mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-21 16:32:25 +01:00
609c85875a
Submitted by: mr
311 lines
7.9 KiB
C
311 lines
7.9 KiB
C
/*
|
|
* Copyright (c) 1990, 1991, 1992, 1993, 1994
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that: (1) source code distributions
|
|
* retain the above copyright notice and this paragraph in its entirety, (2)
|
|
* distributions including binary code include the above copyright notice and
|
|
* this paragraph in its entirety in the documentation or other materials
|
|
* provided with the distribution, and (3) all advertising materials mentioning
|
|
* features or use of this software display the following acknowledgement:
|
|
* ``This product includes software developed by the University of California,
|
|
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
|
|
* the University nor the names of its contributors may be used to endorse
|
|
* or promote products derived from this software without specific prior
|
|
* written permission.
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
|
|
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
*/
|
|
#ifndef lint
|
|
static char rcsid[] =
|
|
"@(#)$Header: pcap-pf.c,v 1.32 94/06/10 17:41:01 mccanne Exp $ (LBL)";
|
|
#endif
|
|
|
|
/*
|
|
* packet filter subroutines for tcpdump
|
|
* Extraction/creation by Jeffrey Mogul, DECWRL
|
|
*
|
|
* Extracted from tcpdump.c.
|
|
*/
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/time.h>
|
|
#include <sys/timeb.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/file.h>
|
|
#include <sys/ioctl.h>
|
|
#include <net/pfilt.h>
|
|
|
|
#include <net/if.h>
|
|
#include <net/bpf.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#include <netinet/if_ether.h>
|
|
#include <netinet/ip_var.h>
|
|
#include <netinet/udp.h>
|
|
#include <netinet/udp_var.h>
|
|
#include <netinet/tcp.h>
|
|
#include <netinet/tcpip.h>
|
|
|
|
#include <ctype.h>
|
|
#include <errno.h>
|
|
#include <netdb.h>
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
|
|
#include "pcap-int.h"
|
|
|
|
/*
|
|
* BUFSPACE is the size in bytes of the packet read buffer. Most tcpdump
|
|
* applications aren't going to need more than 200 bytes of packet header
|
|
* and the read shouldn't return more packets than packetfilter's internal
|
|
* queue limit (bounded at 256).
|
|
*/
|
|
#define BUFSPACE (200*256)
|
|
|
|
int
|
|
pcap_read(pcap_t *pc, int cnt, pcap_handler callback, u_char *user)
|
|
{
|
|
u_char *p;
|
|
struct bpf_insn *fcode;
|
|
int cc;
|
|
register u_char *bp;
|
|
int buflen, inc;
|
|
struct enstamp stamp;
|
|
int n;
|
|
fcode = pc->md.use_bpf ? 0 : pc->fcode.bf_insns;
|
|
again:
|
|
cc = pc->cc;
|
|
if (cc == 0) {
|
|
cc = read(pc->fd, (char *)pc->buffer, pc->bufsize);
|
|
if (cc < 0) {
|
|
if (errno == EWOULDBLOCK)
|
|
return (0);
|
|
if (errno == EINVAL &&
|
|
(long)(tell(pc->fd) + pc->bufsize) < 0) {
|
|
/*
|
|
* Due to a kernel bug, after 2^31 bytes,
|
|
* the kernel file offset overflows and
|
|
* read fails with EINVAL. The lseek()
|
|
* to 0 will fix things.
|
|
*/
|
|
(void)lseek(pc->fd, 0L, 0);
|
|
goto again;
|
|
}
|
|
sprintf(pc->errbuf, "pf read: %s",
|
|
pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
bp = pc->buffer;
|
|
} else
|
|
bp = pc->bp;
|
|
/*
|
|
* Loop through each packet.
|
|
*/
|
|
n = 0;
|
|
while (cc > 0) {
|
|
/* avoid alignment issues here */
|
|
bcopy((char *)bp, (char *)&stamp, sizeof(stamp));
|
|
if (stamp.ens_stamplen != sizeof(stamp))
|
|
/* buffer is garbage, treat it as poison */
|
|
break;
|
|
|
|
p = bp + stamp.ens_stamplen;
|
|
|
|
buflen = stamp.ens_count;
|
|
if (buflen > pc->snapshot)
|
|
buflen = pc->snapshot;
|
|
|
|
/*
|
|
* Short-circuit evaluation: if using BPF filter
|
|
* in kernel, no need to do it now.
|
|
*/
|
|
if (fcode == 0 ||
|
|
bpf_filter(fcode, p, stamp.ens_count, buflen)) {
|
|
struct pcap_pkthdr h;
|
|
pc->md.TotAccepted++;
|
|
h.ts = stamp.ens_tstamp;
|
|
h.len = stamp.ens_count;
|
|
h.caplen = buflen;
|
|
(*callback)(user, &h, p);
|
|
if (++n >= cnt && cnt > 0) {
|
|
inc = ENALIGN(buflen + stamp.ens_stamplen);
|
|
cc -= inc;
|
|
bp += inc;
|
|
pc->cc = cc;
|
|
pc->bp = bp;
|
|
return (n);
|
|
}
|
|
}
|
|
pc->md.TotPkts++;
|
|
pc->md.TotDrops += stamp.ens_dropped;
|
|
pc->md.TotMissed = stamp.ens_ifoverflows;
|
|
if (pc->md.OrigMissed < 0)
|
|
pc->md.OrigMissed = pc->md.TotMissed;
|
|
|
|
inc = ENALIGN(buflen + stamp.ens_stamplen);
|
|
cc -= inc;
|
|
bp += inc;
|
|
}
|
|
pc->cc = 0;
|
|
return (n);
|
|
}
|
|
|
|
int
|
|
pcap_stats(pcap_t *p, struct pcap_stat *ps)
|
|
{
|
|
ps->ps_recv = p->md.TotAccepted;
|
|
ps->ps_drop = p->md.TotDrops;
|
|
ps->ps_ifdrop = p->md.TotMissed - p->md.OrigMissed;
|
|
return (0);
|
|
}
|
|
|
|
pcap_t *
|
|
pcap_open_live(char *device, int snaplen, int promisc, int to_ms, char *ebuf)
|
|
{
|
|
pcap_t *p;
|
|
short enmode;
|
|
int backlog = -1; /* request the most */
|
|
struct enfilter Filter;
|
|
struct endevp devparams;
|
|
|
|
p = (pcap_t *)malloc(sizeof(*p));
|
|
if (p == 0) {
|
|
strcpy(ebuf, "no swap");
|
|
return (0);
|
|
}
|
|
bzero(p, sizeof(*p));
|
|
p->fd = pfopen(device, 0);
|
|
if (p->fd < 0) {
|
|
sprintf(ebuf, "pf open: %s: %s\n\
|
|
your system may not be properly configured; see \"man packetfilter(4)\"\n",
|
|
device, pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
p->md.OrigMissed = -1;
|
|
enmode = ENTSTAMP|ENBATCH|ENNONEXCL;
|
|
if (promisc)
|
|
enmode |= ENPROMISC;
|
|
if (ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode) < 0) {
|
|
sprintf(ebuf, "EIOCMBIS: %s", pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
#ifdef ENCOPYALL
|
|
/* Try to set COPYALL mode so that we see packets to ourself */
|
|
enmode = ENCOPYALL;
|
|
(void)ioctl(p->fd, EIOCMBIS, (caddr_t)&enmode);/* OK if this fails */
|
|
#endif
|
|
/* set the backlog */
|
|
if (ioctl(p->fd, EIOCSETW, (caddr_t)&backlog) < 0) {
|
|
sprintf(ebuf, "EIOCSETW: %s", pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
/* set truncation */
|
|
if (ioctl(p->fd, EIOCTRUNCATE, (caddr_t)&snaplen) < 0) {
|
|
sprintf(ebuf, "EIOCTRUNCATE: %s", pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
p->snapshot = snaplen;
|
|
/* accept all packets */
|
|
Filter.enf_Priority = 37; /* anything > 2 */
|
|
Filter.enf_FilterLen = 0; /* means "always true" */
|
|
if (ioctl(p->fd, EIOCSETF, (caddr_t)&Filter) < 0) {
|
|
sprintf(ebuf, "EIOCSETF: %s", pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
/* discover interface type */
|
|
if (ioctl(p->fd, EIOCDEVP, (caddr_t)&devparams) < 0) {
|
|
sprintf(ebuf, "EIOCDEVP: %s", pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
/* HACK: to compile prior to Ultrix 4.2 */
|
|
#ifndef ENDT_FDDI
|
|
#define ENDT_FDDI 4
|
|
#endif
|
|
switch (devparams.end_dev_type) {
|
|
case ENDT_10MB:
|
|
p->linktype = DLT_EN10MB;
|
|
break;
|
|
|
|
case ENDT_FDDI:
|
|
p->linktype = DLT_FDDI;
|
|
break;
|
|
|
|
default:
|
|
/*
|
|
* XXX
|
|
* Currently, the Ultrix packet filter supports only
|
|
* Ethernet and FDDI. Eventually, support for SLIP and PPP
|
|
* (and possibly others: T1?) should be added.
|
|
*/
|
|
#ifdef notdef
|
|
warning(
|
|
"Packet filter data-link type %d unknown, assuming Ethernet",
|
|
devparams.end_dev_type);
|
|
#endif
|
|
p->linktype = DLT_EN10MB;
|
|
break;
|
|
}
|
|
|
|
if (to_ms != 0) {
|
|
struct timeval timeout;
|
|
timeout.tv_sec = to_ms / 1000;
|
|
timeout.tv_usec = (to_ms * 1000) % 1000000;
|
|
if (ioctl(p->fd, EIOCSRTIMEOUT, (caddr_t)&timeout) < 0) {
|
|
sprintf(ebuf, "EIOCSRTIMEOUT: %s",
|
|
pcap_strerror(errno));
|
|
goto bad;
|
|
}
|
|
}
|
|
p->bufsize = BUFSPACE;
|
|
p->buffer = (u_char*)malloc(p->bufsize);
|
|
|
|
return (p);
|
|
bad:
|
|
free(p);
|
|
return (0);
|
|
}
|
|
|
|
int
|
|
pcap_setfilter(pcap_t *p, struct bpf_program *fp)
|
|
{
|
|
/*
|
|
* See if BIOCSETF works. If it does, the kernel supports
|
|
* BPF-style filters, and we do not need to do post-filtering.
|
|
*/
|
|
p->md.use_bpf = (ioctl(p->fd, BIOCSETF, (caddr_t)fp) >= 0);
|
|
if (p->md.use_bpf) {
|
|
struct bpf_version bv;
|
|
|
|
if (ioctl(p->fd, BIOCVERSION, (caddr_t)&bv) < 0) {
|
|
sprintf(p->errbuf, "BIOCVERSION: %s",
|
|
pcap_strerror(errno));
|
|
return (-1);
|
|
}
|
|
else if (bv.bv_major != BPF_MAJOR_VERSION ||
|
|
bv.bv_minor < BPF_MINOR_VERSION) {
|
|
fprintf(stderr,
|
|
"requires bpf language %d.%d or higher; kernel is %d.%d",
|
|
BPF_MAJOR_VERSION, BPF_MINOR_VERSION,
|
|
bv.bv_major, bv.bv_minor);
|
|
/* don't give up, just be inefficient */
|
|
p->md.use_bpf = 0;
|
|
}
|
|
} else
|
|
p->fcode = *fp;
|
|
|
|
/*XXX this goes in tcpdump*/
|
|
if (p->md.use_bpf)
|
|
fprintf(stderr, "tcpdump: Using kernel BPF filter\n");
|
|
else
|
|
fprintf(stderr, "tcpdump: Filtering in user process\n");
|
|
return (0);
|
|
}
|