1 /* $OpenBSD: pcap.c,v 1.20 2016/11/16 13:47:27 reyk Exp $ */ 2 3 /* 4 * Copyright (c) 1993, 1994, 1995, 1996, 1997, 1998 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the Computer Systems 18 * Engineering Group at Lawrence Berkeley Laboratory. 19 * 4. Neither the name of the University nor of the Laboratory may be used 20 * to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/types.h> 37 38 #include <stdio.h> 39 #include <stdlib.h> 40 #include <string.h> 41 #include <unistd.h> 42 #include <errno.h> 43 #include <fcntl.h> 44 45 #ifdef HAVE_OS_PROTO_H 46 #include "os-proto.h" 47 #endif 48 49 #include "pcap-int.h" 50 51 static const char pcap_version_string[] = "OpenBSD libpcap"; 52 53 int 54 pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 55 { 56 57 if (p->sf.rfile != NULL) 58 return (pcap_offline_read(p, cnt, callback, user)); 59 return (pcap_read(p, cnt, callback, user)); 60 } 61 62 int 63 pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) 64 { 65 int n; 66 67 for (;;) { 68 if (p->sf.rfile != NULL) 69 n = pcap_offline_read(p, cnt, callback, user); 70 else { 71 /* 72 * XXX keep reading until we get something 73 * (or an error occurs) 74 */ 75 do { 76 n = pcap_read(p, cnt, callback, user); 77 } while (n == 0); 78 } 79 if (n <= 0) 80 return (n); 81 if (cnt > 0) { 82 cnt -= n; 83 if (cnt <= 0) 84 return (0); 85 } 86 } 87 } 88 89 struct singleton { 90 struct pcap_pkthdr *hdr; 91 const u_char *pkt; 92 }; 93 94 95 static void 96 pcap_oneshot(u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt) 97 { 98 struct singleton *sp = (struct singleton *)userData; 99 *sp->hdr = *h; 100 sp->pkt = pkt; 101 } 102 103 const u_char * 104 pcap_next(pcap_t *p, struct pcap_pkthdr *h) 105 { 106 struct singleton s; 107 108 s.hdr = h; 109 if (pcap_dispatch(p, 1, pcap_oneshot, (u_char*)&s) <= 0) 110 return (0); 111 return (s.pkt); 112 } 113 114 struct pkt_for_fakecallback { 115 struct pcap_pkthdr *hdr; 116 const u_char **pkt; 117 }; 118 119 static void 120 pcap_fakecallback(u_char *userData, const struct pcap_pkthdr *h, 121 const u_char *pkt) 122 { 123 struct pkt_for_fakecallback *sp = (struct pkt_for_fakecallback *)userData; 124 125 *sp->hdr = *h; 126 *sp->pkt = pkt; 127 } 128 129 int 130 pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header, 131 const u_char **pkt_data) 132 { 133 struct pkt_for_fakecallback s; 134 135 s.hdr = &p->pcap_header; 136 s.pkt = pkt_data; 137 138 /* Saves a pointer to the packet headers */ 139 *pkt_header= &p->pcap_header; 140 141 if (p->sf.rfile != NULL) { 142 int status; 143 144 /* We are on an offline capture */ 145 status = pcap_offline_read(p, 1, pcap_fakecallback, 146 (u_char *)&s); 147 148 /* 149 * Return codes for pcap_offline_read() are: 150 * - 0: EOF 151 * - -1: error 152 * - >1: OK 153 * The first one ('0') conflicts with the return code of 154 * 0 from pcap_read() meaning "no packets arrived before 155 * the timeout expired", so we map it to -2 so you can 156 * distinguish between an EOF from a savefile and a 157 * "no packets arrived before the timeout expired, try 158 * again" from a live capture. 159 */ 160 if (status == 0) 161 return (-2); 162 else 163 return (status); 164 } 165 166 /* 167 * Return codes for pcap_read() are: 168 * - 0: timeout 169 * - -1: error 170 * - -2: loop was broken out of with pcap_breakloop() 171 * - >1: OK 172 * The first one ('0') conflicts with the return code of 0 from 173 * pcap_offline_read() meaning "end of file". 174 */ 175 return (pcap_read(p, 1, pcap_fakecallback, (u_char *)&s)); 176 } 177 178 int 179 pcap_check_activated(pcap_t *p) 180 { 181 if (p->activated) { 182 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't perform " 183 " operation on activated capture"); 184 return -1; 185 } 186 return 0; 187 } 188 189 int 190 pcap_set_snaplen(pcap_t *p, int snaplen) 191 { 192 if (pcap_check_activated(p)) 193 return PCAP_ERROR_ACTIVATED; 194 p->snapshot = snaplen; 195 return 0; 196 } 197 198 int 199 pcap_set_promisc(pcap_t *p, int promisc) 200 { 201 if (pcap_check_activated(p)) 202 return PCAP_ERROR_ACTIVATED; 203 p->opt.promisc = promisc; 204 return 0; 205 } 206 207 int 208 pcap_set_rfmon(pcap_t *p, int rfmon) 209 { 210 if (pcap_check_activated(p)) 211 return PCAP_ERROR_ACTIVATED; 212 p->opt.rfmon = rfmon; 213 return 0; 214 } 215 216 int 217 pcap_set_timeout(pcap_t *p, int timeout_ms) 218 { 219 if (pcap_check_activated(p)) 220 return PCAP_ERROR_ACTIVATED; 221 p->md.timeout = timeout_ms; 222 return 0; 223 } 224 225 int 226 pcap_set_buffer_size(pcap_t *p, int buffer_size) 227 { 228 if (pcap_check_activated(p)) 229 return PCAP_ERROR_ACTIVATED; 230 p->opt.buffer_size = buffer_size; 231 return 0; 232 } 233 234 /* 235 * Force the loop in "pcap_read()" or "pcap_read_offline()" to terminate. 236 */ 237 void 238 pcap_breakloop(pcap_t *p) 239 { 240 p->break_loop = 1; 241 } 242 243 int 244 pcap_datalink(pcap_t *p) 245 { 246 return (p->linktype); 247 } 248 249 int 250 pcap_list_datalinks(pcap_t *p, int **dlt_buffer) 251 { 252 if (p->dlt_count == 0) { 253 /* 254 * We couldn't fetch the list of DLTs, which means 255 * this platform doesn't support changing the 256 * DLT for an interface. Return a list of DLTs 257 * containing only the DLT this device supports. 258 */ 259 *dlt_buffer = malloc(sizeof(**dlt_buffer)); 260 if (*dlt_buffer == NULL) { 261 (void)snprintf(p->errbuf, sizeof(p->errbuf), 262 "malloc: %s", pcap_strerror(errno)); 263 return (-1); 264 } 265 **dlt_buffer = p->linktype; 266 return (1); 267 } else { 268 *dlt_buffer = reallocarray(NULL, sizeof(**dlt_buffer), 269 p->dlt_count); 270 if (*dlt_buffer == NULL) { 271 (void)snprintf(p->errbuf, sizeof(p->errbuf), 272 "malloc: %s", pcap_strerror(errno)); 273 return (-1); 274 } 275 (void)memcpy(*dlt_buffer, p->dlt_list, 276 sizeof(**dlt_buffer) * p->dlt_count); 277 return (p->dlt_count); 278 } 279 } 280 281 /* 282 * In Windows, you might have a library built with one version of the 283 * C runtime library and an application built with another version of 284 * the C runtime library, which means that the library might use one 285 * version of malloc() and free() and the application might use another 286 * version of malloc() and free(). If so, that means something 287 * allocated by the library cannot be freed by the application, so we 288 * need to have a pcap_free_datalinks() routine to free up the list 289 * allocated by pcap_list_datalinks(), even though it's just a wrapper 290 * around free(). 291 */ 292 void 293 pcap_free_datalinks(int *dlt_list) 294 { 295 free(dlt_list); 296 } 297 298 struct dlt_choice { 299 const char *name; 300 const char *description; 301 int dlt; 302 }; 303 304 static struct dlt_choice dlts[] = { 305 #define DLT_CHOICE(code, description) { #code, description, code } 306 DLT_CHOICE(DLT_NULL, "no link-layer encapsulation"), 307 DLT_CHOICE(DLT_EN10MB, "Ethernet (10Mb)"), 308 DLT_CHOICE(DLT_EN3MB, "Experimental Ethernet (3Mb)"), 309 DLT_CHOICE(DLT_AX25, "Amateur Radio AX.25"), 310 DLT_CHOICE(DLT_PRONET, "Proteon ProNET Token Ring"), 311 DLT_CHOICE(DLT_CHAOS, "Chaos"), 312 DLT_CHOICE(DLT_IEEE802, "IEEE 802 Networks"), 313 DLT_CHOICE(DLT_ARCNET, "ARCNET"), 314 DLT_CHOICE(DLT_SLIP, "Serial Line IP"), 315 DLT_CHOICE(DLT_PPP, "Point-to-point Protocol"), 316 DLT_CHOICE(DLT_FDDI, "FDDI"), 317 DLT_CHOICE(DLT_ATM_RFC1483, "LLC/SNAP encapsulated atm"), 318 DLT_CHOICE(DLT_LOOP, "loopback type (af header)"), 319 DLT_CHOICE(DLT_ENC, "IPSEC enc type (af header, spi, flags)"), 320 DLT_CHOICE(DLT_RAW, "raw IP"), 321 DLT_CHOICE(DLT_SLIP_BSDOS, "BSD/OS Serial Line IP"), 322 DLT_CHOICE(DLT_PPP_BSDOS, "BSD/OS Point-to-point Protocol"), 323 DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"), 324 DLT_CHOICE(DLT_PPP_ETHER, "PPP over Ethernet; session only w/o ether header"), 325 DLT_CHOICE(DLT_IEEE802_11, "IEEE 802.11 wireless"), 326 DLT_CHOICE(DLT_PFLOG, "Packet filter logging, by pcap people"), 327 DLT_CHOICE(DLT_IEEE802_11_RADIO, "IEEE 802.11 plus WLAN header"), 328 DLT_CHOICE(DLT_OPENFLOW, "OpenFlow"), 329 #undef DLT_CHOICE 330 { NULL, NULL, -1} 331 }; 332 333 int 334 pcap_datalink_name_to_val(const char *name) 335 { 336 int i; 337 338 for (i = 0; dlts[i].name != NULL; i++) { 339 /* Skip leading "DLT_" */ 340 if (strcasecmp(dlts[i].name + 4, name) == 0) 341 return (dlts[i].dlt); 342 } 343 return (-1); 344 } 345 346 const char * 347 pcap_datalink_val_to_name(int dlt) 348 { 349 int i; 350 351 for (i = 0; dlts[i].name != NULL; i++) { 352 if (dlts[i].dlt == dlt) 353 return (dlts[i].name + 4); /* Skip leading "DLT_" */ 354 } 355 return (NULL); 356 } 357 358 const char * 359 pcap_datalink_val_to_description(int dlt) 360 { 361 int i; 362 363 for (i = 0; dlts[i].name != NULL; i++) { 364 if (dlts[i].dlt == dlt) 365 return (dlts[i].description); 366 } 367 return (NULL); 368 } 369 370 int 371 pcap_snapshot(pcap_t *p) 372 { 373 return (p->snapshot); 374 } 375 376 int 377 pcap_is_swapped(pcap_t *p) 378 { 379 return (p->sf.swapped); 380 } 381 382 int 383 pcap_major_version(pcap_t *p) 384 { 385 return (p->sf.version_major); 386 } 387 388 int 389 pcap_minor_version(pcap_t *p) 390 { 391 return (p->sf.version_minor); 392 } 393 394 FILE * 395 pcap_file(pcap_t *p) 396 { 397 return (p->sf.rfile); 398 } 399 400 int 401 pcap_fileno(pcap_t *p) 402 { 403 return (p->fd); 404 } 405 406 void 407 pcap_perror(pcap_t *p, char *prefix) 408 { 409 fprintf(stderr, "%s: %s\n", prefix, p->errbuf); 410 } 411 412 int 413 pcap_get_selectable_fd(pcap_t *p) 414 { 415 return (p->fd); 416 } 417 418 char * 419 pcap_geterr(pcap_t *p) 420 { 421 return (p->errbuf); 422 } 423 424 int 425 pcap_getnonblock(pcap_t *p, char *errbuf) 426 { 427 int fdflags; 428 429 fdflags = fcntl(p->fd, F_GETFL); 430 if (fdflags == -1) { 431 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s", 432 pcap_strerror(errno)); 433 return (-1); 434 } 435 if (fdflags & O_NONBLOCK) 436 return (1); 437 else 438 return (0); 439 } 440 441 int 442 pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf) 443 { 444 int fdflags; 445 446 fdflags = fcntl(p->fd, F_GETFL); 447 if (fdflags == -1) { 448 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s", 449 pcap_strerror(errno)); 450 return (-1); 451 } 452 if (nonblock) 453 fdflags |= O_NONBLOCK; 454 else 455 fdflags &= ~O_NONBLOCK; 456 if (fcntl(p->fd, F_SETFL, fdflags) == -1) { 457 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_SETFL: %s", 458 pcap_strerror(errno)); 459 return (-1); 460 } 461 return (0); 462 } 463 464 /* 465 * Generate error strings for PCAP_ERROR_ and PCAP_WARNING_ values. 466 */ 467 const char * 468 pcap_statustostr(int errnum) 469 { 470 static char ebuf[15+10+1]; 471 472 switch (errnum) { 473 474 case PCAP_WARNING: 475 return("Generic warning"); 476 477 case PCAP_WARNING_TSTAMP_TYPE_NOTSUP: 478 return ("That type of time stamp is not supported by that device"); 479 480 case PCAP_WARNING_PROMISC_NOTSUP: 481 return ("That device doesn't support promiscuous mode"); 482 483 case PCAP_ERROR: 484 return("Generic error"); 485 486 case PCAP_ERROR_BREAK: 487 return("Loop terminated by pcap_breakloop"); 488 489 case PCAP_ERROR_NOT_ACTIVATED: 490 return("The pcap_t has not been activated"); 491 492 case PCAP_ERROR_ACTIVATED: 493 return ("The setting can't be changed after the pcap_t is activated"); 494 495 case PCAP_ERROR_NO_SUCH_DEVICE: 496 return ("No such device exists"); 497 498 case PCAP_ERROR_RFMON_NOTSUP: 499 return ("That device doesn't support monitor mode"); 500 501 case PCAP_ERROR_NOT_RFMON: 502 return ("That operation is supported only in monitor mode"); 503 504 case PCAP_ERROR_PERM_DENIED: 505 return ("You don't have permission to capture on that device"); 506 507 case PCAP_ERROR_IFACE_NOT_UP: 508 return ("That device is not up"); 509 510 case PCAP_ERROR_CANTSET_TSTAMP_TYPE: 511 return ("That device doesn't support setting the time stamp type"); 512 513 case PCAP_ERROR_PROMISC_PERM_DENIED: 514 return ("You don't have permission to capture in promiscuous mode on that device"); 515 } 516 (void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum); 517 return(ebuf); 518 } 519 520 /* 521 * Not all systems have strerror(). 522 */ 523 char * 524 pcap_strerror(int errnum) 525 { 526 #ifdef HAVE_STRERROR 527 return (strerror(errnum)); 528 #else 529 extern int sys_nerr; 530 extern const char *const sys_errlist[]; 531 static char ebuf[20]; 532 533 if ((unsigned int)errnum < sys_nerr) 534 return ((char *)sys_errlist[errnum]); 535 (void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum); 536 return(ebuf); 537 #endif 538 } 539 540 /* 541 * On some platforms, we need to clean up promiscuous or monitor mode 542 * when we close a device - and we want that to happen even if the 543 * application just exits without explicitl closing devices. 544 * On those platforms, we need to register a "close all the pcaps" 545 * routine to be called when we exit, and need to maintain a list of 546 * pcaps that need to be closed to clean up modes. 547 * 548 * XXX - not thread-safe. 549 */ 550 551 /* 552 * List of pcaps on which we've done something that needs to be 553 * cleaned up. 554 * If there are any such pcaps, we arrange to call "pcap_close_all()" 555 * when we exit, and have it close all of them. 556 */ 557 static struct pcap *pcaps_to_close; 558 559 /* 560 * TRUE if we've already called "atexit()" to cause "pcap_close_all()" to 561 * be called on exit. 562 */ 563 static int did_atexit; 564 565 static void 566 pcap_close_all(void) 567 { 568 struct pcap *handle; 569 570 while ((handle = pcaps_to_close) != NULL) 571 pcap_close(handle); 572 } 573 574 int 575 pcap_do_addexit(pcap_t *p) 576 { 577 /* 578 * If we haven't already done so, arrange to have 579 * "pcap_close_all()" called when we exit. 580 */ 581 if (!did_atexit) { 582 if (atexit(pcap_close_all) == -1) { 583 /* 584 * "atexit()" failed; let our caller know. 585 */ 586 (void)strlcpy(p->errbuf, "atexit failed", 587 PCAP_ERRBUF_SIZE); 588 return (0); 589 } 590 did_atexit = 1; 591 } 592 return (1); 593 } 594 595 void 596 pcap_add_to_pcaps_to_close(pcap_t *p) 597 { 598 p->md.next = pcaps_to_close; 599 pcaps_to_close = p; 600 } 601 602 void 603 pcap_remove_from_pcaps_to_close(pcap_t *p) 604 { 605 pcap_t *pc, *prevpc; 606 607 for (pc = pcaps_to_close, prevpc = NULL; pc != NULL; 608 prevpc = pc, pc = pc->md.next) { 609 if (pc == p) { 610 /* 611 * Found it. Remove it from the list. 612 */ 613 if (prevpc == NULL) { 614 /* 615 * It was at the head of the list. 616 */ 617 pcaps_to_close = pc->md.next; 618 } else { 619 /* 620 * It was in the middle of the list. 621 */ 622 prevpc->md.next = pc->md.next; 623 } 624 break; 625 } 626 } 627 } 628 629 pcap_t * 630 pcap_open_dead(int linktype, int snaplen) 631 { 632 pcap_t *p; 633 634 p = calloc(1, sizeof(*p)); 635 if (p == NULL) 636 return NULL; 637 p->snapshot = snaplen; 638 p->linktype = linktype; 639 p->fd = -1; 640 return p; 641 } 642 643 /* 644 * Given a BPF program, a pcap_pkthdr structure for a packet, and the raw 645 * data for the packet, check whether the packet passes the filter. 646 * Returns the return value of the filter program, which will be zero if 647 * the packet doesn't pass and non-zero if the packet does pass. 648 */ 649 int 650 pcap_offline_filter(const struct bpf_program *fp, const struct pcap_pkthdr *h, 651 const u_char *pkt) 652 { 653 struct bpf_insn *fcode = fp->bf_insns; 654 655 if (fcode != NULL) 656 return (bpf_filter(fcode, pkt, h->len, h->caplen)); 657 else 658 return (0); 659 } 660 661 const char * 662 pcap_lib_version(void) 663 { 664 return (pcap_version_string); 665 } 666 667