2 * Copyright (c) 1993, 1994, 1995, 1996, 1998
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 static const char rcsid[] _U_ =
23 "@(#) $Header: /tcpdump/master/libpcap/pcap-bpf.c,v 1.67.2.4 2003/11/22 00:06:28 guy Exp $ (LBL)";
30 #include <sys/param.h> /* optionally get BSD define */
32 #include <sys/timeb.h>
33 #include <sys/socket.h>
35 #include <sys/ioctl.h>
36 #include <sys/utsname.h>
43 * Make "pcap.h" not include "pcap-bpf.h"; we are going to include the
44 * native OS version, as we need "struct bpf_config" from it.
46 #define PCAP_DONT_INCLUDE_PCAP_BPF_H
48 #include <sys/types.h>
51 * Prevent bpf.h from redefining the DLT_ values to their
52 * IFT_ values, as we're going to return the standard libpcap
53 * values, not IBM's non-standard IFT_ values.
59 #include <net/if_types.h> /* for IFT_ values */
60 #include <sys/sysconfig.h>
61 #include <sys/device.h>
66 #define domakedev makedev64
67 #define getmajor major64
68 #define bpf_hdr bpf_hdr32
70 #define domakedev makedev
71 #define getmajor major
72 #endif /* __64BIT__ */
74 #define BPF_NAME "bpf"
76 #define DRIVER_PATH "/usr/lib/drivers"
77 #define BPF_NODE "/dev/bpf"
78 static int bpfloadedflag = 0;
79 static int odmlockid = 0;
99 #endif /* HAVE_DAG_API */
101 #ifdef HAVE_OS_PROTO_H
102 #include "os-proto.h"
105 #include "gencode.h" /* for "no_optimize" */
107 static int pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp);
108 static int pcap_set_datalink_bpf(pcap_t *p, int dlt);
111 pcap_stats_bpf(pcap_t *p, struct pcap_stat *ps)
116 * "ps_recv" counts packets handed to the filter, not packets
117 * that passed the filter. This includes packets later dropped
118 * because we ran out of buffer space.
120 * "ps_drop" counts packets dropped inside the BPF device
121 * because we ran out of buffer space. It doesn't count
122 * packets dropped by the interface driver. It counts
123 * only packets that passed the filter.
125 * Both statistics include packets not yet read from the kernel
126 * by libpcap, and thus not yet seen by the application.
128 if (ioctl(p->fd, BIOCGSTATS, (caddr_t)&s) < 0) {
129 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCGSTATS: %s",
130 pcap_strerror(errno));
134 ps->ps_recv = s.bs_recv;
135 ps->ps_drop = s.bs_drop;
140 pcap_read_bpf(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
144 register u_char *bp, *ep;
145 struct bpf_insn *fcode;
147 fcode = p->md.use_bpf ? NULL : p->fcode.bf_insns;
150 * Has "pcap_breakloop()" been called?
154 * Yes - clear the flag that indicates that it
155 * has, and return -2 to indicate that we were
156 * told to break out of the loop.
163 cc = read(p->fd, (char *)p->buffer, p->bufsize);
165 /* Don't choke when we get ptraced */
174 * Sigh. More AIX wonderfulness.
176 * For some unknown reason the uiomove()
177 * operation in the bpf kernel extension
178 * used to copy the buffer into user
179 * space sometimes returns EFAULT. I have
180 * no idea why this is the case given that
181 * a kernel debugger shows the user buffer
182 * is correct. This problem appears to
183 * be mostly mitigated by the memset of
184 * the buffer before it is first used.
185 * Very strange.... Shaun Clowes
187 * In any case this means that we shouldn't
188 * treat EFAULT as a fatal error; as we
189 * don't have an API for returning
190 * a "some packets were dropped since
191 * the last packet you saw" indication,
192 * we just ignore EFAULT and keep reading.
199 #if defined(sun) && !defined(BSD)
201 * Due to a SunOS bug, after 2^31 bytes, the kernel
202 * file offset overflows and read fails with EINVAL.
203 * The lseek() to 0 will fix things.
206 if (lseek(p->fd, 0L, SEEK_CUR) +
208 (void)lseek(p->fd, 0L, SEEK_SET);
214 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "read: %s",
215 pcap_strerror(errno));
223 * Loop through each packet.
225 #define bhp ((struct bpf_hdr *)bp)
228 register int caplen, hdrlen;
231 * Has "pcap_breakloop()" been called?
232 * If so, return immediately - if we haven't read any
233 * packets, clear the flag and return -2 to indicate
234 * that we were told to break out of the loop, otherwise
235 * leave the flag set, so that the *next* call will break
236 * out of the loop without having read any packets, and
237 * return the number of packets we've processed so far.
250 caplen = bhp->bh_caplen;
251 hdrlen = bhp->bh_hdrlen;
253 * Short-circuit evaluation: if using BPF filter
254 * in kernel, no need to do it now.
257 bpf_filter(fcode, bp + hdrlen, bhp->bh_datalen, caplen)) {
260 * AIX's BPF returns seconds/nanoseconds time
261 * stamps, not seconds/microseconds time stamps.
263 * XXX - I'm guessing here that it's a "struct
264 * timestamp"; if not, this code won't compile,
265 * but, if not, you want to send us a bug report
266 * and fall back on using DLPI. It's not as if
267 * BPF used to work right on AIX before this
268 * change; this change attempts to fix the fact
271 bhp->bh_tstamp.tv_usec = bhp->bh_tstamp.tv_usec/1000;
274 * XXX A bpf_hdr matches a pcap_pkthdr.
276 (*callback)(user, (struct pcap_pkthdr*)bp, bp + hdrlen);
277 bp += BPF_WORDALIGN(caplen + hdrlen);
278 if (++n >= cnt && cnt > 0) {
287 bp += BPF_WORDALIGN(caplen + hdrlen);
297 bpf_odminit(char *errbuf)
301 if (odm_initialize() == -1) {
302 if (odm_err_msg(odmerrno, &errstr) == -1)
303 errstr = "Unknown error";
304 snprintf(errbuf, PCAP_ERRBUF_SIZE,
305 "bpf_load: odm_initialize failed: %s",
310 if ((odmlockid = odm_lock("/etc/objrepos/config_lock", ODM_WAIT)) == -1) {
311 if (odm_err_msg(odmerrno, &errstr) == -1)
312 errstr = "Unknown error";
313 snprintf(errbuf, PCAP_ERRBUF_SIZE,
314 "bpf_load: odm_lock of /etc/objrepos/config_lock failed: %s",
323 bpf_odmcleanup(char *errbuf)
327 if (odm_unlock(odmlockid) == -1) {
328 if (odm_err_msg(odmerrno, &errstr) == -1)
329 errstr = "Unknown error";
330 snprintf(errbuf, PCAP_ERRBUF_SIZE,
331 "bpf_load: odm_unlock failed: %s",
336 if (odm_terminate() == -1) {
337 if (odm_err_msg(odmerrno, &errstr) == -1)
338 errstr = "Unknown error";
339 snprintf(errbuf, PCAP_ERRBUF_SIZE,
340 "bpf_load: odm_terminate failed: %s",
349 bpf_load(char *errbuf)
353 int numminors, i, rc;
356 struct bpf_config cfg_bpf;
357 struct cfg_load cfg_ld;
358 struct cfg_kmod cfg_km;
361 * This is very very close to what happens in the real implementation
362 * but I've fixed some (unlikely) bug situations.
367 if (bpf_odminit(errbuf) != 0)
370 major = genmajor(BPF_NAME);
372 snprintf(errbuf, PCAP_ERRBUF_SIZE,
373 "bpf_load: genmajor failed: %s", pcap_strerror(errno));
377 minors = getminor(major, &numminors, BPF_NAME);
379 minors = genminor("bpf", major, 0, BPF_MINORS, 1, 1);
381 snprintf(errbuf, PCAP_ERRBUF_SIZE,
382 "bpf_load: genminor failed: %s",
383 pcap_strerror(errno));
388 if (bpf_odmcleanup(errbuf))
391 rc = stat(BPF_NODE "0", &sbuf);
392 if (rc == -1 && errno != ENOENT) {
393 snprintf(errbuf, PCAP_ERRBUF_SIZE,
394 "bpf_load: can't stat %s: %s",
395 BPF_NODE "0", pcap_strerror(errno));
399 if (rc == -1 || getmajor(sbuf.st_rdev) != major) {
400 for (i = 0; i < BPF_MINORS; i++) {
401 sprintf(buf, "%s%d", BPF_NODE, i);
403 if (mknod(buf, S_IRUSR | S_IFCHR, domakedev(major, i)) == -1) {
404 snprintf(errbuf, PCAP_ERRBUF_SIZE,
405 "bpf_load: can't mknod %s: %s",
406 buf, pcap_strerror(errno));
412 /* Check if the driver is loaded */
413 memset(&cfg_ld, 0x0, sizeof(cfg_ld));
415 sprintf(cfg_ld.path, "%s/%s", DRIVER_PATH, BPF_NAME);
416 if ((sysconfig(SYS_QUERYLOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) ||
417 (cfg_ld.kmid == 0)) {
418 /* Driver isn't loaded, load it now */
419 if (sysconfig(SYS_SINGLELOAD, (void *)&cfg_ld, sizeof(cfg_ld)) == -1) {
420 snprintf(errbuf, PCAP_ERRBUF_SIZE,
421 "bpf_load: could not load driver: %s",
427 /* Configure the driver */
428 cfg_km.cmd = CFG_INIT;
429 cfg_km.kmid = cfg_ld.kmid;
430 cfg_km.mdilen = sizeof(cfg_bpf);
431 cfg_km.mdiptr = (void *)&cfg_bpf;
432 for (i = 0; i < BPF_MINORS; i++) {
433 cfg_bpf.devno = domakedev(major, i);
434 if (sysconfig(SYS_CFGKMOD, (void *)&cfg_km, sizeof(cfg_km)) == -1) {
435 snprintf(errbuf, PCAP_ERRBUF_SIZE,
436 "bpf_load: could not configure driver: %s",
449 bpf_open(pcap_t *p, char *errbuf)
453 char device[sizeof "/dev/bpf0000000000"];
457 * Load the bpf driver, if it isn't already loaded,
458 * and create the BPF device entries, if they don't
461 if (bpf_load(errbuf) == -1)
466 * Go through all the minors and find one that isn't in use.
469 (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
470 fd = open(device, O_RDONLY);
471 } while (fd < 0 && errno == EBUSY);
474 * XXX better message for all minors used
477 snprintf(errbuf, PCAP_ERRBUF_SIZE, "(no devices found) %s: %s",
478 device, pcap_strerror(errno));
484 pcap_close_bpf(pcap_t *p)
486 if (p->buffer != NULL)
493 * XXX - on AIX, IBM's tcpdump (and perhaps the incompatible-with-everybody-
494 * else's libpcap in AIX 5.1) appears to forcibly load the BPF driver
495 * if it's not already loaded, and to create the BPF devices if they
498 * It'd be nice if we could do the same, although the code to do so
499 * might be version-dependent, alas (the way to do it isn't necessarily
503 pcap_open_live(const char *device, int snaplen, int promisc, int to_ms,
508 struct bpf_version bv;
510 struct bpf_dltlist bdl;
514 struct utsname osinfo;
517 if (strstr(device, "dag")) {
518 return dag_open_live(device, snaplen, promisc, to_ms, ebuf);
520 #endif /* HAVE_DAG_API */
523 memset(&bdl, 0, sizeof(bdl));
526 p = (pcap_t *)malloc(sizeof(*p));
528 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
529 pcap_strerror(errno));
532 memset(p, 0, sizeof(*p));
533 fd = bpf_open(p, ebuf);
538 p->snapshot = snaplen;
540 if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) {
541 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCVERSION: %s",
542 pcap_strerror(errno));
545 if (bv.bv_major != BPF_MAJOR_VERSION ||
546 bv.bv_minor < BPF_MINOR_VERSION) {
547 snprintf(ebuf, PCAP_ERRBUF_SIZE,
548 "kernel bpf filter out of date");
553 * Try finding a good size for the buffer; 32768 may be too
554 * big, so keep cutting it in half until we find a size
555 * that works, or run out of sizes to try. If the default
556 * is larger, don't make it smaller.
558 * XXX - there should be a user-accessible hook to set the
559 * initial buffer size.
561 if ((ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) || v < 32768)
563 for ( ; v != 0; v >>= 1) {
564 /* Ignore the return value - this is because the call fails
565 * on BPF systems that don't have kernel malloc. And if
566 * the call fails, it's no big deal, we just continue to
567 * use the standard buffer size.
569 (void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
571 (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
572 if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) >= 0)
573 break; /* that size worked; we're done */
575 if (errno != ENOBUFS) {
576 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSETIF: %s: %s",
577 device, pcap_strerror(errno));
583 snprintf(ebuf, PCAP_ERRBUF_SIZE,
584 "BIOCSBLEN: %s: No buffer size worked", device);
588 /* Get the data link layer type. */
589 if (ioctl(fd, BIOCGDLT, (caddr_t)&v) < 0) {
590 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGDLT: %s",
591 pcap_strerror(errno));
596 * AIX's BPF returns IFF_ types, not DLT_ types, in BIOCGDLT.
619 * We don't know what to map this to yet.
621 snprintf(ebuf, PCAP_ERRBUF_SIZE, "unknown interface type %u",
626 #if _BSDI_VERSION - 0 >= 199510
627 /* The SLIP and PPP link layer header changed in BSD/OS 2.1 */
642 case 12: /*DLT_C_HDLC*/
651 * We know the default link type -- now determine all the DLTs
652 * this interface supports. If this fails with EINVAL, it's
653 * not fatal; we just don't get to use the feature later.
655 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) == 0) {
656 bdl.bfl_list = (u_int *) malloc(sizeof(u_int) * bdl.bfl_len);
657 if (bdl.bfl_list == NULL) {
658 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
659 pcap_strerror(errno));
663 if (ioctl(fd, BIOCGDLTLIST, (caddr_t)&bdl) < 0) {
664 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
665 "BIOCGDLTLIST: %s", pcap_strerror(errno));
669 p->dlt_count = bdl.bfl_len;
670 p->dlt_list = bdl.bfl_list;
672 if (errno != EINVAL) {
673 (void)snprintf(ebuf, PCAP_ERRBUF_SIZE,
674 "BIOCGDLTLIST: %s", pcap_strerror(errno));
683 * XXX - is this seconds/nanoseconds in AIX?
684 * (Treating it as such doesn't fix the timeout
685 * problem described below.)
688 to.tv_sec = to_ms / 1000;
689 to.tv_usec = (to_ms * 1000) % 1000000;
690 if (ioctl(p->fd, BIOCSRTIMEOUT, (caddr_t)&to) < 0) {
691 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCSRTIMEOUT: %s",
692 pcap_strerror(errno));
700 * Darren Reed notes that
702 * On AIX (4.2 at least), if BIOCIMMEDIATE is not set, the
703 * timeout appears to be ignored and it waits until the buffer
704 * is filled before returning. The result of not having it
705 * set is almost worse than useless if your BPF filter
706 * is reducing things to only a few packets (i.e. one every
709 * so we turn BIOCIMMEDIATE mode on if this is AIX.
711 * We don't turn it on for other platforms, as that means we
712 * get woken up for every packet, which may not be what we want;
713 * in the Winter 1993 USENIX paper on BPF, they say:
715 * Since a process might want to look at every packet on a
716 * network and the time between packets can be only a few
717 * microseconds, it is not possible to do a read system call
718 * per packet and BPF must collect the data from several
719 * packets and return it as a unit when the monitoring
720 * application does a read.
722 * which I infer is the reason for the timeout - it means we
723 * wait that amount of time, in the hopes that more packets
724 * will arrive and we'll get them all with one read.
726 * Setting BIOCIMMEDIATE mode on FreeBSD (and probably other
727 * BSDs) causes the timeout to be ignored.
729 * On the other hand, some platforms (e.g., Linux) don't support
730 * timeouts, they just hand stuff to you as soon as it arrives;
731 * if that doesn't cause a problem on those platforms, it may
732 * be OK to have BIOCIMMEDIATE mode on BSD as well.
734 * (Note, though, that applications may depend on the read
735 * completing, even if no packets have arrived, when the timeout
736 * expires, e.g. GUI applications that have to check for input
737 * while waiting for packets to arrive; a non-zero timeout
738 * prevents "select()" from working right on FreeBSD and
739 * possibly other BSDs, as the timer doesn't start until a
740 * "read()" is done, so the timer isn't in effect if the
741 * application is blocked on a "select()", and the "select()"
742 * doesn't get woken up for a BPF device until the buffer
746 if (ioctl(p->fd, BIOCIMMEDIATE, &v) < 0) {
747 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCIMMEDIATE: %s",
748 pcap_strerror(errno));
751 #endif /* BIOCIMMEDIATE */
755 /* set promiscuous mode, okay if it fails */
756 if (ioctl(p->fd, BIOCPROMISC, NULL) < 0) {
757 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCPROMISC: %s",
758 pcap_strerror(errno));
762 if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) < 0) {
763 snprintf(ebuf, PCAP_ERRBUF_SIZE, "BIOCGBLEN: %s",
764 pcap_strerror(errno));
768 p->buffer = (u_char *)malloc(p->bufsize);
769 if (p->buffer == NULL) {
770 snprintf(ebuf, PCAP_ERRBUF_SIZE, "malloc: %s",
771 pcap_strerror(errno));
775 /* For some strange reason this seems to prevent the EFAULT
776 * problems we have experienced from AIX BPF. */
777 memset(p->buffer, 0x0, p->bufsize);
781 * On most BPF platforms, either you can do a "select()" or
782 * "poll()" on a BPF file descriptor and it works correctly,
783 * or you can do it and it will return "readable" if the
784 * hold buffer is full but not if the timeout expires *and*
785 * a non-blocking read will, if the hold buffer is empty
786 * but the store buffer isn't empty, rotate the buffers
787 * and return what packets are available.
789 * In the latter case, the fact that a non-blocking read
790 * will give you the available packets means you can work
791 * around the failure of "select()" and "poll()" to wake up
792 * and return "readable" when the timeout expires by using
793 * the timeout as the "select()" or "poll()" timeout, putting
794 * the BPF descriptor into non-blocking mode, and read from
795 * it regardless of whether "select()" reports it as readable
798 * However, in FreeBSD 4.3 and 4.4, "select()" and "poll()"
799 * won't wake up and return "readable" if the timer expires
800 * and non-blocking reads return EWOULDBLOCK if the hold
801 * buffer is empty, even if the store buffer is non-empty.
803 * This means the workaround in question won't work.
805 * Therefore, on FreeBSD 4.3 and 4.4, we set "p->selectable_fd"
806 * to -1, which means "sorry, you can't use 'select()' or 'poll()'
807 * here". On all other BPF platforms, we set it to the FD for
808 * the BPF device; in NetBSD, OpenBSD, and Darwin, a non-blocking
809 * read will, if the hold buffer is empty and the store buffer
810 * isn't empty, rotate the buffers and return what packets are
811 * there (and in sufficiently recent versions of OpenBSD
812 * "select()" and "poll()" should work correctly).
814 * XXX - what about AIX?
816 if (uname(&osinfo) == 0) {
818 * We can check what OS this is.
820 if (strcmp(osinfo.sysname, "FreeBSD") == 0 &&
821 (strcmp(osinfo.release, "4.3") == 0 ||
822 strcmp(osinfo.release, "4.4") == 0))
823 p->selectable_fd = -1;
825 p->selectable_fd = p->fd;
828 * We can't find out what OS this is, so assume we can
829 * do a "select()" or "poll()".
831 p->selectable_fd = p->fd;
834 p->read_op = pcap_read_bpf;
835 p->setfilter_op = pcap_setfilter_bpf;
836 p->set_datalink_op = pcap_set_datalink_bpf;
837 p->getnonblock_op = pcap_getnonblock_fd;
838 p->setnonblock_op = pcap_setnonblock_fd;
839 p->stats_op = pcap_stats_bpf;
840 p->close_op = pcap_close_bpf;
846 if (bdl.bfl_list != NULL)
854 pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
857 if (dag_platform_finddevs(alldevsp, errbuf) < 0)
859 #endif /* HAVE_DAG_API */
865 pcap_setfilter_bpf(pcap_t *p, struct bpf_program *fp)
868 * It looks that BPF code generated by gen_protochain() is not
869 * compatible with some of kernel BPF code (for example BSD/OS 3.1).
870 * Take a safer side for now.
874 * XXX - what if we already have a filter in the kernel?
876 if (install_bpf_program(p, fp) < 0)
878 p->md.use_bpf = 0; /* filtering in userland */
883 * Free any user-mode filter we might happen to have installed.
885 pcap_freecode(&p->fcode);
888 * Try to install the kernel filter.
890 if (ioctl(p->fd, BIOCSETF, (caddr_t)fp) < 0) {
891 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "BIOCSETF: %s",
892 pcap_strerror(errno));
895 p->md.use_bpf = 1; /* filtering in the kernel */
900 pcap_set_datalink_bpf(pcap_t *p, int dlt)
903 if (ioctl(p->fd, BIOCSDLT, &dlt) == -1) {
904 (void) snprintf(p->errbuf, sizeof(p->errbuf),
905 "Cannot set DLT %d: %s", dlt, strerror(errno));
projects / dragonfly.git / blob