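/* $OpenBSD: tcpdump.c,v 1.39 2004/09/16 11:29:51 markus Exp $ */

/*
 * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that: (1) source code distributions
 * retain the above copyright notice and this paragraph in its entirety, (2)
 * distributions including binary code include the above copyright notice and
 * this paragraph in its entirety in the documentation or other materials
 * provided with the distribution, and (3) all advertising materials mentioning
 * features or use of this software display the following acknowledgement:
 * ``This product includes software developed by the University of California,
 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
 * the University nor the names of its contributors may be used to endorse
 * or promote products derived from this software without specific prior
 * written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#ifndef lint
static const char copyright[] =
    "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997\n\
The Regents of the University of California. All rights reserved.\n";
static const char rcsid[] =
    "@(#) $Header: /home/cvs/src/usr.sbin/tcpdump/tcpdump.c,v 1.39 2004/09/16 11:29:51 markus Exp $ (LBL)";
#endif

/*
 * tcpdump - monitor tcp/ip traffic on an ethernet.
 *
 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory.
 * Mercilessly hacked and occasionally improved since then via the
 * combined efforts of Van, Steve McCanne and Craig Leres of LBL.
 */

#include <sys/types.h>
#include <sys/time.h>

#include <netinet/in.h>

#include <pcap.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <ctype.h>
#include <errno.h>
#include <limits.h>

#include "interface.h"
#include "addrtoname.h"
#include "machdep.h"
#include "setsignal.h"
#include "gmt2local.h"

#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#include "pfctl.h"
#include "pfctl_parser.h"
#include "privsep.h"

int aflag;			/* translate network and broadcast addresses */
int dflag;			/* print filter code */
int eflag;			/* print ethernet header */
int fflag;			/* don't translate "foreign" IP address */
int nflag;			/* leave addresses as numbers */
int Nflag;			/* remove domains from printed host names */
int Oflag = 1;			/* run filter code optimizer */
int oflag;			/* print passive OS fingerprints */
int pflag;			/* don't go promiscuous */
int qflag;			/* quick (shorter) output */
int Sflag;			/* print raw TCP sequence numbers */
int tflag = 1;			/* print packet arrival time */
int vflag;			/* verbose */
int xflag;			/* print packet in hex */
int Xflag;			/* print packet in emacs-hexl style */

int packettype;

char *program_name;

int32_t thiszone;		/* seconds offset from gmt to local time */

/* Externs */
extern void bpf_dump(struct bpf_program *, int);
extern int esp_init(char *);

/* Forwards */
RETSIGTYPE cleanup(int);
extern __dead void usage(void);

/* Length of saved portion of packet. */
int snaplen = DEFAULT_SNAPLEN;

/* Maps one pcap data link type (DLT_*) to the handler that prints it. */
struct printer {
	pcap_handler f;
	int type;
};

/* XXX needed if using old bpf.h */
#ifndef DLT_ATM_RFC1483
#define DLT_ATM_RFC1483 11
#endif

/* Table searched by lookup_printer(); the entry with f == NULL ends it. */
static struct printer printers[] = {
	{ ether_if_print,	DLT_EN10MB },
	{ ether_if_print,	DLT_IEEE802 },
	{ sl_if_print,		DLT_SLIP },
	{ sl_bsdos_if_print,	DLT_SLIP_BSDOS },
	{ ppp_if_print,		DLT_PPP },
	{ fddi_if_print,	DLT_FDDI },
	{ null_if_print,	DLT_NULL },
	{ raw_if_print,		DLT_RAW },
	{ atm_if_print,		DLT_ATM_RFC1483 },
	{ loop_if_print,	DLT_LOOP },
	{ enc_if_print,		DLT_ENC },
	{ pflog_if_print,	DLT_PFLOG },
	{ pflog_old_if_print,	DLT_OLD_PFLOG },
	{ pfsync_if_print,	DLT_PFSYNC },
	{ ppp_ether_if_print,	DLT_PPP_ETHER },
	{ NULL,			0 },
};

/*
 * Return the print handler registered for data link type `type'.
 * An unknown type is reported through error(); the NOTREACHED marker
 * below relies on error() not returning.
 */
static pcap_handler
lookup_printer(int type)
{
	struct printer *p;

	for (p = printers; p->f; ++p)
		if (type == p->type)
			return p->f;

	error("unknown data link type 0x%x", type);
	/* NOTREACHED */
}

/*
 * Initialise the pf OS fingerprint table and load PF_OSFP_FILE.
 * Returns 1 when pfctl_file_fingerprints() reports success (0),
 * otherwise 0; main() stores the result back into oflag.
 */
static int
init_pfosfp(void)
{
	pf_osfp_initialize();
	if (pfctl_file_fingerprints(-1,
	    PF_OPT_QUIET|PF_OPT_NOACTION, PF_OSFP_FILE) == 0)
		return 1;
	return 0;
}

/*
 * Parse `s' as a strictly positive decimal int.
 * Returns 0 and stores the value in *out on success, -1 otherwise.
 * Unlike atoi(), trailing garbage ("10abc") and values that do not fit
 * in an int are rejected instead of being truncated or overflowing.
 */
static int
parse_positive_int(const char *s, int *out)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE ||
	    v <= 0 || v > INT_MAX)
		return -1;
	*out = (int)v;
	return 0;
}

/* Capture handle; file scope so that cleanup() can read its statistics. */
static pcap_t *pd;

extern int optind;
extern int opterr;
extern char *optarg;

/*
 * Entry point.  Privilege separation is set up by priv_init() before
 * any option is parsed; the "state:" comments below are the original
 * markers for the privsep state the process is in after each priv_*()
 * call.  After that: parse options, open a savefile (-r) or a live
 * device, install the filter, then hand packets to either pcap_dump
 * (-w) or the printer matching the link type.
 */
int
main(int argc, char **argv)
{
	int cnt, op, i;
	bpf_u_int32 localnet, netmask;
	char *cp, *infile, *device, *RFileName, *WFileName;
	pcap_handler printer;
	struct bpf_program *fcode;
	RETSIGTYPE (*oldhandler)(int);
	u_char *pcap_userdata;
	char ebuf[PCAP_ERRBUF_SIZE];

	cnt = -1;
	device = NULL;
	infile = NULL;
	RFileName = NULL;
	WFileName = NULL;

	if (priv_init(argc, argv))
		error("Failed to setup privsep");

	/* state: STATE_INIT */
	if ((cp = strrchr(argv[0], '/')) != NULL)
		program_name = cp + 1;
	else
		program_name = argv[0];

	if (abort_on_misalignment(ebuf, sizeof(ebuf)) < 0)
		error("%s", ebuf);

	opterr = 0;
	while ((op = getopt(argc, argv, "ac:deE:fF:i:lnNOopqr:s:StT:vw:xXY")) != -1)
		switch (op) {

		case 'a':
			++aflag;
			break;

		case 'c':
			/* strict parse: no trailing junk, no int overflow */
			if (parse_positive_int(optarg, &cnt) < 0)
				error("invalid packet count %s", optarg);
			break;

		case 'd':
			++dflag;
			break;

		case 'e':
			++eflag;
			break;

		case 'f':
			++fflag;
			break;

		case 'F':
			infile = optarg;
			break;

		case 'i':
			device = optarg;
			break;

		case 'l':
#ifdef HAVE_SETLINEBUF
			setlinebuf(stdout);
#else
			setvbuf(stdout, NULL, _IOLBF, 0);
#endif
			break;

		case 'n':
			++nflag;
			break;

		case 'N':
			++Nflag;
			break;

		case 'O':
			Oflag = 0;
			break;

		case 'o':
			oflag = 1;
			break;

		case 'p':
			++pflag;
			break;

		case 'q':
			++qflag;
			break;

		case 'r':
			RFileName = optarg;
			break;

		case 's':
			/* strict parse: no trailing junk, no int overflow */
			if (parse_positive_int(optarg, &snaplen) < 0)
				error("invalid snaplen %s", optarg);
			break;

		case 'S':
			++Sflag;
			break;

		case 't':
			--tflag;
			break;

		case 'T':
			if (strcasecmp(optarg, "vat") == 0)
				packettype = PT_VAT;
			else if (strcasecmp(optarg, "wb") == 0)
				packettype = PT_WB;
			else if (strcasecmp(optarg, "rpc") == 0)
				packettype = PT_RPC;
			else if (strcasecmp(optarg, "rtp") == 0)
				packettype = PT_RTP;
			else if (strcasecmp(optarg, "rtcp") == 0)
				packettype = PT_RTCP;
			else if (strcasecmp(optarg, "cnfp") == 0)
				packettype = PT_CNFP;
			else if (strcasecmp(optarg, "vrrp") == 0)
				packettype = PT_VRRP;
			else if (strcasecmp(optarg, "tcp") == 0)
				packettype = PT_TCP;
			else if (strcasecmp(optarg, "sack") == 0)
				/* "sack" changes the snaplen, not packettype */
				snaplen = SACK_SNAPLEN;
			else
				error("unknown packet type `%s'", optarg);
			break;

		case 'v':
			++vflag;
			break;

		case 'w':
			WFileName = optarg;
			break;
#ifdef YYDEBUG
		case 'Y':
			{
			/* Undocumented flag */
			extern int yydebug;
			yydebug = 1;
			}
			break;
#endif
		case 'x':
			++xflag;
			break;

		case 'X':
			++Xflag;
			/* -X implies -x */
			if (xflag == 0)
				++xflag;
			break;

		case 'E':
			if (esp_init(optarg) < 0)
				error("bad esp specification `%s'", optarg);
			break;

		default:
			usage();
			/* NOTREACHED */
		}

	if (aflag && nflag)
		error("-a and -n options are incompatible");

	if (RFileName != NULL) {
		pd = priv_pcap_offline(RFileName, ebuf);
		if (pd == NULL)
			error("%s", ebuf);

		/* state: STATE_BPF */
		localnet = 0;
		netmask = 0;
		if (fflag != 0)
			error("-f and -r options are incompatible");
	} else {
		if (device == NULL) {
			device = pcap_lookupdev(ebuf);
			if (device == NULL)
				error("%s", ebuf);
		}
		pd = priv_pcap_live(device, snaplen, !pflag, 1000, ebuf);
		if (pd == NULL)
			error("%s", ebuf);

		/* state: STATE_BPF */
		/* the capture layer may hand back a larger snapshot length */
		i = pcap_snapshot(pd);
		if (snaplen < i) {
			warning("snaplen raised from %d to %d", snaplen, i);
			snaplen = i;
		}

		if (pcap_lookupnet(device, &localnet, &netmask, ebuf)) {
			warning("%s", ebuf);
			localnet = 0;
			netmask = 0;
		}
	}

	fcode = priv_pcap_setfilter(pd, Oflag, netmask);
	/* state: STATE_FILTER */
	if (fcode == NULL)
		error("%s", pcap_geterr(pd));
	if (dflag) {
		bpf_dump(fcode, dflag);
		exit(0);
	}
	init_addrtoname(localnet, netmask);

	setsignal(SIGTERM, cleanup);
	setsignal(SIGINT, cleanup);
	/* Cooperate with nohup(1) XXX is this still necessary/working? */
	if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
		(void)setsignal(SIGHUP, oldhandler);

	if (WFileName) {
		pcap_dumper_t *p;

		p = priv_pcap_dump_open(pd, WFileName);
		/* state: STATE_RUN */
		if (p == NULL)
			error("%s", pcap_geterr(pd));
		{
			/*
			 * Relies on pcap_dumper_t being a FILE underneath;
			 * the dump file is switched to unbuffered output.
			 */
			FILE *fp = (FILE *)p;	/* XXX touching pcap guts! */
			fflush(fp);
			setvbuf(fp, NULL, _IONBF, 0);
		}
		printer = pcap_dump;
		pcap_userdata = (u_char *)p;
	} else {
		printer = lookup_printer(pcap_datalink(pd));
		pcap_userdata = 0;
		/* no dump file to open: finish privsep setup explicitly */
		priv_init_done();
		/* state: STATE_RUN */
	}
	if (RFileName == NULL) {
		(void)fprintf(stderr, "%s: listening on %s\n",
		    program_name, device);
		(void)fflush(stderr);
	}

	if (oflag)
		oflag = init_pfosfp();
	if (tflag > 0)
		thiszone = gmt2local(0);


	if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
		(void)fprintf(stderr, "%s: pcap_loop: %s\n",
		    program_name, pcap_geterr(pd));
		exit(1);
	}
	pcap_close(pd);
	exit(0);
}

/*
 * make a clean exit on interrupts
 *
 * Installed by main() for SIGTERM, SIGINT and (conditionally) SIGHUP.
 * For a live capture it prints the pcap statistics with write(2) and
 * then leaves through _exit(), so no stdio buffers are flushed and no
 * atexit handlers run.
 *
 * NOTE(review): snprintf(), pcap_stats() and pcap_geterr() are called
 * from signal context; none of them is on the POSIX async-signal-safe
 * list, so this depends on the platform's implementations - confirm.
 */
RETSIGTYPE
cleanup(int signo)
{
	struct pcap_stat stat;
	char buf[1024];

	/* Can't print the summary if reading from a savefile */
	if (pd != NULL && pcap_file(pd) == NULL) {
#if 0
		(void)fflush(stdout);	/* XXX unsafe */
#endif
		(void)write(STDERR_FILENO, "\n", 1);
		if (pcap_stats(pd, &stat) < 0) {
			(void)snprintf(buf, sizeof buf,
			    "pcap_stats: %s\n", pcap_geterr(pd));
			write(STDOUT_FILENO, buf, strlen(buf));
		} else {
			(void)snprintf(buf, sizeof buf,
			    "%d packets received by filter\n", stat.ps_recv);
			write(STDOUT_FILENO, buf, strlen(buf));
			(void)snprintf(buf, sizeof buf,
			    "%d packets dropped by kernel\n", stat.ps_drop);
			write(STDOUT_FILENO, buf, strlen(buf));
		}
	}
	_exit(0);
}

/*
 * dump the buffer in `emacs-hexl' style
 *
 * Prints `length' bytes starting at `cp', 16 per output line: the
 * offset of the line (i + offset, in hex), the bytes as hex digits in
 * groups of two, then the same bytes as characters with non-printable
 * ones shown as '.'.  Each line is assembled in `ln' with strlcat(),
 * which bounds every append by sizeof ln.
 */
void
default_print_hexl(const u_char *cp, unsigned int length, unsigned int offset)
{
	unsigned int i, j, jm;
	int c;
	char ln[128], buf[128];

	printf("\n");
	for (i = 0; i < length; i += 0x10) {
		snprintf(ln, sizeof(ln), " %04x: ",
		    (unsigned int)(i + offset));
		/* number of bytes on this line: 16, or fewer on the last */
		jm = length - i;
		jm = jm > 16 ? 16 : jm;

		for (j = 0; j < jm; j++) {
			if ((j % 2) == 1)
				snprintf(buf, sizeof(buf), "%02x ",
				    (unsigned int)cp[i+j]);
			else
				snprintf(buf, sizeof(buf), "%02x",
				    (unsigned int)cp[i+j]);
			strlcat(ln, buf, sizeof ln);
		}
		for (; j < 16; j++) {
			/*
			 * Pad a short last line with exactly the width the
			 * missing hex cell would have taken ("%02x " is 3
			 * columns, "%02x" is 2) so that the character
			 * column stays aligned with the full lines.
			 */
			snprintf(buf, sizeof buf, "%*s",
			    (j % 2) == 1 ? 3 : 2, "");
			strlcat(ln, buf, sizeof ln);
		}

		strlcat(ln, " ", sizeof ln);
		for (j = 0; j < jm; j++) {
			c = cp[i+j];
			c = isprint(c) ? c : '.';
			buf[0] = c;
			buf[1] = '\0';
			strlcat(ln, buf, sizeof ln);
		}
		printf("%s\n", ln);
	}
}

/*
 * Like default_print() but data need not be aligned
 *
 * The buffer is read one byte at a time, so no alignment is required
 * of `cp'.  With -X the hexl dump is used instead.
 */
void
default_print_unaligned(register const u_char *cp, register u_int length)
{
	u_int i, s;
	int nshorts;

	if (Xflag) {
		/* dump the buffer in `emacs-hexl' style */
		default_print_hexl(cp, length, 0);
	} else {
		/* dump the buffer in old tcpdump style */
		nshorts = (u_int) length / sizeof(u_short);
		i = 0;
		while (--nshorts >= 0) {
			/* start a new output line every 8 groups */
			if ((i++ % 8) == 0)
				(void)printf("\n\t\t\t");
			s = *cp++;
			(void)printf(" %02x%02x", s, *cp++);
		}
		/* odd length: one trailing byte is left over */
		if (length & 1) {
			if ((i % 8) == 0)
				(void)printf("\n\t\t\t");
			(void)printf(" %02x", *cp);
		}
	}
}

/*
 * Hex-dump `length' bytes at `bp'.  With -X the hexl dump is used.
 * Otherwise the buffer is printed as 16-bit groups, 8 per line; a
 * buffer that starts on an odd address is handed to
 * default_print_unaligned() so that no u_short is read through a
 * misaligned pointer.
 */
void
default_print(register const u_char *bp, register u_int length)
{
	const u_short *sp;
	u_int i;
	int nshorts;

	if (Xflag) {
		/* dump the buffer in `emacs-hexl' style */
		default_print_hexl(bp, length, 0);
	} else {
		/* dump the buffer in old tcpdump style */
		if ((long)bp & 1) {
			default_print_unaligned(bp, length);
			return;
		}
		/* keep the const qualifier; the buffer is only read */
		sp = (const u_short *)bp;
		nshorts = (u_int) length / sizeof(u_short);
		i = 0;
		while (--nshorts >= 0) {
			if ((i++ % 8) == 0)
				(void)printf("\n\t\t\t");
			(void)printf(" %04x", ntohs(*sp++));
		}
		/* odd length: one trailing byte is left over */
		if (length & 1) {
			if ((i % 8) == 0)
				(void)printf("\n\t\t\t");
			(void)printf(" %02x", *(const u_char *)sp);
		}
	}
}

/*
 * Print the program and libpcap versions and the option summary to
 * stderr, then exit with status 1.  Does not return.
 */
__dead void
usage(void)
{
	extern char version[];
	extern char pcap_version[];

	(void)fprintf(stderr, "%s version %s\n", program_name, version);
	(void)fprintf(stderr, "libpcap version %s\n", pcap_version);
	(void)fprintf(stderr,
"Usage: %s [-adeflnNoOpqStvxX] [-c count] [-E [espalg:]espkey] [-F file]\n",
	    program_name);
	(void)fprintf(stderr,
"\t\t[-i interface] [-r file] [-s snaplen] [-T type] [-w file]\n");
	(void)fprintf(stderr,
"\t\t[expression]\n");
	exit(1);
}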