forked from the-tcpdump-group/libpcap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.capture-module
351 lines (264 loc) · 14.2 KB
/
README.capture-module
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
How to write a libpcap module
WARNING: this document describes an unstable interface; future releases
of libpcap may, and some probably will, change the interface in an
incompatible fashion. If you submit your module to the libpcap
developers for inclusion in libpcap, not only does that make it more
likely that it will be available in the libpcap provided by operating
system vendors (such as Linux distributions), but it also means that we
will attempt to update it to handle future changes to this interface.
If we add new capabilities, we may have to ask you how to provide those
additional capabilities if you're using an underlying mechanism for
which we have neither the source code nor the documentation.
NOTE: this document assumes familiarity with the entire libpcap API.
TODO: more routines, more stuff that the activate routine has to do
(such as setting the list of DLT_s), convert to Markdown?
On Linux, *BSD, macOS, Solaris, AIX, HP-UX, IRIX, and Tru64 UNIX,
Libpcap supports capturing on network interfaces as supported by the
operating system networking stack, using the native packet capture
mechanism provided by the OS. On Windows, it supports it with the help
of the driver and library supplied by WinPcap and Npcap.
In addition, it also supports capturing on other types of devices, such
as:
specialized capture cards, such as Endace DAG cards;
network adapters that provide special high-performance code
paths, such as CSPI Myricom adapters;
buses such as USB;
software communication channels such as D-Bus and Linux netlink;
etc..
Support for those devices is provided by modules compiled into libpcap.
If you want to add such a module, you would first have to check the list
of link-layer header types supported by libpcap, to see if one of those
would be sufficient for your device. The current version of the list
can be found at
https://www.tcpdump.org/linktypes.html
If none of those would work for your device, please follow the guidelines
on the same page to request a new link-layer header type.
Once you have a link-layer header type value or values that you can use,
you can add new module.
The module should be a C source file, with a name of the form
pcap-{MOD}.c, where {MOD} is a name appropriate for your device; for
example, the support for DAG cards is in pcap-dag.c, and the support for
capturing USB traffic on Linux is pcap-usb-linux.c.
Your module is assumed to support one or more named devices. The names
should be relatively short names, containing only lower-case
alphanumeric characters, consisting of a prefix that ends with an
alphabetic character and, if there can be more than one device instance,
possibly followed by a numerical device ID, such as "mydevice" or
"mydevice0"/"mydevice1"/.... If you have more than one type of device
that you can support, you can have more than one prefix, each of which
can be followed by a numerical device ID.
The two exported functions that your module must provide are routines to
provide a list of device instances and a program to initialize a
created-but-not-activated pcap_t for an instance of one of your devices.
The "list of device instances" routine takes, as arguments:
a pointer to a pcap_if_list_t;
a pointer to an error message buffer.
The error message buffer may be assumed to be PCAP_ERRBUF_SIZE bytes
large, but must not be assumed to be larger. By convention, the routine
typically has a name containing "findalldevs".
The routine should attempt to determine what device instances are
available and add them to the list pointed to by the first argument;
this may be impossible for some modules, but, for those modules, it may
be difficult to capture on the devices using Wirehshark (although it
should be possible to capture on them using tcpdump, TShark, or other
programs that take a device name on the command line), so we recommend
that your routine provide the list of devices if possible. If it
cannot, it should just immediately return 0.
The routine should add devices to the list by calling the add_dev()
routine in libpcap, declared in the pcap-int.h header. It takes, as
arguments:
the pointer to the pcap_if_list_t passed as an argument to the
routine;
the device name, as described above;
a 32-bit word of flags, as provided by pcap_findalldevs();
a text description of the device, or NULL if there is no
description;
the error message buffer pointer provided to the routine.
add_dev() will, if it succeeds, return a pointer to a pcap_if_t that was
added to the list of devices. If it fails, it will return NULL; in this
case, the error message buffer has been filled in with an error string,
and your routine must return -1 to indicate the error.
If your routine succeeds, it must return 0. If it fails, it must fill
in the error message buffer with an error string and return -1.
The "initialize the pcap_t" routine takes, as arguments:
a pointer to a device name;
a pointer to an error message buffer;
a pointer to an int.
It returns a pointer to a pcap_t.
Your module will probably need, for each pcap_t for an opened device, a
private data structure to maintain its own information about the opened
device. These should be allocated per opened instance, not per device;
if, for example, mydevice0 can be captured on by more than one program
at the same time, there will be more than one pcap_t opened for
mydevice0, and so there will be separate private data structures for
each pcap_t. If you need to maintain per-device, rather than per-opened
instance information, you will have to maintain that yourself.
The routine should first check the device to see whether it looks like a
device that this module would handle; for example, it should begin with
one of the device name prefixes for your module and, if your devices
have instance numbers, be followed by a number. If it is not one of
those devices, you must set the integer pointed to by the third
argument to 0, to indicate that this is *not* one of the devices for
your module, and return NULL.
If it *is* one of those devices, it should call pcap_create_common,
passing to it the error message buffer as the first argument and the
size of the per-opened instance data structure as the second argument.
If it fails, it will return NULL; you must return NULL in this case.
If it succeeds, the pcap_t pointed to by the return value has been
partially initialized, but you will need to complete the process. It
has a "priv" member, which is a void * that points to the private data
structure attached to it; that structure has been initialized to zeroes.
What you need to set are some function pointers to your routines to
handle certain operations:
activate_op
the routine called when pcap_activate() is done on the
pcap_t
can_set_rfmon_op
the routine called when pcap_can_set_rfmon() is done on
the pcap_t - if your device doesn't support 802.11
monitor mode, you can leave this as initialized by
pcap_create_common(), as that routine will return "no,
monitor mode isn't supported".
Once you've set the activate_op and, if necessary, the can_set_rfmon_op,
you must return the pcap_t * that was returned to you.
Your activate routine takes, as an argument, a pointer to the pcap_t
being activated, and returns an int.
The perameters set for the device in the pcap_create() call, and after
that call(), are mostly in the opt member of the pcap_t:
device
the name of the device
timeout
the buffering timeout, in milliseconds
buffer_size
the buffer size to use
promisc
1 if promiscuous mode is to be used, 0 otherwise
rfmon
1 if monitor mode is to be used, 0 otherwise
immediate
1 if the device should be in immediate mode, 0 otherwise
nonblock
1 if the device should be in non-blocking mode, 0
otherwise
tstamp_type
the type of time stamp to supply
tstamp_precision
the time stamp precision to supply
The snapshot member of the pcap_t structure will contain the snapshot
length to be used.
Your routine should attempt to set up the device for capturing. If it
fails, it must return an error indication which is one of the PCAP_ERROR
values. For PCAP_ERROR, it must also set the errbuf member of the
pcap_t to an error string. For PCAP_ERROR_NO_SUCH_DEVICE and
PCAP_ERROR_PERM_DENIED, it may set it to an error string providing
additional information that may be useful for debugging, or may just
leave it as a null string.
If it succeeds, it must set certain function pointers in the pcap_t
structure:
read_op
called whenever packets are to be read
inject_op
called whenever packets are to be injected
setfilter_op
called whenever pcap_setfilter() is called
setdirection_op
called whenever pcap_setdirection() is called
set_datalink_op
called whnever pcap_set_datalink() is called
getnonblock_op
called whenever pcap_getnonblock() is called
setnonblock_op
called whenever pcap_setnonblock() is called
stats_op
called whenever pcap_stats() is called
cleanup_op
called if the activate routine fails or pcap_close() is
called
and must also set the linktype member to the DLT_ value for the device.
On UN*Xes, if the device supports waiting for packets to arrive with
select()/poll()/epoll()/kqueues etc., it should set the selectable_fd
member of the structure to the descriptor you would use with those
calls. If it does not, then, if that's because the device polls for
packets rather than receiving interrupts or other signals when packets
arrive, it should have a struct timeval in the private data structure,
set the value of that struct timeval to the poll timeout, and set the
required_select_timeout member of the pcap_t to point to the struct
timeval.
The read_op routine is called when pcap_dispatch(), pcap_loop(),
pcap_next(), or pcap_next_ex() is called. It is passed the same
arguments as pcap_dispatch() is called.
The routine should first check if the break_loop member of the pcap_t is
non-zero and, if so, set that member to zero and return
PCAP_ERROR_BREAK.
Then, if the pcap_t is in blocking mode (as opposed to non-blocking
mode), and there are no packets immediately available to be passed to
the callback, it should block waiting for packets to arrive, using the
buffering timeout, first, and read packets from the device if necessary.
Then it should loop through the available packets, calling the callback
routine for each packet:
If the PACKET_COUNT_IS_UNLIMITED() macro evaluates to true when
passed the packet count argument, the loop should continue until
there are no more packets immediately available or the
break_loop member of the pcap_t is non-zero. If the break_loop
member is fount to be non-zero, it should set that member to
zero and return PCAP_ERROR_BREAK.
If it doesn't evaluat to true, then the loop should also
terminate if the specified number of packets have been delivered
to the callback.
Note that there is *NO* requirement that the packet header or data
provided to the callback remain available, or valid, after the callback
routine returns; if the callback needs to save the data for other code
to use, it must make a copy of that data. This means that the module is
free to, for example, overwrite the buffer into which it read the
packet, or release back to the kernel a packet in a memory-mapped
buffer shared between the kernel and userland, after the callback
returns.
If an error occurs when reading packets from the device, it must set the
errbuf member of the pcap_t to an error string and return PCAP_ERROR.
If no error occurs, it must return the number of packets that were
supplied to the callback routine.
The inject routine is passed a pointer to the pcap_t, a buffer
containing the contents of the packet to inject, and the number of bytes
in the packet. If the device doesn't support packet injection, the
routine must set the errbuf member of the pcap_t to a message indicating
that packet injection isn't supported and return PCAP_ERROR. Otherwise,
it should attempt to inject the packet; if the attempt fails, it must
set the errbuf member of the pcap_t to an error message and return
PCAP_ERROR. Otherwise, it should return the number of bytes injected.
The setfilter routine is passed a pointer to the pcap_t and a pointer
to a struct bpf_program containing a BPF program to be used as a filter.
If the mechanism used by your module can perform filtering with a BPF
program, it would attempt to set that filter to the specified program.
If that failed because the program was too large, or used BPF features
not supported by that mechanism, the module should fall back on
filtering in userland by saving a copy of the filter with a call to
install_bpf_program(), setting a flag in the private data instructure
indicating that filtering is being done by the module and, in the read
routine's main loop, checking the flag and, if it's set, calling
pcap_filter(), passing it the fcode.bf_insns member of the pcap_t, the
raw packet data, the on-the-wire length of the packet, and the captured
length of the packet, and only passing the packet to the callback
routine, and counting it, if pcap_filter() returns a non-zero value.
(If the flag is not set, all packets should be passed to the callback
routine and counted, as the filtering is being done by the mechanism
used by the module.) If install_bpf_program() returns a negative value,
the routine should return PCAP_ERROR.
If the attempt to set the filter failed for any other reason, the
routine must set the errbuf member of the pcap_t to an error message and
return PCAP_ERROR.
If the attempt to set the filter succeeded, or it failed because the
mechanism used by the module rejected it and the call to
install_bpf_program() succeeded, the routine should return 0.
If the mechanism the module uses doesn't support filtering, the pointer
to the setfilter routine can just be set to point to
install_bpf_program; the module does not need a routine of its own to
handle that.
The setdirection routine is passed a pointer to the pcap_t and a
pcap_direction_t indicating which packet directions should be accepted.
If the module can't arrange to handle only incoming packets or only
outgoing packets, it can set the pointer to the setdirection routine to
NULL, and calls to pcap_setdirection() will fail with an error message
indicating that setting the direction isn't supported.
XXX describe set_datalink, including what the activate routine has to do
XXX
XXX describe the rest of the routines XXX