3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
51 #ifdef HAVE_SYS_STAT_H
52 # include <sys/stat.h>
56 #include <zlib.h> /* to get the libz version number */
60 # include <sys/capability.h>
63 #ifndef HAVE_GETOPT_LONG
64 #include "wsutil/wsgetopt.h"
69 #include <epan/exceptions.h>
70 #include <epan/epan-int.h>
71 #include <epan/epan.h>
73 #include <wsutil/clopts_common.h>
74 #include <wsutil/cmdarg_err.h>
75 #include <wsutil/crash_info.h>
76 #include <wsutil/filesystem.h>
77 #include <wsutil/file_util.h>
78 #include <wsutil/privileges.h>
79 #include <wsutil/report_err.h>
80 #include <wsutil/ws_diag_control.h>
81 #include <wsutil/ws_version_info.h>
84 #include <epan/timestamp.h>
85 #include <epan/packet.h>
87 #include <epan/wslua/init_wslua.h>
90 #include "frame_tvbuff.h"
91 #include <epan/disabled_protos.h>
92 #include <epan/prefs.h>
93 #include <epan/column.h>
94 #include <epan/print.h>
95 #include <epan/addr_resolv.h>
97 #include "ui/capture_ui_utils.h"
100 #include "ui/ui_util.h"
101 #include "ui/cli/tshark-tap.h"
102 #include "register.h"
103 #include <epan/epan_dissect.h>
104 #include <epan/tap.h>
105 #include <epan/stat_tap_ui.h>
106 #include <epan/conversation_table.h>
107 #include <epan/srt_table.h>
108 #include <epan/rtd_table.h>
109 #include <epan/ex-opt.h>
111 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
112 #include <epan/asn1.h>
113 #include <epan/dissectors/packet-kerberos.h>
116 #include "capture_opts.h"
118 #include "caputils/capture-pcap-util.h"
121 #include "caputils/capture_ifinfo.h"
123 #include "caputils/capture-wpcap.h"
124 #include <wsutil/os_version_info.h>
125 #include <wsutil/unicode-utils.h>
127 #include <capchild/capture_session.h>
128 #include <capchild/capture_sync.h>
129 #endif /* HAVE_LIBPCAP */
131 #include <epan/funnel.h>
134 #include <wsutil/plugins.h>
138 * This is the template for the decode as option; it is shared between the
139 * various functions that output the usage for this parameter.
141 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
143 static guint32 cum_bytes;
144 static const frame_data *ref;
145 static frame_data ref_frame;
146 static frame_data *prev_dis;
147 static frame_data prev_dis_frame;
148 static frame_data *prev_cap;
149 static frame_data prev_cap_frame;
151 static const char* prev_display_dissector_name = NULL;
153 static gboolean perform_two_pass_analysis;
156 * The way the packet decode is to be written.
159 WRITE_TEXT, /* summary or detail text */
160 WRITE_XML, /* PDML or PSML */
161 WRITE_FIELDS /* User defined list of fields */
162 /* Add CSV and the like here */
165 static output_action_e output_action;
166 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
167 static gboolean print_packet_info; /* TRUE if we're to print packet information */
168 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
169 static gboolean print_details; /* TRUE if we're to print packet details information */
170 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
171 static gboolean line_buffered;
172 static gboolean really_quiet = FALSE;
174 static print_format_e print_format = PR_FMT_TEXT;
175 static print_stream_t *print_stream;
177 static output_fields_t* output_fields = NULL;
179 /* The line separator used between packets, changeable via the -S option */
180 static const char *separator = "";
184 * TRUE if we're to print packet counts to keep track of captured packets.
186 static gboolean print_packet_counts;
188 static capture_options global_capture_opts;
189 static capture_session global_capture_session;
192 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
193 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
196 static gboolean capture(void);
197 static void report_counts(void);
199 static BOOL WINAPI capture_cleanup(DWORD);
201 static void capture_cleanup(int);
203 static void report_counts_siginfo(int);
207 #else /* HAVE_LIBPCAP */
209 static char *output_file_name;
211 #endif /* HAVE_LIBPCAP */
213 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
214 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
215 struct wtap_pkthdr *whdr, const guchar *pd,
217 static void show_capture_file_io_error(const char *, int, gboolean);
218 static void show_print_file_io_error(int err);
219 static gboolean write_preamble(capture_file *cf);
220 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
221 static gboolean write_finale(void);
222 static const char *cf_open_error_message(int err, gchar *err_info,
223 gboolean for_writing, int file_type);
225 static void open_failure_message(const char *filename, int err,
226 gboolean for_writing);
227 static void failure_message(const char *msg_format, va_list ap);
228 static void read_failure_message(const char *filename, int err);
229 static void write_failure_message(const char *filename, int err);
230 static void failure_message_cont(const char *msg_format, va_list ap);
234 static GHashTable *output_only_tables = NULL;
237 const char *sstr; /* The short string */
238 const char *lstr; /* The long string */
242 string_compare(gconstpointer a, gconstpointer b)
244 return strcmp(((const struct string_elem *)a)->sstr,
245 ((const struct string_elem *)b)->sstr);
249 string_elem_print(gpointer data, gpointer not_used _U_)
251 fprintf(stderr, " %s - %s\n",
252 ((struct string_elem *)data)->sstr,
253 ((struct string_elem *)data)->lstr);
257 list_capture_types(void) {
259 struct string_elem *captypes;
262 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
264 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
265 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
266 if (wtap_dump_can_open(i)) {
267 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
268 captypes[i].lstr = wtap_file_type_subtype_string(i);
269 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
272 g_slist_foreach(list, string_elem_print, NULL);
278 list_read_capture_types(void) {
280 struct string_elem *captypes;
282 const char *magic = "Magic-value-based";
283 const char *heuristic = "Heuristics-based";
285 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
286 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
288 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
289 for (i = 0; open_routines[i].name != NULL; i++) {
290 captypes[i].sstr = open_routines[i].name;
291 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
292 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
294 g_slist_foreach(list, string_elem_print, NULL);
300 print_usage(FILE *output)
302 fprintf(output, "\n");
303 fprintf(output, "Usage: tshark [options] ...\n");
304 fprintf(output, "\n");
307 fprintf(output, "Capture interface:\n");
308 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
309 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
310 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
311 fprintf(output, " -p don't capture in promiscuous mode\n");
312 #ifdef HAVE_PCAP_CREATE
313 fprintf(output, " -I capture in monitor mode, if available\n");
315 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
316 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
318 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
319 fprintf(output, " -D print list of interfaces and exit\n");
320 fprintf(output, " -L print list of link-layer types of iface and exit\n");
321 fprintf(output, "\n");
322 fprintf(output, "Capture stop conditions:\n");
323 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
324 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
325 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
326 fprintf(output, " files:NUM - stop after NUM files\n");
327 /*fprintf(output, "\n");*/
328 fprintf(output, "Capture output:\n");
329 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
330 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
331 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
332 #endif /* HAVE_LIBPCAP */
333 #ifdef HAVE_PCAP_REMOTE
334 fprintf(output, "RPCAP options:\n");
335 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
337 /*fprintf(output, "\n");*/
338 fprintf(output, "Input file:\n");
339 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
341 fprintf(output, "\n");
342 fprintf(output, "Processing:\n");
343 fprintf(output, " -2 perform a two-pass analysis\n");
344 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
345 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
346 fprintf(output, " syntax\n");
347 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
348 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
349 fprintf(output, " -d %s ...\n", decode_as_arg_template);
350 fprintf(output, " \"Decode As\", see the man page for details\n");
351 fprintf(output, " Example: tcp.port==8888,http\n");
352 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
353 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
355 /*fprintf(output, "\n");*/
356 fprintf(output, "Output:\n");
357 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
358 fprintf(output, " (or to the standard output for \"-\")\n");
359 fprintf(output, " -C <config profile> start with specified configuration profile\n");
360 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
361 fprintf(output, " an empty \"-F\" option will list the file types\n");
362 fprintf(output, " -V add output of packet tree (Packet Details)\n");
363 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
364 fprintf(output, " separated\n");
365 fprintf(output, " -P print packet summary even when writing to a file\n");
366 fprintf(output, " -S <separator> the line separator to print between packets\n");
367 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
368 fprintf(output, " -T pdml|ps|psml|text|fields\n");
369 fprintf(output, " format of text output (def: text)\n");
370 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
371 fprintf(output, " _ws.col.Info)\n");
372 fprintf(output, " this option can be repeated to print multiple fields\n");
373 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
374 fprintf(output, " header=y|n switch headers on and off\n");
375 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
376 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
377 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
378 fprintf(output, " aggregator\n");
379 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
380 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
381 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
382 fprintf(output, " -l flush standard output after each packet\n");
383 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
384 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
385 fprintf(output, " -g enable group read access on the output file(s)\n");
386 fprintf(output, " -W n Save extra information in the file, if supported.\n");
387 fprintf(output, " n = write network address resolution information\n");
388 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
389 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
390 fprintf(output, " --capture-comment <comment>\n");
391 fprintf(output, " add a capture comment to the newly created\n");
392 fprintf(output, " output file (only for pcapng)\n");
394 fprintf(output, "\n");
395 fprintf(output, "Miscellaneous:\n");
396 fprintf(output, " -h display this help and exit\n");
397 fprintf(output, " -v display version info and exit\n");
398 fprintf(output, " -o <name>:<value> ... override preference setting\n");
399 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
400 fprintf(output, " -G [report] dump one of several available reports and exit\n");
401 fprintf(output, " default report=\"fields\"\n");
402 fprintf(output, " use \"-G ?\" for more help\n");
404 fprintf(output, "\n");
405 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
406 fprintf(output, "You might want to reset it\n");
407 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
408 fprintf(output, "\n");
414 glossary_option_help(void)
420 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
422 fprintf(output, "\n");
423 fprintf(output, "Usage: tshark -G [report]\n");
424 fprintf(output, "\n");
425 fprintf(output, "Glossary table reports:\n");
426 fprintf(output, " -G column-formats dump column format codes and exit\n");
427 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
428 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
429 fprintf(output, " -G fields dump fields glossary and exit\n");
430 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
431 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
432 fprintf(output, " -G plugins dump installed plugins and exit\n");
433 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
434 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
435 fprintf(output, "\n");
436 fprintf(output, "Preference reports:\n");
437 fprintf(output, " -G currentprefs dump current preferences and exit\n");
438 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
439 fprintf(output, "\n");
443 * For a dissector table, print on the stream described by output,
444 * its short name (which is what's used in the "-d" option) and its
448 display_dissector_table_names(const char *table_name, const char *ui_name,
451 if ((prev_display_dissector_name == NULL) ||
452 (strcmp(prev_display_dissector_name, table_name) != 0)) {
453 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
454 prev_display_dissector_name = table_name;
459 * For a dissector handle, print on the stream described by output,
460 * the filter name (which is what's used in the "-d" option) and the full
461 * name for the protocol that corresponds to this handle.
464 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
467 const gchar *proto_filter_name;
468 const gchar *proto_ui_name;
470 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
472 if (proto_id != -1) {
473 proto_filter_name = proto_get_protocol_filter_name(proto_id);
474 proto_ui_name = proto_get_protocol_name(proto_id);
475 g_assert(proto_filter_name != NULL);
476 g_assert(proto_ui_name != NULL);
478 if ((prev_display_dissector_name == NULL) ||
479 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
480 fprintf((FILE *)output, "\t%s (%s)\n",
483 prev_display_dissector_name = proto_filter_name;
489 * The protocol_name_search structure is used by find_protocol_name_func()
490 * to pass parameters and store results
492 struct protocol_name_search{
493 gchar *searched_name; /* Protocol filter name we are looking for */
494 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
495 guint nb_match; /* How many dissectors matched searched_name */
497 typedef struct protocol_name_search *protocol_name_search_t;
500 * This function parses all dissectors associated with a table to find the
501 * one whose protocol has the specified filter name. It is called
502 * as a reference function in a call to dissector_table_foreach_handle.
503 * The name we are looking for, as well as the results, are stored in the
504 * protocol_name_search struct pointed to by user_data.
505 * If called using dissector_table_foreach_handle, we actually parse the
506 * whole list of dissectors.
509 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
513 const gchar *protocol_filter_name;
514 protocol_name_search_t search_info;
518 search_info = (protocol_name_search_t)user_data;
520 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
521 if (proto_id != -1) {
522 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
523 g_assert(protocol_filter_name != NULL);
524 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
526 if (search_info->nb_match == 0) {
527 /* Record this handle only if this is the first match */
528 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
530 search_info->nb_match++;
536 * Allow dissector key names to be sorted alphabetically
540 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
542 return strcmp((const char*)dissector_a, (const char*)dissector_b);
546 * Print all layer type names supported.
547 * We send the output to the stream described by the handle output.
551 fprint_all_layer_types(FILE *output)
554 prev_display_dissector_name = NULL;
555 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
559 * Print all protocol names supported for a specific layer type.
560 * table_name contains the layer type name in which the search is performed.
561 * We send the output to the stream described by the handle output.
565 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
568 prev_display_dissector_name = NULL;
569 dissector_table_foreach_handle(table_name,
570 display_dissector_names,
575 * The function below parses the command-line parameters for the decode as
576 * feature (a string pointer by cl_param).
577 * It checks the format of the command-line, searches for a matching table
578 * and dissector. If a table/dissector match is not found, we display a
579 * summary of the available tables/dissectors (on stderr) and return FALSE.
580 * If everything is fine, we get the "Decode as" preference activated,
581 * then we return TRUE.
584 add_decode_as(const gchar *cl_param)
587 guint32 selector, selector2;
588 gchar *decoded_param;
589 gchar *remaining_param;
591 gchar *dissector_str;
592 dissector_handle_t dissector_matching;
593 dissector_table_t table_matching;
594 ftenum_t dissector_table_selector_type;
595 struct protocol_name_search user_protocol_name;
599 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
602 decoded_param = g_strdup(cl_param);
603 g_assert(decoded_param);
606 /* The lines below will parse this string (modifying it) to extract all
607 necessary information. Note that decoded_param is still needed since
608 strings are not copied - we just save pointers. */
610 /* This section extracts a layer type (table_name) from decoded_param */
611 table_name = decoded_param; /* Layer type string starts from beginning */
613 remaining_param = strchr(table_name, '=');
614 if (remaining_param == NULL) {
615 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
616 /* If the argument does not follow the template, carry on anyway to check
617 if the table name is at least correct. If remaining_param is NULL,
618 we'll exit anyway further down */
621 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
624 /* Remove leading and trailing spaces from the table name */
625 while ( table_name[0] == ' ' )
627 while ( table_name[strlen(table_name) - 1] == ' ' )
628 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
630 /* The following part searches a table matching with the layer type specified */
631 table_matching = NULL;
633 /* Look for the requested table */
634 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
635 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
638 table_matching = find_dissector_table(table_name);
639 if (!table_matching) {
640 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
644 if (!table_matching) {
645 /* Display a list of supported layer types to help the user, if the
646 specified layer type was not found */
647 cmdarg_err("Valid layer types are:");
648 fprint_all_layer_types(stderr);
650 if (remaining_param == NULL || !table_matching) {
651 /* Exit if the layer type was not found, or if no '=' separator was found
653 g_free(decoded_param);
657 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
658 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
661 remaining_param++; /* Move to the second '=' */
662 *remaining_param = '\0'; /* Remove the second '=' */
664 remaining_param++; /* Position after the layer type string */
666 /* This section extracts a selector value (selector_str) from decoded_param */
668 selector_str = remaining_param; /* Next part starts with the selector number */
670 remaining_param = strchr(selector_str, ',');
671 if (remaining_param == NULL) {
672 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
673 /* If the argument does not follow the template, carry on anyway to check
674 if the selector value is at least correct. If remaining_param is NULL,
675 we'll exit anyway further down */
678 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
681 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
683 switch (dissector_table_selector_type) {
689 /* The selector for this table is an unsigned number. Parse it as such.
690 There's no need to remove leading and trailing spaces from the
691 selector number string, because sscanf will do that for us. */
692 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
697 if (op != ':' && op != '-') {
698 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
699 g_free(decoded_param);
703 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
704 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
705 g_free(decoded_param);
709 else if (selector2 < selector) {
710 /* We could swap them for the user, but maybe it's better to call
711 * this out as an error in case it's not what was intended? */
712 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
713 g_free(decoded_param);
718 cmdarg_err("Invalid selector number \"%s\"", selector_str);
719 g_free(decoded_param);
728 /* The selector for this table is a string. */
732 /* There are currently no dissector tables with any types other
733 than the ones listed above. */
734 g_assert_not_reached();
737 if (remaining_param == NULL) {
738 /* Exit if no ',' separator was found (see above) */
739 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
740 fprint_all_protocols_for_layer_types(stderr, table_name);
741 g_free(decoded_param);
745 remaining_param++; /* Position after the selector number string */
747 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
749 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
751 /* Remove leading and trailing spaces from the dissector name */
752 while ( dissector_str[0] == ' ' )
754 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
755 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
757 dissector_matching = NULL;
759 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
760 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
761 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
764 user_protocol_name.nb_match = 0;
765 user_protocol_name.searched_name = dissector_str;
766 user_protocol_name.matched_handle = NULL;
768 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
770 if (user_protocol_name.nb_match != 0) {
771 dissector_matching = user_protocol_name.matched_handle;
772 if (user_protocol_name.nb_match > 1) {
773 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
777 /* OK, check whether the problem is that there isn't any such
778 protocol, or that there is but it's not specified as a protocol
779 that's valid for that dissector table.
780 Note, we don't exit here, but dissector_matching will remain NULL,
782 if (proto_get_id_by_filter_name(dissector_str) == -1) {
783 /* No such protocol */
784 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
786 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
787 dissector_str, table_name);
792 if (!dissector_matching) {
793 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
794 fprint_all_protocols_for_layer_types(stderr, table_name);
795 g_free(decoded_param);
799 /* This is the end of the code that parses the command-line options.
800 All information is now stored in the variables:
804 The above variables that are strings are still pointing to areas within
805 decoded_parm. decoded_parm thus still needs to be kept allocated in
806 until we stop needing these variables
807 decoded_param will be deallocated at each exit point of this function */
810 /* We now have a pointer to the handle for the requested dissector
811 (requested protocol) inside the variable dissector_matching */
812 switch (dissector_table_selector_type) {
818 /* The selector for this table is an unsigned number. */
820 dissector_change_uint(table_name, selector, dissector_matching);
821 } else if (op == ':') {
822 for (i = selector; i < (guint64)selector + selector2; i++) {
823 dissector_change_uint(table_name, (guint32)i, dissector_matching);
825 } else { /* op == '-' */
826 for (i = selector; i <= selector2; i++) {
827 dissector_change_uint(table_name, (guint32)i, dissector_matching);
836 /* The selector for this table is a string. */
837 dissector_change_string(table_name, selector_str, dissector_matching);
841 /* There are currently no dissector tables with any types other
842 than the ones listed above. */
843 g_assert_not_reached();
845 g_free(decoded_param); /* "Decode As" rule has been successfully added */
850 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
851 const gchar *message, gpointer user_data)
853 /* ignore log message, if log_level isn't interesting based
854 upon the console log preferences.
855 If the preferences haven't been loaded loaded yet, display the
858 The default console_log_level preference value is such that only
859 ERROR, CRITICAL and WARNING level messages are processed;
860 MESSAGE, INFO and DEBUG level messages are ignored.
862 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
863 ERROR and CRITICAL level messages so the current code is a behavioral
864 change. The current behavior is the same as in Wireshark.
866 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
867 prefs.console_log_level != 0) {
871 g_log_default_handler(log_domain, log_level, message, user_data);
876 output_file_description(const char *fname)
878 char *save_file_string;
880 /* Get a string that describes what we're writing to */
881 if (strcmp(fname, "-") == 0) {
882 /* We're writing to the standard output */
883 save_file_string = g_strdup("standard output");
885 /* We're writing to a file with the name in save_file */
886 save_file_string = g_strdup_printf("file \"%s\"", fname);
888 return save_file_string;
892 print_current_user(void) {
893 gchar *cur_user, *cur_group;
895 if (started_with_special_privs()) {
896 cur_user = get_cur_username();
897 cur_group = get_cur_groupname();
898 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
899 cur_user, cur_group);
902 if (running_with_special_privs()) {
903 fprintf(stderr, " This could be dangerous.");
905 fprintf(stderr, "\n");
910 get_tshark_compiled_version_info(GString *str)
912 /* Capture libraries */
913 get_compiled_caplibs_version(str);
916 g_string_append(str, ", ");
918 g_string_append(str, "with libz ");
920 g_string_append(str, ZLIB_VERSION);
921 #else /* ZLIB_VERSION */
922 g_string_append(str, "(version unknown)");
923 #endif /* ZLIB_VERSION */
924 #else /* HAVE_LIBZ */
925 g_string_append(str, "without libz");
926 #endif /* HAVE_LIBZ */
930 get_tshark_runtime_version_info(GString *str)
933 /* Capture libraries */
934 g_string_append(str, ", ");
935 get_runtime_caplibs_version(str);
939 #if defined(HAVE_LIBZ) && !defined(_WIN32)
940 g_string_append_printf(str, ", with libz %s", zlibVersion());
943 /* stuff used by libwireshark */
944 epan_get_runtime_version_info(str);
948 main(int argc, char *argv[])
950 GString *comp_info_str;
951 GString *runtime_info_str;
952 char *init_progfile_dir_error;
955 static const struct option long_options[] = {
956 {(char *)"help", no_argument, NULL, 'h'},
957 {(char *)"version", no_argument, NULL, 'v'},
958 LONGOPT_CAPTURE_COMMON
962 gboolean arg_error = FALSE;
968 char *gpf_path, *pf_path;
969 char *gdp_path, *dp_path;
970 int gpf_open_errno, gpf_read_errno;
971 int pf_open_errno, pf_read_errno;
972 int gdp_open_errno, gdp_read_errno;
973 int dp_open_errno, dp_read_errno;
975 volatile int exit_status = 0;
977 gboolean list_link_layer_types = FALSE;
978 gboolean start_capture = FALSE;
983 gboolean capture_option_specified = FALSE;
985 gboolean quiet = FALSE;
986 #ifdef PCAP_NG_DEFAULT
987 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
989 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
991 volatile gboolean out_file_name_res = FALSE;
992 volatile int in_file_type = WTAP_TYPE_AUTO;
993 gchar *volatile cf_name = NULL;
994 gchar *rfilter = NULL;
995 gchar *dfilter = NULL;
996 #ifdef HAVE_PCAP_OPEN_DEAD
997 struct bpf_program fcode;
999 dfilter_t *rfcode = NULL;
1000 dfilter_t *dfcode = NULL;
1005 gchar *output_only = NULL;
1008 * The leading + ensures that getopt_long() does not permute the argv[]
1011 * We have to make sure that the first getopt_long() preserves the content
1012 * of argv[] for the subsequent getopt_long() call.
1014 * We use getopt_long() in both cases to ensure that we're using a routine
1015 * whose permutation behavior we can control in the same fashion on all
1016 * platforms, and so that, if we ever need to process a long argument before
1017 * doing further initialization, we can do so.
1019 * Glibc and Solaris libc document that a leading + disables permutation
1020 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1021 * and OS X don't document it, but do so anyway.
1023 * We do *not* use a leading - because the behavior of a leading - is
1024 * platform-dependent.
1026 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1028 static const char optstring[] = OPTSTRING;
1030 /* Set the C-language locale to the native environment. */
1031 setlocale(LC_ALL, "");
1033 cmdarg_err_init(failure_message, failure_message_cont);
1036 arg_list_utf_16to8(argc, argv);
1037 create_app_running_mutex();
1038 #if !GLIB_CHECK_VERSION(2,31,0)
1039 g_thread_init(NULL);
1044 * Get credential information for later use, and drop privileges
1045 * before doing anything else.
1046 * Let the user know if anything happened.
1048 init_process_policies();
1049 relinquish_special_privs_perm();
1050 print_current_user();
1053 * Attempt to get the pathname of the executable file.
1055 init_progfile_dir_error = init_progfile_dir(argv[0], (void *)main);
1056 if (init_progfile_dir_error != NULL) {
1057 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1058 init_progfile_dir_error);
1061 initialize_funnel_ops();
1064 /* Load wpcap if possible. Do this before collecting the run-time version information */
1067 /* Warn the user if npf.sys isn't loaded. */
1068 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1069 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1070 "capturing or\nlisting interfaces.\n");
1074 /* Get the compile-time version information string */
1075 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1076 epan_get_compiled_version_info);
1078 /* Get the run-time version information string */
1079 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1081 /* Add it to the information to be reported on a crash. */
1082 ws_add_crash_info("TShark (Wireshark) %s\n"
1087 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1088 g_string_free(comp_info_str, TRUE);
1089 g_string_free(runtime_info_str, TRUE);
1092 * In order to have the -X opts assigned before the wslua machine starts
1093 * we need to call getopt_long before epan_init() gets called.
1095 * In order to handle, for example, -o options, we also need to call it
1096 * *after* epan_init() gets called, so that the dissectors have had a
1097 * chance to register their preferences.
1099 * XXX - can we do this all with one getopt_long() call, saving the
1100 * arguments we can't handle until after initializing libwireshark,
1101 * and then process them after initializing libwireshark?
1105 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1107 case 'C': /* Configuration Profile */
1108 if (profile_exists (optarg, FALSE)) {
1109 set_profile_name (optarg);
1111 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1115 case 'P': /* Print packet summary info even when writing to a file */
1116 print_packet_info = TRUE;
1117 print_summary = TRUE;
1119 case 'O': /* Only output these protocols */
1120 output_only = g_strdup(optarg);
1122 case 'V': /* Verbose */
1123 print_details = TRUE;
1124 print_packet_info = TRUE;
1126 case 'x': /* Print packet data in hex (and ASCII) */
1128 /* The user asked for hex output, so let's ensure they get it,
1129 * even if they're writing to a file.
1131 print_packet_info = TRUE;
1142 * Print packet summary information is the default, unless either -V or -x
1143 * were specified and -P was not. Note that this is new behavior, which
1144 * allows for the possibility of printing only hex/ascii output without
1145 * necessarily requiring that either the summary or details be printed too.
1147 if (print_summary == -1)
1148 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1150 /** Send All g_log messages to our own handler **/
1154 G_LOG_LEVEL_CRITICAL|
1155 G_LOG_LEVEL_WARNING|
1156 G_LOG_LEVEL_MESSAGE|
1159 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1161 g_log_set_handler(NULL,
1162 (GLogLevelFlags)log_flags,
1163 tshark_log_handler, NULL /* user_data */);
1164 g_log_set_handler(LOG_DOMAIN_MAIN,
1165 (GLogLevelFlags)log_flags,
1166 tshark_log_handler, NULL /* user_data */);
1169 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1170 (GLogLevelFlags)log_flags,
1171 tshark_log_handler, NULL /* user_data */);
1172 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1173 (GLogLevelFlags)log_flags,
1174 tshark_log_handler, NULL /* user_data */);
1177 init_report_err(failure_message, open_failure_message, read_failure_message,
1178 write_failure_message);
1181 capture_opts_init(&global_capture_opts);
1182 capture_session_init(&global_capture_session, &cfile);
1185 timestamp_set_type(TS_RELATIVE);
1186 timestamp_set_precision(TS_PREC_AUTO);
1187 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1189 init_open_routines();
1192 /* Register all the plugin types we have. */
1193 epan_register_plugin_types(); /* Types known to libwireshark */
1194 wtap_register_plugin_types(); /* Types known to libwiretap */
1196 /* Scan for plugins. This does *not* call their registration routines;
1197 that's done later. */
1200 /* Register all libwiretap plugin modules. */
1201 register_all_wiretap_modules();
1204 /* Register all dissectors; we must do this before checking for the
1205 "-G" flag, as the "-G" flag dumps information registered by the
1206 dissectors, and we must do it before we read the preferences, in
1207 case any dissectors register preferences. */
1208 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1210 /* Register all tap listeners; we do this before we parse the arguments,
1211 as the "-z" argument can specify a registered tap. */
1213 /* we register the plugin taps before the other taps because
1214 stats_tree taps plugins will be registered as tap listeners
1215 by stats_tree_stat.c and need to registered before that */
1217 register_all_plugin_tap_listeners();
1219 register_all_tap_listeners();
1220 conversation_table_set_gui_info(init_iousers);
1221 hostlist_table_set_gui_info(init_hostlists);
1222 srt_table_iterate_tables(register_srt_tables, NULL);
1223 rtd_table_iterate_tables(register_rtd_tables, NULL);
1225 /* If invoked with the "-G" flag, we dump out information based on
1226 the argument to the "-G" flag; if no argument is specified,
1227 for backwards compatibility we dump out a glossary of display
1230 XXX - we do this here, for now, to support "-G" with no arguments.
1231 If none of our build or other processes uses "-G" with no arguments,
1232 we can just process it with the other arguments. */
1233 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1234 proto_initialize_all_prefixes();
1237 proto_registrar_dump_fields();
1239 if (strcmp(argv[2], "column-formats") == 0)
1240 column_dump_column_formats();
1241 else if (strcmp(argv[2], "currentprefs") == 0) {
1242 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1243 &pf_open_errno, &pf_read_errno, &pf_path);
1246 else if (strcmp(argv[2], "decodes") == 0)
1247 dissector_dump_decodes();
1248 else if (strcmp(argv[2], "defaultprefs") == 0)
1250 else if (strcmp(argv[2], "dissector-tables") == 0)
1251 dissector_dump_dissector_tables();
1252 else if (strcmp(argv[2], "fields") == 0)
1253 proto_registrar_dump_fields();
1254 else if (strcmp(argv[2], "ftypes") == 0)
1255 proto_registrar_dump_ftypes();
1256 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1257 dissector_dump_heur_decodes();
1258 else if (strcmp(argv[2], "plugins") == 0) {
1263 wslua_plugins_dump_all();
1266 else if (strcmp(argv[2], "protocols") == 0)
1267 proto_registrar_dump_protocols();
1268 else if (strcmp(argv[2], "values") == 0)
1269 proto_registrar_dump_values();
1270 else if (strcmp(argv[2], "?") == 0)
1271 glossary_option_help();
1272 else if (strcmp(argv[2], "-?") == 0)
1273 glossary_option_help();
1275 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1282 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1283 &pf_open_errno, &pf_read_errno, &pf_path);
1284 if (gpf_path != NULL) {
1285 if (gpf_open_errno != 0) {
1286 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1287 pf_path, g_strerror(gpf_open_errno));
1289 if (gpf_read_errno != 0) {
1290 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1291 pf_path, g_strerror(gpf_read_errno));
1294 if (pf_path != NULL) {
1295 if (pf_open_errno != 0) {
1296 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1297 g_strerror(pf_open_errno));
1299 if (pf_read_errno != 0) {
1300 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1301 pf_path, g_strerror(pf_read_errno));
1307 /* Read the disabled protocols file. */
1308 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1309 &dp_path, &dp_open_errno, &dp_read_errno);
1310 if (gdp_path != NULL) {
1311 if (gdp_open_errno != 0) {
1312 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1313 gdp_path, g_strerror(gdp_open_errno));
1315 if (gdp_read_errno != 0) {
1316 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1317 gdp_path, g_strerror(gdp_read_errno));
1321 if (dp_path != NULL) {
1322 if (dp_open_errno != 0) {
1324 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1325 g_strerror(dp_open_errno));
1327 if (dp_read_errno != 0) {
1329 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1330 g_strerror(dp_read_errno));
1335 cap_file_init(&cfile);
1337 /* Print format defaults to this. */
1338 print_format = PR_FMT_TEXT;
1340 output_fields = output_fields_new();
1343 * To reset the options parser, set optreset to 1 on platforms that
1344 * have optreset (documented in *BSD and OS X, apparently present but
1345 * not documented in Solaris - the Illumos repository seems to
1346 * suggest that the first Solaris getopt_long(), at least as of 2004,
1347 * was based on the NetBSD one, it had optreset) and set optind to 1,
1348 * and set optind to 0 otherwise (documented as working in the GNU
1349 * getopt_long(). Setting optind to 0 didn't originally work in the
1350 * NetBSD one, but that was added later - we don't want to depend on
1351 * it if we have optreset).
1353 * Also reset opterr to 1, so that error messages are printed by
1356 #ifdef HAVE_OPTRESET
1364 /* Now get our args */
1365 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1367 case '2': /* Perform two pass analysis */
1368 perform_two_pass_analysis = TRUE;
1370 case 'a': /* autostop criteria */
1371 case 'b': /* Ringbuffer option */
1372 case 'c': /* Capture x packets */
1373 case 'f': /* capture filter */
1374 case 'g': /* enable group read access on file(s) */
1375 case 'i': /* Use interface x */
1376 case 'p': /* Don't capture in promiscuous mode */
1377 #ifdef HAVE_PCAP_REMOTE
1378 case 'A': /* Authentication */
1380 #ifdef HAVE_PCAP_CREATE
1381 case 'I': /* Capture in monitor mode, if available */
1383 case 's': /* Set the snapshot (capture) length */
1384 case 'w': /* Write to capture file x */
1385 case 'y': /* Set the pcap data link type */
1386 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1387 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1388 case 'B': /* Buffer size */
1391 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1398 * Output file name, if we're reading a file and writing to another
1401 output_file_name = optarg;
1403 capture_option_specified = TRUE;
1409 /* already processed; just ignore it now */
1411 case 'd': /* Decode as rule */
1412 if (!add_decode_as(optarg))
1415 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1416 case 'K': /* Kerberos keytab file */
1417 read_keytab_file(optarg);
1420 case 'D': /* Print a list of capture devices and exit */
1422 if_list = capture_interface_list(&err, &err_str,NULL);
1423 if (if_list == NULL) {
1425 cmdarg_err("There are no interfaces on which a capture can be done");
1427 cmdarg_err("%s", err_str);
1432 capture_opts_print_interfaces(if_list);
1433 free_interface_list(if_list);
1436 capture_option_specified = TRUE;
1442 output_fields_add(output_fields, optarg);
1446 if (!output_fields_set_option(output_fields, optarg)) {
1447 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1448 output_fields_list_options(stderr);
1453 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1454 if (out_file_type < 0) {
1455 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1456 list_capture_types();
1460 case 'W': /* Select extra information to save in our capture file */
1461 /* This is patterned after the -N flag which may not be the best idea. */
1462 if (strchr(optarg, 'n')) {
1463 out_file_name_res = TRUE;
1465 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1466 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1470 case 'H': /* Read address to name mappings from a hosts file */
1471 if (! add_hosts_file(optarg))
1473 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1476 out_file_name_res = TRUE;
1479 case 'h': /* Print help and exit */
1480 printf("TShark (Wireshark) %s\n"
1481 "Dump and analyze network traffic.\n"
1482 "See https://www.wireshark.org for more information.\n",
1483 get_ws_vcs_version_info());
1484 print_usage(stdout);
1487 case 'l': /* "Line-buffer" standard output */
1488 /* This isn't line-buffering, strictly speaking, it's just
1489 flushing the standard output after the information for
1490 each packet is printed; however, that should be good
1491 enough for all the purposes to which "-l" is put (and
1492 is probably actually better for "-V", as it does fewer
1495 See the comment in "process_packet()" for an explanation of
1496 why we do that, and why we don't just use "setvbuf()" to
1497 make the standard output line-buffered (short version: in
1498 Windows, "line-buffered" is the same as "fully-buffered",
1499 and the output buffer is only flushed when it fills up). */
1500 line_buffered = TRUE;
1502 case 'L': /* Print list of link-layer types and exit */
1504 list_link_layer_types = TRUE;
1506 capture_option_specified = TRUE;
1510 case 'n': /* No name resolution */
1511 gbl_resolv_flags.mac_name = FALSE;
1512 gbl_resolv_flags.network_name = FALSE;
1513 gbl_resolv_flags.transport_name = FALSE;
1514 gbl_resolv_flags.concurrent_dns = FALSE;
1516 case 'N': /* Select what types of addresses/port #s to resolve */
1517 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1518 if (badopt != '\0') {
1519 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1521 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1522 "\t'm' to enable MAC address resolution\n"
1523 "\t'n' to enable network address resolution\n"
1524 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1525 "\t for network address resolution\n"
1526 "\t't' to enable transport-layer port number resolution");
1530 case 'o': /* Override preference from command line */
1531 switch (prefs_set_pref(optarg)) {
1536 case PREFS_SET_SYNTAX_ERR:
1537 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1541 case PREFS_SET_NO_SUCH_PREF:
1542 case PREFS_SET_OBSOLETE:
1543 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1548 case 'q': /* Quiet */
1551 case 'Q': /* Really quiet */
1553 really_quiet = TRUE;
1555 case 'r': /* Read capture file x */
1556 cf_name = g_strdup(optarg);
1558 case 'R': /* Read file filter */
1562 /* already processed; just ignore it now */
1564 case 'S': /* Set the line Separator to be printed between packets */
1567 case 't': /* Time stamp type */
1568 if (strcmp(optarg, "r") == 0)
1569 timestamp_set_type(TS_RELATIVE);
1570 else if (strcmp(optarg, "a") == 0)
1571 timestamp_set_type(TS_ABSOLUTE);
1572 else if (strcmp(optarg, "ad") == 0)
1573 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1574 else if (strcmp(optarg, "adoy") == 0)
1575 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1576 else if (strcmp(optarg, "d") == 0)
1577 timestamp_set_type(TS_DELTA);
1578 else if (strcmp(optarg, "dd") == 0)
1579 timestamp_set_type(TS_DELTA_DIS);
1580 else if (strcmp(optarg, "e") == 0)
1581 timestamp_set_type(TS_EPOCH);
1582 else if (strcmp(optarg, "u") == 0)
1583 timestamp_set_type(TS_UTC);
1584 else if (strcmp(optarg, "ud") == 0)
1585 timestamp_set_type(TS_UTC_WITH_YMD);
1586 else if (strcmp(optarg, "udoy") == 0)
1587 timestamp_set_type(TS_UTC_WITH_YDOY);
1589 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1590 cmdarg_err_cont("\t\"a\" for absolute\n"
1591 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1592 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1593 "\t\"d\" for delta\n"
1594 "\t\"dd\" for delta displayed\n"
1595 "\t\"e\" for epoch\n"
1596 "\t\"r\" for relative\n"
1597 "\t\"u\" for absolute UTC\n"
1598 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1599 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1603 case 'T': /* printing Type */
1604 print_packet_info = TRUE;
1605 if (strcmp(optarg, "text") == 0) {
1606 output_action = WRITE_TEXT;
1607 print_format = PR_FMT_TEXT;
1608 } else if (strcmp(optarg, "ps") == 0) {
1609 output_action = WRITE_TEXT;
1610 print_format = PR_FMT_PS;
1611 } else if (strcmp(optarg, "pdml") == 0) {
1612 output_action = WRITE_XML;
1613 print_details = TRUE; /* Need details */
1614 print_summary = FALSE; /* Don't allow summary */
1615 } else if (strcmp(optarg, "psml") == 0) {
1616 output_action = WRITE_XML;
1617 print_details = FALSE; /* Don't allow details */
1618 print_summary = TRUE; /* Need summary */
1619 } else if (strcmp(optarg, "fields") == 0) {
1620 output_action = WRITE_FIELDS;
1621 print_details = TRUE; /* Need full tree info */
1622 print_summary = FALSE; /* Don't allow summary */
1624 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1625 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1626 "\t specified by the -E option.\n"
1627 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1628 "\t details of a decoded packet. This information is equivalent to\n"
1629 "\t the packet details printed with the -V flag.\n"
1630 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1631 "\t the packets, or a multi-line view of the details of each of\n"
1632 "\t the packets, depending on whether the -V flag was specified.\n"
1633 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1634 "\t summary information of a decoded packet. This information is\n"
1635 "\t equivalent to the information shown in the one-line summary\n"
1636 "\t printed by default.\n"
1637 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1638 "\t packets, or a multi-line view of the details of each of the\n"
1639 "\t packets, depending on whether the -V flag was specified.\n"
1640 "\t This is the default.");
1644 case 'u': /* Seconds type */
1645 if (strcmp(optarg, "s") == 0)
1646 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1647 else if (strcmp(optarg, "hms") == 0)
1648 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1650 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1651 cmdarg_err_cont("\t\"s\" for seconds\n"
1652 "\t\"hms\" for hours, minutes and seconds");
1656 case 'v': /* Show version and exit */
1657 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1658 epan_get_compiled_version_info);
1659 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1660 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1661 g_string_free(comp_info_str, TRUE);
1662 g_string_free(runtime_info_str, TRUE);
1663 /* We don't really have to cleanup here, but it's a convenient way to test
1664 * start-up and shut-down of the epan library without any UI-specific
1665 * cruft getting in the way. Makes the results of running
1666 * $ ./tools/valgrind-wireshark -n
1667 * much more useful. */
1670 case 'O': /* Only output these protocols */
1671 /* already processed; just ignore it now */
1673 case 'V': /* Verbose */
1674 /* already processed; just ignore it now */
1676 case 'x': /* Print packet data in hex (and ASCII) */
1677 /* already processed; just ignore it now */
1680 /* already processed; just ignore it now */
1686 /* We won't call the init function for the stat this soon
1687 as it would disallow MATE's fields (which are registered
1688 by the preferences set callback) from being used as
1689 part of a tap filter. Instead, we just add the argument
1690 to a list of stat arguments. */
1691 if (strcmp("help", optarg) == 0) {
1692 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1693 list_stat_cmd_args();
1696 if (!process_stat_cmd_arg(optarg)) {
1697 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1698 list_stat_cmd_args();
1703 case '?': /* Bad flag - print usage message */
1706 list_capture_types();
1709 print_usage(stderr);
1716 /* If we specified output fields, but not the output field type... */
1717 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1718 cmdarg_err("Output fields were specified with \"-e\", "
1719 "but \"-Tfields\" was not specified.");
1721 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1722 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1723 "specified with \"-e\".");
1728 /* If no capture filter or display filter has been specified, and there are
1729 still command-line arguments, treat them as the tokens of a capture
1730 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1731 flag was specified. */
1732 if (optind < argc) {
1733 if (cf_name != NULL) {
1734 if (dfilter != NULL) {
1735 cmdarg_err("Display filters were specified both with \"-d\" "
1736 "and with additional command-line arguments.");
1739 dfilter = get_args_as_string(argc, argv, optind);
1744 if (global_capture_opts.default_options.cfilter) {
1745 cmdarg_err("A default capture filter was specified both with \"-f\""
1746 " and with additional command-line arguments.");
1749 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1750 interface_options interface_opts;
1751 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1752 if (interface_opts.cfilter == NULL) {
1753 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1754 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1755 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1757 cmdarg_err("A capture filter was specified both with \"-f\""
1758 " and with additional command-line arguments.");
1762 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1764 capture_option_specified = TRUE;
1770 if (!global_capture_opts.saving_to_file) {
1771 /* We're not saving the capture to a file; if "-q" wasn't specified,
1772 we should print packet information */
1774 print_packet_info = TRUE;
1776 /* We're saving to a file; if we're writing to the standard output.
1777 and we'll also be writing dissected packets to the standard
1778 output, reject the request. At best, we could redirect that
1779 to the standard error; we *can't* write both to the standard
1780 output and have either of them be useful. */
1781 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1782 cmdarg_err("You can't write both raw packet data and dissected packets"
1783 " to the standard output.");
1788 /* We're not saving the capture to a file; if "-q" wasn't specified,
1789 we should print packet information */
1791 print_packet_info = TRUE;
1794 #ifndef HAVE_LIBPCAP
1795 if (capture_option_specified)
1796 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1799 print_usage(stderr);
1804 if (output_action != WRITE_TEXT) {
1805 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1810 if (output_only != NULL) {
1813 if (!print_details) {
1814 cmdarg_err("-O requires -V");
1818 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1819 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1820 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1824 if (rfilter != NULL && !perform_two_pass_analysis) {
1825 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1830 if (list_link_layer_types) {
1831 /* We're supposed to list the link-layer types for an interface;
1832 did the user also specify a capture file to be read? */
1834 /* Yes - that's bogus. */
1835 cmdarg_err("You can't specify -L and a capture file to be read.");
1838 /* No - did they specify a ring buffer option? */
1839 if (global_capture_opts.multi_files_on) {
1840 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1846 * "-r" was specified, so we're reading a capture file.
1847 * Capture options don't apply here.
1850 /* We don't support capture filters when reading from a capture file
1851 (the BPF compiler doesn't support all link-layer types that we
1852 support in capture files we read). */
1853 if (global_capture_opts.default_options.cfilter) {
1854 cmdarg_err("Only read filters, not capture filters, "
1855 "can be specified when reading a capture file.");
1858 if (global_capture_opts.multi_files_on) {
1859 cmdarg_err("Multiple capture files requested, but "
1860 "a capture isn't being done.");
1863 if (global_capture_opts.has_file_duration) {
1864 cmdarg_err("Switching capture files after a time interval was specified, but "
1865 "a capture isn't being done.");
1868 if (global_capture_opts.has_ring_num_files) {
1869 cmdarg_err("A ring buffer of capture files was specified, but "
1870 "a capture isn't being done.");
1873 if (global_capture_opts.has_autostop_files) {
1874 cmdarg_err("A maximum number of capture files was specified, but "
1875 "a capture isn't being done.");
1878 if (global_capture_opts.capture_comment) {
1879 cmdarg_err("A capture comment was specified, but "
1880 "a capture isn't being done.\nThere's no support for adding "
1881 "a capture comment to an existing capture file.");
1885 /* Note: TShark now allows the restriction of a _read_ file by packet count
1886 * and byte count as well as a write file. Other autostop options remain valid
1887 * only for a write file.
1889 if (global_capture_opts.has_autostop_duration) {
1890 cmdarg_err("A maximum capture time was specified, but "
1891 "a capture isn't being done.");
1896 * "-r" wasn't specified, so we're doing a live capture.
1898 if (perform_two_pass_analysis) {
1899 /* Two-pass analysis doesn't work with live capture since it requires us
1900 * to buffer packets until we've read all of them, but a live capture
1901 * has no useful/meaningful definition of "all" */
1902 cmdarg_err("Live captures do not support two-pass analysis.");
1906 if (global_capture_opts.saving_to_file) {
1907 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1909 /* When capturing, we only support writing pcap or pcap-ng format. */
1910 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1911 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1912 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1915 if (global_capture_opts.capture_comment &&
1916 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1917 cmdarg_err("A capture comment can only be written to a pcapng file.");
1920 if (global_capture_opts.multi_files_on) {
1921 /* Multiple-file mode doesn't work under certain conditions:
1922 a) it doesn't work if you're writing to the standard output;
1923 b) it doesn't work if you're writing to a pipe;
1925 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1926 cmdarg_err("Multiple capture files requested, but "
1927 "the capture is being written to the standard output.");
1930 if (global_capture_opts.output_to_pipe) {
1931 cmdarg_err("Multiple capture files requested, but "
1932 "the capture file is a pipe.");
1935 if (!global_capture_opts.has_autostop_filesize &&
1936 !global_capture_opts.has_file_duration) {
1937 cmdarg_err("Multiple capture files requested, but "
1938 "no maximum capture file size or duration was specified.");
1942 /* Currently, we don't support read or display filters when capturing
1943 and saving the packets. */
1944 if (rfilter != NULL) {
1945 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1948 if (dfilter != NULL) {
1949 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1952 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1954 /* They didn't specify a "-w" flag, so we won't be saving to a
1955 capture file. Check for options that only make sense if
1956 we're saving to a file. */
1957 if (global_capture_opts.has_autostop_filesize) {
1958 cmdarg_err("Maximum capture file size specified, but "
1959 "capture isn't being saved to a file.");
1962 if (global_capture_opts.multi_files_on) {
1963 cmdarg_err("Multiple capture files requested, but "
1964 "the capture isn't being saved to a file.");
1967 if (global_capture_opts.capture_comment) {
1968 cmdarg_err("A capture comment was specified, but "
1969 "the capture isn't being saved to a file.");
1978 /* Start windows sockets */
1979 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1982 /* Notify all registered modules that have had any of their preferences
1983 changed either from one of the preferences file or from the command
1984 line that their preferences have changed. */
1987 /* At this point MATE will have registered its field array so we can
1988 have a tap filter with one of MATE's late-registered fields as part
1989 of the filter. We can now process all the "-z" arguments. */
1990 start_requested_stats();
1992 /* At this point MATE will have registered its field array so we can
1993 check if the fields specified by the user are all good.
1995 if (!output_fields_valid(output_fields)) {
1996 cmdarg_err("Some fields aren't valid");
2001 /* We currently don't support taps, or printing dissected packets,
2002 if we're writing to a pipe. */
2003 if (global_capture_opts.saving_to_file &&
2004 global_capture_opts.output_to_pipe) {
2005 if (tap_listeners_require_dissection()) {
2006 cmdarg_err("Taps aren't supported when saving to a pipe.");
2009 if (print_packet_info) {
2010 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2016 if (ex_opt_count("read_format") > 0) {
2017 const gchar* name = ex_opt_get_next("read_format");
2018 in_file_type = open_info_name_to_type(name);
2019 if (in_file_type == WTAP_TYPE_AUTO) {
2020 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2021 list_read_capture_types();
2026 /* disabled protocols as per configuration file */
2027 if (gdp_path == NULL && dp_path == NULL) {
2028 set_disabled_protos_list();
2031 /* Build the column format array */
2032 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2035 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2036 capture_opts_trim_ring_num_files(&global_capture_opts);
2039 if (rfilter != NULL) {
2040 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2041 cmdarg_err("%s", err_msg);
2044 #ifdef HAVE_PCAP_OPEN_DEAD
2048 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2050 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2052 " Note: That read filter code looks like a valid capture filter;\n"
2053 " maybe you mixed them up?");
2062 cfile.rfcode = rfcode;
2064 if (dfilter != NULL) {
2065 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2066 cmdarg_err("%s", err_msg);
2069 #ifdef HAVE_PCAP_OPEN_DEAD
2073 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2075 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2077 " Note: That display filter code looks like a valid capture filter;\n"
2078 " maybe you mixed them up?");
2087 cfile.dfcode = dfcode;
2089 if (print_packet_info) {
2090 /* If we're printing as text or PostScript, we have
2091 to create a print stream. */
2092 if (output_action == WRITE_TEXT) {
2093 switch (print_format) {
2096 print_stream = print_stream_text_stdio_new(stdout);
2100 print_stream = print_stream_ps_stdio_new(stdout);
2104 g_assert_not_reached();
2109 /* We have to dissect each packet if:
2111 we're printing information about each packet;
2113 we're using a read filter on the packets;
2115 we're using a display filter on the packets;
2117 we're using any taps that need dissection. */
2118 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2122 * We're reading a capture file.
2124 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2129 /* Process the packets in the file */
2132 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2133 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2134 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2136 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2139 CATCH(OutOfMemoryError) {
2143 "Sorry, but TShark has to terminate now.\n"
2145 "More information and workarounds can be found at\n"
2146 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2151 /* We still dump out the results of taps, etc., as we might have
2152 read some packets; however, we exit with an error status. */
2156 /* No capture file specified, so we're supposed to do a live capture
2157 or get a list of link-layer types for a live capture device;
2158 do we have support for live captures? */
2160 /* if no interface was specified, pick a default */
2161 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2162 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2163 if (exit_status != 0)
2166 /* if requested, list the link layer types and exit */
2167 if (list_link_layer_types) {
2170 /* Get the list of link-layer types for the capture devices. */
2171 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2172 interface_options interface_opts;
2173 if_capabilities_t *caps;
2175 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2176 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2178 cmdarg_err("%s", err_str);
2182 if (caps->data_link_types == NULL) {
2183 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2186 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2187 free_if_capabilities(caps);
2193 * If the standard error isn't a terminal, don't print packet counts,
2194 * as they won't show up on the user's terminal and they'll get in
2195 * the way of error messages in the file (to which we assume the
2196 * standard error was redirected; if it's redirected to the null
2197 * device, there's no point in printing packet counts anyway).
2199 * Otherwise, if we're printing packet information and the standard
2200 * output is a terminal (which we assume means the standard output and
2201 * error are going to the same terminal), don't print packet counts,
2202 * as they'll get in the way of the packet information.
2204 * Otherwise, if the user specified -q, don't print packet counts.
2206 * Otherwise, print packet counts.
2208 * XXX - what if the user wants to do a live capture, doesn't want
2209 * to save it to a file, doesn't want information printed for each
2210 * packet, does want some "-z" statistic, and wants packet counts
2211 * so they know whether they're seeing any packets? -q will
2212 * suppress the information printed for each packet, but it'll
2213 * also suppress the packet counts.
2215 if (!isatty(fileno(stderr)))
2216 print_packet_counts = FALSE;
2217 else if (print_packet_info && isatty(fileno(stdout)))
2218 print_packet_counts = FALSE;
2220 print_packet_counts = FALSE;
2222 print_packet_counts = TRUE;
2224 if (print_packet_info) {
2225 if (!write_preamble(&cfile)) {
2226 show_print_file_io_error(errno);
2232 * XXX - this returns FALSE if an error occurred, but it also
2233 * returns FALSE if the capture stops because a time limit
2234 * was reached (and possibly other limits), so we can't assume
2235 * it means an error.
2237 * The capture code is a bit twisty, so it doesn't appear to
2238 * be an easy fix. We just ignore the return value for now.
2239 * Instead, pass on the exit status from the capture child.
2242 exit_status = global_capture_session.fork_child_status;
2244 if (print_packet_info) {
2245 if (!write_finale()) {
2247 show_print_file_io_error(err);
2251 /* No - complain. */
2252 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2259 if (cfile.frames != NULL) {
2260 free_frame_data_sequence(cfile.frames);
2261 cfile.frames = NULL;
2264 draw_tap_listeners(TRUE);
2265 funnel_dump_all_text_windows();
2266 epan_free(cfile.epan);
2269 output_fields_free(output_fields);
2270 output_fields = NULL;
2275 /*#define USE_BROKEN_G_MAIN_LOOP*/
2277 #ifdef USE_BROKEN_G_MAIN_LOOP
2280 gboolean loop_running = FALSE;
2282 guint32 packet_count = 0;
2285 typedef struct pipe_input_tag {
2288 ws_process_id *child_process;
2289 pipe_input_cb_t input_cb;
2290 guint pipe_input_id;
2292 GMutex *callback_running;
2296 static pipe_input_t pipe_input;
2299 /* The timer has expired, see if there's stuff to read from the pipe,
2300 if so, do the callback */
2302 pipe_timer_cb(gpointer data)
2308 pipe_input_t *pipe_input_p = data;
2309 gint iterations = 0;
2311 g_mutex_lock (pipe_input_p->callback_running);
2313 /* try to read data from the pipe only 5 times, to avoid blocking */
2314 while(iterations < 5) {
2315 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2317 /* Oddly enough although Named pipes don't work on win9x,
2318 PeekNamedPipe does !!! */
2319 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2320 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2322 /* Get the child process exit status */
2323 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2326 /* If the Peek returned an error, or there are bytes to be read
2327 or the childwatcher thread has terminated then call the normal
2329 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2331 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2333 /* And call the real handler */
2334 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2335 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2336 /* pipe closed, return false so that the timer is stopped */
2337 g_mutex_unlock (pipe_input_p->callback_running);
2342 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2343 /* No data, stop now */
2350 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2352 g_mutex_unlock (pipe_input_p->callback_running);
2354 /* we didn't stopped the timer, so let it run */
2361 pipe_input_set_handler(gint source, gpointer user_data, ws_process_id *child_process, pipe_input_cb_t input_cb)
2364 pipe_input.source = source;
2365 pipe_input.child_process = child_process;
2366 pipe_input.user_data = user_data;
2367 pipe_input.input_cb = input_cb;
2370 #if GLIB_CHECK_VERSION(2,31,0)
2371 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2372 g_mutex_init(pipe_input.callback_running);
2374 pipe_input.callback_running = g_mutex_new();
2376 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2377 do this but that doesn't cover all win32 platforms. GTK can do
2378 this but doesn't seem to work over processes. Attempt to do
2379 something similar here, start a timer and check for data on every
2381 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2382 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2386 static const nstime_t *
2387 tshark_get_frame_ts(void *data, guint32 frame_num)
2389 capture_file *cf = (capture_file *) data;
2391 if (ref && ref->num == frame_num)
2392 return &ref->abs_ts;
2394 if (prev_dis && prev_dis->num == frame_num)
2395 return &prev_dis->abs_ts;
2397 if (prev_cap && prev_cap->num == frame_num)
2398 return &prev_cap->abs_ts;
2401 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2403 return (fd) ? &fd->abs_ts : NULL;
2410 tshark_epan_new(capture_file *cf)
2412 epan_t *epan = epan_new();
2415 epan->get_frame_ts = tshark_get_frame_ts;
2416 epan->get_interface_name = cap_file_get_interface_name;
2417 epan->get_user_comment = NULL;
2429 #ifdef USE_TSHARK_SELECT
2433 struct sigaction action, oldaction;
2436 /* Create new dissection section. */
2437 epan_free(cfile.epan);
2438 cfile.epan = tshark_epan_new(&cfile);
2441 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2442 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2444 /* Catch SIGINT and SIGTERM and, if we get either of them,
2445 clean up and exit. If SIGHUP isn't being ignored, catch
2446 it too and, if we get it, clean up and exit.
2448 We restart any read that was in progress, so that it doesn't
2449 disrupt reading from the sync pipe. The signal handler tells
2450 the capture child to finish; it will report that it finished,
2451 or will exit abnormally, so we'll stop reading from the sync
2452 pipe, pick up the exit status, and quit. */
2453 memset(&action, 0, sizeof(action));
2454 action.sa_handler = capture_cleanup;
2455 action.sa_flags = SA_RESTART;
2456 sigemptyset(&action.sa_mask);
2457 sigaction(SIGTERM, &action, NULL);
2458 sigaction(SIGINT, &action, NULL);
2459 sigaction(SIGHUP, NULL, &oldaction);
2460 if (oldaction.sa_handler == SIG_DFL)
2461 sigaction(SIGHUP, &action, NULL);
2464 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2465 quiet mode, report the number of packets we've captured.
2467 Again, restart any read that was in progress, so that it doesn't
2468 disrupt reading from the sync pipe. */
2469 action.sa_handler = report_counts_siginfo;
2470 action.sa_flags = SA_RESTART;
2471 sigemptyset(&action.sa_mask);
2472 sigaction(SIGINFO, &action, NULL);
2473 #endif /* SIGINFO */
2476 global_capture_session.state = CAPTURE_PREPARING;
2478 /* Let the user know which interfaces were chosen. */
2479 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2480 interface_options interface_opts;
2482 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2483 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2484 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2485 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2487 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2488 if (really_quiet == FALSE)
2489 fprintf(stderr, "Capturing on %s\n", str->str);
2491 g_string_free(str, TRUE);
2493 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2498 /* the actual capture loop
2500 * XXX - glib doesn't seem to provide any event based loop handling.
2502 * XXX - for whatever reason,
2503 * calling g_main_loop_new() ends up in 100% cpu load.
2505 * But that doesn't matter: in UNIX we can use select() to find an input
2506 * source with something to do.
2508 * But that doesn't matter because we're in a CLI (that doesn't need to
2509 * update a GUI or something at the same time) so it's OK if we block
2510 * trying to read from the pipe.
2512 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2513 * wrong (but I leave it there in case I am...).
2516 #ifdef USE_TSHARK_SELECT
2518 FD_SET(pipe_input.source, &readfds);
2521 loop_running = TRUE;
2525 while (loop_running)
2527 #ifdef USE_TSHARK_SELECT
2528 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2532 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2534 } else if (ret == 1) {
2536 /* Call the real handler */
2537 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2538 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2541 #ifdef USE_TSHARK_SELECT
2546 CATCH(OutOfMemoryError) {
2550 "Sorry, but TShark has to terminate now.\n"
2552 "More information and workarounds can be found at\n"
2553 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2560 /* capture child detected an error */
2562 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2564 cmdarg_err("%s", error_msg);
2565 cmdarg_err_cont("%s", secondary_error_msg);
2569 /* capture child detected an capture filter related error */
2571 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2573 capture_options *capture_opts = cap_session->capture_opts;
2574 dfilter_t *rfcode = NULL;
2575 interface_options interface_opts;
2577 g_assert(i < capture_opts->ifaces->len);
2578 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2580 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2582 "Invalid capture filter \"%s\" for interface '%s'.\n"
2584 "That string looks like a valid display filter; however, it isn't a valid\n"
2585 "capture filter (%s).\n"
2587 "Note that display filters and capture filters don't have the same syntax,\n"
2588 "so you can't use most display filter expressions as capture filters.\n"
2590 "See the User's Guide for a description of the capture filter syntax.",
2591 interface_opts.cfilter, interface_opts.descr, error_message);
2592 dfilter_free(rfcode);
2595 "Invalid capture filter \"%s\" for interface '%s'.\n"
2597 "That string isn't a valid capture filter (%s).\n"
2598 "See the User's Guide for a description of the capture filter syntax.",
2599 interface_opts.cfilter, interface_opts.descr, error_message);
2604 /* capture child tells us we have a new (or the first) capture file */
2606 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2608 capture_options *capture_opts = cap_session->capture_opts;
2609 capture_file *cf = (capture_file *) cap_session->cf;
2610 gboolean is_tempfile;
2613 if (cap_session->state == CAPTURE_PREPARING) {
2614 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2616 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2618 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2620 /* free the old filename */
2621 if (capture_opts->save_file != NULL) {
2623 /* we start a new capture file, close the old one (if we had one before) */
2624 if (cf->state != FILE_CLOSED) {
2625 if (cf->wth != NULL) {
2626 wtap_close(cf->wth);
2629 cf->state = FILE_CLOSED;
2632 g_free(capture_opts->save_file);
2633 is_tempfile = FALSE;
2635 epan_free(cf->epan);
2636 cf->epan = tshark_epan_new(cf);
2638 /* we didn't had a save_file before, must be a tempfile */
2642 /* save the new filename */
2643 capture_opts->save_file = g_strdup(new_file);
2645 /* if we are in real-time mode, open the new file now */
2646 if (do_dissection) {
2647 /* this is probably unecessary, but better safe than sorry */
2648 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2649 /* Attempt to open the capture file and set up to read from it. */
2650 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2654 /* Don't unlink (delete) the save file - leave it around,
2655 for debugging purposes. */
2656 g_free(capture_opts->save_file);
2657 capture_opts->save_file = NULL;
2662 cap_session->state = CAPTURE_RUNNING;
2668 /* capture child tells us we have new packets to read */
2670 capture_input_new_packets(capture_session *cap_session, int to_read)
2676 capture_file *cf = (capture_file *)cap_session->cf;
2677 gboolean filtering_tap_listeners;
2682 * Prevent a SIGINFO handler from writing to the standard error while
2683 * we're doing so or writing to the standard output; instead, have it
2684 * just set a flag telling us to print that information when we're done.
2687 #endif /* SIGINFO */
2689 /* Do we have any tap listeners with filters? */
2690 filtering_tap_listeners = have_filtering_tap_listeners();
2692 /* Get the union of the flags for all tap listeners. */
2693 tap_flags = union_of_tap_listener_flags();
2695 if (do_dissection) {
2696 gboolean create_proto_tree;
2697 epan_dissect_t *edt;
2699 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2700 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2701 create_proto_tree = TRUE;
2703 create_proto_tree = FALSE;
2705 /* The protocol tree will be "visible", i.e., printed, only if we're
2706 printing packet details, which is true if we're printing stuff
2707 ("print_packet_info" is true) and we're in verbose mode
2708 ("packet_details" is true). */
2709 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2711 while (to_read-- && cf->wth) {
2712 wtap_cleareof(cf->wth);
2713 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2715 /* read from file failed, tell the capture child to stop */
2716 sync_pipe_stop(cap_session);
2717 wtap_close(cf->wth);
2720 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2721 wtap_buf_ptr(cf->wth),
2725 /* packet successfully read and gone through the "Read Filter" */
2730 epan_dissect_free(edt);
2734 * Dumpcap's doing all the work; we're not doing any dissection.
2735 * Count all the packets it wrote.
2737 packet_count += to_read;
2740 if (print_packet_counts) {
2741 /* We're printing packet counts. */
2742 if (packet_count != 0) {
2743 fprintf(stderr, "\r%u ", packet_count);
2744 /* stderr could be line buffered */
2751 * Allow SIGINFO handlers to write.
2756 * If a SIGINFO handler asked us to write out capture counts, do so.
2760 #endif /* SIGINFO */
2766 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2767 /* Report the count only if we aren't printing a packet count
2768 as packets arrive. */
2769 fprintf(stderr, "%u packet%s captured\n", packet_count,
2770 plurality(packet_count, "", "s"));
2773 infoprint = FALSE; /* we just reported it */
2774 #endif /* SIGINFO */
2779 report_counts_siginfo(int signum _U_)
2781 int sav_errno = errno;
2782 /* If we've been told to delay printing, just set a flag asking
2783 that we print counts (if we're supposed to), otherwise print
2784 the count of packets captured (if we're supposed to). */
2791 #endif /* SIGINFO */
2794 /* capture child detected any packet drops? */
2796 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2798 if (print_packet_counts) {
2799 /* We're printing packet counts to stderr.
2800 Send a newline so that we move to the line after the packet count. */
2801 fprintf(stderr, "\n");
2805 /* We're printing packet counts to stderr.
2806 Send a newline so that we move to the line after the packet count. */
2807 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2813 * Capture child closed its side of the pipe, report any error and
2814 * do the required cleanup.
2817 capture_input_closed(capture_session *cap_session, gchar *msg)
2819 capture_file *cf = (capture_file *) cap_session->cf;
2822 fprintf(stderr, "tshark: %s\n", msg);
2826 if (cf != NULL && cf->wth != NULL) {
2827 wtap_close(cf->wth);
2828 if (cf->is_tempfile) {
2829 ws_unlink(cf->filename);
2832 #ifdef USE_BROKEN_G_MAIN_LOOP
2833 /*g_main_loop_quit(loop);*/
2834 g_main_loop_quit(loop);
2836 loop_running = FALSE;
2845 capture_cleanup(DWORD ctrltype _U_)
2847 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2848 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2849 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2850 like SIGTERM at least when the machine's shutting down.
2852 For now, we handle them all as indications that we should clean up
2853 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2856 We must return TRUE so that no other handler - such as one that would
2857 terminate the process - gets called.
2859 XXX - for some reason, typing ^C to TShark, if you run this in
2860 a Cygwin console window in at least some versions of Cygwin,
2861 causes TShark to terminate immediately; this routine gets
2862 called, but the main loop doesn't get a chance to run and
2863 exit cleanly, at least if this is compiled with Microsoft Visual
2864 C++ (i.e., it's a property of the Cygwin console window or Bash;
2865 it happens if TShark is not built with Cygwin - for all I know,
2866 building it with Cygwin may make the problem go away). */
2868 /* tell the capture child to stop */
2869 sync_pipe_stop(&global_capture_session);
2871 /* don't stop our own loop already here, otherwise status messages and
2872 * cleanup wouldn't be done properly. The child will indicate the stop of
2873 * everything by calling capture_input_closed() later */
2879 capture_cleanup(int signum _U_)
2881 /* tell the capture child to stop */
2882 sync_pipe_stop(&global_capture_session);
2884 /* don't stop our own loop already here, otherwise status messages and
2885 * cleanup wouldn't be done properly. The child will indicate the stop of
2886 * everything by calling capture_input_closed() later */
2889 #endif /* HAVE_LIBPCAP */
2892 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2893 gint64 offset, struct wtap_pkthdr *whdr,
2900 /* The frame number of this packet is one more than the count of
2901 frames in this packet. */
2902 framenum = cf->count + 1;
2904 /* If we're not running a display filter and we're not printing any
2905 packet information, we don't need to do a dissection. This means
2906 that all packets can be marked as 'passed'. */
2909 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2911 /* If we're going to print packet information, or we're going to
2912 run a read filter, or display filter, or we're going to process taps, set up to
2913 do a dissection and do so. */
2915 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2916 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2917 /* Grab any resolved addresses */
2918 host_name_lookup_process();
2920 /* If we're running a read filter, prime the epan_dissect_t with that
2923 epan_dissect_prime_dfilter(edt, cf->rfcode);
2926 epan_dissect_prime_dfilter(edt, cf->dfcode);
2928 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2930 if (ref == &fdlocal) {
2931 ref_frame = fdlocal;
2935 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2937 /* Run the read filter if we have one. */
2939 passed = dfilter_apply_edt(cf->rfcode, edt);
2943 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2944 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2946 /* If we're not doing dissection then there won't be any dependent frames.
2947 * More importantly, edt.pi.dependent_frames won't be initialized because
2948 * epan hasn't been initialized.
2949 * if we *are* doing dissection, then mark the dependent frames, but only
2950 * if a display filter was given and it matches this packet.
2952 if (edt && cf->dfcode) {
2953 if (dfilter_apply_edt(cf->dfcode, edt)) {
2954 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2960 /* if we don't add it to the frame_data_sequence, clean it up right now
2962 frame_data_destroy(&fdlocal);
2966 epan_dissect_reset(edt);
2972 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2973 struct wtap_pkthdr *phdr, Buffer *buf,
2979 /* If we're not running a display filter and we're not printing any
2980 packet information, we don't need to do a dissection. This means
2981 that all packets can be marked as 'passed'. */
2984 /* If we're going to print packet information, or we're going to
2985 run a read filter, or we're going to process taps, set up to
2986 do a dissection and do so. */
2988 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2989 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2990 /* Grab any resolved addresses */
2991 host_name_lookup_process();
2993 /* If we're running a display filter, prime the epan_dissect_t with that
2996 epan_dissect_prime_dfilter(edt, cf->dfcode);
2998 col_custom_prime_edt(edt, &cf->cinfo);
3000 /* We only need the columns if either
3001 1) some tap needs the columns
3003 2) we're printing packet info but we're *not* verbose; in verbose
3004 mode, we print the protocol tree, not the protocol summary.
3006 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
3011 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3018 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3020 /* Run the read/display filter if we have one. */
3022 passed = dfilter_apply_edt(cf->dfcode, edt);
3026 frame_data_set_after_dissect(fdata, &cum_bytes);
3027 /* Process this packet. */
3028 if (print_packet_info) {
3029 /* We're printing packet information; print the information for
3031 print_packet(cf, edt);
3033 /* The ANSI C standard does not appear to *require* that a line-buffered
3034 stream be flushed to the host environment whenever a newline is
3035 written, it just says that, on such a stream, characters "are
3036 intended to be transmitted to or from the host environment as a
3037 block when a new-line character is encountered".
3039 The Visual C++ 6.0 C implementation doesn't do what is intended;
3040 even if you set a stream to be line-buffered, it still doesn't
3041 flush the buffer at the end of every line.
3043 So, if the "-l" flag was specified, we flush the standard output
3044 at the end of a packet. This will do the right thing if we're
3045 printing packet summary lines, and, as we print the entire protocol
3046 tree for a single packet without waiting for anything to happen,
3047 it should be as good as line-buffered mode if we're printing
3048 protocol trees. (The whole reason for the "-l" flag in either
3049 tcpdump or TShark is to allow the output of a live capture to
3050 be piped to a program or script and to have that script see the
3051 information for the packet as soon as it's printed, rather than
3052 having to wait until a standard I/O buffer fills up. */
3056 if (ferror(stdout)) {
3057 show_print_file_io_error(errno);
3066 epan_dissect_reset(edt);
3068 return passed || fdata->flags.dependent_of_displayed;
3072 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3073 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3076 int snapshot_length;
3080 gchar *err_info = NULL;
3082 char *save_file_string = NULL;
3083 gboolean filtering_tap_listeners;
3085 wtapng_section_t *shb_hdr;
3086 wtapng_iface_descriptions_t *idb_inf;
3087 char *appname = NULL;
3088 struct wtap_pkthdr phdr;
3090 epan_dissect_t *edt = NULL;
3092 wtap_phdr_init(&phdr);
3094 shb_hdr = wtap_file_get_shb_info(cf->wth);
3095 idb_inf = wtap_file_get_idb_info(cf->wth);
3096 #ifdef PCAP_NG_DEFAULT
3097 if (idb_inf->interface_data->len > 1) {
3098 linktype = WTAP_ENCAP_PER_PACKET;
3100 linktype = wtap_file_encap(cf->wth);
3103 linktype = wtap_file_encap(cf->wth);
3105 if (save_file != NULL) {
3106 /* Get a string that describes what we're writing to */
3107 save_file_string = output_file_description(save_file);
3109 /* Set up to write to the capture file. */
3110 snapshot_length = wtap_snapshot_length(cf->wth);
3111 if (snapshot_length == 0) {
3112 /* Snapshot length of input file not known. */
3113 snapshot_length = WTAP_MAX_PACKET_SIZE;
3115 /* If we don't have an application name add Tshark */
3116 if (shb_hdr->shb_user_appl == NULL) {
3117 appname = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3118 shb_hdr->shb_user_appl = appname;
3121 if (linktype != WTAP_ENCAP_PER_PACKET &&
3122 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3123 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3124 snapshot_length, FALSE /* compressed */, &err);
3126 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3127 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3133 /* We couldn't set up to write to the capture file. */
3136 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3137 cmdarg_err("Capture files can't be written in that format.");
3140 case WTAP_ERR_UNWRITABLE_ENCAP:
3141 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3142 cmdarg_err("The capture file being read can't be written as a "
3143 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3146 case WTAP_ERR_CANT_OPEN:
3147 cmdarg_err("The %s couldn't be created for some "
3148 "unknown reason.", save_file_string);
3151 case WTAP_ERR_SHORT_WRITE:
3152 cmdarg_err("A full header couldn't be written to the %s.",
3157 cmdarg_err("The %s could not be created: %s.", save_file_string,
3158 wtap_strerror(err));
3164 if (print_packet_info) {
3165 if (!write_preamble(cf)) {
3167 show_print_file_io_error(err);
3176 /* Do we have any tap listeners with filters? */
3177 filtering_tap_listeners = have_filtering_tap_listeners();
3179 /* Get the union of the flags for all tap listeners. */
3180 tap_flags = union_of_tap_listener_flags();
3182 if (perform_two_pass_analysis) {
3185 /* Allocate a frame_data_sequence for all the frames. */
3186 cf->frames = new_frame_data_sequence();
3188 if (do_dissection) {
3189 gboolean create_proto_tree = FALSE;
3191 /* If we're going to be applying a filter, we'll need to
3192 create a protocol tree against which to apply the filter. */
3193 if (cf->rfcode || cf->dfcode)
3194 create_proto_tree = TRUE;
3196 /* We're not going to display the protocol tree on this pass,
3197 so it's not going to be "visible". */
3198 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3201 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3202 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3203 wtap_buf_ptr(cf->wth))) {
3204 /* Stop reading if we have the maximum number of packets;
3205 * When the -c option has not been used, max_packet_count
3206 * starts at 0, which practically means, never stop reading.
3207 * (unless we roll over max_packet_count ?)
3209 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3210 err = 0; /* This is not an error */
3217 epan_dissect_free(edt);
3221 /* Close the sequential I/O side, to free up memory it requires. */
3222 wtap_sequential_close(cf->wth);
3224 /* Allow the protocol dissectors to free up memory that they
3225 * don't need after the sequential run-through of the packets. */
3226 postseq_cleanup_all_protocols();
3230 ws_buffer_init(&buf, 1500);
3232 if (do_dissection) {
3233 gboolean create_proto_tree;
3235 if (cf->dfcode || print_details || filtering_tap_listeners ||
3236 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3237 create_proto_tree = TRUE;
3239 create_proto_tree = FALSE;
3241 /* The protocol tree will be "visible", i.e., printed, only if we're
3242 printing packet details, which is true if we're printing stuff
3243 ("print_packet_info" is true) and we're in verbose mode
3244 ("packet_details" is true). */
3245 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3248 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3249 fdata = frame_data_sequence_find(cf->frames, framenum);
3250 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3252 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3254 /* Either there's no read filtering or this packet passed the
3255 filter, so, if we're writing to a capture file, write
3258 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3259 /* Error writing to a capture file */
3262 case WTAP_ERR_UNWRITABLE_ENCAP:
3264 * This is a problem with the particular frame we're writing
3265 * and the file type and subtype we're writing; note that,
3266 * and report the frame number and file type/subtype.
3268 * XXX - framenum is not necessarily the frame number in
3269 * the input file if there was a read filter.
3272 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3273 framenum, cf->filename,
3274 wtap_file_type_subtype_short_string(out_file_type));
3277 case WTAP_ERR_PACKET_TOO_LARGE:
3279 * This is a problem with the particular frame we're writing
3280 * and the file type and subtype we're writing; note that,
3281 * and report the frame number and file type/subtype.
3283 * XXX - framenum is not necessarily the frame number in
3284 * the input file if there was a read filter.
3287 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3288 framenum, cf->filename,
3289 wtap_file_type_subtype_short_string(out_file_type));
3292 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3294 * This is a problem with the particular record we're writing
3295 * and the file type and subtype we're writing; note that,
3296 * and report the record number and file type/subtype.
3298 * XXX - framenum is not necessarily the record number in
3299 * the input file if there was a read filter.
3302 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3303 framenum, cf->filename,
3304 wtap_file_type_subtype_short_string(out_file_type));
3307 case WTAP_ERR_UNWRITABLE_REC_DATA:
3309 * This is a problem with the particular record we're writing
3310 * and the file type and subtype we're writing; note that,
3311 * and report the record number and file type/subtype.
3313 * XXX - framenum is not necessarily the record number in
3314 * the input file if there was a read filter.
3317 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3318 framenum, cf->filename,
3319 wtap_file_type_subtype_short_string(out_file_type),
3320 err_info != NULL ? err_info : "no information supplied");
3325 show_capture_file_io_error(save_file, err, FALSE);
3328 wtap_dump_close(pdh, &err);
3339 epan_dissect_free(edt);
3343 ws_buffer_free(&buf);
3348 if (do_dissection) {
3349 gboolean create_proto_tree;
3351 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3352 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3353 create_proto_tree = TRUE;
3355 create_proto_tree = FALSE;
3357 /* The protocol tree will be "visible", i.e., printed, only if we're
3358 printing packet details, which is true if we're printing stuff
3359 ("print_packet_info" is true) and we're in verbose mode
3360 ("packet_details" is true). */
3361 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3364 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3367 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3368 wtap_buf_ptr(cf->wth),
3370 /* Either there's no read filtering or this packet passed the
3371 filter, so, if we're writing to a capture file, write
3374 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3375 /* Error writing to a capture file */
3378 case WTAP_ERR_UNWRITABLE_ENCAP:
3380 * This is a problem with the particular frame we're writing
3381 * and the file type and subtype we're writing; note that,
3382 * and report the frame number and file type/subtype.
3385 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3386 framenum, cf->filename,
3387 wtap_file_type_subtype_short_string(out_file_type));
3390 case WTAP_ERR_PACKET_TOO_LARGE:
3392 * This is a problem with the particular frame we're writing
3393 * and the file type and subtype we're writing; note that,
3394 * and report the frame number and file type/subtype.
3397 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3398 framenum, cf->filename,
3399 wtap_file_type_subtype_short_string(out_file_type));
3402 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3404 * This is a problem with the particular record we're writing
3405 * and the file type and subtype we're writing; note that,
3406 * and report the record number and file type/subtype.
3409 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3410 framenum, cf->filename,
3411 wtap_file_type_subtype_short_string(out_file_type));
3414 case WTAP_ERR_UNWRITABLE_REC_DATA:
3416 * This is a problem with the particular record we're writing
3417 * and the file type and subtype we're writing; note that,
3418 * and report the record number and file type/subtype.
3421 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3422 framenum, cf->filename,
3423 wtap_file_type_subtype_short_string(out_file_type),
3424 err_info != NULL ? err_info : "no information supplied");
3429 show_capture_file_io_error(save_file, err, FALSE);
3432 wtap_dump_close(pdh, &err);
3439 /* Stop reading if we have the maximum number of packets;
3440 * When the -c option has not been used, max_packet_count
3441 * starts at 0, which practically means, never stop reading.
3442 * (unless we roll over max_packet_count ?)
3444 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3445 err = 0; /* This is not an error */
3451 epan_dissect_free(edt);
3456 wtap_phdr_cleanup(&phdr);
3460 * Print a message noting that the read failed somewhere along the line.
3462 * If we're printing packet data, and the standard output and error are
3463 * going to the same place, flush the standard output, so everything
3464 * buffered up is written, and then print a newline to the standard error
3465 * before printing the error message, to separate it from the packet
3466 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3467 * the _fstat() documentation at Microsoft doesn't indicate whether
3468 * st_ino is even supported.)
3471 if (print_packet_info) {
3472 ws_statb64 stat_stdout, stat_stderr;
3474 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3475 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3476 stat_stdout.st_ino == stat_stderr.st_ino) {
3478 fprintf(stderr, "\n");
3485 case WTAP_ERR_UNSUPPORTED:
3486 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3488 err_info != NULL ? err_info : "no information supplied");
3492 case WTAP_ERR_SHORT_READ:
3493 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3497 case WTAP_ERR_BAD_FILE:
3498 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3500 err_info != NULL ? err_info : "no information supplied");
3504 case WTAP_ERR_DECOMPRESS:
3505 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3506 "(%s)", cf->filename,
3507 err_info != NULL ? err_info : "no information supplied");
3512 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3513 cf->filename, wtap_strerror(err));
3516 if (save_file != NULL) {
3517 /* Now close the capture file. */
3518 if (!wtap_dump_close(pdh, &err))
3519 show_capture_file_io_error(save_file, err, TRUE);
3522 if (save_file != NULL) {
3523 if (pdh && out_file_name_res) {
3524 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3525 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3526 wtap_file_type_subtype_short_string(out_file_type));
3529 /* Now close the capture file. */
3530 if (!wtap_dump_close(pdh, &err))
3531 show_capture_file_io_error(save_file, err, TRUE);
3533 if (print_packet_info) {
3534 if (!write_finale()) {
3536 show_print_file_io_error(err);
3543 wtap_close(cf->wth);
3546 g_free(save_file_string);
3554 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3555 const guchar *pd, guint tap_flags)
3561 /* Count this packet. */
3564 /* If we're not running a display filter and we're not printing any
3565 packet information, we don't need to do a dissection. This means
3566 that all packets can be marked as 'passed'. */
3569 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3571 /* If we're going to print packet information, or we're going to
3572 run a read filter, or we're going to process taps, set up to
3573 do a dissection and do so. */
3575 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3576 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3577 /* Grab any resolved addresses */
3578 host_name_lookup_process();
3580 /* If we're running a filter, prime the epan_dissect_t with that
3583 epan_dissect_prime_dfilter(edt, cf->dfcode);
3585 col_custom_prime_edt(edt, &cf->cinfo);
3587 /* We only need the columns if either
3588 1) some tap needs the columns
3590 2) we're printing packet info but we're *not* verbose; in verbose
3591 mode, we print the protocol tree, not the protocol summary.
3593 3) there is a column mapped as an individual field */
3594 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3599 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3601 if (ref == &fdata) {
3606 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3608 /* Run the filter if we have it. */
3610 passed = dfilter_apply_edt(cf->dfcode, edt);
3614 frame_data_set_after_dissect(&fdata, &cum_bytes);
3616 /* Process this packet. */
3617 if (print_packet_info) {
3618 /* We're printing packet information; print the information for
3620 print_packet(cf, edt);
3622 /* The ANSI C standard does not appear to *require* that a line-buffered
3623 stream be flushed to the host environment whenever a newline is
3624 written, it just says that, on such a stream, characters "are
3625 intended to be transmitted to or from the host environment as a
3626 block when a new-line character is encountered".
3628 The Visual C++ 6.0 C implementation doesn't do what is intended;
3629 even if you set a stream to be line-buffered, it still doesn't
3630 flush the buffer at the end of every line.
3632 So, if the "-l" flag was specified, we flush the standard output
3633 at the end of a packet. This will do the right thing if we're
3634 printing packet summary lines, and, as we print the entire protocol
3635 tree for a single packet without waiting for anything to happen,
3636 it should be as good as line-buffered mode if we're printing
3637 protocol trees. (The whole reason for the "-l" flag in either
3638 tcpdump or TShark is to allow the output of a live capture to
3639 be piped to a program or script and to have that script see the
3640 information for the packet as soon as it's printed, rather than
3641 having to wait until a standard I/O buffer fills up. */
3645 if (ferror(stdout)) {
3646 show_print_file_io_error(errno);
3651 /* this must be set after print_packet() [bug #8160] */
3652 prev_dis_frame = fdata;
3653 prev_dis = &prev_dis_frame;
3656 prev_cap_frame = fdata;
3657 prev_cap = &prev_cap_frame;
3660 epan_dissect_reset(edt);
3661 frame_data_destroy(&fdata);
3667 write_preamble(capture_file *cf)
3669 switch (output_action) {
3672 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3676 write_pdml_preamble(stdout, cf->filename);
3678 write_psml_preamble(&cf->cinfo, stdout);
3679 return !ferror(stdout);
3682 write_fields_preamble(output_fields, stdout);
3683 return !ferror(stdout);
3686 g_assert_not_reached();
3692 get_line_buf(size_t len)
3694 static char *line_bufp = NULL;
3695 static size_t line_buf_len = 256;
3696 size_t new_line_buf_len;
3698 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3699 new_line_buf_len *= 2)
3701 if (line_bufp == NULL) {
3702 line_buf_len = new_line_buf_len;
3703 line_bufp = (char *)g_malloc(line_buf_len + 1);
3705 if (new_line_buf_len > line_buf_len) {
3706 line_buf_len = new_line_buf_len;
3707 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3714 put_string(char *dest, const char *str, size_t str_len)
3716 memcpy(dest, str, str_len);
3717 dest[str_len] = '\0';
3721 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3725 for (i = str_len; i < str_with_spaces; i++)
3728 put_string(dest, str, str_len);
3732 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3736 memcpy(dest, str, str_len);
3737 for (i = str_len; i < str_with_spaces; i++)
3740 dest[str_with_spaces] = '\0';
3744 print_columns(capture_file *cf)
3752 line_bufp = get_line_buf(256);
3755 for (i = 0; i < cf->cinfo.num_cols; i++) {
3756 /* Skip columns not marked as visible. */
3757 if (!get_column_visible(i))
3759 switch (cf->cinfo.col_fmt[i]) {
3761 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3764 line_bufp = get_line_buf(buf_offset + column_len);
3765 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3771 case COL_ABS_YMD_TIME: /* XXX - wider */
3772 case COL_ABS_YDOY_TIME: /* XXX - wider */
3774 case COL_UTC_YMD_TIME: /* XXX - wider */
3775 case COL_UTC_YDOY_TIME: /* XXX - wider */
3776 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3777 if (column_len < 10)
3779 line_bufp = get_line_buf(buf_offset + column_len);
3780 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3786 case COL_DEF_DL_SRC:
3787 case COL_RES_DL_SRC:
3788 case COL_UNRES_DL_SRC:
3789 case COL_DEF_NET_SRC:
3790 case COL_RES_NET_SRC:
3791 case COL_UNRES_NET_SRC:
3792 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3793 if (column_len < 12)
3795 line_bufp = get_line_buf(buf_offset + column_len);
3796 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3802 case COL_DEF_DL_DST:
3803 case COL_RES_DL_DST:
3804 case COL_UNRES_DL_DST:
3805 case COL_DEF_NET_DST:
3806 case COL_RES_NET_DST:
3807 case COL_UNRES_NET_DST:
3808 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3809 if (column_len < 12)
3811 line_bufp = get_line_buf(buf_offset + column_len);
3812 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3816 column_len = strlen(cf->cinfo.col_data[i]);
3817 line_bufp = get_line_buf(buf_offset + column_len);
3818 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3821 buf_offset += column_len;
3822 if (i != cf->cinfo.num_cols - 1) {
3824 * This isn't the last column, so we need to print a
3825 * separator between this column and the next.
3827 * If we printed a network source and are printing a
3828 * network destination of the same type next, separate
3829 * them with " -> "; if we printed a network destination
3830 * and are printing a network source of the same type
3831 * next, separate them with " <- "; otherwise separate them
3834 * We add enough space to the buffer for " <- " or " -> ",
3835 * even if we're only adding " ".
3837 line_bufp = get_line_buf(buf_offset + 4);
3838 switch (cf->cinfo.col_fmt[i]) {
3843 switch (cf->cinfo.col_fmt[i + 1]) {
3848 put_string(line_bufp + buf_offset, " -> ", 4);
3853 put_string(line_bufp + buf_offset, " ", 1);
3859 case COL_DEF_DL_SRC:
3860 case COL_RES_DL_SRC:
3861 case COL_UNRES_DL_SRC:
3862 switch (cf->cinfo.col_fmt[i + 1]) {
3864 case COL_DEF_DL_DST:
3865 case COL_RES_DL_DST:
3866 case COL_UNRES_DL_DST:
3867 put_string(line_bufp + buf_offset, " -> ", 4);
3872 put_string(line_bufp + buf_offset, " ", 1);
3878 case COL_DEF_NET_SRC:
3879 case COL_RES_NET_SRC:
3880 case COL_UNRES_NET_SRC:
3881 switch (cf->cinfo.col_fmt[i + 1]) {
3883 case COL_DEF_NET_DST:
3884 case COL_RES_NET_DST:
3885 case COL_UNRES_NET_DST:
3886 put_string(line_bufp + buf_offset, " -> ", 4);
3891 put_string(line_bufp + buf_offset, " ", 1);
3900 switch (cf->cinfo.col_fmt[i + 1]) {
3905 put_string(line_bufp + buf_offset, " <- ", 4);
3910 put_string(line_bufp + buf_offset, " ", 1);
3916 case COL_DEF_DL_DST:
3917 case COL_RES_DL_DST:
3918 case COL_UNRES_DL_DST:
3919 switch (cf->cinfo.col_fmt[i + 1]) {
3921 case COL_DEF_DL_SRC:
3922 case COL_RES_DL_SRC:
3923 case COL_UNRES_DL_SRC:
3924 put_string(line_bufp + buf_offset, " <- ", 4);
3929 put_string(line_bufp + buf_offset, " ", 1);
3935 case COL_DEF_NET_DST:
3936 case COL_RES_NET_DST:
3937 case COL_UNRES_NET_DST:
3938 switch (cf->cinfo.col_fmt[i + 1]) {
3940 case COL_DEF_NET_SRC:
3941 case COL_RES_NET_SRC:
3942 case COL_UNRES_NET_SRC:
3943 put_string(line_bufp + buf_offset, " <- ", 4);
3948 put_string(line_bufp + buf_offset, " ", 1);
3955 put_string(line_bufp + buf_offset, " ", 1);
3961 return print_line(print_stream, 0, line_bufp);
3965 print_packet(capture_file *cf, epan_dissect_t *edt)
3967 print_args_t print_args;
3969 if (print_summary || output_fields_has_cols(output_fields)) {
3970 /* Just fill in the columns. */
3971 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3973 if (print_summary) {
3974 /* Now print them. */
3975 switch (output_action) {
3978 if (!print_columns(cf))
3983 write_psml_columns(edt, stdout);
3984 return !ferror(stdout);
3985 case WRITE_FIELDS: /*No non-verbose "fields" format */
3986 g_assert_not_reached();
3991 if (print_details) {
3992 /* Print the information in the protocol tree. */
3993 switch (output_action) {
3996 /* Only initialize the fields that are actually used in proto_tree_print.
3997 * This is particularly important for .range, as that's heap memory which
3998 * we would otherwise have to g_free().
3999 print_args.to_file = TRUE;
4000 print_args.format = print_format;
4001 print_args.print_summary = print_summary;
4002 print_args.print_formfeed = FALSE;
4003 packet_range_init(&print_args.range, &cfile);
4005 print_args.print_hex = print_hex;
4006 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4008 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4011 if (!print_line(print_stream, 0, separator))
4017 write_pdml_proto_tree(edt, stdout);
4019 return !ferror(stdout);
4021 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4023 return !ferror(stdout);
4027 if (print_summary || print_details) {
4028 if (!print_line(print_stream, 0, ""))
4031 if (!print_hex_data(print_stream, edt))
4033 if (!print_line(print_stream, 0, separator))
4042 switch (output_action) {
4045 return print_finale(print_stream);
4049 write_pdml_finale(stdout);
4051 write_psml_finale(stdout);
4052 return !ferror(stdout);
4055 write_fields_finale(output_fields, stdout);
4056 return !ferror(stdout);
4059 g_assert_not_reached();
4065 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4069 char err_msg[2048+1];
4071 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4075 /* The open succeeded. Fill in the information for this file. */
4077 /* Create new epan session for dissection. */
4078 epan_free(cf->epan);
4079 cf->epan = tshark_epan_new(cf);
4082 cf->f_datalen = 0; /* not used, but set it anyway */
4084 /* Set the file name because we need it to set the follow stream filter.
4085 XXX - is that still true? We need it for other reasons, though,
4087 cf->filename = g_strdup(fname);
4089 /* Indicate whether it's a permanent or temporary file. */
4090 cf->is_tempfile = is_tempfile;
4092 /* No user changes yet. */
4093 cf->unsaved_changes = FALSE;
4095 cf->cd_t = wtap_file_type_subtype(cf->wth);
4096 cf->open_type = type;
4098 cf->drops_known = FALSE;
4100 cf->snap = wtap_snapshot_length(cf->wth);
4101 if (cf->snap == 0) {
4102 /* Snapshot length not known. */
4103 cf->has_snap = FALSE;
4104 cf->snap = WTAP_MAX_PACKET_SIZE;
4106 cf->has_snap = TRUE;
4107 nstime_set_zero(&cf->elapsed_time);
4112 cf->state = FILE_READ_IN_PROGRESS;
4114 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4115 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4120 g_snprintf(err_msg, sizeof err_msg,
4121 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4122 cmdarg_err("%s", err_msg);
4127 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4129 char *save_file_string;
4131 save_file_string = output_file_description(fname);
4136 cmdarg_err("Not all the packets could be written to the %s because there is "
4137 "no space left on the file system.",
4143 cmdarg_err("Not all the packets could be written to the %s because you are "
4144 "too close to, or over your disk quota.",
4149 case WTAP_ERR_CANT_CLOSE:
4150 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4154 case WTAP_ERR_SHORT_WRITE:
4155 cmdarg_err("Not all the packets could be written to the %s.",
4161 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4162 wtap_strerror(err));
4164 cmdarg_err("An error occurred while writing to the %s: %s.",
4165 save_file_string, wtap_strerror(err));
4169 g_free(save_file_string);
4173 show_print_file_io_error(int err)
4178 cmdarg_err("Not all the packets could be printed because there is "
4179 "no space left on the file system.");
4184 cmdarg_err("Not all the packets could be printed because you are "
4185 "too close to, or over your disk quota.");
4190 cmdarg_err("An error occurred while printing packets: %s.",
4197 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4201 static char errmsg_errno[1024+1];
4204 /* Wiretap error. */
4207 case WTAP_ERR_NOT_REGULAR_FILE:
4208 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4211 case WTAP_ERR_RANDOM_OPEN_PIPE:
4212 /* Seen only when opening a capture file for reading. */
4213 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4216 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4217 /* Seen only when opening a capture file for reading. */
4218 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4221 case WTAP_ERR_UNSUPPORTED:
4222 /* Seen only when opening a capture file for reading. */
4223 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4224 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4226 err_info != NULL ? err_info : "no information supplied");
4228 errmsg = errmsg_errno;
4231 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4232 /* Seen only when opening a capture file for writing. */
4233 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4234 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4235 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4236 errmsg = errmsg_errno;
4239 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4240 /* Seen only when opening a capture file for writing. */
4241 errmsg = "TShark doesn't support writing capture files in that format.";
4244 case WTAP_ERR_UNWRITABLE_ENCAP:
4245 /* Seen only when opening a capture file for writing. */
4246 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4247 "TShark can't save this capture as a \"%s\" file.",
4248 wtap_file_type_subtype_short_string(file_type));
4249 errmsg = errmsg_errno;
4252 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4254 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4255 "TShark can't save this capture as a \"%s\" file.",
4256 wtap_file_type_subtype_short_string(file_type));
4257 errmsg = errmsg_errno;
4259 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4262 case WTAP_ERR_BAD_FILE:
4263 /* Seen only when opening a capture file for reading. */
4264 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4265 "The file \"%%s\" appears to be damaged or corrupt.\n"
4267 err_info != NULL ? err_info : "no information supplied");
4269 errmsg = errmsg_errno;
4272 case WTAP_ERR_CANT_OPEN:
4274 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4276 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4279 case WTAP_ERR_SHORT_READ:
4280 errmsg = "The file \"%s\" appears to have been cut short"
4281 " in the middle of a packet or other data.";
4284 case WTAP_ERR_SHORT_WRITE:
4285 errmsg = "A full header couldn't be written to the file \"%s\".";
4288 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4289 errmsg = "This file type cannot be written as a compressed file.";
4292 case WTAP_ERR_DECOMPRESS:
4293 /* Seen only when opening a capture file for reading. */
4294 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4295 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4297 err_info != NULL ? err_info : "no information supplied");
4299 errmsg = errmsg_errno;
4303 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4304 "The file \"%%s\" could not be %s: %s.",
4305 for_writing ? "created" : "opened",
4306 wtap_strerror(err));
4307 errmsg = errmsg_errno;
4311 errmsg = file_open_error_message(err, for_writing);
4316 * Open/create errors are reported with an console message in TShark.
4319 open_failure_message(const char *filename, int err, gboolean for_writing)
4321 fprintf(stderr, "tshark: ");
4322 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4323 fprintf(stderr, "\n");
4327 * General errors are reported with an console message in TShark.
4330 failure_message(const char *msg_format, va_list ap)
4332 fprintf(stderr, "tshark: ");
4333 vfprintf(stderr, msg_format, ap);
4334 fprintf(stderr, "\n");
4338 * Read errors are reported with an console message in TShark.
4341 read_failure_message(const char *filename, int err)
4343 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4344 filename, g_strerror(err));
4348 * Write errors are reported with an console message in TShark.
4351 write_failure_message(const char *filename, int err)
4353 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4354 filename, g_strerror(err));
4358 * Report additional information for an error in command-line arguments.
4361 failure_message_cont(const char *msg_format, va_list ap)
4363 vfprintf(stderr, msg_format, ap);
4364 fprintf(stderr, "\n");
4368 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4373 * indent-tabs-mode: nil
4376 * vi: set shiftwidth=2 tabstop=8 expandtab:
4377 * :indentSize=2:tabSize=8:noTabs=true: