diff options
Diffstat (limited to 'capture/capture-pcap-util.c')
-rw-r--r-- | capture/capture-pcap-util.c | 1826 |
1 files changed, 1826 insertions, 0 deletions
diff --git a/capture/capture-pcap-util.c b/capture/capture-pcap-util.c new file mode 100644 index 00000000..ac54bb36 --- /dev/null +++ b/capture/capture-pcap-util.c @@ -0,0 +1,1826 @@ +/* capture-pcap-util.c + * Utility routines for packet capture + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" +#define WS_LOG_DOMAIN LOG_DOMAIN_CAPCHILD + +#ifdef HAVE_LIBPCAP + +#include <wireshark.h> + +#include <stdlib.h> +#include <stdio.h> +#include <limits.h> +#include <string.h> + +#include <sys/types.h> + +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif + +#ifdef __APPLE__ +#include <dlfcn.h> +#endif + +#include "ws_attributes.h" + +/* + * Linux bonding devices mishandle unknown ioctls; they fail + * with ENODEV rather than ENOTSUP, EOPNOTSUPP, or ENOTTY, + * so pcap_can_set_rfmon() returns a "no such device" indication + * if we try to do SIOCGIWMODE on them. + * + * So, on Linux, we check for bonding devices, if we can, before + * trying pcap_can_set_rfmon(), as pcap_can_set_rfmon() will + * end up trying SIOCGIWMODE on the device if that ioctl exists. + */ +#if defined(HAVE_PCAP_CREATE) && defined(__linux__) + +#include <sys/ioctl.h> + +/* + * If we're building for a Linux version that supports bonding, + * HAVE_BONDING will be defined. + */ + +#ifdef HAVE_LINUX_SOCKIOS_H +#include <linux/sockios.h> +#endif + +#ifdef HAVE_LINUX_IF_BONDING_H +#include <linux/if_bonding.h> +#endif + +#if defined(BOND_INFO_QUERY_OLD) || defined(SIOCBONDINFOQUERY) +#define HAVE_BONDING +#endif + +#endif /* defined(HAVE_PCAP_CREATE) && defined(__linux__) */ + +#include "capture/capture_ifinfo.h" +#include "capture/capture-pcap-util.h" +#include "capture/capture-pcap-util-int.h" +#ifdef _WIN32 +#include "capture/capture-wpcap.h" +#else +#define ws_pcap_findalldevs_ex pcap_findalldevs_ex +#endif + +#include <wsutil/file_util.h> +#include <wsutil/please_report_bug.h> +#include <wsutil/wslog.h> + +#ifndef _WIN32 +#include <netinet/in.h> +#else +#include <ws2tcpip.h> +#endif + +#ifdef _WIN32 +#include "capture/capture_win_ifnames.h" /* windows friendly interface names */ +#endif + +#if defined(__FreeBSD__) || defined(__OpenBSD__) +/* + * Needed for the code to get a device description. + */ +#include <errno.h> +#include <net/if.h> +#include <sys/sockio.h> +#include <sys/ioctl.h> +#endif + +/* + * Given an interface name, find the "friendly name" and interface + * type for the interface. + */ + +#if defined(HAVE_MACOS_FRAMEWORKS) + +#include <CoreFoundation/CoreFoundation.h> +#include <SystemConfiguration/SystemConfiguration.h> + +#include <wsutil/cfutils.h> + +/* + * On macOS, we get the "friendly name" and interface type for the interface + * from the System Configuration framework. + * + * To find the System Configuration framework information for the + * interface, we get all the interfaces that the System Configuration + * framework knows about and look for the one with a "BSD name" matching + * the interface name. + * + * If we find it, we use its "localized display name", if it has one, as + * the "friendly name". + * + * As for the interface type: + * + * Yes, fetching all the network addresses for an interface gets you an + * AF_LINK address, of type "struct sockaddr_dl", and, yes, that includes + * an SNMP MIB-II ifType value. + * + * However, it's IFT_ETHER, i.e. Ethernet, for AirPort interfaces, + * not IFT_IEEE80211 (which isn't defined in macOS in any case). + * + * Perhaps some other BSD-flavored OSes won't make this mistake; + * however, FreeBSD 7.0 and OpenBSD 4.2, at least, appear to have + * made the same mistake, at least for my Belkin ZyDAS stick. + * + * SCNetworkInterfaceGetInterfaceType() will get the interface + * type. The interface type is a CFString, and: + * + * kSCNetworkInterfaceTypeIEEE80211 means IF_WIRELESS; + * kSCNetworkInterfaceTypeBluetooth means IF_BLUETOOTH; + * kSCNetworkInterfaceTypeModem or + * kSCNetworkInterfaceTypePPP or + * maybe kSCNetworkInterfaceTypeWWAN means IF_DIALUP + */ +static void +add_unix_interface_ifinfo(if_info_t *if_info, const char *name, + const char *description _U_) +{ + CFStringRef name_CFString; + CFArrayRef interfaces; + CFIndex num_interfaces; + CFIndex i; + SCNetworkInterfaceRef interface; + CFStringRef bsdname_CFString; + CFStringRef friendly_name_CFString; + CFStringRef interface_type_CFString; + + interfaces = SCNetworkInterfaceCopyAll(); + if (interfaces == NULL) { + /* + * Couldn't get a list of interfaces. + */ + return; + } + + name_CFString = CFStringCreateWithCString(kCFAllocatorDefault, + name, kCFStringEncodingUTF8); + if (name_CFString == NULL) { + /* + * Couldn't convert the interface name to a CFString. + */ + CFRelease(interfaces); + return; + } + + num_interfaces = CFArrayGetCount(interfaces); + for (i = 0; i < num_interfaces; i++) { + interface = (SCNetworkInterfaceRef)CFArrayGetValueAtIndex(interfaces, i); + bsdname_CFString = SCNetworkInterfaceGetBSDName(interface); + if (bsdname_CFString == NULL) { + /* + * This interface has no BSD name, so it's not + * a regular network interface. + */ + continue; + } + if (CFStringCompare(name_CFString, bsdname_CFString, 0) == 0) { + /* + * This is the interface. + * First, get the friendly name. + */ + friendly_name_CFString = SCNetworkInterfaceGetLocalizedDisplayName(interface); + if (friendly_name_CFString != NULL) + if_info->friendly_name = CFString_to_C_string(friendly_name_CFString); + + /* + * Now get the interface type. + */ + interface_type_CFString = SCNetworkInterfaceGetInterfaceType(interface); + if (CFStringCompare(interface_type_CFString, + kSCNetworkInterfaceTypeIEEE80211, 0) == kCFCompareEqualTo) + if_info->type = IF_WIRELESS; + else if (CFStringCompare(interface_type_CFString, + kSCNetworkInterfaceTypeBluetooth, 0) == kCFCompareEqualTo) + if_info->type = IF_BLUETOOTH; + else if (CFStringCompare(interface_type_CFString, + kSCNetworkInterfaceTypeModem, 0) == kCFCompareEqualTo) + if_info->type = IF_DIALUP; + else if (CFStringCompare(interface_type_CFString, + kSCNetworkInterfaceTypePPP, 0) == kCFCompareEqualTo) + if_info->type = IF_DIALUP; + else if (CFStringCompare(interface_type_CFString, + kSCNetworkInterfaceTypeWWAN, 0) == kCFCompareEqualTo) + if_info->type = IF_DIALUP; + else + if_info->type = IF_WIRED; + break; + } + } + + CFRelease(interfaces); + CFRelease(name_CFString); +} +#elif defined(__linux__) +/* + * Linux doesn't offer any form of "friendly name", but you can + * determine an interface type to some degree. + */ +static void +add_unix_interface_ifinfo(if_info_t *if_info, const char *name, + const char *description _U_) +{ + char *wireless_path; + ws_statb64 statb; + + /* + * Look for /sys/class/net/{device}/wireless. If it exists, + * it's a wireless interface. + */ + wireless_path = ws_strdup_printf("/sys/class/net/%s/wireless", name); + if (wireless_path != NULL) { + if (ws_stat64(wireless_path, &statb) == 0) + if_info->type = IF_WIRELESS; + g_free(wireless_path); + } + if (if_info->type == IF_WIRED) { + /* + * We still don't know what it is. Check for + * Bluetooth and USB devices. + */ + if (strstr(name, "bluetooth") != NULL) { + /* + * XXX - this is for raw Bluetooth capture; what + * about IP-over-Bluetooth devices? + */ + if_info->type = IF_BLUETOOTH; + } else if (strstr(name, "usbmon") != NULL) + if_info->type = IF_USB; + } +} +#elif !defined(_WIN32) +/* + * On other UN*Xes, if there is a description, it's a friendly + * name, and there is no vendor description. ("Other UN*Xes" + * currently means "FreeBSD and OpenBSD".) + */ +static void +add_unix_interface_ifinfo(if_info_t *if_info, const char *name _U_, + const char *description) +{ + if_info->friendly_name = g_strdup(description); +} +#endif + +if_info_t * +if_info_get(const char *name) +{ + char *description = NULL; + if_info_t *if_info; +#ifdef SIOCGIFDESCR + /* + * Try to fetch the description of this interface. + * XXX - this is only here because libpcap has no API to + * get the description of a *single* interface; it really + * needs both an API to get pcapng-IDB-style attributes + * for a single interface and to get a list of interfaces + * with pcapng-IDB-style attributes for each interface. + */ + int s; + struct ifreq ifrdesc; +#ifndef IFDESCRSIZE + size_t descrlen = 64; +#else + size_t descrlen = IFDESCRSIZE; +#endif /* IFDESCRSIZE */ + + /* + * Get the description for the interface. + */ + memset(&ifrdesc, 0, sizeof ifrdesc); + (void) g_strlcpy(ifrdesc.ifr_name, name, sizeof ifrdesc.ifr_name); + s = socket(AF_INET, SOCK_DGRAM, 0); + if (s >= 0) { +#ifdef __FreeBSD__ + /* + * On FreeBSD, if the buffer isn't big enough for the + * description, the ioctl succeeds, but the description + * isn't copied, ifr_buffer.length is set to the description + * length, and ifr_buffer.buffer is set to NULL. + */ + for (;;) { + g_free(description); + if ((description = (char*)g_malloc(descrlen)) != NULL) { + ifrdesc.ifr_buffer.buffer = description; + ifrdesc.ifr_buffer.length = descrlen; + if (ioctl(s, SIOCGIFDESCR, &ifrdesc) == 0) { + if (ifrdesc.ifr_buffer.buffer == + description) + break; + else + descrlen = ifrdesc.ifr_buffer.length; + } else { + /* + * Failed to get interface description. + */ + g_free(description); + description = NULL; + break; + } + } else + break; + } +#else /* __FreeBSD__ */ + /* + * The only other OS that currently supports + * SIOCGIFDESCR is OpenBSD, and it has no way + * to get the description length - it's clamped + * to a maximum of IFDESCRSIZE. + */ + if ((description = (char*)g_malloc(descrlen)) != NULL) { + ifrdesc.ifr_data = (caddr_t)description; + if (ioctl(s, SIOCGIFDESCR, &ifrdesc) != 0) { + /* + * Failed to get interface description. + */ + g_free(description); + description = NULL; + } + } +#endif /* __FreeBSD__ */ + close(s); + if (description != NULL && strlen(description) == 0) { + /* + * Description is empty, so discard it. + */ + g_free(description); + description = NULL; + } + } + +#ifdef __FreeBSD__ + /* + * For FreeBSD, if we didn't get a description, and this is + * a device with a name of the form usbusN, label it as a USB + * bus. + */ + if (description == NULL) { + if (strncmp(name, "usbus", 5) == 0) { + /* + * OK, it begins with "usbus". + */ + long busnum; + char *p; + + errno = 0; + busnum = strtol(name + 5, &p, 10); + if (errno == 0 && p != name + 5 && *p == '\0' && + busnum >= 0 && busnum <= INT_MAX) { + /* + * OK, it's a valid number that's not + * bigger than INT_MAX. Construct + * a description from it. + */ + static const char descr_prefix[] = "USB bus number "; + size_t descr_size; + + /* + * Allow enough room for a 32-bit bus number. + * sizeof (descr_prefix) includes the + * terminating NUL. + */ + descr_size = sizeof (descr_prefix) + 10; + description = g_malloc(descr_size); + if (description != NULL) { + snprintf(description, descr_size, + "%s%ld", descr_prefix, busnum); + } + } + } + } +#endif /* __FreeBSD__ */ +#endif /* SIOCGIFDESCR */ + if_info = if_info_new(name, description, false); + g_free(description); + return if_info; +} + +void +if_info_free(if_info_t *if_info) +{ + g_free(if_info->name); + g_free(if_info->friendly_name); + g_free(if_info->vendor_description); + g_free(if_info->extcap); + g_slist_free_full(if_info->addrs, g_free); + g_free(if_info); +} + +if_info_t * +if_info_new(const char *name, const char *description, bool loopback) +{ + if_info_t *if_info; +#ifdef _WIN32 + const char *guid_text; + GUID guid; +#endif + + if_info = g_new(if_info_t, 1); + if_info->name = g_strdup(name); + if_info->friendly_name = NULL; /* default - unknown */ + if_info->vendor_description = NULL; + if_info->type = IF_WIRED; /* default */ + if_info->extcap = g_strdup(""); +#ifdef _WIN32 + /* + * Get the interface type. + * + * Much digging failed to reveal any obvious way to get something + * such as the SNMP MIB-II ifType value for an interface: + * + * https://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib + * + * by making some NDIS request. And even if there were such + * a way, there's no guarantee that the ifType reflects an + * interface type that a user would view as correct (for + * example, some systems report Wi-Fi interfaces as + * Ethernet interfaces). + * + * So we look for keywords in the vendor's interface + * description. + */ + if (description && (strstr(description, "generic dialup") != NULL || + strstr(description, "PPP/SLIP") != NULL)) { + if_info->type = IF_DIALUP; + } else if (description && (strstr(description, "Wireless") != NULL || + strstr(description,"802.11") != NULL)) { + if_info->type = IF_WIRELESS; + } else if (description && (strstr(description, "AirPcap") != NULL || + strstr(name, "airpcap") != NULL)) { + if_info->type = IF_AIRPCAP; + } else if (description && strstr(description, "Bluetooth") != NULL ) { + if_info->type = IF_BLUETOOTH; + } else if (description && strstr(description, "VMware") != NULL) { + /* + * Bridge, NAT, or host-only interface on a VMware host. + * + * XXX - what about guest interfaces? + */ + if_info->type = IF_VIRTUAL; + } + + /* + * On Windows, the "description" is a vendor description, + * and the friendly name isn't returned by Npcap/WinPcap. + * Fetch it ourselves. + */ + + /* + * Skip over the "\Device\NPF_" prefix in the device name, + * if present. + */ + if (strncmp("\\Device\\NPF_", name, 12) == 0) + guid_text = name + 12; + else + guid_text = name; + + /* Now try to parse what remains as a GUID. */ + if (parse_as_guid(guid_text, &guid)) { + /* + * Success. Try to get a friendly name using the GUID. + * As this is a regular interface, the description is a + * vendor description. + */ + if_info->friendly_name = get_interface_friendly_name_from_device_guid(&guid); + if_info->vendor_description = g_strdup(description); + } else { + /* + * This is probably not a regular interface; we only + * support NT 5 (W2K) and later, so all regular interfaces + * should have GUIDs at the end of the name. Therefore, + * the description, if supplied, is a friendly name + * provided by WinPcap, and there is no vendor + * description. + */ + if_info->friendly_name = g_strdup(description); + if_info->vendor_description = NULL; + } +#else + /* + * On UN*X, if there is a description, it's a friendly + * name, and there is no vendor description. + * + * Try the platform's way of getting a friendly name and + * interface type first. + * + * If that fails, then, for a loopback interface, give it the + * friendly name "Loopback" and, for VMware interfaces, + * give them the type IF_VIRTUAL. + */ + add_unix_interface_ifinfo(if_info, name, description); + if (if_info->type == IF_WIRED) { + /* + * This is the default interface type. + * + * Bridge, NAT, or host-only interfaces on VMWare hosts + * have the name vmnet[0-9]+. Guests might use a native + * (LANCE or E1000) driver or the vmxnet driver. Check + * the name. + */ + if (g_ascii_strncasecmp(name, "vmnet", 5) == 0) + if_info->type = IF_VIRTUAL; + else if (g_ascii_strncasecmp(name, "vmxnet", 6) == 0) + if_info->type = IF_VIRTUAL; + } + if (if_info->friendly_name == NULL) { + /* + * We couldn't get interface information using platform- + * dependent calls. + * + * If this is a loopback interface, give it a + * "friendly name" of "Loopback". + */ + if (loopback) + if_info->friendly_name = g_strdup("Loopback"); + } + if_info->vendor_description = NULL; +#endif + if_info->loopback = loopback; + if_info->addrs = NULL; + return if_info; +} + +void +if_info_add_address(if_info_t *if_info, struct sockaddr *addr) +{ + if_addr_t *if_addr; + struct sockaddr_in *ai; + struct sockaddr_in6 *ai6; + + switch (addr->sa_family) { + + case AF_INET: + ai = (struct sockaddr_in *)(void *)addr; + if_addr = (if_addr_t *)g_malloc(sizeof(*if_addr)); + if_addr->ifat_type = IF_AT_IPv4; + if_addr->addr.ip4_addr = ai->sin_addr.s_addr; + if_info->addrs = g_slist_prepend(if_info->addrs, if_addr); + break; + + case AF_INET6: + ai6 = (struct sockaddr_in6 *)(void *)addr; + if_addr = (if_addr_t *)g_malloc(sizeof(*if_addr)); + if_addr->ifat_type = IF_AT_IPv6; + memcpy((void *)&if_addr->addr.ip6_addr, + (void *)&ai6->sin6_addr.s6_addr, + sizeof if_addr->addr.ip6_addr); + if_info->addrs = g_slist_prepend(if_info->addrs, if_addr); + break; + } +} + +/* + * Get all IP address information for the given interface. + */ +static void +if_info_ip(if_info_t *if_info, pcap_if_t *d) +{ + pcap_addr_t *a; + + /* All addresses */ + for (a = d->addresses; a != NULL; a = a->next) { + if (a->addr != NULL) + if_info_add_address(if_info, a->addr); + } + + if(if_info->addrs){ + if_info->addrs = g_slist_reverse(if_info->addrs); + } +} + +#ifdef HAVE_PCAP_REMOTE +GList * +get_interface_list_findalldevs_ex(const char *hostname, const char *port, + int auth_type, const char *username, + const char *passwd, int *err, char **err_str) +{ + char source[PCAP_BUF_SIZE]; + struct pcap_rmtauth auth; + GList *il = NULL; + pcap_if_t *alldevs, *dev; + if_info_t *if_info; + /* + * WinPcap can overflow PCAP_ERRBUF_SIZE if the host is unreachable. + * Fudge a larger size. + */ + char errbuf[PCAP_ERRBUF_SIZE*4]; + + if (pcap_createsrcstr(source, PCAP_SRC_IFREMOTE, hostname, port, + NULL, errbuf) == -1) { + *err = CANT_GET_INTERFACE_LIST; + if (strcmp(errbuf, "not supported") == 0) { + /* + * macOS 14's pcap_createsrcstr(), which is a + * stub that always returns -1 with an error + * message of "not supported". + * + * In this case, as we passed it an rpcap:// + * URL, treat that as meaning "remote capture + * not supported". + */ + g_strlcpy(errbuf, "Remote capture not supported", + PCAP_ERRBUF_SIZE); + } + if (err_str != NULL) + *err_str = cant_get_if_list_error_message(errbuf); + return NULL; + } + + auth.type = auth_type; + auth.username = g_strdup(username); + auth.password = g_strdup(passwd); + + if (ws_pcap_findalldevs_ex(source, &auth, &alldevs, errbuf) == -1) { + *err = CANT_GET_INTERFACE_LIST; + if (strcmp(errbuf, "not supported") == 0) { + /* + * macOS 14's pcap_findalldevs_ex(), which is a + * stub that always returns -1 with an error + * message of "not supported". + * + * In this case, as we passed it an rpcap:// + * URL, treat that as meaning "remote capture + * not supported". + */ + g_strlcpy(errbuf, "Remote capture not supported", + PCAP_ERRBUF_SIZE); + } + if (err_str != NULL) + *err_str = cant_get_if_list_error_message(errbuf); + g_free(auth.username); + g_free(auth.password); + return NULL; + } + + if (alldevs == NULL) { + /* + * No interfaces found. + */ + *err = 0; + if (err_str != NULL) + *err_str = NULL; + g_free(auth.username); + g_free(auth.password); + return NULL; + } + + for (dev = alldevs; dev != NULL; dev = dev->next) { + if_info = if_info_new(dev->name, dev->description, + (dev->flags & PCAP_IF_LOOPBACK) ? true : false); + il = g_list_append(il, if_info); + if_info_ip(if_info, dev); + } + pcap_freealldevs(alldevs); + g_free(auth.username); + g_free(auth.password); + + return il; +} +#endif + +GList * +get_interface_list_findalldevs(int *err, char **err_str) +{ + GList *il = NULL; + pcap_if_t *alldevs, *dev; + if_info_t *if_info; + char errbuf[PCAP_ERRBUF_SIZE]; + + if (pcap_findalldevs(&alldevs, errbuf) == -1) { + *err = CANT_GET_INTERFACE_LIST; + if (err_str != NULL) + *err_str = cant_get_if_list_error_message(errbuf); + return NULL; + } + + if (alldevs == NULL) { + /* + * No interfaces found. + */ + *err = 0; + if (err_str != NULL) + *err_str = NULL; + return NULL; + } + + for (dev = alldevs; dev != NULL; dev = dev->next) { + if_info = if_info_new(dev->name, dev->description, + (dev->flags & PCAP_IF_LOOPBACK) ? true : false); + il = g_list_append(il, if_info); + if_info_ip(if_info, dev); + } + pcap_freealldevs(alldevs); + + return il; +} + +static void +free_if_cb(void * data, void * user_data _U_) +{ + if_info_free((if_info_t *)data); +} + +void +free_interface_list(GList *if_list) +{ + g_list_foreach(if_list, free_if_cb, NULL); + g_list_free(if_list); +} + +static void +free_linktype_cb(void * data, void * user_data _U_) +{ + data_link_info_t *linktype_info = (data_link_info_t *)data; + + g_free(linktype_info->name); + g_free(linktype_info->description); + g_free(linktype_info); +} + +static void +free_timestamp_cb(void * data, void * user_data _U_) +{ + timestamp_info_t *timestamp_info = (timestamp_info_t *)data; + + g_free(timestamp_info->name); + g_free(timestamp_info->description); + g_free(data); +} + +void +free_if_capabilities(if_capabilities_t *caps) +{ + g_list_foreach(caps->data_link_types, free_linktype_cb, NULL); + g_list_free(caps->data_link_types); + + g_list_foreach(caps->timestamp_types, free_timestamp_cb, NULL); + g_list_free(caps->timestamp_types); + + g_free(caps); +} + +const char * +linktype_val_to_name(int dlt) +{ + return pcap_datalink_val_to_name(dlt); +} + +int +linktype_name_to_val(const char *linktype) +{ + return pcap_datalink_name_to_val(linktype); +} + +/* + * Get the data-link type for a libpcap device. + * This works around AIX 5.x's non-standard and incompatible-with-the- + * rest-of-the-universe libpcap. + */ +int +get_pcap_datalink(pcap_t *pch, +#ifdef _AIX + const char* devicename +#else + const char* devicename _U_ +#endif + ) +{ + int datalink; +#ifdef _AIX + const char *ifacename; +#endif + + datalink = pcap_datalink(pch); +#ifdef _AIX + + /* + * The libpcap that comes with AIX 5.x uses RFC 1573 ifType values + * rather than DLT_ values for link-layer types; the ifType values + * for LAN devices are: + * + * Ethernet 6 + * 802.3 7 + * Token Ring 9 + * FDDI 15 + * + * and the ifType value for a loopback device is 24. + * + * The AIX names for LAN devices begin with: + * + * Ethernet en + * 802.3 et + * Token Ring tr + * FDDI fi + * + * and the AIX names for loopback devices begin with "lo". + * + * (The difference between "Ethernet" and "802.3" is presumably + * whether packets have an Ethernet header, with a packet type, + * or an 802.3 header, with a packet length, followed by an 802.2 + * header and possibly a SNAP header.) + * + * If the device name matches "datalink" interpreted as an ifType + * value, rather than as a DLT_ value, we will assume this is AIX's + * non-standard, incompatible libpcap, rather than a standard libpcap, + * and will map the link-layer type to the standard DLT_ value for + * that link-layer type, as that's what the rest of Wireshark expects. + * + * (This means the capture files won't be readable by a tcpdump + * linked with AIX's non-standard libpcap, but so it goes. They + * *will* be readable by standard versions of tcpdump, Wireshark, + * and so on.) + * + * XXX - if we conclude we're using AIX libpcap, should we also + * set a flag to cause us to assume the time stamps are in + * seconds-and-nanoseconds form, and to convert them to + * seconds-and-microseconds form before processing them and + * writing them out? + */ + + /* + * Find the last component of the device name, which is the + * interface name. + */ + ifacename = strchr(devicename, '/'); + if (ifacename == NULL) + ifacename = devicename; + + /* See if it matches any of the LAN device names. */ + if (strncmp(ifacename, "en", 2) == 0) { + if (datalink == 6) { + /* + * That's the RFC 1573 value for Ethernet; + * map it to DLT_EN10MB. + */ + datalink = 1; + } + } else if (strncmp(ifacename, "et", 2) == 0) { + if (datalink == 7) { + /* + * That's the RFC 1573 value for 802.3; + * map it to DLT_EN10MB. + * + * (libpcap, tcpdump, Wireshark, etc. don't + * care if it's Ethernet or 802.3.) + */ + datalink = 1; + } + } else if (strncmp(ifacename, "tr", 2) == 0) { + if (datalink == 9) { + /* + * That's the RFC 1573 value for 802.5 (Token Ring); + * map it to DLT_IEEE802, which is what's used for + * Token Ring. + */ + datalink = 6; + } + } else if (strncmp(ifacename, "fi", 2) == 0) { + if (datalink == 15) { + /* + * That's the RFC 1573 value for FDDI; + * map it to DLT_FDDI. + */ + datalink = 10; + } + } else if (strncmp(ifacename, "lo", 2) == 0) { + if (datalink == 24) { + /* + * That's the RFC 1573 value for "software loopback" + * devices; map it to DLT_NULL, which is what's used + * for loopback devices on BSD. + */ + datalink = 0; + } + } +#endif + + return datalink; +} + +/* Set the data link type on a pcap. */ +bool +set_pcap_datalink(pcap_t *pcap_h, int datalink, char *name, + char *errmsg, size_t errmsg_len, + char *secondary_errmsg, size_t secondary_errmsg_len) +{ + char *set_datalink_err_str; + + if (datalink == -1) + return true; /* just use the default */ + if (pcap_set_datalink(pcap_h, datalink) == 0) + return true; /* no error */ + set_datalink_err_str = pcap_geterr(pcap_h); + snprintf(errmsg, errmsg_len, "Unable to set data link type on interface '%s' (%s).", + name, set_datalink_err_str); + /* + * If the error isn't "XXX is not one of the DLTs supported by this device", + * tell the user to tell the Wireshark developers about it. + */ + if (strstr(set_datalink_err_str, "is not one of the DLTs supported by this device") == NULL) + snprintf(secondary_errmsg, secondary_errmsg_len, + "%s", please_report_bug()); + else + secondary_errmsg[0] = '\0'; + return false; +} + +static data_link_info_t * +create_data_link_info(int dlt) +{ + data_link_info_t *data_link_info; + const char *text; + + data_link_info = g_new(data_link_info_t, 1); + data_link_info->dlt = dlt; + text = pcap_datalink_val_to_name(dlt); + if (text != NULL) + data_link_info->name = g_strdup(text); + else + data_link_info->name = ws_strdup_printf("DLT %d", dlt); + text = pcap_datalink_val_to_description(dlt); + data_link_info->description = g_strdup(text); + return data_link_info; +} + +static GList * +get_data_link_types(pcap_t *pch, interface_options *interface_opts, + cap_device_open_status *status, char **status_str) +{ + GList *data_link_types; + int deflt; + int *linktypes; + int i, nlt; + data_link_info_t *data_link_info; + + deflt = get_pcap_datalink(pch, interface_opts->name); + nlt = pcap_list_datalinks(pch, &linktypes); + if (nlt < 0) { + /* + * A negative return is an error. + */ +#ifdef HAVE_PCAP_CREATE + /* + * If we have pcap_create(), we have + * pcap_statustostr(), and we can get back errors + * other than PCAP_ERROR (-1), such as + * PCAP_ERROR_NOT_ACTIVATED. and we should report + * them properly. + */ + switch (nlt) { + + case PCAP_ERROR: + *status = CAP_DEVICE_OPEN_ERROR_OTHER; + *status_str = ws_strdup_printf("pcap_list_datalinks() failed: %s", + pcap_geterr(pch)); + break; + + default: + /* + * This "shouldn't happen". + */ + *status = CAP_DEVICE_OPEN_ERROR_OTHER; + *status_str = ws_strdup_printf("pcap_list_datalinks() failed: %s - %s", + pcap_statustostr(nlt), pcap_geterr(pch)); + break; + } +#else /* HAVE_PCAP_CREATE */ + *status = CAP_DEVICE_OPEN_ERROR_OTHER; + *status_str = ws_strdup_printf("pcap_list_datalinks() failed: %s", + pcap_geterr(pch)); +#endif /* HAVE_PCAP_CREATE */ + return NULL; + } + data_link_types = NULL; + for (i = 0; i < nlt; i++) { + data_link_info = create_data_link_info(linktypes[i]); + + /* + * XXX - for 802.11, make the most detailed 802.11 + * version the default, rather than the one the + * device has as the default? + */ + if (linktypes[i] == deflt) + data_link_types = g_list_prepend(data_link_types, + data_link_info); + else + data_link_types = g_list_append(data_link_types, + data_link_info); + } +#ifdef HAVE_PCAP_FREE_DATALINKS + pcap_free_datalinks(linktypes); +#else + /* + * In Windows, there's no guarantee that if you have a library + * built with one version of the MSVC++ run-time library, and + * it returns a pointer to allocated data, you can free that + * data from a program linked with another version of the + * MSVC++ run-time library. + * + * This is not an issue on UN*X. + * + * See the mail threads starting at + * + * https://www.winpcap.org/pipermail/winpcap-users/2006-September/001421.html + * + * and + * + * https://www.winpcap.org/pipermail/winpcap-users/2008-May/002498.html + */ +#ifndef _WIN32 +#define xx_free free /* hack so checkAPIs doesn't complain */ + xx_free(linktypes); +#endif /* _WIN32 */ +#endif /* HAVE_PCAP_FREE_DATALINKS */ + + *status_str = NULL; + return data_link_types; +} + +/* Get supported timestamp types for a libpcap device. */ +static GList* +get_pcap_timestamp_types(pcap_t *pch _U_, char **err_str _U_) +{ + GList *list = NULL; +#ifdef HAVE_PCAP_SET_TSTAMP_TYPE + int *types; + int ntypes = pcap_list_tstamp_types(pch, &types); + + if (err_str) + *err_str = ntypes < 0 ? pcap_geterr(pch) : NULL; + + if (ntypes <= 0) + return NULL; + + while (ntypes--) { + timestamp_info_t *info = (timestamp_info_t *)g_malloc(sizeof *info); + info->name = g_strdup(pcap_tstamp_type_val_to_name(types[ntypes])); + info->description = g_strdup(pcap_tstamp_type_val_to_description(types[ntypes])); + list = g_list_prepend(list, info); + } + + pcap_free_tstamp_types(types); +#endif + return list; +} + +#ifdef HAVE_PCAP_SET_TSTAMP_PRECISION +/* + * Request high-resolution time stamps. + * + * We don't check for errors - if this fails, we just live with boring old + * microsecond-resolution time stamps. The only errors pcap_set_tstamp_precision() + * is documenting as returning are PCAP_ERROR_TSTAMP_PRECISION_NOTSUP, which just + * means we can't do nanosecond precision on this adapter, in which case we + * just live with whatever resolution we get by default, and + * PCAP_ERROR_ACTIVATED, which shouldn't happen as we shouldn't call this + * after we've activated the pcap_t. + */ +void +request_high_resolution_timestamp(pcap_t *pcap_h) +{ +#ifdef __APPLE__ + /* + * On macOS, if you build with a newer SDK, pcap_set_tstamp_precision() + * is available, so the code will be built with it. + * + * However, if you then try to run on an older release that + * doesn't have pcap_set_tstamp_precision(), the dynamic linker + * will fail, as it won't find pcap_set_tstamp_precision(). + * + * libpcap doesn't use macOS "weak linking" for new routines, + * so we can't just check whether a pointer to + * pcap_set_tstamp_precision() is null and, if it is, not + * call it. We have to, instead, use dlopen() to load + * libpcap, and dlsym() to find a pointer to pcap_set_tstamp_precision(), + * and if we find the pointer, call it. + */ + static bool initialized = false; + static int (*p_pcap_set_tstamp_precision)(pcap_t *, int); + + if (!initialized) { + p_pcap_set_tstamp_precision = + (int (*)(pcap_t *, int)) + dlsym(RTLD_NEXT, "pcap_set_tstamp_precision"); + initialized = true; + } + if (p_pcap_set_tstamp_precision != NULL) + (*p_pcap_set_tstamp_precision)(pcap_h, PCAP_TSTAMP_PRECISION_NANO); +#else /* __APPLE__ */ + /* + * On other UN*Xes we require that we be run on an OS version + * with a libpcap equal to or later than the version with which + * we were built. + */ + pcap_set_tstamp_precision(pcap_h, PCAP_TSTAMP_PRECISION_NANO); +#endif /* __APPLE__ */ +} + +/* + * Return true if the pcap_t in question is set up for high-precision + * time stamps, false otherwise. + */ +bool +have_high_resolution_timestamp(pcap_t *pcap_h) +{ +#ifdef __APPLE__ + /* + * See above. + */ + static bool initialized = false; + static int (*p_pcap_get_tstamp_precision)(pcap_t *); + + if (!initialized) { + p_pcap_get_tstamp_precision = + (int (*)(pcap_t *)) + dlsym(RTLD_NEXT, "pcap_get_tstamp_precision"); + initialized = true; + } + if (p_pcap_get_tstamp_precision != NULL) + return (*p_pcap_get_tstamp_precision)(pcap_h) == PCAP_TSTAMP_PRECISION_NANO; + else + return false; /* Can't get implies couldn't set */ +#else /* __APPLE__ */ + /* + * On other UN*Xes we require that we be run on an OS version + * with a libpcap equal to or later than the version with which + * we were built. + */ + return pcap_get_tstamp_precision(pcap_h) == PCAP_TSTAMP_PRECISION_NANO; +#endif /* __APPLE__ */ +} + +#endif /* HAVE_PCAP_SET_TSTAMP_PRECISION */ + +#ifdef HAVE_PCAP_CREATE +#ifdef HAVE_BONDING +static bool +is_linux_bonding_device(const char *ifname) +{ + int fd; + struct ifreq ifr; + ifbond ifb; + + fd = socket(PF_INET, SOCK_DGRAM, 0); + if (fd == -1) + return false; + + memset(&ifr, 0, sizeof ifr); + (void) g_strlcpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name); + memset(&ifb, 0, sizeof ifb); + ifr.ifr_data = (caddr_t)&ifb; +#if defined(SIOCBONDINFOQUERY) + if (ioctl(fd, SIOCBONDINFOQUERY, &ifr) == 0) { + close(fd); + return true; + } +#else + if (ioctl(fd, BOND_INFO_QUERY_OLD, &ifr) == 0) { + close(fd); + return true; + } +#endif + + close(fd); + return false; +} +#else +static bool +is_linux_bonding_device(const char *ifname _U_) +{ + return false; +} +#endif + +if_capabilities_t * +get_if_capabilities_pcap_create(interface_options *interface_opts, + cap_device_open_status *open_status, char **open_status_str) +{ + if_capabilities_t *caps; + char errbuf[PCAP_ERRBUF_SIZE]; + pcap_t *pch; + int status; + + pch = pcap_create(interface_opts->name, errbuf); + if (pch == NULL) { + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = g_strdup(errbuf); + return NULL; + } + + if (is_linux_bonding_device(interface_opts->name)) { + /* + * Linux bonding device; not Wi-Fi, so no monitor mode, and + * calling pcap_can_set_rfmon() might get a "no such device" + * error. + */ + status = 0; + } else { + /* + * Not a Linux bonding device, so go ahead. + */ + status = pcap_can_set_rfmon(pch); + } + if (status < 0) { + /* Error. */ + switch (status) { + + case PCAP_ERROR_NO_SUCH_DEVICE: + *open_status = CAP_DEVICE_OPEN_ERROR_NO_SUCH_DEVICE; + *open_status_str = ws_strdup_printf("pcap_can_set_rfmon() failed: %s", + pcap_geterr(pch)); + break; + + case PCAP_ERROR_PERM_DENIED: + *open_status = CAP_DEVICE_OPEN_ERROR_PERM_DENIED; + *open_status_str = ws_strdup_printf("pcap_can_set_rfmon() failed: %s", + pcap_geterr(pch)); + break; + + case PCAP_ERROR: + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = ws_strdup_printf("pcap_can_set_rfmon() failed: %s", + pcap_geterr(pch)); + break; + + default: + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = ws_strdup_printf("pcap_can_set_rfmon() failed: %s - %s", + pcap_statustostr(status), pcap_geterr(pch)); + break; + } + pcap_close(pch); + return NULL; + } + caps = (if_capabilities_t *)g_malloc(sizeof *caps); + if (status == 0) + caps->can_set_rfmon = false; + else if (status == 1) { + caps->can_set_rfmon = true; + if (interface_opts->monitor_mode) + pcap_set_rfmon(pch, 1); + } else { + /* + * This "should not happen". + */ + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = ws_strdup_printf("pcap_can_set_rfmon() returned %d", + status); + pcap_close(pch); + g_free(caps); + return NULL; + } + + status = pcap_activate(pch); + if (status < 0) { + /* Error. */ + switch (status) { + + case PCAP_ERROR_NO_SUCH_DEVICE: + *open_status = CAP_DEVICE_OPEN_ERROR_NO_SUCH_DEVICE; + *open_status_str = ws_strdup_printf("pcap_activate() failed: %s", + pcap_geterr(pch)); + break; + + case PCAP_ERROR_PERM_DENIED: + *open_status = CAP_DEVICE_OPEN_ERROR_PERM_DENIED; + *open_status_str = ws_strdup_printf("pcap_activate() failed: %s", + pcap_geterr(pch)); + break; + + case PCAP_ERROR_IFACE_NOT_UP: + *open_status = CAP_DEVICE_OPEN_ERROR_IFACE_NOT_UP; + *open_status_str = ws_strdup_printf("pcap_activate() failed: %s", + pcap_geterr(pch)); + break; + + case PCAP_ERROR: + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = ws_strdup_printf("pcap_activate() failed: %s", + pcap_geterr(pch)); + break; + + default: + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = ws_strdup_printf("pcap_activate() failed: %s - %s", + pcap_statustostr(status), pcap_geterr(pch)); + break; + } + pcap_close(pch); + g_free(caps); + return NULL; + } + + caps->data_link_types = get_data_link_types(pch, interface_opts, + open_status, open_status_str); + if (caps->data_link_types == NULL) { + pcap_close(pch); + g_free(caps); + return NULL; + } + + caps->timestamp_types = get_pcap_timestamp_types(pch, NULL); + + pcap_close(pch); + + if (open_status_str != NULL) + *open_status_str = NULL; + return caps; +} + +pcap_t * +open_capture_device_pcap_create( +#if defined(HAVE_PCAP_SET_TSTAMP_PRECISION) + capture_options* capture_opts, +#else + capture_options* capture_opts _U_, +#endif + interface_options *interface_opts, int timeout, + cap_device_open_status *open_status, + char (*open_status_str)[PCAP_ERRBUF_SIZE]) +{ + pcap_t *pcap_h; + int status; + + ws_debug("Calling pcap_create() using %s.", interface_opts->name); + pcap_h = pcap_create(interface_opts->name, *open_status_str); + ws_debug("pcap_create() returned %p.", (void *)pcap_h); + if (pcap_h == NULL) { + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + return NULL; + } + if (interface_opts->has_snaplen) { + ws_debug("Calling pcap_set_snaplen() with snaplen %d.", + interface_opts->snaplen); + pcap_set_snaplen(pcap_h, interface_opts->snaplen); + } + ws_debug("Calling pcap_set_promisc() with promisc_mode %d.", + interface_opts->promisc_mode); + pcap_set_promisc(pcap_h, interface_opts->promisc_mode); + pcap_set_timeout(pcap_h, timeout); + +#ifdef HAVE_PCAP_SET_TSTAMP_PRECISION + /* + * If we're writing pcapng files, try to enable + * nanosecond-resolution capture; any code that + * can read pcapng files must be able to handle + * nanosecond-resolution time stamps. We don't + * care whether it succeeds or fails - if it fails, + * we just use the microsecond-precision time stamps + * we get. + * + * If we're writing pcap files, don't try to enable + * nanosecond-resolution capture, as not all code + * that reads pcap files recognizes the nanosecond- + * resolution pcap file magic number. + * We don't care whether this succeeds or fails; if it + * fails (because we don't have pcap_set_tstamp_precision(), + * or because we do but the OS or device doesn't support + * nanosecond resolution timing), we just use microsecond- + * resolution time stamps. + */ + if (capture_opts->use_pcapng) + request_high_resolution_timestamp(pcap_h); +#endif /* HAVE_PCAP_SET_TSTAMP_PRECISION */ + +#ifdef HAVE_PCAP_SET_TSTAMP_TYPE + if (interface_opts->timestamp_type) { + status = pcap_set_tstamp_type(pcap_h, interface_opts->timestamp_type_id); + /* + * XXX - what if it fails because that time stamp type + * isn't supported? + */ + if (status == PCAP_ERROR) { + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + pcap_close(pcap_h); + return NULL; + } + } +#endif /* HAVE_PCAP_SET_TSTAMP_PRECISION */ + + ws_debug("buffersize %d.", interface_opts->buffer_size); + if (interface_opts->buffer_size != 0) + pcap_set_buffer_size(pcap_h, + interface_opts->buffer_size * 1024 * 1024); + ws_debug("monitor_mode %d.", interface_opts->monitor_mode); + if (interface_opts->monitor_mode) + pcap_set_rfmon(pcap_h, 1); + status = pcap_activate(pcap_h); + ws_debug("pcap_activate() returned %d.", status); + if (status < 0) { + /* Failed to activate, set to NULL */ + switch (status) { + + case PCAP_ERROR_NO_SUCH_DEVICE: + *open_status = CAP_DEVICE_OPEN_ERROR_NO_SUCH_DEVICE; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + + case PCAP_ERROR_PERM_DENIED: + *open_status = CAP_DEVICE_OPEN_ERROR_PERM_DENIED; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + +#ifdef HAVE_PCAP_ERROR_PROMISC_PERM_DENIED + case PCAP_ERROR_PROMISC_PERM_DENIED: + *open_status = CAP_DEVICE_OPEN_ERROR_PROMISC_PERM_DENIED; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; +#endif + + case PCAP_ERROR_RFMON_NOTSUP: + *open_status = CAP_DEVICE_OPEN_ERROR_RFMON_NOTSUP; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + + case PCAP_ERROR_IFACE_NOT_UP: + *open_status = CAP_DEVICE_OPEN_ERROR_IFACE_NOT_UP; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + + case PCAP_ERROR: + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + + default: + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + snprintf(*open_status_str, sizeof *open_status_str, + "%s - %s", pcap_statustostr(status), pcap_geterr(pcap_h)); + break; + } + pcap_close(pcap_h); + return NULL; + } + if (status > 0) { + /* + * Warning. The call succeeded, but something happened + * that the user might want to know. + */ + switch (status) { + + case PCAP_WARNING_PROMISC_NOTSUP: + *open_status = CAP_DEVICE_OPEN_WARNING_PROMISC_NOTSUP; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + +#ifdef HAVE_PCAP_WARNING_TSTAMP_TYPE_NOTSUP + case PCAP_WARNING_TSTAMP_TYPE_NOTSUP: + *open_status = CAP_DEVICE_OPEN_WARNING_TSTAMP_TYPE_NOTSUP; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; +#endif + + case PCAP_WARNING: + *open_status = CAP_DEVICE_OPEN_WARNING_OTHER; + (void) g_strlcpy(*open_status_str, pcap_geterr(pcap_h), + sizeof *open_status_str); + break; + + default: + *open_status = CAP_DEVICE_OPEN_WARNING_OTHER; + snprintf(*open_status_str, sizeof *open_status_str, + "%s - %s", pcap_statustostr(status), pcap_geterr(pcap_h)); + break; + } + } else { + /* + * No warning issued. + */ + *open_status = CAP_DEVICE_OPEN_NO_ERR; + } + return pcap_h; +} +#endif /* HAVE_PCAP_CREATE */ + +if_capabilities_t * +get_if_capabilities_pcap_open_live(interface_options *interface_opts, + cap_device_open_status *open_status, char **open_status_str) +{ + if_capabilities_t *caps; + char errbuf[PCAP_ERRBUF_SIZE]; + pcap_t *pch; + + pch = pcap_open_live(interface_opts->name, MIN_PACKET_SIZE, 0, 0, + errbuf); + if (pch == NULL) { + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + *open_status_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf); + return NULL; + } + + caps = (if_capabilities_t *)g_malloc(sizeof *caps); + caps->can_set_rfmon = false; + caps->data_link_types = get_data_link_types(pch, interface_opts, + open_status, open_status_str); + if (caps->data_link_types == NULL) { + pcap_close(pch); + g_free(caps); + return NULL; + } + + caps->timestamp_types = get_pcap_timestamp_types(pch, NULL); + + pcap_close(pch); + + *open_status = CAP_DEVICE_OPEN_NO_ERR; + *open_status_str = NULL; + return caps; +} + +pcap_t * +open_capture_device_pcap_open_live(interface_options *interface_opts, + int timeout, cap_device_open_status *open_status, + char (*open_status_str)[PCAP_ERRBUF_SIZE]) +{ + pcap_t *pcap_h; + int snaplen; + + if (interface_opts->has_snaplen) + snaplen = interface_opts->snaplen; + else { + /* + * Default - use the non-D-Bus maximum snapshot length of + * 256KB, which should be big enough (libpcap didn't get + * D-Bus support until after it goet pcap_create() and + * pcap_activate(), so we don't have D-Bus support and + * don't have to worry about really huge packets). + */ + snaplen = 256*1024; + } + ws_debug("pcap_open_live() calling using name %s, snaplen %d, promisc_mode %d.", + interface_opts->name, snaplen, interface_opts->promisc_mode); + /* + * This might succeed but put a messsage in *open_status_str; + * that means that a warning was issued. + * + * Clear the error message buffer, so that if it's not an empty + * string after the call, we know a warning was issued. + */ + (*open_status_str)[0] = '\0'; + pcap_h = pcap_open_live(interface_opts->name, snaplen, + interface_opts->promisc_mode, timeout, *open_status_str); + ws_debug("pcap_open_live() returned %p.", (void *)pcap_h); + if (pcap_h == NULL) { + *open_status = CAP_DEVICE_OPEN_ERROR_OTHER; + return NULL; + } + if ((*open_status_str)[0] != '\0') { + /* + * Warning. The call succeeded, but something happened + * that the user might want to know. + */ + *open_status = CAP_DEVICE_OPEN_WARNING_OTHER; + } else { + /* + * No warning issued. + */ + *open_status = CAP_DEVICE_OPEN_NO_ERR; + } + +#ifdef _WIN32 + /* Try to set the capture buffer size. */ + if (interface_opts->buffer_size > 1) { + /* + * We have no mechanism to report a warning if this + * fails; we just keep capturing with the smaller buffer, + * as is the case on systems with BPF and pcap_create() + * and pcap_set_buffer_size(), where pcap_activate() just + * silently clamps the buffer size to the maximum. + */ + pcap_setbuff(pcap_h, interface_opts->buffer_size * 1024 * 1024); + } +#endif + + return pcap_h; +} + +/* + * Get the capabilities of a network device. + */ +if_capabilities_t * +get_if_capabilities(interface_options *interface_opts, + cap_device_open_status *status, char **status_str) +{ +#if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE) + if_capabilities_t *caps; + char errbuf[PCAP_ERRBUF_SIZE]; + pcap_t *pch; + int deflt; + data_link_info_t *data_link_info; + + if (strncmp (interface_opts->name, "rpcap://", 8) == 0) { + struct pcap_rmtauth auth; + + auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ? + RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL; + auth.username = interface_opts->auth_username; + auth.password = interface_opts->auth_password; + + /* + * WinPcap 4.1.2, and possibly earlier versions, have a bug + * wherein, when an open with an rpcap: URL fails, the error + * message for the error is not copied to errbuf and whatever + * on-the-stack junk is in errbuf is treated as the error + * message. + * + * To work around that (and any other bugs of that sort), we + * initialize errbuf to an empty string. If we get an error + * and the string is empty, we report it as an unknown error. + * (If we *don't* get an error, and the string is *non*-empty, + * that could be a warning returned, such as "can't turn + * promiscuous mode on"; we currently don't do so.) + */ + errbuf[0] = '\0'; + pch = pcap_open(interface_opts->name, MIN_PACKET_SIZE, 0, 0, &auth, + errbuf); + if (pch == NULL) { + /* + * We don't know whether it's a permission error or not. + * And, if it is, the user will either have to ask for + * permission for their own remote account or will have + * to use an account that *does* have permissions. + */ + *status = CAP_DEVICE_OPEN_ERROR_GENERIC; + if (strcmp(errbuf, "not supported") == 0) { + /* + * macOS 14's pcap_open(), which is a stub that + * always returns NULL with an error message of + * "not supported". + * + * In this case, as we passed it an rpcap:// + * URL, treat that as meaning "remote capture + * not supported". + */ + g_strlcpy(errbuf, "Remote capture not supported", + PCAP_ERRBUF_SIZE); + } + *status_str = g_strdup(errbuf[0] == '\0' ? "Unknown error (pcap bug; actual error cause not reported)" : errbuf); + return NULL; + } + + caps = (if_capabilities_t *)g_malloc(sizeof *caps); + caps->can_set_rfmon = false; + caps->data_link_types = NULL; + deflt = get_pcap_datalink(pch, interface_opts->name); + data_link_info = create_data_link_info(deflt); + caps->data_link_types = g_list_append(caps->data_link_types, data_link_info); + caps->timestamp_types = get_pcap_timestamp_types(pch, NULL); + pcap_close(pch); + + /* + * This doesn't return warnings for remote devices, and + * we don't use it for local devices. + */ + *status = CAP_DEVICE_OPEN_NO_ERR; + *status_str = NULL; + return caps; + } +#endif /* defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE) */ + + /* + * Local interface. + */ + return get_if_capabilities_local(interface_opts, status, status_str); +} + +pcap_t * +open_capture_device(capture_options *capture_opts, + interface_options *interface_opts, int timeout, + cap_device_open_status *open_status, + char (*open_status_str)[PCAP_ERRBUF_SIZE]) +{ + pcap_t *pcap_h; +#if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE) + struct pcap_rmtauth auth; +#endif + + /* Open the network interface to capture from it. + Some versions of libpcap may put warnings into the error buffer + if they succeed; to tell if that's happened, we have to clear + the error buffer, and check if it's still a null string. */ + ws_debug("Entering open_capture_device()."); + *open_status = CAP_DEVICE_OPEN_NO_ERR; + (*open_status_str)[0] = '\0'; +#if defined(HAVE_PCAP_OPEN) && defined(HAVE_PCAP_REMOTE) + /* + * If we're opening a remote device, use pcap_open(); that's currently + * the only open routine that supports remote devices. + */ + if (strncmp (interface_opts->name, "rpcap://", 8) == 0) { + int snaplen; + + auth.type = interface_opts->auth_type == CAPTURE_AUTH_PWD ? + RPCAP_RMTAUTH_PWD : RPCAP_RMTAUTH_NULL; + auth.username = interface_opts->auth_username; + auth.password = interface_opts->auth_password; + + if (interface_opts->has_snaplen) + snaplen = interface_opts->snaplen; + else { + /* + * Default - use the non-D-Bus maximum snapshot length, + * which should be big enough, except for D-Bus. + */ + snaplen = 256*1024; + } + ws_debug("Calling pcap_open() using name %s, snaplen %d, promisc_mode %d, datatx_udp %d, nocap_rpcap %d.", + interface_opts->name, snaplen, + interface_opts->promisc_mode, interface_opts->datatx_udp, + interface_opts->nocap_rpcap); + pcap_h = pcap_open(interface_opts->name, snaplen, + /* flags */ + (interface_opts->promisc_mode ? PCAP_OPENFLAG_PROMISCUOUS : 0) | + (interface_opts->datatx_udp ? PCAP_OPENFLAG_DATATX_UDP : 0) | + (interface_opts->nocap_rpcap ? PCAP_OPENFLAG_NOCAPTURE_RPCAP : 0), + timeout, &auth, *open_status_str); + if (pcap_h == NULL) { + /* + * Error. + * + * We don't know whether it's a permission error + * or not. + * (If it is, maybe we can give ourselves permission + * or maybe we just have to ask politely for + * permission.) + */ + *open_status = CAP_DEVICE_OPEN_ERROR_GENERIC; + if (strcmp(*open_status_str, "not supported") == 0) { + /* + * macOS 14's pcap_open(), which is a stub + * that always returns NULL with an error + * message of "not supported". + * + * In this case, as we passed it an rpcap:// + * URL, treat that as meaning "remote capture + * not supported". + */ + g_strlcpy(*open_status_str, + "Remote capture not supported", + PCAP_ERRBUF_SIZE); + } + + /* Did pcap actually supply an error message? */ + if ((*open_status_str)[0] == '\0') { + /* + * Work around known WinPcap bug wherein + * no error message is filled in on a + * failure to open an rpcap: URL. + */ + (void) g_strlcpy(*open_status_str, + "Unknown error (pcap bug; actual error cause not reported)", + sizeof *open_status_str); + } + } + ws_debug("pcap_open() returned %p.", (void *)pcap_h); + ws_debug("open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name); + /* + * This doesn't return warnings for remote devices, and + * we don't use it for local devices. + */ + *open_status = CAP_DEVICE_OPEN_NO_ERR; + return pcap_h; + } +#endif + + pcap_h = open_capture_device_local(capture_opts, interface_opts, + timeout, open_status, open_status_str); + ws_debug("open_capture_device %s : %s", pcap_h ? "SUCCESS" : "FAILURE", interface_opts->name); + return pcap_h; +} + +#endif /* HAVE_LIBPCAP */ + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ |