3 * Text-mode variant of Wireshark, along the lines of tcpdump and snoop,
4 * by Gilbert Ramirez <gram@alumni.rice.edu> and Guy Harris <guy@alum.mit.edu>.
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
51 #ifdef HAVE_SYS_STAT_H
52 # include <sys/stat.h>
56 #include <zlib.h> /* to get the libz version number */
60 # include <sys/capability.h>
63 #ifndef HAVE_GETOPT_LONG
64 #include "wsutil/wsgetopt.h"
69 #include <epan/exceptions.h>
70 #include <epan/epan-int.h>
71 #include <epan/epan.h>
73 #include <wsutil/clopts_common.h>
74 #include <wsutil/cmdarg_err.h>
75 #include <wsutil/crash_info.h>
76 #include <wsutil/filesystem.h>
77 #include <wsutil/file_util.h>
78 #include <wsutil/privileges.h>
79 #include <wsutil/report_err.h>
80 #include <wsutil/ws_diag_control.h>
81 #include <wsutil/ws_version_info.h>
84 #include <epan/timestamp.h>
85 #include <epan/packet.h>
87 #include <epan/wslua/init_wslua.h>
90 #include "frame_tvbuff.h"
91 #include <epan/disabled_protos.h>
92 #include <epan/prefs.h>
93 #include <epan/column.h>
94 #include <epan/print.h>
95 #include <epan/addr_resolv.h>
97 #include "ui/capture_ui_utils.h"
100 #include "ui/ui_util.h"
101 #include "ui/cli/tshark-tap.h"
102 #include "register.h"
103 #include <epan/epan_dissect.h>
104 #include <epan/tap.h>
105 #include <epan/stat_tap_ui.h>
106 #include <epan/conversation_table.h>
107 #include <epan/ex-opt.h>
109 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
110 #include <epan/asn1.h>
111 #include <epan/dissectors/packet-kerberos.h>
114 #include "capture_opts.h"
116 #include "caputils/capture-pcap-util.h"
119 #include "caputils/capture_ifinfo.h"
121 #include "caputils/capture-wpcap.h"
122 #include <wsutil/os_version_info.h>
123 #include <wsutil/unicode-utils.h>
125 #include <capchild/capture_session.h>
126 #include <capchild/capture_sync.h>
127 #endif /* HAVE_LIBPCAP */
129 #include <epan/funnel.h>
132 #include <wsutil/plugins.h>
136 * This is the template for the decode as option; it is shared between the
137 * various functions that output the usage for this parameter.
139 static const gchar decode_as_arg_template[] = "<layer_type>==<selector>,<decode_as_protocol>";
141 static guint32 cum_bytes;
142 static const frame_data *ref;
143 static frame_data ref_frame;
144 static frame_data *prev_dis;
145 static frame_data prev_dis_frame;
146 static frame_data *prev_cap;
147 static frame_data prev_cap_frame;
149 static const char* prev_display_dissector_name = NULL;
151 static gboolean perform_two_pass_analysis;
154 * The way the packet decode is to be written.
157 WRITE_TEXT, /* summary or detail text */
158 WRITE_XML, /* PDML or PSML */
159 WRITE_FIELDS /* User defined list of fields */
160 /* Add CSV and the like here */
163 static output_action_e output_action;
164 static gboolean do_dissection; /* TRUE if we have to dissect each packet */
165 static gboolean print_packet_info; /* TRUE if we're to print packet information */
166 static gint print_summary = -1; /* TRUE if we're to print packet summary information */
167 static gboolean print_details; /* TRUE if we're to print packet details information */
168 static gboolean print_hex; /* TRUE if we're to print hex/ascci information */
169 static gboolean line_buffered;
170 static gboolean really_quiet = FALSE;
172 static print_format_e print_format = PR_FMT_TEXT;
173 static print_stream_t *print_stream;
175 static output_fields_t* output_fields = NULL;
177 /* The line separator used between packets, changeable via the -S option */
178 static const char *separator = "";
182 * TRUE if we're to print packet counts to keep track of captured packets.
184 static gboolean print_packet_counts;
186 static capture_options global_capture_opts;
187 static capture_session global_capture_session;
190 static gboolean infodelay; /* if TRUE, don't print capture info in SIGINFO handler */
191 static gboolean infoprint; /* if TRUE, print capture info after clearing infodelay */
194 static gboolean capture(void);
195 static void report_counts(void);
197 static BOOL WINAPI capture_cleanup(DWORD);
199 static void capture_cleanup(int);
201 static void report_counts_siginfo(int);
205 #else /* HAVE_LIBPCAP */
207 static char *output_file_name;
209 #endif /* HAVE_LIBPCAP */
211 static int load_cap_file(capture_file *, char *, int, gboolean, int, gint64);
212 static gboolean process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset,
213 struct wtap_pkthdr *whdr, const guchar *pd,
215 static void show_capture_file_io_error(const char *, int, gboolean);
216 static void show_print_file_io_error(int err);
217 static gboolean write_preamble(capture_file *cf);
218 static gboolean print_packet(capture_file *cf, epan_dissect_t *edt);
219 static gboolean write_finale(void);
220 static const char *cf_open_error_message(int err, gchar *err_info,
221 gboolean for_writing, int file_type);
223 static void open_failure_message(const char *filename, int err,
224 gboolean for_writing);
225 static void failure_message(const char *msg_format, va_list ap);
226 static void read_failure_message(const char *filename, int err);
227 static void write_failure_message(const char *filename, int err);
228 static void failure_message_cont(const char *msg_format, va_list ap);
232 static GHashTable *output_only_tables = NULL;
235 const char *sstr; /* The short string */
236 const char *lstr; /* The long string */
240 string_compare(gconstpointer a, gconstpointer b)
242 return strcmp(((const struct string_elem *)a)->sstr,
243 ((const struct string_elem *)b)->sstr);
247 string_elem_print(gpointer data, gpointer not_used _U_)
249 fprintf(stderr, " %s - %s\n",
250 ((struct string_elem *)data)->sstr,
251 ((struct string_elem *)data)->lstr);
255 list_capture_types(void) {
257 struct string_elem *captypes;
260 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
262 fprintf(stderr, "tshark: The available capture file types for the \"-F\" flag are:\n");
263 for (i = 0; i < WTAP_NUM_FILE_TYPES_SUBTYPES; i++) {
264 if (wtap_dump_can_open(i)) {
265 captypes[i].sstr = wtap_file_type_subtype_short_string(i);
266 captypes[i].lstr = wtap_file_type_subtype_string(i);
267 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
270 g_slist_foreach(list, string_elem_print, NULL);
276 list_read_capture_types(void) {
278 struct string_elem *captypes;
280 const char *magic = "Magic-value-based";
281 const char *heuristic = "Heuristics-based";
283 /* this is a hack, but WTAP_NUM_FILE_TYPES_SUBTYPES is always >= number of open routines so we're safe */
284 captypes = g_new(struct string_elem, WTAP_NUM_FILE_TYPES_SUBTYPES);
286 fprintf(stderr, "tshark: The available read file types for the \"-X read_format:\" option are:\n");
287 for (i = 0; open_routines[i].name != NULL; i++) {
288 captypes[i].sstr = open_routines[i].name;
289 captypes[i].lstr = (open_routines[i].type == OPEN_INFO_MAGIC) ? magic : heuristic;
290 list = g_slist_insert_sorted(list, &captypes[i], string_compare);
292 g_slist_foreach(list, string_elem_print, NULL);
298 print_usage(FILE *output)
300 fprintf(output, "\n");
301 fprintf(output, "Usage: tshark [options] ...\n");
302 fprintf(output, "\n");
305 fprintf(output, "Capture interface:\n");
306 fprintf(output, " -i <interface> name or idx of interface (def: first non-loopback)\n");
307 fprintf(output, " -f <capture filter> packet filter in libpcap filter syntax\n");
308 fprintf(output, " -s <snaplen> packet snapshot length (def: 65535)\n");
309 fprintf(output, " -p don't capture in promiscuous mode\n");
310 #ifdef HAVE_PCAP_CREATE
311 fprintf(output, " -I capture in monitor mode, if available\n");
313 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
314 fprintf(output, " -B <buffer size> size of kernel buffer (def: %dMB)\n", DEFAULT_CAPTURE_BUFFER_SIZE);
316 fprintf(output, " -y <link type> link layer type (def: first appropriate)\n");
317 fprintf(output, " -D print list of interfaces and exit\n");
318 fprintf(output, " -L print list of link-layer types of iface and exit\n");
319 fprintf(output, "\n");
320 fprintf(output, "Capture stop conditions:\n");
321 fprintf(output, " -c <packet count> stop after n packets (def: infinite)\n");
322 fprintf(output, " -a <autostop cond.> ... duration:NUM - stop after NUM seconds\n");
323 fprintf(output, " filesize:NUM - stop this file after NUM KB\n");
324 fprintf(output, " files:NUM - stop after NUM files\n");
325 /*fprintf(output, "\n");*/
326 fprintf(output, "Capture output:\n");
327 fprintf(output, " -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\n");
328 fprintf(output, " filesize:NUM - switch to next file after NUM KB\n");
329 fprintf(output, " files:NUM - ringbuffer: replace after NUM files\n");
330 #endif /* HAVE_LIBPCAP */
331 #ifdef HAVE_PCAP_REMOTE
332 fprintf(output, "RPCAP options:\n");
333 fprintf(output, " -A <user>:<password> use RPCAP password authentication\n");
335 /*fprintf(output, "\n");*/
336 fprintf(output, "Input file:\n");
337 fprintf(output, " -r <infile> set the filename to read from (- to read from stdin)\n");
339 fprintf(output, "\n");
340 fprintf(output, "Processing:\n");
341 fprintf(output, " -2 perform a two-pass analysis\n");
342 fprintf(output, " -R <read filter> packet Read filter in Wireshark display filter syntax\n");
343 fprintf(output, " -Y <display filter> packet displaY filter in Wireshark display filter\n");
344 fprintf(output, " syntax\n");
345 fprintf(output, " -n disable all name resolutions (def: all enabled)\n");
346 fprintf(output, " -N <name resolve flags> enable specific name resolution(s): \"mntC\"\n");
347 fprintf(output, " -d %s ...\n", decode_as_arg_template);
348 fprintf(output, " \"Decode As\", see the man page for details\n");
349 fprintf(output, " Example: tcp.port==8888,http\n");
350 fprintf(output, " -H <hosts file> read a list of entries from a hosts file, which will\n");
351 fprintf(output, " then be written to a capture file. (Implies -W n)\n");
353 /*fprintf(output, "\n");*/
354 fprintf(output, "Output:\n");
355 fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
356 fprintf(output, " (or to the standard output for \"-\")\n");
357 fprintf(output, " -C <config profile> start with specified configuration profile\n");
358 fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
359 fprintf(output, " an empty \"-F\" option will list the file types\n");
360 fprintf(output, " -V add output of packet tree (Packet Details)\n");
361 fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
362 fprintf(output, " separated\n");
363 fprintf(output, " -P print packet summary even when writing to a file\n");
364 fprintf(output, " -S <separator> the line separator to print between packets\n");
365 fprintf(output, " -x add output of hex and ASCII dump (Packet Bytes)\n");
366 fprintf(output, " -T pdml|ps|psml|text|fields\n");
367 fprintf(output, " format of text output (def: text)\n");
368 fprintf(output, " -e <field> field to print if -Tfields selected (e.g. tcp.port,\n");
369 fprintf(output, " _ws.col.Info)\n");
370 fprintf(output, " this option can be repeated to print multiple fields\n");
371 fprintf(output, " -E<fieldsoption>=<value> set options for output when -Tfields selected:\n");
372 fprintf(output, " header=y|n switch headers on and off\n");
373 fprintf(output, " separator=/t|/s|<char> select tab, space, printable character as separator\n");
374 fprintf(output, " occurrence=f|l|a print first, last or all occurrences of each field\n");
375 fprintf(output, " aggregator=,|/s|<char> select comma, space, printable character as\n");
376 fprintf(output, " aggregator\n");
377 fprintf(output, " quote=d|s|n select double, single, no quotes for values\n");
378 fprintf(output, " -t a|ad|d|dd|e|r|u|ud output format of time stamps (def: r: rel. to first)\n");
379 fprintf(output, " -u s|hms output format of seconds (def: s: seconds)\n");
380 fprintf(output, " -l flush standard output after each packet\n");
381 fprintf(output, " -q be more quiet on stdout (e.g. when using statistics)\n");
382 fprintf(output, " -Q only log true errors to stderr (quieter than -q)\n");
383 fprintf(output, " -g enable group read access on the output file(s)\n");
384 fprintf(output, " -W n Save extra information in the file, if supported.\n");
385 fprintf(output, " n = write network address resolution information\n");
386 fprintf(output, " -X <key>:<value> eXtension options, see the man page for details\n");
387 fprintf(output, " -z <statistics> various statistics, see the man page for details\n");
388 fprintf(output, " --capture-comment <comment>\n");
389 fprintf(output, " add a capture comment to the newly created\n");
390 fprintf(output, " output file (only for pcapng)\n");
392 fprintf(output, "\n");
393 fprintf(output, "Miscellaneous:\n");
394 fprintf(output, " -h display this help and exit\n");
395 fprintf(output, " -v display version info and exit\n");
396 fprintf(output, " -o <name>:<value> ... override preference setting\n");
397 fprintf(output, " -K <keytab> keytab file to use for kerberos decryption\n");
398 fprintf(output, " -G [report] dump one of several available reports and exit\n");
399 fprintf(output, " default report=\"fields\"\n");
400 fprintf(output, " use \"-G ?\" for more help\n");
402 fprintf(output, "\n");
403 fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
404 fprintf(output, "You might want to reset it\n");
405 fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
406 fprintf(output, "\n");
412 glossary_option_help(void)
418 fprintf(output, "TShark (Wireshark) %s\n", get_ws_vcs_version_info());
420 fprintf(output, "\n");
421 fprintf(output, "Usage: tshark -G [report]\n");
422 fprintf(output, "\n");
423 fprintf(output, "Glossary table reports:\n");
424 fprintf(output, " -G column-formats dump column format codes and exit\n");
425 fprintf(output, " -G decodes dump \"layer type\"/\"decode as\" associations and exit\n");
426 fprintf(output, " -G dissector-tables dump dissector table names, types, and properties\n");
427 fprintf(output, " -G fields dump fields glossary and exit\n");
428 fprintf(output, " -G ftypes dump field type basic and descriptive names\n");
429 fprintf(output, " -G heuristic-decodes dump heuristic dissector tables\n");
430 fprintf(output, " -G plugins dump installed plugins and exit\n");
431 fprintf(output, " -G protocols dump protocols in registration database and exit\n");
432 fprintf(output, " -G values dump value, range, true/false strings and exit\n");
433 fprintf(output, "\n");
434 fprintf(output, "Preference reports:\n");
435 fprintf(output, " -G currentprefs dump current preferences and exit\n");
436 fprintf(output, " -G defaultprefs dump default preferences and exit\n");
437 fprintf(output, "\n");
441 * For a dissector table, print on the stream described by output,
442 * its short name (which is what's used in the "-d" option) and its
446 display_dissector_table_names(const char *table_name, const char *ui_name,
449 if ((prev_display_dissector_name == NULL) ||
450 (strcmp(prev_display_dissector_name, table_name) != 0)) {
451 fprintf((FILE *)output, "\t%s (%s)\n", table_name, ui_name);
452 prev_display_dissector_name = table_name;
457 * For a dissector handle, print on the stream described by output,
458 * the filter name (which is what's used in the "-d" option) and the full
459 * name for the protocol that corresponds to this handle.
462 display_dissector_names(const gchar *table _U_, gpointer handle, gpointer output)
465 const gchar *proto_filter_name;
466 const gchar *proto_ui_name;
468 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
470 if (proto_id != -1) {
471 proto_filter_name = proto_get_protocol_filter_name(proto_id);
472 proto_ui_name = proto_get_protocol_name(proto_id);
473 g_assert(proto_filter_name != NULL);
474 g_assert(proto_ui_name != NULL);
476 if ((prev_display_dissector_name == NULL) ||
477 (strcmp(prev_display_dissector_name, proto_filter_name) != 0)) {
478 fprintf((FILE *)output, "\t%s (%s)\n",
481 prev_display_dissector_name = proto_filter_name;
487 * The protocol_name_search structure is used by find_protocol_name_func()
488 * to pass parameters and store results
490 struct protocol_name_search{
491 gchar *searched_name; /* Protocol filter name we are looking for */
492 dissector_handle_t matched_handle; /* Handle for a dissector whose protocol has the specified filter name */
493 guint nb_match; /* How many dissectors matched searched_name */
495 typedef struct protocol_name_search *protocol_name_search_t;
498 * This function parses all dissectors associated with a table to find the
499 * one whose protocol has the specified filter name. It is called
500 * as a reference function in a call to dissector_table_foreach_handle.
501 * The name we are looking for, as well as the results, are stored in the
502 * protocol_name_search struct pointed to by user_data.
503 * If called using dissector_table_foreach_handle, we actually parse the
504 * whole list of dissectors.
507 find_protocol_name_func(const gchar *table _U_, gpointer handle, gpointer user_data)
511 const gchar *protocol_filter_name;
512 protocol_name_search_t search_info;
516 search_info = (protocol_name_search_t)user_data;
518 proto_id = dissector_handle_get_protocol_index((dissector_handle_t)handle);
519 if (proto_id != -1) {
520 protocol_filter_name = proto_get_protocol_filter_name(proto_id);
521 g_assert(protocol_filter_name != NULL);
522 if (strcmp(protocol_filter_name, search_info->searched_name) == 0) {
524 if (search_info->nb_match == 0) {
525 /* Record this handle only if this is the first match */
526 search_info->matched_handle = (dissector_handle_t)handle; /* Record the handle for this matching dissector */
528 search_info->nb_match++;
534 * Allow dissector key names to be sorted alphabetically
538 compare_dissector_key_name(gconstpointer dissector_a, gconstpointer dissector_b)
540 return strcmp((const char*)dissector_a, (const char*)dissector_b);
544 * Print all layer type names supported.
545 * We send the output to the stream described by the handle output.
549 fprint_all_layer_types(FILE *output)
552 prev_display_dissector_name = NULL;
553 dissector_all_tables_foreach_table(display_dissector_table_names, (gpointer)output, (GCompareFunc)compare_dissector_key_name);
557 * Print all protocol names supported for a specific layer type.
558 * table_name contains the layer type name in which the search is performed.
559 * We send the output to the stream described by the handle output.
563 fprint_all_protocols_for_layer_types(FILE *output, gchar *table_name)
566 prev_display_dissector_name = NULL;
567 dissector_table_foreach_handle(table_name,
568 display_dissector_names,
573 * The function below parses the command-line parameters for the decode as
574 * feature (a string pointer by cl_param).
575 * It checks the format of the command-line, searches for a matching table
576 * and dissector. If a table/dissector match is not found, we display a
577 * summary of the available tables/dissectors (on stderr) and return FALSE.
578 * If everything is fine, we get the "Decode as" preference activated,
579 * then we return TRUE.
582 add_decode_as(const gchar *cl_param)
585 guint32 selector, selector2;
586 gchar *decoded_param;
587 gchar *remaining_param;
589 gchar *dissector_str;
590 dissector_handle_t dissector_matching;
591 dissector_table_t table_matching;
592 ftenum_t dissector_table_selector_type;
593 struct protocol_name_search user_protocol_name;
597 /* The following code will allocate and copy the command-line options in a string pointed by decoded_param */
600 decoded_param = g_strdup(cl_param);
601 g_assert(decoded_param);
604 /* The lines below will parse this string (modifying it) to extract all
605 necessary information. Note that decoded_param is still needed since
606 strings are not copied - we just save pointers. */
608 /* This section extracts a layer type (table_name) from decoded_param */
609 table_name = decoded_param; /* Layer type string starts from beginning */
611 remaining_param = strchr(table_name, '=');
612 if (remaining_param == NULL) {
613 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
614 /* If the argument does not follow the template, carry on anyway to check
615 if the table name is at least correct. If remaining_param is NULL,
616 we'll exit anyway further down */
619 *remaining_param = '\0'; /* Terminate the layer type string (table_name) where '=' was detected */
622 /* Remove leading and trailing spaces from the table name */
623 while ( table_name[0] == ' ' )
625 while ( table_name[strlen(table_name) - 1] == ' ' )
626 table_name[strlen(table_name) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
628 /* The following part searches a table matching with the layer type specified */
629 table_matching = NULL;
631 /* Look for the requested table */
632 if ( !(*(table_name)) ) { /* Is the table name empty, if so, don't even search for anything, display a message */
633 cmdarg_err("No layer type specified"); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
636 table_matching = find_dissector_table(table_name);
637 if (!table_matching) {
638 cmdarg_err("Unknown layer type -- %s", table_name); /* Note, we don't exit here, but table_matching will remain NULL, so we exit below */
642 if (!table_matching) {
643 /* Display a list of supported layer types to help the user, if the
644 specified layer type was not found */
645 cmdarg_err("Valid layer types are:");
646 fprint_all_layer_types(stderr);
648 if (remaining_param == NULL || !table_matching) {
649 /* Exit if the layer type was not found, or if no '=' separator was found
651 g_free(decoded_param);
655 if (*(remaining_param + 1) != '=') { /* Check for "==" and not only '=' */
656 cmdarg_err("WARNING: -d requires \"==\" instead of \"=\". Option will be treated as \"%s==%s\"", table_name, remaining_param + 1);
659 remaining_param++; /* Move to the second '=' */
660 *remaining_param = '\0'; /* Remove the second '=' */
662 remaining_param++; /* Position after the layer type string */
664 /* This section extracts a selector value (selector_str) from decoded_param */
666 selector_str = remaining_param; /* Next part starts with the selector number */
668 remaining_param = strchr(selector_str, ',');
669 if (remaining_param == NULL) {
670 cmdarg_err("Parameter \"%s\" doesn't follow the template \"%s\"", cl_param, decode_as_arg_template);
671 /* If the argument does not follow the template, carry on anyway to check
672 if the selector value is at least correct. If remaining_param is NULL,
673 we'll exit anyway further down */
676 *remaining_param = '\0'; /* Terminate the selector number string (selector_str) where ',' was detected */
679 dissector_table_selector_type = get_dissector_table_selector_type(table_name);
681 switch (dissector_table_selector_type) {
687 /* The selector for this table is an unsigned number. Parse it as such.
688 There's no need to remove leading and trailing spaces from the
689 selector number string, because sscanf will do that for us. */
690 switch (sscanf(selector_str, "%u%c%u", &selector, &op, &selector2)) {
695 if (op != ':' && op != '-') {
696 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
697 g_free(decoded_param);
701 if ((selector2 == 0) || ((guint64)selector + selector2 - 1) > G_MAXUINT32) {
702 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
703 g_free(decoded_param);
707 else if (selector2 < selector) {
708 /* We could swap them for the user, but maybe it's better to call
709 * this out as an error in case it's not what was intended? */
710 cmdarg_err("Invalid selector numeric range \"%s\"", selector_str);
711 g_free(decoded_param);
716 cmdarg_err("Invalid selector number \"%s\"", selector_str);
717 g_free(decoded_param);
726 /* The selector for this table is a string. */
730 /* There are currently no dissector tables with any types other
731 than the ones listed above. */
732 g_assert_not_reached();
735 if (remaining_param == NULL) {
736 /* Exit if no ',' separator was found (see above) */
737 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
738 fprint_all_protocols_for_layer_types(stderr, table_name);
739 g_free(decoded_param);
743 remaining_param++; /* Position after the selector number string */
745 /* This section extracts a protocol filter name (dissector_str) from decoded_param */
747 dissector_str = remaining_param; /* All the rest of the string is the dissector (decode as protocol) name */
749 /* Remove leading and trailing spaces from the dissector name */
750 while ( dissector_str[0] == ' ' )
752 while ( dissector_str[strlen(dissector_str) - 1] == ' ' )
753 dissector_str[strlen(dissector_str) - 1] = '\0'; /* Note: if empty string, while loop will eventually exit */
755 dissector_matching = NULL;
757 /* We now have a pointer to the handle for the requested table inside the variable table_matching */
758 if ( ! (*dissector_str) ) { /* Is the dissector name empty, if so, don't even search for a matching dissector and display all dissectors found for the selected table */
759 cmdarg_err("No protocol name specified"); /* Note, we don't exit here, but dissector_matching will remain NULL, so we exit below */
762 user_protocol_name.nb_match = 0;
763 user_protocol_name.searched_name = dissector_str;
764 user_protocol_name.matched_handle = NULL;
766 dissector_table_foreach_handle(table_name, find_protocol_name_func, &user_protocol_name); /* Go and perform the search for this dissector in the this table's dissectors' names and shortnames */
768 if (user_protocol_name.nb_match != 0) {
769 dissector_matching = user_protocol_name.matched_handle;
770 if (user_protocol_name.nb_match > 1) {
771 cmdarg_err("WARNING: Protocol \"%s\" matched %u dissectors, first one will be used", dissector_str, user_protocol_name.nb_match);
775 /* OK, check whether the problem is that there isn't any such
776 protocol, or that there is but it's not specified as a protocol
777 that's valid for that dissector table.
778 Note, we don't exit here, but dissector_matching will remain NULL,
780 if (proto_get_id_by_filter_name(dissector_str) == -1) {
781 /* No such protocol */
782 cmdarg_err("Unknown protocol -- \"%s\"", dissector_str);
784 cmdarg_err("Protocol \"%s\" isn't valid for layer type \"%s\"",
785 dissector_str, table_name);
790 if (!dissector_matching) {
791 cmdarg_err("Valid protocols for layer type \"%s\" are:", table_name);
792 fprint_all_protocols_for_layer_types(stderr, table_name);
793 g_free(decoded_param);
797 /* This is the end of the code that parses the command-line options.
798 All information is now stored in the variables:
802 The above variables that are strings are still pointing to areas within
803 decoded_parm. decoded_parm thus still needs to be kept allocated in
804 until we stop needing these variables
805 decoded_param will be deallocated at each exit point of this function */
808 /* We now have a pointer to the handle for the requested dissector
809 (requested protocol) inside the variable dissector_matching */
810 switch (dissector_table_selector_type) {
816 /* The selector for this table is an unsigned number. */
818 dissector_change_uint(table_name, selector, dissector_matching);
819 } else if (op == ':') {
820 for (i = selector; i < (guint64)selector + selector2; i++) {
821 dissector_change_uint(table_name, (guint32)i, dissector_matching);
823 } else { /* op == '-' */
824 for (i = selector; i <= selector2; i++) {
825 dissector_change_uint(table_name, (guint32)i, dissector_matching);
834 /* The selector for this table is a string. */
835 dissector_change_string(table_name, selector_str, dissector_matching);
839 /* There are currently no dissector tables with any types other
840 than the ones listed above. */
841 g_assert_not_reached();
843 g_free(decoded_param); /* "Decode As" rule has been successfully added */
848 tshark_log_handler (const gchar *log_domain, GLogLevelFlags log_level,
849 const gchar *message, gpointer user_data)
851 /* ignore log message, if log_level isn't interesting based
852 upon the console log preferences.
853 If the preferences haven't been loaded loaded yet, display the
856 The default console_log_level preference value is such that only
857 ERROR, CRITICAL and WARNING level messages are processed;
858 MESSAGE, INFO and DEBUG level messages are ignored.
860 XXX: Aug 07, 2009: Prior tshark g_log code was hardwired to process only
861 ERROR and CRITICAL level messages so the current code is a behavioral
862 change. The current behavior is the same as in Wireshark.
864 if ((log_level & G_LOG_LEVEL_MASK & prefs.console_log_level) == 0 &&
865 prefs.console_log_level != 0) {
869 g_log_default_handler(log_domain, log_level, message, user_data);
874 output_file_description(const char *fname)
876 char *save_file_string;
878 /* Get a string that describes what we're writing to */
879 if (strcmp(fname, "-") == 0) {
880 /* We're writing to the standard output */
881 save_file_string = g_strdup("standard output");
883 /* We're writing to a file with the name in save_file */
884 save_file_string = g_strdup_printf("file \"%s\"", fname);
886 return save_file_string;
890 print_current_user(void) {
891 gchar *cur_user, *cur_group;
893 if (started_with_special_privs()) {
894 cur_user = get_cur_username();
895 cur_group = get_cur_groupname();
896 fprintf(stderr, "Running as user \"%s\" and group \"%s\".",
897 cur_user, cur_group);
900 if (running_with_special_privs()) {
901 fprintf(stderr, " This could be dangerous.");
903 fprintf(stderr, "\n");
908 get_tshark_compiled_version_info(GString *str)
910 /* Capture libraries */
911 get_compiled_caplibs_version(str);
914 g_string_append(str, ", ");
916 g_string_append(str, "with libz ");
918 g_string_append(str, ZLIB_VERSION);
919 #else /* ZLIB_VERSION */
920 g_string_append(str, "(version unknown)");
921 #endif /* ZLIB_VERSION */
922 #else /* HAVE_LIBZ */
923 g_string_append(str, "without libz");
924 #endif /* HAVE_LIBZ */
928 get_tshark_runtime_version_info(GString *str)
931 /* Capture libraries */
932 g_string_append(str, ", ");
933 get_runtime_caplibs_version(str);
937 #if defined(HAVE_LIBZ) && !defined(_WIN32)
938 g_string_append_printf(str, ", with libz %s", zlibVersion());
941 /* stuff used by libwireshark */
942 epan_get_runtime_version_info(str);
946 main(int argc, char *argv[])
948 GString *comp_info_str;
949 GString *runtime_info_str;
950 char *init_progfile_dir_error;
953 static const struct option long_options[] = {
954 {(char *)"help", no_argument, NULL, 'h'},
955 {(char *)"version", no_argument, NULL, 'v'},
956 LONGOPT_CAPTURE_COMMON
960 gboolean arg_error = FALSE;
966 char *gpf_path, *pf_path;
967 char *gdp_path, *dp_path;
968 int gpf_open_errno, gpf_read_errno;
969 int pf_open_errno, pf_read_errno;
970 int gdp_open_errno, gdp_read_errno;
971 int dp_open_errno, dp_read_errno;
973 volatile int exit_status = 0;
975 gboolean list_link_layer_types = FALSE;
976 gboolean start_capture = FALSE;
981 gboolean capture_option_specified = FALSE;
983 gboolean quiet = FALSE;
984 #ifdef PCAP_NG_DEFAULT
985 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG;
987 volatile int out_file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP;
989 volatile gboolean out_file_name_res = FALSE;
990 volatile int in_file_type = WTAP_TYPE_AUTO;
991 gchar *volatile cf_name = NULL;
992 gchar *rfilter = NULL;
993 gchar *dfilter = NULL;
994 #ifdef HAVE_PCAP_OPEN_DEAD
995 struct bpf_program fcode;
997 dfilter_t *rfcode = NULL;
998 dfilter_t *dfcode = NULL;
1003 gchar *output_only = NULL;
1006 * The leading + ensures that getopt_long() does not permute the argv[]
1009 * We have to make sure that the first getopt_long() preserves the content
1010 * of argv[] for the subsequent getopt_long() call.
1012 * We use getopt_long() in both cases to ensure that we're using a routine
1013 * whose permutation behavior we can control in the same fashion on all
1014 * platforms, and so that, if we ever need to process a long argument before
1015 * doing further initialization, we can do so.
1017 * Glibc and Solaris libc document that a leading + disables permutation
1018 * of options, regardless of whether POSIXLY_CORRECT is set or not; *BSD
1019 * and OS X don't document it, but do so anyway.
1021 * We do *not* use a leading - because the behavior of a leading - is
1022 * platform-dependent.
1024 #define OPTSTRING "+2" OPTSTRING_CAPTURE_COMMON "C:d:e:E:F:gG:hH:" "K:lnN:o:O:PqQr:R:S:t:T:u:vVw:W:xX:Y:z:"
1026 static const char optstring[] = OPTSTRING;
1028 /* Set the C-language locale to the native environment. */
1029 setlocale(LC_ALL, "");
1031 cmdarg_err_init(failure_message, failure_message_cont);
1034 arg_list_utf_16to8(argc, argv);
1035 create_app_running_mutex();
1036 #if !GLIB_CHECK_VERSION(2,31,0)
1037 g_thread_init(NULL);
1042 * Get credential information for later use, and drop privileges
1043 * before doing anything else.
1044 * Let the user know if anything happened.
1046 init_process_policies();
1047 relinquish_special_privs_perm();
1048 print_current_user();
1051 * Attempt to get the pathname of the executable file.
1053 init_progfile_dir_error = init_progfile_dir(argv[0], (void *)main);
1054 if (init_progfile_dir_error != NULL) {
1055 fprintf(stderr, "tshark: Can't get pathname of tshark program: %s.\n",
1056 init_progfile_dir_error);
1059 initialize_funnel_ops();
1062 /* Load wpcap if possible. Do this before collecting the run-time version information */
1065 /* Warn the user if npf.sys isn't loaded. */
1066 if (!npf_sys_is_running() && get_windows_major_version() >= 6) {
1067 fprintf(stderr, "The NPF driver isn't running. You may have trouble "
1068 "capturing or\nlisting interfaces.\n");
1072 /* Get the compile-time version information string */
1073 comp_info_str = get_compiled_version_info(get_tshark_compiled_version_info,
1074 epan_get_compiled_version_info);
1076 /* Get the run-time version information string */
1077 runtime_info_str = get_runtime_version_info(get_tshark_runtime_version_info);
1079 /* Add it to the information to be reported on a crash. */
1080 ws_add_crash_info("TShark (Wireshark) %s\n"
1085 get_ws_vcs_version_info(), comp_info_str->str, runtime_info_str->str);
1088 * In order to have the -X opts assigned before the wslua machine starts
1089 * we need to call getopt_long before epan_init() gets called.
1091 * In order to handle, for example, -o options, we also need to call it
1092 * *after* epan_init() gets called, so that the dissectors have had a
1093 * chance to register their preferences.
1095 * XXX - can we do this all with one getopt_long() call, saving the
1096 * arguments we can't handle until after initializing libwireshark,
1097 * and then process them after initializing libwireshark?
1101 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1103 case 'C': /* Configuration Profile */
1104 if (profile_exists (optarg, FALSE)) {
1105 set_profile_name (optarg);
1107 cmdarg_err("Configuration Profile \"%s\" does not exist", optarg);
1111 case 'P': /* Print packet summary info even when writing to a file */
1112 print_packet_info = TRUE;
1113 print_summary = TRUE;
1115 case 'O': /* Only output these protocols */
1116 output_only = g_strdup(optarg);
1118 case 'V': /* Verbose */
1119 print_details = TRUE;
1120 print_packet_info = TRUE;
1122 case 'x': /* Print packet data in hex (and ASCII) */
1124 /* The user asked for hex output, so let's ensure they get it,
1125 * even if they're writing to a file.
1127 print_packet_info = TRUE;
1138 * Print packet summary information is the default, unless either -V or -x
1139 * were specified and -P was not. Note that this is new behavior, which
1140 * allows for the possibility of printing only hex/ascii output without
1141 * necessarily requiring that either the summary or details be printed too.
1143 if (print_summary == -1)
1144 print_summary = (print_details || print_hex) ? FALSE : TRUE;
1146 /** Send All g_log messages to our own handler **/
1150 G_LOG_LEVEL_CRITICAL|
1151 G_LOG_LEVEL_WARNING|
1152 G_LOG_LEVEL_MESSAGE|
1155 G_LOG_FLAG_FATAL|G_LOG_FLAG_RECURSION;
1157 g_log_set_handler(NULL,
1158 (GLogLevelFlags)log_flags,
1159 tshark_log_handler, NULL /* user_data */);
1160 g_log_set_handler(LOG_DOMAIN_MAIN,
1161 (GLogLevelFlags)log_flags,
1162 tshark_log_handler, NULL /* user_data */);
1165 g_log_set_handler(LOG_DOMAIN_CAPTURE,
1166 (GLogLevelFlags)log_flags,
1167 tshark_log_handler, NULL /* user_data */);
1168 g_log_set_handler(LOG_DOMAIN_CAPTURE_CHILD,
1169 (GLogLevelFlags)log_flags,
1170 tshark_log_handler, NULL /* user_data */);
1173 init_report_err(failure_message, open_failure_message, read_failure_message,
1174 write_failure_message);
1177 capture_opts_init(&global_capture_opts);
1178 capture_session_init(&global_capture_session, &cfile);
1181 timestamp_set_type(TS_RELATIVE);
1182 timestamp_set_precision(TS_PREC_AUTO);
1183 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1185 init_open_routines();
1188 /* Register all the plugin types we have. */
1189 epan_register_plugin_types(); /* Types known to libwireshark */
1190 wtap_register_plugin_types(); /* Types known to libwiretap */
1192 /* Scan for plugins. This does *not* call their registration routines;
1193 that's done later. */
1196 /* Register all libwiretap plugin modules. */
1197 register_all_wiretap_modules();
1200 /* Register all dissectors; we must do this before checking for the
1201 "-G" flag, as the "-G" flag dumps information registered by the
1202 dissectors, and we must do it before we read the preferences, in
1203 case any dissectors register preferences. */
1204 epan_init(register_all_protocols, register_all_protocol_handoffs, NULL, NULL);
1206 /* Register all tap listeners; we do this before we parse the arguments,
1207 as the "-z" argument can specify a registered tap. */
1209 /* we register the plugin taps before the other taps because
1210 stats_tree taps plugins will be registered as tap listeners
1211 by stats_tree_stat.c and need to registered before that */
1213 register_all_plugin_tap_listeners();
1215 register_all_tap_listeners();
1216 conversation_table_set_gui_info(init_iousers);
1217 hostlist_table_set_gui_info(init_hostlists);
1219 /* If invoked with the "-G" flag, we dump out information based on
1220 the argument to the "-G" flag; if no argument is specified,
1221 for backwards compatibility we dump out a glossary of display
1224 XXX - we do this here, for now, to support "-G" with no arguments.
1225 If none of our build or other processes uses "-G" with no arguments,
1226 we can just process it with the other arguments. */
1227 if (argc >= 2 && strcmp(argv[1], "-G") == 0) {
1228 proto_initialize_all_prefixes();
1231 proto_registrar_dump_fields();
1233 if (strcmp(argv[2], "column-formats") == 0)
1234 column_dump_column_formats();
1235 else if (strcmp(argv[2], "currentprefs") == 0) {
1236 read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1237 &pf_open_errno, &pf_read_errno, &pf_path);
1240 else if (strcmp(argv[2], "decodes") == 0)
1241 dissector_dump_decodes();
1242 else if (strcmp(argv[2], "defaultprefs") == 0)
1244 else if (strcmp(argv[2], "dissector-tables") == 0)
1245 dissector_dump_dissector_tables();
1246 else if (strcmp(argv[2], "fields") == 0)
1247 proto_registrar_dump_fields();
1248 else if (strcmp(argv[2], "ftypes") == 0)
1249 proto_registrar_dump_ftypes();
1250 else if (strcmp(argv[2], "heuristic-decodes") == 0)
1251 dissector_dump_heur_decodes();
1252 else if (strcmp(argv[2], "plugins") == 0) {
1257 wslua_plugins_dump_all();
1260 else if (strcmp(argv[2], "protocols") == 0)
1261 proto_registrar_dump_protocols();
1262 else if (strcmp(argv[2], "values") == 0)
1263 proto_registrar_dump_values();
1264 else if (strcmp(argv[2], "?") == 0)
1265 glossary_option_help();
1266 else if (strcmp(argv[2], "-?") == 0)
1267 glossary_option_help();
1269 cmdarg_err("Invalid \"%s\" option for -G flag, enter -G ? for more help.", argv[2]);
1276 prefs_p = read_prefs(&gpf_open_errno, &gpf_read_errno, &gpf_path,
1277 &pf_open_errno, &pf_read_errno, &pf_path);
1278 if (gpf_path != NULL) {
1279 if (gpf_open_errno != 0) {
1280 cmdarg_err("Can't open global preferences file \"%s\": %s.",
1281 pf_path, g_strerror(gpf_open_errno));
1283 if (gpf_read_errno != 0) {
1284 cmdarg_err("I/O error reading global preferences file \"%s\": %s.",
1285 pf_path, g_strerror(gpf_read_errno));
1288 if (pf_path != NULL) {
1289 if (pf_open_errno != 0) {
1290 cmdarg_err("Can't open your preferences file \"%s\": %s.", pf_path,
1291 g_strerror(pf_open_errno));
1293 if (pf_read_errno != 0) {
1294 cmdarg_err("I/O error reading your preferences file \"%s\": %s.",
1295 pf_path, g_strerror(pf_read_errno));
1301 /* Read the disabled protocols file. */
1302 read_disabled_protos_list(&gdp_path, &gdp_open_errno, &gdp_read_errno,
1303 &dp_path, &dp_open_errno, &dp_read_errno);
1304 if (gdp_path != NULL) {
1305 if (gdp_open_errno != 0) {
1306 cmdarg_err("Could not open global disabled protocols file\n\"%s\": %s.",
1307 gdp_path, g_strerror(gdp_open_errno));
1309 if (gdp_read_errno != 0) {
1310 cmdarg_err("I/O error reading global disabled protocols file\n\"%s\": %s.",
1311 gdp_path, g_strerror(gdp_read_errno));
1315 if (dp_path != NULL) {
1316 if (dp_open_errno != 0) {
1318 "Could not open your disabled protocols file\n\"%s\": %s.", dp_path,
1319 g_strerror(dp_open_errno));
1321 if (dp_read_errno != 0) {
1323 "I/O error reading your disabled protocols file\n\"%s\": %s.", dp_path,
1324 g_strerror(dp_read_errno));
1329 cap_file_init(&cfile);
1331 /* Print format defaults to this. */
1332 print_format = PR_FMT_TEXT;
1334 output_fields = output_fields_new();
1337 * To reset the options parser, set optreset to 1 on platforms that
1338 * have optreset (documented in *BSD and OS X, apparently present but
1339 * not documented in Solaris - the Illumos repository seems to
1340 * suggest that the first Solaris getopt_long(), at least as of 2004,
1341 * was based on the NetBSD one, it had optreset) and set optind to 1,
1342 * and set optind to 0 otherwise (documented as working in the GNU
1343 * getopt_long(). Setting optind to 0 didn't originally work in the
1344 * NetBSD one, but that was added later - we don't want to depend on
1345 * it if we have optreset).
1347 * Also reset opterr to 1, so that error messages are printed by
1350 #ifdef HAVE_OPTRESET
1358 /* Now get our args */
1359 while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
1361 case '2': /* Perform two pass analysis */
1362 perform_two_pass_analysis = TRUE;
1364 case 'a': /* autostop criteria */
1365 case 'b': /* Ringbuffer option */
1366 case 'c': /* Capture x packets */
1367 case 'f': /* capture filter */
1368 case 'g': /* enable group read access on file(s) */
1369 case 'i': /* Use interface x */
1370 case 'p': /* Don't capture in promiscuous mode */
1371 #ifdef HAVE_PCAP_REMOTE
1372 case 'A': /* Authentication */
1374 #ifdef HAVE_PCAP_CREATE
1375 case 'I': /* Capture in monitor mode, if available */
1377 case 's': /* Set the snapshot (capture) length */
1378 case 'w': /* Write to capture file x */
1379 case 'y': /* Set the pcap data link type */
1380 case LONGOPT_NUM_CAP_COMMENT: /* add a capture comment */
1381 #ifdef CAN_SET_CAPTURE_BUFFER_SIZE
1382 case 'B': /* Buffer size */
1385 status = capture_opts_add_opt(&global_capture_opts, opt, optarg, &start_capture);
1392 * Output file name, if we're reading a file and writing to another
1395 output_file_name = optarg;
1397 capture_option_specified = TRUE;
1403 /* already processed; just ignore it now */
1405 case 'd': /* Decode as rule */
1406 if (!add_decode_as(optarg))
1409 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
1410 case 'K': /* Kerberos keytab file */
1411 read_keytab_file(optarg);
1414 case 'D': /* Print a list of capture devices and exit */
1416 if_list = capture_interface_list(&err, &err_str,NULL);
1417 if (if_list == NULL) {
1419 cmdarg_err("There are no interfaces on which a capture can be done");
1421 cmdarg_err("%s", err_str);
1426 capture_opts_print_interfaces(if_list);
1427 free_interface_list(if_list);
1430 capture_option_specified = TRUE;
1436 output_fields_add(output_fields, optarg);
1440 if (!output_fields_set_option(output_fields, optarg)) {
1441 cmdarg_err("\"%s\" is not a valid field output option=value pair.", optarg);
1442 output_fields_list_options(stderr);
1447 out_file_type = wtap_short_string_to_file_type_subtype(optarg);
1448 if (out_file_type < 0) {
1449 cmdarg_err("\"%s\" isn't a valid capture file type", optarg);
1450 list_capture_types();
1454 case 'W': /* Select extra information to save in our capture file */
1455 /* This is patterned after the -N flag which may not be the best idea. */
1456 if (strchr(optarg, 'n')) {
1457 out_file_name_res = TRUE;
1459 cmdarg_err("Invalid -W argument \"%s\"; it must be one of:", optarg);
1460 cmdarg_err_cont("\t'n' write network address resolution information (pcapng only)");
1464 case 'H': /* Read address to name mappings from a hosts file */
1465 if (! add_hosts_file(optarg))
1467 cmdarg_err("Can't read host entries from \"%s\"", optarg);
1470 out_file_name_res = TRUE;
1473 case 'h': /* Print help and exit */
1474 printf("TShark (Wireshark) %s\n"
1475 "Dump and analyze network traffic.\n"
1476 "See https://www.wireshark.org for more information.\n",
1477 get_ws_vcs_version_info());
1478 print_usage(stdout);
1481 case 'l': /* "Line-buffer" standard output */
1482 /* This isn't line-buffering, strictly speaking, it's just
1483 flushing the standard output after the information for
1484 each packet is printed; however, that should be good
1485 enough for all the purposes to which "-l" is put (and
1486 is probably actually better for "-V", as it does fewer
1489 See the comment in "process_packet()" for an explanation of
1490 why we do that, and why we don't just use "setvbuf()" to
1491 make the standard output line-buffered (short version: in
1492 Windows, "line-buffered" is the same as "fully-buffered",
1493 and the output buffer is only flushed when it fills up). */
1494 line_buffered = TRUE;
1496 case 'L': /* Print list of link-layer types and exit */
1498 list_link_layer_types = TRUE;
1500 capture_option_specified = TRUE;
1504 case 'n': /* No name resolution */
1505 gbl_resolv_flags.mac_name = FALSE;
1506 gbl_resolv_flags.network_name = FALSE;
1507 gbl_resolv_flags.transport_name = FALSE;
1508 gbl_resolv_flags.concurrent_dns = FALSE;
1510 case 'N': /* Select what types of addresses/port #s to resolve */
1511 badopt = string_to_name_resolve(optarg, &gbl_resolv_flags);
1512 if (badopt != '\0') {
1513 cmdarg_err("-N specifies unknown resolving option '%c'; valid options are:",
1515 cmdarg_err_cont("\t'C' to enable concurrent (asynchronous) DNS lookups\n"
1516 "\t'm' to enable MAC address resolution\n"
1517 "\t'n' to enable network address resolution\n"
1518 "\t'N' to enable using external resolvers (e.g., DNS)\n"
1519 "\t for network address resolution\n"
1520 "\t't' to enable transport-layer port number resolution");
1524 case 'o': /* Override preference from command line */
1525 switch (prefs_set_pref(optarg)) {
1530 case PREFS_SET_SYNTAX_ERR:
1531 cmdarg_err("Invalid -o flag \"%s\"", optarg);
1535 case PREFS_SET_NO_SUCH_PREF:
1536 case PREFS_SET_OBSOLETE:
1537 cmdarg_err("-o flag \"%s\" specifies unknown preference", optarg);
1542 case 'q': /* Quiet */
1545 case 'Q': /* Really quiet */
1547 really_quiet = TRUE;
1549 case 'r': /* Read capture file x */
1550 cf_name = g_strdup(optarg);
1552 case 'R': /* Read file filter */
1556 /* already processed; just ignore it now */
1558 case 'S': /* Set the line Separator to be printed between packets */
1561 case 't': /* Time stamp type */
1562 if (strcmp(optarg, "r") == 0)
1563 timestamp_set_type(TS_RELATIVE);
1564 else if (strcmp(optarg, "a") == 0)
1565 timestamp_set_type(TS_ABSOLUTE);
1566 else if (strcmp(optarg, "ad") == 0)
1567 timestamp_set_type(TS_ABSOLUTE_WITH_YMD);
1568 else if (strcmp(optarg, "adoy") == 0)
1569 timestamp_set_type(TS_ABSOLUTE_WITH_YDOY);
1570 else if (strcmp(optarg, "d") == 0)
1571 timestamp_set_type(TS_DELTA);
1572 else if (strcmp(optarg, "dd") == 0)
1573 timestamp_set_type(TS_DELTA_DIS);
1574 else if (strcmp(optarg, "e") == 0)
1575 timestamp_set_type(TS_EPOCH);
1576 else if (strcmp(optarg, "u") == 0)
1577 timestamp_set_type(TS_UTC);
1578 else if (strcmp(optarg, "ud") == 0)
1579 timestamp_set_type(TS_UTC_WITH_YMD);
1580 else if (strcmp(optarg, "udoy") == 0)
1581 timestamp_set_type(TS_UTC_WITH_YDOY);
1583 cmdarg_err("Invalid time stamp type \"%s\"; it must be one of:", optarg);
1584 cmdarg_err_cont("\t\"a\" for absolute\n"
1585 "\t\"ad\" for absolute with YYYY-MM-DD date\n"
1586 "\t\"adoy\" for absolute with YYYY/DOY date\n"
1587 "\t\"d\" for delta\n"
1588 "\t\"dd\" for delta displayed\n"
1589 "\t\"e\" for epoch\n"
1590 "\t\"r\" for relative\n"
1591 "\t\"u\" for absolute UTC\n"
1592 "\t\"ud\" for absolute UTC with YYYY-MM-DD date\n"
1593 "\t\"udoy\" for absolute UTC with YYYY/DOY date");
1597 case 'T': /* printing Type */
1598 print_packet_info = TRUE;
1599 if (strcmp(optarg, "text") == 0) {
1600 output_action = WRITE_TEXT;
1601 print_format = PR_FMT_TEXT;
1602 } else if (strcmp(optarg, "ps") == 0) {
1603 output_action = WRITE_TEXT;
1604 print_format = PR_FMT_PS;
1605 } else if (strcmp(optarg, "pdml") == 0) {
1606 output_action = WRITE_XML;
1607 print_details = TRUE; /* Need details */
1608 print_summary = FALSE; /* Don't allow summary */
1609 } else if (strcmp(optarg, "psml") == 0) {
1610 output_action = WRITE_XML;
1611 print_details = FALSE; /* Don't allow details */
1612 print_summary = TRUE; /* Need summary */
1613 } else if (strcmp(optarg, "fields") == 0) {
1614 output_action = WRITE_FIELDS;
1615 print_details = TRUE; /* Need full tree info */
1616 print_summary = FALSE; /* Don't allow summary */
1618 cmdarg_err("Invalid -T parameter \"%s\"; it must be one of:", optarg); /* x */
1619 cmdarg_err_cont("\t\"fields\" The values of fields specified with the -e option, in a form\n"
1620 "\t specified by the -E option.\n"
1621 "\t\"pdml\" Packet Details Markup Language, an XML-based format for the\n"
1622 "\t details of a decoded packet. This information is equivalent to\n"
1623 "\t the packet details printed with the -V flag.\n"
1624 "\t\"ps\" PostScript for a human-readable one-line summary of each of\n"
1625 "\t the packets, or a multi-line view of the details of each of\n"
1626 "\t the packets, depending on whether the -V flag was specified.\n"
1627 "\t\"psml\" Packet Summary Markup Language, an XML-based format for the\n"
1628 "\t summary information of a decoded packet. This information is\n"
1629 "\t equivalent to the information shown in the one-line summary\n"
1630 "\t printed by default.\n"
1631 "\t\"text\" Text of a human-readable one-line summary of each of the\n"
1632 "\t packets, or a multi-line view of the details of each of the\n"
1633 "\t packets, depending on whether the -V flag was specified.\n"
1634 "\t This is the default.");
1638 case 'u': /* Seconds type */
1639 if (strcmp(optarg, "s") == 0)
1640 timestamp_set_seconds_type(TS_SECONDS_DEFAULT);
1641 else if (strcmp(optarg, "hms") == 0)
1642 timestamp_set_seconds_type(TS_SECONDS_HOUR_MIN_SEC);
1644 cmdarg_err("Invalid seconds type \"%s\"; it must be one of:", optarg);
1645 cmdarg_err_cont("\t\"s\" for seconds\n"
1646 "\t\"hms\" for hours, minutes and seconds");
1650 case 'v': /* Show version and exit */
1652 show_version("TShark (Wireshark)", comp_info_str, runtime_info_str);
1653 g_string_free(comp_info_str, TRUE);
1654 g_string_free(runtime_info_str, TRUE);
1655 /* We don't really have to cleanup here, but it's a convenient way to test
1656 * start-up and shut-down of the epan library without any UI-specific
1657 * cruft getting in the way. Makes the results of running
1658 * $ ./tools/valgrind-wireshark -n
1659 * much more useful. */
1663 case 'O': /* Only output these protocols */
1664 /* already processed; just ignore it now */
1666 case 'V': /* Verbose */
1667 /* already processed; just ignore it now */
1669 case 'x': /* Print packet data in hex (and ASCII) */
1670 /* already processed; just ignore it now */
1673 /* already processed; just ignore it now */
1679 /* We won't call the init function for the stat this soon
1680 as it would disallow MATE's fields (which are registered
1681 by the preferences set callback) from being used as
1682 part of a tap filter. Instead, we just add the argument
1683 to a list of stat arguments. */
1684 if (strcmp("help", optarg) == 0) {
1685 fprintf(stderr, "tshark: The available statistics for the \"-z\" option are:\n");
1686 list_stat_cmd_args();
1689 if (!process_stat_cmd_arg(optarg)) {
1690 cmdarg_err("Invalid -z argument \"%s\"; it must be one of:", optarg);
1691 list_stat_cmd_args();
1696 case '?': /* Bad flag - print usage message */
1699 list_capture_types();
1702 print_usage(stderr);
1709 /* If we specified output fields, but not the output field type... */
1710 if (WRITE_FIELDS != output_action && 0 != output_fields_num_fields(output_fields)) {
1711 cmdarg_err("Output fields were specified with \"-e\", "
1712 "but \"-Tfields\" was not specified.");
1714 } else if (WRITE_FIELDS == output_action && 0 == output_fields_num_fields(output_fields)) {
1715 cmdarg_err("\"-Tfields\" was specified, but no fields were "
1716 "specified with \"-e\".");
1721 /* If no capture filter or display filter has been specified, and there are
1722 still command-line arguments, treat them as the tokens of a capture
1723 filter (if no "-r" flag was specified) or a display filter (if a "-r"
1724 flag was specified. */
1725 if (optind < argc) {
1726 if (cf_name != NULL) {
1727 if (dfilter != NULL) {
1728 cmdarg_err("Display filters were specified both with \"-d\" "
1729 "and with additional command-line arguments.");
1732 dfilter = get_args_as_string(argc, argv, optind);
1737 if (global_capture_opts.default_options.cfilter) {
1738 cmdarg_err("A default capture filter was specified both with \"-f\""
1739 " and with additional command-line arguments.");
1742 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
1743 interface_options interface_opts;
1744 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
1745 if (interface_opts.cfilter == NULL) {
1746 interface_opts.cfilter = get_args_as_string(argc, argv, optind);
1747 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
1748 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
1750 cmdarg_err("A capture filter was specified both with \"-f\""
1751 " and with additional command-line arguments.");
1755 global_capture_opts.default_options.cfilter = get_args_as_string(argc, argv, optind);
1757 capture_option_specified = TRUE;
1763 if (!global_capture_opts.saving_to_file) {
1764 /* We're not saving the capture to a file; if "-q" wasn't specified,
1765 we should print packet information */
1767 print_packet_info = TRUE;
1769 /* We're saving to a file; if we're writing to the standard output.
1770 and we'll also be writing dissected packets to the standard
1771 output, reject the request. At best, we could redirect that
1772 to the standard error; we *can't* write both to the standard
1773 output and have either of them be useful. */
1774 if (strcmp(global_capture_opts.save_file, "-") == 0 && print_packet_info) {
1775 cmdarg_err("You can't write both raw packet data and dissected packets"
1776 " to the standard output.");
1781 /* We're not saving the capture to a file; if "-q" wasn't specified,
1782 we should print packet information */
1784 print_packet_info = TRUE;
1787 #ifndef HAVE_LIBPCAP
1788 if (capture_option_specified)
1789 cmdarg_err("This version of TShark was not built with support for capturing packets.");
1792 print_usage(stderr);
1797 if (output_action != WRITE_TEXT) {
1798 cmdarg_err("Raw packet hex data can only be printed as text or PostScript");
1803 if (output_only != NULL) {
1806 if (!print_details) {
1807 cmdarg_err("-O requires -V");
1811 output_only_tables = g_hash_table_new (g_str_hash, g_str_equal);
1812 for (ps = strtok (output_only, ","); ps; ps = strtok (NULL, ",")) {
1813 g_hash_table_insert(output_only_tables, (gpointer)ps, (gpointer)ps);
1817 if (rfilter != NULL && !perform_two_pass_analysis) {
1818 cmdarg_err("-R without -2 is deprecated. For single-pass filtering use -Y.");
1823 if (list_link_layer_types) {
1824 /* We're supposed to list the link-layer types for an interface;
1825 did the user also specify a capture file to be read? */
1827 /* Yes - that's bogus. */
1828 cmdarg_err("You can't specify -L and a capture file to be read.");
1831 /* No - did they specify a ring buffer option? */
1832 if (global_capture_opts.multi_files_on) {
1833 cmdarg_err("Ring buffer requested, but a capture isn't being done.");
1839 * "-r" was specified, so we're reading a capture file.
1840 * Capture options don't apply here.
1843 /* We don't support capture filters when reading from a capture file
1844 (the BPF compiler doesn't support all link-layer types that we
1845 support in capture files we read). */
1846 if (global_capture_opts.default_options.cfilter) {
1847 cmdarg_err("Only read filters, not capture filters, "
1848 "can be specified when reading a capture file.");
1851 if (global_capture_opts.multi_files_on) {
1852 cmdarg_err("Multiple capture files requested, but "
1853 "a capture isn't being done.");
1856 if (global_capture_opts.has_file_duration) {
1857 cmdarg_err("Switching capture files after a time interval was specified, but "
1858 "a capture isn't being done.");
1861 if (global_capture_opts.has_ring_num_files) {
1862 cmdarg_err("A ring buffer of capture files was specified, but "
1863 "a capture isn't being done.");
1866 if (global_capture_opts.has_autostop_files) {
1867 cmdarg_err("A maximum number of capture files was specified, but "
1868 "a capture isn't being done.");
1871 if (global_capture_opts.capture_comment) {
1872 cmdarg_err("A capture comment was specified, but "
1873 "a capture isn't being done.\nThere's no support for adding "
1874 "a capture comment to an existing capture file.");
1878 /* Note: TShark now allows the restriction of a _read_ file by packet count
1879 * and byte count as well as a write file. Other autostop options remain valid
1880 * only for a write file.
1882 if (global_capture_opts.has_autostop_duration) {
1883 cmdarg_err("A maximum capture time was specified, but "
1884 "a capture isn't being done.");
1889 * "-r" wasn't specified, so we're doing a live capture.
1891 if (perform_two_pass_analysis) {
1892 /* Two-pass analysis doesn't work with live capture since it requires us
1893 * to buffer packets until we've read all of them, but a live capture
1894 * has no useful/meaningful definition of "all" */
1895 cmdarg_err("Live captures do not support two-pass analysis.");
1899 if (global_capture_opts.saving_to_file) {
1900 /* They specified a "-w" flag, so we'll be saving to a capture file. */
1902 /* When capturing, we only support writing pcap or pcap-ng format. */
1903 if (out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAP &&
1904 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1905 cmdarg_err("Live captures can only be saved in pcap or pcapng format.");
1908 if (global_capture_opts.capture_comment &&
1909 out_file_type != WTAP_FILE_TYPE_SUBTYPE_PCAPNG) {
1910 cmdarg_err("A capture comment can only be written to a pcapng file.");
1913 if (global_capture_opts.multi_files_on) {
1914 /* Multiple-file mode doesn't work under certain conditions:
1915 a) it doesn't work if you're writing to the standard output;
1916 b) it doesn't work if you're writing to a pipe;
1918 if (strcmp(global_capture_opts.save_file, "-") == 0) {
1919 cmdarg_err("Multiple capture files requested, but "
1920 "the capture is being written to the standard output.");
1923 if (global_capture_opts.output_to_pipe) {
1924 cmdarg_err("Multiple capture files requested, but "
1925 "the capture file is a pipe.");
1928 if (!global_capture_opts.has_autostop_filesize &&
1929 !global_capture_opts.has_file_duration) {
1930 cmdarg_err("Multiple capture files requested, but "
1931 "no maximum capture file size or duration was specified.");
1935 /* Currently, we don't support read or display filters when capturing
1936 and saving the packets. */
1937 if (rfilter != NULL) {
1938 cmdarg_err("Read filters aren't supported when capturing and saving the captured packets.");
1941 if (dfilter != NULL) {
1942 cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.");
1945 global_capture_opts.use_pcapng = (out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAPNG) ? TRUE : FALSE;
1947 /* They didn't specify a "-w" flag, so we won't be saving to a
1948 capture file. Check for options that only make sense if
1949 we're saving to a file. */
1950 if (global_capture_opts.has_autostop_filesize) {
1951 cmdarg_err("Maximum capture file size specified, but "
1952 "capture isn't being saved to a file.");
1955 if (global_capture_opts.multi_files_on) {
1956 cmdarg_err("Multiple capture files requested, but "
1957 "the capture isn't being saved to a file.");
1960 if (global_capture_opts.capture_comment) {
1961 cmdarg_err("A capture comment was specified, but "
1962 "the capture isn't being saved to a file.");
1971 /* Start windows sockets */
1972 WSAStartup( MAKEWORD( 1, 1 ), &wsaData );
1975 /* Notify all registered modules that have had any of their preferences
1976 changed either from one of the preferences file or from the command
1977 line that their preferences have changed. */
1980 /* At this point MATE will have registered its field array so we can
1981 have a tap filter with one of MATE's late-registered fields as part
1982 of the filter. We can now process all the "-z" arguments. */
1983 start_requested_stats();
1985 /* At this point MATE will have registered its field array so we can
1986 check if the fields specified by the user are all good.
1988 if (!output_fields_valid(output_fields)) {
1989 cmdarg_err("Some fields aren't valid");
1994 /* We currently don't support taps, or printing dissected packets,
1995 if we're writing to a pipe. */
1996 if (global_capture_opts.saving_to_file &&
1997 global_capture_opts.output_to_pipe) {
1998 if (tap_listeners_require_dissection()) {
1999 cmdarg_err("Taps aren't supported when saving to a pipe.");
2002 if (print_packet_info) {
2003 cmdarg_err("Printing dissected packets isn't supported when saving to a pipe.");
2009 if (ex_opt_count("read_format") > 0) {
2010 const gchar* name = ex_opt_get_next("read_format");
2011 in_file_type = open_info_name_to_type(name);
2012 if (in_file_type == WTAP_TYPE_AUTO) {
2013 cmdarg_err("\"%s\" isn't a valid read file format type", name? name : "");
2014 list_read_capture_types();
2019 /* disabled protocols as per configuration file */
2020 if (gdp_path == NULL && dp_path == NULL) {
2021 set_disabled_protos_list();
2024 /* Build the column format array */
2025 build_column_format_array(&cfile.cinfo, prefs_p->num_cols, TRUE);
2028 capture_opts_trim_snaplen(&global_capture_opts, MIN_PACKET_SIZE);
2029 capture_opts_trim_ring_num_files(&global_capture_opts);
2032 if (rfilter != NULL) {
2033 if (!dfilter_compile(rfilter, &rfcode, &err_msg)) {
2034 cmdarg_err("%s", err_msg);
2037 #ifdef HAVE_PCAP_OPEN_DEAD
2041 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2043 if (pcap_compile(pc, &fcode, rfilter, 0, 0) != -1) {
2045 " Note: That read filter code looks like a valid capture filter;\n"
2046 " maybe you mixed them up?");
2055 cfile.rfcode = rfcode;
2057 if (dfilter != NULL) {
2058 if (!dfilter_compile(dfilter, &dfcode, &err_msg)) {
2059 cmdarg_err("%s", err_msg);
2062 #ifdef HAVE_PCAP_OPEN_DEAD
2066 pc = pcap_open_dead(DLT_EN10MB, MIN_PACKET_SIZE);
2068 if (pcap_compile(pc, &fcode, dfilter, 0, 0) != -1) {
2070 " Note: That display filter code looks like a valid capture filter;\n"
2071 " maybe you mixed them up?");
2080 cfile.dfcode = dfcode;
2082 if (print_packet_info) {
2083 /* If we're printing as text or PostScript, we have
2084 to create a print stream. */
2085 if (output_action == WRITE_TEXT) {
2086 switch (print_format) {
2089 print_stream = print_stream_text_stdio_new(stdout);
2093 print_stream = print_stream_ps_stdio_new(stdout);
2097 g_assert_not_reached();
2102 /* We have to dissect each packet if:
2104 we're printing information about each packet;
2106 we're using a read filter on the packets;
2108 we're using a display filter on the packets;
2110 we're using any taps that need dissection. */
2111 do_dissection = print_packet_info || rfcode || dfcode || tap_listeners_require_dissection();
2115 * We're reading a capture file.
2117 if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) {
2122 /* Process the packets in the file */
2125 err = load_cap_file(&cfile, global_capture_opts.save_file, out_file_type, out_file_name_res,
2126 global_capture_opts.has_autostop_packets ? global_capture_opts.autostop_packets : 0,
2127 global_capture_opts.has_autostop_filesize ? global_capture_opts.autostop_filesize : 0);
2129 err = load_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res, 0, 0);
2132 CATCH(OutOfMemoryError) {
2136 "Sorry, but TShark has to terminate now.\n"
2138 "More information and workarounds can be found at\n"
2139 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2144 /* We still dump out the results of taps, etc., as we might have
2145 read some packets; however, we exit with an error status. */
2149 /* No capture file specified, so we're supposed to do a live capture
2150 or get a list of link-layer types for a live capture device;
2151 do we have support for live captures? */
2153 /* if no interface was specified, pick a default */
2154 exit_status = capture_opts_default_iface_if_necessary(&global_capture_opts,
2155 ((prefs_p->capture_device) && (*prefs_p->capture_device != '\0')) ? get_if_name(prefs_p->capture_device) : NULL);
2156 if (exit_status != 0)
2159 /* if requested, list the link layer types and exit */
2160 if (list_link_layer_types) {
2163 /* Get the list of link-layer types for the capture devices. */
2164 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2165 interface_options interface_opts;
2166 if_capabilities_t *caps;
2168 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2169 caps = capture_get_if_capabilities(interface_opts.name, interface_opts.monitor_mode, &err_str, NULL);
2171 cmdarg_err("%s", err_str);
2175 if (caps->data_link_types == NULL) {
2176 cmdarg_err("The capture device \"%s\" has no data link types.", interface_opts.name);
2179 capture_opts_print_if_capabilities(caps, interface_opts.name, interface_opts.monitor_mode);
2180 free_if_capabilities(caps);
2186 * If the standard error isn't a terminal, don't print packet counts,
2187 * as they won't show up on the user's terminal and they'll get in
2188 * the way of error messages in the file (to which we assume the
2189 * standard error was redirected; if it's redirected to the null
2190 * device, there's no point in printing packet counts anyway).
2192 * Otherwise, if we're printing packet information and the standard
2193 * output is a terminal (which we assume means the standard output and
2194 * error are going to the same terminal), don't print packet counts,
2195 * as they'll get in the way of the packet information.
2197 * Otherwise, if the user specified -q, don't print packet counts.
2199 * Otherwise, print packet counts.
2201 * XXX - what if the user wants to do a live capture, doesn't want
2202 * to save it to a file, doesn't want information printed for each
2203 * packet, does want some "-z" statistic, and wants packet counts
2204 * so they know whether they're seeing any packets? -q will
2205 * suppress the information printed for each packet, but it'll
2206 * also suppress the packet counts.
2208 if (!isatty(fileno(stderr)))
2209 print_packet_counts = FALSE;
2210 else if (print_packet_info && isatty(fileno(stdout)))
2211 print_packet_counts = FALSE;
2213 print_packet_counts = FALSE;
2215 print_packet_counts = TRUE;
2217 if (print_packet_info) {
2218 if (!write_preamble(&cfile)) {
2219 show_print_file_io_error(errno);
2225 * XXX - this returns FALSE if an error occurred, but it also
2226 * returns FALSE if the capture stops because a time limit
2227 * was reached (and possibly other limits), so we can't assume
2228 * it means an error.
2230 * The capture code is a bit twisty, so it doesn't appear to
2231 * be an easy fix. We just ignore the return value for now.
2232 * Instead, pass on the exit status from the capture child.
2235 exit_status = global_capture_session.fork_child_status;
2237 if (print_packet_info) {
2238 if (!write_finale()) {
2240 show_print_file_io_error(err);
2244 /* No - complain. */
2245 cmdarg_err("This version of TShark was not built with support for capturing packets.");
2252 if (cfile.frames != NULL) {
2253 free_frame_data_sequence(cfile.frames);
2254 cfile.frames = NULL;
2257 draw_tap_listeners(TRUE);
2258 funnel_dump_all_text_windows();
2259 epan_free(cfile.epan);
2262 output_fields_free(output_fields);
2263 output_fields = NULL;
2268 /*#define USE_BROKEN_G_MAIN_LOOP*/
2270 #ifdef USE_BROKEN_G_MAIN_LOOP
2273 gboolean loop_running = FALSE;
2275 guint32 packet_count = 0;
2278 typedef struct pipe_input_tag {
2282 pipe_input_cb_t input_cb;
2283 guint pipe_input_id;
2285 GMutex *callback_running;
2289 static pipe_input_t pipe_input;
2292 /* The timer has expired, see if there's stuff to read from the pipe,
2293 if so, do the callback */
2295 pipe_timer_cb(gpointer data)
2301 pipe_input_t *pipe_input_p = data;
2302 gint iterations = 0;
2304 g_mutex_lock (pipe_input_p->callback_running);
2306 /* try to read data from the pipe only 5 times, to avoid blocking */
2307 while(iterations < 5) {
2308 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: new iteration");*/
2310 /* Oddly enough although Named pipes don't work on win9x,
2311 PeekNamedPipe does !!! */
2312 handle = (HANDLE) _get_osfhandle (pipe_input_p->source);
2313 result = PeekNamedPipe(handle, NULL, 0, NULL, &avail, NULL);
2315 /* Get the child process exit status */
2316 GetExitCodeProcess((HANDLE)*(pipe_input_p->child_process),
2319 /* If the Peek returned an error, or there are bytes to be read
2320 or the childwatcher thread has terminated then call the normal
2322 if (!result || avail > 0 || childstatus != STILL_ACTIVE) {
2324 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: data avail");*/
2326 /* And call the real handler */
2327 if (!pipe_input_p->input_cb(pipe_input_p->source, pipe_input_p->user_data)) {
2328 g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: input pipe closed, iterations: %u", iterations);
2329 /* pipe closed, return false so that the timer is stopped */
2330 g_mutex_unlock (pipe_input_p->callback_running);
2335 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: no data avail");*/
2336 /* No data, stop now */
2343 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_timer_cb: finished with iterations: %u, new timer", iterations);*/
2345 g_mutex_unlock (pipe_input_p->callback_running);
2347 /* we didn't stopped the timer, so let it run */
2354 pipe_input_set_handler(gint source, gpointer user_data, int *child_process, pipe_input_cb_t input_cb)
2357 pipe_input.source = source;
2358 pipe_input.child_process = child_process;
2359 pipe_input.user_data = user_data;
2360 pipe_input.input_cb = input_cb;
2363 #if GLIB_CHECK_VERSION(2,31,0)
2364 pipe_input.callback_running = g_malloc(sizeof(GMutex));
2365 g_mutex_init(pipe_input.callback_running);
2367 pipe_input.callback_running = g_mutex_new();
2369 /* Tricky to use pipes in win9x, as no concept of wait. NT can
2370 do this but that doesn't cover all win32 platforms. GTK can do
2371 this but doesn't seem to work over processes. Attempt to do
2372 something similar here, start a timer and check for data on every
2374 /*g_log(NULL, G_LOG_LEVEL_DEBUG, "pipe_input_set_handler: new");*/
2375 pipe_input.pipe_input_id = g_timeout_add(200, pipe_timer_cb, &pipe_input);
2379 static const nstime_t *
2380 tshark_get_frame_ts(void *data, guint32 frame_num)
2382 capture_file *cf = (capture_file *) data;
2384 if (ref && ref->num == frame_num)
2385 return &ref->abs_ts;
2387 if (prev_dis && prev_dis->num == frame_num)
2388 return &prev_dis->abs_ts;
2390 if (prev_cap && prev_cap->num == frame_num)
2391 return &prev_cap->abs_ts;
2394 frame_data *fd = frame_data_sequence_find(cf->frames, frame_num);
2396 return (fd) ? &fd->abs_ts : NULL;
2403 tshark_epan_new(capture_file *cf)
2405 epan_t *epan = epan_new();
2408 epan->get_frame_ts = tshark_get_frame_ts;
2409 epan->get_interface_name = cap_file_get_interface_name;
2410 epan->get_user_comment = NULL;
2422 #ifdef USE_TSHARK_SELECT
2426 struct sigaction action, oldaction;
2429 /* Create new dissection section. */
2430 epan_free(cfile.epan);
2431 cfile.epan = tshark_epan_new(&cfile);
2434 /* Catch a CTRL+C event and, if we get it, clean up and exit. */
2435 SetConsoleCtrlHandler(capture_cleanup, TRUE);
2437 /* Catch SIGINT and SIGTERM and, if we get either of them,
2438 clean up and exit. If SIGHUP isn't being ignored, catch
2439 it too and, if we get it, clean up and exit.
2441 We restart any read that was in progress, so that it doesn't
2442 disrupt reading from the sync pipe. The signal handler tells
2443 the capture child to finish; it will report that it finished,
2444 or will exit abnormally, so we'll stop reading from the sync
2445 pipe, pick up the exit status, and quit. */
2446 memset(&action, 0, sizeof(action));
2447 action.sa_handler = capture_cleanup;
2448 action.sa_flags = SA_RESTART;
2449 sigemptyset(&action.sa_mask);
2450 sigaction(SIGTERM, &action, NULL);
2451 sigaction(SIGINT, &action, NULL);
2452 sigaction(SIGHUP, NULL, &oldaction);
2453 if (oldaction.sa_handler == SIG_DFL)
2454 sigaction(SIGHUP, &action, NULL);
2457 /* Catch SIGINFO and, if we get it and we're capturing to a file in
2458 quiet mode, report the number of packets we've captured.
2460 Again, restart any read that was in progress, so that it doesn't
2461 disrupt reading from the sync pipe. */
2462 action.sa_handler = report_counts_siginfo;
2463 action.sa_flags = SA_RESTART;
2464 sigemptyset(&action.sa_mask);
2465 sigaction(SIGINFO, &action, NULL);
2466 #endif /* SIGINFO */
2469 global_capture_session.state = CAPTURE_PREPARING;
2471 /* Let the user know which interfaces were chosen. */
2472 for (i = 0; i < global_capture_opts.ifaces->len; i++) {
2473 interface_options interface_opts;
2475 interface_opts = g_array_index(global_capture_opts.ifaces, interface_options, i);
2476 interface_opts.descr = get_interface_descriptive_name(interface_opts.name);
2477 global_capture_opts.ifaces = g_array_remove_index(global_capture_opts.ifaces, i);
2478 g_array_insert_val(global_capture_opts.ifaces, i, interface_opts);
2480 str = get_iface_list_string(&global_capture_opts, IFLIST_QUOTE_IF_DESCRIPTION);
2481 if (really_quiet == FALSE)
2482 fprintf(stderr, "Capturing on %s\n", str->str);
2484 g_string_free(str, TRUE);
2486 ret = sync_pipe_start(&global_capture_opts, &global_capture_session, NULL);
2491 /* the actual capture loop
2493 * XXX - glib doesn't seem to provide any event based loop handling.
2495 * XXX - for whatever reason,
2496 * calling g_main_loop_new() ends up in 100% cpu load.
2498 * But that doesn't matter: in UNIX we can use select() to find an input
2499 * source with something to do.
2501 * But that doesn't matter because we're in a CLI (that doesn't need to
2502 * update a GUI or something at the same time) so it's OK if we block
2503 * trying to read from the pipe.
2505 * So all the stuff in USE_TSHARK_SELECT could be removed unless I'm
2506 * wrong (but I leave it there in case I am...).
2509 #ifdef USE_TSHARK_SELECT
2511 FD_SET(pipe_input.source, &readfds);
2514 loop_running = TRUE;
2518 while (loop_running)
2520 #ifdef USE_TSHARK_SELECT
2521 ret = select(pipe_input.source+1, &readfds, NULL, NULL, NULL);
2525 fprintf(stderr, "%s: %s\n", "select()", g_strerror(errno));
2527 } else if (ret == 1) {
2529 /* Call the real handler */
2530 if (!pipe_input.input_cb(pipe_input.source, pipe_input.user_data)) {
2531 g_log(NULL, G_LOG_LEVEL_DEBUG, "input pipe closed");
2534 #ifdef USE_TSHARK_SELECT
2539 CATCH(OutOfMemoryError) {
2543 "Sorry, but TShark has to terminate now.\n"
2545 "More information and workarounds can be found at\n"
2546 "https://wiki.wireshark.org/KnownBugs/OutOfMemory\n");
2553 /* capture child detected an error */
2555 capture_input_error_message(capture_session *cap_session _U_, char *error_msg, char *secondary_error_msg)
2557 cmdarg_err("%s", error_msg);
2558 cmdarg_err_cont("%s", secondary_error_msg);
2562 /* capture child detected an capture filter related error */
2564 capture_input_cfilter_error_message(capture_session *cap_session, guint i, char *error_message)
2566 capture_options *capture_opts = cap_session->capture_opts;
2567 dfilter_t *rfcode = NULL;
2568 interface_options interface_opts;
2570 g_assert(i < capture_opts->ifaces->len);
2571 interface_opts = g_array_index(capture_opts->ifaces, interface_options, i);
2573 if (dfilter_compile(interface_opts.cfilter, &rfcode, NULL) && rfcode != NULL) {
2575 "Invalid capture filter \"%s\" for interface '%s'.\n"
2577 "That string looks like a valid display filter; however, it isn't a valid\n"
2578 "capture filter (%s).\n"
2580 "Note that display filters and capture filters don't have the same syntax,\n"
2581 "so you can't use most display filter expressions as capture filters.\n"
2583 "See the User's Guide for a description of the capture filter syntax.",
2584 interface_opts.cfilter, interface_opts.descr, error_message);
2585 dfilter_free(rfcode);
2588 "Invalid capture filter \"%s\" for interface '%s'.\n"
2590 "That string isn't a valid capture filter (%s).\n"
2591 "See the User's Guide for a description of the capture filter syntax.",
2592 interface_opts.cfilter, interface_opts.descr, error_message);
2597 /* capture child tells us we have a new (or the first) capture file */
2599 capture_input_new_file(capture_session *cap_session, gchar *new_file)
2601 capture_options *capture_opts = cap_session->capture_opts;
2602 capture_file *cf = (capture_file *) cap_session->cf;
2603 gboolean is_tempfile;
2606 if (cap_session->state == CAPTURE_PREPARING) {
2607 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "Capture started.");
2609 g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_MESSAGE, "File: \"%s\"", new_file);
2611 g_assert(cap_session->state == CAPTURE_PREPARING || cap_session->state == CAPTURE_RUNNING);
2613 /* free the old filename */
2614 if (capture_opts->save_file != NULL) {
2616 /* we start a new capture file, close the old one (if we had one before) */
2617 if (cf->state != FILE_CLOSED) {
2618 if (cf->wth != NULL) {
2619 wtap_close(cf->wth);
2622 cf->state = FILE_CLOSED;
2625 g_free(capture_opts->save_file);
2626 is_tempfile = FALSE;
2628 epan_free(cf->epan);
2629 cf->epan = tshark_epan_new(cf);
2631 /* we didn't had a save_file before, must be a tempfile */
2635 /* save the new filename */
2636 capture_opts->save_file = g_strdup(new_file);
2638 /* if we are in real-time mode, open the new file now */
2639 if (do_dissection) {
2640 /* this is probably unecessary, but better safe than sorry */
2641 ((capture_file *)cap_session->cf)->open_type = WTAP_TYPE_AUTO;
2642 /* Attempt to open the capture file and set up to read from it. */
2643 switch(cf_open((capture_file *)cap_session->cf, capture_opts->save_file, WTAP_TYPE_AUTO, is_tempfile, &err)) {
2647 /* Don't unlink (delete) the save file - leave it around,
2648 for debugging purposes. */
2649 g_free(capture_opts->save_file);
2650 capture_opts->save_file = NULL;
2655 cap_session->state = CAPTURE_RUNNING;
2661 /* capture child tells us we have new packets to read */
2663 capture_input_new_packets(capture_session *cap_session, int to_read)
2669 capture_file *cf = (capture_file *)cap_session->cf;
2670 gboolean filtering_tap_listeners;
2675 * Prevent a SIGINFO handler from writing to the standard error while
2676 * we're doing so or writing to the standard output; instead, have it
2677 * just set a flag telling us to print that information when we're done.
2680 #endif /* SIGINFO */
2682 /* Do we have any tap listeners with filters? */
2683 filtering_tap_listeners = have_filtering_tap_listeners();
2685 /* Get the union of the flags for all tap listeners. */
2686 tap_flags = union_of_tap_listener_flags();
2688 if (do_dissection) {
2689 gboolean create_proto_tree;
2690 epan_dissect_t *edt;
2692 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
2693 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
2694 create_proto_tree = TRUE;
2696 create_proto_tree = FALSE;
2698 /* The protocol tree will be "visible", i.e., printed, only if we're
2699 printing packet details, which is true if we're printing stuff
2700 ("print_packet_info" is true) and we're in verbose mode
2701 ("packet_details" is true). */
2702 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
2704 while (to_read-- && cf->wth) {
2705 wtap_cleareof(cf->wth);
2706 ret = wtap_read(cf->wth, &err, &err_info, &data_offset);
2708 /* read from file failed, tell the capture child to stop */
2709 sync_pipe_stop(cap_session);
2710 wtap_close(cf->wth);
2713 ret = process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
2714 wtap_buf_ptr(cf->wth),
2718 /* packet successfully read and gone through the "Read Filter" */
2723 epan_dissect_free(edt);
2727 * Dumpcap's doing all the work; we're not doing any dissection.
2728 * Count all the packets it wrote.
2730 packet_count += to_read;
2733 if (print_packet_counts) {
2734 /* We're printing packet counts. */
2735 if (packet_count != 0) {
2736 fprintf(stderr, "\r%u ", packet_count);
2737 /* stderr could be line buffered */
2744 * Allow SIGINFO handlers to write.
2749 * If a SIGINFO handler asked us to write out capture counts, do so.
2753 #endif /* SIGINFO */
2759 if ((print_packet_counts == FALSE) && (really_quiet == FALSE)) {
2760 /* Report the count only if we aren't printing a packet count
2761 as packets arrive. */
2762 fprintf(stderr, "%u packet%s captured\n", packet_count,
2763 plurality(packet_count, "", "s"));
2766 infoprint = FALSE; /* we just reported it */
2767 #endif /* SIGINFO */
2772 report_counts_siginfo(int signum _U_)
2774 int sav_errno = errno;
2775 /* If we've been told to delay printing, just set a flag asking
2776 that we print counts (if we're supposed to), otherwise print
2777 the count of packets captured (if we're supposed to). */
2784 #endif /* SIGINFO */
2787 /* capture child detected any packet drops? */
2789 capture_input_drops(capture_session *cap_session _U_, guint32 dropped)
2791 if (print_packet_counts) {
2792 /* We're printing packet counts to stderr.
2793 Send a newline so that we move to the line after the packet count. */
2794 fprintf(stderr, "\n");
2798 /* We're printing packet counts to stderr.
2799 Send a newline so that we move to the line after the packet count. */
2800 fprintf(stderr, "%u packet%s dropped\n", dropped, plurality(dropped, "", "s"));
2806 * Capture child closed its side of the pipe, report any error and
2807 * do the required cleanup.
2810 capture_input_closed(capture_session *cap_session, gchar *msg)
2812 capture_file *cf = (capture_file *) cap_session->cf;
2815 fprintf(stderr, "tshark: %s\n", msg);
2819 if (cf != NULL && cf->wth != NULL) {
2820 wtap_close(cf->wth);
2821 if (cf->is_tempfile) {
2822 ws_unlink(cf->filename);
2825 #ifdef USE_BROKEN_G_MAIN_LOOP
2826 /*g_main_loop_quit(loop);*/
2827 g_main_loop_quit(loop);
2829 loop_running = FALSE;
2838 capture_cleanup(DWORD ctrltype _U_)
2840 /* CTRL_C_EVENT is sort of like SIGINT, CTRL_BREAK_EVENT is unique to
2841 Windows, CTRL_CLOSE_EVENT is sort of like SIGHUP, CTRL_LOGOFF_EVENT
2842 is also sort of like SIGHUP, and CTRL_SHUTDOWN_EVENT is sort of
2843 like SIGTERM at least when the machine's shutting down.
2845 For now, we handle them all as indications that we should clean up
2846 and quit, just as we handle SIGINT, SIGHUP, and SIGTERM in that
2849 We must return TRUE so that no other handler - such as one that would
2850 terminate the process - gets called.
2852 XXX - for some reason, typing ^C to TShark, if you run this in
2853 a Cygwin console window in at least some versions of Cygwin,
2854 causes TShark to terminate immediately; this routine gets
2855 called, but the main loop doesn't get a chance to run and
2856 exit cleanly, at least if this is compiled with Microsoft Visual
2857 C++ (i.e., it's a property of the Cygwin console window or Bash;
2858 it happens if TShark is not built with Cygwin - for all I know,
2859 building it with Cygwin may make the problem go away). */
2861 /* tell the capture child to stop */
2862 sync_pipe_stop(&global_capture_session);
2864 /* don't stop our own loop already here, otherwise status messages and
2865 * cleanup wouldn't be done properly. The child will indicate the stop of
2866 * everything by calling capture_input_closed() later */
2872 capture_cleanup(int signum _U_)
2874 /* tell the capture child to stop */
2875 sync_pipe_stop(&global_capture_session);
2877 /* don't stop our own loop already here, otherwise status messages and
2878 * cleanup wouldn't be done properly. The child will indicate the stop of
2879 * everything by calling capture_input_closed() later */
2882 #endif /* HAVE_LIBPCAP */
2885 process_packet_first_pass(capture_file *cf, epan_dissect_t *edt,
2886 gint64 offset, struct wtap_pkthdr *whdr,
2893 /* The frame number of this packet is one more than the count of
2894 frames in this packet. */
2895 framenum = cf->count + 1;
2897 /* If we're not running a display filter and we're not printing any
2898 packet information, we don't need to do a dissection. This means
2899 that all packets can be marked as 'passed'. */
2902 frame_data_init(&fdlocal, framenum, whdr, offset, cum_bytes);
2904 /* If we're going to print packet information, or we're going to
2905 run a read filter, or display filter, or we're going to process taps, set up to
2906 do a dissection and do so. */
2908 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2909 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2910 /* Grab any resolved addresses */
2911 host_name_lookup_process();
2913 /* If we're running a read filter, prime the epan_dissect_t with that
2916 epan_dissect_prime_dfilter(edt, cf->rfcode);
2919 epan_dissect_prime_dfilter(edt, cf->dfcode);
2921 frame_data_set_before_dissect(&fdlocal, &cf->elapsed_time,
2923 if (ref == &fdlocal) {
2924 ref_frame = fdlocal;
2928 epan_dissect_run(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdlocal, pd), &fdlocal, NULL);
2930 /* Run the read filter if we have one. */
2932 passed = dfilter_apply_edt(cf->rfcode, edt);
2936 frame_data_set_after_dissect(&fdlocal, &cum_bytes);
2937 prev_cap = prev_dis = frame_data_sequence_add(cf->frames, &fdlocal);
2939 /* If we're not doing dissection then there won't be any dependent frames.
2940 * More importantly, edt.pi.dependent_frames won't be initialized because
2941 * epan hasn't been initialized.
2942 * if we *are* doing dissection, then mark the dependent frames, but only
2943 * if a display filter was given and it matches this packet.
2945 if (edt && cf->dfcode) {
2946 if (dfilter_apply_edt(cf->dfcode, edt)) {
2947 g_slist_foreach(edt->pi.dependent_frames, find_and_mark_frame_depended_upon, cf->frames);
2953 /* if we don't add it to the frame_data_sequence, clean it up right now
2955 frame_data_destroy(&fdlocal);
2959 epan_dissect_reset(edt);
2965 process_packet_second_pass(capture_file *cf, epan_dissect_t *edt, frame_data *fdata,
2966 struct wtap_pkthdr *phdr, Buffer *buf,
2972 /* If we're not running a display filter and we're not printing any
2973 packet information, we don't need to do a dissection. This means
2974 that all packets can be marked as 'passed'. */
2977 /* If we're going to print packet information, or we're going to
2978 run a read filter, or we're going to process taps, set up to
2979 do a dissection and do so. */
2981 if (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
2982 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns)
2983 /* Grab any resolved addresses */
2984 host_name_lookup_process();
2986 /* If we're running a display filter, prime the epan_dissect_t with that
2989 epan_dissect_prime_dfilter(edt, cf->dfcode);
2991 col_custom_prime_edt(edt, &cf->cinfo);
2993 /* We only need the columns if either
2994 1) some tap needs the columns
2996 2) we're printing packet info but we're *not* verbose; in verbose
2997 mode, we print the protocol tree, not the protocol summary.
2999 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary))
3004 frame_data_set_before_dissect(fdata, &cf->elapsed_time,
3011 epan_dissect_run_with_taps(edt, cf->cd_t, phdr, frame_tvbuff_new_buffer(fdata, buf), fdata, cinfo);
3013 /* Run the read/display filter if we have one. */
3015 passed = dfilter_apply_edt(cf->dfcode, edt);
3019 frame_data_set_after_dissect(fdata, &cum_bytes);
3020 /* Process this packet. */
3021 if (print_packet_info) {
3022 /* We're printing packet information; print the information for
3024 print_packet(cf, edt);
3026 /* The ANSI C standard does not appear to *require* that a line-buffered
3027 stream be flushed to the host environment whenever a newline is
3028 written, it just says that, on such a stream, characters "are
3029 intended to be transmitted to or from the host environment as a
3030 block when a new-line character is encountered".
3032 The Visual C++ 6.0 C implementation doesn't do what is intended;
3033 even if you set a stream to be line-buffered, it still doesn't
3034 flush the buffer at the end of every line.
3036 So, if the "-l" flag was specified, we flush the standard output
3037 at the end of a packet. This will do the right thing if we're
3038 printing packet summary lines, and, as we print the entire protocol
3039 tree for a single packet without waiting for anything to happen,
3040 it should be as good as line-buffered mode if we're printing
3041 protocol trees. (The whole reason for the "-l" flag in either
3042 tcpdump or TShark is to allow the output of a live capture to
3043 be piped to a program or script and to have that script see the
3044 information for the packet as soon as it's printed, rather than
3045 having to wait until a standard I/O buffer fills up. */
3049 if (ferror(stdout)) {
3050 show_print_file_io_error(errno);
3059 epan_dissect_reset(edt);
3061 return passed || fdata->flags.dependent_of_displayed;
3065 load_cap_file(capture_file *cf, char *save_file, int out_file_type,
3066 gboolean out_file_name_res, int max_packet_count, gint64 max_byte_count)
3069 int snapshot_length;
3073 gchar *err_info = NULL;
3075 char *save_file_string = NULL;
3076 gboolean filtering_tap_listeners;
3078 wtapng_section_t *shb_hdr;
3079 wtapng_iface_descriptions_t *idb_inf;
3080 char *appname = NULL;
3081 struct wtap_pkthdr phdr;
3083 epan_dissect_t *edt = NULL;
3085 wtap_phdr_init(&phdr);
3087 shb_hdr = wtap_file_get_shb_info(cf->wth);
3088 idb_inf = wtap_file_get_idb_info(cf->wth);
3089 #ifdef PCAP_NG_DEFAULT
3090 if (idb_inf->interface_data->len > 1) {
3091 linktype = WTAP_ENCAP_PER_PACKET;
3093 linktype = wtap_file_encap(cf->wth);
3096 linktype = wtap_file_encap(cf->wth);
3098 if (save_file != NULL) {
3099 /* Get a string that describes what we're writing to */
3100 save_file_string = output_file_description(save_file);
3102 /* Set up to write to the capture file. */
3103 snapshot_length = wtap_snapshot_length(cf->wth);
3104 if (snapshot_length == 0) {
3105 /* Snapshot length of input file not known. */
3106 snapshot_length = WTAP_MAX_PACKET_SIZE;
3108 /* If we don't have an application name add Tshark */
3109 if (shb_hdr->shb_user_appl == NULL) {
3110 appname = g_strdup_printf("TShark (Wireshark) %s", get_ws_vcs_version_info());
3111 shb_hdr->shb_user_appl = appname;
3114 if (linktype != WTAP_ENCAP_PER_PACKET &&
3115 out_file_type == WTAP_FILE_TYPE_SUBTYPE_PCAP)
3116 pdh = wtap_dump_open(save_file, out_file_type, linktype,
3117 snapshot_length, FALSE /* compressed */, &err);
3119 pdh = wtap_dump_open_ng(save_file, out_file_type, linktype,
3120 snapshot_length, FALSE /* compressed */, shb_hdr, idb_inf, &err);
3126 /* We couldn't set up to write to the capture file. */
3129 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
3130 cmdarg_err("Capture files can't be written in that format.");
3133 case WTAP_ERR_UNWRITABLE_ENCAP:
3134 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
3135 cmdarg_err("The capture file being read can't be written as a "
3136 "\"%s\" file.", wtap_file_type_subtype_short_string(out_file_type));
3139 case WTAP_ERR_CANT_OPEN:
3140 cmdarg_err("The %s couldn't be created for some "
3141 "unknown reason.", save_file_string);
3144 case WTAP_ERR_SHORT_WRITE:
3145 cmdarg_err("A full header couldn't be written to the %s.",
3150 cmdarg_err("The %s could not be created: %s.", save_file_string,
3151 wtap_strerror(err));
3157 if (print_packet_info) {
3158 if (!write_preamble(cf)) {
3160 show_print_file_io_error(err);
3169 /* Do we have any tap listeners with filters? */
3170 filtering_tap_listeners = have_filtering_tap_listeners();
3172 /* Get the union of the flags for all tap listeners. */
3173 tap_flags = union_of_tap_listener_flags();
3175 if (perform_two_pass_analysis) {
3178 /* Allocate a frame_data_sequence for all the frames. */
3179 cf->frames = new_frame_data_sequence();
3181 if (do_dissection) {
3182 gboolean create_proto_tree = FALSE;
3184 /* If we're going to be applying a filter, we'll need to
3185 create a protocol tree against which to apply the filter. */
3186 if (cf->rfcode || cf->dfcode)
3187 create_proto_tree = TRUE;
3189 /* We're not going to display the protocol tree on this pass,
3190 so it's not going to be "visible". */
3191 edt = epan_dissect_new(cf->epan, create_proto_tree, FALSE);
3194 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3195 if (process_packet_first_pass(cf, edt, data_offset, wtap_phdr(cf->wth),
3196 wtap_buf_ptr(cf->wth))) {
3197 /* Stop reading if we have the maximum number of packets;
3198 * When the -c option has not been used, max_packet_count
3199 * starts at 0, which practically means, never stop reading.
3200 * (unless we roll over max_packet_count ?)
3202 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3203 err = 0; /* This is not an error */
3210 epan_dissect_free(edt);
3214 /* Close the sequential I/O side, to free up memory it requires. */
3215 wtap_sequential_close(cf->wth);
3217 /* Allow the protocol dissectors to free up memory that they
3218 * don't need after the sequential run-through of the packets. */
3219 postseq_cleanup_all_protocols();
3223 ws_buffer_init(&buf, 1500);
3225 if (do_dissection) {
3226 gboolean create_proto_tree;
3228 if (cf->dfcode || print_details || filtering_tap_listeners ||
3229 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3230 create_proto_tree = TRUE;
3232 create_proto_tree = FALSE;
3234 /* The protocol tree will be "visible", i.e., printed, only if we're
3235 printing packet details, which is true if we're printing stuff
3236 ("print_packet_info" is true) and we're in verbose mode
3237 ("packet_details" is true). */
3238 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3241 for (framenum = 1; err == 0 && framenum <= cf->count; framenum++) {
3242 fdata = frame_data_sequence_find(cf->frames, framenum);
3243 if (wtap_seek_read(cf->wth, fdata->file_off, &phdr, &buf, &err,
3245 if (process_packet_second_pass(cf, edt, fdata, &phdr, &buf,
3247 /* Either there's no read filtering or this packet passed the
3248 filter, so, if we're writing to a capture file, write
3251 if (!wtap_dump(pdh, &phdr, ws_buffer_start_ptr(&buf), &err, &err_info)) {
3252 /* Error writing to a capture file */
3255 case WTAP_ERR_UNWRITABLE_ENCAP:
3257 * This is a problem with the particular frame we're writing
3258 * and the file type and subtype we're writing; note that,
3259 * and report the frame number and file type/subtype.
3261 * XXX - framenum is not necessarily the frame number in
3262 * the input file if there was a read filter.
3265 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3266 framenum, cf->filename,
3267 wtap_file_type_subtype_short_string(out_file_type));
3270 case WTAP_ERR_PACKET_TOO_LARGE:
3272 * This is a problem with the particular frame we're writing
3273 * and the file type and subtype we're writing; note that,
3274 * and report the frame number and file type/subtype.
3276 * XXX - framenum is not necessarily the frame number in
3277 * the input file if there was a read filter.
3280 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3281 framenum, cf->filename,
3282 wtap_file_type_subtype_short_string(out_file_type));
3285 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3287 * This is a problem with the particular record we're writing
3288 * and the file type and subtype we're writing; note that,
3289 * and report the record number and file type/subtype.
3291 * XXX - framenum is not necessarily the record number in
3292 * the input file if there was a read filter.
3295 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3296 framenum, cf->filename,
3297 wtap_file_type_subtype_short_string(out_file_type));
3300 case WTAP_ERR_UNWRITABLE_REC_DATA:
3302 * This is a problem with the particular record we're writing
3303 * and the file type and subtype we're writing; note that,
3304 * and report the record number and file type/subtype.
3306 * XXX - framenum is not necessarily the record number in
3307 * the input file if there was a read filter.
3310 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3311 framenum, cf->filename,
3312 wtap_file_type_subtype_short_string(out_file_type),
3313 err_info != NULL ? err_info : "no information supplied");
3318 show_capture_file_io_error(save_file, err, FALSE);
3321 wtap_dump_close(pdh, &err);
3332 epan_dissect_free(edt);
3336 ws_buffer_free(&buf);
3341 if (do_dissection) {
3342 gboolean create_proto_tree;
3344 if (cf->rfcode || cf->dfcode || print_details || filtering_tap_listeners ||
3345 (tap_flags & TL_REQUIRES_PROTO_TREE) || have_custom_cols(&cf->cinfo))
3346 create_proto_tree = TRUE;
3348 create_proto_tree = FALSE;
3350 /* The protocol tree will be "visible", i.e., printed, only if we're
3351 printing packet details, which is true if we're printing stuff
3352 ("print_packet_info" is true) and we're in verbose mode
3353 ("packet_details" is true). */
3354 edt = epan_dissect_new(cf->epan, create_proto_tree, print_packet_info && print_details);
3357 while (wtap_read(cf->wth, &err, &err_info, &data_offset)) {
3360 if (process_packet(cf, edt, data_offset, wtap_phdr(cf->wth),
3361 wtap_buf_ptr(cf->wth),
3363 /* Either there's no read filtering or this packet passed the
3364 filter, so, if we're writing to a capture file, write
3367 if (!wtap_dump(pdh, wtap_phdr(cf->wth), wtap_buf_ptr(cf->wth), &err, &err_info)) {
3368 /* Error writing to a capture file */
3371 case WTAP_ERR_UNWRITABLE_ENCAP:
3373 * This is a problem with the particular frame we're writing
3374 * and the file type and subtype we're writing; note that,
3375 * and report the frame number and file type/subtype.
3378 "Frame %u of \"%s\" has a network type that can't be saved in a \"%s\" file.\n",
3379 framenum, cf->filename,
3380 wtap_file_type_subtype_short_string(out_file_type));
3383 case WTAP_ERR_PACKET_TOO_LARGE:
3385 * This is a problem with the particular frame we're writing
3386 * and the file type and subtype we're writing; note that,
3387 * and report the frame number and file type/subtype.
3390 "Frame %u of \"%s\" is too large for a \"%s\" file.\n",
3391 framenum, cf->filename,
3392 wtap_file_type_subtype_short_string(out_file_type));
3395 case WTAP_ERR_UNWRITABLE_REC_TYPE:
3397 * This is a problem with the particular record we're writing
3398 * and the file type and subtype we're writing; note that,
3399 * and report the record number and file type/subtype.
3402 "Record %u of \"%s\" has a record type that can't be saved in a \"%s\" file.\n",
3403 framenum, cf->filename,
3404 wtap_file_type_subtype_short_string(out_file_type));
3407 case WTAP_ERR_UNWRITABLE_REC_DATA:
3409 * This is a problem with the particular record we're writing
3410 * and the file type and subtype we're writing; note that,
3411 * and report the record number and file type/subtype.
3414 "Record %u of \"%s\" has data that can't be saved in a \"%s\" file.\n(%s)\n",
3415 framenum, cf->filename,
3416 wtap_file_type_subtype_short_string(out_file_type),
3417 err_info != NULL ? err_info : "no information supplied");
3422 show_capture_file_io_error(save_file, err, FALSE);
3425 wtap_dump_close(pdh, &err);
3432 /* Stop reading if we have the maximum number of packets;
3433 * When the -c option has not been used, max_packet_count
3434 * starts at 0, which practically means, never stop reading.
3435 * (unless we roll over max_packet_count ?)
3437 if ( (--max_packet_count == 0) || (max_byte_count != 0 && data_offset >= max_byte_count)) {
3438 err = 0; /* This is not an error */
3444 epan_dissect_free(edt);
3449 wtap_phdr_cleanup(&phdr);
3453 * Print a message noting that the read failed somewhere along the line.
3455 * If we're printing packet data, and the standard output and error are
3456 * going to the same place, flush the standard output, so everything
3457 * buffered up is written, and then print a newline to the standard error
3458 * before printing the error message, to separate it from the packet
3459 * data. (Alas, that only works on UN*X; st_dev is meaningless, and
3460 * the _fstat() documentation at Microsoft doesn't indicate whether
3461 * st_ino is even supported.)
3464 if (print_packet_info) {
3465 ws_statb64 stat_stdout, stat_stderr;
3467 if (ws_fstat64(1, &stat_stdout) == 0 && ws_fstat64(2, &stat_stderr) == 0) {
3468 if (stat_stdout.st_dev == stat_stderr.st_dev &&
3469 stat_stdout.st_ino == stat_stderr.st_ino) {
3471 fprintf(stderr, "\n");
3478 case WTAP_ERR_UNSUPPORTED:
3479 cmdarg_err("The file \"%s\" contains record data that TShark doesn't support.\n(%s)",
3481 err_info != NULL ? err_info : "no information supplied");
3485 case WTAP_ERR_SHORT_READ:
3486 cmdarg_err("The file \"%s\" appears to have been cut short in the middle of a packet.",
3490 case WTAP_ERR_BAD_FILE:
3491 cmdarg_err("The file \"%s\" appears to be damaged or corrupt.\n(%s)",
3493 err_info != NULL ? err_info : "no information supplied");
3497 case WTAP_ERR_DECOMPRESS:
3498 cmdarg_err("The compressed file \"%s\" appears to be damaged or corrupt.\n"
3499 "(%s)", cf->filename,
3500 err_info != NULL ? err_info : "no information supplied");
3505 cmdarg_err("An error occurred while reading the file \"%s\": %s.",
3506 cf->filename, wtap_strerror(err));
3509 if (save_file != NULL) {
3510 /* Now close the capture file. */
3511 if (!wtap_dump_close(pdh, &err))
3512 show_capture_file_io_error(save_file, err, TRUE);
3515 if (save_file != NULL) {
3516 if (pdh && out_file_name_res) {
3517 if (!wtap_dump_set_addrinfo_list(pdh, get_addrinfo_list())) {
3518 cmdarg_err("The file format \"%s\" doesn't support name resolution information.",
3519 wtap_file_type_subtype_short_string(out_file_type));
3522 /* Now close the capture file. */
3523 if (!wtap_dump_close(pdh, &err))
3524 show_capture_file_io_error(save_file, err, TRUE);
3526 if (print_packet_info) {
3527 if (!write_finale()) {
3529 show_print_file_io_error(err);
3536 wtap_close(cf->wth);
3539 g_free(save_file_string);
3547 process_packet(capture_file *cf, epan_dissect_t *edt, gint64 offset, struct wtap_pkthdr *whdr,
3548 const guchar *pd, guint tap_flags)
3554 /* Count this packet. */
3557 /* If we're not running a display filter and we're not printing any
3558 packet information, we don't need to do a dissection. This means
3559 that all packets can be marked as 'passed'. */
3562 frame_data_init(&fdata, cf->count, whdr, offset, cum_bytes);
3564 /* If we're going to print packet information, or we're going to
3565 run a read filter, or we're going to process taps, set up to
3566 do a dissection and do so. */
3568 if (print_packet_info && (gbl_resolv_flags.mac_name || gbl_resolv_flags.network_name ||
3569 gbl_resolv_flags.transport_name || gbl_resolv_flags.concurrent_dns))
3570 /* Grab any resolved addresses */
3571 host_name_lookup_process();
3573 /* If we're running a filter, prime the epan_dissect_t with that
3576 epan_dissect_prime_dfilter(edt, cf->dfcode);
3578 col_custom_prime_edt(edt, &cf->cinfo);
3580 /* We only need the columns if either
3581 1) some tap needs the columns
3583 2) we're printing packet info but we're *not* verbose; in verbose
3584 mode, we print the protocol tree, not the protocol summary.
3586 3) there is a column mapped as an individual field */
3587 if ((tap_flags & TL_REQUIRES_COLUMNS) || (print_packet_info && print_summary) || output_fields_has_cols(output_fields))
3592 frame_data_set_before_dissect(&fdata, &cf->elapsed_time,
3594 if (ref == &fdata) {
3599 epan_dissect_run_with_taps(edt, cf->cd_t, whdr, frame_tvbuff_new(&fdata, pd), &fdata, cinfo);
3601 /* Run the filter if we have it. */
3603 passed = dfilter_apply_edt(cf->dfcode, edt);
3607 frame_data_set_after_dissect(&fdata, &cum_bytes);
3609 /* Process this packet. */
3610 if (print_packet_info) {
3611 /* We're printing packet information; print the information for
3613 print_packet(cf, edt);
3615 /* The ANSI C standard does not appear to *require* that a line-buffered
3616 stream be flushed to the host environment whenever a newline is
3617 written, it just says that, on such a stream, characters "are
3618 intended to be transmitted to or from the host environment as a
3619 block when a new-line character is encountered".
3621 The Visual C++ 6.0 C implementation doesn't do what is intended;
3622 even if you set a stream to be line-buffered, it still doesn't
3623 flush the buffer at the end of every line.
3625 So, if the "-l" flag was specified, we flush the standard output
3626 at the end of a packet. This will do the right thing if we're
3627 printing packet summary lines, and, as we print the entire protocol
3628 tree for a single packet without waiting for anything to happen,
3629 it should be as good as line-buffered mode if we're printing
3630 protocol trees. (The whole reason for the "-l" flag in either
3631 tcpdump or TShark is to allow the output of a live capture to
3632 be piped to a program or script and to have that script see the
3633 information for the packet as soon as it's printed, rather than
3634 having to wait until a standard I/O buffer fills up. */
3638 if (ferror(stdout)) {
3639 show_print_file_io_error(errno);
3644 /* this must be set after print_packet() [bug #8160] */
3645 prev_dis_frame = fdata;
3646 prev_dis = &prev_dis_frame;
3649 prev_cap_frame = fdata;
3650 prev_cap = &prev_cap_frame;
3653 epan_dissect_reset(edt);
3654 frame_data_destroy(&fdata);
3660 write_preamble(capture_file *cf)
3662 switch (output_action) {
3665 return print_preamble(print_stream, cf->filename, get_ws_vcs_version_info());
3669 write_pdml_preamble(stdout, cf->filename);
3671 write_psml_preamble(&cf->cinfo, stdout);
3672 return !ferror(stdout);
3675 write_fields_preamble(output_fields, stdout);
3676 return !ferror(stdout);
3679 g_assert_not_reached();
3685 get_line_buf(size_t len)
3687 static char *line_bufp = NULL;
3688 static size_t line_buf_len = 256;
3689 size_t new_line_buf_len;
3691 for (new_line_buf_len = line_buf_len; len > new_line_buf_len;
3692 new_line_buf_len *= 2)
3694 if (line_bufp == NULL) {
3695 line_buf_len = new_line_buf_len;
3696 line_bufp = (char *)g_malloc(line_buf_len + 1);
3698 if (new_line_buf_len > line_buf_len) {
3699 line_buf_len = new_line_buf_len;
3700 line_bufp = (char *)g_realloc(line_bufp, line_buf_len + 1);
3707 put_string(char *dest, const char *str, size_t str_len)
3709 memcpy(dest, str, str_len);
3710 dest[str_len] = '\0';
3714 put_spaces_string(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3718 for (i = str_len; i < str_with_spaces; i++)
3721 put_string(dest, str, str_len);
3725 put_string_spaces(char *dest, const char *str, size_t str_len, size_t str_with_spaces)
3729 memcpy(dest, str, str_len);
3730 for (i = str_len; i < str_with_spaces; i++)
3733 dest[str_with_spaces] = '\0';
3737 print_columns(capture_file *cf)
3745 line_bufp = get_line_buf(256);
3748 for (i = 0; i < cf->cinfo.num_cols; i++) {
3749 /* Skip columns not marked as visible. */
3750 if (!get_column_visible(i))
3752 switch (cf->cinfo.col_fmt[i]) {
3754 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3757 line_bufp = get_line_buf(buf_offset + column_len);
3758 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3764 case COL_ABS_YMD_TIME: /* XXX - wider */
3765 case COL_ABS_YDOY_TIME: /* XXX - wider */
3767 case COL_UTC_YMD_TIME: /* XXX - wider */
3768 case COL_UTC_YDOY_TIME: /* XXX - wider */
3769 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3770 if (column_len < 10)
3772 line_bufp = get_line_buf(buf_offset + column_len);
3773 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3779 case COL_DEF_DL_SRC:
3780 case COL_RES_DL_SRC:
3781 case COL_UNRES_DL_SRC:
3782 case COL_DEF_NET_SRC:
3783 case COL_RES_NET_SRC:
3784 case COL_UNRES_NET_SRC:
3785 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3786 if (column_len < 12)
3788 line_bufp = get_line_buf(buf_offset + column_len);
3789 put_spaces_string(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3795 case COL_DEF_DL_DST:
3796 case COL_RES_DL_DST:
3797 case COL_UNRES_DL_DST:
3798 case COL_DEF_NET_DST:
3799 case COL_RES_NET_DST:
3800 case COL_UNRES_NET_DST:
3801 column_len = col_len = strlen(cf->cinfo.col_data[i]);
3802 if (column_len < 12)
3804 line_bufp = get_line_buf(buf_offset + column_len);
3805 put_string_spaces(line_bufp + buf_offset, cf->cinfo.col_data[i], col_len, column_len);
3809 column_len = strlen(cf->cinfo.col_data[i]);
3810 line_bufp = get_line_buf(buf_offset + column_len);
3811 put_string(line_bufp + buf_offset, cf->cinfo.col_data[i], column_len);
3814 buf_offset += column_len;
3815 if (i != cf->cinfo.num_cols - 1) {
3817 * This isn't the last column, so we need to print a
3818 * separator between this column and the next.
3820 * If we printed a network source and are printing a
3821 * network destination of the same type next, separate
3822 * them with " -> "; if we printed a network destination
3823 * and are printing a network source of the same type
3824 * next, separate them with " <- "; otherwise separate them
3827 * We add enough space to the buffer for " <- " or " -> ",
3828 * even if we're only adding " ".
3830 line_bufp = get_line_buf(buf_offset + 4);
3831 switch (cf->cinfo.col_fmt[i]) {
3836 switch (cf->cinfo.col_fmt[i + 1]) {
3841 put_string(line_bufp + buf_offset, " -> ", 4);
3846 put_string(line_bufp + buf_offset, " ", 1);
3852 case COL_DEF_DL_SRC:
3853 case COL_RES_DL_SRC:
3854 case COL_UNRES_DL_SRC:
3855 switch (cf->cinfo.col_fmt[i + 1]) {
3857 case COL_DEF_DL_DST:
3858 case COL_RES_DL_DST:
3859 case COL_UNRES_DL_DST:
3860 put_string(line_bufp + buf_offset, " -> ", 4);
3865 put_string(line_bufp + buf_offset, " ", 1);
3871 case COL_DEF_NET_SRC:
3872 case COL_RES_NET_SRC:
3873 case COL_UNRES_NET_SRC:
3874 switch (cf->cinfo.col_fmt[i + 1]) {
3876 case COL_DEF_NET_DST:
3877 case COL_RES_NET_DST:
3878 case COL_UNRES_NET_DST:
3879 put_string(line_bufp + buf_offset, " -> ", 4);
3884 put_string(line_bufp + buf_offset, " ", 1);
3893 switch (cf->cinfo.col_fmt[i + 1]) {
3898 put_string(line_bufp + buf_offset, " <- ", 4);
3903 put_string(line_bufp + buf_offset, " ", 1);
3909 case COL_DEF_DL_DST:
3910 case COL_RES_DL_DST:
3911 case COL_UNRES_DL_DST:
3912 switch (cf->cinfo.col_fmt[i + 1]) {
3914 case COL_DEF_DL_SRC:
3915 case COL_RES_DL_SRC:
3916 case COL_UNRES_DL_SRC:
3917 put_string(line_bufp + buf_offset, " <- ", 4);
3922 put_string(line_bufp + buf_offset, " ", 1);
3928 case COL_DEF_NET_DST:
3929 case COL_RES_NET_DST:
3930 case COL_UNRES_NET_DST:
3931 switch (cf->cinfo.col_fmt[i + 1]) {
3933 case COL_DEF_NET_SRC:
3934 case COL_RES_NET_SRC:
3935 case COL_UNRES_NET_SRC:
3936 put_string(line_bufp + buf_offset, " <- ", 4);
3941 put_string(line_bufp + buf_offset, " ", 1);
3948 put_string(line_bufp + buf_offset, " ", 1);
3954 return print_line(print_stream, 0, line_bufp);
3958 print_packet(capture_file *cf, epan_dissect_t *edt)
3960 print_args_t print_args;
3962 if (print_summary || output_fields_has_cols(output_fields)) {
3963 /* Just fill in the columns. */
3964 epan_dissect_fill_in_columns(edt, FALSE, TRUE);
3966 if (print_summary) {
3967 /* Now print them. */
3968 switch (output_action) {
3971 if (!print_columns(cf))
3976 write_psml_columns(edt, stdout);
3977 return !ferror(stdout);
3978 case WRITE_FIELDS: /*No non-verbose "fields" format */
3979 g_assert_not_reached();
3984 if (print_details) {
3985 /* Print the information in the protocol tree. */
3986 switch (output_action) {
3989 /* Only initialize the fields that are actually used in proto_tree_print.
3990 * This is particularly important for .range, as that's heap memory which
3991 * we would otherwise have to g_free().
3992 print_args.to_file = TRUE;
3993 print_args.format = print_format;
3994 print_args.print_summary = print_summary;
3995 print_args.print_formfeed = FALSE;
3996 packet_range_init(&print_args.range, &cfile);
3998 print_args.print_hex = print_hex;
3999 print_args.print_dissections = print_details ? print_dissections_expanded : print_dissections_none;
4001 if (!proto_tree_print(&print_args, edt, output_only_tables, print_stream))
4004 if (!print_line(print_stream, 0, separator))
4010 write_pdml_proto_tree(edt, stdout);
4012 return !ferror(stdout);
4014 write_fields_proto_tree(output_fields, edt, &cf->cinfo, stdout);
4016 return !ferror(stdout);
4020 if (print_summary || print_details) {
4021 if (!print_line(print_stream, 0, ""))
4024 if (!print_hex_data(print_stream, edt))
4026 if (!print_line(print_stream, 0, separator))
4035 switch (output_action) {
4038 return print_finale(print_stream);
4042 write_pdml_finale(stdout);
4044 write_psml_finale(stdout);
4045 return !ferror(stdout);
4048 write_fields_finale(output_fields, stdout);
4049 return !ferror(stdout);
4052 g_assert_not_reached();
4058 cf_open(capture_file *cf, const char *fname, unsigned int type, gboolean is_tempfile, int *err)
4062 char err_msg[2048+1];
4064 wth = wtap_open_offline(fname, type, err, &err_info, perform_two_pass_analysis);
4068 /* The open succeeded. Fill in the information for this file. */
4070 /* Create new epan session for dissection. */
4071 epan_free(cf->epan);
4072 cf->epan = tshark_epan_new(cf);
4075 cf->f_datalen = 0; /* not used, but set it anyway */
4077 /* Set the file name because we need it to set the follow stream filter.
4078 XXX - is that still true? We need it for other reasons, though,
4080 cf->filename = g_strdup(fname);
4082 /* Indicate whether it's a permanent or temporary file. */
4083 cf->is_tempfile = is_tempfile;
4085 /* No user changes yet. */
4086 cf->unsaved_changes = FALSE;
4088 cf->cd_t = wtap_file_type_subtype(cf->wth);
4089 cf->open_type = type;
4091 cf->drops_known = FALSE;
4093 cf->snap = wtap_snapshot_length(cf->wth);
4094 if (cf->snap == 0) {
4095 /* Snapshot length not known. */
4096 cf->has_snap = FALSE;
4097 cf->snap = WTAP_MAX_PACKET_SIZE;
4099 cf->has_snap = TRUE;
4100 nstime_set_zero(&cf->elapsed_time);
4105 cf->state = FILE_READ_IN_PROGRESS;
4107 wtap_set_cb_new_ipv4(cf->wth, add_ipv4_name);
4108 wtap_set_cb_new_ipv6(cf->wth, (wtap_new_ipv6_callback_t) add_ipv6_name);
4113 g_snprintf(err_msg, sizeof err_msg,
4114 cf_open_error_message(*err, err_info, FALSE, cf->cd_t), fname);
4115 cmdarg_err("%s", err_msg);
4120 show_capture_file_io_error(const char *fname, int err, gboolean is_close)
4122 char *save_file_string;
4124 save_file_string = output_file_description(fname);
4129 cmdarg_err("Not all the packets could be written to the %s because there is "
4130 "no space left on the file system.",
4136 cmdarg_err("Not all the packets could be written to the %s because you are "
4137 "too close to, or over your disk quota.",
4142 case WTAP_ERR_CANT_CLOSE:
4143 cmdarg_err("The %s couldn't be closed for some unknown reason.",
4147 case WTAP_ERR_SHORT_WRITE:
4148 cmdarg_err("Not all the packets could be written to the %s.",
4154 cmdarg_err("The %s could not be closed: %s.", save_file_string,
4155 wtap_strerror(err));
4157 cmdarg_err("An error occurred while writing to the %s: %s.",
4158 save_file_string, wtap_strerror(err));
4162 g_free(save_file_string);
4166 show_print_file_io_error(int err)
4171 cmdarg_err("Not all the packets could be printed because there is "
4172 "no space left on the file system.");
4177 cmdarg_err("Not all the packets could be printed because you are "
4178 "too close to, or over your disk quota.");
4183 cmdarg_err("An error occurred while printing packets: %s.",
4190 cf_open_error_message(int err, gchar *err_info, gboolean for_writing,
4194 static char errmsg_errno[1024+1];
4197 /* Wiretap error. */
4200 case WTAP_ERR_NOT_REGULAR_FILE:
4201 errmsg = "The file \"%s\" is a \"special file\" or socket or other non-regular file.";
4204 case WTAP_ERR_RANDOM_OPEN_PIPE:
4205 /* Seen only when opening a capture file for reading. */
4206 errmsg = "The file \"%s\" is a pipe or FIFO; TShark can't read pipe or FIFO files in two-pass mode.";
4209 case WTAP_ERR_FILE_UNKNOWN_FORMAT:
4210 /* Seen only when opening a capture file for reading. */
4211 errmsg = "The file \"%s\" isn't a capture file in a format TShark understands.";
4214 case WTAP_ERR_UNSUPPORTED:
4215 /* Seen only when opening a capture file for reading. */
4216 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4217 "The file \"%%s\" contains record data that TShark doesn't support.\n"
4219 err_info != NULL ? err_info : "no information supplied");
4221 errmsg = errmsg_errno;
4224 case WTAP_ERR_CANT_WRITE_TO_PIPE:
4225 /* Seen only when opening a capture file for writing. */
4226 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4227 "The file \"%%s\" is a pipe, and \"%s\" capture files can't be "
4228 "written to a pipe.", wtap_file_type_subtype_short_string(file_type));
4229 errmsg = errmsg_errno;
4232 case WTAP_ERR_UNWRITABLE_FILE_TYPE:
4233 /* Seen only when opening a capture file for writing. */
4234 errmsg = "TShark doesn't support writing capture files in that format.";
4237 case WTAP_ERR_UNWRITABLE_ENCAP:
4238 /* Seen only when opening a capture file for writing. */
4239 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4240 "TShark can't save this capture as a \"%s\" file.",
4241 wtap_file_type_subtype_short_string(file_type));
4242 errmsg = errmsg_errno;
4245 case WTAP_ERR_ENCAP_PER_PACKET_UNSUPPORTED:
4247 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4248 "TShark can't save this capture as a \"%s\" file.",
4249 wtap_file_type_subtype_short_string(file_type));
4250 errmsg = errmsg_errno;
4252 errmsg = "The file \"%s\" is a capture for a network type that TShark doesn't support.";
4255 case WTAP_ERR_BAD_FILE:
4256 /* Seen only when opening a capture file for reading. */
4257 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4258 "The file \"%%s\" appears to be damaged or corrupt.\n"
4260 err_info != NULL ? err_info : "no information supplied");
4262 errmsg = errmsg_errno;
4265 case WTAP_ERR_CANT_OPEN:
4267 errmsg = "The file \"%s\" could not be created for some unknown reason.";
4269 errmsg = "The file \"%s\" could not be opened for some unknown reason.";
4272 case WTAP_ERR_SHORT_READ:
4273 errmsg = "The file \"%s\" appears to have been cut short"
4274 " in the middle of a packet or other data.";
4277 case WTAP_ERR_SHORT_WRITE:
4278 errmsg = "A full header couldn't be written to the file \"%s\".";
4281 case WTAP_ERR_COMPRESSION_NOT_SUPPORTED:
4282 errmsg = "This file type cannot be written as a compressed file.";
4285 case WTAP_ERR_DECOMPRESS:
4286 /* Seen only when opening a capture file for reading. */
4287 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4288 "The compressed file \"%%s\" appears to be damaged or corrupt.\n"
4290 err_info != NULL ? err_info : "no information supplied");
4292 errmsg = errmsg_errno;
4296 g_snprintf(errmsg_errno, sizeof(errmsg_errno),
4297 "The file \"%%s\" could not be %s: %s.",
4298 for_writing ? "created" : "opened",
4299 wtap_strerror(err));
4300 errmsg = errmsg_errno;
4304 errmsg = file_open_error_message(err, for_writing);
4309 * Open/create errors are reported with an console message in TShark.
4312 open_failure_message(const char *filename, int err, gboolean for_writing)
4314 fprintf(stderr, "tshark: ");
4315 fprintf(stderr, file_open_error_message(err, for_writing), filename);
4316 fprintf(stderr, "\n");
4320 * General errors are reported with an console message in TShark.
4323 failure_message(const char *msg_format, va_list ap)
4325 fprintf(stderr, "tshark: ");
4326 vfprintf(stderr, msg_format, ap);
4327 fprintf(stderr, "\n");
4331 * Read errors are reported with an console message in TShark.
4334 read_failure_message(const char *filename, int err)
4336 cmdarg_err("An error occurred while reading from the file \"%s\": %s.",
4337 filename, g_strerror(err));
4341 * Write errors are reported with an console message in TShark.
4344 write_failure_message(const char *filename, int err)
4346 cmdarg_err("An error occurred while writing to the file \"%s\": %s.",
4347 filename, g_strerror(err));
4351 * Report additional information for an error in command-line arguments.
4354 failure_message_cont(const char *msg_format, va_list ap)
4356 vfprintf(stderr, msg_format, ap);
4357 fprintf(stderr, "\n");
4361 * Editor modelines - https://www.wireshark.org/tools/modelines.html
4366 * indent-tabs-mode: nil
4369 * vi: set shiftwidth=2 tabstop=8 expandtab:
4370 * :indentSize=2:tabSize=8:noTabs=true: