2 * Routines for printing packet analysis trees.
4 * Gilbert Ramirez <gram@alumni.rice.edu>
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
30 #include <epan/packet.h>
31 #include <epan/epan.h>
32 #include <epan/epan_dissect.h>
33 #include <epan/to_str.h>
34 #include <epan/expert.h>
35 #include <epan/packet-range.h>
36 #include <epan/prefs.h>
37 #include <epan/print.h>
38 #include <epan/charsets.h>
39 #include <wsutil/filesystem.h>
40 #include <ws_version_info.h>
41 #include <wsutil/utf8_entities.h>
42 #include <ftypes/ftypes-int.h>
44 #define PDML_VERSION "0"
45 #define PSML_VERSION "0"
49 print_stream_t *stream;
52 print_dissections_e print_dissections;
53 gboolean print_hex_for_data;
54 packet_char_enc encoding;
55 GHashTable *output_only_tables; /* output only these protocols */
74 output_fields_t *fields;
78 struct _output_fields {
80 gboolean print_header;
85 GHashTable *field_indicies;
86 GPtrArray **field_values;
88 gboolean includes_col_fields;
91 static gchar *get_field_hex_value(GSList *src_list, field_info *fi);
92 static void proto_tree_print_node(proto_node *node, gpointer data);
93 static void proto_tree_write_node_pdml(proto_node *node, gpointer data);
94 static void proto_tree_write_node_json(proto_node *node, gpointer data);
95 static void proto_tree_write_node_ek(proto_node *node, gpointer data);
96 static const guint8 *get_field_data(GSList *src_list, field_info *fi);
97 static void pdml_write_field_hex_value(write_pdml_data *pdata, field_info *fi);
98 static void json_write_field_hex_value(write_json_data *pdata, field_info *fi);
99 static gboolean print_hex_data_buffer(print_stream_t *stream, const guchar *cp,
100 guint length, packet_char_enc encoding);
101 static void write_specified_fields(fields_format format,
102 output_fields_t *fields,
103 epan_dissect_t *edt, column_info *cinfo,
105 static void print_escaped_xml(FILE *fh, const char *unescaped_string);
106 static void print_escaped_json(FILE *fh, const char *unescaped_string);
107 static void print_escaped_ek(FILE *fh, const char *unescaped_string);
109 static void print_pdml_geninfo(epan_dissect_t *edt, FILE *fh);
111 static void proto_tree_get_node_field_values(proto_node *node, gpointer data);
113 static gboolean json_is_first;
115 /* Cache the protocols and field handles that the print functionality needs
116 This helps break explicit dependency on the dissectors. */
117 static int proto_data = -1;
118 static int proto_frame = -1;
119 static int hf_frame_arrival_time = -1;
120 static int hf_frame_number = -1;
121 static int hf_frame_len = -1;
122 static int hf_frame_capture_len = -1;
/* Look up the "Data" and "Frame" protocols and the frame.time, frame.number,
 * frame.len and frame.cap_len fields by name, and cache their ids in the
 * file-scope handles that the writers in this file compare against.
 * NOTE(review): the ids are stored without a check; confirm what the lookups
 * return for an unregistered name and that this runs before any writer uses
 * the handles. */
124 void print_cache_field_handles(void)
126 proto_data = proto_get_id_by_short_name("Data");
127 proto_frame = proto_get_id_by_short_name("Frame");
128 hf_frame_arrival_time = proto_registrar_get_id_byname("frame.time");
129 hf_frame_number = proto_registrar_get_id_byname("frame.number");
130 hf_frame_len = proto_registrar_get_id_byname("frame.len");
131 hf_frame_capture_len = proto_registrar_get_id_byname("frame.cap_len");
/* Print one packet's dissection tree as text on a print stream.
 * print_args supplies the dissection level and the hex option, edt the
 * dissected packet, output_only_tables the table of protocols to restrict
 * the output to (it is only consulted when non-NULL), and stream the
 * destination. */
135 proto_tree_print(print_args_t *print_args, epan_dissect_t *edt,
136 GHashTable *output_only_tables, print_stream_t *stream)
140 /* Create the output */
142 data.stream = stream;
/* Data sources and character encoding come from the packet being printed. */
144 data.src_list = edt->pi.data_src;
145 data.encoding = (packet_char_enc)edt->pi.fd->flags.encoding;
146 data.print_dissections = print_args->print_dissections;
147 /* If we're printing the entire packet in hex, don't
148 print uninterpreted data fields in hex as well. */
149 data.print_hex_for_data = !print_args->print_hex;
150 data.output_only_tables = output_only_tables;
/* Visit every top-level node with proto_tree_print_node. */
152 proto_tree_children_foreach(edt->tree, proto_tree_print_node, &data);
/* Tree-walk callback for the text output: prints the node's label as one
 * line, dumps the node in hex when it is the "Data" protocol, and visits
 * the children when the dissection level asks for it.
 * `data` is the print_data context; its success flag records print errors. */
156 /* Print a tree's data, and any child nodes. */
158 proto_tree_print_node(proto_node *node, gpointer data)
160 field_info *fi = PNODE_FINFO(node);
161 print_data *pdata = (print_data*) data;
/* Scratch buffer for a generated label; proto_item_fill_label() is given no
 * size, so it presumably assumes ITEM_LABEL_LENGTH bytes (TODO confirm). */
163 gchar label_str[ITEM_LABEL_LENGTH];
166 /* dissection with an invisible proto tree? */
169 /* Don't print invisible entries. */
170 if (PROTO_ITEM_IS_HIDDEN(node) && (prefs.display_hidden_proto_items == FALSE))
173 /* Give up if we've already gotten an error. */
177 /* was a free format label produced? */
179 label_ptr = fi->rep->representation;
181 else { /* no, make a generic label */
182 label_ptr = label_str;
183 proto_item_fill_label(fi, label_str);
/* Generated items are shown in brackets. g_strconcat() allocates a new
 * string; the second PROTO_ITEM_IS_GENERATED test below is presumably where
 * it is released (that statement is not visible in this listing). */
186 if (PROTO_ITEM_IS_GENERATED(node))
187 label_ptr = g_strconcat("[", label_ptr, "]", NULL);
189 pdata->success = print_line(pdata->stream, pdata->level, label_ptr);
191 if (PROTO_ITEM_IS_GENERATED(node))
198 * If -O is specified, only display the protocols which are in the
199 * lookup table. Only check on the first level: once we start printing
200 * a tree, print the rest of the subtree. Otherwise we won't print
201 * subitems whose abbreviation doesn't match the protocol--for example
202 * text items (whose abbreviation is simply "text").
204 if ((pdata->output_only_tables != NULL) && (pdata->level == 0)
205 && (g_hash_table_lookup(pdata->output_only_tables, fi->hfinfo->abbrev) == NULL)) {
209 /* If it's uninterpreted data, dump it (unless our caller will
210 be printing the entire packet in hex). */
211 if ((fi->hfinfo->id == proto_data) && (pdata->print_hex_for_data)) {
213 * Find the data for this field.
/* NOTE(review): get_field_data() clamps the length it requests to the
 * captured bytes and is documented to return NULL when the data is out of
 * bounds. The hex dump below is still given fi->length; confirm that a
 * guard on pd and on the length exists in the lines not shown here. */
215 pd = get_field_data(pdata->src_list, fi);
217 if (!print_line(pdata->stream, 0, "")) {
218 pdata->success = FALSE;
221 if (!print_hex_data_buffer(pdata->stream, pd,
222 fi->length, pdata->encoding)) {
223 pdata->success = FALSE;
229 /* If we're printing all levels, or if this node is one with a
230 subtree and its subtree is expanded, recurse into the subtree,
232 g_assert((fi->tree_type >= -1) && (fi->tree_type < num_tree_types));
233 if ((pdata->print_dissections == print_dissections_expanded) ||
234 ((pdata->print_dissections == print_dissections_as_displayed) &&
235 (fi->tree_type >= 0) && tree_expanded(fi->tree_type))) {
236 if (node->first_child != NULL) {
238 proto_tree_children_foreach(node,
239 proto_tree_print_node, pdata);
247 #define PDML2HTML_XSL "pdml2html.xsl"
/* Write the start of a PDML document to fh: the XML declaration, the
 * stylesheet processing instruction, a comment saying where the stylesheet
 * can be found, and the opening <pdml> element with its version, creator,
 * time and capture_file attributes. */
249 write_pdml_preamble(FILE *fh, const gchar *filename)
251 time_t t = time(NULL);
252 struct tm * timeinfo;
256 /* Create the output */
/* localtime() and asctime() return pointers to static storage, so the result
 * is only valid until the next call and is not safe across threads. */
257 timeinfo = localtime(&t);
258 if (timeinfo != NULL) {
259 fmt_ts = asctime(timeinfo);
260 fmt_ts[strlen(fmt_ts)-1] = 0; /* overwrite \n */
/* Fallback text, presumably used when localtime() failed (the else line is
 * not visible in this listing). */
263 ts = "Not representable";
265 fprintf(fh, "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n");
266 fprintf(fh, "<?xml-stylesheet type=\"text/xsl\" href=\"" PDML2HTML_XSL "\"?>\n");
/* NOTE(review): the data-file directory is written into an XML comment
 * without escaping; a path containing "--" would make that comment
 * ill-formed. Confirm whether that can occur. */
267 fprintf(fh, "<!-- You can find " PDML2HTML_XSL " in %s or at https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=" PDML2HTML_XSL ". -->\n", get_datafile_dir());
/* PACKAGE, VERSION and ts go into attribute values as-is; only the file name
 * below is passed through print_escaped_xml(). */
268 fprintf(fh, "<pdml version=\"" PDML_VERSION "\" creator=\"%s/%s\" time=\"%s\" capture_file=\"", PACKAGE, VERSION, ts);
270 /* \todo filename should be converted to UTF-8. */
271 print_escaped_xml(fh, filename);
273 fprintf(fh, "\">\n");
/* Begin a JSON output on fh. Sets the file-scope flag json_is_first, which
 * write_json_proto_tree() clears again.
 * NOTE(review): the flag is shared file-scope state, so presumably only one
 * JSON output can be in progress at a time; confirm. */
277 write_json_preamble(FILE *fh)
280 json_is_first = TRUE;
283 /* Check whether str matches an entry of protocolfilter. The filter comes from a
284 space-delimited string (json_filter); str must match one of its values exactly. */
/* protocolfilter is walked until its first NULL entry and compared with
 * strcmp(), so the match is case-sensitive and there is no prefix or
 * wildcard matching. A NULL str or a NULL filter is handled before the loop. */
285 static gboolean check_protocolfilter(gchar **protocolfilter, const char *str)
287 gboolean res = FALSE;
290 if (str == NULL || protocolfilter == NULL) {
294 for (ptr = protocolfilter; *ptr; ptr++) {
295 if (strcmp(*ptr, str) == 0) {
/* Write one packet as a PDML <packet> element on fh.
 * With no field selection (fields or fields->fields is NULL) the whole tree
 * is written through proto_tree_write_node_pdml, with protocolfilter passed
 * on as the node filter; otherwise only the selected fields are written. */
305 write_pdml_proto_tree(output_fields_t* fields, gchar **protocolfilter, epan_dissect_t *edt, FILE *fh)
307 write_pdml_data data;
312 /* Create the output */
313 fprintf(fh, "<packet>\n");
315 /* Print a "geninfo" protocol as required by PDML */
316 print_pdml_geninfo(edt, fh);
318 if (fields == NULL || fields->fields == NULL) {
319 /* Write out all fields */
322 data.src_list = edt->pi.data_src;
323 data.filter = protocolfilter;
325 proto_tree_children_foreach(edt->tree, proto_tree_write_node_pdml,
328 /* Write out specified fields */
329 write_specified_fields(FORMAT_XML, fields, edt, NULL, fh);
332 fprintf(fh, "</packet>\n\n");
/* Write one packet as a JSON object on fh, with the "_index", "_type",
 * "_score" and "_source"/"layers" members.
 * With no field selection the whole tree is written through
 * proto_tree_write_node_json; otherwise only the selected fields are. */
336 write_json_proto_tree(output_fields_t* fields, print_args_t *print_args, gchar **protocolfilter, epan_dissect_t *edt, FILE *fh)
338 write_json_data data;
/* The index name is built from the local date at the time of writing, not
 * from the packet's capture time. */
340 time_t t = time(NULL);
341 struct tm * timeinfo;
346 /* Create the output */
347 timeinfo = localtime(&t);
/* Both writes into ts are bounded by sizeof ts (ts is declared on a line
 * not visible in this listing). */
348 if (timeinfo != NULL)
349 strftime(ts, sizeof ts, "%Y-%m-%d", timeinfo);
351 g_strlcpy(ts, "XXXX-XX-XX", sizeof ts); /* XXX - better way of saying "Not representable"? */
/* File-scope flag set by write_json_preamble(); the statements that test it
 * are not visible here. */
356 json_is_first = FALSE;
359 fprintf(fh, " \"_index\": \"packets-%s\",\n", ts);
360 fputs(" \"_type\": \"pcap_file\",\n", fh);
361 fputs(" \"_score\": null,\n", fh);
362 fputs(" \"_source\": {\n", fh);
363 fputs(" \"layers\": {\n", fh);
365 if (fields == NULL || fields->fields == NULL) {
366 /* Write out all fields */
369 data.src_list = edt->pi.data_src;
370 data.filter = protocolfilter;
371 data.print_hex = print_args->print_hex;
373 proto_tree_children_foreach(edt->tree, proto_tree_write_node_json,
376 /* Write out specified fields */
377 write_specified_fields(FORMAT_JSON, fields, edt, NULL, fh);
/* Write one packet in the two-line form used for Elasticsearch bulk input:
 * an "index" action line, then a line holding "timestamp" and "layers".
 * With no field selection the whole tree is written through
 * proto_tree_write_node_ek; otherwise only the selected fields are. */
387 write_ek_proto_tree(output_fields_t* fields, print_args_t *print_args, gchar **protocolfilter, epan_dissect_t *edt, FILE *fh)
389 write_json_data data;
/* The index name uses the local date at the time of writing; the
 * "timestamp" member below uses the packet's own absolute time. */
391 time_t t = time(NULL);
397 /* Create the output */
398 timeinfo = localtime(&t);
/* Both writes into ts are bounded by sizeof ts (ts is declared on a line
 * not visible in this listing). */
399 if (timeinfo != NULL)
400 strftime(ts, sizeof ts, "%Y-%m-%d", timeinfo);
402 g_strlcpy(ts, "XXXX-XX-XX", sizeof ts); /* XXX - better way of saying "Not representable"? */
404 fprintf(fh, "{\"index\" : {\"_index\": \"packets-%s\", \"_type\": \"pcap_file\", \"_score\": null}}\n", ts);
405 /* Timestamp added for time indexing in Elasticsearch */
/* Seconds followed by a zero-padded three-digit millisecond part
 * (nsecs / 1000000), written as a single string of digits. */
406 fprintf(fh, "{\"timestamp\" : \"%" G_GUINT64_FORMAT "%03d\", \"layers\" : {", (guint64)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs/1000000);
408 if (fields == NULL || fields->fields == NULL) {
409 /* Write out all fields */
412 data.src_list = edt->pi.data_src;
413 data.filter = protocolfilter;
414 data.print_hex = print_args->print_hex;
416 proto_tree_children_foreach(edt->tree, proto_tree_write_node_ek,
419 /* Write out specified fields */
420 write_specified_fields(FORMAT_EK, fields, edt, NULL, fh);
/* Write the selected fields of one packet on fh by delegating to
 * write_specified_fields() with FORMAT_CSV; cinfo is passed through for the
 * column-based fields. */
427 write_fields_proto_tree(output_fields_t* fields, epan_dissect_t *edt, column_info *cinfo, FILE *fh)
432 /* Create the output */
433 write_specified_fields(FORMAT_CSV, fields, edt, cinfo, fh);
436 /* Write out a tree's data, and any child nodes, as PDML */
438 proto_tree_write_node_pdml(proto_node *node, gpointer data)
440 field_info *fi = PNODE_FINFO(node);
441 write_pdml_data *pdata = (write_pdml_data*) data;
442 const gchar *label_ptr;
443 gchar label_str[ITEM_LABEL_LENGTH];
444 char *dfilter_string;
446 gboolean wrap_in_fake_protocol;
448 /* dissection with an invisible proto tree? */
451 /* Will wrap up top-level field items inside a fake protocol wrapper to
452 preserve the PDML schema */
453 wrap_in_fake_protocol =
454 (((fi->hfinfo->type != FT_PROTOCOL) ||
455 (fi->hfinfo->id == proto_data)) &&
456 (pdata->level == 0));
458 /* Indent to the correct level */
459 for (i = -1; i < pdata->level; i++) {
460 fputs(" ", pdata->fh);
463 if (wrap_in_fake_protocol) {
464 /* Open fake protocol wrapper */
465 fputs("<proto name=\"fake-field-wrapper\">\n", pdata->fh);
467 /* Indent to increased level before writing out field */
469 for (i = -1; i < pdata->level; i++) {
470 fputs(" ", pdata->fh);
474 /* Text label. It's printed as a field with no name. */
475 if (fi->hfinfo->id == hf_text_only) {
478 label_ptr = fi->rep->representation;
484 /* Show empty name since it is a required field */
485 fputs("<field name=\"", pdata->fh);
486 fputs("\" show=\"", pdata->fh);
487 print_escaped_xml(pdata->fh, label_ptr);
489 fprintf(pdata->fh, "\" size=\"%d", fi->length);
490 if (node->parent && node->parent->finfo && (fi->start < node->parent->finfo->start)) {
491 fprintf(pdata->fh, "\" pos=\"%d", node->parent->finfo->start + fi->start);
493 fprintf(pdata->fh, "\" pos=\"%d", fi->start);
496 if (fi->length > 0) {
497 fputs("\" value=\"", pdata->fh);
498 pdml_write_field_hex_value(pdata, fi);
501 if (node->first_child != NULL) {
502 fputs("\">\n", pdata->fh);
505 fputs("\"/>\n", pdata->fh);
509 /* Uninterpreted data, i.e., the "Data" protocol, is
510 * printed as a field instead of a protocol. */
511 else if (fi->hfinfo->id == proto_data) {
512 /* Write out field with data */
513 fputs("<field name=\"data\" value=\"", pdata->fh);
514 pdml_write_field_hex_value(pdata, fi);
515 fputs("\">\n", pdata->fh);
517 /* Normal protocols and fields */
519 if ((fi->hfinfo->type == FT_PROTOCOL) && (fi->hfinfo->id != proto_expert)) {
520 fputs("<proto name=\"", pdata->fh);
523 fputs("<field name=\"", pdata->fh);
525 print_escaped_xml(pdata->fh, fi->hfinfo->abbrev);
529 * http://www.nbee.org/doku.php?id=netpdl:pdml_specification
531 * the show fields contains things in 'human readable' format
532 * showname: contains only the name of the field
533 * show: contains only the data of the field
534 * showdtl: contains additional details of the field data
535 * showmap: contains mappings of the field data (e.g. the hostname to an IP address)
537 * XXX - the showname shouldn't contain the field data itself
538 * (like it's contained in the fi->rep->representation).
539 * Unfortunately, we don't have the field data representation for
540 * all fields, so this isn't currently possible */
541 fputs("\" showname=\"", pdata->fh);
542 print_escaped_xml(pdata->fh, fi->hfinfo->name);
546 fputs("\" showname=\"", pdata->fh);
547 print_escaped_xml(pdata->fh, fi->rep->representation);
550 label_ptr = label_str;
551 proto_item_fill_label(fi, label_str);
552 fputs("\" showname=\"", pdata->fh);
553 print_escaped_xml(pdata->fh, label_ptr);
556 if (PROTO_ITEM_IS_HIDDEN(node) && (prefs.display_hidden_proto_items == FALSE))
557 fprintf(pdata->fh, "\" hide=\"yes");
559 fprintf(pdata->fh, "\" size=\"%d", fi->length);
560 if (node->parent && node->parent->finfo && (fi->start < node->parent->finfo->start)) {
561 fprintf(pdata->fh, "\" pos=\"%d", node->parent->finfo->start + fi->start);
563 fprintf(pdata->fh, "\" pos=\"%d", fi->start);
565 /* fprintf(pdata->fh, "\" id=\"%d", fi->hfinfo->id);*/
567 /* show, value, and unmaskedvalue attributes */
568 switch (fi->hfinfo->type)
573 fputs("\" show=\"\" value=\"", pdata->fh);
576 dfilter_string = fvalue_to_string_repr(NULL, &fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
577 if (dfilter_string != NULL) {
579 fputs("\" show=\"", pdata->fh);
580 print_escaped_xml(pdata->fh, dfilter_string);
582 wmem_free(NULL, dfilter_string);
585 * XXX - should we omit "value" for any fields?
586 * What should we do for fields whose length is 0?
587 * They might come from a pseudo-header or from
588 * the capture header (e.g., time stamps), or
589 * they might be generated fields.
591 if (fi->length > 0) {
592 fputs("\" value=\"", pdata->fh);
594 if (fi->hfinfo->bitmask!=0) {
595 switch (fi->value.ftype->ftype) {
600 fprintf(pdata->fh, "%X", (guint) fvalue_get_sinteger(&fi->value));
606 fprintf(pdata->fh, "%X", fvalue_get_uinteger(&fi->value));
612 fprintf(pdata->fh, "%" G_GINT64_MODIFIER "X", fvalue_get_sinteger64(&fi->value));
619 fprintf(pdata->fh, "%" G_GINT64_MODIFIER "X", fvalue_get_uinteger64(&fi->value));
622 g_assert_not_reached();
624 fputs("\" unmaskedvalue=\"", pdata->fh);
625 pdml_write_field_hex_value(pdata, fi);
628 pdml_write_field_hex_value(pdata, fi);
633 if (node->first_child != NULL) {
634 fputs("\">\n", pdata->fh);
636 else if (fi->hfinfo->id == proto_data) {
637 fputs("\">\n", pdata->fh);
640 fputs("\"/>\n", pdata->fh);
644 /* We print some levels for PDML. Recurse here. */
645 if (node->first_child != NULL) {
646 if (pdata->filter == NULL || check_protocolfilter(pdata->filter, fi->hfinfo->abbrev)) {
648 proto_tree_children_foreach(node,
649 proto_tree_write_node_pdml, pdata);
652 /* Indent to the correct level */
653 for (i = -2; i < pdata->level; i++) {
654 fputs(" ", pdata->fh);
656 /* print dummy field */
657 fputs("<field name=\"filtered\" value=\"", pdata->fh);
658 print_escaped_xml(pdata->fh, fi->hfinfo->abbrev);
659 fputs("\" />\n", pdata->fh);
663 /* Take back the extra level we added for fake wrapper protocol */
664 if (wrap_in_fake_protocol) {
668 if (node->first_child != NULL) {
669 /* Indent to correct level */
670 for (i = -1; i < pdata->level; i++) {
671 fputs(" ", pdata->fh);
673 /* Close off current element */
674 /* Data and expert "protocols" use simple tags */
675 if ((fi->hfinfo->id != proto_data) && (fi->hfinfo->id != proto_expert)) {
676 if (fi->hfinfo->type == FT_PROTOCOL) {
677 fputs("</proto>\n", pdata->fh);
680 fputs("</field>\n", pdata->fh);
683 fputs("</field>\n", pdata->fh);
687 /* Close off fake wrapper protocol */
688 if (wrap_in_fake_protocol) {
689 fputs("</proto>\n", pdata->fh);
694 /* Write out a tree's data, and any child nodes, as JSON */
696 proto_tree_write_node_json(proto_node *node, gpointer data)
698 field_info *fi = PNODE_FINFO(node);
699 write_json_data *pdata = (write_json_data*) data;
700 const gchar *label_ptr;
701 gchar label_str[ITEM_LABEL_LENGTH];
702 char *dfilter_string;
705 /* dissection with an invisible proto tree? */
708 /* Indent to the correct level */
709 for (i = -3; i < pdata->level; i++) {
710 fputs(" ", pdata->fh);
713 /* Text label. It's printed as a field with no name. */
714 if (fi->hfinfo->id == hf_text_only) {
717 label_ptr = fi->rep->representation;
723 /* Show empty name since it is a required field */
724 fputs("\"", pdata->fh);
725 print_escaped_json(pdata->fh, label_ptr);
727 if (node->first_child != NULL) {
728 fputs("\": {\n", pdata->fh);
731 if (node->next == NULL) {
732 fputs("\": \"\"\n", pdata->fh);
734 fputs("\": \"\",\n", pdata->fh);
739 /* Normal protocols and fields */
744 if (pdata->print_hex && fi->length > 0) {
745 fputs("\"", pdata->fh);
746 print_escaped_json(pdata->fh, fi->hfinfo->abbrev);
747 fputs("_raw", pdata->fh);
748 fputs("\": \"", pdata->fh);
750 if (fi->hfinfo->bitmask!=0) {
751 switch (fi->value.ftype->ftype) {
756 fprintf(pdata->fh, "%X", (guint) fvalue_get_sinteger(&fi->value));
762 fprintf(pdata->fh, "%X", fvalue_get_uinteger(&fi->value));
768 fprintf(pdata->fh, "%" G_GINT64_MODIFIER "X", fvalue_get_sinteger64(&fi->value));
775 fprintf(pdata->fh, "%" G_GINT64_MODIFIER "X", fvalue_get_uinteger64(&fi->value));
778 g_assert_not_reached();
780 fputs("\",\n", pdata->fh);
783 json_write_field_hex_value(pdata, fi);
784 fputs("\",\n", pdata->fh);
787 /* Indent to the correct level */
788 for (i = -3; i < pdata->level; i++) {
789 fputs(" ", pdata->fh);
794 fputs("\"", pdata->fh);
796 print_escaped_json(pdata->fh, fi->hfinfo->abbrev);
798 /* show, value, and unmaskedvalue attributes */
799 switch (fi->hfinfo->type)
802 if (node->first_child != NULL) {
803 fputs("\": {\n", pdata->fh);
805 fputs("\": \"", pdata->fh);
807 print_escaped_json(pdata->fh, fi->rep->representation);
810 label_ptr = label_str;
811 proto_item_fill_label(fi, label_str);
812 print_escaped_json(pdata->fh, label_ptr);
814 if (node->next == NULL) {
815 fputs("\"\n", pdata->fh);
817 fputs("\",\n", pdata->fh);
822 if (node->first_child != NULL) {
823 fputs("\": {\n", pdata->fh);
825 if (node->next == NULL) {
826 fputs("\": \"\"\n", pdata->fh);
828 fputs("\": \"\",\n", pdata->fh);
833 dfilter_string = fvalue_to_string_repr(NULL, &fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
834 if (dfilter_string != NULL) {
835 fputs("\": \"", pdata->fh);
836 print_escaped_json(pdata->fh, dfilter_string);
837 if (node->first_child != NULL) {
838 fputs("\",\n", pdata->fh);
839 /* Indent to the correct level */
840 for (i = -3; i < pdata->level; i++) {
841 fputs(" ", pdata->fh);
843 fputs("\"", pdata->fh);
844 print_escaped_json(pdata->fh, fi->hfinfo->abbrev);
845 fputs("_tree\": {\n", pdata->fh);
848 wmem_free(NULL, dfilter_string);
850 if (node->first_child == NULL) {
851 if (node->next == NULL) {
852 fputs("\"\n", pdata->fh);
854 fputs("\",\n", pdata->fh);
861 /* We print some levels for JSON. Recurse here. */
862 if (node->first_child != NULL) {
863 if (pdata->filter == NULL || check_protocolfilter(pdata->filter, fi->hfinfo->abbrev)) {
865 proto_tree_children_foreach(node, proto_tree_write_node_json, pdata);
868 /* Indent to the correct level */
869 for (i = -4; i < pdata->level; i++) {
870 fputs(" ", pdata->fh);
872 /* print dummy field */
873 fputs("\"filtered\": \"", pdata->fh);
874 print_escaped_json(pdata->fh, fi->hfinfo->abbrev);
875 fputs("\"\n", pdata->fh);
879 if (node->first_child != NULL) {
880 /* Indent to correct level */
881 for (i = -3; i < pdata->level; i++) {
882 fputs(" ", pdata->fh);
884 /* Close off current element */
885 if (node->next == NULL) {
886 fputs("}\n", pdata->fh);
888 fputs("},\n", pdata->fh);
893 /* Write out a tree's data, and any child nodes, as JSON for EK */
895 proto_tree_write_node_ek(proto_node *node, gpointer data)
897 field_info *fi = PNODE_FINFO(node);
898 field_info *fi_parent = PNODE_FINFO(node->parent);
899 write_json_data *pdata = (write_json_data*) data;
900 const gchar *label_ptr;
901 gchar label_str[ITEM_LABEL_LENGTH];
902 char *dfilter_string;
904 gchar *abbrev_escaped = NULL;
906 /* dissection with an invisible proto tree? */
909 /* Text label. It's printed as a field with no name. */
910 if (fi->hfinfo->id == hf_text_only) {
913 label_ptr = fi->rep->representation;
919 /* Show empty name since it is a required field */
920 fputs("\"", pdata->fh);
921 if (fi_parent != NULL) {
922 print_escaped_ek(pdata->fh, fi_parent->hfinfo->abbrev);
923 fputs("_", pdata->fh);
925 print_escaped_ek(pdata->fh, fi->hfinfo->abbrev);
927 if (node->first_child != NULL) {
928 fputs("\": \"", pdata->fh);
929 print_escaped_json(pdata->fh, label_ptr);
930 fputs("\",", pdata->fh);
934 if (node->next == NULL) {
935 fputs("\": \"", pdata->fh);
936 print_escaped_json(pdata->fh, label_ptr);
937 fputs("\"", pdata->fh);
939 fputs("\": \"", pdata->fh);
940 print_escaped_json(pdata->fh, label_ptr);
941 fputs("\",", pdata->fh);
946 /* Normal protocols and fields */
951 if (pdata->print_hex && fi->length > 0) {
952 fputs("\"", pdata->fh);
953 if (fi_parent != NULL) {
954 print_escaped_ek(pdata->fh, fi_parent->hfinfo->abbrev);
955 fputs("_", pdata->fh);
957 print_escaped_ek(pdata->fh, fi->hfinfo->abbrev);
958 fputs("_raw", pdata->fh);
959 fputs("\": \"", pdata->fh);
961 if (fi->hfinfo->bitmask!=0) {
962 switch (fi->value.ftype->ftype) {
967 fprintf(pdata->fh, "%X", (guint) fvalue_get_sinteger(&fi->value));
973 fprintf(pdata->fh, "%X", fvalue_get_uinteger(&fi->value));
979 fprintf(pdata->fh, "%" G_GINT64_MODIFIER "X", fvalue_get_sinteger64(&fi->value));
986 fprintf(pdata->fh, "%" G_GINT64_MODIFIER "X", fvalue_get_uinteger64(&fi->value));
989 g_assert_not_reached();
991 fputs("\",", pdata->fh);
994 json_write_field_hex_value(pdata, fi);
995 fputs("\",", pdata->fh);
1001 fputs("\"", pdata->fh);
1003 if (fi_parent != NULL) {
1004 print_escaped_ek(pdata->fh, fi_parent->hfinfo->abbrev);
1005 fputs("_", pdata->fh);
1007 print_escaped_ek(pdata->fh, fi->hfinfo->abbrev);
1009 /* show, value, and unmaskedvalue attributes */
1010 switch (fi->hfinfo->type)
1013 if (node->first_child != NULL) {
1014 fputs("\": {", pdata->fh);
1016 fputs("\": \"", pdata->fh);
1018 print_escaped_json(pdata->fh, fi->rep->representation);
1021 label_ptr = label_str;
1022 proto_item_fill_label(fi, label_str);
1023 print_escaped_json(pdata->fh, label_ptr);
1025 if (node->next == NULL) {
1026 fputs("\"", pdata->fh);
1028 fputs("\",", pdata->fh);
1033 if (node->first_child != NULL) {
1034 fputs("\": \"\",", pdata->fh);
1036 if (node->next == NULL) {
1037 fputs("\": \"\"", pdata->fh);
1039 fputs("\": \"\",", pdata->fh);
1044 dfilter_string = fvalue_to_string_repr(NULL, &fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
1045 if (dfilter_string != NULL) {
1046 fputs("\": \"", pdata->fh);
1047 print_escaped_json(pdata->fh, dfilter_string);
1049 wmem_free(NULL, dfilter_string);
1051 if (node->next == NULL && node->first_child == NULL) {
1052 fputs("\"", pdata->fh);
1054 fputs("\",", pdata->fh);
1060 /* We print some levels for JSON. Recurse here. */
1061 if (node->first_child != NULL) {
1063 if (pdata->filter != NULL) {
1065 /* to treat the '.' and '_' equally. The '.' is replaced by print_escaped_ek with '_' */
1066 if (fi->hfinfo->abbrev != NULL) {
1067 if (strlen(fi->hfinfo->abbrev) > 0) {
1068 abbrev_escaped = g_strdup(fi->hfinfo->abbrev);
1071 while(abbrev_escaped[i]!='\0') {
1072 if(abbrev_escaped[i]=='.') {
1073 abbrev_escaped[i]='_';
1080 if(check_protocolfilter(pdata->filter, fi->hfinfo->abbrev) || check_protocolfilter(pdata->filter, abbrev_escaped)) {
1082 proto_tree_children_foreach(node, proto_tree_write_node_ek, pdata);
1085 /* print dummy field */
1086 fputs("\"filtered\": \"", pdata->fh);
1087 print_escaped_ek(pdata->fh, fi->hfinfo->abbrev);
1088 fputs("\"", pdata->fh);
1091 /* release abbrev_escaped string */
1092 if (abbrev_escaped != NULL) {
1093 g_free(abbrev_escaped);
1098 proto_tree_children_foreach(node,
1099 proto_tree_write_node_ek, pdata);
1104 if (node->first_child != NULL) {
1105 if (fi->hfinfo->type == FT_PROTOCOL) {
1106 /* Close off current element */
1107 if (node->next == NULL) {
1108 fputs("}", pdata->fh);
1110 fputs("},", pdata->fh);
1113 if (node->next != NULL) {
1114 fputs(",", pdata->fh);
1120 /* Print info for a 'geninfo' pseudo-protocol. This is required by
1121 * the PDML spec. The information is contained in Wireshark's 'frame' protocol,
1122 * but we produce a 'geninfo' protocol in the PDML to conform to spec.
1123 * The 'frame' protocol follows the 'geninfo' protocol in the PDML. */
/* edt is the dissected packet and fh the output file. The num, len, caplen
 * and timestamp fields all report the frame protocol item's length as
 * their size. */
1125 print_pdml_geninfo(epan_dissect_t *edt, FILE *fh)
1127 guint32 num, len, caplen;
1128 GPtrArray *finfo_array;
1129 field_info *frame_finfo;
1132 /* Get frame protocol's finfo. */
1133 finfo_array = proto_find_first_finfo(edt->tree, proto_frame);
/* Guard so that pdata[0] is never read from an empty array (the body of
 * this branch is not visible in this listing). */
1134 if (g_ptr_array_len(finfo_array) < 1) {
1137 frame_finfo = (field_info *)finfo_array->pdata[0];
/* NOTE(review): frame_finfo is used after the array is freed; this relies on
 * the field_info belonging to the tree rather than to the array. Confirm. */
1138 g_ptr_array_free(finfo_array, TRUE);
1140 /* frame.number, packet_info.num */
1143 /* frame.frame_len, packet_info.frame_data->pkt_len */
1144 len = edt->pi.fd->pkt_len;
1146 /* frame.cap_len --> packet_info.frame_data->cap_len */
1147 caplen = edt->pi.fd->cap_len;
1149 /* Print geninfo start */
1151 " <proto name=\"geninfo\" pos=\"0\" showname=\"General information\" size=\"%d\">\n",
1152 frame_finfo->length);
1154 /* Print geninfo.num */
1156 " <field name=\"num\" pos=\"0\" show=\"%u\" showname=\"Number\" value=\"%x\" size=\"%d\"/>\n",
1157 num, num, frame_finfo->length);
1159 /* Print geninfo.len */
1161 " <field name=\"len\" pos=\"0\" show=\"%u\" showname=\"Frame Length\" value=\"%x\" size=\"%d\"/>\n",
1162 len, len, frame_finfo->length);
1164 /* Print geninfo.caplen */
1166 " <field name=\"caplen\" pos=\"0\" show=\"%u\" showname=\"Captured Length\" value=\"%x\" size=\"%d\"/>\n",
1167 caplen, caplen, frame_finfo->length);
/* tmp is allocated here and released by the wmem_free() call below. */
1169 tmp = abs_time_to_str(NULL, &edt->pi.abs_ts, ABSOLUTE_TIME_LOCAL, TRUE);
1171 /* Print geninfo.timestamp */
/* tmp goes into the show attribute without print_escaped_xml(); presumably
 * acceptable because it is a formatted time string (TODO confirm).
 * NOTE(review): the seconds value is narrowed to int for printing, so a
 * value outside the range of int would not be printed correctly. */
1173 " <field name=\"timestamp\" pos=\"0\" show=\"%s\" showname=\"Captured Time\" value=\"%d.%09d\" size=\"%d\"/>\n",
1174 tmp, (int)edt->pi.abs_ts.secs, edt->pi.abs_ts.nsecs, frame_finfo->length);
1176 wmem_free(NULL, tmp);
1178 /* Print geninfo end */
/* Close the PDML document by writing the closing </pdml> tag to fh. */
1184 write_pdml_finale(FILE *fh)
1186 fputs("</pdml>\n", fh);
1190 write_json_finale(FILE *fh)
/* Write the start of a PSML document to fh: the XML declaration, the
 * opening <psml> element and a <structure> element with one <section> per
 * column title. */
1196 write_psml_preamble(column_info *cinfo, FILE *fh)
1200 fprintf(fh, "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n");
1201 fprintf(fh, "<psml version=\"" PSML_VERSION "\" creator=\"%s/%s\">\n", PACKAGE, VERSION);
1202 fprintf(fh, "<structure>\n");
1204 for (i = 0; i < cinfo->num_cols; i++) {
1205 fprintf(fh, "<section>");
/* Column titles are escaped before they are placed in element content. */
1206 print_escaped_xml(fh, cinfo->columns[i].col_title);
1207 fprintf(fh, "</section>\n");
1210 fprintf(fh, "</structure>\n\n");
/* Write one packet's column values as a PSML <packet> element on fh, with
 * one <section> per column. */
1214 write_psml_columns(epan_dissect_t *edt, FILE *fh)
1218 fprintf(fh, "<packet>\n");
1220 for (i = 0; i < edt->pi.cinfo->num_cols; i++) {
1221 fprintf(fh, "<section>");
/* Column text is presumably derived from packet contents, so this escaping
 * is what keeps the output well-formed; do not bypass it. */
1222 print_escaped_xml(fh, edt->pi.cinfo->columns[i].col_data);
1223 fprintf(fh, "</section>\n");
1226 fprintf(fh, "</packet>\n\n");
/* Close the PSML document by writing the closing </psml> tag to fh. */
1230 write_psml_finale(FILE *fh)
1232 fputs("</psml>\n", fh);
/* Build an escaped copy of source for use inside a quoted CSV field.
 * g_strescape() returns a newly allocated string, which is then edited in
 * place by the two loops below; exceptions lists characters it must leave
 * unescaped. The return statement is not visible in this listing;
 * presumably the caller receives csv_str and must g_free() it.
 * NOTE(review): source is handed to g_strescape() without a NULL check;
 * confirm that callers never pass NULL. */
1235 static gchar *csv_massage_str(const gchar *source, const gchar *exceptions)
1240 /* In general, our output for any field can contain Unicode characters,
1241 so g_strescape (which escapes any non-ASCII) is the wrong thing to do.
1242 Unfortunately glib doesn't appear to provide g_unicode_strescape()... */
1243 csv_str = g_strescape(source, exceptions);
1245 /* Locate the UTF-8 right arrow character and replace it by an ASCII equivalent */
1246 while ( (tmp_str = strstr(tmp_str, UTF8_RIGHTWARDS_ARROW)) != NULL ) {
/* Finds each backslash followed by a double quote in the escaped string;
 * the rewrite applied to it is not visible in this listing. */
1252 while ( (tmp_str = strstr(tmp_str, "\\\"")) != NULL )
/* Write str to fh as one double-quoted CSV field followed by the separator
 * character sep. The surrounding quotes are only safe because
 * csv_massage_str() has already dealt with double quotes inside str.
 * The release of csv_str is not visible in this listing. */
1257 static void csv_write_str(const char *str, char sep, FILE *fh)
1261 /* Do not escape the UTF-8 right arrow character */
1262 csv_str = csv_massage_str(str, UTF8_RIGHTWARDS_ARROW);
1263 fprintf(fh, "\"%s\"%c", csv_str, sep);
/* Write the column titles as one CSV line on fh: every title but the last
 * is followed by a comma, the last one by a newline.
 * NOTE(review): the final call reads columns[i] unconditionally; with
 * num_cols == 0 that would be columns[0]. Presumably callers guarantee at
 * least one column; verify. */
1268 write_csv_column_titles(column_info *cinfo, FILE *fh)
1272 for (i = 0; i < cinfo->num_cols - 1; i++)
1273 csv_write_str(cinfo->columns[i].col_title, ',', fh);
1274 csv_write_str(cinfo->columns[i].col_title, '\n', fh);
/* Write one packet's column values as one CSV line on fh: every value but
 * the last is followed by a comma, the last one by a newline.
 * NOTE(review): the final call reads columns[i] unconditionally; with
 * num_cols == 0 that would be columns[0]. Presumably callers guarantee at
 * least one column; verify. */
1278 write_csv_columns(epan_dissect_t *edt, FILE *fh)
1282 for (i = 0; i < edt->pi.cinfo->num_cols - 1; i++)
1283 csv_write_str(edt->pi.cinfo->columns[i].col_data, ',', fh);
1284 csv_write_str(edt->pi.cinfo->columns[i].col_data, '\n', fh);
/* Write every data source of packet number num to fh as a C array
 * definition of unsigned char, with an ASCII rendering of each row of bytes
 * in a trailing comment. The output is C source text meant to be compiled
 * or read elsewhere. */
1288 write_carrays_hex_data(guint32 num, FILE *fh, epan_dissect_t *edt)
1290 guint32 i = 0, src_num = 0;
1297 struct data_source *src;
1299 for (src_le = edt->pi.data_src; src_le != NULL; src_le = src_le->next) {
1300 memset(ascii, 0, sizeof(ascii));
1301 src = (struct data_source *)src_le->data;
1302 tvb = get_data_source_tvb(src);
/* Only the captured bytes are requested, so the pointer below covers
 * exactly `length` bytes. */
1303 length = tvb_captured_length(tvb);
1307 cp = tvb_get_ptr(tvb, 0, length);
1309 name = get_data_source_name(src);
/* The data-source name is placed inside a C comment in the generated text. */
1311 fprintf(fh, "/* %s */\n", name);
1312 wmem_free(NULL, name);
1315 fprintf(fh, "static const unsigned char pkt%u_%u[%u] = {\n",
1316 num, src_num, length);
1318 fprintf(fh, "static const unsigned char pkt%u[%u] = {\n",
1323 for (i = 0; i < length; i++) {
1324 fprintf(fh, "0x%02x", *(cp + i));
/* NOTE(review): printable packet bytes are copied unchanged into ascii,
 * which is later printed inside a C comment. In the lines visible here
 * nothing neutralises an asterisk followed by a slash, which would end that
 * comment early in the generated file. Confirm it is handled in the lines
 * not shown, or treat the generated file as untrusted text.
 * ascii is indexed 0..7 and printed with %s, so it needs at least nine
 * bytes; its declaration is not visible in this listing. */
1325 ascii[i % 8] = g_ascii_isprint(*(cp + i)) ? *(cp + i) : '.';
1327 if (i == (length - 1)) {
1332 for ( j = 0; j < 8 - rem; j++ )
1335 fprintf(fh, " /* %s */\n};\n\n", ascii);
/* After every eighth byte the row is closed and the ASCII buffer is reset. */
1339 if (!((i + 1) % 8)) {
1340 fprintf(fh, ", /* %s */\n", ascii);
1341 memset(ascii, 0, sizeof(ascii));
1351 * Find the data source for a specified field, and return a pointer
1352 * to the data in it. Returns NULL if the data is out of bounds.
1354 /* XXX: What am I missing ?
1355 * Why bother searching for fi->ds_tvb for the matching tvb
1356 * in the data_source list ?
1357 * IOW: Why not just use fi->ds_tvb for the arg to tvb_get_ptr() ?
/* Return a pointer to the bytes of field fi inside the data source of
 * src_list whose tvbuff is fi->ds_tvb.
 * The length requested from the tvbuff is clamped to the captured bytes
 * remaining from fi->start, so fewer than fi->length bytes may be readable
 * behind the returned pointer.
 * NOTE(review): callers in this file differ. pdml_write_field_hex_value()
 * compares fi->length with the remaining captured length before calling,
 * while proto_tree_print_node() passes fi->length on to the hex dump.
 * Confirm that every caller stays within the clamped length. */
1360 static const guint8 *
1361 get_field_data(GSList *src_list, field_info *fi)
1365 gint length, tvbuff_length;
1366 struct data_source *src;
1368 for (src_le = src_list; src_le != NULL; src_le = src_le->next) {
1369 src = (struct data_source *)src_le->data;
1370 src_tvb = get_data_source_tvb(src);
1371 if (fi->ds_tvb == src_tvb) {
1375 * XXX - a field can have a length that runs past
1376 * the end of the tvbuff. Ideally, that should
1377 * be fixed when adding an item to the protocol
1378 * tree, but checking the length when doing
1379 * that could be expensive. Until we fix that,
1380 * we'll do the check here.
1382 tvbuff_length = tvb_captured_length_remaining(src_tvb,
/* A negative result is handled separately; the branch body is not visible
 * in this listing. */
1384 if (tvbuff_length < 0) {
/* Clamp the field length to what was actually captured. */
1387 length = fi->length;
1388 if (length > tvbuff_length)
1389 length = tvbuff_length;
1390 return tvb_get_ptr(src_tvb, fi->start, length);
/* Reached only when no data source matches fi->ds_tvb. The return below is
 * presumably the fallback when the assertion does not abort. */
1393 g_assert_not_reached();
1394 return NULL; /* not found */
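/*
 * Print a string, escaping the characters that must be escaped in XML.
 *
 * The five XML-reserved characters are written as entity references so a
 * dissected value cannot close the attribute or element it is printed in.
 * Other printable ASCII is copied through; anything else is written as the
 * literal text "\x" followed by the byte value in hex.
 *
 * The entity literals in this listing had been decoded to the bare
 * characters (leaving an unterminated string for the double quote), so they
 * are restored here.  The exact spelling of the apostrophe entity is
 * inferred -- verify against upstream.
 *
 * Does nothing if either argument is NULL.
 */
static void
print_escaped_xml(FILE *fh, const char *unescaped_string)
{
    const char *p;
    char        temp_str[8];

    if (fh == NULL || unescaped_string == NULL) {
        return;
    }

    for (p = unescaped_string; *p != '\0'; p++) {
        switch (*p) {
        case '&':
            fputs("&amp;", fh);
            break;
        case '<':
            fputs("&lt;", fh);
            break;
        case '>':
            fputs("&gt;", fh);
            break;
        case '"':
            fputs("&quot;", fh);
            break;
        case '\'':
            fputs("&apos;", fh);
            break;
        default:
            if (g_ascii_isprint(*p)) {
                fputc(*p, fh);
            } else {
                /* Cast through guint8 so a negative char is not sign-extended. */
                g_snprintf(temp_str, sizeof(temp_str), "\\x%x", (guint8)*p);
                fputs(temp_str, fh);
            }
            break;
        }
    }
}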
/*
 * Shared escaping routine behind print_escaped_json() and print_escaped_ek();
 * change_dot is FALSE for the former and TRUE for the latter.
 *
 * Most of the body (the per-character cases) is missing from this listing;
 * only the NULL guard, the loop header and the fallback branch are visible.
 *
 * NOTE(review): the fallback writes each non-printable byte as a six-character
 * escape built from "\u00" plus two hex digits.  For bytes at or above 0x80
 * that is done per byte, so a multi-byte UTF-8 sequence would come out as
 * separate U+0080..U+00FF code points rather than the original character --
 * confirm whether inputs are expected to be ASCII-only.
 */
1438 print_escaped_bare(FILE *fh, const char *unescaped_string, gboolean change_dot)
/* Nothing is written when either the stream or the string is NULL. */
1443 if (fh == NULL || unescaped_string == NULL) {
1447 for (p = unescaped_string; *p != '\0'; p++) {
/* Fallback for characters without a dedicated escape. */
1480 if (g_ascii_isprint(*p))
/* The guint8 cast keeps a negative char from being sign-extended. */
1483 g_snprintf(temp_str, sizeof(temp_str), "\\u00%02x", (guint8)*p);
1484 fputs(temp_str, fh);
/*
 * Print a string with JSON escaping applied.
 *
 * Thin wrapper: delegates to print_escaped_bare() with change_dot = FALSE.
 */
static void
print_escaped_json(FILE *fh, const char *unescaped_string)
{
    const gboolean change_dot = FALSE;

    print_escaped_bare(fh, unescaped_string, change_dot);
}
/*
 * Print a string with the escaping needed for an Elasticsearch title.
 *
 * Thin wrapper: delegates to print_escaped_bare() with change_dot = TRUE.
 */
static void
print_escaped_ek(FILE *fh, const char *unescaped_string)
{
    const gboolean change_dot = TRUE;

    print_escaped_bare(fh, unescaped_string, change_dot);
}
/*
 * Write the raw bytes of a field to the PDML stream as lower-case hex.
 *
 * Nothing is written for a field without a backing tvbuff.  A field whose
 * length exceeds the captured bytes remaining from its start offset is
 * reported with the text "field length invalid!" rather than dumped; that
 * check is what makes it safe to read fi->length bytes from the pointer
 * returned by get_field_data().
 */
static void
pdml_write_field_hex_value(write_pdml_data *pdata, field_info *fi)
{
    const guint8 *bytes;
    int           idx = 0;

    if (fi->ds_tvb == NULL)
        return;

    if (tvb_captured_length_remaining(fi->ds_tvb, fi->start) < fi->length) {
        fprintf(pdata->fh, "field length invalid!");
        return;
    }

    /* Locate the field's bytes in the packet's data sources. */
    bytes = get_field_data(pdata->src_list, fi);
    if (bytes == NULL)
        return;

    /* Two hex digits per byte, no separators. */
    while (idx < fi->length) {
        fprintf(pdata->fh, "%02x", bytes[idx]);
        idx++;
    }
}
/*
 * Write the raw bytes of a field to the JSON stream as lower-case hex.
 *
 * Nothing is written for a field without a backing tvbuff.  A field whose
 * length exceeds the captured bytes remaining from its start offset is
 * reported with the text "field length invalid!" rather than dumped; that
 * check is what makes it safe to read fi->length bytes from the pointer
 * returned by get_field_data().
 */
static void
json_write_field_hex_value(write_json_data *pdata, field_info *fi)
{
    const guint8 *bytes;
    int           idx = 0;

    if (fi->ds_tvb == NULL)
        return;

    if (tvb_captured_length_remaining(fi->ds_tvb, fi->start) < fi->length) {
        fprintf(pdata->fh, "field length invalid!");
        return;
    }

    /* Locate the field's bytes in the packet's data sources. */
    bytes = get_field_data(pdata->src_list, fi);
    if (bytes == NULL)
        return;

    /* Two hex digits per byte, no separators. */
    while (idx < fi->length) {
        fprintf(pdata->fh, "%02x", bytes[idx]);
        idx++;
    }
}
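/**
 * Print a hex dump of every data source of the dissected packet.
 *
 * When the packet has more than one data source, each dump is preceded by
 * a line holding the source's name followed by ':'.
 *
 * @param stream print stream the dump is written to
 * @param edt    dissection whose pi.data_src list is dumped
 * @return TRUE on success (including "nothing to dump"), FALSE as soon as
 *         a line cannot be printed
 */
gboolean
print_hex_data(print_stream_t *stream, epan_dissect_t *edt)
{
    gboolean      multiple_sources;
    GSList       *src_le;
    tvbuff_t     *tvb;
    char         *line, *name;
    const guchar *cp;
    guint         length;
    struct data_source *src;

    /* The original dereferenced the list head unconditionally. */
    if (edt->pi.data_src == NULL)
        return TRUE;

    /*
     * Set "multiple_sources" iff this frame has more than one
     * data source; if it does, we need to print the name of
     * the data source before printing the data from the
     * data source.
     */
    multiple_sources = (edt->pi.data_src->next != NULL);

    for (src_le = edt->pi.data_src; src_le != NULL;
         src_le = src_le->next) {
        src = (struct data_source *)src_le->data;
        tvb = get_data_source_tvb(src);
        if (multiple_sources) {
            gboolean printed;

            name = get_data_source_name(src);
            line = g_strdup_printf("%s:", name);
            wmem_free(NULL, name);
            printed = print_line(stream, 0, line);
            g_free(line);
            /* Report a failed write here the same way the dump itself does. */
            if (!printed)
                return FALSE;
        }
        length = tvb_captured_length(tvb);
        if (length == 0)
            return TRUE;
        cp = tvb_get_ptr(tvb, 0, length);
        if (!print_hex_data_buffer(stream, cp, length,
                                   (packet_char_enc)edt->pi.fd->flags.encoding))
            return FALSE;
    }
    return TRUE;
}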
/*
 * This routine is based on a routine created by Dan Lasley
 * <DLASLEY@PROMUS.com>.
 *
 * It was modified for Wireshark by Gilbert Ramirez and others.
 */

#define MAX_OFFSET_LEN   8       /* max length of hex offset of bytes */
#define BYTES_PER_LINE  16      /* max byte values printed on a line */
#define HEX_DUMP_LEN    (BYTES_PER_LINE*3)
                                /* max number of characters hex dump takes -
                                   2 digits plus trailing blank */
#define DATA_DUMP_LEN   (HEX_DUMP_LEN + 2 + BYTES_PER_LINE)
                                /* number of characters those bytes take;
                                   3 characters per byte of hex dump,
                                   2 blanks separating hex from ASCII,
                                   1 character per byte of ASCII dump */
#define MAX_LINE_LEN    (MAX_OFFSET_LEN + 2 + DATA_DUMP_LEN)
                                /* number of characters per line;
                                   offset, 2 blanks separating offset
                                   from data dump, data dump */

/*
 * Print `length` bytes starting at `cp` as a classic hex dump: an offset,
 * up to 16 bytes in hex, and the same bytes as text.
 *
 * Bytes are converted with EBCDIC_to_ASCII1() first when the encoding is
 * PACKET_CHAR_ENC_CHAR_EBCDIC; anything outside 0x20..0x7e is shown as '.'.
 *
 * Returns FALSE as soon as print_line() fails, TRUE otherwise.
 */
gboolean
print_hex_data_buffer(print_stream_t *stream, const guchar *cp,
                      guint length, packet_char_enc encoding)
{
    static const gchar hex_digits[] = "0123456789abcdef";
    gchar        line[MAX_LINE_LEN + 1];
    unsigned int offset = 0;      /* offset shown at the start of the row */
    unsigned int hex_pos = 0;     /* write position in the hex column */
    unsigned int ascii_pos = 0;   /* write position in the text column */
    unsigned int offset_digits = 8;
    unsigned int max_offset = length - 1;
    unsigned int done = 0;        /* bytes consumed so far */
    unsigned int nibble;
    guchar       byte;

    /*
     * At least 4 offset digits are always printed; more only when the
     * largest offset does not fit, i.e. drop leading digits that would
     * be zero for the last byte.
     */
    while (offset_digits > 4 &&
           ((max_offset >> ((offset_digits - 1) * 4)) & 0xF) == 0) {
        offset_digits--;
    }

    while (done < length) {
        if ((done % BYTES_PER_LINE) == 0) {
            /* Start of a new row: offset, two blanks, blank data area. */
            hex_pos = 0;
            for (nibble = offset_digits; nibble-- > 0; )
                line[hex_pos++] = hex_digits[(offset >> (nibble * 4)) & 0xF];
            line[hex_pos++] = ' ';
            line[hex_pos++] = ' ';
            memset(line + hex_pos, ' ', DATA_DUMP_LEN);

            /* The text column starts after the hex column and 2 blanks. */
            ascii_pos = hex_pos + HEX_DUMP_LEN + 2;
        }

        byte = *cp++;
        line[hex_pos++] = hex_digits[byte >> 4];
        line[hex_pos++] = hex_digits[byte & 0xf];
        hex_pos++;                /* keep the blank between byte values */

        if (encoding == PACKET_CHAR_ENC_CHAR_EBCDIC) {
            byte = EBCDIC_to_ASCII1(byte);
        }
        line[ascii_pos++] = ((byte >= ' ') && (byte < 0x7f)) ? byte : '.';
        done++;

        if (((done % BYTES_PER_LINE) == 0) || (done == length)) {
            /*
             * The row is full or the buffer is exhausted: terminate the
             * row, print it and advance the offset.
             */
            line[ascii_pos] = '\0';
            if (!print_line(stream, 0, line))
                return FALSE;
            offset += BYTES_PER_LINE;
        }
    }
    return TRUE;
}
/*
 * Return how many field names have been added to `fields`.
 * The name array is created lazily, so a missing array counts as zero.
 */
gsize output_fields_num_fields(output_fields_t* fields)
{
    g_assert(fields);

    return (fields->fields != NULL) ? fields->fields->len : 0;
}
/*
 * Release an output_fields_t and everything it owns: the name-to-index
 * hash table, the per-field value slots, each duplicated field name and
 * the name array itself.
 */
void output_fields_free(output_fields_t* fields)
{
    g_assert(fields);

    if (fields->fields != NULL) {
        GPtrArray *names = fields->fields;
        gsize idx;

        /* Keys are stored in fields->fields, values are integers, so the
         * table itself owns nothing that needs freeing. */
        if (fields->field_indicies != NULL)
            g_hash_table_destroy(fields->field_indicies);

        /* g_free() accepts NULL, so no separate guard is needed. */
        g_free(fields->field_values);

        for (idx = 0; idx < names->len; idx++)
            g_free(g_ptr_array_index(names, idx));
        g_ptr_array_free(names, TRUE);
    }

    g_free(fields);
}
#define COLUMN_FIELD_FILTER  "_ws.col."

/*
 * Append a copy of `field` to the list of fields to output, creating the
 * list on first use.  A name starting with COLUMN_FIELD_FILTER marks the
 * set as containing column fields.
 */
void output_fields_add(output_fields_t *fields, const gchar *field)
{
    const size_t prefix_len = strlen(COLUMN_FIELD_FILTER);

    g_assert(fields);
    g_assert(field);

    if (fields->fields == NULL)
        fields->fields = g_ptr_array_new();

    /* The list owns its own copy; output_fields_free() releases it. */
    g_ptr_array_add(fields->fields, g_strdup(field));

    /* See if we have a column as a field entry */
    if (strncmp(field, COLUMN_FIELD_FILTER, prefix_len) == 0)
        fields->includes_col_fields = TRUE;
}
/*
 * g_ptr_array_foreach() callback: record `data` (a field name) in the
 * GSList pointed to by `user_data` when the name is not a registered field.
 * Names starting with COLUMN_FIELD_FILTER are accepted without a lookup.
 * The list stores the name pointer itself, not a copy.
 */
static void
output_field_check(void *data, void *user_data)
{
    gchar   *name = (gchar *)data;
    GSList **bad_names = (GSList **)user_data;
    gboolean is_column = (strncmp(name, COLUMN_FIELD_FILTER,
                                  strlen(COLUMN_FIELD_FILTER)) == 0);

    if (is_column)
        return;

    if (proto_registrar_get_byname(name) == NULL)
        *bad_names = g_slist_prepend(*bad_names, name);
}
/*
 * Check every requested field name with output_field_check().
 *
 * Returns a GSList of the names that are not valid, or NULL when all are
 * valid or no field has been added.  The list entries point at the names
 * held in fields->fields, so they stay owned by `fields`.
 */
GSList *
output_fields_valid(output_fields_t *fields)
{
    GSList *rejected = NULL;

    if (fields->fields != NULL)
        g_ptr_array_foreach(fields->fields, output_field_check, &rejected);

    return rejected;
}
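/**
 * Apply one "name=value" field-output option (tshark -E) to `info`.
 *
 * Recognised names and values, matching output_fields_list_options():
 *   header=y|n, separator=/t|/s|<character>, occurrence=f|l|a,
 *   aggregator=,|/s|<character>, quote=d|s|n, bom=y|n.
 *
 * The option comes straight from the command line, so it is parsed
 * defensively.  The original split it with strtok() and then computed the
 * value as option + strlen(name) + 1; for an option without '=' that
 * pointed one byte past the string's terminator, and for a leading '=' it
 * pointed at the wrong offset.  The '=' is now located explicitly.
 *
 * @param info   settings to update
 * @param option writable "name=value" string; as before, the '=' is
 *               overwritten with a terminator while parsing
 * @return TRUE if the option was recognised and applied, FALSE otherwise
 */
gboolean output_fields_set_option(output_fields_t *info, gchar *option)
{
    const gchar *option_name;
    const gchar *option_value;
    gchar       *eq;

    g_assert(info);
    g_assert(option);

    if ('\0' == *option) {
        return FALSE; /* this happens if we're called from tshark -E '' */
    }

    eq = strchr(option, '=');
    if (eq == NULL || eq == option) {
        return FALSE; /* no '=' at all, or an empty option name */
    }
    *eq = '\0';
    option_name  = option;
    option_value = eq + 1;
    if (*option_value == '\0') {
        return FALSE;
    }

    if (0 == strcmp(option_name, "header")) {
        switch (*option_value) {
        case 'n':
            info->print_header = FALSE;
            break;
        case 'y':
            info->print_header = TRUE;
            break;
        default:
            return FALSE;
        }
        return TRUE;
    }
    else if (0 == strcmp(option_name, "separator")) {
        switch (*option_value) {
        case '/':
            /* "/t" and "/s" name tab and space; any other follower
             * selects a backslash. */
            switch (*++option_value) {
            case 't':
                info->separator = '\t';
                break;
            case 's':
                info->separator = ' ';
                break;
            default:
                info->separator = '\\';
            }
            break;
        default:
            info->separator = *option_value;
            break;
        }
        return TRUE;
    }
    else if (0 == strcmp(option_name, "occurrence")) {
        switch (*option_value) {
        case 'f':
        case 'l':
        case 'a':
            info->occurrence = *option_value;
            break;
        default:
            return FALSE;
        }
        return TRUE;
    }
    else if (0 == strcmp(option_name, "aggregator")) {
        switch (*option_value) {
        case '/':
            switch (*++option_value) {
            case 's':
                info->aggregator = ' ';
                break;
            default:
                info->aggregator = '\\';
            }
            break;
        default:
            info->aggregator = *option_value;
            break;
        }
        return TRUE;
    }
    else if (0 == strcmp(option_name, "quote")) {
        switch (*option_value) {
        case 'd':
            info->quote = '"';
            break;
        case 's':
            info->quote = '\'';
            break;
        case 'n':
            info->quote = '\0';
            break;
        default:
            info->quote = '\0';
            return FALSE;
        }
        return TRUE;
    }
    else if (0 == strcmp(option_name, "bom")) {
        switch (*option_value) {
        case 'n':
            info->print_bom = FALSE;
            break;
        case 'y':
            info->print_bom = TRUE;
            break;
        default:
            return FALSE;
        }
        return TRUE;
    }

    return FALSE;
}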
/*
 * Print the help text for the field-output ("-E") options to `fh`.
 * The lines are fixed text; none of them contains a format directive.
 */
void output_fields_list_options(FILE *fh)
{
    static const char *const help_lines[] = {
        "TShark: The available options for field output \"E\" are:\n",
        "bom=y|n Prepend output with the UTF-8 BOM (def: N: no)\n",
        "header=y|n Print field abbreviations as first line of output (def: N: no)\n",
        "separator=/t|/s|<character> Set the separator to use;\n \"/t\" = tab, \"/s\" = space (def: /t: tab)\n",
        "occurrence=f|l|a Select the occurrence of a field to use;\n \"f\" = first, \"l\" = last, \"a\" = all (def: a: all)\n",
        "aggregator=,|/s|<character> Set the aggregator to use;\n \",\" = comma, \"/s\" = space (def: ,: comma)\n",
        "quote=d|s|n Print either d: double-quotes, s: single quotes or \n n: no quotes around field values (def: n: none)\n",
    };
    size_t idx;

    for (idx = 0; idx < sizeof help_lines / sizeof help_lines[0]; idx++)
        fputs(help_lines[idx], fh);
}
/*
 * Report whether any added field name refers to a column, i.e. whether
 * output_fields_add() saw a name starting with COLUMN_FIELD_FILTER.
 */
gboolean output_fields_has_cols(output_fields_t* fields)
{
    gboolean has_cols;

    g_assert(fields);
    has_cols = fields->includes_col_fields;
    return has_cols;
}
/*
 * Write whatever precedes the per-packet field lines: the UTF-8 BOM when
 * requested, then, when a header is requested, one line with the field
 * names joined by the configured separator.
 */
void write_fields_preamble(output_fields_t* fields, FILE *fh)
{
    gsize idx = 0;

    g_assert(fields);
    g_assert(fh);
    g_assert(fields->fields);

    if (fields->print_bom)
        fputs(UTF8_BOM, fh);

    if (!fields->print_header)
        return;

    while (idx < fields->fields->len) {
        const gchar *name = (const gchar *)g_ptr_array_index(fields->fields, idx);

        /* The separator goes between names, not before the first one. */
        if (idx > 0)
            fputc(fields->separator, fh);
        fputs(name, fh);
        idx++;
    }
    fputc('\n', fh);
}
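/*
 * Record one value for the output field identified by `field_index`,
 * honouring the configured occurrence mode ('f', 'l' or 'a').
 *
 * `field_index` is the field's index plus one, stored as a pointer so that
 * zero can be told apart from a failed lookup.  `value` is a heap string
 * whose ownership passes to this function: it is either stored in the
 * field's value array or released here.
 *
 * The original dropped strings without freeing them in two places -- a
 * later value in 'f' mode and the previously stored value in 'l' mode --
 * which leaked memory for every repeated field in a capture.
 */
static void format_field_values(output_fields_t* fields, gpointer field_index, const gchar* value)
{
    guint      indx;
    guint      k;
    GPtrArray* fv_p;

    if (NULL == value)
        return;

    /* Unwrap change made to disambiguate zero / null */
    indx = GPOINTER_TO_UINT(field_index) - 1;

    if (fields->field_values[indx] == NULL) {
        fields->field_values[indx] = g_ptr_array_new();
    }

    /* Essentially: fieldvalues[indx] is a 'GPtrArray *' with each array entry */
    /*  pointing to a string which is (part of) the final output string.       */

    fv_p = fields->field_values[indx];

    switch (fields->occurrence) {
    case 'f':
        /* print the value of only the first occurrence of the field */
        if (g_ptr_array_len(fv_p) != 0) {
            g_free((gpointer)value);    /* not stored, so release it here */
            return;
        }
        break;
    case 'l':
        /* print the value of only the last occurrence of the field */
        for (k = 0; k < g_ptr_array_len(fv_p); k++) {
            g_free(g_ptr_array_index(fv_p, k));
        }
        g_ptr_array_set_size(fv_p, 0);
        break;
    case 'a':
        /* print the value of all occurrences of the field */
        /* If not the first, add the 'aggregator' */
        if (g_ptr_array_len(fv_p) > 0) {
            g_ptr_array_add(fv_p, (gpointer)g_strdup_printf("%c", fields->aggregator));
        }
        break;
    default:
        g_assert_not_reached();
        break;
    }

    g_ptr_array_add(fv_p, (gpointer)value);
}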
/*
 * Tree-walk callback: if this node's field abbreviation is one of the
 * requested output fields, record its value, then visit the node's
 * children.  `data` is the write_field_data_t for the current packet.
 */
static void proto_tree_get_node_field_values(proto_node *node, gpointer data)
{
    write_field_data_t *ctx = (write_field_data_t *)data;
    field_info         *finfo = PNODE_FINFO(node);
    gpointer            slot;

    /* dissection with an invisible proto tree? */
    g_assert(finfo);

    slot = g_hash_table_lookup(ctx->fields->field_indicies, finfo->hfinfo->abbrev);
    if (slot != NULL) {
        /* get_node_field_value() returns a g_ alloc'd string. */
        gchar *text = get_node_field_value(finfo, ctx->edt);

        format_field_values(ctx->fields, slot, text);
    }

    /* Recurse here. */
    if (node->first_child != NULL)
        proto_tree_children_foreach(node, proto_tree_get_node_field_values, ctx);
}
/*
 * Write the requested fields of one packet to fh in the given format.
 *
 * Visible steps: build the name-to-index hash table and the per-field value
 * array on first use, collect values by walking the protocol tree (and the
 * columns, when column fields were requested), then emit the values in one
 * of several per-format loops and reset each value slot for the next packet.
 *
 * This listing has lost its short lines (case labels, braces, several
 * statements); the comments below describe only what is visible.
 *
 * NOTE(review): the XML and JSON loops print the field name through a plain
 * "%s" while the value goes through print_escaped_xml() or
 * print_escaped_json().  Names come from the command line; presumably they
 * are checked with output_fields_valid() before any output -- verify in the
 * caller, or escape the name as well.
 */
2020 static void write_specified_fields(fields_format format, output_fields_t *fields, epan_dissect_t *edt, column_info *cinfo, FILE *fh)
2023 gboolean first = TRUE;
2026 gpointer field_index;
2028 write_field_data_t data;
2031 g_assert(fields->fields);
2035 data.fields = fields;
2038 if (NULL == fields->field_indicies) {
2039 /* Prepare a lookup table from string abbreviation for field to its index. */
2040 fields->field_indicies = g_hash_table_new(g_str_hash, g_str_equal);
2043 while (i < fields->fields->len) {
2044 gchar *field = (gchar *)g_ptr_array_index(fields->fields, i);
2045 /* Store field indicies +1 so that zero is not a valid value,
2046 * and can be distinguished from NULL as a pointer.
2049 g_hash_table_insert(fields->field_indicies, field, GUINT_TO_POINTER(i));
2053 /* Array buffer to store values for this packet */
2054 /* Allocate an array for the 'GPtrarray *' the first time */
2055 /* this function is invoked for a file; */
2056 /* Any and all 'GPtrArray *' are freed (after use) each */
2057 /* time (each packet) this function is invoked for a file. */
2058 /* XXX: ToDo: use packet-scope'd memory & (if/when implemented) wmem ptr_array */
2059 if (NULL == fields->field_values)
2060 fields->field_values = g_new0(GPtrArray*, fields->fields->len); /* free'd in output_fields_free() */
/* Collect the values of the requested fields from the protocol tree. */
2062 proto_tree_children_foreach(edt->tree, proto_tree_get_node_field_values,
/* Column values are looked up under COLUMN_FIELD_FILTER plus the column title. */
2067 if (fields->includes_col_fields) {
2068 for (col = 0; col < cinfo->num_cols; col++) {
2069 /* Prepend COLUMN_FIELD_FILTER as the field name */
2070 col_name = g_strdup_printf("%s%s", COLUMN_FIELD_FILTER, cinfo->columns[col].col_title);
2071 field_index = g_hash_table_lookup(fields->field_indicies, col_name);
2074 if (NULL != field_index) {
2075 format_field_values(fields, field_index, g_strdup(cinfo->columns[col].col_data));
/* Separator-delimited output: values wrapped in the quote character when one is set. */
2080 for(i = 0; i < fields->fields->len; ++i) {
2082 fputc(fields->separator, fh);
2084 if (NULL != fields->field_values[i]) {
2088 fv_p = fields->field_values[i];
2089 if (fields->quote != '\0') {
2090 fputc(fields->quote, fh);
2093 /* Output the array of (partial) field values */
2094 for (j = 0; j < g_ptr_array_len(fv_p); j++ ) {
2095 str = (gchar *)g_ptr_array_index(fv_p, j);
2099 if (fields->quote != '\0') {
2100 fputc(fields->quote, fh);
2102 g_ptr_array_free(fv_p, TRUE); /* get ready for the next packet */
2103 fields->field_values[i] = NULL;
/* XML output: one <field> element per value; the step of 2 visits every other array entry. */
2108 for(i = 0; i < fields->fields->len; ++i) {
2109 gchar *field = (gchar *)g_ptr_array_index(fields->fields, i);
2111 if (NULL != fields->field_values[i]) {
2115 fv_p = fields->field_values[i];
2117 /* Output the array of (partial) field values */
2118 for (j = 0; j < (g_ptr_array_len(fv_p)); j+=2 ) {
2119 str = (gchar *)g_ptr_array_index(fv_p, j);
2121 fprintf(fh, " <field name=\"%s\" value=", field);
2123 print_escaped_xml(fh, str);
2124 fputs("\"/>\n", fh);
2127 g_ptr_array_free(fv_p, TRUE); /* get ready for the next packet */
2128 fields->field_values[i] = NULL;
/* JSON output: each field becomes a named array of escaped values. */
2133 for(i = 0; i < fields->fields->len; ++i) {
2134 gchar *field = (gchar *)g_ptr_array_index(fields->fields, i);
2136 if (NULL != fields->field_values[i]) {
2140 fv_p = fields->field_values[i];
2142 /* Output the array of (partial) field values */
2143 for (j = 0; j < (g_ptr_array_len(fv_p)); j += 2) {
2144 str = (gchar *)g_ptr_array_index(fv_p, j);
2150 fprintf(fh, " \"%s\": [", field);
2153 print_escaped_json(fh, str);
2157 if (j + 2 < (g_ptr_array_len(fv_p))) {
2167 g_ptr_array_free(fv_p, TRUE); /* get ready for the next packet */
2168 fields->field_values[i] = NULL;
/* Elasticsearch output: as JSON, but the field name goes through print_escaped_ek(). */
2174 for(i = 0; i < fields->fields->len; ++i) {
2175 gchar *field = (gchar *)g_ptr_array_index(fields->fields, i);
2177 if (NULL != fields->field_values[i]) {
2181 fv_p = fields->field_values[i];
2183 /* Output the array of (partial) field values */
2184 for (j = 0; j < (g_ptr_array_len(fv_p)); j += 2) {
2185 str = (gchar *)g_ptr_array_index(fv_p, j);
2192 print_escaped_ek(fh, field);
2196 print_escaped_json(fh, str);
2200 if (j + 2 < (g_ptr_array_len(fv_p))) {
2210 g_ptr_array_free(fv_p, TRUE); /* get ready for the next packet */
2211 fields->field_values[i] = NULL;
/* Any other format value is a programming error. */
2217 fprintf(stderr, "Unknown fields format %d\n", format);
2218 g_assert_not_reached();
/*
 * Counterpart of write_fields_preamble().  Both parameters are marked
 * unused: field output has no trailer to write.
 */
void write_fields_finale(output_fields_t* fields _U_ , FILE *fh _U_)
{
    /* Nothing to do */
}
/*
 * Return the printable value of a field as a g_malloc'ed string that the
 * caller must free.
 *
 *  - text-only labels: the stored representation, or the field's bytes in
 *    hex when there is none;
 *  - the "Data" protocol: always the bytes in hex;
 *  - protocols: the stored representation, or the protocol abbreviation;
 *  - FT_NONE fields: "1", so their presence can be tested with -T fields;
 *  - everything else: the display string of the value, falling back to the
 *    bytes in hex when no string form is available.
 */
gchar* get_node_field_value(field_info* fi, epan_dissect_t* edt)
{
    gchar *display;
    gchar *copy;

    if (fi->hfinfo->id == hf_text_only) {
        /* Text label: use its text when one was generated. */
        if (fi->rep)
            return g_strdup(fi->rep->representation);
        return get_field_hex_value(edt->pi.data_src, fi);
    }

    if (fi->hfinfo->id == proto_data) {
        /* Uninterpreted data, i.e., the "Data" protocol, is
         * printed as a field instead of a protocol. */
        return get_field_hex_value(edt->pi.data_src, fi);
    }

    /* Normal protocols and fields */
    if (fi->hfinfo->type == FT_PROTOCOL) {
        /* Full details when available, otherwise just the abbreviation. */
        return g_strdup(fi->rep ? fi->rep->representation : fi->hfinfo->abbrev);
    }

    if (fi->hfinfo->type == FT_NONE) {
        /* Return "1" so that the presence of a field of type
         * FT_NONE can be checked when using -T fields */
        return g_strdup("1");
    }

    display = fvalue_to_string_repr(NULL, &fi->value, FTREPR_DISPLAY, fi->hfinfo->display);
    if (display == NULL)
        return get_field_hex_value(edt->pi.data_src, fi);

    /* Hand back a g_malloc'ed copy and release the wmem string. */
    copy = g_strdup(display);
    wmem_free(NULL, display);
    return copy;
}
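/*
 * Return the bytes of a field as a g_malloc'ed lower-case hex string
 * (two characters per byte), which the caller must free.
 *
 * Returns NULL when the field has no backing tvbuff or its data cannot be
 * found, and the string "field length invalid!" when the field's length
 * does not fit in the captured bytes remaining from its start offset.
 *
 * fi->length is a signed value taken from the dissected (untrusted)
 * packet.  The original multiplied it as an int and passed the result to
 * g_malloc(), so a negative length would have become an enormous
 * allocation size; a negative length is now treated as invalid and the
 * buffer size is computed as an unsigned size.
 */
static gchar*
get_field_hex_value(GSList *src_list, field_info *fi)
{
    static const gchar hex_digits[] = "0123456789abcdef";
    const guint8 *pd;
    gchar        *buffer;
    gsize         nbytes;
    gsize         i;

    if (!fi->ds_tvb)
        return NULL;

    if (fi->length < 0 ||
        fi->length > tvb_captured_length_remaining(fi->ds_tvb, fi->start)) {
        return g_strdup("field length invalid!");
    }

    /* Find the data for this field. */
    pd = get_field_data(src_list, fi);
    if (pd == NULL)
        return NULL;

    nbytes = (gsize)fi->length;
    buffer = (gchar *)g_malloc(2 * nbytes + 1);

    /* Print a simple hex dump */
    for (i = 0; i < nbytes; i++) {
        buffer[2 * i]     = hex_digits[pd[i] >> 4];
        buffer[2 * i + 1] = hex_digits[pd[i] & 0x0f];
    }
    buffer[2 * nbytes] = '\0';

    return buffer;
}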
/*
 * Allocate an output_fields_t with the default settings: no BOM, no
 * header, tab separator, all occurrences, comma aggregator, no quoting.
 * The field list and its lookup structures are created lazily.
 * Release the result with output_fields_free().
 */
output_fields_t* output_fields_new(void)
{
    output_fields_t *created = g_new(output_fields_t, 1);

    /* Formatting defaults. */
    created->separator           = '\t';
    created->aggregator          = ',';
    created->occurrence          = 'a';
    created->quote               = '\0';
    created->print_header        = FALSE;
    created->print_bom           = FALSE;

    /* Nothing requested yet; these are filled in on first use. */
    created->fields              = NULL;
    created->field_indicies      = NULL;
    created->field_values        = NULL;
    created->includes_col_fields = FALSE;

    return created;
}
2331 * Editor modelines - http://www.wireshark.org/tools/modelines.html
2336 * indent-tabs-mode: nil
2339 * vi: set shiftwidth=4 tabstop=8 expandtab:
2340 * :indentSize=4:tabSize=8:noTabs=true: