678 lines
15 KiB
C
678 lines
15 KiB
C
/* $OpenBSD: pcap.c,v 1.24 2018/06/03 10:29:28 sthen Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 1993, 1994, 1995, 1996, 1997, 1998
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
* must display the following acknowledgement:
|
|
* This product includes software developed by the Computer Systems
|
|
* Engineering Group at Lawrence Berkeley Laboratory.
|
|
* 4. Neither the name of the University nor of the Laboratory may be used
|
|
* to endorse or promote products derived from this software without
|
|
* specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
|
|
#ifdef HAVE_OS_PROTO_H
|
|
#include "os-proto.h"
|
|
#endif
|
|
|
|
#include "pcap-int.h"
|
|
|
|
static const char pcap_version_string[] = "OpenBSD libpcap";
|
|
|
|
int
|
|
pcap_dispatch(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
|
|
{
|
|
|
|
if (p->sf.rfile != NULL)
|
|
return (pcap_offline_read(p, cnt, callback, user));
|
|
return (pcap_read(p, cnt, callback, user));
|
|
}
|
|
|
|
int
|
|
pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
|
|
{
|
|
int n;
|
|
|
|
for (;;) {
|
|
if (p->sf.rfile != NULL)
|
|
n = pcap_offline_read(p, cnt, callback, user);
|
|
else {
|
|
/*
|
|
* XXX keep reading until we get something
|
|
* (or an error occurs)
|
|
*/
|
|
do {
|
|
n = pcap_read(p, cnt, callback, user);
|
|
} while (n == 0);
|
|
}
|
|
if (n <= 0)
|
|
return (n);
|
|
if (cnt > 0) {
|
|
cnt -= n;
|
|
if (cnt <= 0)
|
|
return (0);
|
|
}
|
|
}
|
|
}
|
|
|
|
struct singleton {
|
|
struct pcap_pkthdr *hdr;
|
|
const u_char *pkt;
|
|
};
|
|
|
|
|
|
static void
|
|
pcap_oneshot(u_char *userData, const struct pcap_pkthdr *h, const u_char *pkt)
|
|
{
|
|
struct singleton *sp = (struct singleton *)userData;
|
|
*sp->hdr = *h;
|
|
sp->pkt = pkt;
|
|
}
|
|
|
|
const u_char *
|
|
pcap_next(pcap_t *p, struct pcap_pkthdr *h)
|
|
{
|
|
struct singleton s;
|
|
|
|
s.hdr = h;
|
|
if (pcap_dispatch(p, 1, pcap_oneshot, (u_char*)&s) <= 0)
|
|
return (0);
|
|
return (s.pkt);
|
|
}
|
|
|
|
struct pkt_for_fakecallback {
|
|
struct pcap_pkthdr *hdr;
|
|
const u_char **pkt;
|
|
};
|
|
|
|
static void
|
|
pcap_fakecallback(u_char *userData, const struct pcap_pkthdr *h,
|
|
const u_char *pkt)
|
|
{
|
|
struct pkt_for_fakecallback *sp = (struct pkt_for_fakecallback *)userData;
|
|
|
|
*sp->hdr = *h;
|
|
*sp->pkt = pkt;
|
|
}
|
|
|
|
int
|
|
pcap_next_ex(pcap_t *p, struct pcap_pkthdr **pkt_header,
|
|
const u_char **pkt_data)
|
|
{
|
|
struct pkt_for_fakecallback s;
|
|
|
|
s.hdr = &p->pcap_header;
|
|
s.pkt = pkt_data;
|
|
|
|
/* Saves a pointer to the packet headers */
|
|
*pkt_header= &p->pcap_header;
|
|
|
|
if (p->sf.rfile != NULL) {
|
|
int status;
|
|
|
|
/* We are on an offline capture */
|
|
status = pcap_offline_read(p, 1, pcap_fakecallback,
|
|
(u_char *)&s);
|
|
|
|
/*
|
|
* Return codes for pcap_offline_read() are:
|
|
* - 0: EOF
|
|
* - -1: error
|
|
* - >1: OK
|
|
* The first one ('0') conflicts with the return code of
|
|
* 0 from pcap_read() meaning "no packets arrived before
|
|
* the timeout expired", so we map it to -2 so you can
|
|
* distinguish between an EOF from a savefile and a
|
|
* "no packets arrived before the timeout expired, try
|
|
* again" from a live capture.
|
|
*/
|
|
if (status == 0)
|
|
return (-2);
|
|
else
|
|
return (status);
|
|
}
|
|
|
|
/*
|
|
* Return codes for pcap_read() are:
|
|
* - 0: timeout
|
|
* - -1: error
|
|
* - -2: loop was broken out of with pcap_breakloop()
|
|
* - >1: OK
|
|
* The first one ('0') conflicts with the return code of 0 from
|
|
* pcap_offline_read() meaning "end of file".
|
|
*/
|
|
return (pcap_read(p, 1, pcap_fakecallback, (u_char *)&s));
|
|
}
|
|
|
|
int
|
|
pcap_check_activated(pcap_t *p)
|
|
{
|
|
if (p->activated) {
|
|
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "can't perform "
|
|
" operation on activated capture");
|
|
return -1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
pcap_set_snaplen(pcap_t *p, int snaplen)
|
|
{
|
|
if (pcap_check_activated(p))
|
|
return PCAP_ERROR_ACTIVATED;
|
|
p->snapshot = snaplen;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
pcap_set_promisc(pcap_t *p, int promisc)
|
|
{
|
|
if (pcap_check_activated(p))
|
|
return PCAP_ERROR_ACTIVATED;
|
|
p->opt.promisc = promisc;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
pcap_set_rfmon(pcap_t *p, int rfmon)
|
|
{
|
|
if (pcap_check_activated(p))
|
|
return PCAP_ERROR_ACTIVATED;
|
|
p->opt.rfmon = rfmon;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
pcap_set_timeout(pcap_t *p, int timeout_ms)
|
|
{
|
|
if (pcap_check_activated(p))
|
|
return PCAP_ERROR_ACTIVATED;
|
|
p->md.timeout = timeout_ms;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
pcap_set_immediate_mode(pcap_t *p, int immediate)
|
|
{
|
|
if (pcap_check_activated(p))
|
|
return PCAP_ERROR_ACTIVATED;
|
|
p->opt.immediate = immediate;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
pcap_set_buffer_size(pcap_t *p, int buffer_size)
|
|
{
|
|
if (pcap_check_activated(p))
|
|
return PCAP_ERROR_ACTIVATED;
|
|
p->opt.buffer_size = buffer_size;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Force the loop in "pcap_read()" or "pcap_read_offline()" to terminate.
|
|
*/
|
|
void
|
|
pcap_breakloop(pcap_t *p)
|
|
{
|
|
p->break_loop = 1;
|
|
}
|
|
|
|
int
|
|
pcap_datalink(pcap_t *p)
|
|
{
|
|
return (p->linktype);
|
|
}
|
|
|
|
int
|
|
pcap_list_datalinks(pcap_t *p, int **dlt_buffer)
|
|
{
|
|
if (p->dlt_count == 0) {
|
|
/*
|
|
* We couldn't fetch the list of DLTs, which means
|
|
* this platform doesn't support changing the
|
|
* DLT for an interface. Return a list of DLTs
|
|
* containing only the DLT this device supports.
|
|
*/
|
|
*dlt_buffer = malloc(sizeof(**dlt_buffer));
|
|
if (*dlt_buffer == NULL) {
|
|
(void)snprintf(p->errbuf, sizeof(p->errbuf),
|
|
"malloc: %s", pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
**dlt_buffer = p->linktype;
|
|
return (1);
|
|
} else {
|
|
*dlt_buffer = reallocarray(NULL, sizeof(**dlt_buffer),
|
|
p->dlt_count);
|
|
if (*dlt_buffer == NULL) {
|
|
(void)snprintf(p->errbuf, sizeof(p->errbuf),
|
|
"malloc: %s", pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
(void)memcpy(*dlt_buffer, p->dlt_list,
|
|
sizeof(**dlt_buffer) * p->dlt_count);
|
|
return (p->dlt_count);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* In Windows, you might have a library built with one version of the
|
|
* C runtime library and an application built with another version of
|
|
* the C runtime library, which means that the library might use one
|
|
* version of malloc() and free() and the application might use another
|
|
* version of malloc() and free(). If so, that means something
|
|
* allocated by the library cannot be freed by the application, so we
|
|
* need to have a pcap_free_datalinks() routine to free up the list
|
|
* allocated by pcap_list_datalinks(), even though it's just a wrapper
|
|
* around free().
|
|
*/
|
|
void
|
|
pcap_free_datalinks(int *dlt_list)
|
|
{
|
|
free(dlt_list);
|
|
}
|
|
|
|
struct dlt_choice {
|
|
const char *name;
|
|
const char *description;
|
|
int dlt;
|
|
};
|
|
|
|
static struct dlt_choice dlts[] = {
|
|
#define DLT_CHOICE(code, description) { #code, description, code }
|
|
DLT_CHOICE(DLT_NULL, "no link-layer encapsulation"),
|
|
DLT_CHOICE(DLT_EN10MB, "Ethernet (10Mb)"),
|
|
DLT_CHOICE(DLT_EN3MB, "Experimental Ethernet (3Mb)"),
|
|
DLT_CHOICE(DLT_AX25, "Amateur Radio AX.25"),
|
|
DLT_CHOICE(DLT_PRONET, "Proteon ProNET Token Ring"),
|
|
DLT_CHOICE(DLT_CHAOS, "Chaos"),
|
|
DLT_CHOICE(DLT_IEEE802, "IEEE 802 Networks"),
|
|
DLT_CHOICE(DLT_ARCNET, "ARCNET"),
|
|
DLT_CHOICE(DLT_SLIP, "Serial Line IP"),
|
|
DLT_CHOICE(DLT_PPP, "Point-to-point Protocol"),
|
|
DLT_CHOICE(DLT_PPP_SERIAL, "PPP over serial"),
|
|
DLT_CHOICE(DLT_FDDI, "FDDI"),
|
|
DLT_CHOICE(DLT_ATM_RFC1483, "LLC/SNAP encapsulated atm"),
|
|
DLT_CHOICE(DLT_LOOP, "loopback type (af header)"),
|
|
DLT_CHOICE(DLT_ENC, "IPSEC enc type (af header, spi, flags)"),
|
|
DLT_CHOICE(DLT_RAW, "raw IP"),
|
|
DLT_CHOICE(DLT_SLIP_BSDOS, "BSD/OS Serial Line IP"),
|
|
DLT_CHOICE(DLT_PPP_BSDOS, "BSD/OS Point-to-point Protocol"),
|
|
DLT_CHOICE(DLT_PFSYNC, "Packet filter state syncing"),
|
|
DLT_CHOICE(DLT_PPP_ETHER, "PPP over Ethernet; session only w/o ether header"),
|
|
DLT_CHOICE(DLT_IEEE802_11, "IEEE 802.11 wireless"),
|
|
DLT_CHOICE(DLT_PFLOG, "Packet filter logging, by pcap people"),
|
|
DLT_CHOICE(DLT_IEEE802_11_RADIO, "IEEE 802.11 plus WLAN header"),
|
|
DLT_CHOICE(DLT_OPENFLOW, "OpenFlow"),
|
|
DLT_CHOICE(DLT_USBPCAP, "USB"),
|
|
#undef DLT_CHOICE
|
|
{ NULL, NULL, -1}
|
|
};
|
|
|
|
int
|
|
pcap_datalink_name_to_val(const char *name)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; dlts[i].name != NULL; i++) {
|
|
/* Skip leading "DLT_" */
|
|
if (strcasecmp(dlts[i].name + 4, name) == 0)
|
|
return (dlts[i].dlt);
|
|
}
|
|
return (-1);
|
|
}
|
|
|
|
const char *
|
|
pcap_datalink_val_to_name(int dlt)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; dlts[i].name != NULL; i++) {
|
|
if (dlts[i].dlt == dlt)
|
|
return (dlts[i].name + 4); /* Skip leading "DLT_" */
|
|
}
|
|
return (NULL);
|
|
}
|
|
|
|
const char *
|
|
pcap_datalink_val_to_description(int dlt)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; dlts[i].name != NULL; i++) {
|
|
if (dlts[i].dlt == dlt)
|
|
return (dlts[i].description);
|
|
}
|
|
return (NULL);
|
|
}
|
|
|
|
int
|
|
pcap_snapshot(pcap_t *p)
|
|
{
|
|
return (p->snapshot);
|
|
}
|
|
|
|
int
|
|
pcap_is_swapped(pcap_t *p)
|
|
{
|
|
return (p->sf.swapped);
|
|
}
|
|
|
|
int
|
|
pcap_major_version(pcap_t *p)
|
|
{
|
|
return (p->sf.version_major);
|
|
}
|
|
|
|
int
|
|
pcap_minor_version(pcap_t *p)
|
|
{
|
|
return (p->sf.version_minor);
|
|
}
|
|
|
|
FILE *
|
|
pcap_file(pcap_t *p)
|
|
{
|
|
return (p->sf.rfile);
|
|
}
|
|
|
|
int
|
|
pcap_fileno(pcap_t *p)
|
|
{
|
|
return (p->fd);
|
|
}
|
|
|
|
void
|
|
pcap_perror(pcap_t *p, const char *prefix)
|
|
{
|
|
fprintf(stderr, "%s: %s\n", prefix, p->errbuf);
|
|
}
|
|
|
|
int
|
|
pcap_get_selectable_fd(pcap_t *p)
|
|
{
|
|
return (p->fd);
|
|
}
|
|
|
|
char *
|
|
pcap_geterr(pcap_t *p)
|
|
{
|
|
return (p->errbuf);
|
|
}
|
|
|
|
int
|
|
pcap_getnonblock(pcap_t *p, char *errbuf)
|
|
{
|
|
int fdflags;
|
|
|
|
fdflags = fcntl(p->fd, F_GETFL);
|
|
if (fdflags == -1) {
|
|
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s",
|
|
pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
if (fdflags & O_NONBLOCK)
|
|
return (1);
|
|
else
|
|
return (0);
|
|
}
|
|
|
|
int
|
|
pcap_setnonblock(pcap_t *p, int nonblock, char *errbuf)
|
|
{
|
|
int fdflags;
|
|
|
|
fdflags = fcntl(p->fd, F_GETFL);
|
|
if (fdflags == -1) {
|
|
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_GETFL: %s",
|
|
pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
if (nonblock)
|
|
fdflags |= O_NONBLOCK;
|
|
else
|
|
fdflags &= ~O_NONBLOCK;
|
|
if (fcntl(p->fd, F_SETFL, fdflags) == -1) {
|
|
snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "F_SETFL: %s",
|
|
pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Generate error strings for PCAP_ERROR_ and PCAP_WARNING_ values.
|
|
*/
|
|
const char *
|
|
pcap_statustostr(int errnum)
|
|
{
|
|
static char ebuf[15+10+1];
|
|
|
|
switch (errnum) {
|
|
|
|
case PCAP_WARNING:
|
|
return("Generic warning");
|
|
|
|
case PCAP_WARNING_TSTAMP_TYPE_NOTSUP:
|
|
return ("That type of time stamp is not supported by that device");
|
|
|
|
case PCAP_WARNING_PROMISC_NOTSUP:
|
|
return ("That device doesn't support promiscuous mode");
|
|
|
|
case PCAP_ERROR:
|
|
return("Generic error");
|
|
|
|
case PCAP_ERROR_BREAK:
|
|
return("Loop terminated by pcap_breakloop");
|
|
|
|
case PCAP_ERROR_NOT_ACTIVATED:
|
|
return("The pcap_t has not been activated");
|
|
|
|
case PCAP_ERROR_ACTIVATED:
|
|
return ("The setting can't be changed after the pcap_t is activated");
|
|
|
|
case PCAP_ERROR_NO_SUCH_DEVICE:
|
|
return ("No such device exists");
|
|
|
|
case PCAP_ERROR_RFMON_NOTSUP:
|
|
return ("That device doesn't support monitor mode");
|
|
|
|
case PCAP_ERROR_NOT_RFMON:
|
|
return ("That operation is supported only in monitor mode");
|
|
|
|
case PCAP_ERROR_PERM_DENIED:
|
|
return ("You don't have permission to capture on that device");
|
|
|
|
case PCAP_ERROR_IFACE_NOT_UP:
|
|
return ("That device is not up");
|
|
|
|
case PCAP_ERROR_CANTSET_TSTAMP_TYPE:
|
|
return ("That device doesn't support setting the time stamp type");
|
|
|
|
case PCAP_ERROR_PROMISC_PERM_DENIED:
|
|
return ("You don't have permission to capture in promiscuous mode on that device");
|
|
}
|
|
(void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum);
|
|
return(ebuf);
|
|
}
|
|
|
|
/*
|
|
* Not all systems have strerror().
|
|
*/
|
|
const char *
|
|
pcap_strerror(int errnum)
|
|
{
|
|
#ifdef HAVE_STRERROR
|
|
return (strerror(errnum));
|
|
#else
|
|
extern int sys_nerr;
|
|
extern const char *const sys_errlist[];
|
|
static char ebuf[20];
|
|
|
|
if ((unsigned int)errnum < sys_nerr)
|
|
return ((char *)sys_errlist[errnum]);
|
|
(void)snprintf(ebuf, sizeof ebuf, "Unknown error: %d", errnum);
|
|
return(ebuf);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* On some platforms, we need to clean up promiscuous or monitor mode
|
|
* when we close a device - and we want that to happen even if the
|
|
* application just exits without explicitl closing devices.
|
|
* On those platforms, we need to register a "close all the pcaps"
|
|
* routine to be called when we exit, and need to maintain a list of
|
|
* pcaps that need to be closed to clean up modes.
|
|
*
|
|
* XXX - not thread-safe.
|
|
*/
|
|
|
|
/*
|
|
* List of pcaps on which we've done something that needs to be
|
|
* cleaned up.
|
|
* If there are any such pcaps, we arrange to call "pcap_close_all()"
|
|
* when we exit, and have it close all of them.
|
|
*/
|
|
static struct pcap *pcaps_to_close;
|
|
|
|
/*
|
|
* TRUE if we've already called "atexit()" to cause "pcap_close_all()" to
|
|
* be called on exit.
|
|
*/
|
|
static int did_atexit;
|
|
|
|
static void
|
|
pcap_close_all(void)
|
|
{
|
|
struct pcap *handle;
|
|
|
|
while ((handle = pcaps_to_close) != NULL)
|
|
pcap_close(handle);
|
|
}
|
|
|
|
int
|
|
pcap_do_addexit(pcap_t *p)
|
|
{
|
|
/*
|
|
* If we haven't already done so, arrange to have
|
|
* "pcap_close_all()" called when we exit.
|
|
*/
|
|
if (!did_atexit) {
|
|
if (atexit(pcap_close_all) == -1) {
|
|
/*
|
|
* "atexit()" failed; let our caller know.
|
|
*/
|
|
(void)strlcpy(p->errbuf, "atexit failed",
|
|
PCAP_ERRBUF_SIZE);
|
|
return (0);
|
|
}
|
|
did_atexit = 1;
|
|
}
|
|
return (1);
|
|
}
|
|
|
|
void
|
|
pcap_add_to_pcaps_to_close(pcap_t *p)
|
|
{
|
|
p->md.next = pcaps_to_close;
|
|
pcaps_to_close = p;
|
|
}
|
|
|
|
void
|
|
pcap_remove_from_pcaps_to_close(pcap_t *p)
|
|
{
|
|
pcap_t *pc, *prevpc;
|
|
|
|
for (pc = pcaps_to_close, prevpc = NULL; pc != NULL;
|
|
prevpc = pc, pc = pc->md.next) {
|
|
if (pc == p) {
|
|
/*
|
|
* Found it. Remove it from the list.
|
|
*/
|
|
if (prevpc == NULL) {
|
|
/*
|
|
* It was at the head of the list.
|
|
*/
|
|
pcaps_to_close = pc->md.next;
|
|
} else {
|
|
/*
|
|
* It was in the middle of the list.
|
|
*/
|
|
prevpc->md.next = pc->md.next;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
pcap_t *
|
|
pcap_open_dead(int linktype, int snaplen)
|
|
{
|
|
pcap_t *p;
|
|
|
|
p = calloc(1, sizeof(*p));
|
|
if (p == NULL)
|
|
return NULL;
|
|
p->snapshot = snaplen;
|
|
p->linktype = linktype;
|
|
p->fd = -1;
|
|
return p;
|
|
}
|
|
|
|
/*
|
|
* Given a BPF program, a pcap_pkthdr structure for a packet, and the raw
|
|
* data for the packet, check whether the packet passes the filter.
|
|
* Returns the return value of the filter program, which will be zero if
|
|
* the packet doesn't pass and non-zero if the packet does pass.
|
|
*/
|
|
int
|
|
pcap_offline_filter(const struct bpf_program *fp, const struct pcap_pkthdr *h,
|
|
const u_char *pkt)
|
|
{
|
|
struct bpf_insn *fcode = fp->bf_insns;
|
|
|
|
if (fcode != NULL)
|
|
return (bpf_filter(fcode, pkt, h->len, h->caplen));
|
|
else
|
|
return (0);
|
|
}
|
|
|
|
const char *
|
|
pcap_lib_version(void)
|
|
{
|
|
return (pcap_version_string);
|
|
}
|
|
|