1 files changed, 413 insertions, 0 deletions
diff --git a/pcap-snoop.c b/pcap-snoop.c
new file mode 100644
index 0000000..330e01d
--- /dev/null
+++ b/pcap-snoop.c
@@ -0,0 +1,413 @@
+/*
+ * Copyright (c) 1993, 1994, 1995, 1996, 1997
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+#ifndef lint
+static const char rcsid[] _U_ =
+    "@(#) $Header: /tcpdump/master/libpcap/pcap-snoop.c,v 1.59 2008-12-02 16:25:14 guy Exp $ (LBL)";
+#endif
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <net/raw.h>
+#include <net/if.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/if_ether.h>
+#include <netinet/ip_var.h>
+#include <netinet/udp.h>
+#include <netinet/udp_var.h>
+#include <netinet/tcp.h>
+#include <netinet/tcpip.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "pcap-int.h"
+
+#ifdef HAVE_OS_PROTO_H
+#include "os-proto.h"
+#endif
+
+static int
+pcap_read_snoop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
+{
+	int cc;
+	register struct snoopheader *sh;
+	register u_int datalen;
+	register u_int caplen;
+	register u_char *cp;
+
+again:
+	/*
+	 * Has "pcap_breakloop()" been called?
+	 */
+	if (p->break_loop) {
+		/*
+		 * Yes - clear the flag that indicates that it
+		 * has, and return -2 to indicate that we were
+		 * told to break out of the loop.
+		 */
+		p->break_loop = 0;
+		return (-2);
+	}
+	cc = read(p->fd, (char *)p->buffer, p->bufsize);
+	if (cc < 0) {
+		/* Don't choke when we get ptraced */
+		switch (errno) {
+
+		case EINTR:
+			goto again;
+
+		case EWOULDBLOCK:
+			return (0);			/* XXX */
+		}
+		snprintf(p->errbuf, sizeof(p->errbuf),
+		    "read: %s", pcap_strerror(errno));
+		return (-1);
+	}
+	sh = (struct snoopheader *)p->buffer;
+	datalen = sh->snoop_packetlen;
+
+	/*
+	 * XXX - Sigh, snoop_packetlen is a 16 bit quantity.  If we
+	 * got a short length, but read a full sized snoop pakcet,
+	 * assume we overflowed and add back the 64K...
+	 */
+	if (cc == (p->snapshot + sizeof(struct snoopheader)) &&
+	    (datalen < p->snapshot))
+		datalen += (64 * 1024);
+
+	caplen = (datalen < p->snapshot) ? datalen : p->snapshot;
+	cp = (u_char *)(sh + 1) + p->offset;		/* XXX */
+
+	/* 
+	 * XXX unfortunately snoop loopback isn't exactly like
+	 * BSD's.  The address family is encoded in the first 2
+	 * bytes rather than the first 4 bytes!  Luckily the last
+	 * two snoop loopback bytes are zeroed.
+	 */
+	if (p->linktype == DLT_NULL && *((short *)(cp + 2)) == 0) {
+		u_int *uip = (u_int *)cp;
+		*uip >>= 16;
+	}
+
+	if (p->fcode.bf_insns == NULL ||
+	    bpf_filter(p->fcode.bf_insns, cp, datalen, caplen)) {
+		struct pcap_pkthdr h;
+		++p->md.stat.ps_recv;
+		h.ts.tv_sec = sh->snoop_timestamp.tv_sec;
+		h.ts.tv_usec = sh->snoop_timestamp.tv_usec;
+		h.len = datalen;
+		h.caplen = caplen;
+		(*callback)(user, &h, cp);
+		return (1);
+	}
+	return (0);
+}
+
+static int
+pcap_inject_snoop(pcap_t *p, const void *buf, size_t size)
+{
+	int ret;
+
+	/*
+	 * XXX - libnet overwrites the source address with what I
+	 * presume is the interface's address; is that required?
+	 */
+	ret = write(p->fd, buf, size);
+	if (ret == -1) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "send: %s",
+		    pcap_strerror(errno));
+		return (-1);
+	}
+	return (ret);
+}                           
+
+static int
+pcap_stats_snoop(pcap_t *p, struct pcap_stat *ps)
+{
+	register struct rawstats *rs;
+	struct rawstats rawstats;
+
+	rs = &rawstats;
+	memset(rs, 0, sizeof(*rs));
+	if (ioctl(p->fd, SIOCRAWSTATS, (char *)rs) < 0) {
+		snprintf(p->errbuf, sizeof(p->errbuf),
+		    "SIOCRAWSTATS: %s", pcap_strerror(errno));
+		return (-1);
+	}
+
+	/*
+	 * "ifdrops" are those dropped by the network interface
+	 * due to resource shortages or hardware errors.
+	 *
+	 * "sbdrops" are those dropped due to socket buffer limits.
+	 *
+	 * As filter is done in userland, "sbdrops" counts packets
+	 * regardless of whether they would've passed the filter.
+	 *
+	 * XXX - does this count *all* Snoop or Drain sockets,
+	 * rather than just this socket?  If not, why does it have
+	 * both Snoop and Drain statistics?
+	 */
+	p->md.stat.ps_drop =
+	    rs->rs_snoop.ss_ifdrops + rs->rs_snoop.ss_sbdrops +
+	    rs->rs_drain.ds_ifdrops + rs->rs_drain.ds_sbdrops;
+
+	/*
+	 * "ps_recv" counts only packets that passed the filter.
+	 * As filtering is done in userland, this does not include
+	 * packets dropped because we ran out of buffer space.
+	 */
+	*ps = p->md.stat;
+	return (0);
+}
+
+/* XXX can't disable promiscuous */
+static int
+pcap_activate_snoop(pcap_t *p)
+{
+	int fd;
+	struct sockaddr_raw sr;
+	struct snoopfilter sf;
+	u_int v;
+	int ll_hdrlen;
+	int snooplen;
+	struct ifreq ifr;
+
+	fd = socket(PF_RAW, SOCK_RAW, RAWPROTO_SNOOP);
+	if (fd < 0) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "snoop socket: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+	p->fd = fd;
+	memset(&sr, 0, sizeof(sr));
+	sr.sr_family = AF_RAW;
+	(void)strncpy(sr.sr_ifname, p->opt.source, sizeof(sr.sr_ifname));
+	if (bind(fd, (struct sockaddr *)&sr, sizeof(sr))) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "snoop bind: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+	memset(&sf, 0, sizeof(sf));
+	if (ioctl(fd, SIOCADDSNOOP, &sf) < 0) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCADDSNOOP: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+	if (p->opt.buffer_size != 0)
+		v = p->opt.buffer_size;
+	else
+		v = 64 * 1024;	/* default to 64K buffer size */
+	(void)setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (char *)&v, sizeof(v));
+	/*
+	 * XXX hack - map device name to link layer type
+	 */
+	if (strncmp("et", p->opt.source, 2) == 0 ||	/* Challenge 10 Mbit */
+	    strncmp("ec", p->opt.source, 2) == 0 ||	/* Indigo/Indy 10 Mbit,
+							   O2 10/100 */
+	    strncmp("ef", p->opt.source, 2) == 0 ||	/* O200/2000 10/100 Mbit */
+	    strncmp("eg", p->opt.source, 2) == 0 ||	/* Octane/O2xxx/O3xxx Gigabit */
+	    strncmp("gfe", p->opt.source, 3) == 0 ||	/* GIO 100 Mbit */
+	    strncmp("fxp", p->opt.source, 3) == 0 ||	/* Challenge VME Enet */
+	    strncmp("ep", p->opt.source, 2) == 0 ||	/* Challenge 8x10 Mbit EPLEX */
+	    strncmp("vfe", p->opt.source, 3) == 0 ||	/* Challenge VME 100Mbit */
+	    strncmp("fa", p->opt.source, 2) == 0 ||
+	    strncmp("qaa", p->opt.source, 3) == 0 ||
+	    strncmp("cip", p->opt.source, 3) == 0 ||
+	    strncmp("el", p->opt.source, 2) == 0) {
+		p->linktype = DLT_EN10MB;
+		p->offset = RAW_HDRPAD(sizeof(struct ether_header));
+		ll_hdrlen = sizeof(struct ether_header);
+		/*
+		 * This is (presumably) a real Ethernet capture; give it a
+		 * link-layer-type list with DLT_EN10MB and DLT_DOCSIS, so
+		 * that an application can let you choose it, in case you're
+		 * capturing DOCSIS traffic that a Cisco Cable Modem
+		 * Termination System is putting out onto an Ethernet (it
+		 * doesn't put an Ethernet header onto the wire, it puts raw
+		 * DOCSIS frames out on the wire inside the low-level
+		 * Ethernet framing).
+		 *
+		 * XXX - are there any sorts of "fake Ethernet" that have
+		 * Ethernet link-layer headers but that *shouldn't offer
+		 * DLT_DOCSIS as a Cisco CMTS won't put traffic onto it
+		 * or get traffic bridged onto it?  "el" is for ATM LANE
+		 * Ethernet devices, so that might be the case for them;
+		 * the same applies for "qaa" classical IP devices.  If
+		 * "fa" devices are for FORE SPANS, that'd apply to them
+		 * as well; what are "cip" devices - some other ATM
+		 * Classical IP devices?
+		 */
+		p->dlt_list = (u_int *) malloc(sizeof(u_int) * 2);
+		/*
+		 * If that fails, just leave the list empty.
+		 */
+		if (p->dlt_list != NULL) {
+			p->dlt_list[0] = DLT_EN10MB;
+			p->dlt_list[1] = DLT_DOCSIS;
+			p->dlt_count = 2;
+		}
+	} else if (strncmp("ipg", p->opt.source, 3) == 0 ||
+		   strncmp("rns", p->opt.source, 3) == 0 ||	/* O2/200/2000 FDDI */
+		   strncmp("xpi", p->opt.source, 3) == 0) {
+		p->linktype = DLT_FDDI;
+		p->offset = 3;				/* XXX yeah? */
+		ll_hdrlen = 13;
+	} else if (strncmp("ppp", p->opt.source, 3) == 0) {
+		p->linktype = DLT_RAW;
+		ll_hdrlen = 0;	/* DLT_RAW meaning "no PPP header, just the IP packet"? */
+	} else if (strncmp("qfa", p->opt.source, 3) == 0) {
+		p->linktype = DLT_IP_OVER_FC;
+		ll_hdrlen = 24;
+	} else if (strncmp("pl", p->opt.source, 2) == 0) {
+		p->linktype = DLT_RAW;
+		ll_hdrlen = 0;	/* Cray UNICOS/mp pseudo link */
+	} else if (strncmp("lo", p->opt.source, 2) == 0) {
+		p->linktype = DLT_NULL;
+		ll_hdrlen = 4;
+	} else {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
+		    "snoop: unknown physical layer type");
+		goto bad;
+	}
+
+	if (p->opt.rfmon) {
+		/*
+		 * No monitor mode on Irix (no Wi-Fi devices on
+		 * hardware supported by Irix).
+		 */
+		return (PCAP_ERROR_RFMON_NOTSUP);
+	}
+
+#ifdef SIOCGIFMTU
+	/*
+	 * XXX - IRIX appears to give you an error if you try to set the
+	 * capture length to be greater than the MTU, so let's try to get
+	 * the MTU first and, if that succeeds, trim the snap length
+	 * to be no greater than the MTU.
+	 */
+	(void)strncpy(ifr.ifr_name, p->opt.source, sizeof(ifr.ifr_name));
+	if (ioctl(fd, SIOCGIFMTU, (char *)&ifr) < 0) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCGIFMTU: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+	/*
+	 * OK, we got it.
+	 *
+	 * XXX - some versions of IRIX 6.5 define "ifr_mtu" and have an
+	 * "ifru_metric" member of the "ifr_ifru" union in an "ifreq"
+	 * structure, others don't.
+	 *
+	 * I've no idea what's going on, so, if "ifr_mtu" isn't defined,
+	 * we define it as "ifr_metric", as using that field appears to
+	 * work on the versions that lack "ifr_mtu" (and, on those that
+	 * don't lack it, "ifru_metric" and "ifru_mtu" are both "int"
+	 * members of the "ifr_ifru" union, which suggests that they
+	 * may be interchangeable in this case).
+	 */
+#ifndef ifr_mtu
+#define ifr_mtu	ifr_metric
+#endif
+	if (p->snapshot > ifr.ifr_mtu + ll_hdrlen)
+		p->snapshot = ifr.ifr_mtu + ll_hdrlen;
+#endif
+
+	/*
+	 * The argument to SIOCSNOOPLEN is the number of link-layer
+	 * payload bytes to capture - it doesn't count link-layer
+	 * header bytes.
+	 */
+	snooplen = p->snapshot - ll_hdrlen;
+	if (snooplen < 0)
+		snooplen = 0;
+	if (ioctl(fd, SIOCSNOOPLEN, &snooplen) < 0) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCSNOOPLEN: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+	v = 1;
+	if (ioctl(fd, SIOCSNOOPING, &v) < 0) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "SIOCSNOOPING: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+
+	p->bufsize = 4096;				/* XXX */
+	p->buffer = (u_char *)malloc(p->bufsize);
+	if (p->buffer == NULL) {
+		snprintf(p->errbuf, PCAP_ERRBUF_SIZE, "malloc: %s",
+		    pcap_strerror(errno));
+		goto bad;
+	}
+
+	/*
+	 * "p->fd" is a socket, so "select()" should work on it.
+	 */
+	p->selectable_fd = p->fd;
+
+	p->read_op = pcap_read_snoop;
+	p->inject_op = pcap_inject_snoop;
+	p->setfilter_op = install_bpf_program;	/* no kernel filtering */
+	p->setdirection_op = NULL;	/* Not implemented. */
+	p->set_datalink_op = NULL;	/* can't change data link type */
+	p->getnonblock_op = pcap_getnonblock_fd;
+	p->setnonblock_op = pcap_setnonblock_fd;
+	p->stats_op = pcap_stats_snoop;
+
+	return (0);
+ bad:
+	pcap_cleanup_live_common(p);
+	return (PCAP_ERROR);
+}
+
+pcap_t *
+pcap_create(const char *device, char *ebuf)
+{
+	pcap_t *p;
+
+	p = pcap_create_common(device, ebuf);
+	if (p == NULL)
+		return (NULL);
+
+	p->activate_op = pcap_activate_snoop;
+	return (p);
+}
+
+int
+pcap_platform_finddevs(pcap_if_t **alldevsp, char *errbuf)
+{
+	return (0);
+}