2 * Copyright (c) 1993, 1994, 1995, 1996, 1998
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 static const char rcsid[] _U_ =
23 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.116 2008-09-16 18:42:29 guy Exp $ (LBL)";
30 #include <sys/param.h> /* optionally get BSD define */
31 #ifdef HAVE_ZEROCOPY_BPF
35 #include <sys/socket.h>
37 * <net/bpf.h> defines ioctls, but doesn't include <sys/ioccom.h>.
39 * We include <sys/ioctl.h> as it might be necessary to declare ioctl();
40 * at least on *BSD and Mac OS X, it also defines various SIOC ioctls -
41 * we could include <sys/sockio.h>, but if we're already including
42 * <sys/ioctl.h>, which includes <sys/sockio.h> on those platforms,
43 * there's not much point in doing so.
45 * If we have <sys/ioccom.h>, we include it as well, to handle systems
46 * such as Solaris which don't arrange to include <sys/ioccom.h> if you
47 * include <sys/ioctl.h>
49 #include <sys/ioctl.h>
50 #ifdef HAVE_SYS_IOCCOM_H
51 #include <sys/ioccom.h>
53 #include <sys/utsname.h>
55 #ifdef HAVE_ZEROCOPY_BPF
56 #include <machine/atomic.h>
64 * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
65 * native OS version, as we need "struct bpf_config" from it.
67 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
69 #include <sys/types.h>
72 * Prevent bpf.h from redefining the DLT_ values to their
73 * IFT_ values, as we're going to return the standard libpcap
74 * values, not IBM's non-standard IFT_ values.
80 #include <net/if_types.h> /* for IFT_ values */
81 #include <sys/sysconfig.h>
82 #include <sys/device.h>
83 #include <sys/cfgodm.h>
87 #define domakedev makedev64
88 #define getmajor major64
89 #define bpf_hdr bpf_hdr32
91 #define domakedev makedev
92 #define getmajor major
93 #endif /* __64BIT__ */
95 #define BPF_NAME "bpf"
97 #define DRIVER_PATH "/usr/lib/drivers"
98 #define BPF_NODE "/dev/bpf"
99 static int bpfloadedflag = 0;
100 static int odmlockid = 0;
102 static int bpf_load(char *errbuf);
119 #ifdef HAVE_NET_IF_MEDIA_H
120 # include <net/if_media.h>
123 #include "pcap-int.h"
126 #include "pcap-dag.h"
127 #endif /* HAVE_DAG_API */
130 #include "pcap-snf.h"
131 #endif /* HAVE_SNF_API */
133 #ifdef HAVE_OS_PROTO_H
134 #include "os-proto.h"
138 # if (defined(HAVE_NET_IF_MEDIA_H) && defined(IFM_IEEE80211)) && !defined(__APPLE__)
139 #define HAVE_BSD_IEEE80211
142 # if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)
143 static int find_802_11(struct bpf_dltlist *);
145 # ifdef HAVE_BSD_IEEE80211
146 static int monitor_mode(pcap_t *, int);
149 # if defined(__APPLE__)
150 static void remove_en(pcap_t *);
151 static void remove_802_11(pcap_t *);
154 # endif /* defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) */
156 #endif /* BIOCGDLTLIST */
159 * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
160 * don't get DLT_DOCSIS defined.
163 #define DLT_DOCSIS 143
167 * On OS X, we don't even get any of the 802.11-plus-radio-header DLT_'s
168 * defined, even though some of them are used by various Airport drivers.
170 #ifndef DLT_PRISM_HEADER
171 #define DLT_PRISM_HEADER 119
173 #ifndef DLT_AIRONET_HEADER
174 #define DLT_AIRONET_HEADER 120
176 #ifndef DLT_IEEE802_11_RADIO
177 #define DLT_IEEE802_11_RADIO 127
179 #ifndef DLT_IEEE802_11_RADIO_AVS
180 #define DLT_IEEE802_11_RADIO_AVS 163
183 static int pcap_can_set_rfmon_bpf(pcap_t *p);
184 static int pcap_activate_bpf(pcap_t *p);
185 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
186 static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t);
187 static int pcap_set_datalink_bpf(pcap_t *p, int dlt);
189 #ifdef HAVE_ZEROCOPY_BPF
191 * For zerocopy bpf, we need to override the setnonblock/getnonblock routines
192 * so we don't call select(2) if the pcap handle is in non-blocking mode. We
193 * preserve the timeout supplied by pcap_open functions to make sure it
194 * does not get clobbered if the pcap handle moves between blocking and non-
198 pcap_getnonblock_zbuf(pcap_t *p, char *errbuf)
201 * Use a negative value for the timeout to represent that the
202 * pcap handle is in non-blocking mode.
204 return (p->md.timeout < 0);
208 pcap_setnonblock_zbuf(pcap_t *p, int nonblock, char *errbuf)
211 * Map each value to the corresponding 2's complement, to
212 * preserve the timeout value provided with pcap_set_timeout.
213 * (from pcap-linux.c).
216 if (p->md.timeout >= 0) {
218 * Timeout is non-negative, so we're not already
219 * in non-blocking mode; set it to the 2's
220 * complement, to make it negative, as an
221 * indication that we're in non-blocking mode.
223 p->md.timeout = p->md.timeout * -1 - 1;
226 if (p->md.timeout < 0) {
228 * Timeout is negative, so we're not already
229 * in blocking mode; reverse the previous
230 * operation, to make the timeout non-negative
233 p->md.timeout = (p->md.timeout + 1) * -1;
240 * Zero-copy specific close method. Un-map the shared buffers then call
241 * pcap_cleanup_live_common.
244 pcap_cleanup_zbuf(pcap_t *p)
247 * Delete the mappings. Note that p->buffer gets initialized to one
248 * of the mmapped regions in this case, so do not try and free it
249 * directly; null it out so that pcap_cleanup_live_common() doesn't
252 if (p->md.zbuf1 != MAP_FAILED && p->md.zbuf1 != NULL)
253 (void) munmap(p->md.zbuf1, p->md.zbufsize);
254 if (p->md.zbuf2 != MAP_FAILED && p->md.zbuf2 != NULL)
255 (void) munmap(p->md.zbuf2, p->md.zbufsize);
257 pcap_cleanup_live_common(p);
261 * Zero-copy BPF buffer routines to check for and acknowledge BPF data in
262 * shared memory buffers.
264 * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer,
265 * and set up p->buffer and cc to reflect one if available. Notice that if
266 * there was no prior buffer, we select zbuf1 as this will be the first
267 * buffer filled for a fresh BPF session.
270 pcap_next_zbuf_shm(pcap_t *p, int *cc)
272 struct bpf_zbuf_header *bzh;
274 if (p->md.zbuffer == p->md.zbuf2 || p->md.zbuffer == NULL) {
275 bzh = (struct bpf_zbuf_header *)p->md.zbuf1;
276 if (bzh->bzh_user_gen !=
277 atomic_load_acq_int(&bzh->bzh_kernel_gen)) {
279 p->md.zbuffer = (u_char *)p->md.zbuf1;
280 p->buffer = p->md.zbuffer + sizeof(*bzh);
281 *cc = bzh->bzh_kernel_len;
284 } else if (p->md.zbuffer == p->md.zbuf1) {
285 bzh = (struct bpf_zbuf_header *)p->md.zbuf2;
286 if (bzh->bzh_user_gen !=
287 atomic_load_acq_int(&bzh->bzh_kernel_gen)) {
289 p->md.zbuffer = (u_char *)p->md.zbuf2;
290 p->buffer = p->md.zbuffer + sizeof(*bzh);
291 *cc = bzh->bzh_kernel_len;
300 * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using
301 * select() for data or a timeout, and possibly force rotation of the buffer
302 * in the event we time out or are in immediate mode. Invoke the shared
303 * memory check before doing system calls in order to avoid doing avoidable
307 pcap_next_zbuf(pcap_t *p, int *cc)
316 #define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000))
318 * Start out by seeing whether anything is waiting by checking the
319 * next shared memory buffer for data.
321 data = pcap_next_zbuf_shm(p, cc);
325 * If a previous sleep was interrupted due to signal delivery, make
326 * sure that the timeout gets adjusted accordingly. This requires
327 * that we analyze when the timeout should be been expired, and
328 * subtract the current time from that. If after this operation,
329 * our timeout is less then or equal to zero, handle it like a
332 tmout = p->md.timeout;
334 (void) clock_gettime(CLOCK_MONOTONIC, &cur);
335 if (p->md.interrupted && p->md.timeout) {
336 expire = TSTOMILLI(&p->md.firstsel) + p->md.timeout;
337 tmout = expire - TSTOMILLI(&cur);
340 p->md.interrupted = 0;
341 data = pcap_next_zbuf_shm(p, cc);
344 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) {
345 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
346 "BIOCROTZBUF: %s", strerror(errno));
349 return (pcap_next_zbuf_shm(p, cc));
353 * No data in the buffer, so must use select() to wait for data or
354 * the next timeout. Note that we only call select if the handle
355 * is in blocking mode.
357 if (p->md.timeout >= 0) {
359 FD_SET(p->fd, &r_set);
361 tv.tv_sec = tmout / 1000;
362 tv.tv_usec = (tmout * 1000) % 1000000;
364 r = select(p->fd + 1, &r_set, NULL, NULL,
365 p->md.timeout != 0 ? &tv : NULL);
366 if (r < 0 && errno == EINTR) {
367 if (!p->md.interrupted && p->md.timeout) {
368 p->md.interrupted = 1;
369 p->md.firstsel = cur;
373 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
374 "select: %s", strerror(errno));
378 p->md.interrupted = 0;
380 * Check again for data, which may exist now that we've either been
381 * woken up as a result of data or timed out. Try the "there's data"
382 * case first since it doesn't require a system call.
384 data = pcap_next_zbuf_shm(p, cc);
388 * Try forcing a buffer rotation to dislodge timed out or immediate
391 if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) {
392 (void) snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
393 "BIOCROTZBUF: %s", strerror(errno));
396 return (pcap_next_zbuf_shm(p, cc));
400 * Notify kernel that we are done with the buffer. We don't reset zbuffer so
401 * that we know which buffer to use next time around.
404 pcap_ack_zbuf(pcap_t *p)
407 atomic_store_rel_int(&p->md.bzh->bzh_user_gen,
408 p->md.bzh->bzh_kernel_gen);
416 pcap_create(const char *device, char *ebuf)
421 if (strstr(device, "dag"))
422 return (dag_create(device, ebuf));
423 #endif /* HAVE_DAG_API */
425 if (strstr(device, "snf"))
426 return (snf_create(device, ebuf));
427 #endif /* HAVE_SNF_API */
429 p = pcap_create_common(device, ebuf);
433 p->activate_op = pcap_activate_bpf;
434 p->can_set_rfmon_op = pcap_can_set_rfmon_bpf;
442 #ifdef HAVE_CLONING_BPF
443 static const char device[] = "/dev/bpf";
446 char device[sizeof "/dev/bpf0000000000"];
451 * Load the bpf driver, if it isn't already loaded,
452 * and create the BPF device entries, if they don't
455 if (bpf_load(p->errbuf) == PCAP_ERROR)
459 #ifdef HAVE_CLONING_BPF
460 if ((fd = open(device, O_RDWR)) == -1 &&
461 (errno != EACCES || (fd = open(device, O_RDONLY)) == -1)) {
463 fd = PCAP_ERROR_PERM_DENIED;
466 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
467 "(cannot open device) %s: %s", device, pcap_strerror(errno));
471 * Go through all the minors and find one that isn't in use.
474 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
476 * Initially try a read/write open (to allow the inject
477 * method to work). If that fails due to permission
478 * issues, fall back to read-only. This allows a
479 * non-root user to be granted specific access to pcap
480 * capabilities via file permissions.
482 * XXX - we should have an API that has a flag that
483 * controls whether to open read-only or read-write,
484 * so that denial of permission to send (or inability
485 * to send, if sending packets isn't supported on
486 * the device in question) can be indicated at open
489 fd = open(device, O_RDWR);
490 if (fd == -1 && errno == EACCES)
491 fd = open(device, O_RDONLY);
492 } while (fd < 0 && errno == EBUSY);
495 * XXX better message for all minors used
499 fd = PCAP_ERROR_PERM_DENIED;
502 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s",
503 device, pcap_strerror(errno));
512 get_dlt_list(int fd, int v, struct bpf_dltlist *bdlp, char *ebuf)
514 memset(bdlp, 0, sizeof(*bdlp));
515 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) == 0) {
519 bdlp->bfl_list = (u_int *) malloc(sizeof(u_int) * (bdlp->bfl_len + 1));
520 if (bdlp->bfl_list == NULL) {
521 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
522 pcap_strerror(errno));
526 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) < 0) {
527 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
528 "BIOCGDLTLIST: %s", pcap_strerror(errno));
529 free(bdlp->bfl_list);
534 * OK, for real Ethernet devices, add DLT_DOCSIS to the
535 * list, so that an application can let you choose it,
536 * in case you're capturing DOCSIS traffic that a Cisco
537 * Cable Modem Termination System is putting out onto
538 * an Ethernet (it doesn't put an Ethernet header onto
539 * the wire, it puts raw DOCSIS frames out on the wire
540 * inside the low-level Ethernet framing).
542 * A "real Ethernet device" is defined here as a device
543 * that has a link-layer type of DLT_EN10MB and that has
544 * no alternate link-layer types; that's done to exclude
545 * 802.11 interfaces (which might or might not be the
546 * right thing to do, but I suspect it is - Ethernet <->
547 * 802.11 bridges would probably badly mishandle frames
548 * that don't have Ethernet headers).
550 * On Solaris with BPF, Ethernet devices also offer
551 * DLT_IPNET, so we, if DLT_IPNET is defined, we don't
552 * treat it as an indication that the device isn't an
555 if (v == DLT_EN10MB) {
557 for (i = 0; i < bdlp->bfl_len; i++) {
558 if (bdlp->bfl_list[i] != DLT_EN10MB
560 && bdlp->bfl_list[i] != DLT_IPNET
569 * We reserved one more slot at the end of
572 bdlp->bfl_list[bdlp->bfl_len] = DLT_DOCSIS;
578 * EINVAL just means "we don't support this ioctl on
579 * this device"; don't treat it as an error.
581 if (errno != EINVAL) {
582 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
583 "BIOCGDLTLIST: %s", pcap_strerror(errno));
592 pcap_can_set_rfmon_bpf(pcap_t *p)
594 #if defined(__APPLE__)
595 struct utsname osinfo;
599 struct bpf_dltlist bdl;
603 * The joys of monitor mode on OS X.
605 * Prior to 10.4, it's not supported at all.
607 * In 10.4, if adapter enN supports monitor mode, there's a
608 * wltN adapter corresponding to it; you open it, instead of
609 * enN, to get monitor mode. You get whatever link-layer
610 * headers it supplies.
612 * In 10.5, and, we assume, later releases, if adapter enN
613 * supports monitor mode, it offers, among its selectable
614 * DLT_ values, values that let you get the 802.11 header;
615 * selecting one of those values puts the adapter into monitor
616 * mode (i.e., you can't get 802.11 headers except in monitor
617 * mode, and you can't get Ethernet headers in monitor mode).
619 if (uname(&osinfo) == -1) {
621 * Can't get the OS version; just say "no".
626 * We assume osinfo.sysname is "Darwin", because
627 * __APPLE__ is defined. We just check the version.
629 if (osinfo.release[0] < '8' && osinfo.release[1] == '.') {
631 * 10.3 (Darwin 7.x) or earlier.
632 * Monitor mode not supported.
636 if (osinfo.release[0] == '8' && osinfo.release[1] == '.') {
638 * 10.4 (Darwin 8.x). s/en/wlt/, and check
639 * whether the device exists.
641 if (strncmp(p->opt.source, "en", 2) != 0) {
643 * Not an enN device; no monitor mode.
647 fd = socket(AF_INET, SOCK_DGRAM, 0);
649 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
650 "socket: %s", pcap_strerror(errno));
653 strlcpy(ifr.ifr_name, "wlt", sizeof(ifr.ifr_name));
654 strlcat(ifr.ifr_name, p->opt.source + 2, sizeof(ifr.ifr_name));
655 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) {
668 * Everything else is 10.5 or later; for those,
669 * we just open the enN device, and check whether
670 * we have any 802.11 devices.
672 * First, open a BPF device.
679 * Now bind to the device.
681 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name));
682 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
683 if (errno == ENETDOWN) {
685 * Return a "network down" indication, so that
686 * the application can report that rather than
687 * saying we had a mysterious failure and
688 * suggest that they report a problem to the
689 * libpcap developers.
692 return (PCAP_ERROR_IFACE_NOT_UP);
694 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
696 p->opt.source, pcap_strerror(errno));
703 * We know the default link type -- now determine all the DLTs
704 * this interface supports. If this fails with EINVAL, it's
705 * not fatal; we just don't get to use the feature later.
706 * (We don't care about DLT_DOCSIS, so we pass DLT_NULL
707 * as the default DLT for this adapter.)
709 if (get_dlt_list(fd, DLT_NULL, &bdl, p->errbuf) == PCAP_ERROR) {
713 if (find_802_11(&bdl) != -1) {
715 * We have an 802.11 DLT, so we can set monitor mode.
722 #endif /* BIOCGDLTLIST */
724 #elif defined(HAVE_BSD_IEEE80211)
727 ret = monitor_mode(p, 0);
728 if (ret == PCAP_ERROR_RFMON_NOTSUP)
729 return (0); /* not an error, just a "can't do" */
731 return (1); /* success */
739 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps)
744 * "ps_recv" counts packets handed to the filter, not packets
745 * that passed the filter. This includes packets later dropped
746 * because we ran out of buffer space.
748 * "ps_drop" counts packets dropped inside the BPF device
749 * because we ran out of buffer space. It doesn't count
750 * packets dropped by the interface driver. It counts
751 * only packets that passed the filter.
753 * Both statistics include packets not yet read from the kernel
754 * by libpcap, and thus not yet seen by the application.
756 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
757 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
758 pcap_strerror(errno));
762 ps->ps_recv = s.bs_recv;
763 ps->ps_drop = s.bs_drop;
769 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
773 register u_char *bp, *ep;
778 #ifdef HAVE_ZEROCOPY_BPF
784 * Has "pcap_breakloop()" been called?
788 * Yes - clear the flag that indicates that it
789 * has, and return PCAP_ERROR_BREAK to indicate
790 * that we were told to break out of the loop.
793 return (PCAP_ERROR_BREAK);
798 * When reading without zero-copy from a file descriptor, we
799 * use a single buffer and return a length of data in the
800 * buffer. With zero-copy, we update the p->buffer pointer
801 * to point at whatever underlying buffer contains the next
802 * data and update cc to reflect the data found in the
805 #ifdef HAVE_ZEROCOPY_BPF
806 if (p->md.zerocopy) {
807 if (p->buffer != NULL)
809 i = pcap_next_zbuf(p, &cc);
817 cc = read(p->fd, (char *)p->buffer, p->bufsize);
820 /* Don't choke when we get ptraced */
829 * Sigh. More AIX wonderfulness.
831 * For some unknown reason the uiomove()
832 * operation in the bpf kernel extension
833 * used to copy the buffer into user
834 * space sometimes returns EFAULT. I have
835 * no idea why this is the case given that
836 * a kernel debugger shows the user buffer
837 * is correct. This problem appears to
838 * be mostly mitigated by the memset of
839 * the buffer before it is first used.
840 * Very strange.... Shaun Clowes
842 * In any case this means that we shouldn't
843 * treat EFAULT as a fatal error; as we
844 * don't have an API for returning
845 * a "some packets were dropped since
846 * the last packet you saw" indication,
847 * we just ignore EFAULT and keep reading.
857 * The device on which we're capturing
860 * XXX - we should really return
861 * PCAP_ERROR_IFACE_NOT_UP, but
862 * pcap_dispatch() etc. aren't
863 * defined to retur that.
865 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
866 "The interface went down");
869 #if defined(sun) && !defined(BSD) && !defined(__svr4__) && !defined(__SVR4)
871 * Due to a SunOS bug, after 2^31 bytes, the kernel
872 * file offset overflows and read fails with EINVAL.
873 * The lseek() to 0 will fix things.
876 if (lseek(p->fd, 0L, SEEK_CUR) +
878 (void)lseek(p->fd, 0L, SEEK_SET);
884 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s",
885 pcap_strerror(errno));
893 * Loop through each packet.
895 #define bhp ((struct bpf_hdr *)bp)
901 register int caplen, hdrlen;
904 * Has "pcap_breakloop()" been called?
905 * If so, return immediately - if we haven't read any
906 * packets, clear the flag and return PCAP_ERROR_BREAK
907 * to indicate that we were told to break out of the loop,
908 * otherwise leave the flag set, so that the *next* call
909 * will break out of the loop without having read any
910 * packets, and return the number of packets we've
916 return (PCAP_ERROR_BREAK);
924 caplen = bhp->bh_caplen;
925 hdrlen = bhp->bh_hdrlen;
928 * Short-circuit evaluation: if using BPF filter
929 * in kernel, no need to do it now - we already know
930 * the packet passed the filter.
933 * Note: the filter code was generated assuming
934 * that p->fddipad was the amount of padding
935 * before the header, as that's what's required
936 * in the kernel, so we run the filter before
937 * skipping that padding.
941 bpf_filter(p->fcode.bf_insns, datap, bhp->bh_datalen, caplen)) {
942 struct pcap_pkthdr pkthdr;
944 pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec;
947 * AIX's BPF returns seconds/nanoseconds time
948 * stamps, not seconds/microseconds time stamps.
950 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000;
952 pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec;
956 pkthdr.caplen = caplen - pad;
959 if (bhp->bh_datalen > pad)
960 pkthdr.len = bhp->bh_datalen - pad;
965 pkthdr.caplen = caplen;
966 pkthdr.len = bhp->bh_datalen;
968 (*callback)(user, &pkthdr, datap);
969 bp += BPF_WORDALIGN(caplen + hdrlen);
970 if (++n >= cnt && cnt > 0) {
979 bp += BPF_WORDALIGN(caplen + hdrlen);
988 pcap_inject_bpf(pcap_t *p, const void *buf, size_t size)
992 ret = write(p->fd, buf, size);
994 if (ret == -1 && errno == EAFNOSUPPORT) {
996 * In Mac OS X, there's a bug wherein setting the
997 * BIOCSHDRCMPLT flag causes writes to fail; see,
1000 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch
1002 * So, if, on OS X, we get EAFNOSUPPORT from the write, we
1003 * assume it's due to that bug, and turn off that flag
1004 * and try again. If we succeed, it either means that
1005 * somebody applied the fix from that URL, or other patches
1008 * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/
1010 * and are running a Darwin kernel with those fixes, or
1011 * that Apple fixed the problem in some OS X release.
1013 u_int spoof_eth_src = 0;
1015 if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
1016 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1017 "send: can't turn off BIOCSHDRCMPLT: %s",
1018 pcap_strerror(errno));
1019 return (PCAP_ERROR);
1023 * Now try the write again.
1025 ret = write(p->fd, buf, size);
1027 #endif /* __APPLE__ */
1029 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
1030 pcap_strerror(errno));
1031 return (PCAP_ERROR);
1038 bpf_odminit(char *errbuf)
1042 if (odm_initialize() == -1) {
1043 if (odm_err_msg(odmerrno, &errstr) == -1)
1044 errstr = "Unknown error";
1045 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1046 "bpf_load: odm_initialize failed: %s",
1048 return (PCAP_ERROR);
1051 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) {
1052 if (odm_err_msg(odmerrno, &errstr) == -1)
1053 errstr = "Unknown error";
1054 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1055 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s",
1057 (void)odm_terminate();
1058 return (PCAP_ERROR);
1065 bpf_odmcleanup(char *errbuf)
1069 if (odm_unlock(odmlockid) == -1) {
1070 if (errbuf != NULL) {
1071 if (odm_err_msg(odmerrno, &errstr) == -1)
1072 errstr = "Unknown error";
1073 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1074 "bpf_load: odm_unlock failed: %s",
1077 return (PCAP_ERROR);
1080 if (odm_terminate() == -1) {
1081 if (errbuf != NULL) {
1082 if (odm_err_msg(odmerrno, &errstr) == -1)
1083 errstr = "Unknown error";
1084 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1085 "bpf_load: odm_terminate failed: %s",
1088 return (PCAP_ERROR);
1095 bpf_load(char *errbuf)
1099 int numminors, i, rc;
1102 struct bpf_config cfg_bpf;
1103 struct cfg_load cfg_ld;
1104 struct cfg_kmod cfg_km;
1107 * This is very very close to what happens in the real implementation
1108 * but I've fixed some (unlikely) bug situations.
1113 if (bpf_odminit(errbuf) == PCAP_ERROR)
1114 return (PCAP_ERROR);
1116 major = genmajor(BPF_NAME);
1118 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1119 "bpf_load: genmajor failed: %s", pcap_strerror(errno));
1120 (void)bpf_odmcleanup(NULL);
1121 return (PCAP_ERROR);
1124 minors = getminor(major, &numminors, BPF_NAME);
1126 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1);
1128 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1129 "bpf_load: genminor failed: %s",
1130 pcap_strerror(errno));
1131 (void)bpf_odmcleanup(NULL);
1132 return (PCAP_ERROR);
1136 if (bpf_odmcleanup(errbuf) == PCAP_ERROR)
1137 return (PCAP_ERROR);
1139 rc = stat(BPF_NODE "0", &sbuf);
1140 if (rc == -1 && errno != ENOENT) {
1141 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1142 "bpf_load: can't stat %s: %s",
1143 BPF_NODE "0", pcap_strerror(errno));
1144 return (PCAP_ERROR);
1147 if (rc == -1 || getmajor(sbuf.st_rdev) != major) {
1148 for (i = 0; i < BPF_MINORS; i++) {
1149 sprintf(buf, "%s%d", BPF_NODE, i);
1151 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) {
1152 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1153 "bpf_load: can't mknod %s: %s",
1154 buf, pcap_strerror(errno));
1155 return (PCAP_ERROR);
1160 /* Check if the driver is loaded */
1161 memset(&cfg_ld, 0x0, sizeof(cfg_ld));
1163 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME);
1164 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) ||
1165 (cfg_ld.kmid == 0)) {
1166 /* Driver isn't loaded, load it now */
1167 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) {
1168 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1169 "bpf_load: could not load driver: %s",
1171 return (PCAP_ERROR);
1175 /* Configure the driver */
1176 cfg_km.cmd = CFG_INIT;
1177 cfg_km.kmid = cfg_ld.kmid;
1178 cfg_km.mdilen = sizeof(cfg_bpf);
1179 cfg_km.mdiptr = (void *)&cfg_bpf;
1180 for (i = 0; i < BPF_MINORS; i++) {
1181 cfg_bpf.devno = domakedev(major, i);
1182 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) {
1183 snprintf(errbuf, PCAP_ERRBUF_SIZE,
1184 "bpf_load: could not configure driver: %s",
1186 return (PCAP_ERROR);
1197 * Turn off rfmon mode if necessary.
1200 pcap_cleanup_bpf(pcap_t *p)
1202 #ifdef HAVE_BSD_IEEE80211
1204 struct ifmediareq req;
1208 if (p->md.must_do_on_close != 0) {
1210 * There's something we have to do when closing this
1213 #ifdef HAVE_BSD_IEEE80211
1214 if (p->md.must_do_on_close & MUST_CLEAR_RFMON) {
1216 * We put the interface into rfmon mode;
1217 * take it out of rfmon mode.
1219 * XXX - if somebody else wants it in rfmon
1220 * mode, this code cannot know that, so it'll take
1221 * it out of rfmon mode.
1223 sock = socket(AF_INET, SOCK_DGRAM, 0);
1226 "Can't restore interface flags (socket() failed: %s).\n"
1227 "Please adjust manually.\n",
1230 memset(&req, 0, sizeof(req));
1231 strncpy(req.ifm_name, p->md.device,
1232 sizeof(req.ifm_name));
1233 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
1235 "Can't restore interface flags (SIOCGIFMEDIA failed: %s).\n"
1236 "Please adjust manually.\n",
1239 if (req.ifm_current & IFM_IEEE80211_MONITOR) {
1241 * Rfmon mode is currently on;
1244 memset(&ifr, 0, sizeof(ifr));
1245 (void)strncpy(ifr.ifr_name,
1247 sizeof(ifr.ifr_name));
1249 req.ifm_current & ~IFM_IEEE80211_MONITOR;
1250 if (ioctl(sock, SIOCSIFMEDIA,
1253 "Can't restore interface flags (SIOCSIFMEDIA failed: %s).\n"
1254 "Please adjust manually.\n",
1262 #endif /* HAVE_BSD_IEEE80211 */
1265 * Take this pcap out of the list of pcaps for which we
1266 * have to take the interface out of some mode.
1268 pcap_remove_from_pcaps_to_close(p);
1269 p->md.must_do_on_close = 0;
1272 #ifdef HAVE_ZEROCOPY_BPF
1274 * In zero-copy mode, p->buffer is just a pointer into one of the two
1275 * memory-mapped buffers, so no need to free it.
1277 if (p->md.zerocopy) {
1278 if (p->md.zbuf1 != MAP_FAILED && p->md.zbuf1 != NULL)
1279 munmap(p->md.zbuf1, p->md.zbufsize);
1280 if (p->md.zbuf2 != MAP_FAILED && p->md.zbuf2 != NULL)
1281 munmap(p->md.zbuf2, p->md.zbufsize);
1284 if (p->md.device != NULL) {
1286 p->md.device = NULL;
1288 pcap_cleanup_live_common(p);
1292 check_setif_failure(pcap_t *p, int error)
1300 if (error == ENXIO) {
1302 * No such device exists.
1305 if (p->opt.rfmon && strncmp(p->opt.source, "wlt", 3) == 0) {
1307 * Monitor mode was requested, and we're trying
1308 * to open a "wltN" device. Assume that this
1309 * is 10.4 and that we were asked to open an
1310 * "enN" device; if that device exists, return
1311 * "monitor mode not supported on the device".
1313 fd = socket(AF_INET, SOCK_DGRAM, 0);
1315 strlcpy(ifr.ifr_name, "en",
1316 sizeof(ifr.ifr_name));
1317 strlcat(ifr.ifr_name, p->opt.source + 3,
1318 sizeof(ifr.ifr_name));
1319 if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) {
1321 * We assume this failed because
1322 * the underlying device doesn't
1325 err = PCAP_ERROR_NO_SUCH_DEVICE;
1326 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1327 "SIOCGIFFLAGS on %s failed: %s",
1328 ifr.ifr_name, pcap_strerror(errno));
1331 * The underlying "enN" device
1332 * exists, but there's no
1333 * corresponding "wltN" device;
1334 * that means that the "enN"
1335 * device doesn't support
1336 * monitor mode, probably because
1337 * it's an Ethernet device rather
1338 * than a wireless device.
1340 err = PCAP_ERROR_RFMON_NOTSUP;
1345 * We can't find out whether there's
1346 * an underlying "enN" device, so
1347 * just report "no such device".
1349 err = PCAP_ERROR_NO_SUCH_DEVICE;
1350 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1351 "socket() failed: %s",
1352 pcap_strerror(errno));
1360 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF failed: %s",
1361 pcap_strerror(errno));
1362 return (PCAP_ERROR_NO_SUCH_DEVICE);
1363 } else if (errno == ENETDOWN) {
1365 * Return a "network down" indication, so that
1366 * the application can report that rather than
1367 * saying we had a mysterious failure and
1368 * suggest that they report a problem to the
1369 * libpcap developers.
1371 return (PCAP_ERROR_IFACE_NOT_UP);
1374 * Some other error; fill in the error string, and
1375 * return PCAP_ERROR.
1377 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
1378 p->opt.source, pcap_strerror(errno));
1379 return (PCAP_ERROR);
1384 * Default capture buffer size.
1385 * 32K isn't very much for modern machines with fast networks; we
1386 * pick .5M, as that's the maximum on at least some systems with BPF.
1388 #define DEFAULT_BUFSIZE 524288
1391 pcap_activate_bpf(pcap_t *p)
1396 struct bpf_version bv;
1399 char *wltdev = NULL;
1402 struct bpf_dltlist bdl;
1403 #if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)
1406 #endif /* BIOCGDLTLIST */
1407 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
1408 u_int spoof_eth_src = 1;
1411 struct bpf_insn total_insn;
1412 struct bpf_program total_prog;
1413 struct utsname osinfo;
1414 int have_osinfo = 0;
1415 #ifdef HAVE_ZEROCOPY_BPF
1417 u_int bufmode, zbufmax;
1428 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
1429 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
1430 pcap_strerror(errno));
1431 status = PCAP_ERROR;
1434 if (bv.bv_major != BPF_MAJOR_VERSION ||
1435 bv.bv_minor < BPF_MINOR_VERSION) {
1436 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1437 "kernel bpf filter out of date");
1438 status = PCAP_ERROR;
1442 p->md.device = strdup(p->opt.source);
1443 if (p->md.device == NULL) {
1444 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s",
1445 pcap_strerror(errno));
1446 status = PCAP_ERROR;
1451 * Attempt to find out the version of the OS on which we're running.
1453 if (uname(&osinfo) == 0)
1458 * See comment in pcap_can_set_rfmon_bpf() for an explanation
1459 * of why we check the version number.
1464 * We assume osinfo.sysname is "Darwin", because
1465 * __APPLE__ is defined. We just check the version.
1467 if (osinfo.release[0] < '8' &&
1468 osinfo.release[1] == '.') {
1470 * 10.3 (Darwin 7.x) or earlier.
1472 status = PCAP_ERROR_RFMON_NOTSUP;
1475 if (osinfo.release[0] == '8' &&
1476 osinfo.release[1] == '.') {
1478 * 10.4 (Darwin 8.x). s/en/wlt/
1480 if (strncmp(p->opt.source, "en", 2) != 0) {
1482 * Not an enN device; check
1483 * whether the device even exists.
1485 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
1487 strlcpy(ifr.ifr_name,
1489 sizeof(ifr.ifr_name));
1490 if (ioctl(sockfd, SIOCGIFFLAGS,
1491 (char *)&ifr) < 0) {
1499 status = PCAP_ERROR_NO_SUCH_DEVICE;
1502 "SIOCGIFFLAGS failed: %s",
1503 pcap_strerror(errno));
1505 status = PCAP_ERROR_RFMON_NOTSUP;
1509 * We can't find out whether
1510 * the device exists, so just
1511 * report "no such device".
1513 status = PCAP_ERROR_NO_SUCH_DEVICE;
1516 "socket() failed: %s",
1517 pcap_strerror(errno));
1521 wltdev = malloc(strlen(p->opt.source) + 2);
1522 if (wltdev == NULL) {
1523 (void)snprintf(p->errbuf,
1524 PCAP_ERRBUF_SIZE, "malloc: %s",
1525 pcap_strerror(errno));
1526 status = PCAP_ERROR;
1529 strcpy(wltdev, "wlt");
1530 strcat(wltdev, p->opt.source + 2);
1531 free(p->opt.source);
1532 p->opt.source = wltdev;
1535 * Everything else is 10.5 or later; for those,
1536 * we just open the enN device, and set the DLT.
1540 #endif /* __APPLE__ */
1541 #ifdef HAVE_ZEROCOPY_BPF
1543 * If the BPF extension to set buffer mode is present, try setting
1544 * the mode to zero-copy. If that fails, use regular buffering. If
1545 * it succeeds but other setup fails, return an error to the user.
1547 bufmode = BPF_BUFMODE_ZBUF;
1548 if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) {
1550 * We have zerocopy BPF; use it.
1555 * Set the cleanup and set/get nonblocking mode ops
1556 * as appropriate for zero-copy mode.
1558 p->cleanup_op = pcap_cleanup_zbuf;
1559 p->setnonblock_op = pcap_setnonblock_zbuf;
1560 p->getnonblock_op = pcap_getnonblock_zbuf;
1563 * How to pick a buffer size: first, query the maximum buffer
1564 * size supported by zero-copy. This also lets us quickly
1565 * determine whether the kernel generally supports zero-copy.
1566 * Then, if a buffer size was specified, use that, otherwise
1567 * query the default buffer size, which reflects kernel
1568 * policy for a desired default. Round to the nearest page
1571 if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) {
1572 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGETZMAX: %s",
1573 pcap_strerror(errno));
1577 if (p->opt.buffer_size != 0) {
1579 * A buffer size was explicitly specified; use it.
1581 v = p->opt.buffer_size;
1583 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) ||
1584 v < DEFAULT_BUFSIZE)
1585 v = DEFAULT_BUFSIZE;
1588 #define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */
1590 p->md.zbufsize = roundup(v, getpagesize());
1591 if (p->md.zbufsize > zbufmax)
1592 p->md.zbufsize = zbufmax;
1593 p->md.zbuf1 = mmap(NULL, p->md.zbufsize, PROT_READ | PROT_WRITE,
1595 p->md.zbuf2 = mmap(NULL, p->md.zbufsize, PROT_READ | PROT_WRITE,
1597 if (p->md.zbuf1 == MAP_FAILED || p->md.zbuf2 == MAP_FAILED) {
1598 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "mmap: %s",
1599 pcap_strerror(errno));
1602 bzero(&bz, sizeof(bz));
1603 bz.bz_bufa = p->md.zbuf1;
1604 bz.bz_bufb = p->md.zbuf2;
1605 bz.bz_buflen = p->md.zbufsize;
1606 if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) {
1607 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETZBUF: %s",
1608 pcap_strerror(errno));
1611 (void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name));
1612 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
1613 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
1614 p->opt.source, pcap_strerror(errno));
1617 v = p->md.zbufsize - sizeof(struct bpf_zbuf_header);
1622 * We don't have zerocopy BPF.
1623 * Set the buffer size.
1625 if (p->opt.buffer_size != 0) {
1627 * A buffer size was explicitly specified; use it.
1629 if (ioctl(fd, BIOCSBLEN,
1630 (caddr_t)&p->opt.buffer_size) < 0) {
1631 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1632 "BIOCSBLEN: %s: %s", p->opt.source,
1633 pcap_strerror(errno));
1634 status = PCAP_ERROR;
1639 * Now bind to the device.
1641 (void)strncpy(ifr.ifr_name, p->opt.source,
1642 sizeof(ifr.ifr_name));
1643 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
1644 status = check_setif_failure(p, errno);
1649 * No buffer size was explicitly specified.
1651 * Try finding a good size for the buffer;
1652 * DEFAULT_BUFSIZE may be too big, so keep
1653 * cutting it in half until we find a size
1654 * that works, or run out of sizes to try.
1655 * If the default is larger, don't make it smaller.
1657 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) ||
1658 v < DEFAULT_BUFSIZE)
1659 v = DEFAULT_BUFSIZE;
1660 for ( ; v != 0; v >>= 1) {
1662 * Ignore the return value - this is because the
1663 * call fails on BPF systems that don't have
1664 * kernel malloc. And if the call fails, it's
1665 * no big deal, we just continue to use the
1666 * standard buffer size.
1668 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
1670 (void)strncpy(ifr.ifr_name, p->opt.source,
1671 sizeof(ifr.ifr_name));
1672 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
1673 break; /* that size worked; we're done */
1675 if (errno != ENOBUFS) {
1676 status = check_setif_failure(p, errno);
1682 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1683 "BIOCSBLEN: %s: No buffer size worked",
1685 status = PCAP_ERROR;
1691 /* Get the data link layer type. */
1692 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
1693 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
1694 pcap_strerror(errno));
1695 status = PCAP_ERROR;
1701 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
1724 * We don't know what to map this to yet.
1726 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
1728 status = PCAP_ERROR;
1732 #if _BSDI_VERSION - 0 >= 199510
1733 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
1748 case 12: /*DLT_C_HDLC*/
1756 * We know the default link type -- now determine all the DLTs
1757 * this interface supports. If this fails with EINVAL, it's
1758 * not fatal; we just don't get to use the feature later.
1760 if (get_dlt_list(fd, v, &bdl, p->errbuf) == -1) {
1761 status = PCAP_ERROR;
1764 p->dlt_count = bdl.bfl_len;
1765 p->dlt_list = bdl.bfl_list;
1769 * Monitor mode fun, continued.
1771 * For 10.5 and, we're assuming, later releases, as noted above,
1772 * 802.1 adapters that support monitor mode offer both DLT_EN10MB,
1773 * DLT_IEEE802_11, and possibly some 802.11-plus-radio-information
1774 * DLT_ value. Choosing one of the 802.11 DLT_ values will turn
1777 * Therefore, if the user asked for monitor mode, we filter out
1778 * the DLT_EN10MB value, as you can't get that in monitor mode,
1779 * and, if the user didn't ask for monitor mode, we filter out
1780 * the 802.11 DLT_ values, because selecting those will turn
1781 * monitor mode on. Then, for monitor mode, if an 802.11-plus-
1782 * radio DLT_ value is offered, we try to select that, otherwise
1783 * we try to select DLT_IEEE802_11.
1786 if (isdigit((unsigned)osinfo.release[0]) &&
1787 (osinfo.release[0] == '9' ||
1788 isdigit((unsigned)osinfo.release[1]))) {
1790 * 10.5 (Darwin 9.x), or later.
1792 new_dlt = find_802_11(&bdl);
1793 if (new_dlt != -1) {
1795 * We have at least one 802.11 DLT_ value,
1796 * so this is an 802.11 interface.
1797 * new_dlt is the best of the 802.11
1798 * DLT_ values in the list.
1802 * Our caller wants monitor mode.
1803 * Purge DLT_EN10MB from the list
1804 * of link-layer types, as selecting
1805 * it will keep monitor mode off.
1810 * If the new mode we want isn't
1811 * the default mode, attempt to
1812 * select the new mode.
1815 if (ioctl(p->fd, BIOCSDLT,
1827 * Our caller doesn't want
1828 * monitor mode. Unless this
1829 * is being done by pcap_open_live(),
1830 * purge the 802.11 link-layer types
1831 * from the list, as selecting
1832 * one of them will turn monitor
1841 * The caller requested monitor
1842 * mode, but we have no 802.11
1843 * link-layer types, so they
1846 status = PCAP_ERROR_RFMON_NOTSUP;
1852 #elif defined(HAVE_BSD_IEEE80211)
1854 * *BSD with the new 802.11 ioctls.
1855 * Do we want monitor mode?
1859 * Try to put the interface into monitor mode.
1861 status = monitor_mode(p, 1);
1870 * We're in monitor mode.
1871 * Try to find the best 802.11 DLT_ value and, if we
1872 * succeed, try to switch to that mode if we're not
1873 * already in that mode.
1875 new_dlt = find_802_11(&bdl);
1876 if (new_dlt != -1) {
1878 * We have at least one 802.11 DLT_ value.
1879 * new_dlt is the best of the 802.11
1880 * DLT_ values in the list.
1882 * If the new mode we want isn't the default mode,
1883 * attempt to select the new mode.
1886 if (ioctl(p->fd, BIOCSDLT, &new_dlt) != -1) {
1888 * We succeeded; make this the
1896 #endif /* various platforms */
1897 #endif /* BIOCGDLTLIST */
1900 * If this is an Ethernet device, and we don't have a DLT_ list,
1901 * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give
1902 * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to
1903 * do, but there's not much we can do about that without finding
1904 * some other way of determining whether it's an Ethernet or 802.11
1907 if (v == DLT_EN10MB && p->dlt_count == 0) {
1908 p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
1910 * If that fails, just leave the list empty.
1912 if (p->dlt_list != NULL) {
1913 p->dlt_list[0] = DLT_EN10MB;
1914 p->dlt_list[1] = DLT_DOCSIS;
1920 p->fddipad = PCAP_FDDIPAD;
1926 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
1928 * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so
1929 * the link-layer source address isn't forcibly overwritten.
1930 * (Should we ignore errors? Should we do this only if
1931 * we're open for writing?)
1933 * XXX - I seem to remember some packet-sending bug in some
1934 * BSDs - check CVS log for "bpf.c"?
1936 if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
1937 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1938 "BIOCSHDRCMPLT: %s", pcap_strerror(errno));
1939 status = PCAP_ERROR;
1944 #ifdef HAVE_ZEROCOPY_BPF
1945 if (p->md.timeout != 0 && !p->md.zerocopy) {
1947 if (p->md.timeout) {
1950 * XXX - is this seconds/nanoseconds in AIX?
1951 * (Treating it as such doesn't fix the timeout
1952 * problem described below.)
1954 * XXX - Mac OS X 10.6 mishandles BIOCSRTIMEOUT in
1955 * 64-bit userland - it takes, as an argument, a
1956 * "struct BPF_TIMEVAL", which has 32-bit tv_sec
1957 * and tv_usec, rather than a "struct timeval".
1959 * If this platform defines "struct BPF_TIMEVAL",
1960 * we check whether the structure size in BIOCSRTIMEOUT
1961 * is that of a "struct timeval" and, if not, we use
1962 * a "struct BPF_TIMEVAL" rather than a "struct timeval".
1963 * (That way, if the bug is fixed in a future release,
1964 * we will still do the right thing.)
1967 #ifdef HAVE_STRUCT_BPF_TIMEVAL
1968 struct BPF_TIMEVAL bpf_to;
1970 if (IOCPARM_LEN(BIOCSRTIMEOUT) != sizeof(struct timeval)) {
1971 bpf_to.tv_sec = p->md.timeout / 1000;
1972 bpf_to.tv_usec = (p->md.timeout * 1000) % 1000000;
1973 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&bpf_to) < 0) {
1974 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1975 "BIOCSRTIMEOUT: %s", pcap_strerror(errno));
1976 status = PCAP_ERROR;
1981 to.tv_sec = p->md.timeout / 1000;
1982 to.tv_usec = (p->md.timeout * 1000) % 1000000;
1983 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
1984 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1985 "BIOCSRTIMEOUT: %s", pcap_strerror(errno));
1986 status = PCAP_ERROR;
1989 #ifdef HAVE_STRUCT_BPF_TIMEVAL
1995 #ifdef BIOCIMMEDIATE
1997 * Darren Reed notes that
1999 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
2000 * timeout appears to be ignored and it waits until the buffer
2001 * is filled before returning. The result of not having it
2002 * set is almost worse than useless if your BPF filter
2003 * is reducing things to only a few packets (i.e. one every
2006 * so we turn BIOCIMMEDIATE mode on if this is AIX.
2008 * We don't turn it on for other platforms, as that means we
2009 * get woken up for every packet, which may not be what we want;
2010 * in the Winter 1993 USENIX paper on BPF, they say:
2012 * Since a process might want to look at every packet on a
2013 * network and the time between packets can be only a few
2014 * microseconds, it is not possible to do a read system call
2015 * per packet and BPF must collect the data from several
2016 * packets and return it as a unit when the monitoring
2017 * application does a read.
2019 * which I infer is the reason for the timeout - it means we
2020 * wait that amount of time, in the hopes that more packets
2021 * will arrive and we'll get them all with one read.
2023 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other
2024 * BSDs) causes the timeout to be ignored.
2026 * On the other hand, some platforms (e.g., Linux) don't support
2027 * timeouts, they just hand stuff to you as soon as it arrives;
2028 * if that doesn't cause a problem on those platforms, it may
2029 * be OK to have BIOCIMMEDIATE mode on BSD as well.
2031 * (Note, though, that applications may depend on the read
2032 * completing, even if no packets have arrived, when the timeout
2033 * expires, e.g. GUI applications that have to check for input
2034 * while waiting for packets to arrive; a non-zero timeout
2035 * prevents "select()" from working right on FreeBSD and
2036 * possibly other BSDs, as the timer doesn't start until a
2037 * "read()" is done, so the timer isn't in effect if the
2038 * application is blocked on a "select()", and the "select()"
2039 * doesn't get woken up for a BPF device until the buffer
2043 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
2044 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
2045 pcap_strerror(errno));
2046 status = PCAP_ERROR;
2049 #endif /* BIOCIMMEDIATE */
2052 if (p->opt.promisc) {
2053 /* set promiscuous mode, just warn if it fails */
2054 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
2055 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s",
2056 pcap_strerror(errno));
2057 status = PCAP_WARNING_PROMISC_NOTSUP;
2061 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
2062 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
2063 pcap_strerror(errno));
2064 status = PCAP_ERROR;
2068 #ifdef HAVE_ZEROCOPY_BPF
2069 if (!p->md.zerocopy) {
2071 p->buffer = (u_char *)malloc(p->bufsize);
2072 if (p->buffer == NULL) {
2073 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s",
2074 pcap_strerror(errno));
2075 status = PCAP_ERROR;
2079 /* For some strange reason this seems to prevent the EFAULT
2080 * problems we have experienced from AIX BPF. */
2081 memset(p->buffer, 0x0, p->bufsize);
2083 #ifdef HAVE_ZEROCOPY_BPF
2088 * If there's no filter program installed, there's
2089 * no indication to the kernel of what the snapshot
2090 * length should be, so no snapshotting is done.
2092 * Therefore, when we open the device, we install
2093 * an "accept everything" filter with the specified
2096 total_insn.code = (u_short)(BPF_RET | BPF_K);
2099 total_insn.k = p->snapshot;
2101 total_prog.bf_len = 1;
2102 total_prog.bf_insns = &total_insn;
2103 if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) {
2104 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
2105 pcap_strerror(errno));
2106 status = PCAP_ERROR;
2111 * On most BPF platforms, either you can do a "select()" or
2112 * "poll()" on a BPF file descriptor and it works correctly,
2113 * or you can do it and it will return "readable" if the
2114 * hold buffer is full but not if the timeout expires *and*
2115 * a non-blocking read will, if the hold buffer is empty
2116 * but the store buffer isn't empty, rotate the buffers
2117 * and return what packets are available.
2119 * In the latter case, the fact that a non-blocking read
2120 * will give you the available packets means you can work
2121 * around the failure of "select()" and "poll()" to wake up
2122 * and return "readable" when the timeout expires by using
2123 * the timeout as the "select()" or "poll()" timeout, putting
2124 * the BPF descriptor into non-blocking mode, and read from
2125 * it regardless of whether "select()" reports it as readable
2128 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()"
2129 * won't wake up and return "readable" if the timer expires
2130 * and non-blocking reads return EWOULDBLOCK if the hold
2131 * buffer is empty, even if the store buffer is non-empty.
2133 * This means the workaround in question won't work.
2135 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd"
2136 * to -1, which means "sorry, you can't use 'select()' or 'poll()'
2137 * here". On all other BPF platforms, we set it to the FD for
2138 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking
2139 * read will, if the hold buffer is empty and the store buffer
2140 * isn't empty, rotate the buffers and return what packets are
2141 * there (and in sufficiently recent versions of OpenBSD
2142 * "select()" and "poll()" should work correctly).
2144 * XXX - what about AIX?
2146 p->selectable_fd = p->fd; /* assume select() works until we know otherwise */
2149 * We can check what OS this is.
2151 if (strcmp(osinfo.sysname, "FreeBSD") == 0) {
2152 if (strncmp(osinfo.release, "4.3-", 4) == 0 ||
2153 strncmp(osinfo.release, "4.4-", 4) == 0)
2154 p->selectable_fd = -1;
2158 p->read_op = pcap_read_bpf;
2159 p->inject_op = pcap_inject_bpf;
2160 p->setfilter_op = pcap_setfilter_bpf;
2161 p->setdirection_op = pcap_setdirection_bpf;
2162 p->set_datalink_op = pcap_set_datalink_bpf;
2163 p->getnonblock_op = pcap_getnonblock_fd;
2164 p->setnonblock_op = pcap_setnonblock_fd;
2165 p->stats_op = pcap_stats_bpf;
2166 p->cleanup_op = pcap_cleanup_bpf;
2170 pcap_cleanup_bpf(p);
2175 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
2178 if (dag_platform_finddevs(alldevsp, errbuf) < 0)
2180 #endif /* HAVE_DAG_API */
2182 if (snf_platform_finddevs(alldevsp, errbuf) < 0)
2184 #endif /* HAVE_SNF_API */
2189 #ifdef HAVE_BSD_IEEE80211
2191 monitor_mode(pcap_t *p, int set)
2194 struct ifmediareq req;
2200 sock = socket(AF_INET, SOCK_DGRAM, 0);
2202 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't open socket: %s",
2203 pcap_strerror(errno));
2204 return (PCAP_ERROR);
2207 memset(&req, 0, sizeof req);
2208 strncpy(req.ifm_name, p->opt.source, sizeof req.ifm_name);
2211 * Find out how many media types we have.
2213 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
2215 * Can't get the media types.
2217 if (errno == EINVAL) {
2219 * Interface doesn't support SIOC{G,S}IFMEDIA.
2222 return (PCAP_ERROR_RFMON_NOTSUP);
2224 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA 1: %s",
2225 pcap_strerror(errno));
2227 return (PCAP_ERROR);
2229 if (req.ifm_count == 0) {
2234 return (PCAP_ERROR_RFMON_NOTSUP);
2238 * Allocate a buffer to hold all the media types, and
2239 * get the media types.
2241 media_list = malloc(req.ifm_count * sizeof(int));
2242 if (media_list == NULL) {
2243 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s",
2244 pcap_strerror(errno));
2246 return (PCAP_ERROR);
2248 req.ifm_ulist = media_list;
2249 if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
2250 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMEDIA: %s",
2251 pcap_strerror(errno));
2254 return (PCAP_ERROR);
2258 * Look for an 802.11 "automatic" media type.
2259 * We assume that all 802.11 adapters have that media type,
2260 * and that it will carry the monitor mode supported flag.
2263 for (i = 0; i < req.ifm_count; i++) {
2264 if (IFM_TYPE(media_list[i]) == IFM_IEEE80211
2265 && IFM_SUBTYPE(media_list[i]) == IFM_AUTO) {
2266 /* OK, does it do monitor mode? */
2267 if (media_list[i] & IFM_IEEE80211_MONITOR) {
2276 * This adapter doesn't support monitor mode.
2279 return (PCAP_ERROR_RFMON_NOTSUP);
2284 * Don't just check whether we can enable monitor mode,
2285 * do so, if it's not already enabled.
2287 if ((req.ifm_current & IFM_IEEE80211_MONITOR) == 0) {
2289 * Monitor mode isn't currently on, so turn it on,
2290 * and remember that we should turn it off when the
2295 * If we haven't already done so, arrange to have
2296 * "pcap_close_all()" called when we exit.
2298 if (!pcap_do_addexit(p)) {
2300 * "atexit()" failed; don't put the interface
2301 * in monitor mode, just give up.
2303 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2306 return (PCAP_ERROR);
2308 memset(&ifr, 0, sizeof(ifr));
2309 (void)strncpy(ifr.ifr_name, p->opt.source,
2310 sizeof(ifr.ifr_name));
2311 ifr.ifr_media = req.ifm_current | IFM_IEEE80211_MONITOR;
2312 if (ioctl(sock, SIOCSIFMEDIA, &ifr) == -1) {
2313 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2314 "SIOCSIFMEDIA: %s", pcap_strerror(errno));
2316 return (PCAP_ERROR);
2319 p->md.must_do_on_close |= MUST_CLEAR_RFMON;
2322 * Add this to the list of pcaps to close when we exit.
2324 pcap_add_to_pcaps_to_close(p);
2329 #endif /* HAVE_BSD_IEEE80211 */
2331 #if defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211))
2333 * Check whether we have any 802.11 link-layer types; return the best
2334 * of the 802.11 link-layer types if we find one, and return -1
2337 * DLT_IEEE802_11_RADIO, with the radiotap header, is considered the
2338 * best 802.11 link-layer type; any of the other 802.11-plus-radio
2339 * headers are second-best; 802.11 with no radio information is
2343 find_802_11(struct bpf_dltlist *bdlp)
2349 * Scan the list of DLT_ values, looking for 802.11 values,
2350 * and, if we find any, choose the best of them.
2353 for (i = 0; i < bdlp->bfl_len; i++) {
2354 switch (bdlp->bfl_list[i]) {
2356 case DLT_IEEE802_11:
2358 * 802.11, but no radio.
2360 * Offer this, and select it as the new mode
2361 * unless we've already found an 802.11
2362 * header with radio information.
2365 new_dlt = bdlp->bfl_list[i];
2368 case DLT_PRISM_HEADER:
2369 case DLT_AIRONET_HEADER:
2370 case DLT_IEEE802_11_RADIO_AVS:
2372 * 802.11 with radio, but not radiotap.
2374 * Offer this, and select it as the new mode
2375 * unless we've already found the radiotap DLT_.
2377 if (new_dlt != DLT_IEEE802_11_RADIO)
2378 new_dlt = bdlp->bfl_list[i];
2381 case DLT_IEEE802_11_RADIO:
2383 * 802.11 with radiotap.
2385 * Offer this, and select it as the new mode.
2387 new_dlt = bdlp->bfl_list[i];
2400 #endif /* defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) */
2402 #if defined(__APPLE__) && defined(BIOCGDLTLIST)
2404 * Remove DLT_EN10MB from the list of DLT_ values, as we're in monitor mode,
2405 * and DLT_EN10MB isn't supported in monitor mode.
2408 remove_en(pcap_t *p)
2413 * Scan the list of DLT_ values and discard DLT_EN10MB.
2416 for (i = 0; i < p->dlt_count; i++) {
2417 switch (p->dlt_list[i]) {
2421 * Don't offer this one.
2427 * Just copy this mode over.
2433 * Copy this DLT_ value to its new position.
2435 p->dlt_list[j] = p->dlt_list[i];
2440 * Set the DLT_ count to the number of entries we copied.
2446 * Remove 802.11 link-layer types from the list of DLT_ values, as
2447 * we're not in monitor mode, and those DLT_ values will switch us
2451 remove_802_11(pcap_t *p)
2456 * Scan the list of DLT_ values and discard 802.11 values.
2459 for (i = 0; i < p->dlt_count; i++) {
2460 switch (p->dlt_list[i]) {
2462 case DLT_IEEE802_11:
2463 case DLT_PRISM_HEADER:
2464 case DLT_AIRONET_HEADER:
2465 case DLT_IEEE802_11_RADIO:
2466 case DLT_IEEE802_11_RADIO_AVS:
2468 * 802.11. Don't offer this one.
2474 * Just copy this mode over.
2480 * Copy this DLT_ value to its new position.
2482 p->dlt_list[j] = p->dlt_list[i];
2487 * Set the DLT_ count to the number of entries we copied.
2491 #endif /* defined(__APPLE__) && defined(BIOCGDLTLIST) */
2494 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
2497 * Free any user-mode filter we might happen to have installed.
2499 pcap_freecode(&p->fcode);
2502 * Try to install the kernel filter.
2504 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) == 0) {
2508 p->md.use_bpf = 1; /* filtering in the kernel */
2511 * Discard any previously-received packets, as they might
2512 * have passed whatever filter was formerly in effect, but
2513 * might not pass this filter (BIOCSETF discards packets
2514 * buffered in the kernel, so you can lose packets in any
2524 * If it failed with EINVAL, that's probably because the program
2525 * is invalid or too big. Validate it ourselves; if we like it
2526 * (we currently allow backward branches, to support protochain),
2527 * run it in userland. (There's no notion of "too big" for
2530 * Otherwise, just give up.
2531 * XXX - if the copy of the program into the kernel failed,
2532 * we will get EINVAL rather than, say, EFAULT on at least
2535 if (errno != EINVAL) {
2536 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
2537 pcap_strerror(errno));
2542 * install_bpf_program() validates the program.
2544 * XXX - what if we already have a filter in the kernel?
2546 if (install_bpf_program(p, fp) < 0)
2548 p->md.use_bpf = 0; /* filtering in userland */
2553 * Set direction flag: Which packets do we accept on a forwarding
2554 * single device? IN, OUT or both?
2557 pcap_setdirection_bpf(pcap_t *p, pcap_direction_t d)
2559 #if defined(BIOCSDIRECTION)
2562 direction = (d == PCAP_D_IN) ? BPF_D_IN :
2563 ((d == PCAP_D_OUT) ? BPF_D_OUT : BPF_D_INOUT);
2564 if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) {
2565 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2566 "Cannot set direction to %s: %s",
2567 (d == PCAP_D_IN) ? "PCAP_D_IN" :
2568 ((d == PCAP_D_OUT) ? "PCAP_D_OUT" : "PCAP_D_INOUT"),
2573 #elif defined(BIOCSSEESENT)
2577 * We don't support PCAP_D_OUT.
2579 if (d == PCAP_D_OUT) {
2580 snprintf(p->errbuf, sizeof(p->errbuf),
2581 "Setting direction to PCAP_D_OUT is not supported on BPF");
2585 seesent = (d == PCAP_D_INOUT);
2586 if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) {
2587 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2588 "Cannot set direction to %s: %s",
2589 (d == PCAP_D_INOUT) ? "PCAP_D_INOUT" : "PCAP_D_IN",
2595 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2596 "This system doesn't support BIOCSSEESENT, so the direction can't be set");
2602 pcap_set_datalink_bpf(pcap_t *p, int dlt)
2605 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) {
2606 (void) snprintf(p->errbuf, sizeof(p->errbuf),
2607 "Cannot set DLT %d: %s", dlt, strerror(errno));
projects / profile / ivi / libpcap.git / blob