See CHANGES for the details.
+Friday March 30, 2012. mcr@sandelman.ca
+Summary for 1.3.0 libpcap release
+ Handle DLT_PFSYNC in {FreeBSD, other *BSD+Mac OS X, other}.
+ Linux: Don't fail if netfilter isn't enabled in the kernel.
+ Add new link-layer type for NFC Forum LLCP.
+ Put the CANUSB stuff into EXTRA_DIST, so it shows up in the release tarball.
+ Add LINKTYPE_NG40/DLT_NG40.
+ Add DLT_MPEG_2_TS/LINKTYPE_MPEG_2_TS for MPEG-2 transport streams.
+ [PATCH] Fix AIX-3.5 crash with read failure during stress
+ AIX fixes.
+ Introduce --disable-shared configure option.
+ Added initial support for canusb devices.
+ Include the pcap(3PCAP) additions as 1.2.1 changes.
+ many updates to documentation: pcap.3pcap.in
+ Improve 'inbound'/'outbound' capture filters under Linux.
+ Note the cleanup of handling of new DLT_/LINKTYPE_ values.
+ On Lion, don't build for PPC.
+ For mac80211 devices we need to clean up monitor mode on exit.
+
Friday December 9, 2011. guy@alum.mit.edu.
Summary for 1.2.1 libpcap release
Update README file.
pcap-bt-linux.h
pcap-can-linux.c
pcap-can-linux.h
+pcap-canusb-linux.c
+pcap-canusb-linux.h
pcap-config.1
pcap-config.in
pcap-dag.c
#include "pcap/sll.h"
#include "pcap/ipnet.h"
#include "arcnet.h"
+#if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
+#include <linux/types.h>
+#include <linux/if_packet.h>
+#include <linux/filter.h>
+#endif
#ifdef HAVE_NET_PFVAR_H
#include <sys/socket.h>
#include <net/if.h>
{
extern int n_errors;
const char * volatile xbuf = buf;
- int len;
+ u_int len;
no_optimize = 0;
n_errors = 0;
off_nl_nosnap = -1;
return;
-#ifdef DLT_PFSYNC
case DLT_PFSYNC:
off_linktype = -1;
off_macpl = 4;
off_nl = 0;
off_nl_nosnap = 0;
return;
-#endif
case DLT_AX25_KISS:
/*
case DLT_ERF:
bpf_error("ERF link-layer type filtering not implemented");
-#ifdef DLT_PFSYNC
case DLT_PFSYNC:
bpf_error("PFSYNC link-layer type filtering not implemented");
-#endif
case DLT_LINUX_LAPD:
bpf_error("LAPD link-layer type filtering not implemented");
int dir;
{
struct block *b0, *b1;
+#ifdef INET6
+#ifndef CHASE_CHAIN
+ struct block *b2;
+#endif
+#endif
if (dir != Q_DEFAULT)
bpf_error("direction applied to 'proto'");
case Q_IPV6:
b0 = gen_linktype(ETHERTYPE_IPV6);
#ifndef CHASE_CHAIN
- b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
+ /*
+ * Also check for a fragment header before the final
+ * header.
+ */
+ b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT);
+ b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v);
+ gen_and(b2, b1);
+ b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
+ gen_or(b2, b1);
#else
b1 = gen_protochain(v, Q_IPV6);
#endif
}
/*
- * generate command for inbound/outbound. It's here so we can
- * make it link-type specific. 'dir' = 0 implies "inbound",
- * = 1 implies "outbound".
+ * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
+ * Outbound traffic is sent by this machine, while inbound traffic is
+ * sent by a remote machine (and may include packets destined for a
+ * unicast or multicast link-layer address we are not subscribing to).
+ * These are the same definitions implemented by pcap_setdirection().
+ * Capturing only unicast traffic destined for this host is probably
+ * better accomplished using a higher-layer filter.
*/
struct block *
gen_inbound(dir)
break;
case DLT_LINUX_SLL:
- if (dir) {
- /*
- * Match packets sent by this machine.
- */
- b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
- } else {
- /*
- * Match packets sent to this machine.
- * (No broadcast or multicast packets, or
- * packets sent to some other machine and
- * received promiscuously.)
- *
- * XXX - packets sent to other machines probably
- * shouldn't be matched, but what about broadcast
- * or multicast packets we received?
- */
- b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
+ /* match outgoing packets */
+ b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
+ if (!dir) {
+ /* to filter on inbound traffic, invert the match */
+ gen_not(b0);
}
break;
break;
default:
+ /*
+ * If we have packet meta-data indicating a direction,
+ * check it, otherwise give up as this link-layer type
+ * has nothing in the packet data.
+ */
+#if defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
+ /*
+ * We infer that this is Linux with PF_PACKET support.
+ * If this is a *live* capture, we can look at
+ * special meta-data in the filter expression;
+ * if it's a savefile, we can't.
+ */
+ if (bpf_pcap->sf.rfile != NULL) {
+ /* We have a FILE *, so this is a savefile */
+ bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
+ linktype);
+ b0 = NULL;
+ /* NOTREACHED */
+ }
+ /* match outgoing packets */
+ b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
+ PACKET_OUTGOING);
+ if (!dir) {
+ /* to filter on inbound traffic, invert the match */
+ gen_not(b0);
+ }
+#else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
bpf_error("inbound/outbound not supported on linktype %d",
linktype);
b0 = NULL;
/* NOTREACHED */
+#endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
}
return (b0);
}
struct slist *stmts; /* side effect stmts */
struct stmt s; /* branch stmt */
int mark;
- int longjt; /* jt branch requires long jump */
- int longjf; /* jf branch requires long jump */
+ u_int longjt; /* jt branch requires long jump */
+ u_int longjf; /* jf branch requires long jump */
int level;
int offset;
int sense;
void finish_parse(struct block *);
char *sdup(const char *);
-struct bpf_insn *icode_to_fcode(struct block *, int *);
+struct bpf_insn *icode_to_fcode(struct block *, u_int *);
int pcap_parse(void);
void lex_init(const char *);
void lex_cleanup(void);
static void opt_deadstores(struct block *);
static struct block *fold_edge(struct block *, struct edge *);
static inline int eq_blk(struct block *, struct block *);
-static int slength(struct slist *);
+static u_int slength(struct slist *);
static int count_blocks(struct block *);
static void number_blks_r(struct block *);
-static int count_stmts(struct block *);
+static u_int count_stmts(struct block *);
static int convert_code_r(struct block *);
#ifdef BDEBUG
static void opt_dump(struct block *);
/*
* Return the number of stmts in 's'.
*/
-static int
+static u_int
slength(s)
struct slist *s;
{
- int n = 0;
+ u_int n = 0;
for (; s; s = s->next)
if (s->s.code != NOP)
*
* an extra long jump if the false branch requires it (p->longjf).
*/
-static int
+static u_int
count_stmts(p)
struct block *p;
{
- int n;
+ u_int n;
if (p == 0 || isMarked(p))
return 0;
struct bpf_insn *
icode_to_fcode(root, lenp)
struct block *root;
- int *lenp;
+ u_int *lenp;
{
- int n;
+ u_int n;
struct bpf_insn *fp;
/*
#endif /* BIOCGDLTLIST */
+#if defined(sun) && defined(LIFNAMSIZ) && defined(lifr_zoneid)
+#include <zone.h>
+#endif
+
/*
* We include the OS's <net/bpf.h>, not our "pcap/bpf.h", so we probably
* don't get DLT_DOCSIS defined.
* Default capture buffer size.
* 32K isn't very much for modern machines with fast networks; we
* pick .5M, as that's the maximum on at least some systems with BPF.
+ *
+ * However, on AIX 3.5, the larger buffer sized caused unrecoverable
+ * read failures under stress, so we leave it as 32K; yet another
+ * place where AIX's BPF is broken.
*/
+#ifdef _AIX
+#define DEFAULT_BUFSIZE 32768
+#else
#define DEFAULT_BUFSIZE 524288
+#endif
static int
pcap_activate_bpf(pcap_t *p)
int status = 0;
int fd;
#ifdef LIFNAMSIZ
+ char *zonesep;
struct lifreq ifr;
char *ifrname = ifr.lifr_name;
const size_t ifnamsiz = sizeof(ifr.lifr_name);
goto bad;
}
+#if defined(LIFNAMSIZ) && defined(ZONENAME_MAX) && defined(lifr_zoneid)
+ /*
+ * Check if the given source network device has a '/' separated
+ * zonename prefix string. The zonename prefixed source device
+ * can be used by libpcap consumers to capture network traffic
+ * in non-global zones from the global zone on Solaris 11 and
+ * above. If the zonename prefix is present then we strip the
+ * prefix and pass the zone ID as part of lifr_zoneid.
+ */
+ if ((zonesep = strchr(p->opt.source, '/')) != NULL) {
+ char zonename[ZONENAME_MAX];
+ int znamelen;
+ char *lnamep;
+
+ znamelen = zonesep - p->opt.source;
+ (void) strlcpy(zonename, p->opt.source, znamelen + 1);
+ lnamep = strdup(zonesep + 1);
+ ifr.lifr_zoneid = getzoneidbyname(zonename);
+ free(p->opt.source);
+ p->opt.source = lnamep;
+ }
+#endif
+
p->md.device = strdup(p->opt.source);
if (p->md.device == NULL) {
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "strdup: %s",
#define LINKTYPE_AX25 DLT_AX25
#define LINKTYPE_PRONET DLT_PRONET
#define LINKTYPE_CHAOS DLT_CHAOS
-#define LINKTYPE_TOKEN_RING DLT_IEEE802 /* DLT_IEEE802 is used for Token Ring */
+#define LINKTYPE_IEEE802_5 DLT_IEEE802 /* DLT_IEEE802 is used for 802.5 Token Ring */
#define LINKTYPE_ARCNET_BSD DLT_ARCNET /* BSD-style headers */
#define LINKTYPE_SLIP DLT_SLIP
#define LINKTYPE_PPP DLT_PPP
#define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */
#define LINKTYPE_CISCO_IOS 118 /* For Cisco-internal use */
-#define LINKTYPE_PRISM_HEADER 119 /* 802.11+Prism II monitor mode */
-#define LINKTYPE_AIRONET_HEADER 120 /* FreeBSD Aironet driver stuff */
+#define LINKTYPE_IEEE802_11_PRISM 119 /* 802.11 plus Prism II monitor mode radio metadata header */
+#define LINKTYPE_IEEE802_11_AIRONET 120 /* 802.11 plus FreeBSD Aironet driver radio metadata header */
/*
* Reserved for Siemens HiPath HDLC.
#define LINKTYPE_PCI_EXP 125 /* PCI Express */
#define LINKTYPE_AURORA 126 /* Xilinx Aurora link layer */
-#define LINKTYPE_IEEE802_11_RADIO 127 /* 802.11 plus BSD radio header */
+#define LINKTYPE_IEEE802_11_RADIOTAP 127 /* 802.11 plus radiotap radio metadata header */
/*
* Reserved for the TZSP encapsulation, as per request from
* including radio information:
*
* http://www.shaftnet.org/~pizza/software/capturefrm.txt
- *
- * but could and arguably should also be used by non-AVS Linux
- * 802.11 drivers; that may happen in the future.
*/
-#define LINKTYPE_IEEE802_11_RADIO_AVS 163 /* 802.11 plus AVS radio header */
+#define LINKTYPE_IEEE802_11_AVS 163 /* 802.11 plus AVS radio metadata header */
/*
* Juniper-private data link type, as per request from
#define LINKTYPE_JUNIPER_MONITOR 164
/*
- * Reserved for BACnet MS/TP.
+ * BACnet MS/TP frames.
*/
#define LINKTYPE_BACNET_MS_TP 165
*/
#define LINKTYPE_IPOIB 242
-#define LINKTYPE_MATCHING_MAX 242 /* highest value in the "matching" range */
+/*
+ * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
+ *
+ * Requested by Guy Martin <gmsoft@tuxicoman.be>.
+ */
+#define LINKTYPE_MPEG_2_TS 243
+
+/*
+ * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
+ * used by their ng40 protocol tester.
+ *
+ * Requested by Jens Grimmer <jens.grimmer@ng4t.com>.
+ */
+#define LINKTYPE_NG40 244
+
+/*
+ * Pseudo-header giving adapter number and flags, followed by an NFC
+ * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
+ * as specified by NFC Forum Logical Link Control Protocol Technical
+ * Specification LLCP 1.1.
+ *
+ * Requested by Mike Wakerly <mikey@google.com>.
+ */
+#define LINKTYPE_NFC_LLCP 245
+
+/*
+ * pfsync output; DLT_PFSYNC is 18, which collides with DLT_CIP in
+ * SuSE 6.3, on OpenBSD, NetBSD, DragonFly BSD, and Mac OS X, and
+ * is 121, which collides with DLT_HHDLC, in FreeBSD. We pick a
+ * shiny new link-layer header type value that doesn't collide with
+ * anything, in the hopes that future pfsync savefiles, if any,
+ * won't require special hacks to distinguish from other savefiles.
+ *
+ */
+#define LINKTYPE_PFSYNC 246
+
+#define LINKTYPE_MATCHING_MAX 246 /* highest value in the "matching" range */
static struct linktype_map {
int dlt;
{ DLT_AX25, LINKTYPE_AX25 },
{ DLT_PRONET, LINKTYPE_PRONET },
{ DLT_CHAOS, LINKTYPE_CHAOS },
- { DLT_IEEE802, LINKTYPE_TOKEN_RING },
+ { DLT_IEEE802, LINKTYPE_IEEE802_5 },
{ DLT_ARCNET, LINKTYPE_ARCNET_BSD },
{ DLT_SLIP, LINKTYPE_SLIP },
{ DLT_PPP, LINKTYPE_PPP },
{ DLT_FDDI, LINKTYPE_FDDI },
+ { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL },
/*
* These DLT_* codes have different values on different
{ DLT_FR, LINKTYPE_FRELAY },
#endif
- { DLT_SYMANTEC_FIREWALL, LINKTYPE_SYMANTEC_FIREWALL },
{ DLT_ATM_RFC1483, LINKTYPE_ATM_RFC1483 },
{ DLT_RAW, LINKTYPE_RAW },
{ DLT_SLIP_BSDOS, LINKTYPE_SLIP_BSDOS },
int i;
/*
+ * Map DLT_PFSYNC, whatever it might be, to LINKTYPE_PFSYNC.
+ */
+ if (dlt == DLT_PFSYNC)
+ return (LINKTYPE_PFSYNC);
+
+ /*
* Map the values in the matching range.
*/
if (dlt >= DLT_MATCHING_MIN && dlt <= DLT_MATCHING_MAX)
int i;
/*
+ * Map LINKTYPE_PFSYNC to DLT_PFSYNC, whatever it might be.
+ * LINKTYPE_PFSYNC is in the matching range, to make sure
+ * it's as safe from reuse as we can arrange, so we do
+ * this test first.
+ */
+ if (linktype == LINKTYPE_PFSYNC)
+ return (DLT_PFSYNC);
+
+ /*
* Map the values in the matching range.
*/
if (linktype >= LINKTYPE_MATCHING_MIN &&
DLT_CHOICE(DLT_LINUX_SLL, "Linux cooked"),
DLT_CHOICE(DLT_LTALK, "Localtalk"),
DLT_CHOICE(DLT_PFLOG, "OpenBSD pflog file"),
+ DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),
DLT_CHOICE(DLT_PRISM_HEADER, "802.11 plus Prism header"),
DLT_CHOICE(DLT_IP_OVER_FC, "RFC 2625 IP-over-Fibre Channel"),
DLT_CHOICE(DLT_SUNATM, "Sun raw ATM"),
#endif
/*
- * 17 is used for DLT_OLD_PFLOG in OpenBSD;
- * OBSOLETE: DLT_PFLOG is 117 in OpenBSD now as well. See below.
- * 18 is used for DLT_PFSYNC in OpenBSD; don't use it for anything else.
+ * 17 was used for DLT_PFLOG in OpenBSD; it no longer is.
+ *
+ * It was DLT_LANE8023 in SuSE 6.3, so we defined LINKTYPE_PFLOG
+ * as 117 so that pflog captures would use a link-layer header type
+ * value that didn't collide with any other values. On all
+ * platforms other than OpenBSD, we defined DLT_PFLOG as 117,
+ * and we mapped between LINKTYPE_PFLOG and DLT_PFLOG.
+ *
+ * OpenBSD eventually switched to using 117 for DLT_PFLOG as well.
+ *
+ * Don't use 17 for anything else.
+ */
+
+/*
+ * 18 is used for DLT_PFSYNC in OpenBSD, NetBSD, DragonFly BSD and
+ * Mac OS X; don't use it for anything else. (FreeBSD uses 121,
+ * which collides with DLT_HHDLC, even though it doesn't use 18
+ * for anything and doesn't appear to have ever used it for anything.)
+ *
+ * We define it as 18 on those platforms; it is, unfortunately, used
+ * for DLT_CIP in Suse 6.3, so we don't define it as DLT_PFSYNC
+ * in general. As the packet format for it, like that for
+ * DLT_PFLOG, is not only OS-dependent but OS-version-dependent,
+ * we don't support printing it in tcpdump except on OSes that
+ * have the relevant header files, so it's not that useful on
+ * other platforms.
*/
+#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(__DragonFly__) || defined(__APPLE__)
+#define DLT_PFSYNC 18
+#endif
#define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */
#define DLT_IPFILTER 116
/*
- * OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, but that's DLT_LANE8023
- * in SuSE 6.3, so we can't use 17 for it in capture-file headers.
- *
- * XXX: is there a conflict with DLT_PFSYNC 18 as well?
+ * OpenBSD DLT_PFLOG.
*/
-#ifdef __OpenBSD__
-#define DLT_OLD_PFLOG 17
-#define DLT_PFSYNC 18
-#endif
#define DLT_PFLOG 117
/*
#define DLT_AIRONET_HEADER 120
/*
- * Reserved for Siemens HiPath HDLC.
+ * Sigh.
+ *
+ * This was reserved for Siemens HiPath HDLC on 2002-01-25, as
+ * requested by Tomas Kukosa.
+ *
+ * On 2004-02-25, a FreeBSD checkin to sys/net/bpf.h was made that
+ * assigned 121 as DLT_PFSYNC. Its libpcap does DLT_ <-> LINKTYPE_
+ * mapping, so it probably supports capturing on the pfsync device
+ * but not saving the captured data to a pcap file.
+ *
+ * OpenBSD, from which pf came, however, uses 18 for DLT_PFSYNC;
+ * their libpcap does no DLT_ <-> LINKTYPE_ mapping, so it would
+ * use 18 in pcap files as well.
+ *
+ * NetBSD and DragonFly BSD also use 18 for DLT_PFSYNC; their
+ * libpcaps do DLT_ <-> LINKTYPE_ mapping, and neither has an entry
+ * for DLT_PFSYNC, so it might not be able to write out dump files
+ * with 18 as the link-layer header type. (Earlier versions might
+ * not have done mapping, in which case they'd work the same way
+ * OpenBSD does.)
+ *
+ * Mac OS X defines it as 18, but doesn't appear to use it as of
+ * Mac OS X 10.7.3. Its libpcap does DLT_ <-> LINKTYPE_ mapping.
+ *
+ * We'll define DLT_PFSYNC as 121 on FreeBSD and define it as 18 on
+ * all other platforms. We'll define DLT_HHDLC as 121 on everything
+ * except for FreeBSD; anybody who wants to compile, on FreeBSD, code
+ * that uses DLT_HHDLC is out of luck.
+ *
+ * We'll define LINKTYPE_PFSYNC as 18, *even on FreeBSD*, and map
+ * it, so that savefiles won't use 121 for PFSYNC - they'll all
+ * use 18. Code that uses pcap_datalink() to determine the link-layer
+ * header type of a savefile won't, when built and run on FreeBSD,
+ * be able to distinguish between LINKTYPE_PFSYNC and LINKTYPE_HHDLC
+ * capture files; code that doesn't, such as the code in Wireshark,
+ * will be able to distinguish between them.
*/
+#ifdef __FreeBSD__
+#define DLT_PFSYNC 121
+#else
#define DLT_HHDLC 121
+#endif
/*
* This is for RFC 2625 IP-over-Fibre Channel.
#define DLT_JUNIPER_MONITOR 164
/*
- * Reserved for BACnet MS/TP.
+ * BACnet MS/TP frames.
*/
#define DLT_BACNET_MS_TP 165
*/
#define DLT_IPOIB 242
-#define DLT_MATCHING_MAX 242 /* highest value in the "matching" range */
+/*
+ * MPEG-2 transport stream (ISO 13818-1/ITU-T H.222.0).
+ *
+ * Requested by Guy Martin <gmsoft@tuxicoman.be>.
+ */
+#define DLT_MPEG_2_TS 243
+
+/*
+ * ng4T GmbH's UMTS Iub/Iur-over-ATM and Iub/Iur-over-IP format as
+ * used by their ng40 protocol tester.
+ *
+ * Requested by Jens Grimmer <jens.grimmer@ng4t.com>.
+ */
+#define DLT_NG40 244
+
+/*
+ * Pseudo-header giving adapter number and flags, followed by an NFC
+ * (Near-Field Communications) Logical Link Control Protocol (LLCP) PDU,
+ * as specified by NFC Forum Logical Link Control Protocol Technical
+ * Specification LLCP 1.1.
+ *
+ * Requested by Mike Wakerly <mikey@google.com>.
+ */
+#define DLT_NFC_LLCP 245
+
+/*
+ * 245 is used as LINKTYPE_PFSYNC; do not use it for any other purpose.
+ *
+ * DLT_PFSYNC has different values on different platforms, and all of
+ * them collide with something used elsewhere. On platforms that
+ * don't already define it, define it as 245.
+ */
+#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && !defined(__DragonFly__) && !defined(__APPLE__)
+#define DLT_PFSYNC 246
+#endif
+
+#define DLT_MATCHING_MAX 246 /* highest value in the "matching" range */
/*
* DLT and savefile link type values are split into a class and
projects / dragonfly.git / commitdiff