S<[ B<-o> E<lt>preference settingE<gt> ] ...>
S<[ B<-r> E<lt>infile or pipeE<gt> ]>
S<[ B<-R> E<lt>read (display) filterE<gt> ]>
+S<[ B<-s> ]>
S<[ B<-S> E<lt>field formatE<gt> ]>
S<[ B<-t> ad|a|r|d|e ]>
S<[ B<-v> ]>
matches the pcap_pkthdr struct and packet data used in libpcap.
struct rawshark_rec_s {
- struct timeval ts; /* Time stamp */
+ uint32_t ts_sec; /* Time stamp (seconds) */
+ uint32_t ts_usec; /* Time stamp (microseconds) */
uint32_t caplen; /* Length of the packet buffer */
uint32_t len; /* "On the wire" length of the packet */
uint8_t *data; /* Packet data */
=item -R E<lt>read (display) filterE<gt>
Cause the specified filter (which uses the syntax of read/display filters,
-rather than that of capture filters) to be applied before printing the output. Packets not
-matching the filter are discarded rather than being printed or written.
+rather than that of capture filters) to be applied before printing the output.
-=item -s E<lt>capture snaplenE<gt>
+=item -s
-Set the default snapshot length to use when capturing live data.
-No more than I<snaplen> bytes of each network packet will be read into
-memory, or saved to disk. A value of 0 specifies a snapshot length of
-65535, so that the full packet is captured; this is the default.
+Allows standard pcap files to be used as input, by skipping over the 24
+byte pcap file header.
=item -S
fprintf(output, "Processing:\n");
fprintf(output, " -R <read filter> packet filter in Wireshark display filter syntax\n");
fprintf(output, " -F <field> field to display\n");
+ fprintf(output, " -s skip PCAP header on input\n");
fprintf(output, " -n disable all name resolution (def: all enabled)\n");
fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
fprintf(output, " -d <encap:dlt>|<proto:protoname>\n");
GLogLevelFlags log_flags;
GPtrArray *disp_fields = g_ptr_array_new();
guint fc;
+ gboolean skip_pcap_header = FALSE;
- #define OPTSTRING_INIT "d:F:hlnN:o:r:R:S:t:v"
+ #define OPTSTRING_INIT "d:F:hlnN:o:r:R:sS:t:v"
static const char optstring[] = OPTSTRING_INIT;
exit(1);
}
break;
+ case 's': /* Skip PCAP header */
+ skip_pcap_header = TRUE;
+ break;
case 'S': /* Print string representations */
if (!parse_field_string_format(optarg)) {
cmdarg_err("Invalid field string format");
}
}
+ /* Notify all registered modules that have had any of their preferences
+ changed either from one of the preferences file or from the command
+ line that their preferences have changed.
+ Initialize preferences before display filters, otherwise modules
+ like MATE won't work. */
+ prefs_apply_all();
+
/* Initialize our display fields */
for (fc = 0; fc < disp_fields->len; fc++) {
protocolinfo_init(g_ptr_array_index(disp_fields, fc));
WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
#endif /* _WIN32 */
- /* Notify all registered modules that have had any of their preferences
- changed either from one of the preferences file or from the command
- line that their preferences have changed. */
- prefs_apply_all();
-
/* At this point MATE will have registered its field array so we can
have a tap filter with one of MATE's late-registered fields as part
of the filter. We can now process all the "-z" arguments. */
exit(2);
}
+ /* Do we need to PCAP header and magic? */
+ if (skip_pcap_header) {
+ guint bytes_left = sizeof(struct pcap_hdr) + sizeof(guint32);
+ gchar buf[sizeof(struct pcap_hdr) + sizeof(guint32)];
+ while (bytes_left > 0) {
+ guint bytes = read(fd, buf, bytes_left);
+ if (bytes <= 0) {
+ cmdarg_err("Not enough bytes for pcap header.");
+ exit(2);
+ }
+ bytes_left -= bytes;
+ }
+ }
+
/* Set timestamp precision; there should arguably be a command-line
option to let the user set this. */
#if 0
*/
static gboolean
raw_pipe_read(struct wtap_pkthdr *phdr, guchar * pd, int *err, gchar **err_info, gint64 *data_offset) {
- struct pcap_pkthdr hdr;
+ struct pcaprec_hdr hdr;
int bytes_read = 0;
- int bytes_needed = sizeof(struct pcap_pkthdr);
+ int bytes_needed = sizeof(struct pcaprec_hdr);
+ guchar *ptr = (guchar*)&hdr;
static gchar err_str[100];
/* Copied from capture_loop.c */
while (bytes_needed > 0) {
- bytes_read = read(fd, &hdr, bytes_needed);
+ bytes_read = read(fd, ptr, bytes_needed);
if (bytes_read == 0) {
*err = 0;
return FALSE;
}
bytes_needed -= bytes_read;
*data_offset += bytes_read;
+ ptr += bytes_read;
}
bytes_read = 0;
- phdr->ts.secs = hdr.ts.tv_sec;
- phdr->ts.nsecs = hdr.ts.tv_usec * 1000;
- phdr->caplen = bytes_needed = hdr.caplen;
- phdr->len = hdr.len;
+ phdr->ts.secs = hdr.ts_sec;
+ phdr->ts.nsecs = hdr.ts_usec * 1000;
+ phdr->caplen = bytes_needed = hdr.incl_len;
+ phdr->len = hdr.orig_len;
phdr->pkt_encap = encap;
#if 0
return FALSE;
}
+ ptr = pd;
while (bytes_needed > 0) {
- bytes_read = read(fd, pd, bytes_needed);
+ bytes_read = read(fd, ptr, bytes_needed);
if (bytes_read == 0) {
*err = WTAP_ERR_SHORT_READ;
*err_info = "Got zero bytes reading data from pipe";
}
bytes_needed -= bytes_read;
*data_offset += bytes_read;
+ ptr += bytes_read;
}
return TRUE;
}