1 /*
2 * Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
3 * Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Politecnico di Torino, CACE Technologies
16 * nor the names of its contributors may be used to endorse or promote
17 * products derived from this software without specific prior written
18 * permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
23 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 *
32 */
33
34 #ifdef HAVE_CONFIG_H
35 #include <config.h>
36 #endif
37
38 #include "ftmacros.h"
39
40 #include <string.h> /* for strlen(), ... */
41 #include <stdlib.h> /* for malloc(), free(), ... */
42 #include <stdarg.h> /* for functions with variable number of arguments */
43 #include <errno.h> /* for the errno variable */
44 #include "sockutils.h"
45 #include "pcap-int.h"
46 #include "rpcap-protocol.h"
47 #include "pcap-rpcap.h"
48
49 /*
50 * This file contains the pcap module for capturing from a remote machine's
51 * interfaces using the RPCAP protocol.
52 *
53 * WARNING: All the RPCAP functions that are allowed to return a buffer
54 * containing the error description can return max PCAP_ERRBUF_SIZE characters.
55 * However there is no guarantees that the string will be zero-terminated.
56 * Best practice is to define the errbuf variable as a char of size
57 * 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
58 * of the buffer. This will guarantee that no buffer overflows occur even
59 * if we use the printf() to show the error on the screen.
60 *
61 * XXX - actually, null-terminating the error string is part of the
62 * contract for the pcap API; if there's any place in the pcap code
63 * that doesn't guarantee null-termination, even at the expense of
64 * cutting the message short, that's a bug and needs to be fixed.
65 */
66
67 #define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
68 #ifdef _WIN32
69 #define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
70 #endif
71
72 /*
73 * \brief Keeps a list of all the opened connections in the active mode.
74 *
75 * This structure defines a linked list of items that are needed to keep the info required to
76 * manage the active mode.
77 * In other words, when a new connection in active mode starts, this structure is updated so that
78 * it reflects the list of active mode connections currently opened.
79 * This structure is required by findalldevs() and open_remote() to see if they have to open a new
80 * control connection toward the host, or they already have a control connection in place.
81 */
82 struct activehosts
83 {
84 struct sockaddr_storage host;
85 SOCKET sockctrl;
86 uint8 protocol_version;
87 struct activehosts *next;
88 };
89
90 /* Keeps a list of all the opened connections in the active mode. */
91 static struct activehosts *activeHosts;
92
93 /*
94 * Keeps the main socket identifier when we want to accept a new remote
95 * connection (active mode only).
96 * See the documentation of pcap_remoteact_accept() and
97 * pcap_remoteact_cleanup() for more details.
98 */
99 static SOCKET sockmain;
100
101 /*
102 * Private data for capturing remotely using the rpcap protocol.
103 */
104 struct pcap_rpcap {
105 /*
106 * This is '1' if we're the network client; it is needed by several
107 * functions (such as pcap_setfilter()) to know whether they have
108 * to use the socket or have to open the local adapter.
109 */
110 int rmt_clientside;
111
112 SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */
113 SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */
114 int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
115 int rmt_capstarted; /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */
116 char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
117
118 uint8 protocol_version; /* negotiated protocol version */
119
120 unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */
121
122 /*
123 * This keeps the number of packets that have been received by the
124 * application.
125 *
126 * Packets dropped by the kernel buffer are not counted in this
127 * variable. It is always equal to (TotAccepted - TotDrops),
128 * except for the case of remote capture, in which we have also
129 * packets in flight, i.e. that have been transmitted by the remote
130 * host, but that have not been received (yet) from the client.
131 * In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
132 * wrong result, since this number does not corresponds always to
133 * the number of packet received by the application. For this reason,
134 * in the remote capture we need another variable that takes into
135 * account of the number of packets actually received by the
136 * application.
137 */
138 unsigned int TotCapt;
139
140 struct pcap_stat stat;
141 /* XXX */
142 struct pcap *next; /* list of open pcaps that need stuff cleared on close */
143 };
144
145 /****************************************************
146 * *
147 * Locally defined functions *
148 * *
149 ****************************************************/
150 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
151 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
152 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
153 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
154 static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
155 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
156 static int pcap_setsampling_remote(pcap_t *fp);
157 static int pcap_startcapture_remote(pcap_t *fp);
158 static int rpcap_recv_msg_header(SOCKET sock, struct rpcap_header *header, char *errbuf);
159 static int rpcap_check_msg_ver(SOCKET sock, uint8 expected_ver, struct rpcap_header *header, char *errbuf);
160 static int rpcap_check_msg_type(SOCKET sock, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf);
161 static int rpcap_process_msg_header(SOCKET sock, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf);
162 static int rpcap_recv(SOCKET sock, void *buffer, size_t toread, uint32 *plen, char *errbuf);
163 static void rpcap_msg_err(SOCKET sockctrl, uint32 plen, char *remote_errbuf);
164 static int rpcap_discard(SOCKET sock, uint32 len, char *errbuf);
165 static int rpcap_read_packet_msg(SOCKET sock, pcap_t *p, size_t size);
166
167 /****************************************************
168 * *
169 * Function bodies *
170 * *
171 ****************************************************/
172
173 /*
174 * This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
175 * structure from the network byte order to a 'sockaddr_in" or
176 * 'sockaddr_in6' structure in the host byte order.
177 *
178 * It accepts an 'rpcap_sockaddr' structure as it is received from the
179 * network, and checks the address family field against various values
180 * to see whether it looks like an IPv4 address, an IPv6 address, or
181 * neither of those. It checks for multiple values in order to try
182 * to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
183 * or 'sockaddr_in6' structures over the wire with some members
184 * byte-swapped, and to handle the fact that AF_INET6 has different
185 * values on different OSes.
186 *
187 * For IPv4 addresses, it converts the address family to host byte
188 * order from network byte order and puts it into the structure,
189 * sets the length if a sockaddr structure has a length, converts the
190 * port number to host byte order from network byte order and puts
191 * it into the structure, copies over the IPv4 address, and zeroes
192 * out the zero padding.
193 *
194 * For IPv6 addresses, it converts the address family to host byte
195 * order from network byte order and puts it into the structure,
196 * sets the length if a sockaddr structure has a length, converts the
197 * port number and flow information to host byte order from network
198 * byte order and puts them into the structure, copies over the IPv6
199 * address, and converts the scope ID to host byte order from network
200 * byte order and puts it into the structure.
201 *
202 * The function will allocate the 'sockaddrout' variable according to the
203 * address family in use. In case the address does not belong to the
204 * AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
205 * NULL pointer is returned. This usually happens because that address
206 * does not exist on the other host, or is of an address family other
207 * than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
208 * structure containing all 'zero' values.
209 *
210 * Older RPCAPDs sent the addresses over the wire in the OS's native
211 * structure format. For most OSes, this looks like the over-the-wire
212 * format, but might have a different value for AF_INET6 than the value
213 * on the machine receiving the reply. For OSes with the newer BSD-style
214 * sockaddr structures, this has, instead of a 2-byte address family,
215 * a 1-byte structure length followed by a 1-byte address family. The
216 * RPCAPD code would put the address family in network byte order before
217 * sending it; that would set it to 0 on a little-endian machine, as
218 * htons() of any value between 1 and 255 would result in a value > 255,
219 * with its lower 8 bits zero, so putting that back into a 1-byte field
220 * would set it to 0.
221 *
222 * Therefore, for older RPCAPDs running on an OS with newer BSD-style
223 * sockaddr structures, the family field, if treated as a big-endian
224 * (network byte order) 16-bit field, would be:
225 *
226 * (length << 8) | family if sent by a big-endian machine
227 * (length << 8) if sent by a little-endian machine
228 *
229 * For current RPCAPDs, and for older RPCAPDs running on an OS with
230 * older BSD-style sockaddr structures, the family field, if treated
231 * as a big-endian 16-bit field, would just contain the family.
232 *
233 * \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
234 * to be de-serialized.
235 *
236 * \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
237 * the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
238 * This variable will be allocated automatically inside this function.
239 *
240 * \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
241 * that will contain the error message (in case there is one).
242 *
243 * \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
244 * can be only the fact that the malloc() failed to allocate memory.
245 * The error message is returned in the 'errbuf' variable, while the deserialized address
246 * is returned into the 'sockaddrout' variable.
247 *
248 * \warning This function supports only AF_INET and AF_INET6 address families.
249 *
250 * \warning The sockaddrout (if not NULL) must be deallocated by the user.
251 */
252
253 /*
254 * Possible IPv4 family values other than the designated over-the-wire value,
255 * which is 2 (because everybody uses 2 for AF_INET4).
256 */
257 #define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */
258 #define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */
259 #define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2)
260 #define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8)
261
262 /*
263 * Possible IPv6 family values other than the designated over-the-wire value,
264 * which is 23 (because that's what Windows uses, and most RPCAP servers
265 * out there are probably running Windows, as WinPcap includes the server
266 * but few if any UN*Xes build and ship it).
267 *
268 * The new BSD sockaddr structure format was in place before 4.4-Lite, so
269 * all the free-software BSDs use it.
270 */
271 #define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */
272 #define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */
273 #define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */
274 #define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8)
275 #define LINUX_AF_INET6 10
276 #define HPUX_AF_INET6 22
277 #define AIX_AF_INET6 24
278 #define SOLARIS_AF_INET6 26
279
280 static int
rpcap_deseraddr(struct rpcap_sockaddr * sockaddrin,struct sockaddr_storage ** sockaddrout,char * errbuf)281 rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
282 {
283 /* Warning: we support only AF_INET and AF_INET6 */
284 switch (ntohs(sockaddrin->family))
285 {
286 case RPCAP_AF_INET:
287 case NEW_BSD_AF_INET_BE:
288 case NEW_BSD_AF_INET_LE:
289 {
290 struct rpcap_sockaddr_in *sockaddrin_ipv4;
291 struct sockaddr_in *sockaddrout_ipv4;
292
293 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in));
294 if ((*sockaddrout) == NULL)
295 {
296 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
297 errno, "malloc() failed");
298 return -1;
299 }
300 sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
301 sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
302 sockaddrout_ipv4->sin_family = AF_INET;
303 sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
304 memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
305 memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
306 break;
307 }
308
309 #ifdef AF_INET6
310 case RPCAP_AF_INET6:
311 case NEW_BSD_AF_INET6_BSD_BE:
312 case NEW_BSD_AF_INET6_FREEBSD_BE:
313 case NEW_BSD_AF_INET6_DARWIN_BE:
314 case NEW_BSD_AF_INET6_LE:
315 case LINUX_AF_INET6:
316 case HPUX_AF_INET6:
317 case AIX_AF_INET6:
318 case SOLARIS_AF_INET6:
319 {
320 struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
321 struct sockaddr_in6 *sockaddrout_ipv6;
322
323 (*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6));
324 if ((*sockaddrout) == NULL)
325 {
326 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
327 errno, "malloc() failed");
328 return -1;
329 }
330 sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
331 sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
332 sockaddrout_ipv6->sin6_family = AF_INET6;
333 sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
334 sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
335 memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
336 sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
337 break;
338 }
339 #endif
340
341 default:
342 /*
343 * It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
344 * support AF_INET6, it's not AF_INET).
345 */
346 *sockaddrout = NULL;
347 break;
348 }
349 return 0;
350 }
351
352 /*
353 * This function reads a packet from the network socket. It does not
354 * deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
355 * the "nocb" string into its name).
356 *
357 * This function is called by pcap_read_rpcap().
358 *
359 * WARNING: By choice, this function does not make use of semaphores. A smarter
360 * implementation should put a semaphore into the data thread, and a signal will
361 * be raised as soon as there is data into the socket buffer.
362 * However this is complicated and it does not bring any advantages when reading
363 * from the network, in which network delays can be much more important than
364 * these optimizations. Therefore, we chose the following approach:
365 * - the 'timeout' chosen by the user is split in two (half on the server side,
366 * with the usual meaning, and half on the client side)
367 * - this function checks for packets; if there are no packets, it waits for
368 * timeout/2 and then it checks again. If packets are still missing, it returns,
369 * otherwise it reads packets.
370 */
pcap_read_nocb_remote(pcap_t * p,struct pcap_pkthdr * pkt_header,u_char ** pkt_data)371 static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
372 {
373 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
374 struct rpcap_header *header; /* general header according to the RPCAP format */
375 struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */
376 u_char *net_pkt_data; /* packet data from the message */
377 uint32 plen;
378 int retval; /* generic return value */
379 int msglen;
380
381 /* Structures needed for the select() call */
382 struct timeval tv; /* maximum time the select() can block waiting for data */
383 fd_set rfds; /* set of socket descriptors we have to check */
384
385 /*
386 * Define the packet buffer timeout, to be used in the select()
387 * 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
388 */
389 tv.tv_sec = p->opt.timeout / 1000;
390 tv.tv_usec = (p->opt.timeout - tv.tv_sec * 1000) * 1000;
391
392 /* Watch out sockdata to see if it has input */
393 FD_ZERO(&rfds);
394
395 /*
396 * 'fp->rmt_sockdata' has always to be set before calling the select(),
397 * since it is cleared by the select()
398 */
399 FD_SET(pr->rmt_sockdata, &rfds);
400
401 retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
402 if (retval == -1)
403 {
404 #ifndef _WIN32
405 if (errno == EINTR)
406 {
407 /* Interrupted. */
408 return 0;
409 }
410 #endif
411 sock_geterror("select()", p->errbuf, PCAP_ERRBUF_SIZE);
412 return -1;
413 }
414
415 /* There is no data waiting, so return '0' */
416 if (retval == 0)
417 return 0;
418
419 /*
420 * We have to define 'header' as a pointer to a larger buffer,
421 * because in case of UDP we have to read all the message within a single call
422 */
423 header = (struct rpcap_header *) p->buffer;
424 net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
425 net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
426
427 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
428 {
429 /* Read the entire message from the network */
430 msglen = sock_recv_dgram(pr->rmt_sockdata, p->buffer,
431 p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE);
432 if (msglen == -1)
433 {
434 /* Network error. */
435 return -1;
436 }
437 if (msglen == -3)
438 {
439 /* Interrupted receive. */
440 return 0;
441 }
442 if ((size_t)msglen < sizeof(struct rpcap_header))
443 {
444 /*
445 * Message is shorter than an rpcap header.
446 */
447 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
448 "UDP packet message is shorter than an rpcap header");
449 return -1;
450 }
451 plen = ntohl(header->plen);
452 if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
453 {
454 /*
455 * Message is shorter than the header claims it
456 * is.
457 */
458 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
459 "UDP packet message is shorter than its rpcap header claims");
460 return -1;
461 }
462 }
463 else
464 {
465 int status;
466
467 if ((size_t)p->cc < sizeof(struct rpcap_header))
468 {
469 /*
470 * We haven't read any of the packet header yet.
471 * The size we should get is the size of the
472 * packet header.
473 */
474 status = rpcap_read_packet_msg(pr->rmt_sockdata, p,
475 sizeof(struct rpcap_header));
476 if (status == -1)
477 {
478 /* Network error. */
479 return -1;
480 }
481 if (status == -3)
482 {
483 /* Interrupted receive. */
484 return 0;
485 }
486 }
487
488 /*
489 * We have the header, so we know how long the
490 * message payload is. The size we should get
491 * is the size of the packet header plus the
492 * size of the payload.
493 */
494 plen = ntohl(header->plen);
495 if (plen > p->bufsize - sizeof(struct rpcap_header))
496 {
497 /*
498 * This is bigger than the largest
499 * record we'd expect. (We do it by
500 * subtracting in order to avoid an
501 * overflow.)
502 */
503 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
504 "Server sent us a message larger than the largest expected packet message");
505 return -1;
506 }
507 status = rpcap_read_packet_msg(pr->rmt_sockdata, p,
508 sizeof(struct rpcap_header) + plen);
509 if (status == -1)
510 {
511 /* Network error. */
512 return -1;
513 }
514 if (status == -3)
515 {
516 /* Interrupted receive. */
517 return 0;
518 }
519
520 /*
521 * We have the entire message; reset the buffer pointer
522 * and count, as the next read should start a new
523 * message.
524 */
525 p->bp = p->buffer;
526 p->cc = 0;
527 }
528
529 /*
530 * We have the entire message.
531 */
532 header->plen = plen;
533
534 /*
535 * Did the server specify the version we negotiated?
536 */
537 if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->protocol_version,
538 header, p->errbuf) == -1)
539 {
540 return 0; /* Return 'no packets received' */
541 }
542
543 /*
544 * Is this a RPCAP_MSG_PACKET message?
545 */
546 if (header->type != RPCAP_MSG_PACKET)
547 {
548 return 0; /* Return 'no packets received' */
549 }
550
551 if (ntohl(net_pkt_header->caplen) > plen)
552 {
553 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
554 "Packet's captured data goes past the end of the received packet message.");
555 return -1;
556 }
557
558 /* Fill in packet header */
559 pkt_header->caplen = ntohl(net_pkt_header->caplen);
560 pkt_header->len = ntohl(net_pkt_header->len);
561 pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
562 pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
563
564 /* Supply a pointer to the beginning of the packet data */
565 *pkt_data = net_pkt_data;
566
567 /*
568 * I don't update the counter of the packets dropped by the network since we're using TCP,
569 * therefore no packets are dropped. Just update the number of packets received correctly
570 */
571 pr->TotCapt++;
572
573 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
574 {
575 unsigned int npkt;
576
577 /* We're using UDP, so we need to update the counter of the packets dropped by the network */
578 npkt = ntohl(net_pkt_header->npkt);
579
580 if (pr->TotCapt != npkt)
581 {
582 pr->TotNetDrops += (npkt - pr->TotCapt);
583 pr->TotCapt = npkt;
584 }
585 }
586
587 /* Packet read successfully */
588 return 1;
589 }
590
591 /*
592 * This function reads a packet from the network socket.
593 *
594 * This function relies on the pcap_read_nocb_remote to deliver packets. The
595 * difference, here, is that as soon as a packet is read, it is delivered
596 * to the application by means of a callback function.
597 */
pcap_read_rpcap(pcap_t * p,int cnt,pcap_handler callback,u_char * user)598 static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
599 {
600 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
601 struct pcap_pkthdr pkt_header;
602 u_char *pkt_data;
603 int n = 0;
604 int ret;
605
606 /*
607 * If this is client-side, and we haven't already started
608 * the capture, start it now.
609 */
610 if (pr->rmt_clientside)
611 {
612 /* We are on an remote capture */
613 if (!pr->rmt_capstarted)
614 {
615 /*
616 * The capture isn't started yet, so try to
617 * start it.
618 */
619 if (pcap_startcapture_remote(p))
620 return -1;
621 }
622 }
623
624 while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
625 {
626 /*
627 * Has "pcap_breakloop()" been called?
628 */
629 if (p->break_loop) {
630 /*
631 * Yes - clear the flag that indicates that it
632 * has, and return PCAP_ERROR_BREAK to indicate
633 * that we were told to break out of the loop.
634 */
635 p->break_loop = 0;
636 return (PCAP_ERROR_BREAK);
637 }
638
639 /*
640 * Read some packets.
641 */
642 ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
643 if (ret == 1)
644 {
645 /*
646 * We got a packet. Hand it to the callback
647 * and count it so we can return the count.
648 */
649 (*callback)(user, &pkt_header, pkt_data);
650 n++;
651 }
652 else if (ret == -1)
653 {
654 /* Error. */
655 return ret;
656 }
657 else
658 {
659 /*
660 * No packet; this could mean that we timed
661 * out, or that we got interrupted, or that
662 * we got a bad packet.
663 *
664 * Were we told to break out of the loop?
665 */
666 if (p->break_loop) {
667 /*
668 * Yes.
669 */
670 p->break_loop = 0;
671 return (PCAP_ERROR_BREAK);
672 }
673 /* No - return the number of packets we've processed. */
674 return n;
675 }
676 }
677 return n;
678 }
679
680 /*
681 * This function sends a CLOSE command to the capture server.
682 *
683 * It is called when the user calls pcap_close(). It sends a command
684 * to our peer that says 'ok, let's stop capturing'.
685 *
686 * WARNING: Since we're closing the connection, we do not check for errors.
687 */
pcap_cleanup_rpcap(pcap_t * fp)688 static void pcap_cleanup_rpcap(pcap_t *fp)
689 {
690 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
691 struct rpcap_header header; /* header of the RPCAP packet */
692 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
693 int active = 0; /* active mode or not? */
694
695 /* detect if we're in active mode */
696 temp = activeHosts;
697 while (temp)
698 {
699 if (temp->sockctrl == pr->rmt_sockctrl)
700 {
701 active = 1;
702 break;
703 }
704 temp = temp->next;
705 }
706
707 if (!active)
708 {
709 rpcap_createhdr(&header, pr->protocol_version,
710 RPCAP_MSG_CLOSE, 0, 0);
711
712 /*
713 * Send the close request; don't report any errors, as
714 * we're closing this pcap_t, and have no place to report
715 * the error. No reply is sent to this message.
716 */
717 (void)sock_send(pr->rmt_sockctrl, (char *)&header,
718 sizeof(struct rpcap_header), NULL, 0);
719 }
720 else
721 {
722 rpcap_createhdr(&header, pr->protocol_version,
723 RPCAP_MSG_ENDCAP_REQ, 0, 0);
724
725 /*
726 * Send the end capture request; don't report any errors,
727 * as we're closing this pcap_t, and have no place to
728 * report the error.
729 */
730 if (sock_send(pr->rmt_sockctrl, (char *)&header,
731 sizeof(struct rpcap_header), NULL, 0) == 0)
732 {
733 /*
734 * Wait for the answer; don't report any errors,
735 * as we're closing this pcap_t, and have no
736 * place to report the error.
737 */
738 if (rpcap_process_msg_header(pr->rmt_sockctrl,
739 pr->protocol_version, RPCAP_MSG_ENDCAP_REQ,
740 &header, NULL) == 0)
741 {
742 (void)rpcap_discard(pr->rmt_sockctrl,
743 header.plen, NULL);
744 }
745 }
746 }
747
748 if (pr->rmt_sockdata)
749 {
750 sock_close(pr->rmt_sockdata, NULL, 0);
751 pr->rmt_sockdata = 0;
752 }
753
754 if ((!active) && (pr->rmt_sockctrl))
755 sock_close(pr->rmt_sockctrl, NULL, 0);
756
757 pr->rmt_sockctrl = 0;
758
759 if (pr->currentfilter)
760 {
761 free(pr->currentfilter);
762 pr->currentfilter = NULL;
763 }
764
765 pcap_cleanup_live_common(fp);
766
767 /* To avoid inconsistencies in the number of sock_init() */
768 sock_cleanup();
769 }
770
771 /*
772 * This function retrieves network statistics from our peer;
773 * it provides only the standard statistics.
774 */
pcap_stats_rpcap(pcap_t * p,struct pcap_stat * ps)775 static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
776 {
777 struct pcap_stat *retval;
778
779 retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
780
781 if (retval)
782 return 0;
783 else
784 return -1;
785 }
786
787 #ifdef _WIN32
788 /*
789 * This function retrieves network statistics from our peer;
790 * it provides the additional statistics supported by pcap_stats_ex().
791 */
pcap_stats_ex_rpcap(pcap_t * p,int * pcap_stat_size)792 static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
793 {
794 *pcap_stat_size = sizeof (p->stat);
795
796 /* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
797 return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
798 }
799 #endif
800
801 /*
802 * This function retrieves network statistics from our peer. It
803 * is used by the two previous functions.
804 *
805 * It can be called in two modes:
806 * - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
807 * for pcap_stats())
808 * - PCAP_STATS_EX: if we want extended statistics (i.e., for
809 * pcap_stats_ex())
810 *
811 * This 'mode' parameter is needed because in pcap_stats() the variable that
812 * keeps the statistics is allocated by the user. On Windows, this structure
813 * has been extended in order to keep new stats. However, if the user has a
814 * smaller structure and it passes it to pcap_stats(), this function will
815 * try to fill in more data than the size of the structure, so that memory
816 * after the structure will be overwritten.
817 *
818 * So, we need to know it we have to copy just the standard fields, or the
819 * extended fields as well.
820 *
821 * In case we want to copy the extended fields as well, the problem of
822 * memory overflow no longer exists because the structure that's filled
823 * in is part of the pcap_t, so that it can be guaranteed to be large
824 * enough for the additional statistics.
825 *
826 * \param p: the pcap_t structure related to the current instance.
827 *
828 * \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
829 * with pcap_stat(), where the structure is allocated by the user. In case
830 * of pcap_stats_ex(), this structure and the function return value point
831 * to the same variable.
832 *
833 * \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
834 *
835 * \return The structure that keeps the statistics, or NULL in case of error.
836 * The error string is placed in the pcap_t structure.
837 */
rpcap_stats_rpcap(pcap_t * p,struct pcap_stat * ps,int mode)838 static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
839 {
840 struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
841 struct rpcap_header header; /* header of the RPCAP packet */
842 struct rpcap_stats netstats; /* statistics sent on the network */
843 uint32 plen; /* data remaining in the message */
844
845 #ifdef _WIN32
846 if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
847 #else
848 if (mode != PCAP_STATS_STANDARD)
849 #endif
850 {
851 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
852 "Invalid stats mode %d", mode);
853 return NULL;
854 }
855
856 /*
857 * If the capture has not yet started, we cannot request statistics
858 * for the capture from our peer, so we return 0 for all statistics,
859 * as nothing's been seen yet.
860 */
861 if (!pr->rmt_capstarted)
862 {
863 ps->ps_drop = 0;
864 ps->ps_ifdrop = 0;
865 ps->ps_recv = 0;
866 #ifdef _WIN32
867 if (mode == PCAP_STATS_EX)
868 {
869 ps->ps_capt = 0;
870 ps->ps_sent = 0;
871 ps->ps_netdrop = 0;
872 }
873 #endif /* _WIN32 */
874
875 return ps;
876 }
877
878 rpcap_createhdr(&header, pr->protocol_version,
879 RPCAP_MSG_STATS_REQ, 0, 0);
880
881 /* Send the PCAP_STATS command */
882 if (sock_send(pr->rmt_sockctrl, (char *)&header,
883 sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
884 return NULL; /* Unrecoverable network error */
885
886 /* Receive and process the reply message header. */
887 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
888 RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
889 return NULL; /* Error */
890
891 plen = header.plen;
892
893 /* Read the reply body */
894 if (rpcap_recv(pr->rmt_sockctrl, (char *)&netstats,
895 sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
896 goto error;
897
898 ps->ps_drop = ntohl(netstats.krnldrop);
899 ps->ps_ifdrop = ntohl(netstats.ifdrop);
900 ps->ps_recv = ntohl(netstats.ifrecv);
901 #ifdef _WIN32
902 if (mode == PCAP_STATS_EX)
903 {
904 ps->ps_capt = pr->TotCapt;
905 ps->ps_netdrop = pr->TotNetDrops;
906 ps->ps_sent = ntohl(netstats.svrcapt);
907 }
908 #endif /* _WIN32 */
909
910 /* Discard the rest of the message. */
911 if (rpcap_discard(pr->rmt_sockctrl, plen, p->errbuf) == -1)
912 goto error_nodiscard;
913
914 return ps;
915
916 error:
917 /*
918 * Discard the rest of the message.
919 * We already reported an error; if this gets an error, just
920 * drive on.
921 */
922 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL);
923
924 error_nodiscard:
925 return NULL;
926 }
927
928 /*
929 * This function returns the entry in the list of active hosts for this
930 * active connection (active mode only), or NULL if there is no
931 * active connection or an error occurred. It is just for internal
932 * use.
933 *
934 * \param host: a string that keeps the host name of the host for which we
935 * want to get the socket ID for that active connection.
936 *
937 * \param error: a pointer to an int that is set to 1 if an error occurred
938 * and 0 otherwise.
939 *
940 * \param errbuf: a pointer to a user-allocated buffer (of size
941 * PCAP_ERRBUF_SIZE) that will contain the error message (in case
942 * there is one).
943 *
944 * \return the entry for this host in the list of active connections
945 * if found, NULL if it's not found or there's an error.
946 */
947 static struct activehosts *
rpcap_remoteact_getsock(const char * host,int * error,char * errbuf)948 rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
949 {
950 struct activehosts *temp; /* temp var needed to scan the host list chain */
951 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
952 int retval;
953
954 /* retrieve the network address corresponding to 'host' */
955 addrinfo = NULL;
956 memset(&hints, 0, sizeof(struct addrinfo));
957 hints.ai_family = PF_UNSPEC;
958 hints.ai_socktype = SOCK_STREAM;
959
960 retval = getaddrinfo(host, "0", &hints, &addrinfo);
961 if (retval != 0)
962 {
963 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s",
964 gai_strerror(retval));
965 *error = 1;
966 return NULL;
967 }
968
969 temp = activeHosts;
970
971 while (temp)
972 {
973 ai_next = addrinfo;
974 while (ai_next)
975 {
976 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
977 {
978 *error = 0;
979 freeaddrinfo(addrinfo);
980 return temp;
981 }
982
983 ai_next = ai_next->ai_next;
984 }
985 temp = temp->next;
986 }
987
988 if (addrinfo)
989 freeaddrinfo(addrinfo);
990
991 /*
992 * The host for which you want to get the socket ID does not have an
993 * active connection.
994 */
995 *error = 0;
996 return NULL;
997 }
998
999 /*
1000 * This function starts a remote capture.
1001 *
1002 * This function is required since the RPCAP protocol decouples the 'open'
1003 * from the 'start capture' functions.
1004 * This function takes all the parameters needed (which have been stored
1005 * into the pcap_t structure) and sends them to the server.
1006 *
1007 * \param fp: the pcap_t descriptor of the device currently open.
1008 *
1009 * \return '0' if everything is fine, '-1' otherwise. The error message
1010 * (if one) is returned into the 'errbuf' field of the pcap_t structure.
1011 */
pcap_startcapture_remote(pcap_t * fp)1012 static int pcap_startcapture_remote(pcap_t *fp)
1013 {
1014 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1015 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1016 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1017 char portdata[PCAP_BUF_SIZE]; /* temp variable needed to keep the network port for the data connection */
1018 uint32 plen;
1019 int active = 0; /* '1' if we're in active mode */
1020 struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
1021 char host[INET6_ADDRSTRLEN + 1]; /* numeric name of the other host */
1022
1023 /* socket-related variables*/
1024 struct addrinfo hints; /* temp, needed to open a socket connection */
1025 struct addrinfo *addrinfo; /* temp, needed to open a socket connection */
1026 SOCKET sockdata = 0; /* socket descriptor of the data connection */
1027 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1028 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1029 int ai_family; /* temp, keeps the address family used by the control connection */
1030
1031 /* RPCAP-related variables*/
1032 struct rpcap_header header; /* header of the RPCAP packet */
1033 struct rpcap_startcapreq *startcapreq; /* start capture request message */
1034 struct rpcap_startcapreply startcapreply; /* start capture reply message */
1035
1036 /* Variables related to the buffer setting */
1037 int res;
1038 socklen_t itemp;
1039 int sockbufsize = 0;
1040 uint32 server_sockbufsize;
1041
1042 /*
1043 * Let's check if sampling has been required.
1044 * If so, let's set it first
1045 */
1046 if (pcap_setsampling_remote(fp) != 0)
1047 return -1;
1048
1049 /* detect if we're in active mode */
1050 temp = activeHosts;
1051 while (temp)
1052 {
1053 if (temp->sockctrl == pr->rmt_sockctrl)
1054 {
1055 active = 1;
1056 break;
1057 }
1058 temp = temp->next;
1059 }
1060
1061 addrinfo = NULL;
1062
1063 /*
1064 * Gets the complete sockaddr structure used in the ctrl connection
1065 * This is needed to get the address family of the control socket
1066 * Tip: I cannot save the ai_family of the ctrl sock in the pcap_t struct,
1067 * since the ctrl socket can already be open in case of active mode;
1068 * so I would have to call getpeername() anyway
1069 */
1070 saddrlen = sizeof(struct sockaddr_storage);
1071 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1072 {
1073 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1074 goto error_nodiscard;
1075 }
1076 ai_family = ((struct sockaddr_storage *) &saddr)->ss_family;
1077
1078 /* Get the numeric address of the remote host we are connected to */
1079 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, host,
1080 sizeof(host), NULL, 0, NI_NUMERICHOST))
1081 {
1082 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1083 goto error_nodiscard;
1084 }
1085
1086 /*
1087 * Data connection is opened by the server toward the client if:
1088 * - we're using TCP, and the user wants us to be in active mode
1089 * - we're using UDP
1090 */
1091 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1092 {
1093 /*
1094 * We have to create a new socket to receive packets
1095 * We have to do that immediately, since we have to tell the other
1096 * end which network port we picked up
1097 */
1098 memset(&hints, 0, sizeof(struct addrinfo));
1099 /* TEMP addrinfo is NULL in case of active */
1100 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1101 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1102 hints.ai_flags = AI_PASSIVE; /* Data connection is opened by the server toward the client */
1103
1104 /* Let's the server pick up a free network port for us */
1105 if (sock_initaddress(NULL, "0", &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1106 goto error_nodiscard;
1107
1108 if ((sockdata = sock_open(addrinfo, SOCKOPEN_SERVER,
1109 1 /* max 1 connection in queue */, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1110 goto error_nodiscard;
1111
1112 /* addrinfo is no longer used */
1113 freeaddrinfo(addrinfo);
1114 addrinfo = NULL;
1115
1116 /* get the complete sockaddr structure used in the data connection */
1117 saddrlen = sizeof(struct sockaddr_storage);
1118 if (getsockname(sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1119 {
1120 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1121 goto error_nodiscard;
1122 }
1123
1124 /* Get the local port the system picked up */
1125 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL,
1126 0, portdata, sizeof(portdata), NI_NUMERICSERV))
1127 {
1128 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1129 goto error_nodiscard;
1130 }
1131 }
1132
1133 /*
1134 * Now it's time to start playing with the RPCAP protocol
1135 * RPCAP start capture command: create the request message
1136 */
1137 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1138 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1139 goto error_nodiscard;
1140
1141 rpcap_createhdr((struct rpcap_header *) sendbuf,
1142 pr->protocol_version, RPCAP_MSG_STARTCAP_REQ, 0,
1143 sizeof(struct rpcap_startcapreq) + sizeof(struct rpcap_filter) + fp->fcode.bf_len * sizeof(struct rpcap_filterbpf_insn));
1144
1145 /* Fill the structure needed to open an adapter remotely */
1146 startcapreq = (struct rpcap_startcapreq *) &sendbuf[sendbufidx];
1147
1148 if (sock_bufferize(NULL, sizeof(struct rpcap_startcapreq), NULL,
1149 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1150 goto error_nodiscard;
1151
1152 memset(startcapreq, 0, sizeof(struct rpcap_startcapreq));
1153
1154 /* By default, apply half the timeout on one side, half of the other */
1155 fp->opt.timeout = fp->opt.timeout / 2;
1156 startcapreq->read_timeout = htonl(fp->opt.timeout);
1157
1158 /* portdata on the openreq is meaningful only if we're in active mode */
1159 if ((active) || (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1160 {
1161 sscanf(portdata, "%d", (int *)&(startcapreq->portdata)); /* cast to avoid a compiler warning */
1162 startcapreq->portdata = htons(startcapreq->portdata);
1163 }
1164
1165 startcapreq->snaplen = htonl(fp->snapshot);
1166 startcapreq->flags = 0;
1167
1168 if (pr->rmt_flags & PCAP_OPENFLAG_PROMISCUOUS)
1169 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_PROMISC;
1170 if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
1171 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_DGRAM;
1172 if (active)
1173 startcapreq->flags |= RPCAP_STARTCAPREQ_FLAG_SERVEROPEN;
1174
1175 startcapreq->flags = htons(startcapreq->flags);
1176
1177 /* Pack the capture filter */
1178 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, &fp->fcode))
1179 goto error_nodiscard;
1180
1181 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf,
1182 PCAP_ERRBUF_SIZE) < 0)
1183 goto error_nodiscard;
1184
1185 /* Receive and process the reply message header. */
1186 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
1187 RPCAP_MSG_STARTCAP_REQ, &header, fp->errbuf) == -1)
1188 goto error_nodiscard;
1189
1190 plen = header.plen;
1191
1192 if (rpcap_recv(pr->rmt_sockctrl, (char *)&startcapreply,
1193 sizeof(struct rpcap_startcapreply), &plen, fp->errbuf) == -1)
1194 goto error;
1195
1196 /*
1197 * In case of UDP data stream, the connection is always opened by the daemon
1198 * So, this case is already covered by the code above.
1199 * Now, we have still to handle TCP connections, because:
1200 * - if we're in active mode, we have to wait for a remote connection
1201 * - if we're in passive more, we have to start a connection
1202 *
1203 * We have to do he job in two steps because in case we're opening a TCP connection, we have
1204 * to tell the port we're using to the remote side; in case we're accepting a TCP
1205 * connection, we have to wait this info from the remote side.
1206 */
1207 if (!(pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP))
1208 {
1209 if (!active)
1210 {
1211 memset(&hints, 0, sizeof(struct addrinfo));
1212 hints.ai_family = ai_family; /* Use the same address family of the control socket */
1213 hints.ai_socktype = (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP) ? SOCK_DGRAM : SOCK_STREAM;
1214 pcap_snprintf(portdata, PCAP_BUF_SIZE, "%d", ntohs(startcapreply.portdata));
1215
1216 /* Let's the server pick up a free network port for us */
1217 if (sock_initaddress(host, portdata, &hints, &addrinfo, fp->errbuf, PCAP_ERRBUF_SIZE) == -1)
1218 goto error;
1219
1220 if ((sockdata = sock_open(addrinfo, SOCKOPEN_CLIENT, 0, fp->errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
1221 goto error;
1222
1223 /* addrinfo is no longer used */
1224 freeaddrinfo(addrinfo);
1225 addrinfo = NULL;
1226 }
1227 else
1228 {
1229 SOCKET socktemp; /* We need another socket, since we're going to accept() a connection */
1230
1231 /* Connection creation */
1232 saddrlen = sizeof(struct sockaddr_storage);
1233
1234 socktemp = accept(sockdata, (struct sockaddr *) &saddr, &saddrlen);
1235
1236 if (socktemp == INVALID_SOCKET)
1237 {
1238 sock_geterror("accept()", fp->errbuf, PCAP_ERRBUF_SIZE);
1239 goto error;
1240 }
1241
1242 /* Now that I accepted the connection, the server socket is no longer needed */
1243 sock_close(sockdata, fp->errbuf, PCAP_ERRBUF_SIZE);
1244 sockdata = socktemp;
1245 }
1246 }
1247
1248 /* Let's save the socket of the data connection */
1249 pr->rmt_sockdata = sockdata;
1250
1251 /*
1252 * Set the size of the socket buffer for the data socket.
1253 * It has the same size as the local capture buffer used
1254 * on the other side of the connection.
1255 */
1256 server_sockbufsize = ntohl(startcapreply.bufsize);
1257
1258 /* Let's get the actual size of the socket buffer */
1259 itemp = sizeof(sockbufsize);
1260
1261 res = getsockopt(sockdata, SOL_SOCKET, SO_RCVBUF, (char *)&sockbufsize, &itemp);
1262 if (res == -1)
1263 {
1264 sock_geterror("pcap_startcapture_remote(): getsockopt() failed", fp->errbuf, PCAP_ERRBUF_SIZE);
1265 goto error;
1266 }
1267
1268 /*
1269 * Warning: on some kernels (e.g. Linux), the size of the user
1270 * buffer does not take into account the pcap_header and such,
1271 * and it is set equal to the snaplen.
1272 *
1273 * In my view, this is wrong (the meaning of the bufsize became
1274 * a bit strange). So, here bufsize is the whole size of the
1275 * user buffer. In case the bufsize returned is too small,
1276 * let's adjust it accordingly.
1277 */
1278 if (server_sockbufsize <= (u_int) fp->snapshot)
1279 server_sockbufsize += sizeof(struct pcap_pkthdr);
1280
1281 /* if the current socket buffer is smaller than the desired one */
1282 if ((u_int) sockbufsize < server_sockbufsize)
1283 {
1284 /*
1285 * Loop until the buffer size is OK or the original
1286 * socket buffer size is larger than this one.
1287 */
1288 for (;;)
1289 {
1290 res = setsockopt(sockdata, SOL_SOCKET, SO_RCVBUF,
1291 (char *)&(server_sockbufsize),
1292 sizeof(server_sockbufsize));
1293
1294 if (res == 0)
1295 break;
1296
1297 /*
1298 * If something goes wrong, halve the buffer size
1299 * (checking that it does not become smaller than
1300 * the current one).
1301 */
1302 server_sockbufsize /= 2;
1303
1304 if ((u_int) sockbufsize >= server_sockbufsize)
1305 {
1306 server_sockbufsize = sockbufsize;
1307 break;
1308 }
1309 }
1310 }
1311
1312 /*
1313 * Let's allocate the packet; this is required in order to put
1314 * the packet somewhere when extracting data from the socket.
1315 * Since buffering has already been done in the socket buffer,
1316 * here we need just a buffer whose size is equal to the
1317 * largest possible packet message for the snapshot size,
1318 * namely the length of the message header plus the length
1319 * of the packet header plus the snapshot length.
1320 */
1321 fp->bufsize = sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr) + fp->snapshot;
1322
1323 fp->buffer = (u_char *)malloc(fp->bufsize);
1324 if (fp->buffer == NULL)
1325 {
1326 pcap_fmt_errmsg_for_errno(fp->errbuf, PCAP_ERRBUF_SIZE,
1327 errno, "malloc");
1328 goto error;
1329 }
1330
1331 /*
1332 * The buffer is currently empty.
1333 */
1334 fp->bp = fp->buffer;
1335 fp->cc = 0;
1336
1337 /* Discard the rest of the message. */
1338 if (rpcap_discard(pr->rmt_sockctrl, plen, fp->errbuf) == -1)
1339 goto error_nodiscard;
1340
1341 /*
1342 * In case the user does not want to capture RPCAP packets, let's update the filter
1343 * We have to update it here (instead of sending it into the 'StartCapture' message
1344 * because when we generate the 'start capture' we do not know (yet) all the ports
1345 * we're currently using.
1346 */
1347 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1348 {
1349 struct bpf_program fcode;
1350
1351 if (pcap_createfilter_norpcappkt(fp, &fcode) == -1)
1352 goto error;
1353
1354 /* We cannot use 'pcap_setfilter_rpcap' because formally the capture has not been started yet */
1355 /* (the 'pr->rmt_capstarted' variable will be updated some lines below) */
1356 if (pcap_updatefilter_remote(fp, &fcode) == -1)
1357 goto error;
1358
1359 pcap_freecode(&fcode);
1360 }
1361
1362 pr->rmt_capstarted = 1;
1363 return 0;
1364
1365 error:
1366 /*
1367 * When the connection has been established, we have to close it. So, at the
1368 * beginning of this function, if an error occur we return immediately with
1369 * a return NULL; when the connection is established, we have to come here
1370 * ('goto error;') in order to close everything properly.
1371 */
1372
1373 /*
1374 * Discard the rest of the message.
1375 * We already reported an error; if this gets an error, just
1376 * drive on.
1377 */
1378 (void)rpcap_discard(pr->rmt_sockctrl, plen, NULL);
1379
1380 error_nodiscard:
1381 if ((sockdata) && (sockdata != -1)) /* we can be here because sockdata said 'error' */
1382 sock_close(sockdata, NULL, 0);
1383
1384 if (!active)
1385 sock_close(pr->rmt_sockctrl, NULL, 0);
1386
1387 if (addrinfo != NULL)
1388 freeaddrinfo(addrinfo);
1389
1390 /*
1391 * We do not have to call pcap_close() here, because this function is always called
1392 * by the user in case something bad happens
1393 */
1394 #if 0
1395 if (fp)
1396 {
1397 pcap_close(fp);
1398 fp= NULL;
1399 }
1400 #endif
1401
1402 return -1;
1403 }
1404
1405 /*
1406 * This function takes a bpf program and sends it to the other host.
1407 *
1408 * This function can be called in two cases:
1409 * - pcap_startcapture_remote() is called (we have to send the filter
1410 * along with the 'start capture' command)
1411 * - we want to udpate the filter during a capture (i.e. pcap_setfilter()
1412 * after the capture has been started)
1413 *
1414 * This function serializes the filter into the sending buffer ('sendbuf',
1415 * passed as a parameter) and return back. It does not send anything on
1416 * the network.
1417 *
1418 * \param fp: the pcap_t descriptor of the device currently opened.
1419 *
1420 * \param sendbuf: the buffer on which the serialized data has to copied.
1421 *
1422 * \param sendbufidx: it is used to return the abounf of bytes copied into the buffer.
1423 *
1424 * \param prog: the bpf program we have to copy.
1425 *
1426 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1427 * is returned into the 'errbuf' field of the pcap_t structure.
1428 */
pcap_pack_bpffilter(pcap_t * fp,char * sendbuf,int * sendbufidx,struct bpf_program * prog)1429 static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog)
1430 {
1431 struct rpcap_filter *filter;
1432 struct rpcap_filterbpf_insn *insn;
1433 struct bpf_insn *bf_insn;
1434 struct bpf_program fake_prog; /* To be used just in case the user forgot to set a filter */
1435 unsigned int i;
1436
1437 if (prog->bf_len == 0) /* No filters have been specified; so, let's apply a "fake" filter */
1438 {
1439 if (pcap_compile(fp, &fake_prog, NULL /* buffer */, 1, 0) == -1)
1440 return -1;
1441
1442 prog = &fake_prog;
1443 }
1444
1445 filter = (struct rpcap_filter *) sendbuf;
1446
1447 if (sock_bufferize(NULL, sizeof(struct rpcap_filter), NULL, sendbufidx,
1448 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1449 return -1;
1450
1451 filter->filtertype = htons(RPCAP_UPDATEFILTER_BPF);
1452 filter->nitems = htonl((int32)prog->bf_len);
1453
1454 if (sock_bufferize(NULL, prog->bf_len * sizeof(struct rpcap_filterbpf_insn),
1455 NULL, sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1456 return -1;
1457
1458 insn = (struct rpcap_filterbpf_insn *) (filter + 1);
1459 bf_insn = prog->bf_insns;
1460
1461 for (i = 0; i < prog->bf_len; i++)
1462 {
1463 insn->code = htons(bf_insn->code);
1464 insn->jf = bf_insn->jf;
1465 insn->jt = bf_insn->jt;
1466 insn->k = htonl(bf_insn->k);
1467
1468 insn++;
1469 bf_insn++;
1470 }
1471
1472 return 0;
1473 }
1474
1475 /*
1476 * This function updates a filter on a remote host.
1477 *
1478 * It is called when the user wants to update a filter.
1479 * In case we're capturing from the network, it sends the filter to our
1480 * peer.
1481 * This function is *not* called automatically when the user calls
1482 * pcap_setfilter().
1483 * There will be two cases:
1484 * - the capture has been started: in this case, pcap_setfilter_rpcap()
1485 * calls pcap_updatefilter_remote()
1486 * - the capture has not started yet: in this case, pcap_setfilter_rpcap()
1487 * stores the filter into the pcap_t structure, and then the filter is
1488 * sent with pcap_startcap().
1489 *
1490 * WARNING This function *does not* clear the packet currently into the
1491 * buffers. Therefore, the user has to expect to receive some packets
1492 * that are related to the previous filter. If you want to discard all
1493 * the packets before applying a new filter, you have to close the
1494 * current capture session and start a new one.
1495 *
1496 * XXX - we really should have pcap_setfilter() always discard packets
1497 * received with the old filter, and have a separate pcap_setfilter_noflush()
1498 * function that doesn't discard any packets.
1499 */
pcap_updatefilter_remote(pcap_t * fp,struct bpf_program * prog)1500 static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog)
1501 {
1502 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1503 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
1504 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1505 struct rpcap_header header; /* To keep the reply message */
1506
1507 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL, &sendbufidx,
1508 RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1509 return -1;
1510
1511 rpcap_createhdr((struct rpcap_header *) sendbuf,
1512 pr->protocol_version, RPCAP_MSG_UPDATEFILTER_REQ, 0,
1513 sizeof(struct rpcap_filter) + prog->bf_len * sizeof(struct rpcap_filterbpf_insn));
1514
1515 if (pcap_pack_bpffilter(fp, &sendbuf[sendbufidx], &sendbufidx, prog))
1516 return -1;
1517
1518 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf,
1519 PCAP_ERRBUF_SIZE) < 0)
1520 return -1;
1521
1522 /* Receive and process the reply message header. */
1523 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
1524 RPCAP_MSG_UPDATEFILTER_REQ, &header, fp->errbuf) == -1)
1525 return -1;
1526
1527 /*
1528 * It shouldn't have any contents; discard it if it does.
1529 */
1530 if (rpcap_discard(pr->rmt_sockctrl, header.plen, fp->errbuf) == -1)
1531 return -1;
1532
1533 return 0;
1534 }
1535
1536 static void
pcap_save_current_filter_rpcap(pcap_t * fp,const char * filter)1537 pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter)
1538 {
1539 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1540
1541 /*
1542 * Check if:
1543 * - We are on an remote capture
1544 * - we do not want to capture RPCAP traffic
1545 *
1546 * If so, we have to save the current filter, because we have to
1547 * add some piece of stuff later
1548 */
1549 if (pr->rmt_clientside &&
1550 (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP))
1551 {
1552 if (pr->currentfilter)
1553 free(pr->currentfilter);
1554
1555 if (filter == NULL)
1556 filter = "";
1557
1558 pr->currentfilter = strdup(filter);
1559 }
1560 }
1561
1562 /*
1563 * This function sends a filter to a remote host.
1564 *
1565 * This function is called when the user wants to set a filter.
1566 * It sends the filter to our peer.
1567 * This function is called automatically when the user calls pcap_setfilter().
1568 *
1569 * Parameters and return values are exactly the same of pcap_setfilter().
1570 */
pcap_setfilter_rpcap(pcap_t * fp,struct bpf_program * prog)1571 static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog)
1572 {
1573 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1574
1575 if (!pr->rmt_capstarted)
1576 {
1577 /* copy filter into the pcap_t structure */
1578 if (install_bpf_program(fp, prog) == -1)
1579 return -1;
1580 return 0;
1581 }
1582
1583 /* we have to update a filter during run-time */
1584 if (pcap_updatefilter_remote(fp, prog))
1585 return -1;
1586
1587 return 0;
1588 }
1589
1590 /*
1591 * This function updates the current filter in order not to capture rpcap
1592 * packets.
1593 *
1594 * This function is called *only* when the user wants exclude RPCAP packets
1595 * related to the current session from the captured packets.
1596 *
1597 * \return '0' if everything is fine, '-1' otherwise. The error message (if one)
1598 * is returned into the 'errbuf' field of the pcap_t structure.
1599 */
pcap_createfilter_norpcappkt(pcap_t * fp,struct bpf_program * prog)1600 static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog)
1601 {
1602 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1603 int RetVal = 0;
1604
1605 /* We do not want to capture our RPCAP traffic. So, let's update the filter */
1606 if (pr->rmt_flags & PCAP_OPENFLAG_NOCAPTURE_RPCAP)
1607 {
1608 struct sockaddr_storage saddr; /* temp, needed to retrieve the network data port chosen on the local machine */
1609 socklen_t saddrlen; /* temp, needed to retrieve the network data port chosen on the local machine */
1610 char myaddress[128];
1611 char myctrlport[128];
1612 char mydataport[128];
1613 char peeraddress[128];
1614 char peerctrlport[128];
1615 char *newfilter;
1616
1617 /* Get the name/port of our peer */
1618 saddrlen = sizeof(struct sockaddr_storage);
1619 if (getpeername(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1620 {
1621 sock_geterror("getpeername()", fp->errbuf, PCAP_ERRBUF_SIZE);
1622 return -1;
1623 }
1624
1625 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, peeraddress,
1626 sizeof(peeraddress), peerctrlport, sizeof(peerctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1627 {
1628 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1629 return -1;
1630 }
1631
1632 /* We cannot check the data port, because this is available only in case of TCP sockets */
1633 /* Get the name/port of the current host */
1634 if (getsockname(pr->rmt_sockctrl, (struct sockaddr *) &saddr, &saddrlen) == -1)
1635 {
1636 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1637 return -1;
1638 }
1639
1640 /* Get the local port the system picked up */
1641 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, myaddress,
1642 sizeof(myaddress), myctrlport, sizeof(myctrlport), NI_NUMERICHOST | NI_NUMERICSERV))
1643 {
1644 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1645 return -1;
1646 }
1647
1648 /* Let's now check the data port */
1649 if (getsockname(pr->rmt_sockdata, (struct sockaddr *) &saddr, &saddrlen) == -1)
1650 {
1651 sock_geterror("getsockname()", fp->errbuf, PCAP_ERRBUF_SIZE);
1652 return -1;
1653 }
1654
1655 /* Get the local port the system picked up */
1656 if (getnameinfo((struct sockaddr *) &saddr, saddrlen, NULL, 0, mydataport, sizeof(mydataport), NI_NUMERICSERV))
1657 {
1658 sock_geterror("getnameinfo()", fp->errbuf, PCAP_ERRBUF_SIZE);
1659 return -1;
1660 }
1661
1662 if (pr->currentfilter && pr->currentfilter[0] != '\0')
1663 {
1664 /*
1665 * We have a current filter; add items to it to
1666 * filter out this rpcap session.
1667 */
1668 if (pcap_asprintf(&newfilter,
1669 "(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1670 pr->currentfilter, myaddress, peeraddress,
1671 myctrlport, peerctrlport, myaddress, peeraddress,
1672 mydataport) == -1)
1673 {
1674 /* Failed. */
1675 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1676 "Can't allocate memory for new filter");
1677 return -1;
1678 }
1679 }
1680 else
1681 {
1682 /*
1683 * We have no current filter; construct a filter to
1684 * filter out this rpcap session.
1685 */
1686 if (pcap_asprintf(&newfilter,
1687 "not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)",
1688 myaddress, peeraddress, myctrlport, peerctrlport,
1689 myaddress, peeraddress, mydataport) == -1)
1690 {
1691 /* Failed. */
1692 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1693 "Can't allocate memory for new filter");
1694 return -1;
1695 }
1696 }
1697
1698 /*
1699 * This is only an hack to prevent the save_current_filter
1700 * routine, which will be called when we call pcap_compile(),
1701 * from saving the modified filter.
1702 */
1703 pr->rmt_clientside = 0;
1704
1705 if (pcap_compile(fp, prog, newfilter, 1, 0) == -1)
1706 RetVal = -1;
1707
1708 /* Undo the hack. */
1709 pr->rmt_clientside = 1;
1710
1711 free(newfilter);
1712 }
1713
1714 return RetVal;
1715 }
1716
1717 /*
1718 * This function sets sampling parameters in the remote host.
1719 *
1720 * It is called when the user wants to set activate sampling on the
1721 * remote host.
1722 *
1723 * Sampling parameters are defined into the 'pcap_t' structure.
1724 *
1725 * \param p: the pcap_t descriptor of the device currently opened.
1726 *
1727 * \return '0' if everything is OK, '-1' is something goes wrong. The
1728 * error message is returned in the 'errbuf' member of the pcap_t structure.
1729 */
pcap_setsampling_remote(pcap_t * fp)1730 static int pcap_setsampling_remote(pcap_t *fp)
1731 {
1732 struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
1733 char sendbuf[RPCAP_NETBUF_SIZE];/* temporary buffer in which data to be sent is buffered */
1734 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1735 struct rpcap_header header; /* To keep the reply message */
1736 struct rpcap_sampling *sampling_pars; /* Structure that is needed to send sampling parameters to the remote host */
1737
1738 /* If no samping is requested, return 'ok' */
1739 if (fp->rmt_samp.method == PCAP_SAMP_NOSAMP)
1740 return 0;
1741
1742 /*
1743 * Check for sampling parameters that don't fit in a message.
1744 * We'll let the server complain about invalid parameters
1745 * that do fit into the message.
1746 */
1747 if (fp->rmt_samp.method < 0 || fp->rmt_samp.method > 255) {
1748 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1749 "Invalid sampling method %d", fp->rmt_samp.method);
1750 return -1;
1751 }
1752 if (fp->rmt_samp.value < 0 || fp->rmt_samp.value > 65535) {
1753 pcap_snprintf(fp->errbuf, PCAP_ERRBUF_SIZE,
1754 "Invalid sampling value %d", fp->rmt_samp.value);
1755 return -1;
1756 }
1757
1758 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1759 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1760 return -1;
1761
1762 rpcap_createhdr((struct rpcap_header *) sendbuf,
1763 pr->protocol_version, RPCAP_MSG_SETSAMPLING_REQ, 0,
1764 sizeof(struct rpcap_sampling));
1765
1766 /* Fill the structure needed to open an adapter remotely */
1767 sampling_pars = (struct rpcap_sampling *) &sendbuf[sendbufidx];
1768
1769 if (sock_bufferize(NULL, sizeof(struct rpcap_sampling), NULL,
1770 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, fp->errbuf, PCAP_ERRBUF_SIZE))
1771 return -1;
1772
1773 memset(sampling_pars, 0, sizeof(struct rpcap_sampling));
1774
1775 sampling_pars->method = (uint8)fp->rmt_samp.method;
1776 sampling_pars->value = (uint16)htonl(fp->rmt_samp.value);
1777
1778 if (sock_send(pr->rmt_sockctrl, sendbuf, sendbufidx, fp->errbuf,
1779 PCAP_ERRBUF_SIZE) < 0)
1780 return -1;
1781
1782 /* Receive and process the reply message header. */
1783 if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->protocol_version,
1784 RPCAP_MSG_SETSAMPLING_REQ, &header, fp->errbuf) == -1)
1785 return -1;
1786
1787 /*
1788 * It shouldn't have any contents; discard it if it does.
1789 */
1790 if (rpcap_discard(pr->rmt_sockctrl, header.plen, fp->errbuf) == -1)
1791 return -1;
1792
1793 return 0;
1794 }
1795
1796 /*********************************************************
1797 * *
1798 * Miscellaneous functions *
1799 * *
1800 *********************************************************/
1801
1802 /*
1803 * This function performs authentication and protocol version
1804 * negotiation. It is required in order to open the connection
1805 * with the other end party.
1806 *
1807 * It sends authentication parameters on the control socket and
1808 * reads the reply. If the reply is a success indication, it
1809 * checks whether the reply includes minimum and maximum supported
1810 * versions from the server; if not, it assumes both are 0, as
1811 * that means it's an older server that doesn't return supported
1812 * version numbers in authentication replies, so it only supports
1813 * version 0. It then tries to determine the maximum version
1814 * supported both by us and by the server. If it can find such a
1815 * version, it sets us up to use that version; otherwise, it fails,
1816 * indicating that there is no version supported by us and by the
1817 * server.
1818 *
1819 * \param sock: the socket we are currently using.
1820 *
1821 * \param ver: pointer to variable to which to set the protocol version
1822 * number we selected.
1823 *
1824 * \param auth: authentication parameters that have to be sent.
1825 *
1826 * \param errbuf: a pointer to a user-allocated buffer (of size
1827 * PCAP_ERRBUF_SIZE) that will contain the error message (in case there
1828 * is one). It could be a network problem or the fact that the authorization
1829 * failed.
1830 *
1831 * \return '0' if everything is fine, '-1' for an error. For errors,
1832 * an error message string is returned in the 'errbuf' variable.
1833 */
rpcap_doauth(SOCKET sockctrl,uint8 * ver,struct pcap_rmtauth * auth,char * errbuf)1834 static int rpcap_doauth(SOCKET sockctrl, uint8 *ver, struct pcap_rmtauth *auth, char *errbuf)
1835 {
1836 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data that has to be sent is buffered */
1837 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
1838 uint16 length; /* length of the payload of this message */
1839 struct rpcap_auth *rpauth;
1840 uint16 auth_type;
1841 struct rpcap_header header;
1842 size_t str_length;
1843 uint32 plen;
1844 struct rpcap_authreply authreply; /* authentication reply message */
1845 uint8 ourvers;
1846
1847 if (auth)
1848 {
1849 switch (auth->type)
1850 {
1851 case RPCAP_RMTAUTH_NULL:
1852 length = sizeof(struct rpcap_auth);
1853 break;
1854
1855 case RPCAP_RMTAUTH_PWD:
1856 length = sizeof(struct rpcap_auth);
1857 if (auth->username)
1858 {
1859 str_length = strlen(auth->username);
1860 if (str_length > 65535)
1861 {
1862 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "User name is too long (> 65535 bytes)");
1863 return -1;
1864 }
1865 length += (uint16)str_length;
1866 }
1867 if (auth->password)
1868 {
1869 str_length = strlen(auth->password);
1870 if (str_length > 65535)
1871 {
1872 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Password is too long (> 65535 bytes)");
1873 return -1;
1874 }
1875 length += (uint16)str_length;
1876 }
1877 break;
1878
1879 default:
1880 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Authentication type not recognized.");
1881 return -1;
1882 }
1883
1884 auth_type = (uint16)auth->type;
1885 }
1886 else
1887 {
1888 auth_type = RPCAP_RMTAUTH_NULL;
1889 length = sizeof(struct rpcap_auth);
1890 }
1891
1892 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
1893 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1894 return -1;
1895
1896 rpcap_createhdr((struct rpcap_header *) sendbuf, 0,
1897 RPCAP_MSG_AUTH_REQ, 0, length);
1898
1899 rpauth = (struct rpcap_auth *) &sendbuf[sendbufidx];
1900
1901 if (sock_bufferize(NULL, sizeof(struct rpcap_auth), NULL,
1902 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
1903 return -1;
1904
1905 memset(rpauth, 0, sizeof(struct rpcap_auth));
1906
1907 rpauth->type = htons(auth_type);
1908
1909 if (auth_type == RPCAP_RMTAUTH_PWD)
1910 {
1911 if (auth->username)
1912 rpauth->slen1 = (uint16)strlen(auth->username);
1913 else
1914 rpauth->slen1 = 0;
1915
1916 if (sock_bufferize(auth->username, rpauth->slen1, sendbuf,
1917 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
1918 return -1;
1919
1920 if (auth->password)
1921 rpauth->slen2 = (uint16)strlen(auth->password);
1922 else
1923 rpauth->slen2 = 0;
1924
1925 if (sock_bufferize(auth->password, rpauth->slen2, sendbuf,
1926 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
1927 return -1;
1928
1929 rpauth->slen1 = htons(rpauth->slen1);
1930 rpauth->slen2 = htons(rpauth->slen2);
1931 }
1932
1933 if (sock_send(sockctrl, sendbuf, sendbufidx, errbuf,
1934 PCAP_ERRBUF_SIZE) < 0)
1935 return -1;
1936
1937 /* Receive and process the reply message header */
1938 if (rpcap_process_msg_header(sockctrl, 0, RPCAP_MSG_AUTH_REQ,
1939 &header, errbuf) == -1)
1940 return -1;
1941
1942 /*
1943 * OK, it's an authentication reply, so we're logged in.
1944 *
1945 * Did it send any additional information?
1946 */
1947 plen = header.plen;
1948 if (plen != 0)
1949 {
1950 /* Yes - is it big enough to be version information? */
1951 if (plen < sizeof(struct rpcap_authreply))
1952 {
1953 /* No - discard it and fail. */
1954 (void)rpcap_discard(sockctrl, plen, NULL);
1955 return -1;
1956 }
1957
1958 /* Read the reply body */
1959 if (rpcap_recv(sockctrl, (char *)&authreply,
1960 sizeof(struct rpcap_authreply), &plen, errbuf) == -1)
1961 {
1962 (void)rpcap_discard(sockctrl, plen, NULL);
1963 return -1;
1964 }
1965
1966 /* Discard the rest of the message, if there is any. */
1967 if (rpcap_discard(sockctrl, plen, errbuf) == -1)
1968 return -1;
1969
1970 /*
1971 * Check the minimum and maximum versions for sanity;
1972 * the minimum must be <= the maximum.
1973 */
1974 if (authreply.minvers > authreply.maxvers)
1975 {
1976 /*
1977 * Bogus - give up on this server.
1978 */
1979 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
1980 "The server's minimum supported protocol version is greater than its maximum supported protocol version");
1981 return -1;
1982 }
1983 }
1984 else
1985 {
1986 /* No - it supports only version 0. */
1987 authreply.minvers = 0;
1988 authreply.maxvers = 0;
1989 }
1990
1991 /*
1992 * OK, let's start with the maximum version the server supports.
1993 */
1994 ourvers = authreply.maxvers;
1995
1996 #if RPCAP_MIN_VERSION != 0
1997 /*
1998 * If that's less than the minimum version we support, we
1999 * can't communicate.
2000 */
2001 if (ourvers < RPCAP_MIN_VERSION)
2002 goto novers;
2003 #endif
2004
2005 /*
2006 * If that's greater than the maximum version we support,
2007 * choose the maximum version we support.
2008 */
2009 if (ourvers > RPCAP_MAX_VERSION)
2010 {
2011 ourvers = RPCAP_MAX_VERSION;
2012
2013 /*
2014 * If that's less than the minimum version they
2015 * support, we can't communicate.
2016 */
2017 if (ourvers < authreply.minvers)
2018 goto novers;
2019 }
2020
2021 *ver = ourvers;
2022 return 0;
2023
2024 novers:
2025 /*
2026 * There is no version we both support; that is a fatal error.
2027 */
2028 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
2029 "The server doesn't support any protocol version that we support");
2030 return -1;
2031 }
2032
2033 /* We don't currently support non-blocking mode. */
2034 static int
pcap_getnonblock_rpcap(pcap_t * p)2035 pcap_getnonblock_rpcap(pcap_t *p)
2036 {
2037 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2038 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2039 return (-1);
2040 }
2041
2042 static int
pcap_setnonblock_rpcap(pcap_t * p,int nonblock _U_)2043 pcap_setnonblock_rpcap(pcap_t *p, int nonblock _U_)
2044 {
2045 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
2046 "Non-blocking mode isn't supported for capturing remotely with rpcap");
2047 return (-1);
2048 }
2049
2050 static int
rpcap_setup_session(const char * source,struct pcap_rmtauth * auth,int * activep,SOCKET * sockctrlp,uint8 * protocol_versionp,char * host,char * port,char * iface,char * errbuf)2051 rpcap_setup_session(const char *source, struct pcap_rmtauth *auth,
2052 int *activep, SOCKET *sockctrlp, uint8 *protocol_versionp,
2053 char *host, char *port, char *iface, char *errbuf)
2054 {
2055 int type;
2056 struct activehosts *activeconn; /* active connection, if there is one */
2057 int error; /* 1 if rpcap_remoteact_getsock got an error */
2058
2059 /*
2060 * Determine the type of the source (NULL, file, local, remote).
2061 * You must have a valid source string even if we're in active mode,
2062 * because otherwise the call to the following function will fail.
2063 */
2064 if (pcap_parsesrcstr(source, &type, host, port, iface, errbuf) == -1)
2065 return -1;
2066
2067 /*
2068 * It must be remote.
2069 */
2070 if (type != PCAP_SRC_IFREMOTE)
2071 {
2072 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
2073 "Non-remote interface passed to remote capture routine");
2074 return -1;
2075 }
2076
2077 /* Warning: this call can be the first one called by the user. */
2078 /* For this reason, we have to initialize the WinSock support. */
2079 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2080 return -1;
2081
2082 /* Check for active mode */
2083 activeconn = rpcap_remoteact_getsock(host, &error, errbuf);
2084 if (activeconn != NULL)
2085 {
2086 *activep = 1;
2087 *sockctrlp = activeconn->sockctrl;
2088 *protocol_versionp = activeconn->protocol_version;
2089 }
2090 else
2091 {
2092 *activep = 0;
2093 struct addrinfo hints; /* temp variable needed to resolve hostnames into to socket representation */
2094 struct addrinfo *addrinfo; /* temp variable needed to resolve hostnames into to socket representation */
2095
2096 if (error)
2097 {
2098 /*
2099 * Call failed.
2100 */
2101 return -1;
2102 }
2103
2104 /*
2105 * We're not in active mode; let's try to open a new
2106 * control connection.
2107 */
2108 memset(&hints, 0, sizeof(struct addrinfo));
2109 hints.ai_family = PF_UNSPEC;
2110 hints.ai_socktype = SOCK_STREAM;
2111
2112 if (port[0] == 0)
2113 {
2114 /* the user chose not to specify the port */
2115 if (sock_initaddress(host, RPCAP_DEFAULT_NETPORT,
2116 &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2117 return -1;
2118 }
2119 else
2120 {
2121 if (sock_initaddress(host, port, &hints, &addrinfo,
2122 errbuf, PCAP_ERRBUF_SIZE) == -1)
2123 return -1;
2124 }
2125
2126 if ((*sockctrlp = sock_open(addrinfo, SOCKOPEN_CLIENT, 0,
2127 errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2128 {
2129 freeaddrinfo(addrinfo);
2130 return -1;
2131 }
2132
2133 /* addrinfo is no longer used */
2134 freeaddrinfo(addrinfo);
2135 addrinfo = NULL;
2136
2137 if (rpcap_doauth(*sockctrlp, protocol_versionp, auth,
2138 errbuf) == -1)
2139 {
2140 sock_close(*sockctrlp, NULL, 0);
2141 return -1;
2142 }
2143 }
2144 return 0;
2145 }
2146
2147 /*
2148 * This function opens a remote adapter by opening an RPCAP connection and
2149 * so on.
2150 *
2151 * It does the job of pcap_open_live() for a remote interface; it's called
2152 * by pcap_open() for remote interfaces.
2153 *
2154 * We do not start the capture until pcap_startcapture_remote() is called.
2155 *
2156 * This is because, when doing a remote capture, we cannot start capturing
2157 * data as soon as the 'open adapter' command is sent. Suppose the remote
2158 * adapter is already overloaded; if we start a capture (which, by default,
2159 * has a NULL filter) the new traffic can saturate the network.
2160 *
2161 * Instead, we want to "open" the adapter, then send a "start capture"
2162 * command only when we're ready to start the capture.
2163 * This function does this job: it sends an "open adapter" command
2164 * (according to the RPCAP protocol), but it does not start the capture.
2165 *
2166 * Since the other libpcap functions do not share this way of life, we
2167 * have to do some dirty things in order to make everything work.
2168 *
2169 * \param source: see pcap_open().
2170 * \param snaplen: see pcap_open().
2171 * \param flags: see pcap_open().
2172 * \param read_timeout: see pcap_open().
2173 * \param auth: see pcap_open().
2174 * \param errbuf: see pcap_open().
2175 *
2176 * \return a pcap_t pointer in case of success, NULL otherwise. In case of
2177 * success, the pcap_t pointer can be used as a parameter to the following
2178 * calls (pcap_compile() and so on). In case of problems, errbuf contains
2179 * a text explanation of error.
2180 *
2181 * WARNING: In case we call pcap_compile() and the capture has not yet
2182 * been started, the filter will be saved into the pcap_t structure,
2183 * and it will be sent to the other host later (when
2184 * pcap_startcapture_remote() is called).
2185 */
pcap_open_rpcap(const char * source,int snaplen,int flags,int read_timeout,struct pcap_rmtauth * auth,char * errbuf)2186 pcap_t *pcap_open_rpcap(const char *source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf)
2187 {
2188 pcap_t *fp;
2189 char *source_str;
2190 struct pcap_rpcap *pr; /* structure used when doing a remote live capture */
2191 char host[PCAP_BUF_SIZE], ctrlport[PCAP_BUF_SIZE], iface[PCAP_BUF_SIZE];
2192 SOCKET sockctrl;
2193 uint8 protocol_version; /* negotiated protocol version */
2194 int active;
2195 uint32 plen;
2196 char sendbuf[RPCAP_NETBUF_SIZE]; /* temporary buffer in which data to be sent is buffered */
2197 int sendbufidx = 0; /* index which keeps the number of bytes currently buffered */
2198
2199 /* RPCAP-related variables */
2200 struct rpcap_header header; /* header of the RPCAP packet */
2201 struct rpcap_openreply openreply; /* open reply message */
2202
2203 fp = pcap_create_common(errbuf, sizeof (struct pcap_rpcap));
2204 if (fp == NULL)
2205 {
2206 return NULL;
2207 }
2208 source_str = strdup(source);
2209 if (source_str == NULL) {
2210 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2211 errno, "malloc");
2212 return NULL;
2213 }
2214
2215 /*
2216 * Turn a negative snapshot value (invalid), a snapshot value of
2217 * 0 (unspecified), or a value bigger than the normal maximum
2218 * value, into the maximum allowed value.
2219 *
2220 * If some application really *needs* a bigger snapshot
2221 * length, we should just increase MAXIMUM_SNAPLEN.
2222 *
2223 * XXX - should we leave this up to the remote server to
2224 * do?
2225 */
2226 if (snaplen <= 0 || snaplen > MAXIMUM_SNAPLEN)
2227 snaplen = MAXIMUM_SNAPLEN;
2228
2229 fp->opt.device = source_str;
2230 fp->snapshot = snaplen;
2231 fp->opt.timeout = read_timeout;
2232 pr = fp->priv;
2233 pr->rmt_flags = flags;
2234
2235 /*
2236 * Attempt to set up the session with the server.
2237 */
2238 if (rpcap_setup_session(fp->opt.device, auth, &active, &sockctrl,
2239 &protocol_version, host, ctrlport, iface, errbuf) == -1)
2240 {
2241 /* Session setup failed. */
2242 pcap_close(fp);
2243 return NULL;
2244 }
2245
2246 /*
2247 * Now it's time to start playing with the RPCAP protocol
2248 * RPCAP open command: create the request message
2249 */
2250 if (sock_bufferize(NULL, sizeof(struct rpcap_header), NULL,
2251 &sendbufidx, RPCAP_NETBUF_SIZE, SOCKBUF_CHECKONLY, errbuf, PCAP_ERRBUF_SIZE))
2252 goto error_nodiscard;
2253
2254 rpcap_createhdr((struct rpcap_header *) sendbuf, protocol_version,
2255 RPCAP_MSG_OPEN_REQ, 0, (uint32) strlen(iface));
2256
2257 if (sock_bufferize(iface, (int) strlen(iface), sendbuf, &sendbufidx,
2258 RPCAP_NETBUF_SIZE, SOCKBUF_BUFFERIZE, errbuf, PCAP_ERRBUF_SIZE))
2259 goto error_nodiscard;
2260
2261 if (sock_send(sockctrl, sendbuf, sendbufidx, errbuf,
2262 PCAP_ERRBUF_SIZE) < 0)
2263 goto error_nodiscard;
2264
2265 /* Receive and process the reply message header. */
2266 if (rpcap_process_msg_header(sockctrl, protocol_version,
2267 RPCAP_MSG_OPEN_REQ, &header, errbuf) == -1)
2268 goto error_nodiscard;
2269 plen = header.plen;
2270
2271 /* Read the reply body */
2272 if (rpcap_recv(sockctrl, (char *)&openreply,
2273 sizeof(struct rpcap_openreply), &plen, errbuf) == -1)
2274 goto error;
2275
2276 /* Discard the rest of the message, if there is any. */
2277 if (rpcap_discard(sockctrl, plen, errbuf) == -1)
2278 goto error_nodiscard;
2279
2280 /* Set proper fields into the pcap_t struct */
2281 fp->linktype = ntohl(openreply.linktype);
2282 fp->tzoff = ntohl(openreply.tzoff);
2283 pr->rmt_sockctrl = sockctrl;
2284 pr->protocol_version = protocol_version;
2285 pr->rmt_clientside = 1;
2286
2287 /* This code is duplicated from the end of this function */
2288 fp->read_op = pcap_read_rpcap;
2289 fp->save_current_filter_op = pcap_save_current_filter_rpcap;
2290 fp->setfilter_op = pcap_setfilter_rpcap;
2291 fp->getnonblock_op = pcap_getnonblock_rpcap;
2292 fp->setnonblock_op = pcap_setnonblock_rpcap;
2293 fp->stats_op = pcap_stats_rpcap;
2294 #ifdef _WIN32
2295 fp->stats_ex_op = pcap_stats_ex_rpcap;
2296 #endif
2297 fp->cleanup_op = pcap_cleanup_rpcap;
2298
2299 fp->activated = 1;
2300 return fp;
2301
2302 error:
2303 /*
2304 * When the connection has been established, we have to close it. So, at the
2305 * beginning of this function, if an error occur we return immediately with
2306 * a return NULL; when the connection is established, we have to come here
2307 * ('goto error;') in order to close everything properly.
2308 */
2309
2310 /*
2311 * Discard the rest of the message.
2312 * We already reported an error; if this gets an error, just
2313 * drive on.
2314 */
2315 (void)rpcap_discard(sockctrl, plen, NULL);
2316
2317 error_nodiscard:
2318 if (!active)
2319 sock_close(sockctrl, NULL, 0);
2320
2321 pcap_close(fp);
2322 return NULL;
2323 }
2324
2325 /* String identifier to be used in the pcap_findalldevs_ex() */
2326 #define PCAP_TEXT_SOURCE_ADAPTER "Network adapter"
2327 #define PCAP_TEXT_SOURCE_ADAPTER_LEN (sizeof PCAP_TEXT_SOURCE_ADAPTER - 1)
2328 /* String identifier to be used in the pcap_findalldevs_ex() */
2329 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST "on remote node"
2330 #define PCAP_TEXT_SOURCE_ON_REMOTE_HOST_LEN (sizeof PCAP_TEXT_SOURCE_ON_REMOTE_HOST - 1)
2331
2332 static void
freeaddr(struct pcap_addr * addr)2333 freeaddr(struct pcap_addr *addr)
2334 {
2335 free(addr->addr);
2336 free(addr->netmask);
2337 free(addr->broadaddr);
2338 free(addr->dstaddr);
2339 free(addr);
2340 }
2341
2342 int
pcap_findalldevs_ex_remote(const char * source,struct pcap_rmtauth * auth,pcap_if_t ** alldevs,char * errbuf)2343 pcap_findalldevs_ex_remote(const char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf)
2344 {
2345 uint8 protocol_version; /* protocol version */
2346 SOCKET sockctrl; /* socket descriptor of the control connection */
2347 uint32 plen;
2348 struct rpcap_header header; /* structure that keeps the general header of the rpcap protocol */
2349 int i, j; /* temp variables */
2350 int nif; /* Number of interfaces listed */
2351 int active; /* 'true' if we the other end-party is in active mode */
2352 char host[PCAP_BUF_SIZE], port[PCAP_BUF_SIZE];
2353 char tmpstring[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2354 pcap_if_t *lastdev; /* Last device in the pcap_if_t list */
2355 pcap_if_t *dev; /* Device we're adding to the pcap_if_t list */
2356
2357 /* List starts out empty. */
2358 (*alldevs) = NULL;
2359 lastdev = NULL;
2360
2361 /*
2362 * Attempt to set up the session with the server.
2363 */
2364 if (rpcap_setup_session(source, auth, &active, &sockctrl,
2365 &protocol_version, host, port, NULL, errbuf) == -1)
2366 {
2367 /* Session setup failed. */
2368 return -1;
2369 }
2370
2371 /* RPCAP findalldevs command */
2372 rpcap_createhdr(&header, protocol_version, RPCAP_MSG_FINDALLIF_REQ,
2373 0, 0);
2374
2375 if (sock_send(sockctrl, (char *)&header, sizeof(struct rpcap_header),
2376 errbuf, PCAP_ERRBUF_SIZE) < 0)
2377 goto error_nodiscard;
2378
2379 /* Receive and process the reply message header. */
2380 if (rpcap_process_msg_header(sockctrl, protocol_version,
2381 RPCAP_MSG_FINDALLIF_REQ, &header, errbuf) == -1)
2382 goto error_nodiscard;
2383
2384 plen = header.plen;
2385
2386 /* read the number of interfaces */
2387 nif = ntohs(header.value);
2388
2389 /* loop until all interfaces have been received */
2390 for (i = 0; i < nif; i++)
2391 {
2392 struct rpcap_findalldevs_if findalldevs_if;
2393 char tmpstring2[PCAP_BUF_SIZE + 1]; /* Needed to convert names and descriptions from 'old' syntax to the 'new' one */
2394 struct pcap_addr *addr, *prevaddr;
2395
2396 tmpstring2[PCAP_BUF_SIZE] = 0;
2397
2398 /* receive the findalldevs structure from remote host */
2399 if (rpcap_recv(sockctrl, (char *)&findalldevs_if,
2400 sizeof(struct rpcap_findalldevs_if), &plen, errbuf) == -1)
2401 goto error;
2402
2403 findalldevs_if.namelen = ntohs(findalldevs_if.namelen);
2404 findalldevs_if.desclen = ntohs(findalldevs_if.desclen);
2405 findalldevs_if.naddr = ntohs(findalldevs_if.naddr);
2406
2407 /* allocate the main structure */
2408 dev = (pcap_if_t *)malloc(sizeof(pcap_if_t));
2409 if (dev == NULL)
2410 {
2411 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2412 errno, "malloc() failed");
2413 goto error;
2414 }
2415
2416 /* Initialize the structure to 'zero' */
2417 memset(dev, 0, sizeof(pcap_if_t));
2418
2419 /* Append it to the list. */
2420 if (lastdev == NULL)
2421 {
2422 /*
2423 * List is empty, so it's also the first device.
2424 */
2425 *alldevs = dev;
2426 }
2427 else
2428 {
2429 /*
2430 * Append after the last device.
2431 */
2432 lastdev->next = dev;
2433 }
2434 /* It's now the last device. */
2435 lastdev = dev;
2436
2437 /* allocate mem for name and description */
2438 if (findalldevs_if.namelen)
2439 {
2440
2441 if (findalldevs_if.namelen >= sizeof(tmpstring))
2442 {
2443 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface name too long");
2444 goto error;
2445 }
2446
2447 /* Retrieve adapter name */
2448 if (rpcap_recv(sockctrl, tmpstring,
2449 findalldevs_if.namelen, &plen, errbuf) == -1)
2450 goto error;
2451
2452 tmpstring[findalldevs_if.namelen] = 0;
2453
2454 /* Create the new device identifier */
2455 if (pcap_createsrcstr(tmpstring2, PCAP_SRC_IFREMOTE,
2456 host, port, tmpstring, errbuf) == -1)
2457 goto error;
2458
2459 dev->name = strdup(tmpstring2);
2460 if (dev->name == NULL)
2461 {
2462 pcap_fmt_errmsg_for_errno(errbuf,
2463 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2464 goto error;
2465 }
2466 }
2467
2468 if (findalldevs_if.desclen)
2469 {
2470 if (findalldevs_if.desclen >= sizeof(tmpstring))
2471 {
2472 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Interface description too long");
2473 goto error;
2474 }
2475
2476 /* Retrieve adapter description */
2477 if (rpcap_recv(sockctrl, tmpstring,
2478 findalldevs_if.desclen, &plen, errbuf) == -1)
2479 goto error;
2480
2481 tmpstring[findalldevs_if.desclen] = 0;
2482
2483 if (pcap_asprintf(&dev->description,
2484 "%s '%s' %s %s", PCAP_TEXT_SOURCE_ADAPTER,
2485 tmpstring, PCAP_TEXT_SOURCE_ON_REMOTE_HOST, host) == -1)
2486 {
2487 pcap_fmt_errmsg_for_errno(errbuf,
2488 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2489 goto error;
2490 }
2491 }
2492
2493 dev->flags = ntohl(findalldevs_if.flags);
2494
2495 prevaddr = NULL;
2496 /* loop until all addresses have been received */
2497 for (j = 0; j < findalldevs_if.naddr; j++)
2498 {
2499 struct rpcap_findalldevs_ifaddr ifaddr;
2500
2501 /* Retrieve the interface addresses */
2502 if (rpcap_recv(sockctrl, (char *)&ifaddr,
2503 sizeof(struct rpcap_findalldevs_ifaddr),
2504 &plen, errbuf) == -1)
2505 goto error;
2506
2507 /*
2508 * Deserialize all the address components.
2509 */
2510 addr = (struct pcap_addr *) malloc(sizeof(struct pcap_addr));
2511 if (addr == NULL)
2512 {
2513 pcap_fmt_errmsg_for_errno(errbuf,
2514 PCAP_ERRBUF_SIZE, errno, "malloc() failed");
2515 goto error;
2516 }
2517 addr->next = NULL;
2518 addr->addr = NULL;
2519 addr->netmask = NULL;
2520 addr->broadaddr = NULL;
2521 addr->dstaddr = NULL;
2522
2523 if (rpcap_deseraddr(&ifaddr.addr,
2524 (struct sockaddr_storage **) &addr->addr, errbuf) == -1)
2525 {
2526 freeaddr(addr);
2527 goto error;
2528 }
2529 if (rpcap_deseraddr(&ifaddr.netmask,
2530 (struct sockaddr_storage **) &addr->netmask, errbuf) == -1)
2531 {
2532 freeaddr(addr);
2533 goto error;
2534 }
2535 if (rpcap_deseraddr(&ifaddr.broadaddr,
2536 (struct sockaddr_storage **) &addr->broadaddr, errbuf) == -1)
2537 {
2538 freeaddr(addr);
2539 goto error;
2540 }
2541 if (rpcap_deseraddr(&ifaddr.dstaddr,
2542 (struct sockaddr_storage **) &addr->dstaddr, errbuf) == -1)
2543 {
2544 freeaddr(addr);
2545 goto error;
2546 }
2547
2548 if ((addr->addr == NULL) && (addr->netmask == NULL) &&
2549 (addr->broadaddr == NULL) && (addr->dstaddr == NULL))
2550 {
2551 /*
2552 * None of the addresses are IPv4 or IPv6
2553 * addresses, so throw this entry away.
2554 */
2555 free(addr);
2556 }
2557 else
2558 {
2559 /*
2560 * Add this entry to the list.
2561 */
2562 if (prevaddr == NULL)
2563 {
2564 dev->addresses = addr;
2565 }
2566 else
2567 {
2568 prevaddr->next = addr;
2569 }
2570 prevaddr = addr;
2571 }
2572 }
2573 }
2574
2575 /* Discard the rest of the message. */
2576 if (rpcap_discard(sockctrl, plen, errbuf) == 1)
2577 goto error_nodiscard;
2578
2579 /* Control connection has to be closed only in case the remote machine is in passive mode */
2580 if (!active)
2581 {
2582 /* DO not send RPCAP_CLOSE, since we did not open a pcap_t; no need to free resources */
2583 if (sock_close(sockctrl, errbuf, PCAP_ERRBUF_SIZE))
2584 return -1;
2585 }
2586
2587 /* To avoid inconsistencies in the number of sock_init() */
2588 sock_cleanup();
2589
2590 return 0;
2591
2592 error:
2593 /*
2594 * In case there has been an error, I don't want to overwrite it with a new one
2595 * if the following call fails. I want to return always the original error.
2596 *
2597 * Take care: this connection can already be closed when we try to close it.
2598 * This happens because a previous error in the rpcapd, which requested to
2599 * closed the connection. In that case, we already recognized that into the
2600 * rpspck_isheaderok() and we already acknowledged the closing.
2601 * In that sense, this call is useless here (however it is needed in case
2602 * the client generates the error).
2603 *
2604 * Checks if all the data has been read; if not, discard the data in excess
2605 */
2606 (void) rpcap_discard(sockctrl, plen, NULL);
2607
2608 error_nodiscard:
2609 /* Control connection has to be closed only in case the remote machine is in passive mode */
2610 if (!active)
2611 sock_close(sockctrl, NULL, 0);
2612
2613 /* To avoid inconsistencies in the number of sock_init() */
2614 sock_cleanup();
2615
2616 /* Free whatever interfaces we've allocated. */
2617 pcap_freealldevs(*alldevs);
2618
2619 return -1;
2620 }
2621
2622 /*
2623 * Active mode routines.
2624 *
2625 * The old libpcap API is somewhat ugly, and makes active mode difficult
2626 * to implement; we provide some APIs for it that work only with rpcap.
2627 */
2628
pcap_remoteact_accept(const char * address,const char * port,const char * hostlist,char * connectinghost,struct pcap_rmtauth * auth,char * errbuf)2629 SOCKET pcap_remoteact_accept(const char *address, const char *port, const char *hostlist, char *connectinghost, struct pcap_rmtauth *auth, char *errbuf)
2630 {
2631 /* socket-related variables */
2632 struct addrinfo hints; /* temporary struct to keep settings needed to open the new socket */
2633 struct addrinfo *addrinfo; /* keeps the addrinfo chain; required to open a new socket */
2634 struct sockaddr_storage from; /* generic sockaddr_storage variable */
2635 socklen_t fromlen; /* keeps the length of the sockaddr_storage variable */
2636 SOCKET sockctrl; /* keeps the main socket identifier */
2637 uint8 protocol_version; /* negotiated protocol version */
2638 struct activehosts *temp, *prev; /* temp var needed to scan he host list chain */
2639
2640 *connectinghost = 0; /* just in case */
2641
2642 /* Prepare to open a new server socket */
2643 memset(&hints, 0, sizeof(struct addrinfo));
2644 /* WARNING Currently it supports only ONE socket family among ipv4 and IPv6 */
2645 hints.ai_family = AF_INET; /* PF_UNSPEC to have both IPv4 and IPv6 server */
2646 hints.ai_flags = AI_PASSIVE; /* Ready to a bind() socket */
2647 hints.ai_socktype = SOCK_STREAM;
2648
2649 /* Warning: this call can be the first one called by the user. */
2650 /* For this reason, we have to initialize the WinSock support. */
2651 if (sock_init(errbuf, PCAP_ERRBUF_SIZE) == -1)
2652 return (SOCKET)-1;
2653
2654 /* Do the work */
2655 if ((port == NULL) || (port[0] == 0))
2656 {
2657 if (sock_initaddress(address, RPCAP_DEFAULT_NETPORT_ACTIVE, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2658 {
2659 return (SOCKET)-2;
2660 }
2661 }
2662 else
2663 {
2664 if (sock_initaddress(address, port, &hints, &addrinfo, errbuf, PCAP_ERRBUF_SIZE) == -1)
2665 {
2666 return (SOCKET)-2;
2667 }
2668 }
2669
2670
2671 if ((sockmain = sock_open(addrinfo, SOCKOPEN_SERVER, 1, errbuf, PCAP_ERRBUF_SIZE)) == INVALID_SOCKET)
2672 {
2673 freeaddrinfo(addrinfo);
2674 return (SOCKET)-2;
2675 }
2676 freeaddrinfo(addrinfo);
2677
2678 /* Connection creation */
2679 fromlen = sizeof(struct sockaddr_storage);
2680
2681 sockctrl = accept(sockmain, (struct sockaddr *) &from, &fromlen);
2682
2683 /* We're not using sock_close, since we do not want to send a shutdown */
2684 /* (which is not allowed on a non-connected socket) */
2685 closesocket(sockmain);
2686 sockmain = 0;
2687
2688 if (sockctrl == INVALID_SOCKET)
2689 {
2690 sock_geterror("accept()", errbuf, PCAP_ERRBUF_SIZE);
2691 return (SOCKET)-2;
2692 }
2693
2694 /* Get the numeric for of the name of the connecting host */
2695 if (getnameinfo((struct sockaddr *) &from, fromlen, connectinghost, RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST))
2696 {
2697 sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE);
2698 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2699 sock_close(sockctrl, NULL, 0);
2700 return (SOCKET)-1;
2701 }
2702
2703 /* checks if the connecting host is among the ones allowed */
2704 if (sock_check_hostlist((char *)hostlist, RPCAP_HOSTLIST_SEP, &from, errbuf, PCAP_ERRBUF_SIZE) < 0)
2705 {
2706 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2707 sock_close(sockctrl, NULL, 0);
2708 return (SOCKET)-1;
2709 }
2710
2711 /*
2712 * Send authentication to the remote machine.
2713 */
2714 if (rpcap_doauth(sockctrl, &protocol_version, auth, errbuf) == -1)
2715 {
2716 /* Unrecoverable error. */
2717 rpcap_senderror(sockctrl, 0, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2718 sock_close(sockctrl, NULL, 0);
2719 return (SOCKET)-3;
2720 }
2721
2722 /* Checks that this host does not already have a cntrl connection in place */
2723
2724 /* Initialize pointers */
2725 temp = activeHosts;
2726 prev = NULL;
2727
2728 while (temp)
2729 {
2730 /* This host already has an active connection in place, so I don't have to update the host list */
2731 if (sock_cmpaddr(&temp->host, &from) == 0)
2732 return sockctrl;
2733
2734 prev = temp;
2735 temp = temp->next;
2736 }
2737
2738 /* The host does not exist in the list; so I have to update the list */
2739 if (prev)
2740 {
2741 prev->next = (struct activehosts *) malloc(sizeof(struct activehosts));
2742 temp = prev->next;
2743 }
2744 else
2745 {
2746 activeHosts = (struct activehosts *) malloc(sizeof(struct activehosts));
2747 temp = activeHosts;
2748 }
2749
2750 if (temp == NULL)
2751 {
2752 pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
2753 errno, "malloc() failed");
2754 rpcap_senderror(sockctrl, protocol_version, PCAP_ERR_REMOTEACCEPT, errbuf, NULL);
2755 sock_close(sockctrl, NULL, 0);
2756 return (SOCKET)-1;
2757 }
2758
2759 memcpy(&temp->host, &from, fromlen);
2760 temp->sockctrl = sockctrl;
2761 temp->protocol_version = protocol_version;
2762 temp->next = NULL;
2763
2764 return sockctrl;
2765 }
2766
pcap_remoteact_close(const char * host,char * errbuf)2767 int pcap_remoteact_close(const char *host, char *errbuf)
2768 {
2769 struct activehosts *temp, *prev; /* temp var needed to scan the host list chain */
2770 struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
2771 int retval;
2772
2773 temp = activeHosts;
2774 prev = NULL;
2775
2776 /* retrieve the network address corresponding to 'host' */
2777 addrinfo = NULL;
2778 memset(&hints, 0, sizeof(struct addrinfo));
2779 hints.ai_family = PF_UNSPEC;
2780 hints.ai_socktype = SOCK_STREAM;
2781
2782 retval = getaddrinfo(host, "0", &hints, &addrinfo);
2783 if (retval != 0)
2784 {
2785 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "getaddrinfo() %s", gai_strerror(retval));
2786 return -1;
2787 }
2788
2789 while (temp)
2790 {
2791 ai_next = addrinfo;
2792 while (ai_next)
2793 {
2794 if (sock_cmpaddr(&temp->host, (struct sockaddr_storage *) ai_next->ai_addr) == 0)
2795 {
2796 struct rpcap_header header;
2797 int status = 0;
2798
2799 /* Close this connection */
2800 rpcap_createhdr(&header, temp->protocol_version,
2801 RPCAP_MSG_CLOSE, 0, 0);
2802
2803 /*
2804 * Don't check for errors, since we're
2805 * just cleaning up.
2806 */
2807 if (sock_send(temp->sockctrl,
2808 (char *)&header,
2809 sizeof(struct rpcap_header), errbuf,
2810 PCAP_ERRBUF_SIZE) < 0)
2811 {
2812 /*
2813 * Let that error be the one we
2814 * report.
2815 */
2816 (void)sock_close(temp->sockctrl, NULL,
2817 0);
2818 status = -1;
2819 }
2820 else
2821 {
2822 if (sock_close(temp->sockctrl, errbuf,
2823 PCAP_ERRBUF_SIZE) == -1)
2824 status = -1;
2825 }
2826
2827 /*
2828 * Remove the host from the list of active
2829 * hosts.
2830 */
2831 if (prev)
2832 prev->next = temp->next;
2833 else
2834 activeHosts = temp->next;
2835
2836 freeaddrinfo(addrinfo);
2837
2838 free(temp);
2839
2840 /* To avoid inconsistencies in the number of sock_init() */
2841 sock_cleanup();
2842
2843 return status;
2844 }
2845
2846 ai_next = ai_next->ai_next;
2847 }
2848 prev = temp;
2849 temp = temp->next;
2850 }
2851
2852 if (addrinfo)
2853 freeaddrinfo(addrinfo);
2854
2855 /* To avoid inconsistencies in the number of sock_init() */
2856 sock_cleanup();
2857
2858 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The host you want to close the active connection is not known");
2859 return -1;
2860 }
2861
pcap_remoteact_cleanup(void)2862 void pcap_remoteact_cleanup(void)
2863 {
2864 /* Very dirty, but it works */
2865 if (sockmain)
2866 {
2867 closesocket(sockmain);
2868
2869 /* To avoid inconsistencies in the number of sock_init() */
2870 sock_cleanup();
2871 }
2872
2873 }
2874
pcap_remoteact_list(char * hostlist,char sep,int size,char * errbuf)2875 int pcap_remoteact_list(char *hostlist, char sep, int size, char *errbuf)
2876 {
2877 struct activehosts *temp; /* temp var needed to scan the host list chain */
2878 size_t len;
2879 char hoststr[RPCAP_HOSTLIST_SIZE + 1];
2880
2881 temp = activeHosts;
2882
2883 len = 0;
2884 *hostlist = 0;
2885
2886 while (temp)
2887 {
2888 /*int sock_getascii_addrport(const struct sockaddr_storage *sockaddr, char *address, int addrlen, char *port, int portlen, int flags, char *errbuf, int errbuflen) */
2889
2890 /* Get the numeric form of the name of the connecting host */
2891 if (sock_getascii_addrport((struct sockaddr_storage *) &temp->host, hoststr,
2892 RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST, errbuf, PCAP_ERRBUF_SIZE) != -1)
2893 /* if (getnameinfo( (struct sockaddr *) &temp->host, sizeof (struct sockaddr_storage), hoststr, */
2894 /* RPCAP_HOSTLIST_SIZE, NULL, 0, NI_NUMERICHOST) ) */
2895 {
2896 /* sock_geterror("getnameinfo()", errbuf, PCAP_ERRBUF_SIZE); */
2897 return -1;
2898 }
2899
2900 len = len + strlen(hoststr) + 1 /* the separator */;
2901
2902 if ((size < 0) || (len >= (size_t)size))
2903 {
2904 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "The string you provided is not able to keep "
2905 "the hostnames for all the active connections");
2906 return -1;
2907 }
2908
2909 pcap_strlcat(hostlist, hoststr, PCAP_ERRBUF_SIZE);
2910 hostlist[len - 1] = sep;
2911 hostlist[len] = 0;
2912
2913 temp = temp->next;
2914 }
2915
2916 return 0;
2917 }
2918
2919 /*
2920 * Receive the header of a message.
2921 */
rpcap_recv_msg_header(SOCKET sock,struct rpcap_header * header,char * errbuf)2922 static int rpcap_recv_msg_header(SOCKET sock, struct rpcap_header *header, char *errbuf)
2923 {
2924 int nrecv;
2925
2926 nrecv = sock_recv(sock, (char *) header, sizeof(struct rpcap_header),
2927 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
2928 PCAP_ERRBUF_SIZE);
2929 if (nrecv == -1)
2930 {
2931 /* Network error. */
2932 return -1;
2933 }
2934 header->plen = ntohl(header->plen);
2935 return 0;
2936 }
2937
2938 /*
2939 * Make sure the protocol version of a received message is what we were
2940 * expecting.
2941 */
rpcap_check_msg_ver(SOCKET sock,uint8 expected_ver,struct rpcap_header * header,char * errbuf)2942 static int rpcap_check_msg_ver(SOCKET sock, uint8 expected_ver, struct rpcap_header *header, char *errbuf)
2943 {
2944 /*
2945 * Did the server specify the version we negotiated?
2946 */
2947 if (header->ver != expected_ver)
2948 {
2949 /*
2950 * Discard the rest of the message.
2951 */
2952 if (rpcap_discard(sock, header->plen, errbuf) == -1)
2953 return -1;
2954
2955 /*
2956 * Tell our caller that it's not the negotiated version.
2957 */
2958 if (errbuf != NULL)
2959 {
2960 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
2961 "Server sent us a message with version %u when we were expecting %u",
2962 header->ver, expected_ver);
2963 }
2964 return -1;
2965 }
2966 return 0;
2967 }
2968
2969 /*
2970 * Check the message type of a received message, which should either be
2971 * the expected message type or RPCAP_MSG_ERROR.
2972 */
rpcap_check_msg_type(SOCKET sock,uint8 request_type,struct rpcap_header * header,uint16 * errcode,char * errbuf)2973 static int rpcap_check_msg_type(SOCKET sock, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf)
2974 {
2975 const char *request_type_string;
2976 const char *msg_type_string;
2977
2978 /*
2979 * What type of message is it?
2980 */
2981 if (header->type == RPCAP_MSG_ERROR)
2982 {
2983 /*
2984 * The server reported an error.
2985 * Hand that error back to our caller.
2986 */
2987 *errcode = ntohs(header->value);
2988 rpcap_msg_err(sock, header->plen, errbuf);
2989 return -1;
2990 }
2991
2992 *errcode = 0;
2993
2994 /*
2995 * For a given request type value, the expected reply type value
2996 * is the request type value with ORed with RPCAP_MSG_IS_REPLY.
2997 */
2998 if (header->type != (request_type | RPCAP_MSG_IS_REPLY))
2999 {
3000 /*
3001 * This isn't a reply to the request we sent.
3002 */
3003
3004 /*
3005 * Discard the rest of the message.
3006 */
3007 if (rpcap_discard(sock, header->plen, errbuf) == -1)
3008 return -1;
3009
3010 /*
3011 * Tell our caller about it.
3012 */
3013 request_type_string = rpcap_msg_type_string(request_type);
3014 msg_type_string = rpcap_msg_type_string(header->type);
3015 if (errbuf != NULL)
3016 {
3017 if (request_type_string == NULL)
3018 {
3019 /* This should not happen. */
3020 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3021 "rpcap_check_msg_type called for request message with type %u",
3022 request_type);
3023 return -1;
3024 }
3025 if (msg_type_string != NULL)
3026 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3027 "%s message received in response to a %s message",
3028 msg_type_string, request_type_string);
3029 else
3030 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE,
3031 "Message of unknown type %u message received in response to a %s request",
3032 header->type, request_type_string);
3033 }
3034 return -1;
3035 }
3036
3037 return 0;
3038 }
3039
3040 /*
3041 * Receive and process the header of a message.
3042 */
rpcap_process_msg_header(SOCKET sock,uint8 expected_ver,uint8 request_type,struct rpcap_header * header,char * errbuf)3043 static int rpcap_process_msg_header(SOCKET sock, uint8 expected_ver, uint8 request_type, struct rpcap_header *header, char *errbuf)
3044 {
3045 uint16 errcode;
3046
3047 if (rpcap_recv_msg_header(sock, header, errbuf) == -1)
3048 {
3049 /* Network error. */
3050 return -1;
3051 }
3052
3053 /*
3054 * Did the server specify the version we negotiated?
3055 */
3056 if (rpcap_check_msg_ver(sock, expected_ver, header, errbuf) == -1)
3057 return -1;
3058
3059 /*
3060 * Check the message type.
3061 */
3062 return rpcap_check_msg_type(sock, request_type, header,
3063 &errcode, errbuf);
3064 }
3065
3066 /*
3067 * Read data from a message.
3068 * If we're trying to read more data that remains, puts an error
3069 * message into errmsgbuf and returns -2. Otherwise, tries to read
3070 * the data and, if that succeeds, subtracts the amount read from
3071 * the number of bytes of data that remains.
3072 * Returns 0 on success, logs a message and returns -1 on a network
3073 * error.
3074 */
rpcap_recv(SOCKET sock,void * buffer,size_t toread,uint32 * plen,char * errbuf)3075 static int rpcap_recv(SOCKET sock, void *buffer, size_t toread, uint32 *plen, char *errbuf)
3076 {
3077 int nread;
3078
3079 if (toread > *plen)
3080 {
3081 /* The server sent us a bad message */
3082 pcap_snprintf(errbuf, PCAP_ERRBUF_SIZE, "Message payload is too short");
3083 return -1;
3084 }
3085 nread = sock_recv(sock, buffer, toread,
3086 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf, PCAP_ERRBUF_SIZE);
3087 if (nread == -1)
3088 {
3089 return -1;
3090 }
3091 *plen -= nread;
3092 return 0;
3093 }
3094
3095 /*
3096 * This handles the RPCAP_MSG_ERROR message.
3097 */
rpcap_msg_err(SOCKET sockctrl,uint32 plen,char * remote_errbuf)3098 static void rpcap_msg_err(SOCKET sockctrl, uint32 plen, char *remote_errbuf)
3099 {
3100 char errbuf[PCAP_ERRBUF_SIZE];
3101
3102 if (plen >= PCAP_ERRBUF_SIZE)
3103 {
3104 /*
3105 * Message is too long; just read as much of it as we
3106 * can into the buffer provided, and discard the rest.
3107 */
3108 if (sock_recv(sockctrl, remote_errbuf, PCAP_ERRBUF_SIZE - 1,
3109 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3110 PCAP_ERRBUF_SIZE) == -1)
3111 {
3112 // Network error.
3113 pcap_snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3114 return;
3115 }
3116
3117 /*
3118 * Null-terminate it.
3119 */
3120 remote_errbuf[PCAP_ERRBUF_SIZE - 1] = '\0';
3121
3122 /*
3123 * Throw away the rest.
3124 */
3125 (void)rpcap_discard(sockctrl, plen - (PCAP_ERRBUF_SIZE - 1), remote_errbuf);
3126 }
3127 else if (plen == 0)
3128 {
3129 /* Empty error string. */
3130 remote_errbuf[0] = '\0';
3131 }
3132 else
3133 {
3134 if (sock_recv(sockctrl, remote_errbuf, plen,
3135 SOCK_RECEIVEALL_YES|SOCK_EOF_IS_ERROR, errbuf,
3136 PCAP_ERRBUF_SIZE) == -1)
3137 {
3138 // Network error.
3139 pcap_snprintf(remote_errbuf, PCAP_ERRBUF_SIZE, "Read of error message from client failed: %s", errbuf);
3140 return;
3141 }
3142
3143 /*
3144 * Null-terminate it.
3145 */
3146 remote_errbuf[plen] = '\0';
3147 }
3148 }
3149
3150 /*
3151 * Discard data from a connection.
3152 * Mostly used to discard wrong-sized messages.
3153 * Returns 0 on success, logs a message and returns -1 on a network
3154 * error.
3155 */
rpcap_discard(SOCKET sock,uint32 len,char * errbuf)3156 static int rpcap_discard(SOCKET sock, uint32 len, char *errbuf)
3157 {
3158 if (len != 0)
3159 {
3160 if (sock_discard(sock, len, errbuf, PCAP_ERRBUF_SIZE) == -1)
3161 {
3162 // Network error.
3163 return -1;
3164 }
3165 }
3166 return 0;
3167 }
3168
3169 /*
3170 * Read bytes into the pcap_t's buffer until we have the specified
3171 * number of bytes read or we get an error or interrupt indication.
3172 */
rpcap_read_packet_msg(SOCKET sock,pcap_t * p,size_t size)3173 static int rpcap_read_packet_msg(SOCKET sock, pcap_t *p, size_t size)
3174 {
3175 u_char *bp;
3176 int cc;
3177 int bytes_read;
3178
3179 bp = p->bp;
3180 cc = p->cc;
3181
3182 /*
3183 * Loop until we have the amount of data requested or we get
3184 * an error or interrupt.
3185 */
3186 while ((size_t)cc < size)
3187 {
3188 /*
3189 * We haven't read all of the packet header yet.
3190 * Read what remains, which could be all of it.
3191 */
3192 bytes_read = sock_recv(sock, bp, size - cc,
3193 SOCK_RECEIVEALL_NO|SOCK_EOF_IS_ERROR, p->errbuf,
3194 PCAP_ERRBUF_SIZE);
3195 if (bytes_read == -1)
3196 {
3197 /*
3198 * Network error. Update the read pointer and
3199 * byte count, and return an error indication.
3200 */
3201 p->bp = bp;
3202 p->cc = cc;
3203 return -1;
3204 }
3205 if (bytes_read == -3)
3206 {
3207 /*
3208 * Interrupted receive. Update the read
3209 * pointer and byte count, and return
3210 * an interrupted indication.
3211 */
3212 p->bp = bp;
3213 p->cc = cc;
3214 return -3;
3215 }
3216 if (bytes_read == 0)
3217 {
3218 /*
3219 * EOF - server terminated the connection.
3220 * Update the read pointer and byte count, and
3221 * return an error indication.
3222 */
3223 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
3224 "The server terminated the connection.");
3225 return -1;
3226 }
3227 bp += bytes_read;
3228 cc += bytes_read;
3229 }
3230 p->bp = bp;
3231 p->cc = cc;
3232 return 0;
3233 }
3234