3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 # include <sys/capability.h>
47 #ifndef HAVE_GETOPT_LONG
48 #include "wsutil/wsgetopt.h"
53 #include <epan/exceptions.h>
54 #include <epan/epan-int.h>
55 #include <epan/epan.h>
57 #include <wsutil/clopts_common.h>
58 #include <wsutil/cmdarg_err.h>
59 #include <wsutil/crash_info.h>
60 #include <wsutil/filesystem.h>
61 #include <wsutil/file_util.h>
62 #include <wsutil/privileges.h>
63 #include <wsutil/report_err.h>
64 #include <ws_version_info.h>
65 #include <wiretap/wtap_opttypes.h>
66 #include <wiretap/pcapng.h>
69 #include <epan/timestamp.h>
70 #include <epan/packet.h>
72 #include <epan/wslua/init_wslua.h>
74 #include "frame_tvbuff.h"
75 #include <epan/disabled_protos.h>
76 #include <epan/prefs.h>
77 #include <epan/column.h>
78 #include <epan/decode_as.h>
79 #include <epan/print.h>
80 #include <epan/addr_resolv.h>
82 #include "ui/capture_ui_utils.h"
85 #include "ui/ui_util.h"
86 #include "ui/decode_as_utils.h"
87 #include "ui/cli/tshark-tap.h"
88 #include "ui/cli/tap-exportobject.h"
89 #include "ui/tap_export_pdu.h"
90 #include "ui/dissect_opts.h"
91 #if defined(HAVE_LIBSMI)
92 #include "epan/oids.h"
94 #if defined(HAVE_GEOIP)
95 #include "epan/geoip_db.h"
98 #include "filter_files.h"
99 #include <epan/epan_dissect.h>
100 #include <epan/tap.h>
101 #include <epan/stat_tap_ui.h>
102 #include <epan/conversation_table.h>
103 #include <epan/srt_table.h>
104 #include <epan/rtd_table.h>
105 #include <epan/ex-opt.h>
106 #include <epan/exported_pdu.h>
108 #include "capture_opts.h"
110 #include "caputils/capture-pcap-util.h"
113 #include "caputils/capture_ifinfo.h"
115 #include "caputils/capture-wpcap.h"
116 #include <wsutil/os_version_info.h>
117 #include <wsutil/unicode-utils.h>
119 #include <capchild/capture_session.h>
120 #include <capchild/capture_sync.h>
121 #include <capture_info.h>
122 #endif /* HAVE_LIBPCAP */
124 #include <epan/funnel.h>
126 #include <wsutil/str_util.h>
127 #include <wsutil/utf8_entities.h>
134 #include <wsutil/plugins.h>
138 #define INVALID_OPTION 1
139 #define INVALID_INTERFACE 2
140 #define INVALID_FILE 2
141 #define INVALID_FILTER 2
142 #define INVALID_EXPORT 2
143 #define INVALID_CAPABILITY 2
144 #define INVALID_TAP 2
145 #define INVALID_DATA_LINK 2
146 #define INVALID_CAPTURE 2
147 #define INIT_FAILED 2
150 #define tshark_debug(...) g_warning(__VA_ARGS__)
152 #define tshark_debug(...)
155 static guint32 cum_bytes;
156 static const frame_data *ref;
157 static frame_data ref_frame;
158 static frame_data *prev_dis;
159 static frame_data prev_dis_frame;
160 static frame_data *prev_cap;
161 static frame_data prev_cap_frame;
163 static gboolean perform_two_pass_analysis;
166 * The way the packet decode is to be written.
169 WRITE_TEXT, /* summary or detail text */
170 WRITE_XML, /* PDML or PSML */
171 WRITE_FIELDS, /* User defined list of fields */
172 WRITE_JSON, /* JSON */
173 WRITE_JSON_RAW, /* JSON only raw hex */
174 WRITE_EK /* JSON bulk insert to Elasticsearch */
175 /* Add CSV and the like here */
178 static output_action_e output_action;
179 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
180 static gboolean print_packet_info; /* TRUE if we're to print packet information */
181 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
182 static gboolean print_details; /* TRUE if we're to print packet details information */
183 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
184 static gboolean line_buffered;
185 static gboolean really_quiet = FALSE;
186 static gchar* delimiter_char = " ";
188 static print_format_e print_format = PR_FMT_TEXT;
189 static print_stream_t *print_stream = NULL;
191 static output_fields_t* output_fields = NULL;
192 static gchar **protocolfilter = NULL;
193 static pf_flags protocolfilter_flags = PF_NONE;
195 /* The line separator used between packets, changeable via the -S option */
196 static const char *separator = "";
200 * TRUE if we're to print packet counts to keep track of captured packets.
202 static gboolean print_packet_counts;
204 static capture_options global_capture_opts;
205 static capture_session global_capture_session;
206 static info_data_t global_info_data;
209 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
210 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
213 static gboolean capture(void);
214 static void report_counts(void);
216 static BOOL WINAPI capture_cleanup(DWORD);
218 static void capture_cleanup(int);
220 static void report_counts_siginfo(int);
224 #else /* HAVE_LIBPCAP */
226 static char *output_file_name;
228 #endif /* HAVE_LIBPCAP */
230 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
231 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
232 struct wtap_pkthdr *whdr, const guchar *pd,
234 static void show_capture_file_io_error(const char *, int, gboolean);
235 static void show_print_file_io_error(int err);
236 static gboolean write_preamble(capture_file *cf);
237 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
238 static gboolean write_finale(void);
239 static const char *cf_open_error_message(int err, gchar *err_info,
240 gboolean for_writing, int file_type);
242 static void open_failure_message(const char *filename, int err,
243 gboolean for_writing);
244 static void failure_message(const char *msg_format, va_list ap);
245 static void read_failure_message(const char *filename, int err);
246 static void write_failure_message(const char *filename, int err);
247 static void failure_message_cont(const char *msg_format, va_list ap);
251 static GHashTable *output_only_tables = NULL;
254 const char *sstr; /* The short string */
255 const char *lstr; /* The long string */
259 string_compare(gconstpointer a, gconstpointer b)
261 return strcmp(((const struct string_elem *)a)->sstr,
262 ((const struct string_elem *)b)->sstr);
266 string_elem_print(gpointer data, gpointer not_used _U_)
268 fprintf(stderr, " %s - %s\n",
269 ((struct string_elem *)data)->sstr,
270 ((struct string_elem *)data)->lstr);
274 list_capture_types(void) {
276 struct string_elem *captypes;
279 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
281 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
282 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
283 if (wtap_dump_can_open(i)) {
284 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
285 captypes[i].lstr = wtap_file_type_subtype_string(i);
286 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
289 g_slist_foreach(list, string_elem_print, NULL);
295 list_read_capture_types(void) {
297 struct string_elem *captypes;
299 const char *magic = "Magic-value-based";
300 const char *heuristic = "Heuristics-based";
302 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
303 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
305 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
306 for (i = 0; open_routines[i].name != NULL; i++) {
307 captypes[i].sstr = open_routines[i].name;
308 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
309 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
311 g_slist_foreach(list, string_elem_print, NULL);
317 print_usage(FILE *output)
319 fprintf(output, "\n");
320 fprintf(output, "Usage: tshark [options] ...\n");
321 fprintf(output, "\n");
324 fprintf(output, "Capture interface:\n");
325 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
326 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
327 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
328 fprintf(output, " -p don't capture in promiscuous mode\n");
329 #ifdef HAVE_PCAP_CREATE
330 fprintf(output, " -I capture in monitor mode, if available\n");
332 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
333 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
335 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
336 fprintf(output, " -D print list of interfaces and exit\n");
337 fprintf(output, " -L print list of link-layer types of iface and exit\n");
338 fprintf(output, "\n");
339 fprintf(output, "Capture stop conditions:\n");
340 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
341 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
342 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
343 fprintf(output, " files:NUM - stop after NUM files\n");
344 /*fprintf(output, "\n");*/
345 fprintf(output, "Capture output:\n");
346 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
347 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
348 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
349 #endif /* HAVE_LIBPCAP */
350 #ifdef HAVE_PCAP_REMOTE
351 fprintf(output, "RPCAP options:\n");
352 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
354 /*fprintf(output, "\n");*/
355 fprintf(output, "Input file:\n");
356 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
358 fprintf(output, "\n");
359 fprintf(output, "Processing:\n");
360 fprintf(output, " -2 perform a two-pass analysis\n");
361 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
362 fprintf(output, " (requires -2)\n");
363 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
364 fprintf(output, " syntax\n");
365 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
366 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
367 fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE);
368 fprintf(output, " \"Decode As\", see the man page for details\n");
369 fprintf(output, " Example: tcp.port==8888,http\n");
370 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
371 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
372 fprintf(output, " --disable-protocol <proto_name>\n");
373 fprintf(output, " disable dissection of proto_name\n");
374 fprintf(output, " --enable-heuristic <short_name>\n");
375 fprintf(output, " enable dissection of heuristic protocol\n");
376 fprintf(output, " --disable-heuristic <short_name>\n");
377 fprintf(output, " disable dissection of heuristic protocol\n");
379 /*fprintf(output, "\n");*/
380 fprintf(output, "Output:\n");
381 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
382 fprintf(output, " (or to the standard output for \"-\")\n");
383 fprintf(output, " -C <config profile> start with specified configuration profile\n");
384 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
385 fprintf(output, " an empty \"-F\" option will list the file types\n");
386 fprintf(output, " -V add output of packet tree (Packet Details)\n");
387 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
388 fprintf(output, " separated\n");
389 fprintf(output, " -P print packet summary even when writing to a file\n");
390 fprintf(output, " -S <separator> the line separator to print between packets\n");
391 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
392 fprintf(output, " -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?\n");
393 fprintf(output, " format of text output (def: text)\n");
394 fprintf(output, " -j <protocolfilter> protocols layers filter if -T ek|pdml|json selected\n");
395 fprintf(output, " (e.g. \"ip ip.flags text\", filter does not expand child\n");
396 fprintf(output, " nodes, unless child is specified also in the filter)\n");
397 fprintf(output, " -J <protocolfilter> top level protocol filter if -T ek|pdml|json selected\n");
398 fprintf(output, " (e.g. \"http tcp\", filter which expands all child nodes)\n");
399 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
400 fprintf(output, " _ws.col.Info)\n");
401 fprintf(output, " this option can be repeated to print multiple fields\n");
402 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
403 fprintf(output, " bom=y|n print a UTF-8 BOM\n");
404 fprintf(output, " header=y|n switch headers on and off\n");
405 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
406 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
407 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
408 fprintf(output, " aggregator\n");
409 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
410 fprintf(output, " -t a|ad|d|dd|e|r|u|ud|? output format of time stamps (def: r: rel. to first)\n");
411 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
412 fprintf(output, " -l flush standard output after each packet\n");
413 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
414 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
415 fprintf(output, " -g enable group read access on the output file(s)\n");
416 fprintf(output, " -W n Save extra information in the file, if supported.\n");
417 fprintf(output, " n = write network address resolution information\n");
418 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
419 fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n");
420 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
421 fprintf(output, " --capture-comment <comment>\n");
422 fprintf(output, " add a capture comment to the newly created\n");
423 fprintf(output, " output file (only for pcapng)\n");
424 fprintf(output, " --export-objects <protocol>,<destdir> save exported objects for a protocol to\n");
425 fprintf(output, " a directory named \"destdir\"\n");
427 fprintf(output, "\n");
428 fprintf(output, "Miscellaneous:\n");
429 fprintf(output, " -h display this help and exit\n");
430 fprintf(output, " -v display version info and exit\n");
431 fprintf(output, " -o <name>:<value> ... override preference setting\n");
432 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
433 fprintf(output, " -G [report] dump one of several available reports and exit\n");
434 fprintf(output, " default report=\"fields\"\n");
435 fprintf(output, " use \"-G ?\" for more help\n");
437 fprintf(output, "\n");
438 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
439 fprintf(output, "You might want to reset it\n");
440 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
441 fprintf(output, "\n");
447 glossary_option_help(void)
453 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
455 fprintf(output, "\n");
456 fprintf(output, "Usage: tshark -G [report]\n");
457 fprintf(output, "\n");
458 fprintf(output, "Glossary table reports:\n");
459 fprintf(output, " -G column-formats dump column format codes and exit\n");
460 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
461 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
462 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
463 fprintf(output, " -G fields dump fields glossary and exit\n");
464 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
465 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
466 fprintf(output, " -G plugins dump installed plugins and exit\n");
467 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
468 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
469 fprintf(output, "\n");
470 fprintf(output, "Preference reports:\n");
471 fprintf(output, " -G currentprefs dump current preferences and exit\n");
472 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
473 fprintf(output, " -G folders dump about:folders\n");
474 fprintf(output, "\n");
478 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
479 const gchar *message, gpointer user_data)
481 /* ignore log message, if log_level isn't interesting based
482 upon the console log preferences.
483 If the preferences haven't been loaded loaded yet, display the
486 The default console_log_level preference value is such that only
487 ERROR, CRITICAL and WARNING level messages are processed;
488 MESSAGE, INFO and DEBUG level messages are ignored.
490 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
491 ERROR and CRITICAL level messages so the current code is a behavioral
492 change. The current behavior is the same as in Wireshark.
494 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
495 prefs.console_log_level != 0) {
499 g_log_default_handler(log_domain, log_level, message, user_data);
504 output_file_description(const char *fname)
506 char *save_file_string;
508 /* Get a string that describes what we're writing to */
509 if (strcmp(fname, "-") == 0) {
510 /* We're writing to the standard output */
511 save_file_string = g_strdup("standard output");
513 /* We're writing to a file with the name in save_file */
514 save_file_string = g_strdup_printf("file \"%s\"", fname);
516 return save_file_string;
520 print_current_user(void) {
521 gchar *cur_user, *cur_group;
523 if (started_with_special_privs()) {
524 cur_user = get_cur_username();
525 cur_group = get_cur_groupname();
526 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
527 cur_user, cur_group);
530 if (running_with_special_privs()) {
531 fprintf(stderr, " This could be dangerous.");
533 fprintf(stderr, "\n");
538 get_tshark_compiled_version_info(GString *str)
540 /* Capture libraries */
541 get_compiled_caplibs_version(str);
545 get_tshark_runtime_version_info(GString *str)
548 /* Capture libraries */
549 g_string_append(str, ", ");
550 get_runtime_caplibs_version(str);
553 /* stuff used by libwireshark */
554 epan_get_runtime_version_info(str);
560 const char *constpath;
562 #if defined(HAVE_LIBSMI) || defined(HAVE_GEOIP) || defined(HAVE_EXTCAP)
570 * Fetching the "File" dialogs folder not implemented.
571 * This is arguably just a pwd for a ui/cli .
575 printf("%-21s\t%s\n", "Temp:", g_get_tmp_dir());
578 path = get_persconffile_path("", FALSE);
579 printf("%-21s\t%s\n", "Personal configuration:", path);
583 constpath = get_datafile_dir();
584 if (constpath != NULL) {
585 printf("%-21s\t%s\n", "Global configuration:", constpath);
589 constpath = get_systemfile_dir();
590 printf("%-21s\t%s\n", "System:", constpath);
593 constpath = get_progfile_dir();
594 printf("%-21s\t%s\n", "Program:", constpath);
596 #if defined(HAVE_PLUGINS) || defined(HAVE_LUA)
598 path = get_plugins_pers_dir();
600 printf("%-21s\t%s\n", "Personal Plugins:", path);
605 printf("%-21s\t%s\n", "Global Plugins:", get_plugin_dir());
610 path = geoip_db_get_paths();
612 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
614 for(i = 0; resultArray[i]; i++)
615 printf("%-21s\t%s\n", "GeoIP path:", g_strstrip(resultArray[i]));
617 g_strfreev(resultArray);
623 path = oid_get_default_mib_path();
624 resultArray = g_strsplit(path, G_SEARCHPATH_SEPARATOR_S, 10);
626 for(i = 0; resultArray[i]; i++)
627 printf("%-21s\t%s\n", "MIB/PIB path:", g_strstrip(resultArray[i]));
629 g_strfreev(resultArray);
635 constpath = get_extcap_dir();
637 resultArray = g_strsplit(constpath, G_SEARCHPATH_SEPARATOR_S, 10);
638 for(i = 0; resultArray[i]; i++)
639 printf("%-21s\t%s\n", "Extcap path:", g_strstrip(resultArray[i]));
641 g_strfreev(resultArray);
647 main(int argc, char *argv[])
649 GString *comp_info_str;
650 GString *runtime_info_str;
651 char *init_progfile_dir_error;
653 static const struct option long_options[] = {
654 {"help", no_argument, NULL, 'h'},
655 {"version", no_argument, NULL, 'v'},
656 LONGOPT_CAPTURE_COMMON
657 LONGOPT_DISSECT_COMMON
658 {"export-objects", required_argument, NULL, LONGOPT_EXPORT_OBJECTS},
661 gboolean arg_error = FALSE;
668 char *gpf_path, *pf_path;
669 char *gdp_path, *dp_path;
671 int gpf_open_errno, gpf_read_errno;
672 int pf_open_errno, pf_read_errno;
673 int gdp_open_errno, gdp_read_errno;
674 int dp_open_errno, dp_read_errno;
677 volatile int exit_status = EXIT_SUCCESS;
679 gboolean list_link_layer_types = FALSE;
680 gboolean start_capture = FALSE;
684 gboolean capture_option_specified = FALSE;
686 gboolean quiet = FALSE;
687 #ifdef PCAP_NG_DEFAULT
688 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
690 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
692 volatile gboolean out_file_name_res = FALSE;
693 volatile int in_file_type = WTAP_TYPE_AUTO;
694 gchar *volatile cf_name = NULL;
695 gchar *rfilter = NULL;
696 gchar *dfilter = NULL;
697 #ifdef HAVE_PCAP_OPEN_DEAD
698 struct bpf_program fcode;
700 dfilter_t *rfcode = NULL;
701 dfilter_t *dfcode = NULL;
705 gchar *output_only = NULL;
706 gchar *volatile pdu_export_arg = NULL;
707 exp_pdu_t exp_pdu_tap_data;
710 * The leading + ensures that getopt_long() does not permute the argv[]
713 * We have to make sure that the first getopt_long() preserves the content
714 * of argv[] for the subsequent getopt_long() call.
716 * We use getopt_long() in both cases to ensure that we're using a routine
717 * whose permutation behavior we can control in the same fashion on all
718 * platforms, and so that, if we ever need to process a long argument before
719 * doing further initialization, we can do so.
721 * Glibc and Solaris libc document that a leading + disables permutation
722 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
723 * and OS X don't document it, but do so anyway.
725 * We do *not* use a leading - because the behavior of a leading - is
726 * platform-dependent.
728 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON OPTSTRING_DISSECT_COMMON "C:e:E:F:gG:hH:j:J:lo:O:PqQr:R:S:T:U:vVw:W:xX:Y:z:"
730 static const char optstring[] = OPTSTRING;
732 tshark_debug("tshark started with %d args", argc);
734 /* Set the C-language locale to the native environment. */
735 setlocale(LC_ALL, "");
737 cmdarg_err_init(failure_message, failure_message_cont);
740 arg_list_utf_16to8(argc, argv);
741 create_app_running_mutex();
742 #if !GLIB_CHECK_VERSION(2,31,0)
748 * Get credential information for later use, and drop privileges
749 * before doing anything else.
750 * Let the user know if anything happened.
752 init_process_policies();
753 relinquish_special_privs_perm();
754 print_current_user();
757 * Attempt to get the pathname of the directory containing the
760 init_progfile_dir_error = init_progfile_dir(argv[0], main);
761 if (init_progfile_dir_error != NULL) {
763 "tshark: Can't get pathname of directory containing the tshark program: %s.\n"
764 "It won't be possible to capture traffic.\n"
765 "Report this to the Wireshark developers.",
766 init_progfile_dir_error);
767 g_free(init_progfile_dir_error);
770 initialize_funnel_ops();
773 ws_init_dll_search_path();
774 /* Load wpcap if possible. Do this before collecting the run-time version information */
777 /* Warn the user if npf.sys isn't loaded. */
778 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
779 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
780 "capturing or\nlisting interfaces.\n");
784 /* Get the compile-time version information string */
785 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
786 epan_get_compiled_version_info);
788 /* Get the run-time version information string */
789 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
791 /* Add it to the information to be reported on a crash. */
792 ws_add_crash_info("TShark (Wireshark) %s\n"
797 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
798 g_string_free(comp_info_str, TRUE);
799 g_string_free(runtime_info_str, TRUE);
801 /* Fail sometimes. Useful for testing fuzz scripts. */
802 /* if (g_random_int_range(0, 100) < 5) abort(); */
805 * In order to have the -X opts assigned before the wslua machine starts
806 * we need to call getopt_long before epan_init() gets called.
808 * In order to handle, for example, -o options, we also need to call it
809 * *after* epan_init() gets called, so that the dissectors have had a
810 * chance to register their preferences.
812 * XXX - can we do this all with one getopt_long() call, saving the
813 * arguments we can't handle until after initializing libwireshark,
814 * and then process them after initializing libwireshark?
818 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
820 case 'C': /* Configuration Profile */
821 if (profile_exists (optarg, FALSE)) {
822 set_profile_name (optarg);
824 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
825 exit_status = INVALID_OPTION;
829 case 'P': /* Print packet summary info even when writing to a file */
830 print_packet_info = TRUE;
831 print_summary = TRUE;
833 case 'O': /* Only output these protocols */
834 output_only = g_strdup(optarg);
836 case 'V': /* Verbose */
837 print_details = TRUE;
838 print_packet_info = TRUE;
840 case 'x': /* Print packet data in hex (and ASCII) */
842 /* The user asked for hex output, so let's ensure they get it,
843 * even if they're writing to a file.
845 print_packet_info = TRUE;
856 * Print packet summary information is the default, unless either -V or -x
857 * were specified and -P was not. Note that this is new behavior, which
858 * allows for the possibility of printing only hex/ascii output without
859 * necessarily requiring that either the summary or details be printed too.
861 if (print_summary == -1)
862 print_summary = (print_details || print_hex) ? FALSE : TRUE;
864 /** Send All g_log messages to our own handler **/
868 G_LOG_LEVEL_CRITICAL|
873 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
875 g_log_set_handler(NULL,
876 (GLogLevelFlags)log_flags,
877 tshark_log_handler, NULL /* user_data */);
878 g_log_set_handler(LOG_DOMAIN_MAIN,
879 (GLogLevelFlags)log_flags,
880 tshark_log_handler, NULL /* user_data */);
883 g_log_set_handler(LOG_DOMAIN_CAPTURE,
884 (GLogLevelFlags)log_flags,
885 tshark_log_handler, NULL /* user_data */);
886 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
887 (GLogLevelFlags)log_flags,
888 tshark_log_handler, NULL /* user_data */);
891 init_report_err(failure_message, open_failure_message, read_failure_message,
892 write_failure_message);
895 capture_opts_init(&global_capture_opts);
896 capture_session_init(&global_capture_session, &cfile);
899 timestamp_set_type(TS_RELATIVE);
900 timestamp_set_precision(TS_PREC_AUTO);
901 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
906 /* Register all the plugin types we have. */
907 epan_register_plugin_types(); /* Types known to libwireshark */
909 /* Scan for plugins. This does *not* call their registration routines;
910 that's done later. */
911 scan_plugins(REPORT_LOAD_FAILURE);
913 /* Register all libwiretap plugin modules. */
914 register_all_wiretap_modules();
917 /* Register all dissectors; we must do this before checking for the
918 "-G" flag, as the "-G" flag dumps information registered by the
919 dissectors, and we must do it before we read the preferences, in
920 case any dissectors register preferences. */
921 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
923 exit_status = INIT_FAILED;
927 /* Register all tap listeners; we do this before we parse the arguments,
928 as the "-z" argument can specify a registered tap. */
930 /* we register the plugin taps before the other taps because
931 stats_tree taps plugins will be registered as tap listeners
932 by stats_tree_stat.c and need to registered before that */
934 register_all_plugin_tap_listeners();
937 extcap_register_preferences();
939 register_all_tap_listeners();
940 conversation_table_set_gui_info(init_iousers);
941 hostlist_table_set_gui_info(init_hostlists);
942 srt_table_iterate_tables(register_srt_tables, NULL);
943 rtd_table_iterate_tables(register_rtd_tables, NULL);
944 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
946 /* If invoked with the "-G" flag, we dump out information based on
947 the argument to the "-G" flag; if no argument is specified,
948 for backwards compatibility we dump out a glossary of display
951 XXX - we do this here, for now, to support "-G" with no arguments.
952 If none of our build or other processes uses "-G" with no arguments,
953 we can just process it with the other arguments. */
954 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
955 proto_initialize_all_prefixes();
958 proto_registrar_dump_fields();
960 if (strcmp(argv[2], "column-formats") == 0)
961 column_dump_column_formats();
962 else if (strcmp(argv[2], "currentprefs") == 0) {
963 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
964 &pf_open_errno, &pf_read_errno, &pf_path);
967 else if (strcmp(argv[2], "decodes") == 0)
968 dissector_dump_decodes();
969 else if (strcmp(argv[2], "defaultprefs") == 0)
971 else if (strcmp(argv[2], "dissector-tables") == 0)
972 dissector_dump_dissector_tables();
973 else if (strcmp(argv[2], "fieldcount") == 0) {
974 /* return value for the test suite */
975 exit_status = proto_registrar_dump_fieldcount();
977 } else if (strcmp(argv[2], "fields") == 0)
978 proto_registrar_dump_fields();
979 else if (strcmp(argv[2], "folders") == 0)
981 else if (strcmp(argv[2], "ftypes") == 0)
982 proto_registrar_dump_ftypes();
983 else if (strcmp(argv[2], "heuristic-decodes") == 0)
984 dissector_dump_heur_decodes();
985 else if (strcmp(argv[2], "plugins") == 0) {
990 wslua_plugins_dump_all();
993 else if (strcmp(argv[2], "protocols") == 0)
994 proto_registrar_dump_protocols();
995 else if (strcmp(argv[2], "values") == 0)
996 proto_registrar_dump_values();
997 else if (strcmp(argv[2], "?") == 0)
998 glossary_option_help();
999 else if (strcmp(argv[2], "-?") == 0)
1000 glossary_option_help();
1002 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1003 exit_status = INVALID_OPTION;
1007 exit_status = EXIT_SUCCESS;
1011 /* load the decode as entries of this profile */
1012 load_decode_as_entries();
1014 tshark_debug("tshark reading preferences");
1016 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1017 &pf_open_errno, &pf_read_errno, &pf_path);
1018 if (gpf_path != NULL) {
1019 if (gpf_open_errno != 0) {
1020 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1021 pf_path, g_strerror(gpf_open_errno));
1023 if (gpf_read_errno != 0) {
1024 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1025 pf_path, g_strerror(gpf_read_errno));
1028 if (pf_path != NULL) {
1029 if (pf_open_errno != 0) {
1030 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1031 g_strerror(pf_open_errno));
1033 if (pf_read_errno != 0) {
1034 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1035 pf_path, g_strerror(pf_read_errno));
1041 read_filter_list(CFILTER_LIST, &cf_path, &cf_open_errno);
1042 if (cf_path != NULL) {
1043 cmdarg_err("Could not open your capture filter file\n\"%s\": %s.",
1044 cf_path, g_strerror(cf_open_errno));
1048 /* Read the disabled protocols file. */
1049 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1050 &dp_path, &dp_open_errno, &dp_read_errno);
1051 read_enabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1052 &dp_path, &dp_open_errno, &dp_read_errno);
1053 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1054 &dp_path, &dp_open_errno, &dp_read_errno);
1055 if (gdp_path != NULL) {
1056 if (gdp_open_errno != 0) {
1057 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1058 gdp_path, g_strerror(gdp_open_errno));
1060 if (gdp_read_errno != 0) {
1061 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1062 gdp_path, g_strerror(gdp_read_errno));
1066 if (dp_path != NULL) {
1067 if (dp_open_errno != 0) {
1069 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1070 g_strerror(dp_open_errno));
1072 if (dp_read_errno != 0) {
1074 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1075 g_strerror(dp_read_errno));
1080 cap_file_init(&cfile);
1082 /* Print format defaults to this. */
1083 print_format = PR_FMT_TEXT;
1084 delimiter_char = " ";
1086 output_fields = output_fields_new();
1089 * To reset the options parser, set optreset to 1 on platforms that
1090 * have optreset (documented in *BSD and OS X, apparently present but
1091 * not documented in Solaris - the Illumos repository seems to
1092 * suggest that the first Solaris getopt_long(), at least as of 2004,
1093 * was based on the NetBSD one, it had optreset) and set optind to 1,
1094 * and set optind to 0 otherwise (documented as working in the GNU
1095 * getopt_long(). Setting optind to 0 didn't originally work in the
1096 * NetBSD one, but that was added later - we don't want to depend on
1097 * it if we have optreset).
1099 * Also reset opterr to 1, so that error messages are printed by
1102 #ifdef HAVE_OPTRESET
1110 /* Now get our args */
1111 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1113 case '2': /* Perform two pass analysis */
1114 perform_two_pass_analysis = TRUE;
1116 case 'a': /* autostop criteria */
1117 case 'b': /* Ringbuffer option */
1118 case 'c': /* Capture x packets */
1119 case 'f': /* capture filter */
1120 case 'g': /* enable group read access on file(s) */
1121 case 'i': /* Use interface x */
1122 case 'p': /* Don't capture in promiscuous mode */
1123 #ifdef HAVE_PCAP_REMOTE
1124 case 'A': /* Authentication */
1126 #ifdef HAVE_PCAP_CREATE
1127 case 'I': /* Capture in monitor mode, if available */
1129 case 's': /* Set the snapshot (capture) length */
1130 case 'w': /* Write to capture file x */
1131 case 'y': /* Set the pcap data link type */
1132 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1133 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1134 case 'B': /* Buffer size */
1137 exit_status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1138 if (exit_status != 0) {
1144 * Output file name, if we're reading a file and writing to another
1147 output_file_name = optarg;
1149 capture_option_specified = TRUE;
1155 /* already processed; just ignore it now */
1157 case 'D': /* Print a list of capture devices and exit */
1159 if_list = capture_interface_list(&err, &err_str,NULL);
1160 if (if_list == NULL) {
1162 cmdarg_err("There are no interfaces on which a capture can be done");
1164 cmdarg_err("%s", err_str);
1167 exit_status = INVALID_INTERFACE;
1170 capture_opts_print_interfaces(if_list);
1171 free_interface_list(if_list);
1172 exit_status = EXIT_SUCCESS;
1175 capture_option_specified = TRUE;
1181 output_fields_add(output_fields, optarg);
1185 if (!output_fields_set_option(output_fields, optarg)) {
1186 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1187 output_fields_list_options(stderr);
1188 exit_status = INVALID_OPTION;
1193 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1194 if (out_file_type < 0) {
1195 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1196 list_capture_types();
1197 exit_status = INVALID_OPTION;
1202 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1205 protocolfilter_flags = PF_INCLUDE_CHILDREN;
1206 protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1);
1208 case 'W': /* Select extra information to save in our capture file */
1209 /* This is patterned after the -N flag which may not be the best idea. */
1210 if (strchr(optarg, 'n')) {
1211 out_file_name_res = TRUE;
1213 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1214 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1215 exit_status = INVALID_OPTION;
1219 case 'H': /* Read address to name mappings from a hosts file */
1220 if (! add_hosts_file(optarg))
1222 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1223 exit_status = INVALID_OPTION;
1226 out_file_name_res = TRUE;
1229 case 'h': /* Print help and exit */
1230 printf("TShark (Wireshark) %s\n"
1231 "Dump and analyze network traffic.\n"
1232 "See https://www.wireshark.org for more information.\n",
1233 get_ws_vcs_version_info());
1234 print_usage(stdout);
1235 exit_status = EXIT_SUCCESS;
1238 case 'l': /* "Line-buffer" standard output */
1239 /* This isn't line-buffering, strictly speaking, it's just
1240 flushing the standard output after the information for
1241 each packet is printed; however, that should be good
1242 enough for all the purposes to which "-l" is put (and
1243 is probably actually better for "-V", as it does fewer
1246 See the comment in "process_packet()" for an explanation of
1247 why we do that, and why we don't just use "setvbuf()" to
1248 make the standard output line-buffered (short version: in
1249 Windows, "line-buffered" is the same as "fully-buffered",
1250 and the output buffer is only flushed when it fills up). */
1251 line_buffered = TRUE;
1253 case 'L': /* Print list of link-layer types and exit */
1255 list_link_layer_types = TRUE;
1257 capture_option_specified = TRUE;
1261 case 'o': /* Override preference from command line */
1262 switch (prefs_set_pref(optarg)) {
1267 case PREFS_SET_SYNTAX_ERR:
1268 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1269 exit_status = INVALID_OPTION;
1273 case PREFS_SET_NO_SUCH_PREF:
1274 case PREFS_SET_OBSOLETE:
1275 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1276 exit_status = INVALID_OPTION;
1281 case 'q': /* Quiet */
1284 case 'Q': /* Really quiet */
1286 really_quiet = TRUE;
1288 case 'r': /* Read capture file x */
1289 cf_name = g_strdup(optarg);
1291 case 'R': /* Read file filter */
1295 /* already processed; just ignore it now */
1297 case 'S': /* Set the line Separator to be printed between packets */
1300 case 'T': /* printing Type */
1301 print_packet_info = TRUE;
1302 if (strcmp(optarg, "text") == 0) {
1303 output_action = WRITE_TEXT;
1304 print_format = PR_FMT_TEXT;
1305 } else if (strcmp(optarg, "tabs") == 0) {
1306 output_action = WRITE_TEXT;
1307 print_format = PR_FMT_TEXT;
1308 delimiter_char = "\t";
1309 } else if (strcmp(optarg, "ps") == 0) {
1310 output_action = WRITE_TEXT;
1311 print_format = PR_FMT_PS;
1312 } else if (strcmp(optarg, "pdml") == 0) {
1313 output_action = WRITE_XML;
1314 print_details = TRUE; /* Need details */
1315 print_summary = FALSE; /* Don't allow summary */
1316 } else if (strcmp(optarg, "psml") == 0) {
1317 output_action = WRITE_XML;
1318 print_details = FALSE; /* Don't allow details */
1319 print_summary = TRUE; /* Need summary */
1320 } else if (strcmp(optarg, "fields") == 0) {
1321 output_action = WRITE_FIELDS;
1322 print_details = TRUE; /* Need full tree info */
1323 print_summary = FALSE; /* Don't allow summary */
1324 } else if (strcmp(optarg, "json") == 0) {
1325 output_action = WRITE_JSON;
1326 print_details = TRUE; /* Need details */
1327 print_summary = FALSE; /* Don't allow summary */
1328 } else if (strcmp(optarg, "ek") == 0) {
1329 output_action = WRITE_EK;
1330 print_details = TRUE; /* Need details */
1331 print_summary = FALSE; /* Don't allow summary */
1332 } else if (strcmp(optarg, "jsonraw") == 0) {
1333 output_action = WRITE_JSON_RAW;
1334 print_details = TRUE; /* Need details */
1335 print_summary = FALSE; /* Don't allow summary */
1338 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1339 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1340 "\t specified by the -E option.\n"
1341 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1342 "\t details of a decoded packet. This information is equivalent to\n"
1343 "\t the packet details printed with the -V flag.\n"
1344 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1345 "\t the packets, or a multi-line view of the details of each of\n"
1346 "\t the packets, depending on whether the -V flag was specified.\n"
1347 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1348 "\t summary information of a decoded packet. This information is\n"
1349 "\t equivalent to the information shown in the one-line summary\n"
1350 "\t printed by default.\n"
1351 "\t\"json\" Packet Summary, an JSON-based format for the details\n"
1352 "\t summary information of a decoded packet. This information is \n"
1353 "\t equivalent to the packet details printed with the -V flag.\n"
1354 "\t\"jsonraw\" Packet Details, a JSON-based format for machine parsing\n"
1355 "\t including only raw hex decoded fields (same as -T json -x but\n"
1356 "\t without text decoding, only raw fields included). \n"
1357 "\t\"ek\" Packet Details, an EK JSON-based format for the bulk insert \n"
1358 "\t into elastic search cluster. This information is \n"
1359 "\t equivalent to the packet details printed with the -V flag.\n"
1360 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1361 "\t packets, or a multi-line view of the details of each of the\n"
1362 "\t packets, depending on whether the -V flag was specified.\n"
1363 "\t This is the default.\n"
1364 "\t\"tabs\" Similar to the text report except that each column of the\n"
1365 "\t human-readable one-line summary is delimited with an ASCII\n"
1366 "\t horizontal tab character.");
1367 exit_status = INVALID_OPTION;
1371 case 'U': /* Export PDUs to file */
1373 GSList *export_pdu_tap_name_list = NULL;
1376 cmdarg_err("A tap name is required. Valid names are:");
1377 for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) {
1378 cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data));
1380 exit_status = INVALID_OPTION;
1383 pdu_export_arg = g_strdup(optarg);
1386 case 'v': /* Show version and exit */
1387 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1388 epan_get_compiled_version_info);
1389 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1390 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1391 g_string_free(comp_info_str, TRUE);
1392 g_string_free(runtime_info_str, TRUE);
1393 /* We don't really have to cleanup here, but it's a convenient way to test
1394 * start-up and shut-down of the epan library without any UI-specific
1395 * cruft getting in the way. Makes the results of running
1396 * $ ./tools/valgrind-wireshark -n
1397 * much more useful. */
1402 exit_status = EXIT_SUCCESS;
1404 case 'O': /* Only output these protocols */
1405 /* already processed; just ignore it now */
1407 case 'V': /* Verbose */
1408 /* already processed; just ignore it now */
1410 case 'x': /* Print packet data in hex (and ASCII) */
1411 /* already processed; just ignore it now */
1414 /* already processed; just ignore it now */
1420 /* We won't call the init function for the stat this soon
1421 as it would disallow MATE's fields (which are registered
1422 by the preferences set callback) from being used as
1423 part of a tap filter. Instead, we just add the argument
1424 to a list of stat arguments. */
1425 if (strcmp("help", optarg) == 0) {
1426 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1427 list_stat_cmd_args();
1428 exit_status = EXIT_SUCCESS;
1431 if (!process_stat_cmd_arg(optarg)) {
1432 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1433 list_stat_cmd_args();
1434 exit_status = INVALID_OPTION;
1438 case 'd': /* Decode as rule */
1439 case 'K': /* Kerberos keytab file */
1440 case 'n': /* No name resolution */
1441 case 'N': /* Select what types of addresses/port #s to resolve */
1442 case 't': /* Time stamp type */
1443 case 'u': /* Seconds type */
1444 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1445 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1446 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1447 case LONGOPT_ENABLE_PROTOCOL: /* enable dissection of protocol (that is disabled by default) */
1448 if (!dissect_opts_handle_opt(opt, optarg)) {
1449 exit_status = INVALID_OPTION;
1453 case LONGOPT_EXPORT_OBJECTS: /* --export-objects */
1454 if (strcmp("help", optarg) == 0) {
1455 fprintf(stderr, "tshark: The available export object types for the \"--export-objects\" option are:\n");
1456 eo_list_object_types();
1457 exit_status = EXIT_SUCCESS;
1460 if (!eo_tap_opt_add(optarg)) {
1461 exit_status = INVALID_OPTION;
1466 case '?': /* Bad flag - print usage message */
1469 list_capture_types();
1472 print_usage(stderr);
1474 exit_status = INVALID_OPTION;
1480 /* If we specified output fields, but not the output field type... */
1481 if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) {
1482 cmdarg_err("Output fields were specified with \"-e\", "
1483 "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified.");
1484 exit_status = INVALID_OPTION;
1486 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1487 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1488 "specified with \"-e\".");
1490 exit_status = INVALID_OPTION;
1494 /* If no capture filter or display filter has been specified, and there are
1495 still command-line arguments, treat them as the tokens of a capture
1496 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1497 flag was specified. */
1498 if (optind < argc) {
1499 if (cf_name != NULL) {
1500 if (dfilter != NULL) {
1501 cmdarg_err("Display filters were specified both with \"-d\" "
1502 "and with additional command-line arguments.");
1503 exit_status = INVALID_OPTION;
1506 dfilter = get_args_as_string(argc, argv, optind);
1511 if (global_capture_opts.default_options.cfilter) {
1512 cmdarg_err("A default capture filter was specified both with \"-f\""
1513 " and with additional command-line arguments.");
1514 exit_status = INVALID_OPTION;
1517 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1518 interface_options interface_opts;
1519 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1520 if (interface_opts.cfilter == NULL) {
1521 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1522 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1523 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1525 cmdarg_err("A capture filter was specified both with \"-f\""
1526 " and with additional command-line arguments.");
1527 exit_status = INVALID_OPTION;
1531 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1533 capture_option_specified = TRUE;
1539 if (!global_capture_opts.saving_to_file) {
1540 /* We're not saving the capture to a file; if "-q" wasn't specified,
1541 we should print packet information */
1543 print_packet_info = TRUE;
1545 /* We're saving to a file; if we're writing to the standard output.
1546 and we'll also be writing dissected packets to the standard
1547 output, reject the request. At best, we could redirect that
1548 to the standard error; we *can't* write both to the standard
1549 output and have either of them be useful. */
1550 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1551 cmdarg_err("You can't write both raw packet data and dissected packets"
1552 " to the standard output.");
1553 exit_status = INVALID_OPTION;
1558 /* We're not saving the capture to a file; if "-q" wasn't specified,
1559 we should print packet information */
1561 print_packet_info = TRUE;
1564 #ifndef HAVE_LIBPCAP
1565 if (capture_option_specified)
1566 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1569 print_usage(stderr);
1570 exit_status = INVALID_OPTION;
1575 if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_JSON_RAW && output_action != WRITE_EK) {
1576 cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON, JSONRAW or EK JSON");
1577 exit_status = INVALID_OPTION;
1582 if (output_only != NULL) {
1585 if (!print_details) {
1586 cmdarg_err("-O requires -V");
1587 exit_status = INVALID_OPTION;
1591 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1592 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1593 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1597 if (rfilter != NULL && !perform_two_pass_analysis) {
1598 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1599 exit_status = INVALID_OPTION;
1604 if (list_link_layer_types) {
1605 /* We're supposed to list the link-layer types for an interface;
1606 did the user also specify a capture file to be read? */
1608 /* Yes - that's bogus. */
1609 cmdarg_err("You can't specify -L and a capture file to be read.");
1610 exit_status = INVALID_OPTION;
1613 /* No - did they specify a ring buffer option? */
1614 if (global_capture_opts.multi_files_on) {
1615 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1616 exit_status = INVALID_OPTION;
1622 * "-r" was specified, so we're reading a capture file.
1623 * Capture options don't apply here.
1626 /* We don't support capture filters when reading from a capture file
1627 (the BPF compiler doesn't support all link-layer types that we
1628 support in capture files we read). */
1629 if (global_capture_opts.default_options.cfilter) {
1630 cmdarg_err("Only read filters, not capture filters, "
1631 "can be specified when reading a capture file.");
1632 exit_status = INVALID_OPTION;
1635 if (global_capture_opts.multi_files_on) {
1636 cmdarg_err("Multiple capture files requested, but "
1637 "a capture isn't being done.");
1638 exit_status = INVALID_OPTION;
1641 if (global_capture_opts.has_file_duration) {
1642 cmdarg_err("Switching capture files after a time interval was specified, but "
1643 "a capture isn't being done.");
1644 exit_status = INVALID_OPTION;
1647 if (global_capture_opts.has_ring_num_files) {
1648 cmdarg_err("A ring buffer of capture files was specified, but "
1649 "a capture isn't being done.");
1650 exit_status = INVALID_OPTION;
1653 if (global_capture_opts.has_autostop_files) {
1654 cmdarg_err("A maximum number of capture files was specified, but "
1655 "a capture isn't being done.");
1656 exit_status = INVALID_OPTION;
1659 if (global_capture_opts.capture_comment) {
1660 cmdarg_err("A capture comment was specified, but "
1661 "a capture isn't being done.\nThere's no support for adding "
1662 "a capture comment to an existing capture file.");
1663 exit_status = INVALID_OPTION;
1667 /* Note: TShark now allows the restriction of a _read_ file by packet count
1668 * and byte count as well as a write file. Other autostop options remain valid
1669 * only for a write file.
1671 if (global_capture_opts.has_autostop_duration) {
1672 cmdarg_err("A maximum capture time was specified, but "
1673 "a capture isn't being done.");
1674 exit_status = INVALID_OPTION;
1679 * "-r" wasn't specified, so we're doing a live capture.
1681 if (perform_two_pass_analysis) {
1682 /* Two-pass analysis doesn't work with live capture since it requires us
1683 * to buffer packets until we've read all of them, but a live capture
1684 * has no useful/meaningful definition of "all" */
1685 cmdarg_err("Live captures do not support two-pass analysis.");
1686 exit_status = INVALID_OPTION;
1690 if (global_capture_opts.saving_to_file) {
1691 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1693 /* When capturing, we only support writing pcap or pcap-ng format. */
1694 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1695 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1696 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1697 exit_status = INVALID_OPTION;
1700 if (global_capture_opts.capture_comment &&
1701 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1702 cmdarg_err("A capture comment can only be written to a pcapng file.");
1703 exit_status = INVALID_OPTION;
1706 if (global_capture_opts.multi_files_on) {
1707 /* Multiple-file mode doesn't work under certain conditions:
1708 a) it doesn't work if you're writing to the standard output;
1709 b) it doesn't work if you're writing to a pipe;
1711 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1712 cmdarg_err("Multiple capture files requested, but "
1713 "the capture is being written to the standard output.");
1714 exit_status = INVALID_OPTION;
1717 if (global_capture_opts.output_to_pipe) {
1718 cmdarg_err("Multiple capture files requested, but "
1719 "the capture file is a pipe.");
1720 exit_status = INVALID_OPTION;
1723 if (!global_capture_opts.has_autostop_filesize &&
1724 !global_capture_opts.has_file_duration) {
1725 cmdarg_err("Multiple capture files requested, but "
1726 "no maximum capture file size or duration was specified.");
1727 exit_status = INVALID_OPTION;
1731 /* Currently, we don't support read or display filters when capturing
1732 and saving the packets. */
1733 if (rfilter != NULL) {
1734 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1735 exit_status = INVALID_OPTION;
1738 if (dfilter != NULL) {
1739 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1740 exit_status = INVALID_OPTION;
1743 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1745 /* They didn't specify a "-w" flag, so we won't be saving to a
1746 capture file. Check for options that only make sense if
1747 we're saving to a file. */
1748 if (global_capture_opts.has_autostop_filesize) {
1749 cmdarg_err("Maximum capture file size specified, but "
1750 "capture isn't being saved to a file.");
1751 exit_status = INVALID_OPTION;
1754 if (global_capture_opts.multi_files_on) {
1755 cmdarg_err("Multiple capture files requested, but "
1756 "the capture isn't being saved to a file.");
1757 exit_status = INVALID_OPTION;
1760 if (global_capture_opts.capture_comment) {
1761 cmdarg_err("A capture comment was specified, but "
1762 "the capture isn't being saved to a file.");
1763 exit_status = INVALID_OPTION;
1772 /* Start windows sockets */
1773 result = WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1776 exit_status = INIT_FAILED;
1781 /* Notify all registered modules that have had any of their preferences
1782 changed either from one of the preferences file or from the command
1783 line that their preferences have changed. */
1786 /* At this point MATE will have registered its field array so we can
1787 have a tap filter with one of MATE's late-registered fields as part
1788 of the filter. We can now process all the "-z" arguments. */
1789 start_requested_stats();
1791 /* We can also enable specified taps for export object */
1792 start_exportobjects();
1794 /* At this point MATE will have registered its field array so we can
1795 check if the fields specified by the user are all good.
1799 GSList *invalid_fields = output_fields_valid(output_fields);
1800 if (invalid_fields != NULL) {
1802 cmdarg_err("Some fields aren't valid:");
1803 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
1804 cmdarg_err_cont("\t%s", (gchar *)it->data);
1806 g_slist_free(invalid_fields);
1807 exit_status = INVALID_OPTION;
1812 /* We currently don't support taps, or printing dissected packets,
1813 if we're writing to a pipe. */
1814 if (global_capture_opts.saving_to_file &&
1815 global_capture_opts.output_to_pipe) {
1816 if (tap_listeners_require_dissection()) {
1817 cmdarg_err("Taps aren't supported when saving to a pipe.");
1818 exit_status = INVALID_OPTION;
1821 if (print_packet_info) {
1822 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
1823 exit_status = INVALID_OPTION;
1829 if (ex_opt_count("read_format") > 0) {
1830 const gchar* name = ex_opt_get_next("read_format");
1831 in_file_type = open_info_name_to_type(name);
1832 if (in_file_type == WTAP_TYPE_AUTO) {
1833 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
1834 list_read_capture_types();
1835 exit_status = INVALID_OPTION;
1840 timestamp_set_type(global_dissect_options.time_format);
1842 /* disabled protocols as per configuration file */
1843 if (gdp_path == NULL && dp_path == NULL) {
1844 set_disabled_protos_list();
1845 set_enabled_protos_list();
1846 set_disabled_heur_dissector_list();
1849 if(global_dissect_options.disable_protocol_slist) {
1850 GSList *proto_disable;
1851 for (proto_disable = global_dissect_options.disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
1853 proto_disable_proto_by_name((char*)proto_disable->data);
1857 if(global_dissect_options.enable_protocol_slist) {
1858 GSList *proto_enable;
1859 for (proto_enable = global_dissect_options.enable_protocol_slist; proto_enable != NULL; proto_enable = g_slist_next(proto_enable))
1861 proto_enable_proto_by_name((char*)proto_enable->data);
1865 if(global_dissect_options.enable_heur_slist) {
1866 GSList *heur_enable;
1867 for (heur_enable = global_dissect_options.enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
1869 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
1873 if(global_dissect_options.disable_heur_slist) {
1874 GSList *heur_disable;
1875 for (heur_disable = global_dissect_options.disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
1877 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
1881 /* Build the column format array */
1882 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
1885 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
1886 capture_opts_trim_ring_num_files(&global_capture_opts);
1889 if (rfilter != NULL) {
1890 tshark_debug("Compiling read filter: '%s'", rfilter);
1891 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
1892 cmdarg_err("%s", err_msg);
1898 #ifdef HAVE_PCAP_OPEN_DEAD
1902 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1904 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
1906 " Note: That read filter code looks like a valid capture filter;\n"
1907 " maybe you mixed them up?");
1913 exit_status = INVALID_INTERFACE;
1917 cfile.rfcode = rfcode;
1919 if (dfilter != NULL) {
1920 tshark_debug("Compiling display filter: '%s'", dfilter);
1921 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
1922 cmdarg_err("%s", err_msg);
1928 #ifdef HAVE_PCAP_OPEN_DEAD
1932 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
1934 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
1936 " Note: That display filter code looks like a valid capture filter;\n"
1937 " maybe you mixed them up?");
1943 exit_status = INVALID_FILTER;
1947 cfile.dfcode = dfcode;
1949 if (print_packet_info) {
1950 /* If we're printing as text or PostScript, we have
1951 to create a print stream. */
1952 if (output_action == WRITE_TEXT) {
1953 switch (print_format) {
1956 print_stream = print_stream_text_stdio_new(stdout);
1960 print_stream = print_stream_ps_stdio_new(stdout);
1964 g_assert_not_reached();
1969 /* PDU export requested. Take the ownership of the '-w' file, apply tap
1970 * filters and start tapping. */
1971 if (pdu_export_arg) {
1972 const char *exp_pdu_filename;
1973 const char *exp_pdu_tap_name = pdu_export_arg;
1974 const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */
1975 char *exp_pdu_error;
1979 cmdarg_err("PDUs export requires a capture file (specify with -r).");
1980 exit_status = INVALID_OPTION;
1983 /* Take ownership of the '-w' output file. */
1985 exp_pdu_filename = global_capture_opts.save_file;
1986 global_capture_opts.save_file = NULL;
1988 exp_pdu_filename = output_file_name;
1989 output_file_name = NULL;
1991 if (exp_pdu_filename == NULL) {
1992 cmdarg_err("PDUs export requires an output file (-w).");
1993 exit_status = INVALID_OPTION;
1997 exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter,
1999 if (exp_pdu_error) {
2000 cmdarg_err("Cannot register tap: %s", exp_pdu_error);
2001 g_free(exp_pdu_error);
2002 exit_status = INVALID_TAP;
2006 exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
2008 cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE));
2009 exit_status = INVALID_FILE;
2013 /* Activate the export PDU tap */
2014 err = exp_pdu_open(&exp_pdu_tap_data, exp_fd,
2015 g_strdup_printf("Dump of PDUs from %s", cf_name));
2017 cmdarg_err("Failed to start the PDU export: %s", g_strerror(err));
2018 exit_status = INVALID_EXPORT;
2023 /* We have to dissect each packet if:
2025 we're printing information about each packet;
2027 we're using a read filter on the packets;
2029 we're using a display filter on the packets;
2031 we're exporting PDUs;
2033 we're using any taps that need dissection. */
2034 do_dissection = print_packet_info || rfcode || dfcode || pdu_export_arg ||
2035 tap_listeners_require_dissection();
2036 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2039 tshark_debug("tshark: Opening capture file: %s", cf_name);
2041 * We're reading a capture file.
2043 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2048 exit_status = INVALID_FILE;
2052 /* Process the packets in the file */
2053 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2056 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2057 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2058 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2060 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2063 CATCH(OutOfMemoryError) {
2067 "Sorry, but TShark has to terminate now.\n"
2069 "More information and workarounds can be found at\n"
2070 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2075 /* We still dump out the results of taps, etc., as we might have
2076 read some packets; however, we exit with an error status. */
2080 if (pdu_export_arg) {
2081 err = exp_pdu_close(&exp_pdu_tap_data);
2083 cmdarg_err("%s", wtap_strerror(err));
2086 g_free(pdu_export_arg);
2089 tshark_debug("tshark: no capture file specified");
2090 /* No capture file specified, so we're supposed to do a live capture
2091 or get a list of link-layer types for a live capture device;
2092 do we have support for live captures? */
2094 /* if no interface was specified, pick a default */
2095 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2096 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2097 if (exit_status != 0) {
2101 /* if requested, list the link layer types and exit */
2102 if (list_link_layer_types) {
2105 /* Get the list of link-layer types for the capture devices. */
2106 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2107 interface_options interface_opts;
2108 if_capabilities_t *caps;
2109 char *auth_str = NULL;
2111 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2112 #ifdef HAVE_PCAP_REMOTE
2113 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2114 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2117 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2120 cmdarg_err("%s", err_str);
2122 exit_status = INVALID_CAPABILITY;
2125 if (caps->data_link_types == NULL) {
2126 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2127 exit_status = INVALID_DATA_LINK;
2130 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2131 free_if_capabilities(caps);
2133 exit_status = EXIT_SUCCESS;
2138 * If the standard error isn't a terminal, don't print packet counts,
2139 * as they won't show up on the user's terminal and they'll get in
2140 * the way of error messages in the file (to which we assume the
2141 * standard error was redirected; if it's redirected to the null
2142 * device, there's no point in printing packet counts anyway).
2144 * Otherwise, if we're printing packet information and the standard
2145 * output is a terminal (which we assume means the standard output and
2146 * error are going to the same terminal), don't print packet counts,
2147 * as they'll get in the way of the packet information.
2149 * Otherwise, if the user specified -q, don't print packet counts.
2151 * Otherwise, print packet counts.
2153 * XXX - what if the user wants to do a live capture, doesn't want
2154 * to save it to a file, doesn't want information printed for each
2155 * packet, does want some "-z" statistic, and wants packet counts
2156 * so they know whether they're seeing any packets? -q will
2157 * suppress the information printed for each packet, but it'll
2158 * also suppress the packet counts.
2160 if (!ws_isatty(ws_fileno(stderr)))
2161 print_packet_counts = FALSE;
2162 else if (print_packet_info && ws_isatty(ws_fileno(stdout)))
2163 print_packet_counts = FALSE;
2165 print_packet_counts = FALSE;
2167 print_packet_counts = TRUE;
2169 if (print_packet_info) {
2170 if (!write_preamble(&cfile)) {
2171 show_print_file_io_error(errno);
2172 exit_status = INVALID_FILE;
2177 tshark_debug("tshark: performing live capture");
2179 * XXX - this returns FALSE if an error occurred, but it also
2180 * returns FALSE if the capture stops because a time limit
2181 * was reached (and possibly other limits), so we can't assume
2182 * it means an error.
2184 * The capture code is a bit twisty, so it doesn't appear to
2185 * be an easy fix. We just ignore the return value for now.
2186 * Instead, pass on the exit status from the capture child.
2189 exit_status = global_capture_session.fork_child_status;
2191 if (print_packet_info) {
2192 if (!write_finale()) {
2194 show_print_file_io_error(err);
2198 /* No - complain. */
2199 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2200 exit_status = INVALID_CAPTURE;
2207 if (cfile.frames != NULL) {
2208 free_frame_data_sequence(cfile.frames);
2209 cfile.frames = NULL;
2212 draw_tap_listeners(TRUE);
2213 funnel_dump_all_text_windows();
2214 epan_free(cfile.epan);
2220 output_fields_free(output_fields);
2221 output_fields = NULL;
2224 destroy_print_stream(print_stream);
2226 capture_opts_cleanup(&global_capture_opts);
2228 col_cleanup(&cfile.cinfo);
2229 free_filter_lists();
2239 /*#define USE_BROKEN_G_MAIN_LOOP*/
2241 #ifdef USE_BROKEN_G_MAIN_LOOP
2244 gboolean loop_running = FALSE;
2246 guint32 packet_count = 0;
2249 typedef struct pipe_input_tag {
2252 ws_process_id *child_process;
2253 pipe_input_cb_t input_cb;
2254 guint pipe_input_id;
2256 GMutex *callback_running;
2260 static pipe_input_t pipe_input;
2263 /* The timer has expired, see if there's stuff to read from the pipe,
2264 if so, do the callback */
2266 pipe_timer_cb(gpointer data)
2272 pipe_input_t *pipe_input_p = data;
2273 gint iterations = 0;
2275 g_mutex_lock (pipe_input_p->callback_running);
2277 /* try to read data from the pipe only 5 times, to avoid blocking */
2278 while(iterations < 5) {
2279 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2281 /* Oddly enough although Named pipes don't work on win9x,
2282 PeekNamedPipe does !!! */
2283 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2284 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2286 /* Get the child process exit status */
2287 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2290 /* If the Peek returned an error, or there are bytes to be read
2291 or the childwatcher thread has terminated then call the normal
2293 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2295 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2297 /* And call the real handler */
2298 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2299 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2300 /* pipe closed, return false so that the timer is stopped */
2301 g_mutex_unlock (pipe_input_p->callback_running);
2306 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2307 /* No data, stop now */
2314 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2316 g_mutex_unlock (pipe_input_p->callback_running);
2318 /* we didn't stopped the timer, so let it run */
2325 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2328 pipe_input.source = source;
2329 pipe_input.child_process = child_process;
2330 pipe_input.user_data = user_data;
2331 pipe_input.input_cb = input_cb;
2334 #if GLIB_CHECK_VERSION(2,31,0)
2335 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2336 g_mutex_init(pipe_input.callback_running);
2338 pipe_input.callback_running = g_mutex_new();
2340 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2341 do this but that doesn't cover all win32 platforms. GTK can do
2342 this but doesn't seem to work over processes. Attempt to do
2343 something similar here, start a timer and check for data on every
2345 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2346 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2350 static const nstime_t *
2351 tshark_get_frame_ts(void *data, guint32 frame_num)
2353 capture_file *cf = (capture_file *) data;
2355 if (ref && ref->num == frame_num)
2356 return &ref->abs_ts;
2358 if (prev_dis && prev_dis->num == frame_num)
2359 return &prev_dis->abs_ts;
2361 if (prev_cap && prev_cap->num == frame_num)
2362 return &prev_cap->abs_ts;
2365 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2367 return (fd) ? &fd->abs_ts : NULL;
2374 tshark_epan_new(capture_file *cf)
2376 epan_t *epan = epan_new();
2379 epan->get_frame_ts = tshark_get_frame_ts;
2380 epan->get_interface_name = cap_file_get_interface_name;
2381 epan->get_interface_description = cap_file_get_interface_description;
2382 epan->get_user_comment = NULL;
2394 #ifdef USE_TSHARK_SELECT
2398 struct sigaction action, oldaction;
2401 /* Create new dissection section. */
2402 epan_free(cfile.epan);
2403 cfile.epan = tshark_epan_new(&cfile);
2406 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2407 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2409 /* Catch SIGINT and SIGTERM and, if we get either of them,
2410 clean up and exit. If SIGHUP isn't being ignored, catch
2411 it too and, if we get it, clean up and exit.
2413 We restart any read that was in progress, so that it doesn't
2414 disrupt reading from the sync pipe. The signal handler tells
2415 the capture child to finish; it will report that it finished,
2416 or will exit abnormally, so we'll stop reading from the sync
2417 pipe, pick up the exit status, and quit. */
2418 memset(&action, 0, sizeof(action));
2419 action.sa_handler = capture_cleanup;
2420 action.sa_flags = SA_RESTART;
2421 sigemptyset(&action.sa_mask);
2422 sigaction(SIGTERM, &action, NULL);
2423 sigaction(SIGINT, &action, NULL);
2424 sigaction(SIGHUP, NULL, &oldaction);
2425 if (oldaction.sa_handler == SIG_DFL)
2426 sigaction(SIGHUP, &action, NULL);
2429 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2430 quiet mode, report the number of packets we've captured.
2432 Again, restart any read that was in progress, so that it doesn't
2433 disrupt reading from the sync pipe. */
2434 action.sa_handler = report_counts_siginfo;
2435 action.sa_flags = SA_RESTART;
2436 sigemptyset(&action.sa_mask);
2437 sigaction(SIGINFO, &action, NULL);
2438 #endif /* SIGINFO */
2441 global_capture_session.state = CAPTURE_PREPARING;
2443 /* Let the user know which interfaces were chosen. */
2444 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2445 interface_options interface_opts;
2447 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2448 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2449 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2450 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2452 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2453 if (really_quiet == FALSE)
2454 fprintf(stderr, "Capturing on %s\n", str->str);
2456 g_string_free(str, TRUE);
2458 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2463 /* the actual capture loop
2465 * XXX - glib doesn't seem to provide any event based loop handling.
2467 * XXX - for whatever reason,
2468 * calling g_main_loop_new() ends up in 100% cpu load.
2470 * But that doesn't matter: in UNIX we can use select() to find an input
2471 * source with something to do.
2473 * But that doesn't matter because we're in a CLI (that doesn't need to
2474 * update a GUI or something at the same time) so it's OK if we block
2475 * trying to read from the pipe.
2477 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2478 * wrong (but I leave it there in case I am...).
2481 #ifdef USE_TSHARK_SELECT
2483 FD_SET(pipe_input.source, &readfds);
2486 loop_running = TRUE;
2490 while (loop_running)
2492 #ifdef USE_TSHARK_SELECT
2493 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2497 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2499 } else if (ret == 1) {
2501 /* Call the real handler */
2502 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2503 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2506 #ifdef USE_TSHARK_SELECT
2511 CATCH(OutOfMemoryError) {
2515 "Sorry, but TShark has to terminate now.\n"
2517 "More information and workarounds can be found at\n"
2518 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2525 /* capture child detected an error */
2527 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2529 cmdarg_err("%s", error_msg);
2530 cmdarg_err_cont("%s", secondary_error_msg);
2534 /* capture child detected an capture filter related error */
2536 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2538 capture_options *capture_opts = cap_session->capture_opts;
2539 dfilter_t *rfcode = NULL;
2540 interface_options interface_opts;
2542 g_assert(i < capture_opts->ifaces->len);
2543 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2545 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2547 "Invalid capture filter \"%s\" for interface '%s'.\n"
2549 "That string looks like a valid display filter; however, it isn't a valid\n"
2550 "capture filter (%s).\n"
2552 "Note that display filters and capture filters don't have the same syntax,\n"
2553 "so you can't use most display filter expressions as capture filters.\n"
2555 "See the User's Guide for a description of the capture filter syntax.",
2556 interface_opts.cfilter, interface_opts.descr, error_message);
2557 dfilter_free(rfcode);
2560 "Invalid capture filter \"%s\" for interface '%s'.\n"
2562 "That string isn't a valid capture filter (%s).\n"
2563 "See the User's Guide for a description of the capture filter syntax.",
2564 interface_opts.cfilter, interface_opts.descr, error_message);
2569 /* capture child tells us we have a new (or the first) capture file */
2571 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2573 capture_options *capture_opts = cap_session->capture_opts;
2574 capture_file *cf = (capture_file *) cap_session->cf;
2575 gboolean is_tempfile;
2578 if (cap_session->state == CAPTURE_PREPARING) {
2579 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2581 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2583 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2585 /* free the old filename */
2586 if (capture_opts->save_file != NULL) {
2588 /* we start a new capture file, close the old one (if we had one before) */
2589 if (cf->state != FILE_CLOSED) {
2590 if (cf->wth != NULL) {
2591 wtap_close(cf->wth);
2594 cf->state = FILE_CLOSED;
2597 g_free(capture_opts->save_file);
2598 is_tempfile = FALSE;
2600 epan_free(cf->epan);
2601 cf->epan = tshark_epan_new(cf);
2603 /* we didn't had a save_file before, must be a tempfile */
2607 /* save the new filename */
2608 capture_opts->save_file = g_strdup(new_file);
2610 /* if we are in real-time mode, open the new file now */
2611 if (do_dissection) {
2612 /* this is probably unecessary, but better safe than sorry */
2613 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2614 /* Attempt to open the capture file and set up to read from it. */
2615 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2619 /* Don't unlink (delete) the save file - leave it around,
2620 for debugging purposes. */
2621 g_free(capture_opts->save_file);
2622 capture_opts->save_file = NULL;
2627 cap_session->state = CAPTURE_RUNNING;
2633 /* capture child tells us we have new packets to read */
2635 capture_input_new_packets(capture_session *cap_session, int to_read)
2641 capture_file *cf = (capture_file *)cap_session->cf;
2642 gboolean filtering_tap_listeners;
2647 * Prevent a SIGINFO handler from writing to the standard error while
2648 * we're doing so or writing to the standard output; instead, have it
2649 * just set a flag telling us to print that information when we're done.
2652 #endif /* SIGINFO */
2654 /* Do we have any tap listeners with filters? */
2655 filtering_tap_listeners = have_filtering_tap_listeners();
2657 /* Get the union of the flags for all tap listeners. */
2658 tap_flags = union_of_tap_listener_flags();
2660 if (do_dissection) {
2661 gboolean create_proto_tree;
2662 epan_dissect_t *edt;
2664 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2665 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2666 create_proto_tree = TRUE;
2668 create_proto_tree = FALSE;
2670 /* The protocol tree will be "visible", i.e., printed, only if we're
2671 printing packet details, which is true if we're printing stuff
2672 ("print_packet_info" is true) and we're in verbose mode
2673 ("packet_details" is true). */
2674 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2676 while (to_read-- && cf->wth) {
2677 wtap_cleareof(cf->wth);
2678 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2680 /* read from file failed, tell the capture child to stop */
2681 sync_pipe_stop(cap_session);
2682 wtap_close(cf->wth);
2685 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2686 wtap_buf_ptr(cf->wth),
2690 /* packet successfully read and gone through the "Read Filter" */
2695 epan_dissect_free(edt);
2699 * Dumpcap's doing all the work; we're not doing any dissection.
2700 * Count all the packets it wrote.
2702 packet_count += to_read;
2705 if (print_packet_counts) {
2706 /* We're printing packet counts. */
2707 if (packet_count != 0) {
2708 fprintf(stderr, "\r%u ", packet_count);
2709 /* stderr could be line buffered */
2716 * Allow SIGINFO handlers to write.
2721 * If a SIGINFO handler asked us to write out capture counts, do so.
2725 #endif /* SIGINFO */
2731 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2732 /* Report the count only if we aren't printing a packet count
2733 as packets arrive. */
2734 fprintf(stderr, "%u packet%s captured\n", packet_count,
2735 plurality(packet_count, "", "s"));
2738 infoprint = FALSE; /* we just reported it */
2739 #endif /* SIGINFO */
2744 report_counts_siginfo(int signum _U_)
2746 int sav_errno = errno;
2747 /* If we've been told to delay printing, just set a flag asking
2748 that we print counts (if we're supposed to), otherwise print
2749 the count of packets captured (if we're supposed to). */
2756 #endif /* SIGINFO */
2759 /* capture child detected any packet drops? */
2761 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2763 if (print_packet_counts) {
2764 /* We're printing packet counts to stderr.
2765 Send a newline so that we move to the line after the packet count. */
2766 fprintf(stderr, "\n");
2770 /* We're printing packet counts to stderr.
2771 Send a newline so that we move to the line after the packet count. */
2772 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2778 * Capture child closed its side of the pipe, report any error and
2779 * do the required cleanup.
2782 capture_input_closed(capture_session *cap_session, gchar *msg)
2784 capture_file *cf = (capture_file *) cap_session->cf;
2787 fprintf(stderr, "tshark: %s\n", msg);
2791 if (cf != NULL && cf->wth != NULL) {
2792 wtap_close(cf->wth);
2793 if (cf->is_tempfile) {
2794 ws_unlink(cf->filename);
2797 #ifdef USE_BROKEN_G_MAIN_LOOP
2798 /*g_main_loop_quit(loop);*/
2799 g_main_loop_quit(loop);
2801 loop_running = FALSE;
2810 capture_cleanup(DWORD ctrltype _U_)
2812 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2813 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2814 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2815 like SIGTERM at least when the machine's shutting down.
2817 For now, we handle them all as indications that we should clean up
2818 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2821 We must return TRUE so that no other handler - such as one that would
2822 terminate the process - gets called.
2824 XXX - for some reason, typing ^C to TShark, if you run this in
2825 a Cygwin console window in at least some versions of Cygwin,
2826 causes TShark to terminate immediately; this routine gets
2827 called, but the main loop doesn't get a chance to run and
2828 exit cleanly, at least if this is compiled with Microsoft Visual
2829 C++ (i.e., it's a property of the Cygwin console window or Bash;
2830 it happens if TShark is not built with Cygwin - for all I know,
2831 building it with Cygwin may make the problem go away). */
2833 /* tell the capture child to stop */
2834 sync_pipe_stop(&global_capture_session);
2836 /* don't stop our own loop already here, otherwise status messages and
2837 * cleanup wouldn't be done properly. The child will indicate the stop of
2838 * everything by calling capture_input_closed() later */
2844 capture_cleanup(int signum _U_)
2846 /* tell the capture child to stop */
2847 sync_pipe_stop(&global_capture_session);
2849 /* don't stop our own loop already here, otherwise status messages and
2850 * cleanup wouldn't be done properly. The child will indicate the stop of
2851 * everything by calling capture_input_closed() later */
2854 #endif /* HAVE_LIBPCAP */
2857 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2858 gint64 offset, struct wtap_pkthdr *whdr,
2865 /* The frame number of this packet is one more than the count of
2866 frames in this packet. */
2867 framenum = cf->count + 1;
2869 /* If we're not running a display filter and we're not printing any
2870 packet information, we don't need to do a dissection. This means
2871 that all packets can be marked as 'passed'. */
2874 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2876 /* If we're going to run a read filter or a display filter, set up to
2877 do a dissection and do so. (This is the first pass of two passes
2878 over the packets, so we will not be printing any information
2879 from the dissection or running taps on the packet; if we're doing
2880 any of that, we'll do it in the second pass.) */
2882 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2883 gbl_resolv_flags.transport_name)
2884 /* Grab any resolved addresses */
2885 host_name_lookup_process();
2887 /* If we're running a read filter, prime the epan_dissect_t with that
2890 epan_dissect_prime_dfilter(edt, cf->rfcode);
2893 epan_dissect_prime_dfilter(edt, cf->dfcode);
2895 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2897 if (ref == &fdlocal) {
2898 ref_frame = fdlocal;
2902 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2904 /* Run the read filter if we have one. */
2906 passed = dfilter_apply_edt(cf->rfcode, edt);
2910 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2911 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2913 /* If we're not doing dissection then there won't be any dependent frames.
2914 * More importantly, edt.pi.dependent_frames won't be initialized because
2915 * epan hasn't been initialized.
2916 * if we *are* doing dissection, then mark the dependent frames, but only
2917 * if a display filter was given and it matches this packet.
2919 if (edt && cf->dfcode) {
2920 if (dfilter_apply_edt(cf->dfcode, edt)) {
2921 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2927 /* if we don't add it to the frame_data_sequence, clean it up right now
2929 frame_data_destroy(&fdlocal);
2933 epan_dissect_reset(edt);
2939 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2940 struct wtap_pkthdr *phdr, Buffer *buf,
2946 /* If we're not running a display filter and we're not printing any
2947 packet information, we don't need to do a dissection. This means
2948 that all packets can be marked as 'passed'. */
2951 /* If we're going to print packet information, or we're going to
2952 run a read filter, or we're going to process taps, set up to
2953 do a dissection and do so. (This is the second pass of two
2954 passes over the packets; that's the pass where we print
2955 packet information or run taps.) */
2957 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2958 gbl_resolv_flags.transport_name)
2959 /* Grab any resolved addresses */
2960 host_name_lookup_process();
2962 /* If we're running a display filter, prime the epan_dissect_t with that
2965 epan_dissect_prime_dfilter(edt, cf->dfcode);
2967 col_custom_prime_edt(edt, &cf->cinfo);
2969 /* We only need the columns if either
2970 1) some tap needs the columns
2972 2) we're printing packet info but we're *not* verbose; in verbose
2973 mode, we print the protocol tree, not the protocol summary.
2975 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
2980 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
2987 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
2989 /* Run the read/display filter if we have one. */
2991 passed = dfilter_apply_edt(cf->dfcode, edt);
2995 frame_data_set_after_dissect(fdata, &cum_bytes);
2996 /* Process this packet. */
2997 if (print_packet_info) {
2998 /* We're printing packet information; print the information for
3000 print_packet(cf, edt);
3002 /* The ANSI C standard does not appear to *require* that a line-buffered
3003 stream be flushed to the host environment whenever a newline is
3004 written, it just says that, on such a stream, characters "are
3005 intended to be transmitted to or from the host environment as a
3006 block when a new-line character is encountered".
3008 The Visual C++ 6.0 C implementation doesn't do what is intended;
3009 even if you set a stream to be line-buffered, it still doesn't
3010 flush the buffer at the end of every line.
3012 So, if the "-l" flag was specified, we flush the standard output
3013 at the end of a packet. This will do the right thing if we're
3014 printing packet summary lines, and, as we print the entire protocol
3015 tree for a single packet without waiting for anything to happen,
3016 it should be as good as line-buffered mode if we're printing
3017 protocol trees. (The whole reason for the "-l" flag in either
3018 tcpdump or TShark is to allow the output of a live capture to
3019 be piped to a program or script and to have that script see the
3020 information for the packet as soon as it's printed, rather than
3021 having to wait until a standard I/O buffer fills up. */
3025 if (ferror(stdout)) {
3026 show_print_file_io_error(errno);
3035 epan_dissect_reset(edt);
3037 return passed || fdata->flags.dependent_of_displayed;
3041 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3042 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3045 int snapshot_length;
3049 gchar *err_info = NULL;
3051 char *save_file_string = NULL;
3052 gboolean filtering_tap_listeners;
3054 GArray *shb_hdrs = NULL;
3055 wtapng_iface_descriptions_t *idb_inf = NULL;
3056 GArray *nrb_hdrs = NULL;
3057 struct wtap_pkthdr phdr;
3059 epan_dissect_t *edt = NULL;
3060 char *shb_user_appl;
3062 wtap_phdr_init(&phdr);
3064 idb_inf = wtap_file_get_idb_info(cf->wth);
3065 #ifdef PCAP_NG_DEFAULT
3066 if (idb_inf->interface_data->len > 1) {
3067 linktype = WTAP_ENCAP_PER_PACKET;
3069 linktype = wtap_file_encap(cf->wth);
3072 linktype = wtap_file_encap(cf->wth);
3074 if (save_file != NULL) {
3075 /* Get a string that describes what we're writing to */
3076 save_file_string = output_file_description(save_file);
3078 /* Set up to write to the capture file. */
3079 snapshot_length = wtap_snapshot_length(cf->wth);
3080 if (snapshot_length == 0) {
3081 /* Snapshot length of input file not known. */
3082 snapshot_length = WTAP_MAX_PACKET_SIZE;
3084 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3086 shb_hdrs = wtap_file_get_shb_for_new_file(cf->wth);
3087 nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->wth);
3089 /* If we don't have an application name add Tshark */
3090 if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) {
3091 /* this is free'd by wtap_block_free() later */
3092 wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info());
3095 if (linktype != WTAP_ENCAP_PER_PACKET &&
3096 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3097 tshark_debug("tshark: writing PCAP format to %s", save_file);
3098 if (strcmp(save_file, "-") == 0) {
3099 /* Write to the standard output. */
3100 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3101 snapshot_length, FALSE /* compressed */, &err);
3103 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3104 snapshot_length, FALSE /* compressed */, &err);
3108 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3109 if (strcmp(save_file, "-") == 0) {
3110 /* Write to the standard output. */
3111 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3112 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3114 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3115 snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err);
3123 /* We couldn't set up to write to the capture file. */
3126 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3127 cmdarg_err("Capture files can't be written in that format.");
3130 case WTAP_ERR_UNWRITABLE_ENCAP:
3131 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3132 cmdarg_err("The capture file being read can't be written as a "
3133 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3136 case WTAP_ERR_CANT_OPEN:
3137 cmdarg_err("The %s couldn't be created for some "
3138 "unknown reason.", save_file_string);
3141 case WTAP_ERR_SHORT_WRITE:
3142 cmdarg_err("A full header couldn't be written to the %s.",
3147 cmdarg_err("The %s could not be created: %s.", save_file_string,
3148 wtap_strerror(err));
3154 if (print_packet_info) {
3155 if (!write_preamble(cf)) {
3157 show_print_file_io_error(err);
3166 /* Do we have any tap listeners with filters? */
3167 filtering_tap_listeners = have_filtering_tap_listeners();
3169 /* Get the union of the flags for all tap listeners. */
3170 tap_flags = union_of_tap_listener_flags();
3172 if (perform_two_pass_analysis) {
3175 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3177 /* Allocate a frame_data_sequence for all the frames. */
3178 cf->frames = new_frame_data_sequence();
3180 if (do_dissection) {
3181 gboolean create_proto_tree = FALSE;
3183 /* If we're going to be applying a filter, we'll need to
3184 create a protocol tree against which to apply the filter. */
3185 if (cf->rfcode || cf->dfcode)
3186 create_proto_tree = TRUE;
3188 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3190 /* We're not going to display the protocol tree on this pass,
3191 so it's not going to be "visible". */
3192 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3195 tshark_debug("tshark: reading records for first pass");
3196 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3197 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3198 wtap_buf_ptr(cf->wth))) {
3199 /* Stop reading if we have the maximum number of packets;
3200 * When the -c option has not been used, max_packet_count
3201 * starts at 0, which practically means, never stop reading.
3202 * (unless we roll over max_packet_count ?)
3204 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3205 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3206 max_packet_count, data_offset, max_byte_count);
3207 err = 0; /* This is not an error */
3214 epan_dissect_free(edt);
3218 /* Close the sequential I/O side, to free up memory it requires. */
3219 wtap_sequential_close(cf->wth);
3221 /* Allow the protocol dissectors to free up memory that they
3222 * don't need after the sequential run-through of the packets. */
3223 postseq_cleanup_all_protocols();
3227 ws_buffer_init(&buf, 1500);
3229 tshark_debug("tshark: done with first pass");
3231 if (do_dissection) {
3232 gboolean create_proto_tree;
3234 if (cf->dfcode || print_details || filtering_tap_listeners ||
3235 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3236 create_proto_tree = TRUE;
3238 create_proto_tree = FALSE;
3240 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3242 /* The protocol tree will be "visible", i.e., printed, only if we're
3243 printing packet details, which is true if we're printing stuff
3244 ("print_packet_info" is true) and we're in verbose mode
3245 ("packet_details" is true). */
3246 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3249 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3250 fdata = frame_data_sequence_find(cf->frames, framenum);
3251 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3253 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3254 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3256 /* Either there's no read filtering or this packet passed the
3257 filter, so, if we're writing to a capture file, write
3260 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3261 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3262 /* Error writing to a capture file */
3263 tshark_debug("tshark: error writing to a capture file (%d)", err);
3266 case WTAP_ERR_UNWRITABLE_ENCAP:
3268 * This is a problem with the particular frame we're writing
3269 * and the file type and subtype we're writing; note that,
3270 * and report the frame number and file type/subtype.
3272 * XXX - framenum is not necessarily the frame number in
3273 * the input file if there was a read filter.
3276 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3277 framenum, cf->filename,
3278 wtap_file_type_subtype_short_string(out_file_type));
3281 case WTAP_ERR_PACKET_TOO_LARGE:
3283 * This is a problem with the particular frame we're writing
3284 * and the file type and subtype we're writing; note that,
3285 * and report the frame number and file type/subtype.
3287 * XXX - framenum is not necessarily the frame number in
3288 * the input file if there was a read filter.
3291 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3292 framenum, cf->filename,
3293 wtap_file_type_subtype_short_string(out_file_type));
3296 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3298 * This is a problem with the particular record we're writing
3299 * and the file type and subtype we're writing; note that,
3300 * and report the record number and file type/subtype.
3302 * XXX - framenum is not necessarily the record number in
3303 * the input file if there was a read filter.
3306 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3307 framenum, cf->filename,
3308 wtap_file_type_subtype_short_string(out_file_type));
3311 case WTAP_ERR_UNWRITABLE_REC_DATA:
3313 * This is a problem with the particular record we're writing
3314 * and the file type and subtype we're writing; note that,
3315 * and report the record number and file type/subtype.
3317 * XXX - framenum is not necessarily the record number in
3318 * the input file if there was a read filter.
3321 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3322 framenum, cf->filename,
3323 wtap_file_type_subtype_short_string(out_file_type),
3324 err_info != NULL ? err_info : "no information supplied");
3329 show_capture_file_io_error(save_file, err, FALSE);
3332 wtap_dump_close(pdh, &err);
3333 wtap_block_array_free(shb_hdrs);
3334 wtap_block_array_free(nrb_hdrs);
3343 epan_dissect_free(edt);
3347 ws_buffer_free(&buf);
3349 tshark_debug("tshark: done with second pass");
3352 /* !perform_two_pass_analysis */
3355 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3357 if (do_dissection) {
3358 gboolean create_proto_tree;
3360 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3361 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3362 create_proto_tree = TRUE;
3364 create_proto_tree = FALSE;
3366 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3368 /* The protocol tree will be "visible", i.e., printed, only if we're
3369 printing packet details, which is true if we're printing stuff
3370 ("print_packet_info" is true) and we're in verbose mode
3371 ("packet_details" is true). */
3372 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3375 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3378 tshark_debug("tshark: processing packet #%d", framenum);
3380 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3381 wtap_buf_ptr(cf->wth),
3383 /* Either there's no read filtering or this packet passed the
3384 filter, so, if we're writing to a capture file, write
3387 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3388 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3389 /* Error writing to a capture file */
3390 tshark_debug("tshark: error writing to a capture file (%d)", err);
3393 case WTAP_ERR_UNWRITABLE_ENCAP:
3395 * This is a problem with the particular frame we're writing
3396 * and the file type and subtype we're writing; note that,
3397 * and report the frame number and file type/subtype.
3400 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3401 framenum, cf->filename,
3402 wtap_file_type_subtype_short_string(out_file_type));
3405 case WTAP_ERR_PACKET_TOO_LARGE:
3407 * This is a problem with the particular frame we're writing
3408 * and the file type and subtype we're writing; note that,
3409 * and report the frame number and file type/subtype.
3412 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3413 framenum, cf->filename,
3414 wtap_file_type_subtype_short_string(out_file_type));
3417 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3419 * This is a problem with the particular record we're writing
3420 * and the file type and subtype we're writing; note that,
3421 * and report the record number and file type/subtype.
3424 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3425 framenum, cf->filename,
3426 wtap_file_type_subtype_short_string(out_file_type));
3429 case WTAP_ERR_UNWRITABLE_REC_DATA:
3431 * This is a problem with the particular record we're writing
3432 * and the file type and subtype we're writing; note that,
3433 * and report the record number and file type/subtype.
3436 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3437 framenum, cf->filename,
3438 wtap_file_type_subtype_short_string(out_file_type),
3439 err_info != NULL ? err_info : "no information supplied");
3444 show_capture_file_io_error(save_file, err, FALSE);
3447 wtap_dump_close(pdh, &err);
3448 wtap_block_array_free(shb_hdrs);
3449 wtap_block_array_free(nrb_hdrs);
3454 /* Stop reading if we have the maximum number of packets;
3455 * When the -c option has not been used, max_packet_count
3456 * starts at 0, which practically means, never stop reading.
3457 * (unless we roll over max_packet_count ?)
3459 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3460 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3461 max_packet_count, data_offset, max_byte_count);
3462 err = 0; /* This is not an error */
3468 epan_dissect_free(edt);
3473 wtap_phdr_cleanup(&phdr);
3476 tshark_debug("tshark: something failed along the line (%d)", err);
3478 * Print a message noting that the read failed somewhere along the line.
3480 * If we're printing packet data, and the standard output and error are
3481 * going to the same place, flush the standard output, so everything
3482 * buffered up is written, and then print a newline to the standard error
3483 * before printing the error message, to separate it from the packet
3484 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3485 * the _fstat() documentation at Microsoft doesn't indicate whether
3486 * st_ino is even supported.)
3489 if (print_packet_info) {
3490 ws_statb64 stat_stdout, stat_stderr;
3492 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3493 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3494 stat_stdout.st_ino == stat_stderr.st_ino) {
3496 fprintf(stderr, "\n");
3503 case WTAP_ERR_UNSUPPORTED:
3504 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3506 err_info != NULL ? err_info : "no information supplied");
3510 case WTAP_ERR_SHORT_READ:
3511 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3515 case WTAP_ERR_BAD_FILE:
3516 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3518 err_info != NULL ? err_info : "no information supplied");
3522 case WTAP_ERR_DECOMPRESS:
3523 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3524 "(%s)", cf->filename,
3525 err_info != NULL ? err_info : "no information supplied");
3530 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3531 cf->filename, wtap_strerror(err));
3534 if (save_file != NULL) {
3535 /* Now close the capture file. */
3536 if (!wtap_dump_close(pdh, &err))
3537 show_capture_file_io_error(save_file, err, TRUE);
3540 if (save_file != NULL) {
3541 if (pdh && out_file_name_res) {
3542 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3543 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3544 wtap_file_type_subtype_short_string(out_file_type));
3547 /* Now close the capture file. */
3548 if (!wtap_dump_close(pdh, &err))
3549 show_capture_file_io_error(save_file, err, TRUE);
3551 if (print_packet_info) {
3552 if (!write_finale()) {
3554 show_print_file_io_error(err);
3561 wtap_close(cf->wth);
3564 g_free(save_file_string);
3565 wtap_block_array_free(shb_hdrs);
3566 wtap_block_array_free(nrb_hdrs);
3572 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3573 const guchar *pd, guint tap_flags)
3579 /* Count this packet. */
3582 /* If we're not running a display filter and we're not printing any
3583 packet information, we don't need to do a dissection. This means
3584 that all packets can be marked as 'passed'. */
3587 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3589 /* If we're going to print packet information, or we're going to
3590 run a read filter, or we're going to process taps, set up to
3591 do a dissection and do so. (This is the one and only pass
3592 over the packets, so, if we'll be printing packet information
3593 or running taps, we'll be doing it here.) */
3595 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3596 gbl_resolv_flags.transport_name))
3597 /* Grab any resolved addresses */
3598 host_name_lookup_process();
3600 /* If we're running a filter, prime the epan_dissect_t with that
3603 epan_dissect_prime_dfilter(edt, cf->dfcode);
3605 col_custom_prime_edt(edt, &cf->cinfo);
3607 /* We only need the columns if either
3608 1) some tap needs the columns
3610 2) we're printing packet info but we're *not* verbose; in verbose
3611 mode, we print the protocol tree, not the protocol summary.
3613 3) there is a column mapped as an individual field */
3614 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3619 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3621 if (ref == &fdata) {
3626 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3628 /* Run the filter if we have it. */
3630 passed = dfilter_apply_edt(cf->dfcode, edt);
3634 frame_data_set_after_dissect(&fdata, &cum_bytes);
3636 /* Process this packet. */
3637 if (print_packet_info) {
3638 /* We're printing packet information; print the information for
3640 print_packet(cf, edt);
3642 /* The ANSI C standard does not appear to *require* that a line-buffered
3643 stream be flushed to the host environment whenever a newline is
3644 written, it just says that, on such a stream, characters "are
3645 intended to be transmitted to or from the host environment as a
3646 block when a new-line character is encountered".
3648 The Visual C++ 6.0 C implementation doesn't do what is intended;
3649 even if you set a stream to be line-buffered, it still doesn't
3650 flush the buffer at the end of every line.
3652 So, if the "-l" flag was specified, we flush the standard output
3653 at the end of a packet. This will do the right thing if we're
3654 printing packet summary lines, and, as we print the entire protocol
3655 tree for a single packet without waiting for anything to happen,
3656 it should be as good as line-buffered mode if we're printing
3657 protocol trees. (The whole reason for the "-l" flag in either
3658 tcpdump or TShark is to allow the output of a live capture to
3659 be piped to a program or script and to have that script see the
3660 information for the packet as soon as it's printed, rather than
3661 having to wait until a standard I/O buffer fills up. */
3665 if (ferror(stdout)) {
3666 show_print_file_io_error(errno);
3671 /* this must be set after print_packet() [bug #8160] */
3672 prev_dis_frame = fdata;
3673 prev_dis = &prev_dis_frame;
3676 prev_cap_frame = fdata;
3677 prev_cap = &prev_cap_frame;
3680 epan_dissect_reset(edt);
3681 frame_data_destroy(&fdata);
3687 write_preamble(capture_file *cf)
3689 switch (output_action) {
3692 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3696 write_pdml_preamble(stdout, cf->filename);
3698 write_psml_preamble(&cf->cinfo, stdout);
3699 return !ferror(stdout);
3702 write_fields_preamble(output_fields, stdout);
3703 return !ferror(stdout);
3706 case WRITE_JSON_RAW:
3707 write_json_preamble(stdout);
3708 return !ferror(stdout);
3711 return !ferror(stdout);
3714 g_assert_not_reached();
3720 get_line_buf(size_t len)
3722 static char *line_bufp = NULL;
3723 static size_t line_buf_len = 256;
3724 size_t new_line_buf_len;
3726 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3727 new_line_buf_len *= 2)
3729 if (line_bufp == NULL) {
3730 line_buf_len = new_line_buf_len;
3731 line_bufp = (char *)g_malloc(line_buf_len + 1);
3733 if (new_line_buf_len > line_buf_len) {
3734 line_buf_len = new_line_buf_len;
3735 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3742 put_string(char *dest, const char *str, size_t str_len)
3744 memcpy(dest, str, str_len);
3745 dest[str_len] = '\0';
3749 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3753 for (i = str_len; i < str_with_spaces; i++)
3756 put_string(dest, str, str_len);
3760 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3764 memcpy(dest, str, str_len);
3765 for (i = str_len; i < str_with_spaces; i++)
3768 dest[str_with_spaces] = '\0';
3772 print_columns(capture_file *cf)
3779 col_item_t* col_item;
3780 gchar str_format[11];
3782 line_bufp = get_line_buf(256);
3785 for (i = 0; i < cf->cinfo.num_cols; i++) {
3786 col_item = &cf->cinfo.columns[i];
3787 /* Skip columns not marked as visible. */
3788 if (!get_column_visible(i))
3790 switch (col_item->col_fmt) {
3792 column_len = col_len = strlen(col_item->col_data);
3795 line_bufp = get_line_buf(buf_offset + column_len);
3796 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3802 case COL_ABS_YMD_TIME: /* XXX - wider */
3803 case COL_ABS_YDOY_TIME: /* XXX - wider */
3805 case COL_UTC_YMD_TIME: /* XXX - wider */
3806 case COL_UTC_YDOY_TIME: /* XXX - wider */
3807 column_len = col_len = strlen(col_item->col_data);
3808 if (column_len < 10)
3810 line_bufp = get_line_buf(buf_offset + column_len);
3811 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3817 case COL_DEF_DL_SRC:
3818 case COL_RES_DL_SRC:
3819 case COL_UNRES_DL_SRC:
3820 case COL_DEF_NET_SRC:
3821 case COL_RES_NET_SRC:
3822 case COL_UNRES_NET_SRC:
3823 column_len = col_len = strlen(col_item->col_data);
3824 if (column_len < 12)
3826 line_bufp = get_line_buf(buf_offset + column_len);
3827 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3833 case COL_DEF_DL_DST:
3834 case COL_RES_DL_DST:
3835 case COL_UNRES_DL_DST:
3836 case COL_DEF_NET_DST:
3837 case COL_RES_NET_DST:
3838 case COL_UNRES_NET_DST:
3839 column_len = col_len = strlen(col_item->col_data);
3840 if (column_len < 12)
3842 line_bufp = get_line_buf(buf_offset + column_len);
3843 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3847 column_len = strlen(col_item->col_data);
3848 line_bufp = get_line_buf(buf_offset + column_len);
3849 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3852 buf_offset += column_len;
3853 if (i != cf->cinfo.num_cols - 1) {
3855 * This isn't the last column, so we need to print a
3856 * separator between this column and the next.
3858 * If we printed a network source and are printing a
3859 * network destination of the same type next, separate
3860 * them with a UTF-8 right arrow; if we printed a network
3861 * destination and are printing a network source of the same
3862 * type next, separate them with a UTF-8 left arrow;
3863 * otherwise separate them with a space.
3865 * We add enough space to the buffer for " \xe2\x86\x90 "
3866 * or " \xe2\x86\x92 ", even if we're only adding " ".
3868 line_bufp = get_line_buf(buf_offset + 5);
3869 switch (col_item->col_fmt) {
3874 switch (cf->cinfo.columns[i+1].col_fmt) {
3879 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_RIGHTWARDS_ARROW, delimiter_char);
3880 put_string(line_bufp + buf_offset, str_format, 5);
3885 put_string(line_bufp + buf_offset, delimiter_char, 1);
3891 case COL_DEF_DL_SRC:
3892 case COL_RES_DL_SRC:
3893 case COL_UNRES_DL_SRC:
3894 switch (cf->cinfo.columns[i+1].col_fmt) {
3896 case COL_DEF_DL_DST:
3897 case COL_RES_DL_DST:
3898 case COL_UNRES_DL_DST:
3899 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_RIGHTWARDS_ARROW, delimiter_char);
3900 put_string(line_bufp + buf_offset, str_format, 5);
3905 put_string(line_bufp + buf_offset, delimiter_char, 1);
3911 case COL_DEF_NET_SRC:
3912 case COL_RES_NET_SRC:
3913 case COL_UNRES_NET_SRC:
3914 switch (cf->cinfo.columns[i+1].col_fmt) {
3916 case COL_DEF_NET_DST:
3917 case COL_RES_NET_DST:
3918 case COL_UNRES_NET_DST:
3919 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_RIGHTWARDS_ARROW, delimiter_char);
3920 put_string(line_bufp + buf_offset, str_format, 5);
3925 put_string(line_bufp + buf_offset, delimiter_char, 1);
3934 switch (cf->cinfo.columns[i+1].col_fmt) {
3939 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_LEFTWARDS_ARROW, delimiter_char);
3940 put_string(line_bufp + buf_offset, str_format, 5);
3945 put_string(line_bufp + buf_offset, delimiter_char, 1);
3951 case COL_DEF_DL_DST:
3952 case COL_RES_DL_DST:
3953 case COL_UNRES_DL_DST:
3954 switch (cf->cinfo.columns[i+1].col_fmt) {
3956 case COL_DEF_DL_SRC:
3957 case COL_RES_DL_SRC:
3958 case COL_UNRES_DL_SRC:
3959 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_LEFTWARDS_ARROW, delimiter_char);
3960 put_string(line_bufp + buf_offset, str_format, 5);
3965 put_string(line_bufp + buf_offset, delimiter_char, 1);
3971 case COL_DEF_NET_DST:
3972 case COL_RES_NET_DST:
3973 case COL_UNRES_NET_DST:
3974 switch (cf->cinfo.columns[i+1].col_fmt) {
3976 case COL_DEF_NET_SRC:
3977 case COL_RES_NET_SRC:
3978 case COL_UNRES_NET_SRC:
3979 g_snprintf(str_format, sizeof(str_format), " %s%s", UTF8_LEFTWARDS_ARROW, delimiter_char);
3980 put_string(line_bufp + buf_offset, str_format, 5);
3985 put_string(line_bufp + buf_offset, delimiter_char, 1);
3992 put_string(line_bufp + buf_offset, delimiter_char, 1);
3998 return print_line(print_stream, 0, line_bufp);
4002 print_packet(capture_file *cf, epan_dissect_t *edt)
4004 print_args_t print_args;
4006 if (print_summary || output_fields_has_cols(output_fields)) {
4007 /* Just fill in the columns. */
4008 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4010 if (print_summary) {
4011 /* Now print them. */
4012 switch (output_action) {
4015 if (!print_columns(cf))
4020 write_psml_columns(edt, stdout);
4021 return !ferror(stdout);
4022 case WRITE_FIELDS: /*No non-verbose "fields" format */
4025 case WRITE_JSON_RAW:
4026 g_assert_not_reached();
4031 if (print_details) {
4032 /* Print the information in the protocol tree. */
4033 switch (output_action) {
4036 /* Only initialize the fields that are actually used in proto_tree_print.
4037 * This is particularly important for .range, as that's heap memory which
4038 * we would otherwise have to g_free().
4039 print_args.to_file = TRUE;
4040 print_args.format = print_format;
4041 print_args.print_summary = print_summary;
4042 print_args.print_formfeed = FALSE;
4043 packet_range_init(&print_args.range, &cfile);
4045 print_args.print_hex = print_hex;
4046 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4048 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4051 if (!print_line(print_stream, 0, separator))
4057 write_pdml_proto_tree(output_fields, protocolfilter, protocolfilter_flags, edt, stdout);
4059 return !ferror(stdout);
4061 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4063 return !ferror(stdout);
4065 print_args.print_dissections = print_dissections_expanded;
4066 print_args.print_hex = print_hex;
4067 write_json_proto_tree(output_fields, &print_args, protocolfilter, protocolfilter_flags, edt, stdout);
4069 return !ferror(stdout);
4070 case WRITE_JSON_RAW:
4071 print_args.print_dissections = print_dissections_none;
4072 print_args.print_hex = TRUE;
4073 write_json_proto_tree(output_fields, &print_args, protocolfilter, protocolfilter_flags, edt, stdout);
4075 return !ferror(stdout);
4077 print_args.print_hex = print_hex;
4078 write_ek_proto_tree(output_fields, &print_args, protocolfilter, protocolfilter_flags, edt, stdout);
4079 return !ferror(stdout);
4083 if (print_summary || print_details) {
4084 if (!print_line(print_stream, 0, ""))
4087 if (!print_hex_data(print_stream, edt))
4089 if (!print_line(print_stream, 0, separator))
4098 switch (output_action) {
4101 return print_finale(print_stream);
4105 write_pdml_finale(stdout);
4107 write_psml_finale(stdout);
4108 return !ferror(stdout);
4111 write_fields_finale(output_fields, stdout);
4112 return !ferror(stdout);
4115 case WRITE_JSON_RAW:
4116 write_json_finale(stdout);
4117 return !ferror(stdout);
4120 return !ferror(stdout);
4123 g_assert_not_reached();
4129 cf_close(capture_file *cf)
4131 g_free(cf->filename);
4135 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4139 char err_msg[2048+1];
4141 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4145 /* The open succeeded. Fill in the information for this file. */
4147 /* Create new epan session for dissection. */
4148 epan_free(cf->epan);
4149 cf->epan = tshark_epan_new(cf);
4152 cf->f_datalen = 0; /* not used, but set it anyway */
4154 /* Set the file name because we need it to set the follow stream filter.
4155 XXX - is that still true? We need it for other reasons, though,
4157 cf->filename = g_strdup(fname);
4159 /* Indicate whether it's a permanent or temporary file. */
4160 cf->is_tempfile = is_tempfile;
4162 /* No user changes yet. */
4163 cf->unsaved_changes = FALSE;
4165 cf->cd_t = wtap_file_type_subtype(cf->wth);
4166 cf->open_type = type;
4168 cf->drops_known = FALSE;
4170 cf->snap = wtap_snapshot_length(cf->wth);
4171 if (cf->snap == 0) {
4172 /* Snapshot length not known. */
4173 cf->has_snap = FALSE;
4174 cf->snap = WTAP_MAX_PACKET_SIZE;
4176 cf->has_snap = TRUE;
4177 nstime_set_zero(&cf->elapsed_time);
4182 cf->state = FILE_READ_IN_PROGRESS;
4184 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4185 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4190 g_snprintf(err_msg, sizeof err_msg,
4191 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4192 cmdarg_err("%s", err_msg);
4197 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4199 char *save_file_string;
4201 save_file_string = output_file_description(fname);
4206 cmdarg_err("Not all the packets could be written to the %s because there is "
4207 "no space left on the file system.",
4213 cmdarg_err("Not all the packets could be written to the %s because you are "
4214 "too close to, or over your disk quota.",
4219 case WTAP_ERR_CANT_CLOSE:
4220 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4224 case WTAP_ERR_SHORT_WRITE:
4225 cmdarg_err("Not all the packets could be written to the %s.",
4231 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4232 wtap_strerror(err));
4234 cmdarg_err("An error occurred while writing to the %s: %s.",
4235 save_file_string, wtap_strerror(err));
4239 g_free(save_file_string);
4243 show_print_file_io_error(int err)
4248 cmdarg_err("Not all the packets could be printed because there is "
4249 "no space left on the file system.");
4254 cmdarg_err("Not all the packets could be printed because you are "
4255 "too close to, or over your disk quota.");
4260 cmdarg_err("An error occurred while printing packets: %s.",
4267 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4271 static char errmsg_errno[1024+1];
4274 /* Wiretap error. */
4277 case WTAP_ERR_NOT_REGULAR_FILE:
4278 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4281 case WTAP_ERR_RANDOM_OPEN_PIPE:
4282 /* Seen only when opening a capture file for reading. */
4283 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4286 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4287 /* Seen only when opening a capture file for reading. */
4288 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4291 case WTAP_ERR_UNSUPPORTED:
4292 /* Seen only when opening a capture file for reading. */
4293 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4294 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4296 err_info != NULL ? err_info : "no information supplied");
4298 errmsg = errmsg_errno;
4301 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4302 /* Seen only when opening a capture file for writing. */
4303 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4304 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4305 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4306 errmsg = errmsg_errno;
4309 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4310 /* Seen only when opening a capture file for writing. */
4311 errmsg = "TShark doesn't support writing capture files in that format.";
4314 case WTAP_ERR_UNWRITABLE_ENCAP:
4315 /* Seen only when opening a capture file for writing. */
4316 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4317 "TShark can't save this capture as a \"%s\" file.",
4318 wtap_file_type_subtype_short_string(file_type));
4319 errmsg = errmsg_errno;
4322 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4324 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4325 "TShark can't save this capture as a \"%s\" file.",
4326 wtap_file_type_subtype_short_string(file_type));
4327 errmsg = errmsg_errno;
4329 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4332 case WTAP_ERR_BAD_FILE:
4333 /* Seen only when opening a capture file for reading. */
4334 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4335 "The file \"%%s\" appears to be damaged or corrupt.\n"
4337 err_info != NULL ? err_info : "no information supplied");
4339 errmsg = errmsg_errno;
4342 case WTAP_ERR_CANT_OPEN:
4344 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4346 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4349 case WTAP_ERR_SHORT_READ:
4350 errmsg = "The file \"%s\" appears to have been cut short"
4351 " in the middle of a packet or other data.";
4354 case WTAP_ERR_SHORT_WRITE:
4355 errmsg = "A full header couldn't be written to the file \"%s\".";
4358 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4359 errmsg = "This file type cannot be written as a compressed file.";
4362 case WTAP_ERR_DECOMPRESS:
4363 /* Seen only when opening a capture file for reading. */
4364 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4365 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4367 err_info != NULL ? err_info : "no information supplied");
4369 errmsg = errmsg_errno;
4373 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4374 "The file \"%%s\" could not be %s: %s.",
4375 for_writing ? "created" : "opened",
4376 wtap_strerror(err));
4377 errmsg = errmsg_errno;
4381 errmsg = file_open_error_message(err, for_writing);
4386 * Open/create errors are reported with an console message in TShark.
4389 open_failure_message(const char *filename, int err, gboolean for_writing)
4391 fprintf(stderr, "tshark: ");
4392 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4393 fprintf(stderr, "\n");
4397 * General errors are reported with an console message in TShark.
4400 failure_message(const char *msg_format, va_list ap)
4402 fprintf(stderr, "tshark: ");
4403 vfprintf(stderr, msg_format, ap);
4404 fprintf(stderr, "\n");
4408 * Read errors are reported with an console message in TShark.
4411 read_failure_message(const char *filename, int err)
4413 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4414 filename, g_strerror(err));
4418 * Write errors are reported with an console message in TShark.
4421 write_failure_message(const char *filename, int err)
4423 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4424 filename, g_strerror(err));
4428 * Report additional information for an error in command-line arguments.
4431 failure_message_cont(const char *msg_format, va_list ap)
4433 vfprintf(stderr, msg_format, ap);
4434 fprintf(stderr, "\n");
4438 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4443 * indent-tabs-mode: nil
4446 * vi: set shiftwidth=2 tabstop=8 expandtab:
4447 * :indentSize=2:tabSize=8:noTabs=true: