| blob | 2131ad683c0c6c966356716fe7581c1792ef37a9 |
1 /* capture.c
2 * Routines for packet capture
3 *
4 * $Id$
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
27 #ifdef HAVE_LIBPCAP
29 #ifdef HAVE_UNISTD_H
30 #include <unistd.h>
31 #endif
33 #include <stdio.h>
34 #include <string.h>
36 #include <glib.h>
38 #include <epan/packet.h>
39 #include <epan/dfilter/dfilter.h>
48 #include <epan/prefs.h>
50 #ifdef _WIN32
52 #endif
69 };
71 /* this callback mechanism should possibly be replaced by the g_signal_...() stuff (if I only would know how :-) */
73 capture_callback_t cb_fct;
74 gpointer user_data;
79 static void
81 {
85 /* there should be at least one interested */
92 }
93 }
96 void
98 {
106 }
108 void
110 {
120 }
122 }
125 }
127 /**
128 * Start a capture.
129 *
130 * @return TRUE if the capture starts successfully, FALSE otherwise.
131 */
132 gboolean
133 capture_start(capture_options *capture_opts, capture_session *cap_session, void(*update_cb)(void))
134 {
135 gboolean ret;
136 guint i;
141 #ifdef _WIN32
143 #else
145 #endif
147 interface_options interface_opts;
153 }
157 }
158 }
163 }
164 }
167 }
170 /* try to start the capture child process */
176 }
181 /* the capture child might not respond shortly after bringing it up */
182 /* (for example: it will block if no input arrives from an input capture pipe (e.g. mkfifo)) */
184 /* to prevent problems, bring the main GUI into "capture mode" right after a successful */
185 /* spawn/exec of the capture child, without waiting for any response from it */
190 }
193 }
196 void
198 {
203 /* stop the capture child gracefully */
205 }
208 void
210 {
217 }
220 void
222 {
225 /* kill the capture child */
227 }
229 /* We've succeeded in doing a (non real-time) capture; try to read it into a new capture file */
230 static gboolean
233 {
237 /* Capture succeeded; attempt to open the capture file. */
238 if (cf_open((capture_file *)cap_session->cf, capture_opts->save_file, is_tempfile, &err) != CF_OK) {
239 /* We're not doing a capture any more, so we don't have a save file. */
241 }
243 /* Set the read filter to NULL. */
244 /* XXX - this is odd here; try to put it somewhere where it fits better */
247 /* Get the packet-drop statistics.
249 XXX - there are currently no packet-drop statistics stored
250 in libpcap captures, and that's what we're reading.
252 At some point, we will add support in Wiretap to return
253 packet-drop statistics for capture file formats that store it,
254 and will make "cf_read()" get those statistics from Wiretap.
255 We clear the statistics (marking them as "not known") in
256 "cf_open()", and "cf_read()" will only fetch them and mark
257 them as known if Wiretap supplies them, so if we get the
258 statistics now, after calling "cf_open()" but before calling
259 "cf_read()", the values we store will be used by "cf_read()".
261 If a future libpcap capture file format stores the statistics,
262 we'll put them into the capture file that we write, and will
263 thus not have to set them here - "cf_read()" will get them from
264 the file and use them. */
268 /* XXX - on some systems, libpcap doesn't bother filling in
269 "ps_ifdrop" - it doesn't even set it to zero - so we don't
270 bother looking at it.
272 Ideally, libpcap would have an interface that gave us
273 several statistics - perhaps including various interface
274 error statistics - and would tell us which of them it
275 supplies, allowing us to display only the ones it does. */
277 }
279 /* read in the packet data */
284 /* Just because we got an error, that doesn't mean we were unable
285 to read any of the file; we handle what we could get from the
286 file. */
290 /* User wants to quit program. Exit by leaving the main loop,
291 so that any quit functions we registered get called. */
294 }
296 /* if we didn't capture even a single packet, close the file again */
306 " http://wiki.wireshark.org/CaptureSetup"
307 #ifdef _WIN32
310 "Try to switch off promiscuous mode in the Capture Options!"
311 #endif
316 }
318 }
321 /* capture child tells us we have a new (or the first) capture file */
322 gboolean
324 {
326 gboolean is_tempfile;
331 }
336 /* free the old filename */
338 /* we start a new capture file, close the old one (if we had one before). */
339 /* (we can only have an open capture file in real_time_mode!) */
347 }
348 }
353 /* we didn't have a save_file before; must be a tempfile */
356 }
358 /* save the new filename */
361 /* if we are in real-time mode, open the new file now */
363 /* Attempt to open the capture file and set up to read from it. */
368 /* Don't unlink (delete) the save file - leave it around,
369 for debugging purposes. */
373 }
376 }
381 }
387 }
391 }
394 /* capture child tells us we have new packets to read */
395 void
397 {
404 /* Read from the capture file the number of records the child told us it added. */
409 /* Just because we got an error, that doesn't mean we were unable
410 to read any of the file; we handle what we could get from the
411 file.
413 XXX - abort on a read error? */
418 /* Kill the child capture process; the user wants to exit, and we
419 shouldn't just leave it running. */
422 }
424 /* increase the capture file packet counter by the number of incoming packets */
430 }
432 /* update the main window so we get events (e.g. from the stop toolbar button) */
433 /* This causes a hang on Windows (see bug 7305). Do we need this on any platform? */
434 #ifndef _WIN32
436 #endif
440 }
443 /* Capture child told us how many dropped packets it counted.
444 */
445 void
447 {
448 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_INFO, "%u packet%s dropped", dropped, plurality(dropped, "", "s"));
454 }
457 /* Capture child told us that an error has occurred while starting/running
458 the capture.
459 The buffer we're handed has *two* null-terminated strings in it - a
460 primary message and a secondary message, one right after the other.
461 The secondary message might be a null string.
462 */
463 void
466 {
477 /* We have both primary and secondary messages. */
484 /* We have only a primary message. */
488 }
491 /* the capture child will close the sync_pipe if required, nothing to do for now */
492 }
494 /* Capture child told us that an error has occurred while parsing a
495 capture filter when starting/running the capture.
496 */
497 void
500 {
506 interface_options interface_opts;
508 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture filter error message from child: \"%s\"", error_message);
517 /* Did the user try a display filter? */
540 }
545 /* the capture child will close the sync_pipe if required, nothing to do for now */
546 }
548 /* capture child closed its side of the pipe, do the required cleanup */
549 void
551 {
563 /* We didn't start a capture; note that the attempt to start it
564 failed. */
567 /* We started a capture; process what's left of the capture file if
568 we were in "update list of packets in real time" mode, or process
569 all of it if we weren't. */
571 cf_read_status_t status;
573 /* Read what remains of the capture file. */
576 /* XXX: If -Q (quit-after-cap) then cf->count clr'd below so save it first */
578 /* Tell the GUI we are not doing a capture any more.
579 Must be done after the cf_finish_tail(), so file lengths are
580 correctly displayed */
583 /* Finish the capture. */
596 " http://wiki.wireshark.org/CaptureSetup"
597 #ifdef _WIN32
600 "Try to switch off promiscuous mode in the Capture Options!"
601 #endif
606 }
609 /* Just because we got an error, that doesn't mean we were unable
610 to read any of the file; we handle what we could get from the
611 file. */
615 /* Exit by leaving the main loop, so that any quit functions
616 we registered get called. */
619 }
621 /* first of all, we are not doing a capture any more */
624 /* this is a normal mode capture and if no error happened, read in the capture file data */
627 cf_get_drops_known((capture_file *)cap_session->cf), cf_get_drops((capture_file *)cap_session->cf));
628 }
629 }
630 }
637 /* if we couldn't open a capture file, there's nothing more for us to do */
641 }
643 /* does the user wants to restart the current capture? */
649 /* If we have a ring buffer, the original save file has been overwritten
650 with the "ring filename". Restore it before starting again */
654 }
656 /* if it was a tempfile, throw away the old filename (so it will become a tempfile again) */
660 }
662 /* ... and start the capture again */
665 }
667 /* close the currently loaded capture file */
670 capture_start(capture_opts, cap_session,NULL); /*XXX is this NULL ok or we need an update_cb???*/
672 /* We're not doing a capture any more, so we don't have a save file. */
675 }
676 }
678 if_stat_cache_t *
684 guint i;
685 interface_t device;
687 /* Fire up dumpcap. */
688 /*
689 * XXX - on systems with BPF, the number of BPF devices limits the
690 * number of devices on which you can capture simultaneously.
691 *
692 * This means that
693 *
694 * 1) this might fail if you run out of BPF devices
695 *
696 * and
697 *
698 * 2) opening every interface could leave too few BPF devices
699 * for *other* programs.
700 *
701 * It also means the system could end up getting a lot of traffic
702 * that it has to pass through the networking stack and capture
703 * mechanism, so opening all the devices and presenting packet
704 * counts might not always be a good idea.
705 */
712 /* Initialize the cache */
719 }
720 }
721 }
723 }
725 #define MAX_STAT_LINE_LEN 500
727 static void
744 }
750 }
751 }
753 }
754 }
756 gboolean
763 }
771 }
772 }
774 }
776 void
788 /* XXX - report failure? */
790 }
796 }
798 }