| Commit message | Author | Age | Files | Lines |
|
This part is in line with the draft-ietf-opsawg-pcap.
Moreover:
Update some comments.
Update pcap-sita.html.
|
This reverts commit c2dfd817646d071bf62a3968a0454301e5395d18.
From a Denis remark: struct pcap_file_header is in a public header.
pcap-savefile.manfile.in will be updated separately.
|
Update pcap-savefile.manfile.in accordingly.
This is in line with the draft-ietf-opsawg-pcap.
|
32-bit code.
|
_declspec(deprecated(msg)) doesn't require the function name, and takes
a message as an argument and causes it to be used as the warning/error
message for use of an undeclared function.
|
[skip ci]
|
As discussed on the mailing list in August 2020.
|
If TLS is used with rpcap, user names and passwords don't go over the wire
in clear text.
|
Don't commit to it being a "class" field.
Fix the bitfield for it.
|
There's a reserved field that was originally intended to handle
alternate link-layer type values; it would contain a "class" value
indicating what the lower 16 bits of the field indicate. We currently
only support a "class" value of 0, meaning "it's a LINKTYPE_ value".
Reject files where it's non-zero.
|
Don't tell people to use a routine that doesn't exist; instead, if they
need it, tell them to request it ("request" includes "give us a reason
to believe that they really need it" - what operations do you expect to
do on the HANDLE in question? Note that pcap_getevent() is what you
want if you want to wait for an event on it.).
|
This reverts commit 8b6b13d4cbb685db047af04c49817ed81fff7c35.
That solution allowed you to intermix declarations/definitions and
before the extern "C", so you can see what's being imported.
|
Instead, explicitly flag individual functions with extern "C" by adding
it to the tag we're already using for exported functions, and creating a
new tag to use for non-exported functions.
Rename those tags, and the tags used for exported data, to say what they
do, rather than saying "this is an API" (we may export things we don't
want to be treated as part of the API, but that we have to export
because some programs use them).
|
This 1) indicates what version of libpcap first had a given
API and 2) allows upstream providers whose build environments allow
APIs to be designated as "first available in this release" to do so
by appropriately defining them. ("Upstream providers" here means
"Apple", as far as I know, but perhaps there are others.)
|
keep growing
|
[skip ci]
|
I don't know whether a Windows HANDLE can be expected to survive
conversion to an int - and there's no need for it to have to be
converted. If a caller needs to do something with a HANDLE associated
with a pcap_t, it should call the new pcap_handle() routine and get a
HANDLE; code for UN*X that uses the result of pcap_fileno() is unlikely
to work on Windows anyway.
Squelch the "pointer truncation from 'HANDLE' to 'DWORD'" warning, as,
if that truncation causes an issue, callers should use pcap_handle(),
and if it *doesn't* cause an issue, it's, well, not an issue.
|
[skip ci]
|
Add a routine pcap_init() that initializes pcap, specifying whether
strings should be treated as being in UTF-8 or a local character
encoding.
On UN*Xes, we don't change our behavior based on that setting; if there
is ever an issue with local character encodings *other* than UTF-8, we
can use it.
On Windows, the local character encoding is the local ANSI code page; if
pcap_init() isn't called, or is called with PCAP_CHAR_ENC_LOCAL, strings
are treated as being in the current ANSI code page, as before, otherwise
they're treated as being in UTF-8. This includes file path names and
error messages.
In addition, if pcap_init() is called, regardless of the options, we
disable pcap_lookupdev(), making it always return NULL, as it returned
*UTF-16LE* strings (plural!) on Windows NT, and pcap_create() had to
check for UTF-16LE strings to work around that. That workaround is
unsafe (it will read past the end of the input string if the string is
one ASCII character), and is also disabled if pcap_init() is called.
We also make rpcapd send UTF-8 error message strings over the wire;
sending local code page strings is a Bad Idea, as the client has no idea
what the server's code page is. (Do not assume the client and server
are necessarily in the same location.)
Fix the capitalization of "Winsock" while we're at it; Microsoft appears
to spell it "Winsock", rather than "WinSock".
|
This is a pain to detect, because the PF_PACKET socket code appears to
get separate "interface went down" and "interface went away"
notifications in my "unplug a USB Wi-Fi adapter" tests on my VMware
Fusion Ubuntu 18.04 virtual machine (5.3.0 kernel), and the first
notification delivers a wakeup and returns ENETDOWN while the second
notification delivers *no* wakeup and sets the ifindex member of the
struct packet_sock for the socket, so there's nothing we can test after
the wakeup that's guaranteed to indicate that the interface has
disappeared.
So what we have to do is remember the ENETDOWN but not return it as an
error, and then arrange to periodically check whether the interface is
still there; if it isn't, we *then* return the "interface went away"
error, and, if we see traffic or see that the interface is up, we clear
the remembered ENETDOWN and stop doing the periodic checks.
This is tricky, because it needs to work not only for blocking pcap_t's,
where we're in a loop doing poll() calls, so we can keep checking within
the loop, but also for non-blocking pcap_t's on which the caller is
doing select()/poll()/epoll_wait().
In order to make *that* work, we need to tweak the semantics of
pcap_get_required_select_timeout() so that it's not guaranteed that it
will always return the same value, so that it should be called within
event loops rather than called once outside the event loop. Normally,
there is no timeout required for Linux PF_PACKET sockets, but when we're
doing the periodic tests, the timeout is required.
While we're doing that, we make the return value of
pcap_get_required_select_timeout() a const pointer - there was no good
reason for the caller to modify it (it doesn't belong to the caller).
If poll() returns POLLERR, use getsockopt(SO_ERROR) to get the socket
error, rather than a read().
Update the documentation to reflect this, and make various other
cleanups (including documenting the error return value for
pcap_get_selectable_fd() to -1 rather than PCAP_ERROR - it's not an
error code, it's just a specific error value). Also note that, for
kqueues on *BSD/macOS and for select/poll on Linux, the timeout needn't
be used as a timeout for the call - you can have a timer, so that when
that *particular* timer fires, you try calling pcap_dispatch() on the
pcap_t to which it corresponds.
Update selpolltest to add more capabilities needed when testing this on
Linux.
This should address GitHub issue #859 and pull request #858.
|
Try to work around software using pcap that defines _MSC_VER with non-MS
compilers before including pcap.h.
We expect _MSC_VER to be defined only for Microsoft's compiler, and to
be defined with a value that reflects what version of the compiler is
being used, so that we can determine, among other things, what Microsoft
extensions are available.
Try to detect it being defined by other software that wants to trick us
into thinking something's being compiled with Microsoft's compiler, and
undo the definition of _MSC_VER.
|
Define PCAP_TSTAMP_HOST_{LOW,HI}PREC as synced with the system clock;
add a new PCAP_TSTAMP_HOST_HIPREC_UNSYNCED type for high-precision time
stamps not necessarily synced with the system clock.
This should better match Npcap, including a proposed future "high
precision and synced with the system clock" time stamps for Npcap on
Windows 8 and later.
(This may still not match what FreeBSD offers, but at least it removes
an Npcap mismatch.)
|
Introduce pcap_datalink_val_to_description_or_dlt, and
use that when reporting an error. This was inspired by
seeing "tcpdump: no VLAN support for data link type 113".
The new equivalent message is
"tcpdump: no VLAN support for Linux cooked".
|
Make pcap_dump_fopen() a macro on Windows, wrapping the caller's CRT
functions for getting the raw OS file HANDLE and calling the exported
hopen variant. pcap_dump_hopen() creates a stream from that using
libpcap's CRT and passes that stream to the real pcap_dump_fopen(). This
mirrors what was done for pcap_fopen_offline().
|
Put it in portability.h as well, with redefinition protections.
|
We can't change the signature of pcap_remoteact_accept(); add
pcap_remoteact_accept_ex() with the new signature, and have
pcap_remoteact_accept() as a wrapper with the old signature.
|
Added one boolean argument to pcap_remoteact_accept().
|
This patch also encodes the control sockets in addition to the data
socket. Clients perform a TLS handshake when the scheme is rpcaps://
rather than rpcap://. Both active and passive modes are supported, but
transfer via UDP is not (yet) supported (the lib returns an error in
that case).
I did some adaptation to the Windows code but couldn't test it, so for all
I know it may not even compile.
Also tried to fix the indentation.
|
We don't modify the source argument to pcap_findalldevs_ex(), so make
that a promise, so compilers don't get upset when a constant string is
passed.
See, for example:
https://stackoverflow.com/questions/52397129/winpcap-findalldevs-const-char-incompatible-to-char
|
pcap.h will include pcap/pcap.h and pcap/bpf.h, which both define the
bpf_filter and bpf_validate functions.
In most cases this won't be an issue; most people are using libpcap
as a system library, and the gcc preprocessor will therefore disable part of the
warnings according to the `3` in
https://gcc.gnu.org/onlinedocs/cpp/Preprocessor-Output.html
In case libpcap is included in a project that actually has more warnings
(-Wredundant-decls), and is also using local headers, we end up having quite
a lot of warnings.
|
As documented in https://www.tcpdump.org/manpages/pcap-savefile.5.txt,
this field must be 0.
It was previously propagated from the input file to the output file
when reading/writing with: tcpdump -r input.pcap -w output.pcap
Add/update the appropriate comments.
Moreover:
Set the initializations in the order of structure fields.
|
As discussed on tcpdump-workers: emphasize the fact this function is
Linux-specific.
|
We don't seem to reliably get the NDIS "unsupported OID" errors from
packet.dll, so just treat *all* OID get errors as "try something else".
|
We add:
PCAP_IF_WIRELESS, which indicates whether the interface is "wireless" or
not.
PCAP_IF_CONNECTION_STATUS, which is a bitmask for a two-bit field that
can have one of the values:
PCAP_IF_CONNECTION_STATUS_UNKNOWN if the status of whether the interface
is "connected" or "disconnected" is unknown;
PCAP_IF_CONNECTION_STATUS_CONNECTED if the interface is "connected";
PCAP_IF_CONNECTION_STATUS_DISCONNECTED if the interface is
"disconnected";
PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE if the notion of "connected" or
"disconnected" doesn't apply to this interface.
Take that into account when sorting interfaces in the interface list,
penalizing "disconnected" interfaces, as you won't see traffic on them
if they're not wireless and you'd have to be in some form of "monitor
mode" to see traffic on them if they're wireless.
This should address GitHub issue #700.
|
DAG adapters don't support blocking until packets arrive; a program
using select()/poll()/epoll()/kqueue-based event loop must periodically
poll DAG pcap_t's to see if they have packets available. Add
pcap_get_required_select_timeout(), which returns a pointer to a struct
timeval containing the appropriate timeout interval if polling is
required and NULL if polling isn't required or isn't supported.
Clean up the pcap_get_selectable_fd() documentation while we're at it.
|
"We're building libpcap" and "we're building a libpcap shared library"
are different; the former is true even when building a static libpcap.
Use BUILDING_PCAP for the former and pcap_EXPORTS for the latter.
|
CMake automatically defines pcap_EXPORTS, so we don't have to define
anything ourselves. Define it with autotools as well.
|