3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44 #include <zlib.h> /* to get the libz version number */
48 # include <sys/capability.h>
51 #ifndef HAVE_GETOPT_LONG
52 #include "wsutil/wsgetopt.h"
57 #include <epan/exceptions.h>
58 #include <epan/epan-int.h>
59 #include <epan/epan.h>
61 #include <wsutil/clopts_common.h>
62 #include <wsutil/cmdarg_err.h>
63 #include <wsutil/crash_info.h>
64 #include <wsutil/filesystem.h>
65 #include <wsutil/file_util.h>
66 #include <wsutil/privileges.h>
67 #include <wsutil/report_err.h>
68 #include <wsutil/ws_diag_control.h>
69 #include <wsutil/ws_version_info.h>
72 #include <epan/timestamp.h>
73 #include <epan/packet.h>
75 #include <epan/wslua/init_wslua.h>
77 #include "frame_tvbuff.h"
78 #include <epan/disabled_protos.h>
79 #include <epan/prefs.h>
80 #include <epan/column.h>
81 #include <epan/print.h>
82 #include <epan/addr_resolv.h>
84 #include "ui/capture_ui_utils.h"
87 #include "ui/ui_util.h"
88 #include "ui/cli/tshark-tap.h"
90 #include "filter_files.h"
91 #include <epan/epan_dissect.h>
93 #include <epan/stat_tap_ui.h>
94 #include <epan/conversation_table.h>
95 #include <epan/srt_table.h>
96 #include <epan/rtd_table.h>
97 #include <epan/ex-opt.h>
99 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
100 #include <epan/asn1.h>
101 #include <epan/dissectors/packet-kerberos.h>
104 #include "capture_opts.h"
106 #include "caputils/capture-pcap-util.h"
109 #include "caputils/capture_ifinfo.h"
111 #include "caputils/capture-wpcap.h"
112 #include <wsutil/os_version_info.h>
113 #include <wsutil/unicode-utils.h>
115 #include <capchild/capture_session.h>
116 #include <capchild/capture_sync.h>
117 #include <capture_info.h>
118 #endif /* HAVE_LIBPCAP */
120 #include <epan/funnel.h>
122 #include <wsutil/str_util.h>
125 #include <wsutil/plugins.h>
130 #define tshark_debug(...) g_warning(__VA_ARGS__)
132 #define tshark_debug(...)
137 * This is the template for the decode as option; it is shared between the
138 * various functions that output the usage for this parameter.
140 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
142 static guint32 cum_bytes;
143 static const frame_data *ref;
144 static frame_data ref_frame;
145 static frame_data *prev_dis;
146 static frame_data prev_dis_frame;
147 static frame_data *prev_cap;
148 static frame_data prev_cap_frame;
150 static const char* prev_display_dissector_name = NULL;
152 static gboolean perform_two_pass_analysis;
155 * The way the packet decode is to be written.
158 WRITE_TEXT, /* summary or detail text */
159 WRITE_XML, /* PDML or PSML */
160 WRITE_FIELDS /* User defined list of fields */
161 /* Add CSV and the like here */
164 static output_action_e output_action;
165 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
166 static gboolean print_packet_info; /* TRUE if we're to print packet information */
167 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
168 static gboolean print_details; /* TRUE if we're to print packet details information */
169 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
170 static gboolean line_buffered;
171 static gboolean really_quiet = FALSE;
173 static print_format_e print_format = PR_FMT_TEXT;
174 static print_stream_t *print_stream;
176 static output_fields_t* output_fields = NULL;
178 /* The line separator used between packets, changeable via the -S option */
179 static const char *separator = "";
183 * TRUE if we're to print packet counts to keep track of captured packets.
185 static gboolean print_packet_counts;
187 static capture_options global_capture_opts;
188 static capture_session global_capture_session;
189 static info_data_t global_info_data;
192 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
193 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
196 static gboolean capture(void);
197 static void report_counts(void);
199 static BOOL WINAPI capture_cleanup(DWORD);
201 static void capture_cleanup(int);
203 static void report_counts_siginfo(int);
207 #else /* HAVE_LIBPCAP */
209 static char *output_file_name;
211 #endif /* HAVE_LIBPCAP */
213 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
214 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
215 struct wtap_pkthdr *whdr, const guchar *pd,
217 static void show_capture_file_io_error(const char *, int, gboolean);
218 static void show_print_file_io_error(int err);
219 static gboolean write_preamble(capture_file *cf);
220 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
221 static gboolean write_finale(void);
222 static const char *cf_open_error_message(int err, gchar *err_info,
223 gboolean for_writing, int file_type);
225 static void open_failure_message(const char *filename, int err,
226 gboolean for_writing);
227 static void failure_message(const char *msg_format, va_list ap);
228 static void read_failure_message(const char *filename, int err);
229 static void write_failure_message(const char *filename, int err);
230 static void failure_message_cont(const char *msg_format, va_list ap);
234 static GHashTable *output_only_tables = NULL;
237 const char *sstr; /* The short string */
238 const char *lstr; /* The long string */
242 string_compare(gconstpointer a, gconstpointer b)
244 return strcmp(((const struct string_elem *)a)->sstr,
245 ((const struct string_elem *)b)->sstr);
249 string_elem_print(gpointer data, gpointer not_used _U_)
251 fprintf(stderr, " %s - %s\n",
252 ((struct string_elem *)data)->sstr,
253 ((struct string_elem *)data)->lstr);
257 list_capture_types(void) {
259 struct string_elem *captypes;
262 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
264 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
265 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
266 if (wtap_dump_can_open(i)) {
267 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
268 captypes[i].lstr = wtap_file_type_subtype_string(i);
269 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
272 g_slist_foreach(list, string_elem_print, NULL);
278 list_read_capture_types(void) {
280 struct string_elem *captypes;
282 const char *magic = "Magic-value-based";
283 const char *heuristic = "Heuristics-based";
285 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
286 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
288 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
289 for (i = 0; open_routines[i].name != NULL; i++) {
290 captypes[i].sstr = open_routines[i].name;
291 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
292 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
294 g_slist_foreach(list, string_elem_print, NULL);
300 print_usage(FILE *output)
302 fprintf(output, "\n");
303 fprintf(output, "Usage: tshark [options] ...\n");
304 fprintf(output, "\n");
307 fprintf(output, "Capture interface:\n");
308 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
309 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
310 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
311 fprintf(output, " -p don't capture in promiscuous mode\n");
312 #ifdef HAVE_PCAP_CREATE
313 fprintf(output, " -I capture in monitor mode, if available\n");
315 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
316 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
318 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
319 fprintf(output, " -D print list of interfaces and exit\n");
320 fprintf(output, " -L print list of link-layer types of iface and exit\n");
321 fprintf(output, "\n");
322 fprintf(output, "Capture stop conditions:\n");
323 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
324 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
325 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
326 fprintf(output, " files:NUM - stop after NUM files\n");
327 /*fprintf(output, "\n");*/
328 fprintf(output, "Capture output:\n");
329 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
330 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
331 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
332 #endif /* HAVE_LIBPCAP */
333 #ifdef HAVE_PCAP_REMOTE
334 fprintf(output, "RPCAP options:\n");
335 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
337 /*fprintf(output, "\n");*/
338 fprintf(output, "Input file:\n");
339 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
341 fprintf(output, "\n");
342 fprintf(output, "Processing:\n");
343 fprintf(output, " -2 perform a two-pass analysis\n");
344 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
345 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
346 fprintf(output, " syntax\n");
347 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
348 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mnNtCd\"\n");
349 fprintf(output, " -d %s ...\n", decode_as_arg_template);
350 fprintf(output, " \"Decode As\", see the man page for details\n");
351 fprintf(output, " Example: tcp.port==8888,http\n");
352 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
353 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
354 fprintf(output, " --disable-protocol <proto_name>\n");
355 fprintf(output, " disable dissection of proto_name\n");
356 fprintf(output, " --enable-heuristic <short_name>\n");
357 fprintf(output, " enable dissection of heuristic protocol\n");
358 fprintf(output, " --disable-heuristic <short_name>\n");
359 fprintf(output, " disable dissection of heuristic protocol\n");
361 /*fprintf(output, "\n");*/
362 fprintf(output, "Output:\n");
363 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
364 fprintf(output, " (or to the standard output for \"-\")\n");
365 fprintf(output, " -C <config profile> start with specified configuration profile\n");
366 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
367 fprintf(output, " an empty \"-F\" option will list the file types\n");
368 fprintf(output, " -V add output of packet tree (Packet Details)\n");
369 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
370 fprintf(output, " separated\n");
371 fprintf(output, " -P print packet summary even when writing to a file\n");
372 fprintf(output, " -S <separator> the line separator to print between packets\n");
373 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
374 fprintf(output, " -T pdml|ps|psml|text|fields\n");
375 fprintf(output, " format of text output (def: text)\n");
376 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
377 fprintf(output, " _ws.col.Info)\n");
378 fprintf(output, " this option can be repeated to print multiple fields\n");
379 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
380 fprintf(output, " header=y|n switch headers on and off\n");
381 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
382 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
383 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
384 fprintf(output, " aggregator\n");
385 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
386 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
387 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
388 fprintf(output, " -l flush standard output after each packet\n");
389 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
390 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
391 fprintf(output, " -g enable group read access on the output file(s)\n");
392 fprintf(output, " -W n Save extra information in the file, if supported.\n");
393 fprintf(output, " n = write network address resolution information\n");
394 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
395 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
396 fprintf(output, " --capture-comment <comment>\n");
397 fprintf(output, " add a capture comment to the newly created\n");
398 fprintf(output, " output file (only for pcapng)\n");
400 fprintf(output, "\n");
401 fprintf(output, "Miscellaneous:\n");
402 fprintf(output, " -h display this help and exit\n");
403 fprintf(output, " -v display version info and exit\n");
404 fprintf(output, " -o <name>:<value> ... override preference setting\n");
405 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
406 fprintf(output, " -G [report] dump one of several available reports and exit\n");
407 fprintf(output, " default report=\"fields\"\n");
408 fprintf(output, " use \"-G ?\" for more help\n");
410 fprintf(output, "\n");
411 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
412 fprintf(output, "You might want to reset it\n");
413 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
414 fprintf(output, "\n");
420 glossary_option_help(void)
426 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
428 fprintf(output, "\n");
429 fprintf(output, "Usage: tshark -G [report]\n");
430 fprintf(output, "\n");
431 fprintf(output, "Glossary table reports:\n");
432 fprintf(output, " -G column-formats dump column format codes and exit\n");
433 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
434 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
435 fprintf(output, " -G fieldcount dump count of header fields and exit\n");
436 fprintf(output, " -G fields dump fields glossary and exit\n");
437 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
438 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
439 fprintf(output, " -G plugins dump installed plugins and exit\n");
440 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
441 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
442 fprintf(output, "\n");
443 fprintf(output, "Preference reports:\n");
444 fprintf(output, " -G currentprefs dump current preferences and exit\n");
445 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
446 fprintf(output, "\n");
450 * For a dissector table, print on the stream described by output,
451 * its short name (which is what's used in the "-d" option) and its
455 display_dissector_table_names(const char *table_name, const char *ui_name,
458 if ((prev_display_dissector_name == NULL) ||
459 (strcmp(prev_display_dissector_name, table_name) != 0)) {
460 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
461 prev_display_dissector_name = table_name;
466 * For a dissector handle, print on the stream described by output,
467 * the filter name (which is what's used in the "-d" option) and the full
468 * name for the protocol that corresponds to this handle.
471 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
474 const gchar *proto_filter_name;
475 const gchar *proto_ui_name;
477 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
479 if (proto_id != -1) {
480 proto_filter_name = proto_get_protocol_filter_name(proto_id);
481 proto_ui_name = proto_get_protocol_name(proto_id);
482 g_assert(proto_filter_name != NULL);
483 g_assert(proto_ui_name != NULL);
485 if ((prev_display_dissector_name == NULL) ||
486 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
487 fprintf((FILE *)output, "\t%s (%s)\n",
490 prev_display_dissector_name = proto_filter_name;
496 * The protocol_name_search structure is used by find_protocol_name_func()
497 * to pass parameters and store results
499 struct protocol_name_search{
500 gchar *searched_name; /* Protocol filter name we are looking for */
501 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
502 guint nb_match; /* How many dissectors matched searched_name */
504 typedef struct protocol_name_search *protocol_name_search_t;
507 * This function parses all dissectors associated with a table to find the
508 * one whose protocol has the specified filter name. It is called
509 * as a reference function in a call to dissector_table_foreach_handle.
510 * The name we are looking for, as well as the results, are stored in the
511 * protocol_name_search struct pointed to by user_data.
512 * If called using dissector_table_foreach_handle, we actually parse the
513 * whole list of dissectors.
516 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
520 const gchar *protocol_filter_name;
521 protocol_name_search_t search_info;
525 search_info = (protocol_name_search_t)user_data;
527 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
528 if (proto_id != -1) {
529 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
530 g_assert(protocol_filter_name != NULL);
531 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
533 if (search_info->nb_match == 0) {
534 /* Record this handle only if this is the first match */
535 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
537 search_info->nb_match++;
543 * Allow dissector key names to be sorted alphabetically
547 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
549 return strcmp((const char*)dissector_a, (const char*)dissector_b);
553 * Print all layer type names supported.
554 * We send the output to the stream described by the handle output.
558 fprint_all_layer_types(FILE *output)
561 prev_display_dissector_name = NULL;
562 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
566 * Print all protocol names supported for a specific layer type.
567 * table_name contains the layer type name in which the search is performed.
568 * We send the output to the stream described by the handle output.
572 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
575 prev_display_dissector_name = NULL;
576 dissector_table_foreach_handle(table_name,
577 display_dissector_names,
582 * The function below parses the command-line parameters for the decode as
583 * feature (a string pointer by cl_param).
584 * It checks the format of the command-line, searches for a matching table
585 * and dissector. If a table/dissector match is not found, we display a
586 * summary of the available tables/dissectors (on stderr) and return FALSE.
587 * If everything is fine, we get the "Decode as" preference activated,
588 * then we return TRUE.
591 add_decode_as(const gchar *cl_param)
594 guint32 selector, selector2;
595 gchar *decoded_param;
596 gchar *remaining_param;
598 gchar *dissector_str;
599 dissector_handle_t dissector_matching;
600 dissector_table_t table_matching;
601 ftenum_t dissector_table_selector_type;
602 struct protocol_name_search user_protocol_name;
606 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
609 decoded_param = g_strdup(cl_param);
610 g_assert(decoded_param);
613 /* The lines below will parse this string (modifying it) to extract all
614 necessary information. Note that decoded_param is still needed since
615 strings are not copied - we just save pointers. */
617 /* This section extracts a layer type (table_name) from decoded_param */
618 table_name = decoded_param; /* Layer type string starts from beginning */
620 remaining_param = strchr(table_name, '=');
621 if (remaining_param == NULL) {
622 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
623 /* If the argument does not follow the template, carry on anyway to check
624 if the table name is at least correct. If remaining_param is NULL,
625 we'll exit anyway further down */
628 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
631 /* Remove leading and trailing spaces from the table name */
632 while ( table_name[0] == ' ' )
634 while ( table_name[strlen(table_name) - 1] == ' ' )
635 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
637 /* The following part searches a table matching with the layer type specified */
638 table_matching = NULL;
640 /* Look for the requested table */
641 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
642 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
645 table_matching = find_dissector_table(table_name);
646 if (!table_matching) {
647 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
651 if (!table_matching) {
652 /* Display a list of supported layer types to help the user, if the
653 specified layer type was not found */
654 cmdarg_err("Valid layer types are:");
655 fprint_all_layer_types(stderr);
657 if (remaining_param == NULL || !table_matching) {
658 /* Exit if the layer type was not found, or if no '=' separator was found
660 g_free(decoded_param);
664 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
665 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
668 remaining_param++; /* Move to the second '=' */
669 *remaining_param = '\0'; /* Remove the second '=' */
671 remaining_param++; /* Position after the layer type string */
673 /* This section extracts a selector value (selector_str) from decoded_param */
675 selector_str = remaining_param; /* Next part starts with the selector number */
677 remaining_param = strchr(selector_str, ',');
678 if (remaining_param == NULL) {
679 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
680 /* If the argument does not follow the template, carry on anyway to check
681 if the selector value is at least correct. If remaining_param is NULL,
682 we'll exit anyway further down */
685 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
688 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
690 switch (dissector_table_selector_type) {
696 /* The selector for this table is an unsigned number. Parse it as such.
697 There's no need to remove leading and trailing spaces from the
698 selector number string, because sscanf will do that for us. */
699 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
704 if (op != ':' && op != '-') {
705 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
706 g_free(decoded_param);
710 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
711 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
712 g_free(decoded_param);
716 else if (selector2 < selector) {
717 /* We could swap them for the user, but maybe it's better to call
718 * this out as an error in case it's not what was intended? */
719 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
720 g_free(decoded_param);
725 cmdarg_err("Invalid selector number \"%s\"", selector_str);
726 g_free(decoded_param);
735 /* The selector for this table is a string. */
739 /* There are currently no dissector tables with any types other
740 than the ones listed above. */
741 g_assert_not_reached();
744 if (remaining_param == NULL) {
745 /* Exit if no ',' separator was found (see above) */
746 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
747 fprint_all_protocols_for_layer_types(stderr, table_name);
748 g_free(decoded_param);
752 remaining_param++; /* Position after the selector number string */
754 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
756 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
758 /* Remove leading and trailing spaces from the dissector name */
759 while ( dissector_str[0] == ' ' )
761 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
762 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
764 dissector_matching = NULL;
766 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
767 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
768 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
771 user_protocol_name.nb_match = 0;
772 user_protocol_name.searched_name = dissector_str;
773 user_protocol_name.matched_handle = NULL;
775 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
777 if (user_protocol_name.nb_match != 0) {
778 dissector_matching = user_protocol_name.matched_handle;
779 if (user_protocol_name.nb_match > 1) {
780 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
784 /* OK, check whether the problem is that there isn't any such
785 protocol, or that there is but it's not specified as a protocol
786 that's valid for that dissector table.
787 Note, we don't exit here, but dissector_matching will remain NULL,
789 if (proto_get_id_by_filter_name(dissector_str) == -1) {
790 /* No such protocol */
791 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
793 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
794 dissector_str, table_name);
799 if (!dissector_matching) {
800 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
801 fprint_all_protocols_for_layer_types(stderr, table_name);
802 g_free(decoded_param);
806 /* This is the end of the code that parses the command-line options.
807 All information is now stored in the variables:
811 The above variables that are strings are still pointing to areas within
812 decoded_parm. decoded_parm thus still needs to be kept allocated in
813 until we stop needing these variables
814 decoded_param will be deallocated at each exit point of this function */
817 /* We now have a pointer to the handle for the requested dissector
818 (requested protocol) inside the variable dissector_matching */
819 switch (dissector_table_selector_type) {
825 /* The selector for this table is an unsigned number. */
827 dissector_change_uint(table_name, selector, dissector_matching);
828 } else if (op == ':') {
829 for (i = selector; i < (guint64)selector + selector2; i++) {
830 dissector_change_uint(table_name, (guint32)i, dissector_matching);
832 } else { /* op == '-' */
833 for (i = selector; i <= selector2; i++) {
834 dissector_change_uint(table_name, (guint32)i, dissector_matching);
843 /* The selector for this table is a string. */
844 dissector_change_string(table_name, selector_str, dissector_matching);
848 /* There are currently no dissector tables with any types other
849 than the ones listed above. */
850 g_assert_not_reached();
852 g_free(decoded_param); /* "Decode As" rule has been successfully added */
857 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
858 const gchar *message, gpointer user_data)
860 /* ignore log message, if log_level isn't interesting based
861 upon the console log preferences.
862 If the preferences haven't been loaded loaded yet, display the
865 The default console_log_level preference value is such that only
866 ERROR, CRITICAL and WARNING level messages are processed;
867 MESSAGE, INFO and DEBUG level messages are ignored.
869 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
870 ERROR and CRITICAL level messages so the current code is a behavioral
871 change. The current behavior is the same as in Wireshark.
873 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
874 prefs.console_log_level != 0) {
878 g_log_default_handler(log_domain, log_level, message, user_data);
883 output_file_description(const char *fname)
885 char *save_file_string;
887 /* Get a string that describes what we're writing to */
888 if (strcmp(fname, "-") == 0) {
889 /* We're writing to the standard output */
890 save_file_string = g_strdup("standard output");
892 /* We're writing to a file with the name in save_file */
893 save_file_string = g_strdup_printf("file \"%s\"", fname);
895 return save_file_string;
899 print_current_user(void) {
900 gchar *cur_user, *cur_group;
902 if (started_with_special_privs()) {
903 cur_user = get_cur_username();
904 cur_group = get_cur_groupname();
905 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
906 cur_user, cur_group);
909 if (running_with_special_privs()) {
910 fprintf(stderr, " This could be dangerous.");
912 fprintf(stderr, "\n");
917 get_tshark_compiled_version_info(GString *str)
919 /* Capture libraries */
920 get_compiled_caplibs_version(str);
923 g_string_append(str, ", ");
925 g_string_append(str, "with libz ");
927 g_string_append(str, ZLIB_VERSION);
928 #else /* ZLIB_VERSION */
929 g_string_append(str, "(version unknown)");
930 #endif /* ZLIB_VERSION */
931 #else /* HAVE_LIBZ */
932 g_string_append(str, "without libz");
933 #endif /* HAVE_LIBZ */
937 get_tshark_runtime_version_info(GString *str)
940 /* Capture libraries */
941 g_string_append(str, ", ");
942 get_runtime_caplibs_version(str);
946 #if defined(HAVE_LIBZ) && !defined(_WIN32)
947 g_string_append_printf(str, ", with libz %s", zlibVersion());
950 /* stuff used by libwireshark */
951 epan_get_runtime_version_info(str);
955 main(int argc, char *argv[])
957 GString *comp_info_str;
958 GString *runtime_info_str;
959 char *init_progfile_dir_error;
961 static const struct option long_options[] = {
962 {"help", no_argument, NULL, 'h'},
963 {"version", no_argument, NULL, 'v'},
964 LONGOPT_CAPTURE_COMMON
967 gboolean arg_error = FALSE;
973 char *gpf_path, *pf_path;
974 char *gdp_path, *dp_path;
976 int gpf_open_errno, gpf_read_errno;
977 int pf_open_errno, pf_read_errno;
978 int gdp_open_errno, gdp_read_errno;
979 int dp_open_errno, dp_read_errno;
982 volatile int exit_status = 0;
984 gboolean list_link_layer_types = FALSE;
985 gboolean start_capture = FALSE;
990 gboolean capture_option_specified = FALSE;
992 gboolean quiet = FALSE;
993 #ifdef PCAP_NG_DEFAULT
994 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
996 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
998 volatile gboolean out_file_name_res = FALSE;
999 volatile int in_file_type = WTAP_TYPE_AUTO;
1000 gchar *volatile cf_name = NULL;
1001 gchar *rfilter = NULL;
1002 gchar *dfilter = NULL;
1003 #ifdef HAVE_PCAP_OPEN_DEAD
1004 struct bpf_program fcode;
1006 dfilter_t *rfcode = NULL;
1007 dfilter_t *dfcode = NULL;
1012 gchar *output_only = NULL;
1013 GSList *disable_protocol_slist = NULL;
1014 GSList *enable_heur_slist = NULL;
1015 GSList *disable_heur_slist = NULL;
1018 * The leading + ensures that getopt_long() does not permute the argv[]
1021 * We have to make sure that the first getopt_long() preserves the content
1022 * of argv[] for the subsequent getopt_long() call.
1024 * We use getopt_long() in both cases to ensure that we're using a routine
1025 * whose permutation behavior we can control in the same fashion on all
1026 * platforms, and so that, if we ever need to process a long argument before
1027 * doing further initialization, we can do so.
1029 * Glibc and Solaris libc document that a leading + disables permutation
1030 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1031 * and OS X don't document it, but do so anyway.
1033 * We do *not* use a leading - because the behavior of a leading - is
1034 * platform-dependent.
1036 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1038 static const char optstring[] = OPTSTRING;
1040 tshark_debug("tshark started with %d args", argc);
1042 /* Set the C-language locale to the native environment. */
1043 setlocale(LC_ALL, "");
1045 cmdarg_err_init(failure_message, failure_message_cont);
1048 arg_list_utf_16to8(argc, argv);
1049 create_app_running_mutex();
1050 #if !GLIB_CHECK_VERSION(2,31,0)
1051 g_thread_init(NULL);
1056 * Get credential information for later use, and drop privileges
1057 * before doing anything else.
1058 * Let the user know if anything happened.
1060 init_process_policies();
1061 relinquish_special_privs_perm();
1062 print_current_user();
1065 * Attempt to get the pathname of the executable file.
1067 init_progfile_dir_error = init_progfile_dir(argv[0], main);
1068 if (init_progfile_dir_error != NULL) {
1069 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1070 init_progfile_dir_error);
1073 initialize_funnel_ops();
1076 /* Load wpcap if possible. Do this before collecting the run-time version information */
1079 /* Warn the user if npf.sys isn't loaded. */
1080 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1081 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1082 "capturing or\nlisting interfaces.\n");
1086 /* Get the compile-time version information string */
1087 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1088 epan_get_compiled_version_info);
1090 /* Get the run-time version information string */
1091 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1093 /* Add it to the information to be reported on a crash. */
1094 ws_add_crash_info("TShark (Wireshark) %s\n"
1099 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1100 g_string_free(comp_info_str, TRUE);
1101 g_string_free(runtime_info_str, TRUE);
1104 * In order to have the -X opts assigned before the wslua machine starts
1105 * we need to call getopt_long before epan_init() gets called.
1107 * In order to handle, for example, -o options, we also need to call it
1108 * *after* epan_init() gets called, so that the dissectors have had a
1109 * chance to register their preferences.
1111 * XXX - can we do this all with one getopt_long() call, saving the
1112 * arguments we can't handle until after initializing libwireshark,
1113 * and then process them after initializing libwireshark?
1117 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1119 case 'C': /* Configuration Profile */
1120 if (profile_exists (optarg, FALSE)) {
1121 set_profile_name (optarg);
1123 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1127 case 'P': /* Print packet summary info even when writing to a file */
1128 print_packet_info = TRUE;
1129 print_summary = TRUE;
1131 case 'O': /* Only output these protocols */
1132 output_only = g_strdup(optarg);
1134 case 'V': /* Verbose */
1135 print_details = TRUE;
1136 print_packet_info = TRUE;
1138 case 'x': /* Print packet data in hex (and ASCII) */
1140 /* The user asked for hex output, so let's ensure they get it,
1141 * even if they're writing to a file.
1143 print_packet_info = TRUE;
1154 * Print packet summary information is the default, unless either -V or -x
1155 * were specified and -P was not. Note that this is new behavior, which
1156 * allows for the possibility of printing only hex/ascii output without
1157 * necessarily requiring that either the summary or details be printed too.
1159 if (print_summary == -1)
1160 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1162 /** Send All g_log messages to our own handler **/
1166 G_LOG_LEVEL_CRITICAL|
1167 G_LOG_LEVEL_WARNING|
1168 G_LOG_LEVEL_MESSAGE|
1171 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1173 g_log_set_handler(NULL,
1174 (GLogLevelFlags)log_flags,
1175 tshark_log_handler, NULL /* user_data */);
1176 g_log_set_handler(LOG_DOMAIN_MAIN,
1177 (GLogLevelFlags)log_flags,
1178 tshark_log_handler, NULL /* user_data */);
1181 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1182 (GLogLevelFlags)log_flags,
1183 tshark_log_handler, NULL /* user_data */);
1184 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1185 (GLogLevelFlags)log_flags,
1186 tshark_log_handler, NULL /* user_data */);
1189 init_report_err(failure_message, open_failure_message, read_failure_message,
1190 write_failure_message);
1193 capture_opts_init(&global_capture_opts);
1194 capture_session_init(&global_capture_session, &cfile);
1197 timestamp_set_type(TS_RELATIVE);
1198 timestamp_set_precision(TS_PREC_AUTO);
1199 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1201 init_open_routines();
1204 /* Register all the plugin types we have. */
1205 epan_register_plugin_types(); /* Types known to libwireshark */
1206 wtap_register_plugin_types(); /* Types known to libwiretap */
1208 /* Scan for plugins. This does *not* call their registration routines;
1209 that's done later. */
1212 /* Register all libwiretap plugin modules. */
1213 register_all_wiretap_modules();
1216 /* Register all dissectors; we must do this before checking for the
1217 "-G" flag, as the "-G" flag dumps information registered by the
1218 dissectors, and we must do it before we read the preferences, in
1219 case any dissectors register preferences. */
1220 if (!epan_init(register_all_protocols, register_all_protocol_handoffs, NULL,
1224 /* Register all tap listeners; we do this before we parse the arguments,
1225 as the "-z" argument can specify a registered tap. */
1227 /* we register the plugin taps before the other taps because
1228 stats_tree taps plugins will be registered as tap listeners
1229 by stats_tree_stat.c and need to registered before that */
1231 register_all_plugin_tap_listeners();
1233 register_all_tap_listeners();
1234 conversation_table_set_gui_info(init_iousers);
1235 hostlist_table_set_gui_info(init_hostlists);
1236 srt_table_iterate_tables(register_srt_tables, NULL);
1237 rtd_table_iterate_tables(register_rtd_tables, NULL);
1238 new_stat_tap_iterate_tables(register_simple_stat_tables, NULL);
1240 /* If invoked with the "-G" flag, we dump out information based on
1241 the argument to the "-G" flag; if no argument is specified,
1242 for backwards compatibility we dump out a glossary of display
1245 XXX - we do this here, for now, to support "-G" with no arguments.
1246 If none of our build or other processes uses "-G" with no arguments,
1247 we can just process it with the other arguments. */
1248 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1249 proto_initialize_all_prefixes();
1252 proto_registrar_dump_fields();
1254 if (strcmp(argv[2], "column-formats") == 0)
1255 column_dump_column_formats();
1256 else if (strcmp(argv[2], "currentprefs") == 0) {
1257 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1258 &pf_open_errno, &pf_read_errno, &pf_path);
1261 else if (strcmp(argv[2], "decodes") == 0)
1262 dissector_dump_decodes();
1263 else if (strcmp(argv[2], "defaultprefs") == 0)
1265 else if (strcmp(argv[2], "dissector-tables") == 0)
1266 dissector_dump_dissector_tables();
1267 else if (strcmp(argv[2], "fieldcount") == 0) {
1268 /* return value for the test suite */
1269 return proto_registrar_dump_fieldcount();
1270 } else if (strcmp(argv[2], "fields") == 0)
1271 proto_registrar_dump_fields();
1272 else if (strcmp(argv[2], "ftypes") == 0)
1273 proto_registrar_dump_ftypes();
1274 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1275 dissector_dump_heur_decodes();
1276 else if (strcmp(argv[2], "plugins") == 0) {
1281 wslua_plugins_dump_all();
1284 else if (strcmp(argv[2], "protocols") == 0)
1285 proto_registrar_dump_protocols();
1286 else if (strcmp(argv[2], "values") == 0)
1287 proto_registrar_dump_values();
1288 else if (strcmp(argv[2], "?") == 0)
1289 glossary_option_help();
1290 else if (strcmp(argv[2], "-?") == 0)
1291 glossary_option_help();
1293 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1300 tshark_debug("tshark reading preferences");
1302 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1303 &pf_open_errno, &pf_read_errno, &pf_path);
1304 if (gpf_path != NULL) {
1305 if (gpf_open_errno != 0) {
1306 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1307 pf_path, g_strerror(gpf_open_errno));
1309 if (gpf_read_errno != 0) {
1310 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1311 pf_path, g_strerror(gpf_read_errno));
1314 if (pf_path != NULL) {
1315 if (pf_open_errno != 0) {
1316 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1317 g_strerror(pf_open_errno));
1319 if (pf_read_errno != 0) {
1320 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1321 pf_path, g_strerror(pf_read_errno));
1327 read_filter_list(CFILTER_LIST, &cf_path, &cf_open_errno);
1328 if (cf_path != NULL) {
1329 cmdarg_err("Could not open your capture filter file\n\"%s\": %s.",
1330 cf_path, g_strerror(cf_open_errno));
1334 /* Read the disabled protocols file. */
1335 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1336 &dp_path, &dp_open_errno, &dp_read_errno);
1337 read_disabled_heur_dissector_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1338 &dp_path, &dp_open_errno, &dp_read_errno);
1339 if (gdp_path != NULL) {
1340 if (gdp_open_errno != 0) {
1341 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1342 gdp_path, g_strerror(gdp_open_errno));
1344 if (gdp_read_errno != 0) {
1345 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1346 gdp_path, g_strerror(gdp_read_errno));
1350 if (dp_path != NULL) {
1351 if (dp_open_errno != 0) {
1353 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1354 g_strerror(dp_open_errno));
1356 if (dp_read_errno != 0) {
1358 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1359 g_strerror(dp_read_errno));
1364 cap_file_init(&cfile);
1366 /* Print format defaults to this. */
1367 print_format = PR_FMT_TEXT;
1369 output_fields = output_fields_new();
1372 * To reset the options parser, set optreset to 1 on platforms that
1373 * have optreset (documented in *BSD and OS X, apparently present but
1374 * not documented in Solaris - the Illumos repository seems to
1375 * suggest that the first Solaris getopt_long(), at least as of 2004,
1376 * was based on the NetBSD one, it had optreset) and set optind to 1,
1377 * and set optind to 0 otherwise (documented as working in the GNU
1378 * getopt_long(). Setting optind to 0 didn't originally work in the
1379 * NetBSD one, but that was added later - we don't want to depend on
1380 * it if we have optreset).
1382 * Also reset opterr to 1, so that error messages are printed by
1385 #ifdef HAVE_OPTRESET
1393 /* Now get our args */
1394 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1396 case '2': /* Perform two pass analysis */
1397 perform_two_pass_analysis = TRUE;
1399 case 'a': /* autostop criteria */
1400 case 'b': /* Ringbuffer option */
1401 case 'c': /* Capture x packets */
1402 case 'f': /* capture filter */
1403 case 'g': /* enable group read access on file(s) */
1404 case 'i': /* Use interface x */
1405 case 'p': /* Don't capture in promiscuous mode */
1406 #ifdef HAVE_PCAP_REMOTE
1407 case 'A': /* Authentication */
1409 #ifdef HAVE_PCAP_CREATE
1410 case 'I': /* Capture in monitor mode, if available */
1412 case 's': /* Set the snapshot (capture) length */
1413 case 'w': /* Write to capture file x */
1414 case 'y': /* Set the pcap data link type */
1415 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1416 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1417 case 'B': /* Buffer size */
1420 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1427 * Output file name, if we're reading a file and writing to another
1430 output_file_name = optarg;
1432 capture_option_specified = TRUE;
1438 /* already processed; just ignore it now */
1440 case 'd': /* Decode as rule */
1441 if (!add_decode_as(optarg))
1444 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1445 case 'K': /* Kerberos keytab file */
1446 read_keytab_file(optarg);
1449 case 'D': /* Print a list of capture devices and exit */
1451 if_list = capture_interface_list(&err, &err_str,NULL);
1452 if (if_list == NULL) {
1454 cmdarg_err("There are no interfaces on which a capture can be done");
1456 cmdarg_err("%s", err_str);
1461 capture_opts_print_interfaces(if_list);
1462 free_interface_list(if_list);
1465 capture_option_specified = TRUE;
1471 output_fields_add(output_fields, optarg);
1475 if (!output_fields_set_option(output_fields, optarg)) {
1476 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1477 output_fields_list_options(stderr);
1482 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1483 if (out_file_type < 0) {
1484 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1485 list_capture_types();
1489 case 'W': /* Select extra information to save in our capture file */
1490 /* This is patterned after the -N flag which may not be the best idea. */
1491 if (strchr(optarg, 'n')) {
1492 out_file_name_res = TRUE;
1494 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1495 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1499 case 'H': /* Read address to name mappings from a hosts file */
1500 if (! add_hosts_file(optarg))
1502 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1505 out_file_name_res = TRUE;
1508 case 'h': /* Print help and exit */
1509 printf("TShark (Wireshark) %s\n"
1510 "Dump and analyze network traffic.\n"
1511 "See https://www.wireshark.org for more information.\n",
1512 get_ws_vcs_version_info());
1513 print_usage(stdout);
1516 case 'l': /* "Line-buffer" standard output */
1517 /* This isn't line-buffering, strictly speaking, it's just
1518 flushing the standard output after the information for
1519 each packet is printed; however, that should be good
1520 enough for all the purposes to which "-l" is put (and
1521 is probably actually better for "-V", as it does fewer
1524 See the comment in "process_packet()" for an explanation of
1525 why we do that, and why we don't just use "setvbuf()" to
1526 make the standard output line-buffered (short version: in
1527 Windows, "line-buffered" is the same as "fully-buffered",
1528 and the output buffer is only flushed when it fills up). */
1529 line_buffered = TRUE;
1531 case 'L': /* Print list of link-layer types and exit */
1533 list_link_layer_types = TRUE;
1535 capture_option_specified = TRUE;
1539 case 'n': /* No name resolution */
1540 disable_name_resolution();
1542 case 'N': /* Select what types of addresses/port #s to resolve */
1543 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1544 if (badopt != '\0') {
1545 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1547 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1548 "\t'd' to enable address resolution from captured DNS packets\n"
1549 "\t'm' to enable MAC address resolution\n"
1550 "\t'n' to enable network address resolution\n"
1551 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1552 "\t for network address resolution\n"
1553 "\t't' to enable transport-layer port number resolution");
1557 case 'o': /* Override preference from command line */
1558 switch (prefs_set_pref(optarg)) {
1563 case PREFS_SET_SYNTAX_ERR:
1564 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1568 case PREFS_SET_NO_SUCH_PREF:
1569 case PREFS_SET_OBSOLETE:
1570 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1575 case 'q': /* Quiet */
1578 case 'Q': /* Really quiet */
1580 really_quiet = TRUE;
1582 case 'r': /* Read capture file x */
1583 cf_name = g_strdup(optarg);
1585 case 'R': /* Read file filter */
1589 /* already processed; just ignore it now */
1591 case 'S': /* Set the line Separator to be printed between packets */
1594 case 't': /* Time stamp type */
1595 if (strcmp(optarg, "r") == 0)
1596 timestamp_set_type(TS_RELATIVE);
1597 else if (strcmp(optarg, "a") == 0)
1598 timestamp_set_type(TS_ABSOLUTE);
1599 else if (strcmp(optarg, "ad") == 0)
1600 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1601 else if (strcmp(optarg, "adoy") == 0)
1602 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1603 else if (strcmp(optarg, "d") == 0)
1604 timestamp_set_type(TS_DELTA);
1605 else if (strcmp(optarg, "dd") == 0)
1606 timestamp_set_type(TS_DELTA_DIS);
1607 else if (strcmp(optarg, "e") == 0)
1608 timestamp_set_type(TS_EPOCH);
1609 else if (strcmp(optarg, "u") == 0)
1610 timestamp_set_type(TS_UTC);
1611 else if (strcmp(optarg, "ud") == 0)
1612 timestamp_set_type(TS_UTC_WITH_YMD);
1613 else if (strcmp(optarg, "udoy") == 0)
1614 timestamp_set_type(TS_UTC_WITH_YDOY);
1616 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1617 cmdarg_err_cont("\t\"a\" for absolute\n"
1618 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1619 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1620 "\t\"d\" for delta\n"
1621 "\t\"dd\" for delta displayed\n"
1622 "\t\"e\" for epoch\n"
1623 "\t\"r\" for relative\n"
1624 "\t\"u\" for absolute UTC\n"
1625 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1626 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1630 case 'T': /* printing Type */
1631 print_packet_info = TRUE;
1632 if (strcmp(optarg, "text") == 0) {
1633 output_action = WRITE_TEXT;
1634 print_format = PR_FMT_TEXT;
1635 } else if (strcmp(optarg, "ps") == 0) {
1636 output_action = WRITE_TEXT;
1637 print_format = PR_FMT_PS;
1638 } else if (strcmp(optarg, "pdml") == 0) {
1639 output_action = WRITE_XML;
1640 print_details = TRUE; /* Need details */
1641 print_summary = FALSE; /* Don't allow summary */
1642 } else if (strcmp(optarg, "psml") == 0) {
1643 output_action = WRITE_XML;
1644 print_details = FALSE; /* Don't allow details */
1645 print_summary = TRUE; /* Need summary */
1646 } else if (strcmp(optarg, "fields") == 0) {
1647 output_action = WRITE_FIELDS;
1648 print_details = TRUE; /* Need full tree info */
1649 print_summary = FALSE; /* Don't allow summary */
1651 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1652 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1653 "\t specified by the -E option.\n"
1654 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1655 "\t details of a decoded packet. This information is equivalent to\n"
1656 "\t the packet details printed with the -V flag.\n"
1657 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1658 "\t the packets, or a multi-line view of the details of each of\n"
1659 "\t the packets, depending on whether the -V flag was specified.\n"
1660 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1661 "\t summary information of a decoded packet. This information is\n"
1662 "\t equivalent to the information shown in the one-line summary\n"
1663 "\t printed by default.\n"
1664 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1665 "\t packets, or a multi-line view of the details of each of the\n"
1666 "\t packets, depending on whether the -V flag was specified.\n"
1667 "\t This is the default.");
1671 case 'u': /* Seconds type */
1672 if (strcmp(optarg, "s") == 0)
1673 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1674 else if (strcmp(optarg, "hms") == 0)
1675 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1677 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1678 cmdarg_err_cont("\t\"s\" for seconds\n"
1679 "\t\"hms\" for hours, minutes and seconds");
1683 case 'v': /* Show version and exit */
1684 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1685 epan_get_compiled_version_info);
1686 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1687 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1688 g_string_free(comp_info_str, TRUE);
1689 g_string_free(runtime_info_str, TRUE);
1690 /* We don't really have to cleanup here, but it's a convenient way to test
1691 * start-up and shut-down of the epan library without any UI-specific
1692 * cruft getting in the way. Makes the results of running
1693 * $ ./tools/valgrind-wireshark -n
1694 * much more useful. */
1697 case 'O': /* Only output these protocols */
1698 /* already processed; just ignore it now */
1700 case 'V': /* Verbose */
1701 /* already processed; just ignore it now */
1703 case 'x': /* Print packet data in hex (and ASCII) */
1704 /* already processed; just ignore it now */
1707 /* already processed; just ignore it now */
1713 /* We won't call the init function for the stat this soon
1714 as it would disallow MATE's fields (which are registered
1715 by the preferences set callback) from being used as
1716 part of a tap filter. Instead, we just add the argument
1717 to a list of stat arguments. */
1718 if (strcmp("help", optarg) == 0) {
1719 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1720 list_stat_cmd_args();
1723 if (!process_stat_cmd_arg(optarg)) {
1724 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1725 list_stat_cmd_args();
1729 case LONGOPT_DISABLE_PROTOCOL: /* disable dissection of protocol */
1730 disable_protocol_slist = g_slist_append(disable_protocol_slist, optarg);
1732 case LONGOPT_ENABLE_HEURISTIC: /* enable heuristic dissection of protocol */
1733 enable_heur_slist = g_slist_append(enable_heur_slist, optarg);
1735 case LONGOPT_DISABLE_HEURISTIC: /* disable heuristic dissection of protocol */
1736 disable_heur_slist = g_slist_append(disable_heur_slist, optarg);
1740 case '?': /* Bad flag - print usage message */
1743 list_capture_types();
1746 print_usage(stderr);
1753 /* If we specified output fields, but not the output field type... */
1754 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1755 cmdarg_err("Output fields were specified with \"-e\", "
1756 "but \"-Tfields\" was not specified.");
1758 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1759 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1760 "specified with \"-e\".");
1765 /* If no capture filter or display filter has been specified, and there are
1766 still command-line arguments, treat them as the tokens of a capture
1767 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1768 flag was specified. */
1769 if (optind < argc) {
1770 if (cf_name != NULL) {
1771 if (dfilter != NULL) {
1772 cmdarg_err("Display filters were specified both with \"-d\" "
1773 "and with additional command-line arguments.");
1776 dfilter = get_args_as_string(argc, argv, optind);
1781 if (global_capture_opts.default_options.cfilter) {
1782 cmdarg_err("A default capture filter was specified both with \"-f\""
1783 " and with additional command-line arguments.");
1786 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1787 interface_options interface_opts;
1788 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1789 if (interface_opts.cfilter == NULL) {
1790 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1791 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1792 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1794 cmdarg_err("A capture filter was specified both with \"-f\""
1795 " and with additional command-line arguments.");
1799 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1801 capture_option_specified = TRUE;
1807 if (!global_capture_opts.saving_to_file) {
1808 /* We're not saving the capture to a file; if "-q" wasn't specified,
1809 we should print packet information */
1811 print_packet_info = TRUE;
1813 /* We're saving to a file; if we're writing to the standard output.
1814 and we'll also be writing dissected packets to the standard
1815 output, reject the request. At best, we could redirect that
1816 to the standard error; we *can't* write both to the standard
1817 output and have either of them be useful. */
1818 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1819 cmdarg_err("You can't write both raw packet data and dissected packets"
1820 " to the standard output.");
1825 /* We're not saving the capture to a file; if "-q" wasn't specified,
1826 we should print packet information */
1828 print_packet_info = TRUE;
1831 #ifndef HAVE_LIBPCAP
1832 if (capture_option_specified)
1833 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1836 print_usage(stderr);
1841 if (output_action != WRITE_TEXT) {
1842 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1847 if (output_only != NULL) {
1850 if (!print_details) {
1851 cmdarg_err("-O requires -V");
1855 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1856 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1857 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1861 if (rfilter != NULL && !perform_two_pass_analysis) {
1862 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1867 if (list_link_layer_types) {
1868 /* We're supposed to list the link-layer types for an interface;
1869 did the user also specify a capture file to be read? */
1871 /* Yes - that's bogus. */
1872 cmdarg_err("You can't specify -L and a capture file to be read.");
1875 /* No - did they specify a ring buffer option? */
1876 if (global_capture_opts.multi_files_on) {
1877 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1883 * "-r" was specified, so we're reading a capture file.
1884 * Capture options don't apply here.
1887 /* We don't support capture filters when reading from a capture file
1888 (the BPF compiler doesn't support all link-layer types that we
1889 support in capture files we read). */
1890 if (global_capture_opts.default_options.cfilter) {
1891 cmdarg_err("Only read filters, not capture filters, "
1892 "can be specified when reading a capture file.");
1895 if (global_capture_opts.multi_files_on) {
1896 cmdarg_err("Multiple capture files requested, but "
1897 "a capture isn't being done.");
1900 if (global_capture_opts.has_file_duration) {
1901 cmdarg_err("Switching capture files after a time interval was specified, but "
1902 "a capture isn't being done.");
1905 if (global_capture_opts.has_ring_num_files) {
1906 cmdarg_err("A ring buffer of capture files was specified, but "
1907 "a capture isn't being done.");
1910 if (global_capture_opts.has_autostop_files) {
1911 cmdarg_err("A maximum number of capture files was specified, but "
1912 "a capture isn't being done.");
1915 if (global_capture_opts.capture_comment) {
1916 cmdarg_err("A capture comment was specified, but "
1917 "a capture isn't being done.\nThere's no support for adding "
1918 "a capture comment to an existing capture file.");
1922 /* Note: TShark now allows the restriction of a _read_ file by packet count
1923 * and byte count as well as a write file. Other autostop options remain valid
1924 * only for a write file.
1926 if (global_capture_opts.has_autostop_duration) {
1927 cmdarg_err("A maximum capture time was specified, but "
1928 "a capture isn't being done.");
1933 * "-r" wasn't specified, so we're doing a live capture.
1935 if (perform_two_pass_analysis) {
1936 /* Two-pass analysis doesn't work with live capture since it requires us
1937 * to buffer packets until we've read all of them, but a live capture
1938 * has no useful/meaningful definition of "all" */
1939 cmdarg_err("Live captures do not support two-pass analysis.");
1943 if (global_capture_opts.saving_to_file) {
1944 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1946 /* When capturing, we only support writing pcap or pcap-ng format. */
1947 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1948 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1949 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1952 if (global_capture_opts.capture_comment &&
1953 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1954 cmdarg_err("A capture comment can only be written to a pcapng file.");
1957 if (global_capture_opts.multi_files_on) {
1958 /* Multiple-file mode doesn't work under certain conditions:
1959 a) it doesn't work if you're writing to the standard output;
1960 b) it doesn't work if you're writing to a pipe;
1962 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1963 cmdarg_err("Multiple capture files requested, but "
1964 "the capture is being written to the standard output.");
1967 if (global_capture_opts.output_to_pipe) {
1968 cmdarg_err("Multiple capture files requested, but "
1969 "the capture file is a pipe.");
1972 if (!global_capture_opts.has_autostop_filesize &&
1973 !global_capture_opts.has_file_duration) {
1974 cmdarg_err("Multiple capture files requested, but "
1975 "no maximum capture file size or duration was specified.");
1979 /* Currently, we don't support read or display filters when capturing
1980 and saving the packets. */
1981 if (rfilter != NULL) {
1982 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1985 if (dfilter != NULL) {
1986 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1989 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1991 /* They didn't specify a "-w" flag, so we won't be saving to a
1992 capture file. Check for options that only make sense if
1993 we're saving to a file. */
1994 if (global_capture_opts.has_autostop_filesize) {
1995 cmdarg_err("Maximum capture file size specified, but "
1996 "capture isn't being saved to a file.");
1999 if (global_capture_opts.multi_files_on) {
2000 cmdarg_err("Multiple capture files requested, but "
2001 "the capture isn't being saved to a file.");
2004 if (global_capture_opts.capture_comment) {
2005 cmdarg_err("A capture comment was specified, but "
2006 "the capture isn't being saved to a file.");
2015 /* Start windows sockets */
2016 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
2019 /* Notify all registered modules that have had any of their preferences
2020 changed either from one of the preferences file or from the command
2021 line that their preferences have changed. */
2024 /* At this point MATE will have registered its field array so we can
2025 have a tap filter with one of MATE's late-registered fields as part
2026 of the filter. We can now process all the "-z" arguments. */
2027 start_requested_stats();
2029 /* At this point MATE will have registered its field array so we can
2030 check if the fields specified by the user are all good.
2034 GSList *invalid_fields = output_fields_valid(output_fields);
2035 if (invalid_fields != NULL) {
2037 cmdarg_err("Some fields aren't valid:");
2038 for (it=invalid_fields; it != NULL; it = g_slist_next(it)) {
2039 cmdarg_err_cont("\t%s", (gchar *)it->data);
2041 g_slist_free(invalid_fields);
2046 /* We currently don't support taps, or printing dissected packets,
2047 if we're writing to a pipe. */
2048 if (global_capture_opts.saving_to_file &&
2049 global_capture_opts.output_to_pipe) {
2050 if (tap_listeners_require_dissection()) {
2051 cmdarg_err("Taps aren't supported when saving to a pipe.");
2054 if (print_packet_info) {
2055 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2061 if (ex_opt_count("read_format") > 0) {
2062 const gchar* name = ex_opt_get_next("read_format");
2063 in_file_type = open_info_name_to_type(name);
2064 if (in_file_type == WTAP_TYPE_AUTO) {
2065 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2066 list_read_capture_types();
2071 /* disabled protocols as per configuration file */
2072 if (gdp_path == NULL && dp_path == NULL) {
2073 set_disabled_protos_list();
2074 set_disabled_heur_dissector_list();
2077 if(disable_protocol_slist) {
2078 GSList *proto_disable;
2079 for (proto_disable = disable_protocol_slist; proto_disable != NULL; proto_disable = g_slist_next(proto_disable))
2081 proto_disable_proto_by_name((char*)proto_disable->data);
2085 if(enable_heur_slist) {
2086 GSList *heur_enable;
2087 for (heur_enable = enable_heur_slist; heur_enable != NULL; heur_enable = g_slist_next(heur_enable))
2089 proto_enable_heuristic_by_name((char*)heur_enable->data, TRUE);
2093 if(disable_heur_slist) {
2094 GSList *heur_disable;
2095 for (heur_disable = disable_heur_slist; heur_disable != NULL; heur_disable = g_slist_next(heur_disable))
2097 proto_enable_heuristic_by_name((char*)heur_disable->data, FALSE);
2101 /* Build the column format array */
2102 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2105 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2106 capture_opts_trim_ring_num_files(&global_capture_opts);
2109 if (rfilter != NULL) {
2110 tshark_debug("Compiling read filter: '%s'", rfilter);
2111 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2112 cmdarg_err("%s", err_msg);
2115 #ifdef HAVE_PCAP_OPEN_DEAD
2119 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2121 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2123 " Note: That read filter code looks like a valid capture filter;\n"
2124 " maybe you mixed them up?");
2133 cfile.rfcode = rfcode;
2135 if (dfilter != NULL) {
2136 tshark_debug("Compiling display filter: '%s'", dfilter);
2137 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2138 cmdarg_err("%s", err_msg);
2141 #ifdef HAVE_PCAP_OPEN_DEAD
2145 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2147 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2149 " Note: That display filter code looks like a valid capture filter;\n"
2150 " maybe you mixed them up?");
2159 cfile.dfcode = dfcode;
2161 if (print_packet_info) {
2162 /* If we're printing as text or PostScript, we have
2163 to create a print stream. */
2164 if (output_action == WRITE_TEXT) {
2165 switch (print_format) {
2168 print_stream = print_stream_text_stdio_new(stdout);
2172 print_stream = print_stream_ps_stdio_new(stdout);
2176 g_assert_not_reached();
2181 /* We have to dissect each packet if:
2183 we're printing information about each packet;
2185 we're using a read filter on the packets;
2187 we're using a display filter on the packets;
2189 we're using any taps that need dissection. */
2190 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2191 tshark_debug("tshark: do_dissection = %s", do_dissection ? "TRUE" : "FALSE");
2194 tshark_debug("tshark: Opening capture file: %s", cf_name);
2196 * We're reading a capture file.
2198 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2203 /* Process the packets in the file */
2204 tshark_debug("tshark: invoking load_cap_file() to process the packets");
2207 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2208 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2209 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2211 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2214 CATCH(OutOfMemoryError) {
2218 "Sorry, but TShark has to terminate now.\n"
2220 "More information and workarounds can be found at\n"
2221 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2226 /* We still dump out the results of taps, etc., as we might have
2227 read some packets; however, we exit with an error status. */
2231 tshark_debug("tshark: no capture file specified");
2232 /* No capture file specified, so we're supposed to do a live capture
2233 or get a list of link-layer types for a live capture device;
2234 do we have support for live captures? */
2236 /* if no interface was specified, pick a default */
2237 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2238 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2239 if (exit_status != 0)
2242 /* if requested, list the link layer types and exit */
2243 if (list_link_layer_types) {
2246 /* Get the list of link-layer types for the capture devices. */
2247 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2248 interface_options interface_opts;
2249 if_capabilities_t *caps;
2250 char *auth_str = NULL;
2252 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2253 #ifdef HAVE_PCAP_REMOTE
2254 if (interface_opts.auth_type == CAPTURE_AUTH_PWD) {
2255 auth_str = g_strdup_printf("%s:%s", interface_opts.auth_username, interface_opts.auth_password);
2258 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, auth_str, &err_str, NULL);
2261 cmdarg_err("%s", err_str);
2265 if (caps->data_link_types == NULL) {
2266 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2269 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2270 free_if_capabilities(caps);
2276 * If the standard error isn't a terminal, don't print packet counts,
2277 * as they won't show up on the user's terminal and they'll get in
2278 * the way of error messages in the file (to which we assume the
2279 * standard error was redirected; if it's redirected to the null
2280 * device, there's no point in printing packet counts anyway).
2282 * Otherwise, if we're printing packet information and the standard
2283 * output is a terminal (which we assume means the standard output and
2284 * error are going to the same terminal), don't print packet counts,
2285 * as they'll get in the way of the packet information.
2287 * Otherwise, if the user specified -q, don't print packet counts.
2289 * Otherwise, print packet counts.
2291 * XXX - what if the user wants to do a live capture, doesn't want
2292 * to save it to a file, doesn't want information printed for each
2293 * packet, does want some "-z" statistic, and wants packet counts
2294 * so they know whether they're seeing any packets? -q will
2295 * suppress the information printed for each packet, but it'll
2296 * also suppress the packet counts.
2298 if (!isatty(fileno(stderr)))
2299 print_packet_counts = FALSE;
2300 else if (print_packet_info && isatty(fileno(stdout)))
2301 print_packet_counts = FALSE;
2303 print_packet_counts = FALSE;
2305 print_packet_counts = TRUE;
2307 if (print_packet_info) {
2308 if (!write_preamble(&cfile)) {
2309 show_print_file_io_error(errno);
2314 tshark_debug("tshark: performing live capture");
2316 * XXX - this returns FALSE if an error occurred, but it also
2317 * returns FALSE if the capture stops because a time limit
2318 * was reached (and possibly other limits), so we can't assume
2319 * it means an error.
2321 * The capture code is a bit twisty, so it doesn't appear to
2322 * be an easy fix. We just ignore the return value for now.
2323 * Instead, pass on the exit status from the capture child.
2326 exit_status = global_capture_session.fork_child_status;
2328 if (print_packet_info) {
2329 if (!write_finale()) {
2331 show_print_file_io_error(err);
2335 /* No - complain. */
2336 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2343 if (cfile.frames != NULL) {
2344 free_frame_data_sequence(cfile.frames);
2345 cfile.frames = NULL;
2348 draw_tap_listeners(TRUE);
2349 funnel_dump_all_text_windows();
2350 epan_free(cfile.epan);
2353 output_fields_free(output_fields);
2354 output_fields = NULL;
2359 /*#define USE_BROKEN_G_MAIN_LOOP*/
2361 #ifdef USE_BROKEN_G_MAIN_LOOP
2364 gboolean loop_running = FALSE;
2366 guint32 packet_count = 0;
2369 typedef struct pipe_input_tag {
2372 ws_process_id *child_process;
2373 pipe_input_cb_t input_cb;
2374 guint pipe_input_id;
2376 GMutex *callback_running;
2380 static pipe_input_t pipe_input;
2383 /* The timer has expired, see if there's stuff to read from the pipe,
2384 if so, do the callback */
2386 pipe_timer_cb(gpointer data)
2392 pipe_input_t *pipe_input_p = data;
2393 gint iterations = 0;
2395 g_mutex_lock (pipe_input_p->callback_running);
2397 /* try to read data from the pipe only 5 times, to avoid blocking */
2398 while(iterations < 5) {
2399 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2401 /* Oddly enough although Named pipes don't work on win9x,
2402 PeekNamedPipe does !!! */
2403 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2404 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2406 /* Get the child process exit status */
2407 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2410 /* If the Peek returned an error, or there are bytes to be read
2411 or the childwatcher thread has terminated then call the normal
2413 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2415 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2417 /* And call the real handler */
2418 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2419 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2420 /* pipe closed, return false so that the timer is stopped */
2421 g_mutex_unlock (pipe_input_p->callback_running);
2426 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2427 /* No data, stop now */
2434 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2436 g_mutex_unlock (pipe_input_p->callback_running);
2438 /* we didn't stopped the timer, so let it run */
2445 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2448 pipe_input.source = source;
2449 pipe_input.child_process = child_process;
2450 pipe_input.user_data = user_data;
2451 pipe_input.input_cb = input_cb;
2454 #if GLIB_CHECK_VERSION(2,31,0)
2455 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2456 g_mutex_init(pipe_input.callback_running);
2458 pipe_input.callback_running = g_mutex_new();
2460 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2461 do this but that doesn't cover all win32 platforms. GTK can do
2462 this but doesn't seem to work over processes. Attempt to do
2463 something similar here, start a timer and check for data on every
2465 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2466 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2470 static const nstime_t *
2471 tshark_get_frame_ts(void *data, guint32 frame_num)
2473 capture_file *cf = (capture_file *) data;
2475 if (ref && ref->num == frame_num)
2476 return &ref->abs_ts;
2478 if (prev_dis && prev_dis->num == frame_num)
2479 return &prev_dis->abs_ts;
2481 if (prev_cap && prev_cap->num == frame_num)
2482 return &prev_cap->abs_ts;
2485 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2487 return (fd) ? &fd->abs_ts : NULL;
2494 tshark_epan_new(capture_file *cf)
2496 epan_t *epan = epan_new();
2499 epan->get_frame_ts = tshark_get_frame_ts;
2500 epan->get_interface_name = cap_file_get_interface_name;
2501 epan->get_user_comment = NULL;
2513 #ifdef USE_TSHARK_SELECT
2517 struct sigaction action, oldaction;
2520 /* Create new dissection section. */
2521 epan_free(cfile.epan);
2522 cfile.epan = tshark_epan_new(&cfile);
2525 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2526 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2528 /* Catch SIGINT and SIGTERM and, if we get either of them,
2529 clean up and exit. If SIGHUP isn't being ignored, catch
2530 it too and, if we get it, clean up and exit.
2532 We restart any read that was in progress, so that it doesn't
2533 disrupt reading from the sync pipe. The signal handler tells
2534 the capture child to finish; it will report that it finished,
2535 or will exit abnormally, so we'll stop reading from the sync
2536 pipe, pick up the exit status, and quit. */
2537 memset(&action, 0, sizeof(action));
2538 action.sa_handler = capture_cleanup;
2539 action.sa_flags = SA_RESTART;
2540 sigemptyset(&action.sa_mask);
2541 sigaction(SIGTERM, &action, NULL);
2542 sigaction(SIGINT, &action, NULL);
2543 sigaction(SIGHUP, NULL, &oldaction);
2544 if (oldaction.sa_handler == SIG_DFL)
2545 sigaction(SIGHUP, &action, NULL);
2548 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2549 quiet mode, report the number of packets we've captured.
2551 Again, restart any read that was in progress, so that it doesn't
2552 disrupt reading from the sync pipe. */
2553 action.sa_handler = report_counts_siginfo;
2554 action.sa_flags = SA_RESTART;
2555 sigemptyset(&action.sa_mask);
2556 sigaction(SIGINFO, &action, NULL);
2557 #endif /* SIGINFO */
2560 global_capture_session.state = CAPTURE_PREPARING;
2562 /* Let the user know which interfaces were chosen. */
2563 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2564 interface_options interface_opts;
2566 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2567 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2568 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2569 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2571 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2572 if (really_quiet == FALSE)
2573 fprintf(stderr, "Capturing on %s\n", str->str);
2575 g_string_free(str, TRUE);
2577 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, &global_info_data, NULL);
2582 /* the actual capture loop
2584 * XXX - glib doesn't seem to provide any event based loop handling.
2586 * XXX - for whatever reason,
2587 * calling g_main_loop_new() ends up in 100% cpu load.
2589 * But that doesn't matter: in UNIX we can use select() to find an input
2590 * source with something to do.
2592 * But that doesn't matter because we're in a CLI (that doesn't need to
2593 * update a GUI or something at the same time) so it's OK if we block
2594 * trying to read from the pipe.
2596 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2597 * wrong (but I leave it there in case I am...).
2600 #ifdef USE_TSHARK_SELECT
2602 FD_SET(pipe_input.source, &readfds);
2605 loop_running = TRUE;
2609 while (loop_running)
2611 #ifdef USE_TSHARK_SELECT
2612 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2616 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2618 } else if (ret == 1) {
2620 /* Call the real handler */
2621 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2622 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2625 #ifdef USE_TSHARK_SELECT
2630 CATCH(OutOfMemoryError) {
2634 "Sorry, but TShark has to terminate now.\n"
2636 "More information and workarounds can be found at\n"
2637 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2644 /* capture child detected an error */
2646 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2648 cmdarg_err("%s", error_msg);
2649 cmdarg_err_cont("%s", secondary_error_msg);
2653 /* capture child detected an capture filter related error */
2655 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2657 capture_options *capture_opts = cap_session->capture_opts;
2658 dfilter_t *rfcode = NULL;
2659 interface_options interface_opts;
2661 g_assert(i < capture_opts->ifaces->len);
2662 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2664 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2666 "Invalid capture filter \"%s\" for interface '%s'.\n"
2668 "That string looks like a valid display filter; however, it isn't a valid\n"
2669 "capture filter (%s).\n"
2671 "Note that display filters and capture filters don't have the same syntax,\n"
2672 "so you can't use most display filter expressions as capture filters.\n"
2674 "See the User's Guide for a description of the capture filter syntax.",
2675 interface_opts.cfilter, interface_opts.descr, error_message);
2676 dfilter_free(rfcode);
2679 "Invalid capture filter \"%s\" for interface '%s'.\n"
2681 "That string isn't a valid capture filter (%s).\n"
2682 "See the User's Guide for a description of the capture filter syntax.",
2683 interface_opts.cfilter, interface_opts.descr, error_message);
2688 /* capture child tells us we have a new (or the first) capture file */
2690 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2692 capture_options *capture_opts = cap_session->capture_opts;
2693 capture_file *cf = (capture_file *) cap_session->cf;
2694 gboolean is_tempfile;
2697 if (cap_session->state == CAPTURE_PREPARING) {
2698 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2700 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2702 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2704 /* free the old filename */
2705 if (capture_opts->save_file != NULL) {
2707 /* we start a new capture file, close the old one (if we had one before) */
2708 if (cf->state != FILE_CLOSED) {
2709 if (cf->wth != NULL) {
2710 wtap_close(cf->wth);
2713 cf->state = FILE_CLOSED;
2716 g_free(capture_opts->save_file);
2717 is_tempfile = FALSE;
2719 epan_free(cf->epan);
2720 cf->epan = tshark_epan_new(cf);
2722 /* we didn't had a save_file before, must be a tempfile */
2726 /* save the new filename */
2727 capture_opts->save_file = g_strdup(new_file);
2729 /* if we are in real-time mode, open the new file now */
2730 if (do_dissection) {
2731 /* this is probably unecessary, but better safe than sorry */
2732 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2733 /* Attempt to open the capture file and set up to read from it. */
2734 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2738 /* Don't unlink (delete) the save file - leave it around,
2739 for debugging purposes. */
2740 g_free(capture_opts->save_file);
2741 capture_opts->save_file = NULL;
2746 cap_session->state = CAPTURE_RUNNING;
2752 /* capture child tells us we have new packets to read */
2754 capture_input_new_packets(capture_session *cap_session, int to_read)
2760 capture_file *cf = (capture_file *)cap_session->cf;
2761 gboolean filtering_tap_listeners;
2766 * Prevent a SIGINFO handler from writing to the standard error while
2767 * we're doing so or writing to the standard output; instead, have it
2768 * just set a flag telling us to print that information when we're done.
2771 #endif /* SIGINFO */
2773 /* Do we have any tap listeners with filters? */
2774 filtering_tap_listeners = have_filtering_tap_listeners();
2776 /* Get the union of the flags for all tap listeners. */
2777 tap_flags = union_of_tap_listener_flags();
2779 if (do_dissection) {
2780 gboolean create_proto_tree;
2781 epan_dissect_t *edt;
2783 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2784 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2785 create_proto_tree = TRUE;
2787 create_proto_tree = FALSE;
2789 /* The protocol tree will be "visible", i.e., printed, only if we're
2790 printing packet details, which is true if we're printing stuff
2791 ("print_packet_info" is true) and we're in verbose mode
2792 ("packet_details" is true). */
2793 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2795 while (to_read-- && cf->wth) {
2796 wtap_cleareof(cf->wth);
2797 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2799 /* read from file failed, tell the capture child to stop */
2800 sync_pipe_stop(cap_session);
2801 wtap_close(cf->wth);
2804 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2805 wtap_buf_ptr(cf->wth),
2809 /* packet successfully read and gone through the "Read Filter" */
2814 epan_dissect_free(edt);
2818 * Dumpcap's doing all the work; we're not doing any dissection.
2819 * Count all the packets it wrote.
2821 packet_count += to_read;
2824 if (print_packet_counts) {
2825 /* We're printing packet counts. */
2826 if (packet_count != 0) {
2827 fprintf(stderr, "\r%u ", packet_count);
2828 /* stderr could be line buffered */
2835 * Allow SIGINFO handlers to write.
2840 * If a SIGINFO handler asked us to write out capture counts, do so.
2844 #endif /* SIGINFO */
2850 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2851 /* Report the count only if we aren't printing a packet count
2852 as packets arrive. */
2853 fprintf(stderr, "%u packet%s captured\n", packet_count,
2854 plurality(packet_count, "", "s"));
2857 infoprint = FALSE; /* we just reported it */
2858 #endif /* SIGINFO */
2863 report_counts_siginfo(int signum _U_)
2865 int sav_errno = errno;
2866 /* If we've been told to delay printing, just set a flag asking
2867 that we print counts (if we're supposed to), otherwise print
2868 the count of packets captured (if we're supposed to). */
2875 #endif /* SIGINFO */
2878 /* capture child detected any packet drops? */
2880 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2882 if (print_packet_counts) {
2883 /* We're printing packet counts to stderr.
2884 Send a newline so that we move to the line after the packet count. */
2885 fprintf(stderr, "\n");
2889 /* We're printing packet counts to stderr.
2890 Send a newline so that we move to the line after the packet count. */
2891 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2897 * Capture child closed its side of the pipe, report any error and
2898 * do the required cleanup.
2901 capture_input_closed(capture_session *cap_session, gchar *msg)
2903 capture_file *cf = (capture_file *) cap_session->cf;
2906 fprintf(stderr, "tshark: %s\n", msg);
2910 if (cf != NULL && cf->wth != NULL) {
2911 wtap_close(cf->wth);
2912 if (cf->is_tempfile) {
2913 ws_unlink(cf->filename);
2916 #ifdef USE_BROKEN_G_MAIN_LOOP
2917 /*g_main_loop_quit(loop);*/
2918 g_main_loop_quit(loop);
2920 loop_running = FALSE;
2929 capture_cleanup(DWORD ctrltype _U_)
2931 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2932 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2933 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2934 like SIGTERM at least when the machine's shutting down.
2936 For now, we handle them all as indications that we should clean up
2937 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2940 We must return TRUE so that no other handler - such as one that would
2941 terminate the process - gets called.
2943 XXX - for some reason, typing ^C to TShark, if you run this in
2944 a Cygwin console window in at least some versions of Cygwin,
2945 causes TShark to terminate immediately; this routine gets
2946 called, but the main loop doesn't get a chance to run and
2947 exit cleanly, at least if this is compiled with Microsoft Visual
2948 C++ (i.e., it's a property of the Cygwin console window or Bash;
2949 it happens if TShark is not built with Cygwin - for all I know,
2950 building it with Cygwin may make the problem go away). */
2952 /* tell the capture child to stop */
2953 sync_pipe_stop(&global_capture_session);
2955 /* don't stop our own loop already here, otherwise status messages and
2956 * cleanup wouldn't be done properly. The child will indicate the stop of
2957 * everything by calling capture_input_closed() later */
2963 capture_cleanup(int signum _U_)
2965 /* tell the capture child to stop */
2966 sync_pipe_stop(&global_capture_session);
2968 /* don't stop our own loop already here, otherwise status messages and
2969 * cleanup wouldn't be done properly. The child will indicate the stop of
2970 * everything by calling capture_input_closed() later */
2973 #endif /* HAVE_LIBPCAP */
2976 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2977 gint64 offset, struct wtap_pkthdr *whdr,
2984 /* The frame number of this packet is one more than the count of
2985 frames in this packet. */
2986 framenum = cf->count + 1;
2988 /* If we're not running a display filter and we're not printing any
2989 packet information, we don't need to do a dissection. This means
2990 that all packets can be marked as 'passed'. */
2993 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2995 /* If we're going to print packet information, or we're going to
2996 run a read filter, or display filter, or we're going to process taps, set up to
2997 do a dissection and do so. */
2999 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3000 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3001 /* Grab any resolved addresses */
3002 host_name_lookup_process();
3004 /* If we're running a read filter, prime the epan_dissect_t with that
3007 epan_dissect_prime_dfilter(edt, cf->rfcode);
3010 epan_dissect_prime_dfilter(edt, cf->dfcode);
3012 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
3014 if (ref == &fdlocal) {
3015 ref_frame = fdlocal;
3019 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
3021 /* Run the read filter if we have one. */
3023 passed = dfilter_apply_edt(cf->rfcode, edt);
3027 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
3028 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
3030 /* If we're not doing dissection then there won't be any dependent frames.
3031 * More importantly, edt.pi.dependent_frames won't be initialized because
3032 * epan hasn't been initialized.
3033 * if we *are* doing dissection, then mark the dependent frames, but only
3034 * if a display filter was given and it matches this packet.
3036 if (edt && cf->dfcode) {
3037 if (dfilter_apply_edt(cf->dfcode, edt)) {
3038 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
3044 /* if we don't add it to the frame_data_sequence, clean it up right now
3046 frame_data_destroy(&fdlocal);
3050 epan_dissect_reset(edt);
3056 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
3057 struct wtap_pkthdr *phdr, Buffer *buf,
3063 /* If we're not running a display filter and we're not printing any
3064 packet information, we don't need to do a dissection. This means
3065 that all packets can be marked as 'passed'. */
3068 /* If we're going to print packet information, or we're going to
3069 run a read filter, or we're going to process taps, set up to
3070 do a dissection and do so. */
3072 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3073 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
3074 /* Grab any resolved addresses */
3075 host_name_lookup_process();
3077 /* If we're running a display filter, prime the epan_dissect_t with that
3080 epan_dissect_prime_dfilter(edt, cf->dfcode);
3082 col_custom_prime_edt(edt, &cf->cinfo);
3084 /* We only need the columns if either
3085 1) some tap needs the columns
3087 2) we're printing packet info but we're *not* verbose; in verbose
3088 mode, we print the protocol tree, not the protocol summary.
3090 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3095 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3102 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3104 /* Run the read/display filter if we have one. */
3106 passed = dfilter_apply_edt(cf->dfcode, edt);
3110 frame_data_set_after_dissect(fdata, &cum_bytes);
3111 /* Process this packet. */
3112 if (print_packet_info) {
3113 /* We're printing packet information; print the information for
3115 print_packet(cf, edt);
3117 /* The ANSI C standard does not appear to *require* that a line-buffered
3118 stream be flushed to the host environment whenever a newline is
3119 written, it just says that, on such a stream, characters "are
3120 intended to be transmitted to or from the host environment as a
3121 block when a new-line character is encountered".
3123 The Visual C++ 6.0 C implementation doesn't do what is intended;
3124 even if you set a stream to be line-buffered, it still doesn't
3125 flush the buffer at the end of every line.
3127 So, if the "-l" flag was specified, we flush the standard output
3128 at the end of a packet. This will do the right thing if we're
3129 printing packet summary lines, and, as we print the entire protocol
3130 tree for a single packet without waiting for anything to happen,
3131 it should be as good as line-buffered mode if we're printing
3132 protocol trees. (The whole reason for the "-l" flag in either
3133 tcpdump or TShark is to allow the output of a live capture to
3134 be piped to a program or script and to have that script see the
3135 information for the packet as soon as it's printed, rather than
3136 having to wait until a standard I/O buffer fills up. */
3140 if (ferror(stdout)) {
3141 show_print_file_io_error(errno);
3150 epan_dissect_reset(edt);
3152 return passed || fdata->flags.dependent_of_displayed;
3156 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3157 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3160 int snapshot_length;
3164 gchar *err_info = NULL;
3166 char *save_file_string = NULL;
3167 gboolean filtering_tap_listeners;
3169 wtapng_section_t *shb_hdr = NULL;
3170 wtapng_iface_descriptions_t *idb_inf = NULL;
3171 wtapng_name_res_t *nrb_hdr = NULL;
3172 struct wtap_pkthdr phdr;
3174 epan_dissect_t *edt = NULL;
3176 wtap_phdr_init(&phdr);
3178 idb_inf = wtap_file_get_idb_info(cf->wth);
3179 #ifdef PCAP_NG_DEFAULT
3180 if (idb_inf->interface_data->len > 1) {
3181 linktype = WTAP_ENCAP_PER_PACKET;
3183 linktype = wtap_file_encap(cf->wth);
3186 linktype = wtap_file_encap(cf->wth);
3188 if (save_file != NULL) {
3189 /* Get a string that describes what we're writing to */
3190 save_file_string = output_file_description(save_file);
3192 /* Set up to write to the capture file. */
3193 snapshot_length = wtap_snapshot_length(cf->wth);
3194 if (snapshot_length == 0) {
3195 /* Snapshot length of input file not known. */
3196 snapshot_length = WTAP_MAX_PACKET_SIZE;
3198 tshark_debug("tshark: snapshot_length = %d", snapshot_length);
3200 shb_hdr = wtap_file_get_shb_for_new_file(cf->wth);
3201 nrb_hdr = wtap_file_get_nrb_for_new_file(cf->wth);
3203 /* If we don't have an application name add Tshark */
3204 if (shb_hdr->shb_user_appl == NULL) {
3205 /* this is free'd by wtap_free_shb() later */
3206 shb_hdr->shb_user_appl = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3209 if (linktype != WTAP_ENCAP_PER_PACKET &&
3210 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP) {
3211 tshark_debug("tshark: writing PCAP format to %s", save_file);
3212 if (strcmp(save_file, "-") == 0) {
3213 /* Write to the standard output. */
3214 pdh = wtap_dump_open_stdout(out_file_type, linktype,
3215 snapshot_length, FALSE /* compressed */, &err);
3217 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3218 snapshot_length, FALSE /* compressed */, &err);
3222 tshark_debug("tshark: writing format type %d, to %s", out_file_type, save_file);
3223 if (strcmp(save_file, "-") == 0) {
3224 /* Write to the standard output. */
3225 pdh = wtap_dump_open_stdout_ng(out_file_type, linktype,
3226 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3228 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3229 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, nrb_hdr, &err);
3237 /* We couldn't set up to write to the capture file. */
3240 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3241 cmdarg_err("Capture files can't be written in that format.");
3244 case WTAP_ERR_UNWRITABLE_ENCAP:
3245 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3246 cmdarg_err("The capture file being read can't be written as a "
3247 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3250 case WTAP_ERR_CANT_OPEN:
3251 cmdarg_err("The %s couldn't be created for some "
3252 "unknown reason.", save_file_string);
3255 case WTAP_ERR_SHORT_WRITE:
3256 cmdarg_err("A full header couldn't be written to the %s.",
3261 cmdarg_err("The %s could not be created: %s.", save_file_string,
3262 wtap_strerror(err));
3268 if (print_packet_info) {
3269 if (!write_preamble(cf)) {
3271 show_print_file_io_error(err);
3280 /* Do we have any tap listeners with filters? */
3281 filtering_tap_listeners = have_filtering_tap_listeners();
3283 /* Get the union of the flags for all tap listeners. */
3284 tap_flags = union_of_tap_listener_flags();
3286 if (perform_two_pass_analysis) {
3289 tshark_debug("tshark: perform_two_pass_analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3291 /* Allocate a frame_data_sequence for all the frames. */
3292 cf->frames = new_frame_data_sequence();
3294 if (do_dissection) {
3295 gboolean create_proto_tree = FALSE;
3297 /* If we're going to be applying a filter, we'll need to
3298 create a protocol tree against which to apply the filter. */
3299 if (cf->rfcode || cf->dfcode)
3300 create_proto_tree = TRUE;
3302 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3304 /* We're not going to display the protocol tree on this pass,
3305 so it's not going to be "visible". */
3306 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3309 tshark_debug("tshark: reading records for first pass");
3310 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3311 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3312 wtap_buf_ptr(cf->wth))) {
3313 /* Stop reading if we have the maximum number of packets;
3314 * When the -c option has not been used, max_packet_count
3315 * starts at 0, which practically means, never stop reading.
3316 * (unless we roll over max_packet_count ?)
3318 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3319 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3320 max_packet_count, data_offset, max_byte_count);
3321 err = 0; /* This is not an error */
3328 epan_dissect_free(edt);
3332 /* Close the sequential I/O side, to free up memory it requires. */
3333 wtap_sequential_close(cf->wth);
3335 /* Allow the protocol dissectors to free up memory that they
3336 * don't need after the sequential run-through of the packets. */
3337 postseq_cleanup_all_protocols();
3341 ws_buffer_init(&buf, 1500);
3343 tshark_debug("tshark: done with first pass");
3345 if (do_dissection) {
3346 gboolean create_proto_tree;
3348 if (cf->dfcode || print_details || filtering_tap_listeners ||
3349 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3350 create_proto_tree = TRUE;
3352 create_proto_tree = FALSE;
3354 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3356 /* The protocol tree will be "visible", i.e., printed, only if we're
3357 printing packet details, which is true if we're printing stuff
3358 ("print_packet_info" is true) and we're in verbose mode
3359 ("packet_details" is true). */
3360 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3363 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3364 fdata = frame_data_sequence_find(cf->frames, framenum);
3365 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3367 tshark_debug("tshark: invoking process_packet_second_pass() for frame #%d", framenum);
3368 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3370 /* Either there's no read filtering or this packet passed the
3371 filter, so, if we're writing to a capture file, write
3374 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3375 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3376 /* Error writing to a capture file */
3377 tshark_debug("tshark: error writing to a capture file (%d)", err);
3380 case WTAP_ERR_UNWRITABLE_ENCAP:
3382 * This is a problem with the particular frame we're writing
3383 * and the file type and subtype we're writing; note that,
3384 * and report the frame number and file type/subtype.
3386 * XXX - framenum is not necessarily the frame number in
3387 * the input file if there was a read filter.
3390 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3391 framenum, cf->filename,
3392 wtap_file_type_subtype_short_string(out_file_type));
3395 case WTAP_ERR_PACKET_TOO_LARGE:
3397 * This is a problem with the particular frame we're writing
3398 * and the file type and subtype we're writing; note that,
3399 * and report the frame number and file type/subtype.
3401 * XXX - framenum is not necessarily the frame number in
3402 * the input file if there was a read filter.
3405 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3406 framenum, cf->filename,
3407 wtap_file_type_subtype_short_string(out_file_type));
3410 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3412 * This is a problem with the particular record we're writing
3413 * and the file type and subtype we're writing; note that,
3414 * and report the record number and file type/subtype.
3416 * XXX - framenum is not necessarily the record number in
3417 * the input file if there was a read filter.
3420 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3421 framenum, cf->filename,
3422 wtap_file_type_subtype_short_string(out_file_type));
3425 case WTAP_ERR_UNWRITABLE_REC_DATA:
3427 * This is a problem with the particular record we're writing
3428 * and the file type and subtype we're writing; note that,
3429 * and report the record number and file type/subtype.
3431 * XXX - framenum is not necessarily the record number in
3432 * the input file if there was a read filter.
3435 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3436 framenum, cf->filename,
3437 wtap_file_type_subtype_short_string(out_file_type),
3438 err_info != NULL ? err_info : "no information supplied");
3443 show_capture_file_io_error(save_file, err, FALSE);
3446 wtap_dump_close(pdh, &err);
3447 wtap_free_shb(shb_hdr);
3448 wtap_free_nrb(nrb_hdr);
3457 epan_dissect_free(edt);
3461 ws_buffer_free(&buf);
3463 tshark_debug("tshark: done with second pass");
3466 /* !perform_two_pass_analysis */
3469 tshark_debug("tshark: perform one pass analysis, do_dissection=%s", do_dissection ? "TRUE" : "FALSE");
3471 if (do_dissection) {
3472 gboolean create_proto_tree;
3474 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3475 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3476 create_proto_tree = TRUE;
3478 create_proto_tree = FALSE;
3480 tshark_debug("tshark: create_proto_tree = %s", create_proto_tree ? "TRUE" : "FALSE");
3482 /* The protocol tree will be "visible", i.e., printed, only if we're
3483 printing packet details, which is true if we're printing stuff
3484 ("print_packet_info" is true) and we're in verbose mode
3485 ("packet_details" is true). */
3486 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3489 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3492 tshark_debug("tshark: processing packet #%d", framenum);
3494 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3495 wtap_buf_ptr(cf->wth),
3497 /* Either there's no read filtering or this packet passed the
3498 filter, so, if we're writing to a capture file, write
3501 tshark_debug("tshark: writing packet #%d to outfile", framenum);
3502 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3503 /* Error writing to a capture file */
3504 tshark_debug("tshark: error writing to a capture file (%d)", err);
3507 case WTAP_ERR_UNWRITABLE_ENCAP:
3509 * This is a problem with the particular frame we're writing
3510 * and the file type and subtype we're writing; note that,
3511 * and report the frame number and file type/subtype.
3514 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3515 framenum, cf->filename,
3516 wtap_file_type_subtype_short_string(out_file_type));
3519 case WTAP_ERR_PACKET_TOO_LARGE:
3521 * This is a problem with the particular frame we're writing
3522 * and the file type and subtype we're writing; note that,
3523 * and report the frame number and file type/subtype.
3526 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3527 framenum, cf->filename,
3528 wtap_file_type_subtype_short_string(out_file_type));
3531 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3533 * This is a problem with the particular record we're writing
3534 * and the file type and subtype we're writing; note that,
3535 * and report the record number and file type/subtype.
3538 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3539 framenum, cf->filename,
3540 wtap_file_type_subtype_short_string(out_file_type));
3543 case WTAP_ERR_UNWRITABLE_REC_DATA:
3545 * This is a problem with the particular record we're writing
3546 * and the file type and subtype we're writing; note that,
3547 * and report the record number and file type/subtype.
3550 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3551 framenum, cf->filename,
3552 wtap_file_type_subtype_short_string(out_file_type),
3553 err_info != NULL ? err_info : "no information supplied");
3558 show_capture_file_io_error(save_file, err, FALSE);
3561 wtap_dump_close(pdh, &err);
3562 wtap_free_shb(shb_hdr);
3563 wtap_free_nrb(nrb_hdr);
3568 /* Stop reading if we have the maximum number of packets;
3569 * When the -c option has not been used, max_packet_count
3570 * starts at 0, which practically means, never stop reading.
3571 * (unless we roll over max_packet_count ?)
3573 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3574 tshark_debug("tshark: max_packet_count (%d) or max_byte_count (%" G_GINT64_MODIFIER "d/%" G_GINT64_MODIFIER "d) reached",
3575 max_packet_count, data_offset, max_byte_count);
3576 err = 0; /* This is not an error */
3582 epan_dissect_free(edt);
3587 wtap_phdr_cleanup(&phdr);
3590 tshark_debug("tshark: something failed along the line (%d)", err);
3592 * Print a message noting that the read failed somewhere along the line.
3594 * If we're printing packet data, and the standard output and error are
3595 * going to the same place, flush the standard output, so everything
3596 * buffered up is written, and then print a newline to the standard error
3597 * before printing the error message, to separate it from the packet
3598 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3599 * the _fstat() documentation at Microsoft doesn't indicate whether
3600 * st_ino is even supported.)
3603 if (print_packet_info) {
3604 ws_statb64 stat_stdout, stat_stderr;
3606 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3607 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3608 stat_stdout.st_ino == stat_stderr.st_ino) {
3610 fprintf(stderr, "\n");
3617 case WTAP_ERR_UNSUPPORTED:
3618 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3620 err_info != NULL ? err_info : "no information supplied");
3624 case WTAP_ERR_SHORT_READ:
3625 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3629 case WTAP_ERR_BAD_FILE:
3630 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3632 err_info != NULL ? err_info : "no information supplied");
3636 case WTAP_ERR_DECOMPRESS:
3637 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3638 "(%s)", cf->filename,
3639 err_info != NULL ? err_info : "no information supplied");
3644 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3645 cf->filename, wtap_strerror(err));
3648 if (save_file != NULL) {
3649 /* Now close the capture file. */
3650 if (!wtap_dump_close(pdh, &err))
3651 show_capture_file_io_error(save_file, err, TRUE);
3654 if (save_file != NULL) {
3655 if (pdh && out_file_name_res) {
3656 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3657 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3658 wtap_file_type_subtype_short_string(out_file_type));
3661 /* Now close the capture file. */
3662 if (!wtap_dump_close(pdh, &err))
3663 show_capture_file_io_error(save_file, err, TRUE);
3665 if (print_packet_info) {
3666 if (!write_finale()) {
3668 show_print_file_io_error(err);
3675 wtap_close(cf->wth);
3678 g_free(save_file_string);
3679 wtap_free_shb(shb_hdr);
3680 wtap_free_nrb(nrb_hdr);
3686 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3687 const guchar *pd, guint tap_flags)
3693 /* Count this packet. */
3696 /* If we're not running a display filter and we're not printing any
3697 packet information, we don't need to do a dissection. This means
3698 that all packets can be marked as 'passed'. */
3701 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3703 /* If we're going to print packet information, or we're going to
3704 run a read filter, or we're going to process taps, set up to
3705 do a dissection and do so. */
3707 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3708 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3709 /* Grab any resolved addresses */
3710 host_name_lookup_process();
3712 /* If we're running a filter, prime the epan_dissect_t with that
3715 epan_dissect_prime_dfilter(edt, cf->dfcode);
3717 col_custom_prime_edt(edt, &cf->cinfo);
3719 /* We only need the columns if either
3720 1) some tap needs the columns
3722 2) we're printing packet info but we're *not* verbose; in verbose
3723 mode, we print the protocol tree, not the protocol summary.
3725 3) there is a column mapped as an individual field */
3726 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3731 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3733 if (ref == &fdata) {
3738 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3740 /* Run the filter if we have it. */
3742 passed = dfilter_apply_edt(cf->dfcode, edt);
3746 frame_data_set_after_dissect(&fdata, &cum_bytes);
3748 /* Process this packet. */
3749 if (print_packet_info) {
3750 /* We're printing packet information; print the information for
3752 print_packet(cf, edt);
3754 /* The ANSI C standard does not appear to *require* that a line-buffered
3755 stream be flushed to the host environment whenever a newline is
3756 written, it just says that, on such a stream, characters "are
3757 intended to be transmitted to or from the host environment as a
3758 block when a new-line character is encountered".
3760 The Visual C++ 6.0 C implementation doesn't do what is intended;
3761 even if you set a stream to be line-buffered, it still doesn't
3762 flush the buffer at the end of every line.
3764 So, if the "-l" flag was specified, we flush the standard output
3765 at the end of a packet. This will do the right thing if we're
3766 printing packet summary lines, and, as we print the entire protocol
3767 tree for a single packet without waiting for anything to happen,
3768 it should be as good as line-buffered mode if we're printing
3769 protocol trees. (The whole reason for the "-l" flag in either
3770 tcpdump or TShark is to allow the output of a live capture to
3771 be piped to a program or script and to have that script see the
3772 information for the packet as soon as it's printed, rather than
3773 having to wait until a standard I/O buffer fills up. */
3777 if (ferror(stdout)) {
3778 show_print_file_io_error(errno);
3783 /* this must be set after print_packet() [bug #8160] */
3784 prev_dis_frame = fdata;
3785 prev_dis = &prev_dis_frame;
3788 prev_cap_frame = fdata;
3789 prev_cap = &prev_cap_frame;
3792 epan_dissect_reset(edt);
3793 frame_data_destroy(&fdata);
3799 write_preamble(capture_file *cf)
3801 switch (output_action) {
3804 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3808 write_pdml_preamble(stdout, cf->filename);
3810 write_psml_preamble(&cf->cinfo, stdout);
3811 return !ferror(stdout);
3814 write_fields_preamble(output_fields, stdout);
3815 return !ferror(stdout);
3818 g_assert_not_reached();
3824 get_line_buf(size_t len)
3826 static char *line_bufp = NULL;
3827 static size_t line_buf_len = 256;
3828 size_t new_line_buf_len;
3830 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3831 new_line_buf_len *= 2)
3833 if (line_bufp == NULL) {
3834 line_buf_len = new_line_buf_len;
3835 line_bufp = (char *)g_malloc(line_buf_len + 1);
3837 if (new_line_buf_len > line_buf_len) {
3838 line_buf_len = new_line_buf_len;
3839 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3846 put_string(char *dest, const char *str, size_t str_len)
3848 memcpy(dest, str, str_len);
3849 dest[str_len] = '\0';
3853 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3857 for (i = str_len; i < str_with_spaces; i++)
3860 put_string(dest, str, str_len);
3864 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3868 memcpy(dest, str, str_len);
3869 for (i = str_len; i < str_with_spaces; i++)
3872 dest[str_with_spaces] = '\0';
3876 print_columns(capture_file *cf)
3883 col_item_t* col_item;
3885 line_bufp = get_line_buf(256);
3888 for (i = 0; i < cf->cinfo.num_cols; i++) {
3889 col_item = &cf->cinfo.columns[i];
3890 /* Skip columns not marked as visible. */
3891 if (!get_column_visible(i))
3893 switch (col_item->col_fmt) {
3895 column_len = col_len = strlen(col_item->col_data);
3898 line_bufp = get_line_buf(buf_offset + column_len);
3899 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3905 case COL_ABS_YMD_TIME: /* XXX - wider */
3906 case COL_ABS_YDOY_TIME: /* XXX - wider */
3908 case COL_UTC_YMD_TIME: /* XXX - wider */
3909 case COL_UTC_YDOY_TIME: /* XXX - wider */
3910 column_len = col_len = strlen(col_item->col_data);
3911 if (column_len < 10)
3913 line_bufp = get_line_buf(buf_offset + column_len);
3914 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3920 case COL_DEF_DL_SRC:
3921 case COL_RES_DL_SRC:
3922 case COL_UNRES_DL_SRC:
3923 case COL_DEF_NET_SRC:
3924 case COL_RES_NET_SRC:
3925 case COL_UNRES_NET_SRC:
3926 column_len = col_len = strlen(col_item->col_data);
3927 if (column_len < 12)
3929 line_bufp = get_line_buf(buf_offset + column_len);
3930 put_spaces_string(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3936 case COL_DEF_DL_DST:
3937 case COL_RES_DL_DST:
3938 case COL_UNRES_DL_DST:
3939 case COL_DEF_NET_DST:
3940 case COL_RES_NET_DST:
3941 case COL_UNRES_NET_DST:
3942 column_len = col_len = strlen(col_item->col_data);
3943 if (column_len < 12)
3945 line_bufp = get_line_buf(buf_offset + column_len);
3946 put_string_spaces(line_bufp + buf_offset, col_item->col_data, col_len, column_len);
3950 column_len = strlen(col_item->col_data);
3951 line_bufp = get_line_buf(buf_offset + column_len);
3952 put_string(line_bufp + buf_offset, col_item->col_data, column_len);
3955 buf_offset += column_len;
3956 if (i != cf->cinfo.num_cols - 1) {
3958 * This isn't the last column, so we need to print a
3959 * separator between this column and the next.
3961 * If we printed a network source and are printing a
3962 * network destination of the same type next, separate
3963 * them with " -> "; if we printed a network destination
3964 * and are printing a network source of the same type
3965 * next, separate them with " <- "; otherwise separate them
3968 * We add enough space to the buffer for " <- " or " -> ",
3969 * even if we're only adding " ".
3971 line_bufp = get_line_buf(buf_offset + 4);
3972 switch (col_item->col_fmt) {
3977 switch (cf->cinfo.columns[i+1].col_fmt) {
3982 put_string(line_bufp + buf_offset, " -> ", 4);
3987 put_string(line_bufp + buf_offset, " ", 1);
3993 case COL_DEF_DL_SRC:
3994 case COL_RES_DL_SRC:
3995 case COL_UNRES_DL_SRC:
3996 switch (cf->cinfo.columns[i+1].col_fmt) {
3998 case COL_DEF_DL_DST:
3999 case COL_RES_DL_DST:
4000 case COL_UNRES_DL_DST:
4001 put_string(line_bufp + buf_offset, " -> ", 4);
4006 put_string(line_bufp + buf_offset, " ", 1);
4012 case COL_DEF_NET_SRC:
4013 case COL_RES_NET_SRC:
4014 case COL_UNRES_NET_SRC:
4015 switch (cf->cinfo.columns[i+1].col_fmt) {
4017 case COL_DEF_NET_DST:
4018 case COL_RES_NET_DST:
4019 case COL_UNRES_NET_DST:
4020 put_string(line_bufp + buf_offset, " -> ", 4);
4025 put_string(line_bufp + buf_offset, " ", 1);
4034 switch (cf->cinfo.columns[i+1].col_fmt) {
4039 put_string(line_bufp + buf_offset, " <- ", 4);
4044 put_string(line_bufp + buf_offset, " ", 1);
4050 case COL_DEF_DL_DST:
4051 case COL_RES_DL_DST:
4052 case COL_UNRES_DL_DST:
4053 switch (cf->cinfo.columns[i+1].col_fmt) {
4055 case COL_DEF_DL_SRC:
4056 case COL_RES_DL_SRC:
4057 case COL_UNRES_DL_SRC:
4058 put_string(line_bufp + buf_offset, " <- ", 4);
4063 put_string(line_bufp + buf_offset, " ", 1);
4069 case COL_DEF_NET_DST:
4070 case COL_RES_NET_DST:
4071 case COL_UNRES_NET_DST:
4072 switch (cf->cinfo.columns[i+1].col_fmt) {
4074 case COL_DEF_NET_SRC:
4075 case COL_RES_NET_SRC:
4076 case COL_UNRES_NET_SRC:
4077 put_string(line_bufp + buf_offset, " <- ", 4);
4082 put_string(line_bufp + buf_offset, " ", 1);
4089 put_string(line_bufp + buf_offset, " ", 1);
4095 return print_line(print_stream, 0, line_bufp);
4099 print_packet(capture_file *cf, epan_dissect_t *edt)
4101 print_args_t print_args;
4103 if (print_summary || output_fields_has_cols(output_fields)) {
4104 /* Just fill in the columns. */
4105 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
4107 if (print_summary) {
4108 /* Now print them. */
4109 switch (output_action) {
4112 if (!print_columns(cf))
4117 write_psml_columns(edt, stdout);
4118 return !ferror(stdout);
4119 case WRITE_FIELDS: /*No non-verbose "fields" format */
4120 g_assert_not_reached();
4125 if (print_details) {
4126 /* Print the information in the protocol tree. */
4127 switch (output_action) {
4130 /* Only initialize the fields that are actually used in proto_tree_print.
4131 * This is particularly important for .range, as that's heap memory which
4132 * we would otherwise have to g_free().
4133 print_args.to_file = TRUE;
4134 print_args.format = print_format;
4135 print_args.print_summary = print_summary;
4136 print_args.print_formfeed = FALSE;
4137 packet_range_init(&print_args.range, &cfile);
4139 print_args.print_hex = print_hex;
4140 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4142 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4145 if (!print_line(print_stream, 0, separator))
4151 write_pdml_proto_tree(edt, stdout);
4153 return !ferror(stdout);
4155 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4157 return !ferror(stdout);
4161 if (print_summary || print_details) {
4162 if (!print_line(print_stream, 0, ""))
4165 if (!print_hex_data(print_stream, edt))
4167 if (!print_line(print_stream, 0, separator))
4176 switch (output_action) {
4179 return print_finale(print_stream);
4183 write_pdml_finale(stdout);
4185 write_psml_finale(stdout);
4186 return !ferror(stdout);
4189 write_fields_finale(output_fields, stdout);
4190 return !ferror(stdout);
4193 g_assert_not_reached();
4199 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4203 char err_msg[2048+1];
4205 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4209 /* The open succeeded. Fill in the information for this file. */
4211 /* Create new epan session for dissection. */
4212 epan_free(cf->epan);
4213 cf->epan = tshark_epan_new(cf);
4216 cf->f_datalen = 0; /* not used, but set it anyway */
4218 /* Set the file name because we need it to set the follow stream filter.
4219 XXX - is that still true? We need it for other reasons, though,
4221 cf->filename = g_strdup(fname);
4223 /* Indicate whether it's a permanent or temporary file. */
4224 cf->is_tempfile = is_tempfile;
4226 /* No user changes yet. */
4227 cf->unsaved_changes = FALSE;
4229 cf->cd_t = wtap_file_type_subtype(cf->wth);
4230 cf->open_type = type;
4232 cf->drops_known = FALSE;
4234 cf->snap = wtap_snapshot_length(cf->wth);
4235 if (cf->snap == 0) {
4236 /* Snapshot length not known. */
4237 cf->has_snap = FALSE;
4238 cf->snap = WTAP_MAX_PACKET_SIZE;
4240 cf->has_snap = TRUE;
4241 nstime_set_zero(&cf->elapsed_time);
4246 cf->state = FILE_READ_IN_PROGRESS;
4248 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4249 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4254 g_snprintf(err_msg, sizeof err_msg,
4255 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4256 cmdarg_err("%s", err_msg);
4261 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4263 char *save_file_string;
4265 save_file_string = output_file_description(fname);
4270 cmdarg_err("Not all the packets could be written to the %s because there is "
4271 "no space left on the file system.",
4277 cmdarg_err("Not all the packets could be written to the %s because you are "
4278 "too close to, or over your disk quota.",
4283 case WTAP_ERR_CANT_CLOSE:
4284 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4288 case WTAP_ERR_SHORT_WRITE:
4289 cmdarg_err("Not all the packets could be written to the %s.",
4295 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4296 wtap_strerror(err));
4298 cmdarg_err("An error occurred while writing to the %s: %s.",
4299 save_file_string, wtap_strerror(err));
4303 g_free(save_file_string);
4307 show_print_file_io_error(int err)
4312 cmdarg_err("Not all the packets could be printed because there is "
4313 "no space left on the file system.");
4318 cmdarg_err("Not all the packets could be printed because you are "
4319 "too close to, or over your disk quota.");
4324 cmdarg_err("An error occurred while printing packets: %s.",
4331 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4335 static char errmsg_errno[1024+1];
4338 /* Wiretap error. */
4341 case WTAP_ERR_NOT_REGULAR_FILE:
4342 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4345 case WTAP_ERR_RANDOM_OPEN_PIPE:
4346 /* Seen only when opening a capture file for reading. */
4347 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4350 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4351 /* Seen only when opening a capture file for reading. */
4352 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4355 case WTAP_ERR_UNSUPPORTED:
4356 /* Seen only when opening a capture file for reading. */
4357 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4358 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4360 err_info != NULL ? err_info : "no information supplied");
4362 errmsg = errmsg_errno;
4365 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4366 /* Seen only when opening a capture file for writing. */
4367 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4368 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4369 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4370 errmsg = errmsg_errno;
4373 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4374 /* Seen only when opening a capture file for writing. */
4375 errmsg = "TShark doesn't support writing capture files in that format.";
4378 case WTAP_ERR_UNWRITABLE_ENCAP:
4379 /* Seen only when opening a capture file for writing. */
4380 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4381 "TShark can't save this capture as a \"%s\" file.",
4382 wtap_file_type_subtype_short_string(file_type));
4383 errmsg = errmsg_errno;
4386 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4388 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4389 "TShark can't save this capture as a \"%s\" file.",
4390 wtap_file_type_subtype_short_string(file_type));
4391 errmsg = errmsg_errno;
4393 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4396 case WTAP_ERR_BAD_FILE:
4397 /* Seen only when opening a capture file for reading. */
4398 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4399 "The file \"%%s\" appears to be damaged or corrupt.\n"
4401 err_info != NULL ? err_info : "no information supplied");
4403 errmsg = errmsg_errno;
4406 case WTAP_ERR_CANT_OPEN:
4408 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4410 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4413 case WTAP_ERR_SHORT_READ:
4414 errmsg = "The file \"%s\" appears to have been cut short"
4415 " in the middle of a packet or other data.";
4418 case WTAP_ERR_SHORT_WRITE:
4419 errmsg = "A full header couldn't be written to the file \"%s\".";
4422 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4423 errmsg = "This file type cannot be written as a compressed file.";
4426 case WTAP_ERR_DECOMPRESS:
4427 /* Seen only when opening a capture file for reading. */
4428 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4429 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4431 err_info != NULL ? err_info : "no information supplied");
4433 errmsg = errmsg_errno;
4437 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4438 "The file \"%%s\" could not be %s: %s.",
4439 for_writing ? "created" : "opened",
4440 wtap_strerror(err));
4441 errmsg = errmsg_errno;
4445 errmsg = file_open_error_message(err, for_writing);
4450 * Open/create errors are reported with an console message in TShark.
4453 open_failure_message(const char *filename, int err, gboolean for_writing)
4455 fprintf(stderr, "tshark: ");
4456 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4457 fprintf(stderr, "\n");
4461 * General errors are reported with an console message in TShark.
4464 failure_message(const char *msg_format, va_list ap)
4466 fprintf(stderr, "tshark: ");
4467 vfprintf(stderr, msg_format, ap);
4468 fprintf(stderr, "\n");
4472 * Read errors are reported with an console message in TShark.
4475 read_failure_message(const char *filename, int err)
4477 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4478 filename, g_strerror(err));
4482 * Write errors are reported with an console message in TShark.
4485 write_failure_message(const char *filename, int err)
4487 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4488 filename, g_strerror(err));
4492 * Report additional information for an error in command-line arguments.
4495 failure_message_cont(const char *msg_format, va_list ap)
4497 vfprintf(stderr, msg_format, ap);
4498 fprintf(stderr, "\n");
4502 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4507 * indent-tabs-mode: nil
4510 * vi: set shiftwidth=2 tabstop=8 expandtab:
4511 * :indentSize=2:tabSize=8:noTabs=true: