S<[ B<-c> E<lt>capture packet countE<gt> ]>
S<[ B<-d> E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt> ]>
S<[ B<-D> ]>
+S<[ B<-e> E<lt>fieldE<gt> ]>
+S<[ B<-E> E<lt>field print optionE<gt> ]>
S<[ B<-f> E<lt>capture filterE<gt> ]>
S<[ B<-F> E<lt>file formatE<gt> ]>
S<[ B<-h> ]>
S<[ B<-s> E<lt>capture snaplenE<gt> ]>
S<[ B<-S> ]>
S<[ B<-t> ad|a|r|d|e ]>
-S<[ B<-T> pdml|psml|ps|text ]>
+S<[ B<-T> pdml|psml|ps|text|fields ]>
S<[ B<-v> ]>
S<[ B<-V> ]>
S<[ B<-w> E<lt>outfileE<gt>|- ]>
B<filesize>:I<value> Stop writing to a capture file after it reaches a size of I<value>
kilobytes (where a kilobyte is 1024 bytes). If this option
-is used together with the -b option, Wireshark will stop writing to the
-current capture file and switch to the next one if filesize is reached.
+is used together with the -b option, B<TShark> will stop writing to the
+current capture file and switch to the next one if filesize is reached. When reading a capture file,
+B<TShark> will stop reading the file after the number of bytes read exceeds this number
+(the complete packet will be read, so more bytes than this number may be read).
B<files>:I<value> Stop writing to capture files after I<value> number of files were written.
=item -c E<lt>capture packet countE<gt>
Set the maximum number of packets to read when capturing live
-data.
+data. If reading a capture file, set the maximum number of packets to read.
=item -d E<lt>layer typeE<gt>==E<lt>selectorE<gt>,E<lt>decode-as protocolE<gt>
If B<TShark -D> is not run from such an account, it will not list
any interfaces.
+=item -e E<lt>fieldE<gt>
+
+Add a field to the list of fields to display if B<-T fields> is selected. This option can be used multiple times
+on the command line. At least one field must be provided if the fields option is selected.
+
+Example: B<-e frame.number -e ip.addr -e udp>
+
+Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. B<-E> controls the format of the printed fields.
+
+=item -E E<lt>field print optionE<gt>
+
+Set an option controlling the printing of fields when B<-T fields> is selected.
+
+Options are:
+
+B<header=y|n> If B<y>, print a list of the field names given using B<-e> as the first line of the output; the field name will be separated using the same character as the field values. Defaults to B<n>.
+
+B<separator=/t|/s|>E<lt>characterE<gt> Set the separator character to use for fields. If B</t> tab will be used (this is the default), if B</s>, s single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
+
+B<quote=d|s|n> Set the quote character to use to surround fields. B<d> uses double-quotes, B<s> single-quotes, B<n> no quotes (the default).
+
=item -f E<lt>capture filterE<gt>
Set the capture filter expression.
/* allocates with a packet lifetime scope an array of type made of num elements */
#define ep_alloc_array(type,num) (type*)ep_alloc(sizeof(type)*(num))
+/* allocates with a packet lifetime scope an array of type made of num elements,
+ * initialised to zero.
+ */
+#define ep_alloc_array0(type,num) (type*)ep_alloc0(sizeof(type)*(num))
+
/*
* Splits a string into a maximum of max_tokens pieces, using the given
* delimiter. If max_tokens is reached, the remainder of string is appended
#include <epan/epan_dissect.h>
#include <epan/tvbuff.h>
#include <epan/packet.h>
+#include <epan/emem.h>
#include "packet-range.h"
#include "print.h"
epan_dissect_t *edt;
} write_pdml_data;
+typedef struct {
+ output_fields_t* fields;
+ epan_dissect_t *edt;
+} write_field_data_t;
+
+struct _output_fields {
+ gboolean print_header;
+ gchar separator;
+ GPtrArray* fields;
+ GHashTable* field_indicies;
+ const gchar** field_values;
+ gchar quote;
+};
+
+static const gchar* get_field_hex_value(GSList* src_list, field_info *fi);
+static const gchar* get_node_field_value(field_info* fi, epan_dissect_t* edt);
static void proto_tree_print_node(proto_node *node, gpointer data);
static void proto_tree_write_node_pdml(proto_node *node, gpointer data);
static const guint8 *get_field_data(GSList *src_list, field_info *fi);
static void print_pdml_geninfo(proto_tree *tree, FILE *fh);
+static void proto_tree_get_node_field_values(proto_node *node, gpointer data);
+
static FILE *
open_print_dest(int to_file, const char *dest)
{
return stream;
}
+
+output_fields_t* output_fields_new()
+{
+ output_fields_t* fields = g_new(output_fields_t, 1);
+ fields->print_header = FALSE;
+ fields->separator = '\t';
+ fields->fields = NULL; /*Do lazy initialisation */
+ fields->field_indicies = NULL;
+ fields->field_values = NULL;
+ fields->quote='\0';
+ return fields;
+}
+
+gsize output_fields_num_fields(output_fields_t* fields)
+{
+ g_assert(fields);
+
+ if(NULL == fields->fields) {
+ return 0;
+ } else {
+ return fields->fields->len;
+ }
+}
+
+void output_fields_free(output_fields_t* fields)
+{
+ g_assert(fields);
+
+ if(NULL != fields->field_indicies) {
+ /* Keys are stored in fields->fields, values are
+ * integers.
+ */
+ g_hash_table_destroy(fields->field_indicies);
+ }
+ if(NULL != fields->fields) {
+ gsize i;
+ for(i = 0; i < fields->fields->len; ++i) {
+ gchar* field = g_ptr_array_index(fields->fields,i);
+ g_free(field);
+ }
+ g_ptr_array_free(fields->fields, TRUE);
+ }
+
+ g_free(fields);
+}
+
+void output_fields_add(output_fields_t* fields, const gchar* field)
+{
+ gchar* field_copy;
+
+ g_assert(fields);
+ g_assert(field);
+
+
+ if(NULL == fields->fields) {
+ fields->fields = g_ptr_array_new();
+ }
+
+ field_copy = g_strdup(field);
+
+ g_ptr_array_add(fields->fields, field_copy);
+}
+
+gboolean output_fields_set_option(output_fields_t* info, gchar* option)
+{
+ const gchar* option_name;
+ const gchar* option_value;
+
+ g_assert(info);
+ g_assert(option);
+
+ if('\0' == *option) {
+ return FALSE; /* Is this guarded against by option parsing? */
+ }
+ option_name = strtok(option,"=");
+ option_value = option + strlen(option_name) + 1;
+ if(0 == strcmp(option_name, "header")) {
+ switch(NULL == option_value ? '\0' : *option_value) {
+ case 'n':
+ info->print_header = FALSE;
+ break;
+ case 'y':
+ info->print_header = TRUE;
+ break;
+ default:
+ return FALSE;
+ }
+ return TRUE;
+ }
+
+ if(0 == strcmp(option_name,"separator")) {
+ switch(NULL == option_value ? '\0' : *option_value) {
+ case '\0':
+ return FALSE;
+ case '/':
+ switch(*++option_value) {
+ case 't':
+ info->separator = '\t';
+ break;
+ case 's':
+ info->separator = ' ';
+ break;
+ default:
+ info->separator = '\\';
+ }
+ break;
+ default:
+ info->separator = *option_value;
+ break;
+ }
+ return TRUE;
+ }
+
+ if(0 == strcmp(option_name, "quote")) {
+ switch(NULL == option_value ? '\0' : *option_value) {
+ default: /* Fall through */
+ case '\0':
+ info->quote='\0';
+ return FALSE;
+ case 'd':
+ info->quote='"';
+ break;
+ case 's':
+ info->quote='\'';
+ break;
+ case 'n':
+ info->quote='\0';
+ break;
+ }
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+void output_fields_list_options(FILE *fh)
+{
+ fprintf(fh, "TShark: The available options for field output \"E\" are:\n");
+ fputs("header=y|n Print field abbreviations as first line of output (def: N: no)\n", fh);
+ fputs("separator=/t|/s|<character> Set the separator to use; \"/t\" = tab,\n \"/s\" = space (def: /t: tab)\n", fh);
+ fputs("quote=d|s|n Print either d: double-quotes, s: single quotes or n: no quotes around field values (def: n: none)\n", fh);
+}
+
+
+void write_fields_preamble(output_fields_t* fields, FILE *fh)
+{
+ gsize i;
+
+ g_assert(fields);
+ g_assert(fh);
+
+ if(!fields->print_header) {
+ return;
+ }
+
+ for(i = 0; i < fields->fields->len; ++i) {
+ const gchar* field = g_ptr_array_index(fields->fields,i);
+ if(i != 0 ) {
+ fputc(fields->separator, fh);
+ }
+ fputs(field, fh);
+ }
+ fputc('\n', fh);
+}
+
+
+
+
+static void proto_tree_get_node_field_values(proto_node *node, gpointer data)
+{
+ write_field_data_t *call_data;
+ field_info *fi;
+ gpointer field_index;
+
+ call_data = data;
+ fi = PITEM_FINFO(node);
+
+ field_index = g_hash_table_lookup(call_data->fields->field_indicies, fi->hfinfo->abbrev);
+ if(NULL != field_index) {
+ const gchar* value;
+
+ value = get_node_field_value(fi, call_data->edt); /* ep_alloced string */
+
+ if(NULL != value && '\0' != *value) {
+ guint actual_index;
+ actual_index = GPOINTER_TO_UINT(field_index);
+ /* Unwrap change made to disambiguiate zero / null */
+ call_data->fields->field_values[actual_index - 1] = value;
+ }
+ }
+
+ /* Recurse here. */
+ if (node->first_child != NULL) {
+ proto_tree_children_foreach(node,
+ proto_tree_get_node_field_values, call_data);
+ }
+}
+
+void proto_tree_write_fields(output_fields_t* fields, epan_dissect_t *edt, FILE *fh)
+{
+ gsize i;
+
+ write_field_data_t data;
+
+ g_assert(fields);
+ g_assert(edt);
+ g_assert(fh);
+
+ data.fields = fields;
+ data.edt = edt;
+
+ if(NULL == fields->field_indicies) {
+ /* Prepare a lookup table from string abbreviation for field to its index. */
+ fields->field_indicies = g_hash_table_new(g_str_hash, g_str_equal);
+
+ i = 0;
+ while( i < fields->fields->len) {
+ gchar* field = g_ptr_array_index(fields->fields, i);
+ /* Store field indicies +1 so that zero is not a valid value,
+ * and can be distinguished from NULL as a pointer.
+ */
+ ++i;
+ g_hash_table_insert(fields->field_indicies, field, GUINT_TO_POINTER(i));
+ }
+ }
+
+ /* Buffer to store values for this packet */
+ fields->field_values = ep_alloc_array0(const gchar*, fields->fields->len);
+
+ proto_tree_children_foreach(edt->tree, proto_tree_get_node_field_values,
+ &data);
+
+ for(i = 0; i < fields->fields->len; ++i) {
+ if(0 != i) {
+ fputc(fields->separator, fh);
+ }
+ if(NULL != fields->field_values[i]) {
+ if(fields->quote != '\0') {
+ fputc(fields->quote, fh);
+ }
+ fputs(fields->field_values[i], fh);
+ if(fields->quote != '\0') {
+ fputc(fields->quote, fh);
+ }
+ }
+ }
+}
+
+void write_fields_finale(output_fields_t* fields _U_ , FILE *fh _U_)
+{
+ /* Nothing to do */
+}
+
+/* Returns an ep_alloced string or a static constant*/
+static const gchar* get_node_field_value(field_info* fi, epan_dissect_t* edt)
+{
+ /* Text label. */
+ if (fi->hfinfo->id == hf_text_only) {
+ /* Get the text */
+ if (fi->rep) {
+ return fi->rep->representation;
+ }
+ else {
+ return get_field_hex_value(edt->pi.data_src, fi);
+ }
+ }
+ /* Uninterpreted data, i.e., the "Data" protocol, is
+ * printed as a field instead of a protocol. */
+ else if (fi->hfinfo->id == proto_data) {
+ return get_field_hex_value(edt->pi.data_src, fi);
+ }
+
+ /* Normal protocols and fields */
+ else {
+ gchar *dfilter_string;
+ gint chop_len;
+
+ switch (fi->hfinfo->type)
+ {
+ case FT_PROTOCOL:
+ /* Print out the full details for the protocol. */
+ if (fi->rep) {
+ return fi->rep->representation;
+ } else {
+ /* Just print out the protocol abbreviation */
+ return fi->hfinfo->abbrev;;
+ }
+ case FT_NONE:
+ return NULL;
+ default:
+ /* XXX - this is a hack until we can just call
+ * fvalue_to_string_repr() for *all* FT_* types. */
+ dfilter_string = proto_construct_match_selected_string(fi,
+ edt);
+ if (dfilter_string != NULL) {
+ chop_len = strlen(fi->hfinfo->abbrev) + 4; /* for " == " */
+
+ /* XXX - Remove double-quotes. Again, once we
+ * can call fvalue_to_string_repr(), we can
+ * ask it not to produce the version for
+ * display-filters, and thus, no
+ * double-quotes. */
+ if (dfilter_string[strlen(dfilter_string)-1] == '"') {
+ dfilter_string[strlen(dfilter_string)-1] = '\0';
+ chop_len++;
+ }
+
+ return &(dfilter_string[chop_len]);
+ } else {
+ return get_field_hex_value(edt->pi.data_src, fi);
+ }
+ }
+ }
+}
+
+static const gchar*
+get_field_hex_value(GSList* src_list, field_info *fi)
+{
+ const guint8 *pd;
+
+ if (fi->length > tvb_length_remaining(fi->ds_tvb, fi->start)) {
+ return "field length invalid!";
+ }
+
+ /* Find the data for this field. */
+ pd = get_field_data(src_list, fi);
+
+ if (pd) {
+ int i;
+ gchar* buffer;
+ gchar* p;
+ int len;
+ const int chars_per_byte = 2;
+
+ len = chars_per_byte * fi->length;
+ buffer = ep_alloc_array(gchar, len + 1);
+ buffer[len] = '\0'; /* Ensure NULL termination in bad cases */
+ p = buffer;
+ /* Print a simple hex dump */
+ for (i = 0 ; i < fi->length; i++) {
+ g_snprintf(p, len, "%02x", pd[i]);
+ p += chars_per_byte;
+ len -= chars_per_byte;
+ }
+ return buffer;
+ } else {
+ return NULL;
+ }
+}
before each new packet */
} print_args_t;
+/*
+ * Print user selected list of fields
+ */
+struct _output_fields;
+typedef struct _output_fields output_fields_t;
+
+extern output_fields_t* output_fields_new();
+extern void output_fields_free(output_fields_t* info);
+extern void output_fields_add(output_fields_t* info, const gchar* field);
+extern gsize output_fields_num_fields(output_fields_t* info);
+extern gboolean output_fields_set_option(output_fields_t* info, gchar* option);
+extern void output_fields_list_options(FILE *fh);
/*
* Higher-level packet-printing code.
*/
extern void proto_tree_write_csv(epan_dissect_t *edt, FILE *fh);
extern void write_csv_finale(FILE *fh);
+extern void write_fields_preamble(output_fields_t* fields, FILE *fh);
+extern void proto_tree_write_fields(output_fields_t* fields, epan_dissect_t *edt, FILE *fh);
+extern void write_fields_finale(output_fields_t* fields, FILE *fh);
+
#endif /* print.h */
*/
typedef enum {
WRITE_TEXT, /* summary or detail text */
- WRITE_XML /* PDML or PSML */
+ WRITE_XML, /* PDML or PSML */
+ WRITE_FIELDS /* User defined list of fields */
/* Add CSV and the like here */
} output_action_e;
static output_action_e output_action;
static print_format_e print_format = PR_FMT_TEXT;
static print_stream_t *print_stream;
+static output_fields_t* output_fields = NULL;
+
/*
* Standard secondary message for unexpected errors.
*/
#endif /* _WIN32 */
#endif /* HAVE_LIBPCAP */
-static int load_cap_file(capture_file *, char *, int);
+static int load_cap_file(capture_file *, char *, int, int, gint64);
static gboolean process_packet(capture_file *cf, gint64 offset,
const struct wtap_pkthdr *whdr, union wtap_pseudo_header *pseudo_header,
const guchar *pd);
fprintf(output, " -V add output of packet tree (Packet Details)\n");
fprintf(output, " -S display packets even when writing to a file\n");
fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
- fprintf(output, " -T pdml|ps|psml|text output format of text output (def: text)\n");
+ fprintf(output, " -T pdml|ps|psml|text|fields\n");
+ fprintf(output, " format of text output (def: text)\n");
+ fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port);\n");
+ fprintf(output, " this option can be repeated to print multiple fields\n");
+ fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
+ fprintf(output, " header=y|n switch headers on and off\n");
+ fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
+ fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
fprintf(output, " -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)\n");
fprintf(output, " -l flush output after each packet\n");
fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
int status;
int optind_initial;
-#define OPTSTRING_INIT "a:b:c:d:Df:F:G:hi:lLnN:o:pqr:R:s:St:T:vVw:xX:y:z:"
+#define OPTSTRING_INIT "a:b:c:d:De:E:f:F:G:hi:lLnN:o:pqr:R:s:St:T:vVw:xX:y:z:"
#ifdef HAVE_LIBPCAP
#ifdef _WIN32
#define OPTSTRING_WIN32 "B:"
/* Print format defaults to this. */
print_format = PR_FMT_TEXT;
+ output_fields = output_fields_new();
+
/* Now get our args */
while ((opt = getopt(argc, argv, optstring)) != -1) {
switch (opt) {
arg_error = TRUE;
#endif
break;
+ case 'e':
+ /* Field entry */
+ output_fields_add(output_fields, optarg);
+ break;
+ case 'E':
+ /* Field option */
+ if(!output_fields_set_option(output_fields, optarg)) {
+ cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
+ output_fields_list_options(stderr);
+ exit(1);
+ }
+ break;
case 'F':
out_file_type = wtap_short_string_to_file_type(optarg);
if (out_file_type < 0) {
} else if (strcmp(optarg, "psml") == 0) {
output_action = WRITE_XML;
verbose = FALSE;
+ } else if(strcmp(optarg, "fields") == 0) {
+ output_action = WRITE_FIELDS;
+ verbose = TRUE; /* Need full tree info */
} else {
cmdarg_err("Invalid -T parameter.");
- cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", or \"psml\".");
+ cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", \"psml\" or \"fields\".");
exit(1);
}
break;
}
}
+ /* If we specified output fields, but not the output field type... */
+ if(WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
+ cmdarg_err("Output fields were specified with \"-e\", "
+ "but \"-Tfields\" was not specified.");
+ exit(1);
+ } else if(WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
+ cmdarg_err("\"-Tfields\" was specified, but no fields were "
+ "specified with \"-e\".");
+
+ exit(1);
+ }
+
/* If no capture filter or read filter has been specified, and there are
still command-line arguments, treat them as the tokens of a capture
filter (if no "-r" flag was specified) or a read filter (if a "-r"
exit(1);
}
} else {
- /* If they didn't specify a "-w" flag, but specified a maximum capture
- file size, tell them that this doesn't work, and exit. */
- if (capture_opts.has_autostop_filesize && capture_opts.save_file == NULL) {
- cmdarg_err("Maximum capture file size specified, but "
- "capture isn't being saved to a file.");
- exit(1);
- }
-
if (cf_name) {
/*
* "-r" was specified, so we're reading a capture file.
"a capture isn't being done.");
exit(1);
}
- if (capture_opts.has_autostop_packets) {
- cmdarg_err("A maximum number of captured packets was specified, but "
- "a capture isn't being done.");
- exit(1);
- }
- if (capture_opts.has_autostop_filesize) {
- cmdarg_err("A maximum capture file size was specified, but "
- "a capture isn't being done.");
- exit(1);
- }
+
+ /* Note: TShark now allows the restriction of a _read_ file by packet count
+ * and byte count as well as a write file. Other autostop options remain valid
+ * only for a write file.
+ */
if (capture_opts.has_autostop_duration) {
cmdarg_err("A maximum capture time was specified, but "
"a capture isn't being done.");
/* Process the packets in the file */
#ifdef HAVE_LIBPCAP
- err = load_cap_file(&cfile, capture_opts.save_file, out_file_type);
+ err = load_cap_file(&cfile, capture_opts.save_file, out_file_type,
+ capture_opts.has_autostop_packets ? capture_opts.autostop_packets : 0,
+ capture_opts.has_autostop_filesize ? capture_opts.autostop_filesize : 0);
#else
err = load_cap_file(&cfile, NULL, out_file_type);
#endif
funnel_dump_all_text_windows();
epan_cleanup();
+ output_fields_free(output_fields);
+ output_fields = NULL;
+
return 0;
}
#endif /* HAVE_LIBPCAP */
static int
-load_cap_file(capture_file *cf, char *save_file, int out_file_type)
+load_cap_file(capture_file *cf, char *save_file, int out_file_type,
+ int max_packet_count, gint64 max_byte_count)
{
gint linktype;
int snapshot_length;
exit(2);
}
}
+ /* Stop reading if we have the maximum number of packets;
+ * note that a zero max_packet_count will never be matched
+ * (unless we roll over the packet number?)
+ */
+ if(max_packet_count == cf->count || (max_byte_count != 0 && data_offset >= max_byte_count)) {
+ err = 0; /* This is not an error */
+ break;
+ }
}
}
if (err != 0) {
write_psml_preamble(stdout);
return !ferror(stdout);
+ case WRITE_FIELDS:
+ write_fields_preamble(output_fields, stdout);
+ return !ferror(stdout);
+
default:
g_assert_not_reached();
return FALSE;
proto_tree_write_pdml(edt, stdout);
printf("\n");
return !ferror(stdout);
+ case WRITE_FIELDS:
+ proto_tree_write_fields(output_fields, edt, stdout);
+ printf("\n");
+ return !ferror(stdout);
}
} else {
/* Just fill in the columns. */
case WRITE_XML:
proto_tree_write_psml(edt, stdout);
return !ferror(stdout);
+ case WRITE_FIELDS: /*No non-verbose "fields" format */
+ g_assert_not_reached();
+ break;
}
}
if (print_hex) {
write_psml_finale(stdout);
return !ferror(stdout);
+ case WRITE_FIELDS:
+ write_fields_finale(output_fields, stdout);
+ return !ferror(stdout);
+
default:
g_assert_not_reached();
return FALSE;
git.samba.org / obnox / wireshark / wip.git / commitdiff