-
Notifications
You must be signed in to change notification settings - Fork 0
/
pcap-rpcap.c
3467 lines (3068 loc) · 103 KB
/
pcap-rpcap.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* Copyright (c) 2002 - 2005 NetGroup, Politecnico di Torino (Italy)
* Copyright (c) 2005 - 2008 CACE Technologies, Davis (California)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the Politecnico di Torino, CACE Technologies
* nor the names of its contributors may be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include "ftmacros.h"
#include <string.h> /* for strlen(), ... */
#include <stdlib.h> /* for malloc(), free(), ... */
#include <stdarg.h> /* for functions with variable number of arguments */
#include <errno.h> /* for the errno variable */
#include "sockutils.h"
#include "pcap-int.h"
#include "rpcap-protocol.h"
#include "pcap-rpcap.h"
#ifdef HAVE_OPENSSL
#include "sslutils.h"
#endif
/*
* This file contains the pcap module for capturing from a remote machine's
* interfaces using the RPCAP protocol.
*
* WARNING: All the RPCAP functions that are allowed to return a buffer
* containing the error description can return max PCAP_ERRBUF_SIZE characters.
* However there is no guarantees that the string will be zero-terminated.
* Best practice is to define the errbuf variable as a char of size
* 'PCAP_ERRBUF_SIZE+1' and to insert manually a NULL character at the end
* of the buffer. This will guarantee that no buffer overflows occur even
* if we use the printf() to show the error on the screen.
*
* XXX - actually, null-terminating the error string is part of the
* contract for the pcap API; if there's any place in the pcap code
* that doesn't guarantee null-termination, even at the expense of
* cutting the message short, that's a bug and needs to be fixed.
*/
#define PCAP_STATS_STANDARD 0 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
#ifdef _WIN32
#define PCAP_STATS_EX 1 /* Used by pcap_stats_rpcap to see if we want standard or extended statistics */
#endif
/*
* \brief Keeps a list of all the opened connections in the active mode.
*
* This structure defines a linked list of items that are needed to keep the info required to
* manage the active mode.
* In other words, when a new connection in active mode starts, this structure is updated so that
* it reflects the list of active mode connections currently opened.
* This structure is required by findalldevs() and open_remote() to see if they have to open a new
* control connection toward the host, or they already have a control connection in place.
*/
struct activehosts
{
struct sockaddr_storage host;
SOCKET sockctrl;
SSL *ssl;
uint8 protocol_version;
struct activehosts *next;
};
/* Keeps a list of all the opened connections in the active mode. */
static struct activehosts *activeHosts;
/*
* Keeps the main socket identifier when we want to accept a new remote
* connection (active mode only).
* See the documentation of pcap_remoteact_accept() and
* pcap_remoteact_cleanup() for more details.
*/
static SOCKET sockmain;
static SSL *ssl_main;
/*
* Private data for capturing remotely using the rpcap protocol.
*/
struct pcap_rpcap {
/*
* This is '1' if we're the network client; it is needed by several
* functions (such as pcap_setfilter()) to know whether they have
* to use the socket or have to open the local adapter.
*/
int rmt_clientside;
SOCKET rmt_sockctrl; /* socket ID of the socket used for the control connection */
SOCKET rmt_sockdata; /* socket ID of the socket used for the data connection */
SSL *ctrl_ssl, *data_ssl; /* optional transport of rmt_sockctrl and rmt_sockdata via TLS */
int rmt_flags; /* we have to save flags, since they are passed by the pcap_open_live(), but they are used by the pcap_startcapture() */
int rmt_capstarted; /* 'true' if the capture is already started (needed to knoe if we have to call the pcap_startcapture() */
char *currentfilter; /* Pointer to a buffer (allocated at run-time) that stores the current filter. Needed when flag PCAP_OPENFLAG_NOCAPTURE_RPCAP is turned on. */
uint8 protocol_version; /* negotiated protocol version */
uint8 uses_ssl; /* User asked for rpcaps scheme */
unsigned int TotNetDrops; /* keeps the number of packets that have been dropped by the network */
/*
* This keeps the number of packets that have been received by the
* application.
*
* Packets dropped by the kernel buffer are not counted in this
* variable. It is always equal to (TotAccepted - TotDrops),
* except for the case of remote capture, in which we have also
* packets in flight, i.e. that have been transmitted by the remote
* host, but that have not been received (yet) from the client.
* In this case, (TotAccepted - TotDrops - TotNetDrops) gives a
* wrong result, since this number does not corresponds always to
* the number of packet received by the application. For this reason,
* in the remote capture we need another variable that takes into
* account of the number of packets actually received by the
* application.
*/
unsigned int TotCapt;
struct pcap_stat stat;
/* XXX */
struct pcap *next; /* list of open pcaps that need stuff cleared on close */
};
/****************************************************
* *
* Locally defined functions *
* *
****************************************************/
static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode);
static int pcap_pack_bpffilter(pcap_t *fp, char *sendbuf, int *sendbufidx, struct bpf_program *prog);
static int pcap_createfilter_norpcappkt(pcap_t *fp, struct bpf_program *prog);
static int pcap_updatefilter_remote(pcap_t *fp, struct bpf_program *prog);
static void pcap_save_current_filter_rpcap(pcap_t *fp, const char *filter);
static int pcap_setfilter_rpcap(pcap_t *fp, struct bpf_program *prog);
static int pcap_setsampling_remote(pcap_t *fp);
static int pcap_startcapture_remote(pcap_t *fp);
static int rpcap_recv_msg_header(SOCKET sock, SSL *, struct rpcap_header *header, char *errbuf);
static int rpcap_check_msg_ver(SOCKET sock, SSL *, uint8 expected_ver, struct rpcap_header *header, char *errbuf);
static int rpcap_check_msg_type(SOCKET sock, SSL *, uint8 request_type, struct rpcap_header *header, uint16 *errcode, char *errbuf);
static int rpcap_process_msg_header(SOCKET sock, SSL *, uint8 ver, uint8 request_type, struct rpcap_header *header, char *errbuf);
static int rpcap_recv(SOCKET sock, SSL *, void *buffer, size_t toread, uint32 *plen, char *errbuf);
static void rpcap_msg_err(SOCKET sockctrl, SSL *, uint32 plen, char *remote_errbuf);
static int rpcap_discard(SOCKET sock, SSL *, uint32 len, char *errbuf);
static int rpcap_read_packet_msg(struct pcap_rpcap const *, pcap_t *p, size_t size);
/****************************************************
* *
* Function bodies *
* *
****************************************************/
/*
* This function translates (i.e. de-serializes) a 'rpcap_sockaddr'
* structure from the network byte order to a 'sockaddr_in" or
* 'sockaddr_in6' structure in the host byte order.
*
* It accepts an 'rpcap_sockaddr' structure as it is received from the
* network, and checks the address family field against various values
* to see whether it looks like an IPv4 address, an IPv6 address, or
* neither of those. It checks for multiple values in order to try
* to handle older rpcap daemons that sent the native OS's 'sockaddr_in'
* or 'sockaddr_in6' structures over the wire with some members
* byte-swapped, and to handle the fact that AF_INET6 has different
* values on different OSes.
*
* For IPv4 addresses, it converts the address family to host byte
* order from network byte order and puts it into the structure,
* sets the length if a sockaddr structure has a length, converts the
* port number to host byte order from network byte order and puts
* it into the structure, copies over the IPv4 address, and zeroes
* out the zero padding.
*
* For IPv6 addresses, it converts the address family to host byte
* order from network byte order and puts it into the structure,
* sets the length if a sockaddr structure has a length, converts the
* port number and flow information to host byte order from network
* byte order and puts them into the structure, copies over the IPv6
* address, and converts the scope ID to host byte order from network
* byte order and puts it into the structure.
*
* The function will allocate the 'sockaddrout' variable according to the
* address family in use. In case the address does not belong to the
* AF_INET nor AF_INET6 families, 'sockaddrout' is not allocated and a
* NULL pointer is returned. This usually happens because that address
* does not exist on the other host, or is of an address family other
* than AF_INET or AF_INET6, so the RPCAP daemon sent a 'sockaddr_storage'
* structure containing all 'zero' values.
*
* Older RPCAPDs sent the addresses over the wire in the OS's native
* structure format. For most OSes, this looks like the over-the-wire
* format, but might have a different value for AF_INET6 than the value
* on the machine receiving the reply. For OSes with the newer BSD-style
* sockaddr structures, this has, instead of a 2-byte address family,
* a 1-byte structure length followed by a 1-byte address family. The
* RPCAPD code would put the address family in network byte order before
* sending it; that would set it to 0 on a little-endian machine, as
* htons() of any value between 1 and 255 would result in a value > 255,
* with its lower 8 bits zero, so putting that back into a 1-byte field
* would set it to 0.
*
* Therefore, for older RPCAPDs running on an OS with newer BSD-style
* sockaddr structures, the family field, if treated as a big-endian
* (network byte order) 16-bit field, would be:
*
* (length << 8) | family if sent by a big-endian machine
* (length << 8) if sent by a little-endian machine
*
* For current RPCAPDs, and for older RPCAPDs running on an OS with
* older BSD-style sockaddr structures, the family field, if treated
* as a big-endian 16-bit field, would just contain the family.
*
* \param sockaddrin: a 'rpcap_sockaddr' pointer to the variable that has
* to be de-serialized.
*
* \param sockaddrout: a 'sockaddr_storage' pointer to the variable that will contain
* the de-serialized data. The structure returned can be either a 'sockaddr_in' or 'sockaddr_in6'.
* This variable will be allocated automatically inside this function.
*
* \param errbuf: a pointer to a user-allocated buffer (of size PCAP_ERRBUF_SIZE)
* that will contain the error message (in case there is one).
*
* \return '0' if everything is fine, '-1' if some errors occurred. Basically, the error
* can be only the fact that the malloc() failed to allocate memory.
* The error message is returned in the 'errbuf' variable, while the deserialized address
* is returned into the 'sockaddrout' variable.
*
* \warning This function supports only AF_INET and AF_INET6 address families.
*
* \warning The sockaddrout (if not NULL) must be deallocated by the user.
*/
/*
* Possible IPv4 family values other than the designated over-the-wire value,
* which is 2 (because everybody uses 2 for AF_INET4).
*/
#define SOCKADDR_IN_LEN 16 /* length of struct sockaddr_in */
#define SOCKADDR_IN6_LEN 28 /* length of struct sockaddr_in6 */
#define NEW_BSD_AF_INET_BE ((SOCKADDR_IN_LEN << 8) | 2)
#define NEW_BSD_AF_INET_LE (SOCKADDR_IN_LEN << 8)
/*
* Possible IPv6 family values other than the designated over-the-wire value,
* which is 23 (because that's what Windows uses, and most RPCAP servers
* out there are probably running Windows, as WinPcap includes the server
* but few if any UN*Xes build and ship it).
*
* The new BSD sockaddr structure format was in place before 4.4-Lite, so
* all the free-software BSDs use it.
*/
#define NEW_BSD_AF_INET6_BSD_BE ((SOCKADDR_IN6_LEN << 8) | 24) /* NetBSD, OpenBSD, BSD/OS */
#define NEW_BSD_AF_INET6_FREEBSD_BE ((SOCKADDR_IN6_LEN << 8) | 28) /* FreeBSD, DragonFly BSD */
#define NEW_BSD_AF_INET6_DARWIN_BE ((SOCKADDR_IN6_LEN << 8) | 30) /* macOS, iOS, anything else Darwin-based */
#define NEW_BSD_AF_INET6_LE (SOCKADDR_IN6_LEN << 8)
#define LINUX_AF_INET6 10
#define HPUX_AF_INET6 22
#define AIX_AF_INET6 24
#define SOLARIS_AF_INET6 26
static int
rpcap_deseraddr(struct rpcap_sockaddr *sockaddrin, struct sockaddr_storage **sockaddrout, char *errbuf)
{
/* Warning: we support only AF_INET and AF_INET6 */
switch (ntohs(sockaddrin->family))
{
case RPCAP_AF_INET:
case NEW_BSD_AF_INET_BE:
case NEW_BSD_AF_INET_LE:
{
struct rpcap_sockaddr_in *sockaddrin_ipv4;
struct sockaddr_in *sockaddrout_ipv4;
(*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in));
if ((*sockaddrout) == NULL)
{
pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
errno, "malloc() failed");
return -1;
}
sockaddrin_ipv4 = (struct rpcap_sockaddr_in *) sockaddrin;
sockaddrout_ipv4 = (struct sockaddr_in *) (*sockaddrout);
sockaddrout_ipv4->sin_family = AF_INET;
sockaddrout_ipv4->sin_port = ntohs(sockaddrin_ipv4->port);
memcpy(&sockaddrout_ipv4->sin_addr, &sockaddrin_ipv4->addr, sizeof(sockaddrout_ipv4->sin_addr));
memset(sockaddrout_ipv4->sin_zero, 0, sizeof(sockaddrout_ipv4->sin_zero));
break;
}
#ifdef AF_INET6
case RPCAP_AF_INET6:
case NEW_BSD_AF_INET6_BSD_BE:
case NEW_BSD_AF_INET6_FREEBSD_BE:
case NEW_BSD_AF_INET6_DARWIN_BE:
case NEW_BSD_AF_INET6_LE:
case LINUX_AF_INET6:
case HPUX_AF_INET6:
case AIX_AF_INET6:
case SOLARIS_AF_INET6:
{
struct rpcap_sockaddr_in6 *sockaddrin_ipv6;
struct sockaddr_in6 *sockaddrout_ipv6;
(*sockaddrout) = (struct sockaddr_storage *) malloc(sizeof(struct sockaddr_in6));
if ((*sockaddrout) == NULL)
{
pcap_fmt_errmsg_for_errno(errbuf, PCAP_ERRBUF_SIZE,
errno, "malloc() failed");
return -1;
}
sockaddrin_ipv6 = (struct rpcap_sockaddr_in6 *) sockaddrin;
sockaddrout_ipv6 = (struct sockaddr_in6 *) (*sockaddrout);
sockaddrout_ipv6->sin6_family = AF_INET6;
sockaddrout_ipv6->sin6_port = ntohs(sockaddrin_ipv6->port);
sockaddrout_ipv6->sin6_flowinfo = ntohl(sockaddrin_ipv6->flowinfo);
memcpy(&sockaddrout_ipv6->sin6_addr, &sockaddrin_ipv6->addr, sizeof(sockaddrout_ipv6->sin6_addr));
sockaddrout_ipv6->sin6_scope_id = ntohl(sockaddrin_ipv6->scope_id);
break;
}
#endif
default:
/*
* It is neither AF_INET nor AF_INET6 (or, if the OS doesn't
* support AF_INET6, it's not AF_INET).
*/
*sockaddrout = NULL;
break;
}
return 0;
}
/*
* This function reads a packet from the network socket. It does not
* deliver the packet to a pcap_dispatch()/pcap_loop() callback (hence
* the "nocb" string into its name).
*
* This function is called by pcap_read_rpcap().
*
* WARNING: By choice, this function does not make use of semaphores. A smarter
* implementation should put a semaphore into the data thread, and a signal will
* be raised as soon as there is data into the socket buffer.
* However this is complicated and it does not bring any advantages when reading
* from the network, in which network delays can be much more important than
* these optimizations. Therefore, we chose the following approach:
* - the 'timeout' chosen by the user is split in two (half on the server side,
* with the usual meaning, and half on the client side)
* - this function checks for packets; if there are no packets, it waits for
* timeout/2 and then it checks again. If packets are still missing, it returns,
* otherwise it reads packets.
*/
static int pcap_read_nocb_remote(pcap_t *p, struct pcap_pkthdr *pkt_header, u_char **pkt_data)
{
struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
struct rpcap_header *header; /* general header according to the RPCAP format */
struct rpcap_pkthdr *net_pkt_header; /* header of the packet, from the message */
u_char *net_pkt_data; /* packet data from the message */
uint32 plen;
int retval = 0; /* generic return value */
int msglen;
/* Structures needed for the select() call */
struct timeval tv; /* maximum time the select() can block waiting for data */
fd_set rfds; /* set of socket descriptors we have to check */
/*
* Define the packet buffer timeout, to be used in the select()
* 'timeout', in pcap_t, is in milliseconds; we have to convert it into sec and microsec
*/
tv.tv_sec = p->opt.timeout / 1000;
tv.tv_usec = (suseconds_t)((p->opt.timeout - tv.tv_sec * 1000) * 1000);
#ifdef HAVE_OPENSSL
/* Check if we still have bytes available in the last decoded TLS record.
* If that's the case, we know SSL_read will not block. */
retval = pr->data_ssl && SSL_pending(pr->data_ssl) > 0;
#endif
if (! retval)
{
/* Watch out sockdata to see if it has input */
FD_ZERO(&rfds);
/*
* 'fp->rmt_sockdata' has always to be set before calling the select(),
* since it is cleared by the select()
*/
FD_SET(pr->rmt_sockdata, &rfds);
retval = select((int) pr->rmt_sockdata + 1, &rfds, NULL, NULL, &tv);
if (retval == -1)
{
#ifndef _WIN32
if (errno == EINTR)
{
/* Interrupted. */
return 0;
}
#endif
sock_geterror("select(): ", p->errbuf, PCAP_ERRBUF_SIZE);
return -1;
}
}
/* There is no data waiting, so return '0' */
if (retval == 0)
return 0;
/*
* We have to define 'header' as a pointer to a larger buffer,
* because in case of UDP we have to read all the message within a single call
*/
header = (struct rpcap_header *) p->buffer;
net_pkt_header = (struct rpcap_pkthdr *) ((char *)p->buffer + sizeof(struct rpcap_header));
net_pkt_data = (u_char *)p->buffer + sizeof(struct rpcap_header) + sizeof(struct rpcap_pkthdr);
if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
{
/* Read the entire message from the network */
msglen = sock_recv_dgram(pr->rmt_sockdata, pr->data_ssl, p->buffer,
p->bufsize, p->errbuf, PCAP_ERRBUF_SIZE);
if (msglen == -1)
{
/* Network error. */
return -1;
}
if (msglen == -3)
{
/* Interrupted receive. */
return 0;
}
if ((size_t)msglen < sizeof(struct rpcap_header))
{
/*
* Message is shorter than an rpcap header.
*/
pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"UDP packet message is shorter than an rpcap header");
return -1;
}
plen = ntohl(header->plen);
if ((size_t)msglen < sizeof(struct rpcap_header) + plen)
{
/*
* Message is shorter than the header claims it
* is.
*/
pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"UDP packet message is shorter than its rpcap header claims");
return -1;
}
}
else
{
int status;
if ((size_t)p->cc < sizeof(struct rpcap_header))
{
/*
* We haven't read any of the packet header yet.
* The size we should get is the size of the
* packet header.
*/
status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header));
if (status == -1)
{
/* Network error. */
return -1;
}
if (status == -3)
{
/* Interrupted receive. */
return 0;
}
}
/*
* We have the header, so we know how long the
* message payload is. The size we should get
* is the size of the packet header plus the
* size of the payload.
*/
plen = ntohl(header->plen);
if (plen > p->bufsize - sizeof(struct rpcap_header))
{
/*
* This is bigger than the largest
* record we'd expect. (We do it by
* subtracting in order to avoid an
* overflow.)
*/
pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"Server sent us a message larger than the largest expected packet message");
return -1;
}
status = rpcap_read_packet_msg(pr, p, sizeof(struct rpcap_header) + plen);
if (status == -1)
{
/* Network error. */
return -1;
}
if (status == -3)
{
/* Interrupted receive. */
return 0;
}
/*
* We have the entire message; reset the buffer pointer
* and count, as the next read should start a new
* message.
*/
p->bp = p->buffer;
p->cc = 0;
}
/*
* We have the entire message.
*/
header->plen = plen;
/*
* Did the server specify the version we negotiated?
*/
if (rpcap_check_msg_ver(pr->rmt_sockdata, pr->data_ssl, pr->protocol_version,
header, p->errbuf) == -1)
{
return 0; /* Return 'no packets received' */
}
/*
* Is this a RPCAP_MSG_PACKET message?
*/
if (header->type != RPCAP_MSG_PACKET)
{
return 0; /* Return 'no packets received' */
}
if (ntohl(net_pkt_header->caplen) > plen)
{
pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"Packet's captured data goes past the end of the received packet message.");
return -1;
}
/* Fill in packet header */
pkt_header->caplen = ntohl(net_pkt_header->caplen);
pkt_header->len = ntohl(net_pkt_header->len);
pkt_header->ts.tv_sec = ntohl(net_pkt_header->timestamp_sec);
pkt_header->ts.tv_usec = ntohl(net_pkt_header->timestamp_usec);
/* Supply a pointer to the beginning of the packet data */
*pkt_data = net_pkt_data;
/*
* I don't update the counter of the packets dropped by the network since we're using TCP,
* therefore no packets are dropped. Just update the number of packets received correctly
*/
pr->TotCapt++;
if (pr->rmt_flags & PCAP_OPENFLAG_DATATX_UDP)
{
unsigned int npkt;
/* We're using UDP, so we need to update the counter of the packets dropped by the network */
npkt = ntohl(net_pkt_header->npkt);
if (pr->TotCapt != npkt)
{
pr->TotNetDrops += (npkt - pr->TotCapt);
pr->TotCapt = npkt;
}
}
/* Packet read successfully */
return 1;
}
/*
* This function reads a packet from the network socket.
*
* This function relies on the pcap_read_nocb_remote to deliver packets. The
* difference, here, is that as soon as a packet is read, it is delivered
* to the application by means of a callback function.
*/
static int pcap_read_rpcap(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
{
struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
struct pcap_pkthdr pkt_header;
u_char *pkt_data;
int n = 0;
int ret;
/*
* If this is client-side, and we haven't already started
* the capture, start it now.
*/
if (pr->rmt_clientside)
{
/* We are on an remote capture */
if (!pr->rmt_capstarted)
{
/*
* The capture isn't started yet, so try to
* start it.
*/
if (pcap_startcapture_remote(p))
return -1;
}
}
while (n < cnt || PACKET_COUNT_IS_UNLIMITED(cnt))
{
/*
* Has "pcap_breakloop()" been called?
*/
if (p->break_loop) {
/*
* Yes - clear the flag that indicates that it
* has, and return PCAP_ERROR_BREAK to indicate
* that we were told to break out of the loop.
*/
p->break_loop = 0;
return (PCAP_ERROR_BREAK);
}
/*
* Read some packets.
*/
ret = pcap_read_nocb_remote(p, &pkt_header, &pkt_data);
if (ret == 1)
{
/*
* We got a packet. Hand it to the callback
* and count it so we can return the count.
*/
(*callback)(user, &pkt_header, pkt_data);
n++;
}
else if (ret == -1)
{
/* Error. */
return ret;
}
else
{
/*
* No packet; this could mean that we timed
* out, or that we got interrupted, or that
* we got a bad packet.
*
* Were we told to break out of the loop?
*/
if (p->break_loop) {
/*
* Yes.
*/
p->break_loop = 0;
return (PCAP_ERROR_BREAK);
}
/* No - return the number of packets we've processed. */
return n;
}
}
return n;
}
/*
* This function sends a CLOSE command to the capture server if we're in
* passive mode and an ENDCAP command to the capture server if we're in
* active mode.
*
* It is called when the user calls pcap_close(). It sends a command
* to our peer that says 'ok, let's stop capturing'.
*
* WARNING: Since we're closing the connection, we do not check for errors.
*/
static void pcap_cleanup_rpcap(pcap_t *fp)
{
struct pcap_rpcap *pr = fp->priv; /* structure used when doing a remote live capture */
struct rpcap_header header; /* header of the RPCAP packet */
struct activehosts *temp; /* temp var needed to scan the host list chain, to detect if we're in active mode */
int active = 0; /* active mode or not? */
/* detect if we're in active mode */
temp = activeHosts;
while (temp)
{
if (temp->sockctrl == pr->rmt_sockctrl)
{
active = 1;
break;
}
temp = temp->next;
}
if (!active)
{
rpcap_createhdr(&header, pr->protocol_version,
RPCAP_MSG_CLOSE, 0, 0);
/*
* Send the close request; don't report any errors, as
* we're closing this pcap_t, and have no place to report
* the error. No reply is sent to this message.
*/
(void)sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
sizeof(struct rpcap_header), NULL, 0);
}
else
{
rpcap_createhdr(&header, pr->protocol_version,
RPCAP_MSG_ENDCAP_REQ, 0, 0);
/*
* Send the end capture request; don't report any errors,
* as we're closing this pcap_t, and have no place to
* report the error.
*/
if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
sizeof(struct rpcap_header), NULL, 0) == 0)
{
/*
* Wait for the answer; don't report any errors,
* as we're closing this pcap_t, and have no
* place to report the error.
*/
if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl,
pr->protocol_version, RPCAP_MSG_ENDCAP_REQ,
&header, NULL) == 0)
{
(void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl,
header.plen, NULL);
}
}
}
if (pr->rmt_sockdata)
{
#ifdef HAVE_OPENSSL
if (pr->data_ssl)
{
// Finish using the SSL handle for the data socket.
// This must be done *before* the socket is closed.
ssl_finish(pr->data_ssl);
pr->data_ssl = NULL;
}
#endif
sock_close(pr->rmt_sockdata, NULL, 0);
pr->rmt_sockdata = 0;
}
if ((!active) && (pr->rmt_sockctrl))
{
#ifdef HAVE_OPENSSL
if (pr->ctrl_ssl)
{
// Finish using the SSL handle for the control socket.
// This must be done *before* the socket is closed.
ssl_finish(pr->ctrl_ssl);
pr->ctrl_ssl = NULL;
}
#endif
sock_close(pr->rmt_sockctrl, NULL, 0);
}
pr->rmt_sockctrl = 0;
pr->ctrl_ssl = NULL;
if (pr->currentfilter)
{
free(pr->currentfilter);
pr->currentfilter = NULL;
}
pcap_cleanup_live_common(fp);
/* To avoid inconsistencies in the number of sock_init() */
sock_cleanup();
}
/*
* This function retrieves network statistics from our peer;
* it provides only the standard statistics.
*/
static int pcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps)
{
struct pcap_stat *retval;
retval = rpcap_stats_rpcap(p, ps, PCAP_STATS_STANDARD);
if (retval)
return 0;
else
return -1;
}
#ifdef _WIN32
/*
* This function retrieves network statistics from our peer;
* it provides the additional statistics supported by pcap_stats_ex().
*/
static struct pcap_stat *pcap_stats_ex_rpcap(pcap_t *p, int *pcap_stat_size)
{
*pcap_stat_size = sizeof (p->stat);
/* PCAP_STATS_EX (third param) means 'extended pcap_stats()' */
return (rpcap_stats_rpcap(p, &(p->stat), PCAP_STATS_EX));
}
#endif
/*
* This function retrieves network statistics from our peer. It
* is used by the two previous functions.
*
* It can be called in two modes:
* - PCAP_STATS_STANDARD: if we want just standard statistics (i.e.,
* for pcap_stats())
* - PCAP_STATS_EX: if we want extended statistics (i.e., for
* pcap_stats_ex())
*
* This 'mode' parameter is needed because in pcap_stats() the variable that
* keeps the statistics is allocated by the user. On Windows, this structure
* has been extended in order to keep new stats. However, if the user has a
* smaller structure and it passes it to pcap_stats(), this function will
* try to fill in more data than the size of the structure, so that memory
* after the structure will be overwritten.
*
* So, we need to know it we have to copy just the standard fields, or the
* extended fields as well.
*
* In case we want to copy the extended fields as well, the problem of
* memory overflow no longer exists because the structure that's filled
* in is part of the pcap_t, so that it can be guaranteed to be large
* enough for the additional statistics.
*
* \param p: the pcap_t structure related to the current instance.
*
* \param ps: a pointer to a 'pcap_stat' structure, needed for compatibility
* with pcap_stat(), where the structure is allocated by the user. In case
* of pcap_stats_ex(), this structure and the function return value point
* to the same variable.
*
* \param mode: one of PCAP_STATS_STANDARD or PCAP_STATS_EX.
*
* \return The structure that keeps the statistics, or NULL in case of error.
* The error string is placed in the pcap_t structure.
*/
static struct pcap_stat *rpcap_stats_rpcap(pcap_t *p, struct pcap_stat *ps, int mode)
{
struct pcap_rpcap *pr = p->priv; /* structure used when doing a remote live capture */
struct rpcap_header header; /* header of the RPCAP packet */
struct rpcap_stats netstats; /* statistics sent on the network */
uint32 plen; /* data remaining in the message */
#ifdef _WIN32
if (mode != PCAP_STATS_STANDARD && mode != PCAP_STATS_EX)
#else
if (mode != PCAP_STATS_STANDARD)
#endif
{
pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
"Invalid stats mode %d", mode);
return NULL;
}
/*
* If the capture has not yet started, we cannot request statistics
* for the capture from our peer, so we return 0 for all statistics,
* as nothing's been seen yet.
*/
if (!pr->rmt_capstarted)
{
ps->ps_drop = 0;
ps->ps_ifdrop = 0;
ps->ps_recv = 0;
#ifdef _WIN32
if (mode == PCAP_STATS_EX)
{
ps->ps_capt = 0;
ps->ps_sent = 0;
ps->ps_netdrop = 0;
}
#endif /* _WIN32 */
return ps;
}
rpcap_createhdr(&header, pr->protocol_version,
RPCAP_MSG_STATS_REQ, 0, 0);
/* Send the PCAP_STATS command */
if (sock_send(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&header,
sizeof(struct rpcap_header), p->errbuf, PCAP_ERRBUF_SIZE) < 0)
return NULL; /* Unrecoverable network error */
/* Receive and process the reply message header. */
if (rpcap_process_msg_header(pr->rmt_sockctrl, pr->ctrl_ssl, pr->protocol_version,
RPCAP_MSG_STATS_REQ, &header, p->errbuf) == -1)
return NULL; /* Error */
plen = header.plen;
/* Read the reply body */
if (rpcap_recv(pr->rmt_sockctrl, pr->ctrl_ssl, (char *)&netstats,
sizeof(struct rpcap_stats), &plen, p->errbuf) == -1)
goto error;
ps->ps_drop = ntohl(netstats.krnldrop);
ps->ps_ifdrop = ntohl(netstats.ifdrop);
ps->ps_recv = ntohl(netstats.ifrecv);
#ifdef _WIN32
if (mode == PCAP_STATS_EX)
{
ps->ps_capt = pr->TotCapt;
ps->ps_netdrop = pr->TotNetDrops;
ps->ps_sent = ntohl(netstats.svrcapt);
}
#endif /* _WIN32 */
/* Discard the rest of the message. */
if (rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, p->errbuf) == -1)
goto error_nodiscard;
return ps;
error:
/*
* Discard the rest of the message.
* We already reported an error; if this gets an error, just
* drive on.
*/
(void)rpcap_discard(pr->rmt_sockctrl, pr->ctrl_ssl, plen, NULL);
error_nodiscard:
return NULL;
}
/*
* This function returns the entry in the list of active hosts for this
* active connection (active mode only), or NULL if there is no
* active connection or an error occurred. It is just for internal
* use.
*
* \param host: a string that keeps the host name of the host for which we
* want to get the socket ID for that active connection.
*
* \param error: a pointer to an int that is set to 1 if an error occurred
* and 0 otherwise.
*
* \param errbuf: a pointer to a user-allocated buffer (of size
* PCAP_ERRBUF_SIZE) that will contain the error message (in case
* there is one).
*
* \return the entry for this host in the list of active connections
* if found, NULL if it's not found or there's an error.
*/
static struct activehosts *
rpcap_remoteact_getsock(const char *host, int *error, char *errbuf)
{
struct activehosts *temp; /* temp var needed to scan the host list chain */
struct addrinfo hints, *addrinfo, *ai_next; /* temp var needed to translate between hostname to its address */
int retval;
/* retrieve the network address corresponding to 'host' */
addrinfo = NULL;
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
retval = getaddrinfo(host, "0", &hints, &addrinfo);
if (retval != 0)
{