libpcap  1.10.1
About: libpcap is a packet filter library used by tools like tcpdump.
  Fossies Dox: libpcap-1.10.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

pcap-rpcap.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3  * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  * notice, this list of conditions and the following disclaimer in the
14  * documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16  * nor the names of its contributors may be used to endorse or promote
17  * products derived from this software without specific prior written
18  * permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  *
32  */
33 
34 #ifdef HAVE_CONFIG_H
35 #include <config.h>
36 #endif
37 
38 #include "ftmacros.h"
39 
40 #include <string.h> /* for strlen(), ... */
41 #include <stdlib.h> /* for malloc(), free(), ... */
42 #include <stdarg.h> /* for functions with variable number of arguments */
43 #include <errno.h> /* for the errno variable */
44 #include "sockutils.h"
45 #include "pcap-int.h"
46 #include "rpcap-protocol.h"
47 #include "pcap-rpcap.h"
48 
49 #ifdef _WIN32
50 #include "charconv.h" /* for utf_8_to_acp_truncated() */
51 #endif
52 
53 #ifdef HAVE_OPENSSL
54 #include "sslutils.h"
55 #endif
56 
57 /*
58  * This file contains the pcap module for capturing from a remote machine's
59  * interfaces using the RPCAP protocol.
60  *
61  * WARNING: All the RPCAP functions that are allowed to return a buffer
62  * containing the error description can return max PCAP_ERRBUF_SIZE characters.
63  * However there is no guarantees that the string will be zero-terminated.
64  * Best practice is to define the errbuf variable as a char of size
65  * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
66  * of the buffer. This will guarantee that no buffer overflows occur even
67  * if we use the printf() to show the error on the screen.
68  *
69  * XXX - actually, null-terminating the error string is part of the
70  * contract for the pcap API; if there's any place in the pcap code
71  * that doesn't guarantee null-termination, even at the expense of
72  * cutting the message short, that's a bug and needs to be fixed.
73  */
74 
75 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
76 #ifdef _WIN32
77 #define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
78 #endif
79 
80 /*
81  * \brief Keeps a list of all the opened connections in the active mode.
82  *
83  * This structure defines a linked list of items that are needed to keep the info required to
84  * manage the active mode.
85  * In other words, when a new connection in active mode starts, this structure is updated so that
86  * it reflects the list of active mode connections currently opened.
87  * This structure is required by findalldevs() and open_remote() to see if they have to open a new
88  * control connection toward the host, or they already have a control connection in place.
89  */
91 {
92  struct sockaddr_storage host;
94  SSL *ssl;
96  struct activehosts *next;
97 };
98 
99 /* Keeps a list of all the opened connections in the active mode. */
100 static struct activehosts *activeHosts;
101 
102 /*
103  * Keeps the main socket identifier when we want to accept a new remote
104  * connection (active mode only).
105  * See the documentation of pcap_remoteact_accept() and
106  * pcap_remoteact_cleanup() for more details.
107  */
109 static SSL *ssl_main;
110 
111 /*
112  * Private data for capturing remotely using the rpcap protocol.
113  */
114 struct pcap_rpcap {
115  /*
116  * This is '1' if we're the network client; it is needed by several
117  * functions (such as pcap_setfilter()) to know whether they have
118  * to use the socket or have to open the local adapter.
119  */
121 
122  SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */
123  SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */
124  SSL *ctrl_ssl, *data_ssl; /* optional transport of rmt_sockctrl and rmt_sockdata via TLS */
125  int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
126  int rmt_capstarted; /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */
127  char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
128 
129  uint8 protocol_version; /* negotiated protocol version */
130  uint8 uses_ssl; /* User asked for rpcaps scheme */
131 
132  unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */
133 
134  /*
135  * This keeps the number of packets that have been received by the
136  * application.
137  *
138  * Packets dropped by the kernel buffer are not counted in this
139  * variable. It is always equal to (TotAccepted - TotDrops),
140  * except for the case of remote capture, in which we have also
141  * packets in flight, i.e. that have been transmitted by the remote
142  * host, but that have not been received (yet) from the client.
143  * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
144  * wrong result, since this number does not corresponds always to
145  * the number of packet received by the application. For this reason,
146  * in the remote capture we need another variable that takes into
147  * account of the number of packets actually received by the
148  * application.
149  */
150  unsigned int TotCapt;
151 
152  struct pcap_stat stat;
153  /* XXX */
154  struct pcap *next; /* list of open pcaps that need stuff cleared on close */
155 };
156 
157 /****************************************************
158  * *
159  * Locally defined functions *
160  * *
161  ****************************************************/
162 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
163 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
164 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
165 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
166 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
167 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
168 static int pcap_setsampling_remote(pcap_t *fp);
169 static int pcap_startcapture_remote(pcap_t *fp);
170 static int rpcap_recv_msg_header(SOCKET sock, SSL *, struct rpcap_header *header, char *errbuf);
171 static int rpcap_check_msg_ver(SOCKET sock, SSL *, uint8 expected_ver, struct rpcap_header *header, char *errbuf);
172 static int rpcap_check_msg_type(SOCKET sock, SSL *, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf);
173 static int rpcap_process_msg_header(SOCKET sock, SSL *, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf);
174 static int rpcap_recv(SOCKET sock, SSL *, void *buffer, size_t toread, uint32 *plen, char *errbuf);
175 static void rpcap_msg_err(SOCKET sockctrl, SSL *, uint32 plen, char *remote_errbuf);
176 static int rpcap_discard(SOCKET sock, SSL *, uint32 len, char *errbuf);
177 static int rpcap_read_packet_msg(struct pcap_rpcap const *, pcap_t *p, size_t size);
178 
179 /****************************************************
180  * *
181  * Function bodies *
182  * *
183  ****************************************************/
184 
185 /*
186  * This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
187  * structure from the network byte order to a 'sockaddr_in" or
188  * 'sockaddr_in6' structure in the host byte order.
189  *
190  * It accepts an 'rpcap_sockaddr' structure as it is received from the
191  * network, and checks the address family field against various values
192  * to see whether it looks like an IPv4 address, an IPv6 address, or
193  * neither of those. It checks for multiple values in order to try
194  * to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
195  * or 'sockaddr_in6' structures over the wire with some members
196  * byte-swapped, and to handle the fact that AF_INET6 has different
197  * values on different OSes.
198  *
199  * For IPv4 addresses, it converts the address family to host byte
200  * order from network byte order and puts it into the structure,
201  * sets the length if a sockaddr structure has a length, converts the
202  * port number to host byte order from network byte order and puts
203  * it into the structure, copies over the IPv4 address, and zeroes
204  * out the zero padding.
205  *
206  * For IPv6 addresses, it converts the address family to host byte
207  * order from network byte order and puts it into the structure,
208  * sets the length if a sockaddr structure has a length, converts the
209  * port number and flow information to host byte order from network
210  * byte order and puts them into the structure, copies over the IPv6
211  * address, and converts the scope ID to host byte order from network
212  * byte order and puts it into the structure.
213  *
214  * The function will allocate the 'sockaddrout' variable according to the
215  * address family in use. In case the address does not belong to the
216  * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
217  * NULL pointer is returned. This usually happens because that address
218  * does not exist on the other host, or is of an address family other
219  * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
220  * structure containing all 'zero' values.
221  *
222  * Older RPCAPDs sent the addresses over the wire in the OS's native
223  * structure format. For most OSes, this looks like the over-the-wire
224  * format, but might have a different value for AF_INET6 than the value
225  * on the machine receiving the reply. For OSes with the newer BSD-style
226  * sockaddr structures, this has, instead of a 2-byte address family,
227  * a 1-byte structure length followed by a 1-byte address family. The
228  * RPCAPD code would put the address family in network byte order before
229  * sending it; that would set it to 0 on a little-endian machine, as
230  * htons() of any value between 1 and 255 would result in a value > 255,
231  * with its lower 8 bits zero, so putting that back into a 1-byte field
232  * would set it to 0.
233  *
234  * Therefore, for older RPCAPDs running on an OS with newer BSD-style
235  * sockaddr structures, the family field, if treated as a big-endian
236  * (network byte order) 16-bit field, would be:
237  *
238  * (length << 8) | family if sent by a big-endian machine
239  * (length << 8) if sent by a little-endian machine
240  *
241  * For current RPCAPDs, and for older RPCAPDs running on an OS with
242  * older BSD-style sockaddr structures, the family field, if treated
243  * as a big-endian 16-bit field, would just contain the family.
244  *
245  * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
246  * to be de-serialized.
247  *
248  * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
249  * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
250  * This variable will be allocated automatically inside this function.
251  *
252  * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
253  * that will contain the error message (in case there is one).
254  *
255  * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
256  * can be only the fact that the malloc() failed to allocate memory.
257  * The error message is returned in the 'errbuf' variable, while the deserialized address
258  * is returned into the 'sockaddrout' variable.
259  *
260  * \warning This function supports only AF_INET and AF_INET6 address families.
261  *
262  * \warning The sockaddrout (if not NULL) must be deallocated by the user.
263  */
264 
265 /*
266  * Possible IPv4 family values other than the designated over-the-wire value,
267  * which is 2 (because everybody uses 2 for AF_INET4).
268  */
269 #define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */
270 #define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */
271 #define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2)
272 #define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8)
273 
274 /*
275  * Possible IPv6 family values other than the designated over-the-wire value,
276  * which is 23 (because that's what Windows uses, and most RPCAP servers
277  * out there are probably running Windows, as WinPcap includes the server
278  * but few if any UN*Xes build and ship it).
279  *
280  * The new BSD sockaddr structure format was in place before 4.4-Lite, so
281  * all the free-software BSDs use it.
282  */
283 #define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */
284 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */
285 #define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */
286 #define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8)
287 #define LINUX_AF_INET6 10
288 #define HPUX_AF_INET6 22
289 #define AIX_AF_INET6 24
290 #define SOLARIS_AF_INET6 26
291 
292 static int
293 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
294 {
295  /* Warning: we support only AF_INET and AF_INET6 */
296  switch (ntohs(sockaddrin->family))
297  {
298  case RPCAP_AF_INET:
299  case NEW_BSD_AF_INET_BE:
300  case NEW_BSD_AF_INET_LE:
301  {
302  struct rpcap_sockaddr_in *sockaddrin_ipv4;
303  struct sockaddr_in *sockaddrout_ipv4;
304 
305  (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in));
306  if ((*sockaddrout) == NULL)
307  {
309  errno, "malloc() failed");
310  return -1;
311  }
312  sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
313  sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
314  sockaddrout_ipv4->sin_family = AF_INET;
315  sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
316  memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
317  memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
318  break;
319  }
320 
321 #ifdef AF_INET6
322  case RPCAP_AF_INET6:
326  case NEW_BSD_AF_INET6_LE:
327  case LINUX_AF_INET6:
328  case HPUX_AF_INET6:
329  case AIX_AF_INET6:
330  case SOLARIS_AF_INET6:
331  {
332  struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
333  struct sockaddr_in6 *sockaddrout_ipv6;
334 
335  (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6));
336  if ((*sockaddrout) == NULL)
337  {
339  errno, "malloc() failed");
340  return -1;
341  }
342  sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
343  sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
344  sockaddrout_ipv6->sin6_family = AF_INET6;
345  sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
346  sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
347  memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
348  sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
349  break;
350  }
351 #endif
352 
353  default:
354  /*
355  * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
356  * support AF_INET6, it's not AF_INET).
357  */
358  *sockaddrout = NULL;
359  break;
360  }
361  return 0;
362 }
363 
364 /*
365  * This function reads a packet from the network socket. It does not
366  * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
367  * the "nocb" string into its name).
368  *
369  * This function is called by pcap_read_rpcap().
370  *
371  * WARNING: By choice, this function does not make use of semaphores. A smarter
372  * implementation should put a semaphore into the data thread, and a signal will
373  * be raised as soon as there is data into the socket buffer.
374  * However this is complicated and it does not bring any advantages when reading
375  * from the network, in which network delays can be much more important than
376  * these optimizations. Therefore, we chose the following approach:
377  * - the 'timeout' chosen by the user is split in two (half on the server side,
378  * with the usual meaning, and half on the client side)
379  * - this function checks for packets; if there are no packets, it waits for
380  * timeout/2 and then it checks again. If packets are still missing, it returns,
381  * otherwise it reads packets.
382  */
383 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
384 {
385  struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
386  struct rpcap_header *header; /* general header according to the RPCAP format */
387  struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */
388  u_char *net_pkt_data; /* packet data from the message */
389  uint32 plen;
390  int retval = 0; /* generic return value */
391  int msglen;
392 
393  /* Structures needed for the select() call */
394  struct timeval tv; /* maximum time the select() can block waiting for data */
395  fd_set rfds; /* set of socket descriptors we have to check */
396 
397  /*
398  * Define the packet buffer timeout, to be used in the select()
399  * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
400  */
401  tv.tv_sec = p->opt.timeout / 1000;
402  tv.tv_usec = (suseconds_t)((p->opt.timeout - tv.tv_sec * 1000) * 1000);
403 
404 #ifdef HAVE_OPENSSL
405  /* Check if we still have bytes available in the last decoded TLS record.
406  * If that's the case, we know SSL_read will not block. */
407  retval = pr->data_ssl && SSL_pending(pr->data_ssl) > 0;
408 #endif
409  if (! retval)
410  {
411  /* Watch out sockdata to see if it has input */
412  FD_ZERO(&rfds);
413 
414  /*
415  * 'fp->rmt_sockdata' has always to be set before calling the select(),
416  * since it is cleared by the select()
417  */
418  FD_SET(pr->rmt_sockdata, &rfds);
419 
420 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
421  retval = 1;
422 #else
423  retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
424 #endif
425 
426  if (retval == -1)
427  {
428 #ifndef _WIN32
429  if (errno == EINTR)
430  {
431  /* Interrupted. */
432  return 0;
433  }
434 #endif
435  sock_geterror("select()", p->errbuf, PCAP_ERRBUF_SIZE);
436  return -1;
437  }
438  }
439 
440  /* There is no data waiting, so return '0' */
441  if (retval == 0)
442  return 0;
443 
444  /*
445  * We have to define 'header' as a pointer to a larger buffer,
446  * because in case of UDP we have to read all the message within a single call
447  */
448  header = (struct rpcap_header *) p->buffer;
449  net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
450  net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
451 
453  {
454  /* Read the entire message from the network */
455  msglen = sock_recv_dgram(pr->rmt_sockdata, pr->data_ssl, p->buffer,
457  if (msglen == -1)
458  {
459  /* Network error. */
460  return -1;
461  }
462  if (msglen == -3)
463  {
464  /* Interrupted receive. */
465  return 0;
466  }
467  if ((size_t)msglen < sizeof(struct rpcap_header))
468  {
469  /*
470  * Message is shorter than an rpcap header.
471  */
473  "UDP packet message is shorter than an rpcap header");
474  return -1;
475  }
476  plen = ntohl(header->plen);
477  if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
478  {
479  /*
480  * Message is shorter than the header claims it
481  * is.
482  */
484  "UDP packet message is shorter than its rpcap header claims");
485  return -1;
486  }
487  }
488  else
489  {
490  int status;
491 
492  if ((size_t)p->cc < sizeof(struct rpcap_header))
493  {
494  /*
495  * We haven't read any of the packet header yet.
496  * The size we should get is the size of the
497  * packet header.
498  */
499  status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header));
500  if (status == -1)
501  {
502  /* Network error. */
503  return -1;
504  }
505  if (status == -3)
506  {
507  /* Interrupted receive. */
508  return 0;
509  }
510  }
511 
512  /*
513  * We have the header, so we know how long the
514  * message payload is. The size we should get
515  * is the size of the packet header plus the
516  * size of the payload.
517  */
518  plen = ntohl(header->plen);
519  if (plen > p->bufsize - sizeof(struct rpcap_header))
520  {
521  /*
522  * This is bigger than the largest
523  * record we'd expect. (We do it by
524  * subtracting in order to avoid an
525  * overflow.)
526  */
528  "Server sent us a message larger than the largest expected packet message");
529  return -1;
530  }
531  status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header) + plen);
532  if (status == -1)
533  {
534  /* Network error. */
535  return -1;
536  }
537  if (status == -3)
538  {
539  /* Interrupted receive. */
540  return 0;
541  }
542 
543  /*
544  * We have the entire message; reset the buffer pointer
545  * and count, as the next read should start a new
546  * message.
547  */
548  p->bp = p->buffer;
549  p->cc = 0;
550  }
551 
552  /*
553  * We have the entire message.
554  */
555  header->plen = plen;
556 
557  /*
558  * Did the server specify the version we negotiated?
559  */
561  header, p->errbuf) == -1)
562  {
563  return 0; /* Return 'no packets received' */
564  }
565 
566  /*
567  * Is this a RPCAP_MSG_PACKET message?
568  */
569  if (header->type != RPCAP_MSG_PACKET)
570  {
571  return 0; /* Return 'no packets received' */
572  }
573 
574  if (ntohl(net_pkt_header->caplen) > plen)
575  {
577  "Packet's captured data goes past the end of the received packet message.");
578  return -1;
579  }
580 
581  /* Fill in packet header */
582  pkt_header->caplen = ntohl(net_pkt_header->caplen);
583  pkt_header->len = ntohl(net_pkt_header->len);
584  pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
585  pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
586 
587  /* Supply a pointer to the beginning of the packet data */
588  *pkt_data = net_pkt_data;
589 
590  /*
591  * I don't update the counter of the packets dropped by the network since we're using TCP,
592  * therefore no packets are dropped. Just update the number of packets received correctly
593  */
594  pr->TotCapt++;
595 
597  {
598  unsigned int npkt;
599 
600  /* We're using UDP, so we need to update the counter of the packets dropped by the network */
601  npkt = ntohl(net_pkt_header->npkt);
602 
603  if (pr->TotCapt != npkt)
604  {
605  pr->TotNetDrops += (npkt - pr->TotCapt);
606  pr->TotCapt = npkt;
607  }
608  }
609 
610  /* Packet read successfully */
611  return 1;
612 }
613 
614 /*
615  * This function reads a packet from the network socket.
616  *
617  * This function relies on the pcap_read_nocb_remote to deliver packets. The
618  * difference, here, is that as soon as a packet is read, it is delivered
619  * to the application by means of a callback function.
620  */
621 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
622 {
623  struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
624  struct pcap_pkthdr pkt_header;
625  u_char *pkt_data;
626  int n = 0;
627  int ret;
628 
629  /*
630  * If this is client-side, and we haven't already started
631  * the capture, start it now.
632  */
633  if (pr->rmt_clientside)
634  {
635  /* We are on an remote capture */
636  if (!pr->rmt_capstarted)
637  {
638  /*
639  * The capture isn't started yet, so try to
640  * start it.
641  */
643  return -1;
644  }
645  }
646 
647  while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
648  {
649  /*
650  * Has "pcap_breakloop()" been called?
651  */
652  if (p->break_loop) {
653  /*
654  * Yes - clear the flag that indicates that it
655  * has, and return PCAP_ERROR_BREAK to indicate
656  * that we were told to break out of the loop.
657  */
658  p->break_loop = 0;
659  return (PCAP_ERROR_BREAK);
660  }
661 
662  /*
663  * Read some packets.
664  */
665  ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
666  if (ret == 1)
667  {
668  /*
669  * We got a packet. Hand it to the callback
670  * and count it so we can return the count.
671  */
672  (*callback)(user, &pkt_header, pkt_data);
673  n++;
674  }
675  else if (ret == -1)
676  {
677  /* Error. */
678  return ret;
679  }
680  else
681  {
682  /*
683  * No packet; this could mean that we timed
684  * out, or that we got interrupted, or that
685  * we got a bad packet.
686  *
687  * Were we told to break out of the loop?
688  */
689  if (p->break_loop) {
690  /*
691  * Yes.
692  */
693  p->break_loop = 0;
694  return (PCAP_ERROR_BREAK);
695  }
696  /* No - return the number of packets we've processed. */
697  return n;
698  }
699  }
700  return n;
701 }
702 
703 /*
704  * This function sends a CLOSE command to the capture server if we're in
705  * passive mode and an ENDCAP command to the capture server if we're in
706  * active mode.
707  *
708  * It is called when the user calls pcap_close(). It sends a command
709  * to our peer that says 'ok, let's stop capturing'.
710  *
711  * WARNING: Since we're closing the connection, we do not check for errors.
712  */
713 static void pcap_cleanup_rpcap(pcap_t *fp)
714 {
715  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
716  struct rpcap_header header; /* header of the RPCAP packet */
717  struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
718  int active = 0; /* active mode or not? */
719 
720  /* detect if we're in active mode */
721  temp = activeHosts;
722  while (temp)
723  {
724  if (temp->sockctrl == pr->rmt_sockctrl)
725  {
726  active = 1;
727  break;
728  }
729  temp = temp->next;
730  }
731 
732  if (!active)
733  {
734  rpcap_createhdr(&header, pr->protocol_version,
735  RPCAP_MSG_CLOSE, 0, 0);
736 
737  /*
738  * Send the close request; don't report any errors, as
739  * we're closing this pcap_t, and have no place to report
740  * the error. No reply is sent to this message.
741  */
742  (void)sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
743  sizeof(struct rpcap_header), NULL, 0);
744  }
745  else
746  {
747  rpcap_createhdr(&header, pr->protocol_version,
748  RPCAP_MSG_ENDCAP_REQ, 0, 0);
749 
750  /*
751  * Send the end capture request; don't report any errors,
752  * as we're closing this pcap_t, and have no place to
753  * report the error.
754  */
755  if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
756  sizeof(struct rpcap_header), NULL, 0) == 0)
757  {
758  /*
759  * Wait for the answer; don't report any errors,
760  * as we're closing this pcap_t, and have no
761  * place to report the error.
762  */
765  &header, NULL) == 0)
766  {
767  (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl,
768  header.plen, NULL);
769  }
770  }
771  }
772 
773  if (pr->rmt_sockdata)
774  {
775 #ifdef HAVE_OPENSSL
776  if (pr->data_ssl)
777  {
778  // Finish using the SSL handle for the data socket.
779  // This must be done *before* the socket is closed.
780  ssl_finish(pr->data_ssl);
781  pr->data_ssl = NULL;
782  }
783 #endif
784  sock_close(pr->rmt_sockdata, NULL, 0);
785  pr->rmt_sockdata = 0;
786  }
787 
788  if ((!active) && (pr->rmt_sockctrl))
789  {
790 #ifdef HAVE_OPENSSL
791  if (pr->ctrl_ssl)
792  {
793  // Finish using the SSL handle for the control socket.
794  // This must be done *before* the socket is closed.
795  ssl_finish(pr->ctrl_ssl);
796  pr->ctrl_ssl = NULL;
797  }
798 #endif
799  sock_close(pr->rmt_sockctrl, NULL, 0);
800  }
801 
802  pr->rmt_sockctrl = 0;
803  pr->ctrl_ssl = NULL;
804 
805  if (pr->currentfilter)
806  {
807  free(pr->currentfilter);
808  pr->currentfilter = NULL;
809  }
810 
812 
813  /* To avoid inconsistencies in the number of sock_init() */
814  sock_cleanup();
815 }
816 
817 /*
818  * This function retrieves network statistics from our peer;
819  * it provides only the standard statistics.
820  */
821 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
822 {
823  struct pcap_stat *retval;
824 
825  retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
826 
827  if (retval)
828  return 0;
829  else
830  return -1;
831 }
832 
833 #ifdef _WIN32
834 /*
835  * This function retrieves network statistics from our peer;
836  * it provides the additional statistics supported by pcap_stats_ex().
837  */
838 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
839 {
840  *pcap_stat_size = sizeof (p->stat);
841 
842  /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
843  return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
844 }
845 #endif
846 
847 /*
848  * This function retrieves network statistics from our peer. It
849  * is used by the two previous functions.
850  *
851  * It can be called in two modes:
852  * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
853  * for pcap_stats())
854  * - PCAP_STATS_EX: if we want extended statistics (i.e., for
855  * pcap_stats_ex())
856  *
857  * This 'mode' parameter is needed because in pcap_stats() the variable that
858  * keeps the statistics is allocated by the user. On Windows, this structure
859  * has been extended in order to keep new stats. However, if the user has a
860  * smaller structure and it passes it to pcap_stats(), this function will
861  * try to fill in more data than the size of the structure, so that memory
862  * after the structure will be overwritten.
863  *
864  * So, we need to know it we have to copy just the standard fields, or the
865  * extended fields as well.
866  *
867  * In case we want to copy the extended fields as well, the problem of
868  * memory overflow no longer exists because the structure that's filled
869  * in is part of the pcap_t, so that it can be guaranteed to be large
870  * enough for the additional statistics.
871  *
872  * \param p: the pcap_t structure related to the current instance.
873  *
874  * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
875  * with pcap_stat(), where the structure is allocated by the user. In case
876  * of pcap_stats_ex(), this structure and the function return value point
877  * to the same variable.
878  *
879  * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
880  *
881  * \return The structure that keeps the statistics, or NULL in case of error.
882  * The error string is placed in the pcap_t structure.
883  */
884 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
885 {
886  struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
887  struct rpcap_header header; /* header of the RPCAP packet */
888  struct rpcap_stats netstats; /* statistics sent on the network */
889  uint32 plen; /* data remaining in the message */
890 
891 #ifdef _WIN32
892  if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
893 #else
894  if (mode != PCAP_STATS_STANDARD)
895 #endif
896  {
898  "Invalid stats mode %d", mode);
899  return NULL;
900  }
901 
902  /*
903  * If the capture has not yet started, we cannot request statistics
904  * for the capture from our peer, so we return 0 for all statistics,
905  * as nothing's been seen yet.
906  */
907  if (!pr->rmt_capstarted)
908  {
909  ps->ps_drop = 0;
910  ps->ps_ifdrop = 0;
911  ps->ps_recv = 0;
912 #ifdef _WIN32
913  if (mode == PCAP_STATS_EX)
914  {
915  ps->ps_capt = 0;
916  ps->ps_sent = 0;
917  ps->ps_netdrop = 0;
918  }
919 #endif /* _WIN32 */
920 
921  return ps;
922  }
923 
924  rpcap_createhdr(&header, pr->protocol_version,
925  RPCAP_MSG_STATS_REQ, 0, 0);
926 
927  /* Send the PCAP_STATS command */
928  if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
929  sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
930  return NULL; /* Unrecoverable network error */
931 
932  /* Receive and process the reply message header. */
934  RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
935  return NULL; /* Error */
936 
937  plen = header.plen;
938 
939  /* Read the reply body */
940  if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&netstats,
941  sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
942  goto error;
943 
944  ps->ps_drop = ntohl(netstats.krnldrop);
945  ps->ps_ifdrop = ntohl(netstats.ifdrop);
946  ps->ps_recv = ntohl(netstats.ifrecv);
947 #ifdef _WIN32
948  if (mode == PCAP_STATS_EX)
949  {
950  ps->ps_capt = pr->TotCapt;
951  ps->ps_netdrop = pr->TotNetDrops;
952  ps->ps_sent = ntohl(netstats.svrcapt);
953  }
954 #endif /* _WIN32 */
955 
956  /* Discard the rest of the message. */
957  if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, p->errbuf) == -1)
958  goto error_nodiscard;
959 
960  return ps;
961 
962 error:
963  /*
964  * Discard the rest of the message.
965  * We already reported an error; if this gets an error, just
966  * drive on.
967  */
968  (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
969 
970 error_nodiscard:
971  return NULL;
972 }
973 
974 /*
975  * This function returns the entry in the list of active hosts for this
976  * active connection (active mode only), or NULL if there is no
977  * active connection or an error occurred. It is just for internal
978  * use.
979  *
980  * \param host: a string that keeps the host name of the host for which we
981  * want to get the socket ID for that active connection.
982  *
983  * \param error: a pointer to an int that is set to 1 if an error occurred
984  * and 0 otherwise.
985  *
986  * \param errbuf: a pointer to a user-allocated buffer (of size
987  * PCAP_ERRBUF_SIZE) that will contain the error message (in case
988  * there is one).
989  *
990  * \return the entry for this host in the list of active connections
991  * if found, NULL if it's not found or there's an error.
992  */
993 static struct activehosts *
994 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
995 {
996  struct activehosts *temp; /* temp var needed to scan the host list chain */
997  struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
998  int retval;
999 
1000  /* retrieve the network address corresponding to 'host' */
1001  addrinfo = NULL;
1002  memset(&hints, 0, sizeof(struct addrinfo));
1003  hints.ai_family = PF_UNSPEC;
1004  hints.ai_socktype = SOCK_STREAM;
1005 
1006  retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
1008  if (retval != 0)
1009  {
1010  *error = 1;
1011  return NULL;
1012  }
1013 
1014  temp = activeHosts;
1015 
1016  while (temp)
1017  {
1018  ai_next = addrinfo;
1019  while (ai_next)
1020  {
1021  if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
1022  {
1023  *error = 0;
1024  freeaddrinfo(addrinfo);
1025  return temp;
1026  }
1027 
1028  ai_next = ai_next->ai_next;
1029  }
1030  temp = temp->next;
1031  }
1032 
1033  if (addrinfo)
1034  freeaddrinfo(addrinfo);
1035 
1036  /*
1037  * The host for which you want to get the socket ID does not have an
1038  * active connection.
1039  */
1040  *error = 0;
1041  return NULL;
1042 }
1043 
1044 /*
1045  * This function starts a remote capture.
1046  *
1047  * This function is required since the RPCAP protocol decouples the 'open'
1048  * from the 'start capture' functions.
1049  * This function takes all the parameters needed (which have been stored
1050  * into the pcap_t structure) and sends them to the server.
1051  *
1052  * \param fp: the pcap_t descriptor of the device currently open.
1053  *
1054  * \return '0' if everything is fine, '-1' otherwise. The error message
1055  * (if one) is returned into the 'errbuf' field of the pcap_t structure.
1056  */
1058 {
1059  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1060  char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1061  int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1062  char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the data connection */
1063  uint32 plen;
1064  int active = 0; /* '1' if we're in active mode */
1065  struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
1066  char host[INET6_ADDRSTRLEN + 1]; /* numeric name of the other host */
1067 
1068  /* socket-related variables*/
1069  struct addrinfo hints; /* temp, needed to open a socket connection */
1070  struct addrinfo *addrinfo; /* temp, needed to open a socket connection */
1071  SOCKET sockdata = 0; /* socket descriptor of the data connection */
1072  struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1073  socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1074  int ai_family; /* temp, keeps the address family used by the control connection */
1075 
1076  /* RPCAP-related variables*/
1077  struct rpcap_header header; /* header of the RPCAP packet */
1078  struct rpcap_startcapreq *startcapreq; /* start capture request message */
1079  struct rpcap_startcapreply startcapreply; /* start capture reply message */
1080 
1081  /* Variables related to the buffer setting */
1082  int res;
1083  socklen_t itemp;
1084  int sockbufsize = 0;
1085  uint32 server_sockbufsize;
1086 
1087  // Take the opportunity to clear pr->data_ssl before any goto error,
1088  // as it seems pr->priv is not zeroed after its malloced.
1089  pr->data_ssl = NULL;
1090 
1091  /*
1092  * Let's check if sampling has been required.
1093  * If so, let's set it first
1094  */
1095  if (pcap_setsampling_remote(fp) != 0)
1096  return -1;
1097 
1098  /* detect if we're in active mode */
1099  temp = activeHosts;
1100  while (temp)
1101  {
1102  if (temp->sockctrl == pr->rmt_sockctrl)
1103  {
1104  active = 1;
1105  break;
1106  }
1107  temp = temp->next;
1108  }
1109 
1110  addrinfo = NULL;
1111 
1112  /*
1113  * Gets the complete sockaddr structure used in the ctrl connection
1114  * This is needed to get the address family of the control socket
1115  * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
1116  * since the ctrl socket can already be open in case of active mode;
1117  * so I would have to call getpeername() anyway
1118  */
1119  saddrlen = sizeof(struct sockaddr_storage);
1120  if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1121  {
1122  sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1123  goto error_nodiscard;
1124  }
1125  ai_family = ((struct sockaddr_storage *) &saddr)->ss_family;
1126 
1127  /* Get the numeric address of the remote host we are connected to */
1128  if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host,
1129  sizeof(host), NULL, 0, NI_NUMERICHOST))
1130  {
1131  sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1132  goto error_nodiscard;
1133  }
1134 
1135  /*
1136  * Data connection is opened by the server toward the client if:
1137  * - we're using TCP, and the user wants us to be in active mode
1138  * - we're using UDP
1139  */
1140  if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1141  {
1142  /*
1143  * We have to create a new socket to receive packets
1144  * We have to do that immediately, since we have to tell the other
1145  * end which network port we picked up
1146  */
1147  memset(&hints, 0, sizeof(struct addrinfo));
1148  /* TEMP addrinfo is NULL in case of active */
1149  hints.ai_family = ai_family; /* Use the same address family of the control socket */
1150  hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1151  hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
1152 
1153  /* Let's the server pick up a free network port for us */
1154  if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1155  goto error_nodiscard;
1156 
1157  if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
1158  1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1159  goto error_nodiscard;
1160 
1161  /* addrinfo is no longer used */
1162  freeaddrinfo(addrinfo);
1163  addrinfo = NULL;
1164 
1165  /* get the complete sockaddr structure used in the data connection */
1166  saddrlen = sizeof(struct sockaddr_storage);
1167  if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1168  {
1169  sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1170  goto error_nodiscard;
1171  }
1172 
1173  /* Get the local port the system picked up */
1174  if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
1175  0, portdata, sizeof(portdata), NI_NUMERICSERV))
1176  {
1177  sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1178  goto error_nodiscard;
1179  }
1180  }
1181 
1182  /*
1183  * Now it's time to start playing with the RPCAP protocol
1184  * RPCAP start capture command: create the request message
1185  */
1186  if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1188  goto error_nodiscard;
1189 
1190  rpcap_createhdr((struct rpcap_header *) sendbuf,
1192  sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
1193 
1194  /* Fill the structure needed to open an adapter remotely */
1195  startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx];
1196 
1197  if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL,
1199  goto error_nodiscard;
1200 
1201  memset(startcapreq, 0, sizeof(struct rpcap_startcapreq));
1202 
1203  /* By default, apply half the timeout on one side, half of the other */
1204  fp->opt.timeout = fp->opt.timeout / 2;
1205  startcapreq->read_timeout = htonl(fp->opt.timeout);
1206 
1207  /* portdata on the openreq is meaningful only if we're in active mode */
1208  if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1209  {
1210  sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */
1211  startcapreq->portdata = htons(startcapreq->portdata);
1212  }
1213 
1214  startcapreq->snaplen = htonl(fp->snapshot);
1215  startcapreq->flags = 0;
1216 
1218  startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC;
1220  startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM;
1221  if (active)
1222  startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN;
1223 
1224  startcapreq->flags = htons(startcapreq->flags);
1225 
1226  /* Pack the capture filter */
1227  if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode))
1228  goto error_nodiscard;
1229 
1230  if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1231  PCAP_ERRBUF_SIZE) < 0)
1232  goto error_nodiscard;
1233 
1234  /* Receive and process the reply message header. */
1236  RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1)
1237  goto error_nodiscard;
1238 
1239  plen = header.plen;
1240 
1241  if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&startcapreply,
1242  sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1)
1243  goto error;
1244 
1245  /*
1246  * In case of UDP data stream, the connection is always opened by the daemon
1247  * So, this case is already covered by the code above.
1248  * Now, we have still to handle TCP connections, because:
1249  * - if we're in active mode, we have to wait for a remote connection
1250  * - if we're in passive more, we have to start a connection
1251  *
1252  * We have to do he job in two steps because in case we're opening a TCP connection, we have
1253  * to tell the port we're using to the remote side; in case we're accepting a TCP
1254  * connection, we have to wait this info from the remote side.
1255  */
1256  if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1257  {
1258  if (!active)
1259  {
1260  memset(&hints, 0, sizeof(struct addrinfo));
1261  hints.ai_family = ai_family; /* Use the same address family of the control socket */
1262  hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1263  snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
1264 
1265  /* Let's the server pick up a free network port for us */
1266  if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1267  goto error;
1268 
1269  if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1270  goto error;
1271 
1272  /* addrinfo is no longer used */
1273  freeaddrinfo(addrinfo);
1274  addrinfo = NULL;
1275  }
1276  else
1277  {
1278  SOCKET socktemp; /* We need another socket, since we're going to accept() a connection */
1279 
1280  /* Connection creation */
1281  saddrlen = sizeof(struct sockaddr_storage);
1282 
1283  socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen);
1284 
1285  if (socktemp == INVALID_SOCKET)
1286  {
1287  sock_geterror("accept()", fp->errbuf, PCAP_ERRBUF_SIZE);
1288  goto error;
1289  }
1290 
1291  /* Now that I accepted the connection, the server socket is no longer needed */
1292  sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1293  sockdata = socktemp;
1294  }
1295  }
1296 
1297  /* Let's save the socket of the data connection */
1298  pr->rmt_sockdata = sockdata;
1299 
1300 #ifdef HAVE_OPENSSL
1301  if (pr->uses_ssl)
1302  {
1303  pr->data_ssl = ssl_promotion(0, sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1304  if (! pr->data_ssl) goto error;
1305  }
1306 #endif
1307 
1308  /*
1309  * Set the size of the socket buffer for the data socket.
1310  * It has the same size as the local capture buffer used
1311  * on the other side of the connection.
1312  */
1313  server_sockbufsize = ntohl(startcapreply.bufsize);
1314 
1315  /* Let's get the actual size of the socket buffer */
1316  itemp = sizeof(sockbufsize);
1317 
1318  res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp);
1319  if (res == -1)
1320  {
1321  sock_geterror("pcap_startcapture_remote(): getsockopt() failed", fp->errbuf, PCAP_ERRBUF_SIZE);
1322  goto error;
1323  }
1324 
1325  /*
1326  * Warning: on some kernels (e.g. Linux), the size of the user
1327  * buffer does not take into account the pcap_header and such,
1328  * and it is set equal to the snaplen.
1329  *
1330  * In my view, this is wrong (the meaning of the bufsize became
1331  * a bit strange). So, here bufsize is the whole size of the
1332  * user buffer. In case the bufsize returned is too small,
1333  * let's adjust it accordingly.
1334  */
1335  if (server_sockbufsize <= (u_int) fp->snapshot)
1336  server_sockbufsize += sizeof(struct pcap_pkthdr);
1337 
1338  /* if the current socket buffer is smaller than the desired one */
1339  if ((u_int) sockbufsize < server_sockbufsize)
1340  {
1341  /*
1342  * Loop until the buffer size is OK or the original
1343  * socket buffer size is larger than this one.
1344  */
1345  for (;;)
1346  {
1347  res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF,
1348  (char *)&(server_sockbufsize),
1349  sizeof(server_sockbufsize));
1350 
1351  if (res == 0)
1352  break;
1353 
1354  /*
1355  * If something goes wrong, halve the buffer size
1356  * (checking that it does not become smaller than
1357  * the current one).
1358  */
1359  server_sockbufsize /= 2;
1360 
1361  if ((u_int) sockbufsize >= server_sockbufsize)
1362  {
1363  server_sockbufsize = sockbufsize;
1364  break;
1365  }
1366  }
1367  }
1368 
1369  /*
1370  * Let's allocate the packet; this is required in order to put
1371  * the packet somewhere when extracting data from the socket.
1372  * Since buffering has already been done in the socket buffer,
1373  * here we need just a buffer whose size is equal to the
1374  * largest possible packet message for the snapshot size,
1375  * namely the length of the message header plus the length
1376  * of the packet header plus the snapshot length.
1377  */
1378  fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot;
1379 
1380  fp->buffer = (u_char *)malloc(fp->bufsize);
1381  if (fp->buffer == NULL)
1382  {
1384  errno, "malloc");
1385  goto error;
1386  }
1387 
1388  /*
1389  * The buffer is currently empty.
1390  */
1391  fp->bp = fp->buffer;
1392  fp->cc = 0;
1393 
1394  /* Discard the rest of the message. */
1395  if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, fp->errbuf) == -1)
1396  goto error_nodiscard;
1397 
1398  /*
1399  * In case the user does not want to capture RPCAP packets, let's update the filter
1400  * We have to update it here (instead of sending it into the 'StartCapture' message
1401  * because when we generate the 'start capture' we do not know (yet) all the ports
1402  * we're currently using.
1403  */
1405  {
1406  struct bpf_program fcode;
1407 
1408  if (pcap_createfilter_norpcappkt(fp, &fcode) == -1)
1409  goto error;
1410 
1411  /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */
1412  /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */
1413  if (pcap_updatefilter_remote(fp, &fcode) == -1)
1414  goto error;
1415 
1416  pcap_freecode(&fcode);
1417  }
1418 
1419  pr->rmt_capstarted = 1;
1420  return 0;
1421 
1422 error:
1423  /*
1424  * When the connection has been established, we have to close it. So, at the
1425  * beginning of this function, if an error occur we return immediately with
1426  * a return NULL; when the connection is established, we have to come here
1427  * ('goto error;') in order to close everything properly.
1428  */
1429 
1430  /*
1431  * Discard the rest of the message.
1432  * We already reported an error; if this gets an error, just
1433  * drive on.
1434  */
1435  (void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
1436 
1437 error_nodiscard:
1438 #ifdef HAVE_OPENSSL
1439  if (pr->data_ssl)
1440  {
1441  // Finish using the SSL handle for the data socket.
1442  // This must be done *before* the socket is closed.
1443  ssl_finish(pr->data_ssl);
1444  pr->data_ssl = NULL;
1445  }
1446 #endif
1447 
1448  /* we can be here because sockdata said 'error' */
1449  if ((sockdata != 0) && (sockdata != INVALID_SOCKET))
1450  sock_close(sockdata, NULL, 0);
1451 
1452  if (!active)
1453  {
1454 #ifdef HAVE_OPENSSL
1455  if (pr->ctrl_ssl)
1456  {
1457  // Finish using the SSL handle for the control socket.
1458  // This must be done *before* the socket is closed.
1459  ssl_finish(pr->ctrl_ssl);
1460  pr->ctrl_ssl = NULL;
1461  }
1462 #endif
1463  sock_close(pr->rmt_sockctrl, NULL, 0);
1464  }
1465 
1466  if (addrinfo != NULL)
1467  freeaddrinfo(addrinfo);
1468 
1469  /*
1470  * We do not have to call pcap_close() here, because this function is always called
1471  * by the user in case something bad happens
1472  */
1473 #if 0
1474  if (fp)
1475  {
1476  pcap_close(fp);
1477  fp= NULL;
1478  }
1479 #endif
1480 
1481  return -1;
1482 }
1483 
1484 /*
1485  * This function takes a bpf program and sends it to the other host.
1486  *
1487  * This function can be called in two cases:
1488  * - pcap_startcapture_remote() is called (we have to send the filter
1489  * along with the 'start capture' command)
1490  * - we want to update the filter during a capture (i.e. pcap_setfilter()
1491  * after the capture has been started)
1492  *
1493  * This function serializes the filter into the sending buffer ('sendbuf',
1494  * passed as a parameter) and return back. It does not send anything on
1495  * the network.
1496  *
1497  * \param fp: the pcap_t descriptor of the device currently opened.
1498  *
1499  * \param sendbuf: the buffer on which the serialized data has to copied.
1500  *
1501  * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
1502  *
1503  * \param prog: the bpf program we have to copy.
1504  *
1505  * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1506  * is returned into the 'errbuf' field of the pcap_t structure.
1507  */
1508 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
1509 {
1510  struct rpcap_filter *filter;
1511  struct rpcap_filterbpf_insn *insn;
1512  struct bpf_insn *bf_insn;
1513  struct bpf_program fake_prog; /* To be used just in case the user forgot to set a filter */
1514  unsigned int i;
1515 
1516  if (prog->bf_len == 0) /* No filters have been specified; so, let's apply a "fake" filter */
1517  {
1518  if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1)
1519  return -1;
1520 
1521  prog = &fake_prog;
1522  }
1523 
1524  filter = (struct rpcap_filter *) sendbuf;
1525 
1526  if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx,
1528  return -1;
1529 
1530  filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF);
1531  filter->nitems = htonl((int32)prog->bf_len);
1532 
1533  if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn),
1534  NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1535  return -1;
1536 
1537  insn = (struct rpcap_filterbpf_insn *) (filter + 1);
1538  bf_insn = prog->bf_insns;
1539 
1540  for (i = 0; i < prog->bf_len; i++)
1541  {
1542  insn->code = htons(bf_insn->code);
1543  insn->jf = bf_insn->jf;
1544  insn->jt = bf_insn->jt;
1545  insn->k = htonl(bf_insn->k);
1546 
1547  insn++;
1548  bf_insn++;
1549  }
1550 
1551  return 0;
1552 }
1553 
1554 /*
1555  * This function updates a filter on a remote host.
1556  *
1557  * It is called when the user wants to update a filter.
1558  * In case we're capturing from the network, it sends the filter to our
1559  * peer.
1560  * This function is *not* called automatically when the user calls
1561  * pcap_setfilter().
1562  * There will be two cases:
1563  * - the capture has been started: in this case, pcap_setfilter_rpcap()
1564  * calls pcap_updatefilter_remote()
1565  * - the capture has not started yet: in this case, pcap_setfilter_rpcap()
1566  * stores the filter into the pcap_t structure, and then the filter is
1567  * sent with pcap_startcap().
1568  *
1569  * WARNING This function *does not* clear the packet currently into the
1570  * buffers. Therefore, the user has to expect to receive some packets
1571  * that are related to the previous filter. If you want to discard all
1572  * the packets before applying a new filter, you have to close the
1573  * current capture session and start a new one.
1574  *
1575  * XXX - we really should have pcap_setfilter() always discard packets
1576  * received with the old filter, and have a separate pcap_setfilter_noflush()
1577  * function that doesn't discard any packets.
1578  */
1579 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
1580 {
1581  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1582  char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1583  int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1584  struct rpcap_header header; /* To keep the reply message */
1585 
1586  if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx,
1588  return -1;
1589 
1590  rpcap_createhdr((struct rpcap_header *) sendbuf,
1592  sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn));
1593 
1594  if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog))
1595  return -1;
1596 
1597  if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1598  PCAP_ERRBUF_SIZE) < 0)
1599  return -1;
1600 
1601  /* Receive and process the reply message header. */
1603  RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1)
1604  return -1;
1605 
1606  /*
1607  * It shouldn't have any contents; discard it if it does.
1608  */
1609  if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
1610  return -1;
1611 
1612  return 0;
1613 }
1614 
1615 static void
1616 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
1617 {
1618  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1619 
1620  /*
1621  * Check if:
1622  * - We are on an remote capture
1623  * - we do not want to capture RPCAP traffic
1624  *
1625  * If so, we have to save the current filter, because we have to
1626  * add some piece of stuff later
1627  */
1628  if (pr->rmt_clientside &&
1630  {
1631  if (pr->currentfilter)
1632  free(pr->currentfilter);
1633 
1634  if (filter == NULL)
1635  filter = "";
1636 
1637  pr->currentfilter = strdup(filter);
1638  }
1639 }
1640 
1641 /*
1642  * This function sends a filter to a remote host.
1643  *
1644  * This function is called when the user wants to set a filter.
1645  * It sends the filter to our peer.
1646  * This function is called automatically when the user calls pcap_setfilter().
1647  *
1648  * Parameters and return values are exactly the same of pcap_setfilter().
1649  */
1650 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
1651 {
1652  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1653 
1654  if (!pr->rmt_capstarted)
1655  {
1656  /* copy filter into the pcap_t structure */
1657  if (install_bpf_program(fp, prog) == -1)
1658  return -1;
1659  return 0;
1660  }
1661 
1662  /* we have to update a filter during run-time */
1663  if (pcap_updatefilter_remote(fp, prog))
1664  return -1;
1665 
1666  return 0;
1667 }
1668 
1669 /*
1670  * This function updates the current filter in order not to capture rpcap
1671  * packets.
1672  *
1673  * This function is called *only* when the user wants exclude RPCAP packets
1674  * related to the current session from the captured packets.
1675  *
1676  * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1677  * is returned into the 'errbuf' field of the pcap_t structure.
1678  */
1679 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
1680 {
1681  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1682  int RetVal = 0;
1683 
1684  /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1686  {
1687  struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1688  socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1689  char myaddress[128];
1690  char myctrlport[128];
1691  char mydataport[128];
1692  char peeraddress[128];
1693  char peerctrlport[128];
1694  char *newfilter;
1695 
1696  /* Get the name/port of our peer */
1697  saddrlen = sizeof(struct sockaddr_storage);
1698  if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1699  {
1700  sock_geterror("getpeername()", fp->errbuf, PCAP_ERRBUF_SIZE);
1701  return -1;
1702  }
1703 
1704  if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress,
1705  sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1706  {
1707  sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1708  return -1;
1709  }
1710 
1711  /* We cannot check the data port, because this is available only in case of TCP sockets */
1712  /* Get the name/port of the current host */
1713  if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1714  {
1715  sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1716  return -1;
1717  }
1718 
1719  /* Get the local port the system picked up */
1720  if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress,
1721  sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1722  {
1723  sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1724  return -1;
1725  }
1726 
1727  /* Let's now check the data port */
1728  if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1729  {
1730  sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1731  return -1;
1732  }
1733 
1734  /* Get the local port the system picked up */
1735  if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
1736  {
1737  sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1738  return -1;
1739  }
1740 
1741  if (pr->currentfilter && pr->currentfilter[0] != '\0')
1742  {
1743  /*
1744  * We have a current filter; add items to it to
1745  * filter out this rpcap session.
1746  */
1747  if (pcap_asprintf(&newfilter,
1748  "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1749  pr->currentfilter, myaddress, peeraddress,
1750  myctrlport, peerctrlport, myaddress, peeraddress,
1751  mydataport) == -1)
1752  {
1753  /* Failed. */
1755  "Can't allocate memory for new filter");
1756  return -1;
1757  }
1758  }
1759  else
1760  {
1761  /*
1762  * We have no current filter; construct a filter to
1763  * filter out this rpcap session.
1764  */
1765  if (pcap_asprintf(&newfilter,
1766  "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1767  myaddress, peeraddress, myctrlport, peerctrlport,
1768  myaddress, peeraddress, mydataport) == -1)
1769  {
1770  /* Failed. */
1772  "Can't allocate memory for new filter");
1773  return -1;
1774  }
1775  }
1776 
1777  /*
1778  * This is only an hack to prevent the save_current_filter
1779  * routine, which will be called when we call pcap_compile(),
1780  * from saving the modified filter.
1781  */
1782  pr->rmt_clientside = 0;
1783 
1784  if (pcap_compile(fp, prog, newfilter, 1, 0) == -1)
1785  RetVal = -1;
1786 
1787  /* Undo the hack. */
1788  pr->rmt_clientside = 1;
1789 
1790  free(newfilter);
1791  }
1792 
1793  return RetVal;
1794 }
1795 
1796 /*
1797  * This function sets sampling parameters in the remote host.
1798  *
1799  * It is called when the user wants to set activate sampling on the
1800  * remote host.
1801  *
1802  * Sampling parameters are defined into the 'pcap_t' structure.
1803  *
1804  * \param p: the pcap_t descriptor of the device currently opened.
1805  *
1806  * \return '0' if everything is OK, '-1' is something goes wrong. The
1807  * error message is returned in the 'errbuf' member of the pcap_t structure.
1808  */
1810 {
1811  struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1812  char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */
1813  int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1814  struct rpcap_header header; /* To keep the reply message */
1815  struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */
1816 
1817  /* If no samping is requested, return 'ok' */
1818  if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP)
1819  return 0;
1820 
1821  /*
1822  * Check for sampling parameters that don't fit in a message.
1823  * We'll let the server complain about invalid parameters
1824  * that do fit into the message.
1825  */
1826  if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) {
1828  "Invalid sampling method %d", fp->rmt_samp.method);
1829  return -1;
1830  }
1831  if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) {
1833  "Invalid sampling value %d", fp->rmt_samp.value);
1834  return -1;
1835  }
1836 
1837  if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1839  return -1;
1840 
1841  rpcap_createhdr((struct rpcap_header *) sendbuf,
1843  sizeof(struct rpcap_sampling));
1844 
1845  /* Fill the structure needed to open an adapter remotely */
1846  sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx];
1847 
1848  if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL,
1850  return -1;
1851 
1852  memset(sampling_pars, 0, sizeof(struct rpcap_sampling));
1853 
1854  sampling_pars->method = (uint8)fp->rmt_samp.method;
1855  sampling_pars->value = (uint16)htonl(fp->rmt_samp.value);
1856 
1857  if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, sendbuf, sendbufidx, fp->errbuf,
1858  PCAP_ERRBUF_SIZE) < 0)
1859  return -1;
1860 
1861  /* Receive and process the reply message header. */
1863  RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1)
1864  return -1;
1865 
1866  /*
1867  * It shouldn't have any contents; discard it if it does.
1868  */
1869  if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, header.plen, fp->errbuf) == -1)
1870  return -1;
1871 
1872  return 0;
1873 }
1874 
1875 /*********************************************************
1876  * *
1877  * Miscellaneous functions *
1878  * *
1879  *********************************************************/
1880 
1881 /*
1882  * This function performs authentication and protocol version
1883  * negotiation. It is required in order to open the connection
1884  * with the other end party.
1885  *
1886  * It sends authentication parameters on the control socket and
1887  * reads the reply. If the reply is a success indication, it
1888  * checks whether the reply includes minimum and maximum supported
1889  * versions from the server; if not, it assumes both are 0, as
1890  * that means it's an older server that doesn't return supported
1891  * version numbers in authentication replies, so it only supports
1892  * version 0. It then tries to determine the maximum version
1893  * supported both by us and by the server. If it can find such a
1894  * version, it sets us up to use that version; otherwise, it fails,
1895  * indicating that there is no version supported by us and by the
1896  * server.
1897  *
1898  * \param sock: the socket we are currently using.
1899  *
1900  * \param ver: pointer to variable to which to set the protocol version
1901  * number we selected.
1902  *
1903  * \param auth: authentication parameters that have to be sent.
1904  *
1905  * \param errbuf: a pointer to a user-allocated buffer (of size
1906  * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
1907  * is one). It could be a network problem or the fact that the authorization
1908  * failed.
1909  *
1910  * \return '0' if everything is fine, '-1' for an error. For errors,
1911  * an error message string is returned in the 'errbuf' variable.
1912  */
1913 static int rpcap_doauth(SOCKET sockctrl, SSL *ssl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
1914 {
1915  char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */
1916  int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1917  uint16 length; /* length of the payload of this message */
1918  struct rpcap_auth *rpauth;
1919  uint16 auth_type;
1920  struct rpcap_header header;
1921  size_t str_length;
1922  uint32 plen;
1923  struct rpcap_authreply authreply; /* authentication reply message */
1924  uint8 ourvers;
1925 
1926  if (auth)
1927  {
1928  switch (auth->type)
1929  {
1930  case RPCAP_RMTAUTH_NULL:
1931  length = sizeof(struct rpcap_auth);
1932  break;
1933 
1934  case RPCAP_RMTAUTH_PWD:
1935  length = sizeof(struct rpcap_auth);
1936  if (auth->username)
1937  {
1938  str_length = strlen(auth->username);
1939  if (str_length > 65535)
1940  {
1941  snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)");
1942  return -1;
1943  }
1944  length += (uint16)str_length;
1945  }
1946  if (auth->password)
1947  {
1948  str_length = strlen(auth->password);
1949  if (str_length > 65535)
1950  {
1951  snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)");
1952  return -1;
1953  }
1954  length += (uint16)str_length;
1955  }
1956  break;
1957 
1958  default:
1959  snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
1960  return -1;
1961  }
1962 
1963  auth_type = (uint16)auth->type;
1964  }
1965  else
1966  {
1967  auth_type = RPCAP_RMTAUTH_NULL;
1968  length = sizeof(struct rpcap_auth);
1969  }
1970 
1971  if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1972  &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1973  return -1;
1974 
1975  rpcap_createhdr((struct rpcap_header *) sendbuf, 0,
1976  RPCAP_MSG_AUTH_REQ, 0, length);
1977 
1978  rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx];
1979 
1980  if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL,
1981  &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1982  return -1;
1983 
1984  memset(rpauth, 0, sizeof(struct rpcap_auth));
1985 
1986  rpauth->type = htons(auth_type);
1987 
1988  if (auth_type == RPCAP_RMTAUTH_PWD)
1989  {
1990  if (auth->username)
1991  rpauth->slen1 = (uint16)strlen(auth->username);
1992  else
1993  rpauth->slen1 = 0;
1994 
1995  if (sock_bufferize(auth->username, rpauth->slen1, sendbuf,
1996  &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
1997  return -1;
1998 
1999  if (auth->password)
2000  rpauth->slen2 = (uint16)strlen(auth->password);
2001  else
2002  rpauth->slen2 = 0;
2003 
2004  if (sock_bufferize(auth->password, rpauth->slen2, sendbuf,
2005  &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2006  return -1;
2007 
2008  rpauth->slen1 = htons(rpauth->slen1);
2009  rpauth->slen2 = htons(rpauth->slen2);
2010  }
2011 
2012  if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
2013  PCAP_ERRBUF_SIZE) < 0)
2014  return -1;
2015 
2016  /* Receive and process the reply message header */
2017  if (rpcap_process_msg_header(sockctrl, ssl, 0, RPCAP_MSG_AUTH_REQ,
2018  &header, errbuf) == -1)
2019  return -1;
2020 
2021  /*
2022  * OK, it's an authentication reply, so we're logged in.
2023  *
2024  * Did it send any additional information?
2025  */
2026  plen = header.plen;
2027  if (plen != 0)
2028  {
2029  /* Yes - is it big enough to be version information? */
2030  if (plen < sizeof(struct rpcap_authreply))
2031  {
2032  /* No - discard it and fail. */
2033  (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2034  return -1;
2035  }
2036 
2037  /* Read the reply body */
2038  if (rpcap_recv(sockctrl, ssl, (char *)&authreply,
2039  sizeof(struct rpcap_authreply), &plen, errbuf) == -1)
2040  {
2041  (void)rpcap_discard(sockctrl, ssl, plen, NULL);
2042  return -1;
2043  }
2044 
2045  /* Discard the rest of the message, if there is any. */
2046  if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
2047  return -1;
2048 
2049  /*
2050  * Check the minimum and maximum versions for sanity;
2051  * the minimum must be <= the maximum.
2052  */
2053  if (authreply.minvers > authreply.maxvers)
2054  {
2055  /*
2056  * Bogus - give up on this server.
2057  */
2058  snprintf(errbuf, PCAP_ERRBUF_SIZE,
2059  "The server's minimum supported protocol version is greater than its maximum supported protocol version");
2060  return -1;
2061  }
2062  }
2063  else
2064  {
2065  /* No - it supports only version 0. */
2066  authreply.minvers = 0;
2067  authreply.maxvers = 0;
2068  }
2069 
2070  /*
2071  * OK, let's start with the maximum version the server supports.
2072  */
2073  ourvers = authreply.maxvers;
2074 
2075 #if RPCAP_MIN_VERSION != 0
2076  /*
2077  * If that's less than the minimum version we support, we
2078  * can't communicate.
2079  */
2080  if (ourvers < RPCAP_MIN_VERSION)
2081  goto novers;
2082 #endif
2083 
2084  /*
2085  * If that's greater than the maximum version we support,
2086  * choose the maximum version we support.
2087  */
2088  if (ourvers > RPCAP_MAX_VERSION)
2089  {
2090  ourvers = RPCAP_MAX_VERSION;
2091 
2092  /*
2093  * If that's less than the minimum version they
2094  * support, we can't communicate.
2095  */
2096  if (ourvers < authreply.minvers)
2097  goto novers;
2098  }
2099 
2100  *ver = ourvers;
2101  return 0;
2102 
2103 novers:
2104  /*
2105  * There is no version we both support; that is a fatal error.
2106  */
2107  snprintf(errbuf, PCAP_ERRBUF_SIZE,
2108  "The server doesn't support any protocol version that we support");
2109  return -1;
2110 }
2111 
2112 /* We don't currently support non-blocking mode. */
2113 static int
2115 {
2117  "Non-blocking mode isn't supported for capturing remotely with rpcap");
2118  return (-1);
2119 }
2120 
2121 static int
2123 {
2125  "Non-blocking mode isn't supported for capturing remotely with rpcap");
2126  return (-1);
2127 }
2128 
2129 static int
2130 rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
2131  int *activep, SOCKET *sockctrlp, uint8 *uses_sslp, SSL **sslp,
2132  int rmt_flags, uint8 *protocol_versionp, char *host, char *port,
2133  char *iface, char *errbuf)
2134 {
2135  int type;
2136  struct activehosts *activeconn; /* active connection, if there is one */
2137  int error; /* 1 if rpcap_remoteact_getsock got an error */
2138 
2139  /*
2140  * Determine the type of the source (NULL, file, local, remote).
2141  * You must have a valid source string even if we're in active mode,
2142  * because otherwise the call to the following function will fail.
2143  */
2144  if (pcap_parsesrcstr_ex(source, &type, host, port, iface, uses_sslp,
2145  errbuf) == -1)
2146  return -1;
2147 
2148  /*
2149  * It must be remote.
2150  */
2151  if (type != PCAP_SRC_IFREMOTE)
2152  {
2153  snprintf(errbuf, PCAP_ERRBUF_SIZE,
2154  "Non-remote interface passed to remote capture routine");
2155  return -1;
2156  }
2157 
2158  /*
2159  * We don't yet support DTLS, so if the user asks for a TLS
2160  * connection and asks for data packets to be sent over UDP,
2161  * we have to give up.
2162  */
2163  if (*uses_sslp && (rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
2164  {
2165  snprintf(errbuf, PCAP_ERRBUF_SIZE,
2166  "TLS not supported with UDP forward of remote packets");
2167  return -1;
2168  }
2169 
2170  /* Warning: this call can be the first one called by the user. */
2171  /* For this reason, we have to initialize the Winsock support. */
2172  if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2173  return -1;
2174 
2175  /* Check for active mode */
2176  activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
2177  if (activeconn != NULL)
2178  {
2179  *activep = 1;
2180  *sockctrlp = activeconn->sockctrl;
2181  *sslp = activeconn->ssl;
2182  *protocol_versionp = activeconn->protocol_version;
2183  }
2184  else
2185  {
2186  *activep = 0;
2187  struct addrinfo hints; /* temp variable needed to resolve hostnames into to socket representation */
2188  struct addrinfo *addrinfo; /* temp variable needed to resolve hostnames into to socket representation */
2189 
2190  if (error)
2191  {
2192  /*
2193  * Call failed.
2194  */
2195  return -1;
2196  }
2197 
2198  /*
2199  * We're not in active mode; let's try to open a new
2200  * control connection.
2201  */
2202  memset(&hints, 0, sizeof(struct addrinfo));
2203  hints.ai_family = PF_UNSPEC;
2204  hints.ai_socktype = SOCK_STREAM;
2205 
2206  if (port[0] == 0)
2207  {
2208  /* the user chose not to specify the port */
2210  &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2211  return -1;
2212  }
2213  else
2214  {
2215  if (sock_initaddress(host, port, &hints, &addrinfo,
2216  errbuf, PCAP_ERRBUF_SIZE) == -1)
2217  return -1;
2218  }
2219 
2220  if ((*sockctrlp = sock_open(addrinfo, SOCKOPEN_CLIENT, 0,
2221  errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2222  {
2223  freeaddrinfo(addrinfo);
2224  return -1;
2225  }
2226 
2227  /* addrinfo is no longer used */
2228  freeaddrinfo(addrinfo);
2229  addrinfo = NULL;
2230 
2231  if (*uses_sslp)
2232  {
2233 #ifdef HAVE_OPENSSL
2234  *sslp = ssl_promotion(0, *sockctrlp, errbuf,
2236  if (!*sslp)
2237  {
2238  sock_close(*sockctrlp, NULL, 0);
2239  return -1;
2240  }
2241 #else
2242  snprintf(errbuf, PCAP_ERRBUF_SIZE,
2243  "No TLS support");
2244  sock_close(*sockctrlp, NULL, 0);
2245  return -1;
2246 #endif
2247  }
2248 
2249  if (rpcap_doauth(*sockctrlp, *sslp, protocol_versionp, auth,
2250  errbuf) == -1)
2251  {
2252 #ifdef HAVE_OPENSSL
2253  if (*sslp)
2254  {
2255  // Finish using the SSL handle for the socket.
2256  // This must be done *before* the socket is
2257  // closed.
2258  ssl_finish(*sslp);
2259  }
2260 #endif
2261  sock_close(*sockctrlp, NULL, 0);
2262  return -1;
2263  }
2264  }
2265  return 0;
2266 }
2267 
2268 /*
2269  * This function opens a remote adapter by opening an RPCAP connection and
2270  * so on.
2271  *
2272  * It does the job of pcap_open_live() for a remote interface; it's called
2273  * by pcap_open() for remote interfaces.
2274  *
2275  * We do not start the capture until pcap_startcapture_remote() is called.
2276  *
2277  * This is because, when doing a remote capture, we cannot start capturing
2278  * data as soon as the 'open adapter' command is sent. Suppose the remote
2279  * adapter is already overloaded; if we start a capture (which, by default,
2280  * has a NULL filter) the new traffic can saturate the network.
2281  *
2282  * Instead, we want to "open" the adapter, then send a "start capture"
2283  * command only when we're ready to start the capture.
2284  * This function does this job: it sends an "open adapter" command
2285  * (according to the RPCAP protocol), but it does not start the capture.
2286  *
2287  * Since the other libpcap functions do not share this way of life, we
2288  * have to do some dirty things in order to make everything work.
2289  *
2290  * \param source: see pcap_open().
2291  * \param snaplen: see pcap_open().
2292  * \param flags: see pcap_open().
2293  * \param read_timeout: see pcap_open().
2294  * \param auth: see pcap_open().
2295  * \param errbuf: see pcap_open().
2296  *
2297  * \return a pcap_t pointer in case of success, NULL otherwise. In case of
2298  * success, the pcap_t pointer can be used as a parameter to the following
2299  * calls (pcap_compile() and so on). In case of problems, errbuf contains
2300  * a text explanation of error.
2301  *
2302  * WARNING: In case we call pcap_compile() and the capture has not yet
2303  * been started, the filter will be saved into the pcap_t structure,
2304  * and it will be sent to the other host later (when
2305  * pcap_startcapture_remote() is called).
2306  */
2307 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
2308 {
2309  pcap_t *fp;
2310  char *source_str;
2311  struct pcap_rpcap *pr; /* structure used when doing a remote live capture */
2312  char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE];
2313  SOCKET sockctrl;
2314  SSL *ssl = NULL;
2315  uint8 protocol_version; /* negotiated protocol version */
2316  int active;
2317  uint32 plen;
2318  char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
2319  int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
2320 
2321  /* RPCAP-related variables */
2322  struct rpcap_header header; /* header of the RPCAP packet */
2323  struct rpcap_openreply openreply; /* open reply message */
2324 
2325  fp = PCAP_CREATE_COMMON(errbuf, struct pcap_rpcap);
2326  if (fp == NULL)
2327  {
2328  return NULL;
2329  }
2330  source_str = strdup(source);
2331  if (source_str == NULL) {
2333  errno, "malloc");
2334  return NULL;
2335  }
2336 
2337  /*
2338  * Turn a negative snapshot value (invalid), a snapshot value of
2339  * 0 (unspecified), or a value bigger than the normal maximum
2340  * value, into the maximum allowed value.
2341  *
2342  * If some application really *needs* a bigger snapshot
2343  * length, we should just increase MAXIMUM_SNAPLEN.
2344  *
2345  * XXX - should we leave this up to the remote server to
2346  * do?
2347  */
2348  if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN)
2349  snaplen = MAXIMUM_SNAPLEN;
2350 
2351  fp->opt.device = source_str;
2352  fp->snapshot = snaplen;
2353  fp->opt.timeout = read_timeout;
2354  pr = fp->priv;
2355  pr->rmt_flags = flags;
2356 
2357  /*
2358  * Attempt to set up the session with the server.
2359  */
2360  if (rpcap_setup_session(fp->opt.device, auth, &active, &sockctrl,
2361  &pr->uses_ssl, &ssl, flags, &protocol_version, host, ctrlport,
2362  iface, errbuf) == -1)
2363  {
2364  /* Session setup failed. */
2365  pcap_close(fp);
2366  return NULL;
2367  }
2368 
2369  /* All good so far, save the ssl handler */
2370  ssl_main = ssl;
2371 
2372  /*
2373  * Now it's time to start playing with the RPCAP protocol
2374  * RPCAP open command: create the request message
2375  */
2376  if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
2377  &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2378  goto error_nodiscard;
2379 
2380  rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version,
2381  RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface));
2382 
2383  if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx,
2385  goto error_nodiscard;
2386 
2387  if (sock_send(sockctrl, ssl, sendbuf, sendbufidx, errbuf,
2388  PCAP_ERRBUF_SIZE) < 0)
2389  goto error_nodiscard;
2390 
2391  /* Receive and process the reply message header. */
2392  if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
2393  RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1)
2394  goto error_nodiscard;
2395  plen = header.plen;
2396 
2397  /* Read the reply body */
2398  if (rpcap_recv(sockctrl, ssl, (char *)&openreply,
2399  sizeof(struct rpcap_openreply), &plen, errbuf) == -1)
2400  goto error;
2401 
2402  /* Discard the rest of the message, if there is any. */
2403  if (rpcap_discard(sockctrl, ssl, plen, errbuf) == -1)
2404  goto error_nodiscard;
2405 
2406  /* Set proper fields into the pcap_t struct */
2407  fp->linktype = ntohl(openreply.linktype);
2408  pr->rmt_sockctrl = sockctrl;
2409  pr->ctrl_ssl = ssl;
2410  pr->protocol_version = protocol_version;
2411  pr->rmt_clientside = 1;
2412 
2413  /* This code is duplicated from the end of this function */
2414  fp->read_op = pcap_read_rpcap;
2419  fp->stats_op = pcap_stats_rpcap;
2420 #ifdef _WIN32
2421  fp->stats_ex_op = pcap_stats_ex_rpcap;
2422 #endif
2424 
2425  fp->activated = 1;
2426  return fp;
2427 
2428 error:
2429  /*
2430  * When the connection has been established, we have to close it. So, at the
2431  * beginning of this function, if an error occur we return immediately with
2432  * a return NULL; when the connection is established, we have to come here
2433  * ('goto error;') in order to close everything properly.
2434  */
2435 
2436  /*
2437  * Discard the rest of the message.
2438  * We already reported an error; if this gets an error, just
2439  * drive on.
2440  */
2441  (void)rpcap_discard(sockctrl, pr->ctrl_ssl, plen, NULL);
2442 
2443 error_nodiscard:
2444  if (!active)
2445  {
2446 #ifdef HAVE_OPENSSL
2447  if (ssl)
2448  {
2449  // Finish using the SSL handle for the socket.
2450  // This must be done *before* the socket is closed.
2451  ssl_finish(ssl);
2452  }
2453 #endif
2454  sock_close(sockctrl, NULL, 0);
2455  }
2456 
2457  pcap_close(fp);
2458  return NULL;
2459 }
2460 
2461 /* String identifier to be used in the pcap_findalldevs_ex() */
2462 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter"
2463 #define PCAP_TEXT_SOURCE_ADAPTER_LEN (sizeof PCAP_TEXT_SOURCE_ADAPTER - 1)
2464 /* String identifier to be used in the pcap_findalldevs_ex() */
2465 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node"
2466 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST_LEN (sizeof PCAP_TEXT_SOURCE_ON_REMOTE_HOST - 1)
2467 
2468 static void
2469 freeaddr(struct pcap_addr *addr)
2470 {
2471  free(addr->addr);
2472  free(addr->netmask);
2473  free(addr->broadaddr);
2474  free(addr->dstaddr);
2475  free(addr);
2476 }
2477 
2478 int
2479 pcap_findalldevs_ex_remote(const char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
2480 {
2481  uint8 protocol_version; /* protocol version */
2482  SOCKET sockctrl; /* socket descriptor of the control connection */
2483  SSL *ssl = NULL; /* optional SSL handler for sockctrl */
2484  uint32 plen;
2485  struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */
2486  int i, j; /* temp variables */
2487  int nif; /* Number of interfaces listed */
2488  int active; /* 'true' if we the other end-party is in active mode */
2489  uint8 uses_ssl;
2490  char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE];
2491  char tmpstring[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2492  pcap_if_t *lastdev; /* Last device in the pcap_if_t list */
2493  pcap_if_t *dev; /* Device we're adding to the pcap_if_t list */
2494 
2495  /* List starts out empty. */
2496  (*alldevs) = NULL;
2497  lastdev = NULL;
2498 
2499  /*
2500  * Attempt to set up the session with the server.
2501  */
2502  if (rpcap_setup_session(source, auth, &active, &sockctrl, &uses_ssl,
2503  &ssl, 0, &protocol_version, host, port, NULL, errbuf) == -1)
2504  {
2505  /* Session setup failed. */
2506  return -1;
2507  }
2508 
2509  /* RPCAP findalldevs command */
2510  rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ,
2511  0, 0);
2512 
2513  if (sock_send(sockctrl, ssl, (char *)&header, sizeof(struct rpcap_header),
2514  errbuf, PCAP_ERRBUF_SIZE) < 0)
2515  goto error_nodiscard;
2516 
2517  /* Receive and process the reply message header. */
2518  if (rpcap_process_msg_header(sockctrl, ssl, protocol_version,
2519  RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1)
2520  goto error_nodiscard;
2521 
2522  plen = header.plen;
2523 
2524  /* read the number of interfaces */
2525  nif = ntohs(header.value);
2526 
2527  /* loop until all interfaces have been received */
2528  for (i = 0; i < nif; i++)
2529  {
2530  struct rpcap_findalldevs_if findalldevs_if;
2531  char tmpstring2[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2532  struct pcap_addr *addr, *prevaddr;
2533 
2534  tmpstring2[PCAP_BUF_SIZE] = 0;
2535 
2536  /* receive the findalldevs structure from remote host */
2537  if (rpcap_recv(sockctrl, ssl, (char *)&findalldevs_if,
2538  sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1)
2539  goto error;
2540 
2541  findalldevs_if.namelen = ntohs(findalldevs_if.namelen);
2542  findalldevs_if.desclen = ntohs(findalldevs_if.desclen);
2543  findalldevs_if.naddr = ntohs(findalldevs_if.naddr);
2544 
2545  /* allocate the main structure */
2546  dev = (pcap_if_t *)malloc(sizeof(pcap_if_t));
2547  if (dev == NULL)
2548  {
2550  errno, "malloc() failed");
2551  goto error;
2552  }
2553 
2554  /* Initialize the structure to 'zero' */
2555  memset(dev, 0, sizeof(pcap_if_t));
2556 
2557  /* Append it to the list. */
2558  if (lastdev == NULL)
2559  {
2560  /*
2561  * List is empty, so it's also the first device.
2562  */
2563  *alldevs = dev;
2564  }
2565  else
2566  {
2567  /*
2568  * Append after the last device.
2569  */
2570  lastdev->next = dev;
2571  }
2572  /* It's now the last device. */
2573  lastdev = dev;
2574 
2575  /* allocate mem for name and description */
2576  if (findalldevs_if.namelen)
2577  {
2578 
2579  if (findalldevs_if.namelen >= sizeof(tmpstring))
2580  {
2581  snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long");
2582  goto error;
2583  }
2584 
2585  /* Retrieve adapter name */
2586  if (rpcap_recv(sockctrl, ssl, tmpstring,
2587  findalldevs_if.namelen, &plen, errbuf) == -1)
2588  goto error;
2589 
2590  tmpstring[findalldevs_if.namelen] = 0;
2591 
2592  /* Create the new device identifier */
2593  if (pcap_createsrcstr_ex(tmpstring2, PCAP_SRC_IFREMOTE,
2594  host, port, tmpstring, uses_ssl, errbuf) == -1)
2595  goto error;
2596 
2597  dev->name = strdup(tmpstring2);
2598  if (dev->name == NULL)
2599  {
2601  PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2602  goto error;
2603  }
2604  }
2605 
2606  if (findalldevs_if.desclen)
2607  {
2608  if (findalldevs_if.desclen >= sizeof(tmpstring))
2609  {
2610  snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long");
2611  goto error;
2612  }
2613 
2614  /* Retrieve adapter description */
2615  if (rpcap_recv(sockctrl, ssl, tmpstring,
2616  findalldevs_if.desclen, &plen, errbuf) == -1)
2617  goto error;
2618 
2619  tmpstring[findalldevs_if.desclen] = 0;
2620 
2621  if (pcap_asprintf(&dev->description,
2622  "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER,
2623  tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host) == -1)
2624  {
2626  PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2627  goto error;
2628  }
2629  }
2630 
2631  dev->flags = ntohl(findalldevs_if.flags);
2632 
2633  prevaddr = NULL;
2634  /* loop until all addresses have been received */
2635  for (j = 0; j < findalldevs_if.naddr; j++)
2636  {
2637  struct rpcap_findalldevs_ifaddr ifaddr;
2638 
2639  /* Retrieve the interface addresses */
2640  if (rpcap_recv(sockctrl, ssl, (char *)&ifaddr,
2641  sizeof(struct rpcap_findalldevs_ifaddr),
2642  &plen, errbuf) == -1)
2643  goto error;
2644 
2645  /*
2646  * Deserialize all the address components.
2647  */
2648  addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr));
2649  if (addr == NULL)
2650  {
2652  PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2653  goto error;
2654  }
2655  addr->next = NULL;
2656  addr->addr = NULL;
2657  addr->netmask = NULL;
2658  addr->broadaddr = NULL;
2659  addr->dstaddr = NULL;
2660 
2661  if (rpcap_deseraddr(&ifaddr.addr,
2662  (struct sockaddr_storage **) &addr->addr, errbuf) == -1)
2663  {
2664  freeaddr(addr);
2665  goto error;
2666  }
2667  if (rpcap_deseraddr(&ifaddr.netmask,
2668  (struct sockaddr_storage **) &addr->netmask, errbuf) == -1)
2669  {
2670  freeaddr(addr);
2671  goto error;
2672  }
2673  if (rpcap_deseraddr(&ifaddr.broadaddr,
2674  (struct sockaddr_storage **) &addr->broadaddr, errbuf) == -1)
2675  {
2676  freeaddr(addr);
2677  goto error;
2678  }
2679  if (rpcap_deseraddr(&ifaddr.dstaddr,
2680  (struct sockaddr_storage **) &addr->dstaddr, errbuf) == -1)
2681  {
2682  freeaddr(addr);
2683  goto error;
2684  }
2685 
2686  if ((addr->addr == NULL) && (addr->netmask == NULL) &&
2687  (addr->broadaddr == NULL) && (addr->dstaddr == NULL))
2688  {
2689  /*
2690  * None of the addresses are IPv4 or IPv6
2691  * addresses, so throw this entry away.
2692  */
2693  free(addr);
2694  }
2695  else
2696  {
2697  /*
2698  * Add this entry to the list.
2699  */
2700  if (prevaddr == NULL)
2701  {
2702  dev->addresses = addr;
2703  }
2704  else
2705  {
2706  prevaddr->next = addr;
2707  }
2708  prevaddr = addr;
2709  }
2710  }
2711  }
2712 
2713  /* Discard the rest of the message. */
2714  if (rpcap_discard(sockctrl, ssl, plen, errbuf) == 1)
2715  goto error_nodiscard;
2716 
2717  /* Control connection has to be closed only in case the remote machine is in passive mode */
2718  if (!active)
2719  {
2720  /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */
2721 #ifdef HAVE_OPENSSL
2722  if (ssl)
2723  {
2724  // Finish using the SSL handle for the socket.
2725  // This must be done *before* the socket is closed.
2726  ssl_finish(ssl);
2727  }
2728 #endif
2729  if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE))
2730  return -1;
2731  }
2732 
2733  /* To avoid inconsistencies in the number of sock_init() */
2734  sock_cleanup();
2735 
2736  return 0;
2737 
2738 error:
2739  /*
2740  * In case there has been an error, I don't want to overwrite it with a new one
2741  * if the following call fails. I want to return always the original error.
2742  *
2743  * Take care: this connection can already be closed when we try to close it.
2744  * This happens because a previous error in the rpcapd, which requested to
2745  * closed the connection. In that case, we already recognized that into the
2746  * rpspck_isheaderok() and we already acknowledged the closing.
2747  * In that sense, this call is useless here (however it is needed in case
2748  * the client generates the error).
2749  *
2750  * Checks if all the data has been read; if not, discard the data in excess
2751  */
2752  (void) rpcap_discard(sockctrl, ssl, plen, NULL);
2753 
2754 error_nodiscard:
2755  /* Control connection has to be closed only in case the remote machine is in passive mode */
2756  if (!active)
2757  {
2758 #ifdef HAVE_OPENSSL
2759  if (ssl)
2760  {
2761  // Finish using the SSL handle for the socket.
2762  // This must be done *before* the socket is closed.
2763  ssl_finish(ssl);
2764  }
2765 #endif
2766  sock_close(sockctrl, NULL, 0);
2767  }
2768 
2769  /* To avoid inconsistencies in the number of sock_init() */
2770  sock_cleanup();
2771 
2772  /* Free whatever interfaces we've allocated. */
2773  pcap_freealldevs(*alldevs);
2774 
2775  return -1;
2776 }
2777 
2778 /*
2779  * Active mode routines.
2780  *
2781  * The old libpcap API is somewhat ugly, and makes active mode difficult
2782  * to implement; we provide some APIs for it that work only with rpcap.
2783  */
2784 
2785 SOCKET pcap_remoteact_accept_ex(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, int uses_ssl, char *errbuf)
2786 {
2787  /* socket-related variables */
2788  struct addrinfo hints; /* temporary struct to keep settings needed to open the new socket */
2789  struct addrinfo *addrinfo; /* keeps the addrinfo chain; required to open a new socket */
2790  struct sockaddr_storage from; /* generic sockaddr_storage variable */
2791  socklen_t fromlen; /* keeps the length of the sockaddr_storage variable */
2792  SOCKET sockctrl; /* keeps the main socket identifier */
2793  SSL *ssl = NULL; /* Optional SSL handler for sockctrl */
2794  uint8 protocol_version; /* negotiated protocol version */
2795  struct activehosts *temp, *prev; /* temp var needed to scan he host list chain */
2796 
2797  *connectinghost = 0; /* just in case */
2798 
2799  /* Prepare to open a new server socket */
2800  memset(&hints, 0, sizeof(struct addrinfo));
2801  /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6 */
2802  hints.ai_family = AF_INET; /* PF_UNSPEC to have both IPv4 and IPv6 server */
2803  hints.ai_flags = AI_PASSIVE; /* Ready to a bind() socket */
2804  hints.ai_socktype = SOCK_STREAM;
2805 
2806  /* Warning: this call can be the first one called by the user. */
2807  /* For this reason, we have to initialize the Winsock support. */
2808  if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2809  return (SOCKET)-1;
2810 
2811  /* Do the work */
2812  if ((port == NULL) || (port[0] == 0))
2813  {
2814  if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2815  {
2816  return (SOCKET)-2;
2817  }
2818  }
2819  else
2820  {
2821  if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2822  {
2823  return (SOCKET)-2;
2824  }
2825  }
2826 
2827 
2828  if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2829  {
2830  freeaddrinfo(addrinfo);
2831  return (SOCKET)-2;
2832  }
2833  freeaddrinfo(addrinfo);
2834 
2835  /* Connection creation */
2836  fromlen = sizeof(struct sockaddr_storage);
2837 
2838  sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen);
2839 
2840  /* We're not using sock_close, since we do not want to send a shutdown */
2841  /* (which is not allowed on a non-connected socket) */
2843  sockmain = 0;
2844 
2845  if (sockctrl == INVALID_SOCKET)
2846  {
2847  sock_geterror("accept()", errbuf, PCAP_ERRBUF_SIZE);
2848  return (SOCKET)-2;
2849  }
2850 
2851  /* Promote to SSL early before any error message may be sent */
2852  if (uses_ssl)
2853  {
2854 #ifdef HAVE_OPENSSL
2855  ssl = ssl_promotion(0, sockctrl, errbuf, PCAP_ERRBUF_SIZE);
2856  if (! ssl)
2857  {
2858  sock_close(sockctrl, NULL, 0);
2859  return (SOCKET)-1;
2860  }
2861 #else
2862  snprintf(errbuf, PCAP_ERRBUF_SIZE, "No TLS support");
2863  sock_close(sockctrl, NULL, 0);
2864  return (SOCKET)-1;
2865 #endif
2866  }
2867 
2868  /* Get the numeric for of the name of the connecting host */
2869  if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST))
2870  {
2871  sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE);
2872  rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2873 #ifdef HAVE_OPENSSL
2874  if (ssl)
2875  {
2876  // Finish using the SSL handle for the socket.
2877  // This must be done *before* the socket is closed.
2878  ssl_finish(ssl);
2879  }
2880 #endif
2881  sock_close(sockctrl, NULL, 0);
2882  return (SOCKET)-1;
2883  }
2884 
2885  /* checks if the connecting host is among the ones allowed */
2886  if (sock_check_hostlist((char *)hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0)
2887  {
2888  rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2889 #ifdef HAVE_OPENSSL
2890  if (ssl)
2891  {
2892  // Finish using the SSL handle for the socket.
2893  // This must be done *before* the socket is closed.
2894  ssl_finish(ssl);
2895  }
2896 #endif
2897  sock_close(sockctrl, NULL, 0);
2898  return (SOCKET)-1;
2899  }
2900 
2901  /*
2902  * Send authentication to the remote machine.
2903  */
2904  if (rpcap_doauth(sockctrl, ssl, &protocol_version, auth, errbuf) == -1)
2905  {
2906  /* Unrecoverable error. */
2907  rpcap_senderror(sockctrl, ssl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2908 #ifdef HAVE_OPENSSL
2909  if (ssl)
2910  {
2911  // Finish using the SSL handle for the socket.
2912  // This must be done *before* the socket is closed.
2913  ssl_finish(ssl);
2914  }
2915 #endif
2916  sock_close(sockctrl, NULL, 0);
2917  return (SOCKET)-3;
2918  }
2919 
2920  /* Checks that this host does not already have a cntrl connection in place */
2921 
2922  /* Initialize pointers */
2923  temp = activeHosts;
2924  prev = NULL;
2925 
2926  while (temp)
2927  {
2928  /* This host already has an active connection in place, so I don't have to update the host list */
2929  if (sock_cmpaddr(&temp->host, &from) == 0)
2930  return sockctrl;
2931 
2932  prev = temp;
2933  temp = temp->next;
2934  }
2935 
2936  /* The host does not exist in the list; so I have to update the list */
2937  if (prev)
2938  {
2939  prev->next = (struct activehosts *) malloc(sizeof(struct activehosts));
2940  temp = prev->next;
2941  }
2942  else
2943  {
2944  activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts));
2945  temp = activeHosts;
2946  }
2947 
2948  if (temp == NULL)
2949  {
2951  errno, "malloc() failed");
2953 #ifdef HAVE_OPENSSL
2954  if (ssl)
2955  {
2956  // Finish using the SSL handle for the socket.
2957  // This must be done *before* the socket is closed.
2958  ssl_finish(ssl);
2959  }
2960 #endif
2961  sock_close(sockctrl, NULL, 0);
2962  return (SOCKET)-1;
2963  }
2964 
2965  memcpy(&temp->host, &from, fromlen);
2966  temp->sockctrl = sockctrl;
2967  temp->ssl = ssl;
2969  temp->next = NULL;
2970 
2971  return sockctrl;
2972 }
2973 
2974 SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
2975 {
2976  return pcap_remoteact_accept_ex(address, port, hostlist, connectinghost, auth, 0, errbuf);
2977 }
2978 
2979 int pcap_remoteact_close(const char *host, char *errbuf)
2980 {
2981  struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */
2982  struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
2983  int retval;
2984 
2985  temp = activeHosts;
2986  prev = NULL;
2987 
2988  /* retrieve the network address corresponding to 'host' */
2989  addrinfo = NULL;
2990  memset(&hints, 0, sizeof(struct addrinfo));
2991  hints.ai_family = PF_UNSPEC;
2992  hints.ai_socktype = SOCK_STREAM;
2993 
2994  retval = sock_initaddress(host, "0", &hints, &addrinfo, errbuf,
2996  if (retval != 0)
2997  {
2998  return -1;
2999  }
3000 
3001  while (temp)
3002  {
3003  ai_next = addrinfo;
3004  while (ai_next)
3005  {
3006  if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
3007  {
3008  struct rpcap_header header;
3009  int status = 0;
3010 
3011  /* Close this connection */
3012  rpcap_createhdr(&header, temp->protocol_version,
3013  RPCAP_MSG_CLOSE, 0, 0);
3014 
3015  /*
3016  * Don't check for errors, since we're
3017  * just cleaning up.
3018  */
3019  if (sock_send(temp->sockctrl, temp->ssl,
3020  (char *)&header,
3021  sizeof(struct rpcap_header), errbuf,
3022  PCAP_ERRBUF_SIZE) < 0)
3023  {
3024  /*
3025  * Let that error be the one we
3026  * report.
3027  */
3028 #ifdef HAVE_OPENSSL
3029  if (temp->ssl)
3030  {
3031  // Finish using the SSL handle
3032  // for the socket.
3033  // This must be done *before*
3034  // the socket is closed.
3035  ssl_finish(temp->ssl);
3036  }
3037 #endif
3038  (void)sock_close(temp->sockctrl, NULL,
3039  0);
3040  status = -1;
3041  }
3042  else
3043  {
3044 #ifdef HAVE_OPENSSL
3045  if (temp->ssl)
3046  {
3047  // Finish using the SSL handle
3048  // for the socket.
3049  // This must be done *before*
3050  // the socket is closed.
3051  ssl_finish(temp->ssl);
3052  }
3053 #endif
3054  if (sock_close(temp->sockctrl, errbuf,
3055  PCAP_ERRBUF_SIZE) == -1)
3056  status = -1;
3057  }
3058 
3059  /*
3060  * Remove the host from the list of active
3061  * hosts.
3062  */
3063  if (prev)
3064  prev->next = temp->next;
3065  else
3066  activeHosts = temp->next;
3067 
3068  freeaddrinfo(addrinfo);
3069 
3070  free(temp);
3071 
3072  /* To avoid inconsistencies in the number of sock_init() */
3073  sock_cleanup();
3074 
3075  return status;
3076  }
3077 
3078  ai_next = ai_next->ai_next;
3079  }
3080  prev = temp;
3081  temp = temp->next;
3082  }
3083 
3084  if (addrinfo)
3085  freeaddrinfo(addrinfo);
3086 
3087  /* To avoid inconsistencies in the number of sock_init() */
3088  sock_cleanup();
3089 
3090  snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known");
3091  return -1;
3092 }
3093 
3095 {
3096 # ifdef HAVE_OPENSSL
3097  if (ssl_main)
3098  {
3099  // Finish using the SSL handle for the main active socket.
3100  // This must be done *before* the socket is closed.
3101  ssl_finish(ssl_main);
3102  ssl_main = NULL;
3103  }
3104 # endif
3105 
3106  /* Very dirty, but it works */
3107  if (sockmain)
3108  {
3110 
3111  /* To avoid inconsistencies in the number of sock_init() */
3112  sock_cleanup();
3113  }
3114 }
3115 
3116 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
3117 {
3118  struct activehosts *temp; /* temp var needed to scan the host list chain */
3119  size_t len;
3120  char hoststr[RPCAP_HOSTLIST_SIZE + 1];
3121 
3122  temp = activeHosts;
3123 
3124  len = 0;
3125  *hostlist = 0;
3126 
3127  while (temp)
3128  {
3129  /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */
3130 
3131  /* Get the numeric form of the name of the connecting host */
3132  if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr,
3133  RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1)
3134  /* if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */
3135  /* RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */
3136  {
3137  /* sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE); */
3138  return -1;
3139  }
3140 
3141  len = len + strlen(hoststr) + 1 /* the separator */;
3142 
3143  if ((size < 0) || (len >= (size_t)size))
3144  {
3145  snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep "
3146  "the hostnames for all the active connections");
3147  return -1;
3148  }
3149 
3151  hostlist[len - 1] = sep;
3152  hostlist[len] = 0;
3153 
3154  temp = temp->next;
3155  }
3156 
3157  return 0;
3158 }
3159 
3160 /*
3161  * Receive the header of a message.
3162  */
3163 static int rpcap_recv_msg_header(SOCKET sock, SSL *ssl, struct rpcap_header *header, char *errbuf)
3164 {
3165  int nrecv;
3166 
3167  nrecv = sock_recv(sock, ssl, (char *) header, sizeof(struct rpcap_header),
3170  if (nrecv == -1)
3171  {
3172  /* Network error. */
3173  return -1;
3174  }
3175  header->plen = ntohl(header->plen);
3176  return 0;
3177 }
3178 
3179 /*
3180  * Make sure the protocol version of a received message is what we were
3181  * expecting.
3182  */
3183 static int rpcap_check_msg_ver(SOCKET sock, SSL *ssl, uint8 expected_ver, struct rpcap_header *header, char *errbuf)
3184 {
3185  /*
3186  * Did the server specify the version we negotiated?
3187  */
3188  if (header->ver != expected_ver)
3189  {
3190  /*
3191  * Discard the rest of the message.
3192  */
3193  if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
3194  return -1;
3195 
3196  /*
3197  * Tell our caller that it's not the negotiated version.
3198  */
3199  if (errbuf != NULL)
3200  {
3201  snprintf(errbuf, PCAP_ERRBUF_SIZE,
3202  "Server sent us a message with version %u when we were expecting %u",
3203  header->ver, expected_ver);
3204  }
3205  return -1;
3206  }
3207  return 0;
3208 }
3209 
3210 /*
3211  * Check the message type of a received message, which should either be
3212  * the expected message type or RPCAP_MSG_ERROR.
3213  */
3214 static int rpcap_check_msg_type(SOCKET sock, SSL *ssl, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf)
3215 {
3216  const char *request_type_string;
3217  const char *msg_type_string;
3218 
3219  /*
3220  * What type of message is it?
3221  */
3222  if (header->type == RPCAP_MSG_ERROR)
3223  {
3224  /*
3225  * The server reported an error.
3226  * Hand that error back to our caller.
3227  */
3228  *errcode = ntohs(header->value);
3229  rpcap_msg_err(sock, ssl, header->plen, errbuf);
3230  return -1;
3231  }
3232 
3233  *errcode = 0;
3234 
3235  /*
3236  * For a given request type value, the expected reply type value
3237  * is the request type value with ORed with RPCAP_MSG_IS_REPLY.
3238  */
3239  if (header->type != (request_type | RPCAP_MSG_IS_REPLY))
3240  {
3241  /*
3242  * This isn't a reply to the request we sent.
3243  */
3244 
3245  /*
3246  * Discard the rest of the message.
3247  */
3248  if (rpcap_discard(sock, ssl, header->plen, errbuf) == -1)
3249  return -1;
3250 
3251  /*
3252  * Tell our caller about it.
3253  */
3254  request_type_string = rpcap_msg_type_string(request_type);
3255  msg_type_string = rpcap_msg_type_string(header->type);
3256  if (errbuf != NULL)
3257  {
3258  if (request_type_string == NULL)
3259  {
3260  /* This should not happen. */
3261  snprintf(errbuf, PCAP_ERRBUF_SIZE,
3262  "rpcap_check_msg_type called for request message with type %u",
3263  request_type);
3264  return -1;
3265  }
3266  if (msg_type_string != NULL)
3267  snprintf(errbuf, PCAP_ERRBUF_SIZE,
3268  "%s message received in response to a %s message",
3269  msg_type_string, request_type_string);
3270  else
3271  snprintf(errbuf, PCAP_ERRBUF_SIZE,
3272  "Message of unknown type %u message received in response to a %s request",
3273  header->type, request_type_string);
3274  }
3275  return -1;
3276  }
3277 
3278  return 0;
3279 }
3280 
3281 /*
3282  * Receive and process the header of a message.
3283  */
3284 static int rpcap_process_msg_header(SOCKET sock, SSL *ssl, uint8 expected_ver, uint8 request_type, struct rpcap_header *header, char *errbuf)
3285 {
3286  uint16 errcode;
3287 
3288  if (rpcap_recv_msg_header(sock, ssl, header, errbuf) == -1)
3289  {
3290  /* Network error. */
3291  return -1;
3292  }
3293 
3294  /*
3295  * Did the server specify the version we negotiated?
3296  */
3297  if (rpcap_check_msg_ver(sock, ssl, expected_ver, header, errbuf) == -1)
3298  return -1;
3299 
3300  /*
3301  * Check the message type.
3302  */
3303  return rpcap_check_msg_type(sock, ssl, request_type, header,
3304  &errcode, errbuf);
3305 }
3306 
3307 /*
3308  * Read data from a message.
3309  * If we're trying to read more data that remains, puts an error
3310  * message into errmsgbuf and returns -2. Otherwise, tries to read
3311  * the data and, if that succeeds, subtracts the amount read from
3312  * the number of bytes of data that remains.
3313  * Returns 0 on success, logs a message and returns -1 on a network
3314  * error.
3315  */
3316 static int rpcap_recv(SOCKET sock, SSL *ssl, void *buffer, size_t toread, uint32 *plen, char *errbuf)
3317 {
3318  int nread;
3319 
3320  if (toread > *plen)
3321  {
3322  /* The server sent us a bad message */
3323  snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short");
3324  return -1;
3325  }
3326  nread = sock_recv(sock, ssl, buffer, toread,
3328  if (nread == -1)
3329  {
3330  return -1;
3331  }
3332  *plen -= nread;
3333  return 0;
3334 }
3335 
3336 /*
3337  * This handles the RPCAP_MSG_ERROR message.
3338  */
3339 static void rpcap_msg_err(SOCKET sockctrl, SSL *ssl, uint32 plen, char *remote_errbuf)
3340 {
3341  char errbuf[PCAP_ERRBUF_SIZE];
3342 
3343  if (plen >= PCAP_ERRBUF_SIZE)
3344  {
3345  /*
3346  * Message is too long; just read as much of it as we
3347  * can into the buffer provided, and discard the rest.
3348  */
3349  if (sock_recv(sockctrl, ssl, remote_errbuf, PCAP_ERRBUF_SIZE - 1,
3351  PCAP_ERRBUF_SIZE) == -1)
3352  {
3353  // Network error.
3354  snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3355  return;
3356  }
3357 
3358  /*
3359  * Null-terminate it.
3360  */
3361  remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0';
3362 
3363 #ifdef _WIN32
3364  /*
3365  * If we're not in UTF-8 mode, convert it to the local
3366  * code page.
3367  */
3368  if (!pcap_utf_8_mode)
3369  utf_8_to_acp_truncated(remote_errbuf);
3370 #endif
3371 
3372  /*
3373  * Throw away the rest.
3374  */
3375  (void)rpcap_discard(sockctrl, ssl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf);
3376  }
3377  else if (plen == 0)
3378  {
3379  /* Empty error string. */
3380  remote_errbuf[0] = '\0';
3381  }
3382  else
3383  {
3384  if (sock_recv(sockctrl, ssl, remote_errbuf, plen,
3386  PCAP_ERRBUF_SIZE) == -1)
3387  {
3388  // Network error.
3389  snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3390  return;
3391  }
3392 
3393  /*
3394  * Null-terminate it.
3395  */
3396  remote_errbuf[plen] = '\0';
3397  }
3398 }
3399 
3400 /*
3401  * Discard data from a connection.
3402  * Mostly used to discard wrong-sized messages.
3403  * Returns 0 on success, logs a message and returns -1 on a network
3404  * error.
3405  */
3406 static int rpcap_discard(SOCKET sock, SSL *ssl, uint32 len, char *errbuf)
3407 {
3408  if (len != 0)
3409  {
3410  if (sock_discard(sock, ssl, len, errbuf, PCAP_ERRBUF_SIZE) == -1)
3411  {
3412  // Network error.
3413  return -1;
3414  }
3415  }
3416  return 0;
3417 }
3418 
3419 /*
3420  * Read bytes into the pcap_t's buffer until we have the specified
3421  * number of bytes read or we get an error or interrupt indication.
3422  */
3423 static int rpcap_read_packet_msg(struct pcap_rpcap const *rp, pcap_t *p, size_t size)
3424 {
3425  u_char *bp;
3426  int cc;
3427  int bytes_read;
3428 
3429  bp = p->bp;
3430  cc = p->cc;
3431 
3432  /*
3433  * Loop until we have the amount of data requested or we get
3434  * an error or interrupt.
3435  */
3436  while ((size_t)cc < size)
3437  {
3438  /*
3439  * We haven't read all of the packet header yet.
3440  * Read what remains, which could be all of it.
3441  */
3442  bytes_read = sock_recv(rp->rmt_sockdata, rp->data_ssl, bp, size - cc,
3445 
3446  if (bytes_read == -1)
3447  {
3448  /*
3449  * Network error. Update the read pointer and
3450  * byte count, and return an error indication.
3451  */
3452  p->bp = bp;
3453  p->cc = cc;
3454  return -1;
3455  }
3456  if (bytes_read == -3)
3457  {
3458  /*
3459  * Interrupted receive. Update the read
3460  * pointer and byte count, and return
3461  * an interrupted indication.
3462  */
3463  p->bp = bp;
3464  p->cc = cc;
3465  return -3;
3466  }
3467  if (bytes_read == 0)
3468  {
3469  /*
3470  * EOF - server terminated the connection.
3471  * Update the read pointer and byte count, and
3472  * return an error indication.
3473  */
3475  "The server terminated the connection.");
3476  return -1;
3477  }
3478  bp += bytes_read;
3479  cc += bytes_read;
3480  }
3481  p->bp = bp;
3482  p->cc = cc;
3483  return 0;
3484 }
int pcap_asprintf(char **strp, const char *format,...)
Definition: asprintf.c:91
static void error(const char *,...)
char hostlist[64000+1]
Keeps the list of the hosts that are allowed to connect to this server.
Definition: rpcapd.c:80
void pcap_fmt_errmsg_for_errno(char *errbuf, size_t errbuflen, int errnum, const char *fmt,...)
Definition: fmtutils.c:269
int pcap_compile(pcap_t *p, struct bpf_program *program, const char *buf, int optimize, bpf_u_int32 mask)
Definition: gencode.c:724
void pcap_freecode(struct bpf_program *program)
Definition: gencode.c:900
int install_bpf_program(pcap_t *p, struct bpf_program *fp)
Definition: optimize.c:2939
int snprintf(char *, size_t, const char *,...)
int getsockname(int, struct sockaddr *, int *)
int setsockopt(int, int, int, char *, int)
int getpeername(int, struct sockaddr *, int *)
int accept(int, struct sockaddr *, int *)
int select(int, fd_set *, fd_set *, fd_set *, struct timeval *)
int sscanf(char *, const char *,...)
int getsockopt(int, int, int, char *, int *)
#define _U_
Definition: pcap-dos.h:93
int errno
#define MAXIMUM_SNAPLEN
Definition: pcap-int.h:131
#define PACKET_COUNT_IS_UNLIMITED(count)
Definition: pcap-int.h:444
void pcap_cleanup_live_common(pcap_t *)
Definition: pcap.c:3987
int pcap_createsrcstr_ex(char *, int, const char *, const char *, const char *, unsigned char, char *)
int pcap_parsesrcstr_ex(const char *, int *, char *, char *, char *, unsigned char *, char *)
int pcap_utf_8_mode
Definition: pcap.c:241
#define PCAP_CREATE_COMMON(ebuf, type)
Definition: pcap-int.h:474
int socklen_t
Definition: pcap-linux.c:168
void rpcap_createhdr(struct rpcap_header *header, uint8 type, uint16 value, uint32 length)
#define RPCAP_NETBUF_SIZE
int rpcap_senderror(int sock, char *error, unsigned short errcode, char *errbuf)
static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
Definition: pcap-rpcap.c:1650
static int rpcap_doauth(int sockctrl, void const *ssl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
Definition: pcap-rpcap.c:1913
static void pcap_cleanup_rpcap(pcap_t *fp)
Definition: pcap-rpcap.c:713
static int rpcap_check_msg_type(int sock, void const *, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf)
Definition: pcap-rpcap.c:3214
static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
Definition: pcap-rpcap.c:1616
static int rpcap_setup_session(const char *source, struct pcap_rmtauth *auth, int *activep, int *sockctrlp, uint8 *uses_sslp, void const **sslp, int rmt_flags, uint8 *protocol_versionp, char *host, char *port, char *iface, char *errbuf)
Definition: pcap-rpcap.c:2130
pcap_t * pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
Definition: pcap-rpcap.c:2307
#define NEW_BSD_AF_INET6_FREEBSD_BE
Definition: pcap-rpcap.c:284
static int pcap_setnonblock_rpcap(pcap_t *p, int nonblock)
Definition: pcap-rpcap.c:2122
int pcap_remoteact_accept_ex(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, int uses_ssl, char *errbuf)
Definition: pcap-rpcap.c:2785
static int rpcap_recv(int sock, void const *, void *buffer, size_t toread, uint32 *plen, char *errbuf)
Definition: pcap-rpcap.c:3316
static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
Definition: pcap-rpcap.c:1679
#define PCAP_STATS_STANDARD
Definition: pcap-rpcap.c:75
#define HPUX_AF_INET6
Definition: pcap-rpcap.c:288
static void freeaddr(struct pcap_addr *addr)
Definition: pcap-rpcap.c:2469
static int rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
Definition: pcap-rpcap.c:293
static struct activehosts * activeHosts
Definition: pcap-rpcap.c:100
#define NEW_BSD_AF_INET6_DARWIN_BE
Definition: pcap-rpcap.c:285
static int pcap_getnonblock_rpcap(pcap_t *p)
Definition: pcap-rpcap.c:2114
static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
Definition: pcap-rpcap.c:821
static int rpcap_recv_msg_header(int sock, void const *, struct rpcap_header *header, char *errbuf)
Definition: pcap-rpcap.c:3163
#define PCAP_TEXT_SOURCE_ADAPTER
Definition: pcap-rpcap.c:2462
int pcap_remoteact_close(const char *host, char *errbuf)
Definition: pcap-rpcap.c:2979
#define LINUX_AF_INET6
Definition: pcap-rpcap.c:287
int pcap_findalldevs_ex_remote(const char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
Definition: pcap-rpcap.c:2479
static struct activehosts * rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
Definition: pcap-rpcap.c:994
void pcap_remoteact_cleanup(void)
Definition: pcap-rpcap.c:3094
static int sockmain
Definition: pcap-rpcap.c:108
int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
Definition: pcap-rpcap.c:3116
static struct pcap_stat * rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
Definition: pcap-rpcap.c:884
static void rpcap_msg_err(int sockctrl, void const *, uint32 plen, char *remote_errbuf)
Definition: pcap-rpcap.c:3339
static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
Definition: pcap-rpcap.c:621
int pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
Definition: pcap-rpcap.c:2974
static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
Definition: pcap-rpcap.c:383
static int rpcap_read_packet_msg(struct pcap_rpcap const *, pcap_t *p, size_t size)
Definition: pcap-rpcap.c:3423
#define SOLARIS_AF_INET6
Definition: pcap-rpcap.c:290
#define NEW_BSD_AF_INET_LE
Definition: pcap-rpcap.c:272
static int rpcap_check_msg_ver(int sock, void const *, uint8 expected_ver, struct rpcap_header *header, char *errbuf)
Definition: pcap-rpcap.c:3183
#define NEW_BSD_AF_INET6_BSD_BE
Definition: pcap-rpcap.c:283
#define NEW_BSD_AF_INET6_LE
Definition: pcap-rpcap.c:286
static void const * ssl_main
Definition: pcap-rpcap.c:109
static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
Definition: pcap-rpcap.c:1579
#define NEW_BSD_AF_INET_BE
Definition: pcap-rpcap.c:271
#define PCAP_TEXT_SOURCE_ON_REMOTE_HOST
Definition: pcap-rpcap.c:2465
static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
Definition: pcap-rpcap.c:1508
static int rpcap_process_msg_header(int sock, void const *, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf)
Definition: pcap-rpcap.c:3284
static int rpcap_discard(int sock, void const *, uint32 len, char *errbuf)
Definition: pcap-rpcap.c:3406
static int pcap_startcapture_remote(pcap_t *fp)
Definition: pcap-rpcap.c:1057
#define AIX_AF_INET6
Definition: pcap-rpcap.c:289
static int pcap_setsampling_remote(pcap_t *fp)
Definition: pcap-rpcap.c:1809
#define PCAP_OPENFLAG_NOCAPTURE_RPCAP
Definition: pcap.h:966
#define PCAP_SAMP_NOSAMP
Definition: pcap.h:1132
void(* pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *)
Definition: pcap.h:330
#define PCAP_OPENFLAG_PROMISCUOUS
Definition: pcap.h:938
#define PCAP_ERROR_BREAK
Definition: pcap.h:340
#define RPCAP_RMTAUTH_PWD
Definition: pcap.h:1021
#define PCAP_OPENFLAG_DATATX_UDP
Definition: pcap.h:952
#define PCAP_BUF_SIZE
Definition: pcap.h:869
#define PCAP_ERRBUF_SIZE
Definition: pcap.h:152
#define RPCAP_RMTAUTH_NULL
Definition: pcap.h:1007
#define RPCAP_HOSTLIST_SIZE
Definition: pcap.h:1193
#define PCAP_SRC_IFREMOTE
Definition: pcap.h:876
void pcap_freealldevs(pcap_if_t *alldevs)
Definition: pcap.c:1431
void pcap_close(pcap_t *p)
Definition: pcap.c:4065
const char * rpcap_msg_type_string(uint8 type)
#define PCAP_ERR_REMOTEACCEPT
unsigned short uint16
#define RPCAP_MSG_STARTCAP_REQ
#define RPCAP_STARTCAPREQ_FLAG_SERVEROPEN
unsigned int uint32
#define RPCAP_AF_INET
#define RPCAP_MSG_STATS_REQ
#define RPCAP_MSG_SETSAMPLING_REQ
#define RPCAP_STARTCAPREQ_FLAG_PROMISC
#define RPCAP_STARTCAPREQ_FLAG_DGRAM
#define RPCAP_DEFAULT_NETPORT_ACTIVE
#define RPCAP_MAX_VERSION
int int32
#define RPCAP_AF_INET6
#define RPCAP_MIN_VERSION
#define RPCAP_MSG_IS_REPLY
#define RPCAP_MSG_UPDATEFILTER_REQ
#define RPCAP_MSG_AUTH_REQ
#define RPCAP_HOSTLIST_SEP
#define RPCAP_MSG_PACKET
#define RPCAP_MSG_CLOSE
#define RPCAP_MSG_FINDALLIF_REQ
#define RPCAP_UPDATEFILTER_BPF
#define RPCAP_MSG_OPEN_REQ
#define RPCAP_MSG_ENDCAP_REQ
#define RPCAP_DEFAULT_NETPORT
unsigned char uint8
#define RPCAP_MSG_ERROR
static char address[2048+1]
keeps the network address (either numeric or literal) to bind to
Definition: rpcapd.c:87
static int uses_ssl
'1' to use TLS over the data socket
Definition: rpcapd.c:94
static char port[2048+1]
keeps the network port to bind to
Definition: rpcapd.c:88
#define INVALID_SOCKET
In Winsock, the error return if socket() fails is INVALID_SOCKET; in UN*X, it's -1....
Definition: socket.h:80
#define SOCKET
In Winsock, a socket handle is of type SOCKET; in UN*X, it's a file descriptor, and therefore a signe...
Definition: socket.h:70
int sock_discard(int sock, void const *ssl, int size, char *errbuf, int errbuflen)
Definition: sockutils.c:1256
int sock_check_hostlist(char *hostlist, const char *sep, struct sockaddr_storage *from, char *errbuf, int errbuflen)
Definition: sockutils.c:1319
void sock_geterror(const char *caller, char *errbuf, int errbuflen)
Definition: sockutils.c:184
int sock_recv_dgram(int sock, void const *ssl, void *buffer, size_t size, char *errbuf, int errbuflen)
Definition: sockutils.c:1109
int sock_initaddress(const char *host, const char *port, struct addrinfo *hints, struct addrinfo **addrinfo, char *errbuf, int errbuflen)
Definition: sockutils.c:718
int sock_bufferize(const char *buffer, int size, char *tempbuf, int *offset, int totsize, int checkonly, char *errbuf, int errbuflen)
Definition: sockutils.c:939
int sock_close(int sock, char *errbuf, int errbuflen)
Definition: sockutils.c:510
int sock_send(int sock, void const *ssl, const char *buffer, size_t size, char *errbuf, int errbuflen)
Definition: sockutils.c:799
int sock_recv(int sock, void const *ssl, void *buffer, size_t size, int flags, char *errbuf, int errbuflen)
Definition: sockutils.c:1002
int sock_open(struct addrinfo *addrinfo, int server, int nconn, char *errbuf, int errbuflen)
Definition: sockutils.c:315
int sock_cmpaddr(struct sockaddr_storage *first, struct sockaddr_storage *second)
Definition: sockutils.c:1449
int sock_init(char *errbuf, int errbuflen)
Definition: sockutils.c:235
int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen)
Definition: sockutils.c:1579
void sock_cleanup(void)
Definition: sockutils.c:253
#define SOCKOPEN_CLIENT
Definition: sockutils.h:96
#define closesocket(a)
In Winsock, the close() call cannot be used on a socket; closesocket() must be used....
Definition: sockutils.h:52
#define SOCKOPEN_SERVER
Definition: sockutils.h:98
#define SOCKBUF_CHECKONLY
Definition: sockutils.h:91
#define SOCK_RECEIVEALL_NO
Definition: sockutils.h:103
#define SOCK_RECEIVEALL_YES
Definition: sockutils.h:104
#define SOCKBUF_BUFFERIZE
Definition: sockutils.h:93
#define SOCK_EOF_IS_ERROR
Definition: sockutils.h:107
#define SSL
Definition: sslutils.h:59
size_t pcap_strlcat(char *restrict dst, const char *restrict src, size_t dsize)
Definition: strlcat.c:36
int sockctrl
Definition: pcap-rpcap.c:93
struct sockaddr_storage host
Definition: pcap-rpcap.c:92
uint8 protocol_version
Definition: pcap-rpcap.c:95
void const * ssl
Definition: pcap-rpcap.c:94
struct activehosts * next
Definition: pcap-rpcap.c:96
Definition: bpf.h:245
bpf_u_int32 k
Definition: bpf.h:249
u_short code
Definition: bpf.h:246
u_char jf
Definition: bpf.h:248
u_char jt
Definition: bpf.h:247
struct bpf_insn * bf_insns
Definition: bpf.h:119
u_int bf_len
Definition: bpf.h:118
struct pcap_addr * next
Definition: pcap.h:323
struct sockaddr * addr
Definition: pcap.h:324
struct sockaddr * netmask
Definition: pcap.h:325
struct sockaddr * dstaddr
Definition: pcap.h:327
struct sockaddr * broadaddr
Definition: pcap.h:326
Definition: pcap.h:301
char * name
Definition: pcap.h:303
bpf_u_int32 flags
Definition: pcap.h:306
struct pcap_if * next
Definition: pcap.h:302
char * description
Definition: pcap.h:304
struct pcap_addr * addresses
Definition: pcap.h:305
int timeout
Definition: pcap-int.h:147
char * device
Definition: pcap-int.h:146
bpf_u_int32 caplen
Definition: pcap.h:247
struct timeval ts
Definition: pcap.h:246
bpf_u_int32 len
Definition: pcap.h:248
char * password
Definition: pcap.h:1062
char * username
Definition: pcap.h:1054
int type
Definition: pcap.h:1046
int rmt_sockctrl
Definition: pcap-rpcap.c:122
int rmt_flags
Definition: pcap-rpcap.c:125
void const * ctrl_ssl
Definition: pcap-rpcap.c:124
char * currentfilter
Definition: pcap-rpcap.c:127
int rmt_sockdata
Definition: pcap-rpcap.c:123
unsigned int TotNetDrops
Definition: pcap-rpcap.c:132
void const * data_ssl
Definition: pcap-rpcap.c:124
int rmt_clientside
Definition: pcap-rpcap.c:120
struct pcap * next
Definition: pcap-rpcap.c:154
unsigned int TotCapt
Definition: pcap-rpcap.c:150
int rmt_capstarted
Definition: pcap-rpcap.c:126
uint8 uses_ssl
Definition: pcap-rpcap.c:130
uint8 protocol_version
Definition: pcap-rpcap.c:129
struct pcap_stat stat
Definition: pcap-rpcap.c:152
u_int ps_drop
Definition: pcap.h:256
u_int ps_recv
Definition: pcap.h:255
u_int ps_ifdrop
Definition: pcap.h:257
Definition: pcap-int.h:200
stats_op_t stats_op
Definition: pcap-int.h:320
setnonblock_op_t setnonblock_op
Definition: pcap-int.h:319
setfilter_op_t setfilter_op
Definition: pcap-int.h:315
sig_atomic_t break_loop
Definition: pcap-int.h:225
u_int bufsize
Definition: pcap-int.h:220
void * priv
Definition: pcap-int.h:227
getnonblock_op_t getnonblock_op
Definition: pcap-int.h:318
read_op_t read_op
Definition: pcap-int.h:204
void * buffer
Definition: pcap-int.h:221
u_char * bp
Definition: pcap-int.h:222
int snapshot
Definition: pcap-int.h:247
save_current_filter_op_t save_current_filter_op
Definition: pcap-int.h:314
cleanup_op_t cleanup_op
Definition: pcap-int.h:346
int cc
Definition: pcap-int.h:223
struct bpf_program fcode
Definition: pcap-int.h:293
char errbuf[256+1]
Definition: pcap-int.h:295
int linktype
Definition: pcap-int.h:248
int activated
Definition: pcap-int.h:251
struct pcap_opt opt
Definition: pcap-int.h:254
struct rpcap_sockaddr netmask
struct rpcap_sockaddr broadaddr
struct rpcap_sockaddr addr
struct rpcap_sockaddr dstaddr
uint32 timestamp_usec
uint32 timestamp_sec