2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16 * nor the names of its contributors may be used to endorse or promote
17 * products derived from this software without specific prior written
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 #include <string.h> /* for strlen(), ... */
39 #include <stdlib.h> /* for malloc(), free(), ... */
40 #include <stdarg.h> /* for functions with variable number of arguments */
41 #include <errno.h> /* for the errno variable */
43 #include "pcap-rpcap.h"
44 #include "sockutils.h"
49 * This file keeps all the new funtions that are needed for the RPCAP protocol.
50 * Almost all the pcap functions need to be modified in order to become compatible
51 * with the RPCAP protocol. However, you can find here only the ones that are completely new.
53 * This file keeps also the functions that are 'private', i.e. are needed by the RPCAP
54 * protocol but are not exported to the user.
56 * \warning All the RPCAP functions that are allowed to return a buffer containing
57 * the error description can return max PCAP_ERRBUF_SIZE characters.
58 * However there is no guarantees that the string will be zero-terminated.
59 * Best practice is to define the errbuf variable as a char of size 'PCAP_ERRBUF_SIZE+1'
60 * and to insert manually a NULL character at the end of the buffer. This will
61 * guarantee that no buffer overflows occur even if we use the printf() to show
62 * the error on the screen.
65 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_remote to see if we want standard or extended statistics */
66 #define PCAP_STATS_EX 1 /* Used by pcap_stats_remote to see if we want standard or extended statistics */
68 /* Keeps a list of all the opened connections in the active mode. */
69 struct activehosts
*activeHosts
;
72 * Private data for capturing on WinPcap devices.
76 int rfmon_selfstart
; /* a flag tells whether the monitor mode is set by itself */
77 int filtering_in_kernel
; /* using kernel filter */
80 int dag_fcs_bits
; /* Number of checksum bits from link layer */
84 /****************************************************
86 * Locally defined functions *
88 ****************************************************/
89 static int rpcap_checkver(SOCKET sock
, struct rpcap_header
*header
, char *errbuf
);
90 static struct pcap_stat
*rpcap_stats_remote(pcap_t
*p
, struct pcap_stat
*ps
, int mode
);
91 static int pcap_pack_bpffilter(pcap_t
*fp
, char *sendbuf
, int *sendbufidx
, struct bpf_program
*prog
);
92 static int pcap_createfilter_norpcappkt(pcap_t
*fp
, struct bpf_program
*prog
);
93 static int pcap_updatefilter_remote(pcap_t
*fp
, struct bpf_program
*prog
);
94 static int pcap_setfilter_remote(pcap_t
*fp
, struct bpf_program
*prog
);
95 static int pcap_setsampling_remote(pcap_t
*p
);
98 /****************************************************
102 ****************************************************/
105 * \ingroup remote_pri_func
107 * \brief It traslates (i.e. de-serializes) a 'sockaddr_storage' structure from
108 * the network byte order to the host byte order.
110 * It accepts a 'sockaddr_storage' structure as it is received from the network and it
111 * converts it into the host byte order (by means of a set of ntoh() ).
112 * The function will allocate the 'sockaddrout' variable according to the address family
113 * in use. In case the address does not belong to the AF_INET nor AF_INET6 families,
114 * 'sockaddrout' is not allocated and a NULL pointer is returned.
115 * This usually happens because that address does not exist on the other host, so the
116 * RPCAP daemon sent a 'sockaddr_storage' structure containing all 'zero' values.
118 * \param sockaddrin: a 'sockaddr_storage' pointer to the variable that has to be
121 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
122 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
123 * This variable will be allocated automatically inside this function.
125 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
126 * that will contain the error message (in case there is one).
128 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
129 * can be only the fact that the malloc() failed to allocate memory.
130 * The error message is returned in the 'errbuf' variable, while the deserialized address
131 * is returned into the 'sockaddrout' variable.
133 * \warning This function supports only AF_INET and AF_INET6 address families.
135 * \warning The sockaddrout (if not NULL) must be deallocated by the user.
137 int rpcap_deseraddr(struct sockaddr_storage
*sockaddrin
, struct sockaddr_storage
**sockaddrout
, char *errbuf
)
139 /* Warning: we support only AF_INET and AF_INET6 */
140 if (ntohs(sockaddrin
->ss_family
) == AF_INET
)
142 struct sockaddr_in
*sockaddr
;
144 sockaddr
= (struct sockaddr_in
*) sockaddrin
;
145 sockaddr
->sin_family
= ntohs(sockaddr
->sin_family
);
146 sockaddr
->sin_port
= ntohs(sockaddr
->sin_port
);
148 (*sockaddrout
) = (struct sockaddr_storage
*) malloc(sizeof(struct sockaddr_in
));
149 if ((*sockaddrout
) == NULL
)
151 pcap_snprintf(errbuf
, PCAP_ERRBUF_SIZE
, "malloc() failed: %s", pcap_strerror(errno
));
154 memcpy(*sockaddrout
, sockaddr
, sizeof(struct sockaddr_in
));
157 if (ntohs(sockaddrin
->ss_family
) == AF_INET6
)
159 struct sockaddr_in6
*sockaddr
;
161 sockaddr
= (struct sockaddr_in6
*) sockaddrin
;
162 sockaddr
->sin6_family
= ntohs(sockaddr
->sin6_family
);
163 sockaddr
->sin6_port
= ntohs(sockaddr
->sin6_port
);
164 sockaddr
->sin6_flowinfo
= ntohl(sockaddr
->sin6_flowinfo
);
165 sockaddr
->sin6_scope_id
= ntohl(sockaddr
->sin6_scope_id
);
167 (*sockaddrout
) = (struct sockaddr_storage
*) malloc(sizeof(struct sockaddr_in6
));
168 if ((*sockaddrout
) == NULL
)
170 pcap_snprintf(errbuf
, PCAP_ERRBUF_SIZE
, "malloc() failed: %s", pcap_strerror(errno
));
173 memcpy(*sockaddrout
, sockaddr
, sizeof(struct sockaddr_in6
));
177 /* It is neither AF_INET nor AF_INET6 */
182 /* \ingroup remote_pri_func
184 * \brief It reads a packet from the network socket. This does not make use of
185 * callback (hence the "nocb" string into its name).
187 * This function is called by the several pcap_next_ex() when they detect that
188 * we have a remote capture and they are the client side. In that case, they need
189 * to read packets from the socket.
191 * Parameters and return values are exactly the same of the pcap_next_ex().
193 * \warning By choice, this function does not make use of semaphores. A smarter
194 * implementation should put a semaphore into the data thread, and a signal will
195 * be raised as soon as there is data into the socket buffer.
196 * However this is complicated and it does not bring any advantages when reading
197 * from the network, in which network delays can be much more important than
198 * these optimizations. Therefore, we chose the following approach:
199 * - the 'timeout' chosen by the user is split in two (half on the server side,
200 * with the usual meaning, and half on the client side)
201 * - this function checks for packets; if there are no packets, it waits for
202 * timeout/2 and then it checks again. If packets are still missing, it returns,
203 * otherwise it reads packets.
205 static int pcap_read_nocb_remote(pcap_t
*p
, struct pcap_pkthdr
**pkt_header
, u_char
**pkt_data
)
207 struct rpcap_header
*header
; /* general header according to the RPCAP format */
208 struct rpcap_pkthdr
*net_pkt_header
; /* header of the packet */
209 char netbuf
[RPCAP_NETBUF_SIZE
]; /* size of the network buffer in which the packet is copied, just for UDP */
210 uint32 totread
; /* number of bytes (of payload) currently read from the network (referred to the current pkt) */
212 int retval
; /* generic return value */
214 /* Structures needed for the select() call */
215 fd_set rfds
; /* set of socket descriptors we have to check */
216 struct timeval tv
; /* maximum time the select() can block waiting for data */
217 struct pcap_md
*md
; /* structure used when doing a remote live capture */
219 md
= (struct pcap_md
*) ((u_char
*)p
->priv
+ sizeof(struct pcap_win
));
222 * Define the read timeout, to be used in the select()
223 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
225 tv
.tv_sec
= p
->opt
.timeout
/ 1000;
226 tv
.tv_usec
= (p
->opt
.timeout
- tv
.tv_sec
* 1000) * 1000;
228 /* Watch out sockdata to see if it has input */
232 * 'fp->rmt_sockdata' has always to be set before calling the select(),
233 * since it is cleared by the select()
235 FD_SET(md
->rmt_sockdata
, &rfds
);
237 retval
= select((int) md
->rmt_sockdata
+ 1, &rfds
, NULL
, NULL
, &tv
);
240 sock_geterror("select(): ", p
->errbuf
, PCAP_ERRBUF_SIZE
);
244 /* There is no data waiting, so return '0' */
249 * data is here; so, let's copy it into the user buffer.
250 * I'm going to read a new packet; so I reset the number of bytes (payload only) read
255 * We have to define 'header' as a pointer to a larger buffer,
256 * because in case of UDP we have to read all the message within a single call
258 header
= (struct rpcap_header
*) netbuf
;
259 net_pkt_header
= (struct rpcap_pkthdr
*) (netbuf
+ sizeof(struct rpcap_header
));
261 if (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
)
263 /* Read the entire message from the network */
264 if (sock_recv(md
->rmt_sockdata
, netbuf
, RPCAP_NETBUF_SIZE
, SOCK_RECEIVEALL_NO
, p
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
269 if (sock_recv(md
->rmt_sockdata
, netbuf
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, p
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
273 /* Checks if the message is correct */
274 retval
= rpcap_checkmsg(p
->errbuf
, md
->rmt_sockdata
, header
, RPCAP_MSG_PACKET
, 0);
276 if (retval
!= RPCAP_MSG_PACKET
) /* the message is not the one expected */
280 case -3: /* Unrecoverable network error */
281 return -1; /* Do nothing; just exit from here; the error code is already into the errbuf */
283 case -2: /* The other endpoint sent a message that is not allowed here */
284 case -1: /* The other endpoint has a version number that is not compatible with our */
285 return 0; /* Return 'no packets received' */
288 SOCK_ASSERT("Internal error", 1);
289 return 0; /* Return 'no packets received' */
293 /* In case of TCP, read the remaining of the packet from the socket */
294 if (!(md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
))
296 /* Read the RPCAP packet header from the network */
297 nread
= sock_recv(md
->rmt_sockdata
, (char *)net_pkt_header
,
298 sizeof(struct rpcap_pkthdr
), SOCK_RECEIVEALL_YES
,
299 p
->errbuf
, PCAP_ERRBUF_SIZE
);
305 if ((ntohl(net_pkt_header
->caplen
) + sizeof(struct pcap_pkthdr
)) <= p
->bufsize
)
307 /* Initialize returned structures */
308 *pkt_header
= (struct pcap_pkthdr
*) p
->buffer
;
309 *pkt_data
= (u_char
*)p
->buffer
+ sizeof(struct pcap_pkthdr
);
311 (*pkt_header
)->caplen
= ntohl(net_pkt_header
->caplen
);
312 (*pkt_header
)->len
= ntohl(net_pkt_header
->len
);
313 (*pkt_header
)->ts
.tv_sec
= ntohl(net_pkt_header
->timestamp_sec
);
314 (*pkt_header
)->ts
.tv_usec
= ntohl(net_pkt_header
->timestamp_usec
);
317 * I don't update the counter of the packets dropped by the network since we're using TCP,
318 * therefore no packets are dropped. Just update the number of packets received correctly
322 /* Copies the packet into the data buffer */
323 if (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
)
328 * In case of UDP the packet has already been read, we have to copy it into 'buffer'.
329 * Another option should be to declare 'netbuf' as 'static'. However this prevents
330 * using several pcap instances within the same process (because the static buffer is shared among
333 memcpy(*pkt_data
, netbuf
+ sizeof(struct rpcap_header
) + sizeof(struct rpcap_pkthdr
), (*pkt_header
)->caplen
);
335 /* We're using UDP, so we need to update the counter of the packets dropped by the network */
336 npkt
= ntohl(net_pkt_header
->npkt
);
338 if (md
->TotCapt
!= npkt
)
340 md
->TotNetDrops
+= (npkt
- md
->TotCapt
);
347 /* In case of TCP, read the remaining of the packet from the socket */
348 nread
= sock_recv(md
->rmt_sockdata
, *pkt_data
,
349 (*pkt_header
)->caplen
, SOCK_RECEIVEALL_YES
,
350 p
->errbuf
, PCAP_ERRBUF_SIZE
);
355 /* Checks if all the data has been read; if not, discard the data in excess */
356 /* This check has to be done only on TCP connections */
357 if (totread
!= ntohl(header
->plen
))
358 sock_discard(md
->rmt_sockdata
, ntohl(header
->plen
) - totread
, NULL
, 0);
362 /* Packet read successfully */
367 pcap_snprintf(p
->errbuf
, PCAP_ERRBUF_SIZE
, "Received a packet that is larger than the internal buffer size.");
373 /* \ingroup remote_pri_func
375 * \brief It reads a packet from the network socket.
377 * This function is called by the several pcap_read() when they detect that
378 * we have a remote capture and they are the client side. In that case, they need
379 * to read packets from the socket.
381 * This function relies on the pcap_read_nocb_remote to deliver packets. The
382 * difference, here, is that as soon as a packet is read, it is delivered
383 * to the application by means of a callback function.
385 * Parameters and return values are exactly the same of the pcap_read().
387 static int pcap_read_remote(pcap_t
*p
, int cnt
, pcap_handler callback
, u_char
*user
)
389 struct pcap_pkthdr
*pkt_header
;
393 while ((n
< cnt
) || (cnt
< 0))
395 if (pcap_read_nocb_remote(p
, &pkt_header
, &pkt_data
) == 1)
397 (*callback
)(user
, pkt_header
, pkt_data
);
406 /* \ingroup remote_pri_func
408 * \brief It sends a CLOSE command to the capture server.
410 * This function is called when the user wants to close a pcap_t adapter.
411 * In case we're capturing from the network, it sends a command to the other
412 * peer that says 'ok, let's stop capturing'.
413 * This function is called automatically when the user calls the pcap_close().
415 * Parameters and return values are exactly the same of the pcap_close().
417 * \warning Since we're closing the connection, we do not check for errors.
419 static void pcap_cleanup_remote(pcap_t
*fp
)
421 struct rpcap_header header
; /* header of the RPCAP packet */
422 struct activehosts
*temp
; /* temp var needed to scan the host list chain, to detect if we're in active mode */
423 int active
= 0; /* active mode or not? */
424 struct pcap_md
*md
; /* structure used when doing a remote live capture */
426 md
= (struct pcap_md
*) ((u_char
*)fp
->priv
+ sizeof(struct pcap_win
));
428 /* detect if we're in active mode */
432 if (temp
->sockctrl
== md
->rmt_sockctrl
)
442 rpcap_createhdr(&header
, RPCAP_MSG_CLOSE
, 0, 0);
444 /* I don't check for errors, since I'm going to close everything */
445 sock_send(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), NULL
, 0);
449 rpcap_createhdr(&header
, RPCAP_MSG_ENDCAP_REQ
, 0, 0);
451 /* I don't check for errors, since I'm going to close everything */
452 sock_send(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), NULL
, 0);
454 /* wait for the answer */
455 /* Don't check what we got, since the present libpcap does not uses this pcap_t anymore */
456 sock_recv(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, NULL
, 0);
458 if (ntohl(header
.plen
) != 0)
459 sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
), NULL
, 0);
462 if (md
->rmt_sockdata
)
464 sock_close(md
->rmt_sockdata
, NULL
, 0);
465 md
->rmt_sockdata
= 0;
468 if ((!active
) && (md
->rmt_sockctrl
))
469 sock_close(md
->rmt_sockctrl
, NULL
, 0);
471 md
->rmt_sockctrl
= 0;
473 if (md
->currentfilter
)
475 free(md
->currentfilter
);
476 md
->currentfilter
= NULL
;
479 /* To avoid inconsistencies in the number of sock_init() */
483 /* \ingroup remote_pri_func
485 * \brief It retrieves network statistics from the other peer.
487 * This function is just a void cointainer, since the work is done by the rpcap_stats_remote().
488 * See that funcion for more details.
490 * Parameters and return values are exactly the same of the pcap_stats().
492 static int pcap_stats_remote(pcap_t
*p
, struct pcap_stat
*ps
)
494 struct pcap_stat
*retval
;
496 retval
= rpcap_stats_remote(p
, ps
, PCAP_STATS_STANDARD
);
505 /* \ingroup remote_pri_func
507 * \brief It retrieves network statistics from the other peer.
509 * This function is just a void cointainer, since the work is done by the rpcap_stats_remote().
510 * See that funcion for more details.
512 * Parameters and return values are exactly the same of the pcap_stats_ex().
514 static struct pcap_stat
*pcap_stats_ex_remote(pcap_t
*p
, int *pcap_stat_size
)
516 *pcap_stat_size
= sizeof (p
->stat
);
518 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
519 return (rpcap_stats_remote(p
, &(p
->stat
), PCAP_STATS_EX
));
523 /* \ingroup remote_pri_func
525 * \brief It retrieves network statistics from the other peer.
527 * This function can be called in two modes:
528 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e. the pcap_stats() )
529 * - PCAP_STATS_EX: if we want extended statistics (i.e. the pcap_stats_ex() )
531 * This 'mode' parameter is needed because in the standard pcap_stats() the variable that keeps the
532 * statistics is allocated by the user. Unfortunately, this structure has been extended in order
533 * to keep new stats. However, if the user has a smaller structure and it passes it to the pcap_stats,
534 * thid function will try to fill in more data than the size of the structure, so that the application
535 * goes in memory overflow.
536 * So, we need to know it we have to copy just the standard fields, or the extended fields as well.
538 * In case we want to copy the extended fields as well, the problem of memory overflow does no
539 * longer exist because the structure pcap_stat is no longer allocated by the program;
540 * it is allocated by the library instead.
542 * \param p: the pcap_t structure related to the current instance.
544 * \param ps: a 'pcap_stat' structure, needed for compatibility with pcap_stat(), in which
545 * the structure is allocated by the user. In case of pcap_stats_ex, this structure and the
546 * function return value point to the same variable.
548 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
550 * \return The structure that keeps the statistics, or NULL in case of error.
551 * The error string is placed in the pcap_t structure.
553 static struct pcap_stat
*rpcap_stats_remote(pcap_t
*p
, struct pcap_stat
*ps
, int mode
)
555 struct rpcap_header header
; /* header of the RPCAP packet */
556 struct rpcap_stats netstats
; /* statistics sent on the network */
557 uint32 totread
= 0; /* number of bytes of the payload read from the socket */
559 int retval
; /* temp variable which stores functions return value */
560 struct pcap_md
*md
; /* structure used when doing a remote live capture */
562 md
= (struct pcap_md
*) ((u_char
*)p
->priv
+ sizeof(struct pcap_win
));
565 * If the capture has still to start, we cannot ask statistics to the other peer,
566 * so we return a fake number
568 if (!md
->rmt_capstarted
)
570 if (mode
== PCAP_STATS_STANDARD
)
589 rpcap_createhdr(&header
, RPCAP_MSG_STATS_REQ
, 0, 0);
591 /* Send the PCAP_STATS command */
592 if (sock_send(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), p
->errbuf
, PCAP_ERRBUF_SIZE
))
595 /* Receive the RPCAP stats reply message */
596 if (sock_recv(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, p
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
599 /* Checks if the message is correct */
600 retval
= rpcap_checkmsg(p
->errbuf
, md
->rmt_sockctrl
, &header
, RPCAP_MSG_STATS_REPLY
, RPCAP_MSG_ERROR
, 0);
602 if (retval
!= RPCAP_MSG_STATS_REPLY
) /* the message is not the one expected */
606 case -3: /* Unrecoverable network error */
607 case -2: /* The other endpoint send a message that is not allowed here */
608 case -1: /* The other endpoint has a version number that is not compatible with our */
611 case RPCAP_MSG_ERROR
: /* The other endpoint reported an error */
612 /* Update totread, since the rpcap_checkmsg() already purged the buffer */
613 totread
= ntohl(header
.plen
);
615 /* Do nothing; just exit; the error code is already into the errbuf */
619 pcap_snprintf(p
->errbuf
, PCAP_ERRBUF_SIZE
, "Internal error");
624 nread
= sock_recv(md
->rmt_sockctrl
, (char *)&netstats
,
625 sizeof(struct rpcap_stats
), SOCK_RECEIVEALL_YES
,
626 p
->errbuf
, PCAP_ERRBUF_SIZE
);
631 if (mode
== PCAP_STATS_STANDARD
)
633 ps
->ps_drop
= ntohl(netstats
.krnldrop
);
634 ps
->ps_ifdrop
= ntohl(netstats
.ifdrop
);
635 ps
->ps_recv
= ntohl(netstats
.ifrecv
);
639 ps
->ps_capt
= md
->TotCapt
;
640 ps
->ps_drop
= ntohl(netstats
.krnldrop
);
641 ps
->ps_ifdrop
= ntohl(netstats
.ifdrop
);
642 ps
->ps_netdrop
= md
->TotNetDrops
;
643 ps
->ps_recv
= ntohl(netstats
.ifrecv
);
644 ps
->ps_sent
= ntohl(netstats
.svrcapt
);
647 /* Checks if all the data has been read; if not, discard the data in excess */
648 if (totread
!= ntohl(header
.plen
))
650 if (sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
) - totread
, NULL
, 0) == 1)
657 if (totread
!= ntohl(header
.plen
))
658 sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
) - totread
, NULL
, 0);
663 /* \ingroup remote_pri_func
665 * \brief It opens a remote adapter by opening an RPCAP connection and so on.
667 * This function does basically the job of pcap_open_live() for a remote interface.
668 * In other words, we have a pcap_read for win32, which reads packets from NPF,
669 * another for LINUX, and so on. Now, we have a pcap_opensource_remote() as well.
670 * The difference, here, is the capture thread does not start until the
671 * pcap_startcapture_remote() is called.
673 * This is because, in remote capture, we cannot start capturing data as soon ad the
674 * 'open adapter' command is sent. Suppose the remote adapter is already overloaded;
675 * if we start a capture (which, by default, has a NULL filter) the new traffic can
676 * saturate the network.
678 * Instead, we want to "open" the adapter, then send a "start capture" command only
679 * when we're ready to start the capture.
680 * This funtion does this job: it sends a "open adapter" command (according to the
681 * RPCAP protocol), but it does not start the capture.
683 * Since the other libpcap functions do not share this way of life, we have to make
684 * some dirty things in order to make everyting working.
686 * \param fp: A pointer to a pcap_t structure that has been previously created with
687 * \ref pcap_create().
688 * \param source: see pcap_open().
689 * \param auth: see pcap_open().
691 * \return 0 in case of success, -1 otherwise. In case of success, the pcap_t pointer in fp can be
692 * used as a parameter to the following calls (pcap_compile() and so on). In case of
693 * problems, fp->errbuf contains a text explanation of error.
695 * \warning In case we call the pcap_compile() and the capture is not started, the filter
696 * will be saved into the pcap_t structure, and it will be sent to the other host later
697 * (when the pcap_startcapture_remote() is called).
699 int pcap_opensource_remote(pcap_t
*fp
, struct pcap_rmtauth
*auth
)
701 char host
[PCAP_BUF_SIZE
], ctrlport
[PCAP_BUF_SIZE
], iface
[PCAP_BUF_SIZE
];
703 char sendbuf
[RPCAP_NETBUF_SIZE
]; /* temporary buffer in which data to be sent is buffered */
704 int sendbufidx
= 0; /* index which keeps the number of bytes currently buffered */
705 uint32 totread
= 0; /* number of bytes of the payload read from the socket */
707 int retval
; /* store the return value of the functions */
708 int active
= 0; /* '1' if we're in active mode */
710 /* socket-related variables */
711 struct addrinfo hints
; /* temp, needed to open a socket connection */
712 struct addrinfo
*addrinfo
; /* temp, needed to open a socket connection */
713 SOCKET sockctrl
= 0; /* socket descriptor of the control connection */
715 /* RPCAP-related variables */
716 struct rpcap_header header
; /* header of the RPCAP packet */
717 struct rpcap_openreply openreply
; /* open reply message */
719 struct pcap_md
*md
; /* structure used when doing a remote live capture */
721 md
= (struct pcap_md
*) ((u_char
*)fp
->priv
+ sizeof(struct pcap_win
));
725 * determine the type of the source (NULL, file, local, remote)
726 * You must have a valid source string even if we're in active mode, because otherwise
727 * the call to the following function will fail.
729 if (pcap_parsesrcstr(fp
->opt
.device
, &retval
, host
, ctrlport
, iface
, fp
->errbuf
) == -1)
732 if (retval
!= PCAP_SRC_IFREMOTE
)
734 pcap_snprintf(fp
->errbuf
, PCAP_ERRBUF_SIZE
, "This function is able to open only remote interfaces");
741 * Warning: this call can be the first one called by the user.
742 * For this reason, we have to initialize the WinSock support.
744 if (sock_init(fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
747 sockctrl
= rpcap_remoteact_getsock(host
, &active
, fp
->errbuf
);
748 if (sockctrl
== INVALID_SOCKET
)
754 * We're not in active mode; let's try to open a new
755 * control connection.
757 memset(&hints
, 0, sizeof(struct addrinfo
));
758 hints
.ai_family
= PF_UNSPEC
;
759 hints
.ai_socktype
= SOCK_STREAM
;
761 if ((ctrlport
== NULL
) || (ctrlport
[0] == 0))
763 /* the user chose not to specify the port */
764 if (sock_initaddress(host
, RPCAP_DEFAULT_NETPORT
, &hints
, &addrinfo
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
769 /* the user chose not to specify the port */
770 if (sock_initaddress(host
, ctrlport
, &hints
, &addrinfo
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
774 if ((sockctrl
= sock_open(addrinfo
, SOCKOPEN_CLIENT
, 0, fp
->errbuf
, PCAP_ERRBUF_SIZE
)) == INVALID_SOCKET
)
777 freeaddrinfo(addrinfo
);
780 if (rpcap_sendauth(sockctrl
, auth
, fp
->errbuf
) == -1)
785 * Now it's time to start playing with the RPCAP protocol
786 * RPCAP open command: create the request message
788 if (sock_bufferize(NULL
, sizeof(struct rpcap_header
), NULL
,
789 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
792 rpcap_createhdr((struct rpcap_header
*) sendbuf
, RPCAP_MSG_OPEN_REQ
, 0, (uint32
) strlen(iface
));
794 if (sock_bufferize(iface
, (int) strlen(iface
), sendbuf
, &sendbufidx
,
795 RPCAP_NETBUF_SIZE
, SOCKBUF_BUFFERIZE
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
798 if (sock_send(sockctrl
, sendbuf
, sendbufidx
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
801 /* Receive the RPCAP open reply message */
802 if (sock_recv(sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
805 /* Checks if the message is correct */
806 retval
= rpcap_checkmsg(fp
->errbuf
, sockctrl
, &header
, RPCAP_MSG_OPEN_REPLY
, RPCAP_MSG_ERROR
, 0);
808 if (retval
!= RPCAP_MSG_OPEN_REPLY
) /* the message is not the one expected */
812 case -3: /* Unrecoverable network error */
813 case -2: /* The other endpoint send a message that is not allowed here */
814 case -1: /* The other endpoint has a version number that is not compatible with our */
817 case RPCAP_MSG_ERROR
: /* The other endpoint reported an error */
818 /* Update totread, since the rpcap_checkmsg() already purged the buffer */
819 totread
= ntohl(header
.plen
);
820 /* Do nothing; just exit; the error code is already into the errbuf */
824 pcap_snprintf(fp
->errbuf
, PCAP_ERRBUF_SIZE
, "Internal error");
829 nread
= sock_recv(sockctrl
, (char *)&openreply
,
830 sizeof(struct rpcap_openreply
), SOCK_RECEIVEALL_YES
,
831 fp
->errbuf
, PCAP_ERRBUF_SIZE
);
836 /* Set proper fields into the pcap_t struct */
837 fp
->linktype
= ntohl(openreply
.linktype
);
838 fp
->tzoff
= ntohl(openreply
.tzoff
);
839 md
->rmt_sockctrl
= sockctrl
;
840 md
->rmt_clientside
= 1;
843 /* This code is duplicated from the end of this function */
844 fp
->read_op
= pcap_read_remote
;
845 fp
->setfilter_op
= pcap_setfilter_remote
;
846 fp
->getnonblock_op
= NULL
; /* This is not implemented in remote capture */
847 fp
->setnonblock_op
= NULL
; /* This is not implemented in remote capture */
848 fp
->stats_op
= pcap_stats_remote
;
850 fp
->stats_ex_op
= pcap_stats_ex_remote
;
852 fp
->cleanup_op
= pcap_cleanup_remote
;
854 /* Checks if all the data has been read; if not, discard the data in excess */
855 if (totread
!= ntohl(header
.plen
))
857 if (sock_discard(sockctrl
, ntohl(header
.plen
) - totread
, NULL
, 0) == 1)
864 * When the connection has been established, we have to close it. So, at the
865 * beginning of this function, if an error occur we return immediately with
866 * a return NULL; when the connection is established, we have to come here
867 * ('goto error;') in order to close everything properly.
869 * Checks if all the data has been read; if not, discard the data in excess
871 if (totread
!= ntohl(header
.plen
))
872 sock_discard(sockctrl
, ntohl(header
.plen
) - totread
, NULL
, 0);
875 freeaddrinfo(addrinfo
);
878 sock_close(sockctrl
, NULL
, 0);
883 /* \ingroup remote_pri_func
885 * \brief It starts a remote capture.
887 * This function is requires since the RPCAP protocol decouples the 'open' from the
888 * 'start capture' functions.
889 * This function takes all the parameters needed (which have been stored into the pcap_t structure)
890 * and sends them to the server.
891 * If everything is fine, it creates a new child thread that reads data from the network
892 * and puts data it into the user buffer.
893 * The pcap_read() will read data from the user buffer, as usual.
895 * The remote capture acts like a new "kernel", which puts packets directly into
896 * the buffer pointed by pcap_t.
897 * In fact, this function does not rely on a kernel that reads packets and put them
898 * into the user buffer; it has to do that on its own.
900 * \param fp: the pcap_t descriptor of the device currently open.
902 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
903 * is returned into the 'errbuf' field of the pcap_t structure.
905 int pcap_startcapture_remote(pcap_t
*fp
)
907 char sendbuf
[RPCAP_NETBUF_SIZE
]; /* temporary buffer in which data to be sent is buffered */
908 int sendbufidx
= 0; /* index which keeps the number of bytes currently buffered */
909 char portdata
[PCAP_BUF_SIZE
]; /* temp variable needed to keep the network port for the the data connection */
910 uint32 totread
= 0; /* number of bytes of the payload read from the socket */
912 int retval
; /* store the return value of the functions */
913 int active
= 0; /* '1' if we're in active mode */
914 struct activehosts
*temp
; /* temp var needed to scan the host list chain, to detect if we're in active mode */
915 char host
[INET6_ADDRSTRLEN
+ 1]; /* numeric name of the other host */
917 /* socket-related variables*/
918 struct addrinfo hints
; /* temp, needed to open a socket connection */
919 struct addrinfo
*addrinfo
; /* temp, needed to open a socket connection */
920 SOCKET sockdata
= 0; /* socket descriptor of the data connection */
921 struct sockaddr_storage saddr
; /* temp, needed to retrieve the network data port chosen on the local machine */
922 socklen_t saddrlen
; /* temp, needed to retrieve the network data port chosen on the local machine */
923 int ai_family
; /* temp, keeps the address family used by the control connection */
925 /* RPCAP-related variables*/
926 struct rpcap_header header
; /* header of the RPCAP packet */
927 struct rpcap_startcapreq
*startcapreq
; /* start capture request message */
928 struct rpcap_startcapreply startcapreply
; /* start capture reply message */
930 /* Variables related to the buffer setting */
934 struct pcap_md
*md
; /* structure used when doing a remote live capture */
936 md
= (struct pcap_md
*) ((u_char
*)fp
->priv
+ sizeof(struct pcap_win
));
939 * Let's check if sampling has been required.
940 * If so, let's set it first
942 if (pcap_setsampling_remote(fp
) != 0)
946 /* detect if we're in active mode */
950 if (temp
->sockctrl
== md
->rmt_sockctrl
)
961 * Gets the complete sockaddr structure used in the ctrl connection
962 * This is needed to get the address family of the control socket
963 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
964 * since the ctrl socket can already be open in case of active mode;
965 * so I would have to call getpeername() anyway
967 saddrlen
= sizeof(struct sockaddr_storage
);
968 if (getpeername(md
->rmt_sockctrl
, (struct sockaddr
*) &saddr
, &saddrlen
) == -1)
970 sock_geterror("getsockname(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
973 ai_family
= ((struct sockaddr_storage
*) &saddr
)->ss_family
;
975 /* Get the numeric address of the remote host we are connected to */
976 if (getnameinfo((struct sockaddr
*) &saddr
, saddrlen
, host
,
977 sizeof(host
), NULL
, 0, NI_NUMERICHOST
))
979 sock_geterror("getnameinfo(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
984 * Data connection is opened by the server toward the client if:
985 * - we're using TCP, and the user wants us to be in active mode
988 if ((active
) || (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
))
991 * We have to create a new socket to receive packets
992 * We have to do that immediately, since we have to tell the other
993 * end which network port we picked up
995 memset(&hints
, 0, sizeof(struct addrinfo
));
996 /* TEMP addrinfo is NULL in case of active */
997 hints
.ai_family
= ai_family
; /* Use the same address family of the control socket */
998 hints
.ai_socktype
= (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
) ? SOCK_DGRAM
: SOCK_STREAM
;
999 hints
.ai_flags
= AI_PASSIVE
; /* Data connection is opened by the server toward the client */
1001 /* Let's the server pick up a free network port for us */
1002 if (sock_initaddress(NULL
, "0", &hints
, &addrinfo
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1005 if ((sockdata
= sock_open(addrinfo
, SOCKOPEN_SERVER
,
1006 1 /* max 1 connection in queue */, fp
->errbuf
, PCAP_ERRBUF_SIZE
)) == INVALID_SOCKET
)
1009 /* addrinfo is no longer used */
1010 freeaddrinfo(addrinfo
);
1013 /* get the complete sockaddr structure used in the data connection */
1014 saddrlen
= sizeof(struct sockaddr_storage
);
1015 if (getsockname(sockdata
, (struct sockaddr
*) &saddr
, &saddrlen
) == -1)
1017 sock_geterror("getsockname(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1021 /* Get the local port the system picked up */
1022 if (getnameinfo((struct sockaddr
*) &saddr
, saddrlen
, NULL
,
1023 0, portdata
, sizeof(portdata
), NI_NUMERICSERV
))
1025 sock_geterror("getnameinfo(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1031 * Now it's time to start playing with the RPCAP protocol
1032 * RPCAP start capture command: create the request message
1034 if (sock_bufferize(NULL
, sizeof(struct rpcap_header
), NULL
,
1035 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1038 rpcap_createhdr((struct rpcap_header
*) sendbuf
, RPCAP_MSG_STARTCAP_REQ
, 0,
1039 sizeof(struct rpcap_startcapreq
) + sizeof(struct rpcap_filter
) + fp
->fcode
.bf_len
* sizeof(struct rpcap_filterbpf_insn
));
1041 /* Fill the structure needed to open an adapter remotely */
1042 startcapreq
= (struct rpcap_startcapreq
*) &sendbuf
[sendbufidx
];
1044 if (sock_bufferize(NULL
, sizeof(struct rpcap_startcapreq
), NULL
,
1045 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1048 memset(startcapreq
, 0, sizeof(struct rpcap_startcapreq
));
1050 /* By default, apply half the timeout on one side, half of the other */
1051 fp
->opt
.timeout
= fp
->opt
.timeout
/ 2;
1052 startcapreq
->read_timeout
= htonl(fp
->opt
.timeout
);
1054 /* portdata on the openreq is meaningful only if we're in active mode */
1055 if ((active
) || (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
))
1057 sscanf(portdata
, "%d", (int *)&(startcapreq
->portdata
)); /* cast to avoid a compiler warning */
1058 startcapreq
->portdata
= htons(startcapreq
->portdata
);
1061 startcapreq
->snaplen
= htonl(fp
->snapshot
);
1062 startcapreq
->flags
= 0;
1064 if (md
->rmt_flags
& PCAP_OPENFLAG_PROMISCUOUS
)
1065 startcapreq
->flags
|= RPCAP_STARTCAPREQ_FLAG_PROMISC
;
1066 if (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
)
1067 startcapreq
->flags
|= RPCAP_STARTCAPREQ_FLAG_DGRAM
;
1069 startcapreq
->flags
|= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN
;
1071 startcapreq
->flags
= htons(startcapreq
->flags
);
1073 /* Pack the capture filter */
1074 if (pcap_pack_bpffilter(fp
, &sendbuf
[sendbufidx
], &sendbufidx
, &fp
->fcode
))
1077 if (sock_send(md
->rmt_sockctrl
, sendbuf
, sendbufidx
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1081 /* Receive the RPCAP start capture reply message */
1082 if (sock_recv(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1085 /* Checks if the message is correct */
1086 retval
= rpcap_checkmsg(fp
->errbuf
, md
->rmt_sockctrl
, &header
, RPCAP_MSG_STARTCAP_REPLY
, RPCAP_MSG_ERROR
, 0);
1088 if (retval
!= RPCAP_MSG_STARTCAP_REPLY
) /* the message is not the one expected */
1092 case -3: /* Unrecoverable network error */
1093 case -2: /* The other endpoint send a message that is not allowed here */
1094 case -1: /* The other endpoint has a version number that is not compatible with our */
1097 case RPCAP_MSG_ERROR
: /* The other endpoint reported an error */
1098 /* Update totread, since the rpcap_checkmsg() already purged the buffer */
1099 totread
= ntohl(header
.plen
);
1100 /* Do nothing; just exit; the error code is already into the errbuf */
1104 pcap_snprintf(fp
->errbuf
, PCAP_ERRBUF_SIZE
, "Internal error");
1109 nread
= sock_recv(md
->rmt_sockctrl
, (char *)&startcapreply
,
1110 sizeof(struct rpcap_startcapreply
), SOCK_RECEIVEALL_YES
,
1111 fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1117 * In case of UDP data stream, the connection is always opened by the daemon
1118 * So, this case is already covered by the code above.
1119 * Now, we have still to handle TCP connections, because:
1120 * - if we're in active mode, we have to wait for a remote connection
1121 * - if we're in passive more, we have to start a connection
1123 * We have to do he job in two steps because in case we're opening a TCP connection, we have
1124 * to tell the port we're using to the remote side; in case we're accepting a TCP
1125 * connection, we have to wait this info from the remote side.
1128 if (!(md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
))
1132 memset(&hints
, 0, sizeof(struct addrinfo
));
1133 hints
.ai_family
= ai_family
; /* Use the same address family of the control socket */
1134 hints
.ai_socktype
= (md
->rmt_flags
& PCAP_OPENFLAG_DATATX_UDP
) ? SOCK_DGRAM
: SOCK_STREAM
;
1135 pcap_snprintf(portdata
, PCAP_BUF_SIZE
, "%d", ntohs(startcapreply
.portdata
));
1137 /* Let's the server pick up a free network port for us */
1138 if (sock_initaddress(host
, portdata
, &hints
, &addrinfo
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1141 if ((sockdata
= sock_open(addrinfo
, SOCKOPEN_CLIENT
, 0, fp
->errbuf
, PCAP_ERRBUF_SIZE
)) == INVALID_SOCKET
)
1144 /* addrinfo is no longer used */
1145 freeaddrinfo(addrinfo
);
1150 SOCKET socktemp
; /* We need another socket, since we're going to accept() a connection */
1152 /* Connection creation */
1153 saddrlen
= sizeof(struct sockaddr_storage
);
1155 socktemp
= accept(sockdata
, (struct sockaddr
*) &saddr
, &saddrlen
);
1159 sock_geterror("accept(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1163 /* Now that I accepted the connection, the server socket is no longer needed */
1164 sock_close(sockdata
, fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1165 sockdata
= socktemp
;
1169 /* Let's save the socket of the data connection */
1170 md
->rmt_sockdata
= sockdata
;
1172 /* Allocates WinPcap/libpcap user buffer, which is a socket buffer in case of a remote capture */
1173 /* It has the same size of the one used on the other side of the connection */
1174 fp
->bufsize
= ntohl(startcapreply
.bufsize
);
1176 /* Let's get the actual size of the socket buffer */
1177 itemp
= sizeof(sockbufsize
);
1179 res
= getsockopt(sockdata
, SOL_SOCKET
, SO_RCVBUF
, (char *)&sockbufsize
, &itemp
);
1182 sock_geterror("pcap_startcapture_remote()", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1183 SOCK_ASSERT(fp
->errbuf
, 1);
1187 * Warning: on some kernels (e.g. Linux), the size of the user buffer does not take
1188 * into account the pcap_header and such, and it is set equal to the snaplen.
1189 * In my view, this is wrong (the meaning of the bufsize became a bit strange).
1190 * So, here bufsize is the whole size of the user buffer.
1191 * In case the bufsize returned is too small, let's adjust it accordingly.
1193 if (fp
->bufsize
<= (u_int
) fp
->snapshot
)
1194 fp
->bufsize
+= sizeof(struct pcap_pkthdr
);
1196 /* if the current socket buffer is smaller than the desired one */
1197 if ((u_int
) sockbufsize
< fp
->bufsize
)
1199 /* Loop until the buffer size is OK or the original socket buffer size is larger than this one */
1202 res
= setsockopt(sockdata
, SOL_SOCKET
, SO_RCVBUF
, (char *)&(fp
->bufsize
), sizeof(fp
->bufsize
));
1208 * If something goes wrong, half the buffer size (checking that it does not become smaller than
1213 if ((u_int
) sockbufsize
>= fp
->bufsize
)
1215 fp
->bufsize
= sockbufsize
;
1222 * Let's allocate the packet; this is required in order to put the packet somewhere when
1223 * extracting data from the socket
1224 * Since buffering has already been done in the socket buffer, here we need just a buffer,
1225 * whose size is equal to the pcap header plus the snapshot length
1227 fp
->bufsize
= fp
->snapshot
+ sizeof(struct pcap_pkthdr
);
1229 fp
->buffer
= (u_char
*)malloc(fp
->bufsize
);
1230 if (fp
->buffer
== NULL
)
1232 pcap_snprintf(fp
->errbuf
, PCAP_ERRBUF_SIZE
, "malloc: %s", pcap_strerror(errno
));
1237 /* Checks if all the data has been read; if not, discard the data in excess */
1238 if (totread
!= ntohl(header
.plen
))
1240 if (sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
) - totread
, NULL
, 0) == 1)
1245 * In case the user does not want to capture RPCAP packets, let's update the filter
1246 * We have to update it here (instead of sending it into the 'StartCapture' message
1247 * because when we generate the 'start capture' we do not know (yet) all the ports
1248 * we're currently using.
1250 if (md
->rmt_flags
& PCAP_OPENFLAG_NOCAPTURE_RPCAP
)
1252 struct bpf_program fcode
;
1254 if (pcap_createfilter_norpcappkt(fp
, &fcode
) == -1)
1257 /* We cannot use 'pcap_setfilter_remote' because formally the capture has not been started yet */
1258 /* (the 'fp->rmt_capstarted' variable will be updated some lines below) */
1259 if (pcap_updatefilter_remote(fp
, &fcode
) == -1)
1262 pcap_freecode(&fcode
);
1265 md
->rmt_capstarted
= 1;
1270 * When the connection has been established, we have to close it. So, at the
1271 * beginning of this function, if an error occur we return immediately with
1272 * a return NULL; when the connection is established, we have to come here
1273 * ('goto error;') in order to close everything properly.
1275 * Checks if all the data has been read; if not, discard the data in excess
1277 if (totread
!= ntohl(header
.plen
))
1278 sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
) - totread
, NULL
, 0);
1280 if ((sockdata
) && (sockdata
!= -1)) /* we can be here because sockdata said 'error' */
1281 sock_close(sockdata
, NULL
, 0);
1284 sock_close(md
->rmt_sockctrl
, NULL
, 0);
1287 * We do not have to call pcap_close() here, because this function is always called
1288 * by the user in case something bad happens
1300 * \brief Takes a bpf program and sends it to the other host.
1302 * This function can be called in two cases:
1303 * - the pcap_startcapture() is called (we have to send the filter along with
1304 * the 'start capture' command)
1305 * - we want to udpate the filter during a capture (i.e. the pcap_setfilter()
1306 * is called when the capture is still on)
1308 * This function serializes the filter into the sending buffer ('sendbuf', passed
1309 * as a parameter) and return back. It does not send anything on the network.
1311 * \param fp: the pcap_t descriptor of the device currently opened.
1313 * \param sendbuf: the buffer on which the serialized data has to copied.
1315 * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
1317 * \param prog: the bpf program we have to copy.
1319 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1320 * is returned into the 'errbuf' field of the pcap_t structure.
1322 static int pcap_pack_bpffilter(pcap_t
*fp
, char *sendbuf
, int *sendbufidx
, struct bpf_program
*prog
)
1324 struct rpcap_filter
*filter
;
1325 struct rpcap_filterbpf_insn
*insn
;
1326 struct bpf_insn
*bf_insn
;
1327 struct bpf_program fake_prog
; /* To be used just in case the user forgot to set a filter */
1331 if (prog
->bf_len
== 0) /* No filters have been specified; so, let's apply a "fake" filter */
1333 if (pcap_compile(fp
, &fake_prog
, NULL
/* buffer */, 1, 0) == -1)
1339 filter
= (struct rpcap_filter
*) sendbuf
;
1341 if (sock_bufferize(NULL
, sizeof(struct rpcap_filter
), NULL
, sendbufidx
,
1342 RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1345 filter
->filtertype
= htons(RPCAP_UPDATEFILTER_BPF
);
1346 filter
->nitems
= htonl((int32
)prog
->bf_len
);
1348 if (sock_bufferize(NULL
, prog
->bf_len
* sizeof(struct rpcap_filterbpf_insn
),
1349 NULL
, sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1352 insn
= (struct rpcap_filterbpf_insn
*) (filter
+ 1);
1353 bf_insn
= prog
->bf_insns
;
1355 for (i
= 0; i
< prog
->bf_len
; i
++)
1357 insn
->code
= htons(bf_insn
->code
);
1358 insn
->jf
= bf_insn
->jf
;
1359 insn
->jt
= bf_insn
->jt
;
1360 insn
->k
= htonl(bf_insn
->k
);
1369 /* \ingroup remote_pri_func
1371 * \brief Update a filter on a remote host.
1373 * This function is called when the user wants to update a filter.
1374 * In case we're capturing from the network, it sends the filter to the other peer.
1375 * This function is *not* called automatically when the user calls the pcap_setfilter().
1376 * There will be two cases:
1377 * - the capture is already on: in this case, pcap_setfilter() calls pcap_updatefilter_remote()
1378 * - the capture has not started yet: in this case, pcap_setfilter() stores the filter into
1379 * the pcap_t structure, and then the filter is sent with the pcap_startcap().
1381 * Parameters and return values are exactly the same of the pcap_setfilter().
1383 * \warning This function *does not* clear the packet currently into the buffers. Therefore,
1384 * the user has to expect to receive some packets that are related to the previous filter.
1385 * If you want to discard all the packets before applying a new filter, you have to close
1386 * the current capture session and start a new one.
1388 static int pcap_updatefilter_remote(pcap_t
*fp
, struct bpf_program
*prog
)
1390 int retval
; /* general variable used to keep the return value of other functions */
1391 char sendbuf
[RPCAP_NETBUF_SIZE
];/* temporary buffer in which data to be sent is buffered */
1392 int sendbufidx
= 0; /* index which keeps the number of bytes currently buffered */
1393 struct rpcap_header header
; /* To keep the reply message */
1394 struct pcap_md
*md
; /* structure used when doing a remote live capture */
1396 md
= (struct pcap_md
*) ((u_char
*)fp
->priv
+ sizeof(struct pcap_win
));
1399 if (sock_bufferize(NULL
, sizeof(struct rpcap_header
), NULL
, &sendbufidx
,
1400 RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1403 rpcap_createhdr((struct rpcap_header
*) sendbuf
, RPCAP_MSG_UPDATEFILTER_REQ
, 0,
1404 sizeof(struct rpcap_filter
) + prog
->bf_len
* sizeof(struct rpcap_filterbpf_insn
));
1406 if (pcap_pack_bpffilter(fp
, &sendbuf
[sendbufidx
], &sendbufidx
, prog
))
1409 if (sock_send(md
->rmt_sockctrl
, sendbuf
, sendbufidx
, fp
->errbuf
, PCAP_ERRBUF_SIZE
))
1412 /* Waits for the answer */
1413 if (sock_recv(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1416 /* Checks if the message is correct */
1417 retval
= rpcap_checkmsg(fp
->errbuf
, md
->rmt_sockctrl
, &header
, RPCAP_MSG_UPDATEFILTER_REPLY
, 0);
1419 if (retval
!= RPCAP_MSG_UPDATEFILTER_REPLY
) /* the message is not the one expected */
1423 case -3: /* Unrecoverable network error */
1424 case -2: /* The other endpoint sent a message that is not allowed here */
1425 case -1: /* The other endpoint has a version number that is not compatible with our */
1426 /* Do nothing; just exit from here; the error code is already into the errbuf */
1430 SOCK_ASSERT("Internal error", 0);
1435 if (ntohl(header
.plen
) != 0) /* the message has an unexpected size */
1437 if (sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
), fp
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1445 * \ingroup remote_pri_func
1447 * \brief Send a filter to a remote host.
1449 * This function is called when the user wants to set a filter.
1450 * In case we're capturing from the network, it sends the filter to the other peer.
1451 * This function is called automatically when the user calls the pcap_setfilter().
1453 * Parameters and return values are exactly the same of the pcap_setfilter().
1455 static int pcap_setfilter_remote(pcap_t
*fp
, struct bpf_program
*prog
)
1457 struct pcap_md
*md
; /* structure used when doing a remote live capture */
1459 md
= (struct pcap_md
*) ((u_char
*)fp
->priv
+ sizeof(struct pcap_win
));
1461 if (!md
->rmt_capstarted
)
1463 /* copy filter into the pcap_t structure */
1464 if (install_bpf_program(fp
, prog
) == -1)
1469 /* we have to update a filter during run-time */
1470 if (pcap_updatefilter_remote(fp
, prog
))
1477 * \ingroup remote_pri_func
1479 * \brief Update the current filter in order not to capture rpcap packets.
1481 * This function is called *only* when the user wants exclude RPCAP packets
1482 * related to the current session from the captured packets.
1484 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1485 * is returned into the 'errbuf' field of the pcap_t structure.
1487 static int pcap_createfilter_norpcappkt(pcap_t
*fp
, struct bpf_program
*prog
)
1490 struct pcap_md
*md
; /* structure used when doing a remote live capture */
1492 md
= (struct pcap_md
*) ((u_char
*)fp
->priv
+ sizeof(struct pcap_win
));
1494 /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1495 if (md
->rmt_flags
& PCAP_OPENFLAG_NOCAPTURE_RPCAP
)
1497 struct sockaddr_storage saddr
; /* temp, needed to retrieve the network data port chosen on the local machine */
1498 socklen_t saddrlen
; /* temp, needed to retrieve the network data port chosen on the local machine */
1499 char myaddress
[128];
1500 char myctrlport
[128];
1501 char mydataport
[128];
1502 char peeraddress
[128];
1503 char peerctrlport
[128];
1505 const int newstringsize
= 1024;
1506 size_t currentfiltersize
;
1508 /* Get the name/port of the other peer */
1509 saddrlen
= sizeof(struct sockaddr_storage
);
1510 if (getpeername(md
->rmt_sockctrl
, (struct sockaddr
*) &saddr
, &saddrlen
) == -1)
1512 sock_geterror("getpeername(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1516 if (getnameinfo((struct sockaddr
*) &saddr
, saddrlen
, peeraddress
,
1517 sizeof(peeraddress
), peerctrlport
, sizeof(peerctrlport
), NI_NUMERICHOST
| NI_NUMERICSERV
))
1519 sock_geterror("getnameinfo(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1523 /* We cannot check the data port, because this is available only in case of TCP sockets */
1524 /* Get the name/port of the current host */
1525 if (getsockname(md
->rmt_sockctrl
, (struct sockaddr
*) &saddr
, &saddrlen
) == -1)
1527 sock_geterror("getsockname(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1531 /* Get the local port the system picked up */
1532 if (getnameinfo((struct sockaddr
*) &saddr
, saddrlen
, myaddress
,
1533 sizeof(myaddress
), myctrlport
, sizeof(myctrlport
), NI_NUMERICHOST
| NI_NUMERICSERV
))
1535 sock_geterror("getnameinfo(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1539 /* Let's now check the data port */
1540 if (getsockname(md
->rmt_sockdata
, (struct sockaddr
*) &saddr
, &saddrlen
) == -1)
1542 sock_geterror("getsockname(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1546 /* Get the local port the system picked up */
1547 if (getnameinfo((struct sockaddr
*) &saddr
, saddrlen
, NULL
, 0, mydataport
, sizeof(mydataport
), NI_NUMERICSERV
))
1549 sock_geterror("getnameinfo(): ", fp
->errbuf
, PCAP_ERRBUF_SIZE
);
1553 currentfiltersize
= strlen(md
->currentfilter
);
1555 newfilter
= (char *)malloc(currentfiltersize
+ newstringsize
+ 1);
1557 if (currentfiltersize
)
1559 pcap_snprintf(newfilter
, currentfiltersize
+ newstringsize
,
1560 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1561 md
->currentfilter
, myaddress
, peeraddress
, myctrlport
, peerctrlport
, myaddress
, peeraddress
, mydataport
);
1565 pcap_snprintf(newfilter
, currentfiltersize
+ newstringsize
,
1566 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1567 myaddress
, peeraddress
, myctrlport
, peerctrlport
, myaddress
, peeraddress
, mydataport
);
1570 newfilter
[currentfiltersize
+ newstringsize
] = 0;
1572 /* This is only an hack to make the pcap_compile() working properly */
1573 md
->rmt_clientside
= 0;
1575 if (pcap_compile(fp
, prog
, newfilter
, 1, 0) == -1)
1578 /* This is only an hack to make the pcap_compile() working properly */
1579 md
->rmt_clientside
= 1;
1588 * \ingroup remote_pri_func
1590 * \brief Set sampling parameters in the remote host.
1592 * This function is called when the user wants to set activate sampling on the remote host.
1594 * Sampling parameters are defined into the 'pcap_t' structure.
1596 * \param p: the pcap_t descriptor of the device currently opened.
1598 * \return '0' if everything is OK, '-1' is something goes wrong. The error message is returned
1599 * in the 'errbuf' member of the pcap_t structure.
1601 static int pcap_setsampling_remote(pcap_t
*p
)
1603 int retval
; /* general variable used to keep the return value of other functions */
1604 char sendbuf
[RPCAP_NETBUF_SIZE
];/* temporary buffer in which data to be sent is buffered */
1605 int sendbufidx
= 0; /* index which keeps the number of bytes currently buffered */
1606 struct rpcap_header header
; /* To keep the reply message */
1607 struct rpcap_sampling
*sampling_pars
; /* Structure that is needed to send sampling parameters to the remote host */
1608 struct pcap_md
*md
; /* structure used when doing a remote live capture */
1610 md
= (struct pcap_md
*) ((u_char
*)p
->priv
+ sizeof(struct pcap_win
));
1612 /* If no samping is requested, return 'ok' */
1613 if (md
->rmt_samp
.method
== PCAP_SAMP_NOSAMP
)
1616 if (sock_bufferize(NULL
, sizeof(struct rpcap_header
), NULL
,
1617 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, p
->errbuf
, PCAP_ERRBUF_SIZE
))
1620 rpcap_createhdr((struct rpcap_header
*) sendbuf
, RPCAP_MSG_SETSAMPLING_REQ
, 0, sizeof(struct rpcap_sampling
));
1622 /* Fill the structure needed to open an adapter remotely */
1623 sampling_pars
= (struct rpcap_sampling
*) &sendbuf
[sendbufidx
];
1625 if (sock_bufferize(NULL
, sizeof(struct rpcap_sampling
), NULL
,
1626 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, p
->errbuf
, PCAP_ERRBUF_SIZE
))
1629 memset(sampling_pars
, 0, sizeof(struct rpcap_sampling
));
1631 sampling_pars
->method
= md
->rmt_samp
.method
;
1632 sampling_pars
->value
= htonl(md
->rmt_samp
.value
);
1634 if (sock_send(md
->rmt_sockctrl
, sendbuf
, sendbufidx
, p
->errbuf
, PCAP_ERRBUF_SIZE
))
1637 /* Waits for the answer */
1638 if (sock_recv(md
->rmt_sockctrl
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, p
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1641 /* Checks if the message is correct */
1642 retval
= rpcap_checkmsg(p
->errbuf
, md
->rmt_sockctrl
, &header
, RPCAP_MSG_SETSAMPLING_REPLY
, 0);
1644 if (retval
!= RPCAP_MSG_SETSAMPLING_REPLY
) /* the message is not the one expected */
1648 case -3: /* Unrecoverable network error */
1649 case -2: /* The other endpoint sent a message that is not allowed here */
1650 case -1: /* The other endpoint has a version number that is not compatible with our */
1651 case RPCAP_MSG_ERROR
:
1652 /* Do nothing; just exit from here; the error code is already into the errbuf */
1656 SOCK_ASSERT("Internal error", 0);
1661 if (ntohl(header
.plen
) != 0) /* the message has an unexpected size */
1663 if (sock_discard(md
->rmt_sockctrl
, ntohl(header
.plen
), p
->errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1671 /*********************************************************
1673 * Miscellaneous functions *
1675 *********************************************************/
1678 /* \ingroup remote_pri_func
1679 * \brief It sends a RPCAP error to the other peer.
1681 * This function has to be called when the main program detects an error. This function
1682 * will send on the other peer the 'buffer' specified by the user.
1683 * This function *does not* request a RPCAP CLOSE connection. A CLOSE command must be sent
1684 * explicitly by the program, since we do not know it the error can be recovered in some
1685 * way or it is a non-recoverable one.
1687 * \param sock: the socket we are currently using.
1689 * \param error: an user-allocated (and '0' terminated) buffer that contains the error
1690 * description that has to be transmitted on the other peer. The error message cannot
1691 * be longer than PCAP_ERRBUF_SIZE.
1693 * \param errcode: a integer which tells the other party the type of error we had;
1694 * currently is is not too much used.
1696 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
1697 * that will contain the error message (in case there is one). It could be network problem.
1699 * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
1700 * in the 'errbuf' variable.
1702 int rpcap_senderror(SOCKET sock
, char *error
, unsigned short errcode
, char *errbuf
)
1704 char sendbuf
[RPCAP_NETBUF_SIZE
]; /* temporary buffer in which data to be sent is buffered */
1705 int sendbufidx
= 0; /* index which keeps the number of bytes currently buffered */
1708 length
= (uint16
)strlen(error
);
1710 if (length
> PCAP_ERRBUF_SIZE
)
1711 length
= PCAP_ERRBUF_SIZE
;
1713 rpcap_createhdr((struct rpcap_header
*) sendbuf
, RPCAP_MSG_ERROR
, errcode
, length
);
1715 if (sock_bufferize(NULL
, sizeof(struct rpcap_header
), NULL
, &sendbufidx
,
1716 RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, errbuf
, PCAP_ERRBUF_SIZE
))
1719 if (sock_bufferize(error
, length
, sendbuf
, &sendbufidx
,
1720 RPCAP_NETBUF_SIZE
, SOCKBUF_BUFFERIZE
, errbuf
, PCAP_ERRBUF_SIZE
))
1723 if (sock_send(sock
, sendbuf
, sendbufidx
, errbuf
, PCAP_ERRBUF_SIZE
))
1729 /* \ingroup remote_pri_func
1730 * \brief Sends the authentication message.
1732 * It sends the authentication parameters on the control socket.
1733 * This function is required in order to open the connection with the other end party.
1735 * \param sock: the socket we are currently using.
1737 * \param auth: authentication parameters that have to be sent.
1739 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
1740 * that will contain the error message (in case there is one). It could be network problem
1741 * of the fact that the authorization failed.
1743 * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
1744 * in the 'errbuf' variable.
1745 * The error message could be also 'the authentication failed'.
1747 int rpcap_sendauth(SOCKET sock
, struct pcap_rmtauth
*auth
, char *errbuf
)
1749 char sendbuf
[RPCAP_NETBUF_SIZE
]; /* temporary buffer in which data that has to be sent is buffered */
1750 int sendbufidx
= 0; /* index which keeps the number of bytes currently buffered */
1751 uint16 length
; /* length of the payload of this message */
1752 struct rpcap_auth
*rpauth
;
1754 struct rpcap_header header
;
1755 int retval
; /* temp variable which stores functions return value */
1759 auth_type
= auth
->type
;
1763 case RPCAP_RMTAUTH_NULL
:
1764 length
= sizeof(struct rpcap_auth
);
1767 case RPCAP_RMTAUTH_PWD
:
1768 length
= sizeof(struct rpcap_auth
);
1769 if (auth
->username
) length
+= (uint16
) strlen(auth
->username
);
1770 if (auth
->password
) length
+= (uint16
) strlen(auth
->password
);
1774 pcap_snprintf(errbuf
, PCAP_ERRBUF_SIZE
, "Authentication type not recognized.");
1780 auth_type
= RPCAP_RMTAUTH_NULL
;
1781 length
= sizeof(struct rpcap_auth
);
1785 if (sock_bufferize(NULL
, sizeof(struct rpcap_header
), NULL
,
1786 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, errbuf
, PCAP_ERRBUF_SIZE
))
1789 rpcap_createhdr((struct rpcap_header
*) sendbuf
, RPCAP_MSG_AUTH_REQ
, 0, length
);
1791 rpauth
= (struct rpcap_auth
*) &sendbuf
[sendbufidx
];
1793 if (sock_bufferize(NULL
, sizeof(struct rpcap_auth
), NULL
,
1794 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_CHECKONLY
, errbuf
, PCAP_ERRBUF_SIZE
))
1797 memset(rpauth
, 0, sizeof(struct rpcap_auth
));
1799 rpauth
->type
= htons(auth_type
);
1801 if (auth_type
== RPCAP_RMTAUTH_PWD
)
1805 rpauth
->slen1
= (uint16
) strlen(auth
->username
);
1809 if (sock_bufferize(auth
->username
, rpauth
->slen1
, sendbuf
,
1810 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_BUFFERIZE
, errbuf
, PCAP_ERRBUF_SIZE
))
1814 rpauth
->slen2
= (uint16
) strlen(auth
->password
);
1818 if (sock_bufferize(auth
->password
, rpauth
->slen2
, sendbuf
,
1819 &sendbufidx
, RPCAP_NETBUF_SIZE
, SOCKBUF_BUFFERIZE
, errbuf
, PCAP_ERRBUF_SIZE
))
1822 rpauth
->slen1
= htons(rpauth
->slen1
);
1823 rpauth
->slen2
= htons(rpauth
->slen2
);
1826 if (sock_send(sock
, sendbuf
, sendbufidx
, errbuf
, PCAP_ERRBUF_SIZE
))
1829 if (sock_recv(sock
, (char *)&header
, sizeof(struct rpcap_header
), SOCK_RECEIVEALL_YES
, errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1832 retval
= rpcap_checkmsg(errbuf
, sock
, &header
, RPCAP_MSG_AUTH_REPLY
, RPCAP_MSG_ERROR
, 0);
1834 if (retval
!= RPCAP_MSG_AUTH_REPLY
) /* the message is not the one expected */
1838 case -3: /* Unrecoverable network error */
1839 case -2: /* The other endpoint sent a message that is not allowed here */
1840 case -1: /* The other endpoint has a version number that is not compatible with our */
1841 /* Do nothing; just exit from here; the error code is already into the errbuf */
1844 case RPCAP_MSG_ERROR
:
1848 SOCK_ASSERT("Internal error", 0);
1853 if (ntohl(header
.plen
))
1855 if (sock_discard(sock
, ntohl(header
.plen
), errbuf
, PCAP_ERRBUF_SIZE
))
1862 /* \ingroup remote_pri_func
1863 * \brief Creates a structure of type rpcap_header.
1865 * This function is provided just because the creation of an rpcap header is quite a common
1866 * task. It accepts all the values that appears into an rpcap_header, and it puts them in
1867 * place using the proper hton() calls.
1869 * \param header: a pointer to a user-allocated buffer which will contain the serialized
1870 * header, ready to be sent on the network.
1872 * \param type: a value (in the host by order) which will be placed into the header.type
1873 * field and that represents the type of the current message.
1875 * \param value: a value (in the host by order) which will be placed into the header.value
1876 * field and that has a message-dependent meaning.
1878 * \param length: a value (in the host by order) which will be placed into the header.length
1879 * field and that represents the payload length of the message.
1881 * \return Nothing. The serialized header is returned into the 'header' variable.
1883 void rpcap_createhdr(struct rpcap_header
*header
, uint8 type
, uint16 value
, uint32 length
)
1885 memset(header
, 0, sizeof(struct rpcap_header
));
1887 header
->ver
= RPCAP_VERSION
;
1888 header
->type
= type
;
1889 header
->value
= htons(value
);
1890 header
->plen
= htonl(length
);
1893 /* ingroup remote_pri_func
1894 * \brief Checks if the header of the received message is correct.
1896 * This function is a way to easily check if the message received, in a certain
1897 * state of the RPCAP protocol Finite State Machine, is valid. This function accepts,
1898 * as a parameter, the list of message types that are allowed in a certain situation,
1899 * and it returns the one which occurs.
1901 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
1902 * that will contain the error message (in case there is one). It could be either problem
1903 * occurred inside this function (e.g. a network problem in case it tries to send an
1904 * error on the other peer and the send() call fails), an error message which has been
1905 * sent to us from the other party, or a version error (the message receive has a version
1906 * number that is incompatible with our).
1908 * \param sock: the socket that has to be used to receive data. This function can
1909 * read data from socket in case the version contained into the message is not compatible
1910 * with our. In that case, all the message is purged from the socket, so that the following
1911 * recv() calls will return a new message.
1913 * \param header: a pointer to and 'rpcap_header' structure that keeps the data received from
1914 * the network (still in network byte order) and that has to be checked.
1916 * \param first: this function has a variable number of parameters. From this point on,
1917 * all the messages that are valid in this context must be passed as parameters.
1918 * The message type list must be terminated with a '0' value, the null message type,
1919 * which means 'no more types to check'. The RPCAP protocol does not define anything with
1920 * message type equal to zero, so there is no ambiguity in using this value as a list terminator.
1922 * \return The message type of the message that has been detected. In case of errors (e.g. the
1923 * header contains a type that is not listed among the allowed types), this function will
1924 * return the following codes:
1925 * - (-1) if the version is incompatible.
1926 * - (-2) if the code is not among the one listed into the parameters list
1927 * - (-3) if a network error (connection reset, ...)
1928 * - RPCAP_MSG_ERROR if the message is an error message (it follow that the RPCAP_MSG_ERROR
1929 * could not be present in the allowed message-types list, because this function checks
1930 * for errors anyway)
1932 * In case either the version is incompatible or nothing matches (i.e. it returns '-1' or '-2'),
1933 * it discards the message body (i.e. it reads the remaining part of the message from the
1934 * network and it discards it) so that the application is ready to receive a new message.
1936 int rpcap_checkmsg(char *errbuf
, SOCKET sock
, struct rpcap_header
*header
, uint8 first
, ...)
1942 va_start(ap
, first
);
1944 /* Check if the present version of the protocol can handle this message */
1945 if (rpcap_checkver(sock
, header
, errbuf
))
1947 SOCK_ASSERT(errbuf
, 1);
1958 * The message matches with one of the types listed
1959 * There is no need of conversions since both values are uint8
1961 * Check if the other side reported an error.
1962 * If yes, it retrieves it and it returns it back to the caller
1964 if (header
->type
== RPCAP_MSG_ERROR
)
1966 len
= ntohl(header
->plen
);
1968 if (len
>= PCAP_ERRBUF_SIZE
)
1970 if (sock_recv(sock
, errbuf
, PCAP_ERRBUF_SIZE
- 1, SOCK_RECEIVEALL_YES
, errbuf
, PCAP_ERRBUF_SIZE
))
1973 sock_discard(sock
, len
- (PCAP_ERRBUF_SIZE
- 1), NULL
, 0);
1975 /* Put '\0' at the end of the string */
1976 errbuf
[PCAP_ERRBUF_SIZE
- 1] = 0;
1980 if (sock_recv(sock
, errbuf
, len
, SOCK_RECEIVEALL_YES
, errbuf
, PCAP_ERRBUF_SIZE
) == -1)
1983 /* Put '\0' at the end of the string */
1989 return header
->type
;
1992 if (header
->type
== type
)
1995 return header
->type
;
1998 /* get next argument */
1999 type
= va_arg(ap
, int);
2002 /* we already have an error, so please discard this one */
2003 sock_discard(sock
, ntohl(header
->plen
), NULL
, 0);
2005 pcap_snprintf(errbuf
, PCAP_ERRBUF_SIZE
, "The other endpoint sent a message that is not allowed here.");
2006 SOCK_ASSERT(errbuf
, 1);
2012 /* \ingroup remote_pri_func
2013 * \brief Checks if the version contained into the message is compatible with
2014 * the one handled by this implementation.
2016 * Right now, this function does not have any sophisticated task: if the versions
2017 * are different, it returns -1 and it discards the message.
2018 * It is expected that in the future this message will become more complex.
2020 * \param sock: the socket that has to be used to receive data. This function can
2021 * read data from socket in case the version contained into the message is not compatible
2022 * with our. In that case, all the message is purged from the socket, so that the following
2023 * recv() calls will return a new (clean) message.
2025 * \param header: a pointer to and 'rpcap_header' structure that keeps the data received from
2026 * the network (still in network byte order) and that has to be checked.
2028 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
2029 * that will contain the error message (in case there is one). The error message is
2030 * "incompatible version".
2032 * \return '0' if everything is fine, '-1' if some errors occurred. The error message is returned
2033 * in the 'errbuf' variable.
2035 static int rpcap_checkver(SOCKET sock
, struct rpcap_header
*header
, char *errbuf
)
2038 * This is a sample function.
2040 * In the real world, you have to check at the type code,
2041 * and decide accordingly.
2044 if (header
->ver
!= RPCAP_VERSION
)
2046 pcap_snprintf(errbuf
, PCAP_ERRBUF_SIZE
, "Incompatible version number: message discarded.");
2048 /* we already have an error, so please discard this one */
2049 sock_discard(sock
, ntohl(header
->plen
), NULL
, 0);
2056 /* \ingroup remote_pri_func
2058 * \brief It returns the socket currently used for this active connection
2059 * (active mode only) and provides an indication of whether this connection
2060 * is in active mode or not.
2062 * This function is just for internal use; it returns the socket ID of the
2063 * active connection currently opened.
2065 * \param host: a string that keeps the host name of the host for which we
2066 * want to get the socket ID for that active connection.
2068 * \param isactive: a pointer to an int that is set to 1 if there's an
2069 * active connection to that host and 0 otherwise.
2071 * \param errbuf: a pointer to a user-allocated buffer (of size
2072 * PCAP_ERRBUF_SIZE) that will contain the error message (in case
2075 * \return the socket identifier if everything is fine, '0' if this host
2076 * is not in the active host list. An indication of whether this host
2077 * is in the active host list is returned into the isactive variable.
2078 * It returns 'INVALID_SOCKET' in case of error. The error message is
2079 * returned into the errbuf variable.
2081 SOCKET
rpcap_remoteact_getsock(const char *host
, int *isactive
, char *errbuf
)
2083 struct activehosts
*temp
; /* temp var needed to scan the host list chain */
2084 struct addrinfo hints
, *addrinfo
, *ai_next
; /* temp var needed to translate between hostname to its address */
2087 /* retrieve the network address corresponding to 'host' */
2089 memset(&hints
, 0, sizeof(struct addrinfo
));
2090 hints
.ai_family
= PF_UNSPEC
;
2091 hints
.ai_socktype
= SOCK_STREAM
;
2093 retval
= getaddrinfo(host
, "0", &hints
, &addrinfo
);
2096 pcap_snprintf(errbuf
, PCAP_ERRBUF_SIZE
, "getaddrinfo() %s", gai_strerror(retval
));
2098 return INVALID_SOCKET
;
2108 if (sock_cmpaddr(&temp
->host
, (struct sockaddr_storage
*) ai_next
->ai_addr
) == 0) {
2110 return (temp
->sockctrl
);
2113 ai_next
= ai_next
->ai_next
;
2119 freeaddrinfo(addrinfo
);
2122 * The host for which you want to get the socket ID does not have an
2123 * active connection.