1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  */
21 
22 #ifdef HAVE_CONFIG_H
23 #include <config.h>
24 #endif
25 
26 #include <sys/param.h>
27 #include <sys/file.h>
28 #include <sys/ioctl.h>
29 #include <sys/socket.h>
30 #include <sys/time.h>
31 
32 #include <net/raw.h>
33 #include <net/if.h>
34 
35 #include <netinet/in.h>
36 #include <netinet/in_systm.h>
37 #include <netinet/ip.h>
38 #include <netinet/if_ether.h>
39 #include <netinet/ip_var.h>
40 #include <netinet/udp.h>
41 #include <netinet/udp_var.h>
42 #include <netinet/tcp.h>
43 #include <netinet/tcpip.h>
44 
45 #include <errno.h>
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <unistd.h>
50 
51 #include "pcap-int.h"
52 
53 #ifdef HAVE_OS_PROTO_H
54 #include "os-proto.h"
55 #endif
56 
57 /*
58  * Private data for capturing on snoop devices.
59  */
60 struct pcap_snoop {
61 	struct pcap_stat stat;
62 };
63 
64 static int
pcap_read_snoop(pcap_t * p,int cnt,pcap_handler callback,u_char * user)65 pcap_read_snoop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
66 {
67 	struct pcap_snoop *psn = p->priv;
68 	int cc;
69 	register struct snoopheader *sh;
70 	register u_int datalen;
71 	register u_int caplen;
72 	register u_char *cp;
73 
74 again:
75 	/*
76 	 * Has "pcap_breakloop()" been called?
77 	 */
78 	if (p->break_loop) {
79 		/*
80 		 * Yes - clear the flag that indicates that it
81 		 * has, and return -2 to indicate that we were
82 		 * told to break out of the loop.
83 		 */
84 		p->break_loop = 0;
85 		return (-2);
86 	}
87 	cc = read(p->fd, (char *)p->buffer, p->bufsize);
88 	if (cc < 0) {
89 		/* Don't choke when we get ptraced */
90 		switch (errno) {
91 
92 		case EINTR:
93 			goto again;
94 
95 		case EWOULDBLOCK:
96 			return (0);			/* XXX */
97 		}
98 		pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
99 		    errno, "read");
100 		return (-1);
101 	}
102 	sh = (struct snoopheader *)p->buffer;
103 	datalen = sh->snoop_packetlen;
104 
105 	/*
106 	 * XXX - Sigh, snoop_packetlen is a 16 bit quantity.  If we
107 	 * got a short length, but read a full sized snoop pakcet,
108 	 * assume we overflowed and add back the 64K...
109 	 */
110 	if (cc == (p->snapshot + sizeof(struct snoopheader)) &&
111 	    (datalen < p->snapshot))
112 		datalen += (64 * 1024);
113 
114 	caplen = (datalen < p->snapshot) ? datalen : p->snapshot;
115 	cp = (u_char *)(sh + 1) + p->offset;		/* XXX */
116 
117 	/*
118 	 * XXX unfortunately snoop loopback isn't exactly like
119 	 * BSD's.  The address family is encoded in the first 2
120 	 * bytes rather than the first 4 bytes!  Luckily the last
121 	 * two snoop loopback bytes are zeroed.
122 	 */
123 	if (p->linktype == DLT_NULL && *((short *)(cp + 2)) == 0) {
124 		u_int *uip = (u_int *)cp;
125 		*uip >>= 16;
126 	}
127 
128 	if (p->fcode.bf_insns == NULL ||
129 	    bpf_filter(p->fcode.bf_insns, cp, datalen, caplen)) {
130 		struct pcap_pkthdr h;
131 		++psn->stat.ps_recv;
132 		h.ts.tv_sec = sh->snoop_timestamp.tv_sec;
133 		h.ts.tv_usec = sh->snoop_timestamp.tv_usec;
134 		h.len = datalen;
135 		h.caplen = caplen;
136 		(*callback)(user, &h, cp);
137 		return (1);
138 	}
139 	return (0);
140 }
141 
142 static int
pcap_inject_snoop(pcap_t * p,const void * buf,size_t size)143 pcap_inject_snoop(pcap_t *p, const void *buf, size_t size)
144 {
145 	int ret;
146 
147 	/*
148 	 * XXX - libnet overwrites the source address with what I
149 	 * presume is the interface's address; is that required?
150 	 */
151 	ret = write(p->fd, buf, size);
152 	if (ret == -1) {
153 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
154 		    errno, "send");
155 		return (-1);
156 	}
157 	return (ret);
158 }
159 
160 static int
pcap_stats_snoop(pcap_t * p,struct pcap_stat * ps)161 pcap_stats_snoop(pcap_t *p, struct pcap_stat *ps)
162 {
163 	struct pcap_snoop *psn = p->priv;
164 	register struct rawstats *rs;
165 	struct rawstats rawstats;
166 
167 	rs = &rawstats;
168 	memset(rs, 0, sizeof(*rs));
169 	if (ioctl(p->fd, SIOCRAWSTATS, (char *)rs) < 0) {
170 		pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
171 		    errno, "SIOCRAWSTATS");
172 		return (-1);
173 	}
174 
175 	/*
176 	 * "ifdrops" are those dropped by the network interface
177 	 * due to resource shortages or hardware errors.
178 	 *
179 	 * "sbdrops" are those dropped due to socket buffer limits.
180 	 *
181 	 * As filter is done in userland, "sbdrops" counts packets
182 	 * regardless of whether they would've passed the filter.
183 	 *
184 	 * XXX - does this count *all* Snoop or Drain sockets,
185 	 * rather than just this socket?  If not, why does it have
186 	 * both Snoop and Drain statistics?
187 	 */
188 	psn->stat.ps_drop =
189 	    rs->rs_snoop.ss_ifdrops + rs->rs_snoop.ss_sbdrops +
190 	    rs->rs_drain.ds_ifdrops + rs->rs_drain.ds_sbdrops;
191 
192 	/*
193 	 * "ps_recv" counts only packets that passed the filter.
194 	 * As filtering is done in userland, this does not include
195 	 * packets dropped because we ran out of buffer space.
196 	 */
197 	*ps = psn->stat;
198 	return (0);
199 }
200 
201 /* XXX can't disable promiscuous */
202 static int
pcap_activate_snoop(pcap_t * p)203 pcap_activate_snoop(pcap_t *p)
204 {
205 	int fd;
206 	struct sockaddr_raw sr;
207 	struct snoopfilter sf;
208 	u_int v;
209 	int ll_hdrlen;
210 	int snooplen;
211 	struct ifreq ifr;
212 
213 	fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP);
214 	if (fd < 0) {
215 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
216 		    errno, "snoop socket");
217 		goto bad;
218 	}
219 	p->fd = fd;
220 	memset(&sr, 0, sizeof(sr));
221 	sr.sr_family = AF_RAW;
222 	(void)strncpy(sr.sr_ifname, p->opt.device, sizeof(sr.sr_ifname));
223 	if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) {
224 		/*
225 		 * XXX - there's probably a particular bind error that
226 		 * means "there's no such device" and a particular bind
227 		 * error that means "that device doesn't support snoop";
228 		 * they might be the same error, if they both end up
229 		 * meaning "snoop doesn't know about that device".
230 		 */
231 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
232 		    errno, "snoop bind");
233 		goto bad;
234 	}
235 	memset(&sf, 0, sizeof(sf));
236 	if (ioctl(fd, SIOCADDSNOOP, &sf) < 0) {
237 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
238 		    errno, "SIOCADDSNOOP");
239 		goto bad;
240 	}
241 	if (p->opt.buffer_size != 0)
242 		v = p->opt.buffer_size;
243 	else
244 		v = 64 * 1024;	/* default to 64K buffer size */
245 	(void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (char *)&v, sizeof(v));
246 	/*
247 	 * XXX hack - map device name to link layer type
248 	 */
249 	if (strncmp("et", p->opt.device, 2) == 0 ||	/* Challenge 10 Mbit */
250 	    strncmp("ec", p->opt.device, 2) == 0 ||	/* Indigo/Indy 10 Mbit,
251 							   O2 10/100 */
252 	    strncmp("ef", p->opt.device, 2) == 0 ||	/* O200/2000 10/100 Mbit */
253 	    strncmp("eg", p->opt.device, 2) == 0 ||	/* Octane/O2xxx/O3xxx Gigabit */
254 	    strncmp("gfe", p->opt.device, 3) == 0 ||	/* GIO 100 Mbit */
255 	    strncmp("fxp", p->opt.device, 3) == 0 ||	/* Challenge VME Enet */
256 	    strncmp("ep", p->opt.device, 2) == 0 ||	/* Challenge 8x10 Mbit EPLEX */
257 	    strncmp("vfe", p->opt.device, 3) == 0 ||	/* Challenge VME 100Mbit */
258 	    strncmp("fa", p->opt.device, 2) == 0 ||
259 	    strncmp("qaa", p->opt.device, 3) == 0 ||
260 	    strncmp("cip", p->opt.device, 3) == 0 ||
261 	    strncmp("el", p->opt.device, 2) == 0) {
262 		p->linktype = DLT_EN10MB;
263 		p->offset = RAW_HDRPAD(sizeof(struct ether_header));
264 		ll_hdrlen = sizeof(struct ether_header);
265 		/*
266 		 * This is (presumably) a real Ethernet capture; give it a
267 		 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
268 		 * that an application can let you choose it, in case you're
269 		 * capturing DOCSIS traffic that a Cisco Cable Modem
270 		 * Termination System is putting out onto an Ethernet (it
271 		 * doesn't put an Ethernet header onto the wire, it puts raw
272 		 * DOCSIS frames out on the wire inside the low-level
273 		 * Ethernet framing).
274 		 *
275 		 * XXX - are there any sorts of "fake Ethernet" that have
276 		 * Ethernet link-layer headers but that *shouldn't offer
277 		 * DLT_DOCSIS as a Cisco CMTS won't put traffic onto it
278 		 * or get traffic bridged onto it?  "el" is for ATM LANE
279 		 * Ethernet devices, so that might be the case for them;
280 		 * the same applies for "qaa" classical IP devices.  If
281 		 * "fa" devices are for FORE SPANS, that'd apply to them
282 		 * as well; what are "cip" devices - some other ATM
283 		 * Classical IP devices?
284 		 */
285 		p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
286 		/*
287 		 * If that fails, just leave the list empty.
288 		 */
289 		if (p->dlt_list != NULL) {
290 			p->dlt_list[0] = DLT_EN10MB;
291 			p->dlt_list[1] = DLT_DOCSIS;
292 			p->dlt_count = 2;
293 		}
294 	} else if (strncmp("ipg", p->opt.device, 3) == 0 ||
295 		   strncmp("rns", p->opt.device, 3) == 0 ||	/* O2/200/2000 FDDI */
296 		   strncmp("xpi", p->opt.device, 3) == 0) {
297 		p->linktype = DLT_FDDI;
298 		p->offset = 3;				/* XXX yeah? */
299 		ll_hdrlen = 13;
300 	} else if (strncmp("ppp", p->opt.device, 3) == 0) {
301 		p->linktype = DLT_RAW;
302 		ll_hdrlen = 0;	/* DLT_RAW meaning "no PPP header, just the IP packet"? */
303 	} else if (strncmp("qfa", p->opt.device, 3) == 0) {
304 		p->linktype = DLT_IP_OVER_FC;
305 		ll_hdrlen = 24;
306 	} else if (strncmp("pl", p->opt.device, 2) == 0) {
307 		p->linktype = DLT_RAW;
308 		ll_hdrlen = 0;	/* Cray UNICOS/mp pseudo link */
309 	} else if (strncmp("lo", p->opt.device, 2) == 0) {
310 		p->linktype = DLT_NULL;
311 		ll_hdrlen = 4;
312 	} else {
313 		pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
314 		    "snoop: unknown physical layer type");
315 		goto bad;
316 	}
317 
318 	if (p->opt.rfmon) {
319 		/*
320 		 * No monitor mode on Irix (no Wi-Fi devices on
321 		 * hardware supported by Irix).
322 		 */
323 		return (PCAP_ERROR_RFMON_NOTSUP);
324 	}
325 
326 	/*
327 	 * Turn a negative snapshot value (invalid), a snapshot value of
328 	 * 0 (unspecified), or a value bigger than the normal maximum
329 	 * value, into the maximum allowed value.
330 	 *
331 	 * If some application really *needs* a bigger snapshot
332 	 * length, we should just increase MAXIMUM_SNAPLEN.
333 	 */
334 	if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
335 		p->snapshot = MAXIMUM_SNAPLEN;
336 
337 #ifdef SIOCGIFMTU
338 	/*
339 	 * XXX - IRIX appears to give you an error if you try to set the
340 	 * capture length to be greater than the MTU, so let's try to get
341 	 * the MTU first and, if that succeeds, trim the snap length
342 	 * to be no greater than the MTU.
343 	 */
344 	(void)strncpy(ifr.ifr_name, p->opt.device, sizeof(ifr.ifr_name));
345 	if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) {
346 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
347 		    errno, "SIOCGIFMTU");
348 		goto bad;
349 	}
350 	/*
351 	 * OK, we got it.
352 	 *
353 	 * XXX - some versions of IRIX 6.5 define "ifr_mtu" and have an
354 	 * "ifru_metric" member of the "ifr_ifru" union in an "ifreq"
355 	 * structure, others don't.
356 	 *
357 	 * I've no idea what's going on, so, if "ifr_mtu" isn't defined,
358 	 * we define it as "ifr_metric", as using that field appears to
359 	 * work on the versions that lack "ifr_mtu" (and, on those that
360 	 * don't lack it, "ifru_metric" and "ifru_mtu" are both "int"
361 	 * members of the "ifr_ifru" union, which suggests that they
362 	 * may be interchangeable in this case).
363 	 */
364 #ifndef ifr_mtu
365 #define ifr_mtu	ifr_metric
366 #endif
367 	if (p->snapshot > ifr.ifr_mtu + ll_hdrlen)
368 		p->snapshot = ifr.ifr_mtu + ll_hdrlen;
369 #endif
370 
371 	/*
372 	 * The argument to SIOCSNOOPLEN is the number of link-layer
373 	 * payload bytes to capture - it doesn't count link-layer
374 	 * header bytes.
375 	 */
376 	snooplen = p->snapshot - ll_hdrlen;
377 	if (snooplen < 0)
378 		snooplen = 0;
379 	if (ioctl(fd, SIOCSNOOPLEN, &snooplen) < 0) {
380 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
381 		    errno, "SIOCSNOOPLEN");
382 		goto bad;
383 	}
384 	v = 1;
385 	if (ioctl(fd, SIOCSNOOPING, &v) < 0) {
386 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
387 		    errno, "SIOCSNOOPING");
388 		goto bad;
389 	}
390 
391 	p->bufsize = 4096;				/* XXX */
392 	p->buffer = malloc(p->bufsize);
393 	if (p->buffer == NULL) {
394 		pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
395 		    errno, "malloc");
396 		goto bad;
397 	}
398 
399 	/*
400 	 * "p->fd" is a socket, so "select()" should work on it.
401 	 */
402 	p->selectable_fd = p->fd;
403 
404 	p->read_op = pcap_read_snoop;
405 	p->inject_op = pcap_inject_snoop;
406 	p->setfilter_op = install_bpf_program;	/* no kernel filtering */
407 	p->setdirection_op = NULL;	/* Not implemented. */
408 	p->set_datalink_op = NULL;	/* can't change data link type */
409 	p->getnonblock_op = pcap_getnonblock_fd;
410 	p->setnonblock_op = pcap_setnonblock_fd;
411 	p->stats_op = pcap_stats_snoop;
412 
413 	return (0);
414  bad:
415 	pcap_cleanup_live_common(p);
416 	return (PCAP_ERROR);
417 }
418 
419 pcap_t *
pcap_create_interface(const char * device _U_,char * ebuf)420 pcap_create_interface(const char *device _U_, char *ebuf)
421 {
422 	pcap_t *p;
423 
424 	p = pcap_create_common(ebuf, sizeof (struct pcap_snoop));
425 	if (p == NULL)
426 		return (NULL);
427 
428 	p->activate_op = pcap_activate_snoop;
429 	return (p);
430 }
431 
432 /*
433  * XXX - there's probably a particular bind error that means "that device
434  * doesn't support snoop"; if so, we should try a bind and use that.
435  */
436 static int
can_be_bound(const char * name _U_)437 can_be_bound(const char *name _U_)
438 {
439 	return (1);
440 }
441 
442 static int
get_if_flags(const char * name _U_,bpf_u_int32 * flags _U_,char * errbuf _U_)443 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
444 {
445 	/*
446 	 * Nothing we can do.
447 	 * XXX - is there a way to find out whether an adapter has
448 	 * something plugged into it?
449 	 */
450 	return (0);
451 }
452 
453 int
pcap_platform_finddevs(pcap_if_list_t * devlistp,char * errbuf)454 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
455 {
456 	return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound,
457 	    get_if_flags));
458 }
459 
460 /*
461  * Libpcap version string.
462  */
463 const char *
pcap_lib_version(void)464 pcap_lib_version(void)
465 {
466 	return (PCAP_VERSION_STRING);
467 }
468