3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
51 #ifdef HAVE_SYS_STAT_H
52 # include <sys/stat.h>
56 #include <zlib.h> /* to get the libz version number */
60 # include <sys/capability.h>
63 #ifndef HAVE_GETOPT_LONG
64 #include "wsutil/wsgetopt.h"
69 #include <epan/exceptions.h>
70 #include <epan/epan-int.h>
71 #include <epan/epan.h>
73 #include <wsutil/clopts_common.h>
74 #include <wsutil/cmdarg_err.h>
75 #include <wsutil/crash_info.h>
76 #include <wsutil/privileges.h>
77 #include <wsutil/file_util.h>
78 #include <wsutil/filesystem.h>
79 #include <wsutil/report_err.h>
80 #include <wsutil/ws_version_info.h>
83 #include <epan/timestamp.h>
84 #include <epan/packet.h>
86 #include <epan/wslua/init_wslua.h>
89 #include "frame_tvbuff.h"
90 #include <epan/disabled_protos.h>
91 #include <epan/prefs.h>
92 #include <epan/column.h>
93 #include <epan/print.h>
94 #include <epan/addr_resolv.h>
96 #include "ui/capture_ui_utils.h"
99 #include "ui/ui_util.h"
100 #include "ui/cli/tshark-tap.h"
101 #include "register.h"
102 #include <epan/epan_dissect.h>
103 #include <epan/tap.h>
104 #include <epan/stat_tap_ui.h>
105 #include <epan/conversation_table.h>
106 #include <epan/ex-opt.h>
108 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
109 #include <epan/asn1.h>
110 #include <epan/dissectors/packet-kerberos.h>
113 #include "capture_opts.h"
115 #include "caputils/capture-pcap-util.h"
118 #include "caputils/capture_ifinfo.h"
120 #include "caputils/capture-wpcap.h"
121 #include <wsutil/os_version_info.h>
122 #include <wsutil/unicode-utils.h>
124 #include <capchild/capture_session.h>
125 #include <capchild/capture_sync.h>
126 #endif /* HAVE_LIBPCAP */
128 #include <epan/funnel.h>
131 #include <wsutil/plugins.h>
135 * This is the template for the decode as option; it is shared between the
136 * various functions that output the usage for this parameter.
138 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
140 static guint32 cum_bytes;
141 static const frame_data *ref;
142 static frame_data ref_frame;
143 static frame_data *prev_dis;
144 static frame_data prev_dis_frame;
145 static frame_data *prev_cap;
146 static frame_data prev_cap_frame;
148 static const char* prev_display_dissector_name = NULL;
150 static gboolean perform_two_pass_analysis;
153 * The way the packet decode is to be written.
156 WRITE_TEXT, /* summary or detail text */
157 WRITE_XML, /* PDML or PSML */
158 WRITE_FIELDS /* User defined list of fields */
159 /* Add CSV and the like here */
162 static output_action_e output_action;
163 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
164 static gboolean print_packet_info; /* TRUE if we're to print packet information */
165 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
166 static gboolean print_details; /* TRUE if we're to print packet details information */
167 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
168 static gboolean line_buffered;
169 static gboolean really_quiet = FALSE;
171 static print_format_e print_format = PR_FMT_TEXT;
172 static print_stream_t *print_stream;
174 static output_fields_t* output_fields = NULL;
176 /* The line separator used between packets, changeable via the -S option */
177 static const char *separator = "";
181 * TRUE if we're to print packet counts to keep track of captured packets.
183 static gboolean print_packet_counts;
185 static capture_options global_capture_opts;
186 static capture_session global_capture_session;
189 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
190 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
193 static gboolean capture(void);
194 static void report_counts(void);
196 static BOOL WINAPI capture_cleanup(DWORD);
198 static void capture_cleanup(int);
200 static void report_counts_siginfo(int);
204 #else /* HAVE_LIBPCAP */
206 static char *output_file_name;
208 #endif /* HAVE_LIBPCAP */
210 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
211 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
212 struct wtap_pkthdr *whdr, const guchar *pd,
214 static void show_capture_file_io_error(const char *, int, gboolean);
215 static void show_print_file_io_error(int err);
216 static gboolean write_preamble(capture_file *cf);
217 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
218 static gboolean write_finale(void);
219 static const char *cf_open_error_message(int err, gchar *err_info,
220 gboolean for_writing, int file_type);
222 static void open_failure_message(const char *filename, int err,
223 gboolean for_writing);
224 static void failure_message(const char *msg_format, va_list ap);
225 static void read_failure_message(const char *filename, int err);
226 static void write_failure_message(const char *filename, int err);
227 static void failure_message_cont(const char *msg_format, va_list ap);
231 static GHashTable *output_only_tables = NULL;
234 const char *sstr; /* The short string */
235 const char *lstr; /* The long string */
239 string_compare(gconstpointer a, gconstpointer b)
241 return strcmp(((const struct string_elem *)a)->sstr,
242 ((const struct string_elem *)b)->sstr);
246 string_elem_print(gpointer data, gpointer not_used _U_)
248 fprintf(stderr, " %s - %s\n",
249 ((struct string_elem *)data)->sstr,
250 ((struct string_elem *)data)->lstr);
254 list_capture_types(void) {
256 struct string_elem *captypes;
259 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
261 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
262 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
263 if (wtap_dump_can_open(i)) {
264 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
265 captypes[i].lstr = wtap_file_type_subtype_string(i);
266 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
269 g_slist_foreach(list, string_elem_print, NULL);
275 list_read_capture_types(void) {
277 struct string_elem *captypes;
279 const char *magic = "Magic-value-based";
280 const char *heuristic = "Heuristics-based";
282 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
283 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
285 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
286 for (i = 0; open_routines[i].name != NULL; i++) {
287 captypes[i].sstr = open_routines[i].name;
288 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
289 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
291 g_slist_foreach(list, string_elem_print, NULL);
297 print_usage(FILE *output)
299 fprintf(output, "\n");
300 fprintf(output, "Usage: tshark [options] ...\n");
301 fprintf(output, "\n");
304 fprintf(output, "Capture interface:\n");
305 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
306 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
307 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
308 fprintf(output, " -p don't capture in promiscuous mode\n");
309 #ifdef HAVE_PCAP_CREATE
310 fprintf(output, " -I capture in monitor mode, if available\n");
312 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
313 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
315 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
316 fprintf(output, " -D print list of interfaces and exit\n");
317 fprintf(output, " -L print list of link-layer types of iface and exit\n");
318 fprintf(output, "\n");
319 fprintf(output, "Capture stop conditions:\n");
320 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
321 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
322 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
323 fprintf(output, " files:NUM - stop after NUM files\n");
324 /*fprintf(output, "\n");*/
325 fprintf(output, "Capture output:\n");
326 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
327 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
328 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
329 #endif /* HAVE_LIBPCAP */
330 #ifdef HAVE_PCAP_REMOTE
331 fprintf(output, "RPCAP options:\n");
332 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
334 /*fprintf(output, "\n");*/
335 fprintf(output, "Input file:\n");
336 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
338 fprintf(output, "\n");
339 fprintf(output, "Processing:\n");
340 fprintf(output, " -2 perform a two-pass analysis\n");
341 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
342 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
343 fprintf(output, " syntax\n");
344 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
345 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
346 fprintf(output, " -d %s ...\n", decode_as_arg_template);
347 fprintf(output, " \"Decode As\", see the man page for details\n");
348 fprintf(output, " Example: tcp.port==8888,http\n");
349 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
350 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
352 /*fprintf(output, "\n");*/
353 fprintf(output, "Output:\n");
354 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
355 fprintf(output, " (or to the standard output for \"-\")\n");
356 fprintf(output, " -C <config profile> start with specified configuration profile\n");
357 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
358 fprintf(output, " an empty \"-F\" option will list the file types\n");
359 fprintf(output, " -V add output of packet tree (Packet Details)\n");
360 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
361 fprintf(output, " separated\n");
362 fprintf(output, " -P print packet summary even when writing to a file\n");
363 fprintf(output, " -S <separator> the line separator to print between packets\n");
364 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
365 fprintf(output, " -T pdml|ps|psml|text|fields\n");
366 fprintf(output, " format of text output (def: text)\n");
367 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
368 fprintf(output, " _ws.col.Info)\n");
369 fprintf(output, " this option can be repeated to print multiple fields\n");
370 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
371 fprintf(output, " header=y|n switch headers on and off\n");
372 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
373 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
374 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
375 fprintf(output, " aggregator\n");
376 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
377 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
378 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
379 fprintf(output, " -l flush standard output after each packet\n");
380 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
381 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
382 fprintf(output, " -g enable group read access on the output file(s)\n");
383 fprintf(output, " -W n Save extra information in the file, if supported.\n");
384 fprintf(output, " n = write network address resolution information\n");
385 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
386 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
387 fprintf(output, " --capture-comment <comment>\n");
388 fprintf(output, " add a capture comment to the newly created\n");
389 fprintf(output, " output file (only for pcapng)\n");
391 fprintf(output, "\n");
392 fprintf(output, "Miscellaneous:\n");
393 fprintf(output, " -h display this help and exit\n");
394 fprintf(output, " -v display version info and exit\n");
395 fprintf(output, " -o <name>:<value> ... override preference setting\n");
396 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
397 fprintf(output, " -G [report] dump one of several available reports and exit\n");
398 fprintf(output, " default report=\"fields\"\n");
399 fprintf(output, " use \"-G ?\" for more help\n");
401 fprintf(output, "\n");
402 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
403 fprintf(output, "You might want to reset it\n");
404 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
405 fprintf(output, "\n");
411 glossary_option_help(void)
417 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
419 fprintf(output, "\n");
420 fprintf(output, "Usage: tshark -G [report]\n");
421 fprintf(output, "\n");
422 fprintf(output, "Glossary table reports:\n");
423 fprintf(output, " -G column-formats dump column format codes and exit\n");
424 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
425 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
426 fprintf(output, " -G fields dump fields glossary and exit\n");
427 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
428 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
429 fprintf(output, " -G plugins dump installed plugins and exit\n");
430 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
431 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
432 fprintf(output, "\n");
433 fprintf(output, "Preference reports:\n");
434 fprintf(output, " -G currentprefs dump current preferences and exit\n");
435 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
436 fprintf(output, "\n");
440 * For a dissector table, print on the stream described by output,
441 * its short name (which is what's used in the "-d" option) and its
445 display_dissector_table_names(const char *table_name, const char *ui_name,
448 if ((prev_display_dissector_name == NULL) ||
449 (strcmp(prev_display_dissector_name, table_name) != 0)) {
450 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
451 prev_display_dissector_name = table_name;
456 * For a dissector handle, print on the stream described by output,
457 * the filter name (which is what's used in the "-d" option) and the full
458 * name for the protocol that corresponds to this handle.
461 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
464 const gchar *proto_filter_name;
465 const gchar *proto_ui_name;
467 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
469 if (proto_id != -1) {
470 proto_filter_name = proto_get_protocol_filter_name(proto_id);
471 proto_ui_name = proto_get_protocol_name(proto_id);
472 g_assert(proto_filter_name != NULL);
473 g_assert(proto_ui_name != NULL);
475 if ((prev_display_dissector_name == NULL) ||
476 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
477 fprintf((FILE *)output, "\t%s (%s)\n",
480 prev_display_dissector_name = proto_filter_name;
486 * The protocol_name_search structure is used by find_protocol_name_func()
487 * to pass parameters and store results
489 struct protocol_name_search{
490 gchar *searched_name; /* Protocol filter name we are looking for */
491 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
492 guint nb_match; /* How many dissectors matched searched_name */
494 typedef struct protocol_name_search *protocol_name_search_t;
497 * This function parses all dissectors associated with a table to find the
498 * one whose protocol has the specified filter name. It is called
499 * as a reference function in a call to dissector_table_foreach_handle.
500 * The name we are looking for, as well as the results, are stored in the
501 * protocol_name_search struct pointed to by user_data.
502 * If called using dissector_table_foreach_handle, we actually parse the
503 * whole list of dissectors.
506 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
510 const gchar *protocol_filter_name;
511 protocol_name_search_t search_info;
515 search_info = (protocol_name_search_t)user_data;
517 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
518 if (proto_id != -1) {
519 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
520 g_assert(protocol_filter_name != NULL);
521 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
523 if (search_info->nb_match == 0) {
524 /* Record this handle only if this is the first match */
525 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
527 search_info->nb_match++;
533 * Allow dissector key names to be sorted alphabetically
537 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
539 return strcmp((const char*)dissector_a, (const char*)dissector_b);
543 * Print all layer type names supported.
544 * We send the output to the stream described by the handle output.
548 fprint_all_layer_types(FILE *output)
551 prev_display_dissector_name = NULL;
552 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
556 * Print all protocol names supported for a specific layer type.
557 * table_name contains the layer type name in which the search is performed.
558 * We send the output to the stream described by the handle output.
562 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
565 prev_display_dissector_name = NULL;
566 dissector_table_foreach_handle(table_name,
567 display_dissector_names,
572 * The function below parses the command-line parameters for the decode as
573 * feature (a string pointer by cl_param).
574 * It checks the format of the command-line, searches for a matching table
575 * and dissector. If a table/dissector match is not found, we display a
576 * summary of the available tables/dissectors (on stderr) and return FALSE.
577 * If everything is fine, we get the "Decode as" preference activated,
578 * then we return TRUE.
581 add_decode_as(const gchar *cl_param)
584 guint32 selector, selector2;
585 gchar *decoded_param;
586 gchar *remaining_param;
588 gchar *dissector_str;
589 dissector_handle_t dissector_matching;
590 dissector_table_t table_matching;
591 ftenum_t dissector_table_selector_type;
592 struct protocol_name_search user_protocol_name;
596 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
599 decoded_param = g_strdup(cl_param);
600 g_assert(decoded_param);
603 /* The lines below will parse this string (modifying it) to extract all
604 necessary information. Note that decoded_param is still needed since
605 strings are not copied - we just save pointers. */
607 /* This section extracts a layer type (table_name) from decoded_param */
608 table_name = decoded_param; /* Layer type string starts from beginning */
610 remaining_param = strchr(table_name, '=');
611 if (remaining_param == NULL) {
612 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
613 /* If the argument does not follow the template, carry on anyway to check
614 if the table name is at least correct. If remaining_param is NULL,
615 we'll exit anyway further down */
618 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
621 /* Remove leading and trailing spaces from the table name */
622 while ( table_name[0] == ' ' )
624 while ( table_name[strlen(table_name) - 1] == ' ' )
625 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
627 /* The following part searches a table matching with the layer type specified */
628 table_matching = NULL;
630 /* Look for the requested table */
631 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
632 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
635 table_matching = find_dissector_table(table_name);
636 if (!table_matching) {
637 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
641 if (!table_matching) {
642 /* Display a list of supported layer types to help the user, if the
643 specified layer type was not found */
644 cmdarg_err("Valid layer types are:");
645 fprint_all_layer_types(stderr);
647 if (remaining_param == NULL || !table_matching) {
648 /* Exit if the layer type was not found, or if no '=' separator was found
650 g_free(decoded_param);
654 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
655 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
658 remaining_param++; /* Move to the second '=' */
659 *remaining_param = '\0'; /* Remove the second '=' */
661 remaining_param++; /* Position after the layer type string */
663 /* This section extracts a selector value (selector_str) from decoded_param */
665 selector_str = remaining_param; /* Next part starts with the selector number */
667 remaining_param = strchr(selector_str, ',');
668 if (remaining_param == NULL) {
669 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
670 /* If the argument does not follow the template, carry on anyway to check
671 if the selector value is at least correct. If remaining_param is NULL,
672 we'll exit anyway further down */
675 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
678 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
680 switch (dissector_table_selector_type) {
686 /* The selector for this table is an unsigned number. Parse it as such.
687 There's no need to remove leading and trailing spaces from the
688 selector number string, because sscanf will do that for us. */
689 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
694 if (op != ':' && op != '-') {
695 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
696 g_free(decoded_param);
700 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
701 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
702 g_free(decoded_param);
706 else if (selector2 < selector) {
707 /* We could swap them for the user, but maybe it's better to call
708 * this out as an error in case it's not what was intended? */
709 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
710 g_free(decoded_param);
715 cmdarg_err("Invalid selector number \"%s\"", selector_str);
716 g_free(decoded_param);
725 /* The selector for this table is a string. */
729 /* There are currently no dissector tables with any types other
730 than the ones listed above. */
731 g_assert_not_reached();
734 if (remaining_param == NULL) {
735 /* Exit if no ',' separator was found (see above) */
736 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
737 fprint_all_protocols_for_layer_types(stderr, table_name);
738 g_free(decoded_param);
742 remaining_param++; /* Position after the selector number string */
744 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
746 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
748 /* Remove leading and trailing spaces from the dissector name */
749 while ( dissector_str[0] == ' ' )
751 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
752 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
754 dissector_matching = NULL;
756 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
757 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
758 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
761 user_protocol_name.nb_match = 0;
762 user_protocol_name.searched_name = dissector_str;
763 user_protocol_name.matched_handle = NULL;
765 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
767 if (user_protocol_name.nb_match != 0) {
768 dissector_matching = user_protocol_name.matched_handle;
769 if (user_protocol_name.nb_match > 1) {
770 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
774 /* OK, check whether the problem is that there isn't any such
775 protocol, or that there is but it's not specified as a protocol
776 that's valid for that dissector table.
777 Note, we don't exit here, but dissector_matching will remain NULL,
779 if (proto_get_id_by_filter_name(dissector_str) == -1) {
780 /* No such protocol */
781 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
783 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
784 dissector_str, table_name);
789 if (!dissector_matching) {
790 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
791 fprint_all_protocols_for_layer_types(stderr, table_name);
792 g_free(decoded_param);
796 /* This is the end of the code that parses the command-line options.
797 All information is now stored in the variables:
801 The above variables that are strings are still pointing to areas within
802 decoded_parm. decoded_parm thus still needs to be kept allocated in
803 until we stop needing these variables
804 decoded_param will be deallocated at each exit point of this function */
807 /* We now have a pointer to the handle for the requested dissector
808 (requested protocol) inside the variable dissector_matching */
809 switch (dissector_table_selector_type) {
815 /* The selector for this table is an unsigned number. */
817 dissector_change_uint(table_name, selector, dissector_matching);
818 } else if (op == ':') {
819 for (i = selector; i < (guint64)selector + selector2; i++) {
820 dissector_change_uint(table_name, (guint32)i, dissector_matching);
822 } else { /* op == '-' */
823 for (i = selector; i <= selector2; i++) {
824 dissector_change_uint(table_name, (guint32)i, dissector_matching);
833 /* The selector for this table is a string. */
834 dissector_change_string(table_name, selector_str, dissector_matching);
838 /* There are currently no dissector tables with any types other
839 than the ones listed above. */
840 g_assert_not_reached();
842 g_free(decoded_param); /* "Decode As" rule has been successfully added */
847 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
848 const gchar *message, gpointer user_data)
850 /* ignore log message, if log_level isn't interesting based
851 upon the console log preferences.
852 If the preferences haven't been loaded loaded yet, display the
855 The default console_log_level preference value is such that only
856 ERROR, CRITICAL and WARNING level messages are processed;
857 MESSAGE, INFO and DEBUG level messages are ignored.
859 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
860 ERROR and CRITICAL level messages so the current code is a behavioral
861 change. The current behavior is the same as in Wireshark.
863 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
864 prefs.console_log_level != 0) {
868 g_log_default_handler(log_domain, log_level, message, user_data);
873 output_file_description(const char *fname)
875 char *save_file_string;
877 /* Get a string that describes what we're writing to */
878 if (strcmp(fname, "-") == 0) {
879 /* We're writing to the standard output */
880 save_file_string = g_strdup("standard output");
882 /* We're writing to a file with the name in save_file */
883 save_file_string = g_strdup_printf("file \"%s\"", fname);
885 return save_file_string;
889 print_current_user(void) {
890 gchar *cur_user, *cur_group;
892 if (started_with_special_privs()) {
893 cur_user = get_cur_username();
894 cur_group = get_cur_groupname();
895 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
896 cur_user, cur_group);
899 if (running_with_special_privs()) {
900 fprintf(stderr, " This could be dangerous.");
902 fprintf(stderr, "\n");
907 get_tshark_compiled_version_info(GString *str)
909 /* Capture libraries */
910 get_compiled_caplibs_version(str);
913 g_string_append(str, ", ");
915 g_string_append(str, "with libz ");
917 g_string_append(str, ZLIB_VERSION);
918 #else /* ZLIB_VERSION */
919 g_string_append(str, "(version unknown)");
920 #endif /* ZLIB_VERSION */
921 #else /* HAVE_LIBZ */
922 g_string_append(str, "without libz");
923 #endif /* HAVE_LIBZ */
927 get_tshark_runtime_version_info(GString *str)
930 /* Capture libraries */
931 g_string_append(str, ", ");
932 get_runtime_caplibs_version(str);
936 #if defined(HAVE_LIBZ) && !defined(_WIN32)
937 g_string_append_printf(str, ", with libz %s", zlibVersion());
940 /* stuff used by libwireshark */
941 epan_get_runtime_version_info(str);
945 main(int argc, char *argv[])
947 GString *comp_info_str;
948 GString *runtime_info_str;
949 char *init_progfile_dir_error;
951 static const struct option long_options[] = {
952 {(char *)"help", no_argument, NULL, 'h'},
953 {(char *)"version", no_argument, NULL, 'v'},
954 LONGOPT_CAPTURE_COMMON
957 gboolean arg_error = FALSE;
963 char *gpf_path, *pf_path;
964 char *gdp_path, *dp_path;
965 int gpf_open_errno, gpf_read_errno;
966 int pf_open_errno, pf_read_errno;
967 int gdp_open_errno, gdp_read_errno;
968 int dp_open_errno, dp_read_errno;
970 volatile int exit_status = 0;
972 gboolean list_link_layer_types = FALSE;
973 gboolean start_capture = FALSE;
978 gboolean capture_option_specified = FALSE;
980 gboolean quiet = FALSE;
981 #ifdef PCAP_NG_DEFAULT
982 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
984 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
986 volatile gboolean out_file_name_res = FALSE;
987 volatile int in_file_type = WTAP_TYPE_AUTO;
988 gchar *volatile cf_name = NULL;
989 gchar *rfilter = NULL;
990 gchar *dfilter = NULL;
991 #ifdef HAVE_PCAP_OPEN_DEAD
992 struct bpf_program fcode;
994 dfilter_t *rfcode = NULL;
995 dfilter_t *dfcode = NULL;
999 gchar *output_only = NULL;
1002 * The leading + ensures that getopt_long() does not permute the argv[]
1005 * We have to make sure that the first getopt_long() preserves the content
1006 * of argv[] for the subsequent getopt_long() call.
1008 * We use getopt_long() in both cases to ensure that we're using a routine
1009 * whose permutation behavior we can control in the same fashion on all
1010 * platforms, and so that, if we ever need to process a long argument before
1011 * doing further initialization, we can do so.
1013 * Glibc and Solaris libc document that a leading + disables permutation
1014 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1015 * and OS X don't document it, but do so anyway.
1017 * We do *not* use a leading - because the behavior of a leading - is
1018 * platform-dependent.
1020 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1022 static const char optstring[] = OPTSTRING;
1024 /* Set the C-language locale to the native environment. */
1025 setlocale(LC_ALL, "");
1027 cmdarg_err_init(failure_message, failure_message_cont);
1030 arg_list_utf_16to8(argc, argv);
1031 create_app_running_mutex();
1032 #if !GLIB_CHECK_VERSION(2,31,0)
1033 g_thread_init(NULL);
1038 * Get credential information for later use, and drop privileges
1039 * before doing anything else.
1040 * Let the user know if anything happened.
1042 init_process_policies();
1043 relinquish_special_privs_perm();
1044 print_current_user();
1047 * Attempt to get the pathname of the executable file.
1049 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1050 if (init_progfile_dir_error != NULL) {
1051 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1052 init_progfile_dir_error);
1055 initialize_funnel_ops();
1058 /* Load wpcap if possible. Do this before collecting the run-time version information */
1061 /* Warn the user if npf.sys isn't loaded. */
1062 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1063 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1064 "capturing or\nlisting interfaces.\n");
1068 /* Get the compile-time version information string */
1069 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1070 epan_get_compiled_version_info);
1072 /* Get the run-time version information string */
1073 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1075 /* Add it to the information to be reported on a crash. */
1076 ws_add_crash_info("TShark (Wireshark) %s\n"
1081 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1084 * In order to have the -X opts assigned before the wslua machine starts
1085 * we need to call getopt_long before epan_init() gets called.
1087 * In order to handle, for example, -o options, we also need to call it
1088 * *after* epan_init() gets called, so that the dissectors have had a
1089 * chance to register their preferences.
1091 * XXX - can we do this all with one getopt_long() call, saving the
1092 * arguments we can't handle until after initializing libwireshark,
1093 * and then process them after initializing libwireshark?
1097 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1099 case 'C': /* Configuration Profile */
1100 if (profile_exists (optarg, FALSE)) {
1101 set_profile_name (optarg);
1103 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1107 case 'P': /* Print packet summary info even when writing to a file */
1108 print_packet_info = TRUE;
1109 print_summary = TRUE;
1111 case 'O': /* Only output these protocols */
1112 output_only = g_strdup(optarg);
1114 case 'V': /* Verbose */
1115 print_details = TRUE;
1116 print_packet_info = TRUE;
1118 case 'x': /* Print packet data in hex (and ASCII) */
1120 /* The user asked for hex output, so let's ensure they get it,
1121 * even if they're writing to a file.
1123 print_packet_info = TRUE;
1134 * Print packet summary information is the default, unless either -V or -x
1135 * were specified and -P was not. Note that this is new behavior, which
1136 * allows for the possibility of printing only hex/ascii output without
1137 * necessarily requiring that either the summary or details be printed too.
1139 if (print_summary == -1)
1140 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1142 /** Send All g_log messages to our own handler **/
1146 G_LOG_LEVEL_CRITICAL|
1147 G_LOG_LEVEL_WARNING|
1148 G_LOG_LEVEL_MESSAGE|
1151 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1153 g_log_set_handler(NULL,
1154 (GLogLevelFlags)log_flags,
1155 tshark_log_handler, NULL /* user_data */);
1156 g_log_set_handler(LOG_DOMAIN_MAIN,
1157 (GLogLevelFlags)log_flags,
1158 tshark_log_handler, NULL /* user_data */);
1161 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1162 (GLogLevelFlags)log_flags,
1163 tshark_log_handler, NULL /* user_data */);
1164 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1165 (GLogLevelFlags)log_flags,
1166 tshark_log_handler, NULL /* user_data */);
1169 init_report_err(failure_message, open_failure_message, read_failure_message,
1170 write_failure_message);
1173 capture_opts_init(&global_capture_opts);
1174 capture_session_init(&global_capture_session, &cfile);
1177 timestamp_set_type(TS_RELATIVE);
1178 timestamp_set_precision(TS_PREC_AUTO);
1179 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1181 init_open_routines();
1184 /* Register all the plugin types we have. */
1185 epan_register_plugin_types(); /* Types known to libwireshark */
1186 wtap_register_plugin_types(); /* Types known to libwiretap */
1188 /* Scan for plugins. This does *not* call their registration routines;
1189 that's done later. */
1192 /* Register all libwiretap plugin modules. */
1193 register_all_wiretap_modules();
1196 /* Register all dissectors; we must do this before checking for the
1197 "-G" flag, as the "-G" flag dumps information registered by the
1198 dissectors, and we must do it before we read the preferences, in
1199 case any dissectors register preferences. */
1200 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1202 /* Register all tap listeners; we do this before we parse the arguments,
1203 as the "-z" argument can specify a registered tap. */
1205 /* we register the plugin taps before the other taps because
1206 stats_tree taps plugins will be registered as tap listeners
1207 by stats_tree_stat.c and need to registered before that */
1209 register_all_plugin_tap_listeners();
1211 register_all_tap_listeners();
1212 conversation_table_set_gui_info(init_iousers);
1213 hostlist_table_set_gui_info(init_hostlists);
1215 /* If invoked with the "-G" flag, we dump out information based on
1216 the argument to the "-G" flag; if no argument is specified,
1217 for backwards compatibility we dump out a glossary of display
1220 XXX - we do this here, for now, to support "-G" with no arguments.
1221 If none of our build or other processes uses "-G" with no arguments,
1222 we can just process it with the other arguments. */
1223 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1224 proto_initialize_all_prefixes();
1227 proto_registrar_dump_fields();
1229 if (strcmp(argv[2], "column-formats") == 0)
1230 column_dump_column_formats();
1231 else if (strcmp(argv[2], "currentprefs") == 0) {
1232 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1233 &pf_open_errno, &pf_read_errno, &pf_path);
1236 else if (strcmp(argv[2], "decodes") == 0)
1237 dissector_dump_decodes();
1238 else if (strcmp(argv[2], "defaultprefs") == 0)
1240 else if (strcmp(argv[2], "dissector-tables") == 0)
1241 dissector_dump_dissector_tables();
1242 else if (strcmp(argv[2], "fields") == 0)
1243 proto_registrar_dump_fields();
1244 else if (strcmp(argv[2], "ftypes") == 0)
1245 proto_registrar_dump_ftypes();
1246 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1247 dissector_dump_heur_decodes();
1248 else if (strcmp(argv[2], "plugins") == 0) {
1253 wslua_plugins_dump_all();
1256 else if (strcmp(argv[2], "protocols") == 0)
1257 proto_registrar_dump_protocols();
1258 else if (strcmp(argv[2], "values") == 0)
1259 proto_registrar_dump_values();
1260 else if (strcmp(argv[2], "?") == 0)
1261 glossary_option_help();
1262 else if (strcmp(argv[2], "-?") == 0)
1263 glossary_option_help();
1265 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1272 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1273 &pf_open_errno, &pf_read_errno, &pf_path);
1274 if (gpf_path != NULL) {
1275 if (gpf_open_errno != 0) {
1276 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1277 pf_path, g_strerror(gpf_open_errno));
1279 if (gpf_read_errno != 0) {
1280 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1281 pf_path, g_strerror(gpf_read_errno));
1284 if (pf_path != NULL) {
1285 if (pf_open_errno != 0) {
1286 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1287 g_strerror(pf_open_errno));
1289 if (pf_read_errno != 0) {
1290 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1291 pf_path, g_strerror(pf_read_errno));
1297 /* Read the disabled protocols file. */
1298 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1299 &dp_path, &dp_open_errno, &dp_read_errno);
1300 if (gdp_path != NULL) {
1301 if (gdp_open_errno != 0) {
1302 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1303 gdp_path, g_strerror(gdp_open_errno));
1305 if (gdp_read_errno != 0) {
1306 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1307 gdp_path, g_strerror(gdp_read_errno));
1311 if (dp_path != NULL) {
1312 if (dp_open_errno != 0) {
1314 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1315 g_strerror(dp_open_errno));
1317 if (dp_read_errno != 0) {
1319 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1320 g_strerror(dp_read_errno));
1325 cap_file_init(&cfile);
1327 /* Print format defaults to this. */
1328 print_format = PR_FMT_TEXT;
1330 output_fields = output_fields_new();
1333 * To reset the options parser, set optreset to 1 on platforms that
1334 * have optreset (documented in *BSD and OS X, apparently present but
1335 * not documented in Solaris - the Illumos repository seems to
1336 * suggest that the first Solaris getopt_long(), at least as of 2004,
1337 * was based on the NetBSD one, it had optreset) and set optind to 1,
1338 * and set optind to 0 otherwise (documented as working in the GNU
1339 * getopt_long(). Setting optind to 0 didn't originally work in the
1340 * NetBSD one, but that was added later - we don't want to depend on
1341 * it if we have optreset).
1343 * Also reset opterr to 1, so that error messages are printed by
1346 #ifdef HAVE_OPTRESET
1354 /* Now get our args */
1355 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1357 case '2': /* Perform two pass analysis */
1358 perform_two_pass_analysis = TRUE;
1360 case 'a': /* autostop criteria */
1361 case 'b': /* Ringbuffer option */
1362 case 'c': /* Capture x packets */
1363 case 'f': /* capture filter */
1364 case 'g': /* enable group read access on file(s) */
1365 case 'i': /* Use interface x */
1366 case 'p': /* Don't capture in promiscuous mode */
1367 #ifdef HAVE_PCAP_REMOTE
1368 case 'A': /* Authentication */
1370 #ifdef HAVE_PCAP_CREATE
1371 case 'I': /* Capture in monitor mode, if available */
1373 case 's': /* Set the snapshot (capture) length */
1374 case 'w': /* Write to capture file x */
1375 case 'y': /* Set the pcap data link type */
1376 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1377 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1378 case 'B': /* Buffer size */
1379 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1381 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1388 * Output file name, if we're reading a file and writing to another
1391 output_file_name = optarg;
1393 capture_option_specified = TRUE;
1399 /* already processed; just ignore it now */
1401 case 'd': /* Decode as rule */
1402 if (!add_decode_as(optarg))
1405 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1406 case 'K': /* Kerberos keytab file */
1407 read_keytab_file(optarg);
1410 case 'D': /* Print a list of capture devices and exit */
1412 if_list = capture_interface_list(&err, &err_str,NULL);
1413 if (if_list == NULL) {
1415 cmdarg_err("There are no interfaces on which a capture can be done");
1417 cmdarg_err("%s", err_str);
1422 capture_opts_print_interfaces(if_list);
1423 free_interface_list(if_list);
1426 capture_option_specified = TRUE;
1432 output_fields_add(output_fields, optarg);
1436 if (!output_fields_set_option(output_fields, optarg)) {
1437 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1438 output_fields_list_options(stderr);
1443 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1444 if (out_file_type < 0) {
1445 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1446 list_capture_types();
1450 case 'W': /* Select extra information to save in our capture file */
1451 /* This is patterned after the -N flag which may not be the best idea. */
1452 if (strchr(optarg, 'n')) {
1453 out_file_name_res = TRUE;
1455 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1456 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1460 case 'H': /* Read address to name mappings from a hosts file */
1461 if (! add_hosts_file(optarg))
1463 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1466 out_file_name_res = TRUE;
1469 case 'h': /* Print help and exit */
1470 printf("TShark (Wireshark) %s\n"
1471 "Dump and analyze network traffic.\n"
1472 "See http://www.wireshark.org for more information.\n",
1473 get_ws_vcs_version_info());
1474 print_usage(stdout);
1477 case 'l': /* "Line-buffer" standard output */
1478 /* This isn't line-buffering, strictly speaking, it's just
1479 flushing the standard output after the information for
1480 each packet is printed; however, that should be good
1481 enough for all the purposes to which "-l" is put (and
1482 is probably actually better for "-V", as it does fewer
1485 See the comment in "process_packet()" for an explanation of
1486 why we do that, and why we don't just use "setvbuf()" to
1487 make the standard output line-buffered (short version: in
1488 Windows, "line-buffered" is the same as "fully-buffered",
1489 and the output buffer is only flushed when it fills up). */
1490 line_buffered = TRUE;
1492 case 'L': /* Print list of link-layer types and exit */
1494 list_link_layer_types = TRUE;
1496 capture_option_specified = TRUE;
1500 case 'n': /* No name resolution */
1501 gbl_resolv_flags.mac_name = FALSE;
1502 gbl_resolv_flags.network_name = FALSE;
1503 gbl_resolv_flags.transport_name = FALSE;
1504 gbl_resolv_flags.concurrent_dns = FALSE;
1506 case 'N': /* Select what types of addresses/port #s to resolve */
1507 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1508 if (badopt != '\0') {
1509 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1511 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1512 "\t'm' to enable MAC address resolution\n"
1513 "\t'n' to enable network address resolution\n"
1514 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1515 "\t for network address resolution\n"
1516 "\t't' to enable transport-layer port number resolution");
1520 case 'o': /* Override preference from command line */
1521 switch (prefs_set_pref(optarg)) {
1526 case PREFS_SET_SYNTAX_ERR:
1527 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1531 case PREFS_SET_NO_SUCH_PREF:
1532 case PREFS_SET_OBSOLETE:
1533 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1538 case 'q': /* Quiet */
1541 case 'Q': /* Really quiet */
1543 really_quiet = TRUE;
1545 case 'r': /* Read capture file x */
1546 cf_name = g_strdup(optarg);
1548 case 'R': /* Read file filter */
1552 /* already processed; just ignore it now */
1554 case 'S': /* Set the line Separator to be printed between packets */
1557 case 't': /* Time stamp type */
1558 if (strcmp(optarg, "r") == 0)
1559 timestamp_set_type(TS_RELATIVE);
1560 else if (strcmp(optarg, "a") == 0)
1561 timestamp_set_type(TS_ABSOLUTE);
1562 else if (strcmp(optarg, "ad") == 0)
1563 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1564 else if (strcmp(optarg, "adoy") == 0)
1565 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1566 else if (strcmp(optarg, "d") == 0)
1567 timestamp_set_type(TS_DELTA);
1568 else if (strcmp(optarg, "dd") == 0)
1569 timestamp_set_type(TS_DELTA_DIS);
1570 else if (strcmp(optarg, "e") == 0)
1571 timestamp_set_type(TS_EPOCH);
1572 else if (strcmp(optarg, "u") == 0)
1573 timestamp_set_type(TS_UTC);
1574 else if (strcmp(optarg, "ud") == 0)
1575 timestamp_set_type(TS_UTC_WITH_YMD);
1576 else if (strcmp(optarg, "udoy") == 0)
1577 timestamp_set_type(TS_UTC_WITH_YDOY);
1579 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1580 cmdarg_err_cont("\t\"a\" for absolute\n"
1581 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1582 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1583 "\t\"d\" for delta\n"
1584 "\t\"dd\" for delta displayed\n"
1585 "\t\"e\" for epoch\n"
1586 "\t\"r\" for relative\n"
1587 "\t\"u\" for absolute UTC\n"
1588 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1589 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1593 case 'T': /* printing Type */
1594 print_packet_info = TRUE;
1595 if (strcmp(optarg, "text") == 0) {
1596 output_action = WRITE_TEXT;
1597 print_format = PR_FMT_TEXT;
1598 } else if (strcmp(optarg, "ps") == 0) {
1599 output_action = WRITE_TEXT;
1600 print_format = PR_FMT_PS;
1601 } else if (strcmp(optarg, "pdml") == 0) {
1602 output_action = WRITE_XML;
1603 print_details = TRUE; /* Need details */
1604 print_summary = FALSE; /* Don't allow summary */
1605 } else if (strcmp(optarg, "psml") == 0) {
1606 output_action = WRITE_XML;
1607 print_details = FALSE; /* Don't allow details */
1608 print_summary = TRUE; /* Need summary */
1609 } else if (strcmp(optarg, "fields") == 0) {
1610 output_action = WRITE_FIELDS;
1611 print_details = TRUE; /* Need full tree info */
1612 print_summary = FALSE; /* Don't allow summary */
1614 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1615 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1616 "\t specified by the -E option.\n"
1617 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1618 "\t details of a decoded packet. This information is equivalent to\n"
1619 "\t the packet details printed with the -V flag.\n"
1620 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1621 "\t the packets, or a multi-line view of the details of each of\n"
1622 "\t the packets, depending on whether the -V flag was specified.\n"
1623 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1624 "\t summary information of a decoded packet. This information is\n"
1625 "\t equivalent to the information shown in the one-line summary\n"
1626 "\t printed by default.\n"
1627 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1628 "\t packets, or a multi-line view of the details of each of the\n"
1629 "\t packets, depending on whether the -V flag was specified.\n"
1630 "\t This is the default.");
1634 case 'u': /* Seconds type */
1635 if (strcmp(optarg, "s") == 0)
1636 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1637 else if (strcmp(optarg, "hms") == 0)
1638 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1640 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1641 cmdarg_err_cont("\t\"s\" for seconds\n"
1642 "\t\"hms\" for hours, minutes and seconds");
1646 case 'v': /* Show version and exit */
1648 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1649 g_string_free(comp_info_str, TRUE);
1650 g_string_free(runtime_info_str, TRUE);
1651 /* We don't really have to cleanup here, but it's a convenient way to test
1652 * start-up and shut-down of the epan library without any UI-specific
1653 * cruft getting in the way. Makes the results of running
1654 * $ ./tools/valgrind-wireshark -n
1655 * much more useful. */
1659 case 'O': /* Only output these protocols */
1660 /* already processed; just ignore it now */
1662 case 'V': /* Verbose */
1663 /* already processed; just ignore it now */
1665 case 'x': /* Print packet data in hex (and ASCII) */
1666 /* already processed; just ignore it now */
1669 /* already processed; just ignore it now */
1675 /* We won't call the init function for the stat this soon
1676 as it would disallow MATE's fields (which are registered
1677 by the preferences set callback) from being used as
1678 part of a tap filter. Instead, we just add the argument
1679 to a list of stat arguments. */
1680 if (strcmp("help", optarg) == 0) {
1681 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1682 list_stat_cmd_args();
1685 if (!process_stat_cmd_arg(optarg)) {
1686 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1687 list_stat_cmd_args();
1692 case '?': /* Bad flag - print usage message */
1695 list_capture_types();
1698 print_usage(stderr);
1705 /* If we specified output fields, but not the output field type... */
1706 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1707 cmdarg_err("Output fields were specified with \"-e\", "
1708 "but \"-Tfields\" was not specified.");
1710 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1711 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1712 "specified with \"-e\".");
1717 /* If no capture filter or display filter has been specified, and there are
1718 still command-line arguments, treat them as the tokens of a capture
1719 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1720 flag was specified. */
1721 if (optind < argc) {
1722 if (cf_name != NULL) {
1723 if (dfilter != NULL) {
1724 cmdarg_err("Display filters were specified both with \"-d\" "
1725 "and with additional command-line arguments.");
1728 dfilter = get_args_as_string(argc, argv, optind);
1733 if (global_capture_opts.default_options.cfilter) {
1734 cmdarg_err("A default capture filter was specified both with \"-f\""
1735 " and with additional command-line arguments.");
1738 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1739 interface_options interface_opts;
1740 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1741 if (interface_opts.cfilter == NULL) {
1742 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1743 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1744 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1746 cmdarg_err("A capture filter was specified both with \"-f\""
1747 " and with additional command-line arguments.");
1751 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1753 capture_option_specified = TRUE;
1759 if (!global_capture_opts.saving_to_file) {
1760 /* We're not saving the capture to a file; if "-q" wasn't specified,
1761 we should print packet information */
1763 print_packet_info = TRUE;
1765 /* We're saving to a file; if we're writing to the standard output.
1766 and we'll also be writing dissected packets to the standard
1767 output, reject the request. At best, we could redirect that
1768 to the standard error; we *can't* write both to the standard
1769 output and have either of them be useful. */
1770 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1771 cmdarg_err("You can't write both raw packet data and dissected packets"
1772 " to the standard output.");
1777 /* We're not saving the capture to a file; if "-q" wasn't specified,
1778 we should print packet information */
1780 print_packet_info = TRUE;
1783 #ifndef HAVE_LIBPCAP
1784 if (capture_option_specified)
1785 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1788 print_usage(stderr);
1793 if (output_action != WRITE_TEXT) {
1794 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1799 if (output_only != NULL) {
1802 if (!print_details) {
1803 cmdarg_err("-O requires -V");
1807 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1808 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1809 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1813 if (rfilter != NULL && !perform_two_pass_analysis) {
1814 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1819 if (list_link_layer_types) {
1820 /* We're supposed to list the link-layer types for an interface;
1821 did the user also specify a capture file to be read? */
1823 /* Yes - that's bogus. */
1824 cmdarg_err("You can't specify -L and a capture file to be read.");
1827 /* No - did they specify a ring buffer option? */
1828 if (global_capture_opts.multi_files_on) {
1829 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1835 * "-r" was specified, so we're reading a capture file.
1836 * Capture options don't apply here.
1839 /* We don't support capture filters when reading from a capture file
1840 (the BPF compiler doesn't support all link-layer types that we
1841 support in capture files we read). */
1842 if (global_capture_opts.default_options.cfilter) {
1843 cmdarg_err("Only read filters, not capture filters, "
1844 "can be specified when reading a capture file.");
1847 if (global_capture_opts.multi_files_on) {
1848 cmdarg_err("Multiple capture files requested, but "
1849 "a capture isn't being done.");
1852 if (global_capture_opts.has_file_duration) {
1853 cmdarg_err("Switching capture files after a time interval was specified, but "
1854 "a capture isn't being done.");
1857 if (global_capture_opts.has_ring_num_files) {
1858 cmdarg_err("A ring buffer of capture files was specified, but "
1859 "a capture isn't being done.");
1862 if (global_capture_opts.has_autostop_files) {
1863 cmdarg_err("A maximum number of capture files was specified, but "
1864 "a capture isn't being done.");
1867 if (global_capture_opts.capture_comment) {
1868 cmdarg_err("A capture comment was specified, but "
1869 "a capture isn't being done.\nThere's no support for adding "
1870 "a capture comment to an existing capture file.");
1874 /* Note: TShark now allows the restriction of a _read_ file by packet count
1875 * and byte count as well as a write file. Other autostop options remain valid
1876 * only for a write file.
1878 if (global_capture_opts.has_autostop_duration) {
1879 cmdarg_err("A maximum capture time was specified, but "
1880 "a capture isn't being done.");
1885 * "-r" wasn't specified, so we're doing a live capture.
1887 if (perform_two_pass_analysis) {
1888 /* Two-pass analysis doesn't work with live capture since it requires us
1889 * to buffer packets until we've read all of them, but a live capture
1890 * has no useful/meaningful definition of "all" */
1891 cmdarg_err("Live captures do not support two-pass analysis.");
1895 if (global_capture_opts.saving_to_file) {
1896 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1898 /* When capturing, we only support writing pcap or pcap-ng format. */
1899 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1900 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1901 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1904 if (global_capture_opts.capture_comment &&
1905 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1906 cmdarg_err("A capture comment can only be written to a pcapng file.");
1909 if (global_capture_opts.multi_files_on) {
1910 /* Multiple-file mode doesn't work under certain conditions:
1911 a) it doesn't work if you're writing to the standard output;
1912 b) it doesn't work if you're writing to a pipe;
1914 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1915 cmdarg_err("Multiple capture files requested, but "
1916 "the capture is being written to the standard output.");
1919 if (global_capture_opts.output_to_pipe) {
1920 cmdarg_err("Multiple capture files requested, but "
1921 "the capture file is a pipe.");
1924 if (!global_capture_opts.has_autostop_filesize &&
1925 !global_capture_opts.has_file_duration) {
1926 cmdarg_err("Multiple capture files requested, but "
1927 "no maximum capture file size or duration was specified.");
1931 /* Currently, we don't support read or display filters when capturing
1932 and saving the packets. */
1933 if (rfilter != NULL) {
1934 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1937 if (dfilter != NULL) {
1938 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1941 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1943 /* They didn't specify a "-w" flag, so we won't be saving to a
1944 capture file. Check for options that only make sense if
1945 we're saving to a file. */
1946 if (global_capture_opts.has_autostop_filesize) {
1947 cmdarg_err("Maximum capture file size specified, but "
1948 "capture isn't being saved to a file.");
1951 if (global_capture_opts.multi_files_on) {
1952 cmdarg_err("Multiple capture files requested, but "
1953 "the capture isn't being saved to a file.");
1956 if (global_capture_opts.capture_comment) {
1957 cmdarg_err("A capture comment was specified, but "
1958 "the capture isn't being saved to a file.");
1967 /* Start windows sockets */
1968 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1971 /* Notify all registered modules that have had any of their preferences
1972 changed either from one of the preferences file or from the command
1973 line that their preferences have changed. */
1976 /* At this point MATE will have registered its field array so we can
1977 have a tap filter with one of MATE's late-registered fields as part
1978 of the filter. We can now process all the "-z" arguments. */
1979 start_requested_stats();
1981 /* At this point MATE will have registered its field array so we can
1982 check if the fields specified by the user are all good.
1984 if (!output_fields_valid(output_fields)) {
1985 cmdarg_err("Some fields aren't valid");
1990 /* We currently don't support taps, or printing dissected packets,
1991 if we're writing to a pipe. */
1992 if (global_capture_opts.saving_to_file &&
1993 global_capture_opts.output_to_pipe) {
1994 if (tap_listeners_require_dissection()) {
1995 cmdarg_err("Taps aren't supported when saving to a pipe.");
1998 if (print_packet_info) {
1999 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2005 if (ex_opt_count("read_format") > 0) {
2006 const gchar* name = ex_opt_get_next("read_format");
2007 in_file_type = open_info_name_to_type(name);
2008 if (in_file_type == WTAP_TYPE_AUTO) {
2009 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2010 list_read_capture_types();
2015 /* disabled protocols as per configuration file */
2016 if (gdp_path == NULL && dp_path == NULL) {
2017 set_disabled_protos_list();
2020 /* Build the column format array */
2021 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2024 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2025 capture_opts_trim_ring_num_files(&global_capture_opts);
2028 if (rfilter != NULL) {
2029 if (!dfilter_compile(rfilter, &rfcode)) {
2030 cmdarg_err("%s", dfilter_error_msg);
2032 #ifdef HAVE_PCAP_OPEN_DEAD
2036 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2038 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2040 " Note: That read filter code looks like a valid capture filter;\n"
2041 " maybe you mixed them up?");
2050 cfile.rfcode = rfcode;
2052 if (dfilter != NULL) {
2053 if (!dfilter_compile(dfilter, &dfcode)) {
2054 cmdarg_err("%s", dfilter_error_msg);
2056 #ifdef HAVE_PCAP_OPEN_DEAD
2060 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2062 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2064 " Note: That display filter code looks like a valid capture filter;\n"
2065 " maybe you mixed them up?");
2074 cfile.dfcode = dfcode;
2076 if (print_packet_info) {
2077 /* If we're printing as text or PostScript, we have
2078 to create a print stream. */
2079 if (output_action == WRITE_TEXT) {
2080 switch (print_format) {
2083 print_stream = print_stream_text_stdio_new(stdout);
2087 print_stream = print_stream_ps_stdio_new(stdout);
2091 g_assert_not_reached();
2096 /* We have to dissect each packet if:
2098 we're printing information about each packet;
2100 we're using a read filter on the packets;
2102 we're using a display filter on the packets;
2104 we're using any taps that need dissection. */
2105 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2109 * We're reading a capture file.
2111 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2116 /* Process the packets in the file */
2119 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2120 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2121 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2123 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2126 CATCH(OutOfMemoryError) {
2130 "Sorry, but TShark has to terminate now.\n"
2132 "More information and workarounds can be found at\n"
2133 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2138 /* We still dump out the results of taps, etc., as we might have
2139 read some packets; however, we exit with an error status. */
2143 /* No capture file specified, so we're supposed to do a live capture
2144 or get a list of link-layer types for a live capture device;
2145 do we have support for live captures? */
2147 /* if no interface was specified, pick a default */
2148 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2149 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2150 if (exit_status != 0)
2153 /* if requested, list the link layer types and exit */
2154 if (list_link_layer_types) {
2157 /* Get the list of link-layer types for the capture devices. */
2158 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2159 interface_options interface_opts;
2160 if_capabilities_t *caps;
2162 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2163 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2165 cmdarg_err("%s", err_str);
2169 if (caps->data_link_types == NULL) {
2170 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2173 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2174 free_if_capabilities(caps);
2180 * If the standard error isn't a terminal, don't print packet counts,
2181 * as they won't show up on the user's terminal and they'll get in
2182 * the way of error messages in the file (to which we assume the
2183 * standard error was redirected; if it's redirected to the null
2184 * device, there's no point in printing packet counts anyway).
2186 * Otherwise, if we're printing packet information and the standard
2187 * output is a terminal (which we assume means the standard output and
2188 * error are going to the same terminal), don't print packet counts,
2189 * as they'll get in the way of the packet information.
2191 * Otherwise, if the user specified -q, don't print packet counts.
2193 * Otherwise, print packet counts.
2195 * XXX - what if the user wants to do a live capture, doesn't want
2196 * to save it to a file, doesn't want information printed for each
2197 * packet, does want some "-z" statistic, and wants packet counts
2198 * so they know whether they're seeing any packets? -q will
2199 * suppress the information printed for each packet, but it'll
2200 * also suppress the packet counts.
2202 if (!isatty(fileno(stderr)))
2203 print_packet_counts = FALSE;
2204 else if (print_packet_info && isatty(fileno(stdout)))
2205 print_packet_counts = FALSE;
2207 print_packet_counts = FALSE;
2209 print_packet_counts = TRUE;
2211 if (print_packet_info) {
2212 if (!write_preamble(&cfile)) {
2213 show_print_file_io_error(errno);
2219 * XXX - this returns FALSE if an error occurred, but it also
2220 * returns FALSE if the capture stops because a time limit
2221 * was reached (and possibly other limits), so we can't assume
2222 * it means an error.
2224 * The capture code is a bit twisty, so it doesn't appear to
2225 * be an easy fix. We just ignore the return value for now.
2226 * Instead, pass on the exit status from the capture child.
2229 exit_status = global_capture_session.fork_child_status;
2231 if (print_packet_info) {
2232 if (!write_finale()) {
2234 show_print_file_io_error(err);
2238 /* No - complain. */
2239 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2246 if (cfile.frames != NULL) {
2247 free_frame_data_sequence(cfile.frames);
2248 cfile.frames = NULL;
2251 draw_tap_listeners(TRUE);
2252 funnel_dump_all_text_windows();
2253 epan_free(cfile.epan);
2256 output_fields_free(output_fields);
2257 output_fields = NULL;
2262 /*#define USE_BROKEN_G_MAIN_LOOP*/
2264 #ifdef USE_BROKEN_G_MAIN_LOOP
2267 gboolean loop_running = FALSE;
2269 guint32 packet_count = 0;
2272 typedef struct pipe_input_tag {
2276 pipe_input_cb_t input_cb;
2277 guint pipe_input_id;
2279 GMutex *callback_running;
2283 static pipe_input_t pipe_input;
2286 /* The timer has expired, see if there's stuff to read from the pipe,
2287 if so, do the callback */
2289 pipe_timer_cb(gpointer data)
2295 pipe_input_t *pipe_input_p = data;
2296 gint iterations = 0;
2298 g_mutex_lock (pipe_input_p->callback_running);
2300 /* try to read data from the pipe only 5 times, to avoid blocking */
2301 while(iterations < 5) {
2302 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2304 /* Oddly enough although Named pipes don't work on win9x,
2305 PeekNamedPipe does !!! */
2306 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2307 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2309 /* Get the child process exit status */
2310 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2313 /* If the Peek returned an error, or there are bytes to be read
2314 or the childwatcher thread has terminated then call the normal
2316 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2318 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2320 /* And call the real handler */
2321 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2322 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2323 /* pipe closed, return false so that the timer is stopped */
2324 g_mutex_unlock (pipe_input_p->callback_running);
2329 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2330 /* No data, stop now */
2337 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2339 g_mutex_unlock (pipe_input_p->callback_running);
2341 /* we didn't stopped the timer, so let it run */
2348 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2351 pipe_input.source = source;
2352 pipe_input.child_process = child_process;
2353 pipe_input.user_data = user_data;
2354 pipe_input.input_cb = input_cb;
2357 #if GLIB_CHECK_VERSION(2,31,0)
2358 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2359 g_mutex_init(pipe_input.callback_running);
2361 pipe_input.callback_running = g_mutex_new();
2363 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2364 do this but that doesn't cover all win32 platforms. GTK can do
2365 this but doesn't seem to work over processes. Attempt to do
2366 something similar here, start a timer and check for data on every
2368 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2369 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2373 static const nstime_t *
2374 tshark_get_frame_ts(void *data, guint32 frame_num)
2376 capture_file *cf = (capture_file *) data;
2378 if (ref && ref->num == frame_num)
2379 return &ref->abs_ts;
2381 if (prev_dis && prev_dis->num == frame_num)
2382 return &prev_dis->abs_ts;
2384 if (prev_cap && prev_cap->num == frame_num)
2385 return &prev_cap->abs_ts;
2388 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2390 return (fd) ? &fd->abs_ts : NULL;
2397 tshark_epan_new(capture_file *cf)
2399 epan_t *epan = epan_new();
2402 epan->get_frame_ts = tshark_get_frame_ts;
2403 epan->get_interface_name = cap_file_get_interface_name;
2404 epan->get_user_comment = NULL;
2415 GString *str = g_string_new("");
2416 #ifdef USE_TSHARK_SELECT
2420 struct sigaction action, oldaction;
2423 /* Create new dissection section. */
2424 epan_free(cfile.epan);
2425 cfile.epan = tshark_epan_new(&cfile);
2428 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2429 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2431 /* Catch SIGINT and SIGTERM and, if we get either of them,
2432 clean up and exit. If SIGHUP isn't being ignored, catch
2433 it too and, if we get it, clean up and exit.
2435 We restart any read that was in progress, so that it doesn't
2436 disrupt reading from the sync pipe. The signal handler tells
2437 the capture child to finish; it will report that it finished,
2438 or will exit abnormally, so we'll stop reading from the sync
2439 pipe, pick up the exit status, and quit. */
2440 memset(&action, 0, sizeof(action));
2441 action.sa_handler = capture_cleanup;
2442 action.sa_flags = SA_RESTART;
2443 sigemptyset(&action.sa_mask);
2444 sigaction(SIGTERM, &action, NULL);
2445 sigaction(SIGINT, &action, NULL);
2446 sigaction(SIGHUP, NULL, &oldaction);
2447 if (oldaction.sa_handler == SIG_DFL)
2448 sigaction(SIGHUP, &action, NULL);
2451 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2452 quiet mode, report the number of packets we've captured.
2454 Again, restart any read that was in progress, so that it doesn't
2455 disrupt reading from the sync pipe. */
2456 action.sa_handler = report_counts_siginfo;
2457 action.sa_flags = SA_RESTART;
2458 sigemptyset(&action.sa_mask);
2459 sigaction(SIGINFO, &action, NULL);
2460 #endif /* SIGINFO */
2463 global_capture_session.state = CAPTURE_PREPARING;
2465 /* Let the user know which interfaces were chosen. */
2466 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2467 interface_options interface_opts;
2469 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2470 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2471 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2472 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2475 if (global_capture_opts.ifaces->len < 2)
2477 if (global_capture_opts.ifaces->len < 4)
2480 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2481 interface_options interface_opts;
2483 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2485 if (global_capture_opts.ifaces->len > 2) {
2486 g_string_append_printf(str, ",");
2488 g_string_append_printf(str, " ");
2489 if (i == global_capture_opts.ifaces->len - 1) {
2490 g_string_append_printf(str, "and ");
2493 g_string_append_printf(str, "'%s'", interface_opts.descr);
2496 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2498 if (really_quiet == FALSE)
2499 fprintf(stderr, "Capturing on %s\n", str->str);
2501 g_string_free(str, TRUE);
2503 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2508 /* the actual capture loop
2510 * XXX - glib doesn't seem to provide any event based loop handling.
2512 * XXX - for whatever reason,
2513 * calling g_main_loop_new() ends up in 100% cpu load.
2515 * But that doesn't matter: in UNIX we can use select() to find an input
2516 * source with something to do.
2518 * But that doesn't matter because we're in a CLI (that doesn't need to
2519 * update a GUI or something at the same time) so it's OK if we block
2520 * trying to read from the pipe.
2522 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2523 * wrong (but I leave it there in case I am...).
2526 #ifdef USE_TSHARK_SELECT
2528 FD_SET(pipe_input.source, &readfds);
2531 loop_running = TRUE;
2535 while (loop_running)
2537 #ifdef USE_TSHARK_SELECT
2538 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2542 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2544 } else if (ret == 1) {
2546 /* Call the real handler */
2547 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2548 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2551 #ifdef USE_TSHARK_SELECT
2556 CATCH(OutOfMemoryError) {
2560 "Sorry, but TShark has to terminate now.\n"
2562 "More information and workarounds can be found at\n"
2563 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2570 /* capture child detected an error */
2572 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2574 cmdarg_err("%s", error_msg);
2575 cmdarg_err_cont("%s", secondary_error_msg);
2579 /* capture child detected an capture filter related error */
2581 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2583 capture_options *capture_opts = cap_session->capture_opts;
2584 dfilter_t *rfcode = NULL;
2585 interface_options interface_opts;
2587 g_assert(i < capture_opts->ifaces->len);
2588 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2590 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2592 "Invalid capture filter \"%s\" for interface '%s'.\n"
2594 "That string looks like a valid display filter; however, it isn't a valid\n"
2595 "capture filter (%s).\n"
2597 "Note that display filters and capture filters don't have the same syntax,\n"
2598 "so you can't use most display filter expressions as capture filters.\n"
2600 "See the User's Guide for a description of the capture filter syntax.",
2601 interface_opts.cfilter, interface_opts.descr, error_message);
2602 dfilter_free(rfcode);
2605 "Invalid capture filter \"%s\" for interface '%s'.\n"
2607 "That string isn't a valid capture filter (%s).\n"
2608 "See the User's Guide for a description of the capture filter syntax.",
2609 interface_opts.cfilter, interface_opts.descr, error_message);
2614 /* capture child tells us we have a new (or the first) capture file */
2616 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2618 capture_options *capture_opts = cap_session->capture_opts;
2619 capture_file *cf = (capture_file *) cap_session->cf;
2620 gboolean is_tempfile;
2623 if (cap_session->state == CAPTURE_PREPARING) {
2624 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2626 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2628 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2630 /* free the old filename */
2631 if (capture_opts->save_file != NULL) {
2633 /* we start a new capture file, close the old one (if we had one before) */
2634 if (cf->state != FILE_CLOSED) {
2635 if (cf->wth != NULL) {
2636 wtap_close(cf->wth);
2639 cf->state = FILE_CLOSED;
2642 g_free(capture_opts->save_file);
2643 is_tempfile = FALSE;
2645 epan_free(cf->epan);
2646 cf->epan = tshark_epan_new(cf);
2648 /* we didn't had a save_file before, must be a tempfile */
2652 /* save the new filename */
2653 capture_opts->save_file = g_strdup(new_file);
2655 /* if we are in real-time mode, open the new file now */
2656 if (do_dissection) {
2657 /* this is probably unecessary, but better safe than sorry */
2658 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2659 /* Attempt to open the capture file and set up to read from it. */
2660 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2664 /* Don't unlink (delete) the save file - leave it around,
2665 for debugging purposes. */
2666 g_free(capture_opts->save_file);
2667 capture_opts->save_file = NULL;
2672 cap_session->state = CAPTURE_RUNNING;
2678 /* capture child tells us we have new packets to read */
2680 capture_input_new_packets(capture_session *cap_session, int to_read)
2686 capture_file *cf = (capture_file *)cap_session->cf;
2687 gboolean filtering_tap_listeners;
2692 * Prevent a SIGINFO handler from writing to the standard error while
2693 * we're doing so or writing to the standard output; instead, have it
2694 * just set a flag telling us to print that information when we're done.
2697 #endif /* SIGINFO */
2699 /* Do we have any tap listeners with filters? */
2700 filtering_tap_listeners = have_filtering_tap_listeners();
2702 /* Get the union of the flags for all tap listeners. */
2703 tap_flags = union_of_tap_listener_flags();
2705 if (do_dissection) {
2706 gboolean create_proto_tree;
2707 epan_dissect_t *edt;
2709 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2710 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2711 create_proto_tree = TRUE;
2713 create_proto_tree = FALSE;
2715 /* The protocol tree will be "visible", i.e., printed, only if we're
2716 printing packet details, which is true if we're printing stuff
2717 ("print_packet_info" is true) and we're in verbose mode
2718 ("packet_details" is true). */
2719 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2721 while (to_read-- && cf->wth) {
2722 wtap_cleareof(cf->wth);
2723 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2725 /* read from file failed, tell the capture child to stop */
2726 sync_pipe_stop(cap_session);
2727 wtap_close(cf->wth);
2730 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2731 wtap_buf_ptr(cf->wth),
2735 /* packet successfully read and gone through the "Read Filter" */
2740 epan_dissect_free(edt);
2744 * Dumpcap's doing all the work; we're not doing any dissection.
2745 * Count all the packets it wrote.
2747 packet_count += to_read;
2750 if (print_packet_counts) {
2751 /* We're printing packet counts. */
2752 if (packet_count != 0) {
2753 fprintf(stderr, "\r%u ", packet_count);
2754 /* stderr could be line buffered */
2761 * Allow SIGINFO handlers to write.
2766 * If a SIGINFO handler asked us to write out capture counts, do so.
2770 #endif /* SIGINFO */
2776 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2777 /* Report the count only if we aren't printing a packet count
2778 as packets arrive. */
2779 fprintf(stderr, "%u packet%s captured\n", packet_count,
2780 plurality(packet_count, "", "s"));
2783 infoprint = FALSE; /* we just reported it */
2784 #endif /* SIGINFO */
2789 report_counts_siginfo(int signum _U_)
2791 int sav_errno = errno;
2792 /* If we've been told to delay printing, just set a flag asking
2793 that we print counts (if we're supposed to), otherwise print
2794 the count of packets captured (if we're supposed to). */
2801 #endif /* SIGINFO */
2804 /* capture child detected any packet drops? */
2806 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2808 if (print_packet_counts) {
2809 /* We're printing packet counts to stderr.
2810 Send a newline so that we move to the line after the packet count. */
2811 fprintf(stderr, "\n");
2815 /* We're printing packet counts to stderr.
2816 Send a newline so that we move to the line after the packet count. */
2817 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2823 * Capture child closed its side of the pipe, report any error and
2824 * do the required cleanup.
2827 capture_input_closed(capture_session *cap_session, gchar *msg)
2829 capture_file *cf = (capture_file *) cap_session->cf;
2832 fprintf(stderr, "tshark: %s\n", msg);
2836 if (cf != NULL && cf->wth != NULL) {
2837 wtap_close(cf->wth);
2838 if (cf->is_tempfile) {
2839 ws_unlink(cf->filename);
2842 #ifdef USE_BROKEN_G_MAIN_LOOP
2843 /*g_main_loop_quit(loop);*/
2844 g_main_loop_quit(loop);
2846 loop_running = FALSE;
2855 capture_cleanup(DWORD ctrltype _U_)
2857 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2858 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2859 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2860 like SIGTERM at least when the machine's shutting down.
2862 For now, we handle them all as indications that we should clean up
2863 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2866 We must return TRUE so that no other handler - such as one that would
2867 terminate the process - gets called.
2869 XXX - for some reason, typing ^C to TShark, if you run this in
2870 a Cygwin console window in at least some versions of Cygwin,
2871 causes TShark to terminate immediately; this routine gets
2872 called, but the main loop doesn't get a chance to run and
2873 exit cleanly, at least if this is compiled with Microsoft Visual
2874 C++ (i.e., it's a property of the Cygwin console window or Bash;
2875 it happens if TShark is not built with Cygwin - for all I know,
2876 building it with Cygwin may make the problem go away). */
2878 /* tell the capture child to stop */
2879 sync_pipe_stop(&global_capture_session);
2881 /* don't stop our own loop already here, otherwise status messages and
2882 * cleanup wouldn't be done properly. The child will indicate the stop of
2883 * everything by calling capture_input_closed() later */
2889 capture_cleanup(int signum _U_)
2891 /* tell the capture child to stop */
2892 sync_pipe_stop(&global_capture_session);
2894 /* don't stop our own loop already here, otherwise status messages and
2895 * cleanup wouldn't be done properly. The child will indicate the stop of
2896 * everything by calling capture_input_closed() later */
2899 #endif /* HAVE_LIBPCAP */
2902 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2903 gint64 offset, struct wtap_pkthdr *whdr,
2910 /* The frame number of this packet is one more than the count of
2911 frames in this packet. */
2912 framenum = cf->count + 1;
2914 /* If we're not running a display filter and we're not printing any
2915 packet information, we don't need to do a dissection. This means
2916 that all packets can be marked as 'passed'. */
2919 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2921 /* If we're going to print packet information, or we're going to
2922 run a read filter, or display filter, or we're going to process taps, set up to
2923 do a dissection and do so. */
2925 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2926 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2927 /* Grab any resolved addresses */
2928 host_name_lookup_process();
2930 /* If we're running a read filter, prime the epan_dissect_t with that
2933 epan_dissect_prime_dfilter(edt, cf->rfcode);
2936 epan_dissect_prime_dfilter(edt, cf->dfcode);
2938 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2940 if (ref == &fdlocal) {
2941 ref_frame = fdlocal;
2945 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2947 /* Run the read filter if we have one. */
2949 passed = dfilter_apply_edt(cf->rfcode, edt);
2953 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2954 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2956 /* If we're not doing dissection then there won't be any dependent frames.
2957 * More importantly, edt.pi.dependent_frames won't be initialized because
2958 * epan hasn't been initialized.
2959 * if we *are* doing dissection, then mark the dependent frames, but only
2960 * if a display filter was given and it matches this packet.
2962 if (edt && cf->dfcode) {
2963 if (dfilter_apply_edt(cf->dfcode, edt)) {
2964 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2970 /* if we don't add it to the frame_data_sequence, clean it up right now
2972 frame_data_destroy(&fdlocal);
2976 epan_dissect_reset(edt);
2982 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2983 struct wtap_pkthdr *phdr, Buffer *buf,
2989 /* If we're not running a display filter and we're not printing any
2990 packet information, we don't need to do a dissection. This means
2991 that all packets can be marked as 'passed'. */
2994 /* If we're going to print packet information, or we're going to
2995 run a read filter, or we're going to process taps, set up to
2996 do a dissection and do so. */
2998 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2999 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3000 /* Grab any resolved addresses */
3001 host_name_lookup_process();
3003 /* If we're running a display filter, prime the epan_dissect_t with that
3006 epan_dissect_prime_dfilter(edt, cf->dfcode);
3008 col_custom_prime_edt(edt, &cf->cinfo);
3010 /* We only need the columns if either
3011 1) some tap needs the columns
3013 2) we're printing packet info but we're *not* verbose; in verbose
3014 mode, we print the protocol tree, not the protocol summary.
3016 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
3021 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3028 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3030 /* Run the read/display filter if we have one. */
3032 passed = dfilter_apply_edt(cf->dfcode, edt);
3036 frame_data_set_after_dissect(fdata, &cum_bytes);
3037 /* Process this packet. */
3038 if (print_packet_info) {
3039 /* We're printing packet information; print the information for
3041 print_packet(cf, edt);
3043 /* The ANSI C standard does not appear to *require* that a line-buffered
3044 stream be flushed to the host environment whenever a newline is
3045 written, it just says that, on such a stream, characters "are
3046 intended to be transmitted to or from the host environment as a
3047 block when a new-line character is encountered".
3049 The Visual C++ 6.0 C implementation doesn't do what is intended;
3050 even if you set a stream to be line-buffered, it still doesn't
3051 flush the buffer at the end of every line.
3053 So, if the "-l" flag was specified, we flush the standard output
3054 at the end of a packet. This will do the right thing if we're
3055 printing packet summary lines, and, as we print the entire protocol
3056 tree for a single packet without waiting for anything to happen,
3057 it should be as good as line-buffered mode if we're printing
3058 protocol trees. (The whole reason for the "-l" flag in either
3059 tcpdump or TShark is to allow the output of a live capture to
3060 be piped to a program or script and to have that script see the
3061 information for the packet as soon as it's printed, rather than
3062 having to wait until a standard I/O buffer fills up. */
3066 if (ferror(stdout)) {
3067 show_print_file_io_error(errno);
3076 epan_dissect_reset(edt);
3078 return passed || fdata->flags.dependent_of_displayed;
3082 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3083 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3086 int snapshot_length;
3090 gchar *err_info = NULL;
3092 char *save_file_string = NULL;
3093 gboolean filtering_tap_listeners;
3095 wtapng_section_t *shb_hdr;
3096 wtapng_iface_descriptions_t *idb_inf;
3097 char *appname = NULL;
3098 struct wtap_pkthdr phdr;
3100 epan_dissect_t *edt = NULL;
3102 wtap_phdr_init(&phdr);
3104 shb_hdr = wtap_file_get_shb_info(cf->wth);
3105 idb_inf = wtap_file_get_idb_info(cf->wth);
3106 #ifdef PCAP_NG_DEFAULT
3107 if (idb_inf->interface_data->len > 1) {
3108 linktype = WTAP_ENCAP_PER_PACKET;
3110 linktype = wtap_file_encap(cf->wth);
3113 linktype = wtap_file_encap(cf->wth);
3115 if (save_file != NULL) {
3116 /* Get a string that describes what we're writing to */
3117 save_file_string = output_file_description(save_file);
3119 /* Set up to write to the capture file. */
3120 snapshot_length = wtap_snapshot_length(cf->wth);
3121 if (snapshot_length == 0) {
3122 /* Snapshot length of input file not known. */
3123 snapshot_length = WTAP_MAX_PACKET_SIZE;
3125 /* If we don't have an application name add Tshark */
3126 if (shb_hdr->shb_user_appl == NULL) {
3127 appname = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3128 shb_hdr->shb_user_appl = appname;
3131 if (linktype != WTAP_ENCAP_PER_PACKET &&
3132 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3133 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3134 snapshot_length, FALSE /* compressed */, &err);
3136 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3137 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3143 /* We couldn't set up to write to the capture file. */
3146 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3147 cmdarg_err("Capture files can't be written in that format.");
3150 case WTAP_ERR_UNWRITABLE_ENCAP:
3151 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3152 cmdarg_err("The capture file being read can't be written as a "
3153 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3156 case WTAP_ERR_CANT_OPEN:
3157 cmdarg_err("The %s couldn't be created for some "
3158 "unknown reason.", save_file_string);
3161 case WTAP_ERR_SHORT_WRITE:
3162 cmdarg_err("A full header couldn't be written to the %s.",
3167 cmdarg_err("The %s could not be created: %s.", save_file_string,
3168 wtap_strerror(err));
3174 if (print_packet_info) {
3175 if (!write_preamble(cf)) {
3177 show_print_file_io_error(err);
3186 /* Do we have any tap listeners with filters? */
3187 filtering_tap_listeners = have_filtering_tap_listeners();
3189 /* Get the union of the flags for all tap listeners. */
3190 tap_flags = union_of_tap_listener_flags();
3192 if (perform_two_pass_analysis) {
3195 /* Allocate a frame_data_sequence for all the frames. */
3196 cf->frames = new_frame_data_sequence();
3198 if (do_dissection) {
3199 gboolean create_proto_tree = FALSE;
3201 /* If we're going to be applying a filter, we'll need to
3202 create a protocol tree against which to apply the filter. */
3203 if (cf->rfcode || cf->dfcode)
3204 create_proto_tree = TRUE;
3206 /* We're not going to display the protocol tree on this pass,
3207 so it's not going to be "visible". */
3208 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3211 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3212 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3213 wtap_buf_ptr(cf->wth))) {
3214 /* Stop reading if we have the maximum number of packets;
3215 * When the -c option has not been used, max_packet_count
3216 * starts at 0, which practically means, never stop reading.
3217 * (unless we roll over max_packet_count ?)
3219 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3220 err = 0; /* This is not an error */
3227 epan_dissect_free(edt);
3231 /* Close the sequential I/O side, to free up memory it requires. */
3232 wtap_sequential_close(cf->wth);
3234 /* Allow the protocol dissectors to free up memory that they
3235 * don't need after the sequential run-through of the packets. */
3236 postseq_cleanup_all_protocols();
3240 ws_buffer_init(&buf, 1500);
3242 if (do_dissection) {
3243 gboolean create_proto_tree;
3245 if (cf->dfcode || print_details || filtering_tap_listeners ||
3246 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3247 create_proto_tree = TRUE;
3249 create_proto_tree = FALSE;
3251 /* The protocol tree will be "visible", i.e., printed, only if we're
3252 printing packet details, which is true if we're printing stuff
3253 ("print_packet_info" is true) and we're in verbose mode
3254 ("packet_details" is true). */
3255 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3258 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3259 fdata = frame_data_sequence_find(cf->frames, framenum);
3260 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3262 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3264 /* Either there's no read filtering or this packet passed the
3265 filter, so, if we're writing to a capture file, write
3268 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3269 /* Error writing to a capture file */
3272 case WTAP_ERR_UNWRITABLE_ENCAP:
3274 * This is a problem with the particular frame we're writing
3275 * and the file type and subtype we're writing; note that,
3276 * and report the frame number and file type/subtype.
3278 * XXX - framenum is not necessarily the frame number in
3279 * the input file if there was a read filter.
3282 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3283 framenum, cf->filename,
3284 wtap_file_type_subtype_short_string(out_file_type));
3287 case WTAP_ERR_PACKET_TOO_LARGE:
3289 * This is a problem with the particular frame we're writing
3290 * and the file type and subtype we're writing; note that,
3291 * and report the frame number and file type/subtype.
3293 * XXX - framenum is not necessarily the frame number in
3294 * the input file if there was a read filter.
3297 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3298 framenum, cf->filename,
3299 wtap_file_type_subtype_short_string(out_file_type));
3302 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3304 * This is a problem with the particular record we're writing
3305 * and the file type and subtype we're writing; note that,
3306 * and report the record number and file type/subtype.
3308 * XXX - framenum is not necessarily the record number in
3309 * the input file if there was a read filter.
3312 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3313 framenum, cf->filename,
3314 wtap_file_type_subtype_short_string(out_file_type));
3317 case WTAP_ERR_UNWRITABLE_REC_DATA:
3319 * This is a problem with the particular record we're writing
3320 * and the file type and subtype we're writing; note that,
3321 * and report the record number and file type/subtype.
3323 * XXX - framenum is not necessarily the record number in
3324 * the input file if there was a read filter.
3327 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3328 framenum, cf->filename,
3329 wtap_file_type_subtype_short_string(out_file_type),
3330 err_info != NULL ? err_info : "no information supplied");
3335 show_capture_file_io_error(save_file, err, FALSE);
3338 wtap_dump_close(pdh, &err);
3349 epan_dissect_free(edt);
3353 ws_buffer_free(&buf);
3358 if (do_dissection) {
3359 gboolean create_proto_tree;
3361 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3362 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3363 create_proto_tree = TRUE;
3365 create_proto_tree = FALSE;
3367 /* The protocol tree will be "visible", i.e., printed, only if we're
3368 printing packet details, which is true if we're printing stuff
3369 ("print_packet_info" is true) and we're in verbose mode
3370 ("packet_details" is true). */
3371 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3374 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3377 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3378 wtap_buf_ptr(cf->wth),
3380 /* Either there's no read filtering or this packet passed the
3381 filter, so, if we're writing to a capture file, write
3384 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3385 /* Error writing to a capture file */
3388 case WTAP_ERR_UNWRITABLE_ENCAP:
3390 * This is a problem with the particular frame we're writing
3391 * and the file type and subtype we're writing; note that,
3392 * and report the frame number and file type/subtype.
3395 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3396 framenum, cf->filename,
3397 wtap_file_type_subtype_short_string(out_file_type));
3400 case WTAP_ERR_PACKET_TOO_LARGE:
3402 * This is a problem with the particular frame we're writing
3403 * and the file type and subtype we're writing; note that,
3404 * and report the frame number and file type/subtype.
3407 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3408 framenum, cf->filename,
3409 wtap_file_type_subtype_short_string(out_file_type));
3412 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3414 * This is a problem with the particular record we're writing
3415 * and the file type and subtype we're writing; note that,
3416 * and report the record number and file type/subtype.
3419 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3420 framenum, cf->filename,
3421 wtap_file_type_subtype_short_string(out_file_type));
3424 case WTAP_ERR_UNWRITABLE_REC_DATA:
3426 * This is a problem with the particular record we're writing
3427 * and the file type and subtype we're writing; note that,
3428 * and report the record number and file type/subtype.
3431 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3432 framenum, cf->filename,
3433 wtap_file_type_subtype_short_string(out_file_type),
3434 err_info != NULL ? err_info : "no information supplied");
3439 show_capture_file_io_error(save_file, err, FALSE);
3442 wtap_dump_close(pdh, &err);
3449 /* Stop reading if we have the maximum number of packets;
3450 * When the -c option has not been used, max_packet_count
3451 * starts at 0, which practically means, never stop reading.
3452 * (unless we roll over max_packet_count ?)
3454 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3455 err = 0; /* This is not an error */
3461 epan_dissect_free(edt);
3466 wtap_phdr_cleanup(&phdr);
3470 * Print a message noting that the read failed somewhere along the line.
3472 * If we're printing packet data, and the standard output and error are
3473 * going to the same place, flush the standard output, so everything
3474 * buffered up is written, and then print a newline to the standard error
3475 * before printing the error message, to separate it from the packet
3476 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3477 * the _fstat() documentation at Microsoft doesn't indicate whether
3478 * st_ino is even supported.)
3481 if (print_packet_info) {
3482 ws_statb64 stat_stdout, stat_stderr;
3484 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3485 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3486 stat_stdout.st_ino == stat_stderr.st_ino) {
3488 fprintf(stderr, "\n");
3495 case WTAP_ERR_UNSUPPORTED:
3496 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3498 err_info != NULL ? err_info : "no information supplied");
3502 case WTAP_ERR_SHORT_READ:
3503 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3507 case WTAP_ERR_BAD_FILE:
3508 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3510 err_info != NULL ? err_info : "no information supplied");
3514 case WTAP_ERR_DECOMPRESS:
3515 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3516 "(%s)", cf->filename,
3517 err_info != NULL ? err_info : "no information supplied");
3522 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3523 cf->filename, wtap_strerror(err));
3526 if (save_file != NULL) {
3527 /* Now close the capture file. */
3528 if (!wtap_dump_close(pdh, &err))
3529 show_capture_file_io_error(save_file, err, TRUE);
3532 if (save_file != NULL) {
3533 if (pdh && out_file_name_res) {
3534 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3535 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3536 wtap_file_type_subtype_short_string(out_file_type));
3539 /* Now close the capture file. */
3540 if (!wtap_dump_close(pdh, &err))
3541 show_capture_file_io_error(save_file, err, TRUE);
3543 if (print_packet_info) {
3544 if (!write_finale()) {
3546 show_print_file_io_error(err);
3553 wtap_close(cf->wth);
3556 g_free(save_file_string);
3564 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3565 const guchar *pd, guint tap_flags)
3571 /* Count this packet. */
3574 /* If we're not running a display filter and we're not printing any
3575 packet information, we don't need to do a dissection. This means
3576 that all packets can be marked as 'passed'. */
3579 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3581 /* If we're going to print packet information, or we're going to
3582 run a read filter, or we're going to process taps, set up to
3583 do a dissection and do so. */
3585 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3586 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3587 /* Grab any resolved addresses */
3588 host_name_lookup_process();
3590 /* If we're running a filter, prime the epan_dissect_t with that
3593 epan_dissect_prime_dfilter(edt, cf->dfcode);
3595 col_custom_prime_edt(edt, &cf->cinfo);
3597 /* We only need the columns if either
3598 1) some tap needs the columns
3600 2) we're printing packet info but we're *not* verbose; in verbose
3601 mode, we print the protocol tree, not the protocol summary.
3603 3) there is a column mapped as an individual field */
3604 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3609 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3611 if (ref == &fdata) {
3616 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3618 /* Run the filter if we have it. */
3620 passed = dfilter_apply_edt(cf->dfcode, edt);
3624 frame_data_set_after_dissect(&fdata, &cum_bytes);
3626 /* Process this packet. */
3627 if (print_packet_info) {
3628 /* We're printing packet information; print the information for
3630 print_packet(cf, edt);
3632 /* The ANSI C standard does not appear to *require* that a line-buffered
3633 stream be flushed to the host environment whenever a newline is
3634 written, it just says that, on such a stream, characters "are
3635 intended to be transmitted to or from the host environment as a
3636 block when a new-line character is encountered".
3638 The Visual C++ 6.0 C implementation doesn't do what is intended;
3639 even if you set a stream to be line-buffered, it still doesn't
3640 flush the buffer at the end of every line.
3642 So, if the "-l" flag was specified, we flush the standard output
3643 at the end of a packet. This will do the right thing if we're
3644 printing packet summary lines, and, as we print the entire protocol
3645 tree for a single packet without waiting for anything to happen,
3646 it should be as good as line-buffered mode if we're printing
3647 protocol trees. (The whole reason for the "-l" flag in either
3648 tcpdump or TShark is to allow the output of a live capture to
3649 be piped to a program or script and to have that script see the
3650 information for the packet as soon as it's printed, rather than
3651 having to wait until a standard I/O buffer fills up. */
3655 if (ferror(stdout)) {
3656 show_print_file_io_error(errno);
3661 /* this must be set after print_packet() [bug #8160] */
3662 prev_dis_frame = fdata;
3663 prev_dis = &prev_dis_frame;
3666 prev_cap_frame = fdata;
3667 prev_cap = &prev_cap_frame;
3670 epan_dissect_reset(edt);
3671 frame_data_destroy(&fdata);
3677 write_preamble(capture_file *cf)
3679 switch (output_action) {
3682 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3686 write_pdml_preamble(stdout, cf->filename);
3688 write_psml_preamble(&cf->cinfo, stdout);
3689 return !ferror(stdout);
3692 write_fields_preamble(output_fields, stdout);
3693 return !ferror(stdout);
3696 g_assert_not_reached();
3702 get_line_buf(size_t len)
3704 static char *line_bufp = NULL;
3705 static size_t line_buf_len = 256;
3706 size_t new_line_buf_len;
3708 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3709 new_line_buf_len *= 2)
3711 if (line_bufp == NULL) {
3712 line_buf_len = new_line_buf_len;
3713 line_bufp = (char *)g_malloc(line_buf_len + 1);
3715 if (new_line_buf_len > line_buf_len) {
3716 line_buf_len = new_line_buf_len;
3717 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3724 put_string(char *dest, const char *str, size_t str_len)
3726 memcpy(dest, str, str_len);
3727 dest[str_len] = '\0';
3731 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3735 for (i = str_len; i < str_with_spaces; i++)
3738 put_string(dest, str, str_len);
3742 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3746 memcpy(dest, str, str_len);
3747 for (i = str_len; i < str_with_spaces; i++)
3750 dest[str_with_spaces] = '\0';
3754 print_columns(capture_file *cf)
3762 line_bufp = get_line_buf(256);
3765 for (i = 0; i < cf->cinfo.num_cols; i++) {
3766 /* Skip columns not marked as visible. */
3767 if (!get_column_visible(i))
3769 switch (cf->cinfo.col_fmt[i]) {
3771 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3774 line_bufp = get_line_buf(buf_offset + column_len);
3775 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3781 case COL_ABS_YMD_TIME: /* XXX - wider */
3782 case COL_ABS_YDOY_TIME: /* XXX - wider */
3784 case COL_UTC_YMD_TIME: /* XXX - wider */
3785 case COL_UTC_YDOY_TIME: /* XXX - wider */
3786 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3787 if (column_len < 10)
3789 line_bufp = get_line_buf(buf_offset + column_len);
3790 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3796 case COL_DEF_DL_SRC:
3797 case COL_RES_DL_SRC:
3798 case COL_UNRES_DL_SRC:
3799 case COL_DEF_NET_SRC:
3800 case COL_RES_NET_SRC:
3801 case COL_UNRES_NET_SRC:
3802 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3803 if (column_len < 12)
3805 line_bufp = get_line_buf(buf_offset + column_len);
3806 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3812 case COL_DEF_DL_DST:
3813 case COL_RES_DL_DST:
3814 case COL_UNRES_DL_DST:
3815 case COL_DEF_NET_DST:
3816 case COL_RES_NET_DST:
3817 case COL_UNRES_NET_DST:
3818 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3819 if (column_len < 12)
3821 line_bufp = get_line_buf(buf_offset + column_len);
3822 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3826 column_len = strlen(cf->cinfo.col_data[i]);
3827 line_bufp = get_line_buf(buf_offset + column_len);
3828 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3831 buf_offset += column_len;
3832 if (i != cf->cinfo.num_cols - 1) {
3834 * This isn't the last column, so we need to print a
3835 * separator between this column and the next.
3837 * If we printed a network source and are printing a
3838 * network destination of the same type next, separate
3839 * them with " -> "; if we printed a network destination
3840 * and are printing a network source of the same type
3841 * next, separate them with " <- "; otherwise separate them
3844 * We add enough space to the buffer for " <- " or " -> ",
3845 * even if we're only adding " ".
3847 line_bufp = get_line_buf(buf_offset + 4);
3848 switch (cf->cinfo.col_fmt[i]) {
3853 switch (cf->cinfo.col_fmt[i + 1]) {
3858 put_string(line_bufp + buf_offset, " -> ", 4);
3863 put_string(line_bufp + buf_offset, " ", 1);
3869 case COL_DEF_DL_SRC:
3870 case COL_RES_DL_SRC:
3871 case COL_UNRES_DL_SRC:
3872 switch (cf->cinfo.col_fmt[i + 1]) {
3874 case COL_DEF_DL_DST:
3875 case COL_RES_DL_DST:
3876 case COL_UNRES_DL_DST:
3877 put_string(line_bufp + buf_offset, " -> ", 4);
3882 put_string(line_bufp + buf_offset, " ", 1);
3888 case COL_DEF_NET_SRC:
3889 case COL_RES_NET_SRC:
3890 case COL_UNRES_NET_SRC:
3891 switch (cf->cinfo.col_fmt[i + 1]) {
3893 case COL_DEF_NET_DST:
3894 case COL_RES_NET_DST:
3895 case COL_UNRES_NET_DST:
3896 put_string(line_bufp + buf_offset, " -> ", 4);
3901 put_string(line_bufp + buf_offset, " ", 1);
3910 switch (cf->cinfo.col_fmt[i + 1]) {
3915 put_string(line_bufp + buf_offset, " <- ", 4);
3920 put_string(line_bufp + buf_offset, " ", 1);
3926 case COL_DEF_DL_DST:
3927 case COL_RES_DL_DST:
3928 case COL_UNRES_DL_DST:
3929 switch (cf->cinfo.col_fmt[i + 1]) {
3931 case COL_DEF_DL_SRC:
3932 case COL_RES_DL_SRC:
3933 case COL_UNRES_DL_SRC:
3934 put_string(line_bufp + buf_offset, " <- ", 4);
3939 put_string(line_bufp + buf_offset, " ", 1);
3945 case COL_DEF_NET_DST:
3946 case COL_RES_NET_DST:
3947 case COL_UNRES_NET_DST:
3948 switch (cf->cinfo.col_fmt[i + 1]) {
3950 case COL_DEF_NET_SRC:
3951 case COL_RES_NET_SRC:
3952 case COL_UNRES_NET_SRC:
3953 put_string(line_bufp + buf_offset, " <- ", 4);
3958 put_string(line_bufp + buf_offset, " ", 1);
3965 put_string(line_bufp + buf_offset, " ", 1);
3971 return print_line(print_stream, 0, line_bufp);
3975 print_packet(capture_file *cf, epan_dissect_t *edt)
3977 print_args_t print_args;
3979 if (print_summary || output_fields_has_cols(output_fields)) {
3980 /* Just fill in the columns. */
3981 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3983 if (print_summary) {
3984 /* Now print them. */
3985 switch (output_action) {
3988 if (!print_columns(cf))
3993 write_psml_columns(edt, stdout);
3994 return !ferror(stdout);
3995 case WRITE_FIELDS: /*No non-verbose "fields" format */
3996 g_assert_not_reached();
4001 if (print_details) {
4002 /* Print the information in the protocol tree. */
4003 switch (output_action) {
4006 /* Only initialize the fields that are actually used in proto_tree_print.
4007 * This is particularly important for .range, as that's heap memory which
4008 * we would otherwise have to g_free().
4009 print_args.to_file = TRUE;
4010 print_args.format = print_format;
4011 print_args.print_summary = print_summary;
4012 print_args.print_formfeed = FALSE;
4013 packet_range_init(&print_args.range, &cfile);
4015 print_args.print_hex = print_hex;
4016 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4018 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4021 if (!print_line(print_stream, 0, separator))
4027 write_pdml_proto_tree(edt, stdout);
4029 return !ferror(stdout);
4031 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4033 return !ferror(stdout);
4037 if (print_summary || print_details) {
4038 if (!print_line(print_stream, 0, ""))
4041 if (!print_hex_data(print_stream, edt))
4043 if (!print_line(print_stream, 0, separator))
4052 switch (output_action) {
4055 return print_finale(print_stream);
4059 write_pdml_finale(stdout);
4061 write_psml_finale(stdout);
4062 return !ferror(stdout);
4065 write_fields_finale(output_fields, stdout);
4066 return !ferror(stdout);
4069 g_assert_not_reached();
4075 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4079 char err_msg[2048+1];
4081 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4085 /* The open succeeded. Fill in the information for this file. */
4087 /* Create new epan session for dissection. */
4088 epan_free(cf->epan);
4089 cf->epan = tshark_epan_new(cf);
4092 cf->f_datalen = 0; /* not used, but set it anyway */
4094 /* Set the file name because we need it to set the follow stream filter.
4095 XXX - is that still true? We need it for other reasons, though,
4097 cf->filename = g_strdup(fname);
4099 /* Indicate whether it's a permanent or temporary file. */
4100 cf->is_tempfile = is_tempfile;
4102 /* No user changes yet. */
4103 cf->unsaved_changes = FALSE;
4105 cf->cd_t = wtap_file_type_subtype(cf->wth);
4106 cf->open_type = type;
4108 cf->drops_known = FALSE;
4110 cf->snap = wtap_snapshot_length(cf->wth);
4111 if (cf->snap == 0) {
4112 /* Snapshot length not known. */
4113 cf->has_snap = FALSE;
4114 cf->snap = WTAP_MAX_PACKET_SIZE;
4116 cf->has_snap = TRUE;
4117 nstime_set_zero(&cf->elapsed_time);
4122 cf->state = FILE_READ_IN_PROGRESS;
4124 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4125 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4130 g_snprintf(err_msg, sizeof err_msg,
4131 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4132 cmdarg_err("%s", err_msg);
4137 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4139 char *save_file_string;
4141 save_file_string = output_file_description(fname);
4146 cmdarg_err("Not all the packets could be written to the %s because there is "
4147 "no space left on the file system.",
4153 cmdarg_err("Not all the packets could be written to the %s because you are "
4154 "too close to, or over your disk quota.",
4159 case WTAP_ERR_CANT_CLOSE:
4160 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4164 case WTAP_ERR_SHORT_WRITE:
4165 cmdarg_err("Not all the packets could be written to the %s.",
4171 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4172 wtap_strerror(err));
4174 cmdarg_err("An error occurred while writing to the %s: %s.",
4175 save_file_string, wtap_strerror(err));
4179 g_free(save_file_string);
4183 show_print_file_io_error(int err)
4188 cmdarg_err("Not all the packets could be printed because there is "
4189 "no space left on the file system.");
4194 cmdarg_err("Not all the packets could be printed because you are "
4195 "too close to, or over your disk quota.");
4200 cmdarg_err("An error occurred while printing packets: %s.",
4207 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4211 static char errmsg_errno[1024+1];
4214 /* Wiretap error. */
4217 case WTAP_ERR_NOT_REGULAR_FILE:
4218 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4221 case WTAP_ERR_RANDOM_OPEN_PIPE:
4222 /* Seen only when opening a capture file for reading. */
4223 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4226 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4227 /* Seen only when opening a capture file for reading. */
4228 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4231 case WTAP_ERR_UNSUPPORTED:
4232 /* Seen only when opening a capture file for reading. */
4233 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4234 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4236 err_info != NULL ? err_info : "no information supplied");
4238 errmsg = errmsg_errno;
4241 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4242 /* Seen only when opening a capture file for writing. */
4243 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4244 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4245 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4246 errmsg = errmsg_errno;
4249 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4250 /* Seen only when opening a capture file for writing. */
4251 errmsg = "TShark doesn't support writing capture files in that format.";
4254 case WTAP_ERR_UNWRITABLE_ENCAP:
4255 /* Seen only when opening a capture file for writing. */
4256 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4257 "TShark can't save this capture as a \"%s\" file.",
4258 wtap_file_type_subtype_short_string(file_type));
4259 errmsg = errmsg_errno;
4262 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4264 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4265 "TShark can't save this capture as a \"%s\" file.",
4266 wtap_file_type_subtype_short_string(file_type));
4267 errmsg = errmsg_errno;
4269 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4272 case WTAP_ERR_BAD_FILE:
4273 /* Seen only when opening a capture file for reading. */
4274 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4275 "The file \"%%s\" appears to be damaged or corrupt.\n"
4277 err_info != NULL ? err_info : "no information supplied");
4279 errmsg = errmsg_errno;
4282 case WTAP_ERR_CANT_OPEN:
4284 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4286 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4289 case WTAP_ERR_SHORT_READ:
4290 errmsg = "The file \"%s\" appears to have been cut short"
4291 " in the middle of a packet or other data.";
4294 case WTAP_ERR_SHORT_WRITE:
4295 errmsg = "A full header couldn't be written to the file \"%s\".";
4298 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4299 errmsg = "This file type cannot be written as a compressed file.";
4302 case WTAP_ERR_DECOMPRESS:
4303 /* Seen only when opening a capture file for reading. */
4304 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4305 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4307 err_info != NULL ? err_info : "no information supplied");
4309 errmsg = errmsg_errno;
4313 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4314 "The file \"%%s\" could not be %s: %s.",
4315 for_writing ? "created" : "opened",
4316 wtap_strerror(err));
4317 errmsg = errmsg_errno;
4321 errmsg = file_open_error_message(err, for_writing);
4326 * Open/create errors are reported with an console message in TShark.
4329 open_failure_message(const char *filename, int err, gboolean for_writing)
4331 fprintf(stderr, "tshark: ");
4332 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4333 fprintf(stderr, "\n");
4337 * General errors are reported with an console message in TShark.
4340 failure_message(const char *msg_format, va_list ap)
4342 fprintf(stderr, "tshark: ");
4343 vfprintf(stderr, msg_format, ap);
4344 fprintf(stderr, "\n");
4348 * Read errors are reported with an console message in TShark.
4351 read_failure_message(const char *filename, int err)
4353 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4354 filename, g_strerror(err));
4358 * Write errors are reported with an console message in TShark.
4361 write_failure_message(const char *filename, int err)
4363 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4364 filename, g_strerror(err));
4368 * Report additional information for an error in command-line arguments.
4371 failure_message_cont(const char *msg_format, va_list ap)
4373 vfprintf(stderr, msg_format, ap);
4374 fprintf(stderr, "\n");
4378 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4383 * indent-tabs-mode: nil
4386 * vi: set shiftwidth=2 tabstop=8 expandtab:
4387 * :indentSize=2:tabSize=8:noTabs=true: