| blob | b954058df9393bd45ed55ba2c2bb97b4b19d5bf5 |
1 /*
2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16 * nor the names of its contributors may be used to endorse or promote
17 * products derived from this software without specific prior written
18 * permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 *
32 */
34 #ifdef HAVE_CONFIG_H
36 #endif
46 /*
47 * \file pcap-rpcap.c
48 *
49 * This file keeps all the new funtions that are needed for the RPCAP protocol.
50 * Almost all the pcap functions need to be modified in order to become compatible
51 * with the RPCAP protocol. However, you can find here only the ones that are completely new.
52 *
53 * This file keeps also the functions that are 'private', i.e. are needed by the RPCAP
54 * protocol but are not exported to the user.
55 *
56 * \warning All the RPCAP functions that are allowed to return a buffer containing
57 * the error description can return max PCAP_ERRBUF_SIZE characters.
58 * However there is no guarantees that the string will be zero-terminated.
59 * Best practice is to define the errbuf variable as a char of size 'PCAP_ERRBUF_SIZE+1'
60 * and to insert manually a NULL character at the end of the buffer. This will
61 * guarantee that no buffer overflows occur even if we use the printf() to show
62 * the error on the screen.
63 */
65 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_remote to see if we want standard or extended statistics */
66 #define PCAP_STATS_EX 1 /* Used by pcap_stats_remote to see if we want standard or extended statistics */
68 /* Keeps a list of all the opened connections in the active mode. */
71 /*
72 * Private data for capturing on WinPcap devices.
73 */
79 #ifdef HAVE_DAG_API
81 #endif
82 };
84 /****************************************************
85 * *
86 * Locally defined functions *
87 * *
88 ****************************************************/
91 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
98 /****************************************************
99 * *
100 * Function bodies *
101 * *
102 ****************************************************/
104 /*
105 * \ingroup remote_pri_func
106 *
107 * \brief It traslates (i.e. de-serializes) a 'sockaddr_storage' structure from
108 * the network byte order to the host byte order.
109 *
110 * It accepts a 'sockaddr_storage' structure as it is received from the network and it
111 * converts it into the host byte order (by means of a set of ntoh() ).
112 * The function will allocate the 'sockaddrout' variable according to the address family
113 * in use. In case the address does not belong to the AF_INET nor AF_INET6 families,
114 * 'sockaddrout' is not allocated and a NULL pointer is returned.
115 * This usually happens because that address does not exist on the other host, so the
116 * RPCAP daemon sent a 'sockaddr_storage' structure containing all 'zero' values.
117 *
118 * \param sockaddrin: a 'sockaddr_storage' pointer to the variable that has to be
119 * de-serialized.
120 *
121 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
122 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
123 * This variable will be allocated automatically inside this function.
124 *
125 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
126 * that will contain the error message (in case there is one).
127 *
128 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
129 * can be only the fact that the malloc() failed to allocate memory.
130 * The error message is returned in the 'errbuf' variable, while the deserialized address
131 * is returned into the 'sockaddrout' variable.
132 *
133 * \warning This function supports only AF_INET and AF_INET6 address families.
134 *
135 * \warning The sockaddrout (if not NULL) must be deallocated by the user.
136 */
137 int rpcap_deseraddr(struct sockaddr_storage *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
138 {
139 /* Warning: we support only AF_INET and AF_INET6 */
141 {
150 {
153 }
156 }
158 {
169 {
172 }
175 }
177 /* It is neither AF_INET nor AF_INET6 */
180 }
182 /* \ingroup remote_pri_func
183 *
184 * \brief It reads a packet from the network socket. This does not make use of
185 * callback (hence the "nocb" string into its name).
186 *
187 * This function is called by the several pcap_next_ex() when they detect that
188 * we have a remote capture and they are the client side. In that case, they need
189 * to read packets from the socket.
190 *
191 * Parameters and return values are exactly the same of the pcap_next_ex().
192 *
193 * \warning By choice, this function does not make use of semaphores. A smarter
194 * implementation should put a semaphore into the data thread, and a signal will
195 * be raised as soon as there is data into the socket buffer.
196 * However this is complicated and it does not bring any advantages when reading
197 * from the network, in which network delays can be much more important than
198 * these optimizations. Therefore, we chose the following approach:
199 * - the 'timeout' chosen by the user is split in two (half on the server side,
200 * with the usual meaning, and half on the client side)
201 * - this function checks for packets; if there are no packets, it waits for
202 * timeout/2 and then it checks again. If packets are still missing, it returns,
203 * otherwise it reads packets.
204 */
206 {
209 char netbuf[RPCAP_NETBUF_SIZE]; /* size of the network buffer in which the packet is copied, just for UDP */
210 uint32 totread; /* number of bytes (of payload) currently read from the network (referred to the current pkt) */
214 /* Structures needed for the select() call */
221 /*
222 * Define the read timeout, to be used in the select()
223 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
224 */
228 /* Watch out sockdata to see if it has input */
231 /*
232 * 'fp->rmt_sockdata' has always to be set before calling the select(),
233 * since it is cleared by the select()
234 */
239 {
242 }
244 /* There is no data waiting, so return '0' */
248 /*
249 * data is here; so, let's copy it into the user buffer.
250 * I'm going to read a new packet; so I reset the number of bytes (payload only) read
251 */
254 /*
255 * We have to define 'header' as a pointer to a larger buffer,
256 * because in case of UDP we have to read all the message within a single call
257 */
262 {
263 /* Read the entire message from the network */
264 if (sock_recv(md->rmt_sockdata, netbuf, RPCAP_NETBUF_SIZE, SOCK_RECEIVEALL_NO, p->errbuf, PCAP_ERRBUF_SIZE) == -1)
266 }
267 else
268 {
269 if (sock_recv(md->rmt_sockdata, netbuf, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, p->errbuf, PCAP_ERRBUF_SIZE) == -1)
271 }
273 /* Checks if the message is correct */
277 {
279 {
290 }
291 }
293 /* In case of TCP, read the remaining of the packet from the socket */
295 {
296 /* Read the RPCAP packet header from the network */
303 }
306 {
307 /* Initialize returned structures */
316 /*
317 * I don't update the counter of the packets dropped by the network since we're using TCP,
318 * therefore no packets are dropped. Just update the number of packets received correctly
319 */
322 /* Copies the packet into the data buffer */
324 {
327 /*
328 * In case of UDP the packet has already been read, we have to copy it into 'buffer'.
329 * Another option should be to declare 'netbuf' as 'static'. However this prevents
330 * using several pcap instances within the same process (because the static buffer is shared among
331 * all processes)
332 */
333 memcpy(*pkt_data, netbuf + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr), (*pkt_header)->caplen);
335 /* We're using UDP, so we need to update the counter of the packets dropped by the network */
339 {
342 }
344 }
345 else
346 {
347 /* In case of TCP, read the remaining of the packet from the socket */
355 /* Checks if all the data has been read; if not, discard the data in excess */
356 /* This check has to be done only on TCP connections */
359 }
362 /* Packet read successfully */
364 }
365 else
366 {
367 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "Received a packet that is larger than the internal buffer size.");
369 }
371 }
373 /* \ingroup remote_pri_func
374 *
375 * \brief It reads a packet from the network socket.
376 *
377 * This function is called by the several pcap_read() when they detect that
378 * we have a remote capture and they are the client side. In that case, they need
379 * to read packets from the socket.
380 *
381 * This function relies on the pcap_read_nocb_remote to deliver packets. The
382 * difference, here, is that as soon as a packet is read, it is delivered
383 * to the application by means of a callback function.
384 *
385 * Parameters and return values are exactly the same of the pcap_read().
386 */
388 {
394 {
396 {
398 n++;
399 }
400 else
402 }
404 }
406 /* \ingroup remote_pri_func
407 *
408 * \brief It sends a CLOSE command to the capture server.
409 *
410 * This function is called when the user wants to close a pcap_t adapter.
411 * In case we're capturing from the network, it sends a command to the other
412 * peer that says 'ok, let's stop capturing'.
413 * This function is called automatically when the user calls the pcap_close().
414 *
415 * Parameters and return values are exactly the same of the pcap_close().
416 *
417 * \warning Since we're closing the connection, we do not check for errors.
418 */
420 {
422 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
428 /* detect if we're in active mode */
431 {
433 {
436 }
438 }
441 {
444 /* I don't check for errors, since I'm going to close everything */
446 }
447 else
448 {
451 /* I don't check for errors, since I'm going to close everything */
454 /* wait for the answer */
455 /* Don't check what we got, since the present libpcap does not uses this pcap_t anymore */
456 sock_recv(md->rmt_sockctrl, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, NULL, 0);
460 }
463 {
466 }
474 {
477 }
479 /* To avoid inconsistencies in the number of sock_init() */
481 }
483 /* \ingroup remote_pri_func
484 *
485 * \brief It retrieves network statistics from the other peer.
486 *
487 * This function is just a void cointainer, since the work is done by the rpcap_stats_remote().
488 * See that funcion for more details.
489 *
490 * Parameters and return values are exactly the same of the pcap_stats().
491 */
493 {
500 else
502 }
504 #ifdef _WIN32
505 /* \ingroup remote_pri_func
506 *
507 * \brief It retrieves network statistics from the other peer.
508 *
509 * This function is just a void cointainer, since the work is done by the rpcap_stats_remote().
510 * See that funcion for more details.
511 *
512 * Parameters and return values are exactly the same of the pcap_stats_ex().
513 */
515 {
518 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
520 }
521 #endif
523 /* \ingroup remote_pri_func
524 *
525 * \brief It retrieves network statistics from the other peer.
526 *
527 * This function can be called in two modes:
528 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e. the pcap_stats() )
529 * - PCAP_STATS_EX: if we want extended statistics (i.e. the pcap_stats_ex() )
530 *
531 * This 'mode' parameter is needed because in the standard pcap_stats() the variable that keeps the
532 * statistics is allocated by the user. Unfortunately, this structure has been extended in order
533 * to keep new stats. However, if the user has a smaller structure and it passes it to the pcap_stats,
534 * thid function will try to fill in more data than the size of the structure, so that the application
535 * goes in memory overflow.
536 * So, we need to know it we have to copy just the standard fields, or the extended fields as well.
537 *
538 * In case we want to copy the extended fields as well, the problem of memory overflow does no
539 * longer exist because the structure pcap_stat is no longer allocated by the program;
540 * it is allocated by the library instead.
541 *
542 * \param p: the pcap_t structure related to the current instance.
543 *
544 * \param ps: a 'pcap_stat' structure, needed for compatibility with pcap_stat(), in which
545 * the structure is allocated by the user. In case of pcap_stats_ex, this structure and the
546 * function return value point to the same variable.
547 *
548 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
549 *
550 * \return The structure that keeps the statistics, or NULL in case of error.
551 * The error string is placed in the pcap_t structure.
552 */
554 {
564 /*
565 * If the capture has still to start, we cannot ask statistics to the other peer,
566 * so we return a fake number
567 */
569 {
571 {
575 }
576 else
577 {
584 }
587 }
591 /* Send the PCAP_STATS command */
592 if (sock_send(md->rmt_sockctrl, (char *)&header, sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE))
595 /* Receive the RPCAP stats reply message */
596 if (sock_recv(md->rmt_sockctrl, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, p->errbuf, PCAP_ERRBUF_SIZE) == -1)
599 /* Checks if the message is correct */
600 retval = rpcap_checkmsg(p->errbuf, md->rmt_sockctrl, &header, RPCAP_MSG_STATS_REPLY, RPCAP_MSG_ERROR, 0);
603 {
605 {
612 /* Update totread, since the rpcap_checkmsg() already purged the buffer */
615 /* Do nothing; just exit; the error code is already into the errbuf */
621 }
622 }
632 {
636 }
637 else
638 {
645 }
647 /* Checks if all the data has been read; if not, discard the data in excess */
649 {
652 }
656 error:
661 }
663 /* \ingroup remote_pri_func
664 *
665 * \brief It opens a remote adapter by opening an RPCAP connection and so on.
666 *
667 * This function does basically the job of pcap_open_live() for a remote interface.
668 * In other words, we have a pcap_read for win32, which reads packets from NPF,
669 * another for LINUX, and so on. Now, we have a pcap_opensource_remote() as well.
670 * The difference, here, is the capture thread does not start until the
671 * pcap_startcapture_remote() is called.
672 *
673 * This is because, in remote capture, we cannot start capturing data as soon ad the
674 * 'open adapter' command is sent. Suppose the remote adapter is already overloaded;
675 * if we start a capture (which, by default, has a NULL filter) the new traffic can
676 * saturate the network.
677 *
678 * Instead, we want to "open" the adapter, then send a "start capture" command only
679 * when we're ready to start the capture.
680 * This funtion does this job: it sends a "open adapter" command (according to the
681 * RPCAP protocol), but it does not start the capture.
682 *
683 * Since the other libpcap functions do not share this way of life, we have to make
684 * some dirty things in order to make everyting working.
685 *
686 * \param fp: A pointer to a pcap_t structure that has been previously created with
687 * \ref pcap_create().
688 * \param source: see pcap_open().
689 * \param auth: see pcap_open().
690 *
691 * \return 0 in case of success, -1 otherwise. In case of success, the pcap_t pointer in fp can be
692 * used as a parameter to the following calls (pcap_compile() and so on). In case of
693 * problems, fp->errbuf contains a text explanation of error.
694 *
695 * \warning In case we call the pcap_compile() and the capture is not started, the filter
696 * will be saved into the pcap_t structure, and it will be sent to the other host later
697 * (when the pcap_startcapture_remote() is called).
698 */
700 {
710 /* socket-related variables */
715 /* RPCAP-related variables */
724 /*
725 * determine the type of the source (NULL, file, local, remote)
726 * You must have a valid source string even if we're in active mode, because otherwise
727 * the call to the following function will fail.
728 */
733 {
734 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE, "This function is able to open only remote interfaces");
736 }
740 /*
741 * Warning: this call can be the first one called by the user.
742 * For this reason, we have to initialize the WinSock support.
743 */
752 {
753 /*
754 * We're not in active mode; let's try to open a new
755 * control connection.
756 */
762 {
763 /* the user chose not to specify the port */
764 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
766 }
767 else
768 {
769 /* the user chose not to specify the port */
772 }
774 if ((sockctrl = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
782 }
784 /*
785 * Now it's time to start playing with the RPCAP protocol
786 * RPCAP open command: create the request message
787 */
792 rpcap_createhdr((struct rpcap_header *) sendbuf, RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface));
801 /* Receive the RPCAP open reply message */
802 if (sock_recv(sockctrl, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
805 /* Checks if the message is correct */
806 retval = rpcap_checkmsg(fp->errbuf, sockctrl, &header, RPCAP_MSG_OPEN_REPLY, RPCAP_MSG_ERROR, 0);
809 {
811 {
818 /* Update totread, since the rpcap_checkmsg() already purged the buffer */
820 /* Do nothing; just exit; the error code is already into the errbuf */
826 }
827 }
836 /* Set proper fields into the pcap_t struct */
843 /* This code is duplicated from the end of this function */
849 #ifdef _WIN32
851 #endif
854 /* Checks if all the data has been read; if not, discard the data in excess */
856 {
859 }
862 error:
863 /*
864 * When the connection has been established, we have to close it. So, at the
865 * beginning of this function, if an error occur we return immediately with
866 * a return NULL; when the connection is established, we have to come here
867 * ('goto error;') in order to close everything properly.
868 *
869 * Checks if all the data has been read; if not, discard the data in excess
870 */
881 }
883 /* \ingroup remote_pri_func
884 *
885 * \brief It starts a remote capture.
886 *
887 * This function is requires since the RPCAP protocol decouples the 'open' from the
888 * 'start capture' functions.
889 * This function takes all the parameters needed (which have been stored into the pcap_t structure)
890 * and sends them to the server.
891 * If everything is fine, it creates a new child thread that reads data from the network
892 * and puts data it into the user buffer.
893 * The pcap_read() will read data from the user buffer, as usual.
894 *
895 * The remote capture acts like a new "kernel", which puts packets directly into
896 * the buffer pointed by pcap_t.
897 * In fact, this function does not rely on a kernel that reads packets and put them
898 * into the user buffer; it has to do that on its own.
899 *
900 * \param fp: the pcap_t descriptor of the device currently open.
901 *
902 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
903 * is returned into the 'errbuf' field of the pcap_t structure.
904 */
906 {
909 char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the the data connection */
914 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
917 /* socket-related variables*/
921 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
922 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
925 /* RPCAP-related variables*/
930 /* Variables related to the buffer setting */
938 /*
939 * Let's check if sampling has been required.
940 * If so, let's set it first
941 */
946 /* detect if we're in active mode */
949 {
951 {
954 }
956 }
960 /*
961 * Gets the complete sockaddr structure used in the ctrl connection
962 * This is needed to get the address family of the control socket
963 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
964 * since the ctrl socket can already be open in case of active mode;
965 * so I would have to call getpeername() anyway
966 */
969 {
972 }
975 /* Get the numeric address of the remote host we are connected to */
978 {
981 }
983 /*
984 * Data connection is opened by the server toward the client if:
985 * - we're using TCP, and the user wants us to be in active mode
986 * - we're using UDP
987 */
989 {
990 /*
991 * We have to create a new socket to receive packets
992 * We have to do that immediately, since we have to tell the other
993 * end which network port we picked up
994 */
996 /* TEMP addrinfo is NULL in case of active */
1001 /* Let's the server pick up a free network port for us */
1009 /* addrinfo is no longer used */
1013 /* get the complete sockaddr structure used in the data connection */
1016 {
1019 }
1021 /* Get the local port the system picked up */
1024 {
1027 }
1028 }
1030 /*
1031 * Now it's time to start playing with the RPCAP protocol
1032 * RPCAP start capture command: create the request message
1033 */
1039 sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
1041 /* Fill the structure needed to open an adapter remotely */
1050 /* By default, apply half the timeout on one side, half of the other */
1054 /* portdata on the openreq is meaningful only if we're in active mode */
1056 {
1057 sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */
1059 }
1073 /* Pack the capture filter */
1081 /* Receive the RPCAP start capture reply message */
1082 if (sock_recv(md->rmt_sockctrl, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1085 /* Checks if the message is correct */
1086 retval = rpcap_checkmsg(fp->errbuf, md->rmt_sockctrl, &header, RPCAP_MSG_STARTCAP_REPLY, RPCAP_MSG_ERROR, 0);
1089 {
1091 {
1098 /* Update totread, since the rpcap_checkmsg() already purged the buffer */
1100 /* Do nothing; just exit; the error code is already into the errbuf */
1106 }
1107 }
1116 /*
1117 * In case of UDP data stream, the connection is always opened by the daemon
1118 * So, this case is already covered by the code above.
1119 * Now, we have still to handle TCP connections, because:
1120 * - if we're in active mode, we have to wait for a remote connection
1121 * - if we're in passive more, we have to start a connection
1122 *
1123 * We have to do he job in two steps because in case we're opening a TCP connection, we have
1124 * to tell the port we're using to the remote side; in case we're accepting a TCP
1125 * connection, we have to wait this info from the remote side.
1126 */
1129 {
1131 {
1137 /* Let's the server pick up a free network port for us */
1141 if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1144 /* addrinfo is no longer used */
1147 }
1148 else
1149 {
1152 /* Connection creation */
1158 {
1161 }
1163 /* Now that I accepted the connection, the server socket is no longer needed */
1166 }
1167 }
1169 /* Let's save the socket of the data connection */
1172 /* Allocates WinPcap/libpcap user buffer, which is a socket buffer in case of a remote capture */
1173 /* It has the same size of the one used on the other side of the connection */
1176 /* Let's get the actual size of the socket buffer */
1181 {
1184 }
1186 /*
1187 * Warning: on some kernels (e.g. Linux), the size of the user buffer does not take
1188 * into account the pcap_header and such, and it is set equal to the snaplen.
1189 * In my view, this is wrong (the meaning of the bufsize became a bit strange).
1190 * So, here bufsize is the whole size of the user buffer.
1191 * In case the bufsize returned is too small, let's adjust it accordingly.
1192 */
1196 /* if the current socket buffer is smaller than the desired one */
1198 {
1199 /* Loop until the buffer size is OK or the original socket buffer size is larger than this one */
1201 {
1202 res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&(fp->bufsize), sizeof(fp->bufsize));
1207 /*
1208 * If something goes wrong, half the buffer size (checking that it does not become smaller than
1209 * the current one)
1210 */
1214 {
1217 }
1218 }
1219 }
1221 /*
1222 * Let's allocate the packet; this is required in order to put the packet somewhere when
1223 * extracting data from the socket
1224 * Since buffering has already been done in the socket buffer, here we need just a buffer,
1225 * whose size is equal to the pcap header plus the snapshot length
1226 */
1231 {
1234 }
1237 /* Checks if all the data has been read; if not, discard the data in excess */
1239 {
1242 }
1244 /*
1245 * In case the user does not want to capture RPCAP packets, let's update the filter
1246 * We have to update it here (instead of sending it into the 'StartCapture' message
1247 * because when we generate the 'start capture' we do not know (yet) all the ports
1248 * we're currently using.
1249 */
1251 {
1257 /* We cannot use 'pcap_setfilter_remote' because formally the capture has not been started yet */
1258 /* (the 'fp->rmt_capstarted' variable will be updated some lines below) */
1263 }
1268 error:
1269 /*
1270 * When the connection has been established, we have to close it. So, at the
1271 * beginning of this function, if an error occur we return immediately with
1272 * a return NULL; when the connection is established, we have to come here
1273 * ('goto error;') in order to close everything properly.
1274 *
1275 * Checks if all the data has been read; if not, discard the data in excess
1276 */
1286 /*
1287 * We do not have to call pcap_close() here, because this function is always called
1288 * by the user in case something bad happens
1289 */
1290 // if (fp)
1291 // {
1292 // pcap_close(fp);
1293 // fp= NULL;
1294 // }
1297 }
1299 /*
1300 * \brief Takes a bpf program and sends it to the other host.
1301 *
1302 * This function can be called in two cases:
1303 * - the pcap_startcapture() is called (we have to send the filter along with
1304 * the 'start capture' command)
1305 * - we want to udpate the filter during a capture (i.e. the pcap_setfilter()
1306 * is called when the capture is still on)
1307 *
1308 * This function serializes the filter into the sending buffer ('sendbuf', passed
1309 * as a parameter) and return back. It does not send anything on the network.
1310 *
1311 * \param fp: the pcap_t descriptor of the device currently opened.
1312 *
1313 * \param sendbuf: the buffer on which the serialized data has to copied.
1314 *
1315 * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
1316 *
1317 * \param prog: the bpf program we have to copy.
1318 *
1319 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1320 * is returned into the 'errbuf' field of the pcap_t structure.
1321 */
1322 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
1323 {
1332 {
1337 }
1356 {
1362 insn++;
1363 bf_insn++;
1364 }
1367 }
1369 /* \ingroup remote_pri_func
1370 *
1371 * \brief Update a filter on a remote host.
1372 *
1373 * This function is called when the user wants to update a filter.
1374 * In case we're capturing from the network, it sends the filter to the other peer.
1375 * This function is *not* called automatically when the user calls the pcap_setfilter().
1376 * There will be two cases:
1377 * - the capture is already on: in this case, pcap_setfilter() calls pcap_updatefilter_remote()
1378 * - the capture has not started yet: in this case, pcap_setfilter() stores the filter into
1379 * the pcap_t structure, and then the filter is sent with the pcap_startcap().
1380 *
1381 * Parameters and return values are exactly the same of the pcap_setfilter().
1382 *
1383 * \warning This function *does not* clear the packet currently into the buffers. Therefore,
1384 * the user has to expect to receive some packets that are related to the previous filter.
1385 * If you want to discard all the packets before applying a new filter, you have to close
1386 * the current capture session and start a new one.
1387 */
1389 {
1412 /* Waits for the answer */
1413 if (sock_recv(md->rmt_sockctrl, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1416 /* Checks if the message is correct */
1417 retval = rpcap_checkmsg(fp->errbuf, md->rmt_sockctrl, &header, RPCAP_MSG_UPDATEFILTER_REPLY, 0);
1420 {
1422 {
1426 /* Do nothing; just exit from here; the error code is already into the errbuf */
1432 }
1433 }
1436 {
1439 }
1442 }
1444 /*
1445 * \ingroup remote_pri_func
1446 *
1447 * \brief Send a filter to a remote host.
1448 *
1449 * This function is called when the user wants to set a filter.
1450 * In case we're capturing from the network, it sends the filter to the other peer.
1451 * This function is called automatically when the user calls the pcap_setfilter().
1452 *
1453 * Parameters and return values are exactly the same of the pcap_setfilter().
1454 */
1456 {
1462 {
1463 /* copy filter into the pcap_t structure */
1467 }
1469 /* we have to update a filter during run-time */
1474 }
1476 /*
1477 * \ingroup remote_pri_func
1478 *
1479 * \brief Update the current filter in order not to capture rpcap packets.
1480 *
1481 * This function is called *only* when the user wants exclude RPCAP packets
1482 * related to the current session from the captured packets.
1483 *
1484 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1485 * is returned into the 'errbuf' field of the pcap_t structure.
1486 */
1488 {
1494 /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1496 {
1497 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1498 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1508 /* Get the name/port of the other peer */
1511 {
1514 }
1518 {
1521 }
1523 /* We cannot check the data port, because this is available only in case of TCP sockets */
1524 /* Get the name/port of the current host */
1526 {
1529 }
1531 /* Get the local port the system picked up */
1534 {
1537 }
1539 /* Let's now check the data port */
1541 {
1544 }
1546 /* Get the local port the system picked up */
1547 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
1548 {
1551 }
1558 {
1560 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1561 md->currentfilter, myaddress, peeraddress, myctrlport, peerctrlport, myaddress, peeraddress, mydataport);
1562 }
1563 else
1564 {
1568 }
1572 /* This is only an hack to make the pcap_compile() working properly */
1578 /* This is only an hack to make the pcap_compile() working properly */
1582 }
1585 }
1587 /*
1588 * \ingroup remote_pri_func
1589 *
1590 * \brief Set sampling parameters in the remote host.
1591 *
1592 * This function is called when the user wants to set activate sampling on the remote host.
1593 *
1594 * Sampling parameters are defined into the 'pcap_t' structure.
1595 *
1596 * \param p: the pcap_t descriptor of the device currently opened.
1597 *
1598 * \return '0' if everything is OK, '-1' is something goes wrong. The error message is returned
1599 * in the 'errbuf' member of the pcap_t structure.
1600 */
1602 {
1607 struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */
1612 /* If no samping is requested, return 'ok' */
1620 rpcap_createhdr((struct rpcap_header *) sendbuf, RPCAP_MSG_SETSAMPLING_REQ, 0, sizeof(struct rpcap_sampling));
1622 /* Fill the structure needed to open an adapter remotely */
1637 /* Waits for the answer */
1638 if (sock_recv(md->rmt_sockctrl, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, p->errbuf, PCAP_ERRBUF_SIZE) == -1)
1641 /* Checks if the message is correct */
1645 {
1647 {
1652 /* Do nothing; just exit from here; the error code is already into the errbuf */
1658 }
1659 }
1662 {
1665 }
1669 }
1671 /*********************************************************
1672 * *
1673 * Miscellaneous functions *
1674 * *
1675 *********************************************************/
1678 /* \ingroup remote_pri_func
1679 * \brief It sends a RPCAP error to the other peer.
1680 *
1681 * This function has to be called when the main program detects an error. This function
1682 * will send on the other peer the 'buffer' specified by the user.
1683 * This function *does not* request a RPCAP CLOSE connection. A CLOSE command must be sent
1684 * explicitly by the program, since we do not know it the error can be recovered in some
1685 * way or it is a non-recoverable one.
1686 *
1687 * \param sock: the socket we are currently using.
1688 *
1689 * \param error: an user-allocated (and '0' terminated) buffer that contains the error
1690 * description that has to be transmitted on the other peer. The error message cannot
1691 * be longer than PCAP_ERRBUF_SIZE.
1692 *
1693 * \param errcode: a integer which tells the other party the type of error we had;
1694 * currently is is not too much used.
1695 *
1696 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
1697 * that will contain the error message (in case there is one). It could be network problem.
1698 *
1699 * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
1700 * in the 'errbuf' variable.
1701 */
1703 {
1706 uint16 length;
1727 }
1729 /* \ingroup remote_pri_func
1730 * \brief Sends the authentication message.
1731 *
1732 * It sends the authentication parameters on the control socket.
1733 * This function is required in order to open the connection with the other end party.
1734 *
1735 * \param sock: the socket we are currently using.
1736 *
1737 * \param auth: authentication parameters that have to be sent.
1738 *
1739 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
1740 * that will contain the error message (in case there is one). It could be network problem
1741 * of the fact that the authorization failed.
1742 *
1743 * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
1744 * in the 'errbuf' variable.
1745 * The error message could be also 'the authentication failed'.
1746 */
1748 {
1749 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */
1753 uint16 auth_type;
1758 {
1762 {
1776 }
1777 }
1778 else
1779 {
1782 }
1802 {
1806 else
1815 else
1824 }
1829 if (sock_recv(sock, (char *)&header, sizeof(struct rpcap_header), SOCK_RECEIVEALL_YES, errbuf, PCAP_ERRBUF_SIZE) == -1)
1835 {
1837 {
1841 /* Do nothing; just exit from here; the error code is already into the errbuf */
1850 }
1851 }
1854 {
1857 }
1860 }
1862 /* \ingroup remote_pri_func
1863 * \brief Creates a structure of type rpcap_header.
1864 *
1865 * This function is provided just because the creation of an rpcap header is quite a common
1866 * task. It accepts all the values that appears into an rpcap_header, and it puts them in
1867 * place using the proper hton() calls.
1868 *
1869 * \param header: a pointer to a user-allocated buffer which will contain the serialized
1870 * header, ready to be sent on the network.
1871 *
1872 * \param type: a value (in the host by order) which will be placed into the header.type
1873 * field and that represents the type of the current message.
1874 *
1875 * \param value: a value (in the host by order) which will be placed into the header.value
1876 * field and that has a message-dependent meaning.
1877 *
1878 * \param length: a value (in the host by order) which will be placed into the header.length
1879 * field and that represents the payload length of the message.
1880 *
1881 * \return Nothing. The serialized header is returned into the 'header' variable.
1882 */
1884 {
1891 }
1893 /* ingroup remote_pri_func
1894 * \brief Checks if the header of the received message is correct.
1895 *
1896 * This function is a way to easily check if the message received, in a certain
1897 * state of the RPCAP protocol Finite State Machine, is valid. This function accepts,
1898 * as a parameter, the list of message types that are allowed in a certain situation,
1899 * and it returns the one which occurs.
1900 *
1901 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
1902 * that will contain the error message (in case there is one). It could be either problem
1903 * occurred inside this function (e.g. a network problem in case it tries to send an
1904 * error on the other peer and the send() call fails), an error message which has been
1905 * sent to us from the other party, or a version error (the message receive has a version
1906 * number that is incompatible with our).
1907 *
1908 * \param sock: the socket that has to be used to receive data. This function can
1909 * read data from socket in case the version contained into the message is not compatible
1910 * with our. In that case, all the message is purged from the socket, so that the following
1911 * recv() calls will return a new message.
1912 *
1913 * \param header: a pointer to and 'rpcap_header' structure that keeps the data received from
1914 * the network (still in network byte order) and that has to be checked.
1915 *
1916 * \param first: this function has a variable number of parameters. From this point on,
1917 * all the messages that are valid in this context must be passed as parameters.
1918 * The message type list must be terminated with a '0' value, the null message type,
1919 * which means 'no more types to check'. The RPCAP protocol does not define anything with
1920 * message type equal to zero, so there is no ambiguity in using this value as a list terminator.
1921 *
1922 * \return The message type of the message that has been detected. In case of errors (e.g. the
1923 * header contains a type that is not listed among the allowed types), this function will
1924 * return the following codes:
1925 * - (-1) if the version is incompatible.
1926 * - (-2) if the code is not among the one listed into the parameters list
1927 * - (-3) if a network error (connection reset, ...)
1928 * - RPCAP_MSG_ERROR if the message is an error message (it follow that the RPCAP_MSG_ERROR
1929 * could not be present in the allowed message-types list, because this function checks
1930 * for errors anyway)
1931 *
1932 * In case either the version is incompatible or nothing matches (i.e. it returns '-1' or '-2'),
1933 * it discards the message body (i.e. it reads the remaining part of the message from the
1934 * network and it discards it) so that the application is ready to receive a new message.
1935 */
1937 {
1939 uint8 type;
1940 int32 len;
1944 /* Check if the present version of the protocol can handle this message */
1946 {
1951 }
1956 {
1957 /*
1958 * The message matches with one of the types listed
1959 * There is no need of conversions since both values are uint8
1960 *
1961 * Check if the other side reported an error.
1962 * If yes, it retrieves it and it returns it back to the caller
1963 */
1965 {
1969 {
1970 if (sock_recv(sock, errbuf, PCAP_ERRBUF_SIZE - 1, SOCK_RECEIVEALL_YES, errbuf, PCAP_ERRBUF_SIZE))
1975 /* Put '\0' at the end of the string */
1977 }
1978 else
1979 {
1983 /* Put '\0' at the end of the string */
1985 }
1990 }
1993 {
1996 }
1998 /* get next argument */
2000 }
2002 /* we already have an error, so please discard this one */
2005 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The other endpoint sent a message that is not allowed here.");
2010 }
2012 /* \ingroup remote_pri_func
2013 * \brief Checks if the version contained into the message is compatible with
2014 * the one handled by this implementation.
2015 *
2016 * Right now, this function does not have any sophisticated task: if the versions
2017 * are different, it returns -1 and it discards the message.
2018 * It is expected that in the future this message will become more complex.
2019 *
2020 * \param sock: the socket that has to be used to receive data. This function can
2021 * read data from socket in case the version contained into the message is not compatible
2022 * with our. In that case, all the message is purged from the socket, so that the following
2023 * recv() calls will return a new (clean) message.
2024 *
2025 * \param header: a pointer to and 'rpcap_header' structure that keeps the data received from
2026 * the network (still in network byte order) and that has to be checked.
2027 *
2028 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
2029 * that will contain the error message (in case there is one). The error message is
2030 * "incompatible version".
2031 *
2032 * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
2033 * in the 'errbuf' variable.
2034 */
2036 {
2037 /*
2038 * This is a sample function.
2039 *
2040 * In the real world, you have to check at the type code,
2041 * and decide accordingly.
2042 */
2045 {
2048 /* we already have an error, so please discard this one */
2051 }
2054 }
2056 /* \ingroup remote_pri_func
2057 *
2058 * \brief It returns the socket currently used for this active connection
2059 * (active mode only) and provides an indication of whether this connection
2060 * is in active mode or not.
2061 *
2062 * This function is just for internal use; it returns the socket ID of the
2063 * active connection currently opened.
2064 *
2065 * \param host: a string that keeps the host name of the host for which we
2066 * want to get the socket ID for that active connection.
2067 *
2068 * \param isactive: a pointer to an int that is set to 1 if there's an
2069 * active connection to that host and 0 otherwise.
2070 *
2071 * \param errbuf: a pointer to a user-allocated buffer (of size
2072 * PCAP_ERRBUF_SIZE) that will contain the error message (in case
2073 * there is one).
2074 *
2075 * \return the socket identifier if everything is fine, '0' if this host
2076 * is not in the active host list. An indication of whether this host
2077 * is in the active host list is returned into the isactive variable.
2078 * It returns 'INVALID_SOCKET' in case of error. The error message is
2079 * returned into the errbuf variable.
2080 */
2082 {
2084 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
2087 /* retrieve the network address corresponding to 'host' */
2095 {
2099 }
2104 {
2107 {
2111 }
2114 }
2116 }
2121 /*
2122 * The host for which you want to get the socket ID does not have an
2123 * active connection.
2124 */
2127 }