libpcap  1.10.1
About: libpcap is a packet filter library used by tools like tcpdump.
  Fossies Dox: libpcap-1.10.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

pcap-pf.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996
3  * The Regents of the University of California. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  *
21  * packet filter subroutines for tcpdump
22  * Extraction/creation by Jeffrey Mogul, DECWRL
23  */
24 
25 #ifdef HAVE_CONFIG_H
26 #include <config.h>
27 #endif
28 
29 #include <sys/types.h>
30 #include <sys/time.h>
31 #include <sys/timeb.h>
32 #include <sys/socket.h>
33 #include <sys/file.h>
34 #include <sys/ioctl.h>
35 #include <net/pfilt.h>
36 
37 struct mbuf;
38 struct rtentry;
39 #include <net/if.h>
40 
41 #include <netinet/in.h>
42 #include <netinet/in_systm.h>
43 #include <netinet/ip.h>
44 #include <netinet/if_ether.h>
45 #include <netinet/ip_var.h>
46 #include <netinet/udp.h>
47 #include <netinet/udp_var.h>
48 #include <netinet/tcp.h>
49 #include <netinet/tcpip.h>
50 
51 #include <errno.h>
52 #include <netdb.h>
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <string.h>
56 #include <unistd.h>
57 
58 /*
59  * Make "pcap.h" not include "pcap/bpf.h"; we are going to include the
60  * native OS version, as we need various BPF ioctls from it.
61  */
62 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
63 #include <net/bpf.h>
64 
65 #include "pcap-int.h"
66 
67 #ifdef HAVE_OS_PROTO_H
68 #include "os-proto.h"
69 #endif
70 
71 /*
72  * FDDI packets are padded to make everything line up on a nice boundary.
73  */
74 #define PCAP_FDDIPAD 3
75 
76 /*
77  * Private data for capturing on Ultrix and DEC OSF/1^WDigital UNIX^W^W
78  * Tru64 UNIX packetfilter devices.
79  */
80 struct pcap_pf {
81  int filtering_in_kernel; /* using kernel filter */
82  u_long TotPkts; /* can't oflow for 79 hrs on ether */
83  u_long TotAccepted; /* count accepted by filter */
84  u_long TotDrops; /* count of dropped packets */
85  long TotMissed; /* missed by i/f during this run */
86  long OrigMissed; /* missed by i/f before this run */
87 };
88 
89 static int pcap_setfilter_pf(pcap_t *, struct bpf_program *);
90 
91 /*
92  * BUFSPACE is the size in bytes of the packet read buffer. Most tcpdump
93  * applications aren't going to need more than 200 bytes of packet header
94  * and the read shouldn't return more packets than packetfilter's internal
95  * queue limit (bounded at 256).
96  */
97 #define BUFSPACE (200 * 256)
98 
99 static int
100 pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
101 {
102  struct pcap_pf *pf = pc->priv;
103  register u_char *p, *bp;
104  register int cc, n, buflen, inc;
105  register struct enstamp *sp;
106  struct enstamp stamp;
107  register u_int pad;
108 
109  again:
110  cc = pc->cc;
111  if (cc == 0) {
112  cc = read(pc->fd, (char *)pc->buffer + pc->offset, pc->bufsize);
113  if (cc < 0) {
114  if (errno == EWOULDBLOCK)
115  return (0);
116  if (errno == EINVAL &&
117  lseek(pc->fd, 0L, SEEK_CUR) + pc->bufsize < 0) {
118  /*
119  * Due to a kernel bug, after 2^31 bytes,
120  * the kernel file offset overflows and
121  * read fails with EINVAL. The lseek()
122  * to 0 will fix things.
123  */
124  (void)lseek(pc->fd, 0L, SEEK_SET);
125  goto again;
126  }
128  sizeof(pc->errbuf), errno, "pf read");
129  return (-1);
130  }
131  bp = (u_char *)pc->buffer + pc->offset;
132  } else
133  bp = pc->bp;
134  /*
135  * Loop through each packet.
136  */
137  n = 0;
138  pad = pc->fddipad;
139  while (cc > 0) {
140  /*
141  * Has "pcap_breakloop()" been called?
142  * If so, return immediately - if we haven't read any
143  * packets, clear the flag and return -2 to indicate
144  * that we were told to break out of the loop, otherwise
145  * leave the flag set, so that the *next* call will break
146  * out of the loop without having read any packets, and
147  * return the number of packets we've processed so far.
148  */
149  if (pc->break_loop) {
150  if (n == 0) {
151  pc->break_loop = 0;
152  return (-2);
153  } else {
154  pc->cc = cc;
155  pc->bp = bp;
156  return (n);
157  }
158  }
159  if (cc < sizeof(*sp)) {
160  snprintf(pc->errbuf, sizeof(pc->errbuf),
161  "pf short read (%d)", cc);
162  return (-1);
163  }
164  if ((long)bp & 3) {
165  sp = &stamp;
166  memcpy((char *)sp, (char *)bp, sizeof(*sp));
167  } else
168  sp = (struct enstamp *)bp;
169  if (sp->ens_stamplen != sizeof(*sp)) {
170  snprintf(pc->errbuf, sizeof(pc->errbuf),
171  "pf short stamplen (%d)",
172  sp->ens_stamplen);
173  return (-1);
174  }
175 
176  p = bp + sp->ens_stamplen;
177  buflen = sp->ens_count;
178  if (buflen > pc->snapshot)
179  buflen = pc->snapshot;
180 
181  /* Calculate inc before possible pad update */
182  inc = ENALIGN(buflen + sp->ens_stamplen);
183  cc -= inc;
184  bp += inc;
185  pf->TotPkts++;
186  pf->TotDrops += sp->ens_dropped;
187  pf->TotMissed = sp->ens_ifoverflows;
188  if (pf->OrigMissed < 0)
189  pf->OrigMissed = pf->TotMissed;
190 
191  /*
192  * Short-circuit evaluation: if using BPF filter
193  * in kernel, no need to do it now - we already know
194  * the packet passed the filter.
195  *
196  * Note: the filter code was generated assuming
197  * that pc->fddipad was the amount of padding
198  * before the header, as that's what's required
199  * in the kernel, so we run the filter before
200  * skipping that padding.
201  */
202  if (pf->filtering_in_kernel ||
203  pcap_filter(pc->fcode.bf_insns, p, sp->ens_count, buflen)) {
204  struct pcap_pkthdr h;
205  pf->TotAccepted++;
206  h.ts = sp->ens_tstamp;
207  h.len = sp->ens_count - pad;
208  p += pad;
209  buflen -= pad;
210  h.caplen = buflen;
211  (*callback)(user, &h, p);
212  if (++n >= cnt && !PACKET_COUNT_IS_UNLIMITED(cnt)) {
213  pc->cc = cc;
214  pc->bp = bp;
215  return (n);
216  }
217  }
218  }
219  pc->cc = 0;
220  return (n);
221 }
222 
223 static int
224 pcap_inject_pf(pcap_t *p, const void *buf, int size)
225 {
226  int ret;
227 
228  ret = write(p->fd, buf, size);
229  if (ret == -1) {
231  errno, "send");
232  return (-1);
233  }
234  return (ret);
235 }
236 
237 static int
239 {
240  struct pcap_pf *pf = p->priv;
241 
242  /*
243  * If packet filtering is being done in the kernel:
244  *
245  * "ps_recv" counts only packets that passed the filter.
246  * This does not include packets dropped because we
247  * ran out of buffer space. (XXX - perhaps it should,
248  * by adding "ps_drop" to "ps_recv", for compatibility
249  * with some other platforms. On the other hand, on
250  * some platforms "ps_recv" counts only packets that
251  * passed the filter, and on others it counts packets
252  * that didn't pass the filter....)
253  *
254  * "ps_drop" counts packets that passed the kernel filter
255  * (if any) but were dropped because the input queue was
256  * full.
257  *
258  * "ps_ifdrop" counts packets dropped by the network
259  * interface (regardless of whether they would have passed
260  * the input filter, of course).
261  *
262  * If packet filtering is not being done in the kernel:
263  *
264  * "ps_recv" counts only packets that passed the filter.
265  *
266  * "ps_drop" counts packets that were dropped because the
267  * input queue was full, regardless of whether they passed
268  * the userland filter.
269  *
270  * "ps_ifdrop" counts packets dropped by the network
271  * interface (regardless of whether they would have passed
272  * the input filter, of course).
273  *
274  * These statistics don't include packets not yet read from
275  * the kernel by libpcap, but they may include packets not
276  * yet read from libpcap by the application.
277  */
278  ps->ps_recv = pf->TotAccepted;
279  ps->ps_drop = pf->TotDrops;
280  ps->ps_ifdrop = pf->TotMissed - pf->OrigMissed;
281  return (0);
282 }
283 
284 /*
285  * We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
286  * don't get DLT_DOCSIS defined.
287  */
288 #ifndef DLT_DOCSIS
289 #define DLT_DOCSIS 143
290 #endif
291 
292 static int
294 {
295  struct pcap_pf *pf = p->priv;
296  short enmode;
297  int backlog = -1; /* request the most */
298  struct enfilter Filter;
299  struct endevp devparams;
300  int err;
301 
302  /*
303  * Initially try a read/write open (to allow the inject
304  * method to work). If that fails due to permission
305  * issues, fall back to read-only. This allows a
306  * non-root user to be granted specific access to pcap
307  * capabilities via file permissions.
308  *
309  * XXX - we should have an API that has a flag that
310  * controls whether to open read-only or read-write,
311  * so that denial of permission to send (or inability
312  * to send, if sending packets isn't supported on
313  * the device in question) can be indicated at open
314  * time.
315  *
316  * XXX - we assume here that "pfopen()" does not, in fact, modify
317  * its argument, even though it takes a "char *" rather than a
318  * "const char *" as its first argument. That appears to be
319  * the case, at least on Digital UNIX 4.0.
320  *
321  * XXX - is there an error that means "no such device"? Is
322  * there one that means "that device doesn't support pf"?
323  */
324  p->fd = pfopen(p->opt.device, O_RDWR);
325  if (p->fd == -1 && errno == EACCES)
326  p->fd = pfopen(p->opt.device, O_RDONLY);
327  if (p->fd < 0) {
328  if (errno == EACCES) {
330  "pf open: %s: Permission denied\n"
331 "your system may not be properly configured; see the packetfilter(4) man page",
332  p->opt.device);
334  } else {
336  errno, "pf open: %s", p->opt.device);
337  err = PCAP_ERROR;
338  }
339  goto bad;
340  }
341 
342  /*
343  * Turn a negative snapshot value (invalid), a snapshot value of
344  * 0 (unspecified), or a value bigger than the normal maximum
345  * value, into the maximum allowed value.
346  *
347  * If some application really *needs* a bigger snapshot
348  * length, we should just increase MAXIMUM_SNAPLEN.
349  */
350  if (p->snapshot <= 0 || p->snapshot > MAXIMUM_SNAPLEN)
352 
353  pf->OrigMissed = -1;
354  enmode = ENTSTAMP|ENNONEXCL;
355  if (!p->opt.immediate)
356  enmode |= ENBATCH;
357  if (p->opt.promisc)
358  enmode |= ENPROMISC;
359  if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
361  errno, "EIOCMBIS");
362  err = PCAP_ERROR;
363  goto bad;
364  }
365 #ifdef ENCOPYALL
366  /* Try to set COPYALL mode so that we see packets to ourself */
367  enmode = ENCOPYALL;
368  (void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */
369 #endif
370  /* set the backlog */
371  if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
373  errno, "EIOCSETW");
374  err = PCAP_ERROR;
375  goto bad;
376  }
377  /* discover interface type */
378  if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
380  errno, "EIOCDEVP");
381  err = PCAP_ERROR;
382  goto bad;
383  }
384  /* HACK: to compile prior to Ultrix 4.2 */
385 #ifndef ENDT_FDDI
386 #define ENDT_FDDI 4
387 #endif
388  switch (devparams.end_dev_type) {
389 
390  case ENDT_10MB:
391  p->linktype = DLT_EN10MB;
392  p->offset = 2;
393  /*
394  * This is (presumably) a real Ethernet capture; give it a
395  * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
396  * that an application can let you choose it, in case you're
397  * capturing DOCSIS traffic that a Cisco Cable Modem
398  * Termination System is putting out onto an Ethernet (it
399  * doesn't put an Ethernet header onto the wire, it puts raw
400  * DOCSIS frames out on the wire inside the low-level
401  * Ethernet framing).
402  */
403  p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
404  /*
405  * If that fails, just leave the list empty.
406  */
407  if (p->dlt_list != NULL) {
408  p->dlt_list[0] = DLT_EN10MB;
409  p->dlt_list[1] = DLT_DOCSIS;
410  p->dlt_count = 2;
411  }
412  break;
413 
414  case ENDT_FDDI:
415  p->linktype = DLT_FDDI;
416  break;
417 
418 #ifdef ENDT_SLIP
419  case ENDT_SLIP:
420  p->linktype = DLT_SLIP;
421  break;
422 #endif
423 
424 #ifdef ENDT_PPP
425  case ENDT_PPP:
426  p->linktype = DLT_PPP;
427  break;
428 #endif
429 
430 #ifdef ENDT_LOOPBACK
431  case ENDT_LOOPBACK:
432  /*
433  * It appears to use Ethernet framing, at least on
434  * Digital UNIX 4.0.
435  */
436  p->linktype = DLT_EN10MB;
437  p->offset = 2;
438  break;
439 #endif
440 
441 #ifdef ENDT_TRN
442  case ENDT_TRN:
443  p->linktype = DLT_IEEE802;
444  break;
445 #endif
446 
447  default:
448  /*
449  * XXX - what about ENDT_IEEE802? The pfilt.h header
450  * file calls this "IEEE 802 networks (non-Ethernet)",
451  * but that doesn't specify a specific link layer type;
452  * it could be 802.4, or 802.5 (except that 802.5 is
453  * ENDT_TRN), or 802.6, or 802.11, or.... That's why
454  * DLT_IEEE802 was hijacked to mean Token Ring in various
455  * BSDs, and why we went along with that hijacking.
456  *
457  * XXX - what about ENDT_HDLC and ENDT_NULL?
458  * Presumably, as ENDT_OTHER is just "Miscellaneous
459  * framing", there's not much we can do, as that
460  * doesn't specify a particular type of header.
461  */
463  "unknown data-link type %u", devparams.end_dev_type);
464  err = PCAP_ERROR;
465  goto bad;
466  }
467  /* set truncation */
468  if (p->linktype == DLT_FDDI) {
469  p->fddipad = PCAP_FDDIPAD;
470 
471  /* packetfilter includes the padding in the snapshot */
472  p->snapshot += PCAP_FDDIPAD;
473  } else
474  p->fddipad = 0;
475  if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&p->snapshot) < 0) {
477  errno, "EIOCTRUNCATE");
478  err = PCAP_ERROR;
479  goto bad;
480  }
481  /* accept all packets */
482  memset(&Filter, 0, sizeof(Filter));
483  Filter.enf_Priority = 37; /* anything > 2 */
484  Filter.enf_FilterLen = 0; /* means "always true" */
485  if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
487  errno, "EIOCSETF");
488  err = PCAP_ERROR;
489  goto bad;
490  }
491 
492  if (p->opt.timeout != 0) {
493  struct timeval timeout;
494  timeout.tv_sec = p->opt.timeout / 1000;
495  timeout.tv_usec = (p->opt.timeout * 1000) % 1000000;
496  if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
498  errno, "EIOCSRTIMEOUT");
499  err = PCAP_ERROR;
500  goto bad;
501  }
502  }
503 
504  p->bufsize = BUFSPACE;
505  p->buffer = malloc(p->bufsize + p->offset);
506  if (p->buffer == NULL) {
508  errno, "malloc");
509  err = PCAP_ERROR;
510  goto bad;
511  }
512 
513  /*
514  * "select()" and "poll()" work on packetfilter devices.
515  */
516  p->selectable_fd = p->fd;
517 
518  p->read_op = pcap_read_pf;
521  p->setdirection_op = NULL; /* Not implemented. */
522  p->set_datalink_op = NULL; /* can't change data link type */
525  p->stats_op = pcap_stats_pf;
526 
527  return (0);
528  bad:
530  return (err);
531 }
532 
533 pcap_t *
534 pcap_create_interface(const char *device _U_, char *ebuf)
535 {
536  pcap_t *p;
537 
538  p = PCAP_CREATE_COMMON(ebuf, struct pcap_pf);
539  if (p == NULL)
540  return (NULL);
541 
543  return (p);
544 }
545 
546 /*
547  * XXX - is there an error from pfopen() that means "no such device"?
548  * Is there one that means "that device doesn't support pf"?
549  */
550 static int
551 can_be_bound(const char *name _U_)
552 {
553  return (1);
554 }
555 
556 static int
557 get_if_flags(const char *name _U_, bpf_u_int32 *flags _U_, char *errbuf _U_)
558 {
559  /*
560  * Nothing we can do other than mark loopback devices as "the
561  * connected/disconnected status doesn't apply".
562  *
563  * XXX - is there a way to find out whether an adapter has
564  * something plugged into it?
565  */
566  if (*flags & PCAP_IF_LOOPBACK) {
567  /*
568  * Loopback devices aren't wireless, and "connected"/
569  * "disconnected" doesn't apply to them.
570  */
572  return (0);
573  }
574  return (0);
575 }
576 
577 int
578 pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
579 {
580  return (pcap_findalldevs_interfaces(devlistp, errbuf, can_be_bound,
581  get_if_flags));
582 }
583 
584 static int
586 {
587  struct pcap_pf *pf = p->priv;
588  struct bpf_version bv;
589 
590  /*
591  * See if BIOCVERSION works. If not, we assume the kernel doesn't
592  * support BPF-style filters (it's not documented in the bpf(7)
593  * or packetfiler(7) man pages, but the code used to fail if
594  * BIOCSETF worked but BIOCVERSION didn't, and I've seen it do
595  * kernel filtering in DU 4.0, so presumably BIOCVERSION works
596  * there, at least).
597  */
598  if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) >= 0) {
599  /*
600  * OK, we have the version of the BPF interpreter;
601  * is it the same major version as us, and the same
602  * or better minor version?
603  */
604  if (bv.bv_major == BPF_MAJOR_VERSION &&
605  bv.bv_minor >= BPF_MINOR_VERSION) {
606  /*
607  * Yes. Try to install the filter.
608  */
609  if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
611  sizeof(p->errbuf), errno, "BIOCSETF");
612  return (-1);
613  }
614 
615  /*
616  * OK, that succeeded. We're doing filtering in
617  * the kernel. (We assume we don't have a
618  * userland filter installed - that'd require
619  * a previous version check to have failed but
620  * this one to succeed.)
621  *
622  * XXX - this message should be supplied to the
623  * application as a warning of some sort,
624  * except that if it's a GUI application, it's
625  * not clear that it should be displayed in
626  * a window to annoy the user.
627  */
628  fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
629  pf->filtering_in_kernel = 1;
630 
631  /*
632  * Discard any previously-received packets,
633  * as they might have passed whatever filter
634  * was formerly in effect, but might not pass
635  * this filter (BIOCSETF discards packets buffered
636  * in the kernel, so you can lose packets in any
637  * case).
638  */
639  p->cc = 0;
640  return (0);
641  }
642 
643  /*
644  * We can't use the kernel's BPF interpreter; don't give
645  * up, just log a message and be inefficient.
646  *
647  * XXX - this should really be supplied to the application
648  * as a warning of some sort.
649  */
650  fprintf(stderr,
651  "tcpdump: Requires BPF language %d.%d or higher; kernel is %d.%d\n",
652  BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
653  bv.bv_major, bv.bv_minor);
654  }
655 
656  /*
657  * We couldn't do filtering in the kernel; do it in userland.
658  */
659  if (install_bpf_program(p, fp) < 0)
660  return (-1);
661 
662  /*
663  * XXX - this message should be supplied by the application as
664  * a warning of some sort.
665  */
666  fprintf(stderr, "tcpdump: Filtering in user process\n");
667  pf->filtering_in_kernel = 0;
668  return (0);
669 }
670 
671 /*
672  * Libpcap version string.
673  */
674 const char *
676 {
677  return (PCAP_VERSION_STRING);
678 }
u_int bpf_u_int32
Definition: bpf.h:98
u_int pcap_filter(const struct bpf_insn *pc, const u_char *p, u_int wirelen, u_int buflen)
Definition: bpf_filter.c:391
#define DLT_IEEE802
Definition: dlt.h:68
#define DLT_EN10MB
Definition: dlt.h:63
#define DLT_SLIP
Definition: dlt.h:70
#define DLT_DOCSIS
Definition: dlt.h:465
#define DLT_PPP
Definition: dlt.h:71
#define DLT_FDDI
Definition: dlt.h:72
int pcap_findalldevs_interfaces(pcap_if_list_t *devlistp, char *errbuf, int(*check_usable)(const char *), get_if_flags_func get_flags_func)
Definition: fad-getad.c:146
void pcap_fmt_errmsg_for_errno(char *errbuf, size_t errbuflen, int errnum, const char *fmt,...)
Definition: fmtutils.c:269
int install_bpf_program(pcap_t *p, struct bpf_program *fp)
Definition: optimize.c:2939
int snprintf(char *, size_t, const char *,...)
int pfopen(char *, int)
int ioctl(int, int, caddr_t)
off_t lseek(int, off_t, int)
int read(int, char *, u_int)
int write(int, char *, u_int)
#define _U_
Definition: pcap-dos.h:93
int errno
#define MAXIMUM_SNAPLEN
Definition: pcap-int.h:131
#define PACKET_COUNT_IS_UNLIMITED(count)
Definition: pcap-int.h:444
void pcap_cleanup_live_common(pcap_t *)
Definition: pcap.c:3987
int pcap_getnonblock_fd(pcap_t *)
Definition: pcap.c:3537
int pcap_setnonblock_fd(pcap_t *p, int)
Definition: pcap.c:3583
#define PCAP_VERSION_STRING
Definition: pcap-int.h:59
#define PCAP_CREATE_COMMON(ebuf, type)
Definition: pcap-int.h:474
static int get_if_flags(const char *name, bpf_u_int32 *flags, char *errbuf)
Definition: pcap-pf.c:557
#define PCAP_FDDIPAD
Definition: pcap-pf.c:74
static int pcap_inject_pf(pcap_t *p, const void *buf, int size)
Definition: pcap-pf.c:224
const char * pcap_lib_version(void)
Definition: pcap-pf.c:675
int pcap_platform_finddevs(pcap_if_list_t *devlistp, char *errbuf)
Definition: pcap-pf.c:578
static int pcap_read_pf(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
Definition: pcap-pf.c:100
static int pcap_stats_pf(pcap_t *p, struct pcap_stat *ps)
Definition: pcap-pf.c:238
pcap_t * pcap_create_interface(const char *device, char *ebuf)
Definition: pcap-pf.c:534
static int can_be_bound(const char *name)
Definition: pcap-pf.c:551
static int pcap_activate_pf(pcap_t *p)
Definition: pcap-pf.c:293
#define ENDT_FDDI
static int pcap_setfilter_pf(pcap_t *, struct bpf_program *)
Definition: pcap-pf.c:585
#define BUFSPACE
Definition: pcap-pf.c:97
#define PCAP_ERROR_PERM_DENIED
Definition: pcap.h:346
#define PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE
Definition: pcap.h:317
#define PCAP_IF_LOOPBACK
Definition: pcap.h:309
void(* pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *)
Definition: pcap.h:330
#define PCAP_ERRBUF_SIZE
Definition: pcap.h:152
#define PCAP_ERROR
Definition: pcap.h:339
struct bpf_insn * bf_insns
Definition: bpf.h:119
int timeout
Definition: pcap-int.h:147
char * device
Definition: pcap-int.h:146
int immediate
Definition: pcap-int.h:151
int promisc
Definition: pcap-int.h:149
u_long TotPkts
Definition: pcap-pf.c:82
u_long TotDrops
Definition: pcap-pf.c:84
long TotMissed
Definition: pcap-pf.c:85
u_long TotAccepted
Definition: pcap-pf.c:83
int filtering_in_kernel
Definition: pcap-pf.c:81
long OrigMissed
Definition: pcap-pf.c:86
bpf_u_int32 caplen
Definition: pcap.h:247
struct timeval ts
Definition: pcap.h:246
bpf_u_int32 len
Definition: pcap.h:248
u_int ps_drop
Definition: pcap.h:256
u_int ps_recv
Definition: pcap.h:255
u_int ps_ifdrop
Definition: pcap.h:257
Definition: pcap-int.h:200
stats_op_t stats_op
Definition: pcap-int.h:320
activate_op_t activate_op
Definition: pcap-int.h:311
setnonblock_op_t setnonblock_op
Definition: pcap-int.h:319
setfilter_op_t setfilter_op
Definition: pcap-int.h:315
sig_atomic_t break_loop
Definition: pcap-int.h:225
int dlt_count
Definition: pcap-int.h:299
u_int fddipad
Definition: pcap-int.h:235
u_int bufsize
Definition: pcap-int.h:220
void * priv
Definition: pcap-int.h:227
getnonblock_op_t getnonblock_op
Definition: pcap-int.h:318
int offset
Definition: pcap-int.h:250
u_int * dlt_list
Definition: pcap-int.h:300
read_op_t read_op
Definition: pcap-int.h:204
void * buffer
Definition: pcap-int.h:221
u_char * bp
Definition: pcap-int.h:222
int snapshot
Definition: pcap-int.h:247
setdirection_op_t setdirection_op
Definition: pcap-int.h:316
inject_op_t inject_op
Definition: pcap-int.h:313
int cc
Definition: pcap-int.h:223
struct bpf_program fcode
Definition: pcap-int.h:293
set_datalink_op_t set_datalink_op
Definition: pcap-int.h:317
char errbuf[256+1]
Definition: pcap-int.h:295
int linktype
Definition: pcap-int.h:248
int selectable_fd
Definition: pcap-int.h:274
int fd
Definition: pcap-int.h:214
struct pcap_opt opt
Definition: pcap-int.h:254