3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
52 #ifdef HAVE_SYS_STAT_H
53 # include <sys/stat.h>
57 #include "wsutil/wsgetopt.h"
62 #include <epan/exceptions.h>
63 #include <epan/epan-int.h>
64 #include <epan/epan.h>
65 #include <wsutil/crash_info.h>
66 #include <wsutil/privileges.h>
67 #include <wsutil/file_util.h>
68 #include <wsutil/filesystem.h>
71 #include <epan/timestamp.h>
72 #include <epan/packet.h>
74 #include "frame_tvbuff.h"
75 #include <epan/disabled_protos.h>
76 #include <epan/prefs.h>
77 #include <epan/column.h>
78 #include <epan/print.h>
79 #include <epan/addr_resolv.h>
81 #include "clopts_common.h"
82 #include "cmdarg_err.h"
83 #include "version_info.h"
84 #include <epan/plugins.h>
86 #include <epan/epan_dissect.h>
88 #include <epan/stat_cmd_args.h>
89 #include <epan/timestamp.h>
90 #include <epan/ex-opt.h>
92 #include "capture_opts.h"
95 #include "capture_ui_utils.h"
96 #include "capture_ifinfo.h"
97 #include "capture-pcap-util.h"
99 #include "capture-wpcap.h"
100 #include <wsutil/unicode-utils.h>
102 #include "capture_session.h"
103 #include "capture_sync.h"
104 #include "capture_opts.h"
105 #endif /* HAVE_LIBPCAP */
107 #include <epan/funnel.h>
110 * This is the template for the decode as option; it is shared between the
111 * various functions that output the usage for this parameter.
113 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
115 static guint32 cum_bytes;
116 static const frame_data *ref;
117 static frame_data ref_frame;
118 static frame_data *prev_dis;
119 static frame_data prev_dis_frame;
120 static frame_data *prev_cap;
121 static frame_data prev_cap_frame;
123 static const char* prev_display_dissector_name = NULL;
125 static gboolean perform_two_pass_analysis;
128 * The way the packet decode is to be written.
131 WRITE_TEXT, /* summary or detail text */
132 WRITE_XML, /* PDML or PSML */
133 WRITE_FIELDS /* User defined list of fields */
134 /* Add CSV and the like here */
137 static output_action_e output_action;
138 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
139 static gboolean print_packet_info; /* TRUE if we're to print packet information */
140 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
141 static gboolean print_details; /* TRUE if we're to print packet details information */
142 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
143 static gboolean line_buffered;
144 static gboolean really_quiet = FALSE;
146 static print_format_e print_format = PR_FMT_TEXT;
147 static print_stream_t *print_stream;
149 static output_fields_t* output_fields = NULL;
151 /* The line separator used between packets, changeable via the -S option */
152 static const char *separator = "";
156 * TRUE if we're to print packet counts to keep track of captured packets.
158 static gboolean print_packet_counts;
160 static capture_options global_capture_opts;
161 static capture_session global_capture_session;
164 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
165 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
168 static gboolean capture(void);
169 static void report_counts(void);
171 static BOOL WINAPI capture_cleanup(DWORD);
173 static void capture_cleanup(int);
175 static void report_counts_siginfo(int);
178 #endif /* HAVE_LIBPCAP */
180 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
181 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
182 struct wtap_pkthdr *whdr, const guchar *pd,
184 static void show_capture_file_io_error(const char *, int, gboolean);
185 static void show_print_file_io_error(int err);
186 static gboolean write_preamble(capture_file *cf);
187 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
188 static gboolean write_finale(void);
189 static const char *cf_open_error_message(int err, gchar *err_info,
190 gboolean for_writing, int file_type);
192 static void open_failure_message(const char *filename, int err,
193 gboolean for_writing);
194 static void failure_message(const char *msg_format, va_list ap);
195 static void read_failure_message(const char *filename, int err);
196 static void write_failure_message(const char *filename, int err);
201 const char *sstr; /* The short string */
202 const char *lstr; /* The long string */
206 string_compare(gconstpointer a, gconstpointer b)
208 return strcmp(((const struct string_elem *)a)->sstr,
209 ((const struct string_elem *)b)->sstr);
213 string_elem_print(gpointer data, gpointer not_used _U_)
215 fprintf(stderr, " %s - %s\n",
216 ((struct string_elem *)data)->sstr,
217 ((struct string_elem *)data)->lstr);
221 list_capture_types(void) {
223 struct string_elem *captypes;
226 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
228 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
229 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
230 if (wtap_dump_can_open(i)) {
231 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
232 captypes[i].lstr = wtap_file_type_subtype_string(i);
233 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
236 g_slist_foreach(list, string_elem_print, NULL);
242 print_usage(gboolean print_ver)
249 "TShark " VERSION "%s\n"
250 "Dump and analyze network traffic.\n"
251 "See http://www.wireshark.org for more information.\n"
254 wireshark_svnversion, get_copyright_info());
258 fprintf(output, "\n");
259 fprintf(output, "Usage: tshark [options] ...\n");
260 fprintf(output, "\n");
263 fprintf(output, "Capture interface:\n");
264 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
265 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
266 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
267 fprintf(output, " -p don't capture in promiscuous mode\n");
268 #ifdef HAVE_PCAP_CREATE
269 fprintf(output, " -I capture in monitor mode, if available\n");
271 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
272 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
274 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
275 fprintf(output, " -D print list of interfaces and exit\n");
276 fprintf(output, " -L print list of link-layer types of iface and exit\n");
277 fprintf(output, "\n");
278 fprintf(output, "Capture stop conditions:\n");
279 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
280 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
281 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
282 fprintf(output, " files:NUM - stop after NUM files\n");
283 /*fprintf(output, "\n");*/
284 fprintf(output, "Capture output:\n");
285 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
286 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
287 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
288 #endif /* HAVE_LIBPCAP */
289 #ifdef HAVE_PCAP_REMOTE
290 fprintf(output, "RPCAP options:\n");
291 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
293 /*fprintf(output, "\n");*/
294 fprintf(output, "Input file:\n");
295 fprintf(output, " -r <infile> set the filename to read from (no pipes or stdin!)\n");
297 fprintf(output, "\n");
298 fprintf(output, "Processing:\n");
299 fprintf(output, " -2 perform a two-pass analysis\n");
300 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
301 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter syntax\n");
302 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
303 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
304 fprintf(output, " -d %s ...\n", decode_as_arg_template);
305 fprintf(output, " \"Decode As\", see the man page for details\n");
306 fprintf(output, " Example: tcp.port==8888,http\n");
307 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
308 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
310 /*fprintf(output, "\n");*/
311 fprintf(output, "Output:\n");
312 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
313 fprintf(output, " (or to the standard output for \"-\")\n");
314 fprintf(output, " -C <config profile> start with specified configuration profile\n");
315 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
316 fprintf(output, " an empty \"-F\" option will list the file types\n");
317 fprintf(output, " -V add output of packet tree (Packet Details)\n");
318 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
319 fprintf(output, " separated\n");
320 fprintf(output, " -P print packet summary even when writing to a file\n");
321 fprintf(output, " -S <separator> the line separator to print between packets\n");
322 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
323 fprintf(output, " -T pdml|ps|psml|text|fields\n");
324 fprintf(output, " format of text output (def: text)\n");
325 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port, _ws.col.Info);\n");
326 fprintf(output, " this option can be repeated to print multiple fields\n");
327 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
328 fprintf(output, " header=y|n switch headers on and off\n");
329 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
330 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
331 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
332 fprintf(output, " aggregator\n");
333 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
334 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
335 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
336 fprintf(output, " -l flush standard output after each packet\n");
337 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
338 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
339 fprintf(output, " -g enable group read access on the output file(s)\n");
340 fprintf(output, " -W n Save extra information in the file, if supported.\n");
341 fprintf(output, " n = write network address resolution information\n");
342 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
343 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
344 fprintf(output, " --capture-comment <comment>\n");
345 fprintf(output, " add a capture comment to the newly created\n");
346 fprintf(output, " output file (only for pcapng)\n");
348 fprintf(output, "\n");
349 fprintf(output, "Miscellaneous:\n");
350 fprintf(output, " -h display this help and exit\n");
351 fprintf(output, " -v display version info and exit\n");
352 fprintf(output, " -o <name>:<value> ... override preference setting\n");
353 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
354 fprintf(output, " -G [report] dump one of several available reports and exit\n");
355 fprintf(output, " default report=\"fields\"\n");
356 fprintf(output, " use \"-G ?\" for more help\n");
358 fprintf(output, "\n");
359 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
360 fprintf(output, "You might want to reset it\n");
361 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
362 fprintf(output, "\n");
368 glossary_option_help(void)
374 fprintf(output, "TShark " VERSION "%s\n", wireshark_svnversion);
376 fprintf(output, "\n");
377 fprintf(output, "Usage: tshark -G [report]\n");
378 fprintf(output, "\n");
379 fprintf(output, "Glossary table reports:\n");
380 fprintf(output, " -G column-formats dump column format codes and exit\n");
381 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
382 fprintf(output, " -G fields dump fields glossary and exit\n");
383 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
384 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
385 fprintf(output, " -G plugins dump installed plugins and exit\n");
386 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
387 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
388 fprintf(output, "\n");
389 fprintf(output, "Preference reports:\n");
390 fprintf(output, " -G currentprefs dump current preferences and exit\n");
391 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
392 fprintf(output, "\n");
396 * For a dissector table, print on the stream described by output,
397 * its short name (which is what's used in the "-d" option) and its
401 display_dissector_table_names(const char *table_name, const char *ui_name,
404 if ((prev_display_dissector_name == NULL) ||
405 (strcmp(prev_display_dissector_name, table_name) != 0)) {
406 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
407 prev_display_dissector_name = table_name;
412 * For a dissector handle, print on the stream described by output,
413 * the filter name (which is what's used in the "-d" option) and the full
414 * name for the protocol that corresponds to this handle.
417 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
420 const gchar *proto_filter_name;
421 const gchar *proto_ui_name;
423 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
425 if (proto_id != -1) {
426 proto_filter_name = proto_get_protocol_filter_name(proto_id);
427 proto_ui_name = proto_get_protocol_name(proto_id);
428 g_assert(proto_filter_name != NULL);
429 g_assert(proto_ui_name != NULL);
431 if ((prev_display_dissector_name == NULL) ||
432 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
433 fprintf((FILE *)output, "\t%s (%s)\n",
436 prev_display_dissector_name = proto_filter_name;
442 * The protocol_name_search structure is used by find_protocol_name_func()
443 * to pass parameters and store results
445 struct protocol_name_search{
446 gchar *searched_name; /* Protocol filter name we are looking for */
447 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
448 guint nb_match; /* How many dissectors matched searched_name */
450 typedef struct protocol_name_search *protocol_name_search_t;
453 * This function parses all dissectors associated with a table to find the
454 * one whose protocol has the specified filter name. It is called
455 * as a reference function in a call to dissector_table_foreach_handle.
456 * The name we are looking for, as well as the results, are stored in the
457 * protocol_name_search struct pointed to by user_data.
458 * If called using dissector_table_foreach_handle, we actually parse the
459 * whole list of dissectors.
462 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
466 const gchar *protocol_filter_name;
467 protocol_name_search_t search_info;
471 search_info = (protocol_name_search_t)user_data;
473 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
474 if (proto_id != -1) {
475 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
476 g_assert(protocol_filter_name != NULL);
477 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
479 if (search_info->nb_match == 0) {
480 /* Record this handle only if this is the first match */
481 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
483 search_info->nb_match++;
489 * Allow dissector key names to be sorted alphabetically
493 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
495 return strcmp((const char*)dissector_a, (const char*)dissector_b);
499 * Print all layer type names supported.
500 * We send the output to the stream described by the handle output.
504 fprint_all_layer_types(FILE *output)
507 prev_display_dissector_name = NULL;
508 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
512 * Print all protocol names supported for a specific layer type.
513 * table_name contains the layer type name in which the search is performed.
514 * We send the output to the stream described by the handle output.
518 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
521 prev_display_dissector_name = NULL;
522 dissector_table_foreach_handle(table_name,
523 display_dissector_names,
528 * The function below parses the command-line parameters for the decode as
529 * feature (a string pointer by cl_param).
530 * It checks the format of the command-line, searches for a matching table
531 * and dissector. If a table/dissector match is not found, we display a
532 * summary of the available tables/dissectors (on stderr) and return FALSE.
533 * If everything is fine, we get the "Decode as" preference activated,
534 * then we return TRUE.
537 add_decode_as(const gchar *cl_param)
540 guint32 selector, selector2;
541 gchar *decoded_param;
542 gchar *remaining_param;
544 gchar *dissector_str;
545 dissector_handle_t dissector_matching;
546 dissector_table_t table_matching;
547 ftenum_t dissector_table_selector_type;
548 struct protocol_name_search user_protocol_name;
552 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
555 decoded_param = g_strdup(cl_param);
556 g_assert(decoded_param);
559 /* The lines below will parse this string (modifying it) to extract all
560 necessary information. Note that decoded_param is still needed since
561 strings are not copied - we just save pointers. */
563 /* This section extracts a layer type (table_name) from decoded_param */
564 table_name = decoded_param; /* Layer type string starts from beginning */
566 remaining_param = strchr(table_name, '=');
567 if (remaining_param == NULL) {
568 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
569 /* If the argument does not follow the template, carry on anyway to check
570 if the table name is at least correct. If remaining_param is NULL,
571 we'll exit anyway further down */
574 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
577 /* Remove leading and trailing spaces from the table name */
578 while ( table_name[0] == ' ' )
580 while ( table_name[strlen(table_name) - 1] == ' ' )
581 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
583 /* The following part searches a table matching with the layer type specified */
584 table_matching = NULL;
586 /* Look for the requested table */
587 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
588 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
591 table_matching = find_dissector_table(table_name);
592 if (!table_matching) {
593 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
597 if (!table_matching) {
598 /* Display a list of supported layer types to help the user, if the
599 specified layer type was not found */
600 cmdarg_err("Valid layer types are:");
601 fprint_all_layer_types(stderr);
603 if (remaining_param == NULL || !table_matching) {
604 /* Exit if the layer type was not found, or if no '=' separator was found
606 g_free(decoded_param);
610 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
611 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
614 remaining_param++; /* Move to the second '=' */
615 *remaining_param = '\0'; /* Remove the second '=' */
617 remaining_param++; /* Position after the layer type string */
619 /* This section extracts a selector value (selector_str) from decoded_param */
621 selector_str = remaining_param; /* Next part starts with the selector number */
623 remaining_param = strchr(selector_str, ',');
624 if (remaining_param == NULL) {
625 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
626 /* If the argument does not follow the template, carry on anyway to check
627 if the selector value is at least correct. If remaining_param is NULL,
628 we'll exit anyway further down */
631 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
634 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
636 switch (dissector_table_selector_type) {
642 /* The selector for this table is an unsigned number. Parse it as such.
643 There's no need to remove leading and trailing spaces from the
644 selector number string, because sscanf will do that for us. */
645 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
650 if (op != ':' && op != '-') {
651 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
652 g_free(decoded_param);
656 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
657 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
658 g_free(decoded_param);
662 else if (selector2 < selector) {
663 /* We could swap them for the user, but maybe it's better to call
664 * this out as an error in case it's not what was intended? */
665 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
666 g_free(decoded_param);
671 cmdarg_err("Invalid selector number \"%s\"", selector_str);
672 g_free(decoded_param);
679 /* The selector for this table is a string. */
683 /* There are currently no dissector tables with any types other
684 than the ones listed above. */
685 g_assert_not_reached();
688 if (remaining_param == NULL) {
689 /* Exit if no ',' separator was found (see above) */
690 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
691 fprint_all_protocols_for_layer_types(stderr, table_name);
692 g_free(decoded_param);
696 remaining_param++; /* Position after the selector number string */
698 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
700 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
702 /* Remove leading and trailing spaces from the dissector name */
703 while ( dissector_str[0] == ' ' )
705 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
706 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
708 dissector_matching = NULL;
710 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
711 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
712 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
715 user_protocol_name.nb_match = 0;
716 user_protocol_name.searched_name = dissector_str;
717 user_protocol_name.matched_handle = NULL;
719 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
721 if (user_protocol_name.nb_match != 0) {
722 dissector_matching = user_protocol_name.matched_handle;
723 if (user_protocol_name.nb_match > 1) {
724 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
728 /* OK, check whether the problem is that there isn't any such
729 protocol, or that there is but it's not specified as a protocol
730 that's valid for that dissector table.
731 Note, we don't exit here, but dissector_matching will remain NULL,
733 if (proto_get_id_by_filter_name(dissector_str) == -1) {
734 /* No such protocol */
735 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
737 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
738 dissector_str, table_name);
743 if (!dissector_matching) {
744 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
745 fprint_all_protocols_for_layer_types(stderr, table_name);
746 g_free(decoded_param);
750 /* This is the end of the code that parses the command-line options.
751 All information is now stored in the variables:
755 The above variables that are strings are still pointing to areas within
756 decoded_parm. decoded_parm thus still needs to be kept allocated in
757 until we stop needing these variables
758 decoded_param will be deallocated at each exit point of this function */
761 /* We now have a pointer to the handle for the requested dissector
762 (requested protocol) inside the variable dissector_matching */
763 switch (dissector_table_selector_type) {
769 /* The selector for this table is an unsigned number. */
771 dissector_change_uint(table_name, selector, dissector_matching);
772 } else if (op == ':') {
773 for (i = selector; i < (guint64)selector + selector2; i++) {
774 dissector_change_uint(table_name, (guint32)i, dissector_matching);
776 } else { /* op == '-' */
777 for (i = selector; i <= selector2; i++) {
778 dissector_change_uint(table_name, (guint32)i, dissector_matching);
785 /* The selector for this table is a string. */
786 dissector_change_string(table_name, selector_str, dissector_matching);
790 /* There are currently no dissector tables with any types other
791 than the ones listed above. */
792 g_assert_not_reached();
794 g_free(decoded_param); /* "Decode As" rule has been successfully added */
799 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
800 const gchar *message, gpointer user_data)
802 /* ignore log message, if log_level isn't interesting based
803 upon the console log preferences.
804 If the preferences haven't been loaded loaded yet, display the
807 The default console_log_level preference value is such that only
808 ERROR, CRITICAL and WARNING level messages are processed;
809 MESSAGE, INFO and DEBUG level messages are ignored.
811 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
812 ERROR and CRITICAL level messages so the current code is a behavioral
813 change. The current behavior is the same as in Wireshark.
815 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
816 prefs.console_log_level != 0) {
820 g_log_default_handler(log_domain, log_level, message, user_data);
825 output_file_description(const char *fname)
827 char *save_file_string;
829 /* Get a string that describes what we're writing to */
830 if (strcmp(fname, "-") == 0) {
831 /* We're writing to the standard output */
832 save_file_string = g_strdup("standard output");
834 /* We're writing to a file with the name in save_file */
835 save_file_string = g_strdup_printf("file \"%s\"", fname);
837 return save_file_string;
841 print_current_user(void) {
842 gchar *cur_user, *cur_group;
844 if (started_with_special_privs()) {
845 cur_user = get_cur_username();
846 cur_group = get_cur_groupname();
847 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
848 cur_user, cur_group);
851 if (running_with_special_privs()) {
852 fprintf(stderr, " This could be dangerous.");
854 fprintf(stderr, "\n");
859 check_capture_privs(void) {
862 /* Warn the user if npf.sys isn't loaded. */
863 if (!npf_sys_is_running() && get_os_major_version() >= 6) {
864 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
865 "capturing or\nlisting interfaces.\n");
871 show_version(GString *comp_info_str, GString *runtime_info_str)
873 printf("TShark " VERSION "%s\n"
880 wireshark_svnversion, get_copyright_info(), comp_info_str->str,
881 runtime_info_str->str);
885 main(int argc, char *argv[])
887 GString *comp_info_str;
888 GString *runtime_info_str;
889 char *init_progfile_dir_error;
891 struct option long_options[] = {
892 {(char *)"capture-comment", required_argument, NULL, LONGOPT_NUM_CAP_COMMENT },
895 gboolean arg_error = FALSE;
901 char *gpf_path, *pf_path;
902 char *gdp_path, *dp_path;
903 int gpf_open_errno, gpf_read_errno;
904 int pf_open_errno, pf_read_errno;
905 int gdp_open_errno, gdp_read_errno;
906 int dp_open_errno, dp_read_errno;
908 volatile int exit_status = 0;
910 gboolean list_link_layer_types = FALSE;
911 gboolean start_capture = FALSE;
916 gboolean capture_option_specified = FALSE;
918 gboolean quiet = FALSE;
919 #ifdef PCAP_NG_DEFAULT
920 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
922 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
924 volatile gboolean out_file_name_res = FALSE;
925 gchar *volatile cf_name = NULL;
926 gchar *rfilter = NULL;
927 gchar *dfilter = NULL;
928 #ifdef HAVE_PCAP_OPEN_DEAD
929 struct bpf_program fcode;
931 dfilter_t *rfcode = NULL;
932 dfilter_t *dfcode = NULL;
937 gchar *output_only = NULL;
939 #ifdef HAVE_PCAP_REMOTE
940 #define OPTSTRING_A "A:"
942 #define OPTSTRING_A ""
945 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
946 #define OPTSTRING_B "B:"
948 #define OPTSTRING_B ""
949 #endif /* _WIN32 or HAVE_PCAP_CREATE */
950 #else /* HAVE_LIBPCAP */
951 #define OPTSTRING_B ""
952 #endif /* HAVE_LIBPCAP */
954 #ifdef HAVE_PCAP_CREATE
955 #define OPTSTRING_I "I"
957 #define OPTSTRING_I ""
960 /* the leading - ensures that getopt() does not permute the argv[] entries
961 we have to make sure that the first getopt() preserves the content of argv[]
962 for the subsequent getopt_long() call */
963 #define OPTSTRING "-2a:" OPTSTRING_A "b:" OPTSTRING_B "c:C:d:De:E:f:F:gG:hH:i:" OPTSTRING_I "K:lLnN:o:O:pPqQr:R:s:S:t:T:u:vVw:W:xX:y:Y:z:"
965 static const char optstring[] = OPTSTRING;
967 /* Assemble the compile-time version information string */
968 comp_info_str = g_string_new("Compiled ");
969 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
971 /* Assemble the run-time version information string */
972 runtime_info_str = g_string_new("Running ");
973 get_runtime_version_info(runtime_info_str, NULL);
975 /* Add it to the information to be reported on a crash. */
976 ws_add_crash_info("TShark " VERSION "%s\n"
981 wireshark_svnversion, comp_info_str->str, runtime_info_str->str);
984 arg_list_utf_16to8(argc, argv);
985 create_app_running_mutex();
986 #if !GLIB_CHECK_VERSION(2,31,0)
992 * Get credential information for later use.
994 init_process_policies();
997 * Attempt to get the pathname of the executable file.
999 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1000 if (init_progfile_dir_error != NULL) {
1001 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1002 init_progfile_dir_error);
1006 * In order to have the -X opts assigned before the wslua machine starts
1007 * we need to call getopts before epan_init() gets called.
1010 optind_initial = optind;
1012 while ((opt = getopt(argc, argv, optstring)) != -1) {
1014 case 'C': /* Configuration Profile */
1015 if (profile_exists (optarg, FALSE)) {
1016 set_profile_name (optarg);
1018 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1022 case 'P': /* Print packet summary info even when writing to a file */
1023 print_packet_info = TRUE;
1024 print_summary = TRUE;
1026 case 'O': /* Only output these protocols */
1027 output_only = g_strdup(optarg);
1029 case 'V': /* Verbose */
1030 print_details = TRUE;
1031 print_packet_info = TRUE;
1033 case 'x': /* Print packet data in hex (and ASCII) */
1035 /* The user asked for hex output, so let's ensure they get it,
1036 * even if they're writing to a file.
1038 print_packet_info = TRUE;
1049 * Print packet summary information is the default, unless either -V or -x
1050 * were specified and -P was not. Note that this is new behavior, which
1051 * allows for the possibility of printing only hex/ascii output without
1052 * necessarily requiring that either the summary or details be printed too.
1054 if (print_summary == -1)
1055 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1057 optind = optind_initial;
1062 /** Send All g_log messages to our own handler **/
1066 G_LOG_LEVEL_CRITICAL|
1067 G_LOG_LEVEL_WARNING|
1068 G_LOG_LEVEL_MESSAGE|
1071 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1073 g_log_set_handler(NULL,
1074 (GLogLevelFlags)log_flags,
1075 tshark_log_handler, NULL /* user_data */);
1076 g_log_set_handler(LOG_DOMAIN_MAIN,
1077 (GLogLevelFlags)log_flags,
1078 tshark_log_handler, NULL /* user_data */);
1081 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1082 (GLogLevelFlags)log_flags,
1083 tshark_log_handler, NULL /* user_data */);
1084 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1085 (GLogLevelFlags)log_flags,
1086 tshark_log_handler, NULL /* user_data */);
1089 initialize_funnel_ops();
1092 capture_opts_init(&global_capture_opts);
1093 capture_session_init(&global_capture_session, (void *)&cfile);
1096 timestamp_set_type(TS_RELATIVE);
1097 timestamp_set_precision(TS_PREC_AUTO);
1098 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1100 /* Register all dissectors; we must do this before checking for the
1101 "-G" flag, as the "-G" flag dumps information registered by the
1102 dissectors, and we must do it before we read the preferences, in
1103 case any dissectors register preferences. */
1104 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL,
1105 failure_message, open_failure_message, read_failure_message,
1106 write_failure_message);
1108 /* Register all tap listeners; we do this before we parse the arguments,
1109 as the "-z" argument can specify a registered tap. */
1111 /* we register the plugin taps before the other taps because
1112 stats_tree taps plugins will be registered as tap listeners
1113 by stats_tree_stat.c and need to registered before that */
1115 register_all_plugin_tap_listeners();
1117 register_all_tap_listeners();
1119 /* If invoked with the "-G" flag, we dump out information based on
1120 the argument to the "-G" flag; if no argument is specified,
1121 for backwards compatibility we dump out a glossary of display
1124 XXX - we do this here, for now, to support "-G" with no arguments.
1125 If none of our build or other processes uses "-G" with no arguments,
1126 we can just process it with the other arguments. */
1127 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1128 proto_initialize_all_prefixes();
1131 proto_registrar_dump_fields();
1133 if (strcmp(argv[2], "column-formats") == 0)
1134 column_dump_column_formats();
1135 else if (strcmp(argv[2], "currentprefs") == 0) {
1136 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1137 &pf_open_errno, &pf_read_errno, &pf_path);
1140 else if (strcmp(argv[2], "decodes") == 0)
1141 dissector_dump_decodes();
1142 else if (strcmp(argv[2], "defaultprefs") == 0)
1144 else if (strcmp(argv[2], "fields") == 0)
1145 proto_registrar_dump_fields();
1146 else if (strcmp(argv[2], "ftypes") == 0)
1147 proto_registrar_dump_ftypes();
1148 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1149 dissector_dump_heur_decodes();
1150 else if (strcmp(argv[2], "plugins") == 0)
1152 else if (strcmp(argv[2], "protocols") == 0)
1153 proto_registrar_dump_protocols();
1154 else if (strcmp(argv[2], "values") == 0)
1155 proto_registrar_dump_values();
1156 else if (strcmp(argv[2], "?") == 0)
1157 glossary_option_help();
1158 else if (strcmp(argv[2], "-?") == 0)
1159 glossary_option_help();
1161 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1168 /* Set the C-language locale to the native environment. */
1169 setlocale(LC_ALL, "");
1171 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1172 &pf_open_errno, &pf_read_errno, &pf_path);
1173 if (gpf_path != NULL) {
1174 if (gpf_open_errno != 0) {
1175 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1176 pf_path, g_strerror(gpf_open_errno));
1178 if (gpf_read_errno != 0) {
1179 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1180 pf_path, g_strerror(gpf_read_errno));
1183 if (pf_path != NULL) {
1184 if (pf_open_errno != 0) {
1185 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1186 g_strerror(pf_open_errno));
1188 if (pf_read_errno != 0) {
1189 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1190 pf_path, g_strerror(pf_read_errno));
1196 /* Read the disabled protocols file. */
1197 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1198 &dp_path, &dp_open_errno, &dp_read_errno);
1199 if (gdp_path != NULL) {
1200 if (gdp_open_errno != 0) {
1201 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1202 gdp_path, g_strerror(gdp_open_errno));
1204 if (gdp_read_errno != 0) {
1205 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1206 gdp_path, g_strerror(gdp_read_errno));
1210 if (dp_path != NULL) {
1211 if (dp_open_errno != 0) {
1213 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1214 g_strerror(dp_open_errno));
1216 if (dp_read_errno != 0) {
1218 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1219 g_strerror(dp_read_errno));
1224 check_capture_privs();
1226 cap_file_init(&cfile);
1228 /* Print format defaults to this. */
1229 print_format = PR_FMT_TEXT;
1231 output_fields = output_fields_new();
1233 /* Now get our args */
1234 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1236 case '2': /* Perform two pass analysis */
1237 perform_two_pass_analysis = TRUE;
1239 case 'a': /* autostop criteria */
1240 case 'b': /* Ringbuffer option */
1241 case 'c': /* Capture x packets */
1242 case 'f': /* capture filter */
1243 case 'g': /* enable group read access on file(s) */
1244 case 'i': /* Use interface x */
1245 case 'p': /* Don't capture in promiscuous mode */
1246 #ifdef HAVE_PCAP_REMOTE
1247 case 'A': /* Authentication */
1249 #ifdef HAVE_PCAP_CREATE
1250 case 'I': /* Capture in monitor mode, if available */
1252 case 's': /* Set the snapshot (capture) length */
1253 case 'w': /* Write to capture file x */
1254 case 'y': /* Set the pcap data link type */
1255 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1256 #if defined(_WIN32) || defined(HAVE_PCAP_CREATE)
1257 case 'B': /* Buffer size */
1258 #endif /* _WIN32 or HAVE_PCAP_CREATE */
1260 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1265 capture_option_specified = TRUE;
1270 /* Configuration profile settings were already processed just ignore them this time*/
1272 case 'd': /* Decode as rule */
1273 if (!add_decode_as(optarg))
1276 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1277 case 'K': /* Kerberos keytab file */
1278 read_keytab_file(optarg);
1281 case 'D': /* Print a list of capture devices and exit */
1283 if_list = capture_interface_list(&err, &err_str,NULL);
1284 if (if_list == NULL) {
1286 case CANT_GET_INTERFACE_LIST:
1287 case DONT_HAVE_PCAP:
1288 cmdarg_err("%s", err_str);
1292 case NO_INTERFACES_FOUND:
1293 cmdarg_err("There are no interfaces on which a capture can be done");
1298 capture_opts_print_interfaces(if_list);
1299 free_interface_list(if_list);
1302 capture_option_specified = TRUE;
1308 output_fields_add(output_fields, optarg);
1312 if (!output_fields_set_option(output_fields, optarg)) {
1313 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1314 output_fields_list_options(stderr);
1319 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1320 if (out_file_type < 0) {
1321 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1322 list_capture_types();
1326 case 'W': /* Select extra information to save in our capture file */
1327 /* This is patterned after the -N flag which may not be the best idea. */
1328 if (strchr(optarg, 'n')) {
1329 out_file_name_res = TRUE;
1331 cmdarg_err("Invalid -W argument \"%s\"", optarg);
1335 case 'H': /* Read address to name mappings from a hosts file */
1336 if (! add_hosts_file(optarg))
1338 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1341 out_file_name_res = TRUE;
1344 case 'h': /* Print help and exit */
1348 case 'l': /* "Line-buffer" standard output */
1349 /* This isn't line-buffering, strictly speaking, it's just
1350 flushing the standard output after the information for
1351 each packet is printed; however, that should be good
1352 enough for all the purposes to which "-l" is put (and
1353 is probably actually better for "-V", as it does fewer
1356 See the comment in "process_packet()" for an explanation of
1357 why we do that, and why we don't just use "setvbuf()" to
1358 make the standard output line-buffered (short version: in
1359 Windows, "line-buffered" is the same as "fully-buffered",
1360 and the output buffer is only flushed when it fills up). */
1361 line_buffered = TRUE;
1363 case 'L': /* Print list of link-layer types and exit */
1365 list_link_layer_types = TRUE;
1367 capture_option_specified = TRUE;
1371 case 'n': /* No name resolution */
1372 gbl_resolv_flags.mac_name = FALSE;
1373 gbl_resolv_flags.network_name = FALSE;
1374 gbl_resolv_flags.transport_name = FALSE;
1375 gbl_resolv_flags.concurrent_dns = FALSE;
1377 case 'N': /* Select what types of addresses/port #s to resolve */
1378 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1379 if (badopt != '\0') {
1380 cmdarg_err("-N specifies unknown resolving option '%c';",
1382 cmdarg_err_cont( " Valid options are 'm', 'n', 't', and 'C'");
1386 case 'o': /* Override preference from command line */
1387 switch (prefs_set_pref(optarg)) {
1392 case PREFS_SET_SYNTAX_ERR:
1393 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1397 case PREFS_SET_NO_SUCH_PREF:
1398 case PREFS_SET_OBSOLETE:
1399 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1404 case 'q': /* Quiet */
1407 case 'Q': /* Really quiet */
1409 really_quiet = TRUE;
1411 case 'r': /* Read capture file x */
1412 cf_name = g_strdup(optarg);
1414 case 'R': /* Read file filter */
1418 /* already processed; just ignore it now */
1420 case 'S': /* Set the line Separator to be printed between packets */
1421 separator = strdup(optarg);
1423 case 't': /* Time stamp type */
1424 if (strcmp(optarg, "r") == 0)
1425 timestamp_set_type(TS_RELATIVE);
1426 else if (strcmp(optarg, "a") == 0)
1427 timestamp_set_type(TS_ABSOLUTE);
1428 else if (strcmp(optarg, "ad") == 0)
1429 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1430 else if (strcmp(optarg, "adoy") == 0)
1431 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1432 else if (strcmp(optarg, "d") == 0)
1433 timestamp_set_type(TS_DELTA);
1434 else if (strcmp(optarg, "dd") == 0)
1435 timestamp_set_type(TS_DELTA_DIS);
1436 else if (strcmp(optarg, "e") == 0)
1437 timestamp_set_type(TS_EPOCH);
1438 else if (strcmp(optarg, "u") == 0)
1439 timestamp_set_type(TS_UTC);
1440 else if (strcmp(optarg, "ud") == 0)
1441 timestamp_set_type(TS_UTC_WITH_YMD);
1442 else if (strcmp(optarg, "udoy") == 0)
1443 timestamp_set_type(TS_UTC_WITH_YDOY);
1445 cmdarg_err("Invalid time stamp type \"%s\"", optarg);
1447 "It must be \"a\" for absolute, \"ad\" for absolute with YYYY-MM-DD date,");
1449 "\"adoy\" for absolute with YYYY/DOY date, \"d\" for delta,");
1451 "\"dd\" for delta displayed, \"e\" for epoch, \"r\" for relative,");
1453 "\"u\" for absolute UTC, \"ud\" for absolute UTC with YYYY-MM-DD date,");
1455 "or \"udoy\" for absolute UTC with YYYY/DOY date.");
1459 case 'T': /* printing Type */
1460 if (strcmp(optarg, "text") == 0) {
1461 output_action = WRITE_TEXT;
1462 print_format = PR_FMT_TEXT;
1463 } else if (strcmp(optarg, "ps") == 0) {
1464 output_action = WRITE_TEXT;
1465 print_format = PR_FMT_PS;
1466 } else if (strcmp(optarg, "pdml") == 0) {
1467 output_action = WRITE_XML;
1468 print_details = TRUE; /* Need details */
1469 print_summary = FALSE; /* Don't allow summary */
1470 } else if (strcmp(optarg, "psml") == 0) {
1471 output_action = WRITE_XML;
1472 print_details = FALSE; /* Don't allow details */
1473 print_summary = TRUE; /* Need summary */
1474 } else if (strcmp(optarg, "fields") == 0) {
1475 output_action = WRITE_FIELDS;
1476 print_details = TRUE; /* Need full tree info */
1477 print_summary = FALSE; /* Don't allow summary */
1479 cmdarg_err("Invalid -T parameter.");
1480 cmdarg_err_cont("It must be \"ps\", \"text\", \"pdml\", \"psml\" or \"fields\".");
1484 case 'u': /* Seconds type */
1485 if (strcmp(optarg, "s") == 0)
1486 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1487 else if (strcmp(optarg, "hms") == 0)
1488 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1490 cmdarg_err("Invalid seconds type \"%s\"", optarg);
1491 cmdarg_err_cont("It must be \"s\" for seconds or \"hms\" for hours, minutes and seconds.");
1495 case 'v': /* Show version and exit */
1497 show_version(comp_info_str, runtime_info_str);
1498 g_string_free(comp_info_str, TRUE);
1499 g_string_free(runtime_info_str, TRUE);
1500 /* We don't really have to cleanup here, but it's a convenient way to test
1501 * start-up and shut-down of the epan library without any UI-specific
1502 * cruft getting in the way. Makes the results of running
1503 * $ ./tools/valgrind-wireshark -n
1504 * much more useful. */
1508 case 'O': /* Only output these protocols */
1509 /* already processed; just ignore it now */
1511 case 'V': /* Verbose */
1512 /* already processed; just ignore it now */
1514 case 'x': /* Print packet data in hex (and ASCII) */
1515 /* already processed; just ignore it now */
1523 /* We won't call the init function for the stat this soon
1524 as it would disallow MATE's fields (which are registered
1525 by the preferences set callback) from being used as
1526 part of a tap filter. Instead, we just add the argument
1527 to a list of stat arguments. */
1528 if (!process_stat_cmd_arg(optarg)) {
1529 if (strcmp("help", optarg)==0) {
1530 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1531 list_stat_cmd_args();
1534 cmdarg_err("Invalid -z argument \"%s\".", optarg);
1535 cmdarg_err_cont(" -z argument must be one of :");
1536 list_stat_cmd_args();
1541 case '?': /* Bad flag - print usage message */
1544 list_capture_types();
1554 /* If we specified output fields, but not the output field type... */
1555 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1556 cmdarg_err("Output fields were specified with \"-e\", "
1557 "but \"-Tfields\" was not specified.");
1559 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1560 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1561 "specified with \"-e\".");
1566 /* If no capture filter or display filter has been specified, and there are
1567 still command-line arguments, treat them as the tokens of a capture
1568 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1569 flag was specified. */
1570 if (optind < argc) {
1571 if (cf_name != NULL) {
1572 if (dfilter != NULL) {
1573 cmdarg_err("Display filters were specified both with \"-d\" "
1574 "and with additional command-line arguments.");
1577 dfilter = get_args_as_string(argc, argv, optind);
1582 if (global_capture_opts.default_options.cfilter) {
1583 cmdarg_err("A default capture filter was specified both with \"-f\""
1584 " and with additional command-line arguments.");
1587 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1588 interface_options interface_opts;
1589 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1590 if (interface_opts.cfilter == NULL) {
1591 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1592 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1593 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1595 cmdarg_err("A capture filter was specified both with \"-f\""
1596 " and with additional command-line arguments.");
1600 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1602 capture_option_specified = TRUE;
1608 if (!global_capture_opts.saving_to_file) {
1609 /* We're not saving the capture to a file; if "-q" wasn't specified,
1610 we should print packet information */
1612 print_packet_info = TRUE;
1614 /* We're saving to a file; if we're writing to the standard output.
1615 and we'll also be writing dissected packets to the standard
1616 output, reject the request. At best, we could redirect that
1617 to the standard error; we *can't* write both to the standard
1618 output and have either of them be useful. */
1619 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1620 cmdarg_err("You can't write both raw packet data and dissected packets"
1621 " to the standard output.");
1626 /* We're not saving the capture to a file; if "-q" wasn't specified,
1627 we should print packet information */
1629 print_packet_info = TRUE;
1632 #ifndef HAVE_LIBPCAP
1633 if (capture_option_specified)
1634 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1642 if (output_action != WRITE_TEXT) {
1643 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1648 if (output_only != NULL) {
1651 if (!print_details) {
1652 cmdarg_err("-O requires -V");
1656 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1657 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1658 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1662 if (rfilter != NULL && !perform_two_pass_analysis) {
1663 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1668 if (list_link_layer_types) {
1669 /* We're supposed to list the link-layer types for an interface;
1670 did the user also specify a capture file to be read? */
1672 /* Yes - that's bogus. */
1673 cmdarg_err("You can't specify -L and a capture file to be read.");
1676 /* No - did they specify a ring buffer option? */
1677 if (global_capture_opts.multi_files_on) {
1678 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1684 * "-r" was specified, so we're reading a capture file.
1685 * Capture options don't apply here.
1688 /* We don't support capture filters when reading from a capture file
1689 (the BPF compiler doesn't support all link-layer types that we
1690 support in capture files we read). */
1691 if (global_capture_opts.default_options.cfilter) {
1692 cmdarg_err("Only read filters, not capture filters, "
1693 "can be specified when reading a capture file.");
1696 if (global_capture_opts.multi_files_on) {
1697 cmdarg_err("Multiple capture files requested, but "
1698 "a capture isn't being done.");
1701 if (global_capture_opts.has_file_duration) {
1702 cmdarg_err("Switching capture files after a time interval was specified, but "
1703 "a capture isn't being done.");
1706 if (global_capture_opts.has_ring_num_files) {
1707 cmdarg_err("A ring buffer of capture files was specified, but "
1708 "a capture isn't being done.");
1711 if (global_capture_opts.has_autostop_files) {
1712 cmdarg_err("A maximum number of capture files was specified, but "
1713 "a capture isn't being done.");
1716 if (global_capture_opts.capture_comment) {
1717 cmdarg_err("A capture comment was specified, but "
1718 "a capture isn't being done.\nThere's no support for adding "
1719 "a capture comment to an existing capture file.");
1723 /* Note: TShark now allows the restriction of a _read_ file by packet count
1724 * and byte count as well as a write file. Other autostop options remain valid
1725 * only for a write file.
1727 if (global_capture_opts.has_autostop_duration) {
1728 cmdarg_err("A maximum capture time was specified, but "
1729 "a capture isn't being done.");
1734 * "-r" wasn't specified, so we're doing a live capture.
1736 if (global_capture_opts.saving_to_file) {
1737 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1739 /* When capturing, we only support writing pcap or pcap-ng format. */
1740 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1741 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1742 cmdarg_err("Live captures can only be saved in libpcap format.");
1745 if (global_capture_opts.capture_comment &&
1746 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1747 cmdarg_err("A capture comment can only be written to a pcapng file.");
1750 if (global_capture_opts.multi_files_on) {
1751 /* Multiple-file mode doesn't work under certain conditions:
1752 a) it doesn't work if you're writing to the standard output;
1753 b) it doesn't work if you're writing to a pipe;
1755 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1756 cmdarg_err("Multiple capture files requested, but "
1757 "the capture is being written to the standard output.");
1760 if (global_capture_opts.output_to_pipe) {
1761 cmdarg_err("Multiple capture files requested, but "
1762 "the capture file is a pipe.");
1765 if (!global_capture_opts.has_autostop_filesize &&
1766 !global_capture_opts.has_file_duration) {
1767 cmdarg_err("Multiple capture files requested, but "
1768 "no maximum capture file size or duration was specified.");
1772 /* Currently, we don't support read or display filters when capturing
1773 and saving the packets. */
1774 if (rfilter != NULL) {
1775 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1778 if (dfilter != NULL) {
1779 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1783 /* They didn't specify a "-w" flag, so we won't be saving to a
1784 capture file. Check for options that only make sense if
1785 we're saving to a file. */
1786 if (global_capture_opts.has_autostop_filesize) {
1787 cmdarg_err("Maximum capture file size specified, but "
1788 "capture isn't being saved to a file.");
1791 if (global_capture_opts.multi_files_on) {
1792 cmdarg_err("Multiple capture files requested, but "
1793 "the capture isn't being saved to a file.");
1796 if (global_capture_opts.capture_comment) {
1797 cmdarg_err("A capture comment was specified, but "
1798 "the capture isn't being saved to a file.");
1807 /* Start windows sockets */
1808 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1811 /* Notify all registered modules that have had any of their preferences
1812 changed either from one of the preferences file or from the command
1813 line that their preferences have changed. */
1816 /* At this point MATE will have registered its field array so we can
1817 have a tap filter with one of MATE's late-registered fields as part
1818 of the filter. We can now process all the "-z" arguments. */
1819 start_requested_stats();
1822 /* We currently don't support taps, or printing dissected packets,
1823 if we're writing to a pipe. */
1824 if (global_capture_opts.saving_to_file &&
1825 global_capture_opts.output_to_pipe) {
1826 if (tap_listeners_require_dissection()) {
1827 cmdarg_err("Taps aren't supported when saving to a pipe.");
1830 if (print_packet_info) {
1831 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1837 /* disabled protocols as per configuration file */
1838 if (gdp_path == NULL && dp_path == NULL) {
1839 set_disabled_protos_list();
1842 /* Build the column format array */
1843 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1846 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1847 capture_opts_trim_ring_num_files(&global_capture_opts);
1850 if (rfilter != NULL) {
1851 if (!dfilter_compile(rfilter, &rfcode)) {
1852 cmdarg_err("%s", dfilter_error_msg);
1854 #ifdef HAVE_PCAP_OPEN_DEAD
1858 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1860 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1862 " Note: That read filter code looks like a valid capture filter;");
1864 " maybe you mixed them up?");
1873 cfile.rfcode = rfcode;
1875 if (dfilter != NULL) {
1876 if (!dfilter_compile(dfilter, &dfcode)) {
1877 cmdarg_err("%s", dfilter_error_msg);
1879 #ifdef HAVE_PCAP_OPEN_DEAD
1883 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1885 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1887 " Note: That display filter code looks like a valid capture filter;");
1889 " maybe you mixed them up?");
1898 cfile.dfcode = dfcode;
1900 if (print_packet_info) {
1901 /* If we're printing as text or PostScript, we have
1902 to create a print stream. */
1903 if (output_action == WRITE_TEXT) {
1904 switch (print_format) {
1907 print_stream = print_stream_text_stdio_new(stdout);
1911 print_stream = print_stream_ps_stdio_new(stdout);
1915 g_assert_not_reached();
1920 /* We have to dissect each packet if:
1922 we're printing information about each packet;
1924 we're using a read filter on the packets;
1926 we're using a display filter on the packets;
1928 we're using any taps that need dissection. */
1929 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
1933 * We're reading a capture file.
1937 * Immediately relinquish any special privileges we have; we must not
1938 * be allowed to read any capture files the user running TShark
1941 relinquish_special_privs_perm();
1942 print_current_user();
1944 if (cf_open(&cfile, cf_name, FALSE, &err) != CF_OK) {
1949 /* Set timestamp precision; there should arguably be a command-line
1950 option to let the user set this. */
1951 switch(wtap_file_tsprecision(cfile.wth)) {
1952 case(WTAP_FILE_TSPREC_SEC):
1953 timestamp_set_precision(TS_PREC_AUTO_SEC);
1955 case(WTAP_FILE_TSPREC_DSEC):
1956 timestamp_set_precision(TS_PREC_AUTO_DSEC);
1958 case(WTAP_FILE_TSPREC_CSEC):
1959 timestamp_set_precision(TS_PREC_AUTO_CSEC);
1961 case(WTAP_FILE_TSPREC_MSEC):
1962 timestamp_set_precision(TS_PREC_AUTO_MSEC);
1964 case(WTAP_FILE_TSPREC_USEC):
1965 timestamp_set_precision(TS_PREC_AUTO_USEC);
1967 case(WTAP_FILE_TSPREC_NSEC):
1968 timestamp_set_precision(TS_PREC_AUTO_NSEC);
1971 g_assert_not_reached();
1974 /* Process the packets in the file */
1977 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
1978 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
1979 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
1981 err = load_cap_file(&cfile, NULL, out_file_type, out_file_name_res, 0, 0);
1984 CATCH(OutOfMemoryError) {
1988 "Sorry, but TShark has to terminate now!\n"
1990 "Some infos / workarounds can be found at:\n"
1991 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
1996 /* We still dump out the results of taps, etc., as we might have
1997 read some packets; however, we exit with an error status. */
2001 /* No capture file specified, so we're supposed to do a live capture
2002 or get a list of link-layer types for a live capture device;
2003 do we have support for live captures? */
2005 /* if no interface was specified, pick a default */
2006 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2007 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2008 if (exit_status != 0)
2011 /* if requested, list the link layer types and exit */
2012 if (list_link_layer_types) {
2015 /* Get the list of link-layer types for the capture devices. */
2016 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2017 interface_options interface_opts;
2018 if_capabilities_t *caps;
2020 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2021 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2023 cmdarg_err("%s", err_str);
2027 if (caps->data_link_types == NULL) {
2028 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2031 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2032 free_if_capabilities(caps);
2038 * If the standard error isn't a terminal, don't print packet counts,
2039 * as they won't show up on the user's terminal and they'll get in
2040 * the way of error messages in the file (to which we assume the
2041 * standard error was redirected; if it's redirected to the null
2042 * device, there's no point in printing packet counts anyway).
2044 * Otherwise, if we're printing packet information and the standard
2045 * output is a terminal (which we assume means the standard output and
2046 * error are going to the same terminal), don't print packet counts,
2047 * as they'll get in the way of the packet information.
2049 * Otherwise, if the user specified -q, don't print packet counts.
2051 * Otherwise, print packet counts.
2053 * XXX - what if the user wants to do a live capture, doesn't want
2054 * to save it to a file, doesn't want information printed for each
2055 * packet, does want some "-z" statistic, and wants packet counts
2056 * so they know whether they're seeing any packets? -q will
2057 * suppress the information printed for each packet, but it'll
2058 * also suppress the packet counts.
2060 if (!isatty(fileno(stderr)))
2061 print_packet_counts = FALSE;
2062 else if (print_packet_info && isatty(fileno(stdout)))
2063 print_packet_counts = FALSE;
2065 print_packet_counts = FALSE;
2067 print_packet_counts = TRUE;
2069 if (print_packet_info) {
2070 if (!write_preamble(NULL)) {
2071 show_print_file_io_error(errno);
2076 /* For now, assume libpcap gives microsecond precision. */
2077 timestamp_set_precision(TS_PREC_AUTO_USEC);
2080 * XXX - this returns FALSE if an error occurred, but it also
2081 * returns FALSE if the capture stops because a time limit
2082 * was reached (and possibly other limits), so we can't assume
2083 * it means an error.
2085 * The capture code is a bit twisty, so it doesn't appear to
2086 * be an easy fix. We just ignore the return value for now.
2087 * Instead, pass on the exit status from the capture child.
2090 exit_status = global_capture_session.fork_child_status;
2092 if (print_packet_info) {
2093 if (!write_finale()) {
2095 show_print_file_io_error(err);
2099 /* No - complain. */
2100 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2107 if (cfile.frames != NULL) {
2108 free_frame_data_sequence(cfile.frames);
2109 cfile.frames = NULL;
2112 draw_tap_listeners(TRUE);
2113 funnel_dump_all_text_windows();
2114 epan_free(cfile.epan);
2117 output_fields_free(output_fields);
2118 output_fields = NULL;
2123 /*#define USE_BROKEN_G_MAIN_LOOP*/
2125 #ifdef USE_BROKEN_G_MAIN_LOOP
2128 gboolean loop_running = FALSE;
2130 guint32 packet_count = 0;
2133 /* XXX - move to the right position / file */
2134 /* read from a pipe (callback) */
2135 typedef gboolean (*pipe_input_cb_t) (gint source, gpointer user_data);
2137 typedef struct pipe_input_tag {
2141 pipe_input_cb_t input_cb;
2142 guint pipe_input_id;
2144 GMutex *callback_running;
2148 static pipe_input_t pipe_input;
2151 /* The timer has expired, see if there's stuff to read from the pipe,
2152 if so, do the callback */
2154 pipe_timer_cb(gpointer data)
2160 pipe_input_t *pipe_input_p = data;
2161 gint iterations = 0;
2163 g_mutex_lock (pipe_input_p->callback_running);
2165 /* try to read data from the pipe only 5 times, to avoid blocking */
2166 while(iterations < 5) {
2167 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2169 /* Oddly enough although Named pipes don't work on win9x,
2170 PeekNamedPipe does !!! */
2171 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2172 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2174 /* Get the child process exit status */
2175 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2178 /* If the Peek returned an error, or there are bytes to be read
2179 or the childwatcher thread has terminated then call the normal
2181 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2183 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2185 /* And call the real handler */
2186 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2187 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2188 /* pipe closed, return false so that the timer is stopped */
2189 g_mutex_unlock (pipe_input_p->callback_running);
2194 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2195 /* No data, stop now */
2202 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2204 g_mutex_unlock (pipe_input_p->callback_running);
2206 /* we didn't stopped the timer, so let it run */
2213 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2216 pipe_input.source = source;
2217 pipe_input.child_process = child_process;
2218 pipe_input.user_data = user_data;
2219 pipe_input.input_cb = input_cb;
2222 #if GLIB_CHECK_VERSION(2,31,0)
2223 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2224 g_mutex_init(pipe_input.callback_running);
2226 pipe_input.callback_running = g_mutex_new();
2228 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2229 do this but that doesn't cover all win32 platforms. GTK can do
2230 this but doesn't seem to work over processes. Attempt to do
2231 something similar here, start a timer and check for data on every
2233 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2234 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2238 static const nstime_t *
2239 tshark_get_frame_ts(void *data, guint32 frame_num)
2241 capture_file *cf = (capture_file *) data;
2243 if (ref && ref->num == frame_num)
2244 return &ref->abs_ts;
2246 if (prev_dis && prev_dis->num == frame_num)
2247 return &prev_dis->abs_ts;
2249 if (prev_cap && prev_cap->num == frame_num)
2250 return &prev_cap->abs_ts;
2253 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2255 return (fd) ? &fd->abs_ts : NULL;
2262 tshark_epan_new(capture_file *cf)
2264 epan_t *epan = epan_new();
2267 epan->get_frame_ts = tshark_get_frame_ts;
2268 epan->get_interface_name = cap_file_get_interface_name;
2269 epan->get_user_comment = NULL;
2280 GString *str = g_string_new("");
2281 #ifdef USE_TSHARK_SELECT
2285 struct sigaction action, oldaction;
2289 * XXX - dropping privileges is still required, until code cleanup is done
2291 * remove all dependencies to pcap specific code and using only dumpcap is almost done.
2292 * when it's done, we don't need special privileges to run tshark at all,
2293 * therefore we don't need to drop these privileges
2294 * The only thing we might want to keep is a warning if tshark is run as root,
2295 * as it's no longer necessary and potentially dangerous.
2297 * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID:
2298 * We've opened the capture device, so we shouldn't need any special
2299 * privileges any more; relinquish those privileges.
2301 * XXX - if we have saved set-user-ID support, we should give up those
2302 * privileges immediately, and then reclaim them long enough to get
2303 * a list of network interfaces and to open one, and then give them
2304 * up again, so that stuff we do while processing the argument list,
2305 * reading the user's preferences, loading and starting plugins
2306 * (especially *user* plugins), etc. is done with the user's privileges,
2307 * not special privileges.
2309 relinquish_special_privs_perm();
2310 print_current_user();
2312 /* Create new dissection section. */
2313 epan_free(cfile.epan);
2314 cfile.epan = tshark_epan_new(&cfile);
2317 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2318 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2320 /* Catch SIGINT and SIGTERM and, if we get either of them,
2321 clean up and exit. If SIGHUP isn't being ignored, catch
2322 it too and, if we get it, clean up and exit.
2324 We restart any read that was in progress, so that it doesn't
2325 disrupt reading from the sync pipe. The signal handler tells
2326 the capture child to finish; it will report that it finished,
2327 or will exit abnormally, so we'll stop reading from the sync
2328 pipe, pick up the exit status, and quit. */
2329 memset(&action, 0, sizeof(action));
2330 action.sa_handler = capture_cleanup;
2331 action.sa_flags = SA_RESTART;
2332 sigemptyset(&action.sa_mask);
2333 sigaction(SIGTERM, &action, NULL);
2334 sigaction(SIGINT, &action, NULL);
2335 sigaction(SIGHUP, NULL, &oldaction);
2336 if (oldaction.sa_handler == SIG_DFL)
2337 sigaction(SIGHUP, &action, NULL);
2340 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2341 quiet mode, report the number of packets we've captured.
2343 Again, restart any read that was in progress, so that it doesn't
2344 disrupt reading from the sync pipe. */
2345 action.sa_handler = report_counts_siginfo;
2346 action.sa_flags = SA_RESTART;
2347 sigemptyset(&action.sa_mask);
2348 sigaction(SIGINFO, &action, NULL);
2349 #endif /* SIGINFO */
2352 global_capture_session.state = CAPTURE_PREPARING;
2354 /* Let the user know which interfaces were chosen. */
2355 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2356 interface_options interface_opts;
2358 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2359 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2360 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2361 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2364 if (global_capture_opts.ifaces->len < 2)
2366 if (global_capture_opts.ifaces->len < 4)
2369 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2370 interface_options interface_opts;
2372 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2374 if (global_capture_opts.ifaces->len > 2) {
2375 g_string_append_printf(str, ",");
2377 g_string_append_printf(str, " ");
2378 if (i == global_capture_opts.ifaces->len - 1) {
2379 g_string_append_printf(str, "and ");
2382 g_string_append_printf(str, "'%s'", interface_opts.descr);
2385 g_string_append_printf(str, "%u interfaces", global_capture_opts.ifaces->len);
2387 if (really_quiet == FALSE)
2388 fprintf(stderr, "Capturing on %s\n", str->str);
2390 g_string_free(str, TRUE);
2392 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2397 /* the actual capture loop
2399 * XXX - glib doesn't seem to provide any event based loop handling.
2401 * XXX - for whatever reason,
2402 * calling g_main_loop_new() ends up in 100% cpu load.
2404 * But that doesn't matter: in UNIX we can use select() to find an input
2405 * source with something to do.
2407 * But that doesn't matter because we're in a CLI (that doesn't need to
2408 * update a GUI or something at the same time) so it's OK if we block
2409 * trying to read from the pipe.
2411 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2412 * wrong (but I leave it there in case I am...).
2415 #ifdef USE_TSHARK_SELECT
2417 FD_SET(pipe_input.source, &readfds);
2420 loop_running = TRUE;
2424 while (loop_running)
2426 #ifdef USE_TSHARK_SELECT
2427 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2433 } else if (ret == 1) {
2435 /* Call the real handler */
2436 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2437 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2440 #ifdef USE_TSHARK_SELECT
2445 CATCH(OutOfMemoryError) {
2449 "Sorry, but TShark has to terminate now!\n"
2451 "Some infos / workarounds can be found at:\n"
2452 "http://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2459 /* capture child detected an error */
2461 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2463 cmdarg_err("%s", error_msg);
2464 cmdarg_err_cont("%s", secondary_error_msg);
2468 /* capture child detected an capture filter related error */
2470 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2472 capture_options *capture_opts = cap_session->capture_opts;
2473 dfilter_t *rfcode = NULL;
2474 interface_options interface_opts;
2476 g_assert(i < capture_opts->ifaces->len);
2477 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2479 if (dfilter_compile(interface_opts.cfilter, &rfcode) && rfcode != NULL) {
2481 "Invalid capture filter \"%s\" for interface '%s'!\n"
2483 "That string looks like a valid display filter; however, it isn't a valid\n"
2484 "capture filter (%s).\n"
2486 "Note that display filters and capture filters don't have the same syntax,\n"
2487 "so you can't use most display filter expressions as capture filters.\n"
2489 "See the User's Guide for a description of the capture filter syntax.",
2490 interface_opts.cfilter, interface_opts.descr, error_message);
2491 dfilter_free(rfcode);
2494 "Invalid capture filter \"%s\" for interface '%s'!\n"
2496 "That string isn't a valid capture filter (%s).\n"
2497 "See the User's Guide for a description of the capture filter syntax.",
2498 interface_opts.cfilter, interface_opts.descr, error_message);
2503 /* capture child tells us we have a new (or the first) capture file */
2505 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2507 capture_options *capture_opts = cap_session->capture_opts;
2508 gboolean is_tempfile;
2511 if (cap_session->state == CAPTURE_PREPARING) {
2512 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started!");
2514 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2516 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2518 /* free the old filename */
2519 if (capture_opts->save_file != NULL) {
2521 /* we start a new capture file, close the old one (if we had one before) */
2522 if ( ((capture_file *) cap_session->cf)->state != FILE_CLOSED) {
2523 if ( ((capture_file *) cap_session->cf)->wth != NULL) {
2524 wtap_close(((capture_file *) cap_session->cf)->wth);
2525 ((capture_file *) cap_session->cf)->wth = NULL;
2527 ((capture_file *) cap_session->cf)->state = FILE_CLOSED;
2530 g_free(capture_opts->save_file);
2531 is_tempfile = FALSE;
2533 /* we didn't had a save_file before, must be a tempfile */
2537 /* save the new filename */
2538 capture_opts->save_file = g_strdup(new_file);
2540 /* if we are in real-time mode, open the new file now */
2541 if (do_dissection) {
2542 /* Attempt to open the capture file and set up to read from it. */
2543 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, is_tempfile, &err)) {
2547 /* Don't unlink (delete) the save file - leave it around,
2548 for debugging purposes. */
2549 g_free(capture_opts->save_file);
2550 capture_opts->save_file = NULL;
2555 cap_session->state = CAPTURE_RUNNING;
2561 /* capture child tells us we have new packets to read */
2563 capture_input_new_packets(capture_session *cap_session, int to_read)
2569 capture_file *cf = (capture_file *)cap_session->cf;
2570 gboolean filtering_tap_listeners;
2575 * Prevent a SIGINFO handler from writing to the standard error while
2576 * we're doing so or writing to the standard output; instead, have it
2577 * just set a flag telling us to print that information when we're done.
2580 #endif /* SIGINFO */
2582 /* Do we have any tap listeners with filters? */
2583 filtering_tap_listeners = have_filtering_tap_listeners();
2585 /* Get the union of the flags for all tap listeners. */
2586 tap_flags = union_of_tap_listener_flags();
2588 if (do_dissection) {
2589 gboolean create_proto_tree;
2590 epan_dissect_t *edt;
2592 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2593 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2594 create_proto_tree = TRUE;
2596 create_proto_tree = FALSE;
2598 /* The protocol tree will be "visible", i.e., printed, only if we're
2599 printing packet details, which is true if we're printing stuff
2600 ("print_packet_info" is true) and we're in verbose mode
2601 ("packet_details" is true). */
2602 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2604 while (to_read-- && cf->wth) {
2605 wtap_cleareof(cf->wth);
2606 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2608 /* read from file failed, tell the capture child to stop */
2609 sync_pipe_stop(cap_session);
2610 wtap_close(cf->wth);
2613 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2614 wtap_buf_ptr(cf->wth),
2618 /* packet successfully read and gone through the "Read Filter" */
2623 epan_dissect_free(edt);
2627 * Dumpcap's doing all the work; we're not doing any dissection.
2628 * Count all the packets it wrote.
2630 packet_count += to_read;
2633 if (print_packet_counts) {
2634 /* We're printing packet counts. */
2635 if (packet_count != 0) {
2636 fprintf(stderr, "\r%u ", packet_count);
2637 /* stderr could be line buffered */
2644 * Allow SIGINFO handlers to write.
2649 * If a SIGINFO handler asked us to write out capture counts, do so.
2653 #endif /* SIGINFO */
2659 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2660 /* Report the count only if we aren't printing a packet count
2661 as packets arrive. */
2662 fprintf(stderr, "%u packet%s captured\n", packet_count,
2663 plurality(packet_count, "", "s"));
2666 infoprint = FALSE; /* we just reported it */
2667 #endif /* SIGINFO */
2672 report_counts_siginfo(int signum _U_)
2674 int sav_errno = errno;
2675 /* If we've been told to delay printing, just set a flag asking
2676 that we print counts (if we're supposed to), otherwise print
2677 the count of packets captured (if we're supposed to). */
2684 #endif /* SIGINFO */
2687 /* capture child detected any packet drops? */
2689 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2691 if (print_packet_counts) {
2692 /* We're printing packet counts to stderr.
2693 Send a newline so that we move to the line after the packet count. */
2694 fprintf(stderr, "\n");
2698 /* We're printing packet counts to stderr.
2699 Send a newline so that we move to the line after the packet count. */
2700 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2706 * Capture child closed its side of the pipe, report any error and
2707 * do the required cleanup.
2710 capture_input_closed(capture_session *cap_session, gchar *msg)
2712 capture_file *cf = (capture_file *) cap_session->cf;
2715 fprintf(stderr, "tshark: %s\n", msg);
2719 if (cf != NULL && cf->wth != NULL) {
2720 wtap_close(cf->wth);
2721 if (cf->is_tempfile) {
2722 ws_unlink(cf->filename);
2725 #ifdef USE_BROKEN_G_MAIN_LOOP
2726 /*g_main_loop_quit(loop);*/
2729 loop_running = FALSE;
2738 capture_cleanup(DWORD ctrltype _U_)
2740 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2741 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2742 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2743 like SIGTERM at least when the machine's shutting down.
2745 For now, we handle them all as indications that we should clean up
2746 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2749 We must return TRUE so that no other handler - such as one that would
2750 terminate the process - gets called.
2752 XXX - for some reason, typing ^C to TShark, if you run this in
2753 a Cygwin console window in at least some versions of Cygwin,
2754 causes TShark to terminate immediately; this routine gets
2755 called, but the main loop doesn't get a chance to run and
2756 exit cleanly, at least if this is compiled with Microsoft Visual
2757 C++ (i.e., it's a property of the Cygwin console window or Bash;
2758 it happens if TShark is not built with Cygwin - for all I know,
2759 building it with Cygwin may make the problem go away). */
2761 /* tell the capture child to stop */
2762 sync_pipe_stop(&global_capture_session);
2764 /* don't stop our own loop already here, otherwise status messages and
2765 * cleanup wouldn't be done properly. The child will indicate the stop of
2766 * everything by calling capture_input_closed() later */
2772 capture_cleanup(int signum _U_)
2774 /* tell the capture child to stop */
2775 sync_pipe_stop(&global_capture_session);
2777 /* don't stop our own loop already here, otherwise status messages and
2778 * cleanup wouldn't be done properly. The child will indicate the stop of
2779 * everything by calling capture_input_closed() later */
2782 #endif /* HAVE_LIBPCAP */
2785 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2786 gint64 offset, struct wtap_pkthdr *whdr,
2793 /* The frame number of this packet is one more than the count of
2794 frames in this packet. */
2795 framenum = cf->count + 1;
2797 /* If we're not running a display filter and we're not printing any
2798 packet information, we don't need to do a dissection. This means
2799 that all packets can be marked as 'passed'. */
2802 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2804 /* If we're going to print packet information, or we're going to
2805 run a read filter, or display filter, or we're going to process taps, set up to
2806 do a dissection and do so. */
2808 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2809 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2810 /* Grab any resolved addresses */
2811 host_name_lookup_process();
2813 /* If we're running a read filter, prime the epan_dissect_t with that
2816 epan_dissect_prime_dfilter(edt, cf->rfcode);
2818 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2820 if (ref == &fdlocal) {
2821 ref_frame = fdlocal;
2825 epan_dissect_run(edt, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2827 /* Run the read filter if we have one. */
2829 passed = dfilter_apply_edt(cf->rfcode, edt);
2833 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2834 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2836 /* If we're not doing dissection then there won't be any dependent frames.
2837 * More importantly, edt.pi.dependent_frames won't be initialized because
2838 * epan hasn't been initialized.
2841 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2846 /* if we don't add it to the frame_data_sequence, clean it up right now
2848 frame_data_destroy(&fdlocal);
2852 epan_dissect_reset(edt);
2858 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2859 struct wtap_pkthdr *phdr, Buffer *buf,
2865 /* If we're not running a display filter and we're not printing any
2866 packet information, we don't need to do a dissection. This means
2867 that all packets can be marked as 'passed'. */
2870 /* If we're going to print packet information, or we're going to
2871 run a read filter, or we're going to process taps, set up to
2872 do a dissection and do so. */
2874 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2875 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2876 /* Grab any resolved addresses */
2877 host_name_lookup_process();
2879 /* If we're running a display filter, prime the epan_dissect_t with that
2882 epan_dissect_prime_dfilter(edt, cf->dfcode);
2884 col_custom_prime_edt(edt, &cf->cinfo);
2886 /* We only need the columns if either
2887 1) some tap needs the columns
2889 2) we're printing packet info but we're *not* verbose; in verbose
2890 mode, we print the protocol tree, not the protocol summary.
2892 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
2897 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
2904 epan_dissect_run_with_taps(edt, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
2906 /* Run the read/display filter if we have one. */
2908 passed = dfilter_apply_edt(cf->dfcode, edt);
2912 frame_data_set_after_dissect(fdata, &cum_bytes);
2913 /* Process this packet. */
2914 if (print_packet_info) {
2915 /* We're printing packet information; print the information for
2917 print_packet(cf, edt);
2919 /* The ANSI C standard does not appear to *require* that a line-buffered
2920 stream be flushed to the host environment whenever a newline is
2921 written, it just says that, on such a stream, characters "are
2922 intended to be transmitted to or from the host environment as a
2923 block when a new-line character is encountered".
2925 The Visual C++ 6.0 C implementation doesn't do what is intended;
2926 even if you set a stream to be line-buffered, it still doesn't
2927 flush the buffer at the end of every line.
2929 So, if the "-l" flag was specified, we flush the standard output
2930 at the end of a packet. This will do the right thing if we're
2931 printing packet summary lines, and, as we print the entire protocol
2932 tree for a single packet without waiting for anything to happen,
2933 it should be as good as line-buffered mode if we're printing
2934 protocol trees. (The whole reason for the "-l" flag in either
2935 tcpdump or TShark is to allow the output of a live capture to
2936 be piped to a program or script and to have that script see the
2937 information for the packet as soon as it's printed, rather than
2938 having to wait until a standard I/O buffer fills up. */
2942 if (ferror(stdout)) {
2943 show_print_file_io_error(errno);
2952 epan_dissect_reset(edt);
2954 return passed || fdata->flags.dependent_of_displayed;
2958 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
2959 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
2962 int snapshot_length;
2966 gchar *err_info = NULL;
2968 char *save_file_string = NULL;
2969 gboolean filtering_tap_listeners;
2971 wtapng_section_t *shb_hdr;
2972 wtapng_iface_descriptions_t *idb_inf;
2975 epan_dissect_t *edt = NULL;
2977 shb_hdr = wtap_file_get_shb_info(cf->wth);
2978 idb_inf = wtap_file_get_idb_info(cf->wth);
2979 #ifdef PCAP_NG_DEFAULT
2980 if (idb_inf->number_of_interfaces > 1) {
2981 linktype = WTAP_ENCAP_PER_PACKET;
2983 linktype = wtap_file_encap(cf->wth);
2986 linktype = wtap_file_encap(cf->wth);
2988 if (save_file != NULL) {
2989 /* Get a string that describes what we're writing to */
2990 save_file_string = output_file_description(save_file);
2992 /* Set up to write to the capture file. */
2993 snapshot_length = wtap_snapshot_length(cf->wth);
2994 if (snapshot_length == 0) {
2995 /* Snapshot length of input file not known. */
2996 snapshot_length = WTAP_MAX_PACKET_SIZE;
2998 /* If we don't have an application name add Tshark */
2999 if (shb_hdr->shb_user_appl == NULL) {
3000 g_snprintf(appname, sizeof(appname), "TShark " VERSION "%s", wireshark_svnversion);
3001 shb_hdr->shb_user_appl = appname;
3004 if (linktype != WTAP_ENCAP_PER_PACKET &&
3005 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3006 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3007 snapshot_length, FALSE /* compressed */, &err);
3009 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3010 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3016 /* We couldn't set up to write to the capture file. */
3019 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
3020 cmdarg_err("Capture files can't be written in that format.");
3023 case WTAP_ERR_UNSUPPORTED_ENCAP:
3024 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3025 cmdarg_err("The capture file being read can't be written as a "
3026 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3029 case WTAP_ERR_CANT_OPEN:
3030 cmdarg_err("The %s couldn't be created for some "
3031 "unknown reason.", save_file_string);
3034 case WTAP_ERR_SHORT_WRITE:
3035 cmdarg_err("A full header couldn't be written to the %s.",
3040 cmdarg_err("The %s could not be created: %s.", save_file_string,
3041 wtap_strerror(err));
3047 if (print_packet_info) {
3048 if (!write_preamble(cf)) {
3050 show_print_file_io_error(err);
3059 if (pdh && out_file_name_res) {
3060 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3061 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3062 wtap_file_type_subtype_short_string(out_file_type));
3066 /* Do we have any tap listeners with filters? */
3067 filtering_tap_listeners = have_filtering_tap_listeners();
3069 /* Get the union of the flags for all tap listeners. */
3070 tap_flags = union_of_tap_listener_flags();
3072 if (perform_two_pass_analysis) {
3075 /* Allocate a frame_data_sequence for all the frames. */
3076 cf->frames = new_frame_data_sequence();
3078 if (do_dissection) {
3079 gboolean create_proto_tree = FALSE;
3081 /* If we're going to be applying a filter, we'll need to
3082 create a protocol tree against which to apply the filter. */
3084 create_proto_tree = TRUE;
3086 /* We're not going to display the protocol tree on this pass,
3087 so it's not going to be "visible". */
3088 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3091 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3092 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3093 wtap_buf_ptr(cf->wth))) {
3094 /* Stop reading if we have the maximum number of packets;
3095 * When the -c option has not been used, max_packet_count
3096 * starts at 0, which practically means, never stop reading.
3097 * (unless we roll over max_packet_count ?)
3099 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3100 err = 0; /* This is not an error */
3107 epan_dissect_free(edt);
3111 /* Close the sequential I/O side, to free up memory it requires. */
3112 wtap_sequential_close(cf->wth);
3114 /* Allow the protocol dissectors to free up memory that they
3115 * don't need after the sequential run-through of the packets. */
3116 postseq_cleanup_all_protocols();
3120 buffer_init(&buf, 1500);
3122 if (do_dissection) {
3123 gboolean create_proto_tree;
3125 if (cf->dfcode || print_details || filtering_tap_listeners ||
3126 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3127 create_proto_tree = TRUE;
3129 create_proto_tree = FALSE;
3131 /* The protocol tree will be "visible", i.e., printed, only if we're
3132 printing packet details, which is true if we're printing stuff
3133 ("print_packet_info" is true) and we're in verbose mode
3134 ("packet_details" is true). */
3135 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3138 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3139 fdata = frame_data_sequence_find(cf->frames, framenum);
3140 if (wtap_seek_read(cf->wth, fdata->file_off, &cf->phdr,
3141 &buf, fdata->cap_len, &err, &err_info)) {
3142 if (process_packet_second_pass(cf, edt, fdata, &cf->phdr, &buf,
3144 /* Either there's no read filtering or this packet passed the
3145 filter, so, if we're writing to a capture file, write
3148 if (!wtap_dump(pdh, &cf->phdr, buffer_start_ptr(&cf->buf), &err)) {
3149 /* Error writing to a capture file */
3152 case WTAP_ERR_UNSUPPORTED_ENCAP:
3154 * This is a problem with the particular frame we're writing;
3155 * note that, and give the frame number.
3157 * XXX - framenum is not necessarily the frame number in
3158 * the input file if there was a read filter.
3161 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3162 framenum, cf->filename,
3163 wtap_file_type_subtype_short_string(out_file_type));
3167 show_capture_file_io_error(save_file, err, FALSE);
3170 wtap_dump_close(pdh, &err);
3180 epan_dissect_free(edt);
3189 if (do_dissection) {
3190 gboolean create_proto_tree;
3192 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3193 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3194 create_proto_tree = TRUE;
3196 create_proto_tree = FALSE;
3198 /* The protocol tree will be "visible", i.e., printed, only if we're
3199 printing packet details, which is true if we're printing stuff
3200 ("print_packet_info" is true) and we're in verbose mode
3201 ("packet_details" is true). */
3202 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3205 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3208 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3209 wtap_buf_ptr(cf->wth),
3211 /* Either there's no read filtering or this packet passed the
3212 filter, so, if we're writing to a capture file, write
3215 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err)) {
3216 /* Error writing to a capture file */
3219 case WTAP_ERR_UNSUPPORTED_ENCAP:
3221 * This is a problem with the particular frame we're writing;
3222 * note that, and give the frame number.
3225 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3226 framenum, cf->filename,
3227 wtap_file_type_subtype_short_string(out_file_type));
3231 show_capture_file_io_error(save_file, err, FALSE);
3234 wtap_dump_close(pdh, &err);
3240 /* Stop reading if we have the maximum number of packets;
3241 * When the -c option has not been used, max_packet_count
3242 * starts at 0, which practically means, never stop reading.
3243 * (unless we roll over max_packet_count ?)
3245 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3246 err = 0; /* This is not an error */
3252 epan_dissect_free(edt);
3259 * Print a message noting that the read failed somewhere along the line.
3261 * If we're printing packet data, and the standard output and error are
3262 * going to the same place, flush the standard output, so everything
3263 * buffered up is written, and then print a newline to the standard error
3264 * before printing the error message, to separate it from the packet
3265 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3266 * the _fstat() documentation at Microsoft doesn't indicate whether
3267 * st_ino is even supported.)
3270 if (print_packet_info) {
3271 struct stat stat_stdout, stat_stderr;
3273 if (fstat(1, &stat_stdout) == 0 && fstat(2, &stat_stderr) == 0) {
3274 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3275 stat_stdout.st_ino == stat_stderr.st_ino) {
3277 fprintf(stderr, "\n");
3284 case WTAP_ERR_UNSUPPORTED:
3285 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3286 cf->filename, err_info);
3290 case WTAP_ERR_UNSUPPORTED_ENCAP:
3291 cmdarg_err("The file \"%s\" has a packet with a network type that TShark doesn't support.\n(%s)",
3292 cf->filename, err_info);
3296 case WTAP_ERR_CANT_READ:
3297 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
3301 case WTAP_ERR_SHORT_READ:
3302 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3306 case WTAP_ERR_BAD_FILE:
3307 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3308 cf->filename, err_info);
3312 case WTAP_ERR_DECOMPRESS:
3313 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3314 "(%s)", cf->filename, err_info);
3318 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3319 cf->filename, wtap_strerror(err));
3322 if (save_file != NULL) {
3323 /* Now close the capture file. */
3324 if (!wtap_dump_close(pdh, &err))
3325 show_capture_file_io_error(save_file, err, TRUE);
3328 if (save_file != NULL) {
3329 /* Now close the capture file. */
3330 if (!wtap_dump_close(pdh, &err))
3331 show_capture_file_io_error(save_file, err, TRUE);
3333 if (print_packet_info) {
3334 if (!write_finale()) {
3336 show_print_file_io_error(err);
3343 wtap_close(cf->wth);
3346 g_free(save_file_string);
3353 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3354 const guchar *pd, guint tap_flags)
3360 /* Count this packet. */
3363 /* If we're not running a display filter and we're not printing any
3364 packet information, we don't need to do a dissection. This means
3365 that all packets can be marked as 'passed'. */
3368 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3370 /* If we're going to print packet information, or we're going to
3371 run a read filter, or we're going to process taps, set up to
3372 do a dissection and do so. */
3374 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3375 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3376 /* Grab any resolved addresses */
3377 host_name_lookup_process();
3379 /* If we're running a filter, prime the epan_dissect_t with that
3382 epan_dissect_prime_dfilter(edt, cf->dfcode);
3384 col_custom_prime_edt(edt, &cf->cinfo);
3386 /* We only need the columns if either
3387 1) some tap needs the columns
3389 2) we're printing packet info but we're *not* verbose; in verbose
3390 mode, we print the protocol tree, not the protocol summary.
3392 3) there is a column mapped as an individual field */
3393 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3398 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3400 if (ref == &fdata) {
3405 epan_dissect_run_with_taps(edt, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3407 /* Run the filter if we have it. */
3409 passed = dfilter_apply_edt(cf->dfcode, edt);
3413 frame_data_set_after_dissect(&fdata, &cum_bytes);
3415 /* Process this packet. */
3416 if (print_packet_info) {
3417 /* We're printing packet information; print the information for
3419 print_packet(cf, edt);
3421 /* The ANSI C standard does not appear to *require* that a line-buffered
3422 stream be flushed to the host environment whenever a newline is
3423 written, it just says that, on such a stream, characters "are
3424 intended to be transmitted to or from the host environment as a
3425 block when a new-line character is encountered".
3427 The Visual C++ 6.0 C implementation doesn't do what is intended;
3428 even if you set a stream to be line-buffered, it still doesn't
3429 flush the buffer at the end of every line.
3431 So, if the "-l" flag was specified, we flush the standard output
3432 at the end of a packet. This will do the right thing if we're
3433 printing packet summary lines, and, as we print the entire protocol
3434 tree for a single packet without waiting for anything to happen,
3435 it should be as good as line-buffered mode if we're printing
3436 protocol trees. (The whole reason for the "-l" flag in either
3437 tcpdump or TShark is to allow the output of a live capture to
3438 be piped to a program or script and to have that script see the
3439 information for the packet as soon as it's printed, rather than
3440 having to wait until a standard I/O buffer fills up. */
3444 if (ferror(stdout)) {
3445 show_print_file_io_error(errno);
3450 /* this must be set after print_packet() [bug #8160] */
3451 prev_dis_frame = fdata;
3452 prev_dis = &prev_dis_frame;
3455 prev_cap_frame = fdata;
3456 prev_cap = &prev_cap_frame;
3459 epan_dissect_reset(edt);
3460 frame_data_destroy(&fdata);
3466 write_preamble(capture_file *cf)
3468 switch (output_action) {
3471 return print_preamble(print_stream, cf ? cf->filename : NULL, wireshark_svnversion);
3475 write_pdml_preamble(stdout, cf ? cf->filename : NULL);
3477 write_psml_preamble(stdout);
3478 return !ferror(stdout);
3481 write_fields_preamble(output_fields, stdout);
3482 return !ferror(stdout);
3485 g_assert_not_reached();
3491 get_line_buf(size_t len)
3493 static char *line_bufp = NULL;
3494 static size_t line_buf_len = 256;
3495 size_t new_line_buf_len;
3497 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3498 new_line_buf_len *= 2)
3500 if (line_bufp == NULL) {
3501 line_buf_len = new_line_buf_len;
3502 line_bufp = (char *)g_malloc(line_buf_len + 1);
3504 if (new_line_buf_len > line_buf_len) {
3505 line_buf_len = new_line_buf_len;
3506 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3513 put_string(char *dest, const char *str, size_t str_len)
3515 memcpy(dest, str, str_len);
3516 dest[str_len] = '\0';
3520 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3524 for (i = str_len; i < str_with_spaces; i++)
3527 put_string(dest, str, str_len);
3531 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3535 memcpy(dest, str, str_len);
3536 for (i = str_len; i < str_with_spaces; i++)
3539 dest[str_with_spaces] = '\0';
3543 print_columns(capture_file *cf)
3551 line_bufp = get_line_buf(256);
3554 for (i = 0; i < cf->cinfo.num_cols; i++) {
3555 /* Skip columns not marked as visible. */
3556 if (!get_column_visible(i))
3558 switch (cf->cinfo.col_fmt[i]) {
3560 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3563 line_bufp = get_line_buf(buf_offset + column_len);
3564 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3570 case COL_ABS_YMD_TIME: /* XXX - wider */
3571 case COL_ABS_YDOY_TIME: /* XXX - wider */
3573 case COL_UTC_YMD_TIME: /* XXX - wider */
3574 case COL_UTC_YDOY_TIME: /* XXX - wider */
3575 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3576 if (column_len < 10)
3578 line_bufp = get_line_buf(buf_offset + column_len);
3579 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3585 case COL_DEF_DL_SRC:
3586 case COL_RES_DL_SRC:
3587 case COL_UNRES_DL_SRC:
3588 case COL_DEF_NET_SRC:
3589 case COL_RES_NET_SRC:
3590 case COL_UNRES_NET_SRC:
3591 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3592 if (column_len < 12)
3594 line_bufp = get_line_buf(buf_offset + column_len);
3595 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3601 case COL_DEF_DL_DST:
3602 case COL_RES_DL_DST:
3603 case COL_UNRES_DL_DST:
3604 case COL_DEF_NET_DST:
3605 case COL_RES_NET_DST:
3606 case COL_UNRES_NET_DST:
3607 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3608 if (column_len < 12)
3610 line_bufp = get_line_buf(buf_offset + column_len);
3611 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3615 column_len = strlen(cf->cinfo.col_data[i]);
3616 line_bufp = get_line_buf(buf_offset + column_len);
3617 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3620 buf_offset += column_len;
3621 if (i != cf->cinfo.num_cols - 1) {
3623 * This isn't the last column, so we need to print a
3624 * separator between this column and the next.
3626 * If we printed a network source and are printing a
3627 * network destination of the same type next, separate
3628 * them with " -> "; if we printed a network destination
3629 * and are printing a network source of the same type
3630 * next, separate them with " <- "; otherwise separate them
3633 * We add enough space to the buffer for " <- " or " -> ",
3634 * even if we're only adding " ".
3636 line_bufp = get_line_buf(buf_offset + 4);
3637 switch (cf->cinfo.col_fmt[i]) {
3642 switch (cf->cinfo.col_fmt[i + 1]) {
3647 put_string(line_bufp + buf_offset, " -> ", 4);
3652 put_string(line_bufp + buf_offset, " ", 1);
3658 case COL_DEF_DL_SRC:
3659 case COL_RES_DL_SRC:
3660 case COL_UNRES_DL_SRC:
3661 switch (cf->cinfo.col_fmt[i + 1]) {
3663 case COL_DEF_DL_DST:
3664 case COL_RES_DL_DST:
3665 case COL_UNRES_DL_DST:
3666 put_string(line_bufp + buf_offset, " -> ", 4);
3671 put_string(line_bufp + buf_offset, " ", 1);
3677 case COL_DEF_NET_SRC:
3678 case COL_RES_NET_SRC:
3679 case COL_UNRES_NET_SRC:
3680 switch (cf->cinfo.col_fmt[i + 1]) {
3682 case COL_DEF_NET_DST:
3683 case COL_RES_NET_DST:
3684 case COL_UNRES_NET_DST:
3685 put_string(line_bufp + buf_offset, " -> ", 4);
3690 put_string(line_bufp + buf_offset, " ", 1);
3699 switch (cf->cinfo.col_fmt[i + 1]) {
3704 put_string(line_bufp + buf_offset, " <- ", 4);
3709 put_string(line_bufp + buf_offset, " ", 1);
3715 case COL_DEF_DL_DST:
3716 case COL_RES_DL_DST:
3717 case COL_UNRES_DL_DST:
3718 switch (cf->cinfo.col_fmt[i + 1]) {
3720 case COL_DEF_DL_SRC:
3721 case COL_RES_DL_SRC:
3722 case COL_UNRES_DL_SRC:
3723 put_string(line_bufp + buf_offset, " <- ", 4);
3728 put_string(line_bufp + buf_offset, " ", 1);
3734 case COL_DEF_NET_DST:
3735 case COL_RES_NET_DST:
3736 case COL_UNRES_NET_DST:
3737 switch (cf->cinfo.col_fmt[i + 1]) {
3739 case COL_DEF_NET_SRC:
3740 case COL_RES_NET_SRC:
3741 case COL_UNRES_NET_SRC:
3742 put_string(line_bufp + buf_offset, " <- ", 4);
3747 put_string(line_bufp + buf_offset, " ", 1);
3754 put_string(line_bufp + buf_offset, " ", 1);
3760 return print_line(print_stream, 0, line_bufp);
3764 print_packet(capture_file *cf, epan_dissect_t *edt)
3766 print_args_t print_args;
3768 if (print_summary || output_fields_has_cols(output_fields)) {
3769 /* Just fill in the columns. */
3770 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3772 if (print_summary) {
3773 /* Now print them. */
3774 switch (output_action) {
3777 if (!print_columns(cf))
3782 proto_tree_write_psml(edt, stdout);
3783 return !ferror(stdout);
3784 case WRITE_FIELDS: /*No non-verbose "fields" format */
3785 g_assert_not_reached();
3790 if (print_details) {
3791 /* Print the information in the protocol tree. */
3792 switch (output_action) {
3795 /* Only initialize the fields that are actually used in proto_tree_print.
3796 * This is particularly important for .range, as that's heap memory which
3797 * we would otherwise have to g_free().
3798 print_args.to_file = TRUE;
3799 print_args.format = print_format;
3800 print_args.print_summary = print_summary;
3801 print_args.print_formfeed = FALSE;
3802 packet_range_init(&print_args.range, &cfile);
3804 print_args.print_hex = print_hex;
3805 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
3807 if (!proto_tree_print(&print_args, edt, print_stream))
3810 if (!print_line(print_stream, 0, separator))
3816 proto_tree_write_pdml(edt, stdout);
3818 return !ferror(stdout);
3820 proto_tree_write_fields(output_fields, edt, &cf->cinfo, stdout);
3822 return !ferror(stdout);
3826 if (print_summary || print_details) {
3827 if (!print_line(print_stream, 0, ""))
3830 if (!print_hex_data(print_stream, edt))
3832 if (!print_line(print_stream, 0, separator))
3841 switch (output_action) {
3844 return print_finale(print_stream);
3848 write_pdml_finale(stdout);
3850 write_psml_finale(stdout);
3851 return !ferror(stdout);
3854 write_fields_finale(output_fields, stdout);
3855 return !ferror(stdout);
3858 g_assert_not_reached();
3864 cf_open(capture_file *cf, const char *fname, gboolean is_tempfile, int *err)
3868 char err_msg[2048+1];
3870 wth = wtap_open_offline(fname, err, &err_info, perform_two_pass_analysis);
3874 /* The open succeeded. Fill in the information for this file. */
3876 /* Create new epan session for dissection. */
3877 epan_free(cf->epan);
3878 cf->epan = tshark_epan_new(cf);
3881 cf->f_datalen = 0; /* not used, but set it anyway */
3883 /* Set the file name because we need it to set the follow stream filter.
3884 XXX - is that still true? We need it for other reasons, though,
3886 cf->filename = g_strdup(fname);
3888 /* Indicate whether it's a permanent or temporary file. */
3889 cf->is_tempfile = is_tempfile;
3891 /* No user changes yet. */
3892 cf->unsaved_changes = FALSE;
3894 cf->cd_t = wtap_file_type_subtype(cf->wth);
3896 cf->drops_known = FALSE;
3898 cf->snap = wtap_snapshot_length(cf->wth);
3899 if (cf->snap == 0) {
3900 /* Snapshot length not known. */
3901 cf->has_snap = FALSE;
3902 cf->snap = WTAP_MAX_PACKET_SIZE;
3904 cf->has_snap = TRUE;
3905 nstime_set_zero(&cf->elapsed_time);
3910 cf->state = FILE_READ_IN_PROGRESS;
3912 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
3913 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
3918 g_snprintf(err_msg, sizeof err_msg,
3919 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
3920 cmdarg_err("%s", err_msg);
3925 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
3927 char *save_file_string;
3929 save_file_string = output_file_description(fname);
3934 cmdarg_err("Not all the packets could be written to the %s because there is "
3935 "no space left on the file system.",
3941 cmdarg_err("Not all the packets could be written to the %s because you are "
3942 "too close to, or over your disk quota.",
3947 case WTAP_ERR_CANT_CLOSE:
3948 cmdarg_err("The %s couldn't be closed for some unknown reason.",
3952 case WTAP_ERR_SHORT_WRITE:
3953 cmdarg_err("Not all the packets could be written to the %s.",
3959 cmdarg_err("The %s could not be closed: %s.", save_file_string,
3960 wtap_strerror(err));
3962 cmdarg_err("An error occurred while writing to the %s: %s.",
3963 save_file_string, wtap_strerror(err));
3967 g_free(save_file_string);
3971 show_print_file_io_error(int err)
3976 cmdarg_err("Not all the packets could be printed because there is "
3977 "no space left on the file system.");
3982 cmdarg_err("Not all the packets could be printed because you are "
3983 "too close to, or over your disk quota.");
3988 cmdarg_err("An error occurred while printing packets: %s.",
3995 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
3999 static char errmsg_errno[1024+1];
4002 /* Wiretap error. */
4005 case WTAP_ERR_NOT_REGULAR_FILE:
4006 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4009 case WTAP_ERR_RANDOM_OPEN_PIPE:
4010 /* Seen only when opening a capture file for reading. */
4011 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4014 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4015 /* Seen only when opening a capture file for reading. */
4016 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4019 case WTAP_ERR_UNSUPPORTED:
4020 /* Seen only when opening a capture file for reading. */
4021 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4022 "The file \"%%s\" isn't a capture file in a format TShark understands.\n"
4025 errmsg = errmsg_errno;
4028 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4029 /* Seen only when opening a capture file for writing. */
4030 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4031 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4032 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4033 errmsg = errmsg_errno;
4036 case WTAP_ERR_UNSUPPORTED_FILE_TYPE:
4037 /* Seen only when opening a capture file for writing. */
4038 errmsg = "TShark doesn't support writing capture files in that format.";
4041 case WTAP_ERR_UNSUPPORTED_ENCAP:
4043 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4044 "TShark can't save this capture as a \"%s\" file.",
4045 wtap_file_type_subtype_short_string(file_type));
4047 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4048 "The file \"%%s\" is a capture for a network type that TShark doesn't support.\n"
4052 errmsg = errmsg_errno;
4055 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4057 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4058 "TShark can't save this capture as a \"%s\" file.",
4059 wtap_file_type_subtype_short_string(file_type));
4060 errmsg = errmsg_errno;
4062 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4065 case WTAP_ERR_BAD_FILE:
4066 /* Seen only when opening a capture file for reading. */
4067 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4068 "The file \"%%s\" appears to be damaged or corrupt.\n"
4071 errmsg = errmsg_errno;
4074 case WTAP_ERR_CANT_OPEN:
4076 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4078 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4081 case WTAP_ERR_SHORT_READ:
4082 errmsg = "The file \"%s\" appears to have been cut short"
4083 " in the middle of a packet or other data.";
4086 case WTAP_ERR_SHORT_WRITE:
4087 errmsg = "A full header couldn't be written to the file \"%s\".";
4090 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4091 errmsg = "This file type cannot be written as a compressed file.";
4094 case WTAP_ERR_DECOMPRESS:
4095 /* Seen only when opening a capture file for reading. */
4096 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4097 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4100 errmsg = errmsg_errno;
4104 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4105 "The file \"%%s\" could not be %s: %s.",
4106 for_writing ? "created" : "opened",
4107 wtap_strerror(err));
4108 errmsg = errmsg_errno;
4112 errmsg = file_open_error_message(err, for_writing);
4117 * Open/create errors are reported with an console message in TShark.
4120 open_failure_message(const char *filename, int err, gboolean for_writing)
4122 fprintf(stderr, "tshark: ");
4123 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4124 fprintf(stderr, "\n");
4129 * General errors are reported with an console message in TShark.
4132 failure_message(const char *msg_format, va_list ap)
4134 fprintf(stderr, "tshark: ");
4135 vfprintf(stderr, msg_format, ap);
4136 fprintf(stderr, "\n");
4140 * Read errors are reported with an console message in TShark.
4143 read_failure_message(const char *filename, int err)
4145 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4146 filename, g_strerror(err));
4150 * Write errors are reported with an console message in TShark.
4153 write_failure_message(const char *filename, int err)
4155 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4156 filename, g_strerror(err));
4160 * Report an error in command-line arguments.
4163 cmdarg_err(const char *fmt, ...)
4168 failure_message(fmt, ap);
4173 * Report additional information for an error in command-line arguments.
4176 cmdarg_err_cont(const char *fmt, ...)
4181 vfprintf(stderr, fmt, ap);
4182 fprintf(stderr, "\n");
4188 * Editor modelines - http://www.wireshark.org/tools/modelines.html
4193 * indent-tabs-mode: nil
4196 * vi: set shiftwidth=2 tabstop=8 expandtab:
4197 * :indentSize=2:tabSize=8:noTabs=true:
git.samba.org / metze / wireshark / wip.git / blob