1 /* 2 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Support for splitting captures into multiple files with a maximum 22 * file size: 23 * 24 * Copyright (c) 2001 25 * Seth Webster <swebster@sst.ll.mit.edu> 26 */ 27 28 #include <sys/cdefs.h> 29 #ifndef lint 30 #if 0 31 static const char copyright[] _U_ = 32 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\ 33 The Regents of the University of California. All rights reserved.\n"; 34 static const char rcsid[] _U_ = 35 "@(#) Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.283 2008-09-25 21:45:50 guy Exp (LBL)"; 36 #else 37 __RCSID("$NetBSD: tcpdump.c,v 1.6 2013/04/12 23:51:50 christos Exp $"); 38 #endif 39 #endif 40 41 /* 42 * tcpdump - monitor tcp/ip traffic on an ethernet. 43 * 44 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory. 45 * Mercilessly hacked and occasionally improved since then via the 46 * combined efforts of Van, Steve McCanne and Craig Leres of LBL. 47 */ 48 49 #ifdef HAVE_CONFIG_H 50 #include "config.h" 51 #endif 52 53 #include <tcpdump-stdinc.h> 54 55 #ifdef WIN32 56 #include "getopt.h" 57 #include "w32_fzs.h" 58 extern int strcasecmp (const char *__s1, const char *__s2); 59 extern int SIZE_BUF; 60 #define off_t long 61 #define uint UINT 62 #endif /* WIN32 */ 63 64 #ifdef HAVE_SMI_H 65 #include <smi.h> 66 #endif 67 68 #include <pcap.h> 69 #include <signal.h> 70 #include <stdio.h> 71 #include <stdlib.h> 72 #include <string.h> 73 #include <limits.h> 74 #include <resolv.h> 75 #ifndef WIN32 76 #include <sys/wait.h> 77 #include <sys/resource.h> 78 #include <pwd.h> 79 #include <grp.h> 80 #include <errno.h> 81 #endif /* WIN32 */ 82 83 84 #include "netdissect.h" 85 #include "interface.h" 86 #include "addrtoname.h" 87 #include "machdep.h" 88 #include "setsignal.h" 89 #include "gmt2local.h" 90 #include "pcap-missing.h" 91 92 #ifndef NAME_MAX 93 #define NAME_MAX 255 94 #endif 95 96 #ifdef SIGINFO 97 #define SIGNAL_REQ_INFO SIGINFO 98 #elif SIGUSR1 99 #define SIGNAL_REQ_INFO SIGUSR1 100 #endif 101 102 netdissect_options Gndo; 103 netdissect_options *gndo = &Gndo; 104 105 static int dflag; /* print filter code */ 106 static int Lflag; /* list available data link types and exit */ 107 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 108 static int Jflag; /* list available time stamp types */ 109 #endif 110 static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */ 111 112 static int infodelay; 113 static int infoprint; 114 115 char *program_name; 116 117 int32_t thiszone; /* seconds offset from gmt to local time */ 118 119 /* Forwards */ 120 static RETSIGTYPE cleanup(int); 121 static RETSIGTYPE child_cleanup(int); 122 static void usage(void) __attribute__((noreturn)); 123 static void show_dlts_and_exit(const char *device, pcap_t *pd) __attribute__((noreturn)); 124 125 static void print_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 126 static void ndo_default_print(netdissect_options *, const u_char *, u_int); 127 static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *); 128 static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 129 static void droproot(const char *, const char *); 130 static void ndo_error(netdissect_options *ndo, const char *fmt, ...) 131 __attribute__ ((noreturn, format (printf, 2, 3))); 132 static void ndo_warning(netdissect_options *ndo, const char *fmt, ...); 133 134 #ifdef SIGNAL_REQ_INFO 135 RETSIGTYPE requestinfo(int); 136 #endif 137 138 #if defined(USE_WIN32_MM_TIMER) 139 #include <MMsystem.h> 140 static UINT timer_id; 141 static void CALLBACK verbose_stats_dump(UINT, UINT, DWORD_PTR, DWORD_PTR, DWORD_PTR); 142 #elif defined(HAVE_ALARM) 143 static void verbose_stats_dump(int sig); 144 #endif 145 146 static void info(int); 147 static u_int packets_captured; 148 149 struct printer { 150 if_printer f; 151 int type; 152 }; 153 154 155 struct ndo_printer { 156 if_ndo_printer f; 157 int type; 158 }; 159 160 161 static struct printer printers[] = { 162 { arcnet_if_print, DLT_ARCNET }, 163 #ifdef DLT_ARCNET_LINUX 164 { arcnet_linux_if_print, DLT_ARCNET_LINUX }, 165 #endif 166 { token_if_print, DLT_IEEE802 }, 167 #ifdef DLT_LANE8023 168 { lane_if_print, DLT_LANE8023 }, 169 #endif 170 #ifdef DLT_CIP 171 { cip_if_print, DLT_CIP }, 172 #endif 173 #ifdef DLT_ATM_CLIP 174 { cip_if_print, DLT_ATM_CLIP }, 175 #endif 176 { sl_if_print, DLT_SLIP }, 177 #ifdef DLT_SLIP_BSDOS 178 { sl_bsdos_if_print, DLT_SLIP_BSDOS }, 179 #endif 180 { ppp_if_print, DLT_PPP }, 181 #ifdef DLT_PPP_WITHDIRECTION 182 { ppp_if_print, DLT_PPP_WITHDIRECTION }, 183 #endif 184 #ifdef DLT_PPP_BSDOS 185 { ppp_bsdos_if_print, DLT_PPP_BSDOS }, 186 #endif 187 { fddi_if_print, DLT_FDDI }, 188 { null_if_print, DLT_NULL }, 189 #ifdef DLT_LOOP 190 { null_if_print, DLT_LOOP }, 191 #endif 192 { raw_if_print, DLT_RAW }, 193 { atm_if_print, DLT_ATM_RFC1483 }, 194 #ifdef DLT_C_HDLC 195 { chdlc_if_print, DLT_C_HDLC }, 196 #endif 197 #ifdef DLT_HDLC 198 { chdlc_if_print, DLT_HDLC }, 199 #endif 200 #ifdef DLT_PPP_SERIAL 201 { ppp_hdlc_if_print, DLT_PPP_SERIAL }, 202 #endif 203 #ifdef DLT_PPP_ETHER 204 { pppoe_if_print, DLT_PPP_ETHER }, 205 #endif 206 #ifdef DLT_LINUX_SLL 207 { sll_if_print, DLT_LINUX_SLL }, 208 #endif 209 #ifdef DLT_IEEE802_11 210 { ieee802_11_if_print, DLT_IEEE802_11}, 211 #endif 212 #ifdef DLT_LTALK 213 { ltalk_if_print, DLT_LTALK }, 214 #endif 215 #if defined(DLT_PFLOG) && defined(HAVE_NET_PFVAR_H) 216 { pflog_if_print, DLT_PFLOG }, 217 #endif 218 #ifdef DLT_PFSYNC 219 { pfsync_if_print, DLT_PFSYNC }, 220 #endif 221 #ifdef DLT_FR 222 { fr_if_print, DLT_FR }, 223 #endif 224 #ifdef DLT_FRELAY 225 { fr_if_print, DLT_FRELAY }, 226 #endif 227 #ifdef DLT_SUNATM 228 { sunatm_if_print, DLT_SUNATM }, 229 #endif 230 #ifdef DLT_IP_OVER_FC 231 { ipfc_if_print, DLT_IP_OVER_FC }, 232 #endif 233 #ifdef DLT_PRISM_HEADER 234 { prism_if_print, DLT_PRISM_HEADER }, 235 #endif 236 #ifdef DLT_IEEE802_11_RADIO 237 { ieee802_11_radio_if_print, DLT_IEEE802_11_RADIO }, 238 #endif 239 #ifdef DLT_ENC 240 { enc_if_print, DLT_ENC }, 241 #endif 242 #ifdef DLT_SYMANTEC_FIREWALL 243 { symantec_if_print, DLT_SYMANTEC_FIREWALL }, 244 #endif 245 #ifdef DLT_APPLE_IP_OVER_IEEE1394 246 { ap1394_if_print, DLT_APPLE_IP_OVER_IEEE1394 }, 247 #endif 248 #ifdef DLT_IEEE802_11_RADIO_AVS 249 { ieee802_11_radio_avs_if_print, DLT_IEEE802_11_RADIO_AVS }, 250 #endif 251 #ifdef DLT_JUNIPER_ATM1 252 { juniper_atm1_print, DLT_JUNIPER_ATM1 }, 253 #endif 254 #ifdef DLT_JUNIPER_ATM2 255 { juniper_atm2_print, DLT_JUNIPER_ATM2 }, 256 #endif 257 #ifdef DLT_JUNIPER_MFR 258 { juniper_mfr_print, DLT_JUNIPER_MFR }, 259 #endif 260 #ifdef DLT_JUNIPER_MLFR 261 { juniper_mlfr_print, DLT_JUNIPER_MLFR }, 262 #endif 263 #ifdef DLT_JUNIPER_MLPPP 264 { juniper_mlppp_print, DLT_JUNIPER_MLPPP }, 265 #endif 266 #ifdef DLT_JUNIPER_PPPOE 267 { juniper_pppoe_print, DLT_JUNIPER_PPPOE }, 268 #endif 269 #ifdef DLT_JUNIPER_PPPOE_ATM 270 { juniper_pppoe_atm_print, DLT_JUNIPER_PPPOE_ATM }, 271 #endif 272 #ifdef DLT_JUNIPER_GGSN 273 { juniper_ggsn_print, DLT_JUNIPER_GGSN }, 274 #endif 275 #ifdef DLT_JUNIPER_ES 276 { juniper_es_print, DLT_JUNIPER_ES }, 277 #endif 278 #ifdef DLT_JUNIPER_MONITOR 279 { juniper_monitor_print, DLT_JUNIPER_MONITOR }, 280 #endif 281 #ifdef DLT_JUNIPER_SERVICES 282 { juniper_services_print, DLT_JUNIPER_SERVICES }, 283 #endif 284 #ifdef DLT_JUNIPER_ETHER 285 { juniper_ether_print, DLT_JUNIPER_ETHER }, 286 #endif 287 #ifdef DLT_JUNIPER_PPP 288 { juniper_ppp_print, DLT_JUNIPER_PPP }, 289 #endif 290 #ifdef DLT_JUNIPER_FRELAY 291 { juniper_frelay_print, DLT_JUNIPER_FRELAY }, 292 #endif 293 #ifdef DLT_JUNIPER_CHDLC 294 { juniper_chdlc_print, DLT_JUNIPER_CHDLC }, 295 #endif 296 #ifdef DLT_MFR 297 { mfr_if_print, DLT_MFR }, 298 #endif 299 #if defined(DLT_BLUETOOTH_HCI_H4_WITH_PHDR) && defined(HAVE_PCAP_BLUETOOTH_H) 300 { bt_if_print, DLT_BLUETOOTH_HCI_H4_WITH_PHDR}, 301 #endif 302 #ifdef HAVE_PCAP_USB_H 303 #ifdef DLT_USB_LINUX 304 { usb_linux_48_byte_print, DLT_USB_LINUX}, 305 #endif /* DLT_USB_LINUX */ 306 #ifdef DLT_USB_LINUX_MMAPPED 307 { usb_linux_64_byte_print, DLT_USB_LINUX_MMAPPED}, 308 #endif /* DLT_USB_LINUX_MMAPPED */ 309 #endif /* HAVE_PCAP_USB_H */ 310 #ifdef DLT_IPV4 311 { raw_if_print, DLT_IPV4 }, 312 #endif 313 #ifdef DLT_IPV6 314 { raw_if_print, DLT_IPV6 }, 315 #endif 316 { NULL, 0 }, 317 }; 318 319 static struct ndo_printer ndo_printers[] = { 320 { ether_if_print, DLT_EN10MB }, 321 #ifdef DLT_IPNET 322 { ipnet_if_print, DLT_IPNET }, 323 #endif 324 #ifdef DLT_IEEE802_15_4 325 { ieee802_15_4_if_print, DLT_IEEE802_15_4 }, 326 #endif 327 #ifdef DLT_IEEE802_15_4_NOFCS 328 { ieee802_15_4_if_print, DLT_IEEE802_15_4_NOFCS }, 329 #endif 330 #ifdef DLT_PPI 331 { ppi_if_print, DLT_PPI }, 332 #endif 333 #ifdef DLT_NETANALYZER 334 { netanalyzer_if_print, DLT_NETANALYZER }, 335 #endif 336 #ifdef DLT_NETANALYZER_TRANSPARENT 337 { netanalyzer_transparent_if_print, DLT_NETANALYZER_TRANSPARENT }, 338 #endif 339 { NULL, 0 }, 340 }; 341 342 if_printer 343 lookup_printer(int type) 344 { 345 struct printer *p; 346 347 for (p = printers; p->f; ++p) 348 if (type == p->type) 349 return p->f; 350 351 return NULL; 352 /* NOTREACHED */ 353 } 354 355 if_ndo_printer 356 lookup_ndo_printer(int type) 357 { 358 struct ndo_printer *p; 359 360 for (p = ndo_printers; p->f; ++p) 361 if (type == p->type) 362 return p->f; 363 364 return NULL; 365 /* NOTREACHED */ 366 } 367 368 static pcap_t *pd; 369 370 static int supports_monitor_mode; 371 372 extern int optind; 373 extern int opterr; 374 extern char *optarg; 375 376 struct print_info { 377 netdissect_options *ndo; 378 union { 379 if_printer printer; 380 if_ndo_printer ndo_printer; 381 } p; 382 int ndo_type; 383 }; 384 385 struct dump_info { 386 char *WFileName; 387 char *CurrentFileName; 388 pcap_t *pd; 389 pcap_dumper_t *p; 390 }; 391 392 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 393 static void 394 show_tstamp_types_and_exit(const char *device, pcap_t *pd) 395 { 396 int n_tstamp_types; 397 int *tstamp_types = 0; 398 const char *tstamp_type_name; 399 int i; 400 401 n_tstamp_types = pcap_list_tstamp_types(pd, &tstamp_types); 402 if (n_tstamp_types < 0) 403 error("%s", pcap_geterr(pd)); 404 405 if (n_tstamp_types == 0) { 406 fprintf(stderr, "Time stamp type cannot be set for %s\n", 407 device); 408 exit(0); 409 } 410 fprintf(stderr, "Time stamp types for %s (use option -j to set):\n", 411 device); 412 for (i = 0; i < n_tstamp_types; i++) { 413 tstamp_type_name = pcap_tstamp_type_val_to_name(tstamp_types[i]); 414 if (tstamp_type_name != NULL) { 415 (void) fprintf(stderr, " %s (%s)\n", tstamp_type_name, 416 pcap_tstamp_type_val_to_description(tstamp_types[i])); 417 } else { 418 (void) fprintf(stderr, " %d\n", tstamp_types[i]); 419 } 420 } 421 pcap_free_tstamp_types(tstamp_types); 422 exit(0); 423 } 424 #endif 425 426 static void 427 show_dlts_and_exit(const char *device, pcap_t *pd) 428 { 429 int n_dlts; 430 int *dlts = 0; 431 const char *dlt_name; 432 433 n_dlts = pcap_list_datalinks(pd, &dlts); 434 if (n_dlts < 0) 435 error("%s", pcap_geterr(pd)); 436 else if (n_dlts == 0 || !dlts) 437 error("No data link types."); 438 439 /* 440 * If the interface is known to support monitor mode, indicate 441 * whether these are the data link types available when not in 442 * monitor mode, if -I wasn't specified, or when in monitor mode, 443 * when -I was specified (the link-layer types available in 444 * monitor mode might be different from the ones available when 445 * not in monitor mode). 446 */ 447 if (supports_monitor_mode) 448 (void) fprintf(stderr, "Data link types for %s %s (use option -y to set):\n", 449 device, 450 Iflag ? "when in monitor mode" : "when not in monitor mode"); 451 else 452 (void) fprintf(stderr, "Data link types for %s (use option -y to set):\n", 453 device); 454 455 while (--n_dlts >= 0) { 456 dlt_name = pcap_datalink_val_to_name(dlts[n_dlts]); 457 if (dlt_name != NULL) { 458 (void) fprintf(stderr, " %s (%s)", dlt_name, 459 pcap_datalink_val_to_description(dlts[n_dlts])); 460 461 /* 462 * OK, does tcpdump handle that type? 463 */ 464 if (lookup_printer(dlts[n_dlts]) == NULL 465 && lookup_ndo_printer(dlts[n_dlts]) == NULL) 466 (void) fprintf(stderr, " (printing not supported)"); 467 fprintf(stderr, "\n"); 468 } else { 469 (void) fprintf(stderr, " DLT %d (printing not supported)\n", 470 dlts[n_dlts]); 471 } 472 } 473 pcap_free_datalinks(dlts); 474 exit(0); 475 } 476 477 /* 478 * Set up flags that might or might not be supported depending on the 479 * version of libpcap we're using. 480 */ 481 #if defined(HAVE_PCAP_CREATE) || defined(WIN32) 482 #define B_FLAG "B:" 483 #define B_FLAG_USAGE " [ -B size ]" 484 #else /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */ 485 #define B_FLAG 486 #define B_FLAG_USAGE 487 #endif /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */ 488 489 #ifdef HAVE_PCAP_CREATE 490 #define I_FLAG "I" 491 #else /* HAVE_PCAP_CREATE */ 492 #define I_FLAG 493 #endif /* HAVE_PCAP_CREATE */ 494 495 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 496 #define j_FLAG "j:" 497 #define j_FLAG_USAGE " [ -j tstamptype ]" 498 #define J_FLAG "J" 499 #else /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 500 #define j_FLAG 501 #define j_FLAG_USAGE 502 #define J_FLAG 503 #endif /* PCAP_ERROR_TSTAMP_TYPE_NOTSUP */ 504 505 #ifdef HAVE_PCAP_FINDALLDEVS 506 #ifndef HAVE_PCAP_IF_T 507 #undef HAVE_PCAP_FINDALLDEVS 508 #endif 509 #endif 510 511 #ifdef HAVE_PCAP_FINDALLDEVS 512 #define D_FLAG "D" 513 #else 514 #define D_FLAG 515 #endif 516 517 #ifdef HAVE_PCAP_DUMP_FLUSH 518 #define U_FLAG "U" 519 #else 520 #define U_FLAG 521 #endif 522 523 #ifndef WIN32 524 /* Drop root privileges and chroot if necessary */ 525 static void 526 droproot(const char *username, const char *chroot_dir) 527 { 528 struct passwd *pw = NULL; 529 530 if (chroot_dir && !username) { 531 fprintf(stderr, "tcpdump: Chroot without dropping root is insecure\n"); 532 exit(1); 533 } 534 535 pw = getpwnam(username); 536 if (pw) { 537 if (initgroups(pw->pw_name, pw->pw_gid) != 0) { 538 fprintf(stderr, "tcpdump: Couldn't initgroups to " 539 "'%.32s' gid=%lu: %s\n", pw->pw_name, 540 (unsigned long)pw->pw_gid, 541 pcap_strerror(errno)); 542 exit(1); 543 } 544 if (chroot_dir) { 545 setprotoent(1); 546 res_init(); 547 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) { 548 fprintf(stderr, "tcpdump: Couldn't chroot/chdir to '%.64s': %s\n", 549 chroot_dir, pcap_strerror(errno)); 550 exit(1); 551 } 552 } 553 if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) { 554 fprintf(stderr, "tcpdump: Couldn't change to " 555 "'%.32s' uid=%lu gid=%lu: %s\n", 556 username, 557 (unsigned long)pw->pw_uid, 558 (unsigned long)pw->pw_gid, 559 pcap_strerror(errno)); 560 exit(1); 561 } 562 } 563 else { 564 fprintf(stderr, "tcpdump: Couldn't find user '%.32s'\n", 565 username); 566 exit(1); 567 } 568 } 569 #endif /* WIN32 */ 570 571 static int 572 getWflagChars(int x) 573 { 574 int c = 0; 575 576 x -= 1; 577 while (x > 0) { 578 c += 1; 579 x /= 10; 580 } 581 582 return c; 583 } 584 585 586 static void 587 MakeFilename(char *buffer, char *orig_name, int cnt, int max_chars) 588 { 589 char *filename = malloc(NAME_MAX + 1); 590 591 /* Process with strftime if Gflag is set. */ 592 if (Gflag != 0) { 593 struct tm *local_tm; 594 595 /* Convert Gflag_time to a usable format */ 596 if ((local_tm = localtime(&Gflag_time)) == NULL) { 597 error("MakeTimedFilename: localtime"); 598 } 599 600 /* There's no good way to detect an error in strftime since a return 601 * value of 0 isn't necessarily failure. 602 */ 603 strftime(filename, NAME_MAX, orig_name, local_tm); 604 } else { 605 strncpy(filename, orig_name, NAME_MAX); 606 } 607 608 if (cnt == 0 && max_chars == 0) 609 strncpy(buffer, filename, NAME_MAX + 1); 610 else 611 if (snprintf(buffer, NAME_MAX + 1, "%s%0*d", filename, max_chars, cnt) > NAME_MAX) 612 /* Report an error if the filename is too large */ 613 error("too many output files or filename is too long (> %d)", NAME_MAX); 614 free(filename); 615 } 616 617 static int tcpdump_printf(netdissect_options *ndo _U_, 618 const char *fmt, ...) 619 { 620 621 va_list args; 622 int ret; 623 624 va_start(args, fmt); 625 ret=vfprintf(stdout, fmt, args); 626 va_end(args); 627 628 return ret; 629 } 630 631 int 632 main(int argc, char **argv) 633 { 634 register int cnt, op, i; 635 bpf_u_int32 localnet, netmask; 636 register char *cp, *infile, *cmdbuf, *device, *RFileName, *WFileName; 637 pcap_handler callback; 638 int type; 639 struct bpf_program fcode; 640 #ifndef WIN32 641 RETSIGTYPE (*oldhandler)(int); 642 #endif 643 struct print_info printinfo; 644 struct dump_info dumpinfo; 645 u_char *pcap_userdata; 646 char ebuf[PCAP_ERRBUF_SIZE]; 647 char *username = NULL; 648 char *chroot_dir = NULL; 649 #ifdef HAVE_PCAP_FINDALLDEVS 650 pcap_if_t *devpointer; 651 int devnum; 652 #endif 653 int status; 654 #ifdef WIN32 655 if(wsockinit() != 0) return 1; 656 #endif /* WIN32 */ 657 658 jflag=-1; /* not set */ 659 gndo->ndo_Oflag=1; 660 gndo->ndo_Rflag=1; 661 gndo->ndo_dlt=-1; 662 gndo->ndo_default_print=ndo_default_print; 663 gndo->ndo_printf=tcpdump_printf; 664 gndo->ndo_error=ndo_error; 665 gndo->ndo_warning=ndo_warning; 666 gndo->ndo_snaplen = DEFAULT_SNAPLEN; 667 668 cnt = -1; 669 device = NULL; 670 infile = NULL; 671 RFileName = NULL; 672 WFileName = NULL; 673 if ((cp = strrchr(argv[0], '/')) != NULL) 674 program_name = cp + 1; 675 else 676 program_name = argv[0]; 677 678 if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0) 679 error("%s", ebuf); 680 681 #ifdef LIBSMI 682 smiInit("tcpdump"); 683 #endif 684 685 while ( 686 (op = getopt(argc, argv, "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpqr:Rs:StT:u" U_FLAG "vw:W:xXy:Yz:Z:")) != -1) 687 switch (op) { 688 689 case 'a': 690 /* compatibility for old -a */ 691 break; 692 693 case 'A': 694 ++Aflag; 695 break; 696 697 case 'b': 698 ++bflag; 699 break; 700 701 #if defined(HAVE_PCAP_CREATE) || defined(WIN32) 702 case 'B': 703 Bflag = atoi(optarg)*1024; 704 if (Bflag <= 0) 705 error("invalid packet buffer size %s", optarg); 706 break; 707 #endif /* defined(HAVE_PCAP_CREATE) || defined(WIN32) */ 708 709 case 'c': 710 cnt = atoi(optarg); 711 if (cnt <= 0) 712 error("invalid packet count %s", optarg); 713 break; 714 715 case 'C': 716 Cflag = atoi(optarg) * 1000000; 717 if (Cflag < 0) 718 error("invalid file size %s", optarg); 719 break; 720 721 case 'd': 722 ++dflag; 723 break; 724 725 #ifdef HAVE_PCAP_FINDALLDEVS 726 case 'D': 727 if (pcap_findalldevs(&devpointer, ebuf) < 0) 728 error("%s", ebuf); 729 else { 730 for (i = 0; devpointer != 0; i++) { 731 printf("%d.%s", i+1, devpointer->name); 732 if (devpointer->description != NULL) 733 printf(" (%s)", devpointer->description); 734 printf("\n"); 735 devpointer = devpointer->next; 736 } 737 } 738 return 0; 739 #endif /* HAVE_PCAP_FINDALLDEVS */ 740 741 case 'L': 742 Lflag++; 743 break; 744 745 case 'e': 746 ++eflag; 747 break; 748 749 case 'E': 750 #ifndef HAVE_LIBCRYPTO 751 warning("crypto code not compiled in"); 752 #endif 753 gndo->ndo_espsecret = optarg; 754 break; 755 756 case 'f': 757 ++fflag; 758 break; 759 760 case 'F': 761 infile = optarg; 762 break; 763 764 case 'G': 765 Gflag = atoi(optarg); 766 if (Gflag < 0) 767 error("invalid number of seconds %s", optarg); 768 769 /* We will create one file initially. */ 770 Gflag_count = 0; 771 772 /* Grab the current time for rotation use. */ 773 if ((Gflag_time = time(NULL)) == (time_t)-1) { 774 error("main: can't get current time: %s", 775 pcap_strerror(errno)); 776 } 777 break; 778 779 case 'h': 780 usage(); 781 break; 782 783 case 'H': 784 ++Hflag; 785 break; 786 787 case 'i': 788 if (optarg[0] == '0' && optarg[1] == 0) 789 error("Invalid adapter index"); 790 791 #ifdef HAVE_PCAP_FINDALLDEVS 792 /* 793 * If the argument is a number, treat it as 794 * an index into the list of adapters, as 795 * printed by "tcpdump -D". 796 * 797 * This should be OK on UNIX systems, as interfaces 798 * shouldn't have names that begin with digits. 799 * It can be useful on Windows, where more than 800 * one interface can have the same name. 801 */ 802 if ((devnum = atoi(optarg)) != 0) { 803 if (devnum < 0) 804 error("Invalid adapter index"); 805 806 if (pcap_findalldevs(&devpointer, ebuf) < 0) 807 error("%s", ebuf); 808 else { 809 /* 810 * Look for the devnum-th entry 811 * in the list of devices 812 * (1-based). 813 */ 814 for (i = 0; 815 i < devnum-1 && devpointer != NULL; 816 i++, devpointer = devpointer->next) 817 ; 818 if (devpointer == NULL) 819 error("Invalid adapter index"); 820 } 821 device = devpointer->name; 822 break; 823 } 824 #endif /* HAVE_PCAP_FINDALLDEVS */ 825 device = optarg; 826 break; 827 828 #ifdef HAVE_PCAP_CREATE 829 case 'I': 830 ++Iflag; 831 break; 832 #endif /* HAVE_PCAP_CREATE */ 833 834 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 835 case 'j': 836 jflag = pcap_tstamp_type_name_to_val(optarg); 837 if (jflag < 0) 838 error("invalid time stamp type %s", optarg); 839 break; 840 841 case 'J': 842 Jflag++; 843 break; 844 #endif 845 846 case 'l': 847 #ifdef WIN32 848 /* 849 * _IOLBF is the same as _IOFBF in Microsoft's C 850 * libraries; the only alternative they offer 851 * is _IONBF. 852 * 853 * XXX - this should really be checking for MSVC++, 854 * not WIN32, if, for example, MinGW has its own 855 * C library that is more UNIX-compatible. 856 */ 857 setvbuf(stdout, NULL, _IONBF, 0); 858 #else /* WIN32 */ 859 #ifdef HAVE_SETLINEBUF 860 setlinebuf(stdout); 861 #else 862 setvbuf(stdout, NULL, _IOLBF, 0); 863 #endif 864 #endif /* WIN32 */ 865 break; 866 867 case 'K': 868 ++Kflag; 869 break; 870 871 case 'm': 872 #ifdef LIBSMI 873 if (smiLoadModule(optarg) == 0) { 874 error("could not load MIB module %s", optarg); 875 } 876 sflag = 1; 877 #else 878 (void)fprintf(stderr, "%s: ignoring option `-m %s' ", 879 program_name, optarg); 880 (void)fprintf(stderr, "(no libsmi support)\n"); 881 #endif 882 break; 883 884 case 'M': 885 /* TCP-MD5 shared secret */ 886 #ifndef HAVE_LIBCRYPTO 887 warning("crypto code not compiled in"); 888 #endif 889 sigsecret = optarg; 890 break; 891 892 case 'n': 893 ++nflag; 894 break; 895 896 case 'N': 897 ++Nflag; 898 break; 899 900 case 'O': 901 Oflag = 0; 902 break; 903 904 case 'p': 905 ++pflag; 906 break; 907 908 case 'q': 909 ++qflag; 910 ++suppress_default_print; 911 break; 912 913 case 'r': 914 RFileName = optarg; 915 break; 916 917 case 'R': 918 Rflag = 0; 919 break; 920 921 case 's': { 922 char *end; 923 924 snaplen = strtol(optarg, &end, 0); 925 if (optarg == end || *end != '\0' 926 || snaplen < 0 || snaplen > MAXIMUM_SNAPLEN) 927 error("invalid snaplen %s", optarg); 928 else if (snaplen == 0) 929 snaplen = MAXIMUM_SNAPLEN; 930 break; 931 } 932 933 case 'S': 934 ++Sflag; 935 break; 936 937 case 't': 938 ++tflag; 939 break; 940 941 case 'T': 942 if (strcasecmp(optarg, "vat") == 0) 943 packettype = PT_VAT; 944 else if (strcasecmp(optarg, "wb") == 0) 945 packettype = PT_WB; 946 else if (strcasecmp(optarg, "rpc") == 0) 947 packettype = PT_RPC; 948 else if (strcasecmp(optarg, "rtp") == 0) 949 packettype = PT_RTP; 950 else if (strcasecmp(optarg, "rtcp") == 0) 951 packettype = PT_RTCP; 952 else if (strcasecmp(optarg, "snmp") == 0) 953 packettype = PT_SNMP; 954 else if (strcasecmp(optarg, "cnfp") == 0) 955 packettype = PT_CNFP; 956 else if (strcasecmp(optarg, "tftp") == 0) 957 packettype = PT_TFTP; 958 else if (strcasecmp(optarg, "aodv") == 0) 959 packettype = PT_AODV; 960 else if (strcasecmp(optarg, "carp") == 0) 961 packettype = PT_CARP; 962 else 963 error("unknown packet type `%s'", optarg); 964 break; 965 966 case 'u': 967 ++uflag; 968 break; 969 970 #ifdef HAVE_PCAP_DUMP_FLUSH 971 case 'U': 972 ++Uflag; 973 break; 974 #endif 975 976 case 'v': 977 ++vflag; 978 break; 979 980 case 'w': 981 WFileName = optarg; 982 break; 983 984 case 'W': 985 Wflag = atoi(optarg); 986 if (Wflag < 0) 987 error("invalid number of output files %s", optarg); 988 WflagChars = getWflagChars(Wflag); 989 break; 990 991 case 'x': 992 ++xflag; 993 ++suppress_default_print; 994 break; 995 996 case 'X': 997 ++Xflag; 998 ++suppress_default_print; 999 break; 1000 1001 case 'y': 1002 gndo->ndo_dltname = optarg; 1003 gndo->ndo_dlt = 1004 pcap_datalink_name_to_val(gndo->ndo_dltname); 1005 if (gndo->ndo_dlt < 0) 1006 error("invalid data link type %s", gndo->ndo_dltname); 1007 break; 1008 1009 #if defined(HAVE_PCAP_DEBUG) || defined(HAVE_YYDEBUG) 1010 case 'Y': 1011 { 1012 /* Undocumented flag */ 1013 #ifdef HAVE_PCAP_DEBUG 1014 extern int pcap_debug; 1015 pcap_debug = 1; 1016 #else 1017 extern int yydebug; 1018 yydebug = 1; 1019 #endif 1020 } 1021 break; 1022 #endif 1023 case 'z': 1024 if (optarg) { 1025 zflag = strdup(optarg); 1026 } else { 1027 usage(); 1028 /* NOTREACHED */ 1029 } 1030 break; 1031 1032 case 'Z': 1033 if (optarg) { 1034 username = strdup(optarg); 1035 } 1036 else { 1037 usage(); 1038 /* NOTREACHED */ 1039 } 1040 break; 1041 1042 default: 1043 usage(); 1044 /* NOTREACHED */ 1045 } 1046 1047 switch (tflag) { 1048 1049 case 0: /* Default */ 1050 case 4: /* Default + Date*/ 1051 thiszone = gmt2local(0); 1052 break; 1053 1054 case 1: /* No time stamp */ 1055 case 2: /* Unix timeval style */ 1056 case 3: /* Microseconds since previous packet */ 1057 case 5: /* Microseconds since first packet */ 1058 break; 1059 1060 default: /* Not supported */ 1061 error("only -t, -tt, -ttt, -tttt and -ttttt are supported"); 1062 break; 1063 } 1064 1065 #ifdef WITH_CHROOT 1066 /* if run as root, prepare for chrooting */ 1067 if (getuid() == 0 || geteuid() == 0) { 1068 /* future extensibility for cmd-line arguments */ 1069 if (!chroot_dir) 1070 chroot_dir = WITH_CHROOT; 1071 } 1072 #endif 1073 1074 #ifdef WITH_USER 1075 /* if run as root, prepare for dropping root privileges */ 1076 if (getuid() == 0 || geteuid() == 0) { 1077 /* Run with '-Z root' to restore old behaviour */ 1078 if (!username) 1079 username = WITH_USER; 1080 } 1081 #endif 1082 1083 if (RFileName != NULL) { 1084 int dlt; 1085 const char *dlt_name; 1086 1087 #ifndef WIN32 1088 /* 1089 * We don't need network access, so relinquish any set-UID 1090 * or set-GID privileges we have (if any). 1091 * 1092 * We do *not* want set-UID privileges when opening a 1093 * trace file, as that might let the user read other 1094 * people's trace files (especially if we're set-UID 1095 * root). 1096 */ 1097 if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ) 1098 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 1099 #endif /* WIN32 */ 1100 pd = pcap_open_offline(RFileName, ebuf); 1101 if (pd == NULL) 1102 error("%s", ebuf); 1103 dlt = pcap_datalink(pd); 1104 dlt_name = pcap_datalink_val_to_name(dlt); 1105 if (dlt_name == NULL) { 1106 fprintf(stderr, "reading from file %s, link-type %u\n", 1107 RFileName, dlt); 1108 } else { 1109 fprintf(stderr, 1110 "reading from file %s, link-type %s (%s)\n", 1111 RFileName, dlt_name, 1112 pcap_datalink_val_to_description(dlt)); 1113 } 1114 localnet = 0; 1115 netmask = 0; 1116 if (fflag != 0) 1117 error("-f and -r options are incompatible"); 1118 } else { 1119 if (device == NULL) { 1120 device = pcap_lookupdev(ebuf); 1121 if (device == NULL) 1122 error("%s", ebuf); 1123 } 1124 #ifdef WIN32 1125 if(strlen(device) == 1) //we assume that an ASCII string is always longer than 1 char 1126 { //a Unicode string has a \0 as second byte (so strlen() is 1) 1127 fprintf(stderr, "%s: listening on %ws\n", program_name, device); 1128 } 1129 else 1130 { 1131 fprintf(stderr, "%s: listening on %s\n", program_name, device); 1132 } 1133 1134 fflush(stderr); 1135 #endif /* WIN32 */ 1136 #ifdef HAVE_PCAP_CREATE 1137 pd = pcap_create(device, ebuf); 1138 if (pd == NULL) 1139 error("%s", ebuf); 1140 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1141 if (Jflag) 1142 show_tstamp_types_and_exit(device, pd); 1143 #endif 1144 /* 1145 * Is this an interface that supports monitor mode? 1146 */ 1147 if (pcap_can_set_rfmon(pd) == 1) 1148 supports_monitor_mode = 1; 1149 else 1150 supports_monitor_mode = 0; 1151 status = pcap_set_snaplen(pd, snaplen); 1152 if (status != 0) 1153 error("%s: Can't set snapshot length: %s", 1154 device, pcap_statustostr(status)); 1155 status = pcap_set_promisc(pd, !pflag); 1156 if (status != 0) 1157 error("%s: Can't set promiscuous mode: %s", 1158 device, pcap_statustostr(status)); 1159 if (Iflag) { 1160 status = pcap_set_rfmon(pd, 1); 1161 if (status != 0) 1162 error("%s: Can't set monitor mode: %s", 1163 device, pcap_statustostr(status)); 1164 } 1165 status = pcap_set_timeout(pd, 1000); 1166 if (status != 0) 1167 error("%s: pcap_set_timeout failed: %s", 1168 device, pcap_statustostr(status)); 1169 if (Bflag != 0) { 1170 status = pcap_set_buffer_size(pd, Bflag); 1171 if (status != 0) 1172 error("%s: Can't set buffer size: %s", 1173 device, pcap_statustostr(status)); 1174 } 1175 #ifdef HAVE_PCAP_SET_TSTAMP_TYPE 1176 if (jflag != -1) { 1177 status = pcap_set_tstamp_type(pd, jflag); 1178 if (status < 0) 1179 error("%s: Can't set time stamp type: %s", 1180 device, pcap_statustostr(status)); 1181 } 1182 #endif 1183 status = pcap_activate(pd); 1184 if (status < 0) { 1185 /* 1186 * pcap_activate() failed. 1187 */ 1188 cp = pcap_geterr(pd); 1189 if (status == PCAP_ERROR) 1190 error("%s", cp); 1191 else if ((status == PCAP_ERROR_NO_SUCH_DEVICE || 1192 status == PCAP_ERROR_PERM_DENIED) && 1193 *cp != '\0') 1194 error("%s: %s\n(%s)", device, 1195 pcap_statustostr(status), cp); 1196 else 1197 error("%s: %s", device, 1198 pcap_statustostr(status)); 1199 } else if (status > 0) { 1200 /* 1201 * pcap_activate() succeeded, but it's warning us 1202 * of a problem it had. 1203 */ 1204 cp = pcap_geterr(pd); 1205 if (status == PCAP_WARNING) 1206 warning("%s", cp); 1207 else if (status == PCAP_WARNING_PROMISC_NOTSUP && 1208 *cp != '\0') 1209 warning("%s: %s\n(%s)", device, 1210 pcap_statustostr(status), cp); 1211 else 1212 warning("%s: %s", device, 1213 pcap_statustostr(status)); 1214 } 1215 #else 1216 *ebuf = '\0'; 1217 pd = pcap_open_live(device, snaplen, !pflag, 1000, ebuf); 1218 if (pd == NULL) 1219 error("%s", ebuf); 1220 else if (*ebuf) 1221 warning("%s", ebuf); 1222 #endif /* HAVE_PCAP_CREATE */ 1223 /* 1224 * Let user own process after socket has been opened. 1225 */ 1226 #ifndef WIN32 1227 if (setgid(getgid()) != 0 || setuid(getuid()) != 0) 1228 fprintf(stderr, "Warning: setgid/setuid failed !\n"); 1229 #endif /* WIN32 */ 1230 #if !defined(HAVE_PCAP_CREATE) && defined(WIN32) 1231 if(Bflag != 0) 1232 if(pcap_setbuff(pd, Bflag)==-1){ 1233 error("%s", pcap_geterr(pd)); 1234 } 1235 #endif /* !defined(HAVE_PCAP_CREATE) && defined(WIN32) */ 1236 if (Lflag) 1237 show_dlts_and_exit(device, pd); 1238 if (gndo->ndo_dlt >= 0) { 1239 #ifdef HAVE_PCAP_SET_DATALINK 1240 if (pcap_set_datalink(pd, gndo->ndo_dlt) < 0) 1241 error("%s", pcap_geterr(pd)); 1242 #else 1243 /* 1244 * We don't actually support changing the 1245 * data link type, so we only let them 1246 * set it to what it already is. 1247 */ 1248 if (gndo->ndo_dlt != pcap_datalink(pd)) { 1249 error("%s is not one of the DLTs supported by this device\n", 1250 gndo->ndo_dltname); 1251 } 1252 #endif 1253 (void)fprintf(stderr, "%s: data link type %s\n", 1254 program_name, gndo->ndo_dltname); 1255 (void)fflush(stderr); 1256 } 1257 i = pcap_snapshot(pd); 1258 if (snaplen < i) { 1259 warning("snaplen raised from %d to %d", snaplen, i); 1260 snaplen = i; 1261 } 1262 if (pcap_lookupnet(device, &localnet, &netmask, ebuf) < 0) { 1263 localnet = 0; 1264 netmask = 0; 1265 warning("%s", ebuf); 1266 } 1267 } 1268 if (infile) 1269 cmdbuf = read_infile(infile); 1270 else 1271 cmdbuf = copy_argv(&argv[optind]); 1272 1273 if (pcap_compile(pd, &fcode, cmdbuf, Oflag, netmask) < 0) 1274 error("%s", pcap_geterr(pd)); 1275 free(cmdbuf); 1276 if (dflag) { 1277 bpf_dump(&fcode, dflag); 1278 pcap_close(pd); 1279 exit(0); 1280 } 1281 init_addrtoname(localnet, netmask); 1282 init_checksum(); 1283 1284 #ifndef WIN32 1285 (void)setsignal(SIGPIPE, cleanup); 1286 (void)setsignal(SIGTERM, cleanup); 1287 (void)setsignal(SIGINT, cleanup); 1288 #endif /* WIN32 */ 1289 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 1290 (void)setsignal(SIGCHLD, child_cleanup); 1291 #endif 1292 /* Cooperate with nohup(1) */ 1293 #ifndef WIN32 1294 if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL) 1295 (void)setsignal(SIGHUP, oldhandler); 1296 #endif /* WIN32 */ 1297 1298 1299 if (pcap_setfilter(pd, &fcode) < 0) 1300 error("%s", pcap_geterr(pd)); 1301 if (WFileName) { 1302 pcap_dumper_t *p; 1303 /* Do not exceed the default NAME_MAX for files. */ 1304 dumpinfo.CurrentFileName = (char *)malloc(NAME_MAX + 1); 1305 1306 if (dumpinfo.CurrentFileName == NULL) 1307 error("malloc of dumpinfo.CurrentFileName"); 1308 1309 /* We do not need numbering for dumpfiles if Cflag isn't set. */ 1310 if (Cflag != 0) 1311 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, WflagChars); 1312 else 1313 MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0); 1314 1315 p = pcap_dump_open(pd, dumpinfo.CurrentFileName); 1316 if (p == NULL) 1317 error("%s", pcap_geterr(pd)); 1318 if (Cflag != 0 || Gflag != 0) { 1319 callback = dump_packet_and_trunc; 1320 dumpinfo.WFileName = WFileName; 1321 dumpinfo.pd = pd; 1322 dumpinfo.p = p; 1323 pcap_userdata = (u_char *)&dumpinfo; 1324 } else { 1325 callback = dump_packet; 1326 pcap_userdata = (u_char *)p; 1327 } 1328 #ifdef HAVE_PCAP_DUMP_FLUSH 1329 if (Uflag) 1330 pcap_dump_flush(p); 1331 #endif 1332 } else { 1333 type = pcap_datalink(pd); 1334 printinfo.ndo_type = 1; 1335 printinfo.ndo = gndo; 1336 printinfo.p.ndo_printer = lookup_ndo_printer(type); 1337 if (printinfo.p.ndo_printer == NULL) { 1338 printinfo.p.printer = lookup_printer(type); 1339 printinfo.ndo_type = 0; 1340 if (printinfo.p.printer == NULL) { 1341 gndo->ndo_dltname = pcap_datalink_val_to_name(type); 1342 if (gndo->ndo_dltname != NULL) 1343 error("packet printing is not supported for link type %s: use -w", 1344 gndo->ndo_dltname); 1345 else 1346 error("packet printing is not supported for link type %d: use -w", type); 1347 } 1348 } 1349 callback = print_packet; 1350 pcap_userdata = (u_char *)&printinfo; 1351 } 1352 1353 #ifdef SIGNAL_REQ_INFO 1354 /* 1355 * We can't get statistics when reading from a file rather 1356 * than capturing from a device. 1357 */ 1358 if (RFileName == NULL) 1359 (void)setsignal(SIGNAL_REQ_INFO, requestinfo); 1360 #endif 1361 1362 if (vflag > 0 && WFileName) { 1363 /* 1364 * When capturing to a file, "-v" means tcpdump should, 1365 * every 10 secodns, "v"erbosely report the number of 1366 * packets captured. 1367 */ 1368 #ifdef USE_WIN32_MM_TIMER 1369 /* call verbose_stats_dump() each 1000 +/-100msec */ 1370 timer_id = timeSetEvent(1000, 100, verbose_stats_dump, 0, TIME_PERIODIC); 1371 setvbuf(stderr, NULL, _IONBF, 0); 1372 #elif defined(HAVE_ALARM) 1373 (void)setsignal(SIGALRM, verbose_stats_dump); 1374 alarm(1); 1375 #endif 1376 } 1377 1378 #ifndef WIN32 1379 if (RFileName == NULL) { 1380 int dlt; 1381 const char *dlt_name; 1382 1383 if (!vflag && !WFileName) { 1384 (void)fprintf(stderr, 1385 "%s: verbose output suppressed, use -v or -vv for full protocol decode\n", 1386 program_name); 1387 } else 1388 (void)fprintf(stderr, "%s: ", program_name); 1389 dlt = pcap_datalink(pd); 1390 dlt_name = pcap_datalink_val_to_name(dlt); 1391 if (dlt_name == NULL) { 1392 (void)fprintf(stderr, "listening on %s, link-type %u, capture size %u bytes\n", 1393 device, dlt, snaplen); 1394 } else { 1395 (void)fprintf(stderr, "listening on %s, link-type %s (%s), capture size %u bytes\n", 1396 device, dlt_name, 1397 pcap_datalink_val_to_description(dlt), snaplen); 1398 } 1399 (void)fflush(stderr); 1400 } 1401 1402 /* 1403 * If a user name was specified with "-Z", attempt to switch to 1404 * that user's UID. This would probably be used with sudo, 1405 * to allow tcpdump to be run in a special restricted 1406 * account (if you just want to allow users to open capture 1407 * devices, and can't just give users that permission, 1408 * you'd make tcpdump set-UID or set-GID). 1409 * 1410 * Tcpdump doesn't necessarily write only to one savefile; 1411 * the general only way to allow a -Z instance to write to 1412 * savefiles as the user under whose UID it's run, rather 1413 * than as the user specified with -Z, would thus be to switch 1414 * to the original user ID before opening a capture file and 1415 * then switch back to the -Z user ID after opening the savefile. 1416 * Switching to the -Z user ID only after opening the first 1417 * savefile doesn't handle the general case. 1418 */ 1419 if (getuid() == 0 || geteuid() == 0) { 1420 if (username || chroot_dir) 1421 droproot(username, chroot_dir); 1422 } 1423 #endif /* WIN32 */ 1424 status = pcap_loop(pd, cnt, callback, pcap_userdata); 1425 if (WFileName == NULL) { 1426 /* 1427 * We're printing packets. Flush the printed output, 1428 * so it doesn't get intermingled with error output. 1429 */ 1430 if (status == -2) { 1431 /* 1432 * We got interrupted, so perhaps we didn't 1433 * manage to finish a line we were printing. 1434 * Print an extra newline, just in case. 1435 */ 1436 putchar('\n'); 1437 } 1438 (void)fflush(stdout); 1439 } 1440 if (status == -1) { 1441 /* 1442 * Error. Report it. 1443 */ 1444 (void)fprintf(stderr, "%s: pcap_loop: %s\n", 1445 program_name, pcap_geterr(pd)); 1446 } 1447 if (RFileName == NULL) { 1448 /* 1449 * We're doing a live capture. Report the capture 1450 * statistics. 1451 */ 1452 info(1); 1453 } 1454 pcap_close(pd); 1455 exit(status == -1 ? 1 : 0); 1456 } 1457 1458 /* make a clean exit on interrupts */ 1459 static RETSIGTYPE 1460 cleanup(int signo _U_) 1461 { 1462 #ifdef USE_WIN32_MM_TIMER 1463 if (timer_id) 1464 timeKillEvent(timer_id); 1465 timer_id = 0; 1466 #elif defined(HAVE_ALARM) 1467 alarm(0); 1468 #endif 1469 1470 #ifdef HAVE_PCAP_BREAKLOOP 1471 /* 1472 * We have "pcap_breakloop()"; use it, so that we do as little 1473 * as possible in the signal handler (it's probably not safe 1474 * to do anything with standard I/O streams in a signal handler - 1475 * the ANSI C standard doesn't say it is). 1476 */ 1477 pcap_breakloop(pd); 1478 #else 1479 /* 1480 * We don't have "pcap_breakloop()"; this isn't safe, but 1481 * it's the best we can do. Print the summary if we're 1482 * not reading from a savefile - i.e., if we're doing a 1483 * live capture - and exit. 1484 */ 1485 if (pd != NULL && pcap_file(pd) == NULL) { 1486 /* 1487 * We got interrupted, so perhaps we didn't 1488 * manage to finish a line we were printing. 1489 * Print an extra newline, just in case. 1490 */ 1491 putchar('\n'); 1492 (void)fflush(stdout); 1493 info(1); 1494 } 1495 exit(0); 1496 #endif 1497 } 1498 1499 /* 1500 On windows, we do not use a fork, so we do not care less about 1501 waiting a child processes to die 1502 */ 1503 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 1504 static RETSIGTYPE 1505 child_cleanup(int signo _U_) 1506 { 1507 wait(NULL); 1508 } 1509 #endif /* HAVE_FORK && HAVE_VFORK */ 1510 1511 static void 1512 info(register int verbose) 1513 { 1514 struct pcap_stat stat; 1515 1516 /* 1517 * Older versions of libpcap didn't set ps_ifdrop on some 1518 * platforms; initialize it to 0 to handle that. 1519 */ 1520 stat.ps_ifdrop = 0; 1521 if (pcap_stats(pd, &stat) < 0) { 1522 (void)fprintf(stderr, "pcap_stats: %s\n", pcap_geterr(pd)); 1523 infoprint = 0; 1524 return; 1525 } 1526 1527 if (!verbose) 1528 fprintf(stderr, "%s: ", program_name); 1529 1530 (void)fprintf(stderr, "%u packet%s captured", packets_captured, 1531 PLURAL_SUFFIX(packets_captured)); 1532 if (!verbose) 1533 fputs(", ", stderr); 1534 else 1535 putc('\n', stderr); 1536 (void)fprintf(stderr, "%u packet%s received by filter", stat.ps_recv, 1537 PLURAL_SUFFIX(stat.ps_recv)); 1538 if (!verbose) 1539 fputs(", ", stderr); 1540 else 1541 putc('\n', stderr); 1542 (void)fprintf(stderr, "%u packet%s dropped by kernel", stat.ps_drop, 1543 PLURAL_SUFFIX(stat.ps_drop)); 1544 if (stat.ps_ifdrop != 0) { 1545 if (!verbose) 1546 fputs(", ", stderr); 1547 else 1548 putc('\n', stderr); 1549 (void)fprintf(stderr, "%u packet%s dropped by interface\n", 1550 stat.ps_ifdrop, PLURAL_SUFFIX(stat.ps_ifdrop)); 1551 } else 1552 putc('\n', stderr); 1553 infoprint = 0; 1554 } 1555 1556 #if defined(HAVE_FORK) || defined(HAVE_VFORK) 1557 static void 1558 compress_savefile(const char *filename) 1559 { 1560 # ifdef HAVE_FORK 1561 if (fork()) 1562 # else 1563 if (vfork()) 1564 # endif 1565 return; 1566 /* 1567 * Set to lowest priority so that this doesn't disturb the capture 1568 */ 1569 #ifdef NZERO 1570 setpriority(PRIO_PROCESS, 0, NZERO - 1); 1571 #else 1572 setpriority(PRIO_PROCESS, 0, 19); 1573 #endif 1574 if (execlp(zflag, zflag, filename, (char *)NULL) == -1) 1575 fprintf(stderr, 1576 "compress_savefile:execlp(%s, %s): %s\n", 1577 zflag, 1578 filename, 1579 strerror(errno)); 1580 # ifdef HAVE_FORK 1581 exit(1); 1582 # else 1583 _exit(1); 1584 # endif 1585 } 1586 #else /* HAVE_FORK && HAVE_VFORK */ 1587 static void 1588 compress_savefile(const char *filename) 1589 { 1590 fprintf(stderr, 1591 "compress_savefile failed. Functionality not implemented under your system\n"); 1592 } 1593 #endif /* HAVE_FORK && HAVE_VFORK */ 1594 1595 static void 1596 dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 1597 { 1598 struct dump_info *dump_info; 1599 1600 ++packets_captured; 1601 1602 ++infodelay; 1603 1604 dump_info = (struct dump_info *)user; 1605 1606 /* 1607 * XXX - this won't force the file to rotate on the specified time 1608 * boundary, but it will rotate on the first packet received after the 1609 * specified Gflag number of seconds. Note: if a Gflag time boundary 1610 * and a Cflag size boundary coincide, the time rotation will occur 1611 * first thereby cancelling the Cflag boundary (since the file should 1612 * be 0). 1613 */ 1614 if (Gflag != 0) { 1615 /* Check if it is time to rotate */ 1616 time_t t; 1617 1618 /* Get the current time */ 1619 if ((t = time(NULL)) == (time_t)-1) { 1620 error("dump_and_trunc_packet: can't get current_time: %s", 1621 pcap_strerror(errno)); 1622 } 1623 1624 1625 /* If the time is greater than the specified window, rotate */ 1626 if (t - Gflag_time >= Gflag) { 1627 /* Update the Gflag_time */ 1628 Gflag_time = t; 1629 /* Update Gflag_count */ 1630 Gflag_count++; 1631 /* 1632 * Close the current file and open a new one. 1633 */ 1634 pcap_dump_close(dump_info->p); 1635 1636 /* 1637 * Compress the file we just closed, if the user asked for it 1638 */ 1639 if (zflag != NULL) 1640 compress_savefile(dump_info->CurrentFileName); 1641 1642 /* 1643 * Check to see if we've exceeded the Wflag (when 1644 * not using Cflag). 1645 */ 1646 if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) { 1647 (void)fprintf(stderr, "Maximum file limit reached: %d\n", 1648 Wflag); 1649 exit(0); 1650 /* NOTREACHED */ 1651 } 1652 if (dump_info->CurrentFileName != NULL) 1653 free(dump_info->CurrentFileName); 1654 /* Allocate space for max filename + \0. */ 1655 dump_info->CurrentFileName = (char *)malloc(NAME_MAX + 1); 1656 if (dump_info->CurrentFileName == NULL) 1657 error("dump_packet_and_trunc: malloc"); 1658 /* 1659 * This is always the first file in the Cflag 1660 * rotation: e.g. 0 1661 * We also don't need numbering if Cflag is not set. 1662 */ 1663 if (Cflag != 0) 1664 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 1665 WflagChars); 1666 else 1667 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0); 1668 1669 dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 1670 if (dump_info->p == NULL) 1671 error("%s", pcap_geterr(pd)); 1672 } 1673 } 1674 1675 /* 1676 * XXX - this won't prevent capture files from getting 1677 * larger than Cflag - the last packet written to the 1678 * file could put it over Cflag. 1679 */ 1680 if (Cflag != 0 && pcap_dump_ftell(dump_info->p) > Cflag) { 1681 /* 1682 * Close the current file and open a new one. 1683 */ 1684 pcap_dump_close(dump_info->p); 1685 1686 /* 1687 * Compress the file we just closed, if the user asked for it 1688 */ 1689 if (zflag != NULL) 1690 compress_savefile(dump_info->CurrentFileName); 1691 1692 Cflag_count++; 1693 if (Wflag > 0) { 1694 if (Cflag_count >= Wflag) 1695 Cflag_count = 0; 1696 } 1697 if (dump_info->CurrentFileName != NULL) 1698 free(dump_info->CurrentFileName); 1699 dump_info->CurrentFileName = (char *)malloc(NAME_MAX + 1); 1700 if (dump_info->CurrentFileName == NULL) 1701 error("dump_packet_and_trunc: malloc"); 1702 MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, Cflag_count, WflagChars); 1703 dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName); 1704 if (dump_info->p == NULL) 1705 error("%s", pcap_geterr(pd)); 1706 } 1707 1708 pcap_dump((u_char *)dump_info->p, h, sp); 1709 #ifdef HAVE_PCAP_DUMP_FLUSH 1710 if (Uflag) 1711 pcap_dump_flush(dump_info->p); 1712 #endif 1713 1714 --infodelay; 1715 if (infoprint) 1716 info(0); 1717 } 1718 1719 static void 1720 dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 1721 { 1722 ++packets_captured; 1723 1724 ++infodelay; 1725 1726 pcap_dump(user, h, sp); 1727 #ifdef HAVE_PCAP_DUMP_FLUSH 1728 if (Uflag) 1729 pcap_dump_flush((pcap_dumper_t *)user); 1730 #endif 1731 1732 --infodelay; 1733 if (infoprint) 1734 info(0); 1735 } 1736 1737 static void 1738 print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) 1739 { 1740 struct print_info *print_info; 1741 u_int hdrlen; 1742 1743 ++packets_captured; 1744 1745 ++infodelay; 1746 ts_print(&h->ts); 1747 1748 print_info = (struct print_info *)user; 1749 1750 /* 1751 * Some printers want to check that they're not walking off the 1752 * end of the packet. 1753 * Rather than pass it all the way down, we set this global. 1754 */ 1755 snapend = sp + h->caplen; 1756 1757 if(print_info->ndo_type) { 1758 hdrlen = (*print_info->p.ndo_printer)(print_info->ndo, h, sp); 1759 } else { 1760 hdrlen = (*print_info->p.printer)(h, sp); 1761 } 1762 1763 if (Xflag) { 1764 /* 1765 * Print the raw packet data in hex and ASCII. 1766 */ 1767 if (Xflag > 1) { 1768 /* 1769 * Include the link-layer header. 1770 */ 1771 hex_and_ascii_print("\n\t", sp, h->caplen); 1772 } else { 1773 /* 1774 * Don't include the link-layer header - and if 1775 * we have nothing past the link-layer header, 1776 * print nothing. 1777 */ 1778 if (h->caplen > hdrlen) 1779 hex_and_ascii_print("\n\t", sp + hdrlen, 1780 h->caplen - hdrlen); 1781 } 1782 } else if (xflag) { 1783 /* 1784 * Print the raw packet data in hex. 1785 */ 1786 if (xflag > 1) { 1787 /* 1788 * Include the link-layer header. 1789 */ 1790 hex_print("\n\t", sp, h->caplen); 1791 } else { 1792 /* 1793 * Don't include the link-layer header - and if 1794 * we have nothing past the link-layer header, 1795 * print nothing. 1796 */ 1797 if (h->caplen > hdrlen) 1798 hex_print("\n\t", sp + hdrlen, 1799 h->caplen - hdrlen); 1800 } 1801 } else if (Aflag) { 1802 /* 1803 * Print the raw packet data in ASCII. 1804 */ 1805 if (Aflag > 1) { 1806 /* 1807 * Include the link-layer header. 1808 */ 1809 ascii_print(sp, h->caplen); 1810 } else { 1811 /* 1812 * Don't include the link-layer header - and if 1813 * we have nothing past the link-layer header, 1814 * print nothing. 1815 */ 1816 if (h->caplen > hdrlen) 1817 ascii_print(sp + hdrlen, h->caplen - hdrlen); 1818 } 1819 } 1820 1821 putchar('\n'); 1822 1823 --infodelay; 1824 if (infoprint) 1825 info(0); 1826 } 1827 1828 #ifdef WIN32 1829 /* 1830 * XXX - there should really be libpcap calls to get the version 1831 * number as a string (the string would be generated from #defines 1832 * at run time, so that it's not generated from string constants 1833 * in the library, as, on many UNIX systems, those constants would 1834 * be statically linked into the application executable image, and 1835 * would thus reflect the version of libpcap on the system on 1836 * which the application was *linked*, not the system on which it's 1837 * *running*. 1838 * 1839 * That routine should be documented, unlike the "version[]" 1840 * string, so that UNIX vendors providing their own libpcaps 1841 * don't omit it (as a couple of vendors have...). 1842 * 1843 * Packet.dll should perhaps also export a routine to return the 1844 * version number of the Packet.dll code, to supply the 1845 * "Wpcap_version" information on Windows. 1846 */ 1847 char WDversion[]="current-cvs.tcpdump.org"; 1848 #if !defined(HAVE_GENERATED_VERSION) 1849 char version[]="current-cvs.tcpdump.org"; 1850 #endif 1851 char pcap_version[]="current-cvs.tcpdump.org"; 1852 char Wpcap_version[]="3.1"; 1853 #endif 1854 1855 /* 1856 * By default, print the specified data out in hex and ASCII. 1857 */ 1858 static void 1859 ndo_default_print(netdissect_options *ndo _U_, const u_char *bp, u_int length) 1860 { 1861 hex_and_ascii_print("\n\t", bp, length); /* pass on lf and identation string */ 1862 } 1863 1864 void 1865 default_print(const u_char *bp, u_int length) 1866 { 1867 ndo_default_print(gndo, bp, length); 1868 } 1869 1870 #ifdef SIGNAL_REQ_INFO 1871 RETSIGTYPE requestinfo(int signo _U_) 1872 { 1873 if (infodelay) 1874 ++infoprint; 1875 else 1876 info(0); 1877 } 1878 #endif 1879 1880 /* 1881 * Called once each second in verbose mode while dumping to file 1882 */ 1883 #ifdef USE_WIN32_MM_TIMER 1884 void CALLBACK verbose_stats_dump (UINT timer_id _U_, UINT msg _U_, DWORD_PTR arg _U_, 1885 DWORD_PTR dw1 _U_, DWORD_PTR dw2 _U_) 1886 { 1887 struct pcap_stat stat; 1888 1889 if (infodelay == 0 && pcap_stats(pd, &stat) >= 0) 1890 fprintf(stderr, "Got %u\r", packets_captured); 1891 } 1892 #elif defined(HAVE_ALARM) 1893 static void verbose_stats_dump(int sig _U_) 1894 { 1895 struct pcap_stat stat; 1896 1897 if (infodelay == 0 && pcap_stats(pd, &stat) >= 0) 1898 fprintf(stderr, "Got %u\r", packets_captured); 1899 alarm(1); 1900 } 1901 #endif 1902 1903 static void 1904 usage(void) 1905 { 1906 extern char version[]; 1907 #ifndef HAVE_PCAP_LIB_VERSION 1908 #if defined(WIN32) || defined(HAVE_PCAP_VERSION) 1909 extern char pcap_version[]; 1910 #else /* defined(WIN32) || defined(HAVE_PCAP_VERSION) */ 1911 static char pcap_version[] = "unknown"; 1912 #endif /* defined(WIN32) || defined(HAVE_PCAP_VERSION) */ 1913 #endif /* HAVE_PCAP_LIB_VERSION */ 1914 1915 #ifdef HAVE_PCAP_LIB_VERSION 1916 #ifdef WIN32 1917 (void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version); 1918 #else /* WIN32 */ 1919 (void)fprintf(stderr, "%s version %s\n", program_name, version); 1920 #endif /* WIN32 */ 1921 (void)fprintf(stderr, "%s\n",pcap_lib_version()); 1922 #else /* HAVE_PCAP_LIB_VERSION */ 1923 #ifdef WIN32 1924 (void)fprintf(stderr, "%s version %s, based on tcpdump version %s\n", program_name, WDversion, version); 1925 (void)fprintf(stderr, "WinPcap version %s, based on libpcap version %s\n",Wpcap_version, pcap_version); 1926 #else /* WIN32 */ 1927 (void)fprintf(stderr, "%s version %s\n", program_name, version); 1928 (void)fprintf(stderr, "libpcap version %s\n", pcap_version); 1929 #endif /* WIN32 */ 1930 #endif /* HAVE_PCAP_LIB_VERSION */ 1931 (void)fprintf(stderr, 1932 "Usage: %s [-aAbd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqRStu" U_FLAG "vxX]" B_FLAG_USAGE " [ -c count ]\n", program_name); 1933 (void)fprintf(stderr, 1934 "\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n"); 1935 (void)fprintf(stderr, 1936 "\t\t[ -i interface ]" j_FLAG_USAGE " [ -M secret ]\n"); 1937 (void)fprintf(stderr, 1938 "\t\t[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]\n"); 1939 (void)fprintf(stderr, 1940 "\t\t[ -W filecount ] [ -y datalinktype ] [ -z command ]\n"); 1941 (void)fprintf(stderr, 1942 "\t\t[ -Z user ] [ expression ]\n"); 1943 exit(1); 1944 } 1945 1946 1947 1948 /* VARARGS */ 1949 static void 1950 ndo_error(netdissect_options *ndo _U_, const char *fmt, ...) 1951 { 1952 va_list ap; 1953 1954 (void)fprintf(stderr, "%s: ", program_name); 1955 va_start(ap, fmt); 1956 (void)vfprintf(stderr, fmt, ap); 1957 va_end(ap); 1958 if (*fmt) { 1959 fmt += strlen(fmt); 1960 if (fmt[-1] != '\n') 1961 (void)fputc('\n', stderr); 1962 } 1963 exit(1); 1964 /* NOTREACHED */ 1965 } 1966 1967 /* VARARGS */ 1968 static void 1969 ndo_warning(netdissect_options *ndo _U_, const char *fmt, ...) 1970 { 1971 va_list ap; 1972 1973 (void)fprintf(stderr, "%s: WARNING: ", program_name); 1974 va_start(ap, fmt); 1975 (void)vfprintf(stderr, fmt, ap); 1976 va_end(ap); 1977 if (*fmt) { 1978 fmt += strlen(fmt); 1979 if (fmt[-1] != '\n') 1980 (void)fputc('\n', stderr); 1981 } 1982 } 1983