X-Git-Url: http://git.samba.org/?a=blobdiff_plain;f=tshark.c;h=7a8c2d4d63e80d1e8dc435f0cf9ef9bd8f407c3f;hb=f2bee8dd57696c5da50f931fee8f8a03ba1ea756;hp=10394d1eb3070b4bf62b1d0ce3aeb1a3555455e7;hpb=2b68a6f450ae9094241707caaf87f2d16e258cf5;p=metze%2Fwireshark%2Fwip.git diff --git a/tshark.c b/tshark.c index 10394d1eb3..7a8c2d4d63 100644 --- a/tshark.c +++ b/tshark.c @@ -30,32 +30,16 @@ #include #include -#ifdef HAVE_UNISTD_H -#include -#endif - #ifdef HAVE_GETOPT_H #include #endif #include -#ifdef HAVE_FCNTL_H -#include -#endif - #ifndef _WIN32 #include #endif -#ifdef HAVE_SYS_STAT_H -# include -#endif - -#ifdef HAVE_LIBZ -#include /* to get the libz version number */ -#endif - #ifdef HAVE_LIBCAP # include #endif @@ -77,8 +61,9 @@ #include #include #include -#include -#include +#include +#include +#include #include "globals.h" #include @@ -86,7 +71,6 @@ #ifdef HAVE_LUA #include #endif -#include "file.h" #include "frame_tvbuff.h" #include #include @@ -98,8 +82,11 @@ #endif #include "ui/util.h" #include "ui/ui_util.h" +#include "ui/decode_as_utils.h" #include "ui/cli/tshark-tap.h" +#include "ui/tap_export_pdu.h" #include "register.h" +#include "filter_files.h" #include #include #include @@ -107,6 +94,7 @@ #include #include #include +#include #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) #include @@ -126,19 +114,28 @@ #endif /* _WIN32 */ #include #include +#include #endif /* HAVE_LIBPCAP */ #include "log.h" #include +#include +#include + +#ifdef HAVE_EXTCAP +#include "extcap.h" +#endif + #ifdef HAVE_PLUGINS #include #endif -/* - * This is the template for the decode as option; it is shared between the - * various functions that output the usage for this parameter. - */ -static const gchar decode_as_arg_template[] = "==,"; + +#if 0 +#define tshark_debug(...) g_warning(__VA_ARGS__) +#else +#define tshark_debug(...) +#endif static guint32 cum_bytes; static const frame_data *ref; @@ -148,8 +145,6 @@ static frame_data prev_dis_frame; static frame_data *prev_cap; static frame_data prev_cap_frame; -static const char* prev_display_dissector_name = NULL; - static gboolean perform_two_pass_analysis; /* @@ -158,7 +153,9 @@ static gboolean perform_two_pass_analysis; typedef enum { WRITE_TEXT, /* summary or detail text */ WRITE_XML, /* PDML or PSML */ - WRITE_FIELDS /* User defined list of fields */ + WRITE_FIELDS, /* User defined list of fields */ + WRITE_JSON, /* JSON */ + WRITE_EK /* JSON bulk insert to Elasticsearch */ /* Add CSV and the like here */ } output_action_e; @@ -175,6 +172,7 @@ static print_format_e print_format = PR_FMT_TEXT; static print_stream_t *print_stream; static output_fields_t* output_fields = NULL; +static gchar **protocolfilter = NULL; /* The line separator used between packets, changeable via the -S option */ static const char *separator = ""; @@ -187,6 +185,7 @@ static gboolean print_packet_counts; static capture_options global_capture_opts; static capture_session global_capture_session; +static info_data_t global_info_data; #ifdef SIGINFO static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */ @@ -345,12 +344,18 @@ print_usage(FILE *output) fprintf(output, " -Y packet displaY filter in Wireshark display filter\n"); fprintf(output, " syntax\n"); fprintf(output, " -n disable all name resolutions (def: all enabled)\n"); - fprintf(output, " -N enable specific name resolution(s): \"mntC\"\n"); - fprintf(output, " -d %s ...\n", decode_as_arg_template); + fprintf(output, " -N enable specific name resolution(s): \"mnNtCd\"\n"); + fprintf(output, " -d %s ...\n", DECODE_AS_ARG_TEMPLATE); fprintf(output, " \"Decode As\", see the man page for details\n"); fprintf(output, " Example: tcp.port==8888,http\n"); fprintf(output, " -H read a list of entries from a hosts file, which will\n"); fprintf(output, " then be written to a capture file. (Implies -W n)\n"); + fprintf(output, " --disable-protocol \n"); + fprintf(output, " disable dissection of proto_name\n"); + fprintf(output, " --enable-heuristic \n"); + fprintf(output, " enable dissection of heuristic protocol\n"); + fprintf(output, " --disable-heuristic \n"); + fprintf(output, " disable dissection of heuristic protocol\n"); /*fprintf(output, "\n");*/ fprintf(output, "Output:\n"); @@ -365,12 +370,15 @@ print_usage(FILE *output) fprintf(output, " -P print packet summary even when writing to a file\n"); fprintf(output, " -S the line separator to print between packets\n"); fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n"); - fprintf(output, " -T pdml|ps|psml|text|fields\n"); + fprintf(output, " -T pdml|ps|psml|json|ek|text|fields\n"); fprintf(output, " format of text output (def: text)\n"); + fprintf(output, " -j protocols layers filter if -T ek|pdml|json selected,\n"); + fprintf(output, " (e.g. \"http tcp ip\",\n"); fprintf(output, " -e field to print if -Tfields selected (e.g. tcp.port,\n"); fprintf(output, " _ws.col.Info)\n"); fprintf(output, " this option can be repeated to print multiple fields\n"); fprintf(output, " -E= set options for output when -Tfields selected:\n"); + fprintf(output, " bom=y|n print a UTF-8 BOM\n"); fprintf(output, " header=y|n switch headers on and off\n"); fprintf(output, " separator=/t|/s| select tab, space, printable character as separator\n"); fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n"); @@ -386,6 +394,7 @@ print_usage(FILE *output) fprintf(output, " -W n Save extra information in the file, if supported.\n"); fprintf(output, " n = write network address resolution information\n"); fprintf(output, " -X : eXtension options, see the man page for details\n"); + fprintf(output, " -U tap_name PDUs export mode, see the man page for details\n"); fprintf(output, " -z various statistics, see the man page for details\n"); fprintf(output, " --capture-comment \n"); fprintf(output, " add a capture comment to the newly created\n"); @@ -426,6 +435,7 @@ glossary_option_help(void) fprintf(output, " -G column-formats dump column format codes and exit\n"); fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n"); fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n"); + fprintf(output, " -G fieldcount dump count of header fields and exit\n"); fprintf(output, " -G fields dump fields glossary and exit\n"); fprintf(output, " -G ftypes dump field type basic and descriptive names\n"); fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n"); @@ -439,413 +449,6 @@ glossary_option_help(void) fprintf(output, "\n"); } -/* - * For a dissector table, print on the stream described by output, - * its short name (which is what's used in the "-d" option) and its - * descriptive name. - */ -static void -display_dissector_table_names(const char *table_name, const char *ui_name, - gpointer output) -{ - if ((prev_display_dissector_name == NULL) || - (strcmp(prev_display_dissector_name, table_name) != 0)) { - fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name); - prev_display_dissector_name = table_name; - } -} - -/* - * For a dissector handle, print on the stream described by output, - * the filter name (which is what's used in the "-d" option) and the full - * name for the protocol that corresponds to this handle. - */ -static void -display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output) -{ - int proto_id; - const gchar *proto_filter_name; - const gchar *proto_ui_name; - - proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle); - - if (proto_id != -1) { - proto_filter_name = proto_get_protocol_filter_name(proto_id); - proto_ui_name = proto_get_protocol_name(proto_id); - g_assert(proto_filter_name != NULL); - g_assert(proto_ui_name != NULL); - - if ((prev_display_dissector_name == NULL) || - (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) { - fprintf((FILE *)output, "\t%s (%s)\n", - proto_filter_name, - proto_ui_name); - prev_display_dissector_name = proto_filter_name; - } - } -} - -/* - * The protocol_name_search structure is used by find_protocol_name_func() - * to pass parameters and store results - */ -struct protocol_name_search{ - gchar *searched_name; /* Protocol filter name we are looking for */ - dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */ - guint nb_match; /* How many dissectors matched searched_name */ -}; -typedef struct protocol_name_search *protocol_name_search_t; - -/* - * This function parses all dissectors associated with a table to find the - * one whose protocol has the specified filter name. It is called - * as a reference function in a call to dissector_table_foreach_handle. - * The name we are looking for, as well as the results, are stored in the - * protocol_name_search struct pointed to by user_data. - * If called using dissector_table_foreach_handle, we actually parse the - * whole list of dissectors. - */ -static void -find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data) - -{ - int proto_id; - const gchar *protocol_filter_name; - protocol_name_search_t search_info; - - g_assert(handle); - - search_info = (protocol_name_search_t)user_data; - - proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle); - if (proto_id != -1) { - protocol_filter_name = proto_get_protocol_filter_name(proto_id); - g_assert(protocol_filter_name != NULL); - if (strcmp(protocol_filter_name, search_info->searched_name) == 0) { - /* Found a match */ - if (search_info->nb_match == 0) { - /* Record this handle only if this is the first match */ - search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */ - } - search_info->nb_match++; - } - } -} - -/* - * Allow dissector key names to be sorted alphabetically - */ - -static gint -compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b) -{ - return strcmp((const char*)dissector_a, (const char*)dissector_b); -} - -/* - * Print all layer type names supported. - * We send the output to the stream described by the handle output. - */ - -static void -fprint_all_layer_types(FILE *output) - -{ - prev_display_dissector_name = NULL; - dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name); -} - -/* - * Print all protocol names supported for a specific layer type. - * table_name contains the layer type name in which the search is performed. - * We send the output to the stream described by the handle output. - */ - -static void -fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name) - -{ - prev_display_dissector_name = NULL; - dissector_table_foreach_handle(table_name, - display_dissector_names, - (gpointer)output); -} - -/* - * The function below parses the command-line parameters for the decode as - * feature (a string pointer by cl_param). - * It checks the format of the command-line, searches for a matching table - * and dissector. If a table/dissector match is not found, we display a - * summary of the available tables/dissectors (on stderr) and return FALSE. - * If everything is fine, we get the "Decode as" preference activated, - * then we return TRUE. - */ -static gboolean -add_decode_as(const gchar *cl_param) -{ - gchar *table_name; - guint32 selector, selector2; - gchar *decoded_param; - gchar *remaining_param; - gchar *selector_str; - gchar *dissector_str; - dissector_handle_t dissector_matching; - dissector_table_t table_matching; - ftenum_t dissector_table_selector_type; - struct protocol_name_search user_protocol_name; - guint64 i; - char op; - - /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */ - - g_assert(cl_param); - decoded_param = g_strdup(cl_param); - g_assert(decoded_param); - - - /* The lines below will parse this string (modifying it) to extract all - necessary information. Note that decoded_param is still needed since - strings are not copied - we just save pointers. */ - - /* This section extracts a layer type (table_name) from decoded_param */ - table_name = decoded_param; /* Layer type string starts from beginning */ - - remaining_param = strchr(table_name, '='); - if (remaining_param == NULL) { - cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template); - /* If the argument does not follow the template, carry on anyway to check - if the table name is at least correct. If remaining_param is NULL, - we'll exit anyway further down */ - } - else { - *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */ - } - - /* Remove leading and trailing spaces from the table name */ - while ( table_name[0] == ' ' ) - table_name++; - while ( table_name[strlen(table_name) - 1] == ' ' ) - table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */ - -/* The following part searches a table matching with the layer type specified */ - table_matching = NULL; - -/* Look for the requested table */ - if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */ - cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */ - } - else { - table_matching = find_dissector_table(table_name); - if (!table_matching) { - cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */ - } - } - - if (!table_matching) { - /* Display a list of supported layer types to help the user, if the - specified layer type was not found */ - cmdarg_err("Valid layer types are:"); - fprint_all_layer_types(stderr); - } - if (remaining_param == NULL || !table_matching) { - /* Exit if the layer type was not found, or if no '=' separator was found - (see above) */ - g_free(decoded_param); - return FALSE; - } - - if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */ - cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1); - } - else { - remaining_param++; /* Move to the second '=' */ - *remaining_param = '\0'; /* Remove the second '=' */ - } - remaining_param++; /* Position after the layer type string */ - - /* This section extracts a selector value (selector_str) from decoded_param */ - - selector_str = remaining_param; /* Next part starts with the selector number */ - - remaining_param = strchr(selector_str, ','); - if (remaining_param == NULL) { - cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template); - /* If the argument does not follow the template, carry on anyway to check - if the selector value is at least correct. If remaining_param is NULL, - we'll exit anyway further down */ - } - else { - *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */ - } - - dissector_table_selector_type = get_dissector_table_selector_type(table_name); - - switch (dissector_table_selector_type) { - - case FT_UINT8: - case FT_UINT16: - case FT_UINT24: - case FT_UINT32: - /* The selector for this table is an unsigned number. Parse it as such. - There's no need to remove leading and trailing spaces from the - selector number string, because sscanf will do that for us. */ - switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) { - case 1: - op = '\0'; - break; - case 3: - if (op != ':' && op != '-') { - cmdarg_err("Invalid selector numeric range \"%s\"", selector_str); - g_free(decoded_param); - return FALSE; - } - if (op == ':') { - if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) { - cmdarg_err("Invalid selector numeric range \"%s\"", selector_str); - g_free(decoded_param); - return FALSE; - } - } - else if (selector2 < selector) { - /* We could swap them for the user, but maybe it's better to call - * this out as an error in case it's not what was intended? */ - cmdarg_err("Invalid selector numeric range \"%s\"", selector_str); - g_free(decoded_param); - return FALSE; - } - break; - default: - cmdarg_err("Invalid selector number \"%s\"", selector_str); - g_free(decoded_param); - return FALSE; - } - break; - - case FT_STRING: - case FT_STRINGZ: - case FT_UINT_STRING: - case FT_STRINGZPAD: - /* The selector for this table is a string. */ - break; - - default: - /* There are currently no dissector tables with any types other - than the ones listed above. */ - g_assert_not_reached(); - } - - if (remaining_param == NULL) { - /* Exit if no ',' separator was found (see above) */ - cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name); - fprint_all_protocols_for_layer_types(stderr, table_name); - g_free(decoded_param); - return FALSE; - } - - remaining_param++; /* Position after the selector number string */ - - /* This section extracts a protocol filter name (dissector_str) from decoded_param */ - - dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */ - - /* Remove leading and trailing spaces from the dissector name */ - while ( dissector_str[0] == ' ' ) - dissector_str++; - while ( dissector_str[strlen(dissector_str) - 1] == ' ' ) - dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */ - - dissector_matching = NULL; - - /* We now have a pointer to the handle for the requested table inside the variable table_matching */ - if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */ - cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */ - } - else { - user_protocol_name.nb_match = 0; - user_protocol_name.searched_name = dissector_str; - user_protocol_name.matched_handle = NULL; - - dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */ - - if (user_protocol_name.nb_match != 0) { - dissector_matching = user_protocol_name.matched_handle; - if (user_protocol_name.nb_match > 1) { - cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match); - } - } - else { - /* OK, check whether the problem is that there isn't any such - protocol, or that there is but it's not specified as a protocol - that's valid for that dissector table. - Note, we don't exit here, but dissector_matching will remain NULL, - so we exit below */ - if (proto_get_id_by_filter_name(dissector_str) == -1) { - /* No such protocol */ - cmdarg_err("Unknown protocol -- \"%s\"", dissector_str); - } else { - cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"", - dissector_str, table_name); - } - } - } - - if (!dissector_matching) { - cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name); - fprint_all_protocols_for_layer_types(stderr, table_name); - g_free(decoded_param); - return FALSE; - } - -/* This is the end of the code that parses the command-line options. - All information is now stored in the variables: - table_name - selector - dissector_matching - The above variables that are strings are still pointing to areas within - decoded_parm. decoded_parm thus still needs to be kept allocated in - until we stop needing these variables - decoded_param will be deallocated at each exit point of this function */ - - - /* We now have a pointer to the handle for the requested dissector - (requested protocol) inside the variable dissector_matching */ - switch (dissector_table_selector_type) { - - case FT_UINT8: - case FT_UINT16: - case FT_UINT24: - case FT_UINT32: - /* The selector for this table is an unsigned number. */ - if (op == '\0') { - dissector_change_uint(table_name, selector, dissector_matching); - } else if (op == ':') { - for (i = selector; i < (guint64)selector + selector2; i++) { - dissector_change_uint(table_name, (guint32)i, dissector_matching); - } - } else { /* op == '-' */ - for (i = selector; i <= selector2; i++) { - dissector_change_uint(table_name, (guint32)i, dissector_matching); - } - } - break; - - case FT_STRING: - case FT_STRINGZ: - case FT_UINT_STRING: - case FT_STRINGZPAD: - /* The selector for this table is a string. */ - dissector_change_string(table_name, selector_str, dissector_matching); - break; - - default: - /* There are currently no dissector tables with any types other - than the ones listed above. */ - g_assert_not_reached(); - } - g_free(decoded_param); /* "Decode As" rule has been successfully added */ - return TRUE; -} - static void tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level, const gchar *message, gpointer user_data) @@ -911,19 +514,6 @@ get_tshark_compiled_version_info(GString *str) { /* Capture libraries */ get_compiled_caplibs_version(str); - - /* LIBZ */ - g_string_append(str, ", "); -#ifdef HAVE_LIBZ - g_string_append(str, "with libz "); -#ifdef ZLIB_VERSION - g_string_append(str, ZLIB_VERSION); -#else /* ZLIB_VERSION */ - g_string_append(str, "(version unknown)"); -#endif /* ZLIB_VERSION */ -#else /* HAVE_LIBZ */ - g_string_append(str, "without libz"); -#endif /* HAVE_LIBZ */ } static void @@ -935,11 +525,6 @@ get_tshark_runtime_version_info(GString *str) get_runtime_caplibs_version(str); #endif - /* zlib */ -#if defined(HAVE_LIBZ) && !defined(_WIN32) - g_string_append_printf(str, ", with libz %s", zlibVersion()); -#endif - /* stuff used by libwireshark */ epan_get_runtime_version_info(str); } @@ -951,14 +536,12 @@ main(int argc, char *argv[]) GString *runtime_info_str; char *init_progfile_dir_error; int opt; -DIAG_OFF(cast-qual) static const struct option long_options[] = { - {(char *)"help", no_argument, NULL, 'h'}, - {(char *)"version", no_argument, NULL, 'v'}, + {"help", no_argument, NULL, 'h'}, + {"version", no_argument, NULL, 'v'}, LONGOPT_CAPTURE_COMMON {0, 0, 0, 0 } }; -DIAG_ON(cast-qual) gboolean arg_error = FALSE; #ifdef _WIN32 @@ -967,10 +550,12 @@ DIAG_ON(cast-qual) char *gpf_path, *pf_path; char *gdp_path, *dp_path; + char *cf_path; int gpf_open_errno, gpf_read_errno; int pf_open_errno, pf_read_errno; int gdp_open_errno, gdp_read_errno; int dp_open_errno, dp_read_errno; + int cf_open_errno; int err; volatile int exit_status = 0; #ifdef HAVE_LIBPCAP @@ -1003,6 +588,11 @@ DIAG_ON(cast-qual) char badopt; int log_flags; gchar *output_only = NULL; + GSList *disable_protocol_slist = NULL; + GSList *enable_heur_slist = NULL; + GSList *disable_heur_slist = NULL; + gchar *volatile pdu_export_arg = NULL; + exp_pdu_t exp_pdu_tap_data; /* * The leading + ensures that getopt_long() does not permute the argv[] @@ -1023,10 +613,12 @@ DIAG_ON(cast-qual) * We do *not* use a leading - because the behavior of a leading - is * platform-dependent. */ -#define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:" +#define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:j:" "K:lnN:o:O:PqQr:R:S:t:T:u:U:vVw:W:xX:Y:z:" static const char optstring[] = OPTSTRING; + tshark_debug("tshark started with %d args", argc); + /* Set the C-language locale to the native environment. */ setlocale(LC_ALL, ""); @@ -1052,7 +644,7 @@ DIAG_ON(cast-qual) /* * Attempt to get the pathname of the executable file. */ - init_progfile_dir_error = init_progfile_dir(argv[0], (void *)main); + init_progfile_dir_error = init_progfile_dir(argv[0], main); if (init_progfile_dir_error != NULL) { fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n", init_progfile_dir_error); @@ -1061,6 +653,7 @@ DIAG_ON(cast-qual) initialize_funnel_ops(); #ifdef _WIN32 + ws_init_dll_search_path(); /* Load wpcap if possible. Do this before collecting the run-time version information */ load_wpcap(); @@ -1088,6 +681,9 @@ DIAG_ON(cast-qual) g_string_free(comp_info_str, TRUE); g_string_free(runtime_info_str, TRUE); + /* Fail sometimes. Useful for testing fuzz scripts. */ + /* if (g_random_int_range(0, 100) < 5) abort(); */ + /* * In order to have the -X opts assigned before the wslua machine starts * we need to call getopt_long before epan_init() gets called. @@ -1205,7 +801,9 @@ DIAG_ON(cast-qual) "-G" flag, as the "-G" flag dumps information registered by the dissectors, and we must do it before we read the preferences, in case any dissectors register preferences. */ - epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL); + if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, + NULL)) + return 2; /* Register all tap listeners; we do this before we parse the arguments, as the "-z" argument can specify a registered tap. */ @@ -1221,6 +819,7 @@ DIAG_ON(cast-qual) hostlist_table_set_gui_info(init_hostlists); srt_table_iterate_tables(register_srt_tables, NULL); rtd_table_iterate_tables(register_rtd_tables, NULL); + new_stat_tap_iterate_tables(register_simple_stat_tables, NULL); /* If invoked with the "-G" flag, we dump out information based on the argument to the "-G" flag; if no argument is specified, @@ -1249,7 +848,10 @@ DIAG_ON(cast-qual) write_prefs(NULL); else if (strcmp(argv[2], "dissector-tables") == 0) dissector_dump_dissector_tables(); - else if (strcmp(argv[2], "fields") == 0) + else if (strcmp(argv[2], "fieldcount") == 0) { + /* return value for the test suite */ + return proto_registrar_dump_fieldcount(); + } else if (strcmp(argv[2], "fields") == 0) proto_registrar_dump_fields(); else if (strcmp(argv[2], "ftypes") == 0) proto_registrar_dump_ftypes(); @@ -1279,6 +881,11 @@ DIAG_ON(cast-qual) return 0; } + /* load the decode as entries of this profile */ + load_decode_as_entries(); + + tshark_debug("tshark reading preferences"); + prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path, &pf_open_errno, &pf_read_errno, &pf_path); if (gpf_path != NULL) { @@ -1304,9 +911,18 @@ DIAG_ON(cast-qual) pf_path = NULL; } + read_filter_list(CFILTER_LIST, &cf_path, &cf_open_errno); + if (cf_path != NULL) { + cmdarg_err("Could not open your capture filter file\n\"%s\": %s.", + cf_path, g_strerror(cf_open_errno)); + g_free(cf_path); + } + /* Read the disabled protocols file. */ read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno, &dp_path, &dp_open_errno, &dp_read_errno); + read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno, + &dp_path, &dp_open_errno, &dp_read_errno); if (gdp_path != NULL) { if (gdp_open_errno != 0) { cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.", @@ -1409,7 +1025,7 @@ DIAG_ON(cast-qual) /* already processed; just ignore it now */ break; case 'd': /* Decode as rule */ - if (!add_decode_as(optarg)) + if (!decode_as_command_option(optarg)) return 1; break; #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) @@ -1457,6 +1073,9 @@ DIAG_ON(cast-qual) return 1; } break; + case 'j': + protocolfilter = wmem_strsplit(wmem_epan_scope(), optarg, " ", -1); + break; case 'W': /* Select extra information to save in our capture file */ /* This is patterned after the -N flag which may not be the best idea. */ if (strchr(optarg, 'n')) { @@ -1508,17 +1127,14 @@ DIAG_ON(cast-qual) #endif break; case 'n': /* No name resolution */ - gbl_resolv_flags.mac_name = FALSE; - gbl_resolv_flags.network_name = FALSE; - gbl_resolv_flags.transport_name = FALSE; - gbl_resolv_flags.concurrent_dns = FALSE; + disable_name_resolution(); break; case 'N': /* Select what types of addresses/port #s to resolve */ badopt = string_to_name_resolve(optarg, &gbl_resolv_flags); if (badopt != '\0') { cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:", badopt); - cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n" + cmdarg_err_cont("\t'd' to enable address resolution from captured DNS packets\n" "\t'm' to enable MAC address resolution\n" "\t'n' to enable network address resolution\n" "\t'N' to enable using external resolvers (e.g., DNS)\n" @@ -1620,7 +1236,16 @@ DIAG_ON(cast-qual) output_action = WRITE_FIELDS; print_details = TRUE; /* Need full tree info */ print_summary = FALSE; /* Don't allow summary */ - } else { + } else if (strcmp(optarg, "json") == 0) { + output_action = WRITE_JSON; + print_details = TRUE; /* Need details */ + print_summary = FALSE; /* Don't allow summary */ + } else if (strcmp(optarg, "ek") == 0) { + output_action = WRITE_EK; + print_details = TRUE; /* Need details */ + print_summary = FALSE; /* Don't allow summary */ + } + else { cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */ cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n" "\t specified by the -E option.\n" @@ -1634,6 +1259,12 @@ DIAG_ON(cast-qual) "\t summary information of a decoded packet. This information is\n" "\t equivalent to the information shown in the one-line summary\n" "\t printed by default.\n" + "\t\"json\" Packet Summary, an JSON-based format for the details\n" + "\t summary information of a decoded packet. This information is \n" + "\t equivalent to the packet details printed with the -V flag.\n" + "\t\"ek\" Packet Summary, an EK JSON-based format for the bulk insert \n" + "\t into elastic search cluster. This information is \n" + "\t equivalent to the packet details printed with the -V flag.\n" "\t\"text\" Text of a human-readable one-line summary of each of the\n" "\t packets, or a multi-line view of the details of each of the\n" "\t packets, depending on whether the -V flag was specified.\n" @@ -1653,6 +1284,20 @@ DIAG_ON(cast-qual) return 1; } break; + case 'U': /* Export PDUs to file */ + { + GSList *export_pdu_tap_name_list = NULL; + + if (!*optarg) { + cmdarg_err("Tap name is required! Valid names are:"); + for (export_pdu_tap_name_list = get_export_pdu_tap_list(); export_pdu_tap_name_list; export_pdu_tap_name_list = g_slist_next(export_pdu_tap_name_list)) { + cmdarg_err("%s\n", (const char*)(export_pdu_tap_name_list->data)); + } + return 1; + } + pdu_export_arg = g_strdup(optarg); + break; + } case 'v': /* Show version and exit */ comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info, epan_get_compiled_version_info); @@ -1665,6 +1310,9 @@ DIAG_ON(cast-qual) * cruft getting in the way. Makes the results of running * $ ./tools/valgrind-wireshark -n * much more useful. */ +#ifdef HAVE_EXTCAP + extcap_cleanup(); +#endif epan_cleanup(); return 0; case 'O': /* Only output these protocols */ @@ -1699,6 +1347,16 @@ DIAG_ON(cast-qual) return 1; } break; + case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */ + disable_protocol_slist = g_slist_append(disable_protocol_slist, optarg); + break; + case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */ + enable_heur_slist = g_slist_append(enable_heur_slist, optarg); + break; + case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */ + disable_heur_slist = g_slist_append(disable_heur_slist, optarg); + break; + default: case '?': /* Bad flag - print usage message */ switch(optopt) { @@ -1714,9 +1372,9 @@ DIAG_ON(cast-qual) } /* If we specified output fields, but not the output field type... */ - if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) { + if ((WRITE_FIELDS != output_action && WRITE_XML != output_action && WRITE_JSON != output_action && WRITE_EK != output_action) && 0 != output_fields_num_fields(output_fields)) { cmdarg_err("Output fields were specified with \"-e\", " - "but \"-Tfields\" was not specified."); + "but \"-Tek, -Tfields, -Tjson or -Tpdml\" was not specified."); return 1; } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) { cmdarg_err("\"-Tfields\" was specified, but no fields were " @@ -1801,8 +1459,8 @@ DIAG_ON(cast-qual) } if (print_hex) { - if (output_action != WRITE_TEXT) { - cmdarg_err("Raw packet hex data can only be printed as text or PostScript"); + if (output_action != WRITE_TEXT && output_action != WRITE_JSON && output_action != WRITE_EK) { + cmdarg_err("Raw packet hex data can only be printed as text, PostScript, JSON or EK JSON"); return 1; } } @@ -1992,11 +1650,19 @@ DIAG_ON(cast-qual) /* At this point MATE will have registered its field array so we can check if the fields specified by the user are all good. */ - if (!output_fields_valid(output_fields)) { - cmdarg_err("Some fields aren't valid"); - return 1; - } + { + GSList* it = NULL; + GSList *invalid_fields = output_fields_valid(output_fields); + if (invalid_fields != NULL) { + cmdarg_err("Some fields aren't valid:"); + for (it=invalid_fields; it != NULL; it = g_slist_next(it)) { + cmdarg_err_cont("\t%s", (gchar *)it->data); + } + g_slist_free(invalid_fields); + return 1; + } + } #ifdef HAVE_LIBPCAP /* We currently don't support taps, or printing dissected packets, if we're writing to a pipe. */ @@ -2026,6 +1692,31 @@ DIAG_ON(cast-qual) /* disabled protocols as per configuration file */ if (gdp_path == NULL && dp_path == NULL) { set_disabled_protos_list(); + set_disabled_heur_dissector_list(); + } + + if(disable_protocol_slist) { + GSList *proto_disable; + for (proto_disable = disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable)) + { + proto_disable_proto_by_name((char*)proto_disable->data); + } + } + + if(enable_heur_slist) { + GSList *heur_enable; + for (heur_enable = enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable)) + { + proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE); + } + } + + if(disable_heur_slist) { + GSList *heur_disable; + for (heur_disable = disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable)) + { + proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE); + } } /* Build the column format array */ @@ -2037,9 +1728,13 @@ DIAG_ON(cast-qual) #endif if (rfilter != NULL) { + tshark_debug("Compiling read filter: '%s'", rfilter); if (!dfilter_compile(rfilter, &rfcode, &err_msg)) { cmdarg_err("%s", err_msg); g_free(err_msg); +#ifdef HAVE_EXTCAP + extcap_cleanup(); +#endif epan_cleanup(); #ifdef HAVE_PCAP_OPEN_DEAD { @@ -2062,9 +1757,13 @@ DIAG_ON(cast-qual) cfile.rfcode = rfcode; if (dfilter != NULL) { + tshark_debug("Compiling display filter: '%s'", dfilter); if (!dfilter_compile(dfilter, &dfcode, &err_msg)) { cmdarg_err("%s", err_msg); g_free(err_msg); +#ifdef HAVE_EXTCAP + extcap_cleanup(); +#endif epan_cleanup(); #ifdef HAVE_PCAP_OPEN_DEAD { @@ -2106,6 +1805,55 @@ DIAG_ON(cast-qual) } } + /* PDU export requested. Take the ownership of the '-w' file, apply tap + * filters and start tapping. */ + if (pdu_export_arg) { + const char *exp_pdu_filename; + const char *exp_pdu_tap_name = pdu_export_arg; + const char *exp_pdu_filter = dfilter; /* may be NULL to disable filter */ + char *exp_pdu_error; + int exp_fd; + + if (!cf_name) { + cmdarg_err("PDUs export requires a capture file (specify with -r)."); + return 1; + } + /* Take ownership of the '-w' output file. */ +#ifdef HAVE_LIBPCAP + exp_pdu_filename = global_capture_opts.save_file; + global_capture_opts.save_file = NULL; +#else + exp_pdu_filename = output_file_name; + output_file_name = NULL; +#endif + if (exp_pdu_filename == NULL) { + cmdarg_err("PDUs export requires an output file (-w)."); + return 1; + } + + exp_pdu_error = exp_pdu_pre_open(exp_pdu_tap_name, exp_pdu_filter, + &exp_pdu_tap_data); + if (exp_pdu_error) { + cmdarg_err("Cannot register tap: %s", exp_pdu_error); + g_free(exp_pdu_error); + return 2; + } + + exp_fd = ws_open(exp_pdu_filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644); + if (exp_fd == -1) { + cmdarg_err("%s: %s", exp_pdu_filename, file_open_error_message(errno, TRUE)); + return 2; + } + + /* Activate the export PDU tap */ + err = exp_pdu_open(&exp_pdu_tap_data, exp_fd, + g_strdup_printf("Dump of PDUs from %s", cf_name)); + if (err != 0) { + cmdarg_err("Failed to start the PDU export: %s", g_strerror(err)); + return 2; + } + } + /* We have to dissect each packet if: we're printing information about each packet; @@ -2114,19 +1862,28 @@ DIAG_ON(cast-qual) we're using a display filter on the packets; + we're exporting PDUs; + we're using any taps that need dissection. */ - do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection(); + do_dissection = print_packet_info || rfcode || dfcode || pdu_export_arg || + tap_listeners_require_dissection(); + tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE"); if (cf_name) { + tshark_debug("tshark: Opening capture file: %s", cf_name); /* * We're reading a capture file. */ if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) { +#ifdef HAVE_EXTCAP + extcap_cleanup(); +#endif epan_cleanup(); return 2; } /* Process the packets in the file */ + tshark_debug("tshark: invoking load_cap_file() to process the packets"); TRY { #ifdef HAVE_LIBPCAP err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res, @@ -2152,7 +1909,17 @@ DIAG_ON(cast-qual) read some packets; however, we exit with an error status. */ exit_status = 2; } + + if (pdu_export_arg) { + err = exp_pdu_close(&exp_pdu_tap_data); + if (err) { + cmdarg_err("%s", wtap_strerror(err)); + exit_status = 2; + } + g_free(pdu_export_arg); + } } else { + tshark_debug("tshark: no capture file specified"); /* No capture file specified, so we're supposed to do a live capture or get a list of link-layer types for a live capture device; do we have support for live captures? */ @@ -2171,9 +1938,16 @@ DIAG_ON(cast-qual) for (i = 0; i < global_capture_opts.ifaces->len; i++) { interface_options interface_opts; if_capabilities_t *caps; + char *auth_str = NULL; interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i); - caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL); +#ifdef HAVE_PCAP_REMOTE + if (interface_opts.auth_type == CAPTURE_AUTH_PWD) { + auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password); + } +#endif + caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL); + g_free(auth_str); if (caps == NULL) { cmdarg_err("%s", err_str); g_free(err_str); @@ -2212,9 +1986,9 @@ DIAG_ON(cast-qual) * suppress the information printed for each packet, but it'll * also suppress the packet counts. */ - if (!isatty(fileno(stderr))) + if (!ws_isatty(ws_fileno(stderr))) print_packet_counts = FALSE; - else if (print_packet_info && isatty(fileno(stdout))) + else if (print_packet_info && ws_isatty(ws_fileno(stdout))) print_packet_counts = FALSE; else if (quiet) print_packet_counts = FALSE; @@ -2228,6 +2002,7 @@ DIAG_ON(cast-qual) } } + tshark_debug("tshark: performing live capture"); /* * XXX - this returns FALSE if an error occurred, but it also * returns FALSE if the capture stops because a time limit @@ -2264,6 +2039,9 @@ DIAG_ON(cast-qual) draw_tap_listeners(TRUE); funnel_dump_all_text_windows(); epan_free(cfile.epan); +#ifdef HAVE_EXTCAP + extcap_cleanup(); +#endif epan_cleanup(); output_fields_free(output_fields); @@ -2490,7 +2268,7 @@ capture(void) fflush(stderr); g_string_free(str, TRUE); - ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL); + ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL); if (!ret) return FALSE; @@ -2913,7 +2691,7 @@ process_packet_first_pass(capture_file *cf, epan_dissect_t *edt, do a dissection and do so. */ if (edt) { if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name || - gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns) + gbl_resolv_flags.transport_name) /* Grab any resolved addresses */ host_name_lookup_process(); @@ -2986,7 +2764,7 @@ process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fd do a dissection and do so. */ if (edt) { if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name || - gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns) + gbl_resolv_flags.transport_name) /* Grab any resolved addresses */ host_name_lookup_process(); @@ -3003,7 +2781,7 @@ process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fd 2) we're printing packet info but we're *not* verbose; in verbose mode, we print the protocol tree, not the protocol summary. */ - if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary)) + if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields)) cinfo = &cf->cinfo; else cinfo = NULL; @@ -3082,16 +2860,16 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, char *save_file_string = NULL; gboolean filtering_tap_listeners; guint tap_flags; - wtapng_section_t *shb_hdr; - wtapng_iface_descriptions_t *idb_inf; - char *appname = NULL; + GArray *shb_hdrs = NULL; + wtapng_iface_descriptions_t *idb_inf = NULL; + GArray *nrb_hdrs = NULL; struct wtap_pkthdr phdr; Buffer buf; epan_dissect_t *edt = NULL; + char *shb_user_appl; wtap_phdr_init(&phdr); - shb_hdr = wtap_file_get_shb_info(cf->wth); idb_inf = wtap_file_get_idb_info(cf->wth); #ifdef PCAP_NG_DEFAULT if (idb_inf->interface_data->len > 1) { @@ -3112,19 +2890,40 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, /* Snapshot length of input file not known. */ snapshot_length = WTAP_MAX_PACKET_SIZE; } + tshark_debug("tshark: snapshot_length = %d", snapshot_length); + + shb_hdrs = wtap_file_get_shb_for_new_file(cf->wth); + nrb_hdrs = wtap_file_get_nrb_for_new_file(cf->wth); + /* If we don't have an application name add Tshark */ - if (shb_hdr->shb_user_appl == NULL) { - appname = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info()); - shb_hdr->shb_user_appl = appname; + if (wtap_block_get_string_option_value(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, &shb_user_appl) != WTAP_OPTTYPE_SUCCESS) { + /* this is free'd by wtap_block_free() later */ + wtap_block_add_string_option_format(g_array_index(shb_hdrs, wtap_block_t, 0), OPT_SHB_USERAPPL, "TShark (Wireshark) %s", get_ws_vcs_version_info()); } if (linktype != WTAP_ENCAP_PER_PACKET && - out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) - pdh = wtap_dump_open(save_file, out_file_type, linktype, - snapshot_length, FALSE /* compressed */, &err); - else - pdh = wtap_dump_open_ng(save_file, out_file_type, linktype, - snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err); + out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) { + tshark_debug("tshark: writing PCAP format to %s", save_file); + if (strcmp(save_file, "-") == 0) { + /* Write to the standard output. */ + pdh = wtap_dump_open_stdout(out_file_type, linktype, + snapshot_length, FALSE /* compressed */, &err); + } else { + pdh = wtap_dump_open(save_file, out_file_type, linktype, + snapshot_length, FALSE /* compressed */, &err); + } + } + else { + tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file); + if (strcmp(save_file, "-") == 0) { + /* Write to the standard output. */ + pdh = wtap_dump_open_stdout_ng(out_file_type, linktype, + snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err); + } else { + pdh = wtap_dump_open_ng(save_file, out_file_type, linktype, + snapshot_length, FALSE /* compressed */, shb_hdrs, idb_inf, nrb_hdrs, &err); + } + } g_free(idb_inf); idb_inf = NULL; @@ -3182,6 +2981,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, if (perform_two_pass_analysis) { frame_data *fdata; + tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE"); + /* Allocate a frame_data_sequence for all the frames. */ cf->frames = new_frame_data_sequence(); @@ -3193,11 +2994,14 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, if (cf->rfcode || cf->dfcode) create_proto_tree = TRUE; + tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE"); + /* We're not going to display the protocol tree on this pass, so it's not going to be "visible". */ edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE); } + tshark_debug("tshark: reading records for first pass"); while (wtap_read(cf->wth, &err, &err_info, &data_offset)) { if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth))) { @@ -3207,6 +3011,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, * (unless we roll over max_packet_count ?) */ if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) { + tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached", + max_packet_count, data_offset, max_byte_count); err = 0; /* This is not an error */ break; } @@ -3229,6 +3035,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, prev_cap = NULL; ws_buffer_init(&buf, 1500); + tshark_debug("tshark: done with first pass"); + if (do_dissection) { gboolean create_proto_tree; @@ -3238,6 +3046,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, else create_proto_tree = FALSE; + tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE"); + /* The protocol tree will be "visible", i.e., printed, only if we're printing packet details, which is true if we're printing stuff ("print_packet_info" is true) and we're in verbose mode @@ -3249,14 +3059,17 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, fdata = frame_data_sequence_find(cf->frames, framenum); if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err, &err_info)) { + tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum); if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf, tap_flags)) { /* Either there's no read filtering or this packet passed the filter, so, if we're writing to a capture file, write this packet out. */ if (pdh != NULL) { + tshark_debug("tshark: writing packet #%d to outfile", framenum); if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) { /* Error writing to a capture file */ + tshark_debug("tshark: error writing to a capture file (%d)", err); switch (err) { case WTAP_ERR_UNWRITABLE_ENCAP: @@ -3326,8 +3139,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, break; } wtap_dump_close(pdh, &err); - g_free(shb_hdr); - g_free(appname); + wtap_block_array_free(shb_hdrs); + wtap_block_array_free(nrb_hdrs); exit(2); } } @@ -3341,10 +3154,15 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, } ws_buffer_free(&buf); + + tshark_debug("tshark: done with second pass"); } else { + /* !perform_two_pass_analysis */ framenum = 0; + tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE"); + if (do_dissection) { gboolean create_proto_tree; @@ -3354,6 +3172,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, else create_proto_tree = FALSE; + tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE"); + /* The protocol tree will be "visible", i.e., printed, only if we're printing packet details, which is true if we're printing stuff ("print_packet_info" is true) and we're in verbose mode @@ -3364,6 +3184,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, while (wtap_read(cf->wth, &err, &err_info, &data_offset)) { framenum++; + tshark_debug("tshark: processing packet #%d", framenum); + if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), tap_flags)) { @@ -3371,8 +3193,10 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, filter, so, if we're writing to a capture file, write this packet out. */ if (pdh != NULL) { + tshark_debug("tshark: writing packet #%d to outfile", framenum); if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) { /* Error writing to a capture file */ + tshark_debug("tshark: error writing to a capture file (%d)", err); switch (err) { case WTAP_ERR_UNWRITABLE_ENCAP: @@ -3430,8 +3254,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, break; } wtap_dump_close(pdh, &err); - g_free(shb_hdr); - g_free(appname); + wtap_block_array_free(shb_hdrs); + wtap_block_array_free(nrb_hdrs); exit(2); } } @@ -3442,6 +3266,8 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, * (unless we roll over max_packet_count ?) */ if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) { + tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached", + max_packet_count, data_offset, max_byte_count); err = 0; /* This is not an error */ break; } @@ -3456,6 +3282,7 @@ load_cap_file(capture_file *cf, char *save_file, int out_file_type, wtap_phdr_cleanup(&phdr); if (err != 0) { + tshark_debug("tshark: something failed along the line (%d)", err); /* * Print a message noting that the read failed somewhere along the line. * @@ -3544,8 +3371,8 @@ out: cf->wth = NULL; g_free(save_file_string); - g_free(shb_hdr); - g_free(appname); + wtap_block_array_free(shb_hdrs); + wtap_block_array_free(nrb_hdrs); return err; } @@ -3573,7 +3400,7 @@ process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap do a dissection and do so. */ if (edt) { if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name || - gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)) + gbl_resolv_flags.transport_name)) /* Grab any resolved addresses */ host_name_lookup_process(); @@ -3682,6 +3509,13 @@ write_preamble(capture_file *cf) write_fields_preamble(output_fields, stdout); return !ferror(stdout); + case WRITE_JSON: + write_json_preamble(stdout); + return !ferror(stdout); + + case WRITE_EK: + return !ferror(stdout); + default: g_assert_not_reached(); return FALSE; @@ -3748,21 +3582,23 @@ print_columns(capture_file *cf) size_t buf_offset; size_t column_len; size_t col_len; + col_item_t* col_item; line_bufp = get_line_buf(256); buf_offset = 0; *line_bufp = '\0'; for (i = 0; i < cf->cinfo.num_cols; i++) { + col_item = &cf->cinfo.columns[i]; /* Skip columns not marked as visible. */ if (!get_column_visible(i)) continue; - switch (cf->cinfo.col_fmt[i]) { + switch (col_item->col_fmt) { case COL_NUMBER: - column_len = col_len = strlen(cf->cinfo.col_data[i]); + column_len = col_len = strlen(col_item->col_data); if (column_len < 3) column_len = 3; line_bufp = get_line_buf(buf_offset + column_len); - put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len); + put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len); break; case COL_CLS_TIME: @@ -3773,11 +3609,11 @@ print_columns(capture_file *cf) case COL_UTC_TIME: case COL_UTC_YMD_TIME: /* XXX - wider */ case COL_UTC_YDOY_TIME: /* XXX - wider */ - column_len = col_len = strlen(cf->cinfo.col_data[i]); + column_len = col_len = strlen(col_item->col_data); if (column_len < 10) column_len = 10; line_bufp = get_line_buf(buf_offset + column_len); - put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len); + put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len); break; case COL_DEF_SRC: @@ -3789,11 +3625,11 @@ print_columns(capture_file *cf) case COL_DEF_NET_SRC: case COL_RES_NET_SRC: case COL_UNRES_NET_SRC: - column_len = col_len = strlen(cf->cinfo.col_data[i]); + column_len = col_len = strlen(col_item->col_data); if (column_len < 12) column_len = 12; line_bufp = get_line_buf(buf_offset + column_len); - put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len); + put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len); break; case COL_DEF_DST: @@ -3805,17 +3641,17 @@ print_columns(capture_file *cf) case COL_DEF_NET_DST: case COL_RES_NET_DST: case COL_UNRES_NET_DST: - column_len = col_len = strlen(cf->cinfo.col_data[i]); + column_len = col_len = strlen(col_item->col_data); if (column_len < 12) column_len = 12; line_bufp = get_line_buf(buf_offset + column_len); - put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len); + put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len); break; default: - column_len = strlen(cf->cinfo.col_data[i]); + column_len = strlen(col_item->col_data); line_bufp = get_line_buf(buf_offset + column_len); - put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len); + put_string(line_bufp + buf_offset, col_item->col_data, column_len); break; } buf_offset += column_len; @@ -3826,27 +3662,27 @@ print_columns(capture_file *cf) * * If we printed a network source and are printing a * network destination of the same type next, separate - * them with " -> "; if we printed a network destination - * and are printing a network source of the same type - * next, separate them with " <- "; otherwise separate them - * with a space. + * them with a UTF-8 right arrow; if we printed a network + * destination and are printing a network source of the same + * type next, separate them with a UTF-8 left arrow; + * otherwise separate them with a space. * - * We add enough space to the buffer for " <- " or " -> ", - * even if we're only adding " ". + * We add enough space to the buffer for " \xe2\x86\x90 " + * or " \xe2\x86\x92 ", even if we're only adding " ". */ - line_bufp = get_line_buf(buf_offset + 4); - switch (cf->cinfo.col_fmt[i]) { + line_bufp = get_line_buf(buf_offset + 5); + switch (col_item->col_fmt) { case COL_DEF_SRC: case COL_RES_SRC: case COL_UNRES_SRC: - switch (cf->cinfo.col_fmt[i + 1]) { + switch (cf->cinfo.columns[i+1].col_fmt) { case COL_DEF_DST: case COL_RES_DST: case COL_UNRES_DST: - put_string(line_bufp + buf_offset, " -> ", 4); - buf_offset += 4; + put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5); + buf_offset += 5; break; default: @@ -3859,13 +3695,13 @@ print_columns(capture_file *cf) case COL_DEF_DL_SRC: case COL_RES_DL_SRC: case COL_UNRES_DL_SRC: - switch (cf->cinfo.col_fmt[i + 1]) { + switch (cf->cinfo.columns[i+1].col_fmt) { case COL_DEF_DL_DST: case COL_RES_DL_DST: case COL_UNRES_DL_DST: - put_string(line_bufp + buf_offset, " -> ", 4); - buf_offset += 4; + put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5); + buf_offset += 5; break; default: @@ -3878,13 +3714,13 @@ print_columns(capture_file *cf) case COL_DEF_NET_SRC: case COL_RES_NET_SRC: case COL_UNRES_NET_SRC: - switch (cf->cinfo.col_fmt[i + 1]) { + switch (cf->cinfo.columns[i+1].col_fmt) { case COL_DEF_NET_DST: case COL_RES_NET_DST: case COL_UNRES_NET_DST: - put_string(line_bufp + buf_offset, " -> ", 4); - buf_offset += 4; + put_string(line_bufp + buf_offset, " " UTF8_RIGHTWARDS_ARROW " ", 5); + buf_offset += 5; break; default: @@ -3897,13 +3733,13 @@ print_columns(capture_file *cf) case COL_DEF_DST: case COL_RES_DST: case COL_UNRES_DST: - switch (cf->cinfo.col_fmt[i + 1]) { + switch (cf->cinfo.columns[i+1].col_fmt) { case COL_DEF_SRC: case COL_RES_SRC: case COL_UNRES_SRC: - put_string(line_bufp + buf_offset, " <- ", 4); - buf_offset += 4; + put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5); + buf_offset += 5; break; default: @@ -3916,13 +3752,13 @@ print_columns(capture_file *cf) case COL_DEF_DL_DST: case COL_RES_DL_DST: case COL_UNRES_DL_DST: - switch (cf->cinfo.col_fmt[i + 1]) { + switch (cf->cinfo.columns[i+1].col_fmt) { case COL_DEF_DL_SRC: case COL_RES_DL_SRC: case COL_UNRES_DL_SRC: - put_string(line_bufp + buf_offset, " <- ", 4); - buf_offset += 4; + put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5); + buf_offset += 5; break; default: @@ -3935,13 +3771,13 @@ print_columns(capture_file *cf) case COL_DEF_NET_DST: case COL_RES_NET_DST: case COL_UNRES_NET_DST: - switch (cf->cinfo.col_fmt[i + 1]) { + switch (cf->cinfo.columns[i+1].col_fmt) { case COL_DEF_NET_SRC: case COL_RES_NET_SRC: case COL_UNRES_NET_SRC: - put_string(line_bufp + buf_offset, " <- ", 4); - buf_offset += 4; + put_string(line_bufp + buf_offset, " " UTF8_LEFTWARDS_ARROW " ", 5); + buf_offset += 5; break; default: @@ -3983,6 +3819,8 @@ print_packet(capture_file *cf, epan_dissect_t *edt) write_psml_columns(edt, stdout); return !ferror(stdout); case WRITE_FIELDS: /*No non-verbose "fields" format */ + case WRITE_JSON: + case WRITE_EK: g_assert_not_reached(); break; } @@ -4014,13 +3852,23 @@ print_packet(capture_file *cf, epan_dissect_t *edt) break; case WRITE_XML: - write_pdml_proto_tree(edt, stdout); + write_pdml_proto_tree(output_fields, protocolfilter, edt, stdout); printf("\n"); return !ferror(stdout); case WRITE_FIELDS: write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout); printf("\n"); return !ferror(stdout); + case WRITE_JSON: + print_args.print_hex = print_hex; + write_json_proto_tree(output_fields, &print_args, protocolfilter, edt, stdout); + printf("\n"); + return !ferror(stdout); + case WRITE_EK: + print_args.print_hex = print_hex; + write_ek_proto_tree(output_fields, &print_args, protocolfilter, edt, stdout); + printf("\n"); + return !ferror(stdout); } } if (print_hex) { @@ -4055,6 +3903,13 @@ write_finale(void) write_fields_finale(output_fields, stdout); return !ferror(stdout); + case WRITE_JSON: + write_json_finale(stdout); + return !ferror(stdout); + + case WRITE_EK: + return !ferror(stdout); + default: g_assert_not_reached(); return FALSE;