xref: /openbsd-src/usr.sbin/tcpdump/tcpdump.c (revision 78fec973f57e9fc9edd564490c79661460ad807b) 
1 /*	$OpenBSD: tcpdump.c,v 1.97 2022/07/09 23:24:44 halex Exp $	*/
2 
3 /*
4  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that: (1) source code distributions
9  * retain the above copyright notice and this paragraph in its entirety, (2)
10  * distributions including binary code include the above copyright notice and
11  * this paragraph in its entirety in the documentation or other materials
12  * provided with the distribution, and (3) all advertising materials mentioning
13  * features or use of this software display the following acknowledgement:
14  * ``This product includes software developed by the University of California,
15  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
16  * the University nor the names of its contributors may be used to endorse
17  * or promote products derived from this software without specific prior
18  * written permission.
19  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
20  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
21  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22  */
23 
24 /*
25  * tcpdump - monitor tcp/ip traffic on an ethernet.
26  *
27  * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory.
28  * Mercilessly hacked and occasionally improved since then via the
29  * combined efforts of Van, Steve McCanne and Craig Leres of LBL.
30  */
31 
32 #include <sys/types.h>
33 #include <sys/time.h>
34 #include <sys/ioctl.h>
35 #include <sys/wait.h>
36 
37 #include <netinet/in.h>
38 
39 #include <pcap.h>
40 #include <signal.h>
41 #include <stdio.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <unistd.h>
45 #include <limits.h>
46 #include <ctype.h>
47 #include <err.h>
48 #include <errno.h>
49 
50 #include "interface.h"
51 #include "addrtoname.h"
52 #include "setsignal.h"
53 #include "gmt2local.h"
54 
55 #include <sys/socket.h>
56 #include <net/if.h>
57 #include <net/pfvar.h>
58 #include "pfctl.h"
59 #include "pfctl_parser.h"
60 #include "privsep.h"
61 
62 int Aflag;			/* dump ascii */
63 int aflag;			/* translate network and broadcast addresses */
64 int Bflag = BPF_FILDROP_PASS;	/* BPF fildrop setting */
65 int dflag;			/* print filter code */
66 int eflag;			/* print ethernet header */
67 int fflag;			/* don't translate "foreign" IP address */
68 int Iflag;			/* include interface in output */
69 int Lflag;			/* List available link types */
70 int nflag;			/* leave addresses as numbers */
71 int Nflag;			/* remove domains from printed host names */
72 int Oflag = 1;			/* run filter code optimizer */
73 int oflag;			/* print passive OS fingerprints */
74 int pflag;			/* don't go promiscuous */
75 int qflag;			/* quick (shorter) output */
76 int Sflag;			/* print raw TCP sequence numbers */
77 int tflag = 1;			/* print packet arrival time */
78 int vflag;			/* verbose */
79 int xflag;			/* print packet in hex */
80 int Xflag;			/* print packet in emacs-hexl style */
81 
82 int packettype;
83 
84 char *program_name;
85 char *device = NULL;
86 
87 int32_t thiszone;		/* seconds offset from gmt to local time */
88 
89 extern volatile pid_t child_pid;
90 
91 /* Externs */
92 extern void bpf_dump(struct bpf_program *, int);
93 extern int esp_init(char *);
94 
95 /* Forwards */
96 void	cleanup(int);
97 void	gotchld(int);
98 extern __dead void usage(void);
99 
100 /* Length of saved portion of packet. */
101 int snaplen = 0;
102 
103 struct printer {
104 	pcap_handler f;
105 	int type;
106 };
107 
108 /* XXX needed if using old bpf.h */
109 #ifndef DLT_ATM_RFC1483
110 #define DLT_ATM_RFC1483 11
111 #endif
112 
113 static struct printer printers[] = {
114 	{ ether_if_print,		DLT_EN10MB },
115 	{ ether_if_print,		DLT_IEEE802 },
116 	{ sl_if_print,			DLT_SLIP },
117 	{ sl_bsdos_if_print,		DLT_SLIP_BSDOS },
118 	{ ppp_if_print,			DLT_PPP },
119 	{ ppp_hdlc_if_print,		DLT_PPP_SERIAL },
120 	{ fddi_if_print,		DLT_FDDI },
121 	{ null_if_print,		DLT_NULL },
122 	{ raw_if_print,			DLT_RAW },
123 	{ atm_if_print,			DLT_ATM_RFC1483 },
124 	{ loop_if_print,		DLT_LOOP },
125 	{ enc_if_print,			DLT_ENC },
126 	{ pflog_if_print,		DLT_PFLOG },
127 	{ pfsync_if_print,		DLT_PFSYNC },
128 	{ ppp_ether_if_print,		DLT_PPP_ETHER },
129 	{ ieee802_11_if_print,		DLT_IEEE802_11 },
130 	{ ieee802_11_radio_if_print,	DLT_IEEE802_11_RADIO },
131 	{ ofp_if_print,			DLT_OPENFLOW },
132 	{ usbpcap_if_print,		DLT_USBPCAP },
133 	{ NULL,				0 },
134 };
135 
136 static pcap_handler
137 lookup_printer(int type)
138 {
139 	struct printer *p;
140 
141 	for (p = printers; p->f; ++p) {
142 		if (type == p->type)
143 			return p->f;
144 	}
145 
146 	error("unknown data link type 0x%x", type);
147 	/* NOTREACHED */
148 }
149 
150 static int
151 init_pfosfp(void)
152 {
153 	pf_osfp_initialize();
154 	if (pfctl_file_fingerprints(-1,
155 	    PF_OPT_QUIET|PF_OPT_NOACTION, PF_OSFP_FILE) == 0)
156 		return 1;
157 	return 0;
158 }
159 
160 static pcap_t *pd;
161 
162 /* Multiple DLT support */
163 void		 pcap_list_linktypes(pcap_t *);
164 void		 pcap_print_linktype(u_int);
165 
166 void
167 pcap_print_linktype(u_int dlt)
168 {
169 	const char *name;
170 
171 	if ((name = pcap_datalink_val_to_name(dlt)) != NULL)
172 		fprintf(stderr, "%s\n", name);
173 	else
174 		fprintf(stderr, "<unknown: %u>\n", dlt);
175 }
176 
177 void
178 pcap_list_linktypes(pcap_t *p)
179 {
180 	int fd = p->fd;
181 	u_int n;
182 
183 #define MAXDLT	100
184 
185 	u_int dltlist[MAXDLT];
186 	struct bpf_dltlist dl = {MAXDLT, dltlist};
187 
188 	if (fd < 0)
189 		error("Invalid bpf descriptor");
190 
191 	if (ioctl(fd, BIOCGDLTLIST, &dl) == -1)
192 		err(1, "BIOCGDLTLIST");
193 
194 	if (dl.bfl_len > MAXDLT)
195 		error("Invalid number of linktypes: %u", dl.bfl_len);
196 
197 	fprintf(stderr, "%d link type%s supported:\n", dl.bfl_len,
198 	    dl.bfl_len == 1 ? "" : "s");
199 
200 	for (n = 0; n < dl.bfl_len; n++) {
201 		fprintf(stderr, "\t");
202 		pcap_print_linktype(dltlist[n]);
203 	}
204 }
205 
206 int
207 main(int argc, char **argv)
208 {
209 	int cnt = -1, op, i;
210 	bpf_u_int32 localnet, netmask;
211 	char *cp, *RFileName = NULL;
212 	char ebuf[PCAP_ERRBUF_SIZE], *WFileName = NULL;
213 	pcap_handler printer;
214 	struct bpf_program *fcode;
215 	u_char *pcap_userdata;
216 	u_int dirfilt = 0, dlt = (u_int) -1;
217 	const char *errstr;
218 
219 	if ((cp = strrchr(argv[0], '/')) != NULL)
220 		program_name = cp + 1;
221 	else
222 		program_name = argv[0];
223 
224 	/* '-P' used internally, exec privileged portion */
225 	if (argc >= 2 && strcmp("-P", argv[1]) == 0)
226 		priv_exec(argc, argv);
227 
228 	if (priv_init(argc, argv))
229 		error("Failed to setup privsep");
230 
231 	/* state: STATE_INIT */
232 
233 	opterr = 0;
234 	while ((op = getopt(argc, argv,
235 	    "AaB:c:D:deE:fF:i:IlLnNOopqr:s:StT:vw:xXy:")) != -1)
236 		switch (op) {
237 
238 		case 'A':
239 			xflag = 1;
240 			Aflag = 1;
241 			break;
242 
243 		case 'a':
244 			aflag = 1;
245 			break;
246 
247 		case 'B':
248 			if (strcasecmp(optarg, "pass") == 0)
249 				Bflag = BPF_FILDROP_PASS;
250 			else if (strcasecmp(optarg, "capture") == 0)
251 				Bflag = BPF_FILDROP_CAPTURE;
252 			else if (strcasecmp(optarg, "drop") == 0)
253 				Bflag = BPF_FILDROP_DROP;
254 			else {
255 				error("invalid BPF fildrop option: %s",
256 				    optarg);
257 			}
258 			break;
259 
260 		case 'c':
261 			cnt = strtonum(optarg, 1, INT_MAX, &errstr);
262 			if (errstr)
263 				error("invalid packet count %s: %s",
264 				    optarg, errstr);
265 			break;
266 
267 		case 'D':
268 			if (strcasecmp(optarg, "in") == 0)
269 				dirfilt = BPF_DIRECTION_OUT;
270 			else if (strcasecmp(optarg, "out") == 0)
271 				dirfilt = BPF_DIRECTION_IN;
272 			else
273 				error("invalid traffic direction %s", optarg);
274 			break;
275 
276 		case 'd':
277 			++dflag;
278 			break;
279 		case 'e':
280 			eflag = 1;
281 			break;
282 
283 		case 'f':
284 			fflag = 1;
285 			break;
286 
287 		case 'F':
288 			break;
289 
290 		case 'i':
291 			device = optarg;
292 			break;
293 
294 		case 'I':
295 			Iflag = 1;
296 			break;
297 
298 		case 'l':
299 			setvbuf(stdout, NULL, _IOLBF, 0);
300 			break;
301 		case 'L':
302 			Lflag = 1;
303 			break;
304 		case 'n':
305 			nflag = 1;
306 			break;
307 
308 		case 'N':
309 			Nflag = 1;
310 			break;
311 
312 		case 'O':
313 			Oflag = 0;
314 			break;
315 
316 		case 'o':
317 			oflag = 1;
318 			break;
319 
320 		case 'p':
321 			pflag = 1;
322 			break;
323 
324 		case 'q':
325 			qflag = 1;
326 			break;
327 
328 		case 'r':
329 			RFileName = optarg;
330 			break;
331 
332 		case 's':
333 			snaplen = strtonum(optarg, 1, INT_MAX, &errstr);
334 			if (errstr)
335 				error("invalid snaplen %s: %s", optarg, errstr);
336 			break;
337 
338 		case 'S':
339 			Sflag = 1;
340 			break;
341 
342 		case 't':
343 			--tflag;
344 			break;
345 
346 		case 'T':
347 			if (strcasecmp(optarg, "vat") == 0)
348 				packettype = PT_VAT;
349 			else if (strcasecmp(optarg, "wb") == 0)
350 				packettype = PT_WB;
351 			else if (strcasecmp(optarg, "rpc") == 0)
352 				packettype = PT_RPC;
353 			else if (strcasecmp(optarg, "rtp") == 0)
354 				packettype = PT_RTP;
355 			else if (strcasecmp(optarg, "rtcp") == 0)
356 				packettype = PT_RTCP;
357 			else if (strcasecmp(optarg, "cnfp") == 0)
358 				packettype = PT_CNFP;
359 			else if (strcasecmp(optarg, "vrrp") == 0)
360 				packettype = PT_VRRP;
361 			else if (strcasecmp(optarg, "tcp") == 0)
362 				packettype = PT_TCP;
363 			else if (strcasecmp(optarg, "gre") == 0)
364 				packettype = PT_GRE;
365 			else if (strcasecmp(optarg, "vxlan") == 0)
366 				packettype = PT_VXLAN;
367 			else if (strcasecmp(optarg, "geneve") == 0)
368 				packettype = PT_GENEVE;
369 			else if (strcasecmp(optarg, "erspan") == 0)
370 				packettype = PT_ERSPAN;
371 			else if (strcasecmp(optarg, "mpls") == 0)
372 				packettype = PT_MPLS;
373 			else if (strcasecmp(optarg, "tftp") == 0)
374 				packettype = PT_TFTP;
375 			else if (strcasecmp(optarg, "wg") == 0)
376 				packettype = PT_WIREGUARD;
377 			else if (strcasecmp(optarg, "sack") == 0)
378 				/*
379 				 * kept for compatibility; DEFAULT_SNAPLEN
380 				 * used to be too short to capture SACK.
381 				 */
382 				;
383 			else
384 				error("unknown packet type `%s'", optarg);
385 			break;
386 
387 		case 'v':
388 			++vflag;
389 			break;
390 
391 		case 'w':
392 			WFileName = optarg;
393 			break;
394 
395 		case 'y':
396 			i = pcap_datalink_name_to_val(optarg);
397 			if (i < 0)
398 				error("invalid data link type: %s", optarg);
399 			dlt = (u_int)i;
400 			break;
401 
402 		case 'x':
403 			xflag = 1;
404 			break;
405 
406 		case 'X':
407 			Xflag = 1;
408 			xflag = 1;
409 			break;
410 
411 		case 'E':
412 			if (esp_init(optarg) < 0)
413 				error("bad esp specification `%s'", optarg);
414 			break;
415 
416 		default:
417 			usage();
418 			/* NOTREACHED */
419 		}
420 
421 	if (snaplen == 0) {
422 		switch (dlt) {
423 		case DLT_IEEE802_11:
424 			snaplen = IEEE802_11_SNAPLEN;
425 			break;
426 		case DLT_IEEE802_11_RADIO:
427 			snaplen = IEEE802_11_RADIO_SNAPLEN;
428 			break;
429 		default:
430 			snaplen = DEFAULT_SNAPLEN;
431 			break;
432 		}
433 	}
434 
435 	if (aflag && nflag)
436 		error("-a and -n options are incompatible");
437 
438 	if (RFileName != NULL) {
439 		pd = priv_pcap_offline(RFileName, ebuf);
440 		if (pd == NULL)
441 			error("%s", ebuf);
442 		/* state: STATE_BPF */
443 		localnet = 0;
444 		netmask = 0;
445 		if (fflag != 0)
446 			error("-f and -r options are incompatible");
447 	} else {
448 		if (device == NULL) {
449 			device = pcap_lookupdev(ebuf);
450 			if (device == NULL)
451 				error("%s", ebuf);
452 		}
453 		pd = priv_pcap_live(device, snaplen, !pflag, 1000, ebuf,
454 		    dlt, dirfilt, Bflag);
455 		if (pd == NULL)
456 			error("%s", ebuf);
457 
458 		/* state: STATE_BPF */
459 		if (pcap_lookupnet(device, &localnet, &netmask, ebuf)) {
460 			if (fflag)
461 				warning("%s", ebuf);
462 			localnet = 0;
463 			netmask = 0;
464 		}
465 	}
466 	i = pcap_snapshot(pd);
467 	if (snaplen < i) {
468 		warning("snaplen raised from %d to %d", snaplen, i);
469 		snaplen = i;
470 	}
471 
472 	if (Lflag) {
473 		pcap_list_linktypes(pd);
474 		exit(0);
475 	}
476 
477 	fcode = priv_pcap_setfilter(pd, Oflag, netmask);
478 	/* state: STATE_FILTER */
479 	if (fcode == NULL)
480 		error("%s", pcap_geterr(pd));
481 	if (dflag) {
482 		bpf_dump(fcode, dflag);
483 		exit(0);
484 	}
485 	if (oflag)
486 		oflag = init_pfosfp();
487 	init_addrtoname(localnet, netmask);
488 
489 	if (WFileName) {
490 		pcap_dumper_t *p;
491 
492 		p = priv_pcap_dump_open(pd, WFileName);
493 		/* state: STATE_RUN */
494 		if (p == NULL)
495 			error("%s", pcap_geterr(pd));
496 		{
497 			FILE *fp = (FILE *)p;	/* XXX touching pcap guts! */
498 			fflush(fp);
499 			setvbuf(fp, NULL, _IONBF, 0);
500 		}
501 		printer = pcap_dump;
502 		pcap_userdata = (u_char *)p;
503 	} else {
504 		printer = lookup_printer(pcap_datalink(pd));
505 		pcap_userdata = NULL;
506 		priv_init_done();
507 		/* state: STATE_RUN */
508 	}
509 	if (RFileName == NULL) {
510 		(void)fprintf(stderr, "%s: listening on %s, link-type ",
511 		    program_name, device);
512 		pcap_print_linktype(pd->linktype);
513 		(void)fflush(stderr);
514 	}
515 
516 	if (tflag > 0)
517 		thiszone = gmt2local(0);
518 
519 	if (pledge("stdio", NULL) == -1)
520 		err(1, "pledge");
521 
522 	if (pcap_loop(pd, cnt, printer, pcap_userdata) < 0) {
523 		(void)fprintf(stderr, "%s: pcap_loop: %s\n",
524 		    program_name, pcap_geterr(pd));
525 		exit(1);
526 	}
527 	pcap_close(pd);
528 	exit(0);
529 }
530 
531 /* make a clean exit on interrupts */
532 void
533 cleanup(int signo)
534 {
535 	struct pcap_stat stat;
536 	sigset_t allsigs;
537 
538 	sigfillset(&allsigs);
539 	sigprocmask(SIG_BLOCK, &allsigs, NULL);
540 
541 	/* Can't print the summary if reading from a savefile */
542 	dprintf(STDERR_FILENO, "\n");
543 	if (pd != NULL && pcap_file(pd) == NULL) {
544 		if (priv_pcap_stats(&stat) < 0) {
545 			dprintf(STDERR_FILENO,
546 			    "pcap_stats: %s\n", pcap_geterr(pd));
547 		} else {
548 			dprintf(STDERR_FILENO,
549 			    "%u packets received by filter\n", stat.ps_recv);
550 			dprintf(STDERR_FILENO,
551 			    "%u packets dropped by kernel\n", stat.ps_drop);
552 		}
553 	}
554 	_exit(0);
555 }
556 
557 void
558 gotchld(int signo)
559 {
560 	pid_t pid;
561 	int status;
562 	int save_err = errno;
563 
564 	do {
565 		pid = waitpid(child_pid, &status, WNOHANG);
566 		if (pid > 0 && (WIFEXITED(status) || WIFSIGNALED(status)))
567 			cleanup(0);
568 	} while (pid == -1 && errno == EINTR);
569 
570 	if (pid == -1)
571 		_exit(1);
572 
573 	errno = save_err;
574 }
575 
576 /* dump the buffer in `emacs-hexl' style */
577 void
578 default_print_hexl(const u_char *cp, unsigned int length)
579 {
580 	unsigned int i, j, jm;
581 	int c;
582 	char ln[128], buf[128];
583 
584 	printf("\n");
585 	for (i = 0; i < length; i += 0x10) {
586 		snprintf(ln, sizeof(ln), "  %04x: ", (unsigned int)i);
587 		jm = length - i;
588 		jm = jm > 16 ? 16 : jm;
589 
590 		for (j = 0; j < jm; j++) {
591 			if ((j % 2) == 1)
592 				snprintf(buf, sizeof(buf), "%02x ",
593 				    (unsigned int)cp[i+j]);
594 			else
595 				snprintf(buf, sizeof(buf), "%02x",
596 				    (unsigned int)cp[i+j]);
597 			strlcat(ln, buf, sizeof ln);
598 		}
599 		for (; j < 16; j++) {
600 			if ((j % 2) == 1)
601 				snprintf(buf, sizeof buf, "   ");
602 			else
603 				snprintf(buf, sizeof buf, "  ");
604 			strlcat(ln, buf, sizeof ln);
605 		}
606 
607 		strlcat(ln, " ", sizeof ln);
608 		for (j = 0; j < jm; j++) {
609 			c = cp[i+j];
610 			c = isprint(c) ? c : '.';
611 			buf[0] = c;
612 			buf[1] = '\0';
613 			strlcat(ln, buf, sizeof ln);
614 		}
615 		printf("%s\n", ln);
616 	}
617 }
618 
619 /* dump the text from the buffer */
620 void
621 default_print_ascii(const u_char *cp, unsigned int length)
622 {
623 	int c, i;
624 
625 	printf("\n");
626 	for (i = 0; i < length; i++) {
627 		c = cp[i];
628 		if (isprint(c) || c == '\t' || c == '\n' || c == '\r')
629 			putchar(c);
630 		else
631 			putchar('.');
632 	}
633 }
634 
635 /* Like default_print() but data need not be aligned */
636 void
637 default_print_unaligned(const u_char *cp, u_int length)
638 {
639 	u_int i, s;
640 	int nshorts;
641 
642 	if (Xflag) {
643 		/* dump the buffer in `emacs-hexl' style */
644 		default_print_hexl(cp, length);
645 	} else if (Aflag) {
646 		/* dump the text in the buffer */
647 		default_print_ascii(cp, length);
648 	} else {
649 		/* dump the buffer in old tcpdump style */
650 		nshorts = (u_int) length / sizeof(u_short);
651 		i = 0;
652 		while (--nshorts >= 0) {
653 			if ((i++ % 8) == 0)
654 				printf("\n\t\t\t");
655 			s = *cp++;
656 			printf(" %02x%02x", s, *cp++);
657 		}
658 		if (length & 1) {
659 			if ((i % 8) == 0)
660 				printf("\n\t\t\t");
661 			printf(" %02x", *cp);
662 		}
663 	}
664 }
665 
666 void
667 default_print(const u_char *bp, u_int length)
668 {
669 	const u_short *sp;
670 	u_int i;
671 	int nshorts;
672 
673 	if (Xflag) {
674 		/* dump the buffer in `emacs-hexl' style */
675 		default_print_hexl(bp, length);
676 	} else if (Aflag) {
677 		/* dump the text in the buffer */
678 		default_print_ascii(bp, length);
679 	} else {
680 		/* dump the buffer in old tcpdump style */
681 		if ((long)bp & 1) {
682 			default_print_unaligned(bp, length);
683 			return;
684 		}
685 		sp = (u_short *)bp;
686 		nshorts = (u_int) length / sizeof(u_short);
687 		i = 0;
688 		while (--nshorts >= 0) {
689 			if ((i++ % 8) == 0)
690 				printf("\n\t\t\t");
691 			printf(" %04x", ntohs(*sp++));
692 		}
693 		if (length & 1) {
694 			if ((i % 8) == 0)
695 				printf("\n\t\t\t");
696 			printf(" %02x", *(u_char *)sp);
697 		}
698 	}
699 }
700 
701 void
702 set_slave_signals(void)
703 {
704 	setsignal(SIGTERM, cleanup);
705 	setsignal(SIGINT, cleanup);
706 	setsignal(SIGCHLD, gotchld);
707 	setsignal(SIGHUP, cleanup);
708 }
709 
710 __dead void
711 usage(void)
712 {
713 	(void)fprintf(stderr,
714 "Usage: %s [-AadefILlNnOopqStvXx] [-B fildrop] [-c count] [-D direction]\n",
715 	    program_name);
716 	(void)fprintf(stderr,
717 "\t       [-E [espalg:]espkey] [-F file] [-i interface] [-r file]\n");
718 	(void)fprintf(stderr,
719 "\t       [-s snaplen] [-T type] [-w file] [-y datalinktype] [expression]\n");
720 	exit(1);
721 }
722