3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #ifdef HAVE_WINSOCK2_H
40 # include <winsock2.h>
48 # include <sys/capability.h>
51 #ifndef HAVE_GETOPT_LONG
52 #include "wsutil/wsgetopt.h"
57 #include <epan/exceptions.h>
58 #include <epan/epan-int.h>
59 #include <epan/epan.h>
61 #include <wsutil/clopts_common.h>
62 #include <wsutil/cmdarg_err.h>
63 #include <wsutil/crash_info.h>
64 #include <wsutil/filesystem.h>
65 #include <wsutil/file_util.h>
66 #include <wsutil/privileges.h>
67 #include <wsutil/report_message.h>
68 #include <version_info.h>
69 #include <wiretap/wtap_opttypes.h>
70 #include <wiretap/pcapng.h>
73 #include <epan/timestamp.h>
74 #include <epan/packet.h>
76 #include <epan/wslua/init_wslua.h>
78 #include "frame_tvbuff.h"
79 #include <epan/disabled_protos.h>
80 #include <epan/prefs.h>
81 #include <epan/column.h>
82 #include <epan/decode_as.h>
83 #include <epan/print.h>
84 #include <epan/addr_resolv.h>
86 #include "ui/capture_ui_utils.h"
89 #include "ui/ui_util.h"
90 #include "ui/decode_as_utils.h"
91 #include "ui/filter_files.h"
92 #include "ui/cli/tshark-tap.h"
93 #include "ui/cli/tap-exportobject.h"
94 #include "ui/tap_export_pdu.h"
95 #include "ui/dissect_opts.h"
96 #include "ui/failure_message.h"
97 #if defined(HAVE_LIBSMI)
98 #include "epan/oids.h"
100 #if defined(HAVE_GEOIP)
101 #include "epan/geoip_db.h"
103 #include "register.h"
104 #include <epan/epan_dissect.h>
105 #include <epan/tap.h>
106 #include <epan/stat_tap_ui.h>
107 #include <epan/conversation_table.h>
108 #include <epan/srt_table.h>
109 #include <epan/rtd_table.h>
110 #include <epan/ex-opt.h>
111 #include <epan/exported_pdu.h>
113 #include "capture_opts.h"
115 #include "caputils/capture-pcap-util.h"
118 #include "caputils/capture_ifinfo.h"
120 #include "caputils/capture-wpcap.h"
121 #include <wsutil/os_version_info.h>
122 #include <wsutil/unicode-utils.h>
124 #include <capchild/capture_session.h>
125 #include <capchild/capture_sync.h>
126 #include <capture_info.h>
127 #endif /* HAVE_LIBPCAP */
129 #include <epan/funnel.h>
131 #include <wsutil/str_util.h>
132 #include <wsutil/utf8_entities.h>
139 #include <wsutil/plugins.h>
143 #define INVALID_OPTION 1
144 #define INVALID_INTERFACE 2
145 #define INVALID_FILE 2
146 #define INVALID_FILTER 2
147 #define INVALID_EXPORT 2
148 #define INVALID_CAPABILITY 2
149 #define INVALID_TAP 2
150 #define INVALID_DATA_LINK 2
151 #define INVALID_TIMESTAMP_TYPE 2
152 #define INVALID_CAPTURE 2
153 #define INIT_FAILED 2
156 * values 128..65535 are capture+dissect options, 65536 is used by
157 * ui/commandline.c, so start tshark-specific options 1000 after this
159 #define LONGOPT_COLOR (65536+1000)
160 #define LONGOPT_NO_DUPLICATE_KEYS (65536+1001)
163 #define tshark_debug(...) g_warning(__VA_ARGS__)
165 #define tshark_debug(...)
168 static guint32 cum_bytes;
169 static const frame_data *ref;
170 static frame_data ref_frame;
171 static frame_data *prev_dis;
172 static frame_data prev_dis_frame;
173 static frame_data *prev_cap;
174 static frame_data prev_cap_frame;
176 static gboolean perform_two_pass_analysis;
177 static guint32 epan_auto_reset_count = 0;
178 static gboolean epan_auto_reset = FALSE;
181 * The way the packet decode is to be written.
184 WRITE_TEXT, /* summary or detail text */
185 WRITE_XML, /* PDML or PSML */
186 WRITE_FIELDS, /* User defined list of fields */
187 WRITE_JSON, /* JSON */
188 WRITE_JSON_RAW, /* JSON only raw hex */
189 WRITE_EK /* JSON bulk insert to Elasticsearch */
190 /* Add CSV and the like here */
193 static output_action_e output_action;
194 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
195 static gboolean print_packet_info; /* TRUE if we're to print packet information */
196 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
197 static gboolean print_details; /* TRUE if we're to print packet details information */
198 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
199 static gboolean line_buffered;
200 static gboolean really_quiet = FALSE;
201 static gchar* delimiter_char = " ";
202 static gboolean dissect_color = FALSE;
204 static print_format_e print_format = PR_FMT_TEXT;
205 static print_stream_t *print_stream = NULL;
207 static output_fields_t* output_fields = NULL;
208 static gchar **protocolfilter = NULL;
209 static pf_flags protocolfilter_flags = PF_NONE;
211 static gboolean no_duplicate_keys = FALSE;
212 static proto_node_children_grouper_func node_children_grouper = proto_node_group_children_by_unique;
214 /* The line separator used between packets, changeable via the -S option */
215 static const char *separator = "";
219 * TRUE if we're to print packet counts to keep track of captured packets.
221 static gboolean print_packet_counts;
223 static capture_options global_capture_opts;
224 static capture_session global_capture_session;
225 static info_data_t global_info_data;
228 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
229 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
232 static gboolean capture(void);
233 static void report_counts(void);
235 static BOOL WINAPI capture_cleanup(DWORD);
237 static void capture_cleanup(int);
239 static void report_counts_siginfo(int);
243 #else /* HAVE_LIBPCAP */
245 static char *output_file_name;
247 #endif /* HAVE_LIBPCAP */
249 static void reset_epan_mem(capture_file *cf, epan_dissect_t *edt, gboolean tree, gboolean visual);
250 static gboolean process_cap_file(capture_file *, char *, int, gboolean, int, gint64);
251 static gboolean process_packet_single_pass(capture_file *cf,
252 epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
253 const guchar *pd, guint tap_flags);
254 static void show_print_file_io_error(int err);
255 static gboolean write_preamble(capture_file *cf);
256 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
257 static gboolean write_finale(void);
259 static void failure_warning_message(const char *msg_format, va_list ap);
260 static void open_failure_message(const char *filename, int err,
261 gboolean for_writing);
262 static void read_failure_message(const char *filename, int err);
263 static void write_failure_message(const char *filename, int err);
264 static void failure_message_cont(const char *msg_format, va_list ap);
268 static GHashTable *output_only_tables = NULL;
271 const char *sstr; /* The short string */
272 const char *lstr; /* The long string */
276 string_compare(gconstpointer a, gconstpointer b)
278 return strcmp(((const struct string_elem *)a)->sstr,
279 ((const struct string_elem *)b)->sstr);
283 string_elem_print(gpointer data, gpointer not_used _U_)
285 fprintf(stderr, " %s - %s\n",
286 ((struct string_elem *)data)->sstr,
287 ((struct string_elem *)data)->lstr);
291 list_capture_types(void) {
293 struct string_elem *captypes;
296 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
298 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
299 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
300 if (wtap_dump_can_open(i)) {
301 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
302 captypes[i].lstr = wtap_file_type_subtype_string(i);
303 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
306 g_slist_foreach(list, string_elem_print, NULL);
312 list_read_capture_types(void) {
314 struct string_elem *captypes;
316 const char *magic = "Magic-value-based";
317 const char *heuristic = "Heuristics-based";
319 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
320 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
322 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
323 for (i = 0; open_routines[i].name != NULL; i++) {
324 captypes[i].sstr = open_routines[i].name;
325 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
326 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
328 g_slist_foreach(list, string_elem_print, NULL);
334 print_usage(FILE *output)
336 fprintf(output, "\n");
337 fprintf(output, "Usage: tshark [options] ...\n");
338 fprintf(output, "\n");
341 fprintf(output, "Capture interface:\n");
342 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
343 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
344 #ifdef HAVE_PCAP_CREATE
345 fprintf(output, " -s <snaplen> packet snapshot length (def: appropriate maximum)\n");
347 fprintf(output, " -s <snaplen> packet snapshot length (def: %u)\n", WTAP_MAX_PACKET_SIZE_STANDARD);
349 fprintf(output, " -p don't capture in promiscuous mode\n");
350 #ifdef HAVE_PCAP_CREATE
351 fprintf(output, " -I capture in monitor mode, if available\n");
353 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
354 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
356 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
357 fprintf(output, " --time-stamp-type <type> timestamp method for interface\n");
358 fprintf(output, " -D print list of interfaces and exit\n");
359 fprintf(output, " -L print list of link-layer types of iface and exit\n");
360 fprintf(output, " --list-time-stamp-types print list of timestamp types for iface and exit\n");
361 fprintf(output, "\n");
362 fprintf(output, "Capture stop conditions:\n");
363 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
364 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
365 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
366 fprintf(output, " files:NUM - stop after NUM files\n");
367 /*fprintf(output, "\n");*/
368 fprintf(output, "Capture output:\n");
369 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
370 fprintf(output, " interval:NUM - create time intervals of NUM secs\n");
371 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
372 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
373 #endif /* HAVE_LIBPCAP */
374 #ifdef HAVE_PCAP_REMOTE
375 fprintf(output, "RPCAP options:\n");
376 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
378 /*fprintf(output, "\n");*/
379 fprintf(output, "Input file:\n");
380 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
382 fprintf(output, "\n");
383 fprintf(output, "Processing:\n");
384 fprintf(output, " -2 perform a two-pass analysis\n");
385 fprintf(output, " -M <packet count> perform session auto reset\n");
386 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
387 fprintf(output, " (requires -2)\n");
388 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
389 fprintf(output, " syntax\n");
390 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
391 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
392 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
393 fprintf(output, " \"Decode As\", see the man page for details\n");
394 fprintf(output, " Example: tcp.port==8888,http\n");
395 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
396 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
397 fprintf(output, " --enable-protocol <proto_name>\n");
398 fprintf(output, " enable dissection of proto_name\n");
399 fprintf(output, " --disable-protocol <proto_name>\n");
400 fprintf(output, " disable dissection of proto_name\n");
401 fprintf(output, " --enable-heuristic <short_name>\n");
402 fprintf(output, " enable dissection of heuristic protocol\n");
403 fprintf(output, " --disable-heuristic <short_name>\n");
404 fprintf(output, " disable dissection of heuristic protocol\n");
406 /*fprintf(output, "\n");*/
407 fprintf(output, "Output:\n");
408 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
409 fprintf(output, " (or to the standard output for \"-\")\n");
410 fprintf(output, " -C <config profile> start with specified configuration profile\n");
411 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
412 fprintf(output, " an empty \"-F\" option will list the file types\n");
413 fprintf(output, " -V add output of packet tree (Packet Details)\n");
414 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
415 fprintf(output, " separated\n");
416 fprintf(output, " -P print packet summary even when writing to a file\n");
417 fprintf(output, " -S <separator> the line separator to print between packets\n");
418 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
419 fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
420 fprintf(output, " format of text output (def: text)\n");
421 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
422 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
423 fprintf(output, " nodes, unless child is specified also in the filter)\n");
424 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
425 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
426 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
427 fprintf(output, " _ws.col.Info)\n");
428 fprintf(output, " this option can be repeated to print multiple fields\n");
429 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
430 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
431 fprintf(output, " header=y|n switch headers on and off\n");
432 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
433 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
434 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
435 fprintf(output, " aggregator\n");
436 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
437 fprintf(output, " -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)\n");
438 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
439 fprintf(output, " -l flush standard output after each packet\n");
440 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
441 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
442 fprintf(output, " -g enable group read access on the output file(s)\n");
443 fprintf(output, " -W n Save extra information in the file, if supported.\n");
444 fprintf(output, " n = write network address resolution information\n");
445 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
446 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
447 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
448 fprintf(output, " --capture-comment <comment>\n");
449 fprintf(output, " add a capture comment to the newly created\n");
450 fprintf(output, " output file (only for pcapng)\n");
451 fprintf(output, " --export-objects <protocol>,<destdir> save exported objects for a protocol to\n");
452 fprintf(output, " a directory named \"destdir\"\n");
453 fprintf(output, " --color color output text similarly to the Wireshark GUI,\n");
454 fprintf(output, " requires a terminal with 24-bit color support\n");
455 fprintf(output, " Also supplies color attributes to pdml and psml formats\n");
456 fprintf(output, " (Note that attributes are nonstandard)\n");
457 fprintf(output, " --no-duplicate-keys If -T json is specified, merge duplicate keys in an object\n");
458 fprintf(output, " into a single key with as value a json array containing all\n");
459 fprintf(output, " values");
461 fprintf(output, "\n");
462 fprintf(output, "Miscellaneous:\n");
463 fprintf(output, " -h display this help and exit\n");
464 fprintf(output, " -v display version info and exit\n");
465 fprintf(output, " -o <name>:<value> ... override preference setting\n");
466 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
467 fprintf(output, " -G [report] dump one of several available reports and exit\n");
468 fprintf(output, " default report=\"fields\"\n");
469 fprintf(output, " use \"-G ?\" for more help\n");
471 fprintf(output, "\n");
472 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
473 fprintf(output, "You might want to reset it\n");
474 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
480 glossary_option_help(void)
486 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
488 fprintf(output, "\n");
489 fprintf(output, "Usage: tshark -G [report]\n");
490 fprintf(output, "\n");
491 fprintf(output, "Glossary table reports:\n");
492 fprintf(output, " -G column-formats dump column format codes and exit\n");
493 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
494 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
495 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
496 fprintf(output, " -G fields dump fields glossary and exit\n");
497 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
498 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
499 fprintf(output, " -G plugins dump installed plugins and exit\n");
500 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
501 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
502 fprintf(output, "\n");
503 fprintf(output, "Preference reports:\n");
504 fprintf(output, " -G currentprefs dump current preferences and exit\n");
505 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
506 fprintf(output, " -G folders dump about:folders\n");
507 fprintf(output, "\n");
511 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
512 const gchar *message, gpointer user_data)
514 /* ignore log message, if log_level isn't interesting based
515 upon the console log preferences.
516 If the preferences haven't been loaded loaded yet, display the
519 The default console_log_level preference value is such that only
520 ERROR, CRITICAL and WARNING level messages are processed;
521 MESSAGE, INFO and DEBUG level messages are ignored.
523 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
524 ERROR and CRITICAL level messages so the current code is a behavioral
525 change. The current behavior is the same as in Wireshark.
527 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
528 prefs.console_log_level != 0) {
532 g_log_default_handler(log_domain, log_level, message, user_data);
537 print_current_user(void) {
538 gchar *cur_user, *cur_group;
540 if (started_with_special_privs()) {
541 cur_user = get_cur_username();
542 cur_group = get_cur_groupname();
543 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
544 cur_user, cur_group);
547 if (running_with_special_privs()) {
548 fprintf(stderr, " This could be dangerous.");
550 fprintf(stderr, "\n");
555 get_tshark_compiled_version_info(GString *str)
557 /* Capture libraries */
558 get_compiled_caplibs_version(str);
562 get_tshark_runtime_version_info(GString *str)
565 /* Capture libraries */
566 g_string_append(str, ", ");
567 get_runtime_caplibs_version(str);
570 /* stuff used by libwireshark */
571 epan_get_runtime_version_info(str);
577 const char *constpath;
579 #if defined(HAVE_LIBSMI) || defined(HAVE_GEOIP) || defined(HAVE_EXTCAP)
587 * Fetching the "File" dialogs folder not implemented.
588 * This is arguably just a pwd for a ui/cli .
592 printf("%-21s\t%s\n", "Temp:", g_get_tmp_dir());
595 path = get_persconffile_path("", FALSE);
596 printf("%-21s\t%s\n", "Personal configuration:", path);
600 constpath = get_datafile_dir();
601 if (constpath != NULL) {
602 printf("%-21s\t%s\n", "Global configuration:", constpath);
606 constpath = get_systemfile_dir();
607 printf("%-21s\t%s\n", "System:", constpath);
610 constpath = get_progfile_dir();
611 printf("%-21s\t%s\n", "Program:", constpath);
615 printf("%-21s\t%s\n", "Personal Plugins:", get_plugins_pers_dir_with_version());
618 printf("%-21s\t%s\n", "Global Plugins:", get_plugins_dir_with_version());
622 /* pers lua plugins */
623 printf("%-21s\t%s\n", "Personal Lua Plugins:", get_plugins_pers_dir());
625 /* global lua plugins */
626 printf("%-21s\t%s\n", "Global Lua Plugins:", get_plugins_dir());
631 constpath = get_extcap_dir();
633 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
634 for(i = 0; resultArray[i]; i++)
635 printf("%-21s\t%s\n", "Extcap path:", g_strstrip(resultArray[i]));
637 g_strfreev(resultArray);
642 path = geoip_db_get_paths();
644 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
646 for(i = 0; resultArray[i]; i++)
647 printf("%-21s\t%s\n", "GeoIP path:", g_strstrip(resultArray[i]));
649 g_strfreev(resultArray);
655 path = oid_get_default_mib_path();
656 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
658 for(i = 0; resultArray[i]; i++)
659 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
661 g_strfreev(resultArray);
668 main(int argc, char *argv[])
670 GString *comp_info_str;
671 GString *runtime_info_str;
672 char *init_progfile_dir_error;
674 static const struct option long_options[] = {
675 {"help", no_argument, NULL, 'h'},
676 {"version", no_argument, NULL, 'v'},
677 LONGOPT_CAPTURE_COMMON
678 LONGOPT_DISSECT_COMMON
679 {"export-objects", required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
680 {"color", no_argument, NULL, LONGOPT_COLOR},
681 {"no-duplicate-keys", no_argument, NULL, LONGOPT_NO_DUPLICATE_KEYS},
684 gboolean arg_error = FALSE;
692 volatile gboolean success;
693 volatile int exit_status = EXIT_SUCCESS;
695 int caps_queries = 0;
696 gboolean start_capture = FALSE;
700 gboolean capture_option_specified = FALSE;
702 gboolean quiet = FALSE;
703 #ifdef PCAP_NG_DEFAULT
704 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
706 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
708 volatile gboolean out_file_name_res = FALSE;
709 volatile int in_file_type = WTAP_TYPE_AUTO;
710 gchar *volatile cf_name = NULL;
711 gchar *rfilter = NULL;
712 gchar *dfilter = NULL;
713 #ifdef HAVE_PCAP_OPEN_DEAD
714 struct bpf_program fcode;
716 dfilter_t *rfcode = NULL;
717 dfilter_t *dfcode = NULL;
721 gchar *output_only = NULL;
722 gchar *volatile pdu_export_arg = NULL;
723 const char *volatile exp_pdu_filename = NULL;
724 exp_pdu_t exp_pdu_tap_data;
727 * The leading + ensures that getopt_long() does not permute the argv[]
730 * We have to make sure that the first getopt_long() preserves the content
731 * of argv[] for the subsequent getopt_long() call.
733 * We use getopt_long() in both cases to ensure that we're using a routine
734 * whose permutation behavior we can control in the same fashion on all
735 * platforms, and so that, if we ever need to process a long argument before
736 * doing further initialization, we can do so.
738 * Glibc and Solaris libc document that a leading + disables permutation
739 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
740 * and macOS don't document it, but do so anyway.
742 * We do *not* use a leading - because the behavior of a leading - is
743 * platform-dependent.
745 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON "M:C:e:E:F:gG:hH:j:J:lo:O:PqQr:R:S:T:U:vVw:W:xX:Y:z:"
747 static const char optstring[] = OPTSTRING;
749 tshark_debug("tshark started with %d args", argc);
751 /* Set the C-language locale to the native environment. */
752 setlocale(LC_ALL, "");
754 cmdarg_err_init(failure_warning_message, failure_message_cont);
757 arg_list_utf_16to8(argc, argv);
758 create_app_running_mutex();
759 #if !GLIB_CHECK_VERSION(2,31,0)
765 * Get credential information for later use, and drop privileges
766 * before doing anything else.
767 * Let the user know if anything happened.
769 init_process_policies();
770 relinquish_special_privs_perm();
771 print_current_user();
774 * Attempt to get the pathname of the directory containing the
777 init_progfile_dir_error = init_progfile_dir(argv[0], main);
778 if (init_progfile_dir_error != NULL) {
780 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
781 "It won't be possible to capture traffic.\n"
782 "Report this to the Wireshark developers.",
783 init_progfile_dir_error);
784 g_free(init_progfile_dir_error);
787 initialize_funnel_ops();
790 ws_init_dll_search_path();
792 /* Load wpcap if possible. Do this before collecting the run-time version information */
795 /* Warn the user if npf.sys isn't loaded. */
796 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
797 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
798 "capturing or\nlisting interfaces.\n");
800 #endif /* HAVE_LIBPCAP */
803 /* Get the compile-time version information string */
804 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
805 epan_get_compiled_version_info);
807 /* Get the run-time version information string */
808 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
810 /* Add it to the information to be reported on a crash. */
811 ws_add_crash_info("TShark (Wireshark) %s\n"
816 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
817 g_string_free(comp_info_str, TRUE);
818 g_string_free(runtime_info_str, TRUE);
820 /* Fail sometimes. Useful for testing fuzz scripts. */
821 /* if (g_random_int_range(0, 100) < 5) abort(); */
824 * In order to have the -X opts assigned before the wslua machine starts
825 * we need to call getopt_long before epan_init() gets called.
827 * In order to handle, for example, -o options, we also need to call it
828 * *after* epan_init() gets called, so that the dissectors have had a
829 * chance to register their preferences.
831 * XXX - can we do this all with one getopt_long() call, saving the
832 * arguments we can't handle until after initializing libwireshark,
833 * and then process them after initializing libwireshark?
837 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
839 case 'C': /* Configuration Profile */
840 if (profile_exists (optarg, FALSE)) {
841 set_profile_name (optarg);
843 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
844 exit_status = INVALID_OPTION;
848 case 'P': /* Print packet summary info even when writing to a file */
849 print_packet_info = TRUE;
850 print_summary = TRUE;
852 case 'O': /* Only output these protocols */
853 output_only = g_strdup(optarg);
855 case 'V': /* Verbose */
856 print_details = TRUE;
857 print_packet_info = TRUE;
859 case 'x': /* Print packet data in hex (and ASCII) */
861 /* The user asked for hex output, so let's ensure they get it,
862 * even if they're writing to a file.
864 print_packet_info = TRUE;
875 * Print packet summary information is the default, unless either -V or -x
876 * were specified and -P was not. Note that this is new behavior, which
877 * allows for the possibility of printing only hex/ascii output without
878 * necessarily requiring that either the summary or details be printed too.
880 if (print_summary == -1)
881 print_summary = (print_details || print_hex) ? FALSE : TRUE;
883 /** Send All g_log messages to our own handler **/
887 G_LOG_LEVEL_CRITICAL|
892 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
894 g_log_set_handler(NULL,
895 (GLogLevelFlags)log_flags,
896 tshark_log_handler, NULL /* user_data */);
897 g_log_set_handler(LOG_DOMAIN_MAIN,
898 (GLogLevelFlags)log_flags,
899 tshark_log_handler, NULL /* user_data */);
902 g_log_set_handler(LOG_DOMAIN_CAPTURE,
903 (GLogLevelFlags)log_flags,
904 tshark_log_handler, NULL /* user_data */);
905 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
906 (GLogLevelFlags)log_flags,
907 tshark_log_handler, NULL /* user_data */);
910 init_report_message(failure_warning_message, failure_warning_message,
911 open_failure_message, read_failure_message,
912 write_failure_message);
915 capture_opts_init(&global_capture_opts);
916 capture_session_init(&global_capture_session, &cfile);
919 timestamp_set_type(TS_RELATIVE);
920 timestamp_set_precision(TS_PREC_AUTO);
921 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
926 /* Register all the plugin types we have. */
927 epan_register_plugin_types(); /* Types known to libwireshark */
929 /* Scan for plugins. This does *not* call their registration routines;
930 that's done later. */
931 scan_plugins(REPORT_LOAD_FAILURE);
933 /* Register all libwiretap plugin modules. */
934 register_all_wiretap_modules();
937 /* Register all dissectors; we must do this before checking for the
938 "-G" flag, as the "-G" flag dumps information registered by the
939 dissectors, and we must do it before we read the preferences, in
940 case any dissectors register preferences. */
941 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
943 exit_status = INIT_FAILED;
947 /* Register all tap listeners; we do this before we parse the arguments,
948 as the "-z" argument can specify a registered tap. */
950 /* we register the plugin taps before the other taps because
951 stats_tree taps plugins will be registered as tap listeners
952 by stats_tree_stat.c and need to registered before that */
954 register_all_plugin_tap_listeners();
957 extcap_register_preferences();
959 register_all_tap_listeners();
960 conversation_table_set_gui_info(init_iousers);
961 hostlist_table_set_gui_info(init_hostlists);
962 srt_table_iterate_tables(register_srt_tables, NULL);
963 rtd_table_iterate_tables(register_rtd_tables, NULL);
964 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
966 /* If invoked with the "-G" flag, we dump out information based on
967 the argument to the "-G" flag; if no argument is specified,
968 for backwards compatibility we dump out a glossary of display
971 XXX - we do this here, for now, to support "-G" with no arguments.
972 If none of our build or other processes uses "-G" with no arguments,
973 we can just process it with the other arguments. */
974 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
975 proto_initialize_all_prefixes();
978 proto_registrar_dump_fields();
980 if (strcmp(argv[2], "column-formats") == 0)
981 column_dump_column_formats();
982 else if (strcmp(argv[2], "currentprefs") == 0) {
983 epan_load_settings();
986 else if (strcmp(argv[2], "decodes") == 0)
987 dissector_dump_decodes();
988 else if (strcmp(argv[2], "defaultprefs") == 0)
990 else if (strcmp(argv[2], "dissector-tables") == 0)
991 dissector_dump_dissector_tables();
992 else if (strcmp(argv[2], "fieldcount") == 0) {
993 /* return value for the test suite */
994 exit_status = proto_registrar_dump_fieldcount();
996 } else if (strcmp(argv[2], "fields") == 0)
997 proto_registrar_dump_fields();
998 else if (strcmp(argv[2], "folders") == 0)
1000 else if (strcmp(argv[2], "ftypes") == 0)
1001 proto_registrar_dump_ftypes();
1002 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1003 dissector_dump_heur_decodes();
1004 else if (strcmp(argv[2], "plugins") == 0) {
1009 wslua_plugins_dump_all();
1012 else if (strcmp(argv[2], "protocols") == 0)
1013 proto_registrar_dump_protocols();
1014 else if (strcmp(argv[2], "values") == 0)
1015 proto_registrar_dump_values();
1016 else if (strcmp(argv[2], "?") == 0)
1017 glossary_option_help();
1018 else if (strcmp(argv[2], "-?") == 0)
1019 glossary_option_help();
1021 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1022 exit_status = INVALID_OPTION;
1026 exit_status = EXIT_SUCCESS;
1030 tshark_debug("tshark reading settings");
1032 /* Load libwireshark settings from the current profile. */
1033 prefs_p = epan_load_settings();
1035 read_filter_list(CFILTER_LIST);
1037 cap_file_init(&cfile);
1039 /* Print format defaults to this. */
1040 print_format = PR_FMT_TEXT;
1041 delimiter_char = " ";
1043 output_fields = output_fields_new();
1046 * To reset the options parser, set optreset to 1 on platforms that
1047 * have optreset (documented in *BSD and macOS, apparently present but
1048 * not documented in Solaris - the Illumos repository seems to
1049 * suggest that the first Solaris getopt_long(), at least as of 2004,
1050 * was based on the NetBSD one, it had optreset) and set optind to 1,
1051 * and set optind to 0 otherwise (documented as working in the GNU
1052 * getopt_long(). Setting optind to 0 didn't originally work in the
1053 * NetBSD one, but that was added later - we don't want to depend on
1054 * it if we have optreset).
1056 * Also reset opterr to 1, so that error messages are printed by
1059 #ifdef HAVE_OPTRESET
1067 /* Now get our args */
1068 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1070 case '2': /* Perform two pass analysis */
1071 if(epan_auto_reset){
1072 cmdarg_err("-2 does not support auto session reset.");
1075 perform_two_pass_analysis = TRUE;
1078 if(perform_two_pass_analysis){
1079 cmdarg_err("-M does not support two pass analysis.");
1082 epan_auto_reset_count = get_positive_int(optarg, "epan reset count");
1083 epan_auto_reset = TRUE;
1085 case 'a': /* autostop criteria */
1086 case 'b': /* Ringbuffer option */
1087 case 'c': /* Capture x packets */
1088 case 'f': /* capture filter */
1089 case 'g': /* enable group read access on file(s) */
1090 case 'i': /* Use interface x */
1091 case LONGOPT_SET_TSTAMP_TYPE: /* Set capture timestamp type */
1092 case 'p': /* Don't capture in promiscuous mode */
1093 #ifdef HAVE_PCAP_REMOTE
1094 case 'A': /* Authentication */
1096 #ifdef HAVE_PCAP_CREATE
1097 case 'I': /* Capture in monitor mode, if available */
1099 case 's': /* Set the snapshot (capture) length */
1100 case 'w': /* Write to capture file x */
1101 case 'y': /* Set the pcap data link type */
1102 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1103 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1104 case 'B': /* Buffer size */
1107 exit_status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1108 if (exit_status != 0) {
1114 * Output file name, if we're reading a file and writing to another
1117 output_file_name = optarg;
1119 capture_option_specified = TRUE;
1125 /* already processed; just ignore it now */
1127 case 'D': /* Print a list of capture devices and exit */
1129 if_list = capture_interface_list(&err, &err_str,NULL);
1130 if (if_list == NULL) {
1132 cmdarg_err("There are no interfaces on which a capture can be done");
1134 cmdarg_err("%s", err_str);
1137 exit_status = INVALID_INTERFACE;
1140 capture_opts_print_interfaces(if_list);
1141 free_interface_list(if_list);
1142 exit_status = EXIT_SUCCESS;
1145 capture_option_specified = TRUE;
1151 output_fields_add(output_fields, optarg);
1155 if (!output_fields_set_option(output_fields, optarg)) {
1156 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1157 output_fields_list_options(stderr);
1158 exit_status = INVALID_OPTION;
1163 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1164 if (out_file_type < 0) {
1165 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1166 list_capture_types();
1167 exit_status = INVALID_OPTION;
1172 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1175 protocolfilter_flags = PF_INCLUDE_CHILDREN;
1176 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1178 case 'W': /* Select extra information to save in our capture file */
1179 /* This is patterned after the -N flag which may not be the best idea. */
1180 if (strchr(optarg, 'n')) {
1181 out_file_name_res = TRUE;
1183 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1184 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1185 exit_status = INVALID_OPTION;
1189 case 'H': /* Read address to name mappings from a hosts file */
1190 if (! add_hosts_file(optarg))
1192 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1193 exit_status = INVALID_OPTION;
1196 out_file_name_res = TRUE;
1199 case 'h': /* Print help and exit */
1200 printf("TShark (Wireshark) %s\n"
1201 "Dump and analyze network traffic.\n"
1202 "See https://www.wireshark.org for more information.\n",
1203 get_ws_vcs_version_info());
1204 print_usage(stdout);
1205 exit_status = EXIT_SUCCESS;
1208 case 'l': /* "Line-buffer" standard output */
1209 /* The ANSI C standard does not appear to *require* that a line-buffered
1210 stream be flushed to the host environment whenever a newline is
1211 written, it just says that, on such a stream, characters "are
1212 intended to be transmitted to or from the host environment as a
1213 block when a new-line character is encountered".
1215 The Visual C++ 6.0 C implementation doesn't do what is intended;
1216 even if you set a stream to be line-buffered, it still doesn't
1217 flush the buffer at the end of every line.
1219 The whole reason for the "-l" flag in either tcpdump or TShark
1220 is to allow the output of a live capture to be piped to a program
1221 or script and to have that script see the information for the
1222 packet as soon as it's printed, rather than having to wait until
1223 a standard I/O buffer fills up.
1225 So, if the "-l" flag is specified, we flush the standard output
1226 at the end of a packet. This will do the right thing if we're
1227 printing packet summary lines, and, as we print the entire protocol
1228 tree for a single packet without waiting for anything to happen,
1229 it should be as good as line-buffered mode if we're printing
1230 protocol trees - arguably even better, as it may do fewer
1232 line_buffered = TRUE;
1234 case 'L': /* Print list of link-layer types and exit */
1236 caps_queries |= CAPS_QUERY_LINK_TYPES;
1238 capture_option_specified = TRUE;
1242 case LONGOPT_LIST_TSTAMP_TYPES: /* List possible timestamp types */
1244 caps_queries |= CAPS_QUERY_TIMESTAMP_TYPES;
1246 capture_option_specified = TRUE;
1250 case 'o': /* Override preference from command line */
1252 char *errmsg = NULL;
1254 switch (prefs_set_pref(optarg, &errmsg)) {
1259 case PREFS_SET_SYNTAX_ERR:
1260 cmdarg_err("Invalid -o flag \"%s\"%s%s", optarg,
1261 errmsg ? ": " : "", errmsg ? errmsg : "");
1263 exit_status = INVALID_OPTION;
1267 case PREFS_SET_NO_SUCH_PREF:
1268 case PREFS_SET_OBSOLETE:
1269 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1270 exit_status = INVALID_OPTION;
1276 case 'q': /* Quiet */
1279 case 'Q': /* Really quiet */
1281 really_quiet = TRUE;
1283 case 'r': /* Read capture file x */
1284 cf_name = g_strdup(optarg);
1286 case 'R': /* Read file filter */
1290 /* already processed; just ignore it now */
1292 case 'S': /* Set the line Separator to be printed between packets */
1295 case 'T': /* printing Type */
1296 print_packet_info = TRUE;
1297 if (strcmp(optarg, "text") == 0) {
1298 output_action = WRITE_TEXT;
1299 print_format = PR_FMT_TEXT;
1300 } else if (strcmp(optarg, "tabs") == 0) {
1301 output_action = WRITE_TEXT;
1302 print_format = PR_FMT_TEXT;
1303 delimiter_char = "\t";
1304 } else if (strcmp(optarg, "ps") == 0) {
1305 output_action = WRITE_TEXT;
1306 print_format = PR_FMT_PS;
1307 } else if (strcmp(optarg, "pdml") == 0) {
1308 output_action = WRITE_XML;
1309 print_details = TRUE; /* Need details */
1310 print_summary = FALSE; /* Don't allow summary */
1311 } else if (strcmp(optarg, "psml") == 0) {
1312 output_action = WRITE_XML;
1313 print_details = FALSE; /* Don't allow details */
1314 print_summary = TRUE; /* Need summary */
1315 } else if (strcmp(optarg, "fields") == 0) {
1316 output_action = WRITE_FIELDS;
1317 print_details = TRUE; /* Need full tree info */
1318 print_summary = FALSE; /* Don't allow summary */
1319 } else if (strcmp(optarg, "json") == 0) {
1320 output_action = WRITE_JSON;
1321 print_details = TRUE; /* Need details */
1322 print_summary = FALSE; /* Don't allow summary */
1323 } else if (strcmp(optarg, "ek") == 0) {
1324 output_action = WRITE_EK;
1325 print_details = TRUE; /* Need details */
1326 print_summary = FALSE; /* Don't allow summary */
1327 } else if (strcmp(optarg, "jsonraw") == 0) {
1328 output_action = WRITE_JSON_RAW;
1329 print_details = TRUE; /* Need details */
1330 print_summary = FALSE; /* Don't allow summary */
1333 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1334 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1335 "\t specified by the -E option.\n"
1336 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1337 "\t details of a decoded packet. This information is equivalent to\n"
1338 "\t the packet details printed with the -V flag.\n"
1339 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1340 "\t the packets, or a multi-line view of the details of each of\n"
1341 "\t the packets, depending on whether the -V flag was specified.\n"
1342 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1343 "\t summary information of a decoded packet. This information is\n"
1344 "\t equivalent to the information shown in the one-line summary\n"
1345 "\t printed by default.\n"
1346 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1347 "\t summary information of a decoded packet. This information is \n"
1348 "\t equivalent to the packet details printed with the -V flag.\n"
1349 "\t\"jsonraw\" Packet Details, a JSON-based format for machine parsing\n"
1350 "\t including only raw hex decoded fields (same as -T json -x but\n"
1351 "\t without text decoding, only raw fields included). \n"
1352 "\t\"ek\" Packet Details, an EK JSON-based format for the bulk insert \n"
1353 "\t into elastic search cluster. This information is \n"
1354 "\t equivalent to the packet details printed with the -V flag.\n"
1355 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1356 "\t packets, or a multi-line view of the details of each of the\n"
1357 "\t packets, depending on whether the -V flag was specified.\n"
1358 "\t This is the default.\n"
1359 "\t\"tabs\" Similar to the text report except that each column of the\n"
1360 "\t human-readable one-line summary is delimited with an ASCII\n"
1361 "\t horizontal tab character.");
1362 exit_status = INVALID_OPTION;
1366 case 'U': /* Export PDUs to file */
1368 GSList *export_pdu_tap_name_list = NULL;
1371 cmdarg_err("A tap name is required. Valid names are:");
1372 for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
1373 cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data));
1375 exit_status = INVALID_OPTION;
1378 pdu_export_arg = g_strdup(optarg);
1381 case 'v': /* Show version and exit */
1382 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1383 epan_get_compiled_version_info);
1384 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1385 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1386 g_string_free(comp_info_str, TRUE);
1387 g_string_free(runtime_info_str, TRUE);
1388 /* We don't really have to cleanup here, but it's a convenient way to test
1389 * start-up and shut-down of the epan library without any UI-specific
1390 * cruft getting in the way. Makes the results of running
1391 * $ ./tools/valgrind-wireshark -n
1392 * much more useful. */
1397 exit_status = EXIT_SUCCESS;
1399 case 'O': /* Only output these protocols */
1400 /* already processed; just ignore it now */
1402 case 'V': /* Verbose */
1403 /* already processed; just ignore it now */
1405 case 'x': /* Print packet data in hex (and ASCII) */
1406 /* already processed; just ignore it now */
1409 /* already processed; just ignore it now */
1415 /* We won't call the init function for the stat this soon
1416 as it would disallow MATE's fields (which are registered
1417 by the preferences set callback) from being used as
1418 part of a tap filter. Instead, we just add the argument
1419 to a list of stat arguments. */
1420 if (strcmp("help", optarg) == 0) {
1421 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1422 list_stat_cmd_args();
1423 exit_status = EXIT_SUCCESS;
1426 if (!process_stat_cmd_arg(optarg)) {
1427 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1428 list_stat_cmd_args();
1429 exit_status = INVALID_OPTION;
1433 case 'd': /* Decode as rule */
1434 case 'K': /* Kerberos keytab file */
1435 case 'n': /* No name resolution */
1436 case 'N': /* Select what types of addresses/port #s to resolve */
1437 case 't': /* Time stamp type */
1438 case 'u': /* Seconds type */
1439 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1440 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1441 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1442 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1443 if (!dissect_opts_handle_opt(opt, optarg)) {
1444 exit_status = INVALID_OPTION;
1448 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1449 if (strcmp("help", optarg) == 0) {
1450 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1451 eo_list_object_types();
1452 exit_status = EXIT_SUCCESS;
1455 if (!eo_tap_opt_add(optarg)) {
1456 exit_status = INVALID_OPTION;
1460 case LONGOPT_COLOR: /* print in color where appropriate */
1461 dissect_color = TRUE;
1463 case LONGOPT_NO_DUPLICATE_KEYS:
1464 no_duplicate_keys = TRUE;
1465 node_children_grouper = proto_node_group_children_by_json_key;
1468 case '?': /* Bad flag - print usage message */
1471 list_capture_types();
1474 print_usage(stderr);
1476 exit_status = INVALID_OPTION;
1482 if (no_duplicate_keys && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW) {
1483 cmdarg_err("--no-duplicate-keys can only be used with \"-T json\" and \"-T jsonraw\"");
1484 exit_status = INVALID_OPTION;
1488 /* If we specified output fields, but not the output field type... */
1489 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1490 cmdarg_err("Output fields were specified with \"-e\", "
1491 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1492 exit_status = INVALID_OPTION;
1494 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1495 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1496 "specified with \"-e\".");
1498 exit_status = INVALID_OPTION;
1502 if (dissect_color) {
1503 if (!color_filters_init(&err_msg, NULL)) {
1504 fprintf(stderr, "%s\n", err_msg);
1509 /* If no capture filter or display filter has been specified, and there are
1510 still command-line arguments, treat them as the tokens of a capture
1511 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1512 flag was specified. */
1513 if (optind < argc) {
1514 if (cf_name != NULL) {
1515 if (dfilter != NULL) {
1516 cmdarg_err("Display filters were specified both with \"-d\" "
1517 "and with additional command-line arguments.");
1518 exit_status = INVALID_OPTION;
1521 dfilter = get_args_as_string(argc, argv, optind);
1526 if (global_capture_opts.default_options.cfilter) {
1527 cmdarg_err("A default capture filter was specified both with \"-f\""
1528 " and with additional command-line arguments.");
1529 exit_status = INVALID_OPTION;
1532 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1533 interface_options *interface_opts;
1534 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
1535 if (interface_opts->cfilter == NULL) {
1536 interface_opts->cfilter = get_args_as_string(argc, argv, optind);
1538 cmdarg_err("A capture filter was specified both with \"-f\""
1539 " and with additional command-line arguments.");
1540 exit_status = INVALID_OPTION;
1544 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1546 capture_option_specified = TRUE;
1552 if (!global_capture_opts.saving_to_file) {
1553 /* We're not saving the capture to a file; if "-q" wasn't specified,
1554 we should print packet information */
1556 print_packet_info = TRUE;
1558 /* We're saving to a file; if we're writing to the standard output.
1559 and we'll also be writing dissected packets to the standard
1560 output, reject the request. At best, we could redirect that
1561 to the standard error; we *can't* write both to the standard
1562 output and have either of them be useful. */
1563 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1564 cmdarg_err("You can't write both raw packet data and dissected packets"
1565 " to the standard output.");
1566 exit_status = INVALID_OPTION;
1571 /* We're not saving the capture to a file; if "-q" wasn't specified,
1572 we should print packet information */
1574 print_packet_info = TRUE;
1577 #ifndef HAVE_LIBPCAP
1578 if (capture_option_specified)
1579 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1582 print_usage(stderr);
1583 exit_status = INVALID_OPTION;
1588 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
1589 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
1590 exit_status = INVALID_OPTION;
1595 if (output_only != NULL) {
1598 if (!print_details) {
1599 cmdarg_err("-O requires -V");
1600 exit_status = INVALID_OPTION;
1604 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1605 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1606 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1610 if (rfilter != NULL && !perform_two_pass_analysis) {
1611 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1612 exit_status = INVALID_OPTION;
1618 /* We're supposed to list the link-layer/timestamp types for an interface;
1619 did the user also specify a capture file to be read? */
1621 /* Yes - that's bogus. */
1622 cmdarg_err("You can't specify %s and a capture file to be read.",
1623 caps_queries & CAPS_QUERY_LINK_TYPES ? "-L" : "--list-time-stamp-types");
1624 exit_status = INVALID_OPTION;
1627 /* No - did they specify a ring buffer option? */
1628 if (global_capture_opts.multi_files_on) {
1629 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1630 exit_status = INVALID_OPTION;
1636 * "-r" was specified, so we're reading a capture file.
1637 * Capture options don't apply here.
1640 /* We don't support capture filters when reading from a capture file
1641 (the BPF compiler doesn't support all link-layer types that we
1642 support in capture files we read). */
1643 if (global_capture_opts.default_options.cfilter) {
1644 cmdarg_err("Only read filters, not capture filters, "
1645 "can be specified when reading a capture file.");
1646 exit_status = INVALID_OPTION;
1649 if (global_capture_opts.multi_files_on) {
1650 cmdarg_err("Multiple capture files requested, but "
1651 "a capture isn't being done.");
1652 exit_status = INVALID_OPTION;
1655 if (global_capture_opts.has_file_duration) {
1656 cmdarg_err("Switching capture files after a time period was specified, but "
1657 "a capture isn't being done.");
1658 exit_status = INVALID_OPTION;
1661 if (global_capture_opts.has_file_interval) {
1662 cmdarg_err("Switching capture files after a time interval was specified, but "
1663 "a capture isn't being done.");
1664 exit_status = INVALID_OPTION;
1667 if (global_capture_opts.has_ring_num_files) {
1668 cmdarg_err("A ring buffer of capture files was specified, but "
1669 "a capture isn't being done.");
1670 exit_status = INVALID_OPTION;
1673 if (global_capture_opts.has_autostop_files) {
1674 cmdarg_err("A maximum number of capture files was specified, but "
1675 "a capture isn't being done.");
1676 exit_status = INVALID_OPTION;
1679 if (global_capture_opts.capture_comment) {
1680 cmdarg_err("A capture comment was specified, but "
1681 "a capture isn't being done.\nThere's no support for adding "
1682 "a capture comment to an existing capture file.");
1683 exit_status = INVALID_OPTION;
1687 /* Note: TShark now allows the restriction of a _read_ file by packet count
1688 * and byte count as well as a write file. Other autostop options remain valid
1689 * only for a write file.
1691 if (global_capture_opts.has_autostop_duration) {
1692 cmdarg_err("A maximum capture time was specified, but "
1693 "a capture isn't being done.");
1694 exit_status = INVALID_OPTION;
1699 * "-r" wasn't specified, so we're doing a live capture.
1701 if (perform_two_pass_analysis) {
1702 /* Two-pass analysis doesn't work with live capture since it requires us
1703 * to buffer packets until we've read all of them, but a live capture
1704 * has no useful/meaningful definition of "all" */
1705 cmdarg_err("Live captures do not support two-pass analysis.");
1706 exit_status = INVALID_OPTION;
1710 if (global_capture_opts.saving_to_file) {
1711 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1713 /* When capturing, we only support writing pcap or pcap-ng format. */
1714 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1715 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1716 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1717 exit_status = INVALID_OPTION;
1720 if (global_capture_opts.capture_comment &&
1721 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1722 cmdarg_err("A capture comment can only be written to a pcapng file.");
1723 exit_status = INVALID_OPTION;
1726 if (global_capture_opts.multi_files_on) {
1727 /* Multiple-file mode doesn't work under certain conditions:
1728 a) it doesn't work if you're writing to the standard output;
1729 b) it doesn't work if you're writing to a pipe;
1731 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1732 cmdarg_err("Multiple capture files requested, but "
1733 "the capture is being written to the standard output.");
1734 exit_status = INVALID_OPTION;
1737 if (global_capture_opts.output_to_pipe) {
1738 cmdarg_err("Multiple capture files requested, but "
1739 "the capture file is a pipe.");
1740 exit_status = INVALID_OPTION;
1743 if (!global_capture_opts.has_autostop_filesize &&
1744 !global_capture_opts.has_file_duration &&
1745 !global_capture_opts.has_file_interval) {
1746 cmdarg_err("Multiple capture files requested, but "
1747 "no maximum capture file size, duration or interval was specified.");
1748 exit_status = INVALID_OPTION;
1752 /* Currently, we don't support read or display filters when capturing
1753 and saving the packets. */
1754 if (rfilter != NULL) {
1755 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1756 exit_status = INVALID_OPTION;
1759 if (dfilter != NULL) {
1760 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1761 exit_status = INVALID_OPTION;
1764 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1766 /* They didn't specify a "-w" flag, so we won't be saving to a
1767 capture file. Check for options that only make sense if
1768 we're saving to a file. */
1769 if (global_capture_opts.has_autostop_filesize) {
1770 cmdarg_err("Maximum capture file size specified, but "
1771 "capture isn't being saved to a file.");
1772 exit_status = INVALID_OPTION;
1775 if (global_capture_opts.multi_files_on) {
1776 cmdarg_err("Multiple capture files requested, but "
1777 "the capture isn't being saved to a file.");
1778 exit_status = INVALID_OPTION;
1781 if (global_capture_opts.capture_comment) {
1782 cmdarg_err("A capture comment was specified, but "
1783 "the capture isn't being saved to a file.");
1784 exit_status = INVALID_OPTION;
1793 /* Start windows sockets */
1794 result = WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1797 exit_status = INIT_FAILED;
1802 /* Notify all registered modules that have had any of their preferences
1803 changed either from one of the preferences file or from the command
1804 line that their preferences have changed. */
1807 /* At this point MATE will have registered its field array so we can
1808 have a tap filter with one of MATE's late-registered fields as part
1809 of the filter. We can now process all the "-z" arguments. */
1810 start_requested_stats();
1812 /* We can also enable specified taps for export object */
1813 start_exportobjects();
1815 /* At this point MATE will have registered its field array so we can
1816 check if the fields specified by the user are all good.
1820 GSList *invalid_fields = output_fields_valid(output_fields);
1821 if (invalid_fields != NULL) {
1823 cmdarg_err("Some fields aren't valid:");
1824 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
1825 cmdarg_err_cont("\t%s", (gchar *)it->data);
1827 g_slist_free(invalid_fields);
1828 exit_status = INVALID_OPTION;
1833 /* We currently don't support taps, or printing dissected packets,
1834 if we're writing to a pipe. */
1835 if (global_capture_opts.saving_to_file &&
1836 global_capture_opts.output_to_pipe) {
1837 if (tap_listeners_require_dissection()) {
1838 cmdarg_err("Taps aren't supported when saving to a pipe.");
1839 exit_status = INVALID_OPTION;
1842 if (print_packet_info) {
1843 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1844 exit_status = INVALID_OPTION;
1850 if (ex_opt_count("read_format") > 0) {
1851 const gchar* name = ex_opt_get_next("read_format");
1852 in_file_type = open_info_name_to_type(name);
1853 if (in_file_type == WTAP_TYPE_AUTO) {
1854 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1855 list_read_capture_types();
1856 exit_status = INVALID_OPTION;
1861 timestamp_set_type(global_dissect_options.time_format);
1864 * Enabled and disabled protocols and heuristic dissectors as per
1865 * command-line options.
1867 if (!setup_enabled_and_disabled_protocols()) {
1868 exit_status = INVALID_OPTION;
1872 /* Build the column format array */
1873 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1876 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1877 capture_opts_trim_ring_num_files(&global_capture_opts);
1880 if (rfilter != NULL) {
1881 tshark_debug("Compiling read filter: '%s'", rfilter);
1882 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
1883 cmdarg_err("%s", err_msg);
1889 #ifdef HAVE_PCAP_OPEN_DEAD
1893 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1895 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1897 " Note: That read filter code looks like a valid capture filter;\n"
1898 " maybe you mixed them up?");
1904 exit_status = INVALID_INTERFACE;
1908 cfile.rfcode = rfcode;
1910 if (dfilter != NULL) {
1911 tshark_debug("Compiling display filter: '%s'", dfilter);
1912 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
1913 cmdarg_err("%s", err_msg);
1919 #ifdef HAVE_PCAP_OPEN_DEAD
1923 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1925 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1927 " Note: That display filter code looks like a valid capture filter;\n"
1928 " maybe you mixed them up?");
1934 exit_status = INVALID_FILTER;
1938 cfile.dfcode = dfcode;
1940 if (print_packet_info) {
1941 /* If we're printing as text or PostScript, we have
1942 to create a print stream. */
1943 if (output_action == WRITE_TEXT) {
1944 switch (print_format) {
1947 print_stream = print_stream_text_stdio_new(stdout);
1951 print_stream = print_stream_ps_stdio_new(stdout);
1955 g_assert_not_reached();
1960 /* PDU export requested. Take the ownership of the '-w' file, apply tap
1961 * filters and start tapping. */
1962 if (pdu_export_arg) {
1963 const char *exp_pdu_tap_name = pdu_export_arg;
1964 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
1965 char *exp_pdu_error;
1970 cmdarg_err("PDUs export requires a capture file (specify with -r).");
1971 exit_status = INVALID_OPTION;
1974 /* Take ownership of the '-w' output file. */
1976 exp_pdu_filename = global_capture_opts.save_file;
1977 global_capture_opts.save_file = NULL;
1979 exp_pdu_filename = output_file_name;
1980 output_file_name = NULL;
1982 if (exp_pdu_filename == NULL) {
1983 cmdarg_err("PDUs export requires an output file (-w).");
1984 exit_status = INVALID_OPTION;
1988 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
1990 if (exp_pdu_error) {
1991 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
1992 g_free(exp_pdu_error);
1993 exit_status = INVALID_TAP;
1997 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
1999 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
2000 exit_status = INVALID_FILE;
2004 /* Activate the export PDU tap */
2005 comment = g_strdup_printf("Dump of PDUs from %s", cf_name);
2006 err = exp_pdu_open(&exp_pdu_tap_data, exp_fd, comment);
2008 cfile_dump_open_failure_message("TShark", exp_pdu_filename, err,
2009 WTAP_FILE_TYPE_SUBTYPE_PCAPNG);
2011 exit_status = INVALID_EXPORT;
2016 /* We have to dissect each packet if:
2018 we're printing information about each packet;
2020 we're using a read filter on the packets;
2022 we're using a display filter on the packets;
2024 we're exporting PDUs;
2026 we're using any taps that need dissection. */
2027 do_dissection = print_packet_info || rfcode || dfcode || pdu_export_arg ||
2028 tap_listeners_require_dissection() || dissect_color;
2029 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2032 tshark_debug("tshark: Opening capture file: %s", cf_name);
2034 * We're reading a capture file.
2036 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2041 exit_status = INVALID_FILE;
2045 /* Process the packets in the file */
2046 tshark_debug("tshark: invoking process_cap_file() to process the packets");
2049 success = process_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2050 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2051 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2053 success = process_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2056 CATCH(OutOfMemoryError) {
2060 "Sorry, but TShark has to terminate now.\n"
2062 "More information and workarounds can be found at\n"
2063 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2069 /* We still dump out the results of taps, etc., as we might have
2070 read some packets; however, we exit with an error status. */
2074 if (pdu_export_arg) {
2075 err = exp_pdu_close(&exp_pdu_tap_data);
2077 cfile_close_failure_message(exp_pdu_filename, err);
2080 g_free(pdu_export_arg);
2083 tshark_debug("tshark: no capture file specified");
2084 /* No capture file specified, so we're supposed to do a live capture
2085 or get a list of link-layer types for a live capture device;
2086 do we have support for live captures? */
2088 /* if no interface was specified, pick a default */
2089 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2090 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2091 if (exit_status != 0) {
2095 /* if requested, list the link layer types and exit */
2099 /* Get the list of link-layer types for the capture devices. */
2100 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2101 interface_options *interface_opts;
2102 if_capabilities_t *caps;
2103 char *auth_str = NULL;
2104 int if_caps_queries = caps_queries;
2106 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2107 #ifdef HAVE_PCAP_REMOTE
2108 if (interface_opts->auth_type == CAPTURE_AUTH_PWD) {
2109 auth_str = g_strdup_printf("%s:%s", interface_opts->auth_username, interface_opts->auth_password);
2112 caps = capture_get_if_capabilities(interface_opts->name, interface_opts->monitor_mode, auth_str, &err_str, NULL);
2115 cmdarg_err("%s", err_str);
2117 exit_status = INVALID_CAPABILITY;
2120 if ((if_caps_queries & CAPS_QUERY_LINK_TYPES) && caps->data_link_types == NULL) {
2121 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts->name);
2122 exit_status = INVALID_DATA_LINK;
2125 if ((if_caps_queries & CAPS_QUERY_TIMESTAMP_TYPES) && caps->timestamp_types == NULL) {
2126 cmdarg_err("The capture device \"%s\" has no timestamp types.", interface_opts->name);
2127 exit_status = INVALID_TIMESTAMP_TYPE;
2130 if (interface_opts->monitor_mode)
2131 if_caps_queries |= CAPS_MONITOR_MODE;
2132 capture_opts_print_if_capabilities(caps, interface_opts->name, if_caps_queries);
2133 free_if_capabilities(caps);
2135 exit_status = EXIT_SUCCESS;
2140 * If the standard error isn't a terminal, don't print packet counts,
2141 * as they won't show up on the user's terminal and they'll get in
2142 * the way of error messages in the file (to which we assume the
2143 * standard error was redirected; if it's redirected to the null
2144 * device, there's no point in printing packet counts anyway).
2146 * Otherwise, if we're printing packet information and the standard
2147 * output is a terminal (which we assume means the standard output and
2148 * error are going to the same terminal), don't print packet counts,
2149 * as they'll get in the way of the packet information.
2151 * Otherwise, if the user specified -q, don't print packet counts.
2153 * Otherwise, print packet counts.
2155 * XXX - what if the user wants to do a live capture, doesn't want
2156 * to save it to a file, doesn't want information printed for each
2157 * packet, does want some "-z" statistic, and wants packet counts
2158 * so they know whether they're seeing any packets? -q will
2159 * suppress the information printed for each packet, but it'll
2160 * also suppress the packet counts.
2162 if (!ws_isatty(ws_fileno(stderr)))
2163 print_packet_counts = FALSE;
2164 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2165 print_packet_counts = FALSE;
2167 print_packet_counts = FALSE;
2169 print_packet_counts = TRUE;
2171 if (print_packet_info) {
2172 if (!write_preamble(&cfile)) {
2173 show_print_file_io_error(errno);
2174 exit_status = INVALID_FILE;
2179 tshark_debug("tshark: performing live capture");
2181 * XXX - this returns FALSE if an error occurred, but it also
2182 * returns FALSE if the capture stops because a time limit
2183 * was reached (and possibly other limits), so we can't assume
2184 * it means an error.
2186 * The capture code is a bit twisty, so it doesn't appear to
2187 * be an easy fix. We just ignore the return value for now.
2188 * Instead, pass on the exit status from the capture child.
2191 exit_status = global_capture_session.fork_child_status;
2193 if (print_packet_info) {
2194 if (!write_finale()) {
2195 show_print_file_io_error(errno);
2199 /* No - complain. */
2200 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2201 exit_status = INVALID_CAPTURE;
2208 if (cfile.frames != NULL) {
2209 free_frame_data_sequence(cfile.frames);
2210 cfile.frames = NULL;
2213 draw_tap_listeners(TRUE);
2214 funnel_dump_all_text_windows();
2215 epan_free(cfile.epan);
2221 output_fields_free(output_fields);
2222 output_fields = NULL;
2225 destroy_print_stream(print_stream);
2227 capture_opts_cleanup(&global_capture_opts);
2229 col_cleanup(&cfile.cinfo);
2230 free_filter_lists();
2240 /*#define USE_BROKEN_G_MAIN_LOOP*/
2242 #ifdef USE_BROKEN_G_MAIN_LOOP
2245 gboolean loop_running = FALSE;
2247 guint32 packet_count = 0;
2250 typedef struct pipe_input_tag {
2253 ws_process_id *child_process;
2254 pipe_input_cb_t input_cb;
2255 guint pipe_input_id;
2257 GMutex *callback_running;
2261 static pipe_input_t pipe_input;
2264 /* The timer has expired, see if there's stuff to read from the pipe,
2265 if so, do the callback */
2267 pipe_timer_cb(gpointer data)
2273 pipe_input_t *pipe_input_p = data;
2274 gint iterations = 0;
2276 g_mutex_lock (pipe_input_p->callback_running);
2278 /* try to read data from the pipe only 5 times, to avoid blocking */
2279 while(iterations < 5) {
2280 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2282 /* Oddly enough although Named pipes don't work on win9x,
2283 PeekNamedPipe does !!! */
2284 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2285 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2287 /* Get the child process exit status */
2288 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2291 /* If the Peek returned an error, or there are bytes to be read
2292 or the childwatcher thread has terminated then call the normal
2294 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2296 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2298 /* And call the real handler */
2299 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2300 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2301 /* pipe closed, return false so that the timer is stopped */
2302 g_mutex_unlock (pipe_input_p->callback_running);
2307 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2308 /* No data, stop now */
2315 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2317 g_mutex_unlock (pipe_input_p->callback_running);
2319 /* we didn't stopped the timer, so let it run */
2326 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2329 pipe_input.source = source;
2330 pipe_input.child_process = child_process;
2331 pipe_input.user_data = user_data;
2332 pipe_input.input_cb = input_cb;
2335 #if GLIB_CHECK_VERSION(2,31,0)
2336 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2337 g_mutex_init(pipe_input.callback_running);
2339 pipe_input.callback_running = g_mutex_new();
2341 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2342 do this but that doesn't cover all win32 platforms. GTK can do
2343 this but doesn't seem to work over processes. Attempt to do
2344 something similar here, start a timer and check for data on every
2346 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2347 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2351 static const nstime_t *
2352 tshark_get_frame_ts(void *data, guint32 frame_num)
2354 capture_file *cf = (capture_file *) data;
2356 if (ref && ref->num == frame_num)
2357 return &ref->abs_ts;
2359 if (prev_dis && prev_dis->num == frame_num)
2360 return &prev_dis->abs_ts;
2362 if (prev_cap && prev_cap->num == frame_num)
2363 return &prev_cap->abs_ts;
2366 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2368 return (fd) ? &fd->abs_ts : NULL;
2375 tshark_epan_new(capture_file *cf)
2377 epan_t *epan = epan_new();
2380 epan->get_frame_ts = tshark_get_frame_ts;
2381 epan->get_interface_name = cap_file_get_interface_name;
2382 epan->get_interface_description = cap_file_get_interface_description;
2383 epan->get_user_comment = NULL;
2395 #ifdef USE_TSHARK_SELECT
2399 struct sigaction action, oldaction;
2402 /* Create new dissection section. */
2403 epan_free(cfile.epan);
2404 cfile.epan = tshark_epan_new(&cfile);
2407 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2408 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2410 /* Catch SIGINT and SIGTERM and, if we get either of them,
2411 clean up and exit. If SIGHUP isn't being ignored, catch
2412 it too and, if we get it, clean up and exit.
2414 We restart any read that was in progress, so that it doesn't
2415 disrupt reading from the sync pipe. The signal handler tells
2416 the capture child to finish; it will report that it finished,
2417 or will exit abnormally, so we'll stop reading from the sync
2418 pipe, pick up the exit status, and quit. */
2419 memset(&action, 0, sizeof(action));
2420 action.sa_handler = capture_cleanup;
2421 action.sa_flags = SA_RESTART;
2422 sigemptyset(&action.sa_mask);
2423 sigaction(SIGTERM, &action, NULL);
2424 sigaction(SIGINT, &action, NULL);
2425 sigaction(SIGHUP, NULL, &oldaction);
2426 if (oldaction.sa_handler == SIG_DFL)
2427 sigaction(SIGHUP, &action, NULL);
2430 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2431 quiet mode, report the number of packets we've captured.
2433 Again, restart any read that was in progress, so that it doesn't
2434 disrupt reading from the sync pipe. */
2435 action.sa_handler = report_counts_siginfo;
2436 action.sa_flags = SA_RESTART;
2437 sigemptyset(&action.sa_mask);
2438 sigaction(SIGINFO, &action, NULL);
2439 #endif /* SIGINFO */
2442 global_capture_session.state = CAPTURE_PREPARING;
2444 /* Let the user know which interfaces were chosen. */
2445 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2446 interface_options *interface_opts;
2448 interface_opts = &g_array_index(global_capture_opts.ifaces, interface_options, i);
2449 interface_opts->descr = get_interface_descriptive_name(interface_opts->name);
2451 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2452 if (really_quiet == FALSE)
2453 fprintf(stderr, "Capturing on %s\n", str->str);
2455 g_string_free(str, TRUE);
2457 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2462 /* the actual capture loop
2464 * XXX - glib doesn't seem to provide any event based loop handling.
2466 * XXX - for whatever reason,
2467 * calling g_main_loop_new() ends up in 100% cpu load.
2469 * But that doesn't matter: in UNIX we can use select() to find an input
2470 * source with something to do.
2472 * But that doesn't matter because we're in a CLI (that doesn't need to
2473 * update a GUI or something at the same time) so it's OK if we block
2474 * trying to read from the pipe.
2476 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2477 * wrong (but I leave it there in case I am...).
2480 #ifdef USE_TSHARK_SELECT
2482 FD_SET(pipe_input.source, &readfds);
2485 loop_running = TRUE;
2489 while (loop_running)
2491 #ifdef USE_TSHARK_SELECT
2492 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2496 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2498 } else if (ret == 1) {
2500 /* Call the real handler */
2501 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2502 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2505 #ifdef USE_TSHARK_SELECT
2510 CATCH(OutOfMemoryError) {
2514 "Sorry, but TShark has to terminate now.\n"
2516 "More information and workarounds can be found at\n"
2517 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2524 /* capture child detected an error */
2526 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2528 cmdarg_err("%s", error_msg);
2529 cmdarg_err_cont("%s", secondary_error_msg);
2533 /* capture child detected an capture filter related error */
2535 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2537 capture_options *capture_opts = cap_session->capture_opts;
2538 dfilter_t *rfcode = NULL;
2539 interface_options *interface_opts;
2541 g_assert(i < capture_opts->ifaces->len);
2542 interface_opts = &g_array_index(capture_opts->ifaces, interface_options, i);
2544 if (dfilter_compile(interface_opts->cfilter, &rfcode, NULL) && rfcode != NULL) {
2546 "Invalid capture filter \"%s\" for interface '%s'.\n"
2548 "That string looks like a valid display filter; however, it isn't a valid\n"
2549 "capture filter (%s).\n"
2551 "Note that display filters and capture filters don't have the same syntax,\n"
2552 "so you can't use most display filter expressions as capture filters.\n"
2554 "See the User's Guide for a description of the capture filter syntax.",
2555 interface_opts->cfilter, interface_opts->descr, error_message);
2556 dfilter_free(rfcode);
2559 "Invalid capture filter \"%s\" for interface '%s'.\n"
2561 "That string isn't a valid capture filter (%s).\n"
2562 "See the User's Guide for a description of the capture filter syntax.",
2563 interface_opts->cfilter, interface_opts->descr, error_message);
2568 /* capture child tells us we have a new (or the first) capture file */
2570 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2572 capture_options *capture_opts = cap_session->capture_opts;
2573 capture_file *cf = (capture_file *) cap_session->cf;
2574 gboolean is_tempfile;
2577 if (cap_session->state == CAPTURE_PREPARING) {
2578 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2580 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2582 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2584 /* free the old filename */
2585 if (capture_opts->save_file != NULL) {
2587 /* we start a new capture file, close the old one (if we had one before) */
2588 if (cf->state != FILE_CLOSED) {
2589 if (cf->wth != NULL) {
2590 wtap_close(cf->wth);
2593 cf->state = FILE_CLOSED;
2596 g_free(capture_opts->save_file);
2597 is_tempfile = FALSE;
2599 epan_free(cf->epan);
2600 cf->epan = tshark_epan_new(cf);
2602 /* we didn't had a save_file before, must be a tempfile */
2606 /* save the new filename */
2607 capture_opts->save_file = g_strdup(new_file);
2609 /* if we are in real-time mode, open the new file now */
2610 if (do_dissection) {
2611 /* this is probably unecessary, but better safe than sorry */
2612 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2613 /* Attempt to open the capture file and set up to read from it. */
2614 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2618 /* Don't unlink (delete) the save file - leave it around,
2619 for debugging purposes. */
2620 g_free(capture_opts->save_file);
2621 capture_opts->save_file = NULL;
2626 cap_session->state = CAPTURE_RUNNING;
2632 /* capture child tells us we have new packets to read */
2634 capture_input_new_packets(capture_session *cap_session, int to_read)
2640 capture_file *cf = (capture_file *)cap_session->cf;
2641 gboolean filtering_tap_listeners;
2646 * Prevent a SIGINFO handler from writing to the standard error while
2647 * we're doing so or writing to the standard output; instead, have it
2648 * just set a flag telling us to print that information when we're done.
2651 #endif /* SIGINFO */
2653 /* Do we have any tap listeners with filters? */
2654 filtering_tap_listeners = have_filtering_tap_listeners();
2656 /* Get the union of the flags for all tap listeners. */
2657 tap_flags = union_of_tap_listener_flags();
2659 if (do_dissection) {
2660 gboolean create_proto_tree;
2661 epan_dissect_t *edt;
2664 * Determine whether we need to create a protocol tree.
2667 * we're going to apply a read filter;
2669 * we're going to apply a display filter;
2671 * we're going to print the protocol tree;
2673 * one of the tap listeners is going to apply a filter;
2675 * one of the tap listeners requires a protocol tree;
2677 * a postdissector wants field values or protocols
2678 * on the first pass;
2680 * we have custom columns (which require field values, which
2681 * currently requires that we build a protocol tree).
2684 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2685 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
2686 have_custom_cols(&cf->cinfo) || dissect_color);
2688 /* The protocol tree will be "visible", i.e., printed, only if we're
2689 printing packet details, which is true if we're printing stuff
2690 ("print_packet_info" is true) and we're in verbose mode
2691 ("packet_details" is true). */
2692 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2694 while (to_read-- && cf->wth) {
2695 wtap_cleareof(cf->wth);
2696 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2697 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
2699 /* read from file failed, tell the capture child to stop */
2700 sync_pipe_stop(cap_session);
2701 wtap_close(cf->wth);
2704 ret = process_packet_single_pass(cf, edt, data_offset,
2706 wtap_buf_ptr(cf->wth), tap_flags);
2709 /* packet successfully read and gone through the "Read Filter" */
2714 epan_dissect_free(edt);
2718 * Dumpcap's doing all the work; we're not doing any dissection.
2719 * Count all the packets it wrote.
2721 packet_count += to_read;
2724 if (print_packet_counts) {
2725 /* We're printing packet counts. */
2726 if (packet_count != 0) {
2727 fprintf(stderr, "\r%u ", packet_count);
2728 /* stderr could be line buffered */
2735 * Allow SIGINFO handlers to write.
2740 * If a SIGINFO handler asked us to write out capture counts, do so.
2744 #endif /* SIGINFO */
2750 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2751 /* Report the count only if we aren't printing a packet count
2752 as packets arrive. */
2753 fprintf(stderr, "%u packet%s captured\n", packet_count,
2754 plurality(packet_count, "", "s"));
2757 infoprint = FALSE; /* we just reported it */
2758 #endif /* SIGINFO */
2763 report_counts_siginfo(int signum _U_)
2765 int sav_errno = errno;
2766 /* If we've been told to delay printing, just set a flag asking
2767 that we print counts (if we're supposed to), otherwise print
2768 the count of packets captured (if we're supposed to). */
2775 #endif /* SIGINFO */
2778 /* capture child detected any packet drops? */
2780 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2782 if (print_packet_counts) {
2783 /* We're printing packet counts to stderr.
2784 Send a newline so that we move to the line after the packet count. */
2785 fprintf(stderr, "\n");
2789 /* We're printing packet counts to stderr.
2790 Send a newline so that we move to the line after the packet count. */
2791 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2797 * Capture child closed its side of the pipe, report any error and
2798 * do the required cleanup.
2801 capture_input_closed(capture_session *cap_session, gchar *msg)
2803 capture_file *cf = (capture_file *) cap_session->cf;
2806 fprintf(stderr, "tshark: %s\n", msg);
2810 if (cf != NULL && cf->wth != NULL) {
2811 wtap_close(cf->wth);
2812 if (cf->is_tempfile) {
2813 ws_unlink(cf->filename);
2816 #ifdef USE_BROKEN_G_MAIN_LOOP
2817 /*g_main_loop_quit(loop);*/
2818 g_main_loop_quit(loop);
2820 loop_running = FALSE;
2829 capture_cleanup(DWORD ctrltype _U_)
2831 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2832 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2833 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2834 like SIGTERM at least when the machine's shutting down.
2836 For now, we handle them all as indications that we should clean up
2837 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2840 We must return TRUE so that no other handler - such as one that would
2841 terminate the process - gets called.
2843 XXX - for some reason, typing ^C to TShark, if you run this in
2844 a Cygwin console window in at least some versions of Cygwin,
2845 causes TShark to terminate immediately; this routine gets
2846 called, but the main loop doesn't get a chance to run and
2847 exit cleanly, at least if this is compiled with Microsoft Visual
2848 C++ (i.e., it's a property of the Cygwin console window or Bash;
2849 it happens if TShark is not built with Cygwin - for all I know,
2850 building it with Cygwin may make the problem go away). */
2852 /* tell the capture child to stop */
2853 sync_pipe_stop(&global_capture_session);
2855 /* don't stop our own loop already here, otherwise status messages and
2856 * cleanup wouldn't be done properly. The child will indicate the stop of
2857 * everything by calling capture_input_closed() later */
2863 capture_cleanup(int signum _U_)
2865 /* tell the capture child to stop */
2866 sync_pipe_stop(&global_capture_session);
2868 /* don't stop our own loop already here, otherwise status messages and
2869 * cleanup wouldn't be done properly. The child will indicate the stop of
2870 * everything by calling capture_input_closed() later */
2873 #endif /* HAVE_LIBPCAP */
2876 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2877 gint64 offset, struct wtap_pkthdr *whdr,
2884 /* The frame number of this packet is one more than the count of
2885 frames in this packet. */
2886 framenum = cf->count + 1;
2888 /* If we're not running a display filter and we're not printing any
2889 packet information, we don't need to do a dissection. This means
2890 that all packets can be marked as 'passed'. */
2893 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2895 /* If we're going to run a read filter or a display filter, set up to
2896 do a dissection and do so. (This is the first pass of two passes
2897 over the packets, so we will not be printing any information
2898 from the dissection or running taps on the packet; if we're doing
2899 any of that, we'll do it in the second pass.) */
2901 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2902 gbl_resolv_flags.transport_name)
2903 /* Grab any resolved addresses */
2904 host_name_lookup_process();
2906 /* If we're running a read filter, prime the epan_dissect_t with that
2909 epan_dissect_prime_with_dfilter(edt, cf->rfcode);
2912 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
2914 /* This is the first pass, so prime the epan_dissect_t with the
2915 hfids postdissectors want on the first pass. */
2916 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
2918 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2920 if (ref == &fdlocal) {
2921 ref_frame = fdlocal;
2925 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2927 /* Run the read filter if we have one. */
2929 passed = dfilter_apply_edt(cf->rfcode, edt);
2933 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2934 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2936 /* If we're not doing dissection then there won't be any dependent frames.
2937 * More importantly, edt.pi.dependent_frames won't be initialized because
2938 * epan hasn't been initialized.
2939 * if we *are* doing dissection, then mark the dependent frames, but only
2940 * if a display filter was given and it matches this packet.
2942 if (edt && cf->dfcode) {
2943 if (dfilter_apply_edt(cf->dfcode, edt)) {
2944 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2950 /* if we don't add it to the frame_data_sequence, clean it up right now
2952 frame_data_destroy(&fdlocal);
2956 epan_dissect_reset(edt);
2962 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt,
2963 frame_data *fdata, struct wtap_pkthdr *phdr,
2964 Buffer *buf, guint tap_flags)
2969 /* If we're not running a display filter and we're not printing any
2970 packet information, we don't need to do a dissection. This means
2971 that all packets can be marked as 'passed'. */
2974 /* If we're going to print packet information, or we're going to
2975 run a read filter, or we're going to process taps, set up to
2976 do a dissection and do so. (This is the second pass of two
2977 passes over the packets; that's the pass where we print
2978 packet information or run taps.) */
2980 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2981 gbl_resolv_flags.transport_name)
2982 /* Grab any resolved addresses */
2983 host_name_lookup_process();
2985 /* If we're running a display filter, prime the epan_dissect_t with that
2988 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
2990 col_custom_prime_edt(edt, &cf->cinfo);
2992 /* We only need the columns if either
2993 1) some tap needs the columns
2995 2) we're printing packet info but we're *not* verbose; in verbose
2996 mode, we print the protocol tree, not the protocol summary.
2998 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3003 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3010 if (dissect_color) {
3011 color_filters_prime_edt(edt);
3012 fdata->flags.need_colorize = 1;
3015 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3017 /* Run the read/display filter if we have one. */
3019 passed = dfilter_apply_edt(cf->dfcode, edt);
3023 frame_data_set_after_dissect(fdata, &cum_bytes);
3024 /* Process this packet. */
3025 if (print_packet_info) {
3026 /* We're printing packet information; print the information for
3028 print_packet(cf, edt);
3030 /* If we're doing "line-buffering", flush the standard output
3031 after every packet. See the comment above, for the "-l"
3032 option, for an explanation of why we do that. */
3036 if (ferror(stdout)) {
3037 show_print_file_io_error(errno);
3046 epan_dissect_reset(edt);
3048 return passed || fdata->flags.dependent_of_displayed;
3052 process_cap_file(capture_file *cf, char *save_file, int out_file_type,
3053 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3055 gboolean success = TRUE;
3057 int snapshot_length;
3060 int err = 0, err_pass1 = 0;
3061 gchar *err_info = NULL, *err_info_pass1 = NULL;
3063 gboolean filtering_tap_listeners;
3065 GArray *shb_hdrs = NULL;
3066 wtapng_iface_descriptions_t *idb_inf = NULL;
3067 GArray *nrb_hdrs = NULL;
3068 struct wtap_pkthdr phdr;
3070 epan_dissect_t *edt = NULL;
3071 char *shb_user_appl;
3073 wtap_phdr_init(&phdr);
3075 idb_inf = wtap_file_get_idb_info(cf->wth);
3076 #ifdef PCAP_NG_DEFAULT
3077 if (idb_inf->interface_data->len > 1) {
3078 linktype = WTAP_ENCAP_PER_PACKET;
3080 linktype = wtap_file_encap(cf->wth);
3083 linktype = wtap_file_encap(cf->wth);
3085 if (save_file != NULL) {
3086 /* Set up to write to the capture file. */
3087 snapshot_length = wtap_snapshot_length(cf->wth);
3088 if (snapshot_length == 0) {
3089 /* Snapshot length of input file not known. */
3090 snapshot_length = WTAP_MAX_PACKET_SIZE_STANDARD;
3092 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3094 shb_hdrs = wtap_file_get_shb_for_new_file(cf->wth);
3095 nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->wth);
3097 /* If we don't have an application name add Tshark */
3098 if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3099 /* this is free'd by wtap_block_free() later */
3100 wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info());
3103 if (linktype != WTAP_ENCAP_PER_PACKET &&
3104 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3105 tshark_debug("tshark: writing PCAP format to %s", save_file);
3106 if (strcmp(save_file, "-") == 0) {
3107 /* Write to the standard output. */
3108 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3109 snapshot_length, FALSE /* compressed */, &err);
3111 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3112 snapshot_length, FALSE /* compressed */, &err);
3116 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3117 if (strcmp(save_file, "-") == 0) {
3118 /* Write to the standard output. */
3119 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3120 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3122 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3123 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3131 /* We couldn't set up to write to the capture file. */
3132 cfile_dump_open_failure_message("TShark", save_file, err, out_file_type);
3137 /* Set up to print packet information. */
3138 if (print_packet_info) {
3139 if (!write_preamble(cf)) {
3140 show_print_file_io_error(errno);
3150 /* Do we have any tap listeners with filters? */
3151 filtering_tap_listeners = have_filtering_tap_listeners();
3153 /* Get the union of the flags for all tap listeners. */
3154 tap_flags = union_of_tap_listener_flags();
3156 if (perform_two_pass_analysis) {
3159 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3161 /* Allocate a frame_data_sequence for all the frames. */
3162 cf->frames = new_frame_data_sequence();
3164 if (do_dissection) {
3165 gboolean create_proto_tree;
3168 * Determine whether we need to create a protocol tree.
3171 * we're going to apply a read filter;
3173 * we're going to apply a display filter;
3175 * a postdissector wants field values or protocols
3176 * on the first pass.
3179 (cf->rfcode != NULL || cf->dfcode != NULL || postdissectors_want_hfids() || dissect_color);
3181 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3183 /* We're not going to display the protocol tree on this pass,
3184 so it's not going to be "visible". */
3185 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3188 tshark_debug("tshark: reading records for first pass");
3189 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3190 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3191 wtap_buf_ptr(cf->wth))) {
3192 /* Stop reading if we have the maximum number of packets;
3193 * When the -c option has not been used, max_packet_count
3194 * starts at 0, which practically means, never stop reading.
3195 * (unless we roll over max_packet_count ?)
3197 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3198 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3199 max_packet_count, data_offset, max_byte_count);
3200 err = 0; /* This is not an error */
3207 * If we got a read error on the first pass, remember the error, so
3208 * but do the second pass, so we can at least process the packets we
3209 * read, and then report the first-pass error after the second pass
3210 * (and before we report any second-pass errors), so all the the
3211 * errors show up at the end.
3215 err_info_pass1 = err_info;
3221 epan_dissect_free(edt);
3225 /* Close the sequential I/O side, to free up memory it requires. */
3226 wtap_sequential_close(cf->wth);
3228 /* Allow the protocol dissectors to free up memory that they
3229 * don't need after the sequential run-through of the packets. */
3230 postseq_cleanup_all_protocols();
3234 ws_buffer_init(&buf, 1500);
3236 tshark_debug("tshark: done with first pass");
3238 if (do_dissection) {
3239 gboolean create_proto_tree;
3242 * Determine whether we need to create a protocol tree.
3245 * we're going to apply a display filter;
3247 * we're going to print the protocol tree;
3249 * one of the tap listeners requires a protocol tree;
3251 * we have custom columns (which require field values, which
3252 * currently requires that we build a protocol tree).
3255 (cf->dfcode || print_details || filtering_tap_listeners ||
3256 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo) || dissect_color);
3258 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3260 /* The protocol tree will be "visible", i.e., printed, only if we're
3261 printing packet details, which is true if we're printing stuff
3262 ("print_packet_info" is true) and we're in verbose mode
3263 ("packet_details" is true). */
3264 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3267 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3268 fdata = frame_data_sequence_find(cf->frames, framenum);
3269 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3271 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3272 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3274 /* Either there's no read filtering or this packet passed the
3275 filter, so, if we're writing to a capture file, write
3278 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3279 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3280 /* Error writing to a capture file */
3281 tshark_debug("tshark: error writing to a capture file (%d)", err);
3283 /* Report the error.
3284 XXX - framenum is not necessarily the frame number in
3285 the input file if there was a read filter. */
3286 cfile_write_failure_message("TShark", cf->filename, save_file,
3287 err, err_info, framenum,
3289 wtap_dump_close(pdh, &err);
3290 wtap_block_array_free(shb_hdrs);
3291 wtap_block_array_free(nrb_hdrs);
3300 epan_dissect_free(edt);
3304 ws_buffer_free(&buf);
3306 tshark_debug("tshark: done with second pass");
3309 /* !perform_two_pass_analysis */
3311 gboolean create_proto_tree = FALSE;
3312 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3314 if (do_dissection) {
3316 * Determine whether we need to create a protocol tree.
3319 * we're going to apply a read filter;
3321 * we're going to apply a display filter;
3323 * we're going to print the protocol tree;
3325 * one of the tap listeners is going to apply a filter;
3327 * one of the tap listeners requires a protocol tree;
3329 * a postdissector wants field values or protocols
3330 * on the first pass;
3332 * we have custom columns (which require field values, which
3333 * currently requires that we build a protocol tree).
3336 (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3337 (tap_flags & TL_REQUIRES_PROTO_TREE) || postdissectors_want_hfids() ||
3338 have_custom_cols(&cf->cinfo) || dissect_color);
3340 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3342 /* The protocol tree will be "visible", i.e., printed, only if we're
3343 printing packet details, which is true if we're printing stuff
3344 ("print_packet_info" is true) and we're in verbose mode
3345 ("packet_details" is true). */
3346 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3349 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3352 tshark_debug("tshark: processing packet #%d", framenum);
3354 reset_epan_mem(cf, edt, create_proto_tree, print_packet_info && print_details);
3356 if (process_packet_single_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3357 wtap_buf_ptr(cf->wth), tap_flags)) {
3358 /* Either there's no read filtering or this packet passed the
3359 filter, so, if we're writing to a capture file, write
3362 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3363 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3364 /* Error writing to a capture file */
3365 tshark_debug("tshark: error writing to a capture file (%d)", err);
3366 cfile_write_failure_message("TShark", cf->filename, save_file,
3367 err, err_info, framenum, out_file_type);
3368 wtap_dump_close(pdh, &err);
3369 wtap_block_array_free(shb_hdrs);
3370 wtap_block_array_free(nrb_hdrs);
3375 /* Stop reading if we have the maximum number of packets;
3376 * When the -c option has not been used, max_packet_count
3377 * starts at 0, which practically means, never stop reading.
3378 * (unless we roll over max_packet_count ?)
3380 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3381 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3382 max_packet_count, data_offset, max_byte_count);
3383 err = 0; /* This is not an error */
3389 epan_dissect_free(edt);
3394 wtap_phdr_cleanup(&phdr);
3396 if (err != 0 || err_pass1 != 0) {
3397 tshark_debug("tshark: something failed along the line (%d)", err);
3399 * Print a message noting that the read failed somewhere along the line.
3401 * If we're printing packet data, and the standard output and error are
3402 * going to the same place, flush the standard output, so everything
3403 * buffered up is written, and then print a newline to the standard error
3404 * before printing the error message, to separate it from the packet
3405 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3406 * the _fstat() documentation at Microsoft doesn't indicate whether
3407 * st_ino is even supported.)
3410 if (print_packet_info) {
3411 ws_statb64 stat_stdout, stat_stderr;
3413 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3414 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3415 stat_stdout.st_ino == stat_stderr.st_ino) {
3417 fprintf(stderr, "\n");
3422 if (err_pass1 != 0) {
3423 /* Error on pass 1 of two-pass processing. */
3424 cfile_read_failure_message("TShark", cf->filename, err_pass1,
3428 /* Error on pass 2 of two-pass processing or on the only pass of
3429 one-pass processing. */
3430 cfile_read_failure_message("TShark", cf->filename, err, err_info);
3434 if (save_file != NULL) {
3435 if (pdh && out_file_name_res) {
3436 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3437 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3438 wtap_file_type_subtype_short_string(out_file_type));
3441 /* Now close the capture file. */
3442 if (!wtap_dump_close(pdh, &err)) {
3443 cfile_close_failure_message(save_file, err);
3447 if (print_packet_info) {
3448 if (!write_finale()) {
3449 show_print_file_io_error(errno);
3456 wtap_close(cf->wth);
3459 wtap_block_array_free(shb_hdrs);
3460 wtap_block_array_free(nrb_hdrs);
3466 process_packet_single_pass(capture_file *cf, epan_dissect_t *edt, gint64 offset,
3467 struct wtap_pkthdr *whdr, const guchar *pd,
3474 /* Count this packet. */
3477 /* If we're not running a display filter and we're not printing any
3478 packet information, we don't need to do a dissection. This means
3479 that all packets can be marked as 'passed'. */
3482 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3484 /* If we're going to print packet information, or we're going to
3485 run a read filter, or we're going to process taps, set up to
3486 do a dissection and do so. (This is the one and only pass
3487 over the packets, so, if we'll be printing packet information
3488 or running taps, we'll be doing it here.) */
3490 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3491 gbl_resolv_flags.transport_name))
3492 /* Grab any resolved addresses */
3493 host_name_lookup_process();
3495 /* If we're running a filter, prime the epan_dissect_t with that
3498 epan_dissect_prime_with_dfilter(edt, cf->dfcode);
3500 /* This is the first and only pass, so prime the epan_dissect_t
3501 with the hfids postdissectors want on the first pass. */
3502 prime_epan_dissect_with_postdissector_wanted_hfids(edt);
3504 col_custom_prime_edt(edt, &cf->cinfo);
3506 /* We only need the columns if either
3507 1) some tap needs the columns
3509 2) we're printing packet info but we're *not* verbose; in verbose
3510 mode, we print the protocol tree, not the protocol summary.
3512 3) there is a column mapped as an individual field */
3513 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3518 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3520 if (ref == &fdata) {
3525 if (dissect_color) {
3526 color_filters_prime_edt(edt);
3527 fdata.flags.need_colorize = 1;
3530 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3532 /* Run the filter if we have it. */
3534 passed = dfilter_apply_edt(cf->dfcode, edt);
3538 frame_data_set_after_dissect(&fdata, &cum_bytes);
3540 /* Process this packet. */
3541 if (print_packet_info) {
3542 /* We're printing packet information; print the information for
3545 print_packet(cf, edt);
3547 /* If we're doing "line-buffering", flush the standard output
3548 after every packet. See the comment above, for the "-l"
3549 option, for an explanation of why we do that. */
3553 if (ferror(stdout)) {
3554 show_print_file_io_error(errno);
3559 /* this must be set after print_packet() [bug #8160] */
3560 prev_dis_frame = fdata;
3561 prev_dis = &prev_dis_frame;
3564 prev_cap_frame = fdata;
3565 prev_cap = &prev_cap_frame;
3568 epan_dissect_reset(edt);
3569 frame_data_destroy(&fdata);
3575 write_preamble(capture_file *cf)
3577 switch (output_action) {
3580 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3584 write_pdml_preamble(stdout, cf->filename);
3586 write_psml_preamble(&cf->cinfo, stdout);
3587 return !ferror(stdout);
3590 write_fields_preamble(output_fields, stdout);
3591 return !ferror(stdout);
3594 case WRITE_JSON_RAW:
3595 write_json_preamble(stdout);
3596 return !ferror(stdout);
3599 return !ferror(stdout);
3602 g_assert_not_reached();
3608 get_line_buf(size_t len)
3610 static char *line_bufp = NULL;
3611 static size_t line_buf_len = 256;
3612 size_t new_line_buf_len;
3614 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3615 new_line_buf_len *= 2)
3617 if (line_bufp == NULL) {
3618 line_buf_len = new_line_buf_len;
3619 line_bufp = (char *)g_malloc(line_buf_len + 1);
3621 if (new_line_buf_len > line_buf_len) {
3622 line_buf_len = new_line_buf_len;
3623 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3630 put_string(char *dest, const char *str, size_t str_len)
3632 memcpy(dest, str, str_len);
3633 dest[str_len] = '\0';
3637 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3641 for (i = str_len; i < str_with_spaces; i++)
3644 put_string(dest, str, str_len);
3648 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3652 memcpy(dest, str, str_len);
3653 for (i = str_len; i < str_with_spaces; i++)
3656 dest[str_with_spaces] = '\0';
3660 print_columns(capture_file *cf, const epan_dissect_t *edt)
3667 col_item_t* col_item;
3668 gchar str_format[11];
3669 const color_filter_t *color_filter = NULL;
3671 line_bufp = get_line_buf(256);
3676 color_filter = edt->pi.fd->color_filter;
3678 for (i = 0; i < cf->cinfo.num_cols; i++) {
3679 col_item = &cf->cinfo.columns[i];
3680 /* Skip columns not marked as visible. */
3681 if (!get_column_visible(i))
3683 switch (col_item->col_fmt) {
3685 column_len = col_len = strlen(col_item->col_data);
3688 line_bufp = get_line_buf(buf_offset + column_len);
3689 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3695 case COL_ABS_YMD_TIME: /* XXX - wider */
3696 case COL_ABS_YDOY_TIME: /* XXX - wider */
3698 case COL_UTC_YMD_TIME: /* XXX - wider */
3699 case COL_UTC_YDOY_TIME: /* XXX - wider */
3700 column_len = col_len = strlen(col_item->col_data);
3701 if (column_len < 10)
3703 line_bufp = get_line_buf(buf_offset + column_len);
3704 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3710 case COL_DEF_DL_SRC:
3711 case COL_RES_DL_SRC:
3712 case COL_UNRES_DL_SRC:
3713 case COL_DEF_NET_SRC:
3714 case COL_RES_NET_SRC:
3715 case COL_UNRES_NET_SRC:
3716 column_len = col_len = strlen(col_item->col_data);
3717 if (column_len < 12)
3719 line_bufp = get_line_buf(buf_offset + column_len);
3720 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3726 case COL_DEF_DL_DST:
3727 case COL_RES_DL_DST:
3728 case COL_UNRES_DL_DST:
3729 case COL_DEF_NET_DST:
3730 case COL_RES_NET_DST:
3731 case COL_UNRES_NET_DST:
3732 column_len = col_len = strlen(col_item->col_data);
3733 if (column_len < 12)
3735 line_bufp = get_line_buf(buf_offset + column_len);
3736 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3740 column_len = strlen(col_item->col_data);
3741 line_bufp = get_line_buf(buf_offset + column_len);
3742 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3745 buf_offset += column_len;
3746 if (i != cf->cinfo.num_cols - 1) {
3748 * This isn't the last column, so we need to print a
3749 * separator between this column and the next.
3751 * If we printed a network source and are printing a
3752 * network destination of the same type next, separate
3753 * them with a UTF-8 right arrow; if we printed a network
3754 * destination and are printing a network source of the same
3755 * type next, separate them with a UTF-8 left arrow;
3756 * otherwise separate them with a space.
3758 * We add enough space to the buffer for " \xe2\x86\x90 "
3759 * or " \xe2\x86\x92 ", even if we're only adding " ".
3761 line_bufp = get_line_buf(buf_offset + 5);
3762 switch (col_item->col_fmt) {
3767 switch (cf->cinfo.columns[i+1].col_fmt) {
3772 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
3773 put_string(line_bufp + buf_offset, str_format, 5);
3778 put_string(line_bufp + buf_offset, delimiter_char, 1);
3784 case COL_DEF_DL_SRC:
3785 case COL_RES_DL_SRC:
3786 case COL_UNRES_DL_SRC:
3787 switch (cf->cinfo.columns[i+1].col_fmt) {
3789 case COL_DEF_DL_DST:
3790 case COL_RES_DL_DST:
3791 case COL_UNRES_DL_DST:
3792 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
3793 put_string(line_bufp + buf_offset, str_format, 5);
3798 put_string(line_bufp + buf_offset, delimiter_char, 1);
3804 case COL_DEF_NET_SRC:
3805 case COL_RES_NET_SRC:
3806 case COL_UNRES_NET_SRC:
3807 switch (cf->cinfo.columns[i+1].col_fmt) {
3809 case COL_DEF_NET_DST:
3810 case COL_RES_NET_DST:
3811 case COL_UNRES_NET_DST:
3812 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_RIGHTWARDS_ARROW, delimiter_char);
3813 put_string(line_bufp + buf_offset, str_format, 5);
3818 put_string(line_bufp + buf_offset, delimiter_char, 1);
3827 switch (cf->cinfo.columns[i+1].col_fmt) {
3832 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
3833 put_string(line_bufp + buf_offset, str_format, 5);
3838 put_string(line_bufp + buf_offset, delimiter_char, 1);
3844 case COL_DEF_DL_DST:
3845 case COL_RES_DL_DST:
3846 case COL_UNRES_DL_DST:
3847 switch (cf->cinfo.columns[i+1].col_fmt) {
3849 case COL_DEF_DL_SRC:
3850 case COL_RES_DL_SRC:
3851 case COL_UNRES_DL_SRC:
3852 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
3853 put_string(line_bufp + buf_offset, str_format, 5);
3858 put_string(line_bufp + buf_offset, delimiter_char, 1);
3864 case COL_DEF_NET_DST:
3865 case COL_RES_NET_DST:
3866 case COL_UNRES_NET_DST:
3867 switch (cf->cinfo.columns[i+1].col_fmt) {
3869 case COL_DEF_NET_SRC:
3870 case COL_RES_NET_SRC:
3871 case COL_UNRES_NET_SRC:
3872 g_snprintf(str_format, sizeof(str_format), "%s%s%s", delimiter_char, UTF8_LEFTWARDS_ARROW, delimiter_char);
3873 put_string(line_bufp + buf_offset, str_format, 5);
3878 put_string(line_bufp + buf_offset, delimiter_char, 1);
3885 put_string(line_bufp + buf_offset, delimiter_char, 1);
3892 if (dissect_color && color_filter != NULL)
3893 return print_line_color(print_stream, 0, line_bufp, &color_filter->fg_color, &color_filter->bg_color);
3895 return print_line(print_stream, 0, line_bufp);
3899 print_packet(capture_file *cf, epan_dissect_t *edt)
3901 if (print_summary || output_fields_has_cols(output_fields)) {
3902 /* Just fill in the columns. */
3903 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3905 if (print_summary) {
3906 /* Now print them. */
3907 switch (output_action) {
3910 if (!print_columns(cf, edt))
3915 write_psml_columns(edt, stdout, dissect_color);
3916 return !ferror(stdout);
3917 case WRITE_FIELDS: /*No non-verbose "fields" format */
3920 case WRITE_JSON_RAW:
3921 g_assert_not_reached();
3926 if (print_details) {
3927 /* Print the information in the protocol tree. */
3928 switch (output_action) {
3931 if (!proto_tree_print(print_details ? print_dissections_expanded : print_dissections_none,
3932 print_hex, edt, output_only_tables, print_stream))
3935 if (!print_line(print_stream, 0, separator))
3941 write_pdml_proto_tree(output_fields, protocolfilter, protocolfilter_flags, edt, stdout, dissect_color);
3943 return !ferror(stdout);
3945 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
3947 return !ferror(stdout);
3949 write_json_proto_tree(output_fields, print_dissections_expanded,
3950 print_hex, protocolfilter, protocolfilter_flags,
3951 edt, node_children_grouper, stdout);
3952 return !ferror(stdout);
3953 case WRITE_JSON_RAW:
3954 write_json_proto_tree(output_fields, print_dissections_none, TRUE,
3955 protocolfilter, protocolfilter_flags,
3956 edt, node_children_grouper, stdout);
3957 return !ferror(stdout);
3959 write_ek_proto_tree(output_fields, print_hex, protocolfilter,
3960 protocolfilter_flags, edt, stdout);
3961 return !ferror(stdout);
3965 if (print_summary || print_details) {
3966 if (!print_line(print_stream, 0, ""))
3969 if (!print_hex_data(print_stream, edt))
3971 if (!print_line(print_stream, 0, separator))
3980 switch (output_action) {
3983 return print_finale(print_stream);
3987 write_pdml_finale(stdout);
3989 write_psml_finale(stdout);
3990 return !ferror(stdout);
3993 write_fields_finale(output_fields, stdout);
3994 return !ferror(stdout);
3997 case WRITE_JSON_RAW:
3998 write_json_finale(stdout);
3999 return !ferror(stdout);
4002 return !ferror(stdout);
4005 g_assert_not_reached();
4011 cf_close(capture_file *cf)
4013 g_free(cf->filename);
4017 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4022 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4026 /* The open succeeded. Fill in the information for this file. */
4028 /* Create new epan session for dissection. */
4029 epan_free(cf->epan);
4030 cf->epan = tshark_epan_new(cf);
4033 cf->f_datalen = 0; /* not used, but set it anyway */
4035 /* Set the file name because we need it to set the follow stream filter.
4036 XXX - is that still true? We need it for other reasons, though,
4038 cf->filename = g_strdup(fname);
4040 /* Indicate whether it's a permanent or temporary file. */
4041 cf->is_tempfile = is_tempfile;
4043 /* No user changes yet. */
4044 cf->unsaved_changes = FALSE;
4046 cf->cd_t = wtap_file_type_subtype(cf->wth);
4047 cf->open_type = type;
4049 cf->drops_known = FALSE;
4051 cf->snap = wtap_snapshot_length(cf->wth);
4052 nstime_set_zero(&cf->elapsed_time);
4057 cf->state = FILE_READ_IN_PROGRESS;
4059 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4060 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4065 cfile_open_failure_message("TShark", fname, *err, err_info);
4070 show_print_file_io_error(int err)
4075 cmdarg_err("Not all the packets could be printed because there is "
4076 "no space left on the file system.");
4081 cmdarg_err("Not all the packets could be printed because you are "
4082 "too close to, or over your disk quota.");
4087 cmdarg_err("An error occurred while printing packets: %s.",
4094 * General errors and warnings are reported with an console message
4098 failure_warning_message(const char *msg_format, va_list ap)
4100 fprintf(stderr, "tshark: ");
4101 vfprintf(stderr, msg_format, ap);
4102 fprintf(stderr, "\n");
4106 * Open/create errors are reported with an console message in TShark.
4109 open_failure_message(const char *filename, int err, gboolean for_writing)
4111 fprintf(stderr, "tshark: ");
4112 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4113 fprintf(stderr, "\n");
4117 * Read errors are reported with an console message in TShark.
4120 read_failure_message(const char *filename, int err)
4122 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4123 filename, g_strerror(err));
4127 * Write errors are reported with an console message in TShark.
4130 write_failure_message(const char *filename, int err)
4132 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4133 filename, g_strerror(err));
4136 static void reset_epan_mem(capture_file *cf,epan_dissect_t *edt, gboolean tree, gboolean visual)
4138 if (!epan_auto_reset || (cf->count < epan_auto_reset_count))
4141 fprintf(stderr, "resetting session.\n");
4143 epan_dissect_cleanup(edt);
4144 epan_free(cf->epan);
4146 cf->epan = tshark_epan_new(cf);
4147 epan_dissect_init(edt, cf->epan, tree, visual);
4152 * Report additional information for an error in command-line arguments.
4155 failure_message_cont(const char *msg_format, va_list ap)
4157 vfprintf(stderr, msg_format, ap);
4158 fprintf(stderr, "\n");
4162 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4167 * indent-tabs-mode: nil
4170 * vi: set shiftwidth=2 tabstop=8 expandtab:
4171 * :indentSize=2:tabSize=8:noTabs=true: