3 * Wireshark - Network traffic analyzer
4 * By Gerald Combs <gerald@wireshark.org>
5 * Copyright 1998 Gerald Combs
7 * Rawshark - Raw field extractor by Gerald Combs <gerald@wireshark.org>
8 * and Loris Degioanni <loris.degioanni@cacetech.com>
9 * Based on TShark, by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 * Rawshark does the following:
29 * - Opens a specified file or named pipe
30 * - Applies a specfied DLT or "decode as" encapsulation
31 * - Reads frames prepended with a libpcap packet header.
32 * - Prints a status line, followed by fields from a specified list.
56 #ifdef HAVE_SYS_STAT_H
57 # include <sys/stat.h>
61 #include "wsutil/wsgetopt.h"
65 #include <epan/epan-int.h>
66 #include <epan/epan.h>
67 #include <wsutil/crash_info.h>
68 #include <wsutil/privileges.h>
69 #include <wsutil/file_util.h>
70 #include <wsutil/filesystem.h>
71 #include <wsutil/plugins.h>
72 #include <wsutil/report_err.h>
73 #include <wsutil/copyright_info.h>
76 #include <epan/packet.h>
77 #include <epan/ftypes/ftypes-int.h>
79 #include "frame_tvbuff.h"
80 #include <epan/disabled_protos.h>
81 #include <epan/prefs.h>
82 #include <epan/column.h>
83 #include <epan/print.h>
84 #include <epan/addr_resolv.h>
86 #include "clopts_common.h"
87 #include "cmdarg_err.h"
88 #include "version_info.h"
90 #include "conditions.h"
91 #include "capture_stop_conditions.h"
92 #include "capture_ui_utils.h"
93 #include <epan/epan_dissect.h>
94 #include <epan/stat_cmd_args.h>
95 #include <epan/timestamp.h>
96 #include <wsutil/unicode-utils.h>
97 #include "epan/column-utils.h"
98 #include "epan/proto.h"
101 #include <wiretap/wtap.h>
102 #include <wiretap/libpcap.h>
103 #include <wiretap/pcap-encap.h>
105 #include <wsutil/ws_version_info.h>
109 #include "capture-pcap-util.h"
111 #include "capture-wpcap.h"
113 #endif /* HAVE_LIBPCAP */
117 #include <wsutil/unicode-utils.h>
122 * This is the template for the decode as option; it is shared between the
123 * various functions that output the usage for this parameter.
125 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
128 static guint32 cum_bytes;
129 static const frame_data *ref;
130 static frame_data ref_frame;
131 static frame_data *prev_dis;
132 static frame_data prev_dis_frame;
133 static frame_data *prev_cap;
134 static frame_data prev_cap_frame;
137 * The way the packet decode is to be written.
140 WRITE_TEXT, /* summary or detail text */
141 WRITE_XML /* PDML or PSML */
142 /* Add CSV and the like here */
145 static gboolean line_buffered;
146 static print_format_e print_format = PR_FMT_TEXT;
148 static gboolean want_pcap_pkthdr;
150 cf_status_t raw_cf_open(capture_file *cf, const char *fname);
151 static int load_cap_file(capture_file *cf);
152 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
153 struct wtap_pkthdr *whdr, const guchar *pd);
154 static void show_print_file_io_error(int err);
156 static void open_failure_message(const char *filename, int err,
157 gboolean for_writing);
158 static void failure_message(const char *msg_format, va_list ap);
159 static void read_failure_message(const char *filename, int err);
160 static void write_failure_message(const char *filename, int err);
161 static void protocolinfo_init(char *field);
162 static gboolean parse_field_string_format(char *format);
165 SF_NONE, /* No format (placeholder) */
166 SF_NAME, /* %D Field name / description */
167 SF_NUMVAL, /* %N Numeric value */
168 SF_STRVAL /* %S String value */
171 typedef struct string_fmt_s {
173 string_fmt_e format; /* Valid if plain is NULL */
179 dfilter_t *rfcodes[64];
181 dfilter_t *rfieldfcodes[64];
184 GPtrArray *string_fmts;
187 print_usage(gboolean print_ver)
195 "Dump and analyze network traffic.\n"
196 "See http://www.wireshark.org for more information.\n"
199 get_ws_vcs_version_info(), get_copyright_info());
203 fprintf(output, "\n");
204 fprintf(output, "Usage: rawshark [options] ...\n");
205 fprintf(output, "\n");
207 fprintf(output, "Input file:\n");
208 fprintf(output, " -r <infile> set the pipe or file name to read from\n");
210 fprintf(output, "\n");
211 fprintf(output, "Processing:\n");
212 fprintf(output, " -d <encap:linktype>|<proto:protoname>\n");
213 fprintf(output, " packet encapsulation or protocol\n");
214 fprintf(output, " -F <field> field to display\n");
215 fprintf(output, " -n disable all name resolution (def: all enabled)\n");
216 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
217 fprintf(output, " -p use the system's packet header format\n");
218 fprintf(output, " (which may have 64-bit timestamps)\n");
219 fprintf(output, " -R <read filter> packet filter in Wireshark display filter syntax\n");
220 fprintf(output, " -s skip PCAP header on input\n");
222 fprintf(output, "\n");
223 fprintf(output, "Output:\n");
224 fprintf(output, " -l flush output after each packet\n");
225 fprintf(output, " -S format string for fields\n");
226 fprintf(output, " (%%D - name, %%S - stringval, %%N numval)\n");
227 fprintf(output, " -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)\n");
229 fprintf(output, "\n");
230 fprintf(output, "Miscellaneous:\n");
231 fprintf(output, " -h display this help and exit\n");
232 fprintf(output, " -o <name>:<value> ... override preference setting\n");
233 fprintf(output, " -v display version info and exit\n");
237 log_func_ignore (const gchar *log_domain _U_, GLogLevelFlags log_level _U_,
238 const gchar *message _U_, gpointer user_data _U_)
243 * Open a pipe for raw input. This is a stripped-down version of
244 * pcap_loop.c:cap_pipe_open_live().
245 * We check if "pipe_name" is "-" (stdin) or a FIFO, and open it.
246 * @param pipe_name The name of the pipe or FIFO.
247 * @return A POSIX file descriptor on success, or -1 on failure.
250 raw_pipe_open(const char *pipe_name)
253 ws_statb64 pipe_stat;
255 char *pncopy, *pos = NULL;
262 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_raw_pipe: %s", pipe_name);
265 * XXX Rawshark blocks until we return
267 if (strcmp(pipe_name, "-") == 0) {
268 rfd = 0; /* read from stdin */
271 * This is needed to set the stdin pipe into binary mode, otherwise
272 * CR/LF are mangled...
274 _setmode(0, _O_BINARY);
278 if (ws_stat64(pipe_name, &pipe_stat) < 0) {
279 fprintf(stderr, "rawshark: The pipe %s could not be checked: %s\n",
280 pipe_name, g_strerror(errno));
283 if (! S_ISFIFO(pipe_stat.st_mode)) {
284 if (S_ISCHR(pipe_stat.st_mode)) {
286 * Assume the user specified an interface on a system where
287 * interfaces are in /dev. Pretend we haven't seen it.
291 fprintf(stderr, "rawshark: \"%s\" is neither an interface nor a pipe\n",
296 rfd = ws_open(pipe_name, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
298 fprintf(stderr, "rawshark: \"%s\" could not be opened: %s\n",
299 pipe_name, g_strerror(errno));
303 #define PIPE_STR "\\pipe\\"
304 /* Under Windows, named pipes _must_ have the form
305 * "\\<server>\pipe\<pipe_name>". <server> may be "." for localhost.
307 pncopy = g_strdup(pipe_name);
308 if (strstr(pncopy, "\\\\") == pncopy) {
309 pos = strchr(pncopy + 3, '\\');
310 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
317 fprintf(stderr, "rawshark: \"%s\" is neither an interface nor a pipe\n",
322 /* Wait for the pipe to appear */
324 hPipe = CreateFile(utf_8to16(pipe_name), GENERIC_READ, 0, NULL,
325 OPEN_EXISTING, 0, NULL);
327 if (hPipe != INVALID_HANDLE_VALUE)
330 err = GetLastError();
331 if (err != ERROR_PIPE_BUSY) {
332 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
333 NULL, err, 0, (LPTSTR) &err_str, 0, NULL);
334 fprintf(stderr, "rawshark: \"%s\" could not be opened: %s (error %d)\n",
335 pipe_name, utf_16to8(err_str), err);
340 if (!WaitNamedPipe(utf_8to16(pipe_name), 30 * 1000)) {
341 err = GetLastError();
342 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
343 NULL, err, 0, (LPTSTR) &err_str, 0, NULL);
344 fprintf(stderr, "rawshark: \"%s\" could not be waited for: %s (error %d)\n",
345 pipe_name, utf_16to8(err_str), err);
351 rfd = _open_osfhandle((long) hPipe, _O_RDONLY);
353 fprintf(stderr, "rawshark: \"%s\" could not be opened: %s\n",
354 pipe_name, g_strerror(errno));
364 * Parse a link-type argument of the form "encap:<pcap linktype>" or
365 * "proto:<proto name>". "Pcap linktype" must be a name conforming to
366 * pcap_datalink_name_to_val() or an integer; the integer should be
367 * a LINKTYPE_ value supported by Wiretap. "Proto name" must be
368 * a protocol name, e.g. "http".
371 set_link_type(const char *lt_arg) {
372 char *spec_ptr = strchr(lt_arg, ':');
376 dissector_handle_t dhandle;
384 if (strncmp(lt_arg, "encap:", strlen("encap:")) == 0) {
385 dlt_val = linktype_name_to_val(spec_ptr);
388 val = strtol(spec_ptr, &p, 10);
389 if (p == spec_ptr || *p != '\0' || errno != 0 || val > INT_MAX) {
395 * In those cases where a given link-layer header type
396 * has different LINKTYPE_ and DLT_ values, linktype_name_to_val()
397 * will return the OS's DLT_ value for that link-layer header
398 * type, not its OS-independent LINKTYPE_ value.
400 * On a given OS, wtap_pcap_encap_to_wtap_encap() should
401 * be able to map either LINKTYPE_ values or DLT_ values
402 * for the OS to the appropriate Wiretap encapsulation.
404 encap = wtap_pcap_encap_to_wtap_encap(dlt_val);
405 if (encap == WTAP_ENCAP_UNKNOWN) {
409 } else if (strncmp(lt_arg, "proto:", strlen("proto:")) == 0) {
410 dhandle = find_dissector(spec_ptr);
412 encap = WTAP_ENCAP_USER0;
413 pref_str = g_string_new("uat:user_dlts:");
414 /* This must match the format used in the user_dlts file */
415 g_string_append_printf(pref_str,
416 "\"User 0 (DLT=147)\",\"%s\",\"0\",\"\",\"0\",\"\"",
418 if (prefs_set_pref(pref_str->str) != PREFS_SET_OK) {
419 g_string_free(pref_str, TRUE);
422 g_string_free(pref_str, TRUE);
430 show_version(GString *comp_info_str, GString *runtime_info_str)
432 printf("Rawshark %s\n"
439 get_ws_vcs_version_info(), get_copyright_info(), comp_info_str->str,
440 runtime_info_str->str);
444 main(int argc, char *argv[])
446 GString *comp_info_str;
447 GString *runtime_info_str;
448 char *init_progfile_dir_error;
450 gboolean arg_error = FALSE;
456 char *gpf_path, *pf_path;
457 char *gdp_path, *dp_path;
458 int gpf_open_errno, gpf_read_errno;
459 int pf_open_errno, pf_read_errno;
460 int gdp_open_errno, gdp_read_errno;
461 int dp_open_errno, dp_read_errno;
463 gchar *pipe_name = NULL;
468 GPtrArray *disp_fields = g_ptr_array_new();
470 gboolean skip_pcap_header = FALSE;
472 #define OPTSTRING_INIT "d:F:hlnN:o:pr:R:sS:t:v"
474 static const char optstring[] = OPTSTRING_INIT;
476 /* Assemble the compile-time version information string */
477 comp_info_str = g_string_new("Compiled ");
478 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
480 /* Assemble the run-time version information string */
481 runtime_info_str = g_string_new("Running ");
482 get_runtime_version_info(runtime_info_str, NULL);
484 /* Add it to the information to be reported on a crash. */
485 ws_add_crash_info("Rawshark %s\n"
490 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
493 arg_list_utf_16to8(argc, argv);
494 create_app_running_mutex();
498 * Get credential information for later use.
500 init_process_policies();
503 * Clear the filters arrays
505 memset(rfilters, 0, sizeof(rfilters));
506 memset(rfcodes, 0, sizeof(rfcodes));
511 * Initialize our string format
513 string_fmts = g_ptr_array_new();
516 * Attempt to get the pathname of the executable file.
518 init_progfile_dir_error = init_progfile_dir(argv[0], main);
519 if (init_progfile_dir_error != NULL) {
520 fprintf(stderr, "rawshark: Can't get pathname of rawshark program: %s.\n",
521 init_progfile_dir_error);
525 * Get credential information for later use.
527 init_process_policies();
529 /* nothing more than the standard GLib handler, but without a warning */
531 G_LOG_LEVEL_WARNING |
532 G_LOG_LEVEL_MESSAGE |
536 g_log_set_handler(NULL,
537 (GLogLevelFlags)log_flags,
538 log_func_ignore, NULL /* user_data */);
539 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
540 (GLogLevelFlags)log_flags,
541 log_func_ignore, NULL /* user_data */);
543 init_report_err(failure_message, open_failure_message, read_failure_message,
544 write_failure_message);
546 timestamp_set_type(TS_RELATIVE);
547 timestamp_set_precision(TS_PREC_AUTO);
548 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
550 /* Register all dissectors; we must do this before checking for the
551 "-G" flag, as the "-G" flag dumps information registered by the
552 dissectors, and we must do it before we read the preferences, in
553 case any dissectors register preferences. */
554 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
556 /* Set the C-language locale to the native environment. */
557 setlocale(LC_ALL, "");
559 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
560 &pf_open_errno, &pf_read_errno, &pf_path);
561 if (gpf_path != NULL) {
562 if (gpf_open_errno != 0) {
563 cmdarg_err("Can't open global preferences file \"%s\": %s.",
564 pf_path, g_strerror(gpf_open_errno));
566 if (gpf_read_errno != 0) {
567 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
568 pf_path, g_strerror(gpf_read_errno));
571 if (pf_path != NULL) {
572 if (pf_open_errno != 0) {
573 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
574 g_strerror(pf_open_errno));
576 if (pf_read_errno != 0) {
577 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
578 pf_path, g_strerror(pf_read_errno));
584 /* Read the disabled protocols file. */
585 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
586 &dp_path, &dp_open_errno, &dp_read_errno);
587 if (gdp_path != NULL) {
588 if (gdp_open_errno != 0) {
589 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
590 gdp_path, g_strerror(gdp_open_errno));
592 if (gdp_read_errno != 0) {
593 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
594 gdp_path, g_strerror(gdp_read_errno));
598 if (dp_path != NULL) {
599 if (dp_open_errno != 0) {
601 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
602 g_strerror(dp_open_errno));
604 if (dp_read_errno != 0) {
606 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
607 g_strerror(dp_read_errno));
613 /* Load Wpcap, if possible */
617 cap_file_init(&cfile);
619 /* Print format defaults to this. */
620 print_format = PR_FMT_TEXT;
622 /* Initialize our encapsulation type */
623 encap = WTAP_ENCAP_UNKNOWN;
625 /* Now get our args */
626 /* XXX - We should probably have an option to dump libpcap link types */
627 while ((opt = getopt(argc, argv, optstring)) != -1) {
629 case 'd': /* Payload type */
630 if (!set_link_type(optarg)) {
631 cmdarg_err("Invalid link type or protocol \"%s\"", optarg);
635 case 'F': /* Read field to display */
636 g_ptr_array_add(disp_fields, g_strdup(optarg));
638 case 'h': /* Print help and exit */
642 case 'l': /* "Line-buffer" standard output */
643 /* This isn't line-buffering, strictly speaking, it's just
644 flushing the standard output after the information for
645 each packet is printed; however, that should be good
646 enough for all the purposes to which "-l" is put (and
647 is probably actually better for "-V", as it does fewer
650 See the comment in "process_packet()" for an explanation of
651 why we do that, and why we don't just use "setvbuf()" to
652 make the standard output line-buffered (short version: in
653 Windows, "line-buffered" is the same as "fully-buffered",
654 and the output buffer is only flushed when it fills up). */
655 line_buffered = TRUE;
657 case 'n': /* No name resolution */
658 gbl_resolv_flags.mac_name = FALSE;
659 gbl_resolv_flags.network_name = FALSE;
660 gbl_resolv_flags.transport_name = FALSE;
661 gbl_resolv_flags.concurrent_dns = FALSE;
663 case 'N': /* Select what types of addresses/port #s to resolve */
664 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
665 if (badopt != '\0') {
666 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are 'm', 'n', and 't'",
671 case 'o': /* Override preference from command line */
672 switch (prefs_set_pref(optarg)) {
677 case PREFS_SET_SYNTAX_ERR:
678 cmdarg_err("Invalid -o flag \"%s\"", optarg);
682 case PREFS_SET_NO_SUCH_PREF:
683 case PREFS_SET_OBSOLETE:
684 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
689 case 'p': /* Expect pcap_pkthdr packet headers, which may have 64-bit timestamps */
690 want_pcap_pkthdr = TRUE;
692 case 'r': /* Read capture file xxx */
693 pipe_name = g_strdup(optarg);
695 case 'R': /* Read file filter */
696 if(n_rfilters < (int) sizeof(rfilters) / (int) sizeof(rfilters[0])) {
697 rfilters[n_rfilters++] = optarg;
700 cmdarg_err("Too many display filters");
704 case 's': /* Skip PCAP header */
705 skip_pcap_header = TRUE;
707 case 'S': /* Print string representations */
708 if (!parse_field_string_format(optarg)) {
709 cmdarg_err("Invalid field string format");
713 case 't': /* Time stamp type */
714 if (strcmp(optarg, "r") == 0)
715 timestamp_set_type(TS_RELATIVE);
716 else if (strcmp(optarg, "a") == 0)
717 timestamp_set_type(TS_ABSOLUTE);
718 else if (strcmp(optarg, "ad") == 0)
719 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
720 else if (strcmp(optarg, "adoy") == 0)
721 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
722 else if (strcmp(optarg, "d") == 0)
723 timestamp_set_type(TS_DELTA);
724 else if (strcmp(optarg, "dd") == 0)
725 timestamp_set_type(TS_DELTA_DIS);
726 else if (strcmp(optarg, "e") == 0)
727 timestamp_set_type(TS_EPOCH);
728 else if (strcmp(optarg, "u") == 0)
729 timestamp_set_type(TS_UTC);
730 else if (strcmp(optarg, "ud") == 0)
731 timestamp_set_type(TS_UTC_WITH_YMD);
732 else if (strcmp(optarg, "udoy") == 0)
733 timestamp_set_type(TS_UTC_WITH_YDOY);
735 cmdarg_err("Invalid time stamp type \"%s\"",
738 "It must be \"a\" for absolute, \"ad\" for absolute with YYYY-MM-DD date,");
740 "\"adoy\" for absolute with YYYY/DOY date, \"d\" for delta,");
742 "\"dd\" for delta displayed, \"e\" for epoch, \"r\" for relative,");
744 "\"u\" for absolute UTC, \"ud\" for absolute UTC with YYYY-MM-DD date,");
746 "or \"udoy\" for absolute UTC with YYYY/DOY date.");
750 case 'v': /* Show version and exit */
752 show_version(comp_info_str, runtime_info_str);
753 g_string_free(comp_info_str, TRUE);
754 g_string_free(runtime_info_str, TRUE);
759 case '?': /* Bad flag - print usage message */
766 /* Notify all registered modules that have had any of their preferences
767 changed either from one of the preferences file or from the command
768 line that their preferences have changed.
769 Initialize preferences before display filters, otherwise modules
770 like MATE won't work. */
773 /* Initialize our display fields */
774 for (fc = 0; fc < disp_fields->len; fc++) {
775 protocolinfo_init((char *)g_ptr_array_index(disp_fields, fc));
777 g_ptr_array_free(disp_fields, TRUE);
781 /* If no capture filter or read filter has been specified, and there are
782 still command-line arguments, treat them as the tokens of a capture
783 filter (if no "-r" flag was specified) or a read filter (if a "-r"
784 flag was specified. */
786 if (pipe_name != NULL) {
787 if (n_rfilters != 0) {
788 cmdarg_err("Read filters were specified both with \"-R\" "
789 "and with additional command-line arguments");
792 rfilters[n_rfilters] = get_args_as_string(argc, argv, optind);
796 /* Make sure we got a dissector handle for our payload. */
797 if (encap == WTAP_ENCAP_UNKNOWN) {
798 cmdarg_err("No valid payload dissector specified.");
809 /* Start windows sockets */
810 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
813 /* At this point MATE will have registered its field array so we can
814 have a tap filter with one of MATE's late-registered fields as part
815 of the filter. We can now process all the "-z" arguments. */
816 start_requested_stats();
818 /* disabled protocols as per configuration file */
819 if (gdp_path == NULL && dp_path == NULL) {
820 set_disabled_protos_list();
823 /* Build the column format array */
824 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
826 if (n_rfilters != 0) {
827 for (i = 0; i < n_rfilters; i++) {
828 if (!dfilter_compile(rfilters[i], &rfcodes[n_rfcodes])) {
829 cmdarg_err("%s", dfilter_error_msg);
830 epan_free(cfile.epan);
840 * We're reading a pipe (or capture file).
844 * Immediately relinquish any special privileges we have; we must not
845 * be allowed to read any capture files the user running Rawshark
848 relinquish_special_privs_perm();
850 if (raw_cf_open(&cfile, pipe_name) != CF_OK) {
851 epan_free(cfile.epan);
856 /* Do we need to PCAP header and magic? */
857 if (skip_pcap_header) {
858 size_t bytes_left = sizeof(struct pcap_hdr) + sizeof(guint32);
859 gchar buf[sizeof(struct pcap_hdr) + sizeof(guint32)];
860 while (bytes_left != 0) {
861 ssize_t bytes = read(fd, buf, (int)bytes_left);
863 cmdarg_err("Not enough bytes for pcap header.");
870 /* Set timestamp precision; there should arguably be a command-line
871 option to let the user set this. */
873 switch(wtap_file_tsprecision(cfile.wth)) {
874 case(WTAP_FILE_TSPREC_SEC):
875 timestamp_set_precision(TS_PREC_AUTO_SEC);
877 case(WTAP_FILE_TSPREC_DSEC):
878 timestamp_set_precision(TS_PREC_AUTO_DSEC);
880 case(WTAP_FILE_TSPREC_CSEC):
881 timestamp_set_precision(TS_PREC_AUTO_CSEC);
883 case(WTAP_FILE_TSPREC_MSEC):
884 timestamp_set_precision(TS_PREC_AUTO_MSEC);
886 case(WTAP_FILE_TSPREC_USEC):
887 timestamp_set_precision(TS_PREC_AUTO_USEC);
889 case(WTAP_FILE_TSPREC_NSEC):
890 timestamp_set_precision(TS_PREC_AUTO_NSEC);
893 g_assert_not_reached();
896 timestamp_set_precision(TS_PREC_AUTO_USEC);
899 /* Process the packets in the file */
900 err = load_cap_file(&cfile);
903 epan_free(cfile.epan);
908 /* If you want to capture live packets, use TShark. */
909 cmdarg_err("Input file or pipe name not specified.");
913 epan_free(cfile.epan);
920 * Read data from a raw pipe. The "raw" data consists of a libpcap
921 * packet header followed by the payload.
922 * @param pd [IN] A POSIX file descriptor. Because that's _exactly_ the sort
923 * of thing you want to use in Windows.
924 * @param phdr [OUT] Packet header information.
925 * @param err [OUT] Error indicator. Uses wiretap values.
926 * @param err_info [OUT] Error message.
927 * @param data_offset [OUT] data offset in the pipe.
928 * @return TRUE on success, FALSE on failure.
931 raw_pipe_read(struct wtap_pkthdr *phdr, guchar * pd, int *err, const gchar **err_info, gint64 *data_offset) {
932 struct pcap_pkthdr mem_hdr;
933 struct pcaprec_hdr disk_hdr;
934 ssize_t bytes_read = 0;
935 size_t bytes_needed = sizeof(disk_hdr);
936 guchar *ptr = (guchar*) &disk_hdr;
937 static gchar err_str[100];
939 if (want_pcap_pkthdr) {
940 bytes_needed = sizeof(mem_hdr);
941 ptr = (guchar*) &mem_hdr;
944 /* Copied from capture_loop.c */
945 while (bytes_needed > 0) {
946 bytes_read = read(fd, ptr, (int)bytes_needed);
947 if (bytes_read == 0) {
950 } else if (bytes_read < 0) {
951 *err = WTAP_ERR_CANT_READ;
952 *err_info = "Error reading header from pipe";
955 bytes_needed -= bytes_read;
956 *data_offset += bytes_read;
960 if (want_pcap_pkthdr) {
961 phdr->ts.secs = mem_hdr.ts.tv_sec;
962 phdr->ts.nsecs = (gint32)mem_hdr.ts.tv_usec * 1000;
963 phdr->caplen = mem_hdr.caplen;
964 phdr->len = mem_hdr.len;
966 phdr->ts.secs = disk_hdr.ts_sec;
967 phdr->ts.nsecs = disk_hdr.ts_usec * 1000;
968 phdr->caplen = disk_hdr.incl_len;
969 phdr->len = disk_hdr.orig_len;
971 bytes_needed = phdr->caplen;
973 phdr->pkt_encap = encap;
976 printf("mem_hdr: %lu disk_hdr: %lu\n", sizeof(mem_hdr), sizeof(disk_hdr));
977 printf("tv_sec: %u (%04x)\n", (unsigned int) phdr->ts.secs, (unsigned int) phdr->ts.secs);
978 printf("tv_nsec: %d (%04x)\n", phdr->ts.nsecs, phdr->ts.nsecs);
979 printf("caplen: %d (%04x)\n", phdr->caplen, phdr->caplen);
980 printf("len: %d (%04x)\n", phdr->len, phdr->len);
982 if (bytes_needed > WTAP_MAX_PACKET_SIZE) {
983 *err = WTAP_ERR_BAD_FILE;
984 g_snprintf(err_str, 100, "Bad packet length: %lu\n",
985 (unsigned long) bytes_needed);
991 while (bytes_needed > 0) {
992 bytes_read = read(fd, ptr, (int)bytes_needed);
993 if (bytes_read == 0) {
994 *err = WTAP_ERR_SHORT_READ;
995 *err_info = "Got zero bytes reading data from pipe";
997 } else if (bytes_read < 0) {
998 *err = WTAP_ERR_CANT_READ;
999 *err_info = "Error reading data from pipe";
1002 bytes_needed -= bytes_read;
1003 *data_offset += bytes_read;
1010 load_cap_file(capture_file *cf)
1013 const gchar *err_info;
1014 gint64 data_offset = 0;
1016 guchar pd[WTAP_MAX_PACKET_SIZE];
1017 struct wtap_pkthdr phdr;
1020 memset(&phdr, 0, sizeof(phdr));
1022 epan_dissect_init(&edt, cf->epan, TRUE, FALSE);
1024 while (raw_pipe_read(&phdr, pd, &err, &err_info, &data_offset)) {
1025 process_packet(cf, &edt, data_offset, &phdr, pd);
1028 epan_dissect_cleanup(&edt);
1031 /* Print a message noting that the read failed somewhere along the line. */
1034 case WTAP_ERR_UNSUPPORTED_ENCAP:
1035 cmdarg_err("The file \"%s\" has a packet with a network type that Rawshark doesn't support.\n(%s)",
1036 cf->filename, err_info);
1039 case WTAP_ERR_CANT_READ:
1040 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
1044 case WTAP_ERR_SHORT_READ:
1045 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
1049 case WTAP_ERR_BAD_FILE:
1050 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
1051 cf->filename, err_info);
1054 case WTAP_ERR_DECOMPRESS:
1055 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n(%s)",
1056 cf->filename, err_info);
1060 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
1061 cf->filename, wtap_strerror(err));
1070 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
1071 struct wtap_pkthdr *whdr, const guchar *pd)
1079 /* The user sends an empty packet when he wants to get output from us even if we don't currently have
1080 packets to process. We spit out a line with the timestamp and the text "void"
1082 printf("%lu %lu %lu void -\n", (unsigned long int)cf->count,
1083 (unsigned long int)whdr->ts.secs,
1084 (unsigned long int)whdr->ts.nsecs);
1091 /* Count this packet. */
1094 /* If we're going to print packet information, or we're going to
1095 run a read filter, or we're going to process taps, set up to
1096 do a dissection and do so. */
1097 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
1101 /* If we're running a read filter, prime the epan_dissect_t with that
1103 if (n_rfilters > 0) {
1104 for(i = 0; i < n_rfcodes; i++) {
1105 epan_dissect_prime_dfilter(edt, rfcodes[i]);
1109 printf("%lu", (unsigned long int) cf->count);
1111 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
1114 if (ref == &fdata) {
1119 /* We only need the columns if we're printing packet info but we're
1120 *not* verbose; in verbose mode, we print the protocol tree, not
1121 the protocol summary. */
1122 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, &cf->cinfo);
1124 frame_data_set_after_dissect(&fdata, &cum_bytes);
1125 prev_dis_frame = fdata;
1126 prev_dis = &prev_dis_frame;
1128 prev_cap_frame = fdata;
1129 prev_cap = &prev_cap_frame;
1131 for(i = 0; i < n_rfilters; i++) {
1132 /* Run the read filter if we have one. */
1134 passed = dfilter_apply_edt(rfcodes[i], edt);
1138 /* Print a one-line summary */
1139 printf(" %u", passed ? 1 : 0);
1144 /* The ANSI C standard does not appear to *require* that a line-buffered
1145 stream be flushed to the host environment whenever a newline is
1146 written, it just says that, on such a stream, characters "are
1147 intended to be transmitted to or from the host environment as a
1148 block when a new-line character is encountered".
1150 The Visual C++ 6.0 C implementation doesn't do what is intended;
1151 even if you set a stream to be line-buffered, it still doesn't
1152 flush the buffer at the end of every line.
1154 So, if the "-l" flag was specified, we flush the standard output
1155 at the end of a packet. This will do the right thing if we're
1156 printing packet summary lines, and, as we print the entire protocol
1157 tree for a single packet without waiting for anything to happen,
1158 it should be as good as line-buffered mode if we're printing
1159 protocol trees. (The whole reason for the "-l" flag in either
1160 tcpdump or Rawshark is to allow the output of a live capture to
1161 be piped to a program or script and to have that script see the
1162 information for the packet as soon as it's printed, rather than
1163 having to wait until a standard I/O buffer fills up. */
1167 if (ferror(stdout)) {
1168 show_print_file_io_error(errno);
1172 epan_dissect_reset(edt);
1173 frame_data_destroy(&fdata);
1178 /****************************************************************************************
1179 * FIELD EXTRACTION ROUTINES
1180 ****************************************************************************************/
1181 typedef struct _pci_t {
1187 static const char* ftenum_to_string(header_field_info *hfi)
1193 if (string_fmts->len > 0 && hfi->strings) {
1201 return "FT_PROTOCOL";
1203 return "FT_BOOLEAN";
1228 case FT_ABSOLUTE_TIME:
1229 return "FT_ABSOLUTE_TIME";
1230 case FT_RELATIVE_TIME:
1231 return "FT_RELATIVE_TIME";
1235 return "FT_STRINGZ";
1236 case FT_UINT_STRING:
1237 return "FT_UINT_STRING";
1243 return "FT_UINT_BYTES";
1251 return "FT_FRAMENUM";
1259 return "FT_REL_OID";
1261 return "FT_SYSTEM_ID";
1263 return "FT_STRIGZPAD";
1265 return "FT_NUM_TYPES";
1271 static const char* absolute_time_display_e_to_string(absolute_time_display_e atd)
1274 case ABSOLUTE_TIME_LOCAL:
1275 return "ABSOLUTE_TIME_LOCAL";
1276 case ABSOLUTE_TIME_UTC:
1277 return "ABSOLUTE_TIME_UTC";
1283 static const char* field_display_e_to_string(field_display_e bd)
1295 return "BASE_DEC_HEX";
1297 return "BASE_HEX_DEC";
1304 * Copied from various parts of proto.c
1306 #define FIELD_STR_INIT_LEN 256
1307 #define cVALS(x) (const value_string*)(x)
1308 static gboolean print_field_value(field_info *finfo, int cmd_line_index)
1310 header_field_info *hfinfo;
1311 static char *fs_buf = NULL;
1312 char *fs_ptr = fs_buf;
1313 static GString *label_s = NULL;
1314 int fs_buf_len = FIELD_STR_INIT_LEN, fs_len;
1321 const true_false_string *tfstring = &tfs_true_false;
1323 hfinfo = finfo->hfinfo;
1326 fs_buf = (char *)g_malloc(fs_buf_len + 1);
1331 label_s = g_string_new("");
1334 if(finfo->value.ftype->val_to_string_repr)
1337 * this field has an associated value,
1340 fs_len = fvalue_string_repr_len(&finfo->value, FTREPR_DFILTER);
1341 while (fs_buf_len < fs_len) {
1343 fs_buf = (char *)g_realloc(fs_buf, fs_buf_len + 1);
1346 fvalue_to_string_repr(&finfo->value,
1350 /* String types are quoted. Remove them. */
1351 if (IS_FT_STRING(finfo->value.ftype->ftype) && fs_len > 2) {
1352 fs_buf[fs_len - 1] = '\0';
1357 if (string_fmts->len > 0 && finfo->hfinfo->strings) {
1358 g_string_truncate(label_s, 0);
1359 for (i = 0; i < string_fmts->len; i++) {
1360 sf = (string_fmt_t *)g_ptr_array_index(string_fmts, i);
1362 g_string_append(label_s, sf->plain);
1364 switch (sf->format) {
1366 g_string_append(label_s, hfinfo->name);
1369 g_string_append(label_s, fs_ptr);
1372 switch(hfinfo->type) {
1374 uvalue = fvalue_get_uinteger(&finfo->value);
1375 tfstring = (const struct true_false_string*) hfinfo->strings;
1376 g_string_append(label_s, uvalue ? tfstring->true_string : tfstring->false_string);
1382 DISSECTOR_ASSERT(!hfinfo->bitmask);
1383 svalue = fvalue_get_sinteger(&finfo->value);
1384 if (hfinfo->display & BASE_RANGE_STRING) {
1385 g_string_append(label_s, rval_to_str_const(svalue, RVALS(hfinfo->strings), "Unknown"));
1386 } else if (hfinfo->display & BASE_EXT_STRING) {
1387 g_string_append(label_s, val_to_str_ext_const(svalue, (const value_string_ext *) hfinfo->strings, "Unknown"));
1389 g_string_append(label_s, val_to_str_const(svalue, cVALS(hfinfo->strings), "Unknown"));
1393 DISSECTOR_ASSERT(!hfinfo->bitmask);
1394 svalue64 = (gint64)fvalue_get_integer64(&finfo->value);
1395 if (hfinfo->display & BASE_VAL64_STRING) {
1396 g_string_append(label_s, val64_to_str_const(svalue64, (const val64_string *)(hfinfo->strings), "Unknown"));
1403 uvalue = fvalue_get_uinteger(&finfo->value);
1404 if (!hfinfo->bitmask && hfinfo->display & BASE_RANGE_STRING) {
1405 g_string_append(label_s, rval_to_str_const(uvalue, RVALS(hfinfo->strings), "Unknown"));
1406 } else if (hfinfo->display & BASE_EXT_STRING) {
1407 g_string_append(label_s, val_to_str_ext_const(uvalue, (const value_string_ext *) hfinfo->strings, "Unknown"));
1409 g_string_append(label_s, val_to_str_const(uvalue, cVALS(hfinfo->strings), "Unknown"));
1413 DISSECTOR_ASSERT(!hfinfo->bitmask);
1414 uvalue64 = fvalue_get_integer64(&finfo->value);
1415 if (hfinfo->display & BASE_VAL64_STRING) {
1416 g_string_append(label_s, val64_to_str_const(uvalue64, (const val64_string *)(hfinfo->strings), "Unknown"));
1428 printf(" %u=\"%s\"", cmd_line_index, label_s->str);
1432 if(finfo->value.ftype->val_to_string_repr)
1434 printf(" %u=\"%s\"", cmd_line_index, fs_ptr);
1439 * This field doesn't have an associated value,
1443 printf(" %u=\"n.a.\"", cmd_line_index);
1448 protocolinfo_packet(void *prs, packet_info *pinfo _U_, epan_dissect_t *edt, const void *dummy _U_)
1450 pci_t *rs=(pci_t *)prs;
1454 gp=proto_get_finfo_ptr_array(edt->tree, rs->hf_index);
1461 * Print each occurrence of the field
1463 for (i = 0; i < gp->len; i++) {
1464 print_field_value((field_info *)gp->pdata[i], rs->cmd_line_index);
1470 int g_cmd_line_index = 0;
1473 * field must be persistent - we don't g_strdup() it below
1476 protocolinfo_init(char *field)
1479 header_field_info *hfi;
1480 GString *error_string;
1482 hfi=proto_registrar_get_byname(field);
1484 fprintf(stderr, "rawshark: Field \"%s\" doesn't exist.\n", field);
1488 switch (hfi->type) {
1490 case FT_ABSOLUTE_TIME:
1491 printf("%u %s %s - ",
1493 ftenum_to_string(hfi),
1494 absolute_time_display_e_to_string((absolute_time_display_e)hfi->display));
1498 printf("%u %s %s - ",
1500 ftenum_to_string(hfi),
1501 field_display_e_to_string((field_display_e)hfi->display));
1505 rs=(pci_t *)g_malloc(sizeof(pci_t));
1506 rs->hf_index=hfi->id;
1508 rs->cmd_line_index = g_cmd_line_index++;
1510 error_string=register_tap_listener("frame", rs, rs->filter, TL_REQUIRES_PROTO_TREE, NULL, protocolinfo_packet, NULL);
1512 /* error, we failed to attach to the tap. complain and clean up */
1513 fprintf(stderr, "rawshark: Couldn't register field extraction tap: %s\n",
1515 g_string_free(error_string, TRUE);
1526 * Given a format string, split it into a GPtrArray of string_fmt_t structs
1527 * and fill in string_fmt_parts.
1531 add_string_fmt(string_fmt_e format, gchar *plain) {
1532 string_fmt_t *sf = (string_fmt_t *)g_malloc(sizeof(string_fmt_t));
1534 sf->format = format;
1535 sf->plain = g_strdup(plain);
1537 g_ptr_array_add(string_fmts, sf);
1541 parse_field_string_format(gchar *format) {
1542 GString *plain_s = g_string_new("");
1550 len = strlen(format);
1551 g_ptr_array_set_size(string_fmts, 0);
1554 if (format[pos] == '%') {
1555 if (pos >= len) { /* There should always be a following character */
1559 if (plain_s->len > 0) {
1560 add_string_fmt(SF_NONE, plain_s->str);
1561 g_string_truncate(plain_s, 0);
1563 switch (format[pos]) {
1565 add_string_fmt(SF_NAME, NULL);
1568 add_string_fmt(SF_NUMVAL, NULL);
1571 add_string_fmt(SF_STRVAL, NULL);
1574 g_string_append_c(plain_s, '%');
1576 default: /* Invalid format */
1580 g_string_append_c(plain_s, format[pos]);
1585 if (plain_s->len > 0) {
1586 add_string_fmt(SF_NONE, plain_s->str);
1588 g_string_free(plain_s, TRUE);
1592 /****************************************************************************************
1593 * END OF FIELD EXTRACTION ROUTINES
1594 ****************************************************************************************/
1597 show_print_file_io_error(int err)
1602 cmdarg_err("Not all the packets could be printed because there is "
1603 "no space left on the file system.");
1608 cmdarg_err("Not all the packets could be printed because you are "
1609 "too close to, or over your disk quota.");
1614 cmdarg_err("An error occurred while printing packets: %s.",
1621 * Open/create errors are reported with an console message in Rawshark.
1624 open_failure_message(const char *filename, int err, gboolean for_writing)
1626 fprintf(stderr, "rawshark: ");
1627 fprintf(stderr, file_open_error_message(err, for_writing), filename);
1628 fprintf(stderr, "\n");
1631 static const nstime_t *
1632 raw_get_frame_ts(void *data _U_, guint32 frame_num)
1634 if (ref && ref->num == frame_num)
1635 return &ref->abs_ts;
1637 if (prev_dis && prev_dis->num == frame_num)
1638 return &prev_dis->abs_ts;
1640 if (prev_cap && prev_cap->num == frame_num)
1641 return &prev_cap->abs_ts;
1647 raw_epan_new(capture_file *cf)
1649 epan_t *epan = epan_new();
1652 epan->get_frame_ts = raw_get_frame_ts;
1653 epan->get_interface_name = cap_file_get_interface_name;
1654 epan->get_user_comment = NULL;
1660 raw_cf_open(capture_file *cf, const char *fname)
1662 if ((fd = raw_pipe_open(fname)) < 0)
1665 /* The open succeeded. Fill in the information for this file. */
1667 /* Create new epan session for dissection. */
1668 epan_free(cf->epan);
1669 cf->epan = raw_epan_new(cf);
1672 cf->f_datalen = 0; /* not used, but set it anyway */
1674 /* Set the file name because we need it to set the follow stream filter.
1675 XXX - is that still true? We need it for other reasons, though,
1677 cf->filename = g_strdup(fname);
1679 /* Indicate whether it's a permanent or temporary file. */
1680 cf->is_tempfile = FALSE;
1682 /* No user changes yet. */
1683 cf->unsaved_changes = FALSE;
1685 cf->cd_t = WTAP_FILE_TYPE_SUBTYPE_UNKNOWN;
1686 cf->open_type = WTAP_TYPE_AUTO;
1688 cf->drops_known = FALSE;
1690 cf->has_snap = FALSE;
1691 cf->snap = WTAP_MAX_PACKET_SIZE;
1692 nstime_set_zero(&cf->elapsed_time);
1702 * General errors are reported with an console message in Rawshark.
1705 failure_message(const char *msg_format, va_list ap)
1707 fprintf(stderr, "rawshark: ");
1708 vfprintf(stderr, msg_format, ap);
1709 fprintf(stderr, "\n");
1713 * Read errors are reported with an console message in Rawshark.
1716 read_failure_message(const char *filename, int err)
1718 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
1719 filename, g_strerror(err));
1723 * Write errors are reported with an console message in Rawshark.
1726 write_failure_message(const char *filename, int err)
1728 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
1729 filename, g_strerror(err));
1733 * Report an error in command-line arguments.
1736 cmdarg_err(const char *fmt, ...)
1741 fprintf(stderr, "rawshark: ");
1742 vfprintf(stderr, fmt, ap);
1743 fprintf(stderr, "\n");
1748 * Report additional information for an error in command-line arguments.
1751 cmdarg_err_cont(const char *fmt, ...)
1756 vfprintf(stderr, fmt, ap);
1757 fprintf(stderr, "\n");
1768 * indent-tabs-mode: nil
1771 * ex: set shiftwidth=4 tabstop=8 expandtab:
1772 * :indentSize=4:tabSize=8:noTabs=true: