libpcap  1.10.1
About: libpcap is a packet filter library used by tools like tcpdump.
  Fossies Dox: libpcap-1.10.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

pcap-bpf.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 1993, 1994, 1995, 1996, 1998
3  * The Regents of the University of California. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  */
21 
22 #ifdef HAVE_CONFIG_H
23 #include <config.h>
24 #endif
25 
26 #include <sys/param.h> /* optionally get BSD define */
27 #include <sys/socket.h>
28 #include <time.h>
29 /*
30  * <net/bpf.h> defines ioctls, but doesn't include <sys/ioccom.h>.
31  *
32  * We include <sys/ioctl.h> as it might be necessary to declare ioctl();
33  * at least on *BSD and macOS, it also defines various SIOC ioctls -
34  * we could include <sys/sockio.h>, but if we're already including
35  * <sys/ioctl.h>, which includes <sys/sockio.h> on those platforms,
36  * there's not much point in doing so.
37  *
38  * If we have <sys/ioccom.h>, we include it as well, to handle systems
39  * such as Solaris which don't arrange to include <sys/ioccom.h> if you
40  * include <sys/ioctl.h>
41  */
42 #include <sys/ioctl.h>
43 #ifdef HAVE_SYS_IOCCOM_H
44 #include <sys/ioccom.h>
45 #endif
46 #include <sys/utsname.h>
47 
48 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2)
49 /*
50  * Add support for capturing on FreeBSD usbusN interfaces.
51  */
52 static const char usbus_prefix[] = "usbus";
53 #define USBUS_PREFIX_LEN (sizeof(usbus_prefix) - 1)
54 #include <dirent.h>
55 #endif
56 
57 #include <net/if.h>
58 
59 #ifdef _AIX
60 
61 /*
62  * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
63  * native OS version, as we need "struct bpf_config" from it.
64  */
65 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
66 
67 #include <sys/types.h>
68 
69 /*
70  * Prevent bpf.h from redefining the DLT_ values to their
71  * IFT_ values, as we're going to return the standard libpcap
72  * values, not IBM's non-standard IFT_ values.
73  */
74 #undef _AIX
75 #include <net/bpf.h>
76 #define _AIX
77 
78 /*
79  * If both BIOCROTZBUF and BPF_BUFMODE_ZBUF are defined, we have
80  * zero-copy BPF.
81  */
82 #if defined(BIOCROTZBUF) && defined(BPF_BUFMODE_ZBUF)
83  #define HAVE_ZEROCOPY_BPF
84  #include <sys/mman.h>
85  #include <machine/atomic.h>
86 #endif
87 
88 #include <net/if_types.h> /* for IFT_ values */
89 #include <sys/sysconfig.h>
90 #include <sys/device.h>
91 #include <sys/cfgodm.h>
92 #include <cf.h>
93 
94 #ifdef __64BIT__
95 #define domakedev makedev64
96 #define getmajor major64
97 #define bpf_hdr bpf_hdr32
98 #else /* __64BIT__ */
99 #define domakedev makedev
100 #define getmajor major
101 #endif /* __64BIT__ */
102 
103 #define BPF_NAME "bpf"
104 #define BPF_MINORS 4
105 #define DRIVER_PATH "/usr/lib/drivers"
106 #define BPF_NODE "/dev/bpf"
107 static int bpfloadedflag = 0;
108 static int odmlockid = 0;
109 
110 static int bpf_load(char *errbuf);
111 
112 #else /* _AIX */
113 
114 #include <net/bpf.h>
115 
116 #endif /* _AIX */
117 
118 #include <fcntl.h>
119 #include <errno.h>
120 #include <netdb.h>
121 #include <stdio.h>
122 #include <stdlib.h>
123 #include <string.h>
124 #include <unistd.h>
125 
126 #ifdef SIOCGIFMEDIA
127 # include <net/if_media.h>
128 #endif
129 
130 #include "pcap-int.h"
131 
132 #ifdef HAVE_OS_PROTO_H
133 #include "os-proto.h"
134 #endif
135 
136 /*
137  * Later versions of NetBSD stick padding in front of FDDI frames
138  * to align the IP header on a 4-byte boundary.
139  */
140 #if defined(__NetBSD__) && __NetBSD_Version__ > 106000000
141 #define PCAP_FDDIPAD 3
142 #endif
143 
144 /*
145  * Private data for capturing on BPF devices.
146  */
147 struct pcap_bpf {
148 #ifdef HAVE_ZEROCOPY_BPF
149  /*
150  * Zero-copy read buffer -- for zero-copy BPF. 'buffer' above will
151  * alternative between these two actual mmap'd buffers as required.
152  * As there is a header on the front size of the mmap'd buffer, only
153  * some of the buffer is exposed to libpcap as a whole via bufsize;
154  * zbufsize is the true size. zbuffer tracks the current zbuf
155  * associated with buffer so that it can be used to decide which the
156  * next buffer to read will be.
157  */
158  u_char *zbuf1, *zbuf2, *zbuffer;
159  u_int zbufsize;
160  u_int zerocopy;
161  u_int interrupted;
162  struct timespec firstsel;
163  /*
164  * If there's currently a buffer being actively processed, then it is
165  * referenced here; 'buffer' is also pointed at it, but offset by the
166  * size of the header.
167  */
168  struct bpf_zbuf_header *bzh;
169  int nonblock; /* true if in nonblocking mode */
170 #endif /* HAVE_ZEROCOPY_BPF */
171 
172  char *device; /* device name */
173  int filtering_in_kernel; /* using kernel filter */
174  int must_do_on_close; /* stuff we must do when we close */
175 };
176 
177 /*
178  * Stuff to do when we close.
179  */
180 #define MUST_CLEAR_RFMON 0x00000001 /* clear rfmon (monitor) mode */
181 #define MUST_DESTROY_USBUS 0x00000002 /* destroy usbusN interface */
182 
183 #ifdef BIOCGDLTLIST
184 # if (defined(HAVE_NET_IF_MEDIA_H) && defined(IFM_IEEE80211)) && !defined(__APPLE__)
185 #define HAVE_BSD_IEEE80211
186 
187 /*
188  * The ifm_ulist member of a struct ifmediareq is an int * on most systems,
189  * but it's a uint64_t on newer versions of OpenBSD.
190  *
191  * We check this by checking whether IFM_GMASK is defined and > 2^32-1.
192  */
193 # if defined(IFM_GMASK) && IFM_GMASK > 0xFFFFFFFF
194 # define IFM_ULIST_TYPE uint64_t
195 # else
196 # define IFM_ULIST_TYPE int
197 # endif
198 # endif
199 
200 # if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)
201 static int find_802_11(struct bpf_dltlist *);
202 
203 # ifdef HAVE_BSD_IEEE80211
204 static int monitor_mode(pcap_t *, int);
205 # endif
206 
207 # if defined(__APPLE__)
208 static void remove_non_802_11(pcap_t *);
209 static void remove_802_11(pcap_t *);
210 # endif
211 
212 # endif /* defined(__APPLE__) || defined(HAVE_BSD_IEEE80211) */
213 
214 #endif /* BIOCGDLTLIST */
215 
216 #if defined(sun) && defined(LIFNAMSIZ) && defined(lifr_zoneid)
217 #include <zone.h>
218 #endif
219 
220 /*
221  * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
222  * don't get DLT_DOCSIS defined.
223  */
224 #ifndef DLT_DOCSIS
225 #define DLT_DOCSIS 143
226 #endif
227 
228 /*
229  * In some versions of macOS, we might not even get any of the
230  * 802.11-plus-radio-header DLT_'s defined, even though some
231  * of them are used by various Airport drivers in those versions.
232  */
233 #ifndef DLT_PRISM_HEADER
234 #define DLT_PRISM_HEADER 119
235 #endif
236 #ifndef DLT_AIRONET_HEADER
237 #define DLT_AIRONET_HEADER 120
238 #endif
239 #ifndef DLT_IEEE802_11_RADIO
240 #define DLT_IEEE802_11_RADIO 127
241 #endif
242 #ifndef DLT_IEEE802_11_RADIO_AVS
243 #define DLT_IEEE802_11_RADIO_AVS 163
244 #endif
245 
246 static int pcap_can_set_rfmon_bpf(pcap_t *p);
247 static int pcap_activate_bpf(pcap_t *p);
248 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
250 static int pcap_set_datalink_bpf(pcap_t *p, int dlt);
251 
252 /*
253  * For zerocopy bpf, the setnonblock/getnonblock routines need to modify
254  * pb->nonblock so we don't call select(2) if the pcap handle is in non-
255  * blocking mode.
256  */
257 static int
259 {
260 #ifdef HAVE_ZEROCOPY_BPF
261  struct pcap_bpf *pb = p->priv;
262 
263  if (pb->zerocopy)
264  return (pb->nonblock);
265 #endif
266  return (pcap_getnonblock_fd(p));
267 }
268 
269 static int
270 pcap_setnonblock_bpf(pcap_t *p, int nonblock)
271 {
272 #ifdef HAVE_ZEROCOPY_BPF
273  struct pcap_bpf *pb = p->priv;
274 
275  if (pb->zerocopy) {
276  pb->nonblock = nonblock;
277  return (0);
278  }
279 #endif
280  return (pcap_setnonblock_fd(p, nonblock));
281 }
282 
283 #ifdef HAVE_ZEROCOPY_BPF
284 /*
285  * Zero-copy BPF buffer routines to check for and acknowledge BPF data in
286  * shared memory buffers.
287  *
288  * pcap_next_zbuf_shm(): Check for a newly available shared memory buffer,
289  * and set up p->buffer and cc to reflect one if available. Notice that if
290  * there was no prior buffer, we select zbuf1 as this will be the first
291  * buffer filled for a fresh BPF session.
292  */
293 static int
294 pcap_next_zbuf_shm(pcap_t *p, int *cc)
295 {
296  struct pcap_bpf *pb = p->priv;
297  struct bpf_zbuf_header *bzh;
298 
299  if (pb->zbuffer == pb->zbuf2 || pb->zbuffer == NULL) {
300  bzh = (struct bpf_zbuf_header *)pb->zbuf1;
301  if (bzh->bzh_user_gen !=
302  atomic_load_acq_int(&bzh->bzh_kernel_gen)) {
303  pb->bzh = bzh;
304  pb->zbuffer = (u_char *)pb->zbuf1;
305  p->buffer = pb->zbuffer + sizeof(*bzh);
306  *cc = bzh->bzh_kernel_len;
307  return (1);
308  }
309  } else if (pb->zbuffer == pb->zbuf1) {
310  bzh = (struct bpf_zbuf_header *)pb->zbuf2;
311  if (bzh->bzh_user_gen !=
312  atomic_load_acq_int(&bzh->bzh_kernel_gen)) {
313  pb->bzh = bzh;
314  pb->zbuffer = (u_char *)pb->zbuf2;
315  p->buffer = pb->zbuffer + sizeof(*bzh);
316  *cc = bzh->bzh_kernel_len;
317  return (1);
318  }
319  }
320  *cc = 0;
321  return (0);
322 }
323 
324 /*
325  * pcap_next_zbuf() -- Similar to pcap_next_zbuf_shm(), except wait using
326  * select() for data or a timeout, and possibly force rotation of the buffer
327  * in the event we time out or are in immediate mode. Invoke the shared
328  * memory check before doing system calls in order to avoid doing avoidable
329  * work.
330  */
331 static int
332 pcap_next_zbuf(pcap_t *p, int *cc)
333 {
334  struct pcap_bpf *pb = p->priv;
335  struct bpf_zbuf bz;
336  struct timeval tv;
337  struct timespec cur;
338  fd_set r_set;
339  int data, r;
340  int expire, tmout;
341 
342 #define TSTOMILLI(ts) (((ts)->tv_sec * 1000) + ((ts)->tv_nsec / 1000000))
343  /*
344  * Start out by seeing whether anything is waiting by checking the
345  * next shared memory buffer for data.
346  */
347  data = pcap_next_zbuf_shm(p, cc);
348  if (data)
349  return (data);
350  /*
351  * If a previous sleep was interrupted due to signal delivery, make
352  * sure that the timeout gets adjusted accordingly. This requires
353  * that we analyze when the timeout should be been expired, and
354  * subtract the current time from that. If after this operation,
355  * our timeout is less then or equal to zero, handle it like a
356  * regular timeout.
357  */
358  tmout = p->opt.timeout;
359  if (tmout)
360  (void) clock_gettime(CLOCK_MONOTONIC, &cur);
361  if (pb->interrupted && p->opt.timeout) {
362  expire = TSTOMILLI(&pb->firstsel) + p->opt.timeout;
363  tmout = expire - TSTOMILLI(&cur);
364 #undef TSTOMILLI
365  if (tmout <= 0) {
366  pb->interrupted = 0;
367  data = pcap_next_zbuf_shm(p, cc);
368  if (data)
369  return (data);
370  if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) {
372  PCAP_ERRBUF_SIZE, errno, "BIOCROTZBUF");
373  return (PCAP_ERROR);
374  }
375  return (pcap_next_zbuf_shm(p, cc));
376  }
377  }
378  /*
379  * No data in the buffer, so must use select() to wait for data or
380  * the next timeout. Note that we only call select if the handle
381  * is in blocking mode.
382  */
383  if (!pb->nonblock) {
384  FD_ZERO(&r_set);
385  FD_SET(p->fd, &r_set);
386  if (tmout != 0) {
387  tv.tv_sec = tmout / 1000;
388  tv.tv_usec = (tmout * 1000) % 1000000;
389  }
390  r = select(p->fd + 1, &r_set, NULL, NULL,
391  p->opt.timeout != 0 ? &tv : NULL);
392  if (r < 0 && errno == EINTR) {
393  if (!pb->interrupted && p->opt.timeout) {
394  pb->interrupted = 1;
395  pb->firstsel = cur;
396  }
397  return (0);
398  } else if (r < 0) {
400  errno, "select");
401  return (PCAP_ERROR);
402  }
403  }
404  pb->interrupted = 0;
405  /*
406  * Check again for data, which may exist now that we've either been
407  * woken up as a result of data or timed out. Try the "there's data"
408  * case first since it doesn't require a system call.
409  */
410  data = pcap_next_zbuf_shm(p, cc);
411  if (data)
412  return (data);
413  /*
414  * Try forcing a buffer rotation to dislodge timed out or immediate
415  * data.
416  */
417  if (ioctl(p->fd, BIOCROTZBUF, &bz) < 0) {
419  errno, "BIOCROTZBUF");
420  return (PCAP_ERROR);
421  }
422  return (pcap_next_zbuf_shm(p, cc));
423 }
424 
425 /*
426  * Notify kernel that we are done with the buffer. We don't reset zbuffer so
427  * that we know which buffer to use next time around.
428  */
429 static int
430 pcap_ack_zbuf(pcap_t *p)
431 {
432  struct pcap_bpf *pb = p->priv;
433 
434  atomic_store_rel_int(&pb->bzh->bzh_user_gen,
435  pb->bzh->bzh_kernel_gen);
436  pb->bzh = NULL;
437  p->buffer = NULL;
438  return (0);
439 }
440 #endif /* HAVE_ZEROCOPY_BPF */
441 
442 pcap_t *
443 pcap_create_interface(const char *device _U_, char *ebuf)
444 {
445  pcap_t *p;
446 
447  p = PCAP_CREATE_COMMON(ebuf, struct pcap_bpf);
448  if (p == NULL)
449  return (NULL);
450 
453 #ifdef BIOCSTSTAMP
454  /*
455  * We claim that we support microsecond and nanosecond time
456  * stamps.
457  */
458  p->tstamp_precision_list = malloc(2 * sizeof(u_int));
459  if (p->tstamp_precision_list == NULL) {
461  "malloc");
462  free(p);
463  return (NULL);
464  }
467  p->tstamp_precision_count = 2;
468 #endif /* BIOCSTSTAMP */
469  return (p);
470 }
471 
472 /*
473  * On success, returns a file descriptor for a BPF device.
474  * On failure, returns a PCAP_ERROR_ value, and sets p->errbuf.
475  */
476 static int
477 bpf_open(char *errbuf)
478 {
479  int fd = -1;
480  static const char cloning_device[] = "/dev/bpf";
481  int n = 0;
482  char device[sizeof "/dev/bpf0000000000"];
483  static int no_cloning_bpf = 0;
484 
485 #ifdef _AIX
486  /*
487  * Load the bpf driver, if it isn't already loaded,
488  * and create the BPF device entries, if they don't
489  * already exist.
490  */
491  if (bpf_load(errbuf) == PCAP_ERROR)
492  return (PCAP_ERROR);
493 #endif
494 
495  /*
496  * First, unless we've already tried opening /dev/bpf and
497  * gotten ENOENT, try opening /dev/bpf.
498  * If it fails with ENOENT, remember that, so we don't try
499  * again, and try /dev/bpfN.
500  */
501  if (!no_cloning_bpf &&
502  (fd = open(cloning_device, O_RDWR)) == -1 &&
503  ((errno != EACCES && errno != ENOENT) ||
504  (fd = open(cloning_device, O_RDONLY)) == -1)) {
505  if (errno != ENOENT) {
506  if (errno == EACCES)
508  else
509  fd = PCAP_ERROR;
511  errno, "(cannot open device) %s", cloning_device);
512  return (fd);
513  }
514  no_cloning_bpf = 1;
515  }
516 
517  if (no_cloning_bpf) {
518  /*
519  * We don't have /dev/bpf.
520  * Go through all the /dev/bpfN minors and find one
521  * that isn't in use.
522  */
523  do {
524  (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
525  /*
526  * Initially try a read/write open (to allow the inject
527  * method to work). If that fails due to permission
528  * issues, fall back to read-only. This allows a
529  * non-root user to be granted specific access to pcap
530  * capabilities via file permissions.
531  *
532  * XXX - we should have an API that has a flag that
533  * controls whether to open read-only or read-write,
534  * so that denial of permission to send (or inability
535  * to send, if sending packets isn't supported on
536  * the device in question) can be indicated at open
537  * time.
538  */
539  fd = open(device, O_RDWR);
540  if (fd == -1 && errno == EACCES)
541  fd = open(device, O_RDONLY);
542  } while (fd < 0 && errno == EBUSY);
543  }
544 
545  /*
546  * XXX better message for all minors used
547  */
548  if (fd < 0) {
549  switch (errno) {
550 
551  case ENOENT:
552  fd = PCAP_ERROR;
553  if (n == 1) {
554  /*
555  * /dev/bpf0 doesn't exist, which
556  * means we probably have no BPF
557  * devices.
558  */
559  snprintf(errbuf, PCAP_ERRBUF_SIZE,
560  "(there are no BPF devices)");
561  } else {
562  /*
563  * We got EBUSY on at least one
564  * BPF device, so we have BPF
565  * devices, but all the ones
566  * that exist are busy.
567  */
568  snprintf(errbuf, PCAP_ERRBUF_SIZE,
569  "(all BPF devices are busy)");
570  }
571  break;
572 
573  case EACCES:
574  /*
575  * Got EACCES on the last device we tried,
576  * and EBUSY on all devices before that,
577  * if any.
578  */
581  errno, "(cannot open BPF device) %s", device);
582  break;
583 
584  default:
585  /*
586  * Some other problem.
587  */
588  fd = PCAP_ERROR;
590  errno, "(cannot open BPF device) %s", device);
591  break;
592  }
593  }
594 
595  return (fd);
596 }
597 
598 /*
599  * Bind a network adapter to a BPF device, given a descriptor for the
600  * BPF device and the name of the network adapter.
601  *
602  * Use BIOCSETLIF if available (meaning "on Solaris"), as it supports
603  * longer device names.
604  *
605  * If the name is longer than will fit, return PCAP_ERROR_NO_SUCH_DEVICE
606  * before trying to bind the interface, as there cannot be such a device.
607  *
608  * If the attempt succeeds, return BPF_BIND_SUCCEEDED.
609  *
610  * If the attempt fails:
611  *
612  * if it fails with ENXIO, return PCAP_ERROR_NO_SUCH_DEVICE, as
613  * the device doesn't exist;
614  *
615  * if it fails with ENETDOWN, return PCAP_ERROR_IFACE_NOT_UP, as
616  * the interface exists but isn't up and the OS doesn't allow
617  * binding to an interface that isn't up;
618  *
619  * if it fails with ENOBUFS, return BPF_BIND_BUFFER_TOO_BIG, and
620  * fill in an error message, as the buffer being requested is too
621  * large;
622  *
623  * otherwise, return PCAP_ERROR and fill in an error message.
624  */
625 #define BPF_BIND_SUCCEEDED 0
626 #define BPF_BIND_BUFFER_TOO_BIG 1
627 
628 static int
629 bpf_bind(int fd, const char *name, char *errbuf)
630 {
631  int status;
632 #ifdef LIFNAMSIZ
633  struct lifreq ifr;
634 
635  if (strlen(name) >= sizeof(ifr.lifr_name)) {
636  /* The name is too long, so it can't possibly exist. */
637  return (PCAP_ERROR_NO_SUCH_DEVICE);
638  }
639  (void)pcap_strlcpy(ifr.lifr_name, name, sizeof(ifr.lifr_name));
640  status = ioctl(fd, BIOCSETLIF, (caddr_t)&ifr);
641 #else
642  struct ifreq ifr;
643 
644  if (strlen(name) >= sizeof(ifr.ifr_name)) {
645  /* The name is too long, so it can't possibly exist. */
646  return (PCAP_ERROR_NO_SUCH_DEVICE);
647  }
648  (void)pcap_strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
649  status = ioctl(fd, BIOCSETIF, (caddr_t)&ifr);
650 #endif
651 
652  if (status < 0) {
653  switch (errno) {
654 
655  case ENXIO:
656  /*
657  * There's no such device.
658  */
659  return (PCAP_ERROR_NO_SUCH_DEVICE);
660 
661  case ENETDOWN:
662  /*
663  * Return a "network down" indication, so that
664  * the application can report that rather than
665  * saying we had a mysterious failure and
666  * suggest that they report a problem to the
667  * libpcap developers.
668  */
669  return (PCAP_ERROR_IFACE_NOT_UP);
670 
671  case ENOBUFS:
672  /*
673  * The buffer size is too big.
674  * Return a special indication so that, if we're
675  * trying to crank the buffer size down, we know
676  * we have to continue; add an error message that
677  * tells the user what needs to be fixed.
678  */
680  errno, "The requested buffer size for %s is too large",
681  name);
682  return (BPF_BIND_BUFFER_TOO_BIG);
683 
684  default:
686  errno, "Binding interface %s to BPF device failed",
687  name);
688  return (PCAP_ERROR);
689  }
690  }
691  return (BPF_BIND_SUCCEEDED);
692 }
693 
694 /*
695  * Open and bind to a device; used if we're not actually going to use
696  * the device, but are just testing whether it can be opened, or opening
697  * it to get information about it.
698  *
699  * Returns an error code on failure (always negative), and an FD for
700  * the now-bound BPF device on success (always non-negative).
701  */
702 static int
703 bpf_open_and_bind(const char *name, char *errbuf)
704 {
705  int fd;
706  int status;
707 
708  /*
709  * First, open a BPF device.
710  */
711  fd = bpf_open(errbuf);
712  if (fd < 0)
713  return (fd); /* fd is the appropriate error code */
714 
715  /*
716  * Now bind to the device.
717  */
718  status = bpf_bind(fd, name, errbuf);
719  if (status != BPF_BIND_SUCCEEDED) {
720  close(fd);
721  if (status == BPF_BIND_BUFFER_TOO_BIG) {
722  /*
723  * We didn't specify a buffer size, so
724  * this *really* shouldn't fail because
725  * there's no buffer space. Fail.
726  */
727  return (PCAP_ERROR);
728  }
729  return (status);
730  }
731 
732  /*
733  * Success.
734  */
735  return (fd);
736 }
737 
738 #ifdef __APPLE__
739 static int
740 device_exists(int fd, const char *name, char *errbuf)
741 {
742  int status;
743  struct ifreq ifr;
744 
745  if (strlen(name) >= sizeof(ifr.ifr_name)) {
746  /* The name is too long, so it can't possibly exist. */
747  return (PCAP_ERROR_NO_SUCH_DEVICE);
748  }
749  (void)pcap_strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
750  status = ioctl(fd, SIOCGIFFLAGS, (caddr_t)&ifr);
751 
752  if (status < 0) {
753  if (errno == ENXIO || errno == EINVAL) {
754  /*
755  * macOS and *BSD return one of those two
756  * errors if the device doesn't exist.
757  * Don't fill in an error, as this is
758  * an "expected" condition.
759  */
760  return (PCAP_ERROR_NO_SUCH_DEVICE);
761  }
762 
763  /*
764  * Some other error - provide a message for it, as
765  * it's "unexpected".
766  */
768  "Can't get interface flags on %s", name);
769  return (PCAP_ERROR);
770  }
771 
772  /*
773  * The device exists.
774  */
775  return (0);
776 }
777 #endif
778 
779 #ifdef BIOCGDLTLIST
780 static int
781 get_dlt_list(int fd, int v, struct bpf_dltlist *bdlp, char *ebuf)
782 {
783  memset(bdlp, 0, sizeof(*bdlp));
784  if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) == 0) {
785  u_int i;
786  int is_ethernet;
787 
788  bdlp->bfl_list = (u_int *) malloc(sizeof(u_int) * (bdlp->bfl_len + 1));
789  if (bdlp->bfl_list == NULL) {
791  errno, "malloc");
792  return (PCAP_ERROR);
793  }
794 
795  if (ioctl(fd, BIOCGDLTLIST, (caddr_t)bdlp) < 0) {
797  errno, "BIOCGDLTLIST");
798  free(bdlp->bfl_list);
799  return (PCAP_ERROR);
800  }
801 
802  /*
803  * OK, for real Ethernet devices, add DLT_DOCSIS to the
804  * list, so that an application can let you choose it,
805  * in case you're capturing DOCSIS traffic that a Cisco
806  * Cable Modem Termination System is putting out onto
807  * an Ethernet (it doesn't put an Ethernet header onto
808  * the wire, it puts raw DOCSIS frames out on the wire
809  * inside the low-level Ethernet framing).
810  *
811  * A "real Ethernet device" is defined here as a device
812  * that has a link-layer type of DLT_EN10MB and that has
813  * no alternate link-layer types; that's done to exclude
814  * 802.11 interfaces (which might or might not be the
815  * right thing to do, but I suspect it is - Ethernet <->
816  * 802.11 bridges would probably badly mishandle frames
817  * that don't have Ethernet headers).
818  *
819  * On Solaris with BPF, Ethernet devices also offer
820  * DLT_IPNET, so we, if DLT_IPNET is defined, we don't
821  * treat it as an indication that the device isn't an
822  * Ethernet.
823  */
824  if (v == DLT_EN10MB) {
825  is_ethernet = 1;
826  for (i = 0; i < bdlp->bfl_len; i++) {
827  if (bdlp->bfl_list[i] != DLT_EN10MB
828 #ifdef DLT_IPNET
829  && bdlp->bfl_list[i] != DLT_IPNET
830 #endif
831  ) {
832  is_ethernet = 0;
833  break;
834  }
835  }
836  if (is_ethernet) {
837  /*
838  * We reserved one more slot at the end of
839  * the list.
840  */
841  bdlp->bfl_list[bdlp->bfl_len] = DLT_DOCSIS;
842  bdlp->bfl_len++;
843  }
844  }
845  } else {
846  /*
847  * EINVAL just means "we don't support this ioctl on
848  * this device"; don't treat it as an error.
849  */
850  if (errno != EINVAL) {
852  errno, "BIOCGDLTLIST");
853  return (PCAP_ERROR);
854  }
855  }
856  return (0);
857 }
858 #endif
859 
860 #if defined(__APPLE__)
861 static int
863 {
864  struct utsname osinfo;
865  int fd;
866 #ifdef BIOCGDLTLIST
867  struct bpf_dltlist bdl;
868  int err;
869 #endif
870 
871  /*
872  * The joys of monitor mode on Mac OS X/OS X/macOS.
873  *
874  * Prior to 10.4, it's not supported at all.
875  *
876  * In 10.4, if adapter enN supports monitor mode, there's a
877  * wltN adapter corresponding to it; you open it, instead of
878  * enN, to get monitor mode. You get whatever link-layer
879  * headers it supplies.
880  *
881  * In 10.5, and, we assume, later releases, if adapter enN
882  * supports monitor mode, it offers, among its selectable
883  * DLT_ values, values that let you get the 802.11 header;
884  * selecting one of those values puts the adapter into monitor
885  * mode (i.e., you can't get 802.11 headers except in monitor
886  * mode, and you can't get Ethernet headers in monitor mode).
887  */
888  if (uname(&osinfo) == -1) {
889  /*
890  * Can't get the OS version; just say "no".
891  */
892  return (0);
893  }
894  /*
895  * We assume osinfo.sysname is "Darwin", because
896  * __APPLE__ is defined. We just check the version.
897  */
898  if (osinfo.release[0] < '8' && osinfo.release[1] == '.') {
899  /*
900  * 10.3 (Darwin 7.x) or earlier.
901  * Monitor mode not supported.
902  */
903  return (0);
904  }
905  if (osinfo.release[0] == '8' && osinfo.release[1] == '.') {
906  char *wlt_name;
907  int status;
908 
909  /*
910  * 10.4 (Darwin 8.x). s/en/wlt/, and check
911  * whether the device exists.
912  */
913  if (strncmp(p->opt.device, "en", 2) != 0) {
914  /*
915  * Not an enN device; no monitor mode.
916  */
917  return (0);
918  }
919  fd = socket(AF_INET, SOCK_DGRAM, 0);
920  if (fd == -1) {
922  errno, "socket");
923  return (PCAP_ERROR);
924  }
925  if (pcap_asprintf(&wlt_name, "wlt%s", p->opt.device + 2) == -1) {
927  errno, "malloc");
928  close(fd);
929  return (PCAP_ERROR);
930  }
931  status = device_exists(fd, wlt_name, p->errbuf);
932  free(wlt_name);
933  close(fd);
934  if (status != 0) {
935  if (status == PCAP_ERROR_NO_SUCH_DEVICE)
936  return (0);
937 
938  /*
939  * Error.
940  */
941  return (status);
942  }
943  return (1);
944  }
945 
946 #ifdef BIOCGDLTLIST
947  /*
948  * Everything else is 10.5 or later; for those,
949  * we just open the enN device, and check whether
950  * we have any 802.11 devices.
951  *
952  * First, open a BPF device.
953  */
954  fd = bpf_open(p->errbuf);
955  if (fd < 0)
956  return (fd); /* fd is the appropriate error code */
957 
958  /*
959  * Now bind to the device.
960  */
961  err = bpf_bind(fd, p->opt.device, p->errbuf);
962  if (err != BPF_BIND_SUCCEEDED) {
963  close(fd);
964  if (err == BPF_BIND_BUFFER_TOO_BIG) {
965  /*
966  * We didn't specify a buffer size, so
967  * this *really* shouldn't fail because
968  * there's no buffer space. Fail.
969  */
970  return (PCAP_ERROR);
971  }
972  return (err);
973  }
974 
975  /*
976  * We know the default link type -- now determine all the DLTs
977  * this interface supports. If this fails with EINVAL, it's
978  * not fatal; we just don't get to use the feature later.
979  * (We don't care about DLT_DOCSIS, so we pass DLT_NULL
980  * as the default DLT for this adapter.)
981  */
982  if (get_dlt_list(fd, DLT_NULL, &bdl, p->errbuf) == PCAP_ERROR) {
983  close(fd);
984  return (PCAP_ERROR);
985  }
986  if (find_802_11(&bdl) != -1) {
987  /*
988  * We have an 802.11 DLT, so we can set monitor mode.
989  */
990  free(bdl.bfl_list);
991  close(fd);
992  return (1);
993  }
994  free(bdl.bfl_list);
995  close(fd);
996 #endif /* BIOCGDLTLIST */
997  return (0);
998 }
999 #elif defined(HAVE_BSD_IEEE80211)
1000 static int
1002 {
1003  int ret;
1004 
1005  ret = monitor_mode(p, 0);
1006  if (ret == PCAP_ERROR_RFMON_NOTSUP)
1007  return (0); /* not an error, just a "can't do" */
1008  if (ret == 0)
1009  return (1); /* success */
1010  return (ret);
1011 }
1012 #else
1013 static int
1015 {
1016  return (0);
1017 }
1018 #endif
1019 
1020 static int
1022 {
1023  struct bpf_stat s;
1024 
1025  /*
1026  * "ps_recv" counts packets handed to the filter, not packets
1027  * that passed the filter. This includes packets later dropped
1028  * because we ran out of buffer space.
1029  *
1030  * "ps_drop" counts packets dropped inside the BPF device
1031  * because we ran out of buffer space. It doesn't count
1032  * packets dropped by the interface driver. It counts
1033  * only packets that passed the filter.
1034  *
1035  * Both statistics include packets not yet read from the kernel
1036  * by libpcap, and thus not yet seen by the application.
1037  */
1038  if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
1040  errno, "BIOCGSTATS");
1041  return (PCAP_ERROR);
1042  }
1043 
1044  ps->ps_recv = s.bs_recv;
1045  ps->ps_drop = s.bs_drop;
1046  ps->ps_ifdrop = 0;
1047  return (0);
1048 }
1049 
1050 static int
1051 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
1052 {
1053  struct pcap_bpf *pb = p->priv;
1054  int cc;
1055  int n = 0;
1056  register u_char *bp, *ep;
1057  u_char *datap;
1058 #ifdef PCAP_FDDIPAD
1059  register u_int pad;
1060 #endif
1061 #ifdef HAVE_ZEROCOPY_BPF
1062  int i;
1063 #endif
1064 
1065  again:
1066  /*
1067  * Has "pcap_breakloop()" been called?
1068  */
1069  if (p->break_loop) {
1070  /*
1071  * Yes - clear the flag that indicates that it
1072  * has, and return PCAP_ERROR_BREAK to indicate
1073  * that we were told to break out of the loop.
1074  */
1075  p->break_loop = 0;
1076  return (PCAP_ERROR_BREAK);
1077  }
1078  cc = p->cc;
1079  if (p->cc == 0) {
1080  /*
1081  * When reading without zero-copy from a file descriptor, we
1082  * use a single buffer and return a length of data in the
1083  * buffer. With zero-copy, we update the p->buffer pointer
1084  * to point at whatever underlying buffer contains the next
1085  * data and update cc to reflect the data found in the
1086  * buffer.
1087  */
1088 #ifdef HAVE_ZEROCOPY_BPF
1089  if (pb->zerocopy) {
1090  if (p->buffer != NULL)
1091  pcap_ack_zbuf(p);
1092  i = pcap_next_zbuf(p, &cc);
1093  if (i == 0)
1094  goto again;
1095  if (i < 0)
1096  return (PCAP_ERROR);
1097  } else
1098 #endif
1099  {
1100  cc = (int)read(p->fd, p->buffer, p->bufsize);
1101  }
1102  if (cc < 0) {
1103  /* Don't choke when we get ptraced */
1104  switch (errno) {
1105 
1106  case EINTR:
1107  goto again;
1108 
1109 #ifdef _AIX
1110  case EFAULT:
1111  /*
1112  * Sigh. More AIX wonderfulness.
1113  *
1114  * For some unknown reason the uiomove()
1115  * operation in the bpf kernel extension
1116  * used to copy the buffer into user
1117  * space sometimes returns EFAULT. I have
1118  * no idea why this is the case given that
1119  * a kernel debugger shows the user buffer
1120  * is correct. This problem appears to
1121  * be mostly mitigated by the memset of
1122  * the buffer before it is first used.
1123  * Very strange.... Shaun Clowes
1124  *
1125  * In any case this means that we shouldn't
1126  * treat EFAULT as a fatal error; as we
1127  * don't have an API for returning
1128  * a "some packets were dropped since
1129  * the last packet you saw" indication,
1130  * we just ignore EFAULT and keep reading.
1131  */
1132  goto again;
1133 #endif
1134 
1135  case EWOULDBLOCK:
1136  return (0);
1137 
1138  case ENXIO: /* FreeBSD, DragonFly BSD, and Darwin */
1139  case EIO: /* OpenBSD */
1140  /* NetBSD appears not to return an error in this case */
1141  /*
1142  * The device on which we're capturing
1143  * went away.
1144  *
1145  * XXX - we should really return
1146  * an appropriate error for that,
1147  * but pcap_dispatch() etc. aren't
1148  * documented as having error returns
1149  * other than PCAP_ERROR or PCAP_ERROR_BREAK.
1150  */
1152  "The interface disappeared");
1153  return (PCAP_ERROR);
1154 
1155 #if defined(sun) && !defined(BSD) && !defined(__svr4__) && !defined(__SVR4)
1156  /*
1157  * Due to a SunOS bug, after 2^31 bytes, the kernel
1158  * file offset overflows and read fails with EINVAL.
1159  * The lseek() to 0 will fix things.
1160  */
1161  case EINVAL:
1162  if (lseek(p->fd, 0L, SEEK_CUR) +
1163  p->bufsize < 0) {
1164  (void)lseek(p->fd, 0L, SEEK_SET);
1165  goto again;
1166  }
1167  /* fall through */
1168 #endif
1169  }
1171  errno, "read");
1172  return (PCAP_ERROR);
1173  }
1174  bp = (u_char *)p->buffer;
1175  } else
1176  bp = p->bp;
1177 
1178  /*
1179  * Loop through each packet.
1180  */
1181 #ifdef BIOCSTSTAMP
1182 #define bhp ((struct bpf_xhdr *)bp)
1183 #else
1184 #define bhp ((struct bpf_hdr *)bp)
1185 #endif
1186  ep = bp + cc;
1187 #ifdef PCAP_FDDIPAD
1188  pad = p->fddipad;
1189 #endif
1190  while (bp < ep) {
1191  register u_int caplen, hdrlen;
1192 
1193  /*
1194  * Has "pcap_breakloop()" been called?
1195  * If so, return immediately - if we haven't read any
1196  * packets, clear the flag and return PCAP_ERROR_BREAK
1197  * to indicate that we were told to break out of the loop,
1198  * otherwise leave the flag set, so that the *next* call
1199  * will break out of the loop without having read any
1200  * packets, and return the number of packets we've
1201  * processed so far.
1202  */
1203  if (p->break_loop) {
1204  p->bp = bp;
1205  p->cc = (int)(ep - bp);
1206  /*
1207  * ep is set based on the return value of read(),
1208  * but read() from a BPF device doesn't necessarily
1209  * return a value that's a multiple of the alignment
1210  * value for BPF_WORDALIGN(). However, whenever we
1211  * increment bp, we round up the increment value by
1212  * a value rounded up by BPF_WORDALIGN(), so we
1213  * could increment bp past ep after processing the
1214  * last packet in the buffer.
1215  *
1216  * We treat ep < bp as an indication that this
1217  * happened, and just set p->cc to 0.
1218  */
1219  if (p->cc < 0)
1220  p->cc = 0;
1221  if (n == 0) {
1222  p->break_loop = 0;
1223  return (PCAP_ERROR_BREAK);
1224  } else
1225  return (n);
1226  }
1227 
1228  caplen = bhp->bh_caplen;
1229  hdrlen = bhp->bh_hdrlen;
1230  datap = bp + hdrlen;
1231  /*
1232  * Short-circuit evaluation: if using BPF filter
1233  * in kernel, no need to do it now - we already know
1234  * the packet passed the filter.
1235  *
1236 #ifdef PCAP_FDDIPAD
1237  * Note: the filter code was generated assuming
1238  * that p->fddipad was the amount of padding
1239  * before the header, as that's what's required
1240  * in the kernel, so we run the filter before
1241  * skipping that padding.
1242 #endif
1243  */
1244  if (pb->filtering_in_kernel ||
1245  pcap_filter(p->fcode.bf_insns, datap, bhp->bh_datalen, caplen)) {
1246  struct pcap_pkthdr pkthdr;
1247 #ifdef BIOCSTSTAMP
1248  struct bintime bt;
1249 
1250  bt.sec = bhp->bh_tstamp.bt_sec;
1251  bt.frac = bhp->bh_tstamp.bt_frac;
1253  struct timespec ts;
1254 
1255  bintime2timespec(&bt, &ts);
1256  pkthdr.ts.tv_sec = ts.tv_sec;
1257  pkthdr.ts.tv_usec = ts.tv_nsec;
1258  } else {
1259  struct timeval tv;
1260 
1261  bintime2timeval(&bt, &tv);
1262  pkthdr.ts.tv_sec = tv.tv_sec;
1263  pkthdr.ts.tv_usec = tv.tv_usec;
1264  }
1265 #else
1266  pkthdr.ts.tv_sec = bhp->bh_tstamp.tv_sec;
1267 #ifdef _AIX
1268  /*
1269  * AIX's BPF returns seconds/nanoseconds time
1270  * stamps, not seconds/microseconds time stamps.
1271  */
1272  pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec/1000;
1273 #else
1274  pkthdr.ts.tv_usec = bhp->bh_tstamp.tv_usec;
1275 #endif
1276 #endif /* BIOCSTSTAMP */
1277 #ifdef PCAP_FDDIPAD
1278  if (caplen > pad)
1279  pkthdr.caplen = caplen - pad;
1280  else
1281  pkthdr.caplen = 0;
1282  if (bhp->bh_datalen > pad)
1283  pkthdr.len = bhp->bh_datalen - pad;
1284  else
1285  pkthdr.len = 0;
1286  datap += pad;
1287 #else
1288  pkthdr.caplen = caplen;
1289  pkthdr.len = bhp->bh_datalen;
1290 #endif
1291  (*callback)(user, &pkthdr, datap);
1292  bp += BPF_WORDALIGN(caplen + hdrlen);
1293  if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) {
1294  p->bp = bp;
1295  p->cc = (int)(ep - bp);
1296  /*
1297  * See comment above about p->cc < 0.
1298  */
1299  if (p->cc < 0)
1300  p->cc = 0;
1301  return (n);
1302  }
1303  } else {
1304  /*
1305  * Skip this packet.
1306  */
1307  bp += BPF_WORDALIGN(caplen + hdrlen);
1308  }
1309  }
1310 #undef bhp
1311  p->cc = 0;
1312  return (n);
1313 }
1314 
1315 static int
1316 pcap_inject_bpf(pcap_t *p, const void *buf, int size)
1317 {
1318  int ret;
1319 
1320  ret = (int)write(p->fd, buf, size);
1321 #ifdef __APPLE__
1322  if (ret == -1 && errno == EAFNOSUPPORT) {
1323  /*
1324  * In some versions of macOS, there's a bug wherein setting
1325  * the BIOCSHDRCMPLT flag causes writes to fail; see, for
1326  * example:
1327  *
1328  * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/BIOCSHDRCMPLT-10.3.3.patch
1329  *
1330  * So, if, on macOS, we get EAFNOSUPPORT from the write, we
1331  * assume it's due to that bug, and turn off that flag
1332  * and try again. If we succeed, it either means that
1333  * somebody applied the fix from that URL, or other patches
1334  * for that bug from
1335  *
1336  * http://cerberus.sourcefire.com/~jeff/archives/patches/macosx/
1337  *
1338  * and are running a Darwin kernel with those fixes, or
1339  * that Apple fixed the problem in some macOS release.
1340  */
1341  u_int spoof_eth_src = 0;
1342 
1343  if (ioctl(p->fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
1345  errno, "send: can't turn off BIOCSHDRCMPLT");
1346  return (PCAP_ERROR);
1347  }
1348 
1349  /*
1350  * Now try the write again.
1351  */
1352  ret = (int)write(p->fd, buf, size);
1353  }
1354 #endif /* __APPLE__ */
1355  if (ret == -1) {
1357  errno, "send");
1358  return (PCAP_ERROR);
1359  }
1360  return (ret);
1361 }
1362 
1363 #ifdef _AIX
1364 static int
1365 bpf_odminit(char *errbuf)
1366 {
1367  char *errstr;
1368 
1369  if (odm_initialize() == -1) {
1370  if (odm_err_msg(odmerrno, &errstr) == -1)
1371  errstr = "Unknown error";
1372  snprintf(errbuf, PCAP_ERRBUF_SIZE,
1373  "bpf_load: odm_initialize failed: %s",
1374  errstr);
1375  return (PCAP_ERROR);
1376  }
1377 
1378  if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) {
1379  if (odm_err_msg(odmerrno, &errstr) == -1)
1380  errstr = "Unknown error";
1381  snprintf(errbuf, PCAP_ERRBUF_SIZE,
1382  "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s",
1383  errstr);
1384  (void)odm_terminate();
1385  return (PCAP_ERROR);
1386  }
1387 
1388  return (0);
1389 }
1390 
1391 static int
1392 bpf_odmcleanup(char *errbuf)
1393 {
1394  char *errstr;
1395 
1396  if (odm_unlock(odmlockid) == -1) {
1397  if (errbuf != NULL) {
1398  if (odm_err_msg(odmerrno, &errstr) == -1)
1399  errstr = "Unknown error";
1400  snprintf(errbuf, PCAP_ERRBUF_SIZE,
1401  "bpf_load: odm_unlock failed: %s",
1402  errstr);
1403  }
1404  return (PCAP_ERROR);
1405  }
1406 
1407  if (odm_terminate() == -1) {
1408  if (errbuf != NULL) {
1409  if (odm_err_msg(odmerrno, &errstr) == -1)
1410  errstr = "Unknown error";
1411  snprintf(errbuf, PCAP_ERRBUF_SIZE,
1412  "bpf_load: odm_terminate failed: %s",
1413  errstr);
1414  }
1415  return (PCAP_ERROR);
1416  }
1417 
1418  return (0);
1419 }
1420 
1421 static int
1422 bpf_load(char *errbuf)
1423 {
1424  long major;
1425  int *minors;
1426  int numminors, i, rc;
1427  char buf[1024];
1428  struct stat sbuf;
1429  struct bpf_config cfg_bpf;
1430  struct cfg_load cfg_ld;
1431  struct cfg_kmod cfg_km;
1432 
1433  /*
1434  * This is very very close to what happens in the real implementation
1435  * but I've fixed some (unlikely) bug situations.
1436  */
1437  if (bpfloadedflag)
1438  return (0);
1439 
1440  if (bpf_odminit(errbuf) == PCAP_ERROR)
1441  return (PCAP_ERROR);
1442 
1443  major = genmajor(BPF_NAME);
1444  if (major == -1) {
1446  errno, "bpf_load: genmajor failed");
1447  (void)bpf_odmcleanup(NULL);
1448  return (PCAP_ERROR);
1449  }
1450 
1451  minors = getminor(major, &numminors, BPF_NAME);
1452  if (!minors) {
1453  minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1);
1454  if (!minors) {
1456  errno, "bpf_load: genminor failed");
1457  (void)bpf_odmcleanup(NULL);
1458  return (PCAP_ERROR);
1459  }
1460  }
1461 
1462  if (bpf_odmcleanup(errbuf) == PCAP_ERROR)
1463  return (PCAP_ERROR);
1464 
1465  rc = stat(BPF_NODE "0", &sbuf);
1466  if (rc == -1 && errno != ENOENT) {
1468  errno, "bpf_load: can't stat %s", BPF_NODE "0");
1469  return (PCAP_ERROR);
1470  }
1471 
1472  if (rc == -1 || getmajor(sbuf.st_rdev) != major) {
1473  for (i = 0; i < BPF_MINORS; i++) {
1474  snprintf(buf, sizeof(buf), "%s%d", BPF_NODE, i);
1475  unlink(buf);
1476  if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) {
1479  "bpf_load: can't mknod %s", buf);
1480  return (PCAP_ERROR);
1481  }
1482  }
1483  }
1484 
1485  /* Check if the driver is loaded */
1486  memset(&cfg_ld, 0x0, sizeof(cfg_ld));
1487  snprintf(buf, sizeof(buf), "%s/%s", DRIVER_PATH, BPF_NAME);
1488  cfg_ld.path = buf;
1489  if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) ||
1490  (cfg_ld.kmid == 0)) {
1491  /* Driver isn't loaded, load it now */
1492  if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) {
1494  errno, "bpf_load: could not load driver");
1495  return (PCAP_ERROR);
1496  }
1497  }
1498 
1499  /* Configure the driver */
1500  cfg_km.cmd = CFG_INIT;
1501  cfg_km.kmid = cfg_ld.kmid;
1502  cfg_km.mdilen = sizeof(cfg_bpf);
1503  cfg_km.mdiptr = (void *)&cfg_bpf;
1504  for (i = 0; i < BPF_MINORS; i++) {
1505  cfg_bpf.devno = domakedev(major, i);
1506  if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) {
1508  errno, "bpf_load: could not configure driver");
1509  return (PCAP_ERROR);
1510  }
1511  }
1512 
1513  bpfloadedflag = 1;
1514 
1515  return (0);
1516 }
1517 #endif
1518 
1519 /*
1520  * Undo any operations done when opening the device when necessary.
1521  */
1522 static void
1524 {
1525  struct pcap_bpf *pb = p->priv;
1526 #ifdef HAVE_BSD_IEEE80211
1527  int sock;
1528  struct ifmediareq req;
1529  struct ifreq ifr;
1530 #endif
1531 
1532  if (pb->must_do_on_close != 0) {
1533  /*
1534  * There's something we have to do when closing this
1535  * pcap_t.
1536  */
1537 #ifdef HAVE_BSD_IEEE80211
1538  if (pb->must_do_on_close & MUST_CLEAR_RFMON) {
1539  /*
1540  * We put the interface into rfmon mode;
1541  * take it out of rfmon mode.
1542  *
1543  * XXX - if somebody else wants it in rfmon
1544  * mode, this code cannot know that, so it'll take
1545  * it out of rfmon mode.
1546  */
1547  sock = socket(AF_INET, SOCK_DGRAM, 0);
1548  if (sock == -1) {
1549  fprintf(stderr,
1550  "Can't restore interface flags (socket() failed: %s).\n"
1551  "Please adjust manually.\n",
1552  strerror(errno));
1553  } else {
1554  memset(&req, 0, sizeof(req));
1555  pcap_strlcpy(req.ifm_name, pb->device,
1556  sizeof(req.ifm_name));
1557  if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
1558  fprintf(stderr,
1559  "Can't restore interface flags (SIOCGIFMEDIA failed: %s).\n"
1560  "Please adjust manually.\n",
1561  strerror(errno));
1562  } else {
1563  if (req.ifm_current & IFM_IEEE80211_MONITOR) {
1564  /*
1565  * Rfmon mode is currently on;
1566  * turn it off.
1567  */
1568  memset(&ifr, 0, sizeof(ifr));
1569  (void)pcap_strlcpy(ifr.ifr_name,
1570  pb->device,
1571  sizeof(ifr.ifr_name));
1572  ifr.ifr_media =
1573  req.ifm_current & ~~IFM_IEEE80211_MONITOR;
1574  if (ioctl(sock, SIOCSIFMEDIA,
1575  &ifr) == -1) {
1576  fprintf(stderr,
1577  "Can't restore interface flags (SIOCSIFMEDIA failed: %s).\n"
1578  "Please adjust manually.\n",
1579  strerror(errno));
1580  }
1581  }
1582  }
1583  close(sock);
1584  }
1585  }
1586 #endif /* HAVE_BSD_IEEE80211 */
1587 
1588 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2)
1589  /*
1590  * Attempt to destroy the usbusN interface that we created.
1591  */
1593  if (if_nametoindex(pb->device) > 0) {
1594  int s;
1595 
1596  s = socket(AF_LOCAL, SOCK_DGRAM, 0);
1597  if (s >= 0) {
1598  pcap_strlcpy(ifr.ifr_name, pb->device,
1599  sizeof(ifr.ifr_name));
1600  ioctl(s, SIOCIFDESTROY, &ifr);
1601  close(s);
1602  }
1603  }
1604  }
1605 #endif /* defined(__FreeBSD__) && defined(SIOCIFCREATE2) */
1606  /*
1607  * Take this pcap out of the list of pcaps for which we
1608  * have to take the interface out of some mode.
1609  */
1611  pb->must_do_on_close = 0;
1612  }
1613 
1614 #ifdef HAVE_ZEROCOPY_BPF
1615  if (pb->zerocopy) {
1616  /*
1617  * Delete the mappings. Note that p->buffer gets
1618  * initialized to one of the mmapped regions in
1619  * this case, so do not try and free it directly;
1620  * null it out so that pcap_cleanup_live_common()
1621  * doesn't try to free it.
1622  */
1623  if (pb->zbuf1 != MAP_FAILED && pb->zbuf1 != NULL)
1624  (void) munmap(pb->zbuf1, pb->zbufsize);
1625  if (pb->zbuf2 != MAP_FAILED && pb->zbuf2 != NULL)
1626  (void) munmap(pb->zbuf2, pb->zbufsize);
1627  p->buffer = NULL;
1628  }
1629 #endif
1630  if (pb->device != NULL) {
1631  free(pb->device);
1632  pb->device = NULL;
1633  }
1635 }
1636 
1637 #ifdef __APPLE__
1638 static int
1640 {
1641  int fd;
1642  int err;
1643 
1645  /*
1646  * No such device exists.
1647  */
1648  if (p->opt.rfmon && strncmp(p->opt.device, "wlt", 3) == 0) {
1649  /*
1650  * Monitor mode was requested, and we're trying
1651  * to open a "wltN" device. Assume that this
1652  * is 10.4 and that we were asked to open an
1653  * "enN" device; if that device exists, return
1654  * "monitor mode not supported on the device".
1655  */
1656  fd = socket(AF_INET, SOCK_DGRAM, 0);
1657  if (fd != -1) {
1658  char *en_name;
1659 
1660  if (pcap_asprintf(&en_name, "en%s",
1661  p->opt.device + 3) == -1) {
1662  /*
1663  * We can't find out whether there's
1664  * an underlying "enN" device, so
1665  * just report "no such device".
1666  */
1669  "malloc");
1670  close(fd);
1671  return (PCAP_ERROR_NO_SUCH_DEVICE);
1672  }
1673  err = device_exists(fd, en_name, p->errbuf);
1674  free(en_name);
1675  if (err != 0) {
1676  if (err == PCAP_ERROR_NO_SUCH_DEVICE) {
1677  /*
1678  * The underlying "enN" device
1679  * exists, but there's no
1680  * corresponding "wltN" device;
1681  * that means that the "enN"
1682  * device doesn't support
1683  * monitor mode, probably
1684  * because it's an Ethernet
1685  * device rather than a
1686  * wireless device.
1687  */
1689  }
1690  }
1691  close(fd);
1692  } else {
1693  /*
1694  * We can't find out whether there's
1695  * an underlying "enN" device, so
1696  * just report "no such device".
1697  */
1701  "socket() failed");
1702  }
1703  return (err);
1704  }
1705 
1706  /*
1707  * No such device.
1708  */
1709  return (PCAP_ERROR_NO_SUCH_DEVICE);
1710  }
1711 
1712  /*
1713  * Just return the error status; it's what we want, and, if it's
1714  * PCAP_ERROR, the error string has been filled in.
1715  */
1716  return (error);
1717 }
1718 #else
1719 static int
1721 {
1722  /*
1723  * Just return the error status; it's what we want, and, if it's
1724  * PCAP_ERROR, the error string has been filled in.
1725  */
1726  return (error);
1727 }
1728 #endif
1729 
1730 /*
1731  * Default capture buffer size.
1732  * 32K isn't very much for modern machines with fast networks; we
1733  * pick .5M, as that's the maximum on at least some systems with BPF.
1734  *
1735  * However, on AIX 3.5, the larger buffer sized caused unrecoverable
1736  * read failures under stress, so we leave it as 32K; yet another
1737  * place where AIX's BPF is broken.
1738  */
1739 #ifdef _AIX
1740 #define DEFAULT_BUFSIZE 32768
1741 #else
1742 #define DEFAULT_BUFSIZE 524288
1743 #endif
1744 
1745 static int
1747 {
1748  struct pcap_bpf *pb = p->priv;
1749  int status = 0;
1750 #ifdef HAVE_BSD_IEEE80211
1751  int retv;
1752 #endif
1753  int fd;
1754 #if defined(LIFNAMSIZ) && defined(ZONENAME_MAX) && defined(lifr_zoneid)
1755  struct lifreq ifr;
1756  char *zonesep;
1757 #endif
1758  struct bpf_version bv;
1759 #ifdef __APPLE__
1760  int sockfd;
1761  char *wltdev = NULL;
1762 #endif
1763 #ifdef BIOCGDLTLIST
1764  struct bpf_dltlist bdl;
1765 #if defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)
1766  int new_dlt;
1767 #endif
1768 #endif /* BIOCGDLTLIST */
1769 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
1770  u_int spoof_eth_src = 1;
1771 #endif
1772  u_int v;
1773  struct bpf_insn total_insn;
1774  struct bpf_program total_prog;
1775  struct utsname osinfo;
1776  int have_osinfo = 0;
1777 #ifdef HAVE_ZEROCOPY_BPF
1778  struct bpf_zbuf bz;
1779  u_int bufmode, zbufmax;
1780 #endif
1781 
1782  fd = bpf_open(p->errbuf);
1783  if (fd < 0) {
1784  status = fd;
1785  goto bad;
1786  }
1787 
1788  p->fd = fd;
1789 
1790  if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
1792  errno, "BIOCVERSION");
1793  status = PCAP_ERROR;
1794  goto bad;
1795  }
1796  if (bv.bv_major != BPF_MAJOR_VERSION ||
1797  bv.bv_minor < BPF_MINOR_VERSION) {
1799  "kernel bpf filter out of date");
1800  status = PCAP_ERROR;
1801  goto bad;
1802  }
1803 
1804  /*
1805  * Turn a negative snapshot value (invalid), a snapshot value of
1806  * 0 (unspecified), or a value bigger than the normal maximum
1807  * value, into the maximum allowed value.
1808  *
1809  * If some application really *needs* a bigger snapshot
1810  * length, we should just increase MAXIMUM_SNAPLEN.
1811  */
1812  if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
1814 
1815 #if defined(LIFNAMSIZ) && defined(ZONENAME_MAX) && defined(lifr_zoneid)
1816  /*
1817  * Retrieve the zoneid of the zone we are currently executing in.
1818  */
1819  if ((ifr.lifr_zoneid = getzoneid()) == -1) {
1821  errno, "getzoneid()");
1822  status = PCAP_ERROR;
1823  goto bad;
1824  }
1825  /*
1826  * Check if the given source datalink name has a '/' separated
1827  * zonename prefix string. The zonename prefixed source datalink can
1828  * be used by pcap consumers in the Solaris global zone to capture
1829  * traffic on datalinks in non-global zones. Non-global zones
1830  * do not have access to datalinks outside of their own namespace.
1831  */
1832  if ((zonesep = strchr(p->opt.device, '/')) != NULL) {
1833  char path_zname[ZONENAME_MAX];
1834  int znamelen;
1835  char *lnamep;
1836 
1837  if (ifr.lifr_zoneid != GLOBAL_ZONEID) {
1839  "zonename/linkname only valid in global zone.");
1840  status = PCAP_ERROR;
1841  goto bad;
1842  }
1843  znamelen = zonesep - p->opt.device;
1844  (void) pcap_strlcpy(path_zname, p->opt.device, znamelen + 1);
1845  ifr.lifr_zoneid = getzoneidbyname(path_zname);
1846  if (ifr.lifr_zoneid == -1) {
1848  errno, "getzoneidbyname(%s)", path_zname);
1849  status = PCAP_ERROR;
1850  goto bad;
1851  }
1852  lnamep = strdup(zonesep + 1);
1853  if (lnamep == NULL) {
1855  errno, "strdup");
1856  status = PCAP_ERROR;
1857  goto bad;
1858  }
1859  free(p->opt.device);
1860  p->opt.device = lnamep;
1861  }
1862 #endif
1863 
1864  pb->device = strdup(p->opt.device);
1865  if (pb->device == NULL) {
1867  errno, "strdup");
1868  status = PCAP_ERROR;
1869  goto bad;
1870  }
1871 
1872  /*
1873  * Attempt to find out the version of the OS on which we're running.
1874  */
1875  if (uname(&osinfo) == 0)
1876  have_osinfo = 1;
1877 
1878 #ifdef __APPLE__
1879  /*
1880  * See comment in pcap_can_set_rfmon_bpf() for an explanation
1881  * of why we check the version number.
1882  */
1883  if (p->opt.rfmon) {
1884  if (have_osinfo) {
1885  /*
1886  * We assume osinfo.sysname is "Darwin", because
1887  * __APPLE__ is defined. We just check the version.
1888  */
1889  if (osinfo.release[0] < '8' &&
1890  osinfo.release[1] == '.') {
1891  /*
1892  * 10.3 (Darwin 7.x) or earlier.
1893  */
1894  status = PCAP_ERROR_RFMON_NOTSUP;
1895  goto bad;
1896  }
1897  if (osinfo.release[0] == '8' &&
1898  osinfo.release[1] == '.') {
1899  /*
1900  * 10.4 (Darwin 8.x). s/en/wlt/
1901  */
1902  if (strncmp(p->opt.device, "en", 2) != 0) {
1903  /*
1904  * Not an enN device; check
1905  * whether the device even exists.
1906  */
1907  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
1908  if (sockfd != -1) {
1909  status = device_exists(sockfd,
1910  p->opt.device, p->errbuf);
1911  if (status == 0) {
1912  /*
1913  * The device exists,
1914  * but it's not an
1915  * enN device; that
1916  * means it doesn't
1917  * support monitor
1918  * mode.
1919  */
1920  status = PCAP_ERROR_RFMON_NOTSUP;
1921  }
1922  close(sockfd);
1923  } else {
1924  /*
1925  * We can't find out whether
1926  * the device exists, so just
1927  * report "no such device".
1928  */
1929  status = PCAP_ERROR_NO_SUCH_DEVICE;
1932  "socket() failed");
1933  }
1934  goto bad;
1935  }
1936  wltdev = malloc(strlen(p->opt.device) + 2);
1937  if (wltdev == NULL) {
1940  "malloc");
1941  status = PCAP_ERROR;
1942  goto bad;
1943  }
1944  strcpy(wltdev, "wlt");
1945  strcat(wltdev, p->opt.device + 2);
1946  free(p->opt.device);
1947  p->opt.device = wltdev;
1948  }
1949  /*
1950  * Everything else is 10.5 or later; for those,
1951  * we just open the enN device, and set the DLT.
1952  */
1953  }
1954  }
1955 #endif /* __APPLE__ */
1956 
1957  /*
1958  * If this is FreeBSD, and the device name begins with "usbus",
1959  * try to create the interface if it's not available.
1960  */
1961 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2)
1962  if (strncmp(p->opt.device, usbus_prefix, USBUS_PREFIX_LEN) == 0) {
1963  /*
1964  * Do we already have an interface with that name?
1965  */
1966  if (if_nametoindex(p->opt.device) == 0) {
1967  /*
1968  * No. We need to create it, and, if we
1969  * succeed, remember that we should destroy
1970  * it when the pcap_t is closed.
1971  */
1972  int s;
1973  struct ifreq ifr;
1974 
1975  /*
1976  * Open a socket to use for ioctls to
1977  * create the interface.
1978  */
1979  s = socket(AF_LOCAL, SOCK_DGRAM, 0);
1980  if (s < 0) {
1983  "Can't open socket");
1984  status = PCAP_ERROR;
1985  goto bad;
1986  }
1987 
1988  /*
1989  * If we haven't already done so, arrange to have
1990  * "pcap_close_all()" called when we exit.
1991  */
1992  if (!pcap_do_addexit(p)) {
1993  /*
1994  * "atexit()" failed; don't create the
1995  * interface, just give up.
1996  */
1998  "atexit failed");
1999  close(s);
2000  status = PCAP_ERROR;
2001  goto bad;
2002  }
2003 
2004  /*
2005  * Create the interface.
2006  */
2007  pcap_strlcpy(ifr.ifr_name, p->opt.device, sizeof(ifr.ifr_name));
2008  if (ioctl(s, SIOCIFCREATE2, &ifr) < 0) {
2009  if (errno == EINVAL) {
2011  "Invalid USB bus interface %s",
2012  p->opt.device);
2013  } else {
2016  "Can't create interface for %s",
2017  p->opt.device);
2018  }
2019  close(s);
2020  status = PCAP_ERROR;
2021  goto bad;
2022  }
2023 
2024  /*
2025  * Make sure we clean this up when we close.
2026  */
2028 
2029  /*
2030  * Add this to the list of pcaps to close when we exit.
2031  */
2033  }
2034  }
2035 #endif /* defined(__FreeBSD__) && defined(SIOCIFCREATE2) */
2036 
2037 #ifdef HAVE_ZEROCOPY_BPF
2038  /*
2039  * If the BPF extension to set buffer mode is present, try setting
2040  * the mode to zero-copy. If that fails, use regular buffering. If
2041  * it succeeds but other setup fails, return an error to the user.
2042  */
2043  bufmode = BPF_BUFMODE_ZBUF;
2044  if (ioctl(fd, BIOCSETBUFMODE, (caddr_t)&bufmode) == 0) {
2045  /*
2046  * We have zerocopy BPF; use it.
2047  */
2048  pb->zerocopy = 1;
2049 
2050  /*
2051  * How to pick a buffer size: first, query the maximum buffer
2052  * size supported by zero-copy. This also lets us quickly
2053  * determine whether the kernel generally supports zero-copy.
2054  * Then, if a buffer size was specified, use that, otherwise
2055  * query the default buffer size, which reflects kernel
2056  * policy for a desired default. Round to the nearest page
2057  * size.
2058  */
2059  if (ioctl(fd, BIOCGETZMAX, (caddr_t)&zbufmax) < 0) {
2061  errno, "BIOCGETZMAX");
2062  status = PCAP_ERROR;
2063  goto bad;
2064  }
2065 
2066  if (p->opt.buffer_size != 0) {
2067  /*
2068  * A buffer size was explicitly specified; use it.
2069  */
2070  v = p->opt.buffer_size;
2071  } else {
2072  if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) ||
2073  v < DEFAULT_BUFSIZE)
2074  v = DEFAULT_BUFSIZE;
2075  }
2076 #ifndef roundup
2077 #define roundup(x, y) ((((x)+((y)-1))/(y))*(y)) /* to any y */
2078 #endif
2079  pb->zbufsize = roundup(v, getpagesize());
2080  if (pb->zbufsize > zbufmax)
2081  pb->zbufsize = zbufmax;
2082  pb->zbuf1 = mmap(NULL, pb->zbufsize, PROT_READ | PROT_WRITE,
2083  MAP_ANON, -1, 0);
2084  pb->zbuf2 = mmap(NULL, pb->zbufsize, PROT_READ | PROT_WRITE,
2085  MAP_ANON, -1, 0);
2086  if (pb->zbuf1 == MAP_FAILED || pb->zbuf2 == MAP_FAILED) {
2088  errno, "mmap");
2089  status = PCAP_ERROR;
2090  goto bad;
2091  }
2092  memset(&bz, 0, sizeof(bz)); /* bzero() deprecated, replaced with memset() */
2093  bz.bz_bufa = pb->zbuf1;
2094  bz.bz_bufb = pb->zbuf2;
2095  bz.bz_buflen = pb->zbufsize;
2096  if (ioctl(fd, BIOCSETZBUF, (caddr_t)&bz) < 0) {
2098  errno, "BIOCSETZBUF");
2099  status = PCAP_ERROR;
2100  goto bad;
2101  }
2102  status = bpf_bind(fd, p->opt.device, ifnamsiz, p->errbuf);
2103  if (status != BPF_BIND_SUCCEEDED) {
2104  if (status == BPF_BIND_BUFFER_TOO_BIG) {
2105  /*
2106  * The requested buffer size
2107  * is too big. Fail.
2108  *
2109  * XXX - should we do the "keep cutting
2110  * the buffer size in half" loop here if
2111  * we're using the default buffer size?
2112  */
2113  status = PCAP_ERROR;
2114  }
2115  goto bad;
2116  }
2117  v = pb->zbufsize - sizeof(struct bpf_zbuf_header);
2118  } else
2119 #endif
2120  {
2121  /*
2122  * We don't have zerocopy BPF.
2123  * Set the buffer size.
2124  */
2125  if (p->opt.buffer_size != 0) {
2126  /*
2127  * A buffer size was explicitly specified; use it.
2128  */
2129  if (ioctl(fd, BIOCSBLEN,
2130  (caddr_t)&p->opt.buffer_size) < 0) {
2133  "BIOCSBLEN: %s", p->opt.device);
2134  status = PCAP_ERROR;
2135  goto bad;
2136  }
2137 
2138  /*
2139  * Now bind to the device.
2140  */
2141  status = bpf_bind(fd, p->opt.device, p->errbuf);
2142  if (status != BPF_BIND_SUCCEEDED) {
2143  if (status == BPF_BIND_BUFFER_TOO_BIG) {
2144  /*
2145  * The requested buffer size
2146  * is too big. Fail.
2147  */
2148  status = PCAP_ERROR;
2149  goto bad;
2150  }
2151 
2152  /*
2153  * Special checks on macOS to deal with
2154  * the way monitor mode was done on
2155  * 10.4 Tiger.
2156  */
2157  status = check_setif_failure(p, status);
2158  goto bad;
2159  }
2160  } else {
2161  /*
2162  * No buffer size was explicitly specified.
2163  *
2164  * Try finding a good size for the buffer;
2165  * DEFAULT_BUFSIZE may be too big, so keep
2166  * cutting it in half until we find a size
2167  * that works, or run out of sizes to try.
2168  * If the default is larger, don't make it smaller.
2169  */
2170  if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) ||
2171  v < DEFAULT_BUFSIZE)
2172  v = DEFAULT_BUFSIZE;
2173  for ( ; v != 0; v >>= 1) {
2174  /*
2175  * Ignore the return value - this is because the
2176  * call fails on BPF systems that don't have
2177  * kernel malloc. And if the call fails, it's
2178  * no big deal, we just continue to use the
2179  * standard buffer size.
2180  */
2181  (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
2182 
2183  status = bpf_bind(fd, p->opt.device, p->errbuf);
2184  if (status == BPF_BIND_SUCCEEDED)
2185  break; /* that size worked; we're done */
2186 
2187  /*
2188  * If the attempt failed because the
2189  * buffer was too big, cut the buffer
2190  * size in half and try again.
2191  *
2192  * Otherwise, fail.
2193  */
2194  if (errno != BPF_BIND_BUFFER_TOO_BIG) {
2195  /*
2196  * Special checks on macOS to deal
2197  * with the way monitor mode was
2198  * done on 10.4 Tiger.
2199  */
2200  status = check_setif_failure(p, status);
2201  goto bad;
2202  }
2203  }
2204 
2205  if (v == 0) {
2207  "BIOCSBLEN: %s: No buffer size worked",
2208  p->opt.device);
2209  status = PCAP_ERROR;
2210  goto bad;
2211  }
2212  }
2213  }
2214 
2215  /* Get the data link layer type. */
2216  if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
2218  errno, "BIOCGDLT");
2219  status = PCAP_ERROR;
2220  goto bad;
2221  }
2222 
2223 #ifdef _AIX
2224  /*
2225  * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
2226  */
2227  switch (v) {
2228 
2229  case IFT_ETHER:
2230  case IFT_ISO88023:
2231  v = DLT_EN10MB;
2232  break;
2233 
2234  case IFT_FDDI:
2235  v = DLT_FDDI;
2236  break;
2237 
2238  case IFT_ISO88025:
2239  v = DLT_IEEE802;
2240  break;
2241 
2242  case IFT_LOOP:
2243  v = DLT_NULL;
2244  break;
2245 
2246  default:
2247  /*
2248  * We don't know what to map this to yet.
2249  */
2250  snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
2251  v);
2252  status = PCAP_ERROR;
2253  goto bad;
2254  }
2255 #endif
2256 #if _BSDI_VERSION - 0 >= 199510
2257  /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
2258  switch (v) {
2259 
2260  case DLT_SLIP:
2261  v = DLT_SLIP_BSDOS;
2262  break;
2263 
2264  case DLT_PPP:
2265  v = DLT_PPP_BSDOS;
2266  break;
2267 
2268  case 11: /*DLT_FR*/
2269  v = DLT_FRELAY;
2270  break;
2271 
2272  case 12: /*DLT_C_HDLC*/
2273  v = DLT_CHDLC;
2274  break;
2275  }
2276 #endif
2277 
2278 #ifdef BIOCGDLTLIST
2279  /*
2280  * We know the default link type -- now determine all the DLTs
2281  * this interface supports. If this fails with EINVAL, it's
2282  * not fatal; we just don't get to use the feature later.
2283  */
2284  if (get_dlt_list(fd, v, &bdl, p->errbuf) == -1) {
2285  status = PCAP_ERROR;
2286  goto bad;
2287  }
2288  p->dlt_count = bdl.bfl_len;
2289  p->dlt_list = bdl.bfl_list;
2290 
2291 #ifdef __APPLE__
2292  /*
2293  * Monitor mode fun, continued.
2294  *
2295  * For 10.5 and, we're assuming, later releases, as noted above,
2296  * 802.1 adapters that support monitor mode offer both DLT_EN10MB,
2297  * DLT_IEEE802_11, and possibly some 802.11-plus-radio-information
2298  * DLT_ value. Choosing one of the 802.11 DLT_ values will turn
2299  * monitor mode on.
2300  *
2301  * Therefore, if the user asked for monitor mode, we filter out
2302  * the DLT_EN10MB value, as you can't get that in monitor mode,
2303  * and, if the user didn't ask for monitor mode, we filter out
2304  * the 802.11 DLT_ values, because selecting those will turn
2305  * monitor mode on. Then, for monitor mode, if an 802.11-plus-
2306  * radio DLT_ value is offered, we try to select that, otherwise
2307  * we try to select DLT_IEEE802_11.
2308  */
2309  if (have_osinfo) {
2310  if (PCAP_ISDIGIT((unsigned)osinfo.release[0]) &&
2311  (osinfo.release[0] == '9' ||
2312  PCAP_ISDIGIT((unsigned)osinfo.release[1]))) {
2313  /*
2314  * 10.5 (Darwin 9.x), or later.
2315  */
2316  new_dlt = find_802_11(&bdl);
2317  if (new_dlt != -1) {
2318  /*
2319  * We have at least one 802.11 DLT_ value,
2320  * so this is an 802.11 interface.
2321  * new_dlt is the best of the 802.11
2322  * DLT_ values in the list.
2323  */
2324  if (p->opt.rfmon) {
2325  /*
2326  * Our caller wants monitor mode.
2327  * Purge DLT_EN10MB from the list
2328  * of link-layer types, as selecting
2329  * it will keep monitor mode off.
2330  */
2331  remove_non_802_11(p);
2332 
2333  /*
2334  * If the new mode we want isn't
2335  * the default mode, attempt to
2336  * select the new mode.
2337  */
2338  if ((u_int)new_dlt != v) {
2339  if (ioctl(p->fd, BIOCSDLT,
2340  &new_dlt) != -1) {
2341  /*
2342  * We succeeded;
2343  * make this the
2344  * new DLT_ value.
2345  */
2346  v = new_dlt;
2347  }
2348  }
2349  } else {
2350  /*
2351  * Our caller doesn't want
2352  * monitor mode. Unless this
2353  * is being done by pcap_open_live(),
2354  * purge the 802.11 link-layer types
2355  * from the list, as selecting
2356  * one of them will turn monitor
2357  * mode on.
2358  */
2359  if (!p->oldstyle)
2360  remove_802_11(p);
2361  }
2362  } else {
2363  if (p->opt.rfmon) {
2364  /*
2365  * The caller requested monitor
2366  * mode, but we have no 802.11
2367  * link-layer types, so they
2368  * can't have it.
2369  */
2370  status = PCAP_ERROR_RFMON_NOTSUP;
2371  goto bad;
2372  }
2373  }
2374  }
2375  }
2376 #elif defined(HAVE_BSD_IEEE80211)
2377  /*
2378  * *BSD with the new 802.11 ioctls.
2379  * Do we want monitor mode?
2380  */
2381  if (p->opt.rfmon) {
2382  /*
2383  * Try to put the interface into monitor mode.
2384  */
2385  retv = monitor_mode(p, 1);
2386  if (retv != 0) {
2387  /*
2388  * We failed.
2389  */
2390  status = retv;
2391  goto bad;
2392  }
2393 
2394  /*
2395  * We're in monitor mode.
2396  * Try to find the best 802.11 DLT_ value and, if we
2397  * succeed, try to switch to that mode if we're not
2398  * already in that mode.
2399  */
2400  new_dlt = find_802_11(&bdl);
2401  if (new_dlt != -1) {
2402  /*
2403  * We have at least one 802.11 DLT_ value.
2404  * new_dlt is the best of the 802.11
2405  * DLT_ values in the list.
2406  *
2407  * If the new mode we want isn't the default mode,
2408  * attempt to select the new mode.
2409  */
2410  if ((u_int)new_dlt != v) {
2411  if (ioctl(p->fd, BIOCSDLT, &new_dlt) != -1) {
2412  /*
2413  * We succeeded; make this the
2414  * new DLT_ value.
2415  */
2416  v = new_dlt;
2417  }
2418  }
2419  }
2420  }
2421 #endif /* various platforms */
2422 #endif /* BIOCGDLTLIST */
2423 
2424  /*
2425  * If this is an Ethernet device, and we don't have a DLT_ list,
2426  * give it a list with DLT_EN10MB and DLT_DOCSIS. (That'd give
2427  * 802.11 interfaces DLT_DOCSIS, which isn't the right thing to
2428  * do, but there's not much we can do about that without finding
2429  * some other way of determining whether it's an Ethernet or 802.11
2430  * device.)
2431  */
2432  if (v == DLT_EN10MB && p->dlt_count == 0) {
2433  p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
2434  /*
2435  * If that fails, just leave the list empty.
2436  */
2437  if (p->dlt_list != NULL) {
2438  p->dlt_list[0] = DLT_EN10MB;
2439  p->dlt_list[1] = DLT_DOCSIS;
2440  p->dlt_count = 2;
2441  }
2442  }
2443 #ifdef PCAP_FDDIPAD
2444  if (v == DLT_FDDI)
2445  p->fddipad = PCAP_FDDIPAD;
2446  else
2447 #endif
2448  p->fddipad = 0;
2449  p->linktype = v;
2450 
2451 #if defined(BIOCGHDRCMPLT) && defined(BIOCSHDRCMPLT)
2452  /*
2453  * Do a BIOCSHDRCMPLT, if defined, to turn that flag on, so
2454  * the link-layer source address isn't forcibly overwritten.
2455  * (Should we ignore errors? Should we do this only if
2456  * we're open for writing?)
2457  *
2458  * XXX - I seem to remember some packet-sending bug in some
2459  * BSDs - check CVS log for "bpf.c"?
2460  */
2461  if (ioctl(fd, BIOCSHDRCMPLT, &spoof_eth_src) == -1) {
2463  errno, "BIOCSHDRCMPLT");
2464  status = PCAP_ERROR;
2465  goto bad;
2466  }
2467 #endif
2468  /* set timeout */
2469 #ifdef HAVE_ZEROCOPY_BPF
2470  /*
2471  * In zero-copy mode, we just use the timeout in select().
2472  * XXX - what if we're in non-blocking mode and the *application*
2473  * is using select() or poll() or kqueues or....?
2474  */
2475  if (p->opt.timeout && !pb->zerocopy) {
2476 #else
2477  if (p->opt.timeout) {
2478 #endif
2479  /*
2480  * XXX - is this seconds/nanoseconds in AIX?
2481  * (Treating it as such doesn't fix the timeout
2482  * problem described below.)
2483  *
2484  * XXX - Mac OS X 10.6 mishandles BIOCSRTIMEOUT in
2485  * 64-bit userland - it takes, as an argument, a
2486  * "struct BPF_TIMEVAL", which has 32-bit tv_sec
2487  * and tv_usec, rather than a "struct timeval".
2488  *
2489  * If this platform defines "struct BPF_TIMEVAL",
2490  * we check whether the structure size in BIOCSRTIMEOUT
2491  * is that of a "struct timeval" and, if not, we use
2492  * a "struct BPF_TIMEVAL" rather than a "struct timeval".
2493  * (That way, if the bug is fixed in a future release,
2494  * we will still do the right thing.)
2495  */
2496  struct timeval to;
2497 #ifdef HAVE_STRUCT_BPF_TIMEVAL
2498  struct BPF_TIMEVAL bpf_to;
2499 
2500  if (IOCPARM_LEN(BIOCSRTIMEOUT) != sizeof(struct timeval)) {
2501  bpf_to.tv_sec = p->opt.timeout / 1000;
2502  bpf_to.tv_usec = (p->opt.timeout * 1000) % 1000000;
2503  if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&bpf_to) < 0) {
2505  errno, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT");
2506  status = PCAP_ERROR;
2507  goto bad;
2508  }
2509  } else {
2510 #endif
2511  to.tv_sec = p->opt.timeout / 1000;
2512  to.tv_usec = (p->opt.timeout * 1000) % 1000000;
2513  if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
2515  errno, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT");
2516  status = PCAP_ERROR;
2517  goto bad;
2518  }
2519 #ifdef HAVE_STRUCT_BPF_TIMEVAL
2520  }
2521 #endif
2522  }
2523 
2524 #ifdef BIOCIMMEDIATE
2525  /*
2526  * Darren Reed notes that
2527  *
2528  * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
2529  * timeout appears to be ignored and it waits until the buffer
2530  * is filled before returning. The result of not having it
2531  * set is almost worse than useless if your BPF filter
2532  * is reducing things to only a few packets (i.e. one every
2533  * second or so).
2534  *
2535  * so we always turn BIOCIMMEDIATE mode on if this is AIX.
2536  *
2537  * For other platforms, we don't turn immediate mode on by default,
2538  * as that would mean we get woken up for every packet, which
2539  * probably isn't what you want for a packet sniffer.
2540  *
2541  * We set immediate mode if the caller requested it by calling
2542  * pcap_set_immediate() before calling pcap_activate().
2543  */
2544 #ifndef _AIX
2545  if (p->opt.immediate) {
2546 #endif /* _AIX */
2547  v = 1;
2548  if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
2550  errno, "BIOCIMMEDIATE");
2551  status = PCAP_ERROR;
2552  goto bad;
2553  }
2554 #ifndef _AIX
2555  }
2556 #endif /* _AIX */
2557 #else /* BIOCIMMEDIATE */
2558  if (p->opt.immediate) {
2559  /*
2560  * We don't support immediate mode. Fail.
2561  */
2562  snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Immediate mode not supported");
2563  status = PCAP_ERROR;
2564  goto bad;
2565  }
2566 #endif /* BIOCIMMEDIATE */
2567 
2568  if (p->opt.promisc) {
2569  /* set promiscuous mode, just warn if it fails */
2570  if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
2572  errno, "BIOCPROMISC");
2573  status = PCAP_WARNING_PROMISC_NOTSUP;
2574  }
2575  }
2576 
2577 #ifdef BIOCSTSTAMP
2578  v = BPF_T_BINTIME;
2579  if (ioctl(p->fd, BIOCSTSTAMP, &v) < 0) {
2581  errno, "BIOCSTSTAMP");
2582  status = PCAP_ERROR;
2583  goto bad;
2584  }
2585 #endif /* BIOCSTSTAMP */
2586 
2587  if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
2589  errno, "BIOCGBLEN");
2590  status = PCAP_ERROR;
2591  goto bad;
2592  }
2593  p->bufsize = v;
2594 #ifdef HAVE_ZEROCOPY_BPF
2595  if (!pb->zerocopy) {
2596 #endif
2597  p->buffer = malloc(p->bufsize);
2598  if (p->buffer == NULL) {
2600  errno, "malloc");
2601  status = PCAP_ERROR;
2602  goto bad;
2603  }
2604 #ifdef _AIX
2605  /* For some strange reason this seems to prevent the EFAULT
2606  * problems we have experienced from AIX BPF. */
2607  memset(p->buffer, 0x0, p->bufsize);
2608 #endif
2609 #ifdef HAVE_ZEROCOPY_BPF
2610  }
2611 #endif
2612 
2613  /*
2614  * If there's no filter program installed, there's
2615  * no indication to the kernel of what the snapshot
2616  * length should be, so no snapshotting is done.
2617  *
2618  * Therefore, when we open the device, we install
2619  * an "accept everything" filter with the specified
2620  * snapshot length.
2621  */
2622  total_insn.code = (u_short)(BPF_RET | BPF_K);
2623  total_insn.jt = 0;
2624  total_insn.jf = 0;
2625  total_insn.k = p->snapshot;
2626 
2627  total_prog.bf_len = 1;
2628  total_prog.bf_insns = &total_insn;
2629  if (ioctl(p->fd, BIOCSETF, (caddr_t)&total_prog) < 0) {
2631  errno, "BIOCSETF");
2632  status = PCAP_ERROR;
2633  goto bad;
2634  }
2635 
2636  /*
2637  * On most BPF platforms, either you can do a "select()" or
2638  * "poll()" on a BPF file descriptor and it works correctly,
2639  * or you can do it and it will return "readable" if the
2640  * hold buffer is full but not if the timeout expires *and*
2641  * a non-blocking read will, if the hold buffer is empty
2642  * but the store buffer isn't empty, rotate the buffers
2643  * and return what packets are available.
2644  *
2645  * In the latter case, the fact that a non-blocking read
2646  * will give you the available packets means you can work
2647  * around the failure of "select()" and "poll()" to wake up
2648  * and return "readable" when the timeout expires by using
2649  * the timeout as the "select()" or "poll()" timeout, putting
2650  * the BPF descriptor into non-blocking mode, and read from
2651  * it regardless of whether "select()" reports it as readable
2652  * or not.
2653  *
2654  * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()"
2655  * won't wake up and return "readable" if the timer expires
2656  * and non-blocking reads return EWOULDBLOCK if the hold
2657  * buffer is empty, even if the store buffer is non-empty.
2658  *
2659  * This means the workaround in question won't work.
2660  *
2661  * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd"
2662  * to -1, which means "sorry, you can't use 'select()' or 'poll()'
2663  * here". On all other BPF platforms, we set it to the FD for
2664  * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking
2665  * read will, if the hold buffer is empty and the store buffer
2666  * isn't empty, rotate the buffers and return what packets are
2667  * there (and in sufficiently recent versions of OpenBSD
2668  * "select()" and "poll()" should work correctly).
2669  *
2670  * XXX - what about AIX?
2671  */
2672  p->selectable_fd = p->fd; /* assume select() works until we know otherwise */
2673  if (have_osinfo) {
2674  /*
2675  * We can check what OS this is.
2676  */
2677  if (strcmp(osinfo.sysname, "FreeBSD") == 0) {
2678  if (strncmp(osinfo.release, "4.3-", 4) == 0 ||
2679  strncmp(osinfo.release, "4.4-", 4) == 0)
2680  p->selectable_fd = -1;
2681  }
2682  }
2683 
2684  p->read_op = pcap_read_bpf;
2691  p->stats_op = pcap_stats_bpf;
2693 
2694  return (status);
2695  bad:
2696  pcap_cleanup_bpf(p);
2697  return (status);
2698 }
2699 
2700 /*
2701  * Not all interfaces can be bound to by BPF, so try to bind to
2702  * the specified interface; return 0 if we fail with
2703  * PCAP_ERROR_NO_SUCH_DEVICE (which means we got an ENXIO when we tried
2704  * to bind, which means this interface isn't in the list of interfaces
2705  * attached to BPF) and 1 otherwise.
2706  */
2707 static int
2708 check_bpf_bindable(const char *name)
2709 {
2710  int fd;
2711  char errbuf[PCAP_ERRBUF_SIZE];
2712 
2713  /*
2714  * On macOS, we don't do this check if the device name begins
2715  * with "wlt"; at least some versions of macOS (actually, it
2716  * was called "Mac OS X" then...) offer monitor mode capturing
2717  * by having a separate "monitor mode" device for each wireless
2718  * adapter, rather than by implementing the ioctls that
2719  * {Free,Net,Open,DragonFly}BSD provide. Opening that device
2720  * puts the adapter into monitor mode, which, at least for
2721  * some adapters, causes them to deassociate from the network
2722  * with which they're associated.
2723  *
2724  * Instead, we try to open the corresponding "en" device (so
2725  * that we don't end up with, for users without sufficient
2726  * privilege to open capture devices, a list of adapters that
2727  * only includes the wlt devices).
2728  */
2729 #ifdef __APPLE__
2730  if (strncmp(name, "wlt", 3) == 0) {
2731  char *en_name;
2732  size_t en_name_len;
2733 
2734  /*
2735  * Try to allocate a buffer for the "en"
2736  * device's name.
2737  */
2738  en_name_len = strlen(name) - 1;
2739  en_name = malloc(en_name_len + 1);
2740  if (en_name == NULL) {
2742  errno, "malloc");
2743  return (-1);
2744  }
2745  strcpy(en_name, "en");
2746  strcat(en_name, name + 3);
2747  fd = bpf_open_and_bind(en_name, errbuf);
2748  free(en_name);
2749  } else
2750 #endif /* __APPLE */
2751  fd = bpf_open_and_bind(name, errbuf);
2752  if (fd < 0) {
2753  /*
2754  * Error - was it PCAP_ERROR_NO_SUCH_DEVICE?
2755  */
2756  if (fd == PCAP_ERROR_NO_SUCH_DEVICE) {
2757  /*
2758  * Yes, so we can't bind to this because it's
2759  * not something supported by BPF.
2760  */
2761  return (0);
2762  }
2763  /*
2764  * No, so we don't know whether it's supported or not;
2765  * say it is, so that the user can at least try to
2766  * open it and report the error (which is probably
2767  * "you don't have permission to open BPF devices";
2768  * reporting those interfaces means users will ask
2769  * "why am I getting a permissions error when I try
2770  * to capture" rather than "why am I not seeing any
2771  * interfaces", making the underlying problem clearer).
2772  */
2773  return (1);
2774  }
2775 
2776  /*
2777  * Success.
2778  */
2779  close(fd);
2780  return (1);
2781 }
2782 
2783 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2)
2784 static int
2785 get_usb_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
2786 {
2787  /*
2788  * XXX - if there's a way to determine whether there's something
2789  * plugged into a given USB bus, use that to determine whether
2790  * this device is "connected" or not.
2791  */
2792  return (0);
2793 }
2794 
2795 static int
2796 finddevs_usb(pcap_if_list_t *devlistp, char *errbuf)
2797 {
2798  DIR *usbdir;
2799  struct dirent *usbitem;
2800  size_t name_max;
2801  char *name;
2802 
2803  /*
2804  * We might have USB sniffing support, so try looking for USB
2805  * interfaces.
2806  *
2807  * We want to report a usbusN device for each USB bus, but
2808  * usbusN interfaces might, or might not, exist for them -
2809  * we create one if there isn't already one.
2810  *
2811  * So, instead, we look in /dev/usb for all buses and create
2812  * a "usbusN" device for each one.
2813  */
2814  usbdir = opendir("/dev/usb");
2815  if (usbdir == NULL) {
2816  /*
2817  * Just punt.
2818  */
2819  return (0);
2820  }
2821 
2822  /*
2823  * Leave enough room for a 32-bit (10-digit) bus number.
2824  * Yes, that's overkill, but we won't be using
2825  * the buffer very long.
2826  */
2827  name_max = USBUS_PREFIX_LEN + 10 + 1;
2828  name = malloc(name_max);
2829  if (name == NULL) {
2830  closedir(usbdir);
2831  return (0);
2832  }
2833  while ((usbitem = readdir(usbdir)) != NULL) {
2834  char *p;
2835  size_t busnumlen;
2836 
2837  if (strcmp(usbitem->d_name, ".") == 0 ||
2838  strcmp(usbitem->d_name, "..") == 0) {
2839  /*
2840  * Ignore these.
2841  */
2842  continue;
2843  }
2844  p = strchr(usbitem->d_name, '.');
2845  if (p == NULL)
2846  continue;
2847  busnumlen = p - usbitem->d_name;
2848  memcpy(name, usbus_prefix, USBUS_PREFIX_LEN);
2849  memcpy(name + USBUS_PREFIX_LEN, usbitem->d_name, busnumlen);
2850  *(name + USBUS_PREFIX_LEN + busnumlen) = '\0';
2851  /*
2852  * There's an entry in this directory for every USB device,
2853  * not for every bus; if there's more than one device on
2854  * the bus, there'll be more than one entry for that bus,
2855  * so we need to avoid adding multiple capture devices
2856  * for each bus.
2857  */
2858  if (find_or_add_dev(devlistp, name, PCAP_IF_UP,
2859  get_usb_if_flags, NULL, errbuf) == NULL) {
2860  free(name);
2861  closedir(usbdir);
2862  return (PCAP_ERROR);
2863  }
2864  }
2865  free(name);
2866  closedir(usbdir);
2867  return (0);
2868 }
2869 #endif
2870 
2871 /*
2872  * Get additional flags for a device, using SIOCGIFMEDIA.
2873  */
2874 #ifdef SIOCGIFMEDIA
2875 static int
2876 get_if_flags(const char *name, bpf_u_int32 *flags, char *errbuf)
2877 {
2878  int sock;
2879  struct ifmediareq req;
2880 
2881  sock = socket(AF_INET, SOCK_DGRAM, 0);
2882  if (sock == -1) {
2884  "Can't create socket to get media information for %s",
2885  name);
2886  return (-1);
2887  }
2888  memset(&req, 0, sizeof(req));
2889  pcap_strlcpy(req.ifm_name, name, sizeof(req.ifm_name));
2890  if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
2891  if (errno == EOPNOTSUPP || errno == EINVAL || errno == ENOTTY ||
2892  errno == ENODEV || errno == EPERM
2893 #ifdef EPWROFF
2894  || errno == EPWROFF
2895 #endif
2896  ) {
2897  /*
2898  * Not supported, so we can't provide any
2899  * additional information. Assume that
2900  * this means that "connected" vs.
2901  * "disconnected" doesn't apply.
2902  *
2903  * The ioctl routine for Apple's pktap devices,
2904  * annoyingly, checks for "are you root?" before
2905  * checking whether the ioctl is valid, so it
2906  * returns EPERM, rather than ENOTSUP, for the
2907  * invalid SIOCGIFMEDIA, unless you're root.
2908  * So, just as we do for some ethtool ioctls
2909  * on Linux, which makes the same mistake, we
2910  * also treat EPERM as meaning "not supported".
2911  *
2912  * And it appears that Apple's llw0 device, which
2913  * appears to be part of the Skywalk subsystem:
2914  *
2915  * http://newosxbook.com/bonus/vol1ch16.html
2916  *
2917  * can sometimes return EPWROFF ("Device power
2918  * is off") for that ioctl, so we treat *that*
2919  * as another indication that we can't get a
2920  * connection status. (If it *isn't* "powered
2921  * off", it's reported as a wireless device,
2922  * complete with an active/inactive state.)
2923  */
2925  close(sock);
2926  return (0);
2927  }
2929  "SIOCGIFMEDIA on %s failed", name);
2930  close(sock);
2931  return (-1);
2932  }
2933  close(sock);
2934 
2935  /*
2936  * OK, what type of network is this?
2937  */
2938  switch (IFM_TYPE(req.ifm_active)) {
2939 
2940  case IFM_IEEE80211:
2941  /*
2942  * Wireless.
2943  */
2944  *flags |= PCAP_IF_WIRELESS;
2945  break;
2946  }
2947 
2948  /*
2949  * Do we know whether it's connected?
2950  */
2951  if (req.ifm_status & IFM_AVALID) {
2952  /*
2953  * Yes.
2954  */
2955  if (req.ifm_status & IFM_ACTIVE) {
2956  /*
2957  * It's connected.
2958  */
2960  } else {
2961  /*
2962  * It's disconnected.
2963  */
2965  }
2966  }
2967  return (0);
2968 }
2969 #else
2970 static int
2971 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
2972 {
2973  /*
2974  * Nothing we can do other than mark loopback devices as "the
2975  * connected/disconnected status doesn't apply".
2976  *
2977  * XXX - on Solaris, can we do what the dladm command does,
2978  * i.e. get a connected/disconnected indication from a kstat?
2979  * (Note that you can also get the link speed, and possibly
2980  * other information, from a kstat as well.)
2981  */
2982  if (*flags & PCAP_IF_LOOPBACK) {
2983  /*
2984  * Loopback devices aren't wireless, and "connected"/
2985  * "disconnected" doesn't apply to them.
2986  */
2988  return (0);
2989  }
2990  return (0);
2991 }
2992 #endif
2993 
2994 int
2995 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
2996 {
2997  /*
2998  * Get the list of regular interfaces first.
2999  */
3000  if (pcap_findalldevs_interfaces(devlistp, errbuf, check_bpf_bindable,
3001  get_if_flags) == -1)
3002  return (-1); /* failure */
3003 
3004 #if defined(__FreeBSD__) && defined(SIOCIFCREATE2)
3005  if (finddevs_usb(devlistp, errbuf) == -1)
3006  return (-1);
3007 #endif
3008 
3009  return (0);
3010 }
3011 
3012 #ifdef HAVE_BSD_IEEE80211
3013 static int
3014 monitor_mode(pcap_t *p, int set)
3015 {
3016  struct pcap_bpf *pb = p->priv;
3017  int sock;
3018  struct ifmediareq req;
3019  IFM_ULIST_TYPE *media_list;
3020  int i;
3021  int can_do;
3022  struct ifreq ifr;
3023 
3024  sock = socket(AF_INET, SOCK_DGRAM, 0);
3025  if (sock == -1) {
3027  errno, "can't open socket");
3028  return (PCAP_ERROR);
3029  }
3030 
3031  memset(&req, 0, sizeof req);
3032  pcap_strlcpy(req.ifm_name, p->opt.device, sizeof req.ifm_name);
3033 
3034  /*
3035  * Find out how many media types we have.
3036  */
3037  if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
3038  /*
3039  * Can't get the media types.
3040  */
3041  switch (errno) {
3042 
3043  case ENXIO:
3044  /*
3045  * There's no such device.
3046  */
3047  close(sock);
3048  return (PCAP_ERROR_NO_SUCH_DEVICE);
3049 
3050  case EINVAL:
3051  /*
3052  * Interface doesn't support SIOC{G,S}IFMEDIA.
3053  */
3054  close(sock);
3055  return (PCAP_ERROR_RFMON_NOTSUP);
3056 
3057  default:
3059  errno, "SIOCGIFMEDIA");
3060  close(sock);
3061  return (PCAP_ERROR);
3062  }
3063  }
3064  if (req.ifm_count == 0) {
3065  /*
3066  * No media types.
3067  */
3068  close(sock);
3069  return (PCAP_ERROR_RFMON_NOTSUP);
3070  }
3071 
3072  /*
3073  * Allocate a buffer to hold all the media types, and
3074  * get the media types.
3075  */
3076  media_list = malloc(req.ifm_count * sizeof(*media_list));
3077  if (media_list == NULL) {
3079  errno, "malloc");
3080  close(sock);
3081  return (PCAP_ERROR);
3082  }
3083  req.ifm_ulist = media_list;
3084  if (ioctl(sock, SIOCGIFMEDIA, &req) < 0) {
3086  errno, "SIOCGIFMEDIA");
3087  free(media_list);
3088  close(sock);
3089  return (PCAP_ERROR);
3090  }
3091 
3092  /*
3093  * Look for an 802.11 "automatic" media type.
3094  * We assume that all 802.11 adapters have that media type,
3095  * and that it will carry the monitor mode supported flag.
3096  */
3097  can_do = 0;
3098  for (i = 0; i < req.ifm_count; i++) {
3099  if (IFM_TYPE(media_list[i]) == IFM_IEEE80211
3100  && IFM_SUBTYPE(media_list[i]) == IFM_AUTO) {
3101  /* OK, does it do monitor mode? */
3102  if (media_list[i] & IFM_IEEE80211_MONITOR) {
3103  can_do = 1;
3104  break;
3105  }
3106  }
3107  }
3108  free(media_list);
3109  if (!can_do) {
3110  /*
3111  * This adapter doesn't support monitor mode.
3112  */
3113  close(sock);
3114  return (PCAP_ERROR_RFMON_NOTSUP);
3115  }
3116 
3117  if (set) {
3118  /*
3119  * Don't just check whether we can enable monitor mode,
3120  * do so, if it's not already enabled.
3121  */
3122  if ((req.ifm_current & IFM_IEEE80211_MONITOR) == 0) {
3123  /*
3124  * Monitor mode isn't currently on, so turn it on,
3125  * and remember that we should turn it off when the
3126  * pcap_t is closed.
3127  */
3128 
3129  /*
3130  * If we haven't already done so, arrange to have
3131  * "pcap_close_all()" called when we exit.
3132  */
3133  if (!pcap_do_addexit(p)) {
3134  /*
3135  * "atexit()" failed; don't put the interface
3136  * in monitor mode, just give up.
3137  */
3138  close(sock);
3139  return (PCAP_ERROR);
3140  }
3141  memset(&ifr, 0, sizeof(ifr));
3142  (void)pcap_strlcpy(ifr.ifr_name, p->opt.device,
3143  sizeof(ifr.ifr_name));
3144  ifr.ifr_media = req.ifm_current | IFM_IEEE80211_MONITOR;
3145  if (ioctl(sock, SIOCSIFMEDIA, &ifr) == -1) {
3147  PCAP_ERRBUF_SIZE, errno, "SIOCSIFMEDIA");
3148  close(sock);
3149  return (PCAP_ERROR);
3150  }
3151 
3153 
3154  /*
3155  * Add this to the list of pcaps to close when we exit.
3156  */
3158  }
3159  }
3160  return (0);
3161 }
3162 #endif /* HAVE_BSD_IEEE80211 */
3163 
3164 #if defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211))
3165 /*
3166  * Check whether we have any 802.11 link-layer types; return the best
3167  * of the 802.11 link-layer types if we find one, and return -1
3168  * otherwise.
3169  *
3170  * DLT_IEEE802_11_RADIO, with the radiotap header, is considered the
3171  * best 802.11 link-layer type; any of the other 802.11-plus-radio
3172  * headers are second-best; 802.11 with no radio information is
3173  * the least good.
3174  */
3175 static int
3176 find_802_11(struct bpf_dltlist *bdlp)
3177 {
3178  int new_dlt;
3179  u_int i;
3180 
3181  /*
3182  * Scan the list of DLT_ values, looking for 802.11 values,
3183  * and, if we find any, choose the best of them.
3184  */
3185  new_dlt = -1;
3186  for (i = 0; i < bdlp->bfl_len; i++) {
3187  switch (bdlp->bfl_list[i]) {
3188 
3189  case DLT_IEEE802_11:
3190  /*
3191  * 802.11, but no radio.
3192  *
3193  * Offer this, and select it as the new mode
3194  * unless we've already found an 802.11
3195  * header with radio information.
3196  */
3197  if (new_dlt == -1)
3198  new_dlt = bdlp->bfl_list[i];
3199  break;
3200 
3201 #ifdef DLT_PRISM_HEADER
3202  case DLT_PRISM_HEADER:
3203 #endif
3204 #ifdef DLT_AIRONET_HEADER
3205  case DLT_AIRONET_HEADER:
3206 #endif
3208  /*
3209  * 802.11 with radio, but not radiotap.
3210  *
3211  * Offer this, and select it as the new mode
3212  * unless we've already found the radiotap DLT_.
3213  */
3214  if (new_dlt != DLT_IEEE802_11_RADIO)
3215  new_dlt = bdlp->bfl_list[i];
3216  break;
3217 
3218  case DLT_IEEE802_11_RADIO:
3219  /*
3220  * 802.11 with radiotap.
3221  *
3222  * Offer this, and select it as the new mode.
3223  */
3224  new_dlt = bdlp->bfl_list[i];
3225  break;
3226 
3227  default:
3228  /*
3229  * Not 802.11.
3230  */
3231  break;
3232  }
3233  }
3234 
3235  return (new_dlt);
3236 }
3237 #endif /* defined(BIOCGDLTLIST) && (defined(__APPLE__) || defined(HAVE_BSD_IEEE80211)) */
3238 
3239 #if defined(__APPLE__) && defined(BIOCGDLTLIST)
3240 /*
3241  * Remove non-802.11 header types from the list of DLT_ values, as we're in
3242  * monitor mode, and those header types aren't supported in monitor mode.
3243  */
3244 static void
3245 remove_non_802_11(pcap_t *p)
3246 {
3247  int i, j;
3248 
3249  /*
3250  * Scan the list of DLT_ values and discard non-802.11 ones.
3251  */
3252  j = 0;
3253  for (i = 0; i < p->dlt_count; i++) {
3254  switch (p->dlt_list[i]) {
3255 
3256  case DLT_EN10MB:
3257  case DLT_RAW:
3258  /*
3259  * Not 802.11. Don't offer this one.
3260  */
3261  continue;
3262 
3263  default:
3264  /*
3265  * Just copy this mode over.
3266  */
3267  break;
3268  }
3269 
3270  /*
3271  * Copy this DLT_ value to its new position.
3272  */
3273  p->dlt_list[j] = p->dlt_list[i];
3274  j++;
3275  }
3276 
3277  /*
3278  * Set the DLT_ count to the number of entries we copied.
3279  */
3280  p->dlt_count = j;
3281 }
3282 
3283 /*
3284  * Remove 802.11 link-layer types from the list of DLT_ values, as
3285  * we're not in monitor mode, and those DLT_ values will switch us
3286  * to monitor mode.
3287  */
3288 static void
3289 remove_802_11(pcap_t *p)
3290 {
3291  int i, j;
3292 
3293  /*
3294  * Scan the list of DLT_ values and discard 802.11 values.
3295  */
3296  j = 0;
3297  for (i = 0; i < p->dlt_count; i++) {
3298  switch (p->dlt_list[i]) {
3299 
3300  case DLT_IEEE802_11:
3301 #ifdef DLT_PRISM_HEADER
3302  case DLT_PRISM_HEADER:
3303 #endif
3304 #ifdef DLT_AIRONET_HEADER
3305  case DLT_AIRONET_HEADER:
3306 #endif
3307  case DLT_IEEE802_11_RADIO:
3309 #ifdef DLT_PPI
3310  case DLT_PPI:
3311 #endif
3312  /*
3313  * 802.11. Don't offer this one.
3314  */
3315  continue;
3316 
3317  default:
3318  /*
3319  * Just copy this mode over.
3320  */
3321  break;
3322  }
3323 
3324  /*
3325  * Copy this DLT_ value to its new position.
3326  */
3327  p->dlt_list[j] = p->dlt_list[i];
3328  j++;
3329  }
3330 
3331  /*
3332  * Set the DLT_ count to the number of entries we copied.
3333  */
3334  p->dlt_count = j;
3335 }
3336 #endif /* defined(__APPLE__) && defined(BIOCGDLTLIST) */
3337 
3338 static int
3340 {
3341  struct pcap_bpf *pb = p->priv;
3342 
3343  /*
3344  * Free any user-mode filter we might happen to have installed.
3345  */
3346  pcap_freecode(&p->fcode);
3347 
3348  /*
3349  * Try to install the kernel filter.
3350  */
3351  if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) == 0) {
3352  /*
3353  * It worked.
3354  */
3355  pb->filtering_in_kernel = 1; /* filtering in the kernel */
3356 
3357  /*
3358  * Discard any previously-received packets, as they might
3359  * have passed whatever filter was formerly in effect, but
3360  * might not pass this filter (BIOCSETF discards packets
3361  * buffered in the kernel, so you can lose packets in any
3362  * case).
3363  */
3364  p->cc = 0;
3365  return (0);
3366  }
3367 
3368  /*
3369  * We failed.
3370  *
3371  * If it failed with EINVAL, that's probably because the program
3372  * is invalid or too big. Validate it ourselves; if we like it
3373  * (we currently allow backward branches, to support protochain),
3374  * run it in userland. (There's no notion of "too big" for
3375  * userland.)
3376  *
3377  * Otherwise, just give up.
3378  * XXX - if the copy of the program into the kernel failed,
3379  * we will get EINVAL rather than, say, EFAULT on at least
3380  * some kernels.
3381  */
3382  if (errno != EINVAL) {
3384  errno, "BIOCSETF");
3385  return (-1);
3386  }
3387 
3388  /*
3389  * install_bpf_program() validates the program.
3390  *
3391  * XXX - what if we already have a filter in the kernel?
3392  */
3393  if (install_bpf_program(p, fp) < 0)
3394  return (-1);
3395  pb->filtering_in_kernel = 0; /* filtering in userland */
3396  return (0);
3397 }
3398 
3399 /*
3400  * Set direction flag: Which packets do we accept on a forwarding
3401  * single device? IN, OUT or both?
3402  */
3403 #if defined(BIOCSDIRECTION)
3404 static int
3406 {
3407  u_int direction;
3408  const char *direction_name;
3409 
3410  /*
3411  * FreeBSD and NetBSD.
3412  */
3413  switch (d) {
3414 
3415  case PCAP_D_IN:
3416  /*
3417  * Incoming, but not outgoing, so accept only
3418  * incoming packets.
3419  */
3420  direction = BPF_D_IN;
3421  direction_name = "\"incoming only\"";
3422  break;
3423 
3424  case PCAP_D_OUT:
3425  /*
3426  * Outgoing, but not incoming, so accept only
3427  * outgoing packets.
3428  */
3429  direction = BPF_D_OUT;
3430  direction_name = "\"outgoing only\"";
3431  break;
3432 
3433  default:
3434  /*
3435  * Incoming and outgoing, so accept both
3436  * incoming and outgoing packets.
3437  *
3438  * It's guaranteed, at this point, that d is a valid
3439  * direction value, so we know that this is PCAP_D_INOUT
3440  * if it's not PCAP_D_IN or PCAP_D_OUT.
3441  */
3442  direction = BPF_D_INOUT;
3443  direction_name = "\"incoming and outgoing\"";
3444  break;
3445  }
3446 
3447  if (ioctl(p->fd, BIOCSDIRECTION, &direction) == -1) {
3448  pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
3449  errno, "Cannot set direction to %s", direction_name);
3450  return (-1);
3451  }
3452  return (0);
3453 }
3454 #elif defined(BIOCSDIRFILT)
3455 static int
3457 {
3458  u_int dirfilt;
3459  const char *direction_name;
3460 
3461  /*
3462  * OpenBSD; same functionality, different names, different
3463  * semantics (the flags mean "*don't* capture packets in
3464  * that direction", not "*capture only* packets in that
3465  * direction").
3466  */
3467  switch (d) {
3468 
3469  case PCAP_D_IN:
3470  /*
3471  * Incoming, but not outgoing, so filter out
3472  * outgoing packets.
3473  */
3474  dirfilt = BPF_DIRECTION_OUT;
3475  direction_name = "\"incoming only\"";
3476  break;
3477 
3478  case PCAP_D_OUT:
3479  /*
3480  * Outgoing, but not incoming, so filter out
3481  * incoming packets.
3482  */
3483  dirfilt = BPF_DIRECTION_IN;
3484  direction_name = "\"outgoing only\"";
3485  break;
3486 
3487  default:
3488  /*
3489  * Incoming and outgoing, so don't filter out
3490  * any packets based on direction.
3491  *
3492  * It's guaranteed, at this point, that d is a valid
3493  * direction value, so we know that this is PCAP_D_INOUT
3494  * if it's not PCAP_D_IN or PCAP_D_OUT.
3495  */
3496  dirfilt = 0;
3497  direction_name = "\"incoming and outgoing\"";
3498  break;
3499  }
3500  if (ioctl(p->fd, BIOCSDIRFILT, &dirfilt) == -1) {
3501  pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
3502  errno, "Cannot set direction to %s", direction_name);
3503  return (-1);
3504  }
3505  return (0);
3506 }
3507 #elif defined(BIOCSSEESENT)
3508 static int
3510 {
3511  u_int seesent;
3512  const char *direction_name;
3513 
3514  /*
3515  * OS with just BIOCSSEESENT.
3516  */
3517  switch (d) {
3518 
3519  case PCAP_D_IN:
3520  /*
3521  * Incoming, but not outgoing, so we don't want to
3522  * see transmitted packets.
3523  */
3524  seesent = 0;
3525  direction_name = "\"incoming only\"";
3526  break;
3527 
3528  case PCAP_D_OUT:
3529  /*
3530  * Outgoing, but not incoming; we can't specify that.
3531  */
3532  snprintf(p->errbuf, sizeof(p->errbuf),
3533  "Setting direction to \"outgoing only\" is not supported on this device");
3534  return (-1);
3535 
3536  default:
3537  /*
3538  * Incoming and outgoing, so we want to see transmitted
3539  * packets.
3540  *
3541  * It's guaranteed, at this point, that d is a valid
3542  * direction value, so we know that this is PCAP_D_INOUT
3543  * if it's not PCAP_D_IN or PCAP_D_OUT.
3544  */
3545  seesent = 1;
3546  direction_name = "\"incoming and outgoing\"";
3547  break;
3548  }
3549 
3550  if (ioctl(p->fd, BIOCSSEESENT, &seesent) == -1) {
3551  pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
3552  errno, "Cannot set direction to %s", direction_name);
3553  return (-1);
3554  }
3555  return (0);
3556 }
3557 #else
3558 static int
3560 {
3561  (void) snprintf(p->errbuf, sizeof(p->errbuf),
3562  "Setting direction is not supported on this device");
3563  return (-1);
3564 }
3565 #endif
3566 
3567 #ifdef BIOCSDLT
3568 static int
3569 pcap_set_datalink_bpf(pcap_t *p, int dlt)
3570 {
3571  if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) {
3572  pcap_fmt_errmsg_for_errno(p->errbuf, sizeof(p->errbuf),
3573  errno, "Cannot set DLT %d", dlt);
3574  return (-1);
3575  }
3576  return (0);
3577 }
3578 #else
3579 static int
3581 {
3582  return (0);
3583 }
3584 #endif
3585 
3586 /*
3587  * Platform-specific information.
3588  */
3589 const char *
3591 {
3592 #ifdef HAVE_ZEROCOPY_BPF
3593  return (PCAP_VERSION_STRING " (with zerocopy support)");
3594 #else
3595  return (PCAP_VERSION_STRING);
3596 #endif
3597 }
int pcap_asprintf(char **strp, const char *format,...)
Definition: asprintf.c:91
#define BPF_WORDALIGN(x)
Definition: bpf.h:112
u_int bpf_u_int32
Definition: bpf.h:98
u_int pcap_filter(const struct bpf_insn *pc, const u_char *p, u_int wirelen, u_int buflen)
Definition: bpf_filter.c:391
static void error(const char *,...)
#define DLT_IEEE802_11_RADIO
Definition: dlt.h:396
#define DLT_RAW
Definition: dlt.h:88
#define DLT_AIRONET_HEADER
Definition: dlt.h:289
#define DLT_IEEE802
Definition: dlt.h:68
#define DLT_EN10MB
Definition: dlt.h:63
#define DLT_FRELAY
Definition: dlt.h:215
#define DLT_PPP_BSDOS
Definition: dlt.h:104
#define DLT_SLIP
Definition: dlt.h:70
#define DLT_NULL
Definition: dlt.h:62
#define DLT_PRISM_HEADER
Definition: dlt.h:283
#define DLT_DOCSIS
Definition: dlt.h:465
#define DLT_IPNET
Definition: dlt.h:1024
#define DLT_PPI
Definition: dlt.h:722
#define DLT_PPP
Definition: dlt.h:71
#define DLT_IEEE802_11_RADIO_AVS
Definition: dlt.h:542
#define DLT_IEEE802_11
Definition: dlt.h:200
#define DLT_CHDLC
Definition: dlt.h:198
#define DLT_SLIP_BSDOS
Definition: dlt.h:103
#define DLT_FDDI
Definition: dlt.h:72
int pcap_findalldevs_interfaces(pcap_if_list_t *devlistp, char *errbuf, int(*check_usable)(const char *), get_if_flags_func get_flags_func)
Definition: fad-getad.c:146
void pcap_fmt_errmsg_for_errno(char *errbuf, size_t errbuflen, int errnum, const char *fmt,...)
Definition: fmtutils.c:269
void pcap_freecode(struct bpf_program *program)
Definition: gencode.c:900
int install_bpf_program(pcap_t *p, struct bpf_program *fp)
Definition: optimize.c:2939
int snprintf(char *, size_t, const char *,...)
char * strerror(int)
int ioctl(int, int, caddr_t)
int munmap(caddr_t, int)
off_t lseek(int, off_t, int)
int getpagesize(void)
int select(int, fd_set *, fd_set *, fd_set *, struct timeval *)
int read(int, char *, u_int)
int write(int, char *, u_int)
int socket(int, int, int)
int close(int)
static int get_if_flags(const char *name, bpf_u_int32 *flags, char *errbuf)
Definition: pcap-bpf.c:2971
#define bhp
static int pcap_activate_bpf(pcap_t *p)
Definition: pcap-bpf.c:1746
#define BPF_BIND_SUCCEEDED
Definition: pcap-bpf.c:625
const char * pcap_lib_version(void)
Definition: pcap-bpf.c:3590
#define MUST_DESTROY_USBUS
Definition: pcap-bpf.c:181
static int pcap_inject_bpf(pcap_t *p, const void *buf, int size)
Definition: pcap-bpf.c:1316
#define BPF_BIND_BUFFER_TOO_BIG
Definition: pcap-bpf.c:626
static int bpf_open_and_bind(const char *name, char *errbuf)
Definition: pcap-bpf.c:703
int pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
Definition: pcap-bpf.c:2995
static int bpf_bind(int fd, const char *name, char *errbuf)
Definition: pcap-bpf.c:629
#define MUST_CLEAR_RFMON
Definition: pcap-bpf.c:180
#define DEFAULT_BUFSIZE
Definition: pcap-bpf.c:1742
pcap_t * pcap_create_interface(const char *device, char *ebuf)
Definition: pcap-bpf.c:443
static int bpf_open(char *errbuf)
Definition: pcap-bpf.c:477
static int pcap_getnonblock_bpf(pcap_t *p)
Definition: pcap-bpf.c:258
static int pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
Definition: pcap-bpf.c:1051
static int pcap_can_set_rfmon_bpf(pcap_t *p)
Definition: pcap-bpf.c:1014
static void pcap_cleanup_bpf(pcap_t *p)
Definition: pcap-bpf.c:1523
static int pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps)
Definition: pcap-bpf.c:1021
static int pcap_setdirection_bpf(pcap_t *, pcap_direction_t)
Definition: pcap-bpf.c:3559
static int check_setif_failure(pcap_t *p, int error)
Definition: pcap-bpf.c:1720
static int check_bpf_bindable(const char *name)
Definition: pcap-bpf.c:2708
static int pcap_setnonblock_bpf(pcap_t *p, int nonblock)
Definition: pcap-bpf.c:270
static int pcap_set_datalink_bpf(pcap_t *p, int dlt)
Definition: pcap-bpf.c:3580
static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
Definition: pcap-bpf.c:3339
#define _U_
Definition: pcap-dos.h:93
int errno
#define MAXIMUM_SNAPLEN
Definition: pcap-int.h:131
void pcap_add_to_pcaps_to_close(pcap_t *)
Definition: pcap.c:3946
int pcap_do_addexit(pcap_t *)
Definition: pcap.c:3926
#define PACKET_COUNT_IS_UNLIMITED(count)
Definition: pcap-int.h:444
void pcap_cleanup_live_common(pcap_t *)
Definition: pcap.c:3987
pcap_if_t * find_or_add_dev(pcap_if_list_t *, const char *, bpf_u_int32, get_if_flags_func, const char *, char *)
Definition: pcap.c:1233
int pcap_getnonblock_fd(pcap_t *)
Definition: pcap.c:3537
#define PCAP_ISDIGIT(c)
Definition: pcap-int.h:138
void pcap_remove_from_pcaps_to_close(pcap_t *)
Definition: pcap.c:3953
int pcap_setnonblock_fd(pcap_t *p, int)
Definition: pcap.c:3583
#define PCAP_VERSION_STRING
Definition: pcap-int.h:59
#define PCAP_CREATE_COMMON(ebuf, type)
Definition: pcap-int.h:474
static struct sock_filter total_insn
Definition: pcap-linux.c:333
#define BPF_K
Definition: pcap-npf.c:53
#define BPF_RET
Definition: pcap-npf.c:52
#define PCAP_FDDIPAD
Definition: pcap-pf.c:74
struct pcap_stat stat
Definition: pcap-septel.c:51
#define PCAP_ERROR_PERM_DENIED
Definition: pcap.h:346
#define PCAP_TSTAMP_PRECISION_NANO
Definition: pcap.h:512
#define PCAP_ERROR_RFMON_NOTSUP
Definition: pcap.h:344
#define PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE
Definition: pcap.h:317
#define PCAP_IF_LOOPBACK
Definition: pcap.h:309
void(* pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *)
Definition: pcap.h:330
#define PCAP_IF_CONNECTION_STATUS_CONNECTED
Definition: pcap.h:315
#define PCAP_WARNING_PROMISC_NOTSUP
Definition: pcap.h:358
#define PCAP_ERROR_IFACE_NOT_UP
Definition: pcap.h:347
#define PCAP_IF_UP
Definition: pcap.h:310
#define PCAP_ERROR_BREAK
Definition: pcap.h:340
#define PCAP_ERROR_NO_SUCH_DEVICE
Definition: pcap.h:343
#define PCAP_TSTAMP_PRECISION_MICRO
Definition: pcap.h:511
#define PCAP_IF_WIRELESS
Definition: pcap.h:312
pcap_direction_t
Definition: pcap.h:227
@ PCAP_D_IN
Definition: pcap.h:229
@ PCAP_D_OUT
Definition: pcap.h:230
#define PCAP_ERRBUF_SIZE
Definition: pcap.h:152
#define PCAP_IF_CONNECTION_STATUS_DISCONNECTED
Definition: pcap.h:316
#define PCAP_ERROR
Definition: pcap.h:339
size_t pcap_strlcpy(char *restrict dst, const char *restrict src, size_t dsize)
Definition: strlcpy.c:34
Definition: bpf.h:245
struct bpf_insn * bf_insns
Definition: bpf.h:119
u_int bf_len
Definition: bpf.h:118
int must_do_on_close
Definition: pcap-bpf.c:174
int filtering_in_kernel
Definition: pcap-bpf.c:173
char * device
Definition: pcap-bpf.c:172
int timeout
Definition: pcap-int.h:147
char * device
Definition: pcap-int.h:146
int rfmon
Definition: pcap-int.h:150
int tstamp_precision
Definition: pcap-int.h:154
int immediate
Definition: pcap-int.h:151
int promisc
Definition: pcap-int.h:149
u_int buffer_size
Definition: pcap-int.h:148
bpf_u_int32 caplen
Definition: pcap.h:247
struct timeval ts
Definition: pcap.h:246
bpf_u_int32 len
Definition: pcap.h:248
u_int ps_drop
Definition: pcap.h:256
u_int ps_recv
Definition: pcap.h:255
u_int ps_ifdrop
Definition: pcap.h:257
Definition: pcap-int.h:200
stats_op_t stats_op
Definition: pcap-int.h:320
activate_op_t activate_op
Definition: pcap-int.h:311
setnonblock_op_t setnonblock_op
Definition: pcap-int.h:319
setfilter_op_t setfilter_op
Definition: pcap-int.h:315
u_int * tstamp_precision_list
Definition: pcap-int.h:304
sig_atomic_t break_loop
Definition: pcap-int.h:225
int dlt_count
Definition: pcap-int.h:299
u_int fddipad
Definition: pcap-int.h:235
u_int bufsize
Definition: pcap-int.h:220
void * priv
Definition: pcap-int.h:227
getnonblock_op_t getnonblock_op
Definition: pcap-int.h:318
u_int * dlt_list
Definition: pcap-int.h:300
read_op_t read_op
Definition: pcap-int.h:204
void * buffer
Definition: pcap-int.h:221
u_char * bp
Definition: pcap-int.h:222
int snapshot
Definition: pcap-int.h:247
cleanup_op_t cleanup_op
Definition: pcap-int.h:346
setdirection_op_t setdirection_op
Definition: pcap-int.h:316
int tstamp_precision_count
Definition: pcap-int.h:303
inject_op_t inject_op
Definition: pcap-int.h:313
int cc
Definition: pcap-int.h:223
struct bpf_program fcode
Definition: pcap-int.h:293
set_datalink_op_t set_datalink_op
Definition: pcap-int.h:317
char errbuf[256+1]
Definition: pcap-int.h:295
int linktype
Definition: pcap-int.h:248
int selectable_fd
Definition: pcap-int.h:274
int fd
Definition: pcap-int.h:214
can_set_rfmon_op_t can_set_rfmon_op
Definition: pcap-int.h:312
struct pcap_opt opt
Definition: pcap-int.h:254
int oldstyle
Definition: pcap-int.h:252