1 /* 2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Support for splitting captures into multiple files with a maximum 22 * file size: 23 * 24 * Copyright (c) 2001 25 * Seth Webster <swebster@sst.ll.mit.edu> 26 */ 27 28 #include <sys/cdefs.h> 29 #ifndef lint 30 __RCSID("$NetBSD: tcpdump.c,v 1.20 2024/09/02 16:15:33 christos Exp $"); 31 #endif 32 33 /* 34 * tcpdump - dump traffic on a network 35 * 36 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory. 37 * Mercilessly hacked and occasionally improved since then via the 38 * combined efforts of Van, Steve McCanne and Craig Leres of LBL. 39 */ 40 41 #include <config.h> 42 43 /* 44 * Some older versions of Mac OS X ship pcap.h from libpcap 0.6 with a 45 * libpcap based on 0.8. That means it has pcap_findalldevs() but the 46 * header doesn't define pcap_if_t, meaning that we can't actually *use* 47 * pcap_findalldevs(). 48 */ 49 #ifdef HAVE_PCAP_FINDALLDEVS 50 #ifndef HAVE_PCAP_IF_T 51 #undef HAVE_PCAP_FINDALLDEVS 52 #endif 53 #endif 54 55 #include "netdissect-stdinc.h" 56 57 /* 58 * This must appear after including netdissect-stdinc.h, so that _U_ is 59 * defined. 60 */ 61 #ifndef lint 62 static const char copyright[] _U_ = 63 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\ 64 The Regents of the University of California. All rights reserved.\n"; 65 #endif 66 67 #include <sys/stat.h> 68 69 #include <fcntl.h> 70 71 #ifdef HAVE_LIBCRYPTO 72 #include <openssl/crypto.h> 73 #endif 74 75 #ifdef HAVE_GETOPT_LONG 76 #include <getopt.h> 77 #else 78 #include "missing/getopt_long.h" 79 #endif 80 /* Capsicum-specific code requires macros from <net/bpf.h>, which will fail 81 * to compile if <pcap.h> has already been included; including the headers 82 * in the opposite order works fine. For the most part anyway, because in 83 * FreeBSD <pcap/pcap.h> declares bpf_dump() instead of <net/bpf.h>. Thus 84 * interface.h takes care of it later to avoid a compiler warning. 85 */ 86 #ifdef HAVE_CAPSICUM 87 #include <sys/capsicum.h> 88 #include <sys/ioccom.h> 89 #include <net/bpf.h> 90 #include <libgen.h> 91 #ifdef HAVE_CASPER 92 #include <libcasper.h> 93 #include <casper/cap_dns.h> 94 #include <sys/nv.h> 95 #endif /* HAVE_CASPER */ 96 #endif /* HAVE_CAPSICUM */ 97 #ifdef HAVE_PCAP_OPEN 98 /* 99 * We found pcap_open() in the capture library, so we'll be using 100 * the remote capture APIs; define PCAP_REMOTE before we include pcap.h, 101 * so we get those APIs declared, and the types and #defines that they 102 * use defined. 103 * 104 * WinPcap's headers require that PCAP_REMOTE be defined in order to get 105 * remote-capture APIs declared and types and #defines that they use 106 * defined. 107 * 108 * (Versions of libpcap with those APIs, and thus Npcap, which is based on 109 * those versions of libpcap, don't require it.) 110 */ 111 #define HAVE_REMOTE 112 #endif 113 #include <pcap.h> 114 #include <signal.h> 115 #include <stdio.h> 116 #include <stdarg.h> 117 #include <stdlib.h> 118 #include <string.h> 119 #include <limits.h> 120 #include <resolv.h> 121 #ifdef _WIN32 122 #include <windows.h> 123 #else 124 #include <sys/time.h> 125 #include <sys/wait.h> 126 #include <sys/resource.h> 127 #include <pwd.h> 128 #include <grp.h> 129 #endif /* _WIN32 */ 130 131 /* 132 * Pathname separator. 133 * Use this in pathnames, but do *not* use it in URLs. 134 */ 135 #ifdef _WIN32 136 #define PATH_SEPARATOR '\\' 137 #else 138 #define PATH_SEPARATOR '/' 139 #endif 140 141 /* capabilities convenience library */ 142 /* If a code depends on HAVE_LIBCAP_NG, it depends also on HAVE_CAP_NG_H. 143 * If HAVE_CAP_NG_H is not defined, undefine HAVE_LIBCAP_NG. 144 * Thus, the later tests are done only on HAVE_LIBCAP_NG. 145 */ 146 #ifdef HAVE_LIBCAP_NG 147 #ifdef HAVE_CAP_NG_H 148 #include <cap-ng.h> 149 #else 150 #undef HAVE_LIBCAP_NG 151 #endif /* HAVE_CAP_NG_H */ 152 #endif /* HAVE_LIBCAP_NG */ 153 154 #ifdef __FreeBSD__ 155 #include <sys/sysctl.h> 156 #endif /* __FreeBSD__ */ 157 158 #include "netdissect-stdinc.h" 159 #include "netdissect.h" 160 #include "interface.h" 161 #include "addrtoname.h" 162 #include "machdep.h" 163 #include "pcap-missing.h" 164 #include "ascii_strcasecmp.h" 165 166 #include "print.h" 167 168 #include "diag-control.h" 169 170 #include "fptype.h" 171 172 #ifndef PATH_MAX 173 #define PATH_MAX 1024 174 #endif 175 176 #if defined(SIGINFO) 177 #define SIGNAL_REQ_INFO SIGINFO 178 #elif defined(SIGUSR1) 179 #define SIGNAL_REQ_INFO SIGUSR1 180 #endif 181 182 #if defined(HAVE_PCAP_DUMP_FLUSH) && defined(SIGUSR2) 183 #define SIGNAL_FLUSH_PCAP SIGUSR2 184 #endif 185 186 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 187 static int Bflag; /* buffer size */ 188 #endif 189 #ifdef HAVE_PCAP_DUMP_FTELL64 190 static int64_t Cflag; /* rotate dump files after this many bytes */ 191 #else 192 static long Cflag; /* rotate dump files after this many bytes */ 193 #endif 194 static int Cflag_count; /* Keep track of which file number we're writing */ 195 #ifdef HAVE_PCAP_FINDALLDEVS 196 static int Dflag; /* list available devices and exit */ 197 #endif 198 #ifdef HAVE_PCAP_FINDALLDEVS_EX 199 static char *remote_interfaces_source; /* list available devices from this source and exit */ 200 #endif 201 202 /* 203 * This is exported because, in some versions of libpcap, if libpcap 204 * is built with optimizer debugging code (which is *NOT* the default 205 * configuration!), the library *imports*(!) a variable named dflag, 206 * under the expectation that tcpdump is exporting it, to govern 207 * how much debugging information to print when optimizing 208 * the generated BPF code. 209 * 210 * This is a horrible hack; newer versions of libpcap don't import 211 * dflag but, instead, *if* built with optimizer debugging code, 212 * *export* a routine to set that flag. 213 */ 214 extern int dflag; 215 int dflag; /* print filter code */ 216 static int Gflag; /* rotate dump files after this many seconds */ 217 static int Gflag_count; /* number of files created with Gflag rotation */ 218 static time_t Gflag_time; /* The last time_t the dump file was rotated. */ 219 static int Lflag; /* list available data link types and exit */ 220 static int Iflag; /* rfmon (monitor) mode */ 221 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 222 static int Jflag; /* list available time stamp types */ 223 static int jflag = -1; /* packet time stamp source */ 224 #endif 225 static int lflag; /* line-buffered output */ 226 static int pflag; /* don't go promiscuous */ 227 #ifdef HAVE_PCAP_SETDIRECTION 228 static int Qflag = -1; /* restrict captured packet by send/receive direction */ 229 #endif 230 #ifdef HAVE_PCAP_DUMP_FLUSH 231 static int Uflag; /* "unbuffered" output of dump files */ 232 #endif 233 static int Wflag; /* recycle output files after this number of files */ 234 static int WflagChars; 235 static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */ 236 static int timeout = 1000; /* default timeout = 1000 ms = 1 s */ 237 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 238 static int immediate_mode; 239 #endif 240 static int count_mode; 241 242 static int infodelay; 243 static int infoprint; 244 245 char *program_name; 246 247 /* Forwards */ 248 static NORETURN void error(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 249 static void warning(FORMAT_STRING(const char *), ...) PRINTFLIKE(1, 2); 250 static NORETURN void exit_tcpdump(int); 251 static void (*setsignal (int sig, void (*func)(int)))(int); 252 static void cleanup(int); 253 static void child_cleanup(int); 254 static void print_version(FILE *); 255 static void print_usage(FILE *); 256 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 257 static NORETURN void show_tstamp_types_and_exit(pcap_t *, const char *device); 258 #endif 259 static NORETURN void show_dlts_and_exit(pcap_t *, const char *device); 260 #ifdef HAVE_PCAP_FINDALLDEVS 261 static NORETURN void show_devices_and_exit(void); 262 #endif 263 #ifdef HAVE_PCAP_FINDALLDEVS_EX 264 static NORETURN void show_remote_devices_and_exit(void); 265 #endif 266 267 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 268 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *); 269 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 270 static void droproot(const char *, const char *); 271 272 #ifdef SIGNAL_REQ_INFO 273 static void requestinfo(int); 274 #endif 275 276 #ifdef SIGNAL_FLUSH_PCAP 277 static void flushpcap(int); 278 #endif 279 280 #ifdef _WIN32 281 static HANDLE timer_handle = INVALID_HANDLE_VALUE; 282 static void CALLBACK verbose_stats_dump(PVOID param, BOOLEAN timer_fired); 283 #else /* _WIN32 */ 284 static void verbose_stats_dump(int sig); 285 #endif /* _WIN32 */ 286 287 static void info(int); 288 static u_int packets_captured; 289 290 #ifdef HAVE_PCAP_FINDALLDEVS 291 static const struct tok status_flags[] = { 292 #ifdef PCAP_IF_UP 293 { PCAP_IF_UP, "Up" }, 294 #endif 295 #ifdef PCAP_IF_RUNNING 296 { PCAP_IF_RUNNING, "Running" }, 297 #endif 298 { PCAP_IF_LOOPBACK, "Loopback" }, 299 #ifdef PCAP_IF_WIRELESS 300 { PCAP_IF_WIRELESS, "Wireless" }, 301 #endif 302 { 0, NULL } 303 }; 304 #endif 305 306 static pcap_t *pd; 307 static pcap_dumper_t *pdd = NULL; 308 309 static int supports_monitor_mode; 310 311 extern int optind; 312 extern int opterr; 313 extern char *optarg; 314 315 struct dump_info { 316 char *WFileName; 317 char *CurrentFileName; 318 pcap_t *pd; 319 pcap_dumper_t *pdd; 320 netdissect_options *ndo; 321 #ifdef HAVE_CAPSICUM 322 int dirfd; 323 #endif 324 }; 325 326 #if defined(HAVE_PCAP_SET_PARSER_DEBUG) 327 /* 328 * We have pcap_set_parser_debug() in libpcap; declare it (it's not declared 329 * by any libpcap header, because it's a special hack, only available if 330 * libpcap was configured to include it, and only intended for use by 331 * libpcap developers trying to debug the parser for filter expressions). 332 */ 333 #ifdef _WIN32 334 __declspec(dllimport) 335 #else /* _WIN32 */ 336 extern 337 #endif /* _WIN32 */ 338 void pcap_set_parser_debug(int); 339 #elif defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG) 340 /* 341 * We don't have pcap_set_parser_debug() in libpcap, but we do have 342 * pcap_debug or yydebug. Make a local version of pcap_set_parser_debug() 343 * to set the flag, and define HAVE_PCAP_SET_PARSER_DEBUG. 344 */ 345 static void 346 pcap_set_parser_debug(int value) 347 { 348 #ifdef HAVE_PCAP_DEBUG 349 extern int pcap_debug __weak; 350 351 if (&pcap_debug) 352 pcap_debug = value; 353 #else /* HAVE_PCAP_DEBUG */ 354 extern int yydebug; 355 356 yydebug = value; 357 #endif /* HAVE_PCAP_DEBUG */ 358 } 359 360 #define HAVE_PCAP_SET_PARSER_DEBUG 361 #endif 362 363 #if defined(HAVE_PCAP_SET_OPTIMIZER_DEBUG) 364 /* 365 * We have pcap_set_optimizer_debug() in libpcap; declare it (it's not declared 366 * by any libpcap header, because it's a special hack, only available if 367 * libpcap was configured to include it, and only intended for use by 368 * libpcap developers trying to debug the optimizer for filter expressions). 369 */ 370 #ifdef _WIN32 371 __declspec(dllimport) 372 #else /* _WIN32 */ 373 extern 374 #endif /* _WIN32 */ 375 void pcap_set_optimizer_debug(int); 376 #endif 377 378 /* VARARGS */ 379 static void 380 error(const char *fmt, ...) 381 { 382 va_list ap; 383 384 (void)fprintf(stderr, "%s: ", program_name); 385 va_start(ap, fmt); 386 (void)vfprintf(stderr, fmt, ap); 387 va_end(ap); 388 if (*fmt) { 389 fmt += strlen(fmt); 390 if (fmt[-1] != '\n') 391 (void)fputc('\n', stderr); 392 } 393 exit_tcpdump(S_ERR_HOST_PROGRAM); 394 /* NOTREACHED */ 395 } 396 397 /* VARARGS */ 398 static void 399 warning(const char *fmt, ...) 400 { 401 va_list ap; 402 403 (void)fprintf(stderr, "%s: WARNING: ", program_name); 404 va_start(ap, fmt); 405 (void)vfprintf(stderr, fmt, ap); 406 va_end(ap); 407 if (*fmt) { 408 fmt += strlen(fmt); 409 if (fmt[-1] != '\n') 410 (void)fputc('\n', stderr); 411 } 412 } 413 414 static void 415 exit_tcpdump(int status) 416 { 417 nd_cleanup(); 418 exit(status); 419 } 420 421 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 422 static void 423 show_tstamp_types_and_exit(pcap_t *pc, const char *device) 424 { 425 int n_tstamp_types; 426 int *tstamp_types = 0; 427 const char *tstamp_type_name; 428 int i; 429 430 n_tstamp_types = pcap_list_tstamp_types(pc, &tstamp_types); 431 if (n_tstamp_types < 0) 432 error("%s", pcap_geterr(pc)); 433 434 if (n_tstamp_types == 0) { 435 fprintf(stderr, "Time stamp type cannot be set for %s\n", 436 device); 437 exit_tcpdump(S_SUCCESS); 438 } 439 fprintf(stdout, "Time stamp types for %s (use option -j to set):\n", 440 device); 441 for (i = 0; i < n_tstamp_types; i++) { 442 tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]); 443 if (tstamp_type_name != NULL) { 444 (void) fprintf(stdout, " %s (%s)\n", tstamp_type_name, 445 pcap_tstamp_type_val_to_description(tstamp_types[i])); 446 } else { 447 (void) fprintf(stdout, " %d\n", tstamp_types[i]); 448 } 449 } 450 pcap_free_tstamp_types(tstamp_types); 451 exit_tcpdump(S_SUCCESS); 452 } 453 #endif 454 455 static void 456 show_dlts_and_exit(pcap_t *pc, const char *device) 457 { 458 int n_dlts, i; 459 int *dlts = 0; 460 const char *dlt_name; 461 462 n_dlts = pcap_list_datalinks(pc, &dlts); 463 if (n_dlts < 0) 464 error("%s", pcap_geterr(pc)); 465 else if (n_dlts == 0 || !dlts) 466 error("No data link types."); 467 468 /* 469 * If the interface is known to support monitor mode, indicate 470 * whether these are the data link types available when not in 471 * monitor mode, if -I wasn't specified, or when in monitor mode, 472 * when -I was specified (the link-layer types available in 473 * monitor mode might be different from the ones available when 474 * not in monitor mode). 475 */ 476 (void) fprintf(stdout, "Data link types for "); 477 if (supports_monitor_mode) 478 (void) fprintf(stdout, "%s %s", 479 device, 480 Iflag ? "when in monitor mode" : "when not in monitor mode"); 481 else 482 (void) fprintf(stdout, "%s", 483 device); 484 (void) fprintf(stdout, " (use option -y to set):\n"); 485 486 for (i = 0; i < n_dlts; i++) { 487 dlt_name = pcap_datalink_val_to_name(dlts[i]); 488 if (dlt_name != NULL) { 489 (void) fprintf(stdout, " %s (%s)", dlt_name, 490 pcap_datalink_val_to_description(dlts[i])); 491 492 /* 493 * OK, does tcpdump handle that type? 494 */ 495 if (!has_printer(dlts[i])) 496 (void) fprintf(stdout, " (printing not supported)"); 497 fprintf(stdout, "\n"); 498 } else { 499 (void) fprintf(stdout, " DLT %d (printing not supported)\n", 500 dlts[i]); 501 } 502 } 503 #ifdef HAVE_PCAP_FREE_DATALINKS 504 pcap_free_datalinks(dlts); 505 #endif 506 exit_tcpdump(S_SUCCESS); 507 } 508 509 #ifdef HAVE_PCAP_FINDALLDEVS 510 static void 511 show_devices_and_exit(void) 512 { 513 pcap_if_t *dev, *devlist; 514 char ebuf[PCAP_ERRBUF_SIZE]; 515 int i; 516 517 if (pcap_findalldevs(&devlist, ebuf) < 0) 518 error("%s", ebuf); 519 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 520 printf("%d.%s", i+1, dev->name); 521 if (dev->description != NULL) 522 printf(" (%s)", dev->description); 523 if (dev->flags != 0) { 524 printf(" ["); 525 printf("%s", bittok2str(status_flags, "none", dev->flags)); 526 #ifdef PCAP_IF_WIRELESS 527 if (dev->flags & PCAP_IF_WIRELESS) { 528 switch (dev->flags & PCAP_IF_CONNECTION_STATUS) { 529 530 case PCAP_IF_CONNECTION_STATUS_UNKNOWN: 531 printf(", Association status unknown"); 532 break; 533 534 case PCAP_IF_CONNECTION_STATUS_CONNECTED: 535 printf(", Associated"); 536 break; 537 538 case PCAP_IF_CONNECTION_STATUS_DISCONNECTED: 539 printf(", Not associated"); 540 break; 541 542 case PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE: 543 break; 544 } 545 } else { 546 switch (dev->flags & PCAP_IF_CONNECTION_STATUS) { 547 548 case PCAP_IF_CONNECTION_STATUS_UNKNOWN: 549 printf(", Connection status unknown"); 550 break; 551 552 case PCAP_IF_CONNECTION_STATUS_CONNECTED: 553 printf(", Connected"); 554 break; 555 556 case PCAP_IF_CONNECTION_STATUS_DISCONNECTED: 557 printf(", Disconnected"); 558 break; 559 560 case PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE: 561 break; 562 } 563 } 564 #endif 565 printf("]"); 566 } 567 printf("\n"); 568 } 569 pcap_freealldevs(devlist); 570 exit_tcpdump(S_SUCCESS); 571 } 572 #endif /* HAVE_PCAP_FINDALLDEVS */ 573 574 #ifdef HAVE_PCAP_FINDALLDEVS_EX 575 static void 576 show_remote_devices_and_exit(void) 577 { 578 pcap_if_t *dev, *devlist; 579 char ebuf[PCAP_ERRBUF_SIZE]; 580 int i; 581 582 if (pcap_findalldevs_ex(remote_interfaces_source, NULL, &devlist, 583 ebuf) < 0) 584 error("%s", ebuf); 585 for (i = 0, dev = devlist; dev != NULL; i++, dev = dev->next) { 586 printf("%d.%s", i+1, dev->name); 587 if (dev->description != NULL) 588 printf(" (%s)", dev->description); 589 if (dev->flags != 0) 590 printf(" [%s]", bittok2str(status_flags, "none", dev->flags)); 591 printf("\n"); 592 } 593 pcap_freealldevs(devlist); 594 exit_tcpdump(S_SUCCESS); 595 } 596 #endif /* HAVE_PCAP_FINDALLDEVS */ 597 598 /* 599 * Short options. 600 * 601 * Note that there we use all letters for short options except for g, k, 602 * o, and P, and those are used by other versions of tcpdump, and we should 603 * only use them for the same purposes that the other versions of tcpdump 604 * use them: 605 * 606 * macOS tcpdump uses -g to force non--v output for IP to be on one 607 * line, making it more "g"repable; 608 * 609 * macOS tcpdump uses -k to specify that packet comments in pcapng files 610 * should be printed; 611 * 612 * OpenBSD tcpdump uses -o to indicate that OS fingerprinting should be done 613 * for hosts sending TCP SYN packets; 614 * 615 * macOS tcpdump uses -P to indicate that -w should write pcapng rather 616 * than pcap files. 617 * 618 * macOS tcpdump also uses -Q to specify expressions that match packet 619 * metadata, including but not limited to the packet direction. 620 * The expression syntax is different from a simple "in|out|inout", 621 * and those expressions aren't accepted by macOS tcpdump, but the 622 * equivalents would be "in" = "dir=in", "out" = "dir=out", and 623 * "inout" = "dir=in or dir=out", and the parser could conceivably 624 * special-case "in", "out", and "inout" as expressions for backwards 625 * compatibility, so all is not (yet) lost. 626 */ 627 628 /* 629 * Set up flags that might or might not be supported depending on the 630 * version of libpcap we're using. 631 */ 632 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 633 #define B_FLAG "B:" 634 #define B_FLAG_USAGE " [ -B size ]" 635 #else /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 636 #define B_FLAG 637 #define B_FLAG_USAGE 638 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 639 640 #ifdef HAVE_PCAP_FINDALLDEVS 641 #define D_FLAG "D" 642 #else 643 #define D_FLAG 644 #endif 645 646 #ifdef HAVE_PCAP_CREATE 647 #define I_FLAG "I" 648 #else /* HAVE_PCAP_CREATE */ 649 #define I_FLAG 650 #endif /* HAVE_PCAP_CREATE */ 651 652 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 653 #define j_FLAG "j:" 654 #define j_FLAG_USAGE " [ -j tstamptype ]" 655 #define J_FLAG "J" 656 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 657 #define j_FLAG 658 #define j_FLAG_USAGE 659 #define J_FLAG 660 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 661 662 #ifdef USE_LIBSMI 663 #define m_FLAG_USAGE "[ -m module ] ..." 664 #endif 665 666 #ifdef HAVE_PCAP_SETDIRECTION 667 #define Q_FLAG "Q:" 668 #define Q_FLAG_USAGE " [ -Q in|out|inout ]" 669 #else 670 #define Q_FLAG 671 #define Q_FLAG_USAGE 672 #endif 673 674 #ifdef HAVE_PCAP_DUMP_FLUSH 675 #define U_FLAG "U" 676 #else 677 #define U_FLAG 678 #endif 679 680 #define SHORTOPTS "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpq" Q_FLAG "r:s:StT:u" U_FLAG "vV:w:W:xXy:Yz:Z:#" 681 682 /* 683 * Long options. 684 * 685 * We do not currently have long options corresponding to all short 686 * options; we should probably pick appropriate option names for them. 687 * 688 * However, the short options where the number of times the option is 689 * specified matters, such as -v and -d and -t, should probably not 690 * just map to a long option, as saying 691 * 692 * tcpdump --verbose --verbose 693 * 694 * doesn't make sense; it should be --verbosity={N} or something such 695 * as that. 696 * 697 * For long options with no corresponding short options, we define values 698 * outside the range of ASCII graphic characters, make that the last 699 * component of the entry for the long option, and have a case for that 700 * option in the switch statement. 701 */ 702 #define OPTION_VERSION 128 703 #define OPTION_TSTAMP_PRECISION 129 704 #define OPTION_IMMEDIATE_MODE 130 705 #define OPTION_PRINT 131 706 #define OPTION_LIST_REMOTE_INTERFACES 132 707 #define OPTION_TSTAMP_MICRO 133 708 #define OPTION_TSTAMP_NANO 134 709 #define OPTION_FP_TYPE 135 710 #define OPTION_COUNT 136 711 712 static const struct option longopts[] = { 713 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 714 { "buffer-size", required_argument, NULL, 'B' }, 715 #endif 716 { "list-interfaces", no_argument, NULL, 'D' }, 717 #ifdef HAVE_PCAP_FINDALLDEVS_EX 718 { "list-remote-interfaces", required_argument, NULL, OPTION_LIST_REMOTE_INTERFACES }, 719 #endif 720 { "help", no_argument, NULL, 'h' }, 721 { "interface", required_argument, NULL, 'i' }, 722 #ifdef HAVE_PCAP_CREATE 723 { "monitor-mode", no_argument, NULL, 'I' }, 724 #endif 725 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 726 { "time-stamp-type", required_argument, NULL, 'j' }, 727 { "list-time-stamp-types", no_argument, NULL, 'J' }, 728 #endif 729 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 730 { "micro", no_argument, NULL, OPTION_TSTAMP_MICRO}, 731 { "nano", no_argument, NULL, OPTION_TSTAMP_NANO}, 732 { "time-stamp-precision", required_argument, NULL, OPTION_TSTAMP_PRECISION}, 733 #endif 734 { "dont-verify-checksums", no_argument, NULL, 'K' }, 735 { "list-data-link-types", no_argument, NULL, 'L' }, 736 { "no-optimize", no_argument, NULL, 'O' }, 737 { "no-promiscuous-mode", no_argument, NULL, 'p' }, 738 #ifdef HAVE_PCAP_SETDIRECTION 739 { "direction", required_argument, NULL, 'Q' }, 740 #endif 741 { "snapshot-length", required_argument, NULL, 's' }, 742 { "absolute-tcp-sequence-numbers", no_argument, NULL, 'S' }, 743 #ifdef HAVE_PCAP_DUMP_FLUSH 744 { "packet-buffered", no_argument, NULL, 'U' }, 745 #endif 746 { "linktype", required_argument, NULL, 'y' }, 747 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 748 { "immediate-mode", no_argument, NULL, OPTION_IMMEDIATE_MODE }, 749 #endif 750 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 751 { "debug-filter-parser", no_argument, NULL, 'Y' }, 752 #endif 753 { "relinquish-privileges", required_argument, NULL, 'Z' }, 754 { "count", no_argument, NULL, OPTION_COUNT }, 755 { "fp-type", no_argument, NULL, OPTION_FP_TYPE }, 756 { "number", no_argument, NULL, '#' }, 757 { "print", no_argument, NULL, OPTION_PRINT }, 758 { "version", no_argument, NULL, OPTION_VERSION }, 759 { NULL, 0, NULL, 0 } 760 }; 761 762 #ifdef HAVE_PCAP_FINDALLDEVS_EX 763 #define LIST_REMOTE_INTERFACES_USAGE "[ --list-remote-interfaces remote-source ]" 764 #else 765 #define LIST_REMOTE_INTERFACES_USAGE 766 #endif 767 768 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 769 #define IMMEDIATE_MODE_USAGE " [ --immediate-mode ]" 770 #else 771 #define IMMEDIATE_MODE_USAGE "" 772 #endif 773 774 #ifndef _WIN32 775 /* Drop root privileges and chroot if necessary */ 776 static void 777 droproot(const char *username, const char *chroot_dir) 778 { 779 struct passwd *pw = NULL; 780 781 if (chroot_dir && !username) 782 error("Chroot without dropping root is insecure"); 783 784 pw = getpwnam(username); 785 if (pw) { 786 if (initgroups(pw->pw_name, pw->pw_gid) != 0) { 787 fprintf(stderr, "tcpdump: Couldn't initgroups to " 788 "'%.32s' gid=%lu: %s\n", pw->pw_name, 789 (unsigned long)pw->pw_gid, 790 pcap_strerror(errno)); 791 exit(1); 792 } 793 if (chroot_dir) { 794 setprotoent(1); 795 res_init(); 796 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) 797 error("Couldn't chroot/chdir to '%.64s': %s", 798 chroot_dir, pcap_strerror(errno)); 799 } 800 #ifdef HAVE_LIBCAP_NG 801 { 802 int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG); 803 if (ret < 0) 804 error("capng_change_id(): return %d\n", ret); 805 else 806 fprintf(stderr, "dropped privs to %s\n", username); 807 } 808 #else 809 if (initgroups(pw->pw_name, pw->pw_gid) != 0 || 810 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) 811 error("Couldn't change to '%.32s' uid=%lu gid=%lu: %s", 812 username, 813 (unsigned long)pw->pw_uid, 814 (unsigned long)pw->pw_gid, 815 pcap_strerror(errno)); 816 else { 817 // fprintf(stderr, "dropped privs to %s\n", username); 818 } 819 #endif /* HAVE_LIBCAP_NG */ 820 } else 821 error("Couldn't find user '%.32s'", username); 822 #ifdef HAVE_LIBCAP_NG 823 /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT anymore. */ 824 DIAG_OFF_ASSIGN_ENUM 825 capng_updatev( 826 CAPNG_DROP, 827 CAPNG_EFFECTIVE | CAPNG_PERMITTED, 828 CAP_SETUID, 829 CAP_SETGID, 830 CAP_SYS_CHROOT, 831 -1); 832 DIAG_ON_ASSIGN_ENUM 833 capng_apply(CAPNG_SELECT_BOTH); 834 #endif /* HAVE_LIBCAP_NG */ 835 836 } 837 #endif /* _WIN32 */ 838 839 static int 840 getWflagChars(int x) 841 { 842 int c = 0; 843 844 x -= 1; 845 while (x > 0) { 846 c += 1; 847 x /= 10; 848 } 849 850 return c; 851 } 852 853 854 static void 855 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars) 856 { 857 char *filename = malloc(PATH_MAX + 1); 858 if (filename == NULL) 859 error("%s: malloc", __func__); 860 if (strlen(orig_name) == 0) 861 error("an empty string is not a valid file name"); 862 863 /* Process with strftime if Gflag is set. */ 864 if (Gflag != 0) { 865 struct tm *local_tm; 866 867 /* Convert Gflag_time to a usable format */ 868 if ((local_tm = localtime(&Gflag_time)) == NULL) { 869 error("%s: localtime", __func__); 870 } 871 872 /* There's no good way to detect an error in strftime since a return 873 * value of 0 isn't necessarily failure; if orig_name is an empty 874 * string, the formatted string will be empty. 875 * 876 * However, the C90 standard says that, if there *is* a 877 * buffer overflow, the content of the buffer is undefined, 878 * so we must check for a buffer overflow. 879 * 880 * So we check above for an empty orig_name, and only call 881 * strftime() if it's non-empty, in which case the return 882 * value will only be 0 if the formatted date doesn't fit 883 * in the buffer. 884 * 885 * (We check above because, even if we don't use -G, we 886 * want a better error message than "tcpdump: : No such 887 * file or directory" for this case.) 888 */ 889 if (strftime(filename, PATH_MAX, orig_name, local_tm) == 0) { 890 error("%s: strftime", __func__); 891 } 892 } else { 893 strncpy(filename, orig_name, PATH_MAX); 894 } 895 896 if (cnt == 0 && max_chars == 0) 897 strncpy(buffer, filename, PATH_MAX + 1); 898 else 899 if (snprintf(buffer, PATH_MAX + 1, "%s%0*d", filename, max_chars, cnt) > PATH_MAX) 900 /* Report an error if the filename is too large */ 901 error("too many output files or filename is too long (> %d)", PATH_MAX); 902 free(filename); 903 } 904 905 static char * 906 get_next_file(FILE *VFile, char *ptr) 907 { 908 char *ret; 909 size_t len; 910 911 ret = fgets(ptr, PATH_MAX, VFile); 912 if (!ret) 913 return NULL; 914 915 len = strlen (ptr); 916 if (len > 0 && ptr[len - 1] == '\n') 917 ptr[len - 1] = '\0'; 918 919 return ret; 920 } 921 922 #ifdef HAVE_CASPER 923 static cap_channel_t * 924 capdns_setup(void) 925 { 926 cap_channel_t *capcas, *capdnsloc; 927 const char *types[1]; 928 int families[2]; 929 930 capcas = cap_init(); 931 if (capcas == NULL) 932 error("unable to create casper process"); 933 capdnsloc = cap_service_open(capcas, "system.dns"); 934 /* Casper capability no longer needed. */ 935 cap_close(capcas); 936 if (capdnsloc == NULL) 937 error("unable to open system.dns service"); 938 /* Limit system.dns to reverse DNS lookups. */ 939 types[0] = "ADDR"; 940 if (cap_dns_type_limit(capdnsloc, types, 1) < 0) 941 error("unable to limit access to system.dns service"); 942 families[0] = AF_INET; 943 families[1] = AF_INET6; 944 if (cap_dns_family_limit(capdnsloc, families, 2) < 0) 945 error("unable to limit access to system.dns service"); 946 947 return (capdnsloc); 948 } 949 #endif /* HAVE_CASPER */ 950 951 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 952 static int 953 tstamp_precision_from_string(const char *precision) 954 { 955 if (strncmp(precision, "nano", strlen("nano")) == 0) 956 return PCAP_TSTAMP_PRECISION_NANO; 957 958 if (strncmp(precision, "micro", strlen("micro")) == 0) 959 return PCAP_TSTAMP_PRECISION_MICRO; 960 961 return -EINVAL; 962 } 963 964 static const char * 965 tstamp_precision_to_string(int precision) 966 { 967 switch (precision) { 968 969 case PCAP_TSTAMP_PRECISION_MICRO: 970 return "micro"; 971 972 case PCAP_TSTAMP_PRECISION_NANO: 973 return "nano"; 974 975 default: 976 return "unknown"; 977 } 978 } 979 #endif 980 981 #ifdef HAVE_CAPSICUM 982 /* 983 * Ensure that, on a dump file's descriptor, we have all the rights 984 * necessary to make the standard I/O library work with an fdopen()ed 985 * FILE * from that descriptor. 986 * 987 * A long time ago in a galaxy far, far away, AT&T decided that, instead 988 * of providing separate APIs for getting and setting the FD_ flags on a 989 * descriptor, getting and setting the O_ flags on a descriptor, and 990 * locking files, they'd throw them all into a kitchen-sink fcntl() call 991 * along the lines of ioctl(), the fact that ioctl() operations are 992 * largely specific to particular character devices but fcntl() operations 993 * are either generic to all descriptors or generic to all descriptors for 994 * regular files notwithstanding. 995 * 996 * The Capsicum people decided that fine-grained control of descriptor 997 * operations was required, so that you need to grant permission for 998 * reading, writing, seeking, and fcntl-ing. The latter, courtesy of 999 * AT&T's decision, means that "fcntl-ing" isn't a thing, but a motley 1000 * collection of things, so there are *individual* fcntls for which 1001 * permission needs to be granted. 1002 * 1003 * The FreeBSD standard I/O people implemented some optimizations that 1004 * requires that the standard I/O routines be able to determine whether 1005 * the descriptor for the FILE * is open append-only or not; as that 1006 * descriptor could have come from an open() rather than an fopen(), 1007 * that requires that it be able to do an F_GETFL fcntl() to read 1008 * the O_ flags. 1009 * 1010 * Tcpdump uses ftell() to determine how much data has been written 1011 * to a file in order to, when used with -C, determine when it's time 1012 * to rotate capture files. ftell() therefore needs to do an lseek() 1013 * to find out the file offset and must, thanks to the aforementioned 1014 * optimization, also know whether the descriptor is open append-only 1015 * or not. 1016 * 1017 * The net result of all the above is that we need to grant CAP_SEEK, 1018 * CAP_WRITE, and CAP_FCNTL with the CAP_FCNTL_GETFL subcapability. 1019 * 1020 * Perhaps this is the universe's way of saying that either 1021 * 1022 * 1) there needs to be an fopenat() call and a pcap_dump_openat() call 1023 * using it, so that Capsicum-capable tcpdump wouldn't need to do 1024 * an fdopen() 1025 * 1026 * or 1027 * 1028 * 2) there needs to be a cap_fdopen() call in the FreeBSD standard 1029 * I/O library that knows what rights are needed by the standard 1030 * I/O library, based on the open mode, and assigns them, perhaps 1031 * with an additional argument indicating, for example, whether 1032 * seeking should be allowed, so that tcpdump doesn't need to know 1033 * what the standard I/O library happens to require this week. 1034 */ 1035 static void 1036 set_dumper_capsicum_rights(pcap_dumper_t *p) 1037 { 1038 int fd = fileno(pcap_dump_file(p)); 1039 cap_rights_t rights; 1040 1041 cap_rights_init(&rights, CAP_SEEK, CAP_WRITE, CAP_FCNTL); 1042 if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) { 1043 error("unable to limit dump descriptor"); 1044 } 1045 if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) { 1046 error("unable to limit dump descriptor fcntls"); 1047 } 1048 } 1049 #endif 1050 1051 /* 1052 * Copy arg vector into a new buffer, concatenating arguments with spaces. 1053 */ 1054 static char * 1055 copy_argv(char **argv) 1056 { 1057 char **p; 1058 size_t len = 0; 1059 char *buf; 1060 char *src, *dst; 1061 1062 p = argv; 1063 if (*p == NULL) 1064 return 0; 1065 1066 while (*p) 1067 len += strlen(*p++) + 1; 1068 1069 buf = (char *)malloc(len); 1070 if (buf == NULL) 1071 error("%s: malloc", __func__); 1072 1073 p = argv; 1074 dst = buf; 1075 while ((src = *p++) != NULL) { 1076 while ((*dst++ = *src++) != '\0') 1077 ; 1078 dst[-1] = ' '; 1079 } 1080 dst[-1] = '\0'; 1081 1082 return buf; 1083 } 1084 1085 /* 1086 * On Windows, we need to open the file in binary mode, so that 1087 * we get all the bytes specified by the size we get from "fstat()". 1088 * On UNIX, that's not necessary. O_BINARY is defined on Windows; 1089 * we define it as 0 if it's not defined, so it does nothing. 1090 */ 1091 #ifndef O_BINARY 1092 #define O_BINARY 0 1093 #endif 1094 1095 static char * 1096 read_infile(char *fname) 1097 { 1098 int i, fd; 1099 ssize_t cc; 1100 char *cp; 1101 our_statb buf; 1102 1103 fd = open(fname, O_RDONLY|O_BINARY); 1104 if (fd < 0) 1105 error("can't open %s: %s", fname, pcap_strerror(errno)); 1106 1107 if (our_fstat(fd, &buf) < 0) 1108 error("can't stat %s: %s", fname, pcap_strerror(errno)); 1109 1110 /* 1111 * Reject files whose size doesn't fit into an int; a filter 1112 * *that* large will probably be too big. 1113 */ 1114 if (buf.st_size > INT_MAX) 1115 error("%s is too large", fname); 1116 1117 cp = malloc((u_int)buf.st_size + 1); 1118 if (cp == NULL) 1119 error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, 1120 fname, pcap_strerror(errno)); 1121 cc = read(fd, cp, (u_int)buf.st_size); 1122 if (cc < 0) 1123 error("read %s: %s", fname, pcap_strerror(errno)); 1124 if (cc != buf.st_size) 1125 error("short read %s (%d != %d)", fname, (int) cc, 1126 (int)buf.st_size); 1127 1128 close(fd); 1129 /* replace "# comment" with spaces */ 1130 for (i = 0; i < cc; i++) { 1131 if (cp[i] == '#') 1132 while (i < cc && cp[i] != '\n') 1133 cp[i++] = ' '; 1134 } 1135 cp[cc] = '\0'; 1136 return (cp); 1137 } 1138 1139 #ifdef HAVE_PCAP_FINDALLDEVS 1140 static long 1141 parse_interface_number(const char *device) 1142 { 1143 const char *p; 1144 long devnum; 1145 char *end; 1146 1147 /* 1148 * Search for a colon, terminating any scheme at the beginning 1149 * of the device. 1150 */ 1151 p = strchr(device, ':'); 1152 if (p != NULL) { 1153 /* 1154 * We found it. Is it followed by "//"? 1155 */ 1156 p++; /* skip the : */ 1157 if (strncmp(p, "//", 2) == 0) { 1158 /* 1159 * Yes. Search for the next /, at the end of the 1160 * authority part of the URL. 1161 */ 1162 p += 2; /* skip the // */ 1163 p = strchr(p, '/'); 1164 if (p != NULL) { 1165 /* 1166 * OK, past the / is the path. 1167 */ 1168 device = p + 1; 1169 } 1170 } 1171 } 1172 devnum = strtol(device, &end, 10); 1173 if (device != end && *end == '\0') { 1174 /* 1175 * It's all-numeric, but is it a valid number? 1176 */ 1177 if (devnum <= 0) { 1178 /* 1179 * No, it's not an ordinal. 1180 */ 1181 error("Invalid adapter index %s", device); 1182 } 1183 return (devnum); 1184 } else { 1185 /* 1186 * It's not all-numeric; return -1, so our caller 1187 * knows that. 1188 */ 1189 return (-1); 1190 } 1191 } 1192 1193 static char * 1194 find_interface_by_number(const char *url 1195 #ifndef HAVE_PCAP_FINDALLDEVS_EX 1196 _U_ 1197 #endif 1198 , long devnum) 1199 { 1200 pcap_if_t *dev, *devlist; 1201 long i; 1202 char ebuf[PCAP_ERRBUF_SIZE]; 1203 char *device; 1204 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1205 const char *endp; 1206 char *host_url; 1207 #endif 1208 int status; 1209 1210 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1211 /* 1212 * Search for a colon, terminating any scheme at the beginning 1213 * of the URL. 1214 */ 1215 endp = strchr(url, ':'); 1216 if (endp != NULL) { 1217 /* 1218 * We found it. Is it followed by "//"? 1219 */ 1220 endp++; /* skip the : */ 1221 if (strncmp(endp, "//", 2) == 0) { 1222 /* 1223 * Yes. Search for the next /, at the end of the 1224 * authority part of the URL. 1225 */ 1226 endp += 2; /* skip the // */ 1227 endp = strchr(endp, '/'); 1228 } else 1229 endp = NULL; 1230 } 1231 if (endp != NULL) { 1232 /* 1233 * OK, everything from device to endp is a URL to hand 1234 * to pcap_findalldevs_ex(). 1235 */ 1236 endp++; /* Include the trailing / in the URL; pcap_findalldevs_ex() requires it */ 1237 host_url = malloc(endp - url + 1); 1238 if (host_url == NULL && (endp - url + 1) > 0) 1239 error("Invalid allocation for host"); 1240 1241 memcpy(host_url, url, endp - url); 1242 host_url[endp - url] = '\0'; 1243 status = pcap_findalldevs_ex(host_url, NULL, &devlist, ebuf); 1244 free(host_url); 1245 } else 1246 #endif 1247 status = pcap_findalldevs(&devlist, ebuf); 1248 if (status < 0) 1249 error("%s", ebuf); 1250 /* 1251 * Look for the devnum-th entry in the list of devices (1-based). 1252 */ 1253 for (i = 0, dev = devlist; i < devnum-1 && dev != NULL; 1254 i++, dev = dev->next) 1255 ; 1256 if (dev == NULL) { 1257 pcap_freealldevs(devlist); 1258 error("Invalid adapter index %ld: only %ld interfaces found", 1259 devnum, i); 1260 } 1261 device = strdup(dev->name); 1262 pcap_freealldevs(devlist); 1263 return (device); 1264 } 1265 #endif 1266 1267 #ifdef HAVE_PCAP_OPEN 1268 /* 1269 * Prefixes for rpcap URLs. 1270 */ 1271 static char rpcap_prefix[] = "rpcap://"; 1272 static char rpcap_ssl_prefix[] = "rpcaps://"; 1273 #endif 1274 1275 static pcap_t * 1276 open_interface(const char *device, netdissect_options *ndo, char *ebuf) 1277 { 1278 pcap_t *pc; 1279 #ifdef HAVE_PCAP_CREATE 1280 int status; 1281 char *cp; 1282 #endif 1283 1284 #ifdef HAVE_PCAP_OPEN 1285 /* 1286 * Is this an rpcap URL? 1287 */ 1288 if (strncmp(device, rpcap_prefix, sizeof(rpcap_prefix) - 1) == 0 || 1289 strncmp(device, rpcap_ssl_prefix, sizeof(rpcap_ssl_prefix) - 1) == 0) { 1290 /* 1291 * Yes. Open it with pcap_open(). 1292 */ 1293 *ebuf = '\0'; 1294 pc = pcap_open(device, ndo->ndo_snaplen, 1295 pflag ? 0 : PCAP_OPENFLAG_PROMISCUOUS, timeout, NULL, 1296 ebuf); 1297 if (pc == NULL) { 1298 /* 1299 * If this failed with "No such device" or "The system 1300 * cannot find the device specified", that means 1301 * the interface doesn't exist; return NULL, so that 1302 * the caller can see whether the device name is 1303 * actually an interface index. 1304 */ 1305 if (strstr(ebuf, "No such device") != NULL || 1306 strstr(ebuf, "The system cannot find the device specified") != NULL) 1307 return (NULL); 1308 error("%s", ebuf); 1309 } 1310 if (*ebuf) 1311 warning("%s", ebuf); 1312 return (pc); 1313 } 1314 #endif /* HAVE_PCAP_OPEN */ 1315 1316 #ifdef HAVE_PCAP_CREATE 1317 pc = pcap_create(device, ebuf); 1318 if (pc == NULL) { 1319 /* 1320 * If this failed with "No such device", that means 1321 * the interface doesn't exist; return NULL, so that 1322 * the caller can see whether the device name is 1323 * actually an interface index. 1324 */ 1325 if (strstr(ebuf, "No such device") != NULL) 1326 return (NULL); 1327 error("%s", ebuf); 1328 } 1329 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1330 if (Jflag) 1331 show_tstamp_types_and_exit(pc, device); 1332 #endif 1333 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1334 status = pcap_set_tstamp_precision(pc, ndo->ndo_tstamp_precision); 1335 if (status != 0) 1336 error("%s: Can't set %ssecond time stamp precision: %s", 1337 device, 1338 tstamp_precision_to_string(ndo->ndo_tstamp_precision), 1339 pcap_statustostr(status)); 1340 #endif 1341 1342 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1343 if (immediate_mode) { 1344 status = pcap_set_immediate_mode(pc, 1); 1345 if (status != 0) 1346 error("%s: Can't set immediate mode: %s", 1347 device, pcap_statustostr(status)); 1348 } 1349 #endif 1350 /* 1351 * Is this an interface that supports monitor mode? 1352 */ 1353 if (pcap_can_set_rfmon(pc) == 1) 1354 supports_monitor_mode = 1; 1355 else 1356 supports_monitor_mode = 0; 1357 if (ndo->ndo_snaplen != 0) { 1358 /* 1359 * A snapshot length was explicitly specified; 1360 * use it. 1361 */ 1362 status = pcap_set_snaplen(pc, ndo->ndo_snaplen); 1363 if (status != 0) 1364 error("%s: Can't set snapshot length: %s", 1365 device, pcap_statustostr(status)); 1366 } 1367 status = pcap_set_promisc(pc, !pflag); 1368 if (status != 0) 1369 error("%s: Can't set promiscuous mode: %s", 1370 device, pcap_statustostr(status)); 1371 if (Iflag) { 1372 status = pcap_set_rfmon(pc, 1); 1373 if (status != 0) 1374 error("%s: Can't set monitor mode: %s", 1375 device, pcap_statustostr(status)); 1376 } 1377 status = pcap_set_timeout(pc, timeout); 1378 if (status != 0) 1379 error("%s: pcap_set_timeout failed: %s", 1380 device, pcap_statustostr(status)); 1381 if (Bflag != 0) { 1382 status = pcap_set_buffer_size(pc, Bflag); 1383 if (status != 0) 1384 error("%s: Can't set buffer size: %s", 1385 device, pcap_statustostr(status)); 1386 } 1387 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1388 if (jflag != -1) { 1389 status = pcap_set_tstamp_type(pc, jflag); 1390 if (status < 0) 1391 error("%s: Can't set time stamp type: %s", 1392 device, pcap_statustostr(status)); 1393 else if (status > 0) 1394 warning("When trying to set timestamp type '%s' on %s: %s", 1395 pcap_tstamp_type_val_to_name(jflag), device, 1396 pcap_statustostr(status)); 1397 } 1398 #endif 1399 status = pcap_activate(pc); 1400 if (status < 0) { 1401 /* 1402 * pcap_activate() failed. 1403 */ 1404 cp = pcap_geterr(pc); 1405 if (status == PCAP_ERROR) 1406 error("%s", cp); 1407 else if (status == PCAP_ERROR_NO_SUCH_DEVICE) { 1408 /* 1409 * Return an error for our caller to handle. 1410 */ 1411 snprintf(ebuf, PCAP_ERRBUF_SIZE, "%s: %s\n(%s)", 1412 device, pcap_statustostr(status), cp); 1413 } else if (status == PCAP_ERROR_PERM_DENIED && *cp != '\0') 1414 error("%s: %s\n(%s)", device, 1415 pcap_statustostr(status), cp); 1416 #ifdef __FreeBSD__ 1417 else if (status == PCAP_ERROR_RFMON_NOTSUP && 1418 strncmp(device, "wlan", 4) == 0) { 1419 char parent[8], newdev[8]; 1420 char sysctl[32]; 1421 size_t s = sizeof(parent); 1422 1423 snprintf(sysctl, sizeof(sysctl), 1424 "net.wlan.%d.%%parent", atoi(device + 4)); 1425 sysctlbyname(sysctl, parent, &s, NULL, 0); 1426 strlcpy(newdev, device, sizeof(newdev)); 1427 /* Suggest a new wlan device. */ 1428 /* FIXME: incrementing the index this way is not going to work well 1429 * when the index is 9 or greater but the only consequence in this 1430 * specific case would be an error message that looks a bit odd. 1431 */ 1432 newdev[strlen(newdev)-1]++; 1433 error("%s is not a monitor mode VAP\n" 1434 "To create a new monitor mode VAP use:\n" 1435 " ifconfig %s create wlandev %s wlanmode monitor\n" 1436 "and use %s as the tcpdump interface", 1437 device, newdev, parent, newdev); 1438 } 1439 #endif 1440 else 1441 error("%s: %s", device, 1442 pcap_statustostr(status)); 1443 pcap_close(pc); 1444 return (NULL); 1445 } else if (status > 0) { 1446 /* 1447 * pcap_activate() succeeded, but it's warning us 1448 * of a problem it had. 1449 */ 1450 cp = pcap_geterr(pc); 1451 if (status == PCAP_WARNING) 1452 warning("%s", cp); 1453 else if (status == PCAP_WARNING_PROMISC_NOTSUP && 1454 *cp != '\0') 1455 warning("%s: %s\n(%s)", device, 1456 pcap_statustostr(status), cp); 1457 else 1458 warning("%s: %s", device, 1459 pcap_statustostr(status)); 1460 } 1461 #ifdef HAVE_PCAP_SETDIRECTION 1462 if (Qflag != -1) { 1463 status = pcap_setdirection(pc, Qflag); 1464 if (status != 0) 1465 error("%s: pcap_setdirection() failed: %s", 1466 device, pcap_geterr(pc)); 1467 } 1468 #endif /* HAVE_PCAP_SETDIRECTION */ 1469 #else /* HAVE_PCAP_CREATE */ 1470 *ebuf = '\0'; 1471 /* 1472 * If no snapshot length was specified, or a length of 0 was 1473 * specified, default to 256KB. 1474 */ 1475 if (ndo->ndo_snaplen == 0) 1476 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 1477 pc = pcap_open_live(device, ndo->ndo_snaplen, !pflag, timeout, ebuf); 1478 if (pc == NULL) { 1479 /* 1480 * If this failed with "No such device", that means 1481 * the interface doesn't exist; return NULL, so that 1482 * the caller can see whether the device name is 1483 * actually an interface index. 1484 */ 1485 if (strstr(ebuf, "No such device") != NULL) 1486 return (NULL); 1487 error("%s", ebuf); 1488 } 1489 if (*ebuf) 1490 warning("%s", ebuf); 1491 #endif /* HAVE_PCAP_CREATE */ 1492 1493 return (pc); 1494 } 1495 1496 int 1497 main(int argc, char **argv) 1498 { 1499 int cnt, op, i; 1500 bpf_u_int32 localnet = 0, netmask = 0; 1501 char *cp, *infile, *cmdbuf, *device, *RFileName, *VFileName, *WFileName; 1502 char *endp; 1503 pcap_handler callback; 1504 int dlt; 1505 const char *dlt_name; 1506 struct bpf_program fcode; 1507 #ifndef _WIN32 1508 void (*oldhandler)(int); 1509 #endif 1510 struct dump_info dumpinfo; 1511 u_char *pcap_userdata; 1512 char ebuf[PCAP_ERRBUF_SIZE]; 1513 char VFileLine[PATH_MAX + 1]; 1514 const char *username = NULL; 1515 #ifndef _WIN32 1516 const char *chroot_dir = NULL; 1517 #endif 1518 char *ret = NULL; 1519 char *end; 1520 #ifdef HAVE_PCAP_FINDALLDEVS 1521 pcap_if_t *devlist; 1522 long devnum; 1523 #endif 1524 int status; 1525 FILE *VFile; 1526 #ifdef HAVE_CAPSICUM 1527 cap_rights_t rights; 1528 int cansandbox; 1529 #endif /* HAVE_CAPSICUM */ 1530 int Oflag = 1; /* run filter code optimizer */ 1531 int yflag_dlt = -1; 1532 const char *yflag_dlt_name = NULL; 1533 int print = 0; 1534 1535 netdissect_options Ndo; 1536 netdissect_options *ndo = &Ndo; 1537 1538 /* 1539 * Initialize the netdissect code. 1540 */ 1541 if (nd_init(ebuf, sizeof(ebuf)) == -1) 1542 error("%s", ebuf); 1543 1544 memset(ndo, 0, sizeof(*ndo)); 1545 ndo_set_function_pointers(ndo); 1546 1547 cnt = -1; 1548 device = NULL; 1549 infile = NULL; 1550 RFileName = NULL; 1551 VFileName = NULL; 1552 VFile = NULL; 1553 WFileName = NULL; 1554 dlt = -1; 1555 if ((cp = strrchr(argv[0], PATH_SEPARATOR)) != NULL) 1556 ndo->program_name = program_name = cp + 1; 1557 else 1558 ndo->program_name = program_name = argv[0]; 1559 1560 #if defined(HAVE_PCAP_WSOCKINIT) 1561 if (pcap_wsockinit() != 0) 1562 error("Attempting to initialize Winsock failed"); 1563 #elif defined(HAVE_WSOCKINIT) 1564 if (wsockinit() != 0) 1565 error("Attempting to initialize Winsock failed"); 1566 #endif 1567 1568 /* 1569 * On platforms where the CPU doesn't support unaligned loads, 1570 * force unaligned accesses to abort with SIGBUS, rather than 1571 * being fixed up (slowly) by the OS kernel; on those platforms, 1572 * misaligned accesses are bugs, and we want tcpdump to crash so 1573 * that the bugs are reported. 1574 */ 1575 if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0) 1576 error("%s", ebuf); 1577 1578 /* 1579 * An explicit tzset() call is usually not needed as it happens 1580 * implicitly the first time we call localtime() or mktime(), 1581 * but in some cases (sandboxing, chroot) this may be too late. 1582 */ 1583 tzset(); 1584 1585 while ( 1586 (op = getopt_long(argc, argv, SHORTOPTS, longopts, NULL)) != -1) 1587 switch (op) { 1588 1589 case 'a': 1590 /* compatibility for old -a */ 1591 break; 1592 1593 case 'A': 1594 ++ndo->ndo_Aflag; 1595 break; 1596 1597 case 'b': 1598 ++ndo->ndo_bflag; 1599 break; 1600 1601 #if defined(HAVE_PCAP_CREATE) || defined(_WIN32) 1602 case 'B': 1603 Bflag = atoi(optarg)*1024; 1604 if (Bflag <= 0) 1605 error("invalid packet buffer size %s", optarg); 1606 break; 1607 #endif /* defined(HAVE_PCAP_CREATE) || defined(_WIN32) */ 1608 1609 case 'c': 1610 cnt = atoi(optarg); 1611 if (cnt <= 0) 1612 error("invalid packet count %s", optarg); 1613 break; 1614 1615 case 'C': 1616 errno = 0; 1617 #ifdef HAVE_PCAP_DUMP_FTELL64 1618 Cflag = strtoint64_t(optarg, &endp, 10); 1619 #else 1620 Cflag = strtol(optarg, &endp, 10); 1621 #endif 1622 if (endp == optarg || *endp != '\0' || errno != 0 1623 || Cflag <= 0) 1624 error("invalid file size %s", optarg); 1625 /* 1626 * Will multiplying it by 1000000 overflow? 1627 */ 1628 #ifdef HAVE_PCAP_DUMP_FTELL64 1629 if (Cflag > INT64_T_CONSTANT(0x7fffffffffffffff) / 1000000) 1630 #else 1631 if (Cflag > LONG_MAX / 1000000) 1632 #endif 1633 error("file size %s is too large", optarg); 1634 Cflag *= 1000000; 1635 break; 1636 1637 case 'd': 1638 ++dflag; 1639 break; 1640 1641 #ifdef HAVE_PCAP_FINDALLDEVS 1642 case 'D': 1643 Dflag++; 1644 break; 1645 #endif 1646 1647 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1648 case OPTION_LIST_REMOTE_INTERFACES: 1649 remote_interfaces_source = optarg; 1650 break; 1651 #endif 1652 1653 case 'L': 1654 Lflag++; 1655 break; 1656 1657 case 'e': 1658 ++ndo->ndo_eflag; 1659 break; 1660 1661 case 'E': 1662 #ifndef HAVE_LIBCRYPTO 1663 warning("crypto code not compiled in"); 1664 #endif 1665 ndo->ndo_espsecret = optarg; 1666 break; 1667 1668 case 'f': 1669 ++ndo->ndo_fflag; 1670 break; 1671 1672 case 'F': 1673 infile = optarg; 1674 break; 1675 1676 case 'G': 1677 Gflag = atoi(optarg); 1678 if (Gflag < 0) 1679 error("invalid number of seconds %s", optarg); 1680 1681 /* We will create one file initially. */ 1682 Gflag_count = 0; 1683 1684 /* Grab the current time for rotation use. */ 1685 if ((Gflag_time = time(NULL)) == (time_t)-1) { 1686 error("%s: can't get current time: %s", 1687 __func__, pcap_strerror(errno)); 1688 } 1689 break; 1690 1691 case 'h': 1692 print_usage(stdout); 1693 exit_tcpdump(S_SUCCESS); 1694 break; 1695 1696 case 'H': 1697 ++ndo->ndo_Hflag; 1698 break; 1699 1700 case 'i': 1701 device = optarg; 1702 break; 1703 1704 #ifdef HAVE_PCAP_CREATE 1705 case 'I': 1706 ++Iflag; 1707 break; 1708 #endif /* HAVE_PCAP_CREATE */ 1709 1710 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1711 case 'j': 1712 jflag = pcap_tstamp_type_name_to_val(optarg); 1713 if (jflag < 0) 1714 error("invalid time stamp type %s", optarg); 1715 break; 1716 1717 case 'J': 1718 Jflag++; 1719 break; 1720 #endif 1721 1722 case 'l': 1723 #ifdef _WIN32 1724 /* 1725 * _IOLBF is the same as _IOFBF in Microsoft's C 1726 * libraries; the only alternative they offer 1727 * is _IONBF. 1728 * 1729 * XXX - this should really be checking for MSVC++, 1730 * not _WIN32, if, for example, MinGW has its own 1731 * C library that is more UNIX-compatible. 1732 */ 1733 setvbuf(stdout, NULL, _IONBF, 0); 1734 #else /* _WIN32 */ 1735 #ifdef HAVE_SETLINEBUF 1736 setlinebuf(stdout); 1737 #else 1738 setvbuf(stdout, NULL, _IOLBF, 0); 1739 #endif 1740 #endif /* _WIN32 */ 1741 lflag = 1; 1742 break; 1743 1744 case 'K': 1745 ++ndo->ndo_Kflag; 1746 break; 1747 1748 case 'm': 1749 if (nd_have_smi_support()) { 1750 if (nd_load_smi_module(optarg, ebuf, sizeof(ebuf)) == -1) 1751 error("%s", ebuf); 1752 } else { 1753 (void)fprintf(stderr, "%s: ignoring option '-m %s' ", 1754 program_name, optarg); 1755 (void)fprintf(stderr, "(no libsmi support)\n"); 1756 } 1757 break; 1758 1759 case 'M': 1760 /* TCP-MD5 shared secret */ 1761 #ifndef HAVE_LIBCRYPTO 1762 warning("crypto code not compiled in"); 1763 #endif 1764 ndo->ndo_sigsecret = optarg; 1765 break; 1766 1767 case 'n': 1768 ++ndo->ndo_nflag; 1769 break; 1770 1771 case 'N': 1772 ++ndo->ndo_Nflag; 1773 break; 1774 1775 case 'O': 1776 Oflag = 0; 1777 break; 1778 1779 case 'p': 1780 ++pflag; 1781 break; 1782 1783 case 'q': 1784 ++ndo->ndo_qflag; 1785 ++ndo->ndo_suppress_default_print; 1786 break; 1787 1788 #ifdef HAVE_PCAP_SETDIRECTION 1789 case 'Q': 1790 if (ascii_strcasecmp(optarg, "in") == 0) 1791 Qflag = PCAP_D_IN; 1792 else if (ascii_strcasecmp(optarg, "out") == 0) 1793 Qflag = PCAP_D_OUT; 1794 else if (ascii_strcasecmp(optarg, "inout") == 0) 1795 Qflag = PCAP_D_INOUT; 1796 else 1797 error("unknown capture direction '%s'", optarg); 1798 break; 1799 #endif /* HAVE_PCAP_SETDIRECTION */ 1800 1801 case 'r': 1802 RFileName = optarg; 1803 break; 1804 1805 case 's': 1806 ndo->ndo_snaplen = (int)strtol(optarg, &end, 0); 1807 if (optarg == end || *end != '\0' 1808 || ndo->ndo_snaplen < 0 || ndo->ndo_snaplen > MAXIMUM_SNAPLEN) 1809 error("invalid snaplen %s (must be >= 0 and <= %d)", 1810 optarg, MAXIMUM_SNAPLEN); 1811 break; 1812 1813 case 'S': 1814 ++ndo->ndo_Sflag; 1815 break; 1816 1817 case 't': 1818 ++ndo->ndo_tflag; 1819 break; 1820 1821 case 'T': 1822 if (ascii_strcasecmp(optarg, "vat") == 0) 1823 ndo->ndo_packettype = PT_VAT; 1824 else if (ascii_strcasecmp(optarg, "wb") == 0) 1825 ndo->ndo_packettype = PT_WB; 1826 else if (ascii_strcasecmp(optarg, "rpc") == 0) 1827 ndo->ndo_packettype = PT_RPC; 1828 else if (ascii_strcasecmp(optarg, "rtp") == 0) 1829 ndo->ndo_packettype = PT_RTP; 1830 else if (ascii_strcasecmp(optarg, "rtcp") == 0) 1831 ndo->ndo_packettype = PT_RTCP; 1832 else if (ascii_strcasecmp(optarg, "snmp") == 0) 1833 ndo->ndo_packettype = PT_SNMP; 1834 else if (ascii_strcasecmp(optarg, "cnfp") == 0) 1835 ndo->ndo_packettype = PT_CNFP; 1836 else if (ascii_strcasecmp(optarg, "tftp") == 0) 1837 ndo->ndo_packettype = PT_TFTP; 1838 else if (ascii_strcasecmp(optarg, "aodv") == 0) 1839 ndo->ndo_packettype = PT_AODV; 1840 else if (ascii_strcasecmp(optarg, "carp") == 0) 1841 ndo->ndo_packettype = PT_CARP; 1842 else if (ascii_strcasecmp(optarg, "radius") == 0) 1843 ndo->ndo_packettype = PT_RADIUS; 1844 else if (ascii_strcasecmp(optarg, "zmtp1") == 0) 1845 ndo->ndo_packettype = PT_ZMTP1; 1846 else if (ascii_strcasecmp(optarg, "vxlan") == 0) 1847 ndo->ndo_packettype = PT_VXLAN; 1848 else if (ascii_strcasecmp(optarg, "pgm") == 0) 1849 ndo->ndo_packettype = PT_PGM; 1850 else if (ascii_strcasecmp(optarg, "pgm_zmtp1") == 0) 1851 ndo->ndo_packettype = PT_PGM_ZMTP1; 1852 else if (ascii_strcasecmp(optarg, "lmp") == 0) 1853 ndo->ndo_packettype = PT_LMP; 1854 else if (ascii_strcasecmp(optarg, "resp") == 0) 1855 ndo->ndo_packettype = PT_RESP; 1856 else if (ascii_strcasecmp(optarg, "ptp") == 0) 1857 ndo->ndo_packettype = PT_PTP; 1858 else if (ascii_strcasecmp(optarg, "someip") == 0) 1859 ndo->ndo_packettype = PT_SOMEIP; 1860 else if (ascii_strcasecmp(optarg, "domain") == 0) 1861 ndo->ndo_packettype = PT_DOMAIN; 1862 else 1863 error("unknown packet type '%s'", optarg); 1864 break; 1865 1866 case 'u': 1867 ++ndo->ndo_uflag; 1868 break; 1869 1870 #ifdef HAVE_PCAP_DUMP_FLUSH 1871 case 'U': 1872 ++Uflag; 1873 break; 1874 #endif 1875 1876 case 'v': 1877 ++ndo->ndo_vflag; 1878 break; 1879 1880 case 'V': 1881 VFileName = optarg; 1882 break; 1883 1884 case 'w': 1885 WFileName = optarg; 1886 break; 1887 1888 case 'W': 1889 Wflag = atoi(optarg); 1890 if (Wflag <= 0) 1891 error("invalid number of output files %s", optarg); 1892 WflagChars = getWflagChars(Wflag); 1893 break; 1894 1895 case 'x': 1896 ++ndo->ndo_xflag; 1897 ++ndo->ndo_suppress_default_print; 1898 break; 1899 1900 case 'X': 1901 ++ndo->ndo_Xflag; 1902 ++ndo->ndo_suppress_default_print; 1903 break; 1904 1905 case 'y': 1906 yflag_dlt_name = optarg; 1907 yflag_dlt = 1908 pcap_datalink_name_to_val(yflag_dlt_name); 1909 if (yflag_dlt < 0) 1910 error("invalid data link type %s", yflag_dlt_name); 1911 break; 1912 1913 #ifdef HAVE_PCAP_SET_PARSER_DEBUG 1914 case 'Y': 1915 { 1916 /* Undocumented flag */ 1917 pcap_set_parser_debug(1); 1918 } 1919 break; 1920 #endif 1921 case 'z': 1922 zflag = optarg; 1923 break; 1924 1925 case 'Z': 1926 username = optarg; 1927 break; 1928 1929 case '#': 1930 ndo->ndo_packet_number = 1; 1931 break; 1932 1933 case OPTION_VERSION: 1934 print_version(stdout); 1935 exit_tcpdump(S_SUCCESS); 1936 break; 1937 1938 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1939 case OPTION_TSTAMP_PRECISION: 1940 ndo->ndo_tstamp_precision = tstamp_precision_from_string(optarg); 1941 if (ndo->ndo_tstamp_precision < 0) 1942 error("unsupported time stamp precision"); 1943 break; 1944 #endif 1945 1946 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE 1947 case OPTION_IMMEDIATE_MODE: 1948 immediate_mode = 1; 1949 break; 1950 #endif 1951 1952 case OPTION_PRINT: 1953 print = 1; 1954 break; 1955 1956 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 1957 case OPTION_TSTAMP_MICRO: 1958 ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO; 1959 break; 1960 1961 case OPTION_TSTAMP_NANO: 1962 ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_NANO; 1963 break; 1964 #endif 1965 1966 case OPTION_FP_TYPE: 1967 /* 1968 * Print out the type of floating-point arithmetic 1969 * we're doing; it's probably IEEE, unless somebody 1970 * tries to run this on a VAX, but the precision 1971 * may differ (e.g., it might be 32-bit, 64-bit, 1972 * or 80-bit). 1973 */ 1974 float_type_check(0x4e93312d); 1975 return 0; 1976 1977 case OPTION_COUNT: 1978 count_mode = 1; 1979 break; 1980 1981 default: 1982 print_usage(stderr); 1983 exit_tcpdump(S_ERR_HOST_PROGRAM); 1984 /* NOTREACHED */ 1985 } 1986 1987 #ifdef HAVE_PCAP_FINDALLDEVS 1988 if (Dflag) 1989 show_devices_and_exit(); 1990 #endif 1991 #ifdef HAVE_PCAP_FINDALLDEVS_EX 1992 if (remote_interfaces_source != NULL) 1993 show_remote_devices_and_exit(); 1994 #endif 1995 1996 switch (ndo->ndo_tflag) { 1997 1998 case 0: /* Default */ 1999 case 1: /* No time stamp */ 2000 case 2: /* Unix timeval style */ 2001 case 3: /* Microseconds/nanoseconds since previous packet */ 2002 case 4: /* Date + Default */ 2003 case 5: /* Microseconds/nanoseconds since first packet */ 2004 break; 2005 2006 default: /* Not supported */ 2007 error("only -t, -tt, -ttt, -tttt and -ttttt are supported"); 2008 break; 2009 } 2010 2011 if (ndo->ndo_fflag != 0 && (VFileName != NULL || RFileName != NULL)) 2012 error("-f can not be used with -V or -r"); 2013 2014 if (VFileName != NULL && RFileName != NULL) 2015 error("-V and -r are mutually exclusive."); 2016 2017 /* 2018 * If we're printing dissected packets to the standard output, 2019 * and either the standard output is a terminal or we're doing 2020 * "line" buffering, set the capture timeout to .1 second rather 2021 * than 1 second, as the user's probably expecting to see packets 2022 * pop up immediately shortly after they arrive. 2023 * 2024 * XXX - would there be some value appropriate for all cases, 2025 * based on, say, the buffer size and packet input rate? 2026 */ 2027 if ((WFileName == NULL || print) && (isatty(1) || lflag)) 2028 timeout = 100; 2029 2030 #ifdef WITH_CHROOT 2031 /* if run as root, prepare for chrooting */ 2032 if (getuid() == 0 || geteuid() == 0) { 2033 /* future extensibility for cmd-line arguments */ 2034 if (!chroot_dir) 2035 chroot_dir = WITH_CHROOT; 2036 } 2037 #endif 2038 2039 #ifdef WITH_USER 2040 /* if run as root, prepare for dropping root privileges */ 2041 if (getuid() == 0 || geteuid() == 0) { 2042 /* Run with '-Z root' to restore old behaviour */ 2043 if (!username) 2044 username = WITH_USER; 2045 else if (strcmp(username, "root") == 0) 2046 username = NULL; 2047 } 2048 #endif 2049 2050 if (RFileName != NULL || VFileName != NULL) { 2051 /* 2052 * If RFileName is non-null, it's the pathname of a 2053 * savefile to read. If VFileName is non-null, it's 2054 * the pathname of a file containing a list of pathnames 2055 * (one per line) of savefiles to read. 2056 * 2057 * In either case, we're reading a savefile, not doing 2058 * a live capture. 2059 */ 2060 #ifndef _WIN32 2061 /* 2062 * We don't need network access, so relinquish any set-UID 2063 * or set-GID privileges we have (if any). 2064 * 2065 * We do *not* want set-UID privileges when opening a 2066 * trace file, as that might let the user read other 2067 * people's trace files (especially if we're set-UID 2068 * root). 2069 */ 2070 if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ) 2071 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 2072 #endif /* _WIN32 */ 2073 if (VFileName != NULL) { 2074 if (VFileName[0] == '-' && VFileName[1] == '\0') 2075 VFile = stdin; 2076 else 2077 VFile = fopen(VFileName, "r"); 2078 2079 if (VFile == NULL) 2080 error("Unable to open file: %s\n", pcap_strerror(errno)); 2081 2082 ret = get_next_file(VFile, VFileLine); 2083 if (!ret) 2084 error("Nothing in %s\n", VFileName); 2085 RFileName = VFileLine; 2086 } 2087 2088 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 2089 pd = pcap_open_offline_with_tstamp_precision(RFileName, 2090 ndo->ndo_tstamp_precision, ebuf); 2091 #else 2092 pd = pcap_open_offline(RFileName, ebuf); 2093 #endif 2094 2095 if (pd == NULL) 2096 error("%s", ebuf); 2097 #ifdef HAVE_CAPSICUM 2098 cap_rights_init(&rights, CAP_READ); 2099 if (cap_rights_limit(fileno(pcap_file(pd)), &rights) < 0 && 2100 errno != ENOSYS) { 2101 error("unable to limit pcap descriptor"); 2102 } 2103 #endif 2104 dlt = pcap_datalink(pd); 2105 dlt_name = pcap_datalink_val_to_name(dlt); 2106 fprintf(stderr, "reading from file %s", RFileName); 2107 if (dlt_name == NULL) { 2108 fprintf(stderr, ", link-type %u", dlt); 2109 } else { 2110 fprintf(stderr, ", link-type %s (%s)", dlt_name, 2111 pcap_datalink_val_to_description(dlt)); 2112 } 2113 fprintf(stderr, ", snapshot length %d\n", pcap_snapshot(pd)); 2114 #ifdef DLT_LINUX_SLL2 2115 if (dlt == DLT_LINUX_SLL2) 2116 fprintf(stderr, "Warning: interface names might be incorrect\n"); 2117 #endif 2118 } else if (dflag && !device) { 2119 int dump_dlt = DLT_EN10MB; 2120 /* 2121 * We're dumping the compiled code without an explicit 2122 * device specification. (If a device is specified, we 2123 * definitely want to open it to use the DLT of that device.) 2124 * Either default to DLT_EN10MB with a warning, or use 2125 * the user-specified value if supplied. 2126 */ 2127 /* 2128 * If no snapshot length was specified, or a length of 0 was 2129 * specified, default to 256KB. 2130 */ 2131 if (ndo->ndo_snaplen == 0) 2132 ndo->ndo_snaplen = MAXIMUM_SNAPLEN; 2133 /* 2134 * If a DLT was specified with the -y flag, use that instead. 2135 */ 2136 if (yflag_dlt != -1) 2137 dump_dlt = yflag_dlt; 2138 else 2139 fprintf(stderr, "Warning: assuming Ethernet\n"); 2140 pd = pcap_open_dead(dump_dlt, ndo->ndo_snaplen); 2141 } else { 2142 /* 2143 * We're doing a live capture. 2144 */ 2145 if (device == NULL) { 2146 /* 2147 * No interface was specified. Pick one. 2148 */ 2149 #ifdef HAVE_PCAP_FINDALLDEVS 2150 /* 2151 * Find the list of interfaces, and pick 2152 * the first interface. 2153 */ 2154 if (pcap_findalldevs(&devlist, ebuf) == -1) 2155 error("%s", ebuf); 2156 if (devlist == NULL) 2157 error("no interfaces available for capture"); 2158 device = strdup(devlist->name); 2159 pcap_freealldevs(devlist); 2160 #else /* HAVE_PCAP_FINDALLDEVS */ 2161 /* 2162 * Use whatever interface pcap_lookupdev() 2163 * chooses. 2164 */ 2165 device = pcap_lookupdev(ebuf); 2166 if (device == NULL) 2167 error("%s", ebuf); 2168 #endif 2169 } 2170 2171 /* 2172 * Try to open the interface with the specified name. 2173 */ 2174 pd = open_interface(device, ndo, ebuf); 2175 if (pd == NULL) { 2176 /* 2177 * That failed. If we can get a list of 2178 * interfaces, and the interface name 2179 * is purely numeric, try to use it as 2180 * a 1-based index in the list of 2181 * interfaces. 2182 */ 2183 #ifdef HAVE_PCAP_FINDALLDEVS 2184 devnum = parse_interface_number(device); 2185 if (devnum == -1) { 2186 /* 2187 * It's not a number; just report 2188 * the open error and fail. 2189 */ 2190 error("%s", ebuf); 2191 } 2192 2193 /* 2194 * OK, it's a number; try to find the 2195 * interface with that index, and try 2196 * to open it. 2197 * 2198 * find_interface_by_number() exits if it 2199 * couldn't be found. 2200 */ 2201 device = find_interface_by_number(device, devnum); 2202 pd = open_interface(device, ndo, ebuf); 2203 if (pd == NULL) 2204 error("%s", ebuf); 2205 #else /* HAVE_PCAP_FINDALLDEVS */ 2206 /* 2207 * We can't get a list of interfaces; just 2208 * fail. 2209 */ 2210 error("%s", ebuf); 2211 #endif /* HAVE_PCAP_FINDALLDEVS */ 2212 } 2213 2214 /* 2215 * Let user own process after capture device has 2216 * been opened. 2217 */ 2218 #ifndef _WIN32 2219 if (setgid(getgid()) != 0 || setuid(getuid()) != 0) 2220 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 2221 #endif /* _WIN32 */ 2222 #if !defined(HAVE_PCAP_CREATE) && defined(_WIN32) 2223 if(Bflag != 0) 2224 if(pcap_setbuff(pd, Bflag)==-1){ 2225 error("%s", pcap_geterr(pd)); 2226 } 2227 #endif /* !defined(HAVE_PCAP_CREATE) && defined(_WIN32) */ 2228 if (Lflag) 2229 show_dlts_and_exit(pd, device); 2230 if (yflag_dlt >= 0) { 2231 #ifdef HAVE_PCAP_SET_DATALINK 2232 if (pcap_set_datalink(pd, yflag_dlt) < 0) 2233 error("%s", pcap_geterr(pd)); 2234 #else 2235 /* 2236 * We don't actually support changing the 2237 * data link type, so we only let them 2238 * set it to what it already is. 2239 */ 2240 if (yflag_dlt != pcap_datalink(pd)) { 2241 error("%s is not one of the DLTs supported by this device\n", 2242 yflag_dlt_name); 2243 } 2244 #endif 2245 (void)fprintf(stderr, "%s: data link type %s\n", 2246 program_name, 2247 pcap_datalink_val_to_name(yflag_dlt)); 2248 (void)fflush(stderr); 2249 } 2250 #if defined(DLT_LINUX_SLL2) && defined(HAVE_PCAP_SET_DATALINK) 2251 else { 2252 /* 2253 * Attempt to set default linktype to 2254 * DLT_LINUX_SLL2 when capturing on the 2255 * "any" device. 2256 * 2257 * If the attempt fails, just quietly drive 2258 * on; this may be a non-Linux "any" device 2259 * that doesn't support DLT_LINUX_SLL2. 2260 */ 2261 if (strcmp(device, "any") == 0) { 2262 DIAG_OFF_WARN_UNUSED_RESULT 2263 (void) pcap_set_datalink(pd, DLT_LINUX_SLL2); 2264 DIAG_ON_WARN_UNUSED_RESULT 2265 } 2266 } 2267 #endif 2268 i = pcap_snapshot(pd); 2269 if (ndo->ndo_snaplen < i) { 2270 if (ndo->ndo_snaplen != 0) 2271 warning("snaplen raised from %d to %d", ndo->ndo_snaplen, i); 2272 ndo->ndo_snaplen = i; 2273 } else if (ndo->ndo_snaplen > i) { 2274 warning("snaplen lowered from %d to %d", ndo->ndo_snaplen, i); 2275 ndo->ndo_snaplen = i; 2276 } 2277 if(ndo->ndo_fflag != 0) { 2278 if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) { 2279 warning("foreign (-f) flag used but: %s", ebuf); 2280 } 2281 } 2282 2283 } 2284 if (infile) 2285 cmdbuf = read_infile(infile); 2286 else 2287 cmdbuf = copy_argv(&argv[optind]); 2288 2289 #ifdef HAVE_PCAP_SET_OPTIMIZER_DEBUG 2290 pcap_set_optimizer_debug(dflag); 2291 #endif 2292 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2293 error("%s", pcap_geterr(pd)); 2294 if (dflag) { 2295 bpf_dump(&fcode, dflag); 2296 pcap_close(pd); 2297 free(cmdbuf); 2298 pcap_freecode(&fcode); 2299 exit_tcpdump(S_SUCCESS); 2300 } 2301 2302 #ifdef HAVE_CASPER 2303 if (!ndo->ndo_nflag) 2304 capdns = capdns_setup(); 2305 #endif /* HAVE_CASPER */ 2306 2307 init_print(ndo, localnet, netmask); 2308 2309 #ifndef _WIN32 2310 (void)setsignal(SIGPIPE, cleanup); 2311 (void)setsignal(SIGTERM, cleanup); 2312 #endif /* _WIN32 */ 2313 (void)setsignal(SIGINT, cleanup); 2314 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2315 (void)setsignal(SIGCHLD, child_cleanup); 2316 #endif 2317 /* Cooperate with nohup(1) */ 2318 #ifndef _WIN32 2319 /* 2320 * In illumos /usr/include/sys/iso/signal_iso.h causes Clang to 2321 * generate a -Wstrict-prototypes warning here, see [1]. The 2322 * __illumos__ macro is available since at least GCC 11 and Clang 13, 2323 * see [2]. 2324 * 1: https://www.illumos.org/issues/16344 2325 * 2: https://www.illumos.org/issues/13726 2326 */ 2327 #ifdef __illumos__ 2328 DIAG_OFF_STRICT_PROTOTYPES 2329 #endif /* __illumos__ */ 2330 if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL) 2331 #ifdef __illumos__ 2332 DIAG_ON_STRICT_PROTOTYPES 2333 #endif /* __illumos__ */ 2334 (void)setsignal(SIGHUP, oldhandler); 2335 #endif /* _WIN32 */ 2336 2337 #ifndef _WIN32 2338 /* 2339 * If a user name was specified with "-Z", attempt to switch to 2340 * that user's UID. This would probably be used with sudo, 2341 * to allow tcpdump to be run in a special restricted 2342 * account (if you just want to allow users to open capture 2343 * devices, and can't just give users that permission, 2344 * you'd make tcpdump set-UID or set-GID). 2345 * 2346 * Tcpdump doesn't necessarily write only to one savefile; 2347 * the general only way to allow a -Z instance to write to 2348 * savefiles as the user under whose UID it's run, rather 2349 * than as the user specified with -Z, would thus be to switch 2350 * to the original user ID before opening a capture file and 2351 * then switch back to the -Z user ID after opening the savefile. 2352 * Switching to the -Z user ID only after opening the first 2353 * savefile doesn't handle the general case. 2354 */ 2355 2356 if (getuid() == 0 || geteuid() == 0) { 2357 #ifdef HAVE_LIBCAP_NG 2358 /* Initialize capng */ 2359 capng_clear(CAPNG_SELECT_BOTH); 2360 if (username) { 2361 DIAG_OFF_ASSIGN_ENUM 2362 capng_updatev( 2363 CAPNG_ADD, 2364 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2365 CAP_SETUID, 2366 CAP_SETGID, 2367 -1); 2368 DIAG_ON_ASSIGN_ENUM 2369 } 2370 if (chroot_dir) { 2371 DIAG_OFF_ASSIGN_ENUM 2372 capng_update( 2373 CAPNG_ADD, 2374 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2375 CAP_SYS_CHROOT 2376 ); 2377 DIAG_ON_ASSIGN_ENUM 2378 } 2379 2380 if (WFileName) { 2381 DIAG_OFF_ASSIGN_ENUM 2382 capng_update( 2383 CAPNG_ADD, 2384 CAPNG_PERMITTED | CAPNG_EFFECTIVE, 2385 CAP_DAC_OVERRIDE 2386 ); 2387 DIAG_ON_ASSIGN_ENUM 2388 } 2389 capng_apply(CAPNG_SELECT_BOTH); 2390 #endif /* HAVE_LIBCAP_NG */ 2391 if (username || chroot_dir) { 2392 #ifndef HAVE_LIBCAP_NG 2393 if (!WFileName) 2394 #endif 2395 droproot(username, chroot_dir); 2396 } 2397 } 2398 #endif /* _WIN32 */ 2399 2400 if (pcap_setfilter(pd, &fcode) < 0) 2401 error("%s", pcap_geterr(pd)); 2402 #ifdef HAVE_CAPSICUM 2403 if (RFileName == NULL && VFileName == NULL && pcap_fileno(pd) != -1) { 2404 static const unsigned long cmds[] = { BIOCGSTATS, BIOCROTZBUF }; 2405 2406 /* 2407 * The various libpcap devices use a combination of 2408 * read (bpf), ioctl (bpf, netmap), poll (netmap) 2409 * so we add the relevant access rights. 2410 */ 2411 cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_EVENT); 2412 if (cap_rights_limit(pcap_fileno(pd), &rights) < 0 && 2413 errno != ENOSYS) { 2414 error("unable to limit pcap descriptor"); 2415 } 2416 if (cap_ioctls_limit(pcap_fileno(pd), cmds, 2417 sizeof(cmds) / sizeof(cmds[0])) < 0 && errno != ENOSYS) { 2418 error("unable to limit ioctls on pcap descriptor"); 2419 } 2420 } 2421 #endif 2422 if (WFileName) { 2423 /* Do not exceed the default PATH_MAX for files. */ 2424 dumpinfo.CurrentFileName = (char *)malloc(PATH_MAX + 1); 2425 2426 if (dumpinfo.CurrentFileName == NULL) 2427 error("malloc of dumpinfo.CurrentFileName"); 2428 2429 /* We do not need numbering for dumpfiles if Cflag isn't set. */ 2430 if (Cflag != 0) 2431 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars); 2432 else 2433 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0); 2434 2435 pdd = pcap_dump_open(pd, dumpinfo.CurrentFileName); 2436 #ifdef HAVE_LIBCAP_NG 2437 /* Give up CAP_DAC_OVERRIDE capability. 2438 * Only allow it to be restored if the -C or -G flag have been 2439 * set since we may need to create more files later on. 2440 */ 2441 capng_update( 2442 CAPNG_DROP, 2443 (Cflag || Gflag ? 0 : CAPNG_PERMITTED) 2444 | CAPNG_EFFECTIVE, 2445 CAP_DAC_OVERRIDE 2446 ); 2447 capng_apply(CAPNG_SELECT_BOTH); 2448 #endif /* HAVE_LIBCAP_NG */ 2449 if (pdd == NULL) 2450 error("%s", pcap_geterr(pd)); 2451 #ifdef HAVE_CAPSICUM 2452 set_dumper_capsicum_rights(pdd); 2453 #endif 2454 if (Cflag != 0 || Gflag != 0) { 2455 #ifdef HAVE_CAPSICUM 2456 /* 2457 * basename() and dirname() may modify their input buffer 2458 * and they do since FreeBSD 12.0, but they didn't before. 2459 * Hence use the return value only, but always assume the 2460 * input buffer has been modified and would need to be 2461 * reset before the next use. 2462 */ 2463 char *WFileName_copy; 2464 2465 if ((WFileName_copy = strdup(WFileName)) == NULL) { 2466 error("Unable to allocate memory for file %s", 2467 WFileName); 2468 } 2469 DIAG_OFF_C11_EXTENSIONS 2470 dumpinfo.WFileName = strdup(basename(WFileName_copy)); 2471 DIAG_ON_C11_EXTENSIONS 2472 if (dumpinfo.WFileName == NULL) { 2473 error("Unable to allocate memory for file %s", 2474 WFileName); 2475 } 2476 free(WFileName_copy); 2477 2478 if ((WFileName_copy = strdup(WFileName)) == NULL) { 2479 error("Unable to allocate memory for file %s", 2480 WFileName); 2481 } 2482 DIAG_OFF_C11_EXTENSIONS 2483 char *WFileName_dirname = dirname(WFileName_copy); 2484 DIAG_ON_C11_EXTENSIONS 2485 dumpinfo.dirfd = open(WFileName_dirname, 2486 O_DIRECTORY | O_RDONLY); 2487 if (dumpinfo.dirfd < 0) { 2488 error("unable to open directory %s", 2489 WFileName_dirname); 2490 } 2491 free(WFileName_dirname); 2492 free(WFileName_copy); 2493 2494 cap_rights_init(&rights, CAP_CREATE, CAP_FCNTL, 2495 CAP_FTRUNCATE, CAP_LOOKUP, CAP_SEEK, CAP_WRITE); 2496 if (cap_rights_limit(dumpinfo.dirfd, &rights) < 0 && 2497 errno != ENOSYS) { 2498 error("unable to limit directory rights"); 2499 } 2500 if (cap_fcntls_limit(dumpinfo.dirfd, CAP_FCNTL_GETFL) < 0 && 2501 errno != ENOSYS) { 2502 error("unable to limit dump descriptor fcntls"); 2503 } 2504 #else /* !HAVE_CAPSICUM */ 2505 dumpinfo.WFileName = WFileName; 2506 #endif 2507 callback = dump_packet_and_trunc; 2508 dumpinfo.pd = pd; 2509 dumpinfo.pdd = pdd; 2510 pcap_userdata = (u_char *)&dumpinfo; 2511 } else { 2512 callback = dump_packet; 2513 dumpinfo.WFileName = WFileName; 2514 dumpinfo.pd = pd; 2515 dumpinfo.pdd = pdd; 2516 pcap_userdata = (u_char *)&dumpinfo; 2517 } 2518 if (print) { 2519 dlt = pcap_datalink(pd); 2520 ndo->ndo_if_printer = get_if_printer(dlt); 2521 dumpinfo.ndo = ndo; 2522 } else 2523 dumpinfo.ndo = NULL; 2524 2525 #ifdef HAVE_PCAP_DUMP_FLUSH 2526 if (Uflag) 2527 pcap_dump_flush(pdd); 2528 #endif 2529 } else { 2530 dlt = pcap_datalink(pd); 2531 ndo->ndo_if_printer = get_if_printer(dlt); 2532 callback = print_packet; 2533 pcap_userdata = (u_char *)ndo; 2534 } 2535 2536 #ifdef SIGNAL_REQ_INFO 2537 /* 2538 * We can't get statistics when reading from a file rather 2539 * than capturing from a device. 2540 */ 2541 if (RFileName == NULL) 2542 (void)setsignal(SIGNAL_REQ_INFO, requestinfo); 2543 #endif 2544 #ifdef SIGNAL_FLUSH_PCAP 2545 (void)setsignal(SIGNAL_FLUSH_PCAP, flushpcap); 2546 #endif 2547 2548 if (ndo->ndo_vflag > 0 && WFileName && RFileName == NULL && !print) { 2549 /* 2550 * When capturing to a file, if "--print" wasn't specified, 2551 *"-v" means tcpdump should, once per second, 2552 * "v"erbosely report the number of packets captured. 2553 * Except when reading from a file, because -r, -w and -v 2554 * together used to make a corner case, in which pcap_loop() 2555 * errored due to EINTR (see GH #155 for details). 2556 */ 2557 #ifdef _WIN32 2558 /* 2559 * https://blogs.msdn.microsoft.com/oldnewthing/20151230-00/?p=92741 2560 * 2561 * suggests that this dates back to W2K. 2562 * 2563 * I don't know what a "long wait" is, but we'll assume 2564 * that printing the stats could be a "long wait". 2565 */ 2566 CreateTimerQueueTimer(&timer_handle, NULL, 2567 verbose_stats_dump, NULL, 1000, 1000, 2568 WT_EXECUTEDEFAULT|WT_EXECUTELONGFUNCTION); 2569 setvbuf(stderr, NULL, _IONBF, 0); 2570 #else /* _WIN32 */ 2571 /* 2572 * Assume this is UN*X, and that it has setitimer(); that 2573 * dates back to UNIX 95. 2574 */ 2575 struct itimerval timer; 2576 (void)setsignal(SIGALRM, verbose_stats_dump); 2577 timer.it_interval.tv_sec = 1; 2578 timer.it_interval.tv_usec = 0; 2579 timer.it_value.tv_sec = 1; 2580 timer.it_value.tv_usec = 1; 2581 setitimer(ITIMER_REAL, &timer, NULL); 2582 #endif /* _WIN32 */ 2583 } 2584 2585 if (RFileName == NULL) { 2586 /* 2587 * Live capture (if -V was specified, we set RFileName 2588 * to a file from the -V file). Print a message to 2589 * the standard error on UN*X. 2590 */ 2591 if (!ndo->ndo_vflag && !WFileName) { 2592 (void)fprintf(stderr, 2593 "%s: verbose output suppressed, use -v[v]... for full protocol decode\n", 2594 program_name); 2595 } else 2596 (void)fprintf(stderr, "%s: ", program_name); 2597 dlt = pcap_datalink(pd); 2598 dlt_name = pcap_datalink_val_to_name(dlt); 2599 (void)fprintf(stderr, "listening on %s", device); 2600 if (dlt_name == NULL) { 2601 (void)fprintf(stderr, ", link-type %u", dlt); 2602 } else { 2603 (void)fprintf(stderr, ", link-type %s (%s)", dlt_name, 2604 pcap_datalink_val_to_description(dlt)); 2605 } 2606 (void)fprintf(stderr, ", snapshot length %d bytes\n", ndo->ndo_snaplen); 2607 (void)fflush(stderr); 2608 } 2609 2610 /* 2611 * If a user name was specified with "-Z", attempt to switch to 2612 * that user's UID. This would probably be used with sudo, 2613 * to allow tcpdump to be run in a special restricted 2614 * account (if you just want to allow users to open capture 2615 * devices, and can't just give users that permission, 2616 * you'd make tcpdump set-UID or set-GID). 2617 * 2618 * Tcpdump doesn't necessarily write only to one savefile; 2619 * the general only way to allow a -Z instance to write to 2620 * savefiles as the user under whose UID it's run, rather 2621 * than as the user specified with -Z, would thus be to switch 2622 * to the original user ID before opening a capture file and 2623 * then switch back to the -Z user ID after opening the savefile. 2624 * Switching to the -Z user ID only after opening the first 2625 * savefile doesn't handle the general case. 2626 */ 2627 if (getuid() == 0 || geteuid() == 0) { 2628 if (username || chroot_dir) 2629 droproot(username, chroot_dir); 2630 } 2631 2632 #ifdef HAVE_CAPSICUM 2633 cansandbox = (VFileName == NULL && zflag == NULL); 2634 #ifdef HAVE_CASPER 2635 cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL)); 2636 #else 2637 cansandbox = (cansandbox && ndo->ndo_nflag); 2638 #endif /* HAVE_CASPER */ 2639 cansandbox = (cansandbox && (pcap_fileno(pd) != -1 || 2640 RFileName != NULL)); 2641 2642 if (cansandbox && cap_enter() < 0 && errno != ENOSYS) 2643 error("unable to enter the capability mode"); 2644 #endif /* HAVE_CAPSICUM */ 2645 2646 do { 2647 status = pcap_loop(pd, cnt, callback, pcap_userdata); 2648 if (WFileName == NULL) { 2649 /* 2650 * We're printing packets. Flush the printed output, 2651 * so it doesn't get intermingled with error output. 2652 */ 2653 if (status == -2) { 2654 /* 2655 * We got interrupted, so perhaps we didn't 2656 * manage to finish a line we were printing. 2657 * Print an extra newline, just in case. 2658 */ 2659 putchar('\n'); 2660 } 2661 (void)fflush(stdout); 2662 } 2663 if (status == -2) { 2664 /* 2665 * We got interrupted. If we are reading multiple 2666 * files (via -V) set these so that we stop. 2667 */ 2668 VFileName = NULL; 2669 ret = NULL; 2670 } 2671 if (status == -1) { 2672 /* 2673 * Error. Report it. 2674 */ 2675 (void)fprintf(stderr, "%s: pcap_loop: %s\n", 2676 program_name, pcap_geterr(pd)); 2677 } 2678 if (RFileName == NULL) { 2679 /* 2680 * We're doing a live capture. Report the capture 2681 * statistics. 2682 */ 2683 info(1); 2684 } 2685 pcap_close(pd); 2686 if (VFileName != NULL) { 2687 ret = get_next_file(VFile, VFileLine); 2688 if (ret) { 2689 int new_dlt; 2690 2691 RFileName = VFileLine; 2692 pd = pcap_open_offline(RFileName, ebuf); 2693 if (pd == NULL) 2694 error("%s", ebuf); 2695 #ifdef HAVE_CAPSICUM 2696 cap_rights_init(&rights, CAP_READ); 2697 if (cap_rights_limit(fileno(pcap_file(pd)), 2698 &rights) < 0 && errno != ENOSYS) { 2699 error("unable to limit pcap descriptor"); 2700 } 2701 #endif 2702 new_dlt = pcap_datalink(pd); 2703 if (new_dlt != dlt) { 2704 /* 2705 * The new file has a different 2706 * link-layer header type from the 2707 * previous one. 2708 */ 2709 if (WFileName != NULL) { 2710 /* 2711 * We're writing raw packets 2712 * that match the filter to 2713 * a pcap file. pcap files 2714 * don't support multiple 2715 * different link-layer 2716 * header types, so we fail 2717 * here. 2718 */ 2719 error("%s: new dlt does not match original", RFileName); 2720 } 2721 2722 /* 2723 * We're printing the decoded packets; 2724 * switch to the new DLT. 2725 * 2726 * To do that, we need to change 2727 * the printer, change the DLT name, 2728 * and recompile the filter with 2729 * the new DLT. 2730 */ 2731 dlt = new_dlt; 2732 ndo->ndo_if_printer = get_if_printer(dlt); 2733 /* Free the old filter */ 2734 pcap_freecode(&fcode); 2735 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 2736 error("%s", pcap_geterr(pd)); 2737 } 2738 2739 /* 2740 * Set the filter on the new file. 2741 */ 2742 if (pcap_setfilter(pd, &fcode) < 0) 2743 error("%s", pcap_geterr(pd)); 2744 2745 /* 2746 * Report the new file. 2747 */ 2748 dlt_name = pcap_datalink_val_to_name(dlt); 2749 fprintf(stderr, "reading from file %s", RFileName); 2750 if (dlt_name == NULL) { 2751 fprintf(stderr, ", link-type %u", dlt); 2752 } else { 2753 fprintf(stderr, ", link-type %s (%s)", 2754 dlt_name, 2755 pcap_datalink_val_to_description(dlt)); 2756 } 2757 fprintf(stderr, ", snapshot length %d\n", pcap_snapshot(pd)); 2758 } 2759 } 2760 } 2761 while (ret != NULL); 2762 2763 if (count_mode && RFileName != NULL) 2764 fprintf(stdout, "%u packet%s\n", packets_captured, 2765 PLURAL_SUFFIX(packets_captured)); 2766 2767 free(cmdbuf); 2768 pcap_freecode(&fcode); 2769 exit_tcpdump(status == -1 ? S_ERR_HOST_PROGRAM : S_SUCCESS); 2770 } 2771 2772 /* 2773 * Catch a signal. 2774 */ 2775 static void 2776 (*setsignal (int sig, void (*func)(int)))(int) 2777 { 2778 #ifdef _WIN32 2779 return (signal(sig, func)); 2780 #else 2781 struct sigaction old, new; 2782 2783 memset(&new, 0, sizeof(new)); 2784 new.sa_handler = func; 2785 if ((sig == SIGCHLD) 2786 # ifdef SIGNAL_REQ_INFO 2787 || (sig == SIGNAL_REQ_INFO) 2788 # endif 2789 # ifdef SIGNAL_FLUSH_PCAP 2790 || (sig == SIGNAL_FLUSH_PCAP) 2791 # endif 2792 ) 2793 new.sa_flags = SA_RESTART; 2794 if (sigaction(sig, &new, &old) < 0) 2795 /* The same workaround as for SIG_DFL above. */ 2796 #ifdef __illumos__ 2797 DIAG_OFF_STRICT_PROTOTYPES 2798 #endif /* __illumos__ */ 2799 return (SIG_ERR); 2800 #ifdef __illumos__ 2801 DIAG_ON_STRICT_PROTOTYPES 2802 #endif /* __illumos__ */ 2803 return (old.sa_handler); 2804 #endif 2805 } 2806 2807 /* make a clean exit on interrupts */ 2808 static void 2809 cleanup(int signo _U_) 2810 { 2811 #ifdef _WIN32 2812 if (timer_handle != INVALID_HANDLE_VALUE) { 2813 DeleteTimerQueueTimer(NULL, timer_handle, NULL); 2814 CloseHandle(timer_handle); 2815 timer_handle = INVALID_HANDLE_VALUE; 2816 } 2817 #else /* _WIN32 */ 2818 struct itimerval timer; 2819 2820 timer.it_interval.tv_sec = 0; 2821 timer.it_interval.tv_usec = 0; 2822 timer.it_value.tv_sec = 0; 2823 timer.it_value.tv_usec = 0; 2824 setitimer(ITIMER_REAL, &timer, NULL); 2825 #endif /* _WIN32 */ 2826 2827 #ifdef HAVE_PCAP_BREAKLOOP 2828 /* 2829 * We have "pcap_breakloop()"; use it, so that we do as little 2830 * as possible in the signal handler (it's probably not safe 2831 * to do anything with standard I/O streams in a signal handler - 2832 * the ANSI C standard doesn't say it is). 2833 */ 2834 pcap_breakloop(pd); 2835 #else 2836 /* 2837 * We don't have "pcap_breakloop()"; this isn't safe, but 2838 * it's the best we can do. Print the summary if we're 2839 * not reading from a savefile - i.e., if we're doing a 2840 * live capture - and exit. 2841 */ 2842 if (pd != NULL && pcap_file(pd) == NULL) { 2843 /* 2844 * We got interrupted, so perhaps we didn't 2845 * manage to finish a line we were printing. 2846 * Print an extra newline, just in case. 2847 */ 2848 putchar('\n'); 2849 (void)fflush(stdout); 2850 info(1); 2851 } 2852 exit_tcpdump(S_SUCCESS); 2853 #endif 2854 } 2855 2856 /* 2857 On windows, we do not use a fork, so we do not care less about 2858 waiting a child processes to die 2859 */ 2860 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2861 static void 2862 child_cleanup(int signo _U_) 2863 { 2864 while (waitpid(-1, NULL, WNOHANG) >= 0); 2865 } 2866 #endif /* HAVE_FORK && HAVE_VFORK */ 2867 2868 static void 2869 info(int verbose) 2870 { 2871 struct pcap_stat stats; 2872 2873 /* 2874 * Older versions of libpcap didn't set ps_ifdrop on some 2875 * platforms; initialize it to 0 to handle that. 2876 */ 2877 stats.ps_ifdrop = 0; 2878 if (pcap_stats(pd, &stats) < 0) { 2879 (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd)); 2880 infoprint = 0; 2881 return; 2882 } 2883 2884 if (!verbose) 2885 fprintf(stderr, "%s: ", program_name); 2886 2887 (void)fprintf(stderr, "%u packet%s captured", packets_captured, 2888 PLURAL_SUFFIX(packets_captured)); 2889 if (!verbose) 2890 fputs(", ", stderr); 2891 else 2892 putc('\n', stderr); 2893 (void)fprintf(stderr, "%u packet%s received by filter", stats.ps_recv, 2894 PLURAL_SUFFIX(stats.ps_recv)); 2895 if (!verbose) 2896 fputs(", ", stderr); 2897 else 2898 putc('\n', stderr); 2899 (void)fprintf(stderr, "%u packet%s dropped by kernel", stats.ps_drop, 2900 PLURAL_SUFFIX(stats.ps_drop)); 2901 if (stats.ps_ifdrop != 0) { 2902 if (!verbose) 2903 fputs(", ", stderr); 2904 else 2905 putc('\n', stderr); 2906 (void)fprintf(stderr, "%u packet%s dropped by interface\n", 2907 stats.ps_ifdrop, PLURAL_SUFFIX(stats.ps_ifdrop)); 2908 } else 2909 putc('\n', stderr); 2910 infoprint = 0; 2911 } 2912 2913 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 2914 #ifdef HAVE_FORK 2915 #define fork_subprocess() fork() 2916 #else 2917 #define fork_subprocess() vfork() 2918 #endif 2919 static void 2920 compress_savefile(const char *filename) 2921 { 2922 pid_t child; 2923 2924 child = fork_subprocess(); 2925 if (child == -1) { 2926 fprintf(stderr, 2927 "compress_savefile: fork failed: %s\n", 2928 pcap_strerror(errno)); 2929 return; 2930 } 2931 if (child != 0) { 2932 /* Parent process. */ 2933 return; 2934 } 2935 2936 /* 2937 * Child process. 2938 * Set to lowest priority so that this doesn't disturb the capture. 2939 */ 2940 #ifdef NZERO 2941 setpriority(PRIO_PROCESS, 0, NZERO - 1); 2942 #else 2943 setpriority(PRIO_PROCESS, 0, 19); 2944 #endif 2945 if (execlp(zflag, zflag, filename, (char *)NULL) == -1) 2946 fprintf(stderr, 2947 "compress_savefile: execlp(%s, %s) failed: %s\n", 2948 zflag, 2949 filename, 2950 pcap_strerror(errno)); 2951 #ifdef HAVE_FORK 2952 exit(S_ERR_HOST_PROGRAM); 2953 #else 2954 _exit(S_ERR_HOST_PROGRAM); 2955 #endif 2956 } 2957 #else /* HAVE_FORK && HAVE_VFORK */ 2958 static void 2959 compress_savefile(const char *filename) 2960 { 2961 fprintf(stderr, 2962 "compress_savefile failed. Functionality not implemented under your system\n"); 2963 } 2964 #endif /* HAVE_FORK && HAVE_VFORK */ 2965 2966 static void 2967 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 2968 { 2969 struct dump_info *dump_info; 2970 2971 ++packets_captured; 2972 2973 ++infodelay; 2974 2975 dump_info = (struct dump_info *)user; 2976 2977 /* 2978 * XXX - this won't force the file to rotate on the specified time 2979 * boundary, but it will rotate on the first packet received after the 2980 * specified Gflag number of seconds. Note: if a Gflag time boundary 2981 * and a Cflag size boundary coincide, the time rotation will occur 2982 * first thereby cancelling the Cflag boundary (since the file should 2983 * be 0). 2984 */ 2985 if (Gflag != 0) { 2986 /* Check if it is time to rotate */ 2987 time_t t; 2988 2989 /* Get the current time */ 2990 if ((t = time(NULL)) == (time_t)-1) { 2991 error("%s: can't get current_time: %s", 2992 __func__, pcap_strerror(errno)); 2993 } 2994 2995 2996 /* If the time is greater than the specified window, rotate */ 2997 if (t - Gflag_time >= Gflag) { 2998 #ifdef HAVE_CAPSICUM 2999 FILE *fp; 3000 int fd; 3001 #endif 3002 3003 /* Update the Gflag_time */ 3004 Gflag_time = t; 3005 /* Update Gflag_count */ 3006 Gflag_count++; 3007 /* 3008 * Close the current file and open a new one. 3009 */ 3010 pcap_dump_close(dump_info->pdd); 3011 3012 /* 3013 * Compress the file we just closed, if the user asked for it 3014 */ 3015 if (zflag != NULL) 3016 compress_savefile(dump_info->CurrentFileName); 3017 3018 /* 3019 * Check to see if we've exceeded the Wflag (when 3020 * not using Cflag). 3021 */ 3022 if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) { 3023 (void)fprintf(stderr, "Maximum file limit reached: %d\n", 3024 Wflag); 3025 info(1); 3026 exit_tcpdump(S_SUCCESS); 3027 /* NOTREACHED */ 3028 } 3029 if (dump_info->CurrentFileName != NULL) 3030 free(dump_info->CurrentFileName); 3031 /* Allocate space for max filename + \0. */ 3032 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 3033 if (dump_info->CurrentFileName == NULL) 3034 error("dump_packet_and_trunc: malloc"); 3035 /* 3036 * Gflag was set otherwise we wouldn't be here. Reset the count 3037 * so multiple files would end with 1,2,3 in the filename. 3038 * The counting is handled with the -C flow after this. 3039 */ 3040 Cflag_count = 0; 3041 3042 /* 3043 * This is always the first file in the Cflag 3044 * rotation: e.g. 0 3045 * We also don't need numbering if Cflag is not set. 3046 */ 3047 if (Cflag != 0) 3048 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 3049 WflagChars); 3050 else 3051 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0); 3052 3053 #ifdef HAVE_LIBCAP_NG 3054 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3055 capng_apply(CAPNG_SELECT_BOTH); 3056 #endif /* HAVE_LIBCAP_NG */ 3057 #ifdef HAVE_CAPSICUM 3058 fd = openat(dump_info->dirfd, 3059 dump_info->CurrentFileName, 3060 O_CREAT | O_WRONLY | O_TRUNC, 0644); 3061 if (fd < 0) { 3062 error("unable to open file %s", 3063 dump_info->CurrentFileName); 3064 } 3065 fp = fdopen(fd, "w"); 3066 if (fp == NULL) { 3067 error("unable to fdopen file %s", 3068 dump_info->CurrentFileName); 3069 } 3070 dump_info->pdd = pcap_dump_fopen(dump_info->pd, fp); 3071 #else /* !HAVE_CAPSICUM */ 3072 dump_info->pdd = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 3073 #endif 3074 #ifdef HAVE_LIBCAP_NG 3075 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3076 capng_apply(CAPNG_SELECT_BOTH); 3077 #endif /* HAVE_LIBCAP_NG */ 3078 if (dump_info->pdd == NULL) 3079 error("%s", pcap_geterr(pd)); 3080 #ifdef HAVE_CAPSICUM 3081 set_dumper_capsicum_rights(dump_info->pdd); 3082 #endif 3083 } 3084 } 3085 3086 /* 3087 * XXX - this won't prevent capture files from getting 3088 * larger than Cflag - the last packet written to the 3089 * file could put it over Cflag. 3090 */ 3091 if (Cflag != 0) { 3092 #ifdef HAVE_PCAP_DUMP_FTELL64 3093 int64_t size = pcap_dump_ftell64(dump_info->pdd); 3094 #else 3095 /* 3096 * XXX - this only handles a Cflag value > 2^31-1 on 3097 * LP64 platforms; to handle ILP32 (32-bit UN*X and 3098 * Windows) or LLP64 (64-bit Windows) would require 3099 * a version of libpcap with pcap_dump_ftell64(). 3100 */ 3101 long size = pcap_dump_ftell(dump_info->pdd); 3102 #endif 3103 3104 if (size == -1) 3105 error("ftell fails on output file"); 3106 if (size > Cflag) { 3107 #ifdef HAVE_CAPSICUM 3108 FILE *fp; 3109 int fd; 3110 #endif 3111 3112 /* 3113 * Close the current file and open a new one. 3114 */ 3115 pcap_dump_close(dump_info->pdd); 3116 3117 /* 3118 * Compress the file we just closed, if the user 3119 * asked for it. 3120 */ 3121 if (zflag != NULL) 3122 compress_savefile(dump_info->CurrentFileName); 3123 3124 Cflag_count++; 3125 if (Wflag > 0) { 3126 if (Cflag_count >= Wflag) 3127 Cflag_count = 0; 3128 } 3129 if (dump_info->CurrentFileName != NULL) 3130 free(dump_info->CurrentFileName); 3131 dump_info->CurrentFileName = (char *)malloc(PATH_MAX + 1); 3132 if (dump_info->CurrentFileName == NULL) 3133 error("%s: malloc", __func__); 3134 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars); 3135 #ifdef HAVE_LIBCAP_NG 3136 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3137 capng_apply(CAPNG_SELECT_BOTH); 3138 #endif /* HAVE_LIBCAP_NG */ 3139 #ifdef HAVE_CAPSICUM 3140 fd = openat(dump_info->dirfd, dump_info->CurrentFileName, 3141 O_CREAT | O_WRONLY | O_TRUNC, 0644); 3142 if (fd < 0) { 3143 error("unable to open file %s", 3144 dump_info->CurrentFileName); 3145 } 3146 fp = fdopen(fd, "w"); 3147 if (fp == NULL) { 3148 error("unable to fdopen file %s", 3149 dump_info->CurrentFileName); 3150 } 3151 dump_info->pdd = pcap_dump_fopen(dump_info->pd, fp); 3152 #else /* !HAVE_CAPSICUM */ 3153 dump_info->pdd = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 3154 #endif 3155 #ifdef HAVE_LIBCAP_NG 3156 capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE); 3157 capng_apply(CAPNG_SELECT_BOTH); 3158 #endif /* HAVE_LIBCAP_NG */ 3159 if (dump_info->pdd == NULL) 3160 error("%s", pcap_geterr(pd)); 3161 #ifdef HAVE_CAPSICUM 3162 set_dumper_capsicum_rights(dump_info->pdd); 3163 #endif 3164 } 3165 } 3166 3167 pcap_dump((u_char *)dump_info->pdd, h, sp); 3168 #ifdef HAVE_PCAP_DUMP_FLUSH 3169 if (Uflag) 3170 pcap_dump_flush(dump_info->pdd); 3171 #endif 3172 3173 if (dump_info->ndo != NULL) 3174 pretty_print_packet(dump_info->ndo, h, sp, packets_captured); 3175 3176 --infodelay; 3177 if (infoprint) 3178 info(0); 3179 } 3180 3181 static void 3182 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 3183 { 3184 struct dump_info *dump_info; 3185 3186 ++packets_captured; 3187 3188 ++infodelay; 3189 3190 dump_info = (struct dump_info *)user; 3191 3192 pcap_dump((u_char *)dump_info->pdd, h, sp); 3193 #ifdef HAVE_PCAP_DUMP_FLUSH 3194 if (Uflag) 3195 pcap_dump_flush(dump_info->pdd); 3196 #endif 3197 3198 if (dump_info->ndo != NULL) 3199 pretty_print_packet(dump_info->ndo, h, sp, packets_captured); 3200 3201 --infodelay; 3202 if (infoprint) 3203 info(0); 3204 } 3205 3206 static void 3207 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 3208 { 3209 ++packets_captured; 3210 3211 ++infodelay; 3212 3213 if (!count_mode) 3214 pretty_print_packet((netdissect_options *)user, h, sp, packets_captured); 3215 3216 --infodelay; 3217 if (infoprint) 3218 info(0); 3219 } 3220 3221 #ifdef SIGNAL_REQ_INFO 3222 static void 3223 requestinfo(int signo _U_) 3224 { 3225 if (infodelay) 3226 ++infoprint; 3227 else 3228 info(0); 3229 } 3230 #endif 3231 3232 #ifdef SIGNAL_FLUSH_PCAP 3233 static void 3234 flushpcap(int signo _U_) 3235 { 3236 if (pdd != NULL) 3237 pcap_dump_flush(pdd); 3238 } 3239 #endif 3240 3241 static void 3242 print_packets_captured (void) 3243 { 3244 static u_int prev_packets_captured, first = 1; 3245 3246 if (infodelay == 0 && (first || packets_captured != prev_packets_captured)) { 3247 fprintf(stderr, "Got %u\r", packets_captured); 3248 first = 0; 3249 prev_packets_captured = packets_captured; 3250 } 3251 } 3252 3253 /* 3254 * Called once each second in verbose mode while dumping to file 3255 */ 3256 #ifdef _WIN32 3257 static void CALLBACK verbose_stats_dump(PVOID param _U_, 3258 BOOLEAN timer_fired _U_) 3259 { 3260 print_packets_captured(); 3261 } 3262 #else /* _WIN32 */ 3263 static void verbose_stats_dump(int sig _U_) 3264 { 3265 print_packets_captured(); 3266 } 3267 #endif /* _WIN32 */ 3268 3269 DIAG_OFF_DEPRECATION 3270 static void 3271 print_version(FILE *f) 3272 { 3273 #ifndef HAVE_PCAP_LIB_VERSION 3274 #ifdef HAVE_PCAP_VERSION 3275 extern char pcap_version[]; 3276 #else /* HAVE_PCAP_VERSION */ 3277 static char pcap_version[] = "unknown"; 3278 #endif /* HAVE_PCAP_VERSION */ 3279 #endif /* HAVE_PCAP_LIB_VERSION */ 3280 const char *smi_version_string; 3281 3282 (void)fprintf(f, "%s version " PACKAGE_VERSION "\n", program_name); 3283 #ifdef HAVE_PCAP_LIB_VERSION 3284 (void)fprintf(f, "%s\n", pcap_lib_version()); 3285 #else /* HAVE_PCAP_LIB_VERSION */ 3286 (void)fprintf(f, "libpcap version %s\n", pcap_version); 3287 #endif /* HAVE_PCAP_LIB_VERSION */ 3288 3289 #if defined(HAVE_LIBCRYPTO) && defined(SSLEAY_VERSION) 3290 (void)fprintf (f, "%s\n", SSLeay_version(SSLEAY_VERSION)); 3291 #endif 3292 3293 smi_version_string = nd_smi_version_string(); 3294 if (smi_version_string != NULL) 3295 (void)fprintf (f, "SMI-library: %s\n", smi_version_string); 3296 3297 #if defined(__SANITIZE_ADDRESS__) 3298 (void)fprintf (f, "Compiled with AddressSanitizer/GCC.\n"); 3299 #elif defined(__has_feature) 3300 # if __has_feature(address_sanitizer) 3301 (void)fprintf (f, "Compiled with AddressSanitizer/Clang.\n"); 3302 # elif __has_feature(memory_sanitizer) 3303 (void)fprintf (f, "Compiled with MemorySanitizer/Clang.\n"); 3304 # endif 3305 #endif /* __SANITIZE_ADDRESS__ or __has_feature */ 3306 (void)fprintf (f, "%zu-bit build, %zu-bit time_t\n", 3307 sizeof(void *) * 8, sizeof(time_t) * 8); 3308 } 3309 DIAG_ON_DEPRECATION 3310 3311 static void 3312 print_usage(FILE *f) 3313 { 3314 print_version(f); 3315 (void)fprintf(f, 3316 "Usage: %s [-Abd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqStu" U_FLAG "vxX#]" B_FLAG_USAGE " [ -c count ] [--count]\n", program_name); 3317 (void)fprintf(f, 3318 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n"); 3319 (void)fprintf(f, 3320 "\t\t[ -i interface ]" IMMEDIATE_MODE_USAGE j_FLAG_USAGE "\n"); 3321 #ifdef HAVE_PCAP_FINDALLDEVS_EX 3322 (void)fprintf(f, 3323 "\t\t" LIST_REMOTE_INTERFACES_USAGE "\n"); 3324 #endif 3325 #ifdef USE_LIBSMI 3326 (void)fprintf(f, 3327 "\t\t" m_FLAG_USAGE "\n"); 3328 #endif 3329 (void)fprintf(f, 3330 "\t\t[ -M secret ] [ --number ] [ --print ]" Q_FLAG_USAGE "\n"); 3331 (void)fprintf(f, 3332 "\t\t[ -r file ] [ -s snaplen ] [ -T type ] [ --version ]\n"); 3333 (void)fprintf(f, 3334 "\t\t[ -V file ] [ -w file ] [ -W filecount ] [ -y datalinktype ]\n"); 3335 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION 3336 (void)fprintf(f, 3337 "\t\t[ --time-stamp-precision precision ] [ --micro ] [ --nano ]\n"); 3338 #endif 3339 (void)fprintf(f, 3340 "\t\t[ -z postrotate-command ] [ -Z user ] [ expression ]\n"); 3341 } 3342