| blob | 1c74cba944f696a91baa0b1daa998c2fecfb9dda |
1 /* iface_monitor.c
2 * interface monitor by Pontus Fuchs <pontus.fuchs@gmail.com>
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
14 #ifdef HAVE_LIBPCAP
16 #if defined(HAVE_LIBNL)
18 /*
19 * Linux with libnl.
20 *
21 * Use Netlink to get indications of new/removed intrfaces.
22 */
24 #include <stdio.h>
25 #include <string.h>
26 #include <errno.h>
28 DIAG_OFF_PEDANTIC
29 #include <netlink/msg.h>
30 DIAG_ON_PEDANTIC
31 #include <netlink/attr.h>
32 DIAG_OFF_PEDANTIC
33 #include <netlink/route/link.h>
34 DIAG_ON_PEDANTIC
36 #ifndef IFF_UP
37 /*
38 * Apparently, some versions of libnl drag in headers that define IFF_UP
39 * and others don't. Include <net/if.h> iff IFF_UP isn't already defined,
40 * so that if <linux/if.h> has been included by some or all of the
41 * netlink headers, we don't include <net/if.h> and get a bunch of
42 * complaints about various structures being redefined.
43 */
44 #include <net/if.h>
45 #endif
47 /* libnl 1.x compatibility code */
48 #ifdef HAVE_LIBNL1
49 #define nl_sock nl_handle
50 #define nl_socket_disable_seq_check nl_disable_sequence_check
53 {
55 }
58 {
60 }
65 static void
67 {
78 }
83 }
89 /*
90 * You can't bind a PF_PACKET socket to an interface that's not
91 * up, so an interface going down is an "interface should be
92 * removed" indication.
93 *
94 * XXX - what indication, if any, do we get if the interface
95 * *completely goes away*?
96 *
97 * XXX - can we get events if an interface's link-layer or
98 * network addresses change?
99 */
102 #ifdef HAVE_LIBNL1
104 #else
115 /* Ignore other events */
117 }
118 #endif
123 }
125 static int
127 {
130 }
132 void
134 {
136 }
138 int
140 {
142 }
144 int
146 {
153 }
163 }
169 out_handle_destroy:
172 }
174 void
176 {
180 }
182 void
184 {
192 }
193 }
195 #elif defined(__APPLE__)
197 /*
198 * macOS.
199 *
200 * Use a PF_SYSTEM socket to get indications of new/removed intrfaces.
201 */
203 #include <stddef.h>
204 #include <stdio.h>
205 #include <errno.h>
206 #include <unistd.h>
208 #include <sys/socket.h>
209 #include <sys/ioctl.h>
210 #include <sys/types.h>
211 #include <net/if.h>
212 #include <sys/kern_event.h>
214 #include <glib.h>
219 int
221 {
225 /* Create a socket of type PF_SYSTEM to listen for events. */
230 /*
231 * Ask for DLIL messages.
232 *
233 * XXX - also ask for KEV_INET_SUBCLASS and KEV_INET6_SUBCLASS,
234 * to detect new or changed network addresses, so those can be
235 * updated as well? Can we specify multiple filters on a socket,
236 * or must we specify KEV_ANY_SUBCLASS and filter the events after
237 * receiving them?
238 */
246 }
250 }
252 void
254 {
256 }
258 int
260 {
262 }
264 /*
265 * Size of buffer for kernel network event.
266 */
267 #define NET_EVENT_DATA_SIZE (KEV_MSG_HEADER_SIZE + sizeof (struct net_event_data))
269 void
271 {
273 ssize_t received;
281 /* Error - ignore. */
283 }
285 /* Short read - ignore. */
287 }
291 /* Length of the message is bogus. */
293 }
297 /*
298 * Check type of event.
299 *
300 * Note: if we also ask for KEV_INET_SUBCLASS, we will get
301 * events with keys
302 *
303 * KEV_INET_NEW_ADDR
304 * KEV_INET_CHANGED_ADDR
305 * KEV_INET_CHANGED_ADDR
306 * KEV_INET_SIFDSTADDR
307 * KEV_INET_SIFBRDADDR
308 * KEV_INET_SIFNETMASK
309 *
310 * reflecting network address changes, with the data being a
311 * struct kev_in_data rather than struct net_event_data, and
312 * if we also ask for KEV_INET6_SUBCLASS, we will get events
313 * with keys
314 *
315 * KEV_INET6_NEW_LL_ADDR
316 * KEV_INET6_NEW_USER_ADDR
317 * KEV_INET6_NEW_RTADV_ADDR
318 * KEV_INET6_ADDR_DELETED
319 *
320 * with the data being a struct kev_in6_data.
321 */
325 /*
326 * A new interface has arrived.
327 *
328 * XXX - what we really want is "a new BPFable interface
329 * has arrived", but that's not available. While we're
330 * asking for additional help from BPF, it'd also be
331 * nice if we could ask it for a list of all interfaces
332 * that have had bpfattach()/bpf_attach() done on them,
333 * so we don't have to try to open the device in order
334 * to see whether we should show it as something on
335 * which we can capture.
336 */
341 /*
342 * An existing interface has been removed.
343 *
344 * XXX - use KEV_DL_IF_DETACHING instead, as that's
345 * called shortly after bpfdetach() is called, and
346 * bpfdetach() makes an interface no longer BPFable,
347 * and that's what we *really* care about.
348 */
353 /*
354 * Is there any reason to care about:
355 *
356 * KEV_DL_LINK_ON
357 * KEV_DL_LINK_OFF
358 * KEV_DL_SIFFLAGS
359 * KEV_DL_LINK_ADDRESS_CHANGED
360 * KEV_DL_IFCAP_CHANGED
361 *
362 * or any of the other events? On Snow Leopard and, I think,
363 * earlier releases, you can't attach a BPF device to an
364 * interface that's not up, so KEV_DL_SIFFLAGS might be
365 * worth listening to so that we only say "here's a new
366 * interface" when it goes up; on Lion (and possibly Mountain
367 * Lion), an interface doesn't have to be up in order to
368 * have a BPF device attached to it.
369 */
371 }
372 }
374 void
376 {
377 }
379 #elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
381 /*
382 * FreeBSD, NetBSD, OpenBSD, DragonFly BSD.
383 *
384 * Use a PF_ROUTE socket to get indications of new/removed intrfaces.
385 */
386 #include <stdio.h>
387 #include <stdlib.h>
388 #include <string.h>
389 #include <errno.h>
390 #include <unistd.h>
392 #include <sys/types.h>
393 #include <sys/socket.h>
394 #include <net/if.h>
395 #include <net/route.h>
396 #include <net/if_dl.h>
398 #include <netinet/in.h>
399 #include <netinet/in_var.h>
404 int
406 {
407 #ifdef RO_MSGFILTER
409 RTM_IFANNOUNCE,
410 };
411 #endif
413 /* Create a socket of type PF_ROUTE to listen for events. */
418 #ifdef RO_MSGFILTER
419 /*
420 * This OS supports filtering PF_ROUTE sockets for specific
421 * events; we only want interface announcement events.
422 *
423 * If this fails, we just live with extra events that we ignore,
424 * which we also do on platforms that don't support filtering.
425 */
427 #endif
428 #ifdef SO_RERROR
429 /*
430 * This OS supports getting error reports from recvmsg() if a
431 * receive buffer overflow occurs. If that happens, it means
432 * that we may have lost interface reports, so we should
433 * probably just refetch all interface data.
434 *
435 * If we can't get those error reports, we're out of luck.
436 */
439 #endif
443 }
445 void
447 {
449 }
451 int
453 {
455 }
457 void
459 {
468 ssize_t received;
480 /*
481 * Receive buffer overflow. Keep reading,
482 * to get any messages in the socket buffer.
483 *
484 * XXX - that means we may have lost indications;
485 * should there be a callback that indicates that
486 * all interface data should be refreshed?
487 */
490 /*
491 * Other error - just ignore.
492 */
494 }
495 }
497 /*
498 * We've seen a message.
499 */
501 }
503 /*
504 * XXX - should we check received, to make sure it's large
505 * enough?
506 */
516 /*
517 * A new interface has arrived.
518 *
519 * XXX - see comment about interface arrivals in the
520 * macOS section; it applies here as well.
521 */
526 /*
527 * An existing interface has been removed.
528 */
533 /*
534 * Ignore other notifications.
535 */
537 }
541 /*
542 * Ignore other messages.
543 */
545 }
546 }
547 }
549 void
551 {
552 }
556 int
558 {
560 }
562 void
564 {
565 }
567 int
569 {
571 }
573 void
575 {
576 }
578 void
580 {
581 }
587 /*
588 * Editor modelines - https://www.wireshark.org/tools/modelines.html
589 *
590 * Local variables:
591 * c-basic-offset: 4
592 * tab-width: 8
593 * indent-tabs-mode: nil
594 * End:
595 *
596 * vi: set shiftwidth=4 tabstop=8 expandtab:
597 * :indentSize=4:tabSize=8:noTabs=true:
598 */