5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * Rawshark - Raw field extractor by Gerald Combs <gerald@wireshark.org>
10 * and Loris Degioanni <loris.degioanni@cacetech.com>
11 * Based on TShark, by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris
14 * This program is free software; you can redistribute it and/or
15 * modify it under the terms of the GNU General Public License
16 * as published by the Free Software Foundation; either version 2
17 * of the License, or (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
30 * Rawshark does the following:
31 * - Opens a specified file or named pipe
32 * - Applies a specfied DLT or "decode as" encapsulation
33 * - Reads frames prepended with a libpcap packet header.
34 * - Prints a status line, followed by fields from a specified list.
58 #ifdef HAVE_SYS_STAT_H
59 # include <sys/stat.h>
63 #include "wsutil/wsgetopt.h"
67 #include <epan/epan-int.h>
68 #include <epan/epan.h>
69 #include <epan/filesystem.h>
70 #include <wsutil/crash_info.h>
71 #include <wsutil/privileges.h>
72 #include <wsutil/file_util.h>
75 #include <epan/packet.h>
77 #include "frame_tvbuff.h"
78 #include <epan/disabled_protos.h>
79 #include <epan/prefs.h>
80 #include <epan/column.h>
81 #include <epan/print.h>
82 #include <epan/addr_resolv.h>
84 #include "clopts_common.h"
85 #include "cmdarg_err.h"
86 #include "version_info.h"
87 #include <epan/plugins.h>
89 #include "conditions.h"
90 #include "capture_stop_conditions.h"
91 #include "capture_ui_utils.h"
92 #include <epan/epan_dissect.h>
93 #include <epan/stat_cmd_args.h>
94 #include <epan/timestamp.h>
95 #include <wsutil/unicode-utils.h>
96 #include "epan/column-utils.h"
97 #include "epan/proto.h"
100 #include <wiretap/wtap.h>
101 #include <wiretap/libpcap.h>
102 #include <wiretap/pcap-encap.h>
106 #include "capture-pcap-util.h"
108 #include "capture-wpcap.h"
110 #endif /* HAVE_LIBPCAP */
114 #include <wsutil/unicode-utils.h>
118 * This is the template for the decode as option; it is shared between the
119 * various functions that output the usage for this parameter.
121 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
123 static guint32 cum_bytes;
124 static const frame_data *ref;
125 static frame_data ref_frame;
126 static frame_data *prev_dis;
127 static frame_data prev_dis_frame;
128 static frame_data *prev_cap;
129 static frame_data prev_cap_frame;
132 * The way the packet decode is to be written.
135 WRITE_TEXT, /* summary or detail text */
136 WRITE_XML /* PDML or PSML */
137 /* Add CSV and the like here */
140 static gboolean line_buffered;
141 static print_format_e print_format = PR_FMT_TEXT;
143 static gboolean want_pcap_pkthdr;
145 cf_status_t raw_cf_open(capture_file *cf, const char *fname);
146 static int load_cap_file(capture_file *cf);
147 static gboolean process_packet(capture_file *cf, gint64 offset,
148 struct wtap_pkthdr *whdr, const guchar *pd);
149 static void show_print_file_io_error(int err);
151 static void open_failure_message(const char *filename, int err,
152 gboolean for_writing);
153 static void failure_message(const char *msg_format, va_list ap);
154 static void read_failure_message(const char *filename, int err);
155 static void write_failure_message(const char *filename, int err);
156 static void protocolinfo_init(char *field);
157 static gboolean parse_field_string_format(char *format);
160 SF_NONE, /* No format (placeholder) */
161 SF_NAME, /* %D Field name / description */
162 SF_NUMVAL, /* %N Numeric value */
163 SF_STRVAL /* %S String value */
166 typedef struct string_fmt_s {
168 string_fmt_e format; /* Valid if plain is NULL */
174 dfilter_t *rfcodes[64];
176 dfilter_t *rfieldfcodes[64];
179 GPtrArray *string_fmts;
182 print_usage(gboolean print_ver)
189 "Rawshark " VERSION "%s\n"
190 "Dump and analyze network traffic.\n"
191 "See http://www.wireshark.org for more information.\n"
194 wireshark_svnversion, get_copyright_info());
198 fprintf(output, "\n");
199 fprintf(output, "Usage: rawshark [options] ...\n");
200 fprintf(output, "\n");
202 fprintf(output, "Input file:\n");
203 fprintf(output, " -r <infile> set the pipe or file name to read from\n");
205 fprintf(output, "\n");
206 fprintf(output, "Processing:\n");
207 fprintf(output, " -d <encap:linktype>|<proto:protoname>\n");
208 fprintf(output, " packet encapsulation or protocol\n");
209 fprintf(output, " -F <field> field to display\n");
210 fprintf(output, " -n disable all name resolution (def: all enabled)\n");
211 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
212 fprintf(output, " -p use the system's packet header format\n");
213 fprintf(output, " (which may have 64-bit timestamps)\n");
214 fprintf(output, " -R <read filter> packet filter in Wireshark display filter syntax\n");
215 fprintf(output, " -s skip PCAP header on input\n");
217 fprintf(output, "\n");
218 fprintf(output, "Output:\n");
219 fprintf(output, " -l flush output after each packet\n");
220 fprintf(output, " -S format string for fields\n");
221 fprintf(output, " (%%D - name, %%S - stringval, %%N numval)\n");
222 fprintf(output, " -t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)\n");
224 fprintf(output, "\n");
225 fprintf(output, "Miscellaneous:\n");
226 fprintf(output, " -h display this help and exit\n");
227 fprintf(output, " -o <name>:<value> ... override preference setting\n");
228 fprintf(output, " -v display version info and exit\n");
232 log_func_ignore (const gchar *log_domain _U_, GLogLevelFlags log_level _U_,
233 const gchar *message _U_, gpointer user_data _U_)
238 * Open a pipe for raw input. This is a stripped-down version of
239 * pcap_loop.c:cap_pipe_open_live().
240 * We check if "pipe_name" is "-" (stdin) or a FIFO, and open it.
241 * @param pipe_name The name of the pipe or FIFO.
242 * @return A POSIX file descriptor on success, or -1 on failure.
245 raw_pipe_open(const char *pipe_name)
248 ws_statb64 pipe_stat;
250 char *pncopy, *pos = NULL;
257 g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG, "open_raw_pipe: %s", pipe_name);
260 * XXX Rawshark blocks until we return
262 if (strcmp(pipe_name, "-") == 0) {
263 rfd = 0; /* read from stdin */
266 * This is needed to set the stdin pipe into binary mode, otherwise
267 * CR/LF are mangled...
269 _setmode(0, _O_BINARY);
273 if (ws_stat64(pipe_name, &pipe_stat) < 0) {
274 fprintf(stderr, "rawshark: The pipe %s could not be checked: %s\n",
275 pipe_name, g_strerror(errno));
278 if (! S_ISFIFO(pipe_stat.st_mode)) {
279 if (S_ISCHR(pipe_stat.st_mode)) {
281 * Assume the user specified an interface on a system where
282 * interfaces are in /dev. Pretend we haven't seen it.
286 fprintf(stderr, "rawshark: \"%s\" is neither an interface nor a pipe\n",
291 rfd = ws_open(pipe_name, O_RDONLY | O_NONBLOCK, 0000 /* no creation so don't matter */);
293 fprintf(stderr, "rawshark: \"%s\" could not be opened: %s\n",
294 pipe_name, g_strerror(errno));
298 #define PIPE_STR "\\pipe\\"
299 /* Under Windows, named pipes _must_ have the form
300 * "\\<server>\pipe\<pipe_name>". <server> may be "." for localhost.
302 pncopy = g_strdup(pipe_name);
303 if (strstr(pncopy, "\\\\") == pncopy) {
304 pos = strchr(pncopy + 3, '\\');
305 if (pos && g_ascii_strncasecmp(pos, PIPE_STR, strlen(PIPE_STR)) != 0)
312 fprintf(stderr, "rawshark: \"%s\" is neither an interface nor a pipe\n",
317 /* Wait for the pipe to appear */
319 hPipe = CreateFile(utf_8to16(pipe_name), GENERIC_READ, 0, NULL,
320 OPEN_EXISTING, 0, NULL);
322 if (hPipe != INVALID_HANDLE_VALUE)
325 err = GetLastError();
326 if (err != ERROR_PIPE_BUSY) {
327 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
328 NULL, err, 0, (LPTSTR) &err_str, 0, NULL);
329 fprintf(stderr, "rawshark: \"%s\" could not be opened: %s (error %d)\n",
330 pipe_name, utf_16to8(err_str), err);
335 if (!WaitNamedPipe(utf_8to16(pipe_name), 30 * 1000)) {
336 err = GetLastError();
337 FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,
338 NULL, err, 0, (LPTSTR) &err_str, 0, NULL);
339 fprintf(stderr, "rawshark: \"%s\" could not be waited for: %s (error %d)\n",
340 pipe_name, utf_16to8(err_str), err);
346 rfd = _open_osfhandle((long) hPipe, _O_RDONLY);
348 fprintf(stderr, "rawshark: \"%s\" could not be opened: %s\n",
349 pipe_name, g_strerror(errno));
359 * Parse a link-type argument of the form "encap:<pcap linktype>" or
360 * "proto:<proto name>". "Pcap linktype" must be a name conforming to
361 * pcap_datalink_name_to_val() or an integer; the integer should be
362 * a LINKTYPE_ value supported by Wiretap. "Proto name" must be
363 * a protocol name, e.g. "http".
366 set_link_type(const char *lt_arg) {
367 char *spec_ptr = strchr(lt_arg, ':');
371 dissector_handle_t dhandle;
379 if (strncmp(lt_arg, "encap:", strlen("encap:")) == 0) {
380 dlt_val = linktype_name_to_val(spec_ptr);
383 val = strtol(spec_ptr, &p, 10);
384 if (p == spec_ptr || *p != '\0' || errno != 0 || val > INT_MAX) {
390 * In those cases where a given link-layer header type
391 * has different LINKTYPE_ and DLT_ values, linktype_name_to_val()
392 * will return the OS's DLT_ value for that link-layer header
393 * type, not its OS-independent LINKTYPE_ value.
395 * On a given OS, wtap_pcap_encap_to_wtap_encap() should
396 * be able to map either LINKTYPE_ values or DLT_ values
397 * for the OS to the appropriate Wiretap encapsulation.
399 encap = wtap_pcap_encap_to_wtap_encap(dlt_val);
400 if (encap == WTAP_ENCAP_UNKNOWN) {
404 } else if (strncmp(lt_arg, "proto:", strlen("proto:")) == 0) {
405 dhandle = find_dissector(spec_ptr);
407 encap = WTAP_ENCAP_USER0;
408 pref_str = g_string_new("uat:user_dlts:");
409 /* This must match the format used in the user_dlts file */
410 g_string_append_printf(pref_str,
411 "\"User 0 (DLT=147)\",\"%s\",\"0\",\"\",\"0\",\"\"",
413 if (prefs_set_pref(pref_str->str) != PREFS_SET_OK) {
414 g_string_free(pref_str, TRUE);
417 g_string_free(pref_str, TRUE);
425 show_version(GString *comp_info_str, GString *runtime_info_str)
427 printf("Rawshark " VERSION "%s\n"
434 wireshark_svnversion, get_copyright_info(), comp_info_str->str,
435 runtime_info_str->str);
439 main(int argc, char *argv[])
441 GString *comp_info_str;
442 GString *runtime_info_str;
443 char *init_progfile_dir_error;
445 gboolean arg_error = FALSE;
451 char *gpf_path, *pf_path;
452 char *gdp_path, *dp_path;
453 int gpf_open_errno, gpf_read_errno;
454 int pf_open_errno, pf_read_errno;
455 int gdp_open_errno, gdp_read_errno;
456 int dp_open_errno, dp_read_errno;
458 gchar *pipe_name = NULL;
463 GPtrArray *disp_fields = g_ptr_array_new();
465 gboolean skip_pcap_header = FALSE;
467 #define OPTSTRING_INIT "d:F:hlnN:o:pr:R:sS:t:v"
469 static const char optstring[] = OPTSTRING_INIT;
471 /* Assemble the compile-time version information string */
472 comp_info_str = g_string_new("Compiled ");
473 get_compiled_version_info(comp_info_str, NULL, epan_get_compiled_version_info);
475 /* Assemble the run-time version information string */
476 runtime_info_str = g_string_new("Running ");
477 get_runtime_version_info(runtime_info_str, NULL);
479 /* Add it to the information to be reported on a crash. */
480 ws_add_crash_info("Rawshark " VERSION "%s\n"
485 wireshark_svnversion, comp_info_str->str, runtime_info_str->str);
488 arg_list_utf_16to8(argc, argv);
489 create_app_running_mutex();
493 * Get credential information for later use.
495 init_process_policies();
498 * Clear the filters arrays
500 memset(rfilters, 0, sizeof(rfilters));
501 memset(rfcodes, 0, sizeof(rfcodes));
506 * Initialize our string format
508 string_fmts = g_ptr_array_new();
511 * Attempt to get the pathname of the executable file.
513 init_progfile_dir_error = init_progfile_dir(argv[0], main);
514 if (init_progfile_dir_error != NULL) {
515 fprintf(stderr, "rawshark: Can't get pathname of rawshark program: %s.\n",
516 init_progfile_dir_error);
520 * Get credential information for later use.
522 init_process_policies();
524 /* nothing more than the standard GLib handler, but without a warning */
526 G_LOG_LEVEL_WARNING |
527 G_LOG_LEVEL_MESSAGE |
531 g_log_set_handler(NULL,
532 (GLogLevelFlags)log_flags,
533 log_func_ignore, NULL /* user_data */);
534 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
535 (GLogLevelFlags)log_flags,
536 log_func_ignore, NULL /* user_data */);
538 timestamp_set_type(TS_RELATIVE);
539 timestamp_set_precision(TS_PREC_AUTO);
540 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
542 /* Register all dissectors; we must do this before checking for the
543 "-G" flag, as the "-G" flag dumps information registered by the
544 dissectors, and we must do it before we read the preferences, in
545 case any dissectors register preferences. */
546 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL,
547 failure_message, open_failure_message, read_failure_message,
548 write_failure_message);
550 /* Set the C-language locale to the native environment. */
551 setlocale(LC_ALL, "");
553 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
554 &pf_open_errno, &pf_read_errno, &pf_path);
555 if (gpf_path != NULL) {
556 if (gpf_open_errno != 0) {
557 cmdarg_err("Can't open global preferences file \"%s\": %s.",
558 pf_path, g_strerror(gpf_open_errno));
560 if (gpf_read_errno != 0) {
561 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
562 pf_path, g_strerror(gpf_read_errno));
565 if (pf_path != NULL) {
566 if (pf_open_errno != 0) {
567 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
568 g_strerror(pf_open_errno));
570 if (pf_read_errno != 0) {
571 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
572 pf_path, g_strerror(pf_read_errno));
578 /* Read the disabled protocols file. */
579 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
580 &dp_path, &dp_open_errno, &dp_read_errno);
581 if (gdp_path != NULL) {
582 if (gdp_open_errno != 0) {
583 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
584 gdp_path, g_strerror(gdp_open_errno));
586 if (gdp_read_errno != 0) {
587 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
588 gdp_path, g_strerror(gdp_read_errno));
592 if (dp_path != NULL) {
593 if (dp_open_errno != 0) {
595 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
596 g_strerror(dp_open_errno));
598 if (dp_read_errno != 0) {
600 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
601 g_strerror(dp_read_errno));
607 /* Load Wpcap, if possible */
611 cap_file_init(&cfile);
613 /* Print format defaults to this. */
614 print_format = PR_FMT_TEXT;
616 /* Initialize our encapsulation type */
617 encap = WTAP_ENCAP_UNKNOWN;
619 /* Now get our args */
620 /* XXX - We should probably have an option to dump libpcap link types */
621 while ((opt = getopt(argc, argv, optstring)) != -1) {
623 case 'd': /* Payload type */
624 if (!set_link_type(optarg)) {
625 cmdarg_err("Invalid link type or protocol \"%s\"", optarg);
629 case 'F': /* Read field to display */
630 g_ptr_array_add(disp_fields, g_strdup(optarg));
632 case 'h': /* Print help and exit */
636 case 'l': /* "Line-buffer" standard output */
637 /* This isn't line-buffering, strictly speaking, it's just
638 flushing the standard output after the information for
639 each packet is printed; however, that should be good
640 enough for all the purposes to which "-l" is put (and
641 is probably actually better for "-V", as it does fewer
644 See the comment in "process_packet()" for an explanation of
645 why we do that, and why we don't just use "setvbuf()" to
646 make the standard output line-buffered (short version: in
647 Windows, "line-buffered" is the same as "fully-buffered",
648 and the output buffer is only flushed when it fills up). */
649 line_buffered = TRUE;
651 case 'n': /* No name resolution */
652 gbl_resolv_flags.mac_name = FALSE;
653 gbl_resolv_flags.network_name = FALSE;
654 gbl_resolv_flags.transport_name = FALSE;
655 gbl_resolv_flags.concurrent_dns = FALSE;
657 case 'N': /* Select what types of addresses/port #s to resolve */
658 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
659 if (badopt != '\0') {
660 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are 'm', 'n', and 't'",
665 case 'o': /* Override preference from command line */
666 switch (prefs_set_pref(optarg)) {
671 case PREFS_SET_SYNTAX_ERR:
672 cmdarg_err("Invalid -o flag \"%s\"", optarg);
676 case PREFS_SET_NO_SUCH_PREF:
677 case PREFS_SET_OBSOLETE:
678 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
683 case 'p': /* Expect pcap_pkthdr packet headers, which may have 64-bit timestamps */
684 want_pcap_pkthdr = TRUE;
686 case 'r': /* Read capture file xxx */
687 pipe_name = g_strdup(optarg);
689 case 'R': /* Read file filter */
690 if(n_rfilters < (int) sizeof(rfilters) / (int) sizeof(rfilters[0])) {
691 rfilters[n_rfilters++] = optarg;
694 cmdarg_err("Too many display filters");
698 case 's': /* Skip PCAP header */
699 skip_pcap_header = TRUE;
701 case 'S': /* Print string representations */
702 if (!parse_field_string_format(optarg)) {
703 cmdarg_err("Invalid field string format");
707 case 't': /* Time stamp type */
708 if (strcmp(optarg, "r") == 0)
709 timestamp_set_type(TS_RELATIVE);
710 else if (strcmp(optarg, "a") == 0)
711 timestamp_set_type(TS_ABSOLUTE);
712 else if (strcmp(optarg, "ad") == 0)
713 timestamp_set_type(TS_ABSOLUTE_WITH_DATE);
714 else if (strcmp(optarg, "d") == 0)
715 timestamp_set_type(TS_DELTA);
716 else if (strcmp(optarg, "dd") == 0)
717 timestamp_set_type(TS_DELTA_DIS);
718 else if (strcmp(optarg, "e") == 0)
719 timestamp_set_type(TS_EPOCH);
720 else if (strcmp(optarg, "u") == 0)
721 timestamp_set_type(TS_UTC);
722 else if (strcmp(optarg, "ud") == 0)
723 timestamp_set_type(TS_UTC_WITH_DATE);
725 cmdarg_err("Invalid time stamp type \"%s\"",
727 cmdarg_err_cont("It must be \"r\" for relative, \"a\" for absolute,");
728 cmdarg_err_cont("\"ad\" for absolute with date, or \"d\" for delta.");
732 case 'v': /* Show version and exit */
734 show_version(comp_info_str, runtime_info_str);
735 g_string_free(comp_info_str, TRUE);
736 g_string_free(runtime_info_str, TRUE);
741 case '?': /* Bad flag - print usage message */
748 /* Notify all registered modules that have had any of their preferences
749 changed either from one of the preferences file or from the command
750 line that their preferences have changed.
751 Initialize preferences before display filters, otherwise modules
752 like MATE won't work. */
755 /* Initialize our display fields */
756 for (fc = 0; fc < disp_fields->len; fc++) {
757 protocolinfo_init((char *)g_ptr_array_index(disp_fields, fc));
759 g_ptr_array_free(disp_fields, TRUE);
763 /* If no capture filter or read filter has been specified, and there are
764 still command-line arguments, treat them as the tokens of a capture
765 filter (if no "-r" flag was specified) or a read filter (if a "-r"
766 flag was specified. */
768 if (pipe_name != NULL) {
769 if (n_rfilters != 0) {
770 cmdarg_err("Read filters were specified both with \"-R\" "
771 "and with additional command-line arguments");
774 rfilters[n_rfilters] = get_args_as_string(argc, argv, optind);
778 /* Make sure we got a dissector handle for our payload. */
779 if (encap == WTAP_ENCAP_UNKNOWN) {
780 cmdarg_err("No valid payload dissector specified.");
791 /* Start windows sockets */
792 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
795 /* At this point MATE will have registered its field array so we can
796 have a tap filter with one of MATE's late-registered fields as part
797 of the filter. We can now process all the "-z" arguments. */
798 start_requested_stats();
800 /* disabled protocols as per configuration file */
801 if (gdp_path == NULL && dp_path == NULL) {
802 set_disabled_protos_list();
805 /* Build the column format array */
806 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
808 if (n_rfilters != 0) {
809 for (i = 0; i < n_rfilters; i++) {
810 if (!dfilter_compile(rfilters[i], &rfcodes[n_rfcodes])) {
811 cmdarg_err("%s", dfilter_error_msg);
821 * We're reading a pipe (or capture file).
825 * Immediately relinquish any special privileges we have; we must not
826 * be allowed to read any capture files the user running Rawshark
829 relinquish_special_privs_perm();
831 if (raw_cf_open(&cfile, pipe_name) != CF_OK) {
836 /* Do we need to PCAP header and magic? */
837 if (skip_pcap_header) {
838 size_t bytes_left = sizeof(struct pcap_hdr) + sizeof(guint32);
839 gchar buf[sizeof(struct pcap_hdr) + sizeof(guint32)];
840 while (bytes_left != 0) {
841 ssize_t bytes = read(fd, buf, (int)bytes_left);
843 cmdarg_err("Not enough bytes for pcap header.");
850 /* Set timestamp precision; there should arguably be a command-line
851 option to let the user set this. */
853 switch(wtap_file_tsprecision(cfile.wth)) {
854 case(WTAP_FILE_TSPREC_SEC):
855 timestamp_set_precision(TS_PREC_AUTO_SEC);
857 case(WTAP_FILE_TSPREC_DSEC):
858 timestamp_set_precision(TS_PREC_AUTO_DSEC);
860 case(WTAP_FILE_TSPREC_CSEC):
861 timestamp_set_precision(TS_PREC_AUTO_CSEC);
863 case(WTAP_FILE_TSPREC_MSEC):
864 timestamp_set_precision(TS_PREC_AUTO_MSEC);
866 case(WTAP_FILE_TSPREC_USEC):
867 timestamp_set_precision(TS_PREC_AUTO_USEC);
869 case(WTAP_FILE_TSPREC_NSEC):
870 timestamp_set_precision(TS_PREC_AUTO_NSEC);
873 g_assert_not_reached();
876 timestamp_set_precision(TS_PREC_AUTO_USEC);
879 /* Process the packets in the file */
880 err = load_cap_file(&cfile);
887 /* If you want to capture live packets, use TShark. */
888 cmdarg_err("Input file or pipe name not specified.");
898 * Read data from a raw pipe. The "raw" data consists of a libpcap
899 * packet header followed by the payload.
900 * @param pd [IN] A POSIX file descriptor. Because that's _exactly_ the sort
901 * of thing you want to use in Windows.
902 * @param phdr [OUT] Packet header information.
903 * @param err [OUT] Error indicator. Uses wiretap values.
904 * @param err_info [OUT] Error message.
905 * @param data_offset [OUT] data offset in the pipe.
906 * @return TRUE on success, FALSE on failure.
909 raw_pipe_read(struct wtap_pkthdr *phdr, guchar * pd, int *err, const gchar **err_info, gint64 *data_offset) {
910 struct pcap_pkthdr mem_hdr;
911 struct pcaprec_hdr disk_hdr;
912 ssize_t bytes_read = 0;
913 size_t bytes_needed = sizeof(disk_hdr);
914 guchar *ptr = (guchar*) &disk_hdr;
915 static gchar err_str[100];
917 if (want_pcap_pkthdr) {
918 bytes_needed = sizeof(mem_hdr);
919 ptr = (guchar*) &mem_hdr;
922 /* Copied from capture_loop.c */
923 while (bytes_needed > 0) {
924 bytes_read = read(fd, ptr, (int)bytes_needed);
925 if (bytes_read == 0) {
928 } else if (bytes_read < 0) {
929 *err = WTAP_ERR_CANT_READ;
930 *err_info = "Error reading header from pipe";
933 bytes_needed -= bytes_read;
934 *data_offset += bytes_read;
938 if (want_pcap_pkthdr) {
939 phdr->ts.secs = mem_hdr.ts.tv_sec;
940 phdr->ts.nsecs = (gint32)mem_hdr.ts.tv_usec * 1000;
941 phdr->caplen = mem_hdr.caplen;
942 phdr->len = mem_hdr.len;
944 phdr->ts.secs = disk_hdr.ts_sec;
945 phdr->ts.nsecs = disk_hdr.ts_usec * 1000;
946 phdr->caplen = disk_hdr.incl_len;
947 phdr->len = disk_hdr.orig_len;
949 bytes_needed = phdr->caplen;
951 phdr->pkt_encap = encap;
954 printf("tv_sec: %d (%04x)\n", hdr.ts.tv_sec, hdr.ts.tv_sec);
955 printf("tv_usec: %d (%04x)\n", hdr.ts.tv_usec, hdr.ts.tv_usec);
956 printf("caplen: %d (%04x)\n", hdr.caplen, hdr.caplen);
957 printf("len: %d (%04x)\n", hdr.len, hdr.len);
959 if (bytes_needed > WTAP_MAX_PACKET_SIZE) {
960 *err = WTAP_ERR_BAD_FILE;
961 g_snprintf(err_str, 100, "Bad packet length: %lu\n",
962 (unsigned long) bytes_needed);
968 while (bytes_needed > 0) {
969 bytes_read = read(fd, ptr, (int)bytes_needed);
970 if (bytes_read == 0) {
971 *err = WTAP_ERR_SHORT_READ;
972 *err_info = "Got zero bytes reading data from pipe";
974 } else if (bytes_read < 0) {
975 *err = WTAP_ERR_CANT_READ;
976 *err_info = "Error reading data from pipe";
979 bytes_needed -= bytes_read;
980 *data_offset += bytes_read;
987 load_cap_file(capture_file *cf)
990 const gchar *err_info;
991 gint64 data_offset = 0;
992 struct wtap_pkthdr phdr;
993 guchar pd[WTAP_MAX_PACKET_SIZE];
995 while (raw_pipe_read(&phdr, pd, &err, &err_info, &data_offset)) {
996 process_packet(cf, data_offset, &phdr, pd);
1000 /* Print a message noting that the read failed somewhere along the line. */
1003 case WTAP_ERR_UNSUPPORTED_ENCAP:
1004 cmdarg_err("The file \"%s\" has a packet with a network type that Rawshark doesn't support.\n(%s)",
1005 cf->filename, err_info);
1008 case WTAP_ERR_CANT_READ:
1009 cmdarg_err("An attempt to read from the file \"%s\" failed for some unknown reason.",
1013 case WTAP_ERR_SHORT_READ:
1014 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
1018 case WTAP_ERR_BAD_FILE:
1019 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
1020 cf->filename, err_info);
1023 case WTAP_ERR_DECOMPRESS:
1024 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n(%s)",
1025 cf->filename, err_info);
1029 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
1030 cf->filename, wtap_strerror(err));
1039 process_packet(capture_file *cf, gint64 offset, struct wtap_pkthdr *whdr,
1043 gboolean create_proto_tree;
1050 /* The user sends an empty packet when he wants to get output from us even if we don't currently have
1051 packets to process. We spit out a line with the timestamp and the text "void"
1053 printf("%lu %lu %lu void -\n", (unsigned long int)cf->count,
1054 (unsigned long int)whdr->ts.secs,
1055 (unsigned long int)whdr->ts.nsecs);
1062 /* Count this packet. */
1065 /* If we're going to print packet information, or we're going to
1066 run a read filter, or we're going to process taps, set up to
1067 do a dissection and do so. */
1068 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
1071 create_proto_tree = TRUE;
1073 /* The protocol tree will be "visible", i.e., printed, only if we're
1074 printing packet details, which is true if we're in verbose mode ("verbose"
1076 epan_dissect_init(&edt, cf->epan, create_proto_tree, FALSE);
1078 /* If we're running a read filter, prime the epan_dissect_t with that
1080 if (n_rfilters > 0) {
1081 for(i = 0; i < n_rfcodes; i++) {
1082 epan_dissect_prime_dfilter(&edt, rfcodes[i]);
1086 printf("%lu", (unsigned long int) cf->count);
1088 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
1091 if (ref == &fdata) {
1096 /* We only need the columns if we're printing packet info but we're
1097 *not* verbose; in verbose mode, we print the protocol tree, not
1098 the protocol summary. */
1099 epan_dissect_run_with_taps(&edt, whdr, frame_tvbuff_new(&fdata, pd), &fdata, &cf->cinfo);
1101 frame_data_set_after_dissect(&fdata, &cum_bytes);
1102 prev_dis_frame = fdata;
1103 prev_dis = &prev_dis_frame;
1105 prev_cap_frame = fdata;
1106 prev_cap = &prev_cap_frame;
1108 for(i = 0; i < n_rfilters; i++) {
1109 /* Run the read filter if we have one. */
1111 passed = dfilter_apply_edt(rfcodes[i], &edt);
1115 /* Print a one-line summary */
1116 printf(" %u", passed ? 1 : 0);
1121 /* The ANSI C standard does not appear to *require* that a line-buffered
1122 stream be flushed to the host environment whenever a newline is
1123 written, it just says that, on such a stream, characters "are
1124 intended to be transmitted to or from the host environment as a
1125 block when a new-line character is encountered".
1127 The Visual C++ 6.0 C implementation doesn't do what is intended;
1128 even if you set a stream to be line-buffered, it still doesn't
1129 flush the buffer at the end of every line.
1131 So, if the "-l" flag was specified, we flush the standard output
1132 at the end of a packet. This will do the right thing if we're
1133 printing packet summary lines, and, as we print the entire protocol
1134 tree for a single packet without waiting for anything to happen,
1135 it should be as good as line-buffered mode if we're printing
1136 protocol trees. (The whole reason for the "-l" flag in either
1137 tcpdump or Rawshark is to allow the output of a live capture to
1138 be piped to a program or script and to have that script see the
1139 information for the packet as soon as it's printed, rather than
1140 having to wait until a standard I/O buffer fills up. */
1144 if (ferror(stdout)) {
1145 show_print_file_io_error(errno);
1149 epan_dissect_cleanup(&edt);
1150 frame_data_destroy(&fdata);
1155 /****************************************************************************************
1156 * FIELD EXTRACTION ROUTINES
1157 ****************************************************************************************/
1158 typedef struct _pci_t {
1164 static const char* ftenum_to_string(header_field_info *hfi)
1170 if (string_fmts->len > 0 && hfi->strings) {
1178 return "FT_PROTOCOL";
1180 return "FT_BOOLEAN";
1205 case FT_ABSOLUTE_TIME:
1206 return "FT_ABSOLUTE_TIME";
1207 case FT_RELATIVE_TIME:
1208 return "FT_RELATIVE_TIME";
1212 return "FT_STRINGZ";
1213 case FT_UINT_STRING:
1214 return "FT_UINT_STRING";
1220 return "FT_UINT_BYTES";
1228 return "FT_FRAMENUM";
1236 return "FT_NUM_TYPES";
1242 static const char* absolute_time_display_e_to_string(absolute_time_display_e atd)
1245 case ABSOLUTE_TIME_LOCAL:
1246 return "ABSOLUTE_TIME_LOCAL";
1247 case ABSOLUTE_TIME_UTC:
1248 return "ABSOLUTE_TIME_UTC";
1254 static const char* base_display_e_to_string(base_display_e bd)
1266 return "BASE_DEC_HEX";
1268 return "BASE_HEX_DEC";
1275 * Copied from various parts of proto.c
1277 #define FIELD_STR_INIT_LEN 256
1278 #define cVALS(x) (const value_string*)(x)
1279 static gboolean print_field_value(field_info *finfo, int cmd_line_index)
1281 header_field_info *hfinfo;
1282 static char *fs_buf = NULL;
1283 char *fs_ptr = fs_buf;
1284 static GString *label_s = NULL;
1285 int fs_buf_len = FIELD_STR_INIT_LEN, fs_len;
1292 const true_false_string *tfstring = &tfs_true_false;
1294 hfinfo = finfo->hfinfo;
1297 fs_buf = (char *)g_malloc(fs_buf_len + 1);
1302 label_s = g_string_new("");
1305 if(finfo->value.ftype->val_to_string_repr)
1308 * this field has an associated value,
1311 fs_len = fvalue_string_repr_len(&finfo->value, FTREPR_DFILTER);
1312 while (fs_buf_len < fs_len) {
1314 fs_buf = (char *)g_realloc(fs_buf, fs_buf_len + 1);
1317 fvalue_to_string_repr(&finfo->value,
1321 /* String types are quoted. Remove them. */
1322 if ((finfo->value.ftype->ftype == FT_STRING || finfo->value.ftype->ftype == FT_STRINGZ) && fs_len > 2) {
1323 fs_buf[fs_len - 1] = '\0';
1328 if (string_fmts->len > 0 && finfo->hfinfo->strings) {
1329 g_string_truncate(label_s, 0);
1330 for (i = 0; i < string_fmts->len; i++) {
1331 sf = (string_fmt_t *)g_ptr_array_index(string_fmts, i);
1333 g_string_append(label_s, sf->plain);
1335 switch (sf->format) {
1337 g_string_append(label_s, hfinfo->name);
1340 g_string_append(label_s, fs_ptr);
1343 switch(hfinfo->type) {
1345 uvalue = fvalue_get_uinteger(&finfo->value);
1346 tfstring = (const struct true_false_string*) hfinfo->strings;
1347 g_string_append(label_s, uvalue ? tfstring->true_string : tfstring->false_string);
1353 DISSECTOR_ASSERT(!hfinfo->bitmask);
1354 svalue = fvalue_get_sinteger(&finfo->value);
1355 if (hfinfo->display & BASE_RANGE_STRING) {
1356 g_string_append(label_s, rval_to_str(svalue, RVALS(hfinfo->strings), "Unknown"));
1357 } else if (hfinfo->display & BASE_EXT_STRING) {
1358 g_string_append(label_s, val_to_str_ext(svalue, (const value_string_ext *) hfinfo->strings, "Unknown"));
1360 g_string_append(label_s, val_to_str(svalue, cVALS(hfinfo->strings), "Unknown"));
1364 DISSECTOR_ASSERT(!hfinfo->bitmask);
1365 svalue64 = (gint64)fvalue_get_integer64(&finfo->value);
1366 if (hfinfo->display & BASE_VAL64_STRING) {
1367 g_string_append(label_s, val64_to_str(svalue64, (const val64_string *)(hfinfo->strings), "Unknown"));
1374 uvalue = fvalue_get_uinteger(&finfo->value);
1375 if (!hfinfo->bitmask && hfinfo->display & BASE_RANGE_STRING) {
1376 g_string_append(label_s, rval_to_str(uvalue, RVALS(hfinfo->strings), "Unknown"));
1377 } else if (hfinfo->display & BASE_EXT_STRING) {
1378 g_string_append(label_s, val_to_str_ext(uvalue, (const value_string_ext *) hfinfo->strings, "Unknown"));
1380 g_string_append(label_s, val_to_str(uvalue, cVALS(hfinfo->strings), "Unknown"));
1384 DISSECTOR_ASSERT(!hfinfo->bitmask);
1385 uvalue64 = fvalue_get_integer64(&finfo->value);
1386 if (hfinfo->display & BASE_VAL64_STRING) {
1387 g_string_append(label_s, val64_to_str(uvalue64, (const val64_string *)(hfinfo->strings), "Unknown"));
1399 printf(" %u=\"%s\"", cmd_line_index, label_s->str);
1403 if(finfo->value.ftype->val_to_string_repr)
1405 printf(" %u=\"%s\"", cmd_line_index, fs_ptr);
1410 * This field doesn't have an associated value,
1414 printf(" %u=\"n.a.\"", cmd_line_index);
1419 protocolinfo_packet(void *prs, packet_info *pinfo _U_, epan_dissect_t *edt, const void *dummy _U_)
1421 pci_t *rs=(pci_t *)prs;
1425 gp=proto_get_finfo_ptr_array(edt->tree, rs->hf_index);
1432 * Print each occurrence of the field
1434 for (i = 0; i < gp->len; i++) {
1435 print_field_value((field_info *)gp->pdata[i], rs->cmd_line_index);
1441 int g_cmd_line_index = 0;
1444 * field must be persistent - we don't g_strdup() it below
1447 protocolinfo_init(char *field)
1450 header_field_info *hfi;
1451 GString *error_string;
1453 hfi=proto_registrar_get_byname(field);
1455 fprintf(stderr, "rawshark: Field \"%s\" doesn't exist.\n", field);
1459 switch (hfi->type) {
1461 case FT_ABSOLUTE_TIME:
1462 printf("%u %s %s - ",
1464 ftenum_to_string(hfi),
1465 absolute_time_display_e_to_string((absolute_time_display_e)hfi->display));
1469 printf("%u %s %s - ",
1471 ftenum_to_string(hfi),
1472 base_display_e_to_string((base_display_e)hfi->display));
1476 rs=(pci_t *)g_malloc(sizeof(pci_t));
1477 rs->hf_index=hfi->id;
1479 rs->cmd_line_index = g_cmd_line_index++;
1481 error_string=register_tap_listener("frame", rs, rs->filter, TL_REQUIRES_PROTO_TREE, NULL, protocolinfo_packet, NULL);
1483 /* error, we failed to attach to the tap. complain and clean up */
1484 fprintf(stderr, "rawshark: Couldn't register field extraction tap: %s\n",
1486 g_string_free(error_string, TRUE);
1497 * Given a format string, split it into a GPtrArray of string_fmt_t structs
1498 * and fill in string_fmt_parts.
1502 add_string_fmt(string_fmt_e format, gchar *plain) {
1503 string_fmt_t *sf = (string_fmt_t *)g_malloc(sizeof(string_fmt_t));
1505 sf->format = format;
1506 sf->plain = g_strdup(plain);
1508 g_ptr_array_add(string_fmts, sf);
1512 parse_field_string_format(gchar *format) {
1513 GString *plain_s = g_string_new("");
1521 len = strlen(format);
1522 g_ptr_array_set_size(string_fmts, 0);
1525 if (format[pos] == '%') {
1526 if (pos >= len) { /* There should always be a following character */
1530 if (plain_s->len > 0) {
1531 add_string_fmt(SF_NONE, plain_s->str);
1532 g_string_truncate(plain_s, 0);
1534 switch (format[pos]) {
1536 add_string_fmt(SF_NAME, NULL);
1539 add_string_fmt(SF_NUMVAL, NULL);
1542 add_string_fmt(SF_STRVAL, NULL);
1545 g_string_append_c(plain_s, '%');
1547 default: /* Invalid format */
1551 g_string_append_c(plain_s, format[pos]);
1556 if (plain_s->len > 0) {
1557 add_string_fmt(SF_NONE, plain_s->str);
1559 g_string_free(plain_s, TRUE);
1563 /****************************************************************************************
1564 * END OF FIELD EXTRACTION ROUTINES
1565 ****************************************************************************************/
1568 show_print_file_io_error(int err)
1573 cmdarg_err("Not all the packets could be printed because there is "
1574 "no space left on the file system.");
1579 cmdarg_err("Not all the packets could be printed because you are "
1580 "too close to, or over your disk quota.");
1585 cmdarg_err("An error occurred while printing packets: %s.",
1592 * Open/create errors are reported with an console message in Rawshark.
1595 open_failure_message(const char *filename, int err, gboolean for_writing)
1597 fprintf(stderr, "rawshark: ");
1598 fprintf(stderr, file_open_error_message(err, for_writing), filename);
1599 fprintf(stderr, "\n");
1602 static const nstime_t *
1603 raw_get_frame_ts(void *data _U_, guint32 frame_num)
1605 if (ref && ref->num == frame_num)
1606 return &ref->abs_ts;
1608 if (prev_dis && prev_dis->num == frame_num)
1609 return &prev_dis->abs_ts;
1611 if (prev_cap && prev_cap->num == frame_num)
1612 return &prev_cap->abs_ts;
1618 raw_epan_new(capture_file *cf)
1620 epan_t *epan = epan_new();
1623 epan->get_frame_ts = raw_get_frame_ts;
1624 epan->get_interface_name = cap_file_get_interface_name;
1625 epan->get_user_comment = NULL;
1631 raw_cf_open(capture_file *cf, const char *fname)
1633 if ((fd = raw_pipe_open(fname)) < 0)
1636 /* The open succeeded. Fill in the information for this file. */
1638 /* Create new epan session for dissection. */
1639 epan_free(cf->epan);
1640 cf->epan = raw_epan_new(cf);
1643 cf->f_datalen = 0; /* not used, but set it anyway */
1645 /* Set the file name because we need it to set the follow stream filter.
1646 XXX - is that still true? We need it for other reasons, though,
1648 cf->filename = g_strdup(fname);
1650 /* Indicate whether it's a permanent or temporary file. */
1651 cf->is_tempfile = FALSE;
1653 /* No user changes yet. */
1654 cf->unsaved_changes = FALSE;
1656 cf->cd_t = WTAP_FILE_UNKNOWN;
1658 cf->drops_known = FALSE;
1660 cf->has_snap = FALSE;
1661 cf->snap = WTAP_MAX_PACKET_SIZE;
1662 nstime_set_zero(&cf->elapsed_time);
1672 * General errors are reported with an console message in Rawshark.
1675 failure_message(const char *msg_format, va_list ap)
1677 fprintf(stderr, "rawshark: ");
1678 vfprintf(stderr, msg_format, ap);
1679 fprintf(stderr, "\n");
1683 * Read errors are reported with an console message in Rawshark.
1686 read_failure_message(const char *filename, int err)
1688 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
1689 filename, g_strerror(err));
1693 * Write errors are reported with an console message in Rawshark.
1696 write_failure_message(const char *filename, int err)
1698 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
1699 filename, g_strerror(err));
1703 * Report an error in command-line arguments.
1706 cmdarg_err(const char *fmt, ...)
1711 fprintf(stderr, "rawshark: ");
1712 vfprintf(stderr, fmt, ap);
1713 fprintf(stderr, "\n");
1718 * Report additional information for an error in command-line arguments.
1721 cmdarg_err_cont(const char *fmt, ...)
1726 vfprintf(stderr, fmt, ap);
1727 fprintf(stderr, "\n");
1738 * indent-tabs-mode: nil
1741 * ex: set shiftwidth=4 tabstop=8 expandtab:
1742 * :indentSize=4:tabSize=8:noTabs=true:
git.samba.org / metze / wireshark / wip.git / blob