892 * Prior to 10.4, it's not supported at all. 893 * 894 * In 10.4, if adapter enN supports monitor mode, there's a 895 * wltN adapter corresponding to it; you open it, instead of 896 * enN, to get monitor mode. You get whatever link-layer 897 * headers it supplies. 898 * 899 * In 10.5, and, we assume, later releases, if adapter enN 900 * supports monitor mode, it offers, among its selectable 901 * DLT_ values, values that let you get the 802.11 header; 902 * selecting one of those values puts the adapter into monitor 903 * mode (i.e., you can't get 802.11 headers except in monitor 904 * mode, and you can't get Ethernet headers in monitor mode). 905 */ 906 if (uname(&osinfo) == -1) { 907 /* 908 * Can't get the OS version; just say "no". 909 */ 910 return (0); 911 } 912 /* 913 * We assume osinfo.sysname is "Darwin", because 914 * __APPLE__ is defined. We just check the version. 915 */ 916 if (osinfo.release[0] < '8' && osinfo.release[1] == '.') { 917 /* 918 * 10.3 (Darwin 7.x) or earlier. 919 * Monitor mode not supported. 920 */ 921 return (0); 922 } 923 if (osinfo.release[0] == '8' && osinfo.release[1] == '.') { 924 char *wlt_name; 925 int status; 926 927 /* 928 * 10.4 (Darwin 8.x). s/en/wlt/, and check 929 * whether the device exists. 930 */ 931 if (strncmp(p->opt.device, "en", 2) != 0) { 932 /* 933 * Not an enN device; no monitor mode. 934 */ 935 return (0); 936 } 937 fd = socket(AF_INET, SOCK_DGRAM, 0); 938 if (fd == -1) { 939 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 940 errno, "socket"); 941 return (PCAP_ERROR); 942 } 943 if (pcap_asprintf(&wlt_name, "wlt%s", p->opt.device + 2) == -1) { 944 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 945 errno, "malloc"); 946 close(fd); 947 return (PCAP_ERROR); 948 } 949 status = device_exists(fd, wlt_name, p->errbuf); 950 free(wlt_name); 951 close(fd); 952 if (status != 0) { 953 if (status == PCAP_ERROR_NO_SUCH_DEVICE) 954 return (0); 955 956 /* 957 * Error. 958 */ 959 return (status); 960 } 961 return (1); 962 } 963 964 #ifdef BIOCGDLTLIST 965 /* 966 * Everything else is 10.5 or later; for those, 967 * we just open the enN device, and check whether 968 * we have any 802.11 devices. 969 * 970 * First, open a BPF device. 971 */ 972 fd = bpf_open(p->errbuf); 973 if (fd < 0) 974 return (fd); /* fd is the appropriate error code */ 975 976 /* 977 * Now bind to the device. 978 */ 979 err = bpf_bind(fd, p->opt.device, p->errbuf); 980 if (err != BPF_BIND_SUCCEEDED) { 981 close(fd); 982 if (err == BPF_BIND_BUFFER_TOO_BIG) { 983 /* 984 * We didn't specify a buffer size, so 985 * this *really* shouldn't fail because 986 * there's no buffer space. Fail. 987 */ 988 return (PCAP_ERROR); 989 } 990 return (err); 991 } 992 993 /* 994 * We know the default link type -- now determine all the DLTs 995 * this interface supports. If this fails with EINVAL, it's 996 * not fatal; we just don't get to use the feature later. 997 * (We don't care about DLT_DOCSIS, so we pass DLT_NULL 998 * as the default DLT for this adapter.) 999 */ 1000 if (get_dlt_list(fd, DLT_NULL, &bdl, p->errbuf) == PCAP_ERROR) { 1001 close(fd); 1002 return (PCAP_ERROR); 1003 } 1004 if (find_802_11(&bdl) != -1) { 1005 /* 1006 * We have an 802.11 DLT, so we can set monitor mode. 1007 */ 1008 free(bdl.bfl_list); 1009 close(fd); 1010 return (1); 1011 } 1012 free(bdl.bfl_list); 1013 close(fd); 1014 #endif /* BIOCGDLTLIST */ 1015 return (0); 1016 } 1017 #elif defined(HAVE_BSD_IEEE80211) 1018 static int 1019 pcap_can_set_rfmon_bpf(pcap_t *p) 1020 { 1021 int ret; 1022 1023 ret = monitor_mode(p, 0); 1024 if (ret == PCAP_ERROR_RFMON_NOTSUP) 1025 return (0); /* not an error, just a "can't do" */ 1026 if (ret == 0) 1027 return (1); /* success */ 1028 return (ret); 1029 } 1030 #else 1031 static int 1032 pcap_can_set_rfmon_bpf(pcap_t *p _U_) 1033 { 1034 return (0); 1035 } 1036 #endif 1037 1038 static int 1039 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps) 1040 { 1041 struct bpf_stat s; 1042 1043 /* 1044 * "ps_recv" counts packets handed to the filter, not packets 1045 * that passed the filter. This includes packets later dropped 1046 * because we ran out of buffer space. 1047 * 1048 * "ps_drop" counts packets dropped inside the BPF device 1049 * because we ran out of buffer space. It doesn't count 1050 * packets dropped by the interface driver. It counts 1051 * only packets that passed the filter. 1052 * 1053 * Both statistics include packets not yet read from the kernel 1054 * by libpcap, and thus not yet seen by the application. 1055 */ 1056 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) { 1057 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1058 errno, "BIOCGSTATS"); 1059 return (PCAP_ERROR); 1060 } 1061 1062 ps->ps_recv = s.bs_recv; 1063 ps->ps_drop = s.bs_drop; 1064 ps->ps_ifdrop = 0; 1065 return (0); 1066 } 1067 1068 static int 1069 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 1070 { 1071 struct pcap_bpf *pb = p->priv; 1072 int cc; 1073 int n = 0; 1074 register u_char *bp, *ep; 1075 u_char *datap; 1076 #ifdef PCAP_FDDIPAD 1077 register u_int pad; 1078 #endif 1079 #ifdef HAVE_ZEROCOPY_BPF 1080 int i; 1081 #endif 1082 1083 again: 1084 /* 1085 * Has "pcap_breakloop()" been called? 1086 */ 1087 if (p->break_loop) { 1088 /* 1089 * Yes - clear the flag that indicates that it 1090 * has, and return PCAP_ERROR_BREAK to indicate 1091 * that we were told to break out of the loop. 1092 */ 1093 p->break_loop = 0; 1094 return (PCAP_ERROR_BREAK); 1095 } 1096 cc = p->cc; 1097 if (p->cc == 0) { 1098 /* 1099 * When reading without zero-copy from a file descriptor, we 1100 * use a single buffer and return a length of data in the 1101 * buffer. With zero-copy, we update the p->buffer pointer 1102 * to point at whatever underlying buffer contains the next 1103 * data and update cc to reflect the data found in the 1104 * buffer. 1105 */ 1106 #ifdef HAVE_ZEROCOPY_BPF 1107 if (pb->zerocopy) { 1108 if (p->buffer != NULL) 1109 pcap_ack_zbuf(p); 1110 i = pcap_next_zbuf(p, &cc); 1111 if (i == 0) 1112 goto again; 1113 if (i < 0) 1114 return (PCAP_ERROR); 1115 } else 1116 #endif 1117 { 1118 cc = (int)read(p->fd, p->buffer, p->bufsize); 1119 } 1120 if (cc < 0) { 1121 /* Don't choke when we get ptraced */ 1122 switch (errno) { 1123 1124 case EINTR: 1125 goto again; 1126 1127 #ifdef _AIX 1128 case EFAULT: 1129 /* 1130 * Sigh. More AIX wonderfulness. 1131 * 1132 * For some unknown reason the uiomove() 1133 * operation in the bpf kernel extension 1134 * used to copy the buffer into user 1135 * space sometimes returns EFAULT. I have 1136 * no idea why this is the case given that 1137 * a kernel debugger shows the user buffer 1138 * is correct. This problem appears to 1139 * be mostly mitigated by the memset of 1140 * the buffer before it is first used. 1141 * Very strange.... Shaun Clowes 1142 * 1143 * In any case this means that we shouldn't 1144 * treat EFAULT as a fatal error; as we 1145 * don't have an API for returning 1146 * a "some packets were dropped since 1147 * the last packet you saw" indication, 1148 * we just ignore EFAULT and keep reading. 1149 */ 1150 goto again; 1151 #endif 1152 1153 case EWOULDBLOCK: 1154 return (0); 1155 1156 case ENXIO: /* FreeBSD, DragonFly BSD, and Darwin */ 1157 case EIO: /* OpenBSD */ 1158 /* NetBSD appears not to return an error in this case */ 1159 /* 1160 * The device on which we're capturing 1161 * went away. 1162 * 1163 * XXX - we should really return 1164 * an appropriate error for that, 1165 * but pcap_dispatch() etc. aren't 1166 * documented as having error returns 1167 * other than PCAP_ERROR or PCAP_ERROR_BREAK. 1168 */ 1169 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1170 "The interface disappeared"); 1171 return (PCAP_ERROR); 1172 1173 #if defined(sun) && !defined(BSD) && !defined(__svr4__) && !defined(__SVR4) 1174 /* 1175 * Due to a SunOS bug, after 2^31 bytes, the kernel 1176 * file offset overflows and read fails with EINVAL. 1177 * The lseek() to 0 will fix things. 1178 */ 1179 case EINVAL: 1180 if (lseek(p->fd, 0L, SEEK_CUR) + 1181 p->bufsize < 0) { 1182 (void)lseek(p->fd, 0L, SEEK_SET); 1183 goto again; 1184 } 1185 /* fall through */ 1186 #endif 1187 } 1188 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1189 errno, "read"); 1190 return (PCAP_ERROR); 1191 } 1192 bp = (u_char *)p->buffer; 1193 } else 1194 bp = p->bp; 1195 1196 /* 1197 * Loop through each packet. 1198 * 1199 * This assumes that a single buffer of packets will have 1200 * <= INT_MAX packets, so the packet count doesn't overflow. 1201 */ 1202 #ifdef BIOCSTSTAMP 1203 #define bhp ((struct bpf_xhdr *)bp) 1204 #else 1205 #define bhp ((struct bpf_hdr *)bp) 1206 #endif 1207 ep = bp + cc; 1208 #ifdef PCAP_FDDIPAD 1209 pad = p->fddipad; 1210 #endif 1211 while (bp < ep) { 1212 register u_int caplen, hdrlen; 1213 1214 /* 1215 * Has "pcap_breakloop()" been called? 1216 * If so, return immediately - if we haven't read any 1217 * packets, clear the flag and return PCAP_ERROR_BREAK 1218 * to indicate that we were told to break out of the loop, 1219 * otherwise leave the flag set, so that the *next* call 1220 * will break out of the loop without having read any 1221 * packets, and return the number of packets we've 1222 * processed so far. 1223 */ 1224 if (p->break_loop) { 1225 p->bp = bp; 1226 p->cc = (int)(ep - bp); 1227 /* 1228 * ep is set based on the return value of read(), 1229 * but read() from a BPF device doesn't necessarily 1230 * return a value that's a multiple of the alignment 1231 * value for BPF_WORDALIGN(). However, whenever we 1232 * increment bp, we round up the increment value by 1233 * a value rounded up by BPF_WORDALIGN(), so we 1234 * could increment bp past ep after processing the 1235 * last packet in the buffer. 1236 * 1237 * We treat ep < bp as an indication that this 1238 * happened, and just set p->cc to 0. 1239 */ 1240 if (p->cc < 0) 1241 p->cc = 0; 1242 if (n == 0) { 1243 p->break_loop = 0; 1244 return (PCAP_ERROR_BREAK); 1245 } else 1246 return (n); 1247 } 1248 1249 caplen = bhp->bh_caplen; 1250 hdrlen = bhp->bh_hdrlen; 1251 datap = bp + hdrlen; 1252 /* 1253 * Short-circuit evaluation: if using BPF filter 1254 * in kernel, no need to do it now - we already know 1255 * the packet passed the filter. 1256 * 1257 #ifdef PCAP_FDDIPAD 1258 * Note: the filter code was generated assuming 1259 * that p->fddipad was the amount of padding 1260 * before the header, as that's what's required 1261 * in the kernel, so we run the filter before 1262 * skipping that padding. 1263 #endif 1264 */ 1265 if (pb->filtering_in_kernel || 1266 pcap_filter(p->fcode.bf_insns, datap, bhp->bh_datalen, caplen)) { 1267 struct pcap_pkthdr pkthdr; 1268 #ifdef BIOCSTSTAMP 1269 struct bintime bt; 1270 1271 bt.sec = bhp->bh_tstamp.bt_sec; 1272 bt.frac = bhp->bh_tstamp.bt_frac; 1273 if (p->opt.tstamp_precision == PCAP_TSTAMP_PRECISION_NANO) { 1274 struct timespec ts; 1275 1276 bintime2timespec(&bt, &ts); 1277 pkthdr.ts.tv_sec = ts.tv_sec; 1278 pkthdr.ts.tv_usec = ts.tv_nsec; 1279 } else { 1280 struct timeval tv; 1281 1282 bintime2timeval(&bt, &tv); 1283 pkthdr.ts.tv_sec = tv.tv_sec; 1284 pkthdr.ts.tv_usec = tv.tv_usec; 1285 } 1286 #else 1287 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec; 1288 #ifdef _AIX 1289 /* 1290 * AIX's BPF returns seconds/nanoseconds time 1291 * stamps, not seconds/microseconds time stamps. 1292 */ 1293 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000; 1294 #else 1295 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec; 1296 #endif 1297 #endif /* BIOCSTSTAMP */ 1298 #ifdef PCAP_FDDIPAD 1299 if (caplen > pad) 1300 pkthdr.caplen = caplen - pad; 1301 else 1302 pkthdr.caplen = 0; 1303 if (bhp->bh_datalen > pad) 1304 pkthdr.len = bhp->bh_datalen - pad; 1305 else 1306 pkthdr.len = 0; 1307 datap += pad; 1308 #else 1309 pkthdr.caplen = caplen; 1310 pkthdr.len = bhp->bh_datalen; 1311 #endif 1312 (*callback)(user, &pkthdr, datap); 1313 bp += BPF_WORDALIGN(caplen + hdrlen); 1314 if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) { 1315 p->bp = bp; 1316 p->cc = (int)(ep - bp); 1317 /* 1318 * See comment above about p->cc < 0. 1319 */ 1320 if (p->cc < 0) 1321 p->cc = 0; 1322 return (n); 1323 } 1324 } else { 1325 /* 1326 * Skip this packet. 1327 */ 1328 bp += BPF_WORDALIGN(caplen + hdrlen); 1329 } 1330 } 1331 #undef bhp 1332 p->cc = 0; 1333 return (n); 1334 } 1335 1336 static int 1337 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size) 1338 { 1339 ssize_t ret; 1340 1341 ret = write(p->fd, buf, size); 1342 #ifdef __APPLE__ 1343 if (ret == -1 && errno == EAFNOSUPPORT) { 1344 /* 1345 * In some versions of macOS, there's a bug wherein setting 1346 * the BIOCSHDRCMPLT flag causes writes to fail; see, for 1347 * example: 1348 * 1349 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch 1350 * 1351 * So, if, on macOS, we get EAFNOSUPPORT from the write, we 1352 * assume it's due to that bug, and turn off that flag 1353 * and try again. If we succeed, it either means that 1354 * somebody applied the fix from that URL, or other patches 1355 * for that bug from 1356 * 1357 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/ 1358 * 1359 * and are running a Darwin kernel with those fixes, or 1360 * that Apple fixed the problem in some macOS release. 1361 */ 1362 u_int spoof_eth_src = 0; 1363 1364 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 1365 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1366 errno, "send: can't turn off BIOCSHDRCMPLT"); 1367 return (PCAP_ERROR); 1368 } 1369 1370 /* 1371 * Now try the write again. 1372 */ 1373 ret = write(p->fd, buf, size); 1374 } 1375 #endif /* __APPLE__ */ 1376 if (ret == -1) { 1377 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1378 errno, "send"); 1379 return (PCAP_ERROR); 1380 } 1381 return (int)ret; 1382 } 1383 1384 #ifdef _AIX 1385 static int 1386 bpf_odminit(char *errbuf) 1387 { 1388 char *errstr; 1389 1390 if (odm_initialize() == -1) { 1391 if (odm_err_msg(odmerrno, &errstr) == -1) 1392 errstr = "Unknown error"; 1393 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1394 "bpf_load: odm_initialize failed: %s", 1395 errstr); 1396 return (PCAP_ERROR); 1397 } 1398 1399 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) { 1400 if (odm_err_msg(odmerrno, &errstr) == -1) 1401 errstr = "Unknown error"; 1402 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1403 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s", 1404 errstr); 1405 (void)odm_terminate(); 1406 return (PCAP_ERROR); 1407 } 1408 1409 return (0); 1410 } 1411 1412 static int 1413 bpf_odmcleanup(char *errbuf) 1414 { 1415 char *errstr; 1416 1417 if (odm_unlock(odmlockid) == -1) { 1418 if (errbuf != NULL) { 1419 if (odm_err_msg(odmerrno, &errstr) == -1) 1420 errstr = "Unknown error"; 1421 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1422 "bpf_load: odm_unlock failed: %s", 1423 errstr); 1424 } 1425 return (PCAP_ERROR); 1426 } 1427 1428 if (odm_terminate() == -1) { 1429 if (errbuf != NULL) { 1430 if (odm_err_msg(odmerrno, &errstr) == -1) 1431 errstr = "Unknown error"; 1432 snprintf(errbuf, PCAP_ERRBUF_SIZE, 1433 "bpf_load: odm_terminate failed: %s", 1434 errstr); 1435 } 1436 return (PCAP_ERROR); 1437 } 1438 1439 return (0); 1440 } 1441 1442 static int 1443 bpf_load(char *errbuf) 1444 { 1445 long major; 1446 int *minors; 1447 int numminors, i, rc; 1448 char buf[1024]; 1449 struct stat sbuf; 1450 struct bpf_config cfg_bpf; 1451 struct cfg_load cfg_ld; 1452 struct cfg_kmod cfg_km; 1453 1454 /* 1455 * This is very very close to what happens in the real implementation 1456 * but I've fixed some (unlikely) bug situations. 1457 */ 1458 if (bpfloadedflag) 1459 return (0); 1460 1461 if (bpf_odminit(errbuf) == PCAP_ERROR) 1462 return (PCAP_ERROR); 1463 1464 major = genmajor(BPF_NAME); 1465 if (major == -1) { 1466 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 1467 errno, "bpf_load: genmajor failed"); 1468 (void)bpf_odmcleanup(NULL); 1469 return (PCAP_ERROR); 1470 } 1471 1472 minors = getminor(major, &numminors, BPF_NAME); 1473 if (!minors) { 1474 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1); 1475 if (!minors) { 1476 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 1477 errno, "bpf_load: genminor failed"); 1478 (void)bpf_odmcleanup(NULL); 1479 return (PCAP_ERROR); 1480 } 1481 } 1482 1483 if (bpf_odmcleanup(errbuf) == PCAP_ERROR) 1484 return (PCAP_ERROR); 1485 1486 rc = stat(BPF_NODE "0", &sbuf); 1487 if (rc == -1 && errno != ENOENT) { 1488 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 1489 errno, "bpf_load: can't stat %s", BPF_NODE "0"); 1490 return (PCAP_ERROR); 1491 } 1492 1493 if (rc == -1 || getmajor(sbuf.st_rdev) != major) { 1494 for (i = 0; i < BPF_MINORS; i++) { 1495 snprintf(buf, sizeof(buf), "%s%d", BPF_NODE, i); 1496 unlink(buf); 1497 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) { 1498 pcap_fmt_errmsg_for_errno(errbuf, 1499 PCAP_ERRBUF_SIZE, errno, 1500 "bpf_load: can't mknod %s", buf); 1501 return (PCAP_ERROR); 1502 } 1503 } 1504 } 1505 1506 /* Check if the driver is loaded */ 1507 memset(&cfg_ld, 0x0, sizeof(cfg_ld)); 1508 snprintf(buf, sizeof(buf), "%s/%s", DRIVER_PATH, BPF_NAME); 1509 cfg_ld.path = buf; 1510 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) || 1511 (cfg_ld.kmid == 0)) { 1512 /* Driver isn't loaded, load it now */ 1513 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) { 1514 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 1515 errno, "bpf_load: could not load driver"); 1516 return (PCAP_ERROR); 1517 } 1518 } 1519 1520 /* Configure the driver */ 1521 cfg_km.cmd = CFG_INIT; 1522 cfg_km.kmid = cfg_ld.kmid; 1523 cfg_km.mdilen = sizeof(cfg_bpf); 1524 cfg_km.mdiptr = (void *)&cfg_bpf; 1525 for (i = 0; i < BPF_MINORS; i++) { 1526 cfg_bpf.devno = domakedev(major, i); 1527 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) { 1528 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 1529 errno, "bpf_load: could not configure driver"); 1530 return (PCAP_ERROR); 1531 } 1532 } 1533 1534 bpfloadedflag = 1; 1535 1536 return (0); 1537 } 1538 #endif 1539 1540 /* 1541 * Undo any operations done when opening the device when necessary. 1542 */ 1543 static void 1544 pcap_cleanup_bpf(pcap_t *p) 1545 { 1546 struct pcap_bpf *pb = p->priv; 1547 #ifdef HAVE_BSD_IEEE80211 1548 int sock; 1549 struct ifmediareq req; 1550 struct ifreq ifr; 1551 #endif 1552 1553 if (pb->must_do_on_close != 0) { 1554 /* 1555 * There's something we have to do when closing this 1556 * pcap_t. 1557 */ 1558 #ifdef HAVE_BSD_IEEE80211 1559 if (pb->must_do_on_close & MUST_CLEAR_RFMON) { 1560 /* 1561 * We put the interface into rfmon mode; 1562 * take it out of rfmon mode. 1563 * 1564 * XXX - if somebody else wants it in rfmon 1565 * mode, this code cannot know that, so it'll take 1566 * it out of rfmon mode. 1567 */ 1568 sock = socket(AF_INET, SOCK_DGRAM, 0); 1569 if (sock == -1) { 1570 fprintf(stderr, 1571 "Can't restore interface flags (socket() failed: %s).\n" 1572 "Please adjust manually.\n", 1573 strerror(errno)); 1574 } else { 1575 memset(&req, 0, sizeof(req)); 1576 pcap_strlcpy(req.ifm_name, pb->device, 1577 sizeof(req.ifm_name)); 1578 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 1579 fprintf(stderr, 1580 "Can't restore interface flags (SIOCGIFMEDIA failed: %s).\n" 1581 "Please adjust manually.\n", 1582 strerror(errno)); 1583 } else { 1584 if (req.ifm_current & IFM_IEEE80211_MONITOR) { 1585 /* 1586 * Rfmon mode is currently on; 1587 * turn it off. 1588 */ 1589 memset(&ifr, 0, sizeof(ifr)); 1590 (void)pcap_strlcpy(ifr.ifr_name, 1591 pb->device, 1592 sizeof(ifr.ifr_name)); 1593 ifr.ifr_media = 1594 req.ifm_current & ~IFM_IEEE80211_MONITOR; 1595 if (ioctl(sock, SIOCSIFMEDIA, 1596 &ifr) == -1) { 1597 fprintf(stderr, 1598 "Can't restore interface flags (SIOCSIFMEDIA failed: %s).\n" 1599 "Please adjust manually.\n", 1600 strerror(errno)); 1601 } 1602 } 1603 } 1604 close(sock); 1605 } 1606 } 1607 #endif /* HAVE_BSD_IEEE80211 */ 1608 1609 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2) 1610 /* 1611 * Attempt to destroy the usbusN interface that we created. 1612 */ 1613 if (pb->must_do_on_close & MUST_DESTROY_USBUS) { 1614 if (if_nametoindex(pb->device) > 0) { 1615 int s; 1616 1617 s = socket(AF_LOCAL, SOCK_DGRAM, 0); 1618 if (s >= 0) { 1619 pcap_strlcpy(ifr.ifr_name, pb->device, 1620 sizeof(ifr.ifr_name)); 1621 ioctl(s, SIOCIFDESTROY, &ifr); 1622 close(s); 1623 } 1624 } 1625 } 1626 #endif /* defined(__FreeBSD__) && defined(SIOCIFCREATE2) */ 1627 /* 1628 * Take this pcap out of the list of pcaps for which we 1629 * have to take the interface out of some mode. 1630 */ 1631 pcap_remove_from_pcaps_to_close(p); 1632 pb->must_do_on_close = 0; 1633 } 1634 1635 #ifdef HAVE_ZEROCOPY_BPF 1636 if (pb->zerocopy) { 1637 /* 1638 * Delete the mappings. Note that p->buffer gets 1639 * initialized to one of the mmapped regions in 1640 * this case, so do not try and free it directly; 1641 * null it out so that pcap_cleanup_live_common() 1642 * doesn't try to free it. 1643 */ 1644 if (pb->zbuf1 != MAP_FAILED && pb->zbuf1 != NULL) 1645 (void) munmap(pb->zbuf1, pb->zbufsize); 1646 if (pb->zbuf2 != MAP_FAILED && pb->zbuf2 != NULL) 1647 (void) munmap(pb->zbuf2, pb->zbufsize); 1648 p->buffer = NULL; 1649 } 1650 #endif 1651 if (pb->device != NULL) { 1652 free(pb->device); 1653 pb->device = NULL; 1654 } 1655 pcap_cleanup_live_common(p); 1656 } 1657 1658 #ifdef __APPLE__ 1659 static int 1660 check_setif_failure(pcap_t *p, int error) 1661 { 1662 int fd; 1663 int err; 1664 1665 if (error == PCAP_ERROR_NO_SUCH_DEVICE) { 1666 /* 1667 * No such device exists. 1668 */ 1669 if (p->opt.rfmon && strncmp(p->opt.device, "wlt", 3) == 0) { 1670 /* 1671 * Monitor mode was requested, and we're trying 1672 * to open a "wltN" device. Assume that this 1673 * is 10.4 and that we were asked to open an 1674 * "enN" device; if that device exists, return 1675 * "monitor mode not supported on the device". 1676 */ 1677 fd = socket(AF_INET, SOCK_DGRAM, 0); 1678 if (fd != -1) { 1679 char *en_name; 1680 1681 if (pcap_asprintf(&en_name, "en%s", 1682 p->opt.device + 3) == -1) { 1683 /* 1684 * We can't find out whether there's 1685 * an underlying "enN" device, so 1686 * just report "no such device". 1687 */ 1688 pcap_fmt_errmsg_for_errno(p->errbuf, 1689 PCAP_ERRBUF_SIZE, errno, 1690 "malloc"); 1691 close(fd); 1692 return (PCAP_ERROR_NO_SUCH_DEVICE); 1693 } 1694 err = device_exists(fd, en_name, p->errbuf); 1695 free(en_name); 1696 if (err != 0) { 1697 if (err == PCAP_ERROR_NO_SUCH_DEVICE) { 1698 /* 1699 * The underlying "enN" device 1700 * exists, but there's no 1701 * corresponding "wltN" device; 1702 * that means that the "enN" 1703 * device doesn't support 1704 * monitor mode, probably 1705 * because it's an Ethernet 1706 * device rather than a 1707 * wireless device. 1708 */ 1709 err = PCAP_ERROR_RFMON_NOTSUP; 1710 } 1711 } 1712 close(fd); 1713 } else { 1714 /* 1715 * We can't find out whether there's 1716 * an underlying "enN" device, so 1717 * just report "no such device". 1718 */ 1719 err = PCAP_ERROR_NO_SUCH_DEVICE; 1720 pcap_fmt_errmsg_for_errno(p->errbuf, 1721 errno, PCAP_ERRBUF_SIZE, 1722 "socket() failed"); 1723 } 1724 return (err); 1725 } 1726 1727 /* 1728 * No such device. 1729 */ 1730 return (PCAP_ERROR_NO_SUCH_DEVICE); 1731 } 1732 1733 /* 1734 * Just return the error status; it's what we want, and, if it's 1735 * PCAP_ERROR, the error string has been filled in. 1736 */ 1737 return (error); 1738 } 1739 #else 1740 static int 1741 check_setif_failure(pcap_t *p _U_, int error) 1742 { 1743 /* 1744 * Just return the error status; it's what we want, and, if it's 1745 * PCAP_ERROR, the error string has been filled in. 1746 */ 1747 return (error); 1748 } 1749 #endif 1750 1751 /* 1752 * Default capture buffer size. 1753 * 32K isn't very much for modern machines with fast networks; we 1754 * pick .5M, as that's the maximum on at least some systems with BPF. 1755 * 1756 * However, on AIX 3.5, the larger buffer sized caused unrecoverable 1757 * read failures under stress, so we leave it as 32K; yet another 1758 * place where AIX's BPF is broken. 1759 */ 1760 #ifdef _AIX 1761 #define DEFAULT_BUFSIZE 32768 1762 #else 1763 #define DEFAULT_BUFSIZE 524288 1764 #endif 1765 1766 static int 1767 pcap_activate_bpf(pcap_t *p) 1768 { 1769 struct pcap_bpf *pb = p->priv; 1770 int status = 0; 1771 #ifdef HAVE_BSD_IEEE80211 1772 int retv; 1773 #endif 1774 int fd; 1775 #if defined(LIFNAMSIZ) && defined(ZONENAME_MAX) && defined(lifr_zoneid) 1776 struct lifreq ifr; 1777 char *zonesep; 1778 #endif 1779 struct bpf_version bv; 1780 #ifdef __APPLE__ 1781 int sockfd; 1782 char *wltdev = NULL; 1783 #endif 1784 #ifdef BIOCGDLTLIST 1785 struct bpf_dltlist bdl; 1786 #if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) 1787 u_int new_dlt; 1788 #endif 1789 #endif /* BIOCGDLTLIST */ 1790 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 1791 u_int spoof_eth_src = 1; 1792 #endif 1793 u_int v; 1794 struct bpf_insn total_insn; 1795 struct bpf_program total_prog; 1796 struct utsname osinfo; 1797 int have_osinfo = 0; 1798 #ifdef HAVE_ZEROCOPY_BPF 1799 struct bpf_zbuf bz; 1800 u_int bufmode, zbufmax; 1801 #endif 1802 1803 fd = bpf_open(p->errbuf); 1804 if (fd < 0) { 1805 status = fd; 1806 goto bad; 1807 } 1808 1809 p->fd = fd; 1810 1811 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { 1812 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1813 errno, "BIOCVERSION"); 1814 status = PCAP_ERROR; 1815 goto bad; 1816 } 1817 if (bv.bv_major != BPF_MAJOR_VERSION || 1818 bv.bv_minor < BPF_MINOR_VERSION) { 1819 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1820 "kernel bpf filter out of date"); 1821 status = PCAP_ERROR; 1822 goto bad; 1823 } 1824 1825 /* 1826 * Turn a negative snapshot value (invalid), a snapshot value of 1827 * 0 (unspecified), or a value bigger than the normal maximum 1828 * value, into the maximum allowed value. 1829 * 1830 * If some application really *needs* a bigger snapshot 1831 * length, we should just increase MAXIMUM_SNAPLEN. 1832 */ 1833 if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN) 1834 p->snapshot = MAXIMUM_SNAPLEN; 1835 1836 #if defined(LIFNAMSIZ) && defined(ZONENAME_MAX) && defined(lifr_zoneid) 1837 /* 1838 * Retrieve the zoneid of the zone we are currently executing in. 1839 */ 1840 if ((ifr.lifr_zoneid = getzoneid()) == -1) { 1841 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1842 errno, "getzoneid()"); 1843 status = PCAP_ERROR; 1844 goto bad; 1845 } 1846 /* 1847 * Check if the given source datalink name has a '/' separated 1848 * zonename prefix string. The zonename prefixed source datalink can 1849 * be used by pcap consumers in the Solaris global zone to capture 1850 * traffic on datalinks in non-global zones. Non-global zones 1851 * do not have access to datalinks outside of their own namespace. 1852 */ 1853 if ((zonesep = strchr(p->opt.device, '/')) != NULL) { 1854 char path_zname[ZONENAME_MAX]; 1855 int znamelen; 1856 char *lnamep; 1857 1858 if (ifr.lifr_zoneid != GLOBAL_ZONEID) { 1859 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 1860 "zonename/linkname only valid in global zone."); 1861 status = PCAP_ERROR; 1862 goto bad; 1863 } 1864 znamelen = zonesep - p->opt.device; 1865 (void) pcap_strlcpy(path_zname, p->opt.device, znamelen + 1); 1866 ifr.lifr_zoneid = getzoneidbyname(path_zname); 1867 if (ifr.lifr_zoneid == -1) { 1868 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1869 errno, "getzoneidbyname(%s)", path_zname); 1870 status = PCAP_ERROR; 1871 goto bad; 1872 } 1873 lnamep = strdup(zonesep + 1); 1874 if (lnamep == NULL) { 1875 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1876 errno, "strdup"); 1877 status = PCAP_ERROR; 1878 goto bad; 1879 } 1880 free(p->opt.device); 1881 p->opt.device = lnamep; 1882 } 1883 #endif 1884 1885 pb->device = strdup(p->opt.device); 1886 if (pb->device == NULL) { 1887 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 1888 errno, "strdup"); 1889 status = PCAP_ERROR; 1890 goto bad; 1891 } 1892 1893 /* 1894 * Attempt to find out the version of the OS on which we're running. 1895 */ 1896 if (uname(&osinfo) == 0) 1897 have_osinfo = 1; 1898 1899 #ifdef __APPLE__ 1900 /* 1901 * See comment in pcap_can_set_rfmon_bpf() for an explanation 1902 * of why we check the version number. 1903 */ 1904 if (p->opt.rfmon) { 1905 if (have_osinfo) { 1906 /* 1907 * We assume osinfo.sysname is "Darwin", because 1908 * __APPLE__ is defined. We just check the version. 1909 */ 1910 if (osinfo.release[0] < '8' && 1911 osinfo.release[1] == '.') { 1912 /* 1913 * 10.3 (Darwin 7.x) or earlier. 1914 */ 1915 status = PCAP_ERROR_RFMON_NOTSUP; 1916 goto bad; 1917 } 1918 if (osinfo.release[0] == '8' && 1919 osinfo.release[1] == '.') { 1920 /* 1921 * 10.4 (Darwin 8.x). s/en/wlt/ 1922 */ 1923 if (strncmp(p->opt.device, "en", 2) != 0) { 1924 /* 1925 * Not an enN device; check 1926 * whether the device even exists. 1927 */ 1928 sockfd = socket(AF_INET, SOCK_DGRAM, 0); 1929 if (sockfd != -1) { 1930 status = device_exists(sockfd, 1931 p->opt.device, p->errbuf); 1932 if (status == 0) { 1933 /* 1934 * The device exists, 1935 * but it's not an 1936 * enN device; that 1937 * means it doesn't 1938 * support monitor 1939 * mode. 1940 */ 1941 status = PCAP_ERROR_RFMON_NOTSUP; 1942 } 1943 close(sockfd); 1944 } else { 1945 /* 1946 * We can't find out whether 1947 * the device exists, so just 1948 * report "no such device". 1949 */ 1950 status = PCAP_ERROR_NO_SUCH_DEVICE; 1951 pcap_fmt_errmsg_for_errno(p->errbuf, 1952 PCAP_ERRBUF_SIZE, errno, 1953 "socket() failed"); 1954 } 1955 goto bad; 1956 } 1957 wltdev = malloc(strlen(p->opt.device) + 2); 1958 if (wltdev == NULL) { 1959 pcap_fmt_errmsg_for_errno(p->errbuf, 1960 PCAP_ERRBUF_SIZE, errno, 1961 "malloc"); 1962 status = PCAP_ERROR; 1963 goto bad; 1964 } 1965 strcpy(wltdev, "wlt"); 1966 strcat(wltdev, p->opt.device + 2); 1967 free(p->opt.device); 1968 p->opt.device = wltdev; 1969 } 1970 /* 1971 * Everything else is 10.5 or later; for those, 1972 * we just open the enN device, and set the DLT. 1973 */ 1974 } 1975 } 1976 #endif /* __APPLE__ */ 1977 1978 /* 1979 * If this is FreeBSD, and the device name begins with "usbus", 1980 * try to create the interface if it's not available. 1981 */ 1982 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2) 1983 if (strncmp(p->opt.device, usbus_prefix, USBUS_PREFIX_LEN) == 0) { 1984 /* 1985 * Do we already have an interface with that name? 1986 */ 1987 if (if_nametoindex(p->opt.device) == 0) { 1988 /* 1989 * No. We need to create it, and, if we 1990 * succeed, remember that we should destroy 1991 * it when the pcap_t is closed. 1992 */ 1993 int s; 1994 struct ifreq ifr; 1995 1996 /* 1997 * Open a socket to use for ioctls to 1998 * create the interface. 1999 */ 2000 s = socket(AF_LOCAL, SOCK_DGRAM, 0); 2001 if (s < 0) { 2002 pcap_fmt_errmsg_for_errno(p->errbuf, 2003 PCAP_ERRBUF_SIZE, errno, 2004 "Can't open socket"); 2005 status = PCAP_ERROR; 2006 goto bad; 2007 } 2008 2009 /* 2010 * If we haven't already done so, arrange to have 2011 * "pcap_close_all()" called when we exit. 2012 */ 2013 if (!pcap_do_addexit(p)) { 2014 /* 2015 * "atexit()" failed; don't create the 2016 * interface, just give up. 2017 */ 2018 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2019 "atexit failed"); 2020 close(s); 2021 status = PCAP_ERROR; 2022 goto bad; 2023 } 2024 2025 /* 2026 * Create the interface. 2027 */ 2028 pcap_strlcpy(ifr.ifr_name, p->opt.device, sizeof(ifr.ifr_name)); 2029 if (ioctl(s, SIOCIFCREATE2, &ifr) < 0) { 2030 if (errno == EINVAL) { 2031 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2032 "Invalid USB bus interface %s", 2033 p->opt.device); 2034 } else { 2035 pcap_fmt_errmsg_for_errno(p->errbuf, 2036 PCAP_ERRBUF_SIZE, errno, 2037 "Can't create interface for %s", 2038 p->opt.device); 2039 } 2040 close(s); 2041 status = PCAP_ERROR; 2042 goto bad; 2043 } 2044 2045 /* 2046 * Make sure we clean this up when we close. 2047 */ 2048 pb->must_do_on_close |= MUST_DESTROY_USBUS; 2049 2050 /* 2051 * Add this to the list of pcaps to close when we exit. 2052 */ 2053 pcap_add_to_pcaps_to_close(p); 2054 } 2055 } 2056 #endif /* defined(__FreeBSD__) && defined(SIOCIFCREATE2) */ 2057 2058 #ifdef HAVE_ZEROCOPY_BPF 2059 /* 2060 * If the BPF extension to set buffer mode is present, try setting 2061 * the mode to zero-copy. If that fails, use regular buffering. If 2062 * it succeeds but other setup fails, return an error to the user. 2063 */ 2064 bufmode = BPF_BUFMODE_ZBUF; 2065 if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) { 2066 /* 2067 * We have zerocopy BPF; use it. 2068 */ 2069 pb->zerocopy = 1; 2070 2071 /* 2072 * How to pick a buffer size: first, query the maximum buffer 2073 * size supported by zero-copy. This also lets us quickly 2074 * determine whether the kernel generally supports zero-copy. 2075 * Then, if a buffer size was specified, use that, otherwise 2076 * query the default buffer size, which reflects kernel 2077 * policy for a desired default. Round to the nearest page 2078 * size. 2079 */ 2080 if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) { 2081 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2082 errno, "BIOCGETZMAX"); 2083 status = PCAP_ERROR; 2084 goto bad; 2085 } 2086 2087 if (p->opt.buffer_size != 0) { 2088 /* 2089 * A buffer size was explicitly specified; use it. 2090 */ 2091 v = p->opt.buffer_size; 2092 } else { 2093 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || 2094 v < DEFAULT_BUFSIZE) 2095 v = DEFAULT_BUFSIZE; 2096 } 2097 #ifndef roundup 2098 #define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */ 2099 #endif 2100 pb->zbufsize = roundup(v, getpagesize()); 2101 if (pb->zbufsize > zbufmax) 2102 pb->zbufsize = zbufmax; 2103 pb->zbuf1 = mmap(NULL, pb->zbufsize, PROT_READ | PROT_WRITE, 2104 MAP_ANON, -1, 0); 2105 pb->zbuf2 = mmap(NULL, pb->zbufsize, PROT_READ | PROT_WRITE, 2106 MAP_ANON, -1, 0); 2107 if (pb->zbuf1 == MAP_FAILED || pb->zbuf2 == MAP_FAILED) { 2108 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2109 errno, "mmap"); 2110 status = PCAP_ERROR; 2111 goto bad; 2112 } 2113 memset(&bz, 0, sizeof(bz)); /* bzero() deprecated, replaced with memset() */ 2114 bz.bz_bufa = pb->zbuf1; 2115 bz.bz_bufb = pb->zbuf2; 2116 bz.bz_buflen = pb->zbufsize; 2117 if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) { 2118 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2119 errno, "BIOCSETZBUF"); 2120 status = PCAP_ERROR; 2121 goto bad; 2122 } 2123 status = bpf_bind(fd, p->opt.device, ifnamsiz, p->errbuf); 2124 if (status != BPF_BIND_SUCCEEDED) { 2125 if (status == BPF_BIND_BUFFER_TOO_BIG) { 2126 /* 2127 * The requested buffer size 2128 * is too big. Fail. 2129 * 2130 * XXX - should we do the "keep cutting 2131 * the buffer size in half" loop here if 2132 * we're using the default buffer size? 2133 */ 2134 status = PCAP_ERROR; 2135 } 2136 goto bad; 2137 } 2138 v = pb->zbufsize - sizeof(struct bpf_zbuf_header); 2139 } else 2140 #endif 2141 { 2142 /* 2143 * We don't have zerocopy BPF. 2144 * Set the buffer size. 2145 */ 2146 if (p->opt.buffer_size != 0) { 2147 /* 2148 * A buffer size was explicitly specified; use it. 2149 */ 2150 if (ioctl(fd, BIOCSBLEN, 2151 (caddr_t)&p->opt.buffer_size) < 0) { 2152 pcap_fmt_errmsg_for_errno(p->errbuf, 2153 PCAP_ERRBUF_SIZE, errno, 2154 "BIOCSBLEN: %s", p->opt.device); 2155 status = PCAP_ERROR; 2156 goto bad; 2157 } 2158 2159 /* 2160 * Now bind to the device. 2161 */ 2162 status = bpf_bind(fd, p->opt.device, p->errbuf); 2163 if (status != BPF_BIND_SUCCEEDED) { 2164 if (status == BPF_BIND_BUFFER_TOO_BIG) { 2165 /* 2166 * The requested buffer size 2167 * is too big. Fail. 2168 */ 2169 status = PCAP_ERROR; 2170 goto bad; 2171 } 2172 2173 /* 2174 * Special checks on macOS to deal with 2175 * the way monitor mode was done on 2176 * 10.4 Tiger. 2177 */ 2178 status = check_setif_failure(p, status); 2179 goto bad; 2180 } 2181 } else { 2182 /* 2183 * No buffer size was explicitly specified. 2184 * 2185 * Try finding a good size for the buffer; 2186 * DEFAULT_BUFSIZE may be too big, so keep 2187 * cutting it in half until we find a size 2188 * that works, or run out of sizes to try. 2189 * If the default is larger, don't make it smaller. 2190 */ 2191 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || 2192 v < DEFAULT_BUFSIZE) 2193 v = DEFAULT_BUFSIZE; 2194 for ( ; v != 0; v >>= 1) { 2195 /* 2196 * Ignore the return value - this is because the 2197 * call fails on BPF systems that don't have 2198 * kernel malloc. And if the call fails, it's 2199 * no big deal, we just continue to use the 2200 * standard buffer size. 2201 */ 2202 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v); 2203 2204 status = bpf_bind(fd, p->opt.device, p->errbuf); 2205 if (status == BPF_BIND_SUCCEEDED) 2206 break; /* that size worked; we're done */ 2207 2208 /* 2209 * If the attempt failed because the 2210 * buffer was too big, cut the buffer 2211 * size in half and try again. 2212 * 2213 * Otherwise, fail. 2214 */ 2215 if (status != BPF_BIND_BUFFER_TOO_BIG) { 2216 /* 2217 * Special checks on macOS to deal 2218 * with the way monitor mode was 2219 * done on 10.4 Tiger. 2220 */ 2221 status = check_setif_failure(p, status); 2222 goto bad; 2223 } 2224 } 2225 2226 if (v == 0) { 2227 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 2228 "BIOCSBLEN: %s: No buffer size worked", 2229 p->opt.device); 2230 status = PCAP_ERROR; 2231 goto bad; 2232 } 2233 } 2234 } 2235 2236 /* Get the data link layer type. */ 2237 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) { 2238 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2239 errno, "BIOCGDLT"); 2240 status = PCAP_ERROR; 2241 goto bad; 2242 } 2243 2244 #ifdef _AIX 2245 /* 2246 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT. 2247 */ 2248 switch (v) { 2249 2250 case IFT_ETHER: 2251 case IFT_ISO88023: 2252 v = DLT_EN10MB; 2253 break; 2254 2255 case IFT_FDDI: 2256 v = DLT_FDDI; 2257 break; 2258 2259 case IFT_ISO88025: 2260 v = DLT_IEEE802; 2261 break; 2262 2263 case IFT_LOOP: 2264 v = DLT_NULL; 2265 break; 2266 2267 default: 2268 /* 2269 * We don't know what to map this to yet. 2270 */ 2271 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "unknown interface type %u", 2272 v); 2273 status = PCAP_ERROR; 2274 goto bad; 2275 } 2276 #endif 2277 #if _BSDI_VERSION - 0 >= 199510 2278 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */ 2279 switch (v) { 2280 2281 case DLT_SLIP: 2282 v = DLT_SLIP_BSDOS; 2283 break; 2284 2285 case DLT_PPP: 2286 v = DLT_PPP_BSDOS; 2287 break; 2288 2289 case 11: /*DLT_FR*/ 2290 v = DLT_FRELAY; 2291 break; 2292 2293 case 12: /*DLT_C_HDLC*/ 2294 v = DLT_CHDLC; 2295 break; 2296 } 2297 #endif 2298 2299 #ifdef BIOCGDLTLIST 2300 /* 2301 * We know the default link type -- now determine all the DLTs 2302 * this interface supports. If this fails with EINVAL, it's 2303 * not fatal; we just don't get to use the feature later. 2304 */ 2305 if (get_dlt_list(fd, v, &bdl, p->errbuf) == -1) { 2306 status = PCAP_ERROR; 2307 goto bad; 2308 } 2309 p->dlt_count = bdl.bfl_len; 2310 p->dlt_list = bdl.bfl_list; 2311 2312 #ifdef __APPLE__ 2313 /* 2314 * Monitor mode fun, continued. 2315 * 2316 * For 10.5 and, we're assuming, later releases, as noted above, 2317 * 802.1 adapters that support monitor mode offer both DLT_EN10MB, 2318 * DLT_IEEE802_11, and possibly some 802.11-plus-radio-information 2319 * DLT_ value. Choosing one of the 802.11 DLT_ values will turn 2320 * monitor mode on. 2321 * 2322 * Therefore, if the user asked for monitor mode, we filter out 2323 * the DLT_EN10MB value, as you can't get that in monitor mode, 2324 * and, if the user didn't ask for monitor mode, we filter out 2325 * the 802.11 DLT_ values, because selecting those will turn 2326 * monitor mode on. Then, for monitor mode, if an 802.11-plus- 2327 * radio DLT_ value is offered, we try to select that, otherwise 2328 * we try to select DLT_IEEE802_11. 2329 */ 2330 if (have_osinfo) { 2331 if (PCAP_ISDIGIT((unsigned)osinfo.release[0]) && 2332 (osinfo.release[0] == '9' || 2333 PCAP_ISDIGIT((unsigned)osinfo.release[1]))) { 2334 /* 2335 * 10.5 (Darwin 9.x), or later. 2336 */ 2337 new_dlt = find_802_11(&bdl); 2338 if (new_dlt != -1) { 2339 /* 2340 * We have at least one 802.11 DLT_ value, 2341 * so this is an 802.11 interface. 2342 * new_dlt is the best of the 802.11 2343 * DLT_ values in the list. 2344 */ 2345 if (p->opt.rfmon) { 2346 /* 2347 * Our caller wants monitor mode. 2348 * Purge DLT_EN10MB from the list 2349 * of link-layer types, as selecting 2350 * it will keep monitor mode off. 2351 */ 2352 remove_non_802_11(p); 2353 2354 /* 2355 * If the new mode we want isn't 2356 * the default mode, attempt to 2357 * select the new mode. 2358 */ 2359 if ((u_int)new_dlt != v) { 2360 if (ioctl(p->fd, BIOCSDLT, 2361 &new_dlt) != -1) { 2362 /* 2363 * We succeeded; 2364 * make this the 2365 * new DLT_ value. 2366 */ 2367 v = new_dlt; 2368 } 2369 } 2370 } else { 2371 /* 2372 * Our caller doesn't want 2373 * monitor mode. Unless this 2374 * is being done by pcap_open_live(), 2375 * purge the 802.11 link-layer types 2376 * from the list, as selecting 2377 * one of them will turn monitor 2378 * mode on. 2379 */ 2380 if (!p->oldstyle) 2381 remove_802_11(p); 2382 } 2383 } else { 2384 if (p->opt.rfmon) { 2385 /* 2386 * The caller requested monitor 2387 * mode, but we have no 802.11 2388 * link-layer types, so they 2389 * can't have it. 2390 */ 2391 status = PCAP_ERROR_RFMON_NOTSUP; 2392 goto bad; 2393 } 2394 } 2395 } 2396 } 2397 #elif defined(HAVE_BSD_IEEE80211) 2398 /* 2399 * *BSD with the new 802.11 ioctls. 2400 * Do we want monitor mode? 2401 */ 2402 if (p->opt.rfmon) { 2403 /* 2404 * Try to put the interface into monitor mode. 2405 */ 2406 retv = monitor_mode(p, 1); 2407 if (retv != 0) { 2408 /* 2409 * We failed. 2410 */ 2411 status = retv; 2412 goto bad; 2413 } 2414 2415 /* 2416 * We're in monitor mode. 2417 * Try to find the best 802.11 DLT_ value and, if we 2418 * succeed, try to switch to that mode if we're not 2419 * already in that mode. 2420 */ 2421 new_dlt = find_802_11(&bdl); 2422 if (new_dlt != (unsigned)-1) { 2423 /* 2424 * We have at least one 802.11 DLT_ value. 2425 * new_dlt is the best of the 802.11 2426 * DLT_ values in the list. 2427 * 2428 * If the new mode we want isn't the default mode, 2429 * attempt to select the new mode. 2430 */ 2431 if ((u_int)new_dlt != v) { 2432 if (ioctl(p->fd, BIOCSDLT, &new_dlt) != -1) { 2433 /* 2434 * We succeeded; make this the 2435 * new DLT_ value. 2436 */ 2437 v = new_dlt; 2438 } 2439 } 2440 } 2441 } 2442 #endif /* various platforms */ 2443 #endif /* BIOCGDLTLIST */ 2444 2445 /* 2446 * If this is an Ethernet device, and we don't have a DLT_ list, 2447 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give 2448 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to 2449 * do, but there's not much we can do about that without finding 2450 * some other way of determining whether it's an Ethernet or 802.11 2451 * device.) 2452 */ 2453 if (v == DLT_EN10MB && p->dlt_count == 0) { 2454 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2); 2455 /* 2456 * If that fails, just leave the list empty. 2457 */ 2458 if (p->dlt_list != NULL) { 2459 p->dlt_list[0] = DLT_EN10MB; 2460 p->dlt_list[1] = DLT_DOCSIS; 2461 p->dlt_count = 2; 2462 } 2463 } 2464 #ifdef PCAP_FDDIPAD 2465 if (v == DLT_FDDI) 2466 p->fddipad = PCAP_FDDIPAD; 2467 else 2468 #endif 2469 p->fddipad = 0; 2470 p->linktype = v; 2471 2472 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT) 2473 /* 2474 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so 2475 * the link-layer source address isn't forcibly overwritten. 2476 * (Should we ignore errors? Should we do this only if 2477 * we're open for writing?) 2478 * 2479 * XXX - I seem to remember some packet-sending bug in some 2480 * BSDs - check CVS log for "bpf.c"? 2481 */ 2482 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) { 2483 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2484 errno, "BIOCSHDRCMPLT"); 2485 status = PCAP_ERROR; 2486 goto bad; 2487 } 2488 #endif 2489 /* set timeout */ 2490 #ifdef HAVE_ZEROCOPY_BPF 2491 /* 2492 * In zero-copy mode, we just use the timeout in select(). 2493 * XXX - what if we're in non-blocking mode and the *application* 2494 * is using select() or poll() or kqueues or....? 2495 */ 2496 if (p->opt.timeout && !pb->zerocopy) { 2497 #else 2498 if (p->opt.timeout) { 2499 #endif 2500 /* 2501 * XXX - is this seconds/nanoseconds in AIX? 2502 * (Treating it as such doesn't fix the timeout 2503 * problem described below.) 2504 * 2505 * XXX - Mac OS X 10.6 mishandles BIOCSRTIMEOUT in 2506 * 64-bit userland - it takes, as an argument, a 2507 * "struct BPF_TIMEVAL", which has 32-bit tv_sec 2508 * and tv_usec, rather than a "struct timeval". 2509 * 2510 * If this platform defines "struct BPF_TIMEVAL", 2511 * we check whether the structure size in BIOCSRTIMEOUT 2512 * is that of a "struct timeval" and, if not, we use 2513 * a "struct BPF_TIMEVAL" rather than a "struct timeval". 2514 * (That way, if the bug is fixed in a future release, 2515 * we will still do the right thing.) 2516 */ 2517 struct timeval to; 2518 #ifdef HAVE_STRUCT_BPF_TIMEVAL 2519 struct BPF_TIMEVAL bpf_to; 2520 2521 if (IOCPARM_LEN(BIOCSRTIMEOUT) != sizeof(struct timeval)) { 2522 bpf_to.tv_sec = p->opt.timeout / 1000; 2523 bpf_to.tv_usec = (p->opt.timeout * 1000) % 1000000; 2524 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&bpf_to) < 0) { 2525 pcap_fmt_errmsg_for_errno(p->errbuf, 2526 errno, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT"); 2527 status = PCAP_ERROR; 2528 goto bad; 2529 } 2530 } else { 2531 #endif 2532 to.tv_sec = p->opt.timeout / 1000; 2533 to.tv_usec = (p->opt.timeout * 1000) % 1000000; 2534 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) { 2535 pcap_fmt_errmsg_for_errno(p->errbuf, 2536 errno, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT"); 2537 status = PCAP_ERROR; 2538 goto bad; 2539 } 2540 #ifdef HAVE_STRUCT_BPF_TIMEVAL 2541 } 2542 #endif 2543 } 2544 2545 #ifdef BIOCIMMEDIATE 2546 /* 2547 * Darren Reed notes that 2548 * 2549 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the 2550 * timeout appears to be ignored and it waits until the buffer 2551 * is filled before returning. The result of not having it 2552 * set is almost worse than useless if your BPF filter 2553 * is reducing things to only a few packets (i.e. one every 2554 * second or so). 2555 * 2556 * so we always turn BIOCIMMEDIATE mode on if this is AIX. 2557 * 2558 * For other platforms, we don't turn immediate mode on by default, 2559 * as that would mean we get woken up for every packet, which 2560 * probably isn't what you want for a packet sniffer. 2561 * 2562 * We set immediate mode if the caller requested it by calling 2563 * pcap_set_immediate() before calling pcap_activate(). 2564 */ 2565 #ifndef _AIX 2566 if (p->opt.immediate) { 2567 #endif /* _AIX */ 2568 v = 1; 2569 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) { 2570 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2571 errno, "BIOCIMMEDIATE"); 2572 status = PCAP_ERROR; 2573 goto bad; 2574 } 2575 #ifndef _AIX 2576 } 2577 #endif /* _AIX */ 2578 #else /* BIOCIMMEDIATE */ 2579 if (p->opt.immediate) { 2580 /* 2581 * We don't support immediate mode. Fail. 2582 */ 2583 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Immediate mode not supported"); 2584 status = PCAP_ERROR; 2585 goto bad; 2586 } 2587 #endif /* BIOCIMMEDIATE */ 2588 2589 if (p->opt.promisc) { 2590 /* set promiscuous mode, just warn if it fails */ 2591 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) { 2592 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2593 errno, "BIOCPROMISC"); 2594 status = PCAP_WARNING_PROMISC_NOTSUP; 2595 } 2596 } 2597 2598 #ifdef BIOCSTSTAMP 2599 v = BPF_T_BINTIME; 2600 if (ioctl(p->fd, BIOCSTSTAMP, &v) < 0) { 2601 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2602 errno, "BIOCSTSTAMP"); 2603 status = PCAP_ERROR; 2604 goto bad; 2605 } 2606 #endif /* BIOCSTSTAMP */ 2607 2608 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) { 2609 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2610 errno, "BIOCGBLEN"); 2611 status = PCAP_ERROR; 2612 goto bad; 2613 } 2614 p->bufsize = v; 2615 #ifdef HAVE_ZEROCOPY_BPF 2616 if (!pb->zerocopy) { 2617 #endif 2618 p->buffer = malloc(p->bufsize); 2619 if (p->buffer == NULL) { 2620 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2621 errno, "malloc"); 2622 status = PCAP_ERROR; 2623 goto bad; 2624 } 2625 #ifdef _AIX 2626 /* For some strange reason this seems to prevent the EFAULT 2627 * problems we have experienced from AIX BPF. */ 2628 memset(p->buffer, 0x0, p->bufsize); 2629 #endif 2630 #ifdef HAVE_ZEROCOPY_BPF 2631 } 2632 #endif 2633 2634 /* 2635 * If there's no filter program installed, there's 2636 * no indication to the kernel of what the snapshot 2637 * length should be, so no snapshotting is done. 2638 * 2639 * Therefore, when we open the device, we install 2640 * an "accept everything" filter with the specified 2641 * snapshot length. 2642 */ 2643 total_insn.code = (u_short)(BPF_RET | BPF_K); 2644 total_insn.jt = 0; 2645 total_insn.jf = 0; 2646 total_insn.k = p->snapshot; 2647 2648 total_prog.bf_len = 1; 2649 total_prog.bf_insns = &total_insn; 2650 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) { 2651 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 2652 errno, "BIOCSETF"); 2653 status = PCAP_ERROR; 2654 goto bad; 2655 } 2656 2657 /* 2658 * On most BPF platforms, either you can do a "select()" or 2659 * "poll()" on a BPF file descriptor and it works correctly, 2660 * or you can do it and it will return "readable" if the 2661 * hold buffer is full but not if the timeout expires *and* 2662 * a non-blocking read will, if the hold buffer is empty 2663 * but the store buffer isn't empty, rotate the buffers 2664 * and return what packets are available. 2665 * 2666 * In the latter case, the fact that a non-blocking read 2667 * will give you the available packets means you can work 2668 * around the failure of "select()" and "poll()" to wake up 2669 * and return "readable" when the timeout expires by using 2670 * the timeout as the "select()" or "poll()" timeout, putting 2671 * the BPF descriptor into non-blocking mode, and read from 2672 * it regardless of whether "select()" reports it as readable 2673 * or not. 2674 * 2675 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()" 2676 * won't wake up and return "readable" if the timer expires 2677 * and non-blocking reads return EWOULDBLOCK if the hold 2678 * buffer is empty, even if the store buffer is non-empty. 2679 * 2680 * This means the workaround in question won't work. 2681 * 2682 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd" 2683 * to -1, which means "sorry, you can't use 'select()' or 'poll()' 2684 * here". On all other BPF platforms, we set it to the FD for 2685 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking 2686 * read will, if the hold buffer is empty and the store buffer 2687 * isn't empty, rotate the buffers and return what packets are 2688 * there (and in sufficiently recent versions of OpenBSD 2689 * "select()" and "poll()" should work correctly). 2690 * 2691 * XXX - what about AIX? 2692 */ 2693 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */ 2694 if (have_osinfo) { 2695 /* 2696 * We can check what OS this is. 2697 */ 2698 if (strcmp(osinfo.sysname, "FreeBSD") == 0) { 2699 if (strncmp(osinfo.release, "4.3-", 4) == 0 || 2700 strncmp(osinfo.release, "4.4-", 4) == 0) 2701 p->selectable_fd = -1; 2702 } 2703 } 2704 2705 p->read_op = pcap_read_bpf; 2706 p->inject_op = pcap_inject_bpf; 2707 p->setfilter_op = pcap_setfilter_bpf; 2708 p->setdirection_op = pcap_setdirection_bpf; 2709 p->set_datalink_op = pcap_set_datalink_bpf; 2710 p->getnonblock_op = pcap_getnonblock_bpf; 2711 p->setnonblock_op = pcap_setnonblock_bpf; 2712 p->stats_op = pcap_stats_bpf; 2713 p->cleanup_op = pcap_cleanup_bpf; 2714 2715 return (status); 2716 bad: 2717 pcap_cleanup_bpf(p); 2718 return (status); 2719 } 2720 2721 /* 2722 * Not all interfaces can be bound to by BPF, so try to bind to 2723 * the specified interface; return 0 if we fail with 2724 * PCAP_ERROR_NO_SUCH_DEVICE (which means we got an ENXIO when we tried 2725 * to bind, which means this interface isn't in the list of interfaces 2726 * attached to BPF) and 1 otherwise. 2727 */ 2728 static int 2729 check_bpf_bindable(const char *name) 2730 { 2731 int fd; 2732 char errbuf[PCAP_ERRBUF_SIZE]; 2733 2734 /* 2735 * On macOS, we don't do this check if the device name begins 2736 * with "wlt"; at least some versions of macOS (actually, it 2737 * was called "Mac OS X" then...) offer monitor mode capturing 2738 * by having a separate "monitor mode" device for each wireless 2739 * adapter, rather than by implementing the ioctls that 2740 * {Free,Net,Open,DragonFly}BSD provide. Opening that device 2741 * puts the adapter into monitor mode, which, at least for 2742 * some adapters, causes them to deassociate from the network 2743 * with which they're associated. 2744 * 2745 * Instead, we try to open the corresponding "en" device (so 2746 * that we don't end up with, for users without sufficient 2747 * privilege to open capture devices, a list of adapters that 2748 * only includes the wlt devices). 2749 */ 2750 #ifdef __APPLE__ 2751 if (strncmp(name, "wlt", 3) == 0) { 2752 char *en_name; 2753 size_t en_name_len; 2754 2755 /* 2756 * Try to allocate a buffer for the "en" 2757 * device's name. 2758 */ 2759 en_name_len = strlen(name) - 1; 2760 en_name = malloc(en_name_len + 1); 2761 if (en_name == NULL) { 2762 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, 2763 errno, "malloc"); 2764 return (-1); 2765 } 2766 strcpy(en_name, "en"); 2767 strcat(en_name, name + 3); 2768 fd = bpf_open_and_bind(en_name, errbuf); 2769 free(en_name); 2770 } else 2771 #endif /* __APPLE */ 2772 fd = bpf_open_and_bind(name, errbuf); 2773 if (fd < 0) { 2774 /* 2775 * Error - was it PCAP_ERROR_NO_SUCH_DEVICE? 2776 */ 2777 if (fd == PCAP_ERROR_NO_SUCH_DEVICE) { 2778 /* 2779 * Yes, so we can't bind to this because it's 2780 * not something supported by BPF. 2781 */ 2782 return (0); 2783 } 2784 /* 2785 * No, so we don't know whether it's supported or not; 2786 * say it is, so that the user can at least try to 2787 * open it and report the error (which is probably 2788 * "you don't have permission to open BPF devices"; 2789 * reporting those interfaces means users will ask 2790 * "why am I getting a permissions error when I try 2791 * to capture" rather than "why am I not seeing any 2792 * interfaces", making the underlying problem clearer). 2793 */ 2794 return (1); 2795 } 2796 2797 /* 2798 * Success. 2799 */ 2800 close(fd); 2801 return (1); 2802 } 2803 2804 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2) 2805 static int 2806 get_usb_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_) 2807 { 2808 /* 2809 * XXX - if there's a way to determine whether there's something 2810 * plugged into a given USB bus, use that to determine whether 2811 * this device is "connected" or not. 2812 */ 2813 return (0); 2814 } 2815 2816 static int 2817 finddevs_usb(pcap_if_list_t *devlistp, char *errbuf) 2818 { 2819 DIR *usbdir; 2820 struct dirent *usbitem; 2821 size_t name_max; 2822 char *name; 2823 2824 /* 2825 * We might have USB sniffing support, so try looking for USB 2826 * interfaces. 2827 * 2828 * We want to report a usbusN device for each USB bus, but 2829 * usbusN interfaces might, or might not, exist for them - 2830 * we create one if there isn't already one. 2831 * 2832 * So, instead, we look in /dev/usb for all buses and create 2833 * a "usbusN" device for each one. 2834 */ 2835 usbdir = opendir("/dev/usb"); 2836 if (usbdir == NULL) { 2837 /* 2838 * Just punt. 2839 */ 2840 return (0); 2841 } 2842 2843 /* 2844 * Leave enough room for a 32-bit (10-digit) bus number. 2845 * Yes, that's overkill, but we won't be using 2846 * the buffer very long. 2847 */ 2848 name_max = USBUS_PREFIX_LEN + 10 + 1; 2849 name = malloc(name_max); 2850 if (name == NULL) { 2851 closedir(usbdir); 2852 return (0); 2853 } 2854 while ((usbitem = readdir(usbdir)) != NULL) { 2855 char *p; 2856 size_t busnumlen; 2857 2858 if (strcmp(usbitem->d_name, ".") == 0 || 2859 strcmp(usbitem->d_name, "..") == 0) { 2860 /* 2861 * Ignore these. 2862 */ 2863 continue; 2864 } 2865 p = strchr(usbitem->d_name, '.'); 2866 if (p == NULL) 2867 continue; 2868 busnumlen = p - usbitem->d_name; 2869 memcpy(name, usbus_prefix, USBUS_PREFIX_LEN); 2870 memcpy(name + USBUS_PREFIX_LEN, usbitem->d_name, busnumlen); 2871 *(name + USBUS_PREFIX_LEN + busnumlen) = '\0'; 2872 /* 2873 * There's an entry in this directory for every USB device, 2874 * not for every bus; if there's more than one device on 2875 * the bus, there'll be more than one entry for that bus, 2876 * so we need to avoid adding multiple capture devices 2877 * for each bus. 2878 */ 2879 if (find_or_add_dev(devlistp, name, PCAP_IF_UP, 2880 get_usb_if_flags, NULL, errbuf) == NULL) { 2881 free(name); 2882 closedir(usbdir); 2883 return (PCAP_ERROR); 2884 } 2885 } 2886 free(name); 2887 closedir(usbdir); 2888 return (0); 2889 } 2890 #endif 2891 2892 /* 2893 * Get additional flags for a device, using SIOCGIFMEDIA. 2894 */ 2895 #ifdef SIOCGIFMEDIA 2896 static int 2897 get_if_flags(const char *name, bpf_u_int32 *flags, char *errbuf) 2898 { 2899 int sock; 2900 struct ifmediareq req; 2901 2902 sock = socket(AF_INET, SOCK_DGRAM, 0); 2903 if (sock == -1) { 2904 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, errno, 2905 "Can't create socket to get media information for %s", 2906 name); 2907 return (-1); 2908 } 2909 memset(&req, 0, sizeof(req)); 2910 pcap_strlcpy(req.ifm_name, name, sizeof(req.ifm_name)); 2911 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 2912 if (errno == EOPNOTSUPP || errno == EINVAL || errno == ENOTTY || 2913 errno == ENODEV || errno == EPERM 2914 #ifdef EPWROFF 2915 || errno == EPWROFF 2916 #endif 2917 ) { 2918 /* 2919 * Not supported, so we can't provide any 2920 * additional information. Assume that 2921 * this means that "connected" vs. 2922 * "disconnected" doesn't apply. 2923 * 2924 * The ioctl routine for Apple's pktap devices, 2925 * annoyingly, checks for "are you root?" before 2926 * checking whether the ioctl is valid, so it 2927 * returns EPERM, rather than ENOTSUP, for the 2928 * invalid SIOCGIFMEDIA, unless you're root. 2929 * So, just as we do for some ethtool ioctls 2930 * on Linux, which makes the same mistake, we 2931 * also treat EPERM as meaning "not supported". 2932 * 2933 * And it appears that Apple's llw0 device, which 2934 * appears to be part of the Skywalk subsystem: 2935 * 2936 * http://newosxbook.com/bonus/vol1ch16.html 2937 * 2938 * can sometimes return EPWROFF ("Device power 2939 * is off") for that ioctl, so we treat *that* 2940 * as another indication that we can't get a 2941 * connection status. (If it *isn't* "powered 2942 * off", it's reported as a wireless device, 2943 * complete with an active/inactive state.) 2944 */ 2945 *flags |= PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE; 2946 close(sock); 2947 return (0); 2948 } 2949 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE, errno, 2950 "SIOCGIFMEDIA on %s failed", name); 2951 close(sock); 2952 return (-1); 2953 } 2954 close(sock); 2955 2956 /* 2957 * OK, what type of network is this? 2958 */ 2959 switch (IFM_TYPE(req.ifm_active)) { 2960 2961 case IFM_IEEE80211: 2962 /* 2963 * Wireless. 2964 */ 2965 *flags |= PCAP_IF_WIRELESS; 2966 break; 2967 } 2968 2969 /* 2970 * Do we know whether it's connected? 2971 */ 2972 if (req.ifm_status & IFM_AVALID) { 2973 /* 2974 * Yes. 2975 */ 2976 if (req.ifm_status & IFM_ACTIVE) { 2977 /* 2978 * It's connected. 2979 */ 2980 *flags |= PCAP_IF_CONNECTION_STATUS_CONNECTED; 2981 } else { 2982 /* 2983 * It's disconnected. 2984 */ 2985 *flags |= PCAP_IF_CONNECTION_STATUS_DISCONNECTED; 2986 } 2987 } 2988 return (0); 2989 } 2990 #else 2991 static int 2992 get_if_flags(const char *name _U_, bpf_u_int32 *flags, char *errbuf _U_) 2993 { 2994 /* 2995 * Nothing we can do other than mark loopback devices as "the 2996 * connected/disconnected status doesn't apply". 2997 * 2998 * XXX - on Solaris, can we do what the dladm command does, 2999 * i.e. get a connected/disconnected indication from a kstat? 3000 * (Note that you can also get the link speed, and possibly 3001 * other information, from a kstat as well.) 3002 */ 3003 if (*flags & PCAP_IF_LOOPBACK) { 3004 /* 3005 * Loopback devices aren't wireless, and "connected"/ 3006 * "disconnected" doesn't apply to them. 3007 */ 3008 *flags |= PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE; 3009 return (0); 3010 } 3011 return (0); 3012 } 3013 #endif 3014 3015 int 3016 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf) 3017 { 3018 /* 3019 * Get the list of regular interfaces first. 3020 */ 3021 if (pcap_findalldevs_interfaces(devlistp, errbuf, check_bpf_bindable, 3022 get_if_flags) == -1) 3023 return (-1); /* failure */ 3024 3025 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2) 3026 if (finddevs_usb(devlistp, errbuf) == -1) 3027 return (-1); 3028 #endif 3029 3030 return (0); 3031 } 3032 3033 #ifdef HAVE_BSD_IEEE80211 3034 static int 3035 monitor_mode(pcap_t *p, int set) 3036 { 3037 struct pcap_bpf *pb = p->priv; 3038 int sock; 3039 struct ifmediareq req; 3040 IFM_ULIST_TYPE *media_list; 3041 int i; 3042 int can_do; 3043 struct ifreq ifr; 3044 3045 sock = socket(AF_INET, SOCK_DGRAM, 0); 3046 if (sock == -1) { 3047 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 3048 errno, "can't open socket"); 3049 return (PCAP_ERROR); 3050 } 3051 3052 memset(&req, 0, sizeof req); 3053 pcap_strlcpy(req.ifm_name, p->opt.device, sizeof req.ifm_name); 3054 3055 /* 3056 * Find out how many media types we have. 3057 */ 3058 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 3059 /* 3060 * Can't get the media types. 3061 */ 3062 switch (errno) { 3063 3064 case ENXIO: 3065 /* 3066 * There's no such device. 3067 * 3068 * There's nothing more to say, so clear the 3069 * error message. 3070 */ 3071 p->errbuf[0] = '\0'; 3072 close(sock); 3073 return (PCAP_ERROR_NO_SUCH_DEVICE); 3074 3075 case EINVAL: 3076 /* 3077 * Interface doesn't support SIOC{G,S}IFMEDIA. 3078 */ 3079 close(sock); 3080 return (PCAP_ERROR_RFMON_NOTSUP); 3081 3082 default: 3083 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 3084 errno, "SIOCGIFMEDIA"); 3085 close(sock); 3086 return (PCAP_ERROR); 3087 } 3088 } 3089 if (req.ifm_count == 0) { 3090 /* 3091 * No media types. 3092 */ 3093 close(sock); 3094 return (PCAP_ERROR_RFMON_NOTSUP); 3095 } 3096 3097 /* 3098 * Allocate a buffer to hold all the media types, and 3099 * get the media types. 3100 */ 3101 media_list = malloc(req.ifm_count * sizeof(*media_list)); 3102 if (media_list == NULL) { 3103 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 3104 errno, "malloc"); 3105 close(sock); 3106 return (PCAP_ERROR); 3107 } 3108 req.ifm_ulist = media_list; 3109 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) { 3110 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 3111 errno, "SIOCGIFMEDIA"); 3112 free(media_list); 3113 close(sock); 3114 return (PCAP_ERROR); 3115 } 3116 3117 /* 3118 * Look for an 802.11 "automatic" media type. 3119 * We assume that all 802.11 adapters have that media type, 3120 * and that it will carry the monitor mode supported flag. 3121 */ 3122 can_do = 0; 3123 for (i = 0; i < req.ifm_count; i++) { 3124 if (IFM_TYPE(media_list[i]) == IFM_IEEE80211 3125 && IFM_SUBTYPE(media_list[i]) == IFM_AUTO) { 3126 /* OK, does it do monitor mode? */ 3127 if (media_list[i] & IFM_IEEE80211_MONITOR) { 3128 can_do = 1; 3129 break; 3130 } 3131 } 3132 } 3133 free(media_list); 3134 if (!can_do) { 3135 /* 3136 * This adapter doesn't support monitor mode. 3137 */ 3138 close(sock); 3139 return (PCAP_ERROR_RFMON_NOTSUP); 3140 } 3141 3142 if (set) { 3143 /* 3144 * Don't just check whether we can enable monitor mode, 3145 * do so, if it's not already enabled. 3146 */ 3147 if ((req.ifm_current & IFM_IEEE80211_MONITOR) == 0) { 3148 /* 3149 * Monitor mode isn't currently on, so turn it on, 3150 * and remember that we should turn it off when the 3151 * pcap_t is closed. 3152 */ 3153 3154 /* 3155 * If we haven't already done so, arrange to have 3156 * "pcap_close_all()" called when we exit. 3157 */ 3158 if (!pcap_do_addexit(p)) { 3159 /* 3160 * "atexit()" failed; don't put the interface 3161 * in monitor mode, just give up. 3162 */ 3163 close(sock); 3164 return (PCAP_ERROR); 3165 } 3166 memset(&ifr, 0, sizeof(ifr)); 3167 (void)pcap_strlcpy(ifr.ifr_name, p->opt.device, 3168 sizeof(ifr.ifr_name)); 3169 ifr.ifr_media = req.ifm_current | IFM_IEEE80211_MONITOR; 3170 if (ioctl(sock, SIOCSIFMEDIA, &ifr) == -1) { 3171 pcap_fmt_errmsg_for_errno(p->errbuf, 3172 PCAP_ERRBUF_SIZE, errno, "SIOCSIFMEDIA"); 3173 close(sock); 3174 return (PCAP_ERROR); 3175 } 3176 3177 pb->must_do_on_close |= MUST_CLEAR_RFMON; 3178 3179 /* 3180 * Add this to the list of pcaps to close when we exit. 3181 */ 3182 pcap_add_to_pcaps_to_close(p); 3183 } 3184 } 3185 return (0); 3186 } 3187 #endif /* HAVE_BSD_IEEE80211 */ 3188 3189 #if defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) 3190 /* 3191 * Check whether we have any 802.11 link-layer types; return the best 3192 * of the 802.11 link-layer types if we find one, and return -1 3193 * otherwise. 3194 * 3195 * DLT_IEEE802_11_RADIO, with the radiotap header, is considered the 3196 * best 802.11 link-layer type; any of the other 802.11-plus-radio 3197 * headers are second-best; 802.11 with no radio information is 3198 * the least good. 3199 */ 3200 static int 3201 find_802_11(struct bpf_dltlist *bdlp) 3202 { 3203 int new_dlt; 3204 u_int i; 3205 3206 /* 3207 * Scan the list of DLT_ values, looking for 802.11 values, 3208 * and, if we find any, choose the best of them. 3209 */ 3210 new_dlt = -1; 3211 for (i = 0; i < bdlp->bfl_len; i++) { 3212 switch (bdlp->bfl_list[i]) { 3213 3214 case DLT_IEEE802_11: 3215 /* 3216 * 802.11, but no radio. 3217 * 3218 * Offer this, and select it as the new mode 3219 * unless we've already found an 802.11 3220 * header with radio information. 3221 */ 3222 if (new_dlt == -1) 3223 new_dlt = bdlp->bfl_list[i]; 3224 break; 3225 3226 #ifdef DLT_PRISM_HEADER 3227 case DLT_PRISM_HEADER: 3228 #endif 3229 #ifdef DLT_AIRONET_HEADER 3230 case DLT_AIRONET_HEADER: 3231 #endif 3232 case DLT_IEEE802_11_RADIO_AVS: 3233 /* 3234 * 802.11 with radio, but not radiotap. 3235 * 3236 * Offer this, and select it as the new mode 3237 * unless we've already found the radiotap DLT_. 3238 */ 3239 if (new_dlt != DLT_IEEE802_11_RADIO) 3240 new_dlt = bdlp->bfl_list[i]; 3241 break; 3242 3243 case DLT_IEEE802_11_RADIO: 3244 /* 3245 * 802.11 with radiotap. 3246 * 3247 * Offer this, and select it as the new mode. 3248 */ 3249 new_dlt = bdlp->bfl_list[i]; 3250 break; 3251 3252 default: 3253 /* 3254 * Not 802.11. 3255 */ 3256 break; 3257 } 3258 } 3259 3260 return (new_dlt); 3261 } 3262 #endif /* defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) */ 3263 3264 #if defined(__APPLE__) && defined(BIOCGDLTLIST) 3265 /* 3266 * Remove non-802.11 header types from the list of DLT_ values, as we're in 3267 * monitor mode, and those header types aren't supported in monitor mode. 3268 */ 3269 static void 3270 remove_non_802_11(pcap_t *p) 3271 { 3272 int i, j; 3273 3274 /* 3275 * Scan the list of DLT_ values and discard non-802.11 ones. 3276 */ 3277 j = 0; 3278 for (i = 0; i < p->dlt_count; i++) { 3279 switch (p->dlt_list[i]) { 3280 3281 case DLT_EN10MB: 3282 case DLT_RAW: 3283 /* 3284 * Not 802.11. Don't offer this one. 3285 */ 3286 continue; 3287 3288 default: 3289 /* 3290 * Just copy this mode over. 3291 */ 3292 break; 3293 } 3294 3295 /* 3296 * Copy this DLT_ value to its new position. 3297 */ 3298 p->dlt_list[j] = p->dlt_list[i]; 3299 j++; 3300 } 3301 3302 /* 3303 * Set the DLT_ count to the number of entries we copied. 3304 */ 3305 p->dlt_count = j; 3306 } 3307 3308 /* 3309 * Remove 802.11 link-layer types from the list of DLT_ values, as 3310 * we're not in monitor mode, and those DLT_ values will switch us 3311 * to monitor mode. 3312 */ 3313 static void 3314 remove_802_11(pcap_t *p) 3315 { 3316 int i, j; 3317 3318 /* 3319 * Scan the list of DLT_ values and discard 802.11 values. 3320 */ 3321 j = 0; 3322 for (i = 0; i < p->dlt_count; i++) { 3323 switch (p->dlt_list[i]) { 3324 3325 case DLT_IEEE802_11: 3326 #ifdef DLT_PRISM_HEADER 3327 case DLT_PRISM_HEADER: 3328 #endif 3329 #ifdef DLT_AIRONET_HEADER 3330 case DLT_AIRONET_HEADER: 3331 #endif 3332 case DLT_IEEE802_11_RADIO: 3333 case DLT_IEEE802_11_RADIO_AVS: 3334 #ifdef DLT_PPI 3335 case DLT_PPI: 3336 #endif 3337 /* 3338 * 802.11. Don't offer this one. 3339 */ 3340 continue; 3341 3342 default: 3343 /* 3344 * Just copy this mode over. 3345 */ 3346 break; 3347 } 3348 3349 /* 3350 * Copy this DLT_ value to its new position. 3351 */ 3352 p->dlt_list[j] = p->dlt_list[i]; 3353 j++; 3354 } 3355 3356 /* 3357 * Set the DLT_ count to the number of entries we copied. 3358 */ 3359 p->dlt_count = j; 3360 } 3361 #endif /* defined(__APPLE__) && defined(BIOCGDLTLIST) */ 3362 3363 static int 3364 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp) 3365 { 3366 struct pcap_bpf *pb = p->priv; 3367 3368 /* 3369 * Free any user-mode filter we might happen to have installed. 3370 */ 3371 pcap_freecode(&p->fcode); 3372 3373 /* 3374 * Try to install the kernel filter. 3375 */ 3376 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) == 0) { 3377 /* 3378 * It worked. 3379 */ 3380 pb->filtering_in_kernel = 1; /* filtering in the kernel */ 3381 3382 /* 3383 * Discard any previously-received packets, as they might 3384 * have passed whatever filter was formerly in effect, but 3385 * might not pass this filter (BIOCSETF discards packets 3386 * buffered in the kernel, so you can lose packets in any 3387 * case). 3388 */ 3389 p->cc = 0; 3390 return (0); 3391 } 3392 3393 /* 3394 * We failed. 3395 * 3396 * If it failed with EINVAL, that's probably because the program 3397 * is invalid or too big. Validate it ourselves; if we like it 3398 * (we currently allow backward branches, to support protochain), 3399 * run it in userland. (There's no notion of "too big" for 3400 * userland.) 3401 * 3402 * Otherwise, just give up. 3403 * XXX - if the copy of the program into the kernel failed, 3404 * we will get EINVAL rather than, say, EFAULT on at least 3405 * some kernels. 3406 */ 3407 if (errno != EINVAL) { 3408 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 3409 errno, "BIOCSETF"); 3410 return (-1); 3411 } 3412 3413 /* 3414 * install_bpf_program() validates the program. 3415 * 3416 * XXX - what if we already have a filter in the kernel? 3417 */ 3418 if (install_bpf_program(p, fp) < 0) 3419 return (-1); 3420 pb->filtering_in_kernel = 0; /* filtering in userland */ 3421 return (0); 3422 } 3423 3424 /* 3425 * Set direction flag: Which packets do we accept on a forwarding 3426 * single device? IN, OUT or both? 3427 */ 3428 #if defined(BIOCSDIRECTION) 3429 static int 3430 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d) 3431 { 3432 u_int direction; 3433 const char *direction_name; 3434 3435 /* 3436 * FreeBSD and NetBSD. 3437 */ 3438 switch (d) { 3439 3440 case PCAP_D_IN: 3441 /* 3442 * Incoming, but not outgoing, so accept only 3443 * incoming packets. 3444 */ 3445 direction = BPF_D_IN; 3446 direction_name = "\"incoming only\""; 3447 break; 3448 3449 case PCAP_D_OUT: 3450 /* 3451 * Outgoing, but not incoming, so accept only 3452 * outgoing packets. 3453 */ 3454 direction = BPF_D_OUT; 3455 direction_name = "\"outgoing only\""; 3456 break; 3457 3458 default: 3459 /* 3460 * Incoming and outgoing, so accept both 3461 * incoming and outgoing packets. 3462 * 3463 * It's guaranteed, at this point, that d is a valid 3464 * direction value, so we know that this is PCAP_D_INOUT 3465 * if it's not PCAP_D_IN or PCAP_D_OUT. 3466 */ 3467 direction = BPF_D_INOUT; 3468 direction_name = "\"incoming and outgoing\""; 3469 break; 3470 } 3471 3472 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) { 3473 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf), 3474 errno, "Cannot set direction to %s", direction_name); 3475 return (-1); 3476 } 3477 return (0); 3478 } 3479 #elif defined(BIOCSDIRFILT) 3480 static int 3481 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d) 3482 { 3483 u_int dirfilt; 3484 const char *direction_name; 3485 3486 /* 3487 * OpenBSD; same functionality, different names, different 3488 * semantics (the flags mean "*don't* capture packets in 3489 * that direction", not "*capture only* packets in that 3490 * direction"). 3491 */ 3492 switch (d) { 3493 3494 case PCAP_D_IN: 3495 /* 3496 * Incoming, but not outgoing, so filter out 3497 * outgoing packets. 3498 */ 3499 dirfilt = BPF_DIRECTION_OUT; 3500 direction_name = "\"incoming only\""; 3501 break; 3502 3503 case PCAP_D_OUT: 3504 /* 3505 * Outgoing, but not incoming, so filter out 3506 * incoming packets. 3507 */ 3508 dirfilt = BPF_DIRECTION_IN; 3509 direction_name = "\"outgoing only\""; 3510 break; 3511 3512 default: 3513 /* 3514 * Incoming and outgoing, so don't filter out 3515 * any packets based on direction. 3516 * 3517 * It's guaranteed, at this point, that d is a valid 3518 * direction value, so we know that this is PCAP_D_INOUT 3519 * if it's not PCAP_D_IN or PCAP_D_OUT. 3520 */ 3521 dirfilt = 0; 3522 direction_name = "\"incoming and outgoing\""; 3523 break; 3524 } 3525 if (ioctl(p->fd, BIOCSDIRFILT, &dirfilt) == -1) { 3526 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf), 3527 errno, "Cannot set direction to %s", direction_name); 3528 return (-1); 3529 } 3530 return (0); 3531 } 3532 #elif defined(BIOCSSEESENT) 3533 static int 3534 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d) 3535 { 3536 u_int seesent; 3537 const char *direction_name; 3538 3539 /* 3540 * OS with just BIOCSSEESENT. 3541 */ 3542 switch (d) { 3543 3544 case PCAP_D_IN: 3545 /* 3546 * Incoming, but not outgoing, so we don't want to 3547 * see transmitted packets. 3548 */ 3549 seesent = 0; 3550 direction_name = "\"incoming only\""; 3551 break; 3552 3553 case PCAP_D_OUT: 3554 /* 3555 * Outgoing, but not incoming; we can't specify that. 3556 */ 3557 snprintf(p->errbuf, sizeof(p->errbuf), 3558 "Setting direction to \"outgoing only\" is not supported on this device"); 3559 return (-1); 3560 3561 default: 3562 /* 3563 * Incoming and outgoing, so we want to see transmitted 3564 * packets. 3565 * 3566 * It's guaranteed, at this point, that d is a valid 3567 * direction value, so we know that this is PCAP_D_INOUT 3568 * if it's not PCAP_D_IN or PCAP_D_OUT. 3569 */ 3570 seesent = 1; 3571 direction_name = "\"incoming and outgoing\""; 3572 break; 3573 } 3574 3575 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) { 3576 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf), 3577 errno, "Cannot set direction to %s", direction_name); 3578 return (-1); 3579 } 3580 return (0); 3581 } 3582 #else 3583 static int 3584 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d _U_) 3585 { 3586 (void) snprintf(p->errbuf, sizeof(p->errbuf), 3587 "Setting direction is not supported on this device"); 3588 return (-1); 3589 } 3590 #endif 3591 3592 #ifdef BIOCSDLT 3593 static int 3594 pcap_set_datalink_bpf(pcap_t *p, int dlt) 3595 { 3596 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) { 3597 pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf), 3598 errno, "Cannot set DLT %d", dlt); 3599 return (-1); 3600 } 3601 return (0); 3602 } 3603 #else 3604 static int 3605 pcap_set_datalink_bpf(pcap_t *p _U_, int dlt _U_) 3606 { 3607 return (0); 3608 } 3609 #endif 3610 3611 /* 3612 * Platform-specific information. 3613 */ 3614 const char * 3615 pcap_lib_version(void) 3616 { 3617 #ifdef HAVE_ZEROCOPY_BPF 3618 return (PCAP_VERSION_STRING " (with zerocopy support)"); 3619 #else 3620 return (PCAP_VERSION_STRING); 3621 #endif 3622 } 3623